[File] [PATCH] Magdir/images Microsoft Paint image *.MSP without M, mime type and extension

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sun Nov 27 01:49:46 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

some days ago i read an interesting article in German computer
magazine c't in number 24 from 2022. There was described the
efforts and methods of Microsoft to protect their system.
Unfortunately Microsoft is non-transparent like FIFA and do not
exactly explain why something is happing. Luckily in the article 39
file name suffix are listed which considered to be potential
dangerous. One extension is MSP.

So i look on my Systems for such files. One part are Microsoft
Windows Installer Patch. These are described by file command.
The other part are graphic images.  When running file command
version 5.43 on such MSP graphic images and related files i get an
output like:

EAGLE.MSP:    icrosoft Paint image data (version 1.x) (576 x 720)
FLAG_B24.MSP: Microsoft Paint image data (version 2.0) (128 x 124)
MARBLES.MSP:  icrosoft Paint image data (version 1.x) (1419 x 1001)
MARBLES.png:  PNG image data, 1419 x 1001, 1-bit colormap
PIRATE.MSP:   icrosoft Paint image data (version 1.x) (576 x 720)
WHT.MSP:      Microsoft Paint image data (version 2.0) (208 x 144)
WHT.png:      PNG image data, 208 x 144, 1-bit colormap

With option --extension only 3 byte sequence ??? is shown and with -i
option only generic application/octet-stream is shown.

For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). All such MSP
described as "Microsoft Paint bitmap". The samples that are
described by file command by additional phrase "(version 2.0)" are
described by additional phrase "(V2)" via definition
bitmap-msp-v2.trid.xml. The other MSP samples are described by
additional phrase "(V1)" via definition bitmap-msp-v1.trid.xml (See
appended trid-v-msp.txt.gz).

For comparison reason i also run the file format identification
utility DROID ( See https://sourceforge.net/projects/droid/). This
identifies all examples as "Microsoft Paint" and file suffix MSP.
The V2 variant is here labelled as version 2 by fmt/912 and the V1
variant is labelled as version 1 by PUID x-fmt/214 (See appended
droid-msp.csv.gz).

Luckily with information given by the other tools i also found a
page about MSP (Microsoft Paint) on file formats archive team web
site. There also links for samples and references are listed.
That informations are expressed by comment lines inside Magdir/images
like:
# URL: 		http://fileformats.archiveteam.org
#		/wiki/MSP_(Microsoft_Paint)
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/b/bitmap-msp-v1.trid.xml
#		defs/b/bitmap-msp-v2.trid.xml

On that site download links for examples and graphic tools are
mentioned. I verified information by XnView command line tool
nconvert (See appended nconvert-msp.txt.gz), decoding tool deark (See
appended deark-msp.txt.gz) and RECOIL graphic converter by command
lines like:
	deark -l -d3 MARBLES.MSP
	nconvert -info *.MSP
	recoil2png -o MARBLES.png MARBLES.MSP; file MARBLES.png
As described on web site the Xnview tool can not open version 1
variant, but shows thumbnail images. For version 2 it works as
expected.

The description happens inside Magdir/images by lines like:
 0	string	DanM 	icrosoft Paint image data (version 1.x)
 0	string	LinS 	Microsoft Paint image data (version 2.0)
Obviously the M character of Microsoft is missing for version 1
variant.

To shown also the file name suffix and an user defined mime type
instead of generic application/octet-stream this now becomes like:
 0	string	DanM 	Microsoft Paint image data (version 1.x)
 !:mime	image/x-ms-msp
 !:ext	msp
 0	string	LinS 	Microsoft Paint image data (version 2.0)
 !:mime	image/x-ms-msp
 !:ext	msp
Afterwards the image dimension were printed by additional lines like:
 >4	uleshort	x	(%d
 >>6	uleshort	x	x %d)

For completeness i call afterwards an new sub routine that display
display more information about Microsoft Paint image. That looks like
:
 0	name		image-msp
 >8	uleshort	x	\b, ascpect %u
 >10	uleshort	x	x %u
 >12	uleshort	x	(printer %u
 >14	uleshort	x	x %u)
 >16	uleshort	x	\b, PrinterWidth %u
 >18	uleshort	x	\b, PrinterHeight %u
 >20	uleshort	!0	\b, XAspectCorr %u
 >22	uleshort	!0	\b, YAspectCorr %u
 >24	uleshort	x	\b, checksum %#x
 >26	belong		!0	\b, padding %#8.8x
 >>30	beshort		x	\b%4.4x

After applying the above mentioned modifications by patch
file-5.43-images-msp.diff then all my inspected MPS graphics are
now described with correct full name. When also using new sub
routine image-msp then more details are shown. This then looks like:

EAGLE.MSP:    Microsoft Paint image data (version 1.x) (576 x 720)
	      , ascpect 1 x 1 (printer 1 x 1)
	      , PrinterWidth 576, PrinterHeight 720
	      , checksum 0x2c2a
FLAG_B24.MSP: Microsoft Paint image data (version 2.0) (128 x 124)
	      , ascpect 124 x 124 (printer 124 x 124)
	      , PrinterWidth 124, PrinterHeight 124
	      , checksum 0x3ade
MARBLES.MSP:  Microsoft Paint image data (version 1.x) (1419 x 1001)
	      , ascpect 1419 x 1001 (printer 1419 x 1001)
	      , PrinterWidth 1419, PrinterHeight 1001
	      , checksum 0x2c2a
MARBLES.png:  PNG image data, 1419 x 1001, 1-bit colormap
PIRATE.MSP:   Microsoft Paint image data (version 1.x) (576 x 720)
	      , ascpect 1 x 1 (printer 1 x 1)
	      , PrinterWidth 576, PrinterHeight 720
	      , checksum 0x2c2a
WHT.MSP:      Microsoft Paint image data (version 2.0) (208 x 144)
	      , ascpect 200 x 144 (printer 200 x 144)
	      , PrinterWidth 200, PrinterHeight 144
	      , checksum 0x3a3a
WHT.png:      PNG image data, 208 x 144, 1-bit colormap

I hope my diff file can be applied in future version of file
utility. In the send variant i deactivate the sub routine because i
got no real bargain.

With best wishes,
Jörg Jenderek
- --
Jörg Jenderek



-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCY4LCOgAKCRCv8rHJQhrU
1khYAJ0dInggBlylr/wxVXqXOxN5h++4GwCeI4xeZV/BxPmEAd6rm6vEJ27vWU4=
=Otg3
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: deark-msp.txt.gz
Type: application/x-gzip
Size: 3061 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221127/af1a7c8f/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nconvert-msp.txt.gz
Type: application/x-gzip
Size: 480 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221127/af1a7c8f/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-msp.txt.gz
Type: application/x-gzip
Size: 497 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221127/af1a7c8f/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: droid-msp.csv.gz
Type: application/x-gzip
Size: 457 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221127/af1a7c8f/attachment-0007.bin>
-------------- next part --------------
--- file-5.43/magic/Magdir/images.old	2022-09-13 20:05:39.000000000 +0200
+++ file-5.43/magic/Magdir/images	2022-11-27 02:39:32.149279000 +0100
@@ -3400,8 +3400,50 @@
 # http://www.fileformat.info/format/mspaint/egff.htm
-0	string	DanM 	icrosoft Paint image data (version 1.x)
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-msp-v1.trid.xml
+# URL: 		http://fileformats.archiveteam.org/wiki/MSP_(Microsoft_Paint)
+# Update:	Joerg Jenderek
+# Note:		called "Microsoft Paint bitmap (V1)" by TrID and
+#		"Microsoft Paint" by XnView partly `nconvert -fullinfo *.MSP` and
+#		"MS Paint v1" by `deark -l -d2 MARBLES.MSP` and 
+#		verified by RECOIL `recoil2png -o MARBLES.png MARBLES.MSP; file MARBLES.png`
+0	string	DanM 	Microsoft Paint image data (version 1.x)
+#!:mime	application/octet-stream
+!:mime	image/x-ms-msp
+!:ext	msp
 >4	uleshort	x	(%d
 >>6	uleshort	x	x %d)
+#>0		use		image-msp
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-msp-v2.trid.xml
+# Note:		called "Microsoft Paint bitmap (V2)" by TrID and
+#		"Microsoft Paint" by XnView partly `nconvert -fullinfo *.msp` and
+#		"MS Paint v2" by `deark -l -d2 FLAG_B24.MSP`
 0	string	LinS 	Microsoft Paint image data (version 2.0)
+#!:mime	application/octet-stream
+!:mime	image/x-ms-msp
+!:ext	msp
 >4	uleshort	x	(%d
 >>6	uleshort	x	x %d)
+#>0		use		image-msp
+#	display more information about Microsoft Paint image 
+# 0	name		image-msp
+# # XARBitmap; X Aspect ratio of the bitmap like: 11 96 or image SIZE
+# >8	uleshort	x	\b, ascpect %u
+# # YARBitmap; Y Aspect ratio of the bit map like: 16 72 or image SIZE
+# >10	uleshort	x	x %u
+# # XARPrinter; X Aspect ratio of the printer like: 150 300 or image SIZE
+# >12	uleshort	x	(printer %u
+# # YARPrinter; Y Aspect ratio of the printer like: 150 300 or image SIZE
+# >14	uleshort	x	x %u)
+# # PrinterWidth; width of the printer in pixels
+# >16	uleshort	x	\b, PrinterWidth %u
+# # PrinterHeight; height of the printer in pixels
+# >18	uleshort	x	\b, PrinterHeight %u
+# # XAspectCorr; X aspect correction (unused=0)
+# >20	uleshort	!0	\b, XAspectCorr %u
+# # YAspectCorr; Y aspect correction (unused=0)
+# >22	uleshort	!0	\b, YAspectCorr %u
+# # checksum; checksum of previous 24 bytes
+# >24	uleshort	x	\b, checksum %#x
+# # padding[3]; unused padding; often 0
+# >26	belong		!0	\b, padding %#8.8x
+# >>30	beshort		x	\b%4.4x
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-images-msp.diff.sig
Type: application/octet-stream
Size: 1090 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221127/af1a7c8f/attachment-0001.obj>


More information about the File mailing list