{
	"id": "2cd03838-03ed-4e64-a9b7-5de671a19caf",
	"created_at": "2026-04-06T00:11:04.763206Z",
	"updated_at": "2026-04-10T13:12:42.350345Z",
	"deleted_at": null,
	"sha1_hash": "450ab827d177066d5b52bc95bc21100deeff024c",
	"title": "Malware-analysis-and-Reverse-engineering/Debugging MBR - IDA + Bochs Emulator/Debugging MBR - IDA + Bochs Emulator.md at main · Dump-GUY/Malware-analysis-and-Reverse-engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2341783,
	"plain_text": "Malware-analysis-and-Reverse-engineering/Debugging MBR - IDA + Bochs Emulator/Debugging MBR - IDA + Bochs Emulator.md at main · Dump-GUY/Malware-analysis-and-Reverse-engineering\r\nBy Dump-GUY\r\nArchived: 2026-04-05 18:14:48 UTC\r\nDebugging MBR - IDA + Bochs Emulator (CTF example)\r\nThis post explains how to set up the Bochs emulator to debug an MBR inside IDA on Windows. It is useful when we are struggling with an MBR locker, wiper or any other MBR modifier whose bootstrap code we have to reverse engineer.\r\nA master boot record (MBR) is a special type of boot sector at the very beginning of a partitioned mass storage device such as a fixed disk or a removable drive. The MBR is the 512 bytes of the first sector of the drive: the bootstrap code area starts at file offset 0x0000, the four 16-byte partition table entries follow at offset 0x1BE, and the two-byte boot signature 0x55 0xAA closes the sector at offset 0x1FE. We are especially interested in analyzing the bootstrap code area.\r\nhttps://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md\r\nPage 1 of 15\n\nFirst of all, we may be in one of two situations: we have the infected drive, or we already have a carved-out MBR \"bin file\". If we have the infected drive, we can carve out its first 512 bytes with a hex editor, the Unix \"dd\" command-line utility, etc.\r\nAs an example in this post, we will use the MBR from one of the challenges of the CrowdStrike Intelligence Adversary Quest CTF.\r\n[CrowdStrike Intelligence Adversary Quest]\r\nThis challenge was called “The Proclamation”. 
We simply get an MBR bin file and have to obtain the right flag.\r\nThe MBR from this challenge is available for download here [MBR sample].\r\nAnother real-world MBR wiper sample, \"WhisperGate\", is available here [Download Here].\r\nInstalling Bochs Emulator\r\nDownload and install the Bochs x86 PC emulator, available here [Bochs x86 PC emulator]. IDA recommends version 2.6.x. The latest version at the time of writing (30. 1. 2021) is 2.6.11, so this should be fine.\r\nCreating a Bochs Disk Image\r\nNow we have to create the Bochs disk image into which we will inject our MBR sample. Open a new Administrator Command Prompt window, navigate to the Bochs install directory and run these commands to create the disk image:\r\ncd C:\\Program Files\\Bochs-2.6.11\r\nbximage.exe\r\nThe \"bximage\" tool launches, as shown below.\r\nEnter these items:\r\n1 to create a new image\r\nEnter for \"hd\"\r\nEnter for \"flat\"\r\nEnter for 512 byte hard disk sectors\r\nEnter for size \"10\" (megabytes)\r\nEnter to accept the default name, or rename it to \"my_new_image_.img\"\r\nEnter to continue and exit bximage\r\nCreating the Configuration File\r\nIn the Administrator Command Prompt window, execute this command:\r\nnotepad bochsrc.bxrc\r\nA Notepad dialog pops up asking if we want to create a new file. Click Yes.\r\nEnter this text into Notepad, as shown below.\r\nmegs: 512\r\nromimage: file=\"BIOS-bochs-latest\"\r\nvgaromimage: file=\"VGABIOS-lgpl-latest\"\r\nboot: cdrom, disk\r\nata0-master: type=disk, path=\"my_new_image_.img\", 
mode=flat\r\nmouse: enabled=0\r\ncpu: ips=90000000\r\nIf this config is too slow, try changing it to:\r\nboot: disk\r\ncpu: ips=3000000\r\nSometimes less is better. Be careful with the \"path\" parameter: it must match the name we chose during image creation.\r\nIn Notepad, click File, Save. Close Notepad.\r\nInjecting MBR in newly created Bochs Disk Image\r\nInjecting our MBR bin file simply means replacing the first 512 bytes of the created Bochs image \"my_new_image_.img\" with the 512 bytes of our MBR. We can do this in any hex editor or with a few lines of Python, as in the picture below. Overwrite the sector in place rather than writing a new file, so the image keeps its full size and the partition table and boot signature of the sample land at the offsets the BIOS expects.\r\nWe can check in a hex editor that the 512 bytes of the MBR were really injected into the Bochs disk image:\r\nOpening the previously created configuration file \"bochsrc.bxrc\" in IDA.\r\nIf IDA has a problem locating the Bochs debugger \"bochsdbg.exe\", check dbg_bochs.cfg in \"IDA install directory\\\\cfg\\\\dbg_bochs.cfg\" and modify the line (BOCHSDBG = \"C:\\\\Program Files\\\\Bochs-2.6.11\\\\bochsdbg.exe\";) to point to the location where we installed the Bochs emulator.\r\nWe do not have to bother with the line “//BOCHSRC = \"c:\\\\program files\\\\IDA Pro 
7.5\\\\cfg\\\\bochsrc.cfg\";” because we already gave IDA the Bochs configuration file as \"bochsrc.bxrc\".\r\nLet's start debugging\r\nPut a breakpoint on the start address BOOT_SECTOR:7C00. Don't be surprised by the 0x7C00 address; a short explanation:\r\nA bootloader runs under certain conditions. The following applies to bootloaders started by the PC BIOS:\r\nThe first sector of a drive contains its boot loader.\r\nOne sector is usually 512 bytes. Its last two bytes must be the little-endian word 0xAA55 (i.e. 0x55 followed by 0xAA), or else the BIOS treats the drive as unbootable.\r\nIf everything is in order, that first sector is copied to RAM at 0000:7C00 and the BIOS's role is over: it transfers control to 0000:7C00 (i.e. it jumps to that address). This is why every address in the rest of this post is 0x7Cxx or 0x7Dxx: file offset N of the MBR is at VA 0x7C00 + N.\r\nIDA sets almost everything up for us automatically after opening the \"bochsrc.bxrc\" file. If we do not want to use the Bochs configuration file and want to analyze the bootstrap code of the MBR on its own, just remember to load it as 16-bit little-endian x86 code, and rebase it to 0x7C00 so the addresses match those seen under the debugger.\r\nStart debugging:\r\nNow we are debugging the bootstrap code of the MBR, so the next section focuses on solving the challenge “The Proclamation” of the CrowdStrike Intelligence Adversary Quest CTF [CrowdStrike Intelligence Adversary Quest].\r\nThe MBR from this challenge is available for download here [MBR sample].\r\nAnalyzing and solving challenge “The Proclamation”\r\nFirst, when we reach the breakpoint on the start address 0x7C00, we see two interrupts and a call to function sub_7C1B.\r\nThese two interrupts only set the cursor position and the background and foreground colour of the text that will be printed, as described in the picture 
below.\r\nIDA already helped us a lot with the argument descriptions. For reference, the colour-setting call is INT 10h / AH = 07h (scroll window down), whose BH register holds the attribute written to the blanked area. The attribute byte works like any text-mode attribute: the low nibble is the foreground colour and the high nibble the background colour (bit 7 is blink, or a bright background when blinking is disabled).\r\nSo the background colour is set to dark grey and the foreground colour to light green; the cursor is placed in the upper left corner.\r\nLet's move on to analyzing function sub_7C1B.\r\nIn sub_7C1B we immediately see an XOR routine.\r\nThis function reads byte after byte from some offset and decrypts each one via XOR. If the decrypted byte is 00, the XOR routine ends and the function returns. If the decrypted byte is 0A, another two interrupts occur; together they act as a newline: one reads the current cursor position and the other sets the cursor to the start of the next line. If the decrypted byte is neither 00 nor 0A, another interrupt occurs, int 10h, ah = 0E, which prints the character on the screen (this interrupt is described below). The whole routine, annotated:\r\nDescription of “int 10h, ah = 0E” (teletype output: AL holds the character to print):\r\nWe can clearly see that the first byte to be decrypted is at address 0x7C78, and its value is 2E:\r\nLet's put a breakpoint on the jump target taken when the decrypted byte is 00 (loc_7C5F). 
After we continue debugging, we see the decrypted text printed on the screen.\r\nBut as we can see, the flag is missing. Note the SI value, 0x7DCA, which points to the next byte that would have been decrypted if the 00 byte had not terminated the loop.\r\nThe main point is that there is more data to decrypt after the 00 byte that ends our decryption function. Restart debugging and put a conditional breakpoint on address 0x7C44 (condition SI==0x7DCA), where the conditional jump is taken if the decrypted byte is 00.\r\nSetting the conditional breakpoint on address 0x7C44 for SI == 0x7DCA:\r\nContinue debugging. We reach our conditional breakpoint, and in the picture below we can clearly see that there is more data that could be decrypted (check the VA 0x7DCA).\r\nTo continue the decryption routine, we simply set ZF = 0 so that the jump to the end of the function is not taken. 
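The two byte-level steps of this write-up, the MBR injection into the Bochs image and the decrypt-and-print loop of sub_7C1B, modelled in plain Python as an added example (this is not code from the original post or its author). The XOR key, the plaintexts, the empty partition table and the 10 MB image are constructed for the demo; the challenge's real key and ciphertext are not given in the post. skip_nuls=1 plays the role of clearing ZF once at 0x7C44 so the loop runs on past the first 00 terminator.

```python
# Added example, not from the original post. Models:
#   1. inject_mbr()      - overwrite only the first 512 bytes of a flat disk image
#                          with a carved MBR, after checking the 0x55 0xAA signature
#   2. xor_print_loop()  - the loop of sub_7C1B: XOR each byte, stop on 0x00,
#                          newline on 0x0A, teletype-print anything else.
#                          skip_nuls=1 is the analyst forcing ZF=0 at the jz once.
# KEY, BANNER, HIDDEN and the image size are constructed assumptions.

MBR_SIZE = 512
SIG_OFFSET = 0x1FE      # 0x55 0xAA lives in the last two bytes of the sector
PT_OFFSET = 0x1BE       # four 16-byte partition entries
LOAD_BASE = 0x7C00      # where the BIOS places the boot sector
DATA_OFFSET = 0x78      # first ciphertext byte, file offset 0x78 = VA 0x7C78 in the CTF

def check_mbr(mbr: bytes) -> dict:
    '''Return the layout of a 512-byte MBR, or raise if it is malformed.'''
    if len(mbr) != MBR_SIZE:
        raise ValueError(f'MBR must be {MBR_SIZE} bytes, got {len(mbr)}')
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != bytes([0x55, 0xAA]):
        raise ValueError('missing 0x55AA boot signature; the BIOS would not boot this')
    return {
        'bootstrap': mbr[:PT_OFFSET],       # file offset 0x0000 .. 0x1BD
        'partitions': [mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)] for i in range(4)],
        'signature': mbr[SIG_OFFSET:],
    }

def inject_mbr(image: bytearray, mbr: bytes) -> bytearray:
    '''Replace the first sector of a flat disk image in place; the rest is untouched.'''
    check_mbr(mbr)
    if len(image) < MBR_SIZE:
        raise ValueError('disk image is smaller than one sector')
    image[:MBR_SIZE] = mbr
    return image

def xor_print_loop(sector: bytes, start_va: int, key: int, skip_nuls: int = 0) -> tuple:
    '''Emulate sub_7C1B over a boot sector loaded at LOAD_BASE.
    Returns (printed_text, si_at_exit); si is the VA of the next unread byte,
    which is exactly the register value the post inspects (0x7DCA in the CTF).'''
    out = []
    si = start_va
    while si < LOAD_BASE + len(sector):   # bound added so the demo cannot run off the sector
        plain = sector[si - LOAD_BASE] ^ key
        si += 1
        if plain == 0x00:
            if skip_nuls == 0:
                break                     # jz loc_7C5F: routine ends here
            skip_nuls -= 1                # ZF cleared by hand: fall through and keep going
            continue
        if plain == 0x0A:
            out.append(chr(10))           # read-cursor / set-cursor pair: next line
        else:
            out.append(chr(plain))        # int 10h, ah = 0Eh: teletype output of AL
    return ''.join(out), si

# ---- constructed demo data (assumptions, not the challenge's) ---------------
KEY = 0x5A
BANNER = 'The Proclamation' + chr(10) + 'Order of the bootloader'
HIDDEN = 'CS{example_flag_not_the_real_one}'

def build_demo_mbr() -> bytes:
    '''Zeroed bootstrap stub + [banner][00][hidden][00] ciphertext at 0x78 + signature.'''
    plaintext = BANNER.encode() + bytes([0]) + HIDDEN.encode() + bytes([0])
    cipher = bytes(b ^ KEY for b in plaintext)
    body = bytearray(MBR_SIZE)
    body[DATA_OFFSET:DATA_OFFSET + len(cipher)] = cipher
    body[SIG_OFFSET:SIG_OFFSET + 2] = bytes([0x55, 0xAA])
    return bytes(body)

def demo() -> dict:
    image = bytearray(10 * 1024 * 1024)   # same 10 MB flat image bximage created
    inject_mbr(image, build_demo_mbr())
    sector = bytes(image[:MBR_SIZE])
    shown, si_exit = xor_print_loop(sector, LOAD_BASE + DATA_OFFSET, KEY)
    everything, _ = xor_print_loop(sector, LOAD_BASE + DATA_OFFSET, KEY, skip_nuls=1)
    return {'shown': shown, 'si_exit': si_exit, 'everything': everything}

if __name__ == '__main__':
    r = demo()
    print(r['shown'])
    si = r['si_exit']
    print(f'loop stopped with SI = {si:#x}; forcing the jz through once yields:')
    print(r['everything'])
```

The SI value returned on the first run is the one to put in the conditional breakpoint; the second run shows what the emulator display shows after ZF is cleared: the banner followed by the text that was hidden behind the first terminator.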
Press continue and check the output in the Bochs emulator display.\r\nAnd here it is: CS{0rd3r_0f_0x20_b00tl0ad3r}, our winning flag.\r\nAuthor:\r\n[Twitter]\r\n[Github]\r\nDownload:\r\n[Download PDF]\r\nSource: https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md"
	],
	"report_names": [
		"Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/450ab827d177066d5b52bc95bc21100deeff024c.pdf",
		"text": "https://archive.orkl.eu/450ab827d177066d5b52bc95bc21100deeff024c.txt",
		"img": "https://archive.orkl.eu/450ab827d177066d5b52bc95bc21100deeff024c.jpg"
	}
}