seg000:0000 ;
seg000:0000 ; +-------------------------------------------------------------------------+
seg000:0000 ; | This file has been generated by The Interactive Disassembler (IDA) |
seg000:0000 ; | Copyright (c) 2009 by Hex-Rays, |
seg000:0000 ; | License info: 6D-E9FC-65B2-FC |
seg000:0000 ; | Licensed User |
seg000:0000 ; +-------------------------------------------------------------------------+
seg000:0000 ;
seg000:0000 ; Input MD5 : C0D50338E48090EB0002714E41F4D131
seg000:0000
seg000:0000 ; ---------------------------------------------------------------------------
seg000:0000 ; File Name : C:\Documents and Settings\admin\桌面\XP.MBR\XP.BS
seg000:0000 ; Format : Binary file
seg000:0000 ; Base Address: 0000h Range: 0000h - 0200h Loaded length: 0200h
seg000:0000
seg000:0000 ; ---------------------------------------------------------------------------
seg000:0000 ; Overview (reviewer notes, English translation of the original Chinese
seg000:0000 ; annotations plus corrections):
seg000:0000 ;
seg000:0000 ; This is the first sector (512 bytes, 55AAh signature at 01FEh) of an NTFS
seg000:0000 ; volume boot record taken from a Windows XP disk. The MBR loads it to
seg000:0000 ; 0000:7C00 in 16-bit real mode and jumps to offset 0. The code:
seg000:0000 ;   1. sets SS:SP = 0000:7C00 and DS = 07C0h (loc_54),
seg000:0000 ;   2. computes the disk's CHS-addressable capacity (sub_7B) into ds:20h,
seg000:0000 ;   3. reads 10h = 16 consecutive sectors of the partition, starting at the
seg000:0000 ;      partition's first sector (which is this sector itself), to 0D00:0000
seg000:0000 ;      (sub_C7), choosing CHS or LBA reads per sector,
seg000:0000 ;   4. far-returns to 0D00:026A, i.e. into the freshly loaded second sector.
seg000:0000 ;
seg000:0000 ; Trust boundary: every parameter this code uses (drive number 24h, geometry
seg000:0000 ; 18h/1Ah, hidden-sector offset 1Ch, the loop counter written at 006Ch) is read
seg000:0000 ; from this sector's own BIOS Parameter Block, and nothing here verifies the
seg000:0000 ; 15 follow-on sectors before control is transferred into them. On a legacy
seg000:0000 ; BIOS boot path the only integrity check available is an out-of-band one:
seg000:0000 ; compare the VBR and the sectors it loads against a known-good copy (the
seg000:0000 ; Input MD5 above identifies this sample). Code occupies 0054h-0182h,
seg000:0000 ; message strings 0183h-01EAh, message-offset table 01F8h-01FBh.
seg000:0000 ;
seg000:0000 ; IDA artifacts: the DATA XREFs to unk_40 and unk_4C come from the int 10h /
seg000:0000 ; int 13h instructions; with segment base 0 IDA resolves the interrupt vector
seg000:0000 ; table slots 4*10h = 40h and 4*13h = 4Ch as data references. They are not
seg000:0000 ; real accesses to the BPB bytes at those offsets.
seg000:0000 ; ---------------------------------------------------------------------------
seg000:0000
seg000:0000 .386p
seg000:0000 .model flat
seg000:0000
seg000:0000 ; ===========================================================================
seg000:0000
seg000:0000 ; Segment type: Pure code
seg000:0000 seg000 segment byte public 'CODE' use16
seg000:0000 assume cs:seg000
seg000:0000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:0000 jmp short loc_54 ; skip over the BPB to the code at 0054h
seg000:0000 ; ---------------------------------------------------------------------------
seg000:0000 ; BIOS Parameter Block (NTFS layout). Several "unused on NTFS" fields are
seg000:0000 ; reused as scratch variables by the code below; noted per field.
seg000:0002 aRntfs db '怤TFS ',0 ; 02h: 90h (NOP padding after the 2-byte JMP) + OEM ID 'NTFS    ' (03h-0Ah).
seg000:0002 ; The leading wide char is a code-page artifact for the bytes 90h 4Eh ('N').
seg000:0002 ; The trailing 0 is the low byte of BytesPerSector (0Bh).
seg000:000C db 2 ; BytesPerSector high byte -> 0200h = 512
seg000:000D db 8 ; SectorsPerCluster
seg000:000E word_E dw 0 ; DATA XREF: sub_C7+8Dw
seg000:000E ; ReservedSectors (0); reused as the "sectors left to read" countdown:
seg000:000E ; set to 10h at 006Ch, decremented at 0154h
seg000:0010 dword_10 dd 0 ; DATA XREF: sub_C7+88w
seg000:0010 ; unused FAT fields (0); reused as the "sectors read so far" counter (00CBh, 014Fh)
seg000:0014 db 0 ; unused (0); reused as the "int 13h extensions available" flag, set by sub_AA
seg000:0015 db 0F8h ; ? ; media descriptor (fixed disk)
seg000:0016 db 0 ; unused FAT size (0)
seg000:0017 db 0
seg000:0018 word_18 dw 3Fh ; DATA XREF: sub_C7+53r
seg000:0018 ; SectorsPerTrack = 63
seg000:001A word_1A dw 0FFh ; DATA XREF: sub_C7+67r
seg000:001A ; NumberOfHeads = 255
seg000:001C db 3Fh ; ? ; HiddenSectors dword = 0000003Fh (partition start LBA), read at 00CFh as ds:1Ch
seg000:001D db 0
seg000:001E db 0
seg000:001F db 0
seg000:0020 db 0 ; unused dword (0); reused by sub_7B as scratch for the CHS capacity
seg000:0021 db 0 ; (written at 00A5h, read at 00D4h)
seg000:0022 db 0
seg000:0023 db 0
seg000:0024 byte_24 db 80h ; DATA XREF: sub_C7+6Dr
seg000:0024 ; PhysicalDrive = 80h (first hard disk); also read by sub_7B and sub_AA
seg000:0025 db 0 ; current head (unused)
seg000:0026 db 80h ; ; extended boot signature
seg000:0027 db 0 ; reserved
seg000:0028 db 59h ; Y ; TotalSectors qword = 0000000009C49859h (little-endian, 28h-2Fh)
seg000:0029 db 98h ; ?
seg000:002A db 0C4h ; ?
seg000:002B db 9
seg000:002C db 0
seg000:002D db 0
seg000:002E db 0
seg000:002F db 0
seg000:0030 db 0 ; MFT LCN qword = 00000000000C0000h (30h-37h)
seg000:0031 db 0
seg000:0032 db 0Ch
seg000:0033 db 0
seg000:0034 db 0
seg000:0035 db 0
seg000:0036 db 0
seg000:0037 db 0
seg000:0038 db 10h ; MFTMirr LCN qword = 0000000000000010h (38h-3Fh)
seg000:0039 db 0
seg000:003A db 0
seg000:003B db 0
seg000:003C db 0
seg000:003D db 0
seg000:003E db 0
seg000:003F db 0
seg000:0040 unk_40 db 0F6h ; ? ; DATA XREF: sub_170+Er
seg000:0040 ; ClustersPerFileRecordSegment (signed: -10 -> 2^10 = 1024-byte records).
seg000:0040 ; The XREF is the IVT artifact described in the overview, not a real reference.
seg000:0041 db 0
seg000:0042 db 0
seg000:0043 db 0
seg000:0044 db 1 ; ClustersPerIndexBuffer
seg000:0045 db 0
seg000:0046 db 0
seg000:0047 db 0
seg000:0048 db 0CFh ; ? ; VolumeSerialNumber qword = C62086B32086A9CFh (48h-4Fh)
seg000:0049 db 0A9h ; ?
seg000:004A db 86h ; ?
seg000:004B db 20h
seg000:004C unk_4C db 0B3h ; ? ; DATA XREF: sub_7B+6r
seg000:004C ; sub_AA+9r ...
seg000:004C ; (IVT artifact from the int 13h instructions, see overview)
seg000:004D db 86h ; ?
seg000:004E db 20h
seg000:004F db 0C6h ; ?
seg000:0050 db 0 ; Checksum dword (unused, 0)
seg000:0051 db 0
seg000:0052 db 0
seg000:0053 db 0
seg000:0054 ; ---------------------------------------------------------------------------
seg000:0054
seg000:0054 ; Entry point reached from the JMP at offset 0. Runs with CS = 0 and the
seg000:0054 ; sector loaded at linear 7C00h (hence DS = 07C0h so that ds:XX offsets
seg000:0054 ; address the BPB fields above).
seg000:0054 loc_54: ; CODE XREF: seg000:0000j
seg000:0054 cli ; no interrupts while the stack is being switched
seg000:0055 xor ax, ax
seg000:0057 mov ss, ax
seg000:0059 mov sp, 7C00h ; stack grows downward from just below this sector
seg000:005C sti
seg000:005D mov ax, 7C0h
seg000:0060 mov ds, ax ; DS:0 = 7C00h = start of this sector
seg000:0062 assume ds:nothing
seg000:0062 call sub_7B ; query drive geometry (int 13h/AH=08h) and store the CHS-addressable
seg000:0062 ; sector count at ds:20h. (The original note called this an
seg000:0062 ; "extended int 13h" check; that probe is actually sub_AA.)
seg000:0065 mov ax, 0D00h
seg000:0068 mov es, ax
seg000:006A assume es:nothing
seg000:006A xor bx, bx ; ES:BX = 0D00:0000, destination buffer
seg000:006C mov byte ptr ds:0Eh, 10h ; word_E (0 in the BPB) := 10h -> read 16 sectors
seg000:0071 call sub_C7 ; read 16 sectors from the partition start to 0D00:0000. The first
seg000:0071 ; sector read is this boot sector itself (LBA = hidden sectors + 0),
seg000:0071 ; so the continuation code lands at 0D00:0200 onward. The original
seg000:0071 ; note labels that region NTLDR; presumably it is the remaining NTFS
seg000:0071 ; boot code which then loads NTLDR -- not visible in this sector.
seg000:0074 push 0D00h
seg000:0077 push 26Ah ; 026Ah lies inside the second loaded sector (0200h-03FFh)
seg000:007A retf ; far jump to 0D00:026A; nothing validates what was loaded there
seg000:007B
seg000:007B ; =============== S U B R O U T I N E =======================================
seg000:007B
seg000:007B ; sub_7B: compute the disk's CHS capacity and store it at ds:20h.
seg000:007B ; Uses int 13h/AH=08h (DL = drive from ds:24h). Capacity =
seg000:007B ; (max head + 1) * sectors per track * (max cylinder + 1). If the BIOS call
seg000:007B ; fails, the maximum geometry (CX = FFFFh, DH = FFh) is assumed.
seg000:007B ; sub_C7 compares each target LBA against this value to choose between
seg000:007B ; CHS (AH=02h) and LBA (AH=42h) reads. Clobbers EAX, ECX, EDX (and ES:DI
seg000:007B ; via the BIOS).
seg000:007B
seg000:007B sub_7B proc near ; CODE XREF: seg000:0062p
seg000:007B mov dl, ds:24h ; drive number (80h)
seg000:007F mov ah, 8
seg000:0081 int 13h ; DISK - DISK - GET CURRENT DRIVE PARAMETERS (XT,AT,XT286,CONV,PS)
seg000:0081 ; DL = drive number
seg000:0081 ; Return: CF set on error, AH = status code, BL = drive type
seg000:0081 ; DL = number of consecutive drives
seg000:0081 ; DH = maximum value for head number, ES:DI -> drive parameter
seg000:0083 jnb short loc_8A
seg000:0085 mov cx, 0FFFFh ; on error assume maximum geometry
seg000:0088 mov dh, cl ; DH = FFh
seg000:008A
seg000:008A loc_8A: ; CODE XREF: sub_7B+8j
seg000:008A movzx eax, dh
seg000:008E inc ax ; heads = max head number + 1
seg000:008F movzx edx, cl
seg000:0093 and dl, 3Fh ; sectors per track = CL bits 0-5
seg000:0096 mul dx ; AX = heads * sectors/track (max 100h*3Fh = 3F00h, fits AX; DX = 0)
seg000:0098 xchg cl, ch ; cylinders: CH = low 8 bits, CL bits 6-7 = high 2 bits
seg000:009A shr ch, 6
seg000:009D inc cx ; cylinders = max cylinder + 1
seg000:009E movzx ecx, cx
seg000:00A2 mul ecx ; EAX = heads * sectors/track * cylinders = CHS-addressable sectors
seg000:00A5 mov ds:20h, eax ; saved in the unused BPB dword at 20h for sub_C7
seg000:00A9 retn
seg000:00A9 sub_7B endp
seg000:00A9
seg000:00AA
seg000:00AA ; =============== S U B R O U T I N E =======================================
seg000:00AA
seg000:00AA ; sub_AA: probe for the int 13h extensions (AH=41h, BX=55AAh).
seg000:00AA ; Sets the flag byte at ds:14h (increments it from 0) only when CF is clear,
seg000:00AA ; BX comes back as AA55h and CL bit 0 (extended read/write supported) is
seg000:00AA ; set. Otherwise ds:14h is left unchanged. Clobbers AX, BX, CX, DX.
seg000:00AA
seg000:00AA sub_AA proc near ; CODE XREF: sub_C7+2Dp
seg000:00AA mov ah, 41h ; 'A'
seg000:00AC mov bx, 55AAh
seg000:00AF mov dl, ds:24h ; drive number (80h)
seg000:00B3 int 13h ; DISK - ; AH=41h INSTALLATION CHECK for the int 13h extensions
seg000:00B5 jb short locret_C6 ; CF set -> not supported
seg000:00B7 cmp bx, 0AA55h
seg000:00BB jnz short locret_C6 ; wrong signature -> not supported
seg000:00BD test cl, 1 ; bit 0 = extended disk access functions (AH=42h..44h,47h,48h)
seg000:00C0 jz short locret_C6
seg000:00C2 inc byte ptr ds:14h ; flag := 1, extensions available
seg000:00C6
seg000:00C6 locret_C6: ; CODE XREF: sub_AA+Bj
seg000:00C6 ; sub_AA+11j ...
seg000:00C6 retn
seg000:00C6 sub_AA endp
seg000:00C6
seg000:00C7
seg000:00C7 ; =============== S U B R O U T I N E =======================================
seg000:00C7
seg000:00C7 ; sub_C7: read word_E consecutive sectors of the partition into ES:BX.
seg000:00C7 ; Each iteration reads one sector at LBA = ds:1Ch (hidden sectors) + ds:10h
seg000:00C7 ; (sectors read so far), then advances ES by 20h (512 bytes). If the LBA is
seg000:00C7 ; below the CHS capacity stored at ds:20h by sub_7B, the classic CHS read
seg000:00C7 ; (int 13h/AH=02h, loc_117) is used; otherwise a 16-byte disk address packet
seg000:00C7 ; is built on the stack and int 13h/AH=42h is used, after confirming the
seg000:00C7 ; extensions with sub_AA. A read failure, or an LBA that needs extensions
seg000:00C7 ; the BIOS lacks, goes to loc_161, which prints two messages and halts
seg000:00C7 ; (never returns). Registers are preserved on the normal path (pushad/popad,
seg000:00C7 ; DS and ES saved); ES is restored, so the caller does not see the advance.
seg000:00C7
seg000:00C7 sub_C7 proc near ; CODE XREF: seg000:0071p
seg000:00C7 pushad
seg000:00C9 push ds
seg000:00CA push es
seg000:00CB
seg000:00CB loc_CB: ; CODE XREF: sub_C7+91j
seg000:00CB mov eax, ds:10h ; sectors already read
seg000:00CF add eax, ds:1Ch ; + hidden sectors (3Fh) = absolute LBA of the next sector
seg000:00D4 cmp eax, ds:20h ; ds:20h = CHS-addressable capacity from sub_7B
seg000:00D9 jb loc_117 ; CHS-addressable -> classic read. (The original note described
seg000:00D9 ; this branch as "extended int 13h unsupported".)
seg000:00DD push ds ; 2 bytes above the DAP, not part of it; matched by the final pop ds
seg000:00DE push large 0 ; DAP +0Ch: LBA high dword = 0
seg000:00E1 push eax ; DAP +08h: LBA low dword
seg000:00E3 push es ; DAP +06h: buffer segment
seg000:00E4 push bx ; DAP +04h: buffer offset
seg000:00E5 push large 10010h ; DAP +00h: size 10h, reserved 0, sector count 1 (little-endian)
seg000:00EB cmp byte ptr ds:14h, 0 ; extensions already confirmed?
seg000:00F0 jnz loc_100
seg000:00F4 call sub_AA ; probe once
seg000:00F7 cmp byte ptr ds:14h, 0
seg000:00FC jz loc_161 ; still unsupported -> error path (pushed DAP is abandoned; loc_161 never returns)
seg000:0100
seg000:0100 loc_100: ; CODE XREF: sub_C7+29j
seg000:0100 mov ah, 42h ; 'B' ; EXTENDED READ
seg000:0102 mov dl, ds:24h ; drive number (80h)
seg000:0106 push ss
seg000:0107 pop ds ; DS = SS ...
seg000:0108 assume ds:nothing
seg000:0108 mov si, sp ; ... SI = SP -> DS:SI points at the DAP on the stack
seg000:010A int 13h ; DISK - ; AH=42h EXTENDED READ, DS:SI -> disk address packet; CF set on error
seg000:010C pop eax ; discard the 18 bytes pushed above (4+2+2+4+4+2), restoring BX, ES, DS.
seg000:010E pop bx ; POP does not touch CF, so loc_144 still sees the int 13h result.
seg000:010F pop es
seg000:0110 assume es:nothing
seg000:0110 pop eax
seg000:0112 pop eax
seg000:0114 pop ds
seg000:0115 jmp short loc_144 ; common post-read handling
seg000:0117 ; ---------------------------------------------------------------------------
seg000:0117
seg000:0117 ; CHS read path: convert the LBA in EAX to cylinder/head/sector using the
seg000:0117 ; BPB geometry (word_18 sectors per track, word_1A heads).
seg000:0117 loc_117: ; CODE XREF: sub_C7+12j
seg000:0117 xor edx, edx
seg000:011A movzx ecx, ds:word_18 ; sectors per track (3Fh)
seg000:0120 div ecx ; EAX = LBA / 63 = cylinder*heads + head, EDX = LBA mod 63
seg000:0123 inc dl ; sector numbers are 1-based
seg000:0125 mov cl, dl ; CL = sector
seg000:0127 mov edx, eax ; DX:AX = quotient (fits 16 bits since LBA < CHS capacity)
seg000:012A shr edx, 10h
seg000:012E div ds:word_1A ; / heads (FFh): AX = cylinder, DX = head
seg000:0132 xchg dl, dh ; DH = head
seg000:0134 mov dl, ds:byte_24 ; DL = drive (80h)
seg000:0138 mov ch, al ; CH = cylinder bits 0-7
seg000:013A shl ah, 6
seg000:013D or cl, ah ; CL bits 6-7 = cylinder bits 8-9, bits 0-5 = sector
seg000:013F mov ax, 201h ; AH=02h read, AL=1 sector
seg000:0142 int 13h ; DISK - READ SECTORS INTO MEMORY
seg000:0142 ; AL = number of sectors to read, CH = track, CL = sector
seg000:0142 ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:0142 ; Return: CF set on error, AH = status, AL = number of sectors read
seg000:0144
seg000:0144 loc_144: ; CODE XREF: sub_C7+4Ej
seg000:0144 jb loc_161 ; CF set -> read error
seg000:0148 mov ax, es
seg000:014A add ax, 20h ; ' ' ; ES += 20h paragraphs = 512 bytes: skip the sector just read (BX stays 0)
seg000:014D mov es, ax
seg000:014F assume es:nothing
seg000:014F inc ds:dword_10 ; sectors read so far (initial value 0)
seg000:0154 dec ds:word_E ; sectors remaining (initial value 10h, set by the caller at 006Ch)
seg000:0158 jnz loc_CB ; loop until all 16 sectors are read
seg000:015C pop es
seg000:015D assume es:nothing
seg000:015D pop ds
seg000:015E popad
seg000:0160 retn
seg000:0161 ; ---------------------------------------------------------------------------
seg000:0161
seg000:0161 ; Error path: print "A disk read error occurred" and
seg000:0161 ; "Press Ctrl+Alt+Del to restart", then spin forever.
seg000:0161 loc_161: ; CODE XREF: sub_C7+35j
seg000:0161 ; sub_C7:loc_144j
seg000:0161 mov al, ds:byte_1F8 ; 83h -> message at 0183h: "\r\nA disk read error occurred"
seg000:0164 call sub_170 ; print NUL-terminated string at DS:01xxh
seg000:0167 mov al, ds:byte_1FB ; C9h -> message at 01C9h: "\r\nPress Ctrl+Alt+Del to restart\r\n"
seg000:016A call sub_170
seg000:016D sti ; interrupts stay enabled, presumably so the BIOS keyboard handler can act on Ctrl+Alt+Del
seg000:016E
seg000:016E loc_16E: ; CODE XREF: sub_C7:loc_16Ej
seg000:016E jmp short loc_16E ; halt: infinite loop
seg000:016E sub_C7 endp ; sp-analysis failed
seg000:016E
seg000:0170
seg000:0170 ; =============== S U B R O U T I N E =======================================
seg000:0170
seg000:0170 ; sub_170: print a NUL-terminated string via BIOS teletype output.
seg000:0170 ; Input: AL = low byte of the string offset; the string is at DS:01ALh
seg000:0170 ; (AH is forced to 1, so all messages must live in 0100h-01FFh of this
seg000:0170 ; sector). Uses int 10h/AH=0Eh with BH = 0 (page 0), BL = 7 (attribute).
seg000:0170 ; Clobbers AX, BX, SI. Returns when the terminating 0 byte is reached.
seg000:0170
seg000:0170 sub_170 proc near ; CODE XREF: sub_C7+9Dp
seg000:0170 ; sub_C7+A3p
seg000:0170 mov ah, 1
seg000:0172 mov si, ax ; SI = 01xxh
seg000:0174
seg000:0174 loc_174: ; CODE XREF: sub_170+10j
seg000:0174 lodsb ; AL = next character, SI++
seg000:0175 cmp al, 0
seg000:0177 jz short locret_182 ; NUL terminator -> done
seg000:0179 mov ah, 0Eh
seg000:017B mov bx, 7 ; BH = page 0, BL = attribute 7
seg000:017E int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
seg000:017E ; AL = character, BH = display page (alpha modes)
seg000:017E ; BL = foreground color (graphics modes)
seg000:0180 jmp short loc_174 ; next character
seg000:0182 ; ---------------------------------------------------------------------------
seg000:0182
seg000:0182 locret_182: ; CODE XREF: sub_170+7j
seg000:0182 retn
seg000:0182 sub_170 endp
seg000:0182
seg000:0182 ; ---------------------------------------------------------------------------
seg000:0183 ; Message 0183h: "\r\nA disk read error occurred", NUL-terminated
seg000:0183 db 0Dh
seg000:0184 db 0Ah
seg000:0185 db 41h ; A
seg000:0186 db 20h
seg000:0187 db 64h ; d
seg000:0188 db 69h ; i
seg000:0189 db 73h ; s
seg000:018A db 6Bh ; k
seg000:018B db 20h
seg000:018C db 72h ; r
seg000:018D db 65h ; e
seg000:018E db 61h ; a
seg000:018F db 64h ; d
seg000:0190 db 20h
seg000:0191 db 65h ; e
seg000:0192 db 72h ; r
seg000:0193 db 72h ; r
seg000:0194 db 6Fh ; o
seg000:0195 db 72h ; r
seg000:0196 db 20h
seg000:0197 db 6Fh ; o
seg000:0198 db 63h ; c
seg000:0199 db 63h ; c
seg000:019A db 75h ; u
seg000:019B db 72h ; r
seg000:019C db 72h ; r
seg000:019D db 65h ; e
seg000:019E db 64h ; d
seg000:019F db 0
seg000:01A0 ; Message 01A0h: "\r\nNTLDR is missing" (not referenced by code in this sector)
seg000:01A0 db 0Dh
seg000:01A1 db 0Ah
seg000:01A2 db 4Eh ; N
seg000:01A3 db 54h ; T
seg000:01A4 db 4Ch ; L
seg000:01A5 db 44h ; D
seg000:01A6 db 52h ; R
seg000:01A7 db 20h
seg000:01A8 db 69h ; i
seg000:01A9 db 73h ; s
seg000:01AA db 20h
seg000:01AB db 6Dh ; m
seg000:01AC db 69h ; i
seg000:01AD db 73h ; s
seg000:01AE db 73h ; s
seg000:01AF db 69h ; i
seg000:01B0 db 6Eh ; n
seg000:01B1 db 67h ; g
seg000:01B2 db 0
seg000:01B3 ; Message 01B3h: "\r\nNTLDR is compressed" (not referenced by code in this sector)
seg000:01B3 db 0Dh
seg000:01B4 db 0Ah
seg000:01B5 db 4Eh ; N
seg000:01B6 db 54h ; T
seg000:01B7 db 4Ch ; L
seg000:01B8 db 44h ; D
seg000:01B9 db 52h ; R
seg000:01BA db 20h
seg000:01BB db 69h ; i
seg000:01BC db 73h ; s
seg000:01BD db 20h
seg000:01BE db 63h ; c
seg000:01BF db 6Fh ; o
seg000:01C0 db 6Dh ; m
seg000:01C1 db 70h ; p
seg000:01C2 db 72h ; r
seg000:01C3 db 65h ; e
seg000:01C4 db 73h ; s
seg000:01C5 db 73h ; s
seg000:01C6 db 65h ; e
seg000:01C7 db 64h ; d
seg000:01C8 db 0
seg000:01C9 ; Message 01C9h: "\r\nPress Ctrl+Alt+Del to restart\r\n", NUL-terminated
seg000:01C9 db 0Dh
seg000:01CA db 0Ah
seg000:01CB db 50h ; P
seg000:01CC db 72h ; r
seg000:01CD db 65h ; e
seg000:01CE db 73h ; s
seg000:01CF db 73h ; s
seg000:01D0 db 20h
seg000:01D1 db 43h ; C
seg000:01D2 db 74h ; t
seg000:01D3 db 72h ; r
seg000:01D4 db 6Ch ; l
seg000:01D5 db 2Bh ; +
seg000:01D6 db 41h ; A
seg000:01D7 db 6Ch ; l
seg000:01D8 db 74h ; t
seg000:01D9 db 2Bh ; +
seg000:01DA db 44h ; D
seg000:01DB db 65h ; e
seg000:01DC db 6Ch ; l
seg000:01DD db 20h
seg000:01DE db 74h ; t
seg000:01DF db 6Fh ; o
seg000:01E0 db 20h
seg000:01E1 db 72h ; r
seg000:01E2 db 65h ; e
seg000:01E3 db 73h ; s
seg000:01E4 db 74h ; t
seg000:01E5 db 61h ; a
seg000:01E6 db 72h ; r
seg000:01E7 db 74h ; t
seg000:01E8 db 0Dh
seg000:01E9 db 0Ah
seg000:01EA db 0
seg000:01EB db 0 ; 01EBh-01F7h: zero padding
seg000:01EC db 0
seg000:01ED db 0
seg000:01EE db 0
seg000:01EF db 0
seg000:01F0 db 0
seg000:01F1 db 0
seg000:01F2 db 0
seg000:01F3 db 0
seg000:01F4 db 0
seg000:01F5 db 0
seg000:01F6 db 0
seg000:01F7 db 0
seg000:01F8 ; Message-offset table: each byte is the low byte of a string offset in
seg000:01F8 ; 0100h-01FFh, consumed by sub_170 (which supplies the high byte 01h).
seg000:01F8 byte_1F8 db 83h ; DATA XREF: sub_C7:loc_161r
seg000:01F8 ; -> 0183h "A disk read error occurred"
seg000:01F9 db 0A0h ; ? ; -> 01A0h "NTLDR is missing" (unused in this sector)
seg000:01FA db 0B3h ; ? ; -> 01B3h "NTLDR is compressed" (unused in this sector)
seg000:01FB byte_1FB db 0C9h ; DATA XREF: sub_C7+A0r
seg000:01FB ; -> 01C9h "Press Ctrl+Alt+Del to restart"
seg000:01FC db 0
seg000:01FD db 0
seg000:01FE db 55h ; U ; boot sector signature 55AAh
seg000:01FF db 0AAh ; ?
seg000:01FF seg000 ends