;
; And that ends the code that makes up the traditional boot sector
; From here on out is a disassembly of the extra sector of boot
; code required for a FAT32 volume. Win2k stores this code at
; sector 13 on the file system.
;
;
; Compute the first sector of the data area and validate the root
; directory start cluster. Frame slots used from here on:
;   [bp-0x4] = first sector of the data area (absolute, HiddenSectors included)
;   [bp-0xc] = index of the FAT sector currently held in the 0x7e00 buffer
;              (maintained by load_fat_sector); 0xffffffff = nothing cached yet
;
00008000 660FB64610 movzx eax,byte [bp+NumberOfFats] ; eax = NumberOfFats
00008005 668B4E24 mov ecx,[bp+SectorsPerFatBig] ; ecx = SectorsPerFatBig (FAT32 sectors per FAT copy)
00008009 66F7E1 mul ecx ; edx:eax = NumberOfFats * SectorsPerFatBig; the high half in edx is ignored
0000800C 6603461C add eax,[bp+HiddenSectors] ; eax += HiddenSectors (sectors before the volume)
00008010 660FB7560E movzx edx,word [bp+ReservedSectors] ; edx = ReservedSectors (word at bp+0x0e)
00008015 6603C2 add eax,edx ; eax += ReservedSectors
00008018 668946FC mov [bp-0x4],eax ; [bp-0x4] = first data-area sector = Hidden + Reserved + NumFats*SectorsPerFat
0000801C 66C746F4FFFFFFFF mov dword [bp-0xc],0xffffffff ; [bp-0xc] = "no FAT sector cached" sentinel; load_fat_sector compares its wanted sector index against this and only reads when it differs
00008024 668B462C mov eax,[bp+RootDirStartCluster] ; eax = RootDirStartCluster (FAT32 keeps the root directory in a cluster chain)
00008028 6683F802 cmp eax,byte +0x2 ; clusters 0 and 1 are reserved, so anything below 2 is invalid
0000802C 0F82A6FC jc near print_ntldr_error_message ; (jc == jb, unsigned) root cluster < 2 -> error
00008030 663DF8FFFF0F cmp eax,0xffffff8 ; 0x0ffffff8 and above are end-of-chain markers
00008036 0F839CFC jnc near print_ntldr_error_message ; (jnc == jae) root cluster is an EOC marker -> error. Note: the bad-cluster marker 0x0ffffff7 passes both checks
;
; Walk the root directory cluster chain one sector at a time, looking for
; a directory entry whose 11-byte short name equals the string at NTLDR.
; Loop state: the current cluster number stays pushed (4 bytes) for the
; whole cluster; si = sectors left to scan in this cluster; bx = end of the
; sector buffer at 0x8200; di = current 32-byte entry inside that buffer.
; Only the name is compared -- the attribute byte is never examined.
;
search_root_directory_cluster:
0000803A 6650 push eax ; keep the current cluster number (popped at 0x8074, or discarded with add sp,4 at the two exits)
0000803C 6683E802 sub eax,byte +0x2 ; cluster - 2: data area numbering starts at cluster 2
00008040 660FB65E0D movzx ebx,byte [bp+SectsPerCluster] ; ebx = SectsPerCluster (byte at bp+0x0d)
00008045 8BF3 mov si,bx ; si = SectsPerCluster = sectors still to scan in this cluster
00008047 66F7E3 mul ebx ; edx:eax = (cluster-2) * SectsPerCluster; edx ignored
0000804A 660346FC add eax,[bp-0x4] ; eax = first absolute sector of this cluster
read_directory_sector:
0000804E BB0082 mov bx,0x8200 ; bx = destination buffer for one directory sector
00008051 8BFB mov di,bx ; di = scan pointer, starting at the first entry of the buffer
00008053 B90100 mov cx,0x1 ; cx = 1 sector per read; this also makes ch = 0, which the cmp at 0x8059 relies on
00008056 E887FC call read_sectors ; read sector eax to es:bx (read_sectors lives in the first sector and is not shown; from its later uses it is assumed to advance eax by the sectors read and bx by the bytes read)
check_entry_for_ntldr:
00008059 382D cmp [di],ch ; first byte 0 = no further entries in this directory (ch is 0 from mov cx,1 above, assuming read_sectors leaves ch alone)
0000805B 741E jz ntldr_not_found ; end of directory without a match -> NTLDR is missing
0000805D B10B mov cl,0xb ; cl = 11: short name is 8+3 bytes, no dot
0000805F 56 push si ; si is needed as the string pointer; preserve the sector count
00008060 BE707D mov si,NTLDR ;0x7d70 ; ds:si = the 11-byte "NTLDR" short name to match
00008063 F3A6 repe cmpsb ; compare up to 11 bytes, stopping at the first mismatch; afterwards cx = bytes not compared and di points just past the last byte examined
00008065 5E pop si ; si = sectors left in this cluster again
00008066 741B jz ntldr_found ; ZF set only if all 11 bytes matched (di is then entry+11; the pushed cluster is still on the stack and is removed at 0x8083)
00008068 03F9 add di,cx ; di += bytes not compared: whatever the mismatch position, di becomes entry+11 (this is not "add 0" -- cx is only 0 after a full match, and that path already left)
0000806A 83C715 add di,byte +0x15 ; +21: 11 + 21 = 32 = size of one directory entry, so di = next entry
0000806D 3BFB cmp di,bx ; bx = end of the loaded sector (advanced by read_sectors, see 0x8056)
0000806F 72E8 jc check_entry_for_ntldr ; (jb) more entries in this sector
00008071 4E dec si ; one more sector of this cluster scanned
00008072 75DA jnz read_directory_sector ; sectors remain in this cluster: read the next one (relies on read_sectors having advanced eax)
00008074 6658 pop eax ; cluster exhausted: recover its number for the FAT lookup
00008076 E86500 call get_fat_entry ; eax = next cluster; CF=1 if it is not an end-of-chain marker
00008079 72BF jc search_root_directory_cluster ; CF=1: not EOC, scan the next cluster (it is pushed again at 0x803A); CF=0: fall through to ntldr_not_found. Note: get_fat_entry does not reject values below 2 or the bad-cluster marker, and there is no cycle guard on the chain
;
; Directory exhausted without a match. Reached with the 4-byte cluster
; value still on the stack.
;
ntldr_not_found:
0000807B 83C404 add sp,byte +0x4 ; discard the pushed root-directory cluster
0000807E E955FC jmp print_ntldr_error_message ; error path in the first sector; never returns here
ntldr_load_segment_address dw 0x2000 ; data word embedded in the code stream (the jmp above skips it): the segment NTLDR is loaded to, 0x2000 initially. It is advanced in place by load_next_ntldr_cluster (add [...],bx at 0x80C9), so this is self-modifying state, not a constant
;
; Matching entry found. di points 11 bytes into the entry (just past the
; name, where repe cmpsb left it), so the first-cluster fields are reached
; as [di+9] (entry offset 20, high word) and [di+0xf] (entry offset 26,
; low word).
;
ntldr_found:
00008083 83C404 add sp,byte +0x4 ; discard the pushed root-directory cluster
00008086 8B7509 mov si,[di+0x9] ; si = entry offset 20 = high word of the first cluster (DIR_FstClusHI)
00008089 8B7D0F mov di,[di+0xf] ; di = entry offset 26 = low word of the first cluster (DIR_FstClusLO); di no longer points at the entry after this
0000808C 8BC6 mov ax,si ; ax = high word
0000808E 66C1E010 shl eax,0x10 ; move it to the upper half of eax
00008092 8BC7 mov ax,di ; ax = low word; eax = first cluster of NTLDR
00008094 6683F802 cmp eax,byte +0x2 ; same validation as for the root directory: clusters below 2 are invalid
00008098 0F823AFC jc near print_ntldr_error_message ; (jb) cluster < 2 -> error
0000809C 663DF8FFFF0F cmp eax,0xffffff8 ; 0x0ffffff8 and above are end-of-chain markers
000080A2 0F8330FC jnc near print_ntldr_error_message ; (jae) EOC marker as first cluster -> error; 0x0ffffff7 (bad cluster) is not caught
;
; Load NTLDR cluster by cluster to ntldr_load_segment_address:0000,
; following its FAT chain. Each cluster is read with a single call
; (cx = SectsPerCluster) and the load segment is then advanced by
; bytes_read/16. Robustness note: nothing bounds the number of clusters
; followed or the final segment value, and get_fat_entry only classifies
; the EOC range, so a corrupt or looping chain is not detected here.
;
load_next_ntldr_cluster:
000080A6 6650 push eax ; keep the cluster number across the read (popped at 0x80C4)
000080A8 6683E802 sub eax,byte +0x2 ; cluster - 2: data area numbering starts at cluster 2
000080AC 660FB64E0D movzx ecx,byte [bp+SectsPerCluster] ; ecx = SectsPerCluster (byte at bp+0x0d); cx doubles as the sector count passed to read_sectors, since mul leaves ecx untouched
000080B1 66F7E1 mul ecx ; edx:eax = (cluster-2) * SectsPerCluster; edx ignored
000080B4 660346FC add eax,[bp-0x4] ; eax = first absolute sector of this cluster
000080B8 BB0000 mov bx,0x0 ; destination offset 0 within the load segment; bx is also the byte counter read_sectors advances
000080BB 06 push es ; read_sectors is given es = load segment, so preserve the boot-code es
000080BC 8E068180 mov es,[ntldr_load_segment_address] ; es = current load segment (0x2000 at first, advanced below after each cluster)
000080C0 E81DFC call read_sectors ; read the whole cluster (cx sectors) to es:0000
000080C3 07 pop es ; restore the boot-code es
000080C4 6658 pop eax ; eax = cluster number for the FAT lookup
000080C6 C1EB04 shr bx,0x4 ; bx = bytes transferred (advanced from 0 by read_sectors) -> paragraphs
000080C9 011E8180 add [ntldr_load_segment_address],bx ; advance the load segment in place (the data word at 0x8081); no upper bound is checked
000080CD E80E00 call get_fat_entry ; eax = next cluster; CF=1 if it is not an end-of-chain marker
000080D0 0F830200 jnc near jump_to_ntldr ; CF=0: end of chain, NTLDR fully loaded
000080D4 72D0 jc load_next_ntldr_cluster ; CF=1: load the next cluster (always taken here, since jnc just fell through)
;
; Hand control to NTLDR. The far jump targets the fixed start segment
; 0x2000, not the advanced ntldr_load_segment_address.
;
jump_to_ntldr:
000080D6 8A5640 mov dl,[bp+BootDrive] ; dl = BootDrive (BIOS drive number); presumably so NTLDR can keep reading the same disk -- not shown here
000080D9 EA00000020 jmp 0x2000:0x0 ; far jump to the first byte loaded; never returns
;
; get_fat_entry
; In:  eax = cluster number
; Out: eax = FAT32 entry for that cluster, masked to 28 bits
;            (next cluster, or an end-of-chain / reserved marker)
;      CF  = 1 if eax < 0x0ffffff8 (not end-of-chain), 0 if end-of-chain
; Clobbers at least bx, di, ecx, edx, ebx via load_fat_sector, plus
; whatever read_sectors touches.
; Only the EOC range is classified: values 0..1 and the bad-cluster
; marker 0x0ffffff7 are returned with CF=1 as if they were valid clusters.
;
get_fat_entry:
000080DE 66C1E002 shl eax,0x2 ; eax = cluster*4 = byte offset of the entry within the FAT (4-byte entries)
000080E2 E81100 call load_fat_sector ; on return es:di = 0x7e00 buffer holding the FAT sector for that offset, bx = byte offset of the entry within the sector
000080E5 26668B01 mov eax,[es:bx+di] ; eax = raw 32-bit FAT entry
000080E9 6625FFFFFF0F and eax,0xfffffff ; FAT32 entries are 28 bits wide; the top 4 bits are reserved
000080EF 663DF8FFFF0F cmp eax,0xffffff8 ; CF = (eax < 0x0ffffff8); callers branch on this flag
000080F5 C3 ret ; ret preserves the flags
;
; load_fat_sector
; In:  eax = byte offset into the FAT (cluster*4)
; Out: es:di  = 0x7e00, the one-sector buffer holding the FAT sector that
;               contains that offset
;      bx     = byte offset of the entry within that sector
;      [bp-0xc] = index of the FAT sector now in the buffer (cache key)
; The disk read is skipped when the wanted FAT sector is the one already
; cached. Honours the active-FAT index in ExtendedFlags bits 0-3; the
; bit-7 mirroring flag is masked away and never tested.
; Clobbers eax, ecx, edx, ebx, and whatever read_sectors touches.
;
load_fat_sector:
000080F6 BF007E mov di,0x7e00 ; di = FAT sector buffer
000080F9 660FB74E0B movzx ecx,word [bp+SectsPerCluster] ; ecx = word at bp+0x0b. NOTE: the symbol shown is misleading -- the encoded displacement here is 0x0b (word form 0FB7), whereas the real SectsPerCluster loads at 0x8040 and 0x80AC use byte displacement 0x0d. Offset 0x0b of the BPB is BytesPerSector, which is the divisor a byte-offset -> sector split needs
000080FE 6633D2 xor edx,edx ; edx = 0: 64-bit dividend edx:eax
00008101 66F7F1 div ecx ; eax = FAT sector index (offset / bytes per sector), edx = byte offset within that sector
00008104 663B46F4 cmp eax,[bp-0xc] ; same FAT sector as the one in the buffer? ([bp-0xc] starts at 0xffffffff, so the first call always reads)
00008108 743A jz load_fat_sector_end ; cache hit: skip the read; dx still holds the in-sector offset
0000810A 668946F4 mov [bp-0xc],eax ; remember which FAT sector the buffer will hold
0000810E 6603461C add eax,[bp+HiddenSectors] ; eax += HiddenSectors
00008112 660FB74E0E movzx ecx,word [bp+ReservedSectors] ; ecx = ReservedSectors (word at bp+0x0e)
00008117 6603C1 add eax,ecx ; eax = absolute sector of this FAT sector within FAT #0
0000811A 660FB75E28 movzx ebx,word [bp+ExtendedFlags] ; ebx = ExtendedFlags (word at bp+0x28)
0000811F 83E30F and bx,byte +0xf ; keep bits 0-3 = active FAT number (this clears the upper 12 bits, not 8; bit 7, the mirroring flag, is dropped and therefore ignored)
00008122 7416 jz load_fat_sector_into_memory ; active FAT is #0: no offset to add
00008124 3A5E10 cmp bl,[bp+NumberOfFats] ; the active FAT index must be below NumberOfFats
00008127 0F83ABFB jnc near print_ntldr_error_message ; (jae) out-of-range index -> error instead of reading beyond the FAT area
0000812B 52 push dx ; mul below overwrites edx; preserve the in-sector offset
0000812C 668BC8 mov ecx,eax ; ecx = sector within FAT #0
0000812F 668B4624 mov eax,[bp+SectorsPerFatBig] ; eax = SectorsPerFatBig
00008133 66F7E3 mul ebx ; eax = active index * SectorsPerFatBig (edx clobbered)
00008136 6603C1 add eax,ecx ; eax = same sector within the active FAT copy
00008139 5A pop dx ; dx = in-sector offset again
load_fat_sector_into_memory:
0000813A 52 push dx ; read_sectors is presumed to clobber dx (not visible here); the push/pop keeps the in-sector offset across it
0000813B 8BDF mov bx,di ; es:bx = 0x7e00 destination
0000813D B90100 mov cx,0x1 ; one sector
00008140 E89DFB call read_sectors ; read FAT sector eax into the buffer
00008143 5A pop dx ; dx = in-sector offset
load_fat_sector_end:
00008144 8BDA mov bx,dx ; return value: bx = byte offset of the wanted entry inside the buffered sector; get_fat_entry reads [es:bx+di]
00008146 C3 ret ; done
;
; Zero fill from 0x8147 up to the boot signature. These bytes are padding,
; not code: the disassembler decodes each 00 00 pair as add [bx+si],al.
;
00008147 0000 add [bx+si],al
00008149 0000 add [bx+si],al
0000814B 0000 add [bx+si],al
0000814D 0000 add [bx+si],al
0000814F 0000 add [bx+si],al
00008151 0000 add [bx+si],al
00008153 0000 add [bx+si],al
00008155 0000 add [bx+si],al
00008157 0000 add [bx+si],al
00008159 0000 add [bx+si],al
0000815B 0000 add [bx+si],al
0000815D 0000 add [bx+si],al
0000815F 0000 add [bx+si],al
00008161 0000 add [bx+si],al
00008163 0000 add [bx+si],al
00008165 0000 add [bx+si],al
00008167 0000 add [bx+si],al
00008169 0000 add [bx+si],al
0000816B 0000 add [bx+si],al
0000816D 0000 add [bx+si],al
0000816F 0000 add [bx+si],al
00008171 0000 add [bx+si],al
00008173 0000 add [bx+si],al
00008175 0000 add [bx+si],al
00008177 0000 add [bx+si],al
00008179 0000 add [bx+si],al
0000817B 0000 add [bx+si],al
0000817D 0000 add [bx+si],al
0000817F 0000 add [bx+si],al
00008181 0000 add [bx+si],al
00008183 0000 add [bx+si],al
00008185 0000 add [bx+si],al
00008187 0000 add [bx+si],al
00008189 0000 add [bx+si],al
0000818B 0000 add [bx+si],al
0000818D 0000 add [bx+si],al
0000818F 0000 add [bx+si],al
00008191 0000 add [bx+si],al
00008193 0000 add [bx+si],al
00008195 0000 add [bx+si],al
00008197 0000 add [bx+si],al
00008199 0000 add [bx+si],al
0000819B 0000 add [bx+si],al
0000819D 0000 add [bx+si],al
0000819F 0000 add [bx+si],al
000081A1 0000 add [bx+si],al
000081A3 0000 add [bx+si],al
000081A5 0000 add [bx+si],al
000081A7 0000 add [bx+si],al
000081A9 0000 add [bx+si],al
000081AB 0000 add [bx+si],al
000081AD 0000 add [bx+si],al
000081AF 0000 add [bx+si],al
000081B1 0000 add [bx+si],al
000081B3 0000 add [bx+si],al
000081B5 0000 add [bx+si],al
000081B7 0000 add [bx+si],al
000081B9 0000 add [bx+si],al
000081BB 0000 add [bx+si],al
000081BD 0000 add [bx+si],al
000081BF 0000 add [bx+si],al
000081C1 0000 add [bx+si],al
000081C3 0000 add [bx+si],al
000081C5 0000 add [bx+si],al
000081C7 0000 add [bx+si],al
000081C9 0000 add [bx+si],al
000081CB 0000 add [bx+si],al
000081CD 0000 add [bx+si],al
000081CF 0000 add [bx+si],al
000081D1 0000 add [bx+si],al
000081D3 0000 add [bx+si],al
000081D5 0000 add [bx+si],al
000081D7 0000 add [bx+si],al
000081D9 0000 add [bx+si],al
000081DB 0000 add [bx+si],al
000081DD 0000 add [bx+si],al
000081DF 0000 add [bx+si],al
000081E1 0000 add [bx+si],al
000081E3 0000 add [bx+si],al
000081E5 0000 add [bx+si],al
000081E7 0000 add [bx+si],al
000081E9 0000 add [bx+si],al
000081EB 0000 add [bx+si],al
000081ED 0000 add [bx+si],al
000081EF 0000 add [bx+si],al
000081F1 0000 add [bx+si],al
000081F3 0000 add [bx+si],al
000081F5 0000 add [bx+si],al
000081F7 0000 add [bx+si],al
000081F9 0000 add [bx+si],al
000081FB 0000 add [bx+si],al
000081FD 0055AA add [di-0x56],dl ; last pad byte (00 at 0x81FD) followed by the 0x55AA boot signature at sector offsets 0x1FE-0x1FF; again data, not an instruction