[File] [PATCH] Magdir/images unrecognized Ulead Pattern *.PST + Imaginfo thumbnail *.PE3 *.PE4
Christos Zoulas
christos at zoulas.com
Sun Jul 24 23:50:02 UTC 2022
Committed, thanks!
christos
> On Jul 19, 2022, at 8:26 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
>
> Hello,
>
> some days ago I sent a patch for Outlook email folders. These have the
> file name extension PST. For control reasons I looked for other files
> with the PST extension on my systems. These belong to software made by
> Ulead. On my system the images were part of CorelDraw Essentials 3
> version 13.0.0.800.
>
> When running the file command (version 5.42) on such examples and other
> Ulead images I get output like:
>
> 1280 x 1024 Pixel.pst: data
> 160 x 120 Pixel.pst: data
> Distortion1.pst: data
> Vectorextrusion1.pst: data
> IMAGEIIO-animals.PE3: data
> IMAGEIIO-pcd.PE4: Ulead Photo Explorer5
> IMAGEIIO-sky_snow.PE3: data
> IMAGEIIO.PE4: Ulead Photo Explorer5
> IMAGINFO-animals.PE3: OpenPGP Secret Key
> IMAGINFO-business.PE4: data
> IMAGINFO-plants.PE3: data
> IMAGINFO-sky_snow.PE3: COM executable for DOS
> IMAGINFO.PE4: data
>
> For comparison I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). The PST examples are
> described as "Ulead Pattern image" by pst-ulead.trid.xml. The
> examples starting with IMAGINFO are described as "Ulead Imaginfo
> thumbnail". When these examples have the PE3 file name extension they
> are described with an additional "v3" phrase as version 3 by
> pe3-imaginfo.trid.xml. When these examples have the PE4 file name
> extension they are described with an additional "v4" phrase as version
> 4 by pe4-imaginfo.trid.xml.
>
> The examples starting with IMAGEIIO are described as "Ulead
> Imageiio/Imaginfo thumbnail". When these examples have the PE3 file name
> extension they are described by pe3.trid.xml.
> When these examples have the PE4 file name extension they are described
> by pe4.trid.xml (see appended trid-v-ulead.txt.gz).
> The latter are described by the file command as "Ulead Photo Explorer5".
>
> The description happens inside Magdir/images by a line like:
> 0 string IIO2H Ulead Photo Explorer5
>
> The mentioned URL on the jisyo.com site with view argument EXT=pe5
> shows no real content any more. So I replaced it with the TrID definition
> and the page about Imageiio/imaginfo (Ulead) on the file formats archive
> team site. That is now expressed by comment lines like:
>
> # URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead)
> # Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4.trid.xml
>
> And according to that information the starting magic here is
> characteristic for the version 4 variant with the PE4 file name extension,
> whereas the file command entry from Simon Horman refers to version 5
> with the PE5 file name extension. So this now becomes like:
> 0 string IIO2H Ulead Photo Explorer 4 or 5
> !:mime image/x-ulead-pe4
> !:ext pe4/pe5
> Instead of the generic application/octet-stream I display a user-defined
> one. The real file name is always IMAGEIIO.PE4 in different
> directories. When I look in the samples I see that most contain a JPEG
> signature. So I search for that signature and then call subroutine
> jpeg to describe the apparently embedded JPEG thumbnail. This is done by
> lines like:
> >0x4c2 search/0xE02/s JFIF with JPEG image data
> >>&-6 use jpeg
>
> The version 3 variant starts with a similar magic mentioned on the web site.
> So this is now described by lines like:
> 0 string IIO1$ Ulead Photo Explorer 3
> !:mime image/x-ulead-pe3
> !:ext pe3
>
> But here I found no JFIF signature. Maybe here the thumbnail image is
> stored in another image format. Here near the beginning a string is
> stored which is the corresponding image directory or full name of the
> corresponding imaginfo.pe3 file like
> "S:\PI3\PIMPACT3\PROGRAMS\PATTERNS\imaginfo.pe3". This starts with a
> DOS/Windows drive letter (A-Z followed by colon and backslash
> character) or a network path (starting with two backslash characters
> like in \\Lionking\). So that information is shown by lines like:
> >5 search/192/s :\\
> >>&-1 string x "%s"
> >5 default x
> >>5 search/192/s \x5c\x5c
> >>>&0 string x "%s"
>
> For each file starting with IMAGEIIO there exists in the same directory a
> companion file starting with IMAGINFO. These have no obvious magic
> signature, but some bytes seem to be always the same according to the
> definition pe3-imaginfo.trid.xml generated by tridscan from samples.
> So I look for these byte sequences and finally do the displaying by calling
> subroutine ulead-imaginfo. This looks like:
> 11 string \001\0\0\0\0
> >19 string \0\001\0\003\0
> >>0 use ulead-imaginfo
> For IMAGEIIO.PE4 examples described by pe4-imaginfo.trid.xml this
> looks like:
> 11 string \001\0\0\0\0
> >19 string \0\0\0\004\0
> >>0 use ulead-imaginfo
>
> The second byte sequence seems to be a version part. That
> information is shown by subroutine ulead-imaginfo, which starts like:
>
> 0 name ulead-imaginfo
> >22 ubyte x Ulead Imaginfo thumbnail
> !:mime image/x-ulead-imaginfo
> >22 ubyte =3 \b, version 3
> !:ext pe3
> >22 ubyte =4 \b, version 4
> !:ext pe4
> Maybe this looks different for versions like 5 or newer. Instead of the
> generic application/octet-stream I display a user-defined one.
>
> Here also near the beginning a directory string is stored. So I use
> again the step described above. The difference is that here the
> drive letter (A-Z, 0x41-0x5a) must also be checked and the strings
> are stored as Pascal strings with length information. So this looks
> like:
>
> >>4 search/192/s :\x5c
> >>>&-1 ubyte >0x40
> >>>>&-5 pstring/l >0 \b, "%s"
> >>>&-1 default x
> >>>>4 search/192/s \x5c\x5c
> >>>>>&-4 pstring/l >0 \b, "%s"
> >>4 default x
> >>>4 search/192/s \x5c\x5c
> >>>>&-4 pstring/l >0 \b, "%s"
>
> Afterwards the image names without directory (like 003.JPG
> NCARD4.TPL Img0001.pcd) and some additional information are stored.
> So I look for the point character before the file name suffix and then
> show the image file name extension. This is done by lines like:
> >56 search/38/s .
> >>&1 string x with %-.3s images
>
> According to the TrID definition Ulead PST examples start with the same 4
> byte magic. At offset 8 a string is stored like: BlendPresetInfo
> DropShadowPresetInfo FileNewPresetInfo VectorExtrudePresetInfo
> EnvelopePresetInfo ContourPresetInfo DistortionPresetInfo. So I check
> for the shared phrase PresetInfo. This is done by lines like:
> 0 ubelong 0xFFFF0100
> >8 search/21 PresetInfo Ulead pattern image
> !:mime image/x-ulead-pst
> !:ext pst
> >>4 pstring/h x "%s"
>
>
> After applying the above mentioned modifications by patch
> file-5.42-images-ulead.diff and using Magdir/jpeg, all my Ulead
> images are now identified and described with more details. This now
> looks like:
> 1280 x 1024 Pixel.pst: Ulead pattern image
> "CFileNewPresetInfo"
> 160 x 120 Pixel.pst: Ulead pattern image
> "CFileNewPresetInfo"
> Distortion1.pst: Ulead pattern image
> "CDistortionPresetInfo"
> Vectorextrusion1.pst: Ulead pattern image
> "CVectorExtrudePresetInfo"
> IMAGEIIO-animals.PE3: Ulead Photo Explorer 3
> "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS\
> imaginfo.pe3"
> IMAGEIIO-pcd.PE4: Ulead Photo Explorer 4 or 5 with
> JPEG image data, JFIF standard 1.00,
> resolution (DPI), density 72x72,
> segment length 16,
> comment: "U-Lead Systems, Inc."
> , baseline, precision 8, 96x64, components 3
> IMAGEIIO-sky_snow.PE3: Ulead Photo Explorer 3
> "T:\SAMPLES\TEXTURES\SKY_SNOW\IIOE371.TMP"
> IMAGEIIO.PE4: Ulead Photo Explorer 4 or 5 with
> JPEG image data, JFIF standard 1.00,
> resolution (DPI), density 72x72,
> segment length 16,
> comment: "U-Lead Systems, Inc."
> , baseline, precision 8, 128x85, components 3
> IMAGINFO-business.PE4: Ulead Imaginfo thumbnail
> , version 4,
> "\\FSX\SYS\OPPS\IPE.ENG\TEMPLATE\BUSINESS"
> with TPL images
> IMAGINFO-plants.PE3: Ulead Imaginfo thumbnail
> , version 3,
> "C:\TEMP\PLANTS"
> with JPG images
> IMAGINFO-sky_snow.PE3: Ulead Imaginfo thumbnail
> , version 3, "\\FSX\VOL2\PO\SAMPLES\TEXTURES\
> SKY_SNOW"
> with JPG images
> IMAGINFO.PE4: Ulead Imaginfo thumbnail
> , version 4,
> "E:\iPE\CDSample\Images\PCD"
> with pcd images
>
> I hope my diff file can be applied in a future version of the file
> utility.
>
> The misidentification as "OpenPGP Secret Key" happens inside
> Magdir\pgp-binary-keys by lines like:
> 0 ubyte =0xC5 OpenPGP Secret Key
> 0 ubyte&0xFC =0x94 OpenPGP Secret Key
> So here only one byte is checked. Obviously this magic is not
> strong enough. So additional tests must be done before showing the
> message text.
>
> The misidentification as "COM executable for DOS" also happens by a
> weak one byte pattern inside Magdir/msdos. I will try to improve
> this in a future session.
>
> With best wishes,
> Jörg Jenderek
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
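
The following is an added example, not part of the quoted message or of the file(1) sources: it transcribes the byte checks quoted above into Python to show why the one-byte OpenPGP test also fires on non-PGP data while the multi-offset Ulead checks stay specific. The function names, the sample buffers and the first byte 0x95 are constructed for illustration, and `search/21` is approximated as "match starts within 21 bytes of offset 8".

```python
# Added example: byte checks transcribed from the magic rules quoted above.
import struct

def weak_pgp_rule(data: bytes) -> bool:
    """The one-byte pgp-binary-keys tests quoted in the message."""
    return len(data) > 0 and (data[0] == 0xC5 or (data[0] & 0xFC) == 0x94)

def identify_ulead(data: bytes):
    """Return a description per the multi-byte rules in the message, else None."""
    if data.startswith(b"IIO2H"):
        return "Ulead Photo Explorer 4 or 5"
    if data.startswith(b"IIO1$"):
        return "Ulead Photo Explorer 3"
    # Imaginfo: fixed bytes at offset 11, version sequence at offset 19.
    if data[11:16] == b"\x01\0\0\0\0":
        if data[19:24] in (b"\0\x01\0\x03\0", b"\0\0\0\x04\0"):
            return f"Ulead Imaginfo thumbnail, version {data[22]}"
    # Pattern image: ubelong 0xFFFF0100, then "PresetInfo" starting
    # within 21 bytes of offset 8 (approximation of search/21).
    if data[:4] == b"\xff\xff\x01\x00":
        pos = data.find(b"PresetInfo", 8)
        if 8 <= pos < 8 + 21:
            return "Ulead pattern image"
    return None

def build_imaginfo(first_byte: int, version: int) -> bytes:
    """Constructed sample, not a real Ulead file: only checked offsets are set."""
    buf = bytearray(64)
    buf[0] = first_byte
    buf[11:16] = b"\x01\0\0\0\0"
    buf[19:24] = b"\0\x01\0\x03\0" if version == 3 else b"\0\0\0\x04\0"
    return bytes(buf)

def build_pst(name: bytes) -> bytes:
    """Constructed sample: magic, 2-byte little-endian length, class name."""
    return b"\xff\xff\x01\x00" + struct.pack("<H", len(name)) + name

if __name__ == "__main__":
    sample = build_imaginfo(0x95, 3)          # 0x95 & 0xFC == 0x94
    print(weak_pgp_rule(sample), identify_ulead(sample))
    print(identify_ulead(build_pst(b"CDistortionPresetInfo")))
    noise = b"\x95" + bytes(63)               # arbitrary non-PGP, non-Ulead data
    print(weak_pgp_rule(noise), identify_ulead(noise))
```

Any buffer whose first byte is 0xC5 or 0x94 to 0x97 satisfies the one-byte rule, which is why a type label of "OpenPGP Secret Key" from such a rule should not be treated as evidence of key material without further structural checks.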