DreamWaver3.0注册流程分析
作者: 夜月
E-mail:luoyi.ly@yeah.net
写作日期:31th, August 2001
软件背景资料
运行平台: Win9X
文件名称: DreamWaver.exe
程序类型: 网页制作工具
下载地点: 未知
文件大小: 不详
使用的工具
Trw2000 V1.23--Win9X Debugger
Turboc V2.00--KeyGen Compiler1
Masm32 V5.00--KeyGen Compiler2
难易程度
Easy( )
Medium(X) Hard( ) Pro( )
------------------=====Declare=====------------------
未经作者同意,不得修改、引用原文,一切权利保留。
本教程只供教学用,其他一切用途皆被禁止。
------------------=====Begin=====------------------
给三个能用的DreamWaver3.0的注册码:
(1) DWW300-71511-95480-68658
(2) WBW300-79525-15490-68658
(3) WLW300-70814-65498-68658
由此可以看出DreamWaver的注册码应该满足以下几个基本条件:
(Str[]指向注册码字符串)
(A) strlen(Str)=24
(B) Str[6],Str[12],Str[18]固定为“-”
(C) Str[3]——Str[7]
检验得知:如果为“300-7”则生成的是教学班的序列号
如果为“300-0”则生成的是完全版的序列号
(D) Str[0]——Str[2]有三个可选项。程序安装成功后,每一个字符串都可以注册成功。但在安装程序
需要输入序列号时,开头为“WBW”的序列号不能通过,会被认为是旧版的序列号。
基本条件就是如此。序列号的具体算法比较复杂。把整段字符串分成了5部分(不包括“DWW”,
“WBW”,“WLW”这一串)。具体实施过程如下:
(以第一个号码:DWW300-71511-95480-68658为例)
NUM1 = atoi(Str[3]——Str[5]) = 300
NUM2 = atoi(Str[7]) = 7
NUM3
= atol(strcat(Str[15],Str[14],Str[21],Str[20],Str[23],Str[19],Str[22]))
= 4568865
NUM4 = atoi(strcat(Str[10],Str[17],Str[16]))
= 108
NUM5 = atoi(strcat(Str[8],Str[9],Str[11],Str[13])) = 1519
这五个号码中,NUM3无任何限制,只要是7位数的整数就行。NUM4是由一个随机数查表得来的一个
值,表不大,总共才15个数。也就是说,NUM4总共只有15种选择。NUM1,NUM2固定。NUM5就是最后
用来校验的——看根据NUM1,NUM2,NUM3,NUM4四个数算出来的值等不等于NUM5(这段计算真的很复
杂,我用A4的纸打了3张)。
具体算法表示如下:
(num1=NUM3,num2=NUM4。写注册机时图方便去了,没考虑到会给写这篇文章带来麻烦)
---------------------------------------Cut From Here------------------------------------------
edx1=num1/100000;edx2=num1/100;edx3=num1/1000000;edx4=num1/10000;
edx5=num2/100;edx6=3;edx7=30;ebx1=num2/10;edi1=num1/10;
ebp1=num1/1000;edx8=edx3+ebp1;
temp=7*(ebp1+num2)+3*(3*(edx1+ebx1+7)+edi1+edx2)+edx7+edx6+edx5+edx4+edx3+num1;
num[0]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edi1+3*(edx8+3*num2+ebx1)+edx7+edx6+edx5+edx4+edx2+edx1+7+num1;
num[1]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edx8+3*(3*ebx1+edx5+edx7+edx2)+edx6+edx4+edi1+edx1+num1+7+num2;
num[2]=(int) (temp-(temp/10)*10)+0x30;
temp=7*(edx6+edx2+ebx1)+3*(edx4+3*(edx7+num1)+edx3+edi1)+edx5+ebp1+edx1+7+num2;
num[3]=(int) (temp-(temp/10)*10)+0x30;
------------------------------------------Cut
End---------------------------------------------
有了这个核心算法,相信用Tc2.0作注册机,应该是很简单的事情了吧?
------------------=====KeyGen1(C)=====------------------
Tc2.0版注册机原码(dw_keygen.exe):
---------------------------------------Cut
From Here------------------------------------------
main()
{
void
geneax(unsigned long num1,int num2,char *num);
unsigned long a;
int
b,c;
int table[15]={0x51,0x5c,0x6a,0x102,0x10b,0xb6,0xbb,0xc5,0xc0,
0xa2,0xa8,0x52,0x54,0x5d,0x6d};
char
sn[26]={"DWW300-7"};
char num1[7],num2[3],num3[4];
seed1: printf("Please
Input Seed1:\n");
scanf("%lu",&a);
if (a<1000000||a>=0x949d5b)
{
printf("Seed1 Must Be [1000000,9739612]");
goto seed1;
}
seed2: printf("Please
Input Seed2 (0--14 but 1,7,8):\n");
scanf("%d",&b);
if (b<0 ||
b==1 || b==7 || b==8 || b>14)
{
printf("Seed2
Muse Be 0--14 But 1,7,8!\n");
goto seed2;
}
if (b==5 || b==6 || b==7 || b==8) {sn[0]='W';sn[1]='B';}
if (b==9 || b==10) {sn[0]='W';sn[1]='L'; }
b=table[b];
b+=27;
geneax(a,b,num3);
ultoa(a,num1,10);itoa(b,num2,10);
sn[8]=num3[0];sn[9]=num3[1];sn[10]=num2[0];sn[11]=num3[2];
sn[12]='-';sn[13]=num3[3];sn[14]=num1[1];sn[15]=num1[0];
sn[16]=num2[2];sn[17]=num2[1];sn[18]='-';sn[19]=num1[5];
sn[20]=num1[3];sn[21]=num1[2];sn[22]=num1[6];sn[23]=num1[4];
printf("SN
CODE IS:\n");
printf("%s",sn);
}
void geneax(unsigned long
num1,int num2,char *num)
{
unsigned long temp,edx1,edx2,edx3,edx4,edx5,edx6,edx7,edx8,
ebx1,edi1,ebp1;
edx1=num1/100000;edx2=num1/100;edx3=num1/1000000;edx4=num1/10000;
edx5=num2/100;edx6=3;edx7=30;ebx1=num2/10;edi1=num1/10;
ebp1=num1/1000;edx8=edx3+ebp1;
temp=7*(ebp1+num2)+3*(3*(edx1+ebx1+7)+edi1+edx2)+edx7+edx6+edx5+edx4+edx3+num1;
num[0]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edi1+3*(edx8+3*num2+ebx1)+edx7+edx6+edx5+edx4+edx2+edx1+7+num1;
num[1]=(int) (temp-(temp/10)*10)+0x30;
temp=7*edx8+3*(3*ebx1+edx5+edx7+edx2)+edx6+edx4+edi1+edx1+num1+7+num2;
num[2]=(int) (temp-(temp/10)*10)+0x30;
temp=7*(edx6+edx2+ebx1)+3*(edx4+3*(edx7+num1)+edx3+edi1)+edx5+ebp1+edx1+7+num2;
num[3]=(int) (temp-(temp/10)*10)+0x30;
}
------------------------------------------Cut
End---------------------------------------------
------------------=====KeyGen1(ASM)=====------------------
说实话,对这个程序而言,用Tc2.0写注册机实在是很累人。那段核心算法很长也很复杂。针对算法
的特点,我建议大家用Masm32写注册机,那样比较方便——只要直接把在Trw2000中“U”下来的代码粘贴到
源文件中就行了,需要改动的地方不多。
下面就是Masm32V5版的注册机源码:
Masm32版注册机源码(dw_keygen.exe):
---------------------------------------Cut From Here------------------------------------------
.386
.model
flat,stdcall
option casemap:none
include
windows.inc
include user32.inc
include kernel32.inc
include
comctl32.inc
include comdlg32.inc
include masm32.inc
includelib
masm32.lib
includelib user32.lib
includelib
kernel32.lib
includelib comctl32.lib
includelib comdlg32.lib
DLG_MAIN
equ 100
IDGEN equ
10
Edit1 equ 11
Edit2 equ 12
_ProcDlgMain PROTO :DWORD,:DWORD,:DWORD,:DWORD
_Math PROTO :DWORD,:DWORD,:DWORD
.data?
EDX1
DD ?
EDX2
DD ?
EDX3 DD
?
EDX4 DD
?
EDX5 DD
?
EDX6 DD ?
EDX7 DD ?
EDX8 DD ?
EAX1
DD ?
EBP1
DD ?
EDI1
DD ?
EBX1
DD ?
.data
szMess db "Seed Must
Be [1000000,9000000]!",0
szCaption db
"Error!"
hInstance dd ?
Number
dd ?
Num1
db 7 dup(?),0
Num2
db 4 dup(?),0
snString1
db 4 dup(?),0
snString2
db 5 dup(?),0
snString3
db 5 dup(?),0
snString
db "DWW300-7%s-%s-%s",0
sn
db 24 dup(?),0
ddEbp
dd ?
.code
_Math
proc N1,N2,N3 ;这个过程就是粘贴过来的,很长吧?
MOV
ECX,N1
MOV
EAX,14F8B589H
IMUL ECX
SAR EDX,0DH
MOV
EAX,EDX
PUSH EBX
SHR EAX,1FH
PUSH
EBP
ADD EDX,EAX
PUSH ESI
MOV
ESI,N3
MOV
EAX,66666667H
MOV
EDX1,EDX
IMUL ESI
SAR EDX,02H
MOV
EAX,EDX
PUSH EDI
SHR EAX,1FH
ADD
EDX,EAX
MOV EAX,51EB851FH
MOV EBX,EDX
IMUL ECX
SAR
EDX,05H
MOV EAX,EDX
MOV EBX1,EBX
SHR EAX,1FH
ADD
EDX,EAX
MOV EAX,66666667H
MOV EDX2,EDX
IMUL ECX
SAR
EDX,02H
MOV EAX,EDX
SHR EAX,1FH
ADD EDX,EAX
MOV
EAX,10624DD3H
MOV
EDI,EDX
IMUL ECX
SAR EDX,06H
MOV
EAX,EDX
MOV EDI1,EDI
SHR EAX,1FH
ADD EDX,EAX
MOV
EAX,431BDE83H
MOV
EBP,EDX
IMUL ECX
SAR EDX,12H
MOV
EAX,EDX
MOV EBP1,EBP
SHR EAX,1FH
ADD EDX,EAX
MOV
EAX,68DB8BADH
MOV
EDX3,EDX
IMUL ECX
SAR EDX,0CH
MOV
EAX,EDX
SHR EAX,1FH
ADD EDX,EAX
MOV EAX,51EB851FH
MOV
EDX4,EDX
IMUL ESI
SAR EDX,05H
MOV
EAX,EDX
SHR EAX,1FH
ADD EDX,EAX
MOV EAX,51EB851FH
MOV
EDX5,EDX
MOV
EDX,300
IMUL EDX
SAR EDX,05H
MOV
EAX,EDX
SHR EAX,1FH
ADD EDX,EAX
MOV EAX,66666667H
MOV
EDX6,EDX
MOV
EDX,300
IMUL EDX
SAR EDX,02H
MOV
EAX,EDX
SHR EAX,1FH
ADD EDX,EAX
MOV EDX7,EDX
MOV
EDX,EDX3
ADD
EDX,EBP
MOV EAX,EDX1
MOV EDX8,EDX
MOV EDX,7H
ADD EAX,EBX
ADD
EAX,EDX
ADD EBP,ESI
LEA EDX,[EDI+EAX*2]
ADD EAX,EDX
MOV
EDX,EDX2
ADD
EAX,EDX
MOV EDX,EDX7
MOV EAX1,EAX
ADD
EDX,EAX
LEA EAX,[EBP*8+00]
SUB EAX,EBP
MOV EBP,EAX1
LEA
EDX,[EDX+EBP*2]
MOV
EBP,EDX5
ADD EAX,EDX
MOV EDX,EDX6
ADD EAX,EDX
MOV
EDX,EDX4
ADD
EAX,EBP
MOV EBP,EDX3
ADD EAX,EDX
ADD
EAX,EBP
MOV
EBP,0AH
ADD
EAX,ECX
CDQ
IDIV EBP
MOV
EAX,EDX8
LEA
EAX,[EAX+ESI*2]
LEA EBP,[EDX+EDX*4]
MOV EDX,ESI
ADD EDX,EAX
MOV
EAX,EDX7
ADD
EDX,EBX
LEA EBX,[EDX+EAX]
LEA EAX,[EDI*8+00]
SUB EAX,EDI
MOV
EDI,EDX5
LEA
EDX,[EBX+EDX*2]
MOV EBX,EDX6
ADD EAX,EDX
MOV EDX,EDX4
ADD
EAX,EBX
MOV EBX,0AH
ADD EAX,EDI
MOV EDI,EDX2
ADD
EAX,EDX
MOV EDX,EDX1
ADD EAX,EDI
ADD EAX,EDX
MOV
EDX,7H
ADD EAX,ECX
ADD EAX,EDX
CDQ
IDIV
EBX
LEA EAX,[EDX+EBP*2]
MOV EDX,EBX1
LEA EBX,[EAX+EAX*4]
MOV
EAX,EDX7
LEA
EAX,[EAX+EDX*2]
ADD EDX,EAX
MOV EAX,EDX5
ADD EDX,EAX
MOV
EAX,EDX6
ADD
EDX,EDI
MOV EDI,EDX8
LEA EBP,[EDX+EAX]
LEA
EAX,[EDI*8+00]
SUB
EAX,EDI
MOV EDI,EDI1
LEA EDX,[EBP+EDX*2+00]
MOV EBP,EDX4
ADD
EAX,EDX
ADD EAX,EBP
ADD EAX,EDI
MOV EDI,EDX1
ADD
EAX,EDI
ADD EAX,ECX
MOV EDX,7
MOV EBP,0AH
ADD
EAX,EDX
ADD EAX,ESI
CDQ
IDIV
EBP
MOV EBP,EDX3
LEA EAX,[EDX+EBX*2]
MOV EDX,EDX4
LEA
EBX,[EAX+EAX*4]
MOV
EAX,EDX7
ADD ECX,EAX
LEA EAX,[EDX+ECX*2]
MOV EDX,EDI1
ADD
ECX,EAX
MOV EAX,EDX6
ADD ECX,EBP
ADD ECX,EDX
MOV
EDX,EDX5
LEA
EBP,[ECX+EDX]
MOV EDX,EDX2
ADD EDX,EAX
MOV EAX,EBX1
ADD
EDX,EAX
LEA ECX,[EBP+ECX*2+00]
LEA EAX,[EDX*8+00]
SUB EAX,EDX
MOV
EDX,7
ADD EAX,ECX
MOV ECX,EBP1
ADD EAX,ECX
MOV
ECX,0AH
ADD EAX,EDI
POP EDI
ADD EAX,EDX
ADD
EAX,ESI
POP ESI
CDQ
IDIV
ECX
POP EBP
LEA EAX,[EDX+EBX*2]
POP EBX
RET
_Math endp
_ProcDlgMain proc uses ebx edi
esi edx ecx,hWnd:DWORD,wMsg:DWORD,wParam:DWORD,lParam:DWORD
mov eax,wMsg
.if
eax==WM_CLOSE
invoke EndDialog,hWnd,NULL
.elseif eax==WM_COMMAND
mov eax,wParam
and eax,0ffffh
.if
eax==IDGEN
invoke GetDlgItemText, hWnd,Edit1,offset Num1,8
invoke atodw,offset Num1
.if eax<1000000 || eax>9000000
invoke MessageBox,hWnd,offset szMess,offset
szCaption,MB_ICONSTOP
ret
.endif
mov ecx,eax
mov eax,7
mov
edx,108
invoke _Math,ecx,eax,edx
mov
Number,eax
invoke dwtoa,Number,offset Num2
mov
al,[Num1]
mov [snString2+2],al
mov
al,[Num1+1]
mov [snString2+1],al
mov
al,[Num1+2]
mov [snString3+2],al
mov
al,[Num1+3]
mov [snString3+1],al
mov
al,[Num1+4]
mov [snString3+4],al
mov
al,[Num1+5]
mov [snString3],al
mov
al,[Num1+6]
mov [snString3+3],al
mov
al,[Num2]
mov [snString1],al
mov
al,[Num2+1]
mov [snString1+1],al
mov
al,[Num2+2]
mov [snString1+3],al
mov
al,[Num2+3]
mov [snString2],al
mov
[snString1+2],'1'
mov [snString2+3],'8'
mov
[snString2+4],'0'
invoke wsprintf,offset sn,offset snString,offset
snString1,offset snString2,offset snString3
invoke SetDlgItemText,hWnd,Edit2,offset
sn
mov eax,FALSE
ret
.elseif eax==IDCLOSE
invoke EndDialog,hWnd,NULL
.endif
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
_ProcDlgMain endp
start:
invoke InitCommonControls
invoke
GetModuleHandle,NULL
mov hInstance,eax
invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset
_ProcDlgMain,0
invoke ExitProcess,NULL
end start
end
------------------------------------------Cut
End---------------------------------------------
资源文件源码(rsrc.rc):
---------------------------------------Cut From Here------------------------------------------
#include <Resource.h>
#define
IDGEN 10
#define
DLG_MAIN 100
#define
EDIT1 11
#define
EDIT2 12
DLG_MAIN DIALOGEX
100,150,250,60
STYLE DS_MODALFRAME|WS_POPUP|WS_VISIBLE|WS_CAPTION|WS_SYSMENU|WS_THICKFRAME
CAPTION "DreamWaver3.0 sn-generater
By robotow"
FONT 9,"宋体"
BEGIN
CONTROL "SEED:",-1,"Static",SS_LEFT,10,13,40,17
CONTROL "SN:" ,-2,"Static",SS_CENTER,10,40,20,17
CONTROL "" ,11,"Edit",ES_LEFT,30,13,150,10
CONTROL "" ,12,"Edit",ES_LEFT,30,40,150,10
CONTROL "GENERATE",IDGEN,"BUTTON",BS_PUSHBUTTON,200,11,40,15
CONTROL "EXIT",IDCLOSE,"BUTTON",BS_PUSHBUTTON,200,36,41,14
END
-------------------------------------------Cut End---------------------------------------------
批处理编译文件(makefile.bat):
---------------------------------------Cut
From Here------------------------------------------
@echo off
set include=d:\masm32\include
set lib=d:\masm32\lib
set path=d:\masm32\bin
if not exist
rsrc.rc goto over1
d:\masm32\bin\rc /v rsrc.rc
d:\masm32\bin\cvtres
/machine:ix86 rsrc.res
:over1
if exist dw_keygen.obj del dw_keygen.obj
if exist dw_keygen.exe del dw_keygen.exe
d:\masm32\bin\ml /c /coff
dw_keygen.asm
if errorlevel 1 goto errasm
if not exist rsrc.obj
goto nores
d:\masm32\bin\Link /SUBSYSTEM:WINDOWS dw_keygen.obj rsrc.obj
if errorlevel 1 goto errlink
goto TheEnd
:nores
d:\masm32\bin\Link /SUBSYSTEM:WINDOWS dw_keygen.obj
if errorlevel 1
goto errlink
goto TheEnd
:errlink
echo _
echo Lin