THE IMPORTANT PART
Hello,
I wanted to know if someone could help me analyse the bootstrap of Windows NT 4.0 Workstation. I have disassembled it (?) with this page: https://onlinedisassembler.com/ since I don't know what program I could use to do this. I probably even have one installed already but don't know the feature. Its hex code is:
Quote
00 00 00 00 00 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07 8E D8 C7 06 54 00 00 00 C7 06 56 00 00 00 C7 06 5B 00 10 00 B8 00 0D 8E C0 2B DB E8 07 00 68 00 0D 68 66 02 CB 50 53 51 52 06 66 A1 54 00 66 03 06 1C 00 66 33 D2 66 0F B7 0E 18 00 66 F7 F1 FE C2 88 16 5A 00 66 8B D0 66 C1 EA 10 F7 36 1A 00 88 16 25 00 A3 58 00 A1 18 00 2A 06 5A 00 40 3B 06 5B 00 76 03 A1 5B 00 50 B4 02 8B 16 58 00 B1 06 D2 E6 0A 36 5A 00 8B CA 86 E9 8A 36 25 00 B2 80 CD 13 58 72 2A 01 06 54 00 83 16 56 00 00 29 06 5B 00 76 0B C1 E0 05 8C C2 03 D0 8E C2 EB 8A 07 5A 59 5B 58 C3 BE 59 01 EB 08 BE E3 01 EB 03 BE 39 01 E8 09 00 BE AD 01 E8 03 00 FB EB FE AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3 1D 00 45 72 72 6F 72 20 64 65 20 6C 65 63 74 75 72 61 64 65 20 64 69 73 63 6F 2E 20 20 0D 0A 00 29 00 46 61 6C 74 61 20 75 6E 20 61 72 63 68 69 76 6F 20 64 65 20 6E A3 63 6C 65 6F 20 65 6E 20 65 6C 20 64 69 73 63 6F 2E 0D 0A 00 25 00 41 72 63 68 69 76 6F 20 64 65 6C 20 6E A3 63 6C 65 6F 20 65 73 20 64 69 73 63 6F 6E 74 69 67 75 6F 2E 20 0D 0A 00 33 00 49 6E 73 65 72 74 65 20 75 6E 20 64 69 73 71 75 65 74 65 20 64 65 20 73 69 73 74 65 6D 61 20 79 20 72 65 69 0D 0A 6E 69 63 69 65 2E 20 20 20 20 20 0D 0A 00 15 00 5C 4E 54 4C 44 52 20 65 73 74 A0 20 63 6F 6D 70 72 69 2E 0D 0A 00 00 00 00 00 00
I hope you'll forgive how crude this query is, without properly presenting the disassembly of the code, but as I said, I don't know exactly how to do it other than online or by writing an assembler (what a drag ._.)
Specifically I would like to know what each line of the assembly does, but first I'd like someone to suggest a good disassembler for "raw" binaries so I can present my questions quoting lines of code (I'm not asking you to do it all for me)
Thank you very much for your attention
I was FINALLY able to dump the commands. I used OllyDbg:
Quote
Address Hex dump Command Comments
00401000 0000 ADD BYTE PTR DS:[EAX],AL
00401002 0000 ADD BYTE PTR DS:[EAX],AL
00401004 0000 ADD BYTE PTR DS:[EAX],AL
00401006 0000 ADD BYTE PTR DS:[EAX],AL
00401008 00FA ADD DL,BH
0040100A 33C0 XOR EAX,EAX
0040100C 8ED0 MOV SS,EAX ; Modification of segment register
0040100E BC 007CFBB8 MOV ESP,B8FB7C00 ; Suspicious use of stack pointer
00401013 C007 8E ROL BYTE PTR DS:[EDI],8E ; Shift out of range
00401016 D8C7 FADD ST,ST(7)
00401018 06 PUSH ES
00401019 54 PUSH ESP
0040101A 0000 ADD BYTE PTR DS:[EAX],AL
0040101C 00C7 ADD BH,AL
0040101E 06 PUSH ES
0040101F 56 PUSH ESI
00401020 0000 ADD BYTE PTR DS:[EAX],AL
00401022 00C7 ADD BH,AL
00401024 06 PUSH ES
00401025 5B POP EBX
00401026 0010 ADD BYTE PTR DS:[EAX],DL
00401028 00B8 000D8EC0 ADD BYTE PTR DS:[EAX+C08E0D00],BH
0040102E 2BDB SUB EBX,EBX
00401030 E8 07006800 CALL 00A8103C
00401035 0D 686602CB OR EAX,CB026668
0040103A 50 PUSH EAX
0040103B 53 PUSH EBX
0040103C 51 PUSH ECX
0040103D 52 PUSH EDX
0040103E 06 PUSH ES
0040103F 66:A1 5400660 MOV AX,WORD PTR DS:[3660054]
00401045 06 PUSH ES
00401046 1C 00 SBB AL,0
00401048 66:33D2 XOR DX,DX
0040104B 66:0FB70E MOVZX ECX,WORD PTR DS:[ESI] ; Superfluous operand size prefix
0040104F 1800 SBB BYTE PTR DS:[EAX],AL
00401051 66:F7F1 DIV CX
00401054 FEC2 INC DL
00401056 8816 MOV BYTE PTR DS:[ESI],DL
00401058 5A POP EDX
00401059 0066 8B ADD BYTE PTR DS:[ESI-75],AH
0040105C D066 C1 SHL BYTE PTR DS:[ESI-3F],1
0040105F EA 10F7361A 0 JMP FAR 8800:1A36F710 ; Far jump or call
00401066 16 PUSH SS
00401067 25 00A35800 AND EAX,0058A300
0040106C A1 18002A06 MOV EAX,DWORD PTR DS:[62A0018]
00401071 5A POP EDX
00401072 0040 3B ADD BYTE PTR DS:[EAX+3B],AL
00401075 06 PUSH ES
00401076 5B POP EBX
00401077 0076 03 ADD BYTE PTR DS:[ESI+3],DH
0040107A A1 5B0050B4 MOV EAX,DWORD PTR DS:[B450005B]
0040107F 028B 165800B1 ADD CL,BYTE PTR DS:[EBX+B1005816]
00401085 06 PUSH ES
00401086 D2E6 SHL DH,CL
00401088 0A36 OR DH,BYTE PTR DS:[ESI]
0040108A 5A POP EDX
0040108B 008B CA86E98A ADD BYTE PTR DS:[EBX+8AE986CA],CL
00401091 36:25 00B280C AND EAX,CD80B200 ; Superfluous segment override prefix
00401097 1358 72 ADC EBX,DWORD PTR DS:[EAX+72]
0040109A 2A01 SUB AL,BYTE PTR DS:[ECX]
0040109C 06 PUSH ES
0040109D 54 PUSH ESP
0040109E 0083 16560000 ADD BYTE PTR DS:[EBX+5616],AL
004010A4 2906 SUB DWORD PTR DS:[ESI],EAX
004010A6 5B POP EBX
004010A7 0076 0B ADD BYTE PTR DS:[ESI+0B],DH
004010AA C1E0 05 SHL EAX,5
004010AD 8CC2 MOV EDX,ES
004010AF 03D0 ADD EDX,EAX
004010B1 8EC2 MOV ES,EDX ; Modification of segment register
004010B3 ^ EB 8A JMP SHORT 0040103F
004010B5 07 POP ES ; Modification of segment register
004010B6 5A POP EDX
004010B7 59 POP ECX
004010B8 5B POP EBX
004010B9 58 POP EAX
004010BA C3 RETN
004010BB BE 5901EB08 MOV ESI,8EB0159
004010C0 BE E301EB03 MOV ESI,3EB01E3
004010C5 BE 3901E809 MOV ESI,9E80139
004010CA 00BE AD01E803 ADD BYTE PTR DS:[ESI+3E801AD],BH
004010D0 00FB ADD BL,BH
004010D2 EB FE JMP SHORT 004010D2
004010D4 AC LODS BYTE PTR DS:[ESI]
004010D5 3C 00 CMP AL,0
004010D7 74 09 JE SHORT 004010E2
004010D9 B4 0E MOV AH,0E
004010DB BB 0700CD10 MOV EBX,10CD0007
004010E0 ^ EB F2 JMP SHORT 004010D4
004010E2 C3 RETN
004010E3 1D 00457272 SBB EAX,72724500
004010E8 6F OUTS DX,DWORD PTR DS:[ESI] ; I/O command
004010E9 72 20 JB SHORT 0040110B
004010EB 64 FS: ; Two prefixes from the same group
004010EC 65:206C65 63 AND BYTE PTR GS:[EBP+63],CH
004010F1 74 75 JE SHORT 00401168
004010F3 72 61 JB SHORT 00401156
004010F5 64 FS: ; Two prefixes from the same group
004010F6 65:206469 73 AND BYTE PTR GS:[EBP*2+ECX+73],AH
004010FB 636F 2E ARPL WORD PTR DS:[EDI+2E],BP
004010FE 2020 AND BYTE PTR DS:[EAX],AH
00401100 0D 0A002900 OR EAX,0029000A
00401105 46 INC ESI
00401106 61 POPAD
00401107 6C INS BYTE PTR ES:[EDI],DX ; I/O command
00401108 74 61 JE SHORT 0040116B
0040110A 2075 6E AND BYTE PTR SS:[EBP+6E],DH
0040110D 2061 72 AND BYTE PTR DS:[ECX+72],AH
00401110 6368 69 ARPL WORD PTR DS:[EAX+69],BP
00401113 76 6F JBE SHORT 00401184
00401115 206465 20 AND BYTE PTR SS:[EBP+20],AH
00401119 6E OUTS DX,BYTE PTR DS:[ESI] ; I/O command
0040111A A3 636C656F MOV DWORD PTR DS:[6F656C63],EAX
0040111F 2065 6E AND BYTE PTR SS:[EBP+6E],AH
00401122 2065 6C AND BYTE PTR SS:[EBP+6C],AH
00401125 206469 73 AND BYTE PTR DS:[EBP*2+ECX+73],AH
00401129 636F 2E ARPL WORD PTR DS:[EDI+2E],BP
0040112C 0D 0A002500 OR EAX,0025000A
00401131 41 INC ECX
00401132 72 63 JB SHORT 00401197
00401134 68 69766F20 PUSH 206F7669
00401139 64 FS: ; Two prefixes from the same group
0040113A 65:6C INS BYTE PTR ES:[EDI],DX ; Superfluous segment override prefix
0040113C 206E A3 AND BYTE PTR DS:[ESI-5D],CH
0040113F 636C65 6F ARPL WORD PTR SS:[EBP+6F],BP
00401143 2065 73 AND BYTE PTR SS:[EBP+73],AH
00401146 206469 73 AND BYTE PTR DS:[EBP*2+ECX+73],AH
0040114A 636F 6E ARPL WORD PTR DS:[EDI+6E],BP
0040114D 74 69 JE SHORT 004011B8
0040114F 67:75 6F JNE SHORT 004011C1 ; Superfluous address size prefix
00401152 2E:200D 0A003 AND BYTE PTR CS:[33000A],CL
00401159 49 DEC ECX
0040115A 6E OUTS DX,BYTE PTR DS:[ESI] ; I/O command
0040115B 73 65 JAE SHORT 004011C2
0040115D 72 74 JB SHORT 004011D3
0040115F 65:2075 6E AND BYTE PTR GS:[EBP+6E],DH
00401163 206469 73 AND BYTE PTR DS:[EBP*2+ECX+73],AH
00401167 71 75 JNO SHORT 004011DE
00401169 65:74 65 JE SHORT 004011D1 ; Superfluous segment override prefix
0040116C 206465 20 AND BYTE PTR SS:[EBP+20],AH
00401170 73 69 JAE SHORT 004011DB
00401172 73 74 JAE SHORT 004011E8
00401174 65:6D INS DWORD PTR ES:[EDI],DX ; Superfluous segment override prefix
00401176 61 POPAD
00401177 2079 20 AND BYTE PTR DS:[ECX+20],BH
0040117A 72 65 JB SHORT 004011E1
0040117C 690D 0A6E6963 IMUL ECX,DWORD PTR DS:[63696E0A],202E6569
00401186 2020 AND BYTE PTR DS:[EAX],AH
00401188 2020 AND BYTE PTR DS:[EAX],AH
0040118A 0D 0A001500 OR EAX,0015000A
0040118F 5C POP ESP
00401190 4E DEC ESI
00401191 54 PUSH ESP
00401192 4C DEC ESP
00401193 44 INC ESP
00401194 52 PUSH EDX
00401195 2065 73 AND BYTE PTR SS:[EBP+73],AH
00401198 ^ 74 A0 JE SHORT 0040113A
0040119A 2063 6F AND BYTE PTR DS:[EBX+6F],AH
0040119D 6D INS DWORD PTR ES:[EDI],DX ; I/O command
0040119E 70 72 JO SHORT 00401212
004011A0 692E 0D0A0000 IMUL EBP,DWORD PTR DS:[ESI],0A0D
004011A6 0000 ADD BYTE PTR DS:[EAX],AL
004011A8 0000 ADD BYTE PTR DS:[EAX],AL
My first question is:
Why are the first bytes of the bootstrap padded with zeros? What sense does it make for the processor to execute that?
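An added worked example, not the poster's code and not part of the original thread. The OllyDbg listing above was produced in 32-bit mode, while a boot sector is 16-bit real-mode code; that is why it decodes into nonsense such as `ROL BYTE PTR DS:[EDI],8E` and `JMP FAR 8800:1A36F710`. For a raw binary, a 16-bit disassembler such as `ndisasm -b 16 file.bin` (from NASM) or `objdump -D -b binary -m i8086 -M intel file.bin` gives readable output. The Python script below does a narrower job on the hex dump from the post: it decodes the straight-line prologue as 16-bit instructions, walks the length-prefixed message table (decoded as CP437, so byte `A3` is `ú` and `A0` is `á`), and uses the `mov si,imm16` operands to work out where in the sector the dump begins. Assumptions: the dump is the first sector of an NT 4.0 NTFS bootstrap (the NTFS BPB ends at 0x53, and the code sets `DS=07C0h`, so `mov si,imm16` operands are offsets into the sector), and the small decoder handles only the opcode forms that occur in this prologue, stopping at the first `retf`. The result answers the question about the zeros: the string references resolve only when dump offset 0 is sector offset 0x54, and the prologue itself writes to `[0x54]`, `[0x56]` and `[0x5B]` (later code to `[0x58]` and `[0x5A]`), so the nine leading zeros are a variable area the code initialises, not instructions; execution of the dumped bytes begins at the `cli` at sector offset 0x5D, and the BIOS entry at 0x7C00 (the sector's first bytes) is not part of the dump.

```python
# Added example (not the poster's code): triage the raw NT 4.0 boot-sector dump
# quoted above as 16-bit real-mode code and data rather than a 32-bit listing.
# Layout facts used: the NTFS BPB ends at 0x53, and the code sets DS=0x07C0,
# so the operands of "mov si,imm16" are offsets into the sector itself.
# POST_HEX is the dump from the post: 426 bytes, first NTFS bootstrap sector.
POST_HEX = """
00 00 00 00 00 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07 8E D8 C7 06 54 00 00 00 C7 06 56
00 00 00 C7 06 5B 00 10 00 B8 00 0D 8E C0 2B DB E8 07 00 68 00 0D 68 66 02 CB 50 53 51 52 06 66
A1 54 00 66 03 06 1C 00 66 33 D2 66 0F B7 0E 18 00 66 F7 F1 FE C2 88 16 5A 00 66 8B D0 66 C1 EA
10 F7 36 1A 00 88 16 25 00 A3 58 00 A1 18 00 2A 06 5A 00 40 3B 06 5B 00 76 03 A1 5B 00 50 B4 02
8B 16 58 00 B1 06 D2 E6 0A 36 5A 00 8B CA 86 E9 8A 36 25 00 B2 80 CD 13 58 72 2A 01 06 54 00 83
16 56 00 00 29 06 5B 00 76 0B C1 E0 05 8C C2 03 D0 8E C2 EB 8A 07 5A 59 5B 58 C3 BE 59 01 EB 08
BE E3 01 EB 03 BE 39 01 E8 09 00 BE AD 01 E8 03 00 FB EB FE AC 3C 00 74 09 B4 0E BB 07 00 CD 10
EB F2 C3 1D 00 45 72 72 6F 72 20 64 65 20 6C 65 63 74 75 72 61 64 65 20 64 69 73 63 6F 2E 20 20
0D 0A 00 29 00 46 61 6C 74 61 20 75 6E 20 61 72 63 68 69 76 6F 20 64 65 20 6E A3 63 6C 65 6F 20
65 6E 20 65 6C 20 64 69 73 63 6F 2E 0D 0A 00 25 00 41 72 63 68 69 76 6F 20 64 65 6C 20 6E A3 63
6C 65 6F 20 65 73 20 64 69 73 63 6F 6E 74 69 67 75 6F 2E 20 0D 0A 00 33 00 49 6E 73 65 72 74 65
20 75 6E 20 64 69 73 71 75 65 74 65 20 64 65 20 73 69 73 74 65 6D 61 20 79 20 72 65 69 0D 0A 6E
69 63 69 65 2E 20 20 20 20 20 0D 0A 00 15 00 5C 4E 54 4C 44 52 20 65 73 74 A0 20 63 6F 6D 70 72
69 2E 0D 0A 00 00 00 00 00 00
"""

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
SREG = ["es", "cs", "ss", "ds", "fs", "gs", "?", "?"]
# BIOS teletype loop: lodsb / cmp al,0 / je / mov ah,0Eh / mov bx,7 / int 10h / jmp / ret
TELETYPE_LOOP = bytes.fromhex("AC3C007409B40EBB0700CD10EBF2C3")

def le16(data, i):
    return int.from_bytes(data[i:i + 2], "little")

def decode_prologue(data, start, base=0):
    """Decode the straight-line 16-bit prologue at `start`. Only the opcode forms
    this prologue uses are handled; stops at RETF or at an unknown opcode."""
    out, i = [], start
    while i + 1 < len(data):
        op, m, at = data[i], data[i + 1], base + i
        if op in (0xFA, 0xFB, 0xCB):
            txt, n = {0xFA: "cli", 0xFB: "sti", 0xCB: "retf"}[op], 1
        elif op in (0x33, 0x2B, 0x8E) and m >= 0xC0:          # reg,reg forms only
            reg, rm = (m >> 3) & 7, m & 7
            mnem = {0x33: "xor", 0x2B: "sub", 0x8E: "mov"}[op]
            dst = SREG[reg] if op == 0x8E else REG16[reg]
            txt, n = f"{mnem} {dst},{REG16[rm]}", 2
        elif 0xB8 <= op <= 0xBF:                               # mov r16,imm16
            txt, n = f"mov {REG16[op - 0xB8]},0x{le16(data, i + 1):04X}", 3
        elif op == 0xC7 and m == 0x06:                         # mov word [disp16],imm16
            txt, n = f"mov word [0x{le16(data, i + 2):04X}],0x{le16(data, i + 4):04X}", 6
        elif op == 0xE8:                                       # call rel16
            txt, n = f"call 0x{(at + 3 + le16(data, i + 1)) & 0xFFFF:04X}", 3
        elif op == 0x68:                                       # push imm16
            txt, n = f"push 0x{le16(data, i + 1):04X}", 3
        else:
            break
        out.append((at, txt))
        i += n
        if op == 0xCB:
            break
    return out

def extract_messages(data, table_start):
    """Walk the message table: u16 length (excluding the NUL), text, 0x00."""
    msgs, pos = [], table_start
    while pos + 2 < len(data):
        n = le16(data, pos)
        text = data[pos + 2:pos + 2 + n]
        if n == 0 or pos + 2 + n >= len(data) or data[pos + 2 + n] != 0:
            break                                              # end of table
        msgs.append((pos + 2, text.decode("cp437")))          # A3 = ú, A0 = á
        pos += 2 + n + 1
    return msgs

def find_load_base(refs, text_offsets):
    """Sector offset of dump byte 0, chosen so that every mov si,imm16 target
    lands exactly on a message start; None if no base fits."""
    for base in range(0x200):
        if all(t - base in text_offsets for t in refs):
            return base
    return None

def analyse(hex_text):
    data = bytes.fromhex(hex_text)                             # whitespace is skipped
    code_start = next(i for i, b in enumerate(data) if b)      # first non-zero byte
    table = data.find(TELETYPE_LOOP) + len(TELETYPE_LOOP)      # messages follow the RET
    msgs = extract_messages(data, table)
    # Every 0xBE before the table is a genuine mov si,imm16 in this sector.
    refs = [le16(data, i + 1) for i in range(table) if data[i] == 0xBE]
    base = find_load_base(refs, {off for off, _ in msgs})
    return {"size": len(data), "base": base, "leading": data[:code_start],
            "prologue": decode_prologue(data, code_start, base or 0),
            "messages": msgs, "refs": sorted(refs)}

if __name__ == "__main__":
    r = analyse(POST_HEX)
    print(f"{r['size']} bytes; dump offset 0 = sector offset 0x{r['base']:02X}")
    for at, txt in r["prologue"]:
        print(f"  {at:04X}  {txt}")
    for off, text in r["messages"]:
        print(f"  msg @0x{off + r['base']:04X}: {text!r}")
```

Running it lists the prologue (`cli`, `xor ax,ax`, `mov ss,ax`, `mov sp,0x7C00`, `sti`, `mov ax,0x07C0`, `mov ds,ax`, three `mov word [...]` stores, `mov ax,0x0D00`, `mov es,ax`, `sub bx,bx`, `call 0x008E`, `push 0x0D00`, `push 0x0266`, `retf`), the five CP437 messages, and the base 0x54. Reading the dump the same way, the `call` goes to the routine at 0x8E that uses INT 13h AH=02h (`B4 02 ... CD 13`) to read `[0x5B]` = 0x10 sectors into `0D00:0000`, and the `push`/`push`/`retf` is then a far jump to `0D00:0266`, i.e. into the second of those sectors; following the loader further would require dumping the sectors after the first one.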