Cracking of a CrackMe that requires a run trace


[Article Title]: cracking of a CrackMe that requires a run trace
[Author]: bxm
[Author mailbox]: bxm78@163.com
[Protection method]: name, serial
[Language]: Borland C++
[Tools]: PEiD, OllyDbg
[Operating platform]: Windows XP
[Author's statement]: This is purely out of interest and for no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
[Detailed process]
PEiD reports no packer. Running the program and entering a name and serial produces no prompt at all, so there is no success or failure message to search for. Loaded in OllyDbg, a string search turns up nothing useful, breakpoints on GetWindowTextA and GetDlgItemTextA never fire, and a message breakpoint did not seem to work either, so a run trace was the only way to locate the checking code. The trace led to 0040160A, where I set an ordinary breakpoint. The detailed analysis follows:
0040160A |. 8D45 D4 lea eax, [ebp-2C]
0040160D |. 8D55 EC lea edx, [ebp-14]
00401610 |. E8 C3E10000 call 0040F7D8; Call 1: compares the first three characters of the serial with "CA-"; sets AL to 1 on a match, 0 otherwise
00401615 |. 50 push eax;/Arg1
00401616 |. FF4D 9C dec dword ptr [ebp-64]; |
00401619 |. 8D45 D4 lea eax, [ebp-2C]; |
0040161C |. BA 02000000 mov edx, 2; |
00401621 |. E8 D2E00000 call 0040F6F8; Crackme-. 0040F6F8
00401626 |. 59 pop ecx
00401627 |. 84C9 test cl, cl; CL holds the AL returned by Call 1 (pushed after the call, popped into ECX here)
00401629 0F84 26030000 je 00401955; CL == 0, i.e. the prefix did not match: jump to 00401955 and exit
0040162F |. 66: C745 90 98> mov word ptr [ebp-70], 98
00401635 |. 8D45 D0 lea eax, [ebp-30]
00401638 |. E8 BB030000 call 004019F8
0040163D |. 50 push eax
0040163E |. FF45 9C inc dword ptr [ebp-64]
00401641 |. 8D45 F8 lea eax, [ebp-8]
00401644 |. E8 09E30000 call 0040F952; returns the length of the serial in EAX (inferred from how the result is used below)
00401649 |. 8BD0 mov edx, eax; |
0040164B |. 83C2 FC add edx,-4; | start index = length - 4
0040164E |. 8D45 F8 lea eax, [ebp-8]; |
00401651 |. B9 05000000 mov ecx, 5; | count = 5
00401656 |. E8 18EB0000 call 00410173; substring(start = length-4, count = 5): the last five characters of the serial
0040165B |. 8D45 D0 lea eax, [ebp-30]
0040165E |. 8D55 E8 lea edx, [ebp-18]
00401661 |. E8 72E10000 call 0040F7D8; Call 2: compares the last five characters of the serial with "-3914"; sets AL to 1 on a match, 0 otherwise
00401666 |. 50 push eax;/Arg1
00401667 |. FF4D 9C dec dword ptr [ebp-64]; |
0040166A |. 8D45 D0 lea eax, [ebp-30]; |
0040166D |. BA 02000000 mov edx, 2; |
00401672 |. E8 81E00000 call 0040F6F8; Crackme-. 0040F6F8
00401677 |. 59 pop ecx
00401678 |. 84C9 test cl, cl; CL holds the AL returned by Call 2
0040167A 0F84 D5020000 je 00401955; CL == 0, i.e. the suffix did not match: jump to 00401955 and exit
00401680 |. 33C0 xor eax, eax
00401682 |. 8985 74 FFFFFF mov [ebp-8C], eax
00401688 |. 66: C745 90 14> mov word ptr [ebp-70], 14
0040168E |. 33D2 xor edx, edx
00401690 |. 8995 70 FFFFFF mov [ebp-90], edx; [ebp-90] cleared to 0 before the loop that follows
00401696 |. EB 1E jmp short 004016B6
00401698 |> 8D45 FC/lea eax, [ebp-4]
0040169B |. E8 88030000 | call 00401A28; returns the name in EAX
004016A0 |. 8B95 70 FFFFFF | mov
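The two checks visible in the listing (Call 1 at 00401610 and Call 2 at 00401661) can be re-implemented directly, which is useful for confirming the analysis and as a starting point for a keygen once the name-dependent loop is reversed. The following Python is an added example and is not code from the original write-up: the function names, the `substring_1based` helper that mirrors the `start = length-4, count = 5` substring call, and the sample serials are my own; the constants "CA-" and "-3914" and the branch addresses come from the listing. The comparison is treated as case-sensitive and a start index below 1 is clamped to 1, both of which are assumptions about the runtime library, not facts shown on the page.

```python
"""Re-implementation of the serial-format checks seen at 0040160A..0040167A.

Added example, not the CrackMe's own code. Only the two checks visible in the
listing are modelled; the name-dependent loop starting at 00401698 is not on
the page and is therefore left out.
"""

PREFIX = "CA-"     # compared by Call 1 against the first three characters
SUFFIX = "-3914"   # compared by Call 2 against the last five characters

# Addresses of the two `je 00401955` exits in the listing.
EXIT_AFTER_PREFIX_CHECK = "00401629"
EXIT_AFTER_SUFFIX_CHECK = "0040167A"


def substring_1based(s: str, start: int, count: int) -> str:
    """Mirror of the 1-based substring(start, count) call at 00401656.

    Assumption (not shown on the page): a start index below 1 is clamped to 1,
    so very short serials yield whatever characters exist instead of raising.
    """
    if start < 1:
        start = 1
    return s[start - 1:start - 1 + count]


def check_prefix(serial: str) -> bool:
    """Call 1: the first three characters must be exactly "CA-"."""
    return serial[:len(PREFIX)] == PREFIX


def check_suffix(serial: str) -> bool:
    """Call 2: substring(length-4, 5) must be exactly "-3914".

    The start index is computed the way the listing does it (length - 4) rather
    than with Python slicing, so the behaviour on short inputs stays faithful.
    """
    length = len(serial)
    return substring_1based(serial, length - 4, 5) == SUFFIX


def first_failing_branch(serial: str):
    """Which `je 00401955` would be taken for this serial.

    Returns the address of the exit branch that fires, or None when execution
    reaches 00401680 and the name-dependent part of the check begins.
    """
    if not check_prefix(serial):
        return EXIT_AFTER_PREFIX_CHECK
    if not check_suffix(serial):
        return EXIT_AFTER_SUFFIX_CHECK
    return None


def serial_passes_visible_checks(serial: str) -> bool:
    """True when both visible checks pass.

    This only means the serial has the right shape; the real CrackMe still runs
    the loop at 00401698 afterwards, which is not modelled here.
    """
    return first_failing_branch(serial) is None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for sample in ["CA-ABCD-3914", "XA-ABCD-3914", "CA-ABCD-3915", "CA-3914", ""]:
        branch = first_failing_branch(sample)
        where = "reaches 00401680" if branch is None else f"exits via je at {branch}"
        print(f"{sample!r:16} -> {where}")
```

Note that "CA-3914" passes both visible checks even though the prefix and suffix overlap: the listing never checks a minimum length, it only compares the first three and the last five characters, so a faithful re-implementation must not add one either.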
