Let’s take a look at some of the boot code of a pretty standard MBR. The first thing we want to do is a little house keeping, then relocate the code we loaded at 0000:7C1B to 0000:061B. Which is spelled out in the First Part of – The Black Art Of Data Recovery: BIOS, MBR, Virus.
MOV SI,07C1BÂ ;set SI (source index) to 7C1B
MOV DI,0061B ;set DI (destination index) to 061B
PUSH AXÂ Â Â Â Â Â Â Â Â Â Â ;PUSH AX for segment for RETF to 0
PUSH DIÂ Â Â Â Â Â Â Â Â Â Â Â ;PUSH DI for offset for RETF = 061B
MOV CX,01E5Â Â ;1E5 bytes to copy
REP MOVSBÂ Â Â Â Â ;Copy the MBR
RETFÂ Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â ;PULL 0000:061B off stack and JMP to MBR
Once we have the bootstrap code relocated we begin to scan the partition table for a bootable partition.The following figure is one record entry in a partition table. There can be a total of four entries in a partition table.
Partition Record Layout
|
Offset |
Size |
Description |
| 00h | Byte | Boot flag. 80h if partition is bootable, otherwise 0. |
| 01h | Byte | Starting head(0 to 254) |
| 02h | Word | Starting cylinder (0 to 1023) & sector (1 to 63) number |
| 04h | Byte | Partition type (07 NTFS, 06 FAT16, 0C FAT32) |
| 05h | Byte | Ending head number (0 to 254) |
| 06h | Word | Ending cylinder (0 to 1023) & sector (1 to 63) number |
| 08h | Dword | relative sectors to start of partition |
| 0Ch | Dword | Total number of sectors in partition |
Once a bootable partition is found, the boot code pointed to by the relative sectors field of the partition record is read into memory location 0000:7C00 and then an RETF is executed and the boot code for the operating system takes over. This type of boot system is called two phase because the MBR does not load the operating system, it only loads a loader.In other words, the MBR is a preloader for the OS boot loader.
During the boot process and the parsing of the partition records many things can go wrong.If there is not a boot flag set then the system may just hang with a blinking cursor in the upper left hand corner. You may get the message “Invalid partition table”, if the boot flag is set to something other than zero.You may also get the message “Missing operating system” in the AA55 magic number is not present in the OS boot loader. These errors can be fixed by hand. The following is a step by step approach to fixing the boot flag, as well as the OS magic number.
Repairing Boot Flag with WinHex
Each technician has his own set of tools that he relies on.In my case many of my tools are custom written since I am a software engineer. However, there are some tools that are just so good they cannot be improved upon.WinHex from X-Ways Software is such a tool.It has two attributes that are essential to a technician, one, it is extremely flexible, and two, it is very reliable. So, that being said fire up your copy of WinHex, and if you don’t have a copy, the download one, and let the boot flag repairing begin.First of all, as depicted in Figure A, the boot flag is located at offset 446, or 1BEh.In this particular case the boot flag is set to 80h, which is bit seven set. This is a normal partition record, in a single partitioned hard drive.
Figure A
In Figure B we can see what a multi partitioned drive looks like:
Finally, in Figure C we can see what bad boot flag value looks like. The bad boot flag value in Figure C is the value 65h. In order to fix this problem merely change the value to either 80h if you want it bootable, or 00h if you just want it mounted.
Figure C
As you can see, that hard part is knowing where the boot flags are, and then knowing which values you can place in them in order to mount the volume. I have given them both to you. Learn more about data recovery.