This time I'll analyze the MBR myself: first extract the MBR with WinHex and save it as mbr.bin, then analyze it in IDA.
What it looks like in WinHex:
The code involves several BIOS interrupt calls:
INT 13,8 - Get Current Drive Parameters (XT & newer)
AH = 08
DL = drive number (0=A:, 1=2nd floppy, 80h=drive 0, 81h=drive 1)
on return:
AH = status (see INT 13,STATUS)
BL = CMOS drive type
01 - 5¼ 360K 03 - 3½ 720K
02 - 5¼ 1.2Mb 04 - 3½ 1.44Mb
CH = cylinders (0-1023 dec. see below)
CL = sectors per track (see below)
DH = number of sides (0 based)
DL = number of drives attached
ES:DI = pointer to 11 byte Disk Base Table (DBT)
CF = 0 if successful
= 1 if error
Cylinder and Sectors Per Track Format
│F│E│D│C│B│A│9│8│7│6│5│4│3│2│1│0│ CX
│ │ │ │ │ │ │ │ │ │ └─┴─┴─┴─┴─┴── sectors per track
│ │ │ │ │ │ │ │ └─┴────────── high order 2 bits of cylinder count
└─┴─┴─┴─┴─┴─┴─┴────────── low order 8 bits of cylinder count
- the track/cylinder number is a 10 bit value taken from the 2 high
order bits of CL and the 8 bits in CH (low order 8 bits of track)
- many good programming references indicate this function is only
available on the AT, PS/2 and later systems, but all hard disk
systems since the XT have this function available
- only the disk number is checked for validity
INT 13h extension function 41h
1) Check whether the extensions are present
Entry:
AH = 41h
BX = 55AAh
DL = drive number
Return:
CF = 0
AH = major version of the extensions
AL = internal use
BX = AA55h
CX = API subset support bitmap
CF = 1
AH = error code 01h, invalid command
This call checks whether the extensions are present for a particular drive. If the carry flag is set, the drive does not support the extensions. If the carry flag is clear and BX = AA55h, the extensions are present; bit 0 of CX then indicates whether the first subset is supported (the extended disk access functions 42h-44h, 47h and 48h, which is the one MBR code cares about) and bit 1 whether the second subset (drive locking and ejecting) is.
For version 1.x of the INT 13h extensions the major version is AH = 1. AL is the minor version, but it is reserved for BIOS-internal use; software must not check the value of AL.
INT 13h extension function 42h
2) Extended read
Entry:
AH = 42h
DL = drive number
DS:SI = pointer to the Disk Address Packet (DAP); note that it is SI, not DI
Return:
CF = 0, AH = 0 on success
CF = 1, AH = error code
Disk Address Packet --- DAP
name offset size description
size 00h 1 byte size of DAP = 16 = 10h
reserved1 01h 1 byte unused, should be zero
count 02h 1 byte number of sectors to be read, 0..127 (= 7Fh); on return, number of sectors actually transferred
reserved2 03h 1 byte unused, should be zero
buffer 04h..07h 4 bytes segment:offset pointer to the memory buffer to which sectors will be
transferred (note that x86 is little-endian: if declaring the segment
and offset separately, the offset must be declared before the segment)
lba 08h..0Fh 8 bytes absolute number of the first sector to be read (the 1st sector of the
drive has number 0)
This call reads data from the disk into memory. If an error occurs, the count field at offset 02h of the DAP is updated with the number of sectors actually read before the error (the 8-byte field at offset 08h is the starting LBA and is not a count).
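To make the two structures above concrete, here is a small Python helper set that is an added example, not code from the original post: it splits the CX value returned by INT 13h AH=08h into the 10-bit cylinder value and sectors-per-track, packs and parses a DAP with the little-endian offset-before-segment layout INT 13h AH=42h expects, and builds the DAP an MBR would use to read the active partition's first sector to 0000:7C00. The 512-byte MBR it parses is constructed inline (zeroed boot code, one active type-07h entry at LBA 2048); the 16-byte partition entry layout is the standard one from the previous post and is assumed here rather than taken from this page.

```python
"""Helpers for the INT 13h structures an MBR deals with (added example).

The MBR bytes below are constructed for this example; they are not the
author's mbr.bin dump.  The partition entry layout is the standard 16-byte one.
"""
import struct

SECTOR = 512
PTABLE_OFF = 0x1BE                      # partition table starts here in the MBR
PART_FMT = "<B3sB3sII"                  # status, CHS start, type, CHS end, LBA, size
DAP_FMT = "<BBBBHHQ"                    # size, rsvd, count, rsvd, buf_off, buf_seg, LBA
DAP_SIZE = struct.calcsize(DAP_FMT)     # 16 == 10h


def decode_int13_08_cx(cx: int) -> tuple[int, int]:
    """Split CX from INT 13h AH=08h into (cylinder value, sectors per track).

    CL bits 0-5 hold sectors per track; CL bits 6-7 are the high two bits
    of the 10-bit cylinder value whose low 8 bits are in CH.
    """
    ch, cl = (cx >> 8) & 0xFF, cx & 0xFF
    sectors_per_track = cl & 0x3F
    cylinder = ((cl & 0xC0) << 2) | ch
    return cylinder, sectors_per_track


def build_dap(count: int, buf_seg: int, buf_off: int, lba: int) -> bytes:
    """Pack a Disk Address Packet for INT 13h AH=42h (DS:SI points at it).

    "<" makes struct emit little-endian fields with no padding, so the
    buffer offset lands at 04h and the segment at 06h, as the BIOS expects.
    """
    if not 0 <= count <= 0x7F:
        raise ValueError("sector count must be 0..127")
    return struct.pack(DAP_FMT, DAP_SIZE, 0, count, 0, buf_off, buf_seg, lba)


def parse_dap(blob: bytes) -> dict:
    """Decode a DAP found in a disassembly (e.g. the bytes at the address IDA shows in SI)."""
    size, _r1, count, _r2, off, seg, lba = struct.unpack_from(DAP_FMT, blob)
    if size != DAP_SIZE:
        raise ValueError(f"unexpected DAP size {size:#x}")
    return {"count": count, "seg": seg, "off": off,
            "linear": (seg << 4) + off, "lba": lba}


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Return the four partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, nsect = struct.unpack_from(
            PART_FMT, mbr, PTABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba": lba, "sectors": nsect})
    return entries


def dap_for_active_vbr(mbr: bytes) -> bytes:
    """DAP for reading the active partition's first sector (its VBR) to 0000:7C00."""
    active = [e for e in parse_partition_table(mbr) if e["bootable"]]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return build_dap(1, 0x0000, 0x7C00, active[0]["lba"])


def sample_mbr() -> bytes:
    """Constructed MBR: zeroed boot code, one active type-07h partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    entry = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    mbr[PTABLE_OFF:PTABLE_OFF + 16] = entry
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    print(decode_int13_08_cx(0xFEFF))            # (1022, 63)
    dap = dap_for_active_vbr(sample_mbr())
    print(dap.hex(), parse_dap(dap))
```

When you find the DAP in the IDA listing, copy its 16 bytes into parse_dap and the result tells you where the sector lands in memory (the linear address) and which LBA is being read; the sector count check in build_dap mirrors the 0..127 limit in the table above, so a packet with a larger count is a sign that something other than a plain BIOS read is going on.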
It also uses the partition table structure covered in the previous post:
Now that we know everything we need to, let's look at the basic flow