I have GRUB v1.98 and, after disassembling the MBR, I found the following code fragment that I do not understand:

    xor ax,ax
    mov [si+0x4],ax
    inc ax
    mov [si-0x1],al
    mov [si+0x2],ax
    mov word [si],0x10
    mov ebx,[0x7c5c]
    mov [si+0x8],ebx
    mov ebx,[0x7c60]
    mov [si+0xc],ebx
    mov word [si+0x6],0x7000
    mov ah,0x42
    int 0x13

It seems that this piece of code is trying to set up the disk address of the stage 1.5 code, and then load and run it. However, how can I find out which physical block it is trying to read? What's more, what is the purpose of the code for stage 1.5? 0x7000?

I mean the MBR for Windows 7, which loads the following 0x7c00 boot code. This MBR is first loaded at 0x7c00; it contains a code fragment copying the MBR from 0x7c00 to 0x0600, and then goes to 0x0600 if the source code is damaged. Will loading the stage 1.5 code to 0x7000 conflict with the source code at address 0x7000? What's more, I also find:

    jmp short 0x65
    nop
    sar byte [si+0x7c00],1
    mov es,ax
    mov ds,ax
    mov si,0x7c00
    mov di,0x600
    mov cx,0x200
    cld
    rep movsb
    push ax
    push word 0x61c
    retf

at the beginning of the MBR. It seems that the code is trying to do the same thing as in the Windows 7 MBR, copying the original MBR from 0x7c00 to 0x0600, with the exception of the first jmp instruction. Will this code actually be executed? If so, when will control jump here? (I think the answer is YES, but the leading jmp bothers me.)
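
Added example (not part of the original post, and not GRUB's code): the stores in the first fragment fill the 16-byte disk address packet that INT 13h AH=42h (extended read) takes at DS:SI, so replaying them over a dump of the MBR shows which LBA is requested and where the data lands. `build_dap`, `decode_dap` and `SAMPLE_MBR` are hypothetical names, the sample sector is constructed, and 512-byte sectors are assumed.

```python
import struct

LOAD_BASE = 0x7C00   # the BIOS loads the MBR here, so [0x7c5c] is file offset 0x5c
SECTOR = 512         # assumption: 512-byte sectors

def build_dap(mbr: bytes) -> bytes:
    """Replay the fragment's stores into the 16-byte packet at DS:SI."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte boot sector")
    lo, hi = 0x7C5C - LOAD_BASE, 0x7C60 - LOAD_BASE
    dap = bytearray(16)
    struct.pack_into("<H", dap, 0x4, 0)       # mov [si+0x4],ax      (ax = 0)
    # mov [si-0x1],al writes the byte just below the packet; it is not
    # part of the packet and is not modelled here.
    struct.pack_into("<H", dap, 0x2, 1)       # mov [si+0x2],ax      (ax = 1)
    struct.pack_into("<H", dap, 0x0, 0x10)    # mov word [si],0x10
    dap[0x8:0xC] = mbr[lo:lo + 4]             # mov ebx,[0x7c5c] ; mov [si+0x8],ebx
    dap[0xC:0x10] = mbr[hi:hi + 4]            # mov ebx,[0x7c60] ; mov [si+0xc],ebx
    struct.pack_into("<H", dap, 0x6, 0x7000)  # mov word [si+0x6],0x7000
    return bytes(dap)

def decode_dap(dap: bytes) -> dict:
    """Decode the packet: size, reserved, count, buffer offset:segment, 64-bit LBA."""
    size, _reserved, count, off, seg, lba = struct.unpack("<BBHHHQ", dap)
    return {
        "size": size,
        "sectors": count,
        "buffer": f"{seg:04x}:{off:04x}",
        "physical": seg * 16 + off,     # real-mode segment:offset to linear address
        "lba": lba,
        "disk_offset": lba * SECTOR,    # byte offset of that block in a raw image
    }

def make_sample(lba_lo: int, lba_hi: int) -> bytes:
    """Constructed 512-byte sector holding only the two dwords the fragment reads."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<II", mbr, 0x5C, lba_lo, lba_hi)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

SAMPLE_MBR = make_sample(1, 0)   # constructed value, not taken from a real disk

if __name__ == "__main__":
    for key, value in decode_dap(build_dap(SAMPLE_MBR)).items():
        print(f"{key:12} {value}")
```

On a real dump, pass the first 512 bytes of the disk image to `build_dap`; the word stored at `[si+0x6]` is the segment half of the buffer pointer, so the decoded transfer address is 7000:0000.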