From c7efbd714df10c1a03b97f8f55ebd92aeb77f646 Mon Sep 17 00:00:00 2001 From: Christos Zoulas Date: Sat, 5 Aug 2000 17:12:08 +0000 Subject: [PATCH] more magic changes. --- magic/Magdir/alpha | 9 ++ magic/Magdir/animation | 8 ++ magic/Magdir/apple | 103 +++++++++++++++++++ magic/Magdir/blender | 17 ++++ magic/Magdir/commands | 7 ++ magic/Magdir/database | 133 ++++++++++--------------- magic/Magdir/filesystems | 15 ++- magic/Magdir/images | 5 +- magic/Magdir/macintosh | 209 +++++++++++++++++++++++++++++++++------ magic/Magdir/mail.news | 3 + magic/Magdir/msvc | 2 +- magic/Magdir/python | 5 + magic/Magdir/sniffer | 45 +++++++++ magic/Magdir/troff | 2 +- magic/Magdir/vmware | 13 ++- 15 files changed, 456 insertions(+), 120 deletions(-) create mode 100644 magic/Magdir/blender create mode 100644 magic/Magdir/python diff --git a/magic/Magdir/alpha b/magic/Magdir/alpha index 1a8cb147..c0191fb9 100644 --- a/magic/Magdir/alpha +++ b/magic/Magdir/alpha @@ -17,5 +17,14 @@ # Basic recognition of Digital UNIX core dumps - Mike Bremford # +# The actual magic number is just "Core", followed by a 2-byte version +# number; however, treating any file that begins with "Core" as a Digital +# UNIX core dump file may produce too many false hits, so we include one +# byte of the version number as well; DU 5.0 appears only to be up to +# version 2. +# 0 string Core\001 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' +0 string Core\002 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' + diff --git a/magic/Magdir/animation b/magic/Magdir/animation index 5e1ce76f..de0bf518 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation 
@@ -11,8 +11,16 @@ #>4 beshort&0xfff0 x (%d x #>5 beshort&0x0fff x %d) 0 belong 0x000001ba MPEG system stream data + # MPEG Audio (*.mpx) # from dreesen@math.fu-berlin.de + +# XXX +# This conflicts with the FF FE signature for UTF-16-encoded Unicode +# text, which will be identified as an MP3 file. I don't have any MP3s +# so I don't know how to (or even if it's possible to) change this to +# tell the two apart. enf@pobox.com + 0 beshort &0xfff0 MP # MPEG 1.0 >1 byte&0x08 =0x08 \b diff --git a/magic/Magdir/apple b/magic/Magdir/apple index 20231293..82ee9944 100644 --- a/magic/Magdir/apple +++ b/magic/Magdir/apple 
@@ -10,3 +10,106 @@ 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file +# magic for Newton PDA package formats +# from Ruda Moura +0 string package Newton package, +>7 byte 48 NOS 1.x, +>7 byte 49 NOS 2.x, +>12 belong &0x80000000 AutoRemove, +>12 belong &0x40000000 CopyProtect, +>12 belong &0x10000000 NoCompression, +>12 belong &0x04000000 Relocation, +>12 belong &0x02000000 UseFasterCompression, +>16 belong x version %d + +# The following entries for the Apple II are for files that have +# been transferred as raw binary data from an Apple, without having +# been encapsulated by any of the above archivers. +# +# In general, Apple II formats are hard to identify because Apple DOS +# and especially Apple ProDOS have strong typing in the file system and +# therefore programmers never felt much need to include type information +# in the files themselves. +# +# Eric Fischer + +# AppleWorks word processor: +# +# This matches the standard tab stops for an AppleWorks file, but if +# a file has a tab stop set in the first four columns this will fail. +# +# The "O" is really the magic number, but that's so common that it's +# necessary to check the tab stops that follow it to avoid false positives. + +4 string O==== AppleWorks word processor data +>85 byte&0x01 >0 \b, zoomed +>90 byte&0x01 >0 \b, paginated +>92 byte&0x01 >0 \b, with mail merge +#>91 byte x \b, left margin %d + +# AppleWorks database: +# +# This isn't really a magic number, but it's the closest thing to one +# that I could find. The 1 and 2 really mean "order in which you defined +# categories" and "left to right, top to bottom," respectively; the D and R +# mean that the cursor should move either down or right when you press Return. 
+ +30 string \x01D AppleWorks database data +30 string \x02D AppleWorks database data +30 string \x01R AppleWorks database data +30 string \x02R AppleWorks database data + +# AppleWorks spreadsheet: +# +# Likewise, this isn't really meant as a magic number. The R or C means +# row- or column-order recalculation; the A or M means automatic or manual +# recalculation. + +131 string RA AppleWorks spreadsheet data +131 string RM AppleWorks spreadsheet data +131 string CA AppleWorks spreadsheet data +131 string CM AppleWorks spreadsheet data + +# Applesoft BASIC: +# +# This is incredibly sloppy, but will be true if the program was +# written at its usual memory location of 2048 and its first line +# number is less than 256. Yuck. + +0 belong&0xff00ff 0x80000 Applesoft BASIC program data +#>2 leshort x \b, first line number %d + +# ORCA/EZ assembler: +# +# This will not identify ORCA/M source files, since those have +# some sort of date code instead of the two zero bytes at 6 and 7 + +4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data +>5 byte x \b, build number %d + +# Broderbund Fantavision +# +# I don't know what these values really mean, but they seem to recur. +# Will they cause too many conflicts? + +2 belong&0xFF00FF 0x040008 Fantavision movie data + +# Some attempts at images. +# +# These are actually just bit-for-bit dumps of the frame buffer, so +# there's really no reasonably way to distinguish them except for their +# address (if preserved) -- 8192 or 16384 -- and their length -- 8192 +# or, occasionally, 8184. +# +# Nevertheless this will manage to catch a lot of images that happen +# to have a solid-colored line at the bottom of the screen. 
+ +8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background +8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background +8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background +8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background +8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background + +# Beagle Bros. Apple Mechanic fonts + +0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font diff --git a/magic/Magdir/blender b/magic/Magdir/blender new file mode 100644 index 00000000..01d4e54f --- /dev/null +++ b/magic/Magdir/blender @@ -0,0 +1,17 @@ +#------------------------------------------------------------------------------ +# blender: file(1) magic for Blender 3D data files +# +# Coded by Guillermo S. Romero using the +# data from Ton Roosendaal . Ton or his company do not +# support the rule, so mail GSR if problems with it. Rule version: 1.1. +# You can get latest version with comments and details about the format +# at http://acd.asoc.euitt.upm.es/~gsromero/3d/blender/magic.blender + +0 string =BLENDER Blender3D, +>7 string =_ saved as 32-bits +>7 string =- saved as 64-bits +>8 string =v little endian +>8 string =V big endian +>9 byte x with version %c. +>10 byte x \b%c +>11 byte x \b%c diff --git a/magic/Magdir/commands b/magic/Magdir/commands index f7aeda45..16308aa6 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands @@ -44,6 +44,13 @@ 0 string/b #!\ /bin/bash Bourne-Again shell script text executable 0 string/b #!\ /usr/local/bin/bash Bourne-Again shell script text executable +# using env +0 string #!/usr/bin/env a +>15 string >\0 %s script text executable +0 string #!\ /usr/bin/env a +>16 string >\0 %s script text executable + + # generic shell magic 0 string #!\ / a >3 string >\0 %s script text executable diff --git a/magic/Magdir/database b/magic/Magdir/database index 071576c4..60058a61 100644 --- a/magic/Magdir/database 
+++ b/magic/Magdir/database 
@@ -12,84 +12,59 @@ 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian 0 string GDBM GNU dbm 2.x database # -0 belong 0x061561 Berkeley DB ->4 belong >2 1.86 ->4 belong <3 1.85 ->8 belong 4321 Hash/Big Endian ->8 belong 1234 Hash/Little Endian ->4 belong >0 (Version %d, ->12 belong x Bucket Size %d, ->16 belong x Bucket Shift %d, ->20 belong x Directory Size %d, ->24 belong x Segment Size %d, ->28 belong x Segment Shift %d, ->32 belong x Overflow Point %d, ->36 belong x Last Freed %d, ->40 belong x Max Bucket %d, ->44 belong x High Mask 0x%x, ->48 belong x Low Mask 0x%x, ->52 belong x Fill Factor %d, ->56 belong x Number of Keys %d) +# Berkeley DB # +# Ian Darwin's file /etc/magic files: big/little-endian version. # -0 belong 0x053162 Berkeley DB 1.85/1.86 Btree/Big Endian ->4 belong >0 (Version %d, ->8 belong x Page Size %d, ->12 belong x Free Page %d, ->16 belong x Number of Records %d, ->20 belong x Flags 0x%x) -0 lelong 0x053162 Berkeley DB 1.85/1.86 Btree/Little Endian ->4 lelong >0 (Version %d, ->8 lelong x Page Size %d, ->12 lelong x Free Page %d, ->16 lelong x Number of Records %d, ->20 lelong x Flags 0x%x) -# -# -12 belong 0x061561 Berkeley DB 2.X Hash/Big Endian ->16 belong >0 (Version %d, ->0 belong x Logical sequence number: file - %d, ->4 belong x offset - %d, ->20 belong x Bucket Size %d, ->24 belong x Overflow Point %d, ->28 belong x Last Freed %d, ->32 belong x Max Bucket %d, ->36 belong x High Mask 0x%x, ->40 belong x Low Mask 0x%x, ->44 belong x Fill Factor %d, ->48 belong x Number of Keys %d) -# -# DB2.X formats from Khimenko Victor -# -12 lelong 0x061561 Berkeley DB 2.X Hash/Little Endian ->16 lelong >0 (Version %d, ->0 lelong x Logical sequence number: file - %d, ->4 lelong x offset - %d, ->20 lelong x Bucket Size %d, ->24 lelong x Overflow Point %d, ->28 lelong x Last Freed %d, ->32 lelong x Max Bucket %d, ->36 lelong x High Mask 0x%x, ->40 lelong x Low Mask 0x%x, ->44 lelong x Fill Factor %d, ->48 lelong x Number of Keys %d) -# 
-# -12 belong 0x053162 Berkeley DB 2.X Btree/Big Endian ->16 belong >0 (Version %d, ->0 belong x Logical sequence number: file - %d, ->4 belong x offset - %d, ->20 belong x Page Size %d, ->24 belong x Maxkey %d, ->28 belong x Minkey %d, ->32 belong x Free Page %d) -# -# -12 lelong 0x053162 Berkeley DB 2.X Btree/Little Endian ->16 lelong >0 (Version %d, ->0 lelong x Logical sequence number: file - %d, ->4 lelong x offset - %d, ->20 lelong x Page Size %d, ->24 lelong x Maxkey %d, ->28 lelong x Minkey %d, ->32 lelong x Free Page %d) +# Hash 1.85/1.86 databases store metadata in network byte order. +# Btree 1.85/1.86 databases store the metadata in host byte order. +# Hash and Btree 2.X and later databases store the metadata in host byte order. + +0 long 0x00061561 Berkeley DB +>8 belong 4321 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, native byte-order) +>8 belong 1234 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, little-endian) + +0 belong 0x00061561 Berkeley DB +>8 belong 4321 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, big-endian) +>8 belong 1234 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, native byte-order) + +0 long 0x00053162 Berkeley DB 1.85/1.86 +>4 long >0 (Btree, version %d, native byte-order) +0 belong 0x00053162 Berkeley DB 1.85/1.86 +>4 belong >0 (Btree, version %d, big-endian) +0 lelong 0x00053162 Berkeley DB 1.85/1.86 +>4 lelong >0 (Btree, version %d, little-endian) + +12 long 0x00061561 Berkeley DB +>16 long >0 (Hash, version %d, native byte-order) +12 belong 0x00061561 Berkeley DB +>16 belong >0 (Hash, version %d, big-endian) +12 lelong 0x00061561 Berkeley DB +>16 lelong >0 (Hash, version %d, little-endian) + +12 long 0x00053162 Berkeley DB +>16 long >0 (Btree, version %d, native byte-order) +12 belong 0x00053162 Berkeley DB +>16 belong >0 (Btree, version %d, big-endian) +12 lelong 0x00053162 Berkeley DB +>16 lelong >0 (Btree, version 
%d, little-endian) + +12 long 0x00042253 Berkeley DB +>16 long >0 (Queue, version %d, native byte-order) +12 belong 0x00042253 Berkeley DB +>16 belong >0 (Queue, version %d, big-endian) +12 lelong 0x00042253 Berkeley DB +>16 lelong >0 (Queue, version %d, little-endian) + diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index c6f6b40b..80b5ea3c 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -2,7 +2,6 @@ #------------------------------------------------------------------------------ # filesystems: file(1) magic for different filesystems # -0x438 leshort 0xEF53 Linux/i386 ext2 filesystem 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: @@ -76,3 +75,17 @@ >8256 lelong x disk rotational speed %drps, >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization + +# ext2/ext3 filesystems - Andreas Dilger +0x438 leshort 0xEF53 Linux +>0x44c lelong x rev %d +>0x43e leshort x \b.%d +>0x45c lelong ^0x0000004 ext2 filesystem data +>>0x43a leshort ^0x0000001 (mounted or unclean) +>0x45c lelong &0x0000004 ext3 filesystem data +>>0x460 lelong &0x0000004 (needs journal recovery) +>0x43a leshort &0x0000002 (errors) +>0x460 lelong &0x0000001 (compressed) +#>0x460 lelong &0x0000002 (filetype) +#>0x464 lelong &0x0000001 (sparse_super) +>0x464 lelong &0x0000002 (large files) diff --git a/magic/Magdir/images b/magic/Magdir/images index eb7a2b03..7b5e6cb7 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -255,7 +255,10 @@ 0 beshort 0x1010 PEX Binary Archive # Visio drawings -03000 string Visio\ (TM)\ Drawing %s +03000 string Visio\ (TM)\ Drawing %s # Tgif files 0 string \%TGIF\ x Tgif file version %s + +# DICOM medical imaging data +128 string DICM DICOM medical imaging data diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh index 81f8117b..841deb23 100644 --- a/magic/Magdir/macintosh +++ b/magic/Magdir/macintosh 
@@ -11,69 +11,214 @@ # files obtained from most archives. (franklsm@tuns.ca) 0 string SIT! StuffIt Archive (data) >2 string x : %s -65 string SIT! StuffIt Archive (rsrc + data) ->2 string x : %s 0 string SITD StuffIt Deluxe (data) >2 string x : %s -65 string SITD StuffIt Deluxe (rsrc + data) ->2 string x : %s 0 string Seg StuffIt Deluxe Segment (data) >2 string x : %s -65 string Seg StuffIt Deluxe Segment (rsrc + data) ->2 string x : %s # Macintosh Applications and Installation binaries (franklsm@tuns.ca) 0 string APPL Macintosh Application (data) ->2 string x : %s -65 string APPL Macintosh Application (rsrc + data) ->2 string x : %s +>2 string x \b: %s # Macintosh System files (franklsm@tuns.ca) 0 string zsys Macintosh System File (data) -65 string zsys Macintosh System File(rsrc + data) 0 string FNDR Macintosh Finder (data) -65 string FNDR Macintosh Finder(rsrc + data) 0 string libr Macintosh Library (data) >2 string x : %s -65 string libr Macintosh Library(rsrc + data) ->2 string x : %s 0 string shlb Macintosh Shared Library (data) >2 string x : %s -65 string shlb Macintosh Shared Library(rsrc + data) ->2 string x : %s 0 string cdev Macintosh Control Panel (data) >2 string x : %s -65 string cdev Macintosh Control Panel(rsrc + data) ->2 string x : %s 0 string INIT Macintosh Extension (data) >2 string x : %s -65 string INIT Macintosh Extension(rsrc + data) ->2 string x : %s 0 string FFIL Macintosh Truetype Font (data) >2 string x : %s -65 string FFIL Macintosh Truetype Font(rsrc + data) ->2 string x : %s 0 string LWFN Macintosh Postscript Font (data) >2 string x : %s -65 string LWFN Macintosh Postscript Font(rsrc + data) ->2 string x : %s # Additional Macintosh Files (franklsm@tuns.ca) - 0 string PACT Macintosh Compact Pro Archive (data) >2 string x : %s -65 string PACT Macintosh Compact Pro Archive(rsrc + data) ->2 string x : %s 0 string ttro Macintosh TeachText File (data) >2 string x : %s -65 string ttro Macintosh TeachText File(rsrc + data) ->2 string x : %s 0 
string TEXT Macintosh TeachText File (data) >2 string x : %s -65 string TEXT Macintosh TeachText File(rsrc + data) ->2 string x : %s 0 string PDF Macintosh PDF File (data) >2 string x : %s -65 string PDF Macintosh PDF File(rsrc + data) ->2 string x : %s +# MacBinary format (Eric Fischer, enf@pobox.com) +# +# Unfortunately MacBinary doesn't really have a magic number prior +# to the MacBinary III format. The checksum is really the way to +# do it, but the magic file format isn't up to the challenge. +# +# 0 byte 0 +# 1 byte # filename length +# 2 string # filename +# 65 string # file type +# 69 string # file creator +# 73 byte # Finder flags +# 74 byte 0 +# 75 beshort # vertical posn in window +# 77 beshort # horiz posn in window +# 79 beshort # window or folder ID +# 81 byte # protected? +# 82 byte 0 +# 83 belong # length of data segment +# 87 belong # length of resource segment +# 91 belong # file creation date +# 95 belong # file modification date +# 99 beshort # length of comment after resource +# 101 byte # new Finder flags +# 102 string mBIN # (only in MacBinary III) +# 106 byte # char. code of file name +# 107 byte # still more Finder flags +# 116 belong # total file length +# 120 beshort # length of add'l header +# 122 byte 129 # for MacBinary II +# 122 byte 130 # for MacBinary III +# 123 byte 129 # minimum version that can read fmt +# 124 beshort # checksum +# +# This attempts to use the version numbers as a magic number, requiring +# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second +# be 0x81. This works for the files I have, but maybe not for everyone's. + +122 beshort&0xFCFF 0x8081 Macintosh MacBinary data + +# MacBinary I doesn't have the version number field at all, but MacBinary II +# has been in use since 1987 so I hope there aren't many really old files +# floating around that this will miss. The original spec calls for using +# the nulls in 0, 74, and 82 as the magic number. 
+# +# Another possibility, that would also work for MacBinary I, is to use +# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will +# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, +# and that 74 will be 0. So something like +# +# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data +# +# >73 byte&0x01 0x01 \b, inited +# >73 byte&0x02 0x02 \b, changed +# >73 byte&0x04 0x04 \b, busy +# >73 byte&0x08 0x08 \b, bozo +# >73 byte&0x10 0x10 \b, system +# >73 byte&0x10 0x20 \b, bundle +# >73 byte&0x10 0x40 \b, invisible +# >73 byte&0x10 0x80 \b, locked + +>65 string x \b, type "%4.4s" + +>65 string 8BIM (PhotoShop) +>65 string ALB3 (PageMaker 3) +>65 string ALB4 (PageMaker 4) +>65 string ALT3 (PageMaker 3) +>65 string APPL (application) +>65 string AWWP (AppleWorks word processor) +>65 string CIRC (simulated circuit) +>65 string DRWG (MacDraw) +>65 string EPSF (Encapsulated PostScript) +>65 string FFIL (font suitcase) +>65 string FKEY (function key) +>65 string FNDR (Macintosh Finder) +>65 string GIFf (GIF image) +>65 string Gzip (GNU gzip) +>65 string INIT (system extension) +>65 string LIB\ (library) +>65 string LWFN (PostScript font) +>65 string MSBC (Microsoft BASIC) +>65 string PACT (Compact Pro archive) +>65 string PDF\ (Portable Document Format) +>65 string PICT (picture) +>65 string PNTG (MacPaint picture) +>65 string PREF (preferences) +>65 string PROJ (Think C project) +>65 string QPRJ (Think Pascal project) +>65 string SCFL (Defender scores) +>65 string SCRN (startup screen) +>65 string SITD (StuffIt Deluxe) +>65 string SPn3 (SuperPaint) +>65 string STAK (HyperCard stack) +>65 string Seg\ (StuffIt segment) +>65 string TARF (Unix tar archive) +>65 string TEXT (ASCII) +>65 string TIFF (TIFF image) +>65 string TOVF (Eudora table of contents) +>65 string WDBN (Microsoft Word word processor) +>65 string WORD (MacWrite word processor) +>65 string XLS\ (Microsoft Excel) +>65 string ZIVM (compress (.Z)) +>65 string ZSYS 
(Pre-System 7 system file) +>65 string acf3 (Aldus FreeHand) +>65 string cdev (control panel) +>65 string dfil (Desk Acessory suitcase) +>65 string libr (library) +>65 string nX^d (WriteNow word processor) +>65 string nX^w (WriteNow dictionary) +>65 string rsrc (resource) +>65 string scbk (Scrapbook) +>65 string shlb (shared library) +>65 string ttro (SimpleText read-only) +>65 string zsys (system file) + +>69 string x \b, creator "%4.4s" + +# Somewhere, Apple has a repository of registered Creator IDs. These are +# just the ones that I happened to have files from and was able to identify. + +>69 string 8BIM (Adobe Photoshop) +>69 string ALD3 (PageMaker 3) +>69 string ALD4 (PageMaker 4) +>69 string ALFA (Alpha editor) +>69 string APLS (Apple Scanner) +>69 string APSC (Apple Scanner) +>69 string BRKL (Brickles) +>69 string BTFT (BitFont) +>69 string CCL2 (Common Lisp 2) +>69 string CCL\ (Common Lisp) +>69 string CDmo (The Talking Moose) +>69 string CPCT (Compact Pro) +>69 string CSOm (Eudora) +>69 string DMOV (Font/DA Mover) +>69 string DSIM (DigSim) +>69 string EDIT (Macintosh Edit) +>69 string ERIK (Macintosh Finder) +>69 string EXTR (self-extracting archive) +>69 string Gzip (GNU gzip) +>69 string KAHL (Think C) +>69 string LWFU (LaserWriter Utility) +>69 string LZIV (compress) +>69 string MACA (MacWrite) +>69 string MACS (Macintosh operating system) +>69 string MAcK (MacKnowledge terminal emulator) +>69 string MLND (Defender) +>69 string MPNT (MacPaint) +>69 string MSBB (Microsoft BASIC (binary)) +>69 string MSWD (Microsoft Word) +>69 string NCSA (NCSA Telnet) +>69 string PJMM (Think Pascal) +>69 string PSAL (Hunt the Wumpus) +>69 string PSI2 (Apple File Exchange) +>69 string R*ch (BBEdit) +>69 string RMKR (Resource Maker) +>69 string RSED (Resource Editor) +>69 string Rich (BBEdit) +>69 string SIT! (StuffIt) +>69 string SPNT (SuperPaint) +>69 string Unix (NeXT Mac filesystem) +>69 string VIM! 
(Vim editor) +>69 string WILD (HyperCard) +>69 string XCEL (Microsoft Excel) +>69 string aCa2 (Fontographer) +>69 string aca3 (Aldus FreeHand) +>69 string dosa (Macintosh MS-DOS file system) +>69 string movr (Font/DA Mover) +>69 string nX^n (WriteNow) +>69 string pdos (Apple ProDOS file system) +>69 string scbk (Scrapbook) +>69 string ttxt (SimpleText) +>69 string ufox (Foreign File Access) + +# Just in case... + +102 string mBIN MacBinary III data with surprising version number diff --git a/magic/Magdir/mail.news b/magic/Magdir/mail.news index 6577ea62..9713d29b 100644 --- a/magic/Magdir/mail.news +++ b/magic/Magdir/mail.news @@ -19,3 +19,6 @@ 0 string Received: RFC 822 mail text 0 string MIME-Version: MIME entity text #0 string Content- MIME entity text + +# TNEF files... +0 lelong 0x223E9F78 Transport Neutral Encapsulation Format diff --git a/magic/Magdir/msvc b/magic/Magdir/msvc index fc91cb9c..95853fec 100644 --- a/magic/Magdir/msvc +++ b/magic/Magdir/msvc @@ -24,7 +24,7 @@ 0 string \360\175\000\000 Microsoft Visual C library #.pch -0 string DTJPCH0\000\022\103\006\200 Microsoft visula C .pch +0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch # .pdb # too long 0 string Microsoft\ C/C++\ program\ database\ diff --git a/magic/Magdir/python b/magic/Magdir/python new file mode 100644 index 00000000..2e7bbe75 --- /dev/null +++ b/magic/Magdir/python @@ -0,0 +1,5 @@ +# often the module starts with a multiline string +0 string """ a python script text executable +# MAGIC as specified in Python/import.c (1.5.2/1.6) +# 20121 ( YEAR - 1995 ) + MONTH + DAY (little endian followed by "\r\n" +0 belong 0x994e0d0a python compiled diff --git a/magic/Magdir/sniffer b/magic/Magdir/sniffer index 7188cd23..81cb3130 100644 --- a/magic/Magdir/sniffer +++ b/magic/Magdir/sniffer 
@@ -104,6 +104,51 @@ >20 lelong 14 (BSD/OS PPP >16 lelong x \b, capture length %d) +# +# "libpcap"-with-Alexey-Kuznetsov's-patches capture files. +# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is +# the main program that uses that format, but there are other programs +# that use "libpcap", or that use the same capture file format.) +# +0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian) +>4 beshort x - version %d +>6 beshort x \b.%d +>20 belong 0 (No link-layer encapsulation +>20 belong 1 (Ethernet +>20 belong 2 (3Mb Ethernet +>20 belong 3 (AX.25 +>20 belong 4 (ProNET +>20 belong 5 (CHAOS +>20 belong 6 (IEEE 802.x network +>20 belong 7 (ARCNET +>20 belong 8 (SLIP +>20 belong 9 (PPP +>20 belong 10 (FDDI +>20 belong 11 (RFC 1483 ATM +>20 belong 12 (raw IP +>20 belong 13 (BSD/OS SLIP +>20 belong 14 (BSD/OS PPP +>16 belong x \b, capture length %d) +0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian) +>4 leshort x - version %d +>6 leshort x \b.%d +>20 lelong 0 (No link-layer encapsulation +>20 lelong 1 (Ethernet +>20 lelong 2 (3Mb Ethernet +>20 lelong 3 (AX.25 +>20 lelong 4 (ProNET +>20 lelong 5 (CHAOS +>20 lelong 6 (IEEE 802.x network +>20 lelong 7 (ARCNET +>20 lelong 8 (SLIP +>20 lelong 9 (PPP +>20 lelong 10 (FDDI +>20 lelong 11 (RFC 1483 ATM +>20 lelong 12 (raw IP +>20 lelong 13 (BSD/OS SLIP +>20 lelong 14 (BSD/OS PPP +>16 lelong x \b, capture length %d) + # # AIX "iptrace" capture files. # diff --git a/magic/Magdir/troff b/magic/Magdir/troff index ea75e851..ec964e8e 100644 --- a/magic/Magdir/troff +++ b/magic/Magdir/troff @@ -11,7 +11,7 @@ 0 string \\" troff or preprocessor input text # ditroff intermediate output text -0 string x\ T ditroff text +0 string x\ T ditroff output text >4 string cat for the C/A/T phototypesetter >4 string ps for PostScript >4 string dvi for DVI diff --git a/magic/Magdir/vmware b/magic/Magdir/vmware index 22291a63..857a4a94 100644 --- a/magic/Magdir/vmware +++ b/magic/Magdir/vmware 
@@ -2,8 +2,11 @@ # ----------------------------------------------------------- # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) -0 belong 0x4d52564e VMware nvram -0 belong 0x434f5744 VMware virtual disk ->32 lelong x (%d/ ->36 lelong x \b%d/ ->40 lelong x \b%d) +0 belong 0x4d52564e VMware nvram +0 belong 0x434f5744 +>8 byte 3 VMware virtual disk +>>32 lelong x (%d/ +>>36 lelong x \b%d/ +>>40 lelong x \b%d) +>8 byte 2 VMware undoable disk +>>32 string >\0 (%s) -- 2.50.1
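
Review bot: In magic/Magdir/apple, the Newton entry's top-level test is only the 7-byte string "package" (`0 string package Newton package,`), so any text file that begins with that word, for example source code opening with a package declaration, is reported as a Newton package with a meaningless `version %d`. The byte at offset 7 is already checked for 48 and 49 on the next two lines; folding it into the top-level string as two entries, `package0` and `package1`, would keep the same output for real packages and stop the match on plain text.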
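
Review bot: In magic/Magdir/commands, the two new env entries read the interpreter name from a fixed offset (`>15` for `#!/usr/bin/env`, `>16` for `#! /usr/bin/env`), which assumes exactly one space between `env` and the interpreter. With two spaces or a tab, `%s` starts on whitespace and the description comes out wrong. A short comment stating the assumption would help, since the offsets are otherwise unexplained.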
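
Review bot: In magic/Magdir/database, every Berkeley DB group lists a `long` test ahead of the `belong`/`lelong` tests for the same magic value, so the same file is described as "native byte-order" on one host and as "big-endian" or "little-endian" on another. Anything that compares or parses file(1) output across machines will see different strings for identical input. If that is intended, the new comment block should say so; otherwise dropping the `long` entries and keeping the explicit `belong`/`lelong` pair gives host-independent output. The hunk also removes all of the detail fields (bucket size, page size, number of keys and so on) without the commit message mentioning it.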
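
Review bot: In magic/Magdir/filesystems, the state test `>>0x43a leshort ^0x0000001 (mounted or unclean)` is nested under the ext2 branch only, while `>0x43a leshort &0x0000002 (errors)` sits at the first level and applies to both ext2 and ext3. If the asymmetry is deliberate (ext3 relying on the journal recovery flag instead), a one-line comment would make that clear; if not, the test belongs at the first level. The masks are also written with seven hex digits (`0x0000004`, `0x0000001`), which reads like a dropped digit; `0x00000004` or plain `0x4` would be clearer, especially on the 16-bit `leshort` tests.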
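
Review bot: In magic/Magdir/macintosh, the commented-out Finder flag lines for bundle, invisible and locked all reuse the mask from the system line (`>73 byte&0x10 0x20`, `>73 byte&0x10 0x40`, `>73 byte&0x10 0x80`), so the masked value can only be 0 or 0x10 and those three tests can never match if the block is ever enabled. Each mask should equal the value it is compared with (0x20, 0x40, 0x80). Separately, the `>65 string dfil` description has a typo, "Desk Acessory suitcase", and the removal of every `65 string ... (rsrc + data)` entry means files without the version bytes at offset 122 lose their type-based identification, which the added comment acknowledges but the commit message does not.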
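
Review bot: In the new magic/Magdir/python, the first rule (`0 string """ a python script text executable`) classifies any file whose first three bytes are double quotes as a Python script, which is a very weak signal for a top-level test and will label unrelated text as executable. Consider dropping it or requiring a second check. On the compiled rule, the comment names two releases (1.5.2/1.6) but `0 belong 0x994e0d0a` tests a single value (20121 little-endian followed by CR LF), so if those releases differ in MAGIC only one is recognised; the comment line itself has an unclosed parenthesis and its YEAR/MONTH/DAY formula does not obviously produce 20121. The file also lacks the header banner that the other new file, magic/Magdir/blender, carries.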
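
Review bot: In magic/Magdir/sniffer, the opening parenthesis of the description is printed only by the `>20` link-type lines for values 0 through 14, while the closing one always comes from `>16 ... \b, capture length %d)`. A capture with any other link type therefore prints an unbalanced ")" and no link-type text at all. The same holds for the little-endian block. Printing the "(" from a line that always matches, or adding a catch-all line for unlisted link types, would fix both blocks; since the 15-line list is a copy of the existing one shown in the context lines, the existing entries have the same problem.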
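
Review bot: In magic/Magdir/vmware, the top-level test `0 belong 0x434f5744` no longer carries a description, and only the values 3 and 2 of the byte at offset 8 print one. A file with the same magic and any other value at offset 8 matches the entry but produces no text, where it was previously reported as a VMware virtual disk. Keeping a generic description on the top-level line (for example "VMware" there, with "virtual disk" and "undoable disk" on the `>8` lines) would preserve identification for unknown values.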