深度挖掘boot-----mbr启动代码分析

这次自己分析一遍MBR，先拿winhex把MBR弄出来，保存到mbr.bin,再用IDA分析

winhex弄出来的样子：

 

 

 

 

  

代码中涉及几个bios中断调用：

 

INT 13,8 - Get Current Drive Parameters (XT & newer)
       AH = 08
       DL = drive number (0=A:, 1=2nd floppy, 80h=drive 0, 81h=drive 1)

       on return:
       AH = status  (see INT 13,STATUS)
       BL = CMOS drive type
            01 - 5?  360K           03 - 3?  720K
            02 - 5?  1.2Mb          04 - 3? 1.44Mb
       CH = cylinders (0-1023 dec. see below)
       CL = sectors per track  (see below)
       DH = number of sides (0 based)
       DL = number of drives attached
       ES:DI = pointer to 11 byte Disk Base Table (DBT)
       CF = 0 if successful
          = 1 if error


       Cylinder and Sectors Per Track Format

       │F│E│D│C│B│A│9│8│7│6│5│4│3│2│1│0│  CX
        │ │ │ │ │ │ │ │ │ │ └─┴─┴─┴─┴─┴──  sectors per track
        │ │ │ │ │ │ │ │ └─┴──────────  high order 2 bits of cylinder count
        └─┴─┴─┴─┴─┴─┴─┴──────────  low order 8 bits of cylinder count

       - the track/cylinder number is a 10 bit value taken from the 2 high
         order bits of CL and the 8 bits in CH (low order 8 bits of track)
       - many good programming references indicate this function is only
         available on the AT, PS/2 and later systems, but all hard disk
         systems since the XT have this function available
       - only the disk number is checked for validity

int 13 扩展功能 41号
1) 检验扩展功能是否存在
入口:
AH = 41h
BX = 55AAh
DL = 驱动器号
返回:
CF = 0
AH = 扩展功能的主版本号
AL = 内部使用
BX = AA55h
CX = API 子集支持位图
CF = 1
AH = 错误码 01h，无效命令

这个调用检验对特定的驱动器是否存在扩展功能。如果进位标志置 1则此驱动器不支持扩展功能。如果进位标志为 0，同时 BX = AA55h，则存在扩展功能。此时 CX 的 0 位表示是否支持第一个子集，1位表示是否支持第二个子集.
对于 1.x 版的扩展 Int13H 来说，主版本号 AH = 1。AL 是副版本号，但这仅限于 BIOS 内部使用，任何软件不得检查 AL 的值。

int 13 扩展功能 42
2) 扩展读
入口:
AH = 42h
DL = 驱动器号
DS:DI = 磁盘地址数据包(Disk Address Packet)

返回:
CF = 0，AH = 0 成功
CF = 1，AH = 错误码

 

 Disk Address Packet --- DAP

  name            offset            size                 description

 

  size               00h                 1 byte            size of DAP = 16 = 10h

 

  reversed1     01h                 1 byte            unused, should be zero

 

  toReadNum   02h                 1 byte            number of sectors to be read, 0..127 (= 7Fh)

 

  reversed2     03h                 1 byte            unused, should be zero

 

  buffer            04h..07h         4 bytes          segment:offset pointer to the memory buffer to which sectors will  be   

                                                               transferred (note that  x86 is little-endian: if declaring the segment

                                                              and  offset separately,  the offset   must be declared before the segment)

 

  blockCount    08h..0Fh         8 bytes          absolute number of the start of the sectors to be read (1st sector of drive

                                                              has number 0)

这个调用将磁盘上的数据读入内存。如果出现错误，DAP 的 BlockCount项中则记录了出错前实际读取的数据块个数。

 

还有就是涉及了上篇提到的分区表结构：

 

 

该知道的都知道了，先看看基本流程