
Understanding Assembly Code



Unity
05-15-2013, 07:33 PM
Hi,

My knowledge regarding assembly code is very limited and I wanted to ask if someone could help me figure out what the following is doing. There is a routine that calls the disk (loaded directly by the BIOS) and I would like to know where this is and how it is called / executed:


; ---------------------------------------------------------------------------
; Format : Binary file
; Base Address: 0000h Range: 0000h - 0098h Loaded length: 0098h

.686p
.mmx
.model flat

; ===========================================================================

; Segment type: Pure code
seg000 segment byte public 'CODE' use16
assume cs:seg000
assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
cli
xor ax, ax
mov ss, ax
mov sp, 7C00h
mov si, sp
push ax
pop es
push ax
pop ds
sti
cld
mov di, 600h
mov cx, 100h
rep movsw
jmp far ptr 0:61Dh
; ---------------------------------------------------------------------------
mov dh, 0
mov cx, 2
mov di, 5

loc_25: ; CODE XREF: seg000:0036j
mov bx, 700h
mov ax, 201h
push di
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
pop di
jnb short loc_3D
xor ax, ax
int 13h ; DISK - RESET DISK SYSTEM
; DL = drive (if bit 7 is set both hard disks and floppy disks reset)
dec di
jnz short loc_25
mov si, 68Ah
jmp short loc_78
; ---------------------------------------------------------------------------

loc_3D: ; CODE XREF: seg000:002Fj
mov cx, 3

loc_40: ; DATA XREF: seg000:0083r
mov di, 5

loc_43: ; CODE XREF: seg000:0059j
mov bx, 2000h
push bx
pop es
assume es:nothing
mov bx, 0
mov ax, 220h ; DATA XREF: seg000:002Cr seg000:0033r ...
push di
int 13h ; DISK - READ SECTORS INTO MEMORY
; AL = number of sectors to read, CH = track, CL = sector
; DH = head, DL = drive, ES:BX -> buffer to fill
; Return: CF set on error, AH = status, AL = number of sectors read
pop di
jnb short loc_60
xor ax, ax
int 13h ; DISK - RESET DISK SYSTEM
; DL = drive (if bit 7 is set both hard disks and floppy disks reset)
dec di
jnz short loc_43
mov si, 68Ah
jmp short loc_78
; ---------------------------------------------------------------------------

loc_60: ; CODE XREF: seg000:0052j
mov cx, 3FFFh
mov si, 800h
xor di, di

loc_68: ; CODE XREF: seg000:0071j
lodsw
and si, 0FFBFh
xor ax, es:[di]
stosw
dec cx
jnz short loc_68
jmp far ptr 2000h:0
; ---------------------------------------------------------------------------

loc_78: ; CODE XREF: seg000:003Bj seg000:005Ej ...
lodsb
cmp al, 0
jz short loc_88
push si
mov bx, 7
mov ah, 0Eh
int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
; AL = character, BH = display page (alpha modes)
; BL = foreground color (graphics modes)
pop si
jmp short loc_78
; ---------------------------------------------------------------------------

loc_88: ; CODE XREF: seg000:007Bj
; seg000:loc_88j
jmp short loc_88
; ---------------------------------------------------------------------------
db 44h ; D
db 69h ; i
db 73h ; s
db 6Bh ; k
db 20h
db 49h ; I
db 2Fh ; /
db 4Fh ; O
db 20h
db 45h ; E
db 72h ; r
db 72h ; r
db 6Fh ; o
db 72h ; r
seg000 ends


end

It is loaded by the BIOS at boot. There is a part at which 32 sectors of data are read and loaded from the disk, but I am unsure of what it is doing with this. I would like to know how loc_43 is being called and what it is doing to it.

What we can see is that the bootloader first reads sector 1 of the disk and then loads it into memory. But if we then look at the way the code is chained, it just writes some data to the screen and that's all.

There is another piece of code at loc_43 which does interesting things such as reading 32 sectors of the disk (sectors 1 to 33) into memory, performing operations on them (basically removing some junk data) and then apparently loading it.

What we cannot understand at the moment is how the code at loc_43 gets executed.

Does anyone have any clue about how the code in loc_43 gets executed? I initially thought that since the bootloader was loaded at 0x7C00, loc_43 was called using a pointer to the address in memory, but it seems not.

So now the code at loc_43 is orphan.

If more information is needed I'll try my best to provide as much detail as possible.

Thanks!
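The XOR pass at loc_60/loc_68 is easiest to follow by running it. The script below is an added example for this thread, not code from the listing or from the boot sector's author. It emulates the two int 13h reads and the decryption loop on a flat memory model; the disk image, the 64-byte key and the payload are constructed sample data, while the addresses and counts (0000:0700, 2000:0000, si = 800h, and si, 0FFBFh, cx = 3FFFh) are taken from the listing. What it makes visible: `and si, 0FFBFh` clears bit 6 of SI after every `lodsw`, so SI can only ever point into 0:0800h..0:083Fh, which is offset 100h..13Fh of the single sector read into 0:0700h. That 64-byte window, repeated, is XORed in place over the 32 sectors at 2000:0000 before `jmp far ptr 2000h:0`. Note also that 3FFFh words is 7FFEh bytes, more than the 4000h bytes the 32-sector read filled, so memory after the payload is XORed too.

```python
# Emulation of the XOR loop at loc_60/loc_68 (and the two int 13h reads that feed it)
# from the boot sector above. Added example for this thread, not code from the
# disassembly or its author; the disk image, key and payload are constructed data.

SECTOR = 512
SECTOR2_BUF = 0x00700    # 1st read: AX=0201h, CX=0002h (track 0, sector 2), ES:BX = 0000:0700
PAYLOAD_BUF = 0x20000    # 2nd read: AX=0220h, CX=0003h (track 0, sector 3, 32 sectors), ES:BX = 2000:0000
PAYLOAD_SECTORS = 0x20
KEY_SI_START = 0x0800    # mov si, 800h   (DS = 0, so this points inside the sector-2 buffer)
SI_MASK = 0xFFBF         # and si, 0FFBFh (clears bit 6: si cycles through 0800h..083Fh)
WORD_COUNT = 0x3FFF      # mov cx, 3FFFh  (0x3FFF words = 0x7FFE bytes, about twice the 32 sectors)
MEM_SIZE = 0x30000       # flat memory large enough for 2000:0000 + 0x7FFE


def cycling_key(memory):
    """The only 64 bytes the loop can ever read: 0:0800h..0:083Fh = offset 100h..13Fh of sector 2."""
    return bytes(memory[KEY_SI_START:(KEY_SI_START | 0x3F) + 1])


def decrypt_loop(memory):
    """Execute loc_68 literally, one 16-bit word per iteration, on a flat bytearray."""
    si, di, cx = KEY_SI_START, 0, WORD_COUNT
    while True:
        ax = memory[si] | (memory[si + 1] << 8)           # lodsw  (DS:SI, DS = 0), si += 2
        si = (si + 2) & SI_MASK                           # and si, 0FFBFh
        es_di = PAYLOAD_BUF + di
        ax ^= memory[es_di] | (memory[es_di + 1] << 8)    # xor ax, es:[di]  (ES = 2000h)
        memory[es_di] = ax & 0xFF                         # stosw: written back in place
        memory[es_di + 1] = ax >> 8
        di += 2
        cx -= 1                                           # dec cx
        if cx == 0:                                       # jnz short loc_68
            break
    return memory


def build_disk(key64, payload):
    """Constructed disk image: sector 1 = boot sector (left zero here), sector 2 carries the
    key at offset 100h, sectors 3..34 carry the payload XORed with the cycling 64-byte key."""
    assert len(key64) == 64
    assert len(payload) <= PAYLOAD_SECTORS * SECTOR
    sector2 = bytearray(SECTOR)
    sector2[0x100:0x140] = key64
    body = bytearray(PAYLOAD_SECTORS * SECTOR)
    body[:len(payload)] = payload
    encrypted = bytes(b ^ key64[i % 64] for i, b in enumerate(body))
    return bytes(SECTOR) + bytes(sector2) + encrypted


def bios_load(disk):
    """Model the two int 13h reads: CHS (0,0,2) x1 into 0000:0700, CHS (0,0,3) x32 into 2000:0000."""
    memory = bytearray(MEM_SIZE)
    memory[SECTOR2_BUF:SECTOR2_BUF + SECTOR] = disk[1 * SECTOR:2 * SECTOR]
    start, length = 2 * SECTOR, PAYLOAD_SECTORS * SECTOR
    memory[PAYLOAD_BUF:PAYLOAD_BUF + length] = disk[start:start + length]
    return memory


def recover_payload(key64, payload):
    """End to end: build the image, load it as the BIOS would, run loc_68, return 2000:0000."""
    memory = bios_load(build_disk(key64, payload))
    decrypt_loop(memory)
    return bytes(memory[PAYLOAD_BUF:PAYLOAD_BUF + len(payload)])


SAMPLE_KEY = bytes(range(0xA0, 0xE0))                                        # constructed 64-byte key
SAMPLE_PAYLOAD = b"second-stage code that jmp far ptr 2000h:0 would start" * 100  # constructed

if __name__ == "__main__":
    mem = bios_load(build_disk(SAMPLE_KEY, SAMPLE_PAYLOAD))
    print("key window 0:0800h..0:083Fh:", cycling_key(mem).hex())
    print("payload recovered:", recover_payload(SAMPLE_KEY, SAMPLE_PAYLOAD) == SAMPLE_PAYLOAD)
```

Run it as a script: it prints the 64-byte key window as the loop sees it and whether the constructed payload round-trips through `decrypt_loop`. To apply the same idea to a real image, replace `build_disk` with the raw sectors from the disk and compare what lands at 2000:0000 with what the far jump expects to execute.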

Unity
05-29-2013, 04:31 PM
It seems that it is using XOR to de-XOR 32 sectors... But I'm not sure where it is getting this key from.

xenvito
06-03-2013, 06:59 PM
@Unity:
In my understanding, linear flow of execution from loc_40 will lead to execution of loc_43. As there is no branching after loc_40, the next execution is loc_43 (mov bx, 2000h), and it will continue till (jnb short loc_60). At this point it will check for the condition JUMP NOT BELOW and check the content of CF. Based on the outcome it will continue till the next jump (jnz short loc_43).

I would not think that the loc_43 part is orphan just yet :-)

Unity
06-08-2013, 02:09 AM
Thank you xenvito.
One more question

Could anyone provide some insight into the following:


loc_60: ; CODE XREF: seg000:0052j
mov cx, 3FFFh
mov si, 800h
xor di, di

loc_68: ; CODE XREF: seg000:0071j
lodsw
and si, 0FFBFh
xor ax, es:[di]
stosw
dec cx
jnz short loc_68
jmp far ptr 2000h:0

Does the XOR key come from sector 33 (starting at 0x3FFF + 1)?

Where has

DS:(E)SI

been filled, since it holds the XOR key?

DS:(E)SI -> AX
(because of lodsw) then

xor ax, es:[di]