关键点:
; Debugger listing (OllyDbg, 32-bit x86, Intel syntax, cdecl stack arguments) of a serial check.
; Flow, as far as this excerpt shows it:
;   1. inline strlen of the input string at [esp+0x14]; reject if it is longer than 17 bytes;
;   2. for every input byte, format it with "%x" into a small temp buffer at [esp+0x12]
;      (presumably sprintf; the callee is not in this listing) and append that text to an
;      accumulator string at [esp+0x28] using the inline strcat idiom (strlen + rep movsd/movsb);
;   3. inline strcmp of the accumulator against the expected string at [esp+0x4C], then print
;      "success!" or "wrong!" (presumably printf/puts; callee not shown).
; The enclosing function starts before 00401043 and continues after 00401100.
;
; NOTE(review): the only bound enforced is on the raw input length (cmp ecx,0x11 / ja at
; 00401054-00401057); the length of the EXPANDED text is never checked. Each byte is loaded with
; movsx, so a byte >= 0x80 is sign-extended and "%x" prints 8 hex digits instead of 2. The temp
; buffer at [esp+0x12] lies only 2 bytes below the input at [esp+0x14], and the accumulator at
; [esp+0x28] lies 0x24 bytes below the expected string at [esp+0x4C]; if no other locals sit
; between them, long expansions overrun both. The fix is to bound the expanded length (or use
; movzx and a sized temp buffer) -- confirm the local buffer sizes in the enclosing function.
00401043 |. 8D7C24 20 |lea edi,dword ptr ss:[esp+0x20] ; edi = input string (the same buffer the loop below reads at [esp+0x14] once the add esp,0xC has run)
00401047 |. 83C9 FF |or ecx,-0x1 ; ecx = -1: maximum count for the repne scasb below (inline strlen idiom)
0040104A |. 33C0 |xor eax,eax ; al = 0: the byte repne scasb searches for (NUL terminator)
0040104C |. 83C4 0C |add esp,0xC ; discard 0xC bytes of arguments left by the preceding call (not shown)
0040104F |. F2:AE |repne scas byte ptr es:[edi] ; scan for NUL; ecx is decremented once per byte scanned
00401051 |. F7D1 |not ecx ; ecx = bytes scanned including the NUL = strlen+1
00401053 |. 49 |dec ecx ; ecx = strlen(input)
00401054 |. 83F9 11 |cmp ecx,0x11 ; compare the input length with 17
00401057 |. 0F87 B0000000 |ja 18a51cbc.0040110D ; length > 17 (unsigned) -> error path at 0040110D (outside this listing)
0040105D |. 33DB |xor ebx,ebx ; ebx = 0: index of the current input byte
0040105F |> 8A441C 14 |/mov al,byte ptr ss:[esp+ebx+0x14] ; al = input[ebx] (ebx advances each iteration, so not only the first byte)
00401063 |. 84C0 ||test al,al ; reached the NUL terminator?
00401065 |. 74 49 ||je short 18a51cbc.004010B0 ; yes -> leave the loop and compare at 004010B0
00401067 |. 0FBEC8 ||movsx ecx,al ; ecx = (int)(signed char)al -- SIGN-extended, so a byte >= 0x80 becomes a negative int
0040106A |. 51 ||push ecx ; push c (third argument)
0040106B |. 8D5424 16 ||lea edx,dword ptr ss:[esp+0x16] ; edx = temp text buffer ([esp+0x12] relative to the esp seen at 0040105F)
0040106F |. 68 44804000 ||push 18a51cbc.00408044 ; %x -- format string; with the buffer pointer pushed below this looks like sprintf(buf, "%x", c)
00401074 |. 52 ||push edx ; push buf (first argument)
00401075 |. E8 68020000 ||call 18a51cbc.004012E2 ; presumably sprintf (callee body not in this listing)
0040107A |. 8D7C24 1E ||lea edi,dword ptr ss:[esp+0x1E] ; edi = the same temp text buffer (esp has moved by the three pushes)
0040107E |. 83C9 FF ||or ecx,-0x1 ; ecx = -1 for another inline strlen
00401081 |. 33C0 ||xor eax,eax ; al = 0 (NUL to search for)
00401083 |. 83C4 0C ||add esp,0xC ; pop the three arguments (cdecl)
00401086 |. F2:AE ||repne scas byte ptr es:[edi] ; edi ends one past the NUL of the hex text
00401088 |. F7D1 ||not ecx ; ecx = strlen(hex text)+1 (byte count including the NUL)
0040108A |. 2BF9 ||sub edi,ecx ; edi = start of the hex text again (one past NUL, minus len+1)
0040108C |. 8D5424 28 ||lea edx,dword ptr ss:[esp+0x28] ; edx = accumulator string at [esp+0x28] (grows every iteration; not an empty buffer)
00401090 |. 8BF7 ||mov esi,edi ; esi = source: the hex text of the current byte
00401092 |. 8BE9 ||mov ebp,ecx ; ebp = byte count to copy (len+1); ecx is about to be reused
00401094 |. 8BFA ||mov edi,edx ; edi = destination: the accumulator
00401096 |. 83C9 FF ||or ecx,-0x1 ; ecx = -1 for a strlen of the accumulator
00401099 |. F2:AE ||repne scas byte ptr es:[edi] ; find the accumulator's NUL
0040109B |. 8BCD ||mov ecx,ebp ; ecx = byte count again
0040109D |. 4F ||dec edi ; edi = address of the accumulator's NUL = append position
0040109E |. C1E9 02 ||shr ecx,0x2 ; ecx = number of whole dwords to copy
004010A1 |. F3:A5 ||rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy the dwords (inline strcat: rep movsd here, rep movsb for the tail below)
004010A3 |. 8BCD ||mov ecx,ebp ; ecx = byte count
004010A5 |. 83E1 03 ||and ecx,0x3 ; ecx = remaining bytes (count mod 4)
004010A8 |. 43 ||inc ebx ; ebx++ (next input byte)
004010A9 |. 83FB 11 ||cmp ebx,0x11 ; set flags for the jl below: ebx < 17 ? (rep movsb does not touch flags)
004010AC |. F3:A4 ||rep movs byte ptr es:[edi],byte ptr ds:[esi] ; copy the tail bytes including the NUL -- the hex text is now appended to the accumulator
004010AE |.^ 7C AF |jl short 18a51cbc.0040105F ; loop while ebx < 17 (signed); a shorter input exits via the NUL test above
004010B0 |> 8D7424 4C |lea esi,dword ptr ss:[esp+0x4C] ; esi = expected string at [esp+0x4C] (the "real code" of the original notes)
004010B4 |. 8D4424 28 |lea eax,dword ptr ss:[esp+0x28] ; eax = accumulator at [esp+0x28] (hex-expanded input)
004010B8 |> 8A10 |/mov dl,byte ptr ds:[eax] ; dl = current byte of the hex-expanded INPUT (eax), not of the expected string
004010BA |. 8A1E ||mov bl,byte ptr ds:[esi] ; bl = current byte of the EXPECTED string (esi)
004010BC |. 8ACA ||mov cl,dl ; cl = copy of the input byte, kept for the NUL test after the compare
004010BE |. 3AD3 ||cmp dl,bl ; compare one byte of each string
004010C0 |. 75 1E ||jnz short 18a51cbc.004010E0 ; mismatch -> compute the strcmp-style result at 004010E0
004010C2 |. 84C9 ||test cl,cl ; bytes equal: was it the terminating NUL?
004010C4 |. 74 16 ||je short 18a51cbc.004010DC ; yes -> strings equal, eax = 0 at 004010DC
004010C6 |. 8A50 01 ||mov dl,byte ptr ds:[eax+0x1] ; second byte pair (loop unrolled x2)
004010C9 |. 8A5E 01 ||mov bl,byte ptr ds:[esi+0x1] ; expected[1]
004010CC |. 8ACA ||mov cl,dl ; keep input[1] for the NUL test
004010CE |. 3AD3 ||cmp dl,bl ; compare the second pair
004010D0 |. 75 0E ||jnz short 18a51cbc.004010E0 ; mismatch -> 004010E0
004010D2 |. 83C0 02 ||add eax,0x2 ; advance the input pointer by 2
004010D5 |. 83C6 02 ||add esi,0x2 ; advance the expected pointer by 2
004010D8 |. 84C9 ||test cl,cl ; second byte was the NUL?
004010DA |.^ 75 DC |jnz short 18a51cbc.004010B8 ; no -> compare the next pair
004010DC |> 33C0 |xor eax,eax ; eax = 0: strings equal
004010DE |. EB 05 |jmp short 18a51cbc.004010E5 ; skip the mismatch result
004010E0 |> 1BC0 |sbb eax,eax ; eax = -1 if dl < bl else 0 (CF still holds the result of the last cmp)
004010E2 |. 83D8 FF |sbb eax,-0x1 ; eax = eax + 1 - CF: -1 if dl < bl, +1 if dl > bl (strcmp-style return value)
004010E5 |> 85C0 |test eax,eax ; eax == 0 ?
004010E7 |. 75 12 |jnz short 18a51cbc.004010FB ; non-zero -> "wrong!" path
004010E9 |. 68 38804000 |push 18a51cbc.00408038 ; success! -- push the message
004010EE |. E8 58020000 |call 18a51cbc.0040134B ; presumably printf/puts (callee not shown)
004010F3 |. 83C4 04 |add esp,0x4 ; pop the one argument
004010F6 |.^ E9 1FFFFFFF |jmp 18a51cbc.0040101A ; back to 0040101A (outside this listing; presumably the prompt loop)
004010FB |> 68 30804000 |push 18a51cbc.00408030 ; wrong! -- push the message
00401100 |. E8 46020000 |call 18a51cbc.0040134B ; same print routine; its stack cleanup is outside this listing