From: Christos Zoulas <christos@zoulas.com> Date: Tue, 29 Jan 2013 19:31:33 +0000 (+0000) Subject: Don't confuse NTFS filesystems with Hitachi COFF (Joerg Jenderek) X-Git-Tag: FILE5_13~18 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=93c148b59b1075fb65de0fd3b690d19550ca768b;p=file Don't confuse NTFS filesystems with Hitachi COFF (Joerg Jenderek) The hitachi coff magic is too weak and perhaps it should be commented out? --- diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index 01c09046..b10595a4 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.71 2013/01/23 19:03:41 christos Exp $ +# $File: filesystems,v 1.72 2013/01/26 18:17:28 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 string \366\366\366\366 PC formatted floppy with no filesystem @@ -1184,7 +1184,17 @@ #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) >>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 >>>>>>>>>>&-92 indirect x \b; contains -### DOS boot sector end +# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013 +# http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm +# unused assembler instructions JMP y2;NOP;NOP +0x056 ulelong&0xFFFF0FFF 0x909002EB +# unicode loadername terminated by CTRL-D +>(0.s*2) ulelong&0xFFFFFF00 0x00040000 +# loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR +>>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s +>>0x12 string $ +>>>0x0c lestring16 x \b%-2.2s +### DOS,NTFS boot sectors end 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), >8404 string x last mounted on %s, diff --git a/magic/Magdir/hitachi-sh b/magic/Magdir/hitachi-sh index c539f091..1af89eed 100644 --- a/magic/Magdir/hitachi-sh +++ b/magic/Magdir/hitachi-sh 
@@ -1,11 +1,14 @@ #------------------------------------------------------------------------------ -# $File$ +# $File: hitachi-sh,v 1.5 2009/09/19 16:28:09 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF # +# below test line conflicts with 2nd NTFS filesystem sector 0 beshort 0x0500 Hitachi SH big-endian COFF +# 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR +#0 ubelong&0xFFFFNMPQ 0x0500NMPQ Hitachi SH big-endian COFF >18 beshort&0x0002 =0x0000 object >18 beshort&0x0002 =0x0002 executable >18 beshort&0x0008 =0x0008 \b, stripped
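Review bot: In the magic/Magdir/filesystems hunk at -1184, the pair `>>0x12 string $` and `>>>0x0c lestring16 x \b%-2.2s` carries no comment, and it is the only place where the sixth and seventh characters of a loader name get printed, because `%-5.5s` on the line above stops at five. The comment lists BOOTMGR among the expected names, so a reader has to work out that offset 0x0c is 2 + 5*2 and that a `$` at 0x12 is being used as a stand-in for "the name is seven characters long". Please add a comment saying so. Consider also keying that branch on the 16-bit length at offset 0, which `(0.s*2)` already reads, rather than on whatever byte happens to follow the CTRL-D terminator; a test on that length would state the intent directly and would not depend on the content after the name.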
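Review bot: In the magic/Magdir/hitachi-sh hunk, the conflicting test `0 beshort 0x0500 Hitachi SH big-endian COFF` is still active, so a buffer beginning 0x05004e00 (the NTFS case named in the new comment) continues to satisfy it; the hunk documents the conflict but does not remove it on this side. The proposed replacement `#0 ubelong&0xFFFFNMPQ 0x0500NMPQ` cannot simply be uncommented later, since NMPQ is a placeholder and not a hexadecimal mask or value. Either fill in real mask and value digits taken from the COFF header layout, or keep the two-byte test but move the description to a child line that also checks a further header field, so the entry prints nothing for data that merely starts with 0x0500. The commit message already asks whether the entry should be commented out; whichever way that is decided, the chosen behaviour should be recorded in the comment above the test.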