;DMDE Disk Editor Templates DEFINE _t(%1%) x:$x,%1% ENDDEFINE DEFINE _ift(%1%,%2%,%3%) %1%,x:$x,%2% x:0,w:$x,%3% ENDDEFINE DEFINE _iftl(%1%,%2%,%3%) _ift(%1%,%2%,%3%) EOL ENDDEFINE DEFINE _ift(%1%,%2%,%3%,%4%) %1%,x:$x,%3%,%2% x:0,w:$x,%4% ENDDEFINE DEFINE _iftl(%1%,%2%,%3%,%4%) _ift(%1%,%2%,%3%,%4%) EOL ENDDEFINE DEFINE _sft(%1%,%2%,%3%) _ift({%1%},%2%,%3%) ENDDEFINE DEFINE _sft(%1%,%2%,%3%,%4%) _ift({%1%},%2%,%3%,%4%) ENDDEFINE DEFINE _sftl(%1%,%2%,%3%) _iftl({%1%},%2%,%3%) ENDDEFINE DEFINE _sftl(%1%,%2%,%3%,%4%) _iftl({%1%},%2%,%3%,%4%) ENDDEFINE [Test] fuse:0 $i:=0 WHILE $i<5 $i:=$i+1 $j:=0 $x:=10 WHILE $j<5 $j:=$j+1 {4},x:$x,%u $x:=$x+11 ENDWHILE EOL ENDWHILE ;////////////////////////////////////////// [MFT Record] ;remove guid not to use by default: guid:{1df5ef71-7ae4-b176-c967-f94c63c5fb7a} flow:1 CALCSIZESTART $1:={0x1C,2} IF $1<1024 $1:=1024 ENDIF $RECSIZE:=$1 CALCSIZEEND DEFINE _ntfs_fixuprec(%flush%, %recsign%) IF (%recsign% = 0) OR ({0x00,4} = %recsign%) $fx_srcofs:={0x04,2} $fx_count:={0x06,2} $fx_minofs:= 0x28 ;INDX IF (%recsign% = 0) $fx_minofs:= 0x2A ;FILE ENDIF IF ($fx_srcofs >= $fx_minofs) AND ($fx_srcofs < 0x1FE) AND ($fx_count > 1) $fx_value:={$fx_srcofs,2} $fx_dstofs:=0x1FE IF (%flush%) OR ({$fx_dstofs,2} = {$fx_srcofs,2}) WHILE ($fx_count > 1) AND ($fx_dstofs + 2 <= $RECSIZE) $fx_srcofs:=$fx_srcofs+2 $fx_count:=$fx_count-1 IF (%flush%) {$fx_srcofs,2}:={$fx_dstofs,2} {$fx_dstofs,2}:=$fx_value ELSE {$fx_dstofs,2}:={$fx_srcofs,2} ENDIF $fx_dstofs:=$fx_dstofs+0x200 ENDWHILE ENDIF ENDIF ENDIF ENDDEFINE LOADSTART _ntfs_fixuprec(0, 0) LOADEND FLUSHSTART _ntfs_fixuprec(1, 0) FLUSHEND $OPENFILERECOFS:=0x00 $63:=TOGGLE:0,x:1 $10:=0 ;default color IF {0x00,4}!=0x454c4946 $10:=8 ;error color ENDIF IF {0x16,2}&1 $13:=0 ;default color ELSE $13:=10 ;grayed (removed) ENDIF x:5,c:$10,File # IF {0x04,2}>=0x30 ({0x2C,4}),x:10,#%10u ENDIF ({0x10,2}),x:22,(%u) IF $63 EOL $XOFS:=5 $x:=17 _sftl(4, %4c, c:$10, magic ("FILE")) $10:=0 $fx_srcofs:={$NEXTOFS,2} IF ($fx_srcofs<0x2A) OR ($fx_srcofs>=$RECSIZE) $10:=8 ENDIF _sftl(2, %X, c:$10, fixups offset 0x) $10:=$13 IF {$NEXTOFS,2}<2 $10:=8 ENDIF _sftl(2, %u, fixups count) _sftl(4, %08X, LSNlo 0x) _sftl(4, %08X, LSNHi 0x) _sftl(2, %u, seq. number) _sftl(2, %u, hlink number) _sftl(2, %X, attrs offset) _sftl(2, %X, flags) _sftl(4, %u, used size) _sftl(4, %u, record size) _sftl(4, %u, basefileref) _sftl(2, %X, [0x24] 0x) _sftl(2, %u, basefileref seq.) _sftl(2, %u, next attribute #) IF $fx_srcofs>=0x30 _sftl(2, %X, [0x2A] 0x) _sftl(4, %u, file #) ENDIF IF $fx_srcofs>=0x2A AND $fx_srcofs<0x1FE _ift({$fx_srcofs,2}, %04X, fixup 0x) ENDIF ELSE ;if grayed IF NOT $10 AND $13 $10:=$13 ENDIF x:31," {0x00,4},x:32,c:$10,%4c x:36," ENDIF ;Attributes $2:={0x14,2} WHILE 1 EOL $XOFS:=1 $1:=$2 IF $1<0x2A OR $1>=$RECSIZE x:4,c:8,ERROR Attribute Offset EOL BREAK ENDIF $OFFSET:=$1 $9:={0x00,4} IF $9!=0xFFFFFFFF $63:=TOGGLE:$1,x:0 ELSE {0x00,4},x:10,c:10,%8X x:18,h End Mark BREAK ENDIF $OPENATTROFS:=$1 x:4,# $3:={0x0E,2} $3,x:5,%u IF NOT $63 {0x00,4},x:10,c:$13,%8X x:18,h ENDIF IF NOT $63 AND {0x09,1} ;Attr name $3:={0x0A,2} $4:={0x09,1}<<1 x:20,: IF ($3<=0) OR ($3>={0x04,4}) OR ($3>=$RECSIZE-$OFFSET) x:21,c:8,ERROR Attrname Offset ELSEIF ($4>0) {$3,$4},x:21,c:$13,U ENDIF EOL ENDIF $x:=20 IF $9=0x10 _t($STANDARD_INFORMATION) ELSEIF $9=0x20 _t($ATTRIBUTE_LIST) ELSEIF $9=0x30 _t($FILE_NAME) ELSEIF $9=0x50 _t($SECURITY_DESCRIPTOR) ELSEIF $9=0x60 _t($VOLUME_NAME) ELSEIF $9=0x70 _t($VOLUME_INFORMATION) ELSEIF $9=0x80 _t($DATA) ELSEIF $9=0x90 _t($INDEX_ROOT) ELSEIF $9=0xA0 _t($INDEX_ALLOCATION) ELSEIF $9=0xB0 _t($BITMAP) ELSEIF $9=0x100 _t($LOGGED_UTILITY_STREAM) ELSE _t(Other Attribute) ENDIF $10:=0 ;color $2:={0x04,4} $5:=$2 ;full attr length IF $2<=0 $10:=8 ;error color ELSE $2:=$1+$2 ;next attribute offset IF $2>$RECSIZE $2:=$RECSIZE $5:=$2-$1 $10:=8 ENDIF ENDIF $XOFS:=$XOFS+4 $x:=15 IF $63 EOL _iftl({0, 4}, %X, Attr. type 0x) _iftl({4, 4}, %X, c:$10, Attr. length 0x) ELSEIF $10 EOL _iftl({4, 4}, %X, c:$10, Attr. length 0x) ENDIF IF $2<=0 EOL BREAK ENDIF IF $63 _iftl({0x08,1}, %u, Non-resident) _iftl({0x09,1}, %u, Attrname len) _iftl({0x0A,2}, %X, Attrname ofs 0x) _ift( {0x0C,2}, %04X, Flags 0x) {0x0C:0,2},x:$x+11,F:C-+- {0x0C:14,2},x:$x+14,F:E-S- EOL _iftl({0x0E,2}, %u, Attr. number) ENDIF IF NOT {0x08,1} ;resident attribute $10:=0 ;color for offset $11:=0 ;color for size $3:={0x14,2} ;data offset $4:={0x10,4} ;data size IF $3>$5 ;$3>full attr length $3:=$5 $4:=0 $10:=8 ENDIF IF $3+$4>$5 $4:=$5-$3 $11:=8 ENDIF IF NOT $63 $x:=27 IF {0x00,4}=0x80 ;$DATA: ;if grayed IF NOT $11 AND $13 $11:=$13 ENDIF {0x10,4},x:$x,c:$11,%u EOL ELSEIF $11 EOL x:0,c:$11,Data Size {0x10,4},x:$x,c:$11,%u EOL ENDIF IF $10 EOL _iftl({0x14,2}, %X, c:$10, Data Offset 0x) ENDIF ELSE $x:=15 _iftl({0x10,4}, %u, c:$11, Data Size) _iftl({0x14,2}, %X, c:$10, Data Offset 0x) $9:={0x09,1}<<1 IF $9 $8:={0x0A,2} IF ($8<=0) OR ($8>={0x04,4}) OR ($8>=$RECSIZE-$OFFSET) _iftl(, ERROR Attrname Offset, c:8, Attr. name) ELSE _iftl({$8,$9}, U, Attr. name) ENDIF ENDIF ENDIF $NEXTOFS:=$3 $XOFS:= $XOFS+4 $x:=18 IF {0x00,4}=0x10 ;standard information IF NOT $63 $NEXTOFS:=$NEXTOFS+8 $4:=$4-8 {8},x:$x+16,c:$13,FILETIME EOL ELSE _sftl(8, FILETIME, created) _sftl(8, FILETIME, modified) _sftl(8, FILETIME, changed) _sftl(8, FILETIME, accessed) _sft( 2, F:R-H-S-V-D-A-d-n-t-s-r-c-o-i-e-+-, attrs) {2},x:$x+17,F:+-+-+-+-+-+-+-+-+-+-+-+-D-I-+-+- EOL $4:=$4 - ($NEXTOFS - $3) $3:=$NEXTOFS IF $4>=12 _sftl(4, %u, Max versions) _sftl(4, %u, Version) _sftl(4, %u, Class Id) $4:=$4 - ($NEXTOFS - $3) $3:=$NEXTOFS IF $4>=24 _sftl(4, %u, Owner Id) _sftl(4, %u, Security Id) _sftl(8, %u, Quota Charged) _sftl(8, %u, USN) ENDIF ENDIF ENDIF $4:=$4 - ($NEXTOFS - $3) $3:=$NEXTOFS ELSEIF {0x00,4}=0x20 ;attribute list IF $63 $XOFS:= $XOFS-4 x:0,attr.type len n.len n.ofs vcn MFT (#) attr# name EOL $8:=$OFFSET $OFFSET:=$OFFSET+$3 WHILE $4>0 IF {0x04,2} $OPENFILENUM:={0x10,4} {0x00,4},x:0,%8X x:8,h ENDIF $9:= {0x04,2},x:10,%u IF NOT $9 BREAK ENDIF {0x06,1},x:15,%u $7:= {0x07,1},x:20,%3X x:23,h {0x08,8},x:26,%d {0x10,6},x:44,%u {0x16,2},x:54,%u {0x18,2},x:59,%u $6:={0x06,1}<<1 IF $6 {$7,$6},x:65,U ENDIF EOL IF $9>$4 $9:=$4 ENDIF IF NOT $9 BREAK ENDIF $OFFSET:=$OFFSET+$9 $3:=$3+$9 $4:=$4-$9 ENDWHILE $OFFSET:=$8 ENDIF ELSEIF {0x00,4}=0x30 ;file name $OPENFILENUM:={$3,4} IF $63 _ift({6}, %u, directory) x:$x+12,( {2},x:$x+13,%u x:$x+18,) EOL _sftl(8, FILETIME, created) _sftl(8, FILETIME, modified) _sftl(8, FILETIME, changed) _sftl(8, FILETIME, accessed) _sftl(8, %u, allocated) _sftl(8, %u, size) _sft( 2, F:R-H-S-V-D-A-d-n-t-s-r-c-o-i-e-+-, attrs) {2},x:$x+17,F:+-+-+-+-+-+-+-+-+-+-+-+-D-I-+-+- EOL _sftl(4, %u, reparse) _sftl(1, %u, name len) _sftl(1, %u, posix) x:0,name ELSE $NEXTOFS:=$NEXTOFS+0x42 $x:= $x+5 ENDIF $9:={$3+0x40,1}<<1 IF $9 {$9},x:$x,c:$13,U ENDIF EOL $4:=$4 - ($NEXTOFS - $3) $3:=$NEXTOFS ELSEIF {0x00,4}=0x60 EOL $x:=18 _iftl({$3,$4}, U, c:$13, Volume Name) $3:=$3+$4 $4:=0 ELSEIF $63 AND {0x00,4}=0x90 AND {$3,4}=0x30 AND $4>0x20 ;INDX ROOT ;IF {0x10,2}=0x10 $8:=$OFFSET ;store $OFFSET:=$OFFSET+$3+0x20 $3:=$3+0x20 $4:=$4-0x20 $10:=0 ;color ...
jb-airbrush