From 0dd82374d1526d12906334d26a111047903e0448 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 5 Mar 2015 15:04:51 +0100 Subject: [PATCH] updated test magic file --- ext/fileinfo/tests/magic | 4152 ++++++++++++++++++++++++++------------ 1 file changed, 2882 insertions(+), 1270 deletions(-) diff --git a/ext/fileinfo/tests/magic b/ext/fileinfo/tests/magic index 938ac5f73a..78ec97a0c1 100644 --- a/ext/fileinfo/tests/magic +++ b/ext/fileinfo/tests/magic @@ -5,14 +5,7 @@ # to the maintainers, at file@mx.gw.com #------------------------------------------------------------------------------ -# Localstuff: file(1) magic for locally observed files -# -# $File: Localstuff,v 1.4 2003/03/23 04:17:27 christos Exp $ -# Add any locally observed files here. Remember: -# text if readable, executable if runnable binary, data if unreadable. - -#------------------------------------------------------------------------------ -# $File: acorn,v 1.5 2009/09/19 16:28:07 christos Exp $ +# $File$ # acorn: file(1) magic for files found on Acorn systems # @@ -81,7 +74,7 @@ >>10 leshort !1 %d patterns #------------------------------------------------------------------------------ -# $File: adi,v 1.4 2009/09/19 16:28:07 christos Exp $ +# $File$ # adi: file(1) magic for ADi's objects # From Gregory McGarry # @@ -94,7 +87,7 @@ >18 lelong ^010 not stripped #------------------------------------------------------------------------------ -# $File: adventure,v 1.14 2012/06/21 01:32:26 christos Exp $ +# $File: adventure,v 1.13 2010/12/31 16:32:54 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin @@ -204,7 +197,7 @@ #!:mime application/x-adrift #------------------------------------------------------------------------------ -# $File: allegro,v 1.4 2009/09/19 16:28:07 christos Exp $ +# $File$ # allegro: file(1) magic for Allegro datafiles # Toby Deshane # @@ -213,7 +206,7 @@ 0 belong 0x736C682B Allegro datafile (appended exe data) #------------------------------------------------------------------------------ -# $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $ +# $File$ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived @@ -231,7 +224,39 @@ >16 long >0 not stripped #------------------------------------------------------------------------------ -# $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $ +# $File$ +# alpha architecture description +# + +0 leshort 0603 COFF format alpha +>22 leshort&030000 !020000 executable +>24 leshort 0410 pure +>24 leshort 0413 paged +>22 leshort&020000 !0 dynamically linked +>16 lelong !0 not stripped +>16 lelong 0 stripped +>22 leshort&030000 020000 shared library +>24 leshort 0407 object +>27 byte x - version %d +>26 byte x .%d +>28 byte x -%d + +# Basic recognition of Digital UNIX core dumps - Mike Bremford +# +# The actual magic number is just "Core", followed by a 2-byte version +# number; however, treating any file that begins with "Core" as a Digital +# UNIX core dump file may produce too many false hits, so we include one +# byte of the version number as well; DU 5.0 appears only to be up to +# version 2. +# +0 string Core\001 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' +0 string Core\002 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' + + +#------------------------------------------------------------------------------ +# $File$ # amanda: file(1) magic for amanda file format # 0 string AMANDA:\ AMANDA @@ -243,7 +268,7 @@ >>13 string >\ DATE %s #------------------------------------------------------------------------------ -# $File: amigaos,v 1.15 2012/06/21 01:13:59 christos Exp $ +# $File: amigaos,v 1.14 2009/09/19 16:28:07 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -311,7 +336,7 @@ 0 string .key AmigaDOS script #------------------------------------------------------------ -# $File: android,v 1.3 2013/11/08 01:24:22 christos Exp $ +# $File: android,v 1.6 2014/08/04 06:00:36 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -326,54 +351,11 @@ >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) >4 string >000 version %s -# http://android.stackexchange.com/questions/23357/\ -# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ -# 23608#23608 -0 string ANDROID\040BACKUP\n Android Backup ->15 string 1\n \b, version 1 ->17 string 0\n \b, uncompressed ->17 string 1\n \b, compressed ->19 string none\n \b, unencrypted ->19 string AES-256\n \b, encrypted AES-256 - -# Android bootimg format -# From https://android.googlesource.com/\ -# platform/system/core/+/master/mkbootimg/bootimg.h -0 string ANDROID! Android bootimg ->8 lelong >0 \b, kernel ->>12 lelong >0 \b (0x%x) ->16 lelong >0 \b, ramdisk ->>20 lelong >0 \b (0x%x) ->24 lelong >0 \b, second stage ->>28 lelong >0 \b (0x%x) ->36 lelong >0 \b, page size: %d ->38 string >0 \b, name: %s ->64 string >0 \b, cmdline (%s) -# Dalvik .dex format. http://retrodev.com/android/dexformat.html -# From "Mike Fleming" -# Fixed to avoid regexec 17 errors on some dex files -# From "Tim Strazzere" -0 string dex\n ->0 regex dex\n[0-9]{2}\0 Dalvik dex file ->4 string >000 version %s -0 string dey\n ->0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) ->4 string >000 version %s - -# http://android.stackexchange.com/questions/23357/\ -# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ -# 23608#23608 -0 string ANDROID\040BACKUP\n Android Backup ->15 string 1\n \b, version 1 ->17 string 0\n \b, uncompressed ->17 string 1\n \b, compressed ->19 string none\n \b, unencrypted ->19 string AES-256\n \b, encrypted AES-256 - # Android bootimg format # From https://android.googlesource.com/\ # platform/system/core/+/master/mkbootimg/bootimg.h 0 string ANDROID! Android bootimg +>1024 string LOKI\01 \b, LOKI'd >8 lelong >0 \b, kernel >>12 lelong >0 \b (0x%x) >16 lelong >0 \b, ramdisk @@ -400,18 +382,100 @@ >17 string 0\n \b, Not-Compressed >17 string 1\n \b, Compressed # any string as long as it's not the word none (which is matched below) ->>19 regex/1 \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) +>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) >>19 string none\n \b, Not-Encrypted # Commented out because they don't seem useful to print # (but they are part of the header - the tar file comes after them): -#>>>&1 regex/1 .* \b, Password salt: %s -#>>>>&1 regex/1 .* \b, Master salt: %s -#>>>>>&1 regex/1 .* \b, PBKDF2 rounds: %s -#>>>>>>&1 regex/1 .* \b, IV: %s -#>>>>>>>&1 regex/1 .* \b, Key: %s +#>>>&1 regex/1l .* \b, Password salt: %s +#>>>>&1 regex/1l .* \b, Master salt: %s +#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s +#>>>>>>&1 regex/1l .* \b, IV: %s +#>>>>>>>&1 regex/1l .* \b, Key: %s + +# *.pit files by Joerg Jenderek +# http://forum.xda-developers.com/showthread.php?p=9122369 +# http://forum.xda-developers.com/showthread.php?t=816449 +# Partition Information Table for Samsung's smartphone with Android +# used by flash software Odin +0 ulelong 0x12349876 +# 1st pit entry marker +>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +# minimal 13 and maximal 18 PIT entries found +>>4 ulelong <128 Partition Information Table for Samsung smartphone +>>>4 ulelong x \b, %d entries +# 1. pit entry +>>>4 ulelong >0 \b; #1 +>>>0x01C use PIT-entry +>>>4 ulelong >1 \b; #2 +>>>0x0A0 use PIT-entry +>>>4 ulelong >2 \b; #3 +>>>0x124 use PIT-entry +>>>4 ulelong >3 \b; #4 +>>>0x1A8 use PIT-entry +>>>4 ulelong >4 \b; #5 +>>>0x22C use PIT-entry +>>>4 ulelong >5 \b; #6 +>>>0x2B0 use PIT-entry +>>>4 ulelong >6 \b; #7 +>>>0x334 use PIT-entry +>>>4 ulelong >7 \b; #8 +>>>0x3B8 use PIT-entry +>>>4 ulelong >8 \b; #9 +>>>0x43C use PIT-entry +>>>4 ulelong >9 \b; #10 +>>>0x4C0 use PIT-entry +>>>4 ulelong >10 \b; #11 +>>>0x544 use PIT-entry +>>>4 ulelong >11 \b; #12 +>>>0x5C8 use PIT-entry +>>>4 ulelong >12 \b; #13 +>>>>0x64C use PIT-entry +# 14. pit entry +>>>4 ulelong >13 \b; #14 +>>>>0x6D0 use PIT-entry +>>>4 ulelong >14 \b; #15 +>>>0x754 use PIT-entry +>>>4 ulelong >15 \b; #16 +>>>0x7D8 use PIT-entry +>>>4 ulelong >16 \b; #17 +>>>0x85C use PIT-entry +# 18. pit entry +>>>4 ulelong >17 \b; #18 +>>>0x8E0 use PIT-entry + +0 name PIT-entry +# garbage value implies end of pit entries +>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +# skip empty partition name +>>0x24 ubyte !0 +# partition name +>>>0x24 string >\0 %-.32s +# flags +>>>0x0C ulelong&0x00000002 2 \b+RW +# partition ID: +# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER +# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW +>>>0x08 ulelong x (0x%x) +# filename +>>>0x44 string >\0 "%-.64s" +#>>>0x18 ulelong >0 +# blocksize in 512 byte units ? +#>>>>0x18 ulelong x \b, %db +# partition size in blocks ? +#>>>>0x22 ulelong x \b*%d + +# Android bootimg format +# From https://android.googlesource.com/\ +# platform/system/core/+/master/libsparse/sparse_format.h +0 lelong 0xed26ff3a Android sparse image +>4 leshort x \b, version: %d +>6 leshort x \b.%d +>16 lelong x \b, Total of %d +>12 lelong x \b %d-byte output blocks in +>20 lelong x \b %d input chunks. #------------------------------------------------------------------------------ -# $File: animation,v 1.49 2013/08/15 13:15:11 christos Exp $ +# $File: animation,v 1.55 2014/09/13 14:29:51 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -443,43 +507,155 @@ !:mime application/x-quicktime-player 4 string/W jP JPEG 2000 image !:mime image/jp2 +# http://www.ftyps.com/ with local additions 4 string ftyp ISO Media ->8 string isom \b, MPEG v4 system, version 1 -!:mime video/mp4 ->8 string iso2 \b, MPEG v4 system, part 12 revision ->8 string mp41 \b, MPEG v4 system, version 1 -!:mime video/mp4 ->8 string mp42 \b, MPEG v4 system, version 2 -!:mime video/mp4 ->8 string mp7t \b, MPEG v4 system, MPEG v7 XML ->8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML ->8 string/W jp2 \b, JPEG 2000 -!:mime image/jp2 +>8 string 3g2 \b, MPEG v4 system, 3GPP2 +!:mime video/3gpp2 +>>11 byte 4 \b v4 (H.263/AMR GSM 6.10) +>>11 byte 5 \b v5 (H.263/AMR GSM 6.10) +>>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) +>>11 byte a \b C.S0050-0 V1.0 +>>11 byte b \b C.S0050-0-A V1.0.0 +>>11 byte c \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp +>>11 byte 6 \b, Release 6 MBMS Extended Presentations +>>11 byte 7 \b, Release 7 MBMS Extended Presentations >8 string 3gg \b, MPEG v4 system, 3GPP +>11 byte 6 \b, Release 6 General Profile !:mime video/3gpp >8 string 3gp \b, MPEG v4 system, 3GPP +>11 byte 1 \b, Release %d (non existent) +>11 byte 2 \b, Release %d (non existent) +>11 byte 3 \b, Release %d (non existent) +>11 byte 4 \b, Release %d +>11 byte 5 \b, Release %d +>11 byte 6 \b, Release %d +>11 byte 7 \b, Release %d Streaming Servers !:mime video/3gpp >8 string 3gs \b, MPEG v4 system, 3GPP +>11 byte 7 \b, Release %d Streaming Servers !:mime video/3gpp ->8 string 3g2 \b, MPEG v4 system, 3GPP2 +>8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005] +!:mime video/mp4 +>8 string/W qt \b, Apple QuickTime movie +!:mime video/quicktime +>8 string CAEP \b, Canon Digital Camera +>8 string caqv \b, Casio Digital Camera +>8 string CDes \b, Convergent Design +>8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG +>8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images +>8 string da1b \b, DMB MAF, ext da1a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da2a \b, DMB MAF aud w/ HE-AAC v2 aud, MOT slides, DLS, JPG/PNG/MNG +>8 string da2b \b, DMB MAF, ext da2a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da3a \b, DMB MAF aud with HE-AAC aud, JPG/PNG/MNG images +>8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP +>8 string dmb1 \b, DMB MAF supporting all the components defined in the spec +>8 string dmpf \b, Digital Media Project +>8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4) +>8 string dv1a \b, DMB MAF vid w/ AVC vid, ER-BSAC aud, BIFS, JPG/PNG/MNG, TS +>8 string dv1b \b, DMB MAF, ext dv1a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dv2a \b, DMB MAF vid w/ AVC vid, HE-AAC v2 aud, BIFS, JPG/PNG/MNG, TS +>8 string dv2b \b, DMB MAF, ext dv2a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dv3a \b, DMB MAF vid w/ AVC vid, HE-AAC aud, BIFS, JPG/PNG/MNG, TS +>8 string dv3b \b, DMB MAF, ext dv3a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dvr1 \b, DVB (.DVB) over RTP +!:mime video/vnd.dvb.file +>8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream +!:mime video/vnd.dvb.file +>8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V) +!:mime video/mp4 +>8 string F4P \b, Protected Video for Adobe Flash Player 9+ (.F4P) +!:mime video/mp4 +>8 string F4A \b, Audio for Adobe Flash Player 9+ (.F4A) +!:mime audio/mp4 +>8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B) +!:mime audio/mp4 +>8 string isc2 \b, ISMACryp 2.0 Encrypted File +# ?/enc-isoff-generic +>8 string iso2 \b, MP4 Base Media v2 [ISO 14496-12:2005] +!:mime video/mp4 +>8 string isom \b, MP4 Base Media v1 [IS0 14496-12:2003] +!:mime video/mp4 +>8 string/W jp2 \b, JPEG 2000 +!:mime image/jp2 +>8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?] +!:mime image/jp2 +>8 string JP20 \b, Unknown, from GPAC samples (prob non-existent) +>8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6] +!:mime image/jpm +>8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2] +!:mime image/jpx +>8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones !:mime video/3gpp2 ->>11 byte 4 \b v4 (H.263/AMR GSM 6.10) ->>11 byte 5 \b v5 (H.263/AMR GSM 6.10) ->>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) +>8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio +!:mime audio/x-m4a +>8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book +!:mime audio/mp4 +>8 string M4P \b, Apple iTunes ALAC/AAC-LC (.M4P) AES Protected Audio +!:mime video/mp4 +>8 string M4V \b, Apple iTunes Video (.M4V) Video +!:mime video/x-m4v +>8 string M4VH \b, Apple TV (.M4V) +!:mime video/x-m4v +>8 string M4VP \b, Apple iPhone (.M4V) +!:mime video/x-m4v +>8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile +!:mime video/mj2 +>8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile +!:mime video/mj2 +>8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT) +!:mime video/mp4 +>8 string mobi \b, MPEG-4, MOBI format +!:mime video/mp4 +>8 string mp21 \b, MPEG-21 [ISO/IEC 21000-9] +>8 string mp41 \b, MP4 v1 [ISO 14496-1:ch13] +!:mime video/mp4 +>8 string mp42 \b, MP4 v2 [ISO 14496-14] +!:mime video/mp4 +>8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12] +>8 string mp7t \b, MPEG v4 system, MPEG v7 XML +>8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML >8 string mmp4 \b, MPEG v4 system, 3GPP Mobile !:mime video/mp4 ->8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC -!:mime video/3gpp ->8 string/W M4A \b, MPEG v4 system, iTunes AAC-LC +>8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3] +>8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830 +!:mime video/quicktime +>8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP !:mime audio/mp4 ->8 string/W M4V \b, MPEG v4 system, iTunes AVC-LC +>8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio +!:mime audio/mp4 +>8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile !:mime video/mp4 ->8 string/W M4P \b, MPEG v4 system, iTunes AES encrypted ->8 string/W M4B \b, MPEG v4 system, iTunes bookmarked ->8 string/W qt \b, Apple QuickTime movie +>8 string NDSH \b, MPEG-4 (.MP4) Nero HDTV Profile +!:mime video/mp4 +>8 string NDSM \b, MPEG-4 (.MP4) Nero Mobile Profile +!:mime video/mp4 +>8 string NDSP \b, MPEG-4 (.MP4) Nero Portable Profile +!:mime video/mp4 +>8 string NDSS \b, MPEG-4 (.MP4) Nero Standard Profile +!:mime video/mp4 +>8 string NDXC \b, H.264/MPEG-4 AVC (.MP4) Nero Cinema Profile +!:mime video/mp4 +>8 string NDXH \b, H.264/MPEG-4 AVC (.MP4) Nero HDTV Profile +!:mime video/mp4 +>8 string NDXM \b, H.264/MPEG-4 AVC (.MP4) Nero Mobile Profile +!:mime video/mp4 +>8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile +!:mime video/mp4 +>8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile +!:mime video/mp4 +>8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A) +>8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C) +>8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C) +>8 string pana \b, Panasonic Digital Camera +>8 string qt \b, Apple QuickTime (.MOV/QT) !:mime video/quicktime +>8 string ROSS \b, Ross Video +>8 string sdv \b, SD Memory Card Video +>8 string ssc1 \b, Samsung stereo, single stream (patent pending) +>8 string ssc2 \b, Samsung stereo, dual stream (patent pending) # MPEG sequences # Scans for all common MPEG header start codes @@ -862,6 +1038,7 @@ # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 +!:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps @@ -1031,7 +1208,7 @@ # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm -#>1 beshort&0x1FFF x \b, %u byte packet +#>1 beshort&0x1FFF x \b, %hu byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams @@ -1129,16 +1306,16 @@ !:mime video/x-mng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a ->>16 belong x %ld x ->>20 belong x %ld +>>16 belong x %d x +>>20 belong x %d # JNG Video Format, 0 string \x8bJNG JNG video data, !:mime video/x-jng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a ->>16 belong x %ld x ->>20 belong x %ld +>>16 belong x %d x +>>20 belong x %d # Vivo video (Wolfram Kleff) 3 string \x0D\x0AVersion:Vivo Vivo video data @@ -1199,25 +1376,26 @@ # MPEG file # MPEG sequences -# FIXME: This section is from the old magic.mime file and needs integrating with the rest -0 belong 0x000001BA ->4 byte &0x40 -!:mime video/mp2p ->4 byte ^0x40 -!:mime video/mpeg -0 belong 0x000001BB -!:mime video/mpeg -0 belong 0x000001B0 -!:mime video/mp4v-es -0 belong 0x000001B5 -!:mime video/mp4v-es -0 belong 0x000001B3 -!:mime video/mpv -0 belong&0xFF5FFF10 0x47400010 -!:mime video/mp2t -0 belong 0x00000001 ->4 byte&0x1F 0x07 -!:mime video/h264 +# FIXME: This section is from the old magic.mime file and needs +# integrating with the rest +#0 belong 0x000001BA +#>4 byte &0x40 +#!:mime video/mp2p +#>4 byte ^0x40 +#!:mime video/mpeg +#0 belong 0x000001BB +#!:mime video/mpeg +#0 belong 0x000001B0 +#!:mime video/mp4v-es +#0 belong 0x000001B5 +#!:mime video/mp4v-es +#0 belong 0x000001B3 +#!:mime video/mpv +#0 belong&0xFF5FFF10 0x47400010 +#!:mime video/mp2t +#0 belong 0x00000001 +#>4 byte&0x1F 0x07 +#!:mime video/h264 # Type: Bink Video # Extension: .bik @@ -1305,7 +1483,7 @@ >12 lelong x %d frames #------------------------------------------------------------------------------ -# $File: aout,v 1.1 2013/01/09 22:37:23 christos Exp $ +# $File$ # aout: file(1) magic for a.out executable/object/etc entries that # handle executables on multiple platforms. # @@ -1351,14 +1529,14 @@ #------------------------------------------------------------------------------ -# $File: apl,v 1.6 2009/09/19 16:28:07 christos Exp $ +# $File$ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long 0100554 APL workspace (Ken's original?) #------------------------------------------------------------------------------ -# $File: apple,v 1.27 2013/03/09 22:36:00 christos Exp $ +# $File: apple,v 1.28 2014/04/28 12:04:50 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -1562,15 +1740,15 @@ # purposes in YellowStep/Cocoa, including some nib files. # From: David Remahl 2 string typedstream NeXT/Apple typedstream data, big endian ->0 byte x \b, version %hhd +>0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b ->>>14 ubeshort x \b, system %hd +>>>14 ubeshort x \b, system %d 2 string streamtyped NeXT/Apple typedstream data, little endian ->0 byte x \b, version %hhd +>0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b ->>>14 uleshort x \b, system %hd +>>>14 uleshort x \b, system %d #------------------------------------------------------------------------------ # CAF: Apple CoreAudio File Format @@ -1660,7 +1838,7 @@ 0 string \0\0\0\1Bud1\0 Apple Desktop Services Store #------------------------------------------------------------------------------ -# $File: applix,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File$ # applix: file(1) magic for Applixware # From: Peter Soos # @@ -1672,7 +1850,7 @@ >7 string MACRO Macro >7 string BUILDER Builder Object #------------------------------------------------------------------------------ -# $File: archive,v 1.81 2014/01/08 22:27:31 christos Exp $ +# $File: archive,v 1.87 2014/06/03 19:15:58 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -1765,9 +1943,10 @@ # "debian". # 0 string =!\ndebian -!:mime application/x-debian-package >8 string debian-split part of multipart Debian package +!:mime application/vnd.debian.binary-package >8 string debian-binary Debian binary package +!:mime application/vnd.debian.binary-package >8 string !debian >68 string >\0 (format %s) # These next two lines do not work, because a bzip2 Debian archive @@ -1941,7 +2120,7 @@ >9 string \0 >>0 string KWAJ >>>7 string \321\003 MS Compress archive data ->>>>14 ulong >0 \b, original size: %ld bytes +>>>>14 ulong >0 \b, original size: %d bytes >>>>18 ubyte >0x65 >>>>>18 string x \b, was %.8s >>>>>(10.b-4) string x \b.%.3s @@ -2170,7 +2349,7 @@ # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, -#>2 leshort >1 %u files, +#>2 leshort >1 %hu files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC @@ -2546,7 +2725,7 @@ # From: Dirk Jagdmann # xar archive format: http://code.google.com/p/xar/ 0 string xar! xar archive ->6 beshort x - version %ld +>6 beshort x - version %d # From: "Nelson A. de Oliveira" # .kgb @@ -2593,8 +2772,41 @@ >36 byte 16 \b, back-to-front >42 beshort x \b, (%dx, >44 beshort x %d) -#------------------------------------------------------------------------------ -# $File: assembler,v 1.6 2013/12/11 14:14:20 christos Exp $ + +# Symantec GHOST image by Joerg Jenderek at May 2014 +# http://us.norton.com/ghost/ +# http://www.garykessler.net/library/file_sigs.html +0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image +# *.GHO +>2 ubyte&0x08 0x00 \b, first file +# *.GHS or *.[0-9] with cns program option +>2 ubyte&0x08 0x08 \b, split file +# part of split index interesting for *.ghs +>>4 ubyte x id=0x%x +# compression tag minus one equals numeric compression command line switch z[1-9] +>3 ubyte 0 \b, no compression +>3 ubyte 2 \b, fast compression (Z1) +>3 ubyte 3 \b, medium compression (Z2) +>3 ubyte >3 +>>3 ubyte <11 \b, compression (Z%d-1) +>2 ubyte&0x08 0x00 +# ~ 30 byte password field only for *.gho +>>12 ubequad !0 \b, password protected +>>44 ubyte !1 +# 1~Image All, sector-by-sector only for *.gho +>>>10 ubyte 1 \b, sector copy +# 1~Image Boot track only for *.gho +>>>43 ubyte 1 \b, boot track +# 1~Image Disc only for *.gho implies Image Boot track and sector copy +>>44 ubyte 1 \b, disc sector copy +# optional image description only *.gho +>>0xff string >\0 "%-.254s" +# look for DOS sector end sequence +>0xE08 search/7776 \x55\xAA +>>&-512 indirect x \b; contains + +#------------------------------------------------------------------------------ +# $File: assembler,v 1.5 2013/09/17 17:33:36 christos Exp $ # make: file(1) magic for assembler source # 0 regex \^[\040\t]{0,50}\\.asciiz assembler source text @@ -2613,7 +2825,7 @@ !:mime text/x-asm #------------------------------------------------------------------------------ -# $File: asterix,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File$ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character # strings as "long" - we assume they're just strings: # From: guy@netapp.com (Guy Harris) @@ -2642,10 +2854,10 @@ # The 3B20 conflicts with SCCS. #0 beshort 0550 3b20 COFF executable #>12 belong >0 not stripped -#>22 beshort >0 - version %ld +#>22 beshort >0 - version %d #0 beshort 0551 3b20 COFF executable (TV) #>12 belong >0 not stripped -#>22 beshort >0 - version %ld +#>22 beshort >0 - version %d # # WE32K # @@ -2660,19 +2872,19 @@ >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0443 (target shared library) ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 0561 WE32000 COFF executable (TV) >12 belong >0 not stripped #>18 beshort &00020000 - 32100 required #>18 beshort &00040000 and MAU hardware required -#>22 beshort >0 - version %ld +#>22 beshort >0 - version %d # # core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' #------------------------------------------------------------------------------ -# $File: audio,v 1.68 2013/12/02 13:32:26 christos Exp $ +# $File: audio,v 1.71 2014/05/14 23:30:28 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -2776,7 +2988,7 @@ # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data ->4 belong x - version %ld +>4 belong x - version %d # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] @@ -2972,7 +3184,7 @@ >>5 byte &0x40 \b, extended header >>5 byte &0x20 \b, experimental >>5 byte &0x10 \b, footer present ->(6.I) indirect x \b, contains: +>(6.I+10) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File @@ -3310,7 +3522,7 @@ # From: Mike Melanson 0 string wvpk WavPack Lossless Audio -# From Fábio R. Schmidlin +# From Fabio R. Schmidlin # VGM music file 0 string Vgm\ >9 ubyte >0 VGM Video Game Music dump v @@ -3374,7 +3586,7 @@ #---------------------------------------------------------------- -# $File: basis,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File$ # basis: file(1) magic for BBx/Pro5-files # Oliver Dammer 2005/11/07 # http://www.basis.com business-basic-files. @@ -3398,7 +3610,7 @@ # From Philippe De Muyter # 0 string bFLT BFLT executable ->4 belong x - version %ld +>4 belong x - version %d >4 belong 4 >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic @@ -3406,7 +3618,7 @@ >>36 belong&0x8 0x8 gzdata #------------------------------------------------------------------------------ -# $File: blackberry,v 1.1 2014/01/31 01:51:32 christos Exp $ +# $File: apple,v 1.27 2013/03/09 22:36:00 christos Exp $ # blackberry: file(1) magic for BlackBerry file formats # 5 belong 0 @@ -3478,7 +3690,7 @@ 0 string #!BPY Blender3D BPython script #------------------------------------------------------------------------------ -# $File: blit,v 1.8 2009/09/19 16:28:08 christos Exp $ +# $File$ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... @@ -3498,7 +3710,7 @@ #0 short 0520 tty630 layers executable #------------------------------------------------------------------------------ -# $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File$ # i80960 b.out objects and archives # 0 long 0x10d i960 b.out relocatable object @@ -3520,7 +3732,7 @@ >32 byte 0x6a (uses shared libs) # same as in SunOS 4.x, except for static shared libraries -0 belong&077777777 0600413 sparc demand paged +0 belong&077777777 0600413 SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable @@ -3529,13 +3741,13 @@ >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) -0 belong&077777777 0600410 sparc pure +0 belong&077777777 0600410 SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) -0 belong&077777777 0600407 sparc +0 belong&077777777 0600407 SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped @@ -3551,7 +3763,7 @@ 0 string XIS Chiasmus key #------------------------------------------------------------------------------ -# $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File$ # BTSnoop: file(1) magic for BTSnoop files # # From @@ -3564,7 +3776,7 @@ >>12 belong x type %d #------------------------------------------------------------------------------ -# $File: c64,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File$ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann @@ -3757,8 +3969,13 @@ # 3DS (3d Studio files) Conflicts with diff output 0x3d '=' #16 beshort 0x3d3d image/x-3ds +# MegaCAD 2D/3D drawing (.prt) +# http://megacad.de/ +# From: Markus Heidelberg +0 string MegaCad23\0 MegaCAD 2D/3D drawing + #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.14 2013/02/27 16:59:59 christos Exp $ +# $File: cafebabe,v 1.17 2015/01/01 17:07:00 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, @@ -3774,8 +3991,8 @@ # ### JAVA START ### 0 belong 0xcafebabe -!:mime application/x-java-applet >4 belong >30 compiled Java class data, +!:mime application/x-java-applet >>6 beshort x version %d. >>4 beshort x \b%d # Which is which? @@ -3786,6 +4003,8 @@ >>4 belong 0x0030 (Java 1.4) >>4 belong 0x0031 (Java 1.5) >>4 belong 0x0032 (Java 1.6) +>>4 belong 0x0033 (Java 1.7) +>>4 belong 0x0034 (Java 1.8) 0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. @@ -3803,14 +4022,14 @@ 0 name mach-o \b [ >0 use mach-o-cpu \b ->&(8.L) indirect \b: +>(8.L) indirect \b: >0 belong x \b] 0 belong 0xcafebabe >4 belong 1 Mach-O universal binary with 1 architecture: >>8 use mach-o \b >4 belong >1 ->>4 belong <20 Mach-O universal binary with %ld architectures: +>>4 belong <20 Mach-O universal binary with %d architectures: >>>8 use mach-o \b >>>28 use mach-o \b >>4 belong >2 @@ -3821,7 +4040,28 @@ ### MACH-O END ### #------------------------------------------------------------------------------ -# $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File: elf,v 1.68 2014/09/19 19:05:57 christos Exp $ +# cbor: file(1) magic for CBOR files as defined in RFC 7049 + +0 string \xd9\xd9\xf7 Concise Binary Object Representation (CBOR) container +!:mime application/cbor +>3 ubyte <0x20 (positive integer) +>3 ubyte <0x40 +>>3 ubyte >0x1f (negative integer) +>3 ubyte <0x60 +>>3 ubyte >0x3f (byte string) +>3 ubyte <0x80 +>>3 ubyte >0x5f (text string) +>3 ubyte <0xa0 +>3 ubyte >0x7f (array) +>3 ubyte <0xc0 +>>3 ubyte >0x9f (map) +>3 ubyte <0xe0 +>>3 ubyte >0xbf (tagged) +>3 ubyte >0xdf (other) + +#------------------------------------------------------------------------------ +# $File$ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From @@ -3833,7 +4073,7 @@ 0 search/1/w #\040xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------ -# $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $ +# $File: chord,v 1.4 2009/09/19 16:28:08 christos Exp $ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter @@ -3848,7 +4088,7 @@ 0 string ptab\004\000 Power-Tab v4 Tablature File #------------------------------------------------------------------------------ -# $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File$ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code @@ -3860,7 +4100,7 @@ >7 string >\0 for '%s' #------------------------------------------------------------------------------ -# $File: citrus,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File$ # citrus locale declaration # @@ -3940,7 +4180,7 @@ >2 leshort &0x0010 \b, compressed >2 leshort &0x0040 \b, read only # number of records ->5 lelong x \b, %ld records +>5 lelong x \b, %d records # Memo files 0 leshort 0x334d Clarion Developer (v2 and above) memo data @@ -4034,7 +4274,7 @@ >20 short 0413 (demand paged) >20 short 0443 (target shared library) >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d 0 short 0577 CLIPPER COFF executable >18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 @@ -4046,7 +4286,7 @@ >20 short 0413 (paged) >20 short 0443 (target shared library) >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d >48 long&01 01 alignment trap enabled >52 byte 1 -Ctnc >52 byte 2 -Ctsw @@ -4064,17 +4304,24 @@ 4 string prof CLIPPER instruction profile #------------------------------------------------------------------------------ -# $File: commands,v 1.46 2013/03/25 14:06:55 christos Exp $ +# $File: commands,v 1.50 2014/05/30 16:48:44 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 0 string/wt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /bin/sh POSIX shell script executable (binary data) +!:mime text/x-shellscript + 0 string/wt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript + # korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string/wt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /bin/ksh Korn shell script executable (binary data) +!:mime text/x-shellscript + 0 string/wt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable @@ -4113,7 +4360,7 @@ !:mime text/x-awk 0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk -0 regex =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text +0 regex/4096 =^\\s{0,100}BEGIN\\s{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable @@ -4121,12 +4368,20 @@ # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string/wt #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript 0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript 0 string/wt #!\ /usr/local/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript # PHP scripts # Ulf Harnhammar @@ -4159,7 +4414,7 @@ 0 string #!/usr/bin/pdmenu Pdmenu configuration file text #---------------------------------------------------------------------------- -# $File: communications,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File$ # communication # TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3. @@ -4180,7 +4435,7 @@ 0 string msc Message Sequence Chart (chart) 0 string submsc Message Sequence Chart (subchart) #------------------------------------------------------------------------------ -# $File: compress,v 1.53 2014/01/05 15:55:21 christos Exp $ +# $File: compress,v 1.61 2014/09/12 20:57:45 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -4372,8 +4627,8 @@ # Type: LZMA 0 lelong&0xffffff =0x5d -!:mime application/x-lzma >12 leshort 0xff LZMA compressed data, +!:mime application/x-lzma >>5 lequad =0xffffffffffffffff streamed >>5 lequad !0xffffffffffffffff non-streamed, size %lld >12 leshort 0 LZMA compressed data, @@ -4391,9 +4646,12 @@ !:mime application/x-lrzip # http://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html -0 lelong 0x184d2204 LZ4 compressed data +0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 -0 lelong 0x184c2102 LZ4 compressed data, legacy format +# Added by osm0sis@xda-developers.com +0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) +!:mime application/x-lz4 +0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9) !:mime application/x-lz4 # AFX compressed files (Wolfram Kleff) @@ -4425,9 +4683,23 @@ >0x4 lelong x \b, version %u >0x8 lelong x \b, %u entries +# Snappy framing format +# http://code.google.com/p/snappy/source/browse/trunk/framing_format.txt +0 string \377\006\0\0sNaPpY snappy framed data +!:mime application/x-snappy-framed + +# qpress, http://www.quicklz.com/ +0 string qpress10 qpress compressed data +!:mime application/x-qpress + +# Zlib https://www.ietf.org/rfc/rfc6713.txt +0 beshort%31 =0 +>0 byte&0xf =8 +>>0 byte&0x80 =0 zlib compressed data +!:mime application/zlib #------------------------------------------------------------------------------ -# $File: console,v 1.19 2013/02/06 14:18:52 christos Exp $ +# $File: console,v 1.18 2010/09/20 19:19:17 rrt Exp $ # Console game magic # Toby Deshane # ines: file(1) magic for Marat's iNES Nintendo Entertainment System @@ -4443,9 +4715,9 @@ >6 byte&0x04 =0x8 \b, [4-Scr] #------------------------------------------------------------------------------ -# game boy: file(1) magic for the Nintendo (Color) Game Boy raw ROM format +# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # -0x104 belong 0xCEED6666 Game Boy ROM: +0x104 belong 0xCEED6666 Gameboy ROM: >0x134 string >\0 "%.16s" >0x146 byte 0x03 \b,[SGB] >0x147 byte 0x00 \b, [ROM ONLY] @@ -4605,8 +4877,8 @@ 0 string \x01ZZZZZ\x01 3DO "Opera" file system # From Gurkan Sengun , www.linuks.mine.nu -0 string GBS Nintendo Game Boy Music/Audio Data -12 string GameBoy\ Music\ Module Nintendo Game Boy Music Module +0 string GBS Nintendo Gameboy Music/Audio Data +12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module # Playstations Patch Files from: From: Thomas Klausner 0 string PPF30 Playstation Patch File version 3.0 @@ -4691,7 +4963,7 @@ >12 string >\0 "%s" #------------------------------------------------------------------------------ -# $File: convex,v 1.8 2012/10/03 23:44:43 christos Exp $ +# $File: convex,v 1.7 2009/09/19 16:28:08 christos Exp $ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. @@ -4760,7 +5032,7 @@ >84 belong&0x18000000 =0x18000000 undefined fpmode #------------------------------------------------------------------------------ -# $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $ +# $File$ # cracklib: file (1) magic for cracklib v2.7 0 lelong 0x70775631 Cracklib password index, little endian @@ -4774,7 +5046,7 @@ >12 belong >0 (%i words) # ---------------------------------------------------------------------------- -# $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $ +# $File$ # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai 0 search/1 =!_TAG Exuberant Ctags tag file text @@ -4803,7 +5075,7 @@ >&0 regex [0-9]+\.[0-9]+ \b, v%s #------------------------------------------------------------------------------ -# $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $ +# $File: cubemaps,v 1.0 2011/12/22 09:01:05 christos Exp $ # file(1) magic(5) data for cubemaps Martin Erik Werner # 0 string ACMP Map file for the AssaultCube FPS game @@ -4817,7 +5089,7 @@ # http://www.cups.org/documentation.php/spec-raster.html # -0 name cups-be +0 name cups-le >280 lelong x \b, %d >284 lelong x \bx%d dpi >376 lelong x \b, %dx @@ -4855,7 +5127,7 @@ >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian !:mime application/vnd.cups-raster ->0 use ^cups-be +>0 use ^cups-le # Cups Raster image format, Little Endian @@ -4864,10 +5136,10 @@ >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian !:mime application/vnd.cups-raster ->0 use \^cups-be +>0 use cups-le #------------------------------------------------------------------------------ -# $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File$ # dact: file(1) magic for DACT compressed files # 0 long 0x444354C3 DACT compressed data @@ -4878,7 +5150,7 @@ >15 long >30 $BS, block size: %i bytes #------------------------------------------------------------------------------ -# $File: database,v 1.36 2013/12/09 20:31:53 christos Exp $ +# $File: database,v 1.42 2014/08/19 14:18:04 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -4887,9 +5159,17 @@ # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # -0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian +0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit +!:mime application/x-gdbm +0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old +!:mime application/x-gdbm +0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit +!:mime application/x-gdbm +0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit !:mime application/x-gdbm -0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian +0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old +!:mime application/x-gdbm +0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit !:mime application/x-gdbm 0 string GDBM GNU dbm 2.x database !:mime application/x-gdbm @@ -4983,7 +5263,7 @@ >>8 quad 0 64bit aligned >>>16 bedouble 8.642135e+130 big-endian >>>>24 long 0 64bit long (s390x) ->>>>24 long !0 32bit long (hppa/mips/ppc/s390/sparc) +>>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC) >>>16 ledouble 8.642135e+130 little-endian >>>>28 long 0 64bit long (alpha/amd64/ia64) >>>>28 long !0 32bit long (armel/mipsel) @@ -5048,14 +5328,13 @@ >>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name >>>>>>>>>>>32 ubyte >0 -!:mime application/x-dbf #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type # database file >>>>>>>>>>>>0 ubyte x \b DBF >>>>>>>>>>>>4 lelong 0 \b, no records ->>>>>>>>>>>>4 lelong >0 \b, %ld record +>>>>>>>>>>>>4 lelong >0 \b, %d record # plural s appended >>>>>>>>>>>>>4 lelong >1 \bs # http://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF @@ -5081,27 +5360,27 @@ # for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) >>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte ->>>>>>>>47 ubyte x +>>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) >>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 ->>>>>>>>>45 ubeshort <0x0C20 ->>>>>>>>>>45 ubyte >0 ->>>>>>>>>>>46 ubyte <32 ->>>>>>>>>>>>46 ubyte >0 +>>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx ->>>>>>>>>>>>>0 use xbase-type ->>>>>>>>>>>>>0 ubyte x \b MDX ->>>>>>>>>>>>>1 ubyte x \b, creation-date ->>>>>>>>>>>>>1 use xbase-date ->>>>>>>>>>>>>44 ubyte x \b, update-date ->>>>>>>>>>>>>44 use xbase-date +>>>>>>>>>>>>>>0 use xbase-type +>>>>>>>>>>>>>>0 ubyte x \b MDX +>>>>>>>>>>>>>>1 ubyte x \b, creation-date +>>>>>>>>>>>>>>1 use xbase-date +>>>>>>>>>>>>>>44 ubyte x \b, update-date +>>>>>>>>>>>>>>44 use xbase-date # No.of tags in use (1,2,5,12) ->>>>>>>>>>>>>28 uleshort x \b, %d +>>>>>>>>>>>>>>28 uleshort x \b, %d # No. of entries in tag (0x30) ->>>>>>>>>>>>>25 ubyte x \b/%d tags +>>>>>>>>>>>>>>25 ubyte x \b/%d tags # Length of tag ->>>>>>>>>>>>>26 ubyte x * %d +>>>>>>>>>>>>>>26 ubyte x * %d # 1st tag name_ >>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" # 2nd tag name @@ -5115,47 +5394,69 @@ >>0 ubyte 0x02 FoxBase # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III +!:mime application/x-dbf # dBASE IV no memo file >>0 ubyte 0x04 dBase IV +!:mime application/x-dbf # dBASE V no memo file >>0 ubyte 0x05 dBase V +!:mime application/x-dbf >>0 ubyte 0x30 Visual FoxPro +!:mime application/x-dbf >>0 ubyte 0x31 Visual FoxPro, autoincrement +!:mime application/x-dbf # Visual FoxPro, with field type Varchar or Varbinary >>0 ubyte 0x32 Visual FoxPro, with field type Varchar +!:mime application/x-dbf # dBASE IV SQL, no memo;dbv memo var size (Flagship) >>0 ubyte 0x43 dBase IV, with SQL table +!:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0x62 dBase IV, with SQL table +#!:mime application/x-dbf # dBASE IV, with memo!! >>0 ubyte 0x7b dBase IV, with memo +!:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0x82 dBase IV, with SQL system +#!:mime application/x-dbf # FoxBase+/dBaseIII+ with memo .DBT! >>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT +!:mime application/x-dbf # VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file >>0 ubyte 0x87 VISUAL OBJECTS, with memo file +!:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT +#!:mime application/x-dbf # dBASE IV with memo! >>0 ubyte 0x8B dBase IV, with memo .DBT +!:mime application/x-dbf # dBase IV with SQL Table,no memo? >>0 ubyte 0x8E dBase IV, with SQL table +!:mime application/x-dbf # .dbv and .dbt memo (Flagship)? >>0 ubyte 0xB3 Flagship # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0xCA dBase IV with memo .DBT +#!:mime application/x-dbf # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT +!:mime application/x-dbf # HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo +!:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0xF4 dBase IV, with SQL table, with memo +#!:mime application/x-dbf >>0 ubyte 0xF5 FoxPro with memo +!:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0xFA FoxPro 2.x, with memo +#!:mime application/x-dbf # unknown version (should not happen) >>0 default x xBase +!:mime application/x-dbf >>>0 ubyte x (0x%x) # flags in version byte # DBT flag (with dBASE III memo .DBT)!! @@ -5194,60 +5495,103 @@ # dBASE III >>>>>>16 ubyte 3 # dBASE III DBT ->>>>>>>0 use xbase-memo-print -# dBASE IV DBT , FoxPro FPT or many PNG , ZIP , DBF garbage +>>>>>>>0 use dbase3-memo-print +# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 -# dBASE IV DBT with DBF name or DBF garbage ->>>>>>>8 ubelong >0x40000000 -# skip DBF and catch dBASE IV DBT with DBF name and with non big index of next free block ->>>>>>>>0 ulelong <0x01010002 ->>>>>>>>>0 use xbase-memo-print ->>>>>>>8 ubelong 0 +# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF +>>>>>>>20 uleshort 0 +# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage +>>>>>>>>8 ulong =0 +>>>>>>>>>6 ubeshort >0 +# skip emacs.PIF +>>>>>>>>>>4 ushort 0 +>>>>>>>>>>>0 use foxpro-memo-print +# dBASE III DBT , garbage +>>>>>>>>>6 ubeshort 0 # skip MM*DD*.bin by test for for reserved NULL byte ->>>>>>>>508 ubelong 0 -# real memo files should contain text here ->>>>>>>>>520 ubelong >0x20202019 ->>>>>>>>>>520 ubelong <0xFEFEFEFF ->>>>>>>>>>>0 use xbase-memo-print -# garbage PCX , ZIP , JAR , XPI ->>>>>>>8 default x - -# Print the information of dBase DBT or FoxPro FPT memo files -0 name xbase-memo-print ->0 ubyte x -# test version -# memo file ->>16 ubyte 3 dBase III DBT ->>16 ubyte 0 ->>>512 ubelong <0x00000003 FoxPro FPT -# Size of blocks for FoxPro ->>>>6 ubeshort x \b, blocks size %lu -# Number of next available block for appending data for FoxPro ->>>>0 ubelong =0 \b, next free block index %lu ->>>>0 ubelong !0 \b, next free block index %lu ->>>512 default x dBase IV DBT -# DBF file name without extension ->>>>8 string >\0 \b of %-.8s.DBF -# size of blocks ; not reliable 0x2020204C -#>>>>4 ulelong =0 \b, blocks size %lu ->>>>4 ulelong !0 \b, blocks size %lu -# Block length found 0 , 512 -#>>>>20 uleshort =0 \b, block length %u ->>>>20 uleshort !0 \b, block length %u +>>>>>>>>>>510 ubeshort 0 +# skip TK-DOS11.img image by looking for memo text +>>>>>>>>>>>512 ubelong <0xfeffff03 +# skip EFI executables by looking for memo text +>>>>>>>>>>>>512 ubelong >0x1F202020 +>>>>>>>>>>>>>513 ubyte >0 +# unusual dBASE III DBT like adressen.dbt +>>>>>>>>>>>>>>0 use dbase3-memo-print +# dBASE III DBT like angest.dbt, or garbage PCX DBF +>>>>>>>>8 ubelong !0 +# skip PCX and some DBF by test for for reserved NULL bytes +>>>>>>>>>510 ubeshort 0 +# skip some DBF by test of invalid version +>>>>>>>>>>0 ubyte >5 +>>>>>>>>>>>0 ubyte <48 +>>>>>>>>>>>>0 use dbase3-memo-print +# dBASE IV DBT with positive block size +>>>>>>>20 uleshort >0 +>>>>>>>>0 use dbase4-memo-print + +# Print the information of dBase III DBT memo file +0 name dbase3-memo-print +>0 ubyte x dBase III DBT +# instead 3 as version number 0 for unusual examples like biblio.dbt +>16 ubyte !3 \b, version number %u # Number of next available block for appending data ->>>>0 ulelong =0 \b, next free block index %lu ->>>>0 ulelong !0 \b, next free block index %lu ->>512 ubelong x ->>>512 ubelong =0xFFFF0800 ->>>>520 string >\0 \b, 1st used item "%s" -# FoxPro ->>>512 ubelong <3 -# FoxPro memo ->>>>512 ubelong =1 ->>>>520 string >\0 \b, 1st used item "%s" ->>>512 default x -# may be deleted memo field ->>>>512 string >\0 \b, 1st item "%s" +#>0 lelong =0 \b, next free block index %u +>0 lelong !0 \b, next free block index %u +# no positiv block length +#>20 uleshort =0 \b, block length %u +>20 uleshort !0 \b, block length %u +# dBase III memo field terminated by \032\032 +>512 string >\0 \b, 1st item "%s" +# Print the information of dBase IV DBT memo file +0 name dbase4-memo-print +>0 lelong x dBase IV DBT +# 8 character shorted main name of coresponding dBASE IV DBF file +>8 ubelong >0x20000000 +# skip unusual like for angest.dbt +>>20 uleshort >0 +>>>8 string >\0 \b of %-.8s.DBF +# value 0 implies 512 as size +#>4 ulelong =0 \b, blocks size %u +# size of blocks not reliable like 0x2020204C in angest.dbt +>4 ulelong !0 +>>4 ulelong&0x0000003f 0 \b, blocks size %u +# dBase IV DBT with positive block length (found 512 , 1024) +>20 uleshort >0 \b, block length %u +# next available block +#>0 lelong =0 \b, next free block index %u +>0 lelong !0 \b, next free block index %u +>20 uleshort >0 +>>(20.s) ubelong x +>>>&-4 use dbase4-memofield-print +# unusual dBase IV DBT without block length (implies 512 as length) +>20 uleshort =0 +>>512 ubelong x +>>>&-4 use dbase4-memofield-print +# Print the information of dBase IV memo field +0 name dbase4-memofield-print +# free dBase IV memo field +>0 ubelong !0xFFFF0800 +>>0 lelong x \b, next free block %u +>>4 lelong x \b, next used block %u +# used dBase IV memo field +>0 ubelong =0xFFFF0800 +# length of memo field +>>4 lelong x \b, field length %d +>>>8 string >\0 \b, 1st used item "%s" +# Print the information of FoxPro FPT memo file +0 name foxpro-memo-print +>0 belong x FoxPro FPT +# Size of blocks for FoxPro ( 64,256 ) +>6 ubeshort x \b, blocks size %u +# next available block +#>0 belong =0 \b, next free block index %u +>0 belong !0 \b, next free block index %u +# field type ( 0~picture, 1~memo, 2~object ) +>512 ubelong <3 \b, field type %u +# length of memo field +>512 ubelong 1 +>>516 belong >0 \b, field length %d +>>>520 string >\0 \b, 1st item "%s" # TODO: # DBASE index file *.NDX @@ -5347,7 +5691,7 @@ 0 string IDA1 IDA (Interactive Disassembler) database #------------------------------------------------------------------------------ -# $File: diamond,v 1.7 2009/09/19 16:28:08 christos Exp $ +# $File$ # diamond: file(1) magic for Diamond system # # ... diamond is a multi-media mail and electronic conferencing system.... @@ -5359,7 +5703,7 @@ 0 string =\n8 belong x signature strength=%d) #------------------------------------------------------------------------------ -# $File: digital,v 1.11 2013/01/11 16:45:23 christos Exp $ +# $File: digital,v 1.10 2011/05/03 01:44:17 christos Exp $ # Digital UNIX - Info # 0 string =!\n________64E Alpha archive @@ -5457,7 +5801,7 @@ >6 short 0x40 for Alpha #------------------------------------------------------------------------------ -# $File: dolby,v 1.7 2014/01/08 22:37:23 christos Exp $ +# $File: dolby,v 1.6 2012/10/31 13:39:42 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! @@ -5534,7 +5878,7 @@ 0 name new-dump-be >4 bedate x Previous dump %s, >8 bedate x This dump %s, ->12 belong >0 Volume %ld, +>12 belong >0 Volume %d, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, @@ -5553,7 +5897,7 @@ 0 name old-dump-be #>4 bedate x Previous dump %s, #>8 bedate x This dump %s, ->12 belong >0 Volume %ld, +>12 belong >0 Volume %d, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, @@ -5572,7 +5916,7 @@ 0 name ufs2-dump-be >896 beqdate x Previous dump %s, >904 beqdate x This dump %s, ->12 belong >0 Volume %ld, +>12 belong >0 Volume %d, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, @@ -5610,7 +5954,7 @@ 18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), >2 medate x Previous dump %s, >6 medate x This dump %s, ->10 leshort >0 Volume %ld, +>10 leshort >0 Volume %d, >0 leshort 1 tape header. >0 leshort 2 beginning of file record. >0 leshort 3 map of inodes on tape. @@ -5623,50 +5967,60 @@ # $File: dyadic,v 1.5 2010/09/20 18:55:20 rrt Exp $ # Dyadic: file(1) magic for Dyalog APL. # -0 byte 0xaa ->1 byte <4 Dyalog APL ->>1 byte 0x00 incomplete workspace ->>1 byte 0x01 component file ->>1 byte 0x02 external variable ->>1 byte 0x03 workspace ->>2 byte x version %d ->>3 byte x .%d - -0 beshort 0xaa03 Dyalog APL ->2 byte x workspace type %d ->3 byte x subtype %d ->7 byte&0x28 0x00 32-bit ->7 byte&0x28 0x20 64-bit ->7 byte&0x0c 0x00 classic ->7 byte&0x0c 0x04 unicode ->7 byte&0x88 0x00 big-endian ->7 byte&0x88 0x80 little-endian - -0 byte 0xaa Dyalog APL ->1 byte 0x00 aplcore ->1 byte 0x01 component file 32-bit non-journaled non-checksummed ->1 byte 0x02 external variable exclusive ->1 byte 0x06 external variable shared ->1 byte 0x07 session ->1 byte 0x08 mapped file 32-bit ->1 byte 0x09 component file 64-bit non-journaled non-checksummed ->1 byte 0x0a mapped file 64-bit ->1 byte 0x0b component file 32-bit level 1 journaled non-checksummed ->1 byte 0x0c component file 64-bit level 1 journaled non-checksummed ->1 byte 0x0d component file 32-bit level 1 journaled checksummed ->1 byte 0x0e component file 64-bit level 1 journaled checksummed ->1 byte 0x0f component file 32-bit level 2 journaled checksummed ->1 byte 0x10 component file 64-bit level 2 journaled checksummed ->1 byte 0x11 component file 32-bit level 3 journaled checksummed ->1 byte 0x12 component file 64-bit level 3 journaled checksummed ->1 byte 0x13 component file 32-bit non-journaled checksummed ->1 byte 0x14 component file 64-bit non-journaled checksummed ->1 byte 0x80 DDB - +# updated by Joerg Jenderek at Oct 2013 +# http://en.wikipedia.org/wiki/Dyalog_APL +# http://www.dyalog.com/ +# .DXV Dyalog APL External Variable +# .DIN Dyalog APL Input Table +# .DOT Dyalog APL Output Table +# .DFT Dyalog APL Format File +0 ubeshort&0xFF60 0xaa00 +# skip biblio.dbt +>1 byte !4 +# real Dyalog APL have non zero version numbers like 7.3 or 13.4 +>>2 ubeshort >0x0000 Dyalog APL +>>>1 byte 0x00 aplcore +#>>>1 byte 0x00 incomplete workspace +# *.DCF Dyalog APL Component File +>>>1 byte 0x01 component file 32-bit non-journaled non-checksummed +#>>>1 byte 0x01 component file +>>>1 byte 0x02 external variable exclusive +#>>>1 byte 0x02 external variable +# *.DWS Dyalog APL Workspace +>>>1 byte 0x03 workspace +>>>>7 byte&0x28 0x00 32-bit +>>>>7 byte&0x28 0x20 64-bit +>>>>7 byte&0x0c 0x00 classic +>>>>7 byte&0x0c 0x04 unicode +>>>>7 byte&0x88 0x00 big-endian +>>>>7 byte&0x88 0x80 little-endian +>>>1 byte 0x06 external variable shared +# *.DSE Dyalog APL Session , *.DLF Dyalog APL Session Log File +>>>1 byte 0x07 session +>>>1 byte 0x08 mapped file 32-bit +>>>1 byte 0x09 component file 64-bit non-journaled non-checksummed +>>>1 byte 0x0a mapped file 64-bit +>>>1 byte 0x0b component file 32-bit level 1 journaled non-checksummed +>>>1 byte 0x0c component file 64-bit level 1 journaled non-checksummed +>>>1 byte 0x0d component file 32-bit level 1 journaled checksummed +>>>1 byte 0x0e component file 64-bit level 1 journaled checksummed +>>>1 byte 0x0f component file 32-bit level 2 journaled checksummed +>>>1 byte 0x10 component file 64-bit level 2 journaled checksummed +>>>1 byte 0x11 component file 32-bit level 3 journaled checksummed +>>>1 byte 0x12 component file 64-bit level 3 journaled checksummed +>>>1 byte 0x13 component file 32-bit non-journaled checksummed +>>>1 byte 0x14 component file 64-bit non-journaled checksummed +>>>1 byte 0x80 DDB +>>>2 byte x version %d +>>>3 byte x \b.%d +#>>>2 byte x type %d +#>>>3 byte x subtype %d + +# *.DXF Dyalog APL Transfer File 0 short 0x6060 Dyalog APL transfer #------------------------------------------------------------------------------ -# $File: ebml,v 1.1 2010/07/02 00:07:03 christos Exp $ +# $File$ # ebml: file(1) magic for various Extensible Binary Meta Language # http://www.matroska.org/technical/specs/index.html#track 0 belong 0x1a45dfa3 EBML file @@ -5674,7 +6028,7 @@ >>&1 string x \b, creator %.8s #------------------------------------------------------------------------------ -# $File: editors,v 1.8 2009/09/19 16:28:09 christos Exp $ +# $File$ # T602 editor documents # by David Necas 0 string @CT\ T602 document data, @@ -5704,10 +6058,10 @@ >>&0 lelong 0x01000007 \b, x86_64 >>&20 lelong 7 \b, i386 >>&20 lelong 0x01000007 \b, x86_64 ->4 lelong >2 Universal EFI binary with %ld architectures +>4 lelong >2 Universal EFI binary with %d architectures #------------------------------------------------------------------------------ -# $File: elf,v 1.64 2013/08/04 09:31:47 christos Exp $ +# $File: elf,v 1.67 2014/06/12 13:52:48 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -5739,15 +6093,15 @@ >16 leshort &0xff00 processor-specific, >18 clear x >18 leshort 0 no machine, ->18 leshort 1 AT&T WE32100 ->18 leshort 2 SPARC +>18 leshort 1 AT&T WE32100, +>18 leshort 2 SPARC, >18 leshort 3 Intel 80386, ->18 leshort 4 Motorola +>18 leshort 4 Motorola m68k, >>4 byte 1 >>>36 lelong &0x01000000 68000, >>>36 lelong &0x00810000 CPU32, >>>36 lelong 0 68020, ->18 leshort 5 Motorola 88000, +>18 leshort 5 Motorola m88k, >18 leshort 6 Intel 80486, >18 leshort 7 Intel 80860, # The official e_machine number for MIPS is now #8, regardless of endianness. @@ -5803,6 +6157,7 @@ >>>36 lelong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, >>>36 lelong&0xffff00 0x000400 HaL R1 Extensions Required, >>>36 lelong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, +>18 leshort 19 Intel 80960, >18 leshort 20 PowerPC or cisco 4500, >18 leshort 21 64-bit PowerPC or cisco 7500, >18 leshort 22 IBM S/390, @@ -5820,7 +6175,6 @@ >>>36 lelong &0x00800000 BE8 >>>36 lelong &0x00400000 LE8 >18 leshort 41 Alpha, ->18 leshort 0xa390 IBM S/390 (obsolete), >18 leshort 42 Renesas SH, >18 leshort 43 SPARC V9, >>4 byte 2 @@ -5850,6 +6204,8 @@ >18 leshort 61 Tinyj emb., >18 leshort 62 x86-64, >18 leshort 63 Sony DSP, +>18 leshort 64 DEC PDP-10, +>18 leshort 65 DEC PDP-11, >18 leshort 66 FX66, >18 leshort 67 ST9+ 8/16 bit, >18 leshort 68 ST7 8 bit, @@ -5879,18 +6235,118 @@ >18 leshort 92 OpenRISC, >18 leshort 93 ARC Cores Tangent-A5, >18 leshort 94 Tensilica Xtensa, +>18 leshort 95 Alphamosaic VideoCore, +>18 leshort 96 Thompson Multimedia, >18 leshort 97 NatSemi 32k, +>18 leshort 98 Tenor Network TPC, +>18 leshort 99 Trebia SNP 1000, +>18 leshort 100 STMicroelectronics ST200, +>18 leshort 101 Ubicom IP2022, +>18 leshort 102 MAX Processor, +>18 leshort 103 NatSemi CompactRISC, +>18 leshort 104 Fujitsu F2MC16, +>18 leshort 105 TI msp430, >18 leshort 106 Analog Devices Blackfin, +>18 leshort 107 S1C33 Family of Seiko Epson, +>18 leshort 108 Sharp embedded, +>18 leshort 109 Arca RISC, +>18 leshort 110 PKU-Unity Ltd., +>18 leshort 111 eXcess: 16/32/64-bit, +>18 leshort 112 Icera Deep Execution Processor, >18 leshort 113 Altera Nios II, ->18 beshort 138 LatticeMico32, +>18 leshort 114 NatSemi CRX, +>18 leshort 115 Motorola XGATE, +>18 leshort 116 Infineon C16x/XC16x, +>18 leshort 117 Renesas M16C series, +>18 leshort 118 Microchip dsPIC30F, +>18 leshort 119 Freescale RISC core, +>18 leshort 120 Renesas M32C series, +>18 leshort 131 Altium TSK3000 core, +>18 leshort 132 Freescale RS08, +>18 leshort 134 Cyan Technology eCOG2, +>18 leshort 135 Sunplus S+core7 RISC, +>18 leshort 136 New Japan Radio (NJR) 24-bit DSP, +>18 leshort 137 Broadcom VideoCore III, +>18 leshort 138 LatticeMico32, +>18 leshort 139 Seiko Epson C17 family, +>18 leshort 140 TI TMS320C6000 DSP family, +>18 leshort 141 TI TMS320C2000 DSP family, +>18 leshort 142 TI TMS320C55x DSP family, +>18 leshort 160 STMicroelectronics 64bit VLIW DSP, +>18 leshort 161 Cypress M8C, +>18 leshort 162 Renesas R32C series, +>18 leshort 163 NXP TriMedia family, +>18 leshort 164 QUALCOMM DSP6, +>18 leshort 165 Intel 8051 and variants, +>18 leshort 166 STMicroelectronics STxP7x family, +>18 leshort 167 Andes embedded RISC, +>18 leshort 168 Cyan eCOG1X family, +>18 leshort 169 Dallas MAXQ30, +>18 leshort 170 New Japan Radio (NJR) 16-bit DSP, +>18 leshort 171 M2000 Reconfigurable RISC, +>18 leshort 172 Cray NV2 vector architecture, +>18 leshort 173 Renesas RX family, >18 leshort 174 META, +>18 leshort 175 MCST Elbrus, +>18 leshort 176 Cyan Technology eCOG16 family, +>18 leshort 177 NatSemi CompactRISC, +>18 leshort 178 Freescale Extended Time Processing Unit, +>18 leshort 179 Infineon SLE9X, +>18 leshort 180 Intel L1OM, +>18 leshort 181 Intel K1OM, >18 leshort 183 ARM aarch64, +>18 leshort 185 Atmel 32-bit family, +>18 leshort 186 STMicroeletronics STM8 8-bit, >18 leshort 187 Tilera TILE64, >18 leshort 188 Tilera TILEPro, +>18 leshort 189 Xilinx MicroBlaze 32-bit RISC, +>18 leshort 190 NVIDIA CUDA architecture, >18 leshort 191 Tilera TILE-Gx, +>18 leshort 197 Renesas RL78 family, +>18 leshort 199 Renesas 78K0R, +>18 leshort 200 Freescale 56800EX, +>18 leshort 201 Beyond BA1, +>18 leshort 202 Beyond BA2, +>18 leshort 203 XMOS xCORE, +>18 leshort 204 Microchip 8-bit PIC(r), +>18 leshort 210 KM211 KM32, +>18 leshort 211 KM211 KMX32, +>18 leshort 212 KM211 KMX16, +>18 leshort 213 KM211 KMX8, +>18 leshort 214 KM211 KVARC, +>18 leshort 215 Paneve CDP, +>18 leshort 216 Cognitive Smart Memory, +>18 leshort 217 iCelero CoolEngine, +>18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 243 UCB RISC-V, +>18 leshort 0x1057 AVR (unofficial), +>18 leshort 0x1059 MSP430 (unofficial), +>18 leshort 0x1223 Adapteva Epiphany (unofficial), +>18 leshort 0x2530 Morpho MT (unofficial), +>18 leshort 0x3330 FR30 (unofficial), >18 leshort 0x3426 OpenRISC (obsolete), +>18 leshort 0x4688 Infineon C166 (unofficial), +>18 leshort 0x5441 Cygnus FRV (unofficial), +>18 leshort 0x5aa5 DLX (unofficial), +>18 leshort 0x7650 Cygnus D10V (unofficial), +>18 leshort 0x7676 Cygnus D30V (unofficial), +>18 leshort 0x8217 Ubicom IP2xxx (unofficial), >18 leshort 0x8472 OpenRISC (obsolete), +>18 leshort 0x9025 Cygnus PowerPC (unofficial), >18 leshort 0x9026 Alpha (unofficial), +>18 leshort 0x9041 Cygnus M32R (unofficial), +>18 leshort 0x9080 Cygnus V850 (unofficial), +>18 leshort 0xa390 IBM S/390 (obsolete), +>18 leshort 0xabc7 Old Xtensa (unofficial), +>18 leshort 0xad45 xstormy16 (unofficial), +>18 leshort 0xbaab Old MicroBlaze (unofficial),, +>18 leshort 0xbeef Cygnus MN10300 (unofficial), +>18 leshort 0xdead Cygnus MN10200 (unofficial), +>18 leshort 0xf00d Toshiba MeP (unofficial), +>18 leshort 0xfeb0 Renesas M32C (unofficial), +>18 leshort 0xfeba Vitesse IQ2000 (unofficial), +>18 leshort 0xfebb NIOS (unofficial), +>18 leshort 0xfeed Moxie (unofficial), >18 default x >>18 leshort x *unknown arch 0x%x* >20 lelong 0 invalid version @@ -5942,17 +6398,17 @@ >20 short 0x10b demand-paged executable >20 short 0x10f unsupported executable >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d >22 short 0 - #>4 date x stamp %s 0 short 0x155 Encore unsupported executable >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d >22 short 0 - #>4 date x stamp %s #------------------------------------------------------------------------------ -# $File: epoc,v 1.9 2013/12/21 14:28:15 christos Exp $ +# $File: epoc,v 1.8 2012/06/16 14:43:36 christos Exp $ # EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] # Stefan Praszalowicz and Peter Breitenlohner # Useful information for improving this file can be found at: @@ -6014,7 +6470,7 @@ 0 lelong 0x1000007A Psion Series 5 executable #------------------------------------------------------------------------------ -# $File: erlang,v 1.6 2010/09/20 19:19:17 rrt Exp $ +# $File: erlang,v 1.5 2009/09/19 16:28:09 christos Exp $ # erlang: file(1) magic for Erlang JAM and BEAM files # URL: http://www.erlang.org/faq/x779.html#AEN812 @@ -6035,7 +6491,7 @@ 0 bequad 0x0000000000ABCDEF Erlang DETS file #------------------------------------------------------------------------------ -# $File: esri,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File$ # ESRI Shapefile format (.shp .shx .dbf=DBaseIII) # Based on info from # @@ -6063,7 +6519,7 @@ >32 lelong =31 type MultiPatch #------------------------------------------------------------------------------ -# $File: fcs,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File$ # fcs: file(1) magic for FCS (Flow Cytometry Standard) data files # From Roger Leigh 0 string FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0 @@ -6071,7 +6527,7 @@ 0 string FCS3.0 Flow Cytometry Standard (FCS) data, version 3.0 #------------------------------------------------------------------------------ -# $File: filesystems,v 1.85 2013/11/19 23:54:05 christos Exp $ +# $File: filesystems,v 1.107 2014/12/03 18:02:52 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid @@ -6276,8 +6732,8 @@ >>0752 short >0 %d alt cyls, >>0754 short >0 %d heads/partition, >>0756 short >0 %d sectors/track, ->>0764 long >0 start cyl %ld, ->>0770 long x %ld blocks +>>0764 long >0 start cyl %d, +>>0770 long x %d blocks # Is there a boot block written 1 sector in? >512 belong&077777777 0600407 \b, boot block present @@ -6321,24 +6777,25 @@ 0 string PNCIUNDO Norton Disk Doctor UnDo file # -# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011 +# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 # for any allowed sector sizes 30 search/481 \x55\xAA # to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) # DOS BPB information (70) and after DOS floppy (120) like in previous file version -!:strength +72 +!:strength +65 # for sector sizes < 512 Bytes >11 uleshort <512 >>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector # for sector sizes with 512 or more Bytes >0x1FE leshort 0xAA55 DOS/MBR boot sector + # keep old DOS/MBR boot sector as dummy for mbr and bootloader displaying # only for sector sizes with 512 or more Bytes -0x1FE leshort 0xAA55 DOS/MBR boot sector -!:strength +72 +0x1FE leshort 0xAA55 DOS/MBR boot sector +# # to display information (50) before DOS BPB (strength=70) and after DOS floppy (120) like in old file version -#!:strength +21 ->2 string OSBS \b, OS/BS MBR +!:strength +65 +>2 string OSBS OS/BS MBR # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ # and http://en.wikipedia.org/wiki/Master_Boot_Record # test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by @@ -6391,8 +6848,8 @@ # assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbebe07b104 9M # "Invalid partition table" nn=0x10F for english version -# "Ungültige Partitionstabelle" nn=0x10F for german version -# "Table de partition erronée" nn=0x10F for french version +# "Ung\201ltige Partitionstabelle" nn=0x10F for german version +# "Table de partition erron\202e" nn=0x10F for french version # "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x10F for russian version >>>>(0x3C.b+0x0FF) string Invalid\ partition\ table english >>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german @@ -6402,13 +6859,13 @@ >>>>(0x3C.b+0x0FF) string >\0 "%s" # "Error loading operating system" nn=0x127 for english version # "Fehler beim Laden des Betriebssystems" nn=0x12b for german version -# "Erreur lors du chargement du système d'exploitation" nn=0x12a for french version +# "Erreur lors du chargement du syst\212me d'exploitation" nn=0x12a for french version # "\216\350\250\241\252\240 \257\340\250 \247\240\243\340\343\247\252\245 \256\257\245\340\240\346\250\256\255\255\256\251 \341\250\341\342\245\254\353" nn=0x12d for russian version >>>>0xBD ubyte x at offset 0x1%x >>>>(0xBD.b+0x100) string >\0 "%s" # "Missing operating system" nn=0x146 for english version # "Betriebssystem fehlt" nn=0x151 for german version -# "Système d'exploitation manquant" nn=0x15e for french version +# "Syst\212me d'exploitation manquant" nn=0x15e for french version # "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x156 for russian version >>>>0xA9 ubyte x at offset 0x1%x >>>>(0xA9.b+0x100) string >\0 "%s" @@ -6419,7 +6876,7 @@ >>>>0x1B4 ubelong&0x00FFFFFF 0x002c4463 english >>>>0x1B4 ubelong&0x00FFFFFF 0x002c486e german # "Invalid partition table" xx=0x12C for english version -# "Ungültige Partitionstabelle" xx=0x12C for german version +# "Ung\201ltige Partitionstabelle" xx=0x12C for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x144 for english version @@ -6440,7 +6897,7 @@ >>>>0x1B4 ubelong&0x00FFFFFF 0x00627a99 english #>>>>0x1B4 ubelong&0x00FFFFFF ? german # "Invalid partition table" xx=0x162 for english version -# "Ungültige Partitionstabelle" xx=0x1?? for german version +# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x17a for english version @@ -6458,7 +6915,7 @@ >>>>0x1B4 ubelong&0x00FFFFFF 0x00637b9a english #>>>>0x1B4 ubelong&0x00FFFFFF ? german # "Invalid partition table" xx=0x163 for english version -# "Ungültige Partitionstabelle" xx=0x1?? for german version +# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x17b for english version @@ -6591,7 +7048,7 @@ >>>>>379 string GRUB\ \0 \b, GRUB version 0.95 or 0.96 >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 -#unknown version +# unknown version >>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 @@ -6610,6 +7067,8 @@ >>>514 string !HdrS # not BeOS >>>>422 string !Be\ Boot\ Loader +>>>>>32769 string CD001 +>>>>>>0 use cdrom # jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr >>>>>0 ubelong&0xFD000000 =0xE9000000 # AdvanceMAME mbr @@ -6638,16 +7097,11 @@ #OEM-ID=BOOTWIZ0 >442 string Non-system\ disk,\ >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader -# updated by Joerg Jenderek at Nov 2012 +# updated by Joerg Jenderek at Nov 2012, Sep 2013 # DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes ->>>477 ubyte&0xDF >0 ->>>>477 string x \b %-.3s ->>>>>480 ubyte&0xDF >0 ->>>>>>480 string x \b%-.4s ->>>>>>>484 ubyte&0xDF >0 ->>>>>>>>484 string x \b%-.1s ->>>>485 ubyte&0xDF >0 ->>>>>485 string x \b.%-.3s +# display 1 space +>>>447 ubyte x \b +>>>477 use DOS-filename # >185 string FDBOOT\ Version\ >>204 string \rNo\ Systemdisk.\ @@ -7087,75 +7541,45 @@ # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader ->>>>>499 string x \b %-.1s ->>>>>>500 ubyte&0xDF >0 ->>>>>>>500 string x \b%-.1s ->>>>>>>>501 ubyte&0xDF >0 ->>>>>>>>>501 string x \b%-.1s ->>>>>>>>>>502 ubyte&0xDF >0 ->>>>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>>>503 ubyte&0xDF >0 ->>>>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>>>504 ubyte&0xDF >0 ->>>>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>>>>>>>>>>>505 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>505 string x \b%-.1s ->>>>>>>>>>>>>>>>>>506 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>>>506 string x \b%-.1s -#name extension ->>>>>507 ubyte&0xDF >0 \b. ->>>>>>507 string x \b%-.1s ->>>>>>>508 ubyte&0xDF >0 ->>>>>>>>508 string x \b%-.1s ->>>>>>>>>509 ubyte&0xDF >0 ->>>>>>>>>>509 string x \b%-.1s +>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader +>>>>>499 use DOS-filename #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. #If the boot sector fails to find needed program in the root directory, #it also hangs with another message ("NF"). >>>>>492 string RENF \b, FAT (12 bit) >>>>>495 string RENF \b, FAT (16 bit) -# http://alexfru.chat.ru/epm.html#bootprog ->494 ubyte >0x4D ->>495 string >E ->>>495 string >>>3 string BootProg -# It just looks for a program file name at the root directory -# and loads corresponding file with following execution. -# DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader ->>>>>499 string x \b %-.1s ->>>>>>500 ubyte&0xDF >0 ->>>>>>>500 string x \b%-.1s ->>>>>>>>501 ubyte&0xDF >0 ->>>>>>>>>501 string x \b%-.1s ->>>>>>>>>>502 ubyte&0xDF >0 ->>>>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>>>503 ubyte&0xDF >0 ->>>>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>>>504 ubyte&0xDF >0 ->>>>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>>>>>>>>>>>505 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>505 string x \b%-.1s ->>>>>>>>>>>>>>>>>>506 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>>>506 string x \b%-.1s -#name extension ->>>>>507 ubyte&0xDF >0 \b. ->>>>>>507 string x \b%-.1s ->>>>>>>508 ubyte&0xDF >0 ->>>>>>>>508 string x \b%-.1s ->>>>>>>>>509 ubyte&0xDF >0 ->>>>>>>>>>509 string x \b%-.1s #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. -#If the boot sector fails to find needed program in the root directory, -#it also hangs with another message ("NF"). ->>>>>492 string RENF \b, FAT (12 bit) ->>>>>495 string RENF \b, FAT (16 bit) # x86 bootloader end +# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO +# and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector +>0 string RRaA +>>0x1E4 string rrAa \b, FSInfosector +#>>0x1FC uleshort =0 SHOULD BE ZERO +>>>0x1E8 ulelong <0xffffffff \b, %u free clusters +>>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u + +# updated by Joerg Jenderek at Sep 2007 +>3 ubyte 0 +#no active flag +>>446 ubyte 0 +# partition 1 not empty +>>>450 ubyte >0 +# partitions 3,4 empty +>>>>482 ubyte 0 +>>>>>498 ubyte 0 +# partition 2 ID=0,5,15 +>>>>>>466 ubyte <0x10 +>>>>>>>466 ubyte 0x05 \b, extended partition table +>>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) +>>>>>>>466 ubyte 0x0 \b, extended partition table (last) + +# DOS x86 sector separated and moved from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 + +>0x200 lelong 0x82564557 \b, BSD disklabel + # by Joerg Jenderek at Apr 2013 # Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension # like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS @@ -7193,33 +7617,6 @@ >11 ubyte x \b+ >11 use DOS-filename -# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO -# and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector ->0 string RRaA ->>0x1E4 string rrAa \b, FSInfosector -#>>0x1FC uleshort =0 SHOULD BE ZERO ->>>0x1E8 ulelong <0xffffffff \b, %u free clusters ->>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u - -# updated by Joerg Jenderek at Sep 2007 ->3 ubyte 0 -#no active flag ->>446 ubyte 0 -# partition 1 not empty ->>>450 ubyte >0 -# partitions 3,4 empty ->>>>482 ubyte 0 ->>>>>498 ubyte 0 -# partition 2 ID=0,5,15 ->>>>>>466 ubyte <0x10 ->>>>>>>466 ubyte 0x05 \b, extended partition table ->>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) ->>>>>>>466 ubyte 0x0 \b, extended partition table (last) - -# DOS x86 sector separated and moved from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 - ->0x200 lelong 0x82564557 \b, BSD disklabel - # http://en.wikipedia.org/wiki/Master_boot_record#PTE # display standard partition table 0 name partition-table @@ -7370,6 +7767,7 @@ >>>>>181 search/166 Error\ \0 # "a: disk" , "Fn: diskn" or "NetBSD MBR boot" >>>>>>&3 string x \b,"%s" +>>>446 use partition-table # Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html # added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 # assembler instructions: jmp short 0x58;nop;ASCII @@ -7402,7 +7800,7 @@ #>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x # for older versions >>>(0x1BC.s+9) ubyte <2 -#>>>>(0x1BC.s+12) ubyte 18 \b,%u/18 seconds +#>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x @@ -7445,7 +7843,7 @@ >>>>0x207 ubyte x \b.%u # module_size for 1.94 >>>>0x208 ulelong <0xffffff \b, installed partition %u -#>>>>0x208 ulelong =0xffffff \b, %u (default) +#>>>>0x208 ulelong =0xffffff \b, %lu (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial >>>>0x20C ulelong&0x2E300000 0x2E300000 @@ -7487,18 +7885,19 @@ # minimal short forward jump found 0x29 for bootloaders or 0x0 # maximal short forward jump is 0x7f # OEM-ID is empty or contain readable bytes -0 ulelong&0x804000E9 0x000000E9 +0 ulelong&0x804000E9 0x000000E9 +!:strength +60 # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 ->11 uleshort&0xf001f 0 +>11 uleshort&0x001f 0 >>11 uleshort <32769 >>>11 uleshort >31 >>>>21 ubyte&0xf0 0xF0 ->>>>>0 ubyte 0xEB +>>>>>0 ubyte 0xEB DOS/MBR boot sector >>>>>>1 ubyte x \b, code offset 0x%x+2 >>>>>0 ubyte 0xE9 ->>>>>>1 uleshort x \b, code offset 0x%x+2 +>>>>>>1 uleshort x \b, code offset 0x%x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC >>>>>>8 string IHC \b cached by Windows 9M @@ -7507,10 +7906,11 @@ >>>>>11 uleshort <512 \b, Bytes/sector %u >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) ->>>>>82 string FAT32 +# for lazy FAT32 implementation like Transcend digital photo frame PF830 +>>>>>82 string/c fat32 >>>>>>14 uleshort !32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) ->>>>>82 string !FAT32 +>>>>>82 string/c !fat32 >>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) #>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) @@ -7519,38 +7919,43 @@ >>>>>16 ubyte =1 \b, FAT %u >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u -#>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) +#>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) >>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) -#>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) +#>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) >>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x >>>>>22 uleshort >0 \b, sectors/FAT %u -#>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) +#>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32) >>>>>24 uleshort x \b, sectors/track %u >>>>>26 ubyte >2 \b, heads %u #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u # valid only for sector sizes with more then 32 Bytes >>>>>11 uleshort >32 -# skip for Digital Research DOS (version 3.41) 1440 kB Bootdisk ->>>>>>38 ubyte !0x70 +# http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block +# skip for values 2,2Ah,70h,73h,DFh +# and continue for extended boot signature values 0,28h,29h,80h +>>>>>>38 ubyte&0x56 =0 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) >>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 bit specific ->>>>>>>82 string !FAT32 +>>>>>>>82 string/c !fat32 #>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>>>36 ubyte !0x80 >>>>>>>>>36 ubyte !0 \b, physical drive 0x%x +# VGA-copy CRC or +# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>>>37 ubyte >0 \b, reserved 0x%x #>>>>>>>>37 ubyte =0 \b, reserved 0x%x -# value is 0x80 for NTFS +# extended boot signatur value is 0x80 for NTFS, 0x28 or 0x29 for others >>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) ->>>>>>>>38 ubyte =0x29 +>>>>>>>>38 ubyte&0xFE =0x28 >>>>>>>>>39 ulelong x \b, serial number 0x%x +>>>>>>>>38 ubyte =0x29 >>>>>>>>>43 string >>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" >>>>>>>>>43 string =NO\ NAME \b, unlabeled @@ -7560,15 +7965,39 @@ # if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, # otherwise FAT is 16 bit. # http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html ->>>>>>54 string FAT \b, FAT ->>>>>>>54 string FAT12 \b (12 bit) ->>>>>>>54 string FAT16 \b (16 bit) +>>>>>82 string/c !fat32 +>>>>>>54 string FAT12 \b, FAT (12 bit) +>>>>>>54 string FAT16 \b, FAT (16 bit) +>>>>>>54 default x +# determinate FAT bit size by media descriptor +# small floppies implies FAT12 +>>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) +# with media descriptor F0h floppy or maybe superfloppy with FAT16 +>>>>>>>21 ubyte =0xF0 +# superfloppy (many sectors) implies FAT16 +>>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) +# no superfloppy with media descriptor F0h implies FAT12 +>>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) +# with media descriptor F8h floppy or hard disc with FAT12 or FAT16 +>>>>>>>21 ubyte =0xF8 +# 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 +>>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) +# hard disc with FAT12 or FAT16 +>>>>>>>>19 default x \b, FAT (1Y bit by descriptor) +# with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc +>>>>>>>21 ubyte =0xFA +# 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 +>>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) +# RAM disc with FAT12 or FAT16 or Tandy hard disc +>>>>>>>>19 default x \b, FAT (1Y bit by descriptor) +# others are floppy +>>>>>>>21 default x \b, FAT (12 bit by descriptor) # FAT32 bit specific ->>>>>82 string FAT32 \b, FAT (32 bit) +>>>>>82 string/c fat32 \b, FAT (32 bit) >>>>>>36 ulelong x \b, sectors/FAT %u # http://technet.microsoft.com/en-us/library/cc977221.aspx >>>>>>40 uleshort >0 \b, extension flags 0x%x -#>>>>>>40 uleshort =0 \b, extension flags %u +#>>>>>>40 uleshort =0 \b, extension flags %hu >>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>42 uleshort =0 \b, fsVersion %u (usual) >>>>>>44 ulelong >2 \b, rootdir cluster %u @@ -7577,9 +8006,12 @@ >>>>>>48 uleshort >1 \b, infoSector %u #>>>>>>48 uleshort =1 \b, infoSector %u (usual) >>>>>>48 uleshort <1 \b, infoSector %u ->>>>>>50 uleshort >6 \b, Backup boot sector %u +# 0 or 0xFFFF instead of usual 6 means no backup sector +>>>>>>50 uleshort =0xFFFF \b, no Backup boot sector +>>>>>>50 uleshort =0 \b, no Backup boot sector #>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) ->>>>>>50 uleshort <6 \b, Backup boot sector %u +>>>>>>50 default x +>>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO >>>>>>52 ulelong >0 \b, reserved1 0x%x >>>>>>56 ulelong >0 \b, reserved2 0x%x @@ -7627,13 +8059,13 @@ # Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. >>>>>>>>>64 lelong <256 >>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d ->>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%hhi) +>>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) # Values 0 to 127 represent index block sizes of 0 to 127 clusters. # Values 128 to 255 represent index block sizes of 2^(256-N) byte >>>>>>>>>68 ulelong <256 >>>>>>>>>>68 ulelong <128 \b, clusters/index block %d #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) ->>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%hhi) +>>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx >>>>>>>>>80 ulelong >0 \b, checksum 0x%x #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) @@ -7681,7 +8113,7 @@ >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %ld, +>&-264 lelong x pending inodes to free %d, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization @@ -7701,7 +8133,7 @@ >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %ld, +>&-264 lelong x pending inodes to free %d, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization @@ -7741,7 +8173,7 @@ >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %ld, +>&-264 belong x pending inodes to free %d, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization @@ -7761,7 +8193,7 @@ >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %ld, +>&-264 belong x pending inodes to free %d, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization @@ -7942,9 +8374,10 @@ # all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 # http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions -512 ubelong&0xE0ffff00 0xE0ffff00 +# Too Weak. +#512 ubelong&0xE0ffff00 0xE0ffff00 # without valid Media descriptor in place of BPB, cases with are done at other places ->21 ubyte <0xE5 floppy with old FAT filesystem +#>21 ubyte <0xE5 floppy with old FAT filesystem # but valid Media descriptor at begin of FAT #>>512 ubyte =0xed 720k #>>512 ubyte =0xf0 1440k @@ -7952,73 +8385,72 @@ #>>512 ubyte =0xf9 1220k #>>512 ubyte =0xfa 320k #>>512 ubyte =0xfb 640k ->>512 ubyte =0xfc 180k +#>>512 ubyte =0xfc 180k # look like an an old DOS directory entry ->>>0xA0E ubequad 0 ->>>>0xA00 ubequad !0 -!:mime application/x-ima ->>512 ubyte =0xfd +#>>>0xA0E ubequad 0 +#>>>>0xA00 ubequad !0 +#!:mime application/x-ima +#>>512 ubyte =0xfd # look for 2nd FAT at different location to distinguish between 360k and 500k ->>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k +#>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k #>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k ->>>0xA0E ubequad 0 -!:mime application/x-ima ->>512 ubyte =0xfe ->>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k ->>>>0x60E ubequad 0 ->>>>>0x600 ubequad !0 -!:mime application/x-ima +#>>>0xA0E ubequad 0 +#!:mime application/x-ima +#>>512 ubyte =0xfe +#>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k +#>>>>0x60E ubequad 0 +#>>>>>0x600 ubequad !0 +#!:mime application/x-ima #>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k ->>512 ubyte =0xff 320k ->>>0x60E ubequad 0 ->>>>0x600 ubequad !0 -!:mime application/x-ima ->>512 ubyte x \b, Media descriptor 0x%x +#>>512 ubyte =0xff 320k +#>>>0x60E ubequad 0 +#>>>>0x600 ubequad !0 +#!:mime application/x-ima +#>>512 ubyte x \b, Media descriptor 0x%x # without x86 jump instruction ->>0 ulelong&0x804000E9 !0x000000E9 +#>>0 ulelong&0x804000E9 !0x000000E9 # assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV ->>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader +#>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader # IOSYS.COM+MSDOS.COM ->>>>0xc4 use 2xDOS-filename ->>0 ulelong&0x804000E9 =0x000000E9 +#>>>>0xc4 use 2xDOS-filename +#>>0 ulelong&0x804000E9 =0x000000E9 # only x86 short jump instruction found ->>>0 ubyte =0xEB ->>>>1 ubyte x \b, code offset 0x%x+2 +#>>>0 ubyte =0xEB +#>>>>1 ubyte x \b, code offset 0x%x+2 # http://thestarman.pcministry.com/DOS/ibm100/Boot.htm # assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 ->>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader +#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader # ibmbio.com+ibmdos.com ->>>>>0x176 use DOS-filename ->>>>>0x181 ubyte x \b+ ->>>>>0x182 use DOS-filename +#>>>>>0x176 use DOS-filename +#>>>>>0x181 ubyte x \b+ +#>>>>>0x182 use DOS-filename # http://thestarman.pcministry.com/DOS/ibm110/Boot.htm # assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV ->>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader +#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader # ibmbio.com+ibmdos.com ->>>>>0x18b use DOS-filename ->>>>>0x196 ubyte x \b+ ->>>>>0x197 use DOS-filename +#>>>>>0x18b use DOS-filename +#>>>>>0x196 ubyte x \b+ +#>>>>>0x197 use DOS-filename # http://en.wikipedia.org/wiki/Zenith_Data_Systems # assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 ->>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader +#>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS ->>>>>0x20 use 2xDOS-filename +#>>>>>0x20 use 2xDOS-filename # http://en.wikipedia.org/wiki/Corona_Data_Systems # assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; ->>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader +#>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS ->>>>>0x69 use 2xDOS-filename +#>>>>>0x69 use 2xDOS-filename # assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; ->>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader +#>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader # defect IO.SYS+MSDOS.SYS ? #>>>>>0x162 use 2xDOS-filename -# CDROM Filesystems -# Modified for UDF by gerardo.cacciari@gmail.com -32769 string CD001 # -!:mime application/x-iso9660-image +0 name cdrom >38913 string !NSR0 ISO 9660 CD-ROM filesystem data +!:mime application/x-iso9660-image >38913 string NSR0 UDF filesystem data +!:mime application/x-iso9660-image >>38917 string 1 (version 1.0) >>38917 string 2 (version 1.5) >>38917 string 3 (version 2.0) @@ -8031,29 +8463,41 @@ !:mime application/x-iso9660-image 32777 string CDROM High Sierra CD-ROM filesystem data +# CDROM Filesystems +# https://en.wikipedia.org/wiki/ISO_9660 +# Modified for UDF by gerardo.cacciari@gmail.com +32769 string CD001 +# mime line at that position does not work +# to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51) +!:strength -11 +# to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51) +# does not work +#!:strength +33 +>0 use cdrom + # .cso files 0 string CISO Compressed ISO CD image # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian ->4 lelong x size %lu +>4 lelong x size %u >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support >32 lelong x CRC 0x%x, ->36 lelong x edition %lu, ->40 lelong x %lu blocks, ->44 lelong x %lu files +>36 lelong x edition %u, +>40 lelong x %u blocks, +>44 lelong x %u files 0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian ->4 belong x size %lu +>4 belong x size %u >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support >32 belong x CRC 0x%x, ->36 belong x edition %lu, ->40 belong x %lu blocks, ->44 belong x %lu files +>36 belong x edition %u, +>40 belong x %u blocks, +>44 belong x %u files # reiserfs - russell@coker.com.au 0x10034 string ReIsErFs ReiserFS V3.5 @@ -8213,6 +8657,7 @@ #---------------------------------------------------------- #delta ISO Daniel Novotny (dnovotny@redhat.com) 0 string DISO Delta ISO data +!:strength +50 >4 belong x version %d # VMS backup savesets - gerardo.cacciari@gmail.com @@ -8264,7 +8709,6 @@ # which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com # 1008 string DECFILE11 Files-11 On-Disk Structure ->525 byte x Level %d >525 byte x (ODS-%d); >1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system; >1017 string B @@ -8318,8 +8762,8 @@ >16 ulequad >0 \b fblock table at %lld, >24 ulequad >0 \b inode table at %lld, >32 ulequad >0 \b root at %lld, ->40 ulelong >0 \b fblock size = %ld, ->44 ulelong >0 \b block size = %ld, +>40 ulelong >0 \b fblock size = %d, +>44 ulelong >0 \b block size = %d, >48 ulequad >0 \b bytes = %lld # Type: xfs metadump image @@ -8397,22 +8841,68 @@ # http://www.forensicswiki.org/wiki/Encase_image_file_format 0 string EVF\x09\x0d\x0a\xff\x00 EWF/Expert Witness/EnCase image file format -#------------------------------------------------------------------------------ -# $File: flash,v 1.9 2009/11/08 01:30:01 christos Exp $ +# UBIfs +# Linux kernel sources: fs/ubifs/ubifs-media.h +0 lelong 0x06101831 +>0x16 leshort 0 UBIfs image +>0x08 lequad x \b, sequence number %llu +>0x10 leshort x \b, length %u +>0x04 lelong x \b, CRC 0x%08x + +0 lelong 0x23494255 +>0x04 leshort <2 +>0x05 string \0\0\0 +>0x1c string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>0x04 leshort x UBI image, version %u + +# NEC PC-88 2D disk image +# From Fabio R. Schmidlin +0x20 ulelong&0xFFFFFEFF 0x2A0 +>0x10 string \0\0\0\0\0\0\0\0\0\0 +>>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>0x1A ubyte&0xEF 0 +>>>>0x1B ubyte&0x8F 0 +>>>>>0x1B ubyte&70 <0x40 +>>>>>>0x1C ulelong >0x21 +>>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s +>>>>>>>>0x1B ubyte 0 \b, media=2D +>>>>>>>>0x1B ubyte 0x10 \b, media=2DD +>>>>>>>>0x1B ubyte 0x20 \b, media=2HD +>>>>>>>>0x1B ubyte 0x30 \b, media=1D +>>>>>>>>0x1B ubyte 0x40 \b, media=1DD +>>>>>>>>0x1A ubyte 0x10 \b, write-protected + +#------------------------------------------------------------------------------ +# $File: flash,v 1.10 2014/03/06 16:07:24 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See # # http://www.macromedia.com/software/flash/open/ +# http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/\ +# en/devnet/swf/pdf/swf-file-format-spec.pdf page 27 # -0 string FWS Macromedia Flash data, ->3 byte x version %d + +0 name swf-details +>0 string F Macromedia Flash data +!:mime application/x-shockwave-flash +>0 string C Macromedia Flash data (compressed) !:mime application/x-shockwave-flash -0 string CWS Macromedia Flash data (compressed), +>0 string Z Macromedia Flash data (lzma compressed) !:mime application/x-shockwave-flash ->3 byte x version %d +>3 byte x \b, version %d + +1 string WS +>4 lelong !0 +>>3 byte 255 Suspicious +>>>0 use swf-details + +>>3 ubyte <32 +>>>3 ubyte !0 +>>>>0 use swf-details + # From: Cal Peake -0 string FLV Macromedia Flash Video +0 string FLV\x01 Macromedia Flash Video !:mime video/x-flv # @@ -8519,18 +9009,18 @@ 0 string wOFF Web Open Font Format >4 belong x \b, flavor %d >8 belong x \b, length %d ->20 beshort x \b, version %hd ->22 beshort x \b.%hd +>20 beshort x \b, version %d +>22 beshort x \b.%d #------------------------------------------------------------------------------ # $File: fortran,v 1.7 2012/06/21 01:55:02 christos Exp $ # FORTRAN source -0 regex/100 \^[Cc][\ \t] FORTRAN program +0 regex/100l \^[Cc][\ \t] FORTRAN program !:mime text/x-fortran !:strength - 5 #------------------------------------------------------------------------------ -# $File: frame,v 1.12 2009/09/19 16:28:09 christos Exp $ +# $File$ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is @@ -8580,7 +9070,7 @@ !:mime application/x-mif #------------------------------------------------------------------------------ -# $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $ +# $File$ # freebsd: file(1) magic for FreeBSD objects # # All new-style FreeBSD magic numbers are in host byte order (i.e., @@ -8724,7 +9214,7 @@ >>11 byte x %d chars high #------------------------------------------------------------------------------ -# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ +# $File: fsav,v 1.12 2013/03/23 14:15:30 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) @@ -8790,7 +9280,7 @@ >33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files #------------------------------------------------------------------------------ -# $File: fusecompress,v 1.2 2011/08/08 09:05:55 christos Exp $ +# $File: mcrypt,v 1.5 2009/09/19 16:28:10 christos Exp $ # fusecompress: file(1) magic for fusecompress 0 string \037\135\211 FuseCompress(ed) data >3 byte 0x00 (none format) @@ -8808,14 +9298,14 @@ # Fabio Bonelli # Quake II - III data files 0 string IDP2 Quake II 3D Model file, ->20 long x %lu skin(s), ->8 long x (%lu x ->12 long x %lu), ->40 long x %lu frame(s), ->16 long x Frame size %lu bytes, ->24 long x %lu vertices/frame, ->28 long x %lu texture coordinates, ->32 long x %lu triangles/frame +>20 long x %u skin(s), +>8 long x (%u x +>12 long x %u), +>40 long x %u frame(s), +>16 long x Frame size %u bytes, +>24 long x %u vertices/frame, +>28 long x %u texture coordinates, +>32 long x %u triangles/frame 0 string IBSP Quake >4 long 0x26 II Map file (BSP) @@ -8948,7 +9438,7 @@ 0 string MComprHD MAME CHD compressed hard disk image, ->12 belong x version %lu +>12 belong x version %u # doom - submitted by Jon Dowland @@ -9067,7 +9557,7 @@ >20 lelong !0 \b, exports: %i #------------------------------------------------------------------------------ -# $File: gcc,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File$ # gcc: file(1) magic for GCC special files # 0 string gpch GCC precompiled header @@ -9084,7 +9574,7 @@ >4 byte 79 for Objective C++ #------------------------------------------------------------------------------ -# $File: geo,v 1.3 2013/01/04 00:47:02 christos Exp $ +# $File: geo,v 1.2 2013/01/02 15:27:53 christos Exp $ # Geo- files from Kurt Schwehr ###################################################################### @@ -9201,7 +9691,7 @@ #------------------------------------------------------------------------------ -# $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File$ # GEOS files (Vidar Madsen, vidar@gimp.org) # semi-commonly used in embedded and handheld systems. 0 belong 0xc745c153 GEOS @@ -9241,8 +9731,8 @@ >9 string file version 0, >9 string v version >>10 string >\0 %s, ->14 belong x %lu x ->18 belong x %lu, +>14 belong x %u x +>18 belong x %u, >22 belong 0 RGB Color >22 belong 1 Greyscale >22 belong 2 Indexed Color @@ -9268,7 +9758,7 @@ 0 string #\040GIMP\040Curves\040File GIMP curve file #------------------------------------------------------------------------------ -# $File: gnome,v 1.3 2013/02/05 15:20:47 christos Exp $ +# $File: gnome,v 1.4 2014/04/28 12:04:50 christos Exp $ # GNOME related files # Contributed by Josh Triplett @@ -9277,9 +9767,9 @@ >&0 ubyte 0 \b, major version 0 >>&0 ubyte 0 \b, minor version 0 >>>&0 ubyte 0 \b, crypto type 0 (AES) ->>>&0 ubyte >0 \b, crypto type %hhu (unknown) +>>>&0 ubyte >0 \b, crypto type %u (unknown) >>>&1 ubyte 0 \b, hash type 0 (MD5) ->>>&1 ubyte >0 \b, hash type %hhu (unknown) +>>>&1 ubyte >0 \b, hash type %u (unknown) >>>&2 ubelong 0xFFFFFFFF \b, name NULL >>>&2 ubelong !0xFFFFFFFF >>>>&-4 ubelong >255 \b, name too long for file's pstring type @@ -9327,7 +9817,7 @@ >22 leshort x \b/%d local #------------------------------------------------------------------------------ -# $File: gnu,v 1.15 2014/02/06 14:21:02 christos Exp $ +# $File: gnu,v 1.14 2012/10/03 23:38:12 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format @@ -9410,7 +9900,7 @@ !:mime text/x-po #------------------------------------------------------------------------------ -# $File: gnumeric,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File$ # gnumeric: file(1) magic for Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps @@ -9418,7 +9908,7 @@ !:mime application/x-gnumeric #------------------------------------------------------------------------------ -# $File: gpt,v 1.1 2013/02/18 18:31:09 christos Exp $ +# $File: gpt,v 1.2 2014/04/28 12:04:50 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) @@ -9638,7 +10128,6 @@ 0 name gpt-table >10 uleshort x \b, version %u >8 uleshort x \b.%u -# a GUID is just like a UUID, except it's displayed mixed-endian. >56 ulelong x \b, GUID: %08x >60 uleshort x \b-%04x >62 uleshort x \b-%04x @@ -9659,7 +10148,7 @@ #------------------------------------------------------------------------------ -# $File: grace,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File$ # ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE # # ACE/gr binary @@ -9686,13 +10175,13 @@ # FIXME: These patterns match too generally. For example, the first # line matches a LaTeX file containing the word "graph" (with a { # following later) and the second line matches this file. -#0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text +#0 regex/100l [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text #!:mime text/vnd.graphviz -#0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text +#0 regex/100l [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text #!:mime text/vnd.graphviz #------------------------------------------------------------------------------ -# $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File$ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo @@ -9740,7 +10229,7 @@ >3 string >3 v.%.1s (unknown details) #------------------------------------------------------------------------------ -# $File: guile,v 1.1 2011/12/16 17:44:33 christos Exp $ +# $File: grace,v 1.4 2009/09/19 16:28:09 christos Exp $ # Guile file magic from # http://www.gnu.org/s/guile/ # http://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 @@ -9753,7 +10242,7 @@ >13 regex .\.. \b, bytecode v%s #------------------------------------------------------------------------------ -# $File: hitachi-sh,v 1.6 2013/01/29 19:31:33 christos Exp $ +# $File: hitachi-sh,v 1.5 2009/09/19 16:28:09 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF @@ -9816,10 +10305,10 @@ #### Old Apollo stuff 0 beshort 0627 Apollo m68k COFF executable >18 beshort ^040000 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 0624 apollo a88k COFF executable >18 beshort ^040000 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 long 01203604016 TML 0123 byte-order format 0 long 01702407010 TML 1032 byte-order format 0 long 01003405017 TML 2301 byte-order format @@ -9903,58 +10392,58 @@ #### 500 0 long 0x02080106 HP s500 relocatable executable ->16 long >0 - version %ld +>16 long >0 - version %d 0 long 0x02080107 HP s500 executable ->16 long >0 - version %ld +>16 long >0 - version %d 0 long 0x02080108 HP s500 pure executable ->16 long >0 - version %ld +>16 long >0 - version %d #### 200 0 belong 0x020c0108 HP s200 pure executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0107 HP s200 executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c010b HP s200 demand-load executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0106 HP s200 relocatable executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >6 beshort >0 - highwater %d >8 belong &0x80000000 save fp regs >8 belong &0x20000000 debuggable >8 belong &0x10000000 PIC 0 belong 0x020a0108 HP s200 (2.x release) pure executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >36 belong >0 not stripped 0 belong 0x020a0107 HP s200 (2.x release) executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >36 belong >0 not stripped 0 belong 0x020c010e HP s200 shared library ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >6 beshort >0 - highwater %d >36 belong >0 not stripped 0 belong 0x020c010d HP s200 dynamic load library ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >6 beshort >0 - highwater %d >36 belong >0 not stripped @@ -9967,7 +10456,7 @@ 0 long 0x015821a6 HP core file 0 long 0x4da7eee8 HP-WINDOWS font ->8 byte >0 - version %ld +>8 byte >0 - version %d 0 string Bitmapfile HP Bitmapfile 0 string IMGfile CIS compimg HP Bitmapfile @@ -10214,7 +10703,7 @@ #------------------------------------------------------------------------------ -# $File: human68k,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File$ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats # Magic too short! #0 string HU Human68k @@ -10276,19 +10765,19 @@ >12 belong >0 not stripped 0 beshort 0531 SVR2 executable (Amdahl-UTS) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d 0 beshort 0534 SVR2 pure executable (Amdahl-UTS) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d 0 beshort 0530 SVR2 pure executable (USS/370) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d 0 beshort 0535 SVR2 executable (USS/370) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.12 2013/09/16 15:12:42 christos Exp $ +# $File: ibm6000,v 1.11 2013/01/08 20:13:01 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -10319,7 +10808,7 @@ >>>0x524 string >\0 \b, %s #------------------------------------------------------------------------------ -# $File: icc,v 1.1 2013/01/08 01:43:18 christos Exp $ +# $File$ # icc: file(1) magic for International Color Consortium file formats # @@ -10370,7 +10859,7 @@ #------------------------------------------------------------------------------ -# $File: iff,v 1.13 2011/09/06 11:00:06 christos Exp $ +# $File: iff,v 1.12 2009/09/19 16:28:09 christos Exp $ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic @@ -10441,7 +10930,7 @@ >8 string IFZS \b, Z-machine or Glulx saved game file (Quetzal) #------------------------------------------------------------------------------ -# $File: images,v 1.87 2013/12/11 14:14:20 christos Exp $ +# $File: images,v 1.104 2015/01/24 22:45:46 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -10459,57 +10948,66 @@ # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) # `tgatoppm' recognizes a superset (Index may be anything) 1 belong&0xfff7ffff 0x01010000 Targa image data - Map +!:strength + 2 >2 byte&8 8 - RLE ->12 leshort >0 %hd x ->14 leshort >0 %hd +>12 leshort >0 %d x +>14 leshort >0 %d 1 belong&0xfff7ffff 0x00020000 Targa image data - RGB +!:strength + 2 >2 byte&8 8 - RLE ->12 leshort >0 %hd x ->14 leshort >0 %hd +>12 leshort >0 %d x +>14 leshort >0 %d 1 belong&0xfff7ffff 0x00030000 Targa image data - Mono +!:strength + 2 >2 byte&8 8 - RLE ->12 leshort >0 %hd x ->14 leshort >0 %hd +>12 leshort >0 %d x +>14 leshort >0 %d # PBMPLUS images # The next byte following the magic is always whitespace. # strength is changed to try these patterns before "x86 boot sector" +0 name netpbm +>3 regex/s =[0-9]{1,50}\ [0-9]{1,50} Netpbm PPM image data +>>&0 regex =[0-9]{1,50} \b, size = %s x +>>>&0 regex =[0-9]{1,50} \b %s + 0 search/1 P1 ->3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PBM image text ->3 regex =[0-9]{1,50}\ \b, size = %sx ->>3 regex =\ [0-9]{1,50} \b%s +>0 use netpbm +>>0 string x \b, bitmap !:strength + 45 !:mime image/x-portable-bitmap + 0 search/1 P2 ->3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PGM image text ->3 regex =[0-9]{1,50}\ \b, size = %sx ->>3 regex =\ [0-9]{1,50} \b%s +>0 use netpbm +>>0 string x \b, greymap !:strength + 45 !:mime image/x-portable-greymap + 0 search/1 P3 ->3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PPM image text ->3 regex =[0-9]{1,50}\ \b, size = %sx ->>3 regex =\ [0-9]{1,50} \b%s +>0 use netpbm +>>0 string x \b, pixmap !:strength + 45 !:mime image/x-portable-pixmap + + 0 string P4 ->3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PBM "rawbits" image data ->3 regex =[0-9]{1,50}\ \b, size = %sx ->>3 regex =\ [0-9]{1,50} \b%s +>0 use netpbm +>>0 string x \b, rawbits, bitmap !:strength + 45 !:mime image/x-portable-bitmap + 0 string P5 ->3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PGM "rawbits" image data ->3 regex =[0-9]{1,50}\ \b, size = %sx ->>3 regex =\ [0-9]{1,50} \b%s +>0 use netpbm +>>0 string x \b, rawbits, greymap !:strength + 45 !:mime image/x-portable-greymap + 0 string P6 ->3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PPM "rawbits" image data ->3 regex =[0-9]{1,50}\ \b, size = %sx ->>3 regex =\ [0-9]{1,50} \b%s +>0 use netpbm +>>0 string x \b, rawbits, pixmap !:strength + 45 !:mime image/x-portable-pixmap + 0 string P7 Netpbm PAM image file !:mime image/x-portable-pixmap @@ -10553,8 +11051,155 @@ # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian !:mime image/tiff +>(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff +>(4.l) use tiff_ifd + +0 name tiff_ifd +>0 leshort x \b, direntries=%d +>2 use tiff_entry + +0 name tiff_entry +# NewSubFileType +>0 leshort 0xfe +>>12 use tiff_entry +>0 leshort 0x100 +>>4 lelong 1 +>>>12 use tiff_entry +>>>8 leshort x \b, width=%d +>0 leshort 0x101 +>>4 lelong 1 +>>>8 leshort x \b, height=%d +>>>12 use tiff_entry +>0 leshort 0x102 +>>8 leshort x \b, bps=%d +>>12 use tiff_entry +>0 leshort 0x103 +>>4 lelong 1 \b, compression= +>>>8 leshort 1 \bnone +>>>8 leshort 2 \bhuffman +>>>8 leshort 3 \bbi-level group 3 +>>>8 leshort 4 \bbi-level group 4 +>>>8 leshort 5 \bLZW +>>>8 leshort 6 \bJPEG (old) +>>>8 leshort 7 \bJPEG +>>>8 leshort 8 \bdeflate +>>>8 leshort 9 \bJBIG, ITU-T T.85 +>>>8 leshort 0xa \bJBIG, ITU-T T.43 +>>>8 leshort 0x7ffe \bNeXT RLE 2-bit +>>>8 leshort 0x8005 \bPackBits (Macintosh RLE) +>>>8 leshort 0x8029 \bThunderscan RLE +>>>8 leshort 0x807f \bRasterPadding (CT or MP) +>>>8 leshort 0x8080 \bRLE (Line Work) +>>>8 leshort 0x8081 \bRLE (High-Res Cont-Tone) +>>>8 leshort 0x8082 \bRLE (Binary Line Work) +>>>8 leshort 0x80b2 \bDeflate (PKZIP) +>>>8 leshort 0x80b3 \bKodak DCS +>>>8 leshort 0x8765 \bJBIG +>>>8 leshort 0x8798 \bJPEG2000 +>>>8 leshort 0x8799 \bNikon NEF Compressed +>>>8 default x +>>>>8 leshort x \b(unknown 0x%x) +>>>12 use tiff_entry +>0 leshort 0x106 \b, PhotometricIntepretation= +>>8 clear x +>>8 leshort 0 \bWhiteIsZero +>>8 leshort 1 \bBlackIsZero +>>8 leshort 2 \bRGB +>>8 leshort 3 \bRGB Palette +>>8 leshort 4 \bTransparency Mask +>>8 leshort 5 \bCMYK +>>8 leshort 6 \bYCbCr +>>8 leshort 8 \bCIELab +>>8 default x +>>>8 leshort x \b(unknown=0x%x) +>>12 use tiff_entry +# FillOrder +>0 leshort 0x10a +>>4 lelong 1 +>>>12 use tiff_entry +# DocumentName +>0 leshort 0x10d +>>(8.l) string x \b, name=%s +>>>12 use tiff_entry +# ImageDescription +>0 leshort 0x10e +>>(8.l) string x \b, description=%s +>>>12 use tiff_entry +# Make +>0 leshort 0x10f +>>(8.l) string x \b, manufacturer=%s +>>>12 use tiff_entry +# Model +>0 leshort 0x110 +>>(8.l) string x \b, model=%s +>>>12 use tiff_entry +# StripOffsets +>0 leshort 0x111 +>>12 use tiff_entry +# Orientation +>0 leshort 0x112 \b, orientation= +>>8 leshort 1 \bupper-left +>>8 leshort 3 \blower-right +>>8 leshort 6 \bupper-right +>>8 leshort 8 \blower-left +>>8 leshort 9 \bundefined +>>8 default x +>>>8 leshort x \b[*%d*] +>>12 use tiff_entry +# XResolution +>0 leshort 0x11a +>>8 lelong x \b, xresolution=%d +>>12 use tiff_entry +# YResolution +>0 leshort 0x11b +>>8 lelong x \b, yresolution=%d +>>12 use tiff_entry +# ResolutionUnit +>0 leshort 0x128 +>>8 leshort x \b, resolutionunit=%d +>>12 use tiff_entry +# Software +>0 leshort 0x131 +>>(8.l) string x \b, software=%s +>>12 use tiff_entry +# Datetime +>0 leshort 0x132 +>>(8.l) string x \b, datetime=%s +>>12 use tiff_entry +# HostComputer +>0 leshort 0x13c +>>(8.l) string x \b, hostcomputer=%s +>>12 use tiff_entry +# WhitePoint +>0 leshort 0x13e +>>12 use tiff_entry +# PrimaryChromaticities +>0 leshort 0x13f +>>12 use tiff_entry +# YCbCrCoefficients +>0 leshort 0x211 +>>12 use tiff_entry +# YCbCrPositioning +>0 leshort 0x213 +>>12 use tiff_entry +# ReferenceBlackWhite +>0 leshort 0x214 +>>12 use tiff_entry +# Copyright +>0 leshort 0x8298 +>>(8.l) string x \b, copyright=%s +>>12 use tiff_entry +# ExifOffset +>0 leshort 0x8769 +>>12 use tiff_entry +# GPS IFD +>0 leshort 0x8825 \b, GPS-Data +>>12 use tiff_entry + +#>0 leshort x \b, unknown=0x%x +#>>12 use tiff_entry 0 string MM\x00\x2b Big TIFF image data, big-endian !:mime image/tiff @@ -10569,8 +11214,8 @@ # 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data !:mime image/png ->16 belong x \b, %ld x ->20 belong x %ld, +>16 belong x \b, %d x +>20 belong x %d, >24 byte x %d-bit >25 byte 0 grayscale, >25 byte 2 \b/color RGB, @@ -10605,8 +11250,8 @@ !:apple 8BIMGIFf >4 string 7a \b, version 8%s, >4 string 9a \b, version 8%s, ->6 leshort >0 %hd x ->8 leshort >0 %hd +>6 leshort >0 %d x +>8 leshort >0 %d #>10 byte &0x80 color mapped, #>10 byte&0x07 =0x00 2 colors #>10 byte&0x07 =0x01 4 colors @@ -10924,7 +11569,7 @@ >>>>1 ubyte 3 ver. 2.8 image data, without palette >>>>1 ubyte 4 for Windows image data >>>>1 ubyte 5 ver. 3.0 image data ->>>>4 uleshort x bounding box [%hd, +>>>>4 uleshort x bounding box [%d, >>>>6 uleshort x %d] - >>>>8 uleshort x [%d, >>>>10 uleshort x %d], @@ -11059,7 +11704,7 @@ # Author: Hans-Joachim Baader 0 string PaRtImAgE-VoLuMe PartImage >0x0020 string 0.6.1 file version %s ->>0x0060 lelong >-1 volume %ld +>>0x0060 lelong >-1 volume %d #>>0x0064 8 byte identifier #>>0x007c reserved >>0x0200 string >\0 type %s @@ -11082,8 +11727,8 @@ # Kodak Cineon format for scanned negatives # http://www.kodak.com/US/en/motion/support/dlad/ 0 lelong 0xd75f2a80 Cineon image data ->200 belong >0 \b, %ld x ->204 belong >0 %ld +>200 belong >0 \b, %d x +>204 belong >0 %d # Bio-Rad .PIC is an image format used by microscope control systems @@ -11095,10 +11740,10 @@ 14 leshort <2 >62 leshort <2 >>54 leshort 12345 Bio-Rad .PIC Image File ->>>0 leshort >0 %hd x ->>>2 leshort >0 %hd, +>>>0 leshort >0 %d x +>>>2 leshort >0 %d, >>>4 leshort =1 1 image in file ->>>4 leshort >1 %hd images in file +>>>4 leshort >1 %d images in file # From Jan "Yenya" Kasprzak # The description of *.mrw format can be found at @@ -11264,7 +11909,7 @@ 0 string/t [BitmapInfo2] Polar Monitor Bitmap text !:mime image/x-polar-monitor-bitmap -# From: Rick Richardson +# From: Rick Richardson 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file # Type: Ulead Photo Explorer5 (.pe5) @@ -11329,13 +11974,67 @@ # From: "Tano M. Fotang" 0 string \x46\x4d\x52\x00 ISO/IEC 19794-2 Format Minutiae Record (FMR) -# WEBP https://developers.google.com/speed/webp/docs/riff_container -0 string RIFF ->8 string WEBP Web/P image data ->>4 lelong x \b, %d bytes +# doc: http://www.shikino.co.jp/eng/products/images/FLOWER.jpg.zip +# example: http://www.shikino.co.jp/eng/products/images/FLOWER.wdp.zip +90 bequad 0x574D50484F544F00 JPEG-XR Image +>98 byte&0x08 =0x08 \b, hard tiling +>99 byte&0x80 =0x80 \b, tiling present +>99 byte&0x40 =0x40 \b, codestream present +>99 byte&0x38 x \b, spatial xform= +>99 byte&0x38 0x00 \bTL +>99 byte&0x38 0x08 \bBL +>99 byte&0x38 0x10 \bTR +>99 byte&0x38 0x18 \bBR +>99 byte&0x38 0x20 \bBT +>99 byte&0x38 0x28 \bRB +>99 byte&0x38 0x30 \bLT +>99 byte&0x38 0x38 \bLB +>100 byte&0x80 =0x80 \b, short header +>>102 beshort+1 x \b, %d +>>104 beshort+1 x \bx%d +>100 byte&0x80 =0x00 \b, long header +>>102 belong+1 x \b, %x +>>106 belong+1 x \bx%x +>101 beshort&0xf x \b, bitdepth= +>>101 beshort&0xf 0x0 \b1-WHITE=1 +>>101 beshort&0xf 0x1 \b8 +>>101 beshort&0xf 0x2 \b16 +>>101 beshort&0xf 0x3 \b16-SIGNED +>>101 beshort&0xf 0x4 \b16-FLOAT +>>101 beshort&0xf 0x5 \b(reserved 5) +>>101 beshort&0xf 0x6 \b32-SIGNED +>>101 beshort&0xf 0x7 \b32-FLOAT +>>101 beshort&0xf 0x8 \b5 +>>101 beshort&0xf 0x9 \b10 +>>101 beshort&0xf 0xa \b5-6-5 +>>101 beshort&0xf 0xb \b(reserved %d) +>>101 beshort&0xf 0xc \b(reserved %d) +>>101 beshort&0xf 0xd \b(reserved %d) +>>101 beshort&0xf 0xe \b(reserved %d) +>>101 beshort&0xf 0xf \b1-BLACK=1 +>101 beshort&0xf0 x \b, colorfmt= +>>101 beshort&0xf0 0x00 \bYONLY +>>101 beshort&0xf0 0x10 \bYUV240 +>>101 beshort&0xf0 0x20 \bYWV422 +>>101 beshort&0xf0 0x30 \bYWV444 +>>101 beshort&0xf0 0x40 \bCMYK +>>101 beshort&0xf0 0x50 \bCMYKDIRECT +>>101 beshort&0xf0 0x60 \bNCOMPONENT +>>101 beshort&0xf0 0x70 \bRGB +>>101 beshort&0xf0 0x80 \bRGBE +>>101 beshort&0xf0 >0x80 \b(reserved 0x%x) + +# From: Johan van der Knijff +# +# BPG (Better Portable Graphics) format +# http://bellard.org/bpg/ +# http://fileformats.archiveteam.org/wiki/BPG +# +0 string \x42\x50\x47\xFB BPG (Better Portable Graphics) +!:mime image/bpg #------------------------------------------------------------------------------ -# $File: inform,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File$ # inform: file(1) magic for Inform interactive fiction language # URL: http://www.inform-fiction.org/ @@ -11360,24 +12059,24 @@ # 0 leshort 0502 basic-16 executable >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d 0 leshort 0503 basic-16 executable (TV) >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d 0 leshort 0510 x86 executable >12 lelong >0 not stripped 0 leshort 0511 x86 executable (TV) >12 lelong >0 not stripped 0 leshort =0512 iAPX 286 executable small model (COFF) >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d 0 leshort =0522 iAPX 286 executable large model (COFF) >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 0 leshort =0514 80386 COFF executable >12 lelong >0 not stripped ->22 leshort >0 - version %ld +>22 leshort >0 - version %d # rom: file(1) magic for BIOS ROM Extensions found in intel machines # mapped into memory between 0xC0000 and 0xFFFFF @@ -11397,7 +12096,7 @@ 16 lelong 0x0ff0a55a Intel serial flash for PCH ROM #------------------------------------------------------------------------------ -# $File: interleaf,v 1.10 2009/09/19 16:28:10 christos Exp $ +# $File$ # interleaf: file(1) magic for InterLeaf TPS: # 0 string =\210OPS Interleaf saved data @@ -11406,7 +12105,7 @@ >>17 string >\0 %.3s #------------------------------------------------------------------------------ -# $File: island,v 1.5 2009/09/19 16:28:10 christos Exp $ +# $File$ # island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1 # "/etc/magic": # From: guy@netapp.com (Guy Harris) @@ -11416,7 +12115,7 @@ #------------------------------------------------------------------------------ -# $File: ispell,v 1.8 2009/09/19 16:28:10 christos Exp $ +# $File$ # ispell: file(1) magic for ispell # # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic @@ -11479,7 +12178,7 @@ >20 long x stblsize %d #------------------------------------------------------------------------------ -# $File: isz,v 1.1 2010/03/27 16:17:09 christos Exp $ +# $File: isz,v 1.2 2014/04/28 12:04:50 christos Exp $ # ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file @@ -11494,7 +12193,7 @@ #>36 lelong x \b, block size %u #------------------------------------------------------------ -# $File: java,v 1.16 2013/09/24 20:22:03 christos Exp $ +# $File: java,v 1.15 2013/08/14 09:10:36 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". @@ -11514,7 +12213,7 @@ !:mime text/x-java #------------------------------------------------------------------------------ -# $File: javascript,v 1.1 2012/06/16 13:30:36 christos Exp $ +# $File: $ # javascript: magic for javascript and node.js scripts. # 0 search/1/w #!/bin/node Node.js script text executable @@ -11531,7 +12230,7 @@ !:mime application/javascript #------------------------------------------------------------------------------ -# $File: jpeg,v 1.19 2013/02/04 15:50:03 christos Exp $ +# $File: jpeg,v 1.26 2015/01/02 22:40:27 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -11543,7 +12242,7 @@ 0 beshort 0xffd8 JPEG image data !:mime image/jpeg !:apple 8BIMJPEG -!:strength +2 +!:strength *3 >6 string JFIF \b, JFIF standard # The following added by Erik Rossen 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these @@ -11553,132 +12252,76 @@ >>11 byte x \b %d. >>12 byte x \b%02d # Next, the resolution or aspect ratio of the image: -#>>13 byte 0 \b, aspect ratio -#>>13 byte 1 \b, resolution (DPI) -#>>13 byte 2 \b, resolution (DPCM) -#>>4 beshort x \b, segment length %d +>>13 byte 0 \b, aspect ratio +>>13 byte 1 \b, resolution (DPI) +>>13 byte 2 \b, resolution (DPCM) +>>14 beshort x \b, density %dx +>>16 beshort x \b%d +>>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte !0 \b, thumbnail %dx >>>19 byte x \b%d - -# EXIF moved down here to avoid reporting a bogus version number, -# and EXIF version number printing added. -# - Patrik R=E5dman ->6 string Exif \b, EXIF standard -# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. -# All possible combinations of entries have to be enumerated, since no looping -# is possible. And both endians are possible... -# The combinations included below are from real-world JPEGs. -# Little-endian ->>12 string II -# IFD 0 Entry #5: ->>>70 leshort 0x8769 -# EXIF IFD Entry #1: ->>>>(78.l+14) leshort 0x9000 ->>>>>(78.l+23) byte x %c ->>>>>(78.l+24) byte x \b.%c ->>>>>(78.l+25) byte !0x30 \b%c -# IFD 0 Entry #9: ->>>118 leshort 0x8769 -# EXIF IFD Entry #3: ->>>>(126.l+38) leshort 0x9000 ->>>>>(126.l+47) byte x %c ->>>>>(126.l+48) byte x \b.%c ->>>>>(126.l+49) byte !0x30 \b%c -# IFD 0 Entry #10 ->>>130 leshort 0x8769 -# EXIF IFD Entry #3: ->>>>(138.l+38) leshort 0x9000 ->>>>>(138.l+47) byte x %c ->>>>>(138.l+48) byte x \b.%c ->>>>>(138.l+49) byte !0x30 \b%c -# EXIF IFD Entry #4: ->>>>(138.l+50) leshort 0x9000 ->>>>>(138.l+59) byte x %c ->>>>>(138.l+60) byte x \b.%c ->>>>>(138.l+61) byte !0x30 \b%c -# EXIF IFD Entry #5: ->>>>(138.l+62) leshort 0x9000 ->>>>>(138.l+71) byte x %c ->>>>>(138.l+72) byte x \b.%c ->>>>>(138.l+73) byte !0x30 \b%c -# IFD 0 Entry #11 ->>>142 leshort 0x8769 -# EXIF IFD Entry #3: ->>>>(150.l+38) leshort 0x9000 ->>>>>(150.l+47) byte x %c ->>>>>(150.l+48) byte x \b.%c ->>>>>(150.l+49) byte !0x30 \b%c -# EXIF IFD Entry #4: ->>>>(150.l+50) leshort 0x9000 ->>>>>(150.l+59) byte x %c ->>>>>(150.l+60) byte x \b.%c ->>>>>(150.l+61) byte !0x30 \b%c -# EXIF IFD Entry #5: ->>>>(150.l+62) leshort 0x9000 ->>>>>(150.l+71) byte x %c ->>>>>(150.l+72) byte x \b.%c ->>>>>(150.l+73) byte !0x30 \b%c -# Big-endian ->>12 string MM -# IFD 0 Entry #9: ->>>118 beshort 0x8769 -# EXIF IFD Entry #1: ->>>>(126.L+14) beshort 0x9000 ->>>>>(126.L+23) byte x %c ->>>>>(126.L+24) byte x \b.%c ->>>>>(126.L+25) byte !0x30 \b%c -# EXIF IFD Entry #3: ->>>>(126.L+38) beshort 0x9000 ->>>>>(126.L+47) byte x %c ->>>>>(126.L+48) byte x \b.%c ->>>>>(126.L+49) byte !0x30 \b%c -# IFD 0 Entry #10 ->>>130 beshort 0x8769 -# EXIF IFD Entry #3: ->>>>(138.L+38) beshort 0x9000 ->>>>>(138.L+47) byte x %c ->>>>>(138.L+48) byte x \b.%c ->>>>>(138.L+49) byte !0x30 \b%c -# EXIF IFD Entry #5: ->>>>(138.L+62) beshort 0x9000 ->>>>>(138.L+71) byte x %c ->>>>>(138.L+72) byte x \b.%c ->>>>>(138.L+73) byte !0x30 \b%c -# IFD 0 Entry #11 ->>>142 beshort 0x8769 -# EXIF IFD Entry #4: ->>>>(150.L+50) beshort 0x9000 ->>>>>(150.L+59) byte x %c ->>>>>(150.L+60) byte x \b.%c ->>>>>(150.L+61) byte !0x30 \b%c -# Here things get sticky. We can do ONE MORE marker segment with -# indirect addressing, and that's all. It would be great if we could -# do pointer arithemetic like in an assembler language. Christos? -# And if there was some sort of looping construct to do searches, plus a few -# named accumulators, it would be even more effective... -# At least we can show a comment if no other segments got inserted before: ->(4.S+5) byte 0xFE \b, comment: ->>(4.S+6) pstring/HJ x "%s" -# Or, we can show the encoding type (I've included only the three most common) -# and image dimensions if we are lucky and the SOFn (image segment) is here: ->(4.S+5) byte 0xC0 \b, baseline ->>(4.S+6) byte x \b, precision %d ->>(4.S+7) beshort x \b, %dx ->>(4.S+9) beshort x \b%d ->(4.S+5) byte 0xC1 \b, extended sequential ->>(4.S+6) byte x \b, precision %d ->>(4.S+7) beshort x \b, %dx ->>(4.S+9) beshort x \b%d ->(4.S+5) byte 0xC2 \b, progressive ->>(4.S+6) byte x \b, precision %d ->>(4.S+7) beshort x \b, %dx ->>(4.S+9) beshort x \b%d -# I've commented-out quantisation table reporting. I doubt anyone cares yet. -#>(4.S+5) byte 0xDB \b, quantisation table -#>>(4.S+6) beshort x \b length=%d -#>14 beshort x \b, %d x -#>16 beshort x \b %d +>6 string Exif \b, Exif standard: [ +>>12 indirect/r x +>>12 string x \b] + +# Jump to the first segment +>(4.S+4) use jpeg_segment + +# This uses recursion... +0 name jpeg_segment +>0 beshort 0xFFFE +# Recursion handled by FFE0 +#>>(2.S+2) use jpeg_segment +>>2 pstring/HJ x \b, comment: "%s" + +>0 beshort 0xFFC0 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, baseline, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, frames %d + +>0 beshort 0xFFC1 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, extended sequential, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, frames %d + +>0 beshort 0xFFC2 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, progressive, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, frames %d + +# Define Huffman Tables +>0 beshort 0xFFC4 +>>(2.S+2) use jpeg_segment + +>0 beshort 0xFFE1 +# Recursion handled by FFE0 +#>>(2.S+2) use jpeg_segment +>>4 string Exif \b, Exif Standard: [ +>>>10 indirect/r x +>>>10 string x \b] + +# Application specific markers +>0 beshort&0xFFE0 =0xFFE0 +>>(2.S+2) use jpeg_segment + +# DB: Define Quantization tables +# DD: Define Restart interval [XXX: wrong here, it is 4 bytes] +# D8: Start of image +# D9: End of image +# Dn: Restart +>0 beshort&0xFFD0 =0xFFD0 +>>0 beshort&0xFFE0 !0xFFE0 +>>>(2.S+2) use jpeg_segment + +#>0 beshort x unknown 0x%x +#>>(2.S+2) use jpeg_segment # HSI is Handmade Software's proprietary JPEG encoding scheme 0 string hsi1 JPEG image data, HSI proprietary @@ -11711,10 +12354,10 @@ # From 0 string KarmaRHD Version Karma Data Structure Version ->16 belong x %lu +>16 belong x %u #------------------------------------------------------------------------------ -# $File: kde,v 1.5 2010/11/25 15:00:12 christos Exp $ +# $File: kde,v 1.4 2009/09/19 16:28:10 christos Exp $ # kde: file(1) magic for KDE 0 string/t [KDE\ Desktop\ Entry] KDE desktop entry @@ -11725,7 +12368,7 @@ !:mime text/x-xmcd #------------------------------------------------------------------------------ -# $File: keepass,v 1.1 2012/12/24 22:14:56 christos Exp $ +# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ # keepass: file(1) magic for KeePass file # # Keepass Password Safe: @@ -11745,7 +12388,52 @@ >4 lelong 0xB54BFB67 2.x KDBX #------------------------------------------------------------------------------ -# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ +# $File: map,v 1.1 2014/06/03 18:22:25 christos Exp $ +# kerberos: MIT kerberos file binary formats +# + +# This magic entry is for demonstration purposes and could be improved +# if the following features were implemented in file: +# +# Strings inside [[ .. ]] in the descriptions have special meanings and +# are not printed. +# +# - Provide some form of iteration in number of components +# [[${counter}=%d]] in the description +# then append +# [${counter}--] in the offset of the entries +# - Provide a way to round the next offset +# Add [R:4] after the offset? +# - Provide a way to have optional entries +# XXX: Syntax: +# - Provide a way to "save" entries to print them later. +# if the description is [[${name}=%s]], then nothing is +# printed and a subsequent entry in the same magic file +# can refer to ${name} +# - Provide a way to format strings as hex values +# +# http://www.gnu.org/software/shishi/manual/html_node/\ +# The-Keytab-Binary-File-Format.html +# + +0 name keytab_entry +#>0 beshort x \b, size=%d +#>2 beshort x \b, components=%d +>4 pstring/H x \b, realm=%s +>>&0 pstring/H x \b, principal=%s/ +>>>&0 pstring/H x \b%s +>>>>&0 belong x \b, type=%d +>>>>>&0 bedate x \b, date=%s +>>>>>>&0 byte x \b, kvno=%u +#>>>>>>>&0 pstring/H x +#>>>>>>>>&0 belong x +#>>>>>>>>>>&0 use keytab_entry + +0 belong 0x05020000 Kerberos Keytab file +>4 use keytab_entry + +#------------------------------------------------------------------------------ +# $File: kml,v 1.2 2009/09/19 16:28:10 christos Exp $ # Type: Google KML, formerly Keyhole Markup Language # Future development of this format has been handed # over to the Open Geospatial Consortium. @@ -11779,13 +12467,13 @@ !:mime application/vnd.google-earth.kmz #------------------------------------------------------------------------------ -# $File: lecter,v 1.4 2009/09/19 16:28:10 christos Exp $ +# $File$ # DEC SRC Virtual Paper: Lectern files # Karl M. Hegbloom 0 string lect DEC SRC Virtual Paper Lectern file #------------------------------------------------------------------------------ -# $File: lex,v 1.6 2009/09/19 16:28:10 christos Exp $ +# $File$ # lex: file(1) magic for lex # # derived empirically, your offsets may vary! @@ -11797,7 +12485,7 @@ 0 search/1 %{ lex description text #------------------------------------------------------------------------------ -# $File: lif,v 1.8 2009/09/19 16:28:10 christos Exp $ +# $File$ # lif: file(1) magic for lif # # (Daniel Quinlan ) @@ -11805,7 +12493,7 @@ 0 beshort 0x8000 lif file #------------------------------------------------------------------------------ -# $File: linux,v 1.53 2014/01/08 22:26:12 christos Exp $ +# $File: linux,v 1.58 2014/08/04 06:21:30 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -11845,6 +12533,7 @@ >28 long !0 not stripped # core dump file, from Bill Reynolds 216 lelong 0421 Linux/i386 core file +!:strength / 2 >220 string >\0 of '%s' >200 lelong >0 (signal %d) # @@ -12200,9 +12889,45 @@ >>0x1042 ubelong x \b-%08x >>0x1046 ubeshort x \b%04x - -#------------------------------------------------------------------------------ -# $File: lisp,v 1.23 2009/09/19 16:28:10 christos Exp $ +# Linux device tree: +# File format description can be found in the Linux kernel sources at +# Documentation/devicetree/booting-without-of.txt +# From Christoph Biedl +0 belong 0xd00dfeed +# structure and strings must be within blob +>&(8.L) byte x +>>&(12.L) byte x +>>>20 belong >1 Device Tree Blob version %d +>>>>4 belong x \b, size=%d +>>>>20 belong >1 +>>>>>28 belong x \b, boot CPU=%d +>>>>20 belong >2 +>>>>>32 belong x \b, string block size=%d +>>>>20 belong >16 +>>>>>36 belong x \b, DT structure block size=%d + +# glibc locale archive as defined in glibc locale/locarchive.h +0 lelong 0xde020109 locale archive +>24 lelong x %d strings + +# Summary: Database file for mlocate +# Description: A database file as used by mlocate, a fast implementation +# of locate/updatedb. It uses merging to reuse the existing +# database and avoid rereading most of the filesystem. It's +# the default version of locate on Arch Linux (and others). +# File path: /var/lib/mlocate/mlocate.db by default (but configurable) +# Site: https://fedorahosted.org/mlocate/ +# Format docs: http://linux.die.net/man/5/mlocate.db +# Type: mlocate database file +# URL: https://fedorahosted.org/mlocate/ +# From: Wander Nauta +0 string \0mlocate mlocate database +>12 byte x \b, version %d +>13 byte 1 \b, require visibility +>16 string x \b, root %s + +#------------------------------------------------------------------------------ +# $File$ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) @@ -12254,7 +12979,7 @@ !:mime text/texmacs #------------------------------------------------------------------------------ -# $File: llvm,v 1.8 2013/01/12 03:09:51 christos Exp $ +# $File: llvm,v 1.7 2013/01/08 01:34:38 christos Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: http://llvm.org/docs/BitCodeFormat.html # From: Al Stone @@ -12275,7 +13000,7 @@ 0 string BC\xc0\xde LLVM IR bitcode #------------------------------------------------------------------------------ -# $File: lua,v 1.6 2013/01/09 16:23:17 christos Exp $ +# $File: lua,v 1.5 2009/09/19 16:28:10 christos Exp $ # lua: file(1) magic for Lua scripting language # URL: http://www.lua.org/ # From: Reuben Thomas , Seo Sanghyeon @@ -12297,7 +13022,7 @@ >4 byte 0x52 version 5.2 #------------------------------------------------------------------------------ -# $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ +# $File$ # luks: file(1) magic for Linux Unified Key Setup # URL: http://luks.endorphin.org/spec # From: Anthon van der Neut @@ -12309,14 +13034,14 @@ >72 string x %s] >168 string x UUID: %s #------------------------------------------------------------------------------ -# $File: m4,v 1.1 2011/12/08 12:12:46 rrt Exp $ +# $File$ # make: file(1) magic for M4 scripts # 0 regex \^dnl\ M4 macro processor script text !:mime text/x-m4 #------------------------------------------------------------ -# $File: mach,v 1.17 2013/03/07 02:22:52 christos Exp $ +# $File: mach,v 1.18 2014/03/29 15:40:34 christos Exp $ # Mach has two magic numbers, 0xcafebabe and 0xfeedface. # Unfortunately the first, cafebabe, is shared with # Java ByteCode, so they are both handled in the file "cafebabe". @@ -12347,7 +13072,7 @@ >>>4 belong&0x00ffffff 10 vax8650 >>>4 belong&0x00ffffff 11 vax8800 >>>4 belong&0x00ffffff 12 uvaxIII ->>>4 belong&0x00ffffff >12 vax subarchitecture=%ld +>>>4 belong&0x00ffffff >12 vax subarchitecture=%d >>0 belong&0x00ffffff 2 romp >>0 belong&0x00ffffff 3 architecture=3 >>0 belong&0x00ffffff 4 ns32032 @@ -12367,40 +13092,40 @@ >>>>4 belong&0x00fffff0 0x30 pentium_2_m3 >>>>4 belong&0x00fffff0 0x40 pentium_2_m0x40 >>>>4 belong&0x00fffff0 0x50 pentium_2_m5 ->>>>4 belong&0x00fffff0 >0x50 pentium_2_m0x%lx +>>>>4 belong&0x00fffff0 >0x50 pentium_2_m0x%x >>>4 belong&0x0000000f 7 celeron ->>>>4 belong&0x00fffff0 0x00 \b_m0x%lx ->>>>4 belong&0x00fffff0 0x10 \b_m0x%lx ->>>>4 belong&0x00fffff0 0x20 \b_m0x%lx ->>>>4 belong&0x00fffff0 0x30 \b_m0x%lx ->>>>4 belong&0x00fffff0 0x40 \b_m0x%lx ->>>>4 belong&0x00fffff0 0x50 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x00 \b_m0x%x +>>>>4 belong&0x00fffff0 0x10 \b_m0x%x +>>>>4 belong&0x00fffff0 0x20 \b_m0x%x +>>>>4 belong&0x00fffff0 0x30 \b_m0x%x +>>>>4 belong&0x00fffff0 0x40 \b_m0x%x +>>>>4 belong&0x00fffff0 0x50 \b_m0x%x >>>>4 belong&0x00fffff0 0x60 >>>>4 belong&0x00fffff0 0x70 \b_mobile ->>>>4 belong&0x00fffff0 >0x70 \b_m0x%lx +>>>>4 belong&0x00fffff0 >0x70 \b_m0x%x >>>4 belong&0x0000000f 8 pentium_3 >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_m >>>>4 belong&0x00fffff0 0x20 \b_xeon ->>>>4 belong&0x00fffff0 >0x20 \b_m0x%lx +>>>>4 belong&0x00fffff0 >0x20 \b_m0x%x >>>4 belong&0x0000000f 9 pentiumM >>>>4 belong&0x00fffff0 0x00 ->>>>4 belong&0x00fffff0 >0x00 \b_m0x%lx +>>>>4 belong&0x00fffff0 >0x00 \b_m0x%x >>>4 belong&0x0000000f 10 pentium_4 >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_m ->>>>4 belong&0x00fffff0 >0x10 \b_m0x%lx +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x >>>4 belong&0x0000000f 11 itanium >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_2 ->>>>4 belong&0x00fffff0 >0x10 \b_m0x%lx +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x >>>4 belong&0x0000000f 12 xeon >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_mp ->>>>4 belong&0x00fffff0 >0x10 \b_m0x%lx ->>>4 belong&0x0000000f >12 ia32 family=%ld +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>4 belong&0x0000000f >12 ia32 family=%d >>>>4 belong&0x00fffff0 0x00 ->>>>4 belong&0x00fffff0 >0x00 model=%lx +>>>>4 belong&0x00fffff0 >0x00 model=%x >>0 belong&0x00ffffff 8 mips >>>4 belong&0x00ffffff 1 R2300 >>>4 belong&0x00ffffff 2 R2600 @@ -12409,35 +13134,35 @@ >>>4 belong&0x00ffffff 5 R2000 >>>4 belong&0x00ffffff 6 R3000a >>>4 belong&0x00ffffff 7 R3000 ->>>4 belong&0x00ffffff >7 subarchitecture=%ld +>>>4 belong&0x00ffffff >7 subarchitecture=%d >>0 belong&0x00ffffff 9 ns32532 >>0 belong&0x00ffffff 10 mc98000 >>0 belong&0x00ffffff 11 hppa >>>4 belong&0x00ffffff 0 7100 >>>4 belong&0x00ffffff 1 7100LC ->>>4 belong&0x00ffffff >1 subarchitecture=%ld +>>>4 belong&0x00ffffff >1 subarchitecture=%d >>0 belong&0x00ffffff 12 arm >>>4 belong&0x00ffffff 0 ->>>4 belong&0x00ffffff 1 subarchitecture=%ld ->>>4 belong&0x00ffffff 2 subarchitecture=%ld ->>>4 belong&0x00ffffff 3 subarchitecture=%ld ->>>4 belong&0x00ffffff 4 subarchitecture=%ld +>>>4 belong&0x00ffffff 1 subarchitecture=%d +>>>4 belong&0x00ffffff 2 subarchitecture=%d +>>>4 belong&0x00ffffff 3 subarchitecture=%d +>>>4 belong&0x00ffffff 4 subarchitecture=%d >>>4 belong&0x00ffffff 5 \b_v4t >>>4 belong&0x00ffffff 6 \b_v6 >>>4 belong&0x00ffffff 7 \b_v5tej >>>4 belong&0x00ffffff 8 \b_xscale >>>4 belong&0x00ffffff 9 \b_v7 >>>4 belong&0x00ffffff 10 \b_v7f ->>>4 belong&0x00ffffff 11 subarchitecture=%ld +>>>4 belong&0x00ffffff 11 subarchitecture=%d >>>4 belong&0x00ffffff 12 \b_v7k ->>>4 belong&0x00ffffff >12 subarchitecture=%ld +>>>4 belong&0x00ffffff >12 subarchitecture=%d # 13 m88k >>0 belong&0x00ffffff 13 >>>4 belong&0x00ffffff 0 mc88000 >>>4 belong&0x00ffffff 1 mc88100 >>>4 belong&0x00ffffff 2 mc88110 ->>>4 belong&0x00ffffff >2 mc88000 subarchitecture=%ld ->>0 belong&0x00ffffff 14 sparc +>>>4 belong&0x00ffffff >2 mc88000 subarchitecture=%d +>>0 belong&0x00ffffff 14 SPARC >>0 belong&0x00ffffff 15 i860g >>0 belong&0x00ffffff 16 alpha >>0 belong&0x00ffffff 17 rs6000 @@ -12455,36 +13180,36 @@ >>>4 belong&0x00ffffff 10 \b_7400 >>>4 belong&0x00ffffff 11 \b_7450 >>>4 belong&0x00ffffff 100 \b_970 ->>>4 belong&0x00ffffff >100 subarchitecture=%ld ->>0 belong&0x00ffffff >18 architecture=%ld +>>>4 belong&0x00ffffff >100 subarchitecture=%d +>>0 belong&0x00ffffff >18 architecture=%d >0 belong&0x01000000 0x01000000 # # 64-bit ABIs. # ->>0 belong&0x00ffffff 0 64-bit architecture=%ld ->>0 belong&0x00ffffff 1 64-bit architecture=%ld ->>0 belong&0x00ffffff 2 64-bit architecture=%ld ->>0 belong&0x00ffffff 3 64-bit architecture=%ld ->>0 belong&0x00ffffff 4 64-bit architecture=%ld ->>0 belong&0x00ffffff 5 64-bit architecture=%ld ->>0 belong&0x00ffffff 6 64-bit architecture=%ld +>>0 belong&0x00ffffff 0 64-bit architecture=%d +>>0 belong&0x00ffffff 1 64-bit architecture=%d +>>0 belong&0x00ffffff 2 64-bit architecture=%d +>>0 belong&0x00ffffff 3 64-bit architecture=%d +>>0 belong&0x00ffffff 4 64-bit architecture=%d +>>0 belong&0x00ffffff 5 64-bit architecture=%d +>>0 belong&0x00ffffff 6 64-bit architecture=%d >>0 belong&0x00ffffff 7 x86_64 ->>>4 belong&0x00ffffff 0 subarchitecture=%ld ->>>4 belong&0x00ffffff 1 subarchitecture=%ld ->>>4 belong&0x00ffffff 2 subarchitecture=%ld +>>>4 belong&0x00ffffff 0 subarchitecture=%d +>>>4 belong&0x00ffffff 1 subarchitecture=%d +>>>4 belong&0x00ffffff 2 subarchitecture=%d >>>4 belong&0x00ffffff 3 >>>4 belong&0x00ffffff 4 \b_arch1 ->>>4 belong&0x00ffffff >4 subarchitecture=%ld ->>0 belong&0x00ffffff 8 64-bit architecture=%ld ->>0 belong&0x00ffffff 9 64-bit architecture=%ld ->>0 belong&0x00ffffff 10 64-bit architecture=%ld ->>0 belong&0x00ffffff 11 64-bit architecture=%ld ->>0 belong&0x00ffffff 12 64-bit architecture=%ld ->>0 belong&0x00ffffff 13 64-bit architecture=%ld ->>0 belong&0x00ffffff 14 64-bit architecture=%ld ->>0 belong&0x00ffffff 15 64-bit architecture=%ld ->>0 belong&0x00ffffff 16 64-bit architecture=%ld ->>0 belong&0x00ffffff 17 64-bit architecture=%ld +>>>4 belong&0x00ffffff >4 subarchitecture=%d +>>0 belong&0x00ffffff 8 64-bit architecture=%d +>>0 belong&0x00ffffff 9 64-bit architecture=%d +>>0 belong&0x00ffffff 10 64-bit architecture=%d +>>0 belong&0x00ffffff 11 64-bit architecture=%d +>>0 belong&0x00ffffff 12 64-bit architecture=%d +>>0 belong&0x00ffffff 13 64-bit architecture=%d +>>0 belong&0x00ffffff 14 64-bit architecture=%d +>>0 belong&0x00ffffff 15 64-bit architecture=%d +>>0 belong&0x00ffffff 16 64-bit architecture=%d +>>0 belong&0x00ffffff 17 64-bit architecture=%d >>0 belong&0x00ffffff 18 ppc64 >>>4 belong&0x00ffffff 0 >>>4 belong&0x00ffffff 1 \b_601 @@ -12499,8 +13224,8 @@ >>>4 belong&0x00ffffff 10 \b_7400 >>>4 belong&0x00ffffff 11 \b_7450 >>>4 belong&0x00ffffff 100 \b_970 ->>>4 belong&0x00ffffff >100 subarchitecture=%ld ->>0 belong&0x00ffffff >18 64-bit architecture=%ld +>>>4 belong&0x00ffffff >100 subarchitecture=%d +>>0 belong&0x00ffffff >18 64-bit architecture=%d 0 name mach-o-be @@ -12518,7 +13243,7 @@ >12 belong 10 dSYM companion file >12 belong 11 kext bundle >12 belong >11 ->>12 belong x filetype=%ld +>>12 belong x filetype=%d # 0 lelong&0xfffffffe 0xfeedface Mach-O @@ -12530,7 +13255,7 @@ >0 use mach-o-be #------------------------------------------------------------------------------ -# $File: macintosh,v 1.23 2013/11/19 18:47:58 christos Exp $ +# $File: macintosh,v 1.24 2014/08/30 08:34:17 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -12818,20 +13543,38 @@ >0x412 beshort x number of blocks: %d, >0x424 pstring x volume name: %s +# *.hfs updated by Joerg Jenderek +# http://en.wikipedia.org/wiki/Hierarchical_File_System # "BD" gives many false positives -#0x400 beshort 0x4244 Macintosh HFS data -#>0 beshort 0x4C4B (bootable) -#>0x40a beshort &0x8000 (locked) -#>0x40a beshort ^0x0100 (mounted) -#>0x40a beshort &0x0200 (spared blocks) -#>0x40a beshort &0x0800 (unclean) -#>0x47C beshort 0x482B (Embedded HFS+ Volume) -#>0x402 beldate-0x7C25B080 x created: %s, -#>0x406 beldate-0x7C25B080 x last modified: %s, -#>0x440 beldate-0x7C25B080 >0 last backup: %s, -#>0x414 belong x block size: %d, -#>0x412 beshort x number of blocks: %d, -#>0x424 pstring x volume name: %s +0x400 beshort 0x4244 +# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h +# first block of volume bit map (always 3) +>0x40e ubeshort 0x0003 +# maximal length of volume name is 27 +>>0x424 ubyte <28 Macintosh HFS data +#!:mime application/octet-stream +# these mime and apple types are not sure +!:mime application/x-apple-diskimage +#!:apple hfsdINIT +#!:apple MACSdisk +>>>0 beshort 0x4C4B (bootable) +#>>>0 beshort 0x0000 (not bootable) +>>>0x40a beshort &0x8000 (locked) +>>>0x40a beshort ^0x0100 (mounted) +>>>0x40a beshort &0x0200 (spared blocks) +>>>0x40a beshort &0x0800 (unclean) +>>>0x47C beshort 0x482B (Embedded HFS+ Volume) +# http://www.epochconverter.com/ +# 0x7C245F00 seconds ~ 2082758400 ~ 01 Jan 2036 00:00:00 ~ 66 years to 1970 +# 0x7C25B080 seconds ~ 2082844800 ~ 02 Jan 2036 00:00:00 +# construct not working +#>>>0x402 beldate-0x7C25B080 x created: %s, +#>>>0x406 beldate-0x7C25B080 x last modified: %s, +#>>>0x440 beldate-0x7C25B080 >0 last backup: %s, +# found block sizes 200h,1200h,2800h +>>>0x414 belong x block size: %d, +>>>0x412 beshort x number of blocks: %d, +>>>0x424 pstring x volume name: %s 0x400 beshort 0x482B Macintosh HFS Extended >&0 beshort x version %d data @@ -12852,43 +13595,9 @@ >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d -# I don't think this is really necessary since it doesn't do much and -# anything with a valid driver descriptor will also have a valid -# partition map -#0 beshort 0x4552 Apple Device Driver data -#>&24 beshort =1 \b, MacOS - -# Is that the partition type a cstring or a pstring? Well, IM says "strings -# shorter than 32 bytes must be terminated with NULL" so I'll treat it as a -# cstring. Of course, partitions can contain more than four entries, but -# what're you gonna do? -# GRR: This magic is too weak, it is just "PM" -#0x200 beshort 0x504D Apple Partition data -#>0x2 beshort x (block size: %d): -#>0x230 string x first type: %s, -#>0x210 string x name: %s, -#>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D -#>>0x430 string x second type: %s, -#>>0x410 string x name: %s, -#>>0x454 belong x number of blocks: %d, -#>>0x600 beshort 0x504D -#>>>0x630 string x third type: %s, -#>>>0x610 string x name: %s, -#>>>0x654 belong x number of blocks: %d, -#>>0x800 beshort 0x504D -#>>>0x830 string x fourth type: %s, -#>>>0x810 string x name: %s, -#>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D -#>>>>0xa30 string x fifth type: %s, -#>>>>0xa10 string x name: %s, -#>>>>0xa54 belong x number of blocks: %d -#>>>0xc00 beshort 0x504D -#>>>>0xc30 string x sixth type: %s, -#>>>>0xc10 string x name: %s, -#>>>>0xc54 belong x number of blocks: %d ## AFAIK, only the signature is different +# same as Apple Partition Map +# GRR: This magic is too weak, it is just "TS" #0x200 beshort 0x5453 Apple Old Partition data #>0x2 beshort x block size: %d, #>0x230 string x first type: %s, @@ -12923,14 +13632,14 @@ >>&4 belong 0x504f5354 Mac OSX datafork font, PostScript #------------------------------------------------------------------------------ -# $File: macos,v 1.1 2012/12/21 16:41:07 christos Exp $ +# $File: cups,v 1.2 2012/11/02 21:50:29 christos Exp $ # MacOS files # 0 string book\0\0\0\0mark\0\0\0\0 MacOS Alias file #------------------------------------------------------------------------------ -# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ +# $File: magic,v 1.9 2009/09/19 16:28:10 christos Exp $ # magic: file(1) magic for magic files # 0 string/t #\ Magic magic text file for file(1) cmd @@ -12939,7 +13648,7 @@ 0 belong 0xF11E041C magic binary file for file(1) cmd >4 belong x (version %d) (big endian) #------------------------------------------------------------------------------ -# $File: mail.news,v 1.22 2013/01/04 14:22:07 christos Exp $ +# $File: mail.news,v 1.21 2012/06/21 01:44:52 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. @@ -13006,7 +13715,7 @@ >12 lelong =1 version 1, little-endian >12 belong x version %d, network-endian #------------------------------------------------------------------------------ -# $File: make,v 1.1 2011/12/08 12:12:46 rrt Exp $ +# $File$ # make: file(1) magic for makefiles # 0 regex \^CFLAGS makefile script text @@ -13021,8 +13730,33 @@ 0 regex \^SUBDIRS automake makefile script text !:mime text/x-makefile + #------------------------------------------------------------------------------ -# $File: maple,v 1.7 2013/01/11 16:45:23 christos Exp $ +# $File: msdos,v 1.99 2014/06/03 01:40:24 christos Exp $ +# map: file(1) magic for Map data +# + +# Garmin .FIT files http://pub.ks-and-ks.ne.jp/cycling/edge500_fit.shtml +8 string .FIT FIT Map data +>15 byte 0 +>>35 belong x \b, unit id %d +# 20 years after unix epoch +>>39 lelong x \b, serial %u +>>43 ledate/631152000 x \b, %s + +>>47 leshort x \b, manufacturer %d +>>47 leshort 1 \b (garmin) +>>49 leshort x \b, product %d +>>53 byte x \b, type %d +>>53 byte 1 \b (Device) +>>53 byte 2 \b (Settings) +>>53 byte 3 \b (Sports/Cycling) +>>53 byte 4 \b (Activity) +>>53 byte 8 \b (Elevations) +>>53 byte 10 \b (Totals) + +#------------------------------------------------------------------------------ +# $File: maple,v 1.6 2009/09/19 16:28:10 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" # Maple V release 4, a multi-purpose math program @@ -13091,23 +13825,23 @@ 20 string 45 # leader starts with 5 digits, followed by codes specific to MARC format ->0 regex/1 (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic +>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic !:mime application/marc ->0 regex/1 (^[0-9]{5})[acdnosx][z] MARC21 Authority +>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority !:mime application/marc ->0 regex/1 (^[0-9]{5})[cdn][uvxy] MARC21 Holdings +>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings !:mime application/marc -0 regex/1 (^[0-9]{5})[acdn][w] MARC21 Classification +0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification !:mime application/marc ->0 regex/1 (^[0-9]{5})[cdn][q] MARC21 Community +>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community !:mime application/marc # leader position 22-23, should be "00" but is it? ->0 regex/1 (^.{21})([^0]{2}) (non-conforming) +>0 regex/1l (^.{21})([^0]{2}) (non-conforming) !:mime application/marc #------------------------------------------------------------------------------ -# $File: mathcad,v 1.5 2009/09/19 16:28:10 christos Exp $ +# $File$ # mathcad: file(1) magic for Mathcad documents # URL: http://www.mathsoft.com/ # From: Josh Triplett @@ -13115,7 +13849,7 @@ 0 string .MCAD\t Mathcad document #------------------------------------------------------------------------------ -# $File: mathematica,v 1.7 2009/09/19 16:28:10 christos Exp $ +# $File$ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" # Mathematica a multi-purpose math program @@ -13185,7 +13919,7 @@ #------------------------------------------------------------------------------ -# $File: matroska,v 1.8 2013/02/08 17:25:16 christos Exp $ +# $File: matroska,v 1.7 2012/08/26 10:06:15 christos Exp $ # matroska: file(1) magic for Matroska files # # See http://www.matroska.org/ @@ -13202,7 +13936,7 @@ !:mime video/x-matroska #------------------------------------------------------------------------------ -# $File: mcrypt,v 1.5 2009/09/19 16:28:10 christos Exp $ +# $File$ # Mavroyanopoulos Nikos # mcrypt: file(1) magic for mcrypt 2.2.x; 0 string \0m\3 mcrypt 2.5 encrypted data, @@ -13240,7 +13974,7 @@ >5 byte 3 keymode: MD5 hash #------------------------------------------------------------------------------ -# $File: mercurial,v 1.4 2009/09/19 16:28:10 christos Exp $ +# $File$ # mercurial: file(1) magic for Mercurial changeset bundles # http://www.selenic.com/mercurial/wiki/ # @@ -13253,7 +13987,7 @@ >4 string BZ (bzip2 compressed) #------------------------------------------------------------------------------ -# $File: metastore,v 1.1 2011/04/06 12:37:44 christos Exp $ +# $File: mathematica,v 1.7 2009/09/19 16:28:10 christos Exp $ # metastore: file(1) magic for metastore files # From: Thomas Wissen # see http://david.hardeman.nu/software.php#metastore @@ -13261,7 +13995,56 @@ >10 bequad x version %0llx #------------------------------------------------------------------------------ -# $File: mime,v 1.6 2010/11/25 15:00:12 christos Exp $ +# $File: rinex,v 1.4 2011/05/03 01:44:17 christos Exp $ +# rinex: file(1) magic for RINEX files +# http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt +# ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf +# data for testing: ftp://cddis.gsfc.nasa.gov/pub/gps/data +60 string RINEX +>80 search/256 XXRINEXB RINEX Data, GEO SBAS Broadcast +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/broadcast +>80 search/256 XXRINEXD RINEX Data, Observation (Hatanaka comp) +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/observation +>80 search/256 XXRINEXC RINEX Data, Clock +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/clock +>80 search/256 XXRINEXH RINEX Data, GEO SBAS Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXG RINEX Data, GLONASS Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXL RINEX Data, Galileo Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXM RINEX Data, Meteorological +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/meteorological +>80 search/256 XXRINEXN RINEX Data, Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXO RINEX Data, Observation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/observation + +# https://en.wikipedia.org/wiki/GRIB +0 string GRIB +>7 byte =1 Gridded binary (GRIB) version 1 +>7 byte =2 Gridded binary (GRIB) version 2 + +#------------------------------------------------------------------------------ +# $File: mime,v 1.5 2009/09/19 16:28:10 christos Exp $ # mime: file(1) magic for MIME encoded files # 0 string/t Content-Type:\ @@ -13280,8 +14063,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x0162 MIPSEL-BE ECOFF executable >20 beshort 0407 (impure) @@ -13290,7 +14073,7 @@ >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d ->22 byte x \b.%ld +>22 byte x \b.%d # 0 beshort 0x6001 MIPSEB-LE ECOFF executable >20 beshort 03401 (impure) @@ -13299,7 +14082,7 @@ >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d ->22 byte x \b.%ld +>22 byte x \b.%d # 0 beshort 0x6201 MIPSEL ECOFF executable >20 beshort 03401 (impure) @@ -13307,8 +14090,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # # MIPS 2 additions # @@ -13318,8 +14101,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable >20 beshort 0407 (impure) @@ -13327,8 +14110,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable >20 beshort 03401 (impure) @@ -13336,8 +14119,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # 0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable >20 beshort 03401 (impure) @@ -13345,8 +14128,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # # MIPS 3 additions # @@ -13356,8 +14139,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable >20 beshort 0407 (impure) @@ -13365,8 +14148,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable >20 beshort 03401 (impure) @@ -13374,8 +14157,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # 0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable >20 beshort 03401 (impure) @@ -13383,14 +14166,14 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # 0 beshort 0x180 MIPSEB Ucode 0 beshort 0x182 MIPSEL-BE Ucode #------------------------------------------------------------------------------ -# $File: mirage,v 1.7 2009/09/19 16:28:10 christos Exp $ +# $File$ # mirage: file(1) magic for Mirage executables # # XXX - byte order? @@ -13420,8 +14203,13 @@ # From: Daniel Novotny 0 string MDMP\x93\xA7 MDMP crash report data +# Summary: abook addressbook file +# Submitted by: Mark Schreiber +0 string #\x20abook\x20addressbook\x20file abook address book +!:mime application/x-abook-addressbook + #------------------------------------------------------------------------------ -# $File: mkid,v 1.6 2009/09/19 16:28:10 christos Exp $ +# $File$ # mkid: file(1) magic for mkid(1) databases # # ID is the binary tags database produced by mkid(1). @@ -13432,7 +14220,7 @@ >2 short >0 version %d #------------------------------------------------------------------------------ -# $File: mlssa,v 1.4 2009/09/19 16:28:10 christos Exp $ +# $File$ # mlssa: file(1) magic for MLSSA datafiles # 0 lelong 0xffffabcd MLSSA datafile, @@ -13440,7 +14228,7 @@ >10 lelong x %d samples #------------------------------------------------------------------------------ -# $File: mmdf,v 1.6 2009/09/19 16:28:10 christos Exp $ +# $File$ # mmdf: file(1) magic for MMDF mail files # 0 string \001\001\001\001 MMDF mailbox @@ -13479,6 +14267,17 @@ 0 string PVF2\n portable voice format >5 string >\0 (ascii %s) +# From: Bernd Nuernberger +# Brooktrout G3 fax data incl. 128 byte header +# Common suffixes: 3??, BRK, BRT, BTR +0 leshort 0x01bb +>2 leshort 0x0100 Brooktrout 301 fax image, +>>9 leshort x %d x +>>0x2d leshort x %d +>>6 leshort 200 \b, fine resolution +>>6 leshort 100 \b, normal resolution +>>11 byte 1 \b, G3 compression +>>11 byte 2 \b, G32D compression #------------------------------------------------------------------------------ # $File: motorola,v 1.10 2009/09/19 16:28:11 christos Exp $ @@ -13521,27 +14320,27 @@ # not larger than 1 MB (which is a lot on ST). # The additional 0x601b distinction I took from Doug Lee's magic. 0 belong&0xFFFFFFF0 0x601A0000 Atari ST M68K contiguous executable ->2 belong x (txt=%ld, ->6 belong x dat=%ld, ->10 belong x bss=%ld, ->14 belong x sym=%ld) +>2 belong x (txt=%d, +>6 belong x dat=%d, +>10 belong x bss=%d, +>14 belong x sym=%d) 0 belong&0xFFFFFFF0 0x601B0000 Atari ST M68K non-contig executable ->2 belong x (txt=%ld, ->6 belong x dat=%ld, ->10 belong x bss=%ld, ->14 belong x sym=%ld) +>2 belong x (txt=%d, +>6 belong x dat=%d, +>10 belong x bss=%d, +>14 belong x sym=%d) # Atari ST/TT... program format (sent by Wolfram Kleff ) 0 beshort 0x601A Atari 68xxx executable, ->2 belong x text len %lu, ->6 belong x data len %lu, ->10 belong x BSS len %lu, ->14 belong x symboltab len %lu, +>2 belong x text len %u, +>6 belong x data len %u, +>10 belong x BSS len %u, +>14 belong x symboltab len %u, >18 belong 0 >22 belong &0x01 fastload flag, >22 belong &0x02 may be loaded to alternate RAM, >22 belong &0x04 malloc may be from alternate RAM, ->22 belong x flags: 0x%lX, +>22 belong x flags: 0x%X, >26 beshort 0 no relocation tab >26 beshort !0 + relocation tab >30 string SFX [Self-Extracting LZH SFX archive] @@ -13549,19 +14348,20 @@ >44 string ZIP! [Self-Extracting ZIP SFX archive] 0 beshort 0x0064 Atari 68xxx CPX file ->8 beshort x (version %04lx) +>8 beshort x (version %04x) #------------------------------------------------------------------------------ -# $File: mozilla,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: mozilla,v 1.5 2015/01/24 15:48:42 christos Exp $ # mozilla: file(1) magic for Mozilla XUL fastload files # (XUL.mfasl and XPC.mfasl) # URL: http://www.mozilla.org/ # From: Josh Triplett 0 string XPCOM\nMozFASL\r\n\x1A Mozilla XUL fastload data +0 string mozLz4a Mozilla lz4 compressed bookmark data #------------------------------------------------------------------------------ -# $File: msdos,v 1.86 2014/01/08 22:10:18 christos Exp $ +# $File: msdos,v 1.99 2014/06/03 01:40:24 christos Exp $ # msdos: file(1) magic for MS-DOS files # @@ -13603,9 +14403,9 @@ # Many of the compressed formats were extraced from IDARC 1.23 source code. # 0 string/b MZ -!:mime application/x-dosexec # All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. >0x18 leshort <0x40 MS-DOS executable +!:mime application/x-dosexec # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) @@ -13617,6 +14417,7 @@ # Maybe it's a PE? >>(0x3c.l) string PE\0\0 PE +!:mime application/x-dosexec >>>(0x3c.l+24) leshort 0x010b \b32 executable >>>(0x3c.l+24) leshort 0x020b \b32+ executable >>>(0x3c.l+24) leshort 0x0107 ROM image @@ -13695,8 +14496,10 @@ # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable +!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE +!:mime application/x-dosexec >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS @@ -13711,6 +14514,7 @@ >>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) >>(0x3c.l) string LX\0\0 \b, LX +!:mime application/x-dosexec >>>(0x3c.l+0x0a) leshort <1 (unknown OS) >>>(0x3c.l+0x0a) leshort 1 for OS/2 >>>(0x3c.l+0x0a) leshort 2 for MS Windows @@ -13729,8 +14533,10 @@ # MS Windows system file, supposedly a collection of LE executables >>(0x3c.l) string W3 \b, W3 for MS Windows +!:mime application/x-dosexec >>(0x3c.l) string LE\0\0 \b, LE executable +!:mime application/x-dosexec >>>(0x3c.l+0x0a) leshort 1 # some DOS extenders use LE files with OS/2 header >>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender @@ -13757,6 +14563,7 @@ # and definitely not NE/LE/LX/PE >>0x3c lelong >0x20000000 >>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS +!:mime application/x-dosexec # header data too small for extended executable >2 long !0 >>0x18 leshort <0x40 @@ -13764,17 +14571,19 @@ >>>>&(2.s-514) string !LE >>>>>&-2 string !BW \b, MZ for MS-DOS +!:mime application/x-dosexec >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender # educated guess since indirection is still not capable enough for complex offset # calculations (next embedded executable would be at &(&2*512+&0-2) # I suspect there are only LE executables in these multi-exe files >>>>&(2.s-514) string BW ->>>>>0x240 search/0x100 DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded) ->>>>>0x240 search/0x100 !DOS/4G ,\b BW collection for MS-DOS +>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) +>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS # This sequence skips to the first COFF segment, usually .text >(4.s*512) leshort 0x014c \b, COFF +!:mime application/x-dosexec >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s @@ -13934,7 +14743,7 @@ # they have their real name at offset 22 >>>>>22 string >\0 \b%-.5s >4 uleshort&0x8000 0x0000 -# 32 bit sector adressing ( > 32 MB) for block devices +# 32 bit sector addressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h >4 uleshort&0x0040 0x0040 \b,IOCTL- @@ -14139,16 +14948,48 @@ #ico files 0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows -# Windows icons (Ian Springer ) -0 string/b \000\000\001\000 MS Windows icon resource +# Windows icons +0 name ico-dir +# not entirely accurate, the number of icons is part of the header +>0 byte 1 - 1 icon +>0 ubyte >1 - %d icons +>2 byte 0 \b, 256x +>2 byte !0 \b, %dx +>3 byte 0 \b256 +>3 byte !0 \b%d +>4 ubyte !0 \b, %d colors + +0 belong 0x00000100 +>9 byte 0 +>>0 byte x MS Windows icon resource !:mime image/x-icon ->4 byte 1 - 1 icon ->4 byte >1 - %d icons ->>6 byte >0 \b, %dx ->>>7 byte >0 \b%d ->>8 byte 0 \b, 256-colors ->>8 byte >0 \b, %d-colors - +>>4 use ico-dir +>9 ubyte 0xff +>>0 byte x MS Windows icon resource +!:mime image/x-icon +>>4 use ico-dir + +# Windows non-animated cursors +0 name cur-dir +# not entirely accurate, the number of icons is part of the header +>0 byte 1 - 1 icon +>0 ubyte >1 - %d icons +>2 byte 0 \b, 256x +>2 byte !0 \b, %dx +>3 byte 0 \b256 +>3 byte !0 \b%d +>6 uleshort x \b, hotspot @%dx +>8 uleshort x \b%d + +0 belong 0x00000200 +>9 byte 0 +>>0 byte x MS Windows cursor resource +!:mime image/x-cur +>>4 use cur-dir +>9 ubyte 0xff +>>0 byte x MS Windows cursor resource +!:mime image/x-cur +>>4 use cur-dir # .chr files 0 string/b PK\010\010BGI Borland font @@ -14206,6 +15047,12 @@ 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file +# Debian#712046: The magic below identifies "Delphi compiled form data". +# An additional source of information is available at: +# http://www.woodmann.com/fravia/dafix_t1.htm +0 string TPF0 +>4 pstring >\0 Delphi compiled form '%s' + # tests for DBase files moved, updated and merged to database 0 string PMCC Windows 3.x .GRP file @@ -14263,6 +15110,19 @@ 0 leshort 0x223e9f78 TNEF !:mime application/vnd.ms-tnef +# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C +# of http://www.davep.org/norton-guides/ng2h-105.tgz +# http://en.wikipedia.org/wiki/Norton_Guides +0 string NG\0\001 +# only value 0x100 found at offset 2 +>2 ulelong 0x00000100 Norton Guide +# Title[40] +>>8 string >\0 "%-.40s" +#>>6 uleshort x \b, MenuCount=%u +# szCredits[5][66] +>>48 string >\0 \b, %-.66s +>>114 string >\0 %-.66s + # 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of http://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm @@ -14317,105 +15177,6 @@ >40 string \ EMF Windows Enhanced Metafile (EMF) image data >>44 ulelong x version 0x%x -# From: Alex Beregszaszi -0 string/b COWD VMWare3 ->4 byte 3 disk image ->>32 lelong x (%d/ ->>36 lelong x \b%d/ ->>40 lelong x \b%d) ->4 byte 2 undoable disk image ->>32 string >\0 (%s) - -0 string/b VMDK VMware4 disk image -0 string/b KDMV VMware4 disk image - -#-------------------------------------------------------------------- -# Qemu Emulator Images -# Lines written by Friedrich Schwittay (f.schwittay@yousable.de) -# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) -# Made by reading sources, reading documentation, and doing trial and error -# on existing QCOW files -0 string/b QFI\xFB QEMU QCOW Image - -# Uncomment the following line to display Magic (only used for debugging -# this magic number) -#>0 string/b x , Magic: %s - -# There are currently 2 Versions: "1" and "2". -# http://www.gnome.org/~markmc/qcow-image-format-version-1.html ->4 belong 1 (v1) - -# Using the existence of the Backing File Offset to determine whether -# to read Backing File Information ->>12 belong >0 \b, has backing file ( -# Note that this isn't a null-terminated string; the length is actually -# (16.L). Assuming a null-terminated string happens to work usually, but it -# may spew junk until it reaches a \0 in some cases. ->>>(12.L) string >\0 \bpath %s - -# Modification time of the Backing File -# Really useful if you want to know if your backing -# file is still usable together with this image ->>>>20 bedate >0 \b, mtime %s) ->>>>20 default x \b) - -# Size is stored in bytes in a big-endian u64. ->>24 bequad x \b, %lld bytes - -# 1 for AES encryption, 0 for none. ->>36 belong 1 \b, AES-encrypted - -# http://www.gnome.org/~markmc/qcow-image-format.html ->4 belong 2 (v2) -# Using the existence of the Backing File Offset to determine whether -# to read Backing File Information ->>8 bequad >0 \b, has backing file -# Note that this isn't a null-terminated string; the length is actually -# (16.L). Assuming a null-terminated string happens to work usually, but it -# may spew junk until it reaches a \0 in some cases. Also, since there's no -# .Q modifier, we just use the bottom four bytes as an offset. Note that if -# the file is over 4G, and the backing file path is stored after the first 4G, -# the wrong filename will be printed. (This should be (8.Q), when that syntax -# is introduced.) ->>>(12.L) string >\0 (path %s) ->>24 bequad x \b, %lld bytes ->>32 belong 1 \b, AES-encrypted - ->4 belong 3 (v3) -# Using the existence of the Backing File Offset to determine whether -# to read Backing File Information ->>8 bequad >0 \b, has backing file -# Note that this isn't a null-terminated string; the length is actually -# (16.L). Assuming a null-terminated string happens to work usually, but it -# may spew junk until it reaches a \0 in some cases. Also, since there's no -# .Q modifier, we just use the bottom four bytes as an offset. Note that if -# the file is over 4G, and the backing file path is stored after the first 4G, -# the wrong filename will be printed. (This should be (8.Q), when that syntax -# is introduced.) ->>>(12.L) string >\0 (path %s) ->>24 bequad x \b, %lld bytes ->>32 belong 1 \b, AES-encrypted - ->4 default x (unknown version) - -0 string/b QEVM QEMU suspend to disk image - -# QEMU QED Image -# http://wiki.qemu.org/Features/QED/Specification -0 string/b QED\0 QEMU QED Image - -# VDI Image -64 string/b \x7f\x10\xda\xbe VDI Image ->68 string/b \x01\x00\x01\x00 version 1.1 ->0 string >\0 (%s) ->368 lequad x \b, %lld bytes - -0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, ->32 string x type %s, ->48 string x subtype %s - -0 lelong 0x02468ace Bochs Sparse disk image - # from http://filext.com by Derek M Jones # False positive with PPT (also currently this string is too long) #0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer @@ -14449,8 +15210,8 @@ # URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp # From: Morten Hustveit 0 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), ->16 lelong >0 %hd x ->12 lelong >0 %hd, +>16 lelong >0 %d x +>12 lelong >0 %d, >84 string x %.4s # Type: Microsoft Document Imaging Format (.mdi) @@ -14499,7 +15260,7 @@ 0 string PK\003\004 !:strength +10 # make sure the first file is correct ->0x1E regex \[Content_Types\]\.xml|_rels/\.rels +>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels # skip to the second local file header # since some documents include a 520-byte extra field following the file # header, we need to scan for the next header @@ -14519,7 +15280,7 @@ >>>>&26 default x Microsoft OOXML #------------------------------------------------------------------------------ -# $File: msvc,v 1.5 2009/09/19 16:28:11 christos Exp $ +# $File$ # msvc: file(1) magic for msvc # "H. Nanosecond" # Microsoft visual C @@ -14566,7 +15327,7 @@ #------------------------------------------------------------------------------ # msx: file(1) magic for the MSX Home Computer # v1.1 -# Fábio R. Schmidlin +# Fabio R. Schmidlin ############## MSX Music file formats ############## @@ -14819,7 +15580,7 @@ #>>>0x7B string \0x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00 Metal Gear 1 savegame # ------------------------------------------------------------------------ -# $File: mup,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung @@ -14842,7 +15603,7 @@ >>8 string . >>>7 string x \b, need V%.3s #------------------------------------------------------------------------------ -# $File: music,v 1.1 2011/11/25 03:28:17 christos Exp $ +# $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $ # music: file (1) magic for music formats # BWW format used by Bagpipe Music Writer Gold by Robert MacNeil Musicworks @@ -14872,7 +15633,7 @@ 0 string RSRC National Instruments, # Check if it's a LabVIEW File >8 string LV LabVIEW File, -# Check wich kind of file is +# Check which kind of file it is >>10 string SB Code Resource File, data >>10 string IN Virtual Instrument Program, data >>10 string AR VI Library, data @@ -14895,27 +15656,27 @@ >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000615 Tower/XP rel 2 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000620 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000625 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000630 Tower32/600/400 68020 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000640 Tower32/800 68020 >18 beshort &020000 w/68881 object >18 beshort &040000 compatible object @@ -14923,17 +15684,29 @@ >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000645 Tower32/800 68010 >18 beshort &040000 compatible object >18 beshort &060000 object >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d + +#------------------------------------------------------------ +# $File: java,v 1.12 2009/09/19 16:28:10 christos Exp $ + +# From: Mikhail Gusarov +# NekoVM (http://nekovm.org/) bytecode +0 string NEKO NekoVM bytecode +>4 lelong x (%d global symbols, +>8 lelong x %d global fields, +>12 lelong x %d bytecode ops) +!:mime application/x-nekovm-bytecode + #------------------------------------------------------------------------------ -# $File: netbsd,v 1.20 2013/01/09 22:37:24 christos Exp $ +# $File: netbsd,v 1.21 2014/03/29 15:40:34 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. @@ -15033,25 +15806,25 @@ 0 belong&0377777777 045200507 a.out NetBSD/powerpc core >12 string >\0 from '%s' -0 belong&0377777777 042400413 a.out NetBSD/sparc demand paged +0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged >0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&0377777777 042400410 a.out NetBSD/sparc pure +0 belong&0377777777 042400410 a.out NetBSD/SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&0377777777 042400407 a.out NetBSD/sparc +0 belong&0377777777 042400407 a.out NetBSD/SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 belong !0 executable >>20 belong =0 object file >16 belong >0 not stripped -0 belong&0377777777 042400507 a.out NetBSD/sparc core +0 belong&0377777777 042400507 a.out NetBSD/SPARC core >12 string >\0 from '%s' >32 belong !0 (signal %d) @@ -15180,14 +15953,14 @@ # Kernel core dump format 0 belong&0x0000ffff 0x00008fca NetBSD kernel core file >0 belong&0x03ff0000 0x00000000 \b, Unknown ->0 belong&0x03ff0000 0x00001000 \b, sun 68010/68020 +>0 belong&0x03ff0000 0x00010000 \b, sun 68010/68020 >0 belong&0x03ff0000 0x00020000 \b, sun 68020 >0 belong&0x03ff0000 0x00640000 \b, 386 PC >0 belong&0x03ff0000 0x00860000 \b, i386 BSD >0 belong&0x03ff0000 0x00870000 \b, m68k BSD (8K pages) >0 belong&0x03ff0000 0x00880000 \b, m68k BSD (4K pages) >0 belong&0x03ff0000 0x00890000 \b, ns32532 BSD ->0 belong&0x03ff0000 0x008a0000 \b, sparc/32 BSD +>0 belong&0x03ff0000 0x008a0000 \b, SPARC/32 BSD >0 belong&0x03ff0000 0x008b0000 \b, pmax BSD >0 belong&0x03ff0000 0x008c0000 \b, vax BSD (1K pages) >0 belong&0x03ff0000 0x008d0000 \b, alpha BSD @@ -15195,20 +15968,24 @@ >0 belong&0x03ff0000 0x008f0000 \b, arm6 BSD >0 belong&0x03ff0000 0x00900000 \b, m68k BSD (2K pages) >0 belong&0x03ff0000 0x00910000 \b, sh3 BSD ->0 belong&0x03ff0000 0x00920000 \b, ppc BSD (Big Endian) ->0 belong&0x03ff0000 0x00930000 \b, vax BSD (4K pages) ->0 belong&0x03ff0000 0x00940000 \b, mips1 BSD ->0 belong&0x03ff0000 0x00950000 \b, mips2 BSD ->0 belong&0x03ff0000 0x00960000 \b, parisc BSD ->0 belong&0x03ff0000 0x00970000 \b, sh5/64 BSD ->0 belong&0x03ff0000 0x00980000 \b, sparc/64 BSD ->0 belong&0x03ff0000 0x00990000 \b, amd64 BSD ->0 belong&0x03ff0000 0x009a0000 \b, hp200 (68010) BSD ->0 belong&0x03ff0000 0x009b0000 \b, hp300 (68020+68881) BSD ->0 belong&0x03ff0000 0x009b0000 \b, hp300 (68020+68881) BSD ->0 belong&0x03ff0000 0x00c80000 \b, hp200 ->0 belong&0x03ff0000 0x020b0000 \b, hp300 (68020+68881) HP-UX ->0 belong&0x03ff0000 0x020c0000 \b, hp300 (68020+68881) HP-UX +>0 belong&0x03ff0000 0x00950000 \b, ppc BSD (Big Endian) +>0 belong&0x03ff0000 0x00960000 \b, vax BSD (4K pages) +>0 belong&0x03ff0000 0x00970000 \b, mips1 BSD +>0 belong&0x03ff0000 0x00980000 \b, mips2 BSD +>0 belong&0x03ff0000 0x00990000 \b, m88k BSD +>0 belong&0x03ff0000 0x00920000 \b, parisc BSD +>0 belong&0x03ff0000 0x009b0000 \b, sh5/64 BSD +>0 belong&0x03ff0000 0x009c0000 \b, SPARC/64 BSD +>0 belong&0x03ff0000 0x009d0000 \b, amd64 BSD +>0 belong&0x03ff0000 0x009e0000 \b, sh5/32 BSD +>0 belong&0x03ff0000 0x009f0000 \b, ia64 BSD +>0 belong&0x03ff0000 0x00b70000 \b, aarch64 BSD +>0 belong&0x03ff0000 0x00b80000 \b, or1k BSD +>0 belong&0x03ff0000 0x00b90000 \b, Risk-V BSD +>0 belong&0x03ff0000 0x00c80000 \b, hp200 BSD +>0 belong&0x03ff0000 0x012c0000 \b, hp300 BSD +>0 belong&0x03ff0000 0x020b0000 \b, hp800 HP-UX +>0 belong&0x03ff0000 0x020c0000 \b, hp200/hp300 HP-UX >0 belong&0xfc000000 0x04000000 \b, CPU >0 belong&0xfc000000 0x08000000 \b, DATA >0 belong&0xfc000000 0x10000000 \b, STACK @@ -15217,7 +15994,7 @@ >6 lelong x \b, segments = %d) #------------------------------------------------------------------------------ -# $File: netscape,v 1.6 2009/09/19 16:28:11 christos Exp $ +# $File$ # netscape: file(1) magic for Netscape files # "H. Nanosecond" # version 3 and 4 I think @@ -15242,14 +16019,14 @@ 0 string JG\004\016\0\0\0\0 ART #------------------------------------------------------------------------------ -# $File: netware,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # netware: file(1) magic for NetWare Loadable Modules (NLMs) # From: Mads Martin Joergensen 0 string NetWare\ Loadable\ Module NetWare Loadable Module #------------------------------------------------------------------------------ -# $File: news,v 1.6 2009/09/19 16:28:11 christos Exp $ +# $File$ # news: file(1) magic for SunOS NeWS fonts (not "news" as in "netnews") # 0 string StartFontMetrics ASCII font metrics @@ -15262,7 +16039,7 @@ 8 belong 0x137A2B48 X11/NeWS font family #------------------------------------------------------------------------------ -# $File: nitpicker,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: nitpicker,v 1.5 2014/04/28 12:04:50 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann http://www.nitpicker.de 0 string NPFF NItpicker Flow File @@ -15288,7 +16065,7 @@ 0 string %SEMI-OASIS\r\n OASIS Stream file #------------------------------------------------------------------------------ -# $File: ocaml,v 1.5 2010/09/20 18:55:20 rrt Exp $ +# $File: ocaml,v 1.4 2009/09/19 16:28:11 christos Exp $ # ocaml: file(1) magic for Objective Caml files. 0 string Caml1999 OCaml >8 string X exec file @@ -15302,13 +16079,13 @@ >9 string >\0 (Version %3.3s) #------------------------------------------------------------------------------ -# $File: octave,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # octave binary data file(1) magic, from Dirk Eddelbuettel 0 string Octave-1-L Octave binary data (little endian) 0 string Octave-1-B Octave binary data (big endian) #------------------------------------------------------------------------------ -# $File: ole2compounddocs,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (http://en.wikipedia.org/wiki/Structured_Storage) # Additional tests for OLE 2 Compound Documents should be under this recipe. @@ -15322,7 +16099,7 @@ > 0x480 string V\000i\000s\000i\000o\000D\000o\000c : Visio Document #------------------------------------------------------------------------------ -# $File: olf,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # olf: file(1) magic for OLF executables # # We have to check the byte order flag to see what byte order all the @@ -15427,7 +16204,8 @@ # Provided 1998/08/22 by # David Mediavilla 1 search/1 InternetShortcut MS Windows 95 Internet shortcut text ->24 search/1 >\ (URL=<%s>) +>17 search/100 URL= (URL=< +>>&0 string x \b%s>) # OS/2 URL objects # Provided 1998/08/22 by @@ -15468,7 +16246,7 @@ 0 string \xff\xff\xff\xff\x14\0\0\0 OS/2 INI #------------------------------------------------------------------------------ -# $File: os400,v 1.5 2009/09/19 16:28:11 christos Exp $ +# $File$ # os400: file(1) magic for IBM OS/400 files # # IBM OS/400 (i5/OS) Save file (SAVF) - gerardo.cacciari@gmail.com @@ -15507,7 +16285,7 @@ >&213 byte 0x30 \b, at least V2R3 to open #------------------------------------------------------------------------------ -# $File: os9,v 1.7 2011/05/13 22:15:54 christos Exp $ +# $File: os9,v 1.6 2009/09/19 16:28:11 christos Exp $ # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # @@ -15587,7 +16365,7 @@ >0x12 byte 15 device descriptor #------------------------------------------------------------------------------ -# $File: osf1,v 1.7 2009/09/19 16:28:11 christos Exp $ +# $File$ # # Mach magic number info # @@ -15597,7 +16375,7 @@ 0 short 0565 i386 COFF object #------------------------------------------------------------------------------ -# $File: palm,v 1.11 2013/12/31 19:18:02 christos Exp $ +# $File: palm,v 1.12 2014/03/28 19:11:40 christos Exp $ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor @@ -15738,8 +16516,12 @@ >>(0x4E.L+1) byte x %02d) # Palm OS .prc file types -60 string libr Palm OS dynamic library data ->0 string >\0 "%s" +60 string libr +# flags, only bit 0 or bit 6 +# http://en.wikipedia.org/wiki/PRC_%28Palm_OS%29 +# http://web.mit.edu/tytso/www/pilot/prc-format.html +>0x20 beshort&0xffbe 0 +>>0 string >\0 Palm OS dynamic library data "%s" 60 string ptch Palm OS operating system patch data >0 string >\0 "%s" @@ -15748,7 +16530,7 @@ >0 string >\0 "%s" #------------------------------------------------------------------------------ -# $File: parix,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # # Parix COFF executables # From: Ignatios Souvatzis @@ -15760,7 +16542,7 @@ >19 byte&0x02 0x00 object >19 byte&0x0c 0x00 not stripped #------------------------------------------------------------------------------ -# $File: parrot,v 1.1 2010/07/08 20:18:40 christos Exp $ +# $File$ # parrot: file(1) magic for Parrot Virtual Machine # URL: http://www.lua.org/ # From: Lubomir Rintel @@ -15787,13 +16569,13 @@ # 0 search/8192 (input, Pascal source text !:mime text/x-pascal -0 regex \^program Pascal source text -!:mime text/x-pascal -0 regex \^record Pascal source text -!:mime text/x-pascal +#0 regex \^program Pascal source text +#!:mime text/x-pascal +#0 regex \^record Pascal source text +#!:mime text/x-pascal #------------------------------------------------------------------------------ -# $File: pbf,v 1.1 2013/12/21 14:27:24 christos Exp $ +# $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $ # file(1) magic(5) data for OpenStreetMap # OpenStreetMap Protocolbuffer Binary Format (.osm.pbf) @@ -15804,7 +16586,7 @@ >>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format #------------------------------------------------------------------------------ -# $File: pbm,v 1.6 2009/09/19 16:28:11 christos Exp $ +# $File$ # pbm: file(1) magic for Portable Bitmap files # # XXX - byte order? @@ -15821,6 +16603,11 @@ >5 byte x \b, version %c >7 byte x \b.%c +0 string \012%PDF- PDF document +!:mime application/pdf +>6 byte x \b, version %c +>8 byte x \b.%c + # From: Nick Schmalenberger # Forms Data Format 0 string %FDF- FDF document @@ -15839,7 +16626,7 @@ # 0 leshort 0407 PDP-11 executable >8 leshort >0 not stripped ->15 byte >0 - version %ld +>15 byte >0 - version %d # updated by Joerg Jenderek at Mar 2013 # GRR: line below too general as it catches also Windows precompiled setup information *.PNF @@ -15852,11 +16639,11 @@ 0 leshort 0410 PDP-11 pure executable >8 leshort >0 not stripped ->15 byte >0 - version %ld +>15 byte >0 - version %d 0 leshort 0411 PDP-11 separate I&D executable >8 leshort >0 not stripped ->15 byte >0 - version %ld +>15 byte >0 - version %d 0 leshort 0437 PDP-11 kernel overlay @@ -15870,7 +16657,7 @@ 0 leshort 0431 PDP-11 overlaid separate executable >8 leshort >0 not stripped #------------------------------------------------------------------------------ -# $File: perl,v 1.21 2013/12/08 23:33:18 christos Exp $ +# $File: perl,v 1.22 2014/04/28 12:04:35 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. @@ -15889,7 +16676,7 @@ 0 search/1 #!\ /usr/bin/env\ perl Perl script text executable !:mime text/x-perl 0 search/1 #! ->0 regex \^#!.*/bin/perl$ Perl script text executable +>0 regex \^#!.*/bin/perl([[:space:]].*)*$ Perl script text executable !:mime text/x-perl # by Dmitry V. Levin and Alexey Tourbin @@ -15929,8 +16716,91 @@ >>4 byte =4 (major 2) >>5 byte >0 (minor %d) +# This is Debian #742949 by Zefram : +# ----------------------------------------------------------- +# The Perl module Hash::SharedMem +# defines a file format +# for a key/value store. Details of the file format are in the "DESIGN" +# file in the module distribution. Magic: +0 bequad =0xa58afd185cbf5af7 Hash::SharedMem master file, big-endian +>8 bequad <0x1000000 +>>15 byte >2 \b, line size 2^%d byte +>>14 byte >2 \b, page size 2^%d byte +>>13 byte &1 +>>>13 byte >1 \b, max fanout %d +0 lequad =0xa58afd185cbf5af7 Hash::SharedMem master file, little-endian +>8 lequad <0x1000000 +>>8 byte >2 \b, line size 2^%d byte +>>9 byte >2 \b, page size 2^%d byte +>>10 byte &1 +>>>10 byte >1 \b, max fanout %d +0 bequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, big-endian +>8 bequad <0x1000000 +>>15 byte >2 \b, line size 2^%d byte +>>14 byte >2 \b, page size 2^%d byte +>>13 byte &1 +>>>13 byte >1 \b, max fanout %d +0 lequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, little-endian +>8 lequad <0x1000000 +>>8 byte >2 \b, line size 2^%d byte +>>9 byte >2 \b, page size 2^%d byte +>>10 byte &1 +>>>10 byte >1 \b, max fanout %d + #------------------------------------------------------------------------------ -# $File: pgp,v 1.9 2009/09/19 16:28:11 christos Exp $ +# $File: matroska,v 1.8 2013/02/08 17:25:16 christos Exp $ +# pgf: file(1) magic for Progressive Graphics File (PGF) +# +# +# 2013 by Philipp Hahn +0 string PGF Progressive Graphics image data, +!:mime image/x-pgf +>3 string 2 version %s, +>3 string 4 version %s, +>3 string 5 version %s, +>3 string 6 version %s, +# PGFPreHeader +#>>4 lelong x header size %d, +# PGFHeader +>>8 lelong x %d x +>>12 lelong x %d, +>>16 byte x %d levels, +>>17 byte x compression level %d, +>>18 byte x %d bpp, +>>19 byte x %d channels, +>>20 clear x +>>20 byte 0 bitmap, +>>20 byte 1 gray scale, +>>20 byte 2 indexed color, +>>20 byte 3 RGB color, +>>20 byte 4 CYMK color, +>>20 byte 5 HSL color, +>>20 byte 6 HSB color, +>>20 byte 7 multi-channel, +>>20 byte 8 duo tone, +>>20 byte 9 LAB color, +>>20 byte 10 gray scale 16, +>>20 byte 11 RGB color 48, +>>20 byte 12 LAB color 48, +>>20 byte 13 CYMK color 64, +>>20 byte 14 deep multi-channel, +>>20 byte 15 duo tone 16, +>>20 byte 17 RGBA color, +>>20 byte 18 gray scale 32, +>>20 byte 19 RGB color 12, +>>20 byte 20 RGB color 16, +>>20 byte 255 unknown format, +>>20 default x format +>>>20 byte x \b %d, +>>21 byte x %d bpc +# PGFPostHeader +# Level-Sizes +#>>(4.l+4) lelong x level 0 size: %d +#>>(4.l+8) lelong x level 1 size: %d +#>>(4.l+12) lelong x level 2 size: %d + +#------------------------------------------------------------------------------ +# $File: pgp,v 1.10 2014/10/14 16:50:37 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # @@ -15951,20 +16821,462 @@ 2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- PGP public key block !:mime application/pgp-keys +>10 search/100 \n\n +>>&0 use pgp 0 string -----BEGIN\040PGP\40MESSAGE- PGP message !:mime application/pgp +>10 search/100 \n\n +>>&0 use pgp 0 string -----BEGIN\040PGP\40SIGNATURE- PGP signature !:mime application/pgp-signature - -#------------------------------------------------------------------------------ -# $File: pkgadd,v 1.6 2009/09/19 16:28:11 christos Exp $ +>10 search/100 \n\n +>>&0 use pgp + +# Decode the type of the packet based on it's base64 encoding. +# Idea from Mark Martinec +# The specification is in RFC 4880, section 4.2 and 4.3: +# http://tools.ietf.org/html/rfc4880#section-4.2 + +0 name pgp +>0 byte 0x67 Reserved (old) +>0 byte 0x68 Public-Key Encrypted Session Key (old) +>0 byte 0x69 Signature (old) +>0 byte 0x6a Symmetric-Key Encrypted Session Key (old) +>0 byte 0x6b One-Pass Signature (old) +>0 byte 0x6c Secret-Key (old) +>0 byte 0x6d Public-Key (old) +>0 byte 0x6e Secret-Subkey (old) +>0 byte 0x6f Compressed Data (old) +>0 byte 0x70 Symmetrically Encrypted Data (old) +>0 byte 0x71 Marker (old) +>0 byte 0x72 Literal Data (old) +>0 byte 0x73 Trust (old) +>0 byte 0x74 User ID (old) +>0 byte 0x75 Public-Subkey (old) +>0 byte 0x76 Unused (old) +>0 byte 0x77 +>>1 byte&0xc0 0x00 Reserved +>>1 byte&0xc0 0x40 Public-Key Encrypted Session Key +>>1 byte&0xc0 0x80 Signature +>>1 byte&0xc0 0xc0 Symmetric-Key Encrypted Session Key +>0 byte 0x78 +>>1 byte&0xc0 0x00 One-Pass Signature +>>1 byte&0xc0 0x40 Secret-Key +>>1 byte&0xc0 0x80 Public-Key +>>1 byte&0xc0 0xc0 Secret-Subkey +>0 byte 0x79 +>>1 byte&0xc0 0x00 Compressed Data +>>1 byte&0xc0 0x40 Symmetrically Encrypted Data +>>1 byte&0xc0 0x80 Marker +>>1 byte&0xc0 0xc0 Literal Data +>0 byte 0x7a +>>1 byte&0xc0 0x00 Trust +>>1 byte&0xc0 0x40 User ID +>>1 byte&0xc0 0x80 Public-Subkey +>>1 byte&0xc0 0xc0 Unused [z%x] +>0 byte 0x30 +>>1 byte&0xc0 0x00 Unused [0%x] +>>1 byte&0xc0 0x40 User Attribute +>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data +>>1 byte&0xc0 0xc0 Modification Detection Code + +# magic signatures to detect PGP crypto material (from stef) +# detects and extracts metadata from: +# - symmetric encrypted packet header +# - RSA (e=65537) secret (sub-)keys + +# 1024b RSA encrypted data + +0 string \x84\x8c\x03 PGP RSA encrypted session key - +>3 lelong x keyid: %X +>7 lelong x %X +>11 byte 0x01 RSA (Encrypt or Sign) 1024b +>11 byte 0x02 RSA Encrypt-Only 1024b +>12 string \x04\x00 +>12 string \x03\xff +>12 string \x03\xfe +>12 string \x03\xfd +>12 string \x03\xfc +>12 string \x03\xfb +>12 string \x03\xfa +>12 string \x03\xf9 +>142 byte 0xd2 . + +# 2048b RSA encrypted data + +0 string \x85\x01\x0c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 2048b +>12 byte 0x02 RSA Encrypt-Only 2048b +>13 string \x08\x00 +>13 string \x07\xff +>13 string \x07\xfe +>13 string \x07\xfd +>13 string \x07\xfc +>13 string \x07\xfb +>13 string \x07\xfa +>13 string \x07\xf9 +>271 byte 0xd2 . + +# 3072b RSA encrypted data + +0 string \x85\x01\x8c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 3072b +>12 byte 0x02 RSA Encrypt-Only 3072b +>13 string \x0c\x00 +>13 string \x0b\xff +>13 string \x0b\xfe +>13 string \x0b\xfd +>13 string \x0b\xfc +>13 string \x0b\xfb +>13 string \x0b\xfa +>13 string \x0b\xf9 +>399 byte 0xd2 . + +# 3072b RSA encrypted data + +0 string \x85\x02\x0c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 4096b +>12 byte 0x02 RSA Encrypt-Only 4096b +>13 string \x10\x00 +>13 string \x0f\xff +>13 string \x0f\xfe +>13 string \x0f\xfd +>13 string \x0f\xfc +>13 string \x0f\xfb +>13 string \x0f\xfa +>13 string \x0f\xf9 +>527 byte 0xd2 . + +# 4096b RSA encrypted data + +0 string \x85\x04\x0c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 8129b +>12 byte 0x02 RSA Encrypt-Only 8129b +>13 string \x20\x00 +>13 string \x1f\xff +>13 string \x1f\xfe +>13 string \x1f\xfd +>13 string \x1f\xfc +>13 string \x1f\xfb +>13 string \x1f\xfa +>13 string \x1f\xf9 +>1039 byte 0xd2 . + +# crypto algo mapper + +0 name crypto +>0 byte 0x00 Plaintext or unencrypted data +>0 byte 0x01 IDEA +>0 byte 0x02 TripleDES +>0 byte 0x03 CAST5 (128 bit key) +>0 byte 0x04 Blowfish (128 bit key, 16 rounds) +>0 byte 0x07 AES with 128-bit key +>0 byte 0x08 AES with 192-bit key +>0 byte 0x09 AES with 256-bit key +>0 byte 0x0a Twofish with 256-bit key + +# hash algo mapper + +0 name hash +>0 byte 0x01 MD5 +>0 byte 0x02 SHA-1 +>0 byte 0x03 RIPE-MD/160 +>0 byte 0x08 SHA256 +>0 byte 0x09 SHA384 +>0 byte 0x0a SHA512 +>0 byte 0x0b SHA224 + +# pgp symmetric encrypted data + +0 byte 0x8c PGP symmetric key encrypted data - +>1 byte 0x0d +>1 byte 0x0c +>2 byte 0x04 +>3 use crypto +>4 byte 0x01 salted - +>>5 use hash +>>14 byte 0xd2 . +>>14 byte 0xc9 . +>4 byte 0x03 salted & iterated - +>>5 use hash +>>15 byte 0xd2 . +>>15 byte 0xc9 . + +# encrypted keymaterial needs s2k & can be checksummed/hashed + +0 name chkcrypto +>0 use crypto +>1 byte 0x00 Simple S2K +>1 byte 0x01 Salted S2K +>1 byte 0x03 Salted&Iterated S2K +>2 use hash + +# all PGP keys start with this prolog +# containing version, creation date, and purpose + +0 name keyprolog +>0 byte 0x04 +>1 beldate x created on %s - +>5 byte 0x01 RSA (Encrypt or Sign) +>5 byte 0x02 RSA Encrypt-Only + +# end of secret keys known signature +# contains e=65537 and the prolog to +# the encrypted parameters + +0 name keyend +>0 string \x00\x11\x01\x00\x01 e=65537 +>5 use crypto +>5 byte 0xff checksummed +>>6 use chkcrypto +>5 byte 0xfe hashed +>>6 use chkcrypto + +# PGP secret keys contain also the public parts +# these vary by bitsize of the key + +0 name x1024 +>0 use keyprolog +>6 string \x03\xfe +>6 string \x03\xff +>6 string \x04\x00 +>136 use keyend + +0 name x2048 +>0 use keyprolog +>6 string \x80\x00 +>6 string \x07\xfe +>6 string \x07\xff +>264 use keyend + +0 name x3072 +>0 use keyprolog +>6 string \x0b\xfe +>6 string \x0b\xff +>6 string \x0c\x00 +>392 use keyend + +0 name x4096 +>0 use keyprolog +>6 string \x10\x00 +>6 string \x0f\xfe +>6 string \x0f\xff +>520 use keyend + +# \x00|\x1f[\xfe\xff]).{1024})' +0 name x8192 +>0 use keyprolog +>6 string \x20\x00 +>6 string \x1f\xfe +>6 string \x1f\xff +>1032 use keyend + +# depending on the size of the pkt +# we branch into the proper key size +# signatures defined as x{keysize} + +>0 name pgpkey +>0 string \x01\xd8 1024b +>>2 use x1024 +>0 string \x01\xeb 1024b +>>2 use x1024 +>0 string \x01\xfb 1024b +>>2 use x1024 +>0 string \x01\xfd 1024b +>>2 use x1024 +>0 string \x01\xf3 1024b +>>2 use x1024 +>0 string \x01\xee 1024b +>>2 use x1024 +>0 string \x01\xfe 1024b +>>2 use x1024 +>0 string \x01\xf4 1024b +>>2 use x1024 +>0 string \x02\x0d 1024b +>>2 use x1024 +>0 string \x02\x03 1024b +>>2 use x1024 +>0 string \x02\x05 1024b +>>2 use x1024 +>0 string \x02\x15 1024b +>>2 use x1024 +>0 string \x02\x00 1024b +>>2 use x1024 +>0 string \x02\x10 1024b +>>2 use x1024 +>0 string \x02\x04 1024b +>>2 use x1024 +>0 string \x02\x06 1024b +>>2 use x1024 +>0 string \x02\x16 1024b +>>2 use x1024 +>0 string \x03\x98 2048b +>>2 use x2048 +>0 string \x03\xab 2048b +>>2 use x2048 +>0 string \x03\xbb 2048b +>>2 use x2048 +>0 string \x03\xbd 2048b +>>2 use x2048 +>0 string \x03\xcd 2048b +>>2 use x2048 +>0 string \x03\xb3 2048b +>>2 use x2048 +>0 string \x03\xc3 2048b +>>2 use x2048 +>0 string \x03\xc5 2048b +>>2 use x2048 +>0 string \x03\xd5 2048b +>>2 use x2048 +>0 string \x03\xae 2048b +>>2 use x2048 +>0 string \x03\xbe 2048b +>>2 use x2048 +>0 string \x03\xc0 2048b +>>2 use x2048 +>0 string \x03\xd0 2048b +>>2 use x2048 +>0 string \x03\xb4 2048b +>>2 use x2048 +>0 string \x03\xc4 2048b +>>2 use x2048 +>0 string \x03\xc6 2048b +>>2 use x2048 +>0 string \x03\xd6 2048b +>>2 use x2048 +>0 string \x05X 3072b +>>2 use x3072 +>0 string \x05k 3072b +>>2 use x3072 +>0 string \x05{ 3072b +>>2 use x3072 +>0 string \x05} 3072b +>>2 use x3072 +>0 string \x05\x8d 3072b +>>2 use x3072 +>0 string \x05s 3072b +>>2 use x3072 +>0 string \x05\x83 3072b +>>2 use x3072 +>0 string \x05\x85 3072b +>>2 use x3072 +>0 string \x05\x95 3072b +>>2 use x3072 +>0 string \x05n 3072b +>>2 use x3072 +>0 string \x05\x7e 3072b +>>2 use x3072 +>0 string \x05\x80 3072b +>>2 use x3072 +>0 string \x05\x90 3072b +>>2 use x3072 +>0 string \x05t 3072b +>>2 use x3072 +>0 string \x05\x84 3072b +>>2 use x3072 +>0 string \x05\x86 3072b +>>2 use x3072 +>0 string \x05\x96 3072b +>>2 use x3072 +>0 string \x07[ 4096b +>>2 use x4096 +>0 string \x07\x18 4096b +>>2 use x4096 +>0 string \x07+ 4096b +>>2 use x4096 +>0 string \x07; 4096b +>>2 use x4096 +>0 string \x07= 4096b +>>2 use x4096 +>0 string \x07M 4096b +>>2 use x4096 +>0 string \x073 4096b +>>2 use x4096 +>0 string \x07C 4096b +>>2 use x4096 +>0 string \x07E 4096b +>>2 use x4096 +>0 string \x07U 4096b +>>2 use x4096 +>0 string \x07. 4096b +>>2 use x4096 +>0 string \x07> 4096b +>>2 use x4096 +>0 string \x07@ 4096b +>>2 use x4096 +>0 string \x07P 4096b +>>2 use x4096 +>0 string \x074 4096b +>>2 use x4096 +>0 string \x07D 4096b +>>2 use x4096 +>0 string \x07F 4096b +>>2 use x4096 +>0 string \x07V 4096b +>>2 use x4096 +>0 string \x0e[ 8192b +>>2 use x8192 +>0 string \x0e\x18 8192b +>>2 use x8192 +>0 string \x0e+ 8192b +>>2 use x8192 +>0 string \x0e; 8192b +>>2 use x8192 +>0 string \x0e= 8192b +>>2 use x8192 +>0 string \x0eM 8192b +>>2 use x8192 +>0 string \x0e3 8192b +>>2 use x8192 +>0 string \x0eC 8192b +>>2 use x8192 +>0 string \x0eE 8192b +>>2 use x8192 +>0 string \x0eU 8192b +>>2 use x8192 +>0 string \x0e. 8192b +>>2 use x8192 +>0 string \x0e> 8192b +>>2 use x8192 +>0 string \x0e@ 8192b +>>2 use x8192 +>0 string \x0eP 8192b +>>2 use x8192 +>0 string \x0e4 8192b +>>2 use x8192 +>0 string \x0eD 8192b +>>2 use x8192 +>0 string \x0eF 8192b +>>2 use x8192 +>0 string \x0eV 8192b +>>2 use x8192 + +# PGP RSA (e=65537) secret (sub-)key header + +0 byte 0x95 PGP Secret Key - +>1 use pgpkey +0 byte 0x97 PGP Secret Sub-key - +>1 use pgpkey +0 byte 0x9d PGP Secret Sub-key - +>1 use pgpkey + +#------------------------------------------------------------------------------ +# $File$ # pkgadd: file(1) magic for SysV R4 PKG Datastreams # 0 string #\ PaCkAgE\ DaTaStReAm pkg Datastream (SVR4) !:mime application/x-svr4-package #------------------------------------------------------------------------------ -# $File: plan9,v 1.5 2009/09/19 16:28:11 christos Exp $ +# $File$ # plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables # From: "Stefan A. Haubenthal" # @@ -15982,7 +17294,7 @@ 0 belong 0x0000084B Plan 9 executable, DEC Alpha #------------------------------------------------------------------------------ -# $File: plus5,v 1.6 2009/09/19 16:28:11 christos Exp $ +# $File$ # plus5: file(1) magic for Plus Five's UNIX MUMPS # # XXX - byte order? Paging Hokey.... @@ -16068,6 +17380,22 @@ 0 string \033%-12345X@PJL >&0 search/10000 %! PJL encapsulated PostScript document text +# Rick Richardson + +# For Fuji-Xerox Printers - HBPL stands for Host Based Printer Language +# For Oki Data Printers - HIPERC +# For Konica Minolta Printers - LAVAFLOW +# For Samsung Printers - QPDL +# For HP Printers - ZJS stands for Zenographics ZJStream +0 string \033%-12345X@PJL HP Printer Job Language data +>0 search/10000 @PJL\ ENTER\ LANGUAGE=HBPL - HBPL +>0 search/10000 @PJL\ ENTER\ LANGUAGE=HIPERC - Oki Data HIPERC +>0 search/10000 @PJL\ ENTER\ LANGUAGE=LAVAFLOW - Konica Minolta LAVAFLOW +>0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL +>0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL +>0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS + + # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data >3 string \&l0A - default page size @@ -16108,7 +17436,7 @@ #------------------------------------------------------------------------------ # zenographics: file(1) magic for Zenographics ZjStream printer data -# Rick Richardson rickr@mn.rr.com +# Rick Richardson 0 string JZJZ >0x12 string ZZ Zenographics ZjStream printer data (big-endian) 0 string ZJZJ @@ -16117,7 +17445,7 @@ #------------------------------------------------------------------------------ # Oak Technologies printer stream -# Rick Richardson +# Rick Richardson 0 string OAK >0x07 byte 0 >0x0b byte 0 Oak Technologies printer stream @@ -16134,7 +17462,7 @@ 0 string \x1b\x01@EJL Epson ESC/Page language printer data #------------------------------------------------------------------------------ -# $File: project,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File$ # project: file(1) magic for Project management # # Magic strings for ftnchek project files. Alexander Mai @@ -16144,7 +17472,7 @@ >10 string 3 version 2.11 or later #------------------------------------------------------------------------------ -# $File: psdbms,v 1.6 2009/09/19 16:28:11 christos Exp $ +# $File$ # psdbms: file(1) magic for psdatabase # 0 belong&0xff00ffff 0x56000000 ps database @@ -16152,7 +17480,7 @@ >4 string >\0 from kernel %s #------------------------------------------------------------------------------ -# $File: pulsar,v 1.5 2009/09/19 16:28:12 christos Exp $ +# $File$ # pulsar: file(1) magic for Pulsar POP3 daemon binary files # # http://pulsar.sourceforge.net @@ -16165,7 +17493,7 @@ #------------------------------------------------------------------------------ -# $File: pwsafe,v 1.1 2012/10/25 00:12:19 christos Exp $ +# $File: vax,v 1.7 2009/09/19 16:28:13 christos Exp $ # pwsafe: file(1) magic for passwordsafe file # # Password Safe @@ -16179,7 +17507,7 @@ 0 string PWS3 Password Safe V3 database #------------------------------------------------------------------------------ -# $File: pyramid,v 1.7 2009/09/19 16:28:12 christos Exp $ +# $File$ # pyramid: file(1) magic for Pyramids # # XXX - byte order? @@ -16191,7 +17519,7 @@ >16 long >0 not stripped #------------------------------------------------------------------------------ -# $File: python,v 1.23 2013/12/11 14:14:20 christos Exp $ +# $File: python,v 1.25 2014/05/06 16:08:32 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages @@ -16214,6 +17542,7 @@ 0 belong 0x4f0c0d0a python 3.1 byte-compiled 0 belong 0x6c0c0d0a python 3.2 byte-compiled 0 belong 0x9e0c0d0a python 3.3 byte-compiled +0 belong 0xee0c0d0a python 3.4 byte-compiled 0 search/1/w #!\ /usr/bin/python Python script text executable !:mime text/x-python @@ -16235,13 +17564,13 @@ !:mime text/x-python # comments -0 search/4096 ''' ->&0 regex .*'''$ Python script text executable -!:mime text/x-python +#0 search/4096 ''' +#>&0 regex .*'''$ Python script text executable +#!:mime text/x-python -0 search/4096 """ ->&0 regex .*"""$ Python script text executable -!:mime text/x-python +#0 search/4096 """ +#>&0 regex .*"""$ Python script text executable +#!:mime text/x-python # try: # except: or finally: @@ -16254,11 +17583,30 @@ # def name(args, args): 0 regex \^(\ |\\t){0,50}def\ {1,50}[a-zA-Z]{1,100} ->&0 regex \ {0,50}\\(([a-zA-Z]|,|\ ){1,500}\\):$ Python script text executable +>&0 regex \ {0,50}\\(([a-zA-Z]|,|\ ){1,255}\\):$ Python script text executable !:mime text/x-python #------------------------------------------------------------------------------ -# $File: revision,v 1.9 2013/02/06 14:18:52 christos Exp $ +# $File: qt,v 1.1 2014/12/12 16:48:39 christos Exp $ +# qt: file(1) magic for Qt + +# http://doc.qt.io/qt-5/resources.html +0 string \ Qt Resource Collection file + +# https://qt.gitorious.org/qt/qtbase/source/\ +# 5367fa356233da4c0f28172a8f817791525f5457:\ +# src/tools/rcc/rcc.cpp#L840 +0 string qres\0\0 Qt Binary Resource file +0 search/1024 The\040Resource\040Compiler\040for\040Qt Qt C-code resource file + +# https://qt.gitorious.org/qt/qtbase/source/\ +# 5367fa356233da4c0f28172a8f817791525f5457:\ +# src/corelib/kernel/qtranslator.cpp#L62 +0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 +>8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file + +#------------------------------------------------------------------------------ +# $File: revision,v 1.8 2010/11/25 15:00:12 christos Exp $ # file(1) magic for revision control files # From Hendrik Scholz 0 string/t /1\ :pserver: cvs password text file @@ -16310,12 +17658,72 @@ 0 string #\ Bazaar\ merge\ directive\ format Bazaar merge directive #------------------------------------------------------------------------------ -# $File: riff,v 1.24 2013/11/19 23:58:17 christos Exp $ +# $File: riff,v 1.30 2014/09/23 17:02:12 christos Exp $ # riff: file(1) magic for RIFF format # See # # http://www.seanet.com/users/matts/riffmci/riffmci.htm # + +# audio format tag. Assume limits: max 1024 bit, 128 channels, 1 MHz +0 name riff-wave +>0 leshort 1 \b, Microsoft PCM +>>14 leshort >0 +>>>14 leshort <1024 \b, %d bit +>0 leshort 2 \b, Microsoft ADPCM +>0 leshort 6 \b, ITU G.711 A-law +>0 leshort 7 \b, ITU G.711 mu-law +>0 leshort 8 \b, Microsoft DTS +>0 leshort 17 \b, IMA ADPCM +>0 leshort 20 \b, ITU G.723 ADPCM (Yamaha) +>0 leshort 49 \b, GSM 6.10 +>0 leshort 64 \b, ITU G.721 ADPCM +>0 leshort 80 \b, MPEG +>0 leshort 85 \b, MPEG Layer 3 +>0 leshort 0x2001 \b, DTS +>2 leshort =1 \b, mono +>2 leshort =2 \b, stereo +>2 leshort >2 +>>2 leshort <128 \b, %d channels +>4 lelong >0 +>>4 lelong <1000000 %d Hz + +# try to find "fmt " +0 name riff-walk +>0 string fmt\x20 +>>4 lelong <0x80 +>>>8 use riff-wave +>0 string LIST +>>&(4.l+4) use riff-walk +>0 string DISP +>>&(4.l+4) use riff-walk +>0 string bext +>>&(4.l+4) use riff-walk +>0 string Fake +>>&(4.l+4) use riff-walk +>0 string fact +>>&(4.l+4) use riff-walk +>0 string VP8 +>>11 byte 0x9d +>>>12 byte 0x01 +>>>>13 byte 0x2a \b, VP8 encoding +>>>>>14 leshort&0x3fff x \b, %d +>>>>>16 leshort&0x3fff x \bx%d, Scaling: +>>>>>14 leshort&0xc000 0x0000 \b [none] +>>>>>14 leshort&0xc000 0x1000 \b [5/4] +>>>>>14 leshort&0xc000 0x2000 \b [5/3] +>>>>>14 leshort&0xc000 0x3000 \b [2] +>>>>>14 leshort&0xc000 0x0000 \bx[none] +>>>>>14 leshort&0xc000 0x1000 \bx[5/4] +>>>>>14 leshort&0xc000 0x2000 \bx[5/3] +>>>>>14 leshort&0xc000 0x3000 \bx[2] +>>>>>15 byte&0x80 =0x00 \b, YUV color +>>>>>15 byte&0x80 =0x80 \b, bad color specification +>>>>>15 byte&0x40 =0x40 \b, no clamping required +>>>>>15 byte&0x40 =0x00 \b, decoders should clamp +#>0 string x we got %s +#>>&(4.l+4) use riff-walk + # AVI section extended by Patrik Radman # 0 string RIFF RIFF (little-endian) data @@ -16345,35 +17753,21 @@ # Microsoft WAVE format (*.wav) >8 string WAVE \b, WAVE audio !:mime audio/x-wav ->>20 leshort 1 \b, Microsoft PCM ->>>34 leshort >0 \b, %d bit ->>20 leshort 2 \b, Microsoft ADPCM ->>20 leshort 6 \b, ITU G.711 A-law ->>20 leshort 7 \b, ITU G.711 mu-law ->>20 leshort 8 \b, Microsoft DTS ->>20 leshort 17 \b, IMA ADPCM ->>20 leshort 20 \b, ITU G.723 ADPCM (Yamaha) ->>20 leshort 49 \b, GSM 6.10 ->>20 leshort 64 \b, ITU G.721 ADPCM ->>20 leshort 80 \b, MPEG ->>20 leshort 85 \b, MPEG Layer 3 ->>20 leshort 0x2001 \b, DTS ->>22 leshort =1 \b, mono ->>22 leshort =2 \b, stereo ->>22 leshort >2 \b, %d channels ->>24 lelong >0 %d Hz +>>12 string >\0 +>>>12 use riff-walk # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture !:mime image/x-coreldraw >8 string CDR6 \b, Corel Draw Picture, version 6 !:mime image/x-coreldraw +>8 string NUNDROOT \b, Steinberg CuBase # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI !:mime video/x-msvideo >>12 string LIST >>>20 string hdrlavih ->>>>&36 lelong x \b, %lu x ->>>>&40 lelong x %lu, +>>>>&36 lelong x \b, %u x +>>>>&40 lelong x %u, >>>>&4 lelong >1000000 <1 fps, >>>>&4 lelong 1000000 1.00 fps, >>>>&4 lelong 500000 2.00 fps, @@ -16493,6 +17887,9 @@ >8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV >8 string AMV\040 \b, AMV +>8 string WEBP \b, Web/P image +!:mime image/webp +>>12 use riff-walk # # XXX - some of the below may only appear in little-endian form. @@ -16569,9 +17966,8 @@ >>&6 leshort >2 \b, %d channels >>&8 lelong >0 %d Hz - #------------------------------------------------------------------------------ -# $File: rinex,v 1.4 2011/05/03 01:44:17 christos Exp $ +# $File: rinex,v 1.3 2011/04/04 21:12:03 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf @@ -16615,7 +18011,7 @@ !:mime rinex/observation #------------------------------------------------------------------------------ -# $File: rpm,v 1.12 2013/01/11 16:45:23 christos Exp $ +# $File: rpm,v 1.11 2011/06/14 12:47:41 christos Exp $ # # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) # @@ -16660,7 +18056,7 @@ >>10 string x %s #------------------------------------------------------------------------------ -# $File: rtf,v 1.7 2009/09/19 16:28:12 christos Exp $ +# $File$ # rtf: file(1) magic for Rich Text Format (RTF) # # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk @@ -16676,7 +18072,7 @@ >5 default x unknown version #------------------------------------------------------------------------------ -# $File: ruby,v 1.5 2010/07/21 16:47:17 christos Exp $ +# $File: ruby,v 1.4 2010/07/08 20:24:13 christos Exp $ # ruby: file(1) magic for Ruby scripting language # URL: http://www.ruby-lang.org/ # From: Reuben Thomas @@ -16704,14 +18100,14 @@ !:mime text/x-ruby #------------------------------------------------------------------------------ -# $File: sc,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File$ # sc: file(1) magic for "sc" spreadsheet # 38 string Spreadsheet sc spreadsheet file !:mime application/x-sc #------------------------------------------------------------------------------ -# $File: sccs,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File$ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: @@ -16824,12 +18220,12 @@ # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. 0 string HEADER\ \ \ \ ->&0 regex/1 \^.{40} ->>&0 regex/1 [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} ->>>&0 regex/1s [A-Z0-9]{4}.{14}$ ->>>>&0 regex/1 [A-Z0-9]{4} Protein Data Bank data, ID Code %s +>&0 regex/1l \^.{40} +>>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} +>>>&0 regex/1ls [A-Z0-9]{4}.{14}$ +>>>>&0 regex/1l [A-Z0-9]{4} Protein Data Bank data, ID Code %s !:mime chemical/x-pdb ->>>>0 regex/1 [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s +>>>>0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s # Type: GDSII Stream file 0 belong 0x00060002 GDSII Stream file @@ -16839,7 +18235,7 @@ >>5 byte x \b.%d #------------------------------------------------------------------------------ -# $File: securitycerts,v 1.4 2009/09/19 16:28:12 christos Exp $ +# $File$ 0 search/1 -----BEGIN\ CERTIFICATE------ RFC1421 Security Certificate text 0 search/1 -----BEGIN\ NEW\ CERTIFICATE RFC1421 Security Certificate Signing Request text 0 belong 0xedfeedfe Sun 'jks' Java Keystore File data @@ -16869,7 +18265,7 @@ #0 search gen_sens( SE Linux policy MLS constraints source #------------------------------------------------------------------------------ -# $File: sendmail,v 1.7 2009/09/19 16:28:12 christos Exp $ +# $File$ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? @@ -16889,42 +18285,84 @@ #------------------------------------------------------------------------------ -# $File: sequent,v 1.8 2009/09/19 16:28:12 christos Exp $ +# $File: sequent,v 1.11 2014/06/02 19:27:54 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins . # For Sequent's multiprocessor systems (incomplete). 0 lelong 0x00ea BALANCE NS32000 .o >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 lelong 0x10ea BALANCE NS32000 executable (0 @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 lelong 0x20ea BALANCE NS32000 executable (invalid @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 lelong 0x30ea BALANCE NS32000 standalone executable >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d # # Symmetry information added by Jason Merrill . # Symmetry magic nums will not be reached if DOS COM comes before them; # byte 0xeb is matched before these get a chance. 0 leshort 0x12eb SYMMETRY i386 .o >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 leshort 0x22eb SYMMETRY i386 executable (0 @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 leshort 0x32eb SYMMETRY i386 executable (invalid @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld -0 leshort 0x42eb SYMMETRY i386 standalone executable ->16 lelong >0 not stripped ->124 lelong >0 version %ld - -#------------------------------------------------------------------------------ -# $File: sgi,v 1.19 2013/01/12 03:09:51 christos Exp $ +>124 lelong >0 version %d +# http://en.wikipedia.org/wiki/Sequent_Computer_Systems +# below test line conflicts with MS-DOS 2.11 floppies and Acronis loader +#0 leshort 0x42eb SYMMETRY i386 standalone executable +0 leshort 0x42eb +# skip unlike negative version +>124 lelong >-1 +# assuming version 28867614 is very low probable +>>124 lelong !28867614 SYMMETRY i386 standalone executable +>>>16 lelong >0 not stripped +>>>124 lelong >0 version %d + +#------------------------------------------------------------------------------ +# $File: sereal,v 1.2 2014/11/11 20:10:49 christos Exp $ +# sereal: file(1) magic the Sereal binary serialization format +# +# From: Ævar Arnfjörð Bjarmason +# +# See the specification of the format at +# https://github.com/Sereal/Sereal/blob/master/sereal_spec.pod#document-header-format +# +# I'd have liked to do the byte&0xF0 matching against 0, 1, 2 ... by +# doing (byte&0xF0)>>4 here, but unfortunately that's not +# supported. So when we print out a message about an unknown format +# we'll print out e.g. 0x30 instead of the more human-readable +# 0x30>>4. +# +# See https://github.com/Sereal/Sereal/commit/35372ae01d in the +# Sereal.git repository for test Sereal data. +0 name sereal +>4 byte&0x0F x (version %d, +>4 byte&0xF0 0x00 uncompressed) +>4 byte&0xF0 0x10 compressed with non-incremental Snappy) +>4 byte&0xF0 0x20 compressed with incremental Snappy) +>4 byte&0xF0 >0x20 unknown subformat, flag: %d>>4) + +0 string/b \=srl Sereal data packet +!:mime application/sereal +>&0 use sereal +0 string/b \=\xF3rl Sereal data packet +!:mime application/sereal +>&0 use sereal +0 string/b \=\xC3\xB3rl Sereal data packet, UTF-8 encoded +!:mime application/sereal +>&0 use sereal + + +#------------------------------------------------------------------------------ +# $File: sgi,v 1.20 2014/03/10 00:53:38 christos Exp $ # sgi: file(1) magic for Silicon Graphics operating systems and applications # # Executable images are handled either in aout (for old-style a.out @@ -16941,16 +18379,16 @@ 0 beshort 0x0506 IRIS Showcase file >2 byte 0x49 - ->3 byte x - version %ld +>3 byte x - version %d 0 beshort 0x0226 IRIS Showcase template >2 byte 0x63 - ->3 byte x - version %ld +>3 byte x - version %d 0 belong 0x5343464d IRIS Showcase file ->4 byte x - version %ld +>4 byte x - version %d 0 belong 0x5443464d IRIS Showcase template ->4 byte x - version %ld +>4 byte x - version %d 0 belong 0xdeadbabe IRIX Parallel Arena ->8 belong >0 - version %ld +>8 belong >0 - version %d # core files # @@ -16973,7 +18411,7 @@ # Trusted IRIX info 0 string SGIAUDIT SGI Audit file >8 byte x - version %d ->9 byte x \b.%ld +>9 byte x \b.%d # 0 string WNGZWZSC Wingz compiled script 0 string WNGZWZSS Wingz spreadsheet @@ -17006,11 +18444,11 @@ #>20 lelong -2 temporal index #>20 lelong -1 metadata #>20 lelong 0 log volume #0 -#>20 lelong >0 log volume #%ld +#>20 lelong >0 log volume #%d >20 belong -2 temporal index >20 belong -1 metadata >20 belong 0 log volume #0 ->20 belong >0 log volume #%ld +>20 belong >0 log volume #%d >24 string >\0 host: %s 0 string PCPFolio PCP >9 string Version: Archive Folio @@ -17052,7 +18490,7 @@ >11 byte x dataformat %d # Alias Maya files -0 string/t //Maya ASCII Alias Maya Ascii File, +0 string/t //Maya\040ASCII Alias Maya Ascii File, >13 string >\0 version %s 8 string MAYAFOR4 Alias Maya Binary File, >32 string >\0 version %s scene @@ -17061,7 +18499,7 @@ 8 string CIMG Alias Maya Image File 8 string DEEP Alias Maya Image File #------------------------------------------------------------------------------ -# $File: sgml,v 1.30 2013/12/21 14:27:24 christos Exp $ +# $File: sgml,v 1.29 2012/08/26 10:25:41 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres 0 string \2 leshort >1 , %hd sections +>2 leshort >1 , %d sections >>12 lelong >0 , not stripped #------------------------------------------------------------------------------ -# $File: sinclair,v 1.5 2009/09/19 16:28:12 christos Exp $ +# $File$ # sinclair: file(1) sinclair QL # additions to /etc/magic by Thomas M. Ott (ThMO) @@ -17256,13 +18694,13 @@ >5 regex [0-9.]+ %s #------------------------------------------------------------------------------ -# $File: sketch,v 1.4 2009/09/19 16:28:12 christos Exp $ +# $File$ # Sketch Drawings: http://sketch.sourceforge.net/ # From: Edwin Mons 0 search/1 ##Sketch Sketch document text #----------------------------------------------- -# $File: smalltalk,v 1.5 2009/09/19 16:28:12 christos Exp $ +# $File$ # GNU Smalltalk image, starting at version 1.6.2 # From: catull_us@yahoo.com # @@ -17287,7 +18725,7 @@ #------------------------------------------------------------------------------ -# $File: smile,v 1.1 2011/08/17 17:37:18 christos Exp $ +# $File$ # smile: file(1) magic for Smile serialization # # The Smile serialization format uses a 4-byte header: @@ -17321,7 +18759,7 @@ #------------------------------------------------------------------------------ -# $File: sniffer,v 1.19 2013/01/06 01:11:04 christos Exp $ +# $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $ # sniffer: file(1) magic for packet capture files # # From: guy@alum.mit.edu (Guy Harris) @@ -17592,7 +19030,7 @@ 0 string \xaa\xaa\xaa\xaa 5View capture file #------------------------------------------------------------------------------ -# $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ +# $File$ # softquad: file(1) magic for SoftQuad Publishing Software # # Author/Editor and RulesBuilder @@ -17629,7 +19067,7 @@ 0 string X\ ps SoftQuad troff Context intermediate for PostScript #------------------------------------------------------------------------------ -# $File: spec,v 1.4 2009/09/19 16:28:12 christos Exp $ +# $File$ # spec: file(1) magic for SPEC raw results (*.raw, *.rsf) # # Cloyce D. Spradling @@ -17650,7 +19088,7 @@ >>16 string <: v%.4s raw result text #------------------------------------------------------------------------------ -# $File: spectrum,v 1.7 2010/09/20 18:55:20 rrt Exp $ +# $File: spectrum,v 1.6 2009/09/19 16:28:12 christos Exp $ # spectrum: file(1) magic for Spectrum emulator files. # # John Elliott @@ -17704,7 +19142,7 @@ >7 byte x \b, version 0x%02x #------------------------------------------------------------------------------ -# $File: sql,v 1.13 2013/08/27 04:02:33 christos Exp $ +# $File: sql,v 1.14 2014/04/28 12:04:50 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" @@ -17773,7 +19211,7 @@ # SQLite Write-Ahead Log from SQLite version >= 3.7.0 # http://www.sqlite.org/fileformat.html#walformat 0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, ->4 belong x version %ld +>4 belong x version %d # SQLite Rollback Journal # http://www.sqlite.org/fileformat.html#rollbackjournal @@ -17790,12 +19228,14 @@ 0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, >28 string >\0 version %s +0 string -----BEGIN\ OPENSSH\ PRIVATE\ KEY----- OpenSSH private key 0 string ssh-dss\ OpenSSH DSA public key 0 string ssh-rsa\ OpenSSH RSA public key 0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key +0 string ssh-ed25519 OpenSSH ED25519 public key # Type: OpenSSL certificates/key files # From: Nicolas Collignon @@ -17806,7 +19246,7 @@ 0 string -----BEGIN\ EC\ PRIVATE PEM EC private key #------------------------------------------------------------------------------ -# $File: sun,v 1.25 2013/01/09 22:37:24 christos Exp $ +# $File: sun,v 1.26 2014/03/29 15:40:34 christos Exp $ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x @@ -17815,7 +19255,7 @@ # are in aout, as they're indistinguishable from other big-endian # 32-bit a.out files. # -0 belong&077777777 0600413 a.out SunOS sparc demand paged +0 belong&077777777 0600413 a.out SunOS SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable @@ -17823,12 +19263,12 @@ >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&077777777 0600410 a.out SunOS sparc pure +0 belong&077777777 0600410 a.out SunOS SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&077777777 0600407 a.out SunOS sparc +0 belong&077777777 0600407 a.out SunOS SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped @@ -17903,7 +19343,7 @@ # which is the IANA registry of Snoop datalink types) # 0 string snoop Snoop capture file ->8 belong >0 - version %ld +>8 belong >0 - version %d >12 belong 0 (IEEE 802.3) >12 belong 1 (IEEE 802.4) >12 belong 2 (IEEE 802.5) @@ -17914,24 +19354,24 @@ >12 belong 7 (IBM channel-to-channel adapter) >12 belong 8 (FDDI) >12 belong 9 (Other) ->12 belong 10 (type %ld) ->12 belong 11 (type %ld) ->12 belong 12 (type %ld) ->12 belong 13 (type %ld) ->12 belong 14 (type %ld) ->12 belong 15 (type %ld) +>12 belong 10 (type %d) +>12 belong 11 (type %d) +>12 belong 12 (type %d) +>12 belong 13 (type %d) +>12 belong 14 (type %d) +>12 belong 15 (type %d) >12 belong 16 (Fibre Channel) >12 belong 17 (ATM) >12 belong 18 (ATM Classical IP) ->12 belong 19 (type %ld) ->12 belong 20 (type %ld) ->12 belong 21 (type %ld) ->12 belong 22 (type %ld) ->12 belong 23 (type %ld) ->12 belong 24 (type %ld) ->12 belong 25 (type %ld) +>12 belong 19 (type %d) +>12 belong 20 (type %d) +>12 belong 21 (type %d) +>12 belong 22 (type %d) +>12 belong 23 (type %d) +>12 belong 24 (type %d) +>12 belong 25 (type %d) >12 belong 26 (IP over Infiniband) ->12 belong >26 (type %ld) +>12 belong >26 (type %d) #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a @@ -17949,7 +19389,7 @@ #------------------------------------------------------------------------------ # msx: file(1) magic for the SymbOS operating system # http://www.symbos.de -# Fábio R. Schmidlin +# Fabio R. Schmidlin # SymbOS EXE file 0x30 string SymExe SymbOS executable @@ -18338,13 +19778,13 @@ >0 regex \^package[\ \t]+req Tcl script #------------------------------------------------------------------------------ -# $File: teapot,v 1.4 2009/09/19 16:28:12 christos Exp $ +# $File$ # teapot: file(1) magic for "teapot" spreadsheet # 0 string #!teapot\012xdr teapot work sheet (XDR format) #------------------------------------------------------------------------------ -# $File: terminfo,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File$ # terminfo: file(1) magic for terminfo # # XXX - byte order for screen images? @@ -18461,8 +19901,39 @@ 0 string #LyX LyX document text +# ConTeXt documents +# http://wiki.contextgarden.net/ +0 search/4096 \\setupcolors[ ConTeXt document text +!:strength + 15 +0 search/4096 \\definecolor[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupinteraction[ ConTeXt document text +!:strength + 15 +0 search/4096 \\useURL[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuppapersize[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuplayout[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupfooter[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupfootertexts[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuppagenumbering[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupbodyfont[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuphead[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupitemize[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupwhitespace[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupindenting[ ConTeXt document text +!:strength + 15 + #------------------------------------------------------------------------------ -# $File: tgif,v 1.7 2010/09/20 19:03:46 rrt Exp $ +# $File: tgif,v 1.6 2010/09/20 18:55:20 rrt Exp $ # file(1) magic for tgif(1) files # From Hendrik Scholz 0 string %TGIF\ Tgif file version @@ -18691,7 +20162,7 @@ >49 byte 0x24 type: application, >49 byte 0x25 type: certificate, >49 byte 0x3e type: license, ->74 lelong >0 size: %ld bytes +>74 lelong >0 size: %d bytes # VTi & TiEmu skins (TI Graphing Calculators). # From: Romain Lievin (roms@lpg.ticalc.org). @@ -18708,7 +20179,7 @@ >>10 byte x \b%c #------------------------------------------------------------------------------ -# $File: timezone,v 1.11 2009/09/19 16:28:12 christos Exp $ +# $File$ # timezone: file(1) magic for timezone data # # from Daniel Quinlan (quinlan@yggdrasil.com) @@ -18756,9 +20227,9 @@ !:mime text/troff 0 search/1 ''' troff or preprocessor input text !:mime text/troff -0 regex/20 \^\\.[A-Za-z0-9][A-Za-z0-9][\ \t] troff or preprocessor input text +0 regex/20l \^\\.[A-Za-z0-9][A-Za-z0-9][\ \t] troff or preprocessor input text !:mime text/troff -0 regex/20 \^\\.[A-Za-z0-9][A-Za-z0-9]$ troff or preprocessor input text +0 regex/20l \^\\.[A-Za-z0-9][A-Za-z0-9]$ troff or preprocessor input text !:mime text/troff # ditroff intermediate output text @@ -18778,7 +20249,7 @@ 0 string \100\357 very old (C/A/T) troff output data #------------------------------------------------------------------------------ -# $File: tuxedo,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File$ # tuxedo: file(1) magic for BEA TUXEDO data files # # from Ian Springer @@ -18786,7 +20257,7 @@ 0 string \0\0\1\236\0\0\0\0\0\0\0\0\0\0\0\0 BEA TUXEDO DES mask data #------------------------------------------------------------------------------ -# $File: typeset,v 1.8 2009/09/19 16:28:13 christos Exp $ +# $File$ # typeset: file(1) magic for other typesetting # 0 string Interpress/Xerox Xerox InterPress data @@ -18794,7 +20265,7 @@ >>17 string >\0 %s) #------------------------------------------------------------------------------ -# $File: unicode,v 1.6 2010/09/20 18:55:20 rrt Exp $ +# $File: unicode,v 1.5 2009/09/19 16:28:13 christos Exp $ # Unicode: BOM prefixed text files - Adrian Havill # GRR: These types should be recognised in file_ascmagic so these # encodings can be treated by text patterns. @@ -18810,7 +20281,7 @@ 0 string \016\376\377 Unicode text, SCSU (Standard Compression Scheme for Unicode) #------------------------------------------------------------------------------ -# $File: unknown,v 1.8 2013/01/09 22:37:24 christos Exp $ +# $File: unknown,v 1.7 2009/09/19 16:28:13 christos Exp $ # unknown: file(1) magic for unknown machines # # 0x107 is 0407, 0x108 is 0410, and 0x109 is 0411; those are all PDP-11 @@ -18844,7 +20315,7 @@ 0 long 0x10e unknown readable demand paged pure executable #------------------------------------------------------------------------------ -# $File: uterus,v 1.1 2012/12/18 18:53:32 christos Exp $ +# $File: uterus,v 1.2 2014/04/28 12:04:50 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # @@ -18860,7 +20331,7 @@ >10 byte &8 \b, compressed #------------------------------------------------------------------------------ -# $File: uuencode,v 1.7 2009/09/19 16:28:13 christos Exp $ +# $File$ # uuencode: file(1) magic for ASCII-encoded files # @@ -18917,7 +20388,7 @@ >7 string >\0 version '%s' # gnu gmon magic From: Eugen Dedu 0 string gmon GNU prof performance data ->4 long x - version %ld +>4 long x - version %d # From: Dave Pearson # Harbour HRB files. 0 string \xc0HRB Harbour HRB file @@ -18942,24 +20413,52 @@ 0 string/t #!\ / a >3 string >\0 %s script text executable !:strength / 2 + +0 string/b #!\ / a +>3 string >\0 %s script executable (binary data) +!:strength / 2 + 0 string/t #!\t/ a >3 string >\0 %s script text executable !:strength / 2 + +0 string/b #!\t/ a +>3 string >\0 %s script executable (binary data) +!:strength / 2 + 0 string/t #!/ a >2 string >\0 %s script text executable !:strength / 2 + +0 string/b #!/ a +>2 string >\0 %s script executable (binary data) +!:strength / 2 + 0 string/t #!\ script text executable >3 string >\0 for %s !:strength / 3 +0 string/b #!\ script executable +>3 string >\0 for %s (binary data) +!:strength / 3 + # using env 0 string/t #!/usr/bin/env a >15 string/t >\0 %s script text executable !:strength / 10 + +0 string/b #!/usr/bin/env a +>15 string/b >\0 %s script executable (binary data) +!:strength / 10 + 0 string/t #!\ /usr/bin/env a >16 string/t >\0 %s script text executable !:strength / 10 +0 string/b #!\ /usr/bin/env a +>16 string/b >\0 %s script executable (binary data) +!:strength / 10 + # From: arno # mozilla xpconnect typelib # see http://www.mozilla.org/scriptable/typelib_file.html @@ -18989,13 +20488,13 @@ # 0 leshort 0570 VAX COFF executable >12 lelong >0 not stripped ->22 leshort >0 - version %ld +>22 leshort >0 - version %d 0 leshort 0575 VAX COFF pure executable >12 lelong >0 not stripped ->22 leshort >0 - version %ld +>22 leshort >0 - version %d #------------------------------------------------------------------------------ -# $File: vicar,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File$ # vicar: file(1) magic for VICAR files. # # From: Ossama Othman # Microsoft hard disk images for: # Virtual Server @@ -19021,15 +20520,121 @@ # .vhd 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC +# libvirt +# From: Philipp Hahn +0 string LibvirtQemudSave Libvirt QEMU Suspend Image +>0x10 lelong x \b, version %u +>0x14 lelong x \b, XML length %u +>0x18 lelong 1 \b, running +>0x1c lelong 1 \b, compressed + +0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image +# From: Alex Beregszaszi +0 string/b COWD VMWare3 +>4 byte 3 disk image +>>32 lelong x (%d/ +>>36 lelong x \b%d/ +>>40 lelong x \b%d) +>4 byte 2 undoable disk image +>>32 string >\0 (%s) + +0 string/b VMDK VMware4 disk image +0 string/b KDMV VMware4 disk image + +#-------------------------------------------------------------------- +# Qemu Emulator Images +# Lines written by Friedrich Schwittay (f.schwittay@yousable.de) +# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) +# Made by reading sources, reading documentation, and doing trial and error +# on existing QCOW files +0 string/b QFI\xFB QEMU QCOW Image + +# Uncomment the following line to display Magic (only used for debugging +# this magic number) +#>0 string/b x , Magic: %s + +# There are currently 2 Versions: "1" and "2". +# http://www.gnome.org/~markmc/qcow-image-format-version-1.html +>4 belong 1 (v1) + +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>12 belong >0 \b, has backing file ( +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. +>>>(12.L) string >\0 \bpath %s + +# Modification time of the Backing File +# Really useful if you want to know if your backing +# file is still usable together with this image +>>>>20 bedate >0 \b, mtime %s) +>>>>20 default x \b) + +# Size is stored in bytes in a big-endian u64. +>>24 bequad x \b, %lld bytes + +# 1 for AES encryption, 0 for none. +>>36 belong 1 \b, AES-encrypted + +# http://www.gnome.org/~markmc/qcow-image-format.html +>4 belong 2 (v2) +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>8 bequad >0 \b, has backing file +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. Also, since there's no +# .Q modifier, we just use the bottom four bytes as an offset. Note that if +# the file is over 4G, and the backing file path is stored after the first 4G, +# the wrong filename will be printed. (This should be (8.Q), when that syntax +# is introduced.) +>>>(12.L) string >\0 (path %s) +>>24 bequad x \b, %lld bytes +>>32 belong 1 \b, AES-encrypted + +>4 belong 3 (v3) +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>8 bequad >0 \b, has backing file +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. Also, since there's no +# .Q modifier, we just use the bottom four bytes as an offset. Note that if +# the file is over 4G, and the backing file path is stored after the first 4G, +# the wrong filename will be printed. (This should be (8.Q), when that syntax +# is introduced.) +>>>(12.L) string >\0 (path %s) +>>24 bequad x \b, %lld bytes +>>32 belong 1 \b, AES-encrypted + +>4 default x (unknown version) + +0 string/b QEVM QEMU suspend to disk image + +# QEMU QED Image +# http://wiki.qemu.org/Features/QED/Specification +0 string/b QED\0 QEMU QED Image + +# VDI Image # Sun xVM VirtualBox Disk Image # From: Richard W.M. Jones # VirtualBox Disk Image 0x40 ulelong 0xbeda107f VirtualBox Disk Image >0x44 uleshort >0 \b, major %u >0x46 uleshort >0 \b, minor %u +>0 string >\0 (%s) +>368 lequad x \b, %lld bytes + +0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, +>32 string x type %s, +>48 string x subtype %s + +0 lelong 0x02468ace Bochs Sparse disk image + #------------------------------------------------------------------------------ -# $File: virtutech,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File$ # Virtutech Compressed Random Access File Format # # From @@ -19041,7 +20646,7 @@ >24 belong 0 not clean #------------------------------------------------------------------------------ -# $File: visx,v 1.5 2009/09/19 16:28:13 christos Exp $ +# $File$ # visx: file(1) magic for Visx format files # 0 short 0x5555 VISX image file @@ -19073,7 +20678,7 @@ >2 string .VISIX (ascii text) #------------------------------------------------------------------------------ -# $File: vms,v 1.7 2013/03/09 22:36:00 christos Exp $ +# $File: vms,v 1.8 2014/08/17 12:58:54 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) @@ -19103,13 +20708,13 @@ >>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption #------------------------------------------------------------------------------ -# $File: vmware,v 1.7 2009/09/19 16:28:13 christos Exp $ +# $File$ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) 0 belong 0x4d52564e VMware nvram #------------------------------------------------------------------------------ -# $File: vorbis,v 1.16 2009/09/19 16:28:13 christos Exp $ +# $File: vorbis,v 1.20 2014/09/23 16:35:08 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner @@ -19132,7 +20737,6 @@ # --- Ogg Framing --- #0 search/1000 OggS Ogg data 0 string OggS Ogg data -!:mime application/ogg >4 byte !0 UNKNOWN REVISION %u ##>4 byte 0 revision 0 >4 byte 0 @@ -19140,9 +20744,12 @@ # non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) >>28 string \x7fFLAC \b, FLAC audio # non-Vorbis content: Theora +!:mime audio/ogg >>28 string \x80theora \b, Theora video +!:mime video/ogg # non-Vorbis content: Kate ->>28 string \x80kate\0\0\0\0 \b, Kate +>>28 string \x80kate\0\0\0\0 \b, Kate (Karaoke and Text) +!:mime application/ogg >>>37 ubyte x v%u >>>38 ubyte x \b.%u, >>>40 byte 0 utf8 encoding, @@ -19153,25 +20760,29 @@ >>>76 string \0 no category set # non-Vorbis content: Skeleton >>28 string fishead\0 \b, Skeleton ->>>36 short x v%u ->>>40 short x \b.%u +!:mime video/ogg +>>>36 leshort x v%u +>>>40 leshort x \b.%u # non-Vorbis content: Speex >>28 string Speex\ \ \ \b, Speex audio +!:mime audio/ogg # non-Vorbis content: OGM >>28 string \x01video\0\0\0 \b, OGM video +!:mime video/ogg >>>37 string/c div3 (DivX 3) >>>37 string/c divx (DivX 4) >>>37 string/c dx50 (DivX 5) >>>37 string/c xvid (XviD) # --- First vorbis packet - general header --- >>28 string \x01vorbis \b, Vorbis audio, ->>>35 lelong !0 UNKNOWN VERSION %lu, +!:mime audio/ogg +>>>35 lelong !0 UNKNOWN VERSION %u, ##>>>35 lelong 0 version 0, >>>35 lelong 0 >>>>39 ubyte 1 mono, >>>>39 ubyte 2 stereo, >>>>39 ubyte >2 %u channels, ->>>>40 lelong x %lu Hz +>>>>40 lelong x %u Hz # Minimal, nominal and maximal bitrates specified when encoding >>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, # The above tests if at least one of these is specified: @@ -19181,13 +20792,13 @@ # Vorbis 1.0 uses 0 instead of -1. >>>>>>52 lelong !0 >>>>>>>52 lelong !-1000 ->>>>>>>>52 lelong x <%lu +>>>>>>>>52 lelong x <%u >>>>>48 lelong !-1 ->>>>>>48 lelong x ~%lu +>>>>>>48 lelong x ~%u >>>>>44 lelong !-1 >>>>>>44 lelong !-1000 >>>>>>>44 lelong !0 ->>>>>>>>44 lelong x >%lu +>>>>>>>>44 lelong x >%u >>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps # -- Second vorbis header packet - the comments # A kludge to read the vendor string. It's a counted string, not a @@ -19227,7 +20838,7 @@ >>>>>>(84.b+117) string 20040629 (1.1.0 RC1) #------------------------------------------------------------------------------ -# $File: vxl,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File$ # VXL: file(1) magic for VXL binary IO data files # # from Ian Scott @@ -19241,7 +20852,7 @@ >0 leshort >0 schema version no %d #------------------------------------------------------------------------------ -# $File: warc,v 1.3 2010/11/25 15:05:43 christos Exp $ +# $File: warc,v 1.2 2009/09/19 16:28:13 christos Exp $ # warc: file(1) magic for WARC files 0 string WARC/ WARC Archive @@ -19273,7 +20884,7 @@ #0 string =!! Bennet Yee's "face" format #------------------------------------------------------------------------------ -# $File: windows,v 1.6 2013/04/19 20:12:29 christos Exp $ +# $File: windows,v 1.9 2014/09/23 23:42:44 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -19309,7 +20920,7 @@ >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump ->>0x068 lelong x \b, %ld pages +>>0x068 lelong x \b, %d pages >4 string DU64 MS Windows 64bit crash dump >>0xf98 lelong 1 \b, full dump >>0xf98 lelong 2 \b, kernel dump @@ -19432,8 +21043,9 @@ >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013 -# emtpy ,comment , section , unicode line -0 regex/s \\`(\r\n|;|[[]|\xFF\xFE) +# empty ,comment , section +# PR/383: remove unicode BOM because it is not portable across regex impls +0 regex/s \\`(\\r\\n|;|[[]) # left bracket in section line >&0 search/8192 [ # http://en.wikipedia.org/wiki/Autorun.inf @@ -19609,14 +21221,14 @@ #------------------------------------------------------------------------------ -# $File: wireless,v 1.2 2009/09/19 16:28:13 christos Exp $ +# $File$ # wireless-regdb: file(1) magic for CRDA wireless-regdb file format # 0 string RGDB CRDA wireless regulatory database file >4 belong 19 (Version 1) #------------------------------------------------------------------------------ -# $File: wordprocessors,v 1.18 2013/06/03 19:07:29 christos Exp $ +# $File: wordprocessors,v 1.17 2013/02/06 14:18:52 christos Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: @@ -19788,7 +21400,7 @@ 0 ulelong&0x8080FFFF 0x00001204 gfxboot compiled html help file #------------------------------------------------------------------------------ -# $File: wsdl,v 1.3 2013/02/06 14:18:52 christos Exp $ +# $File: wsdl,v 1.2 2013/02/05 15:20:47 christos Exp $ # wsdl: PHP WSDL Cache, http://www.php.net/manual/en/book.soap.php # Cache format extracted from source: # http://svn.php.net/viewvc/php/php-src/trunk/ext/soap/php_sdl.c?revision=HEAD&view=markup @@ -19811,7 +21423,7 @@ >>>>>>&-4 pstring/l x \b, target_ns: "%s" #------------------------------------------------------------------------------ -# $File: xdelta,v 1.5 2011/08/08 09:01:05 christos Exp $ +# $File: xdelta,v 1.4 2009/09/19 16:28:13 christos Exp $ # file(1) magic(5) data for xdelta Josh MacDonald # 0 string %XDELTA% XDelta binary patch file 0.14 @@ -19824,7 +21436,7 @@ 0 string \xD6\xC3\xC4\x00 VCDIFF binary diff #------------------------------------------------------------------------------ -# $File: xenix,v 1.9 2009/09/19 16:28:13 christos Exp $ +# $File$ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small @@ -19930,14 +21542,14 @@ # Then 'e' >>>>>>>>>>>&1 string e # And length of data ->>>>>>>>>>>>&0 belong x - data length 0x%lx +>>>>>>>>>>>>&0 belong x - data length 0x%x # Raw bitstream files 0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) #------------------------------------------------------------------------------ -# $File: xo65,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File$ # xo65 object files # From: "Ullrich von Bassewitz" # @@ -19985,10 +21597,10 @@ # Jaleo XFS files 0 long 395726 Jaleo XFS file ->4 long x - version %ld ->8 long x - [%ld - ->20 long x \b%ldx ->24 long x \b%ldx +>4 long x - version %d +>8 long x - [%d - +>20 long x \b%dx +>24 long x \b%dx >28 long 1008 \bYUV422] >28 long 1000 \bRGB24] @@ -19998,8 +21610,8 @@ # http://cgit.freedesktop.org/xorg/lib/libXcursor/tree/include/X11/Xcursor/Xcursor.h 0 string Xcur Xcursor data !:mime image/x-xcursor ->10 leshort x version %hd ->>8 leshort x \b.%hd +>10 leshort x version %d +>>8 leshort x \b.%d #------------------------------------------------------------------------------ # zfs: file(1) magic for ZFS dumps # @@ -20039,14 +21651,14 @@ # Big-endian values 8 string \000\000\000\002\365\272\313\254 ZFS shapshot (big-endian machine), ->20 belong x version %lu, +>20 belong x version %u, >32 belong 0 type: NONE, >32 belong 1 type: META, >32 belong 2 type: ZFS, >32 belong 3 type: ZVOL, >32 belong 4 type: OTHER, >32 belong 5 type: ANY, ->32 belong >5 type: UNKNOWN (%lu), +>32 belong >5 type: UNKNOWN (%u), >40 byte x destination GUID: %02X >41 byte x %02X >42 byte x %02X @@ -20069,14 +21681,14 @@ # Little-endian values 8 string \254\313\272\365\002\000\000\000 ZFS shapshot (little-endian machine), ->16 lelong x version %lu, +>16 lelong x version %u, >32 lelong 0 type: NONE, >32 lelong 1 type: META, >32 lelong 2 type: ZFS, >32 lelong 3 type: ZVOL, >32 lelong 4 type: OTHER, >32 lelong 5 type: ANY, ->32 lelong >5 type: UNKNOWN (%lu), +>32 lelong >5 type: UNKNOWN (%u), >47 byte x destination GUID: %02X >46 byte x %02X >45 byte x %02X @@ -20098,7 +21710,7 @@ >56 string >\0 name: '%s' #------------------------------------------------------------------------------ -# $File: zilog,v 1.7 2009/09/19 16:28:13 christos Exp $ +# $File$ # zilog: file(1) magic for Zilog Z8000. # # Was it big-endian or little-endian? My Product Specification doesn't @@ -20110,7 +21722,7 @@ 0 long 0xe805 overlay object file (z8000 a.out) #------------------------------------------------------------------------------ -# $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $ +# $File$ # zyxel: file(1) magic for ZyXEL modems # # From -- 2.40.0