x86 Boot MBR


AgentSmithers
November 23rd, 2009, 02:09 PM
I'm sorry if this post is in the wrong section.

I'm doing some reading and in http://mirror.href.com/thestarman/asm/mbr/NTFSbrHexEd.htm

And I'm wondering: my code looks like this with Disk Investigator
0000 EB 52 90 4E 54 46 53 20 . R . N T F S 235 82 144 78 84 70 83 32
0008 20 20 20 00 02 08 00 00 . . . . . 32 32 32 0 2 8 0 0
0010 00 00 00 00 00 F8 00 00 . . . . . . . . 0 0 0 0 0 248 0 0
0018 3F 00 FF 00 3F 00 00 00 ? . . . ? . . . 63 0 255 0 63 0 0 0
0020 00 00 00 00 80 00 80 00 . . . . . . . . 0 0 0 0 128 0 128 0
0028 C0 A5 50 09 00 00 00 00 . . P . . . . . 192 165 80 9 0 0 0 0
0030 00 00 0C 00 00 00 00 00 . . . . . . . . 0 0 12 0 0 0 0 0
0038 5C 0A 95 00 00 00 00 00 \ . . . . . . . 92 10 149 0 0 0 0 0
0040 F6 00 00 00 01 00 00 00 . . . . . . . . 246 0 0 0 1 0 0 0
0048 2C 64 BF 80 94 BF 80 EC , d . . . . . . 44 100 191 128 148 191 128 236
0050 00 00 00 00 FA 33 C0 8E . . . . . 3 . . 0 0 0 0 250 51 192 142
0058 D0 BC 00 7C FB B8 C0 07 . . . | . . . . 208 188 0 124 251 184 192 7
0060 8E D8 E8 16 00 B8 00 0D . . . . . . . . 142 216 232 22 0 184 0 13
0068 8E C0 33 DB C6 06 0E 00 . . 3 . . . . . 142 192 51 219 198 6 14 0
0070 10 E8 53 00 68 00 0D 68 . . S . h . . h 16 232 83 0 104 0 13 104
0078 6A 02 CB 8A 16 24 00 B4 j . . . . $ . . 106 2 203 138 22 36 0 180
0080 08 CD 13 73 05 B9 FF FF . . . s . . . . 8 205 19 115 5 185 255 255
0088 8A F1 66 0F B6 C6 40 66 . . f . . . @ f 138 241 102 15 182 198 64 102
0090 0F B6 D1 80 E2 3F F7 E2 . . . . . ? . . 15 182 209 128 226 63 247 226
0098 86 CD C0 ED 06 41 66 0F . . . . . A f . 134 205 192 237 6 65 102 15
00A0 B7 C9 66 F7 E1 66 A3 20 . . f . . f . 183 201 102 247 225 102 163 32
00A8 00 C3 B4 41 BB AA 55 8A . . . A . . U . 0 195 180 65 187 170 85 138
00B0 16 24 00 CD 13 72 0F 81 . $ . . . r . . 22 36 0 205 19 114 15 129
00B8 FB 55 AA 75 09 F6 C1 01 . U . u . . . . 251 85 170 117 9 246 193 1
00C0 74 04 FE 06 14 00 C3 66 t . . . . . . f 116 4 254 6 20 0 195 102
00C8 60 1E 06 66 A1 10 00 66 ` . . f . . . f 96 30 6 102 161 16 0 102
00D0 03 06 1C 00 66 3B 06 20 . . . . f ; . 3 6 28 0 102 59 6 32
00D8 00 0F 82 3A 00 1E 66 6A . . . : . . f j 0 15 130 58 0 30 102 106
00E0 00 66 50 06 53 66 68 10 . f P . S f h . 0 102 80 6 83 102 104 16
00E8 00 01 00 80 3E 14 00 00 . . . . > . . . 0 1 0 128 62 20 0 0
00F0 0F 85 0C 00 E8 B3 FF 80 . . . . . . . . 15 133 12 0 232 179 255 128
00F8 3E 14 00 00 0F 84 61 00 > . . . . . a . 62 20 0 0 15 132 97 0
0100 B4 42 8A 16 24 00 16 1F . B . . $ . . . 180 66 138 22 36 0 22 31
0108 8B F4 CD 13 66 58 5B 07 . . . . f X [ . 139 244 205 19 102 88 91 7
0110 66 58 66 58 1F EB 2D 66 f X f X . . - f 102 88 102 88 31 235 45 102
0118 33 D2 66 0F B7 0E 18 00 3 . f . . . . . 51 210 102 15 183 14 24 0
0120 66 F7 F1 FE C2 8A CA 66 f . . . . . . f 102 247 241 254 194 138 202 102
0128 8B D0 66 C1 EA 10 F7 36 . . f . . . . 6 139 208 102 193 234 16 247 54
0130 1A 00 86 D6 8A 16 24 00 . . . . . . $ . 26 0 134 214 138 22 36 0
0138 8A E8 C0 E4 06 0A CC B8 . . . . . . . . 138 232 192 228 6 10 204 184
0140 01 02 CD 13 0F 82 19 00 . . . . . . . . 1 2 205 19 15 130 25 0
0148 8C C0 05 20 00 8E C0 66 . . . . . . f 140 192 5 32 0 142 192 102
0150 FF 06 10 00 FF 0E 0E 00 . . . . . . . . 255 6 16 0 255 14 14 0
0158 0F 85 6F FF 07 1F 66 61 . . o . . . f a 15 133 111 255 7 31 102 97
0160 C3 A0 F8 01 E8 09 00 A0 . . . . . . . . 195 160 248 1 232 9 0 160
0168 FB 01 E8 03 00 FB EB FE . . . . . . . . 251 1 232 3 0 251 235 254
0170 B4 01 8B F0 AC 3C 00 74 . . . . . < . t 180 1 139 240 172 60 0 116
0178 09 B4 0E BB 07 00 CD 10 . . . . . . . . 9 180 14 187 7 0 205 16
0180 EB F2 C3 0D 0A 41 20 64 . . . . . A d 235 242 195 13 10 65 32 100
0188 69 73 6B 20 72 65 61 64 i s k r e a d 105 115 107 32 114 101 97 100
0190 20 65 72 72 6F 72 20 6F e r r o r o 32 101 114 114 111 114 32 111
0198 63 63 75 72 72 65 64 00 c c u r r e d . 99 99 117 114 114 101 100 0
01A0 0D 0A 4E 54 4C 44 52 20 . . N T L D R 13 10 78 84 76 68 82 32
01A8 69 73 20 6D 69 73 73 69 i s m i s s i 105 115 32 109 105 115 115 105
01B0 6E 67 00 0D 0A 4E 54 4C n g . . . N T L 110 103 0 13 10 78 84 76
01B8 44 52 20 69 73 20 63 6F D R i s c o 68 82 32 105 115 32 99 111
01C0 6D 70 72 65 73 73 65 64 m p r e s s e d 109 112 114 101 115 115 101 100
01C8 00 0D 0A 50 72 65 73 73 . . . P r e s s 0 13 10 80 114 101 115 115
01D0 20 43 74 72 6C 2B 41 6C C t r l + A l 32 67 116 114 108 43 65 108
01D8 74 2B 44 65 6C 20 74 6F t + D e l t o 116 43 68 101 108 32 116 111
01E0 20 72 65 73 74 61 72 74 r e s t a r t 32 114 101 115 116 97 114 116
01E8 0D 0A 00 00 00 00 00 00 . . . . . . . . 13 10 0 0 0 0 0 0
01F0 00 00 00 00 00 00 00 00 . . . . . . . . 0 0 0 0 0 0 0 0
01F8 83 A0 B3 C9 00 00 55 AA . . . . . . U . 131 160 179 201 0 0 85 170


Is this the very first thing that is executed from the hard drive?
Which is copied straight from this file? spcmdcon.sys
Is this considered the MBR or the NTFS boot sector, are they the same?
I'm kinda confused after my read; it does not appear to be. If not, what is the first thing that the computer reads from the hard drive? I assume it's the MBR; is that ALWAYS at the same location on a hard disk?

Disasm of this is found here? http://bootmaster.filerecovery.biz/appnote3.html

Can you write to one while in Windows XP/NT/greater? Link Src?
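
Added example (not part of the original post): a small Python classifier that tells an NTFS volume boot sector from an MBR by checking the 55 AA end marker, the OEM ID at offset 3, and the partition table at 0x1BE. NTFS_SAMPLE reuses the first 0x54 bytes of the dump above with the boot code zero-filled; MBR_SAMPLE and the names classify and pad_sector are constructed for illustration.

```python
import struct

# Jump, OEM ID and BPB: the first 0x54 bytes of the dump in the post.
DUMP_HEAD = bytes.fromhex(
    "EB52904E544653202020200002080000" "0000000000F800003F00FF003F000000"
    "0000000080008000C0A5500900000000" "00000C00000000005C0A950000000000"
    "F6000000010000002C64BF8094BF80EC" "00000000")

def pad_sector(head, table=b""):
    """Build a 512-byte sector: head, zero fill, table at 0x1BE, 55 AA marker."""
    body = head.ljust(0x1BE, b"\x00") + table.ljust(64, b"\x00")
    return body[:510] + b"\x55\xAA"

def classify(sector):
    """Return a dict describing what kind of boot sector this is."""
    if len(sector) != 512 or sector[510:] != b"\x55\xAA":
        return {"kind": "not a boot sector"}
    if sector[3:11] == b"NTFS    ":
        # NTFS BPB fields, all little-endian.
        bps, spc = struct.unpack_from("<HB", sector, 0x0B)
        hidden, = struct.unpack_from("<I", sector, 0x1C)
        total, mft = struct.unpack_from("<QQ", sector, 0x28)
        return {"kind": "NTFS volume boot sector", "bytes_per_sector": bps,
                "sectors_per_cluster": spc, "volume_start_lba": hidden,
                "total_sectors": total, "mft_cluster": mft}
    parts = []
    for off in range(0x1BE, 0x1FE, 16):        # four 16-byte MBR entries
        status, ptype = sector[off], sector[off + 4]
        start, count = struct.unpack_from("<II", sector, off + 8)
        if status not in (0x00, 0x80):         # only "inactive"/"active" are valid
            return {"kind": "unknown"}
        if ptype:
            parts.append({"type": ptype, "active": status == 0x80,
                          "start_lba": start, "sectors": count})
    return {"kind": "MBR", "partitions": parts} if parts else {"kind": "unknown"}

# Sample built from the post's header bytes (boot code zeroed).
NTFS_SAMPLE = pad_sector(DUMP_HEAD)
# Constructed MBR: one active type 0x07 partition starting at LBA 63.
MBR_ENTRY = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 156280257)
MBR_SAMPLE = pad_sector(b"", MBR_ENTRY)

if __name__ == "__main__":
    print(classify(NTFS_SAMPLE))
    print(classify(MBR_SAMPLE))
```

The "hidden sectors" field at 0x1C counts the sectors that precede the volume, so a value of 63 places this sector at LBA 63, while an MBR is the separate sector at LBA 0.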