好多资料在分析分区第一个扇区的数据时,是从头也就是第一个字节开始的。
假设c盘起始是从扇区0,1,1开始,那么从第一个字节开始依次是
"jmp 指令" 占用3 BYTES 一般是EB XX XX
"制造厂商的标识" 占用8 BYTES 如MSWIN4.1
接着就是bpb结构
我上面贴的是MSDN 中的,你可以搜索FAT32就会查到了
其中
A_BF_BPB_RootDirStrtClus
The cluster number of the first cluster in the FAT32 drive's root directory.
就是FAT32根目录的起始簇的低字
A_BF_BPB_RootDirStrtClusHi
The high word of the FAT32 starting cluster number.
是高字
下面是win2k的引导扇区的0x0c扇区中遍历根目录中的文件项以搜寻ntldr文件的部分代码, 你可仔细看看sub_0_80DE子程序:
; ---------------------------------------------------------------------
; loc_0_8000: compute the first data sector of the FAT32 volume and
; validate the root-directory start cluster taken from the BPB.
; Disassembly listing (IDA/MASM operand order: op dst, src).
; Assumes bp addresses the start of the boot sector image, so that
; [bp+NN] reads the BPB field at offset NN -- TODO confirm against the
; code that precedes this excerpt.
; Out:  [bp-4]   = first data sector, relative to the physical disk
;       [bp-0Ch] = 0FFFFFFFFh
;       eax      = root directory start cluster, 2 <= eax < 0FFFFFF8h
; Error exit: loc_0_7CD6 (not part of this excerpt).
; ---------------------------------------------------------------------
loc_0_8000: ; CODE XREF: seg000:7CB5^j
movzx eax, byte ptr [bp+10h] ; number of FATs
mov ecx, [bp+24h] ; sectors per FAT
mul ecx ; edx:eax = FATs * sectors per FAT; edx is overwritten two lines down, so the high half is never examined
add eax, [bp+1Ch] ; hidden sectors
movzx edx, word ptr [bp+0Eh] ; reserved sectors
add eax, edx ; neither add checks the carry: the sum is taken modulo 2^32
mov [bp-4], eax ; the 1st data sector rel. to the disk physically
; NOTE(review): the readers of [bp-0Ch] are outside this excerpt; it
; looks like a "nothing loaded yet" marker, presumably for the FAT
; sector handled by sub_0_80F6 -- confirm.
mov dword ptr [bp-0Ch], 0FFFFFFFFh
mov eax, [bp+2Ch] ; Root dir 1st cluster
cmp eax, 2 ; the data area starts at cluster 2 (see "sub eax, 2" at loc_0_803A)
jb loc_0_7CD6 ; less than 2? It's error! go away
cmp eax, 0FFFFFF8h ; same end-of-chain threshold that sub_0_80DE tests
jnb loc_0_7CD6 ; 0FFFFFF8h or above (unsigned)? unreasonable, go away
; ---------------------------------------------------------------------
; loc_0_803A: convert the cluster number in eax to the sector where
; that cluster starts.
; In:   eax    = cluster number to scan
;       [bp-4] = first data sector (stored at loc_0_8000)
; Out:  eax    = first sector of the cluster, relative to the disk
;       si     = sectors per cluster (counted down with "dec si" later)
;       stack  = the cluster number, popped before the call to sub_0_80DE
; NOTE(review): only the root cluster gets the ">= 2" check (at
; loc_0_8000). A next-cluster value of 0 or 1 returned by sub_0_80DE
; re-enters here and "sub eax, 2" wraps around; no check for a zero
; sectors-per-cluster byte is visible in this excerpt either. Worth
; keeping in mind when examining a corrupted or modified volume.
; The code between this block and loc_0_8059 (loc_0_804E and the
; sector read) is not part of this listing.
; ---------------------------------------------------------------------
loc_0_803A: ; CODE XREF: seg000:8079^j
push eax ; keep the cluster number for the FAT lookup
sub eax, 2 ; data section starting with the cluster of 2
movzx ebx, byte ptr [bp+0Dh] ; sectors per cluster
mov si, bx ; si = number of sectors still to scan in this cluster
mul ebx ; eax = (cluster - 2) * sectors per cluster; the high half in edx is not checked here
add eax, [bp-4] ; now, eax points to the sector of the cluster rel. to the phy. disk
; ---------------------------------------------------------------------
; loc_0_8059: walk the 32-byte directory entries of the current sector
; buffer looking for the 11-byte name stored at 7D70h, then move on to
; the next sector of the cluster and finally to the next cluster in the
; FAT chain.
; In:   es:di = current directory entry (rep cmpsb compares ds:si with es:di)
;       bx    = end of the sector buffer (per the original comment,
;               as returned by sub_7ce0, which is not shown)
;       si    = sectors left in the current cluster
;       ch    = presumably 0, set outside this excerpt: it is used both
;               as the 00 terminator and as the high byte of the count
;               in cx -- TODO confirm
; Exits: loc_0_8083 = name matched; loc_0_807B = 00 entry reached;
;        fall-through after the final jb = chain ended without a match.
; loc_0_804E, the target of the jnz below, is not part of this listing.
; ---------------------------------------------------------------------
loc_0_8059: ; CODE XREF: seg000:806F^j
cmp [di], ch ; byte 00 of the dir. sector means ending of the dir. items
jz loc_0_807B
mov cl, 0Bh ; compare 11 bytes (8.3 name without the dot)
push si ; si is the sector countdown; rep cmpsb needs it as source pointer
mov si, 7D70h ; db 'NTLDR ' (space-padded to the 11 bytes compared)
rep cmpsb ; Is it the file of "NTLDR" ? Stops at the first mismatch; ZF=1 only if all bytes matched
pop si ; pop leaves the flags from cmpsb intact
jz loc_0_8083 ; yes, found it, go ...
add di, cx ; skip the bytes the compare did not consume: di = entry + 0Bh
add di, 15h ; points to the next dir. item (0Bh + 15h = 20h bytes per entry)
cmp di, bx ; bx points to the next sector buffer while returning from sub_7ce0
jb loc_0_8059 ; there are more dir. items, goto check the next dir. item
dec si ; the next sector of the cluster
jnz loc_0_804E ; there are more sector in the cluster, go to check the next sector
pop eax ; cluster number pushed at loc_0_803A
call sub_0_80DE ; get the next cluster number from FAT
; NOTE(review): the loop ends only on a match, a 00 entry, or an
; end-of-chain value; no guard against a cyclic FAT chain is visible
; in this excerpt.
jb loc_0_803A ; CF=1 from the cmp in sub_0_80DE: there is the next cluster, go to check it
; ---------------------------------------------------------------------
; sub_0_80DE: look up the FAT32 entry of a cluster and report whether
; the chain continues.
; In:   eax = current cluster number
; Out:  eax = next cluster number, low 28 bits only
;       CF  = 1 if eax < 0FFFFFF8h (another cluster follows),
;             0 if eax >= 0FFFFFF8h (end of chain)
; Calls sub_0_80F6 (not shown); presumably it makes the FAT sector
; holding the entry available and leaves es:[bx+di] addressing it --
; TODO confirm, together with the registers it changes.
; The returned value is not checked against a lower bound of 2 here.
; ---------------------------------------------------------------------
sub_0_80DE proc near ; CODE XREF: seg000:8076^p seg000:80CD^p
shl eax, 2 ; cluster*4=position in FAT
call sub_0_80F6
mov eax, es:[bx+di] ; get the next cluster number
and eax, 0FFFFFFFh ; keep the 28-bit cluster number, drop the top 4 bits
cmp eax, 0FFFFFF8h ; Is the current the last one ? The caller branches on CF with jb
retn
sub_0_80DE endp