00F0 50 52 B8 00 42 8A 56 24-CD 13 5A 58 8D 64 10 72 PR..B.V$..ZX.d.r
0100 0A 40 75 01 42 80 C7 02-E2 F7 F8 5E C3 EB 74 B7 .@u.B......^..t.
0110 D6 C7 F8 B1 ED CE DE D0-A7 A1 A3 B0 B2 D7 B0 B3 ................
0120 CC D0 F2 CE DE B7 A8 BC-CC D0 F8 A1 A3 00 BC D3 ................
0130 D4 D8 B2 D9 D7 F7 CF B5-CD B3 CA B1 B3 F6 CF D6 ................
0140 B4 ED CE F3 A1 A3 B0 B2-D7 B0 B3 CC D0 F2 CE DE ................
0150 B7 A8 BC CC D0 F8 A1 A3-00 C8 B1 C9 D9 B2 D9 D7 ................
0160 F7 CF B5 CD B3 00 00 00-00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0180 00 00 00 8B FC 1E 57 8B-F5 CB 00 00 00 00 00 00 ......W.........
0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 2C 44 63-B5 D7 B5 D7 00 00 80 01 .....,Dc........
01C0 01 00 0B FE 7F FD 3F 00-00 00 3F 04 7D 00 00 00 ......?...?.}...
01D0 41 FE 0C FE FF FF 7E 04-7D 00 7D 9B E5 01 00 00 A.....~.}.}.....
01E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA ..............U.
Because the program code starts at 0000:7C00, the disassembly (edited) is shown below:
7C00 33C0      XOR  AX,AX       ; AX=0
7C02 8ED0      MOV  SS,AX       ; SS=0
7C04 BC007C    MOV  SP,7C00     ; SP=7C00
7C07 FB        STI              ; enable interrupts
7C08 50        PUSH AX
7C09 07        POP  ES          ; ES=0
7C0A 50        PUSH AX
7C0B 1F        POP  DS          ; DS=0
7C0C FC        CLD              ; string operations run from low to high addresses
7C0D BE1B7C    MOV  SI,7C1B     ; source address DS:SI=0000:7C1B
7C10 BF1B06    MOV  DI,061B     ; destination address ES:DI=0000:061B
7C13 50        PUSH AX
7C14 57        PUSH DI
7C15 B9E501    MOV  CX,01E5     ; 1E5h bytes in total
7C18 F3        REPZ
7C19 A4        MOVSB            ; move the MBR from 0000:7C00 to 0000:0600
7C1A CB        RETF             ; jump to 0000:061B
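061B BEBE07    MOV  SI,07BE     ; SI points to the start of the partition table
061E B104      MOV  CL,04       ; loop 4 times; a disk has at most 4 primary partitions
PARTITION_SEARCH_LOOP:
0620 382C      CMP  [SI],CH
0622 7C09      JL   ACTIVE_PARTITION_FOUND    ; the partition is active
0624 7515      JNZ  INVALID_PARTITION_TABLE   ; invalid partition table
0626 83C610    ADD  SI,+10      ; each partition entry occupies 16 bytes; SI points to the next entry
0629 E2F5      LOOP PARTITION_SEARCH_LOOP
062B CD18      INT  18          ; partition table searched, no active partition; INT 18h = DISKLESS BOOT HOOK
ACTIVE_PARTITION_FOUND:
062D 8B14      MOV  DX,[SI]     ; the search below ensures that only one active partition exists; otherwise the partition table is invalid
062F 8BEE      MOV  BP,SI       ; the boot flag and the start address of the partition found are stored in DX and BP respectively
ONLY_ONE_ACTIVE_PARTITION_SEARCH_LOOP:
0631 83C610    ADD  SI,+10
0634 49        DEC  CX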
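Added example (not part of the original page): a C check that applies the same rules as the search loop above to the partition table in the dump (offset 01BE = 07BE - 0600) and accepts exactly one active entry. The helper names and return codes are assumptions of this example, and the 55 AA test is included because the dump ends with that signature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_OFFSET 0x1BE  /* 07BE - 0600: table offset inside the sector */

/* Bytes 01BE..01FF of the dump above (entries 3 and 4 are all zero). */
static const uint8_t SAMPLE_TAIL[66] = {
    0x80,0x01,0x01,0x00,0x0B,0xFE,0x7F,0xFD, 0x3F,0x00,0x00,0x00,0x3F,0x04,0x7D,0x00,
    0x00,0x00,0x41,0xFE,0x0C,0xFE,0xFF,0xFF, 0x7E,0x04,0x7D,0x00,0x7D,0x9B,0xE5,0x01,
    [64] = 0x55, [65] = 0xAA
};

/* Hypothetical helper: zero-filled sector carrying the 66 tail bytes. */
void make_sector(uint8_t out[512], const uint8_t tail[66]) {
    memset(out, 0, 512);
    memcpy(out + PT_OFFSET, tail, 66);
}

/* Little-endian 32-bit field at byte offset `off` of entry `idx`
   (off 8 = starting LBA, off 12 = sector count). */
uint32_t entry_le32(const uint8_t *s, int idx, int off) {
    const uint8_t *p = s + PT_OFFSET + idx * 16 + off;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Index of the single active entry; -1 none active (the INT 18h path),
   -2 invalid table, -3 missing 55 AA signature. */
int mbr_find_active(const uint8_t *s) {
    int active = -1;
    if (s[510] != 0x55 || s[511] != 0xAA) return -3;
    for (int i = 0; i < 4; i++) {
        uint8_t flag = s[PT_OFFSET + i * 16];
        if (flag == 0) continue;                      /* inactive entry */
        if (!(flag & 0x80) || active >= 0) return -2; /* JNZ path, or a 2nd active */
        active = i;                                   /* JL path: bit 7 set */
    }
    return active;
}

int main(void) {
    uint8_t s[512];
    make_sector(s, SAMPLE_TAIL);
    printf("active entry: %d\n", mbr_find_active(s));
    for (int i = 0; i < 4; i++)
        printf("entry %d: flag=%02X type=%02X lba=%u sectors=%u\n", i,
               s[PT_OFFSET + i * 16], s[PT_OFFSET + i * 16 + 4],
               (unsigned)entry_le32(s, i, 8), (unsigned)entry_le32(s, i, 12));
    return 0;
}
```

On the page's dump the first entry is the active one, and its starting LBA plus its sector count equals the second entry's starting LBA, so the two partitions are contiguous.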
Comprehensive Analysis of the Hard Disk MBR (2) www.jdcok.com/anli/5/589.html