An Examination of the IPL1 Boot Record Code found in Microsoft's® setupdd.sys file after downloading it for Windows 2000 SP3
Web Presentation and Text are Copyright © 2003 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author!
This page examines the code that may be written to the first sector of either a Floppy or Hard Disk when used in some way by the Microsoft® Windows 2000 OS. It was simply found inside of the file setupdd.sys and nothing more is known about it at this time.
Although the code was found inside the setupdd.sys
file, for this disk editor view we'll assume it could also be found in the
first sector; that's Absolute (or Physical) Sector 0 or CHS 0,0,1 of
a Floppy or Hard Disk. (See Examination of the Code below
to find out where this data would end up in Memory if that's true.)
Absolute Sector 0 (Cylinder 0, Head 0, Sector 1)

      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000  EB 0A 90 90 49 50 4C 31 00 00 00 1E A0 84 05 B4  ....IPL1........
0010  8E CD 1B A8 20 74 22 32 DB B4 14 CD 1B 72 1A 80  .... t"2.....r..
0020  FB 84 75 15 E8 96 00 73 03 EB 6B 90 B4 24 BB 00  ..u....s..k..$..
0030  04 B9 30 12 BA 40 01 CD 1B BB 00 01 B4 84 CD 1B  ..0..@..........
0040  B4 06 33 C9 33 D2 50 8C C8 2D C0 03 8E C0 58 33  ..3.3.P..-....X3
0050  ED CD 1B 72 41 B4 06 BA 01 00 81 C5 00 08 CD 1B  ...rA...........
0060  72 34 BA 04 00 F7 C3 00 AA 74 03 BA 02 00 B4 06  r4.......t......
0070  BB 00 1C 81 C5 00 08 CD 1B 72 1B 50 8B C5 B1 04  .........r.P....
0080  D3 E8 8C C1 03 C1 8B F0 58 E8 15 00 2E 89 36 0A  ........X.....6.
0090  00 2E FF 1E 08 00 E8 08 00 B4 0E CD 1B B9 01 00  ................
00A0  CB 56 A0 84 05 32 DB B4 14 CD 1B 72 0E 80 FB 84  .V...2.....r....
00B0  75 09 2E C6 06 D4 00 00 E8 02 00 5E C3 B4 B0 BE  u..........^....
00C0  D0 00 BA 06 00 1E 0E 1F CD 1B B4 B0 CD 1B 1F C3  ................
00D0  1E 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
00E0  00 00 00 00 00 00 00 00 00 00 00 00 0D 00 55 AA  ..............U.
00F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
The first four bytes consist of a two-byte Jump Instruction ("EB 0A") to the rest of the code, followed by two NOPs (90h bytes). The next 196 bytes (0Ch through CFh) of the 512-byte sector are all executable code. The next 32 bytes (D0h through EFh) appear as if they might be some kind of data area (note how it ends with the same signature Word as the last two bytes in the sector). This is followed by 270 zero-bytes (the bulk of the sector) and it ends with the Word-sized signature ID of AA55h (often called the sector's Magic number; on Intel CPU systems, hex Words are stored with the Low-byte first and the High-byte last).
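The layout described above can be checked mechanically. The following is an added example, not part of the original page: it rebuilds the sector from the hex dump, decodes the short jump, and locates both AA55h words and the zero fill. The function name analyze and its load_addr default of 7C00h (taken from the addresses in the disassembly listing) are assumptions of this example.

```python
# Added example: layout check of the 512-byte sector shown in the hex dump.
# Bytes 0000h-00EFh are copied from that dump; the rest is zero fill plus 55 AA.
import struct

HEAD = bytes.fromhex("""
EB0A909049504C310000001EA08405B4
8ECD1BA820742232DBB414CD1B721A80
FB847515E896007303EB6B90B424BB00
04B93012BA4001CD1BBB0001B484CD1B
B40633C933D2508CC82DC0038EC05833
EDCD1B7241B406BA010081C50008CD1B
7234BA0400F7C300AA7403BA0200B406
BB001C81C50008CD1B721B508BC5B104
D3E88CC103C18BF058E815002E89360A
002EFF1E0800E80800B40ECD1BB90100
CB56A0840532DBB414CD1B720E80FB84
75092EC606D40000E802005EC3B4B0BE
D000BA06001E0E1FCD1BB4B0CD1B1FC3
1E000000010000000000000000000000
0000000000000000000000000D0055AA
""")
SECTOR = HEAD + bytes(0x1FE - len(HEAD)) + b"\x55\xAA"

def analyze(sector: bytes, load_addr: int = 0x7C00) -> dict:
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    if sector[0] != 0xEB:
        raise ValueError("sector does not start with a short JMP (EBh)")
    # EB rel8: target = offset of the next instruction + signed displacement
    rel8 = struct.unpack_from("<b", sector, 1)[0]
    entry = 2 + rel8
    # Little-endian words: the byte pair 55 AA reads back as AA55h
    sig_offsets = [o for o in range(0, 512, 2)
                   if struct.unpack_from("<H", sector, o)[0] == 0xAA55]
    # Zero fill between the last non-zero byte and the closing signature
    fill_start = 0x1FE
    while fill_start > 0 and sector[fill_start - 1] == 0:
        fill_start -= 1
    return {
        "entry_offset": entry,
        "entry_address": load_addr + entry,
        "tag": sector[4:8].decode("ascii", "replace"),
        "signature_offsets": sig_offsets,
        "zero_fill": (fill_start, 0x1FE - fill_start),
    }

if __name__ == "__main__":
    for key, value in analyze(SECTOR).items():
        print(key, value)
```

The same function can be run on any 512-byte sector image read from a file to compare its jump target, tag and signature positions against this one.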
So what's the purpose of this code? Is it some kind of a boot sector, or not one at all?
...
7C00 EB0A          JMP     7C0C
7C02 90            NOP
7C03 90            NOP
7C0C A08405        MOV     AL,[0584]
7C0F B48E          MOV     AH,8E
7C11 CD1B          INT     1B
7C13 A820          TEST    AL,20
7C15 7422          JZ      7C39
7C17 32DB          XOR     BL,BL
7C19 B414          MOV     AH,14
7C1B CD1B          INT     1B
7C1D 721A          JB      7C39
7C1F 80FB84        CMP     BL,84
7C22 7515          JNZ     7C39
7C24 E89600        CALL    7CBD
7C27 7303          JNB     7C2C
7C29 EB6B          JMP     7C96
7C2B 90            NOP
7C2C B424          MOV     AH,24
7C2E BB0004        MOV     BX,0400
7C31 B93012        MOV     CX,1230
7C34 BA4001        MOV     DX,0140
7C37 CD1B          INT     1B
7C39 BB0001        MOV     BX,0100
7C3C B484          MOV     AH,84
7C3E CD1B          INT     1B
7C40 B406          MOV     AH,06
7C42 33C9          XOR     CX,CX
7C44 33D2          XOR     DX,DX
7C46 50            PUSH    AX
7C47 8CC8          MOV     AX,CS
7C49 2DC003        SUB     AX,03C0
7C4C 8EC0          MOV     ES,AX
7C4E 58            POP     AX
7C4F 33ED          XOR     BP,BP
7C51 CD1B          INT     1B
7C53 7241          JB      7C96
7C55 B406          MOV     AH,06
7C57 BA0100        MOV     DX,0001
7C5A 81C50008      ADD     BP,0800
7C5E CD1B          INT     1B
7C60 7234          JB      7C96
7C62 BA0400        MOV     DX,0004
7C65 F7C300AA      TEST    BX,AA00
7C69 7403          JZ      7C6E
7C6B BA0200        MOV     DX,0002
7C6E B406          MOV     AH,06
7C70 BB001C        MOV     BX,1C00
7C73 81C50008      ADD     BP,0800
7C77 CD1B          INT     1B
7C79 721B          JB      7C96
7C7B 50            PUSH    AX
7C7C 8BC5          MOV     AX,BP
7C7E B104          MOV     CL,04
7C80 D3E8          SHR     AX,CL
7C82 8CC1          MOV     CX,ES
7C84 03C1          ADD     AX,CX
7C86 8BF0          MOV     SI,AX
7C88 58            POP     AX
7C89 E81500        CALL    7CA1
7C8C 2E            CS:
7C8D 89360A00      MOV     [000A],SI
7C91 2E            CS:
7C92 FF1E0800      CALL    FAR [0008]
7C96 E80800        CALL    7CA1
7C99 B40E          MOV     AH,0E
7C9B CD1B          INT     1B
7C9D B90100        MOV     CX,0001
7CA0 CB            RETF
7CA1 56            PUSH    SI
7CA2 A08405        MOV     AL,[0584]
7CA5 32DB          XOR     BL,BL
7CA7 B414          MOV     AH,14
7CA9 CD1B          INT     1B
7CAB 720E          JB      7CBB
7CAD 80FB84        CMP     BL,84
7CB0 7509          JNZ     7CBB
7CB2 2E            CS:
7CB3 C606D40000    MOV     BYTE PTR [00D4],00
7CB8 E80200        CALL    7CBD
7CBB 5E            POP     SI
7CBC C3            RET
7CBD B4B0          MOV     AH,B0
7CBF BED000        MOV     SI,00D0
7CC2 BA0600        MOV     DX,0006
7CC5 1E            PUSH    DS
7CC6 0E            PUSH    CS
7CC7 1F            POP     DS
7CC8 CD1B          INT     1B
7CCA B4B0          MOV     AH,B0
7CCC CD1B          INT     1B
7CCE 1F            POP     DS
7CCF C3            RET