Though I am now out of the game, I guess that the preliminary work and maybe some of the conclusions I got to might be of use to someone willing to take part in it.
This post will be extremely long, and in some parts will be more similar to a RANT than to a valid technical post, please try forgiving my verbosity and my critical attitude.
Let me state beforehand a few facts and personal
I find HP has been for years the best firm in the world for pocket calculators (in my life I bought several tens of them)
I find HP has been for years the best firm in the world for Laser printers (as well in my life I bought several tens of them)
I find HP has been for years the best firm in the world for plotters (as well in my life I bought several tens of them)
I find Compaq has been for years the best firm in the world for plotters (as well in my life I bought several tens of them - in the years 1992 up to 1995)
I find current HP policies with software and particularly with OS simply appalling
HP was facing to be condemned for similar practices in a Class action and opted for a settlement:
It seems like it is a common practice for HP to close with a settlement cases where they were accused of providing defective products and/or failing to give Customers satisfactory repairs/fixes:
In Italy there are currently several cases opened against HP following its refusal to reimburse customers that do not want Vista on their PC's (Italian):
and an appeal to the Antitrust European Committee has been filed.
(but the above bears no connection to the issue at hand)
Let's get back to topic.
From what I have seen and understood from the reports, the "Softthinks" MBRINST.EXE (in some cases renamed to MBR.DLL) is an MBR installing utility that works roughly this way:
- writes a "special" MBR
- analyzes the partitions on the hard disk
- if a partition with certain (unknown at the moment) settings/data is found, THEN:
- adds to the partition bootsector the word "RECOVERY"
- changes some data in the MBR accordingly
The above procedure is NOT repeatable, i.e. once the "RECOVERY" partition is made, the MBRINST.EXE does not recognize it as "RECOVERY" anymore.
Additionally, a bit seems like being set in the MBR if, even once, the MBR is booted and the "Recovery" partition is not found. (to be more exact byte 1B4h changes from 01 to 00)
Of course by disassembling or reverse engineering the MBRINST.EXE it should be possible to find out which checks are made, and thus being able to re-create the conditions where MBRINST.EXE recognizes the partition, but this procedure is out of the scope of the thread/board. (at least as I see it)
On the other hand, no Law prohibits trying to find how the thing works.
There are several versions of the MBRINST.EXE file.
I was able to find/examine three of them:
- 147,456 bytes in size dated 30-09-2005
- 159,744 bytes in size dated 12-03-2008
- 165,248 bytes in size dated 16-10-2008
They are all the same thing, but with "added options".
#1 has 4 options for "While counting display":
#2 has 7 options for "While counting display":
- Qplay HP
- Qplay GW
- HP F11 NTFS
- HP F11 BITL
#3 has 8 options for "While counting display":
- Qplay HP
- Qplay GW
- HP F11 NTFS
- HP F11 BITL
- HP F11 BL;QP
Now again my personal opinion:
- the tool was initially programmed "properly" (in a version before the first one listed)
- then it was "customized" and options were added to it (in the "wrong place", it simply makes no sense to have options in "While counting display")
- in my opinion this is the result of lazy programmers that do quick and dirty hacks instead of doing properly something
The app contains a number of different MBR's and also a few bootsectors.
For the curious ones, I wrote a small batch that, using gsar and dumphex, can extract these sectors from the app and "divide" them in three categories:
- UNKNOWN's (most probably parts of a multisector MBR)
Here it is.
You will need in the same directory of the batch, besides MBRINST.EXE, gsar and dumphex:
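@ECHO OFF
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
REM Needs gsar, dsfo and dumphex in the same directory as this batch
IF "%~nx1"=="" GOTO :Nofile
SET Source=%~nx1
ECHO All files in current directory with extension .sec and .dmp will be deleted.
ECHO to abort press Ctrl+C NOW!
PAUSE
DEL *.sec *.dmp 2>nul
SET /A Counter=0
REM Every 00 00 55 AA hit marks the end of a sector; it starts 508 bytes earlier
FOR /F "tokens=3 delims=:" %%A IN ('gsar -b -s:x00:x00:x55:xAA %Source% ^|FIND /V "found"') DO (
  SET /A Counter=!Counter!+1
  SET /A FoundOffset=%%A
  SET /A Offset=!FoundOffset!-508
  IF !Counter! lss 10 (SET Number=0!Counter!) ELSE (SET Number=!Counter!)
  dsfo %Source% !Offset! 512 !Number!_!FoundOffset!.sec
)
FOR /F %%? IN ('DIR /B *.sec') DO (
  CALL :Dorename %%?
  CALL :Checktype !NewName!.sec
)
GOTO :EOF

:Dorename
REM Append the two bytes at 1B6h and 1B7h to the file name
FOR /F "tokens=2,3 delims=: " %%B IN ('dumphex -s1B6 /l2 /nc %1 2^>nul') DO (
  SET NewName=%~n1_%%B%%C
)
REN %1 !NewName!.sec
GOTO :EOF

:Checktype
REM Classify on the first byte: 33 = MBR, E9 = bootsector, anything else UNKNOWN
SET Type=UNKNOWN
FOR /F "tokens=2,3 delims=: " %%D IN ('dumphex /l1 /nc %1 2^>nul') DO (
  IF /I %%D==33 SET Type=MBR
  IF /I %%D==E9 SET Type=BS
)
SET NewerName=%~n1_!Type!
REN %1 !NewerName!.sec
dumphex /o!NewerName!.dmp !NewerName!.sec
GOTO :EOF

:Nofile
ECHO you must supply a target file!
ECHO example %~nx0 MBRINST.EXE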
Result will be a number of "couples" of files, named in the form:
(progressive number)_(Offset within_MBRINST.EXE)_(value of bytes 1B6h&1B7h)_(Type of sector).sec
(progressive number)_(Offset within_MBRINST.EXE)_(value of bytes 1B6h&1B7h)_(Type of sector).dmp
The .sec files are the binary sectors, the .dmp files are dumps, that you can open in Notepad or any text editor.
Bytes at offset 1B6h&1B7h appear to be a way to "categorize" the different MBR's.
Another interesting thing to do with the file is running BinText against it:
An interesting number of things can be found from reading the output, most noticeably the text description of the various MBR's (which is often truncated in the text box when running the tool):
0001D394 0041D394 0 unknown MBR
0001D3A0 0041D3A0 0 Special D*OEM MBR
0001D3B4 0041D3B4 0 MBR1STD (one sector, standard MBR, boot active partition)
0001D3F0 0041D3F0 0 MBR1STD
0001D3F8 0041D3F8 0 MBR1STH (one sector, force Stealth mode on "SMIMG ")
0001D430 0041D430 0 MBR1STH
0001D438 0041D438 0 MBR1sNSd (one sector, RP anywhere, dotted count)
0001D46C 0041D46C 0 MBR1sNGWQP: one sector, RP anywhere, Gateway, QuickPlay, quiet)
0001D4AC 0041D4AC 0 MBR1sNHPBLQP: one sec, RP any, HP F11, NTFS, QuickPlay, quiet, standard boot (BitLocker))
0001D508 0041D508 0 MBR1sNHPBL: one sector, RP anywhere, HP F11, NTFS, quiet, standard boot (BitLocker))
0001D560 0041D560 0 MBR1sNHPNT: one sector, RP anywhere, HP F11, NTFS, quiet)
0001D59C 0041D59C 0 MBR1sNHPQP: one sector, RP anywhere, HP, QuickPlay, quiet)
0001D5D8 0041D5D8 0 MBR1sNqC: one sector, RP anywhere, quiet count)
0001D608 0041D608 0 MBR1sNSq (one sector, RP anywhere, quiet)
0001D634 0041D634 0 MBR1sNS (one sector, RP anywhere, numbered count)
0001D668 0041D668 0 MBR1s0Bd (one sector, RP on start of disk, dotted count)
0001D6A4 0041D6A4 0 MBR1s0qC (one sector, RP on start of disk, quiet count)
0001D6DC 0041D6DC 0 MBR1s0Bq (one sector, RP on start of disk, quiet)
0001D710 0041D710 0 MBR1s0B (one sector, RP on start of disk, numbered count)
0001D74C 0041D74C 0 MBR1sIUd (one sector, RP in UP, dotted count)
0001D77C 0041D77C 0 MBR1sIqC (one sector, RP in UP, quiet count)
0001D7AC 0041D7AC 0 MBR1sIUq (one sector, RP in UP, quiet)
0001D7D4 0041D7D4 0 MBR1sIU (one sector, RP in UP, numbered count)
0001D804 0041D804 0 MBR8s (full featured eight sector MBR)
And some info about WHO actually wrote the tool:
0001DA00 0041DA00 0 MBRInst. Programmed for SoftThinks ©2001-2006,2008
00022148 00467148 0 XSS; Ulf Loesche
00022212 00467212 0 LegalCopyright
00022246 00467246 0 XSS 2001-2006,2007,2008
00022300 00467300 0 www.xss.com
0002231E 0046731E 0 ProductName
00022338 00467338 0 XSS Preinstall Environment MBR installation
Finding of other interesting strings is left to the reader.
I guess that people suffering from the problem may want to try contacting the author, Ulf Loesche
through his site http://www.xss.com/
- ask him for help in solving the matter
- show him their appreciation for the program
A last bit of text in the .exe, that as I see describes the whole stuff very well
0001DD90 0041DD90 0 ALLES GROSSE SCHEISSE!!!!
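
The carving and classification done by the batch in the post, as an added Python example (not the poster's code and not part of MBRINST.EXE): it finds each embedded 512-byte sector by its `00 00 55 AA` ending, applies the same first-byte test, and also reports the byte at 1B4h, the bytes at 1B6h and 1B7h, and whether the word "RECOVERY" is present. The record field names, the `make_sector` helper and the sample data are constructed for illustration; the "RECOVERY" check is a plain substring search, which is an assumption about where the word sits.

```python
SIG = b"\x00\x00\x55\xaa"          # same pattern the batch passes to gsar
SECTOR = 512

def classify(sector):
    """First-byte test from the batch: 33h = MBR, E9h = bootsector."""
    return {0x33: "MBR", 0xE9: "BS"}.get(sector[0], "UNKNOWN")

def carve(blob):
    """Return one record per embedded sector that ends in 00 00 55 AA."""
    records, pos = [], blob.find(SIG)
    while pos != -1:
        start = pos - 508              # signature sits at bytes 508..511
        if start >= 0:
            sec = blob[start:start + SECTOR]
            records.append({
                "found": pos, "start": start, "type": classify(sec),
                "flag_1b4": sec[0x1B4],
                "cat_1b6": sec[0x1B6:0x1B8].hex().upper(),
                "recovery": b"RECOVERY" in sec,
            })
        pos = blob.find(SIG, pos + 1)
    return records

def file_name(number, rec):
    """Name in the post's scheme: number_offset_bytes1B6-1B7_type.sec"""
    return f"{number:02d}_{rec['found']}_{rec['cat_1b6']}_{rec['type']}.sec"

def make_sector(first, flag, cat, text=b""):
    """Build a constructed 512-byte test sector (not real MBRINST.EXE data)."""
    s = bytearray(SECTOR)
    s[0], s[0x1B4] = first, flag
    s[0x1B6:0x1B8] = cat
    s[3:3 + len(text)] = text
    s[510:512] = b"\x55\xaa"
    return bytes(s)

# Constructed sample: 0xFF filler around one MBR-like and one bootsector-like block
SAMPLE = (b"\xff" * 100 + make_sector(0x33, 0x01, b"\x12\x34")
          + b"\xff" * 37 + make_sector(0xE9, 0x00, b"\x00\x00", b"RECOVERY")
          + b"\xff" * 10)

if __name__ == "__main__":
    for n, rec in enumerate(carve(SAMPLE), 1):
        print(file_name(n, rec), rec)
```

To run it against a real file, pass the file's bytes to `carve()` instead of `SAMPLE`.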