
View Full Version : Understanding Assembly Code


Unity
June 1st, 2013, 07:08
Hi,

My knowledge regarding assembly code is very limited and I wanted to ask if someone could help me figure out what the following is doing? There is a routine that calls the disk (loaded directly by BIOS) and I would like to know where this is and how it is called / executed.

This code seems to be a boot sector. It's loaded by the BIOS at boot. The code that loads this (assuming it is placed in the MBR) is in the BIOS, the boot-up code path. It appears it uses a XOR key to de-XOR something but I can't see where it is getting this key? Can anybody assist? Thanks

Quote:
; --
; Format : Binary file
; Base Address: 0000h Range: 0000h - 0098h Loaded length: 0098h

.686p
.mmx
.model flat

; ==

; Segment type: Pure code
seg000 segment byte public 'CODE' use16
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
cli
xor ax, ax
mov ss, ax
mov sp, 7C00h
mov si, sp
push ax
pop es
push ax
pop ds
sti
cld
mov di, 600h
mov cx, 100h
rep movsw
jmp far ptr 0:61Dh
; --
mov dh, 0
mov cx, 2
mov di, 5

loc_25: ; CODE XREF: seg000:0036j
mov bx, 700h
mov ax, 201h
push di
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
pop di
jnb short loc_3D
xor ax, ax
int 13h ; DISK - RESET DISK SYSTEM
; DL = drive (if bit 7 is set both hard disks and floppy disks reset)
dec di
jnz short loc_25
mov si, 68Ah
jmp short loc_78
; --

loc_3D: ; CODE XREF: seg000:002Fj
mov cx, 3

loc_40: ; DATA XREF: seg000:0083r
mov di, 5

loc_43: ; CODE XREF: seg000:0059j
mov bx, 2000h
push bx
pop es
assume es:nothing
mov bx, 0
mov ax, 220h ; DATA XREF: seg000:002Cr seg000:0033r ...
push di
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
pop di
jnb short loc_60
xor ax, ax
int 13h ; DISK - RESET DISK SYSTEM
; DL = drive (if bit 7 is set both hard disks and floppy disks reset)
dec di
jnz short loc_43
mov si, 68Ah
jmp short loc_78
; --

loc_60: ; CODE XREF: seg000:0052j
mov cx, 3FFFh
mov si, 800h
xor di, di

loc_68: ; CODE XREF: seg000:0071j
lodsw
and si, 0FFBFh
xor ax, es:[di]
stosw
dec cx
jnz short loc_68
jmp far ptr 2000h:0
; --

loc_78: ; CODE XREF: seg000:003Bj seg000:005Ej ...
lodsb
cmp al, 0
jz short loc_88
push si
mov bx, 7
mov ah, 0Eh
int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
; AL = character, BH = display page (alpha modes)
; BL = foreground color (graphics modes)
pop si
jmp short loc_78
; --

loc_88: ; CODE XREF: seg000:007Bj
; seg000:loc_88j
jmp short loc_88
; --
db 44h ; D
db 69h ; i
db 73h ; s
db 6Bh ; k
db 20h
db 49h ; I
db 2Fh ; /
db 4Fh ; O
db 20h
db 45h ; E
db 72h ; r
db 72h ; r
db 6Fh ; o
db 72h ; r
seg000 ends

end
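The listing above can be followed on paper, but the two INT 13h reads and the XOR loop at loc_60/loc_68 are easier to see when run over data. The following is an added example (not code from the thread, and not any real boot sector) that emulates just those pieces in Python against a constructed disk image: sector 1 holds the boot code, sector 2 is read to 0000:0700 so its byte 0x100 lands at linear 0x800 where SI starts, and 0x20 sectors from sector 3 are read to 2000:0000 and decrypted in place. The key length of 64 bytes follows directly from `and si, 0FFBFh`, which clears bit 6 after each `lodsw` so SI cycles through 0800h..083Eh. The key bytes, the payload text and the memory size are constructed for the example.

```python
"""Emulation of the second-stage load and the XOR loop from the boot
sector listing in the thread. Added example over a constructed disk
image; not code from the thread or from any real boot sector."""

SECTOR = 512
KEY_LEN = 0x40          # SI is masked with 0FFBFh, so the key window is 64 bytes


def build_disk_image(key: bytes, payload: bytes) -> bytes:
    """Constructed disk: sector 1 = boot code (left blank here), sector 2
    carries the key at byte offset 0x100, sectors 3..34 carry the payload
    XORed with the cycling 64-byte key so that the listing's loop undoes it."""
    assert len(key) == KEY_LEN
    sector1 = bytes(SECTOR)
    sector2 = bytearray(SECTOR)
    sector2[0x100:0x100 + KEY_LEN] = key      # at linear 0x800 once sector 2 sits at 0000:0700
    plain = payload.ljust(0x20 * SECTOR, b"\0")  # exactly the 0x20 sectors the code reads
    encrypted = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(plain))
    return sector1 + bytes(sector2) + encrypted


def bios_read_sectors(disk: bytes, cl: int, al: int) -> bytes:
    """Models INT 13h / AH=02h for cylinder 0, head 0 (CH=0, DH=0 in the
    listing): CL is the 1-based sector number, AL the number of sectors."""
    start = (cl - 1) * SECTOR
    return disk[start:start + al * SECTOR]


def run_boot_code(disk: bytes) -> bytearray:
    """Runs the two reads and the XOR loop; returns the flat memory image."""
    mem = bytearray(0x30000)            # constructed size, covers 2000:7FFE

    # loc_25: ES=0000, BX=0700, AX=0201, CX=0002 -> one sector (CL=2) to 0000:0700
    mem[0x700:0x700 + SECTOR] = bios_read_sectors(disk, cl=2, al=1)

    # loc_43: ES=2000, BX=0000, AX=0220, CX=0003 -> 0x20 sectors from CL=3 to 2000:0000
    es = 0x2000
    data = bios_read_sectors(disk, cl=3, al=0x20)
    mem[es * 16:es * 16 + len(data)] = data

    # loc_60/loc_68: CX=3FFF words, DS:SI=0000:0800 (DS is 0 from push ax/pop ds),
    # ES:DI=2000:0000; each word is decrypted in place.
    si, di = 0x800, 0x0
    for _ in range(0x3FFF):
        ax = mem[si] | (mem[si + 1] << 8)          # lodsw (DF clear, SI += 2)
        si = (si + 2) & 0xFFBF                     # and si, 0FFBFh: bit 6 cleared, SI wraps at 0840h -> 0800h
        lin = es * 16 + di
        ax ^= mem[lin] | (mem[lin + 1] << 8)       # xor ax, es:[di]
        mem[lin] = ax & 0xFF                       # stosw (DI += 2)
        mem[lin + 1] = ax >> 8
        di += 2
    return mem                                     # the listing then does jmp far 2000h:0


def key_window(mem: bytearray) -> bytes:
    """The 64 bytes the loop actually cycles through: linear 0x800..0x83F,
    i.e. 0x100 bytes into the sector that was read to 0000:0700."""
    return bytes(mem[0x800:0x800 + KEY_LEN])


def decrypted_payload(mem: bytearray, length: int) -> bytes:
    """What sits at 2000:0000 after the loop, where the far jump lands."""
    return bytes(mem[0x20000:0x20000 + length])


# Constructed sample values (not from the thread).
KEY = bytes((i * 37 + 11) & 0xFF for i in range(KEY_LEN))
PAYLOAD = b"constructed stage-2 plaintext: control goes to 2000:0000 after the loop"

if __name__ == "__main__":
    disk = build_disk_image(KEY, PAYLOAD)
    mem = run_boot_code(disk)
    print("key window at 0000:0800:", key_window(mem).hex())
    print("on-disk bytes of sector 3:", disk[2 * SECTOR:2 * SECTOR + 16].hex())
    print("after the loop at 2000:0000:", decrypted_payload(mem, len(PAYLOAD)))
```

Two things the emulation makes visible that the listing states only implicitly: the key pointer never leaves the 64-byte window, so only bytes 0x100..0x13F of the sector read with CL=2 matter; and the loop runs for 0x3FFF words (0x7FFE bytes) although the read at loc_43 only filled 0x4000 bytes, so the second half of the loop XORs whatever was already in memory from 2000:4000 onward.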

dion
June 1st, 2013, 08:48
When I need to trace boot code, I use Bochs.

Unity
June 3rd, 2013, 16:12
I will try to trace and research more. If anyone has an idea of what the code is doing and how, it would be helpful. Thanks!

Woodmann
June 3rd, 2013, 21:32
What don't you understand?
If it's straight code, I suggest you learn that first.

If you don't know how to debug a MBR, read this:
http://www.phocean.net/2011/01/20/debugging-the-mbr-with-ida-pro-and-bochs.html

Woodmann

disavowed
June 4th, 2013, 08:58
Quote:
Originally Posted by Unity: where it is getting this key?

The XOR key begins at the beginning of the hard drive's third sector.

Unity
June 6th, 2013, 20:05
Quote:
Originally Posted by disavowed: The XOR key begins at the beginning of the hard drive's third sector.

I don't see how the xor key comes from the 3rd sector (start at 0x3FF + 1). Have you misread it as coming from sector 33 (start at 0x3FFF + 1)? That's the only other location that showed some sort of key.

Quote:
loc_60: ; CODE XREF: seg000:0052j
mov cx, 3FFFh
mov si, 800h
xor di, di

loc_68: ; CODE XREF: seg000:0071j
lodsw
and si, 0FFBFh
xor ax, es:[di]
stosw
dec cx
jnz short loc_68
jmp far ptr 2000h:0


where has
Quote:
DS:SI
been filled since it holds the xor key?

Quote:
DS:SI -> AX
(because of lodsw)

then

Quote:
xor ax, es:[di]