[File] [PATCH] Magdir/images unrecognized Ulead Pattern *.PST + Imaginfo thumbnail *.PE3 *.PE4
Jörg Jenderek
joerg.jen.der.ek at gmx.net
Wed Jul 20 00:26:19 UTC 2022
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
some days ago i send patch for Outlook email folder. These have file
name extension PST. For control reason i look for other files with
PST extension on my systems. These belong to software made by Ulead.
On my system images were part of CorelDraw Essentials 3 version
13.0.0.800.
When running file command (version 5.42) on such examples and other
Ulead images i get an output like:
1280 x 1024 Pixel.pst: data
160 x 120 Pixel.pst: data
Distortion1.pst: data
Vectorextrusion1.pst: data
IMAGEIIO-animals.PE3: data
IMAGEIIO-pcd.PE4: Ulead Photo Explorer5
IMAGEIIO-sky_snow.PE3: data
IMAGEIIO.PE4: Ulead Photo Explorer5
IMAGINFO-animals.PE3: OpenPGP Secret Key
IMAGINFO-business.PE4: data
IMAGINFO-plants.PE3: data
IMAGINFO-sky_snow.PE3: COM executable for DOS
IMAGINFO.PE4: data
For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). The PST examples are
described as "Ulead Pattern image" by pst-ulead.trid.xml. The
examples starting with IMAGINFO are described as "Ulead Imaginfo
thumbnail". When these examples have PE3 file name extension these
are described by additional "v3" phrase as version 3 by
pe3-imaginfo.trid.xml . When these examples have PE4 file name
extension these are described by additional "v4" phrase as version
4 by pe4-imaginfo.trid.xml.
The examples starting with IMAGEIIO are described as "Ulead
Imageiio/Imaginfo thumbnail". When these examples have PE3 file name
extension these are described by pe3.trid.xml.
When these examples have PE4 file name extension these are described
by pe4.trid.xml (See appended trid-v-ulead.txt.gz).
The last are described by file command as "Ulead Photo Explorer5"
The description happens inside Magdir/images by line like:
0 string IIO2H Ulead Photo Explorer5
The mentioned URL with jisyo.com site with view argument EXT=pe5
shows no real content any more. So i replace it with TrID definition
and page about Imageiio/imaginfo (Ulead) on file formats archive team
site. That is now expressed by comment lines like:
# URL: http://fileformats.archiveteam.org/
# wiki/Imageiio/imaginfo_(Ulead)
# Reference: http://mark0.net/download/triddefs_xml.7z/
# defs/p/pe4.trid.xml
And according to that information the starting magic is here
characteristic for version 4 variant with PE4 file name extension,
whereas the file command entry from Simon Horman refers to version 5
with PE5 file name extension. So this now becomes like:
0 string IIO2H Ulead Photo Explorer 4 or 5
!:mime image/x-ulead-pe4
!:ext pe4/pe5
Instead of generic application/octet-stream i display an user defined
one. The real file name is always IMAGEIIO.PE4 in different
directories. When i look in samples i see that most contain a jpeg
signature. So i search for that signature and then call sub routine
jpeg to describe apparently embeded JPEG thumbnail. This is done by
lines like:
>0x4c2 search/0xE02/s JFIF with JPEG image data
>>&-6 use jpeg
The version 3 variant start with similar magic mentioned on web site.
So this is now described by lines like:
0 string IIO1$ Ulead Photo Explorer 3
!:mime image/x-ulead-pe3
!:ext pe3
But here i found no JFIF signature. Maybe here thumbnail image is
stored in another image format. Here near the beginning a string is
stored which is the corresponding image directory or full name of
corresponding imaginfo.pe3 file like
"S:\PI3\PIMPACT3\PROGRAMS\PATTERNS\imaginfo.pe3". This start with
DOS/Windows drive letter (A-Z followed by colon and backslash
character) or network path (starting with two backslash characters
like in \\Lionking\). So that information is shown by lines like:
>5 search/192/s :\\
>>&-1 string x "%s"
>5 default x
>>5 search/192/s \x5c\x5c
>>>&0 string x "%s"
For each file starting with IMAGEIIO there exist in same directory a
companion file starting with IMAGINFO. These have no obvious magic
signature, but some bytes seem to be always the same according to
definition pe3-imaginfo.trid.xml generated by tridscan from samples.
So look for these byte sequences and finally do displaying by calling
sub routine ulead-imaginfo. This looks like:
11 string \001\0\0\0\0
>19 string \0\001\0\003\0
>>0 use ulead-imaginfo
For IMAGEIIO.PE4 examples described by pe4-imaginfo.trid.xml this
looks like:
11 string \001\0\0\0\0
>19 string \0\0\0\004\0
>>0 use ulead-imaginfo
The second byte sequence seems to be a version part. That
information is shown by sub routine ulead-imaginfo, which starts like
:
0 name ulead-imaginfo
>22 ubyte x Ulead Imaginfo thumbnail
!:mime image/x-ulead-imaginfo
>22 ubyte =3 \b, version 3
!:ext pe3
>22 ubyte =4 \b, version 4
!:ext pe4
Maybe that this looks other for version like 5 or newer. Instead of
generic application/octet-stream is display an user defined one.
Here also near the beginning a directory string is stored. So use
again step described as above. The difference is that here the
drive letter (A-Z 0X41-0x5a) must also be checked and the strings
are stored as pascal string with length information. So this looks
like:
>>4 search/192/s :\x5c
>>>&-1 ubyte >0x40
>>>>&-5 pstring/l >0 \b, "%s"
>>>&-1 default x
>>>>4 search/192/s \x5c\x5c
>>>>>&-4 pstring/l >0 \b, "%s"
>>4 default x
>>>4 search/192/s \x5c\x5c
>>>>&-4 pstring/l >0 \b, "%s"
Afterwards the image names without directory (like 003.JPG
NCARD4.TPL Img0001.pcd) and some additional information is stored.
So i look for point character before file name suffix and then show
the image file name extension. This is done by lines like:
>56 search/38/s .
>>&1 string x with %-.3s images
According to TrID definition Ulead PST examples start with same 4
byte magic. At offset 8 a string is stored like: BlendPresetInfo
DropShadowPresetInfo FileNewPresetInfo VectorExtrudePresetInfo
EnvelopePresetInfo ContourPresetInfo DistortionPresetInfo. So check
for shared phrase PresetInfo. This is done by lines like:
0 ubelong 0xFFFF0100
>8 search/21 PresetInfo Ulead pattern image
!:mime image/x-ulead-pst
!:ext pst
>>4 pstring/h x "%s"
After applying the above mentioned modifications by patch
file-5.42-images-ulead.diff and using Magdir/jpeg then all my Ulead
images are now identfied and described with more details. This now
looks like:
1280 x 1024 Pixel.pst: Ulead pattern image
"CFileNewPresetInfo"
160 x 120 Pixel.pst: Ulead pattern image
"CFileNewPresetInfo"
Distortion1.pst: Ulead pattern image
"CDistortionPresetInfo"
Vectorextrusion1.pst: Ulead pattern image
"CVectorExtrudePresetInfo"
IMAGEIIO-animals.PE3: Ulead Photo Explorer 3
"\\Lionking\upi\SAMPLES\IMAGES\ANIMALS\
imaginfo.pe3"
IMAGEIIO-pcd.PE4: Ulead Photo Explorer 4 or 5 with
JPEG image data, JFIF standard 1.00,
resolution (DPI), density 72x72,
segment length 16,
comment: "U-Lead Systems, Inc."
, baseline, precision 8, 96x64, components 3
IMAGEIIO-sky_snow.PE3: Ulead Photo Explorer 3
"T:\SAMPLES\TEXTURES\SKY_SNOW\IIOE371.TMP"
IMAGEIIO.PE4: Ulead Photo Explorer 4 or 5 with
JPEG image data, JFIF standard 1.00,
resolution (DPI), density 72x72,
segment length 16,
comment: "U-Lead Systems, Inc."
, baseline, precision 8, 128x85, components 3
IMAGINFO-business.PE4: Ulead Imaginfo thumbnail
, version 4,
"\\FSX\SYS\OPPS\IPE.ENG\TEMPLATE\BUSINESS"
with TPL images
IMAGINFO-plants.PE3: Ulead Imaginfo thumbnail
, version 3,
"C:\TEMP\PLANTS"
with JPG images
IMAGINFO-sky_snow.PE3: Ulead Imaginfo thumbnail
, version 3, "\\FSX\VOL2\PO\SAMPLES\TEXTURES\
SKY_SNOW"
with JPG images
IMAGINFO.PE4: Ulead Imaginfo thumbnail
, version 4,
"E:\iPE\CDSample\Images\PCD"
with pcd images
I hope my diff file can be applied in future version of file
utility.
The misidentification as "OpenPGP Secret Key" happen inside
Magdir\pgp-binary-keys by lines like:
0 ubyte =0xC5 OpenPGP Secret Key
0 ubyte&0xFC =0x94 OpenPGP Secret Key
So here only one byte is checked. Obviously this magic is not
strong enough. So additional test must be done before showing
message text.
The misidentification as "COM executable for DOS" happens also by
weak one byte pattern inside Magdir/msdos. I will try to improve
this in a future session.
With best wishes,
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCYtdLqgAKCRCv8rHJQhrU
1qcZAJ4nqZi8eXz1wiAh5MK8K3VP63zB8QCeP2QzNNuU33I/Gsvm5tvNJjMQ1dk=
=PezD
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-ulead.txt.gz
Type: application/x-gzip
Size: 791 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220720/1fa12a6a/attachment-0001.bin>
-------------- next part --------------
--- file-5.42/magic/Magdir/images.old 2022-05-22 00:50:17.000000000 +0200
+++ file-5.42/magic/Magdir/images 2022-07-20 02:00:20.189571500 +0200
@@ -2211,8 +2211,102 @@
>>0x53 uleshort x \b%d
+# From: Joerg Jenderek
+# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead)
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3.trid.xml
+# Note: called "Ulead Imageiio/Imaginfo thumbnail" by TrID
+0 string IIO1$ Ulead Photo Explorer 3
+#!:mime application/octet-stream
+!:mime image/x-ulead-pe3
+# IMAGEIIO.PE3
+!:ext pe3
+# look for DOS/Windows drive letter
+>5 search/192/s :\\
+# directory or full name of corresponding imaginfo.pe3 like: "T:\SAMPLES\TEXTURES\SKY_SNOW\IIOE371.TMP "S:\PI3\PIMPACT3\PROGRAMS\PATTERNS\imaginfo.pe3"
+>>&-1 string x "%s"
+# look for DOS/Windows network path if no drive letter part
+>5 default x
+>>5 search/192/s \x5c\x5c
+# full name of corresponding imaginfo.pe3 like: "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS\imaginfo.pe3"
+>>>&0 string x "%s"
# Type: Ulead Photo Explorer5 (.pe5)
-# URL: http://www.jisyo.com/cgibin/view.cgi?EXT=pe5 (Japanese)
+# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead)
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4.trid.xml
# From: Simon Horman <horms at debian.org>
-0 string IIO2H Ulead Photo Explorer5
+# Update: Joerg Jenderek
+# Note: some called "Ulead Imageiio/Imaginfo thumbnail" by TrID
+# and used in various Ulead applications
+0 string IIO2H Ulead Photo Explorer 4 or 5
+#!:mime application/octet-stream
+!:mime image/x-ulead-pe4
+# IMAGEIIO.PE4
+!:ext pe4/pe5
+# look in most samples for JPEG signature like: SAMPLES/IMAGES/SCENES/IMAGINFO.PE4
+>0x4c2 search/0xE02/s JFIF with JPEG image data
+>>&-6 use jpeg
+# near the end list of image names like: Img0001.pcd 1116012L.JPG NCARD4.TPL
+#
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3-imaginfo.trid.xml
+11 string \001\0\0\0\0
+# check for version 3 part
+>19 string \0\001\0\003\0
+>>0 use ulead-imaginfo
+# From: Joerg Jenderek
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4-imaginfo.trid.xml
+11 string \001\0\0\0\0
+# check for version 4 part
+>19 string \0\0\0\004\0
+>>0 use ulead-imaginfo
+# display information about Ulead Imaginfo thumbnail (version, directory, image extension)
+0 name ulead-imaginfo
+>22 ubyte x Ulead Imaginfo thumbnail
+#!:mime application/octet-stream
+!:mime image/x-ulead-imaginfo
+>22 ubyte =3 \b, version 3
+# IMAGINFO.PE3
+!:ext pe3
+>22 ubyte =4 \b, version 4
+# IMAGINFO.PE4
+!:ext pe4
+# MAYBE ALSO VERSION 5 ?
+#>22 ubyte =5 \b, version 5
+#!:ext pe5
+>22 ubyte x
+# look for DOS/Windows driver letter
+>>4 search/192/s :\x5c
+# skip f:\Programme\iPhoto Plus 4\Template\Business Cards\IMAGINFO.PE4
+# by looking for driver letter in range A-Z
+>>>&-1 ubyte >0x40
+# directory path like: "E:\iPE\CDSample\Images\Scenes" "D:\XmasCard\Samples" "C:\TEMP\PLANTS"
+>>>>&-5 pstring/l >0 \b, "%s"
+# look for DOS/Windows network path if no valid drive letter part
+>>>&-1 default x
+>>>>4 search/192/s \x5c\x5c
+# directory path like: "\\FSX\SYS\OPPS\IPE.ENG\TEMPLATE\BUSINESS" "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS"
+>>>>>&-4 pstring/l >0 \b, "%s"
+# look for DOS/Windows network path if no drive letter part
+>>4 default x
+>>>4 search/192/s \x5c\x5c
+# directory path like: "\\FSX\SYS\opps\ipe.eng\samples" "\\DANIEL\IPE_CD\IPE.ITA"
+>>>>&-4 pstring/l >0 \b, "%s"
+# look for point character inside image names
+>56 search/38/s .
+# image name extension like: bmp jpg pcd tpl
+>>&1 string x with %-.3s images
+# Summary: Ulead Pattern image (Corel Corporation)
+# URL: https://en.wikipedia.org/wiki/Ulead_Systems
+# https://www.file-extensions.org/pst-file-extension-ulead-pattern-image-format
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst-ulead.trid.xml
+# From: Joerg Jenderek
+# Note: used also by CorelDraw Essentials 3 version 13.0.0.800
+# there seems to exist other versions
+0 ubelong 0xFFFF0100
+>8 search/21 PresetInfo Ulead pattern image
+#!:mime application/octet-stream
+!:mime image/x-ulead-pst
+!:ext pst
+# string length like: 16 18 19 21 24
+#>>4 uleshort x n=%u
+# like: BlendPresetInfo DropShadowPresetInfo FileNewPresetInfo VectorExtrudePresetInfo EnvelopePresetInfo ContourPresetInfo DistortionPresetInfo
+>>4 pstring/h x "%s"
# Type: X11 cursor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.42-images-ulead.diff.sig
Type: application/octet-stream
Size: 1915 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220720/1fa12a6a/attachment-0001.obj>
More information about the File
mailing list