SoFunction
Updated on 2025-04-10

A code that can penetrate restore cards and restore software

CVC/GB  The windy man
Restore cards and restore software are widely used on computers in public places such as school computer rooms and Internet cafes. These restore cards and restore software (hereinafter called virtual restore technology) record every write operation to the hard disk: whether you copy, delete or format a partition, everything goes back to the state before the operation as soon as the machine is restarted. Some virtual restore vendors therefore add the line "prevents all computer viruses" to their advertising. In most cases this virtual restore method really does protect the computers in public computer rooms well. Is there really no way through this protection mechanism? There is, and I will explain it step by step.
1. Principles of virtual restore technology
What this article describes is the technique commonly used in restore cards and restore software. Different brands and manufacturers certainly do not build identical products, but the principle is the same.
First, the restore card or restore software seizes the boot process: it saves the original head 0, cylinder 0, sector 1 (the master boot sector) in some other sector (which sector it is backed up to varies from product to product) and writes its own code into head 0, cylinder 0, sector 1, so that it gains execution before the operating system. This is similar to a boot-sector virus. Now let us look at what the virtual restore technology does before the operating system runs:
1. Save the entry address of INT 13H from the interrupt vector table;
2. Write its own replacement code for INT 13H into memory and remember its entry address. Of course this "write to memory" is not an ordinary write but what we call making the program "resident". The implementation of resident programs is not described further here; if you are not familiar with it, look up the relevant material, or get in touch with the author (The windy man) to discuss it;
3. Change the entry address of INT 13H in the interrupt vector table to the entry address of this resident program. In addition, after modifying the INT 13H entry, the virtual restore program often modifies several other interrupt entries as well, again through resident code. Those interrupts are used to watch the INT 13H entry address in the interrupt vector table; as soon as it is found to have been modified, it is changed back immediately. This is done to keep the hook from being undone by people with that intention.
You have already seen that this code, which replaces the INT 13H provided by the BIOS, is the key to virtual restore technology. So what exactly does this code implement? Here is my simple understanding:
1. Intercept all INT 13H operations on head 0, cylinder 0, sector 1 of the hard disk
These include reads and writes: every operation on head 0, cylinder 0, sector 1 is changed into an operation on the sector where the virtual restore program backed up the original contents. The purpose is to protect the virtual restore code from being corrupted, and to keep interested people from reading it out and cracking it. Even if you view the master boot area with a sector editing tool, what you actually see is this backup copy of the master boot area.
2. Intercept all hard disk write operations in INT 13H
This covers the INT 13H write operations that address hard disks below 8G by head, track and sector, the INT 13H write operations on large hard disks that address by sector number, and even INT 13H writes to some hard disks with non-IDE interfaces.
What to do after interception is the key to realizing virtual restore technology. Under early DOS systems it was possible to simply "do nothing": when the user wrote to the hard disk, nothing actually happened. Current operating systems, however, must perform some necessary writes to the hard disk, for example writes to virtual memory. As everyone knows, virtual memory is really hard disk space, and if the operating system were forbidden to write to the hard disk the consequences would be unimaginable. Therefore most virtual restore vendors reserve some hard disk space, record the write operations performed on the hard disk there, and discard the record when the system restarts. How to record the hard disk writes "scientifically", though, is a problem I have never figured out. "Scientifically" here refers to time and to the amount of hard disk space used: recording the writes in the least time and with the least hard disk space is the key to the implementation. If you have ideas about this, please get in touch with me;
3. Back up the contents of ports 70H and 71H (the CMOS RAM) and, at each boot, compare the current contents of ports 70H and 71H with the backup. If they differ, prompt that the BIOS settings may have been modified, ask whether to restore them, and use a password to verify whether the modification of the BIOS settings was legitimate.
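The mechanism of points 1 to 3 above as a small Python model (an added illustration, not any vendor's code): the Disk and RestoreLayer classes, the backup and scratch locations and the redirect map are assumptions made for this example. The layer stands where the hooked INT 13H handler sits, sends boot-sector accesses to the backup copy, parks every other write in reserved scratch sectors, and drops its map on reboot; the space question raised above comes down to that map, which holds one entry per distinct sector written rather than per write.

```python
SECTOR = 512
MBR = (0, 0, 1)                          # head 0, cylinder 0, sector 1

class Disk:
    """Plain hard disk: nothing is filtered, every write lands on the medium."""
    def __init__(self, heads=2, cylinders=4, sectors=8):
        self.data = {(h, c, s): bytes(SECTOR) for h in range(heads)
                     for c in range(cylinders) for s in range(1, sectors + 1)}

    def read(self, chs):
        return self.data[chs]

    def write(self, chs, buf):
        if len(buf) != SECTOR:
            raise ValueError("one full sector per write")
        self.data[chs] = bytes(buf)

class RestoreLayer:
    """Hypothetical stand-in for the resident code hooked into INT 13H."""
    def __init__(self, disk, backup_chs, scratch):
        self.disk = disk
        self.backup = backup_chs            # where the real boot sector was moved
        self.scratch = list(scratch)        # reserved sectors that absorb writes
        self.disk.write(backup_chs, disk.read(MBR))
        self.disk.write(MBR, b"RESTORE-LOADER".ljust(SECTOR, b"\0"))  # the card's own code
        self.redirect = {}                  # original chs -> scratch chs; RAM only

    def _target(self, chs):
        # rule 1: any access to the boot sector is moved to the backup copy
        return self.backup if chs == MBR else chs

    def read(self, chs):
        chs = self._target(chs)
        return self.disk.read(self.redirect.get(chs, chs))

    def write(self, chs, buf):
        # rule 2: a write never reaches its own sector; the first write to a
        # sector claims one scratch sector, later writes reuse it (copy-on-write)
        chs = self._target(chs)
        if chs not in self.redirect:
            if not self.scratch:
                raise IOError("scratch area exhausted")
            self.redirect[chs] = self.scratch.pop()
        self.disk.write(self.redirect[chs], buf)

    def reboot(self):
        # nothing is copied back: forgetting the map is the whole "restore"
        self.scratch.extend(self.redirect.values())
        self.redirect.clear()
```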

2. PC interrupt mechanism
Interrupts provide the most basic hardware/software interface: a programmer does not need to understand the details of the hardware and can complete the corresponding function simply by calling the interrupt service routine the system provides, which makes programming much more convenient. The mechanism works as follows. When an interrupt source issues an interrupt request, the CPU decides whether to respond (when it is doing more important work it may defer the response). If the interrupt is accepted, then after the current instruction completes the CPU pushes the address of the next instruction (the breakpoint), the contents of the registers and the state of the flags onto the stack, and transfers to the entry of the interrupt source's service routine to perform the interrupt processing. When the processing is finished, the saved registers, flag state and instruction pointer are restored from the stack, so the CPU returns to the breakpoint and continues with the next instruction.
To distinguish the interrupts from one another, the PC system assigns each interrupt a number N. For example, INT 3H is the breakpoint interrupt and INT 10H is the display interrupt. What we discuss today is INT 13H, the disk read/write interrupt.
One article is not enough to explain the PC interrupt mechanism fully; what I give here is only a rough outline. If something is unclear, consult other material or get in touch with me. What matters today is to use INT 13H as an example to see what the interrupts the BIOS provides actually do. A so-called BIOS interrupt is simply an interrupt provided by the BIOS of your machine. What lies behind a BIOS interrupt? In fact, a set of input and output operations on ports. Each port of the PC implements a specific function, and we can drive those ports directly with IN and OUT instructions, without calling the interrupts provided by the BIOS, to achieve exactly what a BIOS interrupt call achieves. The one prerequisite is that you must have a detailed understanding of those ports. Conversely, a major benefit of the PC interrupt system is that it lets programmers work without knowing the hardware at the bottom of the system. From this point of view, interrupts are a bit like what we usually call "encapsulation". I am not sure whether that is the right word, but interrupts do "encapsulate" many details of the underlying system for us.

3. The specific meaning of hard disk read and write port
The commonly used ports for operating a hard disk are 1F0H~1F7H; the meaning of each port is as follows:

Port     Read/Write    Meaning
1F0H     Read/Write    Data port: sector data passes through it, one 16-bit word at a time
1F1H     Read          Error register: reading it gives the reason for the last error
1F2H     Read/Write    Number of sectors to read or write
1F3H     Read/Write    Sector number to read or write
1F4H     Read/Write    Low 8 bits of the cylinder number
1F5H     Read/Write    High bits of the cylinder number
1F6H     Read/Write    Drive and head select:
                       bit 7      always 1
                       bit 6      0 for head/cylinder/sector addressing
                       bit 5      always 1
                       bit 4      0 selects the first hard disk, 1 the second
                       bits 3~0   head number
1F7H     Read          Status register:
                       bit 7      1 = drive busy; the other bits are not valid while it is set
                       bit 6      1 = drive ready
                       bit 5      1 = drive write fault
                       bit 4      1 = seek complete
                       bit 3      1 = sector buffer ready for a data transfer (0 = not ready)
                       bit 2      1 = the data read was corrected by ECC
                       bit 1      index: set to 1 once per disk revolution
                       bit 0      1 = the previous command ended with an error
         Write         Command port, used to issue a command:
                       50H   format the track
                       20H   try to read sectors
                       21H   read sectors directly, without verifying whether the sector is ready
                       22H   try to read long sectors (on early hard disks a sector was not necessarily 512 bytes but anywhere from 128 to 1024 bytes)
                       23H   read long sectors directly, without verifying whether the sector is ready
                       30H   try to write sectors
                       31H   write sectors directly, without verifying whether the sector is ready
                       32H   try to write long sectors
                       33H   write long sectors directly, without verifying whether the sector is ready
Note: after reading this table you will notice that this way of reading and writing through the ports is likewise based on head, cylinder and sector addressing of the hard disk. However, hard disks larger than 8G are also read and written through ports 1F0H~1F7H ^_^
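An added helper (Python, not from the article) that applies the table above: it decodes a sequence of OUT writes to ports 1F2H~1F7H back into the drive, head, cylinder, sector, count and command they select, names the bits of a status byte read from 1F7H, and models the status polling loop with the error check a robust loop needs. The trace format and the function names are assumptions for this example; a monitor that sees the ATA ports driven directly can tell which sector a program that goes around INT 13H touched and whether the command modifies the disk.

```python
# Command bytes for port 1F7H, as listed in the table above.
COMMANDS = {0x20: "read sectors", 0x21: "read sectors (direct)",
            0x22: "read long sectors", 0x23: "read long sectors (direct)",
            0x30: "write sectors", 0x31: "write sectors (direct)",
            0x32: "write long sectors", 0x33: "write long sectors (direct)",
            0x50: "format track"}
MODIFYING = {0x30, 0x31, 0x32, 0x33, 0x50}          # commands that change the disk
STATUS_BITS = {7: "BSY", 6: "DRDY", 5: "DWF", 4: "DSC",
               3: "DRQ", 2: "CORR", 1: "IDX", 0: "ERR"}

def decode_trace(trace):
    """trace: list of (port, byte) OUT operations in program order.
    Returns one record per command issued on 1F7H, describing the
    register contents (1F2H..1F6H) at that moment."""
    regs, records = {}, []
    for port, value in trace:
        if 0x1F2 <= port <= 0x1F6:
            regs[port] = value & 0xFF             # task-file register latch
        elif port == 0x1F7:
            sel = regs.get(0x1F6, 0xA0)
            records.append({
                "command": COMMANDS.get(value, "unknown %02XH" % value),
                "modifies_disk": value in MODIFYING,
                "drive": (sel >> 4) & 1,          # bit 4 of 1F6H
                "head": sel & 0x0F,               # bits 3..0 of 1F6H
                "cylinder": (regs.get(0x1F5, 0) << 8) | regs.get(0x1F4, 0),
                "sector": regs.get(0x1F3, 0),
                "count": regs.get(0x1F2, 0) or 256,   # a count of 0 means 256
            })
    return records

def decode_status(value):
    """Names of the bits set in a byte read from port 1F7H."""
    return [name for bit, name in STATUS_BITS.items() if value & (1 << bit)]

def wait_for_buffer(status_reads):
    """Model of a 'wait until the sector buffer is ready' loop over a list of
    successive status reads. Returns the index of the first status with DRQ
    set, or -1 if ERR is seen first or the reads run out (no endless spin)."""
    for i, status in enumerate(status_reads):
        if status & 0x80:                        # BSY: other bits not valid yet
            continue
        if status & 0x01:                        # ERR: the command failed
            return -1
        if status & 0x08:                        # DRQ: sector buffer ready
            return i
    return -1
```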


4. An example of reading and writing the hard disk through its input and output ports
Let us look at an example program that reads the hard disk both through INT 13H and through the ports. The example shows in detail how the hard disk's read/write ports are used, and compares the data obtained by reading the master boot area through INT 13H with the data obtained by reading it through the input and output ports, confirming that the two operations do the same thing. The program fragment is as follows:

mov     dx,1f6h         ; port 1F6H: drive and head to read
mov     al,0a0h         ; drive 0, head 0 (bits 7 and 5 are always set)
out     dx,al

mov     dx,1f2h         ; port 1F2H: number of sectors to read
mov     al,1            ; one sector
out     dx,al

mov     dx,1f3h         ; port 1F3H: sector number to read
mov     al,1            ; sector number 1
out     dx,al

mov     dx,1f4h         ; port 1F4H: low 8 bits of the cylinder to read
mov     al,0            ; cylinder 0
out     dx,al

mov     dx,1f5h         ; port 1F5H: high bits of the cylinder to read
mov     al,0            ; (the cylinder number being read is 0)
out     dx,al

mov     dx,1f7h         ; port 1F7H: command port
mov     al,20h          ; try to read sectors
out     dx,al
still_going:
in      al,dx           ; read the status register back from 1F7H
test    al,8            ; bit 3: is the sector buffer ready?
jz      still_going     ; not ready yet: keep polling, do not continue until it is

mov     cx,512/2        ; loop count: 512 bytes = 256 16-bit words
mov     di,offset buffer
mov     dx,1f0h         ; port 1F0H: data port, one word per IN
rep     insw            ; transfer 256 words from the data port into ES:DI

;   ------

mov     ax,0201h        ; INT 13H function 02H, 1 sector: head 0, cylinder 0, sector 1 of the hard disk
mov     dx,80h          ; DH = head 0, DL = 80H (first hard disk)
mov     cx,1            ; CH = cylinder 0, CL = sector 1
mov     bx,offset buffer2 ; ES:BX = destination buffer
int     13h

mov     cx,512          ; the following part compares the data read by the two methods
mov     si,offset buffer
mov     di,offset buffer2
repe    cmpsb
jne     failure
mov     ah,9            ; DOS: print the "buffers match" message
mov     dx,offset readmsg
int     21h
jmp     good_exit
failure:
mov     ah,9            ; DOS: print the failure message
mov     dx,offset failmsg
int     21h
good_exit:              ; the following part ends the program
mov     ah,4ch          ; DOS: terminate the program
int     21h

readmsg db      'The buffers match.  Hard disk read using ports.