Compago
Story of a boot - Inside the partition

E-mail Stampa PDF
Indice
Storia di un boot
Partition Boot Sector
Dentro la partizione
Tutte le pagine

This part is only a draft and still needs an analysis of the file table (the MFT).

In the third phase the code loads 16 sectors again (16*512 = 8192 = 2000h bytes), starting at byte offset 7E00h of the disk (the start of the partition).
The first part of the code is therefore exactly the same as before and is not repeated here.
For clarity, this block of code sits in memory from D000h to F000h, i.e. at segment 0D00h.

0D00:0000 
...
0D00:01FE 55AA ;boot sector signature

0D00:0200 00000200 0500 ;word = 5, length in characters of the name "NTLDR" (loaded at 3A8h with movzx ecx,word [0x200])
0D00:0202 00000202 4E00 5400 4C00 4400 5200 ;UTF-16LE string "NTLDR" (its address, 202h, is passed in EAX at 3AEh)
0D00:020C 0000020C 0400 ;word = 4, length of the name "$I30"
0D00:020E 0000020E 2400 4900 3300 3000 ;UTF-16LE string "$I30", the name NTFS gives to the directory index attributes ($INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP of a directory)
0D00:0216 00000216 00E0
0D00:0218 00000218 0000
0D00:021A 0000021A 00300000 ;variable V9 = 3000h (address of the buffer the next record is read into: 0D00:3000)
0D00:021E 0000021E 00000000 ;variable V8 (number of file records in the list at V11)
0D00:0222 00000222 00000000 ;variable V5
0D00:0226 00000226 00000000 ;variable V6
0D00:022A 0000022A 00000000 ;variable V7
0D00:022E 0000022E 0000
0D00:0230 00000230 0000
0D00:0232 00000232 00000000 ;variable V12
0D00:0236 00000236 0000
0D00:0238 00000238 0000
0D00:023A 0000023A 0000 ;variable V13
0D00:023C 0000023C 0000
0D00:023E 0000023E 0000
0D00:0240 00000240 0000
0D00:0242 00000242 00000000 ;variable V4
0D00:0246 00000246 0000
0D00:0248 00000248 0000
0D00:024A 0000024A 00000000 ;variable V11 (pointer into the list of (start sector, sector count) pairs built by 6D0h)
0D00:024E 0000024E 00000000 ;variable V1 (bytes per cluster)
0D00:0252 00000252 00000000 ;variable V2 (bytes per file record segment)
0D00:0256 00000256 EB129090 ;variable V3 (sectors per file record segment)
0D00:025A 0000025A 00000000 ;variable V10
0D00:025E 0000025E 0000
0D00:0260 00000260 0000
0D00:0262 00000262 0000
0D00:0264 00000264 0000
0D00:0266 00000266 0000
0D00:0268 00000268 0000

Start of code

0D00:026A 0000026A 8CC8 mov ax,cs ;AX=CS=0D00h
0D00:026C 0000026C 8ED8 mov ds,ax ;DS=AX=CS=0D00h (the data segment must be the same as the code segment: the BPB and the variables above are addressed through DS)
0D00:026E 0000026E C1E004 shl ax,0x4 ;AX*16 => AX=D000h, the linear address of the code
0D00:0271 00000271 FA cli ;disable interrupts
0D00:0272 00000272 8BE0 mov sp,ax ;stack pointer = AX = D000h; the stack segment SS has stayed at 0
;i.e. the memory below the code is used as the stack (stack from 0 up to D000h, code from D000h on)
0D00:0274 00000274 FB sti ;re-enable interrupts
0D00:0275 00000275 E803FE call word 0x7b ;calls the disk check routine at 0D00:007B (verifies the disk's total capacity, see the previous page)
0D00:0278 00000278 660FB7060B00 movzx eax,word [0xb] ;EAX = word at BPB offset 0Bh = 200h (O1) bytes per sector
0D00:027E 0000027E 660FB61E0D00 movzx ebx,byte [0xd] ;EBX = byte at BPB offset 0Dh = 8 (O2) sectors per cluster
0D00:0284 00000284 66F7E3 mul ebx ;EAX=EAX*EBX=1000h = bytes per cluster
0D00:0287 00000287 66A34E02 mov [0x24e],eax ;store the result in a variable in memory (V1=1000h)
0D00:028B 0000028B 668B0E4000 mov ecx,[0x40] ;ECX = dword at BPB offset 40h => O4; only the low byte matters: it is the signed "clusters per file record segment" field, here F6h
0D00:0290 00000290 80F900 cmp cl,0x0 ;compare CL (=F6h) with 0 as a signed byte
0D00:0293 00000293 0F8F0E00 jg word 0x2a5 ;if CL > 0 the field is a cluster count: jump to 2A5h
0D00:0297 00000297 F6D9 neg cl ;otherwise the field is negative: F6h = -10, so CL becomes 0Ah
0D00:0299 00000299 66B801000000 mov eax,0x1 ;EAX=1
0D00:029F 0000029F 66D3E0 shl eax,cl ;EAX = 2^CL = 2^10 = 400h = 1024 bytes per file record segment (independent of the cluster size)
0D00:02A2 000002A2 EB08 jmp short 0x2ac ;go to 2ACh
0D00:02A4 000002A4 90 nop
(J->293h)
0D00:02A5 000002A5 66A14E02 mov eax,[0x24e] ;EAX = V1 = 1000h (bytes per cluster); this branch runs only when the field is positive
0D00:02A9 000002A9 66F7E1 mul ecx ;EDX:EAX = ECX*EAX = clusters per record * bytes per cluster = bytes per file record segment
(J->2A2h)
0D00:02AC 000002AC 66A35202 mov [0x252],eax ;V2 = bytes per file record segment. With the usual value F6h the negative branch runs and V2 = 400h (1024); F6h*1000h = F6000h would be the result of the positive branch, which is not taken here
0D00:02B0 000002B0 660FB71E0B00 movzx ebx,word [0xb] ;EBX=200h (O1) bytes per sector
0D00:02B6 000002B6 6633D2 xor edx,edx ;EDX=0
0D00:02B9 000002B9 66F7F3 div ebx ;EAX=EDX:EAX/EBX, remainder in EDX (400h/200h = 2) sectors per file record segment
0D00:02BC 000002BC 66A35602 mov [0x256],eax ;V3 = 2 (sectors per file record segment)
0D00:02C0 000002C0 E80D04 call word 0x6d0 ;calls the routine at 6D0h (reads the $MFT record from disk into memory, see below)
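The signed-byte rule above is exactly the point where a hand-written NTFS parser usually goes wrong, so here is an added example (not code from the original page, nor the Microsoft boot code) that reads the same BPB fields from a 512-byte NTFS boot sector and computes V1, V2 and V3 the way the instructions at 278h-2BCh do. The boot sector is constructed inline with the values the page reports (200h bytes per sector, 8 sectors per cluster, $MFT at cluster C0000h, F6h at offset 40h, 3Fh hidden sectors); the function names and the dictionary keys are my own.

```python
"""
Added example (not code from the original page): parse the fields of an NTFS
boot sector that the boot code reads, and compute bytes per cluster (V1),
bytes per file record segment (V2) and sectors per file record segment (V3)
the same way the code at 0D00:0278-02BC does.  The sample boot sector is
constructed below with the values the page reports.
"""
import struct


def clusters_per_record_to_bytes(field, bytes_per_cluster):
    """Mirror of the cmp cl,0 / jg / neg cl / shl eax,cl sequence.

    The byte at BPB offset 40h is signed: a positive value is a count of
    clusters, a negative value -n means the record is 2**n bytes, so F6h (-10)
    gives 1024-byte file records whatever the cluster size is.
    """
    signed = struct.unpack("<b", bytes([field & 0xFF]))[0]
    if signed > 0:              # jg 0x2a5 taken: size = clusters * bytes per cluster
        return signed * bytes_per_cluster
    return 1 << (-signed)       # neg cl; mov eax,1; shl eax,cl


def parse_ntfs_boot_sector(sector):
    """Pull the BPB fields the boot code uses from a 512-byte NTFS boot sector."""
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a boot sector (missing 55AA signature)")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not NTFS")
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)   # O1
    sectors_per_cluster = sector[0x0D]                            # O2
    hidden_sectors, = struct.unpack_from("<I", sector, 0x1C)     # partition start (3Fh on the page)
    drive_number = sector[0x24]                                   # loaded into DL before jumping to NTLDR
    mft_cluster, = struct.unpack_from("<Q", sector, 0x30)        # O3
    clusters_per_record_field = sector[0x40]                     # O4 (signed byte)
    clusters_per_index_field = sector[0x44]                      # same encoding, for index records

    bytes_per_cluster = bytes_per_sector * sectors_per_cluster   # V1
    bytes_per_record = clusters_per_record_to_bytes(clusters_per_record_field, bytes_per_cluster)  # V2
    sectors_per_record = bytes_per_record // bytes_per_sector    # V3
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "hidden_sectors": hidden_sectors,
        "drive_number": drive_number,
        "mft_cluster": mft_cluster,
        "bytes_per_cluster": bytes_per_cluster,
        "bytes_per_record": bytes_per_record,
        "sectors_per_record": sectors_per_record,
        "mft_start_sector": mft_cluster * sectors_per_cluster,   # what 6D0h stores as the first run
        "mft_first_disk_sector": hidden_sectors + mft_cluster * sectors_per_cluster,
        "clusters_per_index_field": clusters_per_index_field,
    }


def build_sample_boot_sector():
    """Constructed sample: only the fields used above are filled in."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                  # jmp short + nop, as in a real NTFS boot sector
    sec[3:11] = b"NTFS    "
    struct.pack_into("<H", sec, 0x0B, 0x200)    # bytes per sector
    sec[0x0D] = 8                               # sectors per cluster
    struct.pack_into("<I", sec, 0x1C, 0x3F)     # hidden sectors
    sec[0x24] = 0x80                            # physical drive number
    struct.pack_into("<Q", sec, 0x30, 0xC0000)  # $MFT cluster number
    sec[0x40] = 0xF6                            # clusters per file record: -10 -> 1024-byte records
    sec[0x44] = 0x01                            # clusters per index record
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    for key, value in info.items():
        print("%-26s =%#x" % (key, value))
```

Feed a real first sector of an NTFS partition to parse_ntfs_boot_sector and the same V1/V2/V3 come out; the positive branch of clusters_per_record_to_bytes is the one the page's comments (F6000h, 7B0h) describe, but it only runs when the byte at 40h is positive.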

0D00:02C3 000002C3 668B0E4A02 mov ecx,[0x24a] ;ECX = V11, the first free dword after the list built by 6D0h (3808h with a single entry: 3000h + 2*V2 + 8, V2 = 400h)
0D00:02C8 000002C8 66890E2202 mov [0x222],ecx ;V5 = ECX: first of five record-sized buffers carved out from here
0D00:02CD 000002CD 66030E5202 add ecx,[0x252] ;ECX += V2 (3808h + 400h = 3C08h)
0D00:02D2 000002D2 66890E2602 mov [0x226],ecx ;V6 = 3C08h
0D00:02D7 000002D7 66030E5202 add ecx,[0x252] ;ECX += V2 = 4008h
0D00:02DC 000002DC 66890E2A02 mov [0x22a],ecx ;V7 = 4008h
0D00:02E1 000002E1 66030E5202 add ecx,[0x252] ;ECX += V2 = 4408h
0D00:02E6 000002E6 66890E3A02 mov [0x23a],ecx ;V13 = 4408h (buffer for NTLDR's file record)
0D00:02EB 000002EB 66030E5202 add ecx,[0x252] ;ECX += V2 = 4808h
0D00:02F0 000002F0 66890E4202 mov [0x242],ecx ;V4 = 4808h (buffer for index records)
0D00:02F5 000002F5 66B890000000 mov eax,0x90 ;EAX = 90h = attribute type $INDEX_ROOT
0D00:02FB 000002FB 668B0E2202 mov ecx,[0x222] ;ECX = V5
0D00:0300 00000300 E8EC08 call word 0xbef ;(not in this listing) called with EAX = attribute type and ECX = a record-sized buffer; from the checks that follow it returns the address of the attribute header in EAX, or 0 on failure
0D00:0303 00000303 660BC0 or eax,eax ;test EAX
0D00:0306 00000306 0F8457FE jz word 0x161 ;EAX = 0: jump to 161h (shows the disk read error)
;otherwise continue
0D00:030A 0000030A 66A32E02 mov [0x22e],eax ;[22Eh] = address of the root directory's $INDEX_ROOT attribute
0D00:030E 0000030E 66B8A0000000 mov eax,0xa0 ;EAX = A0h = attribute type $INDEX_ALLOCATION
0D00:0314 00000314 668B0E2602 mov ecx,[0x226] ;ECX = V6
0D00:0319 00000319 E8D308 call word 0xbef ;same lookup (not in this listing) for $INDEX_ALLOCATION
0D00:031C 0000031C 66A33202 mov [0x232],eax ;V12 = its address, or 0 when the directory is small enough to fit in $INDEX_ROOT (tested at 385h)
0D00:0320 00000320 66B8B0000000 mov eax,0xb0 ;EAX = B0h = attribute type $BITMAP
0D00:0326 00000326 668B0E2A02 mov ecx,[0x22a] ;ECX = V7
0D00:032B 0000032B E8C108 call word 0xbef ;same lookup for $BITMAP
0D00:032E 0000032E 66A33602 mov [0x236],eax ;[236h] = its address, or 0
0D00:0332 00000332 66A12E02 mov eax,[0x22e] ;EAX = $INDEX_ROOT attribute
0D00:0336 00000336 660BC0 or eax,eax
0D00:0339 00000339 0F8424FE jz word 0x161 ;no $INDEX_ROOT: error at 161h
0D00:033D 0000033D 6780780800 cmp byte [eax+0x8],0x0 ;the non-resident flag at +8 must be 0: $INDEX_ROOT is always resident
0D00:0342 00000342 0F851BFE jnz word 0x161
0D00:0346 00000346 67668D5010 lea edx,[eax+0x10] ;EDX -> resident part of the header (+10h value length, +14h value offset)
0D00:034B 0000034B 67034204 add ax,[edx+0x4] ;AX += value offset: EAX now points to the $INDEX_ROOT value
0D00:034F 0000034F 67660FB6480C movzx ecx,byte [eax+0xc] ;byte at +0Ch of the value = clusters per index record
0D00:0355 00000355 66890E6202 mov [0x262],ecx
0D00:035A 0000035A 67668B4808 mov ecx,[eax+0x8] ;dword at +8 of the value = bytes per index record
0D00:035F 0000035F 66890E5E02 mov [0x25e],ecx
0D00:0364 00000364 66A15E02 mov eax,[0x25e]
0D00:0368 00000368 660FB70E0B00 movzx ecx,word [0xb] ;bytes per sector
0D00:036E 0000036E 6633D2 xor edx,edx
0D00:0371 00000371 66F7F1 div ecx
0D00:0374 00000374 66A36602 mov [0x266],eax ;[266h] = sectors per index record
0D00:0378 00000378 66A14202 mov eax,[0x242] ;EAX = V4 (buffer for index records)
0D00:037C 0000037C 6603065E02 add eax,[0x25e] ;+ one index record
0D00:0381 00000381 66A34602 mov [0x246],eax ;[246h] = buffer right after it, used below for the $BITMAP copy
0D00:0385 00000385 66833E320200 cmp dword [0x232],byte +0x0 ;is there an $INDEX_ALLOCATION?
0D00:038B 0000038B 0F841900 jz word 0x3a8 ;no: all the entries are in $INDEX_ROOT, skip the bitmap
0D00:038F 0000038F 66833E360200 cmp dword [0x236],byte +0x0 ;otherwise a $BITMAP must exist too
0D00:0395 00000395 0F84C8FD jz word 0x161
0D00:0399 00000399 668B1E3602 mov ebx,[0x236] ;EBX = $BITMAP attribute
0D00:039E 0000039E 1E push ds
0D00:039F 0000039F 07 pop es
0D00:03A0 000003A0 668B3E4602 mov edi,[0x246]
0D00:03A5 000003A5 E89201 call word 0x53a ;copies the bitmap's value to ES:EDI
0D00:03A8 000003A8 660FB70E0002 movzx ecx,word [0x200] ;ECX = 5, length of the name "NTLDR" (see the data area)
0D00:03AE 000003AE 66B802020000 mov eax,0x202 ;EAX = address of the UTF-16 string "NTLDR"
0D00:03B4 000003B4 E89607 call word 0xb4d ;(not in this listing) looks the name up in the root directory index; from the code below it returns the address of the matching index entry, or 0
0D00:03B7 000003B7 660BC0 or eax,eax
0D00:03BA 000003BA 0F840A09 jz word 0xcc8 ;not found: error at CC8h (not in this listing)
0D00:03BE 000003BE 67668B00 mov eax,[eax] ;EAX = dword at the start of the index entry = low dword of the file reference, i.e. the MFT record number of NTLDR
0D00:03C2 000003C2 1E push ds
0D00:03C3 000003C3 07 pop es
0D00:03C4 000003C4 668B3E3A02 mov edi,[0x23a] ;EDI = V13 (buffer for the record)
0D00:03C9 000003C9 E8CE05 call word 0x99a ;reads MFT record EAX into ES:EDI and applies the fixups (see 99Ah)
0D00:03CC 000003CC 66A13A02 mov eax,[0x23a]
0D00:03D0 000003D0 66BB80000000 mov ebx,0x80 ;EBX = 80h = attribute type $DATA
0D00:03D6 000003D6 66B900000000 mov ecx,0x0 ;unnamed
0D00:03DC 000003DC 66BA00000000 mov edx,0x0
0D00:03E2 000003E2 E8AC00 call word 0x491 ;looks for the unnamed $DATA attribute in NTLDR's record (see 491h)
0D00:03E5 000003E5 660BC0 or eax,eax
0D00:03E8 000003E8 0F853E00 jnz word 0x42a ;found: go on at 42Ah
0D00:03EC 000003EC 66B980000000 mov ecx,0x80 ;not in the base record: look for the $DATA attribute through the attribute list
0D00:03F2 000003F2 66A13A02 mov eax,[0x23a]
0D00:03F6 000003F6 E85908 call word 0xc52 ;(not in this listing) from the code below, returns the number of the MFT record that holds the attribute, or 0
0D00:03F9 000003F9 660BC0 or eax,eax
0D00:03FC 000003FC 0F84C808 jz word 0xcc8
0D00:0400 00000400 1E push ds
0D00:0401 00000401 07 pop es
0D00:0402 00000402 668B3E3A02 mov edi,[0x23a]
0D00:0407 00000407 E89005 call word 0x99a ;reads that record into V13
0D00:040A 0000040A 66A13A02 mov eax,[0x23a]
0D00:040E 0000040E 66BB80000000 mov ebx,0x80
0D00:0414 00000414 66B900000000 mov ecx,0x0
0D00:041A 0000041A 66BA00000000 mov edx,0x0
0D00:0420 00000420 E86E00 call word 0x491 ;and searches the $DATA attribute again
0D00:0423 00000423 660BC0 or eax,eax
0D00:0426 00000426 0F849E08 jz word 0xcc8
0D00:042A 0000042A 67660FB7580C movzx ebx,word [eax+0xc] ;EBX = attribute flags (word at +0Ch of the header)
0D00:0430 00000430 6681E3FF000000 and ebx,0xff ;low byte = compression flags
0D00:0437 00000437 0F859308 jnz word 0xcce ;compressed attribute: error at CCEh (not in this listing); the boot code cannot read a compressed NTLDR
0D00:043B 0000043B 668BD8 mov ebx,eax ;EBX = $DATA attribute of NTLDR
0D00:043E 0000043E 680020 push word 0x2000
0D00:0441 00000441 07 pop es ;ES = 2000h
0D00:0442 00000442 662BFF sub edi,edi ;EDI = 0
0D00:0445 00000445 E8F200 call word 0x53a ;copies the whole file to 2000:0000
0D00:0448 00000448 8A162400 mov dl,[0x24] ;DL = drive number from the BPB (offset 24h)
0D00:044C 0000044C B8E803 mov ax,0x3e8
0D00:044F 0000044F 8EC0 mov es,ax ;ES = 3E8h
0D00:0451 00000451 8D360B00 lea si,[0xb] ;DS:SI -> the BPB
0D00:0455 00000455 2BC0 sub ax,ax
0D00:0457 00000457 680020 push word 0x2000
0D00:045A 0000045A 50 push ax
0D00:045B 0000045B CB retf ;far jump to 2000:0000: hands control to NTLDR
(C->5AEh) Reads EDX clusters starting at cluster EAX into ES:EDI: both are converted to sectors (O6 at 10h = start sector, O5 at 0Eh = count), ES:EDI is normalized into a segment:offset pair and the read routine at C7h is called
0D00:045C 0000045C 06 push es
0D00:045D 0000045D 1E push ds
0D00:045E 0000045E 6660 pushad
0D00:0460 00000460 668BDA mov ebx,edx
0D00:0463 00000463 660FB60E0D00 movzx ecx,byte [0xd]
0D00:0469 00000469 66F7E1 mul ecx
0D00:046C 0000046C 66A31000 mov [0x10],eax
0D00:0470 00000470 668BC3 mov eax,ebx
0D00:0473 00000473 66F7E1 mul ecx
0D00:0476 00000476 A30E00 mov [0xe],ax
0D00:0479 00000479 8BDF mov bx,di
0D00:047B 0000047B 83E30F and bx,byte +0xf
0D00:047E 0000047E 8CC0 mov ax,es
0D00:0480 00000480 66C1EF04 shr edi,0x4
0D00:0484 00000484 03C7 add ax,di
0D00:0486 00000486 50 push ax
0D00:0487 00000487 07 pop es
0D00:0488 00000488 E83CFC call word 0xc7
0D00:048B 0000048B 6661 popad
0D00:048D 0000048D 90 nop
0D00:048E 0000048E 1F pop ds
0D00:048F 0000048F 07 pop es
0D00:0490 00000490 C3 ret

(C->748h, 3E2h, 420h, 8D4h) Attribute lookup: searches the file record at EAX for an attribute of type EBX whose name has CL characters and is at DS:EDX (ECX = 0 means the attribute must be unnamed). Returns the address of the attribute header in EAX, or 0 if there is none
;remember: on the call from 748h EBX=20h ($ATTRIBUTE_LIST), EDX=ECX=0, EAX=3000h
0D00:0491 00000491 67034014 add ax,[eax+0x14] ;AX += word at +14h of the FILE record header = offset of the first attribute ([3014h]=38h) => EAX=3038h
(J->4E8)
0D00:0495 00000495 67668338FF cmp dword [eax],byte -0x1 ;compare the attribute type ([3038h]=10h, $STANDARD_INFORMATION) with FFFFFFFFh, the end-of-attributes marker
0D00:049A 0000049A 0F844C00 jz word 0x4ea ;end marker: the function ends at 4EAh returning 0
0D00:049E 0000049E 67663918 cmp [eax],ebx ;otherwise compare the type with the one wanted (EBX=20h)
0D00:04A2 000004A2 0F853300 jnz word 0x4d9 ;different: go to the next attribute at 4D9h
0D00:04A6 000004A6 660BC9 or ecx,ecx ;was a name length given?
0D00:04A9 000004A9 0F850A00 jnz word 0x4b7 ;ECX != 0: compare the names at 4B7h
0D00:04AD 000004AD 6780780900 cmp byte [eax+0x9],0x0 ;no name wanted: the name length at +9 ([3041h]) must be 0
0D00:04B2 000004B2 0F852300 jnz word 0x4d9 ;it is a named attribute: skip it
0D00:04B6 000004B6 C3 ret ;found: EAX points to the attribute, return to the caller (74Bh)
(J->4A9)
0D00:04B7 000004B7 673A4809 cmp cl,[eax+0x9] ;compare the wanted name length (CL) with the attribute's name length at +9
0D00:04BB 000004BB 0F851A00 jnz word 0x4d9 ;different lengths: next attribute
0D00:04BF 000004BF 668BF0 mov esi,eax ;ESI = address of the attribute
0D00:04C2 000004C2 6703700A add si,[eax+0xa] ;SI += name offset (word at +0Ah, e.g. 18h): ESI points to the attribute's UTF-16 name
0D00:04C6 000004C6 E85906 call word 0xb22 ;calls B22h (not in this listing) before the comparison
0D00:04C9 000004C9 6651 push ecx
0D00:04CB 000004CB 1E push ds
0D00:04CC 000004CC 07 pop es ;ES=DS=0D00h
0D00:04CD 000004CD 668BFA mov edi,edx ;EDI = EDX = address of the wanted name
0D00:04D0 000004D0 F3A7 repe cmpsw ;compares CX words at DS:ESI and ES:EDI, stopping at the first difference
0D00:04D2 000004D2 6659 pop ecx
0D00:04D4 000004D4 0F850100 jnz word 0x4d9 ;the last words compared differ (ZF clear): the names are different, go to the next attribute
0D00:04D8 000004D8 C3 ret ;names equal: found, return with EAX = attribute address
(J->4A2)(J->4B2)
0D00:04D9 000004D9 676683780400 cmp dword [eax+0x4],byte +0x0 ;attribute record length at +4 ([303Ch]=60h) compared with 0
0D00:04DF 000004DF 0F840700 jz word 0x4ea ;a zero length would loop forever on the same attribute: stop and return 0
0D00:04E3 000004E3 6766034004 add eax,[eax+0x4] ;otherwise EAX += length: the next attribute header (3038h+60h=3098h)
0D00:04E8 000004E8 EBAB jmp short 0x495 ;repeat from 495h
End of function (J->49Ah)(J->4DFh)
0D00:04EA 000004EA 662BC0 sub eax,eax ;EAX = 0: not found
0D00:04ED 000004ED C3 ret ;return to the caller

(called from outside this listing) Searches the index entries that follow the index header at EAX for a file name of CL characters whose text is at DS:EBX. In each entry the flags are at +0Ch (bit 1 = last entry), the entry length at +8 and the $FILE_NAME value at +10h, with the name length at +40h and the name at +42h. Returns the entry address in EAX, or 0
0D00:04EE 000004EE 668BF3 mov esi,ebx
0D00:04F1 000004F1 E82E06 call word 0xb22
0D00:04F4 000004F4 67660300 add eax,[eax]
0D00:04F8 000004F8 67F7400C0200 test word [eax+0xc],0x2
0D00:04FE 000004FE 0F853400 jnz word 0x536
0D00:0502 00000502 67668D5010 lea edx,[eax+0x10]
0D00:0507 00000507 673A4A40 cmp cl,[edx+0x40]
0D00:050B 0000050B 0F851800 jnz word 0x527
0D00:050F 0000050F 67668D7242 lea esi,[edx+0x42]
0D00:0514 00000514 E80B06 call word 0xb22
0D00:0517 00000517 6651 push ecx
0D00:0519 00000519 1E push ds
0D00:051A 0000051A 07 pop es
0D00:051B 0000051B 668BFB mov edi,ebx
0D00:051E 0000051E F3A7 repe cmpsw
0D00:0520 00000520 6659 pop ecx
0D00:0522 00000522 0F850100 jnz word 0x527
0D00:0526 00000526 C3 ret
0D00:0527 00000527 6783780800 cmp word [eax+0x8],byte +0x0
0D00:052C 0000052C 0F840600 jz word 0x536
0D00:0530 00000530 67034008 add ax,[eax+0x8]
0D00:0534 00000534 EBC2 jmp short 0x4f8
0D00:0536 00000536 6633C0 xor eax,eax
0D00:0539 00000539 C3 ret

(C->3A5h, 445h, 75Ch) Copies the value of the attribute at EBX to ES:EDI
0D00:053A 0000053A 67807B0800 cmp byte [ebx+0x8],0x0 ;non-resident flag at +8 of the attribute header: 0 = resident
0D00:053F 0000053F 0F851C00 jnz word 0x55f ;non-resident: go to 55Fh
0D00:0543 00000543 06 push es
0D00:0544 00000544 1E push ds
0D00:0545 00000545 6660 pushad
0D00:0547 00000547 67668D5310 lea edx,[ebx+0x10] ;EDX -> resident part of the header
0D00:054C 0000054C 67668B0A mov ecx,[edx] ;ECX = value length (dword at +10h)
0D00:0550 00000550 668BF3 mov esi,ebx
0D00:0553 00000553 67037204 add si,[edx+0x4] ;SI += value offset (word at +14h): DS:ESI -> the value
0D00:0557 00000557 F3A4 rep movsb ;copy ECX bytes to ES:EDI
0D00:0559 00000559 6661 popad
0D00:055B 0000055B 90 nop
0D00:055C 0000055C 1F pop ds
0D00:055D 0000055D 07 pop es
0D00:055E 0000055E C3 ret

(J->53Fh) non-resident attribute
0D00:055F 0000055F 67668D5310 lea edx,[ebx+0x10] ;EDX -> non-resident part of the header
0D00:0564 00000564 67668B4A08 mov ecx,[edx+0x8] ;ECX = last VCN (dword at +18h)
0D00:0569 00000569 6641 inc ecx ;+1 = number of clusters of the attribute
0D00:056B 0000056B 662BC0 sub eax,eax ;EAX = starting VCN 0
0D00:056E 0000056E E80100 call word 0x572 ;reads the clusters run by run
0D00:0571 00000571 C3 ret

(C->56Eh) Reads ECX clusters of the non-resident attribute at EBX, starting at VCN EAX, into ES:EDI: A0Fh (not in this listing; from its use here it maps VCN EAX to a disk cluster in EAX and leaves the run's remaining length in ECX), 45Ch reads the smaller of the run length and the clusters left, then the VCN, the destination and the count are advanced and the loop repeats at 582h until ECX = 0. A byte +8 other than 1 is treated as a disk read error (161h)
0D00:0572 00000572 06 push es
0D00:0573 00000573 1E push ds
0D00:0574 00000574 6660 pushad
0D00:0576 00000576 67807B0801 cmp byte [ebx+0x8],0x1
0D00:057B 0000057B 0F840300 jz word 0x582
0D00:057F 0000057F E9DFFB jmp word 0x161
0D00:0582 00000582 6683F900 cmp ecx,byte +0x0
0D00:0586 00000586 0F850600 jnz word 0x590
0D00:058A 0000058A 6661 popad
0D00:058C 0000058C 90 nop
0D00:058D 0000058D 1F pop ds
0D00:058E 0000058E 07 pop es
0D00:058F 0000058F C3 ret

0D00:0590 00000590 6653 push ebx
0D00:0592 00000592 6650 push eax
0D00:0594 00000594 6651 push ecx
0D00:0596 00000596 6657 push edi
0D00:0598 00000598 06 push es
0D00:0599 00000599 E87304 call word 0xa0f
0D00:059C 0000059C 668BD1 mov edx,ecx
0D00:059F 0000059F 07 pop es
0D00:05A0 000005A0 665F pop edi
0D00:05A2 000005A2 6659 pop ecx
0D00:05A4 000005A4 663BCA cmp ecx,edx
0D00:05A7 000005A7 0F8D0300 jnl word 0x5ae
0D00:05AB 000005AB 668BD1 mov edx,ecx
0D00:05AE 000005AE E8ABFE call word 0x45c
0D00:05B1 000005B1 662BCA sub ecx,edx
0D00:05B4 000005B4 668BDA mov ebx,edx
0D00:05B7 000005B7 668BC2 mov eax,edx
0D00:05BA 000005BA 660FB6160D00 movzx edx,byte [0xd]
0D00:05C0 000005C0 66F7E2 mul edx
0D00:05C3 000005C3 660FB7160B00 movzx edx,word [0xb]
0D00:05C9 000005C9 66F7E2 mul edx
0D00:05CC 000005CC 6603F8 add edi,eax
0D00:05CF 000005CF 6658 pop eax
0D00:05D1 000005D1 6603C3 add eax,ebx
0D00:05D4 000005D4 665B pop ebx
0D00:05D6 000005D6 EBAA jmp short 0x582
(C->9CEh) Same as 572h but counting in sectors: reads ECX sectors of the non-resident attribute at EBX, starting at sector EAX inside the attribute, into ES:EDI; used for the index records of $INDEX_ALLOCATION
0D00:05D8 000005D8 06 push es
0D00:05D9 000005D9 1E push ds
0D00:05DA 000005DA 6660 pushad
0D00:05DC 000005DC 67807B0801 cmp byte [ebx+0x8],0x1
0D00:05E1 000005E1 0F840300 jz word 0x5e8
0D00:05E5 000005E5 E979FB jmp word 0x161
0D00:05E8 000005E8 6683F900 cmp ecx,byte +0x0
0D00:05EC 000005EC 0F850600 jnz word 0x5f6
0D00:05F0 000005F0 6661 popad
0D00:05F2 000005F2 90 nop
0D00:05F3 000005F3 1F pop ds
0D00:05F4 000005F4 07 pop es
0D00:05F5 000005F5 C3 ret

0D00:05F6 000005F6 6653 push ebx
0D00:05F8 000005F8 6650 push eax
0D00:05FA 000005FA 6651 push ecx
0D00:05FC 000005FC 6657 push edi
0D00:05FE 000005FE 06 push es
0D00:05FF 000005FF 6651 push ecx
0D00:0601 00000601 6633D2 xor edx,edx
0D00:0604 00000604 660FB60E0D00 movzx ecx,byte [0xd]
0D00:060A 0000060A 66F7F1 div ecx
0D00:060D 0000060D 6652 push edx
0D00:060F 0000060F E8FD03 call word 0xa0f
0D00:0612 00000612 660FB61E0D00 movzx ebx,byte [0xd]
0D00:0618 00000618 66F7E3 mul ebx
0D00:061B 0000061B 665A pop edx
0D00:061D 0000061D 6603C2 add eax,edx
0D00:0620 00000620 6650 push eax
0D00:0622 00000622 660FB6060D00 movzx eax,byte [0xd]
0D00:0628 00000628 66F7E1 mul ecx
0D00:062B 0000062B 668BD0 mov edx,eax
0D00:062E 0000062E 6658 pop eax
0D00:0630 00000630 6659 pop ecx
0D00:0632 00000632 07 pop es
0D00:0633 00000633 665F pop edi
0D00:0635 00000635 6659 pop ecx
0D00:0637 00000637 663BCA cmp ecx,edx
0D00:063A 0000063A 0F8D0300 jnl word 0x641
0D00:063E 0000063E 668BD1 mov edx,ecx
0D00:0641 00000641 66A31000 mov [0x10],eax
0D00:0645 00000645 89160E00 mov [0xe],dx
0D00:0649 00000649 06 push es
0D00:064A 0000064A 1E push ds
0D00:064B 0000064B 6660 pushad
0D00:064D 0000064D 8BDF mov bx,di
0D00:064F 0000064F 83E30F and bx,byte +0xf
0D00:0652 00000652 8CC0 mov ax,es
0D00:0654 00000654 66C1EF04 shr edi,0x4
0D00:0658 00000658 03C7 add ax,di
0D00:065A 0000065A 50 push ax
0D00:065B 0000065B 07 pop es
0D00:065C 0000065C E868FA call word 0xc7
0D00:065F 0000065F 6661 popad
0D00:0661 00000661 90 nop
0D00:0662 00000662 1F pop ds
0D00:0663 00000663 07 pop es
0D00:0664 00000664 662BCA sub ecx,edx
0D00:0667 00000667 668BDA mov ebx,edx
0D00:066A 0000066A 668BC2 mov eax,edx
0D00:066D 0000066D 660FB7160B00 movzx edx,word [0xb]
0D00:0673 00000673 66F7E2 mul edx
0D00:0676 00000676 6603F8 add edi,eax
0D00:0679 00000679 6658 pop eax
0D00:067B 0000067B 6603C3 add eax,ebx
0D00:067E 0000067E 665B pop ebx
0D00:0680 00000680 E965FF jmp word 0x5e8
(C->72Fh, 8BEh, 9ABh, 9D1h) Applies the NTFS update sequence ("fixup") to the record at ES:EDI that has just been read (a FILE record of the MFT or an INDEX record). On disk the last word of every sector of the record is replaced by the update sequence number; the original words are kept in the update sequence array (USA) inside the record header. This routine writes them back; without it the record would be corrupted at every sector boundary
0D00:0683 00000683 06 push es
0D00:0684 00000684 1E push ds
0D00:0685 00000685 6660 pushad
0D00:0687 00000687 2667660FB75F04 movzx ebx,word [es:edi+0x4] ;EBX = offset of the USA (word at +4 of the record header) = [3004h] = 30h
0D00:068E 0000068E 2667660FB74F06 movzx ecx,word [es:edi+0x6] ;ECX = size of the USA in words = [3006h] = 3 (the sequence number plus one word per sector: a 2-sector record)
0D00:0695 00000695 660BC9 or ecx,ecx ;test ECX = 0
0D00:0698 00000698 0F84C5FA jz word 0x161 ;ECX=0: not a valid record -> 161h (disk read error)
0D00:069C 0000069C 6603DF add ebx,edi ;EBX = 3000h + 30h = 3030h: address of the update sequence number
0D00:069F 0000069F 6683C302 add ebx,byte +0x2 ;EBX = 3032h: first saved word of the USA
0D00:06A3 000006A3 6681C7FE010000 add edi,0x1fe ;EDI = 31FEh: last word of the first sector
0D00:06AA 000006AA 6649 dec ecx ;number of sectors to fix = count - 1 = 2
( J->6C8h )
0D00:06AC 000006AC 660BC9 or ecx,ecx ;test ECX = 0
0D00:06AF 000006AF 0F841700 jz word 0x6ca ;all sectors done: go to 6CAh
0D00:06B3 000006B3 26678B03 mov ax,[es:ebx] ;AX = original word saved in the USA
0D00:06B7 000006B7 26678907 mov [es:edi],ax ;write it back over the update sequence number at the end of the sector (the code does not check that the sector really ended with the sequence number; a forensic parser should)
0D00:06BB 000006BB 6683C302 add ebx,byte +0x2 ;next USA word (3034h)
0D00:06BF 000006BF 6681C700020000 add edi,0x200 ;end of the next sector (33FEh)
0D00:06C6 000006C6 6649 dec ecx ;decrement ECX
0D00:06C8 000006C8 EBE2 jmp short 0x6ac ;repeat from 6ACh
( J->6AFh ) End of function
0D00:06CA 000006CA 6661 popad
0D00:06CC 000006CC 90 nop
0D00:06CD 000006CD 1F pop ds
0D00:06CE 000006CE 07 pop es
0D00:06CF 000006CF C3 ret ;returns -> 732h
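Added example (not the page's code, nor Microsoft's) that does in Python what the routines at 491h and 683h do in assembly: apply the update sequence to a FILE record just read from disk, then walk its attribute headers to find an attribute by type and name. Unlike the boot code it also checks that each sector really ends with the update sequence number before patching it, which is the check a forensic tool needs to notice a torn or bogus record. The 1024-byte FILE record, the attribute builder and the sample names are all constructed here; only the structure offsets (USA offset and count at +4/+6, first attribute at +14h, attribute type/length/name fields at +0/+4/+9/+0Ah) are the documented NTFS layout.

```python
"""
Added example, not the page's or Microsoft's code: apply the NTFS update
sequence ("fixup") to a FILE record the way the routine at 0D00:0683 does, then
walk the attribute headers the way the routine at 0D00:0491 does.  The record
is constructed inline (1024 bytes = two 512-byte sectors, as with the F6h
field on the page); only the structure offsets are the documented NTFS layout.
"""
import struct

SECTOR = 512
ATTR_END = 0xFFFFFFFF


def apply_fixups(record, verify=True):
    """Restore the last word of every sector from the update sequence array.

    Mirrors 683h: USA offset = word at +4, USA count = word at +6 (1 + number
    of sectors).  The boot code copies blindly; with verify=True each sector
    must still end with the update sequence number, otherwise the record is
    torn or is not a FILE record at all (assumed policy, not the page's).
    """
    buf = bytearray(record)
    if buf[0:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_offset, usa_count = struct.unpack_from("<HH", buf, 4)
    if usa_count == 0:                       # 'or ecx,ecx / jz 161h' in the boot code
        raise ValueError("empty update sequence array")
    usn = bytes(buf[usa_offset:usa_offset + 2])
    src = usa_offset + 2                     # ebx = edi + usa_offset + 2
    dst = SECTOR - 2                         # edi = edi + 1FEh
    for _ in range(usa_count - 1):           # dec ecx before the loop
        if verify and buf[dst:dst + 2] != usn:
            raise ValueError("fixup mismatch at offset 0x%x" % dst)
        buf[dst:dst + 2] = buf[src:src + 2]  # mov ax,[es:ebx] / mov [es:edi],ax
        src += 2                             # add ebx,2
        dst += SECTOR                        # add edi,200h
    return bytes(buf)


def find_attribute(record, attr_type, name=""):
    """Offset of the first attribute of attr_type with the given name, or None.

    Mirrors 491h: first attribute at word +14h; each header has the type at +0,
    its length at +4, the name length (in UTF-16 characters) at +9 and the name
    offset at +0Ah; type FFFFFFFFh ends the list.  An empty name matches only
    unnamed attributes, like the 'or ecx,ecx' branch.
    """
    off, = struct.unpack_from("<H", record, 0x14)
    wanted = name.encode("utf-16-le")
    while off + 4 <= len(record):
        atype, = struct.unpack_from("<I", record, off)
        if atype == ATTR_END:
            return None
        length, = struct.unpack_from("<I", record, off + 4)
        if length == 0:                      # 'cmp dword [eax+4],0 / jz' guard
            return None
        if atype == attr_type:
            name_len = record[off + 9]
            name_off, = struct.unpack_from("<H", record, off + 0xA)
            actual = record[off + name_off:off + name_off + 2 * name_len]
            if name_len == len(name) and actual == wanted:
                return off
        off += length                        # add eax,[eax+4]
    return None


def _resident_attribute(atype, value, name=""):
    """Constructed helper: build a resident attribute header plus its value."""
    wname = name.encode("utf-16-le")
    name_off = 0x18
    value_off = (name_off + len(wname) + 7) & ~7
    length = (value_off + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", atype, length, 0, len(name), name_off, 0, 0)
    hdr += struct.pack("<IHBB", len(value), value_off, 0, 0)
    body = hdr + wname
    body += b"\0" * (value_off - len(body)) + value
    return body + b"\0" * (length - len(body))


def build_sample_record():
    """Constructed 2-sector FILE record with USN 0102h and two attributes."""
    rec = bytearray(2 * SECTOR)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)     # USA at 30h, 3 words (as on the page)
    struct.pack_into("<H", rec, 0x14, 0x38)      # first attribute at 38h
    attrs = _resident_attribute(0x10, b"\x11" * 48)           # $STANDARD_INFORMATION
    attrs += _resident_attribute(0x90, b"\x22" * 32, "$I30")  # $INDEX_ROOT named $I30
    attrs += struct.pack("<I", ATTR_END)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[510:512], rec[1022:1024] = b"\xAB\xCD", b"\xEF\x01"  # pretend payload at the sector ends
    # USA = sequence number followed by the real last word of each sector ...
    rec[0x30:0x36] = b"\x02\x01" + rec[510:512] + rec[1022:1024]
    # ... while on disk the sector ends carry the sequence number instead
    rec[510:512] = rec[1022:1024] = b"\x02\x01"
    return bytes(rec)


if __name__ == "__main__":
    fixed = apply_fixups(build_sample_record())
    print("$STANDARD_INFORMATION at", hex(find_attribute(fixed, 0x10)))
    print("$INDEX_ROOT $I30 at", hex(find_attribute(fixed, 0x90, "$I30")))
```

Running apply_fixups a second time on the already fixed record raises, because the sector ends no longer hold the sequence number; that is the same condition a carved or partially overwritten record produces, and it is exactly what the boot code at 683h would silently paper over.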

(C->2C0h) Reads the $MFT file record (MFT record 0) into memory and builds the list of file records that hold its $DATA attribute
0D00:06D0 000006D0 06 push es
0D00:06D1 000006D1 1E push ds
0D00:06D2 000006D2 6660 pushad ;save the registers
0D00:06D4 000006D4 66B801000000 mov eax,0x1 ;EAX=1
0D00:06DA 000006DA 66A31E02 mov [0x21e],eax ;V8 = 1 = number of file records in the list (record 0 is entered below)
0D00:06DE 000006DE 66A11A02 mov eax,[0x21a] ;EAX = V9 = 3000h (buffer the record is read into)
0D00:06E2 000006E2 6603065202 add eax,[0x252] ;EAX += V2 (3000h + 400h = 3400h, V2 = 400h bytes per record)
0D00:06E7 000006E7 66A35A02 mov [0x25a],eax ;V10 = 3400h: a second record-sized buffer, used by 86Eh
0D00:06EB 000006EB 6603065202 add eax,[0x252] ;EAX += V2 (3400h + 400h = 3800h)
0D00:06F0 000006F0 66A34A02 mov [0x24a],eax ;V11 = 3800h: start of the list of (start sector, sector count) dword pairs locating the records
0D00:06F4 000006F4 66A13000 mov eax,[0x30] ;EAX = low dword of the $MFT cluster number (BPB offset 30h) = C0000h (O3)
0D00:06F8 000006F8 660FB61E0D00 movzx ebx,byte [0xd] ;EBX = 8 (O2) sectors per cluster
0D00:06FE 000006FE 66F7E3 mul ebx ;EAX = C0000h*8 = 600000h = first sector of the MFT, relative to the start of the partition
0D00:0701 00000701 668B1E4A02 mov ebx,[0x24a] ;EBX = V11 = 3800h
0D00:0706 00000706 668907 mov [bx],eax ;[3800h] = 600000h: start sector of record 0
;the list sits right after the two record buffers at 3000h and 3400h, so it overwrites nothing
0D00:0709 00000709 66A31000 mov [0x10],eax ;O6 = 600000h: start sector for the read routine
0D00:070D 0000070D 83C304 add bx,byte +0x4 ;BX = 3804h, next dword
0D00:0710 00000710 66A15602 mov eax,[0x256] ;EAX = V3 = 2 (sectors per file record segment)
0D00:0714 00000714 668907 mov [bx],eax ;[3804h] = 2: sector count of record 0
0D00:0717 00000717 A30E00 mov [0xe],ax ;O5 = 2: sectors to read (one file record)
0D00:071A 0000071A 83C304 add bx,byte +0x4 ;BX = 3808h
0D00:071D 0000071D 66891E4A02 mov [0x24a],ebx ;V11 = 3808h: next free entry of the list
0D00:0722 00000722 668B1E1A02 mov ebx,[0x21a] ;EBX = V9 = 3000h
0D00:0727 00000727 1E push ds
0D00:0728 00000728 07 pop es ;ES=DS
0D00:0729 00000729 E89BF9 call word 0xc7 ;calls the disk read routine at C7h (see the previous page)
;ES:BX (= 0D00:3000) is the destination
;O5 = 2 sectors to read = V3, i.e. 400h bytes, one file record
;O6 = 600000h is the start sector relative to the start of the partition
;with the partition starting at sector 3Fh the read begins at disk sector 600000h+3Fh = 60003Fh (byte C0007E00h) and ends at byte C0008200h
;this is MFT record 0, the record of the $MFT file itself, now at 0D00:3000
0D00:072C 0000072C 668BFB mov edi,ebx ;EDI = EBX = 3000h
0D00:072F 0000072F E851FF call word 0x683 ;applies the update sequence fixups to the record just read (see 683h)
0D00:0732 00000732 66A11A02 mov eax,[0x21a] ;EAX = address of the record in memory
0D00:0736 00000736 66BB20000000 mov ebx,0x20 ;EBX = 20h = attribute type $ATTRIBUTE_LIST
0D00:073C 0000073C 66B900000000 mov ecx,0x0 ;ECX=0: unnamed
0D00:0742 00000742 66BA00000000 mov edx,0x0 ;EDX=0
0D00:0748 00000748 E846FD call word 0x491 ;looks for an $ATTRIBUTE_LIST in the $MFT record (see 491h)
0D00:074B 0000074B 660BC0 or eax,eax
0D00:074E 0000074E 0F841601 jz word 0x868 ;none, the usual case: the single entry recorded above is enough, go to 868h and return
0D00:0752 00000752 668BD8 mov ebx,eax ;otherwise EBX = address of the $ATTRIBUTE_LIST attribute
0D00:0755 00000755 1E push ds
0D00:0756 00000756 07 pop es ;ES=DS
0D00:0757 00000757 668B3E1602 mov edi,[0x216] ;EDI = dword at 216h = E000h: buffer for the attribute list
0D00:075C 0000075C E8DBFD call word 0x53a ;copies the attribute's value (resident or not) to ES:EDI
0D00:075F 0000075F 668B1E1602 mov ebx,[0x216] ;BX = first entry of the attribute list
0D00:0764 00000764 66813F80000000 cmp dword [bx],0x80 ;is this entry for a $DATA attribute (type 80h)?
0D00:076B 0000076B 0F84EB00 jz word 0x85a ;yes: 85Ah skips it (the first $DATA entry refers to record 0, already in the list) and processes every following $DATA entry at 774h
0D00:076F 0000076F 035F04 add bx,[bx+0x4] ;otherwise advance by the entry length (word at +4)
0D00:0772 00000772 EBF0 jmp short 0x764
(J->864h) For each further $DATA entry: the dword at +10h of the entry is the reference of the MFT record holding that part of $MFT's $DATA; its position inside the MFT is converted to a disk sector through 86Eh and appended to the list at V11 as (start sector, sector count) pairs, split at cluster boundaries and merged with the previous pair when contiguous (80Ch), while V8 counts the records. This handles a $MFT whose $DATA attribute is spread over several file records
0D00:0774 00000774 6653 push ebx
0D00:0776 00000776 668B4710 mov eax,[bx+0x10]
0D00:077A 0000077A 66F7265602 mul dword [0x256]
0D00:077F 0000077F 6650 push eax
0D00:0781 00000781 6633D2 xor edx,edx
0D00:0784 00000784 660FB61E0D00 movzx ebx,byte [0xd]
0D00:078A 0000078A 66F7F3 div ebx
0D00:078D 0000078D 6652 push edx
0D00:078F 0000078F E8DC00 call word 0x86e
0D00:0792 00000792 660BC0 or eax,eax
0D00:0795 00000795 0F84C8F9 jz word 0x161
0D00:0799 00000799 668B0E5602 mov ecx,[0x256]
0D00:079E 0000079E 660FB61E0D00 movzx ebx,byte [0xd]
0D00:07A4 000007A4 66F7E3 mul ebx
0D00:07A7 000007A7 665A pop edx
0D00:07A9 000007A9 6603C2 add eax,edx
0D00:07AC 000007AC 668B1E4A02 mov ebx,[0x24a]
0D00:07B1 000007B1 668907 mov [bx],eax
0D00:07B4 000007B4 83C304 add bx,byte +0x4
0D00:07B7 000007B7 660FB6060D00 movzx eax,byte [0xd]
0D00:07BD 000007BD 662BC2 sub eax,edx
0D00:07C0 000007C0 663BC1 cmp eax,ecx
0D00:07C3 000007C3 0F860300 jna word 0x7ca
0D00:07C7 000007C7 668BC1 mov eax,ecx
0D00:07CA 000007CA 668907 mov [bx],eax
0D00:07CD 000007CD 662BC8 sub ecx,eax
0D00:07D0 000007D0 665A pop edx
0D00:07D2 000007D2 0F847500 jz word 0x84b
0D00:07D6 000007D6 6603C2 add eax,edx
0D00:07D9 000007D9 6650 push eax
0D00:07DB 000007DB 6633D2 xor edx,edx
0D00:07DE 000007DE 660FB61E0D00 movzx ebx,byte [0xd]
0D00:07E4 000007E4 66F7F3 div ebx
0D00:07E7 000007E7 6651 push ecx
0D00:07E9 000007E9 E88200 call word 0x86e
0D00:07EC 000007EC 6659 pop ecx
0D00:07EE 000007EE 660BC0 or eax,eax
0D00:07F1 000007F1 0F846CF9 jz word 0x161
0D00:07F5 000007F5 660FB61E0D00 movzx ebx,byte [0xd]
0D00:07FB 000007FB 66F7E3 mul ebx
0D00:07FE 000007FE 668B1E4A02 mov ebx,[0x24a]
0D00:0803 00000803 668B17 mov edx,[bx]
0D00:0806 00000806 83C304 add bx,byte +0x4
0D00:0809 00000809 660317 add edx,[bx]
0D00:080C 0000080C 663BD0 cmp edx,eax
0D00:080F 0000080F 0F851500 jnz word 0x828
0D00:0813 00000813 660FB6060D00 movzx eax,byte [0xd]
0D00:0819 00000819 663BC1 cmp eax,ecx
0D00:081C 0000081C 0F860300 jna word 0x823
0D00:0820 00000820 668BC1 mov eax,ecx
0D00:0823 00000823 660107 add [bx],eax
0D00:0826 00000826 EBA5 jmp short 0x7cd
0D00:0828 00000828 83C304 add bx,byte +0x4
0D00:082B 0000082B 66891E4A02 mov [0x24a],ebx
0D00:0830 00000830 668907 mov [bx],eax
0D00:0833 00000833 83C304 add bx,byte +0x4
0D00:0836 00000836 660FB6060D00 movzx eax,byte [0xd]
0D00:083C 0000083C 663BC1 cmp eax,ecx
0D00:083F 0000083F 0F860300 jna word 0x846
0D00:0843 00000843 668BC1 mov eax,ecx
0D00:0846 00000846 668907 mov [bx],eax
0D00:0849 00000849 EB82 jmp short 0x7cd
0D00:084B 0000084B 83C304 add bx,byte +0x4
0D00:084E 0000084E 66FF061E02 inc dword [0x21e]
0D00:0853 00000853 66891E4A02 mov [0x24a],ebx
0D00:0858 00000858 665B pop ebx
0D00:085A 0000085A 035F04 add bx,[bx+0x4]
0D00:085D 0000085D 66813F80000000 cmp dword [bx],0x80
0D00:0864 00000864 0F840CFF jz word 0x774
0D00:0868 00000868 6661 popad ;restores the registers
0D00:086A 0000086A 90 nop
0D00:086B 0000086B 1F pop ds
0D00:086C 0000086C 07 pop es
0D00:086D 0000086D C3 ret ;returns to the caller -> 2C3h


(C->918h, 78Fh, 7E9h) Maps a cluster number inside $MFT (VCN) in EAX to the disk cluster that holds it: for each of the V8 file records listed at 3800h (V10+V2) it reads the record into the buffer V10 from its (start sector, sector count) pairs, applies the fixups, finds the record's unnamed $DATA attribute and lets A0Fh (not in this listing) resolve the VCN through that attribute's run list. Returns the disk cluster in EAX, or 0 if no record resolves it
0D00:086E 0000086E 668BD0 mov edx,eax ;EDX = EAX, the VCN to map
0D00:0871 00000871 668B0E1E02 mov ecx,[0x21e] ;ECX = V8 = number of file records in the list
0D00:0876 00000876 668B365A02 mov esi,[0x25a] ;ESI = V10 (3400h)
0D00:087B 0000087B 6603365202 add esi,[0x252] ;ESI = V10 + V2 = 3800h: the list of (start sector, sector count) pairs built by 6D0h
0D00:0880 00000880 6652 push edx
0D00:0882 00000882 6651 push ecx
0D00:0884 00000884 6652 push edx
0D00:0886 00000886 668B1E5A02 mov ebx,[0x25a] ;EBX = V10: the record is read here
0D00:088B 0000088B 668B3E5602 mov edi,[0x256] ;EDI = V3 = sectors per file record = sectors still to read

0D00:0890 00000890 668B04 mov eax,[si] ;EAX = start sector of the pair
0D00:0893 00000893 66A31000 mov [0x10],eax ;O6 = start sector for the read routine
0D00:0897 00000897 83C604 add si,byte +0x4 ;next dword
0D00:089A 0000089A 668B04 mov eax,[si] ;EAX = sector count of the pair
0D00:089D 0000089D A30E00 mov [0xe],ax ;O5 = sectors to read
0D00:08A0 000008A0 83C604 add si,byte +0x4 ;next pair
0D00:08A3 000008A3 1E push ds
0D00:08A4 000008A4 07 pop es ;ES=DS
0D00:08A5 000008A5 E81FF8 call word 0xc7 ;reads the sectors to ES:BX
0D00:08A8 000008A8 662BF8 sub edi,eax ;EDI -= sectors read (returned in EAX)
0D00:08AB 000008AB 0F840800 jz word 0x8b7 ;whole record read: go to 8B7h
0D00:08AF 000008AF F7260B00 mul word [0xb] ;AX = sectors read * bytes per sector
0D00:08B3 000008B3 03D8 add bx,ax ;advance the destination
0D00:08B5 000008B5 EBD9 jmp short 0x890 ;read the next pair

0D00:08B7 000008B7 668B3E5A02 mov edi,[0x25a] ;EDI = V10
0D00:08BC 000008BC 1E push ds
0D00:08BD 000008BD 07 pop es ;ES=DS
0D00:08BE 000008BE E8C2FD call word 0x683 ;applies the fixups to the record just read
0D00:08C1 000008C1 66A15A02 mov eax,[0x25a] ;EAX = the record
0D00:08C5 000008C5 66BB80000000 mov ebx,0x80 ;EBX = 80h = $DATA
0D00:08CB 000008CB 66B900000000 mov ecx,0x0 ;unnamed
0D00:08D1 000008D1 668BD1 mov edx,ecx
0D00:08D4 000008D4 E8BAFB call word 0x491 ;looks for the $DATA attribute
0D00:08D7 000008D7 660BC0 or eax,eax
0D00:08DA 000008DA 0F8483F8 jz word 0x161 ;none: disk read error
0D00:08DE 000008DE 668BD8 mov ebx,eax ;EBX = $DATA attribute
0D00:08E1 000008E1 6658 pop eax ;EAX = the VCN
0D00:08E3 000008E3 6656 push esi
0D00:08E5 000008E5 E82701 call word 0xa0f ;(not in this listing) maps VCN EAX through the run list of the attribute at EBX; 0 if this record does not cover it
0D00:08E8 000008E8 665E pop esi
0D00:08EA 000008EA 660BC0 or eax,eax
0D00:08ED 000008ED 0F840500 jz word 0x8f6
0D00:08F1 000008F1 665B pop ebx ;resolved: drop the saved ECX and EDX
0D00:08F3 000008F3 665B pop ebx
0D00:08F5 000008F5 C3 ret ;return the disk cluster in EAX
0D00:08F6 000008F6 6659 pop ecx
0D00:08F8 000008F8 665A pop edx
0D00:08FA 000008FA E284 loop 0x880 ;try the next record in the list
0D00:08FC 000008FC 6633C0 xor eax,eax ;no record resolved the VCN
0D00:08FF 000008FF C3 ret

(C->9A8h) Reads ECX sectors of the $MFT data, starting at sector EAX counted from the start of the MFT, into ES:EDI one cluster at a time; each MFT cluster number is turned into a disk cluster by 86Eh
0D00:0900 00000900 06 push es ;save ES
0D00:0901 00000901 1E push ds ;save DS
0D00:0902 00000902 6660 pushad ;save the registers
0D00:0904 00000904 6650 push eax ;save EAX (current MFT sector)
0D00:0906 00000906 6651 push ecx ;save ECX (sectors still to read)
0D00:0908 00000908 6633D2 xor edx,edx ;EDX = 0
0D00:090B 0000090B 660FB61E0D00 movzx ebx,byte [0xd] ;EBX = sectors per cluster (8)
0D00:0911 00000911 66F7F3 div ebx ;EAX = MFT cluster number (VCN), EDX = sector inside the cluster
0D00:0914 00000914 6652 push edx ;save the remainder
0D00:0916 00000916 6657 push edi ;save EDI
0D00:0918 00000918 E853FF call word 0x86e ;EAX = disk cluster for that VCN (see 86Eh)
0D00:091B 0000091B 665F pop edi
0D00:091D 0000091D 660BC0 or eax,eax
0D00:0920 00000920 0F843DF8 jz word 0x161 ;not resolved: disk read error
0D00:0924 00000924 660FB61E0D00 movzx ebx,byte [0xd]
0D00:092A 0000092A 66F7E3 mul ebx ;EAX = cluster * sectors per cluster
0D00:092D 0000092D 665A pop edx
0D00:092F 0000092F 6603C2 add eax,edx ;+ the sector inside the cluster
0D00:0932 00000932 66A31000 mov [0x10],eax ;O6 = start sector for the read
0D00:0936 00000936 6659 pop ecx ;ECX = sectors still to read
0D00:0938 00000938 660FB61E0D00 movzx ebx,byte [0xd]
0D00:093E 0000093E 663BCB cmp ecx,ebx
0D00:0941 00000941 0F8E1300 jng word 0x958 ;ECX <= sectors per cluster: last piece, go to 958h
0D00:0945 00000945 891E0E00 mov [0xe],bx ;O5 = one cluster's worth of sectors
0D00:0949 00000949 662BCB sub ecx,ebx ;ECX -= sectors per cluster
0D00:094C 0000094C 6658 pop eax
0D00:094E 0000094E 6603C3 add eax,ebx ;next MFT sector = current + sectors per cluster
0D00:0951 00000951 6650 push eax
0D00:0953 00000953 6651 push ecx
0D00:0955 00000955 EB14 jmp short 0x96b
0D00:0957 00000957 90 nop
0D00:0958 00000958 6658 pop eax
0D00:095A 0000095A 6603C1 add eax,ecx
0D00:095D 0000095D 6650 push eax
0D00:095F 0000095F 890E0E00 mov [0xe],cx ;O5 = the remaining sectors
0D00:0963 00000963 66B900000000 mov ecx,0x0 ;nothing left after this read
0D00:0969 00000969 6651 push ecx
0D00:096B 0000096B 06 push es
0D00:096C 0000096C 6657 push edi
0D00:096E 0000096E 8BDF mov bx,di
0D00:0970 00000970 83E30F and bx,byte +0xf ;BX = EDI mod 16
0D00:0973 00000973 8CC0 mov ax,es
0D00:0975 00000975 66C1EF04 shr edi,0x4
0D00:0979 00000979 03C7 add ax,di ;ES += EDI/16: turns ES:EDI into a segment:offset the 16-bit read routine can use
0D00:097B 0000097B 50 push ax
0D00:097C 0000097C 07 pop es
0D00:097D 0000097D E847F7 call word 0xc7 ;reads O5 sectors from O6 to ES:BX
0D00:0980 00000980 665F pop edi
0D00:0982 00000982 07 pop es
0D00:0983 00000983 66033E4E02 add edi,[0x24e] ;EDI += V1 = bytes per cluster
0D00:0988 00000988 6659 pop ecx
0D00:098A 0000098A 6658 pop eax
0D00:098C 0000098C 6683F900 cmp ecx,byte +0x0
0D00:0990 00000990 0F8F70FF jg word 0x904 ;sectors left: next cluster
0D00:0994 00000994 6661 popad
0D00:0996 00000996 90 nop
0D00:0997 00000997 1F pop ds
0D00:0998 00000998 07 pop es
0D00:0999 00000999 C3 ret


0D00:099A 0000099A 06 push es
0D00:099B 0000099B 1E push ds
0D00:099C 0000099C 6660 pushad
0D00:099E 0000099E 66F7265602 mul dword [0x256]
0D00:09A3 000009A3 668B0E5602 mov ecx,[0x256]
0D00:09A8 000009A8 E855FF call word 0x900
0D00:09AB 000009AB E8D5FC call word 0x683
0D00:09AE 000009AE 6661 popad
0D00:09B0 000009B0 90 nop
0D00:09B1 000009B1 1F pop ds
0D00:09B2 000009B2 07 pop es
0D00:09B3 000009B3 C3 ret

0D00:09B4 000009B4 06 push es
0D00:09B5 000009B5 1E push ds
0D00:09B6 000009B6 6660 pushad
0D00:09B8 000009B8 66F7266602 mul dword [0x266]
0D00:09BD 000009BD 668B1E3202 mov ebx,[0x232]
0D00:09C2 000009C2 668B0E6602 mov ecx,[0x266]
0D00:09C7 000009C7 1E push ds
0D00:09C8 000009C8 07 pop es
0D00:09C9 000009C9 668B3E4202 mov edi,[0x242]
0D00:09CE 000009CE E807FC call word 0x5d8
0D00:09D1 000009D1 E8AFFC call word 0x683
0D00:09D4 000009D4 6661 popad
0D00:09D6 000009D6 90 nop
0D00:09D7 000009D7 1F pop ds
0D00:09D8 000009D8 07 pop es
0D00:09D9 000009D9 C3 ret
0D00:09DA 000009DA 6650 push eax
0D00:09DC 000009DC 6653 push ebx
0D00:09DE 000009DE 6651 push ecx
0D00:09E0 000009E0 668B1E4602 mov ebx,[0x246]
0D00:09E5 000009E5 668BC8 mov ecx,eax
0D00:09E8 000009E8 66C1E803 shr eax,0x3
0D00:09EC 000009EC 6683E107 and ecx,byte +0x7
0D00:09F0 000009F0 6603D8 add ebx,eax
0D00:09F3 000009F3 66B801000000 mov eax,0x1
0D00:09F9 000009F9 66D3E0 shl eax,cl
0D00:09FC 000009FC 678403 test [ebx],al
0D00:09FF 000009FF 0F840400 jz word 0xa07
0D00:0A03 00000A03 F8 clc
0D00:0A04 00000A04 EB02 jmp short 0xa08
0D00:0A06 00000A06 90 nop
0D00:0A07 00000A07 F9 stc
0D00:0A08 00000A08 6659 pop ecx
0D00:0A0A 00000A0A 665B pop ebx
0D00:0A0C 00000A0C 6658 pop eax
0D00:0A0E 00000A0E C3 ret

0D00:0A0F 00000A0F 67807B0801 cmp byte [ebx+0x8],0x1
0D00:0A14 00000A14 0F840400 jz word 0xa1c
0D00:0A18 00000A18 662BC0 sub eax,eax
0D00:0A1B 00000A1B C3 ret

0D00:0A1C 00000A1C 67668D7310 lea esi,[ebx+0x10]
0D00:0A21 00000A21 67668B5608 mov edx,[esi+0x8]
0D00:0A26 00000A26 663BC2 cmp eax,edx
0D00:0A29 00000A29 0F870B00 ja word 0xa38
0D00:0A2D 00000A2D 67668B16 mov edx,[esi]
0D00:0A31 00000A31 663BC2 cmp eax,edx
0D00:0A34 00000A34 0F830400 jnc word 0xa3c
0D00:0A38 00000A38 662BC0 sub eax,eax
0D00:0A3B 00000A3B C3 ret

0D00:0A3C 00000A3C 67035E10 add bx,[esi+0x10]
0D00:0A40 00000A40 662BF6 sub esi,esi
0D00:0A43 00000A43 67803B00 cmp byte [ebx],0x0
0D00:0A47 00000A47 0F843E00 jz word 0xa89
0D00:0A4B 00000A4B E88100 call word 0xacf
0D00:0A4E 00000A4E 6603F1 add esi,ecx
0D00:0A51 00000A51 E83900 call word 0xa8d
0D00:0A54 00000A54 6603CA add ecx,edx
0D00:0A57 00000A57 663BC1 cmp eax,ecx
0D00:0A5A 00000A5A 0F8C2100 jl word 0xa7f
0D00:0A5E 00000A5E 668BD1 mov edx,ecx
0D00:0A61 00000A61 6650 push eax
0D00:0A63 00000A63 67660FB60B movzx ecx,byte [ebx]
0D00:0A68 00000A68 668BC1 mov eax,ecx
0D00:0A6B 00000A6B 6683E00F and eax,byte +0xf
0D00:0A6F 00000A6F 66C1E904 shr ecx,0x4
0D00:0A73 00000A73 6603D9 add ebx,ecx
0D00:0A76 00000A76 6603D8 add ebx,eax
0D00:0A79 00000A79 6643 inc ebx
0D00:0A7B 00000A7B 6658 pop eax
0D00:0A7D 00000A7D EBC4 jmp short 0xa43
0D00:0A7F 00000A7F 662BC8 sub ecx,eax
0D00:0A82 00000A82 662BC2 sub eax,edx
0D00:0A85 00000A85 6603C6 add eax,esi
0D00:0A88 00000A88 C3 ret

0D00:0A89 00000A89 662BC0 sub eax,eax
0D00:0A8C 00000A8C C3 ret

0D00:0A8D 00000A8D 662BC9 sub ecx,ecx
0D00:0A90 00000A90 678A0B mov cl,[ebx]
0D00:0A93 00000A93 80E10F and cl,0xf
0D00:0A96 00000A96 6683F900 cmp ecx,byte +0x0
0D00:0A9A 00000A9A 0F850400 jnz word 0xaa2
0D00:0A9E 00000A9E 662BC9 sub ecx,ecx
0D00:0AA1 00000AA1 C3 ret

0D00:0AA2 00000AA2 6653 push ebx
0D00:0AA4 00000AA4 6652 push edx
0D00:0AA6 00000AA6 6603D9 add ebx,ecx
0D00:0AA9 00000AA9 67660FBE13 movsx edx,byte [ebx]
0D00:0AAE 00000AAE 6649 dec ecx
0D00:0AB0 00000AB0 664B dec ebx
0D00:0AB2 00000AB2 6683F900 cmp ecx,byte +0x0
0D00:0AB6 00000AB6 0F840D00 jz word 0xac7
0D00:0ABA 00000ABA 66C1E208 shl edx,0x8
0D00:0ABE 00000ABE 678A13 mov dl,[ebx]
0D00:0AC1 00000AC1 664B dec ebx
0D00:0AC3 00000AC3 6649 dec ecx
0D00:0AC5 00000AC5 EBEB jmp short 0xab2
0D00:0AC7 00000AC7 668BCA mov ecx,edx
0D00:0ACA 00000ACA 665A pop edx
0D00:0ACC 00000ACC 665B pop ebx
0D00:0ACE 00000ACE C3 ret
0D00:0ACF 00000ACF 6653 push ebx
0D00:0AD1 00000AD1 6652 push edx
0D00:0AD3 00000AD3 662BD2 sub edx,edx
0D00:0AD6 00000AD6 678A13 mov dl,[ebx]
0D00:0AD9 00000AD9 6683E20F and edx,byte +0xf
0D00:0ADD 00000ADD 662BC9 sub ecx,ecx
0D00:0AE0 00000AE0 678A0B mov cl,[ebx]
0D00:0AE3 00000AE3 C0E904 shr cl,0x4
0D00:0AE6 00000AE6 6683F900 cmp ecx,byte +0x0
0D00:0AEA 00000AEA 0F850800 jnz word 0xaf6
0D00:0AEE 00000AEE 662BC9 sub ecx,ecx
0D00:0AF1 00000AF1 665A pop edx
0D00:0AF3 00000AF3 665B pop ebx
0D00:0AF5 00000AF5 C3 ret

0D00:0AF6 00000AF6 6603DA add ebx,edx
0D00:0AF9 00000AF9 6603D9 add ebx,ecx
0D00:0AFC 00000AFC 67660FBE13 movsx edx,byte [ebx]
0D00:0B01 00000B01 6649 dec ecx
0D00:0B03 00000B03 664B dec ebx
0D00:0B05 00000B05 6683F900 cmp ecx,byte +0x0
0D00:0B09 00000B09 0F840D00 jz word 0xb1a
0D00:0B0D 00000B0D 66C1E208 shl edx,0x8
0D00:0B11 00000B11 678A13 mov dl,[ebx]
0D00:0B14 00000B14 664B dec ebx
0D00:0B16 00000B16 6649 dec ecx
0D00:0B18 00000B18 EBEB jmp short 0xb05
0D00:0B1A 00000B1A 668BCA mov ecx,edx
0D00:0B1D 00000B1D 665A pop edx
0D00:0B1F 00000B1F 665B pop ebx
0D00:0B21 00000B21 C3 ret

(C->4C6h) ;Remember that ESI=3050h
0D00:0B22 00000B22 660BC9 or ecx,ecx ;
0D00:0B25 00000B25 0F850100 jnz word 0xb2a ;If ECX is non-zero jump to -> B2Ah
0D00:0B29 00000B29 C3 ret ;Return to the caller -> 4C9h
(J->B25h)
0D00:0B2A 00000B2A 6651 push ecx
0D00:0B2C 00000B2C 6656 push esi
(L->B2Eh)
0D00:0B2E 00000B2E 67833E61 cmp word [esi],byte +0x61 ;Compare [3050h]=35A2h with 61h
0D00:0B32 00000B32 0F8C0C00 jl word 0xb42 ;If it is lower jump to -> B42h
0D00:0B36 00000B36 67833E7A cmp word [esi],byte +0x7a ;otherwise compare [3050h]=35A2h with 7Ah
0D00:0B3A 00000B3A 0F8F0400 jg word 0xb42 ;If it is greater jump to -> B42h
0D00:0B3E 00000B3E 67832E20 sub word [esi],byte +0x20 ;[3050h]=35A2h-20h=3582h
0D00:0B42 00000B42 6683C602 add esi,byte +0x2 ;ESI=3050h+2=3052h
0D00:0B46 00000B46 E2E6 loop 0xb2e ;repeat the procedure until CX=0
0D00:0B48 00000B48 665E pop esi
0D00:0B4A 00000B4A 6659 pop ecx
0D00:0B4C 00000B4C C3 ret ;Return to the caller -> 4C9h

0D00:0B4D 00000B4D 6650 push eax
0D00:0B4F 00000B4F 6651 push ecx
0D00:0B51 00000B51 668BD0 mov edx,eax
0D00:0B54 00000B54 66A12E02 mov eax,[0x22e]
0D00:0B58 00000B58 67668D5810 lea ebx,[eax+0x10]
0D00:0B5D 00000B5D 67034304 add ax,[ebx+0x4]
0D00:0B61 00000B61 67668D4010 lea eax,[eax+0x10]
0D00:0B66 00000B66 668BDA mov ebx,edx
0D00:0B69 00000B69 E882F9 call word 0x4ee
0D00:0B6C 00000B6C 660BC0 or eax,eax
0D00:0B6F 00000B6F 0F840500 jz word 0xb78
0D00:0B73 00000B73 6659 pop ecx
0D00:0B75 00000B75 6659 pop ecx
0D00:0B77 00000B77 C3 ret

0D00:0B78 00000B78 66A13202 mov eax,[0x232]
0D00:0B7C 00000B7C 660BC0 or eax,eax
0D00:0B7F 00000B7F 0F850800 jnz word 0xb8b
0D00:0B83 00000B83 6659 pop ecx
0D00:0B85 00000B85 6659 pop ecx
0D00:0B87 00000B87 6633C0 xor eax,eax
0D00:0B8A 00000B8A C3 ret

0D00:0B8B 00000B8B 668B163202 mov edx,[0x232]
0D00:0B90 00000B90 67668D5210 lea edx,[edx+0x10]
0D00:0B95 00000B95 67668B4208 mov eax,[edx+0x8]
0D00:0B9A 00000B9A 6640 inc eax
0D00:0B9C 00000B9C 668B1E4E02 mov ebx,[0x24e]
0D00:0BA1 00000BA1 66F7E3 mul ebx
0D00:0BA4 00000BA4 6633D2 xor edx,edx
0D00:0BA7 00000BA7 66F7365E02 div dword [0x25e]
0D00:0BAC 00000BAC 6650 push eax
0D00:0BAE 00000BAE 6658 pop eax
0D00:0BB0 00000BB0 660BC0 or eax,eax
0D00:0BB3 00000BB3 0F843000 jz word 0xbe7
0D00:0BB7 00000BB7 6648 dec eax
0D00:0BB9 00000BB9 6650 push eax
0D00:0BBB 00000BBB E81CFE call word 0x9da
0D00:0BBE 00000BBE 72EE jc 0xbae
0D00:0BC0 00000BC0 E8F1FD call word 0x9b4
0D00:0BC3 00000BC3 665A pop edx
0D00:0BC5 00000BC5 6659 pop ecx
0D00:0BC7 00000BC7 665B pop ebx
0D00:0BC9 00000BC9 6653 push ebx
0D00:0BCB 00000BCB 6651 push ecx
0D00:0BCD 00000BCD 6652 push edx
0D00:0BCF 00000BCF 66A14202 mov eax,[0x242]
0D00:0BD3 00000BD3 67668D4018 lea eax,[eax+0x18]
0D00:0BD8 00000BD8 E813F9 call word 0x4ee
0D00:0BDB 00000BDB 660BC0 or eax,eax
0D00:0BDE 00000BDE 74CE jz 0xbae
0D00:0BE0 00000BE0 6659 pop ecx
0D00:0BE2 00000BE2 6659 pop ecx
0D00:0BE4 00000BE4 6659 pop ecx
0D00:0BE6 00000BE6 C3 ret

0D00:0BE7 00000BE7 6659 pop ecx
0D00:0BE9 00000BE9 6659 pop ecx
0D00:0BEB 00000BEB 6633C0 xor eax,eax
0D00:0BEE 00000BEE C3 ret

0D00:0BEF 00000BEF 6651 push ecx ;Save ECX
0D00:0BF1 00000BF1 6650 push eax ;Save EAX
0D00:0BF3 00000BF3 66B805000000 mov eax,0x5 ;Load the value 5 into EAX
0D00:0BF9 00000BF9 1E push ds ;Push DS onto the stack
0D00:0BFA 00000BFA 07 pop es ;Assign DS's value to ES by popping it from the stack
0D00:0BFB 00000BFB 668BF9 mov edi,ecx ;EDI=ECX
0D00:0BFE 00000BFE E899FD call word 0x99a ;Call the function -> 99Ah
0D00:0C01 00000C01 668BC1 mov eax,ecx
0D00:0C04 00000C04 665B pop ebx
0D00:0C06 00000C06 6653 push ebx
0D00:0C08 00000C08 660FB70E0C02 movzx ecx,word [0x20c]
0D00:0C0E 00000C0E 66BA0E020000 mov edx,0x20e
0D00:0C14 00000C14 E87AF8 call word 0x491
0D00:0C17 00000C17 665B pop ebx
0D00:0C19 00000C19 6659 pop ecx
0D00:0C1B 00000C1B 660BC0 or eax,eax
0D00:0C1E 00000C1E 0F852F00 jnz word 0xc51
0D00:0C22 00000C22 668BC1 mov eax,ecx
0D00:0C25 00000C25 668BCB mov ecx,ebx
0D00:0C28 00000C28 6650 push eax
0D00:0C2A 00000C2A 6653 push ebx
0D00:0C2C 00000C2C E82300 call word 0xc52
0D00:0C2F 00000C2F 665B pop ebx
0D00:0C31 00000C31 665F pop edi
0D00:0C33 00000C33 660BC0 or eax,eax
0D00:0C36 00000C36 0F841700 jz word 0xc51
0D00:0C3A 00000C3A 1E push ds
0D00:0C3B 00000C3B 07 pop es
0D00:0C3C 00000C3C E85BFD call word 0x99a
0D00:0C3F 00000C3F 668BC7 mov eax,edi
0D00:0C42 00000C42 660FB70E0C02 movzx ecx,word [0x20c]
0D00:0C48 00000C48 66BA0E020000 mov edx,0x20e
0D00:0C4E 00000C4E E840F8 call word 0x491
0D00:0C51 00000C51 C3 ret

0D00:0C52 00000C52 6651 push ecx
0D00:0C54 00000C54 66BB20000000 mov ebx,0x20
0D00:0C5A 00000C5A 66B900000000 mov ecx,0x0
0D00:0C60 00000C60 66BA00000000 mov edx,0x0
0D00:0C66 00000C66 E828F8 call word 0x491
0D00:0C69 00000C69 660BC0 or eax,eax
0D00:0C6C 00000C6C 0F845200 jz word 0xcc2
0D00:0C70 00000C70 668BD8 mov ebx,eax
0D00:0C73 00000C73 1E push ds
0D00:0C74 00000C74 07 pop es
0D00:0C75 00000C75 668B3E1602 mov edi,[0x216]
0D00:0C7A 00000C7A E8BDF8 call word 0x53a
0D00:0C7D 00000C7D 1E push ds
0D00:0C7E 00000C7E 07 pop es
0D00:0C7F 00000C7F 668B1E1602 mov ebx,[0x216]
0D00:0C84 00000C84 6659 pop ecx
0D00:0C86 00000C86 2666390F cmp [es:bx],ecx
0D00:0C8A 00000C8A 0F842E00 jz word 0xcbc
0D00:0C8E 00000C8E 2666833FFF cmp dword [es:bx],byte -0x1
0D00:0C93 00000C93 0F842D00 jz word 0xcc4
0D00:0C97 00000C97 26837F0400 cmp word [es:bx+0x4],byte +0x0
0D00:0C9C 00000C9C 0F842400 jz word 0xcc4
0D00:0CA0 00000CA0 26660FB74704 movzx eax,word [es:bx+0x4]
0D00:0CA6 00000CA6 03D8 add bx,ax
0D00:0CA8 00000CA8 8BC3 mov ax,bx
0D00:0CAA 00000CAA 250080 and ax,0x8000
0D00:0CAD 00000CAD 74D7 jz 0xc86
0D00:0CAF 00000CAF 8CC0 mov ax,es
0D00:0CB1 00000CB1 050008 add ax,0x800
0D00:0CB4 00000CB4 8EC0 mov es,ax
0D00:0CB6 00000CB6 81E3FF7F and bx,0x7fff
0D00:0CBA 00000CBA EBCA jmp short 0xc86
0D00:0CBC 00000CBC 26668B4710 mov eax,[es:bx+0x10]
0D00:0CC1 00000CC1 C3 ret

0D00:0CC2 00000CC2 6659 pop ecx
0D00:0CC4 00000CC4 6633C0 xor eax,eax
0D00:0CC7 00000CC7 C3 ret

0D00:0CC8 00000CC8 A0F901 mov al,[0x1f9]
0D00:0CCB 00000CCB E996F4 jmp word 0x164
0D00:0CCE 00000CCE A0FA01 mov al,[0x1fa]
0D00:0CD1 00000CD1 E990F4 jmp word 0x164
0D00:0CD4 00000CD4 0000 add [bx+si],al
...
0D00:1FFE 00001FFE 0000 add [bx+si],al
0D00:2000 00002000 F0 lock
At address 7B5h the value is 2C


Last updated (Tuesday 31 May 2016 16:22)