From: Christos Zoulas <christos@zoulas.com>
Date: Tue, 29 Jan 2013 19:31:33 +0000 (+0000)
Subject: Don't confuse NTFS filesystems with Hitachi COFF (Joerg Jenderek)
X-Git-Tag: FILE5_13~18
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=93c148b59b1075fb65de0fd3b690d19550ca768b;p=file

Don't confuse NTFS filesystems with Hitachi COFF (Joerg Jenderek)
The hitachi coff magic is too weak and perhaps it should be commented out?
---

diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems
index 01c09046..b10595a4 100644
--- a/magic/Magdir/filesystems
+++ b/magic/Magdir/filesystems
@@ -1,6 +1,6 @@
 
 #------------------------------------------------------------------------------
-# $File: filesystems,v 1.71 2013/01/23 19:03:41 christos Exp $
+# $File: filesystems,v 1.72 2013/01/26 18:17:28 christos Exp $
 # filesystems:  file(1) magic for different filesystems
 #
 0	string	\366\366\366\366	PC formatted floppy with no filesystem
@@ -1184,7 +1184,17 @@
 #>>>>>>>>>80	ulelong		=0		\b, checksum 0x%x=0 (usual)
 >>>>>>>>>0x258	ulelong&0x00009090	=0x00009090	
 >>>>>>>>>>&-92		indirect	x	\b; contains 
-### DOS boot sector end
+# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013
+# http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm
+# unused assembler instructions JMP y2;NOP;NOP
+0x056		ulelong&0xFFFF0FFF	0x909002EB	
+# unicode loadername terminated by CTRL-D
+>(0.s*2)	ulelong&0xFFFFFF00	0x00040000		
+# loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR
+>>0x002		lestring16	x	Microsoft Windows XP/VISTA bootloader %-5.5s
+>>0x12		string		$	
+>>>0x0c		lestring16	x	\b%-2.2s
+### DOS,NTFS boot sectors end
 
 9564	lelong		0x00011954	Unix Fast File system [v1] (little-endian),
 >8404	string		x		last mounted on %s,
diff --git a/magic/Magdir/hitachi-sh b/magic/Magdir/hitachi-sh
index c539f091..1af89eed 100644
--- a/magic/Magdir/hitachi-sh
+++ b/magic/Magdir/hitachi-sh
@@ -1,11 +1,14 @@
 
 #------------------------------------------------------------------------------
-# $File$
+# $File: hitachi-sh,v 1.5 2009/09/19 16:28:09 christos Exp $
 # hitach-sh: file(1) magic for Hitachi Super-H
 #
 # Super-H COFF
 #
+# below test line conflicts with 2nd NTFS filesystem sector 
 0	beshort		0x0500		Hitachi SH big-endian COFF
+# 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR
+#0	ubelong&0xFFFFNMPQ	0x0500NMPQ     Hitachi SH big-endian COFF
 >18	beshort&0x0002	=0x0000		object
 >18	beshort&0x0002	=0x0002		executable
 >18	beshort&0x0008	=0x0008		\b, stripped