Analyzing the XP MBR with Bochs

This is a newbie's first CSDN article. I have not even picked up the tricks of posting yet, but it beats not trying.
On to the topic: today's task is to analyze the MBR with Bochs and understand its code instructions.
First I drew on another writer's experience, 用bochs调试mbr-深入mbr调试分析, to trace the rough flow of the MBR instructions.
That blog did not post concrete analysis steps either, so what follows is my own analysis built on top of it. I also consulted winhex分析MBR.
Start with a clear picture of what the MBR does: the master boot record checks that the partition table is valid, determines which partition is the bootable (active) one, and when it finishes loads that partition's boot program (the operating system's boot sector) into memory and executes it.

Next at t=0
(0) [0x0000fffffff0] f000:fff0 (unk. ctxt): jmpf 0xf000:e05b          ; ea5be000f0
<bochs:1> b 0x7c00                            //set a breakpoint at 0x7c00, where the BIOS loads the MBR
<bochs:2> c                                          
//The MBR first copies its own code from 0000:7c1b to 0000:061b, so that 0000:7c00 is free for the boot sector it loads next.
(0) Breakpoint 1, 0x0000000000007c00 in ?? () 
Next at t=4948784
(0) [0x000000007c00] 0000:7c00 (unk. ctxt): xor ax, ax                ; 33c0    //the next few instructions zero AX and use it to set SS, ES and DS to 0 and SP to 0x7c00: they set up the segments and the stack (they do not clear memory)
<bochs:3> s
Next at t=4948785
(0) [0x000000007c02] 0000:7c02 (unk. ctxt): mov ss, ax                ; 8ed0
<bochs:4> s
Next at t=4948786
(0) [0x000000007c04] 0000:7c04 (unk. ctxt): mov sp, 0x7c00            ; bc007c
<bochs:5> s
Next at t=4948787
(0) [0x000000007c07] 0000:7c07 (unk. ctxt): sti                       ; fb
<bochs:6> s
Next at t=4948788
(0) [0x000000007c08] 0000:7c08 (unk. ctxt): push ax                   ; 50
<bochs:7> s
Next at t=4948789
(0) [0x000000007c09] 0000:7c09 (unk. ctxt): pop es                    ; 07
<bochs:8> s
Next at t=4948790
(0) [0x000000007c0a] 0000:7c0a (unk. ctxt): push ax                   ; 50
<bochs:9> s
Next at t=4948791
(0) [0x000000007c0b] 0000:7c0b (unk. ctxt): pop ds                    ; 1f
<bochs:10> s
Next at t=4948792
(0) [0x000000007c0c] 0000:7c0c (unk. ctxt): cld                       ; fc     //DF=0 so movsb counts upward; the following instructions copy the 1E5h bytes at 7C1Bh to 61Bh (7C1Bh + 1E5h = 7E00h, i.e. up to the end of the sector, partition table and 55AA signature included)
<bochs:11> s
Next at t=4948793
(0) [0x000000007c0d] 0000:7c0d (unk. ctxt): mov si, 0x7c1b            ; be1b7c
<bochs:12> s
Next at t=4948794
(0) [0x000000007c10] 0000:7c10 (unk. ctxt): mov di, 0x061b            ; bf1b06
<bochs:13> s
Next at t=4948795
(0) [0x000000007c13] 0000:7c13 (unk. ctxt): push ax                   ; 50
<bochs:14> s
Next at t=4948796
(0) [0x000000007c14] 0000:7c14 (unk. ctxt): push di                   ; 57
<bochs:15> s
Next at t=4948797
(0) [0x000000007c15] 0000:7c15 (unk. ctxt): mov cx, 0x01e5            ; b9e501
<bochs:16> s
Next at t=4948798
(0) [0x000000007c18] 0000:7c18 (unk. ctxt): rep movsb byte ptr es:[di], byte ptr ds:[si] ; f3a4
<bochs:18> p
Next at t=4949283
(0) [0x000000007c1a] 0000:7c1a (unk. ctxt): retf                      ; cb       //the push ax / push di at 7c13/7c14 left 0000:061b on the stack, so retf jumps to the relocated copy at 061Bh
<bochs:19> p
Next at t=4949284
(0) [0x00000000061b] 0000:061b (unk. ctxt): mov bp, 0x07be            ; bdbe07  //bp = 0x7be, the first partition table entry in the relocated copy (0x7dbe - 0x7600)
<bochs:20> s
Next at t=4949285
(0) [0x00000000061e] 0000:061e (unk. ctxt): mov cl, 0x04              ; b104    //cx = 4 partition entries; ch stays 0 and serves as the constant 00 in the compares below
<bochs:21> s
Next at t=4949286
(0) [0x000000000620] 0000:0620 (unk. ctxt): cmp byte ptr ss:[bp], ch  ; 386e00 //check the boot indicator, the first byte of each partition entry: 00 means not bootable, 80 means bootable (active)
<bochs:22> s
Next at t=4949287
(0) [0x000000000623] 0000:0623 (unk. ctxt): jl .+9 (0x0000062e)       ; 7c09   //jl is a signed compare: 80h is negative as a signed byte, so an active entry is "less than" 0 and the jump to 062e is taken
//Having found the active partition, the code must still check that the indicators of the remaining entries are all 00; more than one active partition is not allowed.
<bochs:23> s
Next at t=4949288
(0) [0x00000000062e] 0000:062e (unk. ctxt): mov si, bp                ; 8bf5
<bochs:24> s
Next at t=4949289
(0) [0x000000000630] 0000:0630 (unk. ctxt): add si, 0x0010            ; 83c610
<bochs:25> s
Next at t=4949290
(0) [0x000000000633] 0000:0633 (unk. ctxt): dec cx                    ; 49
<bochs:26> s
Next at t=4949291
(0) [0x000000000634] 0000:0634 (unk. ctxt): jz .+25 (0x0000064f)      ; 7419
<bochs:27> s
Next at t=4949292
(0) [0x000000000636] 0000:0636 (unk. ctxt): cmp byte ptr ds:[si], ch  ; 382c //is this entry's indicator 00?
<bochs:28> s
Next at t=4949293
(0) [0x000000000638] 0000:0638 (unk. ctxt): jz .-10 (0x00000630)      ; 74f6  //if so, jump back to 0630 (the encoded offset is -10 bytes), where add si,10h advances to the next 16-byte entry, and repeat. A second non-zero indicator would fall through instead (not taken on this trace).
<bochs:29> s
Next at t=4949294
(0) [0x000000000630] 0000:0630 (unk. ctxt): add si, 0x0010            ; 83c610
<bochs:30> s
Next at t=4949295
(0) [0x000000000633] 0000:0633 (unk. ctxt): dec cx                    ; 49
<bochs:31> s
Next at t=4949296
(0) [0x000000000634] 0000:0634 (unk. ctxt): jz .+25 (0x0000064f)      ; 7419
<bochs:32> s
Next at t=4949297
(0) [0x000000000636] 0000:0636 (unk. ctxt): cmp byte ptr ds:[si], ch  ; 382c
<bochs:33> s
Next at t=4949298
(0) [0x000000000638] 0000:0638 (unk. ctxt): jz .-10 (0x00000630)      ; 74f6
<bochs:34> s
Next at t=4949299
(0) [0x000000000630] 0000:0630 (unk. ctxt): add si, 0x0010            ; 83c610
<bochs:35> s
Next at t=4949300
(0) [0x000000000633] 0000:0633 (unk. ctxt): dec cx                    ; 49
<bochs:36> s
Next at t=4949301
(0) [0x000000000634] 0000:0634 (unk. ctxt): jz .+25 (0x0000064f)      ; 7419
<bochs:37> s
Next at t=4949302
(0) [0x000000000636] 0000:0636 (unk. ctxt): cmp byte ptr ds:[si], ch  ; 382c
<bochs:38> s
Next at t=4949303
(0) [0x000000000638] 0000:0638 (unk. ctxt): jz .-10 (0x00000630)      ; 74f6
<bochs:39> s
//Once all four entries have been checked (cx reaches 0), load the active partition's boot sector.
Next at t=4949304
(0) [0x000000000630] 0000:0630 (unk. ctxt): add si, 0x0010            ; 83c610
<bochs:40> s
Next at t=4949305
(0) [0x000000000633] 0000:0633 (unk. ctxt): dec cx                    ; 49
<bochs:41> s
Next at t=4949306
(0) [0x000000000634] 0000:0634 (unk. ctxt): jz .+25 (0x0000064f)      ; 7419
<bochs:42> s
Next at t=4949307
(0) [0x00000000064f] 0000:064f (unk. ctxt): mov byte ptr ss:[bp+16], cl ; 884e10 //cl is 0 here, so this clears the flag the MBR keeps at [bp+10h], meaning the backup boot sector has not been tried yet. (This cost me some time: the reference analysis writes bp+10h while Bochs prints the displacement in decimal as +16; they are the same offset, which I eventually confirmed from context.)
<bochs:43> s
Next at t=4949308
(0) [0x000000000652] 0000:0652 (unk. ctxt): call .+70 (0x0000069b)    ; e84600
<bochs:44> s
Next at t=4949309
(0) [0x00000000069b] 0000:069b (unk. ctxt): mov di, 0x0005            ; bf0500  //di = 5, the retry counter for the disk read
<bochs:45> s
Next at t=4949310
(0) [0x00000000069e] 0000:069e (unk. ctxt): mov dl, byte ptr ss:[bp]  ; 8a5600  //dl = the boot indicator byte (80h), which doubles as the BIOS drive number
<bochs:46> s
Next at t=4949311
(0) [0x0000000006a1] 0000:06a1 (unk. ctxt): mov ah, 0x08              ; b408
<bochs:47> s
Next at t=4949312
(0) [0x0000000006a3] 0000:06a3 (unk. ctxt): int 0x13                  ; cd13     //int 13h, AH=08h: get drive parameters for drive DL. On return CL bits 0-5 = sectors per track, CH plus CL bits 6-7 = max cylinder, DH = max head.
<bochs:48> p
Next at t=4949520
(0) [0x0000000006a5] 0000:06a5 (unk. ctxt): jb .+35 (0x000006ca)      ; 7223  //CF set means AH=08h failed: skip the capacity computation and read by CHS
<bochs:49> s
Next at t=4949521
(0) [0x0000000006a7] 0000:06a7 (unk. ctxt): mov al, cl                ; 8ac1  //06a7-06bc compute the CHS-addressable capacity of the drive: AL = sectors per track (CL & 3Fh), BX = max head + 1, AX = AL*BX (sectors per cylinder), DX = max cylinder + 1 (CH with CL bits 6-7 shifted in as the high bits), DX:AX = AX*DX
<bochs:50> s
Next at t=4949522
(0) [0x0000000006a9] 0000:06a9 (unk. ctxt): and al, 0x3f              ; 243f
<bochs:51> s
Next at t=4949523
(0) [0x0000000006ab] 0000:06ab (unk. ctxt): cbw                       ; 98
<bochs:52> s
Next at t=4949524
(0) [0x0000000006ac] 0000:06ac (unk. ctxt): mov bl, dh                ; 8ade
<bochs:53> s
Next at t=4949525
(0) [0x0000000006ae] 0000:06ae (unk. ctxt): mov bh, ah                ; 8afc
<bochs:54> s
Next at t=4949526
(0) [0x0000000006b0] 0000:06b0 (unk. ctxt): inc bx                    ; 43
<bochs:55> s
Next at t=4949527
(0) [0x0000000006b1] 0000:06b1 (unk. ctxt): mul ax, bx                ; f7e3
<bochs:56> s
Next at t=4949528
(0) [0x0000000006b3] 0000:06b3 (unk. ctxt): mov dx, cx                ; 8bd1
<bochs:57> s
Next at t=4949529
(0) [0x0000000006b5] 0000:06b5 (unk. ctxt): xchg dh, dl               ; 86d6
<bochs:58> s
Next at t=4949530
(0) [0x0000000006b7] 0000:06b7 (unk. ctxt): mov cl, 0x06              ; b106
<bochs:59> s
Next at t=4949531
(0) [0x0000000006b9] 0000:06b9 (unk. ctxt): shr dh, cl                ; d2ee
<bochs:60> s
Next at t=4949532
(0) [0x0000000006bb] 0000:06bb (unk. ctxt): inc dx                    ; 42
<bochs:61> s
Next at t=4949533
(0) [0x0000000006bc] 0000:06bc (unk. ctxt): mul ax, dx                ; f7e2  //dx:ax = total number of sectors reachable through CHS
<bochs:62> s
Next at t=4949534
(0) [0x0000000006be] 0000:06be (unk. ctxt): cmp word ptr ss:[bp+10], dx ; 39560a //compare the high word of the active partition's starting LBA ([bp+0Ah]; the LBA start is the dword at [bp+8]) with the high word of the CHS capacity: jnbe (partition starts beyond CHS range) goes to 06e6 and reads by LBA, jb goes to 06ca and reads by CHS. Here jb is taken.
<bochs:63> s
Next at t=4949535
(0) [0x0000000006c1] 0000:06c1 (unk. ctxt): jnbe .+35 (0x000006e6)    ; 7723
<bochs:64> s
Next at t=4949536
(0) [0x0000000006c3] 0000:06c3 (unk. ctxt): jb .+5 (0x000006ca)       ; 7205
<bochs:65> s
Next at t=4949537
(0) [0x0000000006ca] 0000:06ca (unk. ctxt): mov ax, 0x0201            ; b80102  //AH=02h read sectors, AL=1 sector
<bochs:66> s
Next at t=4949538
(0) [0x0000000006cd] 0000:06cd (unk. ctxt): mov bx, 0x7c00            ; bb007c  //ES:BX = 0000:7c00, the destination buffer
<bochs:67> s
Next at t=4949539
(0) [0x0000000006d0] 0000:06d0 (unk. ctxt): mov cx, word ptr ss:[bp+2] ; 8b4e02  //CH/CL = cylinder and sector of the partition's CHS start, taken unchanged from the entry
<bochs:68> s
Next at t=4949540
(0) [0x0000000006d3] 0000:06d3 (unk. ctxt): mov dx, word ptr ss:[bp]  ; 8b5600  //DL = drive (80h), DH = head of the CHS start
<bochs:69> s
Next at t=4949541
(0) [0x0000000006d6] 0000:06d6 (unk. ctxt): int 0x13                  ; cd13    //read the active partition's boot sector into 0000:7c00
<bochs:70> p
Next at t=4951090
(0) [0x0000000006d8] 0000:06d8 (unk. ctxt): jnb .+81 (0x0000072b)     ; 7351  //CF clear: the read succeeded, return to the caller
<bochs:71> s
Next at t=4951091
(0) [0x00000000072b] 0000:072b (unk. ctxt): ret                       ; c3
<bochs:72> s
Next at t=4951092
(0) [0x000000000655] 0000:0655 (unk. ctxt): jnb .+42 (0x00000681)     ; 732a
<bochs:73> s
Next at t=4951093
(0) [0x000000000681] 0000:0681 (unk. ctxt): cmp word ptr ds:0x7dfe, 0xaa55 ; 813efe7d55aa 
 //finally check that the loaded boot sector ends in 55 AA (0x7dfe is the last word of the sector now at 0x7c00)
<bochs:74> s
Next at t=4951094
(0) [0x000000000687] 0000:0687 (unk. ctxt): jz .+11 (0x00000694)      ; 740b
<bochs:75> s
Next at t=4951095
(0) [0x000000000694] 0000:0694 (unk. ctxt): mov di, sp                ; 8bfc  //sp is back at 0x7c00, so di = 0x7c00
<bochs:76> s
Next at t=4951096
(0) [0x000000000696] 0000:0696 (unk. ctxt): push ds                   ; 1e    //ds = 0, the segment of the far return address
<bochs:77> s
Next at t=4951097
(0) [0x000000000697] 0000:0697 (unk. ctxt): push di                   ; 57    //0x7c00, the offset of the far return address
<bochs:78> s
Next at t=4951098
(0) [0x000000000698] 0000:0698 (unk. ctxt): mov si, bp                ; 8bf5  //ds:si points at the active partition table entry, which is handed to the boot sector as its argument
<bochs:79> s
Next at t=4951099
(0) [0x00000000069a] 0000:069a (unk. ctxt): retf  //pops 0000:7c00 into CS:IP; control passes to the partition boot sector and the MBR's part of the boot is finished

This more or less completes the analysis of the MBR code. The boot flow and its steps are now clear, but some of the memory-assignment instructions seen while debugging were not very important, so I did not pay much attention to them.
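To make the decisions in the trace above checkable on a real sector dump, here is an added example (my own code, not code from the page or from the XP MBR) that reproduces them in Python on a 512-byte sector: the 55AA signature check at 0681, the active-partition loop at 0620-064f, the CHS-capacity arithmetic at 06a7-06bc on the registers int 13h/AH=08h returns, the CHS-versus-LBA choice at 06be-06c3, and the CX/DX values the MBR loads at 06d0/06d3. Two points are assumptions rather than things on the trace: an indicator that is neither 00 nor 80 is treated as an invalid table, and when the high words at 06be are equal the low words are compared the same way. The sample sector and the geometry values are constructed for illustration.

```python
"""Reproduce the XP MBR's boot-time decisions on a raw 512-byte sector.

Added example; not the page's or Microsoft's code. The sample sector and the
int 13h/AH=08h geometry values are constructed.
"""
import struct

PT_OFFSET = 0x1BE          # partition table; the relocated copy sits at 0x7BE (bp)
SIGNATURE_OFFSET = 0x1FE   # 0x7DFE once the sector is loaded at 0x7C00


def parse_chs(b):
    """Decode the packed 3-byte CHS field (head, sector|cyl_hi, cyl_lo)."""
    head = b[0]
    sector = b[1] & 0x3F
    cylinder = ((b[1] & 0xC0) << 2) | b[2]
    return cylinder, head, sector


def parse_entry(raw):
    """One 16-byte partition table entry."""
    boot, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"boot": boot, "type": ptype,
            "chs_start": parse_chs(chs_start), "chs_end": parse_chs(chs_end),
            "lba_start": lba_start, "sectors": sectors,
            # what 06d0/06d3 load for the CHS read: cx = [bp+2], dx = [bp]
            "int13_cx": raw[2] | (raw[3] << 8), "int13_dx": raw[0] | (raw[1] << 8)}


def parse_mbr(sector):
    """Signature check as at 0681, then the four entries."""
    if len(sector) != 512:
        raise ValueError("need exactly one 512-byte sector")
    if struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] != 0xAA55:
        raise ValueError("missing 55 AA signature")
    return [parse_entry(sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]) for i in range(4)]


def select_active(entries):
    """The loop at 0620-064f: the first entry whose indicator is negative as a
    signed byte (jl, i.e. 0x80..0xff) is active; every later one must be 00."""
    active = None
    for i, e in enumerate(entries):
        if active is None:
            if e["boot"] >= 0x80:
                active = i
            elif e["boot"] != 0:
                # assumption: only 00 and 80 appear on the trace; anything else is invalid
                raise ValueError("invalid partition table: indicator %02x" % e["boot"])
        elif e["boot"] != 0:
            raise ValueError("invalid partition table: more than one active entry")
    if active is None:
        raise ValueError("no active partition")
    return active


def chs_capacity(ch, cl, dh):
    """The arithmetic at 06a7-06bc on the int 13h/AH=08h return registers."""
    sectors_per_track = cl & 0x3F                  # mov al,cl ; and al,3f ; cbw
    heads = dh + 1                                 # mov bl,dh ; mov bh,ah ; inc bx
    per_cylinder = sectors_per_track * heads       # mul bx (at most 63*256, fits 16 bits)
    cylinders = (((cl & 0xC0) << 2) | ch) + 1      # mov dx,cx ; xchg dh,dl ; shr dh,6 ; inc dx
    return per_cylinder * cylinders                # mul dx -> dx:ax


def read_path(lba_start, capacity):
    """06be-06c3: compare high words of the partition start and the CHS capacity."""
    start_hi, cap_hi = lba_start >> 16, capacity >> 16
    if start_hi > cap_hi:          # jnbe 06e6: beyond CHS range, read by LBA
        return "LBA"
    if start_hi < cap_hi:          # jb 06ca: read by CHS (AH=02h)
        return "CHS"
    # assumption: equal high words fall through to a low-word compare (not on the trace)
    return "CHS" if (lba_start & 0xFFFF) < (capacity & 0xFFFF) else "LBA"


def boot_decision(sector, ch, cl, dh):
    """Everything the MBR decides before it issues the boot-sector read."""
    entries = parse_mbr(sector)
    idx = select_active(entries)
    e = entries[idx]
    cap = chs_capacity(ch, cl, dh)
    return {"active": idx, "path": read_path(e["lba_start"], cap), "capacity": cap,
            "cx": e["int13_cx"], "dx": e["int13_dx"]}


def sample_sector(lba_start=63):
    """Constructed sector: zero boot code, one active NTFS-type entry, 55 AA."""
    s = bytearray(512)
    entry = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x07,
                        bytes([0xFE, 0xFF, 0xFF]), lba_start, 2_000_000)
    s[PT_OFFSET:PT_OFFSET + 16] = entry
    s[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    # constructed geometry: 63 sectors/track, 255 heads, 1023 cylinders
    print(boot_decision(sample_sector(), ch=0xFE, cl=0xFF, dh=0xFE))
```

Feed it the first sector of a disk image instead of sample_sector() to compare against what Bochs shows: int13_dx should match the DX you see at 06d3, int13_cx the CX at 06d0, and capacity >> 16 the DX at 06be.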
