Author Topic: updated docfile.trid.xml + pmd-sm.trid.xml for SoftMaker PlanMaker; *.pmd *.pmv  (Read 3310 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 375
Hello trid users,

some days ago i handled some non Microsoft Office documents. When running
TrID on samples with file name extension PMD, PMV inspected examples are only
described as "Generic OLE2 / Multistream Compound File" by docfile.trid.xml or
are misidentified as "Windows Movie Maker project" by mswmm.trid.xml.
(See appended output/trid-v-old.txt).

For comparison reason i also run other file identifying tools.  The newest
file(1) command identifies most samples as "PlanMaker document or template" (See
appended output/file-new.txt).

So i run tridscan to generate Trid definition for PlanMaker documents.

Some information about SoftMaker Plan maker is found on Wikipedia.
That is expressed by reference URL line:
   <RefURL>https://en.wikipedia.org/wiki/SoftMaker</RefURL>

According to http://extension.nirsoft.net such PlanMaker documents get their
own mime type. That is expressed by line:
   <Mime>application/vnd.softmaker.planmaker</Mime>

The filename extension PMD is used for the PlanMaker documents and the PMV
extension is used for the templates. So i mention this fact in remark line
and this also expressed by line:
   <Ext>PMD/PMV</Ext>

Then i start to refine the trid definition file to get same structure as for
other SoftMaker trid definitions like prd-sm.trid.xml. So i name definition
file pmd-sm.trid.xml. The PlanMaker program can save the documents in
Microsoft Excel Format. I can also save documents in it's own file format.
The newer formats are ZIP based and use pmdx and pmvx. The older formats with
pmd and pmv extension are OLE2 compound files and are called "Planmaker
2010" and "Planmaker 2010". So i choose a corresponding description. That is
expressed by line:
   <FileType>
   SoftMaker PlanMaker Document or template (2010-2012)
   </FileType>

The first pattern is characteristic for OLE2 Multistream compound files and
is expressed by XML construct:
   <Pattern>
      <Bytes>D0CF11E0A1B11AE1</Bytes>
      <Pos>0</Pos>
   </Pattern>

At offset 28 a short byte order identifier is stored. The hexadecimal value
FFFE means big endian format. That only occurs in ancient files from
Macintosh computers, but since Apple switched to Intel CPU architecture file
formats with this signature are not found in newer files. So i assume that
for PlanMaker 2010 and 2012 always little endian format is used. That is
expressed by XML construct:
   <Pattern>
      <Bytes>FEFF</Bytes>
      <Pos>28</Pos>
   </Pattern>

Furthermore i remove accident patterns at higher offsets. I also remove in
global strings section garbage lines or lines referring to used fonts like:
   <String>K')'3</String>
   <String>A'T'I'M'E'S' 'N'E'W' 'R'O'M'A'N</String>
   <String>A'R'I'A'L'1</String>


For OLE2 based files no reference URL type is shown by docfile.trid.xml. So
i add the following line:
   <RefURL>
   https://en.wikipedia.org/wiki/Compound_File_Binary_Format
   </RefURL>

According to web site reposcope.com such files have their own mime
type. That is now expressed by line:
   <Mime>application/x-ole-storage</Mime>

With the trid definition for PlanMaker and the updated definition now the
unrecognized PlanMaker Documents are detected and definitions now have
reference URL and mime type. ( See appended output/trid-v-new.txt).

The TrID definitions, output and some examples stored in archive
pmd_pmv.zip. I hope that my 2 XML files can be used in future version of
triddefs.

With best wishes
Jörg Jenderek


Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2841
    • Mark0's Home Page
Thanks Jörg!