

The "Bootstrap" Code or BOOTMGR Loader Code of an NTFS OS Partition
[For Microsoft® Windows™ 7]

Web Presentation and Text are Copyright © 2015 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !


 




Introduction

This page examines the second and following sectors of the NTFS Boot Record Code for Windows 7 (NT6.0). A Microsoft® web page refers to these sectors as being part of the “bootstrap code” for an NTFS partition (see reference here). But since the code in the first sector (the Boot Sector) loads all the other sectors into Memory, we are calling these sectors the BOOTMGR Loader section of the NTFS Boot Record. This section is actually the bulk of the whole Boot Record Area. The bootmgr program which it loads is what makes NTFS volumes both flexible and very confusing for most users, due to its use of a file called BCD (Boot Configuration Data), which among other things refers to the starting sector of a Windows 7 OS's C: drive! So any change to the beginning location (and possibly size) of that partition means that data must also be updated in the Registry at the same time! See our BCD page for an introduction to this file. Our objectives here are to identify the purpose of the bytes in the Data Area (or as many as we can) and the function of the major blocks of code, such as subroutines; not to cover every instruction in these seven full sectors (plus 40 bytes in an 8th) of code and data.
NOTE: From observations, it appears that all Win 7 NTFS Boot Records begin with identical bytes in the BOOTMGR Loader's "Data Area" as we're calling it (see below for more info).

The MBR loads the Win 7 “Boot Sector” into Memory at location 0000:7C00, after which the Boot Sector code then loads the remaining 15 sectors of the Boot Record Area immediately after it. So our Examination of the Code below will be done as if it were already loaded into Memory at 07C0:0200 (or 0000:7E00 or Linear Memory location 0x7E00) and following since that's where the code is actually located when it's executed.

[Note: In order to properly understand this code, one should use an updated debugger, such as Enhanced DEBUG on this page by Vernon C. Brooks (current version, since MAY 2016, is 1.32b), which also debugs 32-bit assembly code! Or, even set up the BOCHS GUI Debugger with a nice visual display, to step through this code, rather than attempting to rely solely on the old 16-bit MS-DOS DEBUG program. Another very good program for disassembling all of this code very quickly would be the free version of IDA Pro (v 5.0) which we mentioned on our "Assembly Language 101" page; include the VBR Boot Sector, set Segment to: 7C0, use 16-bit disassembly and begin decoding at the first byte of the Boot Sector. "c" must be pressed again at offset 27A (07C0:027A). ]

Take this link, to see: How the entire VBR Area appears in a Disk Editor.

 



The “Data Area” at the beginning of the BOOTMGR Loader's (“Bootstrap”) Code

Hex Dump of the "BOOTMGR Loader Data Area":

 Absolute Sector 2049 (Cylinder 0, Head 32, Sector 34) or 
 Relative Sector    1

  Off.   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

 0200:  07 00 42 00 4F 00 4F 00 54 00 4D 00 47 00 52 00  ..B.O.O.T.M.G.R.
 0210:  04 00 24 00 49 00 33 00 30 00 00 D4 00 00 00 24  ..$.I.3.0......$
 0220:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0230:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0240:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0250:  00 00 00 00 00 00 EB 22 90 90 05 00 4E 00 54 00  ......."....N.T.
 0260:  4C 00 44 00 52 00 00 00 00 00 00 00 00 00 00 00  L.D.R...........
 0270:  00 00 00 00 00 00 00 00 00 00                    ..........

After searching through the code below, we were able to establish that all of the underlined 4-byte buffer or intermediate storage locations shown in the Data Area above are used by this code (links are to the section of code below where each Double Word first occurs or is computed, followed by the location of each instruction using this value; we have also included a sample value for each one, so you will have an example of the relationships between them):

[0252] Bytes per Cluster (often 1000h = 4096 or eight 512-byte sectors); (7E89, 7EA7, 81D3, 8610). Example / Sample:
            Bytes per Cluster = 0x1000 (4096).
[0266] Bytes per File Record Segment (or Bytes per FRS); (7EAE, 7ECF, 7ED9, 7EE3, 7EED, 836C, 8375, 850B). Sample:
            Bytes per FRS = 0x0400 (1024).
[0256] Sectors per File Record Segment (or Sectors per FRS); (7EBE, 839A, 8407, 8426, 8518, 862B, 8630).
            Note: The data you currently see at 0256 ("EB 22 90 90") is overwritten by the instruction at 7EBE. Sample:
            Sectors per FRS = 0x0002.
[0222] Only used to store 0x00000001 (8364, 84DB, 84FE); why couldn't this have been preset in Data Area?
[021E] Contains preset value of: 0x2400 (9,216); (8368, 83AC, 83BC).
[026A] Bytes per FRS + 2400h; (8371, 8503, 8513, 8544, 854E). Sample:
            BpFRS + 2400h = 0x2800 (10,240).
[024E] (2 x Bytes per FRS) + 2400h or: [(2 x BpFRS) + 2400h]; (7EC5, 837A, 838B). Sample:
            (2 x BpFRS) + 2400h = 0x2C00 (11,264).
            However, due to BX being incremented by 4 at both 8397 and 83A4, [024E] results in being incremented by 8 at:
            83A7 (and 8439, 848B as well), so here [024E] = (2 x BpFRS) + 2400h + 8 = 0x2C08 (11,272).

What the following Memory locations are used for is still under construction . . . as are most comments regarding them in the code below.

WHAT HAPPENS TO [024E] AT THESE LOCATIONS (84B8, 84E0)?


[021A] Contains preset value of: 0xD400 (54,272); (83E1, 83EC, 892A, 8937).

[0200] Contains upper-case Unicode string for "BOOTMGR", (7FAE).
[0210] Contains upper-case Unicode string for "$I30", (88C0, 88F5).
[025A] Contains upper-case Unicode string for "NTLDR", (7FC4).

[0226] (7ECA, 7EFD).
[022A] Set to: (7ED4, 7F16, 8654).
[022E] Set to: (7EDE, 7F28, 7FA7).
[0232] Set to: (7F0C, 7F34, 87E6).
[0236] Set to: (7F1E, 7F87, 864A, 880A, 881D).
[023A] Set to: (7F30, 7F91, 7F9B).
[023E] Set to: (7EE8, 7FE0, 7FE8, 8008, 8034, 8044, 804C, 8087, 8095).
We did not find any reference to [0242].
[0246] Set to: (7EF2, 7F7A, 865B, 8866).
[026E] Set to: (7F61, 7F66, 7F7E, 882F).
[0272] Set to: (7F57, 8645, 864F).
[0276] Set to: (7F76).
Curiously, there is only one instance of [0276] in this code, so it may possibly be used later by the bootmgr program.

From the instruction at offset 7EBE below, we know the bytes at offsets 0256 through 0259 of this Data Area ("EB 22 90 90") are never executed, since these same bytes after being loaded into Memory are overwritten by that instruction to store some data from EAX after a division operation! Furthermore, after examining many other NTFS partitions, we have always found the same exact bytes in this "Data Area" location on every disk. Our Conclusion: This area is never changed on any hard drive, but it is used to store data after being copied into Memory. However, it is a fact that if code execution was ever passed to Memory location 0000:7E56 before being overwritten, the "EB 22" would jump to location 0000:7E7A; where this BOOTMGR Loader code currently begins. So, for whatever reason, we can't help but assume some programmer chose these bytes for that purpose, even though they appear to no longer be used (unless someone can find a Boot Sector that still has the location 07C0:0256 coded into it?).
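
The sample values listed for the Data Area can be recomputed from three BPB fields, following the arithmetic the loader performs at 7E7A through 7EF2 (including the signed-byte handling that turns F6h into 1,024 bytes per FRS). This is an added example, not code from the original page; the function names and the constructed boot sector are assumptions made for illustration.

```python
import struct

PRESET_021E = 0x2400   # preset value the page reports at [021E]


def make_sample_sector(bytes_per_sector=0x200, sectors_per_cluster=8,
                       clusters_per_frs=0xF6):
    """Constructed 512-byte boot sector holding only the three BPB fields used."""
    sector = bytearray(512)
    struct.pack_into("<H", sector, 0x0B, bytes_per_sector)
    sector[0x0D] = sectors_per_cluster
    struct.pack_into("<I", sector, 0x40, clusters_per_frs)
    return bytes(sector)


def loader_geometry(boot_sector):
    """Recompute what the loader stores in its Data Area (7E7A through 7EF2)."""
    if len(boot_sector) < 0x44:
        raise ValueError("boot sector too short to hold the BPB fields")
    bytes_per_sector, = struct.unpack_from("<H", boot_sector, 0x0B)
    sectors_per_cluster = boot_sector[0x0D]
    clusters_per_frs, = struct.unpack_from("<I", boot_sector, 0x40)
    if bytes_per_sector == 0:
        raise ValueError("Bytes per Sector is 0; the DIV at 7EBB would fault")

    bytes_per_cluster = bytes_per_sector * sectors_per_cluster       # 7E86

    cl = clusters_per_frs & 0xFF
    signed_cl = cl - 0x100 if cl & 0x80 else cl                      # CMP CL,00
    if signed_cl > 0:                                                # JG 7EA7
        bytes_per_frs = (bytes_per_cluster * clusters_per_frs) & 0xFFFFFFFF
    else:                                                            # NEG CL
        bytes_per_frs = 1 << ((-signed_cl) & 0x1F)                   # SHL EAX,CL
    sectors_per_frs = bytes_per_frs // bytes_per_sector              # 7EBB

    # Relationships the page lists for [026A] and [024E]; the +8 is the
    # increment the page attributes to the subroutine called at 7EC2.
    buf_026a = bytes_per_frs + PRESET_021E
    buf_024e = 2 * bytes_per_frs + PRESET_021E + 8
    # 7EC5-7EF2: five offsets, each one File Record Segment apart.
    slots = ("0226", "022A", "022E", "023E", "0246")
    buffers = {slot: buf_024e + i * bytes_per_frs for i, slot in enumerate(slots)}
    return {
        "bytes_per_cluster": bytes_per_cluster,   # [0252]
        "bytes_per_frs": bytes_per_frs,           # [0266]
        "sectors_per_frs": sectors_per_frs,       # [0256]
        "026A": buf_026a,
        "024E": buf_024e,
        "buffers": buffers,
    }


if __name__ == "__main__":
    for key, value in loader_geometry(make_sample_sector()).items():
        print(key, value if isinstance(value, dict) else hex(value))
```

A parser that reads the byte at 0040 as unsigned would report 246 clusters per FRS for the common F6h value, so the signed test is the part worth checking in any tool that interprets NTFS boot sectors.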

 


An Examination of the Code

This is a disassembled copy of the code (with comments following each ";") as it appears after being loaded into memory by the Win 7 NTFS Boot Sector, which has already loaded all 15 sectors of both the "Bootstrap" data/code (3,624 bytes) and zero-byte padded area (4,056 bytes) into locations 07C0:0200 (or 0000:7E00) and following, then transferred execution to location 07C0:027A (or Linear address 0x7E7A) as we'll refer to it below:

    ; ====================   S T A R T    O F    M A I N    C O D E   P A T H    =====================================================
    
    ; ====================================================================================
    ; Computation of Bytes per Cluster :
    
    7E7A 660FB7060B00    MOVZX   EAX,WORD PTR [000B]  ; Sector Size in (hex) bytes 
                                                      ; from the BPB.  (Example:
                                                      ; 200h = 512 bytes/sector.)
    7E80 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]  ; Sectors per Cluster from BPB.
    
    7E86 66F7E3          MUL     EAX,EBX          ; So, EAX will = Bytes per Cluster 
    7E89 66A35202        MOV     [0252],EAX       ;     Store in --> [7E52]
                                                  ; (Example: 1000h = 4096 bytes/cluster.)
    ; ====================================================================================
    ; Computation of Bytes per File Record Segment (Bytes per FRS)
    ; (This code also shows how a -10 in 0x7C40 turns into 1024 bytes per FRS):
    
    7E8D 668B0E4000      MOV     ECX,[0040]   ; [ Clusters per File Record Segment ]
    7E92 80F900          CMP     CL,00        ; Normally CL is F6h (-10 as signed-byte).
    7E95 0F8F0E00        JG      7EA7         ; If > 0, go to 7EA7. But in most cases it
                                              ;   will be negative (Less Than Zero),...
    7E99 F6D9            NEG     CL           ;   So, Negation of F6(-10) = 0A (or +10).
    7E9B 66B801000000    MOV     EAX,00000001 ;|  Put a 1 in EAX
    7EA1 66D3E0          SHL     EAX,CL       ;| Shift Left 1 by 10 bits = 400h = 1024
    7EA4 EB08            JMP     7EAE         ;| So, default value is 1,024 bytes.
    7EA6 90              NOP
    7EA7 66A15202        MOV     EAX,[0252]   ; Multiply Bytes per Cluster by
    7EAB 66F7E1          MUL     EAX,ECX      ;   Clusters per File Record Segment =
                                              ;   Bytes per File Record Segment!
    7EAE 66A36602        MOV     [0266],EAX   ;| Store BpFRS in --> [7E66].
    
    ; ====================================================================================
    ; Computation of Sectors per File Record Segment :
    
    7EB2 660FB71E0B00    MOVZX   EBX,WORD PTR [000B] ; Put Bytes per Sector in EBX...
    7EB8 6633D2          XOR     EDX,EDX             ; EDX = 0.
    7EBB 66F7F3          DIV     EAX,EBX      ; Divide BpFRS (still in EAX) by Bytes
                                              ;  per Sector, so EAX will become:
                                              ;  Sectors per File Record Segment 
                                              ; (With BpFRS=1024, we would get 2 here;
                                              ;  if media is using 512 bytes/sector.)
    7EBE 66A35602        MOV     [0256],EAX   ; Store it in [7E56].
                                              ; (Note: "EB 22 90 90" in Memory will
                                              ;   be replaced by whatever is in EAX.)
    7EC2 E89504          CALL    835A
    
    7EC5 668B0E4E02      MOV     ECX,[024E]    ; 1st time for our example, [024E] = 0x2c08.
    
    7ECA 66890E2602      MOV     [0226],ECX    ; Store it in [7E26].
    7ECF 66030E6602      ADD     ECX,[0266]    ; Bytes per FRS (400h = 1024)
                                               ;  400h +  2c08 = 3008h.
    7ED4 66890E2A02      MOV     [022A],ECX    ; Store it in [7E2A].
    7ED9 66030E6602      ADD     ECX,[0266]    ;  400h + 3008h = 3408h.
    7EDE 66890E2E02      MOV     [022E],ECX    ; Store it in [7E2E].
    7EE3 66030E6602      ADD     ECX,[0266]    ;  400h + 3408h = 3808h.
    7EE8 66890E3E02      MOV     [023E],ECX    ; Store it in [7E3E].
    7EED 66030E6602      ADD     ECX,[0266]    ;  400h + 3808h = 3c08.
    7EF2 66890E4602      MOV     [0246],ECX    ; Store it in [7E46].
    7EF7 66B890000000    MOV     EAX,00000090
    7EFD 668B0E2602      MOV     ECX,[0226]
    7F02 E88309          CALL    8888
    
    7F05 660BC0          OR      EAX,EAX
    7F08 0F845EFE        JZ      7D6A       ; Another use of code from the
                                            ;  Boot Sector... in this case,
                                            ;  to display error messages!

    ; We'll call this the Black-Hole Subroutine, since there
    ; is no escape from it! If execution ends up here, your
    ; PC will lock-up after displaying an error message!
    ; ====================================== S U B R O U T I N E =============================================
    
    7D6A A0F801        MOV     AL,[01F8]  ; [7DF8] contains 8Ch; 8Ch + 100h -> 7D8Ch,
                                          ;  which points to: "A disk read error occurred" 
    
    7D6D E80900        CALL    7D79       ; Displays whatever is pointed to by byte in
                                          ; AL + 100h in Segment 07C0; so: 0x7D_byte_
    7D76 F4            HLT                ; HLT: Not found in Vista VBR code!
    7D77 EBFD          JMP     7D76
    
    ; ------------------------------ SUBROUTINE --------------------------------------------
    ;     INT 10, Function 0Eh (Teletype Output) is used to display each
    ; character of the error messages.
    
    7D79 B401          MOV     AH,01      ; Adds 100h to offsets from above. 
    7D7B 8BF0          MOV     SI,AX      ; Offset of message -> Source Index Reg.
    7D7D AC            LODSB              ; Load one character into AL from [SI].
    7D7E 3C00          CMP     AL,00      ;/ Have we reached end of message
    7D80 7409          JZ      7D8B       ;\   marker?(00) If so, then RETurn.
    7D82 B40E          MOV     AH,0E      ;/ Otherwise use Teletype Output to ...
    7D84 BB0700        MOV     BX,0007    ;| (BH = Display page 0,  BL = 07 is
                                          ;|  normal White on Black characters.)
    7D87 CD10          INT     10         ;| ... display one character at a time,
    7D89 EBF2          JMP     7D7D       ;\ and go back for another character...
    
    7D8B C3            RET
    

    ; Further down in the code, it will also CALL the following subroutine in the Boot Sector
    ; (at 07C0:011D through 07C0:0169), which we have referenced here as 0x7D1D
    ; through 0x7D69. It was used by the Boot Sector to read the 15 sectors following it
    ; (to load the entire Boot Record Area into Memory). But here it will be used to read
    ; sectors from the NTFS file system while searching for the BOOTMGR file! (It's first
    ; CALLed from the instruction at 0x83B3; later from 80DC, 8532 and 860A.)

    ; =============================================================
    ;    SUBROUTINE - INT 13 Function 42h Extended DISK READ
    ; =============================================================
    7D1D 6660         * PUSHAD             ; "Push All Double" - all 32-bit
                                           ;   GP Regs pushed onto Stack!
    7D1F 1E             PUSH    DS         ;/ Both are 0x07C0
    7D20 06             PUSH    ES         ;\  when we enter.
    7D21 66A11100       MOV     EAX,[0011] ; For our Samples, at 1st pass,
                                           ; [7C11-14] = 0x600000 or 0x10AA8 
    7D25 6603061C00     ADD     EAX,[001C] ; Add Number of Hidden Sectors  [001C] to
                                           ; Relative Sector offset within this Volume
                                           ; (already in EAX); result --> EAX Register.
    ;       This gives us Abs. Sector on disk (or media) to start reading from below.
    ; For our Samples, this would give us: 0x600800 (6,293,504) or  0x112A8 (70,312).
    
    7D2A 1E             PUSH    DS         ; Put another 0x07C0 onto Stack.
    7D2B 666800000000 * PUSH    00000000   ;   Put 4 zero bytes onto Stack.
                                           ;   (These would be used to read
                                           ;    locations beyond 32 bits.)
    7D31 6650         * PUSH    EAX        ; Starting Absolute Sector
    7D33 06             PUSH    ES         ; Transfer Buffer _Segment:_
    7D34 53             PUSH    BX         ; Transfer Buffer _:Offset_
    7D35 680100       * PUSH    0001       ; Blocks to Transfer = 1
    7D38 681000       * PUSH    0010       ; Size of Packet = 16 bytes
    7D3B B442           MOV     AH,42      ; Function 42h (INT13)
    7D3D 8A160E00       MOV     DL,[000E]  ; Drive # (usually 80h) -> DL
                                           ; (Set at 7C66 in Boot Sector)
    7D41 16             PUSH    SS         ; (which is zero)...
    7D42 1F             POP     DS         ;  ...changing DS to zero.
    7D43 8BF4           MOV     SI,SP      ; DS:SI (0000:7BA2) -> Disk Address Packet; which
                                           ; is: _The Stack_ we just PUSHed all that data onto!
    7D45 CD13           INT     13         ; Read sector from media.
    ========================================================================
    Upon entry into the INT 13 Interrupt with AX=4201, we have:
    
         DL = drive number = 80h
      DS:SI -> disk address packet = 0000:7BA2 (Top of Stack;
            onto which we stored all required data as follows)
    
      EXAMPLE VALUES are given for Reading from Absolute Sector 0x112A8
    
                Format of Disk Address Packet:
                =============================
    Offst Size  Description
    ------------------------------------------------------------------------
      00  BYTE  Size of packet (in this case: 10h or 16 bytes) [7BA2]
                (The 16 bytes include & start with this byte!)
      01  BYTE  Reserved (0)                                   [7BA3]
      02  WORD  Number of Blocks to Transfer (always 1 for us) [7BA4 - 7BA5]
                ("01 00" in Memory = 1 )
    
      04 DWORD  -> Transfer Buffer (as little-endian Segment:Offset value):
                   [7BA6 - 7BA9] = (00 24 C0 07) = 07C0:2400 which is the
                    same as Linear offset: 7C00 h + 2400 h = 0xA000.
    
      08 QWORD  Starting Absolute Sector Number: [7BAA - 7BB1] --->
                   ("A8 12 01 00 00 00 00 00") =  0112A8h = 70,312
      ----------------------------------------------------------------------
      (for non-LBA devices, compute as follows):
      ( ( (Cylinder x Number of Heads) + Selected Head ) x Sectors/Track )
                  + Selected Sector  - 1, or for here:
    
         ( ( (69 x 16) + 12 ) x 63 ) + 5 - 1 = 70,312
      ----------------------------------------------------------------------
        ============================================
        Return: CF clear if successful and AH = 00h
        ============================================
    	    CF set on error; AH = error code
        Disk Address Packet's block count field is set to number of blocks
        successfully transferred
    ========================================================================
    
    7D47 6659         * POP     ECX        ; Usually: 0x00010010
    7D49 5B             POP     BX         ; Offset we read from: 2400
    7D4A 5A             POP     DX         ;  and its Segment: 07C0:
    7D4B 6659         * POP     ECX        ; Sector we read from.
    7D4D 6659         * POP     ECX        ; Zeros out ECX.
    7D4F 1F             POP     DS         ; Put 07C0 back in DS.
    7D50 0F821600     * JB      7D6A       ; Jump if Disk Read Error.
    7D54 66FF061100   * INC     DWORD PTR [0011]  ; Add 1 to [7C11 - 7C14] so
                                                  ; next sector will be read from.
    7D59 03160F00       ADD     DX,[000F]  ; Just as the Boot Sector code did, by
                                           ; adding Bytes per Sector/16 to DX, this
                                           ; sets up INT 13 to read the next sector.
    7D5D 8EC2           MOV     ES,DX      ; For our Example, DX and ES become:
                                           ; 7c0 + 20h = 7e0.
    
    7D5F FF0E1600       DEC     WORD PTR [0016]  ; [7C16] Counts down number
                                                 ;  of sectors to be copied.
    ; This was set at line 83A1 first time; for other disk reads see lines:
    ; 80CA, 852A, 85D2 and 85EC.
    
    7D63 75BC           JNZ     7D21
    7D65 07             POP     ES
    7D66 1F             POP     DS
    7D67 6661         * POPAD              ; "Pop All Double" - all 32-bit
                                           ;   GP Regs reset from Stack!
    
    7D69 C3             RET
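
The Disk Address Packet that this subroutine builds on the stack, and the way the loop at 7D21 through 7D63 advances it from one sector to the next, can be reproduced and decoded as follows. This is an added example, not code from the original page; the function names are assumptions, and the Hidden Sectors value 0x800 is inferred from the page's two sample numbers (0x10AA8 becoming 0x112A8).

```python
import struct

DAP_FORMAT = "<BBHHHQ"  # size, reserved, blocks, buffer offset, buffer segment, LBA


def build_dap(lba, segment, offset, blocks=1):
    """Lay the packet out as the PUSH sequence at 7D2B-7D38 leaves it on the stack."""
    return struct.pack(DAP_FORMAT, 0x10, 0, blocks, offset, segment, lba)


def parse_dap(raw):
    """Decode a 16-byte Disk Address Packet captured from memory or a trace."""
    if len(raw) < 16:
        raise ValueError("packet shorter than 16 bytes")
    size, reserved, blocks, offset, segment, lba = struct.unpack_from(DAP_FORMAT, raw)
    if size != 0x10 or reserved != 0:
        raise ValueError("not the 16-byte packet format described on the page")
    return {"blocks": blocks, "segment": segment, "offset": offset,
            "linear": (segment << 4) + offset, "lba": lba}


def read_loop_packets(rel_sector, hidden_sectors, count, segment, offset,
                      paragraphs_per_sector):
    """Replay the loop at 7D21-7D63 and return one packet per INT 13h call."""
    if not 0 < count <= 0xFFFF:
        raise ValueError("count must be 1..65535; 0 would wrap at the DEC at 7D5F")
    packets = []
    while True:
        lba = (rel_sector + hidden_sectors) & 0xFFFFFFFF          # 7D21, 7D25
        packets.append(build_dap(lba, segment, offset))           # 7D2B-7D45
        rel_sector = (rel_sector + 1) & 0xFFFFFFFF                # 7D54
        segment = (segment + paragraphs_per_sector) & 0xFFFF      # 7D59, 7D5D
        count -= 1                                                # 7D5F
        if count == 0:                                            # 7D63
            return packets


def chs_to_lba(cylinder, head, sector, heads, sectors_per_track):
    """The page's non-LBA formula; sector numbers are 1-based."""
    if sector < 1 or sector > sectors_per_track or head >= heads:
        raise ValueError("CHS tuple outside the given geometry")
    return (cylinder * heads + head) * sectors_per_track + sector - 1


def sample_packets():
    """Two consecutive reads using the page's sample values (constructed call)."""
    return read_loop_packets(rel_sector=0x10AA8, hidden_sectors=0x800, count=2,
                             segment=0x07C0, offset=0x2400,
                             paragraphs_per_sector=0x20)


if __name__ == "__main__":
    for raw in sample_packets():
        print(raw.hex(" "), parse_dap(raw))
    print(chs_to_lba(69, 12, 5, heads=16, sectors_per_track=63))
```
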
    
    
    

    
    7F0C 66A33202        MOV     [0232],EAX    ; Store it in [7E32].
    7F10 66B8A0000000    MOV     EAX,000000A0
    7F16 668B0E2A02      MOV     ECX,[022A]
    7F1B E86A09          CALL    8888
    
    7F1E 66A33602        MOV     [0236],EAX    ; Store it in [7E36].
    7F22 66B8B0000000    MOV     EAX,000000B0
    7F28 668B0E2E02      MOV     ECX,[022E]
    7F2D E85809          CALL    8888
    
    7F30 66A33A02        MOV     [023A],EAX
    7F34 66A13202        MOV     EAX,[0232]
    7F38 660BC0          OR      EAX,EAX
    7F3B 0F842BFE        JZ      7D6A
    7F3F 6780780800      CMP     BYTE PTR 08[EAX],00
    7F44 0F8522FE        JNZ     7D6A
    7F48 67668D5010      LEA     EDX,10[EAX]
    7F4D 67034204        ADD     AX,04[EDX]
    7F51 67660FB6480C    MOVZX   ECX,BYTE PTR 0C[EAX]
    7F57 66890E7202      MOV     [0272],ECX
    7F5C 67668B4808      MOV     ECX,08[EAX]
    7F61 66890E6E02      MOV     [026E],ECX
    7F66 66A16E02        MOV     EAX,[026E]
    7F6A 660FB70E0B00    MOVZX   ECX,WORD PTR [000B]
    7F70 6633D2          XOR     EDX,EDX
    7F73 66F7F1          DIV     ECX
    7F76 66A37602        MOV     [0276],EAX
    7F7A 66A14602        MOV     EAX,[0246]
    7F7E 6603066E02      ADD     EAX,[026E]
    7F83 66A34A02        MOV     [024A],EAX
    7F87 66833E360200    CMP     DWORD PTR [0236],+00
    7F8D 0F841D00        JZ      7FAE
    7F91 66833E3A0200    CMP     DWORD PTR [023A],+00
    7F97 0F84CFFD        JZ      7D6A
    7F9B 668B1E3A02      MOV     EBX,[023A]
    7FA0 1E              PUSH    DS
    7FA1 07              POP     ES
    7FA2 668B3E4A02      MOV     EDI,[024A]
    7FA7 66A12E02        MOV     EAX,[022E]
    7FAB E8E001          CALL    818E 
    
    
    7FAE 660FB70E0002    MOVZX   ECX,WORD PTR [0200]    ; "BOOTMGR" in Unicode.
    7FB4 66B802020000    MOV     EAX,00000202
    7FBA E82208          CALL    87DF 
    
    
    7FBD 660BC0          OR      EAX,EAX
    7FC0 0F851600        JNZ     7FDA
    
    7FC4 660FB70E5A02    MOVZX   ECX,WORD PTR [025A]    ; "NTLDR" in Unicode.
    7FCA 66B85C020000    MOV     EAX,0000025C
    7FD0 E80C08          CALL    87DF 
    
    
    7FD3 660BC0          OR      EAX,EAX
    7FD6 0F84420C        JZ      8C1C
    7FDA 67668B00        MOV     EAX,[EAX]
    7FDE 1E              PUSH    DS
    7FDF 07              POP     ES
    7FE0 668B3E3E02      MOV     EDI,[023E]
    7FE5 E83F06          CALL    8627 
    
    
    7FE8 66A13E02        MOV     EAX,[023E]
    7FEC 66BB20000000    MOV     EBX,00000020
    7FF2 66B900000000    MOV     ECX,00000000
    7FF8 66BA00000000    MOV     EDX,00000000
    7FFE E8E400          CALL    80E5 
    
    
    8001 6685C0          TEST    EAX,EAX
    8004 0F852300        JNZ     802B
    8008 66A13E02        MOV     EAX,[023E]
    800C 66BB80000000    MOV     EBX,00000080
    8012 66B900000000    MOV     ECX,00000000
    8018 66BA00000000    MOV     EDX,00000000
    801E E8C400          CALL    80E5 
    
    
    8021 660BC0          OR      EAX,EAX
    8024 0F854400        JNZ     806C
    8028 E9F10B          JMP     8C1C
    
    
    802B 6633D2          XOR     EDX,EDX
    802E 66B980000000    MOV     ECX,00000080
    8034 66A13E02        MOV     EAX,[023E]
    8038 E8CA08          CALL    8905 
    
    
    803B 660BC0          OR      EAX,EAX
    803E 0F84DA0B        JZ      8C1C
    8042 1E              PUSH    DS
    8043 07              POP     ES
    8044 668B3E3E02      MOV     EDI,[023E]
    8049 E8DB05          CALL    8627 
    
    
    804C 66A13E02        MOV     EAX,[023E]
    8050 66BB80000000    MOV     EBX,00000080
    8056 66B900000000    MOV     ECX,00000000
    805C 66BA00000000    MOV     EDX,00000000
    8062 E88000          CALL    80E5 
    
    
    8065 660BC0            OR      EAX,EAX
    8068 0F84B00B          JZ      8C1C
    806C 67660FB7580C      MOVZX   EBX,WORD PTR 0C[EAX]
    8072 6681E3FF000000    AND     EBX,000000FF
    8079 0F85A50B          JNZ     8C22
    807D 668BD8            MOV     EBX,EAX
    8080 680020            PUSH    WORD 2000
    8083 07                POP     ES
    8084 662BFF            SUB     EDI,EDI
    8087 66A13E02          MOV     EAX,[023E]
    808B E80001            CALL    818E 
    
    
    808E 680020          PUSH    WORD 2000
    8091 07              POP     ES
    8092 662BFF          SUB     EDI,EDI
    8095 66A13E02        MOV     EAX,[023E]
    8099 E8AC0A          CALL    8B48 
    ; Exit Point to bootmgr program at Linear offset 0x20000:
    809C 8A160E00        MOV     DL,[000E]    ; Drive Number - usually 80h (1st drive)
    80A0 B8E803          MOV     AX,03E8      ; 0x03E8 -> AX
    80A3 8EC0            MOV     ES,AX        ; ES (Extra Segment) = 0x3E8
    80A5 8D360B00        LEA     SI,[000B]    ; Bytes per Sector 
    80A9 2BC0            SUB     AX,AX        ; Zero-out AX (like: "XOR AX,AX")
    80AB 680020          PUSH    WORD 2000
    80AE 50              PUSH    AX
    80AF CB              RETF               ; Jump to bootmgr program file in
                                            ; Memory at Linear offset 0x20000
    
    ; ========================================    E N D    O F    M A I N    C O D E   ======================================================
    
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    80B0 06              PUSH    ES
    80B1 1E              PUSH    DS
    80B2 6660            PUSHAD
    80B4 668BDA          MOV     EBX,EDX
    80B7 660FB60E0D00    MOVZX   ECX,BYTE PTR [000D]
    80BD 66F7E1          MUL     ECX
    80C0 66A31100        MOV     [0011],EAX
    80C4 668BC3          MOV     EAX,EBX
    80C7 66F7E1          MUL     ECX
    80CA A31600          MOV     [0016],AX
    80CD 8BDF            MOV     BX,DI
    80CF 83E30F          AND     BX,+0F
    80D2 8CC0            MOV     AX,ES
    80D4 66C1EF04        SHR     EDI,04
    80D8 03C7            ADD     AX,DI
    80DA 50              PUSH    AX
    80DB 07              POP     ES
    80DC E83EFC          CALL    7D1D 
    
    80DF 6661            POPAD
    
    80E1 90            NOP
    
    80E2 1F            POP     DS
    80E3 07            POP     ES
    80E4 C3            RET
    ; ==============================================================================================
    
    
    ; ============================ S U B R O U T I N E =============================================
    80E5 67034014      ADD     AX,WORD PTR DS:[EAX+14]  ; This would give us [A014] + 2400h; which
                                                        ; for our first example equals: 2438h.
    
    80E9 67668338FF    CMP     DWORD PTR [EAX],-01      ;  Compare to  0xFFFFFFFF
    80EE 0F844C00      JZ      813E                     ; Jumped when
                                                        ;     [A198] = 0xFFFFFFFF
    80F2 67663918      CMP     DS:[EAX],EBX             ; [7c0:2438] = [A038] = 10h
                                                        ;          Or: [A098] = 30h
                                                        ;          Or: [A100] = 80h
                                                        ;          Or: [A148] = B0h
    
    
    80F6 0F853300      JNZ     812D                     ; So not '0' with EBX = 20h
    80FA 660BC9        OR      ECX,ECX
    80FD 0F850A00      JNZ     810B
    8101 6780780900    CMP     BYTE PTR DS:[EAX+09],00
    8106 0F852300      JNZ     812D
    810A C3            RET
    
    810B 673A4809      CMP     CL,09[EAX]
    810F 0F851A00      JNZ     812D
    8113 668BF0        MOV     ESI,EAX
    8116 6703700A      ADD     SI,0A[EAX]
    811A E89706        CALL    87B4 
    
    811D 6651          PUSH    ECX
    811F 1E            PUSH    DS
    8120 07            POP     ES
    8121 668BFA        MOV     EDI,EDX
    8124 F3A7          REPE    CMPSW
    8126 6659          POP     ECX
    8128 0F850100      JNZ     812D
    812C C3            RET
    
    
    812D 676683780400    CMP     DWORD PTR DS:[EAX+04],+00  ; [A03C] = 60h
    8133 0F840700        JZ      813E
    8137 6766034004      ADD     EAX,DWORD PTR DS:[EAX+04]  ; EAX + [A03C] = 2438h + 60h = 2498h
                                                            ; Or: EAX+[A09C]=2498h + 68h = 2500h
                                                            ; Or: EAX+[A104]=2500h + 48h = 2548h
                                                            ; Or: EAX+[A14C]=2548h + 50h = 2598h
    
    813C EBAB            JMP     80E9
    
    813E 662BC0          SUB     EAX,EAX                 ; similar to XOR function; leaves zero.
    8141 C3              RET
    ; ==============================================================================================
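
The subroutine at 80E5 walks the attribute list of a File Record Segment: it starts at the offset stored at +14h, compares the type at +00 with EBX, stops at 0xFFFFFFFF or a zero length at +04, and for a named search compares the name length at +09 and the name found via the offset at +0Ah. The same walk, with the bounds checks a tool reading untrusted disk images needs (the listed instructions test only for the end marker and a zero length), is sketched below. This is an added example, not code from the original page; the function names and sample records are constructed, the first record reuses the attribute types and lengths shown in the comments above, and the effect of the CALL to 87B4 is not modelled.

```python
import struct

END_MARKER = 0xFFFFFFFF


def build_frs(attrs, first_attr_offset=0x38, size=0x400):
    """Constructed sample record; attrs is a list of (type, length, name)."""
    frs = bytearray(size)
    struct.pack_into("<H", frs, 0x14, first_attr_offset)
    pos = first_attr_offset
    for attr_type, length, name in attrs:
        encoded = name.encode("utf-16-le")
        struct.pack_into("<II", frs, pos, attr_type, length)
        frs[pos + 9] = len(encoded) // 2               # name length in characters
        struct.pack_into("<H", frs, pos + 0x0A, 0x18)  # name offset (assumed 18h)
        frs[pos + 0x18:pos + 0x18 + len(encoded)] = encoded
        pos += length
    struct.pack_into("<I", frs, pos, END_MARKER)
    return bytes(frs)


def find_attribute(frs, wanted_type, wanted_name=""):
    """Return the offset of the matching attribute, or None (EAX = 0 at 813E)."""
    wanted = wanted_name.encode("utf-16-le")
    if len(frs) < 0x16:
        raise ValueError("record too short to hold the first-attribute offset")
    pos, = struct.unpack_from("<H", frs, 0x14)                    # 80E5
    while True:
        if pos + 4 > len(frs):
            raise ValueError("attribute at 0x%X lies outside the record" % pos)
        attr_type, = struct.unpack_from("<I", frs, pos)
        if attr_type == END_MARKER:                               # 80E9
            return None
        if pos + 0x0C > len(frs):
            raise ValueError("attribute header at 0x%X is truncated" % pos)
        length, = struct.unpack_from("<I", frs, pos + 4)
        if attr_type == wanted_type:                              # 80F2
            name_len = frs[pos + 9]
            if not wanted:                                        # ECX = 0
                if name_len == 0:                                 # 8101
                    return pos
            elif name_len * 2 == len(wanted):                     # 810B
                name_off, = struct.unpack_from("<H", frs, pos + 0x0A)
                start = pos + name_off
                if start + len(wanted) > len(frs):
                    raise ValueError("attribute name runs past the record")
                if frs[start:start + len(wanted)] == wanted:      # 8124
                    return pos
        if length == 0:                                           # 812D
            return None
        pos += length                                             # 8137


# Constructed record with the types and lengths from the comments above.
PAGE_SAMPLE = build_frs([(0x10, 0x60, ""), (0x30, 0x68, ""),
                         (0x80, 0x48, ""), (0xB0, 0x50, "")])
# Constructed record with two attributes named "$I30".
NAMED_SAMPLE = build_frs([(0x10, 0x60, ""), (0x90, 0x58, "$I30"),
                          (0xA0, 0x50, "$I30")])

if __name__ == "__main__":
    for wanted in (0x20, 0x80):
        print(hex(wanted), find_attribute(PAGE_SAMPLE, wanted))
    print(find_attribute(NAMED_SAMPLE, 0x90, "$I30"))
```
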
    
    
    ; ============================ S U B R O U T I N E =============================================
    8142 668BF3          MOV     ESI,EBX
    8145 E86C06          CALL    87B4 
    
    8148 67660300        ADD     EAX,[EAX]
    814C 67F7400C0200    TEST    WORD PTR 0C[EAX],0002
    8152 0F853400        JNZ     818A
    8156 67668D5010      LEA     EDX,10[EAX]
    815B 673A4A40        CMP     CL,40[EDX]
    815F 0F851800        JNZ     817B
    8163 67668D7242      LEA     ESI,42[EDX]
    8168 E84906          CALL    87B4 
    
    816B 6651            PUSH    ECX
    816D 1E              PUSH    DS
    816E 07              POP     ES
    816F 668BFB          MOV     EDI,EBX
    8172 F3A7            REPE    CMPSW
    8174 6659            POP     ECX
    8176 0F850100        JNZ     817B
    817A C3              RET
    
    817B 6783780800    CMP     WORD PTR 08[EAX],+00
    8180 0F840600      JZ      818A
    8184 67034008      ADD     AX,08[EAX]
    8188 EBC2          JMP     814C
    
    818A 6633C0        XOR     EAX,EAX
    818D C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    818E 67807B0800    CMP     BYTE PTR 08[EBX],00
    8193 0F851C00      JNZ     81B3
    8197 06            PUSH    ES
    8198 1E            PUSH    DS
    8199 6660          PUSHAD
    819B 67668D5310    LEA     EDX,10[EBX]
    81A0 67668B0A      MOV     ECX,[EDX]
    81A4 668BF3        MOV     ESI,EBX
    81A7 67037204      ADD     SI,04[EDX]
    81AB F3A4          REP     MOVSB
    81AD 6661          POPAD
    
    81AF 90            NOP
    
    81B0 1F            POP     DS
    81B1 07            POP     ES
    81B2 C3            RET
    
    81B3 6650          PUSH    EAX
    81B5 67668D5310    LEA     EDX,10[EBX]
    81BA 6685C0        TEST    EAX,EAX
    81BD 0F850A00      JNZ     81CB
    81C1 67668B4A08    MOV     ECX,08[EDX]
    81C6 6641          INC     ECX
    81C8 EB11          JMP     81DB
    
    81CA 90            NOP
    
    81CB 67668B4218    MOV     EAX,18[EDX]
    81D0 6633D2        XOR     EDX,EDX
    81D3 66F7365202    DIV     DWORD PTR [0252]
    81D8 668BC8        MOV     ECX,EAX
    81DB 662BC0        SUB     EAX,EAX
    81DE 665E          POP     ESI
    81E0 E80100        CALL    81E4 
    
    81E3 C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    81E4 06            PUSH    ES
    81E5 1E            PUSH    DS
    81E6 6660          PUSHAD
    81E8 67807B0801    CMP     BYTE PTR 08[EBX],01
    81ED 0F840300      JZ      81F4
    81F1 E976FB        JMP     7D6A
    
    
    81F4 6683F900      CMP     ECX,+00
    81F8 0F850600      JNZ     8202
    81FC 6661          POPAD
    81FE 90            NOP
    81FF 1F            POP     DS
    8200 07            POP     ES
    8201 C3            RET
    
    
    ;-----------------------------------------------------
    8202 6653          PUSH    EBX
    8204 6650          PUSH    EAX
    8206 6651          PUSH    ECX
    8208 6656          PUSH    ESI
    820A 6657          PUSH    EDI
    820C 06            PUSH    ES
    820D E89104        CALL    86A1 
    
    8210 668BD1        MOV     EDX,ECX
    8213 07            POP     ES
    8214 665F          POP     EDI
    8216 665E          POP     ESI
    8218 6659          POP     ECX
    821A 6685C0        TEST    EAX,EAX
    821D 0F843400      JZ      8255
    8221 663BCA        CMP     ECX,EDX
    8224 0F8D0300      JGE     822B
    8228 668BD1        MOV     EDX,ECX
    822B E882FE        CALL    80B0 
    
    822E 662BCA          SUB     ECX,EDX
    8231 668BDA          MOV     EBX,EDX
    8234 668BC2          MOV     EAX,EDX
    8237 660FB6160D00    MOVZX   EDX,BYTE PTR [000D]
    823D 66F7E2          MUL     EDX
    8240 660FB7160B00    MOVZX   EDX,WORD PTR [000B]
    8246 66F7E2          MUL     EDX
    8249 6603F8          ADD     EDI,EAX
    824C 6658            POP     EAX
    824E 6603C3          ADD     EAX,EBX
    8251 665B            POP     EBX
    8253 EB9F            JMP     81F4
    
    8255 6685F6          TEST    ESI,ESI
    8258 0F840EFB        JZ      7D6A
    825C 6651            PUSH    ECX
    825E 6657            PUSH    EDI
    8260 06              PUSH    ES
    8261 67660FB64309    MOVZX   EAX,BYTE PTR 09[EBX]
    8267 6685C0          TEST    EAX,EAX
    826A 0F842000        JZ      828E
    826E 66D1E0          SHL     EAX,1
    8271 662BE0          SUB     ESP,EAX
    8274 668BFC          MOV     EDI,ESP
    8277 6654            PUSH    ESP
    8279 6656            PUSH    ESI
    827B 67660FB7730A    MOVZX   ESI,WORD PTR 0A[EBX]
    8281 6603F3          ADD     ESI,EBX
    8284 668BC8          MOV     ECX,EAX
    8287 F3A4            REP     MOVSB
    8289 665E            POP     ESI
    828B EB03            JMP     8290
    
    828D 90            NOP
    
    828E 6650          PUSH    EAX
    8290 6650          PUSH    EAX
    8292 67668B03      MOV     EAX,[EBX]
    8296 6650          PUSH    EAX
    8298 67668B4318    MOV     EAX,18[EBX]
    829D 6650          PUSH    EAX
    829F 67668B5620    MOV     EDX,20[ESI]
    82A4 6685D2        TEST    EDX,EDX
    82A7 0F840B00      JZ      82B6
    82AB 668BFE        MOV     EDI,ESI
    82AE 1E            PUSH    DS
    82AF 07            POP     ES
    82B0 668BC2        MOV     EAX,EDX
    82B3 E87103        CALL    8627 
    
    82B6 668BC6        MOV     EAX,ESI
    82B9 665A          POP     EDX
    82BB 6659          POP     ECX
    82BD 6642          INC     EDX
    82BF 6651          PUSH    ECX
    82C1 6656          PUSH    ESI
    82C3 E83F06        CALL    8905 
    
    82C6 6685C0        TEST    EAX,EAX
    82C9 0F849DFA      JZ      7D6A
    82CD 665E          POP     ESI
    82CF 6659          POP     ECX
    82D1 668BFE        MOV     EDI,ESI
    82D4 1E            PUSH    DS
    82D5 07            POP     ES
    82D6 E84E03        CALL    8627 
    
    82D9 668BC6        MOV     EAX,ESI
    82DC 668BD9        MOV     EBX,ECX
    82DF 6659          POP     ECX
    82E1 665A          POP     EDX
    82E3 6651          PUSH    ECX
    82E5 6656          PUSH    ESI
    82E7 66D1E9        SHR     ECX,1
    82EA E8F8FD        CALL    80E5 
    
    82ED 6685C0        TEST    EAX,EAX
    82F0 0F8476FA      JZ      7D6A
    82F4 665E          POP     ESI
    82F6 6659          POP     ECX
    82F8 6603E1        ADD     ESP,ECX
    82FB 07            POP     ES
    82FC 665F          POP     EDI
    82FE 6659          POP     ECX
    8300 668BD0        MOV     EDX,EAX
    8303 6658          POP     EAX
    8305 665B          POP     EBX
    8307 668BDA        MOV     EBX,EDX
    830A E9F5FE        JMP     8202
    ; ==============================================================================================
    
    
    ; ============================ S U B R O U T I N E =============================================
    830D 06                 PUSH    ES
    830E 1E                 PUSH    DS
    830F 6660               PUSHAD
    8311 2667660FB75F04     MOVZX   EBX,WORD PTR ES:[EDI+04]  ; ES:[EDI+4] = [7C0:2404] = [A004];
                                                              ; should be the digit "0" (30h):
    ; the byte immediately to the right of the word "FILE" at the beginning of the $MFT file (and
    ; every other file entry within the $MFT file).
    
    8318 2667660FB74F06     MOVZX   ECX,WORD PTR ES:[EDI+06]  ; [A006] should be 0x0003.
    831F 660BC9             OR      ECX,ECX
    8322 0F8444FA           JZ      7D6A
    8326 6603DF             ADD     EBX,EDI                   ; EBX = 0x2430
    8329 6683C302           ADD     EBX,+02                   ; EBX = 0x2432
    832D 6681C7FE010000     ADD     EDI,000001FE              ; EDI = 0x25fe
    8334 6649               DEC     ECX                       ; ECX -> 0x0002
    8336 660BC9             OR      ECX,ECX
    8339 0F841700           JZ      8354
    833D 26678B03           MOV     AX,ES:[EBX]               ; [7C0:2432] = [A032] = 0xFFFF
                                                              ; [7C0:2434] = [A034] = 0x0000
    8341 26678907           MOV     ES:[EDI],AX               ; Write 0xFFFF -> [A1FE]
                                                              ; (Before this, it contained 0x0002)
                                                              ; Or: Write 0x0000 -> [A3FE]
                                                              ;     (It had also contained 0x0002)
    8345 6683C302           ADD     EBX,+02                   ; EBX = 0x2434, 0x2436
    8349 6681C700020000     ADD     EDI,00000200              ; EDI = 0x27fe, 0x29fe
    8350 6649               DEC     ECX                       ; ECX -> 1 , or: -> 0.
    8352 EBE2               JMP     8336
    
    8354 6661               POPAD
    
    8356 90               NOP
    
    8357 1F               POP     DS
    8358 07               POP     ES
    8359 C3               RET
    ; ==============================================================================================
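Added example, not part of the original listing: a C rendering of what the routine at 830D does to a FILE record, with the checks it leaves out. The listing's loop copies each saved word over a sector's last word without first comparing that word to the update sequence number; `apply_fixups`, `make_sample` and the status names are hypothetical, and the sample record is constructed from the values in the comments above (0x0030, 0x0003, 0x0002, 0xFFFF, 0x0000).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u   /* stride between patched words: ADD EDI,00000200 */
#define RECORD_SIZE 1024u  /* two sectors per record, as in the page's sample */

enum { FIXUP_OK = 0, FIXUP_BAD_HEADER = -1, FIXUP_TORN = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }

/* Restore the last word of every sector of one FILE record, in place. */
int apply_fixups(uint8_t *rec, size_t rec_len)
{
    if (rec_len < 8 || memcmp(rec, "FILE", 4) != 0)
        return FIXUP_BAD_HEADER;

    size_t usa_off = rd16(rec + 4);  /* word at +04 (EBX in the listing) */
    size_t usa_cnt = rd16(rec + 6);  /* word at +06 (ECX in the listing) */
    if (usa_cnt == 0)
        return FIXUP_BAD_HEADER;     /* the listing jumps to 7D6A here */

    size_t sectors = usa_cnt - 1;    /* first array entry is the sequence number */
    if (sectors == 0)
        return FIXUP_OK;             /* nothing to patch, as in the listing */

    /* Bounds the listing does not check: the patched words must lie inside
       the record, and the array must end before the first patched word. */
    if (sectors * SECTOR_SIZE > rec_len)
        return FIXUP_BAD_HEADER;
    if (usa_off < 8 || usa_off + 2 * usa_cnt > SECTOR_SIZE - 2)
        return FIXUP_BAD_HEADER;

    /* Pass 1: every sector must still end with the sequence number.
       A mismatch means a torn (partial) write or a tampered sector. */
    uint16_t usn = rd16(rec + usa_off);
    for (size_t i = 0; i < sectors; i++)
        if (rd16(rec + (i + 1) * SECTOR_SIZE - 2) != usn)
            return FIXUP_TORN;

    /* Pass 2: only now overwrite, so a rejected record is left untouched. */
    for (size_t i = 0; i < sectors; i++)
        wr16(rec + (i + 1) * SECTOR_SIZE - 2, rd16(rec + usa_off + 2 + 2 * i));
    return FIXUP_OK;
}

/* Constructed sample record modelled on the values in the page's comments. */
void make_sample(uint8_t rec[RECORD_SIZE])
{
    memset(rec, 0, RECORD_SIZE);
    memcpy(rec, "FILE", 4);
    wr16(rec + 0x04, 0x0030);   /* offset of the update sequence array */
    wr16(rec + 0x06, 0x0003);   /* sequence number + 2 saved words */
    wr16(rec + 0x30, 0x0002);   /* update sequence number */
    wr16(rec + 0x32, 0xFFFF);   /* real last word of sector 1 */
    wr16(rec + 0x34, 0x0000);   /* real last word of sector 2 */
    wr16(rec + 0x1FE, 0x0002);  /* on-disk placeholder, sector 1 */
    wr16(rec + 0x3FE, 0x0002);  /* on-disk placeholder, sector 2 */
}

int main(void)
{
    uint8_t rec[RECORD_SIZE];

    make_sample(rec);
    int rc = apply_fixups(rec, sizeof rec);
    printf("intact record: rc=%d, [1FE]=%04X, [3FE]=%04X\n",
           rc, (unsigned)rd16(rec + 0x1FE), (unsigned)rd16(rec + 0x3FE));

    make_sample(rec);
    wr16(rec + 0x3FE, 0x0001);  /* simulate a stale second sector */
    printf("torn record:   rc=%d\n", apply_fixups(rec, sizeof rec));
    return 0;
}
```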
    
    
    ; ============================ S U B R O U T I N E =============================================
    835A 06               PUSH    ES           ; ES is often 0x09A0.
    835B 1E               PUSH    DS           ; DS is 0x07C0 at this time.
    835C 6660             PUSHAD               ; Push all GP "Double" Registers onto
                                               ; stack: EAX, ECX, EDX, EBX, original
                                               ;        ESP, EBP, ESI, and EDI.
    
    ; Simply sets [0222] to 0x00000001 (why not preset this in the Data Area?)
    835E 66B801000000     MOV     EAX,00000001
    8364 66A32202         MOV     [0222],EAX   ; Puts a 1 in [7E22]
    
    ; Makes Contents of 0x7E6A = BpFRS + 2400h
    8368 66A11E02         MOV     EAX,[021E]   ; Put 2400h into EAX.
    836C 6603066602       ADD     EAX,[0266]   ; Add Bytes per File Record Segment
    8371 66A36A02         MOV     [026A],EAX   ; Puts (BpFRS + 2400h) into [026A], so for
                                               ;    our Sample data, this now = 0x2800.
    
    ; Makes Contents of 0x7E4E = (2 x BpFRS) + 2400h
    8375 6603066602      ADD     EAX,[0266]    ; Add Bytes per FRS again!
    837A 66A34E02        MOV     [024E],EAX    ; Puts [(2 x BpFRS) + 2400h] into [024E]
                                               ; (for Sample data, this = 0x2C00 then.)
    
    ; Put "Starting Cluster Number of $MFT File" into EAX. Then multiply that
    ; by Sectors per Cluster (in EBX) and copy answer ("Starting Relative
    ; Sector of $MFT File") into DS:[BX] as well as [7C11 - 7C14].
    
    837E 66A13000        MOV     EAX,[0030]    ; Starting Cluster Number $MFT File
                                               ; Examples: C0000h = Cluster 786432
                                               ;            2155h = Cluster   8533.
    
    8382 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]   ; Sectors per Cluster -> EBX
    8388 66F7E3          MUL     EBX        ; Examples: C0000h x 8 = 600000h in EAX
                                            ;            2155h x 8 =  10AA8h in EAX.
                                            ; So, Starting Relative Sector of $MFT file
                               ; would be: 6291456 (for 600000h) or 68264 (for 10AA8h).
    
    838B 668B1E4E02      MOV     EBX,[024E]    ; Using: 0x2C00 for these examples. 
    8390 668907          MOV     [BX],EAX      ;  EAX -> DS:[BX] (DS=07C0)
                                               ; If BX = 2C00, Sample's location is:
    ; DS:[BX] = 7C0:2C00 = (0x7C00 + 0x2C00) = 0xA800; contains 0x600000 or 0x10AA8.
    ; So, as an example of the latter, a dump of Memory location 0xA800 would show:
    ;  Location   0  1  2  3
    ; 0000:A800  A8 0A 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    
    8393 66A31100        MOV     [0011],EAX    ; EAX -> [7C11 thru 7C14]; also save
                                               ; Relative Sector location of $MFT
                                               ; file to [7C11-7C14] in the Volume.
    
    8397 83C304          ADD     BX,+04        ; Example: 2C00h + 4 = 2C04h
    839A 66A15602        MOV     EAX,[0256]    ; Sectors per FRS -> EAX
    839E 668907          MOV     [BX],EAX      ; (Example: EAX = 2 sectors per FRS)
                                               ; EAX -> DS:[BX] (DS=07C0), so:
    ; DS:[BX] = 7C0:2C04 = (0x7C00 + 0x2C04) = 0xA804; now containing 0x00000002
    ; So, a dump of Memory location 0xA800 would now show:
    ;  Location   0  1  2  3  4  5  6  7
    ; 0000:A800  A8 0A 01 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
    
    83A1 A31600          MOV     [0016],AX     ; Sectors per FRS -> [7C16]
                                               ; (In our example AX = 0x0002.)
    
    83A4 83C304          ADD     BX,+04        ; Example: 2C04h + 4 = 2C08h
    83A7 66891E4E02      MOV     [024E],EBX    ; If BX was originally 0x2C04,
                                               ; we now save 0x2C08 to [024E].
    
    83AC 668B1E1E02      MOV     EBX,[021E]    ; Reset EBX to 0x2400 (from [7E1E]).
    83B1 1E              PUSH    DS            ; DS is still 0x07C0
    83B2 07              POP     ES            ;(ES was 09A0 up to this point, but
                                               ; now it's equal to DS = 0x07C0.)
    
    83B3 E867F9          CALL    7D1D          ; Copy first FRS from $MFT file into Memory.
                                               ; This (and any successive calls) is used to
                                               ; start searching for location of BOOTMGR.
    83B6 668BFB          MOV     EDI,EBX       ; EBX still contains 0x2400.
    83B9 E851FF          CALL    830D 
    
    83BC 66A11E02        MOV     EAX,[021E]    ; Put 2400h into EAX.
    83C0 66BB20000000    MOV     EBX,00000020  ; Put 20h (32) into EBX.
    83C6 66B900000000    MOV     ECX,00000000  ; Zeros in ECX, and
    83CC 66BA00000000    MOV     EDX,00000000  ;       in EDX.
    83D2 E810FD          CALL    80E5 
    
    83D5 660BC0          OR      EAX,EAX
    83D8 0F841901        JZ      84F5
    83DC 668BD8          MOV     EBX,EAX
    83DF 1E              PUSH    DS
    83E0 07              POP     ES
    83E1 668B3E1A02      MOV     EDI,[021A]
    83E6 6633C0          XOR     EAX,EAX
    83E9 E8A2FD          CALL    818E 
    
    83EC 668B1E1A02      MOV     EBX,[021A]
    83F1 66813F80000000  CMP     DWORD PTR [BX],00000080
    83F8 0F84EB00        JZ      84E7
    83FC 035F04          ADD     BX,[BX+04]
    83FF EBF0            JMP     83F1
    
    8401 6653            PUSH    EBX
    8403 668B4710        MOV     EAX,[BX+10]
    8407 66F7265602      MUL     DWORD PTR [0256]
    840C 6650            PUSH    EAX
    840E 6633D2          XOR     EDX,EDX
    8411 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]
    8417 66F7F3          DIV     EBX
    841A 6652            PUSH    EDX
    841C E8DC00          CALL    84FB 
    
    841F 660BC0          OR      EAX,EAX
    8422 0F8444F9        JZ      7D6A
    8426 668B0E5602      MOV     ECX,[0256]
    842B 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]
    8431 66F7E3          MUL     EBX
    8434 665A            POP     EDX
    8436 6603C2          ADD     EAX,EDX
    8439 668B1E4E02      MOV     EBX,[024E]
    843E 668907          MOV     [BX],EAX
    8441 83C304          ADD     BX,+04
    8444 660FB6060D00    MOVZX   EAX,BYTE PTR [000D]
    844A 662BC2          SUB     EAX,EDX
    844D 663BC1          CMP     EAX,ECX
    8450 0F860300        JBE     8457
    8454 668BC1          MOV     EAX,ECX
    8457 668907          MOV     [BX],EAX
    845A 662BC8          SUB     ECX,EAX
    845D 665A            POP     EDX
    845F 0F847500        JZ      84D8
    8463 6603C2          ADD     EAX,EDX
    8466 6650            PUSH    EAX
    8468 6633D2          XOR     EDX,EDX
    846B 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]
    8471 66F7F3          DIV     EBX
    8474 6651            PUSH    ECX
    8476 E88200          CALL    84FB 
    
    8479 6659            POP     ECX
    847B 660BC0          OR      EAX,EAX
    847E 0F84E8F8        JZ      7D6A
    8482 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]
    8488 66F7E3          MUL     EBX
    848B 668B1E4E02      MOV     EBX,[024E]
    8490 668B17          MOV     EDX,[BX]
    8493 83C304          ADD     BX,+04
    8496 660317          ADD     EDX,[BX]
    8499 663BD0          CMP     EDX,EAX
    849C 0F851500        JNZ     84B5
    84A0 660FB6060D00    MOVZX   EAX,BYTE PTR [000D]
    84A6 663BC1          CMP     EAX,ECX
    84A9 0F860300        JBE     84B0
    84AD 668BC1          MOV     EAX,ECX
    84B0 660107          ADD     [BX],EAX
    84B3 EBA5            JMP     845A
    
    84B5 83C304          ADD     BX,+04
    84B8 66891E4E02      MOV     [024E],EBX
    84BD 668907          MOV     [BX],EAX
    84C0 83C304          ADD     BX,+04
    84C3 660FB6060D00    MOVZX   EAX,BYTE PTR [000D]
    84C9 663BC1          CMP     EAX,ECX
    84CC 0F860300        JBE     84D3
    84D0 668BC1          MOV     EAX,ECX
    84D3 668907          MOV     [BX],EAX
    84D6 EB82            JMP     845A
    
    84D8 83C304            ADD     BX,+04
    84DB 66FF062202        INC     DWORD PTR [0222]
    84E0 66891E4E02        MOV     [024E],EBX
    84E5 665B              POP     EBX
    84E7 035F04            ADD     BX,[BX+04]
    84EA 66813F80000000    CMP     DWORD PTR [BX],00000080
    84F1 0F840CFF          JZ      8401
    84F5 6661              POPAD
    
    84F7 90            NOP
    
    84F8 1F            POP     DS
    84F9 07            POP     ES
    84FA C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    84FB 668BD0        MOV     EDX,EAX
    84FE 668B0E2202    MOV     ECX,[0222]
    8503 668B366A02    MOV     ESI,[026A]
    8508 6603366602    ADD     ESI,[0266]
    850D 6652          PUSH    EDX
    850F 6651          PUSH    ECX
    8511 6652          PUSH    EDX
    8513 668B1E6A02    MOV     EBX,[026A]
    8518 668B3E5602    MOV     EDI,[0256]
    851D 668B04        MOV     EAX,[SI]
    8520 66A31100      MOV     [0011],EAX
    8524 83C604        ADD     SI,+04
    8527 668B04        MOV     EAX,[SI]
    852A A31600        MOV     [0016],AX
    852D 83C604        ADD     SI,+04
    8530 1E            PUSH    DS
    8531 07            POP     ES
    8532 E8E8F7        CALL    7D1D 
    
    8535 662BF8        SUB     EDI,EAX
    8538 0F840800      JZ      8544
    853C F7260B00      MUL     WORD PTR [000B]
    8540 03D8          ADD     BX,AX
    8542 EBD9          JMP     851D
    
    8544 668B3E6A02    MOV     EDI,[026A]
    8549 1E            PUSH    DS
    854A 07            POP     ES
    854B E8BFFD        CALL    830D 
    
    854E 66A16A02        MOV     EAX,[026A]
    8552 66BB80000000    MOV     EBX,00000080
    8558 66B900000000    MOV     ECX,00000000
    855E 668BD1          MOV     EDX,ECX
    8561 E881FB          CALL    80E5 
    
    8564 660BC0        OR      EAX,EAX
    8567 0F84FFF7      JZ      7D6A
    856B 668BD8        MOV     EBX,EAX
    856E 6658          POP     EAX
    8570 6656          PUSH    ESI
    8572 E82C01        CALL    86A1 
    
    8575 665E          POP     ESI
    8577 660BC0        OR      EAX,EAX
    857A 0F840500      JZ      8583
    857E 665B          POP     EBX
    8580 665B          POP     EBX
    8582 C3            RET
    
    8583 6659          POP     ECX
    8585 665A          POP     EDX
    8587 E284          LOOPW   850D
    
    8589 6633C0        XOR     EAX,EAX
    858C C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    858D 06              PUSH    ES
    858E 1E              PUSH    DS
    858F 6660            PUSHAD
    8591 6650            PUSH    EAX
    8593 6651            PUSH    ECX
    8595 6633D2          XOR     EDX,EDX
    8598 660FB61E0D00    MOVZX   EBX,BYTE PTR DS:[000D]  ; Sectors per Cluster = 8.
    859E 66F7F3          DIV     EAX,EBX          ; (0x000A / 0x0008) = 1 in EAX; remainder (2) in EDX, pushed next
    85A1 6652            PUSH    EDX
    85A3 6657            PUSH    EDI
    85A5 E853FF          CALL    84FB 
    
    85A8 665F            POP     EDI
    85AA 660BC0          OR      EAX,EAX
    85AD 0F84B9F7        JZ      7D6A
    85B1 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]
    85B7 66F7E3          MUL     EBX
    85BA 665A            POP     EDX
    85BC 6603C2          ADD     EAX,EDX
    85BF 66A31100        MOV     [0011],EAX
    85C3 6659            POP     ECX
    85C5 660FB61E0D00    MOVZX   EBX,BYTE PTR [000D]
    85CB 663BCB          CMP     ECX,EBX
    85CE 0F8E1300        JLE     85E5
    85D2 891E1600        MOV     [0016],BX
    85D6 662BCB          SUB     ECX,EBX
    85D9 6658            POP     EAX
    85DB 6603C3          ADD     EAX,EBX
    85DE 6650            PUSH    EAX
    85E0 6651            PUSH    ECX
    85E2 EB14            JMP     85F8
    
    85E4 90            NOP
    
    85E5 6658            POP     EAX
    85E7 6603C1          ADD     EAX,ECX
    85EA 6650            PUSH    EAX
    85EC 890E1600        MOV     [0016],CX
    85F0 66B900000000    MOV     ECX,00000000
    85F6 6651            PUSH    ECX
    85F8 06              PUSH    ES
    85F9 6657            PUSH    EDI
    85FB 8BDF            MOV     BX,DI
    85FD 83E30F          AND     BX,+0F
    8600 8CC0            MOV     AX,ES
    8602 66C1EF04        SHR     EDI,04
    8606 03C7            ADD     AX,DI
    8608 50              PUSH    AX
    8609 07              POP     ES
    860A E810F7          CALL    7D1D 
    
    860D 665F          POP     EDI
    860F 07            POP     ES
    8610 66033E5202    ADD     EDI,[0252]
    8615 6659          POP     ECX
    8617 6658          POP     EAX
    8619 6683F900      CMP     ECX,+00
    861D 0F8F70FF      JG      8591
    8621 6661          POPAD
    
    8623 90            NOP
    
    8624 1F            POP     DS
    8625 07            POP     ES
    8626 C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8627 06            PUSH    ES
    8628 1E            PUSH    DS
    8629 6660          PUSHAD
    862B 66F7265602    MUL     EAX,DWORD PTR DS:[0256]  ; (5 x Sectors per FRS) -> EAX
                                                        ;  5 x 2 = 10 (or 0x000A).
    8630 668B0E5602    MOV     ECX,[0256]
    8635 E855FF        CALL    858D
    
    8638 E8D2FC        CALL    830D 
    
    863B 6661          POPAD
    
    863D 90            NOP
    
    863E 1F            POP     DS
    863F 07            POP     ES
    8640 C3            RET
    ; ==============================================================================================
    
    
    ; ============================ S U B R O U T I N E =============================================
    8641 06            PUSH    ES
    8642 1E            PUSH    DS
    8643 6660          PUSHAD
    8645 66F7267202    MUL     DWORD PTR [0272]
    864A 668B1E3602    MOV     EBX,[0236]
    864F 668B0E7202    MOV     ECX,[0272]
    8654 668B362A02    MOV     ESI,[022A]
    8659 1E            PUSH    DS
    865A 07            POP     ES
    865B 668B3E4602    MOV     EDI,[0246]
    8660 E881FB        CALL    81E4 
    
    8663 E8A7FC        CALL    830D 
    
    8666 6661          POPAD
    
    8668 90            NOP
    
    8669 1F            POP     DS
    866A 07            POP     ES
    866B C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    866C 6650            PUSH    EAX
    866E 6653            PUSH    EBX
    8670 6651            PUSH    ECX
    8672 668B1E4A02      MOV     EBX,[024A]
    8677 668BC8          MOV     ECX,EAX
    867A 66C1E803        SHR     EAX,03
    867E 6683E107        AND     ECX,+07
    8682 6603D8          ADD     EBX,EAX
    8685 66B801000000    MOV     EAX,00000001
    868B 66D3E0          SHL     EAX,CL
    868E 678403          TEST    [EBX],AL
    8691 0F840400        JZ      8699
    8695 F8              CLC
    8696 EB02            JMP     869A
    
    8698 90            NOP
    
    8699 F9            STC
    869A 6659          POP     ECX
    869C 665B          POP     EBX
    869E 6658          POP     EAX
    86A0 C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    86A1 67807B0801    CMP     BYTE PTR 08[EBX],01
    86A6 0F840400      JZ      86AE
    86AA 662BC0        SUB     EAX,EAX
    86AD C3            RET
    
    86AE 67668D7310    LEA     ESI,10[EBX]
    86B3 67668B5608    MOV     EDX,08[ESI]
    86B8 663BC2        CMP     EAX,EDX
    86BB 0F870B00      JA      86CA
    86BF 67668B16      MOV     EDX,[ESI]
    86C3 663BC2        CMP     EAX,EDX
    86C6 0F830400      JAE     86CE
    86CA 662BC0        SUB     EAX,EAX
    86CD C3            RET
    
    86CE 67035E10      ADD     BX,10[ESI]
    86D2 662BF6        SUB     ESI,ESI
    86D5 67803B00      CMP     BYTE PTR [EBX],00
    86D9 0F843E00      JZ      871B
    86DD E88100        CALL    8761 
    
    86E0 6603F1        ADD     ESI,ECX
    86E3 E83900        CALL    871F 
    
    86E6 6603CA        ADD     ECX,EDX
    86E9 663BC1        CMP     EAX,ECX
    86EC 0F8C2100      JL      8711
    86F0 668BD1        MOV     EDX,ECX
    86F3 6650          PUSH    EAX
    86F5 67660FB60B    MOVZX   ECX,BYTE PTR [EBX]
    86FA 668BC1        MOV     EAX,ECX
    86FD 6683E00F      AND     EAX,+0F
    8701 66C1E904      SHR     ECX,04
    8705 6603D9        ADD     EBX,ECX
    8708 6603D8        ADD     EBX,EAX
    870B 6643          INC     EBX
    870D 6658          POP     EAX
    870F EBC4          JMP     86D5
    
    8711 662BC8        SUB     ECX,EAX
    8714 662BC2        SUB     EAX,EDX
    8717 6603C6        ADD     EAX,ESI
    871A C3            RET
    
    871B 662BC0        SUB     EAX,EAX
    871E C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    871F 662BC9        SUB     ECX,ECX
    8722 678A0B        MOV     CL,[EBX]
    8725 80E10F        AND     CL,0F
    8728 6683F900      CMP     ECX,+00
    872C 0F850400      JNZ     8734
    8730 662BC9        SUB     ECX,ECX
    8733 C3            RET
    
    8734 6653          PUSH    EBX
    8736 6652          PUSH    EDX
    8738 6603D9        ADD     EBX,ECX
    873B 67660FBE13    MOVSX   EDX,BYTE PTR [EBX]
    8740 6649          DEC     ECX
    8742 664B          DEC     EBX
    8744 6683F900      CMP     ECX,+00
    8748 0F840D00      JZ      8759
    874C 66C1E208      SHL     EDX,08
    8750 678A13        MOV     DL,[EBX]
    8753 664B          DEC     EBX
    8755 6649          DEC     ECX
    8757 EBEB          JMP     8744
    
    8759 668BCA        MOV     ECX,EDX
    875C 665A          POP     EDX
    875E 665B          POP     EBX
    8760 C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8761 6653          PUSH    EBX
    8763 6652          PUSH    EDX
    8765 662BD2        SUB     EDX,EDX
    8768 678A13        MOV     DL,[EBX]
    876B 6683E20F      AND     EDX,+0F
    876F 662BC9        SUB     ECX,ECX
    8772 678A0B        MOV     CL,[EBX]
    8775 C0E904        SHR     CL,04
    8778 6683F900      CMP     ECX,+00
    877C 0F850800      JNZ     8788
    8780 662BC9        SUB     ECX,ECX
    8783 665A          POP     EDX
    8785 665B          POP     EBX
    8787 C3            RET
    
    8788 6603DA        ADD     EBX,EDX
    878B 6603D9        ADD     EBX,ECX
    878E 67660FBE13    MOVSX   EDX,BYTE PTR [EBX]
    8793 6649          DEC     ECX
    8795 664B          DEC     EBX
    8797 6683F900      CMP     ECX,+00
    879B 0F840D00      JZ      87AC
    879F 66C1E208      SHL     EDX,08
    87A3 678A13        MOV     DL,[EBX]
    87A6 664B          DEC     EBX
    87A8 6649          DEC     ECX
    87AA EBEB          JMP     8797
    
    87AC 668BCA        MOV     ECX,EDX
    87AF 665A          POP     EDX
    87B1 665B          POP     EBX
    87B3 C3            RET
    ; ==============================================================================================
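Added example, not part of the original listing: the routines at 86A1, 871F and 8761 read as a lookup over an NTFS data-run list (one header byte per run, low nibble = size of the length field, high nibble = size of the signed offset field), so this is the same lookup in C with the bounds checks the listing does not make. It goes beyond the listing by reporting a run with no offset field as sparse, where 8761 simply returns a zero delta; `vcn_to_lcn`, `struct extent`, the status names and the run list are hypothetical and constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { MAP_OK = 0, MAP_NOT_FOUND = -1, MAP_MALFORMED = -2 };

struct extent {
    int64_t lcn;        /* cluster on disk (EAX at 871A); -1 for a sparse run */
    int64_t remaining;  /* clusters left in the run from this one on (ECX)   */
};

/* n-byte little-endian field, sign-extended from its top byte (the MOVSX
   at 873B and 878E), built low-address-last as the listing's loops do. */
static int64_t read_signed_le(const uint8_t *p, unsigned n)
{
    int64_t v = (int8_t)p[n - 1];
    for (unsigned i = n - 1; i-- > 0; )
        v = v * 256 + p[i];
    return v;
}

/* Map a virtual cluster number to a logical one by walking the run list. */
int vcn_to_lcn(const uint8_t *runs, size_t len, int64_t first_vcn,
               int64_t vcn, struct extent *out)
{
    size_t  pos = 0;
    int64_t run_vcn = first_vcn;  /* EDX: first VCN of the current run */
    int64_t lcn = 0;              /* ESI: running sum of offset deltas */

    if (vcn < first_vcn)
        return MAP_NOT_FOUND;

    while (pos < len && runs[pos] != 0) {          /* 0x00 ends the list */
        unsigned len_sz = runs[pos] & 0x0F;
        unsigned off_sz = runs[pos] >> 4;

        if (len_sz == 0 || len_sz > 8 || off_sz > 8)
            return MAP_MALFORMED;
        if (len - pos - 1 < len_sz + off_sz)       /* entry must fit buffer */
            return MAP_MALFORMED;

        int64_t count = read_signed_le(runs + pos + 1, len_sz);
        if (count <= 0 || count > INT64_MAX - run_vcn)
            return MAP_MALFORMED;

        int sparse = (off_sz == 0);
        if (!sparse) {
            int64_t delta = read_signed_le(runs + pos + 1 + len_sz, off_sz);
            if (delta > INT64_MAX - lcn || lcn + delta < 0)
                return MAP_MALFORMED;              /* would leave the volume */
            lcn += delta;
        }

        if (vcn < run_vcn + count) {               /* JL 8711 in the listing */
            out->lcn = sparse ? -1 : lcn + (vcn - run_vcn);
            out->remaining = run_vcn + count - vcn;
            return MAP_OK;
        }
        run_vcn += count;
        pos += 1 + len_sz + off_sz;                /* 86F5..870B */
    }
    /* Hitting the terminator means "not mapped"; running off the end of
       the buffer without one means the list itself is damaged. */
    return (pos < len) ? MAP_NOT_FOUND : MAP_MALFORMED;
}

/* Constructed run list: 8 clusters at LCN 4096, 4 clusters at delta -16
   (LCN 4080), 2 sparse clusters, 3 clusters at delta +256 (LCN 4336). */
static const uint8_t SAMPLE_RUNS[] = {
    0x21, 0x08, 0x00, 0x10,
    0x11, 0x04, 0xF0,
    0x01, 0x02,
    0x21, 0x03, 0x00, 0x01,
    0x00
};

int main(void)
{
    static const int64_t probes[] = { 0, 9, 12, 15, 17 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct extent e = { 0, 0 };
        int rc = vcn_to_lcn(SAMPLE_RUNS, sizeof SAMPLE_RUNS, 0, probes[i], &e);
        printf("VCN %lld: rc=%d lcn=%lld remaining=%lld\n",
               (long long)probes[i], rc, (long long)e.lcn, (long long)e.remaining);
    }
    return 0;
}
```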
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    87B4 660BC9        OR      ECX,ECX
    87B7 0F850100      JNZ     87BC
    87BB C3            RET
    
    87BC 6651          PUSH    ECX
    87BE 6656          PUSH    ESI
    87C0 67833E61      CMP     WORD PTR [ESI],+61   ; ('a')
    87C4 0F8C0C00      JL      87D4
    87C8 67833E7A      CMP     WORD PTR [ESI],+7A   ; ('z')
    87CC 0F8F0400      JG      87D4
    87D0 67832E20      SUB     WORD PTR [ESI],+20   ; (a SPACE character)
    87D4 6683C602      ADD     ESI,+02
    87D8 E2E6          LOOPW   87C0
    
    87DA 665E          POP     ESI
    87DC 6659          POP     ECX
    87DE C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    87DF 6650          PUSH    EAX
    87E1 6651          PUSH    ECX
    87E3 668BD0        MOV     EDX,EAX
    87E6 66A13202      MOV     EAX,[0232]
    87EA 67668D5810    LEA     EBX,10[EAX]
    87EF 67034304      ADD     AX,04[EBX]
    87F3 67668D4010    LEA     EAX,10[EAX]
    87F8 668BDA        MOV     EBX,EDX
    87FB E844F9        CALL    8142 
    
    87FE 660BC0        OR      EAX,EAX
    8801 0F840500      JZ      880A
    8805 6659          POP     ECX
    8807 6659          POP     ECX
    8809 C3            RET
    
    
    880A 66A13602      MOV     EAX,[0236]
    880E 660BC0        OR      EAX,EAX
    8811 0F850800      JNZ     881D
    8815 6659          POP     ECX
    8817 6659          POP     ECX
    8819 6633C0        XOR     EAX,EAX
    881C C3            RET
    
    ; ---------------------------------------------------------
    881D 668B163602    MOV     EDX,[0236]
    8822 67668D5210    LEA     EDX,10[EDX]
    8827 67668B4218    MOV     EAX,18[EDX]
    882C 6633D2        XOR     EDX,EDX
    882F 66F7366E02    DIV     DWORD PTR [026E]
    8834 6633F6        XOR     ESI,ESI
    8837 6650          PUSH    EAX
    8839 6656          PUSH    ESI
    883B 6658          POP     EAX
    883D 665E          POP     ESI
    883F 663BC6        CMP     EAX,ESI
    8842 0F843A00      JZ      8880
    8846 6656          PUSH    ESI
    8848 6640          INC     EAX
    884A 6650          PUSH    EAX
    884C 6648          DEC     EAX
    884E E81BFE        CALL    866C 
    
    8851 72E8          JB      883B
    8853 E8EBFD        CALL    8641 
    
    8856 665A          POP     EDX
    8858 665E          POP     ESI
    885A 6659          POP     ECX
    885C 665B          POP     EBX
    885E 6653          PUSH    EBX
    8860 6651          PUSH    ECX
    8862 6656          PUSH    ESI
    8864 6652          PUSH    EDX
    8866 66A14602      MOV     EAX,[0246]
    886A 67668D4018    LEA     EAX,18[EAX]
    886F E8D0F8        CALL    8142 
    
    8872 660BC0        OR      EAX,EAX
    8875 74C4          JZ      883B
    8877 6659          POP     ECX
    8879 6659          POP     ECX
    887B 6659          POP     ECX
    887D 6659          POP     ECX
    887F C3            RET
    
    ; ---------------------------------------------------------
    8880 6659          POP     ECX
    8882 6659          POP     ECX
    8884 6633C0        XOR     EAX,EAX
    8887 C3            RET
    ; ==============================================================================================
    
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8888 6651            PUSH    ECX
    888A 6650            PUSH    EAX
    888C 66B805000000    MOV     EAX,00000005
    8892 1E              PUSH    DS
    8893 07              POP     ES
    8894 668BF9          MOV     EDI,ECX
    8897 E88DFD          CALL    8627
    
    
    889A 668BC1          MOV     EAX,ECX
    889D 66BB20000000    MOV     EBX,00000020
    88A3 66B900000000    MOV     ECX,00000000
    88A9 66BA00000000    MOV     EDX,00000000
    88AF E833F8          CALL    80E5
    
    88B2 665B            POP     EBX
    88B4 6659            POP     ECX
    88B6 6685C0          TEST    EAX,EAX
    88B9 0F851500        JNZ     88D2
    88BD 668BC1          MOV     EAX,ECX
    
    88C0 660FB70E1002    MOVZX   ECX,WORD PTR [0210]    ; "$I30" in Unicode.
    88C6 66BA12020000    MOV     EDX,00000212
    88CC E816F8          CALL    80E5 
    
    88CF EB33            JMP     8904
    
    88D1 90            NOP
    
    ; ---------------------------------------------------
    88D2 6633D2        XOR     EDX,EDX
    88D5 668BC1        MOV     EAX,ECX
    88D8 668BCB        MOV     ECX,EBX
    88DB 6650          PUSH    EAX
    88DD 6653          PUSH    EBX
    88DF E82300        CALL    8905 
    
    88E2 665B          POP     EBX
    88E4 665F          POP     EDI
    88E6 660BC0        OR      EAX,EAX
    88E9 0F841700      JZ      8904
    88ED 1E            PUSH    DS
    88EE 07            POP     ES
    88EF E835FD        CALL    8627 
    
    88F2 668BC7          MOV     EAX,EDI
    88F5 660FB70E1002    MOVZX   ECX,WORD PTR [0210]    ; "$I30" in Unicode.
    88FB 66BA12020000    MOV     EDX,00000212
    8901 E8E1F7          CALL    80E5 
    
    8904 C3              RET
    ; ==============================================================================================
    
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8905 6652            PUSH    EDX
    8907 6651            PUSH    ECX
    8909 66BB20000000    MOV     EBX,00000020
    890F 66B900000000    MOV     ECX,00000000
    8915 66BA00000000    MOV     EDX,00000000
    891B E8C7F7          CALL    80E5
    
    891E 660BC0        OR      EAX,EAX
    8921 0F846300      JZ      8988
    8925 668BD8        MOV     EBX,EAX
    8928 1E            PUSH    DS
    8929 07            POP     ES
    892A 668B3E1A02    MOV     EDI,[021A]
    892F 6633C0        XOR     EAX,EAX
    8932 E859F8        CALL    818E 
    
    8935 1E            PUSH    DS
    8936 07            POP     ES
    8937 668B1E1A02    MOV     EBX,[021A]
    893C 6659          POP     ECX
    893E 665A          POP     EDX
    8940 2666390F      CMP     ES:[BX],ECX
    8944 0F850C00      JNZ     8954
    8948 2666395708    CMP     ES:[BX+08],EDX
    894D 0F843100      JZ      8982
    8951 EB13          JMP     8966
    
    8953 90            NOP
    
    8954 2666833FFF      CMP     DWORD PTR ES:[BX],-01
    8959 0F842F00        JZ      898C
    895D 26837F0400      CMP     WORD PTR ES:[BX+04],+00
    8962 0F842600        JZ      898C
    8966 26660FB74704    MOVZX   EAX,WORD PTR ES:[BX+04]
    896C 03D8            ADD     BX,AX
    896E 8BC3            MOV     AX,BX
    8970 250080          AND     AX,8000
    8973 74CB            JZ      8940
    8975 8CC0            MOV     AX,ES
    8977 050008          ADD     AX,0800
    897A 8EC0            MOV     ES,AX
    897C 81E3FF7F        AND     BX,7FFF
    8980 EBBE            JMP     8940
    
    8982 26668B4710    MOV     EAX,ES:[BX+10]
    8987 C3            RET
    
    8988 6659          POP     ECX
    898A 665A          POP     EDX
    898C 6633C0        XOR     EAX,EAX
    898F C3            RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8990 6650          PUSH    EAX
    8992 6651          PUSH    ECX
    8994 668BC7        MOV     EAX,EDI
    8997 66C1E804      SHR     EAX,04
    899B 06            PUSH    ES
    899C 59            POP     CX
    899D 03C8          ADD     CX,AX
    899F 51            PUSH    CX
    89A0 07            POP     ES
    89A1 6683E70F      AND     EDI,+0F
    89A5 6659          POP     ECX
    89A7 6658          POP     EAX
    89A9 C3            RET
    ; ==============================================================================================
    
    
    ; ============================ S U B R O U T I N E =============================================
    89AA 60            PUSHA
    89AB 06            PUSH    ES
    89AC BEBD0D        MOV     SI,0DBD
    89AF BF0020        MOV     DI,2000
    89B2 1E            PUSH    DS
    89B3 07            POP     ES
    89B4 B90D00        MOV     CX,000D
    
    89B7 90            NOP
    
    89B8 F3A5          REP     MOVSW
    89BA 07            POP     ES
    89BB 61            POPA
    89BC C3            RET
    ; ==============================================================================================
    
    
    ;====================================================================================
    ; Not sure what these areas are used for! May not be code! Appear to never be called.
    ;====================================================================================
    89BD 0123              ADD     [BP+DI],SP
    89BF 45                INC     BP
    89C0 6789ABCDEFFEDC    MOV     DCFEEFCD[EBX],BP
    89C7 BA9876            MOV     DX,7698
    89CA 54                PUSH    SP
    89CB 3210              XOR     DL,[BX+SI]
    89CD F0                LOCK    (unused)
    89CE E1D2              LOOPZW  89A2
    89D0 C3                RET
    ;=======================================================================
    89D1 0000          ADD     [BX+SI],AL
    89D3 0000          ADD     [BX+SI],AL
    89D5 2020          AND     [BX+SI],AH
    ; ===================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    89D7 60            PUSHA
    89D8 8B361820      MOV     SI,[2018]
    89DC 268A05        MOV     AL,ES:[DI]
    89DF 8804          MOV     [SI],AL
    89E1 47            INC     DI
    89E2 46            INC     SI
    89E3 66FF061420    INC     DWORD PTR [2014]
    89E8 81FE6020      CMP     SI,2060
    89EC 7506          JNZ     89F4
    89EE E85B00        CALL    8A4C 
    
    89F1 BE2020        MOV     SI,2020
    89F4 E2E6          LOOPW   89DC
    
    89F6 89361820      MOV     [2018],SI
    89FA 61            POPA
    89FB C3            RET
    ; ==============================================================================================
    
    
    ; ============================ S U B R O U T I N E =============================================
    89FC 6660        PUSHAD
    89FE 8B361820    MOV     SI,[2018]
    8A02 B080        MOV     AL,80
    8A04 8804        MOV     [SI],AL
    8A06 46          INC     SI
    8A07 32C0        XOR     AL,AL
    8A09 81FE6020    CMP     SI,2060
    8A0D 7506        JNZ     8A15
    8A0F E83A00      CALL    8A4C 
    
    8A12 BE2020      MOV     SI,2020
    8A15 81FE5820    CMP     SI,2058
    8A19 75E9        JNZ     8A04
    8A1B 6633C0      XOR     EAX,EAX
    8A1E 66A35820    MOV     [2058],EAX
    8A22 66A11420    MOV     EAX,[2014]
    8A26 66C1E003    SHL     EAX,03
    8A2A 660FC8      BSWAP   EAX
    8A2D 66A35C20    MOV     [205C],EAX
    8A31 E81800      CALL    8A4C 
    
    8A34 BB0020      MOV     BX,2000
    8A37 668B07      MOV     EAX,[BX]
    8A3A 660FC8      BSWAP   EAX
    8A3D 668907      MOV     [BX],EAX
    8A40 83C304      ADD     BX,+04
    8A43 81FB3420    CMP     BX,2034
    8A47 75EE        JNZ     8A37
    8A49 6661        POPAD
    8A4B C3          RET
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8A4C 6660            PUSHAD
    8A4E BB2020          MOV     BX,2020
    8A51 668B07          MOV     EAX,[BX]
    8A54 660FC8          BSWAP   EAX
    8A57 668907          MOV     [BX],EAX
    8A5A 83C304          ADD     BX,+04
    8A5D 81FB6020        CMP     BX,2060
    8A61 75EE            JNZ     8A51
    8A63 BB0020          MOV     BX,2000
    8A66 668B0F          MOV     ECX,[BX]
    8A69 668B5704        MOV     EDX,[BX+04]
    8A6D 668B7708        MOV     ESI,[BX+08]
    8A71 668B7F0C        MOV     EDI,[BX+0C]
    8A75 668B6F10        MOV     EBP,[BX+10]
    8A79 BB2020          MOV     BX,2020
    8A7C C7061A20300F    MOV     WORD PTR [201A],0F30
    8A82 C6061C2014      MOV     BYTE PTR [201C],14
    
    8A87 90            NOP
    
    8A88 53              PUSH    BX
    8A89 8B1E1A20        MOV     BX,[201A]
    8A8D FF17            CALL    WORD PTR [BX]
    
    8A8F 66034702        ADD     EAX,[BX+02]
    8A93 5B              POP     BX
    8A94 6603E8          ADD     EBP,EAX
    8A97 66032F          ADD     EBP,[BX]
    8A9A 668BC1          MOV     EAX,ECX
    8A9D 66C1C005        ROL     EAX,05
    8AA1 6603C5          ADD     EAX,EBP
    8AA4 668BEF          MOV     EBP,EDI
    8AA7 668BFE          MOV     EDI,ESI
    8AAA 668BF2          MOV     ESI,EDX
    8AAD 66C1C61E        ROL     ESI,1E
    8AB1 668BD1          MOV     EDX,ECX
    8AB4 668BC8          MOV     ECX,EAX
    8AB7 668B07          MOV     EAX,[BX]
    8ABA 66334708        XOR     EAX,[BX+08]
    8ABE 66334720        XOR     EAX,[BX+20]
    8AC2 66334734        XOR     EAX,[BX+34]
    8AC6 66D1C0          ROL     EAX,1
    8AC9 66894740        MOV     [BX+40],EAX
    8ACD 83C304          ADD     BX,+04
    8AD0 FE0E1C20        DEC     BYTE PTR [201C]
    8AD4 75B2            JNZ     8A88
    8AD6 83061A2006      ADD     WORD PTR [201A],+06
    8ADB 813E1A20480F    CMP     WORD PTR [201A],0F48
    8AE1 759F            JNZ     8A82
    8AE3 BB0020          MOV     BX,2000
    8AE6 66010F          ADD     [BX],ECX
    8AE9 66015704        ADD     [BX+04],EDX
    8AED 66017708        ADD     [BX+08],ESI
    8AF1 66017F0C        ADD     [BX+0C],EDI
    8AF5 66016F10        ADD     [BX+10],EBP
    8AF9 6661            POPAD
    8AFB C3              RET
    ; ==============================================================================================
    
    
    ;===============================================================================================
    ; What are the following bytes used for?                May be only DATA; or even garbage? 
    ;===============================================================================================
    8AFC 668BC6        MOV     EAX,ESI
    8AFF 6633C7        XOR     EAX,EDI
    8B02 6623C2        AND     EAX,EDX
    8B05 6633C7        XOR     EAX,EDI
    8B08 C3            RET
    8B09 668BC2        MOV     EAX,EDX
    8B0C 6633C6        XOR     EAX,ESI
    8B0F 6633C7        XOR     EAX,EDI
    8B12 C3            RET
    8B13 6653          PUSH    EBX
    8B15 668BC2        MOV     EAX,EDX
    8B18 6623C6        AND     EAX,ESI
    8B1B 668BDA        MOV     EBX,EDX
    8B1E 6623DF        AND     EBX,EDI
    8B21 660BC3        OR      EAX,EBX
    8B24 668BDE        MOV     EBX,ESI
    8B27 6623DF        AND     EBX,EDI
    8B2A 660BC3        OR      EAX,EBX
    8B2D 665B          POP     EBX
    8B2F C3            RET
    8B30 FC            CLD
    8B31 0E            PUSH    CS
    8B32 99            CWD
    8B33 7982          JNS     8AB7
    8B35 5A            POP     DX
    8B36 090F          OR      [BX],CX
    8B38 A1EBD9        MOV     AX,[D9EB]
    8B3B 6E            OUTSB
    8B3C 130F          ADC     CX,[BX]
    8B3E DCBC1B8F      FDIVR   DOUBLE PTR [SI+8F1B]
    8B42 090F          OR      [BX],CX
    8B44 D6            DB      D6          ; INDICATOR THAT THIS IS ONLY A DATA OR GARBAGE AREA!
    8B45 C162CA        DB      C1,62,CA
    ; ==============================================================================================
    
    
    
    ; ============================ S U B R O U T I N E =============================================
    8B48 06            PUSH    ES
    8B49 1E            PUSH    DS
    8B4A 6660          PUSHAD
    8B4C 6633DB        XOR     EBX,EBX
    8B4F B800BB        MOV     AX,BB00
    8B52 CD1A          INT     1A
    
    
    8B54 6623C0            AND     EAX,EAX
    8B57 0F85BB00          JNZ     8C16
    8B5B 6681FB54435041    CMP     EBX,41504354		; "APCT" which is: "TCPA".
    8B62 0F85B000          JNZ     8C16
    8B66 81F90201          CMP     CX,0102
    8B6A 0F82A800          JB      8C16
    8B6E 6661              POPAD
    
    8B70 90            NOP
    
    8B71 1F            POP     DS
    8B72 07            POP     ES
    8B73 06            PUSH    ES
    8B74 1E            PUSH    DS
    8B75 6660          PUSHAD
    8B77 67807B0800    CMP     BYTE PTR 08[EBX],00
    8B7C 0F850C00      JNZ     8B8C
    8B80 67668D5310    LEA     EDX,10[EBX]
    8B85 67668B0A      MOV     ECX,[EDX]
    8B89 EB25          JMP     8BB0
    
    8B8B 90            NOP
    
    8B8C 67668D5310        LEA     EDX,10[EBX]
    8B91 67668B4A28        MOV     ECX,28[EDX]
    8B96 6681F900000800    CMP     ECX,00080000
    8B9D 0F830C00          JAE     8BAD
    8BA1 67668B422C        MOV     EAX,2C[EDX]
    8BA6 6623C0            AND     EAX,EAX
    8BA9 0F840300          JZ      8BB0
    8BAD 6633C9            XOR     ECX,ECX
    8BB0 0E                PUSH    CS
    8BB1 1F                POP     DS
    8BB2 E8F5FD            CALL    89AA 
    
    8BB5 6623C9          AND     ECX,ECX
    8BB8 0F843200        JZ      8BEE
    8BBC 66BA00800000    MOV     EDX,00008000
    8BC2 663BCA          CMP     ECX,EDX
    8BC5 0F861F00        JBE     8BE8
    8BC9 662BCA          SUB     ECX,EDX
    8BCC 06              PUSH    ES
    8BCD 6651            PUSH    ECX
    8BCF 6657            PUSH    EDI
    8BD1 6652            PUSH    EDX
    8BD3 668BCA          MOV     ECX,EDX
    8BD6 E8B7FD          CALL    8990 
    
    8BD9 E8FBFD          CALL    89D7 
    
    8BDC 665A          POP     EDX
    8BDE 665F          POP     EDI
    8BE0 6659          POP     ECX
    8BE2 07            POP     ES
    8BE3 6603FA        ADD     EDI,EDX
    8BE6 EBDA          JMP     8BC2
    
    8BE8 E8A5FD        CALL    8990 
    
    8BEB E8E9FD        CALL    89D7 
    
    8BEE E80BFE        CALL    89FC 
    
    8BF1 0E              PUSH    CS
    8BF2 07              POP     ES
    8BF3 66BB54435041    MOV     EBX,41504354		; "APCT" which is: "TCPA".
    8BF9 66BF00200000    MOV     EDI,00002000
    8BFF 66B914000000    MOV     ECX,00000014
    8C05 66B807BB0000    MOV     EAX,0000BB07
    8C0B 66BA0A000000    MOV     EDX,0000000A
    8C11 6633F6          XOR     ESI,ESI
    8C14 CD1A            INT     1A
    
    8C16 6661          POPAD
    
    8C18 90            NOP
    
    8C19 1F            POP     DS
    8C1A 07            POP     ES
    8C1B C3            RET
    
    8C1C A0F901        MOV     AL,[01F9]
    8C1F E94BF1        JMP     7D6D
    
    8C22 A0FA01        MOV     AL,[01FA]
    8C25 E945F1        JMP     7D6D
    ; ==============================================================================================
    

Memory Location 0000:8C27 is the last byte of the BOOTMGR Loader's ("Bootstrap") code.  
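
The bytes the listing leaves unidentified can be decoded from the page's own code: the routine at 89AA copies 0Dh words from offset 0DBDh (linear 89BDh) to 2000h, and the loop at 8A4C calls through a table of 6-byte entries running from offset 0F30h to 0F48h (linear 8B30h to 8B47h). The Python below is an added example, not part of the original page or of Microsoft's code; it re-implements that loop from the listing and shows the result equals standard SHA-1. It assumes CS = DS = 07C0h, and the function names are ours.

```python
import hashlib
import struct

# Bytes transcribed from the listing. Assumption: CS = DS = 07C0h, so offset
# 0DBDh is linear 89BDh and offset 0F30h is linear 8B30h.
IV_89BD = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210F0E1D2C3")  # first 20 of the 26 bytes
TABLE_8B30 = bytes.fromhex("FC0E9979825A" "090FA1EBD96E" "130FDCBC1B8F" "090FD6C162CA")
M = 0xFFFFFFFF

def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & M

# The three short routines at 8AFC..8B2F, taking EDX, ESI, EDI as b, c, d.
ROUND_FN = {
    0x8AFC: lambda b, c, d: ((c ^ d) & b) ^ d,            # SHA-1 "Ch"
    0x8B09: lambda b, c, d: b ^ c ^ d,                    # SHA-1 "Parity"
    0x8B13: lambda b, c, d: (b & c) | (b & d) | (c & d),  # SHA-1 "Maj"
}

def decode_table(raw=TABLE_8B30, base=0x7C00):
    """Split the 24 bytes into (linear call target, round constant) pairs."""
    return [(base + off, k) for off, k in struct.iter_unpack("<HI", raw)]

def compress(state, block):
    """Process one 64-byte block the way the loop at 8A4C..8AFB does."""
    w = list(struct.unpack(">16I", block))       # BSWAP pass over 2020h..205Fh
    a, b, c, d, e = state                        # ECX, EDX, ESI, EDI, EBP
    t = 0
    for target, k in decode_table():             # [201A] steps 0F30h..0F48h by 6
        for _ in range(0x14):                    # [201C] = 14h rounds per entry
            tmp = (rol(a, 5) + ROUND_FN[target](b, c, d) + k + e + w[t]) & M
            a, b, c, d, e = tmp, a, rol(b, 30), c, d
            w.append(rol(w[t] ^ w[t + 2] ^ w[t + 8] ^ w[t + 13], 1))  # MOV [BX+40],EAX
            t += 1
    return [(s + v) & M for s, v in zip(state, (a, b, c, d, e))]

def loader_digest(data):
    """Hash data as 89AA (init), 89D7 (feed) and 89FC (pad and finish) do."""
    state = list(struct.unpack("<5I", IV_89BD))  # dwords copied to 2000h..2013h
    padded = data + b"\x80"                      # MOV AL,80 at 8A02
    padded += b"\x00" * (-(len(padded) + 8) % 64)
    padded += struct.pack(">II", 0, (len(data) << 3) & M)  # [2058] = 0, [205C] = bit count
    for i in range(0, len(padded), 64):
        state = compress(state, padded[i:i + 64])
    return struct.pack(">5I", *state)            # final BSWAP of the state dwords

def matches_sha1(data):
    return loader_digest(data) == hashlib.sha1(data).digest()

if __name__ == "__main__":
    for target, k in decode_table():
        print(f"call {target:04X}  K = {k:08X}")
    print("matches hashlib SHA-1:", matches_sha1(b"constructed sample input"))
```

The 20-byte digest left at 2000h is the buffer the routine at 8B48 passes to INT 1A with EAX = 0000BB07, EDI = 00002000 and ECX = 00000014.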


This page is still under construction . . . .

First Published: July 31, 2015 (31.07.2015).
Updated: 31 JUL 2015 (31.07.2015); there were many updates during AUG 2015 (08.2015).
Last Update: 30 AUG 2015 (30.08.2015). [ Well, life became more complicated yet again, so there have been no updates since AUG 2015!]


 
