Introduction

This page examines the second and following sectors of the NTFS Boot Record Code for Windows 7 (NT6.0). A Microsoft® web page refers to these sectors as being part of the bootstrap code for an NTFS partition (see reference here). But since the code in the first sector (the Boot Sector) loads all the other sectors into Memory, we are calling these sectors the BOOTMGR Loader section of the NTFS Boot Record. This section is actually the bulk of the whole Boot Record Area. And the bootmgr program which it loads is what makes NTFS volumes both flexible and very confusing for most users, due to its use of a file called BCD (Boot Configuration Data), which among other things refers to the starting sector of a Windows 7 OS's C: drive! So any change to the beginning location (and possibly the size) of that partition means that this data must also be updated in the Registry at the same time! See our BCD page for an introduction to this file.

Our objectives here are to identify the purpose of the bytes in the Data Area (or as many of them as we can) and the function of the major blocks of code, such as subroutines; not to cover every instruction in these seven full sectors (plus 40 bytes of an 8th) of code and data. The MBR loads the Win 7 Boot Sector into Memory at location 0000:7C00, after which the Boot Sector code loads the remaining 15 sectors of the Boot Record Area immediately after it. So our Examination of the Code below will be done as if it were already loaded into Memory at 07C0:0200 (or 0000:7E00, Linear Memory location 0x7E00) and following, since that is where the code is actually located when it executes. Take this link to see how the entire VBR Area appears in a Disk Editor.
The Data Area at the beginning of the BOOTMGR Loader's (Bootstrap) Code

Hex Dump of the "BOOTMGR Loader Data Area":
Absolute Sector 2049 (Cylinder 0, Head 32, Sector 34) or Relative Sector 1

Off.   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0200:  07 00 42 00 4F 00 4F 00 54 00 4D 00 47 00 52 00   ..B.O.O.T.M.G.R.
0210:  04 00 24 00 49 00 33 00 30 00 00 D4 00 00 00 24   ..$.I.3.0......$
0220:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0230:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0250:  00 00 00 00 00 00 EB 22 90 90 05 00 4E 00 54 00   ......."....N.T.
0260:  4C 00 44 00 52 00 00 00 00 00 00 00 00 00 00 00   L.D.R...........
0270:  00 00 00 00 00 00 00 00 00 00                     ..........
After searching through the code below, we were able to establish that all of the underlined 4-byte buffer or intermediate storage locations shown in the Data Area above are used by this code (links are to the section of code below where each Double Word first occurs or is computed, followed by the location of each instruction using this value; we have also included a sample value for each one, so you will have an example of the relationships between them). What the following Memory locations are used for is still under construction . . . as are most comments regarding them in the code below.

From the instruction at offset 7EBE below, we know the bytes at offsets 0256 through 0259 of this Data Area ("EB 22 90 90") are never executed, since these same bytes, after being loaded into Memory, are overwritten by that instruction, which stores the contents of EAX there after a division operation! Furthermore, after examining many other NTFS partitions, we have always found these same exact bytes in this "Data Area" location on every disk. Our Conclusion: This area is never changed on any hard drive, but it is used to store data after being copied into Memory. However, it is a fact that if code execution were ever passed to Memory location 0000:7E56 before it was overwritten, the "EB 22" would jump to location 0000:7E7A, where this BOOTMGR Loader code currently begins. So, for whatever reason, we can't help but assume some programmer chose these bytes for that purpose, even though they appear to no longer be used (unless someone can find a Boot Sector that still has the location 07C0:0256 coded into it?).
An Examination of the Code

This is a disassembled copy of the code (with comments following ";") after being loaded into memory by the Win 7 NTFS Boot Sector, which has already loaded all 15 sectors of both the "Bootstrap" data/code (3,624 bytes) and the zero-byte padded area (4,056 bytes) into locations 07C0:0200 (or 0000:7E00) and following, then transferred execution to location 07C0:027A (or Linear address 0x7E7A, as we'll refer to it below):

; ==================== S T A R T   O F   M A I N   C O D E   P A T H =========================
; ============================================================================================
; Computation of Bytes per Cluster :
7E7A 660FB7060B00     MOVZX EAX,WORD PTR [000B]      ; Sector Size in (hex) bytes
                                                    ; from the BPB. (Example:
                                                    ; 200h = 512 bytes/sector.)
7E80 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]      ; Sectors per Cluster from BPB.
7E86 66F7E3           MUL EAX,EBX                    ; So, EAX will = Bytes per Cluster
7E89 66A35202         MOV [0252],EAX                 ; Store in --> [7E52]
                                                    ; (Example: 1000h = 4096 bytes/cluster.)
; ============================================================================================
; Computation of Bytes per File Record Segment (Bytes per FRS)
; (This code also shows how a -10 in 0x7C40 turns into 1024 bytes per FRS):
7E8D 668B0E4000       MOV ECX,[0040]                 ; [ Clusters per File Record Segment ]
7E92 80F900           CMP CL,00                      ; Normally CL is F6h (-10 as signed-byte).
7E95 0F8F0E00         JG 7EA7                        ; If > 0, go to 7EA7. But in most cases it
                                                    ; will be negative (Less Than Zero),...
7E99 F6D9             NEG CL                         ; So, Negation of F6(-10) = 0A (or +10).
7E9B 66B801000000     MOV EAX,00000001               ;| Put a 1 in EAX
7EA1 66D3E0           SHL EAX,CL                     ;| Shift Left 1 by 10 bits = 400h = 1024
7EA4 EB08             JMP 7EAE                       ;| So, default value is 1,024 bytes.
7EA6 90               NOP
7EA7 66A15202         MOV EAX,[0252]                 ; Multiply Bytes per Cluster by
7EAB 66F7E1           MUL EAX,ECX                    ; Clusters per File Record Segment =
                                                    ; Bytes per File Record Segment!
7EAE 66A36602         MOV [0266],EAX                 ;| Store BpFRS in --> [7E66].
; ============================================================================================
; Computation of Sectors per File Record Segment :
7EB2 660FB71E0B00     MOVZX EBX,WORD PTR [000B]      ; Put Bytes per Sector in EBX...
7EB8 6633D2           XOR EDX,EDX                    ; EDX = 0.
7EBB 66F7F3           DIV EAX,EBX                    ; Divide BpFRS (still in EAX) by Bytes
                                                    ; per Sector, so EAX will become:
                                                    ; Sectors per File Record Segment
                                                    ; (With BpFRS=1024, we would get 2 here;
                                                    ; if media is using 512 bytes/sector.)
7EBE 66A35602         MOV [0256],EAX                 ; Store it in [7E56].
                                                    ; (Note: "EB 22 90 90" in Memory will
                                                    ; be replaced by whatever is in EAX.)
7EC2 E89504           CALL 835A
7EC5 668B0E4E02       MOV ECX,[024E]                 ; 1st time for our example, [024E] = 0x2c08.
7ECA 66890E2602       MOV [0226],ECX                 ; Store it in [7E26].
7ECF 66030E6602       ADD ECX,[0266]                 ; Bytes per FRS (400h = 1024)
                                                    ; 400h + 2c08 = 3008h.
7ED4 66890E2A02       MOV [022A],ECX                 ; Store it in [7E2A].
7ED9 66030E6602       ADD ECX,[0266]                 ; 400h + 3008h = 3408h.
7EDE 66890E2E02       MOV [022E],ECX                 ; Store it in [7E2E].
7EE3 66030E6602       ADD ECX,[0266]                 ; 400h + 3408h = 3808h.
7EE8 66890E3E02       MOV [023E],ECX                 ; Store it in [7E3E].
7EED 66030E6602       ADD ECX,[0266]                 ; 400h + 3808h = 3c08.
7EF2 66890E4602       MOV [0246],ECX                 ; Store it in [7E46].
7EF7 66B890000000     MOV EAX,00000090
7EFD 668B0E2602       MOV ECX,[0226]
7F02 E88309           CALL 8888
7F05 660BC0           OR EAX,EAX
7F08 0F845EFE         JZ 7D6A                        ; Another use of code from the
                                                    ; Boot Sector... in this case,
                                                    ; to display error messages!

; We'll call this the Black-Hole Subroutine, since there
; is no escape from it! If execution ends up here, your
; PC will lock-up after displaying an error message!
; ====================================== S U B R O U T I N E =================================
7D6A A0F801           MOV AL,[7DF8]                  ; Contains 8Ch + 100 -> 7D8C h which
                                                    ; points to: "A disk read error occurred"
7D6D E80900           CALL 7D79                      ; Displays whatever is pointed to by byte in
                                                    ; AL + 100h in Segment 07C0; so: 0x7D_byte_
7D76 F4               HLT                            ; HLT: Not found in Vista VBR code!
7D77 EBFD             JMP 7D76
; ------------------------------ SUBROUTINE --------------------------------------------------
; INT 10, Function 0Eh (Teletype Output) is used to display each
; character of the error messages.
7D79 B401             MOV AH,01                      ; Adds 100h to offsets from above.
7D7B 8BF0             MOV SI,AX                      ; Offset of message -> Source Index Reg.
7D7D AC               LODSB                          ; Load one character into AL from [SI].
7D7E 3C00             CMP AL,00                      ;/ Have we reached end of message
7D80 7409             JZ 7D8B                        ;\ marker?(00) If so, then RETurn.
7D82 B40E             MOV AH,0E                      ;/ Otherwise use Teletype Output to ...
7D84 BB0700           MOV BX,0007                    ;| (BH = Display page 0, BL = 07 is
                                                    ;| normal White on Black characters.)
7D87 CD10             INT 10                         ;| ... display one character at a time,
7D89 EBF2             JMP 7D7D                       ;\ and go back for another character...
7D8B C3               RET

; Further down in the code, it will also CALL the following subroutine in the Boot Sector
; =============================================================
; SUBROUTINE - INT 13 Function 42h Extended DISK READ
; =============================================================
7D1D 6660           * PUSHAD                         ; "Push All Double" - all 32-bit
                                                    ; GP Regs pushed onto Stack!
7D1F 1E               PUSH DS                        ;/ Both are 0x07C0
7D20 06               PUSH ES                        ;\ when we enter.
7D21 66A11100         MOV EAX,[0011]                 ; For our Samples, at 1st pass,
                                                    ; [7C11-14] = 0x600000 or 0x10AA8
7D25 6603061C00       ADD EAX,[001C]                 ; Add Number of Hidden Sectors [001C] to
                                                    ; Relative Sector offset within this Volume
                                                    ; (already in EAX); result --> EAX Register.
; This gives us Abs. Sector on disk (or media) to start reading from below.
; For our Samples, this would give us: 0x600800 (6,293,504) or 0x112A8 (70,312).
7D2A 1E               PUSH DS                        ; Put another 0x07C0 onto Stack.
7D2B 666800000000   * PUSH 00000000                  ; Put 4 zero bytes onto Stack.
                                                    ; (These would be used to read
                                                    ; locations beyond 32 bits.)
7D31 6650           * PUSH EAX                       ; Starting Absolute Sector
7D33 06               PUSH ES                        ; Transfer Buffer _Segment:_
7D34 53               PUSH BX                        ; Transfer Buffer _:Offset_
7D35 680100         * PUSH 0001                      ; Blocks to Transfer = 1
7D38 681000         * PUSH 0010                      ; Size of Packet = 16 bytes
7D3B B442             MOV AH,42                      ; Function 42h (INT13)
7D3D 8A160E00         MOV DL,[000E]                  ; Drive # (usually 80h) -> DL
                                                    ; (Set at 7C66 in Boot Sector)
7D41 16               PUSH SS                        ; (which is zero)...
7D42 1F               POP DS                         ; ...changing DS to zero.
7D43 8BF4             MOV SI,SP                      ; DS:SI (0000:7BA2) -> Disk Address Packet; which
                                                    ; is: _The Stack_ we just PUSHed all that data onto!
7D45 CD13             INT 13                         ; Read sector from media.

========================================================================
Upon entry into the INT 13 Interrupt with AX=4201, we have:
   DL    = drive number = 80h
   DS:SI -> disk address packet = 0000:7BA2 (Top of Stack; onto which
            we stored all required data as follows)
EXAMPLE VALUES are given for Reading from Absolute Sector 0x112A8

Format of Disk Address Packet:
=============================
Offst  Size   Description
------------------------------------------------------------------------
 00    BYTE   Size of packet (in this case: 10h or 16 bytes)     [7BA2]
              (The 16 bytes include & start with this byte!)
 01    BYTE   Reserved (0)                                       [7BA3]
 02    WORD   Number of Blocks to Transfer (always 1 for us)     [7BA4 - 7BA5]
              ("01 00" in Memory = 1)
 04    DWORD  -> Transfer Buffer (as little-endian Segment:Offset value):
              [7BA6 - 7BA9] = (00 24 C0 07) = 07C0:2400, which is the same
              as Linear offset: 7C00h + 2400h = 0xA000.
 08    QWORD  Starting Absolute Sector Number:                   [7BAA - 7BB1]
              ---> ("A8 12 01 00 00 00 00 00") = 0112A8h = 70,312
----------------------------------------------------------------------
(for non-LBA devices, compute as follows):
   (((Cylinder x Number of Heads) + Selected Head) x Sectors/Track) + Selected Sector - 1,
   or for here: (((69 x 16) + 12) x 63) + 5 - 1 = 70,312
----------------------------------------------------------------------
============================================
Return: CF clear if successful and AH = 00h
============================================
        CF set on error; AH = error code
        Disk Address Packet's block count field is set to number of
        blocks successfully transferred
========================================================================

7D47 6659           * POP ECX                        ; Usually: 0x00010010
7D49 5B               POP BX                         ; Offset we read from: 2400
7D4A 5A               POP DX                         ; and its Segment: 07C0:
7D4B 6659           * POP ECX                        ; Sector we read from.
7D4D 6659           * POP ECX                        ; Zeros out ECX.
7D4F 1F               POP DS                         ; Put 07C0 back in DS.
7D50 0F821600       * JB 7D6A                        ; Jump if Disk Read Error.
7D54 66FF061100     * INC DWORD PTR [0011]           ; Add 1 to [7C11 - 7C14] so
                                                    ; next sector will be read from.
7D59 03160F00         ADD DX,[000F]                  ; Just as the Boot Sector code did, by
                                                    ; adding Bytes per Sector/16 to DX, this
                                                    ; sets up INT 13 to read the next sector.
7D5D 8EC2             MOV ES,DX                      ; For our Example, DX and ES become:
                                                    ; 7c0 + 20h = 7e0.
7D5F FF0E1600         DEC WORD PTR [0016]            ; [7C16] Counts down number
                                                    ; of sectors to be copied.
                                                    ; This was set at line 83A1 first time;
                                                    ; for other disk reads see lines:
                                                    ; 80CA, 852A, 85D2 and 85EC.
7D63 75BC             JNZ 7D21
7D65 07               POP ES
7D66 1F               POP DS
7D67 6661           * POPAD                          ; "Pop All Double" - all 32-bit
                                                    ; GP Regs reset from Stack!
7D69 C3               RET

7F0C 66A33202         MOV [0232],EAX                 ; Store it in [7E32].
7F10 66B8A0000000     MOV EAX,000000A0
7F16 668B0E2A02       MOV ECX,[022A]
7F1B E86A09           CALL 8888
7F1E 66A33602         MOV [0236],EAX                 ; Store it in [7E36].
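As an added worked example (Python written for this page, not code from the boot record or from Microsoft), the following carries the BPB arithmetic of 7E7A through 7EBE and of 837E through 8393 through on a constructed boot sector holding the page's second set of sample values (512 bytes/sector, 8 sectors/cluster, $MFT at cluster 2155h, F6h = -10 clusters per FRS, 800h hidden sectors), adds the Hidden Sectors as 7D25 does, and packs the 16-byte Disk Address Packet that 7D2B through 7D38 pushes onto the stack; the CHS formula in the table above is checked with the same numbers. The BPB offsets come from the listing; the function names and the constructed sector are assumptions, and the drive number at [000E] is simply preset to 80h, where the page says the Boot Sector stores DL at run time.

```python
import struct

# Constructed sample boot sector (first 0x200 bytes of an NTFS volume); not a dump
# from the page, just the BPB fields the loader reads, filled with the page's sample values.
SAMPLE_BOOT_SECTOR = bytearray(0x200)
SAMPLE_BOOT_SECTOR[0x00:0x03] = b"\xEB\x52\x90"            # JMP/NOP at the start of an NTFS VBR
SAMPLE_BOOT_SECTOR[0x03:0x0B] = b"NTFS    "                # OEM ID
struct.pack_into("<HB", SAMPLE_BOOT_SECTOR, 0x0B, 512, 8)  # [000B] Bytes/Sector, [000D] Sectors/Cluster
SAMPLE_BOOT_SECTOR[0x0E] = 0x80                            # [000E] drive number (assumed preset here)
struct.pack_into("<I", SAMPLE_BOOT_SECTOR, 0x1C, 0x800)    # [001C] Hidden Sectors (partition at LBA 2048)
struct.pack_into("<Q", SAMPLE_BOOT_SECTOR, 0x30, 0x2155)   # [0030] Starting Cluster of $MFT
struct.pack_into("<b", SAMPLE_BOOT_SECTOR, 0x40, -10)      # [0040] Clusters per FRS, signed byte F6h
struct.pack_into("<H", SAMPLE_BOOT_SECTOR, 0x1FE, 0xAA55)  # boot signature


def bytes_per_frs(clusters_per_frs: int, bytes_per_cluster: int) -> int:
    """7E8D-7EAE: a positive value is a cluster count; a negative value -n means 2**n bytes."""
    if clusters_per_frs > 0:
        return clusters_per_frs * bytes_per_cluster
    return 1 << (-clusters_per_frs)


def loader_parameters(sector: bytes) -> dict:
    """Values the loader derives from the BPB, keyed by what it computes (see the listing)."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    hidden_sectors = struct.unpack_from("<I", sector, 0x1C)[0]
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    clusters_per_frs = struct.unpack_from("<b", sector, 0x40)[0]   # signed, like CMP CL,00 / NEG CL
    bpc = bytes_per_sector * sectors_per_cluster             # 7E7A-7E89  -> [7E52]
    bpfrs = bytes_per_frs(clusters_per_frs, bpc)             # 7E8D-7EAE  -> [7E66]
    spfrs = bpfrs // bytes_per_sector                        # 7EB2-7EBE  -> [7E56] (over "EB 22 90 90")
    mft_rel = mft_cluster * sectors_per_cluster              # 837E-8393  -> [7C11]
    mft_abs = mft_rel + hidden_sectors                       # 7D25, inside the INT 13h read subroutine
    return {
        "bytes_per_cluster": bpc,
        "bytes_per_frs": bpfrs,
        "sectors_per_frs": spfrs,
        "mft_relative_sector": mft_rel,
        "mft_absolute_sector": mft_abs,
        "drive": sector[0x0E],
    }


def build_dap(lba: int, segment: int, offset: int, blocks: int = 1) -> bytes:
    """The 16-byte Disk Address Packet pushed at 7D2B-7D38 (size, reserved, count,
    buffer offset, buffer segment, 64-bit starting sector), little-endian like the stack image."""
    return struct.pack("<BBHHHQ", 16, 0, blocks, offset, segment, lba)


def parse_dap(packet: bytes) -> dict:
    """Read a packet back the way INT 13h/AH=42h sees it at DS:SI."""
    size, _reserved, blocks, offset, segment, lba = struct.unpack("<BBHHHQ", packet)
    if size != 16:
        raise ValueError(f"unexpected packet size {size}")
    return {"blocks": blocks, "buffer_linear": (segment << 4) + offset, "lba": lba}


def chs_to_lba(cylinder: int, head: int, sector: int, heads: int, sectors_per_track: int) -> int:
    """The non-LBA conversion quoted in the table above."""
    return ((cylinder * heads) + head) * sectors_per_track + sector - 1


if __name__ == "__main__":
    params = loader_parameters(SAMPLE_BOOT_SECTOR)
    for key, value in params.items():
        print(f"{key:22s} = 0x{value:X} ({value})")
    dap = build_dap(params["mft_absolute_sector"], 0x07C0, 0x2400)
    print("DAP bytes:", dap.hex(" ").upper())
    print("parsed   :", parse_dap(dap))
    print("CHS check:", chs_to_lba(69, 12, 5, 16, 63))
```

Running it prints the same numbers the listing's comments give for the second sample: 1000h bytes per cluster, 400h bytes per FRS, 2 sectors per FRS, 10AA8h for the $MFT's relative sector and 112A8h for its absolute sector, and the packet bytes 10 00 01 00 00 24 C0 07 A8 12 01 00 00 00 00 00 that the table shows at 7BA2.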
7F22 66B8B0000000     MOV EAX,000000B0
7F28 668B0E2E02       MOV ECX,[022E]
7F2D E85809           CALL 8888
7F30 66A33A02         MOV [023A],EAX
7F34 66A13202         MOV EAX,[0232]
7F38 660BC0           OR EAX,EAX
7F3B 0F842BFE         JZ 7D6A
7F3F 6780780800       CMP BYTE PTR 08[EAX],00
7F44 0F8522FE         JNZ 7D6A
7F48 67668D5010       LEA EDX,10[EAX]
7F4D 67034204         ADD AX,04[EDX]
7F51 67660FB6480C     MOVZX ECX,BYTE PTR 0C[EAX]
7F57 66890E7202       MOV [0272],ECX
7F5C 67668B4808       MOV ECX,08[EAX]
7F61 66890E6E02       MOV [026E],ECX
7F66 66A16E02         MOV EAX,[026E]
7F6A 660FB70E0B00     MOVZX ECX,WORD PTR [000B]
7F70 6633D2           XOR EDX,EDX
7F73 66F7F1           DIV ECX
7F76 66A37602         MOV [0276],EAX
7F7A 66A14602         MOV EAX,[0246]
7F7E 6603066E02       ADD EAX,[026E]
7F83 66A34A02         MOV [024A],EAX
7F87 66833E360200     CMP DWORD PTR [0236],+00
7F8D 0F841D00         JZ 7FAE
7F91 66833E3A0200     CMP DWORD PTR [023A],+00
7F97 0F84CFFD         JZ 7D6A
7F9B 668B1E3A02       MOV EBX,[023A]
7FA0 1E               PUSH DS
7FA1 07               POP ES
7FA2 668B3E4A02       MOV EDI,[024A]
7FA7 66A12E02         MOV EAX,[022E]
7FAB E8E001           CALL 818E
7FAE 660FB70E0002     MOVZX ECX,WORD PTR [0200]      ; "BOOTMGR" in Unicode.
7FB4 66B802020000     MOV EAX,00000202
7FBA E82208           CALL 87DF
7FBD 660BC0           OR EAX,EAX
7FC0 0F851600         JNZ 7FDA
7FC4 660FB70E5A02     MOVZX ECX,WORD PTR [025A]      ; "NTLDR" in Unicode.
7FCA 66B85C020000     MOV EAX,0000025C
7FD0 E80C08           CALL 87DF
7FD3 660BC0           OR EAX,EAX
7FD6 0F84420C         JZ 8C1C
7FDA 67668B00         MOV EAX,[EAX]
7FDE 1E               PUSH DS
7FDF 07               POP ES
7FE0 668B3E3E02       MOV EDI,[023E]
7FE5 E83F06           CALL 8627
7FE8 66A13E02         MOV EAX,[023E]
7FEC 66BB20000000     MOV EBX,00000020
7FF2 66B900000000     MOV ECX,00000000
7FF8 66BA00000000     MOV EDX,00000000
7FFE E8E400           CALL 80E5
8001 6685C0           TEST EAX,EAX
8004 0F852300         JNZ 802B
8008 66A13E02         MOV EAX,[023E]
800C 66BB80000000     MOV EBX,00000080
8012 66B900000000     MOV ECX,00000000
8018 66BA00000000     MOV EDX,00000000
801E E8C400           CALL 80E5
8021 660BC0           OR EAX,EAX
8024 0F854400         JNZ 806C
8028 E9F10B           JMP 8C1C
802B 6633D2           XOR EDX,EDX
802E 66B980000000     MOV ECX,00000080
8034 66A13E02         MOV EAX,[023E]
8038 E8CA08           CALL 8905
803B 660BC0           OR EAX,EAX
803E 0F84DA0B         JZ 8C1C
8042 1E               PUSH DS
8043 07               POP ES
8044 668B3E3E02       MOV EDI,[023E]
8049 E8DB05           CALL 8627
804C 66A13E02         MOV EAX,[023E]
8050 66BB80000000     MOV EBX,00000080
8056 66B900000000     MOV ECX,00000000
805C 66BA00000000     MOV EDX,00000000
8062 E88000           CALL 80E5
8065 660BC0           OR EAX,EAX
8068 0F84B00B         JZ 8C1C
806C 67660FB7580C     MOVZX EBX,WORD PTR 0C[EAX]
8072 6681E3FF000000   AND EBX,000000FF
8079 0F85A50B         JNZ 8C22
807D 668BD8           MOV EBX,EAX
8080 680020           PUSH WORD 2000
8083 07               POP ES
8084 662BFF           SUB EDI,EDI
8087 66A13E02         MOV EAX,[023E]
808B E80001           CALL 818E
808E 680020           PUSH WORD 2000
8091 07               POP ES
8092 662BFF           SUB EDI,EDI
8095 66A13E02         MOV EAX,[023E]
8099 E8AC0A           CALL 8B48

; Exit Point to bootmgr program at Linear offset 0x20000:
809C 8A160E00         MOV DL,[000E]                  ; Drive Number - usually 80h (1st drive)
80A0 B8E803           MOV AX,03E8                    ; 0x03E8 -> AX
80A3 8EC0             MOV ES,AX                      ; ES (Extra Segment) = 0x3E8
80A5 8D360B00         LEA SI,[000B]                  ; Bytes per Sector
80A9 2BC0             SUB AX,AX                      ; Zero-out AX (like: "XOR AX,AX")
80AB 680020           PUSH WORD 2000
80AE 50               PUSH AX
80AF CB               RETF                           ; Jump to bootmgr program file in
                                                    ; Memory at Linear offset 0x20000
; ======================================== E N D   O F   M A I N   C O D E ===================
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
80B0 06               PUSH ES
80B1 1E               PUSH DS
80B2 6660             PUSHAD
80B4 668BDA           MOV EBX,EDX
80B7 660FB60E0D00     MOVZX ECX,BYTE PTR [000D]
80BD 66F7E1           MUL ECX
80C0 66A31100         MOV [0011],EAX
80C4 668BC3           MOV EAX,EBX
80C7 66F7E1           MUL ECX
80CA A31600           MOV [0016],AX
80CD 8BDF             MOV BX,DI
80CF 83E30F           AND BX,+0F
80D2 8CC0             MOV AX,ES
80D4 66C1EF04         SHR EDI,04
80D8 03C7             ADD AX,DI
80DA 50               PUSH AX
80DB 07               POP ES
80DC E83EFC           CALL 7D1D
80DF 6661             POPAD
80E1 90               NOP
80E2 1F               POP DS
80E3 07               POP ES
80E4 C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
80E5 67034014         ADD AX,WORD PTR DS:[EAX+14]    ; This would give us [A014] + 2400h; which
                                                    ; for our first example equals: 2438h.
80E9 67668338FF       CMP DWORD PTR [EAX],-01        ; Compare to 0xFFFFFFFF
80EE 0F844C00         JZ 813E                        ; Jumped when
                                                    ; [A198] = 0xFFFFFFFF
80F2 67663918         CMP DS:[EAX],EBX               ; [7c0:2438] = [A038] = 10h
                                                    ; Or: [A098] = 30h
                                                    ; Or: [A100] = 80h
                                                    ; Or: [A148] = B0h
80F6 0F853300         JNZ 812D                       ; So not '0' with EBX = 20h
80FA 660BC9           OR ECX,ECX
80FD 0F850A00         JNZ 810B
8101 6780780900       CMP BYTE PTR DS:[EAX+09],00
8106 0F852300         JNZ 812D
810A C3               RET
810B 673A4809         CMP CL,09[EAX]
810F 0F851A00         JNZ 812D
8113 668BF0           MOV ESI,EAX
8116 6703700A         ADD SI,0A[EAX]
811A E89706           CALL 87B4
811D 6651             PUSH ECX
811F 1E               PUSH DS
8120 07               POP ES
8121 668BFA           MOV EDI,EDX
8124 F3A7             REPE CMPSW
8126 6659             POP ECX
8128 0F850100         JNZ 812D
812C C3               RET
812D 676683780400     CMP DWORD PTR DS:[EAX+04],+00  ; [A03C] = 60h
8133 0F840700         JZ 813E
8137 6766034004       ADD EAX,DWORD PTR DS:[EAX+04]  ; EAX + [A03C] = 2438h + 60h = 2498h
                                                    ; Or: EAX+[A09C]=2498h + 68h = 2500h
                                                    ; Or: EAX+[A104]=2500h + 48h = 2548h
                                                    ; Or: EAX+[A14C]=2548h + 50h = 2598h
813C EBAB             JMP 80E9
813E 662BC0           SUB EAX,EAX                    ; similar to XOR function; leaves zero.
8141 C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
8142 668BF3           MOV ESI,EBX
8145 E86C06           CALL 87B4
8148 67660300         ADD EAX,[EAX]
814C 67F7400C0200     TEST WORD PTR 0C[EAX],0002
8152 0F853400         JNZ 818A
8156 67668D5010       LEA EDX,10[EAX]
815B 673A4A40         CMP CL,40[EDX]
815F 0F851800         JNZ 817B
8163 67668D7242       LEA ESI,42[EDX]
8168 E84906           CALL 87B4
816B 6651             PUSH ECX
816D 1E               PUSH DS
816E 07               POP ES
816F 668BFB           MOV EDI,EBX
8172 F3A7             REPE CMPSW
8174 6659             POP ECX
8176 0F850100         JNZ 817B
817A C3               RET
817B 6783780800       CMP WORD PTR 08[EAX],+00
8180 0F840600         JZ 818A
8184 67034008         ADD AX,08[EAX]
8188 EBC2             JMP 814C
818A 6633C0           XOR EAX,EAX
818D C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
818E 67807B0800       CMP BYTE PTR 08[EBX],00
8193 0F851C00         JNZ 81B3
8197 06               PUSH ES
8198 1E               PUSH DS
8199 6660             PUSHAD
819B 67668D5310       LEA EDX,10[EBX]
81A0 67668B0A         MOV ECX,[EDX]
81A4 668BF3           MOV ESI,EBX
81A7 67037204         ADD SI,04[EDX]
81AB F3A4             REP MOVSB
81AD 6661             POPAD
81AF 90               NOP
81B0 1F               POP DS
81B1 07               POP ES
81B2 C3               RET
81B3 6650             PUSH EAX
81B5 67668D5310       LEA EDX,10[EBX]
81BA 6685C0           TEST EAX,EAX
81BD 0F850A00         JNZ 81CB
81C1 67668B4A08       MOV ECX,08[EDX]
81C6 6641             INC ECX
81C8 EB11             JMP 81DB
81CA 90               NOP
81CB 67668B4218       MOV EAX,18[EDX]
81D0 6633D2           XOR EDX,EDX
81D3 66F7365202       DIV DWORD PTR [0252]
81D8 668BC8           MOV ECX,EAX
81DB 662BC0           SUB EAX,EAX
81DE 665E             POP ESI
81E0 E80100           CALL 81E4
81E3 C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
81E4 06               PUSH ES
81E5 1E               PUSH DS
81E6 6660             PUSHAD
81E8 67807B0801       CMP BYTE PTR 08[EBX],01
81ED 0F840300         JZ 81F4
81F1 E976FB           JMP 7D6A
81F4 6683F900         CMP ECX,+00
81F8 0F850600         JNZ 8202
81FC 6661             POPAD
81FE 90               NOP
81FF 1F               POP DS
8200 07               POP ES
8201 C3               RET
;-----------------------------------------------------
8202 6653             PUSH EBX
8204 6650             PUSH EAX
8206 6651             PUSH ECX
8208 6656             PUSH ESI
820A 6657             PUSH EDI
820C 06               PUSH ES
820D E89104           CALL 86A1
8210 668BD1           MOV EDX,ECX
8213 07               POP ES
8214 665F             POP EDI
8216 665E             POP ESI
8218 6659             POP ECX
821A 6685C0           TEST EAX,EAX
821D 0F843400         JZ 8255
8221 663BCA           CMP ECX,EDX
8224 0F8D0300         JGE 822B
8228 668BD1           MOV EDX,ECX
822B E882FE           CALL 80B0
822E 662BCA           SUB ECX,EDX
8231 668BDA           MOV EBX,EDX
8234 668BC2           MOV EAX,EDX
8237 660FB6160D00     MOVZX EDX,BYTE PTR [000D]
823D 66F7E2           MUL EDX
8240 660FB7160B00     MOVZX EDX,WORD PTR [000B]
8246 66F7E2           MUL EDX
8249 6603F8           ADD EDI,EAX
824C 6658             POP EAX
824E 6603C3           ADD EAX,EBX
8251 665B             POP EBX
8253 EB9F             JMP 81F4
8255 6685F6           TEST ESI,ESI
8258 0F840EFB         JZ 7D6A
825C 6651             PUSH ECX
825E 6657             PUSH EDI
8260 06               PUSH ES
8261 67660FB64309     MOVZX EAX,BYTE PTR 09[EBX]
8267 6685C0           TEST EAX,EAX
826A 0F842000         JZ 828E
826E 66D1E0           SHL EAX,1
8271 662BE0           SUB ESP,EAX
8274 668BFC           MOV EDI,ESP
8277 6654             PUSH ESP
8279 6656             PUSH ESI
827B 67660FB7730A     MOVZX ESI,WORD PTR 0A[EBX]
8281 6603F3           ADD ESI,EBX
8284 668BC8           MOV ECX,EAX
8287 F3A4             REP MOVSB
8289 665E             POP ESI
828B EB03             JMP 8290
828D 90               NOP
828E 6650             PUSH EAX
8290 6650             PUSH EAX
8292 67668B03         MOV EAX,[EBX]
8296 6650             PUSH EAX
8298 67668B4318       MOV EAX,18[EBX]
829D 6650             PUSH EAX
829F 67668B5620       MOV EDX,20[ESI]
82A4 6685D2           TEST EDX,EDX
82A7 0F840B00         JZ 82B6
82AB 668BFE           MOV EDI,ESI
82AE 1E               PUSH DS
82AF 07               POP ES
82B0 668BC2           MOV EAX,EDX
82B3 E87103           CALL 8627
82B6 668BC6           MOV EAX,ESI
82B9 665A             POP EDX
82BB 6659             POP ECX
82BD 6642             INC EDX
82BF 6651             PUSH ECX
82C1 6656             PUSH ESI
82C3 E83F06           CALL 8905
82C6 6685C0           TEST EAX,EAX
82C9 0F849DFA         JZ 7D6A
82CD 665E             POP ESI
82CF 6659             POP ECX
82D1 668BFE           MOV EDI,ESI
82D4 1E               PUSH DS
82D5 07               POP ES
82D6 E84E03           CALL 8627
82D9 668BC6           MOV EAX,ESI
82DC 668BD9           MOV EBX,ECX
82DF 6659             POP ECX
82E1 665A             POP EDX
82E3 6651             PUSH ECX
82E5 6656             PUSH ESI
82E7 66D1E9           SHR ECX,1
82EA E8F8FD           CALL 80E5
82ED 6685C0           TEST EAX,EAX
82F0 0F8476FA         JZ 7D6A
82F4 665E             POP ESI
82F6 6659             POP ECX
82F8 6603E1           ADD ESP,ECX
82FB 07               POP ES
82FC 665F             POP EDI
82FE 6659             POP ECX
8300 668BD0           MOV EDX,EAX
8303 6658             POP EAX
8305 665B             POP EBX
8307 668BDA           MOV EBX,EDX
830A E9F5FE           JMP 8202
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
830D 06               PUSH ES
830E 1E               PUSH DS
830F 6660             PUSHAD
8311 2667660FB75F04   MOVZX EBX,WORD PTR ES:[EDI+04] ; ES:[EDI+4] = [7C0:2404] = [A004];
                                                    ; should be the digit "0" (30h):
                                                    ; the byte immediately to the right of the word
                                                    ; "FILE" at the beginning of the $MFT file (and
                                                    ; every other file entry within the $MFT file).
8318 2667660FB74F06   MOVZX ECX,WORD PTR ES:[EDI+06] ; [A006] should be 0x0003.
831F 660BC9           OR ECX,ECX
8322 0F8444FA         JZ 7D6A
8326 6603DF           ADD EBX,EDI                    ; EBX = 0x2430
8329 6683C302         ADD EBX,+02                    ; EBX = 0x2432
832D 6681C7FE010000   ADD EDI,000001FE               ; EDI = 0x25fe
8334 6649             DEC ECX                        ; ECX -> 0x0002
8336 660BC9           OR ECX,ECX
8339 0F841700         JZ 8354
833D 26678B03         MOV AX,ES:[EBX]                ; [7C0:2432] = [A032] = 0xFFFF
                                                    ; [7C0:2434] = [A034] = 0x0000
8341 26678907         MOV ES:[EDI],AX                ; Write 0xFFFF -> [A1FE]
                                                    ; (Before this, it contained 0x0002)
                                                    ; Or: Write 0x0000 -> [A3FE]
                                                    ; (It had also contained 0x0002)
8345 6683C302         ADD EBX,+02                    ; EBX = 0x2434, 0x2436
8349 6681C700020000   ADD EDI,00000200               ; EDI = 0x27fe, 0x29fe
8350 6649             DEC ECX                        ; ECX -> 1 , or: -> 0.
8352 EBE2             JMP 8336
8354 6661             POPAD
8356 90               NOP
8357 1F               POP DS
8358 07               POP ES
8359 C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
835A 06               PUSH ES                        ; ES is often 0x09A0.
835B 1E               PUSH DS                        ; DS is 0x07C0 at this time.
835C 6660             PUSHAD                         ; Push all GP "Double" Registers onto
                                                    ; stack: EAX, ECX, EDX, EBX, original
                                                    ; ESP, EBP, ESI, and EDI.
; Simply sets [0222] to 0x00000001 (why not preset this in the Data Area?)
835E 66B801000000     MOV EAX,00000001
8364 66A32202         MOV [0222],EAX                 ; Puts a 1 in [7E22]
; Makes Contents of 0x7E6A = BpFRS + 2400h
8368 66A11E02         MOV EAX,[021E]                 ; Put 2400h into EAX.
836C 6603066602       ADD EAX,[0266]                 ; Add Bytes per File Record Segment
8371 66A36A02         MOV [026A],EAX                 ; Puts (BpFRS + 2400h) into [026A], so for
                                                    ; our Sample data, this now = 0x2800.
; Makes Contents of 0x7E4E = (2 x BpFRS) + 2400h
8375 6603066602       ADD EAX,[0266]                 ; Add Bytes per FRS again!
837A 66A34E02         MOV [024E],EAX                 ; Puts [(2 x BpFRS) + 2400h] into [024E]
                                                    ; (for Sample data, this = 0x2C00 then.)
; Put "Starting Cluster Number of $MFT File" into EAX. Then multiply that
; by Sectors per Cluster (in EBX) and copy answer ("Starting Relative
; Sector of $MFT File") into DS:[BX] as well as [7C11 - 7C14].
837E 66A13000         MOV EAX,[0030]                 ; Starting Cluster Number $MFT File
                                                    ; Examples: C0000h = Cluster 786432
                                                    ;           2155h = Cluster 8533.
8382 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]      ; Sectors per Cluster -> EBX
8388 66F7E3           MUL EBX                        ; Examples: C0000h x 8 = 600000h in EAX
                                                    ;           2155h x 8 = 10AA8h in EAX.
                                                    ; So, Starting Relative Sector of $MFT file
                                                    ; would be: 6291456 (for 600000h) or 68264 (for 10AA8h).
838B 668B1E4E02       MOV EBX,[024E]                 ; Using: 0x2C00 for these examples.
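As an added example (Python written for this page, not code from the boot record or from Microsoft), the following models two of the subroutines above on a constructed FILE record: the loop at 830D, which the listing shows copying words from just after the word at FILE+4 into the last word of each 512-byte sector (in NTFS terms the word at FILE+4 is the offset of the Update Sequence Array and the word at FILE+6 is its entry count, so the loop is applying update-sequence fixups; note that 832D and 8349 hard-code 1FEh and 200h, i.e. 512-byte sectors), and the attribute search at 80E5 through 813E, which walks the attribute headers starting at FRS+[FRS+14h] until it finds the requested type (EBX) and name (ECX/EDX) or reaches the FFFFFFFFh marker. The constructed record reuses the page's sample values (USA at 30h with count 3, saved words FFFFh and 0000h, attributes 10h/30h/80h/B0h with lengths 60h/68h/48h/50h, end marker at 198h). The function names, the "$I30" name given to the B0h attribute, the bounds check and the comparison of each sector's last word against the update sequence number are assumptions or additions of this example; the boot code performs neither check.

```python
import struct

SECTOR = 512  # 830D hard-codes 0x1FE / 0x200, so this model is 512-byte sectors only


def build_sample_frs() -> bytearray:
    """Constructed 1024-byte FILE record (two sectors) reproducing the page's sample values."""
    rec = bytearray(2 * SECTOR)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)         # [A004] USA offset, [A006] USA count
    struct.pack_into("<H", rec, 0x14, 0x38)             # [A014] offset of the first attribute
    struct.pack_into("<HHH", rec, 0x30, 0x0002, 0xFFFF, 0x0000)  # USN, then one saved word per sector
    for s in (1, 2):                                    # NTFS keeps the USN in each sector's last word
        struct.pack_into("<H", rec, s * SECTOR - 2, 0x0002)
    off = 0x38
    for atype, length, name in ((0x10, 0x60, ""), (0x30, 0x68, ""), (0x80, 0x48, ""), (0xB0, 0x50, "$I30")):
        name_utf16 = name.encode("utf-16-le")
        # attribute header: type, length, non-resident flag, name length (chars), name offset
        struct.pack_into("<IIBBH", rec, off, atype, length, 0, len(name), 0x18 if name else 0)
        rec[off + 0x18: off + 0x18 + len(name_utf16)] = name_utf16
        off += length
    struct.pack_into("<I", rec, off, 0xFFFFFFFF)        # [A198] end-of-attributes marker
    return rec


def apply_usa_fixup(rec: bytearray) -> int:
    """Mirror of 830D-8359 (EDI = record), plus a USN check the boot code does not make.
    Returns the number of sector-end words patched."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)   # 8311 / 8318
    if usa_count == 0:
        raise ValueError("USA count is zero")                    # 831F-8322 -> black-hole subroutine
    usn = bytes(rec[usa_off:usa_off + 2])
    src = usa_off + 2                                            # 8326-8329: skip the USN itself
    dst = SECTOR - 2                                             # 832D
    for _ in range(usa_count - 1):                               # 8334-8352
        if bytes(rec[dst:dst + 2]) != usn:                       # added: a torn or corrupt record
            raise ValueError(f"USN mismatch at offset 0x{dst:X}")
        rec[dst:dst + 2] = rec[src:src + 2]                      # 833D-8341
        src += 2                                                 # 8345
        dst += SECTOR                                            # 8349
    return usa_count - 1


def find_attribute(rec: bytes, attr_type: int, name: str = ""):
    """Mirror of 80E5-813E (EAX = record, EBX = type, ECX/EDX = name length and name).
    Returns the attribute's offset, or None where the boot code returns EAX = 0."""
    wanted = name.encode("utf-16-le")
    off = struct.unpack_from("<H", rec, 0x14)[0]                 # 80E5: AX += [EAX+14h]
    while off + 8 <= len(rec):                                   # added bounds check
        atype, length = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:                                  # 80E9: end marker
            return None
        if atype == attr_type:                                   # 80F2
            name_len = rec[off + 9]                              # 8101 / 810B
            if not name and name_len == 0:
                return off
            if name and name_len == len(name):                   # 8113-8124: REPE CMPSW on the name
                name_off = struct.unpack_from("<H", rec, off + 0x0A)[0]
                if bytes(rec[off + name_off: off + name_off + len(wanted)]) == wanted:
                    return off
        if length == 0:                                          # 812D: a zero length ends the walk
            return None
        off += length                                            # 8137: next attribute header


if __name__ == "__main__":
    frs = build_sample_frs()
    print("fixups applied:", apply_usa_fixup(frs))
    print("last words now :", frs[0x1FE:0x200].hex(), frs[0x3FE:0x400].hex())
    for t, n in ((0x20, ""), (0x80, ""), (0xB0, "$I30"), (0xB0, "")):
        r = find_attribute(frs, t, n)
        print(f"type {t:02X}h name {n!r:7s} ->", "not found" if r is None else f"offset 0x{r:X}")
```

On the sample record the two fixups write FFFFh over the word at 1FEh and 0000h over the word at 3FEh, exactly as the comments at 8341 describe, and the search finds 80h at 100h and the named B0h at 148h while returning not-found for 20h (the type the main path asks for at 83C0), which is what sends execution on to 84F5.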
8390 668907           MOV [BX],EAX                   ; EAX -> DS:[BX] (DS=07C0)
                                                    ; If BX = 2C00, Sample's location is:
                                                    ; DS:[BX] = 7C0:2C00 = (0x7C00 + 0x2C00) = 0xA800;
                                                    ; contains 0x600000 or 0x10AA8.
; So, as an example of the latter, a dump of Memory location 0xA800 would show:
; Location   0  1  2  3
; 0000:A800  A8 0A 01 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
8393 66A31100         MOV [0011],EAX                 ; EAX -> [7C11 thru 7C14]; also save
                                                    ; Relative Sector location of $MFT
                                                    ; file to [7C11-7C14] in the Volume.
8397 83C304           ADD BX,+04                     ; Example: 2C00h + 4 = 2C04h
839A 66A15602         MOV EAX,[0256]                 ; Sectors per FRS -> EAX
839E 668907           MOV [BX],EAX                   ; (Example: EAX = 2 sectors per FRS)
                                                    ; EAX -> DS:[BX] (DS=07C0), so:
                                                    ; DS:[BX] = 7C0:2C04 = (0x7C00 + 0x2C04) = 0xA804;
                                                    ; now containing 0x00000002
; So, a dump of Memory location 0xA800 would now show:
; Location   0  1  2  3  4  5  6  7
; 0000:A800  A8 0A 01 00 02 00 00 00 00 00 00 00 00 00 00 00   ................
83A1 A31600           MOV [0016],AX                  ; Sectors per FRS -> [7C16]
                                                    ; (In our example AX = 0x0002.)
83A4 83C304           ADD BX,+04                     ; Example: 2C04h + 4 = 2C08h
83A7 66891E4E02       MOV [024E],EBX                 ; If BX was originally 0x2C04,
                                                    ; we now save 0x2C08 to [024E].
83AC 668B1E1E02       MOV EBX,[021E]                 ; Reset EBX to 0x2400 (from [7E1E]).
83B1 1E               PUSH DS                        ; DS is still 0x07C0
83B2 07               POP ES                         ; (ES was 09A0 up to this point, but
                                                    ; now it's equal to DS = 0x07C0.)
83B3 E867F9           CALL 7D1D                      ; Copy first FRS from $MFT file into Memory.
                                                    ; This (and any successive calls) is used to
                                                    ; start searching for location of BOOTMGR.
83B6 668BFB           MOV EDI,EBX                    ; EBX still contains 0x2400.
83B9 E851FF           CALL 830D
83BC 66A11E02         MOV EAX,[021E]                 ; Put 2400h into EAX.
83C0 66BB20000000     MOV EBX,00000020               ; Put 20h (32) into EBX.
83C6 66B900000000     MOV ECX,00000000               ; Zeros in ECX, and
83CC 66BA00000000     MOV EDX,00000000               ; in EDX.
83D2 E810FD           CALL 80E5
83D5 660BC0           OR EAX,EAX
83D8 0F841901         JZ 84F5
83DC 668BD8           MOV EBX,EAX
83DF 1E               PUSH DS
83E0 07               POP ES
83E1 668B3E1A02       MOV EDI,[021A]
83E6 6633C0           XOR EAX,EAX
83E9 E8A2FD           CALL 818E
83EC 668B1E1A02       MOV EBX,[021A]
83F1 66813F80000000   CMP DWORD PTR [BX],00000080
83F8 0F84EB00         JZ 84E7
83FC 035F04           ADD BX,[BX+04]
83FF EBF0             JMP 83F1
8401 6653             PUSH EBX
8403 668B4710         MOV EAX,[BX+10]
8407 66F7265602       MUL DWORD PTR [0256]
840C 6650             PUSH EAX
840E 6633D2           XOR EDX,EDX
8411 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]
8417 66F7F3           DIV EBX
841A 6652             PUSH EDX
841C E8DC00           CALL 84FB
841F 660BC0           OR EAX,EAX
8422 0F8444F9         JZ 7D6A
8426 668B0E5602       MOV ECX,[0256]
842B 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]
8431 66F7E3           MUL EBX
8434 665A             POP EDX
8436 6603C2           ADD EAX,EDX
8439 668B1E4E02       MOV EBX,[024E]
843E 668907           MOV [BX],EAX
8441 83C304           ADD BX,+04
8444 660FB6060D00     MOVZX EAX,BYTE PTR [000D]
844A 662BC2           SUB EAX,EDX
844D 663BC1           CMP EAX,ECX
8450 0F860300         JBE 8457
8454 668BC1           MOV EAX,ECX
8457 668907           MOV [BX],EAX
845A 662BC8           SUB ECX,EAX
845D 665A             POP EDX
845F 0F847500         JZ 84D8
8463 6603C2           ADD EAX,EDX
8466 6650             PUSH EAX
8468 6633D2           XOR EDX,EDX
846B 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]
8471 66F7F3           DIV EBX
8474 6651             PUSH ECX
8476 E88200           CALL 84FB
8479 6659             POP ECX
847B 660BC0           OR EAX,EAX
847E 0F84E8F8         JZ 7D6A
8482 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]
8488 66F7E3           MUL EBX
848B 668B1E4E02       MOV EBX,[024E]
8490 668B17           MOV EDX,[BX]
8493 83C304           ADD BX,+04
8496 660317           ADD EDX,[BX]
8499 663BD0           CMP EDX,EAX
849C 0F851500         JNZ 84B5
84A0 660FB6060D00     MOVZX EAX,BYTE PTR [000D]
84A6 663BC1           CMP EAX,ECX
84A9 0F860300         JBE 84B0
84AD 668BC1           MOV EAX,ECX
84B0 660107           ADD [BX],EAX
84B3 EBA5             JMP 845A
84B5 83C304           ADD BX,+04
84B8 66891E4E02       MOV [024E],EBX
84BD 668907           MOV [BX],EAX
84C0 83C304           ADD BX,+04
84C3 660FB6060D00     MOVZX EAX,BYTE PTR [000D]
84C9 663BC1           CMP EAX,ECX
84CC 0F860300         JBE 84D3
84D0 668BC1           MOV EAX,ECX
84D3 668907           MOV [BX],EAX
84D6 EB82             JMP 845A
84D8 83C304           ADD BX,+04
84DB 66FF062202       INC DWORD PTR [0222]
84E0 66891E4E02       MOV [024E],EBX
84E5 665B             POP EBX
84E7 035F04           ADD BX,[BX+04]
84EA 66813F80000000   CMP DWORD PTR [BX],00000080
84F1 0F840CFF         JZ 8401
84F5 6661             POPAD
84F7 90               NOP
84F8 1F               POP DS
84F9 07               POP ES
84FA C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
84FB 668BD0           MOV EDX,EAX
84FE 668B0E2202       MOV ECX,[0222]
8503 668B366A02       MOV ESI,[026A]
8508 6603366602       ADD ESI,[0266]
850D 6652             PUSH EDX
850F 6651             PUSH ECX
8511 6652             PUSH EDX
8513 668B1E6A02       MOV EBX,[026A]
8518 668B3E5602       MOV EDI,[0256]
851D 668B04           MOV EAX,[SI]
8520 66A31100         MOV [0011],EAX
8524 83C604           ADD SI,+04
8527 668B04           MOV EAX,[SI]
852A A31600           MOV [0016],AX
852D 83C604           ADD SI,+04
8530 1E               PUSH DS
8531 07               POP ES
8532 E8E8F7           CALL 7D1D
8535 662BF8           SUB EDI,EAX
8538 0F840800         JZ 8544
853C F7260B00         MUL WORD PTR [000B]
8540 03D8             ADD BX,AX
8542 EBD9             JMP 851D
8544 668B3E6A02       MOV EDI,[026A]
8549 1E               PUSH DS
854A 07               POP ES
854B E8BFFD           CALL 830D
854E 66A16A02         MOV EAX,[026A]
8552 66BB80000000     MOV EBX,00000080
8558 66B900000000     MOV ECX,00000000
855E 668BD1           MOV EDX,ECX
8561 E881FB           CALL 80E5
8564 660BC0           OR EAX,EAX
8567 0F84FFF7         JZ 7D6A
856B 668BD8           MOV EBX,EAX
856E 6658             POP EAX
8570 6656             PUSH ESI
8572 E82C01           CALL 86A1
8575 665E             POP ESI
8577 660BC0           OR EAX,EAX
857A 0F840500         JZ 8583
857E 665B             POP EBX
8580 665B             POP EBX
8582 C3               RET
8583 6659             POP ECX
8585 665A             POP EDX
8587 E284             LOOPW 850D
8589 6633C0           XOR EAX,EAX
858C C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
858D 06               PUSH ES
858E 1E               PUSH DS
858F 6660             PUSHAD
8591 6650             PUSH EAX
8593 6651             PUSH ECX
8595 6633D2           XOR EDX,EDX
8598 660FB61E0D00     MOVZX EBX,BYTE PTR DS:[000D]   ; Sectors per Cluster = 8.
859E 66F7F3           DIV EAX,EBX                    ; (0x000A / 0x0008) = 1 (remainder discarded)
85A1 6652             PUSH EDX
85A3 6657             PUSH EDI
85A5 E853FF           CALL 84FB
85A8 665F             POP EDI
85AA 660BC0           OR EAX,EAX
85AD 0F84B9F7         JZ 7D6A
85B1 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]
85B7 66F7E3           MUL EBX
85BA 665A             POP EDX
85BC 6603C2           ADD EAX,EDX
85BF 66A31100         MOV [0011],EAX
85C3 6659             POP ECX
85C5 660FB61E0D00     MOVZX EBX,BYTE PTR [000D]
85CB 663BCB           CMP ECX,EBX
85CE 0F8E1300         JLE 85E5
85D2 891E1600         MOV [0016],BX
85D6 662BCB           SUB ECX,EBX
85D9 6658             POP EAX
85DB 6603C3           ADD EAX,EBX
85DE 6650             PUSH EAX
85E0 6651             PUSH ECX
85E2 EB14             JMP 85F8
85E4 90               NOP
85E5 6658             POP EAX
85E7 6603C1           ADD EAX,ECX
85EA 6650             PUSH EAX
85EC 890E1600         MOV [0016],CX
85F0 66B900000000     MOV ECX,00000000
85F6 6651             PUSH ECX
85F8 06               PUSH ES
85F9 6657             PUSH EDI
85FB 8BDF             MOV BX,DI
85FD 83E30F           AND BX,+0F
8600 8CC0             MOV AX,ES
8602 66C1EF04         SHR EDI,04
8606 03C7             ADD AX,DI
8608 50               PUSH AX
8609 07               POP ES
860A E810F7           CALL 7D1D
860D 665F             POP EDI
860F 07               POP ES
8610 66033E5202       ADD EDI,[0252]
8615 6659             POP ECX
8617 6658             POP EAX
8619 6683F900         CMP ECX,+00
861D 0F8F70FF         JG 8591
8621 6661             POPAD
8623 90               NOP
8624 1F               POP DS
8625 07               POP ES
8626 C3               RET
; ============================================================================================
; ============================ S U B R O U T I N E ===========================================
8627 06               PUSH ES
8628 1E               PUSH DS
8629 6660             PUSHAD
862B 66F7265602       MUL EAX,DWORD PTR DS:[0256]    ; (5 x Sectors per FRS) -> EAX
                                                    ; 5 x 2 = 10 (or 0x000A).
8630 668B0E5602 MOV ECX,[0256] 8635 E855FF CALL 858D 8638 E8D2FC CALL 830D 863B 6661 POPAD 863D 90 NOP 863E 1F POP DS 863F 07 POP ES 8640 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 8641 06 PUSH ES 8642 1E PUSH DS 8643 6660 PUSHAD 8645 66F7267202 MUL DWORD PTR [0272] 864A 668B1E3602 MOV EBX,[0236] 864F 668B0E7202 MOV ECX,[0272] 8654 668B362A02 MOV ESI,[022A] 8659 1E PUSH DS 865A 07 POP ES 865B 668B3E4602 MOV EDI,[0246] 8660 E881FB CALL 81E4 8663 E8A7FC CALL 830D 8666 6661 POPAD 8668 90 NOP 8669 1F POP DS 866A 07 POP ES 866B C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 866C 6650 PUSH EAX 866E 6653 PUSH EBX 8670 6651 PUSH ECX 8672 668B1E4A02 MOV EBX,[024A] 8677 668BC8 MOV ECX,EAX 867A 66C1E803 SHR EAX,03 867E 6683E107 AND ECX,+07 8682 6603D8 ADD EBX,EAX 8685 66B801000000 MOV EAX,00000001 868B 66D3E0 SHL EAX,CL 868E 678403 TEST [EBX],AL 8691 0F840400 JZ 8699 8695 F8 CLC 8696 EB02 JMP 869A 8698 90 NOP 8699 F9 STC 869A 6659 POP ECX 869C 665B POP EBX 869E 6658 POP EAX 86A0 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 86A1 67807B0801 CMP BYTE PTR 08[EBX],01 86A6 0F840400 JZ 86AE 86AA 662BC0 SUB EAX,EAX 86AD C3 RET 86AE 67668D7310 LEA ESI,10[EBX] 86B3 67668B5608 MOV EDX,08[ESI] 86B8 663BC2 CMP EAX,EDX 86BB 0F870B00 JA 86CA 86BF 67668B16 MOV EDX,[ESI] 86C3 663BC2 CMP EAX,EDX 86C6 0F830400 JAE 86CE 86CA 662BC0 SUB EAX,EAX 86CD C3 RET 86CE 67035E10 ADD BX,10[ESI] 86D2 662BF6 SUB ESI,ESI 86D5 67803B00 CMP BYTE PTR [EBX],00 86D9 0F843E00 JZ 871B 86DD E88100 CALL 8761 86E0 6603F1 ADD ESI,ECX 86E3 E83900 CALL 871F 86E6 
6603CA ADD ECX,EDX 86E9 663BC1 CMP EAX,ECX 86EC 0F8C2100 JL 8711 86F0 668BD1 MOV EDX,ECX 86F3 6650 PUSH EAX 86F5 67660FB60B MOVZX ECX,BYTE PTR [EBX] 86FA 668BC1 MOV EAX,ECX 86FD 6683E00F AND EAX,+0F 8701 66C1E904 SHR ECX,04 8705 6603D9 ADD EBX,ECX 8708 6603D8 ADD EBX,EAX 870B 6643 INC EBX 870D 6658 POP EAX 870F EBC4 JMP 86D5 8711 662BC8 SUB ECX,EAX 8714 662BC2 SUB EAX,EDX 8717 6603C6 ADD EAX,ESI 871A C3 RET 871B 662BC0 SUB EAX,EAX 871E C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 871F 662BC9 SUB ECX,ECX 8722 678A0B MOV CL,[EBX] 8725 80E10F AND CL,0F 8728 6683F900 CMP ECX,+00 872C 0F850400 JNZ 8734 8730 662BC9 SUB ECX,ECX 8733 C3 RET 8734 6653 PUSH EBX 8736 6652 PUSH EDX 8738 6603D9 ADD EBX,ECX 873B 67660FBE13 MOVSX EDX,BYTE PTR [EBX] 8740 6649 DEC ECX 8742 664B DEC EBX 8744 6683F900 CMP ECX,+00 8748 0F840D00 JZ 8759 874C 66C1E208 SHL EDX,08 8750 678A13 MOV DL,[EBX] 8753 664B DEC EBX 8755 6649 DEC ECX 8757 EBEB JMP 8744 8759 668BCA MOV ECX,EDX 875C 665A POP EDX 875E 665B POP EBX 8760 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 8761 6653 PUSH EBX 8763 6652 PUSH EDX 8765 662BD2 SUB EDX,EDX 8768 678A13 MOV DL,[EBX] 876B 6683E20F AND EDX,+0F 876F 662BC9 SUB ECX,ECX 8772 678A0B MOV CL,[EBX] 8775 C0E904 SHR CL,04 8778 6683F900 CMP ECX,+00 877C 0F850800 JNZ 8788 8780 662BC9 SUB ECX,ECX 8783 665A POP EDX 8785 665B POP EBX 8787 C3 RET 8788 6603DA ADD EBX,EDX 878B 6603D9 ADD EBX,ECX 878E 67660FBE13 MOVSX EDX,BYTE PTR [EBX] 8793 6649 DEC ECX 8795 664B DEC EBX 8797 6683F900 CMP ECX,+00 879B 0F840D00 JZ 87AC 879F 66C1E208 SHL EDX,08 87A3 678A13 MOV DL,[EBX] 87A6 664B DEC EBX 87A8 6649 DEC ECX 87AA EBEB JMP 8797 87AC 668BCA MOV ECX,EDX 87AF 665A POP EDX 87B1 665B POP EBX 
87B3 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 87B4 660BC9 OR ECX,ECX 87B7 0F850100 JNZ 87BC 87BB C3 RET 87BC 6651 PUSH ECX 87BE 6656 PUSH ESI 87C0 67833E61 CMP WORD PTR [ESI],+61 ; ('a') 87C4 0F8C0C00 JL 87D4 87C8 67833E7A CMP WORD PTR [ESI],+7A ; ('z') 87CC 0F8F0400 JG 87D4 87D0 67832E20 SUB WORD PTR [ESI],+20 ; (a SPACE character) 87D4 6683C602 ADD ESI,+02 87D8 E2E6 LOOPW 87C0 87DA 665E POP ESI 87DC 6659 POP ECX 87DE C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 87DF 6650 PUSH EAX 87E1 6651 PUSH ECX 87E3 668BD0 MOV EDX,EAX 87E6 66A13202 MOV EAX,[0232] 87EA 67668D5810 LEA EBX,10[EAX] 87EF 67034304 ADD AX,04[EBX] 87F3 67668D4010 LEA EAX,10[EAX] 87F8 668BDA MOV EBX,EDX 87FB E844F9 CALL 8142 87FE 660BC0 OR EAX,EAX 8801 0F840500 JZ 880A 8805 6659 POP ECX 8807 6659 POP ECX 8809 C3 RET 880A 66A13602 MOV EAX,[0236] 880E 660BC0 OR EAX,EAX 8811 0F850800 JNZ 881D 8815 6659 POP ECX 8817 6659 POP ECX 8819 6633C0 XOR EAX,EAX 881C C3 RET ; --------------------------------------------------------- 881D 668B163602 MOV EDX,[0236] 8822 67668D5210 LEA EDX,10[EDX] 8827 67668B4218 MOV EAX,18[EDX] 882C 6633D2 XOR EDX,EDX 882F 66F7366E02 DIV DWORD PTR [026E] 8834 6633F6 XOR ESI,ESI 8837 6650 PUSH EAX 8839 6656 PUSH ESI 883B 6658 POP EAX 883D 665E POP ESI 883F 663BC6 CMP EAX,ESI 8842 0F843A00 JZ 8880 8846 6656 PUSH ESI 8848 6640 INC EAX 884A 6650 PUSH EAX 884C 6648 DEC EAX 884E E81BFE CALL 866C 8851 72E8 JB 883B 8853 E8EBFD CALL 8641 8856 665A POP EDX 8858 665E POP ESI 885A 6659 POP ECX 885C 665B POP EBX 885E 6653 PUSH EBX 8860 6651 PUSH ECX 8862 6656 PUSH ESI 8864 6652 PUSH EDX 8866 66A14602 MOV EAX,[0246] 886A 67668D4018 LEA EAX,18[EAX] 886F E8D0F8 CALL 8142 8872 660BC0 OR 
EAX,EAX 8875 74C4 JZ 883B 8877 6659 POP ECX 8879 6659 POP ECX 887B 6659 POP ECX 887D 6659 POP ECX 887F C3 RET ; --------------------------------------------------------- 8880 6659 POP ECX 8882 6659 POP ECX 8884 6633C0 XOR EAX,EAX 8887 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 8888 6651 PUSH ECX 888A 6650 PUSH EAX 888C 66B805000000 MOV EAX,00000005 8892 1E PUSH DS 8893 07 POP ES 8894 668BF9 MOV EDI,ECX 8897 E88DFD CALL 8627 889A 668BC1 MOV EAX,ECX 889D 66BB20000000 MOV EBX,00000020 88A3 66B900000000 MOV ECX,00000000 88A9 66BA00000000 MOV EDX,00000000 88AF E833F8 CALL 80E5 88B2 665B POP EBX 88B4 6659 POP ECX 88B6 6685C0 TEST EAX,EAX 88B9 0F851500 JNZ 88D2 88BD 668BC1 MOV EAX,ECX 88C0 660FB70E1002 MOVZX ECX,WORD PTR [0210] ; "$I30" in Unicode. 88C6 66BA12020000 MOV EDX,00000212 88CC E816F8 CALL 80E5 88CF EB33 JMP 8904 88D1 90 NOP ; --------------------------------------------------- 88D2 6633D2 XOR EDX,EDX 88D5 668BC1 MOV EAX,ECX 88D8 668BCB MOV ECX,EBX 88DB 6650 PUSH EAX 88DD 6653 PUSH EBX 88DF E82300 CALL 8905 88E2 665B POP EBX 88E4 665F POP EDI 88E6 660BC0 OR EAX,EAX 88E9 0F841700 JZ 8904 88ED 1E PUSH DS 88EE 07 POP ES 88EF E835FD CALL 8627 88F2 668BC7 MOV EAX,EDI 88F5 660FB70E1002 MOVZX ECX,WORD PTR [0210] ; "$I30" in Unicode. 
88FB 66BA12020000 MOV EDX,00000212 8901 E8E1F7 CALL 80E5 8904 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 8905 6652 PUSH EDX 8907 6651 PUSH ECX 8909 66BB20000000 MOV EBX,00000020 890F 66B900000000 MOV ECX,00000000 8915 66BA00000000 MOV EDX,00000000 891B E8C7F7 CALL 891E 660BC0 OR EAX,EAX 8921 0F846300 JZ 8988 8925 668BD8 MOV EBX,EAX 8928 1E PUSH DS 8929 07 POP ES 892A 668B3E1A02 MOV EDI,[021A] 892F 6633C0 XOR EAX,EAX 8932 E859F8 CALL 818E 8935 1E PUSH DS 8936 07 POP ES 8937 668B1E1A02 MOV EBX,[021A] 893C 6659 POP ECX 893E 665A POP EDX 8940 2666390F CMP ES:[BX],ECX 8944 0F850C00 JNZ 8954 8948 2666395708 CMP ES:[BX+08],EDX 894D 0F843100 JZ 8982 8951 EB13 JMP 8966 8953 90 NOP 8954 2666833FFF CMP DWORD PTR ES:[BX],-01 8959 0F842F00 JZ 898C 895D 26837F0400 CMP WORD PTR ES:[BX+04],+00 8962 0F842600 JZ 898C 8966 26660FB74704 MOVZX EAX,WORD PTR ES:[BX+04] 896C 03D8 ADD BX,AX 896E 8BC3 MOV AX,BX 8970 250080 AND AX,8000 8973 74CB JZ 8940 8975 8CC0 MOV AX,ES 8977 050008 ADD AX,0800 897A 8EC0 MOV ES,AX 897C 81E3FF7F AND BX,7FFF 8980 EBBE JMP 8940 8982 26668B4710 MOV EAX,ES:[BX+10] 8987 C3 RET 8988 6659 POP ECX 898A 665A POP EDX 898C 6633C0 XOR EAX,EAX 898F C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 8990 6650 PUSH EAX 8992 6651 PUSH ECX 8994 668BC7 MOV EAX,EDI 8997 66C1E804 SHR EAX,04 899B 06 PUSH ES 899C 59 POP CX 899D 03C8 ADD CX,AX 899F 51 PUSH CX 89A0 07 POP ES 89A1 6683E70F AND EDI,+0F 89A5 6659 POP ECX 89A7 6658 POP EAX 89A9 C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 89AA 60 PUSHA 89AB 06 PUSH ES 89AC BEBD0D 
MOV SI,0DBD 89AF BF0020 MOV DI,2000 89B2 1E PUSH DS 89B3 07 POP ES 89B4 B90D00 MOV CX,000D 89B7 90 NOP 89B8 F3A5 REP MOVSW 89BA 07 POP ES 89BB 61 POPA 89BC C3 RET ; ============================================================================================== ;==================================================================================== ; Not sure what these areas are used for! May not be code! Appear to never be called. ;==================================================================================== 89BD 0123 ADD [BP+DI],SP 89BF 45 INC BP 89C0 6789ABCDEFFEDC MOV DCFEEFCD[EBX],BP 89C7 BA9876 MOV DX,7698 89CA 54 PUSH SP 89CB 3210 XOR DL,[BX+SI] 89CD F0 LOCK (unused) 89CE E1D2 LOOPZW 89A2 89D0 C3 RET ;======================================================================= 89D1 0000 ADD [BX+SI],AL 89D3 0000 ADD [BX+SI],AL 89D5 2020 AND [BX+SI],AH ; =================================================================================== ; ============================ S U B R O U T I N E ============================================= 89D7 60 PUSHA 89D8 8B361820 MOV SI,[2018] 89DC 268A05 MOV AL,ES:[DI] 89DF 8804 MOV [SI],AL 89E1 47 INC DI 89E2 46 INC SI 89E3 66FF061420 INC DWORD PTR [2014] 89E8 81FE6020 CMP SI,2060 89EC 7506 JNZ 89F4 89EE E85B00 CALL 8A4C 89F1 BE2020 MOV SI,2020 89F4 E2E6 LOOPW 89DC 89F6 89361820 MOV [2018],SI 89FA 61 POPA 89FB C3 RET ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= ;===================================================================== ; S U B R O U T I N E ;===================================================================== 89FC 6660 PUSHAD 89FE 8B361820 MOV SI,[2018] 8A02 B080 MOV AL,80 8A04 8804 MOV [SI],AL 8A06 46 INC SI 8A07 32C0 XOR AL,AL 8A09 81FE6020 CMP SI,2060 8A0D 7506 JNZ 8A15 8A0F E83A00 CALL 8A4C 8A12 BE2020 MOV SI,2020 8A15 81FE5820 CMP SI,2058 8A19 75E9 JNZ 8A04 8A1B 
6633C0 XOR EAX,EAX 8A1E 66A35820 MOV [2058],EAX 8A22 66A11420 MOV EAX,[2014] 8A26 66C1E003 SHL EAX,03 8A2A 660FC8 BSWAP EAX 8A2D 66A35C20 MOV [205C],EAX 8A31 E81800 CALL 8A4C 8A34 BB0020 MOV BX,2000 8A37 668B07 MOV EAX,[BX] 8A3A 660FC8 BSWAP EAX 8A3D 668907 MOV [BX],EAX 8A40 83C304 ADD BX,+04 8A43 81FB3420 CMP BX,2034 8A47 75EE JNZ 8A37 8A49 6661 POPAD 8A4B C3 RET ;================================================================ ; E N D O F S U B R O U T I N E ;================================================================ ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= ;===================================================================== ; S U B R O U T I N E ;===================================================================== 8A4C 6660 PUSHAD 8A4E BB2020 MOV BX,2020 8A51 668B07 MOV EAX,[BX] 8A54 660FC8 BSWAP EAX 8A57 668907 MOV [BX],EAX 8A5A 83C304 ADD BX,+04 8A5D 81FB6020 CMP BX,2060 8A61 75EE JNZ 8A51 8A63 BB0020 MOV BX,2000 8A66 668B0F MOV ECX,[BX] 8A69 668B5704 MOV EDX,[BX+04] 8A6D 668B7708 MOV ESI,[BX+08] 8A71 668B7F0C MOV EDI,[BX+0C] 8A75 668B6F10 MOV EBP,[BX+10] 8A79 BB2020 MOV BX,2020 8A7C C7061A20300F MOV WORD PTR [201A],0F30 8A82 C6061C2014 MOV BYTE PTR [201C],14 8A87 90 NOP 8A88 53 PUSH BX 8A89 8B1E1A20 MOV BX,[201A] 8A8D FF17 CALL WORD PTR [BX] 8A8F 66034702 ADD EAX,[BX+02] 8A93 5B POP BX 8A94 6603E8 ADD EBP,EAX 8A97 66032F ADD EBP,[BX] 8A9A 668BC1 MOV EAX,ECX 8A9D 66C1C005 ROL EAX,05 8AA1 6603C5 ADD EAX,EBP 8AA4 668BEF MOV EBP,EDI 8AA7 668BFE MOV EDI,ESI 8AAA 668BF2 MOV ESI,EDX 8AAD 66C1C61E ROL ESI,1E 8AB1 668BD1 MOV EDX,ECX 8AB4 668BC8 MOV ECX,EAX 8AB7 668B07 MOV EAX,[BX] 8ABA 66334708 XOR EAX,[BX+08] 8ABE 66334720 XOR EAX,[BX+20] 8AC2 66334734 XOR EAX,[BX+34] 8AC6 66D1C0 ROL EAX,1 8AC9 66894740 MOV [BX+40],EAX 8ACD 83C304 ADD BX,+04 8AD0 FE0E1C20 DEC BYTE PTR [201C] 8AD4 75B2 JNZ 8A88 8AD6 
83061A2006 ADD WORD PTR [201A],+06 8ADB 813E1A20480F CMP WORD PTR [201A],0F48 8AE1 759F JNZ 8A82 8AE3 BB0020 MOV BX,2000 8AE6 66010F ADD [BX],ECX 8AE9 66015704 ADD [BX+04],EDX 8AED 66017708 ADD [BX+08],ESI 8AF1 66017F0C ADD [BX+0C],EDI 8AF5 66016F10 ADD [BX+10],EBP 8AF9 6661 POPAD 8AFB C3 RET ;================================================================ ; E N D O F S U B R O U T I N E ;================================================================ ; ============================================================================================== ;=============================================================================================== ; What are the following bytes used for? May be only DATA; or even garbage? ;=============================================================================================== 8AFC 668BC6 MOV EAX,ESI 8AFF 6633C7 XOR EAX,EDI 8B02 6623C2 AND EAX,EDX 8B05 6633C7 XOR EAX,EDI 8B08 C3 RET 8B09 668BC2 MOV EAX,EDX 8B0C 6633C6 XOR EAX,ESI 8B0F 6633C7 XOR EAX,EDI 8B12 C3 RET 8B13 6653 PUSH EBX 8B15 668BC2 MOV EAX,EDX 8B18 6623C6 AND EAX,ESI 8B1B 668BDA MOV EBX,EDX 8B1E 6623DF AND EBX,EDI 8B21 660BC3 OR EAX,EBX 8B24 668BDE MOV EBX,ESI 8B27 6623DF AND EBX,EDI 8B2A 660BC3 OR EAX,EBX 8B2D 665B POP EBX 8B2F C3 RET 8B30 FC CLD 8B31 0E PUSH CS 8B32 99 CWD 8B33 7982 JNS 8AB7 8B35 5A POP DX 8B36 090F OR [BX],CX 8B38 A1EBD9 MOV AX,[D9EB] 8B3B 6E OUTSB 8B3C 130F ADC CX,[BX] 8B3E DCBC1B8F FDIVR DOUBLE PTR [SI+8F1B] 8B42 090F OR [BX],CX 8B44 D6 DB D6 INDICATOR THAT THIS IS ONLY A DATA OR GARBAGE AREA! 8B45 C162CA ; ============================================================================================== ; ============================ S U B R O U T I N E ============================================= 8B48 06 PUSH ES 8B49 1E PUSH DS 8B4A 6660 PUSHAD 8B4C 6633DB XOR EBX,EBX 8B4F B800BB MOV AX,BB00 8B52 CD1A INT 1A 8B54 6623C0 AND EAX,EAX 8B57 0F85BB00 JNZ 8C16 8B5B 6681FB54435041 CMP EBX,41504354 ; "APCT" which is: "TCPA". 
8B62 0F85B000 JNZ 8C16 8B66 81F90201 CMP CX,0102 8B6A 0F82A800 JB 8C16 8B6E 6661 POPAD 8B70 90 NOP 8B71 1F POP DS 8B72 07 POP ES 8B73 06 PUSH ES 8B74 1E PUSH DS 8B75 6660 PUSHAD 8B77 67807B0800 CMP BYTE PTR 08[EBX],00 8B7C 0F850C00 JNZ 8B8C 8B80 67668D5310 LEA EDX,10[EBX] 8B85 67668B0A MOV ECX,[EDX] 8B89 EB25 JMP 8BB0 8B8B 90 NOP 8B8C 67668D5310 LEA EDX,10[EBX] 8B91 67668B4A28 MOV ECX,28[EDX] 8B96 6681F900000800 CMP ECX,00080000 8B9D 0F830C00 JAE 8BAD 8BA1 67668B422C MOV EAX,2C[EDX] 8BA6 6623C0 AND EAX,EAX 8BA9 0F840300 JZ 8BB0 8BAD 6633C9 XOR ECX,ECX 8BB0 0E PUSH CS 8BB1 1F POP DS 8BB2 E8F5FD CALL 89AA 8BB5 6623C9 AND ECX,ECX 8BB8 0F843200 JZ 8BEE 8BBC 66BA00800000 MOV EDX,00008000 8BC2 663BCA CMP ECX,EDX 8BC5 0F861F00 JBE 8BE8 8BC9 662BCA SUB ECX,EDX 8BCC 06 PUSH ES 8BCD 6651 PUSH ECX 8BCF 6657 PUSH EDI 8BD1 6652 PUSH EDX 8BD3 668BCA MOV ECX,EDX 8BD6 E8B7FD CALL 8990 8BD9 E8FBFD CALL 89D7 8BDC 665A POP EDX 8BDE 665F POP EDI 8BE0 6659 POP ECX 8BE2 07 POP ES 8BE3 6603FA ADD EDI,EDX 8BE6 EBDA JMP 8BC2 8BE8 E8A5FD CALL 8990 8BEB E8E9FD CALL 89D7 8BEE E80BFE CALL 89FC 8BF1 0E PUSH CS 8BF2 07 POP ES 8BF3 66BB54435041 MOV EBX,41504354 ; "APCT" which is: "TCPA". 8BF9 66BF00200000 MOV EDI,00002000 8BFF 66B914000000 MOV ECX,00000014 8C05 66B807BB0000 MOV EAX,0000BB07 8C0B 66BA0A000000 MOV EDX,0000000A 8C11 6633F6 XOR ESI,ESI 8C14 CD1A INT 1A 8C16 6661 POPAD 8C18 90 NOP 8C19 1F POP DS 8C1A 07 POP ES 8C1B C3 RET 8C1C A0F901 MOV AL,[01F9] 8C1F E94BF1 JMP 7D6D 8C22 A0FA01 MOV AL,[01FA] 8C25 E945F1 JMP 7D6D ; ============================================================================================== Memory Location 0000:8C27 is the last byte of the BOOTMGR Loader's ("Bootstrap") code. |
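The bytes the listing flags as unknown are SHA-1: 89BD..89D0 holds the five initial hash words H0..H4 (01234567, 89ABCDEF, FEDCBA98, 76543210, F0E1D2C3 as little-endian DWORDs, copied to 2000..2013 by 89AA), 8AFC, 8B09 and 8B13 are the Ch, Parity and Maj round functions of b, c, d (EDX, ESI, EDI), and 8B30..8B47 is a table of four 6-byte entries, each a near pointer to one of those functions followed by a round constant (5A827999, 6ED9EBA1, 8F1BBCDC, CA62C1D6), which the loop at 8A82..8AE1 runs for [201C] = 0x14 = 20 rounds apiece; so 8A4C is the block compression, 89D7 the update step, 89FC the padding and finalization, and 8B48 hashes the bootmgr file data and hands the 20-byte digest at 2000 to the TCG BIOS (INT 1Ah, AX=BB07h) with EDX = 0Ah, the PCR BitLocker reserves for the boot manager, after confirming TCG BIOS support via INT 1Ah, AX=BB00h (EBX returns "TCPA"). The Python below is an added model of those routines, not code from the page, built only from the constants in the listing and checked against the standard library's SHA-1:

```python
"""Added example, not code from the page: a Python model of the routines at
89AA (init), 89D7 (update), 89FC (finalize) and 8A4C (compress), built only
from the constants visible in the listing and checked against hashlib."""
import hashlib
import struct

MASK = 0xFFFFFFFF

# 89BD..89D0: 01 23 45 67 | 89 AB CD EF | FE DC BA 98 | 76 54 32 10 | F0 E1 D2 C3,
# copied to 2000..2013 by 89AA and loaded as little-endian DWORDs by 8A66..8A75.
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


# 8AFC: ((c ^ d) & b) ^ d     8B09: b ^ c ^ d     8B13: (b&c)|(b&d)|(c&d)
# with b, c, d held in EDX, ESI, EDI.
def f_ch(b, c, d):
    return ((c ^ d) & b) ^ d


def f_parity(b, c, d):
    return b ^ c ^ d


def f_maj(b, c, d):
    return (b & c) | (b & d) | (c & d)


# 8B30..8B47: four 6-byte entries {near pointer, DWORD K}: pointers 0EFC, 0F09,
# 0F13, 0F09 (offsets from 7C00, i.e. 8AFC, 8B09, 8B13, 8B09) and constants
# 5A827999, 6ED9EBA1, 8F1BBCDC, CA62C1D6. 8A82..8AE1 runs each for 20 rounds.
ROUND_TABLE = ((f_ch, 0x5A827999), (f_parity, 0x6ED9EBA1),
               (f_maj, 0x8F1BBCDC), (f_parity, 0xCA62C1D6))


def compress(state, block):
    """8A4C: fold one 64-byte block into the five state words."""
    w = list(struct.unpack(">16I", block))   # 8A51..8A61: BSWAP each word
    a, b, c, d, e = state                      # ECX, EDX, ESI, EDI, EBP
    for t in range(80):
        f, k = ROUND_TABLE[t // 20]
        # 8A88..8AB4: e += f(b,c,d) + K + W[t]; a' = ROL(a,5) + e; rotate.
        temp = (rol(a, 5) + f(b, c, d) + e + k + w[t]) & MASK
        a, b, c, d, e = temp, a, rol(b, 30), c, d
        # 8AB7..8AC9: W[t+16] = ROL1(W[t] ^ W[t+2] ^ W[t+8] ^ W[t+13])
        w.append(rol(w[t] ^ w[t + 2] ^ w[t + 8] ^ w[t + 13], 1))
    # 8AE3..8AF5: add the working registers back into 2000..2013
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))


def sha1_listing(data: bytes) -> bytes:
    """89AA + 89D7 + 89FC: hash `data` and return the 20-byte digest."""
    state = H_INIT
    # 89FC: append 0x80, zero-fill up to offset 2058 (56 mod 64), store a zero
    # DWORD at 2058 and BSWAP(byte_count << 3) at 205C (32-bit bit length).
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack(">II", 0, (len(data) << 3) & MASK)
    for off in range(0, len(msg), 64):          # 89D7: compress per 64 bytes
        state = compress(state, msg[off:off + 64])
    return struct.pack(">5I", *state)            # 8A34..8A47: BSWAP the state


def matches_hashlib(data: bytes) -> bool:
    """True when the model agrees with the standard library's SHA-1."""
    return sha1_listing(data) == hashlib.sha1(data).digest()
```

Because the digest that reaches INT 1Ah/BB07h is computed by this code rather than by the BIOS, any change to the bootmgr data run changes the value extended into PCR 10, which is what lets a BitLocker-sealed key refuse to unseal after the boot manager is tampered with.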
This page is still under construction . . . .
First Published: July 31, 2015 (31.07.2015).
Updated: 31 JUL 2015 (31.07.2015); there were many updates during AUG 2015 (08.2015).
Last Update: 30 AUG 2015 (30.08.2015). [Well, life became more complicated yet again, so there have been no updates since AUG 2015!]