by Alan Pinck
The same L (Load) command used to load files in DEBUG can, with the addition of parameters, be used to load physical sectors of a disk into memory. The four necessary parameters are:
-L memory_address drive# drive_sector# number_of_sectors_to_load
-L mem drv sec num
Note that more recent versions of Microsoft Windows (e.g. Windows XP and later) may refuse to let you examine a disk directly using DEBUG. You may need to find a version of Windows that can reboot into pure-DOS mode.
For drive #2 (drive "C:"), we load the BOOT sector (sector #0) and display the first 32 (20h) bytes:
C:\> DEBUG
-L 0000 2 0 1
-D 0000 001F
1026:0000  EB 3C 90 4D 53 44 4F 53-35 2E 30 00 02 04 01 00   .<.MSDOS5.0.....
1026:0010  02 00 02 00 00 F8 F8 00-11 00 10 00 11 00 00 00   ................
Using a table of BOOT block offsets, we can examine the above BOOT sector memory dump and decode various values. (In the list below, we use the notation "/n" to denote a quantity that is "n" bytes long, e.g. /2 means the data item takes two bytes. Since this is an Intel dump, all multi-byte quantities are Little-Endian and must have their byte order reversed when being written down. The dump is colour-coded to point out exactly where in the dump we get each data item.)
How many sectors does the root directory occupy on this disk?
What is the layout of this Disk?

Data Structure | Number of Sectors (hex) | Start Sector (hex) | End Sector (hex) |
---|---|---|---|
Boot sector: | one (always!) | 0 | 0 |
FAT (2 copies): | 2 * F8h = 1F0h | 1 | 1F0h |
Root Directory: | 200*20/200 = 20h | 1F1h | 210h |
File Allocation Space: | 4 sectors per cluster | 211h | ... to end of disk ... |
The Root Directory starts at sector 1F1h and has a size of 20h sectors. The space to hold file data starts at sector 211h, which is the start of the first data file cluster, numbered cluster #2. (Cluster numbers 0 and 1 are reserved for the BOOT area.) We will need to know this start sector 211h to find data on the disk.
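The layout arithmetic above can be reproduced from the 32 dumped bytes, as in this added example (not part of the original page). The function and key names are illustrative assumptions; the field offsets are the standard BIOS Parameter Block positions starting at 0Bh.

```python
import struct

# Added example: first 32 bytes of the boot sector, copied from the DEBUG dump above.
BOOT = bytes.fromhex(
    "EB3C904D53444F53352E300002040100"
    "0200020000F8F8001100100011000000"
)

def parse_bpb(sector):
    """Decode the little-endian BIOS Parameter Block fields at offsets 0Bh-1Fh."""
    if len(sector) < 0x20:
        raise ValueError("need at least the first 32 bytes of the boot sector")
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_copies", "root_entries", "total_sectors_16", "media",
             "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors")
    bpb = dict(zip(names, struct.unpack_from("<HBHBHHBHHHI", sector, 0x0B)))
    bpb["oem_name"] = sector[3:11].decode("ascii", "replace")
    # Reject values that would make the layout arithmetic meaningless.
    for key in ("bytes_per_sector", "sectors_per_cluster"):
        value = bpb[key]
        if value == 0 or value & (value - 1):
            raise ValueError(f"{key}={value} is not a power of two")
    if bpb["fat_copies"] == 0 or bpb["sectors_per_fat"] == 0:
        raise ValueError("boot sector describes no FAT")
    return bpb

def disk_layout(bpb):
    """Return (first_sector, sector_count) per structure, plus the data start."""
    fat_start = bpb["reserved_sectors"]
    fat_len = bpb["fat_copies"] * bpb["sectors_per_fat"]
    root_start = fat_start + fat_len
    # 32 bytes per directory entry, rounded up to whole sectors.
    root_len = -(-bpb["root_entries"] * 32 // bpb["bytes_per_sector"])
    return {"boot": (0, fat_start), "fat": (fat_start, fat_len),
            "root": (root_start, root_len),
            "data_start": root_start + root_len}

if __name__ == "__main__":
    for name, span in disk_layout(parse_bpb(BOOT)).items():
        print(name, span)
```

The validation step matters when the sector comes from an untrusted or damaged image: a zero or non-power-of-two sector size would otherwise produce sector numbers that look plausible but are wrong.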
For this specific disk, we can load and examine the ROOT Directory given the previously derived information that shows the ROOT directory starting at sector 1F1h with a size of 20h sectors:
-L 0000 2 1F1 20
-D 0000 00FF
1026:0000  49 4F 20 20 20 20 20 20-53 59 53 07 00 00 00 00   IO      SYS.....
1026:0010  00 00 00 00 00 00 00 28-89 16 02 00 96 82 00 00   .......(........
1026:0020  4D 53 44 4F 53 20 20 20-53 59 53 07 00 00 00 00   MSDOS   SYS.....
1026:0030  00 00 00 00 00 00 00 28-89 16 13 00 12 92 00 00   .......(........
1026:0040  43 4F 4D 4D 41 4E 44 20-43 4F 4D 20 00 00 00 00   COMMAND COM ....
1026:0050  00 00 00 00 00 00 00 28-89 16 40 00 E5 BA 00 00   .......(..@.....
1026:0060  43 4F 4E 46 49 47 20 20-53 59 53 20 00 00 00 00   CONFIG  SYS ....
1026:0070  00 00 00 00 00 00 F9 96-CD 22 18 0A 2A 01 00 00   ........."..*...
1026:0080  41 55 54 4F 45 58 45 43-4F 4C 44 20 00 00 00 00   AUTOEXECOLD ....
1026:0090  00 00 00 00 00 00 2E 77-66 1D 83 A1 45 01 00 00   .......wf...E...
1026:00A0  44 4F 53 20 20 20 20 20-20 20 20 10 00 00 00 00   DOS        .....
1026:00B0  00 00 00 00 00 00 1A 40-99 19 53 00 00 00 00 00   .......@..S.....
1026:00C0  4D 53 2D 44 4F 53 5F 35-20 20 20 28 00 00 00 00   MS-DOS_5   (....
1026:00D0  00 00 00 00 00 00 56 41-99 19 00 00 00 00 00 00   ......VA........
1026:00E0  57 49 4E 41 32 30 20 20-33 38 36 20 00 00 00 00   WINA20  386 ....
1026:00F0  00 00 00 00 00 00 00 28-89 16 83 04 85 24 00 00   .......(.....$..

Within a directory entry, we use these offsets:
These DUMP lines are taken from the ROOT directory dump, above.
1026:0020  4D 53 44 4F 53 20 20 20-53 59 53 07 00 00 00 00   MSDOS   SYS.....
1026:0030  00 00 00 00 00 00 00 28-89 16 13 00 12 92 00 00   .......(........
Primary name: | MSDOS |
---|---|
Extension: | SYS |
Attribute: | 07h = 0000 0111 (bin) System, Hidden, Read Only |
Starting Cluster: | 0013h |
Size: | 00009212h (37394 decimal) bytes |
Furthermore, given previous information from the boot sector:
File allocation space starts at sector 211h and there are 4 sectors per allocation unit (cluster);
Plus the knowledge that the first cluster number for the file allocation space is cluster number 2;
We can duplicate the activity of the Operating System in locating this file.
Based on its starting cluster number of 0013h, the data for the file should begin at sector:
211h + (0013h - 2)*4 = 255h
If we were going to load the first sector of this file data into memory, we would use these commands:
-L 0 2 255 1
-D 0
These DUMP lines are taken from the ROOT directory dump, above.
1026:0080  41 55 54 4F 45 58 45 43-4F 4C 44 20 00 00 00 00   AUTOEXECOLD ....
1026:0090  00 00 00 00 00 00 2E 77-66 1D 83 A1 45 01 00 00   .......wf...E...
Primary name: | AUTOEXEC |
---|---|
Extension: | OLD |
Attribute: | 20h = 0010 0000 (bin) Archive required (modified since last backup) |
Starting Cluster: | A183h |
Size: | 00000145h (325 decimal) bytes |
Note that since AUTOEXEC.OLD is not a hidden file, the size can be verified using a standard DIR command:
C:\>DIR AUTOEXEC.OLD

 Volume in drive C is MS-DOS_5
 Volume Serial Number is 1999-4156
 Directory of C:\

AUTOEXEC OLD       325 11-06-94   2:57p
        1 file(s)        325 bytes
                     6340608 bytes free
Furthermore, given previous information from the boot sector:
File allocation space starts at sector 211h and there are 4 sectors per allocation unit (cluster);
Plus the knowledge that the first cluster number for the file allocation space is cluster number 2;
We can duplicate the activity of the Operating System in locating this file.
Based on its starting cluster number of A183h, the data for the file should begin at sector:
211h + (A183h - 2)*4 = 28815h
Loading this sector into memory and examining it gives:
-L 0 2 28815 1
-D 0
1026:0000  40 45 43 48 4F 20 4F 46-46 0D 0A 53 45 54 20 43   @ECHO OFF..SET C
1026:0010  4F 4D 53 50 45 43 3D 43-3A 5C 44 4F 53 5C 43 4F   OMSPEC=C:\DOS\CO
1026:0020  4D 4D 41 4E 44 2E 43 4F-4D 0D 0A 50 52 4F 4D 50   MMAND.COM..PROMP
1026:0030  54 20 24 70 24 67 0D 0A-50 41 54 48 20 43 3A 5C   T $p$g..PATH C:\
1026:0040  57 49 4E 44 4F 57 53 2E-33 30 30 3B 43 3A 5C 42   WINDOWS.300;C:\B
1026:0050  41 54 3B 43 3A 5C 44 4F-53 3B 63 3A 5C 75 74 69   AT;C:\DOS;c:\uti
1026:0060  6C 3B 63 3A 5C 3B 43 3A-5C 6D 61 73 6D 0D 0A 53   l;c:\;C:\masm..S
1026:0070  45 54 20 54 45 4D 50 3D-43 3A 5C 0D 0A 54 4F 47   ET TEMP=C:\..TOG

As it happens, this is a pure ASCII text file, so we can verify this by using the MS-DOS TYPE command:
C:\>TYPE AUTOEXEC.OLD
@ECHO OFF
SET COMSPEC=C:\DOS\COMMAND.COM
PROMPT $p$g
PATH C:\WINDOWS.300;C:\BAT;C:\DOS;c:\util;c:\;C:\masm
SET TEMP=C:\
...etc...
These DUMP lines are taken from the ROOT directory dump, above.
1026:00A0  44 4F 53 20 20 20 20 20-20 20 20 10 00 00 00 00   DOS        .....
1026:00B0  00 00 00 00 00 00 1A 40-99 19 53 00 00 00 00 00   .......@..S.....
Primary name: | DOS |
---|---|
Extension: | (none) |
Attribute: | 10h = 0001 0000 (bin) Subdirectory |
Starting Cluster: | 0053h |
Size: | 00000000h bytes (which is not actually true) |
Again we can duplicate the activity of the Operating System in locating this directory.
Based on its starting cluster number of 0053h, it should begin at sector:
211h + (0053h - 2)*4 = 355h
Loading this sector into memory and examining it gives:
-L 0000 2 355 1
-D 0000 00FF
1026:0000  2E 20 20 20 20 20 20 20-20 20 20 10 00 00 00 00   .          .....
1026:0010  00 00 00 00 00 00 1A 40-99 19 53 00 00 00 00 00   .......@..S.....
1026:0020  2E 2E 20 20 20 20 20 20-20 20 20 10 00 00 00 00   ..         .....
1026:0030  00 00 00 00 00 00 1A 40-99 19 00 00 00 00 00 00   .......@........
1026:0040  43 4F 55 4E 54 52 59 20-53 59 53 20 00 00 00 00   COUNTRY SYS ....
1026:0050  00 00 00 00 00 00 00 28-89 16 2B 00 AD 42 00 00   .......(..+..B..
1026:0060  45 47 41 20 20 20 20 20-53 59 53 20 00 00 00 00   EGA     SYS ....
1026:0070  00 00 00 00 00 00 00 28-89 16 34 00 15 13 00 00   .......(..4.....
1026:0080  46 4F 52 4D 41 54 20 20-43 4F 4D 20 00 00 00 00   FORMAT  COM ....
1026:0090  00 00 00 00 00 00 00 28-89 16 37 00 8F 80 00 00   .......(..7.....
1026:00A0  4B 45 59 42 20 20 20 20-43 4F 4D 20 00 00 00 00   KEYB    COM ....
1026:00B0  00 00 00 00 00 00 00 28-89 16 5E 00 8A 3A 00 00   .......(..^..:..
1026:00C0  4B 45 59 42 4F 41 52 44-53 59 53 20 00 00 00 00   KEYBOARDSYS ....
1026:00D0  00 00 00 00 00 00 00 28-89 16 66 00 89 87 00 00   .......(..f.....
1026:00E0  4E 4C 53 46 55 4E 43 20-45 58 45 20 00 00 00 00   NLSFUNC EXE ....
1026:00F0  00 00 00 00 00 00 00 28-89 16 77 00 8C 1B 00 00   .......(..w.....

Although the first two entries appear a little unusual, this is obviously another directory structure.
The first entry has a "Primary name" that is just a "dot"; notice that its "First cluster number" is 0053h, the cluster number of this subdirectory itself.
The second entry has a "Primary name" that is two "dots"; notice that its "First cluster number" is 0000h, the cluster number of the "root" directory, its "parent".
The single dot (.) and double dot (..) notation should be familiar to anyone who has worked in either MS-DOS or UNIX (as used in the command: cd ..). They are simply convenient names for the current and parent directories.
These DUMP lines are taken from the ROOT directory dump, above.
1026:00C0  4D 53 2D 44 4F 53 5F 35-20 20 20 28 00 00 00 00   MS-DOS_5   (....
1026:00D0  00 00 00 00 00 00 56 41-99 19 00 00 00 00 00 00   ......VA........
Name: | MS-DOS_5 |
---|---|
Attribute: | 28h = 0010 1000 (bin) Archive required, Volume label |
Starting Cluster: | 0000h |
Size: | 00000000h bytes |
This is the disk volume label as reported (for example) by the DIR command. There should only be one of these on any disk.
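The four directory entries decoded by hand above can be decoded mechanically, as in this added example (not part of the original page), which also extracts the modification timestamp and flags erased entries. The function names are illustrative assumptions; the offsets are the standard FAT 32-byte entry layout, and the data start (211h) and cluster size (4 sectors) are the values derived from this disk's boot sector.

```python
import struct

# Added example. Values from the boot sector analysis above: data start, cluster size.
DATA_START, SECTORS_PER_CLUSTER = 0x211, 4
FLAGS = {0x01: "Read Only", 0x02: "Hidden", 0x04: "System",
         0x08: "Volume label", 0x10: "Subdirectory", 0x20: "Archive"}

# The four root directory entries examined above, copied from the dump.
ROOT = bytes.fromhex("""
 4D 53 44 4F 53 20 20 20 53 59 53 07 00 00 00 00
 00 00 00 00 00 00 00 28 89 16 13 00 12 92 00 00
 41 55 54 4F 45 58 45 43 4F 4C 44 20 00 00 00 00
 00 00 00 00 00 00 2E 77 66 1D 83 A1 45 01 00 00
 44 4F 53 20 20 20 20 20 20 20 20 10 00 00 00 00
 00 00 00 00 00 00 1A 40 99 19 53 00 00 00 00 00
 4D 53 2D 44 4F 53 5F 35 20 20 20 28 00 00 00 00
 00 00 00 00 00 00 56 41 99 19 00 00 00 00 00 00
""")

def cluster_to_sector(cluster):
    """First sector of a data cluster; clusters below 2 have no data sector."""
    return DATA_START + (cluster - 2) * SECTORS_PER_CLUSTER if cluster >= 2 else None

def decode_entry(e):
    """Decode one entry: name 0-10, attr 11, time 22, date 24, cluster 26, size 28."""
    time, date, cluster, size = struct.unpack_from("<HHHI", e, 22)
    name, ext = (e[a:b].decode("ascii", "replace").rstrip() for a, b in ((0, 8), (8, 11)))
    return {
        "name": name + ("." + ext if ext else ""),
        "deleted": e[0] == 0xE5,              # first byte E5h marks an erased entry
        "attributes": [n for bit, n in FLAGS.items() if e[11] & bit],
        "modified": "%04d-%02d-%02d %02d:%02d:%02d" % (
            1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
            time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2),
        "cluster": cluster, "size": size, "first_sector": cluster_to_sector(cluster),
    }

def decode_directory(raw):
    """Decode 32-byte entries, stopping at the 00h end-of-directory marker."""
    out = []
    for off in range(0, len(raw) - 31, 32):
        if raw[off] == 0x00:
            break
        out.append(decode_entry(raw[off:off + 32]))
    return out

if __name__ == "__main__":
    for entry in decode_directory(ROOT):
        print(entry)
```

The decoded timestamp for AUTOEXEC.OLD agrees with the 11-06-94 2:57p shown by DIR, which is a useful cross-check when reading entries from a raw image.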