004017D6 |. 50 PUSH EAX ; |path
004017D7 |. FF15 0C324000 CALL DWORD PTR DS:[0x40320C] ; \fopen
004017DD |. 8BF8 MOV EDI,EAX
004017DF |. 83C4 08 ADD ESP,0x8
004017E2 |. 85FF TEST EDI,EDI
004017E4 |. 0F84 05010000 JE 004018EF ; 密码锁.004018EF
004017EA |. 57 PUSH EDI ; /stream
004017EB |. 6A 01 PUSH 0x1 ; |n = 1
004017ED |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+0x24] ; |
004017F1 |. 6A 62 PUSH 0x62 ; |size = 62 (98.)
004017F3 |. 51 PUSH ECX ; |ptr
004017F4 |. FF15 C8314000 CALL DWORD PTR DS:[0x4031C8] ; \fread
004017FA |. 8D5424 2C LEA EDX,DWORD PTR SS:[ESP+0x2C] ; 读取 98个字节
004017FE |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+0x1C]
00401802 |. 52 PUSH EDX
00401803 |. 68 58404000 PUSH 0x404058 ; %s
00401808 |. 50 PUSH EAX
00401809 |. E8 9E0B0000 CALL 004023AC ; <JMP.&MFC42.#2818>
0040180E |. 57 PUSH EDI ; /stream
0040180F |. FF15 14324000 CALL DWORD PTR DS:[0x403214] ; \fclose
00401815 |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+0x2C]
00401819 |. 83C4 20 ADD ESP,0x20
0040181C |. 8379 F8 62 CMP DWORD PTR DS:[ECX-0x8],0x62
00401820 |. 0F85 C9000000 JNZ 004018EF ; 密码锁.004018EF
00401826 |. 51 PUSH ECX
00401827 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+0x10]
0040182B |. 8BCC MOV ECX,ESP
0040182D |. 896424 1C MOV DWORD PTR SS:[ESP+0x1C],ESP
00401831 |. 52 PUSH EDX
00401832 |. E8 6F0B0000 CALL 004023A6 ; <JMP.&MFC42.#535>
00401837 |. 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+0x18] ; |
0040183B |. 8BCE MOV ECX,ESI ; |
0040183D |. 50 PUSH EAX ; |Arg1
0040183E |. E8 1D070000 CALL 00401F60 ; \关键算法，时间多滴跑进去看看……也不是很复杂，但也是要时间滴。
00401843 |. 50 PUSH EAX
00401844 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+0x14]
00401848 |. C68424 280400>MOV BYTE PTR SS:[ESP+0x428],0x2
00401850 |. E8 2D0B0000 CALL 00402382 ; <JMP.&MFC42.#858>
00401855 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+0x14]
00401859 |. C68424 240400>MOV BYTE PTR SS:[ESP+0x424],0x1
00401861 |. E8 EA090000 CALL 00402250 ; <JMP.&MFC42.#800>
00401866 |. 6A 04 PUSH 0x4
00401868 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+0x1C]
0040186C |. 6A 2A PUSH 0x2A
0040186E |. 51 PUSH ECX
0040186F |. 8D4E 64 LEA ECX,DWORD PTR DS:[ESI+0x64]
00401872 |. E8 110B0000 CALL 00402388 ; <JMP.&MFC42.#4278>
00401877 |. 50 PUSH EAX
00401878 |. 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+0x18] ; 下面是正确的标志
0040187C |. 68 84404000 PUSH 0x404084 ; 2938735462728494
00401881 |. 52 PUSH EDX ;
00401882 |. C68424 300400>MOV BYTE PTR SS:[ESP+0x430],0x3
0040188A |. E8 110B0000 CALL 004023A0 ; <JMP.&MFC42.#926>
0040188F |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00401891 |. 50 PUSH EAX ; /s2
00401892 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+0x14] ; |
00401896 |. 50 PUSH EAX ; |s1
00401897 |. FF15 20324000 CALL DWORD PTR DS:[0x403220] ; \_mbscmp
0040189D |. 83C4 08 ADD ESP,0x8 ; 比较常数 判断密码是否正确的关键 因为是解码,肯定不能暴破的
004018A0 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+0x14] ; 1234567890123123456789012312345678901231233386 "条件成立"的正确密码
004018A4 |. 85C0 TEST EAX,EAX
004018A6 |. 0F95C3 SETNE BL ; 置标志位
当然也会出现另一种情况，就是巧合。
比如验证密码时只对部分位置进行穿插性的比较，而刚好这组输入又吻合了。没看具体的算法和比较的位置，只是随便输入了一个 1234567890123 并连续复制几次，碰巧蒙中了成立的条件而已。