### Principle of Hard Disk Locking
A hard disk logical lock usually tampers with the hard disk's partition table, so the partition table should be understood first. It is located in cylinder 0, head 0, sector 1. The first 446 bytes of that sector (offsets 000H to 1BDH) hold the master boot program; from offset 1BEH onward come the 64 bytes of the partition table. The table is divided into 4 entries of 16 bytes each, each describing one partition. A disk partitioned with the DOS FDISK program uses at most two entries: the first describes the primary DOS partition and the second the extended DOS partition.
The structure of one column of the partition table and the meaning of each byte are as follows:
- 00H - Active flag. 80H for the active (bootable) DOS partition, 00H otherwise.
- 01H - Head number of logical sector 0 (the first sector) of this partition.
- 02H - Sector number of logical sector 0 within its track.
- 03H - Cylinder number of logical sector 0.
- 04H - Partition type flag.
- 05H - Head number of the last sector of this partition.
- 06H - Sector number of the last sector.
- 07H - Cylinder number of the last sector.
- 08H - Number of sectors on the hard disk before this partition, as a double word.
- 0CH - Number of sectors in this partition, counted from logical sector 0 and excluding hidden sectors, as a double word.
Although the cylinder number and the sector number each appear to occupy one byte above, the sector number actually uses only 6 bits and the cylinder number 10 bits: the two highest bits of the byte holding the sector number are the two highest bits of the cylinder number.
The two bytes immediately after the 64-byte partition table, the last two bytes of the sector, are the partition table's validity flag. If they are changed, the hard disk can no longer boot: this is the simplest way to lock a hard disk. The remedy is to boot from a floppy disk; the hard disk is still usable after booting, so restore the flag with Debug or with Diskedit from Norton Utilities, and booting from the hard disk works again. Another way to lock the hard disk is to tamper with the partition parameters. If all of them are set to 0, the partition parameters cannot be found at boot and the hard disk cannot boot. After booting from a floppy disk the hard disk is not recognized: typing the drive letter C and pressing Enter gives the prompt "Invalid drive specification". Fortunately the computer still boots, and an unrecognized hard disk is no obstacle: from drive A, DOS Debug can still read cylinder 0, head 0, sector 1 of the hard disk, modify it and write it back to the same place, and after a restart everything is fine again. If the partition parameters are changed to arbitrary other values, it may not even be possible to boot from a DOS setup disk: after pressing F3 to exit, a memory allocation error occurs, DOS reports that its command interpreter COMMAND.COM cannot be loaded, and the system hangs. The author has met this situation. A floppy disk formatted as a system disk still boots normally, though, and as long as Debug is available the partition table parameters can be changed back.
The dreadful case is a partition table whose parameters have been changed into a cyclic chain: the entry after drive C points to drive D, the entry after drive D points back to drive C, and so on round and round. When DOS or Windows 95 boots it reads logical drives endlessly and simply hangs. As long as that hard disk is present the computer cannot boot, whether from floppy disk or hard disk, and because the hard disk itself is the cause, moving it to another computer does not help either: the hard disk is completely locked. The author has met this situation too. To see it for yourself, change the byte at offset 1D0H of cylinder 0, head 0, sector 1 of the hard disk to 1 (if drive D does not start at a high enough cylinder number this byte is already 1) and the byte at 1D1H to 0, which makes the starting cylinder number of drive D the same as that of drive C, and watch whether the computer still boots. Do not try this without adequate preparation.
A complete hard disk locking program does no more than rewrite the boot program in cylinder 0, head 0, sector 1 and destroy, or deliberately make cyclic, the partition table, while keeping the real partition table parameters and boot program in other hidden sectors under its protection. If the wrong password is given at boot the computer cannot start; with the right password it boots normally. With such a program, in the mild case the machine can still be booted from a floppy disk; in the severe case even a floppy disk will not boot, and the hard disk is truly locked.
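As an added worked example (Python written for this edit, not code from the original post), the following parses the 64-byte table described above from a constructed MBR image, unpacks the 6-bit sector / 10-bit cylinder fields, and follows the extended-partition chain with a loop guard, so that the cyclic chain the text warns about is reported instead of hanging the reader. The sample disk layout, the offset names and the function names are assumptions made here; the two offsets 1D0H and 1D1H used for the locked variant are the ones quoted in the text.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE            # partition table begins at 1BEH
SIGNATURE_OFFSET = 0x1FE        # the two validity bytes after the 64-byte table
EXTENDED_TYPES = {0x05, 0x0F}   # type flags of a DOS extended partition
MAX_DRIVES = 26                 # DOS allows drive letters A..Z only

def encode_chs(cyl, head, sec):
    """Pack (cylinder, head, sector) into the 3 bytes of a table entry: head, then the
    6-bit sector with cylinder bits 8-9 in the top two bits, then the cylinder's low byte."""
    assert 0 <= cyl < 1024 and 0 <= head < 256 and 1 <= sec < 64
    return bytes([head, ((cyl >> 2) & 0xC0) | sec, cyl & 0xFF])

def decode_chs(head, sec_byte, cyl_byte):
    """Inverse of encode_chs: the two high bits of the sector byte are cylinder bits 8-9."""
    return (((sec_byte & 0xC0) << 2) | cyl_byte, head, sec_byte & 0x3F)

def make_entry(active, ptype, start, end, before, count):
    """Build one 16-byte entry in the layout listed in the text (offsets 00H..0FH)."""
    return (bytes([0x80 if active else 0]) + encode_chs(*start) + bytes([ptype])
            + encode_chs(*end) + struct.pack('<II', before, count))

def make_sector(entries, boot_code=b''):
    """Constructed MBR/EBR image: boot code padded to 1BEH, up to 4 entries, 55AAH signature."""
    table = b''.join(entries).ljust(64, b'\0')
    return boot_code.ljust(TABLE_OFFSET, b'\0') + table + b'\x55\xAA'

def parse_table(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError('need one 512-byte sector')
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b'\x55\xAA':
        raise ValueError('validity flag is wrong: the hard disk would not boot')
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        act, sh, ss, sc, ptype, eh, es, ec, before, count = struct.unpack('<BBBBBBBBII', raw)
        entries.append({'active': act == 0x80, 'type': ptype,
                        'start': decode_chs(sh, ss, sc), 'end': decode_chs(eh, es, ec),
                        'sectors_before': before, 'sector_count': count})
    return entries

def walk_chain(read_sector):
    """Follow the extended-partition chain from cylinder 0, head 0, sector 1 the way DOS's
    SysInt_I does, but stop on a repeated position or after 26 drives instead of looping.
    read_sector(cyl, head, sec) -> 512 bytes. Returns (visited positions, looped)."""
    visited, pos = [], (0, 0, 1)
    while pos not in visited and len(visited) < MAX_DRIVES:
        visited.append(pos)
        links = [e for e in parse_table(read_sector(*pos)) if e['type'] in EXTENDED_TYPES]
        if not links:
            return visited, False
        pos = links[0]['start']
    return visited, True

# Constructed sample disk: C: is a primary DOS partition; D: is a logical drive inside an
# extended partition starting at cylinder 300, which exercises the 10-bit cylinder encoding.
MBR = make_sector([
    make_entry(True, 0x06, (0, 1, 1), (299, 15, 63), 63, 299 * 16 * 63 - 63),
    make_entry(False, 0x05, (300, 0, 1), (599, 15, 63), 300 * 16 * 63, 300 * 16 * 63),
])
EBR_D = make_sector([
    make_entry(False, 0x06, (300, 1, 1), (599, 15, 63), 63, 300 * 16 * 63 - 63),
])
HEALTHY = {(0, 0, 1): MBR, (300, 0, 1): EBR_D}

# The locked variant from the text: bytes 1D0H/1D1H of the MBR set to 01H/00H, so the
# extended entry's start becomes cylinder 0, head 0, sector 1, the same as drive C.
LOCKED_MBR = bytearray(MBR)
LOCKED_MBR[0x1D0], LOCKED_MBR[0x1D1] = 0x01, 0x00
LOCKED = {(0, 0, 1): bytes(LOCKED_MBR)}

def chain_status(disk):
    """Return ('ok' | 'cyclic', positions visited) for a dict of CHS -> sector bytes."""
    visited, looped = walk_chain(lambda c, h, s: disk[(c, h, s)])
    return ('cyclic' if looped else 'ok'), visited

if __name__ == '__main__':
    print(parse_table(MBR)[1]['start'])   # (300, 0, 1)
    print(chain_status(HEALTHY))           # ('ok', [(0, 0, 1), (300, 0, 1)])
    print(chain_status(LOCKED))            # ('cyclic', [(0, 0, 1)])
```

Because the sample extended partition starts at cylinder 300 (12CH), byte 1D0H of the constructed MBR holds 41H rather than 01H: sector 1 plus cylinder bits 8-9 = 01. That is exactly the detail behind the text's remark that the byte is "originally 1" only when drive D starts at a low enough cylinder.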
### Program Method to Unlock the Hard Disk Lock
If the hard disk is locked, is it really impossible to unlock it? Of course not. Consider where the problem really lies: in the DOS file IO.SYS, which contains four modules, LOADER, IO1, IO2 and IO3. IO1 holds a critical routine, SysInt_I, which is very stubborn at boot: it must read the partition table and will not stop until it has read all of it, so on a cyclic partition table it simply hangs. This is a fragility and an incompleteness of DOS, though DOS cannot really be blamed: to gain use of the hard disk it must read the partition parameters, and although it limits the number of drives to 26 it never anticipated a cyclic partition table. In short, the computer fails to boot only because of the DOS operating system; with a different operating system it might well boot, but that is said in jest.
Once it is understood that DOS is the cause, the problem is easy to solve. DOS has to read the hard disk partition table during booting; if it is prevented from reading the partition table, or from reading the hard disk at all, it boots smoothly. That is indeed the case, and the hard disk unlocking program is built on this idea. Naturally it can only start by booting from a floppy disk.
Consider the computer's boot process. The many hardware self-tests carried out at power-on do not concern us; what matters is the first thing the computer does with a disk. If booting from the hard disk is selected, it reads cylinder 0, head 0, sector 1 of the hard disk into memory at 0000:7C00 and jumps to 0000:7C00 to execute it. If booting from a floppy disk is selected, it reads track 0, head 0, sector 1 of drive A into memory at 0000:7C00 and jumps there. The computer never examines what that sector contains; it mechanically executes whatever was read. That is what lets so many system viruses survive, and it also gives our unlocking program its opening. Take a system floppy disk formatted by DOS so that it boots the computer, move the contents of its track 0, head 0, sector 1 to an unused sector later on the disk, and write a program of our own into track 0, head 0, sector 1; when booting from that floppy disk, our program runs first. That program does the following: before DOS boots, it intercepts INT 13H, stays resident in upper memory monitoring INT 13H, checks whether a request reads the hard disk and, if so, returns immediately. Reading the hard disk is thus refused, and the crash caused by DOS reading the hard disk's cyclic partition table is avoided. It also intercepts floppy reads: a read of track 0, head 0, sector 1 of the floppy disk is changed into a read of the sector that really holds the boot program and the disk parameter table, so that DOS does not crash during booting for want of the floppy's disk parameter table.
While doing this it must also read the real boot program of the floppy disk and hand control over to it.
This method can be called universal because, when booting from the floppy disk, it never touches the hard disk, so however the hard disk has been locked it has no effect on the booting of DOS. A computer booted this way does not recognize the hard disk, but that is acceptable. After booting, use Debug to patch the new INT 13H handler resident in upper memory into a direct jump to the old INT 13H. Under Debug, INT 13H can then read cylinder 0, head 0, sector 1 of the hard disk. If you have a backup, restore the partition table parameters and write the sector back to cylinder 0, head 0, sector 1; restart the computer and all is well. If there really is no backup, remove the cyclic chain from the partition table; after restarting with a normal DOS boot disk you can at least re-partition the hard disk, so it is no longer locked beyond recovery.
### Program and Instructions
1. The following is the source of key.com, the program written to track 0, head 0, sector 1 (the boot sector) of the floppy disk. It is entered with Debug.
C>debug
-a100
0100 CLI
0101 XOR AX,AX
0103 MOV DS,AX
0105 MOV ES,AX
0107 MOV SS,AX
0109 MOV AX,7C00
010C MOV SP,AX
010E STI
010F MOV SI,AX           ;Copy this sector from 7C00 to 7E00 so the boot address is free for the real boot sector
0111 MOV DI,7E00
0114 CLD
0115 MOV CX,0200
0118 REPNZ
0119 MOVSB
011A JMP 0000:7E1F       ;Continue in the copy
011F MOV CX,0003
0122 PUSH CX
0123 MOV AX,0201         ;Read the real boot sector of the boot floppy disk (track 79, head 1, sector 1) to 7C00, three tries
0126 MOV BX,7C00
0129 MOV CX,4F01
012C MOV DX,0100
012F INT 13
0131 POP CX
0132 DEC CX
0133 JNZ 0122
0135 MOV AX,[004C]       ;Pre-emptively obtain the position of INT 13H (vector at 0000:004C/004E) and store it in the far JMP at 0187
0138 MOV [7E88],AX
013B MOV AX,[004E]
013E MOV [7E8A],AX
0141 MOV AX,[0413]       ;Take 1K off the BIOS base memory size (0040:0013) for the resident program
0144 DEC AX
0145 MOV [0413],AX
0148 MOV CL,06           ;Kilobytes to segment: 639K gives segment 9FC0
014A SHL AX,CL
014C MOV ES,AX
014E XOR AX,AX
0150 MOV DS,AX
0152 MOV SI,7E6D         ;Copy the rewritten INT 13H program to the upper memory
0155 MOV DI,0000
0158 MOV CX,0030
015B REPNZ
015C MOVSB
015D MOV AX,0000         ;Write the new INT 13H position to the interrupt vector table
0160 MOV [004C],AX
0163 MOV AX,ES
0165 MOV [004E],AX
0168 JMP 0000:7C00       ;Hand control to the real floppy boot program
016D PUSHF               ;New INT 13H program
016E CMP DX,0080         ;Is it the hard disk (drive 80H, head 0)?
0172 JNZ 0176            ;If not the hard disk, continue
0174 POPF
0175 IRET                ;If it is the hard disk, directly return
0176 CMP DX,+00          ;Is it reading the boot area of the floppy disk?
0179 JNZ 0186
017B CMP CX,+01
017E JNZ 0186
0180 MOV CX,4F01         ;If yes, read track 79, head 1, sector 1 instead
0183 MOV DX,0100
0186 POPF
0187 JMP 0000:0000       ;Jump to the old INT 13H; its position was filled in at 0138-013E
-n key.com
-rcx
:200
-w
-q
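As an added example (Python written for this edit, not code from the post), here is a model of the decision made by the resident INT 13H program at 016DH to 0187H, together with the register conventions it relies on. The CX/DX packing is the standard BIOS disk-service convention assumed here (DL = drive, DH = head, CH = cylinder low byte, CL = sector plus cylinder high bits); the function names and the constructed request sequence are assumptions of this example.

```python
# Register values from the listing: CX/DX for the floppy boot sector and for the sector
# the real boot program was moved to.
FLOPPY_BOOT = (0x0001, 0x0000)   # track 0, head 0, sector 1 of drive A
RELOCATED = (0x4F01, 0x0100)     # track 79, head 1, sector 1 of drive A

def unpack_regs(cx, dx):
    """Decode CX/DX into (cylinder, head, sector, drive): CH = cylinder bits 0-7,
    CL bits 6-7 = cylinder bits 8-9, CL bits 0-5 = sector, DH = head, DL = drive."""
    cylinder = (cx >> 8) | ((cx & 0xC0) << 2)
    return cylinder, dx >> 8, cx & 0x3F, dx & 0xFF

def int13_filter(cx, dx):
    """Mirror the handler's three outcomes: ('refuse', cx, dx) where it POPF/IRETs without
    touching the disk, ('redirect', cx', dx') where it substitutes the relocated boot sector,
    and ('pass', cx, dx) where it falls through to the old INT 13H.
    Caveat visible in the listing: CMP DX,0080 compares the whole register, so only head 0
    of drive 80H is refused; a request for another head of the hard disk passes unchanged."""
    if dx == 0x0080:
        return ('refuse', cx, dx)
    if (cx, dx) == FLOPPY_BOOT:
        return ('redirect',) + RELOCATED
    return ('pass', cx, dx)

def resident_segment(base_kb):
    """The loader decrements the BIOS base-memory count at 0040:0013 and turns the remaining
    kilobytes into a segment with SHL AX,6 (1K = 64 paragraphs). Returns (segment, new_kb)."""
    new_kb = base_kb - 1
    return new_kb << 6, new_kb

def trace(requests):
    """Apply the filter to a sequence of (cx, dx) read requests and return the outcomes."""
    return [int13_filter(cx, dx)[0] for cx, dx in requests]

if __name__ == '__main__':
    # Constructed boot-time sequence: DOS re-reads the floppy boot sector, tries the hard disk
    # partition table, then reads track 0, head 0, sector 2 of the floppy.
    print(trace([FLOPPY_BOOT, (0x0001, 0x0080), (0x0002, 0x0000)]))   # ['redirect', 'refuse', 'pass']
    print(hex(resident_segment(640)[0]))                                 # 0x9fc0
```

With 640K of base memory the resident copy lands at 9FC0:0000, which is the address the later instructions use when patching the handler under Debug.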
2. Loading of the program
Before doing the following, use DOS to format a bootable system disk and make sure it has no bad sectors; it is best to test that it actually boots the computer. Since most computers now have only a 3.5-inch floppy drive, use a 1.44M 3.5-inch floppy disk.
Then use debug key.com to load key.com into memory at offset 100H, and at the same time enter a loading program at 400H. That is:
C>debug key.com
-a400
0400 MOV CX,0003
0403 PUSH CX
0404 MOV AX,0201         ;Read the boot sector of drive A (track 0, head 0, sector 1) into memory at 1000H
0407 MOV BX,1000         ;To be sure it succeeds, this first read is repeated three times
040A MOV CX,0001
040D MOV DX,0000
0410 INT 13
0412 POP CX
0413 DEC CX
0414 JNZ 0403
0416 MOV AX,0301         ;Write the boot sector just read back to the floppy disk at
0419 MOV BX,1000         ;track 79, head 1, sector 1 (the first sector of the last track)
041C MOV CX,4F01
041F MOV DX,0100
0422 INT 13
0424 MOV AX,0301         ;Write key.com (loaded at 100H) to track 0, head 0, sector 1 of the floppy disk
0427 MOV BX,0100
042A MOV CX,0001
042D MOV DX,0000
0430 INT 13
0432 INT 3               ;Return to Debug
To be absolutely safe, read these two sectors of the floppy disk back and confirm that the writes succeeded. After all this it is still wise to run a test: boot the computer once from this floppy disk and see whether it works. If it boots, you can lock the hard disk with the cyclic partition table method, confirm that the normal DOS can no longer boot, and then boot from this floppy disk to see how effective it is.
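The loader above works on a live drive A through INT 13H. As an added example (Python written for this edit, not the post's own program), the same two moves can be made offline on a 1.44M floppy image file, with the read-back check the text recommends built in. The geometry assumed here is the standard 1.44M layout of 80 tracks, 2 heads and 18 sectors of 512 bytes; the function names, the sample image and the placeholder standing in for key.com are assumptions of this example.

```python
SECTOR_SIZE, HEADS, SECTORS_PER_TRACK, TRACKS = 512, 2, 18, 80
IMAGE_SIZE = TRACKS * HEADS * SECTORS_PER_TRACK * SECTOR_SIZE   # 1,474,560 bytes

BOOT_CHS = (0, 0, 1)        # where the BIOS reads the boot sector from
RELOCATED_CHS = (79, 1, 1)  # where the post keeps the real boot sector (CX=4F01, DX=0100)

def chs_to_offset(track, head, sector):
    """Byte offset of a sector in the image; sectors are numbered from 1 on each track."""
    lba = (track * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)
    return lba * SECTOR_SIZE

def read_sector(image, chs):
    off = chs_to_offset(*chs)
    return bytes(image[off:off + SECTOR_SIZE])

def install_rescue_boot(image, key_com):
    """Move the real boot sector to track 79, head 1, sector 1 and put key.com in its place
    at track 0, head 0, sector 1, then read both sectors back to confirm the writes."""
    if len(image) != IMAGE_SIZE:
        raise ValueError('expected a 1.44M floppy image')
    if len(key_com) != SECTOR_SIZE:
        raise ValueError('key.com must be exactly one sector (RCX 200 in Debug)')
    real_boot = read_sector(image, BOOT_CHS)
    if real_boot[510:512] != b'\x55\xAA':
        raise ValueError('source is not a bootable system disk')
    img = bytearray(image)
    off = chs_to_offset(*RELOCATED_CHS)
    img[off:off + SECTOR_SIZE] = real_boot
    off = chs_to_offset(*BOOT_CHS)
    img[off:off + SECTOR_SIZE] = key_com
    # Read-back check: both sectors must contain exactly what was written.
    if read_sector(img, RELOCATED_CHS) != real_boot or read_sector(img, BOOT_CHS) != key_com:
        raise RuntimeError('read-back verification failed')
    return bytes(img)

def make_sample_system_image():
    """Constructed stand-in for a freshly formatted system disk: a boot sector of marker
    bytes ending in the 55AAH signature, everything else zero."""
    img = bytearray(IMAGE_SIZE)
    img[0:SECTOR_SIZE] = b'\xEB\x3C\x90' + b'B' * 507 + b'\x55\xAA'
    return bytes(img)

# Placeholder for the 512-byte key.com produced by the Debug session above (FAH = CLI,
# then zeros); substitute the real file contents when building an actual disk.
KEY_COM = b'\xFA' + b'\x00' * 511

if __name__ == '__main__':
    out = install_rescue_boot(make_sample_system_image(), KEY_COM)
    print(len(out), chs_to_offset(*RELOCATED_CHS))   # 1474560 1465344
```

Written to a real floppy with a raw sector copier, the resulting image is the special boot disk described in the text: the boot sector now holds key.com, and the original boot sector sits at the offset that track 79, head 1, sector 1 maps to.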
After booting from this floppy disk the hard disk is not recognized, and the new INT 13H program stays resident in upper memory; it is the part of key.com from 16DH to 187H. While it is active the hard disk cannot be read under Debug either, so the partition table cannot be restored until that program has been modified. The base memory of current computers is usually 640K, so the program sits at 9FC0:0000. Under Debug, U 9FC0:0 unassembles it, and at 9FC0:001A you can see the jump instruction that goes to the original INT 13H. Its target differs from one BIOS to another; on the author's computer it is JMP F000:A5D4. Assemble that same jump over the start of the program, with A 9FC0:0 and the line JMP F000:A5D4, after which the read and write ban on the hard disk no longer applies. Then, under Debug, read the hard disk partition table with INT 13H function 02H (read sectors), repair it, write it back with function 03H (write sectors), exit Debug and restart the computer with the normal DOS.
Incidentally, under normal DOS this floppy disk can no longer be used as an ordinary disk: its boot area, and with it the disk parameter table, has been moved, so DIR A: produces a General failure reading drive A message. Ignore it; this does not affect its use as a special boot disk.
### Suggestion
To protect your hard disk better, the author suggests backing up its partition table information. There are two ways to do so.
One is to store the partition information of each logical disk as a file. The other is to back it up in the hidden sectors of the hard disk itself: for example, copy cylinder 0, head 0, sector 1 to cylinder 0, head 0, sector 3; copy the partition sector at drive D's starting cylinder, head 0, sector 1 to head 0, sector 3 of that same cylinder; and likewise for the other logical disks. This method is simple, convenient and very reliable, and it is easy to carry out with DISKEDIT from Norton Utilities. With the partition table information backed up you need not fear viruses that destroy the partition table, and with the program given here, even if someone really does lock your hard disk, you can unlock it easily.
[ Last edited by sgtao on 2005-12-13 at 14:23 ]