Materials:
  Working complete PC
  Blank Diskette
  Student Diskette, "New Boot A Ver 2.0+"
  Student CD-ROM, "Room 6359"

Objectives: The student will become familiar with:
  using the partition table to determine the DBR's location,
  using the translation formulas to build the INT 13h call to read the DBR,
  using the BIOS INT 13h interface to read the partition's DBR,
  the Microsoft FAT16 DBR layout.

Competency: The student will continue learning how to use the BIOS INT 13h interface for the purposes of data recovery, including routine acquisition of the MBR of BIOS drive 80h, analysis of the partition table including the calculation of the location of the DBR, developing the INT 13h call to acquire that DBR, displaying it on screen and analysing it.
Preparation
Boot to the student CD-ROM and GHOST in DOS. Accept the size offered (2GB) and restart the machine when prompted. As it reboots remove the CD-ROM. The system will boot to true MS-DOS 6.22. At the C:\> prompt start DEBUG and proceed with the following exercise.
Procedures
The DEBUG LOAD command reads only COOKED sectors, as opposed to RAW sectors. In our language a RAW sector is read AS IS by the BIOS off the disk, addressed by its geometric (cylinder/head/sector) coordinate. A COOKED sector is located and retrieved or written through the partition's fully functional file system, addressed by a logical sector number relative to a drive letter. If the file system has been compromised, COOKED access is impossible; the sectors must then be accessed RAW, directly by their geometric coordinate.
The HDD's Master Boot Record resides outside the partitions it defines, so it does not belong to any drive letter and has no file system logical offset. It is by definition a pure RAW sector and can never be accessed by the DEBUG LOAD command. It will now be accessed using the BIOS INT 13h call.
The MBR is ALWAYS located at Cyl=0, Head=0, Sector=1 of the physical disk. In this exercise the MBR of the first physical HDD, BIOS drive # 80h, will be accessed with INT 13h function 02h (read sectors), which reads into the buffer at ES:BX. Therefore the required parameters are:
AH = 02 (function: read sectors), AL = 01 (number of sectors)     so AX = 0201
BX = 0100 (buffer offset; DEBUG's ES already points at its workspace)
CH = 00 (cylinder bits 0-7), CL = 01 (sector in bits 0-5, cylinder bits 8-9 in bits 6-7)     so CX = 0001
DH = 00 (head), DL = 80 (drive)     so DX = 0080
The assembly language instructions are then:
mov ax, 0201   then drop the leading zeros (DEBUG takes every number as hexadecimal):   mov ax, 201
mov bx, 0100                                                                      =>   mov bx, 100
mov cx, 0001                                                                      =>   mov cx, 1
mov dx, 0080                                                                      =>   mov dx, 80
Now start DEBUG's assembly language processor at offset 300h and input the program:
-a 300
242C:0300 mov ax, 201
242C:0303 mov bx, 100
242C:0306 mov cx, 1
242C:0309 mov dx, 80
242C:030C int 13
242C:030E int 3
242C:030F                (press [Enter] here to exit the assembler)
-_
Execute the program with the "g=300" command and watch for the "NC" (No Carry) flag indicator. INT 13h sets the carry flag on failure and returns a status code in AH; on success AH = 00 and AL holds the number of sectors actually read, which is why AX shows 0001 below:
-g=300

AX=0001  BX=0100  CX=0001  DX=0080  SP=FFEE  BP=0000  SI=0000  DI=0000
DS=242C  ES=242C  SS=242C  CS=242C  IP=030E   NV UP EI PL ZR NA PE NC
242C:030E CC            INT     3
-_
The INT 13h call read the MBR into RAM. Display the top half of it on screen:
-d 100 1ff
242C:0100 FA 33 C0 8E D0 BC 00 7C-8B F4 50 07 50 1F FB FC .3.....|..P.P...
242C:0110 BF 00 06 B9 00 01 F2 A5-EA 1D 06 00 00 BE BE 07 ................
242C:0120 B3 04 80 3C 80 74 0E 80-3C 00 75 1C 83 C6 10 FE ...<.t..<.u.....
242C:0130 CB 75 EF CD 18 8B 14 8B-4C 02 8B EE 83 C6 10 FE .u......L.......
242C:0140 CB 74 1A 80 3C 00 74 F4-BE 8B 06 AC 3C 00 74 0B .t..<.t.....<.t.
242C:0150 56 BB 07 00 B4 0E CD 10-5E EB F0 EB FE BF 05 00 V.......^.......
242C:0160 BB 00 7C B8 01 02 57 CD-13 5F 73 0C 33 C0 CD 13 ..|...W.._s.3...
242C:0170 4F 75 ED BE A3 06 EB D3-BE C2 06 BF FE 7D 81 3D Ou...........}.=
242C:0180 55 AA 75 C7 8B F5 EA 00-7C 00 00 49 6E 76 61 6C U.u.....|..Inval
242C:0190 69 64 20 70 61 72 74 69-74 69 6F 6E 20 74 61 62 id partition tab
242C:01A0 6C 65 00 45 72 72 6F 72-20 6C 6F 61 64 69 6E 67 le.Error loading
242C:01B0 20 6F 70 65 72 61 74 69-6E 67 20 73 79 73 74 65 operating syste
242C:01C0 6D 00 4D 69 73 73 69 6E-67 20 6F 70 65 72 61 74 m.Missing operat
242C:01D0 69 6E 67 20 73 79 73 74-65 6D 00 00 81 31 57 12 ing system...1W.
242C:01E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:01F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
-_
The error messages that it can display are visible. The 1st stage OS boot strap loader program code is above them. Now display the bottom half of the sector:
-d 200 2ff
242C:0200 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0210 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0220 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0230 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0240 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0250 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0260 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0270 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0280 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:0290 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:02A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:02B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 01 ................
242C:02C0 01 00 06 FE 7F 04 3F 00-00 00 86 FA 3F 00 00 00 ......?.....?...
242C:02D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:02E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
242C:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA ..............U.
-_
The bottom of the sector is very sparse BUT the values that are here are CRITICAL: the primary DOS partition is defined here, and the sector ends in the boot signature 55 AA. Without that, the BIOS boot strap loader will reject the sector as invalid and the system will not boot from the HDD at all. In the previous exercise, Using DEBUG to read the MBR, the layout of this sector and the partition table within it was covered in full; refer to it now. Locate the first partition table entry (16 bytes at offset 1BEh of the sector, which is 02BEh through 02CDh in DEBUG's workspace) and record all its values in one of the worksheet tables described in that exercise. The result should look like this:
Offset | Size | Value | Field |
00h | 1 byte | 80 | boot indicator (80h = active) |
01h | 1 byte | 01 | starting head |
02h | 1 byte | 01 | starting sector (bits 0-5), cylinder bits 8-9 (bits 6-7) |
03h | 1 byte | 00 | starting cylinder (bits 0-7) |
04h | 1 byte | 06 | partition type (06h = FAT16B, "BIGDOS") |
05h | 1 byte | FE | ending head |
06h | 1 byte | 7F | ending sector (bits 0-5), cylinder bits 8-9 (bits 6-7) |
07h | 1 byte | 04 | ending cylinder (bits 0-7) |
08h | 4 bytes | 3F 00 00 00 | relative (starting) sector, dword |
0Ch | 4 bytes | 86 FA 3F 00 | total sectors in the partition, dword |
From this information the CHS geometric coordinate of the starting sector of this partition is: head byte 01h, sector byte 01h (sector 1, cylinder bits 8-9 = 0) and cylinder byte 00h, so Cylinder=0, Head=1, Sector=1. As a check, the relative sector dword 3F 00 00 00 reverses to 0000003Fh = 63: with 63 sectors per track, CHS (0,1,1) is exactly the 63rd sector counting from the start of the disk, i.e. the partition begins on the first track after the one holding the MBR. The first sector of any partition will contain the operating system's 2nd stage OS loader (this is not necessarily true, but most OS designers do this; Microsoft is the rule, not the exception). For DOS/Windows operating systems this sector is called the DOS Boot Record or DBR. If this sector is damaged, the operating system will still acknowledge the existence of the drive letter, which is defined by the MBR partition table, but it will be unable to read it and will give error messages such as "Invalid media type reading drive C, Abort, Retry, Fail?" We will see exactly why in a moment. Based on the geometric coordinate of the sector, build the BIOS INT 13h program code to read it into the DEBUG RAM workspace:
AX = 02 01:   mov ax, 201
BX = 01 00:   mov bx, 100
CX = 00 01:   mov cx, 1
DX = 01 80:   mov dx, 180     (DH = 01, the head, is the only change from the MBR read)
int 13
int 3
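The same derivation, from the raw partition-table entry to the register values just listed, as an added Python example. It is not part of the original exercise (which does this by hand in DEBUG) and is not Microsoft code; the sample entry is the 16 bytes dumped at 242C:02BE, and the 255-head, 63-sectors-per-track geometry used for the LBA cross-check is assumed from the DBR's own heads and sectors/track fields. Function names are the example's own.

```python
"""Decode an MBR partition-table entry and build the INT 13h register set
that reads the partition's first sector (its DBR).

Added example, not part of the original DEBUG exercise.  SAMPLE_ENTRY is the
entry dumped at 242C:02BE (offset 1BEh of the MBR).  HEADS/SPT are an
assumption taken from the DBR's heads (FF 00) and sectors/track (3F 00)
fields; they are only needed for the CHS <-> LBA cross-check.
"""
import struct

# Constructed sample: the first partition-table entry exactly as dumped above.
SAMPLE_ENTRY = bytes.fromhex("80 01 01 00 06 FE 7F 04 3F 00 00 00 86 FA 3F 00")
HEADS, SPT = 255, 63  # assumed BIOS geometry of the 2 GB lab drive


def decode_chs(head, sec_byte, cyl_low):
    """Unpack the packed CHS triple: head byte; sector in bits 0-5 of the
    sector byte with cylinder bits 8-9 in its bits 6-7; cylinder bits 0-7."""
    cylinder = ((sec_byte & 0xC0) << 2) | cyl_low
    return cylinder, head, sec_byte & 0x3F


def parse_entry(entry):
    """Return the fields of one 16-byte partition-table entry as a dict."""
    if len(entry) != 16:
        raise ValueError("a partition-table entry is exactly 16 bytes")
    boot, sh, ss, sc, ptype, eh, es, ec, lba_start, lba_size = struct.unpack("<8BII", entry)
    if boot not in (0x00, 0x80):
        raise ValueError(f"boot indicator {boot:02X} is invalid: table is damaged")
    return {
        "bootable": boot == 0x80,
        "type": ptype,            # 06h = FAT16B, the "BIGDOS" partition
        "start_chs": decode_chs(sh, ss, sc),
        "end_chs": decode_chs(eh, es, ec),
        "lba_start": lba_start,   # "relative sectors"; equals hidden sectors in the DBR
        "lba_size": lba_size,
    }


def chs_to_lba(cyl, head, sector, heads=HEADS, spt=SPT):
    """The translation formula; sector numbers start at 1, LBA at 0."""
    return (cyl * heads + head) * spt + (sector - 1)


def entry_is_consistent(p, heads=HEADS, spt=SPT):
    """Cross-check the CHS and LBA views of the entry against each other.
    A mismatch means one of them, or the assumed geometry, is wrong."""
    c, h, s = p["start_chs"]
    ec, eh, es = p["end_chs"]
    return (chs_to_lba(c, h, s, heads, spt) == p["lba_start"] and
            chs_to_lba(ec, eh, es, heads, spt) == p["lba_start"] + p["lba_size"] - 1)


def int13h_regs(cyl, head, sector, drive=0x80, count=1, buf_off=0x100):
    """Register values for INT 13h AH=02h (read sectors) into ES:buf_off.
    CL carries the sector in bits 0-5 and cylinder bits 8-9 in bits 6-7."""
    if not (1 <= sector <= 63 and 0 <= head <= 255 and 0 <= cyl <= 1023):
        raise ValueError("CHS coordinate outside the INT 13h addressable range")
    ax = (0x02 << 8) | count
    cx = ((cyl & 0xFF) << 8) | ((cyl >> 2) & 0xC0) | sector
    dx = (head << 8) | drive
    return {"ax": ax, "bx": buf_off, "cx": cx, "dx": dx}


def debug_program(regs):
    """The program as typed at DEBUG's 'a 300' prompt (hex, no leading zeros)."""
    return [f"mov {r}, {regs[r]:x}" for r in ("ax", "bx", "cx", "dx")] + ["int 13", "int 3"]


if __name__ == "__main__":
    p = parse_entry(SAMPLE_ENTRY)
    print(p, "consistent:", entry_is_consistent(p))
    c, h, s = p["start_chs"]
    print("\n".join(debug_program(int13h_regs(c, h, s))))
```

entry_is_consistent() is the check a recovery specialist wants before trusting either view of the entry: if the CHS start does not translate to the relative-sector dword under the drive's geometry, the table has been edited, copied from a drive with different geometry, or damaged, and the INT 13h read may land on the wrong sector. Note also that the ending CHS of this entry (cylinder 260, head 254, sector 63) packs into CX as 047Fh, the same "7F 04" bytes seen in the table.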
Start the assembly language interpreter at offset 300 and input the program:
-a 300
242C:0300 mov ax, 201
242C:0303 mov bx, 100
242C:0306 mov cx, 1
242C:0309 mov dx, 180
242C:030C int 13
242C:030E int 3
242C:030F                (press [Enter] here to exit the assembler)
-_
Execute the program with the "g=300" command and watch for the "No Carry" flag indicator:
-g=300

AX=0001  BX=0100  CX=0001  DX=0180  SP=FFEE  BP=0000  SI=0000  DI=0000
DS=242C  ES=242C  SS=242C  CS=242C  IP=030E   NV UP EI PL ZR NA PE NC
242C:030E CC            INT     3
-_
Notice that the ONLY difference between the two programs is the SINGLE digit in the instruction "mov dx, 180" (DH = 01 instead of 00, i.e. head 1 instead of head 0), but it makes all the difference as to which sector has been read into RAM: the MBR or the C: drive's DBR. Now display the top half of the DBR on screen:
-d 100 1ff
242C:0100 EB 3C 90 4D 53 44 4F 53-35 2E 30 00 02 40 01 00 .<.MSDOS5.0..@..
242C:0110 02 00 02 00 00 F8 00 01-3F 00 FF 00 3F 00 00 00 ........?...?...
242C:0120 86 FA 3F 00 80 00 29 76-04 21 22 4E 4F 20 4E 41 ..?...)v.!"NO NA
242C:0130 4D 45 20 20 20 20 46 41-54 31 36 20 20 20 FA 33 ME FAT16 .3
242C:0140 C0 8E D0 BC 00 7C 16 07-BB 78 00 36 C5 37 1E 56 .....|...x.6.7.V
242C:0150 16 53 BF 3E 7C B9 0B 00-FC F3 A4 06 1F C6 45 FE .S.>|.........E.
242C:0160 0F 8B 0E 18 7C 88 4D F9-89 47 02 C7 07 3E 7C FB ....|.M..G...>|.
242C:0170 CD 13 72 79 33 C0 39 06-13 7C 74 08 8B 0E 13 7C ..ry3.9..|t....|
242C:0180 89 0E 20 7C A0 10 7C F7-26 16 7C 03 06 1C 7C 13 .. |..|.&.|...|.
242C:0190 16 1E 7C 03 06 0E 7C 83-D2 00 A3 50 7C 89 16 52 ..|...|....P|..R
242C:01A0 7C A3 49 7C 89 16 4B 7C-B8 20 00 F7 26 11 7C 8B |.I|..K|. ..&.|.
242C:01B0 1E 0B 7C 03 C3 48 F7 F3-01 06 49 7C 83 16 4B 7C ..|..H....I|..K|
242C:01C0 00 BB 00 05 8B 16 52 7C-A1 50 7C E8 92 00 72 1D ......R|.P|...r.
242C:01D0 B0 01 E8 AC 00 72 16 8B-FB B9 0B 00 BE E6 7D F3 .....r........}.
242C:01E0 A6 75 0A 8D 7F 20 B9 0B-00 F3 A6 74 18 BE 9E 7D .u... .....t...}
242C:01F0 E8 5F 00 33 C0 CD 16 5E-1F 8F 04 8F 44 02 CD 19 ._.3...^....D...
-_
In the far right of the rows the ASCII text "MSDOS5.0" and "FAT16" are casually observable indicators that this is a FAT16 DBR built by the MS-DOS 5.0 generation of file system drivers. Do not read the string as the installed DOS version: this "OEM name" was not changed through the end of the DOS era, and this partition does in fact have MS-DOS 6.22 installed. Now display the bottom half of the sector:
-d 200 2ff
242C:0200 58 58 58 EB E8 8B 47 1A-48 48 8A 1E 0D 7C 32 FF XXX...G.HH...|2.
242C:0210 F7 E3 03 06 49 7C 13 16-4B 7C BB 00 07 B9 03 00 ....I|..K|......
242C:0220 50 52 51 E8 3A 00 72 D8-B0 01 E8 54 00 59 5A 58 PRQ.:.r....T.YZX
242C:0230 72 BB 05 01 00 83 D2 00-03 1E 0B 7C E2 E2 8A 2E r..........|....
242C:0240 15 7C 8A 16 24 7C 8B 1E-49 7C A1 4B 7C EA 00 00 .|..$|..I|.K|...
242C:0250 70 00 AC 0A C0 74 29 B4-0E BB 07 00 CD 10 EB F2 p....t).........
242C:0260 3B 16 18 7C 73 19 F7 36-18 7C FE C2 88 16 4F 7C ;..|s..6.|....O|
242C:0270 33 D2 F7 36 1A 7C 88 16-25 7C A3 4D 7C F8 C3 F9 3..6.|..%|.M|...
242C:0280 C3 B4 02 8B 16 4D 7C B1-06 D2 E6 0A 36 4F 7C 8B .....M|.....6O|.
242C:0290 CA 86 E9 8A 16 24 7C 8A-36 25 7C CD 13 C3 0D 0A .....$|.6%|.....
242C:02A0 4E 6F 6E 2D 53 79 73 74-65 6D 20 64 69 73 6B 20 Non-System disk
242C:02B0 6F 72 20 64 69 73 6B 20-65 72 72 6F 72 0D 0A 52 or disk error..R
242C:02C0 65 70 6C 61 63 65 20 61-6E 64 20 70 72 65 73 73 eplace and press
242C:02D0 20 61 6E 79 20 6B 65 79-20 77 68 65 6E 20 72 65 any key when re
242C:02E0 61 64 79 0D 0A 00 49 4F-20 20 20 20 20 20 53 59 ady...IO SY
242C:02F0 53 4D 53 44 4F 53 20 20-20 53 59 53 00 00 55 AA SMSDOS SYS..U.
-_
The ubiquitous "Non-System disk or disk error..." message that is displayed when accidentally booting to a non-bootable floppy is clearly visible, and now we see where this message comes from: the DBR. By the way, a floppy's first physical sector, located on Side=0, Track=0, Sector=1, is a DBR and NOT an MBR. The BIOS boot strap loader handles it exactly as it handles a hard drive's MBR: it reads the sector into RAM at 0000:7C00, checks for the 55 AA signature and jumps to it; the DBR's code then loads IO.SYS into RAM and passes control to it. Floppies carry a DBR rather than an MBR for obvious reasons: they are too small to be worth partitioning, one would not expect multiple operating systems on a floppy, and they are never larger than the largest possible file system structure (the largest FAT16B partition is 2GB).

Partitions are an industry standardized solution, implemented in the BIOS boot strap loader's interpretation of the MBR structures, that allows the GENERAL PURPOSE microcomputer to have any OS installed on it and to support multiple operating systems. Partitions also solve the problem of file systems not being able to handle the physical size of the hard drive, by allowing a partition to define a smaller part of it that the file system can handle. The boot signature that the BIOS needs to see is also clearly visible in the last two bytes: "55 AA".
The layout of the FAT16 hard drive partition DBR sector is:
Offset | Size | Field |
00h | 3 bytes | Jump Instruction |
03h | 59 bytes | Drive Parameter Block (basic DPB + extended DPB, 03h-3Dh) |
3Eh | 448 bytes | 2nd stage OS Boot Strap Loader |
1FEh | 2 bytes | Boot Signature (55 AA) |
The major structure of importance to the data recovery specialist is the DPB. (Microsoft's own documentation calls this on-disk structure the BIOS Parameter Block, or BPB; this course uses DPB throughout.) This is the structure that the DOS file system drivers use to determine the number and size of the file allocation tables, the size of the root directory and therefore their locations, and the location of the first, and therefore all following, data clusters across the partition. Without this map of the file system structures, the file system drivers cannot access any data within the partition, which is why a damaged DBR produces "Invalid media type reading drive C". Likewise the data recovery specialist can read the DPB and determine the same information manually. The layout of a DOS/Windows FAT16 basic DPB is:
Offset | Size | Field |
00h | 3 bytes | Jump Instruction to bypass the DPB |
03h | 8 bytes ASCII | File System Driver Signature |
0Bh | 1 word | Bytes/Sector |
0Dh | 1 byte | Sectors/Cluster |
0Eh | 1 word | Reserved Sectors |
10h | 1 byte | # of FAT's |
11h | 1 word | max. # of root dir entries |
13h | 1 word | total sectors (partitions < 32MB) |
15h | 1 byte | Media Descriptor |
16h | 1 word | sectors/FAT |
18h | 1 word | sectors/track |
1Ah | 1 word | total heads |
1Ch | dword | Hidden sectors |
20h | dword | total sectors (partitions > 32MB) |
24h | 26 bytes | Extended DPB |
The extended DPB (EDPB, signature byte 29h) has been part of the standard DBR since MS-DOS 4.0, so a DBR written by the MS-DOS 5.0 file system drivers, like this one, does have one. The following table continues using the offsets of the sector to indicate the fields of the EDPB:
Offset | Size | Field |
24h | 1 byte | BIOS drive # |
25h | 1 byte | current head |
26h | 1 byte | extended DPB signature |
27h | dword | volume serial # |
2Bh | 11 bytes ASCII | Volume Label |
36h | 8 bytes ASCII | File System Type |
The DBR from DOS 5.0 through Windows ME contains a DPB with 20 different fields of information. No one is expected to memorize it, but they are expected to have this map and to be able to use it effectively. First, create a blank reusable DPB analysis table that looks like this:
Offset | Size | Value | Field |
00h | 3 bytes | | Jump Instruction to bypass the DPB |
03h | 8 bytes ASCII | | File System Driver Signature |
0Bh | 1 word | | Bytes/Sector |
0Dh | 1 byte | | Sectors/Cluster |
0Eh | 1 word | | Reserved Sectors |
10h | 1 byte | | # of FAT's |
11h | 1 word | | max. # of root dir entries |
13h | 1 word | | total sectors (partitions < 32MB) |
15h | 1 byte | | Media Descriptor |
16h | 1 word | | sectors/FAT |
18h | 1 word | | sectors/track |
1Ah | 1 word | | total heads |
1Ch | dword | | Hidden sectors |
20h | dword | | total sectors (partitions > 32MB) |
24h | 1 byte | | BIOS drive # |
25h | 1 byte | | current head |
26h | 1 byte | | extended DPB signature |
27h | dword | | volume serial # |
2Bh | 11 bytes ASCII | | Volume Label |
36h | 8 bytes ASCII | | File System Type |
The above table should be cut and pasted into a word processor program and printed many times so that it can be used as a DBR worksheet. The DBR must be dissected in almost every data recovery of every HDD, so these and the partition table worksheets will come in handy. For the Windows NT family and other operating systems like IBM OS/2, Linux, etc., the first sector of the partition is called generically the VBR or Volume Boot Record. The DBR is the VBR of a partition created by any member of the DOS/Windows family of operating systems. Display the top half of the DBR on screen again and locate the field at offset 00h, which is three bytes in length:
-d 100 1ff
242C:0100 EB 3C 90 4D 53 44 4F 53-35 2E 30 00 02 40 01 00 .<.MSDOS5.0..@..
242C:0110 02 00 02 00 00 F8 00 01-3F 00 FF 00 3F 00 00 00 ........?...?...
242C:0120 86 FA 3F 00 80 00 29 76-04 21 22 4E 4F 20 4E 41 ..?...)v.!"NO NA
242C:0130 4D 45 20 20 20 20 46 41-54 31 36 20 20 20 FA 33 ME FAT16 .3
242C:0140 C0 8E D0 BC 00 7C 16 07-BB 78 00 36 C5 37 1E 56 .....|...x.6.7.V
242C:0150 16 53 BF 3E 7C B9 0B 00-FC F3 A4 06 1F C6 45 FE .S.>|.........E.
242C:0160 0F 8B 0E 18 7C 88 4D F9-89 47 02 C7 07 3E 7C FB ....|.M..G...>|.
242C:0170 CD 13 72 79 33 C0 39 06-13 7C 74 08 8B 0E 13 7C ..ry3.9..|t....|
242C:0180 89 0E 20 7C A0 10 7C F7-26 16 7C 03 06 1C 7C 13 .. |..|.&.|...|.
242C:0190 16 1E 7C 03 06 0E 7C 83-D2 00 A3 50 7C 89 16 52 ..|...|....P|..R
242C:01A0 7C A3 49 7C 89 16 4B 7C-B8 20 00 F7 26 11 7C 8B |.I|..K|. ..&.|.
242C:01B0 1E 0B 7C 03 C3 48 F7 F3-01 06 49 7C 83 16 4B 7C ..|..H....I|..K|
242C:01C0 00 BB 00 05 8B 16 52 7C-A1 50 7C E8 92 00 72 1D ......R|.P|...r.
242C:01D0 B0 01 E8 AC 00 72 16 8B-FB B9 0B 00 BE E6 7D F3 .....r........}.
242C:01E0 A6 75 0A 8D 7F 20 B9 0B-00 F3 A6 74 18 BE 9E 7D .u... .....t...}
242C:01F0 E8 5F 00 33 C0 CD 16 5E-1F 8F 04 8F 44 02 CD 19 ._.3...^....D...
-_
Record these three hexadecimal bytes, EB 3C 90, in the "Value" column of the DBR worksheet for the field at offset 00h. (EB 3C is a short jump 3Ch bytes forward from the next instruction at offset 02h, i.e. to offset 3Eh where the 2nd stage loader code begins; that is how the code bypasses the DPB.) Remember that DEBUG has imposed an offset of 100h: the DBR sector's offset 00h appears at 0100h on screen, so 100h must be added to each worksheet offset to find the field in the dump above.

Locate the field at offset 03h (0103h on screen). This field has a data type of ASCII and is NOT byte reversed. Record the value "MSDOS5.0" in the Value column of the DBR worksheet for the field located at offset 03h.

Locate the field at offset 0Bh (010Bh on screen). This value is a "word" data type. Because the Intel x86 family and compatible processors are little endian machines, they store multi-byte numerical values least significant byte first, so the bytes appear on screen in the reverse of the order in which the number is written. Reverse the bytes as displayed: 00 02 =x=> 02 00, and record this in the Value column of the DBR worksheet for the field located at offset 0Bh.

Locate the field at offset 0Dh (010Dh on screen). This field is one byte in size; single bytes are never reversed. Record the value, 40, in the Value column of the DBR worksheet for the field at offset 0Dh.

Locate the field at offset 0Eh (010Eh on screen). This field is also a word data type. Reverse the bytes found: 01 00 =x=> 00 01, and record these in the Value column of the DBR worksheet for the field at offset 0Eh.

Locate the field at offset 10h (0110h on screen). This field is 1 byte in size. Record this value, 02, in the Value column of the DBR worksheet for the field located at offset 10h.

Locate the field at offset 11h (0111h on screen). It is a word, so reverse the bytes 00 02 and record them as "02 00" in the Value column of the DBR worksheet.
Continue locating each field and recording its value into the DBR worksheet. Only WORD and DWORD types get byte reversed. ASCII fields do NOT get byte reversed. The resulting table will look like this:
Offset | Size | Value | Field |
00h | 3 bytes | EB 3C 90 | Jump Instruction to bypass the DPB |
03h | 8 bytes | "MSDOS5.0" | File System Driver Signature |
0Bh | 1 word | 02 00 | Bytes/Sector |
0Dh | 1 byte | 40 | Sectors/Cluster |
0Eh | 1 word | 00 01 | Reserved Sectors |
10h | 1 byte | 02 | # of FAT's |
11h | 1 word | 02 00 | max. # of root dir entries |
13h | 1 word | 00 00 | total sectors (partitions < 32MB) |
15h | 1 byte | F8 | Media Descriptor |
16h | 1 word | 01 00 | sectors/FAT |
18h | 1 word | 00 3F | sectors/track |
1Ah | 1 word | 00 FF | total heads |
1Ch | dword | 00 00 00 3F | Hidden sectors |
20h | dword | 00 3F FA 86 | total sectors (partitions > 32MB) |
24h | 1 byte | 80 | BIOS drive # |
25h | 1 byte | 00 | current head |
26h | 1 byte | 29 | extended DPB signature |
27h | dword | 22 21 04 76 | volume serial # |
2Bh | 11 bytes ASCII | "NO NAME " | Volume Label |
36h | 8 bytes ASCII | "FAT16 " | File System Type |
Pad all ASCII fields with the appropriate space characters. The volume label is followed by 4 spaces and the file system type is followed by three spaces (ASCII code 20h.) In the next exercise, the DBR values will be analysed.
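As a check on the worksheet values, and on the map of the file system that the DPB is said above to provide, here is an added Python example. It is not part of the original exercise and not Microsoft code. It parses the first 3Eh bytes of the DBR dumped above (copied in as a constructed sample) with struct, whose little-endian mode does the byte reversal that the worksheet does by hand, applies the sanity checks that expose a damaged DPB, and computes where the FATs, root directory and first data cluster lie. The field names and the layout() helper are the example's own.

```python
"""Parse a FAT16 DBR's DPB (Microsoft's name: BIOS Parameter Block) and
compute the file-system layout it implies.

Added example, not part of the original DEBUG exercise.  SAMPLE_DBR_HEAD is
the jump + DPB + EDPB exactly as dumped at 242C:0100-013D.  The "<" prefix
in the struct format performs the little-endian byte reversal.
"""
import struct

# Constructed sample: the first 3Eh bytes of the DBR shown in the dump above.
SAMPLE_DBR_HEAD = bytes.fromhex(
    "EB 3C 90 4D 53 44 4F 53 35 2E 30 00 02 40 01 00 "
    "02 00 02 00 00 F8 00 01 3F 00 FF 00 3F 00 00 00 "
    "86 FA 3F 00 80 00 29 76 04 21 22 4E 4F 20 4E 41 "
    "4D 45 20 20 20 20 46 41 54 31 36 20 20 20"
)

# One format item per worksheet row, offsets 00h through 36h (62 bytes).
DPB = struct.Struct("<3s8sHBHBHHBHHHIIBBBI11s8s")
NAMES = ("jump", "oem", "bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
         "num_fats", "root_entries", "total_sectors16", "media", "sectors_per_fat",
         "sectors_per_track", "heads", "hidden_sectors", "total_sectors32",
         "drive_number", "current_head", "ext_signature", "volume_serial",
         "volume_label", "fs_type")


def parse_dbr(data):
    """Decode the DPB; data is the whole 512-byte sector or at least its first 3Eh bytes."""
    if len(data) < DPB.size:
        raise ValueError("need at least 3Eh bytes of the DBR")
    if len(data) >= 512 and data[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature: BIOS would not boot this sector")
    d = dict(zip(NAMES, DPB.unpack_from(data)))
    # Sanity checks a recovery specialist applies before trusting the map.
    if d["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError(f"bytes/sector {d['bytes_per_sector']} is invalid: DPB is damaged")
    spc = d["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        raise ValueError("sectors/cluster must be a non-zero power of two")
    if d["num_fats"] not in (1, 2) or d["reserved_sectors"] == 0:
        raise ValueError("implausible FAT count or reserved sector count")
    if d["ext_signature"] not in (0x28, 0x29):
        raise ValueError("no extended DPB signature (28h/29h)")
    d["oem"] = d["oem"].decode("ascii", "replace")
    d["volume_label"] = d["volume_label"].decode("ascii", "replace").rstrip()
    d["fs_type"] = d["fs_type"].decode("ascii", "replace").rstrip()
    # DOS's VOL command shows the serial as high word - low word.
    d["serial_text"] = f"{d['volume_serial'] >> 16:04X}-{d['volume_serial'] & 0xFFFF:04X}"
    # The 16-bit count is used below 32 MB; otherwise it is zero and the dword applies.
    d["total_sectors"] = d["total_sectors16"] or d["total_sectors32"]
    return d


def layout(d):
    """Where the FATs, root directory and data area sit, as sectors relative to
    the partition start, plus the absolute LBA of the data area (hidden added)."""
    bps, spc = d["bytes_per_sector"], d["sectors_per_cluster"]
    fat_start = d["reserved_sectors"]
    root_start = fat_start + d["num_fats"] * d["sectors_per_fat"]
    root_sectors = (d["root_entries"] * 32 + bps - 1) // bps   # 32 bytes per entry
    data_start = root_start + root_sectors
    clusters = (d["total_sectors"] - data_start) // spc
    # Microsoft's rule: the FAT type is decided by the cluster count alone.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {
        "fat_start": fat_start, "root_start": root_start, "root_sectors": root_sectors,
        "data_start": data_start, "clusters": clusters, "fat_type": fat_type,
        "cluster_bytes": bps * spc, "data_start_lba": d["hidden_sectors"] + data_start,
    }


def cluster_to_lba(d, cluster):
    """Absolute LBA of the first sector of a data cluster (numbering starts at 2)."""
    if cluster < 2:
        raise ValueError("cluster numbers below 2 are reserved")
    return layout(d)["data_start_lba"] + (cluster - 2) * d["sectors_per_cluster"]


if __name__ == "__main__":
    d = parse_dbr(SAMPLE_DBR_HEAD)
    for k, v in d.items():
        print(f"{k:20} {v!r}")
    for k, v in layout(d).items():
        print(f"{k:20} {v}")
```

For this DBR the arithmetic gives FAT1 at sector 1, FAT2 at 257, the root directory at 513 (32 sectors for 512 entries) and the data area at 545, i.e. absolute sector 608 once the 63 hidden sectors are added; the 65505 clusters of 32KB fall under the 65525 limit, so the cluster count, not the "FAT16" string at 36h, is what makes this FAT16. Feeding parse_dbr() a full sector without the 55 AA signature, or a DPB whose sectors/cluster is zero or not a power of two, raises an error, which is the programmatic counterpart of DOS's "Invalid media type".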
Copyright©2000-2006 Brian Robinson ALL RIGHTS RESERVED