DreamWaver3.0

标题：DreamWaver3.0注册流程分析 (17千字)
作者：夜月
时间：2001-9-10 18:05:20
链接：http://bbs.pediy.com

DreamWaver3.0注册流程分析

作者: 夜月
E-mail:luoyi.ly@yeah.net
写作日期:31th, August 2001

软件背景资料

运行平台: Win9X
文件名称: DreamWaver.exe
程序类型: 网页制作工具
下载地点: 未知
文件大小: 不详

使用的工具

Trw2000 V1.23--Win9X Debugger
Turboc V2.00--KeyGen Compiler1
Masm32 V5.00--KeyGen Compiler2
难易程度

Easy( ) Medium(X) Hard( ) Pro( )

------------------=====Declare=====------------------

  未经作者同意，不得修改、引用原文，一切权利保留。
  本教程只供教学用，其他一切用途皆被禁止。
------------------=====Begin=====------------------
  给三个能用的DreamWaver3.0的注册码：
（1）   DWW300-71511-95480-68658
（2）   WBW300-79525-15490-68658
（3）   WLW300-70814-65498-68658
  由此可以看出DreamWaver的注册码应该满足以下几个基本条件：
  （Str[]指向注册码字符串）
（A)   strlen(Str)=24
（B）   Str[6],Str[12],Str[18]固定为“-”
（C） Str[3]——Str[7] 检验得知：如果为“300-7”则生成的是教学班的序列号
如果为“300-0”则生成的是完全版的序列号
（D）   Str[0]——Str[2]有三个可选项。程序安装成功后，每一个字符串都可以注册成功。但在安装程序
  需要输入序列号时，开头为“WBW”的序列号不能通过，会被认为是旧版的序列号。
  基本条件就是如此。序列号的具体算法比较复杂。把整段字符串分成了5部分（不包括“DWW”，
  “WBW”，“WLW”这一串）。具体实施过程如下：
  (以第一个号码：DWW300-71511-95480-68658为例）
NUM1 = atoi(Str[3]——Str[5]) = 300
NUM2 = atoi(Str[7]) = 7
NUM3 = atol(strcat(Str[15],Str[14],Str[21],Str[20],Str[23],Str[19],Str[22])) = 4568865
NUM4 =   atoi(strcat(Str[10],Str[17],Str[16])) = 108
NUM5 = atoi(strcat(Str[8],Str[9],Str[11],Str[13])) = 1519
  这五个号码中，NUM3无任何限制,只要是7位数的整数就行。NUM4是由一个随机数查表得来的一个
  值，表不大，总共才15个数。也就是说，NUM4总共只有15种选择。NUM1,NUM2固定。NUM5就是最后
  用来校验的——看根据NUM1,NUM2,NUM3,NUM4四个数算出来的值等不等于NUM5（这段计算真的很复
  杂，我用A4的纸打了3张）。
  具体算法表示如下：
  （num1=NUM3，num2=NUM4。写注册机时图方便去了，没考虑到会给写这篇文章带来麻烦）

---------------------------------------Cut From Here------------------------------------------
edx1=num1/100000;edx2=num1/100;edx3=num1/1000000;edx4=num1/10000;
edx5=num2/100;edx6=3;edx7=30;ebx1=num2/10;edi1=num1/10;
ebp1=num1/1000;edx8=edx3+ebp1;
temp=7*(ebp1+num2)+3*(3*(edx1+ebx1+7)+edi1+edx2)+edx7+edx6+edx5+edx4+edx3+num1;
num[0]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edi1+3*(edx8+3*num2+ebx1)+edx7+edx6+edx5+edx4+edx2+edx1+7+num1;
num[1]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edx8+3*(3*ebx1+edx5+edx7+edx2)+edx6+edx4+edi1+edx1+num1+7+num2;
num[2]=(int) (temp-(temp/10)*10)+0x30;
temp=7*(edx6+edx2+ebx1)+3*(edx4+3*(edx7+num1)+edx3+edi1)+edx5+ebp1+edx1+7+num2;
num[3]=(int) (temp-(temp/10)*10)+0x30;
------------------------------------------Cut End---------------------------------------------

  有了这个核心算法，相信用Tc2.0作注册机，应该是很简单的事情了吧？

------------------=====KeyGen1(C)=====------------------
Tc2.0版注册机原码(dw_keygen.exe)：
---------------------------------------Cut From Here------------------------------------------
main()
{
void geneax(unsigned long num1,int num2,char *num);
unsigned long a;
int b,c;
int table[15]={0x51,0x5c,0x6a,0x102,0x10b,0xb6,0xbb,0xc5,0xc0,
    0xa2,0xa8,0x52,0x54,0x5d,0x6d};
char sn[26]={"DWW300-7"};
char num1[7],num2[3],num3[4];
seed1: printf("Please Input Seed1:\n");
scanf("%lu",&a);
if (a<1000000||a>=0x949d5b)
  {
  printf("Seed1 Must Be [1000000,9739612]");
  goto seed1;
  }
seed2: printf("Please Input Seed2 (0--14 but 1,7,8):\n");
scanf("%d",&b);
if (b<0 || b==1 || b==7 || b==8 || b>14)
  {
  printf("Seed2 Muse Be 0--14 But 1,7,8!\n");
  goto seed2;
  }

if (b==5 || b==6 || b==7 || b==8) {sn[0]='W';sn[1]='B';}
if (b==9 || b==10) {sn[0]='W';sn[1]='L'; }
b=table[b];
b+=27;
geneax(a,b,num3);
ultoa(a,num1,10);itoa(b,num2,10);
sn[8]=num3[0];sn[9]=num3[1];sn[10]=num2[0];sn[11]=num3[2];
sn[12]='-';sn[13]=num3[3];sn[14]=num1[1];sn[15]=num1[0];
sn[16]=num2[2];sn[17]=num2[1];sn[18]='-';sn[19]=num1[5];
sn[20]=num1[3];sn[21]=num1[2];sn[22]=num1[6];sn[23]=num1[4];
printf("SN CODE IS:\n");
printf("%s",sn);
}

void geneax(unsigned long num1,int num2,char *num)
{
unsigned long temp,edx1,edx2,edx3,edx4,edx5,edx6,edx7,edx8,
ebx1,edi1,ebp1;
edx1=num1/100000;edx2=num1/100;edx3=num1/1000000;edx4=num1/10000;
edx5=num2/100;edx6=3;edx7=30;ebx1=num2/10;edi1=num1/10;
ebp1=num1/1000;edx8=edx3+ebp1;
temp=7*(ebp1+num2)+3*(3*(edx1+ebx1+7)+edi1+edx2)+edx7+edx6+edx5+edx4+edx3+num1;
num[0]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edi1+3*(edx8+3*num2+ebx1)+edx7+edx6+edx5+edx4+edx2+edx1+7+num1;
num[1]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edx8+3*(3*ebx1+edx5+edx7+edx2)+edx6+edx4+edi1+edx1+num1+7+num2;
num[2]=(int) (temp-(temp/10)*10)+0x30;
temp=7*(edx6+edx2+ebx1)+3*(edx4+3*(edx7+num1)+edx3+edi1)+edx5+ebp1+edx1+7+num2;
num[3]=(int) (temp-(temp/10)*10)+0x30;
}
------------------------------------------Cut End---------------------------------------------

------------------=====KeyGen1(ASM)=====------------------
  说实话，对这个程序而言，用Tc2.0写注册机实在是很累人。那段核心算法很长也很复杂。针对算法
的特点，我建议大家用Masm32写注册机，那样比较方便——只要直接把在Trw2000中“U”下来的代码粘贴到
源文件中就行了，需要改动的地方不多。
  下面就是Masm32V5版的注册机源码：
Masm32版注册机源码(dw_keygen.exe)：
---------------------------------------Cut From Here------------------------------------------
.386
.model flat,stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
include comctl32.inc
include comdlg32.inc
include masm32.inc

includelib masm32.lib
includelib user32.lib
includelib kernel32.lib
includelib comctl32.lib
includelib comdlg32.lib

DLG_MAIN equ 100
IDGEN equ 10
Edit1 equ 11
Edit2 equ 12

_ProcDlgMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
_Math PROTO :DWORD,:DWORD,:DWORD
.data?
EDX1 DD ?
EDX2 DD ?
EDX3 DD ?
EDX4 DD ?
EDX5 DD ?
EDX6 DD ?
EDX7 DD ?
EDX8 DD ?
EAX1 DD ?
EBP1 DD ?
EDI1 DD ?
EBX1 DD ?

.data
szMess db "Seed Must Be [1000000,9000000]!",0
szCaption db "Error!"
hInstance dd ?
Number dd ?
Num1 db 7 dup(?),0
Num2 db 4 dup(?),0
snString1 db 4 dup(?),0
snString2 db 5 dup(?),0
snString3 db 5 dup(?),0
snString db "DWW300-7%s-%s-%s",0
sn db 24 dup(?),0
ddEbp dd ?

.code
_Math proc N1,N2,N3 ;这个过程就是粘贴过来的，很长吧？

  MOV ECX,N1
  MOV EAX,14F8B589H
  IMUL ECX
  SAR EDX,0DH
  MOV EAX,EDX
  PUSH EBX
  SHR EAX,1FH
  PUSH EBP
  ADD EDX,EAX
  PUSH ESI
  MOV ESI,N3
  MOV EAX,66666667H
  MOV EDX1,EDX
  IMUL ESI
  SAR EDX,02H
  MOV EAX,EDX
  PUSH EDI
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,51EB851FH
  MOV EBX,EDX
  IMUL ECX
  SAR EDX,05H
  MOV EAX,EDX
  MOV EBX1,EBX
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,66666667H
  MOV EDX2,EDX
  IMUL ECX
  SAR EDX,02H
  MOV EAX,EDX
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,10624DD3H
  MOV EDI,EDX
  IMUL ECX
  SAR EDX,06H
  MOV EAX,EDX
  MOV EDI1,EDI
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,431BDE83H
  MOV EBP,EDX
  IMUL ECX
  SAR EDX,12H
  MOV EAX,EDX
  MOV EBP1,EBP
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,68DB8BADH
  MOV EDX3,EDX
  IMUL ECX
  SAR EDX,0CH
  MOV EAX,EDX
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,51EB851FH
  MOV EDX4,EDX
  IMUL ESI
  SAR EDX,05H
  MOV EAX,EDX
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,51EB851FH
  MOV EDX5,EDX
MOV EDX,300
  IMUL EDX
  SAR EDX,05H
  MOV EAX,EDX
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EAX,66666667H
  MOV EDX6,EDX
MOV EDX,300
  IMUL EDX
  SAR EDX,02H
  MOV EAX,EDX
  SHR EAX,1FH
  ADD EDX,EAX
  MOV EDX7,EDX
  MOV EDX,EDX3
  ADD EDX,EBP
  MOV EAX,EDX1
  MOV EDX8,EDX
  MOV EDX,7H
  ADD EAX,EBX
  ADD EAX,EDX
  ADD EBP,ESI
  LEA EDX,[EDI+EAX*2]
  ADD EAX,EDX
  MOV EDX,EDX2
  ADD EAX,EDX
  MOV EDX,EDX7
  MOV EAX1,EAX
  ADD EDX,EAX
  LEA EAX,[EBP*8+00]
  SUB EAX,EBP
  MOV EBP,EAX1
  LEA EDX,[EDX+EBP*2]
  MOV EBP,EDX5
  ADD EAX,EDX
  MOV EDX,EDX6
  ADD EAX,EDX
  MOV EDX,EDX4
  ADD EAX,EBP
  MOV EBP,EDX3
  ADD EAX,EDX
  ADD EAX,EBP

  MOV EBP,0AH
  ADD EAX,ECX
  CDQ
  IDIV EBP
  MOV EAX,EDX8
  LEA EAX,[EAX+ESI*2]
  LEA EBP,[EDX+EDX*4]
  MOV EDX,ESI
  ADD EDX,EAX
  MOV EAX,EDX7
  ADD EDX,EBX
  LEA EBX,[EDX+EAX]
  LEA EAX,[EDI*8+00]
  SUB EAX,EDI
  MOV EDI,EDX5
  LEA EDX,[EBX+EDX*2]
  MOV EBX,EDX6
  ADD EAX,EDX
  MOV EDX,EDX4
  ADD EAX,EBX
  MOV EBX,0AH
  ADD EAX,EDI
  MOV EDI,EDX2
  ADD EAX,EDX
  MOV EDX,EDX1
  ADD EAX,EDI
  ADD EAX,EDX
  MOV EDX,7H
  ADD EAX,ECX
  ADD EAX,EDX
  CDQ
  IDIV EBX
  LEA EAX,[EDX+EBP*2]
  MOV EDX,EBX1
  LEA EBX,[EAX+EAX*4]
  MOV EAX,EDX7
  LEA EAX,[EAX+EDX*2]
  ADD EDX,EAX

  MOV EAX,EDX5
  ADD EDX,EAX
  MOV EAX,EDX6
  ADD EDX,EDI
  MOV EDI,EDX8
  LEA EBP,[EDX+EAX]
  LEA EAX,[EDI*8+00]
  SUB EAX,EDI
  MOV EDI,EDI1
  LEA EDX,[EBP+EDX*2+00]
  MOV EBP,EDX4
  ADD EAX,EDX
  ADD EAX,EBP
  ADD EAX,EDI
  MOV EDI,EDX1
  ADD EAX,EDI
  ADD EAX,ECX
  MOV EDX,7
  MOV EBP,0AH
  ADD EAX,EDX
  ADD EAX,ESI
  CDQ
  IDIV EBP
  MOV EBP,EDX3
  LEA EAX,[EDX+EBX*2]
  MOV EDX,EDX4
  LEA EBX,[EAX+EAX*4]
  MOV EAX,EDX7
  ADD ECX,EAX
  LEA EAX,[EDX+ECX*2]
  MOV EDX,EDI1
  ADD ECX,EAX
  MOV EAX,EDX6
  ADD ECX,EBP
  ADD ECX,EDX
  MOV EDX,EDX5
  LEA EBP,[ECX+EDX]
  MOV EDX,EDX2

  ADD EDX,EAX
  MOV EAX,EBX1
  ADD EDX,EAX
  LEA ECX,[EBP+ECX*2+00]
  LEA EAX,[EDX*8+00]
  SUB EAX,EDX
  MOV EDX,7
  ADD EAX,ECX
  MOV ECX,EBP1
  ADD EAX,ECX
  MOV ECX,0AH
  ADD EAX,EDI
  POP EDI
  ADD EAX,EDX
  ADD EAX,ESI
  POP ESI
  CDQ
  IDIV ECX
  POP EBP
  LEA EAX,[EDX+EBX*2]
  POP EBX
  RET
_Math endp

_ProcDlgMain proc uses ebx edi esi edx ecx,hWnd:DWORD,wMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,wMsg
.if eax==WM_CLOSE
invoke EndDialog,hWnd,NULL
.elseif eax==WM_COMMAND
mov eax,wParam
and eax,0ffffh
.if eax==IDGEN
invoke GetDlgItemText, hWnd,Edit1,offset Num1,8
invoke atodw,offset Num1
.if eax<1000000 || eax>9000000
invoke MessageBox,hWnd,offset szMess,offset szCaption,MB_ICONSTOP
ret
.endif
mov ecx,eax
mov eax,7
mov edx,108

invoke _Math,ecx,eax,edx

mov Number,eax
invoke dwtoa,Number,offset Num2

mov al,[Num1]
mov [snString2+2],al
mov al,[Num1+1]
mov [snString2+1],al
mov al,[Num1+2]
mov [snString3+2],al
mov al,[Num1+3]
mov [snString3+1],al
mov al,[Num1+4]
mov [snString3+4],al
mov al,[Num1+5]
mov [snString3],al
mov al,[Num1+6]
mov [snString3+3],al
mov al,[Num2]
mov [snString1],al
mov al,[Num2+1]
mov [snString1+1],al
mov al,[Num2+2]
mov [snString1+3],al
mov al,[Num2+3]
mov [snString2],al
mov [snString1+2],'1'
mov [snString2+3],'8'
mov [snString2+4],'0'
invoke wsprintf,offset sn,offset snString,offset snString1,offset snString2,offset snString3
invoke SetDlgItemText,hWnd,Edit2,offset sn
mov eax,FALSE
ret
.elseif eax==IDCLOSE
invoke EndDialog,hWnd,NULL
.endif
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret

_ProcDlgMain endp

start:
invoke InitCommonControls
invoke GetModuleHandle,NULL
mov hInstance,eax
invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,0
invoke ExitProcess,NULL
end start

end

------------------------------------------Cut End---------------------------------------------

资源文件源码(rsrc.rc)：
---------------------------------------Cut From Here------------------------------------------
#include     <Resource.h>
#define         IDGEN 10
#define     DLG_MAIN 100
#define EDIT1 11
#define EDIT2 12

DLG_MAIN   DIALOGEX   100,150,250,60
STYLE       DS_MODALFRAME|WS_POPUP|WS_VISIBLE|WS_CAPTION|WS_SYSMENU|WS_THICKFRAME
CAPTION       "DreamWaver3.0 sn-generater By robotow"
FONT       9,"宋体"

BEGIN
CONTROL "SEED:",-1,"Static",SS_LEFT,10,13,40,17
CONTROL "SN:" ,-2,"Static",SS_CENTER,10,40,20,17
CONTROL "" ,11,"Edit",ES_LEFT,30,13,150,10
CONTROL "" ,12,"Edit",ES_LEFT,30,40,150,10
CONTROL "GENERATE",IDGEN,"BUTTON",BS_PUSHBUTTON,200,11,40,15
CONTROL "EXIT",IDCLOSE,"BUTTON",BS_PUSHBUTTON,200,36,41,14
END
-------------------------------------------Cut End---------------------------------------------

批处理编译文件(makefile.bat)：
---------------------------------------Cut From Here------------------------------------------
@echo off
set include=d:\masm32\include
set lib=d:\masm32\lib
set path=d:\masm32\bin

if not exist rsrc.rc goto over1
d:\masm32\bin\rc /v rsrc.rc
d:\masm32\bin\cvtres /machine:ix86 rsrc.res
:over1

if exist dw_keygen.obj del dw_keygen.obj
if exist dw_keygen.exe del dw_keygen.exe

d:\masm32\bin\ml /c /coff dw_keygen.asm
if errorlevel 1 goto errasm

if not exist rsrc.obj goto nores

d:\masm32\bin\Link /SUBSYSTEM:WINDOWS dw_keygen.obj rsrc.obj
if errorlevel 1 goto errlink

goto TheEnd

:nores
d:\masm32\bin\Link /SUBSYSTEM:WINDOWS dw_keygen.obj
if errorlevel 1 goto errlink

goto TheEnd

:errlink
echo _
echo Lin