Inside BIOS

To modify BIOS, it is necessary to know its structure. True hackers modify the machine code directly, adding all required components by hand. In the ancient AT computers, the entire BIOS fit within the last segment of the address space, F000:0000 to F000:FFFF. Contemporary firmware takes from 256 to 512 KB, which no longer fits in that single 64-KB segment, so to preserve backward compatibility developers had to divide BIOS into several blocks. As a result, the BIOS structure became modular. Understanding this structure in detail is not a trivial task.

For definiteness, consider the 06/19/2003-i845PE-W83627-9A69VPA1C-00 firmware, stored in the 4pe83619.bin file. How are you going to disassemble it? IDA gets confused and produces nothing useful. To begin with, assume that the last byte of the firmware is located at address F000h:FFFFh and that the BIOS entry point (the address at which the processor starts executing after reset) is located at F000h:FFF0h.

Load the file into HIEW or IDA, count 10h bytes back from its end, and disassemble the code at that position. With a probability close to one, you will find an intersegment (far) jump there (see Listings 32.1 and 32.2; the machine command located at the entry point begins at file offset 0007FFF0h).

Listing 32.1: Hex dump of the last 30h bytes of the firmware
0007FFD0:  00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0007FFE0:  00 00 00 00-00 00 00 00-39 41 36 39-56 50 41 31          9A69VPA1
0007FFF0:  EA 5B E0 00-F0 2A 4D 52-42 2A 02 00-00 00 60 FF  e[a ?*MRB*
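The procedure described above, carried out in code, as an added example that is not part of the book: it locates file offset (size - 10h), which under the chapter's assumption maps to F000:FFF0, decodes the jump found there, and converts the target segment:offset back into a file offset. The sample input is a 512-KB image whose last 30h bytes are taken from Listing 32.1 (the rest is zero-filled, which is my construction); the function and type names are mine. Beyond the far jump the book shows, the decoder also recognizes short and near jumps, since some firmware uses those at the reset vector instead.

```c
/*
 * Added example, not from the book: find the BIOS entry point in a flat
 * ROM dump and decode the jump that sits there. It assumes, as the chapter
 * does, that the last byte of the image maps to F000:FFFF (physical FFFFFh)
 * and therefore that file offset (size - 10h) is F000:FFF0. The decoder
 * handles the three jump encodings a reset vector can hold; anything else
 * is reported as "not a jump" so that you look at the raw bytes instead.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t  opcode;    /* first byte at F000:FFF0 */
    uint16_t seg, off;  /* jump target as segment:offset */
    long     file_off;  /* target as an offset into the image, -1 if outside it */
} entry_t;

#define TOP_OF_MEMORY 0x100000UL  /* F000:FFFF + 1, the address just past the image */

/* Decode the instruction at image[size - 0x10]. Returns 0 on success,
 * -1 if the image size is unusable, -2 if the entry point is not a jump. */
int decode_entry(const uint8_t *image, size_t size, entry_t *e)
{
    if (size < 0x10 || size > TOP_OF_MEMORY) return -1;
    const uint8_t *p = image + size - 0x10;
    memset(e, 0, sizeof *e);
    e->opcode = p[0];
    switch (p[0]) {
    case 0xEA: /* JMP FAR ptr16:16 -- EA off_lo off_hi seg_lo seg_hi */
        e->off = (uint16_t)(p[1] | (p[2] << 8));
        e->seg = (uint16_t)(p[3] | (p[4] << 8));
        break;
    case 0xEB: /* JMP SHORT rel8, relative to the next instruction (FFF2h) */
        e->seg = 0xF000;
        e->off = (uint16_t)(0xFFF2 + (int8_t)p[1]);
        break;
    case 0xE9: /* JMP NEAR rel16, relative to the next instruction (FFF3h) */
        e->seg = 0xF000;
        e->off = (uint16_t)(0xFFF3 + (int16_t)(p[1] | (p[2] << 8)));
        break;
    default:
        return -2;
    }
    /* The image occupies the top `size` bytes below TOP_OF_MEMORY, so a
     * target's file offset is its distance from the end of memory. */
    uint32_t phys = (uint32_t)e->seg * 16u + e->off;
    e->file_off = (phys >= TOP_OF_MEMORY - size && phys < TOP_OF_MEMORY)
                  ? (long)(size - (TOP_OF_MEMORY - phys)) : -1;
    return 0;
}

/* Sample input (constructed): a 512-KB image whose last 30h bytes are the
 * ones shown in Listing 32.1; everything before them is zero-filled. */
#define SAMPLE_SIZE 0x80000UL
static const uint8_t listing_tail[0x30] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x39,0x41,0x36,0x39, 0x56,0x50,0x41,0x31,
    0xEA,0x5B,0xE0,0x00, 0xF0,0x2A,0x4D,0x52, 0x42,0x2A,0x02,0x00, 0x00,0x00,0x60,0xFF,
};

const uint8_t *sample_image(void)
{
    static uint8_t image[SAMPLE_SIZE];
    memcpy(image + SAMPLE_SIZE - sizeof listing_tail, listing_tail, sizeof listing_tail);
    return image;
}

int main(int argc, char **argv)
{
    const uint8_t *image = sample_image();
    size_t size = SAMPLE_SIZE;
    uint8_t *buf = NULL;
    if (argc > 1) {                      /* decode a real dump, e.g. 4pe83619.bin */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END);
        long n = ftell(f);
        rewind(f);
        buf = n > 0 ? malloc((size_t)n) : NULL;
        if (!buf || fread(buf, 1, (size_t)n, f) != (size_t)n) { perror("read"); return 1; }
        fclose(f);
        image = buf;
        size = (size_t)n;
    }
    entry_t e;
    int rc = decode_entry(image, size, &e);
    if (rc == 0)
        printf("F000:FFF0  %02X -> %04X:%04X  (file offset %lXh)\n",
               e.opcode, e.seg, e.off, e.file_off);
    else
        printf("entry point is not a jump (rc=%d, first byte %02X)\n",
               rc, image[size - 0x10]);
    free(buf);
    return rc == 0 ? 0 : 1;
}
```

Run without arguments, the program decodes the Listing 32.1 bytes EA 5B E0 00 F0 as JMP FAR F000:E05B and reports file offset 7E05Bh, which is where the disassembly of the real 512-KB image would continue; pass the firmware file as the first argument to decode an actual dump. The mapping from segment:offset to file offset is what makes the far jump followable at all, because IDA, fed a raw binary, does not know where in the address space the file sits.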


Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164
