notebook 4.0 reverse analysis: new findings

Source: Internet  Published: 广西玉林直播软件  Editor: 程序博客网  Time: 2024/04/30 04:09

006F5891     /74 7E         je      short 006F5911  change to JMP, otherwise the filename prompt is wrong ⑴
006F5938   . /74 18         je      short 006F5952  should also be made to jump; otherwise it prompts you to uninstall and it's all over ~~ ⑵
   Changing the two lines above causes no real problems.


00443C2E   . /74 07         je      short 00443C37      must not let it jump ~~ ⑶ the code below seems to be signing-related ~~
00443C30   . |33C0          xor     eax, eax
00443C32   . |8945 B0       mov     dword ptr [ebp-0x50], eax
00443C35   . |EB 10         jmp     short 00443C47
00443C37   > \6A 00         push    0x0                                                   ; /EventName = NULL
00443C39   .  6A 00         push    0x0                                                   ; |InitiallySignaled = FALSE
00443C3B   .  6A FF         push    -0x1                                                  ; |ManualReset = TRUE
00443C3D   .  6A 00         push    0x0                                                   ; |pSecurity = NULL
00443C3F   .  E8 AC42FCFF   call    <jmp.&kernel32.CreateEventA>                          ; \CreateEventA
00443C44   .  8945 B0       mov     dword ptr [ebp-0x50], eax
00443C47   >  B0 01         mov     al, 0x1
00443C49   .  E8 CACDFEFF   call    00430A18
00443C4E   .  33C0          xor     eax, eax
00443C50   .  55            push    ebp
00443C51   .  68 133D4400   push    00443D13
00443C56   .  64:FF30       push    dword ptr fs:[eax]
00443C59   .  64:8920       mov     dword ptr fs:[eax], esp
00443C5C   .  837D B0 00    cmp     dword ptr [ebp-0x50], 0x0
00443C60   .  0F84 90000000 je      00443CF6
00443C66   .  6A 00         push    0x0                                                   ; /pOverlapped = NULL
00443C68   .  8D45 F0       lea     eax, dword ptr [ebp-0x10]                             ; |
00443C6B   .  50            push    eax                                                   ; |pBytesWritten
00443C6C   .  6A 38         push    0x38                                                  ; |nBytesToWrite = 38 (56.)
00443C6E   .  8D45 B0       lea     eax, dword ptr [ebp-0x50]                             ; |
00443C71   .  50            push    eax                                                   ; |Buffer
00443C72   .  A1 907B7100   mov     eax, dword ptr [0x717B90]                             ; |
00443C77   .  50            push    eax                                                   ; |hFile => 000000F4 (window)
00443C78   .  E8 1347FCFF   call    <jmp.&kernel32.WriteFile>                             ; \WriteFile
00443C7D   .  85C0          test    eax, eax
00443C7F   .  74 6A         je      short 00443CEB
00443C81   .  837D F0 38    cmp     dword ptr [ebp-0x10], 0x38
00443C85   .  75 64         jnz     short 00443CEB
00443C87   .  E8 BC43FCFF   call    <jmp.&kernel32.GetCurrentThreadId>                    ; [GetCurrentThreadId
00443C8C   .  8B15 C0FC7200 mov     edx, dword ptr [0x72FCC0]                             ;  this seems to be .00730034
00443C92   .  3B02          cmp     eax, dword ptr [edx]
00443C94   .  75 4A         jnz     short 00443CE0

Now only the initialization is still wrong.
