之所以贴出来,是有些地方不明白,希望能与大家交流分析
我系统2K PRO SP4,C盘采用NTFS,用WinHex提取MBR和DBR,拿IDA分析的.关键在DBR几处不明白.
1.一点预备知识:
主引导扇区代码(MBR)
2.MBR详细分析代码:
;====================================================================================
;
; MBR( Master Boot Record )主引导记录包含两部分的内容,前446字节为启动代码及数据,而
; 从446(0x1BE)开始则是分区表,分区表由四个分区项组成,每个分区项数据为16字节,记录了
; 启动时需要的分区参数。
;
; 在CPU上电之后,若由硬盘启动,则BIOS将硬盘的主引导记录(位于0柱面、0磁头、1扇区)读
; 入0000:7C00处,然后将控制权交给主引导代码。主引导代码的任务包括:
; (1) 扫描分区表,找到一个激活(可引导)分区;
; (2) 找到激活分区的起始扇区;
; (3) 将激活分区的引导扇区装载到内存7C00处;
; (4) 将控制权交给引导扇区代码;
;
; 如果主引导代码无法完成上述任务,标准(微软)主引导代码会显示以下错误信息之一:
; No active partition.
; Invalid partition table.
; Error loading operating system.
; Missing operating system.
; (注意:下面分析的这块由 DiskMan 写入的 MBR 只包含 "Invalid partition table" 和
; "Missing operating system" 两条信息;激活分区数不等于1时统一报 "Invalid partition table",
; 而且 int 13h 读盘后不检查 CF,所以没有 "Error loading operating system" 这一路径。)
;
;====================================================================================
; FAT16分区尺寸与LBA
;====================================================================================
; LBA HeadsPerCylinder SectorsPerTrack Maximum Size for Boot Partition
; Disabled 64 32 1GB
; Enabled 255 63 4GB
;
; 为了适应超过8G的硬盘,Windows2000忽略了Start CHS和End CHS,而使用StartLBA和TotalSector
; 来确定分区在整个磁盘中的位置和大小。
;
;====================================================================================
; 分区表项结构(16字节)
;====================================================================================
;
; typedef struct _PARTITION_ENTRY
; {
; UCHAR BootIndicator; // 能否启动标志
; UCHAR StartHead; // 该分区起始磁头号
; UCHAR StartSector; // 起始柱面号高2位:6位起始扇区号
; UCHAR StartCylinder; // 起始柱面号低8位
; UCHAR PartitionType; // 分区类型
; UCHAR EndHead; // 该分区终止磁头号
; UCHAR EndSector; // 终止柱面号高2位:6位终止扇区号
; UCHAR EndCylinder; // 终止柱面号低8位
; ULONG StartLBA; // 起始扇区号
; ULONG TotalSector; // 分区尺寸(总扇区数)
; }PARTITION_ENTRY,*PPARTITION_ENTRY;
;
;====================================================================================
; 主引导记录(MBR)结构
;====================================================================================
; typedef struct _MASTER_BOOT_RECORD
; {
; UCHAR BootCode[446];
; PARTITION_ENTRY Partition[4];
; USHORT Signature;
; }MASTER_BOOT_RECORD,*PMASTER_BOOT_RECORD;
;
;====================================================================================
代码:code:7C00 code segment byte public 'CODE' use16
code:7C00 assume cs:code
code:7C00 org 7C00h
code:7C00 assume es:nothing, ss:nothing, ds:code, fs:nothing, gs:nothing
code:7C00 ; --------------------------------------------------------------------------
code:7C00 ; MBR boot code (IDA listing of the 512-byte sector the post extracted with
code:7C00 ; WinHex; the banner string at 7CF4h says it was written by DiskMan 1.30).
code:7C00 ; Entry:  BIOS jumps to 0000:7C00 with this sector loaded there.  The code sets
code:7C00 ;         ss=ds=es=0, sp=7C00h, copies itself to 0000:0600 and continues at
code:7C00 ;         0000:061E.  IDA shows the load addresses (7Cxxh); after the relocation
code:7C00 ;         the real IP is (listing address - 7600h), which is why every absolute
code:7C00 ;         offset used below (7ADh, 7BEh, 0C4h+600h, 0DBh+600h) refers to the
code:7C00 ;         copy at 600h, while 7DFEh refers to the freshly loaded sector at 7C00h.
code:7C00 ; Exit:   far jump to 0000:7C00 with the active partition's boot sector loaded
code:7C00 ;         there, or prints "Invalid partition table" / "Missing operating
code:7C00 ;         system" and halts in the two-instruction loop at 7CC0h.  There is no
code:7C00 ;         "Error loading operating system" path: CF is never checked after
code:7C00 ;         int 13h (neither after AH=41h nor after the read).
code:7C00 ; Security note: the partition table at 7BEh is untrusted on-disk data.  Only
code:7C00 ;         bit 7 of the status byte and the start CHS/LBA fields are consumed,
code:7C00 ;         and they are handed to int 13h without any range check; the loaded
code:7C00 ;         sector is validated by its 0AA55h signature only.
code:7C00 ; --------------------------------------------------------------------------
code:7C00 start proc far
code:7C00 xor ax, ax
code:7C02 mov ss, ax
code:7C04 mov sp, 7C00h ; stack grows down from 0000:7C00 (just below this image)
code:7C07 sti
code:7C08 push ax
code:7C09 pop es
code:7C0A push ax ; es = ds = ss = 0000h
code:7C0B pop ds
code:7C0C cld
code:7C0D push ax ; cs for the retf below (0000h)
code:7C0E mov si, 7C00h
code:7C11 mov di, 600h
code:7C14 mov cx, 200h
code:7C17 rep movsb ; copy the whole 512-byte MBR to 0000:0600 (leaves cx = 0)
code:7C19 mov di, 61Eh
code:7C1C push di ; ip for the retf: 7C1Eh - 7600h
code:7C1D retf ; far jump to 0000:061E, i.e. the next instruction inside the copy
code:7C1E xor bx, bx ; bx = number of active entries found
code:7C20 xor dx, dx ; dx = offset of the last active entry seen (0 if none)
code:7C22 mov si, 7BEh ; partition table of the relocated copy (600h + 1BEh)
code:7C25 mov cl, 4 ; four 16-byte entries (ch is already 0 after rep movsb)
code:7C27 check_next_partition:
code:7C27 test byte ptr [si], 80h ; status byte, bit 7 set -> active (any value with bit 7 set counts, not only 80h)
code:7C2A jz short search_active_partition ; not active -> skip to the next entry
code:7C2A
code:7C2C mov dx, si ; remember this entry's offset
code:7C2E inc bx ; count active entries
code:7C2F search_active_partition:
code:7C2F add si, 10h ; advance to the next 16-byte entry
code:7C32 loop check_next_partition
code:7C34 cmp bx, 1 ; exactly one active entry is required
code:7C37 jz short found_partition_active
code:7C39 mov si, 0C4h ; "Invalid partition table": offset of sz_Invalid_DPT relative to the 600h base
code:7C3C mov cx, 17h ; length = 23 characters
code:7C3F jmp short Display_Error_Informatin
code:7C41 nop ; padding
code:7C42 found_partition_active:
code:7C42 push dx ; dx is clobbered by the int 13h call below
code:7C43 mov ah, 41h ; INT 13h AH=41h: check for int 13h extensions (EDD)
code:7C45 mov dl, 80h ; first hard disk
code:7C47 mov bx, 55AAh
code:7C4A int 13h ; if supported: bx = 0AA55h, cx = API subset bitmap (CF is not checked)
code:7C4C pop dx
code:7C4D cmp bx, 0AA55h
code:7C51 jnz short CHSReadMBRFormDisk ; no extensions -> legacy CHS read
code:7C53 test cl, 1 ; cl is now the bitmap returned by int 13h, not the loop counter: bit 0 = extended disk access (AH=42h-44h) available
code:7C56 jz short CHSReadMBRFormDisk
code:7C58 LBAReadMBRFormDisk:
code:7C58 mov ax, 4200h ; INT 13h AH=42h: extended read, DS:SI -> disk address packet (DAP)
code:7C5B mov si, 7ADh ; DAP at 0000:07AD-07BC: inside the unused area of the copy, just below the partition table at 7BEh
code:7C5E mov cl, 10h ; zero all 16 bytes of the packet first
code:7C60 init_disk_addr_pkt:
code:7C60 mov byte ptr [si], 0
code:7C63 inc si
code:7C64 loop init_disk_addr_pkt
code:7C66 mov si, 7ADh
code:7C69 mov di, dx ; di -> the active partition entry
code:7C6B mov byte ptr [si], 10h ; DAP+0: packet size = 16
code:7C6E mov byte ptr [si+2], 1 ; DAP+2: sector count = 1
code:7C72 mov word ptr [si+4], 7C00h ; DAP+4: buffer offset 7C00h; DAP+6 (segment) stays 0 from the clear loop
code:7C77 mov bx, [di+8] ; entry+8: StartLBA, low word
code:7C7A mov [si+8], bx ; DAP+8: 64-bit starting LBA, low word
code:7C7D mov bx, [di+0Ah] ; entry+0Ah: StartLBA, high word
code:7C80 mov [si+0Ah], bx ; DAP+0Ah: starting LBA, high word (DAP+0Ch..0Fh stay 0)
code:7C83 jmp short ReadDisk
code:7C85 nop ; padding
code:7C86 CHSReadMBRFormDisk:
code:7C86 mov ax, 201h ; INT 13h AH=02h: read sectors, AL = 1 sector
code:7C89 mov bx, 7C00h ; ES:BX = 0000:7C00 (es = 0 from above)
code:7C8C mov si, dx ; si -> the active partition entry
code:7C8E mov cx, [si+2] ; cl = entry+2 (sector + cylinder bits 8-9), ch = entry+3 (cylinder bits 0-7): already in int 13h CX layout
code:7C91 mov dh, [si+1] ; dh = StartHead
code:7C94 ReadDisk:
code:7C94 mov dl, 80h ; first hard disk
code:7C96 int 13h ; read the partition's boot sector to 0000:7C00; CF/AH are never checked
code:7C98 mov si, 7DFEh ; last word of the freshly loaded sector
code:7C9B cmp word ptr [si], 0AA55h ; boot signature present?  NOTE(review): if the read failed and the BIOS left the buffer untouched, this word is still this MBR's own 55AAh, so the retf below would re-enter this MBR at 7C00h instead of reporting an error
code:7C9F jz short Load_OS_MBR
code:7CA1 mov si, 0DBh ; "Missing operating system": 0C4h + 17h, stored right after the first message
code:7CA4 mov cx, 18h ; length = 24 characters
code:7CA7 jmp short Display_Error_Informatin
code:7CA9 nop ; padding
code:7CAA Load_OS_MBR:
code:7CAA xor ax, ax
code:7CAC push ax ; cs = 0000h
code:7CAD mov ax, 7C00h
code:7CB0 push ax ; ip = 7C00h
code:7CB1 retf ; far jump to the loaded volume boot sector (a VBR, not an "OS MBR"); dl was set to 80h before the read
code:7CB2 Display_Error_Informatin:
code:7CB2 add si, 600h ; si = address of the message inside the relocated copy (ds = 0)
code:7CB6 Display:
code:7CB6 lodsb ; al = next character
code:7CB7 mov bx, 7 ; bh = display page 0, bl = foreground colour (graphics modes)
code:7CBA mov ah, 0Eh
code:7CBC int 10h ; INT 10h AH=0Eh: teletype output, advance cursor
code:7CBE loop Display ; cx = remaining length; falls through into the bytes below when done
code:7CC0 db 0B1h ; B1 0F = mov cl, 0Fh
code:7CC1 db 0Fh
code:7CC2 db 0E2h ; E2 FC = loop rel8 -4, i.e. back to 7CC0h
code:7CC3 db 0FCh ; cl is reloaded on every pass, so the loop never ends: this is the halt after an error message
code:7CC4 sz_Invalid_DPT db 'Invalid partition tableMissing operating system',0 ; two messages back to back: 23 chars at offset 0C4h, 24 chars at 0DBh; no "Error loading operating system" text exists in this MBR
code:7CF4 sz_MBR_Information db 'Master Boot Record Wrote by DiskMan Ver1.30',0 ; banner; not referenced by the code above
code:7D20 db 98h dup(0) ; unused; the DAP (7ADh-7BCh) is built inside this region of the 600h copy
code:7DB8 s_Zmzm db 'ZmZm',0 ; unused data, not referenced
code:7DBD db 0
code:7DBE First_Item_DPT db 80h ; status: active
code:7DBF db 1 ; start head
code:7DC0 dw 1 ; bytes 01h 00h: start sector 1, start cylinder 0
code:7DC2 db 7 ; partition type 07h (the post says this C: volume is NTFS)
code:7DC3 db 0FEh ; end head 254
code:7DC4 dw 0CCFFh ; bytes FFh CCh: end sector 63, end cylinder 3CCh = 972
code:7DC6 dd 3Fh ; StartLBA = 63 (sectors preceding the partition)
code:7DCA dd 0EE834Eh ; TotalSector = 15631182 (~7.45 GiB); 63 + 15631182 = 973 * 16065 (255 heads * 63 sectors), consistent with the end CHS
code:7DCE Second_Item_DPT db 0 ; status: not active
code:7DCF db 0 ; start head
code:7DD0 dw 0CDC1h ; bytes C1h CDh: start sector 1, start cylinder 3CDh = 973
code:7DD2 db 0Fh ; partition type 0Fh: extended partition (LBA)
code:7DD3 db 0FEh ; end head 254
code:7DD4 dw 0FFFFh ; end sector 63, end cylinder 3FFh = 1023 (saturated: past the CHS limit, hence the LBA fields below are the ones that matter)
code:7DD6 dd 0EE838Dh ; StartLBA = 15631245 = 973 * 16065, directly after partition 1
code:7DDA dd 3BB47F9h ; TotalSector = 62605305 (~29.9 GiB)
code:7DDE T_Item_DPT db 10h dup(0) ; entry 3: empty
code:7DEE F_Item_DPT db 10h dup(0) ; entry 4: empty
code:7DFE MBR_Flag db 55h ; boot signature 0AA55h stored little-endian: 55h ('U') ...
code:7DFF db 0AAh ; ... then 0AAh
code:7DFF code ends
code:7DFF end start
- 标 题: MBR和DBR详细分析
- 作 者:HSQ
- 时 间:2007-08-30 11:14
- 链 接:http://bbs.pediy.com/showthread.php?t=50714