不多说,win-hex先把有用的复制出来
回来之后ida开始反汇编
反汇编的时候ida提示不知道入口,直接分析就可以,文件是直接装载在7c00地址的
分析完一部分之后ida停止了,因为它不知道正确的跳转,人工分析,发现相当于就是向下继续执行,让ida继续分析。
人工分析代码,已经标上了注释,代码贴在下面
seg000:0100 ;
seg000:0100 ; +-------------------------------------------------------------------------+
seg000:0100 ; | This file has been generated by The Interactive Disassembler (IDA) |
seg000:0100 ; | Copyright (c) 2009 by Hex-Rays, |
seg000:0100 ; | License info: 77-4B83-901C-A6 |
seg000:0100 ; | Licensed User |
seg000:0100 ; +-------------------------------------------------------------------------+
seg000:0100 ;
seg000:0100 ; Input MD5 : 9A4CD7E035BD114990C4EE31EDAD9296
seg000:0100
seg000:0100 ; ---------------------------------------------------------------------------
seg000:0100 ; File Name : F:\datas\mbr.bin
seg000:0100 ; Format : Binary file
seg000:0100 ; Base Address: 7C00h Range: 7C100h - 7C300h Loaded length: 0200h
seg000:0100
seg000:0100 .686p
seg000:0100 .mmx
seg000:0100 .model flat
seg000:0100
seg000:0100 ; ===========================================================================
seg000:0100
seg000:0100 ; Segment type: Pure code
seg000:0100 seg000 segment byte public 'CODE' use16
seg000:0100 assume cs:seg000
seg000:0100 ;org 100h
seg000:0100 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:0100 cli
seg000:0101 xor ax, ax
seg000:0103 mov ss, ax
seg000:0105 mov sp, 7C00h
seg000:0108 mov si, sp
seg000:010A push ax
seg000:010B pop es
seg000:010C push ax
seg000:010D pop ds
seg000:010E sti
seg000:010F cld
seg000:0110 mov di, 600h
seg000:0113 mov cx, 100h
seg000:0116 rep movsw ; 复制自己到6100h
seg000:0118 jmp far ptr 0:61Dh ; 跳转之后继续运行
seg000:011D ; ---------------------------------------------------------------------------
seg000:011D xor ax, ax
seg000:011F mov es, ax
seg000:0121 mov cl, es:234h ; 读取中断向量表
seg000:0121 ; 获得8D中断
seg000:0126 cmp cl, 1
seg000:0129 mov byte ptr es:234h, 1
seg000:012F jnz short loc_7C14C ; 如果cl!=1就让cl等于1之后跳转
seg000:0131 mov ax, 0
seg000:0134 mov es, ax
seg000:0136 mov ax, 201h
seg000:0139 mov bx, 7C00h ; 读取在第六扇区的真正的mbr
seg000:013C mov cx, 6
seg000:013F mov dx, 80h ; '€'
seg000:0142 int 13h ; DISK - READ SECTORS INTO MEMORY
seg000:0142 ; AL = number of sectors to read, CH = track, CL = sector
seg000:0142 ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:0142 ; Return: CF set on error, AH = status, AL = number of sectors read
seg000:0144 jb short loc_7C19F ; io错误则跳转
seg000:0146 mov di, 7C00h
seg000:0149 push es
seg000:014A push di
seg000:014B retf
seg000:014C ; ---------------------------------------------------------------------------
seg000:014C
seg000:014C loc_7C14C: ; CODE XREF: seg000:012Fj
seg000:014C mov ax, 3000h
seg000:014F rol eax, 10h
seg000:0153 mov ax, 100h
seg000:0156 push eax ; ax=300100
seg000:0158 xor bx, bx
seg000:015A mov es, bx
seg000:015C mov si, 7B4h ; struct DiskAddressPacket
seg000:015C ; {
seg000:015C ; BYTE PacketSize; // 数据包尺寸(16字节) 0x7a4
seg000:015C ; BYTE Reserved; // ==0 0x7a5
seg000:015C ; WORD BlockCount; // 要传输的数据块个数(以扇区为单位) 0x7a6
seg000:015C ; DWORD BufferAddr; // 传输缓冲地址(segment:offset) 0x7a8
seg000:015C ; QWORD BlockNum; // 磁盘起始绝对块地址 0x7ac
seg000:015C ; };
seg000:015F mov ebx, cs:[si]
seg000:0163 mov si, 7A4h
seg000:0166 mov word ptr cs:[si], 10h ; DiskAddressPacket.PacketSize=16;
seg000:016B mov word ptr cs:[si+2], 7Fh ; '' ; DiskAddressPacket.BlockCount=127
seg000:0171 mov cs:[si+4], eax ; .BufferAddr=0x300100
seg000:0176 mov cs:[si+8], ebx
seg000:017B mov dword ptr cs:[si+0Ch], 0
seg000:0184 mov dl, 80h ; '€'
seg000:0186 mov ah, 42h ; 'B'
seg000:0188 xor al, al ; 磁盘块读取
seg000:0188 ; AH = 42h
seg000:0188 ; DL = 驱动器号
seg000:0188 ; DS:DI = 磁盘地址数据包(Disk Address Packet)
seg000:0188 ;
seg000:0188 ; 返回:
seg000:0188 ; CF = 0,AH = 0 成功
seg000:0188 ; CF = 1,AH = 错误码
seg000:0188 ;
seg000:0188 ; 这个调用将磁盘上的数据读入内存。如果出现错误,DAP 的 BlockCount项中则记录了出错前实际读取的数据块个数。
seg000:018A int 13h ; DISK -
seg000:018C jb short loc_7C19F ; 错误信息
seg000:018E pop ebx
seg000:0190 push ebx
seg000:0192 shr ebx, 10h ; ebx=0x30010
seg000:0196 mov es, bx ; es=0x10
seg000:0198 mov byte ptr es:124h, 1
seg000:019E retf
seg000:019F ; ---------------------------------------------------------------------------
seg000:019F
seg000:019F loc_7C19F: ; CODE XREF: seg000:0144j
seg000:019F ; seg000:018Cj
seg000:019F mov si, 6DFh ; 错误信息
seg000:01A2
seg000:01A2 loc_7C1A2: ; CODE XREF: seg000:01B0j
seg000:01A2 lodsb ; putch(si);
seg000:01A3 cmp al, 0
seg000:01A5 jz short loc_7C1B2 ; delay()
seg000:01A7 push si
seg000:01A8 mov bx, 7
seg000:01AB mov ah, 0Eh
seg000:01AD int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
seg000:01AD ; AL = character, BH = display page (alpha modes)
seg000:01AD ; BL = foreground color (graphics modes)
seg000:01AF pop si
seg000:01B0 jmp short loc_7C1A2 ; putch(si);
seg000:01B2 ; ---------------------------------------------------------------------------
seg000:01B2
seg000:01B2 loc_7C1B2: ; CODE XREF: seg000:01A5j
seg000:01B2 push ecx ; delay()
seg000:01B4 mov ecx, 0FFFFFFFFh
seg000:01BA
seg000:01BA loc_7C1BA: ; CODE XREF: seg000:01C4j
seg000:01BA cmp ecx, 0
seg000:01BE jz short loc_7C1C6 ; 对于硬件的一些操作,基本属于错误处理,无视就好
seg000:01C0 sub ecx, 1
seg000:01C4 jmp short loc_7C1BA
seg000:01C6 ; ---------------------------------------------------------------------------
seg000:01C6
seg000:01C6 loc_7C1C6: ; CODE XREF: seg000:01BEj
seg000:01C6 push dx ; 对于硬件的一些操作,基本属于错误处理,无视就好
seg000:01C7 push ax
seg000:01C8 mov dx, 64h ; 'd'
seg000:01CB mov al, 0FEh ; '?
seg000:01CD out dx, al ; AT Keyboard controller 8042.
seg000:01CD ; Resend the last transmission
seg000:01CE in al, 92h
seg000:01D0 or al, 1
seg000:01D2 out 92h, al ; 打开A20地址线,可以访问高端内存
seg000:01D4 mov dx, 0CF9h
seg000:01D7 in al, dx
seg000:01D8 or al, 6
seg000:01DA out dx, al ; 把按键和reboot关联起来
seg000:01DB pop ax
seg000:01DC pop dx
seg000:01DD
seg000:01DD loc_7C1DD: ; CODE XREF: seg000:loc_7C1DDj
seg000:01DD jmp short loc_7C1DD ; 死循环
seg000:01DD ; ---------------------------------------------------------------------------
seg000:01DF aReadDiskFailed db 'Read disk failed!',0Dh,0Ah,0
seg000:01F3 db 0
seg000:01F4 db 0
seg000:01F5 db 0
seg000:01F6 db 0
seg000:01F7 db 0
seg000:01F8 db 0
seg000:01F9 db 0
seg000:01FA db 0
seg000:01FB db 0
seg000:01FC db 0
seg000:01FD db 0
seg000:01FE db 0
seg000:01FF db 0
seg000:0200 db 0
seg000:0201 db 0
seg000:0202 db 0
seg000:0203 db 0
seg000:0204 db 0
seg000:0205 db 0
seg000:0206 db 0
seg000:0207 db 0
seg000:0208 db 0
seg000:0209 db 0
seg000:020A db 0
seg000:020B db 0
seg000:020C db 0
seg000:020D db 0
seg000:020E db 0
seg000:020F db 0
seg000:0210 db 0
seg000:0211 db 0
seg000:0212 db 0
seg000:0213 db 0
seg000:0214 db 0
seg000:0215 db 0
seg000:0216 db 0
seg000:0217 db 0
seg000:0218 db 0
seg000:0219 db 0
seg000:021A db 0
seg000:021B db 0
seg000:021C db 0
seg000:021D db 0
seg000:021E db 0
seg000:021F db 0
seg000:0220 db 0
seg000:0221 db 0
seg000:0222 db 0
seg000:0223 db 0
seg000:0224 db 0
seg000:0225 db 0
seg000:0226 db 0
seg000:0227 db 0
seg000:0228 db 0
seg000:0229 db 0
seg000:022A db 0
seg000:022B db 0
seg000:022C db 0
seg000:022D db 0
seg000:022E db 0
seg000:022F db 0
seg000:0230 db 0
seg000:0231 db 0
seg000:0232 db 0
seg000:0233 db 0
seg000:0234 db 0
seg000:0235 db 0
seg000:0236 db 0
seg000:0237 db 0
seg000:0238 db 0
seg000:0239 db 0
seg000:023A db 0
seg000:023B db 0
seg000:023C db 0
seg000:023D db 0
seg000:023E db 0
seg000:023F db 0
seg000:0240 db 0
seg000:0241 db 0
seg000:0242 db 0
seg000:0243 db 0
seg000:0244 db 0
seg000:0245 db 0
seg000:0246 db 0
seg000:0247 db 0
seg000:0248 db 0
seg000:0249 db 0
seg000:024A db 0
seg000:024B db 0
seg000:024C db 0
seg000:024D db 0
seg000:024E db 0
seg000:024F db 0
seg000:0250 db 0
seg000:0251 db 0
seg000:0252 db 0
seg000:0253 db 0
seg000:0254 db 0
seg000:0255 db 0
seg000:0256 db 0
seg000:0257 db 0
seg000:0258 db 0
seg000:0259 db 0
seg000:025A db 0
seg000:025B db 0
seg000:025C db 0
seg000:025D db 0
seg000:025E db 0
seg000:025F db 0
seg000:0260 db 0
seg000:0261 db 0
seg000:0262 db 0
seg000:0263 db 0
seg000:0264 db 0
seg000:0265 db 0
seg000:0266 db 0
seg000:0267 db 0
seg000:0268 db 0
seg000:0269 db 0
seg000:026A db 0
seg000:026B db 0
seg000:026C db 0
seg000:026D db 0
seg000:026E db 0
seg000:026F db 0
seg000:0270 db 0
seg000:0271 db 0
seg000:0272 db 0
seg000:0273 db 0
seg000:0274 db 0
seg000:0275 db 0
seg000:0276 db 0
seg000:0277 db 0
seg000:0278 db 0
seg000:0279 db 0
seg000:027A db 0
seg000:027B db 0
seg000:027C db 0
seg000:027D db 0
seg000:027E db 0
seg000:027F db 0
seg000:0280 db 0
seg000:0281 db 0
seg000:0282 db 0
seg000:0283 db 0
seg000:0284 db 0
seg000:0285 db 0
seg000:0286 db 0
seg000:0287 db 0
seg000:0288 db 0
seg000:0289 db 0
seg000:028A db 0
seg000:028B db 0
seg000:028C db 0
seg000:028D db 0
seg000:028E db 0
seg000:028F db 0
seg000:0290 db 0
seg000:0291 db 0
seg000:0292 db 0
seg000:0293 db 0
seg000:0294 db 0
seg000:0295 db 0
seg000:0296 db 0
seg000:0297 db 0
seg000:0298 db 0
seg000:0299 db 0
seg000:029A db 0
seg000:029B db 0
seg000:029C db 0
seg000:029D db 0
seg000:029E db 0
seg000:029F db 0
seg000:02A0 db 0
seg000:02A1 db 0
seg000:02A2 db 0
seg000:02A3 db 0
seg000:02A4 db 0
seg000:02A5 db 0
seg000:02A6 db 0
seg000:02A7 db 0
seg000:02A8 db 0
seg000:02A9 db 0
seg000:02AA db 0
seg000:02AB db 0
seg000:02AC db 0
seg000:02AD db 0
seg000:02AE db 0
seg000:02AF db 0
seg000:02B0 db 0
seg000:02B1 db 0
seg000:02B2 db 0
seg000:02B3 db 0
seg000:02B4 db 0BCh ; ?
seg000:02B5 db 0ABh ; ?
seg000:02B6 db 0AFh ; ?
seg000:02B7 db 0Ch
seg000:02B8 db 39h ; 9
seg000:02B9 db 0E7h ; ?
seg000:02BA db 52h ; R
seg000:02BB db 7Fh ;
seg000:02BC db 0
seg000:02BD db 1
seg000:02BE db 80h ; €
seg000:02BF db 1
seg000:02C0 db 1
seg000:02C1 db 0
seg000:02C2 db 7
seg000:02C3 db 0FEh ; ?
seg000:02C4 db 3Fh ; ?
seg000:02C5 db 0FFh
seg000:02C6 db 3Fh ; ?
seg000:02C7 db 0
seg000:02C8 db 0
seg000:02C9 db 0
seg000:02CA db 89h ; ?
seg000:02CB db 0F7h ; ?
seg000:02CC db 33h ; 3
seg000:02CD db 0Ch
seg000:02CE db 0
seg000:02CF db 0FEh ; ?
seg000:02D0 db 3Fh ; ?
seg000:02D1 db 0FFh
seg000:02D2 db 7
seg000:02D3 db 0FEh ; ?
seg000:02D4 db 3Fh ; ?
seg000:02D5 db 0FFh
seg000:02D6 db 8
seg000:02D7 db 11h
seg000:02D8 db 0B1h ; ?
seg000:02D9 db 35h ; 5
seg000:02DA db 70h ; p
seg000:02DB db 6
seg000:02DC db 85h ; ?
seg000:02DD db 4
seg000:02DE db 0
seg000:02DF db 0
seg000:02E0 db 0
seg000:02E1 db 0
seg000:02E2 db 0
seg000:02E3 db 0
seg000:02E4 db 0
seg000:02E5 db 0
seg000:02E6 db 0
seg000:02E7 db 0
seg000:02E8 db 0
seg000:02E9 db 0
seg000:02EA db 0
seg000:02EB db 0
seg000:02EC db 0
seg000:02ED db 0
seg000:02EE db 0
seg000:02EF db 0
seg000:02F0 db 0
seg000:02F1 db 0
seg000:02F2 db 0
seg000:02F3 db 0
seg000:02F4 db 0
seg000:02F5 db 0
seg000:02F6 db 0
seg000:02F7 db 0
seg000:02F8 db 0
seg000:02F9 db 0
seg000:02FA db 0
seg000:02FB db 0
seg000:02FC db 0
seg000:02FD db 0
seg000:02FE db 55h ; U
seg000:02FF db 0AAh ; ?
seg000:02FF seg000 ends
seg000:02FF
seg000:02FF
seg000:02FF end