[原创][2020][KCTF]第二题 子鼠开天 wp
; sub_401380 - serial/key check for KCTF 2020 #2 "子鼠开天" (IDA listing, x86-32, Intel syntax, cdecl).
; Arguments (roles taken from how they are used below and from the writeup):
;   arg_0 = username pointer, arg_4 = username length,
;   arg_8 = key string pointer, arg_C = key string length.
; Locals, sized from the frame offsets: var_70 16 bytes, var_60 32 bytes,
;   var_40 32 bytes, var_20 32 bytes.
; Only the success path is shown: every check jumps to loc_401449 / loc_401456,
;   which lie outside this excerpt; the fall-through path prints
;   "Congratulations! You did it!" and returns.
; Security notes for the reader:
;   - The format check on the RSA output tests only bytes 0, 1 and 15
;     (0x00, 0x02, ..., 0x00). Bytes 2..14 are never inspected, so for a
;     given username many different keys pass (see the writeup's remark
;     on multiple solutions).
;   - Per the writeup the modulus is 64 hex digits (256 bits) and was
;     factored with yafu; once d is known anyone can forge a key.
;   - The final comparison is repe cmpsd, which stops at the first
;     mismatching dword (early exit, not constant time).
.text:00401380 sub_401380      proc near               ; CODE XREF: _main+C9↓p
.text:00401380
.text:00401380 var_70          = byte ptr -70h
.text:00401380 var_60          = byte ptr -60h
.text:00401380 var_5F          = byte ptr -5Fh
.text:00401380 var_51          = byte ptr -51h
.text:00401380 var_50          = byte ptr -50h
.text:00401380 var_40          = byte ptr -40h
.text:00401380 var_20          = byte ptr -20h
.text:00401380 arg_0           = dword ptr  4
.text:00401380 arg_4           = dword ptr  8
.text:00401380 arg_8           = dword ptr  0Ch
.text:00401380 arg_C           = dword ptr  10h
.text:00401380
.text:00401380                 sub     esp, 70h
.text:00401383                 push    esi                              ; esi is callee-saved; restored by pop esi at the end
.text:00401384                 mov     esi, [esp+74h+arg_4]             ; esi = username length
.text:00401388                 cmp     esi, 3
.text:0040138B                 jb      loc_401456
.text:00401391                 cmp     esi, 14h                         ; username length must be 3..20 (unsigned compares)
.text:00401394                 ja      loc_401456
.text:0040139A                 cmp     [esp+74h+arg_C], 40h             ; key string length must be exactly 64
.text:004013A2                 jnz     loc_401456
.text:004013A8                 mov     ecx, [esp+74h+arg_8]             ; ecx = key string
.text:004013AF                 lea     eax, [esp+74h+var_40]
.text:004013B3                 push    eax                              ; out buffer (32 bytes)
.text:004013B4                 push    40h                              ; input length 64
.text:004013B6                 push    ecx                              ; key string
.text:004013B7                 call    sub_401000                       ; hex2bytes (per writeup): key string -> var_40
.text:004013BC                 add     esp, 0Ch
.text:004013BF                 cmp     eax, 20h                         ; must have produced exactly 32 bytes
.text:004013C2                 jnz     loc_401449
.text:004013C8                 push    0                                ; mode flag; writeup: patching this to push 1 turns the cipher from encrypt into decrypt
.text:004013CA                 push    80h
.text:004013CF                 lea     edx, [esp+7Ch+var_20]
.text:004013D3                 push    offset unk_4190D0                ; opaque constant block (key/table?) - not identified here
.text:004013D8                 push    edx                              ; out = var_20
.text:004013D9                 push    eax                              ; length 0x20
.text:004013DA                 lea     eax, [esp+88h+var_40]
.text:004013DE                 push    eax                              ; in = var_40
.text:004013DF                 call    sub_4010F0                       ; symmetric cipher: sub_4010F0(var_40, 0x20, var_20, unk_4190D0, 0x80, 0); writeup did not identify the algorithm
.text:004013E4                 lea     ecx, [esp+8Ch+var_60]
.text:004013E8                 lea     edx, [esp+8Ch+var_20]
.text:004013EC                 push    ecx                              ; out = var_60 (32 bytes)
.text:004013ED                 push    20h
.text:004013EF                 push    edx                              ; in = var_20
.text:004013F0                 call    sub_401210                       ; RSA (per writeup): var_20 -> var_60
.text:004013F5                 mov     al, [esp+98h+var_60]             ; RSA output byte 0 must be 0x00
.text:004013F9                 add     esp, 24h                         ; 9 dwords: 6 args of sub_4010F0 + 3 of sub_401210 (cdecl, cleanup deferred)
.text:004013FC                 test    al, al
.text:004013FE                 jnz     short loc_401449
.text:00401400                 cmp     [esp+74h+var_5F], 2              ; byte 1 must be 0x02
.text:00401405                 jnz     short loc_401449
.text:00401407                 mov     al, [esp+74h+var_51]             ; byte 15 (var_60+15) must be 0x00; bytes 2..14 are not checked at all
.text:0040140B                 test    al, al
.text:0040140D                 jnz     short loc_401449
.text:0040140F                 mov     ecx, [esp+74h+arg_0]             ; ecx = username
.text:00401413                 lea     eax, [esp+74h+var_70]
.text:00401417                 push    edi                              ; edi is callee-saved; needed as cmpsd destination below
.text:00401418                 push    eax                              ; out = var_70
.text:00401419                 push    esi                              ; username length
.text:0040141A                 push    ecx                              ; username
.text:0040141B                 call    sub_401190                       ; hash(username, len) -> var_70 (writeup calls it the username hash)
.text:00401420                 add     esp, 0Ch
.text:00401423                 mov     ecx, 4                           ; 4 dwords = 16 bytes to compare
.text:00401428                 lea     edi, [esp+78h+var_50]            ; RSA output bytes 16..31 (offsets shifted by the pushed edi)
.text:0040142C                 lea     esi, [esp+78h+var_70]            ; hash output
.text:00401430                 xor     edx, edx
.text:00401432                 repe cmpsd                               ; hash vs. bytes 16..31 of the RSA output; stops at first differing dword (assumes DF=0 per ABI)
.text:00401434                 pop     edi                              ; pop does not touch flags, ZF from cmpsd survives
.text:00401435                 jnz     short loc_401456
.text:00401437                 push    offset aCongratulation ; "Congratulations! You did it!\n"
.text:0040143C                 call    sub_411A90                       ; prints the success message
.text:00401441                 add     esp, 4
.text:00401444                 pop     esi
.text:00401445                 add     esp, 70h
.text:00401448                 retn

n = 69823028577465AB3991DF045146F91D556DEE8870845D8EE1CD3CF77E4A0C39
e = 10001
n 只有 64 个 hex 字符(256 位),这样的模数可以直接用 yafu 分解得到:
p = 979BE0C9EECE7426C9FD28C2D6E7772B
q = B22831D15714EB91CD83340B4837182B
d = 390A684CB713378FFD5CCE8C4000B5D6A2BB9F29B63D395E6BE6E9DD941527BD

m = 0002000000000000000000000000000014AF58AD4D76D59D8D2171FFB4CA2231 (程序只检查第1、2、16字节分别为00、02、00,第3~15字节不检查,可任意取值,所以会多解;后16字节是用户名hash)
c = m^d mod n (用私钥 d 对 m 做 RSA 运算) = 46FD7E72B31A3CB32B2DB098B3597825056A8AC4CF13CD127B95D2B22D9F2E45
key = sub_4010F0_decode(c) (把 push 0 改成 push 1 后用 sub_4010F0 对 c 解密得到 32 字节,以 64 位 hex 字符串形式输入) = EF589F333382266883B13D8DF4C6C4C2A786C2E7D9538E4A3D98E7B6CFCDDCE1


