
吾愛破解160個crackme之014

題目是vb的,沒有加殼,比較傳統簡單的題目。
輸入123456789,開啟vbcompiler,找到函式斷點下斷即可,
因為較簡單,就不細說,關鍵程式碼如下:

004036E5   .  83F8 09       cmp eax,0x9                                          ; eax is presumably the input length (write-up: exactly 9 characters required)
004036E8   .  0f95c1        setne cl                                             ; cl = 1 if length != 9, else 0 (only the low byte of ecx is written)
004036EB   .  F7D9          neg ecx                                              ; ecx = -1 (VB True) if length != 9, else 0; relies on ecx's upper bytes already being zero (not visible here)
004036ED   .  8BF1          mov esi,ecx                                          ; keep the "wrong length" flag in esi for the branch that follows (not shown)

規定九個字元

0040377C   > /66:8B8D 14FFF>mov cx,word ptr ss:[ebp-0xEC]                        ;  decision point: cx = loop upper bound held at [ebp-0xEC] (9 per the write-up)
00403783   . |66:394D E8    cmp word ptr ss:[ebp-0x18],cx                        ;  [ebp-0x18] = loop counter (same slot is read at 004038F1 and 00403A0E)
00403787   . |0F8F 17030000 jg bjanes_1.00403AA4                                 ;  signed compare: leave the loop once counter > bound (00403AA4 is not in this listing)

九個字元必須正確,判斷九次

004039AB   .  8D8D 30FFFFFF lea ecx,dword ptr ss:[ebp-0xD0]                      ; first operand of __vbaVarTstNe (write-up: the computed Double)
004039B1   .  8D55 80       lea edx,dword ptr ss:[ebp-0x80]                      ; second operand (write-up: the serial character entered by the user)
004039B4   .  51            push ecx                                             ; /var18 = NULL
004039B5      52            push edx
004039B6   .  FF15 A0104000 call dword ptr ds:[<&MSVBVM60.__vbaVarTstNe>]        ; \__vbaVarTstNe - non-zero result means the two Variants differ
004039BC   .  8BF8          mov edi,eax                                          ; park the comparison result in edi; it must survive the three cleanup calls below
004039BE   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
004039C1   .  8D4D DC       lea ecx,dword ptr ss:[ebp-0x24]
004039C4   .  50            push eax
004039C5   .  8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
004039C8   .  51            push ecx
004039C9   .  8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
004039CC   .  52            push edx
004039CD   .  50            push eax
004039CE   .  6A 04         push 0x4                                             ; free 4 temporary strings ([ebp-0x1C] .. [ebp-0x28])
004039D0   .  FF15 90104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeStrList>]     ; msvbvm60.__vbaFreeStrList
004039D6   .  83C4 14       add esp,0x14                                         ; cdecl cleanup: 5 dwords
004039D9   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004039DC   .  FF15 C4104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeObj>]         ; msvbvm60.__vbaFreeObj
004039E2   .  8D4D 80       lea ecx,dword ptr ss:[ebp-0x80]
004039E5   .  8D55 90       lea edx,dword ptr ss:[ebp-0x70]
004039E8   .  51            push ecx
004039E9   .  8D45 A0       lea eax,dword ptr ss:[ebp-0x60]
004039EC   .  52            push edx
004039ED   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
004039F0   .  50            push eax
004039F1   .  8D55 C0       lea edx,dword ptr ss:[ebp-0x40]
004039F4   .  51            push ecx
004039F5   .  52            push edx
004039F6   .  6A 05         push 0x5                                             ; free 5 temporary Variants ([ebp-0x40] .. [ebp-0x80]), including the compared one
004039F8   .  FF15 0C104000 call dword ptr ds:[<&MSVBVM60.__vbaFreeVarList>]     ; msvbvm60.__vbaFreeVarList
004039FE   .  83C4 18       add esp,0x18                                         ; cdecl cleanup: 6 dwords
00403A01   .  66:85FF       test di,di                                           ; saved __vbaVarTstNe result: zero = equal
00403A04   .  75 1C         jnz short bjanes_1.00403A22                          ; mismatch -> leave the per-character loop here (00403A22 not shown; presumably the failure path)
00403A06   .  8B7D 08       mov edi,dword ptr ss:[ebp+0x8]                       ; match -> reload the first argument (the form object, presumably) and advance the counter
00403A09   .  B8 01000000   mov eax,0x1
00403A0E   .  66:0345 E8    add ax,word ptr ss:[ebp-0x18]                        ; ax = loop counter + 1 (the overflow check/store follows, not shown)

這裡透過 __vbaVarTstNe 判斷 ss:[ebp-0xD0] 與 ss:[ebp-0x80] 兩個 Variant 是否相等(回傳非零代表不相等,對應後面的 test di,di / jnz)。[ebp-0xD0] 中儲存的是一個 64 位浮點數(Double),其值的產生過程為:以每次遞增 1 的迴圈計數器(初值 1)與 0x02 進行異或(見下方 004038FB 的 xor ax,0x2),把結果轉成字串,再取其 ASCII 碼、轉為十進位制並減去 48,最後轉成浮點數,和輸入的 serial 進行比較。整個步驟看起來繞了一大圈,但從彙編來看就是這個意思。

004038F1   > \66:8B45 E8    mov ax,word ptr ss:[ebp-0x18]                        ;  ax = current loop counter
004038F5   .  8B1D 74104000 mov ebx,dword ptr ds:[<&MSVBVM60.#536>]              ;  msvbvm60.rtcStrFromVar - address cached in ebx for a later Variant->String conversion
004038FB   .  66:35 0200    xor ax,0x2                                           ;  ax = counter ^ 2 -- this is the entire "algorithm" behind the serial; no user- or machine-specific input is involved
004038FF   .  8D4D A0       lea ecx,dword ptr ss:[ebp-0x60]                      ;  lea does not touch flags, so the jo below still sees the xor's flags
00403902   .  0F80 A4020000 jo bjanes_1.00403BAC                                 ;  presumably VB's Integer overflow check; xor always clears OF, so this branch can never be taken here
00403908   .  51            push ecx
00403909   .  66:8945 A8    mov word ptr ss:[ebp-0x58],ax                        ;  store counter^2 at [ebp-0x60]+8 -- the data field if [ebp-0x60] is a VARIANT (consistent with the rtcStrFromVar pointer above; confirm)

註冊碼為:

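# Keygen for crackme 014.  The binary requires a 9-character serial and, for
# loop counters 1..9, compares the entered character against (counter XOR 2)
# (see the `xor ax,0x2` at 004038FB in the listing).  Nothing in the listing
# shown depends on user- or machine-specific data, so the serial is a constant.
SERIAL_LENGTH = 9  # inputs whose length != 9 are rejected (cmp eax,0x9 at 004036E5)


def keygen_digits(length=SERIAL_LENGTH):
    """Return the raw per-position values [i ^ 2 for i in 1..length].

    For the default length this is [3, 0, 1, 6, 7, 4, 5, 10, 11]; note that the
    last two positions yield two-digit values.
    """
    return [i ^ 2 for i in range(1, length + 1)]


def keygen(length=SERIAL_LENGTH):
    """Return the serial as a string of single characters.

    The write-up reduces the two-digit values 10 and 11 to '0' and '1' (final
    serial 301674501), so only the last decimal digit of each value is kept.
    NOTE(review): the instruction performing that truncation is not in the
    listing shown -- confirm in the debugger before relying on this for other
    lengths.
    """
    return "".join(str(value)[-1] for value in keygen_digits(length))


# Same output as the original script: one raw value per line.
for j in keygen_digits():
    print(j)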

得到 3 0 1 6 7 4 5 10 11。注意第 8、9 位算出來的是兩位數 10 和 11,最終序號只保留其個位(0 和 1),因此註冊碼為 301674501。(完成這一步截斷的指令不在上面貼出的片段中,請在偵錯器裡自行確認。)