Exetools  

  #1  
Old 01-07-2006, 21:07
squareD
Problem with P-Code

I'm trying to get a full version of a P-Coded app.

Changing Branch after comparing code number says 'good boy' and works mostly as full version, but the created license file doesn't seem to be correct and after next start it's share again.

So there are two ways to go...

First to fully crack the prog, that means to jump over lots and lots of serial tests.
This is what I could realize now, but I think it's not the best way, because after next update, I have to do so again.

Second is to find out the real code number, but I'm not really familiar with the mnemonics of P-Code.

I only know that serial is generated out of an ID-number of local machine.
In my way it's 3999806

Can anybody give me a bright light on this kind of coding stuff in asm or vb-code, allowing me to find out real code number?

The main piece of code check is in attachment.

EDIT:
Quote:
What is the target name you are working on (where can be obtained)? -> Please update your 1st post
Target is a German application called BewerbungsMaster...
hxxp://www.robl-online.de/

Regards,
squareD
Attached Files
File Type: txt P-Code.txt (1.4 KB, 29 views)

Last edited by squareD; 01-09-2006 at 01:49. Reason: Wish for target name and link
  #2
Old 01-08-2006, 21:41
Sarge
You mean things like:

001D23E9: 6C ILdRf var_458 =Load reference to a variable
001D23EC: 0A ImpAdCallFPR4 Val() =Perform VAL function
-
001D2406: EB CR8I2 Int(number) =Convert 2-Byte Integer to 8-Byte Real
001D2407: CD NeR8 <> =Perform a NotEqual operation on 2 8-Byte Real numbers
-
001D2409: FDF8 CVarBoolI2 = Convert Boolean type to 2-Byte Integer Variant type
-
001D242A: 5D HardType =Cast Variant as specified type.

(These are the best I can remember offhand. I'd have to look them up to be sure, if you need the definite specific description)

It would help a lot if the various opcode parameters were included.

Sarge
  #3
Old 01-09-2006, 00:42
squareD
Thanks Sarge...

Yes indeed, that's what I meant.
But that's not my whole problem.

I'm also thinking about which is compared with which.
Where can I find the compared values?
Are they in registers or on stack?
If they are on stack, how to get the correct stack-address or is it always the current stack-address?

Questions over questions...

I wish I could see how this P-Code check looks in asm, in order to get an approximate conception.

Quote:
It would help a lot if the various opcode parameters were included.
What exactly do you mean?
Please give an example.

Regards,
squareD
  #4
Old 01-09-2006, 08:36
Sh400
Maybe this code helps you?

loc_5D23CD: If (CInt(1) = 0) Then '5D23F8
loc_5D23D0: var_BC = ""
loc_5D23D5: Set var_CC = var_BC
loc_5D23DB: var_AC = "L5010"
loc_5D23E0: Set var_98 = var_AC
loc_5D23EC: Call 0.Method_arg_6F8 (stack: var_98, var_CC, var_98, , )
loc_5D23F8: End If
loc_5D2401: var_88 = Control_ID_1544
loc_5D2407: LateIdLdVar
loc_5D2418: If (CInt() = 1) Then '5D2443
loc_5D241B: var_BC = ""
loc_5D2420: Set var_CC = var_BC
loc_5D2426: var_AC = "L5110"
loc_5D242B: Set var_98 = var_AC
loc_5D2437: Call 0.Method_arg_6F8 (stack: var_98, var_CC, , , )
loc_5D2443: End If
  #5
Old 01-09-2006, 08:56
Sarge
VB PCode is very stack oriented. Many arithmetic operations are performed via the stack. If you notice the line :

CD NeR8 <> =Perform a NotEqual operation on 2 8-Byte Real numbers

you can see that a comparison is performed there. The two numbers being compared are almost certainly the top two entries on the stack.

Likewise, the line

001D242B: FB2F EqVar =

is performing a comparison for EqualTo, with the compared values also almost certainly on the top two positions of the stack; the line

001D244C: E1 GeR8 >=

is performing a comparison for GreaterThanOrEqualTo, and again, almost certainly the top two positions on the stack.

Ok, this type of stuff is pretty obvious based on the names, but some stuff isn't so obvious. How do you handle that? And, what about your question of what is compared and where is it, and even where is the answer found? This is where the parameter values come in. For example, look at the lines

001D2442: 0A ImpAdCallFPR4 Val()
001D2447: ED CR8R8

(Never mind what they do for now). Notice that, with "0A" found at xxx42 and "ED" found at xxx47, we are missing 43, 44, 45, 46 = 4 bytes. It just so happens that the "0A" opcode takes 4 bytes of parameter data. (Any guesses as to which 4 bytes?- Duh!)
So, the line should really be

001D2442: 0A,xx,xx,xx,xx ImpAdCallFPR4 Val()

The xx represents the missing 4 parameter bytes. That info is what will tell you where the actual values live in memory/stack/frame, and therefore which values are actually being used in the comparisons and computations and manipulations that the exe is performing. So, if we knew what those parameter bytes were...?

Sarge

Last edited by Sarge; 01-09-2006 at 09:02. Reason: Typo
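
Sarge's address-gap reasoning above, as an added example that is not part of the original thread: it computes how many parameter bytes each opcode carries from the distance to the next listed address, and rejects a listing in which an opcode would overlap the next address. The listing lines are the ones quoted in this thread; the function names are made up for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Listing lines quoted in this thread, assembled here as sample input.
# A lone "-" marks a place where instructions were left out of the quote,
# so the instruction before it has no usable "next address".
LISTING = """\
001D23E9: 6C ILdRf
001D23EC: 0A ImpAdCallFPR4
-
001D2406: EB CR8I2
001D2407: CD NeR8
-
001D2409: FDF8 CVarBoolI2
-
001D242A: 5D HardType
001D242B: FB2F EqVar
-
001D2442: 0A ImpAdCallFPR4
001D2447: ED CR8R8
"""

# address, opcode bytes (one or two bytes, e.g. "FDF8"), mnemonic
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{2})+)\s+(\S+)")


@dataclass
class Insn:
    addr: int
    opcode: bytes
    mnemonic: str
    operand_len: Optional[int] = None  # None: not derivable from the listing


def parse(listing: str) -> List[Optional[Insn]]:
    """Parse listing lines in order; None stands for a "-" break."""
    items: List[Optional[Insn]] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            items.append(None)
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised listing line: {line!r}")
        items.append(Insn(int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return items


def infer_operand_lengths(items: List[Optional[Insn]]) -> List[Insn]:
    """operand bytes = (next address - this address) - opcode length."""
    insns: List[Insn] = []
    for cur, nxt in zip(items, items[1:] + [None]):
        if cur is None:
            continue
        if nxt is not None:  # only adjacent lines give a trustworthy gap
            gap = nxt.addr - cur.addr
            if gap < len(cur.opcode):
                raise ValueError(
                    f"{cur.addr:08X}: opcode overlaps next address, listing is misaligned"
                )
            cur.operand_len = gap - len(cur.opcode)
        insns.append(cur)
    return insns


def render(insn: Insn) -> str:
    """Show the missing parameter bytes as xx placeholders; ? means unknown."""
    opcode = insn.opcode.hex().upper()
    operands = ",?" if insn.operand_len is None else ",xx" * insn.operand_len
    return f"{insn.addr:08X}: {opcode}{operands} {insn.mnemonic}"


if __name__ == "__main__":
    for insn in infer_operand_lengths(parse(LISTING)):
        print(render(insn))
```

An instruction that is followed by a break or ends the listing is reported with `?`, because its length cannot be derived from addresses alone.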
  #6
Old 01-10-2006, 00:18
squareD
Thanks Sarge and Sh400...

I think that can help a little bit.

First I have to process this mentally and then maybe I make real progress in getting serial.

Regards,
squareD
  #7
Old 01-10-2006, 03:12
Sarge
Is the original exe available? Obviously, it would be easy to get the params from that.

sarge
  #8
Old 01-10-2006, 07:30
Sh400
I think WKTVBdebugger would help a lot. Just load the software in it, put breakpoints and see what happens. WKTVBDbg shows the stack and a memory dump; hope you'll see all the variables.
  #9
Old 01-10-2006, 07:48
GPcH
Full source may help you
Attached Files
File Type: rar BEWERBUNGS-MASTER.rar (463.9 KB, 22 views)
  #10
Old 01-11-2006, 00:10
Sarge
This is my best guess based on a quick analysis. Also, GPcH's stuff is valuable [What took you so long??].

L00001566:
'0A, ImpAdCallFPR4, 12, 00, 04, 00
'Call external routine.
'Parameter 1 = 2 bytes.
'Parameter 2 = 2 bytes.
'Parameter 1 is index into data pool.
'Parameter 2 is number of additional stack bytes used by external routine.
'Index = &h12.
'Number of additional stack bytes = &h4.
'Data pool location = &h42C88C.
'Pointer at index = &h40110E.
'Call is vectored through &h4010E4.
'Pointer to called routine = &h40110E.
'Called routine = "rtcR8ValFromBstr".
'Storage location for return value is function dependent.
'Stack operations: Pop x1.
L00001571:
'ED, CR8R8
'Convert to 8-Byte data value from 8-Byte data value.
'Data value in FloatingPoint register ST0 is multiplied by 1.0.
'Stack operations: None.
L00001572:
'F4, LitI2_Byte, 00
'Define 1-Byte literal Byte.
'Parameter 1 = 1 byte.
'Parameter 1 is 1-Byte Byte value.
'Byte value = 0.
'Byte value is pushed onto stack.
'Stack operations: Push x1.
L00001574:
'EB, CR8I2
'Convert to 8-Byte data type from 2-Byte Integer.
'Integer value is popped off stack.
'<CSng> operation is performed.
'Converted value is stored in FloatingPoint register ST0.
'Stack operations: Pop x1.
L00001575:
'CD, NeR8
'Perform <NotEqualTo> operation on two 8-Byte data types.
'First 8-Byte data value is found on FloatingPoint register ST0.
'Second 8-Byte data value is found on FloatingPoint register ST1.
'Data values are popped off FloatingPoint registers.
'<NotEqualTo> operation is performed.
'Results of comparison = FALSE(0) if data values are the same.
'Results of operation = TRUE(-1) if data values are not the same.
'Result of operation is pushed onto stack.
'Stack operations: Push x1.
L00001576:
'C4, AndI4
'Perform <And> operation on 4-Byte Integer.
'First Integer is popped off stack.
'<And> operation is performed with second Integer located at new top of stack.
'Result of operation overwrites second Integer.
'Stack operations: Pop x1, overwrite.
L00001577:
'FD F8, CVarBoolI2, 34, FD
'Convert to Variant data type from 2-Byte Boolean data type.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFD34.
'2-Byte data value to be converted is popped off stack.
'Result of conversion is 0 if Boolean is False.
'Result of conversion is -1 if Boolean is True.
'VariantDescriptor flag (&h0B) is saved at offset.
'VariantDescriptor value is saved at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x1, Push x1.
L00001581:
'28, LitVarI2, C4, FD, 01, 00
'Define 2-Byte literal Variant.
'Parameter 1 = 2 bytes.
'Parameter 2 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Parameter 2 is 2-Byte data value.
'Offset = &hFDC4.
'Variant data value = 1.
'VariantDescriptor flag (&h02) is stored at offset.
'VariantDescriptor value is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00001586:
'F5, LitI4, 05, 00, 00, 00
'Define 4-Byte literal Integer.
'Parameter 1 = 4 bytes.
'Parameter 1 is Integer value.
'Integer value = 5.
'Integer value is pushed onto stack.
'Stack operations: Push x1.
L00001591:
'05, ImpAdLdRf, 2D, 00
'Load address of reference.
'Parameter 1 = 2 bytes.
'Parameter 1 is index into data pool.
'Index = &h2D.
'Data pool location = &h42C88C.
'Pointer value at index = &h6526B4.
'Pointer value is address of reference to item.
'Pointer value is pushed onto stack.
'Stack operations: Push x1.
L00001594:
'04, FLdRfVar, 94, FD
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFD94.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00001597:
'0A, ImpAdCallFPR4, 11, 00, 10, 00
'Call external routine.
'Parameter 1 = 2 bytes.
'Parameter 2 = 2 bytes.
'Parameter 1 is index into data pool.
'Parameter 2 is number of additional stack bytes used by external routine.
'Index = &h11.
'Number of additional stack bytes = &h10.
'Data pool location = &h42C88C.
'Pointer at index = &h401108.
'Call is vectored through &h401044.
'Pointer to called routine = &h401108.
'Called routine = "rtcMidCharVar".
'Storage location for return value is function dependent.
'Stack operations: Pop x4.
L00001602:
'04, FLdRfVar, 94, FD
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFD94.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00001605:
'3A, LitVarStr, 84, FD, 2E, 00
'Define String Variant.
'Parameter 1 = 2 bytes.
'Parameter 2 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Parameter 2 is index into data pool.
'Offset = &hFD84.
'Index = &h2E.
'Data pool location = &h42C88C.
'Pointer value at index in data pool = &h462DA8.
'Pointer value points to StringText.
'StringText at Pointer = "/".
'VariantDescriptor flag (&h08) is stored into local Frame at offset.
'VariantDescriptor value (address of string) is stored into local Frame at offset + &h08.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00001610:
'5D, HardType
'Cast variant as specific data type.
'Address of VariantDescriptor is read from stack.
'VariantDescriptor at that address is accessed.
'VariantDescriptor flag has MSB set.
'Variant can no longer be coerced to a different data type.
'Stack operations: None.
L00001611:
'FB 2F, EqVar, 74, FD
'Perform <EqualTo> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFD74.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'<EqualTo> operation is performed.
'Result of operation = TRUE(-1) if Variants are equal.
'Result of operation = FALSE(0) if Variants are not equal.
'VariantDescriptor flag of result of operation (&h0B) is stored at offset.
'VariantDescriptor value of result of operation is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00001615:
'FB 27, AndVar, 14, FD
'Perform <And> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFD14.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'<And> operation is performed.
'VariantDescriptor flag of result of operation is stored at offset.
'VariantDescriptor value of result of operation is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00001619:
'FB 1F, OrVar, 04, FD
'Perform <Or> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFD04.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'<Or> operation is performed.
'VariantDescriptor flag of result of operation is stored at offset.
'VariantDescriptor value of result of operation is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.

(continued next post)
  #11
Old 01-11-2006, 00:11
Sarge
L00001623:
'FB 27, AndVar, E4, FC
'Perform <And> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFCE4.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'<And> operation is performed.
'VariantDescriptor flag of result of operation is stored at offset.
'VariantDescriptor value of result of operation is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00001627:
'05, ImpAdLdRf, 2D, 00
'Load address of reference.
'Parameter 1 = 2 bytes.
'Parameter 1 is index into data pool.
'Index = &h2D.
'Data pool location = &h42C88C.
'Pointer value at index = &h6526B4.
'Pointer value is address of reference to item.
'Pointer value is pushed onto stack.
'Stack operations: Push x1.
L00001630:
'FD FE, CStrVarVal, 9C, FB
'Convert to String from Variant.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFB9C.
'Address of VariantDescriptor is popped off stack.
'VariantDescriptor data value is address of string.
'VariantDescriptor data value is pushed onto stack.
'Stack operations: Pop x1, Push x1.
L00001634:
'0A, ImpAdCallFPR4, 12, 00, 04, 00
'Call external routine.
'Parameter 1 = 2 bytes.
'Parameter 2 = 2 bytes.
'Parameter 1 is index into data pool.
'Parameter 2 is number of additional stack bytes used by external routine.
'Index = &h12.
'Number of additional stack bytes = &h4.
'Data pool location = &h42C88C.
'Pointer at index = &h40110E.
'Call is vectored through &h4010E4.
'Pointer to called routine = &h40110E.
'Called routine = "rtcR8ValFromBstr".
'Storage location for return value is function dependent.
'Stack operations: Pop x1.
L00001639:
'ED, CR8R8
'Convert to 8-Byte data value from 8-Byte data value.
'Data value in FloatingPoint register ST0 is multiplied by 1.0.
'Stack operations: None.
L00001640:
'6F, FLdFPR8, 88, FB
'Load 8-Byte data value.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFB88.
'8-Byte data value is located at offset.
'8-Byte data value is copied onto FloatingPoint register stack.
'Stack operations: None.
L00001643:
'ED, CR8R8
'Convert to 8-Byte data value from 8-Byte data value.
'Data value in FloatingPoint register ST0 is multiplied by 1.0.
'Stack operations: None.
L00001644:
'E1, GeR8
'Perform <GreaterThanOrEqualTo> operation on two 8-Byte data types.
'First 8-Byte data value is found on FloatingPoint register ST0.
'Second 8-Byte data value is found on FloatingPoint register ST1.
'Data values are popped off FloatingPoint registers.
'<GreaterThanOrEqualTo> operation is performed.
'Result of operation = TRUE(-1) if second 8-Byte data value is GreaterThan or EqualTo first 8-Byte data value.
'Result of operation = FALSE(0) if second 8-Byte data value is LessThan first 8-Byte data value.
'Result of operation is pushed onto stack.
'Stack operations: Push x1.
L00001645:
'FD F8, CVarBoolI2, 64, FC
'Convert to Variant data type from 2-Byte Boolean data type.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFC64.
'2-Byte data value to be converted is popped off stack.
'Result of conversion is 0 if Boolean is False.
'Result of conversion is -1 if Boolean is True.
'VariantDescriptor flag (&h0B) is saved at offset.
'VariantDescriptor value is saved at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x1, Push x1.
L00001649:
'FB 27, AndVar, 54, FC
'Perform <And> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFC54.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'<And> operation is performed.
'VariantDescriptor flag of result of operation is stored at offset.
'VariantDescriptor value of result of operation is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00001653:
'FF 1B, CBoolVarNull
'Convert to Boolean value from Variant value.
'Address of Boolean Variant is popped off stack.
'Boolean value of Variant (FALSE = 0, TRUE = -1) is pushed onto stack.
'Stack operations: Pop x1, Push x1.
L00001657:
'32, FFreeStr, E4, FD, C0, FB, B8, FB, A8, FB, A4, FB, A0, FB, 9C, FB, 94, FB, 90, FB
'Free memory used by multiple strings.
'Parameter list represents 9 strings.
'Parameter list represents offsets into local Frame.
'Data at offset locations represents pointers to strings to be freed.
'Strings at these pointer locations will be freed from memory.
'Strings are freed by storing zeros into offset locations.
'Stack operations: None.
L00001678:
'29, FFreeAd, 48, FE, C4, FB, BC, FB, B4, FB, AC, FB, 98, FB
'Free memory used by multiple addresses.
'Parameter list represents 6 addresses.
'Parameter list represents offsets into local Frame.
'Data at offset locations represents addresses to be freed.
'Addresses at these offsets will be freed from memory.
'Addresses are freed by storing zeros into offset locations.
'Stack operations: None.
L00001693:
'36, FFreeVar, 28, FE, C4, FD, 94, FD, 34, FD, 24, FD, D4, FC, 64, FC
'Free memory used by multiple Variants
'Parameter list represents 7 variants.
'Parameter list represents offsets into local Frame.
'Data at offset locations represents pointers to VariantDescriptors of Variants to be freed.
'Variants at these offsets will be freed from memory.
'Variants are freed by storing zeros into offset locations.
'Stack operations: None.
L00001708:
'1C, BranchF, 32, 0C
'Branch if FALSE.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into current code procedure for branch.
'Offset points to L00003122.
'TRUE(-1)/FALSE(0) data is popped off stack.
'If data is FALSE, branch code flow to location indicated by offset.
'If data is not FALSE, continue code flow to next sequential instruction.
'Stack operations: Pop x1.

Good luck
Sarge
  #12
Old 01-11-2006, 02:01
squareD
Thanks a lot to all of you for helping me so kindly.

I will study the whole information and keep you up to date what's going on with my efforts.

Regards
squareD
  #13
Old 02-06-2006, 19:44
squareD
Hello,

as announced in the last post, here a report of my efforts...

First the good message:
I found a working codenumber and I know the algo to generate it.

After tinkering for 8 weeks and more with no step forward, I did something, what otherwise isn't my kind.

I knew, that there was a keygen for versions in 2004 and partly in 2005 by an unknown guy and I analysed his great work.

So I found out the very simple algo for generating a codenumber from ID.
Just two multiplications and one addition.
But I still could not reconstruct it in P-Code!

So I took good old Olly with a BP on memory access at first multiplication and traced a little bit.
All results of mathematical operations are shown in ST7...
No problem and very easy, but not the way to be proud.

So may I ask all P-Code gurus to teach me, how to get codenumber right out of WKT debugger.
Seems like results always remain in STx registers, because searching with WinHex in memory brought no success.

This is piece of code, where to find calculation in actual v1.4 of BewerbungsMaster 2006:

loc_6048CD: FLdRfVar var_208
loc_6048D0: MulVar var_1D8 1st multiplication
loc_6048D4: FLdRfVar var_22C
loc_6048D7: MulVar var_1F8 2nd multiplication
loc_6048DB: FLdRfVar var_218
loc_6048DE: AddVar var_23C addition
loc_6048E2: FStVar

Regards,
squareD
  #14
Old 02-06-2006, 21:46
Sarge
P code

I found that sequence in two places. I didn't bother to work out the offset values to determine which one is appropriate...you have to do the other math anyway, so why not do that too?

Sub Command1_Click( )


L00000265:
'04, FLdRfVar, F8, FD
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFDF8.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00000268:
'FB B4, MulVar, 28, FE
'Perform <Multiplication> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFE28.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00000272:
'04, FLdRfVar, D4, FD
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFDD4.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00000275:
'FB B4, MulVar, 08, FE
'Perform <Multiplication> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFE08.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00000279:
'04, FLdRfVar, E8, FD
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFDE8.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00000282:
'FB 94, AddVar, C4, FD
'Perform <Addition> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFDC4.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'First VariantDescriptor value is added to second VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00000286:
'FC F6, FStVar, B4, FD
'Store Variant data.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFDB4.
'Address of VariantDescriptor is popped off stack.
'VariantDescriptor data is stored into local Frame at offset.
'Stack operations: Pop x1.



Sub Text1_Change( )

L00000200:
'04, FLdRfVar, 2C, FF
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFF2C.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00000203:
'FB B4, MulVar, 6C, FF
'Perform <Multiplication> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFF6C.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00000207:
'04, FLdRfVar, 08, FF
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFF08.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00000210:
'FB B4, MulVar, 3C, FF
'Perform <Multiplication> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFF3C.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00000214:
'04, FLdRfVar, 1C, FF
'Load reference to variable.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFF1C.
'Data at offset is reference to variable.
'Address of offset is pushed onto stack.
'Stack operations: Push x1.
L00000217:
'FB 94, AddVar, F8, FE
'Perform <Addition> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFEF8.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'First VariantDescriptor value is added to second VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
L00000221:
'FC F6, FStVar, E8, FE
'Store Variant data.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFEE8.
'Address of VariantDescriptor is popped off stack.
'VariantDescriptor data is stored into local Frame at offset.
'Stack operations: Pop x1.


Good luck
Sarge
  #15
Old 02-07-2006, 23:48
squareD
Sub Command1_Click( ) is the right one...

Thanks for your explanation, but it didn't help me so far.
Maybe I'm struck with blindness.

Let me give you an example with first multiplication:
Quote:
L00000268:
'FB B4, MulVar, 28, FE
'Perform <Multiplication> operation on two Variants.
'Parameter 1 = 2 bytes.
'Parameter 1 is offset into local Frame.
'Offset = &hFE28.
'Address of first VariantDescriptor is popped off stack.
'Address of second VariantDescriptor is popped off stack.
'Second VariantDescriptor value is multiplied by first VariantDescriptor value.
'VariantDescriptor flag of result is stored at offset.
'VariantDescriptor value of result is stored at offset + 8.
'Address of offset is pushed onto stack.
'Stack operations: Pop x2, Push x1.
First multiplication is 3999806 x 5 or in Hex 3D083Eh x 05h

002048E4: FBB4 MulVar *

I'm on the above instruction in WKT and top of Stack shows:

0012E4D0: 68E81200 284B6500

Looking at 0012E868 supplies 02000000 and looking at 00654B28 supplies 08001200

If addresses are popped off stack, in my opinion, the values to be multiplied should be stored at 0012E868 and 00654B28.

Maybe I'm totally wrong?

But worst thing is, that I searched with WinHex in whole memory and never found 3E083D (3D083E = 3999806).

So I'm still wondering how these operations will work.

Regards,
squareD