
Disk Probe tutorial, part 2: Files and boot sectors

In my last tutorial I introduced you to Windows 2000's Disk Probe, a utility that lets you modify almost anything on your system's hard disk on a sector-by-sector basis. Now it's time to start using it to make modifications to your system.
Written by Brien M. Posey, Contributor

Before beginning, I strongly urge you to back up the file on which you're working. It's easy to change a value accidentally. Usually, you can safely make changes to readable text embedded within a binary file, but making changes to the other gibberish you see actually modifies the executable code and usually causes the file not to run.

It's also important to know that some files are protected against any sort of modification. Such files contain an embedded checksum value. If the result of the checksum algorithm applied to the bytes within the file doesn't match the embedded value, code within the file that is designed to prevent it from running when modified renders the file useless. Therefore, always make a backup before you modify.

Modifying a file
Once you've loaded a file into Disk Probe (see the first tutorial), navigate through it using the blue arrow icons at the top of the window until you locate the section you want to modify.

Notice that the right side of the screen contains readable text that was extracted from the file, while the left side contains all the hexadecimal codes that compose the text. Unfortunately, you can't modify the readable text directly. Instead, you have to modify the hexadecimal code to make changes.


Figure: Use Disk Probe to modify binary files.


In the figure above, I'm using Disk Probe to look at error message text embedded within a Windows 98 IO.SYS file. The first error message you see in the figure states that "This version of Windows requires a 386 or better processor." Suppose that, for some sick reason, I wanted to change this line to say that this version of Windows requires a 286 or better processor. You can't just modify the readable text and change the 3 to a 2. Instead, you have to look at the line containing the text you want to modify and count characters from the left until you find the one you want to change. In this case, the 3 is eight characters from the left. Next, find the eighth pair of numbers in the hexadecimal code on that line. The eighth number is 33, which corresponds to the readable text number 3. If I change 33 to 32, the readable text changes to show that you need a 286 processor to run Windows. Of course, changing this error message doesn't change Windows' system requirements!

Now you must save your changes. The Save As screen is a little deceiving because it defaults to saving a file with a .DSK extension, using the file name SECTOR00. With these defaults, you might assume that only the current sector is going to be saved. However, this operation saves the entire file. You can of course assign any file name you want—if I wanted to, I could overwrite the existing IO.SYS file with my updated version.

Backing up a boot sector
Now that you know how to modify a file, let's look at another useful operation: backing up a boot sector. As you probably know, a boot sector virus can really ruin your day. You can use Disk Probe to back up a boot sector and restore it in the event of a viral infection. Of course, a system must be bootable before you can use Disk Probe, so this operation works best if you get a boot sector virus on a partition that isn't involved in the boot process. If the boot partition is damaged and the system is unbootable, you're pretty much out of luck. In that case, instead of using Disk Probe you have to use the Recovery Console's FIXBOOT command.

You can acquire all of the necessary boot sector information by opening the desired volume and using the NTFS Boot Sector command found on the View menu. If a boot sector already has been corrupted by either a virus or disk corruption, but you haven't backed it up yet, you're not completely out of luck. NTFS partitions contain a backup copy of the boot sector at the end of the volume (or at the logical center of the volume if the hard disk was originally formatted with Windows NT 3.51 or earlier). If your boot sector has become corrupt, you can locate the backup copy and use it to repair the damaged boot sector. Unfortunately, the procedure for doing this will vary from machine to machine because of differences in hard drive sizes.

As you can see, Disk Probe can be useful for recovering from viral attacks or for modifying binary files.
