IDA database (B-tree v 1.6 (C) Pol 1990), processor metapc, Binary file

DISK - READ SECTORS INTO MEMORY
    AL = number of sectors to read, CH = track, CL = sector
    DH = head, DL = drive, ES:BX -> buffer to fill
    Return: CF set on error, AH = status, AL = number of sectors read

name: PartitionRecord.numSectors
name: PartitionRecord.firstLBA
name: PartitionRecord.lastCHS
name: PartitionRecord.partitionType
name: PartitionRecord.firstCHS
name: PartitionRecord.status
name: PartitionRecord
name: CHSstruct.lowCylinder
name: CHSstruct.sectorAndHighCylinder
name: CHSstruct.head
name: CHSstruct

TRANSFER TO ROM BASIC causes transfer to ROM-based BASIC (IBM-PC) often reboots a compatible; often h
AT Keyboard controller 8042. Enables writing the output port
AT Keyboard controller 8042. Enables writing to the status register
Enable A20 memory line
name: JumpToLoadedMemory
This makes a call to the TPM
name: CheckForTPM
Disable interrupts for a while
Enable interrupts
name: CheckKeyboardSystemFlag
name: CheckByte2
The last two bytes are NOT AA55h, so there is no OS. Print an error message.
We just loaded new code to 7C00h. Check to see if it has the bootable signature AA55. This signature indicates a VBR, which indicates an operating system
Jump to the code we have loaded
name: PostDiskReadState
This is the MBR signature
Padding
Unique disk signature
Redirect to the error message at 9Ah, i.e. "Missing operating system"
Redirect to the error message at 7Bh, i.e. "Error loading operating system"
Redirect to the error message at 63h, i.e. "Invalid Partition Table"
name: aMissingOperati
name: aErrorLoadingOp
name: aInvalidPartitic
AT Keyboard controller 8042.
CX = 0
This stops the computer.
name: HaltSystem
- VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
    AL = character, BH = display page (alpha modes)
    BL = foreground color (graphics modes)
Is the next byte 0? We're looking at a 0 terminated string, so this is important.
Load byte at DS:SI into AL
name: PrintErrorStringLoop
We now point to 700h + whatever offset we were given above.
Clear out the high byte of the AX register.
name: DisplayErrorMessage
name: PrintInvalidPartitionTable
name: PrintErrorLoadingOperatingSystem
name: PrintMissingOperatingSystem
AT Keyboard controller 8042. Reset the keyboard and start internal diagnostics
name: DiskReadSuccess
DISK - RESET DISK SYSTEM
    DL = drive (if bit 7 is set both hard disks and floppy disks reset)
    This is important so we can try the read again
name: ReattemptDiskRead
Re-try on the first hard drive
Is this drive letter 80h, i.e. the first hard drive?
Remember this was set to 5 before? This is looping and trying the disk several times (it might have failed while the disk spun up)
Jump if CF = 0, i.e. the interrupt we just executed (either one) just succeeded.
Restore all our registers
name: FoundBootableEntry
These 3 bytes are a CHS structure
Drive number
This is the destination buffer
The extended read interrupt is not installed, so use the legacy version
    AH = 2 (Disk read sectors into memory)
    AL = 1 (Read 1 sector)
name: InstallationFailed
Pop the address packet we were using off the stack
Preserve the flags for a second
DISK - Extended Read
    Reads DS:SI into a disk address packet
    a disk address packet is:
    00 BYTE: Size of packet (10h or 18h)
    01 BYTE: Reserved
    02 WORD: Number of blocks to transfer
    04 DWORD: Transfer buffer
    08 QWORD: Starting absolute block number (LBA)
    10 QWORD: 64-bit flat address of transfer buffer (optional, used if the DWORD at 04 is FFFFh:FFFFh)
    CF cleared if successful
    AH = 0 on success
Point to the address packet we just made
Drive number
Packet is size 10h
Reserved
Number of blocks. Note that only the first byte is relevant, and the second is ignored, so we are only reading 7Ch
Transfer buffer
Transfer buffer. This is also the LBA of first absolute sector in the MBR partition record
LBA of 0
Did our sentinel value get changed?
Save all our registers for a little bit
name: AttemptLoadFromDisk
This acts like a sentinel value for whether or not the INT 13 extended read is installed
DISK - Installation Check
    CF set on error
    CF cleared on success
    BX = AA55 if installed
    AH = major version of extensions
    CX = API subset
    DH = Extension version