Disassembly Analysis of the WIN98SE Hard Disk Master Boot Record Code

The hard disk Master Boot Record (MBR) is the contents of head 0, track 0, sector 1 of the hard disk. The ROM BIOS of a PC or compatible reads it from the hard disk after power-on and a successful POST, places it in memory at 0:7C00, and then jumps to that address to execute it. This code is responsible for finding a bootable entry among the 4 partition table entries at the end of the code, reading that partition's boot record, and booting from it.

For a long time the MBR kept the code exactly as IBM designed it for the IBM PC in 1982. Only when hard disk capacity exceeded 8.4G, the largest capacity a traditional BIOS can support, did it have to gain new INT13 extension code, but its main function remained unchanged.

; Analysis of the hard disk master boot record code:
; This code was taken from a hard disk processed by the WIN98SE "FDISK /MBR" command
;
; After power-on and a successful POST, the PC's ROM reads this code from head 0, track 0, sector 1 of the hard disk,
; places it at 0:7C00, and sets the registers as follows:
; CS=DS=ES=SS=0. IP=7C00h, SP=0400H
;
; This code finds the bootable entry among the 4 partition table entries at the end of the code, reads that partition's boot record and boots from it.
;
; The flow is as follows:
;
; 1). Move the code from 0:7C00 to 0:600
; 2). Check the validity of the 4 partition table entries:
; a). Is there a bootable partition?
; If none, go to ROM BASIC (INT 18)
; b). More than one bootable partition?
; If so, display 'Invalid partition' and halt
; c). Boot indicator with an invalid value other than 0 or 80h?
; If so, display 'Invalid partition' and halt
; 3). Find the single valid bootable partition entry and read its boot record into 0:7C00,
; a). There are two ways of reading it:
; normally the classic INT13 AH=2 call is used;
; if the system ID is 0Eh, the INT13 AH=42 extended function of newer BIOSes is used instead
; b). If the read fails (including reading invalid contents), the read is retried up to 10 times. If the system ID is 0B or 0C, a backup of the boot record exists 6 sectors after the original boot record, and from the 6th attempt on that backup is read
; c). If it still fails, display 'Missing operating system' or 'Error loading operating system' and halt
; 4). Jump to the valid boot record at 0:7C00
;
; When it has loaded the boot record at 0:7C00 and jumps to it, the registers are set as follows: CS=DS=ES=SS=0. IP=7C00h, DI=SP=7C00H, SI=BP --> point to the partition table entry being booted
; .386p
_data segment public
        assume cs:_data, ds:_data
        org 600h
mbr proc far
; The ROM in the IBM PC starts the boot process by performing a hardware initialization and a verification of all external devices. If all goes well, it will then load from the boot drive the sector from track 0, head 0, sector 1. This sector is placed at physical address 07C00h. The initial registers are set up as follows: CS=DS=ES=SS=0. IP=7C00h, SP=0400H, CLI.
Assembly code:
0000:0600 start: ; relocate to 0:0600
0000:0600 33 C0 xor ax,ax
0000:0602 8E D0 mov ss,ax
0000:0604 BC 7C00 mov sp,7C00h ; new stack at 0:7c00
0000:0607 FB sti ; interrupts ok now
0000:0608 50 push ax
0000:0609 07 pop es
0000:060A 50 push ax
0000:060B 1F pop ds ; ES:DS=0
0000:060C FC cld ; movsb direction: forward
0000:060D .BE 7C1B mov si,offset loc_restart - 600h + 7C00h
0000:0610 .BF 061B mov di,offset loc_restart
0000:0613 50 push ax
0000:0614 57 push di
0000:0615 B9 01E5 mov cx,offset code_end - offset loc_restart
0000:0618 F3/ A4 rep movsb ; move CX byte data from DS:SI to ES:DI
0000:061A CB retf ; return address = 0:061B = offset loc_restart

; look through the partition table
; for a valid and active entry
0000:061B loc_restart:
0000:061B .BE 07BE mov si,offset partition_tab
0000:061E B1 04 mov cl,4 ; number of table entries

0000:0620 loc_nextpe:
0000:0620 38 2C cmp [si],ch ; is boot indicator <= 0(ch=0)?
0000:0622 7C 09 jl short loc_boot ; < 0, that is 80h, bootable entry found
0000:0624 75 15 jnz short loc_bad ; !=0 & !<0, that is invalid (0 & 80h only)
0000:0626 83 C6 10 add si,10h ; = 0, go partition next entry
0000:0629 E2 F5 loop loc_nextpe
; no more entries to lookup
0000:062B CD 18 int 18h ; no bootable entries - go to rom basic

0000:062D loc_boot: ; xref 0622
0000:062D 8B 14 mov dx,[si] ; head and drive to boot from
0000:062F 8B EE mov bp,si ; save table entry address to pass to partition boot record

0000:0631 loc_nextrpe: ; all remaining entries should begin with 0
0000:0631 83 C6 10 add si,10h ; next table entry
0000:0634 49 dec cx ; # entries left
0000:0635 74 16 jz short loc_tabok ; all entries look ok
0000:0637 38 2C cmp [si],ch ; other entries = 0 ?
0000:0639 74 F6 je loc_nextrpe ; yes, this one is ok

0000:063B loc_bad: ; found an invalid entry :
; A). from 0624: boot id !=0 and !=80h
; B). from 0639: multi entries with id=80h
0000:063B .BE 0710 mov si,offset msg1+1 ; 'Invalid partition'

0000:063E loc_halt: ; show msg then halt
0000:063E 4E dec si
0000:063F loc_msg: ; xref 064B, 06BA
0000:063F AC lodsb ; got a message char
0000:0640 3C 00 cmp al,0
0000:0642 74 FA je loc_halt ; no more char, then halt
0000:0644 BB 0007 mov bx,7
0000:0647 B4 0E mov ah,0Eh
0000:0649 CD 10 int 10h ; then display it: ah=functn 0Eh
; write char al, bl=attr, teletype mode
0000:064B loc_msgh: ; xref 06BF
0000:064B EB F2 jmp short loc_msg ; do the entire message

; Temporary variables (scratch space addressed from bp, beyond the 16-byte active entry):
; bp + 24h db ? ; boot record drive
; bp + 25h dw ? ; boot record sector (2nd copy of boot record)
0000:064D loc_tabok: ; xref 0635
0000:064D 89 46 25 mov [bp+25h],ax ; clear sector/cyl of 2nd copy of boot record to 0 (ax=0)
0000:0650 96 xchg si,ax ; si=0
0000:0651 8A 46 04 mov al,[bp+4] ; sys_id
0000:0654 B4 06 mov ah,6 ;
0000:0656 3C 0E cmp al,0Eh ; sys_id = 0Eh?
0000:0658 74 11 je short loc_check13ext ; yes
0000:065A B4 0B mov ah,0Bh
0000:065C 3C 0C cmp al,0Ch ; sys_id = 0Ch?
0000:065E 74 05 je short loc_sysid0B0C ; yes
0000:0660 3A C4 cmp al,ah ; sys_id = 0Bh?
0000:0662 75 2B jne short loc_int13old ; no

0000:0664 40 inc ax ; change ZF to jump over check13ext
0000:0665 loc_sysid0B0C: ; sys_id = 0Bh, 0Ch, got here
0000:0665 C6 46 25 06 mov byte ptr [bp+25h],6 ; set boot record sector = 6
0000:0669 75 24 jnz short loc_int13old

0000:066B loc_check13ext:

; Function 41 (Check Extensions Present)
; In : AH -Int 13 function Number
; BX -55AAh
; DL -Drive
; Out: AL -Internal Use, not preserved
; AH -21h, Major version of these extensions
; BX -AA55h
; CX -Interface support bit map as follows,
; 0 Extended access functions.
; 1 Drive Locking and Ejecting
; 2 EDD Support
0000:066B BB 55AA mov bx,55AAh ; 3-15 Reserved, must be 0
0000:066E 50 push ax ; Carry flag Clear if INT 13h, FN 41h supported
0000:066F B4 41 mov ah,41h ; Check Extensions Present notifies the caller that
0000:0671 CD 13 int 13h ; Extended drive support is present.
0000:0673 58 pop ax ; support int13 ext?
0000:0674 72 16 jc short loc_no13ext ; no
0000:0676 .81 FB AA55 cmp bx,0AA55h
0000:067A 75 10 jne short loc_no13ext
0000:067C F6 C1 01 test cl,1
0000:067F 74 0B jz short loc_no13ext
; yes
0000:0681 8A E0 mov ah,al ; change code to jump over old int 13
0000:0683 88 56 24 mov [bp+24h],dl ; drive
0000:0686 C7 06 06A1 1EEB mov word ptr ds:[6A1h],1EEBh ; "jmp short 06C1", overwrites the add at 06A1

0000:068C loc_no13ext:
0000:068C 88 66 04 mov [bp+4],ah ; return from Function 41 (Check Extensions Present)

0000:068F loc_int13old: ; 0Bh,0Ch,0Eh, got here

0000:068F BF 000A mov di,0Ah ; retry count
0000:0692 loc_readin: ; read in boot record, xref 06B6, 06D8
0000:0692 B8 0201 mov ax,201h ; func ah=2 :read, al=1 :sector
0000:0695 8B DC mov bx,sp ; es:bx=7C00h :buffer
0000:0697 33 C9 xor cx,cx
0000:0699 83 FF 05 cmp di,5 ; retry 5 times still error ?
0000:069C 7F 03 jg short loc_readbackup ; no
; yes, read 2nd copy of boot record
0000:069E 8B 4E 25 mov cx,[bp+25h] ; ch=cyl, cl=sector
; jmp short loc_int13ext
0000:06A1 loc_readbackup: ; xref 069C
0000:06A1 03 4E 02 add cx,[bp+2] ; start_sector (bits 0-5)
0000:06A4 CD 13 int 13h ; Disk dl=drive ? ah=func 02h
; read sectors to memory es:bx
; al=#,ch=cyl,cl=sectr,dh=head
0000:06A6 loc_int13extback: ; go back from int13ext, xref 06CF
0000:06A6 72 29 jc short loc_retry
0000:06A8 BE 0746 mov si,offset msg3 ; 'Missing operating system'
0000:06AB 81 3E 7DFE AA55 cmp word ptr ds:[7DFEh],0AA55h; magic word valid?
0000:06B1 74 5A je short loc_gobootrecok ; yes, finished
; no
0000:06B3 83 EF 05 sub di,5 ; try backup of boot record if possible
0000:06B6 7F DA jg loc_readin

0000:06B8 loc_endofretry: ; end of retry, still error
; show error message, then halt
0000:06B8 85 F6 test si,si ; error msg in si?
0000:06BA 75 83 jnz loc_msg ; yes, go show
0000:06BC BE 0727 mov si,offset msg2 ; no, show 'Error loading operating system'
0000:06BF EB 8A jmp short loc_msgh

0000:06C1 loc_int13ext: ; xref 0686, 06A1
0000:06C1 98 cbw ; al=01 so ax=0001
0000:06C2 91 xchg cx,ax ; cx=0001
0000:06C3 52 push dx
0000:06C4 99 cwd ; dx:ax = start_sector
0000:06C5 03 46 08 add ax,[bp+8] ; rel_sec (lo word)
0000:06C8 13 56 0A adc dx,[bp+0Ah] ; rel_sec (hi word)
; dx:ax = logic sector #, cx=# of sec to read
0000:06CB E8 0012 call int13ext ; call int13ext to read in boot record
0000:06CE 5A pop dx
0000:06CF EB D5 jmp short loc_int13extback
0000:06D1 loc_retry: ; xref 06A6
0000:06D1 4F dec di ; dec retry count
0000:06D2 74 E4 jz loc_endofretry
0000:06D4 33 C0 xor ax,ax
0000:06D6 CD 13 int 13h ; Disk dl=drive ? ah=func 00h
; reset disk, al=return status
0000:06D8 EB B8 jmp short loc_readin
0000:06DA 00 00 00 00 00 00 db 0, 0, 0, 0, 0, 0 ; reserved

mbr endp

; INT 13 extended read --------------------------------------------------------------------------------
; Entry:AH - 42h
; DL - Drive number
; DS:SI - Disk address packet
; Exit: carry clear
; AH - 0
; carry set
; AH - error code
; This function transfers sectors from the device to memory. In the event of an error,
; the block count field of the disk address packet contains the number of good blocks
; read before the error occurred.
;
; DS:SI -> Device address packet
; Offset Type Description
; 0 Byte Packet size in bytes. Shall be 10h.
; 1 Byte Reserved, must be 0
; 2 Byte Number of blocks to transfer. This field has a maximum value of 127 (7Fh).
; 3 Byte Reserved, must be 0
; 4 2Word Address of transfer buffer. This is the buffer which Read/Write operations will use
; to transfer the data. This is a 32-bit address of the form Seg:Offset.
; 8 4word Starting logical block address, on the target device, of the data to be transferred.
; This is a 64 bit unsigned linear address. If the device supports LBA addressing this
; value should be passed unmodified. If the device does not support LBA addressing
; the following formula holds true when the address is converted to a CHS value:
; LBA = (C1 * H0 + H1) * S0 + S1 - 1
; where: C1 = Selected Cylinder Number
; H0 = Number of Heads (Maximum Head Number + 1)
; H1 = Selected Head Number
; S0 = Maximum Sector Number
; S1 = Selected Sector Number
0000:06E0 int13ext proc near
; input dx:ax - 32 bit of logic sector address to read in
; cl - number of sector to read
; es:bx - buffer to hold data
; output carry clear if successful
; es:bx - end of read-in-data + 1
; carry set if error
0000:06E0 56 push si ; 10
0000:06E1 33 F6 xor si,si
0000:06E3 56 push si ; E
0000:06E4 56 push si ; C
0000:06E5 52 push dx ; A
0000:06E6 50 push ax ; 8 - 4W: Starting logical block address (dx:ax)
0000:06E7 06 push es ; 6 - 2W: Address of transfer buffer (es:bx)
0000:06E8 53 push bx ; 4
0000:06E9 51 push cx ; 2 - BY: Number of blocks to transfer
0000:06EA BE 0010 mov si,10h
0000:06ED 56 push si ; 0 - BY: packet size = 10h bytes
0000:06EE 8B F4 mov si,sp
0000:06F0 50 push ax
0000:06F1 52 push dx
0000:06F2 B8 4200 mov ax,4200h
0000:06F5 8A 56 24 mov dl,[bp+24h] ; boot record drive
0000:06F8 CD 13 int 13h
0000:06FA 5A pop dx
0000:06FB 58 pop ax
0000:06FC 8D 64 10 lea sp,[si+10h]
0000:06FF 72 0A jc short loc_ret

0000:0701 locloop_0701: ; move dx:ax to point end of buffer
0000:0701 40 inc ax
0000:0702 75 01 jnz short loc_0705
0000:0704 42 inc dx
0000:0705 loc_0705: ; xref 0702
0000:0705 80 C7 02 add bh,2
0000:0708 E2 F7 loop locloop_0701

0000:070A F8 clc
0000:070B loc_ret: ; xref 06FF
0000:070B 5E pop si
0000:070C C3 retn
int13ext endp

0000:070D loc_gobootrecok: ; xref 06B1
0000:070D EB 74 jmp short loc_bootrecok

0000:070F 49 6E 76 61 6C 69 msg1 db 'Invalid partition table', 0
0000:0715 64 20 70 61 72 74
0000:071B 69 74 69 6F 6E 20
0000:0721 74 61 62 6C 65 00
0000:0727 45 72 72 6F 72 20 msg2 db 'Error loading operating system', 0
0000:072D 6C 6F 61 64 69 6E
0000:0733 67 20 6F 70 65 72
0000:0739 61 74 69 6E 67 20
0000:073F 73 79 73 74 65 6D
0000:0745 00
0000:0746 4D 69 73 73 69 6E msg3 db 'Missing operating system'
0000:074C 67 20 6F 70 65 72
0000:0752 61 74 69 6E 67 20
0000:0758 73 79 73 74 65 6D
0000:075E 0025[00] db 37 dup (0) ; reserved space for message translation

0000:0783 loc_bootrecok: ; boot record ok, xref 070D
0000:0783 8B FC mov di,sp ; sp=7C00
0000:0785 1E push ds
0000:0786 57 push di
0000:0787 8B F5 mov si,bp ; ds:si -> 7C00
0000:0789 CB retf ; jump to 0:7C00 (that is boot record)

org 07BEh

part_table struc ;Offset Size Description
boot_ind db ? ; 00h BYTE boot indicator (80h = active partition) 0 - boot indicator
start_head db ? ; 01h BYTE partition start head
start_sector db ? ; 02h BYTE partition start sector (bits 0-5)
start_cyl db ? ; 03h BYTE partition start track (bits 8,9 in bits 6,7 of sector)
sys_id db ? ; 04h BYTE operating system indicator (see below)
end_head db ? ; 05h BYTE partition end head
end_sector db ? ; 06h BYTE partition end sector (bits 0-5)
end_cyl db ? ; 07h BYTE partition end track (bits 8,9 in bits 6,7 of sector)
rel_sec dd ? ; 08h DWORD sectors preceding partition
num_sec dd ? ; 0Ch DWORD length of partition in sectors
part_table ends ;Values for operating system indicator:
; 00h empty
; 01h DOS 12-bit FAT
; 04h DOS 16-bit FAT
; 05h DOS 3.3+ extended partition
; 06h DOS Large File System
; 0Bh DOS 32-bit FAT
; 0Ch DOS 32-bit FAT
; 0Eh DOS 32-bit FAT
0000:07BE 80 partition_tab label byte ; xref 061B
1boot_ind db 80h ; bootable
0000:07BF 01 01 00 0B 7F 7F 1start_head db 01h
1start_sector db 01h
1start_cyl db 00h
1sys_id db 0Bh ; DOS FAT32
1end_head db 7Fh
1end_sector db 7Fh
0000:07C5 C8 3F 00 00 00 41 1end_cyl db 0C8h
1rel_sec dd 0000003Fh
1num_sec dd 00383B41h
0000:07CB 3B 38 00 00
0000:07CE 00 00 41 2boot_ind db 00h
2start_head db 00h
2start_sector db 41h
0000:07D1 C9 05 7F FF 13 80 2start_cyl db 0C9h
2sys_id db 05h ; DOS extender
2end_head db 7Fh
2end_sector db 0FFh
2end_cyl db 13h
0000:07D5 2rel_sec dd 00383B80h
0000:07D7 3B 38 00 80 BA 28 2num_sec dd 0028BA80h

...
org 07FEh
0000:07FE 55 AA magicword dw 0AA55h

code_end label byte ; use this label to get the length of the code

_data ends ; xref 0615

end start
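The partition-table checks in loc_nextpe/loc_nextrpe, the 0Bh/0Ch/0Eh decision in loc_tabok, the CHS-to-LBA formula quoted before int13ext, and the disk address packet int13ext pushes, replayed in Python over the listing's own two partition entries. This is an added example, not code from the original article; the code area of the 512-byte image is zero-filled (constructed), only the partition entries and magic word are copied from the listing, and the 128-head/63-sector geometry is an assumption read off the end_head/end_sector values.

```python
import struct
ENTRY_FMT = "<BBBBBBBBII"   # part_table struc: 8 CHS/flag bytes, then rel_sec and num_sec

def parse_entry(raw):
    """Decode one 16-byte entry; cylinder bits 8-9 sit in bits 6-7 of the sector byte."""
    b, sh, ss, sc, sid, eh, es, ec, rel, num = struct.unpack(ENTRY_FMT, raw)
    return {"boot_ind": b, "sys_id": sid, "rel_sec": rel, "num_sec": num,
            "start_chs": (sc | ((ss & 0xC0) << 2), sh, ss & 0x3F),
            "end_chs": (ec | ((es & 0xC0) << 2), eh, es & 0x3F)}

def chs_to_lba(c, h, s, heads, spt):
    """LBA = (C1*H0 + H1)*S0 + S1 - 1, the formula quoted in the INT 13h/42h comment block."""
    return (c * heads + h) * spt + s - 1

def entry_consistent(e, heads=128, spt=63):
    """Check that the CHS and LBA fields describe the same extent (geometry is an assumption)."""
    first = chs_to_lba(*e["start_chs"], heads, spt)
    last = chs_to_lba(*e["end_chs"], heads, spt)
    return first == e["rel_sec"] and last == e["rel_sec"] + e["num_sec"] - 1

def select_boot_entry(mbr):
    """Replay loc_nextpe/loc_nextrpe: exactly one entry has boot_ind 80h, all others are 0."""
    active = None
    for i in range(4):
        e = parse_entry(mbr[0x1BE + 16 * i:0x1CE + 16 * i])
        if e["boot_ind"] == 0x80:
            if active is not None:           # a second active entry -> loc_bad (from 0639)
                return "Invalid partition table"
            active = e
        elif e["boot_ind"] != 0:             # neither 0 nor 80h -> loc_bad (from 0624)
            return "Invalid partition table"
    return active if active is not None else "int 18h"   # nothing bootable: ROM BASIC

def boot_plan(entry, int13ext_present):
    """Mirror loc_tabok: 0Eh uses AH=42h if the BIOS has it; 0Bh/0Ch fall back to sector+6."""
    sid = entry["sys_id"]
    return {"use_lba": sid == 0x0E and int13ext_present,
            "backup_sector_offset": 6 if sid in (0x0B, 0x0C) else 0, "retries": 10}

def build_dap(lba, count, seg, off):
    """The 16-byte disk address packet int13ext builds: size, rsvd, count, rsvd, off, seg, LBA."""
    return struct.pack("<BBBBHHQ", 0x10, 0, count, 0, off, seg, lba)

def sample_mbr():
    """Constructed 512-byte image: code area zeroed, entries and magic word from the listing."""
    mbr = bytearray(512)
    mbr[0x1BE:0x1CE] = bytes.fromhex("80 01 01 00 0B 7F 7F C8 3F 00 00 00 41 3B 38 00")
    mbr[0x1CE:0x1DE] = bytes.fromhex("00 00 41 C9 05 7F FF 13 80 3B 38 00 80 BA 28 00")
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)
```

Running entry_consistent over both entries confirms that rel_sec 0000003Fh and 00383B80h are exactly what the quoted formula yields from the CHS bytes, which is the check a forensic analyst wants before trusting a recovered table.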

Time: 2024-09-09 17:37:23
