Unknown APP 13 item

neebah · December 29, 2015, 07:17:03 PM

I recently did a WIC query on a photo and found two bits of information that I haven't been able to decipher. EXIFTOOL doesn't provide any insight.

I'm not sure how familiar you are with WIC queries (microsoft provides some info in general, but not in all. Here are the WIC query strings

"/app13/{ushort=0}/{ulonglong=88271599437876}/{}"
"/app13/{ushort=0}/{ulonglong=88271599437877}/{}"

The first four bytes of the information in these queries if translated to ASCII spell out PHUT

Hayo Baan · December 30, 2015, 01:35:19 AM

What is a WIC scan and how did you find these strings?

neebah · December 30, 2015, 01:48:27 AM

Windows Imaging Component. In .NET programming one can acquire image metadata by performing a WIC query. It is possible to perform a query on all available metadata. When I did so this string popped up. If you look up Native Metadata Query on google you'll find out more info.

Phil Harvey · December 30, 2015, 10:11:58 AM

PHUT is a signature that I have seen for Photoshop IRB resources, and APP13 is the one that Photoshop uses for IRB resources. So I suspect this is IRB format, but with a different header. Send me a sample and I'll take a look. (philharvey66 at gmail.com)

- Phil

StarGeek · December 30, 2015, 12:05:13 PM

There's a sample image in this github thread.

neebah · December 30, 2015, 05:29:03 PM

sent to your email

Phil Harvey · December 30, 2015, 05:51:23 PM

I got your sample. I thought you were talking about an unknown APP13 segment with a "PHUT" header. But this is a standard Photoshop APP13 segment which contains a PHUT IRB with a tag ID of 0x0835. ExifTool reads this, but this tag ID is not known. The values is all zeros anyway, so not useful information.

- Phil

neebah · December 30, 2015, 06:47:39 PM

What is a PHUT IRB?

Phil Harvey · January 01, 2016, 01:04:28 PM

It is a photoshop Image Resource Block with a "PHUT" signature instead of the usual "8BIM".

- Phil

News:

Unknown APP 13 item