Windows 95 boot sector

xiaoxiao2021-03-06  18

;----------------------------------------------------------------------------
;
; Description: Heroic attempt to disassemble the Windows 95 boot sector.
; Date:        16. Aug. 1998
; Author:      Mr. X
; Email:       unknown
; Comment:     This boot code is messy.
; Status:      Part I, II and III are now pretty much done.
; Important:   "SHLD EDX, EAX, 16" - this is a Microsoft patent.
;              Also take a look at the "list" near EOF.
;
; ---> cut here if you like to listen to me <---
;
; This file will assemble into a fully functional (I hope) Win95B boot code.
;
;   TASM WIN95 /M
;   TLINK WIN95, WIN95.BIN /T
;
; Ask someone for the proper dropper code ...
;----------------------------------------------------------------------------
;
; At disassembling I have this impression:
;
; This is what Bill Gates said ... when Win95 was going to be released:
;
; "Gates:       OK, then we're ready to press the CDs and start shipping out
;               this new load of shit, but of course nobody will notice ...
;               harr harr.
;  Employee:    Hey, Mr. Gates, what about the boot sector?? We haven't
;               written the FAT32 support routines there yet ...
;  Gates:       Ah, that's right ... anybody?? We have just 45 minutes ...
;  Employee #2: Well, I think I can hack some shit together ...
;  Gates:       Fine, go for it ... remember you have only 44 minutes ...
;  Employee #2: I think I can do it.
;  Gates:       Fine, then I'll just go home ... we've made it!!"
;
; Funny?
;
; There is some real strange code in this boot record ....
; I bet Bill Gates hired some crazy mother fucker to write this shit.
; It seems like he had really tried to make the code fit within one sector.
; But he didn't ...
;
; This is a typical Microsoft solution, they mix stupid 8086 code ... with
; cheap solutions and then suddenly they use 386 code ...
;
; And then there is the new FAT32 data structures where they have moved
; the volume label, file system ID and serial number down to make room for
; some extended FAT32 variables ... it sucks. Why not rearrange the whole
; structure ... An OS would not try to interpret the shit anyway, because
; the partition table SYSID has changed with FAT32.
;
; As I said ... crazy mother fucker ...
;
; Well, well ... here's some of the stuff ... with a mix of mine and Sourcer's
; comments ...
;
; Another thing about TASM, which I use. I didn't buy it ... I
; have a shareware version on a 30 year trial period.
;
; Back to what I was about to say again ... When I use the brxxxx variables
; in indexing with BP, TASM generates 16-bit offsets in operands even though
; the Win95 code uses byte offsets (I'm not sure if I'm expressing myself
; clearly here). When I change the code from:
;
;   MOV AX, [BP+brHPC]    to    MOV AX, [BP+128]
;
; TASM did use the byte offset form ... This makes my code a little less
; readable ... but the comments should give you an idea.
;
; Basically this boot sector code is a 32 bit extension for a 16 bit patch to
; an 8 bit boot sector originally coded for a 4 bit microprocessor, written
; by a 2 bit company that can't stand 1 bit of competition.
;
; ---> cut here if you don't like to listen to me <---

                .386C
code            SEGMENT USE16
                ASSUME  cs:code, ds:code, ss:nothing

; Boot Record - Part I - Main Boot Sector Code
;
; Just so I've said it - ASM opcodes are only when capitalized,

; but I forgot to set the option in Sourcer ... so I wrote a small TP program
; that capitalized everything but what's after the semicolon ...

Win95b          PROC    FAR
                JMP     SkipData                ; 0000h
brINT13Flag     DB      90H                     ; 0002h - 0Eh for INT13 AH=42h read
brOEM           DB      'MSWIN4.1'              ; 0003h - OEM ID - Windows 95B
brBPS           DW      512                     ; 000Bh - Bytes per sector
brSPC           DB      8                       ; 000Dh - Sectors per cluster
brResCount      DW      32                      ; 000Eh - Reserved sectors
brFATs          DB      2                       ; 0010h - FAT copies
brRootEntries   DW      0                       ; 0011h - Root directory entries
brSectorCount   DW      0                       ; 0013h - Sectors in volume, <32MB
brMedia         DB      0F8H                    ; 0015h - Media descriptor
brSPF           DW      0                       ; 0016h - Sectors per FAT
brSPH           DW      63                      ; 0018h - Sectors per head/track
brHPC           DW      128                     ; 001Ah - Heads per cylinder
brHidden        DD      63                      ; 001Ch - Hidden sectors
brSectors       DD      6305985                 ; 0020h - Total number of sectors
brSPF32         DD      6153                    ; 0024h - Sectors per FAT (FAT32)
brFlags         DW      0                       ; 0028h - Flags (FAT32)
brVersion       DW      0                       ; 002Ah - FS version (FAT32)
brRootCluster   DD      2                       ; 002Ch - Root start cluster (FAT32)
brFSInfoSector  DW      1                       ; 0030h - FS info sector (FAT32)
brBackupBoot    DW      6                       ; 0032h - Backup boot record
brReserved      DB      6 DUP (0)               ; 0034h - Reserved
brShitter       DB      6 DUP (0)               ; 003Ah - Unused filler ??
brDrive         DB      80H                     ; 0040h - BIOS drive number
brHeadTemp      DB      00H                     ; 0041h - Head/temp number ????
brSignature     DB      29H                     ; 0042h - Extended boot record sig.
brSerialNum     DD      404418EAH               ; 0043h - Volume serial number
brLabel         DB      'HardDisk   '           ; 0047h - Volume label
brFSID          DB      'FAT32   '              ; 0052h - File system ID

SkipData:
                CLI
                XOR     CX, CX
                MOV     SS, CX                  ; SS = CX = 0
                ; Set up stack 8 bytes below us, do you know why???
                ; It's because the shitter puts the "Start of Data Area" DWORD
                ; at 7C00h-4 and the value -1 at 7C00h-8 ... Cool?
                MOV     SP, 7C00H-8
                MOV     ES, CX                  ; ES = CX = 0
                MOV     BP, 78H
                ; Point DS:SI to INT 1Eh - diskette params structure ...
                LDS     SI, DWORD PTR SS:[BP]
                PUSH    DS
                PUSH    SI
                PUSH    SS
                PUSH    BP
                MOV     DI, 522H
                MOV     SS:[BP], DI             ; Setup our INT 1Eh
                MOV     SS:[BP+2], CX
                ; Copy 11 bytes from old diskette parameter table into
                ; ES:522h, that is 0000:0522 or 0050:0022 - I assume that
                ; 0001-0021 is used for something else. 0050:0000 I know
                ; is the PrtScr flag byte.
                MOV     CL, 11
                CLD
                REP     MOVSB
                MOV     DS, CX                  ; DS = CX = 0
                MOV     BP, 7C00H               ; Point BP to start of us
                MOV     BYTE PTR [DI-2], 0FH    ; Modify head settle time
                MOV     AX, SS:[BP+18H]
                MOV     [DI-7], AL              ; Modify sectors per track
                ; Compare drive number with 0 ...
                ; If greater than or equal ... go to MBRReadError
                ; I guess that lower than zero ... must be -1..-128 (80h..FFh)
                ; which would mean harddisk boot ...
                CMP     SS:[BP+40H], CL         ; Boot from diskette?
                JGE     MBRReadError
                MOV     AX, CX                  ; AX = CX = 0
                CWD                             ; DX = AX[15] -> (zero)
                MOV     BX, 0700H               ; Use 0000:0700 for sector
                                                ; read buffer
                CALL    ReadSector              ; Load master boot record
                JC      MBRReadError            ; Error?
                SUB     BX, 58                  ; BX = 08C6h (900h-3Ah),
                                                ; point to "Start" field
                MOV     EAX, DS:[7C1CH]         ; Load hidden sectors
CheckMBR:
                CMP     EAX, [BX]               ; Is this our entry??
                MOV     DL, [BX-4]              ; Put system ID in DL
                JNZ     NotOurs                 ; Jump if not ours
                ; If "Partition Type" is 0Ch or 0Eh, ReadSector
                ; will use INT13/42h ...
                OR      DL, 2                   ; Set bit 1, to allow for
                                                ; types 0Ch or 0Eh to be
                                                ; thought of as both 0Eh.
                MOV     SS:[BP+2], DL           ; Set brINT13Flag
NotOurs:
                ADD     BL, 16                  ; Skip to next entry ...
                JNB     CheckMBR                ; More entries?
MBRReadError:
                MOV     DI, 2
                ; FAT32 - is sectors per FAT zero?
                CMP     WORD PTR SS:[BP+16H], 0
                JNE     ShowErrMsg1
                ; Put number of hidden sectors in DX:AX
                MOV     AX, WORD PTR SS:[BP+1CH]
                MOV     DX, WORD PTR SS:[BP+1EH]
                MOV     CX, 3                   ; Boot record is 3 sectors ...
                ; Start loading remainder of boot record for FAT32
LoadIt:
                DEC     CX
                INC     AX                      ; Next boot record sector
                JNZ     Skipper                 ; AX wrap-around?
                INC     DX                      ; Yes, inc DX too
Skipper:
                MOV     BX, 7E00H               ; Into 0000:7E00
                CALL    ReadSectorX             ; Read sector
                JNC     ReadOK                  ; No error?
                MOV     AL, 0F8H                ; What's this????
                DEC     DI
                JZ      NoMore                  ; Jump if no more sectors
                MOV     AX, SS:[BP+32H]         ; Get backup boot sector
                XOR     DX, DX
                MOV     CX, 3
                CMP     CX, AX                  ; Compare backup BS num
                JA      ShowErrMsg1             ; with 3 (or vice versa);
                                                ; if 3 is higher than
                                                ; backup sector number,
                                                ; Bill's outta here ...
                ; Get number of reserved sectors
                ; excluding the three boot
                ; sectors ...
                MOV     SI, SS:[BP+0EH]         ; SI = # of reserved sectors
                CMP     CX, SI
                JAE     ShowErrMsg1             ; Same thing here ... if 3 is
                                                ; higher than ... Bill's ...
                ; Add number of hidden sectors to DX:AX
                ADD     AX, WORD PTR SS:[BP+1CH]
                ADC     DX, WORD PTR SS:[BP+1EH]
                JMP     LoadIt
NoMore:                                         ; Jump if carry = 0
                JMP     ShowErrMsg2
ReadOK:
                CMP     WORD PTR SS:[BP+2AH], 0
                JA      ShowErrMsg1             ; Jump if not version 0.0
                JMP     GoFAT32
ShowErrMsg1:
                MOV     SI, OFFSET ErrMsg1+7C00H
PrintMessage:
                LODSB                           ; Get msg skip length
                CBW
                ADD     SI, AX                  ; Skip control data ??
NextChar:
                LODSB                           ; Get character
                TEST    AL, AL
                JZ      LastChar                ; End of string
                CMP     AL, -1
                JE      SkipChar                ; End of first part?
                MOV     AH, 0EH                 ; TTY write character
                MOV     BX, 7
                INT     10H
                JMP     NextChar                ; Repeat write ...
SkipChar:
                MOV     SI, OFFSET ErrMsg4+7C00H ; Point to tail message
                JMP     PrintMessage
ShowErrMsg2:
                MOV     SI, OFFSET ErrMsg2+7C00H
                JMP     PrintMessage
LastChar:
                CBW                             ; Ah, clever ... save one byte, take
                                                ; advantage of the fact that LODSB
                                                ; returns the null-terminator.
                INT     16H
                POP     SI                      ; Restore the stack ... why???
                POP     DS                      ; The stack is killed at startup ...
                POP     DWORD PTR [SI]
                INT     19H                     ; BIOS bootstrap loader ..
Win95b          ENDP

;============================================================================
; Read sector
;============================================================================

ReadSector      PROC    NEAR
                INC     CX                      ; Increase sector count
ReadSectorX:
rsReadMore:
                PUSH    SI
                PUSH    DWORD PTR 0
                PUSH    DX
                PUSH    AX
                PUSH    ES
                PUSH    BX
                PUSH    1
                PUSH    10H
                MOV     SI, SP                  ; Save stack pointer
                                                ; for later use by LEA
                PUSHA                           ; Save "all" registers
                CMP     BYTE PTR SS:[BP+2], 0EH ; Use INT13 extensions?
                JNE     rsOldINT13
                MOV     AH, 42H                 ; Do ext INT13 read
                JMP     rsDiskIO
rsOldINT13:
                XCHG    CX, AX                  ; Swap CX and AX
                XCHG    DX, AX                  ; Swap DX and AX
                XOR     DX, DX                  ; Clear DX
                DIV     WORD PTR SS:[BP+18H]    ; Div LBA_hi by sectors/track
                XCHG    CX, AX                  ; Save result in CX and put
                                                ; the LBA_lo in AX
                DIV     WORD PTR SS:[BP+18H]    ; Divide remainder and LBA_lo
                                                ; by sectors/track too
                INC     DX                      ; Make sector 1-based
                XCHG    CX, DX                  ; Save it in CX and get the
                                                ; result of the 1st division
                                                ; in DX
                DIV     WORD PTR SS:[BP+1AH]    ; Divide this new result by
                                                ; heads per cylinder
                MOV     DH, DL                  ; Save head of CHS in DH;
                                                ; head was in the remainder
                MOV     CH, AL                  ; Save lo cylinder;
                                                ; cylinder was in the result
                                                ; after the division above
                ROR     AH, 2                   ; Rotate AH to make bits 8-9
                                                ; of cylinder appear as bits 6-7
                                                ; in AH and ...
                OR      CL, AH                  ; OR it with the sector num
                MOV     AX, 201H                ; Setup for read - 1 sector
rsDiskIO:
                MOV     DL, SS:[BP+40H]         ; Loading drive number
                INT     13H                     ; Call INT13
                POPA                            ; Restore "all" registers
                ; The entry code pushed 12h bytes on the stack ...
                ; The last word pushed was 0001h, restore SP to point to it ...
                LEA     SP, [SI+10H]            ; Load effective addr
                ; Now, SI should contain 0001h
                POP     SI
                ; Was there an error from INT13?
                JC      rsDone
                INC     AX                      ; Increment LBA sector num
                JNZ     rsSkip                  ; Wrap-around?
                INC     DX                      ; Yes, raise high word too
rsSkip:
                ADD     BX, SS:[BP+0BH]         ; Increment by sector size
                DEC     CX                      ; Decrement sector count
                JNZ     rsReadMore              ; Jump if more to read
rsDone:
                RET
ReadSector      ENDP
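Added example, not code from the listing: ReadSector above takes one of two routes into INT 13h depending on brINT13Flag, and the Python below rebuilds both requests from the same inputs. With the flag at 0Eh it is an AH=42h extended read with the 16-byte Disk Address Packet that the PUSH sequence assembles on the stack; otherwise it is an AH=02h legacy read whose C/H/S comes from exactly the two DIVs by sectors/track and one by heads/cylinder of rsOldINT13, packed into CH/CL/DH. Function and parameter names are my own; SPT and HPC are the brSPH/brHPC values from the listing and the sample LBAs are constructed.

```python
"""Model of the two INT 13h read requests ReadSector can issue (added example,
not part of the disassembly). Names are my own; geometry is from the listing."""
from __future__ import annotations

import struct

EXT_READ_FLAG = 0x0E        # brINT13Flag value that selects the AH=42h path
SPT, HPC = 63, 128          # brSPH / brHPC from the listing


def int13_flag_for(partition_type: int) -> int:
    """CheckMBR does OR DL,2: type 0Ch (FAT32 LBA) becomes 0Eh, 0Eh stays 0Eh,
    a CHS-only type such as 0Bh becomes 0Bh and keeps the legacy path."""
    return (partition_type | 2) & 0xFF


def lba_to_chs(lba: int, spt: int = SPT, hpc: int = HPC) -> tuple[int, int, int]:
    """Replay rsOldINT13 with 16-bit register semantics.
    Returns (cylinder, head, sector), sector 1-based."""
    if not 1 <= spt <= 63 or not 1 <= hpc <= 256:
        raise ValueError("geometry outside INT 13h legacy limits")
    lba_hi, lba_lo = lba >> 16, lba & 0xFFFF
    q1, r1 = divmod(lba_hi, spt)                 # 1st DIV WORD PTR [BP+18h]
    q2, r2 = divmod((r1 << 16) | lba_lo, spt)    # 2nd DIV: remainder:LBA_lo / SPT
    sector = r2 + 1                              # INC DX: sectors are 1-based
    track = (q1 << 16) | q2                      # the two quotients as DX:AX
    cyl, head = divmod(track, hpc)               # DIV WORD PTR [BP+1Ah]
    if cyl > 0xFFFF:
        raise ZeroDivisionError("#DE: quotient does not fit in AX")
    return cyl, head, sector


def pack_chs_regs(cyl: int, head: int, sector: int) -> tuple[int, int, int]:
    """MOV CH,AL / ROR AH,2 / OR CL,AH / MOV DH,DL. Only 10 cylinder bits exist
    in the register form; the boot code has no check for that, so this refuses
    cylinders whose extra bits would rotate into the sector field."""
    if cyl >= 1024:
        raise ValueError(f"cylinder {cyl} exceeds the 10-bit CHS limit")
    ch = cyl & 0xFF
    cl = (sector & 0x3F) | (((cyl >> 8) & 0x03) << 6)
    return ch, cl, head & 0xFF


def build_dap(lba: int, count: int = 1, buf_off: int = 0x0700, buf_seg: int = 0) -> bytes:
    """Disk Address Packet as pushed by ReadSector: 10h, 1, BX, ES, AX, DX, 0."""
    return struct.pack("<BBHHHQ", 0x10, 0, count, buf_off, buf_seg, lba)


def read_request(lba: int, int13_flag: int, drive: int = 0x80) -> dict:
    """Registers (and DAP) for the one-sector INT 13h call ReadSector would make."""
    if int13_flag == EXT_READ_FLAG:
        return {"ah": 0x42, "dl": drive, "dap": build_dap(lba)}
    ch, cl, dh = pack_chs_regs(*lba_to_chs(lba))
    return {"ah": 0x02, "al": 1, "ch": ch, "cl": cl, "dh": dh, "dl": drive}


if __name__ == "__main__":
    # partition start (brHidden = 63) both ways, then an LBA past cylinder 1023
    print(read_request(63, int13_flag_for(0x0B)))
    print(read_request(63, int13_flag_for(0x0C))["dap"].hex())
    try:
        read_request(1024 * HPC * SPT, int13_flag_for(0x0B))
    except ValueError as err:
        print("legacy path refused:", err)
```

The refusal in pack_chs_regs is the one thing the boot code does not do: with a cylinder of 1024 or more, ROR AH,2 rotates the surplus cylinder bits into the low bits of CL and the legacy read silently fetches a different sector, which is why the MBR scan above forces the 0Eh flag for LBA partition types.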

;============================================================================
; Data area for messages - in "Norsk" (Norwegian)
;============================================================================

ErrMsg1         DB      03H                     ; Skip counter for message1
ErrMsg2         DB      18H                     ; Skip counter for message2
ErrMsg3         DB      01H                     ; Skip counter for message3
ErrMsg4         DB      27H                     ; Skip counter for message4
                DB      13,10,'Ugyldig systemdisk',-1
                DB      13,10,'Disk I/U-feil',-1
                DB      13,10,'Sett inn en'     ; (rest of this message is lost)

;============================================================================
                DB      0, 0                    ; Padding?
; Root file names to search for ...?
IO_SYS          DB      'IO      SYS'
MSDOS_SYS       DB      'MSDOS   SYS'
                DB      7EH, 1, 0               ; What is this?
WINBOOT_SYS     DB      'WINBOOT SYS'           ; When is this used?
                DB      0, 0                    ; Padding?
                DW      0AA55H                  ; 1st boot signature

;
; Boot Record - Part II - FSInfo Sector
;
                DB      'RRaA'                  ; FAT32 extension signature
                DB      480 DUP (0)             ; FSINFO information ...
                DB      'rrAa'                  ; FAT32 FSINFO signature
brFreeClusters  DD      56990                   ; I have 233431040 bytes free !!
brNextFree      DD      466175                  ; My next free cluster
                DD      3 DUP (0)               ; Reserved, according to FAT32API.HLP
                DW      0                       ; Word padding
                DW      0AA55H                  ; 2nd boot signature

;
; Boot Record - Part III - FAT32 specific code, I think only Bill knows
;
GoFAT32:
                CLI
                ; Calculate total size of FAT area??
                MOVZX   EAX, BYTE PTR SS:[BP+10H] ; Number of FATs
                MOV     ECX, SS:[BP+24H]        ; Sectors per FAT
                MUL     ECX                     ; Mul'em
                ; Add hidden sectors
                ADD     EAX, SS:[BP+1CH]
                ; Add reserved sectors
                MOVZX   EDX, WORD PTR SS:[BP+0EH]
                ADD     EAX, EDX
                XOR     CX, CX                  ; Clear CX for some reason ...
                                                ; by looking down the code, I can't
                                                ; seem to find out why CX is cleared.
                                                ; It's set to 1 down there ... before
                                                ; it's ever used ...
                ; Save start of data area below us at 0000:7BFC, or thereabouts ...
                MOV     SS:[BP-4], EAX
                ; Save another value too ... this one is checked by GetFAT32Sector
                MOV     DWORD PTR SS:[BP-8], 0FFFFFFFFH
                ; Oh ... at Microsoft they take no chances ... disable INTs again!
                ; This is what I call proper software writing! Hail M$
                CLI
                ; Load root start cluster in EAX
                MOV     EAX, SS:[BP+2CH]
                ; Is it cluster 2?
                CMP     EAX, 2
                JB      ShowErrMsg1             ; Error if less than 2
                ; Is it an EOF marker or something above?
                CMP     EAX, 0FFFFFF8H
                JAE     ShowErrMsg1             ; Error if it is
                ; Put upper 16 bits of cluster number into DX??
                SHLD    EDX, EAX, 16
                STI                             ; Puh. Safe again.
GetRootCluster:
                PUSH    DX
                PUSH    AX
                CLI                             ; Eh?
                ; Clear upper 16 bits of cluster number, and of course move AX up
                SHL     EAX, 16
                ; Shift lower 16 bits of cluster number back down, and at the
                ; same time shift in the high 16 bits of the cluster number
                SHRD    EAX, EDX, 16
                ; Make cluster number 0-based ... "the way it's supposed to be"
                SUB     EAX, 2
                ; Put sectors per cluster in EBX
                MOVZX   EBX, BYTE PTR SS:[BP+0DH]
                ; Save it in SI too! Yippi
                MOV     SI, BX
                ; Calculate relative sector of first part of root ... right?
                MUL     EBX
                ; Add the "Start of Data Area" value we saved below us!
                ADD     EAX, SS:[BP-4]
                ; Maybe now, shitter is trying to make DX:AX what EAX is??
                ; Shift upper 16 bits of EAX into DX ... and AX is lower bits ...
                SHLD    EDX, EAX, 10H
                STI                             ; Enable interrupts
GetRootSector:
                ; Use 0070:0000 as a directory buffer ...
                MOV     BX, 0700H
                MOV     DI, BX
                ; Read 1 sector
                MOV     CX, 1
                CALL    ReadSectorX             ; This shit should be pretty
                JC      ShowErrMsg2             ; obvious ...
CheckEntry:
                CMP     [DI], CH                ; Is the first entry of the
                JE      EndOfRoot               ; root empty???
                MOV     CL, 11                  ; The stupid CP/M filenames
                                                ; are 11 bytes ...
                PUSH    SI
                MOV     SI, OFFSET IO_SYS+7C00H
                REPE    CMPSB                   ; Is it IO.SYS?
                POP     SI
                JZ      FoundOS                 ; Yeah ...
                ADD     DI, CX                  ; Add what's left after CMPSB
                ADD     DI, 15H                 ; and then 21 more ...
                ; Yeah, yeah, anyway ... point to the next dir entry ...
                ; and check if it is above the last entry ... INT13 increments
                ; BX with 512 on the sector read, so it points past the sector.
                CMP     DI, BX
                JB      CheckEntry              ; Jump if below
                ; Are there any more sectors in this cluster???
                DEC     SI
                JNZ     GetRootSector           ; Yeap, read more
                POP     AX                      ; Restore cluster number
                POP     DX
                ; Get FAT value ... "GetFAT32Value" will compare the value with
                ; -8, and the JB below continues if below ... that is, non-EOF/BAD.
                ; The "previous cluster" value is taken from DX:AX (as restored
                ; above with POP).
                CALL    GetFAT32Value
                JB      GetRootCluster          ; If not end of root ...
                                                ; go to GetRootCluster ..
EndOfRoot:
                ; EOF/BAD cluster ...
                ADD     SP, 4                   ; Clean up stack ...
                JMP     ShowErrMsg1             ; and print error message
FoundOS:
                ADD     SP, 4                   ; Clean up ...
                ; Now ... DI should point just past the IO.SYS name ...
                ; SI would be set to DirEntry[14h] - starting cluster (hi)
                ; DI would be set to DirEntry[1Ah] - starting cluster (lo)
                MOV     SI, [DI+09H]
                MOV     DI, [DI+0FH]
                ; Copy FAT32 starting cluster (hi) into AX
                MOV     AX, SI
                CLI                             ; Disable interrupts
                ; Shift cluster high into upper half of EAX and store lower half
                ; from DI into AX
                SHL     EAX, 10H
                MOV     AX, DI
                ; Cluster out of range??
                CMP     EAX, 2                  ; Clusters start with 2
                JB      InvalidCluster
                CMP     EAX, 0FFFFFF8H          ; Cluster 0FFFFFF8 is EOF
                JAE     InvalidCluster
                DEC     EAX                     ; Make it 0-based ...
                DEC     EAX
                ; Multiply cluster number with "sectors per cluster"
                MOVZX   ECX, BYTE PTR SS:[BP+0DH]
                MUL     ECX
                ; Add the "start of data area" value that was saved back there ...
                ADD     EAX, SS:[BP-4]
                ; And for the N'th time, make DX:AX same as EAX - sector number.
                SHLD    EDX, EAX, 10H
                STI
                ; Aha ...
                MOV     BX, 0700H               ; IO.SYS loads here!
                PUSH    BX
                MOV     CX, 4                   ; Load 4 IO.SYS sectors
                CALL    ReadSectorX             ; 2K is minimum FAT32 cluster
                POP     BX                      ; size anyway ...
                JC      ShowErrMsg2             ; Error ...
                ; ???
                ; Comment: ... there is enough code here to read the entire
                ; IO.SYS file into memory. This code has code to go through
                ; the FAT, there is code to read clusters ... blabla. And still
                ; only 2K of IO.SYS is read. If the entire file was read ...
                ; IO.SYS would not have to do this ... Well well.
                ;
                ; Is it there?
                CMP     WORD PTR [BX], 'ZM'     ; EXE signature ...
                JNE     InvalidCluster
                ; Is it there?
                CMP     WORD PTR DS:[0200H][BX], 'JB' ; IO.SYS signature?
                JE      ExecuteIOSYS
                ; The above shit appears in the IO.SYS file at offsets 0 and 200h.
                ; The MZ is the usual EXE signature while the "BJ" is unknown to
                ; me. Maybe they chose it because it translates to harmless code:
                ;
                ;   INC DX
                ;   DEC DX      - pretty dull if you ask me
                ;
InvalidCluster:
                MOV     SI, OFFSET ErrMsg3+7C00H
                JMP     PrintMessage
ExecuteIOSYS:
                DB      0EAH                    ; Jump to IO.SYS at 0070:0200
                DW      0200H, 0070H

;============================================================================
; Get FAT32 value
;============================================================================

GetFAT32Value   PROC    NEAR
                ADD     AX, AX                  ; Multiply DX:AX by 4,
                ADC     DX, DX
                ADD     AX, AX                  ; convert DX:AX from FAT32
                ADC     DX, DX                  ; index value to offset
                ; DX:AX is passed on as the FAT offset
                CALL    GetFAT32Sector          ; Read FAT sector
                ; The correct sector is returned ... with DI as index ...??
                ; At least that's what the MOV below assumes ...
                CLI
                MOV     EAX, ES:[BX+DI]         ; EAX = cluster value
                ; Mask off top 4 bits because Microsoft say they're reserved.
                AND     EAX, 0FFFFFFFH
                ; Make DX:AX the cluster number too ...
                SHLD    EDX, EAX, 16            ; EAX[hi] into EDX[lo]
                ; Check for EOF/BAD
                CMP     EAX, 0FFFFFF8H          ; Is it the EOF marker?
                STI
                ; Return with ZF=1 if the
                ; last cluster was read??
                RET
GetFAT32Value   ENDP

;============================================================================
; Get FAT32 sector
;============================================================================
; On entry DX:AX is the FAT offset in bytes ...

GetFAT32Sector  PROC    NEAR
                ; When this is called 0070:0200 seems to be the buffer in ES:BX
                ; but, the code below ...
                MOV     DI, 7E00H
                CLI                             ; Disable interrupts
                ; Make EAX the sector number again ... move DX into top of EAX ...
                SHL     EAX, 16
                SHRD    EAX, EDX, 16
                ; Move bytes per sector into ECX
                MOVZX   ECX, WORD PTR SS:[BP+0BH]
                ; Divide EDX:EAX by BPS ... EAX = sector, EDX =
                ; offset in sector ...
                XOR     EDX, EDX
                DIV     ECX
                ; Check FAT sector number against ... saved value on stack ...
                ; this one is initially -1 (also known as 0FFFFFFFFh)
                CMP     EAX, SS:[BP-8]
                JE      loc_30
                ; If sector is <> from -1, save this sector at 0000:7BF8
                MOV     SS:[BP-8], EAX
                ; Add hidden sectors ...
                ADD     EAX, SS:[BP+1CH]
                ; Add reserved sectors too ...
                MOVZX   ECX, WORD PTR SS:[BP+0EH]
                ADD     EAX, ECX
                ; Get FAT32 flags into EBX
                MOVZX   EBX, WORD PTR SS:[BP+28H]
                ; Keep "active FAT" bits 0-3
                AND     BX, 0FH
                ; If zero, we're at the correct FAT
                JZ      CorrectFAT
                ; Compare active FAT with number of FATs ...
                CMP     BL, SS:[BP+10H]
                JAE     ShowErrMsg1             ; Oops ... invalid active FAT
                PUSH    DX                      ; Save DX for a while ...
                ; Save FAT sector in ECX
                MOV     ECX, EAX
                ; Put sectors per FAT in EAX
                MOV     EAX, SS:[BP+24H]
                ; Multiply active FAT number with sectors per FAT
                MUL     EBX
                ; Add to first FAT sector number we already had ...
                ADD     EAX, ECX
                ; Now, EAX contains the correct FAT sector number.
                POP     DX
CorrectFAT:
                PUSH    DX
                ; And for the N'th time, make DX:AX same as EAX - sector number.
                SHLD    EDX, EAX, 16
                STI                             ; Enable interrupts
                MOV     BX, DI                  ; Read FAT sector into
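Added example, not code from the disassembly: a Python model of what Part III computes from the BPB fields laid out at the top of the listing. It parses a 512-byte boot sector, applies the rejections the boot code makes (some of them only on its backup-boot retry path), and derives the "start of data area" that GoFAT32 stores at SS:[BP-4], the first sector of a cluster (the GetRootCluster and FoundOS arithmetic), and the FAT sector plus in-sector offset that GetFAT32Sector reads, including the active-FAT selection from brFlags that the routine above performs. The sample sector is constructed from the DB/DW/DD values in the listing; field and function names are my own.

```python
"""FAT32 boot-sector arithmetic as done by Part III of the listing (added
example, not the disassembly's code). Names are my own; values from the listing."""
from __future__ import annotations

import struct

EOF_MARK = 0x0FFFFFF8       # CMP EAX,0FFFFFF8h: this and above ends a chain
FAT32_MASK = 0x0FFFFFFF     # AND EAX,0FFFFFFFh: top 4 bits are reserved
BPB_FMT = "<8sHBHBHHBHHHIIIHHIHH"   # offsets 0003h..0033h of the sector
BPB_FIELDS = ("oem", "bps", "spc", "reserved", "fats", "root_entries",
              "sectors16", "media", "spf16", "spt", "heads", "hidden",
              "sectors32", "spf32", "flags", "version", "root_cluster",
              "fsinfo", "backup_boot")


def build_sample_boot_sector() -> bytes:
    """Constructed sector: the listing's data area, JMP SkipData and 55AA."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x58\x90"                   # JMP SkipData ; NOP
    struct.pack_into(BPB_FMT, sec, 3, b"MSWIN4.1", 512, 8, 32, 2, 0, 0, 0xF8,
                     0, 63, 128, 63, 6305985, 6153, 0, 0, 2, 1, 6)
    struct.pack_into("<BBBI11s8s", sec, 0x40, 0x80, 0, 0x29, 0x404418EA,
                     b"HardDisk   ", b"FAT32   ")
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def parse_bpb(sec: bytes) -> dict:
    """Unpack the brXXXX fields by offset, as the boot code reads them via BP."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sec, 3)))
    (bpb["drive"], bpb["ext_sig"], bpb["serial"],
     bpb["label"], bpb["fsid"]) = struct.unpack_from("<BxBI11s8s", sec, 0x40)
    return bpb


def check_like_boot_code(bpb: dict) -> None:
    """Raise where the boot code jumps to ShowErrMsg1."""
    if bpb["spf16"] != 0:          # CMP WORD PTR SS:[BP+16h],0 / JNE
        raise ValueError("16-bit sectors-per-FAT must be 0 on FAT32")
    if bpb["backup_boot"] < 3:     # MOV CX,3 / CMP CX,AX / JA   (retry path)
        raise ValueError("backup boot sector overlaps the 3 boot sectors")
    if bpb["reserved"] <= 3:       # CMP CX,SI / JAE             (retry path)
        raise ValueError("reserved area must exceed the 3 boot sectors")
    if bpb["version"] != 0:        # CMP WORD PTR SS:[BP+2Ah],0 / JA
        raise ValueError("only FAT32 version 0.0 is handled")
    if not 2 <= bpb["root_cluster"] < EOF_MARK:   # GoFAT32 range check
        raise ValueError("root cluster out of range")


def data_area_start(bpb: dict) -> int:
    """GoFAT32: FATs * SPF32 + hidden + reserved, the value kept at SS:[BP-4].
    It is an absolute LBA (hidden sectors included) where cluster 2 begins."""
    return bpb["fats"] * bpb["spf32"] + bpb["hidden"] + bpb["reserved"]


def cluster_to_lba(bpb: dict, cluster: int) -> int:
    """GetRootCluster / FoundOS: (cluster - 2) * SPC + start of data area."""
    if not 2 <= cluster < EOF_MARK:
        raise ValueError(f"cluster {cluster:#x} out of range")
    return (cluster - 2) * bpb["spc"] + data_area_start(bpb)


def fat_entry_location(bpb: dict, cluster: int) -> tuple[int, int]:
    """GetFAT32Value + GetFAT32Sector: byte offset cluster*4 split by BPS into
    (absolute FAT sector, offset in sector); brFlags bits 0-3 pick the FAT copy."""
    fat_sector, offset = divmod(cluster * 4, bpb["bps"])
    active = bpb["flags"] & 0x0F
    if active and active >= bpb["fats"]:          # CMP BL,SS:[BP+10h] / JAE
        raise ValueError("active FAT number exceeds FAT count")
    lba = fat_sector + bpb["hidden"] + bpb["reserved"] + active * bpb["spf32"]
    return lba, offset


def next_cluster(fat_sector: bytes, offset: int) -> int | None:
    """MOV EAX,ES:[BX+DI] / AND EAX,0FFFFFFFh / CMP EAX,0FFFFFF8h."""
    value = struct.unpack_from("<I", fat_sector, offset)[0] & FAT32_MASK
    return None if value >= EOF_MARK else value


if __name__ == "__main__":
    bpb = parse_bpb(build_sample_boot_sector())
    check_like_boot_code(bpb)
    print("data area starts at LBA", data_area_start(bpb))
    print("root cluster ->", cluster_to_lba(bpb, bpb["root_cluster"]))
    print("FAT entry for brNextFree:", fat_entry_location(bpb, 466175))
```

Two points worth noticing when running it against the listing's values: every sector number the boot code derives already includes brHidden, because GoFAT32 folds the hidden sectors into the value at SS:[BP-4] and GetFAT32Sector adds them again for FAT reads; and the active-FAT selection honours only bits 0-3 of brFlags, so a volume with mirroring disabled and an active FAT number at or above brFATs is rejected rather than read.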

Please credit the original source when reposting: https://www.9cbs.com/read-42200.html
