WinHex WinHex Editor

• A hex editor is capable of completely displaying the contents of each file type.
• A hex editor even displays control codes (e.g. linefeed and carriage-return characters) and executable code, using a two-digit number based on the hexadecimal system.
• One byte is a sequence of 8 bits.
• Each bit is either 0 or 1 (two possible states).
• Therefore one byte can have one of 2•2•2•2•2•2•2•2 = 2^8 = 256 different values.
• Since 256 is the square of 16, a byte value can be defined by a two-digit number based on the hexadecimal system, where each digit represents 4 bits.
• The sixteen digits used in the hexadecimal system are 0-9, A-F:

0000 = 0    1000 = 8
0001 = 1    1001 = 9
0010 = 2    1010 = A
0011 = 3    1011 = B
0100 = 4    1100 = C
0101 = 5    1101 = D
0110 = 6    1110 = E
0111 = 7    1111 = F

• Example: A byte whose decimal value is 65 is displayed as 41 in hexadecimal notation (4•16+1=65) and as the letter A in text mode. The ASCII character set defines the capital letter A to have the decimal value of 65.

* When editing files of a certain type (for instance executable files), it is essential not to change the file size.
* Moving the addresses of executable code and included data results in severely damaging such files.
* Please note that changing the contents of a file generally may cause the corresponding application to behave anomalously.
* It is quite safe to edit text passages in a file.
* At any rate, it is recommendable to create backup files before editing.

Endian-ness: little-endian format

• Microprocessors differ in the position of the least significant byte.
• Intel®, MIPS®, National Semiconductor, and VAX processors have the least significant byte first.
• A multi-byte value is stored in memory from the lowest byte (the “little end”) to the highest byte.
• For example, the hexadecimal number 12345678 is stored as 78 56 34 12.

Endian-ness: big-endian format

• Motorola and Sparc processors have the least significant byte last.
• A multi-byte value is stored in memory from the highest byte (the “big end”) to the lowest byte.
• For example, the hexadecimal number 12345678 is stored as 12 34 56 78.
• Unless stated otherwise, multi-byte numbers are stored in little-endian format, meaning that the first byte of a number is the least significant and the last byte is the most significant.
• This is the common format for computers running Windows.
• Following the little-endian paradigm, the hexadecimal values 10 27 can be interpreted as the hexadecimal number 2710 (decimal: 10,000).

Integer Data Types

Attribute Legend

A: to be archived
R: read-only
H: hidden
S: system
X: not indexed
P: NTFS reparse point
O: offline
T: temporary

Attribute Legend

I: has object ID
C: compressed at filesystem level
c: compressed in archive
E: encrypted at filesystem level
e: encrypted in archive
e!: file type specific encryption/DRM
e?: high entropy, possibly fully encrypted

Attribute Legend

(Res): HFS+ resource
($EFS): NTFS encryption metadata
(INDX): NTFS non-directory index attribute
(ADS): NTFS alternate data stream
(SC): found in a volume shadow copy
(SUID): Set User ID
(SGID): Set Group ID

Master Boot Record

Operating system indicators

Detailed Explanation of FAT Boot Sector

The Boot Process

The boot process of 80x86-based personal computers (as opposed to RISC-based systems) makes direct use of a file system boot sector for executing instructions. The initial boot process can be summarized as follows:

• Power On Self Test (or POST) initiated by system BIOS and CPU.
• BIOS determines which device to use as the "boot device."
• BIOS loads the first physical sector from the boot device into memory and transfers CPU execution to the start of that memory address.

If the boot device is a hard drive, the sector loaded in step 3 is the MBR, and the boot process proceeds as follows:

• MBR code loads the boot sector referenced by the partition table for the "active primary partition" into memory and transfers CPU execution to the start of that memory address.

Inside the FAT Boot Sector

• Because the MBR transfers CPU execution to the boot sector, the first few bytes of the FAT boot sector must be valid executable instructions for an 80x86 CPU. In practice these first instructions constitute a "jump" instruction and occupy the first 3 bytes of the boot sector. This jump serves to skip over the next several bytes which are not "executable."
• Following the jump instruction is an 8 byte "OEM ID". This is typically a string of characters that identifies the system that formatted the volume.
• Following the OEM ID is a structure known as the BIOS Parameter Block, or "BPB." Taken as a whole, the BPB provides enough information for the executable portion of the boot sector to be able to locate the NTLDR file. Because the BPB always starts at the same offset, standard parameters are always in a known location.
• Because the first instruction in the boot sector is a jump, the BPB can be extended in the future, provided new information is appended to the end. In such a case, the jump instruction would only need a minor adjustment. Also, the actual executable code can be fairly generic. All the variability associated with running on disks of different sizes and geometries is encapsulated in the BPB.
• The BPB is stored in a packed (that is, unaligned) format. The following table lists the byte offset of each field in the BPB. A description of each field follows the table.
• Bytes Per Sector: This is the size of a hardware sector and for most disks in use in the United States, the value of this field will be 512.
• Sectors Per Cluster: Because FAT is limited in the number of clusters (or "allocation units") that it can track, large volumes are supported by increasing the number of sectors per cluster. The cluster factor for a FAT volume is entirely dependent on the size of the volume. Valid values for this field are 1, 2, 4, 8, 16, 32, 64, and 128. Query in the Microsoft Knowledge Base for the term "Default Cluster Size" for more information on this subject.
• Reserved Sectors: This represents the number of sectors preceding the start of the first FAT, including the boot sector itself. It should always have a value of at least 1.
• FATs: This is the number of copies of the FAT table stored on the disk. Typically, the value of this field is 2.
• Root Entries: This is the total number of file name entries that can be stored in the root directory of the volume. On a typical hard drive, the value of this field is 512. Note, however, that one entry is always used as a Volume Label, and that files with long file names will use up multiple entries per file. This means the largest number of files in the root directory is typically 511, but that you will run out of entries before that if long file names are used.
• Small Sectors: This field is used to store the number of sectors on the disk if the size of the volume is small enough. For larger volumes, this field has a value of 0, and we refer instead to the "Large Sectors" value which comes later.
• Media Descriptor: This byte provides information about the media being used. The following table lists some of the recognized media descriptor values and their associated media. Note that the media descriptor byte may be associated with more than one disk capacity.

• Sectors Per FAT: This is the number of sectors occupied by each of the FATs on the volume. Given this information, together with the number of FATs and reserved sectors listed above, we can compute where the root directory begins. Given the number of entries in the root directory, we can also compute where the user data area of the disk begins.
• Sectors Per Track and Heads: These values are a part of the apparent disk geometry in use when the disk was formatted.

• Hidden Sectors: This is the number of sectors on the physical disk preceding the start of the volume (that is, before the boot sector itself). It is used during the boot sequence in order to calculate the absolute offset to the root directory and data areas.
• Large Sectors: If the Small Sectors field is zero, this field contains the total number of sectors used by the FAT volume.
• Some additional fields follow the standard BIOS Parameter Block and constitute an "extended BIOS Parameter Block." The next fields are:
• Physical Drive Number: This is related to the BIOS physical drive number. Floppy drives are numbered starting with 0x00 for the A: drive, while physical hard disks are numbered starting with 0x80. Typically, you would set this value prior to issuing an INT 13 BIOS call in order to specify the device to access. The on-disk value stored in this field is typically 0x00 for floppies and 0x80 for hard disks, regardless of how many physical disk drives exist, because the value is only relevant if the device is a boot device.
• Current Head: This is another field typically used when doing INT 13 BIOS calls. The value would originally have been used to store the track on which the boot record was located, but the value stored on disk is not currently used as such. Therefore, Windows NT uses this field to store two flags:
• The low order bit is a "dirty" flag, used to indicate that autochk should run chkdsk against the volume at boot time.
• The second lowest bit is a flag indicating that a surface scan should also be run.

• Signature: The extended boot record signature must be either 0x28 or 0x29 in order to be recognized by Windows NT.

• ID: The ID is a random serial number assigned at format time in order to aid in distinguishing one disk from another.
• Volume Label: This field was used to store the volume label, but the volume label is now stored as a special file in the root directory.

• System ID: This field is either "FAT12" or "FAT16," depending on the format of the disk.
• Finally, the last two bytes in any boot sector always have the hexadecimal values: 0x55 0xAA.
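The following added example (not part of the original slides or of WinHex) ties the endianness notes and the boot sector walkthrough together: it builds a constructed 512-byte FAT16 boot sector, decodes the packed little-endian BPB and extended BPB, validates the jump, signature and cluster-size rules given above, and computes where the root directory and data area begin. It assumes the standard FAT12/FAT16 field offsets (BPB at byte 11, extended BPB at byte 36); the field names follow the descriptions above.

```python
import struct

# Standard FAT12/FAT16 BPB (offset 11..35) and extended BPB (36..61); every multi-byte
# field is little-endian, which the leading "<" in the struct format selects.
BPB_FMT = "<HBHBHHBHHHII"   # bytes/sector, sectors/cluster, reserved, FATs, root entries,
                            # small sectors, media, sectors/FAT, sectors/track, heads,
                            # hidden sectors, large sectors
EXT_BPB_FMT = "<BBBI11s8s"  # drive number, flags (current head), signature, ID, label, system ID

def build_sample_sector():
    """Constructed 512-byte FAT16 boot sector (sample data, not taken from a real disk)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                    # x86 short JMP over the BPB, plus NOP
    sec[3:11] = b"MSWIN4.1"                       # OEM ID
    sec[11:36] = struct.pack(BPB_FMT, 512, 4, 1, 2, 512, 0, 0xF8, 64, 63, 16, 63, 65536)
    sec[36:62] = struct.pack(EXT_BPB_FMT, 0x80, 0x01, 0x29, 0x1234ABCD,
                             b"NO NAME    ", b"FAT16   ")
    sec[510:512] = b"\x55\xAA"                    # mandatory trailing signature
    return bytes(sec)

def parse_boot_sector(sec):
    """Decode the BPB and locate the root directory and data area (sector numbers)."""
    if len(sec) != 512 or sec[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55 0xAA boot sector signature")
    if sec[0] not in (0xEB, 0xE9):                # short / near JMP opcodes
        raise ValueError("boot sector does not start with a jump instruction")
    (bps, spc, reserved, fats, root_entries, small, media,
     spf, spt, heads, hidden, large) = struct.unpack_from(BPB_FMT, sec, 11)
    drive, flags, ext_sig, vol_id, label, sys_id = struct.unpack_from(EXT_BPB_FMT, sec, 36)
    if spc not in (1, 2, 4, 8, 16, 32, 64, 128):
        raise ValueError("invalid sectors per cluster: %d" % spc)
    if ext_sig not in (0x28, 0x29):
        raise ValueError("extended boot record signature must be 0x28 or 0x29")
    root_start = reserved + fats * spf            # first sector after all FAT copies
    root_sectors = (root_entries * 32 + bps - 1) // bps   # 32-byte directory entries
    return {
        "oem_id": sec[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "drive_number": drive,
        "total_sectors": small if small else large,  # Small Sectors == 0 -> use Large
        "dirty": bool(flags & 1),                  # low bit: autochk runs chkdsk at boot
        "surface_scan": bool(flags & 2),           # second bit: surface scan requested
        "volume_id": vol_id, "system_id": sys_id.decode("ascii").strip(),
        "root_dir_sector": root_start,             # relative to the volume start
        "data_area_sector": root_start + root_sectors,
        "root_dir_abs_sector": hidden + root_start,  # relative to the physical disk
    }

if __name__ == "__main__":
    for k, v in parse_boot_sector(build_sample_sector()).items():
        print("%-20s %s" % (k, v))
```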