Hello TrID users,
some days ago I downloaded Firefox and Thunderbird from the Mozilla FTP
server. Just out of interest I also downloaded samples from the updates
subdirectories, like firefox-78.4.1esr-78.5.0esr.partial.mar and
thunderbird-78.4.2-78.4.3.partial.mar.
All MAR examples are described wrongly by m.trid.xml as "Maple Common Binary
file (generic)".
Only an older MAR file like firefox-1.5.0.1-1.5.0.2.partial.mar is described
correctly by ark-mar-mozilla.trid.xml as "Mozilla ARchive" (see appended
output/trid-v.txt).
So I ran tridscan on the undetected samples and updated the TrID definition
file ark-mar-mozilla.trid.xml. All my samples start with the mentioned start
magic. That is expressed by an XML pattern block like:
<Bytes>4D41523100</Bytes>
<ASCII> M A R 1</ASCII>
<Pos>0</Pos>
The second pattern block has now vanished. That was expressed by an XML
construct like:
<Bytes>425A6839314159265359</Bytes>
<ASCII> B Z h 9 1 A Y . S Y</ASCII>
<Pos>8</Pos>
According to the reference on mozilla.org this should be the file size and
the beginning of the value for the number of signatures. For newer MAR files
this is correct, but for older examples like
thunderbird-1.5.0.9-1.5.0.10.partial.mar this interpretation is wrong.
Instead of the unspecific MIME type application/octet-stream I display a
user-defined one. That is expressed by a line like:
<Mime>application/x-mozilla-mar</Mime>
With the updated definition the non-described MAR examples are now
described correctly (see appended output/trid-new-v.txt). The TrID definition,
some examples and the output are stored in the archive mar.zip. I hope that my
XML file can be used in a future version of triddefs.
With best wishes
Jörg Jenderek
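
Added example, not part of the original post: a Python sketch of the header check the post describes, separating older MAR files (bzip2 data at offset 8) from newer ones (file size and signature count at offset 8). It assumes the MAR layout from the mozilla.org reference (4-byte magic, 4-byte big-endian index offset, then in newer files an 8-byte file size and a 4-byte signature count); the function name and the sample buffers are constructed for illustration.

```python
import struct

MAR_MAGIC = b"MAR1"
# Bytes 425A6839314159265359 from the pattern block that was removed.
BZIP2_MAGIC = b"BZh91AY&SY"


def classify_mar(data: bytes) -> dict:
    """Classify a complete file buffer as old-layout MAR, new-layout MAR or not MAR."""
    if len(data) < 8 or data[:4] != MAR_MAGIC:
        return {"kind": "not-mar"}
    (index_offset,) = struct.unpack(">I", data[4:8])
    info = {
        "index_offset": index_offset,
        # The TrID pattern 4D41523100 also requires the top byte of the
        # index offset to be zero, i.e. an index offset below 16 MiB.
        "trid_magic_match": data[:5] == MAR_MAGIC + b"\x00",
    }
    # Older files: the first (bzip2-compressed) member starts right at offset 8.
    if data[8:8 + len(BZIP2_MAGIC)] == BZIP2_MAGIC:
        info["kind"] = "mar-old"
        return info
    # Newer files: 8-byte total file size, then 4-byte number of signatures.
    if len(data) >= 20:
        file_size, num_sigs = struct.unpack(">QI", data[8:20])
        if file_size == len(data):  # self-check: stored size must match
            info.update(kind="mar-new", file_size=file_size,
                        num_signatures=num_sigs)
            return info
    info["kind"] = "mar-unknown"
    return info


# Constructed 40-byte sample in the older layout: magic, index offset, bzip2 data.
SAMPLE_OLD = MAR_MAGIC + struct.pack(">I", 40) + BZIP2_MAGIC + b"\x00" * 22
# Constructed 24-byte sample in the newer layout: magic, index offset 24,
# file size 24, zero signatures, four padding bytes.
SAMPLE_NEW = MAR_MAGIC + struct.pack(">IQI", 24, 24, 0) + b"\x00" * 4

if __name__ == "__main__":
    for name, buf in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, classify_mar(buf))
```

The stored file size gives the newer layout a self-consistency check that a fixed byte pattern at offset 8 cannot express, which is why a truncated or padded file falls into "mar-unknown" here.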