Author: yulongying
Statement: To new users like me
Date: 18:03 2011-4-1
The day before yesterday, during a chat in the QQ group, a netizen asked for help, saying that he had forgotten the password of a folder he had encrypted with a program.
So I analyzed the program. On the one hand it was practice for me, and on the other hand it was helpful to others.
The program is relatively small, so it is fairly easy. I hope it will be helpful to new users like me.
The program stores its encryption information in a .XX2 file. After the program is installed, the file takes on the program's icon and is opened with the program by default.
I used UE to open this file:
The vast majority of the file is filled with A9, with other values in a few places.
0000032eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000033eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000034eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000035eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000036eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000037eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000038eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000039eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
000003aeh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
000003beh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
000003ceh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
000003deh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
000003eeh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
000003feh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000040eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000041eh: BA 9A CA A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000042eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000043eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000044eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000045eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000046eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000047eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000048eh: A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9 A9;
0000049eh: 99 A9;
First open the program, click Add to add the .XX2 file, then click Decrypt and enter any password. The program shows the message "The password does not match! Please enter it again." Haha.
Open the program with OD (OllyDbg) and find the position of that string.
00407F08 |>/8A8C04 880100> |/mov cl, byte ptr ss: [esp + eax + 188]; compares encrypted input characters with passwords in memory
00407F0F |. | 8A9404 000C00> | mov dl, byte ptr ss: [esp + eax + C00]
00407F16 |. | 3ACA | cmp cl, dl
00407F18 | 75 0E | jnz short HideFold.00407F28
00407F1A |. | 40 | inc eax
00407F1B |. | 3D 80000000 | cmp eax, 80
00407F20 |. | 0F8D 15010000 | jge HideFold.0040803B
00407F26 |. ^ EB E0 | jmp short HideFold.00407F08
00407F28 |> 6A 10 | push 10
00407F2A 68 B8954100 push HideFold.004195B8; incorrect password
00407F2F |. 68 9C954100 | push HideFold.0041959C; password mismatch! Enter again.
Just above the message there is a comparison loop, and this instruction pair is the key jump:
cmp eax, 80
00407F20 |. | 0F8D 15010000 | jge HideFold.0040803B
If the loop counter reaches 80 (hex), the jump is taken.
Continue scrolling up.
There is an obvious landmark:
00407E78 |./0F84 55050000 | je HideFold.004083D3
00407E7E |. | 8D9424 E40700> | lea edx, dword ptr ss: [esp + 7E4]
00407E85 |. | 68 A0040000 | push 4A0
00407E8A |. | 52 | push edx
00407E8B |. | 8D4C24 74 | lea ecx, dword ptr ss: [esp + 74]
00407E8F |. | FF15 A8344100 | call near dword ptr ds: [<& MSVCP60.st>; MSVCP60.std: basic_istream <char, std: char_traits <char >:: read
This call reads the .xx2 file into the buffer at ss:[esp + 7E4], so we can start the analysis from here.
00407E8A |. 52 | push edx; read the .xx2 file
00407E8B |. 8D4C24 74 | lea ecx, dword ptr ss: [esp + 74]
00407E8F |. FF15 A8344100 | call near dword ptr ds: [<& MSVCP60.std: basic_istre>; MSVCP60.std: basic_istream <char, std: char_traits <char >:: read
00407E95 |. 8B4424 6C | mov eax, dword ptr ss: [esp + 6C]
00407E99 |. 8B48 04 | mov ecx, dword ptr ds: [eax + 4]
00407E9C |. F6440C 70 01 | test byte ptr ss: [esp + ecx + 70], 1
00407EA1 |. 0F85 20020000 | jnz HideFold.004080C7
00407EA7 |. B9 1F000000 | mov ecx, 1F
00407EAC |. 33C0 | xor eax, eax
00407EAE |. 8DBC24 890100> | lea edi, dword ptr ss: [esp + 189]
00407EB5 |. C68424 880100> | mov byte ptr ss: [esp + 188], 0
00407EBD |. F3: AB | rep stos dword ptr es: [edi]
00407EBF |. 66: AB | stos word ptr es: [edi]
00407EC1 |. AA | stos byte ptr es: [edi]
00407EC2 |. B9 20000000 | mov ecx, 20
00407EC7 |. 33C0 | xor eax, eax
00407EC9 |. 8DBC24 880100> | lea edi, dword ptr ss: [esp + 188]
00407ED0 |. 8D9424 000100> | lea edx, dword ptr ss: [esp + 100]; input information is placed in edx
00407ED7 |. F3: AB | rep stos dword ptr es: [edi]
00407ED9 |. 68 80000000 | push
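Added example (not part of the original post or of the program): the stack displacements in the listings above give the file offset of the 80h bytes that the comparison loop reads from the .xx2 data. It assumes esp has the same value at the read call and in the loop, and that the read starts at file offset 0; the sample buffer is constructed from the bytes visible in the hex dump, and all function names are illustrative.

```python
# Added illustration; layout values are taken from the disassembly above.
FILLER = 0xA9          # padding byte seen throughout the hex dump
READ_SIZE = 0x4A0      # "push 4A0": byte count passed to istream::read
BUF_DISP = 0x7E4       # file buffer at [esp + 7E4]
STORED_DISP = 0xC00    # stored value compared at [esp + eax + C00]
FIELD_LEN = 0x80       # "cmp eax, 80": bytes compared by the loop


def stored_field_range():
    """File offsets (start, end) of the bytes the compare loop reads.

    Assumption: esp is the same at the read call and in the loop, and
    the read starts at file offset 0.
    """
    start = STORED_DISP - BUF_DISP
    end = start + FIELD_LEN
    if not 0 <= start < end <= READ_SIZE:
        raise ValueError("compared field lies outside the file buffer")
    return start, end


def non_filler_runs(data, start, end):
    """Return [(file_offset, bytes)] for runs in data[start:end] != FILLER."""
    runs, run_start = [], None
    for off in range(start, end + 1):
        in_run = off < end and data[off] != FILLER
        if in_run and run_start is None:
            run_start = off
        elif not in_run and run_start is not None:
            runs.append((run_start, bytes(data[run_start:off])))
            run_start = None
    return runs


def build_sample():
    """Constructed sample: filler everywhere plus the bytes visible in the dump."""
    sample = bytearray([FILLER] * READ_SIZE)
    sample[0x41E:0x421] = bytes.fromhex("BA9ACA")
    sample[0x49E] = 0x99
    return bytes(sample)


if __name__ == "__main__":
    blob = build_sample()
    lo, hi = stored_field_range()
    print(f"stored field: file offsets {lo:#x}..{hi - 1:#x}")
    for off, run in non_filler_runs(blob, lo, hi):
        print(f"  {off:#x}: {run.hex(' ')}")
```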