repos_deltae_auxiliary_tool/Source/Assist/Assist/Assist.cpp

// Assist.cpp : 定义 DLL 应用程序的导出函数。
//

#include "stdafx.h"
#include "Assist.h"
#include <stdio.h> 
#include <process.h>

// 全局CallData;
CALLDATA _cd_Go;
CALLDATA _cd_Connect;
CALLDATA _cd_Disconnect;
CALLDATA _cd_CheckFW;
CALLDATA _cd_CheckFW_CommunicationError;
CALLDATA _cd_SaveAsOutputData;
CALLDATA _cd_Go_SN;
CALLDATA _cd_Go_CommunicationError;
CALLDATA _cd_Go_SetCommunicationError;
CALLDATA _cd_Initial_failed;
CALLDATA _cd_ExternalException;

// 调试耗时值ms;
DWORD dwElapsed = 0;

TCHAR g_szGoSN[32] = {0};

DWORD dwCallAddr = 0;

// 8组寄存器存储;
DWORD dwEAX = 0;
DWORD dwEBX = 0;
DWORD dwECX = 0;
DWORD dwEDX = 0;
DWORD dwEBP = 0;
DWORD dwESP = 0;
DWORD dwESI = 0;
DWORD dwEDI = 0;

// 定义跳转函数;
void Call_MyDisconnect();
void Call_MyConnect();
void Call_MyGo();
void Call_MyGoSN();
void Call_MyCheckFW();
void Call_MyCheckFWCommunicationError();
void Call_MySaveAsOutputData();
void Call_MyInitial_Failed();
void Call_MyGoCommunicationError();
void Call_MyGoSetCommunicationError();
void Call_MyExternalException();

// 其他函数;
void SetChannel(int nChannel);
void SetSN(LPCTSTR lpSN);
void ChangeSDK(int nSDK);   // 0=410SDK, 1=310SDK;

void InitCallData()
{
#pragma region 启动时Initial Communication：需要程序启动时注入;
	/*
		此劫持需要在程序刚启动时注入，即在弹框出现前实现注入;
		目前不实现程序时注入!
	*/
	// 00401EB8 | E8 7BCB0C00 | call demo.4CEA38 | # 弹出Messagebox：Initial Communication Failed!
	_cd_Initial_failed.myCall = Call_MyInitial_Failed;
	// 00401EBD | FF4D CC | dec dword ptr ss:[ebp-34] |
	_cd_Initial_failed.dwBack2Addr = 0x00401EBD;
	// 00401EB8 | E8 7BCB0C00 | call demo.4CEA38 | # 弹出Messagebox：Initial Communication Failed!
	_cd_Initial_failed.dwOriginalAddr = 0x00401EB8;
	_cd_Initial_failed.dwOriginalCallAddr = 0x004CEA38;

	_cd_Initial_failed.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Initial_failed.szMyCallData, 0x90, CALL_LEN);
	_cd_Initial_failed.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Initial_failed.szMyCallData[1]) = (DWORD)_cd_Initial_failed.myCall - _cd_Initial_failed.dwOriginalAddr - JMP_DLEN;
#pragma endregion

#pragma region Connect按钮劫持
	/*
		Connect存在External expection 异常弹框;
		出现External弹框时，结束进程，统一由Call_MyExternalException处理;
	*/
	//00415ECB | 0F84 6A040000 | je demo.41633B | # 关键跳：如果Connect失败实现跳转
	_cd_Connect.myCall = Call_MyConnect;
	// 00415ED1 | 6A 00                  | push 0                                   |
	_cd_Connect.dwBack2Addr = 0x00415ED1;
	_cd_Connect.dwOriginalAddr = 0x00415ECB;
	_cd_Connect.dwOriginalCallAddr = 0x0041633B;	// 此处是JMP，注意注入时不要调用为Call

	_cd_Connect.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Connect.szMyCallData, 0x90, CALL_LEN);
	_cd_Connect.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Connect.szMyCallData[1]) = (DWORD)_cd_Connect.myCall - _cd_Connect.dwOriginalAddr - JMP_DLEN;
#pragma endregion

#pragma region Disconnect按钮劫持
	/*
		disconnect时,同样存在External expection 异常弹框;
		出现External弹框时，结束进程，统一由Call_MyExternalException处理;
	*/
	// 0043790B | E8 E4C90900 | call demo.4D42F4 | # 此处可能用于SetWindowText之类处理
	// 00437910 | FF4D F4 | dec dword ptr ss:[ebp-C]                 |
	_cd_Disconnect.myCall = Call_MyDisconnect;
	_cd_Disconnect.dwBack2Addr = 0x00437910;
	_cd_Disconnect.dwOriginalAddr = 0x0043790B;
	_cd_Disconnect.dwOriginalCallAddr = 0x004D42F4;

	_cd_Disconnect.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Disconnect.szMyCallData, 0x90, CALL_LEN);
	_cd_Disconnect.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Disconnect.szMyCallData[1]) = (DWORD)_cd_Disconnect.myCall - _cd_Disconnect.dwOriginalAddr - JMP_DLEN;
#pragma endregion

#pragma region ExternalException
	// 必须获取模块地址：ca210ctrl.dll
	HMODULE hModule = GetModuleHandle(_T("Ca210Ctrl.dll"));
	// 044D677C | FF15 78645404 | call dword ptr ds:[<&RaiseException>] |
	_cd_ExternalException.myCall = Call_MyExternalException;
	// 044D6782 | 5F | pop edi |
	_cd_ExternalException.dwBack2Addr = (DWORD)hModule + 0x106782;
	_cd_ExternalException.dwOriginalAddr = (DWORD)hModule + 0x10677C;
	_cd_ExternalException.dwOriginalCallAddr = 0x769F05B0;

	_cd_ExternalException.nMyCallDataLen = JMP_DLEN;
	memset(_cd_ExternalException.szMyCallData, 0x90, CALL_LEN);
	_cd_ExternalException.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_ExternalException.szMyCallData[1]) = (DWORD)_cd_ExternalException.myCall - _cd_ExternalException.dwOriginalAddr - JMP_DLEN;
#pragma endregion

#pragma region Go按钮劫持
	/* 成功执行后的处理 */
	_cd_Go.myCall = Call_MyGo;
	_cd_Go.dwBack2Addr = 0x004376B0;
	// 004376AB | E8 50A30C00 | call demo.501A00 
	_cd_Go.dwOriginalAddr = 0x004376AB;
	_cd_Go.dwOriginalCallAddr = 0x00501A00;

	_cd_Go.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Go.szMyCallData, 0x90, CALL_LEN);
	_cd_Go.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Go.szMyCallData[1]) = (DWORD)_cd_Go.myCall - _cd_Go.dwOriginalAddr - JMP_DLEN;

	// 获取SN字符串;
	// 00417AEC | E8 9BA5FEFF | call demo.40208C |
	// 00417AF1 | E8 722C0700 | call demo.48A768 |
	_cd_Go_SN.myCall = Call_MyGoSN;
	_cd_Go_SN.dwBack2Addr = 0x00417AF1;
	// 004376AB | E8 50A30C00 | call demo.501A00 
	_cd_Go_SN.dwOriginalAddr = 0x00417AEC;
	_cd_Go_SN.dwOriginalCallAddr = 0x0040208C;

	_cd_Go_SN.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Go_SN.szMyCallData, 0x90, CALL_LEN);
	_cd_Go_SN.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Go_SN.szMyCallData[1]) = (DWORD)_cd_Go_SN.myCall - _cd_Go_SN.dwOriginalAddr - JMP_DLEN;

	// 消除 Set Communication Error 弹框;
	// 00417FCD | E8 666A0B00 | call demo.4CEA38 |
	_cd_Go_SetCommunicationError.myCall = Call_MyGoSetCommunicationError;
	_cd_Go_SetCommunicationError.dwBack2Addr = 0x00417FD2;
	// 00417FD2 | FF8D F4E8FFFF| dec dword ptr ss:[ebp-170C]|
	_cd_Go_SetCommunicationError.dwOriginalAddr = 0x00417FCD;
	_cd_Go_SetCommunicationError.dwOriginalCallAddr = 0x004CEA38;

	_cd_Go_SetCommunicationError.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Go_SetCommunicationError.szMyCallData, 0x90, CALL_LEN);
	_cd_Go_SetCommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Go_SetCommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_SetCommunicationError.myCall - _cd_Go_SetCommunicationError.dwOriginalAddr - JMP_DLEN;

	// 消除Communication Error弹框;
	// 00404408 | E8 2BA60C00| call demo.4CEA38| 
	_cd_Go_CommunicationError.myCall = Call_MyGoCommunicationError;
	_cd_Go_CommunicationError.dwBack2Addr = 0x0040440D;
	// 0040440D | FF4D BC | dec dword ptr ss:[ebp-44] | 
	_cd_Go_CommunicationError.dwOriginalAddr = 0x00404408;
	_cd_Go_CommunicationError.dwOriginalCallAddr = 0x004CEA38;

	_cd_Go_CommunicationError.nMyCallDataLen = JMP_DLEN;
	memset(_cd_Go_CommunicationError.szMyCallData, 0x90, CALL_LEN);
	_cd_Go_CommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_Go_CommunicationError.szMyCallData[1]) = (DWORD)_cd_Go_CommunicationError.myCall - _cd_Go_CommunicationError.dwOriginalAddr - JMP_DLEN;
#pragma endregion

#pragma region CheckFW按钮处理
	// 00404458 | E8 E7F70400       | call demo.453C44 | # 此处应该是执行I2CReadEx
	_cd_CheckFW.myCall = Call_MyCheckFW;	// 成功获取版本后跳转处理;
	// 0040445D | 83C4 1C           | add esp,1C                    |
	_cd_CheckFW.dwBack2Addr = 0x0040445D;
	_cd_CheckFW.dwOriginalAddr = 0x00404458;
	_cd_CheckFW.dwOriginalCallAddr = 0x453C44;

	_cd_CheckFW.nMyCallDataLen = JMP_DLEN;
	memset(_cd_CheckFW.szMyCallData, 0x90, CALL_LEN);
	_cd_CheckFW.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_CheckFW.szMyCallData[1]) = (DWORD)_cd_CheckFW.myCall - _cd_CheckFW.dwOriginalAddr - JMP_DLEN;

	/* 针对弹框Communication Error的消除处理 */
	// 00404408 | E8 2BA60C00       | call demo.4CEA38 | # Dailogs::ShowMessage(string) 弹出提示框：Communication Error
	_cd_CheckFW_CommunicationError.myCall = Call_MyCheckFWCommunicationError;	// 成功获取版本后跳转处理;
	// 0040440D | FF4D BC           | dec dword ptr ss:[ebp-44]     | [ebp-44]:&"脥I"
	_cd_CheckFW_CommunicationError.dwBack2Addr = 0x0040440D;
	_cd_CheckFW_CommunicationError.dwOriginalAddr = 0x00404408;
	_cd_CheckFW_CommunicationError.dwOriginalCallAddr = 0x4CEA38;

	_cd_CheckFW_CommunicationError.nMyCallDataLen = JMP_DLEN;
	memset(_cd_CheckFW_CommunicationError.szMyCallData, 0x90, CALL_LEN);
	_cd_CheckFW_CommunicationError.szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&_cd_CheckFW_CommunicationError.szMyCallData[1]) = (DWORD)_cd_CheckFW_CommunicationError.myCall - _cd_CheckFW_CommunicationError.dwOriginalAddr - JMP_DLEN;
#pragma endregion
}

BOOL HijackedAllCall()
{
	BOOL bHijack=FALSE;
	if ( !(bHijack = HijackedCall(&_cd_Connect)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_Disconnect)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_Go)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_Go_SN)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_Go_CommunicationError)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_Go_SetCommunicationError)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_ExternalException)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_CheckFW)) )
		goto end;

	if ( !(bHijack = HijackedCall(&_cd_CheckFW_CommunicationError)) )
		goto end;

end:
	return bHijack;
}

// 劫持原始地址;
BOOL HijackedCall2(CALLDATA *pCallData)
{
	if ( !pCallData )
		return FALSE;

	memset(pCallData->szMyCallData, 0x90, CALL_LEN);
	pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - 5;


	HANDLE hProc = GetCurrentProcess();
	// 将要劫持的地址指令备份下来;
	memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
	if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, pCallData->nOriginalAddrDataLen, NULL) )
	{
		MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	// 将我们的Call地址指令写入目标地址;
	if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, pCallData->nMyCallDataLen, NULL) )
	{
		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	return TRUE;
}

BOOL HijackedCall(CALLDATA *pCallData)
{
	if ( !pCallData )
		return FALSE;

	memset(pCallData->szMyCallData, 0, CALL_LEN);
	pCallData->szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&pCallData->szMyCallData[1]) = (DWORD)pCallData->myCall - pCallData->dwOriginalAddr - CALL_LEN;

	HANDLE hProc = GetCurrentProcess();
	// 将要劫持的地址指令备份下来;
	memset(pCallData->szOriginalAddrData, 0, CALL_LEN);
	if ( !ReadProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
	{
		MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	// 将我们的Call地址指令写入目标地址;
	if ( !WriteProcessMemory(hProc, (LPVOID)pCallData->dwOriginalAddr, pCallData->szMyCallData, CALL_LEN, NULL) )
	{
		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	return TRUE;
}

// 劫持原始地址;
BOOL HijackedCall(LPVOID MyCall, LPVOID OriginalCall, BYTE (&szOriginalCallData)[CALL_LEN])
{
	BYTE szMyCallData[CALL_LEN] = {0};
	szMyCallData[0] = 0xE9; // 汇编硬编码：jmp [4字节地址];
	*(LPDWORD)(&szMyCallData[1]) = (DWORD)MyCall - (DWORD)OriginalCall - CALL_LEN;

	HANDLE hProc = GetCurrentProcess();
	// 将要劫持的地址指令备份下来;
	if ( !ReadProcessMemory(hProc, OriginalCall, szOriginalCallData, CALL_LEN, NULL) )
	{
		MessageBox(NULL, _T("读取内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	// 将我们的Call地址指令写入目标地址;
	if ( !WriteProcessMemory(hProc, OriginalCall, szMyCallData, CALL_LEN, NULL) )
	{
		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	return TRUE;
}

BOOL RecoveryCall(CALLDATA *pCallData)
{
	if ( !pCallData )
		return FALSE;

	// 将我们的Call地址指令写入目标地址;
	if ( !WriteProcessMemory(GetCurrentProcess(), (LPVOID)pCallData->dwOriginalAddr, pCallData->szOriginalAddrData, CALL_LEN, NULL) )
	{
		MessageBox(NULL, _T("写入内存失败"), _T("提示"),MB_OK);
		return FALSE;
	}

	return TRUE;
}

void MyInitialFailed()
{
	MessageBox(NULL, _T("MyInitialFailed"), _T("MyInitialFailed"), MB_OK);
}

void __declspec(naked) Call_MyInitial_Failed()
{
	__asm pushad;
	MyInitialFailed();
	__asm popad;
	// 不执行原call:原Call是Messagebox弹框，需要消除掉它;
	// __asm call _cd_Initial_failed.dwOriginalCallAddr;
	__asm jmp _cd_Initial_failed.dwBack2Addr;
}

void __declspec(naked) Call_MySaveAsOutputData()
{
	//004AB3FC
	__asm {
		// 保存寄存器;
		mov dwEAX, EAX;
		mov dwEBX, EBX;
		mov dwECX, ECX;
		mov dwEDX, EDX;
		mov dwEBP, EBP;
		mov dwESP, ESP;
		mov dwESI, ESI;
		mov dwEDI, EDI;
		// my call
		mov eax,0x004AB3FC
			mov dl,1
			call dword ptr[eax]
		// 恢复寄存器; 
		mov EAX, dwEAX;
		mov EBX, dwEBX;
		mov ECX, dwECX;
		mov EDX, dwEDX;
		mov EBP, dwEBP;
		mov ESP, dwESP;
		mov ESI, dwESI;
		mov EDI, dwEDI;
		// 返回
		ret
	}
}

void MyGo()
{   
	CHAR szMsg[MAX_PATH];
	DWORD dwElapsedAddr = 0x0052DF54;
	DWORD dwSNAddr = dwEBP - 0x5D0;
	sprintf_s(szMsg, "MyGo耗时:%ldms, SN:%08X, %s", *(LPDWORD)dwElapsedAddr, dwSNAddr, (CHAR*)(*(LPDWORD)dwSNAddr));
	MessageBoxA(NULL, szMsg, "MyGo", MB_OK);
}

void __declspec(naked) Call_MyGo()
{
	// 备份寄存器;
	__asm{
		// 保存寄存器;
		mov dwEAX, EAX;
		mov dwEBX, EBX;
		mov dwECX, ECX;
		mov dwEDX, EDX;
		mov dwEBP, EBP;
		mov dwESP, ESP;
		mov dwESI, ESI;
		mov dwEDI, EDI;
	}

	MyGo();

	__asm{
		// 恢复寄存器; 
		mov EAX, dwEAX;
		mov EBX, dwEBX;
		mov ECX, dwECX;
		mov EDX, dwEDX;
		mov EBP, dwEBP;
		mov ESP, dwESP;
		mov ESI, dwESI;
		mov EDI, dwEDI;
		// 执行原Call;
		call _cd_Go.dwOriginalCallAddr
			// 返回劫持地址下一行;
			jmp _cd_Go.dwBack2Addr
	}
}

void MyGoSN()
{
	CHAR szMsg[MAX_PATH];
	DWORD dwSNAddr = dwEBP - 0x5D0;
	//_stprintf_s(szMsg, _T("MyGo %08X, %08X, %08X, %s"), dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (TCHAR*)(*(LPDWORD)dwSNAddr));
	sprintf_s(szMsg, "MyGo %08X, %08X, %08X, %s", dwEAX, dwSNAddr, DWORD(*(LPDWORD)dwSNAddr), (CHAR*)(*(LPDWORD)dwSNAddr));
	MessageBoxA(NULL, szMsg, "MyGoSN", MB_OK);
}

void __declspec(naked) Call_MyGoSN()
{
	// 备份寄存器;
	__asm{
		// 保存寄存器;
		mov dwEAX, EAX;
		mov dwEBX, EBX;
		mov dwECX, ECX;
		mov dwEDX, EDX;
		mov dwEBP, EBP;
		mov dwESP, ESP;
		mov dwESI, ESI;
		mov dwEDI, EDI;
	}

	MyGoSN();

	__asm{
		// 恢复寄存器; 
		mov EAX, dwEAX;
		mov EBX, dwEBX;
		mov ECX, dwECX;
		mov EDX, dwEDX;
		mov EBP, dwEBP;
		mov ESP, dwESP;
		mov ESI, dwESI;
		mov EDI, dwEDI;
		// 执行原Call;
		call _cd_Go_SN.dwOriginalCallAddr
		// 返回劫持地址下一行;
		jmp _cd_Go_SN.dwBack2Addr
	}
}

void MyGoSetCommunicationError()
{
	MessageBox(NULL, _T("MyGoSetCommunicationError"), _T("劫持"), MB_OK);
}

void __declspec(naked) Call_MyGoSetCommunicationError()
{
	// 备份寄存器;
	__asm{
		// 保存寄存器;
		mov dwEAX, EAX;
		mov dwEBX, EBX;
		mov dwECX, ECX;
		mov dwEDX, EDX;
		mov dwEBP, EBP;
		mov dwESP, ESP;
		mov dwESI, ESI;
		mov dwEDI, EDI;
	}

	MyGoSetCommunicationError();

	__asm{
		// 恢复寄存器; 
		mov EAX, dwEAX;
		mov EBX, dwEBX;
		mov ECX, dwECX;
		mov EDX, dwEDX;
		mov EBP, dwEBP;
		mov ESP, dwESP;
		mov ESI, dwESI;
		mov EDI, dwEDI;
		// 执行原Call;
		//call _cd_Go_SetCommunicationError.dwOriginalCallAddr	// 经验证,即使不执行原call，也会弹异常框;
		// 返回劫持地址下一行;
		jmp _cd_Go_SetCommunicationError.dwBack2Addr
	}
}

void MyGoCommunicationError()
{
	MessageBox(NULL, _T("MyGoCommunicationError"), _T("劫持"), MB_OK);
}

void __declspec(naked) Call_MyGoCommunicationError()
{
	// 备份寄存器;
	__asm{
		// 保存寄存器;
		mov dwEAX, EAX;
		mov dwEBX, EBX;
		mov dwECX, ECX;
		mov dwEDX, EDX;
		mov dwEBP, EBP;
		mov dwESP, ESP;
		mov dwESI, ESI;
		mov dwEDI, EDI;
	}

	MyGoCommunicationError();

	__asm{
		// 恢复寄存器; 
		mov EAX, dwEAX;
		mov EBX, dwEBX;
		mov ECX, dwECX;
		mov EDX, dwEDX;
		mov EBP, dwEBP;
		mov ESP, dwESP;
		mov ESI, dwESI;
		mov EDI, dwEDI;
		// 执行原Call;
		//call _cd_Go_CommunicationError.dwOriginalCallAddr
		// 返回劫持地址下一行;
		jmp _cd_Go_CommunicationError.dwBack2Addr
	}
}

BOOL MyConnect()
{
	// 读取AL的值; 0表示Connect失败;1表示成功;
	BYTE AL = LOBYTE(LOWORD(dwEAX));
	if ( AL == 0 )
	{
		MessageBox(NULL, _T("连接失败"), _T("连接提示"), MB_OK);
		return FALSE;
	}
	else
	{
		MessageBox(NULL, _T("连接成功"), _T("连接提示"), MB_OK);
	}
	return TRUE;
}

void __declspec(naked) Call_MyConnect()
{
	// 备份寄存器;
	__asm mov dwEAX, eax;
	__asm pushad;

	if ( MyConnect() )
	{
		__asm{
			// 恢复寄存器; 
			popad;
			// 成功：则继续正常的流程;
			jmp _cd_Connect.dwBack2Addr;
		}

	}
	else
	{
		__asm{
			// 恢复寄存器; 
			popad;
			// 失败：JMP到出错处理;
			jmp _cd_Connect.dwOriginalCallAddr;
		}
	}   
}

void MyExternalException()
{
	MessageBox(NULL, _T("MyExternalExceptionE06D7363，重启异常待重启"), _T("提示"), MB_OK);
	::exit(0);
}

void __declspec(naked) Call_MyExternalException()
{
	// 备份寄存器;
	__asm {
		pushad;
	}

	MyExternalException();

	__asm
	{
		// 恢复寄存器; 
		popad;
		// 失败：JMP到出错处理;
		call _cd_ExternalException.dwOriginalCallAddr;
		jmp _cd_ExternalException.dwBack2Addr;
	} 
}

void MyDisconnect()
{
	MessageBox(NULL, _T("MyDisconnect Function"), _T("MyDisconnect"), MB_OK);
}

void __declspec(naked) Call_MyDisconnect()
{
	__asm pushad;
	MyDisconnect();
	__asm
	{
		popad;
		call _cd_Disconnect.dwOriginalCallAddr;
		jmp _cd_Disconnect.dwBack2Addr;
	}
}

void __declspec(naked) Call_MyCheckFW()
{
	// 备份寄存器;
	__asm pushad;


	MessageBox(NULL, _T("Call_MyCheckFW"), _T("MyCheckFW"), MB_OK);


	__asm{
		// 恢复寄存器; 
		popad;
		// 执行原call;
		call _cd_CheckFW.dwOriginalCallAddr;
		// 最后返回原Call地址下一行;
		jmp _cd_CheckFW.dwBack2Addr;
	}
}

void __declspec(naked) Call_MyCheckFWCommunicationError()
{
	// 备份寄存器;
	__asm pushad;


	MessageBox(NULL, _T("Call_MyCheckFWCommunicationError"), _T("MyCheckFWCommunicationError"), MB_OK);


	__asm{
		// 恢复寄存器; 
		popad;
		// 消除原call;
		// call _cd_CheckFW.dwOriginalCallAddr;
		// 最后返回原Call地址下一行;
		jmp _cd_CheckFW_CommunicationError.dwBack2Addr;
	}
}

void __declspec(naked) SetChannel()
{
	// 备份寄存器;
	__asm{
		// 保存寄存器;
		mov dwEAX, EAX;
		mov dwEBX, EBX;
		mov dwECX, ECX;
		mov dwEDX, EDX;
		mov dwEBP, EBP;
		mov dwESP, ESP;
		mov dwESI, ESI;
		mov dwEDI, EDI;
	}


	MessageBox(NULL, _T("MyGo Function"), _T("MyGo"), MB_OK);


	__asm{
		// 恢复寄存器; 
		mov EAX, dwEAX;
		mov EBX, dwEBX;
		mov ECX, dwECX;
		mov EDX, dwEDX;
		mov EBP, dwEBP;
		mov ESP, dwESP;
		mov ESI, dwESI;
		mov EDI, dwEDI;
		// 最后返回原Call地址下一行;
		jmp _cd_Go.dwBack2Addr;
	}
}

void SetSN(LPCTSTR lpSN)
{

}

void ChangeSDK(int nSDK)   // 0=410SDK, 1=310SDK;
{

}

void __declspec(naked) Call_Connect()
{
	//dwCallAddr = 0x004D5864;//0x004378B0;
	/*dwCallAddr = 0x004378B0;
	__asm {
		pushad;
		mov eax,0x02393F78;
		mov ebx,0x024856CC;
		mov ecx,0x004AB16C;
		mov edx,0x024156CC;
		call dwCallAddr;
		popad;
	}*/
	dwCallAddr = 0x00415DFC;
	__asm call dwCallAddr;
}