A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #18315  by Tigzy
 Sat Feb 23, 2013 8:52 am
Hello

Got this piece of MBR code from bitlock2

I was wondering where I can find the decryption key in this:
Code:
seg000:001D                 xor     al, ds:7FCh
The data segment at 7FCh is outside the MBR code, right?
Code:
seg000:0000                 pushad
seg000:0002                 cld
seg000:0003                 mov     si, 7C00h
seg000:0006                 mov     di, 600h
seg000:0009                 mov     cx, 200h
seg000:000C                 rep movsb
seg000:000E                 mov     bx, 7C2Ch
seg000:0011                 sub     bx, 7C00h
seg000:0015                 add     bx, 600h
seg000:0019                 mov     cx, bx
seg000:001B
seg000:001B loc_1B:                                 ; CODE XREF: seg000:0028j
seg000:001B                 mov     al, [bx]
seg000:001D                 xor     al, ds:7FCh
seg000:0021                 mov     [bx], al
seg000:0023                 inc     bx
seg000:0024                 cmp     bx, 7FBh
seg000:0028                 jnz     short loc_1B
seg000:002A                 jmp     cx

 #18320  by reverser
 Sun Feb 24, 2013 1:40 am
It copies itself to the address 0x600, which means the key byte is at offset 0x1FC (0x7fc-0x600) in the binary.
 #18323  by Tigzy
 Sun Feb 24, 2013 4:50 pm
Thanks!
How do you see it copies to 0x600?

EDIT: Ok, found it
Code:
seg000:0003                 mov     si, 7C00h
seg000:0006                 mov     di, 600h
seg000:0009                 mov     cx, 200h
seg000:000C                 rep movsb
=> Move ECX Bytes from ESI to EDI

Actually, after a quick look at 1FC, it wasn't so hard to find the key. I guess it's 7E :D
Capture.PNG
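The stub posted in #18315 relocates the sector from 0x7C00 to 0x600, XORs every byte from 0x62C up to (but not including) 0x7FB with the single key byte at 0x7FC, and jumps to 0x62C. Reverser's answer in #18320 translates the key address to file offset 0x1FC. The script below is an added example (not from the thread or from any bitlock2 sample) that re-implements that loop in Python so a raw 512-byte MBR dump can be decoded offline; the constants are taken from the listing, the sample sector and the function names are constructed here, and the key value 0x7E used in the self-test is the one Tigzy reports reading at 1FC.

```python
# Added example: Python re-implementation of the XOR decryption loop from the
# MBR stub disassembled in this thread. Constants come from the listing;
# the sample sector built below is a constructed fixture, not a real sample.

SECTOR_SIZE = 0x200       # rep movsb copies CX = 0x200 bytes
LOAD_BASE = 0x7C00        # BIOS loads the MBR here (SI)
RELOC_BASE = 0x600        # the stub relocates itself here (DI)
PAYLOAD_START = 0x7C2C    # mov bx, 7C2Ch: first byte to decode (before relocation)
LOOP_END = 0x7FB          # cmp bx, 7FBh / jnz: the loop stops when BX reaches this
KEY_ADDR = 0x7FC          # xor al, ds:7FCh

# Offsets relative to the start of the 512-byte sector, as seen in a file dump.
KEY_OFFSET = KEY_ADDR - RELOC_BASE             # 0x1FC (reverser's observation)
FIRST_ENCRYPTED = PAYLOAD_START - LOAD_BASE    # 0x2C  (sub bx,7C00h / add bx,600h)
END_ENCRYPTED = LOOP_END - RELOC_BASE          # 0x1FB (exclusive: jnz falls through here)


def extract_key(sector: bytes) -> int:
    """Return the one-byte XOR key stored at offset 0x1FC of the sector."""
    return sector[KEY_OFFSET]


def decrypt_mbr(sector: bytes) -> bytes:
    """Apply the stub's XOR loop to a raw 512-byte MBR and return the decoded sector.

    Bytes 0x2C..0x1FA are XORed with the key at 0x1FC; the stub itself (0x00..0x2B),
    the byte at 0x1FB, the key and the boot signature are left untouched.
    XOR is its own inverse, so the same call re-encrypts a decoded sector.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    key = extract_key(sector)
    out = bytearray(sector)
    # mov al,[bx] / xor al,ds:7FCh / mov [bx],al / inc bx / cmp bx,7FBh / jnz loc_1B
    for i in range(FIRST_ENCRYPTED, END_ENCRYPTED):
        out[i] ^= key
    return bytes(out)


def entry_offset() -> int:
    """Offset within the sector that `jmp cx` lands on (cx == 0x62C, i.e. the first decoded byte)."""
    return PAYLOAD_START - LOAD_BASE


def build_sample_sector(plaintext: bytes, key: int) -> bytes:
    """Construct a test sector: NOP-filled stub area, XOR-encrypted payload, key byte
    at 0x1FC and the 0xAA55 boot signature. Constructed fixture for testing only."""
    if not plaintext or len(plaintext) > END_ENCRYPTED - FIRST_ENCRYPTED:
        raise ValueError("plaintext does not fit in the encrypted region")
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    sector = bytearray(SECTOR_SIZE)
    sector[:FIRST_ENCRYPTED] = b"\x90" * FIRST_ENCRYPTED            # stands in for the loader stub
    sector[FIRST_ENCRYPTED:FIRST_ENCRYPTED + len(plaintext)] = plaintext
    sector[KEY_OFFSET] = key
    sector[0x1FE:0x200] = b"\x55\xAA"                                 # boot signature (0xAA55 little-endian)
    # XOR is symmetric, so running the decryption loop over plaintext encrypts it.
    return decrypt_mbr(bytes(sector))


if __name__ == "__main__":
    import sys
    # Usage: python decrypt_mbr.py <mbr.bin>   -> writes <mbr.bin>.dec
    # Without an argument, round-trip the constructed sample with the key seen in the thread.
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(f"key byte at offset {KEY_OFFSET:#x}: {extract_key(data):#04x}")
        with open(sys.argv[1] + ".dec", "wb") as f:
            f.write(decrypt_mbr(data))
        print(f"decoded sector written; second-stage entry at offset {entry_offset():#x}")
    else:
        sample = build_sample_sector(b"constructed second-stage payload", 0x7E)
        decoded = decrypt_mbr(sample)
        print(decoded[FIRST_ENCRYPTED:FIRST_ENCRYPTED + 32])
```

Run it against a dumped MBR to get the decoded sector; the bytes from offset 0x2C onward in the output are what the stub executes after `jmp cx`, so that offset is where to start disassembling the second stage.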