
Up expat (2.4.9) fixes CVE-2022-40674
author Pascal Bellard <pascal.bellard@slitaz.org>
date Thu Sep 29 20:05:23 2022 +0000 (19 months ago)
parents 7dd01dedad38
children 4c101652eb90
1 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2 ;; ;;
3 ;; "BootProg" Loader v 1.5 by Alexey Frunze (c) 2000-2015 ;;
4 ;; 2-clause BSD license. ;;
5 ;; ;;
6 ;; ;;
7 ;; How to Compile: ;;
8 ;; ~~~~~~~~~~~~~~~ ;;
9 ;; nasm boot32.asm -f bin -o boot32.bin ;;
10 ;; ;;
11 ;; ;;
12 ;; Features: ;;
13 ;; ~~~~~~~~~ ;;
14 ;; - FAT32 supported using BIOS int 13h function 42h (IOW, it will only ;;
15 ;; work with modern BIOSes supporting HDDs bigger than 8 GB) ;;
16 ;; ;;
17 ;; - Loads a 16-bit executable file in the MS-DOS .COM or .EXE format ;;
18 ;; from the root directory of a disk and transfers control to it ;;
19 ;; (the "ProgramName" variable holds the name of the file to be loaded) ;;
20 ;; Its maximum size can be up to 637KB without Extended BIOS Data area. ;;
21 ;; ;;
22 ;; - Prints an error if the file isn't found or couldn't be read ;;
23 ;; ("File not found" or "Read error") ;;
24 ;; and waits for a key to be pressed, then executes the Int 19h ;;
25 ;; instruction and lets the BIOS continue bootstrap. ;;
26 ;; ;;
27 ;; ;;
28 ;; Known Bugs: ;;
29 ;; ~~~~~~~~~~~ ;;
30 ;; - All bugs are fixed as far as I know. The boot sector has been tested ;;
31 ;; on my HDD and an 8GB USB stick. ;;
32 ;; ;;
33 ;; ;;
34 ;; Memory Layout: ;;
35 ;; ~~~~~~~~~~~~~~ ;;
36 ;; The diagram below shows the typical memory layout. The actual location ;;
37 ;; of the boot sector and its stack may be lower than A0000H if the BIOS ;;
38 ;; reserves memory for its Extended BIOS Data Area just below A0000H and ;;
39 ;; reports less than 640 KB of RAM via its Int 12H function. ;;
40 ;; ;;
41 ;; physical address ;;
42 ;; +------------------------+ 00000H ;;
43 ;; | Interrupt Vector Table | ;;
44 ;; +------------------------+ 00400H ;;
45 ;; | BIOS Data Area | ;;
46 ;; +------------------------+ 00500H ;;
47 ;; | PrtScr Status / Unused | ;;
48 ;; +------------------------+ 00600H ;;
49 ;; | Loaded Image | ;;
50 ;; +------------------------+ nnnnnH ;;
51 ;; | Available Memory | ;;
52 ;; +------------------------+ A0000H - 1KB ;;
53 ;; | Boot Sector | ;;
54 ;; +------------------------+ A0000H - 0.5KB ;;
55 ;; | 0.5KB Boot Stack | ;;
56 ;; +------------------------+ A0000H ;;
57 ;; | Video RAM | ;;
58 ;; ;;
59 ;; ;;
60 ;; Boot Image Startup (register values): ;;
61 ;; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ;;
62 ;; ax = 0ffffh (both FCB in the PSP don't have a valid drive identifier), ;;
63 ;; bx = 0, dl = BIOS boot drive number (e.g. 0, 80H) ;;
64 ;; cs:ip = program entry point ;;
65 ;; ss:sp = program stack (don't confuse with boot sector's stack) ;;
66 ;; COM program defaults: cs = ds = es = ss = 50h, sp = 0, ip = 100h ;;
67 ;; EXE program defaults: ds = es = EXE data - 10h (fake MS-DOS psp), ;;
68 ;; cs:ip and ss:sp depends on EXE header ;;
69 ;; Magic numbers: ;;
70 ;; si = 16381 (prime number 2**14-3) ;;
71 ;; di = 32749 (prime number 2**15-19) ;;
72 ;; bp = 65521 (prime number 2**16-15) ;;
73 ;; The magic numbers let the program know whether it has been loaded by ;;
74 ;; this boot sector or by MS-DOS, which may be handy for universal, bare- ;;
75 ;; metal and MS-DOS programs. ;;
76 ;; The command line contains no arguments. ;;
77 ;; ;;
78 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Build-time configuration. Each flag trades boot-sector bytes (the +/-
;; counts) for a feature; whatever is enabled must still fit in front of the
;; `times (512-13-($-$$))` padding at the end of the file.

; bx(label) / si(label): address a field of this sector relative to a base
; register holding the sector's offset (bx = 0 once running from the copy,
; si = 7C00h while the original is still being copied).
%define bx(label) bx+label-boot
%define si(label) si+label-boot
ClusterMask      equ 1 ; +9 bytes  - mask FAT32 entries to 28 bits
NullEntryCheck   equ 1 ; +5 bytes  - stop scanning at a 00h root-dir entry
ReadRetry        equ 1 ; +7 bytes  - reset the drive and retry a failed read
LBA48bits        equ 1 ; +15 bytes - carry bits 32..47 of the LBA (HiLBA word)
CHSsupport       equ 1 ; +27 bytes - fall back to int 13h fn 02h (CHS)
CHSupTo8GB       equ 1 ; +11 bytes - CHS arithmetic valid for LBAs up to 8 GB
CHSupTo32MB      equ 1 ; +7 bytes  - CHS arithmetic valid for LBAs up to 32 MB
SectorOf512Bytes equ 1 ; -5 bytes  - assume 512-byte sectors instead of reading the BPB
Always2FATs      equ 0 ; -4 bytes  - assume bpbNumberOfFATs == 2

[BITS 16]

ImageLoadSeg equ 60h ; <=07Fh because of "push byte ImageLoadSeg" instructions
StackSize    equ 512

[SECTION .text]
[ORG 0]                 ; all addressing is relative to the sector's own segment
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Boot sector starts here ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; `boot` is byte 0 of the sector. DriveNumber and HiLBA alias its first four
; bytes (the jmp/nop pair and the first OEM-name byte): once execution has
; passed the initial jmp those bytes are free, so they serve as the loader's
; only variables and no separate data area is needed.
boot:
DriveNumber equ boot+0          ; word: dl = BIOS drive, dh = whatever dh held at entry (dx is stored whole)
HiLBA       equ boot+2          ; word: LBA bits 32..47 of the sector being read (LBA48bits)
        jmp short start ; MS-DOS/Windows checks for this jump
        nop
bsOemName DB "BootProg" ; 0x03

;;;;;;;;;;;;;;;;;;;;;;
;; BPB1 starts here ;;
;;;;;;;;;;;;;;;;;;;;;;
; The BPB/BS fields below are placeholders filled in by the formatting tool.
; At run time the loader reads them from the sector the BIOS loaded and uses
; them as-is (no validation).

bpbBytesPerSector DW 0 ; 0x0B
bpbSectorsPerCluster DB 0 ; 0x0D
bpbReservedSectors DW 0 ; 0x0E
bpbNumberOfFATs DB 0 ; 0x10
bpbRootEntries DW 0 ; 0x11
bpbTotalSectors DW 0 ; 0x13
bpbMedia DB 0 ; 0x15
bpbSectorsPerFAT DW 0 ; 0x16
bpbSectorsPerTrack DW 0 ; 0x18
bpbHeadsPerCylinder DW 0 ; 0x1A
bpbHiddenSectors DD 0 ; 0x1C
bpbTotalSectorsBig DD 0 ; 0x20

;;;;;;;;;;;;;;;;;;;;
;; BPB1 ends here ;;
;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;
;; BPB2 starts here ;;
;;;;;;;;;;;;;;;;;;;;;;

bsSectorsPerFAT32 DD 0 ; 0x24
bsExtendedFlags DW 0 ; 0x28
bsFSVersion DW 0 ; 0x2A
bsRootDirectoryClusterNo DD 0 ; 0x2C
bsFSInfoSectorNo DW 0 ; 0x30
bsBackupBootSectorNo DW 0 ; 0x32
bsreserved times 12 DB 0 ; 0x34
bsDriveNumber DB 0 ; 0x40
bsreserved1 DB 0 ; 0x41
bsExtendedBootSignature DB 0 ; 0x42
bsVolumeSerialNumber DD 0 ; 0x43
bsVolumeLabel times 11 DB " " ; 0x47 "NO NAME "
bsFileSystemName times 8 DB " " ; 0x52 "FAT32 "

;;;;;;;;;;;;;;;;;;;;
;; BPB2 ends here ;;
;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Boot sector code starts here ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Entry from the BIOS, running at linear 7C00h. The code first moves
; itself to the top of conventional memory and jumps to the copy, so that
; cs:0 really is `boot` (the file is assembled with ORG 0).
; In:  dl = BIOS boot drive (dx is saved as a whole)
start:
        cld                     ; all string ops below go forward

;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; How much RAM is there? ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        int 12h ; get conventional memory size (in KBs)
        dec ax ; reserve 1K bytes for the code and the stack
        mov cx, 106h            ; cl = 6 is the shift count for the next line;
                                ; the whole cx (262 words = 524 bytes, i.e. the
                                ; sector plus 12 bytes) doubles as the movsw count
        shl ax, cl ; and convert it to 16-byte paragraphs (KB * 64)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Reserve memory for the boot sector and its stack ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        mov es, ax ; cs:0 = ds:0 = ss:0 -> top - 512 - StackSize
        mov ss, ax              ; (a mov to ss defers interrupts past the next instruction)
        mov sp, 512+StackSize ; bytes 0-511 are reserved for the boot code

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Copy ourselves to top of memory ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        mov si, 7C00h
        xor di, di
        mov ds, di              ; ds = 0, so ds:si -> the sector as the BIOS loaded it
        push es                 ; cs for the retf below
        mov [si(DriveNumber)], dx ; store BIOS boot drive number
                                ; (overwrites the already-executed jmp at 7C00h;
                                ; the value travels with the copy)
        rep movsw               ; es:0 <- sector copy, cx words

;;;;;;;;;;;;;;;;;;;;;;
;; Jump to the copy ;;
;;;;;;;;;;;;;;;;;;;;;;

        push byte main          ; ip (cs = es was pushed above)
        retf                    ; far jump to es:main in the copy
; From here on the code runs from the relocated copy: cs = ss = the
; top-of-memory segment chosen by `start`, and ds is set to match.
main:
        push cs
        pop ds                  ; ds:0 -> this sector, so bx(label) fields are reachable

        xor ebx, ebx            ; ebx = 0 for the rest of the loader: bx is the
                                ; base of bx(label), bh/bx serve as a zero operand
                                ; (cmp ..., bh / adc ..., bx) and es:bx = es:0 is
                                ; every read buffer

%if ClusterMask != 0
        and byte [bx(bsRootDirectoryClusterNo+3)], 0Fh ; mask cluster value (entries are 28-bit)
%endif
        mov esi, [bx(bsRootDirectoryClusterNo)] ; esi=cluster # of root dir

        push byte ImageLoadSeg  ; es = ImageLoadSeg: root-dir sectors are read
        pop es                  ; here and later overwritten by the file itself
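; Root-directory scan: reads the root directory one sector at a time into
; es:0 (es = ImageLoadSeg) and compares every 32-byte entry with ProgramName.
; Loop state: esi = next cluster of the directory, cx = sectors left in the
; current cluster (0 on first entry, left by `rep movsw`, which makes
; ReadClusterSector start by walking the FAT), bp = paragraphs per sector
; (set by ReadClusterSector), es:di -> current entry.
; Fix: the end-of-chain test now uses `jc`. `cmp esi, 0FFFFFF6h` leaves
; CF=1 for an ordinary next cluster and CF=0 for an end-of-chain mark (as
; its own comment says), so the former `jnc` kept reading on the last
; cluster and reported "File not found" as soon as a completely full root
; cluster had a valid successor. Same 2-byte encoding, sector size unchanged.
RootDirReadContinue:
        call ReadClusterSector ; read one sector of the root dir

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Look for the COM/EXE file to load and run ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        xor di, di ; es:di -> root entries array

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Looks for a file/dir by its name ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Input: DS:SI -> file name (11 chars) ;;
;; ES:DI -> root directory array ;;
;; BP = paragraphs in sector ;;
;; Output: ESI = cluster number ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

FindNameCycle:
%if NullEntryCheck != 0
        cmp byte [es:di], bh    ; bh = 0: a 00h first byte marks the end of the directory
        je ErrFind ; end of root directory (NULL entry found)
%endif
        pusha                   ; 16 bytes, popped only on a mismatch; on a match they
                                ; stay on the stack and are abandoned when ss:sp is
                                ; reloaded for the program
        mov cl, NameLength      ; ch is 0 here (cx <= sectors per cluster)
        mov si, ProgramName ; ds:si -> program name
        repe cmpsb              ; full match: cx = 0, di = entry + 11
        je FindNameFound
        popa
        add di, byte 32         ; next directory entry
        dec bp                  ; 32 bytes = 2 paragraphs per entry, so bp
        dec bp                  ; reaches 0 exactly at the end of the sector
        jnz FindNameCycle ; next root entry
        loop RootDirReadContinue ; next sector in cluster
        cmp esi, 0FFFFFF6h ; carry=0 if last cluster, and carry=1 otherwise
        jc RootDirReadContinue ; continue to the next root dir cluster (cx = 0 -> fetch it)
ErrFind:
        call Error ; end of root directory (dir end reached)
        db "File not found."
FindNameFound:
; es:di -> entry + 11 (hence the -11 below), cx = 0.
        push word [es:di+14h-11]    ; first cluster, high word (entry offset 14h)
        push word [es:di+1Ah-11]    ; first cluster, low word (entry offset 1Ah)
        pop esi ; esi = cluster no. cx = 0
; NOTE(review): the top 4 bits of this cluster number are not masked here;
; ClusterMask only covers the BPB root cluster and FAT entries.

        dec dword [es:di+1Ch-11] ; load ((n - 1)/256)*16 +1 paragraphs
        imul di, [es:di+1Ch+1-11], byte 16 ; file size in paragraphs (full pages)
; di = bits 8..23 of (size - 1), times 16: the size in paragraphs rounded
; down to 256-byte pages; the read loop adds the final sector.
; NOTE(review): a zero-length entry wraps to 0FFFFh pages and sizes of 1 MB
; or more are truncated to 16 bits; neither case is rejected here.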
;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Load the entire file ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;
; In:  esi = first cluster of the file, cx = 0 (left by repe cmpsb, so the
;      first call walks the FAT), di = file size in paragraphs rounded down
;      to 256-byte pages, es = ImageLoadSeg, bx = 0.
; Reads floor(di / bp) + 1 sectors. Each sector lands at es:0 and es then
; advances by bp (paragraphs per sector); bx stays 0 throughout.
; NOTE(review): the sector count comes only from the directory entry's size
; field; nothing compares ImageLoadSeg + size against the loader's own
; segment (top of memory - 1 KB) or an EBDA, so an oversized or corrupt
; entry overwrites the loader and its stack. Confirm whether the 637 KB
; limit in the header is enforced elsewhere.

        push es                 ; becomes bp (= ImageLoadSeg) after the loop
FileReadContinue:
        push di                 ; paragraphs still to load; ReadClusterSector clobbers di
        call ReadClusterSector ; read one sector of the boot file
        dec cx                  ; one fewer sector left in this cluster
        mov di, es
        add di, bp
        mov es, di ; es:bx updated (next sector goes bp paragraphs higher)
        pop di

        sub di, bp              ; unsigned: keep going until the count borrows,
        jae FileReadContinue    ; i.e. one more sector after di drops below bp
        xor ax, ax
        pop bp                  ; bp = ImageLoadSeg
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Type detection, .COM or .EXE? ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Here: ax = 0, bx = 0, bp = ImageLoadSeg (segment the file was read to),
; dl = BIOS drive. MZ header fields are read through ds:bx = file + 0.

        mov ds, bp ; bp=ds=seg the file is loaded to

        add bp, [bx+08h] ; bp = image base (MZ header size in paragraphs, offset 08h)
        mov di, [bx+18h] ; di = reloc table pointer (MZ relocation table offset, 18h)
; Both loads are speculative: for a .COM they read program bytes and are
; simply overwritten below.

        cmp word [bx], 5A4Dh ; "MZ" signature?
        je RelocateEXE ; yes, it's an EXE program

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Setup and run a .COM program ;;
;; Set CS=DS=ES=SS SP=0 IP=100h ;;
;; AX=0ffffh BX=0 DX=drive and ;;
;; cmdline=void ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

        mov di, 100h ; ip
        mov bp, ImageLoadSeg-10h ; "org 100h" stuff :) ImageLoadSeg:0 == bp:100h; the 256 bytes below are the PSP
        mov ss, bp
        xor sp, sp              ; sp = 0: the first push wraps to the top of the 64 KB segment
        push bp ; cs, ds and es (popped as ds at Run; cs comes from bp, es is copied from ds)
        jmp short Run
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Relocate, setup and run a .EXE program ;;
;; Set CS:IP, SS:SP, DS, ES and AX according ;;
;; to wiki.osdev.org/MZ#Initial_Program_State ;;
;; AX=0ffffh BX=0 DX=drive cmdline=void ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Relocation: ds:di -> table of {offset, segment} pairs relative to the
; image base bp; each pair names a far-segment word in the image to add
; bp to. The count at header offset 06h is decremented in place, so the
; loop runs exactly that many times (stops when it goes negative).
; NOTE(review): count, table offset and every entry are taken from the EXE
; header without bounds checks, so a malformed header can make the fixup
; write anywhere in memory before the program starts.

ReloCycle:
        add [di+2], bp ; item seg (abs)
        les si, [di] ; si = item ofs, es = item seg
        add [es:si], bp ; fixup
        scasw ; di += 2 (compare result unused; df = 0 since `start`)
        scasw ; point to next entry

RelocateEXE:
        dec word [bx+06h] ; reloc items, 32768 max (128KB table)
        jns ReloCycle

        les si, [bx+0Eh]        ; si = initial ss (header 0Eh), es = initial sp (header 10h)
        add si, bp              ; ss is relative to the image base
        mov ss, si ; ss for EXE
        mov sp, es ; sp for EXE (loaded right after ss, while interrupts are deferred)

        lea si, [bp-10h] ; ds and es both point to the segment
        push si ; containing the PSP structure (the 256 bytes just below the image)

        add bp, [bx+16h] ; cs for EXE (header 16h, relative to the image base)
        mov di, [bx+14h] ; ip for EXE (header 14h)
Run:
; Common tail for both formats. Here: top of stack = value for ds/es,
; bp = cs, di = ip, ax = 0, bx = 0, dl = BIOS drive.
        pop ds
        push bp                 ; far return frame: cs:ip = bp:di
        push di
        push ds
        pop es                  ; es = ds
        mov [80h], ax ; clear cmdline (PSP offset 80h: command-tail length = 0)
        dec ax ; both FCB in the PSP don't have a valid drive identifier (ax = 0FFFFh)

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Set the magic numbers so the program knows that it ;;
;; has been loaded by this bootsector and not by MS-DOS ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
        mov si, 16381 ; prime number 2**14-3
        mov di, 32749 ; prime number 2**15-19
        mov bp, 65521 ; prime number 2**16-15

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; All done, transfer control to the program now ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
        retf                    ; pops ip = di, cs = bp pushed above
;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Error Messaging Code ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;
; Invoked as `call Error` immediately followed by an inline message that
; ends with '.'; the return address is the message pointer, so Error never
; returns. Prints the message with the int 10h teletype service, waits for
; a key and re-enters the BIOS bootstrap (int 19h) so the BIOS can try the
; next boot device.
; Requires: ds = this sector (cs), bh = 0 (video page). Clobbers ax, bl, si.

Error:
        pop si                  ; ds:si -> message (the bytes right after the call)
puts:
        mov ah, 0Eh             ; teletype output, bh = page 0
        mov bl, 7               ; foreground colour (used in graphics modes)
        lodsb
        int 10h
        cmp al, '.'             ; '.' terminates the message and is printed too
        jne puts
        cbw                     ; al = '.' is positive, so ah = 0: int 16h fn 0
        int 16h ; wait for a key...
        int 19h ; bootstrap

Stop:                           ; only reached if int 19h returns
        hlt
        jmp short Stop
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Reads a FAT32 sector ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Inout: ES:BX -> buffer ;;
;; EAX = prev sector ;;
;; CX = rem sectors in cluster ;;
;; ESI = next cluster ;;
;; Output: EAX = current sector ;;
;; CX = rem sectors in cluster ;;
;; ESI = next cluster ;;
;; BP -> para / sector ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Two paths, chosen by CX:
;  - CX != 0: more sectors remain in the current cluster. Jumps to
;    ReadSectorLBA with DX = 1 to read the sector after EAX. CX is left
;    unchanged; the caller decrements it.
;  - CX == 0: starts a new cluster. Reads the FAT sector holding entry ESI
;    into ES:BX (the data sector overwrites it afterwards), fetches the
;    next cluster number into ESI, sets ECX = sectors per cluster, computes
;    the cluster's first sector relative to the reserved area and falls
;    through into ReadSectorLBAfromFAT / ReadSectorLBA.
; Requires BX = 0 and DS = this sector. Clobbers DX, DI, SI, BP, flags.
; The cluster value in ESI is used as-is: end-of-chain or bad-cluster marks
; are not detected here, they simply map to a very large sector number.

ReadClusterSector:
%if SectorOf512Bytes != 0
        mov bp, 32 ; bp = paragraphs per sector
%else
        mov bp, [bx(bpbBytesPerSector)]
        shr bp, 4 ; bp = paragraphs per sector
%endif
        mov dx, 1 ; adjust LBA for next sector
        inc cx                  ; inc + loop: jump iff cx != 0, cx itself unchanged
        loop ReadSectorLBA      ; (shorter than test/jnz)

        mul ebx ; edx:eax = 0 (ebx = 0)
%if SectorOf512Bytes != 0
        mov al, 128 ; ax=# of FAT32 entries per sector
%else
        imul ax, bp, byte 4 ; ax=# of FAT32 entries per sector
                                ; NOTE(review): 0 when bpbBytesPerSector < 16,
                                ; which makes the div below fault (#DE)
%endif
        lea edi, [esi-2] ; esi=cluster #  -> edi = data-area index, kept across the FAT read
        xchg eax, esi           ; eax = cluster #, esi = entries per sector
        div esi ; eax=FAT sector #, edx=entry # in sector
        imul si, dx, byte 4 ; si=entry # in sector, clear C  (byte offset of the entry)
%if LBA48bits != 0
        xor dx, dx              ; high word of the FAT sector number = 0
%endif
        call ReadSectorLBAfromFAT ; read 1 FAT32 sector

%if ClusterMask != 0
        and byte [es:si+3], 0Fh ; mask cluster value (entries are 28-bit)
%endif
        mov esi, [es:si] ; esi=next cluster #

; eax = number of FATs * sectors per FAT = size of the FAT area
%if Always2FATs != 0
        imul eax, dword [bx(bsSectorsPerFAT32)], 2
%else
        movzx eax, byte [bx(bpbNumberOfFATs)]
        mul dword [bx(bsSectorsPerFAT32)]
%endif

        xchg eax, edi           ; eax = cluster - 2, edi = FAT area size
        movzx ecx, byte [bx(bpbSectorsPerCluster)] ; 8..128 (ecx is also the caller's "sectors remaining")
        mul ecx ; edx:eax=sector number in data area
        add eax, edi            ; + FAT area = sector relative to the reserved area
%if LBA48bits != 0
        adc dx, bx              ; carry into the high word (bx = 0)
%endif
; falls through into ReadSectorLBAfromFAT with EAX (and DX) = that sector
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Reads a sector from the start of FAT ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; In:  EAX = sector number relative to the first FAT, DX = its bits 32..47
;      (LBA48bits), BX = 0.
; Adds the partition start (bpbHiddenSectors) here, stores the high word in
; HiLBA, then loads DX with bpbReservedSectors and falls through into
; ReadSectorLBA, which adds DX and performs the read.

ReadSectorLBAfromFAT:
        add eax, [bx(bpbHiddenSectors)]
%if LBA48bits != 0
        adc dx, bx              ; propagate the carry (bx = 0)
        mov word [bx(HiLBA)], dx ; read back by ReadSectorLBA for the packet
%endif
        mov dx, [bx(bpbReservedSectors)] ; added to EAX by ReadSectorLBA (fall-through)
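;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Reads a sector using BIOS Int 13h fn 42h ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Input: EAX = LBA (before adding DX, see below) ;;
;; CX = sector count (unused: the packet always reads 1 sector) ;;
;; ES:BX -> buffer address ;;
;; Output: CF = 0 if no more sectors ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Entry: EAX = LBA minus DX, where DX = 1 (next sector of a cluster, via
; `loop ReadSectorLBA`) or bpbReservedSectors (fall-through from
; ReadSectorLBAfromFAT); the upper half of EDX is assumed to be 0. Needs
; BX = 0 and DS = SS = this sector. All registers are preserved by the
; pusha/popa pair; the read-error path never returns (Error -> int 19h).
; The CHS fallback geometry is computed before the fn 42h attempt, so a
; BPB with bpbSectorsPerTrack or bpbHeadsPerCylinder equal to 0 faults
; (#DE) even on drives where the LBA read would have worked.
; Fix: the three divisions use `div` instead of `idiv`. Every dividend here
; is an unsigned, non-negative quantity, and with CHSupTo8GB the second
; quotient (partial LBA / SPT) legitimately ranges up to 0FFFFh; a signed
; `idiv` raises #DE for any quotient above 7FFFh, so about every other LBA
; beyond roughly 1 GB (SPT = 63) faulted before the LBA read was even
; tried. `div` accepts the full 16-bit quotient, and its encoding has the
; same length, so the sector layout is unchanged.

ReadSectorLBA:
        add eax, edx            ; eax = final LBA, bits 0..31
%if LBA48bits != 0
        adc word [bx(HiLBA)], bx ; carry into bits 32..47 (bx = 0)
%endif
        mov dx, [bx(DriveNumber)] ; restore BIOS boot drive number
        pusha                   ; 16 bytes, restored by the second popa at ReadSuccess

; Disk address packet for fn 42h, built on the stack (last push = offset 0):
;   +0  byte  size = 16      +1  byte  reserved = 0        (push byte 16)
;   +2  word  count = 1                                    (push byte 1)
;   +4  word  buffer offset = bx   +6  word buffer segment = es
;   +8  dword LBA bits 0..31 = eax
;   +12 word  LBA bits 32..47 = HiLBA (or 0)   +14 word 0 = bx
        push bx
%if LBA48bits != 0
        push word [bx(HiLBA)] ; 48-bit LBA
%else
        push bx
%endif
        push eax
        push es
        push bx
        push byte 1 ; sector count word = 1
        push byte 16 ; packet size byte = 16, reserved byte = 0

%if CHSsupport != 0
; CHS geometry for the fn 02h fallback: cx = cylinder/sector, dh = head.
%if CHSupTo8GB != 0
        push eax
        pop cx ; save low LBA
        pop ax ; get high LBA
        cwd ; clear dx (assume LBA offset <1TB)  - 1 byte, vs 2 for xor dx,dx
        div word [bx(bpbSectorsPerTrack)] ; up to 8GB disks, avoid divide error
                                ; ax = hi / SPT, dx = hi % SPT (< SPT, so the
                                ; next division cannot overflow)
        xchg ax, cx ; restore low LBA, save high LBA / SPT
%else
; Busybox mkdosfs creates fat32 for floppies.
; Floppies may support CHS only.
%if CHSupTo32MB != 0
        xor dx, dx ; clear dx (LBA offset <32MB)
%else
        cwd ; clear dx (LBA offset <16MB)
%endif
        xor cx, cx ; high LBA / SPT = 0
%endif
        div word [bx(bpbSectorsPerTrack)] ; unsigned: quotient may exceed 7FFFh
; ax = LBA / SPT
; dx = LBA % SPT = sector - 1
        inc dx

        xchg cx, dx ; restore high LBA / SPT, save sector no.
        div word [bx(bpbHeadsPerCylinder)] ; dx:ax = the full 32-bit LBA / SPT
; ax = (LBA / SPT) / HPC = cylinder
; dx = (LBA / SPT) % HPC = head

        xchg ch, al ; clear al (ch = cylinder bits 0..7; ch was 0 since sector < 256)
; ch = LSB 0...7 of cylinder no.
%if CHSupTo8GB != 0 || CHSupTo32MB != 0
        shr ax, 2               ; cylinder bits 8..9 -> al bits 6..7
        or cl, al
; cl = MSB 8...9 of cylinder no. + sector no.
%endif
        mov dh, dl
; dh = head no.
        mov dl, [bx(DriveNumber)] ; restore BIOS boot drive number
%endif

ReadSectorRetry:
        mov si, sp              ; ds:si -> packet (ds = ss here)
        mov ah, 42h ; ah = 42h = extended read function no.
        int 13h ; extended read sectors (DL, DS:SI)
        jnc ReadSuccess ; CF = 0 if no error

%if CHSsupport != 0
        mov ax, 201h ; al = sector count = 1
; ah = 2 = read function no.
        int 13h ; read sectors (AL, CX, DX, ES:BX)

        jnc ReadSuccess ; CF = 0 if no error
%endif
%if ReadRetry != 0
%if CHSsupport != 0
        cbw ; ah = 0 = reset function (al = 1 is positive)
%else
        xor ax, ax ; ah = 0 = reset function
%endif
        int 13h ; reset drive (DL)

        dec bp ; up to 32 retries (bp = paragraphs per sector; popa restores the caller's copy)
        jnz ReadSectorRetry
%endif

        call Error              ; does not return
        db "Read error."

ReadSuccess:

        popa ; sp += 16  (discards the packet)
        popa                    ; restores every register, including bp
        ret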
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Fill free space with zeroes ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; 512 - 13 leaves room for the 11-byte name and the 2-byte signature; NASM
; rejects a negative repeat count, so code growth past the budget fails
; at assembly time rather than silently truncating the sector.
        times (512-13-($-$$)) db 0

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Name of the file to load and run ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Compared byte-for-byte against the first 11 bytes of each root-directory
; entry (see FindNameCycle), so it must be in directory-entry form (space
; padded, no dot). All zeros in the source; its fixed position (sector byte
; 499) allows it to be patched into the assembled image.
NameLength equ 11
ProgramName times NameLength db 0 ; name and extension

;;;;;;;;;;;;;;;;;;;;;;;;;;
;; End of the sector ID ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;
        dw 0AA55h ; BIOS checks for this ID