Hello trid users,
some days ago just for interest i inspect efi executables starting with MZ
magic. Afterwards i look for other MZ-executables on my systems. Such
samples with FON file name extension are Windows fonts.
38 of my inspected samples are described correctly by fon.trid.xml as
"Windows Font". But 12 not described by fon.trid.xml. Such examples are only
described by dll.trid.xml as "Win32 Dynamic Link Library" or as "Generic
Win/DOS Executable" by exe-generic.trid.xml (See appended
output/trid-v-old.txt).
For comparison reasons i also run other identifying tools on such examples.
The file command identifies these examples as "MS-DOS executable", "NE for
MS Windows 3.x" and "DLL or font" (See appended output/file-5.39.txt).
So i run tridscan on undetected samples and i update a trid definition file
font.trid.xml. All my samples still start with typical Windows executable
phrase that is also found in other trid definitions exe-*.trid.xml. That is
expressed by XML pattern block like:
<Bytes>4D5A</Bytes>
<ASCII> M Z</ASCII>
<Pos>0</Pos>
Because 3 examples like DIALOG.FON, L1WBASE.FON and SYSFCLYS.FON do not
contain string FONTRES, now this pattern in global strings section vanish
like:
<String>FONTRES</String>
So only 1 pattern still exist in all fonts. That is still expressed by line
like:
<String>FONTDIR</String>
Some null patterns vanish like:
<Pattern>
<Bytes>00</Bytes>
<Pos>68</Pos>
</Pattern>
<Pattern>
<Bytes>00000000000000</Bytes>
<Pos>121</Pos>
</Pattern>
Or some null pattern become shorter like:
<Pattern>
<Bytes>00000000000000000000000000000000000000000000000000000000000000</Bytes>
<Pos>29</Pos>
</Pattern>
<Pattern>
<Bytes>0000000000000000000000000000000000000000000000000000</Bytes>
<Pos>34</Pos>
</Pattern>
Instead of page about Microsoft Windows on Wikipedia, now i use page about
FON file formats on archive team web site. That is now expressed by line
like:
<RefURL>
http://fileformats.archiveteam.org/wiki/FON</RefURL>
On that site also download links to examples are mentioned.
Because the FON file format is extended from DOS MZ executable, the file
command use mime type "application/x-dosexec" (see appended
output/file-i-5.39.txt). According to IANA for True Type fonts the mime type
font/ttf is used. So a choose a similar user defined type for FON
samples. That is now expressed by line like:
<Mime>font/x-fon</Mime>
With the updated definition my Windows FON samples are now recognized (See
appended output/trid-v-new.txt).
TrID definition, some examples and output are stored in archive fon.zip. I
hope that my XML file fon.trid.xml can be used in future version of triddefs.
I still find some other samples with FON name extension. Some belong to old
Lotus 123 program (Version about 1).
With best wishes
Jörg Jenderek
