MBR Code Analysis
After the machine is powered on or the reset button is pressed, the CPU is reset. After reset, CS = FFFFh and IP = 0000h, so execution naturally starts at FFFF:0000h, where there is just one JMP instruction leading to the system self-test program. When the self-test has finished, the BIOS reads the first sector of the floppy disk (if booting from floppy) or the first sector of the hard disk, the MBR sector (if booting from hard disk), to 0:7c00h and hands control to 0:7c00h. The MBR code of the hard disk is analysed below. Note the difference from the Boot Sector: the Boot Sector is the first sector of a partition on the hard disk, it is specific to the operating system and it loads that operating system, whereas the MBR is independent of the operating system; its only task is to pass control to the operating system's boot program.
Procedure:
1. Move the program code from 0:7c00h to 0:0600h (note: the BIOS loads the MBR at 0:7c00h)
2. Search the partition table for a bootable partition, i.e. an entry whose first byte is 80h
   Success: go to 3
   None found: jump to ROM BASIC (int 18h)
   Invalid partition table: go to 5
3. Read the Boot Sector of that partition
   Failed: go to 5
   Success: go to 4
4. Verify that the Boot Sector ends with the 55aah signature
   Failed: go to 5
   Success: go to 6
5. Print an error message and enter an endless loop
6. Jump to 0:7c00h and let the Boot Sector take over
The code below is written in assembly language, with comments.
; MBR.ASM
; masm mbr
; link mbr
; exe2bin mbr
.model tiny
.code
org 0
; set up the segment registers and the stack
head:
start:
    cli
    xor ax, ax
    mov ss, ax
    mov sp, 7c00h            ; ss:sp = 0:7c00h
    mov si, sp               ; source for the copy: the sector BIOS loaded at 0:7c00h
    push ax
    pop es
    push ax
    pop ds                   ; es = ds = 0
    sti
; move the program code from 0:7c00h to 0:0600h
    cld
    mov di, 600h
    mov cx, 100h             ; 100h words = 512 bytes, the size of one sector
    rep movsw
    db 0eah                  ; machine code of a far jump
    dw offset continue + 600h, 0000h ; jump target 0:061dh, i.e. continue inside the relocated copy
; search for a bootable partition
continue:
    mov si, 600h + 1beh      ; si points to the partition table
    mov bl, 4                ; four entries
findboot:
    cmp byte ptr [si], 80h
    je saverec               ; found it: record where its boot sector is
    cmp byte ptr [si], 0
    jne invalid              ; any flag other than 00h or 80h means an invalid table
    add si, 10h
    dec bl
    jnz findboot
    int 18h                  ; no bootable partition: enter ROM BASIC
; save the head, sector and cylinder number of the boot partition
saverec:
    mov dx, [si]             ; dl = 80h (doubles as the drive number), dh = start head
    mov cx, [si + 2]         ; cl = sector plus cylinder high bits, ch = cylinder low byte
    mov bp, si
; check the remaining entries
findnext:
    add si, 10h
    dec bl
    jz setread
    cmp byte ptr [si], 0     ; a further non-empty flag makes the table invalid
    je findnext
invalid:
    mov si, offset errmsg1 + 600h
; string output routine (ends in the endless loop below)
printstr:
    lodsb
    cmp al, 0
    je deadlock
    push si
    mov bx, 7
    mov ah, 0eh              ; teletype output of one character
    int 10h
    pop si
    jmp short printstr       ; next character
deadlock:
    jmp short deadlock       ; endless loop, can also be written as jmp $
; read the boot sector
setread:
    mov di, 5                ; retry count
readboot:
    mov bx, 7c00h            ; es:bx = 0:7c00h
    mov ax, 201h             ; ah = 2 (read sectors), al = 1 sector
    push di
    int 13h                  ; cx and dx were loaded at saverec
    pop di
    jnc goboot               ; read succeeded: check the sector
    xor ax, ax
    int 13h                  ; reset the drive, then read again
    dec di
    jnz readboot
    mov si, offset errmsg2 + 600h
    jmp short printstr       ; read failed: print the message and hang
; check the boot sector that was read
goboot:
    mov si, offset errmsg3 + 600h
    mov di, 7c00h + 1feh
    cmp word ptr [di], 0aa55h
    jne printstr             ; no aa55 signature: print the message and hang
    mov si, bp               ; si points to the bootable partition entry
    db 0eah, 0, 7ch, 0, 0    ; jmp far 0:7c00h
errmsg1 db 'Invalid partition table', 0
errmsg2 db 'Error loading operating system', 0
errmsg3 db 'Missing operating system', 0
tail:
fillnum equ 1beh - (tail - head) ; number of zero bytes needed to pad up to the partition table at 1beh
    db fillnum dup (0)
; the four partition table entries hold the data of the real disk; the sample entry
; below is the one from the original text, with its fourth byte (unreadable there)
; replaced by a 0 placeholder. Replace the entry with your own disk's table.
parttable db 80h, 4, 0d1h, 0, 0, 0, 0feh, 0ffh
          db 0c1h, 4, 0d1h, 0feh, 0ffh, 0ffh, 0ach, 53h
          db 30h dup (0)     ; three empty entries; the table must be 64 bytes so that id lands at 1feh
id dw 0aa55h
end start
If org 600h is used instead of org 0, data references no longer need the + 600h: mov si, offset errmsg2 + 600h can then be written as mov si, offset errmsg2. But in that case exe2bin cannot produce the binary, and DEBUG has to be used to write it out:
; debug mbr.exe
; -n mbr.bin
; -rcx        (enter 200 at the prompt: 200h bytes)
; -w 600      (write, starting at offset 600h)
; -q
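The decision logic of the MBR above (steps 2 to 6 of the procedure) as a Python model, added here as an example; it is not code from the original article. The function names, the outcome strings and the constructed 512-byte sectors are this example's own, and a small callable stands in for the INT 13h read so that the retry and signature paths can be exercised offline.

```python
# Added example, not from the original article: a model of the MBR's control flow
# (findboot / findnext / readboot / goboot) run against constructed sectors.
import struct

PART_TABLE_OFF = 0x1BE   # partition table offset, the "600h + 1beh" of the MBR code
SIG_OFF = 0x1FE          # offset of the 55 AA signature


def mbr_boot_decision(mbr, read_sector, max_tries=5):
    """Mirror the MBR's decisions on one 512-byte sector.

    read_sector(drive, head, cyl_sec) stands in for INT 13h AH=2 and returns
    512 bytes, or None when the read fails (carry set).
    Result is one of: 'boot', 'rom_basic', 'invalid_partition_table',
    'error_loading_os', 'missing_os'.
    """
    if len(mbr) != 512:
        raise ValueError('an MBR is exactly one 512-byte sector')
    boot_entry = None
    for i in range(4):                       # findboot: scan the four entries
        off = PART_TABLE_OFF + 16 * i
        flag = mbr[off]
        if boot_entry is None:
            if flag == 0x80:
                boot_entry = mbr[off:off + 16]
            elif flag != 0:
                return 'invalid_partition_table'   # jne invalid
        elif flag != 0:                            # findnext: the rest must be empty
            return 'invalid_partition_table'
    if boot_entry is None:
        return 'rom_basic'                         # int 18h
    # saverec: dx = [si] (dl = 80h = drive, dh = head), cx = [si+2]
    drive, head = boot_entry[0], boot_entry[1]
    cyl_sec = struct.unpack_from('<H', boot_entry, 2)[0]
    sector = None
    for _ in range(max_tries):                     # readboot: five attempts
        sector = read_sector(drive, head, cyl_sec)
        if sector is not None:
            break
    if sector is None:
        return 'error_loading_os'
    if struct.unpack_from('<H', sector, SIG_OFF)[0] != 0xAA55:
        return 'missing_os'                        # goboot: signature check
    return 'boot'                                  # jmp far 0:7c00h


def make_mbr(flags):
    """Constructed MBR whose four entries carry the given boot flags."""
    sec = bytearray(512)
    for i, f in enumerate(flags):
        off = PART_TABLE_OFF + 16 * i
        sec[off] = f
        sec[off + 1] = 1                              # start head 1
        struct.pack_into('<H', sec, off + 2, 0x0001)  # sector 1, cylinder 0
        sec[off + 4] = 0x0B                           # type FAT32
    struct.pack_into('<H', sec, SIG_OFF, 0xAA55)
    return bytes(sec)


def good_disk(drive, head, cyl_sec):
    """INT 13h stand-in: returns a boot sector with a valid signature."""
    vbr = bytearray(512)
    struct.pack_into('<H', vbr, SIG_OFF, 0xAA55)
    return bytes(vbr)


def no_signature_disk(drive, head, cyl_sec):
    return bytes(512)        # the read works, but the sector has no 55 AA


def failing_disk(drive, head, cyl_sec):
    return None              # every read reports an error


if __name__ == '__main__':
    cases = [((0x80, 0, 0, 0), good_disk), ((0, 0, 0, 0), good_disk),
             ((0x80, 0x80, 0, 0), good_disk), ((0, 0x42, 0, 0), good_disk),
             ((0x80, 0, 0, 0), no_signature_disk), ((0x80, 0, 0, 0), failing_disk)]
    for flags, disk in cases:
        print([hex(f) for f in flags], disk.__name__, '->',
              mbr_boot_decision(make_mbr(flags), disk))
```

The model makes the one subtle rule of the code visible: once an 80h entry has been found, the loop at findnext still walks the remaining entries and rejects the whole table if any of them has a non-zero flag, so a second 80h entry produces "Invalid partition table" rather than booting the first one.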
The partition information is stored in the first sector of the hard disk, the primary partition table, which holds four entries. Reading it goes through BIOS INT 13h; normally DEBUG is enough:
debug
-a 100
xxxx:0100 mov ax, 201
mov bx, 200
mov cx, 1
mov dx, 80          ; 81 for the second hard disk, and so on
int 13
int 20
xxxx:????           ; press Enter on the empty line to finish entering instructions
-g
Now the 200h bytes starting at xxxx:0200 are the sector holding the partition table, i.e. the MBR. In DEBUG, -d 3be L40 shows the 64-byte partition table, and the -e command can modify bytes. After modifying, the sector can be written back: change mov ax, 201 in the code above to mov ax, 301 (INT 13h function 3 writes instead of reads), or simply change the 02 at offset 102 to 03, for example:
-e 102
xxxx:0102 02.3
-g =100
That writes it back, but be careful: a mistake here leaves the disk unbootable. Copy the partition table and keep the copy; it saves a lot of trouble. Now the meaning of a partition table entry, using one entry as an example:
80 01 01 00 0b 3f ff 00 3f 00-00 00 81 4f 2f 00
byte 1 (80): boot flag; 80 means bootable, 00 means not bootable. Normally only one entry carries 80, unless you modify the MBR yourself
byte 2 (01): start head
bytes 3-4 (01 00) = (sector 1, cylinder 0): start sector and cylinder (packing explained below)
byte 5 (0b): partition type (list below)
byte 6 (3f) = 63: end head
bytes 7-8 (ff 00) = (cylinder 768, sector 63): end cylinder and sector (same packing)
bytes 9-12 (3f 00 00 00) = 63: number of sectors before the partition, i.e. the relative sector count
bytes 13-16 (81 4f 2f 00) = 002f4f81h = 3100545: total number of sectors in the partition
Because the cylinder and sector share two bytes, the cylinder number has 10 bits (maximum 1023) and the sector number has 6 bits (maximum 63):

            byte 3                        byte 4
   7 6 | 5 4 3 2 1 0            7 6 5 4 3 2 1 0
   ^^^   ^^^^^^^^^^^            ^^^^^^^^^^^^^^^
    |    sector number (6 bits)        |
    +--- cylinder bits 9-8             +--- cylinder bits 7-0

So cylinder = ((byte 3 and 0c0h) shifted left by 2) + byte 4, and sector = byte 3 and 3fh.
Common partition types:
00 unused
01 DOS-12 (FAT12)
02 XENIX
04 DOS-16 (FAT16, for partitions under 32 MB)
05 EXTEND (DOS extended partition)
06 BIGDOS (over 32 MB; this is what is usually meant by FAT16)
07 HPFS (OS/2) (NTFS uses the same type id)
0b FAT32
0f extended partition using LBA addressing (Windows 95; the original text was unsure about this one)
50 DM (OnTrack Disk Manager)
63 386/IX (UNIX)
64 NET286 (Novell)
65 NET386 (Novell)
ff BBT (UNIX bad block table)
Some consistency formulas for checking partition parameters:
1. First partition
   total sectors = (end cylinder + 1) * heads * sectors per track - relative sectors
   Example: 3100545 = (768 + 1) * 64 * 63 - 63
2. Any other partition
   total sectors = (end cylinder - start cylinder + 1) * heads * sectors per track
   00 00 c1 01 05 3f ff fd c0 4f-2f 00 c0 90 0f 00
   000f90c0h = 1020096, (ff fd) = (cylinder 1021, sector 63), (c1 01) = (cylinder 769, sector 1)
   Example: 1020096 = (1021 - 769 + 1) * 64 * 63
3. Relative sectors of the first partition = sectors per track (63 here)
   Relative sectors of any other partition = relative sectors of the previous partition + total sectors of the previous partition
   (in the example: 63 + 3100545 = 3100608 = 002f4fc0h, the relative sector field of the second entry)
The extended partition information forms a chain. Many people do not realise that deleting one partition in the chain makes every partition after it unreachable. Let us follow the chain, starting from the extended partition entry in the primary partition table:
00 00 01 c0 05 fe bf 6e c0 10-2f 00 ef a6 69 00
From it we get:
Start head: 00
Start cylinder and sector: 01 c0 = (cylinder 192, sector 1)
Read that sector with DEBUG:
debug
-a 100
xxxx:0100 mov ax, 201
mov bx, 200
mov cx, c001        ; start cylinder/sector taken from the bytes 01 c0 (cl = 01, ch = c0)
mov dx, 80          ; dh = start head, 0 here
int 13
int 20
xxxx:????
-g =100
-d 3be L10
The sector just read contains two 16-byte partition table entries and the 55aa mark at the end. The two entries are:
00 01 01 c0 06 fe 7f 97 3f 00-00 00 99 f2 34 00
00 00 41 98 05 fe bf 6e d8 f2-34 00 17 b4 34 00
The first entry is of type 6: this is the first logical partition, and its fields mean the same as in the primary partition table. The second entry is of type 5: it points to the next extended partition table. From it we get:
Start head: 0
Start cylinder and sector: 41 98 = (cylinder 408, sector 1)
Reading on with DEBUG (mov cx, 9841) gives:
00 01 41 98 06 fe bf 6e 3f 00-00 00 d8 b3 34 00
There is only one entry here: the second logical drive, the last link in the chain. This shows how important the primary partition table is. Besides working carefully, the safest backup is to write the table down on paper and keep it somewhere safe, updating it every time you repartition.
It also follows that the cylinder numbers are the most important information in the partition table: the head number is 0, 1 or the maximum, the sector number is 1 or 63 (the maximum), and the total sector counts can be recomputed with the formulas above. So write down the start and end cylinder of each partition when partitioning; then the table can be restored if the partition information is ever destroyed.
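The entry layout and cylinder/sector packing, the consistency formulas and the walk along the extended partition chain, all applied in one place, as an added example that is not part of the original article. The entry bytes are the ones quoted above; the "disk" they are read from is constructed in memory and keyed by (cylinder, head, sector), standing in for INT 13h. The 64 heads x 63 sectors geometry comes from the article's examples; the logical partitions use 255 heads, which is inferred here from their end head of feh (an assumption of this example). All function names are this example's own.

```python
# Added example, not from the original article: decode partition entries,
# check them with the article's formulas and walk the extended chain offline.
import struct

HEADS = 64                 # geometry of the primary-table examples
SECTORS_PER_TRACK = 63
EXT_HEADS = 255            # assumed for the logical partitions (end head feh = 254)


def decode_chs(byte3, byte4):
    """Unpack the two packed bytes: 10-bit cylinder, 6-bit sector."""
    return ((byte3 & 0xC0) << 2) | byte4, byte3 & 0x3F


def parse_entry(raw):
    """Parse one 16-byte partition table entry into a dict."""
    if len(raw) != 16:
        raise ValueError('entry must be 16 bytes')
    start_cyl, start_sec = decode_chs(raw[2], raw[3])
    end_cyl, end_sec = decode_chs(raw[6], raw[7])
    return {'boot': raw[0], 'type': raw[4],
            'start_head': raw[1], 'start_cyl': start_cyl, 'start_sec': start_sec,
            'end_head': raw[5], 'end_cyl': end_cyl, 'end_sec': end_sec,
            'relative': struct.unpack_from('<I', raw, 8)[0],
            'total': struct.unpack_from('<I', raw, 12)[0]}


def expected_total(entry, heads, spt, first=False):
    """Sector count the entry should carry, per formulas 1 and 2 above."""
    if first:
        return (entry['end_cyl'] + 1) * heads * spt - entry['relative']
    return (entry['end_cyl'] - entry['start_cyl'] + 1) * heads * spt


def hexbytes(s):
    return bytes.fromhex(s.replace('-', ' '))


# entries quoted in the article: primary table, then the extended chain
PRIMARY_1 = hexbytes('80 01 01 00 0b 3f ff 00 3f 00-00 00 81 4f 2f 00')
PRIMARY_2 = hexbytes('00 00 c1 01 05 3f ff fd c0 4f-2f 00 c0 90 0f 00')
EXT_LINK = hexbytes('00 00 01 c0 05 fe bf 6e c0 10-2f 00 ef a6 69 00')
EBR1 = (hexbytes('00 01 01 c0 06 fe 7f 97 3f 00-00 00 99 f2 34 00'),
        hexbytes('00 00 41 98 05 fe bf 6e d8 f2-34 00 17 b4 34 00'))
EBR2 = (hexbytes('00 01 41 98 06 fe bf 6e 3f 00-00 00 d8 b3 34 00'),)


def make_sector(entries):
    """Constructed 512-byte sector: entries at 1beh, 55 aa at 1feh."""
    sec = bytearray(512)
    for i, e in enumerate(entries):
        sec[0x1BE + 16 * i:0x1BE + 16 * (i + 1)] = e
    struct.pack_into('<H', sec, 0x1FE, 0xAA55)
    return bytes(sec)


# constructed disk keyed by (cylinder, head, sector), the CHS an INT 13h read would use
DISK = {(192, 0, 1): make_sector(EBR1),    # where EXT_LINK points
        (408, 0, 1): make_sector(EBR2)}    # where EBR1's type-05 entry points


def walk_extended(link, disk, limit=16):
    """Follow type-05 links as the DEBUG session does; return the logical partitions."""
    logical, seen = [], set()
    while link['type'] == 0x05 and len(logical) < limit:
        key = (link['start_cyl'], link['start_head'], link['start_sec'])
        if key in seen:
            raise ValueError('partition chain loops back to %r' % (key,))
        seen.add(key)
        sec = disk.get(key)
        if sec is None or struct.unpack_from('<H', sec, 0x1FE)[0] != 0xAA55:
            raise ValueError('no valid EBR at %r: the chain is broken here' % (key,))
        entries = [parse_entry(sec[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]) for i in range(2)]
        logical.append(entries[0])
        link = entries[1]          # type 05 = next EBR, type 00 = end of the chain
    return logical


if __name__ == '__main__':
    p1, p2 = parse_entry(PRIMARY_1), parse_entry(PRIMARY_2)
    print('entry 1 ok:', expected_total(p1, HEADS, SECTORS_PER_TRACK, first=True) == p1['total'])
    print('entry 2 ok:', expected_total(p2, HEADS, SECTORS_PER_TRACK) == p2['total'])
    for n, lp in enumerate(walk_extended(parse_entry(EXT_LINK), DISK), 1):
        print('logical %d: type %02x, cylinders %d-%d, %d sectors'
              % (n, lp['type'], lp['start_cyl'], lp['end_cyl'], lp['total']))
```

Two details worth noticing when the chain is walked this way: the relative sector field of each logical partition (63) counts from its own EBR, not from the start of the disk, and removing one EBR from the constructed disk makes walk_extended stop with an error at exactly that link, which is the failure the text warns about.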