00401431? |.? 8D35 9C334000 lea???? esi, dword ptr [40339C]
00401437? |.? 0FB60D EC3340>movzx?? ecx, byte ptr [4033EC]
0040143E? |.? 33FF????????? xor???? edi, edi
00401440? |>? 8BC1????????? mov???? eax, ecx
00401442? |.? 8B1E????????? mov???? ebx, dword ptr [esi]
00401444? |.? F7E3????????? mul???? ebx
00401446? |.? 03F8????????? add???? edi, eax
00401448? |.? 49??????????? dec???? ecx????????????????????????????????????????????????????????????? 讓ECX寄存器自減一,
00401449? |.? 83F9 00?????? cmp???? ecx, 0
0040144C? |.^ 75 F2???????? jnz???? short 00401440
0040144E? |.? 893D 9C334000 mov???? dword ptr [40339C], edi
00401454? |.? 61??????????? popad
lea???? esi, dword ptr [40339C]
?? lea 目的地址傳送指令. 將? 40339C 這個值放到 esi 寄存器
movzx?? ecx, byte ptr [4033EC]??
MOVZX指令將他的源操作數0擴展為他的目標操作數的長度(即不保留最高位的符號屬性),然后將結果復制到目標操作數中。?
??????????? movzx ? eax, ? bx ? ? ?
? ? 等價于 ?
? ? ? ? ? ? xor ? eax,eax ?
? ? ? ? ? ? mov ? ax,bx???
? 前者目標碼代碼較小,后者 ? 速度更快(在主流CPU)????
0040143E? |.? 33FF????????? xor???? edi, edi?????????????????????????????????????????? 將 edi 清零
00401440? |>? 8BC1????????? mov???? eax, ecx????????????????????????????????????? 將 ecx 的值賦值到 eax? (ecx 現在等于 3) <======???? 0040144C? |.^ 75 F2???????? jnz???? short 00401440
00401442? |.? 8B1E????????? mov???? ebx, dword ptr [esi]????????????????????? 將 esi 所指向的地址的值賦給 ebx ,? 這里是dword,即四個字節,將?卷標的前四個字節的值賦給 ebx?
00401444? |.? F7E3????????? mul???? ebx
00401446? |.? 03F8????????? add???? edi, eax
00401448? |.? 49??????????? dec???? ecx????????????????????????????????????????????????????????????? 讓ECX寄存器自減一,
00401449? |.? 83F9 00?????? cmp???? ecx, 0
0040144C? |.^ 75 F2???????? jnz???? short 00401440??????????????????????????????? <==== 這里做了一個循環
0040144E? |.? 893D 9C334000 mov???? dword ptr [40339C], edi
00401454? |.? 61??????????? popad
mul
MUL,將AL,AX或EAX與源操作數相乘。
如果源操作數是8位的,則與AL相乘,積存儲在AX中
如果源操作數是16位的,則與AX相乘,積存儲在DX:AX中
如果源操作數是32位的,則與EAX相乘,積存儲在EDX:EAX中?? EDX 為高位
? ? 你例句的操作數為10000h,已經不是16位了,故它因該是存儲在一個32位寄存器中。
? ? 依照以上第三條,與EAX相乘,最大情況為2的15次方乘以2的15次方=2的16次方,EDX:EAX滿足條件存儲,而10000h就更不用說了
POPAD 把EDI,ESI,EBP,ESP,EBX,EDX,ECX,EAX依次彈出堆棧.
esi = 40339c
ecx = 3
edi = 0
第一次循環
:again
eax = ecx (3)
ebx = 'ABCD'
eax = eax * ebx?? (3 * 0x44434241) = CCC9C6C3?? (32位相乘高位在 EDX, 低位在 EAX)
edi = edi + eax?? (0 + CCC9C6C3) = CCC9C6C3
ecx--
if ecx != 0? then goto again
第二次循環
:again
eax = ecx (2)
ebx = 'ABCD'
eax = eax * ebx?? (2 * 0x44434241) = 88868482 (32位相乘高位在 EDX, 低位在EAX)
edi = edi + eax?? (CCC9C6C3 + 88868482) = 155504B45 (此處溢出,edi只取得 55504B45)
ecx--
if ecx != 0 then goto again
第三次循環
:again
eax = ecx (1)
ebx = 'ABCD'
eax = eax * ebx (1* 0x44434241) = 0x44434241? (32位相乘高位在 EDX, 低位在EAX)
edi = edi + eax (0x55504B45 + 0x44434241) = 99938D86
ecx--
經過三次循環
經過計算的值放在 edi
經過
0040144E? |.? 893D 9C334000 mov???? dword ptr [40339C], edi
edi 的值放在 40339C 這個內存地址
0040339C? 86 8D 93 99 45 46 47 48 49 4A 00 00 00 00 00 00? 啀摍EFGHIJ......
004033AC? 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00???? ...............
經過推算,不難將它轉成C++代碼
#include <iostream>
#include <windows.h>
#include <memory.h>
using namespace std;
int main()
{
?int nDriveType = ::GetDriveType(NULL);
?char szBuf[11] = {0};
??? ::GetVolumeInformation(NULL, szBuf, 11, NULL, NULL, NULL, NULL, NULL);
?UINT nResult = 0;
?for( int i=3; i>0; i-- )
?{
??UINT nValue = 0;
??memcpy(&nValue, szBuf, 4);
??nValue *= i;
??nResult += nValue;
?}
?nResult ^= 0x797A7553;
?std::cout << nResult << std::endl;
?return 0;
}
?