hi Borg. Just got a little time this morning and I've got the entry point. Sorry, only a very raw disassembly. Just in case you are really keen to know. I don't have much time to explain it.
Disassembly of ACORP 4865GQET with etBIOS (4865GQET14.BIN)
E_seg:9A3E call init_descriptor_cache
E_seg:9A41 call search_ET_BIOS_sign_pos
E_seg:9A44 jb sign_not_found
E_seg:9A48 call relocate_ET_BIOS ; relocate ET_BIOS to right-above 1MB
E_seg:9A4B mov esi, 100000h ; hmmm... 1MB area
E_seg:9A51 mov eax, 54453EEBh ; is ET_BIOS signature is ok?
E_seg:9A57 cmp [esi], eax
E_seg:9A5B jnz sign_not_found
E_seg:9A5F jmp short ET_BIOS_sign_found
.................
E_seg:9A67 ET_BIOS_sign_found: ; CODE XREF: init_ET_BIOS+60j
E_seg:9A67 test byte ptr [esi+1Ch], 10h
E_seg:9A6C jnz short no_ctlr_reset
E_seg:9A6E call reset_IDE_n_FDD_ctlr
E_seg:9A71
E_seg:9A71 no_ctlr_reset: ; CODE XREF: init_ET_BIOS+6Dj
E_seg:9A71 mov edi, 100000h
E_seg:9A77 mov dword ptr es:[edi+24h], 4000000h
E_seg:9A81 mov bx, [esi+10h]
E_seg:9A85 cmp bx, 0
E_seg:9A88 jz short no_vesa_init
E_seg:9A8A mov ax, 4F02h
E_seg:9A8D int 10h ; - VIDEO - VESA SuperVGA BIOS - SET SuperVGA VIDEO MODE
E_seg:9A8D ; BX = mode, bit 15 set means don't clear video memory
E_seg:9A8D ; BX = bit 15 set means don't clear video memory
E_seg:9A8D ; Return: AL = 4Fh function supported
E_seg:9A8D ; AH = 00h successful, 01h failed
E_seg:9A8F
E_seg:9A8F no_vesa_init: ; CODE XREF: init_ET_BIOS+89j
E_seg:9A8F jmp short init__ET_BIOS_binary
................
E_seg:9A99 init__ET_BIOS_binary: ; CODE XREF: init_ET_BIOS:no_vesa_initj
E_seg:9A99 mov es:[edi+12h], al
E_seg:9A9E mov si, 19CEh
E_seg:9AA1 call setup_menu?
E_seg:9AA4 mov si, 99F7h
E_seg:9AA7 add si, ax
E_seg:9AA9 mov al, cs:[si]
E_seg:9AAC mov es:[edi+21h], al
E_seg:9AB1 call init_GDT
E_seg:9AB4 xor ebx, ebx
E_seg:9AB7 xor ecx, ecx
E_seg:9ABA mov bx, 99F1h
E_seg:9ABD mov cx, cs
E_seg:9ABF shl ecx, 4
E_seg:9AC3 add ecx, ebx
E_seg:9AC6 push ecx
E_seg:9AC8 xor eax, eax
E_seg:9ACB mov ax, 8
E_seg:9ACE push eax ; push code selector number (32-bit P-Mode selector)
E_seg:9AD0 mov ax, 9B1Bh ; addr following after retf (below)
E_seg:9AD3 xor ecx, ecx
E_seg:9AD6 mov cx, cs
E_seg:9AD8 shl ecx, 4 ; ecx = phy_addr(cs)
E_seg:9ADC add eax, ecx
E_seg:9ADF push eax
E_seg:9AE1 xor eax, eax
E_seg:9AE4 xor ecx, ecx
E_seg:9AE7 mov cx, ss
E_seg:9AE9 shl ecx, 4
E_seg:9AED mov ax, sp
E_seg:9AEF add ecx, eax
E_seg:9AF2 mov edi, 100000h ; edi = phy_addr_copy_of_et_BIOS
E_seg:9AF8 cli
E_seg:9AF9 lgdt qword ptr cs:word_E000_99F1
E_seg:9AFF mov eax, cr0
E_seg:9B02 or eax, 1 ; enter p-mode
E_seg:9B06 mov cr0, eax
E_seg:9B09 mov ax, 10h
E_seg:9B0C mov ds, ax
E_seg:9B0E assume ds:nothing
E_seg:9B0E mov es, ax
E_seg:9B10 assume es:nothing
E_seg:9B10 mov fs, ax
E_seg:9B12 assume fs:nothing
E_seg:9B12 mov gs, ax
E_seg:9B14 assume gs:nothing
E_seg:9B14 mov ss, ax
E_seg:9B16 assume ss:nothing
E_seg:9B16 mov esp, ecx
E_seg:9B19 db 66h
E_seg:9B19 retf ; jump below in P-Mode
E_seg:9B19 init_ET_BIOS endp ; sp = -3Ch
E_seg:9B19
E_seg:9B19 E_seg ends
E_seg:9B19
_exec_et_bios:0000000B ; ---------------------------------------------------------------------------
_exec_et_bios:0000000B ; ===========================================================================
_exec_et_bios:0000000B
_exec_et_bios:0000000B ; Segment type: Regular
_exec_et_bios:0000000B _exec_et_bios segment byte public '' use32
_exec_et_bios:0000000B assume cs:_exec_et_bios
_exec_et_bios:0000000B ;org 0Bh
_exec_et_bios:0000000B assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
_exec_et_bios:0000000B call edi ; call 10000:0000h (ET_BIOS:00000000h)
_exec_et_bios:0000000D pop ebx
_exec_et_bios:0000000E
_exec_et_bios:0000000E loc_E9B1_E:
_exec_et_bios:0000000E lgdt qword ptr [ebx]
_exec_et_bios:00000011 db 67h
_exec_et_bios:00000011 jmp small far ptr 20h:9B28h
....................................
E_seg:9C7A relocate_ET_BIOS proc near ; CODE XREF: init_ET_BIOS+49p
E_seg:9C7A ; Copy the ET_BIOS image located by search_ET_BIOS_sign_pos to physical 1MB.
E_seg:9C7A ; In:  esi = address of the ET_BIOS image (the dword EB 3E 45 54 = jmp short / 'ET')
E_seg:9C7A ; Out: esi/edi advanced past the copied data; CF = 0 (there is no failure path)
E_seg:9C7A ; Clobbers: ecx, esi, edi, DF (cleared), flags
E_seg:9C7A ; NOTE(review): the copy length is taken from the image's own header dword at
E_seg:9C7A ; [esi+4] (the field the ET_BIOS listing labels "encoded etBIOS size") and is
E_seg:9C7A ; never bounded, so a corrupt or oversized header value makes rep movsd write
E_seg:9C7A ; past the intended 1MB region. es must already address memory above 1MB --
E_seg:9C7A ; presumably set up by init_descriptor_cache; confirm.
E_seg:9C7A mov edi, 100000h ; edi = target_addr (1MB)
E_seg:9C80 mov ecx, [esi+4] ; ecx = size dword from the image header (offset 4)
E_seg:9C85 add ecx, 3FFh
E_seg:9C8C and ecx, 0FFFFFC00h ; round size UP to a 1KB multiple: (size + 1023) & ~1023 -- not a modulo
E_seg:9C93 shr ecx, 2 ; byte count -> dword count for movsd
E_seg:9C97 cld ; forward copy
E_seg:9C98 rep movs dword ptr es:[edi], dword ptr [esi] ; ds:[esi] -> es:[edi], ecx dwords, no destination bound
E_seg:9C9C clc ; CF = 0: unconditional "success"
E_seg:9C9D retn
E_seg:9C9D relocate_ET_BIOS endp
E_seg:9C9E search_ET_BIOS_sign_pos proc near ; CODE XREF: init_ET_BIOS+42p
E_seg:9C9E ; Scan the window [FFF80000h, FFFF0000h) in 16-byte steps for the ET_BIOS
E_seg:9C9E ; header dword EB 3E 45 54 ('jmp short +3Eh' followed by the 'ET' marker).
E_seg:9C9E ; Out: CF = 0 and esi = address of the match, or CF = 1 if none was found
E_seg:9C9E ; (esi = FFFF0000h in that case). Clobbers: eax, esi, flags.
E_seg:9C9E ; NOTE(review): these 4 bytes are the only identity check for the image; no
E_seg:9C9E ; checksum or length validation happens here, and in the visible listing the
E_seg:9C9E ; caller only repeats the same 4-byte compare after relocation.
E_seg:9C9E mov esi, 0FFF80000h ; esi = start of scan window (just below the 4GB top, presumably the flash alias -- confirm)
E_seg:9CA4 mov eax, 54453EEBh ; eax = et_bios first 4-bytes (including signature)
E_seg:9CAA
E_seg:9CAA next_16_bytes: ; CODE XREF: search_ET_BIOS_sign_pos+1Dj
E_seg:9CAA cmp [esi], eax ; dword at candidate == header dword?
E_seg:9CAE jz short exit ; found: leave esi pointing at the image
E_seg:9CB0 add esi, 16 ; candidates are assumed to be 16-byte aligned
E_seg:9CB4 cmp esi, 0FFFF0000h ; end of scan window (exclusive)
E_seg:9CBB jb short next_16_bytes ; unsigned compare -- required, these addresses have bit 31 set
E_seg:9CBD stc ; CF = 1: not found
E_seg:9CBE retn
E_seg:9CBF ; ---------------------------------------------------------------------------
E_seg:9CBF
E_seg:9CBF exit: ; CODE XREF: search_ET_BIOS_sign_pos+10j
E_seg:9CBF clc ; CF = 0: found, esi = image address
E_seg:9CC0 retn
E_seg:9CC0 search_ET_BIOS_sign_pos endp
..................
=====> here comes et_bios binary <============
ET_BIOS:00000000 loc_10000_0:
ET_BIOS:00000000 jmp short et_bios_start
ET_BIOS:00000000 ; ---------------------------------------------------------------------------
ET_BIOS:00000002 aEt db 'ET' ; ET BIOS signature
ET_BIOS:00000004 dw 0FC73h ; encoded etBIOS size
...........................
ET_BIOS:00000040 et_bios_start: ; CODE XREF: ET_BIOS:loc_10000_0j
ET_BIOS:00000040 cli
ET_BIOS:00000041 mov ds:1F3BA0h, esp
ET_BIOS:00000047 mov esp, 1F8000h
ET_BIOS:0000004C cld
ET_BIOS:0000004D lgdt qword ptr ds:1000A8h
ET_BIOS:00000054 pushf
ET_BIOS:00000055 pop eax
ET_BIOS:00000056 and ah, 0BFh
ET_BIOS:00000059 push eax
ET_BIOS:0000005A popf
ET_BIOS:0000005B call sub_10000_10A8
ET_BIOS:00000060 sub eax, eax
ET_BIOS:00000062 mov edi, 1A8010h
ET_BIOS:00000067 mov ecx, 1F3B94h
ET_BIOS:0000006C sub ecx, edi
ET_BIOS:0000006E shr ecx, 1
ET_BIOS:00000071 shr ecx, 1
ET_BIOS:00000074 rep stosd
ET_BIOS:00000076 call near ptr unk_10000_23D0 ; still need some research
ET_BIOS:0000007B jmp short return_to_system_bios
............................
ET_BIOS:00000081 return_to_system_bios: ; CODE XREF: ET_BIOS:0000007Bj
ET_BIOS:00000081 cli
ET_BIOS:00000082 mov ds:100033h, al
ET_BIOS:00000087 mov esp, ds:1F3BA0h
ET_BIOS:0000008D retn
mind you that the et_bios binary is executed in 32-bit protected mode. I guess that's because the code is compiled with EGCS (which was only able to emit plain 32-bit binaries back then). Anyway, I haven't dug deeper. But it seems there is indeed some kind of decompressor.
some hints:
--------------
E_seg --> lower 64KB of original.tmp. The routine above is called from one of the POST jump table entries (not directly; some calls exist in between).
The descriptor table that's used to switch to P-Mode prior to et_bios execution is initialized dynamically.
greetz,
a.k.a Pinczakko