【Title】: Patching MODDE 8.0
【Author】: JJDG
【Software】: MODDE 8.0
【Size】: 9653k
【Download】: find it yourself; URL http://www.umetrics.com/download/demos/modde8.exe
【Packer】: none
【Language】: VC++
【Author's note】: Purely out of interest, no other purpose. If I've made mistakes, I'd welcome corrections from the experts!
--------------------------------------------------------------------------------
【Walkthrough】
Honestly, I'm not quite sure what this software is actually for; I cracked it for a classmate. I think it's for design of experiments!
Download and install it. During installation the program asks you for a product id; just pick the license option below it and the installation completes.
Run it and the splash screen tells you when the software expires (the keyword is expire, which we'll use shortly).
Click Help > Register. In the middle of the registration window is a grey area that is blank while unregistered; after a successful registration it shows the following:
A license file already exists in the program directory! If you continue to import/activate this file will be replaced.
PEiD shows no packer!
Load it in OD (OllyDbg), search for strings, look for expire, double-click "this beta version has expired." and you arrive at:
004A0B0C . 6A 00 PUSH 0
004A0B0E . 6A 10 PUSH 10
004A0B10 . 83FE 03 CMP ESI,3
004A0B13 . 75 3A JNZ SHORT modde80.004A0B4F § skips the error message!
004A0B15 . 68 5CE24F00 PUSH modde80.004FE25C ; this beta version has expired. | we land here!
004A0B1A . E8 E39A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B1F > 6A 00 PUSH 0
004A0B21 . 6A 40 PUSH 40
004A0B23 . 68 00E34F00 PUSH modde80.004FE300 ; please contact umetrics for further information.\nusa, canada and south america: info.us@umetrics.com\nuk: info.uk@umetrics.com\nsweden and all other countries: info.se@umetrics.com
004A0B28 . E8 D59A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B2D . C645 FC 17 MOV BYTE PTR SS:[EBP-4],17
004A0B31 . 8D8D 9CFCFFFF LEA ECX,DWORD PTR SS:[EBP-364]
004A0B37 . 8B35 34FB4C00 MOV ESI,DWORD PTR DS:[<&MODDEutlwin.??1L>; MODDEu_1.??1Licence@@UAE@XZ
004A0B3D . FFD6 CALL ESI ; <&MODDEutlwin.??1Licence@@UAE@XZ>
004A0B3F . 885D FC MOV BYTE PTR SS:[EBP-4],BL
004A0B42 . 8D8D 0CFFFFFF LEA ECX,DWORD PTR SS:[EBP-F4]
004A0B48 . FFD6 CALL ESI
004A0B4A . E9 1E120000 JMP modde80.004A1D6D
004A0B4F > 83FE 05 CMP ESI,5
004A0B52 . 75 0C JNZ SHORT modde80.004A0B60
004A0B54 . 68 7CE24F00 PUSH modde80.004FE27C ; this version has expired.
004A0B59 . E8 A49A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B5E . EB 0F JMP SHORT modde80.004A0B6F
004A0B60 > 68 98E24F00 PUSH modde80.004FE298 ; your loan has expired.
004A0B65 . E8 989A0100 CALL <JMP.&MFC71.#1123_?AfxMessageBox@@Y>
004A0B6A . 83FE 04 CMP ESI,4
004A0B6D .^ 75 B0 JNZ SHORT modde80.004A0B1F
Since the registration mode is decided by the choice you made at install time, the only angle left is the license file!
Search for "license" again. Among the strings containing "license" many are duplicates, but one stands out: umetricslicense. Noticed? Umetrics is the company name!
OK, double-click it and arrive at:
004A0316 > \68 94DC4F00 PUSH modde80.004FDC94 ; umetricslicense |<-- presumably the license-file check starts from here on down; set a breakpoint first!
You'll see:
004FDC94=modde80.004FDC94 (ASCII "UmetricsLicense")
Jump from 004A02BB
Look upward first, and arrive here:
004A01C9 . 53 PUSH EBX ; /Arg4
Set a breakpoint here! (because the lines below contain comments such as modde license file)
Press F9 to run; it breaks at 004A01C9. Step with F8 until 004A0341, where the registers show:
EAX 0012FEEC
ECX 01B56800 ASCII "UmetricsLicense.$MODDE"
EDX 01B56800 ASCII "UmetricsLicense.$MODDE"
OK, so the file with the .$MODDE extension should be the license file! Open Notepad, type in anything, and save it as UmetricsLicense.$MODDE.
Reload in OD,
press F9 to run, and arrive at:
004A0316 > \68 94DC4F00 PUSH modde80.004FDC94 ; umetricslicense
Continue with F8, and arrive at:
004A0440 . 84C0 TEST AL,AL
004A0442 . 75 3F JNZ SHORT modde80.004A0483 ; | the error message is below; take the jump: change jnz to jmp
004A0444 . 68 A8DC4F00 PUSH modde80.004FDCA8 ; the license file in modde's installation directory is incorrect.\nplease contact umetrics to get a new license file.
Further down:
004A048F . 84C0 TEST AL,AL
004A0491 . 0F85 89000000 JNZ modde80.004A0520 ; | another error message below, better to jump: change jnz to jmp
004A0497 . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
004A049D . 51 PUSH ECX
004A049E . FF15 5CF84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>; MODDEutl.?GetApplicationVersion@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A04A4 . 8BF0 MOV ESI,EAX
004A04A6 . C645 FC 0D MOV BYTE PTR SS:[EBP-4],0D
004A04AA . 8D95 44FFFFFF LEA EDX,DWORD PTR SS:[EBP-BC]
004A04B0 . 52 PUSH EDX
004A04B1 . FF15 58F84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>; MODDEutl.?GetApplicationName@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A04B7 . C645 FC 0E MOV BYTE PTR SS:[EBP-4],0E
004A04BB . 8B0E MOV ECX,DWORD PTR DS:[ESI]
004A04BD . 51 PUSH ECX
004A04BE . 8B10 MOV EDX,DWORD PTR DS:[EAX]
004A04C0 . 52 PUSH EDX
004A04C1 . 68 20DD4F00 PUSH modde80.004FDD20 ; the license file in modde's installation directory is not valid.
004A04C6 . 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
Jumping to here:
004A0520 > \8B8E F4000000 MOV ECX,DWORD PTR DS:[ESI+F4]
004A0526 . 8B41 28 MOV EAX,DWORD PTR DS:[ECX+28]
004A0529 . 85C0 TEST EAX,EAX
004A052B . 0F84 97000000 JE modde80.004A05C8 ; no need to change this one, the program takes the jump by itself!
004A0531 . FF15 5CFB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?CheckL>; MODDEu_1.?CheckLockedToHardwareKey@LicenseFile@@QAE_NXZ
004A0537 . 84C0 TEST AL,AL
004A0539 . 0F85 89000000 JNZ modde80.004A05C8
004A053F . 8D8D 3CFFFFFF LEA ECX,DWORD PTR SS:[EBP-C4]
004A0545 . 51 PUSH ECX
004A0546 . FF15 5CF84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>; MODDEutl.?GetApplicationVersion@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A054C . 8BF0 MOV ESI,EAX
004A054E . C645 FC 10 MOV BYTE PTR SS:[EBP-4],10
004A0552 . 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
004A0558 . 52 PUSH EDX
004A0559 . FF15 58F84C00 CALL DWORD PTR DS:[<&MODDEutl.?GetApplic>; MODDEutl.?GetApplicationName@UmSystemInfo@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A055F . C645 FC 11 MOV BYTE PTR SS:[EBP-4],11
004A0563 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
004A0565 . 51 PUSH ECX
004A0566 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
004A0568 . 52 PUSH EDX
004A0569 . 68 68DD4F00 PUSH modde80.004FDD68 ; the activation key in the license file does not match this computer id.
004A056E . 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
Arriving at:
004A05C8 > \8B8E F4000000 MOV ECX,DWORD PTR DS:[ESI+F4]
004A05CE . 8A41 69 MOV AL,BYTE PTR DS:[ECX+69]
004A05D1 . 84C0 TEST AL,AL
004A05D3 . 0F84 6A010000 JE modde80.004A0743 ; no need to change this one, the program takes the jump by itself!
004A05D9 . C745 CC 04000>MOV DWORD PTR SS:[EBP-34],4
004A05E0 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004A05E3 . 52 PUSH EDX
004A05E4 . FF15 58FB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?GetNum>; MODDEu_1.?GetNumberOfRegistrationDaysLeft@LicenseFile@@QAE_NAAH@Z
004A05EA . 84C0 TEST AL,AL
004A05EC . 0F84 7B170000 JE modde80.004A1D6D
004A05F2 . 837D D4 01 CMP DWORD PTR SS:[EBP-2C],1
004A05F6 . 0F8D 87000000 JGE modde80.004A0683
004A05FC . 6A 00 PUSH 0
004A05FE . 8B8E F4000000 MOV ECX,DWORD PTR DS:[ESI+F4]
004A0604 . FF15 6CFB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?ShowRe>; MODDEu_1.?ShowRegistrationDialog@LicenseFile@@QAE_N_N@Z
004A060A . 84C0 TEST AL,AL
Arriving at:
004A073C > \C747 10 04000>MOV DWORD PTR DS:[EDI+10],4
004A0743 > 8B86 F4000000 MOV EAX,DWORD PTR DS:[ESI+F4]
004A0749 . 8B48 64 MOV ECX,DWORD PTR DS:[EAX+64]
004A074C . 85C9 TEST ECX,ECX
004A074E . 0F85 7A040000 JNZ modde80.004A0BCE ; this time we have to jump! jnz --> jmp, because if it falls through, another error message appears below!
004A0754 . 68 00100000 PUSH 1000 ; /Index = 4096.
004A0759 . FF15 98024D00 CALL DWORD PTR DS:[<&USER32.GetSystemMet>; \GetSystemMetrics
004A075F . 85C0 TEST EAX,EAX
004A0761 . 0F84 67040000 JE modde80.004A0BCE
004A0767 . 6A 00 PUSH 0
004A0769 . 6A 40 PUSH 40
004A076B . 68 00DE4F00 PUSH modde80.004FDE00 ; the license file does not allow to run under windows terminal services. please contact umetrics for further information.\nusa, canada and south america: info.us@umetrics.com\nuk: info.uk@umetrics.com\nsweden and all other countries: info.se@umetrics.com
Further down:
004A0BCE > \8B7D CC MOV EDI,DWORD PTR SS:[EBP-34]
004A0BD1 . 83FF 01 CMP EDI,1
004A0BD4 . 0F85 A5000000 JNZ modde80.004A0C7F no need to change this one, the program jumps by itself! Look at the RegGetInstallationPath below and you'll see it should jump!
004A0BDA . C645 FC 1F MOV BYTE PTR SS:[EBP-4],1F
004A0BDE . 8D85 4CFFFFFF LEA EAX,DWORD PTR SS:[EBP-B4]
004A0BE4 . 50 PUSH EAX
004A0BE5 . FF15 14FB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.?RegGet>; MODDEu_1.?RegGetInstallationPath@@YA?AV?$CStringT@DV?$StrTraitMFC_DLL@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@XZ
004A0BEB . 83C4 04 ADD ESP,4
Jumping to below: (after all that jumping everyone must be tired! Relax, this is the finish line!)
004A0C7F > \895D FC MOV DWORD PTR SS:[EBP-4],EBX
004A0C82 . 6A 04 PUSH 4
004A0C84 . E8 4B970100 CALL <JMP.&MFC71.#762_??2@YAPAXI@Z>
004A0C89 . 83C4 04 ADD ESP,4
004A0C8C . 8945 A8 MOV DWORD PTR SS:[EBP-58],EAX
004A0C8F . C700 01000000 MOV DWORD PTR DS:[EAX],1
004A0C95 . C745 AC 00000>MOV DWORD PTR SS:[EBP-54],0
004A0C9C . C645 FC 23 MOV BYTE PTR SS:[EBP-4],23
004A0CA0 . 83FF 01 CMP EDI,1
004A0CA3 . 0F84 91000000 JE modde80.004A0D3A ; | to jump or not? Of course..... not! Can't you see the Statue of Liberty below? :)
004A0CA9 . 8B85 E0FCFFFF MOV EAX,DWORD PTR SS:[EBP-320] | but don't worry, once you're here the program won't let you leave!
004A0CAF . 85C0 TEST EAX,EAX
004A0CB1 . 0F84 83000000 JE modde80.004A0D3A
004A0CB7 . C785 B8FEFFFF>MOV DWORD PTR SS:[EBP-148],136
004A0CC1 . C785 BCFEFFFF>MOV DWORD PTR SS:[EBP-144],43
004A0CCB . 6A 0C PUSH 0C
004A0CCD . E8 02970100 CALL <JMP.&MFC71.#762_??2@YAPAXI@Z>
004A0CD2 . 83C4 04 ADD ESP,4
004A0CD5 . 8BF8 MOV EDI,EAX
004A0CD7 . 89BD A4FEFFFF MOV DWORD PTR SS:[EBP-15C],EDI
004A0CDD . C645 FC 24 MOV BYTE PTR SS:[EBP-4],24
004A0CE1 . 85FF TEST EDI,EDI
004A0CE3 . 74 46 JE SHORT modde80.004A0D2B
004A0CE5 . 6A 00 PUSH 0
004A0CE7 . 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
004A0CED . 50 PUSH EAX
004A0CEE . 68 431F0000 PUSH 1F43
004A0CF3 . 8B4E 44 MOV ECX,DWORD PTR DS:[ESI+44]
004A0CF6 . 51 PUSH ECX
004A0CF7 . 8BCF MOV ECX,EDI ; look, isn't that UmStartWindow below the sign of success?
004A0CF9 . FF15 10FB4C00 CALL DWORD PTR DS:[<&MODDEutlwin.??0UmSt>; MODDEu_1.??0UmStartWindow@@QAE@PAUHINSTANCE__@@PBDPBVCPoint@@K@Z
004A0CFF . C707 D4EF4F00 MOV DWORD PTR DS:[EDI],modde80.004FEFD4 ; 00j
Basically, by the time you F8 to 004A0CF9 the splash screen appears, and the expired prompt is gone!
Done!
Right-click the CPU window, Copy to executable > All modifications, save, OK!
Restart the program and look at the result!
How's that? Click Help > Register and "A license file already exists in the program directory! If you continue to import/activate this file will be replaced." now shows up!
Congratulations, you've patched your way through!
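As an added defender-side example (not part of the original write-up): the three conditional jumps changed to jmp above leave a recognisable byte-level signature (0x75 becomes 0xEB, 0x0F 0x85 becomes 0xE9), so an analyst who needs to tell whether a copy of modde80.exe has been tampered with in this way can check those sites. The script below parses the PE section table to map the virtual addresses from the listing to file offsets and reports each site as original, patched, unexpected or unmapped; it assumes a PE32 image and compares only the opcode bytes, since the rel8/rel32 displacement differs between the two encodings.

```python
import struct

# Conditional jumps the write-up turns into unconditional ones, keyed by virtual address.
# Opcode facts: 0x75 = JNZ rel8, 0x0F 0x85 = JNZ rel32; 0xEB = JMP rel8, 0xE9 = JMP rel32.
PATCH_SITES = {
    0x004A0442: (b"\x75", b"\xeb"),
    0x004A0491: (b"\x0f\x85", b"\xe9"),
    0x004A074E: (b"\x0f\x85", b"\xe9"),
}

def parse_pe(data):
    """Return (ImageBase, [(VirtualAddress, SizeOfRawData, PointerToRawData), ...]) of a PE32 file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:  # Magic: assume PE32 (32-bit VC++ build)
        raise ValueError("not a PE32 image")
    image_base = struct.unpack_from("<I", data, pe + 24 + 28)[0]
    sections = []
    for i in range(nsec):
        hdr = pe + 24 + opt_size + 40 * i  # section table follows the optional header
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, raw_size, raw_ptr))
    return image_base, sections

def va_to_offset(image_base, sections, va):
    """Map a virtual address to a file offset, or None if no section's raw data covers it."""
    rva = va - image_base
    for vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + raw_size:
            return raw_ptr + (rva - vaddr)
    return None

def check_patch_sites(data, sites=PATCH_SITES):
    """Classify each site as 'original', 'patched', 'unexpected' or 'unmapped'."""
    image_base, sections = parse_pe(data)
    report = {}
    for va, (orig, patched) in sites.items():
        off = va_to_offset(image_base, sections, va)
        if off is None:
            report[va] = "unmapped"
            continue
        here = data[off:off + max(len(orig), len(patched))]  # opcode bytes only; displacements differ
        report[va] = ("original" if here.startswith(orig) else
                      "patched" if here.startswith(patched) else "unexpected")
    return report
```

Run it as `check_patch_sites(open("modde80.exe", "rb").read())`; any site reported as "patched" or "unexpected" means the file no longer matches the vendor build at that address.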
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the PEDIY (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
2006-07-18 23:32:43