MBR debugging with Bochs

When we turn on a computer, the first code that runs is from the BIOS (Basic Input/Output System), a program embedded in the CPU. It performs a power-on self-test (POST) that makes sure the connected hardware is working properly. The BIOS then reads the master boot record (MBR) from the first sector of the designated boot disk, loads it into memory and passes execution to it. The MBR contains the bootstrap loader, which is responsible for loading an operating system.

If, for example, we want to debug a given MBR image, we can do that with an emulator called Bochs. Bochs can be downloaded from http://bochs.sourceforge.net/.

To test this out, we have provided a disk image that can be downloaded from https://github.com/PacktPublishing/Mastering-Reverse-Engineering/blob/master/ch8/mbrdemo.zip. This ZIP archive extracts to about 10MB. The file contains the mre.bin disk image and the bochsrc image configuration file that will be passed to Bochs.

If we open mre.bin in IDA Pro, we can statically analyze the MBR code. MBR code almost always starts at address 0x7c00. It is 16-bit code that uses hardware interrupts to control the computer.

When loading the file in IDA Pro, make sure to change the loading offset to 0x7c00, as shown in the following screenshot:

When asked about the disassembly mode, choose 16-bit mode. Since everything is still undefined, we need to turn the data into code. Select the first byte code, right-click to open the context menu, then select Code, as shown here:

When converted into disassembly code, we can see that IDA Pro was also able to identify the interrupt functions and how these are used. The following screenshot shows 16-bit disassembly and the use of interrupt 13h to read data from disk sectors:
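To make the static view more concrete, the following script is an added example (not code from the book or its mbrdemo archive). It parses a raw 512-byte boot sector the way the BIOS sees it: checks the 55 AA boot signature, decodes the four partition table entries, and maps a file offset inside the sector to the address IDA and Bochs show once the sector is loaded at 0x7c00. The sample sector it builds is constructed for the demonstration and is not mre.bin; pass a real image path to load_mbr to parse your own.

```python
import struct

SECTOR_SIZE = 512
MBR_LOAD_ADDRESS = 0x7C00
BOOT_SIGNATURE = 0xAA55          # stored little-endian as bytes 55 AA at offset 510
PARTITION_TABLE_OFFSET = 446     # 446 bytes of boot code precede the partition table
PARTITION_ENTRY_SIZE = 16        # four entries of 16 bytes each


def decode_chs(cyl_byte: int, head: int, sect_cyl: int) -> tuple:
    """Unpack the packed CHS triple: cylinder's high two bits live in sect_cyl."""
    cylinder = cyl_byte | ((sect_cyl & 0xC0) << 2)
    sector = sect_cyl & 0x3F
    return (cylinder, head, sector)


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry."""
    (boot_flag, head_s, sect_cyl_s, cyl_s,
     part_type, head_e, sect_cyl_e, cyl_e,
     lba_start, sector_count) = struct.unpack("<BBBBBBBBII", entry)
    return {
        "bootable": boot_flag == 0x80,
        "type": part_type,
        "chs_start": decode_chs(cyl_s, head_s, sect_cyl_s),
        "chs_end": decode_chs(cyl_e, head_e, sect_cyl_e),
        "lba_start": lba_start,
        "sector_count": sector_count,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split a boot sector into boot code, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be exactly {SECTOR_SIZE} bytes, got {len(sector)}")
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[off:off + PARTITION_ENTRY_SIZE]
        if entry == b"\x00" * PARTITION_ENTRY_SIZE:
            continue  # unused slot
        partitions.append(parse_partition_entry(entry))
    return {
        "valid_signature": signature == BOOT_SIGNATURE,
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
    }


def file_offset_to_address(offset: int) -> int:
    """A byte at file offset N of the sector sits at 0x7C00 + N after the BIOS
    loads it, which is the address to use for IDA's load base and Bochs' lb."""
    if not 0 <= offset < SECTOR_SIZE:
        raise ValueError("offset lies outside the boot sector")
    return MBR_LOAD_ADDRESS + offset


def load_mbr(path: str) -> dict:
    """Read the first sector of a disk image file and parse it."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not the book's mre.bin): a 'cli; jmp $' stub that
    hangs forever, zero padding, one active partition entry and the 55 AA signature."""
    code = b"\xFA\xEB\xFE".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = struct.pack("<BBBBBBBBII",
                        0x80, 0x01, 0x01, 0x00,      # active; CHS start (0,1,1)
                        0x83, 0xFE, 0xFF, 0xFF,      # type 0x83; CHS end (1023,254,63)
                        2048, 65536)                 # LBA start and sector count
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + b"\x55\xAA"


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print("signature ok:", mbr["valid_signature"])
    print("first code bytes at 0x%X:" % file_offset_to_address(0), mbr["boot_code"][:3].hex())
    for p in mbr["partitions"]:
        print(p)
```

Running it on an image whose signature check fails is itself a useful hint: the BIOS will not hand control to such a sector, so the 0x7c00 breakpoint in Bochs would never be hit.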

To debug the MBR with Bochs, we will have to make sure that bochsrc contains the following line:

display_library: win32, options="gui_debug"

This line enables the use of the Bochs GUI debugger.

If we have a different disk image, we can change the file name of the disk image in the ata0-master line. In this demo, the disk image's filename is mre.bin:

ata0-master: type=disk, path="mre.bin", mode=flat

To emulate the disk image, execute these commands:

set $BXSHARE=C:\Program Files (x86)\Bochs-2.6.8
"C:\Program Files (x86)\Bochs-2.6.8\bochsdbg.exe" -q -f bochsrc

You might need to change C:\Program Files (x86)\Bochs-2.6.8 to the path where you installed Bochs. Note that, for the $BXSHARE environment variable, there are no quotes.

Here, Bochs was installed under a Windows environment. The paths can be changed if working in a Linux environment.

Once running, the console will be filled up with logged lines, as shown here:

This will bring up the debugging console, which should look like the one shown in this screenshot:

Another window that shows the output should also appear:

The MBR code begins at the 0x7c00 address. We will have to place a breakpoint at 0x7c00. Bochs GUI has a command line where we get to set the breakpoints at specified addresses. This is located at the bottom of the window. See the highlighted area in the following screenshot:

To set a breakpoint at 0x7c00, enter lb 0x7c00. To see the list of commands, enter help. The most commonly used commands are the following:

c              Continue/Run
Ctrl-C         Break current execution
s [count]      Step; count is the number of instructions to step
lb address     Set breakpoint at address
bpe n          Enable breakpoint, where n is the breakpoint number
bpd n          Disable breakpoint, where n is the breakpoint number
del n          Delete breakpoint, where n is the breakpoint number
info break     List the breakpoints and their respective numbers

The GUI has also mapped keyboard keys to these commands. Select the Command menu to view them.

Press F5 to continue execution until it reaches the MBR code at 0x7c00. We should now see the same disassembly that we saw in IDA Pro. We can then press F11 to step through each instruction:

At some point, the code enters an endless loop. If we look at the output window, the end result should show the same message as in the following screenshot:
