os-easy boot引导分析(一):反汇编MBR

不多说,先用 WinHex 把有用的部分复制出来

回来之后ida开始反汇编

反汇编的时候 IDA 提示不知道入口,直接分析就可以,文件是直接装载在 7c00 地址的

分析完一部分之后ida停止了,因为它不知道正确的跳转,人工分析,发现相当于就是向下继续执行,让ida继续分析。

人工分析代码,已经标上了注释,代码贴在下面

 

seg000:0100 ;
seg000:0100 ; +-------------------------------------------------------------------------+
seg000:0100 ; |   This file has been generated by The Interactive Disassembler (IDA)    |
seg000:0100 ; |        Copyright (c) 2009 by Hex-Rays,            |
seg000:0100 ; |                      License info: 77-4B83-901C-A6                      |
seg000:0100 ; |                              Licensed User                              |
seg000:0100 ; +-------------------------------------------------------------------------+
seg000:0100 ;
seg000:0100 ; Input MD5   : 9A4CD7E035BD114990C4EE31EDAD9296
seg000:0100
seg000:0100 ; ---------------------------------------------------------------------------
seg000:0100 ; File Name   : F:\datas\mbr.bin
seg000:0100 ; Format      : Binary file
seg000:0100 ; Base Address: 7C00h Range: 7C100h - 7C300h Loaded length: 0200h
seg000:0100
seg000:0100                 .686p
seg000:0100                 .mmx
seg000:0100                 .model flat
seg000:0100
seg000:0100 ; ===========================================================================
seg000:0100
seg000:0100 ; Segment type: Pure code
seg000:0100 seg000          segment byte public 'CODE' use16
seg000:0100                 assume cs:seg000
seg000:0100                 ;org 100h
seg000:0100                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:0100 ; Stage 0 of the boot-chain hook analysed in this post (16-bit real mode, BIOS entry at 0000:7C00).
seg000:0100 ; It relocates this sector to 0000:0600 and continues there (011Dh), where it either loads a hidden
seg000:0100 ; payload from a fixed LBA (loc_7C14C) or chains to the original MBR preserved in CHS sector 6.
seg000:0100 ; Segment registers: ss = ds = es = 0 for the rest of the listing; cs = 0 after the far jump.
seg000:0100 ; Address mapping: listing address X corresponds to 0600h + (X - 100h) in the relocated copy.
seg000:0100 ;
seg000:0100 ; Defender's notes, from the behaviour visible below:
seg000:0100 ;  - the sector carries a non-zero dword at file offset 1B4h (listing 02B4h): the payload start LBA;
seg000:0100 ;  - the original MBR is kept in CHS sector 6 (head 0, cylinder 0), which allows comparison and restore;
seg000:0100 ;  - the IVT byte at 0000:0234 (INT 8Dh slot) is reused as a run-state flag (see 0121h).
seg000:0100                 cli                     ; no interrupts while the stack is being moved
seg000:0101                 xor     ax, ax
seg000:0103                 mov     ss, ax
seg000:0105                 mov     sp, 7C00h       ; ss:sp = 0000:7C00; the stack grows down below the load address
seg000:0108                 mov     si, sp          ; si = 7C00h: source of the self-copy
seg000:010A                 push    ax
seg000:010B                 pop     es              ; es = 0
seg000:010C                 push    ax
seg000:010D                 pop     ds              ; ds = 0 (never changed afterwards)
seg000:010E                 sti
seg000:010F                 cld                     ; forward direction for rep movsw / lodsb
seg000:0110                 mov     di, 600h        ; es:di = 0000:0600: destination of the self-copy
seg000:0113                 mov     cx, 100h        ; 100h words = 512 bytes = the whole sector
seg000:0116                 rep movsw               ; copy this sector from 0000:7C00 to 0000:0600 (not 6100h as the original note said); frees 7C00h for the MBR loaded later
seg000:0118                 jmp     far ptr 0:61Dh  ; continue in the relocated copy at 0000:061D = listing 011Dh (file offset 1Dh)
seg000:011D ; ---------------------------------------------------------------------------
seg000:011D ; Runs in the relocated copy (cs = 0, ip = 061Dh). The byte at 0000:0234 - the interrupt vector
seg000:011D ; table slot of INT 8Dh (8Dh * 4 = 234h) - is used as a "payload already loaded" flag:
seg000:011D ;   flag != 1 -> first pass: set the flag and load the payload (loc_7C14C);
seg000:011D ;   flag == 1 -> second pass: read the original MBR from sector 6 to 7C00h and run it.
seg000:011D                 xor     ax, ax
seg000:011F                 mov     es, ax
seg000:0121                 mov     cl, es:234h     ; cl = flag byte stored in the IVT entry of INT 8Dh
seg000:0121                                         ; (IVT memory reused as scratch that survives this sector)
seg000:0126                 cmp     cl, 1
seg000:0129                 mov     byte ptr es:234h, 1 ; set the flag unconditionally; mov leaves the flags from cmp intact
seg000:012F                 jnz     short loc_7C14C ; flag was not 1: first pass, go load the payload
seg000:0131                 mov     ax, 0           ; second pass: chain to the original MBR
seg000:0134                 mov     es, ax
seg000:0136                 mov     ax, 201h        ; AH = 02h read sectors (CHS), AL = 1 sector
seg000:0139                 mov     bx, 7C00h       ; es:bx = 0000:7C00, where the BIOS would have placed the MBR
seg000:013C                 mov     cx, 6           ; CH = 0 (cylinder 0), CL = 6 (sector 6): the preserved original MBR
seg000:013F                 mov     dx, 80h         ; DH = 0 (head 0), DL = 80h (first hard disk)
seg000:0142                 int     13h             ; DISK - READ SECTORS INTO MEMORY
seg000:0142                                         ; AL = number of sectors to read, CH = track, CL = sector
seg000:0142                                         ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:0142                                         ; Return: CF set on error, AH = status, AL = number of sectors read
seg000:0144                 jb      short loc_7C19F ; CF set: read failed -> error path
seg000:0146                 mov     di, 7C00h
seg000:0149                 push    es              ; es = 0      -> becomes CS
seg000:014A                 push    di              ; di = 7C00h  -> becomes IP
seg000:014B                 retf                    ; far "return" to 0000:7C00: the original MBR runs as if the BIOS had loaded it
seg000:014C ; ---------------------------------------------------------------------------
seg000:014C
seg000:014C loc_7C14C:                              ; CODE XREF: seg000:012Fj
seg000:014C ; First pass: load the hidden payload with INT 13h extensions (LBA read) and jump into it.
seg000:014C                 mov     ax, 3000h
seg000:014F                 rol     eax, 10h        ; segment 3000h moves into the high word of eax
seg000:0153                 mov     ax, 100h        ; eax = 30000100h = far pointer 3000h:0100h (payload load address)
seg000:0156                 push    eax             ; left on the stack: consumed by retf below as IP = 0100h, CS = 3000h
seg000:0158                 xor     bx, bx
seg000:015A                 mov     es, bx
seg000:015C                 mov     si, 7B4h        ; 0000:07B4 = relocated file offset 1B4h (listing 02B4h): the payload start LBA stored in this sector
seg000:015F                 mov     ebx, cs:[si]    ; ebx = payload start LBA (bytes BC AB AF 0C at 02B4h -> 0CAFABBCh)
seg000:0163                 mov     si, 7A4h        ; build the Disk Address Packet at 0000:07A4 (relocated file offset 1A4h, inside the zero padding)
seg000:0163                                         ; struct DiskAddressPacket {
seg000:0163                                         ;   BYTE  PacketSize;  // 16             @ 7A4h
seg000:0163                                         ;   BYTE  Reserved;    // must be 0      @ 7A5h
seg000:0163                                         ;   WORD  BlockCount;  // sectors        @ 7A6h
seg000:0163                                         ;   DWORD BufferAddr;  // segment:offset @ 7A8h
seg000:0163                                         ;   QWORD BlockNum;    // start LBA      @ 7ACh
seg000:0163                                         ; };
seg000:0166                 mov     word ptr cs:[si], 10h ; PacketSize = 16, Reserved = 0 (one word write covers both fields)
seg000:016B                 mov     word ptr cs:[si+2], 7Fh ; BlockCount = 127 sectors (63.5 KiB)
seg000:0171                 mov     cs:[si+4], eax  ; BufferAddr = 3000h:0100h (linear 30100h), not 300100h
seg000:0176                 mov     cs:[si+8], ebx  ; BlockNum low dword = payload start LBA
seg000:017B                 mov     dword ptr cs:[si+0Ch], 0 ; BlockNum high dword = 0
seg000:0184                 mov     dl, 80h         ; DL = first hard disk
seg000:0186                 mov     ah, 42h         ; AH = 42h extended read
seg000:0188                 xor     al, al          ; INT 13h AH = 42h: extended read (LBA)
seg000:0188                                         ; DL    = drive
seg000:0188                                         ; DS:SI = Disk Address Packet (ds = 0, si = 7A4h; the original note said DS:DI)
seg000:0188                                         ; Returns: CF = 0, AH = 0 on success; CF = 1, AH = error code on failure.
seg000:0188                                         ; On error, the DAP BlockCount field holds the number of sectors actually read.
seg000:018A                 int     13h             ; DISK - extended read: 127 sectors from the stored LBA into 3000h:0100h
seg000:018C                 jb      short loc_7C19F ; CF set: read failed -> error path
seg000:018E                 pop     ebx             ; ebx = 30000100h (the far pointer pushed above)
seg000:0190                 push    ebx             ; put it back for retf
seg000:0192                 shr     ebx, 10h        ; ebx = 3000h, the segment (not 30010h as the original note said)
seg000:0196                 mov     es, bx          ; es = 3000h
seg000:0198                 mov     byte ptr es:124h, 1 ; 3000h:0124h = offset 24h inside the loaded payload; presumably a flag the payload checks - not determinable from this listing
seg000:019E                 retf                    ; pops IP = 0100h, CS = 3000h: enter the payload at 3000h:0100h
seg000:019F ; ---------------------------------------------------------------------------
seg000:019F
seg000:019F loc_7C19F:                              ; CODE XREF: seg000:0144j
seg000:019F                                         ; seg000:018Cj
seg000:019F ; Error path shared by both INT 13h reads: print the message, stall, then attempt a reboot.
seg000:019F                 mov     si, 6DFh        ; ds:si = 0000:06DF = relocated aReadDiskFailed (listing 01DFh)
seg000:01A2
seg000:01A2 loc_7C1A2:                              ; CODE XREF: seg000:01B0j
seg000:01A2                 lodsb                   ; al = *si++
seg000:01A3                 cmp     al, 0
seg000:01A5                 jz      short loc_7C1B2 ; NUL terminator reached -> delay loop
seg000:01A7                 push    si              ; keep the string pointer across the BIOS call
seg000:01A8                 mov     bx, 7           ; BH = 0 (page 0), BL = 7 (attribute)
seg000:01AB                 mov     ah, 0Eh
seg000:01AD                 int     10h             ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
seg000:01AD                                         ; AL = character, BH = display page (alpha modes)
seg000:01AD                                         ; BL = foreground color (graphics modes)
seg000:01AF                 pop     si
seg000:01B0                 jmp     short loc_7C1A2 ; next character
seg000:01B2 ; ---------------------------------------------------------------------------
seg000:01B2
seg000:01B2 loc_7C1B2:                              ; CODE XREF: seg000:01A5j
seg000:01B2                 push    ecx             ; busy-wait delay so the message stays visible; ecx is never popped (harmless: nothing returns from here)
seg000:01B4                 mov     ecx, 0FFFFFFFFh ; 2^32 - 1 iterations
seg000:01BA
seg000:01BA loc_7C1BA:                              ; CODE XREF: seg000:01C4j
seg000:01BA                 cmp     ecx, 0
seg000:01BE                 jz      short loc_7C1C6 ; counter exhausted -> reboot attempt
seg000:01C0                 sub     ecx, 1
seg000:01C4                 jmp     short loc_7C1BA
seg000:01C6 ; ---------------------------------------------------------------------------
seg000:01C6
seg000:01C6 loc_7C1C6:                              ; CODE XREF: seg000:01BEj
seg000:01C6 ; Reboot attempt through three independent reset paths; if all of them are ignored, hang.
seg000:01C6 ; (The original note read the port 92h write as enabling A20; bit 0 of port 92h is the
seg000:01C6 ; fast-reset bit, A20 is bit 1, so this block is a reset sequence, not an A20 enable.)
seg000:01C6                 push    dx
seg000:01C7                 push    ax
seg000:01C8                 mov     dx, 64h         ; 8042 keyboard-controller command port
seg000:01CB                 mov     al, 0FEh
seg000:01CD                 out     dx, al          ; 8042 command FEh: pulse the CPU reset line (reset attempt 1)
seg000:01CE                 in      al, 92h         ; System Control Port A
seg000:01D0                 or      al, 1           ; bit 0 = fast reset (bit 1, the A20 gate, is left unchanged)
seg000:01D2                 out     92h, al         ; reset attempt 2
seg000:01D4                 mov     dx, 0CF9h       ; PCI reset control register
seg000:01D7                 in      al, dx
seg000:01D8                 or      al, 6           ; bits 1 and 2 = system reset / full reset
seg000:01DA                 out     dx, al          ; reset attempt 3
seg000:01DB                 pop     ax              ; only reached if none of the resets took effect
seg000:01DC                 pop     dx
seg000:01DD
seg000:01DD loc_7C1DD:                              ; CODE XREF: seg000:loc_7C1DDj
seg000:01DD                 jmp     short loc_7C1DD ; halt: infinite loop
seg000:01DD ; ---------------------------------------------------------------------------
seg000:01DF aReadDiskFailed db 'Read disk failed!',0Dh,0Ah,0 ; NUL-terminated message printed by loc_7C19F; addressed as 6DFh in the 0600h copy
seg000:01F3 ; Zero padding up to the payload-LBA field at 02B4h. The last 16 bytes (listing 02A4h-02B3h,
seg000:01F3 ; file offset 1A4h-1B3h) are overwritten at run time with the Disk Address Packet built by
seg000:01F3 ; loc_7C14C at 0000:07A4 in the relocated copy, so they are not zero in memory after that point.
seg000:01F3                 db    0
seg000:01F4                 db    0
seg000:01F5                 db    0
seg000:01F6                 db    0
seg000:01F7                 db    0
seg000:01F8                 db    0
seg000:01F9                 db    0
seg000:01FA                 db    0
seg000:01FB                 db    0
seg000:01FC                 db    0
seg000:01FD                 db    0
seg000:01FE                 db    0
seg000:01FF                 db    0
seg000:0200                 db    0
seg000:0201                 db    0
seg000:0202                 db    0
seg000:0203                 db    0
seg000:0204                 db    0
seg000:0205                 db    0
seg000:0206                 db    0
seg000:0207                 db    0
seg000:0208                 db    0
seg000:0209                 db    0
seg000:020A                 db    0
seg000:020B                 db    0
seg000:020C                 db    0
seg000:020D                 db    0
seg000:020E                 db    0
seg000:020F                 db    0
seg000:0210                 db    0
seg000:0211                 db    0
seg000:0212                 db    0
seg000:0213                 db    0
seg000:0214                 db    0
seg000:0215                 db    0
seg000:0216                 db    0
seg000:0217                 db    0
seg000:0218                 db    0
seg000:0219                 db    0
seg000:021A                 db    0
seg000:021B                 db    0
seg000:021C                 db    0
seg000:021D                 db    0
seg000:021E                 db    0
seg000:021F                 db    0
seg000:0220                 db    0
seg000:0221                 db    0
seg000:0222                 db    0
seg000:0223                 db    0
seg000:0224                 db    0
seg000:0225                 db    0
seg000:0226                 db    0
seg000:0227                 db    0
seg000:0228                 db    0
seg000:0229                 db    0
seg000:022A                 db    0
seg000:022B                 db    0
seg000:022C                 db    0
seg000:022D                 db    0
seg000:022E                 db    0
seg000:022F                 db    0
seg000:0230                 db    0
seg000:0231                 db    0
seg000:0232                 db    0
seg000:0233                 db    0
seg000:0234                 db    0
seg000:0235                 db    0
seg000:0236                 db    0
seg000:0237                 db    0
seg000:0238                 db    0
seg000:0239                 db    0
seg000:023A                 db    0
seg000:023B                 db    0
seg000:023C                 db    0
seg000:023D                 db    0
seg000:023E                 db    0
seg000:023F                 db    0
seg000:0240                 db    0
seg000:0241                 db    0
seg000:0242                 db    0
seg000:0243                 db    0
seg000:0244                 db    0
seg000:0245                 db    0
seg000:0246                 db    0
seg000:0247                 db    0
seg000:0248                 db    0
seg000:0249                 db    0
seg000:024A                 db    0
seg000:024B                 db    0
seg000:024C                 db    0
seg000:024D                 db    0
seg000:024E                 db    0
seg000:024F                 db    0
seg000:0250                 db    0
seg000:0251                 db    0
seg000:0252                 db    0
seg000:0253                 db    0
seg000:0254                 db    0
seg000:0255                 db    0
seg000:0256                 db    0
seg000:0257                 db    0
seg000:0258                 db    0
seg000:0259                 db    0
seg000:025A                 db    0
seg000:025B                 db    0
seg000:025C                 db    0
seg000:025D                 db    0
seg000:025E                 db    0
seg000:025F                 db    0
seg000:0260                 db    0
seg000:0261                 db    0
seg000:0262                 db    0
seg000:0263                 db    0
seg000:0264                 db    0
seg000:0265                 db    0
seg000:0266                 db    0
seg000:0267                 db    0
seg000:0268                 db    0
seg000:0269                 db    0
seg000:026A                 db    0
seg000:026B                 db    0
seg000:026C                 db    0
seg000:026D                 db    0
seg000:026E                 db    0
seg000:026F                 db    0
seg000:0270                 db    0
seg000:0271                 db    0
seg000:0272                 db    0
seg000:0273                 db    0
seg000:0274                 db    0
seg000:0275                 db    0
seg000:0276                 db    0
seg000:0277                 db    0
seg000:0278                 db    0
seg000:0279                 db    0
seg000:027A                 db    0
seg000:027B                 db    0
seg000:027C                 db    0
seg000:027D                 db    0
seg000:027E                 db    0
seg000:027F                 db    0
seg000:0280                 db    0
seg000:0281                 db    0
seg000:0282                 db    0
seg000:0283                 db    0
seg000:0284                 db    0
seg000:0285                 db    0
seg000:0286                 db    0
seg000:0287                 db    0
seg000:0288                 db    0
seg000:0289                 db    0
seg000:028A                 db    0
seg000:028B                 db    0
seg000:028C                 db    0
seg000:028D                 db    0
seg000:028E                 db    0
seg000:028F                 db    0
seg000:0290                 db    0
seg000:0291                 db    0
seg000:0292                 db    0
seg000:0293                 db    0
seg000:0294                 db    0
seg000:0295                 db    0
seg000:0296                 db    0
seg000:0297                 db    0
seg000:0298                 db    0
seg000:0299                 db    0
seg000:029A                 db    0
seg000:029B                 db    0
seg000:029C                 db    0
seg000:029D                 db    0
seg000:029E                 db    0
seg000:029F                 db    0
seg000:02A0                 db    0
seg000:02A1                 db    0
seg000:02A2                 db    0
seg000:02A3                 db    0
seg000:02A4                 db    0         ; start of the 16-byte DAP scratch area (0000:07A4 after relocation)
seg000:02A5                 db    0
seg000:02A6                 db    0
seg000:02A7                 db    0
seg000:02A8                 db    0
seg000:02A9                 db    0
seg000:02AA                 db    0
seg000:02AB                 db    0
seg000:02AC                 db    0
seg000:02AD                 db    0
seg000:02AE                 db    0
seg000:02AF                 db    0
seg000:02B0                 db    0
seg000:02B1                 db    0
seg000:02B2                 db    0
seg000:02B3                 db    0         ; end of the DAP scratch area
seg000:02B4 ; File offset 1B4h: payload start LBA, read by loc_7C14C through cs:[7B4h] (little-endian dword 0CAFABBCh).
seg000:02B4 ; A stock MBR has no such field here; its presence is one of the static indicators of this loader.
seg000:02B4                 db 0BCh ; payload start LBA, byte 0
seg000:02B5                 db 0ABh ; byte 1
seg000:02B6                 db 0AFh ; byte 2
seg000:02B7                 db  0Ch ; byte 3
seg000:02B8 ; File offset 1B8h onwards follows the standard MBR layout: 4-byte disk signature, 2 reserved bytes,
seg000:02B8 ; four 16-byte partition entries from 1BEh, and the 55AAh signature at 1FEh. The field notes below
seg000:02B8 ; assume that layout.
seg000:02B8                 db  39h ; disk signature, byte 0 (little-endian dword 7F52E739h)
seg000:02B9                 db 0E7h ; byte 1
seg000:02BA                 db  52h ; byte 2
seg000:02BB                 db  7Fh ; byte 3
seg000:02BC                 db    0 ; 2 bytes at 1BCh, reserved in the classic layout
seg000:02BD                 db    1
seg000:02BE ; Partition entry 1 (1BEh)
seg000:02BE                 db  80h ; status 80h = active (bootable)
seg000:02BF                 db    1 ; start CHS: head 1
seg000:02C0                 db    1 ;            sector 1 (cylinder high bits 0)
seg000:02C1                 db    0 ;            cylinder 0
seg000:02C2                 db    7 ; type 07h (NTFS / exFAT / HPFS)
seg000:02C3                 db 0FEh ; end CHS: head 254
seg000:02C4                 db  3Fh ;          sector 63 (cylinder high bits)
seg000:02C5                 db 0FFh ;          cylinder low byte (saturated CHS)
seg000:02C6                 db  3Fh ; start LBA = 0000003Fh (63), little-endian
seg000:02C7                 db    0
seg000:02C8                 db    0
seg000:02C9                 db    0
seg000:02CA                 db  89h ; sector count = 0C33F789h, little-endian
seg000:02CB                 db 0F7h
seg000:02CC                 db  33h
seg000:02CD                 db  0Ch
seg000:02CE ; Partition entry 2 (1CEh). Read as a standard entry it starts at LBA 35B11108h, far beyond the end of
seg000:02CE ; entry 1 (3Fh + 0C33F789h = 0C33F7C8h); the payload LBA 0CAFABBCh falls inside that unpartitioned gap,
seg000:02CE ; i.e. in space no file system covers. Treat this reading as inferred from the raw bytes, not confirmed.
seg000:02CE                 db    0 ; status 00h = not active
seg000:02CF                 db 0FEh ; start CHS (saturated values)
seg000:02D0                 db  3Fh
seg000:02D1                 db 0FFh
seg000:02D2                 db    7 ; type 07h
seg000:02D3                 db 0FEh ; end CHS (saturated values)
seg000:02D4                 db  3Fh
seg000:02D5                 db 0FFh
seg000:02D6                 db    8 ; start LBA = 35B11108h, little-endian
seg000:02D7                 db  11h
seg000:02D8                 db 0B1h
seg000:02D9                 db  35h
seg000:02DA                 db  70h ; sector count = 04850670h, little-endian
seg000:02DB                 db    6
seg000:02DC                 db  85h
seg000:02DD                 db    4
seg000:02DE ; Partition entries 3 and 4 (1DEh, 1EEh): all zero = unused
seg000:02DE                 db    0
seg000:02DF                 db    0
seg000:02E0                 db    0
seg000:02E1                 db    0
seg000:02E2                 db    0
seg000:02E3                 db    0
seg000:02E4                 db    0
seg000:02E5                 db    0
seg000:02E6                 db    0
seg000:02E7                 db    0
seg000:02E8                 db    0
seg000:02E9                 db    0
seg000:02EA                 db    0
seg000:02EB                 db    0
seg000:02EC                 db    0
seg000:02ED                 db    0
seg000:02EE                 db    0
seg000:02EF                 db    0
seg000:02F0                 db    0
seg000:02F1                 db    0
seg000:02F2                 db    0
seg000:02F3                 db    0
seg000:02F4                 db    0
seg000:02F5                 db    0
seg000:02F6                 db    0
seg000:02F7                 db    0
seg000:02F8                 db    0
seg000:02F9                 db    0
seg000:02FA                 db    0
seg000:02FB                 db    0
seg000:02FC                 db    0
seg000:02FD                 db    0
seg000:02FE                 db  55h ; boot signature 55AAh at 1FEh, required by the BIOS; present as on any valid MBR
seg000:02FF                 db 0AAh
seg000:02FF seg000          ends
seg000:02FF
seg000:02FF
seg000:02FF                 end