The data in the Header section can be obtained by going to the offset specified in the Signature. Back to our infamous Control.4096.dat. The Header section in HEX: 80 20 80 98 81 0b 80 c0 d7 a5 80 80 80 0b You'll understand why I chose the number of bytes that I did after understanding how deserialization works. The field definitions would lead you to believe that these are some sort of fixed integers (like in the header). They are not! In fact, they are specifically encoded integers, that are VARIABLE length. Let's look at the first field. It's type is int and it's name is BytesPerCluster. After doing a bit of Googling I figured out that there should be 4096 bytes per cluster. So how do you get 4096 out of Hex 80, or is it 80 20, or maybe 20 80 ? Let me spare you the gory details of how I figured this out, here's the secret: Each byte's first bit determines whether the next byte is part of the same value. So let's look at this in binary: 80 = 10000000 20 = 00100000 Also, because the first bit plays this special role, it does not compute into the actual value. Now that we know this, how do we calculate the value of these? The value is actually stored as little-endian signed numbers (not decimal floats), and the first bit of each byte does not play a role in the value calculation. So here's a simple deserialization algorithm: Step 1. Find the number of bytes participating in this value. So based on the information above, the number of bytes in this case is 2. Since the first encountered byte with its first bit set to 0 is byte number 2. Step 2. Go through each bit starting from the most-significant bit to the least significant bit adding up the values. Apply the sign bit. I know this is hard to understand and visualize, so I'll try to explain what I mean: So our 2 bytes in binary are: 10000000 00100000 The bits that are part of the value, starting from the least significant to the most significant are: * 6 5 4 3 2 1 0 * +- 12 11 10 9 8 7
^
This means to read the next byte, we're not done.
^
This means we're done and the next byte is part of the next value.
Bits: 1 0 0 0 0 0 0 0 | 0 0 1 0 0 0 0 0
+- = Sign bit.
Now that we have the significance of each bit, this is how you convert significance to bit-value:
2 ^ significance = bit-value
To determine the final value, just add up all the bit values. So in this case we only have one bit set and the bit-value is 2 ^ 12 = 4096.
So now we know that the first field value for "BytesPerCluster" is 4096.
If the number had been bigger you would, of course, have had more bytes participating.