new format (Micrografx Designer)

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
eric10600
Posts: 3
Joined: 24 Apr 2021, 22:48

new format (Micrografx Designer)

#1 Post by eric10600 »

Hello,

I've made a new filter for the Micrographx Designer format. The extension is DRW (which is already used by another software)

I've identified the fingerprint of this format. It seems to be very simple. On 3 differents files, the hexadecimal dumps give in the header:

Code: Select all

0000000 ff01 0402 0203 0200 0202 0521 0400 ff01
0000010 ff03 0200 000a 0800 xxxx xxxx (those parts are different)
there is no specific footer.

First I've added this in a new file_drw2.c (based on the template):

Code: Select all

  static const unsigned char DRW2_header[24]=  {
    0xff, 0x01, 0x04, 0x02, 0x02, 0x03, 0x02, 0x00, 0x02, 0x02, 0x05, 0x21, 0x04, 0x00, 0xff, 0x01, 0xff, 0x03, 0x02, 0x00, 0x00, 0x0a, 0x08, 0x00
I've compiled it, but it didn't work. So I've used the -C option in hexdump. Now I see every hexadecimal parts are "swapped" (ff01 becomes 01 ff)

This part is now correct:

Code: Select all

static void register_header_check_drw(file_stat_t *file_stat)
{
  static const unsigned char drw_header[8]=  {
    0x01, 0xff, 0x02, 0x04, 0x03, 0x02, 0x00, 0x02
  };
(I've only set 8 elements for this second try, maybe I should increase this number for a better recognison).

Now my question is, for proposing a pull request in github for an official inclusion, what is the best for the file naming? Label it file_drw2.c for example?

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: new format (Micrografx Designer)

#2 Post by cgrenier »

file_drw2.c is OK.
Please provide some file samples. It may be possible to identify the filesize.

eric10600
Posts: 3
Joined: 24 Apr 2021, 22:48

Re: new format (Micrografx Designer)

#3 Post by eric10600 »

great.

I've made it and created the pull request there: https://github.com/cgsecurity/testdisk/pull/100

About some samples, there are a few in this archive:
https://archive.org/download/micrografx ... signer.zip

in the BEISPIEL folder.

i've used them to make some hexdump and noticed some differences sometimes after the 16th byte. Therefore I've only set the first 14 ones in the file_drw2.c

eric10600
Posts: 3
Joined: 24 Apr 2021, 22:48

Re: new format (Micrografx Designer)

#4 Post by eric10600 »

I've noticed some legit DRW files can have some differences after the 8th byte as well, for example:

Code: Select all

00000000  01 ff 02 04 03 02 00 02  02 02 21 05 00
00000000  01 ff 02 04 03 02 00 02  00 02 21 05 00
I can't disclose the examples because one of them is private, the other one is from the BEISPIEL folder.

On 4000 found drw files from the 8 first bytes, only 7 files had a single difference after the 8th byte. But maybe those files were damaged (or it's from different versions)...

I've changed the code to only check with the 8 first bytes, it should be sufficent.

Locked