Topic: dpt-bootice.trid.xml for Disk Partition Table backup by BOOTICE *dpt

jenderek

Hello trid users,

some days ago I used a utility called BOOTICE to manipulate (install,
backup, restore) the MBR and PBR of disks. After selecting the
destination disk and menu entry "Parts Manage" the software can back up
partition tables. The disk partition tables are saved in a format with
file name extension DPT. These are described by TrID as "Unknown!"
(See appended output/trid.txt).

For me the author's web site www.ipauly.com was not reachable. There
exists a website bootice.org dated about 2020, but it is only in
Chinese language and it contains only a short description about the
software. A reliable description and download link is available on
the MajorGeeks web site. This is expressed inside the TrID definition
by a line like:
   <RefURL>
   https://www.majorgeeks.com/files/details/bootice_64_bit.html
   </RefURL>

So I ran tridscan on these samples and got a TrID definition file
dpt-bootice.trid.xml. All DPT samples start with a typical text phrase.
That is expressed by an XML pattern block like:
   <Bytes>44505420425920424F4F544943450000</Bytes>
   <ASCII> D P T   B Y   B O O T I C E</ASCII>
   <Pos>0</Pos>

Afterwards a 3 letter abbreviation like HD0 or RM9 for the selected
drive is stored. This is followed by a colon sign. That is expressed
by XML construct like:
   <Bytes>3A20</Bytes>
   <ASCII> :</ASCII>
   <Pos>19</Pos>

Afterwards a hard disk describing text starting with words like
"Generic-USB", "VBOX HARDDISK" is stored. That is followed by disk
size and used drive letters inside parentheses. That seems to be
filled with null bytes until the 0x50 border. That is expressed by an
XML construct like:
   <Bytes>000000000000000000000000000000</Bytes>
   <Pos>65</Pos>

At offset 0x50 the date is stored as point separated string like
"02.11.2020 ". That is expressed by XML constructs like:
   <Pattern>
      <Bytes>2E</Bytes>
      <Pos>82</Pos>
   </Pattern>
   <Pattern>
      <Bytes>2E</Bytes>
      <Pos>85</Pos>
   </Pattern>
   <Pattern>
      <Bytes>20</Bytes>
      <Pos>90</Pos>
   </Pattern>

Afterwards the time is stored as a colon separated text string like
11:32:35. That is expressed by XML constructs like:
   <Pattern>
      <Bytes>3A</Bytes>
      <ASCII> :</ASCII>
      <Pos>93</Pos>
   </Pattern>
   <Pattern>
      <Bytes>3A</Bytes>
      <ASCII> :</ASCII>
      <Pos>96</Pos>
   </Pattern>

Afterwards until the 0x110 border the bytes seem to be nil with one
exception. At 0x72 the byte value is 0x02. That is expressed by an XML
construct like:
   <Pattern>
      <Bytes>0000000000000000000000000000020000</Bytes>
      <Pos>99</Pos>
   </Pattern>

At that offset the master boot record (MBR) itself is stored. It is
identified by mbr-dump.trid.xml and is stored as pure binary. So
intermediate null patterns at offset 716 are triggered by lucky
instances, and I deleted such patterns. The characteristic 2 end bytes
of a boot sector are described by an XML construct like:
   <Pattern>
      <Bytes>55AA</Bytes>
      <ASCII> U</ASCII>
      <Pos>782</Pos>
   </Pattern>

After the stored MBR comes a 16 byte structure mainly containing null
bytes. That is expressed by an XML construct like:
   <Pattern>
      <Bytes>0000000000000000000000000000</Bytes>
      <Pos>786</Pos>
   </Pattern>

With the new definition the undetected Disk Partition Table examples
are now described (see appended output/trid-new-v.txt). The TrID
definition, some examples and output are stored in archive dpt.zip. I
hope that my XML file can be used in a future version of triddefs.

With best wishes
Jörg Jenderek

Mark0

Re: dpt-bootice.trid.xml for Disk Partition Table backup by BOOTICE *dpt
« Reply #1 on: November 02, 2020, 05:50:12 PM »
Thanks for the new def!
I think the first pattern should probably suffice. Will check!
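
The layout described in the first post, as an added Python example that is not part of the thread or of TrID: it checks the fixed-offset fields of a DPT backup and lists the partition entries of the embedded MBR. The function names, the sample drive description text and the sample partition values are constructed for illustration; the standard MBR partition table position (offset 446 within the sector) is assumed to apply to the copy stored at 0x110.

```python
import re
import struct

MAGIC = b"DPT BY BOOTICE\x00\x00"   # 16-byte pattern at Pos 0 in the post
MBR_OFFSET = 0x110                   # stored MBR starts here per the post
STAMP_RE = re.compile(rb"\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d")

def build_sample():
    """Constructed sample following the described layout (not a real backup)."""
    buf = bytearray(800)
    buf[0:16] = MAGIC
    buf[16:21] = b"HD0: "                       # drive abbreviation, colon, space
    desc = b"VBOX HARDDISK (8.0 GB, C:)"        # constructed description text
    buf[21:21 + len(desc)] = desc
    buf[0x50:0x50 + 19] = b"02.11.2020 11:32:35"
    # One constructed partition entry: bootable, type 0x07, LBA 2048.
    struct.pack_into("<B3sB3sII", buf, MBR_OFFSET + 446,
                     0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 16775168)
    buf[MBR_OFFSET + 510:MBR_OFFSET + 512] = b"\x55\xAA"
    return bytes(buf)

def inspect_dpt(data):
    """Check each fixed-offset field; short or foreign input yields False/None."""
    result = {"magic": data[:16] == MAGIC}
    has_colon = data[19:21] == b": "
    result["drive"] = data[16:19].decode("ascii", "replace") if has_colon else None
    stamp = data[0x50:0x50 + 19]
    result["timestamp"] = stamp.decode("ascii") if STAMP_RE.fullmatch(stamp) else None
    mbr = data[MBR_OFFSET:MBR_OFFSET + 512]
    result["mbr_signature"] = len(mbr) == 512 and mbr[510:512] == b"\x55\xAA"
    result["is_dpt"] = all([result["magic"], result["drive"],
                            result["timestamp"], result["mbr_signature"]])
    return result

def partitions(data):
    """Return (index, type, start_lba, sectors, bootable) for used MBR slots."""
    mbr = data[MBR_OFFSET:MBR_OFFSET + 512]
    if len(mbr) < 512:
        return []
    found = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:                              # type 0x00 marks an empty slot
            found.append((i, entry[4], lba, count, entry[0] == 0x80))
    return found

if __name__ == "__main__":
    sample = build_sample()
    print(inspect_dpt(sample), partitions(sample))
```
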