Disassemble the MBR
UPDATE: This is why we *LOVE* our readers! After posting a 32-bit disassembly of 16-bit MBR code, I was gently informed of my misstep by three sharp-eyed readers. I’ve corrected the original post below. Thanks go out to Ramon Sola, Jeroen Frijters and 'pedantic gnome' for keeping us honest. Thanks guys!
Hi Everyone,
One of our readers, Pete, asked a very interesting question about disassembling the MBR and I'd like to take a moment to show you the quick & dirty way to do this.
First, dump the MBR to a file using a low-level sector editor such as the Microsoft Resource Kit utility DiskProbe. Once you've saved the file, launch a program (like Notepad) and attach to it using Windbg (the Windows Debugger).
Next, find a valid, but unoccupied range of memory (the default heap is a good candidate). The memory range needs to be at least 512 (0x200) bytes. For example, here's where I found mine:
000120a0 00000000 00000000 00000000 00000000
000120b0 00000000 00000000 00000000 00000000
000120c0 00000000 00000000 00000000 00000000
000120d0 00000000 00000000 00000000 00000000
000120e0 00000000 00000000 00000000 00000000
000120f0 00000000 00000000 00000000 00000000
00012100 00000000 00000000 00000000 00000000
00012110 00000000 00000000 00000000 00000000
00012120 00000000 00000000 00000000 00000000
<snip>...
Once you've found a good memory range in your process, read the file contents into that memory location using the following command:
0:001> .readmem c:\<<path>>\sector00.bin 120a0 120a0+0x1ff
Tada! You now have the MBR in memory and it is fully examinable just like any other assembly code.
0:001> db 000120a0
000120a0 33 c0 8e d0 bc 00 7c 8e-c0 8e d8 be 00 7c bf 00 3.....|......|..
000120b0 06 b9 00 02 fc f3 a4 50-68 1c 06 cb fb b9 04 00 .......Ph.......
000120c0 bd be 07 80 7e 00 00 7c-0b 0f 85 10 01 83 c5 10 ....~..|........
000120d0 e2 f1 cd 18 88 56 00 55-c6 46 11 05 c6 46 10 00 .....V.U.F...F..
000120e0 b4 41 bb aa 55 cd 13 5d-72 0f 81 fb 55 aa 75 09 .A..U..]r...U.u.
000120f0 f7 c1 01 00 74 03 fe 46-10 66 60 80 7e 10 00 74 ....t..F.f`.~..t
00012100 26 66 68 00 00 00 00 66-ff 76 08 68 00 00 68 00 &fh....f.v.h..h.
00012110 7c 68 01 00 68 10 00 b4-42 8a 56 00 8b f4 cd 13 |h..h...B.V.....
Since this is 16-bit assembly, you can unassemble using ‘ur’:
0:001> ur 120a0
000120a0 33c0 xor ax,ax
000120a2 8ed0 mov ss,ax
000120a4 bc007c mov sp,7C00h
000120a7 8ec0 mov es,ax
000120a9 8ed8 mov ds,ax
000120ab be007c mov si,7C00h
000120ae bf0006 mov di,600h
000120b1 b90002 mov cx,200h
<snip>...
Have fun Pete!
DiskProbe: https://technet.microsoft.com/en-us/library/bb457122.aspx
WinDbg: https://www.microsoft.com/whdc/devtools/debugging/default.mspx
- David
Comments
- Anonymous
July 05, 2008
Why not use debug.exe ? It's included even in Vista and disassembles 16-bit code just fine.