0040140D  |.  6A 00          push    0                                ; /RootPathName = NULL
0040140F  |.  E8 B4000000    call    <jmp.&KERNEL32.GetDriveTypeA>    ; \GetDriveTypeA
00401414  |.  A2 EC334000    mov     byte ptr [4033EC], al
00401419  |.  6A 00          push    0                                ; /pFileSystemNameSize = NULL
0040141B  |.  6A 00          push    0                                ; |pFileSystemNameBuffer = NULL
0040141D  |.  6A 00          push    0                                ; |pFileSystemFlags = NULL
0040141F  |.  6A 00          push    0                                ; |pMaxFilenameLength = NULL
00401421  |.  6A 00          push    0                                ; |pVolumeSerialNumber = NULL
00401423  |.  6A 0B          push    0B                               ; |MaxVolumeNameSize = B (11.)
00401425  |.  68 9C334000    push    0040339C                         ; |VolumeNameBuffer = CrackHea.0040339C
0040142A  |.  6A 00          push    0                                ; |RootPathName = NULL
0040142C  |.  E8 A3000000    call    <jmp.&KERNEL32.GetVolumeInformat>; \GetVolumeInformationA
00401431  |.  8D35 9C334000  lea     esi, dword ptr [40339C]
00401437  |.  0FB60D EC3340> movzx   ecx, byte ptr [4033EC]
0040143E  |.  33FF           xor     edi, edi
00401440  |>  8BC1           mov     eax, ecx
00401442  |.  8B1E           mov     ebx, dword ptr [esi]
00401444  |.  F7E3           mul     ebx
00401446  |.  03F8           add     edi, eax
00401448  |.  49             dec     ecx
00401449  |.  83F9 00        cmp     ecx, 0
0040144C  |.^ 75 F2          jnz     short 00401440
0040144E  |.  893D 9C334000  mov     dword ptr [40339C], edi
00401454  |.  61             popad
00401455  \.  C3             retn
0040140D  |.  6A 00          push    0                                ; /RootPathName = NULL
0040140F  |.  E8 B4000000    call    <jmp.&KERNEL32.GetDriveTypeA>    ; \GetDriveTypeA
The routine first calls the API GetDriveTypeA with a NULL argument.
GetDriveType reports what kind of device a drive is (removable, fixed, network, CD-ROM, RAM disk). When RootPathName is NULL, as it is here, the function uses the root of the current directory, i.e. the drive the program is running from.
The return value is one of the following:
DRIVE_UNKNOWN      0
DRIVE_NO_ROOT_DIR  1
DRIVE_REMOVABLE    2
DRIVE_FIXED        3
DRIVE_REMOTE       4
DRIVE_CDROM        5
DRIVE_RAMDISK      6
A hard disk normally returns DRIVE_FIXED (3).
1. About the registers
The general-purpose registers are EAX, EBX, ECX, EDX, EDI, ESI, ESP and EBP. EIP, the instruction pointer, is also a register, but it is only changed implicitly by CALL/RET and the jump instructions, so it can be ignored for now.
EAX is where a Win32 API call (stdcall convention) leaves its return value.
ECX is the counter register: the LOOP instruction decrements it automatically, and the routine below uses it as a hand-rolled loop counter in the same way.
ESP is the stack pointer.
EBP is commonly used as a frame pointer for addressing locals and arguments on the stack.
ESI and EDI are the source and destination index registers; they usually hold pointers (the string instructions use them that way). In this routine ESI points at the volume label buffer and EDI is used as an accumulator.
00401414  |.  A2 EC334000    mov     byte ptr [4033EC], al            The GetDriveTypeA result is never larger than 6, so it fits in one byte; storing AL (the low byte of EAX) into byte ptr [4033EC] is enough.
The drive type is parked at address 4033EC for later use.
The routine then calls GetVolumeInformationA. The arguments are pushed right to left, so read in C order the call is GetVolumeInformationA(NULL, 0040339C, 11, NULL, NULL, NULL, NULL, 0): RootPathName is NULL again, so the volume of the current directory (the drive the program was started from) is queried; the volume label is written into the 11-byte buffer at
[40339C]; the serial number, maximum component length, file-system flags and file-system name are not requested.
00401431  |.  8D35 9C334000  lea     esi, dword ptr [40339C]          ESI -> the volume label buffer just filled by GetVolumeInformationA
00401437  |.  0FB60D EC3340> movzx   ecx, byte ptr [4033EC]           ECX = the saved drive type, zero-extended from a byte
0040143E  |.  33FF           xor     edi, edi                         EDI = 0, the accumulator
00401440  |>  8BC1           mov     eax, ecx                         loop start: EAX = current counter value
00401442  |.  8B1E           mov     ebx, dword ptr [esi]             EBX = first 4 bytes of the volume label (ESI is never advanced)
00401444  |.  F7E3           mul     ebx                              EDX:EAX = EAX * EBX; only the low dword in EAX is used, EDX is clobbered
00401446  |.  03F8           add     edi, eax                         EDI += counter * label dword
00401448  |.  49             dec     ecx                              decrement ECX by one
00401449  |.  83F9 00        cmp     ecx, 0                           redundant: dec already set ZF
0040144C  |.^ 75 F2          jnz     short 00401440                   loop until ECX reaches 0
0040144E  |.  893D 9C334000  mov     dword ptr [40339C], edi          overwrite the label buffer with the result
00401454  |.  61             popad                                    restore the registers saved by the matching pushad
With n = drive type and D = the first dword of the volume label, the loop computes EDI = D*n + D*(n-1) + ... + D*1 = D * n(n+1)/2, truncated to 32 bits, and stores it over the label at 40339C. On a fixed disk (n = 3) the result is simply 6*D. Two details worth noting: the loop is dec/jnz with no entry check, so if GetDriveTypeA returns DRIVE_UNKNOWN (0) the first dec wraps ECX to FFFFFFFF and the loop runs 2^32 times; and because ESI is never incremented, only the first four characters of the label influence the result.
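The loop above re-implemented in C, as an added example that is not part of the CrackMe or of this write-up. It mirrors the 32-bit register arithmetic (including the discarded high dword of mul), refuses the drive-type-0 case the real code would spin on, and checks the shortcut formula against the literal loop. The label "DATA" and drive type 3 are constructed sample input; the function names first_dword, emulate_loop and closed_form are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: re-implementation of the serial loop at 00401440-0040144C.
   Not the CrackMe's own code; register names in comments refer to the
   disassembly above. */

/* `mov ebx, dword ptr [esi]`: load the first four bytes of the volume-label
   buffer as a little-endian dword. The buffer at 40339C is 11 bytes and the
   label is NUL-terminated, so short labels are padded with zero bytes. */
static uint32_t first_dword(const char *label)
{
    uint8_t b[4] = {0, 0, 0, 0};
    size_t n = strlen(label);
    if (n > 4)
        n = 4;
    memcpy(b, label, n);
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Faithful emulation of the loop. ECX starts at the GetDriveTypeA result,
   EDI at 0. ESI is never advanced, so every iteration reads the same dword.
   `mul ebx` produces EDX:EAX but only EAX (low 32 bits) is added to EDI.
   The loop is dec/jnz with no entry check: for drive type 0 the real code
   wraps ECX to FFFFFFFF and spins 2^32 times, so this emulation refuses
   that input and reports it through *terminates. */
static uint32_t emulate_loop(uint8_t drive_type, const char *label, int *terminates)
{
    uint32_t ebx = first_dword(label);
    uint32_t ecx = drive_type;
    uint32_t edi = 0;

    if (ecx == 0) {
        *terminates = 0;
        return 0;
    }
    *terminates = 1;
    do {
        uint32_t eax = ecx;
        eax = (uint32_t)((uint64_t)eax * ebx);   /* mul ebx, keep low dword only */
        edi += eax;                                /* add edi, eax (wraps mod 2^32) */
        ecx--;                                     /* dec ecx */
    } while (ecx != 0);                            /* cmp ecx, 0 / jnz */
    return edi;
}

/* Closed form of the same sum: D*n + D*(n-1) + ... + D*1 = D * n(n+1)/2,
   reduced mod 2^32 exactly as the 32-bit registers do. */
static uint32_t closed_form(uint8_t drive_type, const char *label)
{
    uint32_t triangular = (uint32_t)drive_type * ((uint32_t)drive_type + 1) / 2;
    return first_dword(label) * triangular;
}

int main(void)
{
    /* Constructed sample input: a fixed disk (DRIVE_FIXED = 3) labelled "DATA". */
    int terminates;
    uint32_t v = emulate_loop(3, "DATA", &terminates);
    printf("loop result : %08X (terminates=%d)\n", (unsigned)v, terminates);
    printf("closed form : %08X\n", (unsigned)closed_form(3, "DATA"));
    return 0;
}
```

Because only the first dword of the label and the drive type feed the sum, two volumes whose labels share their first four characters produce the same value on the same kind of drive; that is the observation a keygen for this routine would build on.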