A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #10331  by Tigzy
 Tue Dec 13, 2011 9:03 am

I'm looking for a way to get ASM code from an MBR dump file.
Tried with IDA, but it gives me ASCII code instead of executable code...

Does somebody know a way to do it?
 #10334  by Tigzy
 Tue Dec 13, 2011 10:43 am

Xylitol already gave me this, but I don't understand the "Install 'em all, then build your image file with mbr.py".
How am I supposed to build my image?

I've launched the .bat, but it gave me an error (nasmw.exe not found).
 #10335  by EP_X0FF
 Tue Dec 13, 2011 12:52 pm
Open in IDA as 16 bit code. Select boot code block - press Analyze selected area.
 #10337  by Tigzy
 Tue Dec 13, 2011 2:13 pm
I've got another question.
My aim is to determine whether a bootstrap is associated with a particular OS, as lots of MBR tools do (mbr.exe, aswMBR, MBRCheck).
I have no idea what these detections are based on. Can someone give me some pointers?
 #10341  by Tigzy
 Tue Dec 13, 2011 3:48 pm
So this is by ASM signature?

EDIT: well, I'm beginning to understand. There are some differences that are easily catchable.
I need to get back more dumps. Thanks guys.
 #10346  by rkhunter
 Tue Dec 13, 2011 4:26 pm
What do you mean by ASM signature?
As I remember, bootstrap code hasn't changed much from 2k to Vista? What is your purpose? NT cross-platform MBR restore?
 #10348  by Tigzy
 Tue Dec 13, 2011 6:11 pm
By ASM signature I mean looking for a certain sequence at a certain offset.
As I remember, bootstrap code hasn't changed much from 2k to Vista?
There are some differences I noticed when reversing them, with the help of EP_X0FF's link.

No, I won't restore for the moment, only tag the MBR with an OS version.
f.i.: => Windows XP default MBR code detected, and so on.

Further, I would analyse the TDSS bootstrap as well to identify it.

EDIT: To restore, there is no need for that; I've got the userland MBR code, which is mostly the one that will be used as the valid one (in the case of TDSS, f.i.).
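The "sequence at a certain offset" approach described in the thread, as an added worked example (not code from the thread or from any of the tools named in it): read a 512-byte MBR dump, verify the 0x55AA boot marker, parse the four partition-table entries, and tag the boot code by matching byte patterns at fixed offsets. The seven-byte prologue `33 C0 8E D0 BC 00 7C` (xor ax,ax / mov ss,ax / mov sp,7C00h) is the common start of Microsoft MBRs; the two version tags under it are illustrative patterns and must be confirmed against your own clean dumps before you rely on them. The function `build_sample_mbr` constructs a synthetic dump so the script runs without a real disk image.

```python
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE     # 0x55 0xAA marker (little-endian word 0xAA55)

# Common prologue of Microsoft MBRs: xor ax,ax / mov ss,ax / mov sp,7C00h
MS_PROLOGUE = bytes.fromhex("33C08ED0BC007C")

# Version tags: (label, offset into boot code, byte sequence).
# These are illustrative patterns for this example; verify them against
# your own clean dumps of each OS before using them for detection.
VERSION_TAGS = [
    ("Windows XP default MBR code", 0x07, bytes.fromhex("FB5007501F")),
    ("Windows Vista/7 default MBR code", 0x07, bytes.fromhex("8EC08ED8BE")),
]


def check_boot_signature(mbr: bytes) -> bool:
    """True if the sector ends with the 0x55AA boot marker."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("MBR dump must be at least 512 bytes")
    return mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def match_at(mbr: bytes, offset: int, pattern: bytes) -> bool:
    """Byte-sequence-at-offset test, the core of the 'ASM signature' idea."""
    return mbr[offset:offset + len(pattern)] == pattern


def identify_bootstrap(mbr: bytes) -> dict:
    """Tag the boot code: family (by prologue) and version (by offset pattern)."""
    result = {"valid_signature": check_boot_signature(mbr),
              "family": None, "version": None}
    if match_at(mbr, 0, MS_PROLOGUE):
        result["family"] = "Microsoft-style MBR"
    for label, off, pat in VERSION_TAGS:
        if match_at(mbr, off, pat):
            result["version"] = label
            break
    return result


def build_sample_mbr(version_tag_index: int) -> bytes:
    """CONSTRUCTED sample dump: prologue, one version tag, one partition, 0x55AA."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:len(MS_PROLOGUE)] = MS_PROLOGUE
    _label, off, pat = VERSION_TAGS[version_tag_index]
    mbr[off:off + len(pat)] = pat
    # one bootable partition of type 0x07 starting at LBA 63, 1,000,000 sectors
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1000000)
    mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # usage: python mbr_tag.py mbr.bin   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(MBR_SIZE)
    else:
        data = build_sample_mbr(0)
    print(identify_bootstrap(data))
    for p in parse_partition_table(data):
        print(p)
```

Adding a TDSS-style entry to `VERSION_TAGS` is just another (offset, bytes) pair taken from a dump; the loop stops at the first hit, so put the most specific patterns first.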