PMA 421: Understanding the MBR (15 pts + 55 extra)

What You Need

Purpose

To examine the normal bootup process. This is important to understand low-level malware, including BIOS viruses, Bootkits, and Rootkits.

Task 1: Understanding the Bootup Process

This section is reading-only and serves as background information for the hands-on tasks that follow it.s

Boot Process Overview

Here's a high-level overview, based on this page.

Master Boot Record (MBR)

The MBR is 512 bytes long, and is loaded into RAM by the BIOS. Then the Bootstrap Code is executed. The Partition Table is used to find the active partition.

Partition Boot Sector

This sector begins with a single JMP instruction which goes to the sector's bootstrap code.

Bootloader

The bootloader selects and launches an operating system kernel, such as Linux or Windows.


Task 2: Booting FreeDOS in the Bochs Emulator

Installing Bochs

If you don't have Bochs yet, get it here: https://sourceforge.net/projects/bochs/

Installing 7-Zip

Download and install the 64-bit version of: https://www.7-zip.org/

Downloading a FreeDos Disk Image

On your Windows machine, in Firefox, go to https://sourceforge.net/projects/bochs/files

Click "Disk Images". Click "FreeDos", as shown below.

Click fdos-10meg.tar.gz. Click "Problems Downloading?". Click "direct link". Save the file in your Downloads folder.

Right-click the fdos-10meg.tar.gz file and click 7-Zip, "Extract Here".

A new file appears named fdos-10meg.tar. Right-click it and extract it the same way.

A folder appears, named fdos-10meg. Move that folder to

C:\Program Files (x86)\Bochs-2-6-9

Launching the FreeDos System

Right-click the Start button and click "Command Prompt (Admin)".

In the User Account Control box, click Yes.

In the Administrator Command Prompt window, execute these commands:


cd C:\Program Files (x86)\Bochs-2.6.9\fdos-10meg
notepad fdos.txt
Paste in this text, as shown below.

# configuration file generated by Bochs
# config_interface: textconfig
# display_library: x
megs: 32
romimage: file=../BIOS-bochs-latest
vgaromimage: file=../VGABIOS-lgpl-latest
boot: disk
# no floppya
# no floppyb
ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14
ata0-master: type=disk, mode=flat, translation=auto, path="fdosmini.img", cylinders=20, heads=16, spt=63, biosdetect=auto, model="Generic 1234"
ata1: enabled=0
ata1-master: type=cdrom, path="/dev/hdc", status=inserted, biosdetect=auto, model="Generic 1234"
ata2: enabled=0
ata3: enabled=0
parport1: enabled=1, file=""
parport2: enabled=0
com1: enabled=1, mode=null, dev=""
pci: enabled=1, chipset=i440fx
floppy_bootsig_check: disabled=0
vga: extension=vbe, update_freq=15
keyboard: serial_delay=250, paste_delay=100000, type=mf, user_shortcut=none
cpu: ips=15000000
mouse: enabled=0
private_colormap: enabled=0
clock: sync=none
# no loader
log: bochsout.txt
logprefix: %t%e%d
debugger_log: -
panic: action=fatal
error: action=report
info: action=report
debug: action=ignore
# no cmosimage

In Notepad, click File, Save. Close Notepad.

In the Administrator Command Prompt window, execute this command:


bochsdbg.exe -q -f fdos.txt
The Boch emulator window opens, showing icons on the top row indicating the status of the floppy drives, CD, mouse, etc.

The Command Prompt window shows a <bochs:1> prompt.

Click in the Command Prompt window and execute this command, as shown below.


c

Using the Emulator

Within a minute or two, the emulator boots up.

Click in the emulator window. At the C:\ prompt, enter this commands:


dir
You see an old-style DOS file system, as shown below.

Shutting Down the Emulator

Click in the Command Prompt window and press Ctrl+C, Ctrl+C, Enter.

Task 3: Viewing Bootup Sectors in Hex

Structure of the MBR

The Master Boot Record (MBR) is the first 512 bytes of a hard disk. It's the same for every operating system.

The figure below shows its structure, from : this page.

The last two bytes are always 55 AA:

The partition table is 64 bytes long, consisting of four entries:

Each 16-byte parition record has this structure. The CHS values specify a location on a hard disk by Cylinder, Head, and Sector numbers.

Viewing the MBR in HxD

Open HxD. In HxD, open this file:

C:\Program Files (x86)\Bochs-2.6.9\fdos-10meg\fdosmini.img

Notice these features, as shown below:

Structure of the Partition Boot Record (PBR)

In HxD, scroll down to address 7E00, as shown below.

The Partition Boot Record (PBR) is the first 512 bytes of an active partition, as explained here.

Notice these items, as shown below.


Task 3: Debugging the FreeDOS Bootup Process

Starting FreeDOS

In the Administrator Command Prompt window, execute this command:

bochsdbg.exe -q -f fdos.txt
The Boch emulator window opens, showing icons on the top row indicating the status of the floppy drives, CD, mouse, etc.

The Command Prompt window shows a <bochs:1> prompt.

Click in the Command Prompt window and execute these commands, as shown below.


r
trace on
s
The "r" command displays the registers, which are all zero except for the rip which contains address fff0.

The "trace on" command tells the debugger to display each instruction as it executes it.

The "s" command performs one instruction (a "step").

As shown below, the first instruction is a jmpf to the address 0xf000:e05b

The next instruction is at location fe05b. This is the way addressing works in 20-bit real mode, which is a very old addressing mode used during boot-up.

Proceeding to the MBR

The code we are seeing now is actually in the BIOS. Let's jump ahead to the MBR, which the BIOS loads at address 7c00.

To do that, execute these commands, which set a breakpoint at 7c00, turn off tracing, and continue executing.

(Note that the first command begins with lowercase LB and does not begin with the numeral "one".)


lb 0x7c00
trace off
c
As shown below, some text appears in the Display window.

Note these items:

Viewing the MBR in RAM

In the Bochs Console window, at the <bochs:8> prompt, execute this command:

x /128x 0x7c00
As shown below, the entire MBR is here, from the 33 C0 to the 55 AA.

Since Intel is little-endian, the bytes are out of order, filing in from the right side of each word first.

In the Bochs Console window, at the <bochs:8> prompt, execute this command:


u /20
This unassembles the next 20 commands. As shown below, there's a repne command, which copies a block of data to address 0x0600, followed by a jmpf 0x0000:0667 command at address 7c16.

To see the data at 0x0600, execute this command:


x /128 0x0600
As shown below, the bytes here are almost all zeroes.

To proceed to the jmpf, execute these commands:


lb 0x7c16
c
x /128 0x0600
As shown below, the bytes after 0x0600 are now full of data. This data begins with 33 c0 and ends with a Boot Record Signature of 55 AA.

To proceed through the jmpf, execute these commands:


trace on
s 30

Flag PMA 421.1: BIOS Command (15 pts)

As shown below, the processor proceeds from 0x0667 through 0x0712 and then executes an "Interrupt 0x10", which types out a character.

The flag is covered by a green rectangle in the imager below.


To see the characters one by one, execute these commands:


lb 0x070e
c
c
c
c
c
c
c
c
As shown below, a message appears saying "F1 ."


Modified Boot Loader to Print "A" (10 pts extra)

The 16-bit object code to print an "A" and halt is shown below.

Copy the "fdosmini.img" file to a file named "fdosA.img".

Edit it to begin with the object code to print an "A", as shown below.

Copy the "fdos.txt" file to a file named "fdosA.txt". Edit it to boot from "fdosA.img" and run it.


Flag PMA 421.2: "A" Bootloader (10 pts extra)

In the Bochs command window, execute these commands:

lb 0x7c00
c
trace on
c
The flag is covered by a green rectangle in the image below.



Cyber Hacker! (15 pts extra)

Insert this bootloader, as shown below:

               bits       16

start:
               mov     bx, 0x7c11
               mov     ah, 0x0e                ; print char service
.loop          mov     al, [bx]
               or      al, al                  ; end of string?
               jz      halt
               inc     bx
               int     0x10                    ; print char
               jmp     .loop                   ; next char

halt:          hlt                             ; halt

msg:           db        "Cyber Hacker!", 0


Flag PMA 421.3: "Cyber Hacker!" Bootloader (15 pts extra)

In the Bochs command window, execute these commands:

show int
c
The flag is covered by a green rectangle in the image below.



Flag PMA 421.4: Secret code (15 pts extra)

Download, unzip, and run this system:

IN5.zip

Enter the secret code to see the flag, as shown below:



Flag PMA 421.5: Secret code #2 (25 pts extra)

Download, unzip, and run this system:

IN6.zip

Enter the secret code to see the flag, as shown below:


Sources

Bochs Hacking Guide
How to Set Up and Run The Bochs Emulator on a Windows™ PC
The BIOS/MBR Boot Process
Wikipedia: MBR
MBR/EBR Partition Tables
Using Bochs internal debugger
Realmode Assembly - Writing bootable stuff - Part 1
BIOS interrupt call
Keyboard Support


Posted 11-18-19
Flags 421.4 and 5 added, and flag numbers corrected: 11-20-19