flat assembler
Message board for the users of flat assembler.

Index > Heap > stupid accident

Goto page Previous  1, 2, 3  Next
Author
Thread Post new topic Reply to topic
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
fdisk /mbr doesn't fix the trouble? You may still need to recreate the partition table but I think you will be able to do that yourself or you can just use a program that does that automatically (I know of a very old one but can't remember its name).
Post 22 Nov 2009, 03:48
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
if i understand well, the bootloader for win98 just do one thing:

load the first sector of first active partition.
this partition seems to start @ LBA 63, approsimatelly 32 kb of wasted disk beetween boot and partition 1.

i will verify it later.
Post 22 Nov 2009, 04:04
View user's profile Send private message Visit poster's website Reply with quote
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel
As dosin recommended your *first* time ( Confused ), use TestDisk. It should locate your "lost" partitions and recreate the MBR partition table accordingly, unless of course you overwrote the entire disk (and therefore all boot records), which I doubt.


edfed wrote:

if i understand well, the bootloader for win98 just do one thing:

load the first sector of first active partition.
this partition seems to start @ LBA 63, approsimatelly 32 kb of wasted disk beetween boot and partition 1.

This is true for all boot loaders in all operating systems. The first track is usually not used for filesystem system/data blocks and may instead be used by some (big) third-party boot managers.
Post 22 Nov 2009, 10:37
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17279
Location: In your JS exploiting you and your system
revolution
This needs to be said (because obviously someone is not doing it):

Backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup, backup.
Post 22 Nov 2009, 18:17
View user's profile Send private message Visit poster's website Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
yes, of course, this accident appends exactlly after the last backup i've made.

because i have this good reflexe to save my work when it will be tested with dangerous code.

i am working on a MBR restorer, if it works, i will restore windoze install.
if it don'twork, i will try to use ths drive as a cobaye for my code.
Post 22 Nov 2009, 18:37
View user's profile Send private message Visit poster's website Reply with quote
dosin



Joined: 24 Aug 2007
Posts: 337
dosin
The big thing would be what was over writen... if just the boot loader.. your fine.. just replace it..

What you could do is at the beginning of your code - save how ever many sectors your writing and save them to a free spot on the disk.. and make a back-up util that will earese them or put them back if needed... you can use a hexedit
to find free space..

should be pretty easy..

also you dont have to overwrite the MBR... you can use a floppy...

The best thing to do is use a hex editor and study your disk drive..
so your not to overwrite anything ... Thats what I did..

I load my os on sectors 3 and 4 the files system goes next and it uses those free sectors up til windows boot loader..

Then use a floppy mbr to boot it..

and don't allow your write code to go past it with an if statment
if = or greator than sector 1023 error out of reserved disk space...
or less than 1
example: on one disk winxp starts at sector 1024 - all before it is empty
up til sector 0 the MBR...

So sector 1 - 1023 you can play with.. unless you use grub.. I think you would have to start on sector 4 or 5..

just dome ideas for ya!
good luck with everything!
Post 22 Nov 2009, 19:06
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
thanks for advices.
that is what i am currently doing.
i try to create a valid partition table from a mbr.bin copy of another drive.

but i have a problem:

my partition table for a 523c,255h,63s drive is:
Code:
org 1beh
dd 00010180h
dd 0bbffe0bh
dd 0000003fh
dd 008072cdh
dd 0,0,0,0
dd 0,0,0,0
dd 0,0,0,0
dw 0aa55h
    


the location of boot sector is 0/1/1 and if i refer to helppc, the values in the mbr means the boot sector is at 100h/1,1.
... i don't understand.
Post 22 Nov 2009, 21:39
View user's profile Send private message Visit poster's website Reply with quote
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel
edfed wrote:
i try to create a valid partition table from a mbr.bin copy of another drive.

You'll only get the first partition's start location right. Both the C/H/S last sector and partition size will be wrong. Plus you still need to recreate a valid boot loader code. Why don't you just use TestDisk?


edfed wrote:

Code:
org 1beh
dd 00010180h
dd 0bbffe0bh
dd 0000003fh
dd 008072cdh
dd 0,0,0,0
dd 0,0,0,0
dd 0,0,0,0
dw 0aa55h
    


the location of boot sector is 0/1/1 and if i refer to helppc, the values in the mbr means the boot sector is at 100h/1,1.

0x80 means it's an active partition.
0x01/0x01/0x00 means C/H/S 0/1/1 (Where did you get the "100h" thing?)
0x0000003f means it starts at LBA block 63 (zero-based).
That looks perfectly healthy for a (standard) first partition.

0x008072cd means it's an 4.xGB-big partition.
Post 22 Nov 2009, 22:12
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
problem half solved.
to recover a win98 mbr it is very easy.

start from the install cd.
at the prompt, type fdsik/mbr
hit enter.
that's all.


conclusion:
Code:
a:/>fdisk/mbr 
    

to restore a win98 mbr.
Post 22 Nov 2009, 22:52
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
That restored the partition table too or just the master boot code?
Post 22 Nov 2009, 22:56
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
it restore everything in my case.
i think it will just replace bootsector with a mbr.bin, and set partition table depending on destination disk's geometry.
Post 22 Nov 2009, 23:01
View user's profile Send private message Visit poster's website Reply with quote
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel
fdisk only "recovers" the binary code, not the partition table, and in some Windows versions may even *overwrite* the partition table removing any chance to see your partitions again (unless using a utility such as TestDisk).

If you haven't done anything else to the MBR and you can now access your partition fine, it means you never lost the partition table to begin with.

So are you able to access the partition (e.g. c:\) or boot Windows?


Quote:
and set partition table depending on destination disk's geometry

Disk geometry =/= partition coordinates
So what happens when you have, say, 4 partitions?


BTW, why "half solved"?
Post 22 Nov 2009, 23:04
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
half solved because i didn't solved it with fasm.

it restore the binary code AND the partition table.

my old one was completelly lost, or windows saves a mbr copy somewhere.

but it is not hard to recreate a partition as it is only a set of pointers. and as a system is a software, it will recreate the pointers with drive geometry and maybe some sector checking, to verify the location of active partition and presence of a system in it.


Last edited by edfed on 23 Nov 2009, 01:17; edited 1 time in total
Post 23 Nov 2009, 00:44
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
OK, just tried with a WIN98SE I have in a VirtualPC. As edfed says the partition table is also restored (I have a single partition).

Before running "fdisk /mbr" I first used plain fdisk to see the partitions defined and it reported that none was present, then I proceeded with the MBR recovery and then I used fdisk again to see the partitions and it shown a partition defined again. I've also tried rebooting and the system was still running correctly.

In my test I've destroyed the first sector only.
Post 23 Nov 2009, 00:56
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4237
Location: 2018
edfed
Wink it would be cool to create the win98mbr.asm disassembly one day...
Post 23 Nov 2009, 01:12
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
Quote:
it would be cool to create the win98mbr.asm disassembly one day...

Sounds like a tough job... it has almost 512 bytes of code, after all!
Post 23 Nov 2009, 02:22
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Ok, something to start with Smile

I had to pretend the BIOS loads the MBR into 0:600. If someone knows how to change the ORG in the middle of the segment I could do a more precise disassembly (but it wouldn't make a big difference because very few instructions are executed above 7C00 offset).

I've used IDA Pro 4.9 Freeware Version.


Description:
Download
Filename: Win98SE_Spanish_MBR.zip
Filesize: 8.01 KB
Downloaded: 58 Time(s)

Post 23 Nov 2009, 03:10
View user's profile Send private message Reply with quote
windwakr



Joined: 30 Jun 2004
Posts: 827
Location: Michigan, USA
windwakr
edfed wrote:
Wink it would be cool to create the win98mbr.asm disassembly one day...

There's a lot of info here on windows MBR and bootsectors(I think it even includes a disassembly of it.):
http://home.att.net/~rayknights/pc_boot/pc_boot.htm

_________________
----> * <---- My star, won HERE
Post 23 Nov 2009, 03:46
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Yep, here: http://home.att.net/~rayknights/pc_boot/w95b_mbr.htm#Disassembly

At least until the point I've disassembled it looks identical to the Win98SE MBC.

Thanks for spoiling Wink
Post 23 Nov 2009, 03:59
View user's profile Send private message Reply with quote
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel
edfed wrote:
but it is not hard to recreate a partition as it is only a set of pointers.

And in the case fdisk /mbr fails (like it did for me more than once), how would you guess the "pointers" without having an MBR backup or scanning the whole disk for valid boot records from LBA 0 to LBA <size of the disk>? Answer: you can't.


edfed wrote:
it will recreate the pointers with drive geometry and maybe some sector checking

That's what TestDisk and other software do. Only using the geometry would only work if you have a single partition spanning the whole disk (as in your case?)


edfed wrote:
to verify the location of active partition and presence of a system in it

Maybe you have 4 used partitions with installed operating systems and valid boot records?!?!?! Again, the only way is to scan the entire disk.
And, whether a partition is active or not can only be known from the MBR, ... which was destroyed in your case.
Post 23 Nov 2009, 10:31
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.