From: Christos Zoulas Date: Wed, 4 Jun 2008 18:03:16 +0000 (+0000) Subject: From: =?UTF-8?B?VG9tw6HFoQ==?= Smetana X-Git-Tag: FILE5_05~380 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b6a23b4820639769c87b88d374b29e51fff5a736;p=file From: =?UTF-8?B?VG9tw6HFoQ==?= Smetana file-4.24-efi.patch: Changes the detection of MS-DOS executables, adds support for various PE32/PE32+ executables, reports Windows executables as PE32 not MS-DOS file-4.24-gfs2.patch: Adds GFS2 filesystem detection file-4.24-lvm.patch: LVM snapshots file-4.24-oracle.patch: Oracle filesystems --- diff --git a/magic/Magdir/elf b/magic/Magdir/elf index b578929d..2e3db981 100644 --- a/magic/Magdir/elf +++ b/magic/Magdir/elf @@ -213,10 +213,10 @@ >>18 beshort 16 nCUBE, >>18 beshort 17 Fujitsu VPP500, >>18 beshort 18 SPARC32PLUS, ->>>36 belong&0xffff00 &0x000100 V8+ Required, ->>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, ->>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required, ->>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, +>>>36 belong&0xffff00 0x000100 V8+ Required, +>>>36 belong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, +>>>36 belong&0xffff00 0x000400 HaL R1 Extensions Required, +>>>36 belong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 64-bit PowerPC or cisco 7500, >>18 beshort 22 IBM S/390, @@ -231,9 +231,9 @@ >>18 beshort 41 Alpha, >>18 beshort 42 Renesas SH, >>18 beshort 43 SPARC V9, ->>>48 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, ->>>48 belong&0xffff00 &0x000400 HaL R1 Extensions Required, ->>>48 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, +>>>48 belong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, +>>>48 belong&0xffff00 0x000400 HaL R1 Extensions Required, +>>>48 belong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, >>>48 belong&0x3 0 total store ordering, >>>48 belong&0x3 1 partial store ordering, >>>48 belong&0x3 2 relaxed memory ordering, diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index 24ceaaad..0e0db4ac 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1268,18 +1268,31 @@ # Summary: Oracle Clustered Filesystem # Created by: Aaron Botsis -8 string OracleCFS Oracle Clustered Filesystem, ->4 long x rev %d ->0 long x \b.%d, ->560 string x label: %.64s, ->136 string x mountpoint: %.128s +8 string OracleCFS Oracle Clustered Filesystem, +>4 long x rev %d +>0 long x \b.%d, +>560 string x label: %.64s, +>136 string x mountpoint: %.128s # Summary: Oracle ASM tagged volume # Created by: Aaron Botsis -32 string ORCLDISK Oracle ASM Volume, ->40 string x Disk Name: %0.12s -32 string ORCLCLRD Oracle ASM Volume (cleared), ->40 string x Disk Name: %0.12s +32 string ORCLDISK Oracle ASM Volume, +>40 string x Disk Name: %0.12s +32 string ORCLCLRD Oracle ASM Volume (cleared), +>40 string x Disk Name: %0.12s + +# Oracle Clustered Filesystem - Aaron Botsis +8 string OracleCFS Oracle Clustered Filesystem, +>4 long x rev %d +>0 long x \b.%d, +>560 string x label: %.64s, +>136 string x mountpoint: %.128s + +# Oracle ASM tagged volume - Aaron Botsis +32 string ORCLDISK Oracle ASM Volume, +>40 string x Disk Name: %0.12s +32 string ORCLCLRD Oracle ASM Volume (cleared), +>40 string x Disk Name: %0.12s # Compaq/HP RILOE floppy image # From: Dirk Jagdmann @@ -1304,3 +1317,9 @@ # really le32 operation,destination,payloadsize (but quite predictable) # 01 00 00 00 00 00 00 c0 00 02 00 00 0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware + +# From Eric Sandeen +# GFS2 +0x10000 belong 0x01161970 GFS2 Filesystem +>0x10024 belong x (blocksize %d, +>0x10060 string >\0 lockproto %s) diff --git a/magic/Magdir/linux b/magic/Magdir/linux index 1234d783..aaedff42 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -231,6 +231,14 @@ 0x618 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x614.l+0x600) string >\0 , UUID: %s +# LVM snapshot +# from Jason Farrel +0 string SnAp LVM Snapshot (CopyOnWrite store) +>4 lelong !0 - valid, +>4 lelong 0 - invalid, +>8 lelong x version %d, +>12 lelong x chunk_size %d + # SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index 83533dc3..d2e2e226 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -10,9 +10,9 @@ !:mime text/x-msdos-batch >1 string/cB echo\ off MS-DOS batch file text !:mime text/x-msdos-batch ->1 string/cB rem\ MS-DOS batch file text +>1 string/cB rem\ MS-DOS batch file text !:mime text/x-msdos-batch ->1 string/cB set\ MS-DOS batch file text +>1 string/cB set\ MS-DOS batch file text !:mime text/x-msdos-batch @@ -43,14 +43,15 @@ # # Required OS version and subsystem version were 4.0 on some NT 3.51 # executables built with Visual C++ 4.0, so it's not clear that -# they're interesting. The user version was 0.0, but there's +# they're interesting. The user version was 0.0, but there's # probably some linker directive to set it. The linker version was # 3.0, except for one ".exe" which had it as 4.20 (same damn linker!). # # many of the compressed formats were extraced from IDARC 1.23 source code # -0 string MZ MS-DOS executable +0 string MZ !:mime application/x-dosexec +>0x18 leshort <0x40 MS-DOS executable >0 string MZ\0\0\0\0\0\0\0\0\0\0PE\0\0 \b, PE for MS Windows >>&18 leshort&0x2000 >0 (DLL) >>&88 leshort 0 (unknown subsystem) @@ -76,27 +77,35 @@ !:mime application/zip >0x18 leshort >0x3f ->>(0x3c.l) string PE\0\0 PE +>>(0x3c.l) string PE\0\0 PE +>>>(0x3c.l+25) byte 1 \b32 executable +>>>(0x3c.l+25) byte 2 \b32+ executable # hooray, there's a DOS extender using the PE format, with a valid PE # executable inside (which just prints a message and exits if run in win) ->>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender ->>>(8.s*16) string !32STUB for MS Windows ->>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) ->>>>(0x3c.l+92) leshort 0 (unknown subsystem) ->>>>(0x3c.l+92) leshort 1 (native) ->>>>(0x3c.l+92) leshort 2 (GUI) ->>>>(0x3c.l+92) leshort 3 (console) ->>>>(0x3c.l+92) leshort 7 (POSIX) ->>>>(0x3c.l+4) leshort 0x0 unknown processor ->>>>(0x3c.l+4) leshort 0x14c Intel 80386 ->>>>(0x3c.l+4) leshort 0x166 MIPS R4000 ->>>>(0x3c.l+4) leshort 0x184 Alpha ->>>>(0x3c.l+4) leshort 0x268 Motorola 68000 ->>>>(0x3c.l+4) leshort 0x1f0 PowerPC ->>>>(0x3c.l+4) leshort 0x290 PA-RISC ->>>>(0x3c.l+22) leshort&0x0100 >0 32-bit ->>>>(0x3c.l+22) leshort&0x1000 >0 system file ->>>>(0x3c.l+232) lelong >0 Mono/.Net assembly +>>>(0x3c.l+92) leshort <10 +>>>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender +>>>>(8.s*16) string !32STUB for MS Windows +>>>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) +>>>>>(0x3c.l+92) leshort 0 (unknown subsystem) +>>>>>(0x3c.l+92) leshort 1 (native) +>>>>>(0x3c.l+92) leshort 2 (GUI) +>>>>>(0x3c.l+92) leshort 3 (console) +>>>>>(0x3c.l+92) leshort 7 (POSIX) +>>>(0x3c.l+92) leshort 10 (EFI application) +>>>(0x3c.l+92) leshort 11 (EFI boot service driver) +>>>(0x3c.l+92) leshort 12 (EFI runtime driver) +>>>(0x3c.l+92) leshort 13 (XBOX) +>>>(0x3c.l+4) leshort 0x0 unknown processor +>>>(0x3c.l+4) leshort 0x14c Intel 80386 +>>>(0x3c.l+4) leshort 0x166 MIPS R4000 +>>>(0x3c.l+4) leshort 0x184 Alpha +>>>(0x3c.l+4) leshort 0x268 Motorola 68000 +>>>(0x3c.l+4) leshort 0x1f0 PowerPC +>>>(0x3c.l+4) leshort 0x290 PA-RISC +>>>(0x3c.l+4) leshort 0x200 Intel Itanium +>>>(0x3c.l+22) leshort&0x0100 >0 32-bit +>>>(0x3c.l+22) leshort&0x1000 >0 system file +>>>(0x3c.l+232) lelong >0 Mono/.Net assembly >>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed >>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed @@ -125,6 +134,8 @@ >>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>>>0x30 string Inno \b, InnoSetup self-extracting archive +>>(0x3c.l) string !PE\0\0 MS-DOS executable + >>(0x3c.l) string NE \b, NE >>>(0x3c.l+0x36) byte 0 (unknown OS) >>>(0x3c.l+0x36) byte 1 for OS/2 1.x @@ -186,7 +197,7 @@ >>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS # header data too small for extended executable >2 long !0 ->>0x18 leshort <0x40 +>>0x18 leshort <0x40 >>>(4.s*512) leshort !0x014c >>>>&(2.s-514) string !LE @@ -216,31 +227,31 @@ # .EXE formats (Greg Roelofs, newt@uchicago.edu) # ->0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed +>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed >0xe7 string LH/2\ Self-Extract \b, %s >0x1c string diet \b, diet compressed >0x1c string LZ09 \b, LZEXE v0.90 compressed >0x1c string LZ91 \b, LZEXE v0.91 compressed ->0x1c string tz \b, TinyProg compressed +>0x1c string tz \b, TinyProg compressed >0x1e string PKLITE \b, %s compressed ->0x64 string W\ Collis\0\0 \b, Compack compressed +>0x64 string W\ Collis\0\0 \b, Compack compressed >0x24 string LHa's\ SFX \b, LHa self-extracting archive !:mime application/x-lha >0x24 string LHA's\ SFX \b, LHa self-extracting archive !:mime application/x-lha ->0x24 string \ $ARX \b, ARX self-extracting archive ->0x24 string \ $LHarc \b, LHarc self-extracting archive ->0x20 string SFX\ by\ LARC \b, LARC self-extracting archive +>0x24 string \ $ARX \b, ARX self-extracting archive +>0x24 string \ $LHarc \b, LHarc self-extracting archive +>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive >1638 string -lh5- \b, LHa self-extracting archive v2.13S ->0x17888 string Rar! \b, RAR self-extracting archive ->0x40 string aPKG \b, aPackage self-extracting archive +>0x17888 string Rar! \b, RAR self-extracting archive +>0x40 string aPKG \b, aPackage self-extracting archive ->32 string AIN ->>35 string 2 \b, AIN 2.x compressed ->>35 string <2 \b, AIN 1.x compressed ->>35 string >2 \b, AIN 1.x compressed ->28 string UC2X \b, UCEXE compressed ->28 string WWP\ \b, WWPACK compressed +>32 string AIN +>>35 string 2 \b, AIN 2.x compressed +>>35 string <2 \b, AIN 1.x compressed +>>35 string >2 \b, AIN 1.x compressed +>28 string UC2X \b, UCEXE compressed +>28 string WWP\ \b, WWPACK compressed # skip to the end of the exe >(4.s*512) long x @@ -267,15 +278,15 @@ # TELVOX Teleinformatica CODEC self-extractor for OS/2: >49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 ->>49824 leshort =1 \b, 1 file ->>49824 leshort >1 \b, %u files +>>49824 leshort =1 \b, 1 file +>>49824 leshort >1 \b, %u files # .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) # Uncommenting only the first two lines will cover about 2/3 of COM files, # but it isn't feasible to match all COM files since there must be at least # two dozen different one-byte "magics". #0 byte 0xe9 DOS executable (COM) -#>0x1FE leshort 0xAA55 \b, boot code +#>0x1FE leshort 0xAA55 \b, boot code >6 string SFX\ of\ LHarc (%s) 0 belong 0xffffffff DOS executable (device driver) #CMD640X2.SYS @@ -301,22 +312,22 @@ #0 byte 0x8c DOS executable (COM) # 0xeb conflicts with "sequent" magic #0 byte 0xeb DOS executable (COM) -#>0x1FE leshort 0xAA55 \b, boot code +#>0x1FE leshort 0xAA55 \b, boot code #>85 string UPX \b, UPX compressed #>4 string \ $ARX \b, ARX self-extracting archive #>4 string \ $LHarc \b, LHarc self-extracting archive -#>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive +#>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive #0 byte 0xb8 COM executable # modified by Joerg Jenderek ->1 lelong !0x21cd4cff for DOS +>1 lelong !0x21cd4cff for DOS # http://syslinux.zytor.com/comboot.php # (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode # start with assembler instructions mov eax,21cd4cffh ->1 lelong 0x21cd4cff (32-bit COMBOOT) +>1 lelong 0x21cd4cff (32-bit COMBOOT) 0 string \x81\xfc >4 string \x77\x02\xcd\x20\xb9 ->>36 string UPX! FREE-DOS executable (COM), UPX compressed -252 string Must\ have\ DOS\ version DR-DOS executable (COM) +>>36 string UPX! FREE-DOS executable (COM), UPX compressed +252 string Must\ have\ DOS\ version DR-DOS executable (COM) # GRR search is not working #2 search/28 \xcd\x21 COM executable for MS-DOS #WHICHFAT.cOM @@ -374,7 +385,7 @@ 0 belong 0x31be0000 Microsoft Word Document !:mime application/msword # -0 string PO^Q` Microsoft Word 6.0 Document +0 string PO^Q` Microsoft Word 6.0 Document !:mime application/msword # 0 string \376\067\0\043 Microsoft Office Document @@ -406,7 +417,7 @@ >4 belong 0x07800100 fm3 or fmb document data >4 belong 0x07800000 fm3 or fmb document data # -0 belong 0x00000200 Lotus 1-2-3 +0 belong 0x00000200 Lotus 1-2-3 !:mime application/x-123 >4 belong 0x06040600 wk1 document data >4 belong 0x06800200 fmt document data @@ -420,13 +431,13 @@ 0 string \161\250\000\000\001\002 DeIsL1.isu whatever that is # Winamp .avs -#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player -0 string Nullsoft\ AVS\ Preset\ Winamp plug in +#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player +0 string Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafont .WMF -0 string \327\315\306\232 ms-windows metafont .wmf -0 string \002\000\011\000 ms-windows metafont .wmf -0 string \001\000\011\000 ms-windows metafont .wmf +0 string \327\315\306\232 ms-windows metafont .wmf +0 string \002\000\011\000 ms-windows metafont .wmf +0 string \001\000\011\000 ms-windows metafont .wmf #tz3 files whatever that is (MS Works files) 0 string \003\001\001\004\070\001\000\000 tz3 ms-works file @@ -486,13 +497,13 @@ ##### put in Either Magic/font or Magic/news -# Acroread or something files wrongly identified as G3 .pfm +# Acroread or something files wrongly identified as G3 .pfm # these have the form \000 \001 any? \002 \000 \000 # or \000 \001 any? \022 \000 \000 -#0 string \000\001 pfm? -#>3 string \022\000\000Copyright\ yes -#>3 string \002\000\000Copyright\ yes -#>3 string >\0 oops, not a font file. Cancel that. +#0 string \000\001 pfm? +#>3 string \022\000\000Copyright\ yes +#>3 string \002\000\000Copyright\ yes +#>3 string >\0 oops, not a font file. Cancel that. #it clashes with ttf files so put it lower down. # From Doug Lee via a FreeBSD pr @@ -540,7 +551,7 @@ !:mime application/vnd.ms-tnef # HtmlHelp files (.chm) -0 string ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data +0 string ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data # GFA-BASIC (Wolfram Kleff) 2 string GFA-BASIC3 GFA-BASIC 3 data @@ -555,8 +566,8 @@ # InstallShield Cabinet files 0 string ISc( InstallShield Cabinet archive data ->5 byte&0xf0 =0x60 version 6, ->5 byte&0xf0 !0x60 version 4/5, +>5 byte&0xf0 =0x60 version 6, +>5 byte&0xf0 !0x60 version 4/5, >(12.l+40) lelong x %u files # Windows CE package files @@ -570,27 +581,27 @@ >20 lelong 10004 \b, Hitachi SH3E >20 lelong 10005 \b, Hitachi SH4 >20 lelong 70001 \b, ARM 7TDMI ->52 leshort 1 \b, 1 file ->52 leshort >1 \b, %u files ->56 leshort 1 \b, 1 registry entry ->56 leshort >1 \b, %u registry entries +>52 leshort 1 \b, 1 file +>52 leshort >1 \b, %u files +>56 leshort 1 \b, 1 registry entry +>56 leshort >1 \b, %u registry entries # Windows Enhanced Metafile (EMF) # See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. -0 ulelong 1 +0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data ->>44 ulelong x version 0x%x +>>44 ulelong x version 0x%x # From: Alex Beregszaszi 0 string COWD VMWare3 ->4 byte 3 disk image +>4 byte 3 disk image >>32 lelong x (%d/ >>36 lelong x \b%d/ >>40 lelong x \b%d) ->4 byte 2 undoable disk image ->>32 string >\0 (%s) +>4 byte 2 undoable disk image +>>32 string >\0 (%s) 0 string VMDK VMware4 disk image 0 string KDMV VMware4 disk image @@ -600,39 +611,39 @@ # Lines written by Friedrich Schwittay (f.schwittay@yousable.de) # Made by reading sources and doing trial and error on existing # qcow files -0 string QFI Qemu Image, Format: Qcow +0 string QFI Qemu Image, Format: Qcow # Uncomment the following line to display Magic (only used for debugging # this magic number) -#>0 string x , Magic: %s +#>0 string x , Magic: %s # There are currently 2 Versions: "1" and "2" # I do not use Version 2 and therefor branch here # but can assure: it works (tested on both versions) # Also my Qemu 0.9.0 which uses this Version 2 refuses # to start in its bios ->0x04 belong 2 , Version: 2 ->0x04 belong 1 , Version: 1 +>0x04 belong 2 , Version: 2 +>0x04 belong 1 , Version: 1 # Using the existence of the Backing File Offset to Branch or not # to read Backing File Information ->>0xc belong >0 , Backing File( Offset: %lu ->>>(0xc.L) string >\0 , Path: %s +>>0xc belong >0 , Backing File( Offset: %lu +>>>(0xc.L) string >\0 , Path: %s # Didn't get the trick here how qemu stores the "Size" at this Position # There is actually something stored but nothing makes sense # The header in the sources talks about it -#>>>16 lelong x , Size: %lu +#>>>16 lelong x , Size: %lu # Modification time of the Backing File # Really useful if you want to know if your backing # file is still usable together with this image ->>>20 bedate x , Mtime: %s ) +>>>20 bedate x , Mtime: %s ) # Don't know how to calculate in Magicfiles # Also: this Information is not reliably -# stored in image-files ->>24 lelong x , Disk Size could be: %d * 256 bytes +# stored in image-files +>>24 lelong x , Disk Size could be: %d * 256 bytes 0 string QEVM QEMU's suspend to disk image @@ -646,14 +657,14 @@ # False positive with PPT (also currently this string is too long) #0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer 0 string \320\317\021\340\241\261\032\341 Microsoft Office Document -#>48 byte 0x1B Excel Document -#!:mime application/vnd.ms-excel +#>48 byte 0x1B Excel Document +#!:mime application/vnd.ms-excel >546 string bjbj Microsoft Word Document !:mime application/msword >546 string jbjb Microsoft Word Document !:mime application/msword -0 string \224\246\056 Microsoft Word Document +0 string \224\246\056 Microsoft Word Document !:mime application/msword 512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document @@ -667,19 +678,19 @@ >48 string x version %.3s # Type: Microsoft DirectDraw Surface -# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp +# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp # From: Morten Hustveit -0 string DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), +0 string DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), >16 lelong >0 %hd x >12 lelong >0 %hd, >84 string x %.4s # Type: Microsoft Document Imaging Format (.mdi) -# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format +# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format # From: Daniele Sempione 0 short 0x5045 Microsoft Document Imaging Format # MS eBook format (.lit) -0 string ITOLITLS Microsoft Reader eBook Data +0 string ITOLITLS Microsoft Reader eBook Data >8 lelong x \b, version %u !:mime application/x-ms-reader