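As I commented, the question is vague; I only glanced at it, and it does not seem too complicated.
All of these functions seem to retrieve some key values from the registry.
Basically it runs a loop:
while (string) {
    create a Unicode string
    open regkey  -> on fail return false
    get regvalue -> on fail return false
    go to next string
}
return true
These are the strings it accesses on Win7 x86: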
C:\>cdb -c "uf winload!CmpFindNlsData;q" -z c:\Windows\System32\winload.exe | grep -B 2 RtlInitUnicode
0046511c b8405c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465c40)
00465121 8d4df0 lea ecx,[ebp-10h]
00465124 e88d28fcff call winload!RtlInitUnicodeString (004279b6)
--
00465144 b8b05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cb0)
00465149 8d4df0 lea ecx,[ebp-10h]
0046514c e86528fcff call winload!RtlInitUnicodeString (004279b6)
--
0046516f b8c05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cc0)
00465174 8d4df0 lea ecx,[ebp-10h]
00465177 e83a28fcff call winload!RtlInitUnicodeString (004279b6)
--
0046519e b8e05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465ce0)
004651a3 8d4df0 lea ecx,[ebp-10h]
004651a6 e80b28fcff call winload!RtlInitUnicodeString (004279b6)
--
0046526a b8f05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cf0)
0046526f 8d4df0 lea ecx,[ebp-10h]
00465272 e83f27fcff call winload!RtlInitUnicodeString (004279b6)
--
00465339 b8005d4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465d00)
0046533e 8d4df0 lea ecx,[ebp-10h]
00465341 e87026fcff call winload!RtlInitUnicodeString (004279b6)
--
0046536b b8205d4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465d20)
00465370 8d4df0 lea ecx,[ebp-10h]
00465373 e83e26fcff call winload!RtlInitUnicodeString (004279b6)
--
00465438 b8305d4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465d30)
0046543d 8d4df0 lea ecx,[ebp-10h]
00465440 e87125fcff call winload!RtlInitUnicodeString (004279b6)
C:\>cdb -c "uf winload!CmpFindNlsData;q" -z c:\Windows\System32\winload.exe | grep -B 2 RtlInitUnicode | grep PBO
0046511c b8405c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465c40)
00465144 b8b05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cb0)
0046516f b8c05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cc0)
0046519e b8e05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465ce0)
0046526a b8f05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cf0)
00465339 b8005d4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465d00)
0046536b b8205d4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465d20)
00465438 b8305d4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465d30)
C:\>cdb -c "du 465c40;du 465cb0;du 465cc0;du 465ce0;du 465cf0;du 465d00;du 465d20;du 465d30;q" -z c:\Windows\System32\winload.exe | awk "/Reading/,/quit/"
0:000> cdb: Reading initial command 'du 465c40;du 465cb0;du 465cc0;du 465ce0;du 465cf0;du 465d00;du 465d20;du 465d30;q'
00465c40 "Control"
00465cb0 "NLS"
00465cc0 "CodePage"
00465ce0 "ACP"
00465cf0 "OEMCP"
00465d00 "Language"
00465d20 "Default"
00465d30 "OEMHAL"
quit:
And these keys exist under hklm\system\currentcontrolset
C:\>reg query hklm\system\currentcontrolset\control\nls\codepage /v *cp*
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\nls\codepage
ACP REG_SZ 1252
OEMCP REG_SZ 437
MACCP REG_SZ 10000
End of search: 3 match(es) found.
Once these are found, it returns file names such as c_1252.nls in the corresponding output parameters.
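The `grep -B 2` / `grep PBO` / `du` steps in the answer above can be folded into one script. This is an added example, not part of the original answer; the function names `string_operands` and `du_command` are hypothetical, and the sample input is taken from the cdb output quoted above plus one constructed line.

```python
import re

# First two call sites copied from the cdb output quoted in the answer.
# The "push eax" line is constructed, to show unrelated instructions are skipped.
SAMPLE = """\
0046511c b8405c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465c40)
00465121 8d4df0 lea ecx,[ebp-10h]
00465124 e88d28fcff call winload!RtlInitUnicodeString (004279b6)
00465129 50 push eax
00465144 b8b05c4600 mov eax,offset winload! ?? ::PBOPGDP::`string' (00465cb0)
00465149 8d4df0 lea ecx,[ebp-10h]
0046514c e86528fcff call winload!RtlInitUnicodeString (004279b6)
"""

# "mov eax,offset ... `string' (ADDR)" loads the literal's address.
STRING_REF = re.compile(r"mov\s+eax,offset .*`string' \(([0-9a-fA-F]{8})\)")
CALL = re.compile(r"call\s+\S*RtlInitUnicodeString\b")


def string_operands(disasm, window=2):
    """Addresses of string literals loaded at most `window` lines
    before each RtlInitUnicodeString call (same idea as grep -B 2)."""
    lines = disasm.splitlines()
    found = []
    for i, line in enumerate(lines):
        if not CALL.search(line):
            continue
        # Walk backwards so the nearest load before the call wins.
        for prev in reversed(lines[max(0, i - window):i]):
            m = STRING_REF.search(prev)
            if m:
                found.append(m.group(1).lower())
                break
    return found


def du_command(addresses, image):
    """Build the follow-up cdb command that dumps each address as Unicode."""
    cmds = ";".join(f"du {a.lstrip('0') or '0'}" for a in addresses)
    return f'cdb -c "{cmds};q" -z {image}'


if __name__ == "__main__":
    print(du_command(string_operands(SAMPLE), r"c:\Windows\System32\winload.exe"))
```

Feed it the full `uf winload!CmpFindNlsData` output instead of `SAMPLE` to get the complete `du` command line.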