From 011eb71d13ebf36098b21c525af603b18c520c88 Mon Sep 17 00:00:00 2001
From: Benjamin Cance <49796265+rowingdude@users.noreply.github.com>
Date: Fri, 2 Aug 2024 11:23:25 -0400
Subject: [PATCH] mft.py - decodeMFTHeader value updates

Correct bit parsing using two's complement for signed integers.

Signed-off-by: Benjamin Cance <49796265+rowingdude@users.noreply.github.com>
---
 analyzemft/mft.py | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/analyzemft/mft.py b/analyzemft/mft.py
index f65f5e4..4058a93 100644
--- a/analyzemft/mft.py
+++ b/analyzemft/mft.py
@@ -385,22 +385,24 @@ def add_note(record, s):
 
 
 def decodeMFTHeader(record: Dict[str, Any], raw_record: bytes) -> None:
-
-    record['magic']       = struct.unpack("<I", raw_record[:4])[0]
-    record['upd_off']     = struct.unpack("<H", raw_record[4:6])[0]
-    record['upd_cnt']     = struct.unpack("<H", raw_record[6:8])[0]
-    record['lsn']         = struct.unpack("<d", raw_record[8:16])[0]
-    record['seq']         = struct.unpack("<H", raw_record[16:18])[0]
-    record['link']        = struct.unpack("<H", raw_record[18:20])[0]
-    record['attr_off']    = struct.unpack("<H", raw_record[20:22])[0]
-    record['flags']       = struct.unpack("<H", raw_record[22:24])[0]
-    record['size']        = struct.unpack("<I", raw_record[24:28])[0]
+    record['magic'] = struct.unpack("<I", raw_record[:4])[0]
+    record['upd_off'] = struct.unpack("<H", raw_record[4:6])[0]
+    record['upd_cnt'] = struct.unpack("<H", raw_record[6:8])[0]
+    record['lsn'] = struct.unpack("<q", raw_record[8:16])[0] 
+    record['seq'] = struct.unpack("<H", raw_record[16:18])[0]
+    record['link'] = struct.unpack("<H", raw_record[18:20])[0]
+    record['attr_off'] = struct.unpack("<H", raw_record[20:22])[0]
+    record['flags'] = struct.unpack("<H", raw_record[22:24])[0]
+    record['size'] = struct.unpack("<I", raw_record[24:28])[0]
     record['alloc_sizef'] = struct.unpack("<I", raw_record[28:32])[0]
-    record['base_ref']    = struct.unpack("<Lxx", raw_record[32:38])[0]
-    record['base_seq']    = struct.unpack("<H", raw_record[38:40])[0]
+    record['base_ref'] = struct.unpack("<q", raw_record[32:40])[0] 
     record['next_attrid'] = struct.unpack("<H", raw_record[40:42])[0]
-    record['f1']          = raw_record[42:44]  # Padding
-    record['recordnum']   = struct.unpack("<I", raw_record[44:48])[0]                         
+    record['f1'] = raw_record[42:44]  # Padding
+    record['recordnum'] = struct.unpack("<I", raw_record[44:48])[0]
+
+    # Convert unsigned integers to signed if necessary
+    if record['base_ref'] & 0x8000000000000000:
+        record['base_ref'] = -(~record['base_ref'] & 0xFFFFFFFFFFFFFFFF) - 1                        
 
 
 def decodeMFTmagic(record: Dict[str, Any]) -> str:
@@ -607,4 +609,4 @@ def decodeObjectID(s):
 def ObjectID(s: bytes) -> str:
     if s == b'\x00' * 16:
         return 'Undefined'
-    return f"{s[:4].hex()}-{s[4:6].hex()}-{s[6:8].hex()}-{s[8:10].hex()}-{s[10:16].hex()}"
\ No newline at end of file
+    return f"{s[:4].hex()}-{s[4:6].hex()}-{s[6:8].hex()}-{s[8:10].hex()}-{s[10:16].hex()}"