Researching file formats isn’t for everyone. Others may find it boring or even odd. Trying to explain to others the nuances of a binary format versus a container format would bring many tears. Their reactions sometimes are similar to hearing someone explain their belief in aliens. Passionate, but a bit on the crazy side.
So with aliens and containers on my mind, let’s take a look at a format with the extension UFO. It is not an unidentified flying object or a UAP, it may as well be an unidentified file object, but in this case it is a “Ulead File for Objects” format. It is the exclusive file format for use with the PhotoImpact software from Ulead Systems, a Taiwanese developer known for many popular software programs. First released in 1996 with version 3, the PhotoImpact software was marketed as “a fully object-based tool, which pioneered a number of important innovations“.
The reason it was a considered a full object-based tool was the UFO format is based on the, at the time, popular OLE Compound File Storage object format developed by Microsoft. So by using some OLE tools we can take a closer look at some of these Unidentified File Objects……..
oleid Sample.ufo
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: Sample.ufo
--------------------+--------------------+----------+--------------------------
Indicator |Value |Risk |Description
--------------------+--------------------+----------+--------------------------
File format |Generic OLE file / |info |Unrecognized OLE file.
|Compound File | |Root CLSID: - None
|(unknown format) | |
--------------------+--------------------+----------+--------------------------
Container format |OLE |info |Container type
--------------------+--------------------+----------+--------------------------
Encrypted |False |none |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros |No |none |This file does not contain
| | |VBA macros.
--------------------+--------------------+----------+--------------------------
XLM Macros |No |none |This file does not contain
| | |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External |0 |none |External relationships
Relationships | | |such as remote templates,
| | |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------
Well, it is a OLE file, but is unrecognized/unidentified by the oletools software. It also appears to be missing the root entry and CLSID you commonly find in OLE files. Since this is an OLE container we can also just use 7zip to peek inside as well.
Path = Sample.ufo
Type = Compound
Physical Size = 937984
Extension = compound
Cluster Size = 512
Sector Size = 64
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
1999-05-25 03:33:05 D.... OS-3
1999-05-25 03:33:04 D.... OS-1
1999-05-25 03:33:03 D.... OS-0
..... 31122 31232 OS-0/ObjectImage
..... 1316 1344 OS-0/ObjectData
..... 137996 138240 OS-0/PathStream
..... 19591 19968 OS-0/ObjectMask0
1999-05-25 03:33:05 D.... OS-2
..... 43405 43520 OS-2/ObjectImage
..... 1316 1344 OS-2/ObjectData
..... 176204 176640 OS-2/PathStream
..... 25524 25600 OS-2/ObjectMask0
..... 41588 41984 OS-1/ObjectImage
..... 1316 1344 OS-1/ObjectData
..... 170132 170496 OS-1/PathStream
..... 25221 25600 OS-1/ObjectMask0
..... 34505 34816 LtfMainImage
..... 656 704 LtfHeader
1999-05-25 03:33:06 D.... OS-4
..... 19249 19456 OS-4/ObjectImage
..... 1316 1344 OS-4/ObjectData
..... 4842 5120 LtfPreviewImage
..... 1160 1216 LtfObjectList
..... 31753 32256 OS-3/ObjectImage
..... 1316 1344 OS-3/ObjectData
..... 131892 132096 OS-3/PathStream
..... 19439 19456 OS-3/ObjectMask0
------------------- ----- ------------ ------------ ------------------------
1999-05-25 03:33:06 920859 925120 22 files, 5 folders
In this sample file, we have a bunch of directories and objects, but none of what we expect to see in an OLE file, such as a “SummaryInformation” or “DocumentSummaryInformation” like we would see in a Word DOC file. By not having the standard contents of the container, it makes these files very specific to PhotoImpact software.
Path = PhotoImpactX3-s01.ufo
Type = Compound
Physical Size = 5120
Extension = compound
Cluster Size = 512
Sector Size = 64
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
..... 20 64 HotspotStream
..... 656 704 LtfHeader
..... 20 64 SliceInfoStream
..... 412 448 LtfPreviewImage
..... 714 768 WebPropStream
..... 20 64 ManualHotspotScriptInfoStream
..... 20 64 ObjectHotspotScriptInfoStream
------------------- ----- ------------ ------------ ------------------------
1862 2176 7 files
Here is another UFO file from the last version of the software PhotoImpact X3 when it was owned by Corel, but phased out in 2009. This is the basic file structure with no objects added to the file. We can be fairly confident these are the base files in most every other UFO file. It doesn’t have any of the “OS” folders which contain the objects, so I think the LtfHeader file might be our best bet for a signature. Let’s take a look at the Hex values for a few of them.
hexdump -C PhotoImpactX3-s01/LtfHeader| head
00000000 90 02 00 00 4c 54 46 00 58 02 00 00 02 00 ba dc |....LTF.X.......|
00000010 ee 02 00 00 26 02 00 00 80 fc 0a 00 80 fc 0a 00 |....&...........|
00000020 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
hexdump -C Sample/LtfHeader| head
00000000 90 02 00 00 4c 54 46 00 90 01 00 00 02 00 f7 bf |....LTF.........|
00000010 90 01 00 00 90 01 00 00 80 fc 0a 00 80 fc 0a 00 |................|
00000020 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
hexdump -C v3/ANIMALS/LtfHeader| head
00000000 90 02 00 00 4c 54 46 00 64 00 00 00 02 00 6e 00 |....LTF.d.....n.|
00000010 40 01 00 00 c8 00 00 00 80 fc 0a 00 80 fc 0a 00 |@...............|
00000020 00 00 00 00 11 00 00 00 01 00 00 00 01 00 00 00 |................|
00000030 01 00 00 00 60 00 00 00 3c 00 00 00 60 00 00 00 |....`...<...`...|
Making a signature using the first 8 bytes of the LtfHeader file appears to have worked for all the 3,400+ sample files I have collected. Problem is it also worked for another extension found in the some of the later versions of PhotoImpact.
When you have successfully finished your template, make sure to save it in the Ulead File For Photo Project format (*.UFP). This allows you to open and use your template in the Photo Projects dialog box. In the Template tab, click Open Project and browse for the created file.
They appear to be a template version for the format so we should be fine just adding the extension to the same signature.
Well, this Unidentified File Object is no longer unidentifiable. Was it sent by aliens? Possibly, but at least we know where these UFO’s came from, PhotoImpact. Take a look at the samples and proposed signature in my GitHub.
Also be sure to join us at this years iPres conference and attend our workshop on container signatures in PRONOM!