[Klozov]

Have now downloaded a number of what I believed to be a variety of different RAR files only to find eMule eventually identifying them as MPEG Audio files, NOT RAR files at all. I looked at the files with a Hex editor and came to find out they were actually a string of hundreds of copies of the same unknown file / unknown file type.

example: 1. I down load what I believe to be **** contained in a 100MB RAR file. 2. As I am receiving the file emule indicates it is not a RAR but an MPEG Audio file. 3. I try to use my media player to see what I received but it doesn't play. 4. I open the file with a Hex editor and find it is actually the same 10MB file repeated 10 times.

The Header of this/these files all start with a string of zeros before the Alphanumeric characters "GF!" (no quotations)are seen.

eMule thinks this is a MP3 file even though the header looks nothing like an MP3 header.

And of course I cant decode, playback, or open the file/files with anything I've tried.

Now my curiosity has gotten the best of me and I'm trying to figure out what I continue to occasionally receive here instead of the files I'm looking for.

Kaspersky has not ID any of these files as being a virus so I continue to search for an answer.

Thanks in advance for any thoughts or info.

This post has been edited by torpon: 22 September 2009 - 05:48 AM

[jestheonlyone]

hi

Klozov, on 22 September 2009 - 04:19 AM, said:

The Header of this/these files all start with a string of zeros before the Alphanumeric characters "GF!" (no quotations)are seen.

Obviously, this not a RAR file...

Klozov, on 22 September 2009 - 04:19 AM, said:

eMule thinks this is a MP3 file even though the header looks nothing like an MP3 header.

Do you really know how should look a "MP3 header"?
I don't think so... (MP3 files do not have a header )

Quote

I try to use my media player to see what I received but it doesn't play

This does not necessarilly mean that this is not a genuine MP3 file.
WMP, to name only one, is unable to play a lot of genuine MP3 files...

Anyway, there are also many supposed MP3 files available on p2p networks that contain enough correct mpeg frame headers to be identified as MP3s, but only contain garbage instead of actual audio data (and of course, some of those files may well be labelled, by some clients, as .rar or .whatever).


edit:
In "Support - Do You Need Help?" > "Quick help & guides", you'll find several topics about fakes files and how to avoid them.



edit 2:
BTW, a genuine (uncompressed) RAR file can be also a genuine playable MP3

This post has been edited by jestheonlyone: 24 September 2009 - 01:15 AM

[fox88]

There are also files which have type .mp3, but they must be split into individual .mp3 files. I once encountered such file.

[Klozov]

Thanks for all the inputs. But I have to comment on "Do you really know how should look a "MP3 header"?
I don't think so... (MP3 files do not have a header)."

That's funny. I've looked at the hex guts of a lot of files including a variety of MP3s and have found, personally, that they ALL HAVE HEADERS which ID them within the the first couple lines of code.

My answer is: I know what many of the more common MP3 headers look like.

My question is: Have you ever looked yourself or have you just heard or read somewhere that MP3s don't have headers? Because I can assure you that if you sent me an anonymous set of files containing just the first 32 or so (non zero) hex characters of those files I would be willing to bet that I (not a software IDing program or such), with my 2 failing eyes, could ID the MP3/s in the bunch. So put your files where your words are or discontinue disseminating skewed information.

Otherwise, thanks for taking the time to read my issue.

-kozov

[jestheonlyone]

Obviously, you really don't know

An MP3 file contains a number of MPEG frames, each one with its own DWORD header.
Inside those headers, only a very few bits are common to all MPEG (or even MP3) frame headers. Most bits are used to define the MPEG version, bitrate, stereo mode, etc...
MP3 files are designed to be playable from anywhere, and to be error tolerant (for streaming purposes). So the first MPEG frame does not have to be located at the beginning of the file, and additional or missing data may be expected.
Which means that any MP3 file can contain other data (such as an ID3 tag, or a .RAR file header) at the beginning, or anywhere, between two MPEG frames
(or even inside an MPEG frame, but in that case the decoder should either skip the corrupted frame, or fill the blank with calculated values).


And I have sometimes seen non-MP3 files with an ID3 tag at the beginning...
Edit:
if you're using win XP, you probably have (or had) in one of the default folders, a .WMA file with an embedded picture. This picture is actually embedded in an ID3 tag inside the .WMA file (but in that case, the ID3 tag is not located at the beginning of the file).

This post has been edited by jestheonlyone: 01 October 2009 - 01:52 AM

[Klozov]

jestheonlyone, on 30 September 2009 - 06:27 PM, said:

Obviously, you really don't know

An MP3 file contains a number of MPEG frames, each one with its own DWORD header.
Inside those headers...

Thank You for a level of insight that definitely supports your "Obviously..." statement. I guess you could say I'm rather lazy in that I have to be provoked into learning that kind of detail about a subject. There are so many pieces of the grand puzzle to know that I, most of the time, just shoot from the hip hoping to knock a few things loose and clear the path. There never seems to be enough time to learn every tangent in an array of possibilities while trying to keep in mind that these secondary and tertiary 'projects' are leading you further away from the simple task you just wanted to be done with.

Many times, when it looks like the target is going to require a sniper rifle instead of my shotgun, instead of spending the time and resources procuring 50cal long barrel, mounting a scope, sighting it it as I work on my breathing and windage calculations for a year or so, I look for a trained sharpshooter instead. When fishing the knowledge pool I never expect anything less than to be humbled. ...but I CAN cook a really mean ratatouille MoFo!

Thanks Man.

-Klozov

[Klozov]

I thought this might make things a little easier to visualize in hopes that maybe someone will take a look and say something like "Oh yeah! ...that's an old Goobergooky & Wiseman Random Database File" ...or some such thing.

So, just for your viewing pleasure, I cut and pasted a section (just the first few lines) of one of the file types in question using a hex editor. Again this is just an example of the signature 'header' seen in hundreds of similar ~1 to 10mb file parts within the ~50 to 550mb files found as RARs like I mentioned.

It is about this much repeated 'header' data before these files may start to a define a unique identity for another 1 to 10mb where it ends. Then the same header repeats after 10 or so lines of zeros. In some cases it's the same exact file repeated hundreds of times within the main file.

Ever seen anything like this in a header? NOTE the ASCII " GF! " in the 6th line. ...In a place where a GIF, JFIF, or PK, etc. would make it a recognizable file type.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  FF FB 10 C0 02 08 04 06 09 02 08 0B 03 09 02 0A  ÿû.À............
00000010  0B 04 06 04 05 04 01 07 07 0B 08 08 04 09 05 00  ................
00000020  0B 09 07 07 0B 04 09 00 02 09 07 02 07 05 08 03  ................
00000030  09 07 07 06 09 0A 09 07 02 05 06 00 07 04 00 00  ................
00000040  0C 90 89 FD B4 CB 82 59 11 A1 80 26 9A 78 DD A4  ..‰ý´Ë‚Y.¡€&šxݤ
00000050  99 47 46 21 3B 5A 6D D6 E3 4F FE 0C C4 65 D5 83  ™GF!;ZmÖãOþ.ÄeÕƒ
00000060  AF F6 6E 13 29 41 9C 94 C1 6D 7E FC A1 CB AF C7  ¯ön.)Aœ”Ám~ü¡Ë¯Ç
00000070  62 5C BE 9C 25 93 DE 2D DF 5B DE 5F F4 5C 5B AB  b\¾œ%“Þ-ß[Þ_ô\[«

TIA for any further insights.

-Klozov

[fox88]

If you do not like what was posted for you above, try to search in the net for mp3 file format.

[jestheonlyone]

I forgot an important thing:
One mpeg frame is useless and meaningless in itself.
To tell if a file might be an mp3, or to attempt to play it, the decoder has to find at least a 2nd frame at the expected position (depending on the bits set in the first frame header).
And of course, the audio data inside each frame has to be consistent.

At first sight, FF FB 10 C0 looks like an mpeg frame header (mpeg 1 layer 3, mono, 32kbit/s, if I'm not wrong).
But this does not mean that the file is actually an MP3.

[Klozov]

I've tried a number of codec packages and players and none even recognize these files as mp3 or any other multimedia file. This seems very strange since, obviously, eMule did recognize it as being an mpeg audio file when it announced in red letters (file details window) that the .wmv extension in the original filename was incorrect. ...the curiosity continues to deepen.

I now have a collection of these >300mb files waiting for the Rosetta Stone to decode.

-Klozov

[fox88]

I think you should edit your post to comply with the rules.
Keep in mind that this forum is not for helping with files you get from eMule.

This post has been edited by fox88: 19 October 2009 - 07:12 AM

[torpon]

I assume Rosetta Stone is nothing related to the files but a literary lincense.

Cheers

[fox88]

My assumption is different. Here.

[Klozov]

fox88, on 20 October 2009 - 10:08 AM, said:

My assumption is different. Here.

I'm not as software savvy as you guys obviously.

My reference was to the historic Rosetta Stone which, call me crazy, should be the first interpretation that anyone might think of considering it's function as well as timeless global historic & cultural significance. As opposed to a title someone 'borrowed' from that history to name a couple lines of code written and used for a few years at the turn of this century which will, I believe, never quite have the same impact on the history of civilization as did it's predecessor. (If, in some remote way, one could even go as far as to put it into the same category of historic events).

Without mentioning more examples of this phenomena, I can tell you that my first thoughts of certain historic Names/Events are not of a software package or company name that someone somewhere might have also used, nor should I feel that I, or anyone, need to concerned about in this respect.

-Klozov

[fox88]

Sorry, I my mistake.
However, it's more than two lines of code; and that program uses sound data as well.