An effective way to unlock a hard disk logic lock

zhaozj2021-02-08  242


Xiao Huayong, Northwestern Polytechnical University, Xi'an, P.O. Box 418 (710072)

1. Introduction

I don't know whether you have run into the situation where the machine cannot be started from either the floppy disk or the hard disk. Usually, when a computer's hard disk partition table is infected by a virus and the machine will not boot from the hard disk, it can still be booted from a floppy disk. In serious cases, however, the machine will not start from the hard disk and will not start from the floppy disk either: some vicious viruses can lock the hard disk dead. When I was playing with hard disk locks on my own machine I locked it once. The result was that starting from the hard disk, whether in DOS or Win95 mode, hung the machine; starting DOS from the floppy with the hard disk type selected in CMOS did boot, but the hard disk was gone, and the FDISK command on the floppy could neither repartition nor format it. It had me.

In the past, when a hard disk was locked, DOS version 3.0 or below could be used: the machine boots, and although this DOS does not recognize the hard disk, that is precisely why it gets past the lock, and you can then modify the hard disk partition table with DEBUG and boot normally after the change. But in the age of Windows a DOS below 3.0 is hard to find, and even if you find it you may not be able to use it because there is no 5-inch floppy drive. So the best way is to prepare a program to solve this problem. Through trial and thought I found a fairly practical approach that easily unlocks a dead hard disk, and of course it unlocked my own. I introduce this method here.

2. How the hard disk lock works

A hard disk lock usually works on the hard disk's partition table, so you should first understand the partition table. The hard disk partition table is located in cylinder 0, head 0, sector 1. The first 200-odd bytes of this sector are the master boot program, and the 64 bytes starting at offset 01BEh are the partition table. The 64-byte partition table is divided into four entries of 16 bytes each, each describing one partition. If the disk was partitioned with DOS's FDISK program, only two entries are used: the first describes the primary DOS partition and the second describes the extended DOS partition.

Each partition table entry has the following structure (offsets within the entry):

00h - active flag; the active DOS partition is 80h, the others are 00h.

01h - head number of the partition's logical sector 0.

02h - sector number (within the track) of logical sector 0.

03h - cylinder number of logical sector 0.

04h - partition type flag.

05h - head number of the last sector of this partition.

06h - sector number of the last sector of this partition.

07h - cylinder number of the last sector of this partition.

08h - total number of sectors preceding this partition, as a double word.

0Ch - total number of sectors in this partition, counted from logical sector 0 and not including hidden sectors, as a double word.

Although the cylinder and sector numbers above each occupy one byte, the sector number actually uses only 6 bits and the cylinder number uses 10 bits: the top two bits of the sector byte are the two highest bits of the cylinder number.

The last two bytes of the partition table sector are its valid flag. If this flag is changed, the machine will not boot from the hard disk, which is a simple way to lock the hard disk. The solution is to boot from a floppy disk; the hard disk can still be used after booting, and once the flag in the partition table is restored with DEBUG or Norton there is no longer any problem booting from the hard disk. Another way to lock the hard disk is to tamper with the partition parameters. If all the partition parameters are set to 0, the machine cannot boot from the hard disk; booting from a floppy works but the hard disk is not recognized, and typing the drive letter C followed by Enter gives Invalid drive specification. Fortunately the machine can still be booted, and even though it does not know the hard disk, the contents of hard disk cylinder 0 head 0 sector 1 can still be read from drive A, modified, and written back to cylinder 0 head 0 sector 1; restarting the machine is then no problem. If the partition table parameters are changed arbitrarily to other values, the machine may still boot from an installable DOS system disk, but after pressing F3 to exit the installer a memory allocation error appears, and if the DOS command interpreter COMMAND is run the system hangs. I have encountered this situation. But a floppy formatted as a system disk can boot smoothly, and as long as DEBUG is on it you can still change the partition table parameters back. The terrible case is when the partition table parameters are unfortunately changed into a circular chain: the next partition of drive C points to drive D and the next partition of drive D points back to drive C, so that DOS or Win95, while booting, keeps reading logical drives without end and simply hangs. As long as such a hard disk is present, the machine cannot be started no matter whether you boot from a floppy or from the hard disk.
The author ran into exactly this situation. If you don't believe it, just change byte 1D0h of hard disk cylinder 0 head 0 sector 1 to 1 (if your D drive is not very large it is 1 already) and byte 1D1h to 0, which makes the start of the D disk the same as the C drive, and see whether your computer can still start; but never try it before you are fully prepared. A complete hard disk lock program goes further: it rewrites the boot program in cylinder 0 head 0 sector 1, destroys the partition table or deliberately creates a circular partition table, and stores the real partition table parameters and boot program in other hidden sectors, protected by a password. If the password is wrong the machine cannot be started; with the right password it boots normally. Some such lock programs still let the machine boot from a floppy; the serious case is when even the floppy cannot boot, and then the hard disk is truly locked.
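As an added example (not code from the original article), the following Python decodes the 16-byte entries laid out above, including the 6-bit sector / 10-bit cylinder packing, and walks the extended-partition chain the way DOS does, except that it stops when a sector is revisited instead of hanging. The sample disk, the constructed sectors and the extended type ids 05h/0Fh are assumptions; lock_like_article applies the 1D0h/1D1h change described above so that the circular chain shows up in the check.

```python
import struct
TABLE_OFFSET = 0x1BE            # the partition table starts at 01BEh in the sector
EXTENDED_TYPES = {0x05, 0x0F}   # DOS/Win95 extended partition type ids (assumed standard values)

def unpack_chs(head, sec_byte, cyl_byte):
    # sector number is the low 6 bits; the top 2 bits of the sector byte are bits 8-9 of the cylinder
    return (((sec_byte & 0xC0) << 2) | cyl_byte, head, sec_byte & 0x3F)
def pack_chs(cyl, head, sec):
    return bytes([head, ((cyl >> 2) & 0xC0) | (sec & 0x3F), cyl & 0xFF])
def parse_entry(raw16):        # one 16-byte entry, laid out as in the list above
    flag, sh, ss, sc, ptype, eh, es, ec, rel, total = struct.unpack("<BBBBBBBBII", raw16)
    return {"active": flag == 0x80, "type": ptype, "start": unpack_chs(sh, ss, sc),
            "end": unpack_chs(eh, es, ec), "relative": rel, "total": total}

def parse_table(sector):
    if sector[510:512] != b"\x55\xAA":       # the two-byte valid flag at the end of the sector
        raise ValueError("partition table valid flag missing")
    return [parse_entry(sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * i + 16]) for i in range(4)]

def walk_chain(read_chs):
    # follow MBR -> extended -> extended links as DOS does, but give up on a revisited sector
    visited, volumes, where = [], [], (0, 0, 1)          # (cylinder, head, sector) of the MBR
    while where not in visited:
        visited.append(where)
        table = parse_table(read_chs(where))
        volumes += [e["start"] for e in table if e["type"] and e["type"] not in EXTENDED_TYPES]
        links = [e["start"] for e in table if e["type"] in EXTENDED_TYPES]
        if not links:
            return volumes, "ok"
        where = links[0]
    return volumes, "loop: chain returns to %s" % (where,)

def make_sector(entries):      # entries: (flag, type, start_chs, end_chs, relative, total)
    sec = bytearray(512)
    for i, (flag, ptype, start, end, rel, total) in enumerate(entries):
        sec[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * i + 16] = (bytes([flag]) + pack_chs(*start)
            + bytes([ptype]) + pack_chs(*end) + struct.pack("<II", rel, total))
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)
# constructed sample disk (16 heads, 63 sectors/track): C: is a FAT16 primary on cylinders 0-99
# and D: is the single logical volume in an extended partition on cylinders 100-199
CYL = 16 * 63
MBR = make_sector([(0x80, 0x06, (0, 1, 1), (99, 15, 63), 63, 100 * CYL - 63),
                   (0x00, 0x05, (100, 0, 1), (199, 15, 63), 100 * CYL, 100 * CYL)])
EBR = make_sector([(0x00, 0x06, (100, 1, 1), (199, 15, 63), 63, 100 * CYL - 63)])
DISK = {(0, 0, 1): MBR, (100, 0, 1): EBR}

def lock_like_article(mbr):    # the lock from the text: 1D0h := 1, 1D1h := 0, so D: starts where C: does
    sec = bytearray(mbr)
    sec[0x1D0], sec[0x1D1] = 1, 0
    return bytes(sec)
```

Running walk_chain on DISK reports both volumes and "ok"; on the locked MBR it reports the loop back to cylinder 0 head 0 sector 1 instead of reading forever.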

3. Unlocking the hard disk lock

If the hard disk is locked, is it really hopeless? Of course not. Looking at the root of the problem, the source is the IO.SYS file of DOS, which contains the four modules LOADER, IO1, IO2 and IO3. IO1 contains a critical routine, sysint_i, which very stubbornly reads the partition table at startup and will not give up until it has read it; if it meets a circular partition table it can only hang. This is a vulnerability and an imperfection of DOS. In fact DOS cannot really be blamed: it must read the partition table parameters in order to use the hard disk, and DOS supports at most 26 drives, but it simply did not take the case of circular partitions into account. In a word, the machine cannot boot because of the DOS operating system, and if you wrote your own operating system it might boot; of course that is just a joke.

Once the cause is understood to be DOS, the problem is easy to handle. DOS wants to read the hard disk partition table at startup? Then I will not let it read the partition table, or even the hard disk, and it should still boot smoothly. The method of unlocking the hard disk lock described here is based on this idea. Of course this only boots from the floppy disk. Look at the computer's startup process: first comes the hardware self-test after power-on, which has nothing to do with us; what we care about is how the startup disk is handled. If you choose to boot from the hard disk, the computer reads the contents of hard disk cylinder 0 head 0 sector 1 into memory and jumps to 0000:7C00 to execute it; if you choose to boot from the floppy disk, the computer reads the contents of floppy track 0 head 0 sector 1 and jumps to 0000:7C00 to execute it. During this process the computer does not check what the contents of the sector are; it only mechanically performs the read, which is what lets so many boot-sector viruses survive. But this is exactly what our unlocking program uses. If we format a system floppy that can boot the machine, move the contents of the floppy's track 0 head 0 sector 1 to a blank sector further back, and write our own program into track 0 head 0 sector 1 of the floppy, then when the machine boots from this floppy the first thing executed is the program we wrote.
This program does the following: first, before DOS starts, it intercepts INT 13h, stays resident in high memory and monitors INT 13h, checking whether a request reads the hard disk; if it does, access to the hard disk is refused, which prevents DOS from reading the circular partition table of the hard disk. At the same time it intercepts reads of the floppy disk: if track 0 head 0 sector 1 of the floppy is being read, the request is changed to read the sector that holds the real boot program and disk parameter table, so that DOS can still find the floppy's disk parameter table while starting. Having done this, it also reads the real boot program of the floppy and hands control to it.

This method can be called universal because it boots from the floppy and never deals with the hard disk at all, so whatever lock is used on your hard disk has no effect on DOS. Of course the machine booted this way has no hard disk, but that does not matter. After the machine has started, use DEBUG to call up the new INT 13h program resident in high memory and change it to a single instruction that directly executes the old INT 13h; then, under DEBUG, you can read the contents of hard disk cylinder 0 head 0 sector 1 with INT 13h. If you have a backup, restore the partition table parameters and write the sector back to cylinder 0 head 0 sector 1, then restart the computer. If there is no backup, at least remove the circular chain from the partition table, so that after restarting with a normal DOS boot disk you can at least repartition the hard disk rather than leaving it locked.

4. Program and instructions

1. The following is the source of KEY.COM, the program written to track 0 head 0 sector 1 of the floppy disk. It is entered under DEBUG as follows:

C>DEBUG
-A100
0100 CLI
0101 XOR AX,AX
0103 MOV DS,AX
0105 MOV ES,AX
0107 MOV SS,AX
0109 MOV AX,7C00
010C MOV SP,AX
010E STI
010F MOV SI,AX            ; copy this sector from 7C00h to 7E00h
0111 MOV DI,7E00
0114 CLD
0115 MOV CX,0200
0118 REPNZ
0119 MOVSB
011A JMP 0000:7E1F        ; continue executing in the copy
011F MOV CX,0003
0122 PUSH CX
0123 MOV AX,0201          ; read the real floppy boot sector (track 79, head 1, sector 1) to 7C00h, up to 3 tries
0126 MOV BX,7C00
0129 MOV CX,4F01
012C MOV DX,0100
012F INT 13
0131 POP CX
0132 DEC CX
0133 JNZ 0122
0135 MOV AX,[004C]        ; get the address of the old INT 13h and store it in the far JMP of the new handler
0138 MOV [7E88],AX
013B MOV AX,[004E]
013E MOV [7E8A],AX
0141 MOV AX,[0413]        ; take 1K from the top of base memory for the new handler
0144 DEC AX
0145 MOV [0413],AX
0148 MOV CL,06
014A SHL AX,CL
014C MOV ES,AX
014E XOR AX,AX
0150 MOV DS,AX
0152 MOV SI,7E6D          ; copy the rewritten INT 13h handler to high memory
0155 MOV DI,0000
0158 MOV CX,0030
015B REPNZ
015C MOVSB
015D MOV AX,0000          ; write the address of the new INT 13h into the interrupt vector table
0160 MOV [004C],AX
0163 MOV AX,ES
0165 MOV [004E],AX
0168 JMP 0000:7C00        ; hand control to the real boot program
016D PUSHF                ; new INT 13h handler
016E CMP DX,0080          ; first hard disk, head 0 (DL=80h, DH=0)?
0172 JNZ 0176             ; no: continue
0174 POPF
0175 IRET                 ; yes: return directly, the hard disk is never touched
0176 CMP DX,00            ; drive A, head 0?
0179 JNZ 0186
017B CMP CX,01            ; track 0, sector 1 (the boot area)?
017E JNZ 0186
0180 MOV CX,4F01          ; yes: read track 79, head 1, sector 1 instead
0183 MOV DX,0100
0186 POPF
0187 JMP 0000:0000        ; jump to the old INT 13h; its address is filled in at 0188h/018Ah by the code above
018C
-N KEY.COM
-RCX
:200
-W
-Q

2. Writing it to the floppy

Before doing the following, first use DOS to format a bootable system disk and make sure it has no bad sectors; best of all, test it and make sure it can boot the machine. Since most machines now have only a 3.5-inch floppy drive, a 1.44 MB 3.5-inch floppy is used here. Then run DEBUG KEY.COM, which loads KEY.COM at memory offset 100h, and enter a loader at 400h, as follows:

C>DEBUG KEY.COM
-A400
0400 MOV CX,0003
0403 PUSH CX
0404 MOV AX,0201          ; read the A: boot sector into memory at 1000h, up to 3 tries to be safe
0407 MOV BX,1000
040A MOV CX,0001
040D MOV DX,0000
0410 INT 13
0412 POP CX
0413 DEC CX
0414 JNZ 0403
0416 MOV AX,0301          ; write the boot sector just read to the last track: track 79, head 1, sector 1
0419 MOV BX,1000
041C MOV CX,4F01
041F MOV DX,0100
0422 INT 13
0424 MOV AX,0301          ; write KEY.COM (loaded at 100h) to floppy track 0, head 0, sector 1
0427 MOV BX,0100
042A MOV CX,0001
042D MOV DX,0000
0430 INT 13
0432 INT 3                ; back to DEBUG
0434

To make sure nothing was lost, it is best to read back the contents of the two floppy sectors and confirm the writes succeeded. Then test it: boot the machine from this floppy and see whether it works. If it boots, you can lock the hard disk with a circular partition table, check that it no longer boots under normal DOS, then boot the machine with this floppy and see the effect.

After booting from this floppy, the hard disk is not recognized, and the new INT 13h program is resident in high memory (it is the part of KEY.COM from 16Dh to 187h). While it is present you cannot read the hard disk under DEBUG, so you cannot restore the partition table either; therefore the first thing to do after the machine starts is to modify this program. Base memory is now usually 640K, so the program is located at 9FC0:0000; under DEBUG, U 9FC0:0 lists it, and you can see a jump instruction at 9FC0:001A that goes to the original INT 13h. Because BIOS versions differ, the target of that jump may not be the same; on the author's machine it is JMP F000:A5D4. Now enter in DEBUG: A 9FC0:0, followed by JMP F000:A5D4. After this the ban on the hard disk no longer takes effect, and you can use INT 13h function 2 to read the hard disk partition table, repair it, and write the data back. Exit DEBUG and restart; the computer boots.

Incidentally, under normal DOS this floppy has no disk parameter table because its boot area is gone, so the DIR A: command gives the prompt General failure reading drive A. Ignore it; this does not affect its use as a special boot disk.

5. Suggestions

To protect your hard disk better, the author suggests that you back up your hard disk partition information. There are two ways to back it up: one is to store the partition information of each logical disk in a file; the other is to back up the partition information in hidden sectors of the hard disk. For example, cylinder 0 head 0 sector 1 can be backed up to cylinder 0 head 0 sector 3, and head 0 sector 1 of the cylinder where the D disk starts can be backed up to head 0 sector 3 of that cylinder, and likewise for the other logical disks. This method is simple, convenient and very reliable, and is easy to carry out with DISKEDIT in Norton Utilities. With the partition information backed up you need not fear viruses that destroy the partition table, and with the program I have given you, even if someone really locks your hard disk you can easily unlock it.

Please credit the original address when reposting: https://www.9cbs.com/read-1571.html
