Professional Documents
Culture Documents
html
Footnotes
This page describes each of the pathways that executing the Windows 7 MBR could possibly take, and what
conditions might 'trigger' the code to go down one path or another. We will note where those decisions are
made, so until you read otherwise, every instruction below will always be executed once the BIOS has loaded
the MBR into Memory and transferred control of the PC's processor to it.
1 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
Bochs normally displays 32-bit registers, but we've edited the screen to show only 16-bit registers (like MS-DEBUG).
Your screen will also display an eflags register like this: id vip vif ac vm rf nt IOPL=0 of df if tf SF zf af pf cf
There's a great deal of information here! We're ready to execute the first MBR instruction in Memory at
0x7c00; code shown in BLUE italics indicates we have just arrived at a 'Breakpoint,' which will turn brown
after being executed (all enabled Breakpoints are indicated by BROWN italic type). Among other things, the
BIOS put AA55 in the AX register, 80h in the DL register, and left the Stack Pointer (SP) set to FFD6. Note:
The CPU mode is always set to 16-bit REAL for execution of the MBR code. Only the SF (Sign) flag was set
to 1; making it 'Negative' (flags register = 0082h). See our page on the 8086 CPU Registers (including how
to interpret the "FLAGS" Register).
After entering an s on the command line to step into (execute) the first instruction, the one at 0x7c02 turns
bold GREEN; indicating it will be the next instruction to be executed. Of course, the AX register was cleared
to zero (by: xor ax,ax), the Sign flag was reset to 0 and both the ZF (Zero) and PF (Parity) flags have
been set to 1 (flags register = 0046h):
2 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
mov ss, ax copies the zeros from AX into the Stack Segment (SS) Register; but it already was zero, so no
real change there:
mov sp, 0x7c00 changes the Stack Pointer (SP) to 0x7c00, and you see all the bytes of the MBR sector
we're executing show up there (in RED):
3 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
NOTE: From this point on, for instructions in which very little changes, we'll provide only the following
'simplified text display' which is similar to that of the old MS-DOS DEBUG screen (but it shows both the Bochs
and DEGUB Flags names).
mov es,ax copies the zeros from AX into the ES (Extra Segment)
Register; which was already zero, so no real change in ES:
mov ds,ax copies the zeros from AX into the DS (Data Segment)
Register; which was already zero, so again no actual change:
mov si,7c00 puts 7C00 into the Source Index (SI) Register, because
we want to copy all the code from 7c00 thru 7dff to a new location:
mov di,0600 puts 0600 into the Destination Index (DI) Register, since
that's the new location in Memory we want to copy the MBR code to:
mov cx,0200 puts 0200 (hex) into the Count Register (CX), in order
to copy all 512 (decimal) bytes of the code to locations 600 - 6ff:
The Clear Direction (cld) instruction ensures the Direction Flag (df) is set to zero, so that any string
4 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
operations will INCREMENT the SI and/or DI Registers; that is, count up rather than down (decrement), since
we want to copy the code to increasing memory locations (not decreasing ones). But df was already zero
(indicating up), so it doesn't change:
The Bochs Debugger disassembles the machine code bytes F3 A4 as: rep movsb byte ptr es:[di], byte
ptr ds:[si], which helps us humans to understand this will REPeatedly copy a string of bytes, one byte at a
time, from the location pointed to by the DS:SI (Data Segment:Source Index) registers to the location pointed
to by the ES:DI (Extra Segment:Destination Index) registers. And from the previous instructions, we know it
will do so for 512 times (CX=0200), in an upwards direction. (See our notes on the REP Instruction in
Microsoft's MBR code for some side details.)
The following shows how executing this rep movsb instruction in a step-by-step manner would take 512
steps! We're going to step through only the first four and finish with the last four (showing only 8 of the 512
steps). The CX register decrements, and the SI and DI registers will increment. The previous step copied the
byte 33h from 7c00 to 0600 and each successive step will copy another of the MBR; until all 512 bytes are
copied:
5 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
NOTE: You can skip all 512 single steps above by simply entering: lb 0x7c17 and then c at the Command
line; which will take you directly to the following instruction.
The following shows the results of executing the last step above (the CX register becomes zero, so we can
move on to the next group of instructions which will push data onto the Stack):
The next two screens show the zero bytes of the AX register and the Word 0x061c being pushed onto the
Stack:
6 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
And with the execution of the retf (Return Far) instruction, both the Words we pushed onto the Stack are
removed from it, and we begin executing the next instruction at its new location of 0000:061C (the whole
sector having been copied to 0x600 through 0x7FF).
The sti (Set Interrupt Flag) sets this bit (IF = 1) in the Flags Register, enabling interrupts; MS-DEBUG's flag
indicator will change from "DI" (Disable Interrupts) to "EI" (Enable Interrupts). This means the processor
begins responding to external, maskable interrupts after the next instruction is executed. Apart from other
changes noted in the following instructions, the hex Word for the Flags Register becomes: 0246.
mov cx,0004 changes the Count (CX) Register; so if needed, all four
Partition Table entries will be checked for the Active indicator (80h):
mov bp,07be puts 07be into the Base Pointer (BP) Register, so we can
check for 80h at the correct offset in each of the 4 P. Table entries:
7 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
This multi-byte CMP (CoMPare) instruction compares the value at the Memory location pointed to by the
SS:BP registers and the given value (Zero), by: Subtracting the second operand (the Zero) from the first
operand (that value in Memory), then setting or clearing bits in the Flags Register according to the rules for
Subtraction (see How Flags are Set for more details). The only difference between this CMP instruction and its
corresponding SUB instruction ("80 6E 00 00") is that the Subtraction operation will also store the result in the
first operand.
The first byte in each of the four possible 16-byte Partition Table entries indicates whether that partition is the
Active partition or not. If, as in the case of most Windows™ OS installs, the Active partition is the first one,
then Memory location 0x7be will contain an 80 hex byte (as shown above); which results in the following:
Since 80h (at 0x7be) - 0 = 80h, the highest bit (bit 7) is a 1, so the Sign Flag is set (SF=1). The Zero Flag is
reset (zf=0) since the result is not all zero bits, and the Parity Flag is also reset (pf=0) since there's only one
1's bit (an odd number) in the result; all other flags are unaffected. (Note: Any byte with its highest bit set
indicates a Negative number and 2's Complement arithmetic; as explained on our 2-Byte Jumps page, must be
used).
8 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
The CMP instruction (just like Subtraction) uses signed bytes (80h actually represents a negative 128), thus
the reason the comparison results in a LESS THAN condition; or expressed differently: Whenever SF (Sign
Flag) is not equal to OF (Overflow Flag). So, execution jumps (forward; "+") by 11 bytes, to location 0x634:
More will be posted in the near future... this page is still Under
Construction !!!
If you need any help in setting up the Bochs Debugger, please email us.
Footnotes
1[Return to Text] The official Windows 7 OS install DVD creates 2 partitions on an un-partitioned drive: The first is labeled
"System Reserved" (with a capacity of 100 MiB); it is set to be the Active partition (Active meaning the partition which
'boots-up' first; there can only be one of these). The other (largest) partition, contains the Windows 7 OS and is set with the
drive letter C: and is also listed as the Boot partition as can be seen in Disk Management:
Disk Management view of small 25 GB Win 7 OS drive. The terms Active and Boot no longer refer to the same partition.
The term Boot refers to the partition which contains the operating system which will boot-up; not the first
"Boot Sector" that is loaded into Memory and executed, which in this case actually comes from the Active
partition. [Return to Text]
You can write to us using this: online reply form. (It opens in a new window.)
9 of 10 12/17/2013 7:17 PM
Pathways through the Windows 7 MBR (with BOCHS) http://starman.vertcomp.com/asm/bochs/W7MBRpaths.html
10 of 10 12/17/2013 7:17 PM