A clever way to solve a hard disk logic lock
Old Gong:
I remember that in an issue of “You Ask, I Answer” last December, someone asked about “after being attacked by some hacker program, the hard disk could not boot; it could not even boot from CD or floppy, it would hang as soon as it booted, and it would not even work as a secondary disk.” I am a technician at a computer assembly shop, and I have encountered several similar hard disks. At the time you said there was a special software tool that could handle this problem. Where can this software be found? How exactly can it be solved? (Nike)
Nike:
Previously I saw detailed methods and software for handling similar problems on an anti-virus website, but unfortunately that website seems to have closed now. However, I found other methods online to solve this problem. Before talking about the specific solutions, I will first describe why a hard disk locked by a “logic lock” cannot be booted by ordinary means:
When the computer boots the DOS system it will search all logical drives in order. When DOS is being booted, it first looks for the partition table information in the master boot sector, at the place starting from offset 1BEH in the first sector of head zero, cylinder zero of the hard disk. When the start of the partition information is 80H, it means it is the primary boot partition; the others are extended partitions. The primary boot partition is defined as logical drive C, then the logical drives in the extended partition are searched and defined as drive D, and so on to find E, F, G, and so forth. The “logic lock” works here, modifying the normal master boot partition record so that the first logical drive of the extended partition points to itself. When DOS starts up, after finding the first logical drive, when it searches for the next logical drive it always finds itself. In this way a dead loop is formed. This is why it cannot boot normally using a floppy drive, CD-ROM drive, or dual hard disks. In fact this “logic lock” merely makes use of a small flaw in DOS at startup, yet it leaves quite a few experts helpless. Once you know the “locking” principle of the “logic lock,” unlocking it is relatively easy. Previously I saw a friend use the method of “hot-plugging” the hard disk power supply to handle it: that is, when the system starts, do not connect the power cable to the locked hard disk first; wait until startup is complete and then “hot-plug” the power cable into the hard disk. At this point, if the hard disk has not burned out, the system can control the hard disk. Of course, this is a very dangerous method, and everyone should not try it lightly. Below are two relatively simple and safe handling methods.
Method 1: Modify the DOS startup file
First prepare a DOS 6.22 system disk, with tools such as DEBUG, PCTools 5.0, and FDISK. Then on a normal machine, use a binary editing tool you are familiar with (DEBUG, PCTools 5.0, or UltraEdit under Windows are all fine) to modify the IO.SYS file on the floppy disk (before modifying, remember to change the file’s attributes to normal). Specifically, search for the first “55aa” string inside this file; after finding it, change it to any other value. With this modified system floppy disk, you can successfully boot with the locked hard disk attached. However, at this time, because the normal partition table of this hard disk has been maliciously modified by the hacker program, you cannot use FDISK to delete or modify partitions, and you still cannot use a normal boot disk to boot the system. At this point you can use DEBUG to restore it manually. The steps for manually repairing the hard disk with DEBUG are as follows:
A:\>debug
-a
xxxx:0100 mov ax,0201    AH=02 (read sectors), AL=01 (read one sector)
xxxx:0103 mov bx,500     ES:BX = buffer address 0500h where the sector is stored
xxxx:0106 mov cx,0001    CH=00 cylinder 0, CL=01 sector 1 (the master boot sector)
xxxx:0109 mov dx,0080    DH=00 head 0, DL=80h the first hard disk
xxxx:010c int 13         BIOS hard disk interrupt: perform the read
xxxx:010e int 20         exit the program and return to the DEBUG prompt
xxxx:0110                press Enter on this empty line to leave assembly mode
-g                       run
-d 500                   view the buffer at address 500 after running; the partition table read from the disk sits at 06BE-06FF (d 6be shows it directly)
At this time you will find that the contents starting at address 6be are the hard disk partition information. You will find that this hard disk’s extended partition points to itself, which makes DOS or WINDOWS enter a dead loop when starting up and searching for the hard disk logical drives. Under the DEBUG prompt, use the E command to modify the memory data. Specifically as follows:
-e 6be
xxxx:06BE xx.0 xx.0 xx.0 ...    DEBUG shows each old byte as “xx.”; type the new value, then press Space to move to the next byte
.............................
....................... 55 AA   stop when you reach the 55 AA marker at 06FE; press Enter to finish editing
55 AA indicates the valid marker of the hard disk; do not modify it. “xx.0” means changing the previous byte “xx” to 0.
Then use hard disk interrupt 13 to write the modified data into the hard disk. Specifically as follows:
-a 100                   still in the same DEBUG session (if you quit first, the program at 100 and the modified buffer at 500 are lost); reassemble at address 100
xxxx:0100 mov ax,0301    AH=03 (write sectors), AL=01: write the one sector in the buffer back to head 0, cylinder 0, sector 1
xxxx:0103                press Enter directly here; the remaining instructions stay as assembled before
-g                       run
-q                       quit
Then run FDISK /MBR (reset the boot program in the hard disk boot sector), and restart the computer.
How about it? This method is simple enough, right? And another advantage of this method is that it can preserve the data on the disk! If you do not need to preserve the data, there is an even simpler handling method:
Method 2: Cleverly set the BIOS and use DM to unlock
Everyone knows that DM software is hard disk recognition and installation software that does not depend on the motherboard BIOS, (so on old motherboards that cannot recognize large hard disks, DM can also be used to install and use large-capacity hard disks). Even if the hard disk is set to “NONE” in the BIOS, DM can still recognize and handle the hard disk.
First you need to find the DM software matched to the hard disk (ask JS for it or go searching online), then copy DM to a system disk. Connect the locked hard disk, power on, hold down the DEL key, enter CMOS setup, set all IDE hard disks to NONE (this is the key!), save the settings, and reboot. At this point the system can boot “with the lock.” After startup, run DM. You will find that DM can bypass the BIOS and recognize the hard disk. Select this hard disk, partition and format it, and it is OK. That simple? However, the weakness of this method is that all data on the hard disk will be lost.
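The following Python script is an added example and is not part of the original column or any tool it names. It builds two constructed in-memory disk images, one healthy and one with the self-referencing extended partition link described above, and walks the partition chain the way DOS does, except that it keeps a visited set so the loop is reported instead of hanging. It also shows the effect of zeroing the link entry while leaving the 55 AA marker in place, which is what the “xx.0” edits in Method 1 do. Assumptions: entries are interpreted through their LBA start/count fields (DOS of that era used the CHS fields, which are left zero here), the sector numbers and partition sizes are invented, and all function names are this example's own.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE            # partition table starts here in an MBR/EBR (the page's 1BEH)
SIG_OFFSET = 0x1FE           # the 55 AA marker the page tells you not to touch
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
# boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def make_entry(boot, ptype, start, count):
    """Build one 16-byte entry. CHS bytes stay zero: this example uses the LBA fields only (assumption)."""
    return struct.pack(ENTRY_FMT, boot, ptype, start, count)


def make_sector(entries):
    """Lay out an MBR/EBR: zeroed boot code, up to four entries, then the 55 AA marker."""
    table = b"".join(entries) + b"\x00" * 16 * (4 - len(entries))
    return b"\x00" * PT_OFFSET + table + b"\x55\xAA"


def parse_entries(sector):
    """Return the four entries of an MBR/EBR as dicts; reject a sector without the 55 AA marker."""
    if len(sector) != SECTOR or sector[SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("not a valid MBR/EBR: missing 55 AA marker")
    entries = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"boot": boot, "type": ptype, "start": start, "count": count})
    return entries


def walk_logical_drives(disk, max_hops=64):
    """
    Enumerate drives in DOS order (primary partitions, then the EBR chain), but with a
    visited set so a self-referencing link is reported instead of looping forever.
    disk: dict mapping LBA -> 512-byte sector (a constructed in-memory image).
    Returns (drives, status); status is "ok", "loop" or "chain-too-long".
    """
    drives = []
    ext_base = None
    for e in parse_entries(disk[0]):
        if e["type"] == 0:
            continue
        if e["type"] in EXTENDED_TYPES:
            ext_base = e["start"]
        else:
            drives.append((e["start"], e["count"]))
    if ext_base is None:
        return drives, "ok"
    seen = set()
    ebr_lba = ext_base
    for _ in range(max_hops):
        if ebr_lba in seen:
            return drives, "loop"                 # this is where DOS hangs on a "logic locked" disk
        seen.add(ebr_lba)
        logical, link = parse_entries(disk[ebr_lba])[:2]
        if logical["type"] != 0:
            drives.append((ebr_lba + logical["start"], logical["count"]))  # relative to this EBR
        if link["type"] == 0:
            return drives, "ok"
        ebr_lba = ext_base + link["start"]        # the link is relative to the extended container
    return drives, "chain-too-long"


def clear_link(sector):
    """Zero the second entry (the next-EBR link), like the page's 'xx.0' edits, keeping 55 AA intact."""
    off = PT_OFFSET + 16
    return sector[:off] + b"\x00" * 16 + sector[off + 16:]


def build_image(locked):
    """Constructed disk: one primary partition (C:) plus one logical drive (D:) in an extended container."""
    ext_base = 20480                                          # constructed LBA of the extended container
    mbr = make_sector([make_entry(0x80, 0x06, 63, 20000),     # primary, becomes C:
                       make_entry(0x00, 0x05, ext_base, 40000)])
    # locked: link start 0 means "next EBR = ext_base + 0", i.e. this very EBR, so the chain points at itself
    link = make_entry(0x00, 0x05, 0, 40000) if locked else make_entry(0, 0, 0, 0)
    ebr = make_sector([make_entry(0x00, 0x06, 63, 20000),     # logical drive, becomes D:
                       link])
    return {0: mbr, ext_base: ebr}


if __name__ == "__main__":
    for locked in (False, True):
        print("locked" if locked else "healthy", walk_logical_drives(build_image(locked)))
    repaired = build_image(True)
    repaired[20480] = clear_link(repaired[20480])
    print("repaired", walk_logical_drives(repaired))
```

Run against a real disk you would read the first sector of the drive (and each EBR) into `disk` instead of constructing them; the walker itself does not change. The healthy and the locked image yield the same two drives, which is exactly why the lock is invisible until something follows the chain without a loop guard.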
Welcome to visit my personal homepage:
http://dosdiy.bluepc.com.cn/
http://dosdiy.ys168.com/
EMAIL: lydong@china.com.cn lydong@yeah.net