Disassemble the MBR


UPDATE:  This is why we *LOVE* our readers!  After posting a 32-bit disassembly of 16-bit MBR code, I was gently informed of my misstep by three sharp-eyed readers.  I’ve corrected the original post below.  Thanks go out to Ramon Sola, Jeroen Frijters and 'pedantic gnome' for keeping us honest.  Thanks guys!

Hi Everyone,

One of our readers, Pete, asked a very interesting question about disassembling the MBR and I'd like to take a moment to show you the quick & dirty way to do this.

First, dump the MBR to a file using a low-level sector editor such as the Microsoft Resource Kit utility DiskProbe.  Once you've saved the file, launch a program (like Notepad) and attach to it using WinDbg (the Windows Debugger).

Next, find a valid but unoccupied range of memory (the default heap is a good candidate).  The memory range needs to be at least 512 (0x200) bytes.  For example, here's where I found mine:

000120a0  00000000 00000000 00000000 00000000
000120b0  00000000 00000000 00000000 00000000
000120c0  00000000 00000000 00000000 00000000
000120d0  00000000 00000000 00000000 00000000
000120e0  00000000 00000000 00000000 00000000
000120f0  00000000 00000000 00000000 00000000
00012100  00000000 00000000 00000000 00000000
00012110  00000000 00000000 00000000 00000000
00012120  00000000 00000000 00000000 00000000
<snip>...

Once you've found a good memory range in your process, read the file contents into that memory location using the following command:

0:001> .readmem c:\<<path>>\sector00.bin 120a0 120a0+0x1ff

Tada!  You now have the MBR in memory and it is fully examinable just like any other assembly code.

0:001> db 000120a0
000120a0  33 c0 8e d0 bc 00 7c 8e-c0 8e d8 be 00 7c bf 00  3.....|......|..
000120b0  06 b9 00 02 fc f3 a4 50-68 1c 06 cb fb b9 04 00  .......Ph.......
000120c0  bd be 07 80 7e 00 00 7c-0b 0f 85 10 01 83 c5 10  ....~..|........
000120d0  e2 f1 cd 18 88 56 00 55-c6 46 11 05 c6 46 10 00  .....V.U.F...F..
000120e0  b4 41 bb aa 55 cd 13 5d-72 0f 81 fb 55 aa 75 09  .A..U..]r...U.u.
000120f0  f7 c1 01 00 74 03 fe 46-10 66 60 80 7e 10 00 74  ....t..F.f`.~..t
00012100  26 66 68 00 00 00 00 66-ff 76 08 68 00 00 68 00  &fh....f.v.h..h.
00012110  7c 68 01 00 68 10 00 b4-42 8a 56 00 8b f4 cd 13  |h..h...B.V.....

Since this is 16-bit assembly, you can unassemble it using 'ur' (the real-mode, 16-bit variant of the 'u' command) rather than the 32-bit 'u':

0:001> ur 120a0
000120a0 33c0            xor     ax,ax
000120a2 8ed0            mov     ss,ax
000120a4 bc007c          mov     sp,7C00h
000120a7 8ec0            mov     es,ax
000120a9 8ed8            mov     ds,ax
000120ab be007c          mov     si,7C00h
000120ae bf0006          mov     di,600h
000120b1 b90002          mov     cx,200h
<snip>...
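Before you start reading the disassembly, it is worth sanity-checking the dumped sector's layout.  The following Python script is an added example, not part of the original post: it parses a 512-byte MBR image, checks the 55 AA boot signature, decodes the four partition-table entries, hashes the bootstrap code area so it can be compared against a known-good baseline, and looks for the 7C00h-to-600h self-relocation loop that is visible in the bytes above.  The names parse_mbr and audit_mbr are my own, and the sample sector is constructed: its first 32 bytes are the ones from the 'db' output, the rest is zero padding plus an invented partition entry.

```python
import hashlib
import struct

SECTOR_SIZE = 0x200  # the 512-byte range the post says you must reserve

# mov si,7C00h / mov di,600h / mov cx,200h / cld / rep movsb: the bytes at
# 000120ab..000120b6 above, i.e. the MBR copying itself from 0x7C00 to 0x0600
RELOCATION_STUB = bytes.fromhex("be007cbf0006b90002fcf3a4")

# Constructed sample sector: the first 32 bytes are those shown in the post's
# 'db' output; the rest of the code area is zero padding, followed by one
# invented partition entry (bootable, type 0x07, LBA 2048, 0x100000 sectors),
# three empty entries and the 55 AA boot signature.
SAMPLE_MBR = (
    bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400").ljust(446, b"\x00")
    + bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 0x100000)
    + b"\x00" * 48
    + b"\x55\xaa"
)


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into its code area, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i : 462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == 0xAA55,
        "relocation_stub": sector.find(RELOCATION_STUB),  # offset, or -1 if absent
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),  # compare to a baseline
        "partitions": partitions,
    }


def audit_mbr(sector: bytes, baseline_sha256: str = "") -> list:
    """Return the findings an analyst would want before trusting the sector."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55 AA")
    if info["relocation_stub"] < 0:
        findings.append("standard 7C00h->600h relocation loop not found")
    if baseline_sha256 and info["code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one bootable partition")
    return findings
```

To run it on your own dump, replace SAMPLE_MBR with `open(r"c:\<<path>>\sector00.bin", "rb").read()` and pass the SHA-256 of a sector you captured when the machine was known to be clean as the baseline.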

Have fun Pete!

DiskProbe: http://technet.microsoft.com/en-us/library/bb457122.aspx
WinDbg: http://www.microsoft.com/whdc/devtools/debugging/default.mspx

  - David

Comments

  • Why not use debug.exe? It's included even in Vista and disassembles 16-bit code just fine.