From cbc554c4b64b3daa13a93638650f1ee9c0c7af97 Mon Sep 17 00:00:00 2001 From: Christos Zoulas Date: Fri, 17 Mar 2017 21:35:28 +0000 Subject: [PATCH] remove trailing whitespace --- magic/Magdir/adventure | 6 +- magic/Magdir/amanda | 4 +- magic/Magdir/amigaos | 6 +- magic/Magdir/android | 12 +- magic/Magdir/animation | 16 +- magic/Magdir/apple | 56 +-- magic/Magdir/archive | 108 ++--- magic/Magdir/att3b | 4 +- magic/Magdir/audio | 18 +- magic/Magdir/blackberry | 4 +- magic/Magdir/blender | 6 +- magic/Magdir/c-lang | 4 +- magic/Magdir/cad | 58 +-- magic/Magdir/cafebabe | 8 +- magic/Magdir/clipper | 8 +- magic/Magdir/coff | 12 +- magic/Magdir/compress | 4 +- magic/Magdir/console | 10 +- magic/Magdir/cups | 6 +- magic/Magdir/database | 204 ++++----- magic/Magdir/der | 16 +- magic/Magdir/diff | 6 +- magic/Magdir/dolby | 4 +- magic/Magdir/dump | 14 +- magic/Magdir/dyadic | 6 +- magic/Magdir/editors | 6 +- magic/Magdir/filesystems | 816 ++++++++++++++++++------------------ magic/Magdir/fonts | 34 +- magic/Magdir/fsav | 24 +- magic/Magdir/games | 6 +- magic/Magdir/geo | 4 +- magic/Magdir/gnu | 4 +- magic/Magdir/gpt | 14 +- magic/Magdir/gringotts | 10 +- magic/Magdir/hitachi-sh | 18 +- magic/Magdir/ibm370 | 10 +- magic/Magdir/ibm6000 | 4 +- magic/Magdir/icc | 28 +- magic/Magdir/images | 104 ++--- magic/Magdir/intel | 6 +- magic/Magdir/isz | 4 +- magic/Magdir/jpeg | 10 +- magic/Magdir/kerberos | 4 +- magic/Magdir/kml | 6 +- magic/Magdir/linux | 14 +- magic/Magdir/lisp | 16 +- magic/Magdir/macintosh | 20 +- magic/Magdir/maple | 6 +- magic/Magdir/marc21 | 4 +- magic/Magdir/mathematica | 6 +- magic/Magdir/metastore | 4 +- magic/Magdir/meteorological | 4 +- magic/Magdir/microfocus | 4 +- magic/Magdir/mime | 4 +- magic/Magdir/misctools | 6 +- magic/Magdir/modem | 26 +- magic/Magdir/mozilla | 4 +- magic/Magdir/msdos | 176 ++++---- magic/Magdir/msvc | 12 +- magic/Magdir/msx | 6 +- magic/Magdir/mup | 14 +- magic/Magdir/nasa | 2 +- magic/Magdir/netbsd | 22 +- magic/Magdir/netscape | 6 +- magic/Magdir/nitpicker | 4 +- magic/Magdir/os2 | 8 +- magic/Magdir/os9 | 4 +- magic/Magdir/pc88 | 2 +- magic/Magdir/pc98 | 2 +- magic/Magdir/pdp | 6 +- magic/Magdir/pgf | 4 +- magic/Magdir/pgp | 20 +- magic/Magdir/printer | 22 +- magic/Magdir/project | 4 +- magic/Magdir/psdbms | 4 +- magic/Magdir/riff | 12 +- magic/Magdir/sccs | 4 +- magic/Magdir/scientific | 6 +- magic/Magdir/sendmail | 10 +- magic/Magdir/sequent | 6 +- magic/Magdir/sharc | 4 +- magic/Magdir/sketch | 4 +- magic/Magdir/sql | 8 +- magic/Magdir/sysex | 4 +- magic/Magdir/terminfo | 10 +- magic/Magdir/vms | 4 +- magic/Magdir/vmware | 4 +- magic/Magdir/vorbis | 10 +- magic/Magdir/windows | 156 +++---- magic/Magdir/xenix | 14 +- magic/Magdir/xilinx | 10 +- magic/Magdir/xwindows | 4 +- 92 files changed, 1209 insertions(+), 1209 deletions(-) diff --git a/magic/Magdir/adventure b/magic/Magdir/adventure index 94835e11..120e3d8c 100644 --- a/magic/Magdir/adventure +++ b/magic/Magdir/adventure @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: adventure,v 1.15 2015/09/07 10:03:21 christos Exp $ +# $File: adventure,v 1.16 2017/03/17 21:35:28 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin @@ -78,7 +78,7 @@ !:mime application/x-tads # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), -# "TADS2 save\n\r\032\0" and the interpreter version. +# "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 @@ -109,7 +109,7 @@ # edited by David Griffith # Danny Milosavljevic # These are ADRIFT (adventure game standard) game files, extension .taf -# Checked from source at (http://www.adrift.co/) and various taf files +# Checked from source at (http://www.adrift.co/) and various taf files # found at the Interactive Fiction Archive (http://ifarchive.org/) 0 belong 0x3C423FC9 >4 belong 0x6A87C2CF Adrift game file version diff --git a/magic/Magdir/amanda b/magic/Magdir/amanda index 395ef545..e7fa5390 100644 --- a/magic/Magdir/amanda +++ b/magic/Magdir/amanda @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $ +# $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $ # amanda: file(1) magic for amanda file format # -0 string AMANDA:\ AMANDA +0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s diff --git a/magic/Magdir/amigaos b/magic/Magdir/amigaos index 8fdf3766..d9330bd1 100644 --- a/magic/Magdir/amigaos +++ b/magic/Magdir/amigaos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: amigaos,v 1.15 2012/06/21 01:13:59 christos Exp $ +# $File: amigaos,v 1.16 2017/03/17 21:35:28 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -11,7 +11,7 @@ 0 belong 0x000003e7 AmigaOS object/library data # 0 beshort 0xe310 Amiga Workbench ->2 beshort 1 +>2 beshort 1 >>48 byte 1 disk icon >>48 byte 2 drawer icon >>48 byte 3 tool icon @@ -49,7 +49,7 @@ 0 string/c @database AmigaGuide file # Amiga disk types -# +# 0 string RDSK Rigid Disk Block >160 string x on %.24s 0 string DOS\0 Amiga DOS disk diff --git a/magic/Magdir/android b/magic/Magdir/android index f1340d53..dca5c334 100644 --- a/magic/Magdir/android +++ b/magic/Magdir/android @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.9 2016/01/11 21:19:18 christos Exp $ +# $File: android,v 1.10 2017/03/17 21:35:28 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -61,9 +61,9 @@ # http://forum.xda-developers.com/showthread.php?t=816449 # Partition Information Table for Samsung's smartphone with Android # used by flash software Odin -0 ulelong 0x12349876 +0 ulelong 0x12349876 # 1st pit entry marker ->0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # minimal 13 and maximal 18 PIT entries found >>4 ulelong <128 Partition Information Table for Samsung smartphone >>>4 ulelong x \b, %d entries @@ -109,9 +109,9 @@ 0 name PIT-entry # garbage value implies end of pit entries ->0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # skip empty partition name ->>0x24 ubyte !0 +>>0x24 ubyte !0 # partition name >>>0x24 string >\0 %-.32s # flags @@ -122,7 +122,7 @@ >>>0x08 ulelong x (0x%x) # filename >>>0x44 string >\0 "%-.64s" -#>>>0x18 ulelong >0 +#>>>0x18 ulelong >0 # blocksize in 512 byte units ? #>>>>0x18 ulelong x \b, %db # partition size in blocks ? diff --git a/magic/Magdir/animation b/magic/Magdir/animation index fcd7d625..eb5d6c8c 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.59 2017/01/21 16:07:14 christos Exp $ +# $File: animation,v 1.60 2017/03/17 21:35:28 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -186,13 +186,13 @@ # MPEG sequences # Scans for all common MPEG header start codes -0 belong 0x00000001 +0 belong 0x00000001 >4 byte&0x1F 0x07 JVT NAL sequence, H.264 video >>5 byte 66 \b, baseline >>5 byte 77 \b, main >>5 byte 88 \b, extended >>7 byte x \b @ L %u -0 belong&0xFFFFFF00 0x00000100 +0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence !:mime video/mpeg >>4 byte &0x40 \b, v2, program multiplex @@ -493,8 +493,8 @@ # GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 # GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE) # FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries -#0 beshort&0xFFFE 0xFFFE -#>2 ubyte&0xF0 >0x0F +#0 beshort&0xFFFE 0xFFFE +#>2 ubyte&0xF0 >0x0F #>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1 ## rate #>>>2 byte&0xF0 0x10 \b, 32 kbps @@ -566,9 +566,9 @@ # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 !:mime audio/mpeg -# rate +# rate >2 byte&0xF0 0x10 \b, 8 kbps ->2 byte&0xF0 0x20 \b, 16 kbps +>2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps @@ -636,7 +636,7 @@ # MP3, M25A 0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 !:mime audio/mpeg -# rate +# rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps diff --git a/magic/Magdir/apple b/magic/Magdir/apple index ce03298f..391205f2 100644 --- a/magic/Magdir/apple +++ b/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.35 2016/08/17 09:45:13 christos Exp $ +# $File: apple,v 1.36 2017/03/17 21:35:28 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -67,15 +67,15 @@ # AppleWorks word processor: # URL: https://en.wikipedia.org/wiki/AppleWorks # Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx -# Update: Joerg Jenderek +# Update: Joerg Jenderek # NOTE: # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. # and/or look for unused bits of booleans bytes like zoom, paginated, mail merge # the newer AppleWorks is from claris with extension CWK -4 string O +4 string O # test for unused bits of zoom- , paginated-boolean bytes ->84 ubequad ^0x00Fe00000000Fe00 +>84 ubequad ^0x00Fe00000000Fe00 # look for tabstop definitions "=" no tab, "|" no tab # "<" left tab,"^" center tab,">" right tab, "." decimal tab, # unofficial "!" other , "\x8a" other @@ -92,9 +92,9 @@ !:ext awp # minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) >>>183 ubyte 30 3.0 ->>>183 ubyte !30 +>>>183 ubyte !30 >>>>183 ubyte !0 0x%x -# usual tabstop start sequence "=====<" +# usual tabstop start sequence "=====<" >>>5 string x \b, tabstop ruler "%6.6s" # tabstop ruler #>>>5 string >\0 \b, tabstops "%-79s" @@ -105,7 +105,7 @@ # contains any mail-merge commands >>>92 byte&0x01 >0 \b, with mail merge # left margin in 1/10 inches ( normally 0 or 10 ) ->>>91 ubyte >0 +>>>91 ubyte >0 >>>>91 ubyte x \b, %d/10 inch left margin # AppleWorks database: @@ -140,13 +140,13 @@ # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) #0 belong&0xff00ff 0x80000 Applesoft BASIC program data -0 belong&0x00ff00ff 0x00080000 +0 belong&0x00ff00ff 0x00080000 # assuming that line number must be positive >2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d # ORCA/EZ assembler: -# +# # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF @@ -186,18 +186,18 @@ # From Johan Gade. # These entries are disabled for now until we fix the following issues. # -# Note there might be some problems with the "VAX COFF executable" -# entry. Note this entry should be placed before the mac filesystem section, +# Note there might be some problems with the "VAX COFF executable" +# entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # -# The intended meaning of these tests is, that the file is only of the +# The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # -# Note that this entry is recognized correctly by the "Apple Partition +# Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 @@ -288,7 +288,7 @@ # Apple disk partition stuff # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h -# Update: Joerg Jenderek +# Update: Joerg Jenderek # "ER" is APPLE_DRVR_MAP_MAGIC signature 0 beshort 0x4552 # display Apple Driver Map (strength=50) after Syslinux bootloader (71) @@ -315,7 +315,7 @@ # device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>10 ubeshort x \b, devid %u # driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) ->>12 ubelong >0 +>>12 ubelong >0 >>>12 ubelong x \b, driver data %u # number of driver descriptors sbDrvrCount <= 61 # (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) @@ -327,26 +327,26 @@ # >>500 use apple-driver-map # number of partitions is always same in every partition (map block count) #>>0x0204 ubelong x \b, %u partitions ->>0x0204 ubelong >0 \b, contains[@0x200]: +>>0x0204 ubelong >0 \b, contains[@0x200]: >>>0x0200 use apple-apm ->>0x0204 ubelong >1 \b, contains[@0x400]: +>>0x0204 ubelong >1 \b, contains[@0x400]: >>>0x0400 use apple-apm ->>0x0204 ubelong >2 \b, contains[@0x600]: +>>0x0204 ubelong >2 \b, contains[@0x600]: >>>0x0600 use apple-apm ->>0x0204 ubelong >3 \b, contains[@0x800]: +>>0x0204 ubelong >3 \b, contains[@0x800]: >>>0x0800 use apple-apm ->>0x0204 ubelong >4 \b, contains[@0xA00]: +>>0x0204 ubelong >4 \b, contains[@0xA00]: >>>0x0A00 use apple-apm ->>0x0204 ubelong >5 \b, contains[@0xC00]: +>>0x0204 ubelong >5 \b, contains[@0xC00]: >>>0x0C00 use apple-apm ->>0x0204 ubelong >6 \b, contains[@0xE00]: +>>0x0204 ubelong >6 \b, contains[@0xE00]: >>>0x0E00 use apple-apm ->>0x0204 ubelong >7 \b, contains[@0x1000]: +>>0x0204 ubelong >7 \b, contains[@0x1000]: >>>0x1000 use apple-apm # display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) 0 name apple-driver-map ->0 ubequad !0 -# descBlock first block of driver +>0 ubequad !0 +# descBlock first block of driver >>0 ubelong x \b, driver start block %u # descSize driver size in blocks >>4 ubeshort x \b, size %u @@ -355,11 +355,11 @@ # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the # magic stronger. # for apple partition map stored as a single file -0 belong 0x504d0000 +0 belong 0x504d0000 # to display Apple Partition Map (strength=70) after Syslinux bootloader (71) #!:strength +0 >0 use apple-apm @@ -417,7 +417,7 @@ 0 name appleworks >0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document >0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document ->0 default x +>0 default x >>0 belong x AppleWorks/ClarisWorks CWK Document >0 byte x \b, version %d >30 beshort x \b, %d diff --git a/magic/Magdir/archive b/magic/Magdir/archive index 6ba3bed3..8f159bfa 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.104 2017/02/10 14:03:22 christos Exp $ +# $File: archive,v 1.105 2017/03/17 21:35:28 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -249,9 +249,9 @@ # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive # Update: Joerg Jenderek # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others -0 string \0\6 +0 string \0\6 # look for first keyword of Panorama database *.pan ->12 search/261 DESIGN +>12 search/261 DESIGN # skip keyword with low entropy >12 default x TTComp archive, binary, 4K dictionary # (version 5.25) labeled the above entry as "TTComp archive data" @@ -447,9 +447,9 @@ 0 string SZ\x0a\4 SZip archive data # XPack DiskImage # *.XDI updated by Joerg Jenderek Sep 2015 -# ftp://ftp.sac.sk/pub/sac/pack/0index.txt +# ftp://ftp.sac.sk/pub/sac/pack/0index.txt # GRR: this test is still too general as it catches also text files starting with jm -0 string jm +0 string jm # only found examples with this additional characteristic 2 bytes >2 string \x2\x4 Xpack DiskImage archive data #!:ext xdi @@ -462,7 +462,7 @@ # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip # created by XPA32.EXE version 1.0.2 for Windows >0 string xpa\0\1 \b32 archive data -# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 +# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 >3 ubeshort !0x0001 \bck archive data # XPack Single Data # changed by Joerg Jenderek Sep 2015 back to like in version 5.12 @@ -552,7 +552,7 @@ >>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) -# Update: Joerg Jenderek +# Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html # @@ -561,16 +561,16 @@ # check 1st character of method id like -lz4- -lh5- or -pm2- >2 string - # check 5th character of method id ->>6 string - +>>6 string - # check header level 0 1 2 3 ->>>20 ubyte <4 +>>>20 ubyte <4 # check 2nd, 3th and 4th character of method id ->>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b +>>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b !:mime application/x-lzh-compressed # creator type "LHA " -!:apple ????LHA +!:apple ????LHA # display archive type name like "LHa/LZS archive data" or "LArc archive" ->>>>>2 string -lz \b +>>>>>2 string -lz \b !:ext lzs # already known -lzs- -lz4- -lz5- with old names >>>>>>2 string -lzs LHa/LZS archive data @@ -578,18 +578,18 @@ # missing -lz?- with wikipedia names >>>>>>3 regex \^lz[2378] LArc archive # display archive type name like "LHa (2.x) archive data" ->>>>>2 string -lh \b +>>>>>2 string -lh \b # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment ->>>>>>>2 string -lh1 \b +>>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data >>>>>>3 regex \^lh[456] LHa (2.x) archive data ->>>>>>>2 string -lh5 \b +>>>>>>>2 string -lh5 \b # https://en.wikipedia.org/wiki/BIOS # Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like # bios.rom , kd7_v14.bin, 1010.004, ... @@ -599,7 +599,7 @@ # UNLHA32 2.67a >>>>>>2 string -lhx LHa (UNLHA32) archive # lha archives with standard file name extensions ".lha" ".lzh" ->>>>>>3 regex !\^(lh1|lh5) \b +>>>>>>3 regex !\^(lh1|lh5) \b !:ext lha/lzh # this should not happen if all -lh variants are described >>>>>>2 default x LHa (unknown) archive @@ -614,28 +614,28 @@ # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 ->0 ubyte x +>0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d -# attribute: 0x2~?? 0x10~symlink|target 0x20~normal +# attribute: 0x2~?? 0x10~symlink|target 0x20~normal #>19 ubyte x \b, 19_0x%x # level identifier 0 1 2 3 #>20 ubyte x \b, level %d # time stamp #>15 ubelong x DATE 0x%8.8x # OS ID for level 1 ->20 ubyte 1 +>20 ubyte 1 # 0x20 types find for *.rom files >>(21.b+24) ubyte <0x21 \b, 0x%x OS # ascii type like M for MSDOS >>(21.b+24) ubyte >0x20 \b, '%c' OS # OS ID for level 2 ->20 ubyte 2 +>20 ubyte 2 #>>23 ubyte x \b, OS ID 0x%x >>23 ubyte <0x21 \b, 0x%x OS >>23 ubyte >0x20 \b, '%c' OS # filename only for level 0 and 1 ->20 ubyte <2 +>20 ubyte <2 # length of filename >>21 ubyte >0 \b, with # filename @@ -643,73 +643,73 @@ # #2 string -lh0- LHarc 1.x/ARX archive data [lh0] #!:mime application/x-lharc -2 string -lh0- +2 string -lh0- >0 use lharc-file #2 string -lh1- LHarc 1.x/ARX archive data [lh1] #!:mime application/x-lharc -2 string -lh1- +2 string -lh1- >0 use lharc-file # NEW -lz2- ... -lz8- -2 string -lz2- +2 string -lz2- >0 use lharc-file -2 string -lz3- +2 string -lz3- >0 use lharc-file -2 string -lz4- +2 string -lz4- >0 use lharc-file -2 string -lz5- +2 string -lz5- >0 use lharc-file -2 string -lz7- +2 string -lz7- >0 use lharc-file -2 string -lz8- +2 string -lz8- >0 use lharc-file # [never seen any but the last; -lh4- reported in comp.compression:] #2 string -lzs- LHa/LZS archive data [lzs] -2 string -lzs- +2 string -lzs- >0 use lharc-file # According to wikipedia and others such a version does not exist #2 string -lh\40- LHa 2.x? archive data [lh ] #2 string -lhd- LHa 2.x? archive data [lhd] -2 string -lhd- +2 string -lhd- >0 use lharc-file #2 string -lh2- LHa 2.x? archive data [lh2] -2 string -lh2- +2 string -lh2- >0 use lharc-file #2 string -lh3- LHa 2.x? archive data [lh3] -2 string -lh3- +2 string -lh3- >0 use lharc-file #2 string -lh4- LHa (2.x) archive data [lh4] -2 string -lh4- +2 string -lh4- >0 use lharc-file #2 string -lh5- LHa (2.x) archive data [lh5] -2 string -lh5- +2 string -lh5- >0 use lharc-file #2 string -lh6- LHa (2.x) archive data [lh6] -2 string -lh6- +2 string -lh6- >0 use lharc-file #2 string -lh7- LHa (2.x)/LHark archive data [lh7] -2 string -lh7- +2 string -lh7- # !:mime application/x-lha # >20 byte x - header level %d >0 use lharc-file # NEW -lh8- ... -lhe- , -lhx- -2 string -lh8- +2 string -lh8- >0 use lharc-file -2 string -lh9- +2 string -lh9- >0 use lharc-file -2 string -lha- +2 string -lha- >0 use lharc-file -2 string -lhb- +2 string -lhb- >0 use lharc-file -2 string -lhc- +2 string -lhc- >0 use lharc-file -2 string -lhe- +2 string -lhe- >0 use lharc-file -2 string -lhx- +2 string -lhx- >0 use lharc-file # taken from idarc [JW] 2 string -lZ PUT archive data # already done by LHarc magics -# this should never happen if all sub types of LZS archive are identified +# this should never happen if all sub types of LZS archive are identified #2 string -lz LZS archive data 2 string -sw1- Swag archive data @@ -950,17 +950,17 @@ 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) -# Update: Joerg Jenderek +# Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # #2 string -pm0- PMarc archive data [pm0] -2 string -pm0- +2 string -pm0- >0 use lharc-file #2 string -pm1- PMarc archive data [pm1] -2 string -pm1- +2 string -pm1- >0 use lharc-file #2 string -pm2- PMarc archive data [pm2] -2 string -pm2- +2 string -pm2- >0 use lharc-file 2 string -pms- PMarc SFX archive (CP/M, DOS) #!:mime application/x-foobar-exec @@ -1155,12 +1155,12 @@ >3 ubyte 0 \b, no compression >3 ubyte 2 \b, fast compression (Z1) >3 ubyte 3 \b, medium compression (Z2) ->3 ubyte >3 +>3 ubyte >3 >>3 ubyte <11 \b, compression (Z%d-1) ->2 ubyte&0x08 0x00 +>2 ubyte&0x08 0x00 # ~ 30 byte password field only for *.gho >>12 ubequad !0 \b, password protected ->>44 ubyte !1 +>>44 ubyte !1 # 1~Image All, sector-by-sector only for *.gho >>>10 ubyte 1 \b, sector copy # 1~Image Boot track only for *.gho @@ -1170,8 +1170,8 @@ # optional image description only *.gho >>0xff string >\0 "%-.254s" # look for DOS sector end sequence ->0xE08 search/7776 \x55\xAA ->>&-512 indirect x \b; contains +>0xE08 search/7776 \x55\xAA +>>&-512 indirect x \b; contains # Google Chrome extensions # https://developer.chrome.com/extensions/crx diff --git a/magic/Magdir/att3b b/magic/Magdir/att3b index a3ed9c00..b83ae2ec 100644 --- a/magic/Magdir/att3b +++ b/magic/Magdir/att3b @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: att3b,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. @@ -36,6 +36,6 @@ #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %d # -# core file for 3b2 +# core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' diff --git a/magic/Magdir/audio b/magic/Magdir/audio index 8698c88b..8e5cd6dc 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.77 2017/03/17 19:20:43 christos Exp $ +# $File: audio,v 1.78 2017/03/17 21:35:28 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -300,7 +300,7 @@ >>5 byte &0x40 \b, extended header >>5 byte &0x20 \b, experimental >>5 byte &0x10 \b, footer present ->(6.I+10) indirect x \b, contains: +>(6.I+10) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File @@ -314,7 +314,7 @@ >122 byte&0x1 =0 NTSC # NSFE (Extended NES sound file) magic -# http://slickproductions.org/docs/NSF/nsfespec.txt +# http://slickproductions.org/docs/NSF/nsfespec.txt # From: David Pflug 0 string NSFE Extended NES Sound File >48 search/0x1000 auth @@ -660,7 +660,7 @@ # From Fabio R. Schmidlin # VGM music file -0 string Vgm\ +0 string Vgm\ >9 ubyte >0 VGM Video Game Music dump v >>9 ubyte/16 >0 \b%d >>9 ubyte&0x0F x \b%d @@ -725,7 +725,7 @@ # URL: http://www.garmin.com/ # Reference: http://turboccc.wikispaces.com/share/view/28622555 # NOTE: there exist 2 other Garmin VPM formats -0 string AUDIMG +0 string AUDIMG # skip text files starting with string "AUDIMG" >13 ubyte <13 Garmin Voice Processing Module !:mime audio/x-vpm-wav-garmin @@ -745,17 +745,17 @@ # second of release (0-59) >>9 ubyte x \b:%.2d # if you select a language like german on your garmin device -# you can only select voice modules with correponding language byte ID like 1 +# you can only select voice modules with correponding language byte ID like 1 >>18 ubyte x \b, language ID %d # pointer to 1st audio WAV sample ->>16 uleshort >0 +>>16 uleshort >0 >>>(16.s) ulelong >0 \b, at offset 0x%x # WAV length >>>>(16.s+4) ulelong >0 %d Bytes # look for magic ->>>>>(&-8.l) string RIFF +>>>>>(&-8.l) string RIFF # determine type by ./riff ->>>>>>&-4 indirect x \b +>>>>>>&-4 indirect x \b # 2 - ~ 131 WAV samples following same way # From Martin Mueller Skarbiniks Pedersen diff --git a/magic/Magdir/blackberry b/magic/Magdir/blackberry index 4a61d4e9..2e38a54f 100644 --- a/magic/Magdir/blackberry +++ b/magic/Magdir/blackberry @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: blackberry,v 1.1 2014/01/31 01:51:32 christos Exp $ +# $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $ # blackberry: file(1) magic for BlackBerry file formats # -5 belong 0 +5 belong 0 >8 belong 010010010 BlackBerry RIM ETP file >>22 string x \b for %s diff --git a/magic/Magdir/blender b/magic/Magdir/blender index 5b9c8556..09485702 100644 --- a/magic/Magdir/blender +++ b/magic/Magdir/blender @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.6 2014/08/30 08:34:17 christos Exp $ +# $File: blender,v 1.7 2017/03/17 21:35:28 christos Exp $ # blender: file(1) magic for Blender 3D related files # -# Native format rule v1.2. For questions use the developers list +# Native format rule v1.2. For questions use the developers list # http://lists.blender.org/mailman/listinfo/bf-committers -# GLOB chunk was moved near start and provides subversion info since 2.42 +# GLOB chunk was moved near start and provides subversion info since 2.42 0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang index bb594b06..41731c1d 100644 --- a/magic/Magdir/c-lang +++ b/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.24 2016/07/01 23:31:13 christos Exp $ +# $File: c-lang,v 1.25 2017/03/17 21:35:28 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -53,7 +53,7 @@ !:strength +25 !:mime text/x-objective-c -# From: Mikhail Teterin +# From: Mikhail Teterin 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will diff --git a/magic/Magdir/cad b/magic/Magdir/cad index 9b09fd7a..f4abc657 100644 --- a/magic/Magdir/cad +++ b/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.13 2014/03/23 18:05:38 christos Exp $ +# $File: cad,v 1.14 2017/03/17 21:35:28 christos Exp $ # autocad: file(1) magic for cad files # @@ -9,7 +9,7 @@ # DGN is the default file extension of Microstation/Intergraph CAD files. # CIT is the proprietary raster format (similar to TIFF) used to attach # raster underlays to Microstation DGN (vector) drawings. -# +# # http://www.wotsit.org/search.asp # http://filext.com/detaillist.php?extdetail=DGN # http://filext.com/detaillist.php?extdetail=CIT @@ -42,7 +42,7 @@ >4 string \030\000\000 CITFile >4 string \030\000\003 CITFile -# AutoCAD +# AutoCAD # Merge of the different contributions and updates from http://en.wikipedia.org/wiki/Dwg # and http://www.iana.org/assignments/media-types/image/vnd.dwg 0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0 @@ -99,42 +99,42 @@ 0 string AC1027 DWG AutoDesk AutoCAD 2013/2014 !:mime image/vnd.dwg -# KOMPAS 2D drawing from ASCON +# KOMPAS 2D drawing from ASCON # This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor # gathered nor specification # ASCON http://ascon.net/main/ in English, # http://ascon.ru/ main site in Russian -# Extension is CDW for drawing and FRW for fragment of drawing +# Extension is CDW for drawing and FRW for fragment of drawing # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321, http://vkontakte.ru/id16076543) # From: # http://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 # (in russian) and my experiments 0 string KF ->2 belong 0x4E00000C Kompas drawing 12.0 SP1 ->2 belong 0x4D00000C Kompas drawing 12.0 ->2 belong 0x3200000B Kompas drawing 11.0 SP1 ->2 belong 0x3100000B Kompas drawing 11.0 ->2 belong 0x2310000A Kompas drawing 10.0 SP1 ->2 belong 0x2110000A Kompas drawing 10.0 ->2 belong 0x08000009 Kompas drawing 9.0 SP1 ->2 belong 0x05000009 Kompas drawing 9.0 ->2 belong 0x33010008 Kompas drawing 8+ ->2 belong 0x1A000008 Kompas drawing 8.0 ->2 belong 0x2C010107 Kompas drawing 7+ ->2 belong 0x05000007 Kompas drawing 7.0 ->2 belong 0x32000006 Kompas drawing 6+ ->2 belong 0x09000006 Kompas drawing 6.0 ->2 belong 0x5C009005 Kompas drawing 5.11R03 ->2 belong 0x54009005 Kompas drawing 5.11R02 ->2 belong 0x51009005 Kompas drawing 5.11R01 ->2 belong 0x22009005 Kompas drawing 5.10R03 ->2 belong 0x22009005 Kompas drawing 5.10R02 mar ->2 belong 0x21009005 Kompas drawing 5.10R02 febr ->2 belong 0x19009005 Kompas drawing 5.10R01 ->2 belong 0xF4008005 Kompas drawing 5.9R01.003 ->2 belong 0x1C008005 Kompas drawing 5.9R01.002 ->2 belong 0x11008005 Kompas drawing 5.8R01.003 +>2 belong 0x4E00000C Kompas drawing 12.0 SP1 +>2 belong 0x4D00000C Kompas drawing 12.0 +>2 belong 0x3200000B Kompas drawing 11.0 SP1 +>2 belong 0x3100000B Kompas drawing 11.0 +>2 belong 0x2310000A Kompas drawing 10.0 SP1 +>2 belong 0x2110000A Kompas drawing 10.0 +>2 belong 0x08000009 Kompas drawing 9.0 SP1 +>2 belong 0x05000009 Kompas drawing 9.0 +>2 belong 0x33010008 Kompas drawing 8+ +>2 belong 0x1A000008 Kompas drawing 8.0 +>2 belong 0x2C010107 Kompas drawing 7+ +>2 belong 0x05000007 Kompas drawing 7.0 +>2 belong 0x32000006 Kompas drawing 6+ +>2 belong 0x09000006 Kompas drawing 6.0 +>2 belong 0x5C009005 Kompas drawing 5.11R03 +>2 belong 0x54009005 Kompas drawing 5.11R02 +>2 belong 0x51009005 Kompas drawing 5.11R01 +>2 belong 0x22009005 Kompas drawing 5.10R03 +>2 belong 0x22009005 Kompas drawing 5.10R02 mar +>2 belong 0x21009005 Kompas drawing 5.10R02 febr +>2 belong 0x19009005 Kompas drawing 5.10R01 +>2 belong 0xF4008005 Kompas drawing 5.9R01.003 +>2 belong 0x1C008005 Kompas drawing 5.9R01.002 +>2 belong 0x11008005 Kompas drawing 5.8R01.003 # CAD: file(1) magic for computer aided design files # Phillip Griffith diff --git a/magic/Magdir/cafebabe b/magic/Magdir/cafebabe index 6d97cebc..ecc550a6 100644 --- a/magic/Magdir/cafebabe +++ b/magic/Magdir/cafebabe @@ -1,14 +1,14 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.21 2015/10/15 20:56:51 christos Exp $ +# $File: cafebabe,v 1.22 2017/03/17 21:35:28 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, # the test must be performed in the same "magic" sequence to get both right. # The long at offset 4 in a Mach-O universal binary tells the number of # architectures; the short at offset 4 in a Java bytecode file is the JVM minor -# version and the short at offset 6 is the JVM major version. Since there are only -# only 18 labeled Mach-O architectures at current, and the first released +# version and the short at offset 6 is the JVM major version. Since there are only +# only 18 labeled Mach-O architectures at current, and the first released # Java class format was version 43.0, we can safely choose any number # between 18 and 39 to test the number of architectures against # (and use as a hack). Let's not use 18, because the Mach-O people @@ -47,7 +47,7 @@ 0 name mach-o \b [ >0 use mach-o-cpu \b ->(8.L) indirect \b: +>(8.L) indirect \b: >0 belong x \b] 0 belong 0xcafebabe diff --git a/magic/Magdir/clipper b/magic/Magdir/clipper index 98278ebf..2768b3af 100644 --- a/magic/Magdir/clipper +++ b/magic/Magdir/clipper @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: clipper,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # -# >18 short !074000,000000 C1 R1 +# >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST @@ -15,7 +15,7 @@ # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # -# >18 short&074000 000000 C1 R1 +# >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST @@ -37,7 +37,7 @@ >12 long >0 not stripped >22 short >0 - version %d 0 short 0577 CLIPPER COFF executable ->18 short&074000 000000 C1 R1 +>18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST diff --git a/magic/Magdir/coff b/magic/Magdir/coff index 02cbf9ce..b4addec5 100644 --- a/magic/Magdir/coff +++ b/magic/Magdir/coff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.1 2015/09/30 20:32:35 christos Exp $ +# $File: coff,v 1.2 2017/03/17 21:35:28 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF @@ -15,7 +15,7 @@ # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 uleshort&0x8E80 0 +>18 uleshort&0x8E80 0 >>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) @@ -25,7 +25,7 @@ # Hitachi SH little-endian COFF (./hitachi-sh) >>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>0 uleshort 0x01DF +#>>0 uleshort 0x01DF # TODO for other COFFs #>>0 uleshort 0xABCD COFF_TEMPLATE >>0 default x @@ -45,12 +45,12 @@ >>18 leshort &0x0008 \b, stripped >>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions -#0x0010 F_FDPR_PROF +#0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit #>>>18 leshort &0x0100 \b, 32 bit little endian -#0x1000 F_DYNLOAD +#0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY # f_nscns - number of sections @@ -62,7 +62,7 @@ >>8 ulelong >0 \b, symbol offset=0x%x # f_nsyms - number of symbols, only for not stripped >>12 ulelong >0 \b, %d symbols -# f_opthdr - optional header size +# f_opthdr - optional header size >>16 uleshort >0 \b, optional header size %d # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. diff --git a/magic/Magdir/compress b/magic/Magdir/compress index 3297d5dc..1b213591 100644 --- a/magic/Magdir/compress +++ b/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.66 2016/09/16 12:12:05 christos Exp $ +# $File: compress,v 1.67 2017/03/17 21:35:28 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -310,7 +310,7 @@ # Zlib https://www.ietf.org/rfc/rfc6713.txt 0 string/b x ->0 beshort%31 =0 +>0 beshort%31 =0 >>0 byte&0xf =8 >>>0 byte&0x80 =0 zlib compressed data !:mime application/zlib diff --git a/magic/Magdir/console b/magic/Magdir/console index de8a6de4..0d98a7ae 100644 --- a/magic/Magdir/console +++ b/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.29 2017/02/08 21:53:06 christos Exp $ +# $File: console,v 1.30 2017/03/17 21:35:28 christos Exp $ # Console game magic # Toby Deshane @@ -436,7 +436,7 @@ #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi -#0 beshort 0x4142 MSX game cartridge dump +#0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : @@ -491,7 +491,7 @@ # Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. -0 beshort 0x8008 +0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge >>2 beshort x \b, RAM start $%04x >6 string LYNX Lynx cartridge @@ -506,7 +506,7 @@ # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic # ftp://ftp.modland.com/pub/documents/format_documentation/\ -# Gameboy%20Sound%20System%20(.gbs).txt +# Gameboy%20Sound%20System%20(.gbs).txt 0 string GBS Nintendo Gameboy Music/Audio Data #12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module >16 string >\0 ("%s" by @@ -546,7 +546,7 @@ # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording >0x4 lelong x \b, version %d -# version 4 is latest so far +# version 4 is latest so far >0x4 lelong <5 >>0x8 ledate x \b, recorded at %s >>0xc lelong >0 \b, rerecorded %d times diff --git a/magic/Magdir/cups b/magic/Magdir/cups index 4d0056bb..a065de39 100644 --- a/magic/Magdir/cups +++ b/magic/Magdir/cups @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cups,v 1.4 2016/10/17 18:51:02 christos Exp $ +# $File: cups,v 1.5 2017/03/17 21:35:28 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli # http://www.cups.org/documentation.php/spec-raster.html @@ -39,7 +39,7 @@ >404 lelong 20 ColorSpace=AdobeRGB # Cups Raster image format, Big Endian -0 string RaS +0 string RaS >3 string t Cups Raster version 1, Big Endian >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian @@ -48,7 +48,7 @@ # Cups Raster image format, Little Endian -1 string SaR +1 string SaR >0 string t Cups Raster version 1, Little Endian >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian diff --git a/magic/Magdir/database b/magic/Magdir/database index 15f94b1f..c6f63f4f 100644 --- a/magic/Magdir/database +++ b/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.49 2016/06/11 17:01:51 christos Exp $ +# $File: database,v 1.50 2017/03/17 21:35:28 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -84,7 +84,7 @@ # From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) -12 belong 0x00040988 Berkeley DB +12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian) @@ -103,7 +103,7 @@ >>>12 long !0 32bit aligned >>>>12 bedouble 8.642135e+130 big-endian >>>>>20 long 0 64bit long ->>>>>20 long !0 32bit long +>>>>>20 long !0 32bit long >>>>12 ledouble 8.642135e+130 little-endian >>>>>24 long 0 64bit long >>>>>24 long !0 32bit long (i386) @@ -128,22 +128,22 @@ # XXX: Weak magic. # Alex Ott ## Paradox file formats -#2 leshort 0x0800 Paradox -#>0x39 byte 3 v. 3.0 -#>0x39 byte 4 v. 3.5 -#>0x39 byte 9 v. 4.x -#>0x39 byte 10 v. 5.x -#>0x39 byte 11 v. 5.x -#>0x39 byte 12 v. 7.x -#>>0x04 byte 0 indexed .DB data file -#>>0x04 byte 1 primary index .PX file -#>>0x04 byte 2 non-indexed .DB data file -#>>0x04 byte 3 non-incrementing secondary index .Xnn file -#>>0x04 byte 4 secondary index .Ynn file -#>>0x04 byte 5 incrementing secondary index .Xnn file -#>>0x04 byte 6 non-incrementing secondary index .XGn file -#>>0x04 byte 7 secondary index .YGn file -#>>>0x04 byte 8 incrementing secondary index .XGn file +#2 leshort 0x0800 Paradox +#>0x39 byte 3 v. 3.0 +#>0x39 byte 4 v. 3.5 +#>0x39 byte 9 v. 4.x +#>0x39 byte 10 v. 5.x +#>0x39 byte 11 v. 5.x +#>0x39 byte 12 v. 7.x +#>>0x04 byte 0 indexed .DB data file +#>>0x04 byte 1 primary index .PX file +#>>0x04 byte 2 non-indexed .DB data file +#>>0x04 byte 3 non-incrementing secondary index .Xnn file +#>>0x04 byte 4 secondary index .Ynn file +#>>0x04 byte 5 incrementing secondary index .Xnn file +#>>0x04 byte 6 non-incrementing secondary index .XGn file +#>>0x04 byte 7 secondary index .YGn file +#>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files # updated by Joerg Jenderek at Feb 2013 @@ -151,33 +151,33 @@ # http://www.clicketyclick.dk/databases/xbase/format/dbf.html # http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 -0 ubelong&0x0000FFFF <0x00000C20 +0 ubelong&0x0000FFFF <0x00000C20 # skip Infocom game Z-machine ->2 ubyte >0 +>2 ubyte >0 # skip Androids *.xml ->>3 ubyte >0 ->>>3 ubyte <32 +>>3 ubyte >0 +>>>3 ubyte <32 # 1 < version VV ->>>>0 ubyte >1 +>>>>0 ubyte >1 # skip HELP.CA3 by test for reserved byte ( NULL ) ->>>>>27 ubyte 0 +>>>>>27 ubyte 0 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) #>>>>>30 ubeshort x 30NULL?%x -# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) ->>>>>>24 ubelong&0xffFFFFff >0x01302000 +# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>24 ubelong&0xffFFFFff >0x01302000 # .DBF or .MDX ->>>>>>24 ubelong&0xffFFFFff <0x01302001 +>>>>>>24 ubelong&0xffFFFFff <0x01302001 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user ->>>>>>>24 ubelong&0xffFFFFff =0 +>>>>>>>24 ubelong&0xffFFFFff =0 # test for 2 reserved NULL bytes,transaction and encryption byte flag ->>>>>>>>12 ubelong&0xFFFFfEfE 0 +>>>>>>>>12 ubelong&0xFFFFfEfE 0 # test for MDX flag ->>>>>>>>>28 ubyte x ->>>>>>>>>28 ubyte&0xf8 0 +>>>>>>>>>28 ubyte x +>>>>>>>>>28 ubyte&0xf8 0 # header size >= 32 ->>>>>>>>>>8 uleshort >31 +>>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name ->>>>>>>>>>>32 ubyte >0 +>>>>>>>>>>>32 ubyte >0 #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type @@ -202,22 +202,22 @@ >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT >>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size ->>>>>>>>>>>>8 uleshort >0 ->>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>8 uleshort >0 +>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d ->>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>>&-1 string >\0 1st record "%s" -# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) ->>>>>>>24 ubelong&0x0133f7ff >0 +# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) +>>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte ->>>>>>>>47 ubyte 0 +>>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) ->>>>>>>>>559 ubyte&0xeF 0 +>>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 ->>>>>>>>>>45 ubeshort <0x0C20 ->>>>>>>>>>>45 ubyte >0 ->>>>>>>>>>>>46 ubyte <32 ->>>>>>>>>>>>>46 ubyte >0 +>>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx >>>>>>>>>>>>>>0 use xbase-type >>>>>>>>>>>>>>0 ubyte x \b MDX @@ -236,11 +236,11 @@ # 2nd tag name #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # -# Print the xBase names of different version variants +# Print the xBase names of different version variants 0 name xbase-type ->0 ubyte <2 +>0 ubyte <2 # 1 < version ->0 ubyte >1 +>0 ubyte >1 >>0 ubyte 0x02 FoxBase # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III @@ -293,7 +293,7 @@ # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf -# HiPer-Six format;Clipper SIX, with SMT memo file +# HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx @@ -318,12 +318,12 @@ # test and print the date of xBase .DBF .MDX 0 name xbase-date # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 ->0 ubelong x ->1 ubyte <13 ->>1 ubyte >0 ->>>2 ubyte >0 ->>>>2 ubyte <32 ->>>>>0 ubyte x +>0 ubelong x +>1 ubyte <13 +>>1 ubyte >0 +>>>2 ubyte >0 +>>>>2 ubyte <32 +>>>>>0 ubyte x # YY is interpreted as 20YY or 19YY >>>>>>0 ubyte <100 \b %.2d # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY @@ -333,56 +333,56 @@ # dBase memo files .DBT or .FPT # http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx -16 ubyte <4 ->16 ubyte !2 ->>16 ubyte !1 +16 ubyte <4 +>16 ubyte !2 +>>16 ubyte !1 # next free block index is positive ->>>0 ulelong >0 +>>>0 ulelong >0 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size ->>>>17 ubelong&0xFFfdFE00 0x00000000 +>>>>17 ubelong&0xFFfdFE00 0x00000000 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h ->>>>>20 ubelong&0xFF01209B 0x00000000 +>>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III ->>>>>>16 ubyte 3 +>>>>>>16 ubyte 3 # dBASE III DBT >>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage ->>>>>>16 ubyte 0 +>>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF ->>>>>>>20 uleshort 0 +>>>>>>>20 uleshort 0 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage ->>>>>>>>8 ulong =0 ->>>>>>>>>6 ubeshort >0 +>>>>>>>>8 ulong =0 +>>>>>>>>>6 ubeshort >0 # skip emacs.PIF ->>>>>>>>>>4 ushort 0 +>>>>>>>>>>4 ushort 0 >>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage ->>>>>>>>>6 ubeshort 0 +>>>>>>>>>6 ubeshort 0 # skip MM*DD*.bin by test for for reserved NULL byte ->>>>>>>>>>510 ubeshort 0 +>>>>>>>>>>510 ubeshort 0 # skip TK-DOS11.img image by looking for memo text ->>>>>>>>>>>512 ubelong <0xfeffff03 +>>>>>>>>>>>512 ubelong <0xfeffff03 # skip EFI executables by looking for memo text ->>>>>>>>>>>>512 ubelong >0x1F202020 ->>>>>>>>>>>>>513 ubyte >0 +>>>>>>>>>>>>512 ubelong >0x1F202020 +>>>>>>>>>>>>>513 ubyte >0 # unusual dBASE III DBT like adressen.dbt >>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF ->>>>>>>>8 ubelong !0 +>>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes ->>>>>>>>>510 ubeshort 0 +>>>>>>>>>510 ubeshort 0 # skip some DBF by test of invalid version ->>>>>>>>>>0 ubyte >5 ->>>>>>>>>>>0 ubyte <48 +>>>>>>>>>>0 ubyte >5 +>>>>>>>>>>>0 ubyte <48 >>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size ->>>>>>>20 uleshort >0 -# dBASE IV DBT with valid block length like 512, 1024 +>>>>>>>20 uleshort >0 +# dBASE IV DBT with valid block length like 512, 1024 # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero ->>>>>>>>20 uleshort&0x800f 0 +>>>>>>>>20 uleshort&0x800f 0 >>>>>>>>>0 use dbase4-memo-print -# Print the information of dBase III DBT memo file +# Print the information of dBase III DBT memo file 0 name dbase3-memo-print >0 ubyte x dBase III DBT # instead 3 as version number 0 for unusual examples like biblio.dbt @@ -395,45 +395,45 @@ >20 uleshort !0 \b, block length %u # dBase III memo field terminated by \032\032 >512 string >\0 \b, 1st item "%s" -# Print the information of dBase IV DBT memo file +# Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt # 8 character shorted main name of coresponding dBASE IV DBF file ->8 ubelong >0x20000000 +>8 ubelong >0x20000000 # skip unusual like for angest.dbt ->>20 uleshort >0 +>>20 uleshort >0 >>>8 string >\0 \b of %-.8s.DBF # value 0 implies 512 as size #>4 ulelong =0 \b, blocks size %u # size of blocks not reliable like 0x2020204C in angest.dbt ->4 ulelong !0 +>4 ulelong !0 >>4 ulelong&0x0000003f 0 \b, blocks size %u # dBase IV DBT with positive block length (found 512 , 1024) >20 uleshort >0 \b, block length %u # next available block #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u ->20 uleshort >0 ->>(20.s) ubelong x +>20 uleshort >0 +>>(20.s) ubelong x >>>&-4 use dbase4-memofield-print # unusual dBase IV DBT without block length (implies 512 as length) ->20 uleshort =0 ->>512 ubelong x +>20 uleshort =0 +>>512 ubelong x >>>&-4 use dbase4-memofield-print -# Print the information of dBase IV memo field +# Print the information of dBase IV memo field 0 name dbase4-memofield-print # free dBase IV memo field ->0 ubelong !0xFFFF0800 +>0 ubelong !0xFFFF0800 >>0 lelong x \b, next free block %u >>4 lelong x \b, next used block %u # used dBase IV memo field ->0 ubelong =0xFFFF0800 +>0 ubelong =0xFFFF0800 # length of memo field >>4 lelong x \b, field length %d >>>8 string >\0 \b, 1st used item "%s" -# Print the information of FoxPro FPT memo file +# Print the information of FoxPro FPT memo file 0 name foxpro-memo-print >0 belong x FoxPro FPT # Size of blocks for FoxPro ( 64,256 ) @@ -441,14 +441,14 @@ # next available block #>0 belong =0 \b, next free block index %u >0 belong !0 \b, next free block index %u -# field type ( 0~picture, 1~memo, 2~object ) +# field type ( 0~picture, 1~memo, 2~object ) >512 ubelong <3 \b, field type %u # length of memo field ->512 ubelong 1 +>512 ubelong 1 >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s" -# TODO: +# TODO: # DBASE index file *.NDX # DBASE Compound Index file *.CDX # dBASE IV Printer Driver *.PRF @@ -465,9 +465,9 @@ # Reference: https://github.com/libyal/libesedb/archive/master.zip # libesedb-master/documentation/ # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc -# Note: also known as "JET Blue". Used by numerous Windows components such as +# Note: also known as "JET Blue". Used by numerous Windows components such as # Windows Search, Mail, Exchange and Active Directory. -4 ubelong 0xefcdab89 +4 ubelong 0xefcdab89 # unknown1 >132 ubelong 0 Extensible storage engine !:mime application/x-ms-ese @@ -497,8 +497,8 @@ # From: Joerg Jenderek # URL: http://forensicswiki.org/wiki/Windows_Application_Compatibility # Note: files contain application compatibility fixes, application compatibility modes and application help messages. -8 string sdbf ->7 ubyte 0 +8 string sdbf +>7 ubyte 0 # TAG_TYPE_LIST+TAG_INDEXES >>12 uleshort 0x7802 Windows application compatibility Shim DataBase # version? 2 3 @@ -600,10 +600,10 @@ # Reference: http://www.provue.com/Panorama/ # From: Joerg Jenderek # NOTE: test only versions 4 and 6.0 with Windows -# length of Panorama database name -5 ubyte >0 +# length of Panorama database name +5 ubyte >0 # look after database name for "some" null bits ->(5.B+7) ubelong&0xF3ffF000 0 +>(5.B+7) ubelong&0xF3ffF000 0 # look for first keyword >>&1 search/2 DESIGN Panorama database #!:mime application/x-panorama-database diff --git a/magic/Magdir/der b/magic/Magdir/der index abfbf9b8..9c25f00c 100644 --- a/magic/Magdir/der +++ b/magic/Magdir/der @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.1 2016/01/19 15:07:45 christos Exp $ +# $File: der,v 1.2 2017/03/17 21:35:28 christos Exp $ # der: file(1) magic for DER encoded files # @@ -32,37 +32,37 @@ # Key Pairs 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int65=x >&0 der int3=010001 DER Encoded Key Pair, 512 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int129=x >&0 der int3=010001 DER Encoded Key Pair, 1024 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int257=x >&0 der int3=010001 DER Encoded Key Pair, 2048 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int513=x >&0 der int3=010001 DER Encoded Key Pair, 4096 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int1025=x >&0 der int3=010001 DER Encoded Key Pair, 8192 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int2049=x >&0 der int3=010001 DER Encoded Key Pair, 16k bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int4097=x >&0 der int3=010001 DER Encoded Key Pair, 32k bits diff --git a/magic/Magdir/diff b/magic/Magdir/diff index 59243801..866c7d85 100644 --- a/magic/Magdir/diff +++ b/magic/Magdir/diff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: diff,v 1.14 2012/09/16 23:08:54 christos Exp $ +# $File: diff,v 1.15 2017/03/17 21:35:28 christos Exp $ # diff: file(1) magic for diff(1) output # 0 search/1 diff\ diff output text @@ -20,9 +20,9 @@ # unified diff -0 search/4096 ---\ +0 search/4096 ---\ >&0 search/1024 \n ->>&0 search/1 +++\ +>>&0 search/1 +++\ >>>&0 search/1024 \n >>>>&0 search/1 @@ unified diff output text !:mime text/x-diff diff --git a/magic/Magdir/dolby b/magic/Magdir/dolby index 573398f3..8034eddc 100644 --- a/magic/Magdir/dolby +++ b/magic/Magdir/dolby @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dolby,v 1.7 2014/01/08 22:37:23 christos Exp $ +# $File: dolby,v 1.8 2017/03/17 21:35:28 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! @@ -23,7 +23,7 @@ >5 byte&0x07 = 0x04 \b, dialogue (D) >5 byte&0x07 = 0x05 \b, commentary (C) >5 byte&0x07 = 0x06 \b, emergency (E) ->5 beshort&0x07e0 0x0720 \b, voiceover (VO) +>5 beshort&0x07e0 0x0720 \b, voiceover (VO) >5 beshort&0x07e0 >0x0720 \b, karaoke # acmod >6 byte&0xe0 = 0x00 1+1 front, diff --git a/magic/Magdir/dump b/magic/Magdir/dump index 1a20ace2..64742b7a 100644 --- a/magic/Magdir/dump +++ b/magic/Magdir/dump @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dump,v 1.13 2014/04/30 21:41:02 christos Exp $ +# $File: dump,v 1.14 2017/03/17 21:35:28 christos Exp $ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. @@ -62,23 +62,23 @@ >824 string >\0 Host %s, >888 belong >0 Flags %x -24 belong 60012 new-fs dump file (big endian), +24 belong 60012 new-fs dump file (big endian), >0 use new-dump-be -24 belong 60011 old-fs dump file (big endian), +24 belong 60011 old-fs dump file (big endian), >0 use old-dump-be -24 lelong 60012 new-fs dump file (little endian), +24 lelong 60012 new-fs dump file (little endian), >0 use \^new-dump-be -24 lelong 60011 old-fs dump file (little endian), +24 lelong 60011 old-fs dump file (little endian), >0 use \^old-dump-be -24 belong 0x19540119 new-fs dump file (ufs2, big endian), +24 belong 0x19540119 new-fs dump file (ufs2, big endian), >0 use ufs2-dump-be -24 lelong 0x19540119 new-fs dump file (ufs2, little endian), +24 lelong 0x19540119 new-fs dump file (ufs2, little endian), >0 use \^ufs2-dump-be 18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), diff --git a/magic/Magdir/dyadic b/magic/Magdir/dyadic index ab734658..185970e4 100644 --- a/magic/Magdir/dyadic +++ b/magic/Magdir/dyadic @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dyadic,v 1.7 2015/05/27 18:02:48 christos Exp $ +# $File: dyadic,v 1.8 2017/03/17 21:35:28 christos Exp $ # Dyadic: file(1) magic for Dyalog APL. # # updated by Joerg Jenderek at Oct 2013 @@ -10,9 +10,9 @@ # .DIN Dyalog APL Input Table # .DOT Dyalog APL Output Table # .DFT Dyalog APL Format File -0 ubeshort&0xFF60 0xaa00 +0 ubeshort&0xFF60 0xaa00 # skip biblio.dbt ->1 byte !4 +>1 byte !4 # real Dyalog APL have non zero version numbers like 7.3 or 13.4 >>2 ubeshort >0x0000 Dyalog APL >>>1 byte 0x00 aplcore diff --git a/magic/Magdir/editors b/magic/Magdir/editors index fa6cbc64..78f3a840 100644 --- a/magic/Magdir/editors +++ b/magic/Magdir/editors @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: editors,v 1.10 2016/07/18 17:44:49 christos Exp $ -# T602 editor documents +# $File: editors,v 1.11 2017/03/17 21:35:28 christos Exp $ +# T602 editor documents # by David Necas 0 string @CT\ T602 document data, >4 string 0 Kamenicky @@ -9,7 +9,7 @@ >4 string 2 KOI8-CS >4 string >2 unknown encoding -# Vi IMproved Encrypted file +# Vi IMproved Encrypted file # by David Necas 0 string VimCrypt~ Vim encrypted file data diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index 65de4184..85fd3d74 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.117 2017/02/11 19:44:28 christos Exp $ +# $File: filesystems,v 1.118 2017/03/17 21:35:28 christos Exp $ # filesystems: file(1) magic for different filesystems # -0 name partid +0 name partid >0 ubyte 0x00 Unused >0 ubyte 0x01 12-bit FAT >0 ubyte 0x02 XENIX / @@ -187,7 +187,7 @@ 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: -0774 beshort 0xdabe +0774 beshort 0xdabe # modified by Joerg Jenderek, because original test # succeeds for Cabinet archive dao360.dl_ with negative blocks >0770 long >0 Sun disk label @@ -213,50 +213,50 @@ # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file >9 string x \b, version %-5.5s ->>14 string =_ +>>14 string =_ >>>15 string x %-.1s >>>>16 string =_ \b. >>>>>17 string x \b%-.1s >>>>>>18 string =_ \b. >>>>>>>19 string x \b%-.1s ->>>22 ubyte 0 +>>>22 ubyte 0 >>>>21 ubyte x \b, from drive 0x%x ->>>22 ubyte >0 +>>>22 ubyte >0 >>>>21 string x \b, from drive %s ->>>535 search/17 \x55\xAA ->>>>&-512 indirect x \b; contains +>>>535 search/17 \x55\xAA +>>>>&-512 indirect x \b; contains # updated by Joerg Jenderek at Nov 2012 # DOS Emulator image is 128 byte, null right padded header + harddisc image -0 string DOSEMU\0 ->0x27E leshort 0xAA55 +0 string DOSEMU\0 +>0x27E leshort 0xAA55 #offset is 128 ->>19 ubyte 128 +>>19 ubyte 128 >>>(19.b-1) ubyte 0x0 DOS Emulator image >>>>7 ulelong >0 \b, %u heads >>>>11 ulelong >0 \b, %d sectors/track >>>>15 ulelong >0 \b, %d cylinders ->>>>128 indirect x \b; contains +>>>>128 indirect x \b; contains # added by Joerg Jenderek at Nov 2012 # http://www.thenakedpc.com/articles/v04/08/0408-05.html # Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data 0 string PNCIHISK\0 Norton Utilities disc image data # real x86 boot sector with jump instruction ->509 search/1026 \x55\xAA\xeb ->>&-1 indirect x \b; contains +>509 search/1026 \x55\xAA\xeb +>>&-1 indirect x \b; contains # http://file-extension.net/seeker/file_extension_dat 0 string PNCIUNDO Norton Disk Doctor UnDo file # # DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 # for any allowed sector sizes -30 search/481 \x55\xAA +30 search/481 \x55\xAA # to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) # DOS BPB information (70) and after DOS floppy (120) like in previous file version !:strength +65 # for sector sizes < 512 Bytes ->11 uleshort <512 +>11 uleshort <512 >>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector # for sector sizes with 512 or more Bytes >0x1FE leshort 0xAA55 DOS/MBR boot sector @@ -270,18 +270,18 @@ >2 string OSBS OS/BS MBR # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ # and http://en.wikipedia.org/wiki/Master_Boot_Record -# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by +# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by # characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00 >0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR # Microsoft Windows 95A and early ( http://thestarman.pcministry.com/asm/mbr/STDMBR.htm ) # assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld ->>8 ubequad 0x8bf45007501ffbfc +>>8 ubequad 0x8bf45007501ffbfc # http://thestarman.pcministry.com/asm/mbr/200MBR.htm >>>0x16 ubyte 0xF3 \b,DOS 2 >>>>219 regex Author\ -\ Author: # found "David Litton" , "A Pehrsson " >>>>>&0 string x "%s" ->>>0x16 ubyte 0xF2 +>>>0x16 ubyte 0xF2 # NEC MS-DOS 3.30 Rev. 3 . See http://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm # assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz >>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3 @@ -316,7 +316,7 @@ >>>>>>(0x79.b) string >\0 "%s" # Microsoft Windows 95B to XP (http://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) # assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b ->>8 ubequad 0x5007501ffcbe1b7c +>>8 ubequad 0x5007501ffcbe1b7c # assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbebe07b104 9M # "Invalid partition table" nn=0x10F for english version @@ -361,7 +361,7 @@ >>>>(0x1b7.b+0x100) string >\0 "%s" # Microsoft Windows Vista or 7 # assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00 ->>8 ubequad 0xc08ed8be007cbf00 +>>8 ubequad 0xc08ed8be007cbf00 # Microsoft Windows Vista (http://thestarman.pcministry.com/asm/mbr/VistaMBR.htm) # assembler instructions: jnz 0729;cmp ebx,"TCPA" >>>0xEC ubequad 0x753b6681fb544350 Vista @@ -402,38 +402,38 @@ # http://en.wikipedia.org/wiki/MBR_disk_signature#ID >>0x1b8 ulelong >0 \b, disk signature 0x%-.4x # driveID/timestamp for Win 95B,98,98SE and ME. See http://thestarman.pcministry.com/asm/mbr/mystery.htm ->>0xDA uleshort 0 +>>0xDA uleshort 0 >>>0xDC ulelong >0 \b, created # physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive >>>>0xDC ubyte x with driveID 0x%x -# hours, minutes and seconds +# hours, minutes and seconds >>>>0xDf ubyte x at %x >>>>0xDe ubyte x \b:%x >>>>0xDd ubyte x \b:%x # special case for Microsoft MS-DOS 3.21 spanish -# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov ->0 ubequad 0xfab830008ed0bc00 -# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov +# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov +>0 ubequad 0xfab830008ed0bc00 +# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov >>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish # Microsoft MBR IPL end # dr-dos with some upper-, lowercase variants ->0x9D string Invalid\ partition\ table$ ->>181 string No\ Operating\ System$ +>0x9D string Invalid\ partition\ table$ +>>181 string No\ Operating\ System$ >>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 ->0x9D string Invalid\ partition\ table$ ->>181 string No\ operating\ system$ +>0x9D string Invalid\ partition\ table$ +>>181 string No\ operating\ system$ >>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 ->342 string Invalid\ partition\ table$ ->>366 string No\ operating\ system$ +>342 string Invalid\ partition\ table$ +>>366 string No\ operating\ system$ >>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 ->295 string NEWLDR\0 ->>302 string Bad\ PT\ $ ->>>310 string No\ OS\ $ ->>>>317 string OS\ load\ err$ ->>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r ->>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ ->>>>>>>387 string Copyright\ (c)\ 1984,1998 +>295 string NEWLDR\0 +>>302 string Bad\ PT\ $ +>>>310 string No\ OS\ $ +>>>>317 string OS\ load\ err$ +>>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r +>>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ +>>>>>>>387 string Copyright\ (c)\ 1984,1998 >>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) # # tests for different MS-DOS Master Boot Records (MBR) moved and merged @@ -441,15 +441,15 @@ #>0x145 string Default:\ F \b, FREE-DOS MBR #>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR >0x145 search/7 Default:\ F \b, FREE-DOS MBR -#>>313 string F0\ .\ .\ . -#>>>322 string disk\ 1 -#>>>>382 string FAT3 ->64 string no\ active\ partition\ found +#>>313 string F0\ .\ .\ . +#>>>322 string disk\ 1 +#>>>>382 string FAT3 +>64 string no\ active\ partition\ found >>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR # Ranish Partition Manager http://www.ranish.com/part/ ->387 search/4 \0\ Error!\r ->>378 search/7 Virus! ->>>397 search/4 Booting\ +>387 search/4 \0\ Error!\r +>>378 search/7 Virus! +>>>397 search/4 Booting\ >>>>408 search/4 HD1/\0 \b, Ranish MBR ( >>>>>416 string Writing\ changes... \b2.37 >>>>>>438 ubyte x \b,0x%x dots @@ -466,23 +466,23 @@ # # SYSLINUX MBR moved # http://www.acronis.de/ ->362 string MBR\ Error\ \0\r ->>376 string ress\ any\ key\ to\ +>362 string MBR\ Error\ \0\r +>>376 string ress\ any\ key\ to\ >>>392 string boot\ from\ floppy...\0 \b, Acronis MBR # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ ->309 string No\ bootable\ partition\ found\r +>309 string No\ bootable\ partition\ found\r >>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR ->349 string No\ bootable\ partition\ found\r +>349 string No\ bootable\ partition\ found\r >>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR # bootloader, bootmanager ->0x40 string SBML +>0x40 string SBML # label with 11 characters of FAT 12 bit filesystem ->>43 string SMART\ BTMGR +>>43 string SMART\ BTMGR >>>430 string SBMK\ Bad!\r \b, Smart Boot Manager # OEM-ID not always "SBM" -#>>>>3 strings SBM +#>>>>3 strings SBM >>>>6 string >\0 \b, version %s >382 string XOSLLOADXCF \b, eXtended Operating System Loader >6 string LILO \b, LInux i386 boot LOader @@ -492,11 +492,11 @@ # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders ->342 search/60 \0Geom\0 +>342 search/60 \0Geom\0 #>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 ->>0x41 ubyte <2 +>>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader -# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 +# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 >>>>0x3E ubyte x \b, stage1 version 0x%x #If it is 0xFF, use a drive passed by BIOS >>>>0x40 ubyte <0xFF \b, boot drive 0x%x @@ -521,497 +521,497 @@ >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 # unknown version ->>>343 string Geom\0Read\0\ Error\0 +>>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>374 string GRUB\ \0 \b, GRUB version n.m # SYSLINUX bootloader moved >395 string chksum\0\ ERROR!\0 \b, Gujin bootloader # http://www.bcdwb.de/bcdw/index_e.htm ->3 string BCDL +>3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) # mbr partition table entries updated by Joerg Jenderek at Sep 2013 # skip Norton Utilities disc image data ->3 string !IHISK +>3 string !IHISK # skip Linux style boot sector starting with assember instructions mov 0x7c0,ax; ->>0 belong !0xb8c0078e -# not Linux kernel ->>>514 string !HdrS +>>0 belong !0xb8c0078e +# not Linux kernel +>>>514 string !HdrS # not BeOS ->>>>422 string !Be\ Boot\ Loader -# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr ->>>>>0 ubelong&0xFD000000 =0xE9000000 +>>>>422 string !Be\ Boot\ Loader +# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr +>>>>>0 ubelong&0xFD000000 =0xE9000000 # AdvanceMAME mbr ->>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e +>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e >>>>>>>446 use partition-table # mbr, Norton Utilities disc image data, or 2nd,etc. sector of x86 bootloader ->>>>>0 ubelong&0xFD000000 !0xE9000000 +>>>>>0 ubelong&0xFD000000 !0xE9000000 # skip FSInfosector ->>>>>>0 string !RRaA +>>>>>>0 string !RRaA # skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, # http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm ->>>>>>>0 ubequad !0xfa660fb64610668b +>>>>>>>0 ubequad !0xfa660fb64610668b # skip 13rd sector of MS x86 bootloader ->>>>>>>>0 ubequad !0x660fb64610668b4e +>>>>>>>>0 ubequad !0x660fb64610668b4e # skip sector starting with DOS new line ->>>>>>>>>0 string !\r\n +>>>>>>>>>0 string !\r\n # allowed active flag 0,80h-FFh ->>>>>>>>>>446 ubyte 0 +>>>>>>>>>>446 ubyte 0 >>>>>>>>>>>446 use partition-table ->>>>>>>>>>446 ubyte >0x7F +>>>>>>>>>>446 ubyte >0x7F >>>>>>>>>>>446 use partition-table # TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries # mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 ->442 string Non-system\ disk,\ +>442 string Non-system\ disk,\ >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader # updated by Joerg Jenderek at Nov 2012, Sep 2013 # DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes # display 1 space ->>>447 ubyte x \b +>>>447 ubyte x \b >>>477 use DOS-filename # ->185 string FDBOOT\ Version\ ->>204 string \rNo\ Systemdisk.\ ->>>220 string Booting\ from\ harddisk.\n\r ->>>245 string Cannot\ load\ from\ harddisk.\n\r ->>>>273 string Insert\ Systemdisk\ +>185 string FDBOOT\ Version\ +>>204 string \rNo\ Systemdisk.\ +>>>220 string Booting\ from\ harddisk.\n\r +>>>245 string Cannot\ load\ from\ harddisk.\n\r +>>>>273 string Insert\ Systemdisk\ >>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string >\0 \b, version %-3s ->242 string Bootsector\ from\ C.H.\ Hochst\204 +>242 string Bootsector\ from\ C.H.\ Hochst\204 # http://freecode.com/projects/dosfstools dosfstools-n.m/src/mkdosfs.c # updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string # skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut ->242 search/127 Bootsector\ from\ C.H.\ Hochst ->>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk +>242 search/127 Bootsector\ from\ C.H.\ Hochst +>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk # followed by variants with point,CR-NL or NL-CR ->>>208 search/261 Cannot\ load\ from\ harddisk. +>>>208 search/261 Cannot\ load\ from\ harddisk. # followed by variants CR-NL or NL-CR ->>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. +>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. # followed by variants with point,CR-NL or NL-CR >>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader # followed by string like "6.50 (c) 1993-2004 Gilles Vollant" >>>>>>&0 string x \b, version %-4.4s ->(1.b+2) ubyte 0xe ->>(1.b+3) ubyte 0x1f ->>>(1.b+4) ubyte 0xbe +>(1.b+2) ubyte 0xe +>>(1.b+3) ubyte 0x1f +>>>(1.b+4) ubyte 0xbe # message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others ->>>>(1.b+5) ubyte&0xd3 0x53 ->>>>>(1.b+6) ubyte 0x7c +>>>>(1.b+5) ubyte&0xd3 0x53 +>>>>>(1.b+6) ubyte 0x7c # assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah, ->>>>>>(1.b+7) ubyte 0xac ->>>>>>>(1.b+8) ubyte 0x22 ->>>>>>>>(1.b+9) ubyte 0xc0 ->>>>>>>>>(1.b+10) ubyte 0x74 ->>>>>>>>>>(1.b+11) ubyte 0x0b ->>>>>>>>>>>(1.b+12) ubyte 0x56 +>>>>>>(1.b+7) ubyte 0xac +>>>>>>>(1.b+8) ubyte 0x22 +>>>>>>>>(1.b+9) ubyte 0xc0 +>>>>>>>>>(1.b+10) ubyte 0x74 +>>>>>>>>>>(1.b+11) ubyte 0x0b +>>>>>>>>>>>(1.b+12) ubyte 0x56 >>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display # FAT1X version ->>>>>>>>>>>>>(1.b+5) ubyte 0x5b +>>>>>>>>>>>>>(1.b+5) ubyte 0x5b >>>>>>>>>>>>>>0x5b string >\0 "%-s" # FAT32 version ->>>>>>>>>>>>>(1.b+5) ubyte 0x77 +>>>>>>>>>>>>>(1.b+5) ubyte 0x77 >>>>>>>>>>>>>>0x77 string >\0 "%-s" >214 string Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display -#>>244 string from\ dosemu-freedos-*-bin.tgz\r -#>>>170 string Sorry,\ could\ not\ load\ an\ -#>>>>195 string operating\ system.\r\n +#>>244 string from\ dosemu-freedos-*-bin.tgz\r +#>>>170 string Sorry,\ could\ not\ load\ an\ +#>>>>195 string operating\ system.\r\n # ->103 string This\ is\ not\ a\ bootable\ disk.\ ->>132 string Please\ insert\ a\ bootable\ ->>>157 string floppy\ and\r\n +>103 string This\ is\ not\ a\ bootable\ disk.\ +>>132 string Please\ insert\ a\ bootable\ +>>>157 string floppy\ and\r\n >>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display # ->66 string Solaris\ Boot\ Sector ->>99 string Incomplete\ MDBoot\ load. +>66 string Solaris\ Boot\ Sector +>>99 string Incomplete\ MDBoot\ load. >>>89 string Version \b, Sun Solaris Bootloader >>>>97 byte x version %c # ->408 string OS/2\ !!\ SYS01475\r\0 ->>429 string OS/2\ !!\ SYS02025\r\0 ->>>450 string OS/2\ !!\ SYS02027\r\0 +>408 string OS/2\ !!\ SYS01475\r\0 +>>429 string OS/2\ !!\ SYS02025\r\0 +>>>450 string OS/2\ !!\ SYS02027\r\0 >>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader # ->409 string OS/2\ !!\ SYS01475\r\0 ->>430 string OS/2\ !!\ SYS02025\r\0 ->>>451 string OS/2\ !!\ SYS02027\r\0 +>409 string OS/2\ !!\ SYS01475\r\0 +>>430 string OS/2\ !!\ SYS02025\r\0 +>>>451 string OS/2\ !!\ SYS02027\r\0 >>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader ->112 string This\ disk\ is\ not\ bootable\r ->>142 string If\ you\ wish\ to\ make\ it\ bootable ->>>176 string run\ the\ DOS\ program\ SYS\ ->>>200 string after\ the\r ->>>>216 string system\ has\ been\ loaded\r\n ->>>>>242 string Please\ insert\ a\ DOS\ diskette\ ->>>>>271 string into\r\n\ the\ drive\ and\ +>112 string This\ disk\ is\ not\ bootable\r +>>142 string If\ you\ wish\ to\ make\ it\ bootable +>>>176 string run\ the\ DOS\ program\ SYS\ +>>>200 string after\ the\r +>>>>216 string system\ has\ been\ loaded\r\n +>>>>>242 string Please\ insert\ a\ DOS\ diskette\ +>>>>>271 string into\r\n\ the\ drive\ and\ >>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display # XP ->430 string NTLDR\ is\ missing\xFF\r\n ->>449 string Disk\ error\xFF\r\n +>430 string NTLDR\ is\ missing\xFF\r\n +>>449 string Disk\ error\xFF\r\n >>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader # DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # ->430 string NTLDR\ nicht\ gefunden\xFF\r\n ->>453 string Datentr\204gerfehler\xFF\r\n +>430 string NTLDR\ nicht\ gefunden\xFF\r\n +>>453 string Datentr\204gerfehler\xFF\r\n >>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # offset variant ->>>>379 string \0 ->>>>>368 ubyte&0xDF >0 +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s # ->430 string NTLDR\ fehlt\xFF\r\n ->>444 string Datentr\204gerfehler\xFF\r\n +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Datentr\204gerfehler\xFF\r\n >>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # variant ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # ->430 string NTLDR\ fehlt\xFF\r\n ->>444 string Medienfehler\xFF\r\n +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Medienfehler\xFF\r\n >>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # ->430 string Datentr\204ger\ entfernen\xFF\r\n ->>454 string Medienfehler\xFF\r\n +>430 string Datentr\204ger\ entfernen\xFF\r\n +>>454 string Medienfehler\xFF\r\n >>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) ->>>>379 string \0 ->>>>>368 ubyte&0xDF >0 +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # -#>3 string NTFS\ \ \ \ ->389 string Fehler\ beim\ Lesen\ +#>3 string NTFS\ \ \ \ +>389 string Fehler\ beim\ Lesen\ >>407 string des\ Datentr\204gers ->>>426 string NTLDR\ fehlt +>>>426 string NTLDR\ fehlt >>>>440 string NTLDR\ ist\ komprimiert >>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) -#>3 string NTFS\ \ \ \ +#>3 string NTFS\ \ \ \ >313 string A\ disk\ read\ error\ occurred.\r ->>345 string A\ kernel\ file\ is\ missing\ ->>>370 string from\ the\ disk.\r ->>>>484 string NTLDR\ is\ compressed ->>>>>429 string Insert\ a\ system\ diskette\ +>>345 string A\ kernel\ file\ is\ missing\ +>>>370 string from\ the\ disk.\r +>>>>484 string NTLDR\ is\ compressed +>>>>>429 string Insert\ a\ system\ diskette\ >>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS # DOS loader variants different languages,offsets >472 ubyte&0xDF >0 ->>389 string Invalid\ system\ disk\xFF\r\n ->>>411 string Disk\ I/O\ error ->>>>428 string Replace\ the\ disk,\ and\ +>>389 string Invalid\ system\ disk\xFF\r\n +>>>411 string Disk\ I/O\ error +>>>>428 string Replace\ the\ disk,\ and\ >>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader #IO.SYS ->>>>>>472 ubyte&0xDF >0 +>>>>>>472 ubyte&0xDF >0 >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s ->>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>390 string Invalid\ system\ disk\xFF\r\n ->>>412 string Disk\ I/O\ error\xFF\r\n ->>>>429 string Replace\ the\ disk,\ and\ +>>390 string Invalid\ system\ disk\xFF\r\n +>>>412 string Disk\ I/O\ error\xFF\r\n +>>>>429 string Replace\ the\ disk,\ and\ >>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader ->>388 string Ungueltiges\ System\ \xFF\r\n ->>>410 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>427 string Datentraeger\ wechseln\ und\ +>>388 string Ungueltiges\ System\ \xFF\r\n +>>>410 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>427 string Datentraeger\ wechseln\ und\ >>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) #WINBOOT.SYS only not spaces (0xDF) ->>>>>>497 ubyte&0xDF >0 +>>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.5s ->>>>>>>>502 ubyte&0xDF >0 +>>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>503 ubyte&0xDF >0 +>>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>505 ubyte&0xDF >0 +>>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s ->>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>390 string Ungueltiges\ System\ \xFF\r\n ->>>412 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>429 string Datentraeger\ wechseln\ und\ +>>390 string Ungueltiges\ System\ \xFF\r\n +>>>412 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>429 string Datentraeger\ wechseln\ und\ >>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) #WINBOOT.SYS only not spaces (0xDF) ->>>>>>497 ubyte&0xDF >0 +>>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.7s ->>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>504 string x \b%-.1s ->>>>>>505 ubyte&0xDF >0 +>>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.6s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>389 string Ungueltiges\ System\ \xFF\r\n ->>>411 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>428 string Datentraeger\ wechseln\ und\ +>>389 string Ungueltiges\ System\ \xFF\r\n +>>>411 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>428 string Datentraeger\ wechseln\ und\ >>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) # DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes >>>>>>472 string x %-.2s ->>>>>>>474 ubyte&0xDF >0 +>>>>>>>474 ubyte&0xDF >0 >>>>>>>>474 string x \b%-.5s ->>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>479 string x \b%-.1s ->>>>>>480 ubyte&0xDF >0 +>>>>>>480 ubyte&0xDF >0 >>>>>>>480 string x \b.%-.3s >>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>483 string x \b%-.5s ->>>>>>>488 ubyte&0xDF >0 +>>>>>>>488 ubyte&0xDF >0 >>>>>>>>488 string x \b%-.2s ->>>>>>>>490 ubyte&0xDF >0 +>>>>>>>>490 ubyte&0xDF >0 >>>>>>>>>490 string x \b%-.1s ->>>>>>>491 ubyte&0xDF >0 +>>>>>>>491 ubyte&0xDF >0 >>>>>>>>491 string x \b.%-.3s >479 ubyte&0xDF >0 ->>416 string Kein\ System\ oder\ ->>>433 string Laufwerksfehler +>>416 string Kein\ System\ oder\ +>>>433 string Laufwerksfehler >>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) #IO.SYS >>>>>479 string x \b %-.2s ->>>>>>481 ubyte&0xDF >0 +>>>>>>481 ubyte&0xDF >0 >>>>>>>481 string x \b%-.6s ->>>>>487 ubyte&0xDF >0 +>>>>>487 ubyte&0xDF >0 >>>>>>487 string x \b.%-.3s #MSDOS.SYS >>>>>>490 ubyte&0xDF >0 \b+ >>>>>>>490 string x \b%-.5s ->>>>>>>>495 ubyte&0xDF >0 +>>>>>>>>495 ubyte&0xDF >0 >>>>>>>>>495 string x \b%-.3s ->>>>>>>498 ubyte&0xDF >0 +>>>>>>>498 ubyte&0xDF >0 >>>>>>>>498 string x \b.%-.3s # ->376 search/41 Non-System\ disk\ or\ ->>395 search/41 disk\ error\r ->>>407 search/41 Replace\ and\ +>376 search/41 Non-System\ disk\ or\ +>>395 search/41 disk\ error\r +>>>407 search/41 Replace\ and\ >>>>419 search/41 press\ \b, >>>>419 search/41 strike\ \b, old >>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader #449 Disk\ Boot\ failure\r MS 3.21 #466 Boot\ Failure\r MS 3.30 ->>>>>468 search/18 \0 +>>>>>468 search/18 \0 #IO.SYS,IBMBIO.COM >>>>>>&0 string x \b %-.2s ->>>>>>>&-20 ubyte&0xDF >0 +>>>>>>>&-20 ubyte&0xDF >0 >>>>>>>>&-1 string x \b%-.4s ->>>>>>>>>&-16 ubyte&0xDF >0 +>>>>>>>>>&-16 ubyte&0xDF >0 >>>>>>>>>>&-1 string x \b%-.2s >>>>>>&8 ubyte&0xDF >0 \b. >>>>>>>&-1 string x \b%-.3s #MSDOS.SYS,IBMDOS.COM >>>>>>&11 ubyte&0xDF >0 \b+ >>>>>>>&-1 string x \b%-.5s ->>>>>>>>&-6 ubyte&0xDF >0 +>>>>>>>>&-6 ubyte&0xDF >0 >>>>>>>>>&-1 string x \b%-.1s ->>>>>>>>>>&-5 ubyte&0xDF >0 +>>>>>>>>>>&-5 ubyte&0xDF >0 >>>>>>>>>>>&-1 string x \b%-.2s >>>>>>>&7 ubyte&0xDF >0 \b. >>>>>>>>&-1 string x \b%-.3s >441 string Cannot\ load\ from\ harddisk.\n\r ->>469 string Insert\ Systemdisk\ +>>469 string Insert\ Systemdisk\ >>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader -#>43 string \224R-LOADER\ \ SYS =label +#>43 string \224R-LOADER\ \ SYS =label >54 string SYS >>324 string VASKK >>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) # ->98 string Press\ a\ key\ to\ retry\0\r ->>120 string Cannot\ find\ file\ \0\r ->>>139 string Disk\ read\ error\0\r +>98 string Press\ a\ key\ to\ retry\0\r +>>120 string Cannot\ find\ file\ \0\r +>>>139 string Disk\ read\ error\0\r >>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader #DRBIOS.SYS ->>>>>44 ubyte&0xDF >0 +>>>>>44 ubyte&0xDF >0 >>>>>>44 string x \b %-.6s ->>>>>>>50 ubyte&0xDF >0 +>>>>>>>50 ubyte&0xDF >0 >>>>>>>>50 string x \b%-.2s ->>>>>>52 ubyte&0xDF >0 +>>>>>>52 ubyte&0xDF >0 >>>>>>>52 string x \b.%-.3s # ->70 string IBMBIO\ \ COM ->>472 string Cannot\ load\ DOS!\ +>70 string IBMBIO\ \ COM +>>472 string Cannot\ load\ DOS!\ >>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader ->>471 string Cannot\ load\ DOS\ +>>471 string Cannot\ load\ DOS\ >>487 string press\ key\ to\ retry \b, Open-DOS Bootloader #?? ->444 string KERNEL\ \ SYS +>444 string KERNEL\ \ SYS >>314 string BOOT\ error! \b, FREE-DOS Bootloader ->499 string KERNEL\ \ SYS +>499 string KERNEL\ \ SYS >>305 string BOOT\ err!\0 \b, Free-DOS Bootloader ->449 string KERNEL\ \ SYS +>449 string KERNEL\ \ SYS >>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader # ->449 string Loading\ FreeDOS +>449 string Loading\ FreeDOS >>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # >331 string Error!.0 \b, FREE-DOS 1.0 bootloader # ->125 string Loading\ FreeDOS...\r +>125 string Loading\ FreeDOS...\r >>311 string BOOT\ error!\r \b, FREE-DOS bootloader ->>>441 ubyte&0xDF >0 +>>>441 ubyte&0xDF >0 >>>>441 string x \b %-.6s ->>>>>447 ubyte&0xDF >0 +>>>>>447 ubyte&0xDF >0 >>>>>>447 string x \b%-.1s ->>>>>>>448 ubyte&0xDF >0 +>>>>>>>448 ubyte&0xDF >0 >>>>>>>>448 string x \b%-.1s ->>>>449 ubyte&0xDF >0 +>>>>449 ubyte&0xDF >0 >>>>>449 string x \b.%-.3s ->124 string FreeDOS\0 +>124 string FreeDOS\0 >>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader # DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s ->336 string Error!\ +>336 string Error!\ >>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ # OEM-ID=Visopsys ->478 ulelong 0 ->>(1.b+326) string I/O\ Error\ reading\ ->>>(1.b+344) string Visopsys\ loader\r +>478 ulelong 0 +>>(1.b+326) string I/O\ Error\ reading\ +>>>(1.b+344) string Visopsys\ loader\r >>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader # http://alexfru.chat.ru/epm.html#bootprog ->494 ubyte >0x4D ->>495 string >E ->>>495 string 494 ubyte >0x4D +>>495 string >E +>>>495 string >>>3 string BootProg +>>>>3 string BootProg # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader +>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader >>>>>499 use DOS-filename #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. @@ -1025,23 +1025,23 @@ # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO # and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector ->0 string RRaA +>0 string RRaA >>0x1E4 string rrAa \b, FSInfosector #>>0x1FC uleshort =0 SHOULD BE ZERO >>>0x1E8 ulelong <0xffffffff \b, %u free clusters >>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u # updated by Joerg Jenderek at Sep 2007 ->3 ubyte 0 +>3 ubyte 0 #no active flag ->>446 ubyte 0 +>>446 ubyte 0 # partition 1 not empty ->>>450 ubyte >0 +>>>450 ubyte >0 # partitions 3,4 empty ->>>>482 ubyte 0 ->>>>>498 ubyte 0 +>>>>482 ubyte 0 +>>>>>498 ubyte 0 # partition 2 ID=0,5,15 ->>>>>>466 ubyte <0x10 +>>>>>>466 ubyte <0x10 >>>>>>>466 ubyte 0x05 \b, extended partition table >>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) >>>>>>>466 ubyte 0x0 \b, extended partition table (last) @@ -1054,35 +1054,35 @@ # Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension # like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS 0 name DOS-filename -# space=0x20 (00100000b) means empty ->0 ubyte&0xDF >0 +# space=0x20 (00100000b) means empty +>0 ubyte&0xDF >0 >>0 ubyte x \b%c ->>>1 ubyte&0xDF >0 +>>>1 ubyte&0xDF >0 >>>>1 ubyte x \b%c ->>>>>2 ubyte&0xDF >0 +>>>>>2 ubyte&0xDF >0 >>>>>>2 ubyte x \b%c ->>>>>>>3 ubyte&0xDF >0 +>>>>>>>3 ubyte&0xDF >0 >>>>>>>>3 ubyte x \b%c ->>>>>>>>>4 ubyte&0xDF >0 +>>>>>>>>>4 ubyte&0xDF >0 >>>>>>>>>>4 ubyte x \b%c ->>>>>>>>>>>5 ubyte&0xDF >0 +>>>>>>>>>>>5 ubyte&0xDF >0 >>>>>>>>>>>>5 ubyte x \b%c ->>>>>>>>>>>>>6 ubyte&0xDF >0 +>>>>>>>>>>>>>6 ubyte&0xDF >0 >>>>>>>>>>>>>>6 ubyte x \b%c ->>>>>>>>>>>>>>>7 ubyte&0xDF >0 +>>>>>>>>>>>>>>>7 ubyte&0xDF >0 >>>>>>>>>>>>>>>>7 ubyte x \b%c # DOS filename extension >>8 ubyte&0xDF >0 \b. >>>8 ubyte x \b%c ->>>>9 ubyte&0xDF >0 +>>>>9 ubyte&0xDF >0 >>>>>9 ubyte x \b%c ->>>>>>10 ubyte&0xDF >0 +>>>>>>10 ubyte&0xDF >0 >>>>>>>10 ubyte x \b%c # Print 2 following DOS filenames from directory entry form # like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com 0 name 2xDOS-filename # display 1 space ->0 ubyte x \b +>0 ubyte x \b >0 use DOS-filename >11 ubyte x \b+ >11 use DOS-filename @@ -1101,10 +1101,10 @@ # partition type ID > 0 >4 ubyte >0 # active flag 0 ->>0 ubyte 0 +>>0 ubyte 0 >>>0 use partition-entry -# active flag 0x80, 0x81, ... ->>0 ubyte >0x7F +# active flag 0x80, 0x81, ... +>>0 ubyte >0x7F >>>0 use partition-entry # Print entry of partition table 0 name partition-entry @@ -1136,7 +1136,7 @@ # sector >1 ubyte&0x3F x \b,%u -# FATX +# FATX 0 string FATX FATX filesystem data # romfs filesystems - Juan Cespedes @@ -1157,7 +1157,7 @@ # http://syslinux.zytor.com/iso.php # tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05 # assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop -0 ulequad&0x909000007cc0eafa 0x909000007c40eafa +0 ulequad&0x909000007cc0eafa 0x909000007c40eafa >631 search/689 ISOLINUX\ isolinux Loader >>&0 string x (version %-4.4s) # http://syslinux.zytor.com/pxe.php @@ -1174,88 +1174,88 @@ >11 string x (version %-4.4s) # syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" -0 ulelong&0x80909bEB 0x009018EB +0 ulelong&0x80909bEB 0x009018EB # OEM-ID not always "SYSLINUX" ->434 search/47 Boot\ failed -# followed by \r\n\0 or :\ +>434 search/47 Boot\ failed +# followed by \r\n\0 or :\ >>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older) >>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) ->459 search/30 Boot\ error\r\n\0 +>459 search/30 Boot\ error\r\n\0 >>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) # SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: mov di,0600h;mov cx,0100h -16 search/4 \xbf\x00\x06\xb9\x00\x01 +16 search/4 \xbf\x00\x06\xb9\x00\x01 # to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21) !:strength +36 ->94 search/249 Missing\ operating\ system +>94 search/249 Missing\ operating\ system # followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other # skip Ranish MBR ->>408 search/4 HD1/\0 ->>408 default x +>>408 search/4 HD1/\0 +>>408 default x >>>250 search/118 \0Operating\ system\ load SYSLINUX MBR # followed by "ing " or space ->>>>292 search/98 error +>>>>292 search/98 error >>>>>&0 string \r (version 3.35 or older) >>>>>&0 string .\r (version 3.52 or newer) >>>>>&0 default x (version 3.36-3.51 ) >368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR ->>156 search/10 \0Boot\ partition\ not\ found\r\n +>>156 search/10 \0Boot\ partition\ not\ found\r\n >>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older) ->>174 search/10 \0Missing\ OS\r\n +>>174 search/10 \0Missing\ OS\r\n >>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer) # SYSLINUX END # NetBSD mbr variants (master-boot-code version 1.22) added by Joerg Jenderek at Nov 2012 # assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax, -0 ubequad 0x31c08ed0bc007c8e +0 ubequad 0x31c08ed0bc007c8e # mbr_bootsel magic before partition table not reliable with small ipl fragments -#>444 uleshort 0xb5e1 ->0004 uleshort x +#>444 uleshort 0xb5e1 +>0004 uleshort x # ERRorTeXT >>181 search/166 Error\ \0\r\n NetBSD mbr # NT Drive Serial Number http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS >>>0x1B8 ubelong >0 \b,Serial 0x%-.8x # BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx >>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector -# BOOT_EXTENDED definitions contains assembler instructions: +# BOOT_EXTENDED definitions contains assembler instructions: # xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13 >>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended # COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al >>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO # not TERSE_ERROR ->>>196 search/106 No\ active\ partition\0 ->>>>&0 string Disk\ read\ error\0 +>>>196 search/106 No\ active\ partition\0 +>>>>&0 string Disk\ read\ error\0 >>>>>&0 string No\ operating\ system\0 \b,verbose # not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13 >>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS # not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13 >>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check # assembler instructions: movw nametab,bx ->>>0x26 search/21 \xBB\x94\x07 +>>>0x26 search/21 \xBB\x94\x07 # not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf ->>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 ->>>>>181 search/166 Error\ \0 +>>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 +>>>>>181 search/166 Error\ \0 # "a: disk" , "Fn: diskn" or "NetBSD MBR boot" >>>>>>&3 string x \b,"%s" >>>446 use partition-table # Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html # added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 # assembler instructions: jmp short 0x58;nop;ASCII -0 ubequad&0xeb58908000000000 0xeb58900000000000 +0 ubequad&0xeb58908000000000 0xeb58900000000000 # assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss, ->(1.b+2) ubequad 0xfa31c08ed88ec08e +>(1.b+2) ubequad 0xfa31c08ed88ec08e # Error messages at end of code ->>376 string No\ operating\ system\r\n\0 ->>>398 string Disk\ error\r\n\0FDD\0HDD\0 +>>376 string No\ operating\ system\r\n\0 +>>>398 string Disk\ error\r\n\0FDD\0HDD\0 >>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr -# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ +# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ # added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11 # for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI, # or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS, -0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC +0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC # pointer to the data starting with Neil Turton signature string ->(0x1BC.s) string NDTmbr +>(0x1BC.s) string NDTmbr >>&-14 string 1234F\0 Turton mbr ( # parameters also viewed by install-mbr --list >>>(0x1BC.s+7) ubyte x \b%u<= @@ -1269,23 +1269,23 @@ #0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot #>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x # for older versions ->>>(0x1BC.s+9) ubyte <2 +>>>(0x1BC.s+9) ubyte <2 #>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x ->>>>(0x1BC.s+13) ubyte >1 +>>>>(0x1BC.s+13) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x # not 1st hard disc >>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x # for version >= 2 maximal timeout can be 65534 ->>>(0x1BC.s+9) ubyte >1 +>>>(0x1BC.s+9) ubyte >1 #>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds >>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x ->>>>(0x1BC.s+14) ubyte >1 +>>>>(0x1BC.s+14) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x # not 1st hard disc @@ -1297,14 +1297,14 @@ # grub-1.94/kern/i386/pc/startup.S # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders -0x200 uleshort 0x70EA +0x200 uleshort 0x70EA # found only version 3.{1,2} ->0x206 ubeshort >0x0300 +>0x206 ubeshort >0x0300 # GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00" ->>0x212 ubyte >0x29 ->>>0x213 ubyte >0x29 +>>0x212 ubyte >0x29 +>>>0x213 ubyte >0x29 # not iso9660_stage1_5 -#>>>0 ulelong&0x00BE5652 0x00BE5652 +#>>>0 ulelong&0x00BE5652 0x00BE5652 >>>>0x213 ubyte >0x29 GRand Unified Bootloader # config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2" >>>>0x217 ubyte 0xFF stage1_5 @@ -1316,7 +1316,7 @@ #>>>>0x208 ulelong =0xffffff \b, %lu (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial ->>>>0x20C ulelong&0x2E300000 0x2E300000 +>>>>0x20C ulelong&0x2E300000 0x2E300000 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs >>>>>0x20C ubyte x \b, identifier 0x%x #>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default) @@ -1324,17 +1324,17 @@ # GRUB version as string >>>>>0x20E string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default ->>>>>>0x215 ulong 0xffffffff +>>>>>>0x215 ulong 0xffffffff >>>>>>>0x219 string >\0 \b, configuration file %-s ->>>>>>0x215 ulong !0xffffffff +>>>>>>0x215 ulong !0xffffffff >>>>>>>0x215 string >\0 \b, configuration file %-s # newer GRUB versions ->>>>0x20C ulelong&0x2E300000 !0x2E300000 +>>>>0x20C ulelong&0x2E300000 !0x2E300000 ##>>>>>0x20C ulelong =0 \b, saved entry %d (usual) >>>>>0x20C ulelong >0 \b, saved entry %d # for 1.94 contains kernel image size # for 0.93,0.94,0.96,0.97 -# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 +# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 >>>>>0x210 ubyte x \b, identifier 0x%x # The flag for LBA forcing is in most cases 0 #>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default) @@ -1342,9 +1342,9 @@ # GRUB version as string >>>>>0x212 string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default ->>>>>0x217 ulong 0xffffffff +>>>>>0x217 ulong 0xffffffff >>>>>>0x21b string >\0 \b, configuration file %-s ->>>>>0x217 ulong !0xffffffff +>>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s # DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 @@ -1360,13 +1360,13 @@ # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 ->11 uleshort&0x001f 0 ->>11 uleshort <32769 ->>>11 uleshort >31 ->>>>21 ubyte&0xf0 0xF0 +>11 uleshort&0x001f 0 +>>11 uleshort <32769 +>>>11 uleshort >31 +>>>>21 ubyte&0xf0 0xF0 >>>>>0 ubyte 0xEB DOS/MBR boot sector >>>>>>1 ubyte x \b, code offset 0x%x+2 ->>>>>0 ubyte 0xE9 +>>>>>0 ubyte 0xE9 >>>>>>1 uleshort x \b, code offset 0x%x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC @@ -1377,10 +1377,10 @@ >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) # for lazy FAT32 implementation like Transcend digital photo frame PF830 ->>>>>82 string/c fat32 +>>>>>82 string/c fat32 >>>>>>14 uleshort !32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) ->>>>>82 string/c !fat32 +>>>>>82 string/c !fat32 >>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) #>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) @@ -1390,7 +1390,7 @@ >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u #>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) ->>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) +>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) @@ -1402,20 +1402,20 @@ #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u # valid only for sector sizes with more then 32 Bytes ->>>>>11 uleshort >32 +>>>>>11 uleshort >32 # http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block # skip for values 2,2Ah,70h,73h,DFh # and continue for extended boot signature values 0,28h,29h,80h ->>>>>>38 ubyte&0x56 =0 +>>>>>>38 ubyte&0x56 =0 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) ->>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) +>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) -# FAT<32 bit specific ->>>>>>>82 string/c !fat32 +# FAT<32 bit specific +>>>>>>>82 string/c !fat32 #>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>>>36 ubyte !0x80 +>>>>>>>>36 ubyte !0x80 >>>>>>>>>36 ubyte !0 \b, physical drive 0x%x # VGA-copy CRC or # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too @@ -1435,27 +1435,27 @@ # if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, # otherwise FAT is 16 bit. # http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html ->>>>>82 string/c !fat32 +>>>>>82 string/c !fat32 >>>>>>54 string FAT12 \b, FAT (12 bit) >>>>>>54 string FAT16 \b, FAT (16 bit) ->>>>>>54 default x +>>>>>>54 default x # determinate FAT bit size by media descriptor # small floppies implies FAT12 >>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) # with media descriptor F0h floppy or maybe superfloppy with FAT16 ->>>>>>>21 ubyte =0xF0 +>>>>>>>21 ubyte =0xF0 # superfloppy (many sectors) implies FAT16 >>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) # no superfloppy with media descriptor F0h implies FAT12 >>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) # with media descriptor F8h floppy or hard disc with FAT12 or FAT16 ->>>>>>>21 ubyte =0xF8 +>>>>>>>21 ubyte =0xF8 # 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) # hard disc with FAT12 or FAT16 >>>>>>>>19 default x \b, FAT (1Y bit by descriptor) # with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc ->>>>>>>21 ubyte =0xFA +>>>>>>>21 ubyte =0xFA # 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) # RAM disc with FAT12 or FAT16 or Tandy hard disc @@ -1479,17 +1479,17 @@ # 0 or 0xFFFF instead of usual 6 means no backup sector >>>>>>50 uleshort =0xFFFF \b, no Backup boot sector >>>>>>50 uleshort =0 \b, no Backup boot sector -#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) ->>>>>>50 default x +#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) +>>>>>>50 default x >>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO >>>>>>52 ulelong >0 \b, reserved1 0x%x >>>>>>56 ulelong >0 \b, reserved2 0x%x >>>>>>60 ulelong >0 \b, reserved3 0x%x -# same structure as FAT1X +# same structure as FAT1X #>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) #>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>64 ubyte !0x80 +>>>>>>64 ubyte !0x80 >>>>>>>64 ubyte >0 \b, physical drive 0x%x # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>65 ubyte >0 \b, reserved 0x%x @@ -1500,10 +1500,10 @@ >>>>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>>71 string =NO\ NAME \b, unlabeled # additional tests for floppy image added by Joerg Jenderek -# no fixed disk ->>>>>21 ubyte !0xF8 +# no fixed disk +>>>>>21 ubyte !0xF8 # floppy media with 12 bit FAT ->>>>>>54 string !FAT16 +>>>>>>54 string !FAT16 # test for FAT after bootsector >>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT # floppy image @@ -1511,11 +1511,11 @@ # NTFS specific added by Joerg Jenderek at Mar 2011 according to http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm # and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html # 0 FATs ->>>>>16 ubyte =0 +>>>>>16 ubyte =0 # 0 root entries ->>>>>>17 uleshort =0 +>>>>>>17 uleshort =0 # 0 DOS sectors ->>>>>>>19 uleshort =0 +>>>>>>>19 uleshort =0 # 0 sectors/FAT # dos < 4.0 BootSector value found is 0x80 #38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x) @@ -1526,30 +1526,30 @@ >>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld >>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld # Values 0 to 127 represent MFT record sizes of 0 to 127 clusters. -# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. ->>>>>>>>>64 lelong <256 +# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. +>>>>>>>>>64 lelong <256 >>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d >>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) # Values 0 to 127 represent index block sizes of 0 to 127 clusters. # Values 128 to 255 represent index block sizes of 2^(256-N) byte ->>>>>>>>>68 ulelong <256 +>>>>>>>>>68 ulelong <256 >>>>>>>>>>68 ulelong <128 \b, clusters/index block %d #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) >>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx >>>>>>>>>80 ulelong >0 \b, checksum 0x%x #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) ->>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 ->>>>>>>>>>&-92 indirect x \b; contains +>>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 +>>>>>>>>>>&-92 indirect x \b; contains # For 2nd NTFS sector added by Joerg Jenderek at Jan 2013 # http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm # unused assembler instructions JMP y2;NOP;NOP -0x056 ulelong&0xFFFF0FFF 0x909002EB +0x056 ulelong&0xFFFF0FFF 0x909002EB # unicode loadername terminated by CTRL-D ->(0.s*2) ulelong&0xFFFFFF00 0x00040000 +>(0.s*2) ulelong&0xFFFFFF00 0x00040000 # loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR >>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s ->>0x12 string $ +>>0x12 string $ >>>0x0c lestring16 x \b%-2.2s ### DOS,NTFS boot sectors end @@ -1828,7 +1828,7 @@ # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density -# F8 ----- Fixed disk +# F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # @@ -1856,7 +1856,7 @@ # all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 # http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions # Too Weak. -#512 ubelong&0xE0ffff00 0xE0ffff00 +#512 ubelong&0xE0ffff00 0xE0ffff00 # without valid Media descriptor in place of BPB, cases with are done at other places #>21 ubyte <0xE5 floppy with old FAT filesystem # but valid Media descriptor at begin of FAT @@ -1868,61 +1868,61 @@ #>>512 ubyte =0xfb 640k #>>512 ubyte =0xfc 180k # look like an an old DOS directory entry -#>>>0xA0E ubequad 0 -#>>>>0xA00 ubequad !0 +#>>>0xA0E ubequad 0 +#>>>>0xA00 ubequad !0 #!:mime application/x-ima -#>>512 ubyte =0xfd +#>>512 ubyte =0xfd # look for 2nd FAT at different location to distinguish between 360k and 500k #>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k #>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k -#>>>0xA0E ubequad 0 +#>>>0xA0E ubequad 0 #!:mime application/x-ima -#>>512 ubyte =0xfe +#>>512 ubyte =0xfe #>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k -#>>>>0x60E ubequad 0 -#>>>>>0x600 ubequad !0 +#>>>>0x60E ubequad 0 +#>>>>>0x600 ubequad !0 #!:mime application/x-ima #>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k #>>512 ubyte =0xff 320k -#>>>0x60E ubequad 0 -#>>>>0x600 ubequad !0 +#>>>0x60E ubequad 0 +#>>>>0x600 ubequad !0 #!:mime application/x-ima #>>512 ubyte x \b, Media descriptor 0x%x # without x86 jump instruction -#>>0 ulelong&0x804000E9 !0x000000E9 -# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV +#>>0 ulelong&0x804000E9 !0x000000E9 +# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV #>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader # IOSYS.COM+MSDOS.COM #>>>>0xc4 use 2xDOS-filename -#>>0 ulelong&0x804000E9 =0x000000E9 +#>>0 ulelong&0x804000E9 =0x000000E9 # only x86 short jump instruction found #>>>0 ubyte =0xEB #>>>>1 ubyte x \b, code offset 0x%x+2 # http://thestarman.pcministry.com/DOS/ibm100/Boot.htm -# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 -#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 +#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader # ibmbio.com+ibmdos.com #>>>>>0x176 use DOS-filename #>>>>>0x181 ubyte x \b+ #>>>>>0x182 use DOS-filename # http://thestarman.pcministry.com/DOS/ibm110/Boot.htm -# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV -#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV +#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader # ibmbio.com+ibmdos.com #>>>>>0x18b use DOS-filename #>>>>>0x196 ubyte x \b+ #>>>>>0x197 use DOS-filename # http://en.wikipedia.org/wiki/Zenith_Data_Systems -# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 +# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 #>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x20 use 2xDOS-filename # http://en.wikipedia.org/wiki/Corona_Data_Systems -# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; +# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; #>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x69 use 2xDOS-filename -# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; +# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; #>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader # defect IO.SYS+MSDOS.SYS ? #>>>>>0x162 use 2xDOS-filename @@ -2143,7 +2143,7 @@ >>8 ledate x created: %s # AFS Dump Magic -# From: Ty Sarna +# From: Ty Sarna 0 string \x01\xb3\xa1\x13\x22 AFS Dump >&0 belong x (v%d) >>&0 byte 0x76 @@ -2258,7 +2258,7 @@ # From: "Nelson A. de Oliveira" 0 string *dvdisaster* dvdisaster error correction file -# xfs metadump image +# xfs metadump image # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM @@ -2330,8 +2330,8 @@ 0 string td\000 floppy image data (TeleDisk, compressed) 0 string TD\000 floppy image data (TeleDisk) -0 string CQ\024 floppy image data (CopyQM, ->16 leshort x %d sectors, +0 string CQ\024 floppy image data (CopyQM, +>16 leshort x %d sectors, >18 leshort x %d heads.) 0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) diff --git a/magic/Magdir/fonts b/magic/Magdir/fonts index e53dacee..aab74121 100644 --- a/magic/Magdir/fonts +++ b/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.34 2016/12/01 15:30:33 christos Exp $ +# $File: fonts,v 1.35 2017/03/17 21:35:28 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -19,17 +19,17 @@ # URL: https://en.wikipedia.org/wiki/PostScript_fonts # Reference: http://partners.adobe.com/public/developer/en/font/5178.PFM.pdf # Modified by: Joerg Jenderek -# Note: moved from ./msdos magic -# dfVersion 256=0100h -0 uleshort 0x0100 +# Note: moved from ./msdos magic +# dfVersion 256=0100h +0 uleshort 0x0100 # GRR: line above is too general as it catches also TrueType font, # raw G3 data FAX, WhatsApp encrypted and Panorama database # dfType 129=0081h ->66 uleshort 0x0081 +>66 uleshort 0x0081 # dfVertRes 300=012Ch not needed as additional test -#>>70 uleshort 0x012c +#>>70 uleshort 0x012c # dfHorizRes 300=012Ch -#>>>72 uleshort 0x012c +#>>>72 uleshort 0x012c # dfDriverInfo points to postscript information section >>(101.l) string/c Postscript Printer Font Metrics # above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID @@ -40,13 +40,13 @@ # dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking #>>>6 string >\060 - %-.60s # dfDriverInfo ->>>139 ulelong >0 +>>>139 ulelong >0 # often abbreviated and same as filename >>>>(139.l) string x %s # dfSize >>>2 ulelong x \b, %d bytes # dfFace 210=D2h 9Eh ->>>105 ulelong >0 +>>>105 ulelong >0 # Windows font name >>>>(105.l) string x \b, %s # dfItalic @@ -72,7 +72,7 @@ #>104 belong 00000004 X11 SNF font data, MSB first !:mime application/x-font-sfn # GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX -0 lelong 00000004 +0 lelong 00000004 >104 lelong 00000004 X11 SNF font data, LSB first !:mime application/x-font-sfn @@ -82,19 +82,19 @@ # From: Joerg Jenderek # URL: http://grub.gibibit.com/New_font_format # Reference: util/grub-mkfont.c -# include/grub/fontformat.h +# include/grub/fontformat.h # FONT_FORMAT_SECTION_NAMES_FILE -0 string FILE +0 string FILE # FONT_FORMAT_PFF2_MAGIC ->8 string PFF2 +>8 string PFF2 # leng 4 only at the moment ->>4 ubelong 4 +>>4 ubelong 4 # FONT_FORMAT_SECTION_NAMES_FONT_NAME >>>12 string NAME GRUB2 font !:mime application/x-font-pf2 !:ext pf2 # length of font_name ->>>>16 ubelong >0 +>>>>16 ubelong >0 # font_name >>>>>20 string >\0 "%-s" @@ -156,8 +156,8 @@ 0 string OTTO OpenType font data !:mime application/vnd.ms-opentype -# Gurkan Sengun , www.linuks.mine.nu -0 string SplineFontDB: Spline Font Database +# Gurkan Sengun , www.linuks.mine.nu +0 string SplineFontDB: Spline Font Database !:mime application/vnd.font-fontforge-sfd >14 string x version %s diff --git a/magic/Magdir/fsav b/magic/Magdir/fsav index ecdc4f65..5714798e 100644 --- a/magic/Magdir/fsav +++ b/magic/Magdir/fsav @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ +# $File: fsav,v 1.14 2017/03/17 21:35:28 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) @@ -29,11 +29,11 @@ #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip -#0 ubyte 0x62 -#>1 ubyte 0xF5 -#>>2 ubyte 0x1 -#>>>3 ubyte 0x1 -#>>>>4 ubyte 0x0e +#0 ubyte 0x62 +#>1 ubyte 0xF5 +#>>2 ubyte 0x1 +#>>>3 ubyte 0x1 +#>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x @@ -44,16 +44,16 @@ # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files -0 string ClamAV-VDB: +0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s ->>34 string : ->>>35 string !: \b, version +>>34 string : +>>>35 string !: \b, version >>>>35 string x \b%-.1s ->>>>>36 string !: +>>>>>36 string !: >>>>>>36 string x \b%-.1s ->>>>>>>37 string !: +>>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s ->>>>>>>>>38 string !: +>>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred diff --git a/magic/Magdir/games b/magic/Magdir/games index 779bc6cf..9f72661d 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.14 2014/04/30 21:41:02 christos Exp $ +# $File: games,v 1.15 2017/03/17 21:35:28 christos Exp $ # games: file(1) for games # Fabio Bonelli @@ -39,7 +39,7 @@ #0 string -1\x0a Quake I demo #>30 string x version %.4s -#>61 string x level %s +#>61 string x level %s #0 string 5\x0a Quake I save @@ -240,7 +240,7 @@ # Summary: NetImmerse game engine file # Extension .nif # Created by: Abel Cheung -0 string NetImmerse\ File\ Format,\ Versio +0 string NetImmerse\ File\ Format,\ Versio >&0 string n\ NetImmerse game engine file >>&0 regex [0-9a-z.]+ \b, version %s diff --git a/magic/Magdir/geo b/magic/Magdir/geo index 9a765fed..f93abd80 100644 --- a/magic/Magdir/geo +++ b/magic/Magdir/geo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.3 2013/01/04 00:47:02 christos Exp $ +# $File: geo,v 1.4 2017/03/17 21:35:28 christos Exp $ # Geo- files from Kurt Schwehr ###################################################################### @@ -57,7 +57,7 @@ 4 beshort 0x2002 GeoSwath RDF 0 string Start:- GeoSwatch auf text file -# Seabeam 2100 +# Seabeam 2100 # mbsystem code mb41 0 string SB2100 SeaBeam 2100 multibeam sonar 0 string SB2100DR SeaBeam 2100 DR multibeam sonar diff --git a/magic/Magdir/gnu b/magic/Magdir/gnu index 24609c16..8d5c9721 100644 --- a/magic/Magdir/gnu +++ b/magic/Magdir/gnu @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnu,v 1.17 2016/07/16 22:17:04 christos Exp $ +# $File: gnu,v 1.18 2017/03/17 21:35:28 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format @@ -71,7 +71,7 @@ # they will ordinarily reported as "compressed", but at least -z helps 39 string = +# From: James Youngman # gnu find magic 0 string \0LOCATE GNU findutils locate database data >7 string >\0 \b, format %s diff --git a/magic/Magdir/gpt b/magic/Magdir/gpt index c48a58f7..76a223c3 100644 --- a/magic/Magdir/gpt +++ b/magic/Magdir/gpt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gpt,v 1.3 2014/04/30 21:41:02 christos Exp $ +# $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) @@ -36,7 +36,7 @@ >>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(454.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -66,7 +66,7 @@ >>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(470.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -96,7 +96,7 @@ >>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(486.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -126,7 +126,7 @@ >>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(502.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -166,7 +166,7 @@ ##>(8.l*8192) string EFI\ PART ##>>(8.l*8192) use gpt-mbr-type ##>>&-8 use gpt-table -##>>0 ubyte x of 8192 bytes +##>>0 ubyte x of 8192 bytes ##>(8.l*8192) string !EFI\ PART ##>>(8.l*4096) string EFI\ PART GPT partition table ##>>>0 use gpt-mbr-type @@ -212,7 +212,7 @@ >>486 ulelong !1 \b (nonstandard: not at LBA 1) # GPT with protective MBR entry in partition 4 >498 ubyte 0xee ->>502 ulelong 1 +>>502 ulelong 1 >>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>502 ulelong !1 \b (nonstandard: not at LBA 1) diff --git a/magic/Magdir/gringotts b/magic/Magdir/gringotts index 2bfef1b7..b6747540 100644 --- a/magic/Magdir/gringotts +++ b/magic/Magdir/gringotts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File: gringotts,v 1.6 2017/03/17 21:35:28 christos Exp $ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo @@ -9,10 +9,10 @@ #file format 1 >3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 #file format 2 ->3 string 2 v.2, MCRYPT S2K, +>3 string 2 v.2, MCRYPT S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, ->>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, @@ -27,10 +27,10 @@ >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format 3 ->3 string 3 v.3, OpenPGP S2K, +>3 string 3 v.3, OpenPGP S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, ->>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, diff --git a/magic/Magdir/hitachi-sh b/magic/Magdir/hitachi-sh index 1b615ae9..0238ed7e 100644 --- a/magic/Magdir/hitachi-sh +++ b/magic/Magdir/hitachi-sh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hitachi-sh,v 1.7 2015/09/30 20:32:35 christos Exp $ +# $File: hitachi-sh,v 1.8 2017/03/17 21:35:28 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF @@ -9,20 +9,20 @@ # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html -# below test line conflicts with 2nd NTFS filesystem sector +# below test line conflicts with 2nd NTFS filesystem sector # 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR # and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/) -0 beshort 0x0500 +0 beshort 0x0500 # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 ubeshort&0x8E80 0 +>18 ubeshort&0x8E80 0 # use big endian variant of subroutine to display name+variables+flags -# for common object formated files +# for common object formated files >>0 use \^display-coff -0 leshort 0x0550 +0 leshort 0x0550 # test for unused flag bits in f_flags ->18 uleshort&0x8E80 0 -# use little endian variant of subroutine to -# display name+variables+flags for common object formated files +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formated files >>0 use display-coff diff --git a/magic/Magdir/ibm370 b/magic/Magdir/ibm370 index 7887dc3c..a49b28f5 100644 --- a/magic/Magdir/ibm370 +++ b/magic/Magdir/ibm370 @@ -1,28 +1,28 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # -# 0 short 0535 370 sysV executable +# 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format -# 0 short 0530 370 sysV pure executable +# 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # -0 beshort 0537 370 XA sysV executable +0 beshort 0537 370 XA sysV executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format -0 beshort 0532 370 XA sysV pure executable +0 beshort 0532 370 XA sysV pure executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format diff --git a/magic/Magdir/ibm6000 b/magic/Magdir/ibm6000 index 7f45072a..8b48f370 100644 --- a/magic/Magdir/ibm6000 +++ b/magic/Magdir/ibm6000 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.12 2013/09/16 15:12:42 christos Exp $ +# $File: ibm6000,v 1.13 2017/03/17 21:35:28 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -21,7 +21,7 @@ 0 beshort 0x01f7 64-bit XCOFF executable or object module >20 belong 0 not stripped # GRR: this test is still too general as it catches also many FATs of DOS filesystems -4 belong &0x0feeddb0 +4 belong &0x0feeddb0 # real core dump could not be 32-bit and 64-bit together >7 byte&0x03 !3 AIX core file >>1 byte &0x01 fulldump diff --git a/magic/Magdir/icc b/magic/Magdir/icc index f8a45e13..19741db9 100644 --- a/magic/Magdir/icc +++ b/magic/Magdir/icc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: icc,v 1.2 2016/12/02 19:32:15 christos Exp $ +# $File: icc,v 1.3 2017/03/17 21:35:28 christos Exp $ # icc: file(1) magic for International Color Consortium file formats # @@ -21,9 +21,9 @@ # # check and display ICC/ICM color profile 0 name color-profile ->36 string acsp +>36 string acsp # skip ASCII like Cognacspirit.txt by month <= 12 ->>26 ubeshort <13 +>>26 ubeshort <13 # platform/operating system. Only 5 mentioned # @@ -53,7 +53,7 @@ #>>>40 string x (%.4s) !:mime application/vnd.iccprofile # for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found ->>>8 ubyte =2 +>>>8 ubyte =2 # do not use empty message text to a avoid error like # icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type # file.exe: could not find any valid magic files! @@ -89,9 +89,9 @@ # eleven device classes >>>12 string x \b-%.4s device # skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm ->>>52 string >\ +>>>52 string >\ # skip "none" model like in "Trinitron Compatible 9300K G2.2.icm" ->>>>52 ubelong !0x6e6f6e65 +>>>>52 ubelong !0x6e6f6e65 # device manufacturer field like "HP " "IBM " EPSO >>>>>48 string x \b, %.2s >>>>>50 string >\ \b%.1s @@ -107,7 +107,7 @@ # profile size >>>0 ubelong x \b, %u bytes # skip invalid date 0 like in linearSRGB.icc ->>>24 ubequad !0 +>>>24 ubequad !0 # datetime dd-mm-yyyy hh:mm:ss >>>>28 ubeshort x \b, %u # month <= 12 @@ -181,10 +181,10 @@ # tag table # 6 <= tags count <= 43 #>>>128 ubelong >43 \b, %u tags ->>>128 ubelong x +>>>128 ubelong x # shall contain the profileDescriptionTag "desc" , copyrightTag "cprt" # search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508 ->>>>132 search/508 cprt +>>>>132 search/508 cprt # but no copyright tag in linearSRGB.icc # beneath /System/Library/Frameworks/WebKit.framework/ # Versions/A/Frameworks/WebCore.framework/Versions/A/Resources @@ -195,20 +195,20 @@ #>>>140 ubelong x 0x%x len # 2nd tag,... # look also for profileDescriptionTag "desc" ->>>132 search/508 desc +>>>132 search/508 desc # look further for TextDescriptionType "desc" signature ->>>>(&0.L) string =desc +>>>>(&0.L) string =desc >>>>>&4 pstring/l x "%s" # look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc ->>>>(&0.L) string =mluc ->>>>>&(&8.L) ubequad x +>>>>(&0.L) string =mluc +>>>>>&(&8.L) ubequad x >>>>>>&4 bestring16 x '%s' # Any other profile. # XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles, # and use "acsp" for everything else and dump the "primary platform" # string in those cases? -36 string acsp +36 string acsp >0 use color-profile diff --git a/magic/Magdir/images b/magic/Magdir/images index f9622e2d..f739e633 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.121 2016/12/01 16:20:13 christos Exp $ +# $File: images,v 1.122 2017/03/17 21:35:28 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -26,19 +26,19 @@ # test of Color Map Type 0~no 1~color map # and Image Type 1 2 3 9 10 11 32 33 # and Color Map Entry Size 0 15 16 24 32 -0 ubequad&0x00FeC400000000C0 0 +0 ubequad&0x00FeC400000000C0 0 # skip more garbage by looking for positive image type ->2 ubyte >0 +>2 ubyte >0 # skip some compiled terminfo by looking for image type less equal 33 ->>2 ubyte <34 +>>2 ubyte <34 # skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel sizes 15 16 24 32 ->>>16 ubyte <33 +>>>16 ubyte <33 # skip more by looking for pixel size 0Fh 10h 18h 20h ->>>>16 ubyte&0xC0 0x00 +>>>>16 ubyte&0xC0 0x00 # skip 260-16.ico by looking for no color map ->>>>>1 ubyte 0 +>>>>>1 ubyte 0 # implies no first map entry ->>>>>>3 uleshort 0 +>>>>>>3 uleshort 0 >>>>>>>0 use tga-image # Color Map >>>>>1 belong&0xfff7ffff 0x01010000 @@ -82,7 +82,7 @@ >14 uleshort =0 65536 # Image Pixel Size 15 16 24 32 >16 ubyte x x %d -# X origin of image. 0 normal +# X origin of image. 0 normal >8 uleshort >0 +%d # Y origin of image. 0 normal; positive for top >10 uleshort >0 +%d @@ -94,27 +94,27 @@ >17 ubyte &0x10 - right #>17 ubyte ^0x10 - left # some info say other bits 6-7 should be zero -# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm +# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm # 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved #>17 ubyte&0xC0 0x00 - no interleave >17 ubyte&0xC0 0x40 - interleave >17 ubyte&0xC0 0x80 - four way interleave >17 ubyte&0xC0 0xC0 - reserved -# positive length implies identification field ->0 ubyte >0 +# positive length implies identification field +>0 ubyte >0 >>18 string x "%s" # last 18 bytes of newer tga file footer signature ->18 search/4261301/s TRUEVISION-XFILE.\0 +>18 search/4261301/s TRUEVISION-XFILE.\0 # extension area offset if not 0 ->>&-8 ulelong >0 +>>&-8 ulelong >0 # length of the extension area. normal 495 for version 2.0 ->>>(&-4.l) uleshort 0x01EF +>>>(&-4.l) uleshort 0x01EF # AuthorName[41] >>>>&0 string >\0 - author "%-.40s" # Comment[324]=4 * 80 null terminated >>>>&41 string >\0 - comment "%-.80s" # date ->>>>&365 ubequad&0xffffFFFFffff0000 !0 +>>>>&365 ubequad&0xffffFFFFffff0000 !0 # Day >>>>>&-6 uleshort x %d # Month @@ -122,7 +122,7 @@ # Year >>>>>&-4 uleshort x \b-%d # time ->>>>&371 ubequad&0xffffFFFFffff0000 !0 +>>>>&371 ubequad&0xffffFFFFffff0000 !0 # hour >>>>>&-8 uleshort x %d # minutes @@ -132,14 +132,14 @@ # JobName[41] >>>>&377 string >\0 - job "%-.40s" # JobHour Jobminute Jobsecond ->>>>&418 ubequad&0xffffFFFFffff0000 !0 +>>>>&418 ubequad&0xffffFFFFffff0000 !0 >>>>>&-8 uleshort x %d >>>>>&-6 uleshort x \b:%.2d >>>>>&-4 uleshort x \b:%.2d # SoftwareId[41] >>>>&424 string >\0 - %-.40s # SoftwareVersionNumber ->>>>&424 ubyte >0 +>>>>&424 ubyte >0 >>>>>&40 uleshort/100 x %d >>>>>&40 uleshort%100 x \b.%d # VersionLetter @@ -147,16 +147,16 @@ # KeyColor >>>>&468 ulelong >0 - keycolor 0x%8.8x # Denominator of Pixel ratio. 0~no pixel aspect ->>>>&474 uleshort >0 +>>>>&474 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - aspect %d >>>>>&-2 uleshort x \b/%d # Denominator of Gamma ratio. 0~no Gamma value ->>>>&478 uleshort >0 +>>>>&478 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - gamma %d >>>>>&-2 uleshort x \b/%d -# ColorOffset +# ColorOffset #>>>>&480 ulelong x - col offset 0x%8.8x # StampOffset #>>>>&484 ulelong x - stamp offset 0x%8.8x @@ -174,14 +174,14 @@ >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s -0 search/1 P1 +0 search/1 P1 >0 regex/4 P1\\s >>0 use netpbm >>>0 string x \b, bitmap !:strength + 45 !:mime image/x-portable-bitmap -0 search/1 P2 +0 search/1 P2 >0 regex/4 P2\\s >>0 use netpbm >>>0 string x \b, greymap @@ -195,21 +195,21 @@ !:strength + 45 !:mime image/x-portable-pixmap -0 string P4 +0 string P4 >0 regex/4 P4\\s >>0 use netpbm >>>0 string x \b, rawbits, bitmap !:strength + 45 !:mime image/x-portable-bitmap -0 string P5 +0 string P5 >0 regex/4 P5\\s >>0 use netpbm >>>0 string x \b, rawbits, greymap !:strength + 45 !:mime image/x-portable-greymap -0 string P6 +0 string P6 >0 regex/4 P6\\s >>0 use netpbm >>>0 string x \b, rawbits, pixmap @@ -307,7 +307,7 @@ >>>8 leshort 0x8765 \bJBIG >>>8 leshort 0x8798 \bJPEG2000 >>>8 leshort 0x8799 \bNikon NEF Compressed ->>>8 default x +>>>8 default x >>>>8 leshort x \b(unknown 0x%x) >>>12 use tiff_entry >0 leshort 0x106 \b, PhotometricIntepretation= @@ -443,13 +443,13 @@ !:mime image/x-unknown # # GRR 950115: this is Jeremy Wohl's Free Graphics Format (better): -# +# 0 string FGF95a FGF image (GIF+deflate beta) !:mime image/x-unknown # # GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal # (best; not yet implemented): -# +# 0 string PBF PBF image (deflate compression) !:mime image/x-unknown @@ -533,19 +533,19 @@ # http://www.blackfiveservices.co.uk/awbmtools.shtml # http://biosgfx.narod.ru/v3/ # http://biosgfx.narod.ru/abr-2/ -0 string AWBM +0 string AWBM >4 leshort <1981 Award BIOS bitmap !:mime image/x-award-bmp # image width is a multiple of 4 ->>4 leshort&0x0003 0 +>>4 leshort&0x0003 0 >>>4 leshort x \b, %d >>>6 leshort x x %d >>4 leshort&0x0003 >0 \b, ->>>4 leshort&0x0003 =1 +>>>4 leshort&0x0003 =1 >>>>4 leshort x %d+3 ->>>4 leshort&0x0003 =2 +>>>4 leshort&0x0003 =2 >>>>4 leshort x %d+2 ->>>4 leshort&0x0003 =3 +>>>4 leshort&0x0003 =3 >>>>4 leshort x %d+1 >>>6 leshort x x %d # at offset 8 starts imagedata followed by "RGB " marker @@ -769,11 +769,11 @@ # http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt # GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 # test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT -0 ubelong&0xffF8fe00 0x0a000000 -# for PCX bit depth > 0 ->3 ubyte >0 +0 ubelong&0xffF8fe00 0x0a000000 +# for PCX bit depth > 0 +>3 ubyte >0 # test for valid versions ->>1 ubyte <6 +>>1 ubyte <6 >>>1 ubyte !1 PCX !:mime image/x-pcx #!:mime image/pcx @@ -833,29 +833,29 @@ # Update: Joerg Jenderek # See http://fileformats.archiveteam.org/wiki/GEM_Raster # For variations, also see: -# http://www.seasip.info/Gem/ff_img.html (Ventura) +# http://www.seasip.info/Gem/ff_img.html (Ventura) # http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) # http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) # http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) 0 beshort 0x0001 # header_size ->2 beshort 0x0008 +>2 beshort 0x0008 >>0 use gem_info ->2 beshort 0x0009 +>2 beshort 0x0009 >>0 use gem_info # no example for NOSIG ->2 beshort 24 +>2 beshort 24 >>0 use gem_info # no example for HYPERPAINT ->2 beshort 25 +>2 beshort 25 >>0 use gem_info -16 string XIMG\0 +16 string XIMG\0 >0 use gem_info # no example -16 string STTT\0\x10 +16 string STTT\0\x10 >0 use gem_info # no example or description -16 string TIMG\0 +16 string TIMG\0 >0 use gem_info 0 name gem_info @@ -864,15 +864,15 @@ # http://www.snowstone.org.uk/riscos/mimeman/mimemap.txt !:mime image/x-gem # header_size 24 25 27 59 779 words for colored bitmaps ->>2 beshort >9 +>>2 beshort >9 >>>16 string STTT\0\x10 STTT >>>16 string TIMG\0 TIMG # HYPERPAINT or NOSIG variant ->>>16 string \0\x80 +>>>16 string \0\x80 >>>>2 beshort =24 NOSIG >>>>2 beshort !24 HYPERPAINT # NOSIG or XIMG variant ->>>16 default x +>>>16 default x >>>>16 string !XIMG\0 NOSIG >>16 string =XIMG\0 XIMG Image data !:ext img/ximg @@ -1182,7 +1182,7 @@ # updated by: Joerg Jenderek # URL: http://techmods.net/nuvi/ 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file -# extension is also used for +# extension is also used for # Sony SRF raw image (image/x-sony-srf) # SRF map # Terragen Surface Map (http://www.planetside.co.uk/terragen) @@ -1323,7 +1323,7 @@ !:mime image/x-icns !:apple ????icns !:ext icns ->4 ubelong >0 +>4 ubelong >0 # file size >>4 ubelong x \b, %d bytes # icon type diff --git a/magic/Magdir/intel b/magic/Magdir/intel index 3f96b758..c4f02544 100644 --- a/magic/Magdir/intel +++ b/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.14 2015/11/10 00:13:27 christos Exp $ +# $File: intel,v 1.15 2017/03/17 21:35:28 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -36,8 +36,8 @@ # ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file" # ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan -0 leshort =0514 -# use subroutine to display name+flags+variables for common object formated files +0 leshort =0514 +# use subroutine to display name+flags+variables for common object formated files >0 use display-coff #>12 lelong >0 not stripped # no hint found, that at offset 22 is version diff --git a/magic/Magdir/isz b/magic/Magdir/isz index 3388a82a..af68db2b 100644 --- a/magic/Magdir/isz +++ b/magic/Magdir/isz @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: isz,v 1.3 2014/04/30 21:41:02 christos Exp $ -# ISO Zipped file format +# $File: isz,v 1.4 2017/03/17 21:35:28 christos Exp $ +# ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file >4 byte x \b, header size %u diff --git a/magic/Magdir/jpeg b/magic/Magdir/jpeg index 2b49c21c..57adb1e5 100644 --- a/magic/Magdir/jpeg +++ b/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.30 2016/07/04 15:18:23 christos Exp $ +# $File: jpeg,v 1.31 2017/03/17 21:35:28 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -53,14 +53,14 @@ >>5 beshort x \b%d >>9 byte x \b, frames %d ->0 beshort 0xFFC1 +>0 beshort 0xFFC1 >>(2.S+2) use jpeg_segment >>4 byte x \b, extended sequential, precision %d >>7 beshort x \b, %dx >>5 beshort x \b%d >>9 byte x \b, frames %d ->0 beshort 0xFFC2 +>0 beshort 0xFFC2 >>(2.S+2) use jpeg_segment >>4 byte x \b, progressive, precision %d >>7 beshort x \b, %dx @@ -71,11 +71,11 @@ >0 beshort 0xFFC4 >>(2.S+2) use jpeg_segment ->0 beshort 0xFFE1 +>0 beshort 0xFFE1 # Recursion handled by FFE0 #>>(2.S+2) use jpeg_segment >>4 string Exif \b, Exif Standard: [ ->>>10 indirect/r x +>>>10 indirect/r x >>>10 string x \b] # Application specific markers diff --git a/magic/Magdir/kerberos b/magic/Magdir/kerberos index cb07fedb..93b8f79d 100644 --- a/magic/Magdir/kerberos +++ b/magic/Magdir/kerberos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: kerberos,v 1.1 2014/12/10 18:45:43 christos Exp $ +# $File: kerberos,v 1.2 2017/03/17 21:35:28 christos Exp $ # kerberos: MIT kerberos file binary formats # @@ -38,7 +38,7 @@ >>>>>&0 bedate x \b, date=%s >>>>>>&0 byte x \b, kvno=%u #>>>>>>>&0 pstring/H x -#>>>>>>>>&0 belong x +#>>>>>>>>&0 belong x #>>>>>>>>>>&0 use keytab_entry 0 belong 0x05020000 Kerberos Keytab file diff --git a/magic/Magdir/kml b/magic/Magdir/kml index ed0f42ed..d603ea80 100644 --- a/magic/Magdir/kml +++ b/magic/Magdir/kml @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ +# $File: kml,v 1.4 2017/03/17 21:35:28 christos Exp $ # Type: Google KML, formerly Keyhole Markup Language # Future development of this format has been handed # over to the Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen 0 string/t \20 search/400 \ xmlns= +>20 search/400 \ xmlns= >>&0 regex ['"]http://earth.google.com/kml Google KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string 2.0' \b, version 2.0 @@ -25,7 +25,7 @@ >>>&1 string/t 2.2 \b, version 2.2 #------------------------------------------------------------------------------ -# Type: Google KML Archive (ZIP based) +# Type: Google KML Archive (ZIP based) # http://code.google.com/apis/kml/documentation/kml_tut.html # From: Asbjoern Sloth Toennesen 0 string PK\003\004 diff --git a/magic/Magdir/linux b/magic/Magdir/linux index c8cc0df5..0630a8a7 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $ +# $File: linux,v 1.64 2017/03/17 21:35:28 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -199,7 +199,7 @@ ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless ->5 string . +>5 string . >>4 string >\0 \b, libc version %s 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable @@ -213,7 +213,7 @@ >2 byte&0x40 !0 \b, A_PURE >2 byte&0x80 !0 \b, A_TOVLY >28 long !0 \b, not stripped ->37 string . +>37 string . >>36 string >\0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable @@ -241,7 +241,7 @@ >24 lelong x %d symbols >28 lelong x %d ocons -# Linux Logical Volume Manager (LVM) +# Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT # # System ID, UUID and volume group name are 128 bytes long @@ -301,7 +301,7 @@ >>&0x20 lequad x \b, size: %lld 0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) ->&(&-12.l-0x21) byte x +>&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s @@ -340,7 +340,7 @@ # Summary: Xen saved domain file # Created by: Radek Vokal 0 string LinuxGuestRecord Xen saved domain ->20 search/256 (name +>20 search/256 (name >>&1 string x (name %s) # Type: Xen, the virtual machine monitor @@ -397,7 +397,7 @@ >>0x1046 ubeshort x \b%04x # Linux device tree: -# File format description can be found in the Linux kernel sources at +# File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed diff --git a/magic/Magdir/lisp b/magic/Magdir/lisp index db0592e7..43d102e1 100644 --- a/magic/Magdir/lisp +++ b/magic/Magdir/lisp @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: lisp,v 1.24 2015/11/30 20:54:26 christos Exp $ +# $File: lisp,v 1.25 2017/03/17 21:35:28 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) # updated by Joerg Jenderek # GRR: This lot is too weak -#0 string ;; +#0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end #>2 search/4096 !\r Lisp/Scheme program text @@ -28,9 +28,9 @@ # URL: https://en.wikipedia.org/wiki/Emacs_Lisp # Reference: http://ftp.gnu.org/old-gnu/emacs/elisp-manual-18-1.03.tar.gz -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Emacs 18 - this is always correct, but not very magical. -0 string \012( +0 string \012( # look for emacs lisp keywords # GRR: split regex because it is too long or get error like # lisp, 36: Warning: cannot get string from `^(defun|defvar|defconst|defmacro|setq|fset|put|provide|require|' @@ -50,13 +50,13 @@ # Emacs 19+ - ver. recognition added by Ian Springer # Also applies to XEmacs 19+ .elc files; could tell them apart with regexs # - Chris Chittleborough -# Update: Joerg Jenderek -0 string ;ELC +# Update: Joerg Jenderek +0 string ;ELC # version\0\0\0 >4 byte >18 Emacs/XEmacs v%d byte-compiled Lisp data # why less than 32 ? does not make sense to me. GNU Emacs version is 24.5 at April 2015 #>4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data -!:mime application/x-elc +!:mime application/x-elc !:apple EMAxTEXT !:ext elc @@ -67,7 +67,7 @@ 0 long 0x70768BD2 CLISP memory image data 0 long 0xD28B7670 CLISP memory image data, other endian -#.com and .bin for MIT scheme +#.com and .bin for MIT scheme 0 string \372\372\372\372 MIT scheme (library?) # From: David Allouche diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh index d7f20f20..e7c0e5e8 100644 --- a/magic/Magdir/macintosh +++ b/magic/Magdir/macintosh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.26 2015/11/25 00:36:02 christos Exp $ +# $File: macintosh,v 1.27 2017/03/17 21:35:28 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -109,9 +109,9 @@ # the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will # have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, # and that 74 will be 0. So something like -# +# # 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data -# +# # >73 byte&0x01 0x01 \b, inited # >73 byte&0x02 0x02 \b, changed # >73 byte&0x04 0x04 \b, busy @@ -254,7 +254,7 @@ >0x9C string INDEX data file index >0x9C string VIEW data view -# spss magic for SPSS system and portable files, +# spss magic for SPSS system and portable files, # from Bruce Foster (bef@nwu.edu). 0 long 0xc1e2c3c9 SPSS Portable File @@ -273,7 +273,7 @@ # entries depend on the data arithmetic added after v.35 # There's also some Pascal strings in here, ditto... -# The boot block signature, according to IM:Files, is +# The boot block signature, according to IM:Files, is # "for HFS volumes, this field always contains the value 0x4C4B." # But if this is true for MFS or HFS+ volumes, I don't know. # Alternatively, the boot block is supposed to be zeroed if it's @@ -291,10 +291,10 @@ # *.hfs updated by Joerg Jenderek # http://en.wikipedia.org/wiki/Hierarchical_File_System # "BD" gives many false positives -0x400 beshort 0x4244 +0x400 beshort 0x4244 # ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h # first block of volume bit map (always 3) ->0x40e ubeshort 0x0003 +>0x40e ubeshort 0x0003 # maximal length of volume name is 27 >>0x424 ubyte <28 Macintosh HFS data !:mime application/x-apple-diskimage @@ -351,15 +351,15 @@ #>0x230 string x first type: %s, #>0x210 string x name: %s, #>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D +#>0x400 beshort 0x504D #>>0x430 string x second type: %s, #>>0x410 string x name: %s, #>>0x454 belong x number of blocks: %d, -#>>0x800 beshort 0x504D +#>>0x800 beshort 0x504D #>>>0x830 string x third type: %s, #>>>0x810 string x name: %s, #>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D +#>>>0xa00 beshort 0x504D #>>>>0xa30 string x fourth type: %s, #>>>>0xa10 string x name: %s, #>>>>0xa54 belong x number of blocks: %d diff --git a/magic/Magdir/maple b/magic/Magdir/maple index 05a8eaf2..44ab2842 100644 --- a/magic/Magdir/maple +++ b/magic/Magdir/maple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: maple,v 1.7 2013/01/11 16:45:23 christos Exp $ +# $File: maple,v 1.8 2017/03/17 21:35:28 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" # Maple V release 4, a multi-purpose math program @@ -13,7 +13,7 @@ # no magic for these :-( # they are compiled indexes for maple files -# .hdb +# .hdb 0 string \000\004\000\000 Maple help database # .mhp @@ -40,7 +40,7 @@ # from byte 4 it is either 'nul E' or 'soh R' # I think 'nul E' means a file that was saved as a different name # a sort of revision marking -# 'soh R' means new +# 'soh R' means new >4 string \000\105 An old revision >4 string \001\122 The latest save diff --git a/magic/Magdir/marc21 b/magic/Magdir/marc21 index 7e859a38..6819a8dd 100644 --- a/magic/Magdir/marc21 +++ b/magic/Magdir/marc21 @@ -2,14 +2,14 @@ # marc21: file(1) magic for MARC 21 Format # # Kevin Ford (kefo@loc.gov) -# +# # MARC21 formats are for the representation and communication # of bibliographic and related information in machine-readable # form. For more info, see http://www.loc.gov/marc/ # leader position 20-21 must be 45 -20 string 45 +20 string 45 # leader starts with 5 digits, followed by codes specific to MARC format >0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic diff --git a/magic/Magdir/mathematica b/magic/Magdir/mathematica index a93899e8..e76957ee 100644 --- a/magic/Magdir/mathematica +++ b/magic/Magdir/mathematica @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.8 2015/04/09 20:01:40 christos Exp $ +# $File: mathematica,v 1.9 2017/03/17 21:35:28 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" # Mathematica a multi-purpose math program @@ -49,7 +49,7 @@ #0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file 0 string (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file -#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 +#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 # >71... is optional >88 string >\0 from %s @@ -59,7 +59,7 @@ 0 string MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think) # .ml files These are menu resources I think -# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ +# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ # how to put that into a magic rule? 4 string \ A~ MAthematica .ml file diff --git a/magic/Magdir/metastore b/magic/Magdir/metastore index 285c3cfa..53f5b37c 100644 --- a/magic/Magdir/metastore +++ b/magic/Magdir/metastore @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: metastore,v 1.1 2011/04/06 12:37:44 christos Exp $ +# $File: metastore,v 1.2 2017/03/17 21:35:28 christos Exp $ # metastore: file(1) magic for metastore files # From: Thomas Wissen # see http://david.hardeman.nu/software.php#metastore -0 string MeTaSt00r3 Metastore data file, +0 string MeTaSt00r3 Metastore data file, >10 bequad x version %0llx diff --git a/magic/Magdir/meteorological b/magic/Magdir/meteorological index 541bbbff..9e7a3f1b 100644 --- a/magic/Magdir/meteorological +++ b/magic/Magdir/meteorological @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: meteorological,v 1.1 2014/08/04 06:26:16 christos Exp $ +# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf @@ -34,7 +34,7 @@ >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/meteorological ->80 search/256 XXRINEXN RINEX Data, Navigation +>80 search/256 XXRINEXN RINEX Data, Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation diff --git a/magic/Magdir/microfocus b/magic/Magdir/microfocus index b2d204b1..e5b247cd 100644 --- a/magic/Magdir/microfocus +++ b/magic/Magdir/microfocus @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: microfocus,v 1.1 2016/02/09 01:22:49 christos Exp $ -# Micro Focus COBOL data files. +# $File: microfocus,v 1.2 2017/03/17 21:35:28 christos Exp $ +# Micro Focus COBOL data files. # http://documentation.microfocus.com/help/index.jsp?topic=\ # %2FGUID-0E0191D8-C39A-44D1-BA4C-D67107BAF784%2FHRFLRHFILE05.html diff --git a/magic/Magdir/mime b/magic/Magdir/mime index 42ca52dc..5c782fc8 100644 --- a/magic/Magdir/mime +++ b/magic/Magdir/mime @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: mime,v 1.6 2010/11/25 15:00:12 christos Exp $ +# $File: mime,v 1.7 2017/03/17 21:35:28 christos Exp $ # mime: file(1) magic for MIME encoded files # -0 string/t Content-Type:\ +0 string/t Content-Type:\ >14 string >\0 %s 0 string/t Content-Type: >13 string >\0 %s diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools index eeb518d4..3ce91b56 100644 --- a/magic/Magdir/misctools +++ b/magic/Magdir/misctools @@ -1,6 +1,6 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.16 2016/02/14 15:46:52 christos Exp $ +# $File: misctools,v 1.17 2017/03/17 21:35:28 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text @@ -14,7 +14,7 @@ #!:mime text/x-vcard !:mime text/vcard # VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere ->12 search/14000/c VERSION: +>12 search/14000/c VERSION: # VERSION 2.1 , 3.0 or 4.0 >>&0 string x \b, version %-.3s @@ -48,7 +48,7 @@ >12 ulelong !0x20 \b, 0x%8.8x RVA # CheckSum 0 >16 ulelong !0 \b, CheckSum 0x%8.8x -# Reserved or TimeDateStamp +# Reserved or TimeDateStamp >20 ledate x \b, %s # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx # Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 diff --git a/magic/Magdir/modem b/magic/Magdir/modem index e4decfda..d988e903 100644 --- a/magic/Magdir/modem +++ b/magic/Magdir/modem @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.7 2016/01/08 00:56:42 christos Exp $ +# $File: modem,v 1.8 2017/03/17 21:35:28 christos Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche @@ -13,24 +13,24 @@ # URL: https://de.wikipedia.org/wiki/Fax # Reference: http://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others -0 short 0x0100 +0 short 0x0100 # 16 0-bits near beginning like True Type fonts *.ttf, Postscript PrinterFontMetric *.pfm, FTYPE.HYPERCARD, XFER ->2 search/9 \0\0 +>2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x +>2 default x # skip IRCAM file (VAX big-endian) ./audio ->>0 belong !0x0001a364 +>>0 belong !0x0001a364 # skip GEM Image data ./images ->>>2 beshort !0x0008 +>>>2 beshort !0x0008 # look for first keyword of Panorama database *.pan ->>>>11 search/262 \x06DESIGN +>>>>11 search/262 \x06DESIGN # skip Panorama database ->>>>11 default x +>>>>11 default x # old Apple DreamWorld DreamGrafix *.3200 with keyword at end of g3 looking files ->>>>>27118 search/1864 DreamWorld ->>>>>27118 default x +>>>>>27118 search/1864 DreamWorld +>>>>>27118 default x # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom ->>>>>>8 ubequad !0x2e01010454010203 +>>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom >>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" @@ -39,9 +39,9 @@ !:ext g3 # unusual image starting with black pixel #0 short 0x1300 raw G3 (Group 3) FAX -0 short 0x1400 +0 short 0x1400 # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom ->2 search/9 \0\0 +>2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 >2 default x raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" diff --git a/magic/Magdir/mozilla b/magic/Magdir/mozilla index 173018c3..23288019 100644 --- a/magic/Magdir/mozilla +++ b/magic/Magdir/mozilla @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: mozilla,v 1.6 2015/01/25 16:20:46 christos Exp $ -# mozilla: file(1) magic for Mozilla XUL fastload files +# $File: mozilla,v 1.7 2017/03/17 21:35:28 christos Exp $ +# mozilla: file(1) magic for Mozilla XUL fastload files # (XUL.mfasl and XPC.mfasl) # URL: http://www.mozilla.org/ # From: Josh Triplett diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index e4b5258a..e383b9d1 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.116 2017/03/12 22:08:51 christos Exp $ +# $File: msdos,v 1.117 2017/03/17 21:35:28 christos Exp $ # msdos: file(1) magic for MS-DOS files # # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) # updated by Joerg Jenderek at Oct 2008,Apr 2011 -0 string/t @ +0 string/t @ >1 string/cW \ echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW echo\ off DOS batch file text @@ -230,7 +230,7 @@ >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s ->>&(&0x42.l-3) byte x +>>&(&0x42.l-3) byte x >>>&0x26 string UPX \b, UPX compressed # and yet another guess: small .text, and after large .data is unusal, could be 32lite >>&0x2c search/0xa0 .text @@ -240,8 +240,8 @@ >(8.s*16) string $WdX \b, WDos/X DOS extender # By now an executable type should have been printed out. The executable -# may be a self-uncompressing archive, so look for evidence of that and -# print it out. +# may be a self-uncompressing archive, so look for evidence of that and +# print it out. # # Some signatures below from Greg Roelofs, newt@uchicago.edu. # @@ -283,8 +283,8 @@ # Skip to the end of the EXE. This will usually work fine in the PE case # because the MZ image is hardcoded into the toolchain and almost certainly # won't match any of these signatures. ->(4.s*512) long x ->>&(2.s-517) byte x +>(4.s*512) long x +>>&(2.s-517) byte x >>>&0 string PK\3\4 \b, ZIP self-extracting archive >>>&0 string Rar! \b, RAR self-extracting archive >>>&0 string =!\x11 \b, AIN 2.x self-extracting archive @@ -312,77 +312,77 @@ # only version=0x100 found >3 uleshort x \b, version 0x%x # length of string containing author,info and special characters ->6 ubyte >0 +>6 ubyte >0 #>>6 pstring x \b, name=%s >>7 string >\0 \b, author=%-.14s >>7 search/254 \xff \b, info= #>>>&0 string x \b%-s >>>&0 string x \b%-.15s -# for FreeDOS *.KL files +# for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found >3 uleshort x \b, version 0x%x # stringlength ->5 ubyte >0 +>5 ubyte >0 >>8 string x \b, name=%-.2s -0 string \xffKEYB\ \ \ \0\0\0\0 +0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file # DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 # https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 -0 ulequad&0x07a0ffffffff 0xffffffff +0 ulequad&0x07a0ffffffff 0xffffffff >0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver # also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN !:ext sys/dev/bin ->40 search/7 UPX! \bUPX compressed +>40 search/7 UPX! \bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b ->>4 uleshort&0x0008 0x0008 \bclock +>>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h ->>4 uleshort&0x0010 0x0010 \bfast +>>4 uleshort&0x0010 0x0010 \bfast # standard input/output device ->>4 uleshort&0x0003 >0 \bstandard +>>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ ->>>4 uleshort&0x0002 0x0002 \boutput +>>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver ->0 ubyte x +>0 ubyte x # upx compressed device driver has garbage instead of real in name field of header ->>40 search/7 UPX! ->>40 default x +>>40 search/7 UPX! +>>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped ->>>12 ubyte >0x2E \b ->>>>10 ubyte >0x20 ->>>>>10 ubyte !0x2E +>>>12 ubyte >0x2E \b +>>>>10 ubyte >0x20 +>>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c ->>>>11 ubyte >0x20 +>>>>11 ubyte >0x20 >>>>>11 ubyte !0x2E \b%c ->>>>12 ubyte >0x20 ->>>>>12 ubyte !0x39 +>>>>12 ubyte >0x20 +>>>>>12 ubyte !0x39 >>>>>>12 ubyte !0x2E \b%c ->>>13 ubyte >0x20 +>>>13 ubyte >0x20 >>>>13 ubyte !0x2E \b%c ->>>>14 ubyte >0x20 +>>>>14 ubyte >0x20 >>>>>14 ubyte !0x2E \b%c ->>>>15 ubyte >0x20 +>>>>15 ubyte >0x20 >>>>>15 ubyte !0x2E \b%c ->>>>16 ubyte >0x20 ->>>>>16 ubyte !0x2E +>>>>16 ubyte >0x20 +>>>>>16 ubyte !0x2E >>>>>>16 ubyte <0xCB \b%c ->>>>17 ubyte >0x20 ->>>>>17 ubyte !0x2E +>>>>17 ubyte >0x20 +>>>>>17 ubyte !0x2E >>>>>>17 ubyte <0x90 \b%c # some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field ->>>12 ubyte <0x2F +>>>12 ubyte <0x2F # they have their real name at offset 22 # also block device drivers like DUMBDRV.SYS >>>>22 string >\056 %-.6s ->4 uleshort&0x8000 0x0000 +>4 uleshort&0x8000 0x0000 # 32 bit sector addressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h @@ -390,42 +390,42 @@ # open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh >4 uleshort&0x0800 0x0800 \b,close media- # output until busy support by int 10h for character device driver ->4 uleshort&0x8000 0x8000 +>4 uleshort&0x8000 0x8000 >>4 uleshort&0x2000 0x2000 \b,until busy- # direct read/write support by driver functions 03h,0Ch >4 uleshort&0x4000 0x4000 \b,control strings- ->4 uleshort&0x8000 0x8000 +>4 uleshort&0x8000 0x8000 >>4 uleshort&0x6840 >0 \bsupport ->4 uleshort&0x8000 0x0000 +>4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) -# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header -0 ulequad 0x0513c00000000012 +# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header +0 ulequad 0x0513c00000000012 >0 use msdos-driver # DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field -0 ulequad 0x32f28000ffff0016 +0 ulequad 0x32f28000ffff0016 >0 use msdos-driver -0 ulequad 0x007f00000000ffff +0 ulequad 0x007f00000000ffff >0 use msdos-driver -0 ulequad 0x001600000000ffff +0 ulequad 0x001600000000ffff >0 use msdos-driver # DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field -0 ulequad 0x0bf708c2ffffffff +0 ulequad 0x0bf708c2ffffffff >0 use msdos-driver -0 ulequad 0x07bd08c2ffffffff +0 ulequad 0x07bd08c2ffffffff >0 use msdos-driver # updated by Joerg Jenderek -# GRR: line below too general as it catches also +# GRR: line below too general as it catches also # rt.lib DYADISKS.PIC and many more # start with assembler instruction MOV -0 ubyte 0x8c +0 ubyte 0x8c # skip "AppleWorks word processor data" like ARTICLE.1 ./apple ->4 string !O==== +>4 string !O==== # skip some unknown basic binaries like RocketRnger.SHR ->>5 string !MAIN +>>5 string !MAIN # skip "GPG symmetrically encrypted data" ./gnu -# skip "PGP symmetric key encrypted data" ./pgp +# skip "PGP symmetric key encrypted data" ./pgp # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type >>>4 ubyte >13 DOS executable (COM, 0x8C-variant) # the remaining files should be DOS *.COM executables @@ -443,7 +443,7 @@ # updated by Joerg Jenderek at Oct 2008 0 ulelong 0xffff10eb DR-DOS executable (COM) # byte 0xeb conflicts with "sequent" magic leshort 0xn2eb -0 ubeshort&0xeb8d >0xeb00 +0 ubeshort&0xeb8d >0xeb00 # DR-DOS STACKER.COM SCREATE.SYS missed 0 name msdos-com @@ -478,9 +478,9 @@ # updated by Joerg Jenderek at Oct 2008,2015 # following line is too general -0 ubyte 0xb8 +0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux ->0 string !\xb8\xc0\x07\x8e +>0 string !\xb8\xc0\x07\x8e # modified by Joerg Jenderek # syslinux COM32 or COM32R executable >>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT @@ -511,8 +511,8 @@ #!:mime application/x-msdos-program !:ext com -0 string/b \x81\xfc ->4 string \x77\x02\xcd\x20\xb9 +0 string/b \x81\xfc +>4 string \x77\x02\xcd\x20\xb9 >>36 string UPX! FREE-DOS executable (COM), UPX compressed 252 string Must\ have\ DOS\ version DR-DOS executable (COM) # added by Joerg Jenderek at Oct 2008 @@ -529,10 +529,10 @@ #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 5 string \xcd\x21 COM executable for DOS #DELTMP.COm HASFAT32.cOM -7 string \xcd\x21 +7 string \xcd\x21 >0 byte !0xb8 COM executable for DOS #COMP.cOM MORE.COm -10 string \xcd\x21 +10 string \xcd\x21 >5 string !\xcd\x21 COM executable for DOS #comecho.com 13 string \xcd\x21 COM executable for DOS @@ -627,11 +627,11 @@ # Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf # Note: newer Lotus versions >2 use longer BOF record # record type (BeginningOfFile=0000h) + length (001Ah) -0 belong 0x00001a00 +0 belong 0x00001a00 # reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 -#>18 uleshort&0x73E0 0 +#>18 uleshort&0x73E0 0 # Lotus Multi Byte Character Set (LMBCS=1-31) ->20 ubyte >0 +>20 ubyte >0 >>20 ubyte <32 Lotus 1-2-3 #!:mime application/x-123 !:mime application/vnd.lotus-1-2-3 @@ -668,10 +668,10 @@ !:ext fXX # main revision number >>>>4 uleshort x \b, revision 0x%x ->>>6 uleshort =0x0004 \b, cell range +>>>6 uleshort =0x0004 \b, cell range # active cellcoord range (start row, page,column ; end row, page, column) # start values normally 0~1st sheet A1 ->>>>8 ulelong !0 +>>>>8 ulelong !0 >>>>>10 ubyte >0 \b%d* >>>>>8 uleshort x \b%d, >>>>>11 ubyte x \b%d- @@ -684,9 +684,9 @@ >>>>20 ubyte >1 \b, character set 0x%x # flags >>>>21 ubyte x \b, flags 0x%x ->>>6 uleshort !0x0004 +>>>6 uleshort !0x0004 # record type (FONTNAME=00AEh) ->>>>30 search/29 \0\xAE +>>>>30 search/29 \0\xAE # variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) >>>>>&4 string >\0 \b, 1st font "%s" # @@ -695,12 +695,12 @@ # Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT # Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x # record type (BeginningOfFile=0000h) + length (0002h) -0 belong 0x00000200 +0 belong 0x00000200 # GRR: line above is too general as it catches also MS Windows CURsor # to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) !:strength -1 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h ->7 ubyte 0 +>7 ubyte 0 # skip Windows cursors with image width 256 and keep Lotus with positiv opcode >>6 ubyte >0 Lotus # !:mime application/x-123 @@ -765,9 +765,9 @@ # check and then display Lotus worksheet cells range 0 name lotus-cells # look for type (RANGE=0006h) + length (0008h) at record begin ->0 ubelong 0x06000800 \b, cell range +>0 ubelong 0x06000800 \b, cell range # cell range (start column, row, end column, row) start values normally 0,0~A1 cell ->>4 ulong !0 +>>4 ulong !0 >>>4 uleshort x \b%d, >>>6 uleshort x \b%d- # end of cell range @@ -823,16 +823,16 @@ # Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG 0 belong 0x00000100 >9 byte 0 ->>0 byte x +>>0 byte x >>0 use cur-ico-dir >9 ubyte 0xff ->>0 byte x +>>0 byte x >>0 use cur-ico-dir # displays number of icons and information for icon or cursor 0 name cur-ico-dir # skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with # 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h ->18 ulelong &0x00000006 +>18 ulelong &0x00000006 # skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) >>(18.l) ulelong x MS Windows >>>0 ubelong 0x00000100 icon resource @@ -845,7 +845,7 @@ # 1st icon >>>>0x06 use ico-entry # 2nd icon ->>>>4 uleshort >1 +>>>>4 uleshort >1 >>>>>0x16 use ico-entry >>>0 ubelong 0x00000200 cursor resource #!:mime image/x-cur @@ -882,10 +882,10 @@ # offset of PNG or DIB image #>12 ulelong x \b, offset 0x%x # PNG header (\x89PNG) ->(12.l) ubelong =0x89504e47 ->>&-4 indirect x \b with +>(12.l) ubelong =0x89504e47 +>>&-4 indirect x \b with # DIB image ->(12.l) ubelong !0x89504e47 +>(12.l) ubelong !0x89504e47 #>>&-4 use dib-image # Windows non-animated cursors @@ -900,13 +900,13 @@ >>0 use cur-ico-dir # .chr files -0 string/b PK\010\010BGI Borland font +0 string/b PK\010\010BGI Borland font >4 string >\0 %s # then there is a copyright notice # .bgi files -0 string/b pk\010\010BGI Borland device +0 string/b pk\010\010BGI Borland device >4 string >\0 %s # then there is a copyright notice @@ -937,7 +937,7 @@ 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file -# Debian#712046: The magic below identifies "Delphi compiled form data". +# Debian#712046: The magic below identifies "Delphi compiled form data". # An additional source of information is available at: # http://www.woodmann.com/fravia/dafix_t1.htm 0 string TPF0 @@ -946,7 +946,7 @@ # tests for DBase files moved, updated and merged to database 0 string PMCC Windows 3.x .GRP file -1 string RDC-meg MegaDots +1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file 0 lelong 0x4C @@ -963,16 +963,16 @@ #>0x181 leshort x \b, offset %x #>0x183 leshort x \b, offsetdata %x #>0x185 leshort x \b, section length %x ->0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 ->>&0x5e ubyte >0 +>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 +>>&0x5e ubyte >0 >>>&-1 string >>&-1 string PIFMGR.DLL \b, icon=%s >>>&-1 string >PIFMGR.DLL \b, icon=%s ->>&0xF0 ubyte >0 +>>&0xF0 ubyte >0 >>>&-1 string >>&-1 string =Terminal \b, font=%.32s >>>&-1 string >Terminal \b, font=%.32s ->>&0x110 ubyte >0 +>>&0x110 ubyte >0 >>>&-1 string >>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s >>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s @@ -996,7 +996,7 @@ >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d -# TNEF magic From "Joomy" +# TNEF magic From "Joomy" # Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 0 leshort 0x223e9f78 TNEF !:mime application/vnd.ms-tnef @@ -1004,7 +1004,7 @@ # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # http://en.wikipedia.org/wiki/Norton_Guides -0 string NG\0\001 +0 string NG\0\001 # only value 0x100 found at offset 2 >2 ulelong 0x00000100 Norton Guide # Title[40] @@ -1014,7 +1014,7 @@ >>48 string >\0 \b, %-.66s >>114 string >\0 %-.66s -# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS +# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of http://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm 0 ulelong 0x48443408 4DOS help file @@ -1062,7 +1062,7 @@ # Windows Enhanced Metafile (EMF) -# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp +# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data @@ -1124,7 +1124,7 @@ 0 string/b MSWIM\000\000\000 Windows imaging (WIM) image 0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format -# The second byte of these signatures is a file version; I don't know what, +# The second byte of these signatures is a file version; I don't know what, # if anything, produced files with version numbers 0-2. # From: John Elliott 0 string \xfc\x03\x00 Mallard BASIC program data (v1.11) diff --git a/magic/Magdir/msvc b/magic/Magdir/msvc index bf4ab0ca..6d8ba012 100644 --- a/magic/Magdir/msvc +++ b/magic/Magdir/msvc @@ -1,10 +1,10 @@ #------------------------------------------------------------------------------ -# $File: msvc,v 1.6 2016/01/26 00:03:19 christos Exp $ +# $File: msvc,v 1.7 2017/03/17 21:35:28 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" # Microsoft visual C -# +# # I have version 1.0 # .aps @@ -30,10 +30,10 @@ # Summary: Symbol Table / Debug info used by Microsoft compilers # URL: https://en.wikipedia.org/wiki/Program_database # Reference: https://code.google.com/p/pdbparser/wiki/MSF_Format -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Note: test only for Windows XP+SP3 x86 , 8.1 x64 arm and 10.1 x86 # info does only applies partly for older files like msvbvm50.pdb about year 2001 -0 string Microsoft\ C/C++\ +0 string Microsoft\ C/C++\ # "Microsoft Program DataBase" by TrID >24 search/14 \r\n\x1A MSVC program database !:mime application/x-ms-pdb @@ -42,13 +42,13 @@ >>16 regex \([0-9.]+\) ver %s #>>>0x38 search/128123456 /LinkInfo \b with linkinfo # "MSF 7.00" variant ->>0x1e leshort 0 +>>0x1e leshort 0 # PageSize 400h 1000h >>>0x20 lelong x \b, %d # Page Count >>>0x28 lelong x \b*%d bytes # "program database 2.00" variant ->>0x1e leshort !0 +>>0x1e leshort !0 # PageSize 400h >>>0x2c lelong x \b, %d # Page Count for msoo-dll.pdb 4379h diff --git a/magic/Magdir/msx b/magic/Magdir/msx index 37fd17b9..3eb46baa 100644 --- a/magic/Magdir/msx +++ b/magic/Magdir/msx @@ -7,7 +7,7 @@ ############## MSX Music file formats ############## # Gigamix MGSDRV music file -0 string/b MGS MSX Gigamix MGSDRV3 music file, +0 string/b MGS MSX Gigamix MGSDRV3 music file, >6 ubeshort 0x0D0A >>3 byte x \bv%c >>4 byte x \b.%c @@ -35,7 +35,7 @@ >>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) >>0xF byte&0x02 0x02 \b, soundchips: SN76489 >>>0xF byte&0x04 0x04 stereo ->>0xF byte&0x01 0x01 \b, +>>0xF byte&0x01 0x01 \b, >>>0xF byte&0x18 0x00 \bYM2413 >>>0xF byte&0x18 0x08 \bYM2413, Y8950 >>>0xF byte&0x18 0x18 \bYM2413+Y8950 pseudostereo @@ -296,7 +296,7 @@ 4 uleshort 0x0900 >0xF byte 1 >>0x14 byte 0 ->>>0x1E string \ \ \ +>>>0x1E string \ \ \ >>>>0x23 byte 1 >>>>>0x25 byte 0 >>>>>>0x15 string >\x30 diff --git a/magic/Magdir/mup b/magic/Magdir/mup index 5060c01d..05b9471b 100644 --- a/magic/Magdir/mup +++ b/magic/Magdir/mup @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# $File: mup,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: mup,v 1.5 2017/03/17 21:35:28 christos Exp $ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung @@ -12,13 +12,13 @@ # 0 search/1 //!Mup Mup music publication program input text >6 string -Arkkra (Arkkra) ->>13 string - ->>>16 string . +>>13 string - +>>>16 string . >>>>14 string x \b, need V%.4s ->>>15 string . +>>>15 string . >>>>14 string x \b, need V%.3s ->6 string - ->>9 string . +>6 string - +>>9 string . >>>7 string x \b, need V%.4s ->>8 string . +>>8 string . >>>7 string x \b, need V%.3s diff --git a/magic/Magdir/nasa b/magic/Magdir/nasa index 49673b32..de3545f8 100644 --- a/magic/Magdir/nasa +++ b/magic/Magdir/nasa @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# nasa: file(1) magic +# nasa: file(1) magic # From: Barry Carter 0 string DAF/SPK NASA SPICE file (binary format) diff --git a/magic/Magdir/netbsd b/magic/Magdir/netbsd index eb0847b6..5ee2d712 100644 --- a/magic/Magdir/netbsd +++ b/magic/Magdir/netbsd @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netbsd,v 1.23 2015/11/29 01:55:14 christos Exp $ +# $File: netbsd,v 1.24 2017/03/17 21:35:28 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. @@ -10,7 +10,7 @@ # 0 belong&0377777777 041400413 a.out NetBSD/i386 demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -32,7 +32,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 041600413 a.out NetBSD/m68k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable @@ -54,7 +54,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042000413 a.out NetBSD/m68k4k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable @@ -76,7 +76,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042200413 a.out NetBSD/ns32532 demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -101,7 +101,7 @@ >12 string >\0 from '%s' 0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable @@ -123,7 +123,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042600413 a.out NetBSD/pmax demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -145,7 +145,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 043000413 a.out NetBSD/vax 1k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -167,7 +167,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 045400413 a.out NetBSD/vax 4k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -189,7 +189,7 @@ >32 lelong !0 (signal %d) # NetBSD/alpha does not support (and has never supported) a.out objects, -# so no rules are provided for them. NetBSD/alpha ELF objects are +# so no rules are provided for them. NetBSD/alpha ELF objects are # dealt with in "elf". 0 lelong 0x00070185 ECOFF NetBSD/alpha binary >10 leshort 0x0001 not stripped @@ -199,7 +199,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 043400413 a.out NetBSD/mips demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable diff --git a/magic/Magdir/netscape b/magic/Magdir/netscape index a9b43cdd..0e1ca613 100644 --- a/magic/Magdir/netscape +++ b/magic/Magdir/netscape @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netscape,v 1.7 2015/08/24 05:20:52 christos Exp $ +# $File: netscape,v 1.8 2017/03/17 21:35:28 christos Exp $ # netscape: file(1) magic for Netscape files # "H. Nanosecond" # version 3 and 4 I think @@ -15,8 +15,8 @@ # .snm Caches 0 string #\ Netscape\ folder\ cache Netscape folder cache 0 string \000\036\204\220\000 Netscape folder cache -# .n2p -# Net 2 Phone +# .n2p +# Net 2 Phone #0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060 0 string SX961999 Net2phone diff --git a/magic/Magdir/nitpicker b/magic/Magdir/nitpicker index 2486dee0..48c3d63a 100644 --- a/magic/Magdir/nitpicker +++ b/magic/Magdir/nitpicker @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: nitpicker,v 1.6 2014/04/30 21:41:02 christos Exp $ +# $File: nitpicker,v 1.7 2017/03/17 21:35:28 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann http://www.nitpicker.de -0 string NPFF NItpicker Flow File +0 string NPFF NItpicker Flow File >4 byte x V%d. >5 byte x %d >6 bedate x started: %s diff --git a/magic/Magdir/os2 b/magic/Magdir/os2 index 21c1c001..ace69cb3 100644 --- a/magic/Magdir/os2 +++ b/magic/Magdir/os2 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os2,v 1.9 2016/05/11 15:51:57 christos Exp $ +# $File: os2,v 1.10 2017/03/17 21:35:28 christos Exp $ # os2: file(1) magic for OS/2 files # @@ -25,7 +25,7 @@ #>5 string >\ (Local file) <%s> # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) -# Carl Hauser (chauser.parc@xerox.com) and +# Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: # @@ -35,11 +35,11 @@ # // bit 0: set if INF style file # // bit 4: set if HLP style file # // patching this byte allows reading HLP files -# // using the VIEW command, while help files +# // using the VIEW command, while help files # // seem to work with INF settings here as well. # int16 hdrsize; // total size of header # int16 unknown2; // unknown purpose -# +# 0 string HSP\x01\x9b\x00 OS/2 INF >107 string >0 (%s) 0 string HSP\x10\x9b\x00 OS/2 HLP diff --git a/magic/Magdir/os9 b/magic/Magdir/os9 index 52b04be3..74b47f35 100644 --- a/magic/Magdir/os9 +++ b/magic/Magdir/os9 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os9,v 1.7 2011/05/13 22:15:54 christos Exp $ +# $File: os9,v 1.8 2017/03/17 21:35:28 christos Exp $ # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # @@ -15,7 +15,7 @@ # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; diff --git a/magic/Magdir/pc88 b/magic/Magdir/pc88 index e604a3b4..03822f50 100644 --- a/magic/Magdir/pc88 +++ b/magic/Magdir/pc88 @@ -9,7 +9,7 @@ >>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 >>>0x1A ubyte&0xEF 0 >>>>0x1B ubyte&0x8F 0 ->>>>>0x1B ubyte&70 <0x40 +>>>>>0x1B ubyte&70 <0x40 >>>>>>0x1C ulelong >0x21 >>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s >>>>>>>>0x1B ubyte 0 \b, media=2D diff --git a/magic/Magdir/pc98 b/magic/Magdir/pc98 index 30f1ea38..3b995ed0 100644 --- a/magic/Magdir/pc98 +++ b/magic/Magdir/pc98 @@ -8,7 +8,7 @@ # http://www.jisyo.com/viewer/faq/maki_tech.htm 0 string/b MAKI01 Maki-chan v1. >6 ubyte|0x20 x \b%c image ->8 ubelong >0x40404040 \b, system ID: +>8 ubelong >0x40404040 \b, system ID: >>8 byte x %c >>9 byte x \b%c >>10 byte x \b%c diff --git a/magic/Magdir/pdp b/magic/Magdir/pdp index 0afee0c9..2d18b62d 100644 --- a/magic/Magdir/pdp +++ b/magic/Magdir/pdp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdp,v 1.10 2014/04/30 21:41:02 christos Exp $ +# $File: pdp,v 1.11 2017/03/17 21:35:28 christos Exp $ # pdp: file(1) magic for PDP-11 executable/object and APL workspace # 0 lelong 0101555 PDP-11 single precision APL workspace @@ -14,8 +14,8 @@ # updated by Joerg Jenderek at Mar 2013 # GRR: line below too general as it catches also Windows precompiled setup information *.PNF -0 leshort 0401 -# skip *.PNF with WinDirPathOffset 58h +0 leshort 0401 +# skip *.PNF with WinDirPathOffset 58h >68 ulelong !0x00000058 PDP-11 UNIX/RT ldp # skip *.PNF with high byte of InfVersionDatumCount zero #>>15 byte !0 PDP-11 UNIX/RT ldp diff --git a/magic/Magdir/pgf b/magic/Magdir/pgf index 825f5f68..b5a251ef 100644 --- a/magic/Magdir/pgf +++ b/magic/Magdir/pgf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgf,v 1.1 2013/04/22 15:19:49 christos Exp $ +# $File: pgf,v 1.2 2017/03/17 21:35:28 christos Exp $ # pgf: file(1) magic for Progressive Graphics File (PGF) # # @@ -42,7 +42,7 @@ >>20 byte 19 RGB color 12, >>20 byte 20 RGB color 16, >>20 byte 255 unknown format, ->>20 default x format +>>20 default x format >>>20 byte x \b %d, >>21 byte x %d bpc # PGFPostHeader diff --git a/magic/Magdir/pgp b/magic/Magdir/pgp index 64fcfe33..585475db 100644 --- a/magic/Magdir/pgp +++ b/magic/Magdir/pgp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.13 2017/01/22 21:13:13 christos Exp $ +# $File: pgp,v 1.14 2017/03/17 21:35:28 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # @@ -77,7 +77,7 @@ >0 byte 0x30 >>1 byte&0xc0 0x00 Unused [0%x] >>1 byte&0xc0 0x40 User Attribute ->>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data +>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data >>1 byte&0xc0 0xc0 Modification Detection Code # magic signatures to detect PGP crypto material (from stef) @@ -206,7 +206,7 @@ >0 byte 19 ECDSA >0 byte 20 ElGamal (Encrypt or Sign) >0 byte 21 Diffie-Hellman ->0 default x +>0 default x >>0 ubyte <22 unknown (pub %d) # this should never happen >>0 ubyte >21 invalid (%d) @@ -482,16 +482,16 @@ >1 use pgpkey 0 byte 0x97 PGP Secret Sub-key - >1 use pgpkey -0 byte 0x9d +0 byte 0x9d # Update: Joerg Jenderek # secret subkey packet (tag 7) with same structure as secret key packet (tag 5) # skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len ->1 ubeshort >0 +>1 ubeshort >0 #>1 ubeshort x \b, body length 0x%x # next packet type often 88h,89h~(tag 2)~Signature Packet #>>(1.S+3) ubyte x \b, next packet type 0x%x # skip Dragon.SHR DEMO.INIT by looking for positive version ->>3 ubyte >0 +>>3 ubyte >0 # skip BUISSON.13 GUITAR1 by looking for low version number >>>3 ubyte <5 PGP Secret Sub-key # sub-key are normally part of secret key. So it does not occur as standalone file @@ -500,7 +500,7 @@ >>>>3 ubyte x (v%d) >>>>3 ubyte x - # old versions 2 or 3 but no real example found ->>>>3 ubyte <4 +>>>>3 ubyte <4 # 2 byte for key bits in version 5.28 look >>>>>11 ubeshort x %db >>>>>4 beldate x created on %s - @@ -508,15 +508,15 @@ #>>>>>8 ubeshort x 0x%x # display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman >>>>>10 use key_algo ->>>>>(11.S/8) ubequad x +>>>>>(11.S/8) ubequad x # look after first key >>>>>>&5 use keyend # new version ->>>>3 ubyte >3 +>>>>3 ubyte >3 >>>>>9 ubeshort x %db >>>>>4 beldate x created on %s - # display key algorithm >>>>>8 use key_algo ->>>>>(9.S/8) ubequad x +>>>>>(9.S/8) ubequad x # look after first key for something like s2k >>>>>>&3 use keyend diff --git a/magic/Magdir/printer b/magic/Magdir/printer index 10168266..dcf95ded 100644 --- a/magic/Magdir/printer +++ b/magic/Magdir/printer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.26 2014/04/12 14:51:52 christos Exp $ +# $File: printer,v 1.27 2017/03/17 21:35:28 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -13,7 +13,7 @@ >>>15 string EPS \b, type %s >>>15 string Query \b, type %s >>>15 string ExitServer \b, type %s ->>>15 search/1000 %%LanguageLevel:\ +>>>15 search/1000 %%LanguageLevel:\ >>>>&0 string >\0 \b, Level %s # Some PCs have the annoying habit of adding a ^D as a document separator 0 string \004%! PostScript document text @@ -24,7 +24,7 @@ >>>16 string EPS \b, type %s >>>16 string Query \b, type %s >>>16 string ExitServer \b, type %s ->>>16 search/1000 %%LanguageLevel:\ +>>>16 search/1000 %%LanguageLevel:\ >>>>&0 string >\0 \b, Level %s 0 string \033%-12345X%!PS PostScript document @@ -49,18 +49,18 @@ # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data # HP Printer Job Language -# The header found on Win95 HP plot files is the "Silliest Thing possible" +# The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes -# +# 0 string \033%-12345X@PJL HP Printer Job Language data ->&0 string >\0 %s ->>&0 string >\0 %s ->>>&0 string >\0 %s ->>>>&0 string >\0 %s +>&0 string >\0 %s +>>&0 string >\0 %s +>>>&0 string >\0 %s +>>>>&0 string >\0 %s #>15 string \ ENTER\ LANGUAGE\ = #>31 string PostScript PostScript @@ -143,8 +143,8 @@ #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file -0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware +0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From: Paolo -# Epson ESC/Page, ESC/PageColor +# Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data diff --git a/magic/Magdir/project b/magic/Magdir/project index efa5d40f..9180b57d 100644 --- a/magic/Magdir/project +++ b/magic/Magdir/project @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: project,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: project,v 1.5 2017/03/17 21:35:28 christos Exp $ # project: file(1) magic for Project management -# +# # Magic strings for ftnchek project files. Alexander Mai 0 string FTNCHEK_\ P project file for ftnchek >10 string 1 version 2.7 diff --git a/magic/Magdir/psdbms b/magic/Magdir/psdbms index 1d218c0b..3eec9657 100644 --- a/magic/Magdir/psdbms +++ b/magic/Magdir/psdbms @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: psdbms,v 1.7 2016/01/08 00:41:02 christos Exp $ +# $File: psdbms,v 1.8 2017/03/17 21:35:28 christos Exp $ # psdbms: file(1) magic for psdatabase # # Update: Joerg Jenderek # GRR: line below too general as it catches also some Panorama database *.pan , # AppleWorks word processor -0 belong&0xff00ffff 0x56000000 +0 belong&0xff00ffff 0x56000000 # assume version starts with digit >1 regex/s =^[0-9] ps database >>1 string >\0 version %s diff --git a/magic/Magdir/riff b/magic/Magdir/riff index 55cfb20b..adf0fc9f 100644 --- a/magic/Magdir/riff +++ b/magic/Magdir/riff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.31 2015/02/14 17:30:03 christos Exp $ +# $File: riff,v 1.32 2017/03/17 21:35:28 christos Exp $ # riff: file(1) magic for RIFF format # See # @@ -75,7 +75,7 @@ >>18 leshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap ->>16 string BM +>>16 string BM >>>30 leshort 12 \b, OS/2 1.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d @@ -226,9 +226,9 @@ >8 string sfbk SoundFont/Bank # MPEG-1 wrapped in a RIFF, apparently >8 string CDXA \b, wrapped MPEG-1 (CDXA) ->8 string 4XMV \b, 4X Movie file +>8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV ->8 string AMV\040 \b, AMV +>8 string AMV\040 \b, AMV >8 string WEBP \b, Web/P image !:mime image/webp >>12 use riff-walk @@ -246,7 +246,7 @@ >>18 beshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap ->>16 string BM +>>16 string BM >>>30 beshort 12 \b, OS/2 1.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d @@ -284,7 +284,7 @@ #------------------------------------------------------------------------------ # Sony Wave64 # see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf -# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian +# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian 0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data # 128 bit + total file size (64 bits) so 24 bytes # then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A } diff --git a/magic/Magdir/sccs b/magic/Magdir/sccs index 95b3a5db..4717948f 100644 --- a/magic/Magdir/sccs +++ b/magic/Magdir/sccs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sccs,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File: sccs,v 1.7 2017/03/17 21:35:28 christos Exp $ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: @@ -17,6 +17,6 @@ # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, -# and we don't have regular expression matching yet. +# and we don't have regular expression matching yet. # Hence the following official kludge: 8 string \001s\ SCCS archive data diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific index e39720cf..1919e3eb 100644 --- a/magic/Magdir/scientific +++ b/magic/Magdir/scientific @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.10 2015/08/24 05:18:55 christos Exp $ -# scientific: file(1) magic for scientific formats +# $File: scientific,v 1.11 2017/03/17 21:35:28 christos Exp $ +# scientific: file(1) magic for scientific formats # # From: Joe Krahn @@ -90,7 +90,7 @@ # format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. -0 string HEADER\ \ \ \ +0 string HEADER\ \ \ \ >&0 regex/1l \^.{40} >>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} >>>&0 regex/1ls [A-Z0-9]{4}.{14}$ diff --git a/magic/Magdir/sendmail b/magic/Magdir/sendmail index 29004104..3cfeda74 100644 --- a/magic/Magdir/sendmail +++ b/magic/Magdir/sendmail @@ -1,27 +1,27 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.8 2015/11/11 15:27:03 christos Exp $ +# $File: sendmail,v 1.9 2017/03/17 21:35:28 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? # -# Update: Joerg Jenderek +# Update: Joerg Jenderek # GRR: this test is too general as it catches also # READ.ME.FIRST.AWP Sendmail frozen configuration # - version ====|====|====|====|====|====|====|====|====|====|====|====|=== # Email_23_f217153422.ts Sendmail frozen configuration # - version \330jK\354 -0 byte 046 +0 byte 046 # http://www.sendmail.com/sm/open_source/docs/older_release_notes/ # freezed configuration file (dbm format?) created from sendmal.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed # valid version numbers look like "7.14.4" and should be simliar to output of commands -# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" +# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration # normally only /etc/sendmail.fc or /var/adm/sendmail/sendmail.fc !:ext fc >>16 string >\0 - version %s -0 short 0x271c +0 short 0x271c # look for valid version number >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration !:ext fc diff --git a/magic/Magdir/sequent b/magic/Magdir/sequent index 5137c0ed..780d77e5 100644 --- a/magic/Magdir/sequent +++ b/magic/Magdir/sequent @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sequent,v 1.12 2014/08/16 16:07:12 christos Exp $ +# $File: sequent,v 1.13 2017/03/17 21:35:28 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins . @@ -33,9 +33,9 @@ # http://en.wikipedia.org/wiki/Sequent_Computer_Systems # below test line conflicts with MS-DOS 2.11 floppies and Acronis loader #0 leshort 0x42eb SYMMETRY i386 standalone executable -0 leshort 0x42eb +0 leshort 0x42eb # skip unlike negative version ->124 lelong >-1 +>124 lelong >-1 # assuming version 28867614 is very low probable >>124 lelong !28867614 SYMMETRY i386 standalone executable >>>16 lelong >0 not stripped diff --git a/magic/Magdir/sharc b/magic/Magdir/sharc index b40e6523..e54088bc 100644 --- a/magic/Magdir/sharc +++ b/magic/Magdir/sharc @@ -1,9 +1,9 @@ #------------------------------------------------------------------------ -# $File: sharc,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: sharc,v 1.8 2017/03/17 21:35:28 christos Exp $ # file(1) magic for sharc files # -# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by +# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by # FutureGroove Music (dsp@futuregroove.de) #------------------------------------------------------------------------ diff --git a/magic/Magdir/sketch b/magic/Magdir/sketch index 82dacb8f..ee731ddd 100644 --- a/magic/Magdir/sketch +++ b/magic/Magdir/sketch @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sketch,v 1.4 2009/09/19 16:28:12 christos Exp $ -# Sketch Drawings: http://sketch.sourceforge.net/ +# $File: sketch,v 1.5 2017/03/17 21:35:28 christos Exp $ +# Sketch Drawings: http://sketch.sourceforge.net/ # From: Edwin Mons 0 search/1 ##Sketch Sketch document text diff --git a/magic/Magdir/sql b/magic/Magdir/sql index b07350a6..acc45293 100644 --- a/magic/Magdir/sql +++ b/magic/Magdir/sql @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sql,v 1.20 2016/07/05 19:49:59 christos Exp $ +# $File: sql,v 1.21 2017/03/17 21:35:28 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" @@ -73,7 +73,7 @@ >>3 byte x Version %d #------------------------------------------------------------------------------ -# iRiver H Series database file +# iRiver H Series database file # From Ken Guest # As observed from iRivNavi.iDB and unencoded firmware # @@ -133,9 +133,9 @@ 0 string PSDB\0 Panasonic channel list DataBase !:ext db/bin #!:mime application/x-db-svl-panasonic ->126 string SQLite\ format\ 3 +>126 string SQLite\ format\ 3 #!:mime application/x-panasonic-sqlite3 ->>&-15 indirect x \b; contains +>>&-15 indirect x \b; contains # H2 Database from http://www.h2database.com/ 0 string --\ H2\ 0.5/B\ --\ \n H2 Database file diff --git a/magic/Magdir/sysex b/magic/Magdir/sysex index 97472e27..fc9cbf4e 100644 --- a/magic/Magdir/sysex +++ b/magic/Magdir/sysex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.8 2014/06/03 19:17:27 christos Exp $ +# $File: sysex,v 1.9 2017/03/17 21:35:28 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems @@ -256,7 +256,7 @@ >1 belong&0xffffff00 0x00011d00 Nemesys >1 belong&0xffffff00 0x00011e00 DBX >1 belong&0xffffff00 0x00011f00 Syndyne ->1 belong&0xffffff00 0x00012000 Bitheadz +>1 belong&0xffffff00 0x00012000 Bitheadz >1 belong&0xffffff00 0x00012100 Cakewalk >1 belong&0xffffff00 0x00012200 Staccato >1 belong&0xffffff00 0x00012300 National Semicon. diff --git a/magic/Magdir/terminfo b/magic/Magdir/terminfo index b201bcae..064b1d6b 100644 --- a/magic/Magdir/terminfo +++ b/magic/Magdir/terminfo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: terminfo,v 1.7 2016/03/17 21:02:29 christos Exp $ +# $File: terminfo,v 1.8 2017/03/17 21:35:28 christos Exp $ # terminfo: file(1) magic for terminfo # # XXX - byte order for screen images? @@ -9,16 +9,16 @@ # Reference: ncurses-5.9/ncurses/tinfo/write_entry.c # Update: Joerg Jenderek # -# GRR: line below too general as it catches also +# GRR: line below too general as it catches also # Targa image type 1 with 26 long identification field # and HELP.DSK -0 string \032\001 +0 string \032\001 # 5th character of terminal name list, but not Targa image pixel size (15 16 24 32) ->16 ubyte >32 +>16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s" !:mime application/x-terminfo # no extension -#!:ext +#!:ext 0 short 0433 Curses screen image 0 short 0434 Curses screen image diff --git a/magic/Magdir/vms b/magic/Magdir/vms index 49393039..56d57ae9 100644 --- a/magic/Magdir/vms +++ b/magic/Magdir/vms @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vms,v 1.9 2014/08/17 13:47:59 christos Exp $ +# $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) @@ -25,6 +25,6 @@ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # # GRR this test is still too general as it catches example adressen.dbt -0 belong 0x03000000 +0 belong 0x03000000 >8 ubelong 0xec020000 VMS Alpha executable >>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption diff --git a/magic/Magdir/vmware b/magic/Magdir/vmware index b6b6a619..cd1a9d95 100644 --- a/magic/Magdir/vmware +++ b/magic/Magdir/vmware @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vmware,v 1.7 2009/09/19 16:28:13 christos Exp $ +# $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) -0 belong 0x4d52564e VMware nvram +0 belong 0x4d52564e VMware nvram diff --git a/magic/Magdir/vorbis b/magic/Magdir/vorbis index 3b5e51f5..5335ca87 100644 --- a/magic/Magdir/vorbis +++ b/magic/Magdir/vorbis @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vorbis,v 1.22 2015/03/28 15:14:55 christos Exp $ +# $File: vorbis,v 1.23 2017/03/17 21:35:28 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner @@ -95,7 +95,7 @@ # in a different place, so we must use an indirect offset. >>>(84.b+85) string \x03vorbis >>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I ->>>>>(84.b+120) string >00000000 +>>>>>(84.b+120) string >00000000 # Map to beta version numbers: >>>>>>(84.b+120) string <20000508 (>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) @@ -117,7 +117,7 @@ >>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org >>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I ->>>>>(84.b+117) string >00000000 +>>>>>(84.b+117) string >00000000 >>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string 20020717 (1.0) >>>>>>(84.b+117) string 20030909 (1.0.1) @@ -128,13 +128,13 @@ !:mime audio/ogg >>>36 ubyte >0x0F UNKNOWN VERSION %u, >>>36 ubyte &0x0F version 0.%d ->>>>46 ubyte >1 +>>>>46 ubyte >1 >>>>>46 ubyte !255 unknown channel mapping family %u, >>>>>37 ubyte x %u channels >>>>46 ubyte 0 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo ->>>>46 ubyte 1 +>>>>46 ubyte 1 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo >>>>>37 ubyte 3 linear surround diff --git a/magic/Magdir/windows b/magic/Magdir/windows index faaa7e29..7766ce8d 100644 --- a/magic/Magdir/windows +++ b/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $ +# $File: windows,v 1.15 2017/03/17 21:35:28 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -29,7 +29,7 @@ # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) -0 string PAGE +0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE @@ -66,13 +66,13 @@ # Summary: Old format help files # URL: https://en.wikipedia.org/wiki/WinHelp # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Created by: Dirk Jagdmann # # check and then display version and date inside MS Windows HeLP file fragment 0 name help-ver-date # look for Magic of SYSTEMHEADER ->0 leshort 0x036C +>0 leshort 0x036C # version Major 1 for right file fragment >>4 leshort 1 Windows # print non empty string above to avoid error message @@ -93,7 +93,7 @@ >>>6 ldate x \b, %s # # Magic for HeLP files -0 lelong 0x00035f3f +0 lelong 0x00035f3f # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" # file header magic 0x293B at DirectoryStart+9 >(4.l+9) uleshort 0x293B MS @@ -101,37 +101,37 @@ >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation !:mime application/x-winhelp !:ext ann ->>0xD4 string !\x62\x6D\x66\x01\x00 +>>0xD4 string !\x62\x6D\x66\x01\x00 # "GID Help index" by TrID >>>(4.l+0x65) string =|Pete Windows help Global Index !:mime application/x-winhelp !:ext gid # HeLP Bookmark or # "Windows HELP File" by TrID ->>>(4.l+0x65) string !|Pete +>>>(4.l+0x65) string !|Pete # maybe there exist a cleaner way to detect HeLP fragments # brute search for Magic 0x036C with matching Major maximal 7 iterations # discapp.hlp ->>>>16 search/0x49AF/s \x6c\x03 +>>>>16 search/0x49AF/s \x6c\x03 >>>>>&0 use help-ver-date ->>>>>&4 leshort !1 +>>>>>&4 leshort !1 # putty.hlp ->>>>>>&0 search/0x69AF/s \x6c\x03 +>>>>>>&0 search/0x69AF/s \x6c\x03 >>>>>>>&0 use help-ver-date ->>>>>>>&4 leshort !1 ->>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>&4 leshort !1 +>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>&0 use help-ver-date ->>>>>>>>>&4 leshort !1 ->>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>&4 leshort !1 +>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 # GCC.HLP is detected after 7 iterations >>>>>>>>>>>>>>>>>&0 use help-ver-date # this only happens if bigger hlp file is detected after used search iterations @@ -139,7 +139,7 @@ !:mime application/winhelp !:ext hlp # repeat search again or following default line does not work ->>>>16 search/0x49AF/s \x6c\x03 +>>>>16 search/0x49AF/s \x6c\x03 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) >>>>16 default x Windows help Bookmark !:mime application/x-winhelp @@ -180,21 +180,21 @@ #>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx # start with colon or semicolon for comment line like Back2Life.cnt -0 regex \^(:|;) +0 regex \^(:|;) # look for first keyword Base ->0 search/45 :Base +>0 search/45 :Base >>&0 use cnt-name # only solution to search again from beginning , because relative offsets changes when use is called ->0 search/45 :Base ->0 default x +>0 search/45 :Base +>0 default x # look for other keyword Title like in putty.cnt ->>0 search/45 :Title +>>0 search/45 :Title >>>&0 use cnt-name # # display mime type and name of Windows help Content source 0 name cnt-name # skip space at beginning ->0 string \ +>0 string \ # name without extension and greater character or name with hlp extension >>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" !:mime text/plain @@ -210,7 +210,7 @@ # Summary: Hyper terminal # Extension: .ht # Created by: unknown -0 string HyperTerminal\ +0 string HyperTerminal\ >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile # http://ithreats.files.wordpress.com/2009/05/\ @@ -293,7 +293,7 @@ # Extension: .reg # Submitted by: Abel Cheung 0 string REGEDIT4\r\n\r\n Windows Registry text (Win95 or above) -0 string Windows\ Registry\ Editor\ +0 string Windows\ Registry\ Editor\ >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013 @@ -301,10 +301,10 @@ # PR/383: remove unicode BOM because it is not portable across regex impls 0 regex/s \\`(\\r\\n|;|[[]) # left bracket in section line ->&0 search/8192 [ +>&0 search/8192 [ # http://en.wikipedia.org/wiki/Autorun.inf # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx ->>&0 regex/c \^(autorun)]\r\n +>>&0 regex/c \^(autorun)]\r\n >>>&0 ubyte =0x5b INItialization configuration !:mime application/x-wine-extension-ini # From: Pal Tamas @@ -343,31 +343,31 @@ # http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information >>&0 regex/c \^(boot\x20loader)] Windows boot.ini !:mime application/x-wine-extension-ini ->>>&0 ubyte x +>>>&0 ubyte x # http://en.wikipedia.org/wiki/CONFIG.SYS >>&0 regex/c \^(menu)]\r\n MS-DOS CONFIG.SYS # http://support.microsoft.com/kb/118579/ >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS # VERS string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # STRI string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 # NGS] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation !:mime application/x-setupscript # unknown keyword after opening bracket ->>&0 default x ->>>&0 search/8192 [ +>>&0 default x +>>>&0 search/8192 [ # version Strings FileIdentification ->>>>&0 string/c version Windows setup INFormation +>>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript # VERS string unicoded case-independent ->>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other #>>>>&0 default x Generic INItialization configuration @@ -376,21 +376,21 @@ # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp -0 leshort&0xFeFe 0x0000 +0 leshort&0xFeFe 0x0000 !:strength -5 # test for unused null bits in PNF_FLAGs ->4 ulelong&0xFCffFe00 0x00000000 +>4 ulelong&0xFCffFe00 0x00000000 # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure ->>68 ulelong >0x57 +>>68 ulelong >0x57 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF !:mime application/x-pnf # currently only found Major Version=1 and Minor Version=1 -#>>>>0 uleshort =0x0101 +#>>>>0 uleshort =0x0101 #>>>>>1 ubyte x \b, version %u #>>>>>0 ubyte x \b.%u ->>>>0 uleshort !0x0101 +>>>>0 uleshort !0x0101 >>>>>1 ubyte x \b, version %u >>>>>0 ubyte x \b.%u # 1 ,2 (windows 98 SE) @@ -416,10 +416,10 @@ #>>>>16 ulelong x \b, InfVersionDataSize 0x%x # only found positive values lower 0x00ffFFff for InfVersionDataOffset >>>>20 ulelong x \b, at 0x%x ->>>>4 ulelong&0x00000001 =0x00000001 -# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature +>>>>4 ulelong&0x00000001 =0x00000001 +# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>>>>(20.l) lestring16 x "%s" ->>>>4 ulelong&0x00000001 !0x00000001 +>>>>4 ulelong&0x00000001 !0x00000001 >>>>>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx @@ -435,23 +435,23 @@ #>>>>64 ulelong x \b, InfValueBlockSize 0x%x # WinDirPathOffset #>>>>68 ulelong x \b, at 0x%x ->>>>68 ulelong >0x57 ->>>>>4 ulelong&0x00000001 =0x00000001 ->>>>>>(68.l) ubequad =0x43003a005c005700 +>>>>68 ulelong >0x57 +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(68.l) ubequad =0x43003a005c005700 # normally unicoded C:\Windows #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>>(68.l) ubequad !0x43003a005c005700 +>>>>>>(68.l) ubequad !0x43003a005c005700 >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # normally ASCII C:\WINDOWS #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s" -# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF +# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF #>>>>72 ulelong >0 \b, at 0x%x >>>>72 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(72.l) lestring16 x OsLoaderPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # seldom C:\ instead empty >>>>>>(72.l) string x OsLoaderPath "%s" # 1fdh @@ -462,16 +462,16 @@ # InfSourcePathOffset often 0 #>>>>80 ulelong >0 \b, at 0x%x >>>>80 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(80.l) lestring16 x SourcePath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 #>>>>84 ulelong >0 \b, at 0x%x >>>>84 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(84.l) lestring16 x InfName "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(84.l) string >\0 InfName "%s" # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 @@ -480,13 +480,13 @@ # URL: http://en.wikipedia.org/wiki/NTBackup # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF # Descriptor BloCK name of Microsoft Tape Format -0 string TAPE +0 string TAPE # Format Logical Address is zero ->20 ulequad 0 +>20 ulequad 0 # Reserved for MBC is zero ->>28 uleshort 0 +>>28 uleshort 0 # Control Block ID is zero ->>>36 ulelong 0 +>>>36 ulelong 0 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive #!:mime application/x-ntbackup @@ -508,7 +508,7 @@ >>>>>4 ulelong&0x00000004 !0 \b, compressed # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit ->>>>>4 ulelong&0x00020000 0 +>>>>>4 ulelong&0x00020000 0 # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape >>>>>>4 ulelong&0x00010000 !0 \b, with catalog # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present @@ -531,37 +531,37 @@ # Media Based Catalog Type (1,2) #>>>>>66 uleshort x \b, catalog type %4.4x # size of Media Name (66,68,6Eh) ->>>>>68 uleshort >0 +>>>>>68 uleshort >0 # offset of Media Name (5Eh) ->>>>>>70 uleshort >0 +>>>>>>70 uleshort >0 # 0~, 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 +>>>>>>>48 ubyte 1 # size terminated ansi coded string normally followed by "MTF Media Label" >>>>>>>>(70.s) string >\0 \b, name: %s ->>>>>>>48 ubyte 2 +>>>>>>>48 ubyte 2 # Not null, but size terminated unicoded string >>>>>>>>(70.s) lestring16 x \b, name: %s # size of Media Label (104h) ->>>>>72 uleshort >0 +>>>>>72 uleshort >0 # offset of Media Label (C4h,C6h,CCh) ->>>>>74 uleshort >0 ->>>>>>48 ubyte 1 +>>>>>74 uleshort >0 +>>>>>>48 ubyte 1 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields >>>>>>>(74.s) string >\0 \b, label: %s ->>>>>>48 ubyte 2 +>>>>>>48 ubyte 2 >>>>>>>(74.s) lestring16 x \b, label: %s # size of password name (0,1Ch) #>>>>>76 uleshort >0 \b, password size %4.4x # Software Vendor ID (CBEh) >>>>>86 uleshort x \b, software (0x%x) # size of Software Name (6Eh) ->>>>>80 uleshort >0 +>>>>>80 uleshort >0 # offset of Software Name (1C8h,1CAh,1D0h) ->>>>>>82 uleshort >0 +>>>>>>82 uleshort >0 # 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 +>>>>>>>48 ubyte 1 >>>>>>>>(82.s) string >\0 \b: %s ->>>>>>>48 ubyte 2 +>>>>>>>48 ubyte 2 # size terminated unicoded coded string normally followed by "SPAD" >>>>>>>>(82.s) lestring16 x \b: %s # Format Logical Block Size (512,1024) diff --git a/magic/Magdir/xenix b/magic/Magdir/xenix index 89de6033..fb83faa8 100644 --- a/magic/Magdir/xenix +++ b/magic/Magdir/xenix @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xenix,v 1.10 2016/04/19 18:14:19 christos Exp $ +# $File: xenix,v 1.11 2017/03/17 21:35:28 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small @@ -16,14 +16,14 @@ # Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf # Update: Joerg Jenderek # recordtype~TranslatorHEADerRecord -0 byte 0x80 +0 byte 0x80 # GRR: line above is too general as it catches also Extensible storage engine DataBase # skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3 ->1 uleshort <1022 +>1 uleshort <1022 # skip examples like GAME.PICTURE Strange.Pic by looking for positiv record length ->>1 uleshort >0 +>>1 uleshort >0 # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positiv string length ->>>3 ubyte >0 +>>>3 ubyte >0 # skip examples like OMBRE.6 with "UUUUUU" by looking for filename like "hello.c" >>>>4 regex [a-zA-Z_/]{1,8}[.] 8086 relocatable (Microsoft) #!:mime application/octet-stream @@ -54,8 +54,8 @@ >0x1c byte &0x9 286 >0x1c byte &0xa 386 >0x1f byte <0x040 small model ->0x1f byte =0x048 large model ->0x1f byte =0x049 huge model +>0x1f byte =0x048 large model +>0x1f byte =0x049 huge model >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x40 Large Text diff --git a/magic/Magdir/xilinx b/magic/Magdir/xilinx index 91e84d91..a5219778 100644 --- a/magic/Magdir/xilinx +++ b/magic/Magdir/xilinx @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: xilinx,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: xilinx,v 1.8 2017/03/17 21:35:28 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 # -# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, -# fixes at least reading of bitfiles from Spartan 2, 3, 6. +# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, +# fixes at least reading of bitfiles from Spartan 2, 3, 6. # http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm # # First there is the sync header and its length @@ -20,7 +20,7 @@ >>>>&0 pstring/H x - from %s # And then 'b' >>>>>&1 string b -# Then the model / part number: +# Then the model / part number: >>>>>>&0 pstring/H x - for %s # Then 'c' >>>>>>>&1 string c @@ -36,5 +36,5 @@ >>>>>>>>>>>>&0 belong x - data length 0x%x # Raw bitstream files -0 long 0xffffffff +0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) diff --git a/magic/Magdir/xwindows b/magic/Magdir/xwindows index eb208927..85f64c8c 100644 --- a/magic/Magdir/xwindows +++ b/magic/Magdir/xwindows @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: xwindows,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: xwindows,v 1.10 2017/03/17 21:35:28 christos Exp $ # xwindows: file(1) magic for various X/Window system file formats. -# Compiled X Keymap +# Compiled X Keymap # XKM (compiled X keymap) files (including version and byte ordering) 1 string mkx Compiled XKB Keymap: lsb, >0 byte >0 version %d -- 2.40.0