I have managed to alter the MBR of a USB pen drive so as to display the string 'MR.ROBOT' in graphics mode while booting and then continuing with the pre-installed Linux Distro (Kali Linux) after waiting for a keypress.
Graph. Mode: (AL= 0Dh 320x200 16 colors)
MBR Dump:
Code highlighted in red is 62 bytes total.
8C C8 8E D8 8E C0 BD 4C 7D FF E5 33 ED 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 33 ED FA 8E D5 BC 00 7C FB FC 66 31 DB 66 31 C9 66 53 66 51 06 57 8E DD 8E C5 52 BE 00 7C BF 00 06 B9 00 01 F3 A5 EA 4B 06 00 00 52 B4 41 BB AA 55 31 C9 30 F6 F9 CD 13 72 16 81 FB 55 AA 75 10 83 E1 01 74 0B 66 C7 06 F1 06 B4 42 EB 15 EB 00 5A 51 B4 08 CD 13 83 E1 3F 5B 51 0F B6 C6 40 50 F7 E1 53 52 50 BB 00 7C B9 04 00 66 A1 B0 07 E8 44 00 0F 82 80 00 66 40 80 C7 02 E2 F2 66 81 3E 40 7C FB C0 78 70 75 09 FA BC EC 7B EA 44 7C 00 00 E8 83 00 4D 52 2E 52 4F 42 4F 54 20 20 20 20 20 6D 69 73 73 69 6E 67 20 6F 72 20 63 6F 72 72 75 70 74 2E 0D 0A 66 60 66 31 D2 66 03 06 F8 7B 66 13 16 FC 7B 66 52 66 50 06 53 6A 01 6A 10 89 E6 66 F7 36 E8 7B C0 E4 06 88 E1 88 C5 92 F6 36 EE 7B 88 C6 08 E1 41 B8 01 02 8A 16 F2 7B CD 13 8D 64 10 66 61 C3 E8 1E 00 4F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 20 6C 6F 61 64 20 65 72 72 6F 72 2E 0D 0A 5E AC B4 0E 8A 3E 62 04 B3 07 CD 10 3C 0A 75 F1 CD 18 F4 EB FD B0 0D CD 10 B4 13 B0 01 B3 04 B9 08 00 B7 00 BD B4 7C 89 D6 B6 09 B2 10 CD 10 89 F2 30 E4 CD 16 8C C8 8E D8 8E C0 BD 0B 7C FF E5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B9 02 00 00 00 00 00 05 FF 7C 1E 00 00 80 02 01 00 17 3F E0 B0 40 00 00 00 C0 87 1D 00 00 00 C1 B1 01 3F E0 FF 00 88 1D 00 00 A5 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
Output and Ascii View:
Analysis:
8C C8 8E D8 8E C0 BD 4C 7D FF E5 : Jump forward to where the code is stored (7d4f)
[Start at OFFSET 7c00] [Linux boot starts at OFFSET 7c0b]
11 bytes
mov ax, cs ; Where are we now? ; Could be 0000:7c00
; or 07c0:0000 or some other combo.
mov ds, ax ; Our data is here too.
mov es, ax ; ES:BP is the pointer to the string.
; ES should match DS and CS.
mov bp, 7d4f ; Offset of our code
jmp bp ; Go to offset
4D 52 2E 52 4F 42 4F : String
[String stored at OFFSET 7cb4]
8 bytes
DB 'MR.ROBOT'
B0 0D CD 10 B4 13 B0 01 B3 04 B9 08 00 B7 00 BD B4 7C 89 D6 B6 09 B2 10 CD 10 89 F2 30 E4 CD 16 8C C8 8E D8 8E C0 BD 0B 7C FF E5 : Change to graph mode + Draw string on screen + Wait for keypress + Jump backwards to 7c0b
[Code stored at OFFSET 7d4f]
43 bytes
mov al,0d ; Select graph mode 320x200 16 colours
int 10h ; Bios call
mov ah,13 ; Write string function
mov al,1 ; Write mode
mov bl,4 ; Color red
mov cx,8 ; String lenth. No. of bytes=8
mov bh,0 ; Page number =0
mov bp,7cb4 ; Point to where the string is located.
mov si, dx ; Temporarily store value of DX
; to retrieve later otherwise boot will freeze.
mov dh,9 ; Row to place the string = 9
mov dl,10 ; Column to place the string = 10
int 10h ; Bios call
mov dx,si ; Recover value of DX
xor ah,ah ; Wait for keypress
int 16h ; Keyboard interrupt
mov ax, cs ; Where are we now?
mov ds, ax ; Our data is here too.
mov es, ax ; ES:BP is the pointer to the string.
; ES should match DS and CS.
mov bp, 7c0b ; Offset to go back
jmp bp ; Go to offset and resume linux bootload
No comments:
Post a Comment