Like all previous MS Boot Records (all the way back to MS-DOS 2.00), the first three bytes have often been called the Jump Instruction. But only the first two bytes (EB 52 in this case) have ever been used to form the actual JMP (Jump) instruction* to the rest of the executable x86 (PC) Assembly code; the third byte (90h) is just a NOP ('No Operation' or do nothing) instruction. The next 8 bytes are the "OEM ID" or System Name ("NTFS" and four blank spaces); followed by the BPB (BIOS Parameter Block).
Although this
Furthermore, the old 4-byte "Volume Serial Number" has been replaced with a new eight-byte NTFS Volume Serial Number (for more details on the NTFS BPB, see the NTFS Boot Record page).
Absolute Sector 63 (Cylinder 0, Head 1, Sector 1)
[Figure labels: "OEM ID", NTFS BPB]
       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000: EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 .R.NTFS .....
0010: 00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00 ........?...?...
0020: 00 00 00 00 80 00 80 00 AE 39 D7 00 00 00 00 00 .........9......
0030: 04 00 00 00 00 00 00 00 8D EF 00 00 00 00 00 00 ................
0040: F6 00 00 00 01 00 00 00 FC 5D E1 A4 99 E1 A4 B4 .........]......
0050: 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07 .....3.....|....
0060: 8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00 ..........3.....
0070: 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4 ..S.h..hj....$..
0080: 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 ...s......f...@f
0090: 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F .....?.......Af.
00A0: B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A ..f..f. ...A..U.
00B0: 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01 .$...r...U.u....
00C0: 74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66 t......f`..f...f
00D0: 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A ....f;. ...:..fj
00E0: 00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00 .fP.Sfh.....>...
00F0: 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00 ........>.....a.
0100: B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07 .B..$.......fX[.
0110: 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00 fXfX..-f3.f.....
0120: 66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36 f......f..f....6
0130: 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8 ......$.........
0140: 01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66 ........... ...f
0150: FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61 ..........o...fa
0160: C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE ................
0170: B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 .....<.t........
0180: EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 .....A disk read
0190: 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00 error occurred.
01A0: 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69 ..NTLDR is missi
01B0: 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F ng...NTLDR is co
01C0: 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73 mpressed...Press
01D0: 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F Ctrl+Alt+Del to
01E0: 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 restart........
01F0: 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA ..............U.
       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
The last 125 bytes of the Boot Record's first sector contain Error Messages, the Message Offset bytes and the Word-sized signature ID (or Magic number) of AA55h. Remember that hex Words (numerical data requiring more than a single byte) for Intel x86 CPUs are always stored in memory with the Lowest-byte first and the Highest-byte last to make CPU processing quicker!
Each Error Message begins with the Hex bytes 0Dh and 0Ah which are a Carriage Return and Line Feed, and ends with a 00h byte making these what's commonly known in various programming languages as zero-terminated strings or 'sz' strings (the string plus a zero byte).
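The fields described above (JMP target, OEM ID, eight-byte Volume Serial Number, Message Offset bytes, zero-terminated messages and the AA55h signature) can be read back with a short parser; this is an added example, not code from the original page. The BPB offsets used (0Bh, 0Dh, 1Ch, 48h) are the standard NTFS BPB layout, and the 100h base added to each Message Offset byte is an assumption taken from the MOV AH,01 / MOV SI,AX bytes (B4 01 8B F0) at 0170h in the dump. The sample sector is constructed: its header, messages and last eight bytes are copied from the dump, and the boot code is left as zeros.

```python
import struct

def build_sample_sector() -> bytes:
    """Constructed sample: bytes 000h-04Fh, the messages and the last eight
    bytes are taken from the dump above; the boot code is left as zeros."""
    s = bytearray(512)
    s[:0x50] = bytes.fromhex(
        "EB52904E544653202020200002080000"
        "0000000000F800003F00FF003F000000"
        "0000000080008000AE39D70000000000"
        "04000000000000008DEF000000000000"
        "F600000001000000FC5DE1A499E1A4B4")
    tail = (b"\r\nA disk read error occurred\0\r\nNTLDR is missing\0"
            b"\r\nNTLDR is compressed\0\r\nPress Ctrl+Alt+Del to restart\r\n\0")
    s[0x183:0x183 + len(tail)] = tail
    s[0x1F8:0x1FC] = bytes.fromhex("83A0B3C9")   # Message Offset bytes
    s[0x1FE:0x200] = b"\x55\xAA"                  # AA55h stored low byte first
    return bytes(s)

def parse_ntfs_boot_sector(sec: bytes) -> dict:
    if len(sec) != 512:
        raise ValueError("expected one 512-byte sector")
    if sec[0] != 0xEB:
        raise ValueError("offset 0 is not a short JMP (EBh)")
    (sig,) = struct.unpack_from("<H", sec, 0x1FE)   # little-endian Word
    if sig != 0xAA55:
        raise ValueError(f"bad signature {sig:04X}h")
    rel8 = int.from_bytes(sec[1:2], "little", signed=True)
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    (hidden,) = struct.unpack_from("<I", sec, 0x1C)
    (serial,) = struct.unpack_from("<Q", sec, 0x48)
    messages = {}
    for low in sec[0x1F8:0x1FC]:
        start = 0x100 + low              # assumed: offset byte is the low half of 01xxh
        end = sec.find(b"\x00", start)
        if end == -1:
            raise ValueError(f"message at {start:03X}h is not zero-terminated")
        messages[start] = sec[start:end].decode("ascii", "replace").strip()
    return {"jump_target": 2 + rel8, "oem_id": sec[3:11].decode("ascii").rstrip(),
            "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "hidden_sectors": hidden, "volume_serial": serial,
            "messages": messages}

if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_sector()).items():
        print(key, value)
```

The JMP target comes out as 54h because the one-byte displacement (52h) is counted from the end of the two-byte instruction; the 90h NOP at offset 2 is skipped over.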
The six physical sectors directly following the NTFS Boot Sector contain the code which interfaces with the NTLDR file in order to boot up an OS partition after Windows XP or 2000 has been installed on the drive. This code is still necessary when booting up a Windows OS (even if the NTLDR file does not exist anywhere in its partition); the code will locate and make use of the NTLDR file in another partition.
The first sector of this Bootstrap Code (which we've also called the NTLDR Section elsewhere) looks like this (Hex offsets begin at start of NTLDR Section):
Code execution passes from the Boot sector of a bootable NTFS volume to offset 6Ah of the NTLDR Bootstrap code (see above). The bytes "8C C8" comprise its first CPU instruction: MOV AX,CS.
Although the exact purpose of each byte in the area with a RED background has not yet been determined, it's essentially used by the Bootstrap Code to store intermediate calculations and data about the partition.
The first time we examined this code, we thought there was a jump into this sector at offset 56h -- since there's a JMP instruction there (EB 12; followed by 90 90) which could provide an easy way to pass program execution to offset 6Ah (which begins with a "mov ax,cs" instruction); and the fact is that "EB 12" does indeed disassemble to: JMP 6Ah. However, upon examining all of the code (see the page NTLDR Loader Disassembled for more information), we found program execution always jumps directly into this sector at offset 6Ah (from the NTFS Boot Record); no jumps were ever found to offset 56h. So, we're left to speculate as to why the four bytes (at offset 56h) were placed there.
You can also view The Entire 16 Sectors of the VBR Area here.
The last sector (the 6th sector of the "Bootstrap Code"; the 7th sector of the entire "NTFS Boot Record") will appear as follows (Hex offsets are from start of NTLDR Section, so offset 0D75h is the last byte of the code):