I am a huge fan of the webcomic, XKCD, which is a very geeky and amusing comic for those of you who haven’t read it. On Friday, the following comic was posted:
And this of course reminded me of when I first started programming — I started with assembly language in 2000 with an 80286 I got out of the trash. I quickly became interested in low-level system programming, and created a number of MBR-based programs and other random programs in assembly. I haven’t programmed in assembly in a couple years, but this was pretty simple once I started going. 🙂
In any case, the comic has inspired me to write a Windows-based program that can write a “love note” to the MBR and display it when the computer starts. And of course, just for fun it shows the “Missing operating system” message as well. Shown is a screenshot:
OBVIOUSLY this can be a very dangerous program, and could very well destroy your computer. In fact, I would assume any antivirus program worth its salt would detect this as a virus (I haven’t formally tested this assumption). So, don’t use it unless you really know what you’re doing. The number of people that would fit that description is around 0.001% of the population of computer programmers.
DON’TS:
- Don’t use this program if you do not know how to uninstall this program manually. For that reason, there is no uninstaller.
- Don’t use this on 64-bit machines or ones with EFI — I really have no idea if it will work on those machines, but I seriously doubt it would. If you don’t know what EFI is, don’t use this program.
- Don’t use this on machines with GRUB, it will kill your system.
- Don’t use this on any system that is important to you or one that you do not own/control, it may kill that system, and you will get in trouble.
- Don’t use this program if you cannot pass the following quiz without any references. Especially don’t use this program if you have no idea how to decode the answers to the quiz.
Quiz:
- What is the difference between an MBR and a boot sector?
- What does interrupt 0x19 do?
- What offset does the partition table start at in an MBR, and how many bytes is each entry?
- What offset is the “signature” of the MBR located at, and what is it?
Quiz Answers (encoded in ROT13)
- Obbg frpgbef ner qrsvarq cre cnegvgvba, gurer vf bayl bar (hfrq) ZOE.
- Vg vf gur vagreehcg pnyyrq gb obbg sebz n qvfx.
- 0k1OR, fvkgrra olgrf
- Vg vf ybpngrq ng 0k1sr, naq vf 0k55 sbyybjrq ol 0kNN
How it works
You run love.exe in Windows, and it asks you for a message to put on the MBR. After clicking “destroy”, it does it. It will work in XP as administrator. It actually writes the love note to sector 3, the original MBR to sector 2, and a custom MBR to the MBR that displays the note, waits for a key to be pressed, and then loads the original MBR — at which point the computer will continue booting.
I used NASM to compile the MBR code, and Visual Studio 2005 to compile the Windows installation program. I’ve never coded with MFC before, and this experience has not motivated me to do it again anytime in the near future.
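For checking a disk image for the layout described above (a replacement MBR, a saved copy of the original MBR, and a text sector), here is a read-only inspection sketch; it is an added example, not code from love.exe or its source. The function names, the 8-sector scan window, the printable-text heuristic and the sample image are assumptions, and because the post's sector numbering could be 1-based or 0-based, the scan covers every sector near the MBR instead of fixed positions.

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
SIG_OFF = 0x1FE         # boot signature bytes 0x55, 0xAA

def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"

def parse_partitions(sector: bytes):
    """Return (slot, bootable, type, first_lba, sector_count) for used entries."""
    used = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            used.append((slot, status == 0x80, ptype, lba, count))
    return used

def leading_text(sector: bytes) -> str:
    """Printable ASCII at the start of a sector, up to the first other byte."""
    end = 0
    while end < len(sector) and (32 <= sector[end] < 127 or sector[end] in (10, 13)):
        end += 1
    return sector[:end].decode("ascii")

def inspect_gap(image: bytes, scan_sectors: int = 8, min_text: int = 12):
    """Flag sectors after LBA 0 that look like a stashed MBR or a text note."""
    findings = {"mbr_valid": has_boot_signature(image[:SECTOR]),
                "stashed_mbr": [], "text": []}
    for lba in range(1, scan_sectors):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sec) < SECTOR:
            break
        if has_boot_signature(sec):  # a second MBR-shaped sector in the gap
            findings["stashed_mbr"].append((lba, parse_partitions(sec)))
        elif len(leading_text(sec)) >= min_text:  # heuristic, format is assumed
            findings["text"].append((lba, leading_text(sec)))
    return findings

def build_sample() -> bytes:
    """Constructed 8-sector image: filler 'hook' at LBA 0, saved MBR at 1, note at 2."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)  # one constructed entry
    original = bytes(PART_TABLE_OFF) + entry + bytes(48) + b"\x55\xaa"
    hook = b"\x90" * PART_TABLE_OFF + entry + bytes(48) + b"\x55\xaa"  # not real code
    note = b"constructed sample note".ljust(SECTOR, b"\x00")
    return hook + original + note + bytes(5 * SECTOR)

if __name__ == "__main__":
    print(inspect_gap(build_sample()))
```

A hit in `stashed_mbr` tells you which sector holds a candidate original MBR and what partition table it carries, which is what you would compare against sector 0 before attempting any repair.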
If you have any questions/comments/bug reports for this, feel free to contact me.
Download link: http://www.virtualroadside.com/software/
Note: In response to the comment by Criveti Mihai, the binary for the MBR sector actually is in the zip file at src/love/love/mbr.bin .. except if you were to install it via DD, you would need to install a message on sector 3 as well.
Note II: apparently the 4th answer to the quiz was incorrect for the last year or so… heh. Told you it was hard! Anyways, thanks to cm for pointing this out.
The encoded answer to question 4 is wrong. You swapped the low and high byte. It’s easy to remember this because in NASM’s alternative hex representation (appending ‘h’) which requires a leading decimal digit, the signature word does require a leading zero. (Unless you’re working on a big-endian machine, but you can’t write programs for any big-endian CPU using NASM.)
For anyone curious about playing around with this, you *MIGHT* be able to get away with it on a normal VirtualBox installation, but BE VERY CAREFUL, especially if there is important info on the computer or virtual computer. In general, you should not be playing with this on any remotely important machine, just as you shouldn’t be playing with atomic bombs outside the Nevada Desert.
I rather think you shouldn’t be playing with atomic bombs *inside* the Nevada Desert…
I JUST RAN THIS ON MY COMPUTER AND NOW WHEN I TURN IT ON NOTHING HAPPENS!!! HELPPPPP
SERIOUSLY MY MOM IS GOING TO BE SO PISSEDDDD!!!
Jorge, you’re a douche for installing it on her computer, you really should have just left it, the only way to recover this easily is to put your windows disk in and use the recovery tools on it, they “should” re-write the MBR to the boot sector, if not then you will have to re-install windows, and again, you’re a douche
@person1873
Where is the partition table written? Does overwriting the MBR also kill your whole harddrive (making everything seem like it vanished)?
Personally I would’ve designed it as following:
Clone the mbr to a binary file, store it on the hdd and remember the offset on disk
Write new mbr, including a hook to unbork the machine (I like being a dick but not a complete dick, I’d end up having to fix it anyway), this unborking hook could then either draw more messages or otherwise do whatever before restoring the MBR.
The potential caveats of this are of course many, if the user defragments the drive, if the OS passively moves things around to prevent fragmentation or if the drive is compressed then this will probably fail horrendously (and as with anything there are workarounds but that’d require writing a microkernel that can read popular file systems to find the file itself, and search operations are expensive, not to mention to curb compression it’d have to support the compression schemes in use which isn’t brilliant)
Oh and this of course assumes the MBR image is entirely written in one piece without fragmentation, this should be the case most of the time since the MBR takes up one sector, but I could imagine scenarios when this doesn’t happen (most often if people mess with the drive settings to make the sectors appear smaller or if the drive is very close to full, assuming the os and hardware lets you write past sector boundaries)
so… needless complexity is needed to curb pitfalls, in which case I’d probably fork grub, and keep the bootloader functionality in to make it not explode on grub systems (would still brutally bork syslinux and lil0 systems, perhaps one should have a check for which bootloader is used and save that binary data as well along with a config for where exactly the file paths are, to prevent a search operation from having to take place).
But now I’m just rambling about how I would solve a silly problem on a post that is almost a decade old, seems kind of redundant but w/e
Yes, yes you are. 🙂
Wow what a smug, pretentious nerd.