The file structure is based on the control of the Primary Volume Descriptor that points to the Root Directory Structure and to the Path Table. The Path Table Records point back to the Root Directory Structure to locate the actual file content in the proper directory. It is worth spending time with the date/time entry and digest its structure. It is very interesting how you can pick up a pattern if you know what you are looking for.
i.e. In this example the file name is "acrobat_installer.exe". The MAC time for the file as shown in Windows is:
Monday, July 01, 2002 - 4:33:00 a.m.
Data shown below: 66 07 01 05 21 00 F0
Year=1900+0x66(102)=2002
Month=07
Day=01
Hour=05
Minute=0x21(33)
Seconds=00
TimeZone Offset = 0xF0(-16)
GMT offset is from -48(West) to +52(East) that makes for 25 hours a day for some reason.
So, GMT offset -16 is in 15 minute intervals, thus the offset it -16/4= -4 ( EST ). In my experiments, it seems like some of the burning tools only record the GMT time with offset 00 without applying the actual offset. I'm still researching why the recoded 5 hours at -4 offset is displayed in Daylight Central Time at -5 as 4 a.m. instead of 5. If you know it, let me know.
The logical size of the file can be found as the first 4 bytes at offset 10 of the directory record. 009F3020 = 10,432,544 bytes
To find the file contents, we only need to look at the 4 bytes at offset 2 ( little endian ). In this case, 20010000->0x00000120->288. Thus, we can jump to logical sector 288 to see the content of this file.
Directory Records
length
in bytes contents
-------- ---------------------------------------------------------
1 R, the number of bytes in the record (which must be even)
1 0 [number of sectors in extended attribute record]
8 number of the first sector of file data or directory
(zero for an empty file), as a both endian double word
8 number of bytes of file data or length of directory,
excluding the extended attribute record,
as a both endian double word
1 number of years since 1900
1 month, where 1=January, 2=February, etc.
1 day of month, in the range from 1 to 31
1 hour, in the range from 0 to 23
1 minute, in the range from 0 to 59
1 second, in the range from 0 to 59
(for DOS this is always an even number)
1 offset from Greenwich Mean Time, in 15-minute intervals,
as a twos complement signed number, positive for time
zones east of Greenwich, and negative for time zones
west of Greenwich (DOS ignores this field)
1 flags, with bits as follows:
bit value
------ ------------------------------------------
0 (LS) 0 for a norma1 file, 1 for a hidden file
1 0 for a file, 1 for a directory
2 0 [1 for an associated file]
3 0 [1 for record format specified]
4 0 [1 for permissions specified]
5 0
6 0
7 (MS) 0 [1 if not the final record for the file]
1 0 [file unit size for an interleaved file]
1 0 [interleave gap size for an interleaved file]
4 1, as a both endian word [volume sequence number]
1 N, the identifier length
N identifier
P padding byte: if N is even, P = 1 and this field contains
a zero; if N is odd, P = 0 and this field is omitted
R-33-N-P unspecified field for system use; must contain an even
number of bytes
Path Table Record
length
in bytes contents
-------- ---------------------------------------------------------
1 N, the name length (or 1 for the root directory)
1 0 [number of sectors in extended attribute record]
4 number of the first sector in the directory, as a
double word
2 number of record for parent directory (or 1 for the root
directory), as a word; the first record is number 1,
the second record is number 2, etc.
N name (or 0 for the root directory)
0 or 1 padding byte: if N is odd, this field contains a zero; if
N is even, this field is omitted
Ref: http://alumnus.caltech.edu/~pje/iso9660.html
No comments:
Post a Comment