Mark0's Forum
		Software => TrID File Identifier => Topic started by: jenderek on March 27, 2020, 02:02:37 PM
		
			
			- 
				Hello trid users,
 
 some days ago i handled some non Microsoft Office documents. When running
 TrID on samples with file name extension PMD, PMV inspected examples are only
 described as "Generic OLE2 / Multistream Compound File" by docfile.trid.xml or
 are misidentified as "Windows Movie Maker project" by mswmm.trid.xml.
 (See appended output/trid-v-old.txt).
 
 For comparison reason i also run other file identifying tools.  The newest
 file(1) command identifies most samples as "PlanMaker document or template" (See
 appended output/file-new.txt).
 
 So i run tridscan to generate Trid definition for PlanMaker documents.
 
 Some information about SoftMaker Plan maker is found on Wikipedia.
 That is expressed by reference URL line:
 <RefURL>https://en.wikipedia.org/wiki/SoftMaker</RefURL>
 
 According to http://extension.nirsoft.net such PlanMaker documents get their
 own mime type. That is expressed by line:
 <Mime>application/vnd.softmaker.planmaker</Mime>
 
 The filename extension PMD is used for the PlanMaker documents and the PMV
 extension is used for the templates. So i mention this fact in remark line
 and this also expressed by line:
 <Ext>PMD/PMV</Ext>
 
 Then i start to refine the trid definition file to get same structure as for
 other SoftMaker trid definitions like prd-sm.trid.xml. So i name definition
 file pmd-sm.trid.xml. The PlanMaker program can save the documents in
 Microsoft Excel Format. I can also save documents in it's own file format.
 The newer formats are ZIP based and use pmdx and pmvx. The older formats with
 pmd and pmv extension are OLE2 compound files and are called "Planmaker
 2010" and "Planmaker 2010". So i choose a corresponding description. That is
 expressed by line:
 <FileType>
 SoftMaker PlanMaker Document or template (2010-2012)
 </FileType>
 
 The first pattern is characteristic for OLE2 Multistream compound files and
 is expressed by XML construct:
 <Pattern>
 <Bytes>D0CF11E0A1B11AE1</Bytes>
 <Pos>0</Pos>
 </Pattern>
 
 At offset 28 a short byte order identifier is stored. The hexadecimal value
 FFFE means big endian format. That only occurs in ancient files from
 Macintosh computers, but since Apple switched to Intel CPU architecture file
 formats with this signature are not found in newer files. So i assume that
 for PlanMaker 2010 and 2012 always little endian format is used. That is
 expressed by XML construct:
 <Pattern>
 <Bytes>FEFF</Bytes>
 <Pos>28</Pos>
 </Pattern>
 
 Furthermore i remove accident patterns at higher offsets. I also remove in
 global strings section garbage lines or lines referring to used fonts like:
 <String>K')'3</String>
 <String>A'T'I'M'E'S' 'N'E'W' 'R'O'M'A'N</String>
 <String>A'R'I'A'L'1</String>
 
 
 For OLE2 based files no reference URL type is shown by docfile.trid.xml. So
 i add the following line:
 <RefURL>
 https://en.wikipedia.org/wiki/Compound_File_Binary_Format
 </RefURL>
 
 According to web site reposcope.com such files have their own mime
 type. That is now expressed by line:
 <Mime>application/x-ole-storage</Mime>
 
 With the trid definition for PlanMaker and the updated definition now the
 unrecognized PlanMaker Documents are detected and definitions now have
 reference URL and mime type. ( See appended output/trid-v-new.txt).
 
 The TrID definitions, output and some examples stored in archive
 pmd_pmv.zip. I hope that my 2 XML files can be used in future version of
 triddefs.
 
 With best wishes
 Jörg Jenderek
 
 
- 
				Thanks Jörg!