S.l.e!ep.￠%

0040140D? |.? 6A 00???????? push??? 0??????????????????????????????? ; /RootPathName = NULL
0040140F? |.? E8 B4000000?? call??? <jmp.&KERNEL32.GetDriveTypeA>??? ; \GetDriveTypeA
00401414? |.? A2 EC334000?? mov???? byte ptr [4033EC], al
00401419? |.? 6A 00???????? push??? 0??????????????????????????????? ; /pFileSystemNameSize = NULL
0040141B? |.? 6A 00???????? push??? 0??????????????????????????????? ; |pFileSystemNameBuffer = NULL
0040141D? |.? 6A 00???????? push??? 0??????????????????????????????? ; |pFileSystemFlags = NULL
0040141F? |.? 6A 00???????? push??? 0??????????????????????????????? ; |pMaxFilenameLength = NULL
00401421? |.? 6A 00???????? push??? 0??????????????????????????????? ; |pVolumeSerialNumber = NULL
00401423? |.? 6A 0B???????? push??? 0B?????????????????????????????? ; |MaxVolumeNameSize = B (11.)
00401425? |.? 68 9C334000?? push??? 0040339C???????????????????????? ; |VolumeNameBuffer = CrackHea.0040339C
0040142A? |.? 6A 00???????? push??? 0??????????????????????????????? ; |RootPathName = NULL
0040142C? |.? E8 A3000000?? call??? <jmp.&KERNEL32.GetVolumeInformat>; \GetVolumeInformationA
00401431? |.? 8D35 9C334000 lea???? esi, dword ptr [40339C]
00401437? |.? 0FB60D EC3340>movzx?? ecx, byte ptr [4033EC]
0040143E? |.? 33FF????????? xor???? edi, edi
00401440? |>? 8BC1????????? mov???? eax, ecx
00401442? |.? 8B1E????????? mov???? ebx, dword ptr [esi]
00401444? |.? F7E3????????? mul???? ebx
00401446? |.? 03F8????????? add???? edi, eax
00401448? |.? 49??????????? dec???? ecx
00401449? |.? 83F9 00?????? cmp???? ecx, 0
0040144C? |.^ 75 F2???????? jnz???? short 00401440
0040144E? |.? 893D 9C334000 mov???? dword ptr [40339C], edi
00401454? |.? 61??????????? popad
00401455? \.? C3??????????? retn

0040140D? |.? 6A 00???????? push??? 0??????????????????????????????? ; /RootPathName = NULL
0040140F? |.? E8 B4000000?? call??? <jmp.&KERNEL32.GetDriveTypeA>??? ; \GetDriveTypeA

調(diào)用了API - GetDriveTypeA, 參數(shù)為 NULL
GetDriveType函數(shù)可以獲取目錄和盤號(hào)的屬性。
返回值是目錄的屬性，有如下值：
DRIVE_UNKNOWN??????? 0
DRIVE_NO_ROOT_DIR 1
DRIVE_REMOVABLE???? 2
DRIVE_FIXED?????????????? 3
DRIVE_REMOTE?????????? 4
DRIVE_CDROM??????????? 5
DRIVE_RAMDISK???????? 6

通常硬盤返回值為 DRIVE_FIXED?

一、關(guān)于寄存器
寄存器有EAX,EBX,ECX,EDX,EDI,ESI,ESP,EBP等，似乎IP也是寄存器，但只有在CALL/RET在中會(huì)默認(rèn)使用它，其它情況很少使用到，暫時(shí)可以不用理會(huì)。
EAX是WIN32 API 默認(rèn)的返回值存放處。
ECX是LOOP指令自動(dòng)減一的寄存器。
ESP是堆棧指針。
EBP經(jīng)常用來在堆棧中尋址。
ESI好像常常用在指針尋址中，EDI不大清楚。

00401414? |.? A2 EC334000?? mov???? byte ptr [4033EC], al??????????????因?yàn)?GetDriveTypeA 的返回值不超過一個(gè)字段，所以這里 byte & al 就夠了
GetDriveTypeA? 被暫時(shí)放到了 4033EC 這個(gè)地址

然后調(diào)用了API - GetVolumeInformationA（NULL，NULL，NULL，NULL，NULL，11， CrackHea.0040339C,? NULL) 獲取程序所在的盤的卷標(biāo)并放到
[40339C] 這個(gè)地址

00401431? |.? 8D35 9C334000 lea???? esi, dword ptr [40339C]
00401437? |.? 0FB60D EC3340>movzx?? ecx, byte ptr [4033EC]
0040143E? |.? 33FF????????? xor???? edi, edi
00401440? |>? 8BC1????????? mov???? eax, ecx
00401442? |.? 8B1E????????? mov???? ebx, dword ptr [esi]
00401444? |.? F7E3????????? mul???? ebx
00401446? |.? 03F8????????? add???? edi, eax
00401448? |.? 49??????????? dec???? ecx????????????????????????????????????????????????????????????? 讓ECX寄存器自減一,
00401449? |.? 83F9 00?????? cmp???? ecx, 0
0040144C? |.^ 75 F2???????? jnz???? short 00401440
0040144E? |.? 893D 9C334000 mov???? dword ptr [40339C], edi
00401454? |.? 61??????????? popad

?