According to the documentation provided by Microsoft the header structure of the oncetoc2 must be at the beginning of the file and must have the value
{43FF2FA1-EFD9-4C76-9EE2-10EA5722765F}
Characters Stripped
43FF2FA1EFD94C769EE210EA5722765F
Looking through the file with a hex editor I am unable to find a match for this string, nor can I find it after stripping all the characters and flipping the string. (Endianess?)
F5672275AE012EE967C49DFE1AF2FF34
Then I attempted to find a match with the hex equivalents of the string,
7b34334646324641312d454644392d344337362d394545322d3130454135373232373635467d
This can not be right, as it is much over 16 bytes.
I have been staring at this for a while and can't see what I am missing here. Not finding a pattern match with search tools.
What am I not doing right ?
OneNote onteoc2 file structure:
https://msdn.microsoft.com/en-us/library/dd906213(v=office.12).aspx
Interesting question.
I just had a look at the doc, being completely perplexed by it last time.
Here's what seems to be going on.
The first 16 bytes of the fileA1 2F FF 43 D9 EF 76 4C 9E E2 10 EA 57 22 76 5F
Lets break it down like this
A1 2F FF 43 flip it 43 FF 2F A1D9 EF flip it EF D976 4C flip it 4C 76
9E E2 dont flip it 9E E210 EA 57 22 76 5F dont flip it 10 EA 57 22 76 5F
And we get
{43F2FA1-EFD9-4C76-9EE2-10EA5722765F}
If you take bytes 48 to 633F DD 9A 10 1B 91 F5 49 A5 D0 17 91 ED C8 AE D8
And apply the same formula we get
{109ADD3F-911B-49F5-A5D0-1791EDC8AED8} - guidFileFormat (16 bytes)
I hope this helps.