Here comes the important part. From this we determine the proper size of the password ( 10 numbers ) and the the keys we need to decrypt the final hash.
First we have a comparison to the first four numbers ( in reverse order 4th-3rd-2nd-1st ).
004011C3 |. 813A 2621242C CMP DWORD PTR DS:[EDX],2C242126 ; comp edx to first 4 characters of password
004011C9 75 18 JNZ SHORT pass.004011E3
We see the string "2C242126" and these our hex values we must convert to get the first 4 numbers of the password. Using our handy dandy wincalc or printf("%c%c%c%cn",0x26,0x21,0x24,0x2C); ( remember reverse order) We get the string "&!$," (without quotes). So we go to the next set
printf("%c%c%c%cn",0x24,0x2D,0x22,0x20); gives up $-" (with a space at the end).
Now for the final two characters.
004011D4 |. 66:817A 08 242>CMP WORD PTR DS:[EDX+8],2724 ; compare characters 9 and 10
printf 24,27 gives us $'
Now we have our string so all thats left to do is figure out what each number of 1-9 will convert to when they are encrypted.
Lucky for us this program doesnt terminate after a wrong pass and the encrypted text is sitting in memory for us to look and at compare.
So we send 1234567890 through the app and see what the final string is. After running through we see the string visible in a few places like so: