; Kon-B00t VGA display code
; Syntax: Intel operand order, 16-bit real mode; each line is "offset  opcode bytes  instruction".
; Uses 186+ (pusha, push imm, imul imm) and 386+ (32-bit registers) instructions.
; executed at 0000h:2C00h (absolute operands such as [cs:2C77h] = listing offset + 2C00h)
; es:bx = 9XXXh:0000h, 41 KB allocated memory & 128 sectors read in there, data
; NOTE(review): 41 KB does not match the 64 KB (128 sectors) stated below - confirm the allocation size
; 2 sectors from sector LBA 10
; 126 sectors from sector LBA 12
; 128 sectors = 64 KB, most probably some picture data
; ds:0000h = picture data (like es)
; this module handles VGA display
; The code visible here only draws the splash picture, fades the palette, scrolls the
; banner text and waits for a key; it then far-returns to 0000h:7C93h.
00000000 90 nop
; display the initial picture (the picture data is passed in ds:0000h)
00000001 E8B300 call word Display_Raw_Picture
00000004 E80201 call word Clear_768_bytes_Buffer ; zero 768 bytes at es:di (di is not set in this module before the call)
; get the current video mode
00000007 B40F mov ah,0Fh ; Function 0Fh = Get Current Video Mode
00000009 CD10 int 0x10 ; Video Interrupt, al = display mode, bh = active page
0000000B 50 push ax ; remember the display mode (al); popped again at 006Ch
0000000C 1E push ds ; remember the picture segment; popped again at 0052h
; set the video mode to 13h = G 40x25 8x8 320x200 256 colours A000 VGA
0000000D B81300 mov ax,0013h ; Function 00h = Set Video Mode
00000010 CD10 int 0x10
; reset the palette using the zeroed 768 bytes
; (presumably the buffer cleared above is the one Set_VGA_Palette reads at ds+0FF0h:0000h - TODO confirm)
00000012 E8DB00 call word Set_VGA_Palette
; display the picture using the new video mode
00000015 E89F00 call word Display_Raw_Picture
; fade in: scale the source palette by bx/32 for bx = 0..31
00000018 33DB xor bx,bx ; palette multiplier, counts up from 0
Loop_Palette_1:
0000001A E85701 call word Wait_For_Vertical_Retrace_Sync
0000001D E82301 call word Clone_Palette
00000020 E8CD00 call word Set_VGA_Palette
00000023 B80A00 mov ax,10
00000026 E8EE00 call word Wait_Refresh_Cycle ; wait 10 units (10 * 19E5h / 64h = 662 refresh toggles)
00000029 43 inc bx ; next time
0000002A 83FB20 cmp bx,byte +0x20 ; 32 (20h) iterations
0000002D 75EB jnz Loop_Palette_1
0000002F E85001 call word Get_Font_Pointer ; from here on ds:si = ROM 8x8 font (ds no longer the picture)
00000032 33DB xor bx,bx
Show_User_Interface_Animation:
00000034 E85B01 call word Display_KryptosLogic_Message ; display the message
00000037 B8F000 mov ax,0xf0
0000003A E8DA00 call word Wait_Refresh_Cycle ; wait 240 units (240 * 19E5h / 64h = 15909 refresh toggles)
0000003D 1E push ds ; keep the font segment
0000003E 06 push es
0000003F 1F pop ds ; set ds to es
00000040 E87400 call word Display_Raw_Picture ; redraw the picture, which erases the text drawn above
00000043 1F pop ds ; ds = font segment again
00000044 43 inc bx ; multiplier for the displayed message position
; NOTE(review): no routine visible in this listing reads this counter; the scroll
; position is kept in FPU_Data_5 instead - confirm whether bx is dead here
00000045 83FB0A cmp bx,byte +0xa ; within range (10)?
00000048 7C02 jl Within_Range ; encoded target is 004Ch, i.e. the line labelled Something_1 below
0000004A 33DB xor bx,bx ; otherwise wrap around
Something_1:
0000004C B401 mov ah,0x1 ; 01h Check For Keystroke
0000004E CD16 int 0x16 ; ZF set = no key waiting; the key is not removed from the buffer
00000050 74E2 jz Show_User_Interface_Animation ; if not, repeat
00000052 1F pop ds ; restore the picture segment pushed at 000Ch
; fade out: scale the source palette by bx/32 for bx = 32..1
00000053 BB2000 mov bx,0x20 ; palette multiplier, counts down from 32
Loop_Palette_2:
00000056 E81B01 call word Wait_For_Vertical_Retrace_Sync
00000059 E8E700 call word Clone_Palette
0000005C E89100 call word Set_VGA_Palette
0000005F B80A00 mov ax,10
00000062 E8B200 call word Wait_Refresh_Cycle ; wait 10 units (662 refresh toggles)
00000065 4B dec bx ; next time
00000066 75EE jnz Loop_Palette_2
; read the keystroke (the one detected by function 01h above is still in the buffer)
00000068 32E4 xor ah,ah ; Function 00h = Get Keystroke
0000006A CD16 int 0x16 ; Keyboard Interrupt
; reset to the original video mode
0000006C 58 pop ax ; restore the original mode
0000006D B400 mov ah,0x0 ; Function 00h = Set Video Mode
0000006F CD10 int 0x10 ; Video Interrupt
; return to the boot sector: build a far return address on the stack and retf to it
00000071 6A00 push byte +0x0 ; segment = 0000h
00000073 68937C push word 0x7c93 ; offset = 7C93h
00000076 CB retf
; some interesting data:
; (word variables stored inside the code segment; the code reads and writes them through cs:)
00000077 FPU_Data_1 dw 00B4h ; = 180
00000079 FPU_Data_2 dw 0000h ; result slot written by fistp below
0000007B FPU_Data_3 dw 0004h ; amplitude factor applied after fsin
0000007D FPU_Data_4 dw 0005h
0000007F FPU_Data_5 dw 0130h ; = 304; Display_KryptosLogic_Message uses it as the text x position
00000081 FPU_Data_6 dw 0005h
; some interesting FPU function:
; No call in this listing targets offset 0083h, so the routine appears to be unused here.
; Computes ax = round(FPU_Data_3 * sin(k * FPU_Data_4 * FPU_Data_5 + FPU_Data_6)),
; where k is the quotient of 180 and pi produced by fdivp.
; NOTE(review): DE F9 is FDIVP ST(1),ST(0) in the Intel encoding, which gives k = 180/pi
; rather than pi/180 - confirm the operand order against the assembler that was used.
; Clobbers: ax, the FPU state (finit), and FPU_Data_2.
00000083 9BDBE3 finit
00000086 2EDF06772C fild word [cs:FPU_Data_1] ; st0 = 180
0000008B D9EB fldpi ; st0 = pi, st1 = 180
0000008D DEF9 fdivp st1 ; st0 = k (see the note above)
0000008F 2EDF067D2C fild word [cs:FPU_Data_4]
00000094 DEC9 fmulp st1 ; st0 = k * FPU_Data_4
00000096 2EDF067F2C fild word [cs:FPU_Data_5]
0000009B DEC9 fmulp st1 ; st0 = k * FPU_Data_4 * FPU_Data_5
0000009D 2EDF06812C fild word [cs:FPU_Data_6]
000000A2 DEC1 faddp st1 ; st0 += FPU_Data_6
000000A4 D9FE fsin
000000A6 2EDF067B2C fild word [cs:FPU_Data_3]
000000AB DEC9 fmulp st1 ; st0 = FPU_Data_3 * sin(...)
000000AD 2EDF1E792C fistp word [cs:FPU_Data_2] ; round to integer and store
000000B2 2EA1792C mov ax,[cs:FPU_Data_2] ; return value in ax
000000B6 C3 ret
Display_Raw_Picture:
; copies a raw picture from ds:0000h to A000h:0000h
; In:    ds = segment of the picture data
; Out:   nothing; es and all 16-bit general registers are preserved
; Side effect: the direction flag is left cleared (cld is not undone)
; The copy is 7D00h words = 64000 bytes, which is one 320x200 frame at 1 byte per pixel
; (mode 13h layout; the 320-byte stride matches Display_Text_In_Line).
000000B7 06 push es ; of course store register contents
000000B8 60 pushaw
000000B9 B800A0 mov ax,0A000h ; = VGA buffer
000000BC 8EC0 mov es,ax ; es will point to it
000000BE 33FF xor di,di ; destination = A000h:0000h
000000C0 33F6 xor si,si ; source = ds:0000h
000000C2 B9007D mov cx,0x7d00 ; size = 32000 * 2 bytes
000000C5 FC cld ; copy upwards
000000C6 F3A5 rep movsw ; copy!
000000C8 61 popaw ; restore the register contents
000000C9 07 pop es
000000CA C3 ret
Erase_VGA_memory: ; (unused)
; erasing the VGA memory: fills A000h:0000h with 7D00h zero words (64000 bytes)
; Out:   nothing; es and all 16-bit general registers are preserved
; Side effect: the direction flag is left cleared
000000CB 06 push es
000000CC 60 pushaw
000000CD B800A0 mov ax,0A000h ; = VGA buffer
000000D0 8EC0 mov es,ax
000000D2 33FF xor di,di ; destination = A000h:0000h
000000D4 33C0 xor ax,ax ; store zeroes
000000D6 B9007D mov cx,0x7d00 ; size = 32000 * 2 bytes
000000D9 FC cld
000000DA F3AB rep stosw
000000DC 61 popaw ; restore the register contents
000000DD 07 pop es
000000DE C3 ret
Set_VGA_Palette_2: ; (unused)
; sets a new palette (source = ds:FC00h) using the Digital-Analog Converter Registers
; In:    ds = segment holding the palette at offset FC00h
; Clobbers: al, cx, dx, si
; No cld here: outsb advances si upwards only if the caller left the direction flag clear.
000000DF 32C0 xor al,al ; register zero = Palette
000000E1 BAC803 mov dx,0x3c8 ; 3C8h PEL Address Register
000000E4 EE out dx,al ; select register 0, writing palette to data port
000000E5 42 inc dx ; 3C9h PEL Data Register
000000E6 B90003 mov cx,768 ; data (palette) size = 768 bytes (256 entries * 3)
000000E9 BE00FC mov si,0xfc00 ; ds:FC00h (FF00h was the first palette)
000000EC F36E rep outsb ; write out
000000EE C3 ret
000000EF C3 ret ; JUNK (unreachable second ret)
Set_VGA_Palette:
; sets a new palette (source = ds:FF00h) using the Digital-Analog Converter Registers
; In:    ds = base segment; the palette is read from (ds+0FF0h):0000h, the same linear
;        address as ds:FF00h
; Out:   nothing; ds is preserved
; Clobbers: ax, cx, dx, si
; No cld here: outsb advances si upwards only if the caller left the direction flag clear.
; NOTE(review): 768 bytes starting at ds:FF00h end 200h bytes past a 64 KB block at ds:0000h;
; confirm that the allocation covers the tail.
000000F0 1E push ds
000000F1 8CD8 mov ax,ds ; get data segment
000000F3 05F00F add ax,0xff0 ; + FF0h, = + 63,75 KB
000000F6 BE0000 mov si,0x0 ; offset = 0000h
000000F9 8ED8 mov ds,ax ; segment = somewhere at end of memory + 0FF0h
000000FB 32C0 xor al,al ; register zero = Palette
000000FD BAC803 mov dx,0x3C8 ; 3C8h PEL Address Register
00000100 EE out dx,al ; select register 0, writing palette to data port
00000101 42 inc dx ; 3C9h PEL Data Register
00000102 B90003 mov cx,768 ; data (palette) size = 768 bytes (256 entries * 3)
00000105 F36E rep outsb ; write out!
00000107 1F pop ds
00000108 C3 ret
Clear_768_bytes_Buffer:
; clearing es:di: writes 768 zero bytes starting at es:di
; In:    es:di = start of the buffer (di is taken from the caller; it is not set here)
; Clobbers: ax, cx, di
; No cld here: stosb fills upwards only if the caller left the direction flag clear.
; NOTE(review): if di + 768 exceeds FFFFh the 16-bit offset wraps to the start of the
; segment - confirm the value of di at the call site.
00000109 06 push es ; store es even it won't be modified
0000010A 8CC0 mov ax,es ; this is a joke
0000010C 8EC0 mov es,ax ; is it (these 2 instructions have no effect)
0000010E B90003 mov cx,768 ; size = 768 bytes
00000111 32C0 xor al,al ; overwrite it with zeroes
00000113 F3AA rep stosb
00000115 07 pop es
00000116 C3 ret
Wait_Refresh_Cycle:
; busy-waits for eax * 19E5h / 64h toggles of the refresh bit (port 61h, bit 4)
; In:    eax = delay units; 19E5h / 64h = 6629 / 100, so about 66 toggles per unit
;        (presumably about 1 ms per unit with the usual ~15 us refresh toggle - TODO confirm)
; Out:   nothing; the 16-bit general registers are preserved by pushaw/popaw
; Clobbers: the upper 16 bits of eax, ebx, ecx and edx (pushaw saves only the low halves)
; NOTE(review): the callers in this listing load only ax, so the upper half of eax is
; whatever was there before; a large stale value would lengthen the wait or make the
; div overflow - confirm that it is zero at the call sites.
00000117 60 pushaw
00000118 66BBE5190000 mov ebx,0x19e5
0000011E 66B964000000 mov ecx,0x64
00000124 66F7E3 mul ebx ; * 19E5h (edx:eax = eax * ebx)
00000127 66F7F1 div ecx ; / 64h
0000012A 668BC8 mov ecx,eax ; ecx = number of toggles to wait for
0000012D E461 in al,0x61 ; System Control Port
0000012F 2410 and al,00010000b ; bit 4: toggles with each refresh request
00000131 8AE0 mov ah,al ; ah = last state seen
Wait_Refresh_Cycle_Loop:
00000133 E461 in al,0x61 ; System Control Port
00000135 2410 and al,00010000b ; bit 4: toggles with each refresh request
00000137 3AC4 cmp al,ah ; unchanged since the last sample?
00000139 74F8 jz Wait_Refresh_Cycle_Loop ; yes: keep polling
0000013B 8AE0 mov ah,al ; remember the new state; each change of the bit counts once
0000013D 6649 dec ecx ; in a loop
0000013F 75F2 jnz Wait_Refresh_Cycle_Loop
00000141 61 popaw
00000142 C3 ret
Clone_Palette:
; Scales the 768-byte source palette into the working palette:
; dest[i] = (src[i] * bl) >> 5, i.e. src * bl / 32
; In:    bl = multiplier (the callers pass 0..32; 32 leaves the colour unchanged)
;        ds = base segment, source palette at (ds+0FC0h):0000h = ds:FC00h
;        es = base segment, destination at (es+0FF0h):0000h = es:FF00h
;             (the address Set_VGA_Palette reads when ds = es)
; Out:   nothing; ds and es are preserved
; Clobbers: ax, si, di, bp
; NOTE(review): 768 bytes written from es:FF00h end 200h bytes past a 64 KB block at
; es:0000h; confirm that the allocation covers the tail.
00000143 06 push es ; of course store segment registers
00000144 1E push ds
00000145 33C0 xor ax,ax ; (junk code)
00000147 8CC0 mov ax,es
00000149 05F00F add ax,0xff0 ; + FF0h, palette 1
0000014C BF0000 mov di,0x0 ; (destination offset = 0000h)
0000014F 8EC0 mov es,ax
00000151 8CD8 mov ax,ds
00000153 05C00F add ax,0xfc0 ; + FC0h, palette 2
00000156 BE0000 mov si,0x0 ; (source offset = 0000h)
00000159 8ED8 mov ds,ax
0000015B 33ED xor bp,bp ; bp will be used as index
Multiply_Palette_Loop:
0000015D 33C0 xor ax,ax
0000015F 3E8A02 mov al,[ds:bp+si] ; get source palette color (ds override: bp defaults to ss)
00000162 F6E3 mul bl ; ax = al * bl
00000164 C1E805 shr ax,0x5 ; / 32
00000167 268803 mov [es:bp+di],al ; store the modified color
0000016A 45 inc bp ; next palette color
0000016B 81FD0003 cmp bp,768 ; already the whole palette?
0000016F 75EC jnz Multiply_Palette_Loop
00000171 1F pop ds ; restore segment registers
00000172 07 pop es
00000173 C3 ret
Wait_For_Vertical_Retrace_Sync:
; waits for the start of the next vertical retrace: first until any retrace in
; progress has ended, then until the retrace bit becomes set again
; Clobbers: al, dx
00000174 BADA03 mov dx,0x3da ; 3DAh Input Status #1 Register
Vertical_Retrace_loop:
00000177 EC in al,dx ; (read it)
00000178 A808 test al,00001000b ; bit 3: Vertical Retrace in progress if set
0000017A 75FB jnz Vertical_Retrace_loop ; still in a retrace: wait until it is over
Vertical_Retrace_loop2:
0000017C EC in al,dx ; second time
0000017D A808 test al,00001000b
0000017F 74FB jz Vertical_Retrace_loop2 ; bit still clear: wait until the next retrace begins
00000181 C3 ret
Get_Font_Pointer:
; Asks the video BIOS for the ROM 8x8 font and returns its address in ds:si.
; Out:   ds:si = font table (the BIOS returns it in es:bp); es and bp are preserved
; Clobbers: ax, bh, ds, si, plus whatever else the BIOS call returns
;           (presumably cx and dl as well - TODO confirm against the BIOS reference)
00000182 06 push es
00000183 55 push bp
00000184 B83011 mov ax,0x1130 ; 11h = Get Font Information
00000187 B703 mov bh,0x3 ; 03h ROM 8x8 double dot font pointer
00000189 CD10 int 0x10 ; get it
0000018B 8BF5 mov si,bp ; ES:BP = specified pointer, keep the offset in si
0000018D 5D pop bp
0000018E 06 push es ; ds:si will point to the font table
0000018F 1F pop ds
00000190 07 pop es
00000191 C3 ret
Display_KryptosLogic_Message:
; Draws one frame of the horizontally scrolling banner text.
; In:    ds:si = 8x8 font table (used by Display_Text_In_Line)
;        FPU_Data_5 = x position for this frame
; Out:   FPU_Data_5 = position for the next frame: 10 less than on entry, or 130h (304)
;        once the text has scrolled out (final cx <= 20h)
;        all 16-bit general registers are preserved (pushaw/popaw)
; Each character is drawn twice: colour FFh at row AFh (175), then colour 70h one row lower.
00000192 60 pushaw
00000193 BFE92D mov di,KryptosLogic_Message ; write out the message
00000196 33ED xor bp,bp ; index
00000198 2E8B0E7F2C mov cx,[cs:FPU_Data_5] ; initial value 304
0000019D 49 dec cx ; -1
0000019E 83E909 sub cx,9 ; -9 (together: 10 pixels further left than the last frame)
000001A1 51 push cx ; store that initial value
Next_Message_Character:
000001A2 83C107 add cx,7 ; advance x by 7 pixels per character
000001A5 81F93001 cmp cx,0x130 ; in the range?
000001A9 7F2B jg End_Text_Message ; past x = 304: the rest is off screen
000001AB 83F900 cmp cx,byte +0x0 ; negative value?
000001AE 7E23 jng Next_Character ; x <= 0: skip this character without drawing it
000001B0 81FDE800 cmp bp,233-1 ; index > strlen(Message)?
000001B4 7F20 jg End_Text_Message ; if yes done!
000001B6 2E8A3B mov bh,[cs:bp+di] ; otherwise get the next character
000001B9 2E890E7F2C mov [cs:FPU_Data_5],cx ; store some run data (overwritten again at End_Text_Message)
000001BE 33C0 xor ax,ax
000001C0 B3FF mov bl,0xff ; colour for the first pass
000001C2 8BD1 mov dx,cx ; dx = x
000001C4 05AF00 add ax,0xaf ; ax = row AFh (175)
000001C7 E80801 call word Display_Text_In_Line
000001CA 40 inc ax ; one row lower for the second pass
000001CB 4A dec dx ; no effect: dx is reloaded two instructions later
000001CC B370 mov bl,0x70 ; colour for the second pass
000001CE 8BD1 mov dx,cx
000001D0 E8FF00 call word Display_Text_In_Line
Next_Character:
000001D3 45 inc bp ; next character (index++)
000001D4 EBCC jmp short Next_Message_Character ; to print out
End_Text_Message:
000001D6 2E8F067F2C pop word [cs:FPU_Data_5] ; store the start position pushed above (entry value - 10)
000001DB 83F920 cmp cx,byte +0x20 ; if cx > 20h
000001DE 7F07 jg End_Text_Message_Done
000001E0 2EC7067F2C3001 mov word [cs:FPU_Data_5],0x130 ; restore original value (restart the scroll at x = 304)
End_Text_Message_Done:
000001E7 61 popaw
000001E8 C3 ret
; offset 1E9h in the module (operand 2DE9h in the code, given the 2C00h load offset)
; The next routine starts at 2D2h, so the message occupies 233 bytes, matching the
; "233-1" index limit in Display_KryptosLogic_Message.
; NOTE(review): the two strings as rendered here total 210 characters; runs of spaces
; were probably collapsed by the paste - confirm against the raw bytes.
; The banner is stored as plain ASCII, so it can serve as a static string for
; recognising this module in a disk image.
KryptosLogic_Message:
db "KryptosLogic.com proudly presents, a Piotr Bania project: -> KON-BOOT <- a Windows and Linux password hacking utility"
db " *** stay tuned for new releases!!! *** >>> www.kryptoslogic.com ..... www.piotrbania.com <<<"
Display_Text_In_Line: ; or something
; Draws one 8x8 character into the mode 13h frame buffer (320 bytes per row).
; In:    ax = pixel row (y), dx = pixel column (x)
;        bh = character code, bl = colour byte
;        ds:si = base of an 8-bytes-per-glyph font table
; Out:   nothing; es and all 16-bit general registers are preserved
; Only set bits are plotted, so the background is left untouched. No clipping is done:
; the caller must keep x + 7 and y + 7 inside the 320x200 frame.
; store register contents
000002D2 06 push es
000002D3 60 pushaw
000002D4 6800A0 push word 0xA000 ; = VGA buffer
000002D7 07 pop es ; es will point to it
000002D8 52 push dx ; (not needed: the three-operand imul does not touch dx)
000002D9 69C04001 imul ax,ax,word 0x140 ; pixel position * width (320)
000002DD 5A pop dx
000002DE 8BF8 mov di,ax ; destination
000002E0 03FA add di,dx ; + line offset
000002E2 0FB6C7 movzx ax,bh ; ax = character code
000002E5 C1E003 shl ax,0x3 ; * 8 bytes per glyph
000002E8 03F0 add si,ax ; si = first row of this glyph
000002EA 8AC3 mov al,bl ; al = colour to plot
000002EC B90800 mov cx,8 ; 8 lines
Next_Line:
000002EF 8A1C mov bl,[si] ; bl = bit pattern of this glyph row
000002F1 B401 mov ah,0x1 ; mask, starting at bit 0
000002F3 BD0700 mov bp,0x7 ; bit 0 is the rightmost pixel (column 7)
; 02F6h: per-pixel loop
000002F6 84DC test ah,bl ; pixel set in the glyph?
000002F8 7403 jz 0x2fd ; no: skip the store
000002FA 268803 mov [es:bp+di],al ; plot the pixel
; 02FDh: next bit
000002FD D0E4 shl ah,1 ; next mask bit; CF is set once the mask has been shifted out
000002FF 4D dec bp ; one column to the left (dec leaves CF untouched)
00000300 73F4 jnc 0x2f6 ; repeat for all 8 bits
00000302 46 inc si ; next glyph row
00000303 81C74001 add di,320 ; next line, +320 pixels
00000307 E2E6 loop Next_Line
; restore register contents and exit
00000309 61 popaw
0000030A 07 pop es
0000030B C3 ret
; fill with nops: pad the module to 1024 bytes (two 512-byte sectors)
times 1024-($-$$) db 90h