00401431  |.  8D35 9C334000   lea     esi, dword ptr [40339C]
00401437  |.  0FB60D EC3340>  movzx   ecx, byte ptr [4033EC]
0040143E  |.  33FF            xor     edi, edi
00401440  |>  8BC1            mov     eax, ecx
00401442  |.  8B1E            mov     ebx, dword ptr [esi]
00401444  |.  F7E3            mul     ebx
00401446  |.  03F8            add     edi, eax
00401448  |.  49              dec     ecx                      decrement ECX by one
00401449  |.  83F9 00         cmp     ecx, 0
0040144C  |.^ 75 F2           jnz     short 00401440
0040144E  |.  893D 9C334000   mov     dword ptr [40339C], edi
00401454  |.  61              popad
lea     esi, dword ptr [40339C]
    lea is the load-effective-address instruction: it puts the value 40339C into the esi register.
movzx   ecx, byte ptr [4033EC]
    MOVZX extends its source operand with zeros to the width of its destination operand (the sign bit of the source is not preserved), then copies the result into the destination operand.
            movzx   eax, bx
    is equivalent to
            xor     eax, eax
            mov     ax, bx
    The former produces smaller object code; the latter is faster (on mainstream CPUs).
0040143E  |.  33FF            xor     edi, edi                 clear edi
00401440  |>  8BC1            mov     eax, ecx                 copy ecx into eax (ecx is 3 at this point)   <==== target of the jnz at 0040144C
00401442  |.  8B1E            mov     ebx, dword ptr [esi]     load the value at the address in esi into ebx; it is a dword, i.e. four bytes, so ebx receives the first four bytes of the volume label
00401444  |.  F7E3            mul     ebx
00401446  |.  03F8            add     edi, eax
00401448  |.  49              dec     ecx                      decrement ECX by one
00401449  |.  83F9 00         cmp     ecx, 0
0040144C  |.^ 75 F2           jnz     short 00401440           <==== this forms a loop
0040144E  |.  893D 9C334000   mov     dword ptr [40339C], edi
00401454  |.  61              popad
mul
MUL multiplies AL, AX or EAX by the source operand.
If the source operand is 8 bits, it is multiplied with AL and the product is stored in AX.
If the source operand is 16 bits, it is multiplied with AX and the product is stored in DX:AX.
If the source operand is 32 bits, it is multiplied with EAX and the product is stored in EDX:EAX, with EDX holding the high half.
    The operand in your example is 10000h, which is no longer a 16-bit value, so it should be held in a 32-bit register.
    By the third rule above it is multiplied with EAX; in the largest case 2^15 times 2^15 = 2^16, which EDX:EAX can hold, and 10000h even more so.
POPAD pops EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX from the stack, in that order.
esi = 40339C
ecx = 3
edi = 0
First iteration
:again
eax = ecx (3)
ebx = 'ABCD'
eax = eax * ebx   (3 * 0x44434241) = CCC9C6C3   (32-bit multiply: high half in EDX, low half in EAX)
edi = edi + eax   (0 + CCC9C6C3) = CCC9C6C3
ecx--
if ecx != 0 then goto again
Second iteration
:again
eax = ecx (2)
ebx = 'ABCD'
eax = eax * ebx   (2 * 0x44434241) = 88868482   (32-bit multiply: high half in EDX, low half in EAX)
edi = edi + eax   (CCC9C6C3 + 88868482) = 155504B45   (this overflows 32 bits; edi keeps only 55504B45)
ecx--
if ecx != 0 then goto again
Third iteration
:again
eax = ecx (1)
ebx = 'ABCD'
eax = eax * ebx   (1 * 0x44434241) = 0x44434241   (32-bit multiply: high half in EDX, low half in EAX)
edi = edi + eax   (0x55504B45 + 0x44434241) = 99938D86
ecx--
After three iterations the computed value is in edi.
Then
0040144E  |.  893D 9C334000   mov     dword ptr [40339C], edi
stores the value of edi at memory address 40339C:
0040339C  86 8D 93 99 45 46 47 48 49 4A 00 00 00 00 00 00  啀摍EFGHIJ......
004033AC  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ...............
Working this through, it is not hard to turn it into C++ code:
#include <iostream>
#include <windows.h>
#include <cstring>
using namespace std;
int main()
{
    int nDriveType = ::GetDriveType(NULL);          // drive type of the current volume (queried but not used below)
    char szBuf[11] = {0};                           // volume label; the loop only reads its first four bytes
    // ANSI build assumed (char buffer). Check the result so a failed call is not hashed as an all-zero label.
    if (!::GetVolumeInformation(NULL, szBuf, 11, NULL, NULL, NULL, NULL, 0))
    {
        std::cerr << "GetVolumeInformation failed: " << ::GetLastError() << std::endl;
        return 1;
    }
    UINT nResult = 0;                               // edi
    for (int i = 3; i > 0; i--)                     // ecx runs 3, 2, 1
    {
        UINT nValue = 0;
        memcpy(&nValue, szBuf, 4);                  // mov ebx, dword ptr [esi]: first dword of the label
        nValue *= i;                                // mul ebx, keeping only the low 32 bits (EAX)
        nResult += nValue;                          // add edi, eax, wrapping modulo 2^32
    }
    nResult ^= 0x797A7553;
    std::cout << nResult << std::endl;
    return 0;
}
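As an added example (not code from the original post), the same loop emulated in portable C++ with the 32-bit semantics the trace relies on: mul keeps only EAX, add wraps modulo 2^32, and the result is written back over the first four bytes of the label. The label "ABCDEFGHIJ" is inferred from the memory dump above, the loop count 3 from the trace, and the final XOR with 0x797A7553 is taken from the C++ reconstruction.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

struct TraceStep { uint32_t ecx, eax, edi; };
struct PageExample {
    std::vector<TraceStep> trace;   // one entry per pass through the loop
    std::vector<uint8_t> label;     // label buffer after the store at 0040144E
    uint32_t final_value;           // edi ^ 0x797A7553, as in the C++ reconstruction
};

// mov ebx, dword ptr [esi] is a little-endian load; done by hand so that
// "ABCD" yields 0x44434241 on any host, not only on x86.
static uint32_t load_le32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) |
           (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
static void store_le32(uint8_t* p, uint32_t v) {
    for (int i = 0; i < 4; ++i) p[i] = uint8_t(v >> (8 * i));
}

// `count` is the byte loaded by movzx ecx, byte ptr [4033EC] (3 in the trace).
// The dec/cmp/jnz sits at the bottom, so the original always runs at least
// once and a count of 0 would spin 2^32 times; the emulator refuses that case.
std::vector<TraceStep> emulate_label_loop(uint8_t* label, uint8_t count) {
    std::vector<TraceStep> trace;
    if (count == 0) return trace;
    uint32_t edi = 0;                              // xor edi, edi
    uint32_t ecx = count;
    do {
        uint32_t eax = ecx;                        // mov eax, ecx
        uint32_t ebx = load_le32(label);           // mov ebx, dword ptr [esi]
        uint64_t product = uint64_t(eax) * ebx;    // mul ebx -> EDX:EAX
        eax = uint32_t(product);                   // EDX (high half) is never used
        edi += eax;                                // add edi, eax wraps modulo 2^32
        trace.push_back({ecx, eax, edi});
    } while (--ecx != 0);                          // dec ecx / cmp ecx, 0 / jnz
    store_le32(label, edi);                        // mov dword ptr [40339C], edi
    return trace;
}

// Constructed input: the label "ABCDEFGHIJ" implied by the memory dump.
PageExample run_page_example() {
    PageExample r;
    const char* label = "ABCDEFGHIJ";
    r.label.assign(label, label + std::strlen(label) + 1);
    r.trace = emulate_label_loop(r.label.data(), 3);
    r.final_value = r.trace.back().edi ^ 0x797A7553u;
    return r;
}
```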