Export (0) Print
Expand All

3.2 Sample Header

Office

The following is a sample binary dump of a Unicode PST File header (section 2.2.2.6), followed by the corresponding annotated, parsed contents.

 0000000000000000  21 42 44 4E 0E A9 9A 37-53 4D 17 00 13 00 01 01  *!BDN...7SM......*
 0000000000000010  5C 07 00 00 D0 7B 99 0B-04 00 00 00 01 00 00 00  *\....{..........*
 0000000000000020  54 02 00 00 00 00 00 00-45 00 00 00 00 04 00 00  *T.......E.......*
 0000000000000030  00 04 00 00 04 04 00 00-00 40 00 00 02 00 01 00  *.........@......*
 0000000000000040  04 04 00 00 00 04 00 00-00 04 00 00 00 80 00 00  *................*
 0000000000000050  00 04 00 00 00 04 00 00-00 04 00 00 00 04 00 00  *................*
 0000000000000060  04 04 00 00 04 04 00 00-04 04 00 00 00 04 00 00  *................*
 0000000000000070  00 04 00 00 00 04 00 00-00 04 00 00 00 04 00 00  *................*
 0000000000000080  00 04 00 00 00 04 00 00-00 04 00 00 00 04 00 00  *................*
 0000000000000090  00 04 00 00 00 04 00 00-00 04 00 00 00 04 00 00  *................*
 00000000000000A0  00 04 00 00 00 04 00 00-0F 04 00 00 00 00 00 00  *................*
 00000000000000B0  00 00 00 00 00 00 00 00-00 24 9F 00 00 00 00 00  *.........$......*
 00000000000000C0  00 44 9B 00 00 00 00 00-40 F2 12 00 00 00 00 00  *.D......@.......*
 00000000000000D0  00 00 00 00 00 00 00 00-4B 02 00 00 00 00 00 00  *........K.......*
 00000000000000E0  00 52 90 00 00 00 00 00-53 02 00 00 00 00 00 00  *.R......S.......*
 00000000000000F0  00 0A 90 00 00 00 00 00-02 00 00 00 00 00 00 00  *................*
 0000000000000100  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000110  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000120  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000130  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000140  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000150  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000160  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000170  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000180  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000190  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 00000000000001A0  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 00000000000001B0  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 00000000000001C0  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 00000000000001D0  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 00000000000001E0  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 00000000000001F0  FF FF FF FF FF FF FF FF-FF FF FF FF FF FF FF FF  *................*
 0000000000000200  80 01 00 00 34 14 00 00-00 00 00 00 D6 83 D2 1F  *....4...........*

Structure Header:
   dwMagic                  DWORD            0x4e444221 (1313096225) 
   dwCRCPartial             DWORD            0x379aa90e (932882702) 
   wMagicClient             WORD             0x4d53 (19795)
   wVer                     WORD             0x0017 (23)
   wVerClient               WORD             0x0013 (19)
   bPlatformCreate          byte             0x01 (1)
   bPlatformAccess          byte             0x01 (1)
   dwReserved1              DWORD            0x0000075c (1884) 
   dwReserved2              DWORD            0x0b997bd0 (194608080) 
   bidUnused                BID              0x0000000100000004 (4294967300)
   bidNextP                 BID              0x0000000000000254 (596)
   dwUnique                 DWORD            0x00000045 (69) 
   rgnid[]                  PtypMultipleInteger32       32 Element(s)
      rgnid[0]                0x00000400 (1024) 
      rgnid[1]                0x00000400 (1024) 
      rgnid[2]                0x00000404 (1028) 
      rgnid[3]                0x00004000 (16384) 
      rgnid[4]                0x00010002 (65538) 
      rgnid[5]                0x00000404 (1028) 
      rgnid[6]                0x00000400 (1024) 
      rgnid[7]                0x00000400 (1024) 
      rgnid[8]                0x00008000 (32768) 
      rgnid[9]                0x00000400 (1024) 
      rgnid[10]               0x00000400 (1024) 
      rgnid[11]               0x00000400 (1024) 
      rgnid[12]               0x00000400 (1024) 
      rgnid[13]               0x00000404 (1028) 
      rgnid[14]               0x00000404 (1028) 
      rgnid[15]               0x00000404 (1028) 
      rgnid[16]               0x00000400 (1024) 
      rgnid[17]               0x00000400 (1024) 
      rgnid[18]               0x00000400 (1024) 
      rgnid[19]               0x00000400 (1024) 
      rgnid[20]               0x00000400 (1024) 
      rgnid[21]               0x00000400 (1024) 
      rgnid[22]               0x00000400 (1024) 
      rgnid[23]               0x00000400 (1024) 
      rgnid[24]               0x00000400 (1024) 
      rgnid[25]               0x00000400 (1024) 
      rgnid[26]               0x00000400 (1024) 
      rgnid[27]               0x00000400 (1024) 
      rgnid[28]               0x00000400 (1024) 
      rgnid[29]               0x00000400 (1024) 
      rgnid[30]               0x00000400 (1024) 
      rgnid[31]               0x0000040f (1039) 
   qwUnused                   QWORD            0x0000000000000000 (0)
   Structure root:
      dwReserved              ULONG            0x00000000 (0) 
      ibFileEof                IB               0x00000000009f2400 (10429440)
      ibAMapLast               IB               0x00000000009b4400 (10175488)
      cbAMapFree               CB               0x000000000012f240 (1241664)
      cbPMapFree               CB               0x0000000000000000 (0)
      Structure BREFNBT:
         bid                      BID              0x000000000000024b (587)
         ib                       IB               0x0000000000905200 (9458176)
      Structure BREFBBT:
         bid                      BID              0x0000000000000253 (595)
         ib                       IB               0x0000000000900a00 (9439744)
      fAMapValid               byte             0x02 (2)
      bReserved                byte             0x00 (0)
      wReserved                WORD             0x0000 (0)
   rgbFM                    byte             128 Byte(s)
      0000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0020: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0030: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0040: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0050: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0060: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0070: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      
   rgbFP                    byte             128 Byte(s)
      0000: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0020: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0030: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0040: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0050: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0060: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      0070: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF - ................
      
   bSentinel                byte             0x80 (128)
   bCryptMethod             byte             0x01 (1)
   rgbReserved           byte             0x0000 (0)
   bidNextB                 BID              0x0000000000001434 (5172)
   dwCRCFull                DWORD            0x1fd283d6 (533890006) 
Show:
© 2014 Microsoft