:启动防火墙。
定位处理“启动防火墙”(START FIREWALL)命令的代码,并输入一个假的密码:
004013C5 push offset aStartFirewall ; "START FIREWALL"
004013CA push dword_40D5E4 ; our command
004013D0 call loc_40232C ; compare the command with "START FIREWALL" (the fall-through path below requires eax == 0, i.e. a match)
004013D5 add esp, 8
004013D8 test eax, eax ; equals??
004013DA jnz loc_401484
004013E0 cmp byte_40B1C0, 0 ; the security mode is enabled??
004013E7 jz loc_401484 ; yes!, no jump
004013ED cmp byte_40B1C1, 0 ; the pacman is enabled??
004013F4 jz loc_401484 ; yes!!, no jump
...
00401425 call j_GetDlgItemTextA ; reads the password typed for the firewall command from the dialog control
0040142A push dword_40D5E8
00401430 call loc_401108 ; routine that checks the password (its core loop is reproduced below)
这样就进入了密码校验例程(loc_401108),其核心循环如下:
00401118 movsx eax, byte ptr [esi] ; NOTE: the operand is [esi], not [esi+ebx] -- every iteration re-reads the FIRST byte of the password (sign-extended, so bytes >= 80h become negative)
0040111B add eax, ebx ; plus the current index
0040111D add ecx, eax ; ecx accumulates (s[0] + i) for each position i and later becomes the divisor -- if the listing is transcribed correctly, this value depends only on s[0] and the length, not on the other characters
0040111F cmp ecx, 0B4h ; while ecx > 0B4h (signed compare): ecx -= 1Dh; negative values pass through unchanged
00401125 jle short loc_401132
00401127 sub ecx, 1Dh
0040112A cmp ecx, 0B4h
00401130 jg short loc_401127
00401132 inc ebx
00401133 cmp byte ptr [esi+ebx], 0 ; reached the NUL terminator of the password?
00401137 jnz short loc_401118 ; no: jump up...
00401139 cmp ebx, 8 ; ebx = password length; it must be at least 8 chars
0040113C jge short loc_401142
0040113E xor eax, eax ; otherwise....error!
00401140 jmp short loc_401196
00401142 movsx edi, byte ptr [esi+ebx-1] ;
00401147 movsx eax, byte ptr [esi+ebx-2] ;
0040114C add edi, eax ;
0040114E movsx edx, byte ptr [esi+ebx-3] ;
00401153 add edi, edx ; sum the last 3 chars of the password
00401155 mov eax, edi
00401157 cdq
00401158 idiv ecx ; eax = sum / ecx, edx = sum % ecx (signed). No check that ecx != 0 is visible here: a zero accumulated value would raise a divide-error exception (whether 0 is reachable depends on ecx's initial value, set before this excerpt)
0040115A mov [ebp-4], eax ; stores the ratio
0040115D mov eax, edi ; the division is repeated; the first idiv already left the remainder in edx, so this looks like unoptimized compiler output
0040115F cdq ; "
00401160 idiv ecx ; "
00401162 mov eax, edx ; eax = remainder (sum % ecx)
00401164 cmp dword ptr [ebp-4], 0 ; test the quotient
00401168 jle short loc_401189 ; jump to the error path if the quotient is <= 0 (zero or negative); for non-negative values this means the three-char sum must be at least ecx
0040116A mov edx, ebx ; edx = ebx / 2 via the signed-divide-by-2 idiom (sar + jns/adc rounds toward zero) = index of the 'middle' char
0040116C sar edx, 1
0040116E jns short loc_401173
00401170 adc edx, 0
00401173 movsx ecx, byte ptr [esi+edx-1] ; cl is the 'middle' |