Linux 下的一个磁盘映像,分析其主引导记录(2):IDA 中反汇编得到的 MBR 结果,并补充了一些注释.
; +-------------------------------------------------------------------------+
; | This file has been generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2017 Hex-Rays, <support@hex-rays.com> |
; | License info: 48-3FBD-7F04-2C |
; +-------------------------------------------------------------------------+
;
; Input SHA256 : C4125FAB2B63658158B7C1AFC4CD87BB387ECC818D34776D3B7CD63A71C37BF7
; Input MD5 : 22588B73B702192EAE95DED781F01139
; Input CRC32 : 4000B6EA
; ---------------------------------------------------------------------------
; File Name : Z:\Downloads\1.bin
; Format : Binary file
; Base Address: 0000h Range: 0600h - 0800h Loaded length: 0200h
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
seg000 segment byte public 'CODE' use16
assume cs:seg000
;org 600h
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
; Entry point: the BIOS loads this sector at 0:7C00h with dl = boot drive.
; Establish ds = ss = es = 0 and a stack just below the load address, then
; copy the 512-byte sector to 0:0600h and continue there, so that 7C00h is
; free for the boot sector that will be chain-loaded later.
xor ax, ax
cli ; no interrupts while ss:sp is being changed
mov ds, ax
mov ss, ax
mov sp, 7C00h ; stack grows down from the load address
mov si, sp ; ds:si = 0:7C00h, source of the copy
push es ; es and di are saved at 7BFEh/7BFCh; they are popped back just before jumping to the chain-loaded boot sector
push di
mov es, ax
sti
cld
mov di, 600h ; es:di = 0:0600h, destination of the copy
mov cx, 100h ; 100h words = 512 bytes
rep movsw ; relocate this sector to 0600h..07FFh
jmp far ptr loc_61F ; continue in the relocated copy (cs:ip = 0000:061Fh)
; ---------------------------------------------------------------------------
loc_61F: ; CODE XREF: seg000:061A↑J
; Running from the 0600h copy. Probe for INT 13h extensions (LBA reads) and,
; if present, patch ReadOneSector to use them; then fetch the CHS geometry and
; leave everything ReadOneSector needs at fixed stack addresses 7BF4h..7BFAh.
push dx ; dl = BIOS drive number, saved at 7BFAh: ReadOneSector reads it from there and it is popped back before chaining
push dx ; scratch copy, popped at loc_642 (INT 13h AH=41h may clobber dx)
mov ah, 41h ; INT 13h AH=41h: installation check for the INT 13h extensions
mov bx, 55AAh
xor cx, cx
xor dh, dh
stc ; pre-set CF so a BIOS that does not know AH=41h reports "not supported"
int 13h ; DISK - Check for INT 13h Extensions
; BX = 55AAh, DL = drive number
; Return: CF set if not supported
; AH = extensions version
; BX = AA55h
; CX = Interface support bit map
jb short loc_642 ; CF set: no extensions, keep CHS reads
cmp bx, 0AA55h
jnz short loc_642 ; signature not echoed back: no extensions
shr cx, 1 ; CX bit 0 = fixed-disk access subset (AH=42h/43h/48h) supported
jnb short loc_642 ; bit clear: LBA reads not available
mov dword ptr ds:loc_68D, 15EB42B4h ; self-patch: the first 4 bytes of the "div dword" at loc_68D in ReadOneSector become B4 42 EB 15 = "mov ah, 42h ; jmp short +15h", which skips the CHS conversion and lands on "mov dl, ds:7BFAh / int 13h" with ah = 42h and ds:si -> the disk address packet built on the stack
loc_642: ; CODE XREF: seg000:062D↑j
; seg000:0633↑j ...
pop dx ; drive number back in dl
mov ah, 8
int 13h ; DISK - DISK - GET CURRENT DRIVE PARAMETERS (XT,AT,XT286,CONV,PS)
; DL = drive number
; Return: CF set on error, AH = status code, BL = drive type
; DL = number of consecutive drives
; DH = maximum value for head number, ES:DI -> drive parameter
; NOTE(review): CF is not checked after AH=08h; if the call fails, cx/dh hold
; whatever the BIOS left there and the geometry saved below is garbage.
and cx, 3Fh ; cl bits 5..0 = sectors per track (drop the cylinder-high bits)
push cx ; sectors per track -> word at 7BF8h (ReadOneSector divides by its low byte)
movzx ax, dh ; dh = highest head number (0-based)
inc ax ; -> number of heads
mul cx ; dx:ax = heads * sectors per track = sectors per cylinder
push dx ; high word of the product -> 7BF6h (dx no longer holds the drive number here; mul overwrote it)
push ax ; low word -> 7BF4h; the dword at 7BF4h is the divisor used by ReadOneSector
xor eax, eax ; eax = LBA of the sector whose partition table sits at 7BEh (0 = this MBR)
cdq ; edx = 0: not inside an extended-partition chain yet
call checkDiskTable ; scans the table at 7BEh; returns only if no bootable partition was found anywhere
; START OF FUNCTION CHUNK FOR checkDiskTable
loc_65B: ; CODE XREF: checkDiskTable+90↓j
call DispStr ; DispStr pops the return address as the string pointer, so the text right after this call is printed; it never returns
; END OF FUNCTION CHUNK FOR checkDiskTable
; ---------------------------------------------------------------------------
aMissingOperati db 'Missing operating system.',0Dh,0Ah ; printed when no active partition exists (fall-through from checkDiskTable) or the loaded sector lacks the 55AAh signature (jump from onlyOneActive)
; =============== S U B R O U T I N E =======================================
; Read one sector to 0:7C00h, by LBA if the start-up code patched loc_68D,
; otherwise by converting the LBA to CHS.
; In:  eax = logical (LBA) sector number; es = 0
;      dword 7BF4h = sectors per cylinder, word 7BF8h = sectors per track,
;      byte 7BFAh = drive number (all pushed by the start-up code)
; Out: CF as returned by INT 13h (set on error); all general registers preserved
ReadOneSector proc near ; CODE XREF: ReadOneSectorAndTransTbl↓p
; checkDiskTable+85↓p
pushad
xor edx, edx ; edx:eax = 64-bit LBA (high dword 0)
mov bx, 7C00h ; buffer offset
; Build a 16-byte INT 13h AH=42h disk address packet on the stack; since
; ss = ds = 0, ds:si below addresses it. Offsets from si after the pushes:
push edx ; +0Ch: LBA bits 63..32
push eax ; +08h: LBA bits 31..0
push es ; +06h: buffer segment
push bx ; +04h: buffer offset
push 1 ; +02h: number of sectors
push 10h ; +00h: packet size (16 bytes)
mov si, sp ; ds:si -> packet (only used on the patched, LBA path)
loc_68D: ; DATA XREF: seg000:0639↑w
; If INT 13h extensions were detected, the 4 bytes at loc_68D now read
; "mov ah, 42h ; jmp short" to the "mov dl, ds:7BFAh" below, skipping the
; CHS conversion. Otherwise the original instructions run:
div dword ptr ds:7BF4h ; edx:eax / sectors per cylinder -> eax = cylinder, edx = sector index within the cylinder
shl ah, 6 ; cylinder bits 9..8 into cl bits 7..6 (INT 13h packs them there); higher cylinder bits are lost silently
mov cl, ah
mov ch, al ; cylinder bits 7..0
xchg ax, dx ; ax = sector index within the cylinder
div byte ptr ds:7BF8h ; / sectors per track -> al = head, ah = sector (0-based)
mov dh, al ; head
or cl, ah ; cl = cylinder-high bits | sector
inc cx ; INT 13h sector numbers are 1-based
mov ax, 201h ; ah = 02h read sectors, al = 1 sector
mov dl, ds:7BFAh ; drive (the LBA patch jumps here with ah = 42h)
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
lea sp, [si+10h] ; discard the 16-byte packet; lea leaves CF untouched
popad ; does not restore flags, so CF from INT 13h reaches the caller
retn
ReadOneSector endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Read LBA sector eax to 7C00h (see ReadOneSector) and copy its partition
; table (64 bytes at 7C00h+1BEh = 7DBEh) over the table of the relocated MBR
; at 7BEh, so checkDiskTable can scan it in place.
; In:  eax = LBA; es = 0 (buffer segment and copy destination)
; Out: CF from INT 13h (mov/rep movsw do not change flags); si, di, cx clobbered
; The copy is made even when the read failed; the callers test CF afterwards.
ReadOneSectorAndTransTbl proc near ; CODE XREF: checkDiskTable:loc_703↓p
; checkDiskTable+4E↓p
call ReadOneSector ; eax = LBA of the sector to read
mov si, 7DBEh ; table of the sector just read
mov di, 7BEh ; table area of the relocated MBR
mov cx, 20h ; 20h words = 64 bytes = 4 entries
rep movsw
retn
ReadOneSectorAndTransTbl endp
; =============== S U B R O U T I N E =======================================
; Scan the 4-entry partition table at 7BEh for the active (bootable) entry.
; In:  eax = LBA of the sector this table was read from (0 for the MBR itself,
;            the EBR's own LBA when scanning a logical partition); the entries'
;            relative start sectors are offset by it
;      edx = LBA of the outermost extended partition, 0 while still in the MBR
; After pushad, bp = sp and the saved registers lie at [bp]: edi +0, esi +4,
; ebp +8, esp +0Ch, ebx +10h, edx +14h, ecx +18h, eax +1Ch.
; Returns (popad/retn) only when no entry is active here or in any extended
; partition reached from here; otherwise it chains to the boot sector or
; prints an error and halts.
checkDiskTable proc near ; CODE XREF: seg000:0658↑p
; checkDiskTable+47↓p
arg_6 = dword ptr 8
; FUNCTION CHUNK AT 065B SIZE 00000003 BYTES
pushad
mov bp, sp ; frame pointer for the saved eax/edx (layout in the header)
mov bx, 7BEh ; first partition entry (600h + 1BEh)
mov cx, 4 ; 4 entries of 16 bytes
xor ax, ax ; ax = number of active entries seen
push bx
push cx ; kept for the extended-partition pass below
loc_6CF: ; CODE XREF: checkDiskTable+19↓j
test byte ptr [bx], 80h ; status byte: bit 7 = active
jz short loc_6D7
inc ax
mov si, bx ; si -> the (last) active entry
loc_6D7: ; CODE XREF: checkDiskTable+11↑j
add bx, 10h ; next entry
loop loc_6CF
dec ax ; ax-1: zero -> exactly one active, positive -> several, negative -> none
jz short onlyOneActive
jns short loc_71A ; more than one active entry: error
; No active entry in this table: descend into extended partitions.
pop cx
pop bx ; bx = 7BEh, cx = 4 again
loc_6E3: ; CODE XREF: checkDiskTable+54↓j
mov al, [bx+4] ; partition type byte
cmp al, 0Fh ; 0Fh = extended (LBA)
jz short loc_6F0
and al, 7Fh ; 85h (Linux extended) -> 05h
cmp al, 5 ; 05h = extended (CHS)
jnz short loc_712 ; not an extended entry: next one
loc_6F0: ; CODE XREF: checkDiskTable+27↑j
mov eax, [bx+8] ; relative start sector of the extended entry
mov edx, [bp+14h] ; saved edx = LBA of the outermost extended partition (0 in the MBR)
add eax, edx ; links inside a chain are relative to the outermost extended partition, so eax = EBR LBA
and edx, edx
jnz short loc_703 ; already inside a chain: keep its root
mov edx, eax ; first extended entry seen: its LBA becomes the root for the whole chain
loc_703: ; CODE XREF: checkDiskTable+3D↑j
call ReadOneSectorAndTransTbl ; read the EBR and put its table at 7BEh
jb short loc_70B ; read error: skip this EBR
call checkDiskTable ; recurse with eax = this EBR's LBA, edx = chain root. NOTE(review): there is no depth or cycle check on the EBR chain; a table whose links loop back on themselves recurses until the stack, growing down from 7BF4h, runs into the relocated code at 0600h
loc_70B: ; CODE XREF: checkDiskTable+45↑j
mov eax, [bp+1Ch] ; saved eax = LBA of the table this level was scanning
call ReadOneSectorAndTransTbl ; re-read it so 7BEh holds our own table again before the loop continues
loc_712: ; CODE XREF: checkDiskTable+2D↑j
add bx, 10h
loop loc_6E3
popad ; nothing bootable at this level; the top-level caller falls into "Missing operating system."
retn
; ---------------------------------------------------------------------------
loc_71A: ; CODE XREF: checkDiskTable+1E↑j
call DispStr ; the return address is the string below; DispStr never returns
; ---------------------------------------------------------------------------
aMultipleActive db 'Multiple active partitions.',0Dh,0Ah
; ---------------------------------------------------------------------------
onlyOneActive: ; CODE XREF: checkDiskTable+1C↑j
mov eax, [si+8] ; relative start sector of the active entry
add eax, [bp+1Ch] ; + saved eax (see pushad layout above) = LBA of the sector that holds this table: 0 for the MBR, the EBR's own LBA for a logical partition. bp was set from sp right after pushad; this is not a "hidden sectors" field
mov [si+8], eax ; store the absolute LBA back so the chained loader (which gets ds:si -> this entry) sees it
call ReadOneSector ; load the partition's boot sector at 0:7C00h
jb short loc_75E ; read error
cmp word ptr ds:7DFEh, 0AA55h ; boot signature at 7C00h+1FEh: the only validation applied to the loaded sector
jnz loc_65B ; no signature -> "Missing operating system."
mov sp, 7BFAh ; sp -> the values pushed by the start-up code
pop dx ; drive number (7BFAh)
pop di ; original di (7BFCh)
pop es ; original es (7BFEh); sp is now 7C00h
cli
jmp sp ; near jump to ip = sp = 7C00h: run the loaded boot sector with dl = drive, ds:si -> its partition entry, es/di restored
; ---------------------------------------------------------------------------
loc_75E: ; CODE XREF: checkDiskTable+88↑j
call DispStr ; the return address is the string below; DispStr never returns
checkDiskTable endp
; ---------------------------------------------------------------------------
aOperatingSyste db 'Operating system load error.',0Dh,0Ah ; printed when reading the boot sector of the active partition fails
; =============== S U B R O U T I N E =======================================
; Print the LF-terminated message that immediately follows the "call DispStr"
; in the caller: the return address popped into si is the message's address.
; Afterwards hand control to the BIOS via INT 18h and halt. Never returns.
; Clobbers: si, ax, bx
; Attributes: noreturn
DispStr proc near ; CODE XREF: checkDiskTable:loc_65B↑p
; checkDiskTable:loc_71A↑p ...
pop si ; si = return address = first byte of the message
loc_780: ; CODE XREF: DispStr+E↓j
lodsb ; al = next character
mov ah, 0Eh ; INT 10h AH=0Eh: teletype output
mov bh, ds:462h ; active display page from the BIOS data area (0040:0062)
mov bl, 7 ; foreground colour, only used in graphics modes
int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
; AL = character, BH = display page (alpha modes)
; BL = foreground color (graphics modes)
cmp al, 0Ah ; every message ends in 0Dh,0Ah: stop once the LF has been printed
jnz short loc_780
int 18h ; TRANSFER TO ROM BASIC
; causes transfer to ROM-based BASIC (IBM-PC)
; often reboots a compatible; often has no effect at all
; (on BIOSes following the BIOS Boot Specification, INT 18h signals "boot
; failed" and lets the firmware try the next boot device)
loc_791: ; CODE XREF: seg000:0792↓j
hlt ; if INT 18h returns: halt, and re-halt after any interrupt via the jmp below
DispStr endp ; sp-analysis failed
; ---------------------------------------------------------------------------
jmp short loc_791 ; idle loop around hlt
; ---------------------------------------------------------------------------
db 24h dup(0), 43h, 5Ah, 44h, 0B1h, 2 dup(0), ; 36 bytes of padding up to sector offset 1B8h, then the 4-byte disk signature (little-endian dword 0B1445A43h) and two reserved bytes at 1BCh
db 80h, 2 dup(1) ; partition table: 4 entries of 16 bytes at offset 1BEh. Entry 1: status 80h = active; CHS start head 1, sector 1 ...
db 0, 2 dup(1), 12h, 4Fh, 12h, 3 dup(0), 2Eh, 0Bh, 32h dup(0) ; ... cylinder 0; type 01h (FAT12 in the standard type table); CHS end head 1, sector 12h, cylinder 4Fh; start LBA 00000012h (18); size 00000B2Eh (2862) sectors, i.e. ending at sector 2880, consistent with a 1.44 MB floppy image; entries 2-4 are all zero (the remaining 48 bytes of the 32h)
db 55h, 0AAh ; boot signature at offset 1FEh
seg000 ends
end