decode MBR from hex to extract partitions

(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

Hello!
I am new to this. I have a disk image which is 250MB (NTFS). I have a corrupt partition table. So I have used sigfind to grab the MBR which will be 512 bytes of course. I have got the hex representation of the MBR. But I am having trouble in decoding. Here's what I got for Partition#1

2063 6f6d 7072 6573 7365 6400 0d0a 5072 compressed…Pr

so since it is little endian

Starting LBA Address = 0x72500a0d
Size in Sectors = 0x00646573

ISSUE-
I think I am decoding the hex wrong, because the values I am getting for starting LBA and size in sectors are bigger than the actual disk size.

Can someone please help me with creating a 'DD' expression to get the first partition based on the above hex?

Thank you)


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Your hex conversion is correct, but you are NOT looking at a partition table.

Look at a disk, and sector 0. This is very likely to have a partition table at offset 0x1be.

The sector you are looking at is probably sector 0x3f or 0x800, the start of the NTFS partition, and not the pointer to it.


   
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

Thank you for your response, here is the hex for the entire MBR. Can you please help me get the start (LBA) and total size in sectors for first partition. Thanks)

0000000 eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS …..
0000010 0000 0000 00f8 0000 3800 0900 00a8 0000 ……..8…….
0000020 0000 0000 8000 8000 ffef 0000 0000 0000 …………….
0000030 0400 0000 0000 0000 ff0e 0000 0000 0000 …………….
0000040 f600 0000 0100 0000 1970 e865 ff66 0535 ………p.e.f.5
0000050 0000 0000 fa33 c08e d0bc 007c fb68 c007 …..3…..|.h..
0000060 1f1e 6866 00cb 8816 0e00 6681 3e03 004e ..hf……f.>..N
0000070 5446 5375 15b4 41bb aa55 cd13 720c 81fb TFSu..A..U..r…
0000080 55aa 7506 f7c1 0100 7503 e9d2 001e 83ec U.u…..u…….
0000090 1868 1a00 b448 8a16 0e00 8bf4 161f cd13 .h…H……….
00000a0 9f83 c418 9e58 1f72 e13b 060b 0075 dba3 …..X.r.;…u..
00000b0 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8 ……..Z3… +.
00000c0 66ff 0611 0003 160f 008e c2ff 0616 00e8 f……………
00000d0 4000 2bc8 77ef b800 bbcd 1a66 23c0 752d @.+.w……f#.u-
00000e0 6681 fb54 4350 4175 2481 f902 0172 1e16 f..TCPAu$….r..
00000f0 6807 bb16 6870 0e16 6809 0066 5366 5366 h…hp..h..fSfSf
0000100 5516 1616 68b8 0166 610e 07cd 1ae9 6a01 U…h..fa…..j.
0000110 9090 6660 1e06 66a1 1100 6603 061c 001e ..f`..f…f…..
0000120 6668 0000 0000 6650 0653 6801 0068 1000 fh….fP.Sh..h..
0000130 b442 8a16 0e00 161f 8bf4 cd13 6659 5b5a .B……….fY[Z
0000140 6659 6659 1f0f 8216 0066 ff06 1100 0316 fYfY…..f……
0000150 0f00 8ec2 ff0e 1600 75bc 071f 6661 c3a0 ……..u…fa..
0000160 f801 e808 00a0 fb01 e802 00eb feb4 018b …………….
0000170 f0ac 3c00 7409 b40e bb07 00cd 10eb f2c3 ..<.t………..
0000180 0d0a 4120 6469 736b 2072 6561 6420 6572 ..A disk read er
0000190 726f 7220 6f63 6375 7272 6564 000d 0a42 ror occurred…B
00001a0 4f4f 544d 4752 2069 7320 6d69 7373 696e OOTMGR is missin
00001b0 6700 0d0a 424f 4f54 4d47 5220 6973 2063 g…BOOTMGR is c
00001c0 6f6d 7072 6573 7365 6400 0d0a 5072 6573 ompressed…Pres
00001d0 7320 4374 726c 2b41 6c74 2b44 656c 2074 s Ctrl+Alt+Del t
00001e0 6f20 7265 7374 6172 740d 0a00 0000 0000 o restart…….
00001f0 0000 0000 0000 0000 809d b2ca 0000 55aa …………..U.


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

> Hello!
> I am new to this. I have a disk image which is 250MB (NTFS). I have a corrupt partition table. So I have used sigfind to grab the MBR which will be 512 bytes of course. I have got the hex representation of the MBR. But I am having trouble in decoding. Here's what I got for Partition#1
>
> 2063 6f6d 7072 6573 7365 6400 0d0a 5072 compressed…Pr
>
> so since it is little endian
>
> Starting LBA Address = 0x72500a0d
> Size in Sectors = 0x00646573
>
> ISSUE-
> I think I am decoding the hex wrong, because the values I am getting for starting LBA and size in sectors are bigger than the actual disk size.
>
> Can someone please help me with creating a 'DD' expression to get the first partition based on the above hex?
>
> Thank you)

Why post a second thread on this?


   
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

I stopped receiving responses on the first and it went to the second page. I am new to this forum, so I am not sure how this works. Also I thought you left the question, until I got the response from you today. I think it is due to the time difference)


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

> I stopped receiving responses on the first and it went to the second page. I am new to this forum, so I am not sure how this works. Also I thought you left the question, until I got the response from you today. I think it is due to the time difference)

Apologies I popped out last night to pick up a new television.


   
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

no issues) I hope you got something good. Thank you for responding to my questions, I know I am not giving much to begin with(


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I think that the issue is that you're not looking at the MBR…you're looking at the first 512 bytes of the partition itself, rather than a section of the disk that includes the partition table.


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

> no issues) I hope you got something good. Thank you for responding to my questions, I know I am not giving much to begin with(

Didn't get any cables with it.


   
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

The other entries that I got from sigfind, have boot code 0'd out. I found only 2 entries that have hex values in boot code.
How do I know which entry is correct (I used sigfind to look for boot signature on the disk)
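
Added example, not part of the original thread: a Python sketch of the check the replies describe, telling an NTFS boot sector apart from an MBR before trusting the 16 bytes at 0x1BE, which also helps when sorting through several sigfind hits. It goes a step beyond the thread by reading the hidden-sector and total-sector fields of the NTFS boot sector; the function names, the zero filler, `SAMPLE_MBR` and reading "250MB" as 250 MiB are assumptions.

```python
import struct
SECTOR = 512

def classify(sec: bytes) -> str:
    """An MBR and an NTFS boot sector both end in 55 AA; the OEM ID separates them."""
    if len(sec) != SECTOR or sec[510:] != b"\x55\xaa":
        return "no boot signature"
    return "ntfs-vbr" if sec[3:11] == b"NTFS    " else "mbr-candidate"

def mbr_entries(sec: bytes, disk_sectors: int) -> list:
    """Decode the four 16-byte entries at 0x1BE (start LBA and count are little endian)."""
    found = []
    for i in range(4):
        raw = sec[0x1BE + 16 * i : 0x1CE + 16 * i]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 and count == 0:
            continue  # unused slot
        plausible = status in (0x00, 0x80) and 0 < lba and lba + count <= disk_sectors
        found.append({"slot": i + 1, "type": ptype, "lba": lba,
                      "count": count, "plausible": plausible})
    return found

def ntfs_geometry(sec: bytes) -> tuple:
    """NTFS boot sector fields: (hidden sectors at 0x1C, total sectors at 0x28)."""
    return struct.unpack_from("<I", sec, 0x1C)[0], struct.unpack_from("<Q", sec, 0x28)[0]

def dd_command(image: str, out: str, lba: int, count: int) -> str:
    return f"dd if={image} of={out} bs={SECTOR} skip={lba} count={count}"

def build_sector(parts: dict) -> bytes:
    """Constructed input: a zero-filled sector with the given hex placed at offsets."""
    sec = bytearray(SECTOR)
    for off, hexstr in parts.items():
        data = bytes.fromhex(hexstr)
        sec[off:off + len(data)] = data
    return bytes(sec)

DISK_SECTORS = 250 * 1024 * 1024 // SECTOR  # assumption: "250MB" means 250 MiB
# Rows 0x00-0x2f and the 16 bytes at 0x1BE copied from the posted dump; rest is filler.
POSTED = build_sector({
    0x00: "eb52 904e 5446 5320 2020 2000 0208 0000",
    0x10: "0000 0000 00f8 0000 3800 0900 00a8 0000",
    0x20: "0000 0000 8000 8000 ffef 0000 0000 0000",
    0x1BE: "2063 6f6d 7072 6573 7365 6400 0d0a 5072", 0x1FE: "55aa"})
# Constructed MBR, boot code zeroed: one active type-0x07 entry starting at LBA 63.
SAMPLE_MBR = build_sector({0x1BE: "80 010100 07 000000 3f000000 c1cf0700", 0x1FE: "55aa"})

if __name__ == "__main__":
    print(classify(POSTED), mbr_entries(POSTED, DISK_SECTORS), ntfs_geometry(POSTED))
```

For the posted sector the entry at 0x1BE decodes to a start and size far beyond the image, while the NTFS fields give 43008 hidden sectors and 61439 total sectors. NTFS normally keeps a backup boot sector in the sector just past that total, so a carve would use `count=61440`, and the hidden-sector value should be checked against the offset where sigfind reported the hit.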


   