A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10900  by rootkitreader
 Sat Jan 07, 2012 6:26 pm
Guys, thank you for your responses.

Well, I've started analysing this code, but I think I'm stuck.
Here is my problem:
The NTFS IPL program contains:
Code:
seg000:0054 ntfs_start:                             ; CODE XREF: seg000:loc_0j
seg000:0054                 cli                     ; disable interrupts
seg000:0055                 xor     ax, ax          ; ax =0
seg000:0057                 mov     ss, ax          ; ss=0
seg000:0059                 mov     sp, 7C00h       ; sp=7c00
seg000:005C                 sti                     ; enable interrupts
seg000:005D                 mov     ax, 7C0h        ; ax= 7c0
seg000:0060                 mov     ds, ax          ; ds=0x7c0
seg000:0062                 assume ds:nothing
seg000:0062                 call    calculate_drivers_total_sectors ; load BIOS drive number (80h) to dl
seg000:0065                 mov     ax, 0D00h
seg000:0068                 mov     es, ax          ; es=0xd00
seg000:006A                 assume es:nothing
seg000:006A                 xor     bx, bx
seg000:006C                 mov     byte ptr ds:0Eh, 10h ; store read count index
seg000:0071                 call    read_disk       ; save registers on stack
seg000:0074                 push    0D00h           ; segment for retf
seg000:0077                 push    26Ah            ; offset for retf
seg000:007A                 retf
So after the initial default actions it moves to 0d00:26A, where the extended IPL should be.

At this address there is code that finally calls address 0x3c5, where the code is:
Code:
seg000:03C5                 push    ax
seg000:03C6                 test    bp, bp
seg000:03C8                 push    359h
seg000:03CB                 xor     ax, ax
seg000:03CD                 pop     ax
seg000:03CE                 jnz     short loc_3F3
eb contains 0x3c5, so the instruction at seg000:03CE should be invoked.
And now the code is:
Code:
seg000:03F3 loc_3F3:                                ; CODE XREF: seg000:03CEj
seg000:03F3                 pop     ax
seg000:03F4                 inc     word ptr [si]
seg000:03F6                 and     al, 58h
seg000:03F8                 push    ax
seg000:03F9                 push    cx
seg000:03FA                 push    bx
seg000:03FB                 push    359h
seg000:03FE                 xor     ax, ax
seg000:0400                 pop     bx
seg000:0401                 movzx   cx, byte ptr [bx+si-1]
seg000:0405                 dec     ax
seg000:0406                 movsx   bx, bx
seg000:0409                 shl     cx, 1
seg000:040B                 dec     ax
seg000:040C                 add     bx, cx
seg000:040E                 dec     ax
seg000:040F                 movsx   bx, word ptr [si]
seg000:0412                 sub     cx, [bx+si+3]
seg000:0415                 fisttp  qword ptr [bx+si-6Dh]
seg000:0418                 pop     bx
seg000:0419                 pop     cx
seg000:041A                 push    ax
seg000:041B                 retn

Can you tell me where the code should go next? ax is first zeroed, then dec'd 3 times?
Maybe my analysis till now is completely wrong?

~~~~~~~~
thanks!
~~~~~~~~
 #10906  by rootkitreader
 Sun Jan 08, 2012 2:55 pm
rkhunter,

Thank you for your response.
Well, I've read the articles that EP_XOFF suggested and they gave me valuable input.
My problem is the last listing I made in my last post. Are you able to tell me where the code will return if there is xor ax,ax, dec ax 3 times, then push ax and retn?
Maybe I've made a mistake before and this code is completely wrong... but till now I think my understanding should be ok, so where will we be?

~~~~~~~~
thanks!
~~~~~~~~
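The two questions above (where the push/push/retf at the end of the IPL hands off, and where the xor ax,ax / dec ax ×3 / push ax / retn at the end of loc_3F3 returns) can be answered mechanically rather than by staring at the listing. The following is an added example, not code from either poster or from any loader project: a small Python model of the 8086 stack with only the instructions the two idioms need. All of it is constructed from the quoted listings; taking cs=0D00h for the loc_3F3 stub is an assumption based on the retf target in the first listing, and the memory-operand instructions in the stub are left out because they do not change ax or the stack depth.

```python
"""Tiny real-mode stack model for the 'push ...; ret' control-flow idiom.

Added example for this thread; everything here is constructed for illustration
and is not a disassembler or a piece of any real loader.
"""

MASK16 = 0xFFFF


def linear(seg, off):
    """Real-mode physical address of seg:off (segment * 16 + offset, 20 bits)."""
    return ((seg << 4) + off) & 0xFFFFF


class RealModeCPU:
    """Registers, a stack and just the instructions needed for the idiom."""

    def __init__(self, cs, ss=0, sp=0x7C00):
        # ss=0 / sp=7C00h are the values the quoted IPL sets up itself.
        self.regs = {"ax": 0, "bx": 0, "cx": 0}
        self.cs, self.ss, self.sp = cs, ss, sp
        self.mem = {}  # sparse word memory, keyed by linear address

    def push(self, value):
        self.sp = (self.sp - 2) & MASK16
        self.mem[linear(self.ss, self.sp)] = value & MASK16

    def pop(self):
        value = self.mem.get(linear(self.ss, self.sp), 0)
        self.sp = (self.sp + 2) & MASK16
        return value

    def run(self, program):
        """Execute until a return; report where control goes as (kind, seg, off)."""
        for op, *args in program:
            if op == "xor":                    # xor reg, reg -> reg = 0
                self.regs[args[0]] ^= self.regs[args[1]]
            elif op == "dec":                  # 16-bit wraparound: 0 - 1 = 0FFFFh
                self.regs[args[0]] = (self.regs[args[0]] - 1) & MASK16
            elif op == "push":                 # register name or immediate
                src = args[0]
                self.push(self.regs[src] if isinstance(src, str) else src)
            elif op == "pop":
                self.regs[args[0]] = self.pop()
            elif op == "retn":                 # near return: new ip comes off the stack
                return ("near", self.cs, self.pop())
            elif op == "retf":                 # far return: ip is popped first, then cs
                ip = self.pop()
                return ("far", self.pop(), ip)
            else:
                raise ValueError(f"unsupported instruction: {op}")
        raise RuntimeError("program ended without a return")


# Constructed from the end of the quoted IPL listing (seg000:0074..007A).
IPL_HANDOFF = [("push", 0x0D00), ("push", 0x026A), ("retf",)]

# Constructed from the stack- and ax-related lines of the loc_3F3 listing
# (seg000:03F8..041B); inc/movzx/movsx/sub/fisttp are omitted because they
# touch neither ax nor the stack depth.
STUB_3F3 = [
    ("push", "ax"), ("push", "cx"), ("push", "bx"), ("push", 0x0359),
    ("xor", "ax", "ax"), ("pop", "bx"),
    ("dec", "ax"), ("dec", "ax"), ("dec", "ax"),
    ("pop", "bx"), ("pop", "cx"),
    ("push", "ax"), ("retn",),
]


def ipl_handoff_target():
    """Where 'push 0D00h; push 26Ah; retf' at the end of the IPL transfers to."""
    return RealModeCPU(cs=0x07C0).run(IPL_HANDOFF)


def stub_3f3_target():
    """Where 'xor ax,ax; dec ax x3; push ax; retn' returns (cs=0D00h is assumed)."""
    return RealModeCPU(cs=0x0D00).run(STUB_3F3)


if __name__ == "__main__":
    kind, seg, off = ipl_handoff_target()
    print(f"IPL handoff: {kind} jump to {seg:04X}:{off:04X} (linear {linear(seg, off):05X})")
    kind, seg, off = stub_3f3_target()
    print(f"loc_3F3 stub: {kind} return to {seg:04X}:{off:04X}")
```

The model confirms the first reading (the retf lands at 0D00:026A, linear 0D26Ah) and shows that the second stub returns to offset 0FFFDh in its segment. A near return to the last bytes of the segment, well outside anything a sector-sized loader places there, is the kind of result worth treating as a sanity check: it usually means the bytes were disassembled from the wrong starting offset or are data, which is exactly the doubt raised in the post and a reason to prefer debugging the real thing over trusting a static listing.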
 #10907  by rkhunter
 Sun Jan 08, 2012 3:39 pm
Actually this can be code optimization by the compiler, so you can spend a long time understanding it. Or you can find a specific useful code area and analyze it. My advice: you may look at loader sources, from ReactOS, for example.
 #10909  by rootkitreader
 Sun Jan 08, 2012 5:22 pm
rkhunter,

Thank you for the response,
But how can I read specific code parts if I can't see all the code, only bytes, and Intel has a variable-length instruction set, and this is 16-bit code in which data declarations can be in any place, so when I press "C" in IDA in one place it is possible that my interpretation of the code will be bad?
I'm sorry for questioning this, I really appreciate your input.

~~~~~~~~
thanks!
~~~~~~~~
 #10910  by rkhunter
 Sun Jan 08, 2012 5:52 pm
If you want to understand what the code does, the best thing is to debug it, probably several times.
 #10911  by rootkitreader
 Sun Jan 08, 2012 8:51 pm
rkhunter,

Thank you again,
Yeah, this is probably one of the solutions.
But I understand I can't simply debug this code with WinDbg, am I right?
I thought I could allocate memory from my app, then copy the data and jump to this code, but this code probably won't work since it is in special memory and it is 16-bit code.
So how can I do it?
I was thinking about the Bochs project, but I've never used it. So what would you do in my position, any tutorials/howtos and so on?


~~~~~~~~
thanks!
~~~~~~~~