Detailed Explanation of Hard Disk Logical Locks
--------------------------------------------------------------------------------
2003-5-31 9:39:46
Have you ever run into a situation where the BIOS can detect the hard disk, but the computer cannot boot either from the floppy disk or from the hard disk? At that point you might think the hard disk is broken, but in fact, it is very likely that your hard disk has been hit by a logical lock.
There are three kinds of hard disk logical locks in total. In essence, all of them involve modifying the hard disk partition table. In the past only some hacker programs used this, but the first time it began causing large-scale harm to computers was during the notorious KV3000 anti-piracy incident. At that time, Jiangmin Company, in order to crack down on piracy, implanted a hacker program into the new KV3000 upgrade program. When it detected that the user was using a pirated copy of KV3000, it locked the hard disk partition table. This was called an “active logical lock”; actually it was just one kind of hard disk logical lock, but at the time it harmed countless innocent people, and Jiangmin Company was convicted because of it. That is old news, so we won’t talk about it further. Below we will introduce its three forms and the solutions.
First let us understand the hard disk partition table. The hard disk partition table is located at sector 1 of cylinder 0, head 0 of the disk. The 64 bytes starting from 01BEH in that sector are the partition table. The partition table is 64 bytes total, divided into 4 entries, each 16 bytes long describing one partition. If you use the FDISK program to partition, then at most only two entries are used: the first describes the primary boot partition, and the second describes the extended partition. The structure of the partition table and the meaning of each byte are as follows:
00H—active flag byte. The active DOS partition is 80H; others are 00H.
01H—the head number where logical sector 0 of this partition is located.
02H—the sector number within the cylinder where logical sector 0 is located.
03H—the cylinder number where logical sector 0 is located.
04H—partition type flag.
05H—the head number of the last sector of this partition.
06H—the sector number of the last sector.
07H—the cylinder number of the last sector.
08H—the total number of sectors on the hard disk before this partition, represented as a double word.
0CH—the total number of sectors in this partition, counted from logical sector 0 and not including hidden sectors, represented as a double word.
The last two bytes of the partition table sector are its valid signature. If they are changed, booting from the hard disk becomes impossible. This is the first, simplest way of locking a hard disk, and it is relatively easy to undo: as long as you boot from a floppy disk, everything is normal, and after booting you can use Debug, Diskedit or similar software to restore the signature in the hard disk partition table. The second method is to modify the partition parameters. If all partition parameters are changed to 0, the system cannot boot from the hard disk because no partition can be found. After booting from a floppy boot disk the hard disk is still not recognized, but at least the machine boots, and we can then use tools such as DEBUG from the floppy disk to repair the altered partition table parameters. After rebooting there will be no problem.
What we want to focus on is the third type, namely the “active logical lock” mentioned above. It works by modifying the partition table parameters into a dead loop. During normal booting, after DOS takes over the hard disk, it reads the partition table: the primary boot partition is defined as drive C, then it looks for logical drives and defines them as D, E, F, G and so on. The active logical lock makes the “next partition” link of the first logical drive (generally drive D) point back to itself. DOS keeps reading the next entry, but in fact it is reading the same one again, and so it falls into a dead loop. DOS booting requires the basic input/output file io.sys (it can also be seen under Windows, in the root directory of drive C), and io.sys is rather stubborn: after it starts it insists on reading the hard disk partition table completely before taking over. So no matter what we boot from, as soon as io.sys searches for logical drives it falls into the dead loop, the hard disk light stays on constantly, and the system hangs.
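The three lock patterns described above can be checked by parsing the partition table programmatically instead of reading it by eye with DEBUG. The following Python is an added example, not code from the original article: it splits the 64 bytes at 01BEH into entries using the offsets listed above, uses the double-word fields at 08H and 0CH (LBA) rather than the CHS bytes, and walks the extended partition chain with a visited set so a link that points back to itself is reported instead of looping forever. The disk is a constructed in-memory sample; a real check would read sectors from a disk image file.

```python
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"
EXTENDED_TYPES = {0x05, 0x0F}  # partition type flags (byte 04H) of an extended partition

def parse_entries(sector):
    """Split the 64 bytes at 01BEH into four (flag, type, start_lba, count) tuples."""
    entries = []
    for i in range(4):
        e = sector[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", e, 8)  # double words at 08H and 0CH
        entries.append((e[0], e[4], start, count))
    return entries

def diagnose(read_sector):
    """read_sector(lba) returns one 512-byte sector. Returns a list of findings;
    an empty list means none of the three lock patterns was seen."""
    mbr = read_sector(0)
    findings = []
    if mbr[0x1FE:0x200] != SIGNATURE:
        findings.append("lock type 1: partition table signature is not 55 AA")
    entries = parse_entries(mbr)
    if all(e == (0, 0, 0, 0) for e in entries):
        findings.append("lock type 2: all four partition entries are zero")
        return findings
    ext = [e for e in entries if e[1] in EXTENDED_TYPES]
    if ext:
        # Follow the EBR chain the way io.sys does when assigning D:, E:, ...
        # Every EBR visited is remembered, so a link back to itself is caught.
        base = lba = ext[0][2]
        seen = set()
        while lba:
            if lba in seen:
                findings.append(f"lock type 3: extended chain loops back to LBA {lba}")
                break
            seen.add(lba)
            link = parse_entries(read_sector(lba))[1]  # entry 2 of an EBR = next EBR
            # the link's start field is relative to the start of the extended partition
            lba = base + link[2] if link[1] in EXTENDED_TYPES else 0
    return findings

def make_sector(entries):
    """Constructed sample MBR/EBR: up to four entries plus the 55 AA signature."""
    s = bytearray(SECTOR)
    for i, (flag, ptype, start, count) in enumerate(entries):
        off = 0x1BE + 16 * i
        s[off], s[off + 4] = flag, ptype
        struct.pack_into("<II", s, off + 8, start, count)
    s[0x1FE:0x200] = SIGNATURE
    return bytes(s)

def sample_disk(locked):
    """Constructed toy disk: C: at LBA 63, extended partition at LBA 2048 with two
    logical drives. When locked, the first EBR's link entry points back at itself."""
    mbr = make_sector([(0x80, 0x06, 63, 1985), (0x00, 0x05, 2048, 4096)])
    link = (0x00, 0x05, 0 if locked else 1024, 1024)
    ebr0 = make_sector([(0x00, 0x06, 63, 961), link])
    ebr1 = make_sector([(0x00, 0x06, 63, 961), (0, 0, 0, 0)])
    sectors = {0: mbr, 2048: ebr0, 3072: ebr1}
    return lambda lba: sectors[lba]
```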
So how do we unlock it? Fundamentally speaking, the key is to make io.sys not work, or to restore the partition table parameters before it takes effect.
1. DEBUG method
To use this method, you must first be able to boot the machine. On a normal computer, we can modify the io.sys file on the boot floppy disk, find the first “55aa” string, and after finding it change it to any other value. With this boot floppy disk, you can successfully boot with the locked hard disk attached. However, at this time the partition table of that hard disk is already abnormal, so we cannot use FDISK to delete or modify partitions, and we still cannot boot the system with a normal boot disk. At this point, we can use DEBUG to restore it manually. The specific commands are as follows:
a:\>debug
-a
????:0100 mov ax,0201   (AH=02 read sectors, AL=01: read one sector)
????:0103 mov bx,500    (ES:BX buffer address; the sector lands at offset 500)
????:0106 mov cx,0001   (CH=cylinder 0, CL=sector 1: the partition table sector)
????:0109 mov dx,0080   (DH=head 0, DL=80H: the first hard disk)
????:010c int 13        (BIOS hard disk interrupt)
????:010e int 20        (return to DEBUG)
????:0110               (press Enter on the empty line to leave assembly mode)
(Note: the segment value ???? differs from system to system, and the offsets :01?? are displayed by DEBUG automatically. What we need to type is only the instruction after them.)
-g
-d 500 (view the contents of the buffer at address 500 after execution. The 64 bytes starting at address 6BE, that is 500 + 1BE, are the hard disk partition table. If the extended partition points to itself, then DOS or Windows falls into a dead loop while searching for logical partitions when it starts.) Continue modifying the memory data at the DEBUG prompt:
-e 6be
????:06BE  ??.0  ??.0  ??.0 ……
……
…… 55 AA
55 AA is the valid signature of the partition table; do not modify it. “??.0” means that DEBUG shows the old byte “??” and you type 0 to replace it. Then use hard disk interrupt 13 to write the modified buffer back to the hard disk:
(Stay in the same DEBUG session, so that the routine at 103–110 and the modified buffer at 500 are still in memory; only the first instruction is changed.)
-a 100                  (re-assemble the instruction at address 100)
????:0100 mov ax,0301   (AH=03 write sectors, AL=01: write one sector to the hard disk)
????:0103               (press Enter on the empty line to leave assembly mode)
-g                      (run)
-q                      (quit)
After exiting, run FDISK /MBR to rewrite the hard disk master boot code, then reboot.
Although this method is a bit troublesome, it can restore the hard disk partition table, which means that after restoration the data on the hard disk will not be lost either. The following methods, although more convenient, either cannot guarantee the safety of the data on the hard disk, or have a certain degree of danger.
2. External software method
The principle of this method is to bypass BIOS detection of the hard disk and directly use some software that can search for the hard disk by itself to control it.
First there is DM. Every hard disk manufacturer now has its own DiskManager program, and each fits onto one floppy disk; you can download one and use it. If you are not sure what brand your hard disk is, you can also use the universal edition of DM released by IBM, though its support for today’s large hard disks above 32 GB is not very good. First set the IDE port where the hard disk is located to “none” in the BIOS (if you do not know which one it is, set all of them to none). Then boot the system with a boot disk. After booting is complete, remove the boot floppy, insert the floppy containing DM, and run it. It will detect the locked hard disk, and repartitioning it solves the problem. Using DM is quite simple, so I won’t go into detail, but for friends whose English is not very good it may be somewhat difficult, so ask the experts around you.
We can also use low-level format software. Each kind of hard disk has its own low-level format software, but there is also the general-purpose Lformat program (only a little over 30 KB). The preparation is the same: mask the hard disk in the BIOS, boot with a boot disk, then swap floppies and run the low-level format program on the hard disk. Since the partition table sits at the very front of the hard disk, you can stop once the area holding the partition table has been formatted. Then reboot, re-enable the hard disk in the BIOS, and you can partition it and perform other operations as if it were a new hard disk.
3. Hot plugging
This is the most dangerous method, and it is quite possible to burn out your hard disk, so please be cautious. The procedure is very simple: first unplug the hard disk power cable, then boot the system from the floppy disk, and after booting is complete plug the hard disk power cable back in. At that point the system can control the hard disk, and you can partition it, restore the partition table, and perform other operations. One newbie friend of mine managed to fix his disk after hot-plugging it 3 times. However, this method is dangerous and is strongly not recommended; if damage occurs because of it, I take no responsibility.
Actually, the best case is if you have a partition table backup. Then restoration is relatively easy, and the data will not be lost either. Mending the fold after the sheep are lost is certainly better than nothing, but if you do the protective work in advance, there will be nothing to worry about.
Everyone is welcome to visit my personal homepage:
http://dosdiy.bluepc.com.cn/
http://dosdiy.ys168.com/
EMAIL: lydong@china.com.cn lydong@yeah.net
----------------------------------------------