diff options
Diffstat (limited to 'magic/Magdir')
340 files changed, 45070 insertions, 0 deletions
diff --git a/magic/Magdir/acorn b/magic/Magdir/acorn new file mode 100644 index 0000000..37a4ed7 --- /dev/null +++ b/magic/Magdir/acorn @@ -0,0 +1,102 @@ + +#------------------------------------------------------------------------------ +# $File: acorn,v 1.8 2021/04/26 15:56:00 christos Exp $ +# acorn: file(1) magic for files found on Acorn systems +# + +# RISC OS Chunk File Format +# From RISC OS Programmer's Reference Manual, Appendix D +# We guess the file type from the type of the first chunk. +0 lelong 0xc3cbc6c5 RISC OS Chunk data +>12 string OBJ_ \b, AOF object +>12 string LIB_ \b, ALF library + +# RISC OS AIF, contains "SWI OS_Exit" at offset 16. +16 lelong 0xef000011 RISC OS AIF executable + +# RISC OS Draw files +# From RISC OS Programmer's Reference Manual, Appendix E +0 string Draw RISC OS Draw file data + +# RISC OS new format font files +# From RISC OS Programmer's Reference Manual, Appendix E +0 string FONT\0 RISC OS outline font data, +>5 byte x version %d +0 string FONT\1 RISC OS 1bpp font data, +>5 byte x version %d +0 string FONT\4 RISC OS 4bpp font data +>5 byte x version %d + +# RISC OS Music files +# From RISC OS Programmer's Reference Manual, Appendix E +0 string Maestro\r RISC OS music file +>8 byte x version %d + +>8 byte x type %d + +# Digital Symphony data files +# From: Bernard Jungen (bern8817@euphonynet.be) +0 string \x02\x01\x13\x13\x13\x01\x0d\x10 Digital Symphony sound sample (RISC OS), +>8 byte x version %d, +>9 pstring x named "%s", +>(9.b+19) byte =0 8-bit logarithmic +>(9.b+19) byte =1 LZW-compressed linear +>(9.b+19) byte =2 8-bit linear signed +>(9.b+19) byte =3 16-bit linear signed +>(9.b+19) byte =4 SigmaDelta-compressed linear +>(9.b+19) byte =5 SigmaDelta-compressed logarithmic +>(9.b+19) byte >5 unknown format + +0 string \x02\x01\x13\x13\x14\x12\x01\x0b Digital Symphony song (RISC OS), +>8 byte x version %d, +>9 byte =1 1 voice, +>9 byte !1 %d voices, +>10 leshort =1 1 track, +>10 leshort !1 %d tracks, +>12 leshort =1 1 pattern +>12 leshort !1 %d patterns + +0 string \x02\x01\x13\x13\x10\x14\x12\x0e +>9 byte =0 Digital Symphony sequence (RISC OS), +>>8 byte x version %d, +>>10 byte =1 1 line, +>>10 byte !1 %d lines, +>>11 leshort =1 1 position +>>11 leshort !1 %d positions +>9 byte =1 Digital Symphony pattern data (RISC OS), +>>8 byte x version %d, +>>10 leshort =1 1 pattern +>>10 leshort !1 %d patterns + +# From: Joerg Jenderek +# URL: https://www.kyzer.me.uk/pack/xad/#PackDir +# reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c +# GRR: line below is too general as it matches also "Git pack" in ./revision +0 string PACK\0 +# check for valid compression method 0-4 +>5 ulelong <5 +# https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems +# To skip "Git pack" version 0 test for root directory object like +# ADFS::RPC.$.websitezip.FONTFIX +>>9 string >ADFS\ PackDir archive (RISC OS) +# TrID labels above as "Acorn PackDir compressed Archive" +# compression mode y (0 - 4) for GIF LZW with a maximum n bits +# (y~n,0~12,1~13,2~14,3~15,4~16) +>>>5 ulelong+12 x \b, LZW %u-bits compression +# https://www.filebase.org.uk/filetypes +# !Packdir compressed archive has three hexadecimal digits code 68E +!:mime application/x-acorn-68E +!:ext pkd/bin +# null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo +>>>9 string x \b, root "%s" +# load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time +>>>>&1 ulelong x \b, load address %#x +# execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC +>>>>&5 ulelong x \b, exec address %#x +# attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) +>>>>&9 ulelong x \b, attributes %#x +# number of entries in this directory. for root dir 0 +#>>>&13 ulelong x \b, entries %#x +# the entries start here with object name +>>>>&17 string x \b, 1st object "%s" + diff --git a/magic/Magdir/adi b/magic/Magdir/adi new file mode 100644 index 0000000..2fe79d4 --- /dev/null +++ b/magic/Magdir/adi @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: adi,v 1.4 2009/09/19 16:28:07 christos Exp $ +# adi: file(1) magic for ADi's objects +# From Gregory McGarry <g.mcgarry@ieee.org> +# +0 leshort 0x521c COFF DSP21k +>18 lelong &02 executable, +>18 lelong ^02 +>>18 lelong &01 static object, +>>18 lelong ^01 relocatable object, +>18 lelong &010 stripped +>18 lelong ^010 not stripped diff --git a/magic/Magdir/adventure b/magic/Magdir/adventure new file mode 100644 index 0000000..bd7f863 --- /dev/null +++ b/magic/Magdir/adventure @@ -0,0 +1,122 @@ + +#------------------------------------------------------------------------------ +# $File: adventure,v 1.18 2019/04/19 00:42:27 christos Exp $ +# adventure: file(1) magic for Adventure game files +# +# from Allen Garvin <earendil@faeryland.tamu-commerce.edu> +# Edited by Dave Chapeskie <dchapes@ddm.on.ca> Jun 28, 1998 +# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 +# +# ALAN +# I assume there are other, lower versions, but these are the only ones I +# saw in the archive. +0 beshort 0x0206 ALAN game data +>2 byte <10 version 2.6%d + + +# Infocom (see z-machine) +#------------------------------------------------------------------------------ +# Z-machine: file(1) magic for Z-machine binaries. +# Sanity checks by David Griffith <dave@661.org> +# Updated by Adam Buchbinder <adam.buchbinder@gmail.com> +# +#http://www.gnelson.demon.co.uk/zspec/sect11.html +#https://www.jczorkmid.net/~jpenney/ZSpec11-latest.txt +#https://en.wikipedia.org/wiki/Z-machine +# The first byte is the Z-machine revision; it is always between 1 and 8. We +# had false matches (for instance, inbig5.ocp from the Omega TeX extension as +# well as an occasional MP3 file), so we sanity-check the version number. +# +# It might be possible to sanity-check the release number as well, as it seems +# (at least in classic Infocom games) to always be a relatively small number, +# always under 150 or so, but as this isn't rigorous, we'll wait on that until +# it becomes clear that it's needed. +# +0 ubyte >0 +>0 ubyte <9 +>>16 belong&0xfe00f0f0 0x3030 +>>>0 ubyte < 10 +>>>>2 ubeshort x +>>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9] +>>>>>>0 ubyte < 10 Infocom (Z-machine %d +>>>>>>>2 ubeshort x \b, Release %d +>>>>>>>>18 string >\0 \b, Serial %.6s +>>>>>>>>18 string x \b) +!:strength + 40 +!:mime application/x-zmachine + +#------------------------------------------------------------------------------ +# Glulx: file(1) magic for Glulx binaries. +# +# David Griffith <dave@661.org> +# I haven't checked for false matches yet. +# +0 string Glul Glulx game data +>4 beshort x (Version %d +>>6 byte x \b.%d +>>8 byte x \b.%d) +>36 string Info Compiled by Inform +!:mime application/x-glulx + + +# For Quetzal and blorb magic see iff + + +# TADS (Text Adventure Development System) version 2 +# All files are machine-independent (games compile to byte-code) and are tagged +# with a version string of the form "V2.<digit>.<digit>\0". +# Game files start with "TADS2 bin\n\r\032\0" then the compiler version. +0 string TADS2\ bin TADS +>9 belong !0x0A0D1A00 game data, CORRUPTED +>9 belong 0x0A0D1A00 +>>13 string >\0 %s game data +!:mime application/x-tads +# Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version. +0 string TADS2\ rsc TADS +>9 belong !0x0A0D1A00 resource data, CORRUPTED +>9 belong 0x0A0D1A00 +>>13 string >\0 %s resource data +!:mime application/x-tads +# Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian +# 2-byte length N, the N-char name of the game file *without* a NUL (darn!), +# "TADS2 save\n\r\032\0" and the interpreter version. +0 string TADS2\ save/g TADS +>12 belong !0x0A0D1A00 saved game data, CORRUPTED +>12 belong 0x0A0D1A00 +>>(16.s+32) string >\0 %s saved game data +!:mime application/x-tads +# Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter +# version. +0 string TADS2\ save TADS +>10 belong !0x0A0D1A00 saved game data, CORRUPTED +>10 belong 0x0A0D1A00 +>>14 string >\0 %s saved game data +!:mime application/x-tads + +# TADS (Text Adventure Development System) version 3 +# Game files start with "T3-image\015\012\032" +0 string T3-image\015\012\032 +>11 leshort x TADS 3 game data (format version %d) +# Saved game files start with "T3-state-v####\015\012\032" +# where #### is a format version number +0 string T3-state-v +>14 string \015\012\032 TADS 3 saved game data (format version +>>10 byte x %c +>>11 byte x \b%c +>>12 byte x \b%c +>>13 byte x \b%c) +!:mime application/x-t3vm-image + +# edited by David Griffith <dave@661.org> +# Danny Milosavljevic <danny.milo@gmx.net> +# These are ADRIFT (adventure game standard) game files, extension .taf +# Checked from source at (http://www.adrift.co/) and various taf files +# found at the Interactive Fiction Archive (https://ifarchive.org/) +0 belong 0x3C423FC9 +>4 belong 0x6A87C2CF Adrift game file version +>>8 belong 0x94453661 3.80 +>>8 belong 0x94453761 3.90 +>>8 belong 0x93453E61 4.0 +>>8 belong 0x92453E61 5.0 +>>8 default x unknown +!:mime application/x-adrift diff --git a/magic/Magdir/aes b/magic/Magdir/aes new file mode 100644 index 0000000..e5e1edc --- /dev/null +++ b/magic/Magdir/aes @@ -0,0 +1,29 @@ + +#------------------------------------------------------------------------------ +# $File: aes,v 1.1 2020/08/18 21:20:22 christos Exp $ +# +# aes: magic file for AES encrypted files + +# Summary: AES Crypt Encrypted Data File +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard +# Reference: https://www.aescrypt.com/aes_file_format.html +0 string AES +>3 ubyte <3 AES encrypted data, version %u +#!:mime application/aes +!:mime application/x-aes-encrypted +!:ext aes +# For Version 2 the encrypted file can have text tags +>>3 ubyte =2 +# length of an extension identifier and contents like: 0 24 33 38 +#>>5 ubeshort x \b, tag length %u +#>>5 pstring/H x '%s' +# standard extension tags like CREATED_BY +>>>7 string CREATED_BY \b, created by +# software product, manufacturer like "SharpAESCrypt v1.3.3.0" "aescrypt (Windows GUI) 3.10" ... +>>>>&1 string x "%s" +# TODO: more other tags +# tag CREATED_DATE like YYYY-MM-DD +# tag CREATED_TIME like HH:MM:SS +# + diff --git a/magic/Magdir/algol68 b/magic/Magdir/algol68 new file mode 100644 index 0000000..1ca1fad --- /dev/null +++ b/magic/Magdir/algol68 @@ -0,0 +1,35 @@ + +#------------------------------------------------------------------------------ +# $File: algol68,v 1.6 2022/11/06 18:36:55 christos Exp $ +# algol68: file(1) magic for Algol 68 source +# +# URL: https://en.wikipedia.org/wiki/ALGOL_68 +# Reference: http://www.softwarepreservation.org/projects/ALGOL/report/Algol68_revised_report-AB.pdf +# Update: Joerg Jenderek +0 search/8192 (input, +>0 use algol_68 +# graph_2d.a68 +0 regex/4006 \^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]= +>0 use algol_68 +0 regex/1024 \bMODE[\t\ ] +>0 use algol_68 +0 regex/1024 \bMODE[\t\ ] +>0 use algol_68 +0 regex/1024 \bREF[\t\ ] +>0 use algol_68 +0 regex/1024 \bFLEX[\t\ ]\*\\[ +>0 use algol_68 + +# display information like mime type and file name extension of Algol 68 source text +0 name algol_68 Algol 68 source text +!:mime text/x-Algol68 +# https://file-extension.net/seeker/file_extension_a68 +!:ext a68 +#!:ext a68/alg + +#0 regex [\t\ ]OD Algol 68 source text +#>0 use algol_68 +#!:mime text/x-Algol68 +#0 regex [\t\ ]FI Algol 68 source text +#>0 use algol_68 +#!:mime text/x-Algol68 diff --git a/magic/Magdir/allegro b/magic/Magdir/allegro new file mode 100644 index 0000000..b937c9c --- /dev/null +++ b/magic/Magdir/allegro @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: allegro,v 1.4 2009/09/19 16:28:07 christos Exp $ +# allegro: file(1) magic for Allegro datafiles +# Toby Deshane <hac@shoelace.digivill.net> +# +0 belong 0x736C6821 Allegro datafile (packed) +0 belong 0x736C682E Allegro datafile (not packed/autodetect) +0 belong 0x736C682B Allegro datafile (appended exe data) diff --git a/magic/Magdir/alliant b/magic/Magdir/alliant new file mode 100644 index 0000000..9620202 --- /dev/null +++ b/magic/Magdir/alliant @@ -0,0 +1,18 @@ + +#------------------------------------------------------------------------------ +# $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $ +# alliant: file(1) magic for Alliant FX series a.out files +# +# If the FX series is the one that had a processor with a 68K-derived +# instruction set, the "short" should probably become "beshort" and the +# "long" should probably become "belong". +# If it's the i860-based one, they should probably become either the +# big-endian or little-endian versions, depending on the mode they ran +# the 860 in.... +# +0 short 0420 0420 Alliant virtual executable +>2 short &0x0020 common library +>16 long >0 not stripped +0 short 0421 0421 Alliant compact executable +>2 short &0x0020 common library +>16 long >0 not stripped diff --git a/magic/Magdir/amanda b/magic/Magdir/amanda new file mode 100644 index 0000000..e7fa539 --- /dev/null +++ b/magic/Magdir/amanda @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $ +# amanda: file(1) magic for amanda file format +# +0 string AMANDA:\ AMANDA +>8 string TAPESTART\ DATE tape header file, +>>23 string X +>>>25 string >\ Unused %s +>>23 string >\ DATE %s +>8 string FILE\ dump file, +>>13 string >\ DATE %s diff --git a/magic/Magdir/amigaos b/magic/Magdir/amigaos new file mode 100644 index 0000000..fdd947f --- /dev/null +++ b/magic/Magdir/amigaos @@ -0,0 +1,218 @@ + +#------------------------------------------------------------------------------ +# $File: amigaos,v 1.20 2021/09/20 00:42:19 christos Exp $ +# amigaos: file(1) magic for AmigaOS binary formats: + +# +# From ignatios@cs.uni-bonn.de (Ignatios Souvatzis) +# +0 belong 0x000003fa AmigaOS shared library +0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary +0 belong 0x000003e7 AmigaOS object/library data +# +0 beshort 0xe310 Amiga Workbench +>2 beshort 1 +>>48 byte 1 disk icon +>>48 byte 2 drawer icon +>>48 byte 3 tool icon +>>48 byte 4 project icon +>>48 byte 5 garbage icon +>>48 byte 6 device icon +>>48 byte 7 kickstart icon +>>48 byte 8 workbench application icon +>2 beshort >1 icon, vers. %d +# +# various sound formats from the Amiga +# G=F6tz Waschk <waschk@informatik.uni-rostock.de> +# +0 string FC14 Future Composer 1.4 Module sound file +0 string SMOD Future Composer 1.3 Module sound file +0 string AON4artofnoise Art Of Noise Module sound file +1 string MUGICIAN/SOFTEYES Mugician Module sound file +58 string SIDMON\ II\ -\ THE Sidmon 2.0 Module sound file +0 string Synth4.0 Synthesis Module sound file +0 string ARP. The Holy Noise Module sound file +0 string BeEp\0 JamCracker Module sound file +0 string COSO\0 Hippel-COSO Module sound file +# Too simple (short, pure ASCII, deep), MPi +#26 string V.3 Brian Postma's Soundmon Module sound file v3 +#26 string BPSM Brian Postma's Soundmon Module sound file v3 +#26 string V.2 Brian Postma's Soundmon Module sound file v2 + +# The following are from: "Stefan A. Haubenthal" <polluks@web.de> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Amiga_bitmap_font +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/font-amiga.trid.xml +# https://wiki.amigaos.net/wiki/Graphics_Library_and_Text +# fch_FileID=FCH_ID=0x0f00 +0 beshort 0x0f00 +# skip some AVM powerline firmware images by check for positive number of font elements +# https://download.avm.de/fritzpowerline/fritzpowerline-1000e-t/other/fritz.os/fritz.powerline_1000ET_01_05.image +>2 ubeshort >0 AmigaOS bitmap font +#!:mime application/octet-stream +!:mime font/x-amiga-font +!:ext font +# struct FontContents fch_FC; 1st fc_FileName [MAXFONTPATH=256]; ~ filename "/" fc_YSize +# like: topazb/6 suits/8 Excel/9e emerald/17 Franklin/23 DIAMONDS/60.8C +>>4 string x "%.256s" +# fc_YSize ~number after slash in fc_FileName; like: 6 7 8 9 11 12 16 17 21 23 45 60 +>>260 beshort x \b, fc_YSize %u +# fch_NumEntries; number of FontContents elements like: +# 1 (often) 2 3 (IconCondensed.font tempfont.font) 4 (Franklin.font) 6 (mcoop.font) +>>2 ubeshort >1 \b, %u elements +#>>2 beshort x \b, %u element +# plural s +#>>2 beshort !1 \bs +# like: 6 7 8 9 11 12 16 17 21 23 45 60 +#>>262 beshort x \b, FLAGS_STYLE +>>2 beshort >1 \b, 2nd +# 2nd fc_FileName like: Franklin/36 +>>>264 string x "%.256s" +>>2 beshort >2 \b, 3rd +# 3rd fc_FileName like: Franklin/18 +>>>524 string x "%.256s" +# URL: http://fileformats.archiveteam.org/wiki/Amiga_bitmap_font +# Reference: https://wiki.amigaos.net/wiki/Graphics_Library_and_Text +# http://mark0.net/download/triddefs_xml.7z/defs/f/font-amiga-var2.trid.xml +# Note: called by TrID "Amiga bitmap Font (var.2)" +# fch_FileID=TFCH_ID=0x0f02 +0 beshort 0x0f02 +# skip possible misidentified foo by check for positive number of font elements +>2 ubeshort >0 AmigaOS bitmap font (TFCH) +#!:mime application/octet-stream +!:mime font/x-amiga-font +!:ext font +# struct TFontContents fch_TFC[]; 1st tfc_FileName [254]; ~ filename "/" fc_YSize +# like: Abbey/45 XScript/75 XTriumvirate/45 +>>4 string x "%.254s" +# tfc_TagCount; including the TAG_END tag like: 4 +>>258 ubeshort x \b, tfc_TagCount %u +# tfc_YSize ~number after slash in tfc_FileName; like: 45 75 +>>260 beshort x \b, tfc_YSize %u +# tfc_Style; tfc_Flags like: 8022h 8222h +#>>262 ubeshort x \b, FLAGS_STYLE %#x +# fch_NumEntries; number of FontContents elements like: 1 (abbey.font) 2 (xscript.font xtriumvirate.font) +>>2 ubeshort >1 \b, %u elements +>>2 beshort >1 \b, 2nd +# 2nd tfc_FileName like: XScript/45 XTriumvirate/30 +>>>264 string x "%.254s" +0 beshort 0x0f03 AmigaOS outline font +0 belong 0x80001001 AmigaOS outline tag +0 string ##\ version catalog translation +0 string EMOD\0 Amiga E module +8 string ECXM\0 ECX module +0 string/c @database AmigaGuide file + +# Amiga disk types +# display information like volume name of root block on Amiga (floppy) disk +0 name adf-rootblock +# block primary type = T_HEADER (value 2) +>0x000 ubelong !2 \b, type %u +# header_key; unused in rootblock (value 0) +>0x004 ubelong !0 \b, header_key %u +# high_seq; unused (value 0) +>0x008 ubelong !0 \b, high_seq %u +# ht_size; hash table size; 0x48 for flopies +>0x00c ubelong !0x48 \b, hash table size %#x +# bm_flag; bitmap flag, -1 means VALID +>0x138 belong !-1 \b, bitmap flag %#x +# bm_ext; first bitmap extension block (Hard disks only) +>0x1A0 ubelong !0 \b, bitmap extension block %#x +# name_len; volume name length; diskname[30]; volume name +>0x1B0 pstring >\0 \b, "%s" +# first directory cache block for FFS; otherwise 0 +>0x1F8 ubelong !0 \b, directory cache block %#x +# block secondary type = ST_ROOT (value 1) +>0x1FC ubelong !1 \b, sec_type %#x +# +0 string RDSK Rigid Disk Block +>160 string x on %.24s +# URL: http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# https://en.wikipedia.org/wiki/Amiga_Fast_File_System +# Reference: http://lclevy.free.fr/adflib/adf_info.html +# Update: Joerg Jenderek +# Note: created by ADFOpus.exe +# and verified by `unadf -l TURBO_SILVER_SV.ADF` +0 string DOS +# skip DOS Client Message Files like IPXODI.MSG DOSRQSTR.MSG +>3 ubyte <8 Amiga +# https://reposcope.com/mimetype/application/x-amiga-disk-format +!:mime application/x-amiga-disk-format +!:ext adf +>>3 ubyte 0 DOS disk +>>3 ubyte 1 FFS disk +>>3 ubyte 2 Inter DOS disk +>>3 ubyte 3 Inter FFS disk +# For Fastdir mode the international mode is also enabled, +>>3 ubyte 4 Fastdir DOS disk +>>3 ubyte 5 Fastdir FFS dis +# called by TrID "Amiga Disk image File (OFS+INTL+DIRC)" +>>3 ubyte 6 Inter Fastdir DOS disk +# called by TrID "Amiga Disk image File (FFS+INTL+DIRC)" +>>3 ubyte 7 Inter Fastdir FFS disk +# but according to Wikipedia variants with long name support +#>>3 ubyte 6 long name DOS disk +#>>3 ubyte 7 long name FFS disk +# DOES NOT only work! Partly for file size ~< FILE_BYTES_MAX=1 MiB defined in ../../src/file.h +#>>-0 offset x \b, %lld bytes +# Correct file size, but next lines are NOT executed +#>>-0 offset 901120 (DD 880 KiB floppy) +# 880 KiB Double Density floppy disk by characteristic hash table size 0x48 and T_HEADER=2 +>>0x6E00C ubelong 0x48 +>>>0x6E000 ubelong 2 (DD 880 KiB) +# 1760 KiB High Density floppy disk (1802240 bytes) by characteristic hash table size 0x48 +>>0xDC00C ubelong 0x48 +>>>0xDC000 ubelong 2 (HD 1760 KiB) +# Chksum; special block checksum like: 0 0x44ccf4c0 0x51f32cac 0xe33d0e7d ... +#>>4 ubelong x \b, CRC %#x +# Rootblock: 0 880 (often for DD and HD) 1146049280 (IMAGINE_1_0_DISK_01.ADF TURBO_SILVER_SV.ADF) +>>8 ubelong >0 \b, probably root block %d +# bootblock code +>>12 quad !0 \b, bootable +# assembler instructions: lea exp(pc),a1; moveq 25h,d0; jsr -552(a6) +>>>12 ubequad =0x43fa003e70254eae AmigaDOS 3.0 +>>>12 default x +>>>>12 ubequad !0x43fa003e70254eae %#llx.. +# 880 KiB Double Density floppy disk (901120 bytes) +>>0x6E00C ubelong 0x48 +>>>0x6E000 ubelong 2 +>>>>0x6E000 use adf-rootblock +# 1760 KiB High Density floppy disk (1802240 bytes) +>>0xDC00C ubelong 0x48 +>>>0xDC000 ubelong 2 +>>>>0xDC000 use adf-rootblock +# 1 MiB hard disc by test for T_HEADER=2 and header_key=0=high_seq +>>0x80000 ubelong 2 +>>>0x80004 quad 0 +>>>>0x80000 use adf-rootblock +# 2 MiB hard disc; only works if in ../../src/file.h FILE_BYTES_MAX is raised to 2 MiB +#>>0x100000 ubelong x 2 MiB TEST +#>>0x100000 ubelong 2 \b, 2 MiB hard disc rootblock +#>>>0x100000 use adf-rootblock +0 string KICK Kickstart disk + +# From: Alex Beregszaszi <alex@fsn.hu> +0 string LZX LZX compressed archive (Amiga) + +# From: Przemek Kramarczyk <pkramarczyk@gmail.com> +0 string .KEY AmigaDOS script +0 string .key AmigaDOS script + +# AMOS Basic file formats +# https://www.exotica.org.uk/wiki/AMOS_file_formats +0 string AMOS\040Basic\040 AMOS Basic source code +>11 byte =0x56 \b, tested +>11 byte =0x76 \b, untested +0 string AMOS\040Pro AMOS Basic source code +>11 byte =0x56 \b, tested +>11 byte =0x76 \b, untested +0 string AmSp AMOS Basic sprite bank +>4 beshort x \b, %d sprites +0 string AmIc AMOS Basic icon bank +>4 beshort x \b, %d icons +0 string AmBk AMOS Basic memory bank +>4 beshort x \b, bank number %d +>8 belong&0xFFFFFFF x \b, length %d +>12 regex .{8} \b, type %s +0 string AmBs AMOS Basic memory banks +>4 beshort x \b, %d banks diff --git a/magic/Magdir/android b/magic/Magdir/android new file mode 100644 index 0000000..8a2dedf --- /dev/null +++ b/magic/Magdir/android @@ -0,0 +1,259 @@ + +#------------------------------------------------------------ +# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $ +# Various android related magic entries +#------------------------------------------------------------ + +# Dalvik .dex format. http://retrodev.com/android/dexformat.html +# From <mkf@google.com> "Mike Fleming" +# Fixed to avoid regexec 17 errors on some dex files +# From <diff@lookout.com> "Tim Strazzere" +0 string dex\n +>0 regex dex\n[0-9]{2}\0 Dalvik dex file +>4 string >000 version %s +0 string dey\n +>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) +>4 string >000 version %s + +# Android bootimg format +# From https://android.googlesource.com/\ +# platform/system/core/+/master/mkbootimg/bootimg.h +# https://github.com/djrbliss/loki/blob/master/loki.h#L43 +0 string ANDROID! Android bootimg +>1024 string LOKI \b, LOKI'd +>>1028 lelong 0 \b (boot) +>>1028 lelong 1 \b (recovery) +>8 lelong >0 \b, kernel +>>12 lelong >0 \b (%#x) +>16 lelong >0 \b, ramdisk +>>20 lelong >0 \b (%#x) +>24 lelong >0 \b, second stage +>>28 lelong >0 \b (%#x) +>36 lelong >0 \b, page size: %d +>38 string >0 \b, name: %s +>64 string >0 \b, cmdline (%s) + +# Android Backup archive +# From: Ariel Shkedi +# Update: Joerg Jenderek +# URL: https://github.com/android/platform_frameworks_base/blob/\ +# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ +# android/server/BackupManagerService.java#L2367 +# Reference: https://sourceforge.net/projects/adbextractor/ +# android-backup-extractor/perl/backupencrypt.pl +# Note: only unix line feeds "\n" found +# After the header comes a tar file +# If compressed, the entire tar file is compressed with JAVA deflate +# +# Include the version number hardcoded with the magic string to avoid +# false positives +0 string/b ANDROID\ BACKUP\n Android Backup +# maybe look for some more characteristics like linefeed '\n' or version +#>16 string \n +# No mime-type defined officially +!:mime application/x-google-ab +!:ext ab +# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2) +>15 string >\0 \b, version %s +# "1" on 3rd line means compressed +>17 string 0\n \b, Not-Compressed +>17 string 1\n \b, Compressed +# The 4th line is encryption "none" or "AES-256" +# any string as long as it's not the word none (which is matched below) +>19 string none\n \b, Not-Encrypted +# look for backup content after line with encryption info +#>>19 search/7 \n +# data part after header for not encrypted Android Backup +#>>>&0 ubequad x \b, content %#16.16llx... +# look for zlib compressed by ./compress after message with 1 space at end +#>>>&0 indirect x \b; contains +# look for tar archive block by ./archive for package name manifest +>>288 string ustar \b; contains +>>>31 use tar-file +# look for zip/jar archive by ./archive ./zip after message with 1 space at end +#>>2079 search/1025/s PK\003\004 \b; contains +#>>>&0 indirect x +>19 string !none +>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) +# Commented out because they don't seem useful to print +# (but they are part of the header - the tar file comes after them): +# The 5th line is User Password Salt (128 Hex) +# string length too high with standard src configuration +#>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s" +#>>>&1 regex/1l .* \b, Password salt: %s +# The 6th line is Master Key Checksum Salt (128 Hex) +#>>>>&1 regex/1l .* \b, Master salt: %s +# The 7th line is Number of PBDKF2 Rounds (10000) +#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s +# The 8th line is User key Initialization Vector (IV) (32 Hex) +#>>>>>>&1 regex/1l .* \b, IV: %s +#>>>>>>&1 regex/1l .* \b, IV: %s +# The 9th line is Master IV+Key+Checksum (192 Hex) +#>>>>>>>&1 regex/1l .* \b, Key: %s +# look for new line separator char after line number 9 +#>>>0x204 ubyte 0x0a NL found +#>>>>&1 ubequad x \b, Content magic %16.16llx + +# *.pit files by Joerg Jenderek +# https://forum.xda-developers.com/showthread.php?p=9122369 +# https://forum.xda-developers.com/showthread.php?t=816449 +# Partition Information Table for Samsung's smartphone with Android +# used by flash software Odin +0 ulelong 0x12349876 +# 1st pit entry marker +>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +# minimal 13 and maximal 18 PIT entries found +>>4 ulelong <128 Partition Information Table for Samsung smartphone +>>>4 ulelong x \b, %d entries +# 1. pit entry +>>>4 ulelong >0 \b; #1 +>>>0x01C use PIT-entry +>>>4 ulelong >1 \b; #2 +>>>0x0A0 use PIT-entry +>>>4 ulelong >2 \b; #3 +>>>0x124 use PIT-entry +>>>4 ulelong >3 \b; #4 +>>>0x1A8 use PIT-entry +>>>4 ulelong >4 \b; #5 +>>>0x22C use PIT-entry +>>>4 ulelong >5 \b; #6 +>>>0x2B0 use PIT-entry +>>>4 ulelong >6 \b; #7 +>>>0x334 use PIT-entry +>>>4 ulelong >7 \b; #8 +>>>0x3B8 use PIT-entry +>>>4 ulelong >8 \b; #9 +>>>0x43C use PIT-entry +>>>4 ulelong >9 \b; #10 +>>>0x4C0 use PIT-entry +>>>4 ulelong >10 \b; #11 +>>>0x544 use PIT-entry +>>>4 ulelong >11 \b; #12 +>>>0x5C8 use PIT-entry +>>>4 ulelong >12 \b; #13 +>>>>0x64C use PIT-entry +# 14. pit entry +>>>4 ulelong >13 \b; #14 +>>>>0x6D0 use PIT-entry +>>>4 ulelong >14 \b; #15 +>>>0x754 use PIT-entry +>>>4 ulelong >15 \b; #16 +>>>0x7D8 use PIT-entry +>>>4 ulelong >16 \b; #17 +>>>0x85C use PIT-entry +# 18. pit entry +>>>4 ulelong >17 \b; #18 +>>>0x8E0 use PIT-entry + +0 name PIT-entry +# garbage value implies end of pit entries +>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +# skip empty partition name +>>0x24 ubyte !0 +# partition name +>>>0x24 string >\0 %-.32s +# flags +>>>0x0C ulelong&0x00000002 2 \b+RW +# partition ID: +# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER +# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW +>>>0x08 ulelong x (%#x) +# filename +>>>0x44 string >\0 "%-.64s" +#>>>0x18 ulelong >0 +# blocksize in 512 byte units ? +#>>>>0x18 ulelong x \b, %db +# partition size in blocks ? +#>>>>0x22 ulelong x \b*%d + +# Android sparse img format +# From https://android.googlesource.com/\ +# platform/system/core/+/master/libsparse/sparse_format.h +0 lelong 0xed26ff3a Android sparse image +>4 leshort x \b, version: %d +>6 leshort x \b.%d +>16 lelong x \b, Total of %d +>12 lelong x \b %d-byte output blocks in +>20 lelong x \b %d input chunks. + +# Android binary XML magic +# In include/androidfw/ResourceTypes.h: +# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), +# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). +# The strength is increased to avoid misidentifying as Targa image data +0 lelong 0x00080003 Android binary XML +!:strength +1 + +# Android cryptfs footer +# From https://android.googlesource.com/\ +# platform/system/vold/+/refs/heads/master/cryptfs.h +0 lelong 0xd0b5b1c4 Android cryptfs footer +>4 leshort x \b, version: %d +>6 leshort x \b.%d + +# Android Vdex format +# From https://android.googlesource.com/\ +# platform/art/+/master/runtime/vdex_file.h +0 string vdex Android vdex file, +>4 string >000 verifier deps version: %s, +>8 string >000 dex section version: %s, +>12 lelong >0 number of dex files: %d, +>16 lelong >0 verifier deps size: %d + +# Android Vdex format, dexfile is currently being updated +# by android system +# From https://android.googlesource.com/\ +# platform/art/+/master/dex2oat/dex2oat.cc +0 string wdex Android vdex file, being processed by dex2oat, +>4 string >000 verifier deps version: %s, +>8 string >000 dex section version: %s, +>12 lelong >0 number of dex files: %d, +>16 lelong >0 verifier deps size: %d + +# Disassembled DEX files +0 string/t .class\x20 +>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali) +!:ext smali + +# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileTranscoder.java +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileVersion.java +0 string pro\x00 +>0 regex pro\x000[0-9][0-9]\x00 Android ART profile +!:ext prof +>>4 string 001\x00 \b, version 001 N +>>4 string 005\x00 \b, version 005 O +>>4 string 009\x00 \b, version 009 O MR1 +>>4 string 010\x00 \b, version 010 P +>>4 string 015\x00 \b, version 015 S +0 string prm\x00 +>0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata +!:ext profm +>>4 string 001\x00 \b, version 001 N +>>4 string 002\x00 \b, version 002 + +# Android package resource table (ARSC): resources.arsc +# Reference: https://android.googlesource.com/platform/tools/base/\ +# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\ +# src/main/java/com/google/devrel/gmscore/tools/apk/arsc +# 00: resource table type = 0x0002 (2) + header size = 12 (2) +# 04: chunk size (4, skipped) +# 08: #packages (4) +0 ulelong 0x000c0002 Android package resource table (ARSC) +!:ext arsc +>8 ulelong !1 \b, %d packages +# 12: string pool type = 0x0001 (2) + header size = 28 (2) +# 16: chunk size (4, skipped) +# 20: #strings (4), #styles (4), flags (4) +>12 ulelong 0x001c0001 +>>20 ulelong !0 \b, %d string(s) +>>24 ulelong !0 \b, %d style(s) +>>28 ulelong &1 \b, sorted +>>28 ulelong &256 \b, utf8 + +# extracted APK Signing Block +-16 string APK\x20Sig\x20Block\x2042 APK Signing Block diff --git a/magic/Magdir/animation b/magic/Magdir/animation new file mode 100644 index 0000000..aab93ca --- /dev/null +++ b/magic/Magdir/animation @@ -0,0 +1,1206 @@ + +#------------------------------------------------------------------------------ +# $File: animation,v 1.94 2023/06/16 20:06:50 christos Exp $ +# animation: file(1) magic for animation/movie formats +# +# animation formats +# MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) +# FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) + +# SGI and Apple formats +0 string MOVI Silicon Graphics movie file +!:mime video/x-sgi-movie +4 string moov Apple QuickTime +!:mime video/quicktime +>12 string mvhd \b movie (fast start) +>12 string mdra \b URL +>12 string cmov \b movie (fast start, compressed header) +>12 string rmra \b multiple URLs +4 string mdat Apple QuickTime movie (unoptimized) +!:mime video/quicktime +4 string wide Apple QuickTime movie (unoptimized) +!:mime video/quicktime +#4 string skip Apple QuickTime movie (modified) +#!:mime video/quicktime +#4 string free Apple QuickTime movie (modified) +#!:mime video/quicktime +4 string idsc Apple QuickTime image (fast start) +!:mime image/x-quicktime +#4 string idat Apple QuickTime image (unoptimized) +#!:mime image/x-quicktime +4 string pckg Apple QuickTime compressed archive +!:mime application/x-quicktime-player + +#### MP4 #### +# https://www.ftyps.com/ with local additions +# https://cconcolato.github.io/mp4ra/filetype.html +4 string ftyp ISO Media +# https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ +>8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +!:mime video/mp4 +>>96 string x \b, Audio "%.4s" +>>118 beshort x at %dHz +>>140 string x \b, Video "%.4s" +>>168 beshort x %d +>>170 beshort x \bx%d +>8 string 3g2 \b, MPEG v4 system, 3GPP2 +!:mime video/3gpp2 +>>11 byte 4 \b v4 (H.263/AMR GSM 6.10) +>>11 byte 5 \b v5 (H.263/AMR GSM 6.10) +>>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) +# https://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf +# Section 8.1.1, corresponds to a, b, c +>>11 byte 0x61 \b C.S0050-0 V1.0 +>>11 byte 0x62 \b C.S0050-0-A V1.0.0 +>>11 byte 0x63 \b C.S0050-0-B V1.0 +>8 string 3ge \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 6 \b, Release %d MBMS Extended Presentations +>>11 byte 7 \b, Release %d MBMS Extended Presentations +>>11 byte 9 \b, Release %d MBMS Extended Presentations +>8 string 3gf \b, MPEG v4 system, 3GPP +>>11 byte 9 \b, Release %d File-delivery profile +>8 string 3gg \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 6 \b, Release %d General Profile +>>11 byte 9 \b, Release %d General Profile +>8 string 3gh \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 9 \b, Release %d Adaptive Streaming Profile +>8 string 3gm \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 9 \b, Release %d Media Segment Profile +>8 string 3gp \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 1 \b, Release %d (non existent) +>>11 byte 2 \b, Release %d (non existent) +>>11 byte 3 \b, Release %d (non existent) +>>11 byte 4 \b, Release %d +>>11 byte 5 \b, Release %d +>>11 byte 6 \b, Release %d +>>11 byte 7 \b, Release %d Streaming Servers +>8 string 3gr \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 6 \b, Release %d Progressive Download Profile +>>11 byte 9 \b, Release %d Progressive Download Profile +>8 string 3gs \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 6 \b, Release %d Streaming Servers +>>11 byte 7 \b, Release %d Streaming Servers +>>11 byte 9 \b, Release %d Streaming Servers +>8 string 3gt \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 8 \b, Release %d Media Stream Recording Profile +>>11 byte 9 \b, Release %d Media Stream Recording Profile +>8 string ARRI \b, MPEG v4 system, ARRI Digital Camera +!:mime video/mp4 +>8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005] +!:mime video/mp4 +>8 string bbxm \b, Blinkbox Master File: H.264 video/16-bit LE LPCM audio +!:mime video/mp4 +>8 string/W qt \b, Apple QuickTime movie +!:mime video/quicktime +>8 string CAEP \b, Canon Digital Camera +>8 string caqv \b, Casio Digital Camera +>8 string CDes \b, Convergent Design +>8 string caaa \b, CMAF Media Profile - AAC Adaptive Audio +>8 string caac \b, CMAF Media Profile - AAC Core +>8 string caqv \b, Casio Digital Camera Casio +>8 string ccea \b, CMAF Supplemental Data - CEA-608/708 +>8 string ccff \b, Common container file format +>8 string cfhd \b, CMAF Media Profile - AVC HD +>8 string cfsd \b, CMAF Media Profile - AVC SD +>8 string chd1 \b, CMAF Media Profile - HEVC HDR10 +>8 string chdf \b, CMAF Media Profile - AVC HDHF +>8 string chhd \b, CMAF Media Profile - HEVC HHD8 +>8 string chh1 \b, CMAF Media Profile - HEVC HHD10 +>8 string clg1 \b, CMAF Media Profile - HEVC HLG10 +>8 string cmfc \b, CMAF Track Format +>8 string cmff \b, CMAF Fragment Format +>8 string cmfl \b, CMAF Chunk Format +>8 string cmfs \b, CMAF Segment Format +>8 string cud1 \b, CMAF Media Profile - HEVC UHD10 +>8 string cud8 \b, CMAF Media Profile - HEVC UHD8 +>8 string cwvt \b, CMAF Media Profile - WebVTT +>8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG +>8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images +>8 string da1b \b, DMB MAF, ext da1a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da2a \b, DMB MAF aud w/ HE-AAC v2 aud, MOT slides, DLS, JPG/PNG/MNG +>8 string da2b \b, DMB MAF, ext da2a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da3a \b, DMB MAF aud with HE-AAC aud, JPG/PNG/MNG images +>8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP +>8 string dash \b, MPEG v4 system, Dynamic Adaptive Streaming over HTTP +!:mime video/mp4 +>8 string dby1 \b, MP4 files with Dolby content +>8 string dsms \b, Media Segment DASH conformant +>8 string dts1 \b, MP4 track file with audio codecs dtsc dtsh or dtse +>8 string dts2 \b, MP4 track file with audio codec dtsx +>8 string dts3 \b, MP4 track file with audio codec dtsy +>8 string dxo$20 \b, DxO ONE camera +>8 string dmb1 \b, DMB MAF supporting all the components defined in the spec +>8 string dmpf \b, Digital Media Project +>8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4) +>8 string dv1a \b, DMB MAF vid w/ AVC vid, ER-BSAC aud, BIFS, JPG/PNG/MNG, TS +>8 string dv1b \b, DMB MAF, ext dv1a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dv2a \b, DMB MAF vid w/ AVC vid, HE-AAC v2 aud, BIFS, JPG/PNG/MNG, TS +>8 string dv2b \b, DMB MAF, ext dv2a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dv3a \b, DMB MAF vid w/ AVC vid, HE-AAC aud, BIFS, JPG/PNG/MNG, TS +>8 string dv3b \b, DMB MAF, ext dv3a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dvr1 \b, DVB (.DVB) over RTP +!:mime video/vnd.dvb.file +>8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream +>8 string emsg \b, Event message box present +!:mime video/vnd.dvb.file +>8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V) +!:mime video/mp4 +>8 string F4P \b, Protected Video for Adobe Flash Player 9+ (.F4P) +!:mime video/mp4 +>8 string F4A \b, Audio for Adobe Flash Player 9+ (.F4A) +!:mime audio/mp4 +>8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B) +!:mime audio/mp4 +>8 string ifrm \b, Apple iFrame Specification, Version 8.1 Jan 2013 +>8 string im1i \b, CMAF Media Profile - IMSC1 Image +>8 string im1t \b, CMAF Media Profile - IMSC1 Text +>8 string isc2 \b, ISMACryp 2.0 Encrypted File +# ?/enc-isoff-generic +>8 string iso \b, MP4 Base Media +!:mime video/mp4 +!:ext mp4 +>>11 string m v1 [ISO 14496-12:2003] +>>11 string 2 v2 [ISO 14496-12:2005] +>>11 string 4 v4 +>>11 string 5 v5 +>>11 string 6 v6 +>8 string isml \b, MP4 Base Media v2 [ISO 14496-12:2005] +!:mime video/mp4 +>8 string J2P0 \b, JPEG2000 Profile 0 +>8 string J2P1 \b, JPEG2000 Profile 1 +>8 string/W jp2 \b, JPEG 2000 +!:mime image/jp2 +>8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?] +!:mime image/jp2 +>8 string JP20 \b, Unknown, from GPAC samples (prob non-existent) +>8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6] +!:mime image/jpm +>8 string jpsi \b, The JPSearch data interchange format +>8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2] +!:mime image/jpx +>8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones +!:mime video/3gpp2 +>8 string LCAG \b, Leica digital camera +>8 string lmsg \b, Last Media Segment indicator for ISO base media file format. +>8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio +!:mime audio/x-m4a +>8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book +!:mime audio/mp4 +>8 string M4P \b, Apple iTunes ALAC/AAC-LC (.M4P) AES Protected Audio +!:mime video/mp4 +>8 string M4V \b, Apple iTunes Video (.M4V) Video +!:mime video/x-m4v +>8 string M4VH \b, Apple TV (.M4V) +!:mime video/x-m4v +>8 string M4VP \b, Apple iPhone (.M4V) +!:mime video/x-m4v +>8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile +!:mime video/mj2 +>8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile +>8 string MFSM \b, Media File for Samsung video Metadata +>8 string MGSV \b, Sony Home and Mobile Multimedia Platform (HMMP) +!:mime video/mj2 +>8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT) +!:mime video/mp4 +>8 string mobi \b, MPEG-4, MOBI format +!:mime video/mp4 +>8 string mp21 \b, MPEG-21 [ISO/IEC 21000-9] +>8 string mp41 \b, MP4 v1 [ISO 14496-1:ch13] +!:mime video/mp4 +>8 string mp42 \b, MP4 v2 [ISO 14496-14] +!:mime video/mp4 +>8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12] +>8 string mp7t \b, MPEG v4 system, MPEG v7 XML +>8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML +>8 string mpuf \b, Compliance with the MMT Processing Unit format +>8 string msdh \b, Media Segment conforming to ISO base media file format. +>8 string msix \b, Media Segment conforming to ISO base media file format. +>8 string mmp4 \b, MPEG v4 system, 3GPP Mobile +!:mime video/mp4 +>8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3] +>8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830 +!:mime video/quicktime +>8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP +!:mime audio/mp4 +>8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio +!:mime audio/mp4 +>8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile +!:mime video/mp4 +>8 string NDSH \b, MPEG-4 (.MP4) Nero HDTV Profile +!:mime video/mp4 +>8 string NDSM \b, MPEG-4 (.MP4) Nero Mobile Profile +!:mime video/mp4 +>8 string NDSP \b, MPEG-4 (.MP4) Nero Portable Profile +!:mime video/mp4 +>8 string NDSS \b, MPEG-4 (.MP4) Nero Standard Profile +!:mime video/mp4 +>8 string NDXC \b, H.264/MPEG-4 AVC (.MP4) Nero Cinema Profile +!:mime video/mp4 +>8 string NDXH \b, H.264/MPEG-4 AVC (.MP4) Nero HDTV Profile +!:mime video/mp4 +>8 string NDXM \b, H.264/MPEG-4 AVC (.MP4) Nero Mobile Profile +!:mime video/mp4 +>8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile +!:mime video/mp4 +>8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile +>8 string niko \b, Nikon Digital Camera +!:mime video/mp4 +>8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A) +>8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C) +>8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C) +>8 string pana \b, Panasonic Digital Camera +>8 string piff \b, Protected Interoperable File Format +>8 string pnvi ]b, Panasonic Video Intercom +>8 string qt \b, Apple QuickTime (.MOV/QT) +!:mime video/quicktime +# HEIF image format +# see https://nokiatech.github.io/heif/technical.html +>8 string mif1 \b, HEIF Image +!:mime image/heif +>8 string msf1 \b, HEIF Image Sequence +!:mime image/heif-sequence +>8 string heic \b, HEIF Image HEVC Main or Main Still Picture Profile +!:mime image/heic +>8 string heix \b, HEIF Image HEVC Main 10 Profile +!:mime image/heic +>8 string hevc \b, HEIF Image Sequenz HEVC Main or Main Still Picture Profile +!:mime image/heic-sequence +>8 string hevx \b, HEIF Image Sequence HEVC Main 10 Profile +!:mime image/heic-sequence +# following HEIF brands are not mentioned in the heif technical info currently (Oct 2017) +# but used in the reference implementation: +# https://github.com/nokiatech/heif/blob/d5e9a21c8ba8df712bdf643021dd9f6518134776/Srcs/reader/hevcimagefilereader.cpp +>8 string heim \b, HEIF Image L-HEVC +!:mime image/heif +>8 string heis \b, HEIF Image L-HEVC +!:mime image/heif +>8 string avic \b, HEIF Image AVC +!:mime image/heif +>8 string hevm \b, HEIF Image Sequence L-HEVC +!:mime image/heif-sequence +>8 string hevs \b, HEIF Image Sequence L-HEVC +!:mime image/heif-sequence +>8 string avcs \b, HEIF Image Sequence AVC +!:mime image/heif-sequence +# AVIF image format +# see https://aomediacodec.github.io/av1-avif/ +>8 string avif \b, AVIF Image +!:mime image/avif +>8 string avis \b, AVIF Image Sequence +!:mime image/avif +>8 string risx \b, Representation Index Segment for MPEG-2 TS Segments +>8 string ROSS \b, Ross Video +>8 string sdv \b, SD Memory Card Video +>8 string ssc1 \b, Samsung stereo, single stream (patent pending) +>8 string ssc2 \b, Samsung stereo, dual stream (patent pending) +>8 string SEAU \b, Sony Home and Mobile Multimedia Platform (HMMP) +>8 string SEBK \b, Sony Home and Mobile Multimedia Platform (HMMP) +>8 string senv \b, Video contents Sony Entertainment Network +>8 string sims \b, Media Segment for Sub-Indexed Media Segment format +>8 string sisx \b, Single Index Segment forindex MPEG-2 TS +>8 string ssss \b, Subsegment Index Segment used to index MPEG-2 Segments +>8 string uvvu \b, UltraViolet file brand for DECE Common Format + +# MPEG sequences +# Scans for all common MPEG header start codes +0 belong 0x00000001 +>4 byte&0x1F 0x07 JVT NAL sequence, H.264 video +>>5 byte 66 \b, baseline +>>5 byte 77 \b, main +>>5 byte 88 \b, extended +>>7 byte x \b @ L %u +0 belong&0xFFFFFF00 0x00000100 +>3 byte 0xBA MPEG sequence +!:mime video/mpeg +# http://fileformats.archiveteam.org/wiki/Enhanced_VOB +# https://reposcope.com/mimetype/video/mpeg +!:ext vob/evo/mpg/mpeg +>>4 byte &0x40 \b, v2, program multiplex +>>4 byte ^0x40 \b, v1, system multiplex +>3 byte 0xBB MPEG sequence, v1/2, multiplex (missing pack header) +>3 byte&0x1F 0x07 MPEG sequence, H.264 video +>>4 byte 66 \b, baseline +>>4 byte 77 \b, main +>>4 byte 88 \b, extended +>>6 byte x \b @ L %u +# GRR too general as it catches also FoxPro Memo example NG.FPT +>3 byte 0xB0 MPEG sequence, v4 +# TODO: maybe this extra line exclude FoxPro Memo example NG.FPT starting with 000001b0 00000100 00000000 +#>>4 byte !0 MPEG sequence, v4 +!:mime video/mpeg4-generic +>>5 belong 0x000001B5 +>>>9 byte &0x80 +>>>>10 byte&0xF0 16 \b, video +>>>>10 byte&0xF0 32 \b, still texture +>>>>10 byte&0xF0 48 \b, mesh +>>>>10 byte&0xF0 64 \b, face +>>>9 byte&0xF8 8 \b, video +>>>9 byte&0xF8 16 \b, still texture +>>>9 byte&0xF8 24 \b, mesh +>>>9 byte&0xF8 32 \b, face +>>4 byte 1 \b, simple @ L1 +>>4 byte 2 \b, simple @ L2 +>>4 byte 3 \b, simple @ L3 +>>4 byte 4 \b, simple @ L0 +>>4 byte 17 \b, simple scalable @ L1 +>>4 byte 18 \b, simple scalable @ L2 +>>4 byte 33 \b, core @ L1 +>>4 byte 34 \b, core @ L2 +>>4 byte 50 \b, main @ L2 +>>4 byte 51 \b, main @ L3 +>>4 byte 53 \b, main @ L4 +>>4 byte 66 \b, n-bit @ L2 +>>4 byte 81 \b, scalable texture @ L1 +>>4 byte 97 \b, simple face animation @ L1 +>>4 byte 98 \b, simple face animation @ L2 +>>4 byte 99 \b, simple face basic animation @ L1 +>>4 byte 100 \b, simple face basic animation @ L2 +>>4 byte 113 \b, basic animation text @ L1 +>>4 byte 114 \b, basic animation text @ L2 +>>4 byte 129 \b, hybrid @ L1 +>>4 byte 130 \b, hybrid @ L2 +>>4 byte 145 \b, advanced RT simple @ L! +>>4 byte 146 \b, advanced RT simple @ L2 +>>4 byte 147 \b, advanced RT simple @ L3 +>>4 byte 148 \b, advanced RT simple @ L4 +>>4 byte 161 \b, core scalable @ L1 +>>4 byte 162 \b, core scalable @ L2 +>>4 byte 163 \b, core scalable @ L3 +>>4 byte 177 \b, advanced coding efficiency @ L1 +>>4 byte 178 \b, advanced coding efficiency @ L2 +>>4 byte 179 \b, advanced coding efficiency @ L3 +>>4 byte 180 \b, advanced coding efficiency @ L4 +>>4 byte 193 \b, advanced core @ L1 +>>4 byte 194 \b, advanced core @ L2 +>>4 byte 209 \b, advanced scalable texture @ L1 +>>4 byte 210 \b, advanced scalable texture @ L2 +>>4 byte 211 \b, advanced scalable texture @ L3 +>>4 byte 225 \b, simple studio @ L1 +>>4 byte 226 \b, simple studio @ L2 +>>4 byte 227 \b, simple studio @ L3 +>>4 byte 228 \b, simple studio @ L4 +>>4 byte 229 \b, core studio @ L1 +>>4 byte 230 \b, core studio @ L2 +>>4 byte 231 \b, core studio @ L3 +>>4 byte 232 \b, core studio @ L4 +>>4 byte 240 \b, advanced simple @ L0 +>>4 byte 241 \b, advanced simple @ L1 +>>4 byte 242 \b, advanced simple @ L2 +>>4 byte 243 \b, advanced simple @ L3 +>>4 byte 244 \b, advanced simple @ L4 +>>4 byte 245 \b, advanced simple @ L5 +>>4 byte 247 \b, advanced simple @ L3b +>>4 byte 248 \b, FGS @ L0 +>>4 byte 249 \b, FGS @ L1 +>>4 byte 250 \b, FGS @ L2 +>>4 byte 251 \b, FGS @ L3 +>>4 byte 252 \b, FGS @ L4 +>>4 byte 253 \b, FGS @ L5 +>3 byte 0xB5 MPEG sequence, v4 +!:mime video/mpeg4-generic +>>4 byte &0x80 +>>>5 byte&0xF0 16 \b, video (missing profile header) +>>>5 byte&0xF0 32 \b, still texture (missing profile header) +>>>5 byte&0xF0 48 \b, mesh (missing profile header) +>>>5 byte&0xF0 64 \b, face (missing profile header) +>>4 byte&0xF8 8 \b, video (missing profile header) +>>4 byte&0xF8 16 \b, still texture (missing profile header) +>>4 byte&0xF8 24 \b, mesh (missing profile header) +>>4 byte&0xF8 32 \b, face (missing profile header) +>3 byte 0xB3 MPEG sequence +!:mime video/mpeg +>>12 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video +>>12 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video +>>12 belong 0x000001B5 \b, v2, +>>>16 byte&0x0F 1 \b HP +>>>16 byte&0x0F 2 \b Spt +>>>16 byte&0x0F 3 \b SNR +>>>16 byte&0x0F 4 \b MP +>>>16 byte&0x0F 5 \b SP +>>>17 byte&0xF0 64 \b@HL +>>>17 byte&0xF0 96 \b@H-14 +>>>17 byte&0xF0 128 \b@ML +>>>17 byte&0xF0 160 \b@LL +>>>17 byte &0x08 \b progressive +>>>17 byte ^0x08 \b interlaced +>>>17 byte&0x06 2 \b Y'CbCr 4:2:0 video +>>>17 byte&0x06 4 \b Y'CbCr 4:2:2 video +>>>17 byte&0x06 6 \b Y'CbCr 4:4:4 video +>>11 byte &0x02 +>>>75 byte &0x01 +>>>>140 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video +>>>>140 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video +>>>>140 belong 0x000001B5 \b, v2, +>>>>>144 byte&0x0F 1 \b HP +>>>>>144 byte&0x0F 2 \b Spt +>>>>>144 byte&0x0F 3 \b SNR +>>>>>144 byte&0x0F 4 \b MP +>>>>>144 byte&0x0F 5 \b SP +>>>>>145 byte&0xF0 64 \b@HL +>>>>>145 byte&0xF0 96 \b@H-14 +>>>>>145 byte&0xF0 128 \b@ML +>>>>>145 byte&0xF0 160 \b@LL +>>>>>145 byte &0x08 \b progressive +>>>>>145 byte ^0x08 \b interlaced +>>>>>145 byte&0x06 2 \b Y'CbCr 4:2:0 video +>>>>>145 byte&0x06 4 \b Y'CbCr 4:2:2 video +>>>>>145 byte&0x06 6 \b Y'CbCr 4:4:4 video +>>76 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video +>>76 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video +>>76 belong 0x000001B5 \b, v2, +>>>80 byte&0x0F 1 \b HP +>>>80 byte&0x0F 2 \b Spt +>>>80 byte&0x0F 3 \b SNR +>>>80 byte&0x0F 4 \b MP +>>>80 byte&0x0F 5 \b SP +>>>81 byte&0xF0 64 \b@HL +>>>81 byte&0xF0 96 \b@H-14 +>>>81 byte&0xF0 128 \b@ML +>>>81 byte&0xF0 160 \b@LL +>>>81 byte &0x08 \b progressive +>>>81 byte ^0x08 \b interlaced +>>>81 byte&0x06 2 \b Y'CbCr 4:2:0 video +>>>81 byte&0x06 4 \b Y'CbCr 4:2:2 video +>>>81 byte&0x06 6 \b Y'CbCr 4:4:4 video +>>4 belong&0xFFFFFF00 0x78043800 \b, HD-TV 1920P +>>>7 byte&0xF0 0x10 \b, 16:9 +>>4 belong&0xFFFFFF00 0x50002D00 \b, SD-TV 1280I +>>>7 byte&0xF0 0x10 \b, 16:9 +>>4 belong&0xFFFFFF00 0x30024000 \b, PAL Capture +>>>7 byte&0xF0 0x10 \b, 4:3 +>>4 beshort&0xFFF0 0x2C00 \b, 4CIF +>>>5 beshort&0x0FFF 0x01E0 \b NTSC +>>>5 beshort&0x0FFF 0x0240 \b PAL +>>>7 byte&0xF0 0x20 \b, 4:3 +>>>7 byte&0xF0 0x30 \b, 16:9 +>>>7 byte&0xF0 0x40 \b, 11:5 +>>>7 byte&0xF0 0x80 \b, PAL 4:3 +>>>7 byte&0xF0 0xC0 \b, NTSC 4:3 +>>4 belong&0xFFFFFF00 0x2801E000 \b, LD-TV 640P +>>>7 byte&0xF0 0x10 \b, 4:3 +>>4 belong&0xFFFFFF00 0x1400F000 \b, 320x240 +>>>7 byte&0xF0 0x10 \b, 4:3 +>>4 belong&0xFFFFFF00 0x0F00A000 \b, 240x160 +>>>7 byte&0xF0 0x10 \b, 4:3 +>>4 belong&0xFFFFFF00 0x0A007800 \b, 160x120 +>>>7 byte&0xF0 0x10 \b, 4:3 +>>4 beshort&0xFFF0 0x1600 \b, CIF +>>>5 beshort&0x0FFF 0x00F0 \b NTSC +>>>5 beshort&0x0FFF 0x0120 \b PAL +>>>7 byte&0xF0 0x20 \b, 4:3 +>>>7 byte&0xF0 0x30 \b, 16:9 +>>>7 byte&0xF0 0x40 \b, 11:5 +>>>7 byte&0xF0 0x80 \b, PAL 4:3 +>>>7 byte&0xF0 0xC0 \b, NTSC 4:3 +>>>5 beshort&0x0FFF 0x0240 \b PAL 625 +>>>>7 byte&0xF0 0x20 \b, 4:3 +>>>>7 byte&0xF0 0x30 \b, 16:9 +>>>>7 byte&0xF0 0x40 \b, 11:5 +>>4 beshort&0xFFF0 0x2D00 \b, CCIR/ITU +>>>5 beshort&0x0FFF 0x01E0 \b NTSC 525 +>>>5 beshort&0x0FFF 0x0240 \b PAL 625 +>>>7 byte&0xF0 0x20 \b, 4:3 +>>>7 byte&0xF0 0x30 \b, 16:9 +>>>7 byte&0xF0 0x40 \b, 11:5 +>>4 beshort&0xFFF0 0x1E00 \b, SVCD +>>>5 beshort&0x0FFF 0x01E0 \b NTSC 525 +>>>5 beshort&0x0FFF 0x0240 \b PAL 625 +>>>7 byte&0xF0 0x20 \b, 4:3 +>>>7 byte&0xF0 0x30 \b, 16:9 +>>>7 byte&0xF0 0x40 \b, 11:5 +>>7 byte&0x0F 1 \b, 23.976 fps +>>7 byte&0x0F 2 \b, 24 fps +>>7 byte&0x0F 3 \b, 25 fps +>>7 byte&0x0F 4 \b, 29.97 fps +>>7 byte&0x0F 5 \b, 30 fps +>>7 byte&0x0F 6 \b, 50 fps +>>7 byte&0x0F 7 \b, 59.94 fps +>>7 byte&0x0F 8 \b, 60 fps +>>11 byte &0x04 \b, Constrained + +# MPEG ADTS Audio (*.mpx/mxa/aac) +# from dreesen@math.fu-berlin.de +# modified to fully support MPEG ADTS + +# MP3, M1A +# modified by Joerg Jenderek +# GRR the original test are too common for many DOS files +# so don't accept as MP3 until we've tested the rate +# But also beat GEMDOS fonts +0 beshort&0xFFFE 0xFFFA +# rates +>2 byte&0xF0 !0 +>>2 byte&0xF0 !0xF0 MPEG ADTS, layer III, v1 +!:strength +20 +!:mime audio/mpeg +>2 byte&0xF0 0x10 \b, 32 kbps +>2 byte&0xF0 0x20 \b, 40 kbps +>2 byte&0xF0 0x30 \b, 48 kbps +>2 byte&0xF0 0x40 \b, 56 kbps +>2 byte&0xF0 0x50 \b, 64 kbps +>2 byte&0xF0 0x60 \b, 80 kbps +>2 byte&0xF0 0x70 \b, 96 kbps +>2 byte&0xF0 0x80 \b, 112 kbps +>2 byte&0xF0 0x90 \b, 128 kbps +>2 byte&0xF0 0xA0 \b, 160 kbps +>2 byte&0xF0 0xB0 \b, 192 kbps +>2 byte&0xF0 0xC0 \b, 224 kbps +>2 byte&0xF0 0xD0 \b, 256 kbps +>2 byte&0xF0 0xE0 \b, 320 kbps +# timing +>2 byte&0x0C 0x00 \b, 44.1 kHz +>2 byte&0x0C 0x04 \b, 48 kHz +>2 byte&0x0C 0x08 \b, 32 kHz +# channels/options +>3 byte&0xC0 0x00 \b, Stereo +>3 byte&0xC0 0x40 \b, JntStereo +>3 byte&0xC0 0x80 \b, 2x Monaural +>3 byte&0xC0 0xC0 \b, Monaural +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Packet Pad +#>2 byte &0x01 \b, Custom Flag +#>3 byte &0x08 \b, Copyrighted +#>3 byte &0x04 \b, Original Source +#>3 byte&0x03 1 \b, NR: 50/15 ms +#>3 byte&0x03 3 \b, NR: CCIT J.17 + +# MP2, M1A +0 beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1 +!:mime audio/mpeg +# rates +>2 byte&0xF0 0x10 \b, 32 kbps +>2 byte&0xF0 0x20 \b, 48 kbps +>2 byte&0xF0 0x30 \b, 56 kbps +>2 byte&0xF0 0x40 \b, 64 kbps +>2 byte&0xF0 0x50 \b, 80 kbps +>2 byte&0xF0 0x60 \b, 96 kbps +>2 byte&0xF0 0x70 \b, 112 kbps +>2 byte&0xF0 0x80 \b, 128 kbps +>2 byte&0xF0 0x90 \b, 160 kbps +>2 byte&0xF0 0xA0 \b, 192 kbps +>2 byte&0xF0 0xB0 \b, 224 kbps +>2 byte&0xF0 0xC0 \b, 256 kbps +>2 byte&0xF0 0xD0 \b, 320 kbps +>2 byte&0xF0 0xE0 \b, 384 kbps +# timing +>2 byte&0x0C 0x00 \b, 44.1 kHz +>2 byte&0x0C 0x04 \b, 48 kHz +>2 byte&0x0C 0x08 \b, 32 kHz +# channels/options +>3 byte&0xC0 0x00 \b, Stereo +>3 byte&0xC0 0x40 \b, JntStereo +>3 byte&0xC0 0x80 \b, 2x Monaural +>3 byte&0xC0 0xC0 \b, Monaural +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Packet Pad +#>2 byte &0x01 \b, Custom Flag +#>3 byte &0x08 \b, Copyrighted +#>3 byte &0x04 \b, Original Source +#>3 byte&0x03 1 \b, NR: 50/15 ms +#>3 byte&0x03 3 \b, NR: CCIT J.17 + +# MPA, M1A +# updated by Joerg Jenderek +# GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 +# GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE) +# FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries +#0 beshort&0xFFFE 0xFFFE +#>2 ubyte&0xF0 >0x0F +#>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1 +## rate +#>>>2 byte&0xF0 0x10 \b, 32 kbps +#>>>2 byte&0xF0 0x20 \b, 64 kbps +#>>>2 byte&0xF0 0x30 \b, 96 kbps +#>>>2 byte&0xF0 0x40 \b, 128 kbps +#>>>2 byte&0xF0 0x50 \b, 160 kbps +#>>>2 byte&0xF0 0x60 \b, 192 kbps +#>>>2 byte&0xF0 0x70 \b, 224 kbps +#>>>2 byte&0xF0 0x80 \b, 256 kbps +#>>>2 byte&0xF0 0x90 \b, 288 kbps +#>>>2 byte&0xF0 0xA0 \b, 320 kbps +#>>>2 byte&0xF0 0xB0 \b, 352 kbps +#>>>2 byte&0xF0 0xC0 \b, 384 kbps +#>>>2 byte&0xF0 0xD0 \b, 416 kbps +#>>>2 byte&0xF0 0xE0 \b, 448 kbps +## timing +#>>>2 byte&0x0C 0x00 \b, 44.1 kHz +#>>>2 byte&0x0C 0x04 \b, 48 kHz +#>>>2 byte&0x0C 0x08 \b, 32 kHz +## channels/options +#>>>3 byte&0xC0 0x00 \b, Stereo +#>>>3 byte&0xC0 0x40 \b, JntStereo +#>>>3 byte&0xC0 0x80 \b, 2x Monaural +#>>>3 byte&0xC0 0xC0 \b, Monaural +##>1 byte ^0x01 \b, Data Verify +##>2 byte &0x02 \b, Packet Pad +##>2 byte &0x01 \b, Custom Flag +##>3 byte &0x08 \b, Copyrighted +##>3 byte &0x04 \b, Original Source +##>3 byte&0x03 1 \b, NR: 50/15 ms +##>3 byte&0x03 3 \b, NR: CCIT J.17 + +# MP3, M2A +0 beshort&0xFFFE 0xFFF2 MPEG ADTS, layer III, v2 +!:mime audio/mpeg +# rate +>2 byte&0xF0 0x10 \b, 8 kbps +>2 byte&0xF0 0x20 \b, 16 kbps +>2 byte&0xF0 0x30 \b, 24 kbps +>2 byte&0xF0 0x40 \b, 32 kbps +>2 byte&0xF0 0x50 \b, 40 kbps +>2 byte&0xF0 0x60 \b, 48 kbps +>2 byte&0xF0 0x70 \b, 56 kbps +>2 byte&0xF0 0x80 \b, 64 kbps +>2 byte&0xF0 0x90 \b, 80 kbps +>2 byte&0xF0 0xA0 \b, 96 kbps +>2 byte&0xF0 0xB0 \b, 112 kbps +>2 byte&0xF0 0xC0 \b, 128 kbps +>2 byte&0xF0 0xD0 \b, 144 kbps +>2 byte&0xF0 0xE0 \b, 160 kbps +# timing +>2 byte&0x0C 0x00 \b, 22.05 kHz +>2 byte&0x0C 0x04 \b, 24 kHz +>2 byte&0x0C 0x08 \b, 16 kHz +# channels/options +>3 byte&0xC0 0x00 \b, Stereo +>3 byte&0xC0 0x40 \b, JntStereo +>3 byte&0xC0 0x80 \b, 2x Monaural +>3 byte&0xC0 0xC0 \b, Monaural +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Packet Pad +#>2 byte &0x01 \b, Custom Flag +#>3 byte &0x08 \b, Copyrighted +#>3 byte &0x04 \b, Original Source +#>3 byte&0x03 1 \b, NR: 50/15 ms +#>3 byte&0x03 3 \b, NR: CCIT J.17 + +# MP2, M2A +0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 +!:mime audio/mpeg +# rate +>2 byte&0xF0 0x10 \b, 8 kbps +>2 byte&0xF0 0x20 \b, 16 kbps +>2 byte&0xF0 0x30 \b, 24 kbps +>2 byte&0xF0 0x40 \b, 32 kbps +>2 byte&0xF0 0x50 \b, 40 kbps +>2 byte&0xF0 0x60 \b, 48 kbps +>2 byte&0xF0 0x70 \b, 56 kbps +>2 byte&0xF0 0x80 \b, 64 kbps +>2 byte&0xF0 0x90 \b, 80 kbps +>2 byte&0xF0 0xA0 \b, 96 kbps +>2 byte&0xF0 0xB0 \b, 112 kbps +>2 byte&0xF0 0xC0 \b, 128 kbps +>2 byte&0xF0 0xD0 \b, 144 kbps +>2 byte&0xF0 0xE0 \b, 160 kbps +# timing +>2 byte&0x0C 0x00 \b, 22.05 kHz +>2 byte&0x0C 0x04 \b, 24 kHz +>2 byte&0x0C 0x08 \b, 16 kHz +# channels/options +>3 byte&0xC0 0x00 \b, Stereo +>3 byte&0xC0 0x40 \b, JntStereo +>3 byte&0xC0 0x80 \b, 2x Monaural +>3 byte&0xC0 0xC0 \b, Monaural +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Packet Pad +#>2 byte &0x01 \b, Custom Flag +#>3 byte &0x08 \b, Copyrighted +#>3 byte &0x04 \b, Original Source +#>3 byte&0x03 1 \b, NR: 50/15 ms +#>3 byte&0x03 3 \b, NR: CCIT J.17 + +# MPA, M2A +0 beshort&0xFFFE 0xFFF6 MPEG ADTS, layer I, v2 +!:mime audio/mpeg +# rate +>2 byte&0xF0 0x10 \b, 32 kbps +>2 byte&0xF0 0x20 \b, 48 kbps +>2 byte&0xF0 0x30 \b, 56 kbps +>2 byte&0xF0 0x40 \b, 64 kbps +>2 byte&0xF0 0x50 \b, 80 kbps +>2 byte&0xF0 0x60 \b, 96 kbps +>2 byte&0xF0 0x70 \b, 112 kbps +>2 byte&0xF0 0x80 \b, 128 kbps +>2 byte&0xF0 0x90 \b, 144 kbps +>2 byte&0xF0 0xA0 \b, 160 kbps +>2 byte&0xF0 0xB0 \b, 176 kbps +>2 byte&0xF0 0xC0 \b, 192 kbps +>2 byte&0xF0 0xD0 \b, 224 kbps +>2 byte&0xF0 0xE0 \b, 256 kbps +# timing +>2 byte&0x0C 0x00 \b, 22.05 kHz +>2 byte&0x0C 0x04 \b, 24 kHz +>2 byte&0x0C 0x08 \b, 16 kHz +# channels/options +>3 byte&0xC0 0x00 \b, Stereo +>3 byte&0xC0 0x40 \b, JntStereo +>3 byte&0xC0 0x80 \b, 2x Monaural +>3 byte&0xC0 0xC0 \b, Monaural +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Packet Pad +#>2 byte &0x01 \b, Custom Flag +#>3 byte &0x08 \b, Copyrighted +#>3 byte &0x04 \b, Original Source +#>3 byte&0x03 1 \b, NR: 50/15 ms +#>3 byte&0x03 3 \b, NR: CCIT J.17 + +# MP3, M25A +0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 +!:mime audio/mpeg +# rate +>2 byte&0xF0 0x10 \b, 8 kbps +>2 byte&0xF0 0x20 \b, 16 kbps +>2 byte&0xF0 0x30 \b, 24 kbps +>2 byte&0xF0 0x40 \b, 32 kbps +>2 byte&0xF0 0x50 \b, 40 kbps +>2 byte&0xF0 0x60 \b, 48 kbps +>2 byte&0xF0 0x70 \b, 56 kbps +>2 byte&0xF0 0x80 \b, 64 kbps +>2 byte&0xF0 0x90 \b, 80 kbps +>2 byte&0xF0 0xA0 \b, 96 kbps +>2 byte&0xF0 0xB0 \b, 112 kbps +>2 byte&0xF0 0xC0 \b, 128 kbps +>2 byte&0xF0 0xD0 \b, 144 kbps +>2 byte&0xF0 0xE0 \b, 160 kbps +# timing +>2 byte&0x0C 0x00 \b, 11.025 kHz +>2 byte&0x0C 0x04 \b, 12 kHz +>2 byte&0x0C 0x08 \b, 8 kHz +# channels/options +>3 byte&0xC0 0x00 \b, Stereo +>3 byte&0xC0 0x40 \b, JntStereo +>3 byte&0xC0 0x80 \b, 2x Monaural +>3 byte&0xC0 0xC0 \b, Monaural +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Packet Pad +#>2 byte &0x01 \b, Custom Flag +#>3 byte &0x08 \b, Copyrighted +#>3 byte &0x04 \b, Original Source +#>3 byte&0x03 1 \b, NR: 50/15 ms +#>3 byte&0x03 3 \b, NR: CCIT J.17 + +# AAC (aka MPEG-2 NBC audio) and MPEG-4 audio + +# Stored AAC streams (instead of the MP4 format) +0 string ADIF MPEG ADIF, AAC +!:mime audio/x-hx-aac-adif +>4 byte &0x80 +>>13 byte &0x10 \b, VBR +>>13 byte ^0x10 \b, CBR +>>16 byte&0x1E 0x02 \b, single stream +>>16 byte&0x1E 0x04 \b, 2 streams +>>16 byte&0x1E 0x06 \b, 3 streams +>>16 byte &0x08 \b, 4 or more streams +>>16 byte &0x10 \b, 8 or more streams +>>4 byte &0x80 \b, Copyrighted +>>13 byte &0x40 \b, Original Source +>>13 byte &0x20 \b, Home Flag +>4 byte ^0x80 +>>4 byte &0x10 \b, VBR +>>4 byte ^0x10 \b, CBR +>>7 byte&0x1E 0x02 \b, single stream +>>7 byte&0x1E 0x04 \b, 2 streams +>>7 byte&0x1E 0x06 \b, 3 streams +>>7 byte &0x08 \b, 4 or more streams +>>7 byte &0x10 \b, 8 or more streams +>>4 byte &0x40 \b, Original Stream(s) +>>4 byte &0x20 \b, Home Source + +# Live or stored single AAC stream (used with MPEG-2 systems) +0 beshort&0xFFF6 0xFFF0 MPEG ADTS, AAC +!:mime audio/x-hx-aac-adts +>1 byte &0x08 \b, v2 +>1 byte ^0x08 \b, v4 +# profile +>>2 byte &0xC0 \b LTP +>2 byte&0xc0 0x00 \b Main +>2 byte&0xc0 0x40 \b LC +>2 byte&0xc0 0x80 \b SSR +# timing +>2 byte&0x3c 0x00 \b, 96 kHz +>2 byte&0x3c 0x04 \b, 88.2 kHz +>2 byte&0x3c 0x08 \b, 64 kHz +>2 byte&0x3c 0x0c \b, 48 kHz +>2 byte&0x3c 0x10 \b, 44.1 kHz +>2 byte&0x3c 0x14 \b, 32 kHz +>2 byte&0x3c 0x18 \b, 24 kHz +>2 byte&0x3c 0x1c \b, 22.05 kHz +>2 byte&0x3c 0x20 \b, 16 kHz +>2 byte&0x3c 0x24 \b, 12 kHz +>2 byte&0x3c 0x28 \b, 11.025 kHz +>2 byte&0x3c 0x2c \b, 8 kHz +# channels +>2 beshort&0x01c0 0x0040 \b, monaural +>2 beshort&0x01c0 0x0080 \b, stereo +>2 beshort&0x01c0 0x00c0 \b, stereo + center +>2 beshort&0x01c0 0x0100 \b, stereo+center+LFE +>2 beshort&0x01c0 0x0140 \b, surround +>2 beshort&0x01c0 0x0180 \b, surround + LFE +>2 beshort &0x01C0 \b, surround + side +#>1 byte ^0x01 \b, Data Verify +#>2 byte &0x02 \b, Custom Flag +#>3 byte &0x20 \b, Original Stream +#>3 byte &0x10 \b, Home Source +#>3 byte &0x08 \b, Copyrighted + +# Live MPEG-4 audio streams (instead of RTP FlexMux) +0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS +!:mime audio/x-mp4a-latm +#>1 beshort&0x1FFF x \b, %hu byte packet +>3 byte&0xE0 0x40 +>>4 byte&0x3C 0x04 \b, single stream +>>4 byte&0x3C 0x08 \b, 2 streams +>>4 byte&0x3C 0x0C \b, 3 streams +>>4 byte &0x08 \b, 4 or more streams +>>4 byte &0x20 \b, 8 or more streams +>3 byte&0xC0 0 +>>4 byte&0x78 0x08 \b, single stream +>>4 byte&0x78 0x10 \b, 2 streams +>>4 byte&0x78 0x18 \b, 3 streams +>>4 byte &0x20 \b, 4 or more streams +>>4 byte &0x40 \b, 8 or more streams +# This magic isn't strong enough (matches plausible ISO-8859-1 text) +#0 beshort 0x4DE1 MPEG-4 LO-EP audio stream +#!:mime audio/x-mp4a-latm + +# Summary: FLI animation format +# Created by: Daniel Quinlan <quinlan@yggdrasil.com> +# Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection) +4 leshort 0xAF11 +# standard FLI always has 320x200 resolution and 8 bit color +>8 leshort 320 +>>10 leshort 200 +>>>12 leshort 8 FLI animation, 320x200x8 +!:mime video/x-fli +>>>>6 leshort x \b, %d frames +# frame speed is multiple of 1/70s +>>>>16 leshort x \b, %d/70s per frame + +# Summary: FLC animation format +# Created by: Daniel Quinlan <quinlan@yggdrasil.com> +# Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection) +4 leshort 0xAF12 +# standard FLC always use 8 bit color +>12 leshort 8 FLC animation +!:mime video/x-flc +>>8 leshort x \b, %d +>>10 leshort x \bx%dx8 +>>6 uleshort x \b, %d frames +>>16 uleshort x \b, %dms per frame + +# DL animation format +# XXX - collision with most `mips' magic +# +# I couldn't find a real magic number for these, however, this +# -appears- to work. Note that it might catch other files, too, so be +# careful! +# +# Note that title and author appear in the two 20-byte chunks +# at decimal offsets 2 and 22, respectively, but they are XOR'ed with +# 255 (hex FF)! The DL format is really bad. +# +#0 byte 1 DL version 1, medium format (160x100, 4 images/screen) +#!:mime video/x-unknown +#>42 byte x - %d screens, +#>43 byte x %d commands +#0 byte 2 DL version 2 +#!:mime video/x-unknown +#>1 byte 1 - large format (320x200,1 image/screen), +#>1 byte 2 - medium format (160x100,4 images/screen), +#>1 byte >2 - unknown format, +#>42 byte x %d screens, +#>43 byte x %d commands +# Based on empirical evidence, DL version 3 have several nulls following the +# \003. Most of them start with non-null values at hex offset 0x34 or so. +#0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3 + +# iso 13818 transport stream +# +# from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 (ISO 13818.1) +# syncbyte 8 bit 0x47 +# error_ind 1 bit - +# payload_start 1 bit 1 +# priority 1 bit - +# PID 13 bit 0x0000 +# scrambling 2 bit - +# adaptfld_ctrl 2 bit 1 or 3 +# conti_count 4 bit - +0 belong&0xFF5FFF10 0x47400010 +>188 byte 0x47 MPEG transport stream data +!:mime video/MP2T +!:ext ts + +# Blu-ray disc Audio-Video MPEG-2 transport stream +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/MPEG_transport_stream +# Note: similar to ISO 13818.1 but with 4 extra bytes per packets +4 belong&0xFF5FFF10 =0x47400010 +>196 byte =0x47 BDAV MPEG-2 Transport Stream (M2TS) +!:mime video/MP2T +!:ext m2ts/mts + +# DIF digital video file format <mpruett@sgi.com> +0 belong&0xffffff00 0x1f070000 DIF +!:mime video/x-dv +>4 byte &0x01 (DVCPRO) movie file +>4 byte ^0x01 (DV) movie file +>3 byte &0x80 (PAL) +>3 byte ^0x80 (NTSC) + +# MNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/> +0 string \x8aMNG MNG video data, +!:mime video/x-mng +>4 belong !0x0d0a1a0a CORRUPTED, +>4 belong 0x0d0a1a0a +>>16 belong x %d x +>>20 belong x %d + +# JNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/> +0 string \x8bJNG JNG video data, +!:mime video/x-jng +>4 belong !0x0d0a1a0a CORRUPTED, +>4 belong 0x0d0a1a0a +>>16 belong x %d x +>>20 belong x %d + +# Vivo video (Wolfram Kleff) +3 string \x0D\x0AVersion:Vivo Vivo video data + +# ABC (alembic.io 3d models) +0 string 0gawa ABC 3d model + +#--------------------------------------------------------------------------- +# HVQM4: compressed movie format designed by Hudson for Nintendo GameCube +# From Mark Sheppard <msheppard@climax.co.uk>, 2002-10-03 +# +0 string HVQM4 %s +>6 string >\0 v%s +>0 byte x GameCube movie, +>0x34 ubeshort x %d x +>0x36 ubeshort x %d, +>0x26 ubeshort x %dus, +>0x42 ubeshort 0 no audio +>0x42 ubeshort >0 %dHz audio + +# From: Stefan A. Haubenthal <polluks@sdf.lonestar.org> +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/VOB +0 string DVDVIDEO-VTS Video title set, +!:mime video/x-ifo +!:ext ifo/bup +>0x21 byte x v%x +0 string DVDVIDEO-VMG Video manager, +!:mime video/x-ifo +!:ext ifo/bup +>0x21 byte x v%x + +# From: Stefan A. Haubenthal <polluks@sdf.lonestar.org> +0 string xMovieSetter MovieSetter movie +0 string xSceneEditor MovieSetter movie + +# From: Behan Webster <behanw@websterwood.com> +# NuppelVideo used by Mythtv (*.nuv) +# Note: there are two identical stanzas here differing only in the +# initial string matched. It used to be done with a regex, but we're +# trying to get rid of those. +0 string NuppelVideo MythTV NuppelVideo +>12 string x v%s +>20 lelong x (%d +>24 lelong x \bx%d), +>36 string P \bprogressive, +>36 string I \binterlaced, +>40 ledouble x \baspect:%.2f, +>48 ledouble x \bfps:%.2f +0 string MythTV MythTV NuppelVideo +>12 string x v%s +>20 lelong x (%d +>24 lelong x \bx%d), +>36 string P \bprogressive, +>36 string I \binterlaced, +>40 ledouble x \baspect:%.2f, +>48 ledouble x \bfps:%.2f + +# MPEG file +# MPEG sequences +# FIXME: This section is from the old magic.mime file and needs +# integrating with the rest +#0 belong 0x000001BA +#>4 byte &0x40 +#!:mime video/mp2p +#>4 byte ^0x40 +#!:mime video/mpeg +#0 belong 0x000001BB +#!:mime video/mpeg +#0 belong 0x000001B0 +#!:mime video/mp4v-es +#0 belong 0x000001B5 +#!:mime video/mp4v-es +#0 belong 0x000001B3 +#!:mime video/mpv +#0 belong&0xFF5FFF10 0x47400010 +#!:mime video/mp2t +#0 belong 0x00000001 +#>4 byte&0x1F 0x07 +#!:mime video/h264 + +# Type: Bink Video +# Extension: .bik +# URL: https://wiki.multimedia.cx/index.php?title=Bink_Container +# From: <hoehle@users.sourceforge.net> 2008-07-18 +0 name bik +#>4 ulelong x size %d +>20 ulelong x \b, %d +>24 ulelong x \bx%d +>8 ulelong x \b, %d frames +>32 ulelong x at rate %d/ +>28 ulelong >1 \b%d +>40 ulelong =0 \b, no audio +>40 ulelong !0 \b, %d audio track +>>40 ulelong !1 \bs +# follow properties of the first audio track only +>>48 uleshort x %dHz +>>51 byte&0x20 0 mono +>>51 byte&0x20 !0 stereo +#>>51 byte&0x10 0 FFT +#>>51 byte&0x10 !0 DCT + +0 string BIK +>3 regex =[bdfghi] Bink Video rev.%s +>>0 use bik + +0 string KB2 +>3 regex =[adfghi] Bink Video 2 rev.%s +>>0 use bik + +# Type: NUT Container +# URL: https://wiki.multimedia.cx/index.php?title=NUT +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +0 string nut/multimedia\ container\0 NUT multimedia container + +# Type: Nullsoft Video (NSV) +# URL: https://wiki.multimedia.cx/index.php?title=Nullsoft_Video +# From: Mike Melanson <mike@multimedia.cx> +0 string NSVf Nullsoft Video + +# Type: REDCode Video +# URL: https://www.red.com/ ; https://wiki.multimedia.cx/index.php?title=REDCode +# From: Mike Melanson <mike@multimedia.cx> +4 string RED1 REDCode Video + +# Type: MTV Multimedia File +# URL: https://wiki.multimedia.cx/index.php?title=MTV +# From: Mike Melanson <mike@multimedia.cx> +0 string AMVS MTV Multimedia File + +# Type: ARMovie +# URL: https://wiki.multimedia.cx/index.php?title=ARMovie +# From: Mike Melanson <mike@multimedia.cx> +0 string ARMovie\012 ARMovie + +# Type: Interplay MVE Movie +# URL: https://wiki.multimedia.cx/index.php?title=Interplay_MVE +# From: Mike Melanson <mike@multimedia.cx> +0 string Interplay\040MVE\040File\032 Interplay MVE Movie + +# Type: Windows Television DVR File +# URL: https://wiki.multimedia.cx/index.php?title=WTV +# From: Mike Melanson <mike@mutlimedia.cx> +# This takes the form of a Windows-style GUID +0 bequad 0xB7D800203749DA11 +>8 bequad 0xA64E0007E95EAD8D Windows Television DVR Media + +# Type: Sega FILM/CPK Multimedia +# URL: https://wiki.multimedia.cx/index.php?title=Sega_FILM +# From: Mike Melanson <mike@multimedia.cx> +0 string FILM Sega FILM/CPK Multimedia, +>32 belong x %d x +>28 belong x %d + +# Type: Nintendo THP Multimedia +# URL: https://wiki.multimedia.cx/index.php?title=THP +# From: Mike Melanson <mike@multimedia.cx> +0 string THP\0 Nintendo THP Multimedia + +# Type: BBC Dirac Video +# URL: https://wiki.multimedia.cx/index.php?title=Dirac +# From: Mike Melanson <mike@multimedia.cx> +0 string BBCD BBC Dirac Video + +# Type: RAD Game Tools Smacker Multimedia +# URL: https://wiki.multimedia.cx/index.php?title=Smacker +# From: Mike Melanson <mike@multimedia.cx> +0 string SMK RAD Game Tools Smacker Multimedia +>3 byte x version %c, +>4 lelong x %d x +>8 lelong x %d, +>12 lelong x %d frames + +# Material Exchange Format +# More information: +# https://en.wikipedia.org/wiki/Material_Exchange_Format +# http://www.freemxf.org/ +0 string \x06\x0e\x2b\x34\x02\x05\x01\x01\x0d\x01\x02\x01\x01\x02 Material exchange container format +!:ext mxf +!:mime application/mxf + +# Recognize LucasArts Smush video files (cf. +# https://wiki.multimedia.cx/index.php/Smush) +0 string ANIM +>8 string AHDR LucasArts Smush Animation Format (SAN) video +0 string SANM +>8 string SHDR LucasArts Smush v2 (SANM) video + +# Type: Scaleform video +# Extension: .usm +# URL: https://wiki.multimedia.cx/index.php/USM +# From: David Korth <gerbilsoft@gerbilsoft.com> +0 string CRID +>32 string @UTF Scaleform video + +# http://www.jerrysguide.com/tips/demystify-tvs-file-format.html +0 string TVS\015\012 +>&0 string Version\040 TeamViewer Session File +>>&0 string x \b, version %s + +# SER file format - simple uncompressed video format for astronomical use +# Initially developed by Lucam Recorder, +# as of 2021 maintained by Heiko Wilkens, Grischa Hahn +# Typical extensions: .SER +# http://www.grischa-hahn.homepage.t-online.de/astro/ser/SER%20Doc%20V3b.pdf +0 string LUCAM-RECORDER SER video sequence +!:ext ser +>18 lelong 0 \b, bayer: mono +>18 lelong 8 \b, bayer: RGGB +>18 lelong 9 \b, bayer: GRBG +>18 lelong 10 \b, bayer: GBRG +>18 lelong 11 \b, bayer: BGGR +>18 lelong 16 \b, bayer: CYYM +>18 lelong 17 \b, bayer: YCMY +>18 lelong 18 \b, bayer: YMCY +>18 lelong 19 \b, bayer: MYYC +>18 lelong 100 \b, bayer: RGB +>18 lelong 101 \b, bayer: BGR +>22 lelong 0 \b, big-endian +>22 lelong 1 \b, little-endian +>26 lelong x \b, width: %d +>30 lelong x \b, height: %d +>34 lelong x \b, %d bit +>38 lelong x \b, frames: %d + +# https://wiki.multimedia.cx/index.php/Duck_IVF +0 string DKIF Duck IVF video file +!:mime video/x-ivf +>4 leshort >0 \b, version %d +>8 string x \b, codec %s +>12 leshort x \b, %d +>14 leshort x \bx%d +>24 lelong >0 \b, %d frames diff --git a/magic/Magdir/aout b/magic/Magdir/aout new file mode 100644 index 0000000..69b6ec6 --- /dev/null +++ b/magic/Magdir/aout @@ -0,0 +1,46 @@ + +#------------------------------------------------------------------------------ +# $File: aout,v 1.1 2013/01/09 22:37:23 christos Exp $ +# aout: file(1) magic for a.out executable/object/etc entries that +# handle executables on multiple platforms. +# + +# +# Little-endian 32-bit-int a.out, merged from bsdi (for BSD/OS, from +# BSDI), netbsd, and vax (for UNIX/32V and BSD) +# +# XXX - is there anything we can look at to distinguish BSD/OS 386 from +# NetBSD 386 from various VAX binaries? The BSD/OS shared library flag +# works only for binaries using shared libraries. Grabbing the entry +# point from the a.out header, using it to find the first code executed +# in the program, and looking at that might help. +# +0 lelong 0407 a.out little-endian 32-bit executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses BSD/OS shared libs) + +0 lelong 0410 a.out little-endian 32-bit pure executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses BSD/OS shared libs) + +0 lelong 0413 a.out little-endian 32-bit demand paged pure executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses BSD/OS shared libs) + +# +# Big-endian 32-bit-int a.out, merged from sun (for old 68010 SunOS a.out), +# mips (for old 68020(!) SGI a.out), and netbsd (for old big-endian a.out). +# +# XXX - is there anything we can look at to distinguish old SunOS 68010 +# from old 68020 IRIX from old NetBSD? Again, I guess we could look at +# the first instruction or instructions in the program. +# +0 belong 0407 a.out big-endian 32-bit executable +>16 belong >0 not stripped + +0 belong 0410 a.out big-endian 32-bit pure executable +>16 belong >0 not stripped + +0 belong 0413 a.out big-endian 32-bit demand paged executable +>16 belong >0 not stripped + diff --git a/magic/Magdir/apache b/magic/Magdir/apache new file mode 100755 index 0000000..d896b50 --- /dev/null +++ b/magic/Magdir/apache @@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $ +# apache: file(1) magic for Apache Big Data formats + +# Avro files +0 string Obj Apache Avro +>3 byte x version %d + +# ORC files +# Important information is in file footer, which we can't index to :( +0 string ORC Apache ORC + +# Parquet files +0 string PAR1 Apache Parquet + +# Hive RC files +0 string RCF Apache Hive RC file +>3 byte x version %d + +# Sequence files (and the careless first version of RC file) + +0 string SEQ +>3 byte <6 Apache Hadoop Sequence file version %d +>3 byte >6 Apache Hadoop Sequence file version %d +>3 byte =6 +>>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0 +>>3 default x Apache Hadoop Sequence file version 6 diff --git a/magic/Magdir/apl b/magic/Magdir/apl new file mode 100644 index 0000000..d717e37 --- /dev/null +++ b/magic/Magdir/apl @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: apl,v 1.6 2009/09/19 16:28:07 christos Exp $ +# apl: file(1) magic for APL (see also "pdp" and "vax" for other APL +# workspaces) +# +0 long 0100554 APL workspace (Ken's original?) diff --git a/magic/Magdir/apple b/magic/Magdir/apple new file mode 100644 index 0000000..547b0ac --- /dev/null +++ b/magic/Magdir/apple @@ -0,0 +1,773 @@ + +#------------------------------------------------------------------------------ +# $File: apple,v 1.48 2023/05/01 14:20:21 christos Exp $ +# apple: file(1) magic for Apple file formats +# +0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text +0 string \x0aGL Binary II (apple ][) data +0 string \x76\xff Squeezed (apple ][) data +0 string NuFile NuFile archive (apple ][) data +0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data +0 belong 0x00051600 AppleSingle encoded Macintosh file +0 belong 0x00051607 AppleDouble encoded Macintosh file + +# Type: Apple Emulator A2R format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/a2r2-reference/ +# Ref: https://applesaucefdc.com/a2r/ +0 string A2R +>3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image +>3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image +>8 string INFO +>>49 byte 01 \b, 5.25″ SS 40trk +>>49 byte 02 \b, 3.5″ DS 80trk +>>49 byte 03 \b, 5.25″ DS 80trk +>>49 byte 04 \b, 5.25″ DS 40trk +>>49 byte 05 \b, 3.5″ DS 80trk +>>49 byte 06 \b, 8″ DS +>>50 byte 01 \b, write protected +>>51 byte 01 \b, cross track synchronized +>>17 string/T x \b, %.32s + +# Type: Apple Emulator WOZ format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/woz/reference/ +# Ref: https://applesaucefdc.com/woz/reference2/ +0 string WOZ +>3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image +>12 string INFO +>>21 byte 01 \b, 5.25 inch +>>21 byte 02 \b, 3.5 inch +>>22 byte 01 \b, write protected +>>23 byte 01 \b, cross track synchronized +>>25 string/T x \b, %.32s + +# Type: Apple Macintosh Emulator MOOF format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/moof-reference/ +0 string MOOF +>4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image +>12 string INFO +>>21 byte 01 \b, SSDD GCR (400K) +>>21 byte 02 \b, DSDD GCR (800K) +>>21 byte 03 \b, DSHD MFM (1.44M) +>>22 byte 01 \b, write protected +>>23 byte 01 \b, cross track synchronized +>>25 string/T x \b, %.32s + +# Type: Apple Emulator disk images +# From: Greg Wildman <greg@apple2.org.za> +# ProDOS boot loader? +0 string \x01\x38\xB0\x03\x4C Apple ProDOS Image +# Detect Volume Directory block ($02) +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +# ProDOS ordered ? +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# Proboot HD +0 string \x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\xA8\x8A\x20\x7B\xF8\x29\x07\x09\xC0\x99\x30 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x4A\xD0\x34\xE6\x3D\x8A\x20\x7B\xF8\x09\xC0 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# ProDOS formatted +0 string \x01\xBD\x88\xC0\x20\x2F\xFB\x20\x58\xFC\x20\x40 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x38\xB0\x03\x4C\x1C\x09\x78\x86\x43\xC9\x03 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# DOS3 boot loader +0 string \x01\xA5\x27\xC9\x09\xD0 +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Image +>>0x11006 ubyte x \b, Volume #%03u +>>0x11034 ubyte x \b, %u Tracks +>>0x11035 ubyte x \b, %u Sectors +>>0x11036 uleshort x \b, %u bytes per sector +# +# DOS3 uninitialized disk +0 string \x01\xA6\x2B\xBD\x88\xC0\x8A\x4A\x4A +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Unbootable Image +>>>0x11006 ubyte x \b, Volume #%03u +>>>0x11034 ubyte x \b, %u Tracks +>>>0x11035 ubyte x \b, %u Sectors +>>>0x11036 uleshort x \b, %u bytes per sector +# +# Pascal boot loader? +0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD +>0xd6 pstring SYSTEM.APPLE +>>0xb00 leshort 0x0000 +>>>0xb04 leshort 0x0000 Apple Pascal Image +>>>>0xb06 pstring x \b, Volume %s: +>>>>0xb0e leshort x \b, %u Blocks +>>>>0xb10 leshort x \b, %u Files +# +# Diversi Dos boot loader? +0 string \x01\xA8\xAD\x81\xC0\xEE\x09\x08\xAD +>0x11001 string \x11\x0F\x03 Apple Diversi Dos Image +>>0x11006 byte x \b, Volume %u +>>0x11034 byte x \b, %u Tracks +>>0x11035 byte x \b, %u Sectors +>>0x11036 leshort x \b, %u bytes per sector + +# Type: Apple Emulator 2IMG format +# From: Radek Vokal <rvokal@redhat.com> +# Update: Greg Wildman <greg@apple2.org.za> +0 string 2IMG Apple ][ 2IMG Disk Image +>4 clear x +>4 string XGS! \b, XGS +>4 string CTKG \b, Catakig +>4 string ShIm \b, Sheppy's ImageMaker +>4 string SHEP \b, Sheppy's ImageMaker +>4 string WOOF \b, Sweet 16 +>4 string B2TR \b, Bernie ][ the Rescue +>4 string \!nfc \b, ASIMOV2 +>4 string \>BD\< \b, Brutal Deluxe's Cadius +>4 string CdrP \b, CiderPress +>4 string Vi][ \b, Virtual ][ +>4 string PRFS \b, ProFUSE +>4 string FISH \b, FishWings +>4 string RVLW \b, Revival for Windows +>4 default x +>>4 string x \b, Creator tag "%-4.4s" +>0xc byte 00 \b, DOS 3.3 sector order +>>0x10 byte 00 \b, Volume 254 +>>0x10 byte&0x7f x \b, Volume %u +>0xc byte 01 \b, ProDOS sector order +# Detect Volume Directory block ($02) + 2mg header offset +>>0x440 string \x00\x00\x03\x00 +>>>0x444 byte &0xF0 +>>>>0x445 string x \b, Volume /%s +>>>>0x469 uleshort x \b, %u Blocks +>0xc byte 02 \b, NIB data + +# Type: Peter Ferrie QBoot +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/qboot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image + +# Type: Peter Ferrie 0Boot +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/0boot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image + +# Different proprietary boot sectors +0 string \x01\x0F\x21\x74\x00\x01\x6B\x00\x02\x30\x81\x5D Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xA2\x00\x8E\x78\x04\x8E\xF4\x03 Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xAD\x51\xC0\xAD\x54\xC0\xA6\x2B Apple ][ Disk Image +0 string \x01\x20\x89\xFE\x20\x93\xFE\xA6\x2B\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x25\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x2D\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x38\x90\x2A\xC9\x01\xF0\x33\xA8\xC8\xC0\x10 Apple ][ Disk Image +0 string \x01\x38\xB0\x03\x4C\x32\xA1\x87\x43\xC9\x03\x08 Apple ][ Disk Image +0 string \x01\x4C\x04\x08\xA9\x2A\x8D\x02\x08\x86\x2B\xEE Apple ][ Disk Image +0 string \x01\x4C\x60\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x4C\x92\x08\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\x4C\xB3\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x8D\xFB\x03\x8E\xFC\x03\x8C\xFD\x03\x8A\x29 Apple ][ Disk Image +0 string \x01\xA2\xFF\x9A\xD8\x20\x20\x08\x20\x34\x08\xAD Apple ][ Disk Image +0 string \x01\xA5\x27\xBD\x88\xC0\x2C\x10\xC0\xA2\x00\xA9 Apple ][ Disk Image +0 string \x01\xA5\x2B\xAE\x51\xC0\xEA\xAA\xBD\x88\xC0\x20 Apple ][ Disk Image +0 string \x01\xA6\x27\xBD\x0B\x08\x48\xBD\x0A\x08\x48\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x01\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x25\x85 Apple ][ Disk Image +0 string \x01\xA8\xC0\x0F\x90\x16\xF0\x12\xA0\xFF\x18\xAD Apple ][ Disk Image +0 string \x01\xA9\x00\x85\xF0\xA9\x04\x85\xF1\xA0\x00\xA9 Apple ][ Disk Image +0 string \x01\xA9\x5C\x8D\xF2\x03\xA9\xC6\x8D\xF3\x03\x49 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x2F\xFB\x20\x58\xFC Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x49\x08\xA9\x0A\x85 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x2C\x82\xC0\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x86\x43\x8A\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\x86\xFF\xB5\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xB2\x8D\xF2\x03\xA9 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xFF\x8D\xF3\x03\x8D Apple ][ Disk Image +0 string \x01\xAC\x00\x08\xF0\x19\xB9\x30\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAC\x23\x08\x30\x2E\xB9\x24\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAD\x00\x08\xC9\x09\xB0\x20\x69\x02\x8D\x00 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\x86\x2B\x8A\x4A Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\xA9\xF5\x8D\xF2 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3F\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x48\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x09\xC0\x8D Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x8D\x2F\x08 Apple ][ Disk Image +0 string \x01\xD8\x2C\x81\xC0\xA9\x60\x4D\x58\xFF\xD0\xFE Apple ][ Disk Image +0 string \x01\xD8\x78\xBD\x88\xC0\xA9\xFD\x85\x37\x85\x39 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\x16\x09\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xCB\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEE\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEF\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x70\xB0\x04\xE0\x40\xB0\x39\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xEA\x8D\xF4\x03\xA9\x60\x9D\x88\xC0\x8D\x51 Apple ][ Disk Image + +# magic for Newton PDA package formats +# from Ruda Moura <ruda@helllabs.org> +0 string package0 Newton package, NOS 1.x, +>12 belong &0x80000000 AutoRemove, +>12 belong &0x40000000 CopyProtect, +>12 belong &0x10000000 NoCompression, +>12 belong &0x04000000 Relocation, +>12 belong &0x02000000 UseFasterCompression, +>16 belong x version %d + +0 string package1 Newton package, NOS 2.x, +>12 belong &0x80000000 AutoRemove, +>12 belong &0x40000000 CopyProtect, +>12 belong &0x10000000 NoCompression, +>12 belong &0x04000000 Relocation, +>12 belong &0x02000000 UseFasterCompression, +>16 belong x version %d + +0 string package4 Newton package, +>8 byte 8 NOS 1.x, +>8 byte 9 NOS 2.x, +>12 belong &0x80000000 AutoRemove, +>12 belong &0x40000000 CopyProtect, +>12 belong &0x10000000 NoCompression, + +# The following entries for the Apple II are for files that have +# been transferred as raw binary data from an Apple, without having +# been encapsulated by any of the above archivers. +# +# In general, Apple II formats are hard to identify because Apple DOS +# and especially Apple ProDOS have strong typing in the file system and +# therefore programmers never felt much need to include type information +# in the files themselves. +# +# Eric Fischer <enf@pobox.com> + +# AppleWorks word processor: +# URL: https://en.wikipedia.org/wiki/AppleWorks +# Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx +# Update: Joerg Jenderek +# NOTE: +# The "O" is really the magic number, but that's so common that it's +# necessary to check the tab stops that follow it to avoid false positives. +# and/or look for unused bits of booleans bytes like zoom, paginated, mail merge +# the newer AppleWorks is from claris with extension CWK +4 string O +# test for unused bits of zoom- , paginated-boolean bytes +>84 ubequad ^0x00Fe00000000Fe00 +# look for tabstop definitions "=" no tab, "|" no tab +# "<" left tab,"^" center tab,">" right tab, "." decimal tab, +# unofficial "!" other , "\x8a" other +# official only if SFMinVers is nonzero +>>5 regex/s [=.<>|!^\x8a]{79} AppleWorks Word Processor +# AppleWorks Word Processor File (Apple II) +# ./apple (version 5.25) labeled the entry as "AppleWorks word processor data" +# application/x-appleworks is mime type for claris version with cwk extension +!:mime application/x-appleworks3 +# http://home.earthlink.net/~hughhood/appleiiworksenvoy/ +# ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type') +# $70 $1A $F8 $FF is this the apple type ? +#:apple pdosp^Z\xf8\xff +!:ext awp +# minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) +>>>183 ubyte 30 3.0 +>>>183 ubyte !30 +>>>>183 ubyte !0 %#x +# usual tabstop start sequence "=====<" +>>>5 string x \b, tabstop ruler "%6.6s" +# tabstop ruler +#>>>5 string >\0 \b, tabstops "%-79s" +# zoom switch +>>>85 byte&0x01 >0 \b, zoomed +# whether paginated +>>>90 byte&0x01 >0 \b, paginated +# contains any mail-merge commands +>>>92 byte&0x01 >0 \b, with mail merge +# left margin in 1/10 inches ( normally 0 or 10 ) +>>>91 ubyte >0 +>>>>91 ubyte x \b, %d/10 inch left margin + +# AppleWorks database: +# +# This isn't really a magic number, but it's the closest thing to one +# that I could find. The 1 and 2 really mean "order in which you defined +# categories" and "left to right, top to bottom," respectively; the D and R +# mean that the cursor should move either down or right when you press Return. + +#30 string \x01D AppleWorks database data +#30 string \x02D AppleWorks database data +#30 string \x01R AppleWorks database data +#30 string \x02R AppleWorks database data + +# AppleWorks spreadsheet: +# +# Likewise, this isn't really meant as a magic number. The R or C means +# row- or column-order recalculation; the A or M means automatic or manual +# recalculation. + +#131 string RA AppleWorks spreadsheet data +#131 string RM AppleWorks spreadsheet data +#131 string CA AppleWorks spreadsheet data +#131 string CM AppleWorks spreadsheet data + +# Applesoft BASIC: +# +# This is incredibly sloppy, but will be true if the program was +# written at its usual memory location of 2048 and its first line +# number is less than 256. Yuck. +# update by Joerg Jenderek at Feb 2013 + +# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) +#0 belong&0xff00ff 0x80000 Applesoft BASIC program data +0 belong&0x00ff00ff 0x00080000 +# assuming that line number must be positive +>2 leshort >0 Applesoft BASIC program data, first line number %d +#>2 leshort x \b, first line number %d + +# ORCA/EZ assembler: +# +# This will not identify ORCA/M source files, since those have +# some sort of date code instead of the two zero bytes at 6 and 7 +# XXX Conflicts with ELF +#4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data +#>5 byte x \b, build number %d + +# Broderbund Fantavision +# +# I don't know what these values really mean, but they seem to recur. +# Will they cause too many conflicts? + +# Probably :-) +#2 belong&0xFF00FF 0x040008 Fantavision movie data + +# Some attempts at images. +# +# These are actually just bit-for-bit dumps of the frame buffer, so +# there's really no reasonably way to distinguish them except for their +# address (if preserved) -- 8192 or 16384 -- and their length -- 8192 +# or, occasionally, 8184. +# +# Nevertheless this will manage to catch a lot of images that happen +# to have a solid-colored line at the bottom of the screen. + +# GRR: Magic too weak +#8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background +#8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background +#8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background +#8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background +#8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background + +# Beagle Bros. Apple Mechanic fonts + +0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font + +# Apple Universal Disk Image Format (UDIF) - dmg files. +# From Johan Gade. +# These entries are disabled for now until we fix the following issues. +# +# Note there might be some problems with the "VAX COFF executable" +# entry. Note this entry should be placed before the mac filesystem section, +# particularly the "Apple Partition data" entry. +# +# The intended meaning of these tests is, that the file is only of the +# specified type if both of the lines are correct - i.e. if the first +# line matches and the second doesn't then it is not of that type. +# +#0 long 0x7801730d +#>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) +# +# Note that this entry is recognized correctly by the "Apple Partition +# data" entry - however since this entry is more specific - this +# information seems to be more useful. +#0 long 0x45520200 +#>0x410 string disk\ image UDIF read/write image (UDRW) + +# From: Toby Peterson <toby@apple.com> +# From https://www.nationalarchives.gov.uk/pronom/fmt/866 +0 string bplist00 +>8 search/500 WebMainResource Apple Safari Webarchive +!:mime application/x-webarchive +!:strength +50 +0 string bplist00 Apple binary property list +!:mime application/x-bplist + +# Apple binary property list (bplist) +# Assumes version bytes are hex. +# Provides content hints for version 0 files. Assumes that the root +# object is the first object (true for CoreFoundation implementation). +# From: David Remahl <dremahl@apple.com> +0 string bplist +>6 byte x \bCoreFoundation binary property list data, version %#c +>>7 byte x \b%c +>6 string 00 \b +>>8 byte&0xF0 0x00 \b +>>>8 byte&0x0F 0x00 \b, root type: null +>>>8 byte&0x0F 0x08 \b, root type: false boolean +>>>8 byte&0x0F 0x09 \b, root type: true boolean +>>8 byte&0xF0 0x10 \b, root type: integer +>>8 byte&0xF0 0x20 \b, root type: real +>>8 byte&0xF0 0x30 \b, root type: date +>>8 byte&0xF0 0x40 \b, root type: data +>>8 byte&0xF0 0x50 \b, root type: ascii string +>>8 byte&0xF0 0x60 \b, root type: unicode string +>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) +>>8 byte&0xF0 0xa0 \b, root type: array +>>8 byte&0xF0 0xd0 \b, root type: dictionary + +# Apple/NeXT typedstream data +# Serialization format used by NeXT and Apple for various +# purposes in YellowStep/Cocoa, including some nib files. +# From: David Remahl <dremahl@apple.com> +2 string typedstream NeXT/Apple typedstream data, big endian +>0 byte x \b, version %d +>0 byte <5 \b +>>13 byte 0x81 \b +>>>14 ubeshort x \b, system %d +2 string streamtyped NeXT/Apple typedstream data, little endian +>0 byte x \b, version %d +>0 byte <5 \b +>>13 byte 0x81 \b +>>>14 uleshort x \b, system %d + +#------------------------------------------------------------------------------ +# CAF: Apple CoreAudio File Format +# +# Container format for high-end audio purposes. +# From: David Remahl <dremahl@apple.com> +# +0 string caff CoreAudio Format audio file +>4 beshort <10 version %d +>6 beshort x + + +#------------------------------------------------------------------------------ +# Keychain database files +0 string kych Mac OS X Keychain File + +#------------------------------------------------------------------------------ +# Code Signing related file types +0 belong 0xfade0c00 Mac OS X Code Requirement +>8 belong 1 (opExpr) +>4 belong x - %d bytes + +0 belong 0xfade0c01 Mac OS X Code Requirement Set +>8 belong >1 containing %d items +>4 belong x - %d bytes + +0 belong 0xfade0c02 Mac OS X Code Directory +>8 belong x version %x +>12 belong >0 flags %#x +>4 belong x - %d bytes + +0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) +>4 belong x - %d bytes + +0 belong 0xfade0cc1 Mac OS X Detached Code Signature +>8 belong >1 (%d elements) +>4 belong x - %d bytes + +# From: "Nelson A. de Oliveira" <naoliv@gmail.com> +# .vdi +4 string innotek\ VirtualBox\ Disk\ Image %s + +# Apple disk partition stuff +# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map +# Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h +# Update: Joerg Jenderek +# "ER" is APPLE_DRVR_MAP_MAGIC signature +0 beshort 0x4552 +# display Apple Driver Map (strength=50) after Syslinux bootloader (71) +#!:strength +0 +# strengthen the magic by looking for used blocksizes 512 2048 +>2 ubeshort&0xf1FF 0 Apple Driver Map +# last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid +#>>504 ubequad&0x0000FFffFFff0000 0 +!:mime application/x-apple-diskimage +!:apple ????devr +# https://en.wikipedia.org/wiki/Apple_Disk_Image +!:ext dmg/iso +# sbBlkSize for driver descriptor map 512 2048 +>>2 beshort x \b, blocksize %d +# sbBlkCount sometimes garbish like +# 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg +# 0xf2720100 for bunziped Firefox 48.0-2.dmg +# 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso +# 0x00009090 by syslinux-6.03/utils/isohybrid.c +>>4 ubelong x \b, blockcount %u +# following device/driver information not very useful +# device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) +>>8 ubeshort x \b, devtype %u +# device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) +>>10 ubeshort x \b, devid %u +# driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) +>>12 ubelong >0 +>>>12 ubelong x \b, driver data %u +# number of driver descriptors sbDrvrCount <= 61 +# (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) +>>16 ubeshort x \b, driver count %u +# 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map +# >>18 use apple-driver-map +# >>26 use apple-driver-map +# # ... +# >>500 use apple-driver-map +# number of partitions is always same in every partition (map block count) +#>>0x0204 ubelong x \b, %u partitions +>>0x0204 ubelong >0 \b, contains[@0x200]: +>>>0x0200 use apple-apm +>>0x0204 ubelong >1 \b, contains[@0x400]: +>>>0x0400 use apple-apm +>>0x0204 ubelong >2 \b, contains[@0x600]: +>>>0x0600 use apple-apm +>>0x0204 ubelong >3 \b, contains[@0x800]: +>>>0x0800 use apple-apm +>>0x0204 ubelong >4 \b, contains[@0xA00]: +>>>0x0A00 use apple-apm +>>0x0204 ubelong >5 \b, contains[@0xC00]: +>>>0x0C00 use apple-apm +>>0x0204 ubelong >6 \b, contains[@0xE00]: +>>>0x0E00 use apple-apm +>>0x0204 ubelong >7 \b, contains[@0x1000]: +>>>0x1000 use apple-apm +# display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) +0 name apple-driver-map +>0 ubequad !0 +# descBlock first block of driver +>>0 ubelong x \b, driver start block %u +# descSize driver size in blocks +>>4 ubeshort x \b, size %u +# descType driver system type 1 701h F8FFh FFFFh +>>6 ubeshort x \b, type %#x + +# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map +# Reference: https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h +# Update: Joerg Jenderek +# Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the +# magic stronger. +# for apple partition map stored as a single file +0 belong 0x504d0000 +# to display Apple Partition Map (strength=70) after Syslinux bootloader (71) +#!:strength +0 +>0 use apple-apm +# magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file: could not find any valid magic files! +#!:ext bin +# display apple partition map. Normally called after Apple driver map +0 name apple-apm +>0 belong 0x504d0000 Apple Partition Map +# number of partitions +>>4 ubelong x \b, map block count %u +# logical block (512 bytes) start of partition +>>8 ubelong x \b, start block %u +>>12 ubelong x \b, block count %u +>>16 string >0 \b, name %s +>>48 string >0 \b, type %s +# processor type dpme_process_id[16] e.g. "68000" "68020" +>>120 string >0 \b, processor %s +# A/UX boot arguments BootArgs[128] +>>136 string >0 \b, boot arguments %s +# status of partition dpme_flags +>>88 belong & 1 \b, valid +>>88 belong & 2 \b, allocated +>>88 belong & 4 \b, in use +>>88 belong & 8 \b, has boot info +>>88 belong & 16 \b, readable +>>88 belong & 32 \b, writable +>>88 belong & 64 \b, pic boot code +>>88 belong & 128 \b, chain compatible driver +>>88 belong & 256 \b, real driver +>>88 belong & 512 \b, chain driver +# mount automatically at startup APPLE_PS_AUTO_MOUNT +>>88 ubelong &0x40000000 \b, mount at startup +# is the startup partition APPLE_PS_STARTUP +>>88 ubelong &0x80000000 \b, is the startup partition + +#https://wiki.mozilla.org/DS_Store_File_Format +#https://en.wikipedia.org/wiki/.DS_Store +0 string \0\0\0\1Bud1\0 Apple Desktop Services Store + +# HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015) +# Usually not in separate files, but have either filename rsrc with +# no extension, or a filename corresponding to another file, with +# extensions rsr/rsrc +# URL: http://fileformats.archiveteam.org/wiki/Macintosh_resource_file +# https://en.wikipedia.org/wiki/Resource_fork +# Reference: https://github.com/kreativekorp/ksfl/wiki/Macintosh-Resource-File-Format +# http://developer.apple.com/legacy/mac/library/documentation/mac/pdf/MoreMacintoshToolbox.pdf +# https://formats.kaitai.io/resource_fork/ +# Update: Joerg Jenderek +# Note: verified often by command like `deark -m macrsrc Icon_.rsrc` +# offset of resource data; usually starts at offset 0x0100 +0 string \000\000\001\000 +# skip NPETraceSession.etl with invalid "low" map offset 0 +>4 ubelong >0xFF +# skip few Atari DEGAS Elite bitmap (eil2.pi1 nastro.pi1) with ivalid "high" 0x6550766 0x7510763 map length +>>12 ubelong <0x8001 +# most examples with zeroed system reserved field +>>>16 lelong =0 +>>>>0 use apple-rsr +# few samples with not zeroed system reserved field like: Empty.rsrc.rsr OpenSans-CondBold.dfont +>>>16 lelong !0 +# resource fork variant with not zeroed system reserved field and copy of header +>>>>(4.L) ubelong 0x100 +# GRR: the line above only works if in ../../src/file.h FILE_BYTES_MAX is raised from 1 MiB above 0x6ab0f4 (HelveticaNeue.dfont) +>>>>>0 use apple-rsr +# data fork variant with not zeroed system reserved field and no copy of header +>>>>(4.L) ubelong 0 +>>>>>0 use apple-rsr +# Note: moved and merged from ./macintosh +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +# display information about Mac OSX datafork font DFONT +0 name apple-dfont +>(4.L+30) ubelong x Mac OSX datafork font, +# https://en.wikipedia.org/wiki/Datafork_TrueType +!:mime application/x-dfont +!:ext dfont +# https://exiftool.org/TagNames/RSRC.html +>(4.L+30) ubelong 0x73666e74 TrueType +>(4.L+30) ubelong 0x464f4e54 'FONT' +>(4.L+30) ubelong 0x4e464e54 'NFNT' +>(4.L+30) ubelong 0x504f5354 PostScript +>(4.L+30) ubelong 0x464f4e44 'FOND' +>(4.L+30) ubelong 0x76657273 'vers' +# display information about Macintosh resource +0 name apple-rsr +>(4.L+30) ubelong 0x73666e74 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x4e464e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x504f5354 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e44 +>>0 use apple-dfont +>(4.L+30) ubelong 0x76657273 +>>0 use apple-dfont +>(4.L+30) default x Apple HFS/HFS+ resource fork +#!:mime application/octet-stream +!:mime application/x-apple-rsr +!:ext rsrc/rsr +# offset to resource data; usually starts at offset 0x0100 +>0 ubelong !0x100 \b, data offset %#x +# offset to resource map; positive but not nil like in NPETraceSession.etl +>4 ubelong x \b, map offset %#x +# length of resource map; positive with 32K limitation but not +# nil like in NPETraceSession.etl or high like 0x7510763 in nastro.pi1 +>12 ubelong x \b, map length %#x +# length of resource data; positive but not nil like in NPETraceSession.etl +>8 ubelong x \b, data length %#x +# reserved 112 bytes for system use; apparently often nil, but 8fd20000h in Empty.rsrc.rsr and 0x00768c2b in OpenSans-CondBold.dfont +>16 ubelong !0 \b, at 16 %#8.8x +# https://fontforge.org/docs/techref/macformats.html +# jump to resource map +# a copy of resource header or 16 bytes of zeros for data fork +#>(4.L) ubelong x \b, DATA offset %#x +#>(4.L+4) ubelong x \b, MAP offset %#x +#>(4.L+8) ubelong x \b, DATA length %#x +#>(4.L+12) ubelong x \b, MAP length %#x +# nextResourceMap; handle to next resource map; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+16) ubelong !0 \b, nextResourceMap %#x +# fileRef; file reference number; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+20) ubeshort !0 \b, fileRef %#x +# attributes; Resource fork attributes (80h~read-only 40h~compression needed 20h~changed); other bits are reserved and should be zero +>(4.L+22) ubeshort !0 \b, attributes %#x +# typeListOffset; offset from resource map to start of type list like: 1Ch +>(4.L+24) ubeshort x \b, list offset %#x +# nameListOffset; offset from esource map to start of name list like: 32h 46h 56h (XLISP.RSR XLISPTIN.RSR) 13Eh (HelveticaNeue.dfont) +>(4.L+26) ubeshort x \b, name offset %#x +# typeCount; number of types in the map minus 1; If there are no resources, this is 0xFFFF +>(4.L+28) beshort+1 >0 \b, %u type +# plural s +>>(4.L+28) beshort+1 >1 \bs +# resource type list array; 1st resource type like: ALRT CODE FOND MPSR icns scsz +>>(4.L+30) ubelong x \b, %#x +>>(4.L+30) string x '%-.4s' +# resourceCount; number of this type resources minus one. If there is one resource of this type, this is 0x0000 +>>(4.L+34) beshort+1 x * %d +# resourceListOffset; offset from type list to resource list like: Ah 12h DAh +>(4.L+36) ubeshort x resource offset %#x + +#https://en.wikipedia.org/wiki/AppleScript +0 string FasdUAS AppleScript compiled + +# AppleWorks/ClarisWorks +# https://github.com/joshenders/appleworks_format +# http://fileformats.archiveteam.org/wiki/AppleWorks +0 name appleworks +>0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document +>0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document +>0 default x +>>0 belong x AppleWorks/ClarisWorks CWK Document +>0 byte x \b, version %d +>30 beshort x \b, %d +>32 beshort x \bx%d +!:ext cwk + +4 string BOBO +>0 byte >4 +>>12 belong 0 +>>>26 belong 0 +>>>>0 use appleworks +>0 belong 0x0481ad00 +>>0 use appleworks + +# magic for Apple File System (APFS) +# from Alex Myczko <alex@aiei.ch> +32 string NXSB Apple File System (APFS) +>36 ulelong x \b, blocksize %u + +# iTunes cover art (versions 1 and 2) +4 string itch +>24 string artw +>>0x1e8 string data iTunes cover art +>>>0x1ed string PNG (PNG) +>>>0x1ec beshort 0xffd8 (JPEG) + +# MacPaint image +65 string PNTGMPNT MacPaint image data +#0 belong 2 MacPaint image data diff --git a/magic/Magdir/application b/magic/Magdir/application new file mode 100644 index 0000000..f316608 --- /dev/null +++ b/magic/Magdir/application @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: application,v 1.1 2016/10/17 12:13:01 christos Exp $ +# application: file(1) magic for applications on small devices +# +# Pebble Application +0 string PBLAPP\000\000 Pebble application diff --git a/magic/Magdir/applix b/magic/Magdir/applix new file mode 100644 index 0000000..f3f362e --- /dev/null +++ b/magic/Magdir/applix @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: applix,v 1.5 2009/09/19 16:28:08 christos Exp $ +# applix: file(1) magic for Applixware +# From: Peter Soos <sp@osb.hu> +# +0 string *BEGIN Applixware +>7 string WORDS Words Document +>7 string GRAPHICS Graphic +>7 string RASTER Bitmap +>7 string SPREADSHEETS Spreadsheet +>7 string MACRO Macro +>7 string BUILDER Builder Object diff --git a/magic/Magdir/apt b/magic/Magdir/apt new file mode 100644 index 0000000..2d9f159 --- /dev/null +++ b/magic/Magdir/apt @@ -0,0 +1,52 @@ + +#------------------------------------------------------------------------------ +# $File: apt,v 1.1 2016/10/17 19:51:57 christos Exp $ +# apt: file(1) magic for APT Cache files +# <http://www.fifi.org/doc/libapt-pkg-doc/cache.html/ch2.html> +# <https://anonscm.debian.org/cgit/apt/apt.git/tree/apt-pkg/pkgcache.h#n292> + +# before version 10 ("old format"), data was in arch-specific long/short + +# old format 64 bit +0 name apt-cache-64bit-be +>12 beshort 1 \b, dirty +>40 bequad x \b, %llu packages +>48 bequad x \b, %llu versions + +# old format 32 bit +0 name apt-cache-32bit-be +>8 beshort 1 \b, dirty +>40 belong x \b, %u packages +>44 belong x \b, %u versions + +# new format +0 name apt-cache-be +>6 byte 1 \b, dirty +>24 belong x \b, %u packages +>28 belong x \b, %u versions + +0 bequad 0x98FE76DC +>8 ubeshort <10 APT cache data, version %u +>>10 beshort x \b.%u, 64 bit big-endian +>>0 use apt-cache-64bit-be + +0 lequad 0x98FE76DC +>8 uleshort <10 APT cache data, version %u +>>10 leshort x \b.%u, 64 bit little-endian +>>0 use \^apt-cache-64bit-be + +0 belong 0x98FE76DC +>4 ubeshort <10 APT cache data, version %u +>>6 ubeshort x \b.%u, 32 bit big-endian +>>0 use apt-cache-32bit-be +>4 ubyte >9 APT cache data, version %u +>>5 ubyte x \b.%u, big-endian +>>0 use apt-cache-be + +0 lelong 0x98FE76DC +>4 uleshort <10 APT cache data, version %u +>>6 uleshort x \b.%u, 32 bit little-endian +>>0 use \^apt-cache-32bit-be +>4 ubyte >9 APT cache data, version %u +>>5 ubyte x \b.%u, little-endian +>>0 use \^apt-cache-be diff --git a/magic/Magdir/archive b/magic/Magdir/archive new file mode 100644 index 0000000..6e1f967 --- /dev/null +++ b/magic/Magdir/archive @@ -0,0 +1,2607 @@ +#------------------------------------------------------------------------------ +# $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $ +# archive: file(1) magic for archive formats (see also "msdos" for self- +# extracting compressed archives) +# +# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. +# pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c. + +# POSIX tar archives +# URL: https://en.wikipedia.org/wiki/Tar_(computing) +# Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current +# header mainly padded with nul bytes +500 quad 0 +!:strength /2 +# filename or extended attribute printable strings in range space null til umlaut ue +>0 ubeshort >0x1F00 +>>0 ubeshort <0xFCFD +# last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad +# at https://sourceforge.net/projects/s-tar/files/testscripts/ +>>>508 ubelong&0x8B9E8DFF 0 +# nul, space or ascii digit 0-7 at start of mode +>>>>100 ubyte&0xC8 =0 +>>>>>101 ubyte&0xC8 =0 +# nul, space at end of check sum +>>>>>>155 ubyte&0xDF =0 +# space or ascii digit 0 at start of check sum +>>>>>>>148 ubyte&0xEF =0x20 +# FOR DEBUGGING: +#>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s" +# check for 1st image main name with digits used for sorting +# and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP +>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) +>>>>>>>>>0 use tar-cbt +# check for 1st member name with ovf suffix +>>>>>>>>0 regex \^.{1,96}[.](ovf) +>>>>>>>>>0 use tar-ova +# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive +>>>>>>>>0 default x +>>>>>>>>>0 use tar-file +# minimal check and then display tar archive information which can also be +# embedded inside others like Android Backup, Clam AntiVirus database +0 name tar-file +>257 string !ustar +# header padded with nuls +>>257 ulong =0 +# GNU tar version 1.29 with non pax format option without refusing +# creates misleading V7 header for Long path, Multi-volume, Volume type +>>>156 ubyte 0x4c GNU tar archive +!:mime application/x-gtar +!:ext tar/gtar +>>>156 ubyte 0x4d GNU tar archive +!:mime application/x-gtar +!:ext tar/gtar +>>>156 ubyte 0x56 GNU tar archive +!:mime application/x-gtar +!:ext tar/gtar +>>>156 default x tar archive (V7) +!:mime application/x-tar +!:ext tar +# other stuff in padding +# some implementations add new fields to the blank area at the end of the header record +# created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option +>>257 ulong !0 tar archive (old) +!:mime application/x-tar +!:ext tar +# magic in newer, GNU, posix variants +>257 string =ustar +# 2 last char of magic and UStar version because string expression does not work +# 2 space characters followed by a null for GNU variant +>>261 ubelong =0x72202000 POSIX tar archive (GNU) +!:mime application/x-gtar +!:ext tar/gtar +# UStar version with ASCII "00" +>>261 ubelong 0x72003030 POSIX +# gLOBAL and ExTENSION type only found in POSIX.1-2001 format +>>>156 ubyte 0x67 \b.1-2001 +>>>156 ubyte 0x78 \b.1-2001 +>>>156 ubyte x tar archive +!:mime application/x-ustar +!:ext tar/ustar +# version with 2 binary nuls embedded in Android Backup like com.android.settings.ab +>>261 ubelong 0x72000000 tar archive (ustar) +!:mime application/x-ustar +!:ext tar/ustar +# not seen ustar variant with garbish version +>>261 default x tar archive (unknown ustar) +!:mime application/x-ustar +!:ext tar/ustar +# type flag of 1st tar archive member +#>156 ubyte x \b, %c-type +>156 ubyte x +>>156 ubyte 0 \b, file +>>156 ubyte 0x30 \b, file +>>156 ubyte 0x31 \b, hard link +>>156 ubyte 0x32 \b, symlink +>>156 ubyte 0x33 \b, char device +>>156 ubyte 0x34 \b, block device +>>156 ubyte 0x35 \b, directory +>>156 ubyte 0x36 \b, fifo +>>156 ubyte 0x37 \b, reserved +>>156 ubyte 0x4c \b, long path +>>156 ubyte 0x4d \b, multi volume +>>156 ubyte 0x56 \b, volume +>>156 ubyte 0x67 \b, global +>>156 ubyte 0x78 \b, extension +>>156 default x \b, type +>>>156 ubyte x '%c' +# name[100] +>0 string >\0 %-.60s +# mode mainly stored as an octal number in ASCII null or space terminated +>100 string >\0 \b, mode %-.7s +# user id mainly as octal numbers in ASCII null or space terminated +>108 string >\0 \b, uid %-.7s +# group id mainly as octal numbers in ASCII null or space terminated +>116 string >\0 \b, gid %-.7s +# size mainly as octal number in ASCII +>124 ubyte <0x38 +>>124 string >\0 \b, size %-.12s +# coding indicated by setting the high-order bit of the leftmost byte +>124 ubyte >0xEF \b, size 0x +>>124 ubyte !0xff \b%2.2x +>>125 ubyte !0xff \b%2.2x +>>126 ubyte !0xff \b%2.2x +>>127 ubyte !0xff \b%2.2x +>>128 ubyte !0xff \b%2.2x +>>129 ubyte !0xff \b%2.2x +>>130 ubyte !0xff \b%2.2x +>>131 ubyte !0xff \b%2.2x +>>132 ubyte !0xff \b%2.2x +>>133 ubyte !0xff \b%2.2x +>>134 ubyte !0xff \b%2.2x +>>135 ubyte !0xff \b%2.2x +# seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated +>136 string >\0 \b, seconds %-.11s +# header checksum stored as an octal number in ASCII null or space terminated +#>148 string x \b, cksum %.7s +# linkname[100] +>157 string >\0 \b, linkname %-.40s +# additional fields for ustar +>257 string =ustar +# owner user name null terminated +>>265 string >\0 \b, user %-.32s +# group name null terminated +>>297 string >\0 \b, group %-.32s +# device major minor if not zero +>>329 ubequad&0xCFCFCFCFcFcFcFdf !0 +>>>329 string x \b, devmaj %-.7s +>>337 ubequad&0xCFCFCFCFcFcFcFdf !0 +>>>337 string x \b, devmin %-.7s +# prefix[155] +>>345 string >\0 \b, prefix %-.155s +# old non ustar/POSIX tar +>257 string !ustar +>>508 string =tar\0 +# padding[255] in old star +>>>257 string >\0 \b, padding: %-.40s +>>508 default x +# padding[255] in old tar sometimes comment field +>>>257 string >\0 \b, comment: %-.40s +# Summary: Comic Book Archive *.CBT with TAR format +# URL: https://en.wikipedia.org/wiki/Comic_book_archive +# http://fileformats.archiveteam.org/wiki/Comic_Book_Archive +# Note: there exist also RAR, ZIP, ACE and 7Z packed variants +0 name tar-cbt +>0 string x Comic Book archive, tar archive +#!:mime application/x-tar +!:mime application/vnd.comicbook +#!:mime application/vnd.comicbook+tar +!:ext cbt +# name[100] probably like: 19.jpg 0001.png 0002.png +# or maybe like ComicInfo.xml +>0 string >\0 \b, 1st image %-.60s +# Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format +# http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml +# Note: called "Open Virtualization Format package" by TrID +# assuming *.ovf comes first +0 name tar-ova +>0 string x Open Virtualization Format Archive +#!:mime application/x-ustar +# http://extension.nirsoft.net/ova +!:mime application/x-virtualbox-ova +!:ext ova +# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf +>0 string >\0 \b, with %-.60s + +# Incremental snapshot gnu-tar format from: +# https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html +0 string GNU\ tar- GNU tar incremental snapshot data +>&0 regex [0-9]\\.[0-9]+-[0-9]+ version %s + +# cpio archives +# +# Yes, the top two "cpio archive" formats *are* supposed to just be "short". +# The idea is to indicate archives produced on machines with the same +# byte order as the machine running "file" with "cpio archive", and +# to indicate archives produced on machines with the opposite byte order +# from the machine running "file" with "byte-swapped cpio archive". +# +# The SVR4 "cpio(4)" hints that there are additional formats, but they +# are defined as "short"s; I think all the new formats are +# character-header formats and thus are strings, not numbers. +# URL: http://fileformats.archiveteam.org/wiki/Cpio +# https://en.wikipedia.org/wiki/Cpio +# Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt +# Update: Joerg Jenderek +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml +# Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635 +0 short 070707 +# skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry +>26 string >\0 cpio archive +!:mime application/x-cpio +# https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso +# boot/x86_64/loader/bootlogo +# message.cpi +!:ext /cpio/cpi +>>0 use cpio-bin +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml +# Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip +0 short 0143561 byte-swapped cpio archive +!:mime application/x-cpio # encoding: swapped +# https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio +!:ext cpio +>0 use cpio-bin-be +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml +# Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio +0 string 070707 ASCII cpio archive (pre-SVR4 or odc) +!:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012 +!:ext cpio/cpi/008/012 +# Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio +0 string 070701 ASCII cpio archive (SVR4 with no CRC) +!:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio +!:ext cpio +# Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio +0 string 070702 ASCII cpio archive (SVR4 with CRC) +!:mime application/x-cpio +# http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz +# https://telparia.com/fileFormatSamples/archive/cpio/pcmcia +!:ext /cpio +# display information of old binary cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio` +0 name cpio-bin +# c_dev; device number; WHAT IS THAT? +>2 uleshort x \b; device %u +# c_ino; truncated inode number; use `ls --inode` +>4 uleshort x \b, inode %u +# c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l` +>6 uleshort x \b, mode %o +# c_uid; numeric user id; use `ls --numeric-uid-gid` +>8 uleshort x \b, uid %u +# c_gid; numeric group id +>10 uleshort x \b, gid %u +# c_nlink; links to this file; directories at least 2 +>12 uleshort >1 \b, %u links +# c_rdev; device number for block and character entries; zero for all other entries by writers +# like 0x0440 for /dev/ttyS0 +>14 uleshort >0 \b, device %#4.4x +# c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first +>16 medate x \b, modified %s +# c_filesize[2]; size of pathname; most-significant 16 bits first like: 544 +>22 melong x \b, %u bytes +# c_namesize; bytes in the pathname that follows the header like: 9 +#>20 uleshort x \b, namesize %u +# pathname of entry like: "clam.exe" +>26 string x "%s" +# display information of old binary byte swapped cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio` +0 name cpio-bin-be +>2 ubeshort x \b; device %u +>4 ubeshort x \b, inode %u +>6 ubeshort x \b, mode %o +>8 ubeshort x \b, uid %u +>10 ubeshort x \b, gid %u +>12 ubeshort >1 \b, %u links +>14 ubeshort >0 \b, device %#4.4x +>16 bedate x \b, modified %s +>22 ubelong x \b, %u bytes +#>20 ubeshort x \b, namesize %u +>26 string x "%s" + +# +# Various archive formats used by various versions of the "ar" +# command. +# + +# +# Original UNIX archive formats. +# They were written with binary values in host byte order, and +# the magic number was a host "int", which might have been 16 bits +# or 32 bits. We don't say "PDP-11" or "VAX", as there might have +# been ports to little-endian 16-bit-int or 32-bit-int platforms +# (x86?) using some of those formats; if none existed, feel free +# to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian +# 32-bit. There might have been big-endian ports of that sort as +# well. +# +0 leshort 0177555 very old 16-bit-int little-endian archive +0 beshort 0177555 very old 16-bit-int big-endian archive +0 lelong 0177555 very old 32-bit-int little-endian archive +0 belong 0177555 very old 32-bit-int big-endian archive + +0 leshort 0177545 old 16-bit-int little-endian archive +>2 string __.SYMDEF random library +0 beshort 0177545 old 16-bit-int big-endian archive +>2 string __.SYMDEF random library +0 lelong 0177545 old 32-bit-int little-endian archive +>4 string __.SYMDEF random library +0 belong 0177545 old 32-bit-int big-endian archive +>4 string __.SYMDEF random library + +# +# From "pdp" (but why a 4-byte quantity?) +# +0 lelong 0x39bed PDP-11 old archive +0 lelong 0x39bee PDP-11 4.0 archive + +# +# XXX - what flavor of APL used this, and was it a variant of +# some ar archive format? It's similar to, but not the same +# as, the APL workspace magic numbers in pdp. +# +0 long 0100554 apl workspace + +# +# System V Release 1 portable(?) archive format. +# +0 string =<ar> System V Release 1 ar archive +!:mime application/x-archive + +# +# Debian package; it's in the portable archive format, and needs to go +# before the entry for regular portable archives, as it's recognized as +# a portable archive whose first member has a name beginning with +# "debian". +# +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Deb_(file_format) +0 string =!<arch>\ndebian +# https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html +>14 string -split part of multipart Debian package +!:mime application/vnd.debian.binary-package +# udeb is used for stripped down deb file +!:ext deb/udeb +>14 string -binary Debian binary package +!:mime application/vnd.debian.binary-package +# For ipk packager see also https://en.wikipedia.org/wiki/Opkg +!:ext deb/udeb/ipk +# This should not happen +>14 default x Unknown Debian package +# NL terminated version; for most Debian cases this is 2.0 or 2.1 for split +>68 string >\0 (format %s) +#>68 string !2.0\n +#>>68 string x (format %.3s) +>68 string =2.0\n +# 2nd archive name=control archive name like control.tar.gz or control.tar.xz +# or control.tar.zst +>>72 string >\0 \b, with %.15s +# look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma} +>>0 search/0x93e4f data.tar. \b, data compression +# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised +# for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb +>>>&0 string x %.2s +# skip space (0x20 BSD) and slash (0x2f System V) character marking end of name +>>>&2 ubyte !0x20 +>>>>&-1 ubyte !0x2f +# display 3rd character of file name extension like 2 of bz2 or m of lzma +>>>>>&-1 ubyte x \b%c +>>>>>>&0 ubyte !0x20 +>>>>>>>&-1 ubyte !0x2f +# display 4th character of file name extension like a of lzma +>>>>>>>>&-1 ubyte x \b%c +# split debian package case +>68 string =2.1\n +# dpkg-1.18.25/dpkg-split/info.c +# NL terminated ASCII package name like ckermit +>>&0 string x \b, %s +# NL terminated package version like 302-5.3 +>>>&1 string x %s +# NL terminated MD5 checksum +>>>>&1 string x \b, MD5 %s +# NL terminated original package length +>>>>>&1 string x \b, unsplitted size %s +# NL terminated part length +>>>>>>&1 string x \b, part length %s +# NL terminated package part like n/m +>>>>>>>&1 string x \b, part %s +# NL terminated package architecture like armhf since dpkg 1.16.1 or later +>>>>>>>>&1 string x \b, %s + +# +# MIPS archive; they're in the portable archive format, and need to go +# before the entry for regular portable archives, as it's recognized as +# a portable archive whose first member has a name beginning with +# "__________E". +# +0 string =!<arch>\n__________E MIPS archive +!:mime application/x-archive +>20 string U with MIPS Ucode members +>21 string L with MIPSEL members +>21 string B with MIPSEB members +>19 string L and an EL hash table +>19 string B and an EB hash table +>22 string X -- out of date + +# +# BSD/SVR2-and-later portable archive formats. +# +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/AR +# Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/ +# Note: Mach-O universal binary in ./cafebabe is dependent +# TODO: unify current ar archive, MIPS archive, Debian package +# distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR; +# *.ar packages from *.a libraries. handle empty archive +0 string =!<arch>\n current ar archive +# print first and possibly second ar_name[16] for debugging purpose +#>8 string x \b, 1st "%.16s" +#>68 string x \b, 2nd "%.16s" +!:mime application/x-archive +# a in most case for libraries; lib for Microsoft libraries; ar else cases +!:ext a/lib/ar +>8 string __.SYMDEF random library +# first member with long marked name __.SYMDEF SORTED implies BSD library +>68 string __.SYMDEF\ SORTED random library +# Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf +# "archive file" entry moved from ./hp +# LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture +# LST header a_magic 0619h~relocatable library +>68 belong 0x020b0619 - PA-RISC1.0 relocatable library +>68 belong 0x02100619 - PA-RISC1.1 relocatable library +>68 belong 0x02110619 - PA-RISC1.2 relocatable library +>68 belong 0x02140619 - PA-RISC2.0 relocatable library +#EOF for common ar archives + +# +# "Thin" archive, as can be produced by GNU ar. +# +0 string =!<thin>\n thin archive with +>68 belong 0 no symbol entries +>68 belong 1 %d symbol entry +>68 belong >1 %d symbol entries + +0 search/1 -h- Software Tools format archive text + +# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) +# +# The first byte is the magic (0x1a), byte 2 is the compression type for +# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS +# filename of the first file (null terminated). Since some types collide +# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), +# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. +0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000031a ARC archive data, packed +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched +!:mime application/x-arc +# [JW] stuff taken from idarc, obviously ARC successors: +0 lelong&0x8080ffff 0x00000a1a PAK archive data +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000141a ARC+ archive data +!:mime application/x-arc +0 lelong&0x8080ffff 0x0000481a HYP archive data +!:mime application/x-arc + +# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) +# I can't create either SPARK or ArcFS archives so I have not tested this stuff +# [GRR: the original entries collide with ARC, above; replaced with combined +# version (not tested)] +#0 byte 0x1a RISC OS archive (spark format) +0 string \032archive RISC OS archive (ArcFS format) +0 string Archive\000 RISC OS archive (ArcFS format) + +# All these were taken from idarc, many could not be verified. Unfortunately, +# there were many low-quality sigs, i.e. easy to trigger false positives. +# Please notify me of any real-world fishy/ambiguous signatures and I'll try +# to get my hands on the actual archiver and see if I find something better. [JW] +# probably many can be enhanced by finding some 0-byte or control char near the start + +# idarc calls this Crush/Uncompressed... *shrug* +0 string CRUSH Crush archive data +# Squeeze It (.sqz) +0 string HLSQZ Squeeze It archive data +# SQWEZ +0 string SQWEZ SQWEZ archive data +# HPack (.hpk) +0 string HPAK HPack archive data +# HAP +0 string \x91\x33HF HAP archive data +# MD/MDCD +0 string MDmd MDCD archive data +# LIM +0 string LIM\x1a LIM archive data +# SAR +3 string LH5 SAR archive data +# BSArc/BS2 +0 string \212\3SB\020\0 BSArc/BS2 archive data +# Bethesda Softworks Archive (Oblivion) +0 string BSA\0 BSArc archive data +>4 lelong x version %d +# MAR +2 string =-ah MAR archive data +# ACB +#0 belong&0x00f800ff 0x00800000 ACB archive data +# CPZ +# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data +# JRC +0 string JRchive JRC archive data +# Quantum +0 string DS\0 Quantum archive data +# ReSOF +0 string PK\3\6 ReSOF archive data +# QuArk +0 string 7\4 QuArk archive data +# YAC +14 string YC YAC archive data +# X1 +0 string X1 X1 archive data +0 string XhDr X1 archive data +# CDC Codec (.dqt) +0 belong&0xffffe000 0x76ff2000 CDC Codec archive data +# AMGC +0 string \xad6" AMGC archive data +# NuLIB +0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data +# PakLeo +0 string LEOLZW PAKLeo archive data +# ChArc +0 string SChF ChArc archive data +# PSA +0 string PSA PSA archive data +# CrossePAC +0 string DSIGDCC CrossePAC archive data +# Freeze +0 string \x1f\x9f\x4a\x10\x0a Freeze archive data +# KBoom +0 string \xc2\xa8MP\xc2\xa8 KBoom archive data +# NSQ, must go after CDC Codec +0 string \x76\xff NSQ archive data +# DPA +0 string Dirk\ Paehl DPA archive data +# BA +# TODO: idarc says "bytes 0-2 == bytes 3-5" +# TTComp +# URL: http://fileformats.archiveteam.org/wiki/TTComp_archive +# Update: Joerg Jenderek +# GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others +0 string \0\6 +# look for first keyword of Panorama database *.pan +>12 search/261 DESIGN +# skip keyword with low entropy +>12 default x +# skip DOS 2.0 backup id file, sequence 6 with many nils like BACKUPID_xx6.@@@ handled by ./msdos +>>8 quad !0 +>>>0 use ttcomp +# variant ASCII, 4K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? +0 string \1\6 +# TODO: +# skip VAX-order 68k Blit mpx/mux executable (strength=50) handled by ./blit +!:strength -2 +>0 use ttcomp +0 string \0\5 +# skip some DOS 2.0 backup id file, sequence 5 with many nils like BACKUPID_075.@@@ handled by ./msdos +>8 quad !0 +>>0 use ttcomp +0 string \1\5 +# TODO: +# variant ASCII, 2K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? +# skip ctab data (strength=50) handled by ./ibm6000 +# skip locale data table (strength=50) handled by ./digital +!:strength -2 +>0 use ttcomp +0 string \0\4 +# skip many Maple help database *.hdb with version tag handled by ./maple +>1028 string !version +# skip veclib maple.hdb by looking for Mable keyword +>>4 search/1091 Maple\040 +#>4 search/34090 Maple\040 +>>4 default x +# skip DOS 2.0-3.2 backed up sequence 4 with many nils like LOTUS5.RAR handled by ./msdos +# skip xBASE Compound Index file *.CDX with many nils +>>>0x54 quad !0 +>>>>0 use ttcomp +0 string \1\4 +# TODO: +# skip shared library (strength=50) handled by ./ibm6000 +!:strength -2 +# skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset) +#>-4 ubelong x LAST_BYTES=%8.8x +>-4 ubelong&0x00FFffFF !0 +>>0 use ttcomp +# display information of TTComp archive +0 name ttcomp +# (version 5.25) labeled the entry as "TTComp archive data" +>0 ubyte x TTComp archive data +!:mime application/x-compress-ttcomp +# PBACKSCR.PI1 +!:ext $xe/$ts/pi1/__d +# compression type: 0~binary compression 1~ASCII compression +>0 ubyte 0 \b, binary +>0 ubyte 1 \b, ASCII +# size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes +>1 ubyte 4 \b, 1K +>1 ubyte 5 \b, 2K +>1 ubyte 6 \b, 4K +>1 ubyte x dictionary +# https://mark0.net/forum/index.php?topic=848 +# last 3 bytes probably have only 8 possible bit sequences +# xxxxxxxx 0000000x 11111111 ____FFh +# xxxxxxxx 10000000 01111111 __807Fh +# 0xxxxxxx 11000000 00111111 __C03Fh +# 00xxxxxx 11100000 00011111 __E01Fh +# 000xxxxx 11110000 00001111 __F00Fh +# 0000xxxx 11111000 00000111 __F807h +# 00000xxx 11111100 00000011 __FC03h +# 000000xx 11111110 00000001 __FE01h +# but for quickgif.__d 0A7DD4h +#>-3 ubyte x \b, last 3 bytes 0x%2.2x +#>-2 ubeshort x \b%4.4x +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Disk_Copy +# reference: http://nulib.com/library/FTN.e00005.htm +0x52 ubeshort 0x0100 +# test for disk image size equal or above 400k +>0x40 ubelong >409599 +# test also for disk image size equal or below 1440k to skip +# windows7en.mbr UNICODE.DAT +#>>0x40 ubelong <1474561 +# test now for "low" disk image size equal or below 64 MiB to skip +# windows7en.mbr (B441BBAAh) UNICODE.DAT (0400AF05h) +>>0x40 ubelong <0x04000001 +# To skip Flags$StringJoiner.class with size 00106A61h test also for valid disk image sizes +# 00064000 for 400k GCR disks dc42-400k-gcr.trid.xml +# 000c8000 for 800k GCR disks dc42-800k-gcr.trid.xml +# 000b4000 for 720k MFM disks dc42-720k-mfm.trid.xml +# 00168000 for 1440k MFM disks dc42-1440k-mfm.trid.xml +# https://lisaem.sunder.net/LisaProjectDocs.txt +# 00500000 05M available +# 00A00000 10M available +# 01800000 24M possible +# 02000000 32M uncertain +# 04000000 64M uncertain +>>>0x40 ubelong&0xf8003fFF 0 +# skip samples with invalid disk name length like: +# 181 (biosmd80.rom) 202 (Flags$StringJoiner.class) 90 (UNICODE.DAT) +>>>>0x0 ubyte <64 +>>>>>0 use dc42-floppy +# display information of Apple DiskCopy 4.2 floppy image +0 name dc42-floppy +# disk name length; maximal 63 +#>0 ubyte x DISK NAME LENGTH %u +# ASCII image pascal (maximal 63 bytes) name padded with NULs like: +# "Microsoft Mail" "Disquette 2" "IIe Installer Disk" +# "-lisaem.sunder.net hd-" (dc42-lisaem.trid.xml) "-not a Macintosh disk" (dc42-nonmac.trid.xml) +>00 pstring/B x Apple DiskCopy 4.2 image %s +#!:mime application/octet-stream +!:mime application/x-dc42-floppy-image +!:apple dCpydImg +# probably also img like: "Utilitaires 2.img" "Installation 7.img" +!:ext image/dc42/img +# data size in bytes like: 409600 737280 819200 1474560 +>0x40 ubelong x \b, %u bytes +# for debugging purpose size in hexadecimal +#>0x40 ubelong x (%#8.8x) +# tag size in bytes like: 0 (often) 2580h (PUID fmt/625) 4B00h (Microsoft Mail.image) +>0x44 ubelong >0 \b, %#x tag size +# data checksum +#>0x48 ubelong x \b, %#x checksum +# tag checksum +#>0x4c ubelong x \b, %#x tag checksum +# disk encoding like: 0 1 2 3 (PUID: fmt/625) +>0x50 ubyte 0 \b, GCR CLV ssdd (400k) +>0x50 ubyte 1 \b, GCR CLV dsdd (800k) +>0x50 ubyte 2 \b, MFM CAV dsdd (720k) +>0x50 ubyte 3 \b, MFM CAV dshd (1440k) +>0x50 ubyte >3 \b, %#x encoding +# format byte like: 12h (Lisa 400K) 24h (400K Macintosh) 96h (800K Apple II disk) +# 2 (Mac 400k "Disquette Installation 13.image") +# 22h (double-sided MFM or Mac 800k "Disco 12.image" "IIe Installer Disk.image") +>0x51 ubyte x \b, %#x format +#>0x54 ubequad x \b, data %#16.16llx +# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? +0 string ESP ESP archive data +# ZPack +0 string \1ZPK\1 ZPack archive data +# Sky +0 string \xbc\x40 Sky archive data +# UFA +0 string UFA UFA archive data +# Dry +0 string =-H2O DRY archive data +# FoxSQZ +0 string FOXSQZ FoxSQZ archive data +# AR7 +0 string ,AR7 AR7 archive data +# PPMZ +0 string PPMZ PPMZ archive data +# MS Compress +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression +# Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html +# Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z +4 string \x88\xf0\x27 +# KWAJ variant +>0 string KWAJ MS Compress archive data, KWAJ variant +!:mime application/x-ms-compress-kwaj +# extension not working in version 5.32 +# magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?' +# file: line 284: Bad magic entry ' ??_' +!:ext ??_ +# compression method (0-4) +>>8 uleshort x \b, %u method +# offset of compressed data +>>10 uleshort x \b, %#x offset +#>>(10.s) uleshort x +#>>>&-6 string x \b, TEST extension %-.3s +# header flags to mark header extensions +>>12 uleshort >0 \b, %#x flags +# 4 bytes: decompressed length of file +>>12 uleshort &0x01 +>>>14 ulelong x \b, original size: %u bytes +# 2 bytes: unknown purpose +# 2 bytes: length of unknown data + mentioned bytes +# 1-9 bytes: null-terminated file name +# 1-4 bytes: null-terminated file extension +>>12 uleshort &0x08 +>>>12 uleshort ^0x01 +>>>>12 uleshort ^0x02 +>>>>>12 uleshort ^0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>14 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>14 string x \b, %-.8s +>>>>>>>>&1 string x \b.%-.3s +>>>>>12 uleshort &0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>(14.s) uleshort x +>>>>>>>>&14 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>(14.s) uleshort x +>>>>>>>>&14 string x \b, %-.8s +>>>>>>>>>&1 string x \b.%-.3s +>>>>12 uleshort &0x02 +>>>>>12 uleshort ^0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>16 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>16 string x \b, %-.8s +>>>>>>>>&1 string x \b.%-.3s +>>>>>12 uleshort &0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>(16.s) uleshort x +>>>>>>>>&16 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>(16.s) uleshort x +>>>>>>>&16 string x %-.8s +>>>>>>>>&1 string x \b.%-.3s +>>>12 uleshort &0x01 +>>>>12 uleshort ^0x02 +>>>>>12 uleshort ^0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>18 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>18 string x \b, %-.8s +>>>>>>>>&1 string x \b.%-.3s +>>>>>12 uleshort &0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>(18.s) uleshort x +>>>>>>>>&18 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>(18.s) uleshort x +>>>>>>>>&18 string x \b, %-.8s +>>>>>>>>>&1 string x \b.%-.3s +>>>>12 uleshort &0x02 +>>>>>12 uleshort ^0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>20 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>20 string x \b, %-.8s +>>>>>>>>&1 string x \b.%-.3s +>>>>>12 uleshort &0x04 +>>>>>>12 uleshort ^0x10 +>>>>>>>(20.s) uleshort x +>>>>>>>>&20 string x \b, %-.8s +>>>>>>12 uleshort &0x10 +>>>>>>>(20.s) uleshort x +>>>>>>>>&20 string x \b, %-.8s +>>>>>>>>>&1 string x \b.%-.3s +# 2 bytes: length of data + mentioned bytes +# +# SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ +# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression +# Reference: http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html +# http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml +# Note: called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID +# verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ +# `deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura" +>0 string SZDD MS Compress archive data, SZDD variant +# 2nd part of signature +#>>4 ubelong 0x88F02733 \b, SIGNATURE OK +!:mime application/x-ms-compress-szdd +!:ext ??_ +# The character missing from the end of the filename (0=unknown) +>>9 string >\0 \b, %-.1s is last character of original name +# https://www.betaarchive.com/forum/viewtopic.php?t=26161 +# Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e +>>8 string !A \b, %-.1s method +>>10 ulelong >0 \b, original size: %u bytes +# Summary: InstallShield archive with SZDD compressed +# URL: https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647 +# From: Joerg Jenderek +1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive +#!:mime application/octet-stream +!:mime application/x-installshield-compress-szdd +!:ext ibt +# name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_ +>0 string x %s +# name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL +>>&1 string x (%s) +# probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618 +>>>&1 string x \b, version %s +# SZDD member length like: 168048 169333 181842 +>>>>&1 string x \b, %s bytes +# MS Compress archive data +#>&0 string SZDD \b, SIGNATURE FOUND +>&0 indirect x +# QBasic SZDD variant +3 string \x88\xf0\x27 +>0 string SZ\x20 MS Compress archive data, QBasic variant +!:mime application/x-ms-compress-sz +!:ext ??$ +>>8 ulelong >0 \b, original size: %u bytes + +# Summary: lzss compressed/EDI Pack +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file +# Note: called "EDI Install LZS compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1" +0 string EDILZSS +>7 string 1 +# look for point character before orginal file name extension +>>8 search/9/b . +# check suffix of possible orginal file anme +#>>>&0 ubelong x SUFFIX=%8.8x +# samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS +>>>&0 ubyte <0x20 +>>>>0 use edi-lzs +# samples with valid character after point in original file name field +>>>&0 ubyte >0x1F +# check 2nd charcter of suffix +#>>>>&0 ubyte x 2ND_SUFFIX=%x +# sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$ +>>>>&0 ubyte =0 +>>>>>0 use edi-pack +>>>>&0 ubyte >0x1F +# check 3rd charcter of suffix +#>>>>>&0 ubyte x 3RD_SUFFIX=%x +# no sample with 2 valid characters after point followed by \0 in original file name field +>>>>>&0 ubyte =0 +>>>>>>0 use edi-pack +# samples with valid 3rd character after point in original file name field +>>>>>&0 ubyte >0x1F +# sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$ +>>>>>>&0 ubyte =0 +>>>>>>>0 use edi-pack +# sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS +>>>>>>&0 ubyte !0 +>>>>>>>0 use edi-lzs +# no sample with invalid 3rd character after point in original file name field +>>>>>&0 default x +>>>>>>0 use edi-lzs +# sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS +>>>>&0 default x +>>>>>0 use edi-lzs +# sample without point character in original file name field like GUNSHOT.LZS +>>8 default x +>>>0 use edi-lzs +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml +# Note: called "EDI Install Pro LZSS2 compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2" +>7 string 2 EDI LZSS2 packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/??_ +# original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx +>>8 string x "%-0.13s" +# original file size, as a 4-byte integer. +>>21 ulelong x \b, %u bytes +# compressed data like: ff5249464606ec00 ff4d5aa601010000 +>>>25 ubequad x \b, data %#16.16llx... +0 name edi-pack +# Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1" +# original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe +# but not like \377Aloe.lzs\273 (HERBTEXT.LZS) +>8 string x EDI LZSS packed "%-.13s" +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/?$ +# compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c +>21 ubequad x \b, data %#16.16llx... +# URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib +# Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib" +0 name edi-lzs +# Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib" +# no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273 +>8 string x EDI LZSSLib packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# The name of a compressed file ends with LZS suffix +!:ext lzs +# compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a +>8 ubequad x \b, data %#16.16llx... + +# Summary: CAZIP compressed file +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CAZIP +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/caz.trid.xml +# Note: Format is distinct from CAZIPXP compressed +0 string \x0D\x0A\x1ACAZIP CAZIP compressed file +#!:mime application/octet-stream +!:mime application/x-compress-cazip +# like: BLINKER.WR_ CLIPDEFS._ CAOSETUP.EX_ CLIPPER.EX_ FILEIO.C_ +!:ext ??_/?_/_ + +# Summary: FTCOMP compressed archive +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/FTCOMP +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ftcomp.trid.xml +# Note: called by TrID "FTCOMP compressed archive" +# extracted by `unpack seahelp.hl_` +24 string/b FTCOMP FTCOMP compressed archive +#!:mime application/octet-stream +!:mime application/x-compress-ftcomp +!:ext ??_/??@/dll/drv/pk2/ +# probably A596FDFF magic at the beginning +>0 ubelong !0xA596FDFF \b, at beginning %#x +# probably original file name with directory like: \OS2\unpack.exe \SYSTEM\8514.DRV MAHJONGG.EXE +>41 string x "%s" + +# MP3 (archiver, not lossy audio compression) +0 string MP3\x1a MP3-Archiver archive data +# ZET +0 string OZ\xc3\x9d ZET archive data +# TSComp +0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data +# ARQ +0 string gW\4\1 ARQ archive data +# Squash +3 string OctSqu Squash archive data +# Terse +0 string \5\1\1\0 Terse archive data +# UHarc +0 string UHA UHarc archive data +# ABComp +0 string \2AB ABComp archive data +0 string \3AB2 ABComp archive data +# CMP +0 string CO\0 CMP archive data +# Splint +0 string \x93\xb9\x06 Splint archive data +# InstallShield +0 string \x13\x5d\x65\x8c InstallShield Z archive Data +# Gather +1 string GTH Gather archive data +# BOA +0 string BOA BOA archive data +# RAX +0 string ULEB\xa RAX archive data +# Xtreme +0 string ULEB\0 Xtreme archive data +# Pack Magic +0 string @\xc3\xa2\1\0 Pack Magic archive data +# BTS +0 belong&0xfeffffff 0x1a034465 BTS archive data +# ELI 5750 +0 string Ora\ ELI 5750 archive data +# QFC +0 string \x1aFC\x1a QFC archive data +0 string \x1aQF\x1a QFC archive data +# PRO-PACK https://www.segaretro.org/Rob_Northen_compression +0 string RNC +>3 byte 1 PRO-PACK archive data (compression 1) +>3 byte 2 PRO-PACK archive data (compression 2) +# 777 +0 string 777 777 archive data +# LZS221 +0 string sTaC LZS221 archive data +# HPA +0 string HPA HPA archive data +# Arhangel +0 string LG Arhangel archive data +# EXP1, uses bzip2 +0 string 0123456789012345BZh EXP1 archive data +# IMP +0 string IMP\xa IMP archive data +# NRV +0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data +# Squish +0 string \x73\xb2\x90\xf4 Squish archive data +# Par +0 string PHILIPP Par archive data +0 string PAR Par archive data +# HIT +0 string UB HIT archive data +# SBX +0 belong&0xfffff000 0x53423000 SBX archive data +# NaShrink +0 string NSK NaShrink archive data +# SAPCAR +0 string #\ CAR\ archive\ header SAPCAR archive data +0 string CAR\ 2.00 SAPCAR archive data +0 string CAR\ 2.01 SAPCAR archive data +#!:mime application/octet-stream +!:mime application/vnd.sar +!:ext sar +# Disintegrator +0 string DST Disintegrator archive data +# ASD +0 string ASD ASD archive data +# InstallShield CAB +# Update: Joerg Jenderek at Nov 2021 +# URL: https://en.wikipedia.org/wiki/InstallShield +# Reference: https://github.com/twogood/unshield/blob/master/lib/cabfile.h +# Note: Not compatible with Microsoft CAB files +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield.trid.xml +# CAB_SIGNATURE 0x28635349 +0 string ISc( InstallShield +#!:mime application/octet-stream +!:mime application/x-installshield +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield-hdr.trid.xml +>16 ulelong !0 setup header +# like: _SYS1.HDR _USER1.HDR data1.hdr +!:ext hdr +>16 ulelong =0 CAB +# like: _SYS1.CAB _USER1.CAB DATA1.CAB data2.cab +!:ext cab +# https://github.com/twogood/unshield/blob/master/lib/helper.c +# version like: 0x1005201 0x100600c 0x1007000 0x1009500 +# 0x2000578 0x20005dc 0x2000640 0x40007d0 0x4000834 +>4 ulelong x \b, version %#x +# volume_info like: 0 +>8 ulelong !0 \b, volume_info %#x +# cab_descriptor_offset like: 0x200 +>12 ulelong !0x200 \b, offset %#x +#>0x200 ubequad x \b, at 0x200 %#16.16llx +# cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2 +>16 ulelong !0 \b, descriptor size %#x +# TOP4 +0 string T4\x1a TOP4 archive data +# BatComp left out: sig looks like COM executable +# so TODO: get real 4dos batcomp file and find sig +# BlakHole +0 string BH\5\7 BlakHole archive data +# BIX +0 string BIX0 BIX archive data +# ChiefLZA +0 string ChfLZ ChiefLZA archive data +# Blink +0 string Blink Blink archive data +# Logitech Compress +0 string \xda\xfa Logitech Compress archive data +# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) +1 string (C)\ STEPANYUK ARS-Sfx archive data +# AKT/AKT32 +0 string AKT32 AKT32 archive data +0 string AKT AKT archive data +# NPack +0 string MSTSM NPack archive data +# PFT +0 string \0\x50\0\x14 PFT archive data +# SemOne +0 string SEM SemOne archive data +# PPMD +0 string \x8f\xaf\xac\x84 PPMD archive data +# FIZ +0 string FIZ FIZ archive data +# MSXiE +0 belong&0xfffff0f0 0x4d530000 MSXiE archive data +# DeepFreezer +0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data +# DC +0 string =<DC- DC archive data +# TPac +0 string \4TPAC\3 TPac archive data +# Ai +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver +0 string Ai\1\1\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +0 string Ai\1\0\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# Ai32 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml +# Note: called "Ai Archivator compressed archive" by TrID +0 string Ai\2\0 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# according to TrID the next 3 bytes are nil +>5 ubyte !0 \b, at 5 %#x +>6 ubyte !0 \b, at 6 %#x +>7 ubyte !0 \b, at 7 %#x +# the fourth byte with value 0 is probably a flag for "non solid" mode +#>3 ubyte =0x00 \b, unsolid mode +0 string Ai\2\1 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default +>3 ubyte =0x01 \b, solid mode +# SBC +0 string SBC SBC archive data +# Ybs +0 string YBS Ybs archive data +# DitPack +0 string \x9e\0\0 DitPack archive data +# DMS +0 string DMS! DMS archive data +# EPC +0 string \x8f\xaf\xac\x8c EPC archive data +# VSARC +0 string VS\x1a VSARC archive data +# PDZ +0 string PDZ PDZ archive data +# ReDuq +0 string rdqx ReDuq archive data +# GCA +0 string GCAX GCA archive data +# PPMN +0 string pN PPMN archive data +# WinImage +3 string WINIMAGE WinImage archive data +# Compressia +0 string CMP0CMP Compressia archive data +# UHBC +0 string UHB UHBC archive data +# WinHKI +0 string \x61\x5C\x04\x05 WinHKI archive data +# WWPack data file +0 string WWP WWPack archive data +# BSN (BSA, PTS-DOS) +0 string \xffBSG BSN archive data +1 string \xffBSG BSN archive data +3 string \xffBSG BSN archive data +1 string \0\xae\2 BSN archive data +1 string \0\xae\3 BSN archive data +1 string \0\xae\7 BSN archive data +# AIN +0 string \x33\x18 AIN archive data +0 string \x33\x17 AIN archive data +# XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015 +# SZip (TODO: doesn't catch all versions) +0 string SZ\x0a\4 SZip archive data +# XPack DiskImage +# *.XDI updated by Joerg Jenderek Sep 2015 +# ftp://ftp.sac.sk/pub/sac/pack/0index.txt +# GRR: this test is still too general as it catches also text files starting with jm +0 string jm +# only found examples with this additional characteristic 2 bytes +>2 string \x2\x4 Xpack DiskImage archive data +#!:ext xdi +# XPack Data +# *.xpa updated by Joerg Jenderek Sep 2015 +# ftp://ftp.elf.stuba.sk/pub/pc/pack/ +0 string xpa XPA +!:ext xpa +# XPA32 +# ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip +# created by XPA32.EXE version 1.0.2 for Windows +>0 string xpa\0\1 \b32 archive data +# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 +>3 ubeshort !0x0001 \bck archive data +# XPack Single Data +# changed by Joerg Jenderek Sep 2015 back to like in version 5.12 +# letter 'I'+ acute accent is equivalent to \xcd +0 string \xcd\ jm Xpack single archive data +#!:mime application/x-xpa-compressed +!:ext xpa + +# TODO: missing due to unknown magic/magic at end of file: +#DWC +#ARG +#ZAR +#PC/3270 +#InstallIt +#RKive +#RK +#XPack Diskimage + +# These were inspired by idarc, but actually verified +# Dzip archiver (.dz) +# Update: Joerg Jenderek +# URL: http://speeddemosarchive.com/dzip/ +# reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c +# GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt +0 string DZ +# latest version is 2.9 dated 7 may 2003 +>2 byte <4 Dzip archive data +!:mime application/x-dzip +!:ext dz +>>2 byte x \b, version %i +>>3 byte x \b.%i +>>4 ulelong x \b, offset %#x +>>8 ulelong x \b, %u files +# ZZip archiver (.zz) +0 string ZZ\ \0\0 ZZip archive data +0 string ZZ0 ZZip archive data +# PAQ archiver (.paq) +0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data +0 string PAQ PAQ archive data +>3 byte&0xf0 0x30 +>>3 byte x (v%c) +# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JAR_(ARJ_Software) +# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jar.trid.xml +# https://www.sac.sk/download/pack/jar102x.exe/TECHNOTE.DOC +# Note: called "JAR compressed archive" by TrID +0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data +#!:mime application/octet-stream +!:mime application/x-compress-j +>0 ulelong x \b, CRC32 %#x +# standard suffix is ".j"; for multi volumes following order j01 j02 ... j99 100 ... 990 +!:ext j/j01/j02 +# URL: http://fileformats.archiveteam.org/wiki/JARCS +# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jarcs.trid.xml +# Note: called "JARCS compressed archive" by TrID +0 string JARCS JAR (ARJ Software, Inc.) archive data +#!:mime application/octet-stream +!:mime application/x-compress-jar +!:ext jar + +# ARJ archiver (jason@jarthur.Claremont.EDU) +# URL: http://fileformats.archiveteam.org/wiki/ARJ +# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-arj.trid.xml +# https://github.com/FarGroup/FarManager/ +# blob/master/plugins/multiarc/arc.doc/arj.txt +# Note: called "ARJ compressed archive" by TrID and +# "ARJ File Format" by DROID via PUID fmt/610 +# verified by `7z l -tarj PHRACK1.ARJ` and +# `arj.exe l TEST-hk9.ARJ` +0 leshort 0xea60 +# skip DROID fmt-610-signature-id-946.arj by check for valid file type of main header +>0xA ubyte 2 +>>0 use arj-archive +0 name arj-archive +>0 leshort x ARJ archive +!:mime application/x-arj +# look for terminating 0-character of filename +>0x26 search/1024 \0 +# file name extension is normally .arj but not for parts of multi volume +#>>&-5 string x extension %.4s +>>&-5 string/c .arj data +!:ext arj +>>&-5 default x +# for multi volume first name is archive.arj then following parts archive.a01 archive.a02 ... +>>>8 byte &0x04 data +!:ext a01/a02 +# for SFX first name is archive.exe then following parts archive.e01 archive.e02 ... +>>>8 byte ^0x04 data, SFX multi-volume +!:ext e01/e02 +# basic header size like: 0x002b 0x002c 0x04e0 0x04e3 0x04e7 +#>2 uleshort x basic header size %#4.4x +# next fragment content like: 0x0a200a003a8fc713 0x524a000010bb3471 0x524a0000c73c70f9 +#>(2.s) ubequad x NEXT FRAGMENT CONTENT %#16.16llx +# first_hdr_size; seems to be same as basic header size +#>2 uleshort x 1st header size %#x +# archiver version number like: 3 4 6 11 102 +>5 byte x \b, v%d +# minimum archiver version to extract like: 1 +>6 ubyte !1 \b, minimum %u to extract +# FOR DEBUGGING +#>8 byte x \b, FLAGS %#x +# GARBLED_FLAG1; garble with password; g switch +>8 byte &0x01 \b, password-protected +# encryption version: 0~old 1~old 2~new 3~reserved 4~40 bit key GOST +>>0x20 ubyte x (v%u) +#>8 byte &0x02 \b, secured +# ANSIPAGE_FLAG; indicates ANSI codepage used by ARJ32; hy switch +>8 byte &0x02 \b, ANSI codepage +# VOLUME_FLAG indicates presence of succeeding volume; but apparently not for SFX +>8 byte &0x04 \b, multi-volume +#>8 byte &0x08 \b, file-offset +# ARJPROT_FLAG; build with data protection record; hk switch +>8 byte &0x08 \b, recoverable +# arj protection factor; maximal 10; switch hky -> factor=y+1 +>>0x22 byte x (factor %u) +>8 byte &0x10 \b, slash-switched +# BACKUP_FLAG; obsolete +>8 byte &0x20 \b, backup +# SECURED_FLAG; +>8 byte &0x40 \b, secured, +# ALTNAME_FLAG; indicates dual-name archive +>8 byte &0x80 \b, dual-name +# security version; 0~old 2~current +>9 ubyte !0 +>>9 ubyte !2 \b, security version %u +# file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel +>0xA ubyte !2 \b, file type %u +# date+time when original archive was created in MS-DOS format via ./msdos +>0xC ulelong x \b, created +>0xC use dos-date +# or date and time by new internal function +#>0xE lemsdosdate x %s +#>0xC lemsdostime x %s +# FOR DEBUGGING +#>0x12 uleshort x RAW DATE %#4.4x +#>0x10 uleshort x RAW TIME %#4.4x +# date+time when archive was last modified; sometimes nil or +# maybe wrong like in HP4DRVR.ARJ +#>0x10 ulelong >0 \b, modified +#>>0x10 use dos-date +# or date and time by new internal function +#>>0x12 lemsdosdate x %s +#>>0x10 lemsdostime x %s +# archive size (currently used only for secured archives); MAYBE? +#>0x14 ulelong !0 \b, file size %u +# security envelope file position; MAYBE? +#>0x18 ulelong !0 \b, at %#x security envelope +# filespec position in filename; WHAT IS THAT? +#>0x1C uleshort >0 \b, filespec position %#x +# length in bytes of security envelope data like: 2CAh 301h 364h 471h +>0x1E uleshort !0 \b, security envelope length %#x +# last chapter like: 0 1 +>0x21 ubyte !0 \b, last chapter %u +# filename (null-terminated string); sometimes at 0x26 when 4 bytes for extra data +>34 byte x \b, original name: +# with extras data +>34 byte <0x0B +>>38 string x %s +# without extras data +>34 byte >0x0A +>>34 string x %s +# host OS: 0~MSDOS ... 11~WIN32 +>7 byte 0 \b, os: MS-DOS +>7 byte 1 \b, os: PRIMOS +>7 byte 2 \b, os: Unix +>7 byte 3 \b, os: Amiga +>7 byte 4 \b, os: Macintosh +>7 byte 5 \b, os: OS/2 +>7 byte 6 \b, os: Apple ][ GS +>7 byte 7 \b, os: Atari ST +>7 byte 8 \b, os: NeXT +>7 byte 9 \b, os: VAX/VMS +>7 byte 10 \b, os: WIN95 +>7 byte 11 \b, os: WIN32 +# [JW] idarc says this is also possible +2 leshort 0xea60 ARJ archive data +#2 leshort 0xea60 +#>2 use arj-archive + +# HA archiver (Greg Roelofs, newt@uchicago.edu) +# This is a really bad format. A file containing HAWAII will match this... +#0 string HA HA archive data, +#>2 leshort =1 1 file, +#>2 leshort >1 %hu files, +#>4 byte&0x0f =0 first is type CPY +#>4 byte&0x0f =1 first is type ASC +#>4 byte&0x0f =2 first is type HSC +#>4 byte&0x0f =0x0e first is type DIR +#>4 byte&0x0f =0x0f first is type SPECIAL +# suggestion: at least identify small archives (<1024 files) +0 belong&0xffff00fc 0x48410000 HA archive data +>2 leshort =1 1 file, +>2 leshort >1 %u files, +>4 byte&0x0f =0 first is type CPY +>4 byte&0x0f =1 first is type ASC +>4 byte&0x0f =2 first is type HSC +>4 byte&0x0f =0x0e first is type DIR +>4 byte&0x0f =0x0f first is type SPECIAL + +# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) +0 string HPAK HPACK archive data + +# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net +0 string \351,\001JAM\ JAM archive, +>7 string >\0 version %.4s +>0x26 byte =0x27 - +>>0x2b string >\0 label %.11s, +>>0x27 lelong x serial %08x, +>>0x36 string >\0 fstype %.8s + +# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/LHA_(file_format) +# Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html +# +# check and display information of lharc (LHa,PMarc) file +0 name lharc-file +# check 1st character of method id like -lz4- -lh5- or -pm2- +>2 string - +# check 5th character of method id +>>6 string - +# check header level 0 1 2 3 +>>>20 ubyte <4 +# check 2nd, 3th and 4th character of method id +>>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b +!:mime application/x-lzh-compressed +# creator type "LHA " +!:apple ????LHA +# display archive type name like "LHa/LZS archive data" or "LArc archive" +>>>>>2 string -lz \b +!:ext lzs +# already known -lzs- -lz4- -lz5- with old names +>>>>>>2 string -lzs LHa/LZS archive data +>>>>>>3 regex \^lz[45] LHarc 1.x archive data +# missing -lz?- with wikipedia names +>>>>>>3 regex \^lz[2378] LArc archive +# display archive type name like "LHa (2.x) archive data" +>>>>>2 string -lh \b +# already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names +>>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data +# LHice archiver use ".ICE" as name extension instead usual one ".lzh" +# FOOBAR archiver use ".foo" as name extension instead usual one +# "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment +>>>>>>>2 string -lh1 \b +!:ext lha/lzh/ice +>>>>>>3 regex \^lh[23d] LHa 2.x? archive data +>>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data +>>>>>>3 regex \^lh[456] LHa (2.x) archive data +>>>>>>>2 string -lh5 \b +# https://en.wikipedia.org/wiki/BIOS +# Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like +# bios.rom , kd7_v14.bin, 1010.004, ... +!:ext lha/lzh/rom/bin +# missing -lh?- variants (Joe Jared) +>>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive +# UNLHA32 2.67a +>>>>>>2 string -lhx LHa (UNLHA32) archive +# lha archives with standard file name extensions ".lha" ".lzh" +>>>>>>3 regex !\^(lh1|lh5) \b +!:ext lha/lzh +# this should not happen if all -lh variants are described +>>>>>>2 default x LHa (unknown) archive +#!:ext lha +# PMarc +>>>>>3 regex \^pm[012] PMarc archive data +!:ext pma +# append method id without leading and trailing minus character +>>>>>3 string x [%3.3s] +>>>>>>0 use lharc-header +# +# check and display information of lharc header +0 name lharc-header +# header size 0x4 , 0x1b-0x61 +>0 ubyte x +# compressed data size != compressed file size +#>7 ulelong x \b, data size %d +# attribute: 0x2~?? 0x10~symlink|target 0x20~normal +#>19 ubyte x \b, 19_%#x +# level identifier 0 1 2 3 +#>20 ubyte x \b, level %d +# time stamp +#>15 ubelong x DATE %#8.8x +# OS ID for level 1 +>20 ubyte 1 +# 0x20 types find for *.rom files +>>(21.b+24) ubyte <0x21 \b, %#x OS +# ascii type like M for MSDOS +>>(21.b+24) ubyte >0x20 \b, '%c' OS +# OS ID for level 2 +>20 ubyte 2 +#>>23 ubyte x \b, OS ID %#x +>>23 ubyte <0x21 \b, %#x OS +>>23 ubyte >0x20 \b, '%c' OS +# filename only for level 0 and 1 +>20 ubyte <2 +# length of filename +>>21 ubyte >0 \b, with +# filename +>>>21 pstring x "%s" +# +#2 string -lh0- LHarc 1.x/ARX archive data [lh0] +#!:mime application/x-lharc +2 string -lh0- +>0 use lharc-file +#2 string -lh1- LHarc 1.x/ARX archive data [lh1] +#!:mime application/x-lharc +2 string -lh1- +>0 use lharc-file +# NEW -lz2- ... -lz8- +2 string -lz2- +>0 use lharc-file +2 string -lz3- +>0 use lharc-file +2 string -lz4- +>0 use lharc-file +2 string -lz5- +>0 use lharc-file +2 string -lz7- +>0 use lharc-file +2 string -lz8- +>0 use lharc-file +# [never seen any but the last; -lh4- reported in comp.compression:] +#2 string -lzs- LHa/LZS archive data [lzs] +2 string -lzs- +>0 use lharc-file +# According to wikipedia and others such a version does not exist +#2 string -lh\40- LHa 2.x? archive data [lh ] +#2 string -lhd- LHa 2.x? archive data [lhd] +2 string -lhd- +>0 use lharc-file +#2 string -lh2- LHa 2.x? archive data [lh2] +2 string -lh2- +>0 use lharc-file +#2 string -lh3- LHa 2.x? archive data [lh3] +2 string -lh3- +>0 use lharc-file +#2 string -lh4- LHa (2.x) archive data [lh4] +2 string -lh4- +>0 use lharc-file +#2 string -lh5- LHa (2.x) archive data [lh5] +2 string -lh5- +>0 use lharc-file +#2 string -lh6- LHa (2.x) archive data [lh6] +2 string -lh6- +>0 use lharc-file +#2 string -lh7- LHa (2.x)/LHark archive data [lh7] +2 string -lh7- +# !:mime application/x-lha +# >20 byte x - header level %d +>0 use lharc-file +# NEW -lh8- ... -lhe- , -lhx- +2 string -lh8- +>0 use lharc-file +2 string -lh9- +>0 use lharc-file +2 string -lha- +>0 use lharc-file +2 string -lhb- +>0 use lharc-file +2 string -lhc- +>0 use lharc-file +2 string -lhe- +>0 use lharc-file +2 string -lhx- +>0 use lharc-file +# taken from idarc [JW] +2 string -lZ PUT archive data +# already done by LHarc magics +# this should never happen if all sub types of LZS archive are identified +#2 string -lz LZS archive data +2 string -sw1- Swag archive data + +0 name rar-file-header +>24 byte 15 \b, v1.5 +>24 byte 20 \b, v2.0 +>24 byte 29 \b, v4 +>15 byte 0 \b, os: MS-DOS +>15 byte 1 \b, os: OS/2 +>15 byte 2 \b, os: Win32 +>15 byte 3 \b, os: Unix +>15 byte 4 \b, os: Mac OS +>15 byte 5 \b, os: BeOS + +0 name rar-archive-header +>3 leshort&0x1ff >0 \b, flags: +>>3 leshort &0x01 ArchiveVolume +>>3 leshort &0x02 Commented +>>3 leshort &0x04 Locked +>>3 leshort &0x10 NewVolumeNaming +>>3 leshort &0x08 Solid +>>3 leshort &0x20 Authenticated +>>3 leshort &0x40 RecoveryRecordPresent +>>3 leshort &0x80 EncryptedBlockHeader +>>3 leshort &0x100 FirstVolume + +# RAR (Roshal Archive) archive +0 string Rar!\x1a\7\0 RAR archive data +!:mime application/x-rar +!:ext rar/cbr +# file header +>(0xc.l+9) byte 0x74 +>>(0xc.l+7) use rar-file-header +# subblock seems to share information with file header +>(0xc.l+9) byte 0x7a +>>(0xc.l+7) use rar-file-header +>9 byte 0x73 +>>7 use rar-archive-header + +0 string Rar!\x1a\7\1\0 RAR archive data, v5 +!:mime application/x-rar +!:ext rar + +# Very old RAR archive +# https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf +0 string RE\x7e\x5e RAR archive data (<v1.5) +!:mime application/x-rar +!:ext rar/cbr + +# SQUISH archiver (Greg Roelofs, newt@uchicago.edu) +0 string SQSH squished archive data (Acorn RISCOS) + +# UC2 archiver (Greg Roelofs, newt@uchicago.edu) +# [JW] see exe section for self-extracting version +0 string UC2\x1a UC2 archive data + +# PKZIP multi-volume archive +0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract +!:mime application/zip +!:ext zip/cbz + +# Android APK file (Zip archive) +0 string PK\003\004 +!:strength +1 +# Starts with AndroidManifest.xml (file name length = 19) +>26 uleshort 19 +>>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/com/android/build/gradle/app-metadata.properties +>26 uleshort 57 +>>30 string META-INF/com/android/build/gradle/ +>>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with classes.dex (file name length = 11) +>26 uleshort 11 +>>30 string classes.dex Android package (APK), with classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/MANIFEST.MF (file name length = 20) +# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files +>26 uleshort 20 +>>30 string META-INF/MANIFEST.MF +# Contains resources.arsc (near the end, in the central directory) +>>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>-22 string PK\005\006 +>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>>-22 string PK\005\006 +>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar +# Starts with zipflinger virtual entry (28 + 104 = 132 bytes) +# See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 +>4 string \x00\x00\x00\x00\x00\x00 +>>&0 string \x21\x08\x21\x02 +>>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +>>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# APK Signing Block +>0 default x +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + +# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +0 string PK\005\006 Zip archive data (empty) +!:mime application/zip +!:ext zip/cbz +!:strength +1 +0 string PK\003\004 +!:strength +1 + +# Specialised zip formats which start with a member named 'mimetype' +# (stored uncompressed, with no 'extra field') containing the file's MIME type. +# Check for have 8-byte name, 0-byte extra field, name "mimetype", and +# contents starting with "application/": +>26 string \x8\0\0\0mimetypeapplication/ + +# KOffice / OpenOffice & StarOffice / OpenDocument formats +# From: Abel Cheung <abel@oaka.org> + +# KOffice (1.2 or above) formats +# (mimetype contains "application/vnd.kde.<SUBTYPE>") +>>50 string vnd.kde. KOffice (>=1.2) +>>>58 string karbon Karbon document +>>>58 string kchart KChart document +>>>58 string kformula KFormula document +>>>58 string kivio Kivio document +>>>58 string kontour Kontour document +>>>58 string kpresenter KPresenter document +>>>58 string kspread KSpread document +>>>58 string kword KWord document + +# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) +# (mimetype contains "application/vnd.sun.xml.<SUBTYPE>") +# URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML +# reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML +>>50 string vnd.sun.xml. OpenOffice.org 1.x +>>>62 string writer Writer +>>>>68 byte !0x2e document +!:mime application/vnd.sun.xml.writer +!:ext sxw +>>>>68 string .template template +!:mime application/vnd.sun.xml.writer.template +!:ext stw +>>>>68 string .web Web template +!:mime application/vnd.sun.xml.writer.web +!:ext stw +>>>>68 string .global global document +!:mime application/vnd.sun.xml.writer.global +!:ext sxg +>>>62 string calc Calc +>>>>66 byte !0x2e spreadsheet +!:mime application/vnd.sun.xml.calc +!:ext sxc +>>>>66 string .template template +!:mime application/vnd.sun.xml.calc.template +!:ext stc +>>>62 string draw Draw +>>>>66 byte !0x2e document +!:mime application/vnd.sun.xml.draw +!:ext sxd +>>>>66 string .template template +!:mime application/vnd.sun.xml.draw.template +!:ext std +>>>62 string impress Impress +>>>>69 byte !0x2e presentation +!:mime application/vnd.sun.xml.impress +!:ext sxi +>>>>69 string .template template +!:mime application/vnd.sun.xml.impress.template +!:ext sti +>>>62 string math Math document +!:mime application/vnd.sun.xml.math +!:ext sxm +>>>62 string base Database file +!:mime application/vnd.sun.xml.base +!:ext sdb + +# URL: https://wiki.openoffice.org/wiki/Documentation/DevGuide/Extensions/File_Format +# From: Joerg Jenderek +# Note: only few OXT samples are detected here by mimetype member +# is used by OpenOffice and LibreOffice and probably also NeoOffice +# verified by `unzip -Zv *.oxt` or `7z l -slt *.oxt` +>>50 string vnd.openofficeorg. OpenOffice +>>>68 string extension \b/LibreOffice Extension +# http://extension.nirsoft.net/oxt +!:mime application/vnd.openofficeorg.extension +# like: Gallery-Puzzle.2.1.0.1.oxt +!:ext oxt + +# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) +# URL: http://fileformats.archiveteam.org/wiki/OpenDocument +# https://lists.oasis-open.org/archives/office/200505/msg00006.html +# (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>") +>>50 string vnd.oasis.opendocument. OpenDocument +>>>73 string text +>>>>77 byte !0x2d Text +!:mime application/vnd.oasis.opendocument.text +!:ext odt +>>>>77 string -template Text Template +!:mime application/vnd.oasis.opendocument.text-template +!:ext ott +>>>>77 string -web HTML Document Template +!:mime application/vnd.oasis.opendocument.text-web +!:ext oth +>>>>77 string -master +>>>>>84 byte !0x2d Master Document +!:mime application/vnd.oasis.opendocument.text-master +!:ext odm +>>>>>84 string -template Master Template +!:mime application/vnd.oasis.opendocument.text-master-template +!:ext otm +>>>73 string graphics +>>>>81 byte !0x2d Drawing +!:mime application/vnd.oasis.opendocument.graphics +!:ext odg +>>>>81 string -template Drawing Template +!:mime application/vnd.oasis.opendocument.graphics-template +!:ext otg +>>>73 string presentation +>>>>85 byte !0x2d Presentation +!:mime application/vnd.oasis.opendocument.presentation +!:ext odp +>>>>85 string -template Presentation Template +!:mime application/vnd.oasis.opendocument.presentation-template +!:ext otp +>>>73 string spreadsheet +>>>>84 byte !0x2d Spreadsheet +!:mime application/vnd.oasis.opendocument.spreadsheet +!:ext ods +>>>>84 string -template Spreadsheet Template +!:mime application/vnd.oasis.opendocument.spreadsheet-template +!:ext ots +>>>73 string chart +>>>>78 byte !0x2d Chart +!:mime application/vnd.oasis.opendocument.chart +!:ext odc +>>>>78 string -template Chart Template +!:mime application/vnd.oasis.opendocument.chart-template +!:ext otc +>>>73 string formula +>>>>80 byte !0x2d Formula +!:mime application/vnd.oasis.opendocument.formula +!:ext odf +>>>>80 string -template Formula Template +!:mime application/vnd.oasis.opendocument.formula-template +!:ext otf +# https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml +>>>73 string database Database +!:mime application/vnd.oasis.opendocument.database +!:ext odb +# Valid for LibreOffice Base 6.0.1.1 at least +>>>73 string base Database +# https://bugs.documentfoundation.org/show_bug.cgi?id=45854 +!:mime application/vnd.oasis.opendocument.base +!:ext odb +>>>73 string image +>>>>78 byte !0x2d Image +!:mime application/vnd.oasis.opendocument.image +!:ext odi +>>>>78 string -template Image Template +!:mime application/vnd.oasis.opendocument.image-template +!:ext oti + +# EPUB (OEBPS) books using OCF (OEBPS Container Format) +# https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4. +# From: Ralf Brown <ralf.brown@gmail.com> +>>50 string epub+zip EPUB document +!:mime application/epub+zip + +# From: Hajin Jang <jb6804@naver.com> +# hwpx (OWPML) document format follows OCF specification. +# Hangul Word Processor 2010+ supports HWPX format. +# URL: https://www.hancom.com/etc/hwpDownload.do +# https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101 +# https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331 +>>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX +!:mime application/x-hwp+zip +!:ext hwpx + +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/CorelDRAW +# NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based +>>50 string x-vnd.corel. Corel +>>>62 string draw.document+zip Draw drawing, version 14-16 +!:mime application/x-vnd.corel.draw.document+zip +!:ext cdr +>>>62 string draw.template+zip Draw template, version 14-16 +!:mime application/x-vnd.corel.draw.template+zip +!:ext cdrt +>>>62 string zcf.draw.document+zip Draw drawing, version 17-22 +!:mime application/x-vnd.corel.zcf.draw.document+zip +!:ext cdr +>>>62 string zcf.draw.template+zip Draw template, version 17-22 +!:mime application/x-vnd.corel.zcf.draw.template+zip +!:ext cdt/cdrt +# URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html +>>>62 string zcf.pattern+zip Draw pattern, version 22 +!:mime application/x-vnd.corel.zcf.pattern+zip +!:ext pat +# URL: https://en.wikipedia.org/wiki/Corel_Designer +# Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer +# Note: called by TrID "Corel DESIGN graphics" +>>>62 string designer.document+zip DESIGNER graphics, version 14-16 +!:mime application/x-vnd.corel.designer.document+zip +!:ext des +>>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21 +!:mime application/x-vnd.corel.zcf.designer.document+zip +!:ext des +# URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/ +# CorelDRAW-Corel-Symbol-Library-CSL.html +>>>62 string symbol.library+zip Symbol Library, version 6-16.3 +!:mime application/x-vnd.corel.symbol.library+zip +!:ext csl +>>>62 string zcf.symbol.library+zip Symbol Library, version 17-22 +!:mime application/x-vnd.corel.zcf.symbol.library+zip +!:ext csl + +# Catch other ZIP-with-mimetype formats +# In a ZIP file, the bytes immediately after a member's contents are +# always "PK". The 2 regex rules here print the "mimetype" member's +# contents up to the first 'P'. Luckily, most MIME types don't contain +# any capital 'P's. This is a kludge. +# (mimetype contains "application/<OTHER>") +>>50 default x Zip data +>>>38 regex [!-OQ-~]+ (MIME type "%s"?) +!:mime application/zip +# (mimetype contents other than "application/*") +>26 string \x8\0\0\0mimetype +>>38 string !application/ +>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) +!:mime application/zip + +# Java Jar files (see also APK files above) +>(26.s+30) leshort 0xcafe Java archive data (JAR) +!:mime application/java-archive +!:ext jar + +# iOS App +>(26.s+30) leshort !0xcafe +>>26 string !\x8\0\0\0mimetype +>>>30 string Payload/ +>>>>38 search/64 .app/ iOS App +!:mime application/x-ios-app + +# Dup, see above. +#>30 search/100/b application/epub+zip EPUB document +#!:mime application/epub+zip + +# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +# Next line excludes specialized formats: +>(26.s+30) leshort !0xcafe +>>30 search/100/b !application/epub+zip +>>>26 string !\x8\0\0\0mimetype Zip archive data +!:mime application/zip +>>>>4 beshort x \b, at least +>>>>4 use zipversion +>>>>4 beshort x to extract +>>>>8 beshort x \b, compression method= +>>>>8 use zipcompression +>>>>0x161 string WINZIP \b, WinZIP self-extracting + +# StarView Metafile +# From Pierre Ducroquet <pinaraf@pinaraf.info> +0 string VCLMTF StarView MetaFile +>6 beshort x \b, version %d +>8 belong x \b, size %d + +# Zoo archiver +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Zoo_(file_format) +# http://fileformats.archiveteam.org/wiki/Zoo +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml +# http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h +# Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269 +# verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO` +20 lelong 0xfdc4a7dc +# skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive +>32 byte >0 Zoo archive data +!:mime application/x-zoo +# bak is extension of backup-ed zoo +!:ext zoo/bak +# version in text form like: 1.50 2.00 2.10 +>>4 byte >48 \b, v%c. +>>>6 byte >47 \b%c +>>>>7 byte >47 \b%c +# ZOO files typically start with "ZOO ?.?? Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything +>>8 string !\040Archive.\032 \b, at 8 +>>>8 string x text "%0.10s" +# major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0 +>>32 byte >0 \b, modify: v%d +>>>33 byte x \b.%d+ +# major_ver.minor_ver; minimum version needed to extract after modify like in old versions +>>(24.l+28) ubyte x \b, extract: v%u +>>(24.l+29) ubyte x \b.%u+ +# with zoo 2.00 additional fields have been added in the archive header +>>32 byte >1 +# type; type of archive header like: 1 2 +>>>34 ubyte !1 \b, header type %u +# acmt_pos; position of archive comment like: 6258 30599 61369 149501 +>>>35 lelong >0 \b, at %d +# acmt_len; length of archive comment like: 258 +>>>>39 uleshort x %u bytes comment +#>>>>(35.l) ubequad x COMMENT=%16.16llx +# 1st character of comment maybe is CarriageReturn (0x0d) +>>>>(35.l) ubyte <040 +# 2nd character of comment maybe is LineFeed (0x0a) +>>>>>(35.l+1) ubyte <040 +# comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by" +>>>>>>(35.l+2) string x %s +# next character of remaining comment maybe is CarriageReturn (0x0d) +>>>>>>>&0 ubyte <040 +>>>>>>>>&0 ubyte <040 +# 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload +>>>>>>>>>&0 string >037 %s +# vdata; archive-level versioning byte like: 1 3 +>>>41 ubyte !1 \b, vdata %#x +# zoo_start; pointer to 1st entry header +>>24 lelong x \b; at %u +# zoo_minus; zoo_start -1 for consistency checking +#>>28 lelong x \b, zoo_minus %#x +# zoo_tag; tag for check +#>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x +# type; type of directory entry like: 1 2 +>>(24.l+4) ubyte !2 type=%u +# packing_method; 0~no packing 1~normal LZW 2~lzh +>>(24.l+5) ubyte x method= +>>>(24.l+5) ubyte 0 \bnot-compressed +>>>(24.l+5) ubyte 1 \blzd +>>>(24.l+5) ubyte 2 \blzh +# next; position of next directory entry +>>(24.l+6) ulelong x \b, next entry at %u +# offset; position of file data for this entry +#>>(24.l+10) ulelong x \b, data at %u +# file_crc; CRC-16 of file data +>>(24.l+18) uleshort x \b, CRC %#4.4x +# comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO) +>>(24.l+32) lelong >0 \b, at %#x +# cmt_size; if not 0 for none then length of entry comment like: 46 +>>>(24.l+36) uleshort >0 %u bytes comment +# entry comment itself like: "CGA .GL file showing menu input from keyboard" +>>>>(&-6.l) string x "%s" +# org_size; original size of file +>>(24.l+20) ulelong x \b, size %u +# size_now; compressed size of file +>>(24.l+24) ulelong x (%u compressed) +# major_ver.minor_ver; minimum version needed to extract already done +# deleted; will be 1 if deleted, 0 if not +>>(24.l+30) ubyte =1 \b, deleted +# struc; file structure if any; WHAT IS THAT? +>>(24.l+31) ubyte !0 \b, structured +# fname[13]; short/DOS file name like 12345678.012 +>>(24.l+38) string x \b, %0.13s +# for directory entry type 2 with variable part +>>(24.l+4) ubyte =2 +# var_dir_len; length of variable part of dir entry +>>>(24.l+51) uleshort >0 +#>>>(24.l+51) uleshort >0 \b, variable part length %u +# namlen; length of long filename +#>>>>(24.l+56) ubyte x \b, namlen %u +# dirlen; length of directory name +#>>>>(24.l+57) ubyte x \b, dirlen %u +# if file length positive then show long file name +>>>>(24.l+56) ubyte >0 +# lfname[256]; long file name \0-terminated +>>>>>(24.l+58) string x "%s" +# if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name +>>>>(24.l+57) ubyte >0 +>>>>>(24.l+55) ubyte x +# dirname[256]; directory name \0-terminated +>>>>>>&(&0.b+2) string x in "%s" +# dir_crc; CRC of directory entry +#>>>(24.l+54) uleshort x \b, entry CRC %#4.4x +# tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC -107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC +>>>(24.l+53) byte !0x7f \b, time zone %d/4 +# date; last mod file date in DOS format +>>>(24.l+14) lemsdosdate x \b, modified %s +# time; last mod file time in DOS format +>>>(24.l+16) lemsdostime x %s + +# Shell archives +10 string #\ This\ is\ a\ shell\ archive shell archive text +!:mime application/octet-stream + +# +# LBR. NB: May conflict with the questionable +# "binary Computer Graphics Metafile" format. +# +0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data +# +# PMA (CP/M derivative of LHA) +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/LHA_(file_format) +# +#2 string -pm0- PMarc archive data [pm0] +2 string -pm0- +>0 use lharc-file +#2 string -pm1- PMarc archive data [pm1] +2 string -pm1- +>0 use lharc-file +#2 string -pm2- PMarc archive data [pm2] +2 string -pm2- +>0 use lharc-file +2 string -pms- PMarc SFX archive (CP/M, DOS) +#!:mime application/x-foobar-exec +!:ext com +5 string -pc1- PopCom compressed executable (CP/M) +#!:mime application/x- +#!:ext com + +# From Rafael Laboissiere <rafael@laboissiere.net> +# The Project Revision Control System (see +# http://prcs.sourceforge.net) generates a packaged project +# file which is recognized by the following entry: +0 leshort 0xeb81 PRCS packaged project + +# Microsoft cabinets +# by David Necas (Yeti) <yeti@physics.muni.cz> +#0 string MSCF\0\0\0\0 Microsoft cabinet file data, +#>25 byte x v%d +#>24 byte x \b.%d +# MPi: All CABs have version 1.3, so this is pointless. +# Better magic in debian-additions. + +# GTKtalog catalogs +# by David Necas (Yeti) <yeti@physics.muni.cz> +4 string gtktalog\ GTKtalog catalog data, +>13 string 3 version 3 +>>14 beshort 0x677a (gzipped) +>>14 beshort !0x677a (not gzipped) +>13 string >3 version %s + +############################################################################ +# Parity archive reconstruction file, the 'par' file format now used on Usenet. +0 string PAR\0 PARity archive data +>48 leshort =0 - Index file +>48 leshort >0 - file number %d + +# Felix von Leitner <felix-file@fefe.de> +0 string d8:announce BitTorrent file +!:mime application/x-bittorrent +!:ext torrent +# Durval Menezes, <jmgthbfile at durval dot com> +0 string d13:announce-list BitTorrent file +!:mime application/x-bittorrent +!:ext torrent +0 string d7:comment BitTorrent file +!:mime application/x-bittorrent +!:ext torrent +0 string d4:info BitTorrent file +!:mime application/x-bittorrent +!:ext torrent + +# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> +# URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver) +# Reference: http://info-coach.fr/atari/documents/_mydoc/FD_Image_File_Format.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/m/msa.trid.xml +# Update: Joerg Jenderek +# Note: called by TrID "Atari MSA Disk Image" and verified by +# command like `deark -l -m msa -d2 PDATS578.msa` as " Atari ST floppy disk image" +# GRR: line below is too general as it matches setup.skin +0 beshort 0x0e0f +# skip foo setup.skin with unrealistic high number 52255 of sides by check for valid "low" value +>4 ubeshort <2 Atari MSA archive data +#!:mime application/octet-stream +!:mime application/x-atari-msa +!:ext msa +# sectors per track like: 9 10 +>>2 beshort x \b, %d sectors per track +# sides (0 or 1; add 1 to this to get correct number of sides) +>>4 beshort 0 \b, 1 sided +>>4 beshort 1 \b, 2 sided +# starting track like: 0 +>>6 beshort x \b, starting track: %d +# ending track like: 39 79 80 81 +>>8 beshort x \b, ending track: %d +# tracks content +#>>10 ubequad x \b, track content %#16.16llx + +# Alternate ZIP string (amc@arwen.cs.berkeley.edu) +0 string PK00PK\003\004 Zip archive data +!:mime application/zip +!:ext zip/cbz + +# Recognize ZIP archives with prepended data by end-of-central-directory record +# https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD) +# by Michal Gorny <mgorny@gentoo.org> +-2 uleshort 0 +>&-22 string PK\005\006 +# without #! +>>0 string !#! Zip archive, with extra data prepended +!:mime application/zip +!:ext zip/cbz +# with #! +>>0 string/w #!\ a +>>>&-1 string/T x %s script executable (Zip archive) + +# ACE archive (from http://www.wotsit.org/download.asp?f=ace) +# by Stefan `Sec` Zehl <sec@42.org> +7 string **ACE** ACE archive data +!:mime application/x-ace-compressed +!:ext ace +>15 byte >0 version %d +>16 byte =0x00 \b, from MS-DOS +>16 byte =0x01 \b, from OS/2 +>16 byte =0x02 \b, from Win/32 +>16 byte =0x03 \b, from Unix +>16 byte =0x04 \b, from MacOS +>16 byte =0x05 \b, from WinNT +>16 byte =0x06 \b, from Primos +>16 byte =0x07 \b, from AppleGS +>16 byte =0x08 \b, from Atari +>16 byte =0x09 \b, from Vax/VMS +>16 byte =0x0A \b, from Amiga +>16 byte =0x0B \b, from Next +>14 byte x \b, version %d to extract +>5 leshort &0x0080 \b, multiple volumes, +>>17 byte x \b (part %d), +>5 leshort &0x0002 \b, contains comment +>5 leshort &0x0200 \b, sfx +>5 leshort &0x0400 \b, small dictionary +>5 leshort &0x0800 \b, multi-volume +>5 leshort &0x1000 \b, contains AV-String +>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered) +>5 leshort &0x2000 \b, with recovery record +>5 leshort &0x4000 \b, locked +>5 leshort &0x8000 \b, solid +# Date in MS-DOS format (whatever that is) +#>18 lelong x Created on + +# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann +# <doj@cubic.org> +0x1A string sfArk sfArk compressed Soundfont +>0x15 string 2 +>>0x1 string >\0 Version %s +>>0x2A string >\0 : %s + +# DR-DOS 7.03 Packed File *.??_ +# Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm +# Note: unpacked by PNUNPACK.EXE +0 string Packed\ File\ +# by looking for Control-Z skip ASCII text starting with Packed File +>0x18 ubyte 0x1a Personal NetWare Packed File +!:mime application/x-novell-compress +!:ext ??_ +>>12 string x \b, was "%.12s" +# 1 or 2 +#>>0x19 ubyte x \b, at 0x19 %u +>>0x1b ulelong x with %u bytes + +# EET archive +# From: Tilman Sauerbeck <tilman@code-monkey.de> +0 belong 0x1ee7ff00 EET archive +!:mime application/x-eet + +# rzip archives +0 string RZIP rzip compressed data +>4 byte x - version %d +>5 byte x \b.%d +>6 belong x (%d bytes) + +# From: Joerg Jenderek +# URL: https://help.foxitsoftware.com/kb/install-fzip-file.php +# reference: http://mark0.net/download/triddefs_xml.7z/ +# defs/f/fzip.trid.xml +# Note: unknown compression; No "PK" zip magic; normally in directory like +# "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install" +0 ubequad 0x2506781901010000 Foxit add-on/update +!:mime application/x-fzip +!:ext fzip + +# From: "Robert Dale" <robdale@gmail.com> +0 belong 123 dar archive, +>4 belong x label "%.8x +>>8 belong x %.8x +>>>12 beshort x %.4x" +>14 byte 0x54 end slice +>14 beshort 0x4e4e multi-part +>14 beshort 0x4e53 multi-part, with -S + +# Symbian installation files +# https://www.thouky.co.uk/software/psifs/sis.html +# http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf +8 lelong 0x10000419 Symbian installation file +!:mime application/vnd.symbian.install +>4 lelong 0x1000006D (EPOC release 3/4/5) +>4 lelong 0x10003A12 (EPOC release 6) +0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x) +!:mime x-epoc/x-sisx-app + +# From "Nelson A. de Oliveira" <naoliv@gmail.com> +0 string MPQ\032 MoPaQ (MPQ) archive + +# From: "Nelson A. de Oliveira" <naoliv@gmail.com> +# .kgb +0 string KGB_arch KGB Archiver file +>10 string x with compression level %.1s + +# xar (eXtensible ARchiver) archive +# URL: https://en.wikipedia.org/wiki/Xar_(archiver) +# xar archive format: https://code.google.com/p/xar/ +# From: "David Remahl" <dremahl@apple.com> +# Update: Joerg Jenderek +# TODO: lzma compression; X509Data for pkg and xip +# Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or +# 7z t -txar Xcode_10.2_beta_4.xip` +0 string xar! xar archive +!:mime application/x-xar +# pkg for Mac OSX installer package like FullBundleUpdate.pkg +# xip for signed Apple software like Xcode_10.2_beta_4.xip +!:ext xar/pkg/xip +# always 28 in older archives +>4 ubeshort >28 \b, header size %u +# currently there exit only version 1 since about 2014 +>6 ubeshort >1 version %u, +>8 ubequad x compressed TOC: %llu, +#>16 ubequad x uncompressed TOC: %llu, +# cksum_alg 0-2 in older and also 3-4 in newer +>24 belong 0 no checksum +>24 belong 1 SHA-1 checksum +>24 belong 2 MD5 checksum +>24 belong 3 SHA-256 checksum +>24 belong 4 SHA-512 checksum +>24 belong >4 unknown %#x checksum +#>24 belong >4 checksum +# For no compression jump 0 bytes +>24 belong 0 +>>0 ubyte x +# jump more bytes forward by header size +>>>&(4.S) ubyte x +# jump more bytes forward by compressed table of contents size +#>>>>&(8.Q) ubequad x \b, heap data %#llx +>>>>&(8.Q) ubyte x +# look for data by ./compress after message with 1 space at end +>>>>>&-3 indirect x \b, contains +# For SHA-1 jump 20 minus 2 bytes +>24 belong 1 +>>18 ubyte x +# jump more bytes forward by header size +>>>&(4.S) ubyte x +# jump more bytes forward by compressed table of contents size +>>>>&(8.Q) ubyte x +# data compressed by gzip, bzip, lzma or none +>>>>>&-1 indirect x \b, contains +# For SHA-256 jump 32 minus 2 bytes +>24 belong 3 +>>30 ubyte x +# jump more bytes forward by header size +>>>&(4.S) ubyte x +# jump more bytes forward by compressed table of contents size +>>>>&(8.Q) ubyte x +>>>>>&-1 indirect x \b, contains +# For SHA-512 jump 64 minus 2 bytes +>24 belong 4 +>>62 ubyte x +# jump more bytes forward by header size +>>>&(4.S) ubyte x +# jump more bytes forward by compressed table of contents size +>>>>&(8.Q) ubyte x +>>>>>&-1 indirect x \b, contains + +# Type: Parity Archive +# From: Daniel van Eeden <daniel_e@dds.nl> +0 string PAR2 Parity Archive Volume Set + +# Bacula volume format. (Volumes always start with a block header.) +# URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +12 string BB02 Bacula volume +>20 bedate x \b, started %s + +# ePub is XHTML + XML inside a ZIP archive. The first member of the +# archive must be an uncompressed file called 'mimetype' with contents +# 'application/epub+zip' + + +# From: "Michael Gorny" <mgorny@gentoo.org> +# ZPAQ: http://mattmahoney.net/dc/zpaq.html +0 string zPQ ZPAQ stream +>3 byte x \b, level %d +# From: Barry Carter <carter.barry@gmail.com> +# https://encode.ru/threads/456-zpaq-updates/page32 +0 string 7kSt ZPAQ file + +# BBeB ebook, unencrypted (LRF format) +# URL: https://www.sven.de/librie/Librie/LrfFormat +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted +>8 beshort x \b, version %d +>36 byte 1 \b, front-to-back +>36 byte 16 \b, back-to-front +>42 beshort x \b, (%dx, +>44 beshort x %d) + +# Symantec GHOST image by Joerg Jenderek at May 2014 +# https://us.norton.com/ghost/ +# https://www.garykessler.net/library/file_sigs.html +0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image +# *.GHO +>2 ubyte&0x08 0x00 \b, first file +# *.GHS or *.[0-9] with cns program option +>2 ubyte&0x08 0x08 \b, split file +# part of split index interesting for *.ghs +>>4 ubyte x id=%#x +# compression tag minus one equals numeric compression command line switch z[1-9] +>3 ubyte 0 \b, no compression +>3 ubyte 2 \b, fast compression (Z1) +>3 ubyte 3 \b, medium compression (Z2) +>3 ubyte >3 +>>3 ubyte <11 \b, compression (Z%d-1) +>2 ubyte&0x08 0x00 +# ~ 30 byte password field only for *.gho +>>12 ubequad !0 \b, password protected +>>44 ubyte !1 +# 1~Image All, sector-by-sector only for *.gho +>>>10 ubyte 1 \b, sector copy +# 1~Image Boot track only for *.gho +>>>43 ubyte 1 \b, boot track +# 1~Image Disc only for *.gho implies Image Boot track and sector copy +>>44 ubyte 1 \b, disc sector copy +# optional image description only *.gho +>>0xff string >\0 "%-.254s" +# look for DOS sector end sequence +>0xE08 search/7776 \x55\xAA +>>&-512 indirect x \b; contains + +# Google Chrome extensions +# https://developer.chrome.com/extensions/crx +# https://developer.chrome.com/extensions/hosting +0 string Cr24 Google Chrome extension +!:mime application/x-chrome-extension +>4 ulong x \b, version %u + +# SeqBox - Sequenced container +# ext: sbx, seqbox +# Marco Pontello marcopon@gmail.com +# reference: https://github.com/MarcoPon/SeqBox +0 string SBx SeqBox, +>3 byte x version %d + +# LyNX archive +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive +# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml +# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64 +# TODO: merge and unify with Commodore C64 BASIC program +56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive +# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64 +#!:strength +0 +#!:mime application/octet-stream +!:mime application/x-commodore-lnx +!:ext lnx +# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn +>86 search/10 \x8910\0\0\0\r \b, +# for DEBUGGING +#>>&0 string x STRING="%s" +# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5 +>>&0 regex [0-9]{1,5} %s directory blocks +# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*" +>>>&2 regex [^\r]{1,24} \b, signature "%s" +# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?) +>>>>&1 regex [0-9]{1,3} \b, %s files + +# From: Joerg Jenderek +# URL: https://www.acronis.com/ +# Reference: https://en.wikipedia.org/wiki/TIB_(file_format) +# Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110 +0 ubequad 0xce24b9a220000000 Acronis True Image backup +!:mime application/x-acronis-tib +!:ext tib +# 01000000 +#>20 ubelong x \b, at 20 %#x +# 20000000 +#>28 ubelong x \b, at 28 %#x +# strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0" +# ??? +# strings like "\Device\0000011e" "\Device\0000015a" +#>0 search/0x6852300/cs \\Device\\ +#>>&-1 pstring x \b, %s +# "\Device\HarddiskVolume30" "\Device\HarddiskVolume39" +#>>>&1 search/180/cs \\Device\\ +#>>>>&-1 pstring x \b, %s +#>>>>>&0 search/29/cs \0\0\xc8\0 +# disk label +#>>>>>>&10 lestring16 x \b, disk label %11.11s +#>>>>>>&9 plestring16 x \b, disk label "%11.11s" +#>>>>>>&10 ubequad x %16.16llx + + +# Gentoo XPAK binary package +# by Michal Gorny <mgorny@gentoo.org> +# https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5 +-4 string STOP +>-16 string XPAKSTOP Gentoo binary package (XPAK) +!:mime application/vnd.gentoo.xpak + +# From: Joerg Jenderek +# URL: https://kodi.wiki/view/TexturePacker +# Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz +# /xbmc-Krypton/xbmc/guilib/XBTF.h +# /xbmc-Krypton/xbmc/guilib/XBTF.cpp +0 string XBTF +# skip ASCII text by looking for terminating \0 of path +>264 ubyte 0 XBMC texture package +!:mime application/x-xbmc-xbt +!:ext xbt +# XBTF_VERSION 2 +>>4 string !2 \b, version %-.1s +# nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp +>>5 ulelong x \b, %u file +# plural s +>>5 ulelong >1 \bs +# path[CXBTFFile[MaximumPathLength=256] +>>9 string x \b, 1st %s + +# ALZIP archive +# by Hyungjun Park <hyungjun.park@worksmobile.com>, Hajin Jang <hajin_jang@worksmobile.com> +# http://kippler.com/win/unalz/ +# https://salsa.debian.org/l10n-korean-team/unalz +0 string ALZ\001 ALZ archive data +!:ext alz + +# https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip +0 string EGGA EGG archive data, +!:ext egg +>5 byte x version %u +>4 byte x \b.%u +>>0x0E ulelong =0x08E28222 +>>0x0E ulelong =0x24F5A262 \b, split +>>0x0E ulelong =0x24E5A060 \b, solid +>>0x0E default x \b, unknown + +# PAQ9A archive +# URL: http://mattmahoney.net/dc/#paq9a +# Note: Line 1186 of paq9a.cpp gives the magic bytes +0 string pQ9\001 PAQ9A archive + +# From wof (wof@stachelkaktus.net) +0 string Unison\ archive\ format Unison archive format + +# https://ankiweb.net +30 string collection.anki2 Anki APKG file +#!:ext .apkg + +# Synology archive (DiskStation Manager 7.0+) +# From: Alexandre Iooss <erdnaxe@crans.org> +# Note: These archives are signed and encrypted. +0 ulelong&0xFFFFFF00 0xEFBEAD00 +# MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes) +>8 ulelong&0x00FFFFFF 0x20C495 Synology archive +!:ext spk +# Extract some properties from MessagePack third item +>>43 search/0x10000 package= +>>>&0 string x \b, package %s +>>43 search/0x10000 arch= +>>>&0 string x %s +>>43 search/0x10000 version= +>>>&0 string x %s +>>43 search/0x10000 create_time= +>>>&0 string x \b, created on %s + +# MonoGame/XNA processed assets archive +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs +0 string XNB +# XNB must be version 4 or 5 +>4 byte <6 +>>4 byte >3 +# Size must be positive +>>>6 lelong >0 MonoGame/XNA processed assets +!:ext xnb +>>>>3 string =w \b, for Windows +>>>>3 string =x \b, for Xbox360 +>>>>3 string =i \b, for iOS +>>>>3 string =a \b, for Android +>>>>3 string =d \b, for DesktopGL +>>>>3 string =X \b, for MacOSX +>>>>3 string =W \b, for WindowsStoreApp +>>>>3 string =n \b, for NativeClient +>>>>3 string =M \b, for WindowsPhone8 +>>>>3 string =r \b, for RaspberryPi +>>>>3 string =P \b, for PlayStation4 +>>>>3 string =5 \b, for PlayStation5 +>>>>3 string =O \b, for XboxOne +>>>>3 string =S \b, for Nintendo Switch +>>>>3 string =G \b, for Google Stadia +>>>>3 string =b \b, for WebAssembly and Bridge.NET +>>>>3 string =m \b, for WindowsPhone7.0 (XNA) +>>>>3 string =p \b, for PlayStationMobile +>>>>3 string =v \b, for PSVita +>>>>3 string =g \b, for Windows (OpenGL) +>>>>3 string =l \b, for Linux +>>>>4 byte x \b, version %d +>>>>5 byte &0x80 \b, LZX compressed +>>>>>10 lelong x \b, decompressed size: %d bytes +>>>>5 byte &0x40 \b, LZ4 compressed +>>>>>10 lelong x \b, decompressed size: %d bytes + +# Electron ASAR archive +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/electron/asar +0 ulelong 4 +# Match JSON header start and end +>16 string {"files":{" +>>(12.l+12) string }}}} Electron ASAR archive +!:ext asar +>>>12 ulelong x \b, header length: %d bytes diff --git a/magic/Magdir/aria b/magic/Magdir/aria new file mode 100644 index 0000000..c3a6bf5 --- /dev/null +++ b/magic/Magdir/aria @@ -0,0 +1,38 @@ + +#------------------------------------------------------------------------------ +# URL: https://de.wikipedia.org/wiki/Aria_(Software) +# Reference: https://github.com/aria2/aria2/blob/master/doc/manual-src/en/technical-notes.rst +# From: Joerg Jenderek +# Note: only version 1 suited +# check for valid version one +0 beshort 0x0001 +# skip most uncompressed DEGAS med-res bitmap *.PI2 and GEM bitmap (v1) *.IMG +# by test for valid infoHashCheck extension +>2 ubelong&0xffFFffFE 0x00000000 +# skip DEGAS med-res bitmap DIAGRAM1.PI2 by test for valid length of download +>>(6.L+14) ubequad >0 +>>>0 use aria +0 name aria +# version; (0x0000) or (0x0001); for 0 all multi-byte are in host byte order. For 1 big endian +>0 beshort x aria2 control file, version %u +#!:mime application/octet-stream +!:mime application/x-aria +!:ext aria2 +# EXTension; if EXT[3]&1 == 1 checks whether saved InfoHash and current downloading the same; infoHashCheck extension +>2 ubelong !0 \b, infoHashCheck %#x +# info hash length like: 0 14h +>6 ubelong !0 \b, %#x bytes info hash +# info hash; BitTorrent InfoHash +>>10 ubequad x %#16.16llx... +# piece length; the length of the piece like: 400h 100000h +>(6.L+10) ubelong x \b, piece length 0x%x +# total length; the total length of the download +>(6.L+14) ubequad x \b, total length %llu +#>(6.L+14) ubequad x \b, total length %#llx +# upload length; the uploaded length of download like: 0 400h +>(6.L+22) ubequad !0 \b, upload length %#llx +# bitfield length; the length of bitfield like: 4 6 Ah 10h 13h 167h +>(6.L+30) ubelong x \b, %#x bytes bitfield +# bitfield; bitfield which represents current download progress +>(6.L+34) ubequad !0 %#llx... + diff --git a/magic/Magdir/arm b/magic/Magdir/arm new file mode 100644 index 0000000..c514320 --- /dev/null +++ b/magic/Magdir/arm @@ -0,0 +1,50 @@ +#------------------------------------------------------------------------------ +# $File: arm,v 1.3 2022/10/31 14:35:39 christos Exp $ +# arm: file(1) magic for ARM COFF +# +# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format + +# Aarch64 +0 leshort 0xaa64 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM +0 leshort 0x01c0 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM Thumb +0 leshort 0x01c2 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARMv7 Thumb +0 leshort 0x01c4 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM64EC +0 leshort 0xa641 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 diff --git a/magic/Magdir/asf b/magic/Magdir/asf new file mode 100644 index 0000000..744a0af --- /dev/null +++ b/magic/Magdir/asf @@ -0,0 +1,132 @@ + +#------------------------------------------------------------------------------ +# $File: asf,v 1.4 2022/10/31 13:22:26 christos Exp $ +# asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files +# http://www.staroceans.org/e-book/ASF_Specification.pdf + +0 name asf-name +# ASF_Data_Object +#>0 guid 75B22636-668E-11CF-A6D9-00AA0062CE6C +#>16 lequad >0 +#>>(16.q) use asf-object +# ASF_Simple_Index_Object +>0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB +>0 guid D6E229D3-35DA-11D1-9034-00A0C90349BE ASF_Index_Object +>0 guid FEB103F8-12AD-4C64-840F-2A1D2F7AD48C ASF_Media_Object_Index_Object +>0 guid 3CB73FD0-0C4A-4803-953D-EDF7B6228F0C ASF_Timecode_Index_Object + +# ASF_File_Properties_Object +>0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365 + +# ASF_Stream_Properties_Object +>0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 +#>>56 lequad x Time Offset %lld +#>>64 lelong x Type-Specific Data Length %d +#>>68 lelong x Error Correction Data Length %d +#>>72 leshort x Flags %#x +#>>74 lelong x Reserved %x +# ASF_Audio_Media +>>24 guid F8699E40-5B4D-11CF-A8FD-00805F5C442B \b, Audio Media ( +>>>78 leshort x \bCodec Id %d +>>>80 leshort x \b, Number of channels %d +>>>82 lelong x \b, Samples Per Second %d +>>>86 lelong x \b, Average Number of Bytes Per Second %d +>>>90 lelong x \b, Block Alignment %d +>>>94 leshort x \b, Bits Per Sample %d +# ASF_Video_Media +>>24 guid BC19EFC0-5B4D-11CF-A8FD-00805F5C442B \b, Video Media ( +>>>78 lelong x \bEncoded Image Width %d +>>>82 lelong x \b, Encoded Image Height %d +#>>>85 leshort x \b, Format Data Size %x +>>>93 lelong x \b, Image Width %d +>>>97 lelong x \b, Image Height %d +#>>>101 leshort x \b, Reserved %#x +>>>103 leshort x \b, Bits Per Pixel Count %d +#>>>105 lelong x \b, Compression ID %d +#>>>109 lelong x \b, Image Size %d +#>>>113 lelong x \b, Horizontal Pixels Per Meter %d +#>>>117 lelong x \b, Vertical Pixels Per Meter %d +#>>>121 lelong x \b, Colors Used Count %d +#>>>125 lelong x \b, Important Colors Count %d +>>0 lelong x \b, Error correction type +>>40 use asf-name +>>0 lelong x \b) +#ASF_Header_Extension_Object +>0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365 +# ASF_Codec_List_Object +>0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6 +>0 guid 1EFB1A30-0B62-11D0-A39B-00A0C90348F6 ASF_Script_Command_Object +>0 guid F487CD01-A951-11CF-8EE6-00C00C205365 ASF_Marker_Object +>0 guid D6E229DC-35DA-11D1-9034-00A0C90349BE ASF_Bitrate_Mutual_Exclusion_Object +>0 guid 75B22635-668E-11CF-A6D9-00AA0062CE6C ASF_Error_Correction_Object +# ASF_Content_Description_Object +>0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C +#>>24 leshort title length %d +#>>26 leshort author length %d +#>>28 leshort copyright length %d +#>>30 leshort descriptor length %d +#>>32 leshort rating length %d +>0 guid D2D0A440-E307-11D2-97F0-00A0C95EA850 ASF_Extended_Content_Description_Object +>0 guid 2211B3FA-BD23-11D2-B4B7-00A0C955FC6E ASF_Content_Branding_Object +>0 guid 7BF875CE-468D-11D1-8D82-006097C9A2B2 ASF_Stream_Bitrate_Properties_Object +>0 guid 2211B3FB-BD23-11D2-B4B7-00A0C955FC6E ASF_Content_Encryption_Object +>0 guid 298AE614-2622-4C17-B935-DAE07EE9289C ASF_Extended_Content_Encryption_Object +>0 guid 2211B3FC-BD23-11D2-B4B7-00A0C955FC6E ASF_Digital_Signature_Object +# ASF_Padding_Object +>0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8 +>0 guid 14E6A5CB-C672-4332-8399-A96952065B5A ASF_Extended_Stream_Properties_Object +>0 guid A08649CF-4775-4670-8A16-6E35357566CD ASF_Advanced_Mutual_Exclusion_Object +>0 guid D1465A40-5A79-4338-B71B-E36B8FD6C249 ASF_Group_Mutual_Exclusion_Object +>0 guid D4FED15B-88D3-454F-81F0-ED5C45999E24 ASF_Stream_Prioritization_Object +>0 guid A69609E6-517B-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Object +>0 guid 7C4346A9-EFE0-4BFC-B229-393EDE415C85 ASF_Language_List_Object +>0 guid C5F8CBEA-5BAF-4877-8467-AA8C44FA4CCA ASF_Metadata_Object +>0 guid 44231C94-9498-49D1-A141-1D134E457054 ASF_Metadata_Library_Object +>0 guid D6E229DF-35DA-11D1-9034-00A0C90349BE ASF_Index_Parameters_Object +>0 guid 6B203BAD-3F11-48E4-ACA8-D7613DE2CFA7 ASF_Media_Object_Index_Parameters_Object +>0 guid F55E496D-9797-4B5D-8C8B-604DFE9BFB24 ASF_Timecode_Index_Parameters_Object +>0 guid 26F18B5D-4584-47EC-9F5F-0E651F0452C9 ASF_Compatibility_Object +>0 guid 43058533-6981-49E6-9B74-AD12CB86D58C ASF_Advanced_Content_Encryption_Object +>0 guid 59DACFC0-59E6-11D0-A3AC-00A0C90348F6 ASF_Command_Media +>0 guid B61BE100-5B4E-11CF-A8FD-00805F5C442B ASF_JFIF_Media +>0 guid 35907DE0-E415-11CF-A917-00805F5C442B ASF_Degradable_JPEG_Media +>0 guid 91BD222C-F21C-497A-8B6D-5AA86BFC0185 ASF_File_Transfer_Media +>0 guid 3AFB65E2-47EF-40F2-AC2C-70A90D71D343 ASF_Binary_Media +>0 guid 776257D4-C627-41CB-8F81-7AC7FF1C40CC ASF_Web_Stream_Media_Subtype +>0 guid DA1E6B13-8359-4050-B398-388E965BF00C ASF_Web_Stream_Format +>0 guid 20FB5700-5B55-11CF-A8FD-00805F5C442B ASF_No_Error_Correction +>0 guid BFC3CD50-618F-11CF-8BB2-00AA00B4E220 ASF_Audio_Spread +>0 guid ABD3D211-A9BA-11cf-8EE6-00C00C205365 ASF_Reserved_1 +>0 guid 7A079BB6-DAA4-4e12-A5CA-91D38DC11A8D ASF_Content_Encryption_System_Windows_Media_DRM +# _Network_Devices +>0 guid 86D15241-311D-11D0-A3A4-00A0C90348F6 ASF_Reserved_2 +>0 guid 4B1ACBE3-100B-11D0-A39B-00A0C90348F6 ASF_Reserved_3 +>0 guid 4CFEDB20-75F6-11CF-9C0F-00A0C90349CB ASF_Reserved_4 +>0 guid D6E22A00-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Language +>0 guid D6E22A01-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Bitrate +>0 guid D6E22A02-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Unknown +>0 guid AF6060AA-5197-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Exclusive +>0 guid AF6060AB-5197-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Partial +>0 guid 399595EC-8667-4E2D-8FDB-98814CE76C1E ASF_Payload_Extension_System_Timecode +>0 guid E165EC0E-19ED-45D7-B4A7-25CBD1E28E9B ASF_Payload_Extension_System_File_Name +>0 guid D590DC20-07BC-436C-9CF7-F3BBFBF1A4DC ASF_Payload_Extension_System_Content_Type +>0 guid 1B1EE554-F9EA-4BC8-821A-376B74E4C4B8 ASF_Payload_Extension_System_Pixel_Aspect_Ratio +>0 guid C6BD9450-867F-4907-83A3-C77921B733AD ASF_Payload_Extension_System_Sample_Duration +>0 guid 6698B84E-0AFA-4330-AEB2-1C0A98D7A44D ASF_Payload_Extension_System_Encryption_Sample_ID +>0 guid 00E1AF06-7BEC-11D1-A582-00C04FC29CFB ASF_Payload_Extension_System_Degradable_JPEG + +0 name asf-object +>0 use asf-name +#>>16 lequad >0 (size %lld) [ +>>16 lequad >0 +>>>(16.q) use asf-object +#>>16 lequad 0 ] + +# Microsoft Advanced Streaming Format (ASF) <mpruett@sgi.com> +0 guid 75B22630-668E-11CF-A6D9-00AA0062CE6C Microsoft ASF +!:mime video/x-ms-asf +#>16 lequad >0 (size %lld +#>>24 lelong x \b, %d header objects) +>16 lequad >0 +>>30 use asf-object +>>(16.q) use asf-object diff --git a/magic/Magdir/assembler b/magic/Magdir/assembler new file mode 100644 index 0000000..805a326 --- /dev/null +++ b/magic/Magdir/assembler @@ -0,0 +1,18 @@ +#------------------------------------------------------------------------------ +# $File: assembler,v 1.6 2013/12/11 14:14:20 christos Exp $ +# make: file(1) magic for assembler source +# +0 regex \^[\040\t]{0,50}\\.asciiz assembler source text +!:mime text/x-asm +0 regex \^[\040\t]{0,50}\\.byte assembler source text +!:mime text/x-asm +0 regex \^[\040\t]{0,50}\\.even assembler source text +!:mime text/x-asm +0 regex \^[\040\t]{0,50}\\.globl assembler source text +!:mime text/x-asm +0 regex \^[\040\t]{0,50}\\.text assembler source text +!:mime text/x-asm +0 regex \^[\040\t]{0,50}\\.file assembler source text +!:mime text/x-asm +0 regex \^[\040\t]{0,50}\\.type assembler source text +!:mime text/x-asm diff --git a/magic/Magdir/asterix b/magic/Magdir/asterix new file mode 100644 index 0000000..a9ea885 --- /dev/null +++ b/magic/Magdir/asterix @@ -0,0 +1,18 @@ + +#------------------------------------------------------------------------------ +# $File: asterix,v 1.5 2009/09/19 16:28:08 christos Exp $ +# asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character +# strings as "long" - we assume they're just strings: +# From: guy@netapp.com (Guy Harris) +# +0 string *STA Aster*x +>7 string WORD Words Document +>7 string GRAP Graphic +>7 string SPRE Spreadsheet +>7 string MACR Macro +0 string 2278 Aster*x Version 2 +>29 byte 0x36 Words Document +>29 byte 0x35 Graphic +>29 byte 0x32 Spreadsheet +>29 byte 0x38 Macro + diff --git a/magic/Magdir/att3b b/magic/Magdir/att3b new file mode 100644 index 0000000..b83ae2e --- /dev/null +++ b/magic/Magdir/att3b @@ -0,0 +1,41 @@ + +#------------------------------------------------------------------------------ +# $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $ +# att3b: file(1) magic for AT&T 3B machines +# +# The `versions' should be un-commented if they work for you. +# (Was the problem just one of endianness?) +# +# 3B20 +# +# The 3B20 conflicts with SCCS. +#0 beshort 0550 3b20 COFF executable +#>12 belong >0 not stripped +#>22 beshort >0 - version %d +#0 beshort 0551 3b20 COFF executable (TV) +#>12 belong >0 not stripped +#>22 beshort >0 - version %d +# +# WE32K +# +0 beshort 0560 WE32000 COFF +>18 beshort ^00000020 object +>18 beshort &00000020 executable +>12 belong >0 not stripped +>18 beshort ^00010000 N/A on 3b2/300 w/paging +>18 beshort &00020000 32100 required +>18 beshort &00040000 and MAU hardware required +>20 beshort 0407 (impure) +>20 beshort 0410 (pure) +>20 beshort 0413 (demand paged) +>20 beshort 0443 (target shared library) +>22 beshort >0 - version %d +0 beshort 0561 WE32000 COFF executable (TV) +>12 belong >0 not stripped +#>18 beshort &00020000 - 32100 required +#>18 beshort &00040000 and MAU hardware required +#>22 beshort >0 - version %d +# +# core file for 3b2 +0 string \000\004\036\212\200 3b2 core file +>364 string >\0 of '%s' diff --git a/magic/Magdir/audio b/magic/Magdir/audio new file mode 100644 index 0000000..55c5cd0 --- /dev/null +++ b/magic/Magdir/audio @@ -0,0 +1,1291 @@ + +#------------------------------------------------------------------------------ +# $File: audio,v 1.127 2023/03/05 20:15:49 christos Exp $ +# audio: file(1) magic for sound formats (see also "iff") +# +# Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), +# and others +# + +# Sun/NeXT audio data +0 string .snd Sun/NeXT audio data: +>12 belong 1 8-bit ISDN mu-law, +!:mime audio/basic +>12 belong 2 8-bit linear PCM [REF-PCM], +!:mime audio/basic +>12 belong 3 16-bit linear PCM, +!:mime audio/basic +>12 belong 4 24-bit linear PCM, +!:mime audio/basic +>12 belong 5 32-bit linear PCM, +!:mime audio/basic +>12 belong 6 32-bit IEEE floating point, +!:mime audio/basic +>12 belong 7 64-bit IEEE floating point, +!:mime audio/basic +>12 belong 8 Fragmented sample data, +>12 belong 10 DSP program, +>12 belong 11 8-bit fixed point, +>12 belong 12 16-bit fixed point, +>12 belong 13 24-bit fixed point, +>12 belong 14 32-bit fixed point, +>12 belong 18 16-bit linear with emphasis, +>12 belong 19 16-bit linear compressed, +>12 belong 20 16-bit linear with emphasis and compression, +>12 belong 21 Music kit DSP commands, +>12 belong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), +!:mime audio/x-adpcm +>12 belong 24 compressed (8-bit CCITT G.722 ADPCM) +>12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), +>12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), +>12 belong 27 8-bit A-law (CCITT G.711), +>20 belong 1 mono, +>20 belong 2 stereo, +>20 belong 4 quad, +>16 belong >0 %d Hz + +# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format +# that uses little-endian encoding and has a different magic number +0 lelong 0x0064732E DEC audio data: +>12 lelong 1 8-bit ISDN mu-law, +!:mime audio/x-dec-basic +>12 lelong 2 8-bit linear PCM [REF-PCM], +!:mime audio/x-dec-basic +>12 lelong 3 16-bit linear PCM, +!:mime audio/x-dec-basic +>12 lelong 4 24-bit linear PCM, +!:mime audio/x-dec-basic +>12 lelong 5 32-bit linear PCM, +!:mime audio/x-dec-basic +>12 lelong 6 32-bit IEEE floating point, +!:mime audio/x-dec-basic +>12 lelong 7 64-bit IEEE floating point, +!:mime audio/x-dec-basic +>12 belong 8 Fragmented sample data, +>12 belong 10 DSP program, +>12 belong 11 8-bit fixed point, +>12 belong 12 16-bit fixed point, +>12 belong 13 24-bit fixed point, +>12 belong 14 32-bit fixed point, +>12 belong 18 16-bit linear with emphasis, +>12 belong 19 16-bit linear compressed, +>12 belong 20 16-bit linear with emphasis and compression, +>12 belong 21 Music kit DSP commands, +>12 lelong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), +!:mime audio/x-dec-basic +>12 belong 24 compressed (8-bit CCITT G.722 ADPCM) +>12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), +>12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), +>12 belong 27 8-bit A-law (CCITT G.711), +>20 lelong 1 mono, +>20 lelong 2 stereo, +>20 lelong 4 quad, +>16 lelong >0 %d Hz + +# Creative Labs AUDIO stuff +0 string MThd Standard MIDI data +!:mime audio/midi +>8 beshort x (format %d) +>10 beshort x using %d track +>10 beshort >1 \bs +>12 beshort&0x7fff x at 1/%d +>12 beshort&0x8000 >0 SMPTE + +0 string CTMF Creative Music (CMF) data +!:mime audio/x-unknown +0 string SBI SoundBlaster instrument data +!:mime audio/x-unknown +0 string Creative\ Voice\ File Creative Labs voice data +!:mime audio/x-unknown +# is this next line right? it came this way... +>19 byte 0x1A +>23 byte >0 - version %d +>22 byte >0 \b.%d + +# first entry is also the string "NTRK" +0 belong 0x4e54524b MultiTrack sound data +>4 belong x - version %d + +# Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED +# [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] +0 string EMOD Extended MOD sound data, +>4 byte&0xf0 x version %d +>4 byte&0x0f x \b.%d, +>45 byte x %d instruments +>83 byte 0 (module) +>83 byte 1 (song) + +# Real Audio (Magic .ra\0375) +0 belong 0x2e7261fd RealAudio sound file +!:mime audio/x-pn-realaudio +0 string .RMF\0\0\0 RealMedia file +!:mime application/vnd.rn-realmedia +#video/x-pn-realvideo +#video/vnd.rn-realvideo +#application/vnd.rn-realmedia +# sigh, there are many mimes for that but the above are the most common. + +# MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] +# Oct 31, 1995 +# fixed by <doj@cubic.org> 2003-06-24 +# Too short... +#0 string MTM MultiTracker Module sound file +#0 string if Composer 669 Module sound data +#0 string JN Composer 669 Module sound data (extended format) +0 string MAS_U ULT(imate) Module sound data + +#0 string FAR Module sound data +#>4 string >\15 Title: "%s" + +0x2c string SCRM ScreamTracker III Module sound data +>0 string >\0 Title: "%s" +!:mime audio/x-s3m + +# .stm before it got above .s3m extension +0x16 string \!Scream\! ScreamTracker Module sound data +>0 string >\0 Title: "%s" + +# Gravis UltraSound patches +# From <ache@nagual.ru> + +0 string GF1PATCH110\0ID#000002\0 GUS patch +0 string GF1PATCH100\0ID#000002\0 Old GUS patch + +# mime types according to http://www.geocities.com/nevilo/mod.htm: +# audio/it .it +# audio/x-zipped-it .itz +# audio/xm fasttracker modules +# audio/x-s3m screamtracker modules +# audio/s3m screamtracker modules +# audio/x-zipped-mod mdz +# audio/mod mod +# audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) + +# +# Taken from loader code from mikmod version 2.14 +# by Steve McIntyre (stevem@chiark.greenend.org.uk) +# <doj@cubic.org> added title printing on 2003-06-24 +0 string MAS_UTrack_V00 +>14 string >/0 ultratracker V1.%.1s module sound data +!:mime audio/x-mod +#audio/x-tracker-module + +0 string UN05 MikMod UNI format module sound data + +0 string Extended\ Module: Fasttracker II module sound data +!:mime audio/x-mod +#audio/x-tracker-module +>17 string >\0 Title: "%s" + +21 string/c =!SCREAM! Screamtracker 2 module sound data +!:mime audio/x-mod +#audio/x-screamtracker-module +21 string BMOD2STM Screamtracker 2 module sound data +!:mime audio/x-mod +#audio/x-screamtracker-module + +1080 string \!PM! 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + +1080 string M.K. 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + +1080 string M!K! 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + +1080 string FLT4 4-channel Startracker module sound data +!:mime audio/x-mod +#audio/x-startracker-module +>0 string >\0 Title: "%s" + +1080 string FLT8 8-channel Startracker module sound data +!:mime audio/x-mod +#audio/x-startracker-module +>0 string >\0 Title: "%s" + +1080 string 4CHN 4-channel Fasttracker module sound data +!:mime audio/x-mod +#audio/x-fasttracker-module +>0 string >\0 Title: "%s" + +1080 string 6CHN 6-channel Fasttracker module sound data +!:mime audio/x-mod +#audio/x-fasttracker-module +>0 string >\0 Title: "%s" + +1080 string 8CHN 8-channel Fasttracker module sound data +!:mime audio/x-mod +#audio/x-fasttracker-module +>0 string >\0 Title: "%s" + +1080 string CD81 8-channel Octalyser module sound data +!:mime audio/x-mod +#audio/x-octalysertracker-module +>0 string >\0 Title: "%s" + +1080 string OKTA 8-channel Octalyzer module sound data +!:mime audio/x-mod +#audio/x-octalysertracker-module +>0 string >\0 Title: "%s" + +# Not good enough. +#1082 string CH +#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data +1080 string 16CN 16-channel Taketracker module sound data +!:mime audio/x-mod +#audio/x-taketracker-module +>0 string >\0 Title: "%s" +1080 string 32CN 32-channel Taketracker module sound data +!:mime audio/x-mod +#audio/x-taketracker-module +>0 string >\0 Title: "%s" + +# TOC sound files -Trevor Johnson <trevor@jpj.net> +# +0 string TOC TOC sound file + +# sidfiles <pooka@iki.fi> +# added name,author,(c) and new RSID type by <doj@cubic.org> 2003-06-24 +0 string SIDPLAY\ INFOFILE Sidplay info file + +0 string PSID PlaySID v2.2+ (AMIGA) sidtune +>4 beshort >0 w/ header v%d, +>14 beshort =1 single song, +>14 beshort >1 %d songs, +>16 beshort >0 default song: %d +>0x16 string >\0 name: "%s" +>0x36 string >\0 author: "%s" +>0x56 string >\0 copyright: "%s" + +0 string RSID RSID sidtune PlaySID compatible +>4 beshort >0 w/ header v%d, +>14 beshort =1 single song, +>14 beshort >1 %d songs, +>16 beshort >0 default song: %d +>0x16 string >\0 name: "%s" +>0x36 string >\0 author: "%s" +>0x56 string >\0 copyright: "%s" + +# IRCAM sound files - Michael Pruett <michael@68k.org> +# http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html +0 belong 0x64a30100 IRCAM file (VAX little-endian) +0 belong 0x0001a364 IRCAM file (VAX big-endian) +0 belong 0x64a30200 IRCAM file (Sun big-endian) +0 belong 0x0002a364 IRCAM file (Sun little-endian) +0 belong 0x64a30300 IRCAM file (MIPS little-endian) +0 belong 0x0003a364 IRCAM file (MIPS big-endian) +0 belong 0x64a30400 IRCAM file (NeXT big-endian) +0 belong 0x64a30400 IRCAM file (NeXT big-endian) +0 belong 0x0004a364 IRCAM file (NeXT little-endian) + +# NIST SPHERE <mpruett@sgi.com> +0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file + +# Sample Vision <mpruett@sgi.com> +0 string SOUND\ SAMPLE\ DATA\ Sample Vision file + +# Audio Visual Research <tonigonenstein@users.sourceforge.net> +0 string 2BIT Audio Visual Research file, +>12 beshort =0 mono, +>12 beshort =-1 stereo, +>14 beshort x %d bits +>16 beshort =0 unsigned, +>16 beshort =-1 signed, +>22 belong&0x00ffffff x %d Hz, +>18 beshort =0 no loop, +>18 beshort =-1 loop, +>21 ubyte <128 note %d, +>22 byte =0 replay 5.485 KHz +>22 byte =1 replay 8.084 KHz +>22 byte =2 replay 10.971 KHz +>22 byte =3 replay 16.168 KHz +>22 byte =4 replay 21.942 KHz +>22 byte =5 replay 32.336 KHz +>22 byte =6 replay 43.885 KHz +>22 byte =7 replay 47.261 KHz + +# SGI SoundTrack <mpruett@sgi.com> +0 string _SGI_SoundTrack SGI SoundTrack project file +# ID3 version 2 tags <waschk@informatik.uni-rostock.de> +0 string ID3 Audio file with ID3 version 2 +>3 byte x \b.%d +>4 byte x \b.%d +>>5 byte &0x80 \b, unsynchronized frames +>>5 byte &0x40 \b, extended header +>>5 byte &0x20 \b, experimental +>>5 byte &0x10 \b, footer present +>(6.I+10) indirect x \b, contains: + +# NSF (NES sound file) magic +0 string NESM\x1a NES Sound File +>14 string >\0 ("%s" by +>46 string >\0 %s, copyright +>78 string >\0 %s), +>5 byte x version %d, +>6 byte x %d tracks, +>122 byte&0x2 =1 dual PAL/NTSC +>122 byte&0x1 =1 PAL +>122 byte&0x1 =0 NTSC + +# NSFE (Extended NES sound file) magic +# http://slickproductions.org/docs/NSF/nsfespec.txt +# From: David Pflug <david@pflug.email> +0 string NSFE Extended NES Sound File +>48 search/0x1000 auth +>>&0 string >\0 ("%s" +>>>&1 string >\0 by %s +>>>>&1 string >\0 \b, copyright %s +>>>>>&1 string >\0 \b, ripped by %s +>20 byte x \b), %d tracks, +>18 byte&0x2 =1 dual PAL/NTSC +>18 byte&0x2 =0 +>>18 byte&0x1 =1 PAL +>>18 byte&0x1 =0 NTSC + +# Type: SNES SPC700 sound files +# From: Josh Triplett <josh@freedesktop.org> +0 string SNES-SPC700\ Sound\ File\ Data\ v SNES SPC700 sound file +>&0 string 0.30 \b, version %s +>>0x23 byte 0x1B \b, without ID666 tag +>>0x23 byte 0x1A \b, with ID666 tag +>>>0x2E string >\0 \b, song "%.32s" +>>>0x4E string >\0 \b, game "%.32s" + +# Impulse tracker module (audio/x-it) +0 string IMPM Impulse Tracker module sound data - +!:mime audio/x-mod +>4 string >\0 "%s" +>40 leshort !0 compatible w/ITv%x +>42 leshort !0 created w/ITv%x + +# Imago Orpheus module (audio/x-imf) +60 string IM10 Imago Orpheus module sound data - +>0 string >\0 "%s" + +# From <collver1@attbi.com> +# These are the /etc/magic entries to decode modules, instruments, and +# samples in Impulse Tracker's native format. + +0 string IMPS Impulse Tracker Sample +>18 byte &2 16 bit +>18 byte ^2 8 bit +>18 byte &4 stereo +>18 byte ^4 mono +0 string IMPI Impulse Tracker Instrument +>28 leshort !0 ITv%x +>30 byte !0 %d samples + +# Yamaha TX Wave: file(1) magic for Yamaha TX Wave audio files +# From <collver1@attbi.com> +0 string LM8953 Yamaha TX Wave +>22 byte 0x49 looped +>22 byte 0xC9 non-looped +>23 byte 1 33kHz +>23 byte 2 50kHz +>23 byte 3 16kHz + +# scream tracker: file(1) magic for Scream Tracker sample files +# +# From <collver1@attbi.com> +76 string SCRS Scream Tracker Sample +>0 byte 1 sample +>0 byte 2 adlib melody +>0 byte >2 adlib drum +>31 byte &2 stereo +>31 byte ^2 mono +>31 byte &4 16bit little endian +>31 byte ^4 8bit +>30 byte 0 unpacked +>30 byte 1 packed + +# audio +# From: Cory Dikkers <cdikkers@swbell.net> +0 string MMD0 MED music file, version 0 +0 string MMD1 OctaMED Pro music file, version 1 +0 string MMD3 OctaMED Soundstudio music file, version 3 +0 string OctaMEDCmpr OctaMED Soundstudio compressed file +0 string MED MED_Song +0 string SymM Symphonie SymMOD music file +# +# Track Length (TRL), Tracks (TRK), Samples (SMP), Subsongs (SS) +# http://lclevy.free.fr/exotica/ahx/ahxformat.txt +0 string THX AHX version +>3 byte =0 1 module data +>3 byte =1 2 module data +>11 ubyte x TRK: %u +>10 ubyte x TRL: %u +>12 ubyte x SMP: %u +>13 ubyte x SS: %u +>(4.H) string x Title: "%.128s" + +# header is mostly AHX format +0 string HVL +>3 byte <2 Hively Tracker Song +>3 byte =0 v1 module data +>3 byte =1 v2 module data +>11 ubyte x TRK: %u +>10 ubyte x TRL: %u +>12 ubyte x SMP: %u +>13 ubyte x SS: %u +>8 ubyte/4 =0 CHN: 4 +>8 ubyte/4 >0 CHN: 4+%u +#>-0 offset <0xffff +>(4.H) string x Title: "%.128s" + +# +0 string OKTASONG Oktalyzer module data +# +0 string DIGI\ Booster\ module\0 %s +>20 byte >0 %c +>>21 byte >0 \b%c +>>>22 byte >0 \b%c +>>>>23 byte >0 \b%c +>610 string >\0 \b, "%s" +# +0 string DBM0 DIGI Booster Pro Module +>4 byte >0 V%X. +>>5 byte x \b%02X +>16 string >\0 \b, "%s" +# +0 string FTMN FaceTheMusic module +>16 string >\0d \b, "%s" + +# From: <doj@cubic.org> 2003-06-24 +0 string AMShdr\32 Velvet Studio AMS Module v2.2 +0 string Extreme Extreme Tracker AMS Module v1.3 +0 string DDMF Xtracker DMF Module +>4 byte x v%i +>0xD string >\0 Title: "%s" +>0x2B string >\0 Composer: "%s" +0 string DSM\32 Dynamic Studio Module DSM +0 string SONG DigiTrekker DTM Module +0 string DMDL DigiTrakker MDL Module +0 string PSM\32 Protracker Studio PSM Module +44 string PTMF Poly Tracker PTM Module +>0 string >\32 Title: "%s" +0 string MT20 MadTracker 2.0 Module MT2 +0 string RAD\40by\40REALiTY!! RAD Adlib Tracker Module RAD +0 string RTMM RTM Module +0x426 string MaDoKaN96 XMS Adlib Module +>0 string >\0 Composer: "%s" +0 string AMF AMF Module +>4 string >\0 Title: "%s" +0 string MODINFO1 Open Cubic Player Module Information MDZ +0 string Extended\40Instrument: Fast Tracker II Instrument + +# From: Takeshi Hamasaki <hma@syd.odn.ne.jp> +# NOA Nancy Codec file +0 string \210NOA\015\012\032 NOA Nancy Codec Movie file +# Yamaha SMAF format +0 string MMMD Yamaha SMAF file +# Sharp Jisaku Melody format for PDC +0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody +>20 string Ver01.00 Ver. 1.00 +>>32 byte x , %d tracks + +# Free lossless audio codec <http://flac.sourceforge.net> +# From: Przemyslaw Augustyniak <silvathraec@rpg.pl> +0 string fLaC FLAC audio bitstream data +!:mime audio/flac +>4 byte&0x7f >0 \b, unknown version +>4 byte&0x7f 0 \b +# some common bits/sample values +>>20 beshort&0x1f0 0x030 \b, 4 bit +>>20 beshort&0x1f0 0x050 \b, 6 bit +>>20 beshort&0x1f0 0x070 \b, 8 bit +>>20 beshort&0x1f0 0x0b0 \b, 12 bit +>>20 beshort&0x1f0 0x0f0 \b, 16 bit +>>20 beshort&0x1f0 0x170 \b, 24 bit +>>20 byte&0xe 0x0 \b, mono +>>20 byte&0xe 0x2 \b, stereo +>>20 byte&0xe 0x4 \b, 3 channels +>>20 byte&0xe 0x6 \b, 4 channels +>>20 byte&0xe 0x8 \b, 5 channels +>>20 byte&0xe 0xa \b, 6 channels +>>20 byte&0xe 0xc \b, 7 channels +>>20 byte&0xe 0xe \b, 8 channels +# sample rates derived from known oscillator frequencies; +# 24.576 MHz (video/fs=48kHz), 22.5792 (audio/fs=44.1kHz) and +# 16.384 (other/fs=32kHz). +>>17 belong&0xfffff0 0x02b110 \b, 11.025 kHz +>>17 belong&0xfffff0 0x03e800 \b, 16 kHz +>>17 belong&0xfffff0 0x056220 \b, 22.05 kHz +>>17 belong&0xfffff0 0x05dc00 \b, 24 kHz +>>17 belong&0xfffff0 0x07d000 \b, 32 kHz +>>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz +>>17 belong&0xfffff0 0x0bb800 \b, 48 kHz +>>17 belong&0xfffff0 0x0fa000 \b, 64 kHz +>>17 belong&0xfffff0 0x158880 \b, 88.2 kHz +>>17 belong&0xfffff0 0x177000 \b, 96 kHz +>>17 belong&0xfffff0 0x1f4000 \b, 128 kHz +>>17 belong&0xfffff0 0x2b1100 \b, 176.4 kHz +>>17 belong&0xfffff0 0x2ee000 \b, 192 kHz +>>17 belong&0xfffff0 0x3e8000 \b, 256 kHz +>>17 belong&0xfffff0 0x562200 \b, 352.8 kHz +>>17 belong&0xfffff0 0x5dc000 \b, 384 kHz +>>21 byte&0xf >0 \b, >4G samples +>>21 byte&0xf 0 \b +>>>22 belong >0 \b, %u samples +>>>22 belong 0 \b, length unknown + +# (ISDN) VBOX voice message file (Wolfram Kleff) +0 string VBOX VBOX voice message data + +# ReBorn Song Files (.rbs) +# David J. Singer <doc@deadvirgins.org.uk> +8 string RB40 RBS Song file +>29 string ReBorn created by ReBorn +>37 string Propellerhead created by ReBirth + +# Synthesizer Generator and Kimwitu share their file format +0 string A#S#C#S#S#L#V#3 Synthesizer Generator or Kimwitu data +# Kimwitu++ uses a slightly different magic +0 string A#S#C#S#S#L#HUB Kimwitu++ data + +# From "Simon Hosie +0 string TFMX-SONG TFMX module sound data + +# Monkey's Audio compressed audio format (.ape) +# From danny.milo@gmx.net (Danny Milosavljevic) +# New version from Abel Cheung <abel (@) oaka.org> +0 string MAC\040 Monkey's Audio compressed format +!:mime audio/x-ape +>4 uleshort >0x0F8B version %d +>>(0x08.l) uleshort =1000 with fast compression +>>(0x08.l) uleshort =2000 with normal compression +>>(0x08.l) uleshort =3000 with high compression +>>(0x08.l) uleshort =4000 with extra high compression +>>(0x08.l) uleshort =5000 with insane compression +>>(0x08.l+18) uleshort =1 \b, mono +>>(0x08.l+18) uleshort =2 \b, stereo +>>(0x08.l+20) ulelong x \b, sample rate %d +>4 uleshort <0x0F8C version %d +>>6 uleshort =1000 with fast compression +>>6 uleshort =2000 with normal compression +>>6 uleshort =3000 with high compression +>>6 uleshort =4000 with extra high compression +>>6 uleshort =5000 with insane compression +>>10 uleshort =1 \b, mono +>>10 uleshort =2 \b, stereo +>>12 ulelong x \b, sample rate %d + +# adlib sound files +# From: Alex Myczko <alex@aiei.ch> + +# https://github.com/rerrahkr/BambooTracker +0 string BambooTracker BambooTracker +>13 string Mod Module +>13 string Ist Instrument +>13 string Bnk Bank +>22 byte x \b, version %u +>21 byte x \b.%u +>20 byte x \b.%u + +0 string CC2x CheeseCutter 2 song + +0 string RAWADATA RdosPlay RAW + +1068 string RoR AMUSIC Adlib Tracker + +0 string JCH EdLib + +0 string mpu401tr MPU-401 Trakker + +0 string SAdT Surprise! Adlib Tracker +>4 byte x Version %d + +0 string XAD! eXotic ADlib + +0 string ofTAZ! eXtra Simple Music + +0 string FMK! FM Kingtracker Song + +0 string DFM DFM Song + +0 string \<CUD-FM-File\> CFF Song + +0 string _A2module A2M Song + +# Spectrum 128 tunes (.ay files). +# From: Emanuel Haupt <ehaupt@critical.ch> +0 string ZXAYEMUL Spectrum 128 tune + +0 string \0BONK BONK, +#>5 byte x version %d +>14 byte x %d channel(s), +>15 byte =1 lossless, +>15 byte =0 lossy, +>16 byte x mid-side + +384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones) + +# format VQF (proprietary codec for sound) +# some infos on the header file available at : +# http://www.twinvq.org/english/technology_format.html +0 string TWIN97012000 VQF data +>27 short 0 \b, Mono +>27 short 1 \b, Stereo +>31 short >0 \b, %d kbit/s +>35 short >0 \b, %d kHz + +# Nelson A. de Oliveira (naoliv@gmail.com) +# .eqf +0 string Winamp\ EQ\ library\ file %s +# it will match only versions like v<digit>.<digit> +# Since I saw only eqf files with version v1.1 I think that it's OK +>23 string x \b%.4s +# .preset +0 string [Equalizer\ preset] XMMS equalizer preset +# .m3u +0 search/1 #EXTM3U M3U playlist text +# .pls +0 search/1 [playlist] PLS playlist text +# licq.conf +1 string [licq] LICQ configuration file + +# Atari ST audio files by Dirk Jagdmann <doj@cubic.org> +# NOTE: Most SNDH music is packed using ICE, which has +# magic numbers "ICE!" and "Ice!". Some SNDH music is +# not packed, so we check for both packed and unpacked. +12 string SNDH SNDH Atari ST music +0 belong&0xFFDFDFFF 0x49434521 +>14 search/40 NDH SNDH Atari ST music +>14 search/40 TITL SNDH Atari ST music +0 string SC68\ Music-file\ /\ (c)\ (BeN)jami sc68 Atari ST music + +# musepak support From: "Jiri Pejchal" <jiri.pejchal@gmail.com> +0 string MP+ Musepack audio (MP+) +!:mime audio/x-musepack +>3 byte 255 \b, SV pre8 +>3 byte&0xF 0x6 \b, SV 6 +>3 byte&0xF 0x8 \b, SV 8 +>3 byte&0xF 0x7 \b, SV 7 +>>3 byte&0xF0 0x0 \b.0 +>>3 byte&0xF0 0x10 \b.1 +>>3 byte&0xF0 240 \b.15 +>>10 byte&0xF0 0x0 \b, no profile +>>10 byte&0xF0 0x10 \b, profile 'Unstable/Experimental' +>>10 byte&0xF0 0x50 \b, quality 0 +>>10 byte&0xF0 0x60 \b, quality 1 +>>10 byte&0xF0 0x70 \b, quality 2 (Telephone) +>>10 byte&0xF0 0x80 \b, quality 3 (Thumb) +>>10 byte&0xF0 0x90 \b, quality 4 (Radio) +>>10 byte&0xF0 0xA0 \b, quality 5 (Standard) +>>10 byte&0xF0 0xB0 \b, quality 6 (Xtreme) +>>10 byte&0xF0 0xC0 \b, quality 7 (Insane) +>>10 byte&0xF0 0xD0 \b, quality 8 (BrainDead) +>>10 byte&0xF0 0xE0 \b, quality 9 +>>10 byte&0xF0 0xF0 \b, quality 10 +>>27 byte 0x0 \b, Buschmann 1.7.0-9, Klemm 0.90-1.05 +>>27 byte 102 \b, Beta 1.02 +>>27 byte 104 \b, Beta 1.04 +>>27 byte 105 \b, Alpha 1.05 +>>27 byte 106 \b, Beta 1.06 +>>27 byte 110 \b, Release 1.1 +>>27 byte 111 \b, Alpha 1.11 +>>27 byte 112 \b, Beta 1.12 +>>27 byte 113 \b, Alpha 1.13 +>>27 byte 114 \b, Beta 1.14 +>>27 byte 115 \b, Alpha 1.15 + +0 string MPCK Musepack audio (MPCK) +!:mime audio/x-musepack + +# IMY +# from http://filext.com/detaillist.php?extdetail=IMY +# https://cellphones.about.com/od/cellularfaqs/f/rf_imelody.htm +# http://download.ncl.ie/doc/api/ie/ncl/media/music/IMelody.html +# http://www.wx800.com/msg/download/irda/iMelody.pdf +0 string BEGIN:IMELODY iMelody Ringtone Format + +# From: "Mateus Caruccio" <mateus@caruccio.com> +# guitar pro v3,4,5 from http://filext.com/file-extension/gp3 +0 string \030FICHIER\ GUITAR\ PRO\ v3. Guitar Pro Ver. 3 Tablature + +# From: "Leslie P. Polzer" <leslie.polzer@gmx.net> +60 string SONG SoundFX Module sound file + +# Type: Adaptive Multi-Rate Codec +# URL: http://filext.com/detaillist.php?extdetail=AMR +# From: Russell Coker <russell@coker.com.au> +0 string #!AMR Adaptive Multi-Rate Codec (GSM telephony) +!:mime audio/amr +!:ext amr + +# Type: SuperCollider 3 Synth Definition File Format +# From: Mario Lang <mlang@debian.org> +0 string SCgf SuperCollider3 Synth Definition file, +>4 belong x version %d + +# Type: True Audio Lossless Audio +# URL: https://wiki.multimedia.cx/index.php?title=True_Audio +# From: Mike Melanson <mike@multimedia.cx> +0 string TTA1 True Audio Lossless Audio + +# Type: WavPack Lossless Audio +# URL: https://wiki.multimedia.cx/index.php?title=WavPack +# From: Mike Melanson <mike@multimedia.cx> +0 string wvpk WavPack Lossless Audio + +# From Fabio R. Schmidlin <frs@pop.com.br> +# VGM music file +0 string Vgm\040 +>9 ubyte >0 VGM Video Game Music dump v +!:mime audio/x-vgm +!:ext vgm +>>9 ubyte/16 >0 \b%d +>>9 ubyte&0x0F x \b%d +>>8 ubyte/16 x \b.%d +>>8 ubyte&0x0F >0 \b%d +#Get soundchips +>>8 ubyte x \b, soundchip(s)= +>>0x0C ulelong >0 SN76489 (PSG), +>>0x10 ulelong >0 YM2413 (OPLL), +>>0x2C ulelong >0 YM2612 (OPN2), +>>0x30 ulelong >0 YM2151 (OPM), +>>0x38 ulelong >0 Sega PCM, +>>0x34 ulelong >0xC +>>>0x40 ulelong >0 RF5C68 (PCM), +>>0x34 ulelong >0x10 +>>>0x44 ulelong >0 YM2203 (OPN), +>>0x34 ulelong >0x14 +>>>0x48 ulelong >0 YM2608 (OPNA), +>>0x34 ulelong >0x18 +>>>0x4C lelong >0 YM2610 (OPNB), +>>>0x4C lelong <0 YM2610B (OPNB+2FM), +>>0x34 ulelong >0x1C +>>>0x50 ulelong >0 YM3812 (OPL2), +>>0x34 ulelong >0x20 +>>>0x54 ulelong >0 YM3526 (OPL), +>>0x34 ulelong >0x24 +>>>0x58 ulelong >0 Y8950 (MSX-Audio), +>>0x34 ulelong >0x28 +>>>0x5C ulelong >0 YMF262 (OPL3), +>>0x34 ulelong >0x2C +>>>0x60 ulelong >0 YMF278B (OPL4), +>>0x34 ulelong >0x30 +>>>0x64 ulelong >0 YMF271 (OPX), +>>0x34 ulelong >0x34 +>>>0x68 ulelong >0 YMZ280B (PCMD8), +>>0x34 ulelong >0x38 +>>>0x6C ulelong >0 RF5C164 (PCM), +>>0x34 ulelong >0x3C +>>>0x70 ulelong >0 PWM, +>>0x34 ulelong >0x40 +>>>0x74 ulelong >0 +>>>>0x78 ubyte 0x00 AY-3-8910, +>>>>0x78 ubyte 0x01 AY-3-8912, +>>>>0x78 ubyte 0x02 AY-3-8913, +>>>>0x78 ubyte 0x03 AY-3-8930, +>>>>0x78 ubyte 0x10 YM2149, +>>>>0x78 ubyte 0x11 YM3439, +>>>>0x78 ubyte 0x12 YMZ284, +>>>>0x78 ubyte 0x13 YMZ294, +# VGM 1.61 +>>0x34 ulelong >0x4C +>>>0x80 ulelong >0 DMG, +>>0x34 ulelong >0x50 +>>>0x84 lelong >0 NES APU, +>>>0x84 lelong <0 NES APU with FDS, +>>0x34 ulelong >0x54 +>>>0x88 ulelong >0 MultiPCM, +>>0x34 ulelong >0x58 +>>>0x8C ulelong >0 uPD7759 (ADPCM Speech), +>>0x34 ulelong >0x5C +>>>0x90 ulelong >0 OKIM6258 (ADPCM Speech), +>>0x34 ulelong >0x64 +>>>0x98 ulelong >0 OKIM6295 (ADPCM), +>>0x34 ulelong >0x68 +>>>0x9C ulelong >0 K051649, +>>0x34 ulelong >0x6C +>>>0xA0 ulelong >0 K054539, +>>0x34 ulelong >0x70 +>>>0xA4 ulelong >0 HuC6280, +>>0x34 ulelong >0x74 +>>>0xA8 ulelong >0 C140, +>>0x34 ulelong >0x78 +>>>0xAC ulelong >0 K053260, +>>0x34 ulelong >0x7C +>>>0xB0 ulelong >0 Pokey, +>>0x34 ulelong >0x80 +>>>0xB4 ulelong >0 QSound, +# VGM 1.71 +>>0x34 ulelong >0x84 +>>>0xB8 ulelong >0 SCSP, +>>0x34 ulelong >0x8C +>>>0xC0 ulelong >0 WonderSwan, +>>0x34 ulelong >0x90 +>>>0xC4 ulelong >0 VSU, +>>0x34 ulelong >0x94 +>>>0xC8 ulelong >0 SAA1099, +>>0x34 ulelong >0x98 +>>>0xCC ulelong >0 ES5503 (DOC), +>>0x34 ulelong >0x9C +>>>0xD0 lelong >0 ES5505 (OTIS), +>>>0xD0 lelong <0 ES5506 (OTTO), +>>0x34 ulelong >0xA4 +>>>0xD8 ulelong >0 X1-010, +>>0x34 ulelong >0xA8 +>>>0xDC ulelong >0 C352, +>>0x34 ulelong >0xAC +>>>0xE0 ulelong >0 GA20, + +# GVOX Encore file format +# Since this is a proprietary file format and there is no publicly available +# format specification, this is just based on induction +# +0 string SCOW +>4 byte 0xc4 GVOX Encore music, version 5.0 or above +>4 byte 0xc2 GVOX Encore music, version < 5.0 + +0 string ZBOT +>4 byte 0xc5 GVOX Encore music, version < 5.0 + +# Summary: Garmin Voice Processing Module (WAVE audios) +# From: Joerg Jenderek +# URL: https://www.garmin.com/ +# Reference: http://www.poi-factory.com/node/19580 +# NOTE: there exist 2 other Garmin VPM formats +0 string AUDIMG +# skip text files starting with string "AUDIMG" +>13 ubyte <13 Garmin Voice Processing Module +!:mime audio/x-vpm-wav-garmin +!:ext vpm +# 3 bytes indicating the voice version (200,220) +>>6 string x \b, version %3.3s +# day of release (01-31) +>>12 ubyte x \b, %.2d +# month of release (01-12) +>>13 ubyte x \b.%.2d +# year of release (like 2006, 2007, 2008) +>>14 uleshort x \b.%.4d +# hour of release (0-23) +>>11 ubyte x %.2d +# minute of release (0-59) +>>10 ubyte x \b:%.2d +# second of release (0-59) +>>9 ubyte x \b:%.2d +# if you select a language like german on your garmin device +# you can only select voice modules with corresponding language byte ID like 1 +>>18 ubyte x \b, language ID %d +# structure for phrases/sentences? +# number of voice sample in the 1st phrase? +#>>19 uleshort x \b, %#x samples +#>>>21 uleshort >0 \b, at %#4.4x +#>>>(21.s) ubequad x %#llx +# 2nd phrase? +#>>23 uleshort x \b, %#x samples +#>>>25 uleshort >0 \b, at %#4.4x +#>>>(25.s) ubequad x %#llx +# pointer to 1st audio WAV sample +>>16 uleshort >0 +>>>(16.s) ulelong >0 \b, at %#x +# WAV length +# 1 space char after "bytes" to get phrase "bytes RIFF" +>>>>(16.s+4) ulelong >0 %u bytes +# look for magic +>>>>>(&-8.l) string RIFF +# determine type by ./riff +>>>>>>&-4 indirect x +# 2 - ~ 131 WAV samples following same way +# +# Summary: encrypted Garmin Voice Processing Module +# From: Joerg Jenderek +# URL: https://www.garmin.com/us/products/ontheroad/voicestudio +# NOTE: Encrypted variant used in voices like DrNightmare, Elfred, Yeti. +# There exist 2 other Garmin VPM formats +0 ubequad 0xa141190fecc8ced6 Garmin Voice Processing Module (encrypted) +!:mime audio/x-vpm-garmin +!:ext vpm + +# From Martin Mueller Skarbiniks Pedersen +0 string GDM +>0x3 byte 0xFE General Digital Music. +>0x4 string >\0 title: "%s" +>0x24 string >\0 musician: "%s" +>>0x44 beshort 0x0D0A +>>>0x46 byte 0x1A +>>>>0x47 string GMFS Version +>>>>0x4B byte x %d. +>>>>0x4C byte x \b%02d +>>>>0x4D beshort 0x000 (2GDM v +>>>>0x4F byte x \b%d. +>>>>>0x50 byte x \b%d) + +0 string MTM Multitracker +>0x3 byte/16 x Version %d. +>0x3 byte&0x0F x \b%02d +>>0x4 string >\0 title: "%s" + +0 string MO3 +>3 ubyte <6 MOdule with MP3 +>>3 byte 0 Version 0 (With MP3 and lossless) +>>3 byte 1 Version 1 (With ogg and lossless) +>>3 byte 3 Version 2.2 +>>3 byte 4 (With no LAME header) +>>3 byte 5 Version 2.4 + +0 string ADRVPACK AProSys module + +# ftp://ftp.modland.com/pub/documents/format_documentation/\ +# Art%20Of%20Noise%20(.aon).txt +0 string AON +>4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" +>0x2e string NAME Art of Noise Tracker Song +>3 string <9 +>3 string 4 (4 voices) +>3 string 8 (8 voices) +>>0x36 string >\0 Title: "%s" + +0 string FAR +>0x2c byte 0x0d +>0x2d byte 0x0a +>0x2e byte 0x1a +>>0x3 byte 0xFE Farandole Tracker Song +>>>0x31 byte/16 x Version %d. +>>>0x31 byte&0x0F x \b%02d +>>>>0x4 string >\0 \b, title: "%s" + +# magic for Klystrack, https://kometbomb.github.io/klystrack/ +# from Alex Myczko <alex@aiei.ch> +0 string cyd!song Klystrack song +>8 byte >0 \b, version %u +>8 byte >26 +#>>9 byte x \b, channels %u +#>>10 leshort x \b, time signature %u +#>>12 leshort x \b, sequence step %u +#>>14 byte x \b, instruments %u +#>>15 leshort x \b, patterns %u +#>>17 leshort x \b, sequences %u +#>>19 leshort x \b, length %u +#>>21 leshort x \b, loop point %u +#>>23 byte x \b, master volume %u +#>>24 byte x \b, song speed %u +#>>25 byte x \b, song speed2 %u +#>>26 byte x \b, song rate %u +#>>27 belong x \b, flags %#x +#>>31 byte x \b, multiplex period %u +#>>32 byte x \b, pitch inaccuracy %u +>>149 pstring x \b, title %s + +0 string cyd!inst Klystrack instrument + +# magic for WOPL instrument files, https://github.com/Wohlstand/OPL3BankEditor +# see Specifications/WOPL-and-OPLI-Specification.txt + +0 string WOPL3-INST\0 WOPL instrument +>11 leshort x \b, version %u +0 string WOPL3-BANK\0 WOPL instrument bank +>11 leshort x \b, version %u + +# AdLib/OPL instrument files. Format specifications on +# http://www.shikadi.net/moddingwiki +0 string Junglevision\ Patch\ File Junglevision instrument data +0 string #OPL_II# DMX OP2 instrument data +0 string IBK\x1a IBK instrument data +0 string 2OP\x1a IBK instrument data, 2 operators +0 string 4OP\x1a IBK instrument data, 4 operators +2 string ADLIB- AdLib instrument data +>0 byte x \b, version %u +>1 byte x \b.%u + +# CRI ADX ADPCM audio +# Used by various Sega games. +# https://en.wikipedia.org/wiki/ADX_(file_format) +# https://wiki.multimedia.cx/index.php/CRI_ADX_file +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0x00 beshort 0x8000 +>(2.S-2) string (c)CRI CRI ADX ADPCM audio +!:ext adx +!:mime audio/x-adx +!:strength +50 +>>0x12 byte x v%u +>>0x04 byte 0x02 \b, pre-set prediction coefficients +>>0x04 byte 0x03 \b, standard ADX +>>0x04 byte 0x04 \b, exponential scale +>>0x04 byte 0x10 \b, AHX (Dreamcast) +>>0x04 byte 0x11 \b, AHX +>>0x08 belong x \b, %u Hz +>>0x12 byte 0x03 +>>>0x02 beshort >0x2B +>>>>0x18 belong !0 \b, looping +>>0x12 byte 0x04 +>>>0x02 beshort >0x37 +>>>>0x24 belong !0 \b, looping +>>0x13 byte&0x08 0x08 \b, encrypted + +# Lossless audio (.la) (http://www.lossless-audio.com/) +0 string LA +>2 string 03 Lossless audio version 0.3 +>2 string 04 Lossless audio version 0.4 + +# Sony PlayStation Audio (.xa) +0 leshort 0x4158 Sony PlayStation Audio + +# Portable Sound Format +# Used for audio rips for various consoles. +# http://fileformats.archiveteam.org/wiki/Portable_Sound_Format +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0 string PSF +>3 byte 0x01 +>3 byte 0x02 +>3 byte 0x11 +>3 byte 0x12 +>3 byte 0x13 +>3 byte 0x21 +>3 byte 0x22 +>3 byte 0x23 +>3 byte 0x41 +>>0 string PSF Portable Sound Format +!:mime audio/x-psf +>>>3 byte 0x01 (Sony PlayStation) +>>>3 byte 0x02 (Sony PlayStation 2) +>>>3 byte 0x11 (Sega Saturn) +>>>3 byte 0x12 (Sega Dreamcast) +>>>3 byte 0x13 (Sega Mega Drive) +>>>3 byte 0x21 (Nintendo 64) +>>>3 byte 0x22 (Game Boy Advance) +>>>3 byte 0x23 (Super NES) +>>>3 byte 0x41 (Capcom QSound) + +# Atari 8-bit SAP audio format +# http://asap.sourceforge.net/sap-format.html +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0 string SAP\r\n Atari 8-bit SAP audio file +!:mime audio/x-sap +!:ext sap +>5 search/1024 NAME +>>&1 string x \b: %s +>>5 search/1024 AUTHOR +>>>&1 string x by %s + +# Nintendo Wii BRSTM audio format (fields) +# NOTE: Assuming HEAD starts at 0x40. +# FIXME: Replace 0x48 with HEAD offset plus 8. +0 name nintendo-wii-brstm-fields +>(0x10.L) string HEAD \b: +>>(0x10.L+0x0C) belong x +>>>(&-4.L+0x48) belong x +>>>>&-4 byte 0 PCM, signed 8-bit, +>>>>&-4 byte 1 PCM, signed 16-bit, +>>>>&-4 byte 2 THP ADPCM, +>>>>&-3 byte !0 looping, +>>>>&-2 byte 1 mono +>>>>&-2 byte 2 stereo +>>>>&-2 byte 3 3 channels +>>>>&-2 byte 4 quad +>>>>&-2 byte >4 %u channels +>>>>&0 beshort !0 %u Hz + +# Nintendo Wii BRSTM audio format +# https://wiibrew.org/wiki/BRSTM_file +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0 string RSTM Nintendo Wii BRSTM audio file +!:mime audio/x-brstm +!:ext brstm +# Wii is big-endian, so default to BE. +>4 beshort 0xFEFF +>>0 use nintendo-wii-brstm-fields +>4 leshort 0xFEFF +>>0 use \^nintendo-wii-brstm-fields + +# Nintendo 3DS BCSTM audio format (fields) +0 name nintendo-3ds-bcstm-fields +>(0x18.l) string INFO \b: +# INFO block: Stream information starts at 0x20 (minus 4 for the 'INFO' magic) +>>&0x1C byte 0 PCM, signed 8-bit, +>>&0x1C byte 1 PCM, signed 16-bit, +>>&0x1C byte 2 DSP ADPCM, +>>&0x1C byte 3 IMA ADPCM, +>>&0x1D byte !0 looping, +>>&0x1E byte 1 mono +>>&0x1E byte 2 stereo +>>&0x1E byte 3 3 channels +>>&0x1E byte 4 quad +>>&0x1E byte >4 %u channels +>>&0x20 lelong !0 %u Hz + +# Nintendo 3DS BCSTM audio format +# https://www.3dbrew.org/wiki/BCSTM +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0 string CSTM Nintendo 3DS BCSTM audio file +!:mime audio/x-bcstm +!:ext bcstm +# 3DS is little-endian, so default to LE. +>4 leshort 0xFEFF +>>0 use nintendo-3ds-bcstm-fields +>4 beshort 0xFEFF +>>0 use \^nintendo-3ds-bcstm-fields + +# Nintendo Wii U BFSTM audio format +# http://mk8.tockdom.com/wiki/BFSTM_(File_Format) +# NOTE: This format is very similar to BCSTM. +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0 string FSTM Nintendo Wii U BFSTM audio file +!:mime audio/x-bfstm +!:ext bfstm +# BFSTM is used on both Wii U (BE) and Switch (LE), +# so default to LE. +>4 leshort 0xFEFF +>>0 use nintendo-3ds-bcstm-fields +>4 beshort 0xFEFF +>>0 use \^nintendo-3ds-bcstm-fields + +# Nintendo 3DS BCSTM audio format (fields) +0 name nintendo-3ds-bcwav-fields +>(0x18.l) string INFO \b: +# INFO block (minus 4 for INFO magic) +>>&0x4 byte 0 PCM, signed 8-bit, +>>&0x4 byte 1 PCM, signed 16-bit, +>>&0x4 byte 2 DSP ADPCM, +>>&0x4 byte 3 IMA ADPCM, +>>&0x5 byte !0 looping, +>>&0x8 lelong x stereo +>>&0x8 lelong !0 %u Hz + +# Nintendo 3DS BCWAV audio format +# https://www.3dbrew.org/wiki/BCWAV +# Added by David Korth <gerbilsoft@gerbilsoft.com> +0 string CWAV Nintendo 3DS BCWAV audio file +!:mime audio/x-bcwav +!:ext bcwav +# 3DS is little-endian, so default to LE. +>4 leshort 0xFEFF +>>0 use nintendo-3ds-bcwav-fields +>4 beshort 0xFEFF +>>0 use \^nintendo-3ds-bcwav-fields + +# Philips DSDIFF audio format (Direct Stream Digital Interchange File Format) +# Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations +# https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf +# From: Toni Ruottu <toni.ruottu@iki.fi> +0 string FRM8 +12 string DSD\x20 DSDIFF audio bitstream data +!:mime audio/x-dff +!:ext dff + +# format version chunk +>&0 string FVER +# version 1 +>>&8 byte 1 + +# v1 / sampling resolution ( 1 bit PDM only ) +>>>&0 string x \b, 1 bit + +# v1 / sound property chunk +>>>&0 search/0xff PROP +>>>>&8 string SND + +# v1 / sound property chunk / channel configuration chunk +>>>>>&0 search/0xff CHNL +>>>>>>&8 ubeshort 1 \b, mono +>>>>>>&8 ubeshort 2 +>>>>>>>&0 string SLFTSRGT \b, stereo +>>>>>>>&0 default x \b, 2 channels +>>>>>>&8 ubeshort 3 +>>>>>>>&0 string SLFTSRGTLFE\x20 \b, 2.1 stereo +>>>>>>>&0 string SLFTSRGTC\x20\x20\x20 \b, 3.0 stereo +>>>>>>>&0 default x \b, 3 channels +>>>>>>&8 ubeshort 4 +>>>>>>>&0 string MLFTMRGTLS\x20\x20RS\x20\x20 \b, 4.0 surround +>>>>>>>&0 string SLFTSRGTC\x20\x20\x20LFE\x20 \b, 3.1 stereo +>>>>>>>&0 default x \b, 4 channels +>>>>>>&8 ubeshort 5 +>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LS\x20\x20RS\x20\x20 \b, 5.0 surround +>>>>>>>&0 string MLFTMRGTLFE\x20LS\x20\x20RS\x20\x20 \b, 4.1 surround +>>>>>>>&0 default x \b, 5 channels +>>>>>>&8 ubeshort 6 +>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LFE\x20LS\x20\x20RS\x20\x20 \b, 5.1 surround +>>>>>>>&0 default x \b, 6 channels +>>>>>>&8 ubeshort >6 \b, %u channels + +# v1 / sound property chunk / sample rate chunk +>>>>>&0 search/0xff FS\x20\x20 +>>>>>>&0 string x \b, +>>>>>>&8 ubelong%44100 0 +>>>>>>>&-4 ubelong/44100 x "DSD %u" +>>>>>>>&-4 ubelong x %u Hz + +# v1 / sound property chunk / compression type chunk +>>>>>&0 search/0xff CMPR +>>>>>>&8 string DSD\x20 \b, no compression +>>>>>>&8 string DST\x20 \b, DST compression +>>>>>>&8 default x \b, unknown compression + +# v1 / quest for metadata +>>>&0 string x + +# v1 / quest for metadata / edited master information chunk +>>>>&0 search DIIN +>>>>>&0 ubequad >0 \b, "edited master" metadata + +# v1 / quest for metadata / ID3 chunk ( defacto standard ) +>>>>&0 search ID3\x20 +>>>>>&8 string ID3 \b, ID3 version 2 +>>>>>&0 byte x \b.%u +>>>>>&1 byte x \b.%u + +# v1 / quest for metadata / failure ( possibly due to -P bytes=... being too low ) +>>>>&0 default x \b, ID3 missing (or unreachable) + +# version > 1 or 0 +>>&0 default x \b, unknown version + +# Sony DSF audio format (Direct Stream Digital Stream File) +# Used for lossless digital storage of songs produced as DSD audio +# Portable analog of a track stored on a Super Audio CD (SACD) +# https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf +# From: Toni Ruottu <toni.ruottu@iki.fi> +0 string DSD\x20 DSF audio bitstream data +!:mime audio/x-dsf +!:ext dsf + +# format chunk +>28 string fmt\x20 +# version 1 +>>&8 ulelong 1 + +# v1 / sampling resolution ( 1 bit PDM only ) +# NOTE: the spec incorrectly uses "bits per sample" instead of "bits per byte" +>>>&0 string x \b, 1 bit + +# v1 / channel configuration +>>>>&4 ulelong 1 \b, mono +>>>>&4 ulelong 2 \b, stereo +>>>>&4 ulelong 3 \b, 3.0 stereo +>>>>&4 ulelong 4 \b, 4.0 surround +>>>>&4 ulelong 5 \b, 3.1 stereo +>>>>&4 ulelong 6 \b, 5.0 surround +>>>>&4 ulelong 7 \b, 5.1 surround +>>>>&0 default x +>>>>>&4 ulelong x \b, %u channels + +# v1 / sample rate chunk +>>>>&0 string x \b, +>>>>&12 ulelong%44100 0 +>>>>>&-4 ulelong/44100 x "DSD %u" +>>>>&12 ulelong x %u Hz + +# v1 / compression +>>>>&0 string x +>>>>>&0 ulelong 0 \b, no compression +>>>>>&0 default x \b, unknown compression + +# v1 / embedded ID3v2 metadata +>>>0 string x \b, ID3 +>>>>20 ulequad !0 +>>>>>(20.q) string ID3 version 2 +>>>>>>&0 byte x \b.%u +>>>>>>&1 byte x \b.%u +# unable to verify ID3 ( possibly due to -P bytes=... being too low ) +>>>>>&0 default x unreachable +>>>>&0 default x missing + +# version > 1 or 0 +>>&0 default x \b, unknown version diff --git a/magic/Magdir/avm b/magic/Magdir/avm new file mode 100644 index 0000000..86e96d1 --- /dev/null +++ b/magic/Magdir/avm @@ -0,0 +1,33 @@ + +#------------------------------------------------------------------------------ +# $File: avm,v 1.1 2020/08/28 20:37:58 christos Exp $ +# avm: file(1) magic for avm files; this is not use + +# Summary: FRITZ!Box router configuration backup +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Fritz!Box +# Reference: http://www.mengelke.de/Projekte/FritzBoxTools2 +# Note: only tested with models 4040 and 6490 Cable (lgi) +0 string ****\ FRITZ!Box\ FRITZ!Box configuration backup +#!:mime text/plain +!:mime application/x-avm-export +!:ext export +# router model name like "4040" , "6490 Cable (lgi)" followed by " CONFIGURATION EXPORT" +>15 string x of %-.4s +# on 2nd line hashed password +#>41 search/54 Password= \b, password +# on 3rd line firmware version like: 141.06.24 141.06.50 141.07.10 ... 155.06.83 +>41 search/172 FirmwareVersion= \b, firmware version +>>&0 string x %s +# on 5th line oem like: avme lgi +>41 search/285 OEM= \b, oem +>>&0 string x %s +# on 7th line language like: de en +>41 search/305 Language= \b, language +>>&0 string x %s +# on 10th line cfg file name like: /var/tmp.cfg +>41 search/349 tmp.cfg +# on 11th line date inside c-comment like: Thu Jun 4 22:25:19 2015 +>>&4 string x \b, %s +# + diff --git a/magic/Magdir/basis b/magic/Magdir/basis new file mode 100644 index 0000000..19dd463 --- /dev/null +++ b/magic/Magdir/basis @@ -0,0 +1,18 @@ + +#---------------------------------------------------------------- +# $File: basis,v 1.5 2019/04/19 00:42:27 christos Exp $ +# basis: file(1) magic for BBx/Pro5-files +# Oliver Dammer <dammer@olida.de> 2005/11/07 +# https://www.basis.com business-basic-files. +# +0 string \074\074bbx\076\076 BBx +>7 string \000 indexed file +>7 string \001 serial file +>7 string \002 keyed file +>>13 short 0 (sort) +>7 string \004 program +>>18 byte x (LEVEL %d) +>>>23 string >\000 psaved +>7 string \006 mkeyed file +>>13 short 0 (sort) +>>8 string \000 (mkey) diff --git a/magic/Magdir/beetle b/magic/Magdir/beetle new file mode 100644 index 0000000..94a835c --- /dev/null +++ b/magic/Magdir/beetle @@ -0,0 +1,7 @@ +#------------------------------------------------------------------------------ +# $File: beetle,v 1.2 2018/02/05 23:42:17 rrt Exp $ +# beetle: file(1) magic for Beetle VM object files +# https://github.com/rrthomas/beetle/ + +# Beetle object module +0 string BEETLE\000 Beetle VM object file diff --git a/magic/Magdir/ber b/magic/Magdir/ber new file mode 100644 index 0000000..15288c6 --- /dev/null +++ b/magic/Magdir/ber @@ -0,0 +1,65 @@ + +#------------------------------------------------------------------------------ +# $File: ber,v 1.2 2019/04/19 00:42:27 christos Exp $ +# ber: file(1) magic for several BER formats used in the mobile +# telecommunications industry (Georg Sauthoff) + +# The file formats are standardized by the GSMA (GSM association). +# They are specified via ASN.1 schemas and some prose. Basic encoding +# rules (BER) is the used encoding. The formats are used for exchanging +# call data records (CDRs) between mobile operators and associated +# parties for roaming clearing purposes and fraud detection. + +# The magic file covers: + +# - TAP files (TD.57) - CDR batches and notifications +# - RAP files (TD.32) - return batches and acknowledgements +# - NRT files (TD.35) - CDR batches for 'near real time' processing + +# +# TAP 3 Files +# TAP -> Transferred Account Procedure +# cf. https://www.gsma.com/newsroom/wp-content/uploads/TD.57-v32.31.pdf +# TransferBatch short tag +0 byte 0x61 +# BatchControlInfo short tag +>&1 search/b5 \x64 +# Sender long tag #TAP 3.x (BER encoded) +>>&1 search/b8 \x5f\x81\x44 +# <SpecificationVersionNumber>3</><ReleaseVersionNumber> block +>>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 +>>>>&0 byte x TAP 3.%d Batch (TD.57, Transferred Account) + +# Notification short tag +0 byte 0x62 +# Sender long tag +>2 search/b8 \x5f\x81\x44 +# <SpecificationVersionNumber>3</><ReleaseVersionNumber> block +>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 +>>>&0 byte x TAP 3.%d Notification (TD.57, Transferred Account) + + +# NRT Files +# NRT a.k.a. NRTRDE +0 byte 0x61 +# <SpecificationVersionNumber>2</><ReleaseVersionNumber> block +>&1 search/b8 \x5f\x29\x01\x02\x5f\x25\x01 +>>&0 byte x NRT 2.%d (TD.35, Near Real Time Roaming Data Exchange) + +# RAP Files +# cf. https://www.gsma.com/newsroom/wp-content/uploads/TD.32-v6.11.pdf +# Long ReturnBatch tag +0 string \x7f\x84\x16 +# Long RapBatchControlInfo tag +>&1 search/b8 \x7f\x84\x19 +# <SpecificationVersionNumber>3</><ReleaseVersionNumber> block +>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 +# <RapSpecificationVersionNumber>1</><RapReleaseVersionNumber> block +>>>&1 string/b \x5f\x84\x20\x01\x01\x5f\x84\x1f\x01 +>>>>&0 byte x RAP 1.%d Batch (TD.32, Returned Account Procedure), +>>>&0 byte x TAP 3.%d + +# Long Acknowledgement tag +0 string \x7f\x84\x17 +# Long Sender tag +>&1 search/b5 \x5f\x81\x44 RAP Acknowledgement (TD.32, Returned Account Procedure) diff --git a/magic/Magdir/bflt b/magic/Magdir/bflt new file mode 100644 index 0000000..c46b4db --- /dev/null +++ b/magic/Magdir/bflt @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: bflt,v 1.5 2014/04/30 21:41:02 christos Exp $ +# bFLT: file(1) magic for BFLT uclinux binary files +# +# From Philippe De Muyter <phdm@macqel.be> +# +0 string bFLT BFLT executable +>4 belong x - version %d +>4 belong 4 +>>36 belong&0x1 0x1 ram +>>36 belong&0x2 0x2 gotpic +>>36 belong&0x4 0x4 gzip +>>36 belong&0x8 0x8 gzdata diff --git a/magic/Magdir/bhl b/magic/Magdir/bhl new file mode 100644 index 0000000..6f57f03 --- /dev/null +++ b/magic/Magdir/bhl @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: bhl,v 1.1 2017/06/11 22:20:02 christos Exp $ +# BlockHashLoc +# ext: bhl +# Marco Pontello marcopon@gmail.com +# reference: https://github.com/MarcoPon/BlockHashLoc +0 string BlockHashLoc\x1a BlockHashLoc recovery info, +>13 byte x version %d +!:ext bhl diff --git a/magic/Magdir/bioinformatics b/magic/Magdir/bioinformatics new file mode 100644 index 0000000..2966fa6 --- /dev/null +++ b/magic/Magdir/bioinformatics @@ -0,0 +1,178 @@ + +#------------------------------------------------------------------------------ +# $File: bioinformatics,v 1.5 2019/04/19 00:42:27 christos Exp $ +# bioinfomatics: file(1) magic for Bioinfomatics file formats + +############################################################################### +# BGZF (Blocked GNU Zip Format) - gzip compatible, but also indexable +# used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml) +############################################################################### +0 string \037\213 +>3 byte &0x04 +>>12 string BC +>>>14 leshort &0x02 Blocked GNU Zip Format (BGZF; gzip compatible) +>>>>16 leshort x \b, block length %d +!:mime application/x-gzip + + +############################################################################### +# Tabix index file +# used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml) +############################################################################### +0 string TBI\1 SAMtools TBI (Tabix index format) +>0x04 lelong =1 \b, with %d reference sequence +>0x04 lelong >1 \b, with %d reference sequences +>0x08 lelong &0x10000 \b, using half-closed-half-open coordinates (BED style) +>0x08 lelong ^0x10000 +>>0x08 lelong =0 \b, using closed and one based coordinates (GFF style) +>>0x08 lelong =1 \b, using SAM format +>>0x08 lelong =2 \b, using VCF format +>0x0c lelong x \b, sequence name column: %d +>0x10 lelong x \b, region start column: %d +>0x08 lelong =0 +>>0x14 lelong x \b, region end column: %d +>0x18 byte x \b, comment character: %c +>0x1c lelong x \b, skip line count: %d + + +############################################################################### +# BAM (Binary Sequence Alignment/Map format) +# used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) +# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it +############################################################################### +0 string BAM\1 SAMtools BAM (Binary Sequence Alignment/Map) +>0x04 lelong >0 +>>&0x00 regex =^[@]HD\t.*VN: \b, with SAM header +>>>&0 regex =[0-9.]+ \b version %s +>>&(0x04) lelong >0 \b, with %d reference sequences + + +############################################################################### +# BAI (BAM indexing format) +# used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) +############################################################################### +0 string BAI\1 SAMtools BAI (BAM indexing format) +>0x04 lelong >0 \b, with %d reference sequences + + +############################################################################### +# CRAM (Binary Sequence Alignment/Map format) +############################################################################### +0 string CRAM CRAM +>0x04 byte >-1 version %d. +>0x05 byte >-1 \b%d +>0x06 string >\0 (identified as %s) + + +############################################################################### +# BCF (Binary Call Format), version 1 +# used by SAMtools & VCFtools (http://vcftools.sourceforge.net/bcf.pdf) +# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it +############################################################################### +0 string BCF\4 +# length of seqnm data in bytes is positive +>&0x00 lelong >0 +# length of smpl data in bytes is positive +>>&(&-0x04) lelong >0 SAMtools BCF (Binary Call Format) +# length of meta in bytes +>>>&(&-0x04) lelong >0 +# have meta text string +>>>>&0x00 search ##samtoolsVersion= +>>>>>&0x00 string x \b, generated by SAMtools version %s + + +############################################################################### +# BCF (Binary Call Format), version 2.1 +# used by SAMtools (https://samtools.github.io/hts-specs/BCFv2_qref.pdf) +# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it +############################################################################### +0 string BCF\2\1 Binary Call Format (BCF) version 2.1 +# length of header text +>&0x00 lelong >0 +# have header string +>>&0x00 search ##samtoolsVersion= +>>>&0x00 string x \b, generated by SAMtools version %s + + +############################################################################### +# BCF (Binary Call Format), version 2.2 +# used by SAMtools (https://samtools.github.io/hts-specs/BCFv2_qref.pdf) +# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it +############################################################################### +0 string BCF\2\2 Binary Call Format (BCF) version 2.2 +# length of header text +>&0x00 lelong >0 +# have header string +>>&0x00 search ##samtoolsVersion= +>>>&0x00 string x \b, generated by SAMtools version %s + +############################################################################### +# VCF (Variant Call Format) +# used by VCFtools (http://vcftools.sourceforge.net/) +############################################################################### +0 search ##fileformat=VCFv Variant Call Format (VCF) +>&0 string x \b version %s + +############################################################################### +# FASTQ +# used by MAQ (http://maq.sourceforge.net/fastq.shtml) +############################################################################### +# XXX Broken? +# @<seqname> +#0 regex =^@[A-Za-z0-9_.:-]+\?\n +# <seq> +#>&1 regex =^[A-Za-z\n.~]++ +# +[<seqname>] +#>>&1 regex =^[A-Za-z0-9_.:-]*\?\n +# <qual> +#>>>&1 regex =^[!-~\n]+\n FASTQ + +############################################################################### +# FASTA +# used by FASTA (https://fasta.bioch.virginia.edu/fasta_www2/fasta_guide.pdf) +############################################################################### +#0 byte 0x3e +# q>0 regex =^[>][!-~\t\ ]+$ +# Amino Acid codes: [A-IK-Z*-]+ +#>>1 regex !=[!-'Jj;:=?@^`|~\\] FASTA +# IUPAC codes/gaps: [ACGTURYKMSWBDHVNX-]+ +# not in IUPAC codes/gaps: [EFIJLOPQZ] +#>>>1 regex !=[EFIJLOPQZefijlopqz] \b, with IUPAC nucleotide codes +#>>>1 regex =^[EFIJLOPQZefijlopqz]+$ \b, with Amino Acid codes + +############################################################################### +# SAM (Sequence Alignment/Map format) +# used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) +############################################################################### +# Short-cut version to recognise SAM files with (optional) header at beginning +############################################################################### +0 string @HD\t +>4 search VN: Sequence Alignment/Map (SAM), with header +>>&0 regex [0-9.]+ \b version %s +############################################################################### +# Longer version to recognise SAM alignment lines using (many) regexes +############################################################################### +# SAM Alignment QNAME +0 regex =^[!-?A-~]{1,255}(\t[^\t]+){11} +# SAM Alignment FLAG +>0 regex =^([^\t]+\t){1}[0-9]{1,5}\t +# SAM Alignment RNAME +>>0 regex =^([^\t]+\t){2}\\*|[^*=]*\t +# SAM Alignment POS +>>>0 regex =^([^\t]+\t){3}[0-9]{1,9}\t +# SAM Alignment MAPQ +>>>>0 regex =^([^\t]+\t){4}[0-9]{1,3}\t +# SAM Alignment CIGAR +>>>>>0 regex =\t(\\*|([0-9]+[MIDNSHPX=])+)\t +# SAM Alignment RNEXT +>>>>>>0 regex =\t(\\*|=|[!-()+->?-~][!-~]*)\t +# SAM Alignment PNEXT +>>>>>>>0 regex =^([^\t]+\t){7}[0-9]{1,9}\t +# SAM Alignment TLEN +>>>>>>>>0 regex =\t[+-]{0,1}[0-9]{1,9}\t.*\t +# SAM Alignment SEQ +>>>>>>>>>0 regex =^([^\t]+\t){9}(\\*|[A-Za-z=.]+)\t +# SAM Alignment QUAL +>>>>>>>>>>0 regex =^([^\t]+\t){10}[!-~]+ Sequence Alignment/Map (SAM) +>>>>>>>>>>>0 regex =^[@]HD\t.*VN: \b, with header +>>>>>>>>>>>>&0 regex =[0-9.]+ \b version %s diff --git a/magic/Magdir/biosig b/magic/Magdir/biosig new file mode 100644 index 0000000..7d41713 --- /dev/null +++ b/magic/Magdir/biosig @@ -0,0 +1,154 @@ + +############################################################################## +# +# Magic ids for biomedical signal file formats +# Copyright (C) 2018 Alois Schloegl <alois.schloegl@gmail.com> +# +# The list has been derived from biosig projects +# http://biosig.sourceforge.net +# https://pub.ist.ac.at/~schloegl/matlab/eeg/ +# https://pub.ist.ac.at/~schloegl/biosig/TESTED +# +############################################################################## +# +0 string ABF\x20 Biosig/Axon Binary format +!:mime biosig/abf2 +0 string ABF2\0\0 Biosig/Axon Binary format +!:mime biosig/abf2 +# +0 string ATES\x20MEDICA\x20SOFT.\x20EEG\x20for\x20Windows Biosig/ATES MEDICA SOFT. EEG for Windows +!:mime biosig/ates +# +0 string ATF\x09 Biosig/Axon Text format +!:mime biosig/atf +# +0 string ADU1 Biosig/Axona file format +!:mime biosig/axona +0 string ADU2 Biosig/Axona file format +!:mime biosig/axona +# +0 string ALPHA-TRACE-MEDICAL Biosig/alpha trace +!:mime biosig/alpha +# +0 string AxGr Biosig/AXG +0 string axgx Biosig/AXG +!:mime biosig/axg +# +0 string HeaderLen= Biosig/BCI2000 +0 string BCI2000V Biosig/BCI2000 +!:mime biosig/bci2000 +# +### Specification: https://www.biosemi.com/faq/file_format.htm +0 string \xffBIOSEMI Biosig/Biosemi data format +!:mime biosig/bdf +# +0 string Brain\x20Vision\x20Data\x20Exchange\x20Header\x20File Biosig/Brainvision data file +0 string Brain\x20Vision\x20V-Amp\x20Data\x20Header\x20File\x20Version Biosig/Brainvision V-Amp file +0 string Brain\x20Vision\x20Data\x20Exchange\x20Marker\x20File,\x20Version Biosig/Brainvision Marker file +!:mime biosig/brainvision +# +0 string CEDFILE Biosig/CFS: Cambridge Electronic devices File format +!:mime biosig/ced +# +### Specification: https://www.edfplus.info/specs/index.html +0 string 0\x20\x20\x20\x20\x20\x20\x20 Biosig/EDF: European Data format +!:mime biosig/edf +# +### Specifications: https://arxiv.org/abs/cs/0608052 +0 string GDF Biosig/GDF: General data format for biosignals +!:mime biosig/gdf +# +0 string DATA\0\0\0\0 Biosig/Heka Patchmaster +0 string DAT1\0\0\0\0 Biosig/Heka Patchmaster +0 string DAT2\0\0\0\0 Biosig/Heka Patchmaster +!:mime biosig/heka +# +0 string (C)\x20CED\x2087 Biosig/CED SMR +!:mime biosig/ced-smr +# +0 string CFWB\1\0\0\0 Biosig/CFWB +!:mime biosig/cfwb +# +0 string DEMG Biosig/DEMG +!:mime biosig/demg +# +0 string EBS\x94\x0a\x13\x1a\x0d Biosig/EBS +!:mime biosig/ebs +# +0 string Embla\x20data\x20file Biosig/Embla +!:mime biosig/embla +# +0 string Header\r\nFile Version Biosig/ETG4000 +!:mime biosig/etg4000 +# +0 string GALILEO\x20EEG\x20TRACE\x20FILE Biosig/Galileo +!:mime biosig/galileo +# +0 string IGOR Biosig/IgorPro ITX file +!:mime biosig/igorpro +# +# Specification: http://www.ampsmedical.com/uploads/2017-12-7/The_ISHNE_Format.pdf +0 string ISHNE1.0 Biosig/ISHNE +!:mime biosig/ishne +# +# CEN/ISO 11073/22077 series, http://www.mfer.org/en/document.htm +0 string @\x20\x20MFER\x20 Biosig/MFER +0 string @\x20MFR\x20 Biosig/MFER +!:mime biosig/mfer +# +0 string NEURALEV Biosig/NEV +0 string N.EV.\0 Biosig/NEV +!:mime biosig/nev +# +0 string NEX1 Biosig/NEX +!:mime biosig/nex1 +# +0 string PLEX Biosig/Plexon v1.0 +10 string PLEXON Biosig/Plexon v2.0 +!:mime biosig/plexon +# +0 string \x02\x27\x91\xC6 Biosig/RHD2000: Intan RHD2000 format +# +# Specification: CEN 1064:2005/ISO 11073:91064 +16 string SCPECG\0\0 Biosig/SCP-ECG format CEN 1064:2005/ISO 11073:91064 +!:mime biosig/scpecg +# +0 string IAvSFo Biosig/SIGIF +!:mime biosig/sigif +# +0 string POLY\x20SAMPLE\x20FILEversion\x20 Biosig/TMS32 +!:mime biosig/tms32 +# +0 string FileId=TMSi\x20PortiLab\x20sample\x20log\x20file\x0a\x0dVersion= Biosig/TMSiLOG +!:mime biosig/tmsilog +# +4 string Synergy\0\48\49\50\46\48\48\51\46\48\48\48\46\48\48\48\0\28\0\0\0\2\0\0\0 +>63 string CRawDataElement +>>85 string CRawDataBuffer Biosig/SYNERGY +!:mime biosig/synergy +# +4 string \40\0\4\1\44\1\102\2\146\3\44\0\190\3 Biosig/UNIPRO +!:mime biosig/unipro +# +0 string VER=9\r\nCTIME= Biosig/WCP +!:mime biosig/wcp +# +0 string \xAF\xFE\xDA\xDA Biosig/Walter Graphtek +0 string \xDA\xDA\xFE\xAF Biosig/Walter Graphtek +0 string \x55\x55\xFE\xAF Biosig/Walter Graphtek +!:mime biosig/walter-graphtek +# +0 string V3.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 +>32 string [PatInfo] Biosig/Sigma +!:mime biosig/sigma +# +0 string \067\069\078\013\010\0x1a\04\0x84 Biosig/File exchange format (FEF) +!:mime biosig/fef +0 string \67\69\78\0x13\0x10\0x1a\4\0x84 Biosig/File exchange format (FEF) +!:mime biosig/fef +# +0 string \0\0\0\x64\0\0\0\x1f\0\0\0\x14\0\0\0\0\0\1 +>36 string \0\0\0\x65\0\0\0\3\0\0\0\4\0\0 +>>56 string \0\0\0\x6a\0\0\0\3\0\0\0\4\0\0\0\0\xff\xff\xff\xff\0\0 Biosig/FIFF +!:mime biosig/fiff +# diff --git a/magic/Magdir/blackberry b/magic/Magdir/blackberry new file mode 100644 index 0000000..2e38a54 --- /dev/null +++ b/magic/Magdir/blackberry @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $ +# blackberry: file(1) magic for BlackBerry file formats +# +5 belong 0 +>8 belong 010010010 BlackBerry RIM ETP file +>>22 string x \b for %s diff --git a/magic/Magdir/blcr b/magic/Magdir/blcr new file mode 100644 index 0000000..d2f901a --- /dev/null +++ b/magic/Magdir/blcr @@ -0,0 +1,25 @@ +# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files +# https://ftg.lbl.gov/checkpoint +0 string C\0\0\0R\0\0\0 BLCR +>16 lelong 1 x86 +>16 lelong 3 alpha +>16 lelong 5 x86-64 +>16 lelong 7 ARM +>8 lelong x context data (little endian, version %d) +# Uncomment the following only of your "file" program supports "search" +#>0 search/1024 VMA\06 for kernel +#>>&1 byte x %d. +#>>&2 byte x %d. +#>>&3 byte x %d +0 string \0\0\0C\0\0\0R BLCR +>16 belong 2 SPARC +>16 belong 4 ppc +>16 belong 6 ppc64 +>16 belong 7 ARMEB +>16 belong 8 SPARC64 +>8 belong x context data (big endian, version %d) +# Uncomment the following only of your "file" program supports "search" +#>0 search/1024 VMA\06 for kernel +#>>&1 byte x %d. +#>>&2 byte x \b%d. +#>>&3 byte x \b%d diff --git a/magic/Magdir/blender b/magic/Magdir/blender new file mode 100644 index 0000000..5a89711 --- /dev/null +++ b/magic/Magdir/blender @@ -0,0 +1,50 @@ + +#------------------------------------------------------------------------------ +# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ +# blender: file(1) magic for Blender 3D related files +# +# Native format rule v1.2. For questions use the developers list +# https://lists.blender.org/mailman/listinfo/bf-committers +# GLOB chunk was moved near start and provides subversion info since 2.42 +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/BLEND +# http://www.blender.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/blend.trid.xml +# http://formats.kaitai.io/blender_blend/index.html +# Note: called "Blender 3D data" by TrID +# and gzip compressed variant handled by ./compress +0 string =BLENDER Blender3D, +#!:mime application/octet-stream +!:mime application/x-blender +!:ext blend +# no sample found with extension blender +#!:ext blend/blender +>7 string =_ saved as 32-bits +>>8 string =v little endian +>>>9 byte x with version %c. +>>>10 byte x \b%c +>>>11 byte x \b%c +>>>0x40 string =GLOB \b. +>>>>0x58 leshort x \b%.4d +>>8 string =V big endian +>>>9 byte x with version %c. +>>>10 byte x \b%c +>>>11 byte x \b%c +>>>0x40 string =GLOB \b. +>>>>0x58 beshort x \b%.4d +>7 string =- saved as 64-bits +>>8 string =v little endian +>>9 byte x with version %c. +>>10 byte x \b%c +>>11 byte x \b%c +>>0x44 string =GLOB \b. +>>>0x60 leshort x \b%.4d +>>8 string =V big endian +>>>9 byte x with version %c. +>>>10 byte x \b%c +>>>11 byte x \b%c +>>>0x44 string =GLOB \b. +>>>>0x60 beshort x \b%.4d + +# Scripts that run in the embedded Python interpreter +0 string #!BPY Blender3D BPython script diff --git a/magic/Magdir/blit b/magic/Magdir/blit new file mode 100644 index 0000000..5ce7870 --- /dev/null +++ b/magic/Magdir/blit @@ -0,0 +1,24 @@ + +#------------------------------------------------------------------------------ +# $File: blit,v 1.9 2021/07/03 14:01:46 christos Exp $ +# blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine +# +# Note that this 0407 conflicts with several other a.out formats... +# +# XXX - should this be redone with "be" and "le", so that it works on +# little-endian machines as well? If so, what's the deal with +# "VAX-order" and "VAX-order2"? +# +#0 long 0407 68K Blit (standalone) executable +#0 short 0407 VAX-order2 68K Blit (standalone) executable +0 short 03401 VAX-order 68K Blit (standalone) executable +0 long 0406 68k Blit mpx/mux executable +0 short 0406 VAX-order2 68k Blit mpx/mux executable +# GRR: line below is too general as it matches also TTComp archive, ASCII, 4K handled by ./archive +0 short 03001 VAX-order 68k Blit mpx/mux executable +# TODO: +# skip TTComp archive, ASCII, 4K by looking for executable keyword like main +#>0 search/5536 main\0 VAX-order 68k Blit mpx/mux executable +# Need more values for WE32 DMD executables. +# Note that 0520 is the same as COFF +#0 short 0520 tty630 layers executable diff --git a/magic/Magdir/bm b/magic/Magdir/bm new file mode 100644 index 0000000..a9a1d5b --- /dev/null +++ b/magic/Magdir/bm @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: bm,v 1.2 2021/03/14 16:56:51 christos Exp $ +# bm: file(1) magic for "Birtual Machine", cf. https://github.com/tsoding/bm + +0 string bm\001\244 Birtual Machine +>4 leshort x \b, version %d +>6 lelong x \b, program size %u +>14 lelong x \b, memory size %u +>22 lelong x \b, memory capacity %u diff --git a/magic/Magdir/bout b/magic/Magdir/bout new file mode 100644 index 0000000..693cc2a --- /dev/null +++ b/magic/Magdir/bout @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $ +# i80960 b.out objects and archives +# +0 long 0x10d i960 b.out relocatable object +>16 long >0 not stripped +# +# b.out archive (hp-rt on i960) +0 string =!<bout> b.out archive +>8 string __.SYMDEF random library diff --git a/magic/Magdir/bsdi b/magic/Magdir/bsdi new file mode 100644 index 0000000..8499b0c --- /dev/null +++ b/magic/Magdir/bsdi @@ -0,0 +1,33 @@ + +#------------------------------------------------------------------------------ +# $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $ +# bsdi: file(1) magic for BSD/OS (from BSDI) objects +# Some object/executable formats use the same magic numbers as are used +# in other OSes; those are handled by entries in aout. +# + +0 lelong 0314 386 compact demand paged pure executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses shared libs) + +# same as in SunOS 4.x, except for static shared libraries +0 belong&077777777 0600413 SPARC demand paged +>0 byte &0x80 +>>20 belong <4096 shared library +>>20 belong =4096 dynamically linked executable +>>20 belong >4096 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped +>36 belong 0xb4100001 (uses shared libs) + +0 belong&077777777 0600410 SPARC pure +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped +>36 belong 0xb4100001 (uses shared libs) + +0 belong&077777777 0600407 SPARC +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped +>36 belong 0xb4100001 (uses shared libs) diff --git a/magic/Magdir/bsi b/magic/Magdir/bsi new file mode 100644 index 0000000..87e0fec --- /dev/null +++ b/magic/Magdir/bsi @@ -0,0 +1,10 @@ +# Chiasmus is an encryption standard developed by the German Federal +# Office for Information Security (Bundesamt fuer Sicherheit in der +# Informationstechnik). + +# https://www.bsi.bund.de/EN/Topics/OtherTopics/Chiasmus/Chiasmus_node.html +0 string XIA1\r Chiasmus Encrypted data +!:ext xia + +0 string XIS Chiasmus key +!:ext xis diff --git a/magic/Magdir/btsnoop b/magic/Magdir/btsnoop new file mode 100644 index 0000000..d72daad --- /dev/null +++ b/magic/Magdir/btsnoop @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $ +# BTSnoop: file(1) magic for BTSnoop files +# +# From <marcel@holtmann.org> +0 string btsnoop\0 BTSnoop +>8 belong x version %d, +>12 belong 1001 Unencapsulated HCI +>12 belong 1002 HCI UART (H4) +>12 belong 1003 HCI BCSP +>12 belong 1004 HCI Serial (H5) +>>12 belong x type %d diff --git a/magic/Magdir/burp b/magic/Magdir/burp new file mode 100644 index 0000000..460d18c --- /dev/null +++ b/magic/Magdir/burp @@ -0,0 +1,7 @@ + +#------------------------------------------------------------ +# $File: burp,v 1.1 2022/07/04 17:15:09 christos Exp $ +# Burp file, I don't know the version +#------------------------------------------------------------ +# From wof (wof@stachelkaktus.net) +0 bequad 0x6685828000000001 Burp project save file diff --git a/magic/Magdir/bytecode b/magic/Magdir/bytecode new file mode 100644 index 0000000..dca961c --- /dev/null +++ b/magic/Magdir/bytecode @@ -0,0 +1,41 @@ + +#------------------------------------------------------------ +# $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $ +# magic for various bytecodes + +# From: Mikhail Gusarov <dottedmag@dottedmag.net> +# NekoVM (https://nekovm.org/) bytecode +0 string NEKO NekoVM bytecode +>4 lelong x (%d global symbols, +>8 lelong x %d global fields, +>12 lelong x %d bytecode ops) +!:mime application/x-nekovm-bytecode + +# https://www.iana.org/assignments/media-types/application/vnd.resilient.logic +# From: Benedikt Muessig <benedikt@resilient-group.de> +0 belong 0x07524c4d Resilient Logic bytecode +!:mime application/vnd.resilient.logic +>4 byte/16 x \b, version %d +>4 byte&0x0f x \b.%d + +# Guile file magic from <dalepsmith@gmail.com> +# https://www.gnu.org/s/guile/ +# https://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 + +0 string GOOF---- Guile Object +>8 string LE \b, little endian +>8 string BE \b, big endian +>11 string 4 \b, 32bit +>11 string 8 \b, 64bit +>13 regex .\\.. \b, bytecode v%s + +# Racket file magic +# From: Haelwenn (lanodan) Monnier <contact+libmagic@hacktivis.me> +# https://racket-lang.org/ +# https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt +0 string #~ +>&0 pstring x +>>&0 pstring racket +>>>0 string #~ Racket bytecode +>>>>&0 pstring x (version %s) + diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang new file mode 100644 index 0000000..6e375a0 --- /dev/null +++ b/magic/Magdir/c-lang @@ -0,0 +1,110 @@ +#------------------------------------------------------------------------------ +# $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $ +# c-lang: file(1) magic for C and related languages programs +# +# The strength is to beat standard HTML + +# BCPL +0 search/8192 "libhdr" BCPL source text +!:mime text/x-bcpl +0 search/8192 "LIBHDR" BCPL source text +!:mime text/x-bcpl + +# C +# Check for class if include is found, otherwise class is beaten by include because of lowered strength +0 search/8192 #include +>0 regex \^#include C +>>0 regex \^class[[:space:]]+ +>>>&0 regex \\{[\.\*]\\}(;)?$ \b++ +>>&0 clear x source text +!:strength + 15 +!:mime text/x-c +0 search/8192 pragma +>0 regex \^#[[:space:]]*pragma C source text +!:mime text/x-c +0 search/8192 endif +>0 regex \^#[[:space:]]*(if\|ifn)def +>>&0 regex \^#[[:space:]]*endif$ C source text +!:mime text/x-c +0 search/8192 define +>0 regex \^#[[:space:]]*(if\|ifn)def +>>&0 regex \^#[[:space:]]*define C source text +!:mime text/x-c +0 search/8192 char +>0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text +!:mime text/x-c +0 search/8192 double +>0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text +!:mime text/x-c +0 search/8192 extern +>0 regex \^[[:space:]]*extern[[:space:]]+ C source text +!:mime text/x-c +0 search/8192 float +>0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text +!:mime text/x-c +0 search/8192 struct +>0 regex \^struct[[:space:]]+ C source text +!:mime text/x-c +0 search/8192 union +>0 regex \^union[[:space:]]+ C source text +!:mime text/x-c +0 search/8192 main( +>&0 search/64 String Java source text +!:mime text/x-java +>&0 default x +>>&0 regex \\)[[:space:]]*\\{ C source text +!:mime text/x-c + +# C++ +# The strength of these rules is increased so they beat the C rules above +0 search/8192 namespace +>0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text +!:strength + 30 +!:mime text/x-c++ +# using namespace [namespace] or using std::[lib] +0 search/8192 using +>0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text +!:strength + 30 +!:mime text/x-c++ +0 search/8192 template +>0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text +!:strength + 30 +!:mime text/x-c++ +0 search/8192 virtual +>0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text +!:strength + 30 +!:mime text/x-c++ +# But class alone is reduced to avoid beating php (Jens Schleusener) +0 search/8192 class +>0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text +!:strength + 13 +!:mime text/x-c++ +0 search/8192 public +>0 regex \^[[:space:]]*public: C++ source text +!:strength + 30 +!:mime text/x-c++ +0 search/8192 private +>0 regex \^[[:space:]]*private: C++ source text +!:strength + 30 +!:mime text/x-c++ +0 search/8192 protected +>0 regex \^[[:space:]]*protected: C++ source text +!:strength + 30 +!:mime text/x-c++ + +# Objective-C +0 search/8192 #import +>0 regex \^#import[[:space:]]+["<] Objective-C source text +!:strength + 25 +!:mime text/x-objective-c + +# From: Mikhail Teterin <mi@aldan.algebra.com> +0 string cscope cscope reference data +>7 string x version %.2s +# We skip the path here, because it is often long (so file will +# truncate it) and mostly redundant. +# The inverted index functionality was added some time between +# versions 11 and 15, so look for -q if version is above 14: +>7 string >14 +>>10 search/100 \ -q\ with inverted index +>10 search/100 \ -c\ text (non-compressed) diff --git a/magic/Magdir/c64 b/magic/Magdir/c64 new file mode 100644 index 0000000..6c87320 --- /dev/null +++ b/magic/Magdir/c64 @@ -0,0 +1,549 @@ + +#------------------------------------------------------------------------------ +# $File: c64,v 1.14 2023/06/16 19:24:06 christos Exp $ +# c64: file(1) magic for various commodore 64 related files +# +# From: Dirk Jagdmann <doj@cubic.org> + +0x16500 belong 0x12014100 D64 Image +0x16500 belong 0x12014180 D71 Image +0x61800 belong 0x28034400 D81 Image +0 belong 0x43154164 X64 Image + +# C64 (and other CBM) cartridges +# Extended by David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://vice-emu.sourceforge.io/vice_17.html#SEC391 + +0 string C64\40CARTRIDGE Commodore 64 cartridge +>0x20 ubyte 0 \b, +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s", +>0x16 beshort 0 +>>0x18 beshort 0x0000 16 KB game +>>0x18 beshort 0x0001 8 KB game +>>0x18 beshort 0x0100 UltiMax mode +>>0x18 beshort 0x0101 RAM/disabled +>0x16 beshort 1 Action Replay +>0x16 beshort 2 KCS Power Cartridge +>0x16 beshort 3 Final Cartridge III +>0x16 beshort 4 Simons' BASIC +>0x16 beshort 5 Ocean type 1 +>0x16 beshort 6 Expert Cartridge +>0x16 beshort 7 Fun Play, Power Play +>0x16 beshort 8 Super Games +>0x16 beshort 9 Atomic Power +>0x16 beshort 10 Epyx Fastload +>0x16 beshort 11 Westermann Learning +>0x16 beshort 12 Rex Utility +>0x16 beshort 13 Final Cartridge I +>0x16 beshort 14 Magic Formel +>0x16 beshort 15 C64 Game System, System 3 +>0x16 beshort 16 Warp Speed +>0x16 beshort 17 Dinamic +>0x16 beshort 18 Zaxxon / Super Zaxxon (Sega) +>0x16 beshort 19 Magic Desk, Domark, HES Australia +>0x16 beshort 20 Super Snapshot V5 +>0x16 beshort 21 Comal-80 +>0x16 beshort 22 Structured BASIC +>0x16 beshort 23 Ross +>0x16 beshort 24 Dela EP64 +>0x16 beshort 25 Dela EP7x8 +>0x16 beshort 26 Dela EP256 +>0x16 beshort 27 Rex EP256 +>0x16 beshort 28 Mikro Assembler +>0x16 beshort 29 Final Cartridge Plus +>0x16 beshort 30 Action Replay 4 +>0x16 beshort 31 Stardos +>0x16 beshort 32 EasyFlash +>0x16 beshort 33 EasyFlash Xbank +>0x16 beshort 34 Capture +>0x16 beshort 35 Action Replay 3 +>0x16 beshort 36 +>>0x1A ubyte 1 Nordic Replay +>>0x1A ubyte !1 Retro Replay +>0x16 beshort 37 MMC64 +>0x16 beshort 38 MMC Replay +>0x16 beshort 39 IDE64 +>0x16 beshort 40 Super Snapshot V4 +>0x16 beshort 41 IEEE-488 +>0x16 beshort 42 Game Killer +>0x16 beshort 43 Prophet64 +>0x16 beshort 44 EXOS +>0x16 beshort 45 Freeze Frame +>0x16 beshort 46 Freeze Machine +>0x16 beshort 47 Snapshot64 +>0x16 beshort 48 Super Explode V5.0 +>0x16 beshort 49 Magic Voice +>0x16 beshort 50 Action Replay 2 +>0x16 beshort 51 MACH 5 +>0x16 beshort 52 Diashow-Maker +>0x16 beshort 53 Pagefox +>0x16 beshort 54 Kingsoft +>0x16 beshort 55 Silverrock 128K Cartridge +>0x16 beshort 56 Formel 64 +>0x16 beshort 57 +>>0x1A ubyte 1 Hucky +>>0x1A ubyte !1 RGCD +>0x16 beshort 58 RR-Net MK3 +>0x16 beshort 59 EasyCalc +>0x16 beshort 60 GMod2 +>0x16 beshort 61 MAX Basic +>0x16 beshort 62 GMod3 +>0x16 beshort 63 ZIPP-CODE 48 +>0x16 beshort 64 Blackbox V8 +>0x16 beshort 65 Blackbox V3 +>0x16 beshort 66 Blackbox V4 +>0x16 beshort 67 REX RAM-Floppy +>0x16 beshort 68 BIS-Plus +>0x16 beshort 69 SD-BOX +>0x16 beshort 70 MultiMAX +>0x16 beshort 71 Blackbox V9 +>0x16 beshort 72 Lt. Kernal Host Adaptor +>0x16 beshort 73 RAMLink +>0x16 beshort 74 H.E.R.O. +>0x16 beshort 75 IEEE Flash! 64 +>0x16 beshort 76 Turtle Graphics II +>0x16 beshort 77 Freeze Frame MK2 + +0 string C128\40CARTRIDGE Commodore 128 cartridge +>0x20 ubyte 0 \b, +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s", +>0x16 beshort 0 generic cartridge +>0x16 beshort 1 Warpspeed128 +>>0x1A ubyte 1 \b, REU support +>>0x1A ubyte 2 \b, REU support, with I/O and ROM banking + +0 string CBM2\40CARTRIDGE Commodore CBM-II cartridge +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s" + +0 string VIC20\40CARTRIDGE Commodore VIC-20 cartridge +>0x20 ubyte 0 \b, +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s", +>0x16 beshort 0 generic cartridge +>0x16 beshort 1 Mega-Cart +>0x16 beshort 2 Behr Bonz +>0x16 beshort 3 Vic Flash Plugin +>0x16 beshort 4 UltiMem +>0x16 beshort 5 Final Expansion + +0 string PLUS4\40CARTRIDGE Commodore 16/Plus4 cartridge +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s" + + +# DreamLoad archives see: +# https://www.lemon64.com/forum/viewtopic.php?t=37415\ +# &sid=494dc2ca91289e05dadf80a7f8a968fe (at the bottom). +# https://www.c64-wiki.com/wiki/DreamLoad. +# Example HVSC Commodore 64 music collection: +# https://kohina.duckdns.org/HVSC/C64Music/10_Years_HVSC.dfi + +0 byte 0 +>1 string DREAMLOAD\40FILE\40ARCHIVE +>>0x17 byte 0 DFI Image +>>>0x1a leshort x version: %d. +>>>0x18 leshort x \b%d +>>>0x1c lelong x tracks: %d + +0 string GCR-1541 GCR Image +>8 byte x version: %i +>9 byte x tracks: %i + +9 string PSUR ARC archive (c64) +2 string -LH1- LHA archive (c64) + +0 string C64File PC64 Emulator file +>8 string >\0 "%s" +0 string C64Image PC64 Freezer Image + +0 beshort 0x38CD C64 PCLink Image +0 string CBM\144\0\0 Power 64 C64 Emulator Snapshot + +0 belong 0xFF424CFF WRAptor packer (c64) + +0 string C64S\x20tape\x20file T64 tape Image +>32 leshort x Version:%#x +>36 leshort !0 Entries:%i +>40 string x Name:%.24s + +0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image +>32 leshort x Version:%#x +>36 leshort !0 Entries:%i +>40 string x Name:%.24s + +0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image +>32 leshort x Version:%#x +>36 leshort !0 Entries:%i +>40 string x Name:%.24s + +# Raw tape file format (.tap files) +# Esa Hyyti <esa@netlab.tkk.fi> +0 string C64-TAPE-RAW C64 Raw Tape File (.tap), +>0x0c byte x Version:%u, +>0x10 lelong x Length:%u cycles + +# magic for Goattracker2, http://covertbitops.c64.org/ +# from Alex Myczko <alex@aiei.ch> +0 string GTS5 GoatTracker 2 song +>4 string >\0 \b, "%s" +>36 string >\0 \b by %s +>68 string >\0 \b (C) %s +>100 byte >0 \b, %u subsong(s) + +# CBM BASIC (cc65 compiled) +# Summary: binary executable or Basic program for Commodore C64 computers +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Commodore_BASIC_tokenized_file +# Reference: https://www.c64-wiki.com/wiki/BASIC_token +# https://github.com/thezerobit/bastext/blob/master/bastext.doc +# http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c64.trid.xml +# TODO: unify Commodore BASIC/program sub routines +# Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe +0 leshort 0x0801 +# display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive +#!:strength +0 +# if first token is not SYS this implies BASIC program in most cases +>6 ubyte !0x9e +# but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35) +>>23 search/30 \323ELF-E\330TRACTING-\332IP +>>>0 use c64-exe +>>23 default x +>>>0 use c64-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use c64-exe +# display information about C64 binary executable (memory address, line number, token) +0 name c64-exe +>0 uleshort x Commodore C64 +# http://a1bert.kapsi.fi/Dev/pucrunch/ +# start address 0801h; next offset 080bh; BASIC line number is 239=00EFh; BASIC instruction is SYS 2061 +# the above combination appartly also occur for other Commodore programs like: gunzip111.c64.prg +# and there exist PUCrunch archive for other machines like C16 with other magics +>0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program, probably PUCrunch archive data +!:mime application/x-compress-pucrunch +!:ext prg/pck +>0 string !\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# valid 2nd BASIC fragment found only in sELF-ExTRACTING-zIP executable unzp6420.prg +>>23 search/30 \323ELF-E\330TRACTING-\332IP +# jump again from beginning +>>>(2.s-0x800) ubyte x +>>>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C64 BASIC program (memory address, line number, token) +0 name c64-prg +>0 uleshort x Commodore C64 BASIC program +!:mime application/x-commodore-basic +# Tokenized BASIC programs were stored by Commodore as file type program "PRG" in separate field in directory structures. +# So file name can have no suffix like in saveroms; When transferring to other platforms, they are often saved with .prg extensions. +# BAS suffix is typically used for the BASIC source but also found in program pods.bas +!:ext prg/bas/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C128 computers +# URL: https://en.wikipedia.org/wiki/Commodore_128 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c128.trid.xml +# From: Joerg Jenderek +# Note: Commodore 128 BASIC 7.0 variant; there exist varaints with different start addresses +0 leshort 0x1C01 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches SVr3 curses screen image, big-endian with strength (50) handled by ./terminfo +# probably skip SVr3 curses images with "invalid high" second line offset +>2 uleshort <0x1D02 +# skip foo with "invalid low" second line offset +>>2 uleshort >0x1C06 +# if first token is not SYS this implies BASIC program +>>>6 ubyte !0x9e +>>>>0 use c128-prg +# if first token is SYS this implies binary executable +>>>6 ubyte =0x9e +>>>>0 use c128-exe +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.1 extension by Rick Simon +# start adress 132Dh +#0 leshort 0x132D THIS_IS_C128_7.1 +#>0 use c128-prg +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.0 saved with graphics mode enabled +# start adress 4001h +#0 leshort 0x4001 THIS_IS_C128_GRAPHIC +#>0 use c128-prg +# display information about tokenized C128 BASIC program (memory address, line number, token) +0 name c128-prg +>0 uleshort x Commodore C128 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about C128 program (memory address, line number, token) +0 name c128-exe +>0 uleshort x Commodore C128 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in Commodore executables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C16/VIC-20/Plus4 computers +# URL: https://en.wikipedia.org/wiki/Commodore_Plus/4 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20.trid.xml +# defs/p/prg-plus4.trid.xml +# From: Joerg Jenderek +# Note: there exist VIC-20 variants with different start address +# GRR: line below is too generic because it matches Novell LANalyzer capture +# with regular trace header record handled by ./sniffer +0 leshort 0x1001 +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" token value 54h +>6 ubyte >0x7F +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" second line offset 4Ch +#>>2 uleshort >0x1006 OFFSET_NOT_TOO_LOW +# skip foo with "invalid high" second line offset but not for 0x123b (Minefield.prg) +#>>>2 uleshort <0x1102 OFFSET_NOT_TOO_HIGH +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +# valid second end of line separator implies BASIC program +>>>(2.s-0x1000) ubyte =0 +>>>>0 use c16-prg +# invalid second end of line separator !=0 implies binary executable like: Minefield.prg +>>>(2.s-0x1000) ubyte !0 +>>>>0 use c16-exe +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use c16-exe +# display information about C16 program (memory address, line number, token) +0 name c16-exe +>0 uleshort x Commodore C16/VIC-20/Plus4 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C16 BASIC program (memory address, line number, token) +0 name c16-prg +>0 uleshort x Commodore C16/VIC-20/Plus4 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore VIC-20 computer with 8K RAM expansion +# URL: https://en.wikipedia.org/wiki/VIC-20 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20-8k.trid.xml +# From: Joerg Jenderek +# Note: Basic v2.0 with Basic v4.0 extension (VIC20); there exist VIC-20 variants with different start addresses +# start adress 1201h +0 leshort 0x1201 +# if first token is not SYS this implies BASIC program +>6 ubyte !0x9e +>>0 use vic-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use vic-exe +# display information about Commodore VIC-20 BASIC+8K program (memory address, line number, token) +0 name vic-prg +>0 uleshort x Commodore VIC-20 +8K BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1200) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore VIC-20 +8K program (memory address, line number, token) +0 name vic-exe +>0 uleshort x Commodore VIC-20 +8K program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore PET computers +# URL: https://en.wikipedia.org/wiki/Commodore_PET +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-pet.trid.xml +# From: Joerg Jenderek +# start adress 0401h +0 leshort 0x0401 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches TTComp archive data, ASCII, 1K dictionary +# (strength=48=50-2) handled by ./archive and shared library (strength=50) handled by ./ibm6000 +# skip TTComp archive data, ASCII, 1K dictionary ttcomp-ascii-1k.bin with "invalid high" second line offset 4162h +>2 uleshort <0x0502 +# skip foo with "invalid low" second line offset +#>>2 uleshort >0x0406 OFFSET_NOT_TOO_LOW +# skip bar with "invalid end of line" +#>>>(2.s-0x0400) ubyte =0 END_OF_LINE_OK +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +>>>0 use pet-prg +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use pet-exe +# display information about Commodore PET BASIC program (memory address, line number, token) +0 name pet-prg +>0 uleshort x Commodore PET BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore PET program (memory address, line number, token) +0 name pet-exe +>0 uleshort x Commodore PET program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized BASIC line (memory address, line number, Token) +0 name basic-line +# pointer to memory address of beginning of "next" BASIC line +# greater then previous offset but maximal 100h difference +>0 uleshort x \b, offset %#4.4x +# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data +>0 uleshort 0 +# not line number but first 2 data bytes +>>2 ubeshort x \b, data %#4.4x +# not token but next 2 data bytes +>>4 ubeshort x \b%4.4x +# not token arguments but next data bytes +>>6 ubequad x \b%16.16llx +>>14 ubequad x \b%16.16llx... +# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive +#>>3 string x "%-0.30s" +>0 uleshort >0 +# BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100) +>>2 uleshort x \b, line %u +# https://www.c64-wiki.com/wiki/BASIC_token +# The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators +>>4 ubyte x \b, token (%#x) +# https://www.c64-wiki.com/wiki/REM +>>4 string \x8f REM +# remark string like: ** SYNTHESIZER BY RICOCHET ** +>>>5 string >\0 %s +#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x +# https://www.c64-wiki.com/wiki/PRINT +>>4 string \x99 PRINT +# string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141 +>>>5 string x %s +#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx +# https://www.c64-wiki.com/wiki/POKE +>>4 string \x97 POKE +# <Memory address>,<number> +>>>5 regex \^[0-9,\040]+ %s +# BASIC command delimiter colon (:=3Ah) +>>>>&-2 ubyte =0x3A +# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands +>>>>>&0 string x "%s" +# https://www.c64-wiki.com/wiki/SYS 0x9e=\236 +>>4 string \x9e SYS +# SYS <Address> parameter is a 16-bit unsigned integer; in the range 0 - 65535 +>>>5 regex \^[0-9]{1,5} %s +# maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg +# (\302(43)\252256\254\302(44)\25236) /T.L.R/ +#>>>5 string x SYS_STRING="%s" +# https://www.c64-wiki.com/wiki/GOSUB +>>4 string \x8d GOSUB +# <line> +>>>5 string >\0 %s diff --git a/magic/Magdir/cad b/magic/Magdir/cad new file mode 100644 index 0000000..0bead6e --- /dev/null +++ b/magic/Magdir/cad @@ -0,0 +1,437 @@ + +#------------------------------------------------------------------------------ +# $File: cad,v 1.31 2022/12/09 15:36:23 christos Exp $ +# autocad: file(1) magic for cad files +# + +# Microstation DGN/CIT Files (www.bentley.com) +# Last updated July 29, 2005 by Lester Hightower +# DGN is the default file extension of Microstation/Intergraph CAD files. +# CIT is the proprietary raster format (similar to TIFF) used to attach +# raster underlays to Microstation DGN (vector) drawings. +# +# http://www.wotsit.org/search.asp +# https://filext.com/detaillist.php?extdetail=DGN +# https://filext.com/detaillist.php?extdetail=CIT +# +# https://www.bentley.com/products/default.cfm?objectid=97F351F5-9C35-4E5E-89C2 +# 3F86C928&method=display&p_objectid=97F351F5-9C35-4E5E-89C280A93F86C928 +# https://www.bentley.com/products/default.cfm?objectid=A5C2FD43-3AC9-4C71-B682 +# 721C479F&method=display&p_objectid=A5C2FD43-3AC9-4C71-B682C7BE721C479F +# +# URL: https://en.wikipedia.org/wiki/MicroStation +# reference: http://dgnlib.maptools.org/dgn.html +# http://dgnlib.maptools.org/dl/ref18.pdf +# Update: Joerg Jenderek +# Note: verfied by command like `dgndump seed2d_b.dgn` +# test for level 8 and type 5 or 9 +0 beshort&0x3F73 0x0801 +# level of element like 8 +#>0 ubyte&0x3F x \b, level %u +#>0 ubyte &0x80 \b, complex +#>0 ubyte &0x40 \b, reserved +# type of element 9~TCB 8~Digitizer setup 5~Group Data Elements +#>1 ubyte&0x7F x \b, type %u +# words to follow in element: 17H~CEL library 2FEh~DGN 9FEh,DFEh~CIT +#>2 uleshort x \b, words %#4.4x to follow +# test for 3 reserved 0 bytes in CIT or "conversion" in ViewInfo structure (DGN CEL) +#>508 ubelong x \b, RESERVED %8.8x +>508 ubelong&0xFFffFF00 =0 +# test for level 8 and type 9 for INGR raster image +>>0 beshort 0x0809 +# test for length of 1st element is multiple of blocks a 512 bytes +>>>2 ubyte 0xfe +>>>>0 use ingr-image +# test for DGN or CEL by jump words (uleshort) forward to next element +>(2.s*2) ulong x +# 2nd element type: 8~Digitizer~DesiGNfile 1~library cell header other~CIT +#>>&1 ubyte&0x7F x \b, 2nd type %u +# DGN +>>&1 ubyte&0x7F 8 +>>>2 uleshort =0x02FE Bentley/Intergraph Microstation CAD drawing +!:mime application/x-bentley-dgn +!:ext dgn +# The 0x40 bit of this byte is 1 if the file is 3D, otherwise 0 +>>>>1214 ubyte &0x40 3D +>>>>1214 ubyte ^0x40 2D +# 2 chars for name of subunits like ft FT in IN mu m mm '\0 '\040 +>>>>1120 string x \b, units %-.2s +# 2 chars for name of master unit like IN in ML SU tn th TH HU mm "\0 "\040 \0\0 +>>>>1122 string >\0 %-.2s +#>>>>1120 ubelong x \b, units %#8.8x +# element range low,high x y z like xlow=0 08010000h 01080000h +#>>>>4 ubelong !0 \b, xlow %8.8x +#>>>>8 ubelong !0 \b, ylow %8.8x +#>>>>12 ubelong !0 \b, zlow %8.8x +#>>>>16 ubelong !0 \b, xhigh %8.8x +#>>>>20 ubelong !0 \b, yhigh %8.8x +#>>>>24 ubelong !0 \b, zhigh %8.8x +# graphic group number; all other elements in that group have same non-0 number +#>>>>28 leshort x \b, grphgrp %#4.4x +# words to optional attribute linkage +#>>>>30 ubyte x \b, attindx \%o +#>>>>31 ubyte x \b\%o +# >>30 string \026\105 DGNFile +# >>30 string \034\105 DGNFile +# >>30 string \073\107 DGNFile +# >>30 string \073\110 DGNFile +# >>30 string \106\107 DGNFile +# >>30 string \110\103 DGNFile +# >>30 string \120\104 DGNFile +# >>30 string \172\104 DGNFile +# >>30 string \172\105 DGNFile +# >>30 string \172\106 DGNFile +# >>30 string \234\106 DGNFile +# >>30 string \273\105 DGNFile +# >>30 string \306\106 DGNFile +# >>30 string \310\104 DGNFile +# >>30 string \341\104 DGNFile +# >>30 string \372\103 DGNFile +# >>30 string \372\104 DGNFile +# >>30 string \372\106 DGNFile +# >>30 string \376\103 DGNFile +# elements properties indicator +#>>>>32 uleshort !0 \b, properties %#4.4x +# class 0~Primary +#>>>>>32 uleshort&0x000F !0 \b, class %#4.4x +# Symbology +#>>>>>34 uleshort x \b, Symbology %#4.4x +# test for 2nd element type 1~library cell header +>>&1 ubyte&0x7F 1 +# test for 1st element with level 8 and type 5 for cell library +>>>0 beshort 0x0805 Bentley/Intergraph Microstation CAD cell library +!:mime application/x-bentley-cel +!:ext cel +# +# URL: http://fileformats.archiveteam.org/wiki/Intergraph_Raster +# reference: https://web.archive.org/web/20140903185431/ +# http://oreilly.com/www/centers/gff/formats/ingr/index.htm +# note: verfied by command like `nconvert -fullinfo LONGLAT.CIT` +# display information for intergraph raster bitmap +0 name ingr-image +# in 5.37 "Microstation CITFile" "Bentley/Intergraph MicroStation CIT raster CAD" +# DataTypeCode indicates format, depth of the pixel data and used compression +>4 uleshort x Intergraph raster image +>>4 uleshort 0x0009 \b, Run-Length Encoded 1-bit +!:mime image/x-intergraph-rle +!:ext rel +>>4 uleshort 0x0018 \b, CCITT Group 4 1-bit +!:mime image/x-intergraph-cit +!:ext cit +>>4 uleshort 27 \b, Adaptive RLE RGB +!:mime image/x-intergraph-rgb +!:ext rgb +>>4 default x +>>>4 uleshort x \b, Type %u +!:mime image/x-intergraph +# TODO: +#>4 uleshort 0 \b, no data +# ... +#>4 uleshort 0x0045 \b, Continuous Tone CMKY (Uncompressed) +# ApplicationType: 0~generic raster image 3~drawing, scanning +# 8~I/IMAGE and MicroStation Imager 9~ModelView +>6 uleshort !0 \b, ApplicationType %u +#>6 uleshort x \b, ApplicationType %u +# XViewOrigin; Raster grid data X origin +#>8 ulequad !0 \b, XViewOrigin %llx +# PixelsPerLine is the number of pixels in a scan line of bitmapp +>184 ulelong x \b, %u x +# NumberOfLines is height of the raster data in scanlines +>188 ulelong x %u +# DeviceResolution; resolution of scanning device +# positive indicates number of micros between lines; negative indicates DPI +#>192 leshort x \b, DeviceResolution %d +# ScanlineOrient indicates the origin and the orientation of the scan lines +#>194 ubyte x \b, ScanlineOrient %x +>194 ubyte x \b, orientation +>194 ubyte &0x01 right +>194 ubyte ^0x01 left +>194 ubyte &0x02 down +>194 ubyte ^0x02 top +>194 ubyte &0x04 horizontal +>194 ubyte ^0x04 vertical +# ScannableFlag; Scanline indexing method used +#>195 ubyte !0 \b, ScannableFlag %#x +# RotationAngle; Rotation angle of raster data +#>196 ubequad !0 \b, RotationAngle %#llx +# SkewAngle; Skew angle of raster data +#>204 ubequad !0 \b, SkewAngle %llx +# DataTypeModifier; Additional raster data format info +#>212 uleshort !0 \b, DataTypeModifier %#4.4x +# DesignFile[66]; Name of the design file +>214 string >\0 \b, DesignFile %-.66s +# DatabaseFile[66]; Name of the database file +>280 string >\0 \b, DatabaseFile %-.66s +# ParentGridFile[66]; Name of parent grid file +>346 string >\0 \b, ParentGridFile %-.66s +# FileDescription[80]; Text description of file and contents +>412 string >\0 \b, FileDescription %-.80s +# MinValue +#>492 ubequad !0 \b, MinValue %#llx +# MaxValue +#>500 ubequad !0 \b, MaxValue %#llx +# Reserved[3]; Unused (always 0) +#>508 ubelong&0xFFffFF00 x \b, RESERVED %8.8x +# GridFileVersion; Grid File Version like 2 3 +#>511 ubyte x \b, GridFileVersion %x + +# AutoCAD +# Merge of the different contributions and updates from https://en.wikipedia.org/wiki/Dwg +# and https://www.iana.org/assignments/media-types/image/vnd.dwg +0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0 +!:mime image/vnd.dwg +0 string AC1.2 DWG AutoDesk AutoCAD Release 1.2 +!:mime image/vnd.dwg +0 string AC1.3 DWG AutoDesk AutoCAD Release 1.3 +!:mime image/vnd.dwg +0 string AC1.40 DWG AutoDesk AutoCAD Release 1.40 +!:mime image/vnd.dwg +0 string AC1.50 DWG AutoDesk AutoCAD Release 2.05 +!:mime image/vnd.dwg +0 string AC2.10 DWG AutoDesk AutoCAD Release 2.10 +!:mime image/vnd.dwg +0 string AC2.21 DWG AutoDesk AutoCAD Release 2.21 +!:mime image/vnd.dwg +0 string AC2.22 DWG AutoDesk AutoCAD Release 2.22 +!:mime image/vnd.dwg +0 string AC1001 DWG AutoDesk AutoCAD Release 2.22 +!:mime image/vnd.dwg +0 string AC1002 DWG AutoDesk AutoCAD Release 2.50 +!:mime image/vnd.dwg +0 string AC1003 DWG AutoDesk AutoCAD Release 2.60 +!:mime image/vnd.dwg +0 string AC1004 DWG AutoDesk AutoCAD Release 9 +!:mime image/vnd.dwg +0 string AC1006 DWG AutoDesk AutoCAD Release 10 +!:mime image/vnd.dwg +0 string AC1009 DWG AutoDesk AutoCAD Release 11/12 +!:mime image/vnd.dwg +# AutoCAD DWG versions R13/R14 (www.autodesk.com) +# Written December 01, 2003 by Lester Hightower +# Based on the DWG File Format Specifications at http://www.opendwg.org/ +# AutoCad, from Nahuel Greco +# AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) +0 string AC1012 DWG AutoDesk AutoCAD Release 13 +!:mime image/vnd.dwg +0 string AC1013 DWG AutoDesk AutoCAD Release 13c3 +!:mime image/vnd.dwg +0 string AC1014 DWG AutoDesk AutoCAD Release 14 +!:mime image/vnd.dwg +0 string AC1015 DWG AutoDesk AutoCAD 2000 +!:mime image/vnd.dwg + +# A new version of AutoCAD DWG +# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, +# ICQ 358572321) +# From various sources like: +# https://autodesk.blogs.com/between_the_lines/autocad-release-history.html +0 string AC1018 DWG AutoDesk AutoCAD 2004/2005/2006 +!:mime image/vnd.dwg +0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009 +!:mime image/vnd.dwg +0 string AC1024 DWG AutoDesk AutoCAD 2010/2011/2012 +!:mime image/vnd.dwg +0 string AC1027 DWG AutoDesk AutoCAD 2013-2017 +!:mime image/vnd.dwg + +# From GNU LibreDWG +0 string AC1032 DWG AutoDesk AutoCAD 2018/2019/2020 +!:mime image/vnd.dwg +0 string AC1035 DWG AutoDesk AutoCAD 2021 +!:mime image/vnd.dwg + +# KOMPAS 2D drawing from ASCON +# This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor +# gathered nor specification +# ASCON https://ascon.net/main/ in English, +# https://ascon.ru/ main site in Russian +# Extension is CDW for drawing and FRW for fragment of drawing +# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, +# ICQ 358572321, https://vkontakte.ru/id16076543) +# From: +# https://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 +# (in russian) and my experiments +0 string KF +>2 belong 0x4E00000C Kompas drawing 12.0 SP1 +>2 belong 0x4D00000C Kompas drawing 12.0 +>2 belong 0x3200000B Kompas drawing 11.0 SP1 +>2 belong 0x3100000B Kompas drawing 11.0 +>2 belong 0x2310000A Kompas drawing 10.0 SP1 +>2 belong 0x2110000A Kompas drawing 10.0 +>2 belong 0x08000009 Kompas drawing 9.0 SP1 +>2 belong 0x05000009 Kompas drawing 9.0 +>2 belong 0x33010008 Kompas drawing 8+ +>2 belong 0x1A000008 Kompas drawing 8.0 +>2 belong 0x2C010107 Kompas drawing 7+ +>2 belong 0x05000007 Kompas drawing 7.0 +>2 belong 0x32000006 Kompas drawing 6+ +>2 belong 0x09000006 Kompas drawing 6.0 +>2 belong 0x5C009005 Kompas drawing 5.11R03 +>2 belong 0x54009005 Kompas drawing 5.11R02 +>2 belong 0x51009005 Kompas drawing 5.11R01 +>2 belong 0x22009005 Kompas drawing 5.10R03 +>2 belong 0x22009005 Kompas drawing 5.10R02 mar +>2 belong 0x21009005 Kompas drawing 5.10R02 febr +>2 belong 0x19009005 Kompas drawing 5.10R01 +>2 belong 0xF4008005 Kompas drawing 5.9R01.003 +>2 belong 0x1C008005 Kompas drawing 5.9R01.002 +>2 belong 0x11008005 Kompas drawing 5.8R01.003 + +# CAD: file(1) magic for computer aided design files +# Phillip Griffith <phillip dot griffith at gmail dot com> +# AutoCAD magic taken from the Open Design Alliance's OpenDWG specifications. +# + +# 3DS (3d Studio files) +0 leshort 0x4d4d +>6 leshort 0x2 +>>8 lelong 0xa +>>>16 leshort 0x3d3d 3D Studio model +# Beat sgi MMV +!:strength +20 +!:mime image/x-3ds +!:ext 3ds + +# MegaCAD 2D/3D drawing (.prt) +# https://megacad.de/ +# From: Markus Heidelberg <markus.heidelberg@web.de> +0 string MegaCad23\0 MegaCAD 2D/3D drawing + +# Hoops CAD files +# https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ +# HSF_architecture.html +# Stephane Charette <stephane.charette@gmail.com> +0 string ;;\040HSF\040V OpenHSF (Hoops Stream Format) +>7 regex/9 V[.0-9]{4,5}\040 %s +!:ext hsf + +# AutoCAD Drawing Exchange Format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DXF +# https://en.wikipedia.org/wiki/AutoCAD_DXF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/ +# dxf-var0.trid.xml dxf-var0u.trid.xml dxf-var2.trid.xml dxf-var2u.trid.xml +# Note: called "AutoCAD Drawing eXchange Format" by TrID and +# "Drawing Interchange File Format (ASCII)" by DROID +# GRR: some samples does not match 1st test like: abydos.dxf +0 regex \^[\ \t]*0\r?\000$ +>1 regex \^[\ \t]*SECTION\r?$ +>>2 regex \^[\ \t]*2\r?$ +# GRR: some samples without HEADER section like: airplan2.dxf +>>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format +#!:mime application/x-dxf +!:mime image/vnd.dxf +!:ext dxf +# DROID PUID fmt/64 fmt-64-signature-id-99.dxf +>>>>&1 search/8192 MC0.0 \b, 1.0 +# DROID PUID fmt/65 fmt-65-signature-id-100.dxf +>>>>&1 search/8192 AC1.2 \b, 1.2 +# DROID PUID fmt/66 fmt-66-signature-id-101.dxf +>>>>&1 search/8192 AC1.3 \b, 1.3 +# DROID PUID fmt/67 fmt-67-signature-id-102.dxf +>>>>&1 search/8192 AC1.40 \b, 1.4 +# DROID PUID fmt/68 fmt-68-signature-id-103.dxf +>>>>&1 search/8192 AC1.50 \b, 2.0 +# DROID PUID fmt/69 fmt-69-signature-id-104.dxf +>>>>&1 search/8192 AC2.10 \b, 2.1 +# DROID PUID fmt/70 fmt-70-signature-id-105.dxf +>>>>&1 search/8192 AC2.21 \b, 2.2 +# DROID PUID fmt/71 fmt-71-signature-id-106.dxf +>>>>&1 search/8192 AC1002 \b, 2.5 +# DROID PUID fmt/72 fmt-72-signature-id-107.dxf +>>>>&1 search/8192 AC1003 \b, 2.6 +# DROID PUID fmt/73 fmt-73-signature-id-108.dxf +>>>>&1 search/8192 AC1004 \b, R9 +>>>>&1 search/8192 AC1006 \b, R10 +# http://cd.textfiles.com/amigaenv/DXF/OBJEKTE/LASTMINUTE/apple.dxf +#>>>>&1 search/8192 AC1008 \b, Rfoo +>>>>&1 search/8192 AC1009 \b, R11/R12 +>>>>&1 search/8192 AC1012 \b, R13 +>>>>&1 search/8192 AC1013 \b, R13c3 +>>>>&1 search/8192 AC1014 \b, R14 +>>>>&1 search/8192 AC1015 \b, version 2000 +>>>>&1 search/8192 AC1018 \b, version 2004 +>>>>&1 search/8192 AC1021 \b, version 2007 +>>>>&1 search/8192 AC1024 \b, version 2010 +>>>>&1 search/8192 AC1027 \b, version 2013 +>>>>&1 search/8192 AC1032 \b, version 2018 +>>>>&1 search/8192 AC1035 \b, version 2021 + +# The Sketchup 3D model format https://www.sketchup.com/ +0 string \xff\xfe\xff\x0e\x53\x00\x6b\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4d\x00\x6f\x00\x64\x00\x65\x00\x6c\x00 SketchUp Model +!:mime application/vnd.sketchup.skp +!:ext skp + +4 regex/b P[0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9] NAXOS CAD System file from version %s +!:strength +40 + +# glTF (GL Transmission Format) - by the Khronos Group +# Reference: https://github.com/KhronosGroup/glTF/tree/master/specification/2.0#glb-file-format-specification +0 string glTF glTF binary model +>4 ulelong x \b, version %d +>8 ulelong x \b, length %d bytes +!:mime model/gltf-binary +!:ext glb + +# FBX (FilmBoX) - by Kaydara/Autodesk +# Reference: https://code.blender.org/2013/08/fbx-binary-file-format-specification +0 string Kaydara\ FBX\ Binary\ \ \0 Kaydara FBX model, +>&2 ulelong x version %d +!:ext fbx + +# PLY (Polygon File Format/Stanford Triangle Format) - by Greg Turk +# Reference: https://web.archive.org/web/20161204152348/http://www.dcs.ed.ac.uk/teaching/cs4/www/graphics/Web/ply.html +0 string ply\n PLY model, +!:ext ply +>4 string format\ ascii\ ASCII, +>>&0 regex/6 [0-9.]+ version %s +>4 string format\ binary binary, +>>&0 string _little_endian\ little endian, +>>>&0 regex/6 [0-9.]+ version %s +>>&0 string _big_endian\ big endian, +>>>&0 regex/6 [0-9.]+ version %s + +# VRML (Virtual Reality Modeling Language) - by the Web3D Consortium +# From: Michel Briand <michelbriand@free.fr> +# Reference: https://www.web3d.org/standards +0 string/w #VRML\ V1.0\ ascii VRML 1 file +!:mime model/vrml +!:ext wrl +0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file +!:mime model/vrml +!:ext wrl +# X3D, VRML encoded +0 string #X3D X3D (Extensible 3D) model, VRML format +>4 string V +>>5 regex/6 [0-9.]+ \b, version %s +!:mime model/x3d+vrml +!:ext x3dv + +## XML-based 3D CAD Formats +# From: Michel Briand <michelbriand@free.fr>, Oliver Galvin <odg@riseup.net> +0 string/w \<?xml\ version= +!:strength + 5 +# X3D (Extensible 3D) +# Schema: https://www.web3d.org/specifications/x3d-3.2.dtd +# MIME Type: https://www.iana.org/assignments/media-types/model/x3d+xml +# Example: https://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d +>20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model, XML document +!:mime model/x3d+xml +!:ext x3d +# COLLADA (COLLAborative Design Activity) - by the Khronos Group +# Schema: http://www.collada.org/2005/11/COLLADASchema +# Reference: https://www.khronos.org/collada +>20 search/1000/w \<COLLADA COLLADA model, XML document +!:mime model/vnd.collada+xml +!:ext dae +# 3MF (3D Manufacturing Format) - by the 3MF Consortium +# Schema: http://schemas.microsoft.com/3dmanufacturing/core/2015/02 +# Reference: https://3mf.io/specification +>20 search/1000/w xmlns="http://schemas.microsoft.com/3dmanufacturing 3MF (3D Manufacturing Format) model, XML document +!:mime model/3mf +!:ext 3mf +# AMF (Additive Manufacturing File) +# Reference: https://www.astm.org/Standards/ISOASTM52915.htm +>20 search/1000/w \<amf AMF (Additive Manufacturing Format) model, XML document +!:mime application/x-amf +!:ext amf diff --git a/magic/Magdir/cafebabe b/magic/Magdir/cafebabe new file mode 100644 index 0000000..4f97cc0 --- /dev/null +++ b/magic/Magdir/cafebabe @@ -0,0 +1,107 @@ + +#------------------------------------------------------------------------------ +# $File: cafebabe,v 1.28 2022/07/01 23:24:47 christos Exp $ +# Cafe Babes unite! +# +# Since Java bytecode and Mach-O universal binaries have the same magic number, +# the test must be performed in the same "magic" sequence to get both right. +# The long at offset 4 in a Mach-O universal binary tells the number of +# architectures; the short at offset 4 in a Java bytecode file is the JVM minor +# version and the short at offset 6 is the JVM major version. Since there are only +# only 18 labeled Mach-O architectures at current, and the first released +# Java class format was version 43.0, we can safely choose any number +# between 18 and 39 to test the number of architectures against +# (and use as a hack). Let's not use 18, because the Mach-O people +# might add another one or two as time goes by... +# +### JAVA START ### +# Reference: http://en.wikipedia.org/wiki/Java_class_file +# Update: Joerg Jenderek +0 belong 0xcafebabe +>4 ubelong >30 compiled Java class data, +!:mime application/x-java-applet +#!:mime application/java-byte-code +!:ext class +>>6 ubeshort x version %d. +>>4 ubeshort x \b%d +# for debugging purpose version as hexadecimal to compare with Mach-O universal binary +#>>4 ubelong x (%#8.8x) +# Which is which? +# https://docs.oracle.com/javase/specs/jvms/se6/html/ClassFile.doc.html +#>>4 belong 0x002b (Java 0.?) +#>>4 belong 0x032d (Java 1.0) +#>>4 belong 0x032d (Java 1.1) +>>4 belong 0x002e (Java 1.2) +>>4 belong 0x002f (Java 1.3) +>>4 belong 0x0030 (Java 1.4) +>>4 belong 0x0031 (Java 1.5) +>>4 belong 0x0032 (Java 1.6) +>>4 belong 0x0033 (Java 1.7) +>>4 belong 0x0034 (Java 1.8) +>>4 belong 0x0035 (Java SE 9) +>>4 belong 0x0036 (Java SE 10) +>>4 belong 0x0037 (Java SE 11) +>>4 belong 0x0038 (Java SE 12) +>>4 belong 0x0039 (Java SE 13) +>>4 belong 0x003A (Java SE 14) +>>4 belong 0x003B (Java SE 15) +>>4 belong 0x003C (Java SE 16) +>>4 belong 0x003D (Java SE 17) +>>4 belong 0x003E (Java SE 18) +>>4 belong 0x003F (Java SE 19) +>>4 belong 0x0040 (Java SE 20) +# pool count unequal zero +#>>8 beshort x \b, pool count %#x +# pool table +#>>10 ubequad x \b, pool %#16.16llx... + +0 belong 0xcafed00d JAR compressed with pack200, +>5 byte x version %d. +>4 byte x \b%d +!:mime application/x-java-pack200 + + +0 belong 0xcafed00d JAR compressed with pack200, +>5 byte x version %d. +>4 byte x \b%d +!:mime application/x-java-pack200 + +### JAVA END ### +### MACH-O START ### +# URL: https://en.wikipedia.org/wiki/Mach-O + +0 name mach-o \b [ +# for debugging purpose CPU type as hexadecimal +#>0 ubequad x CPU=%16.16llx +# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... +>0 use mach-o-cpu \b +# for debugging purpose print offset to 1st mach_header like: +# 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h +#>8 ubelong x at %#x offset +>(8.L) indirect x \b: +>0 belong x \b] + +# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ +# include/mach-o/fat.h +# include/mach/machine.h +0 belong 0xcafebabe +>4 belong 1 Mach-O universal binary with 1 architecture: +!:mime application/x-mach-binary +>>8 use mach-o \b +# nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 +>4 ubelong >1 +>>4 ubelong <20 Mach-O universal binary with %d architectures: +!:mime application/x-mach-binary +>>>8 use mach-o \b +>>>4 ubelong >1 +>>>>28 use mach-o \b +>>>4 ubelong >2 +>>>>48 use mach-o \b +>>>4 ubelong >3 +>>>>68 use mach-o \b +>>>4 ubelong >4 +>>>>88 use mach-o \b +>>>4 ubelong >5 +>>>>108 use mach-o \b + +### MACH-O END ### diff --git a/magic/Magdir/cbor b/magic/Magdir/cbor new file mode 100644 index 0000000..c780dc6 --- /dev/null +++ b/magic/Magdir/cbor @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: cbor,v 1.1 2015/01/28 01:05:21 christos Exp $ +# cbor: file(1) magic for CBOR files as defined in RFC 7049 + +0 string \xd9\xd9\xf7 Concise Binary Object Representation (CBOR) container +!:mime application/cbor +>3 ubyte <0x20 (positive integer) +>3 ubyte <0x40 +>>3 ubyte >0x1f (negative integer) +>3 ubyte <0x60 +>>3 ubyte >0x3f (byte string) +>3 ubyte <0x80 +>>3 ubyte >0x5f (text string) +>3 ubyte <0xa0 +>3 ubyte >0x7f (array) +>3 ubyte <0xc0 +>>3 ubyte >0x9f (map) +>3 ubyte <0xe0 +>>3 ubyte >0xbf (tagged) +>3 ubyte >0xdf (other) diff --git a/magic/Magdir/ccf b/magic/Magdir/ccf new file mode 100644 index 0000000..1d5ba19 --- /dev/null +++ b/magic/Magdir/ccf @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: ccf,v 1.1 2022/02/15 12:57:45 christos Exp $ +# file(1) magic(5) data for Phillips remote controls + +# Exchange format for Philips Pronto universal infrared remote controls +# A CCF file describes a learned/customized remote control, +# i.e. it contains button UI and infrared pulse code definitions +# (Georg Sauthoff) +# http://files.remotecentral.com/download/45/pan-air-csakr.zip.html +# https://github.com/gsauthof/pronto-ccf/blob/ + +8 string @\xa5Z@_CCF +>32 string CCF\x00 Philips Pronto IR remote control CCF diff --git a/magic/Magdir/cddb b/magic/Magdir/cddb new file mode 100644 index 0000000..5d8a851 --- /dev/null +++ b/magic/Magdir/cddb @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $ +# CDDB: file(1) magic for CDDB(tm) format CD text data files +# +# From <steve@gracenote.com> +# +# This is the /etc/magic entry to decode datafiles as used by +# CDDB-enabled CD player applications. +# + +0 search/1/w #\040xmcd CDDB(tm) format CD text data diff --git a/magic/Magdir/chord b/magic/Magdir/chord new file mode 100644 index 0000000..00d0bec --- /dev/null +++ b/magic/Magdir/chord @@ -0,0 +1,15 @@ + +#------------------------------------------------------------------------------ +# $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $ +# chord: file(1) magic for Chord music sheet typesetting utility input files +# +# From Philippe De Muyter <phdm@macqel.be> +# File format is actually free, but many distributed files begin with `{title' +# +0 string {title Chord text file + +# Type: PowerTab file format +# URL: http://www.power-tab.net/ +# From: Jelmer Vernooij <jelmer@samba.org> +0 string ptab\003\000 Power-Tab v3 Tablature File +0 string ptab\004\000 Power-Tab v4 Tablature File diff --git a/magic/Magdir/cisco b/magic/Magdir/cisco new file mode 100644 index 0000000..0279bbb --- /dev/null +++ b/magic/Magdir/cisco @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ +# cisco: file(1) magic for cisco Systems routers +# +# Most cisco file-formats are covered by the generic elf code +# +# Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. +0 belong&0xffffff00 0x85011400 cisco IOS microcode +>7 string >\0 for '%s' +0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode +>7 string >\0 for '%s' diff --git a/magic/Magdir/citrus b/magic/Magdir/citrus new file mode 100644 index 0000000..1801a55 --- /dev/null +++ b/magic/Magdir/citrus @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: citrus,v 1.5 2021/01/04 19:48:31 christos Exp $ +# citrus locale declaration +# + +0 string RuneCT Citrus locale declaration for LC_CTYPE +0 string CtrsME Citrus locale declaration for LC_MESSAGES +0 string CtrsMO Citrus locale declaration for LC_MONETARY +0 string CtrsNU Citrus locale declaration for LC_NUMERIC +0 string CtrsTI Citrus locale declaration for LC_TIME + diff --git a/magic/Magdir/clarion b/magic/Magdir/clarion new file mode 100644 index 0000000..9fa0049 --- /dev/null +++ b/magic/Magdir/clarion @@ -0,0 +1,27 @@ + +#------------------------------------------------------------------------------ +# $File: clarion,v 1.5 2014/04/30 21:41:02 christos Exp $ +# clarion: file(1) magic for # Clarion Personal/Professional Developer +# (v2 and above) +# From: Julien Blache <jb@jblache.org> + +# Database files +# signature +0 leshort 0x3343 Clarion Developer (v2 and above) data file +# attributes +>2 leshort &0x0001 \b, locked +>2 leshort &0x0004 \b, encrypted +>2 leshort &0x0008 \b, memo file exists +>2 leshort &0x0010 \b, compressed +>2 leshort &0x0040 \b, read only +# number of records +>5 lelong x \b, %d records + +# Memo files +0 leshort 0x334d Clarion Developer (v2 and above) memo data + +# Key/Index files +# No magic? :( + +# Help files +0 leshort 0x49e0 Clarion Developer (v2 and above) help data diff --git a/magic/Magdir/claris b/magic/Magdir/claris new file mode 100644 index 0000000..6a1b68f --- /dev/null +++ b/magic/Magdir/claris @@ -0,0 +1,48 @@ + +#------------------------------------------------------------------------------ +# $File: claris,v 1.8 2016/07/18 19:23:38 christos Exp $ +# claris: file(1) magic for claris +# "H. Nanosecond" <aldomel@ix.netcom.com> +# Claris Works a word processor, etc. +# Version 3.0 + +# .pct claris works clip art files +#0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 +#* +#0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 +#null to byte 1000 octal +514 string \377\377\377\377\000 +>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art +514 string \377\377\377\377\001 +>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art + +# Claris works files +# .cwk +# Moved to Apple AppleWorks document +#0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document +# .plt +0 string \020\341\000\000\010\010 Claris Works palette files .plt + +# .msp a dictionary file I am not sure about this I have only one .msp file +0 string \002\271\262\000\040\002\000\164 Claris works dictionary + +# .usp are user dictionary bits +# I am not sure about a magic header: +#0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 +# soh S p f 8 U D sp ^ S cr nl p o d i +#0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 +# a t r i s t sp ^ S cr nl d i v sp # + +# .mth Thesaurus +# starts with \0 but no magic header + +# .chy Hyphenation file +# I am not sure: 000 210 034 000 000 + +# other claris files +#./windows/claris/useng.ndx: data +#./windows/claris/xtndtran.l32: data +#./windows/claris/xtndtran.lst: data +#./windows/claris/clworks.lbl: data +#./windows/claris/clworks.prf: data +#./windows/claris/userd.spl: data diff --git a/magic/Magdir/clipper b/magic/Magdir/clipper new file mode 100644 index 0000000..484caeb --- /dev/null +++ b/magic/Magdir/clipper @@ -0,0 +1,65 @@ + +#------------------------------------------------------------------------------ +# $File: clipper,v 1.9 2020/12/15 23:57:27 christos Exp $ +# clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. +# +# XXX - what byte order does the Clipper use? +# +# XXX - what's the "!" stuff: +# +# >18 short !074000,000000 C1 R1 +# >18 short !074000,004000 C2 R1 +# >18 short !074000,010000 C3 R1 +# >18 short !074000,074000 TEST +# +# I shall assume it's ANDing the field with the first value and +# comparing it with the second, and rewrite it as: +# +# >18 short&074000 000000 C1 R1 +# >18 short&074000 004000 C2 R1 +# >18 short&074000 010000 C3 R1 +# >18 short&074000 074000 TEST +# +# as SVR3.1's "file" doesn't support anything of the "!074000,000000" +# sort, nor does SunOS 4.x, so either it's something Intergraph added +# in CLIX, or something AT&T added in SVR3.2 or later, or something +# somebody else thought was a good idea; it's not documented in the +# man page for this version of "magic", nor does it appear to be +# implemented (at least not after I blew off the bogus code to turn +# old-style "&"s into new-style "&"s, which just didn't work at all). +# +0 short 0575 CLIPPER COFF executable (VAX #) +>20 short 0407 (impure) +>20 short 0410 (5.2 compatible) +>20 short 0411 (pure) +>20 short 0413 (demand paged) +>20 short 0443 (target shared library) +>12 long >0 not stripped +>22 short >0 - version %d +0 short 0577 CLIPPER COFF executable +>18 short&074000 000000 C1 R1 +>18 short&074000 004000 C2 R1 +>18 short&074000 010000 C3 R1 +>18 short&074000 074000 TEST +>20 short 0407 (impure) +>20 short 0410 (pure) +>20 short 0411 (separate I&D) +>20 short 0413 (paged) +>20 short 0443 (target shared library) +>12 long >0 not stripped +>22 short >0 - version %d +>48 long&01 01 alignment trap enabled +>52 byte 1 -Ctnc +>52 byte 2 -Ctsw +>52 byte 3 -Ctpw +>52 byte 4 -Ctcb +>53 byte 1 -Cdnc +>53 byte 2 -Cdsw +>53 byte 3 -Cdpw +>53 byte 4 -Cdcb +>54 byte 1 -Csnc +>54 byte 2 -Cssw +>54 byte 3 -Cspw +>54 byte 4 -Cscb +#4 string pipe CLIPPER instruction trace +#4 string prof CLIPPER instruction profile diff --git a/magic/Magdir/clojure b/magic/Magdir/clojure new file mode 100644 index 0000000..1f1cddf --- /dev/null +++ b/magic/Magdir/clojure @@ -0,0 +1,30 @@ +#------------------------------------------------------------------------------ +# file: file(1) magic for Clojure +# URL: https://clojure.org/ +# From: Jason Felice <jason.m.felice@gmail.com> + +0 string/w #!\ /usr/bin/clj Clojure script text executable +!:mime text/x-clojure +0 string/w #!\ /usr/local/bin/clj Clojure script text executable +!:mime text/x-clojure +0 string/w #!\ /usr/bin/clojure Clojure script text executable +!:mime text/x-clojure +0 string/w #!\ /usr/local/bin/clojure Clojure script text executable +!:mime text/x-clojure +0 string/W #!/usr/bin/env\ clj Clojure script text executable +!:mime text/x-clojure +0 string/W #!/usr/bin/env\ clojure Clojure script text executable +!:mime text/x-clojure +0 string/W #!\ /usr/bin/env\ clj Clojure script text executable +!:mime text/x-clojure +0 string/W #!\ /usr/bin/env\ clojure Clojure script text executable +!:mime text/x-clojure + +0 regex \^\\\(ns[[:space:]]+[a-z] Clojure module source text +!:mime text/x-clojure + +0 regex \^\\\(ns[[:space:]]+\\\^\\{: Clojure module source text +!:mime text/x-clojure + +0 regex \^\\\(defn-?[[:space:]] Clojure module source text +!:mime text/x-clojure diff --git a/magic/Magdir/coff b/magic/Magdir/coff new file mode 100644 index 0000000..5123b72 --- /dev/null +++ b/magic/Magdir/coff @@ -0,0 +1,98 @@ + +#------------------------------------------------------------------------------ +# $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $ +# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures +# +# COFF +# +# by Joerg Jenderek at Oct 2015, Feb 2021 +# https://en.wikipedia.org/wiki/COFF +# https://de.wikipedia.org/wiki/Common_Object_File_Format +# http://www.delorie.com/djgpp/doc/coff/filhdr.html + +# display name+variables+flags of Common Object Files Format (32bit) +# Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, +# mips,motorola,msdos,osf1,sharc,varied.out,vax +0 name display-coff +# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags +>18 uleshort&0x8E80 0 +# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections +>>2 uleshort >0 +# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections +>>>2 uleshort <4207 +>>>>0 clear x +# f_magic - magic number +# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) +>>>>0 uleshort 0x014C Intel 80386 +# Hitachi SH big-endian COFF (./hitachi-sh) +>>>>0 uleshort 0x0500 Hitachi SH big-endian +# Hitachi SH little-endian COFF (./hitachi-sh) +>>>>0 uleshort 0x0550 Hitachi SH little-endian +# executable (RISC System/6000 V3.1) or obj module (./ibm6000) +#>>>>0 uleshort 0x01DF +# MS Windows COFF Intel Itanium, AMD64 +# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx +>>>>0 uleshort 0x0200 Intel ia64 +>>>>0 uleshort 0x8664 Intel amd64 +# ARM COFF (./arm) +>>>>0 uleshort 0xaa64 Aarch64 +>>>>0 uleshort 0x01c0 ARM +>>>>0 uleshort 0xa641 ARM64EC +>>>>0 uleshort 0x01c2 ARM Thumb +>>>>0 uleshort 0x01c4 ARMv7 Thumb +# TODO for other COFFs +#>>>>0 uleshort 0xABCD COFF_TEMPLATE +>>>>0 default x +>>>>>0 uleshort x type %#04x +>>>>0 uleshort x COFF +# F_EXEC flag bit +>>>>18 leshort ^0x0002 object file +!:mime application/x-coff +!:ext o/obj/lib +# no cof sample found +#!:ext cof/o/obj/lib +>>>>18 leshort &0x0002 executable +#!:mime application/x-coffexec +# F_RELFLG flag bit,static object +>>>>18 leshort &0x0001 \b, no relocation info +# F_LNNO flag bit +>>>>18 leshort &0x0004 \b, no line number info +# F_LSYMS flag bit +>>>>18 leshort &0x0008 \b, stripped +>>>>18 leshort ^0x0008 \b, not stripped +# flags in other COFF versions +#0x0010 F_FDPR_PROF +#0x0020 F_FDPR_OPTI +#0x0040 F_DSA +# F_AR32WR flag bit +#>>>>18 leshort &0x0100 \b, 32 bit little endian +#0x1000 F_DYNLOAD +#0x2000 F_SHROBJ +#0x4000 F_LOADONLY +# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124 +>>>>2 uleshort <2 \b, %u section +>>>>2 uleshort >1 \b, %u sections +# f_symptr - symbol table pointer, only for not stripped +# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0 +>>>>8 ulelong >0 \b, symbol offset=%#x +# f_nsyms - number of symbols, only for not stripped +# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 +>>>>12 ulelong >0 \b, %d symbols +# f_opthdr - optional header size. An object file should have a value of 0 +>>>>16 uleshort >0 \b, optional header size %u +# f_timdat - file time & date stamp only for little endian +>>>>4 ledate >0 \b, created %s +# at offset 20 can be optional header, extra bytes FILHSZ-20 because +# do not rely on sizeof(FILHDR) to give the correct size for header. +# or first section header +# additional variables for other COFF files +>>>>16 uleshort =0 +# first section name s_name[8] like: .text .data .debug$S .drectve .testseg +>>>>>20 string x \b, 1st section name "%.8s" +# >20 beshort 0407 (impure) +# >20 beshort 0410 (pure) +# >20 beshort 0413 (demand paged) +# >20 beshort 0421 (standalone) +# >22 leshort >0 - version %d +# >168 string .lowmem Apple toolbox + diff --git a/magic/Magdir/commands b/magic/Magdir/commands new file mode 100644 index 0000000..6ad87fd --- /dev/null +++ b/magic/Magdir/commands @@ -0,0 +1,201 @@ + +#------------------------------------------------------------------------------ +# $File: commands,v 1.73 2022/11/06 18:39:23 christos Exp $ +# commands: file(1) magic for various shells and interpreters +# +#0 string/w : shell archive or script for antique kernel text +0 string/fwt #!\ /bin/sh POSIX shell script text executable +!:mime text/x-shellscript +0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) +!:mime text/x-shellscript +>10 string #\040This\040script\040was\040generated\040using\040Makeself \b, self-executable archive +>>53 string x \b, Makeself %s + +0 string/fwt #!\ /bin/csh C shell script text executable +!:mime text/x-shellscript + +# korn shell magic, sent by George Wu, gwu@clyde.att.com +0 string/fwt #!\ /bin/ksh Korn shell script text executable +!:mime text/x-shellscript +0 string/fwb #!\ /bin/ksh Korn shell script executable (binary data) +!:mime text/x-shellscript + +0 string/fwt #!\ /bin/tcsh Tenex C shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/tcsh Tenex C shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/tcsh Tenex C shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bin/tcsh Tenex C shell script text executable +!:mime text/x-shellscript + +# +# zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) +0 string/fwt #!\ /bin/zsh Paul Falstad's zsh script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/env\ zsh Paul Falstad's zsh script text executable +!:mime text/x-shellscript + +0 string/fwt #!\ /bin/ash Neil Brown's ash script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/ash Neil Brown's ash script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bin/ash Neil Brown's ash script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bin/ae Neil Brown's ae script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /bin/nawk new awk script text executable +!:mime text/x-nawk +0 string/fwt #!\ /usr/bin/nawk new awk script text executable +!:mime text/x-nawk +0 string/fwt #!\ /usr/local/bin/nawk new awk script text executable +!:mime text/x-nawk +0 string/fwt #!\ /bin/gawk GNU awk script text executable +!:mime text/x-gawk +0 string/wt #!\ /usr/bin/gawk GNU awk script text executable +!:mime text/x-gawk +0 string/fwt #!\ /usr/local/bin/gawk GNU awk script text executable +!:mime text/x-gawk +# +0 string/fwt #!\ /bin/awk awk script text executable +!:mime text/x-awk +0 string/fwt #!\ /usr/bin/awk awk script text executable +!:mime text/x-awk +0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text + +# AT&T Bell Labs' Plan 9 shell +0 string/fwt #!\ /bin/rc Plan 9 rc shell script text executable + +# bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) +0 string/fwt #!\ /bin/bash Bourne-Again shell script text executable +!:mime text/x-shellscript +0 string/fwb #!\ /bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/bash Bourne-Again shell script text executable +!:mime text/x-shellscript +0 string/fwb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bash Bourne-Again shell script text executable +!:mime text/x-shellscript +0 string/fwb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bin/bash Bourne-Again shell script text executable +!:mime text/x-shellscript +0 string/fwb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable +!:mime text/x-shellscript + +# Fish shell magic +# From: Benjamin Lowry <ben@ben.gmbh> +0 string/fwt #!\ /usr/local/bin/fish fish shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/fish fish shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable +!:mime text/x-shellscript + +0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable +!:mime text/x-tcl + +0 search/1/fwt #!\ /usr/bin/texlua LuaTex script text executable +!:mime text/x-luatex + +0 search/1/fwt #!\ /usr/bin/luatex LuaTex script text executable +!:mime text/x-luatex + +0 search/1/fwt #!\ /usr/bin/stap Systemtap script text executable +!:mime text/x-systemtap + +# From: Kylie McClain <kylie@somas.is> +# Type: execline scripts +# URL: https://skarnet.org/software/execline/ +0 string/fwt #!\ /command/execlineb execline script text executable +!:mime text/x-execline +0 string/fwt #!\ /bin/execlineb execline script text executable +!:mime text/x-execline +0 string/fwt #!\ /usr/bin/execlineb execline script text executable +!:mime text/x-execline +0 string/fwt #!\ /usr/bin/env\ execlineb execline script text executable +!:mime text/x-execline + +0 string #! +>0 regex \^#!.*/bin/execlineb([[:space:]].*)*$ execline script text executable +!:mime text/x-execline + +# PHP scripts +# Ulf Harnhammar <ulfh@update.uu.se> +0 search/1/c =<?php PHP script text +!:strength + 30 +!:mime text/x-php +0 search/1 =<?\n PHP script text +!:mime text/x-php +0 search/1 =<?\r PHP script text +!:mime text/x-php +0 search/1/w #!\ /usr/local/bin/php PHP script text executable +!:strength + 10 +!:mime text/x-php +0 search/1/w #!\ /usr/bin/php PHP script text executable +!:strength + 10 +!:mime text/x-php +# Smarty compiled template, https://www.smarty.net/ +# Elan Ruusamae <glen@delfi.ee> +0 string =<?php +>5 regex [\ \n] +>>6 string /*\ Smarty\ version Smarty compiled template +>>>24 regex [0-9.]+ \b, version %s +!:mime text/x-php + +0 string Zend\x00 PHP script Zend Optimizer data + +# From: Anatol Belski <ab@php.net> +0 string OPCACHE +>7 ubyte 0 PHP opcache filecache data + +0 search/64 --TEST-- +>16 search/64 --FILE-- +>24 search/8192 --EXPECT PHP core test +!:ext phpt + +# https://www.php.net/manual/en/phar.fileformat.signature.php +-4 string GBMB PHP phar archive +>-8 ubyte 0x1 with MD5 signature +!:ext phar +>-8 ubyte 0x2 with SHA1 signature +!:ext phar +>-8 ubyte 0x3 with SHA256 signature +!:ext phar +>-8 ubyte 0x4 with SHA512 signature +!:ext phar +>-8 ubyte 0x10 with OpenSSL signature +!:ext phar +>-8 ubyte 0x11 with OpenSSL SHA256 signature +!:ext phar +>-8 ubyte 0x12 with OpenSSL SHA512 signature +!:ext phar + +0 string/t $! DCL command file + +# Type: Pdmenu +# URL: https://packages.debian.org/pdmenu +# From: Edward Betts <edward@debian.org> +0 string #!/usr/bin/pdmenu Pdmenu configuration file text + +# From Danny Weldon +0 string \x0b\x13\x08\x00 +>0x04 uleshort <4 ksh byte-code version %d + +# From: arno <arenevier@fdn.fr> +# mozilla xpconnect typelib +# see https://www.mozilla.org/scriptable/typelib_file.html +0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib +>0x10 byte x version %d +>>0x11 byte x \b.%d + +0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable +0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable +0 string/fwt #!\ /usr/bin/env\ julia Julia script executable diff --git a/magic/Magdir/communications b/magic/Magdir/communications new file mode 100644 index 0000000..8e1d908 --- /dev/null +++ b/magic/Magdir/communications @@ -0,0 +1,22 @@ + +#---------------------------------------------------------------------------- +# $File: communications,v 1.5 2009/09/19 16:28:08 christos Exp $ +# communication + +# TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3. +# It is used for conformance testing of communication protocols. +# Added by W. Borgert <debacle@debian.org>. +0 string $Suite TTCN Abstract Test Suite +>&1 string $SuiteId +>>&1 string >\n %s +>&2 string $SuiteId +>>&1 string >\n %s +>&3 string $SuiteId +>>&1 string >\n %s + +# MSC (message sequence charts) are a formal description technique, +# described in ITU-T Z.120, mainly used for communication protocols. +# Added by W. Borgert <debacle@debian.org>. +0 string mscdocument Message Sequence Chart (document) +0 string msc Message Sequence Chart (chart) +0 string submsc Message Sequence Chart (subchart) diff --git a/magic/Magdir/compress b/magic/Magdir/compress new file mode 100644 index 0000000..c3f93fa --- /dev/null +++ b/magic/Magdir/compress @@ -0,0 +1,461 @@ +#------------------------------------------------------------------------------ +# $File: compress,v 1.91 2023/06/16 19:37:47 christos Exp $ +# compress: file(1) magic for pure-compression formats (no archives) +# +# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. +# +# Formats for various forms of compressed data +# Formats for "compress" proper have been moved into "compress.c", +# because it tries to uncompress it to figure out what's inside. + +# standard unix compress +0 string \037\235 compress'd data +!:mime application/x-compress +!:apple LZIVZIVU +!:ext Z +>2 byte&0x80 >0 block compressed +>2 byte&0x1f x %d bits + +# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) +# URL: https://en.wikipedia.org/wiki/Gzip +# Reference: https://tools.ietf.org/html/rfc1952 +# Update: Joerg Jenderek, Apr 2019, Dec 2022 +# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 +# * Original filename is only at offset 10 if "extra field" absent +# * Produce shorter output - notably, only report compression methods +# other than 8 ("deflate", the only method defined in RFC 1952). +# Note: find defs -iname '*.trid.xml' -exec grep -q '<Bytes>1F8B08' {} \; -ls +# TODO: +# FBR Blueberry FlashBack screen Record https://www.flashbackrecorder.com/ +# KPR KOffice/Calligra KPresenter application/x-kpresenter +# KPT KOffice/Calligra KPresenter template? application/x-kpresenter +# SAV Diggles Saved Game File http://www.innonics.com +# SAV FarCry (demo) saved game http://www.farcry-thegame.com +# DAT ZOAGZIP game data format http://en.wikipedia.org/wiki/SD_Gundam_Capsule_Fighter +0 string \037\213 +# to display gzip compressed (strength=100=2*50) before other (strength=50)? +#!:strength * 2 +# no FNAME and FCOMMENT bit implies no file name/comment. That means only binary +>3 byte&0x18 =0 +# For binary gzipped no ASCII text should occur +# mcd-monu-cad.trid.xml +>>10 string MCD Monu-Cad Drawing, Component or Font +#>>36 string Created\ with\ MONU-CAD +#!:mime application/octet-stream +# http://fileformats.archiveteam.org/wiki/Monu-CAD +# http://www.monucad.com/downloads/FullDemo-2005.EXE +# /HANDS96.MCC Component +# /DEMO_DD01.MCD Drawing +# /MCALF020.FNT Font +!:ext mcc/mcd/fnt +# http://www.generalcadd.com +>>10 string GXD General CADD, Drawing or Component +#!:mime application/octet-stream +# /gxc/BUILDINGEDGE.gxc Component +# /gxd/HOCKETT-STPAUL-WRHSE.gxd Drawing +# /gxd/POWERLAND-MILL-ADD-11.gxd Drawing v9.1.06 +!:ext gxc/gxd +#>>>13 ubyte 0 \b, version 0 +>>>13 string 09 \b, version 9 +# other gzipped binary like gzipped tar, VirtualBox extension package,... +>>10 default x gzip compressed data +!:mime application/gzip +>>>0 use gzip-info +# size of the original (uncompressed) input data modulo 2^32 +# TODO: check for GXD MCD cad the reported size +>>>-4 ulelong x \b, original size modulo 2^32 %u +# gzipped TAR or VirtualBox extension package +#!:mime application/x-compressed-tar +#!:mime application/x-virtualbox-vbox-extpack +# https://www.w3.org/TR/SVG/mimereg.html +#!:mime image/svg+xml-compressed +# zlib.3.gz +# microcode-20180312.tgz +# tpz same as tgz +# lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg +# Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack +# trees.blend http://fileformats.archiveteam.org/wiki/BLEND +# 2020-07-19-Note-16-24.xoj https://xournal.sourceforge.net/manual.html +# MYgnucash-gz.gnucash https://wiki.gnucash.org/wiki/GnuCash_XML_format +# text-rotate.dia https://en.wikipedia.org/wiki/Dia_(software) +# MYrdata.RData https://en.wikipedia.org/wiki/R_(programming_language) +!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz/blend/dia/gnucash/rdata/xoj +# FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text +>3 byte&0x18 >0 gzip compressed data +!:mime application/gzip +# gzipped tar, gzipped Abiword document +#!:mime application/x-compressed-tar +#!:mime application/x-abiword-compressed +#!:mime image/image/svg+xml-compressed +# kleopatra_splashscreen.svgz gzipped .svg +# RSI-Mega-Demo_Disk1.adz gzipped .adf http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# PostbankTest.kmy gzipped XML https://docs.kde.org/stable5/en/kmymoney/kmymoney/details.formats.compressed.html +# Logo.xcfgz gzipped .xcf http://fileformats.archiveteam.org/wiki/XCF +!:ext gz/tgz/tpz/zabw/svgz/adz/kmy/xcfgz +>>0 use gzip-info +# size of the original (uncompressed) input data modulo 2^32 +>>-4 ulelong x \b, original size modulo 2^32 %u +# display information of gzip compressed files +0 name gzip-info +#>2 byte x THIS iS GZIP +>2 byte <8 \b, reserved method +>2 byte >8 \b, unknown method +>3 byte &0x01 \b, ASCII +>3 byte &0x02 \b, has CRC +>3 byte &0x04 \b, extra field +>3 byte&0xC =0x08 +>>10 string x \b, was "%s" +>3 byte &0x10 \b, has comment +>3 byte &0x20 \b, encrypted +>4 ledate >0 \b, last modified: %s +>8 byte 2 \b, max compression +>8 byte 4 \b, max speed +>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) +>9 byte =0x01 \b, from Amiga +>9 byte =0x02 \b, from VMS +>9 byte =0x03 \b, from Unix +>9 byte =0x04 \b, from VM/CMS +>9 byte =0x05 \b, from Atari +>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) +>9 byte =0x07 \b, from MacOS +>9 byte =0x08 \b, from Z-System +>9 byte =0x09 \b, from CP/M +>9 byte =0x0A \b, from TOPS/20 +>9 byte =0x0B \b, from NTFS filesystem (NT) +>9 byte =0x0C \b, from QDOS +>9 byte =0x0D \b, from Acorn RISCOS +# size of the original (uncompressed) input data modulo 2^32 +#>-4 ulelong x \b, original size modulo 2^32 %u +#ERROR: line 114: non zero offset 1048572 at level 1 + +# packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis +0 string \037\036 packed data +!:mime application/octet-stream +!:ext z +>2 belong >1 \b, %d characters originally +>2 belong =1 \b, %d character originally +# +# This magic number is byte-order-independent. +0 short 0x1f1f old packed data +!:mime application/octet-stream + +# XXX - why *two* entries for "compacted data", one of which is +# byte-order independent, and one of which is byte-order dependent? +# +0 short 0x1fff compacted data +!:mime application/octet-stream +# This string is valid for SunOS (BE) and a matching "short" is listed +# in the Ultrix (LE) magic file. +0 string \377\037 compacted data +!:mime application/octet-stream +0 short 0145405 huf output +!:mime application/octet-stream + +# bzip2 +0 string BZh bzip2 compressed data +!:mime application/x-bzip2 +!:ext bz2 +>3 byte >47 \b, block size = %c00k + +# bzip a block-sorting file compressor +# by Julian Seward <sewardj@cs.man.ac.uk> and others +0 string BZ0 bzip compressed data +!:mime application/x-bzip +>3 byte >47 \b, block size = %c00k + +# lzip +0 string LZIP lzip compressed data +!:mime application/x-lzip +!:ext lz +>4 byte x \b, version: %d + +# squeeze and crunch +# Michael Haardt <michael@cantor.informatik.rwth-aachen.de> +0 beshort 0x76FF squeezed data, +>4 string x original name %s +0 beshort 0x76FE crunched data, +>2 string x original name %s +0 beshort 0x76FD LZH compressed data, +>2 string x original name %s + +# Freeze +0 string \037\237 frozen file 2.1 +0 string \037\236 frozen file 1.0 (or gzip 0.5) + +# SCO compress -H (LZH) +0 string \037\240 SCO compress -H (LZH) data + +# European GSM 06.10 is a provisional standard for full-rate speech +# transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse +# excitation/long term prediction) coding at 13 kbit/s. +# +# There's only a magic nibble (4 bits); that nibble repeats every 33 +# bytes. This isn't suited for use, but maybe we can use it someday. +# +# This will cause very short GSM files to be declared as data and +# mismatches to be declared as data too! +#0 byte&0xF0 0xd0 data +#>33 byte&0xF0 0xd0 +#>66 byte&0xF0 0xd0 +#>99 byte&0xF0 0xd0 +#>132 byte&0xF0 0xd0 GSM 06.10 compressed audio + +# lzop from <markus.oberhumer@jk.uni-linz.ac.at> +0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data +!:ext lzo +>9 beshort <0x0940 +>>9 byte&0xf0 =0x00 - version 0. +>>9 beshort&0x0fff x \b%03x, +>>13 byte 1 LZO1X-1, +>>13 byte 2 LZO1X-1(15), +>>13 byte 3 LZO1X-999, +## >>22 bedate >0 last modified: %s, +>>14 byte =0x00 os: MS-DOS +>>14 byte =0x01 os: Amiga +>>14 byte =0x02 os: VMS +>>14 byte =0x03 os: Unix +>>14 byte =0x05 os: Atari +>>14 byte =0x06 os: OS/2 +>>14 byte =0x07 os: MacOS +>>14 byte =0x0A os: Tops/20 +>>14 byte =0x0B os: WinNT +>>14 byte =0x0E os: Win32 +>9 beshort >0x0939 +>>9 byte&0xf0 =0x00 - version 0. +>>9 byte&0xf0 =0x10 - version 1. +>>9 byte&0xf0 =0x20 - version 2. +>>9 beshort&0x0fff x \b%03x, +>>15 byte 1 LZO1X-1, +>>15 byte 2 LZO1X-1(15), +>>15 byte 3 LZO1X-999, +## >>25 bedate >0 last modified: %s, +>>17 byte =0x00 os: MS-DOS +>>17 byte =0x01 os: Amiga +>>17 byte =0x02 os: VMS +>>17 byte =0x03 os: Unix +>>17 byte =0x05 os: Atari +>>17 byte =0x06 os: OS/2 +>>17 byte =0x07 os: MacOS +>>17 byte =0x0A os: Tops/20 +>>17 byte =0x0B os: WinNT +>>17 byte =0x0E os: Win32 + +# 4.3BSD-Quasijarus Strong Compression +# https://minnie.tuhs.org/Quasijarus/compress.html +0 string \037\241 Quasijarus strong compressed data + +# From: Cory Dikkers <cdikkers@swbell.net> +0 string XPKF Amiga xpkf.library compressed data +0 string PP11 Power Packer 1.1 compressed data +0 string PP20 Power Packer 2.0 compressed data, +>4 belong 0x09090909 fast compression +>4 belong 0x090A0A0A mediocre compression +>4 belong 0x090A0B0B good compression +>4 belong 0x090A0C0C very good compression +>4 belong 0x090A0C0D best compression + +# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) +# https://www.7-zip.org or DOC/7zFormat.txt +# +0 string 7z\274\257\047\034 7-zip archive data, +>6 byte x version %d +>7 byte x \b.%d +!:mime application/x-7z-compressed +!:ext 7z/cb7 + +0 name lzma LZMA compressed data, +!:mime application/x-lzma +!:ext lzma +>5 lequad =0xffffffffffffffff streamed +>5 lequad !0xffffffffffffffff non-streamed, size %lld + +# Type: LZMA +0 lelong&0xffffff =0x5d +>12 leshort 0xff +>>0 use lzma +>12 leshort 0 +>>0 use lzma + +# http://tukaani.org/xz/xz-file-format.txt +0 ustring \xFD7zXZ\x00 XZ compressed data, checksum +!:strength * 2 +!:mime application/x-xz +!:ext xz +>7 byte&0xf 0x0 NONE +>7 byte&0xf 0x1 CRC32 +>7 byte&0xf 0x4 CRC64 +>7 byte&0xf 0xa SHA-256 + +# https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt +0 string LRZI LRZIP compressed data +!:mime application/x-lrzip +>4 byte x - version %d +>5 byte x \b.%d +>22 byte 1 \b, encrypted + +# https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html +0 lelong 0x184d2204 LZ4 compressed data (v1.4+) +!:mime application/x-lz4 +!:ext lz4 +# Added by osm0sis@xda-developers.com +0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) +!:mime application/x-lz4 +0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9) +!:mime application/x-lz4 + +# Zstandard/LZ4 skippable frames +# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md +0 lelong&0xFFFFFFF0 0x184D2A50 +>(4.l+8) indirect x + +# Zstandard Dictionary ID subroutine +0 name zstd-dictionary-id +# Single Segment = True +>0 byte &0x20 \b, Dictionary ID: +>>0 byte&0x03 0 None +>>0 byte&0x03 1 +>>>1 byte x %u +>>0 byte&0x03 2 +>>>1 leshort x %u +>>0 byte&0x03 3 +>>>1 lelong x %u +# Single Segment = False +>0 byte ^0x20 \b, Dictionary ID: +>>0 byte&0x03 0 None +>>0 byte&0x03 1 +>>>2 byte x %u +>>0 byte&0x03 2 +>>>2 leshort x %u +>>0 byte&0x03 3 +>>>2 lelong x %u + +# Zstandard compressed data +# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md +0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) +!:mime application/zstd +!:ext zst +0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) +!:mime application/zstd +!:ext zst +0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) +!:mime application/zstd +!:ext zst +0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) +!:mime application/zstd +!:ext zst +0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) +!:mime application/zstd +!:ext zst +0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) +!:mime application/zstd +!:ext zst +>4 use zstd-dictionary-id +0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) +!:mime application/zstd +!:ext zst +>4 use zstd-dictionary-id + +# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md +0 lelong 0xEC30A437 Zstandard dictionary +!:mime application/x-std-dictionary +>4 lelong x (ID %u) + +# AFX compressed files (Wolfram Kleff) +2 string -afx- AFX compressed file data + +# Supplementary magic data for the file(1) command to support +# rzip(1). The format is described in magic(5). +# +# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with +# this file. +# +0 string RZIP rzip compressed data +>4 byte x - version %d +>5 byte x \b.%d +>6 belong x (%d bytes) + +0 string ArC\x01 FreeArc archive <http://freearc.org> + +# Type: DACT compressed files +0 long 0x444354C3 DACT compressed data +>4 byte >-1 (version %i. +>5 byte >-1 %i. +>6 byte >-1 %i) +>7 long >0 , original size: %i bytes +>15 long >30 , block size: %i bytes + +# Valve Pack (VPK) files +0 lelong 0x55aa1234 Valve Pak file +>0x4 lelong x \b, version %u +>0x8 lelong x \b, %u entries + +# Snappy framing format +# https://code.google.com/p/snappy/source/browse/trunk/framing_format.txt +0 string \377\006\0\0sNaPpY snappy framed data +!:mime application/x-snappy-framed + +# qpress, https://www.quicklz.com/ +0 string qpress10 qpress compressed data +!:mime application/x-qpress + +# Zlib https://www.ietf.org/rfc/rfc6713.txt +0 string/b x +>0 beshort%31 =0 +>>0 byte&0xf =8 +>>>0 byte&0x80 =0 zlib compressed data +!:mime application/zlib + +# BWC compression +0 string BWC +>3 byte 0 BWC compressed data + +# UCL compression +0 bequad 0x00e955434cff011a UCL compressed data + +# Softlib archive +0 string SLIB Softlib archive +>4 leshort x \b, version %d +>6 leshort x (contains %d files) + +# URL: https://github.com/lzfse/lzfse/blob/master/src/lzfse_internal.h#L276 +# From: Eric Hall <eric.hall@darkart.com> +0 string bvx- lzfse encoded, no compression +0 string bvx1 lzfse compressed, uncompressed tables +0 string bvx2 lzfse compressed, compressed tables +0 string bvxn lzfse encoded, lzvn compressed + +# pcxLib.exe compression program +# http://www.shikadi.net/moddingwiki/PCX_Library +0 string/b pcxLib +>0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm +0 uleshort 0x7c49 +>2 lelong 0x80 ORA FASTQ compressed file +>>6 ulelong x \b, DNA size %u +>>10 ulelong x \b, read names size %u +>>14 ulelong x \b, quality buffer 1 size %u +>>18 ulelong x \b, quality buffer 2 size %u +>>22 ulelong x \b, sequence buffer size %u +>>26 ulelong x \b, N-position buffer size %u +>>30 ulelong x \b, crypto buffer size %u +>>34 ulelong x \b, misc buffer 1 size %u +>>38 ulelong x \b, misc buffer 2 size %u +>>42 ulelong x \b, flags %#x +>>46 lelong x \b, read size %d +>>50 lelong x \b, number of reads %d +>>54 leshort x \b, version %d + +# https://github.com/kspalaiologos/bzip3/blob/master/doc/file_format.md +0 string/b BZ3v1 bzip3 compressed data +>5 ulelong x \b, blocksize %u + + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/\ +# SW/ORA/ORAFormatSpecification.htm +# From Guillaume Rizk +0 short =0x7C49 DRAGEN ORA file, +>-261 short =0x7C49 with metadata: +>-125 u8 x NB reads: %llu, +>-109 u8 x NB bases: %llu. +>-219 u4&0x02 2 File contains interleaved paired reads diff --git a/magic/Magdir/console b/magic/Magdir/console new file mode 100644 index 0000000..0ed53fe --- /dev/null +++ b/magic/Magdir/console @@ -0,0 +1,1226 @@ + +#------------------------------------------------------------------------------ +# $File: console,v 1.72 2023/06/16 19:24:06 christos Exp $ +# Console game magic +# Toby Deshane <hac@shoelace.digivill.net> + +# ines: file(1) magic for Marat's iNES Nintendo Entertainment System ROM dump format +# Updated by David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://wiki.nesdev.com/w/index.php/INES +# - https://wiki.nesdev.com/w/index.php/NES_2.0 + +# Common header for iNES, NES 2.0, and Wii U iNES. +0 name nes-rom-image-ines +>7 byte&0x0C =0x8 (NES 2.0) +>4 byte x \b: %ux16k PRG +>5 byte x \b, %ux8k CHR +>6 byte&0x08 =0x8 [4-Scr] +>6 byte&0x09 =0x0 [H-mirror] +>6 byte&0x09 =0x1 [V-mirror] +>6 byte&0x02 =0x2 [SRAM] +>6 byte&0x04 =0x4 [Trainer] +>7 byte&0x03 =0x2 [PC10] +>7 byte&0x03 =0x1 [VS] +>>7 byte&0x0C =0x8 +# NES 2.0: VS PPU +>>>13 byte&0x0F =0x0 \b, RP2C03B +>>>13 byte&0x0F =0x1 \b, RP2C03G +>>>13 byte&0x0F =0x2 \b, RP2C04-0001 +>>>13 byte&0x0F =0x3 \b, RP2C04-0002 +>>>13 byte&0x0F =0x4 \b, RP2C04-0003 +>>>13 byte&0x0F =0x5 \b, RP2C04-0004 +>>>13 byte&0x0F =0x6 \b, RP2C03B +>>>13 byte&0x0F =0x7 \b, RP2C03C +>>>13 byte&0x0F =0x8 \b, RP2C05-01 +>>>13 byte&0x0F =0x9 \b, RP2C05-02 +>>>13 byte&0x0F =0xA \b, RP2C05-03 +>>>13 byte&0x0F =0xB \b, RP2C05-04 +>>>13 byte&0x0F =0xC \b, RP2C05-05 +# TODO: VS protection hardware? +>>7 byte x \b] +# NES 2.0-specific flags. +>7 byte&0x0C =0x8 +>>12 byte&0x03 =0x0 [NTSC] +>>12 byte&0x03 =0x1 [PAL] +>>12 byte&0x02 =0x2 [NTSC+PAL] + +# Standard iNES ROM header. +0 string NES\x1A NES ROM image (iNES) +!:mime application/x-nes-rom +>0 use nes-rom-image-ines + +# Wii U Virtual Console iNES ROM header. +0 belong 0x4E455300 NES ROM image (Wii U Virtual Console) +!:mime application/x-nes-rom +>0 use nes-rom-image-ines + +#------------------------------------------------------------------------------ +# unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images +# Reference: https://wiki.nesdev.com/w/index.php/UNIF +# From: David Korth <gerbilsoft@gerbilsoft.com> +# +# NOTE: The UNIF format uses chunks instead of a fixed header, +# so most of the data isn't easily parseable. +# +0 string UNIF +>4 lelong <16 NES ROM image (UNIF v%d format) +!:mime application/x-nes-rom + +#------------------------------------------------------------------------------ +# fds: file(1) magic for Famicom Disk System disk images +# Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format +# From: David Korth <gerbilsoft@gerbilsoft.com> +# TODO: Check "Disk info block" and get info from that in addition to the optional header. + +# Disk info block. (block 1) +0 name nintendo-fds-disk-info-block +>23 byte !1 FMC- +>23 byte 1 FSC- +>16 string x \b%.3s +>15 ubyte x \b, mfr %02X +>20 ubyte x (Rev.%02u) + +# Headered version. +0 string FDS\x1A +>0x11 string *NINTENDO-HVC* Famicom Disk System disk image: +!:mime application/x-fds-disk +>>0x10 use nintendo-fds-disk-info-block +>4 byte 1 (%u side) +>4 byte !1 (%u sides) + +# Unheadered version. +1 string *NINTENDO-HVC* Famicom Disk System disk image: +!:mime application/x-fds-disk +>0 use nintendo-fds-disk-info-block + +#------------------------------------------------------------------------------ +# tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images +# Used by Nintendo 3DS NES Virtual Console games. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# +0 string TNES NES ROM image (Nintendo 3DS Virtual Console) +!:mime application/x-nes-rom +>4 byte 100 \b: FDS, +>>0x2010 use nintendo-fds-disk-info-block +>4 byte !100 \b: TNES mapper %u +>>5 byte x \b, %ux8k PRG +>>6 byte x \b, %ux8k CHR +>>7 byte&0x08 =1 [WRAM] +>>8 byte&0x09 =1 [H-mirror] +>>8 byte&0x09 =2 [V-mirror] +>>8 byte&0x02 =3 [VRAM] + +#------------------------------------------------------------------------------ +# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format +# Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header +# +0x104 bequad 0xCEED6666CC0D000B Game Boy ROM image +# TODO: application/x-gameboy-color-rom for GBC. +!:mime application/x-gameboy-rom +>0x143 byte&0x80 0x80 +>>0x134 string >\0 \b: "%.15s" +>0x143 byte&0x80 !0x80 +>>0x134 string >\0 \b: "%.16s" +>0x14c byte x (Rev.%02u) + +# Machine type. (SGB, CGB, SGB+CGB) +# Old licensee code 0x33 is required for SGB, but not CGB. +>0x14b byte 0x33 +>>0x146 byte 0x03 +>>>0x143 byte&0x80 0x80 [SGB+CGB] +>>>0x143 byte&0x80 !0x80 [SGB] +>>0x146 byte !0x03 +>>>0x143 byte&0xC0 0x80 [CGB] +>>>0x143 byte&0xC0 0xC0 [CGB ONLY] +>0x14b byte !0x33 +>>0x143 byte&0xC0 0x80 [CGB] +>>0x143 byte&0xC0 0xC0 [CGB ONLY] + +# Mapper. +>0x147 byte 0x00 [ROM ONLY] +>0x147 byte 0x01 [MBC1] +>0x147 byte 0x02 [MBC1+RAM] +>0x147 byte 0x03 [MBC1+RAM+BATT] +>0x147 byte 0x05 [MBC2] +>0x147 byte 0x06 [MBC2+BATTERY] +>0x147 byte 0x08 [ROM+RAM] +>0x147 byte 0x09 [ROM+RAM+BATTERY] +>0x147 byte 0x0B [MMM01] +>0x147 byte 0x0C [MMM01+SRAM] +>0x147 byte 0x0D [MMM01+SRAM+BATT] +>0x147 byte 0x0F [MBC3+TIMER+BATT] +>0x147 byte 0x10 [MBC3+TIMER+RAM+BATT] +>0x147 byte 0x11 [MBC3] +>0x147 byte 0x12 [MBC3+RAM] +>0x147 byte 0x13 [MBC3+RAM+BATT] +>0x147 byte 0x19 [MBC5] +>0x147 byte 0x1A [MBC5+RAM] +>0x147 byte 0x1B [MBC5+RAM+BATT] +>0x147 byte 0x1C [MBC5+RUMBLE] +>0x147 byte 0x1D [MBC5+RUMBLE+SRAM] +>0x147 byte 0x1E [MBC5+RUMBLE+SRAM+BATT] +>0x147 byte 0xFC [Pocket Camera] +>0x147 byte 0xFD [Bandai TAMA5] +>0x147 byte 0xFE [Hudson HuC-3] +>0x147 byte 0xFF [Hudson HuC-1] + +# ROM size. +>0x148 byte 0 \b, ROM: 256Kbit +>0x148 byte 1 \b, ROM: 512Kbit +>0x148 byte 2 \b, ROM: 1Mbit +>0x148 byte 3 \b, ROM: 2Mbit +>0x148 byte 4 \b, ROM: 4Mbit +>0x148 byte 5 \b, ROM: 8Mbit +>0x148 byte 6 \b, ROM: 16Mbit +>0x148 byte 7 \b, ROM: 32Mbit +>0x148 byte 0x52 \b, ROM: 9Mbit +>0x148 byte 0x53 \b, ROM: 10Mbit +>0x148 byte 0x54 \b, ROM: 12Mbit + +# RAM size. +>0x149 byte 1 \b, RAM: 16Kbit +>0x149 byte 2 \b, RAM: 64Kbit +>0x149 byte 3 \b, RAM: 256Kbit +>0x149 byte 4 \b, RAM: 1Mbit +>0x149 byte 5 \b, RAM: 512Kbit + +#------------------------------------------------------------------------------ +# genesis: file(1) magic for various Sega Mega Drive / Genesis ROM image and disc formats +# Updated by David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://www.retrodev.com/segacd.html +# - http://devster.monkeeh.com/sega/32xguide1.txt +# + +# Common Sega Mega Drive header format. +# FIXME: Name fields are 48 bytes, but have spaces for padding instead of 00s. +0 name sega-mega-drive-header +# ROM title. (Use domestic if present; if not, use international.) +>0x120 byte >0x20 +>>0x120 string >\0 \b: "%.16s" +>0x120 byte <0x21 +>>0x150 string >\0 \b: "%.16s" +# Other information. +>0x180 string >\0 (%.14s +>>0x110 string >\0 \b, %.16s +>0x180 byte 0 +>>0x110 string >\0 (%.16s +>0 byte x \b) + +# TODO: Check for 32X CD? +# Sega Mega CD disc images: 2048-byte sectors. +0 string SEGADISCSYSTEM\ \ Sega Mega CD disc image +!:mime application/x-sega-cd-rom +>0 use sega-mega-drive-header +>0 byte x \b, 2048-byte sectors +0 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image +!:mime application/x-sega-cd-rom +>0 use sega-mega-drive-header +>0 byte x \b, 2048-byte sectors +# Sega Mega CD disc images: 2352-byte sectors. +0x10 string SEGADISCSYSTEM\ \ Sega Mega CD disc image +!:mime application/x-sega-cd-rom +>0x10 use sega-mega-drive-header +>0 byte x \b, 2352-byte sectors +0x10 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image +!:mime application/x-sega-cd-rom +>0x10 use sega-mega-drive-header +>0 byte x \b, 2352-byte sectors + +# Sega Mega Drive: Identify the system ID. +0x100 string SEGA +>0x3C0 string MARS\ CHECK\ MODE Sega 32X ROM image +!:mime application/x-genesis-32x-rom +>>0 use sega-mega-drive-header +>0x104 string \ PICO Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string TOYS\ PICO Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string \ TOYS\ PICO Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string \ IAC Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string \ TERA68K Sega Teradrive (68K) ROM image +!:mime application/x-sega-teradrive-rom +>>0 use sega-mega-drive-header +>0x104 string \ TERA286 Sega Teradrive (286) ROM image +!:mime application/x-sega-teradrive-rom +>>0 use sega-mega-drive-header +>0x180 string BR Sega Mega CD Boot ROM image +!:mime application/x-genesis-rom +>>0 use sega-mega-drive-header +>0x104 default x Sega Mega Drive / Genesis ROM image +!:mime application/x-genesis-rom +>>0 use sega-mega-drive-header + +# Sega Mega Drive: Some ROMs have "SEGA" at 0x101, not 0x100. +0x100 string \ SEGA Sega Mega Drive / Genesis ROM image +>0 use sega-mega-drive-header + +# Sega Pico ROMs that don't start with "SEGA". +0x100 string SAMSUNG\ PICO Samsung Pico ROM image +!:mime application/x-sega-pico-rom +>0 use sega-mega-drive-header +0x100 string IMA\ IKUNOUJYUKU Samsung Pico ROM image +!:mime application/x-sega-pico-rom +>0 use sega-mega-drive-header +0x100 string IMA IKUNOJYUKU Samsung Pico ROM image +!:mime application/x-sega-pico-rom +>0 use sega-mega-drive-header + +# Sega Picture Magic (modified 32X) +0x100 string Picture\ Magic +>0x3C0 string PICTURE MAGIC-01 Sega 32X ROM image +!:mime application/x-genesis-32x-rom +>>0 use sega-mega-drive-header + +#------------------------------------------------------------------------------ +# genesis: file(1) magic for the Super MegaDrive ROM dump format +# + +# NOTE: Due to interleaving, we can't display anything +# other than the copier header information. +0 name sega-genesis-smd-header +>0 byte x %dx16k blocks +>2 byte 0 \b, last in series or standalone +>2 byte >0 \b, split ROM + +# "Sega Genesis" header. +0x280 string EAGN +>8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format): +!:mime application/x-genesis-rom +>>0 use sega-genesis-smd-header + +# "Sega Mega Drive" header. +0x280 string EAMG +>8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format): +!:mime application/x-genesis-rom +>>0 use sega-genesis-smd-header + +#------------------------------------------------------------------------------ +# smsgg: file(1) magic for Sega Master System and Game Gear ROM images +# Detects all Game Gear and export Sega Master System ROM images, +# and some Japanese Sega Master System ROM images. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://www.smspower.org/Development/ROMHeader +# + +# General SMS header rule. +# The SMS boot ROM checks the header at three locations. +0 name sega-master-system-rom-header +# Machine type. +>0x0F byte&0xF0 0x30 Sega Master System +!:mime application/x-sms-rom +>0x0F byte&0xF0 0x40 Sega Master System +!:mime application/x-sms-rom +>0x0F byte&0xF0 0x50 Sega Game Gear +!:mime application/x-gamegear-rom +>0x0F byte&0xF0 0x60 Sega Game Gear +!:mime application/x-gamegear-rom +>0x0F byte&0xF0 0x70 Sega Game Gear +!:mime application/x-gamegear-rom +>0x0F default x Sega Master System / Game Gear +!:mime application/x-sms-rom +>0 byte x ROM image: +# Product code. +>0x0E byte&0xF0 0x10 1 +>0x0E byte&0xF0 0x20 2 +>0x0E byte&0xF0 0x30 3 +>0x0E byte&0xF0 0x40 4 +>0x0E byte&0xF0 0x50 5 +>0x0E byte&0xF0 0x60 6 +>0x0E byte&0xF0 0x70 7 +>0x0E byte&0xF0 0x80 8 +>0x0E byte&0xF0 0x90 9 +>0x0E byte&0xF0 0xA0 10 +>0x0E byte&0xF0 0xB0 11 +>0x0E byte&0xF0 0xC0 12 +>0x0E byte&0xF0 0xD0 13 +>0x0E byte&0xF0 0xE0 14 +>0x0E byte&0xF0 0xF0 15 +# If the product code is 5 digits, we'll need to backspace here. +>0x0E byte&0xF0 !0 +>>0x0C leshort x \b%04x +>0x0E byte&0xF0 0 +>>0x0C leshort x %04x +# Revision. +>0x0E byte&0x0F x (Rev.%02d) +# ROM size. (Used for the boot ROM checksum routine.) +>0x0F byte&0x0F 0x0A (8 KB) +>0x0F byte&0x0F 0x0B (16 KB) +>0x0F byte&0x0F 0x0C (32 KB) +>0x0F byte&0x0F 0x0D (48 KB) +>0x0F byte&0x0F 0x0E (64 KB) +>0x0F byte&0x0F 0x0F (128 KB) +>0x0F byte&0x0F 0x00 (256 KB) +>0x0F byte&0x0F 0x01 (512 KB) +>0x0F byte&0x0F 0x02 (1 MB) + +# SMS/GG header locations. +0x7FF0 string TMR\ SEGA +>0x7FF0 use sega-master-system-rom-header +0x3FF0 string TMR\ SEGA +>0x3FF0 use sega-master-system-rom-header +0x1FF0 string TMR\ SEGA +>0x1FF0 use sega-master-system-rom-header + +#------------------------------------------------------------------------------ +# saturn: file(1) magic for the Sega Saturn disc image format. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# + +# Common Sega Saturn disc header format. +# NOTE: Title is 112 bytes, but we're only showing 32 due to space padding. +# TODO: Release date, device information, region code, others? +0 name sega-saturn-disc-header +>0x60 string >\0 \b: "%.32s" +>0x20 string >\0 (%.10s +>>0x2A string >\0 \b, %.6s) +>>0x2A byte 0 \b) + +# 2048-byte sector version. +0 string SEGA\ SEGASATURN\ Sega Saturn disc image +!:mime application/x-saturn-rom +>0 use sega-saturn-disc-header +>0 byte x (2048-byte sectors) +# 2352-byte sector version. +0x10 string SEGA\ SEGASATURN\ Sega Saturn disc image +!:mime application/x-saturn-rom +>0x10 use sega-saturn-disc-header +>0 byte x (2352-byte sectors) + +#------------------------------------------------------------------------------ +# dreamcast: file(1) magic for the Sega Dreamcast disc image format. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://mc.pp.se/dc/ip0000.bin.html +# + +# Common Sega Dreamcast disc header format. +# NOTE: Title is 128 bytes, but we're only showing 32 due to space padding. +# TODO: Release date, device information, region code, others? +0 name sega-dreamcast-disc-header +>0x80 string >\0 \b: "%.32s" +>0x40 string >\0 (%.10s +>>0x4A string >\0 \b, %.6s) +>>0x4A byte 0 \b) + +# 2048-byte sector version. +0 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image +!:mime application/x-dc-rom +>0 use sega-dreamcast-disc-header +>0 byte x (2048-byte sectors) +# 2352-byte sector version. +0x10 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image +!:mime application/x-dc-rom +>0x10 use sega-dreamcast-disc-header +>0 byte x (2352-byte sectors) + +#------------------------------------------------------------------------------ +# dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format +# +0 belong 0x21068028 Sega Dreamcast VMU game image +0 string LCDi Dream Animator file + +#------------------------------------------------------------------------------ +# z64: file(1) magic for the Z64 format N64 ROM dumps +# Reference: http://forum.pj64-emu.com/showthread.php?t=2239 +# From: David Korth <gerbilsoft@gerbilsoft.com> +# +0 bequad 0x803712400000000F Nintendo 64 ROM image +!:mime application/x-n64-rom +>0x20 string >\0 \b: "%.20s" +>0x3B string x (%.4s +>0x3F byte x \b, Rev.%02u) + +#------------------------------------------------------------------------------ +# v64: file(1) magic for the V64 format N64 ROM dumps +# Same as z64 format, but with 16-bit byteswapping. +# +0 bequad 0x3780401200000F00 Nintendo 64 ROM image (V64) +!:mime application/x-n64-rom + +#------------------------------------------------------------------------------ +# n64-swap2: file(1) magic for the swap2 format N64 ROM dumps +# Same as z64 format, but with swapped 16-bit words. +# +0 bequad 0x12408037000F0000 Nintendo 64 ROM image (wordswapped) +!:mime application/x-n64-rom + +#------------------------------------------------------------------------------ +# n64-le32: file(1) magic for the 32-bit byteswapped format N64 ROM dumps +# Same as z64 format, but with 32-bit byteswapping. +# +0 bequad 0x401237800F000000 Nintendo 64 ROM image (32-bit byteswapped) +!:mime application/x-n64-rom + +#------------------------------------------------------------------------------ +# gba: file(1) magic for the Nintendo Game Boy Advance raw ROM format +# Reference: https://problemkaputt.de/gbatek.htm#gbacartridgeheader +# +# Original version from: "Nelson A. de Oliveira" <naoliv@gmail.com> +# Updated version from: David Korth <gerbilsoft@gerbilsoft.com> +# +4 bequad 0x24FFAE51699AA221 Game Boy Advance ROM image +!:mime application/x-gba-rom +>0xA0 string >\0 \b: "%.12s" +>0xAC string x (%.6s +>0xBC byte x \b, Rev.%02u) + +#------------------------------------------------------------------------------ +# nds: file(1) magic for the Nintendo DS(i) raw ROM format +# Reference: https://problemkaputt.de/gbatek.htm#dscartridgeheader +# +# Original version from: "Nelson A. de Oliveira" <naoliv@gmail.com> +# Updated version from: David Korth <gerbilsoft@gerbilsoft.com> +# +0xC0 bequad 0x24FFAE51699AA221 Nintendo DS ROM image +!:mime application/x-nintendo-ds-rom +>0x00 string >\0 \b: "%.12s" +>0x0C string x (%.6s +>0x1E byte x \b, Rev.%02u) +>0x12 byte 2 (DSi enhanced) +>0x12 byte 3 (DSi only) +# Secure Area check. +>0x20 lelong <0x4000 (homebrew) +>0x20 lelong >0x3FFF +>>0x4000 lequad 0x0000000000000000 (multiboot) +>>0x4000 lequad !0x0000000000000000 +>>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted) +>>>0x4000 lequad !0xE7FFDEFFE7FFDEFF +>>>>0x1000 lequad 0x0000000000000000 (encrypted) +>>>>0x1000 lequad !0x0000000000000000 (mask ROM) + +#------------------------------------------------------------------------------ +# nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot. +# This is also used for loading .nds files using the MSET exploit on 3DS. +# Reference: https://github.com/devkitPro/ndstool/blob/master/source/ndscreate.cpp +0xC0 bequad 0xC8604FE201708FE2 Nintendo DS Slot-2 ROM image (PassMe) +!:mime application/x-nintendo-ds-rom + +#------------------------------------------------------------------------------ +# ngp: file(1) magic for the Neo Geo Pocket (Color) raw ROM format. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp +# - https://www.devrs.com/ngp/files/ngpctech.txt +# +0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket +!:mime application/x-neo-geo-pocket-rom +>0x23 byte 0x10 Color +>0 byte x ROM image +>0x24 string >\0 \b: "%.12s" +>0x21 uleshort x \b, NEOP%04X +>0x1F ubyte 0xFF (debug mode enabled) + +#------------------------------------------------------------------------------ +# msx: file(1) magic for MSX game cartridge dumps +# Too simple - MPi +#0 beshort 0x4142 MSX game cartridge dump + +#------------------------------------------------------------------------------ +# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : +0 string PS-X\ EXE Sony Playstation executable +>16 lelong x PC=%#08x, +>20 lelong !0 GP=%#08x, +>24 lelong !0 .text=[%#08x, +>>28 lelong x \b%#x], +>32 lelong !0 .data=[%#08x, +>>36 lelong x \b%#x], +>40 lelong !0 .bss=[%#08x, +>>44 lelong x \b%#x], +>48 lelong !0 Stack=%#08x, +>48 lelong =0 No Stack!, +>52 lelong !0 StackSize=%#x, +#>76 string >\0 (%s) +# Area: +>113 string x (%s) + +# CPE executables +0 string CPE CPE executable +>3 byte x (version %d) + +# Sony PlayStation archive (PSARC) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.psdevwiki.com/ps3/PlayStation_archive_(PSARC) +0 string PSAR Sony PlayStation Archive +!:ext psarc +>4 ubeshort x \b, version %d. +>6 ubeshort x \b%d +>8 string zlib \b, zlib compression +>8 string lzma \b, LZMA compression +>28 ubeshort&2 0 \b, relative paths +>28 ubeshort&2 2 \b, absolute paths +>28 ubeshort&1 1 \b, ignore case + +#------------------------------------------------------------------------------ +# Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>) +0 string XBEH Microsoft Xbox executable +!:mime audio/x-xbox-executable +!:ext xbe +# expect base address of 0x10000 +>0x0104 ulelong =0x10000 +>>(0x0118.l-0x0FFF4) lestring16 x \b: "%.40s" +>>(0x0118.l-0x0FFF5) byte x (%c +>>(0x0118.l-0x0FFF6) byte x \b%c- +>>(0x0118.l-0x0FFF8) uleshort x \b%03u) +>>(0x0118.l-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions +>>(0x0118.l-0x0FF60) ulelong&0x80000007 !0x80000007 +>>>(0x0118.l-0x0FF60) ulelong >0 (regions: +>>>>(0x0118.l-0x0FF60) ulelong &0x00000001 NA +>>>>(0x0118.l-0x0FF60) ulelong &0x00000002 Japan +>>>>(0x0118.l-0x0FF60) ulelong &0x00000004 Rest_of_World +>>>>(0x0118.l-0x0FF60) ulelong &0x80000000 Manufacturer +>>>(0x0118.l-0x0FF60) ulelong >0 \b) +# probabilistic checks whether signed or not +>0x0004 ulelong =0x0 +>>&2 ulelong =0x0 +>>>&2 ulelong =0x0 \b, not signed +>0x0004 ulelong >0 +>>&2 ulelong >0 +>>>&2 ulelong >0 \b, signed + +# -------------------------------- +# Microsoft Xbox data file formats +0 string XIP0 XIP, Microsoft Xbox data +0 string XTF0 XTF, Microsoft Xbox data + +#------------------------------------------------------------------------------ +# Microsoft Xbox 360 executables (.xex) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://free60project.github.io/wiki/XEX.html +# - https://github.com/xenia-project/xenia/blob/HEAD/src/xenia/kernel/util/xex2_info.h + +# Title ID (part of Execution ID section) +0 name xbox-360-xex-execution-id +>(0.L+0xC) byte x (%c +>(0.L+0xD) byte x \b%c +>(0.L+0xE) beshort x \b-%04u, media ID: +>(0.L) belong x %08X) + +# Region code (part of Security Info) +0 name xbox-360-xex-region-code +>0 ubelong 0xFFFFFFFF \b, all regions +>0 ubelong !0xFFFFFFFF +>>0 ubelong >0 (regions: +>>0 ubelong&0x000000FF 0x000000FF USA +>>0 ubelong&0x00000100 0x00000100 Japan +>>0 ubelong&0x00000200 0x00000200 China +>>0 ubelong&0x0000FC00 0x0000FC00 Asia +>>0 ubelong&0x00FF0000 0x00FF0000 PAL +>>0 ubelong&0x00FF0000 0x00FE0000 PAL [except AU/NZ] +>>0 ubelong&0x00FF0000 0x00010000 AU/NZ +>>0 ubelong&0xFF000000 0xFF000000 Other +>>0 ubelong >0 \b) + +0 string XEX2 Microsoft Xbox 360 executable +!:mime audio/x-xbox360-executable +!:ext xex +>0x18 search/0x100 \x00\x04\x00\x06 +>>&0 use xbox-360-xex-execution-id +>(0x010.L+0x178) use xbox-360-xex-region-code + +0 string XEX1 Microsoft Xbox 360 executable (XEX1) +!:mime audio/x-xbox360-executable +!:ext xex +>0x18 search/0x100 \x00\x04\x00\x06 +>>&0 use xbox-360-xex-execution-id +>(0x010.L+0x154) use xbox-360-xex-region-code + +#------------------------------------------------------------------------------ +# Microsoft Xbox 360 packages +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://free60project.github.io/wiki/STFS.html +# - https://github.com/xenia-project/xenia/blob/HEAD/src/xenia/kernel/util/xex2_info.h + +# TODO: More information for console-signed packages. + +0 name xbox-360-package +>0x360 byte x (%c +>0x361 byte x \b%c +>0x362 beshort x \b-%04u, media ID: +>0x354 belong x %08X) +>0x344 belong x \b, content type: +>>0x344 belong 0x1 Saved Game +>>0x344 belong 0x2 Marketplace Content +>>0x344 belong 0x3 Publisher +>>0x344 belong 0x1000 Xbox 360 Title +>>0x344 belong 0x2000 IPTV Pause Buffer +>>0x344 belong 0x4000 Installed Game +>>0x344 belong 0x5000 Original Xbox Game +>>0x344 belong 0x9000 Avatar Item +>>0x344 belong 0x10000 Profile +>>0x344 belong 0x20000 Gamer Picture +>>0x344 belong 0x30000 Theme +>>0x344 belong 0x40000 Cache File +>>0x344 belong 0x50000 Storage Download +>>0x344 belong 0x60000 Xbox Saved Game +>>0x344 belong 0x70000 Xbox Download +>>0x344 belong 0x80000 Game Demo +>>0x344 belong 0x90000 Video +>>0x344 belong 0xA0000 Game +>>0x344 belong 0xB0000 Installer +>>0x344 belong 0xC0000 Game Trailer +>>0x344 belong 0xD0000 Arcade Title +>>0x344 belong 0xE0000 XNA +>>0x344 belong 0xF0000 License Store +>>0x344 belong 0x100000 Movie +>>0x344 belong 0x200000 TV +>>0x344 belong 0x300000 Music Video +>>0x344 belong 0x400000 Game Video +>>0x344 belong 0x500000 Podcast Video +>>0x344 belong 0x600000 Viral Video +>>0x344 belong 0x2000000 Community Game + +0 string CON\x20 Microsoft Xbox 360 package (console-signed) +>0 use xbox-360-package +0 string PIRS +>0 belong 0 Microsoft Xbox 360 package (non-Xbox Live) +>>0 use xbox-360-package +0 string LIVE +>0x104 belong 0 Microsoft Xbox 360 package (Xbox Live) +>>0 use xbox-360-package + +# Atari Lynx cartridge dump (EXE/BLL header) +# From: "Stefan A. Haubenthal" <polluks@sdf.lonestar.org> +# Reference: +# https://raw.githubusercontent.com/cc65/cc65/master/libsrc/lynx/exehdr.s +# Double-check that the image type matches too, 0x8008 conflicts with +# 8 character OMF-86 object file headers. +0 beshort 0x8008 +>6 string BS93 Lynx homebrew cartridge +!:mime application/x-atari-lynx-rom +>>2 beshort x \b, RAM start $%04x +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml +# Note: called "Atari Lynx ROM" by TrID +0 string LYNX Lynx cartridge +!:mime application/x-atari-lynx-rom +!:ext lnx +# bank 0 page size like: 128 256 512 +>4 leshort/4 >0 \b, bank 0 %dk +>6 leshort/4 >0 \b, bank 1 %dk +# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX" +>10 string >\0 \b, "%.32s" +# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin" +>42 string >\0 \b, "%.16s" +# version number +#>8 leshort !1 \b, version number %u +# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx +>58 ubyte >0 \b, rotation %u +# spare +#>59 lelong !0 \b, spare %#x + +# Opera file system that is used on the 3DO console +# From: Serge van den Boom <svdb@stack.nl> +0 string \x01ZZZZZ\x01 3DO "Opera" file system + +# From: Alex Myczko <alex@aiei.ch> +# From: David Pflug <david@pflug.email> +# is the offset 12 or the offset 16 correct? +# GBS (Game Boy Sound) magic +# ftp://ftp.modland.com/pub/documents/format_documentation/\ +# Gameboy%20Sound%20System%20(.gbs).txt +0 string GBS Nintendo Gameboy Music/Audio Data +#12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module +>16 string >\0 ("%.32s" by +>48 string >\0 %.32s, copyright +>80 string >\0 %.32s), +>3 byte x version %u, +>4 byte x %u tracks + +# IPS Patch Files from: From: Thomas Klausner <tk@giga.or.at> +# see https://zerosoft.zophar.net/ips.php +0 string PATCH IPS patch file +!:ext ips + +# BPS Patch Files - from: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://www.romhacking.net/documents/746/ +0 string BPS1 BPS patch file +!:ext bps + +# APS Patch Files - from: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://github.com/btimofeev/UniPatcher/wiki/APS-(N64) +0 string APS10 APS patch file +!:ext aps +>5 byte 0 \b, simple patch +>5 byte 1 \b, N64-specific patch for +>>58 byte x N%c +>>59 byte x \b%c +>>60 byte x \b%c +>7 byte !0x20 +# FIXME: /T specifier isn't working with a fixed-length string. +>>7 string x \b: "%.50s" + +# UPS Patch Files - from: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: http://fileformats.archiveteam.org/wiki/UPS_(binary_patch_format) +0 string UPS1 UPS patch file +!:ext ups + +# Playstations Patch Files from: From: Thomas Klausner <tk@giga.or.at> +0 string PPF30 Playstation Patch File version 3.0 +>5 byte 0 \b, PPF 1.0 patch +>5 byte 1 \b, PPF 2.0 patch +>5 byte 2 \b, PPF 3.0 patch +>>56 byte 0 \b, Imagetype BIN (any) +>>56 byte 1 \b, Imagetype GI (PrimoDVD) +>>57 byte 0 \b, Blockcheck disabled +>>57 byte 1 \b, Blockcheck enabled +>>58 byte 0 \b, Undo data not available +>>58 byte 1 \b, Undo data available +>6 string x \b, description: %s + +0 string PPF20 Playstation Patch File version 2.0 +>5 byte 0 \b, PPF 1.0 patch +>5 byte 1 \b, PPF 2.0 patch +>>56 lelong >0 \b, size of file to patch %d +>6 string x \b, description: %s + +0 string PPF10 Playstation Patch File version 1.0 +>5 byte 0 \b, Simple Encoding +>6 string x \b, description: %s + +# Compressed ISO disc image (used mostly by PSP, PS2 and MegaDrive) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/.CSO +# NOTE: This is NOT the same as Compact ISO or GameCube/Wii disc image, +# though it has the same magic number. +0 string CISO +# Match CISO version 1 with ISO-9660 sector size +>20 ubyte <2 +>>16 ulelong =2048 CSO v1 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>8 ulequad x \b, original size %llu bytes +>>>16 ulelong x \b, datablock size %u bytes +# Match CISO version 2 +>20 ubyte =2 +>>22 uleshort =0 +>>>4 ulelong =24 CSO v2 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>>8 ulequad x \b, original size %llu bytes +>>>>16 ulelong x \b, datablock size %u bytes + +# From: Daniel Dawson <ddawson@icehouse.net> +# SNES9x .smv "movie" file format. +0 string SMV\x1A SNES9x input recording +>0x4 lelong x \b, version %d +# version 4 is latest so far +>0x4 lelong <5 +>>0x8 ledate x \b, recorded at %s +>>0xc lelong >0 \b, rerecorded %d times +>>0x10 lelong x \b, %d frames long +>>0x14 byte >0 \b, data for controller(s): +>>>0x14 byte &0x1 #1 +>>>0x14 byte &0x2 #2 +>>>0x14 byte &0x4 #3 +>>>0x14 byte &0x8 #4 +>>>0x14 byte &0x10 #5 +>>0x15 byte ^0x1 \b, begins from snapshot +>>0x15 byte &0x1 \b, begins from reset +>>0x15 byte ^0x2 \b, NTSC standard +>>0x15 byte &0x2 \b, PAL standard +>>0x17 byte &0x1 \b, settings: +# WIP1Timing not used as of version 4 +>>>0x4 lelong <4 +>>>>0x17 byte &0x2 WIP1Timing +>>>0x17 byte &0x4 Left+Right +>>>0x17 byte &0x8 VolumeEnvX +>>>0x17 byte &0x10 FakeMute +>>>0x17 byte &0x20 SyncSound +# New flag as of version 4 +>>>0x4 lelong >3 +>>>>0x17 byte &0x80 NoCPUShutdown +>>0x4 lelong <4 +>>>0x18 lelong >0x23 +>>>>0x20 leshort !0 +>>>>>0x20 lestring16 x \b, metadata: "%s" +>>0x4 lelong >3 +>>>0x24 byte >0 \b, port 1: +>>>>0x24 byte 1 joypad +>>>>0x24 byte 2 mouse +>>>>0x24 byte 3 SuperScope +>>>>0x24 byte 4 Justifier +>>>>0x24 byte 5 multitap +>>>0x24 byte >0 \b, port 2: +>>>>0x25 byte 1 joypad +>>>>0x25 byte 2 mouse +>>>>0x25 byte 3 SuperScope +>>>>0x25 byte 4 Justifier +>>>>0x25 byte 5 multitap +>>>0x18 lelong >0x43 +>>>>0x40 leshort !0 +>>>>>0x40 lestring16 x \b, metadata: "%s" +>>0x17 byte &0x40 \b, ROM: +>>>(0x18.l-26) lelong x CRC32 %#08x +>>>(0x18.l-23) string x "%s" + +# Type: scummVM savegame files +# From: Sven Hartge <debian@ds9.argh.org> +0 string SCVM ScummVM savegame +>12 string >\0 "%s" + +#------------------------------------------------------------------------------ +# Nintendo GameCube / Wii file formats. +# + +# Type: Nintendo GameCube/Wii common disc header data. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://wiibrew.org/wiki/Wii_Disc +0 name nintendo-gcn-disc-common +>0x20 string x "%.64s" +>0x00 string x (%.6s +>0x06 byte >0 +>>0x06 byte 1 \b, Disc 2 +>>0x06 byte 2 \b, Disc 3 +>>0x06 byte 3 \b, Disc 4 +>0x07 byte x \b, Rev.%02u) +>0x18 belong 0x5D1C9EA3 +>>0x60 beshort 0x0101 \b (Unencrypted) +>0x200 string NKIT \b (NKit compressed) + + +# Type: Nintendo GameCube disc image +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://wiibrew.org/wiki/Wii_Disc +0x1C belong 0xC2339F3D Nintendo GameCube disc image: +!:mime application/x-gamecube-rom +>0 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube embedded disc image +# Commonly found on demo discs. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: http://hitmen.c02.at/files/yagcd/yagcd/index.html#idx14.8 +0 belong 0xAE0F38A2 +>0x0C belong 0x00100000 +>>(8.L+0x1C) belong 0xC2339F3D Nintendo GameCube embedded disc image: +!:mime application/x-gamecube-rom +>>>(8.L) use nintendo-gcn-disc-common + +# Type: Nintendo Wii disc image +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://wiibrew.org/wiki/Wii_Disc +0x18 belong 0x5D1C9EA3 Nintendo Wii disc image: +>0 use nintendo-gcn-disc-common + +# Type: Nintendo Wii disc image (WBFS format) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://wiibrew.org/wiki/Wii_Disc +0 string WBFS +>0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format): +!:mime application/x-wii-rom +>>0x200 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (CISO format) +# NOTE: This is NOT the same as Compact ISO or PSP CISO, +# though it has the same magic number. +0 string CISO +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong 0x200000 +>>8 byte 1 +>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common +>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (GCZ format) +# Due to zlib compression, we can't get the actual disc information. +0 lelong 0xB10BC001 +>4 lelong 0 Nintendo GameCube disc image (GCZ format) +!:mime application/x-gamecube-rom +>4 lelong 1 Nintendo Wii disc image (GCZ format) +!:mime application/x-wii-rom +>4 default x Nintendo GameCube/Wii disc image (GCZ format) + +# Type: Nintendo GameCube/Wii disc image (WDF format) +0 string WII\001DISC +>8 belong 1 +# WDFv1 +>>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format): +!:mime application/x-gamecube-rom +>>>0x38 use nintendo-gcn-disc-common +>>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format): +!:mime application/x-wii-rom +>>>0x38 use nintendo-gcn-disc-common +>8 belong 2 +# WDFv2 +>>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format): +!:mime application/x-gamecube-rom +>>>(12.L) use nintendo-gcn-disc-common +>>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format): +!:mime application/x-wii-rom +>>>(12.L) use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (WIA format) +0 string WIA\001 Nintendo +>0x48 belong 1 GameCube +!:mime application/x-gamecube-rom +>0x48 belong 2 Wii +!:mime application/x-wii-rom +>0x48 default x GameCube/Wii +>0x48 belong x disc image (WIA format): +>>0x58 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (with SDK header) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://wiibrew.org/wiki/Wii_Disc +0 belong 0xFFFF0000 +>0x18 belong 0x00000000 +>>0x1C belong 0x00000000 +>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii SDK disc image: +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common +>>>0x801C belong 0xC2339F3D Nintendo GameCube SDK disc image: +!:mime application/x-gamecube-rom +>>>>0x8000 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (RVZ format) +0 string RVZ\001 Nintendo +>0x48 belong 1 GameCube +!:mime application/x-gamecube-rom +>0x48 belong 2 Wii +!:mime application/x-wii-rom +>0x48 default x GameCube/Wii +>0x48 belong x disc image (RVZ format): +>>0x58 use nintendo-gcn-disc-common + +#------------------------------------------------------------------------------ +# Nintendo 3DS file formats. +# + +# Type: Nintendo 3DS "NCSD" image. (game cards and eMMC) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://www.3dbrew.org/wiki/NCSD +0x100 string NCSD +>0x118 lequad 0 Nintendo 3DS Game Card image +# NCCH header for partition 0. (game data) +>>0x1150 string >\0 \b: "%.16s" +>>0x312 byte x (Rev.%02u) +>>0x118C byte 2 (New3DS only) +>>0x18D byte 0 (inner device) +>>0x18D byte 1 (Card1) +>>0x18D byte 2 (Card2) +>>0x18D byte 3 (extended device) +>0x118 bequad 0x0102020202000000 Nintendo 3DS eMMC dump (Old3DS) +>0x118 bequad 0x0102020203000000 Nintendo 3DS eMMC dump (New3DS) + +# Nintendo 3DS version code. +# Reference: https://www.3dbrew.org/wiki/Titles +# Format: leshort containing three fields: +# - 6-bit: Major +# - 6-bit: Minor +# - 4-bit: Revision +# NOTE: Only supporting major/minor versions from 0-15 right now. +# NOTE: Should be prefixed with "v". +0 name nintendo-3ds-version-code +# Raw version. +>0 leshort x \b%u, +# Major version. +>0 leshort&0xFC00 0x0000 0 +>0 leshort&0xFC00 0x0400 1 +>0 leshort&0xFC00 0x0800 2 +>0 leshort&0xFC00 0x0C00 3 +>0 leshort&0xFC00 0x1000 4 +>0 leshort&0xFC00 0x1400 5 +>0 leshort&0xFC00 0x1800 6 +>0 leshort&0xFC00 0x1C00 7 +>0 leshort&0xFC00 0x2000 8 +>0 leshort&0xFC00 0x2400 9 +>0 leshort&0xFC00 0x2800 10 +>0 leshort&0xFC00 0x2C00 11 +>0 leshort&0xFC00 0x3000 12 +>0 leshort&0xFC00 0x3400 13 +>0 leshort&0xFC00 0x3800 14 +>0 leshort&0xFC00 0x3C00 15 +# Minor version. +>0 leshort&0x03F0 0x0000 \b.0 +>0 leshort&0x03F0 0x0010 \b.1 +>0 leshort&0x03F0 0x0020 \b.2 +>0 leshort&0x03F0 0x0030 \b.3 +>0 leshort&0x03F0 0x0040 \b.4 +>0 leshort&0x03F0 0x0050 \b.5 +>0 leshort&0x03F0 0x0060 \b.6 +>0 leshort&0x03F0 0x0070 \b.7 +>0 leshort&0x03F0 0x0080 \b.8 +>0 leshort&0x03F0 0x0090 \b.9 +>0 leshort&0x03F0 0x00A0 \b.10 +>0 leshort&0x03F0 0x00B0 \b.11 +>0 leshort&0x03F0 0x00C0 \b.12 +>0 leshort&0x03F0 0x00D0 \b.13 +>0 leshort&0x03F0 0x00E0 \b.14 +>0 leshort&0x03F0 0x00F0 \b.15 +# Revision. +>0 leshort&0x000F x \b.%u + +# Type: Nintendo 3DS "NCCH" container. +# https://www.3dbrew.org/wiki/NCCH +0x100 string NCCH Nintendo 3DS +>0x18D byte&2 0 File Archive (CFA) +>0x18D byte&2 2 Executable Image (CXI) +>0x150 string >\0 \b: "%.16s" +>0x18D byte 0x05 +>>0x10E leshort x (Old3DS System Update v +>>0x10E use nintendo-3ds-version-code +>>0x10E leshort x \b) +>0x18D byte 0x15 +>>0x10E leshort x (New3DS System Update v +>>0x10E use nintendo-3ds-version-code +>>0x10E leshort x \b) +>0x18D byte !0x05 +>>0x18D byte !0x15 +>>>0x112 byte x (v +>>>0x112 use nintendo-3ds-version-code +>>>0x112 byte x \b) +>0x18C byte 2 (New3DS only) + +# Type: Nintendo 3DS "SMDH" file. (application description) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://3dbrew.org/wiki/SMDH +0 string SMDH Nintendo 3DS SMDH file +>0x208 leshort !0 +>>0x208 lestring16 x \b: "%.128s" +>>0x388 leshort !0 +>>>0x388 lestring16 x by %.128s +>0x208 leshort 0 +>>0x008 leshort !0 +>>>0x008 lestring16 x \b: "%.128s" +>>>0x188 leshort !0 +>>>>0x188 lestring16 x by %.128s + +# Type: Nintendo 3DS Homebrew Application. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://3dbrew.org/wiki/3DSX_Format +0 string 3DSX Nintendo 3DS Homebrew Application (3DSX) + +# Type: Nintendo 3DS Banner Model Data. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://3dbrew.org/wiki/CBMD +0 string CBMD\0\0\0\0 Nintendo 3DS Banner Model Data + +#------------------------------------------------------------------------------ +# a7800: file(1) magic for the Atari 7800 raw ROM format. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://sites.google.com/site/atari7800wiki/a78-header + +0 byte >0 +>0 byte <3 +>>1 string ATARI7800 Atari 7800 ROM image +!:mime application/x-atari-7800-rom +>>>0x11 string >\0 \b: "%.32s" +# Display type. +>>>0x39 byte 0 (NTSC) +>>>0x39 byte 1 (PAL) +>>>0x36 byte&1 1 (POKEY) + +#------------------------------------------------------------------------------ +# vectrex: file(1) magic for the GCE Vectrex raw ROM format. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: http://www.playvectrex.com/designit/chrissalo/hello1.htm +# +# NOTE: Title is terminated with 0x80, not 0. +# The header is terminated with a 0, so that will +# terminate the title as well. +# +0 string g\ GCE Vectrex ROM image +>0x11 string >\0 \b: "%.16s" + +#------------------------------------------------------------------------------ +# amiibo: file(1) magic for Nintendo amiibo NFC dumps. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://www.3dbrew.org/wiki/Amiibo +0x00 byte 0x04 +>0x0A beshort 0x0FE0 +>>0x0C belong 0xF110FFEE +>>>0x208 beshort 0x0100 +>>>>0x020A byte 0x0F +>>>>>0x020C bequad 0x000000045F000000 +>>>>>>0x5B byte 0x02 +>>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X- +>>>>>>>0x58 belong x \b%08X + +#------------------------------------------------------------------------------ +# Type: Nintendo Switch XCI (Game Cartridge Image) +# From: Benjamin Lowry <ben@ben.gmbh> +# Reference: https://switchbrew.org/wiki/Gamecard_Format +0x100 string HEAD +>0x10D byte 0xFA Nintendo Switch cartridge image (XCI), 1GB +>0x10D byte 0xF8 Nintendo Switch cartridge image (XCI), 2GB +>0x10D byte 0xF0 Nintendo Switch cartridge image (XCI), 4GB +>0x10D byte 0xE0 Nintendo Switch cartridge image (XCI), 8GB +>0x10D byte 0xE1 Nintendo Switch cartridge image (XCI), 16GB +>0x10D byte 0xE2 Nintendo Switch cartridge image (XCI), 32GB + +#------------------------------------------------------------------------------ +# Type: Nintendo Switch Executable +# From: Benjamin Lowry <ben@ben.gmbh> +# Reference: https://switchbrew.org/wiki/NSO +0x00 string NSO0 Nintendo Switch executable (NSO) + +#------------------------------------------------------------------------------ +# Type: Nintendo Switch PFS0 +# From: Benjamin Lowry <ben@ben.gmbh> +# Reference: https://switchbrew.org/wiki/NCA_Format#PFS0 +0x00 string PFS0 Nintendo Switch partition filesystem (PFS0) +>0x04 ulelong x \b, %d files + +#------------------------------------------------------------------------------ +# amiibo: file(1) magic for Nintendo Badge Arcade files. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/GerbilSoft/rom-properties/issues/92 +# - https://github.com/CaitSith2/BadgeArcadeTool +# - https://github.com/TheMachinumps/Advanced-badge-editor + +# PRBS: Individual badge and/or mega badge. +0 string PRBS +>0x44 byte >0x20 Nintendo Badge Arcade +>>0xB8 ulelong <2 +>>>0xBC ulelong <2 badge: +>>>0xBC ulelong >1 Mega Badge +>>>>0xB8 ulelong x (%ux +>>>>0xBC ulelong x \b%u): +>>0xB8 ulelong >1 Mega Badge +>>>0xB8 ulelong x (%ux +>>>0xBC ulelong x \b%u): +>0x44 string x "%s" +>0x3C ulelong x \b, badge ID: %u +>0x74 byte >0x20 +>>0x74 string x \b, set: "%s" +>0xA8 ulelong !0xFFFFFFFF +>>0xA8 ulelong x \b, launch title ID: %08X +>>0xA4 ulelong x \b-%08X + +# CABS: Badge set. +0 string CABS +>0x2C byte >0x20 Nintendo Badge Arcade badge set: +>>0x2C string x "%.48s" +>>0x24 ulelong x \b, set ID: %u + +#------------------------------------------------------------------------------ +# sufami: file(1) magic for Sufami Turbo ROM images. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://problemkaputt.de/fullsnes.htm#snescartsufamiturbominicartridgeadaptor +0 string BANDAI\ SFC-ADX +>0x10 string !SFC-ADX\ BACKUP Sufami Turbo ROM image: +>>0x10 string/T x "%.14s" +>>0x30 byte x \b, ID %02X +>>0x31 byte x \b%02X +>>0x32 byte x \b%02X +>>0x33 ubyte >0 \b, series index %u +>>0x34 ubyte 0 [SlowROM] +>>0x34 ubyte 1 [FastROM] +>>0x35 ubyte 1 [SRAM] +>>0x35 ubyte 3 [Special] diff --git a/magic/Magdir/convex b/magic/Magdir/convex new file mode 100644 index 0000000..6b28f76 --- /dev/null +++ b/magic/Magdir/convex @@ -0,0 +1,69 @@ + +#------------------------------------------------------------------------------ +# $File: convex,v 1.8 2012/10/03 23:44:43 christos Exp $ +# convex: file(1) magic for Convex boxes +# +# Convexes are big-endian. +# +# /*\ +# * Below are the magic numbers and tests added for Convex. +# * Added at beginning, because they are expected to be used most. +# \*/ +0 belong 0507 Convex old-style object +>16 belong >0 not stripped +0 belong 0513 Convex old-style demand paged executable +>16 belong >0 not stripped +0 belong 0515 Convex old-style pre-paged executable +>16 belong >0 not stripped +0 belong 0517 Convex old-style pre-paged, non-swapped executable +>16 belong >0 not stripped +0 belong 0x011257 Core file +# +# The following are a series of dump format magic numbers. Each one +# corresponds to a drastically different dump format. The first on is +# the original dump format on a 4.1 BSD or earlier file system. The +# second marks the change between the 4.1 file system and the 4.2 file +# system. The Third marks the changing of the block size from 1K +# to 2K to be compatible with an IDC file system. The fourth indicates +# a dump that is dependent on Convex Storage Manager, because data in +# secondary storage is not physically contained within the dump. +# The restore program uses these number to determine how the data is +# to be extracted. +# +24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) +24 belong =60014 dump format, Convex Storage Manager by-reference dump +# +# what follows is a bunch of bit-mask checks on the flags field of the opthdr. +# If there is no `=' sign, assume just checking for whether the bit is set? +# +0 belong 0601 Convex SOFF +>88 belong&0x000f0000 =0x00000000 c1 +>88 belong &0x00010000 c2 +>88 belong &0x00020000 c2mp +>88 belong &0x00040000 parallel +>88 belong &0x00080000 intrinsic +>88 belong &0x00000001 demand paged +>88 belong &0x00000002 pre-paged +>88 belong &0x00000004 non-swapped +>88 belong &0x00000008 POSIX +# +>84 belong &0x80000000 executable +>84 belong &0x40000000 object +>84 belong&0x20000000 =0 not stripped +>84 belong&0x18000000 =0x00000000 native fpmode +>84 belong&0x18000000 =0x10000000 ieee fpmode +>84 belong&0x18000000 =0x18000000 undefined fpmode +# +0 belong 0605 Convex SOFF core +# +0 belong 0607 Convex SOFF checkpoint +>88 belong&0x000f0000 =0x00000000 c1 +>88 belong &0x00010000 c2 +>88 belong &0x00020000 c2mp +>88 belong &0x00040000 parallel +>88 belong &0x00080000 intrinsic +>88 belong &0x00000008 POSIX +# +>84 belong&0x18000000 =0x00000000 native fpmode +>84 belong&0x18000000 =0x10000000 ieee fpmode +>84 belong&0x18000000 =0x18000000 undefined fpmode diff --git a/magic/Magdir/coverage b/magic/Magdir/coverage new file mode 100644 index 0000000..9f2c3dc --- /dev/null +++ b/magic/Magdir/coverage @@ -0,0 +1,91 @@ + +#------------------------------------------------------------------------------ +# $File: coverage,v 1.3 2021/02/23 00:51:10 christos Exp $ +# xoverage: file(1) magic for test coverage data + +# File formats used to store test coverage data +# 2016-05-21, Georg Sauthoff <mail@georg.so> + + +# - GCC gcno - written by GCC at compile time when compiling with +# gcc -ftest-coverage +# - GCC gcda - written by a program that was compiled with +# gcc -fprofile-arcs +# - LLVM raw profiles - generated by a program compiled with +# clang -fprofile-instr-generate -fcoverage-mapping ... +# - LLVM indexed profiles - generated by +# llvm-profdata +# - GCOV reports, i.e. the annotated source code +# - LCOV trace files, i.e. aggregated GCC profiles +# +# GCC coverage tracefiles +# .gcno file are created during compile time, +# while data collected during runtime is stored in .gcda files +# cf. gcov-io.h +# https://gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc/Gcov-Data-Files.html +# Examples: +# Fedora 23/x86-64/gcc-5.3.1: 6f 6e 63 67 52 33 30 35 +# Debian 8 PPC64/gcc-4.9.2 : 67 63 6e 6f 34 30 39 2a +0 lelong 0x67636e6f GCC gcno coverage (-ftest-coverage), +>&3 byte x version %c. +>&1 byte x \b%c + +# big endian +0 belong 0x67636e6f GCC gcno coverage (-ftest-coverage), +>&0 byte x version %c. +>&2 byte x \b%c (big-endian) + +# Examples: +# Fedora 23/x86-64/gcc-5.3.1: 61 64 63 67 52 33 30 35 +# Debian 8 PPC64/gcc-4.9.2 : 67 63 64 61 34 30 39 2a +0 lelong 0x67636461 GCC gcda coverage (-fprofile-arcs), +>&3 byte x version %c. +>&1 byte x \b%c + +# big endian +0 belong 0x67636461 GCC gcda coverage (-fprofile-arcs), +>&0 byte x version %c. +>&2 byte x \b%c (big-endian) + + +# LCOV tracefiles +# cf. http://ltp.sourceforge.net/coverage/lcov/geninfo.1.php +0 string TN: +>&0 search/64 \nSF:/ LCOV coverage tracefile + + +# Coverage reports generated by gcov +# i.e. source code annotated with coverage information +0 string \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source: +>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph: +>>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data: GCOV coverage report + + +# LLVM coverage files + +# raw data after running a program compiled with: +# `clang -fprofile-instr-generate -fcoverage-mapping ...` +# default name: default.profraw +# magic is: \xFF lprofr \x81 +# cf. https://llvm.org/docs/doxygen/html/InstrProfData_8inc_source.html +0 lequad 0xff6c70726f667281 LLVM raw profile data, +>&0 byte x version %d + +# big endian +0 bequad 0xff6c70726f667281 LLVM raw profile data, +>&7 byte x version %d (big-endian) + + +# LLVM indexed instruction profile (as generated by llvm-profdata) +# magic is: reverse(\xFF lprofi \x81) +# cf. https://llvm.org/docs/CoverageMappingFormat.html +# https://llvm.org/docs/doxygen/html/namespacellvm_1_1IndexedInstrProf.html +# https://llvm.org/docs/CommandGuide/llvm-cov.html +# https://llvm.org/docs/CommandGuide/llvm-profdata.html +0 lequad 0x8169666f72706cff LLVM indexed profile data, +>&0 byte x version %d + +# big endian +0 bequad 0x8169666f72706cff LLVM indexed profile data, +>&7 byte x version %d (big-endian) + diff --git a/magic/Magdir/cracklib b/magic/Magdir/cracklib new file mode 100644 index 0000000..1676596 --- /dev/null +++ b/magic/Magdir/cracklib @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $ +# cracklib: file (1) magic for cracklib v2.7 + +0 lelong 0x70775631 Cracklib password index, little endian +>4 long >0 (%i words) +>4 long 0 ("64-bit") +>>8 long >-1 (%i words) +0 belong 0x70775631 Cracklib password index, big endian +>4 belong >-1 (%i words) +# really bellong 0x0000000070775631 +0 search/1 \0\0\0\0pwV1 Cracklib password index, big endian ("64-bit") +>12 belong >0 (%i words) diff --git a/magic/Magdir/crypto b/magic/Magdir/crypto new file mode 100644 index 0000000..910df8d --- /dev/null +++ b/magic/Magdir/crypto @@ -0,0 +1,49 @@ + +#------------------------------------------------------------------------------ +# $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $ +# crypto: file(1) magic for crypto formats +# +# Bitcoin block files +0 lelong 0xD9B4BEF9 Bitcoin +>(4.l+40) lelong 0xD9B4BEF9 reverse block +>>4 lelong x \b, size %u +# normal block below +>0 default x block +>>4 lelong x \b, size %u +>>8 lelong&0xE0000000 0x20000000 +>>>8 lelong x \b, BIP9 0x%x +>>8 lelong&0xE0000000 !0x20000000 +>>>8 lelong x \b, version 0x%x +>>76 ledate x \b, %s UTC +# VarInt counter +>>88 ubyte <0xfd \b, txcount %u +>>88 ubyte 0xfd +>>>89 leshort x \b, txcount %u +>>88 ubyte 0xfe +>>>89 lelong x \b, txcount %u +>>88 ubyte 0xff +>>>89 lequad x \b, txcount %llu +!:ext dat +# option to find more blocks in the file +#>>(4.l+8) indirect x ; + +# LevelDB +-8 lequad 0xdb4775248b80fb57 LevelDB table data + +# http://www.tarsnap.com/scrypt.html +# see scryptenc_setup() in lib/scryptenc/scryptenc.c +0 string scrypt\0 scrypt encrypted file +>7 byte x \b, N=2**%d +>8 belong x \b, r=%d +>12 belong x \b, p=%d + +# https://age-encryption.org/ +# Only the first recipient is printed in detail to prevent repetitive output +# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ..."). +0 string age-encryption.org/v1\n age encrypted file +>25 regex/128 \^[^\040]+ \b, %s recipient +>>25 string scrypt +>>>&0 regex/64 [0-9]+\$ (N=2**%s) +>>&0 search/256 \n->\040 \b, among others + +0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored diff --git a/magic/Magdir/ctags b/magic/Magdir/ctags new file mode 100644 index 0000000..f480d32 --- /dev/null +++ b/magic/Magdir/ctags @@ -0,0 +1,6 @@ + +# ---------------------------------------------------------------------------- +# $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $ +# ctags: file (1) magic for Exuberant Ctags files +# From: Alexander Mai <mai@migdal.ikp.physik.tu-darmstadt.de> +0 search/1 =!_TAG Exuberant Ctags tag file text diff --git a/magic/Magdir/ctf b/magic/Magdir/ctf new file mode 100644 index 0000000..d91684d --- /dev/null +++ b/magic/Magdir/ctf @@ -0,0 +1,23 @@ + +#-------------------------------------------------------------- +# ctf: file(1) magic for CTF (Common Trace Format) trace files +# +# Specs. available here: <https://www.efficios.com/ctf> +#-------------------------------------------------------------- + +# CTF trace data +0 lelong 0xc1fc1fc1 Common Trace Format (CTF) trace data (LE) +0 belong 0xc1fc1fc1 Common Trace Format (CTF) trace data (BE) + +# CTF metadata (packetized) +0 lelong 0x75d11d57 Common Trace Format (CTF) packetized metadata (LE) +>35 byte x \b, v%d +>36 byte x \b.%d +0 belong 0x75d11d57 Common Trace Format (CTF) packetized metadata (BE) +>35 byte x \b, v%d +>36 byte x \b.%d + +# CTF metadata (plain text) +0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata +!:strength + 5 # this is to make sure we beat C +>&0 regex [0-9]+\\.[0-9]+ \b, v%s diff --git a/magic/Magdir/cubemap b/magic/Magdir/cubemap new file mode 100644 index 0000000..e2f87d8 --- /dev/null +++ b/magic/Magdir/cubemap @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $ +# file(1) magic(5) data for cubemaps Martin Erik Werner <martinerikwerner@gmail.com> +# +0 string ACMP Map file for the AssaultCube FPS game +0 string CUBE Map file for cube and cube2 engine games +0 string MAPZ) Map file for the Blood Frontier/Red Eclipse FPS games diff --git a/magic/Magdir/cups b/magic/Magdir/cups new file mode 100644 index 0000000..6dd14ac --- /dev/null +++ b/magic/Magdir/cups @@ -0,0 +1,56 @@ + +#------------------------------------------------------------------------------ +# $File: cups,v 1.6 2019/04/19 00:42:27 christos Exp $ +# Cups: file(1) magic for the cups raster file format +# From: Laurent Martelli <martellilaurent@gmail.com> +# https://www.cups.org/documentation.php/spec-raster.html +# + +0 name cups-le +>280 lelong x \b, %d +>284 lelong x \bx%d dpi +>376 lelong x \b, %dx +>380 lelong x \b%d pixels +>388 lelong x %d bits/color +>392 lelong x %d bits/pixel +>400 lelong 0 ColorOrder=Chunky +>400 lelong 1 ColorOrder=Banded +>400 lelong 2 ColorOrder=Planar +>404 lelong 0 ColorSpace=gray +>404 lelong 1 ColorSpace=RGB +>404 lelong 2 ColorSpace=RGBA +>404 lelong 3 ColorSpace=black +>404 lelong 4 ColorSpace=CMY +>404 lelong 5 ColorSpace=YMC +>404 lelong 6 ColorSpace=CMYK +>404 lelong 7 ColorSpace=YMCK +>404 lelong 8 ColorSpace=KCMY +>404 lelong 9 ColorSpace=KCMYcm +>404 lelong 10 ColorSpace=GMCK +>404 lelong 11 ColorSpace=GMCS +>404 lelong 12 ColorSpace=WHITE +>404 lelong 13 ColorSpace=GOLD +>404 lelong 14 ColorSpace=SILVER +>404 lelong 15 ColorSpace=CIE XYZ +>404 lelong 16 ColorSpace=CIE Lab +>404 lelong 17 ColorSpace=RGBW +>404 lelong 18 ColorSpace=sGray +>404 lelong 19 ColorSpace=sRGB +>404 lelong 20 ColorSpace=AdobeRGB + +# Cups Raster image format, Big Endian +0 string RaS +>3 string t Cups Raster version 1, Big Endian +>3 string 2 Cups Raster version 2, Big Endian +>3 string 3 Cups Raster version 3, Big Endian +!:mime application/vnd.cups-raster +>0 use \^cups-le + + +# Cups Raster image format, Little Endian +1 string SaR +>0 string t Cups Raster version 1, Little Endian +>0 string 2 Cups Raster version 2, Little Endian +>0 string 3 Cups Raster version 3, Little Endian +!:mime application/vnd.cups-raster +>0 use cups-le diff --git a/magic/Magdir/dact b/magic/Magdir/dact new file mode 100644 index 0000000..04627c9 --- /dev/null +++ b/magic/Magdir/dact @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $ +# dact: file(1) magic for DACT compressed files +# +0 long 0x444354C3 DACT compressed data +>4 byte >-1 (version %i. +>5 byte >-1 $BS%i. +>6 byte >-1 $BS%i) +>7 long >0 $BS, original size: %i bytes +>15 long >30 $BS, block size: %i bytes diff --git a/magic/Magdir/database b/magic/Magdir/database new file mode 100644 index 0000000..03ac423 --- /dev/null +++ b/magic/Magdir/database @@ -0,0 +1,886 @@ + +#------------------------------------------------------------------------------ +# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $ +# database: file(1) magic for various databases +# +# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) +# +# +# GDBM magic numbers +# Will be maintained as part of the GDBM distribution in the future. +# <downsj@teeny.org> +0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit +!:mime application/x-gdbm +0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old +!:mime application/x-gdbm +0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit +!:mime application/x-gdbm +0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit +!:mime application/x-gdbm +0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old +!:mime application/x-gdbm +0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit +!:mime application/x-gdbm +0 string GDBM GNU dbm 2.x database +!:mime application/x-gdbm +# +# Berkeley DB +# +# Ian Darwin's file /etc/magic files: big/little-endian version. +# +# Hash 1.85/1.86 databases store metadata in network byte order. +# Btree 1.85/1.86 databases store the metadata in host byte order. +# Hash and Btree 2.X and later databases store the metadata in host byte order. + +0 long 0x00061561 Berkeley DB +!:mime application/x-dbm +>8 belong 4321 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, native byte-order) +>8 belong 1234 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, little-endian) + +0 belong 0x00061561 Berkeley DB +>8 belong 4321 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, big-endian) +>8 belong 1234 +>>4 belong >2 1.86 +>>4 belong <3 1.85 +>>4 belong >0 (Hash, version %d, native byte-order) + +0 long 0x00053162 Berkeley DB 1.85/1.86 +>4 long >0 (Btree, version %d, native byte-order) +0 belong 0x00053162 Berkeley DB 1.85/1.86 +>4 belong >0 (Btree, version %d, big-endian) +0 lelong 0x00053162 Berkeley DB 1.85/1.86 +>4 lelong >0 (Btree, version %d, little-endian) + +12 long 0x00061561 Berkeley DB +>16 long >0 (Hash, version %d, native byte-order) +12 belong 0x00061561 Berkeley DB +>16 belong >0 (Hash, version %d, big-endian) +12 lelong 0x00061561 Berkeley DB +>16 lelong >0 (Hash, version %d, little-endian) + +12 long 0x00053162 Berkeley DB +>16 long >0 (Btree, version %d, native byte-order) +12 belong 0x00053162 Berkeley DB +>16 belong >0 (Btree, version %d, big-endian) +12 lelong 0x00053162 Berkeley DB +>16 lelong >0 (Btree, version %d, little-endian) + +12 long 0x00042253 Berkeley DB +>16 long >0 (Queue, version %d, native byte-order) +12 belong 0x00042253 Berkeley DB +>16 belong >0 (Queue, version %d, big-endian) +12 lelong 0x00042253 Berkeley DB +>16 lelong >0 (Queue, version %d, little-endian) + +# From Max Bowsher. +12 long 0x00040988 Berkeley DB +>16 long >0 (Log, version %d, native byte-order) +12 belong 0x00040988 Berkeley DB +>16 belong >0 (Log, version %d, big-endian) +12 lelong 0x00040988 Berkeley DB +>16 lelong >0 (Log, version %d, little-endian) + +# +# +# Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch> +0 string/b RRD\0 RRDTool DB +>4 string/b x version %s + +>>10 short !0 16bit aligned +>>>10 bedouble 8.642135e+130 big-endian +>>>>18 short x 32bit long (m68k) + +>>10 short 0 +>>>12 long !0 32bit aligned +>>>>12 bedouble 8.642135e+130 big-endian +>>>>>20 long 0 64bit long +>>>>>20 long !0 32bit long +>>>>12 ledouble 8.642135e+130 little-endian +>>>>>24 long 0 64bit long +>>>>>24 long !0 32bit long (i386) +>>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian +>>>>>24 short !0 32bit long (arm) + +>>8 quad 0 64bit aligned +>>>16 bedouble 8.642135e+130 big-endian +>>>>24 long 0 64bit long (s390x) +>>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC) +>>>16 ledouble 8.642135e+130 little-endian +>>>>28 long 0 64bit long (alpha/amd64/ia64) +>>>>28 long !0 32bit long (armel/mipsel) + +#---------------------------------------------------------------------- +# ROOT: file(1) magic for ROOT databases +# +0 string root\0 ROOT file +>4 belong x Version %d +>33 belong x (Compression: %d) + +# XXX: Weak magic. +# Alex Ott <ott@jet.msk.su> +## Paradox file formats +#2 leshort 0x0800 Paradox +#>0x39 byte 3 v. 3.0 +#>0x39 byte 4 v. 3.5 +#>0x39 byte 9 v. 4.x +#>0x39 byte 10 v. 5.x +#>0x39 byte 11 v. 5.x +#>0x39 byte 12 v. 7.x +#>>0x04 byte 0 indexed .DB data file +#>>0x04 byte 1 primary index .PX file +#>>0x04 byte 2 non-indexed .DB data file +#>>0x04 byte 3 non-incrementing secondary index .Xnn file +#>>0x04 byte 4 secondary index .Ynn file +#>>0x04 byte 5 incrementing secondary index .Xnn file +#>>0x04 byte 6 non-incrementing secondary index .XGn file +#>>0x04 byte 7 secondary index .YGn file +#>>>0x04 byte 8 incrementing secondary index .XGn file + +## XBase database files +# updated by Joerg Jenderek at Feb 2013 +# https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm +# https://www.clicketyclick.dk/databases/xbase/format/dbf.html +# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 +0 ubelong&0x0000FFFF <0x00000C20 +!:strength +10 +# skip Infocom game Z-machine +>2 ubyte >0 +# skip Androids *.xml +>>3 ubyte >0 +>>>3 ubyte <32 +# 1 < version VV +>>>>0 ubyte >1 +# skip HELP.CA3 by test for reserved byte ( NULL ) +>>>>>27 ubyte 0 +# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) +#>>>>>30 ubeshort x 30NULL?%x +# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>24 ubelong&0xffFFFFff >0x01302000 +# .DBF or .MDX +>>>>>>24 ubelong&0xffFFFFff <0x01302001 +# for Xbase Database file (*.DBF) reserved (NULL) for multi-user +>>>>>>>24 ubelong&0xffFFFFff =0 +# test for 2 reserved NULL bytes,transaction and encryption byte flag +>>>>>>>>12 ubelong&0xFFFFfEfE 0 +# test for MDX flag +>>>>>>>>>28 ubyte x +>>>>>>>>>28 ubyte&0xf8 0 +# header size >= 32 +>>>>>>>>>>8 uleshort >31 +# skip PIC15736.PCX by test for language driver name or field name +>>>>>>>>>>>32 ubyte >0 +#!:mime application/x-dbf; charset=unknown-8bit ?? +#!:mime application/x-dbase +>>>>>>>>>>>>0 use xbase-type +# database file +>>>>>>>>>>>>28 ubyte&0x04 =0 \b DBF +!:ext dbf +>>>>>>>>>>>>28 ubyte&0x04 =4 \b DataBaseContainer +!:ext dbc +>>>>>>>>>>>>4 lelong 0 \b, no records +>>>>>>>>>>>>4 lelong >0 \b, %d record +# plural s appended +>>>>>>>>>>>>>4 lelong >1 \bs +# https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF +# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000) +>>>>>>>>>>>>10 uleshort x * %d +# file size = records * record size + header size +>>>>>>>>>>>>1 ubyte x \b, update-date +>>>>>>>>>>>>1 use xbase-date +# https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx +#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=%#x +# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? +>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=%#x +#>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file +# MDX or CDX index +>>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX +>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT +#>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer +# 1st record offset + 1 = header size +>>>>>>>>>>>>8 uleshort >0 +>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d +>>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>>&-1 string >\0 1st record "%s" +# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>>24 ubelong&0x0133f7ff >0 +# test for reserved NULL byte +>>>>>>>>47 ubyte 0 +# test for valid TAG key format (0x10 or 0) +>>>>>>>>>559 ubyte&0xeF 0 +# test MM <= 12 +>>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>>46 ubyte >0 +#!:mime application/x-mdx +>>>>>>>>>>>>>>0 use xbase-type +>>>>>>>>>>>>>>0 ubyte x \b MDX +>>>>>>>>>>>>>>1 ubyte x \b, creation-date +>>>>>>>>>>>>>>1 use xbase-date +>>>>>>>>>>>>>>44 ubyte x \b, update-date +>>>>>>>>>>>>>>44 use xbase-date +# No.of tags in use (1,2,5,12) +>>>>>>>>>>>>>>28 uleshort x \b, %d +# No. of entries in tag (0x30) +>>>>>>>>>>>>>>25 ubyte x \b/%d tags +# Length of tag +>>>>>>>>>>>>>>26 ubyte x * %d +# 1st tag name_ +>>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" +# 2nd tag name +#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" +# +# Print the xBase names of different version variants +0 name xbase-type +>0 ubyte <2 +# 1 < version +>0 ubyte >1 +>>0 ubyte 0x02 FoxBase +!:mime application/x-dbf +# like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf +# FoxBase+/dBaseIII+, no memo +>>0 ubyte 0x03 FoxBase+/dBase III +!:mime application/x-dbf +# like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf +# dBASE IV no memo file +>>0 ubyte 0x04 dBase IV +!:mime application/x-dbf +# like: Quattro-test11.dbf umlaut-test-v4.dbf +# dBASE V no memo file +>>0 ubyte 0x05 dBase V +!:mime application/x-dbf +# like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf +!:ext dbf +# probably Apollo Database Server 9.7? xBase (0x6) +>>0 ubyte 0x06 Apollo +!:mime application/x-dbf +# like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x2F FoxBase+/Dbase III plus, no memo +!:mime application/x-dbf +# no example +>>0 ubyte 0x30 Visual FoxPro +!:mime application/x-dbf +# like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF +# Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC +>>0 ubyte 0x31 Visual FoxPro, autoincrement +!:mime application/x-dbf +# like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf +# Visual FoxPro, with field type Varchar or Varbinary +>>0 ubyte 0x32 Visual FoxPro, with field type Varchar +!:mime application/x-dbf +# like: dbase_32.dbf +# dBASE IV SQL, no memo;dbv memo var size (Flagship) +>>0 ubyte 0x43 dBase IV, with SQL table +!:mime application/x-dbf +# like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x62 dBase IV, with SQL table +#!:mime application/x-dbf +# no example +# dBASE IV, with memo!! +>>0 ubyte 0x7b dBase IV, with memo +!:mime application/x-dbf +# like: test3memo.DBF dbase5.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x82 dBase IV, with SQL system +#!:mime application/x-dbf +# no example +# FoxBase+/dBaseIII+ with memo .DBT! +>>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT +!:mime application/x-dbf +# like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf +# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file +>>0 ubyte 0x87 VISUAL OBJECTS, with memo file +!:mime application/x-dbf +# like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT +#!:mime application/x-dbf +# no example +# dBASE IV with memo! +>>0 ubyte 0x8B dBase IV, with memo .DBT +!:mime application/x-dbf +# like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf +# dBase IV with SQL Table,no memo? +>>0 ubyte 0x8E dBase IV, with SQL table +!:mime application/x-dbf +# like: dbase5.DBF test3memo.DBF test-memo.DBF +# .dbv and .dbt memo (Flagship)? +>>0 ubyte 0xB3 Flagship +!:mime application/x-dbf +# no example +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0xCA dBase IV with memo .DBT +#!:mime application/x-dbf +# no example +# dBASE IV with SQL table, with memo .DBT +>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT +!:mime application/x-dbf +# like: dbase5.DBF test3memo.DBF test-memo.DBF +# HiPer-Six format;Clipper SIX, with SMT memo file +>>0 ubyte 0xE5 Clipper SIX with memo +!:mime application/x-dbf +# like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0xF4 dBase IV, with SQL table, with memo +#!:mime application/x-dbf +# no example +>>0 ubyte 0xF5 FoxPro with memo +!:mime application/x-dbf +# like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf +# probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6) +>>0 ubyte 0xF6 Apollo, with SQL table with memo +!:mime application/x-dbf +# like: SCRIPTS.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +#>>0 ubyte 0xFA FoxPro 2.x, with memo +#!:mime application/x-dbf +# no example +# unknown version (should not happen) +>>0 default x xBase +!:mime application/x-dbf +>>>0 ubyte x (%#x) +# flags in version byte +# DBT flag (with dBASE III memo .DBT)!! +# >>0 ubyte&0x80 >0 DBT_FLAG=%x +# memo flag ?? +# >>0 ubyte&0x08 >0 MEMO_FLAG=%x +# SQL flag ?? +# >>0 ubyte&0x70 >0 SQL_FLAG=%x +# test and print the date of xBase .DBF .MDX +0 name xbase-date +# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 +>0 ubelong x +>1 ubyte <13 +>>1 ubyte >0 +>>>2 ubyte >0 +>>>>2 ubyte <32 +>>>>>0 ubyte x +# YY is interpreted as 20YY or 19YY +>>>>>>0 ubyte <100 \b %.2d +# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY +>>>>>>0 ubyte >99 \b %d +>>>>>1 ubyte x \b-%d +>>>>>2 ubyte x \b-%d + +# dBase memo files .DBT or .FPT +# https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx +16 ubyte <4 +>16 ubyte !2 +>>16 ubyte !1 +# next free block index is positive +>>>0 ulelong >0 +# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size +>>>>17 ubelong&0xFFfdFEff 0x00000000 +# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h +>>>>>20 ubelong&0xFF01209B 0x00000000 +# dBASE III +>>>>>>16 ubyte 3 +# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod +>>>>>>>512 ubyte >040 +# skip with valid 1st item "rintf" keylayouts.mod +# by looking for valid terminating character Ctrl-Z like in test.dbt +>>>>>>>>513 search/3308 \032 +# skip GRUB plan9.mod with invalid second terminating character 007 +# by checking second terminating character Ctrl-Z like in test.dbt +>>>>>>>>>&0 ubyte 032 +# dBASE III DBT with two Ctr-Z terminating characters +>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod +>>>>>>>>>&0 ubyte 0 +# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 +>>>>>>>>>>0x1ad string !grub_mod_init +# like dbase-memo.dbt +>>>>>>>>>>>0 use dbase3-memo-print +# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage +>>>>>>16 ubyte 0 +# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF +>>>>>>>20 uleshort 0 +# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage +>>>>>>>>8 ulong =0 +>>>>>>>>>6 ubeshort >0 +# skip emacs.PIF +>>>>>>>>>>4 ushort 0 +# check for valid FoxPro field type +>>>>>>>>>>>512 ubelong <3 +# skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh +>>>>>>>>>>>>6 ubeshort&0x002f 0 +>>>>>>>>>>>>>0 use foxpro-memo-print +# dBASE III DBT , garbage +# skip WORD1XW.DOC with improbably high free block index +>>>>>>>>>0 ulelong <0x400000 +# skip WinStore.App.exe by looking for printable 2nd character of 1st memo item +>>>>>>>>>>513 ubyte >037 +# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item +>>>>>>>>>>>512 ubyte >037 +# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 +>>>>>>>>>>>>512 ubyte <0377 +# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) +# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>513 search/523 \032 +# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character +#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o +# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt +>>>>>>>>>>>>>>&0 ubyte 032 +>>>>>>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>&0 ubyte 0 +# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" +>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show +# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt +>>>>>>>>>>>>>>>514 default x +# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +# dBASE III DBT like angest.dbt, or garbage PCX DBF +>>>>>>>>8 ubelong !0 +# skip PCX and some DBF by test for for reserved NULL bytes +>>>>>>>>>510 ubeshort 0 +# skip bad symples with improbably high free block index above 2 GiB file limit +>>>>>>>>>>0 ulelong <0x400000 +# skip AI070GEP.EPS by printable 1st character of 1st memo item +>>>>>>>>>>>512 ubyte >037 +# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB +>>>>>>>>>>>>512 ubyte <0200 +# skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character +>>>>>>>>>>>>>513 ubyte >037 +# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like +# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" +# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" +# "10586.494.amd64fre.th2_release_sec.160630-1736" +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>>513 search/0x11E \032 +# followed by second character Ctrl-Z implies typical DBT +>>>>>>>>>>>>>>>&0 ubyte 032 +# examples like: angest.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>>>&0 ubyte 0 +# no example found here with terminating sequence CTRL-Z + \0 +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +# dBASE IV DBT with positive block size +>>>>>>>20 uleshort >0 +# dBASE IV DBT with valid block length like 512, 1024 +# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero +# skip also 3600h 3E00h size +>>>>>>>>20 uleshort&0xE00f 0 +>>>>>>>>>0 use dbase4-memo-print + +# Print the information of dBase III DBT memo file +0 name dbase3-memo-print +>0 ubyte x dBase III DBT +!:mime application/x-dbt +!:ext dbt +# instead 3 as version number 0 for unusual examples like biblio.dbt +>16 ubyte !3 \b, version number %u +# Number of next available block for appending data +#>0 lelong =0 \b, next free block index %u +>0 lelong !0 \b, next free block index %u +# no positive block length +#>20 uleshort =0 \b, block length %u +>20 uleshort !0 \b, block length %u +# dBase III memo field terminated often by \032\032 +# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT +>512 string >\0 \b, 1st item "%s" +# For DEBUGGING +#>512 ubelong x \b, 1ST item %#8.8x +#>513 search/0x225 \032 FOUND_TERMINATOR +#>>&0 ubyte 032 2xCTRL_Z +# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte +#>>&0 ubyte 0 1xCTRL_Z + +# https://www.clicketyclick.dk/databases/xbase/format/dbt.html +# Print the information of dBase IV DBT memo file +0 name dbase4-memo-print +>0 lelong x dBase IV DBT +!:mime application/x-dbt +!:ext dbt +# 8 character shorted main name of corresponding dBASE IV DBF file +>8 ubelong >0x20000000 +# skip unusual like for angest.dbt +>>20 uleshort >0 +>>>8 string >\0 \b of %-.8s.DBF +# value 0 implies 512 as size +#>4 ulelong =0 \b, blocks size %u +# size of blocks not reliable like 0x2020204C in angest.dbt +>4 ulelong !0 +>>4 ulelong&0x0000003f 0 \b, blocks size %u +# dBase IV DBT with positive block length (found 512 , 1024) +>20 uleshort >0 \b, block length %u +# next available block +#>0 lelong =0 \b, next free block index %u +>0 lelong !0 \b, next free block index %u +>20 uleshort >0 +>>(20.s) ubelong x +>>>&-4 use dbase4-memofield-print +# unusual dBase IV DBT without block length (implies 512 as length) +>20 uleshort =0 +>>512 ubelong x +>>>&-4 use dbase4-memofield-print +# Print the information of dBase IV memo field +0 name dbase4-memofield-print +# free dBase IV memo field +>0 ubelong !0xFFFF0800 +>>0 lelong x \b, next free block %u +>>4 lelong x \b, next used block %u +# used dBase IV memo field +>0 ubelong =0xFFFF0800 +# length of memo field +>>4 lelong x \b, field length %d +>>>8 string >\0 \b, 1st used item "%s" +# http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm +# Print the information of FoxPro FPT memo file +0 name foxpro-memo-print +>0 belong x FoxPro FPT +!:mime application/x-fpt +!:ext fpt +# Size of blocks for FoxPro ( 64,256 ); probably a multiple of two +>6 ubeshort x \b, blocks size %u +# next available block +#>0 belong =0 \b, next free block index %u +>0 belong !0 \b, next free block index %u +# field type ( 0~picture, 1~memo, 2~object ) +>512 ubelong <3 \b, field type %u +# length of memo field +>512 ubelong 1 +>>516 belong >0 \b, field length %d +>>>520 string >\0 \b, 1st item "%s" + +# Summary: DBASE Compound Index file *.CDX and FoxPro index *.IDX +# From: Joerg Jenderek +# URL: https://www.clicketyclick.dk/databases/xbase/format/cdx.html +# https://www.clicketyclick.dk/databases/xbase/format/idx.html +# https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml +# https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml +# like: kunde.cdx +0 ulelong 0x1C00 +>0 use xbase-index +# like: SYLLABI2.CDX SYLLABUS.CDX +0 ulelong 0x0800 +>0 use xbase-index +# often in xBase index pointer to root node 400h +0 ulelong 0x0400 +# skip most Maple help database *.hdb with version tag handled by ./maple +>1028 string !version +# skip Maple help database hsum.hdb checking for valid reserved area +>>492 quad =0 +# skip remaining Maple help database *.hdb by checking key length +#>>>12 uleshort !0x000F KEY_LENGTHVALID +>>>0 use xbase-index +# display information about dBase/FoxPro index +0 name xbase-index +>0 ulelong x xBase +!:mime application/x-dbase-index +>14 ubyte &0x40 compound index +# DCX for FoxPro database index like: TESTDATA.DCX +!:ext cdx/dcx +>14 ubyte ^0x40 index +# only 1 example like: TEST.IDX +!:ext idx +# pointer to root node like: 1C00h 800h often 400h +>0 ulelong !0x400 \b, root pointer %#x +# Pointer to free node list: often 0 but -1 if not present +>4 ulelong !0 \b, free node pointer %#x +# MAYBE number of pages in file (Foxbase, FoxPro 1.x) or +# http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM +# Whenever Visual FoxPro updates the index file it increments this reserved field +# Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0 +>8 ulelong !0 \b, reserved counter %#x +# length of key like: mostly 000Ah 0028h (TEST.IDX) +>12 uleshort !0x000A \b, key length %#x +# index options like: 24h E0h E8h +# 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header +# 16~Bit vector (SoftC) 128~Structure index (FoxPro) +>14 ubyte x \b, index options (%#x +>14 ubyte &0x01 \b, unique +>14 ubyte &0x08 \b, has FOR clause +>14 ubyte &0x10 \b, bit vector (SoftC) +>14 ubyte &0x20 \b, compact format +#>14 ubyte &0x40 \b, compound header +>14 ubyte &0x80 \b, structure +>14 ubyte x \b) +# WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml) +>15 ubyte !0 \b, index signature %u +# reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx +>16 quad !0 \b, at 16 reserved %#llx +>492 quad !0 \b, at 492 reserved %#llx +# for IDX variant +#>14 ubyte ^0x40 IDX +# for CDX variant +>14 ubyte &0x40 +# Ascending or descending: 0~ascending 1~descending +>>502 uleshort x \b, sort order %u +# Total expression length (FoxPro 2) like: 0 1 +>>504 uleshort !0 \b, expression length %u +# FOR expression pool length like: 1 +>>506 uleshort !1 \b, FOR expression pool length %#x +# reserved for internal use like: 0 +>>508 uleshort !0 \b, at 0x508 reserved %#x +# Key expression pool length like: 1 +>>510 uleshort !1 \b, key expression pool length %#x +# 512 - 1023 Key & FOR expression pool (uncompiled) +>>512 quad !0 \b, key expression pool %#llx +#>>520 quad !0 \b, key expression pool %#llx + +# Summary: dBASE IV Printer Form *.PRF +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml +0 ubeshort 0x0400 +# skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure +# by looking for valid printer driver name extension +>0x58 search/8 .PR2 +>>0 use xbase-prf +# display information of dbase print form like printer driver *.PR2 +0 name xbase-prf dBase Printer Form +!:mime application/x-dbase-prf +!:ext prf +# MAYBE version? like: 4~DBASE IV +#>0 ubyte x \b, version %u +# MAYBE flag like: 1~with output file name 0~not +#>2 ubyte !0 \b, flag %u +# optional printer text output file name like E:\DBASE\IV\T6.txt +>3 string >\0 \b, output file %s +# probably padding with nils til 0x53 +#>0x48 uquad !0 \b, at 0x48 padding %#llx +# dBASE IV printer driver name like: Generic.PR2 ASCII.PR2 +>0x56 string >\0 \b, using printer driver %s +# 2 is probably last character of previous dBASE printer driver name +#>0x60 ubyte !0x32 \b, at 0x60 %#x +# probably padding with nils til 0xa8 +#>0x61 uquad !0 \b, at 0x61 padding %#llx +# unknown 0x03020300 0x03020100 at 0xa8 +>0xa8 ubelong x \b, at 0xa8 unknown %#8.8x +# probably padding with nils til 0x2aa +#>0x2a0 uquad !0 \b, at 0x2a0 padding %#llx +# unknown 0x100ff7f01000001 at 0x2AB +>0x2ab ubequad !0x100ff7f01000001 \b, at 0x2ab unknown %#llx +# unknown 0x0042 at 0x2b3 +>0x2b3 ubeshort !0x0042 \b, at 0x2b3 unknown %#4.4x +# unknown last 4 bytes at 0x2b6 like: 0 0x23 +>0x2b6 ubelong !0 \b, at 0x2b6 unknown %#8.8x + +# TODO: +# DBASE index file *.NDX +# dBASE compiled Format *.FMO +# FoxPro Database memo file *.DCT +# FoxPro Forms Memo *.SCT +# FoxPro Generated Menu Program *.MPR +# FoxPro Report *.FRX +# FoxPro Report Memo *.FRT +# Foxpro Generated Screen Program *.SPR +# Foxpro memo *.PJT +## End of XBase database stuff + +# MS Access database +4 string Standard\ Jet\ DB Microsoft Access Database +!:mime application/x-msaccess +4 string Standard\ ACE\ DB Microsoft Access Database +!:mime application/x-msaccess + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine +# Reference: https://github.com/libyal/libesedb/archive/master.zip +# libesedb-master/documentation/ +# Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc +# Note: also known as "JET Blue". Used by numerous Windows components such as +# Windows Search, Mail, Exchange and Active Directory. +4 ubelong 0xefcdab89 +# unknown1 +>132 ubelong 0 Extensible storage engine +!:mime application/x-ms-ese +# file_type 0~database 1~stream +>>12 ulelong 0 DataBase +# Security DataBase (sdb) +!:ext edb/sdb +>>12 ulelong 1 STreaMing +!:ext stm +# format_version 620h +>>8 uleshort x \b, version %#x +>>10 uleshort >0 revision %#4.4x +>>0 ubelong x \b, checksum %#8.8x +# Page size 4096 8192 32768 +>>236 ulequad x \b, page size %lld +# database_state +>>52 ulelong 1 \b, JustCreated +>>52 ulelong 2 \b, DirtyShutdown +#>>52 ulelong 3 \b, CleanShutdown +>>52 ulelong 4 \b, BeingConverted +>>52 ulelong 5 \b, ForceDetach +# Windows NT major version when the databases indexes were updated. +>>216 ulelong x \b, Windows version %d +# Windows NT minor version +>>220 ulelong x \b.%d + +# From: Joerg Jenderek +# URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility +# Note: files contain application compatibility fixes, application compatibility modes and application help messages. +8 string sdbf +>7 ubyte 0 +# TAG_TYPE_LIST+TAG_INDEXES +>>12 uleshort 0x7802 Windows application compatibility Shim DataBase +# version? 2 3 +#>>>0 ulelong x \b, version %d +!:mime application/x-ms-sdb +!:ext sdb + +# TDB database from Samba et al - Martin Pool <mbp@samba.org> +0 string TDB\ file TDB database +>32 lelong 0x2601196D version 6, little-endian +>>36 lelong x hash size %d bytes + +# SE Linux policy database +0 lelong 0xf97cff8c SE Linux policy +>16 lelong x v%d +>20 lelong 1 MLS +>24 lelong x %d symbols +>28 lelong x %d ocons + +# ICE authority file data (Wolfram Kleff) +2 string ICE ICE authority data + +# X11 Xauthority file (Wolfram Kleff) +10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data +18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data + +# From: Maxime Henrion <mux@FreeBSD.org> +# PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org> +0 string PGDMP PostgreSQL custom database dump +>5 byte x - v%d +>6 byte x \b.%d +>5 beshort <0x101 \b-0 +>5 beshort >0x100 +>>7 byte x \b-%d + +# Type: Advanced Data Format (ADF) database +# URL: https://www.grc.nasa.gov/WWW/cgns/adf/ +# From: Nicolas Chauvat <nicolas.chauvat@logilab.fr> +0 string @(#)ADF\ Database CGNS Advanced Data Format + +# Tokyo Cabinet magic data +# http://tokyocabinet.sourceforge.net/index.html +0 string ToKyO\ CaBiNeT\n Tokyo Cabinet +>14 string x \b (%s) +>32 byte 0 \b, Hash +!:mime application/x-tokyocabinet-hash +>32 byte 1 \b, B+ tree +!:mime application/x-tokyocabinet-btree +>32 byte 2 \b, Fixed-length +!:mime application/x-tokyocabinet-fixed +>32 byte 3 \b, Table +!:mime application/x-tokyocabinet-table +>33 byte &1 \b, [open] +>33 byte &2 \b, [fatal] +>34 byte x \b, apow=%d +>35 byte x \b, fpow=%d +>36 byte &0x01 \b, [large] +>36 byte &0x02 \b, [deflate] +>36 byte &0x04 \b, [bzip] +>36 byte &0x08 \b, [tcbs] +>36 byte &0x10 \b, [excodec] +>40 lequad x \b, bnum=%lld +>48 lequad x \b, rnum=%lld +>56 lequad x \b, fsiz=%lld + +# Type: QDBM Quick Database Manager +# From: Benoit Sibaud <bsibaud@april.org> +0 string \\[depot\\]\n\f Quick Database Manager, little endian +0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian + +# Type: TokyoCabinet database +# URL: http://tokyocabinet.sourceforge.net/ +# From: Benoit Sibaud <bsibaud@april.org> +0 string ToKyO\ CaBiNeT\n TokyoCabinet database +>14 string x (version %s) + +# From: Stephane Blondon https://www.yaal.fr +# Database file for Zope (done by FileStorage) +0 string FS21 Zope Object Database File Storage v3 (data) +0 string FS30 Zope Object Database File Storage v4 (data) + +# Cache file for the database of Zope (done by ClientStorage) +0 string ZEC3 Zope Object Database Client Cache File (data) + +# IDA (Interactive Disassembler) database +0 string IDA1 IDA (Interactive Disassembler) database + +# Hopper (reverse engineering tool) https://www.hopperapp.com/ +0 string hopperdb Hopper database + +# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine) +# Reference: http://www.provue.com/Panorama/ +# From: Joerg Jenderek +# NOTE: test only versions 4 and 6.0 with Windows +# length of Panorama database name +5 ubyte >0 +# look after database name for "some" null bits +>(5.B+7) ubelong&0xF3ffF000 0 +# look for first keyword +>>&1 search/2 DESIGN Panorama database +#!:mime application/x-panorama-database +!:apple KASXZEPD +!:ext pan +# database name +>>>5 pstring x \b, "%s" + +# +# +# askSam Database by Stefan A. Haubenthal <polluks@web.de> +0 string askw40\0 askSam DB + +# +# +# MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de> +0 string MBSTV\040 MUIbase DB +>6 string x version %s + +# +# CDB database +0 string NBCDB\012 NetBSD Constant Database +>7 byte x \b, version %d +>8 string x \b, for '%s' +>24 lelong x \b, datasize %d +>28 lelong x \b, entries %d +>32 lelong x \b, index %d +>36 lelong x \b, seed %#x + +# +# Redis RDB - https://redis.io/topics/persistence +0 string REDIS Redis RDB file, +>5 regex [0-9][0-9][0-9][0-9] version %s + +# Mork database. +# Used by older versions of Mozilla Suite and Firefox, +# and current versions of Thunderbird. +# From: David Korth <gerbilsoft@gerbilsoft.com> +0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database +>23 string x \b, version %.3s + +# URL: https://en.wikipedia.org/wiki/Management_Information_Format +# Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf +# From: Joerg Jenderek +# Note: only tested with monitor asset reports of Dell Display Manager +# skip start like Language=fr|CA|iso8859-1 +0 search/27/C Start\040Component DMI Management Information Format +#!:mime text/plain +!:mime text/x-dmtf-mif +!:ext mif + diff --git a/magic/Magdir/dataone b/magic/Magdir/dataone new file mode 100644 index 0000000..566633e --- /dev/null +++ b/magic/Magdir/dataone @@ -0,0 +1,47 @@ + +#------------------------------------------------------------------------------ +# $File: dataone,v 1.3 2022/04/18 21:38:10 christos Exp $ +# +# DataONE- files from Dave Vieglais <dave.vieglais@gmail.com> & +# Pratik Shrivastava <pratikshrivastava23@gmail.com> +# +# file formats: https://cn.dataone.org/cn/v2/formats +#------------------------------------------------------------------------------ + +# EML (Ecological Metadata Language Format) +0 string \<?xml\ version= +>&0 regex/1024 eml-[0-9]\\.[0-9]\\.[0-9]+ eml://ecoinformatics.org/%s + +# onedcx (DataONE Dublin Core Extended v1.0) +>&0 regex/1024 onedcx/v[0-9]\\.[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0 + +# FGDC-STD-001-1998 (Content Standard for Digital Geospatial Metadata, +# version 001-1998) +>&0 search/1024 fgdc FGDC-STD-001-1998 + +# Mercury (Oak Ridge National Lab Mercury Metadata version 1.0) +>&0 regex/1024 mercury/terms/v[0-9]\\.[0-9] https://purl.org/ornl/schema/mercury/terms/v1.0 + +# ISOTC211 (Geographic MetaData (GMD) Extensible Markup Language) +>&0 search/1024 isotc211 +>>&0 search/1024 eng;USA https://www.isotc211.org/2005/gmd + +# ISOTC211 (NOAA Variant Geographic MetaData (GMD) Extensible Markup Language) +>>&0 regex/1024 gov\\.noaa\\.nodc:[0-9]+ https://www.isotc211.org/2005/gmd-noaa + +# ISOTC211 PANGAEA Variant Geographic MetaData (GMD) Extensible Markup Language +>>&0 regex/1024 pangaea\\.dataset[0-9][0-9][0-9][0-9][0-9][0-9]+ https://www.isotc211.org/2005/gmd-pangaea +!:mime text/xml + + +# Object Reuse and Exchange Vocabulary +0 string \<?xml\ version= +>&0 search/1024 rdf +>>&0 search/1024 openarchives https://www.openarchives.org/ore/terms +!:mime application/rdf+xml + + +# Dryad Metadata Application Profile Version 3.1 +0 string <DryadData +>&0 regex/1024 dryad-bibo/v[0-9]\\.[0-9] https://datadryad.org/profile/v3.1 +!:mime text/xml diff --git a/magic/Magdir/dbpf b/magic/Magdir/dbpf new file mode 100644 index 0000000..df07ff8 --- /dev/null +++ b/magic/Magdir/dbpf @@ -0,0 +1,15 @@ + +#------------------------------------------------------------------------------ +# $File: dbpf,v 1.3 2019/04/19 00:42:27 christos Exp $ +# dppf: Maxis Database Packed Files, the stored data file format used by all +# Maxis games after the Sims: http://wiki.niotso.org/DBPF +# https://www.wiki.sc4devotion.com/index.php?title=DBPF +# 13 Oct 2017, Kip Warner <kip at thevertigo dot com> +0 string DBPF Maxis Database Packed File +>4 ulelong x \b, version: %u. +>>8 ulelong x \b%u +>>>36 ulelong x \b, files: %u +>>24 ledate !0 \b, created: %s +>>28 ledate !0 \b, modified: %s +!:ext dbpf/package/dat/sc4 +!:mime application/x-maxis-dbpf diff --git a/magic/Magdir/der b/magic/Magdir/der new file mode 100644 index 0000000..3bc2e38 --- /dev/null +++ b/magic/Magdir/der @@ -0,0 +1,146 @@ +#------------------------------------------------------------------------------ +# $File: der,v 1.6 2023/01/11 23:59:49 christos Exp $ +# der: file(1) magic for DER encoded files +# + +# Certificate information piece +0 name certinfo +>0 der seq +>>&0 der set +>>>&0 der seq +>>>>&0 der obj_id3=550406 +>>>>&0 der prt_str=x \b, countryName=%s +>>&0 der set +>>>&0 der seq +>>>>&0 der obj_id3=550408 +>>>>&0 der utf8_str=x \b, stateOrProvinceName=%s +>>&0 der set +>>>&0 der seq +>>>>&0 der obj_id3=55040a +>>>>&0 der utf8_str=x \b, organizationName=%s +>>&0 der set +>>>&0 der seq +>>>>&0 der obj_id3=550403 +>>>>&0 der utf8_str=x \b, commonName=%s +>>&0 der seq + +# Certificate requests +0 der seq +>&0 der seq +>>&0 der int1=00 DER Encoded Certificate request +>>&0 use certinfo + +# Key Pairs +0 der seq +>&0 der int1=00 +>&0 der int65=x +>&0 der int3=010001 DER Encoded Key Pair, 512 bits + +0 der seq +>&0 der int1=00 +>&0 der int129=x +>&0 der int3=010001 DER Encoded Key Pair, 1024 bits + +0 der seq +>&0 der int1=00 +>&0 der int257=x +>&0 der int3=010001 DER Encoded Key Pair, 2048 bits + +0 der seq +>&0 der int1=00 +>&0 der int513=x +>&0 der int3=010001 DER Encoded Key Pair, 4096 bits + +0 der seq +>&0 der int1=00 +>&0 der int1025=x +>&0 der int3=010001 DER Encoded Key Pair, 8192 bits + +0 der seq +>&0 der int1=00 +>&0 der int2049=x +>&0 der int3=010001 DER Encoded Key Pair, 16k bits + +0 der seq +>&0 der int1=00 +>&0 der int4097=x +>&0 der int3=010001 DER Encoded Key Pair, 32k bits + +# Certificates +0 der seq +>&0 der seq +>>&0 der int2=0dfa DER Encoded Certificate, 512 bits +>>&0 der int2=0dfb DER Encoded Certificate, 1024 bits +>>&0 der int2=0dfc DER Encoded Certificate, 2048 bits +>>&0 der int2=0dfd DER Encoded Certificate, 4096 bits +>>&0 der int2=0dfe DER Encoded Certificate, 8192 bits +>>&0 der int2=0dff DER Encoded Certificate, 16k bits +>>&0 der int2=0e04 DER Encoded Certificate, 32k bits +>>&0 der int2=x DER Encoded Certificate, ? bits (%s) +>>&0 der seq +>>>&0 der obj_id9=2a864886f70d010105 \b, sha1WithRSAEncryption +>>>&0 der obj_id9=x \b, ? Encryption (%s) +>>>&0 der null +>>&0 der seq +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=550406 +>>>>>&0 der prt_str=x \b, countryName=%s +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=550408 +>>>>>&0 der prt_str=x \b, stateOrProvinceName=%s +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=550407 +>>>>>&0 der prt_str=x \b, localityName=%s +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=55040a +>>>>>&0 der prt_str=x \b, organizationName=%s +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=55040b +>>>>>&0 der prt_str=x \b, organizationUnitName=%s +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=550403 +>>>>>&0 der prt_str=x \b, commonName=%s +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id9=2a864886f70d010901 +>>>>>&0 der ia5_str=x \b, emailAddress=%s +#>>&0 der seq +#>>>&0 der utc_time=x \b, utcTime=%s +#>>>&0 der utc_time=x \b, utcTime=%s +>>&0 use certinfo + +0 der seq +>&0 der seq +>>&0 der eoc +>>>&0 der int1=02 Certificate, Version=3 +>>>&0 der int1=x Certificate, Version=%s +>>&0 der int9=x \b, Serial=%s +>>&0 der seq +>>>&0 der obj_id9=2a864886f70d01010b +>>>&0 der null +>>&0 der seq +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=550403 +>>>>>&0 der utf8_str=x \b, Issuer=%s +#>>&0 der seq +#>>>&0 der utc_time=x \b, not-valid-before=%s +#>>>&0 der utc_time=x \b, not-valid-after=%s +>>&0 der seq +>>>&0 der set +>>>>&0 der seq +>>>>>&0 der obj_id3=550403 +>>>>>&0 der utf8_str=x \b, Subject=%s + +# PKCS#7 Signed Data (e.g. JAR Signature Block File) +# OID 1.2.840.113549.1.7.2 (2a864886f70d010702) +# Reference: https://www.rfc-editor.org/rfc/rfc2315 +0 der seq +>&0 der obj_id9=2a864886f70d010702 DER Encoded PKCS#7 Signed Data +!:ext RSA/DSA/EC diff --git a/magic/Magdir/diamond b/magic/Magdir/diamond new file mode 100644 index 0000000..39d1ed6 --- /dev/null +++ b/magic/Magdir/diamond @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: diamond,v 1.7 2009/09/19 16:28:08 christos Exp $ +# diamond: file(1) magic for Diamond system +# +# ... diamond is a multi-media mail and electronic conferencing system.... +# +# XXX - I think it was either renamed Slate, or replaced by Slate.... +# +# The full deal is too long... +#0 string <list>\n<protocol\ bbn-multimedia-format> Diamond Multimedia Document +0 string =<list>\n<protocol\ bbn-m Diamond Multimedia Document diff --git a/magic/Magdir/dif b/magic/Magdir/dif new file mode 100644 index 0000000..9d7e5fd --- /dev/null +++ b/magic/Magdir/dif @@ -0,0 +1,33 @@ + +#------------------------------------------------------------------------------ +# $File: dif,v 1.1 2020/04/09 19:14:01 christos Exp $ +# dif: file(1) magic for DIF text files + +#------------------------------------------------------------------------------ +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Data_Interchange_Format +# http://fileformats.archiveteam.org/wiki/Data_Interchange_Format +# Note: called by TrID "Data Interchange Format", +# by DROID x-fmt/368 "VisiCalc Database" +0 string TABLE +# skip text starting with TABLE by looking for numeric version on 2nd line +>6 search/2 0, +# skip DROID x-fmt-41-signature-id-380.dif by looking for key word TUPLES at the beginning +>>27 search/128 TUPLES Data Interchange Format +# https://www.pcmatic.com/company/libraries/fileextension/detail.asp?ext=dif.html +#!:mime application/x-dif-spreadsheet Gnumeric +# https://github.com/LibreOffice/online/blob/master/discovery.xml +#!:mime application/x-dif-document LibreOffice +# https://www.wikidata.org/wiki/Wikidata:WikiProject_Informatics/File_formats/Lists/File_formats +!:mime application/x-dif +# https://extension.nirsoft.net/dif +#!:mime application/vnd.ms-excel +#!:mime text/plain +!:ext dif +# look for double quote 0x22 on 3rd line +>>>10 search/3 " +# skip if next character also double quote +>>>>&0 ubyte !0x22 \b, generator or table name +# comment like EXCEL, pwm enclosed in double quotes +>>>>>&-2 string x %s + diff --git a/magic/Magdir/diff b/magic/Magdir/diff new file mode 100644 index 0000000..a6124e3 --- /dev/null +++ b/magic/Magdir/diff @@ -0,0 +1,41 @@ + +#------------------------------------------------------------------------------ +# $File: diff,v 1.17 2020/08/22 18:16:58 christos Exp $ +# diff: file(1) magic for diff(1) output +# +0 search/1 diff\040 diff output text +!:mime text/x-diff +0 search/1 ***\040 +>&0 search/1024 \n---\040 context diff output text +!:mime text/x-diff +0 search/1 Only\040in\040 diff output text +!:mime text/x-diff +0 search/1 Common\040subdirectories:\040 diff output text +!:mime text/x-diff + +0 search/1 Index: RCS/CVS diff output text +!:mime text/x-diff + +# bsdiff: file(1) magic for bsdiff(1) output +0 string/b BSDIFF40 bsdiff(1) patch file + + +# unified diff +0 search/4096 ---\040 +>&0 search/1024 \n +>>&0 search/1 +++\040 +>>>&0 search/1024 \n +>>>>&0 search/1 @@ unified diff output text +!:mime text/x-diff +!:strength + 90 + +# librsync -- the library for network deltas +# +# Copyright (C) 2001 by Martin Pool. You may do whatever you want with +# this file. +# +0 belong 0x72730236 rdiff network-delta data + +0 belong 0x72730136 rdiff network-delta signature data +>4 belong x (block length=%d, +>8 belong x signature strength=%d) diff --git a/magic/Magdir/digital b/magic/Magdir/digital new file mode 100644 index 0000000..b2753b9 --- /dev/null +++ b/magic/Magdir/digital @@ -0,0 +1,59 @@ + +#------------------------------------------------------------------------------ +# $File: digital,v 1.12 2021/07/03 14:01:46 christos Exp $ +# Digital UNIX - Info +# +0 string =!<arch>\n________64E Alpha archive +>22 string X -- out of date +# + +0 leshort 0603 +>24 leshort 0410 COFF format alpha pure +>24 leshort 0413 COFF format alpha demand paged +>>22 leshort&030000 !020000 executable +>>22 leshort&020000 !0 dynamically linked +>>16 lelong !0 not stripped +>>16 lelong 0 stripped +>>27 byte x - version %d +>>26 byte x \b.%d +>>28 byte x \b-%d +>24 leshort 0407 COFF format alpha object +>>22 leshort&030000 020000 shared library +>>27 byte x - version %d +>>26 byte x \b.%d +>>28 byte x \b-%d + +# Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk> +# +# The actual magic number is just "Core", followed by a 2-byte version +# number; however, treating any file that begins with "Core" as a Digital +# UNIX core dump file may produce too many false hits, so we include one +# byte of the version number as well; DU 5.0 appears only to be up to +# version 2. +# +0 string Core\001 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' +0 string Core\002 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' +# +# The next is incomplete, we could tell more about this format, +# but its not worth it. +0 leshort 0x188 Alpha compressed COFF +0 leshort 0x18f Alpha u-code object +# +# +# Some other interesting Digital formats, +0 string \377\377\177 ddis/ddif +0 string \377\377\174 ddis/dots archive +0 string \377\377\176 ddis/dtif table data +0 string \033c\033 LN03 output +0 long 04553207 X image +# +0 string =!<PDF>!\n profiling data file +# +# Locale data tables (MIPS and Alpha). +# +# GRR: line below is too general as it matches also TTComp archive, ASCII, 2K handled by ./archive +0 short 0x0501 locale data table +>6 short 0x24 for MIPS +>6 short 0x40 for Alpha diff --git a/magic/Magdir/dolby b/magic/Magdir/dolby new file mode 100644 index 0000000..d73e7d3 --- /dev/null +++ b/magic/Magdir/dolby @@ -0,0 +1,69 @@ + +#------------------------------------------------------------------------------ +# $File: dolby,v 1.9 2019/04/19 00:42:27 christos Exp $ +# ATSC A/53 aka AC-3 aka Dolby Digital <ashitaka@gmx.at> +# from https://www.atsc.org/standards/a_52a.pdf +# corrections, additions, etc. are always welcome! +# +# syncword +0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, +# Proposed audio/ac3 RFC/4184 +!:mime audio/vnd.dolby.dd-raw +# fscod +>4 byte&0xc0 = 0x00 48 kHz, +>4 byte&0xc0 = 0x40 44.1 kHz, +>4 byte&0xc0 = 0x80 32 kHz, +# is this one used for 96 kHz? +>4 byte&0xc0 = 0xc0 reserved frequency, +# +>5 byte&0x07 = 0x00 \b, complete main (CM) +>5 byte&0x07 = 0x01 \b, music and effects (ME) +>5 byte&0x07 = 0x02 \b, visually impaired (VI) +>5 byte&0x07 = 0x03 \b, hearing impaired (HI) +>5 byte&0x07 = 0x04 \b, dialogue (D) +>5 byte&0x07 = 0x05 \b, commentary (C) +>5 byte&0x07 = 0x06 \b, emergency (E) +>5 beshort&0x07e0 0x0720 \b, voiceover (VO) +>5 beshort&0x07e0 >0x0720 \b, karaoke +# acmod +>6 byte&0xe0 = 0x00 1+1 front, +>>6 byte&0x10 = 0x10 LFE on, +>6 byte&0xe0 = 0x20 1 front/0 rear, +>>6 byte&0x10 = 0x10 LFE on, +>6 byte&0xe0 = 0x40 2 front/0 rear, +# dsurmod (for stereo only) +>>6 byte&0x18 = 0x00 Dolby Surround not indicated +>>6 byte&0x18 = 0x08 not Dolby Surround encoded +>>6 byte&0x18 = 0x10 Dolby Surround encoded +>>6 byte&0x18 = 0x18 reserved Dolby Surround mode +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0x60 3 front/0 rear, +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0x80 2 front/1 rear, +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0xa0 3 front/1 rear, +>>6 byte&0x01 = 0x01 LFE on, +>6 byte&0xe0 = 0xc0 2 front/2 rear, +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0xe0 3 front/2 rear, +>>6 byte&0x01 = 0x01 LFE on, +# +>4 byte&0x3e = 0x00 \b, 32 kbit/s +>4 byte&0x3e = 0x02 \b, 40 kbit/s +>4 byte&0x3e = 0x04 \b, 48 kbit/s +>4 byte&0x3e = 0x06 \b, 56 kbit/s +>4 byte&0x3e = 0x08 \b, 64 kbit/s +>4 byte&0x3e = 0x0a \b, 80 kbit/s +>4 byte&0x3e = 0x0c \b, 96 kbit/s +>4 byte&0x3e = 0x0e \b, 112 kbit/s +>4 byte&0x3e = 0x10 \b, 128 kbit/s +>4 byte&0x3e = 0x12 \b, 160 kbit/s +>4 byte&0x3e = 0x14 \b, 192 kbit/s +>4 byte&0x3e = 0x16 \b, 224 kbit/s +>4 byte&0x3e = 0x18 \b, 256 kbit/s +>4 byte&0x3e = 0x1a \b, 320 kbit/s +>4 byte&0x3e = 0x1c \b, 384 kbit/s +>4 byte&0x3e = 0x1e \b, 448 kbit/s +>4 byte&0x3e = 0x20 \b, 512 kbit/s +>4 byte&0x3e = 0x22 \b, 576 kbit/s +>4 byte&0x3e = 0x24 \b, 640 kbit/s diff --git a/magic/Magdir/dump b/magic/Magdir/dump new file mode 100644 index 0000000..cc5644d --- /dev/null +++ b/magic/Magdir/dump @@ -0,0 +1,96 @@ + +#------------------------------------------------------------------------------ +# $File: dump,v 1.17 2018/06/26 01:07:17 christos Exp $ +# dump: file(1) magic for dump file format--for new and old dump filesystems +# +# We specify both byte orders in order to recognize byte-swapped dumps. +# +0 name new-dump-be +>4 bedate x This dump %s, +>8 bedate x Previous dump %s, +>12 belong >0 Volume %d, +>692 belong 0 Level zero, type: +>692 belong >0 Level %d, type: +>0 belong 1 tape header, +>0 belong 2 beginning of file record, +>0 belong 3 map of inodes on tape, +>0 belong 4 continuation of file record, +>0 belong 5 end of volume, +>0 belong 6 map of inodes deleted, +>0 belong 7 end of medium (for floppy), +>676 string >\0 Label %s, +>696 string >\0 Filesystem %s, +>760 string >\0 Device %s, +>824 string >\0 Host %s, +>888 belong >0 Flags %x + +0 name old-dump-be +#>4 bedate x This dump %s, +#>8 bedate x Previous dump %s, +>12 belong >0 Volume %d, +>692 belong 0 Level zero, type: +>692 belong >0 Level %d, type: +>0 belong 1 tape header, +>0 belong 2 beginning of file record, +>0 belong 3 map of inodes on tape, +>0 belong 4 continuation of file record, +>0 belong 5 end of volume, +>0 belong 6 map of inodes deleted, +>0 belong 7 end of medium (for floppy), +>676 string >\0 Label %s, +>696 string >\0 Filesystem %s, +>760 string >\0 Device %s, +>824 string >\0 Host %s, +>888 belong >0 Flags %x + +0 name ufs2-dump-be +>896 beqdate x This dump %s, +>904 beqdate x Previous dump %s, +>12 belong >0 Volume %d, +>692 belong 0 Level zero, type: +>692 belong >0 Level %d, type: +>0 belong 1 tape header, +>0 belong 2 beginning of file record, +>0 belong 3 map of inodes on tape, +>0 belong 4 continuation of file record, +>0 belong 5 end of volume, +>0 belong 6 map of inodes deleted, +>0 belong 7 end of medium (for floppy), +>676 string >\0 Label %s, +>696 string >\0 Filesystem %s, +>760 string >\0 Device %s, +>824 string >\0 Host %s, +>888 belong >0 Flags %x + +24 belong 60012 new-fs dump file (big endian), +>0 use new-dump-be + +24 belong 60011 old-fs dump file (big endian), +>0 use old-dump-be + +24 lelong 60012 new-fs dump file (little endian), +# to correctly recognize '*.mo' GNU message catalog (little endian) +!:strength - 15 +>0 use \^new-dump-be + +24 lelong 60011 old-fs dump file (little endian), +>0 use \^old-dump-be + + +24 belong 0x19540119 new-fs dump file (ufs2, big endian), +>0 use ufs2-dump-be + +24 lelong 0x19540119 new-fs dump file (ufs2, little endian), +>0 use \^ufs2-dump-be + +18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), +>2 medate x Previous dump %s, +>6 medate x This dump %s, +>10 leshort >0 Volume %d, +>0 leshort 1 tape header. +>0 leshort 2 beginning of file record. +>0 leshort 3 map of inodes on tape. +>0 leshort 4 continuation of file record. +>0 leshort 5 end of volume. +>0 leshort 6 map of inodes deleted. +>0 leshort 7 end of medium (for floppy). diff --git a/magic/Magdir/dwarfs b/magic/Magdir/dwarfs new file mode 100644 index 0000000..3700a33 --- /dev/null +++ b/magic/Magdir/dwarfs @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: dwarfs,v 1.2 2023/05/23 13:37:32 christos Exp $ +# dwarfs: file(1) magic for DwarFS File System Image files +# URL: https://github.com/mhx/dwarfs for details about DwarFS +# From: Marcus Holland-Moritz <github@mhxnet.de> + +#### DwarFS Version Macro +0 name dwarfsversion +>&0 byte x \b, version %d +>&1 byte x \b.%d + +#### DwarFS Compression Macro +0 name dwarfscompression +>&0 leshort =0 \b, uncompressed +>&0 leshort =1 \b, LZMA compression +>&0 leshort =2 \b, ZSTD compression +>&0 leshort =3 \b, LZ4 compression +>&0 leshort =4 \b, LZ4HC compression +>&0 leshort =5 \b, BROTLI compression + +#### DwarFS files without header +## We first check against a DWARFS magic at the start of the file, then +## validate by checking the block count / section type to be all zeros +## for the first block. Finally, we check that the *next* block also +## has the correct DWARFS magic. +0 string DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image +>>>&0 use dwarfsversion +>>&0 use dwarfscompression + +#### DwarFS files with header +## We search for a DWARFS magic in the first 64k of the file (images with +## headers longer than 64k won't be recognized), then validate by checking +## the block count / section type to be all zeros for the first block. +## Finally, we check that the *next* block also has the correct DWARFS magic. +## If we find a DWARFS magic that doesn't pass validation, we continue with +## an indirect match recursively. +1 search/65536/b DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image (with header) +>>>&0 use dwarfsversion +>>&0 use dwarfscompression +>&-1 indirect x diff --git a/magic/Magdir/dyadic b/magic/Magdir/dyadic new file mode 100644 index 0000000..c57f81b --- /dev/null +++ b/magic/Magdir/dyadic @@ -0,0 +1,61 @@ + +#------------------------------------------------------------------------------ +# $File: dyadic,v 1.9 2019/04/19 00:42:27 christos Exp $ +# Dyadic: file(1) magic for Dyalog APL. +# +# updated by Joerg Jenderek at Oct 2013 +# https://en.wikipedia.org/wiki/Dyalog_APL +# https://www.dyalog.com/ +# .DXV Dyalog APL External Variable +# .DIN Dyalog APL Input Table +# .DOT Dyalog APL Output Table +# .DFT Dyalog APL Format File +0 ubeshort&0xFF60 0xaa00 +# skip biblio.dbt +>1 byte !4 +# real Dyalog APL have non zero version numbers like 7.3 or 13.4 +>>2 ubeshort >0x0000 Dyalog APL +>>>1 byte 0x00 aplcore +#>>>1 byte 0x00 incomplete workspace +# *.DCF Dyalog APL Component File +>>>1 byte 0x01 component file 32-bit non-journaled non-checksummed +#>>>1 byte 0x01 component file +>>>1 byte 0x02 external variable exclusive +#>>>1 byte 0x02 external variable +# *.DWS Dyalog APL Workspace +>>>1 byte 0x03 workspace +>>>>7 byte&0x28 0x00 32-bit +>>>>7 byte&0x28 0x20 64-bit +>>>>7 byte&0x0c 0x00 classic +>>>>7 byte&0x0c 0x04 unicode +>>>>7 byte&0x88 0x00 big-endian +>>>>7 byte&0x88 0x80 little-endian +>>>1 byte 0x06 external variable shared +# *.DSE Dyalog APL Session , *.DLF Dyalog APL Session Log File +>>>1 byte 0x07 session +>>>1 byte 0x08 mapped file 32-bit +>>>1 byte 0x09 component file 64-bit non-journaled non-checksummed +>>>1 byte 0x0a mapped file 64-bit +>>>1 byte 0x0b component file 32-bit level 1 journaled non-checksummed +>>>1 byte 0x0c component file 64-bit level 1 journaled non-checksummed +>>>1 byte 0x0d component file 32-bit level 1 journaled checksummed +>>>1 byte 0x0e component file 64-bit level 1 journaled checksummed +>>>1 byte 0x0f component file 32-bit level 2 journaled checksummed +>>>1 byte 0x10 component file 64-bit level 2 journaled checksummed +>>>1 byte 0x11 component file 32-bit level 3 journaled checksummed +>>>1 byte 0x12 component file 64-bit level 3 journaled checksummed +>>>1 byte 0x13 component file 32-bit non-journaled checksummed +>>>1 byte 0x14 component file 64-bit non-journaled checksummed +>>>1 byte 0x15 component file under construction +>>>1 byte 0x16 DFS component file 64-bit level 1 journaled checksummed +>>>1 byte 0x17 DFS component file 64-bit level 2 journaled checksummed +>>>1 byte 0x18 DFS component file 64-bit level 3 journaled checksummed +>>>1 byte 0x19 external workspace +>>>1 byte 0x80 DDB +>>>2 byte x version %d +>>>3 byte x \b.%d +#>>>2 byte x type %d +#>>>3 byte x subtype %d + +# *.DXF Dyalog APL Transfer File +0 short 0x6060 Dyalog APL transfer diff --git a/magic/Magdir/ebml b/magic/Magdir/ebml new file mode 100644 index 0000000..d37b5c0 --- /dev/null +++ b/magic/Magdir/ebml @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: ebml,v 1.2 2019/04/19 00:42:27 christos Exp $ +# ebml: file(1) magic for various Extensible Binary Meta Language +# https://www.matroska.org/technical/specs/index.html#track +0 belong 0x1a45dfa3 EBML file +>4 search/b/100 \102\202 +>>&1 string x \b, creator %.8s diff --git a/magic/Magdir/edid b/magic/Magdir/edid new file mode 100644 index 0000000..a17b6c4 --- /dev/null +++ b/magic/Magdir/edid @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: edid,v 1.1 2019/03/28 12:36:01 christos Exp $ +# edid: file(1) magic for EDID dump files + +0 quad 0x00ffffffffffff00 Extended display identification data dump +!:mime application/x-edid-dump +>18 byte 0x01 Version 1 +>>19 byte <0x04 \b.%d +>18 byte 0x02 Version 2 +>>19 byte 0x00 \b.0 diff --git a/magic/Magdir/editors b/magic/Magdir/editors new file mode 100644 index 0000000..48eaa11 --- /dev/null +++ b/magic/Magdir/editors @@ -0,0 +1,43 @@ + +#------------------------------------------------------------------------------ +# $File: editors,v 1.12 2020/10/11 20:28:07 christos Exp $ +# T602 editor documents +# by David Necas <yeti@physics.muni.cz> +0 string @CT\ T602 document data, +>4 string 0 Kamenicky +>4 string 1 CP 852 +>4 string 2 KOI8-CS +>4 string >2 unknown encoding + +# Vi IMproved Encrypted file +# by David Necas <yeti@physics.muni.cz> +# updated by Osman Surkatty +0 string VimCrypt~ Vim encrypted file data +>9 string 01! with zip cryptmethod +>9 string 02! with blowfish cryptmethod +>9 string 03! with blowfish2 cryptmethod + +0 name vimnanoswap +>67 byte 0 +>>107 byte 0 +#>>>2 string x %s swap file +>>>24 ulelong x \b, pid %d +>>>28 string >\0 \b, user %s +>>>68 string >\0 \b, host %s +>>>108 string >\0 \b, file %s +>>>1007 byte 0x55 \b, modified + +# Vi IMproved Swap file +# by Sven Wegener <swegener@gentoo.org> +0 string b0VIM\ Vim swap file +>&0 string >\0 \b, version %s +>0 use vimnanoswap + + +# Lock/swap file for several editors, at least +# Vi IMproved and nano +0 string b0nano Nano swap file +>0 use vimnanoswap + +# kate (K Advanced Text Editor) +0 string \x00\x00\x00\x12Kate\ Swap\ File\ 2.0\x00 Kate swap file diff --git a/magic/Magdir/efi b/magic/Magdir/efi new file mode 100644 index 0000000..7760100 --- /dev/null +++ b/magic/Magdir/efi @@ -0,0 +1,15 @@ + +#------------------------------------------------------------------------------ +# $File: efi,v 1.5 2014/04/30 21:41:02 christos Exp $ +# efi: file(1) magic for Universal EFI binaries + +0 lelong 0x0ef1fab9 +>4 lelong 1 Universal EFI binary with 1 architecture +>>&0 lelong 7 \b, i386 +>>&0 lelong 0x01000007 \b, x86_64 +>4 lelong 2 Universal EFI binary with 2 architectures +>>&0 lelong 7 \b, i386 +>>&0 lelong 0x01000007 \b, x86_64 +>>&20 lelong 7 \b, i386 +>>&20 lelong 0x01000007 \b, x86_64 +>4 lelong >2 Universal EFI binary with %d architectures diff --git a/magic/Magdir/elf b/magic/Magdir/elf new file mode 100644 index 0000000..d3ec026 --- /dev/null +++ b/magic/Magdir/elf @@ -0,0 +1,379 @@ + +#------------------------------------------------------------------------------ +# $File: elf,v 1.88 2023/01/08 17:09:18 christos Exp $ +# elf: file(1) magic for ELF executables +# +# We have to check the byte order flag to see what byte order all the +# other stuff in the header is in. +# +# What're the correct byte orders for the nCUBE and the Fujitsu VPP500? +# +# https://www.sco.com/developers/gabi/latest/ch4.eheader.html +# +# Created by: unknown +# Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> +# Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) +# Modified by (3): Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> (fix of core support) +# Modified by (4): <gerardo.cacciari@gmail.com> (VMS Itanium) +# Modified by (5): Matthias Urlichs <smurf@debian.org> (Listing of many architectures) + +0 name elf-mips +>0 lelong&0xf0000000 0x00000000 MIPS-I +>0 lelong&0xf0000000 0x10000000 MIPS-II +>0 lelong&0xf0000000 0x20000000 MIPS-III +>0 lelong&0xf0000000 0x30000000 MIPS-IV +>0 lelong&0xf0000000 0x40000000 MIPS-V +>0 lelong&0xf0000000 0x50000000 MIPS32 +>0 lelong&0xf0000000 0x60000000 MIPS64 +>0 lelong&0xf0000000 0x70000000 MIPS32 rel2 +>0 lelong&0xf0000000 0x80000000 MIPS64 rel2 +>0 lelong&0xf0000000 0x90000000 MIPS32 rel6 +>0 lelong&0xf0000000 0xa0000000 MIPS64 rel6 + +0 name elf-sparc +>0 lelong&0x00ffff00 0x00000100 V8+ Required, +>0 lelong&0x00ffff00 0x00000200 Sun UltraSPARC1 Extensions Required, +>0 lelong&0x00ffff00 0x00000400 HaL R1 Extensions Required, +>0 lelong&0x00ffff00 0x00000800 Sun UltraSPARC3 Extensions Required, +>0 lelong&0x3 0 total store ordering, +>0 lelong&0x3 1 partial store ordering, +>0 lelong&0x3 2 relaxed memory ordering, + +0 name elf-pa-risc +>2 leshort 0x020b 1.0 +>2 leshort 0x0210 1.1 +>2 leshort 0x0214 2.0 +>0 leshort &0x0008 (LP64) + +0 name elf-riscv +>0 lelong&0x00000001 0x00000001 RVC, +>0 lelong&0x00000008 0x00000008 RVE, +>0 lelong&0x00000006 0x00000000 soft-float ABI, +>0 lelong&0x00000006 0x00000002 single-float ABI, +>0 lelong&0x00000006 0x00000004 double-float ABI, +>0 lelong&0x00000006 0x00000006 quad-float ABI, + +0 name elf-le +>16 leshort 0 no file type, +!:mime application/octet-stream +>16 leshort 1 relocatable, +!:mime application/x-object +>16 leshort 2 executable, +!:mime application/x-executable +>16 leshort 3 ${x?pie executable:shared object}, + +!:mime application/x-${x?pie-executable:sharedlib} +>16 leshort 4 core file, +!:mime application/x-coredump +# OS-specific +>7 byte 202 +>>16 leshort 0xFE01 executable, +!:mime application/x-executable +# Core file detection is not reliable. +#>>>(0x38+0xcc) string >\0 of '%s' +#>>>(0x38+0x10) lelong >0 (signal %d), +>16 leshort &0xff00 +>>18 leshort !8 processor-specific, +>>18 leshort 8 +>>>16 leshort 0xFF80 PlayStation 2 IOP module, +!:mime application/x-sharedlib +>>>16 leshort !0xFF80 processor-specific, +>18 clear x +>18 leshort 0 no machine, +>18 leshort 1 AT&T WE32100, +>18 leshort 2 SPARC, +>18 leshort 3 Intel 80386, +>18 leshort 4 Motorola m68k, +>>4 byte 1 +>>>36 lelong &0x01000000 68000, +>>>36 lelong &0x00810000 CPU32, +>>>36 lelong 0 68020, +>18 leshort 5 Motorola m88k, +>18 leshort 6 Intel 80486, +>18 leshort 7 Intel 80860, +# The official e_machine number for MIPS is now #8, regardless of endianness. +# The second number (#10) will be deprecated later. For now, we still +# say something if #10 is encountered, but only gory details for #8. +>18 leshort 8 MIPS, +>>4 byte 1 +>>>36 lelong &0x20 N32 +>18 leshort 10 MIPS, +>>4 byte 1 +>>>36 lelong &0x20 N32 +>18 leshort 8 +# only for 32-bit +>>4 byte 1 +>>>36 use elf-mips +# only for 64-bit +>>4 byte 2 +>>>48 use elf-mips +>18 leshort 9 Amdahl, +>18 leshort 10 MIPS (deprecated), +>18 leshort 11 RS6000, +>18 leshort 15 PA-RISC, +# only for 32-bit +>>4 byte 1 +>>>36 use elf-pa-risc +# only for 64-bit +>>4 byte 2 +>>>48 use elf-pa-risc +>18 leshort 16 nCUBE, +>18 leshort 17 Fujitsu VPP500, +>18 leshort 18 SPARC32PLUS, +# only for 32-bit +>>4 byte 1 +>>>36 use elf-sparc +>18 leshort 19 Intel 80960, +>18 leshort 20 PowerPC or cisco 4500, +>18 leshort 21 64-bit PowerPC or cisco 7500, +>>48 lelong 0 Unspecified or Power ELF V1 ABI, +>>48 lelong 1 Power ELF V1 ABI, +>>48 lelong 2 OpenPOWER ELF V2 ABI, +>18 leshort 22 IBM S/390, +>18 leshort 23 Cell SPU, +>18 leshort 24 cisco SVIP, +>18 leshort 25 cisco 7200, +>18 leshort 36 NEC V800 or cisco 12000, +>18 leshort 37 Fujitsu FR20, +>18 leshort 38 TRW RH-32, +>18 leshort 39 Motorola RCE, +>18 leshort 40 ARM, +>>4 byte 1 +>>>36 lelong&0xff000000 0x04000000 EABI4 +>>>36 lelong&0xff000000 0x05000000 EABI5 +>>>36 lelong &0x00800000 BE8 +>>>36 lelong &0x00400000 LE8 +>18 leshort 41 Alpha, +>18 leshort 42 Renesas SH, +>18 leshort 43 SPARC V9, +>>4 byte 2 +>>>48 use elf-sparc +>18 leshort 44 Siemens Tricore Embedded Processor, +>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., +>18 leshort 46 Renesas H8/300, +>18 leshort 47 Renesas H8/300H, +>18 leshort 48 Renesas H8S, +>18 leshort 49 Renesas H8/500, +>18 leshort 50 IA-64, +>18 leshort 51 Stanford MIPS-X, +>18 leshort 52 Motorola Coldfire, +>18 leshort 53 Motorola M68HC12, +>18 leshort 54 Fujitsu MMA, +>18 leshort 55 Siemens PCP, +>18 leshort 56 Sony nCPU, +>18 leshort 57 Denso NDR1, +>18 leshort 58 Start*Core, +>18 leshort 59 Toyota ME16, +>18 leshort 60 ST100, +>18 leshort 61 Tinyj emb., +>18 leshort 62 x86-64, +>18 leshort 63 Sony DSP, +>18 leshort 64 DEC PDP-10, +>18 leshort 65 DEC PDP-11, +>18 leshort 66 FX66, +>18 leshort 67 ST9+ 8/16 bit, +>18 leshort 68 ST7 8 bit, +>18 leshort 69 MC68HC16, +>18 leshort 70 MC68HC11, +>18 leshort 71 MC68HC08, +>18 leshort 72 MC68HC05, +>18 leshort 73 SGI SVx or Cray NV1, +>18 leshort 74 ST19 8 bit, +>18 leshort 75 Digital VAX, +>18 leshort 76 Axis cris, +>18 leshort 77 Infineon 32-bit embedded, +>18 leshort 78 Element 14 64-bit DSP, +>18 leshort 79 LSI Logic 16-bit DSP, +>18 leshort 80 MMIX, +>18 leshort 81 Harvard machine-independent, +>18 leshort 82 SiTera Prism, +>18 leshort 83 Atmel AVR 8-bit, +>18 leshort 84 Fujitsu FR30, +>18 leshort 85 Mitsubishi D10V, +>18 leshort 86 Mitsubishi D30V, +>18 leshort 87 NEC v850, +>18 leshort 88 Renesas M32R, +>18 leshort 89 Matsushita MN10300, +>18 leshort 90 Matsushita MN10200, +>18 leshort 91 picoJava, +>18 leshort 92 OpenRISC, +>18 leshort 93 Synopsys ARCompact ARC700 cores, +>18 leshort 94 Tensilica Xtensa, +>18 leshort 95 Alphamosaic VideoCore, +>18 leshort 96 Thompson Multimedia, +>18 leshort 97 NatSemi 32k, +>18 leshort 98 Tenor Network TPC, +>18 leshort 99 Trebia SNP 1000, +>18 leshort 100 STMicroelectronics ST200, +>18 leshort 101 Ubicom IP2022, +>18 leshort 102 MAX Processor, +>18 leshort 103 NatSemi CompactRISC, +>18 leshort 104 Fujitsu F2MC16, +>18 leshort 105 TI msp430, +>18 leshort 106 Analog Devices Blackfin, +>18 leshort 107 S1C33 Family of Seiko Epson, +>18 leshort 108 Sharp embedded, +>18 leshort 109 Arca RISC, +>18 leshort 110 PKU-Unity Ltd., +>18 leshort 111 eXcess: 16/32/64-bit, +>18 leshort 112 Icera Deep Execution Processor, +>18 leshort 113 Altera Nios II, +>18 leshort 114 NatSemi CRX, +>18 leshort 115 Motorola XGATE, +>18 leshort 116 Infineon C16x/XC16x, +>18 leshort 117 Renesas M16C series, +>18 leshort 118 Microchip dsPIC30F, +>18 leshort 119 Freescale RISC core, +>18 leshort 120 Renesas M32C series, +>18 leshort 131 Altium TSK3000 core, +>18 leshort 132 Freescale RS08, +>18 leshort 134 Cyan Technology eCOG2, +>18 leshort 135 Sunplus S+core7 RISC, +>18 leshort 136 New Japan Radio (NJR) 24-bit DSP, +>18 leshort 137 Broadcom VideoCore III, +>18 leshort 138 LatticeMico32, +>18 leshort 139 Seiko Epson C17 family, +>18 leshort 140 TI TMS320C6000 DSP family, +>18 leshort 141 TI TMS320C2000 DSP family, +>18 leshort 142 TI TMS320C55x DSP family, +>18 leshort 144 TI Programmable Realtime Unit +>18 leshort 160 STMicroelectronics 64bit VLIW DSP, +>18 leshort 161 Cypress M8C, +>18 leshort 162 Renesas R32C series, +>18 leshort 163 NXP TriMedia family, +>18 leshort 164 QUALCOMM DSP6, +>18 leshort 165 Intel 8051 and variants, +>18 leshort 166 STMicroelectronics STxP7x family, +>18 leshort 167 Andes embedded RISC, +>18 leshort 168 Cyan eCOG1X family, +>18 leshort 169 Dallas MAXQ30, +>18 leshort 170 New Japan Radio (NJR) 16-bit DSP, +>18 leshort 171 M2000 Reconfigurable RISC, +>18 leshort 172 Cray NV2 vector architecture, +>18 leshort 173 Renesas RX family, +>18 leshort 174 META, +>18 leshort 175 MCST Elbrus, +>18 leshort 176 Cyan Technology eCOG16 family, +>18 leshort 177 NatSemi CompactRISC, +>18 leshort 178 Freescale Extended Time Processing Unit, +>18 leshort 179 Infineon SLE9X, +>18 leshort 180 Intel L1OM, +>18 leshort 181 Intel K1OM, +>18 leshort 183 ARM aarch64, +>18 leshort 185 Atmel 32-bit family, +>18 leshort 186 STMicroeletronics STM8 8-bit, +>18 leshort 187 Tilera TILE64, +>18 leshort 188 Tilera TILEPro, +>18 leshort 189 Xilinx MicroBlaze 32-bit RISC, +>18 leshort 190 NVIDIA CUDA architecture, +>18 leshort 191 Tilera TILE-Gx, +>18 leshort 195 Synopsys ARCv2/HS3x/HS4x cores, +>18 leshort 197 Renesas RL78 family, +>18 leshort 199 Renesas 78K0R, +>18 leshort 200 Freescale 56800EX, +>18 leshort 201 Beyond BA1, +>18 leshort 202 Beyond BA2, +>18 leshort 203 XMOS xCORE, +>18 leshort 204 Microchip 8-bit PIC(r), +>18 leshort 210 KM211 KM32, +>18 leshort 211 KM211 KMX32, +>18 leshort 212 KM211 KMX16, +>18 leshort 213 KM211 KMX8, +>18 leshort 214 KM211 KVARC, +>18 leshort 215 Paneve CDP, +>18 leshort 216 Cognitive Smart Memory, +>18 leshort 217 iCelero CoolEngine, +>18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 219 CSR Kalimba architecture family +>18 leshort 220 Zilog Z80 +>18 leshort 221 Controls and Data Services VISIUMcore processor +>18 leshort 222 FTDI Chip FT32 high performance 32-bit RISC architecture +>18 leshort 223 Moxie processor family +>18 leshort 224 AMD GPU architecture +>18 leshort 243 UCB RISC-V, +# only for 32-bit +>>4 byte 1 +>>>36 use elf-riscv +# only for 64-bit +>>4 byte 2 +>>>48 use elf-riscv +>18 leshort 244 Lanai 32-bit processor, +>18 leshort 245 CEVA Processor Architecture Family, +>18 leshort 246 CEVA X2 Processor Family, +>18 leshort 247 eBPF, +>18 leshort 248 Graphcore Intelligent Processing Unit, +>18 leshort 249 Imagination Technologies, +>18 leshort 250 Netronome Flow Processor, +>18 leshort 251 NEC Vector Engine, +>18 leshort 252 C-SKY processor family, +>18 leshort 253 Synopsys ARCv3 64-bit ISA/HS6x cores, +>18 leshort 254 MOS Technology MCS 6502 processor, +>18 leshort 255 Synopsys ARCv3 32-bit, +>18 leshort 256 Kalray VLIW core of the MPPA family, +>18 leshort 257 WDC 65816/65C816, +>18 leshort 258 LoongArch, +>18 leshort 259 ChipON KungFu32, +>18 leshort 0x1057 AVR (unofficial), +>18 leshort 0x1059 MSP430 (unofficial), +>18 leshort 0x1223 Adapteva Epiphany (unofficial), +>18 leshort 0x2530 Morpho MT (unofficial), +>18 leshort 0x3330 FR30 (unofficial), +>18 leshort 0x3426 OpenRISC (obsolete), +>18 leshort 0x4688 Infineon C166 (unofficial), +>18 leshort 0x5441 Cygnus FRV (unofficial), +>18 leshort 0x5aa5 DLX (unofficial), +>18 leshort 0x7650 Cygnus D10V (unofficial), +>18 leshort 0x7676 Cygnus D30V (unofficial), +>18 leshort 0x8217 Ubicom IP2xxx (unofficial), +>18 leshort 0x8472 OpenRISC (obsolete), +>18 leshort 0x9025 Cygnus PowerPC (unofficial), +>18 leshort 0x9026 Alpha (unofficial), +>18 leshort 0x9041 Cygnus M32R (unofficial), +>18 leshort 0x9080 Cygnus V850 (unofficial), +>18 leshort 0xa390 IBM S/390 (obsolete), +>18 leshort 0xabc7 Old Xtensa (unofficial), +>18 leshort 0xad45 xstormy16 (unofficial), +>18 leshort 0xbaab Old MicroBlaze (unofficial),, +>18 leshort 0xbeef Cygnus MN10300 (unofficial), +>18 leshort 0xdead Cygnus MN10200 (unofficial), +>18 leshort 0xf00d Toshiba MeP (unofficial), +>18 leshort 0xfeb0 Renesas M32C (unofficial), +>18 leshort 0xfeba Vitesse IQ2000 (unofficial), +>18 leshort 0xfebb NIOS (unofficial), +>18 leshort 0xfeed Moxie (unofficial), +>18 default x +>>18 leshort x *unknown arch %#x* +>20 lelong 0 invalid version +>20 lelong 1 version 1 + +0 string \177ELF ELF +!:strength *2 +>4 byte 0 invalid class +>4 byte 1 32-bit +>4 byte 2 64-bit +>5 byte 0 invalid byte order +>5 byte 1 LSB +>>0 use elf-le +>5 byte 2 MSB +>>0 use \^elf-le +>7 byte 0 (SYSV) +>7 byte 1 (HP-UX) +>7 byte 2 (NetBSD) +>7 byte 3 (GNU/Linux) +>7 byte 4 (GNU/Hurd) +>7 byte 5 (86Open) +>7 byte 6 (Solaris) +>7 byte 7 (Monterey) +>7 byte 8 (IRIX) +>7 byte 9 (FreeBSD) +>7 byte 10 (Tru64) +>7 byte 11 (Novell Modesto) +>7 byte 12 (OpenBSD) +>7 byte 13 (OpenVMS) +>7 byte 14 (HP NonStop Kernel) +>7 byte 15 (AROS Research Operating System) +>7 byte 16 (FenixOS) +>7 byte 17 (Nuxi CloudABI) +>7 byte 97 (ARM) +>7 byte 202 (Cafe OS) +>7 byte 255 (embedded) diff --git a/magic/Magdir/encore b/magic/Magdir/encore new file mode 100644 index 0000000..287b388 --- /dev/null +++ b/magic/Magdir/encore @@ -0,0 +1,22 @@ + +#------------------------------------------------------------------------------ +# $File: encore,v 1.7 2014/04/30 21:41:02 christos Exp $ +# encore: file(1) magic for Encore machines +# +# XXX - needs to have the byte order specified (NS32K was little-endian, +# dunno whether they run the 88K in little-endian mode or not). +# +0 short 0x154 Encore +>20 short 0x107 executable +>20 short 0x108 pure executable +>20 short 0x10b demand-paged executable +>20 short 0x10f unsupported executable +>12 long >0 not stripped +>22 short >0 - version %d +>22 short 0 - +#>4 date x stamp %s +0 short 0x155 Encore unsupported executable +>12 long >0 not stripped +>22 short >0 - version %d +>22 short 0 - +#>4 date x stamp %s diff --git a/magic/Magdir/epoc b/magic/Magdir/epoc new file mode 100644 index 0000000..6f4ab5f --- /dev/null +++ b/magic/Magdir/epoc @@ -0,0 +1,62 @@ + +#------------------------------------------------------------------------------ +# $File: epoc,v 1.9 2013/12/21 14:28:15 christos Exp $ +# EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] +# Stefan Praszalowicz <hpicollo@worldnet.fr> and Peter Breitenlohner <peb@mppmu.mpg.de> +# Useful information for improving this file can be found at: +# http://software.frodo.looijaard.name/psiconv/formats/Index.html +#------------------------------------------------------------------------------ +0 lelong 0x10000037 Psion Series 5 +>4 lelong 0x10000039 font file +>4 lelong 0x1000003A printer driver +>4 lelong 0x1000003B clipboard +>4 lelong 0x10000042 multi-bitmap image +!:mime image/x-epoc-mbm +>4 lelong 0x1000006A application information file +>4 lelong 0x1000006D +>>8 lelong 0x1000007D Sketch image +!:mime image/x-epoc-sketch +>>8 lelong 0x1000007E voice note +>>8 lelong 0x1000007F Word file +!:mime application/x-epoc-word +>>8 lelong 0x10000085 OPL program (TextEd) +!:mime application/x-epoc-opl +>>8 lelong 0x10000087 Comms settings +>>8 lelong 0x10000088 Sheet file +!:mime application/x-epoc-sheet +>>8 lelong 0x100001C4 EasyFax initialisation file +>4 lelong 0x10000073 OPO module +!:mime application/x-epoc-opo +>4 lelong 0x10000074 OPL application +!:mime application/x-epoc-app +>4 lelong 0x1000008A exported multi-bitmap image +>4 lelong 0x1000016D +>>8 lelong 0x10000087 Comms names + +0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image + +0 lelong 0x10000050 Psion Series 5 +>4 lelong 0x1000006D database +>>8 lelong 0x10000084 Agenda file +!:mime application/x-epoc-agenda +>>8 lelong 0x10000086 Data file +!:mime application/x-epoc-data +>>8 lelong 0x10000CEA Jotter file +!:mime application/x-epoc-jotter +>4 lelong 0x100000E4 ini file + +0 lelong 0x10000079 Psion Series 5 binary: +>4 lelong 0x00000000 DLL +>4 lelong 0x10000049 comms hardware library +>4 lelong 0x1000004A comms protocol library +>4 lelong 0x1000005D OPX +>4 lelong 0x1000006C application +>4 lelong 0x1000008D DLL +>4 lelong 0x100000AC logical device driver +>4 lelong 0x100000AD physical device driver +>4 lelong 0x100000E5 file transfer protocol +>4 lelong 0x100000E5 file transfer protocol +>4 lelong 0x10000140 printer definition +>4 lelong 0x10000141 printer definition + +0 lelong 0x1000007A Psion Series 5 executable diff --git a/magic/Magdir/erlang b/magic/Magdir/erlang new file mode 100644 index 0000000..df7aa2a --- /dev/null +++ b/magic/Magdir/erlang @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: erlang,v 1.7 2019/04/19 00:42:27 christos Exp $ +# erlang: file(1) magic for Erlang JAM and BEAM files +# URL: https://www.erlang.org/faq/x779.html#AEN812 + +# OTP R3-R4 +0 string \0177BEAM! Old Erlang BEAM file +>6 short >0 - version %d + +# OTP R5 and onwards +0 string FOR1 +>8 string BEAM Erlang BEAM file + +# 4.2 version may have a copyright notice! +4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 +79 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 + +4 string 1.0\ Fri\ Feb\ 3\ 09:55:56\ MET\ 1995 Erlang JAM file - version 4.3 + +0 bequad 0x0000000000ABCDEF Erlang DETS file diff --git a/magic/Magdir/espressif b/magic/Magdir/espressif new file mode 100644 index 0000000..a97c093 --- /dev/null +++ b/magic/Magdir/espressif @@ -0,0 +1,57 @@ + +# $File: espressif,v 1.3 2021/04/26 15:56:00 christos Exp $ +# configuration dump of Tasmota firmware for ESP8266 based devices by Espressif +# URL: https://github.com/arendst/Sonoff-Tasmota/ +# Reference: https://codeload.github.com/arendst/Sonoff-Tasmota/zip/release-6.2/ +# Sonoff-Tasmota-release-6.2.zip/Sonoff-Tasmota-release-6.2/sonoff/settings.h +# From: Joerg Jenderek +# +# cfg_holder=4617=0x1209 +0 uleshort 4617 +# remaining settings normally 0x5A+offset XORed; free_1D5[20] empty since 5.12.0e +>0x1D5 ubequad 0x2f30313233343536 configuration of Tasmota firmware (ESP8266) +!:mime application/x-tasmota-dmp +!:ext dmp +# version like 6.2.1.0 ~ 0x06020100 XORed to 0x63666262 +>>11 ubyte^0x65 x \b, version %u +>>10 ubyte^0x64 x \b.%u +>>9 ubyte^0x63 x \b.%u +>>8 ubyte^0x62 x \b.%u +#>8 ubelong x (%#x) +# hostname[33] XORed +>>0x165 ubyte^0x1BF x \b, hostname %c +>>0x166 ubyte^0x1C0 >037 \b%c +>>0x167 ubyte^0x1C1 >037 \b%c +>>0x168 ubyte^0x1C2 >037 \b%c +>>0x169 ubyte^0x1C3 >037 \b%c +>>0x16A ubyte^0x1C4 >037 \b%c +>>0x16B ubyte^0x1C5 >037 \b%c +>>0x16C ubyte^0x1C6 >037 \b%c +>>0x16D ubyte^0x1C7 >037 \b%c +>>0x16E ubyte^0x1C8 >037 \b%c +>>0x16F ubyte^0x1C9 >037 \b%c +>>0x170 ubyte^0x1CA >037 \b%c +>>0x171 ubyte^0x1CB >037 \b%c +>>0x172 ubyte^0x1CC >037 \b%c +>>0x173 ubyte^0x1CD >037 \b%c +>>0x174 ubyte^0x1CE >037 \b%c +>>0x175 ubyte^0x1CF >037 \b%c +>>0x176 ubyte^0x1D0 >037 \b%c +>>0x177 ubyte^0x1D1 >037 \b%c +>>0x178 ubyte^0x1D2 >037 \b%c +>>0x179 ubyte^0x1D3 >037 \b%c +>>0x17A ubyte^0x1D4 >037 \b%c +>>0x17B ubyte^0x1D5 >037 \b%c +>>0x17C ubyte^0x1D6 >037 \b%c +>>0x17D ubyte^0x1D7 >037 \b%c +>>0x17E ubyte^0x1D8 >037 \b%c +>>0x17F ubyte^0x1D9 >037 \b%c +>>0x180 ubyte^0x1DA >037 \b%c +>>0x181 ubyte^0x1DB >037 \b%c +>>0x182 ubyte^0x1DC >037 \b%c +>>0x183 ubyte^0x1DD >037 \b%c +>>0x184 ubyte^0x1DE >037 \b%c +>>0x185 ubyte^0x1DF >037 \b%c +#>>0x165 string x (%.33s) + + diff --git a/magic/Magdir/esri b/magic/Magdir/esri new file mode 100644 index 0000000..e49a7ce --- /dev/null +++ b/magic/Magdir/esri @@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: esri,v 1.5 2019/04/19 00:42:27 christos Exp $ +# ESRI Shapefile format (.shp .shx .dbf=DBaseIII) +# Based on info from +# <URL:https://www.esri.com/library/whitepapers/pdfs/shapefile.pdf> +0 belong 9994 ESRI Shapefile +>4 belong =0 +>8 belong =0 +>12 belong =0 +>16 belong =0 +>20 belong =0 +>28 lelong x version %d +>24 belong x length %d +>32 lelong =0 type Null Shape +>32 lelong =1 type Point +>32 lelong =3 type PolyLine +>32 lelong =5 type Polygon +>32 lelong =8 type MultiPoint +>32 lelong =11 type PointZ +>32 lelong =13 type PolyLineZ +>32 lelong =15 type PolygonZ +>32 lelong =18 type MultiPointZ +>32 lelong =21 type PointM +>32 lelong =23 type PolyLineM +>32 lelong =25 type PolygonM +>32 lelong =28 type MultiPointM +>32 lelong =31 type MultiPatch diff --git a/magic/Magdir/fcs b/magic/Magdir/fcs new file mode 100644 index 0000000..613437f --- /dev/null +++ b/magic/Magdir/fcs @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: fcs,v 1.4 2009/09/19 16:28:09 christos Exp $ +# fcs: file(1) magic for FCS (Flow Cytometry Standard) data files +# From Roger Leigh <roger@whinlatter.uklinux.net> +0 string FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0 +0 string FCS2.0 Flow Cytometry Standard (FCS) data, version 2.0 +0 string FCS3.0 Flow Cytometry Standard (FCS) data, version 3.0 + diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems new file mode 100644 index 0000000..cd72130 --- /dev/null +++ b/magic/Magdir/filesystems @@ -0,0 +1,2694 @@ +#------------------------------------------------------------------------------ +# $File: filesystems,v 1.158 2023/05/21 17:19:08 christos Exp $ +# filesystems: file(1) magic for different filesystems +# +0 name partid +>0 ubyte 0x00 Unused +>0 ubyte 0x01 12-bit FAT +>0 ubyte 0x02 XENIX / +>0 ubyte 0x03 XENIX /usr +>0 ubyte 0x04 16-bit FAT, less than 32M +>0 ubyte 0x05 extended partition +>0 ubyte 0x06 16-bit FAT, more than 32M +>0 ubyte 0x07 OS/2 HPFS, NTFS, QNX2, Adv. UNIX +>0 ubyte 0x08 AIX or os, or etc. +>0 ubyte 0x09 AIX boot partition or Coherent +>0 ubyte 0x0a O/2 boot manager or Coherent swap +>0 ubyte 0x0b 32-bit FAT +>0 ubyte 0x0c 32-bit FAT, LBA-mapped +>0 ubyte 0x0d 7XXX, LBA-mapped +>0 ubyte 0x0e 16-bit FAT, LBA-mapped +>0 ubyte 0x0f extended partition, LBA-mapped +>0 ubyte 0x10 OPUS +>0 ubyte 0x11 OS/2 DOS 12-bit FAT +>0 ubyte 0x12 Compaq diagnostics +>0 ubyte 0x14 OS/2 DOS 16-bit FAT <32M +>0 ubyte 0x16 OS/2 DOS 16-bit FAT >=32M +>0 ubyte 0x17 OS/2 hidden IFS +>0 ubyte 0x18 AST Windows swapfile +>0 ubyte 0x19 Willowtech Photon coS +>0 ubyte 0x1b hidden win95 fat 32 +>0 ubyte 0x1c hidden win95 fat 32 lba +>0 ubyte 0x1d hidden win95 fat 16 lba +>0 ubyte 0x20 Willowsoft OFS1 +>0 ubyte 0x21 reserved +>0 ubyte 0x23 reserved +>0 ubyte 0x24 NEC DOS +>0 ubyte 0x26 reserved +>0 ubyte 0x31 reserved +>0 ubyte 0x32 Alien Internet Services NOS +>0 ubyte 0x33 reserved +>0 ubyte 0x34 reserved +>0 ubyte 0x35 JFS on OS2 +>0 ubyte 0x36 reserved +>0 ubyte 0x38 Theos +>0 ubyte 0x39 Plan 9, or Theos spanned +>0 ubyte 0x3a Theos ver 4 4gb partition +>0 ubyte 0x3b Theos ve 4 extended partition +>0 ubyte 0x3c PartitionMagic recovery +>0 ubyte 0x3d Hidden Netware +>0 ubyte 0x40 VENIX 286 or LynxOS +>0 ubyte 0x41 PReP +>0 ubyte 0x42 linux swap sharing DRDOS disk +>0 ubyte 0x43 linux sharing DRDOS disk +>0 ubyte 0x44 GoBack change utility +>0 ubyte 0x45 Boot US Boot manager +>0 ubyte 0x46 EUMEL/Elan or Ergos 3 +>0 ubyte 0x47 EUMEL/Elan or Ergos 3 +>0 ubyte 0x48 EUMEL/Elan or Ergos 3 +>0 ubyte 0x4a ALFX/THIN filesystem for DOS +>0 ubyte 0x4c Oberon partition +>0 ubyte 0x4d QNX4.x +>0 ubyte 0x4e QNX4.x 2nd part +>0 ubyte 0x4f QNX4.x 3rd part +>0 ubyte 0x50 DM (disk manager) +>0 ubyte 0x51 DM6 Aux1 (or Novell) +>0 ubyte 0x52 CP/M or Microport SysV/AT +>0 ubyte 0x53 DM6 Aux3 +>0 ubyte 0x54 DM6 DDO +>0 ubyte 0x55 EZ-Drive (disk manager) +>0 ubyte 0x56 Golden Bow (disk manager) +>0 ubyte 0x57 Drive PRO +>0 ubyte 0x5c Priam Edisk (disk manager) +>0 ubyte 0x61 SpeedStor +>0 ubyte 0x63 GNU HURD or Mach or Sys V/386 +>0 ubyte 0x64 Novell Netware 2.xx or Speedstore +>0 ubyte 0x65 Novell Netware 3.xx +>0 ubyte 0x66 Novell 386 Netware +>0 ubyte 0x67 Novell +>0 ubyte 0x68 Novell +>0 ubyte 0x69 Novell +>0 ubyte 0x70 DiskSecure Multi-Boot +>0 ubyte 0x71 reserved +>0 ubyte 0x73 reserved +>0 ubyte 0x74 reserved +>0 ubyte 0x75 PC/IX +>0 ubyte 0x76 reserved +>0 ubyte 0x77 M2FS/M2CS partition +>0 ubyte 0x78 XOSL boot loader filesystem +>0 ubyte 0x80 MINIX until 1.4a +>0 ubyte 0x81 MINIX since 1.4b +>0 ubyte 0x82 Linux swap or Solaris +>0 ubyte 0x83 Linux native +>0 ubyte 0x84 OS/2 hidden C: drive +>0 ubyte 0x85 Linux extended partition +>0 ubyte 0x86 NT FAT volume set +>0 ubyte 0x87 NTFS volume set or HPFS mirrored +>0 ubyte 0x8a Linux Kernel AiR-BOOT partition +>0 ubyte 0x8b Legacy Fault tolerant FAT32 +>0 ubyte 0x8c Legacy Fault tolerant FAT32 ext +>0 ubyte 0x8d Hidden free FDISK FAT12 +>0 ubyte 0x8e Linux Logical Volume Manager +>0 ubyte 0x90 Hidden free FDISK FAT16 +>0 ubyte 0x91 Hidden free FDISK DOS EXT +>0 ubyte 0x92 Hidden free FDISK FAT16 Big +>0 ubyte 0x93 Amoeba filesystem +>0 ubyte 0x94 Amoeba bad block table +>0 ubyte 0x95 MIT EXOPC native partitions +>0 ubyte 0x97 Hidden free FDISK FAT32 +>0 ubyte 0x98 Datalight ROM-DOS Super-Boot +>0 ubyte 0x99 Mylex EISA SCSI +>0 ubyte 0x9a Hidden free FDISK FAT16 LBA +>0 ubyte 0x9b Hidden free FDISK EXT LBA +>0 ubyte 0x9f BSDI? +>0 ubyte 0xa0 IBM Thinkpad hibernation +>0 ubyte 0xa1 HP Volume expansion (SpeedStor) +>0 ubyte 0xa3 HP Volume expansion (SpeedStor) +>0 ubyte 0xa4 HP Volume expansion (SpeedStor) +>0 ubyte 0xa5 386BSD partition type +>0 ubyte 0xa6 OpenBSD partition type +>0 ubyte 0xa7 NeXTSTEP 486 +>0 ubyte 0xa8 Apple UFS +>0 ubyte 0xa9 NetBSD partition type +>0 ubyte 0xaa Olivetty Fat12 1.44MB Service part +>0 ubyte 0xab Apple Boot +>0 ubyte 0xae SHAG OS filesystem +>0 ubyte 0xaf Apple HFS +>0 ubyte 0xb0 BootStar Dummy +>0 ubyte 0xb1 reserved +>0 ubyte 0xb3 reserved +>0 ubyte 0xb4 reserved +>0 ubyte 0xb6 reserved +>0 ubyte 0xb7 BSDI BSD/386 filesystem +>0 ubyte 0xb8 BSDI BSD/386 swap +>0 ubyte 0xbb Boot Wizard Hidden +>0 ubyte 0xbe Solaris 8 partition type +>0 ubyte 0xbf Solaris partition type +>0 ubyte 0xc0 CTOS +>0 ubyte 0xc1 DRDOS/sec (FAT-12) +>0 ubyte 0xc2 Hidden Linux +>0 ubyte 0xc3 Hidden Linux swap +>0 ubyte 0xc4 DRDOS/sec (FAT-16, < 32M) +>0 ubyte 0xc5 DRDOS/sec (EXT) +>0 ubyte 0xc6 DRDOS/sec (FAT-16, >= 32M) +>0 ubyte 0xc7 Syrinx (Cyrnix?) or HPFS disabled +>0 ubyte 0xc8 Reserved for DR-DOS 8.0+ +>0 ubyte 0xc9 Reserved for DR-DOS 8.0+ +>0 ubyte 0xca Reserved for DR-DOS 8.0+ +>0 ubyte 0xcb DR-DOS 7.04+ Secured FAT32 CHS +>0 ubyte 0xcc DR-DOS 7.04+ Secured FAT32 LBA +>0 ubyte 0xcd CTOS Memdump +>0 ubyte 0xce DR-DOS 7.04+ FAT16X LBA +>0 ubyte 0xcf DR-DOS 7.04+ EXT LBA +>0 ubyte 0xd0 REAL/32 secure big partition +>0 ubyte 0xd1 Old Multiuser DOS FAT12 +>0 ubyte 0xd4 Old Multiuser DOS FAT16 Small +>0 ubyte 0xd5 Old Multiuser DOS Extended +>0 ubyte 0xd6 Old Multiuser DOS FAT16 Big +>0 ubyte 0xd8 CP/M 86 +>0 ubyte 0xdb CP/M or Concurrent CP/M +>0 ubyte 0xdd Hidden CTOS Memdump +>0 ubyte 0xde Dell PowerEdge Server utilities +>0 ubyte 0xdf DG/UX virtual disk manager +>0 ubyte 0xe0 STMicroelectronics ST AVFS +>0 ubyte 0xe1 DOS access or SpeedStor 12-bit +>0 ubyte 0xe3 DOS R/O or Storage Dimensions +>0 ubyte 0xe4 SpeedStor 16-bit FAT < 1024 cyl. +>0 ubyte 0xe5 reserved +>0 ubyte 0xe6 reserved +>0 ubyte 0xeb BeOS +>0 ubyte 0xee GPT Protective MBR +>0 ubyte 0xef EFI system partition +>0 ubyte 0xf0 Linux PA-RISC boot loader +>0 ubyte 0xf1 SpeedStor or Storage Dimensions +>0 ubyte 0xf2 DOS 3.3+ Secondary +>0 ubyte 0xf3 reserved +>0 ubyte 0xf4 SpeedStor large partition +>0 ubyte 0xf5 Prologue multi-volumen partition +>0 ubyte 0xf6 reserved +>0 ubyte 0xf9 pCache: ext2/ext3 persistent cache +>0 ubyte 0xfa Bochs x86 emulator +>0 ubyte 0xfb VMware File System +>0 ubyte 0xfc VMware Swap +>0 ubyte 0xfd Linux RAID partition persistent sb +>0 ubyte 0xfe LANstep or IBM PS/2 IML +>0 ubyte 0xff Xenix Bad Block Table + +0 string \366\366\366\366 PC formatted floppy with no filesystem +# Sun disk labels +# From /usr/include/sun/dklabel.h: +0774 beshort 0xdabe +# modified by Joerg Jenderek, because original test +# succeeds for Cabinet archive dao360.dl_ with negative blocks +>0770 long >0 Sun disk label +>>0 string x '%s +>>>31 string >\0 \b%s +>>>>63 string >\0 \b%s +>>>>>95 string >\0 \b%s +>>0 string x \b' +>>0734 short >0 %d rpm, +>>0736 short >0 %d phys cys, +>>0740 short >0 %d alts/cyl, +>>0746 short >0 %d interleave, +>>0750 short >0 %d data cyls, +>>0752 short >0 %d alt cyls, +>>0754 short >0 %d heads/partition, +>>0756 short >0 %d sectors/track, +>>0764 long >0 start cyl %d, +>>0770 long x %d blocks +# Is there a boot block written 1 sector in? +>512 belong&077777777 0600407 \b, boot block present + +# Joerg Jenderek: Smart Boot Manager backup file is 25 (MSDOS) or 41 (LINUX) byte header + first sectors of disk +# (http://btmgr.sourceforge.net/docs/user-guide-3.html) +0 string SBMBAKUP_ Smart Boot Manager backup file +>9 string x \b, version %-5.5s +>>14 string =_ +>>>15 string x %-.1s +>>>>16 string =_ \b. +>>>>>17 string x \b%-.1s +>>>>>>18 string =_ \b. +>>>>>>>19 string x \b%-.1s +>>>22 ubyte 0 +>>>>21 ubyte x \b, from drive %#x +>>>22 ubyte >0 +>>>>21 string x \b, from drive %s +>>>535 search/17 \x55\xAA +>>>>&-512 indirect x \b; contains + +# updated by Joerg Jenderek at Nov 2012 +# DOS Emulator image is 128 byte, null right padded header + harddisc image +0 string DOSEMU\0 +>0x27E leshort 0xAA55 +#offset is 128 +>>19 ubyte 128 +>>>(19.b-1) ubyte 0x0 DOS Emulator image +>>>>7 ulelong >0 \b, %u heads +>>>>11 ulelong >0 \b, %d sectors/track +>>>>15 ulelong >0 \b, %d cylinders +>>>>128 indirect x \b; contains + +# added by Joerg Jenderek at Nov 2012 +# http://www.thenakedpc.com/articles/v04/08/0408-05.html +# Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data +0 string PNCIHISK\0 Norton Utilities disc image data +# real x86 boot sector with jump instruction +>509 search/1026 \x55\xAA\xeb +>>&-1 indirect x \b; contains +# http://file-extension.net/seeker/file_extension_dat +0 string PNCIUNDO Norton Disk Doctor UnDo file +# + +# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 +# for any allowed sector sizes +30 search/481 \x55\xAA +# to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) +# DOS BPB information (70) and after DOS floppy (120) like in previous file version +!:strength +65 +# for sector sizes < 512 Bytes +>11 uleshort <512 +>>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector +# for sector sizes with 512 or more Bytes +>0x1FE leshort 0xAA55 DOS/MBR boot sector + +# ExFAT +3 string/w =EXFAT +>0x1FE leshort 0xAA55 +>>0x6E ubyte 1 +>>>0x6F ubyte 0x80 +>>>0 ubyte 0xEB DOS/MBR boot sector, +>>>0x69 ubyte x ExFAT Filesystem version %d. +>>>0x68 ubyte x \b%d +>>>0x6d ubyte x \b, (1<<%d) sectors per cluster +>>>0x48 ulequad x \b, sectors %lld +>>>0x64 ulelong x \b, serial number %#x + +# keep old DOS/MBR boot sector as dummy for mbr and bootloader displaying +# only for sector sizes with 512 or more Bytes +0x1FE leshort 0xAA55 DOS/MBR boot sector +# +# to display information (50) before DOS BPB (strength=70) and after DOS floppy (120) like in old file version +!:strength +65 +>2 string OSBS OS/BS MBR +# added by Joerg Jenderek at Feb 2013 according to https://thestarman.pcministry.com/asm/mbr/ +# and https://en.wikipedia.org/wiki/Master_Boot_Record +# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by +# characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00 +>0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR +# Microsoft Windows 95A and early ( https://thestarman.pcministry.com/asm/mbr/STDMBR.htm ) +# assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld +>>8 ubequad 0x8bf45007501ffbfc +# https://thestarman.pcministry.com/asm/mbr/200MBR.htm +>>>0x16 ubyte 0xF3 \b,DOS 2 +>>>>219 regex Author\ -\ Author: +# found "David Litton" , "A Pehrsson " +>>>>>&0 string x "%s" +>>>0x16 ubyte 0xF2 +# NEC MS-DOS 3.30 Rev. 3 . See https://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm +# assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz +>>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3 +# version MS-DOS 3.30 til MS-Windows 95A (WinVer=4.00.1111) +>>>>0x22 default x \b,D0S version 3.3-7.0 +# error messages are printed by assembler instructions: mov si,06nn;...;int 10 (0xBEnn06;...) +# where nn is string offset varying for different languages +# "Invalid partition table" nn=0x8b for english version +>>>>>(0x49.b) string Invalid\ partition\ table english +>>>>>(0x49.b) string Ung\201ltige\ Partitionstabelle german +>>>>>(0x49.b) string Table\ de\ partition\ invalide french +>>>>>(0x49.b) string Tabela\ de\ parti\207ao\ inv\240lida portuguese +>>>>>(0x49.b) string Tabla\ de\ partici\242n\ no\ v\240lida spanish +>>>>>(0x49.b) string Tavola\ delle\ partizioni\ non\ valida italian +>>>>>0x49 ubyte >0 at offset %#x +>>>>>>(0x49.b) string >\0 "%s" +# "Error loading operating system" nn=0xa3 for english version +# "Fehler beim Laden des Betriebssystems" nn=0xa7 for german version +# "Erreur en chargeant syst\212me d'exploitation" nn=0xa7 for french version +# "Erro na inicializa\207ao do sistema operacional" nn=0xa7 for portuguese Brazilian version +# "Error al cargar sistema operativo" nn=0xa8 for spanish version +# "Errore durante il caricamento del sistema operativo" nn=0xae for italian version +>>>>>0x74 ubyte >0 at offset %#x +>>>>>>(0x74.b) string >\0 "%s" +# "Missing operating system" nn=0xc2 for english version +# "Betriebssystem fehlt" nn=0xcd for german version +# "Syst\212me d'exploitation absent" nn=0xd2 for french version +# "Sistema operacional nao encontrado" nn=0xd4 for portuguese Brazilian version +# "Falta sistema operativo" nn=0xca for spanish version +# "Sistema operativo mancante" nn=0xe2 for italian version +>>>>>0x79 ubyte >0 at offset %#x +>>>>>>(0x79.b) string >\0 "%s" +# Microsoft Windows 95B to XP (https://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) +# assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b +>>8 ubequad 0x5007501ffcbe1b7c +# assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 +>>>24 ubequad 0xf3a4cbbebe07b104 9M +# "Invalid partition table" nn=0x10F for english version +# "Ung\201ltige Partitionstabelle" nn=0x10F for german version +# "Table de partition erron\202e" nn=0x10F for french version +# "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x10F for russian version +>>>>(0x3C.b+0x0FF) string Invalid\ partition\ table english +>>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german +>>>>(0x3C.b+0x0FF) string Table\ de\ partition\ erron\202e french +>>>>(0x3C.b+0x0FF) string \215\245\257\340\240\242\250\253\354\255\240\357\ \342\240\241\253\250\346\240 russian +>>>>0x3C ubyte x at offset %#x+0xFF +>>>>(0x3C.b+0x0FF) string >\0 "%s" +# "Error loading operating system" nn=0x127 for english version +# "Fehler beim Laden des Betriebssystems" nn=0x12b for german version +# "Erreur lors du chargement du syst\212me d'exploitation" nn=0x12a for french version +# "\216\350\250\241\252\240 \257\340\250 \247\240\243\340\343\247\252\245 \256\257\245\340\240\346\250\256\255\255\256\251 \341\250\341\342\245\254\353" nn=0x12d for russian version +>>>>0xBD ubyte x at offset 0x1%x +>>>>(0xBD.b+0x100) string >\0 "%s" +# "Missing operating system" nn=0x146 for english version +# "Betriebssystem fehlt" nn=0x151 for german version +# "Syst\212me d'exploitation manquant" nn=0x15e for french version +# "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x156 for russian version +>>>>0xA9 ubyte x at offset 0x1%x +>>>>(0xA9.b+0x100) string >\0 "%s" +# https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm +# assembler instructions: rep;movsb;retf;mov BP,07be;mov cl,04 +>>>24 ubequad 0xf3a4cbbdbe07b104 XP +# where xxyyzz are lower bits from offsets of error messages varying for different languages +>>>>0x1B4 ubelong&0x00FFFFFF 0x002c4463 english +>>>>0x1B4 ubelong&0x00FFFFFF 0x002c486e german +# "Invalid partition table" xx=0x12C for english version +# "Ung\201ltige Partitionstabelle" xx=0x12C for german version +>>>>0x1b5 ubyte >0 at offset 0x1%x +>>>>(0x1b5.b+0x100) string >\0 "%s" +# "Error loading operating system" yy=0x144 for english version +# "Fehler beim Laden des Betriebssystems" yy=0x148 for german version +>>>>0x1b6 ubyte >0 at offset 0x1%x +>>>>(0x1b6.b+0x100) string >\0 "%s" +# "Missing operating system" zz=0x163 for english version +# "Betriebssystem nicht vorhanden" zz=0x16e for german version +>>>>0x1b7 ubyte >0 at offset 0x1%x +>>>>(0x1b7.b+0x100) string >\0 "%s" +# Microsoft Windows Vista or 7 +# assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00 +>>8 ubequad 0xc08ed8be007cbf00 +# Microsoft Windows Vista (https://thestarman.pcministry.com/asm/mbr/VistaMBR.htm) +# assembler instructions: jnz 0729;cmp ebx,"TCPA" +>>>0xEC ubequad 0x753b6681fb544350 Vista +# where xxyyzz are lower bits from offsets of error messages varying for different languages +>>>>0x1B4 ubelong&0x00FFFFFF 0x00627a99 english +#>>>>0x1B4 ubelong&0x00FFFFFF ? german +# "Invalid partition table" xx=0x162 for english version +# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version +>>>>0x1b5 ubyte >0 at offset 0x1%x +>>>>(0x1b5.b+0x100) string >\0 "%s" +# "Error loading operating system" yy=0x17a for english version +# "Fehler beim Laden des Betriebssystems" yy= 0x1?? for german version +>>>>0x1b6 ubyte >0 at offset 0x1%x +>>>>(0x1b6.b+0x100) string >\0 "%s" +# "Missing operating system" zz=0x199 for english version +# "Betriebssystem nicht vorhanden" zz=0x1?? for german version +>>>>0x1b7 ubyte >0 at offset 0x1%x +>>>>(0x1b7.b+0x100) string >\0 "%s" +# Microsoft Windows 7 (https://thestarman.pcministry.com/asm/mbr/W7MBR.htm) +# assembler instructions: cmp ebx,"TCPA";cmp +>>>0xEC ubequad 0x6681fb5443504175 Windows 7 +# where xxyyzz are lower bits from offsets of error messages varying for different languages +>>>>0x1B4 ubelong&0x00FFFFFF 0x00637b9a english +#>>>>0x1B4 ubelong&0x00FFFFFF ? german +# "Invalid partition table" xx=0x163 for english version +# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version +>>>>0x1b5 ubyte >0 at offset 0x1%x +>>>>(0x1b5.b+0x100) string >\0 "%s" +# "Error loading operating system" yy=0x17b for english version +# "Fehler beim Laden des Betriebssystems" yy=0x1?? for german version +>>>>0x1b6 ubyte >0 at offset 0x1%x +>>>>(0x1b6.b+0x100) string >\0 "%s" +# "Missing operating system" zz=0x19a for english version +# "Betriebssystem nicht vorhanden" zz=0x1?? for german version +>>>>0x1b7 ubyte >0 at offset 0x1%x +>>>>(0x1b7.b+0x100) string >\0 "%s" +# https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DiskSigs +# https://en.wikipedia.org/wiki/MBR_disk_signature#ID +>>0x1b8 ulelong >0 \b, disk signature %#-.4x +# driveID/timestamp for Win 95B,98,98SE and ME. See https://thestarman.pcministry.com/asm/mbr/mystery.htm +>>0xDA uleshort 0 +>>>0xDC ulelong >0 \b, created +# physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive +>>>>0xDC ubyte x with driveID %#x +# hours, minutes and seconds +>>>>0xDf ubyte x at %x +>>>>0xDe ubyte x \b:%x +>>>>0xDd ubyte x \b:%x +# special case for Microsoft MS-DOS 3.21 spanish +# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov +>0 ubequad 0xfab830008ed0bc00 +# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov +>>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish +# Microsoft MBR IPL end + +# dr-dos with some upper-, lowercase variants +>0x9D string Invalid\ partition\ table$ +>>181 string No\ Operating\ System$ +>>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 +>0x9D string Invalid\ partition\ table$ +>>181 string No\ operating\ system$ +>>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 +>342 string Invalid\ partition\ table$ +>>366 string No\ operating\ system$ +>>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 +>295 string NEWLDR\0 +>>302 string Bad\ PT\ $ +>>>310 string No\ OS\ $ +>>>>317 string OS\ load\ err$ +>>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r +>>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ +>>>>>>>387 string Copyright\ (c)\ 1984,1998 +>>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) +# +# tests for different MS-DOS Master Boot Records (MBR) moved and merged +# +#>0x145 string Default:\ F \b, FREE-DOS MBR +#>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR +>0x145 search/7 Default:\ F \b, FREE-DOS MBR +#>>313 string F0\ .\ .\ . +#>>>322 string disk\ 1 +#>>>>382 string FAT3 +>64 string no\ active\ partition\ found +>>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR +# Ranish Partition Manager http://www.ranish.com/part/ +>387 search/4 \0\ Error!\r +>>378 search/7 Virus! +>>>397 search/4 Booting\040 +>>>>408 search/4 HD1/\0 \b, Ranish MBR ( +>>>>>416 string Writing\ changes... \b2.37 +>>>>>>438 ubyte x \b,%#x dots +>>>>>>440 ubyte >0 \b,virus check +>>>>>>441 ubyte >0 \b,partition %c +#2.38,2.42,2.44 +>>>>>416 string !Writing\ changes... \b +>>>>>>418 ubyte 1 \bvirus check, +>>>>>>419 ubyte x \b%#x seconds +>>>>>>420 ubyte&0x0F >0 \b,partition +>>>>>>>420 ubyte&0x0F <5 \b %x +>>>>>>>420 ubyte&0x0F 0Xf \b ask +>>>>>420 ubyte x \b) +# +# SYSLINUX MBR moved +# https://www.acronis.de/ +>362 string MBR\ Error\ \0\r +>>376 string ress\ any\ key\ to\040 +>>>392 string boot\ from\ floppy...\0 \b, Acronis MBR +# added by Joerg Jenderek +# https://www.visopsys.org/ +# https://partitionlogic.org.uk/ +>309 string No\ bootable\ partition\ found\r +>>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR +>349 string No\ bootable\ partition\ found\r +>>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR +# bootloader, bootmanager +>0x40 string SBML +# label with 11 characters of FAT 12 bit filesystem +>>43 string SMART\ BTMGR +>>>430 string SBMK\ Bad!\r \b, Smart Boot Manager +# OEM-ID not always "SBM" +#>>>>3 strings SBM +>>>>6 string >\0 \b, version %s +>382 string XOSLLOADXCF \b, eXtended Operating System Loader +>6 string LILO \b, LInux i386 boot LOader +>>120 string LILO \b, version 22.3.4 SuSe +>>172 string LILO \b, version 22.5.8 Debian +# updated by Joerg Jenderek at Oct 2008 +# variables according to grub-0.97/stage1/stage1.S or +# https://www.gnu.org/software/grub/manual/grub.html#Embedded-data +# usual values are marked with comments to get only information of strange GRUB loaders +>342 search/60 \0Geom\0 +#>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 +>>0x41 ubyte <2 +>>>0x3E ubyte >2 \b; GRand Unified Bootloader +# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 +>>>>0x3E ubyte x \b, stage1 version %#x +#If it is 0xFF, use a drive passed by BIOS +>>>>0x40 ubyte <0xFF \b, boot drive %#x +# in most case 0,1,0x2e for GRUB 0.5.95 +>>>>0x41 ubyte >0 \b, LBA flag %#x +>>>>0x42 uleshort <0x8000 \b, stage2 address %#x +#>>>>0x42 uleshort =0x8000 \b, stage2 address %#x (usual) +>>>>0x42 uleshort >0x8000 \b, stage2 address %#x +#>>>>0x44 ulelong =1 \b, 1st sector stage2 %#x (default) +>>>>0x44 ulelong >1 \b, 1st sector stage2 %#x +>>>>0x48 uleshort <0x800 \b, stage2 segment %#x +#>>>>0x48 uleshort =0x800 \b, stage2 segment %#x (usual) +>>>>0x48 uleshort >0x800 \b, stage2 segment %#x +>>>>402 string Geom\0Hard\ Disk\0Read\0\ Error\0 +>>>>>394 string stage1 \b, GRUB version 0.5.95 +>>>>382 string Geom\0Hard\ Disk\0Read\0\ Error\0 +>>>>>376 string GRUB\ \0 \b, GRUB version 0.93 or 1.94 +>>>>383 string Geom\0Hard\ Disk\0Read\0\ Error\0 +>>>>>377 string GRUB\ \0 \b, GRUB version 0.94 +>>>>385 string Geom\0Hard\ Disk\0Read\0\ Error\0 +>>>>>379 string GRUB\ \0 \b, GRUB version 0.95 or 0.96 +>>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 +>>>>>385 string GRUB\ \0 \b, GRUB version 0.97 +# unknown version +>>>343 string Geom\0Read\0\ Error\0 +>>>>321 string Loading\ stage1.5 \b, GRUB version x.y +>>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 +>>>>374 string GRUB\ \0 \b, GRUB version n.m +# SYSLINUX bootloader moved +>395 string chksum\0\ ERROR!\0 \b, Gujin bootloader +# http://www.bcdwb.de/bcdw/index_e.htm +>3 string BCDL +>>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) +# mbr partition table entries updated by Joerg Jenderek at Sep 2013 +# skip Norton Utilities disc image data +>3 string !IHISK +# skip Linux style boot sector starting with assembler instructions mov 0x7c0,ax; +>>0 belong !0xb8c0078e +# not Linux kernel +>>>514 string !HdrS +# not BeOS +>>>>422 string !Be\ Boot\ Loader +# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr +>>>>>0 ubelong&0xFD000000 =0xE9000000 +# AdvanceMAME mbr +>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e +>>>>>>>446 use partition-table +# mbr, Norton Utilities disc image data, or 2nd,etc. sector of x86 bootloader +>>>>>0 ubelong&0xFD000000 !0xE9000000 +# skip FSInfosector +>>>>>>0 string !RRaA +# skip 3rd sector of MS x86 bootloader with assembler instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, +# https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm +>>>>>>>0 ubequad !0xfa660fb64610668b +# skip 13rd sector of MS x86 bootloader +>>>>>>>>0 ubequad !0x660fb64610668b4e +# skip sector starting with DOS new line +>>>>>>>>>0 string !\r\n +# allowed active flag 0,80h-FFh +>>>>>>>>>>446 ubyte 0 +>>>>>>>>>>>446 use partition-table +>>>>>>>>>>446 ubyte >0x7F +>>>>>>>>>>>446 use partition-table +# TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries +# mbr partition table entries end +# https://www.acronis.de/ +#FAT label=ACRONIS\ SZ +#OEM-ID=BOOTWIZ0 +>442 string Non-system\ disk,\040 +>>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader +# updated by Joerg Jenderek at Nov 2012, Sep 2013 +# DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes +# display 1 space +>>>447 ubyte x \b +>>>477 use DOS-filename +# +>185 string FDBOOT\ Version\040 +>>204 string \rNo\ Systemdisk.\040 +>>>220 string Booting\ from\ harddisk.\n\r +>>>245 string Cannot\ load\ from\ harddisk.\n\r +>>>>273 string Insert\ Systemdisk\040 +>>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader +>>>>>>200 string >\0 \b, version %-3s +>242 string Bootsector\ from\ C.H.\ Hochst\204 +# http://freecode.com/projects/dosfstools dosfstools-n.m/src/mkdosfs.c +# updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string +# skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut +>242 search/127 Bootsector\ from\ C.H.\ Hochst +>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk +# followed by variants with point,CR-NL or NL-CR +>>>208 search/261 Cannot\ load\ from\ harddisk. +# followed by variants CR-NL or NL-CR +>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. +# followed by variants with point,CR-NL or NL-CR +>>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader +# followed by string like "6.50 (c) 1993-2004 Gilles Vollant" +>>>>>>&0 string x \b, version %-4.4s +>(1.b+2) ubyte 0xe +>>(1.b+3) ubyte 0x1f +>>>(1.b+4) ubyte 0xbe +# message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others +>>>>(1.b+5) ubyte&0xd3 0x53 +>>>>>(1.b+6) ubyte 0x7c +# assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah, +>>>>>>(1.b+7) ubyte 0xac +>>>>>>>(1.b+8) ubyte 0x22 +>>>>>>>>(1.b+9) ubyte 0xc0 +>>>>>>>>>(1.b+10) ubyte 0x74 +>>>>>>>>>>(1.b+11) ubyte 0x0b +>>>>>>>>>>>(1.b+12) ubyte 0x56 +>>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display +# FAT1X version +>>>>>>>>>>>>>(1.b+5) ubyte 0x5b +>>>>>>>>>>>>>>0x5b string >\0 "%-s" +# FAT32 version +>>>>>>>>>>>>>(1.b+5) ubyte 0x77 +>>>>>>>>>>>>>>0x77 string >\0 "%-s" +>214 string Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display +#>>244 string from\ dosemu-freedos-*-bin.tgz\r +#>>>170 string Sorry,\ could\ not\ load\ an\040 +#>>>>195 string operating\ system.\r\n +# +>103 string This\ is\ not\ a\ bootable\ disk.\040 +>>132 string Please\ insert\ a\ bootable\040 +>>>157 string floppy\ and\r\n +>>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display +# +>66 string Solaris\ Boot\ Sector +>>99 string Incomplete\ MDBoot\ load. +>>>89 string Version \b, Sun Solaris Bootloader +>>>>97 byte x version %c +# +>408 string OS/2\ !!\ SYS01475\r\0 +>>429 string OS/2\ !!\ SYS02025\r\0 +>>>450 string OS/2\ !!\ SYS02027\r\0 +>>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader +# +>409 string OS/2\ !!\ SYS01475\r\0 +>>430 string OS/2\ !!\ SYS02025\r\0 +>>>451 string OS/2\ !!\ SYS02027\r\0 +>>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader +>112 string This\ disk\ is\ not\ bootable\r +>>142 string If\ you\ wish\ to\ make\ it\ bootable +>>>176 string run\ the\ DOS\ program\ SYS\040 +>>>200 string after\ the\r +>>>>216 string system\ has\ been\ loaded\r\n +>>>>>242 string Please\ insert\ a\ DOS\ diskette\040 +>>>>>271 string into\r\n\ the\ drive\ and\040 +>>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display +# XP +>430 string NTLDR\ is\ missing\xFF\r\n +>>449 string Disk\ error\xFF\r\n +>>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader +# DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes +>>>>417 ubyte&0xDF >0 +>>>>>417 string x %-.5s +>>>>>>422 ubyte&0xDF >0 +>>>>>>>422 string x \b%-.3s +>>>>>425 ubyte&0xDF >0 +>>>>>>425 string >\ \b.%-.3s +# +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 +>>>>>>368 string x %-.5s +>>>>>>>373 ubyte&0xDF >0 +>>>>>>>>373 string x \b%-.3s +>>>>>>376 ubyte&0xDF >0 +>>>>>>>376 string x \b.%-.3s +# +>430 string NTLDR\ nicht\ gefunden\xFF\r\n +>>453 string Datentr\204gerfehler\xFF\r\n +>>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) +>>>>417 ubyte&0xDF >0 +>>>>>417 string x %-.5s +>>>>>>422 ubyte&0xDF >0 +>>>>>>>422 string x \b%-.3s +>>>>>425 ubyte&0xDF >0 +>>>>>>425 string >\ \b.%-.3s +# offset variant +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 +>>>>>>368 string x %-.5s +>>>>>>>373 ubyte&0xDF >0 +>>>>>>>>373 string x \b%-.3s +# +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Datentr\204gerfehler\xFF\r\n +>>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) +>>>>417 ubyte&0xDF >0 +>>>>>417 string x %-.5s +>>>>>>422 ubyte&0xDF >0 +>>>>>>>422 string x \b%-.3s +>>>>>425 ubyte&0xDF >0 +>>>>>>425 string >\ \b.%-.3s +# variant +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 +>>>>>>368 string x %-.5s +>>>>>>>373 ubyte&0xDF >0 +>>>>>>>>373 string x \b%-.3s +>>>>>>376 ubyte&0xDF >0 +>>>>>>>376 string x \b.%-.3s +# +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Medienfehler\xFF\r\n +>>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 +>>>>>>368 string x %-.5s +>>>>>>>373 ubyte&0xDF >0 +>>>>>>>>373 string x \b%-.3s +>>>>>>376 ubyte&0xDF >0 +>>>>>>>376 string x \b.%-.3s +# variant +>>>>417 ubyte&0xDF >0 +>>>>>417 string x %-.5s +>>>>>>422 ubyte&0xDF >0 +>>>>>>>422 string x \b%-.3s +>>>>>425 ubyte&0xDF >0 +>>>>>>425 string >\ \b.%-.3s +# +>430 string Datentr\204ger\ entfernen\xFF\r\n +>>454 string Medienfehler\xFF\r\n +>>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 +>>>>>>368 string x %-.5s +>>>>>>>373 ubyte&0xDF >0 +>>>>>>>>373 string x \b%-.3s +>>>>>>376 ubyte&0xDF >0 +>>>>>>>376 string x \b.%-.3s +# variant +>>>>417 ubyte&0xDF >0 +>>>>>417 string x %-.5s +>>>>>>422 ubyte&0xDF >0 +>>>>>>>422 string x \b%-.3s +>>>>>425 ubyte&0xDF >0 +>>>>>>425 string >\ \b.%-.3s +# + +#>3 string NTFS\ \ \ \040 +>389 string Fehler\ beim\ Lesen\040 +>>407 string des\ Datentr\204gers +>>>426 string NTLDR\ fehlt +>>>>440 string NTLDR\ ist\ komprimiert +>>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) +#>3 string NTFS\ \ \ \040 +>313 string A\ disk\ read\ error\ occurred.\r +>>345 string A\ kernel\ file\ is\ missing\040 +>>>370 string from\ the\ disk.\r +>>>>484 string NTLDR\ is\ compressed +>>>>>429 string Insert\ a\ system\ diskette\040 +>>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS +# DOS loader variants different languages,offsets +>472 ubyte&0xDF >0 +>>389 string Invalid\ system\ disk\xFF\r\n +>>>411 string Disk\ I/O\ error +>>>>428 string Replace\ the\ disk,\ and\040 +>>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader +#IO.SYS +>>>>>>472 ubyte&0xDF >0 +>>>>>>>472 string x \b %-.2s +>>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>>474 string x \b%-.5s +>>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>>479 string x \b%-.1s +>>>>>>>480 ubyte&0xDF >0 +>>>>>>>>480 string x \b.%-.3s +#MSDOS.SYS +>>>>>>>483 ubyte&0xDF >0 \b+ +>>>>>>>>483 string x \b%-.5s +>>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>>488 string x \b%-.3s +>>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>>491 string x \b.%-.3s +# +>>390 string Invalid\ system\ disk\xFF\r\n +>>>412 string Disk\ I/O\ error\xFF\r\n +>>>>429 string Replace\ the\ disk,\ and\040 +>>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader +>>388 string Ungueltiges\ System\ \xFF\r\n +>>>410 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>427 string Datentraeger\ wechseln\ und\040 +>>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) +#WINBOOT.SYS only not spaces (0xDF) +>>>>>>497 ubyte&0xDF >0 +>>>>>>>497 string x %-.5s +>>>>>>>>502 ubyte&0xDF >0 +>>>>>>>>>502 string x \b%-.1s +>>>>>>>>>>503 ubyte&0xDF >0 +>>>>>>>>>>>503 string x \b%-.1s +>>>>>>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>>>>>>504 string x \b%-.1s +>>>>>>505 ubyte&0xDF >0 +>>>>>>>505 string x \b.%-.3s +#IO.SYS +>>>>>>472 ubyte&0xDF >0 or +>>>>>>>472 string x \b %-.2s +>>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>>474 string x \b%-.5s +>>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>>479 string x \b%-.1s +>>>>>>>480 ubyte&0xDF >0 +>>>>>>>>480 string x \b.%-.3s +#MSDOS.SYS +>>>>>>>483 ubyte&0xDF >0 \b+ +>>>>>>>>483 string x \b%-.5s +>>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>>488 string x \b%-.3s +>>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>>491 string x \b.%-.3s +# +>>390 string Ungueltiges\ System\ \xFF\r\n +>>>412 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>429 string Datentraeger\ wechseln\ und\040 +>>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) +#WINBOOT.SYS only not spaces (0xDF) +>>>>>>497 ubyte&0xDF >0 +>>>>>>>497 string x %-.7s +>>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>>504 string x \b%-.1s +>>>>>>505 ubyte&0xDF >0 +>>>>>>>505 string x \b.%-.3s +#IO.SYS +>>>>>>472 ubyte&0xDF >0 or +>>>>>>>472 string x \b %-.2s +>>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>>474 string x \b%-.6s +>>>>>>>480 ubyte&0xDF >0 +>>>>>>>>480 string x \b.%-.3s +#MSDOS.SYS +>>>>>>>483 ubyte&0xDF >0 \b+ +>>>>>>>>483 string x \b%-.5s +>>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>>488 string x \b%-.3s +>>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>>491 string x \b.%-.3s +# +>>389 string Ungueltiges\ System\ \xFF\r\n +>>>411 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>428 string Datentraeger\ wechseln\ und\040 +>>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) +# DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes +>>>>>>472 string x %-.2s +>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 string x \b%-.5s +>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>479 string x \b%-.1s +>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 string x \b.%-.3s +>>>>>>483 ubyte&0xDF >0 \b+ +>>>>>>>483 string x \b%-.5s +>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>488 string x \b%-.2s +>>>>>>>>490 ubyte&0xDF >0 +>>>>>>>>>490 string x \b%-.1s +>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 string x \b.%-.3s +>479 ubyte&0xDF >0 +>>416 string Kein\ System\ oder\040 +>>>433 string Laufwerksfehler +>>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) +#IO.SYS +>>>>>479 string x \b %-.2s +>>>>>>481 ubyte&0xDF >0 +>>>>>>>481 string x \b%-.6s +>>>>>487 ubyte&0xDF >0 +>>>>>>487 string x \b.%-.3s +#MSDOS.SYS +>>>>>>490 ubyte&0xDF >0 \b+ +>>>>>>>490 string x \b%-.5s +>>>>>>>>495 ubyte&0xDF >0 +>>>>>>>>>495 string x \b%-.3s +>>>>>>>498 ubyte&0xDF >0 +>>>>>>>>498 string x \b.%-.3s +# +>376 search/41 Non-System\ disk\ or\040 +>>395 search/41 disk\ error\r +>>>407 search/41 Replace\ and\040 +>>>>419 search/41 press\ \b, +>>>>419 search/41 strike\ \b, old +>>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader +#449 Disk\ Boot\ failure\r MS 3.21 +#466 Boot\ Failure\r MS 3.30 +>>>>>468 search/18 \0 +#IO.SYS,IBMBIO.COM +>>>>>>&0 string x \b %-.2s +>>>>>>>&-20 ubyte&0xDF >0 +>>>>>>>>&-1 string x \b%-.4s +>>>>>>>>>&-16 ubyte&0xDF >0 +>>>>>>>>>>&-1 string x \b%-.2s +>>>>>>&8 ubyte&0xDF >0 \b. +>>>>>>>&-1 string x \b%-.3s +#MSDOS.SYS,IBMDOS.COM +>>>>>>&11 ubyte&0xDF >0 \b+ +>>>>>>>&-1 string x \b%-.5s +>>>>>>>>&-6 ubyte&0xDF >0 +>>>>>>>>>&-1 string x \b%-.1s +>>>>>>>>>>&-5 ubyte&0xDF >0 +>>>>>>>>>>>&-1 string x \b%-.2s +>>>>>>>&7 ubyte&0xDF >0 \b. +>>>>>>>>&-1 string x \b%-.3s +>441 string Cannot\ load\ from\ harddisk.\n\r +>>469 string Insert\ Systemdisk\040 +>>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader +#>43 string \224R-LOADER\ \ SYS =label +>54 string SYS +>>324 string VASKK +>>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) +# +>98 string Press\ a\ key\ to\ retry\0\r +>>120 string Cannot\ find\ file\ \0\r +>>>139 string Disk\ read\ error\0\r +>>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader +#DRBIOS.SYS +>>>>>44 ubyte&0xDF >0 +>>>>>>44 string x \b %-.6s +>>>>>>>50 ubyte&0xDF >0 +>>>>>>>>50 string x \b%-.2s +>>>>>>52 ubyte&0xDF >0 +>>>>>>>52 string x \b.%-.3s +# +>70 string IBMBIO\ \ COM +>>472 string Cannot\ load\ DOS!\040 +>>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader +>>471 string Cannot\ load\ DOS\040 +>>487 string press\ key\ to\ retry \b, Open-DOS Bootloader +#?? +>444 string KERNEL\ \ SYS +>>314 string BOOT\ error! \b, FREE-DOS Bootloader +>499 string KERNEL\ \ SYS +>>305 string BOOT\ err!\0 \b, Free-DOS Bootloader +>449 string KERNEL\ \ SYS +>>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader +# +>449 string Loading\ FreeDOS +>>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader +>>>497 ubyte&0xDF >0 +>>>>497 string x \b %-.6s +>>>>>503 ubyte&0xDF >0 +>>>>>>503 string x \b%-.1s +>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 string x \b%-.1s +>>>>505 ubyte&0xDF >0 +>>>>>505 string x \b.%-.3s +# +>331 string Error!.0 \b, FREE-DOS 1.0 bootloader +# +>125 string Loading\ FreeDOS...\r +>>311 string BOOT\ error!\r \b, FREE-DOS bootloader +>>>441 ubyte&0xDF >0 +>>>>441 string x \b %-.6s +>>>>>447 ubyte&0xDF >0 +>>>>>>447 string x \b%-.1s +>>>>>>>448 ubyte&0xDF >0 +>>>>>>>>448 string x \b%-.1s +>>>>449 ubyte&0xDF >0 +>>>>>449 string x \b.%-.3s +>124 string FreeDOS\0 +>>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader +# DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes +>>>497 ubyte&0xDF >0 +>>>>497 string x \b %-.6s +>>>>>503 ubyte&0xDF >0 +>>>>>>503 string x \b%-.1s +>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 string x \b%-.1s +>>>>505 ubyte&0xDF >0 +>>>>>505 string x \b.%-.3s +>>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader +>>>497 ubyte&0xDF >0 +>>>>497 string x \b %-.6s +>>>>>503 ubyte&0xDF >0 +>>>>>>503 string x \b%-.1s +>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 string x \b%-.1s +>>>>505 ubyte&0xDF >0 +>>>>>505 string x \b.%-.3s +>>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader +>>>497 ubyte&0xDF >0 +>>>>497 string x \b %-.6s +>>>>>503 ubyte&0xDF >0 +>>>>>>503 string x \b%-.1s +>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 string x \b%-.1s +>>>>505 ubyte&0xDF >0 +>>>>>505 string x \b.%-.3s +>336 string Error!\040 +>>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader +>>>497 ubyte&0xDF >0 +>>>>497 string x \b %-.6s +>>>>>503 ubyte&0xDF >0 +>>>>>>503 string x \b%-.1s +>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 string x \b%-.1s +>>>>505 ubyte&0xDF >0 +>>>>>505 string x \b.%-.3s +# added by Joerg Jenderek +# https://www.visopsys.org/ +# https://partitionlogic.org.uk/ +# OEM-ID=Visopsys +>478 ulelong 0 +>>(1.b+326) string I/O\ Error\ reading\040 +>>>(1.b+344) string Visopsys\ loader\r +>>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader +# http://alexfru.chat.ru/epm.html#bootprog +>494 ubyte >0x4D +>>495 string >E +>>>495 string <S +#OEM-ID is not reliable +>>>>3 string BootProg +# It just looks for a program file name at the root directory +# and loads corresponding file with following execution. +# DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes +>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader +>>>>>499 use DOS-filename +#If the boot sector fails to read any other sector, +#it prints a very short message ("RE") to the screen and hangs the computer. +#If the boot sector fails to find needed program in the root directory, +#it also hangs with another message ("NF"). +>>>>>492 string RENF \b, FAT (12 bit) +>>>>>495 string RENF \b, FAT (16 bit) +#If the boot sector fails to read any other sector, +#it prints a very short message ("RE") to the screen and hangs the computer. +# x86 bootloader end + +# added by Joerg Jenderek at Feb 2013 according to https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO +# and https://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector +>0 string RRaA +>>0x1E4 string rrAa \b, FSInfosector +#>>0x1FC uleshort =0 SHOULD BE ZERO +>>>0x1E8 ulelong <0xffffffff \b, %u free clusters +>>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u + +# updated by Joerg Jenderek at Sep 2007 +>3 ubyte 0 +#no active flag +>>446 ubyte 0 +# partition 1 not empty +>>>450 ubyte >0 +# partitions 3,4 empty +>>>>482 ubyte 0 +>>>>>498 ubyte 0 +# partition 2 ID=0,5,15 +>>>>>>466 ubyte <0x10 +>>>>>>>466 ubyte 0x05 \b, extended partition table +>>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) +>>>>>>>466 ubyte 0x0 \b, extended partition table (last) + +# DOS x86 sector separated and moved from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 + +>0x200 lelong 0x82564557 \b, BSD disklabel + +# by Joerg Jenderek at Apr 2013 +# Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension +# like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS +0 name DOS-filename +# space=0x20 (00100000b) means empty +>0 ubyte&0xDF >0 +>>0 ubyte x \b%c +>>>1 ubyte&0xDF >0 +>>>>1 ubyte x \b%c +>>>>>2 ubyte&0xDF >0 +>>>>>>2 ubyte x \b%c +>>>>>>>3 ubyte&0xDF >0 +>>>>>>>>3 ubyte x \b%c +>>>>>>>>>4 ubyte&0xDF >0 +>>>>>>>>>>4 ubyte x \b%c +>>>>>>>>>>>5 ubyte&0xDF >0 +>>>>>>>>>>>>5 ubyte x \b%c +>>>>>>>>>>>>>6 ubyte&0xDF >0 +>>>>>>>>>>>>>>6 ubyte x \b%c +>>>>>>>>>>>>>>>7 ubyte&0xDF >0 +>>>>>>>>>>>>>>>>7 ubyte x \b%c +# DOS filename extension +>>8 ubyte&0xDF >0 \b. +>>>8 ubyte x \b%c +>>>>9 ubyte&0xDF >0 +>>>>>9 ubyte x \b%c +>>>>>>10 ubyte&0xDF >0 +>>>>>>>10 ubyte x \b%c +# Print 2 following DOS filenames from directory entry form +# like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com +0 name 2xDOS-filename +# display 1 space +>0 ubyte x \b +>0 use DOS-filename +>11 ubyte x \b+ +>11 use DOS-filename + +# https://en.wikipedia.org/wiki/Master_boot_record#PTE +# display standard partition table +0 name partition-table +#>0 ubyte x PARTITION-TABLE +# test and display 1st til 4th partition table entry +>0 use partition-entry-test +>16 use partition-entry-test +>32 use partition-entry-test +>48 use partition-entry-test +# test for entry of partition table +0 name partition-entry-test +# partition type ID > 0 +>4 ubyte >0 +# active flag 0 +>>0 ubyte 0 +>>>0 use partition-entry +# active flag 0x80, 0x81, ... +>>0 ubyte >0x7F +>>>0 use partition-entry +# Print entry of partition table +0 name partition-entry +# partition type ID > 0 +>4 ubyte >0 \b; partition +>>64 leshort 0xAA55 1 +>>48 leshort 0xAA55 2 +>>32 leshort 0xAA55 3 +>>16 leshort 0xAA55 4 +>>4 ubyte x : ID=%#x +>>0 ubyte&0x80 0x80 \b, active +>>0 ubyte >0x80 %#x +>>1 ubyte x \b, start-CHS ( +>>1 use partition-chs +>>5 ubyte x \b), end-CHS ( +>>5 use partition-chs +>>8 ulelong x \b), startsector %u +>>12 ulelong x \b, %u sectors +# Print cylinder,head,sector (CHS) of partition entry +0 name partition-chs +# cylinder +>1 ubyte x \b0x +>1 ubyte&0xC0 0x40 \b1 +>1 ubyte&0xC0 0x80 \b2 +>1 ubyte&0xC0 0xC0 \b3 +>2 ubyte x \b%x +# head +>0 ubyte x \b,%u +# sector +>1 ubyte&0x3F x \b,%u + +# FATX +0 string FATX FATX filesystem data + +# romfs filesystems - Juan Cespedes <cespedes@debian.org> +0 string -rom1fs- romfs filesystem, version 1 +>8 belong x %d bytes, +>16 string x named %s. + +# netboot image - Juan Cespedes <cespedes@debian.org> +0 lelong 0x1b031336L Netboot image, +>4 lelong&0xFFFFFF00 0 +>>4 lelong&0x100 0x000 mode 2 +>>4 lelong&0x100 0x100 mode 3 +>4 lelong&0xFFFFFF00 !0 unknown mode + +0x18b string OS/2 OS/2 Boot Manager + +# updated by Joerg Jenderek at Oct 2008 and Sep 2012 +# https://syslinux.zytor.com/iso.php +# tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05 +# assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop +0 ulequad&0x909000007cc0eafa 0x909000007c40eafa +>631 search/689 ISOLINUX\ isolinux Loader +>>&0 string x (version %-4.4s) +# https://syslinux.zytor.com/pxe.php +# assembler instructions: jmp 7C05 +0 ulelong 0x007c05ea pxelinux loader (version 2.13 or older) +# assembler instructions: pushfd;pushad +0 ulelong 0x60669c66 pxelinux loader +# assembler instructions: jmp 05 +0 ulelong 0xc00005ea pxelinux loader (version 3.70 or newer) +# https://syslinux.zytor.com/wiki/index.php/SYSLINUX +0 string LDLINUX\ SYS\ SYSLINUX loader +>12 string x (older version %-4.4s) +0 string \r\nSYSLINUX\ SYSLINUX loader +>11 string x (version %-4.4s) +# syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 +# assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" +0 ulelong&0x80909bEB 0x009018EB +# OEM-ID not always "SYSLINUX" +>434 search/47 Boot\ failed +# followed by \r\n\0 or :\ +>>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older) +>>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) +>459 search/30 Boot\ error\r\n\0 +>>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) +# SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 +# assembler instructions: mov di,0600h;mov cx,0100h +16 search/4 \xbf\x00\x06\xb9\x00\x01 +# to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21) +!:strength +36 +>94 search/249 Missing\ operating\ system +# followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other +# skip Ranish MBR +>>408 search/4 HD1/\0 +>>408 default x +>>>250 search/118 \0Operating\ system\ load SYSLINUX MBR +# followed by "ing " or space +>>>>292 search/98 error +>>>>>&0 string \r (version 3.35 or older) +>>>>>&0 string .\r (version 3.52 or newer) +>>>>>&0 default x (version 3.36-3.51 ) +>368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR +>>156 search/10 \0Boot\ partition\ not\ found\r\n +>>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older) +>>174 search/10 \0Missing\ OS\r\n +>>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer) +# SYSLINUX END + +# NetBSD mbr variants (master-boot-code version 1.22) added by Joerg Jenderek at Nov 2012 +# assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax, +0 ubequad 0x31c08ed0bc007c8e +# mbr_bootsel magic before partition table not reliable with small ipl fragments +#>444 uleshort 0xb5e1 +>0004 uleshort x +# ERRorTeXT +>>181 search/166 Error\ \0\r\n NetBSD mbr +# NT Drive Serial Number https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS +>>>0x1B8 ubelong >0 \b,Serial %#-.8x +# BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx +>>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector +# BOOT_EXTENDED definitions contains assembler instructions: +# xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13 +>>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended +# COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al +>>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO +# not TERSE_ERROR +>>>196 search/106 No\ active\ partition\0 +>>>>&0 string Disk\ read\ error\0 +>>>>>&0 string No\ operating\ system\0 \b,verbose +# not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13 +>>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS +# not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13 +>>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check +# assembler instructions: movw nametab,bx +>>>0x26 search/21 \xBB\x94\x07 +# not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf +>>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 +>>>>>181 search/166 Error\ \0 +# "a: disk" , "Fn: diskn" or "NetBSD MBR boot" +>>>>>>&3 string x \b,"%s" +>>>446 use partition-table +# Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html +# added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 +# assembler instructions: jmp short 0x58;nop;ASCII +0 ubequad&0xeb58908000000000 0xeb58900000000000 +# assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss, +>(1.b+2) ubequad 0xfa31c08ed88ec08e +# Error messages at end of code +>>376 string No\ operating\ system\r\n\0 +>>>398 string Disk\ error\r\n\0FDD\0HDD\0 +>>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr + +# Neil Turton mbr loader variant of https://www.chiark.greenend.org.uk/~neilt/mbr/ +# added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11 +# for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI, +# or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS, +0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC +# pointer to the data starting with Neil Turton signature string +>(0x1BC.s) string NDTmbr +>>&-14 string 1234F\0 Turton mbr ( +# parameters also viewed by install-mbr --list +>>>(0x1BC.s+7) ubyte x \b%u<= +>>>(0x1BC.s+9) ubyte x \bVersion<=%u +#>>>(0x1BC.s+8) ubyte x asm_flag_%x +>>>(0x1BC.s+8) ubyte&1 1 \b,Y2K-Fix +# variant used by testdisk of https://www.cgsecurity.org/wiki/Menu_MBRCode +>>>(0x1BC.s+8) ubyte&2 2 \b,TestDisk +#0x1~1,..,0x8~4,0x10~F,0x80~A enabled +#>>>(0x1BC.s+10) ubyte x \b,flags %#x +#0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot +#>>>(0x1BC.s+11) ubyte x \b,cfg_def %#x +# for older versions +>>>(0x1BC.s+9) ubyte <2 +#>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds +>>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds +# floppy A: or B: +>>>>(0x1BC.s+13) ubyte <2 \b,floppy %#x +>>>>(0x1BC.s+13) ubyte >1 +# 1st hard disc +#>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive %#x +# not 1st hard disc +>>>>>(0x1BC.s+13) ubyte !0x80 \b,drive %#x +# for version >= 2 maximal timeout can be 65534 +>>>(0x1BC.s+9) ubyte >1 +#>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds +>>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds +# floppy A: or B: +>>>>(0x1BC.s+14) ubyte <2 \b,floppy %#x +>>>>(0x1BC.s+14) ubyte >1 +# 1st hard disc +#>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive %#x +# not 1st hard disc +>>>>>(0x1BC.s+14) ubyte !0x80 \b,drive %#x +>>>0 ubyte x \b) + +# added by Joerg Jenderek +# In the second sector (+0x200) are variables according to grub-0.97/stage2/asm.S or +# grub-1.94/kern/i386/pc/startup.S +# https://www.gnu.org/software/grub/manual/grub.html#Embedded-data +# usual values are marked with comments to get only information of strange GRUB loaders +0x200 uleshort 0x70EA +# found only version 3.{1,2} +>0x206 ubeshort >0x0300 +# GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00" +>>0x212 ubyte >0x29 +>>>0x213 ubyte >0x29 +# not iso9660_stage1_5 +#>>>0 ulelong&0x00BE5652 0x00BE5652 +>>>>0x213 ubyte >0x29 GRand Unified Bootloader +# config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2" +>>>>0x217 ubyte 0xFF stage1_5 +>>>>0x217 ubyte <0xFF stage2 +>>>>0x206 ubyte x \b version %u +>>>>0x207 ubyte x \b.%u +# module_size for 1.94 +>>>>0x208 ulelong <0xffffff \b, installed partition %u +#>>>>0x208 ulelong =0xffffff \b, %lu (default) +>>>>0x208 ulelong >0xffffff \b, installed partition %u +# GRUB 0.5.95 unofficial +>>>>0x20C ulelong&0x2E300000 0x2E300000 +# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs +>>>>>0x20C ubyte x \b, identifier %#x +#>>>>>0x20D ubyte =0 \b, LBA flag %#x (default) +>>>>>0x20D ubyte >0 \b, LBA flag %#x +# GRUB version as string +>>>>>0x20E string >\0 \b, GRUB version %-s +# for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default +>>>>>>0x215 ulong 0xffffffff +>>>>>>>0x219 string >\0 \b, configuration file %-s +>>>>>>0x215 ulong !0xffffffff +>>>>>>>0x215 string >\0 \b, configuration file %-s +# newer GRUB versions +>>>>0x20C ulelong&0x2E300000 !0x2E300000 +##>>>>>0x20C ulelong =0 \b, saved entry %d (usual) +>>>>>0x20C ulelong >0 \b, saved entry %d +# for 1.94 contains kernel image size +# for 0.93,0.94,0.96,0.97 +# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 +>>>>>0x210 ubyte x \b, identifier %#x +# The flag for LBA forcing is in most cases 0 +#>>>>>0x211 ubyte =0 \b, LBA flag %#x (default) +>>>>>0x211 ubyte >0 \b, LBA flag %#x +# GRUB version as string +>>>>>0x212 string >\0 \b, GRUB version %-s +# for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default +>>>>>0x217 ulong 0xffffffff +>>>>>>0x21b string >\0 \b, configuration file %-s +>>>>>0x217 ulong !0xffffffff +>>>>>>0x217 string >\0 \b, configuration file %-s + +# DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 +# JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 +# over BIOS parameter block (BPB) +# https://thestarman.pcministry.com/asm/2bytejumps.htm#FWD +# older drives may use Near JuMP instruction E9 xx xx +# minimal short forward jump found 0x29 for bootloaders or 0x0 +# maximal short forward jump is 0x7f +# OEM-ID is empty or contain readable bytes +0 ulelong&0x804000E9 0x000000E9 +!:strength +60 +# mtools-3.9.8/msdos.h +# usual values are marked with comments to get only information of strange FAT systems +# valid sectorsize must be a power of 2 from 32 to 32768 +>11 uleshort&0x001f 0 +>>11 uleshort <32769 +>>>11 uleshort >31 +>>>>21 ubyte&0xf0 0xF0 +>>>>>0 ubyte 0xEB DOS/MBR boot sector +>>>>>>1 ubyte x \b, code offset %#x+2 +>>>>>0 ubyte 0xE9 +>>>>>>1 uleshort x \b, code offset %#x+3 +>>>>>3 string >\0 \b, OEM-ID "%-.8s" +#http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC +>>>>>>8 string IHC \b cached by Windows 9M +>>>>>11 uleshort >512 \b, Bytes/sector %u +#>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual) +>>>>>11 uleshort <512 \b, Bytes/sector %u +>>>>>13 ubyte >1 \b, sectors/cluster %u +#>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) +# for lazy FAT32 implementation like Transcend digital photo frame PF830 +>>>>>82 string/c fat32 +>>>>>>14 uleshort !32 \b, reserved sectors %u +#>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) +>>>>>82 string/c !fat32 +>>>>>>14 uleshort >1 \b, reserved sectors %u +#>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) +#>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) +>>>>>16 ubyte >2 \b, FATs %u +#>>>>>16 ubyte =2 \b, FATs %u (usual) +>>>>>16 ubyte =1 \b, FAT %u +>>>>>16 ubyte >0 +>>>>>17 uleshort >0 \b, root entries %u +#>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) +>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) +#>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) +>>>>>21 ubyte >0xF0 \b, Media descriptor %#x +#>>>>>21 ubyte =0xF0 \b, Media descriptor %#x (usual floppy) +>>>>>21 ubyte <0xF0 \b, Media descriptor %#x +>>>>>22 uleshort >0 \b, sectors/FAT %u +#>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32) +>>>>>24 uleshort x \b, sectors/track %u +>>>>>26 ubyte >2 \b, heads %u +#>>>>>26 ubyte =2 \b, heads %u (usual floppy) +>>>>>26 ubyte =1 \b, heads %u +# valid only for sector sizes with more then 32 Bytes +>>>>>11 uleshort >32 +# https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block +# skip for values 2,2Ah,70h,73h,DFh +# and continue for extended boot signature values 0,28h,29h,80h +>>>>>>38 ubyte&0x56 =0 +>>>>>>>28 ulelong >0 \b, hidden sectors %u +#>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) +>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) +#>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) +# FAT<32 bit specific +>>>>>>>82 string/c !fat32 +#>>>>>>>>36 ubyte 0x80 \b, physical drive %#x=0x80 (usual harddisk) +#>>>>>>>>36 ubyte 0 \b, physical drive %#x=0 (usual floppy) +>>>>>>>>36 ubyte !0x80 +>>>>>>>>>36 ubyte !0 \b, physical drive %#x +# VGA-copy CRC or +# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too +>>>>>>>>37 ubyte >0 \b, reserved %#x +#>>>>>>>>37 ubyte =0 \b, reserved %#x +# extended boot signature value is 0x80 for NTFS, 0x28 or 0x29 for others +>>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (%#x) +>>>>>>>>38 ubyte&0xFE =0x28 +>>>>>>>>>39 ulelong x \b, serial number %#x +>>>>>>>>38 ubyte =0x29 +>>>>>>>>>43 string <NO\ NAME \b, label: "%11.11s" +>>>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" +>>>>>>>>>43 string =NO\ NAME \b, unlabeled +# there exist some old floppies without word FAT at offset 54 +# a word like "FATnm " is only a hint for a FAT size on nm-bits +# Normally the number of clusters is calculated by the values of BPP. +# if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, +# otherwise FAT is 16 bit. +# http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html +>>>>>82 string/c !fat32 +>>>>>>54 string FAT12 \b, FAT (12 bit) +>>>>>>54 string FAT16 \b, FAT (16 bit) +>>>>>>54 default x +# determinate FAT bit size by media descriptor +# small floppies implies FAT12 +>>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) +# with media descriptor F0h floppy or maybe superfloppy with FAT16 +>>>>>>>21 ubyte =0xF0 +# superfloppy (many sectors) implies FAT16 +>>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) +# no superfloppy with media descriptor F0h implies FAT12 +>>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) +# with media descriptor F8h floppy or hard disc with FAT12 or FAT16 +>>>>>>>21 ubyte =0xF8 +# 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 +>>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) +# hard disc with FAT12 or FAT16 +>>>>>>>>19 default x \b, FAT (1Y bit by descriptor) +# with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc +>>>>>>>21 ubyte =0xFA +# 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 +>>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) +# RAM disc with FAT12 or FAT16 or Tandy hard disc +>>>>>>>>19 default x \b, FAT (1Y bit by descriptor) +# others are floppy +>>>>>>>21 default x \b, FAT (12 bit by descriptor) +# FAT32 bit specific +>>>>>82 string/c fat32 \b, FAT (32 bit) +>>>>>>36 ulelong x \b, sectors/FAT %u +# https://technet.microsoft.com/en-us/library/cc977221.aspx +>>>>>>40 uleshort >0 \b, extension flags %#x +#>>>>>>40 uleshort =0 \b, extension flags %hu +>>>>>>42 uleshort >0 \b, fsVersion %u +#>>>>>>42 uleshort =0 \b, fsVersion %u (usual) +>>>>>>44 ulelong >2 \b, rootdir cluster %u +#>>>>>>44 ulelong =2 \b, rootdir cluster %u +#>>>>>>44 ulelong =1 \b, rootdir cluster %u +>>>>>>48 uleshort >1 \b, infoSector %u +#>>>>>>48 uleshort =1 \b, infoSector %u (usual) +>>>>>>48 uleshort <1 \b, infoSector %u +# 0 or 0xFFFF instead of usual 6 means no backup sector +>>>>>>50 uleshort =0xFFFF \b, no Backup boot sector +>>>>>>50 uleshort =0 \b, no Backup boot sector +#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) +>>>>>>50 default x +>>>>>>>50 uleshort x \b, Backup boot sector %u +# corrected by Joerg Jenderek at Feb 2011 according to https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO +>>>>>>52 ulelong >0 \b, reserved1 %#x +>>>>>>56 ulelong >0 \b, reserved2 %#x +>>>>>>60 ulelong >0 \b, reserved3 %#x +# same structure as FAT1X +#>>>>>>64 ubyte =0x80 \b, physical drive %#x=80 (usual harddisk) +#>>>>>>64 ubyte =0 \b, physical drive %#x=0 (usual floppy) +>>>>>>64 ubyte !0x80 +>>>>>>>64 ubyte >0 \b, physical drive %#x +# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too +>>>>>>65 ubyte >0 \b, reserved %#x +>>>>>>66 ubyte !0x29 \b, dos < 4.0 BootSector (%#x) +>>>>>>66 ubyte =0x29 +>>>>>>>67 ulelong x \b, serial number %#x +>>>>>>>71 string <NO\ NAME \b, label: "%11.11s" +>>>>>>>71 string >NO\ NAME \b, label: "%11.11s" +>>>>>>>71 string =NO\ NAME \b, unlabeled +# additional tests for floppy image added by Joerg Jenderek +# no fixed disk +>>>>>21 ubyte !0xF8 +# floppy media with 12 bit FAT +>>>>>>54 string !FAT16 +# test for FAT after bootsector +>>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT +# floppy image +!:mime application/x-ima +# NTFS specific added by Joerg Jenderek at Mar 2011 according to https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm +# and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html +# 0 FATs +>>>>>16 ubyte =0 +# 0 root entries +>>>>>>17 uleshort =0 +# 0 DOS sectors +>>>>>>>19 uleshort =0 +# 0 sectors/FAT +# dos < 4.0 BootSector value found is 0x80 +#38 ubyte =0x80 \b, dos < 4.0 BootSector (%#x) +>>>>>>>>22 uleshort =0 \b; NTFS +>>>>>>>>>24 uleshort >0 \b, sectors/track %u +>>>>>>>>>36 ulelong !0x800080 \b, physical drive %#x +>>>>>>>>>40 ulequad >0 \b, sectors %lld +>>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld +>>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld +# Values 0 to 127 represent MFT record sizes of 0 to 127 clusters. +# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. +>>>>>>>>>64 lelong <256 +>>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d +>>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) +# Values 0 to 127 represent index block sizes of 0 to 127 clusters. +# Values 128 to 255 represent index block sizes of 2^(256-N) byte +>>>>>>>>>68 ulelong <256 +>>>>>>>>>>68 ulelong <128 \b, clusters/index block %d +#>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) +>>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) +>>>>>>>>>72 ulequad x \b, serial number 0%llx +>>>>>>>>>80 ulelong >0 \b, checksum %#x +#>>>>>>>>>80 ulelong =0 \b, checksum %#x=0 (usual) +# unicode loadername size jump +>>>>>>>>>(0x200.s*2) ubyte x +# in next sector loadername terminated by unicode CTRL-D and $ +>>>>>>>>>>&0x1FF ulequad&0x0000FFffFFffFF00 0x0000002400040000 \b; contains +# if 2nd NTFS sectors is found then assume whole filesystem +#!:mime application/x-raw-disk-image +!:ext img/bin/ntfs +>>>>>>>>>>>0x200 use ntfs-sector2 + +# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013, Mar 2019 +# https://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm +# unused assembler instructions short JMP y2;NOP;NOP +0x056 ulelong&0xFFFF0FFF 0x909002EB NTFS +#!:mime application/octet-stream +!:ext bin +>0 use ntfs-sector2 +# https://memory.dataram.com/products-and-services/software/ramdisk +# assembler instructions JMP C000;NOP +0x056 ulelong 0x9000c0e9 NTFS +#!:mime application/octet-stream +!:ext bin +>0 use ntfs-sector2 +# check for characteristics of second NTFS sector and then display loader name +0 name ntfs-sector2 +# number of utf16 characters of loadername +>0 uleshort <8 +# unused assembler instructions JMP y2;NOP;NOP or JMP C000;NOP +>>0x056 ulelong&0xFF0000FD 0x900000E9 +# loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR +>>>0x002 lestring16 x bootstrap %-5.5s +# check for 7 character length of loader name like BOOTMGR +>>>0 uleshort 7 +>>>>0x0c lestring16 x \b%-2.2s +### DOS,NTFS boot sectors end + +# ntfsclone-image is a special save format for NTFS volumes, +# created and restored by the ntfsclone program +0 string \0ntfsclone-image ntfsclone image, +>0x10 byte x version %d. +>0x11 byte x \b%d, +>0x12 lelong x cluster size %d, +>0x16 lequad x device size %lld, +>0x1e lequad x %lld total clusters, +>0x26 lequad x %lld clusters in use + + +0 name ffsv1 +>8404 string x last mounted on %s, +#>9504 ledate x last checked at %s, +>8224 ledate x last written at %s, +>8401 byte x clean flag %d, +>8228 lelong x number of blocks %d, +>8232 lelong x number of data blocks %d, +>8236 lelong x number of cylinder groups %d, +>8240 lelong x block size %d, +>8244 lelong x fragment size %d, +>8252 lelong x minimum percentage of free blocks %d, +>8256 lelong x rotational delay %dms, +>8260 lelong x disk rotational speed %drps, +>8320 lelong 0 TIME optimization +>8320 lelong 1 SPACE optimization + +9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), +>0 use ffsv1 + +9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), +>7168 belong 0x4c41424c Apple UFS Volume +>>7186 string x named %s, +>>7176 belong x volume label version %d, +>>7180 bedate x created on %s, +>0 use \^ffsv1 + +0 name ffsv2 +>212 string x last mounted on %s, +>680 string >\0 volume name %s, +>1072 leqldate x last written at %s, +>209 byte x clean flag %d, +>210 byte x readonly flag %d, +>1080 lequad x number of blocks %lld, +>1088 lequad x number of data blocks %lld, +>44 lelong x number of cylinder groups %d, +>48 lelong x block size %d, +>52 lelong x fragment size %d, +>1196 lelong x average file size %d, +>1200 lelong x average number of files in dir %d, +>1104 lequad x pending blocks to free %lld, +>1112 lelong x pending inodes to free %d, +>712 lequad x system-wide uuid %0llx, +>60 lelong x minimum percentage of free blocks %d, +>128 lelong 0 TIME optimization +>128 lelong 1 SPACE optimization + +42332 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use ffsv2 + +42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>40960 use ffsv2 + +42332 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use \^ffsv2 + +42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) +>40960 use \^ffsv2 + +66908 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use ffsv2 + +66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>65536 use ffsv2 + +66908 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use \^ffsv2 + +66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) +>65536 use \^ffsv2 + +0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), +>0x90 lelong+1 x volume %d +>0x94 lelong x (of %d), +>0x50 string x name %s, +>0x98 ulelong x version %u, +>0xa0 ulelong x flags %#x + +0 ulequad 0x48414d3205172011 HAMMER2 filesystem (little-endian), +>0x3b byte x volume %d, +>0x28 ulequad/1073741824 x size %lluGB, +>0x30 ulelong x version %u, +>0x34 ulelong x flags %#x + +# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca> +# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net> +# volume label and UUID Russell Coker +# https://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ +0x438 leshort 0xEF53 Linux +>0x44c lelong x rev %d +>0x43e leshort x \b.%d +# No journal? ext2 +>0x45c lelong ^0x0000004 ext2 filesystem data +>>0x43a leshort ^0x0000001 (mounted or unclean) +# Has a journal? ext3 or ext4 +>0x45c lelong &0x0000004 +# and small INCOMPAT? +>>0x460 lelong <0x0000040 +# and small RO_COMPAT? +>>>0x464 lelong <0x0000008 ext3 filesystem data +# else large RO_COMPAT? +>>>0x464 lelong >0x0000007 ext4 filesystem data +# else large INCOMPAT? +>>0x460 lelong >0x000003f ext4 filesystem data +>0x468 ubelong x \b, UUID=%08x +>0x46c ubeshort x \b-%04x +>0x46e ubeshort x \b-%04x +>0x470 ubeshort x \b-%04x +>0x472 ubelong x \b-%08x +>0x476 ubeshort x \b%04x +>0x478 string >0 \b, volume name "%s" +# General flags for any ext* fs +>0x460 lelong &0x0000004 (needs journal recovery) +>0x43a leshort &0x0000002 (errors) +# INCOMPAT flags +>0x460 lelong &0x0000001 (compressed) +#>0x460 lelong &0x0000002 (filetype) +#>0x460 lelong &0x0000010 (meta bg) +>0x460 lelong &0x0000040 (extents) +>0x460 lelong &0x0000080 (64bit) +#>0x460 lelong &0x0000100 (mmp) +#>0x460 lelong &0x0000200 (flex bg) +# RO_INCOMPAT flags +#>0x464 lelong &0x0000001 (sparse super) +>0x464 lelong &0x0000002 (large files) +>0x464 lelong &0x0000008 (huge files) +#>0x464 lelong &0x0000010 (gdt checksum) +#>0x464 lelong &0x0000020 (many subdirs) +#>0x463 lelong &0x0000040 (extra isize) + +# f2fs filesystem - Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> +0x400 lelong 0xF2F52010 F2FS filesystem +>0x46c ubelong x \b, UUID=%08x +>0x470 ubeshort x \b-%04x +>0x472 ubeshort x \b-%04x +>0x474 ubeshort x \b-%04x +>0x476 ubelong x \b-%08x +>0x47a ubeshort x \b%04x +>0x147c lestring16 x \b, volume name "%s" + +# Minix filesystems - Juan Cespedes <cespedes@debian.org> +0x410 leshort 0x137f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1, 14 char names, %d zones +>0x1e string minix \b, bootable +0x410 beshort 0x137f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1 (big endian), %d zones +>0x1e string minix \b, bootable +0x410 leshort 0x138f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1, 30 char names, %d zones +>0x1e string minix \b, bootable +0x410 beshort 0x138f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1, 30 char names (big endian), %d zones +>0x1e string minix \b, bootable +# Weak Magic: this is $x +#0x410 leshort 0x2468 +#>0x402 beshort < 100 +#>>0x402 beshort > -1 Minix filesystem, V2, 14 char names +#>0x1e string minix \b, bootable +#0x410 beshort 0x2468 +#>0x402 beshort < 100 +#>0x402 beshort > -1 Minix filesystem, V2 (big endian) +#>0x1e string minix \b, bootable +#0x410 leshort 0x2478 +#>0x402 beshort < 100 +#>0x402 beshort > -1 Minix filesystem, V2, 30 char names +#>0x1e string minix \b, bootable +#0x410 leshort 0x2478 +#>0x402 beshort < 100 +#>0x402 beshort > -1 Minix filesystem, V2, 30 char names +#>0x1e string minix \b, bootable +#0x410 beshort 0x2478 +#>0x402 beshort !0 Minix filesystem, V2, 30 char names (big endian) +#>0x1e string minix \b, bootable +# Weak Magic! this is MD +#0x418 leshort 0x4d5a +#>0x402 beshort <100 +#>>0x402 beshort > -1 Minix filesystem, V3, 60 char names + +# SGI disk labels - Nathan Scott <nathans@debian.org> +0 belong 0x0BE5A941 SGI disk label (volume header) + +# SGI XFS filesystem - Nathan Scott <nathans@debian.org> +0 belong 0x58465342 SGI XFS filesystem data +>0x4 belong x (blksz %d, +>0x68 beshort x inosz %d, +>0x64 beshort ^0x2004 v1 dirs) +>0x64 beshort &0x2004 v2 dirs) + +############################################################################ +# Minix-ST kernel floppy +0x800 belong 0x46fc2700 Atari-ST Minix kernel image +# https://en.wikipedia.org/wiki/BIOS_parameter_block +# floppies with valid BPB and any instruction at beginning +>19 string \240\005\371\005\0\011\0\2\0 \b, 720k floppy +>19 string \320\002\370\005\0\011\0\1\0 \b, 360k floppy + +############################################################################ +# Hmmm, is this a better way of detecting _standard_ floppy images ? +19 string \320\002\360\003\0\011\0\1\0 DOS floppy 360k +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector +19 string \240\005\371\003\0\011\0\2\0 DOS floppy 720k +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector +19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector + +19 string \240\005\371\005\0\011\0\2\0 DOS floppy 720k, IBM +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector +19 string \100\013\371\005\0\011\0\2\0 DOS floppy 1440k, mkdosfs +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector + +19 string \320\002\370\005\0\011\0\1\0 Atari-ST floppy 360k +19 string \240\005\371\005\0\011\0\2\0 Atari-ST floppy 720k +# | | | | | +# | | | | heads +# | | | sectors/track +# | | sectors/FAT +# | media descriptor +# BPB: sectors + +# Valid media descriptor bytes for MS-DOS: +# +# Byte Capacity Media Size and Type +# ------------------------------------------------- +# +# F0 2.88 MB 3.5-inch, 2-sided, 36-sector +# F0 1.44 MB 3.5-inch, 2-sided, 18-sector +# F9 720K 3.5-inch, 2-sided, 9-sector +# F9 1.2 MB 5.25-inch, 2-sided, 15-sector +# FD 360K 5.25-inch, 2-sided, 9-sector +# FF 320K 5.25-inch, 2-sided, 8-sector +# FC 180K 5.25-inch, 1-sided, 9-sector +# FE 160K 5.25-inch, 1-sided, 8-sector +# FE 250K 8-inch, 1-sided, single-density +# FD 500K 8-inch, 2-sided, single-density +# FE 1.2 MB 8-inch, 2-sided, double-density +# F8 ----- Fixed disk +# +# FC xxxK Apricot 70x1x9 boot disk. +# +# Originally a bitmap: +# xxxxxxx0 Not two sided +# xxxxxxx1 Double sided +# xxxxxx0x Not 8 SPT +# xxxxxx1x 8 SPT +# xxxxx0xx Not Removable drive +# xxxxx1xx Removable drive +# 11111xxx Must be one. +# +# But now it's rather random: +# 111111xx Low density disk +# 00 SS, Not 8 SPT +# 01 DS, Not 8 SPT +# 10 SS, 8 SPT +# 11 DS, 8 SPT +# +# 11111001 Double density 3 1/2 floppy disk, high density 5 1/4 +# 11110000 High density 3 1/2 floppy disk +# 11111000 Hard disk any format +# + +# all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 +# https://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions +# Too Weak. +#512 ubelong&0xE0ffff00 0xE0ffff00 +# without valid Media descriptor in place of BPB, cases with are done at other places +#>21 ubyte <0xE5 floppy with old FAT filesystem +# but valid Media descriptor at begin of FAT +#>>512 ubyte =0xed 720k +#>>512 ubyte =0xf0 1440k +#>>512 ubyte =0xf8 720k +#>>512 ubyte =0xf9 1220k +#>>512 ubyte =0xfa 320k +#>>512 ubyte =0xfb 640k +#>>512 ubyte =0xfc 180k +# look like an old DOS directory entry +#>>>0xA0E ubequad 0 +#>>>>0xA00 ubequad !0 +#!:mime application/x-ima +#>>512 ubyte =0xfd +# look for 2nd FAT at different location to distinguish between 360k and 500k +#>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k +#>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k +#>>>0xA0E ubequad 0 +#!:mime application/x-ima +#>>512 ubyte =0xfe +#>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k +#>>>>0x60E ubequad 0 +#>>>>>0x600 ubequad !0 +#!:mime application/x-ima +#>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k +#>>512 ubyte =0xff 320k +#>>>0x60E ubequad 0 +#>>>>0x600 ubequad !0 +#!:mime application/x-ima +#>>512 ubyte x \b, Media descriptor %#x +# without x86 jump instruction +#>>0 ulelong&0x804000E9 !0x000000E9 +# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV +#>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader +# IOSYS.COM+MSDOS.COM +#>>>>0xc4 use 2xDOS-filename +#>>0 ulelong&0x804000E9 =0x000000E9 +# only x86 short jump instruction found +#>>>0 ubyte =0xEB +#>>>>1 ubyte x \b, code offset %#x+2 +# https://thestarman.pcministry.com/DOS/ibm100/Boot.htm +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 +#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader +# ibmbio.com+ibmdos.com +#>>>>>0x176 use DOS-filename +#>>>>>0x181 ubyte x \b+ +#>>>>>0x182 use DOS-filename +# https://thestarman.pcministry.com/DOS/ibm110/Boot.htm +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV +#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader +# ibmbio.com+ibmdos.com +#>>>>>0x18b use DOS-filename +#>>>>>0x196 ubyte x \b+ +#>>>>>0x197 use DOS-filename +# https://en.wikipedia.org/wiki/Zenith_Data_Systems +# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 +#>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader +# IO.SYS+MSDOS.SYS +#>>>>>0x20 use 2xDOS-filename +# https://en.wikipedia.org/wiki/Corona_Data_Systems +# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; +#>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader +# IO.SYS+MSDOS.SYS +#>>>>>0x69 use 2xDOS-filename +# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; +#>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader +# defect IO.SYS+MSDOS.SYS ? +#>>>>>0x162 use 2xDOS-filename + +0 name cdrom +>38913 string !NSR0 ISO 9660 CD-ROM filesystem data +!:mime application/x-iso9660-image +!:ext iso/iso9660 +>38913 string NSR0 UDF filesystem data +!:mime application/x-iso9660-image +!:ext iso/udf +>>38917 string 1 (version 1.0) +>>38917 string 2 (version 1.5) +>>38917 string 3 (version 2.0) +>>38917 byte >0x33 (unknown version, ID %#X) +>>38917 byte <0x31 (unknown version, ID %#X) +# The next line is not necessary because the MBR staff is done looking for boot signature +>0x1FE leshort 0xAA55 (DOS/MBR boot sector) +# "application id" which appears to be used as a volume label +>32808 string/T >\0 '%.32s' +>34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) +37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) +!:mime application/x-iso9660-image +32777 string CDROM High Sierra CD-ROM filesystem data +# "application id" which appears to be used as a volume label +>32816 string/T >\0 '%.32s' + + +# CDROM Filesystems +# https://en.wikipedia.org/wiki/ISO_9660 +# Modified for UDF by gerardo.cacciari@gmail.com +32769 string CD001 +# mime line at that position does not work +# to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51) +#!:strength -11 +# to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51) +!:strength +35 +>0 use cdrom + +# URL: https://en.wikipedia.org/wiki/NRG_(file_format) +# Reference: https://dl.opendesktop.org/api/files/download/id/1460731811/ +# 11577-mount-iso-0.9.5.tar.bz2/mount-iso-0.9.5/install.sh +# From: Joerg Jenderek +# Note: Only for nero disc with once (DAO) type after 300 KB header +339969 string CD001 Nero CD image at 0x4B000 +!:mime application/x-nrg +!:ext nrg +>307200 use cdrom + +# .cso files +# Reference: https://pismotec.com/ciso/ciso.h +# NOTE: There are two other formats with the same magic but +# completely incompatible specifications: +# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h +# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h +0 string CISO +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - 0x10 == 0x00004000: For >2GB files using maxcso... +# https://github.com/unknownbrackets/maxcso/issues/26 +# - None of the above: Compact ISO. +>4 lelong !0 +>>4 lelong !0x200000 +>>>16 lelong !0x800 +>>>>16 lelong !0x4000 Compressed ISO CD image + +# cramfs filesystem - russell@coker.com.au +0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian +>4 lelong x size %u +>8 lelong &1 version #2 +>8 lelong &2 sorted_dirs +>8 lelong &4 hole_support +>32 lelong x CRC %#x, +>36 lelong x edition %u, +>40 lelong x %u blocks, +>44 lelong x %u files + +0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian +>4 belong x size %u +>8 belong &1 version #2 +>8 belong &2 sorted_dirs +>8 belong &4 hole_support +>32 belong x CRC %#x, +>36 belong x edition %u, +>40 belong x %u blocks, +>44 belong x %u files + +# reiserfs - russell@coker.com.au +0x10034 string ReIsErFs ReiserFS V3.5 +0x10034 string ReIsEr2Fs ReiserFS V3.6 +0x10034 string ReIsEr3Fs ReiserFS V3.6.19 +>0x1002c leshort x block size %d +>0x10032 leshort &2 (mounted or unclean) +>0x10000 lelong x num blocks %d +>0x10040 lelong 1 tea hash +>0x10040 lelong 2 yura hash +>0x10040 lelong 3 r5 hash + +# EST flat binary format (which isn't, but anyway) +# From: Mark Brown <broonie@sirena.org.uk> +0 string ESTFBINR EST flat binary + +# Aculab VoIP firmware +# From: Mark Brown <broonie@sirena.org.uk> +0 string VoIP\ Startup\ and Aculab VoIP firmware +>35 string x format %s + +# From: Mark Brown <broonie@sirena.org.uk> [old] +# From: Behan Webster <behanw@websterwood.com> +0 belong 0x27051956 u-boot legacy uImage, +>32 string x %s, +>28 byte 0 Invalid os/ +>28 byte 1 OpenBSD/ +>28 byte 2 NetBSD/ +>28 byte 3 FreeBSD/ +>28 byte 4 4.4BSD/ +>28 byte 5 Linux/ +>28 byte 6 SVR4/ +>28 byte 7 Esix/ +>28 byte 8 Solaris/ +>28 byte 9 Irix/ +>28 byte 10 SCO/ +>28 byte 11 Dell/ +>28 byte 12 NCR/ +>28 byte 13 LynxOS/ +>28 byte 14 VxWorks/ +>28 byte 15 pSOS/ +>28 byte 16 QNX/ +>28 byte 17 Firmware/ +>28 byte 18 RTEMS/ +>28 byte 19 ARTOS/ +>28 byte 20 Unity OS/ +>28 byte 21 INTEGRITY/ +>29 byte 0 \bInvalid CPU, +>29 byte 1 \bAlpha, +>29 byte 2 \bARM, +>29 byte 3 \bIntel x86, +>29 byte 4 \bIA64, +>29 byte 5 \bMIPS, +>29 byte 6 \bMIPS 64-bit, +>29 byte 7 \bPowerPC, +>29 byte 8 \bIBM S390, +>29 byte 9 \bSuperH, +>29 byte 10 \bSparc, +>29 byte 11 \bSparc 64-bit, +>29 byte 12 \bM68K, +>29 byte 13 \bNios-32, +>29 byte 14 \bMicroBlaze, +>29 byte 15 \bNios-II, +>29 byte 16 \bBlackfin, +>29 byte 17 \bAVR32, +>29 byte 18 \bSTMicroelectronics ST200, +>29 byte 19 \bSandbox architecture, +>29 byte 20 \bANDES Technology NDS32, +>29 byte 21 \bOpenRISC 1000, +>29 byte 22 \bARM 64-bit, +>29 byte 23 \bDesignWare ARC, +>29 byte 24 \bx86_64, +>29 byte 25 \bXtensa, +>29 byte 26 \bRISC-V, +>30 byte 0 Invalid Image +>30 byte 1 Standalone Program +>30 byte 2 OS Kernel Image +>30 byte 3 RAMDisk Image +>30 byte 4 Multi-File Image +>30 byte 5 Firmware Image +>30 byte 6 Script File +>30 byte 7 Filesystem Image (any type) +>30 byte 8 Binary Flat Device Tree BLOB +>31 byte 0 (Not compressed), +>31 byte 1 (gzip), +>31 byte 2 (bzip2), +>31 byte 3 (lzma), +>12 belong x %d bytes, +>8 bedate x %s, +>16 belong x Load Address: %#08X, +>20 belong x Entry Point: %#08X, +>4 belong x Header CRC: %#08X, +>24 belong x Data CRC: %#08X + +# JFFS2 file system +0 leshort 0x1984 Linux old jffs2 filesystem data little endian +0 beshort 0x1984 Linux old jffs2 filesystem data big endian +0 leshort 0x1985 Linux jffs2 filesystem data little endian +0 beshort 0x1985 Linux jffs2 filesystem data big endian + +# Squashfs +0 name squashfs +>28 beshort x version %d. +>30 beshort x \b%d, +>20 beshort 0 uncompressed, +>20 beshort 1 zlib +>20 beshort 2 lzma +>20 beshort 3 lzo +>20 beshort 4 xz +>20 beshort 5 lz4 +>20 beshort 6 zstd +>20 beshort >0 compressed, +>28 beshort <3 +>>8 belong x %d bytes, +>28 beshort >2 +>>28 beshort <4 +>>>63 bequad x %lld bytes, +>>28 beshort >3 +>>>40 bequad x %lld bytes, +#>>67 belong x %d bytes, +>4 belong x %d inodes, +>28 beshort <2 +>>32 beshort x blocksize: %d bytes, +>28 beshort >1 +>>28 beshort <4 +>>>51 belong x blocksize: %d bytes, +>>28 beshort >3 +>>>12 belong x blocksize: %d bytes, +>28 beshort <4 +>>39 bedate x created: %s +>28 beshort >3 +>>8 bedate x created: %s + +0 string sqsh Squashfs filesystem, big endian, +>0 use squashfs + +0 string hsqs Squashfs filesystem, little endian, +>0 use \^squashfs + +# AFS Dump Magic +# From: Ty Sarna <tsarna@sarna.org> +0 string \x01\xb3\xa1\x13\x22 AFS Dump +>&0 belong x (v%d) +>>&0 byte 0x76 +>>>&0 belong x Vol %d, +>>>>&0 byte 0x6e +>>>>>&0 string x %s +>>>>>>&1 byte 0x74 +>>>>>>>&0 beshort 2 +>>>>>>>>&4 bedate x on: %s +>>>>>>>>&0 bedate =0 full dump +>>>>>>>>&0 bedate !0 incremental since: %s + +#---------------------------------------------------------- +#delta ISO Daniel Novotny (dnovotny@redhat.com) +0 string DISO Delta ISO data +!:strength +50 +>4 belong x version %d + +# VMS backup savesets - gerardo.cacciari@gmail.com +# +4 string \x01\x00\x01\x00\x01\x00 +>(0.s+16) string \x01\x01 +>>&(&0.b+8) byte 0x42 OpenVMS backup saveset data +>>>40 lelong x (block size %d, +>>>49 string >\0 original name '%s', +>>>2 short 1024 VAX generated) +>>>2 short 2048 AXP generated) +>>>2 short 4096 I64 generated) + +# Summary: Oracle Clustered Filesystem +# Created by: Aaron Botsis <redhat@digitalmafia.org> +8 string OracleCFS Oracle Clustered Filesystem, +>4 long x rev %d +>0 long x \b.%d, +>560 string x label: %.64s, +>136 string x mountpoint: %.128s + +# Summary: Oracle ASM tagged volume +# Created by: Aaron Botsis <redhat@digitalmafia.org> +32 string ORCLDISK Oracle ASM Volume, +>40 string x Disk Name: %0.12s +32 string ORCLCLRD Oracle ASM Volume (cleared), +>40 string x Disk Name: %0.12s + +# Oracle Clustered Filesystem - Aaron Botsis <redhat@digitalmafia.org> +8 string OracleCFS Oracle Clustered Filesystem, +>4 long x rev %d +>0 long x \b.%d, +>560 string x label: %.64s, +>136 string x mountpoint: %.128s + +# Oracle ASM tagged volume - Aaron Botsis <redhat@digitalmafia.org> +32 string ORCLDISK Oracle ASM Volume, +>40 string x Disk Name: %0.12s +32 string ORCLCLRD Oracle ASM Volume (cleared), +>40 string x Disk Name: %0.12s + +# Compaq/HP RILOE floppy image +# From: Dirk Jagdmann <doj@cubic.org> +0 string CPQRFBLO Compaq/HP RILOE floppy image + +#------------------------------------------------------------------------------ +# Files-11 On-Disk Structure (File system for various RSX-11 and VMS flavours). +# These bits come from LBN 1 (home block) of ODS-1, ODS-2 and ODS-5 volumes, +# which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com +# +1008 string DECFILE11 Files-11 On-Disk Structure +>525 byte x (ODS-%d); +>1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system; +>1017 string B +>>525 byte 2 VAX/VMS or OpenVMS file system; +>>525 byte 5 OpenVMS Alpha or Itanium file system; +>984 string x volume label is '%-12.12s' + +# From: Thomas Klausner <wiz@NetBSD.org> +# https://filext.com/file-extension/DAA +# describes the daa file format. The magic would be: +0 string DAA\x0\x0\x0\x0\x0 PowerISO Direct-Access-Archive + +# From Albert Cahalan <acahalan@gmail.com> +# really le32 operation,destination,payloadsize (but quite predictable) +# 01 00 00 00 00 00 00 c0 00 02 00 00 +0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware + +# From Eric Sandeen +# GFS2 +0x10000 belong 0x01161970 +>0x10018 belong 0x0000051d GFS1 Filesystem +>>0x10024 belong x (blocksize %d, +>>0x10060 string >\0 lockproto %s) +>0x10018 belong 0x00000709 GFS2 Filesystem +>>0x10024 belong x (blocksize %d, +>>0x10060 string >\0 lockproto %s) + +# Russell Coker <russell@coker.com.au> +0x10040 string _BHRfS_M BTRFS Filesystem +>0x1012b string >\0 label "%s", +>0x10090 lelong x sectorsize %d, +>0x10094 lelong x nodesize %d, +>0x10098 lelong x leafsize %d, +>0x10020 ubelong x UUID=%08x- +>0x10024 ubeshort x \b%04x- +>0x10026 ubeshort x \b%04x- +>0x10028 ubeshort x \b%04x- +>0x1002a ubeshort x \b%04x +>0x1002c ubelong x \b%08x, +>0x10078 lequad x %lld/ +>0x10070 lequad x \b%lld bytes used, +>0x10088 lequad x %lld devices + +0 string btrfs-stream BTRFS stream file + +# dvdisaster's .ecc +# From: "Nelson A. de Oliveira" <naoliv@gmail.com> +0 string *dvdisaster* dvdisaster error correction file + +# xfs metadump image +# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog +# but can we do the << ? For now it's always 512 (0x200) anyway. +0 string XFSM +>0x200 string XFSB XFS filesystem metadump image + +# Type: CROM filesystem +# From: Werner Fink <werner@suse.de> +0 string CROMFS CROMFS +>6 string >\0 \b version %2.2s, +>8 ulequad >0 \b block data at %lld, +>16 ulequad >0 \b fblock table at %lld, +>24 ulequad >0 \b inode table at %lld, +>32 ulequad >0 \b root at %lld, +>40 ulelong >0 \b fblock size = %d, +>44 ulelong >0 \b block size = %d, +>48 ulequad >0 \b bytes = %lld + +# Type: xfs metadump image +# From: Daniel Novotny <dnovotny@redhat.com> +# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog +# but can we do the << ? For now it's always 512 (0x200) anyway. +0 string XFSM +>0x200 string XFSB XFS filesystem metadump image + +# Type: delta ISO +# From: Daniel Novotny <dnovotny@redhat.com> +0 string DISO Delta ISO data, +>4 belong x version %d + +# JFS2 (Journaling File System) image. (Old JFS1 has superblock at 0x1000.) +# See linux/fs/jfs/jfs_superblock.h for layout; see jfs_filsys.h for flags. +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +0x8000 string JFS1 +# Because it's text-only magic, check a binary value (version) to be sure. +# Should always be 2, but mkfs.jfs writes it as 1. Needs to be 2 or 1 to be +# mountable. +>&0 lelong <3 JFS2 filesystem image +# Label is followed by a UUID; we have to limit string length to avoid +# appending the UUID in the case of a 16-byte label. +>>&144 regex [\x20-\x7E]{1,16} (label "%s") +>>&0 lequad x \b, %lld blocks +>>&8 lelong x \b, blocksize %d +>>&32 lelong&0x00000006 >0 (dirty) +>>&36 lelong >0 (compressed) + +# LFS +0 lelong 0x070162 LFS filesystem image +>4 lelong 1 version 1, +>>8 lelong x \b blocks %u, +>>12 lelong x \b blocks per segment %u, +>4 lelong 2 version 2, +>>8 lelong x \b fragments %u, +>>12 lelong x \b bytes per segment %u, +>16 lelong x \b disk blocks %u, +>20 lelong x \b block size %u, +>24 lelong x \b fragment size %u, +>28 lelong x \b fragments per block %u, +>32 lelong x \b start for free list %u, +>36 lelong x \b number of free blocks %d, +>40 lelong x \b number of files %u, +>44 lelong x \b blocks available for writing %d, +>48 lelong x \b inodes in cache %d, +>52 lelong x \b inode file disk address %#x, +>56 lelong x \b inode file inode number %u, +>60 lelong x \b address of last segment written %#x, +>64 lelong x \b address of next segment to write %#x, +>68 lelong x \b address of current segment written %#x + +0 string td\000 floppy image data (TeleDisk, compressed) +0 string TD\000 floppy image data (TeleDisk) + +0 string CQ\024 floppy image data (CopyQM, +>16 leshort x %d sectors, +>18 leshort x %d heads.) + +0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) + +# URL: http://fileformats.archiveteam.org/wiki/LoadDskF/SaveDskF +# Update: Joerg Jenderek +# Note: called "IBM SKF disk image" by TrID +# verfied by 7-Zip `7z l -tFAT -slt *.dsk` and +# `deark -l -m loaddskf 06200D19.DSK` +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf-old.trid.xml +0 beshort 0xAA58 +>0 use SaveDskF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf.trid.xml +0 beshort 0xAA59 +>0 use SaveDskF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf-comp.trid.xml +0 beshort 0xAA5A +# skip foo by additional check for unused upper byte of media type in SaveDskF header +#>3 ubyte =0 +# skip bar by additional check for valid "low" number of heads in SaveDskF header +#>>26 uleshort <3 +# skip foo by additional check for unused double word field in SaveDskF header +#>>>30 long =0 +#>>>>0 use SaveDskF +>0 use SaveDskF +# display information about IBM SaveDskF floppy disk images +0 name SaveDskF +# SaveDskF magic +>0 beshort x floppy image data (IBM SaveDskF +#!:mime application/octet-stream +!:mime application/x-ibm-dsk +!:ext dsk +# also suffix with digit (1dk .2dk ...); NO example FOUND! +#!:ext dsk/1dk/2dk +>1 ubyte =0x58 \b, old) +>1 ubyte =0x59 \b) +>1 ubyte =0x5A \b, compressed) +# media type; the first byte of the FAT like: 0xF0 (usual floppy) 0xF9 0xFE +# https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system +>2 ubyte !0xF0 \b, Media descriptor %#x +# upper byte of media type is not used; so this seems to be nil +>3 ubyte !0 \b, upper byte of media type %#x +# sector size in bytes as in the BIOS parameter block like: 512 ; SAVEDSKF.EXE with other sizes produce garbage images +>4 uleshort !512 \b, Bytes/sector %u +# cluster mask; number of sectors per cluster, minus 1 +>6 uleshort+1 >1 \b, sectors/cluster %u +#>6 uleshort+1 x \b, sectors/cluster %u +# cluster shift; log2(cluster size / sector size) like: 0~1=ClusterSize/SectorSize +>7 ubyte >0 \b, cluster shift %u +#>7 ubyte x \b, cluster shift %u +# reserved sectors; as in the BIOS parameter block like: 1 256 (2M256R-K.DSK) +>8 uleshort >1 \b, reserved sectors %u +#>8 uleshort x \b, reserved sectors %u +# FAT copies; as in the BIOS parameter block like: 2 (usual) 1 (2-NK.DSK) +>10 ubyte !2 \b, FAT +# plural s +>>10 ubyte >1 \bs +>>10 ubyte x %u +# root directory entries; as in the BIOS parameter block like: 224 (usual) 64 (H1-NK.DSK) 4096 (2-NK.DSK) +>11 uleshort !224 \b, root entries %u +# sector number of first cluster (count sectors used by boot sector, FATs and root directory) like: 7 10 29 33 288 +>13 uleshort !33 \b, 1st cluster at sector %u +# number of clusters in image; empty clusters at the end are not saved and counted like: 2372 2848 +>15 uleshort x \b, %u clusters +# sectors/FAT; as in the BIOS parameter block like: 1 (H1-NK.DSK) 7 9 +>17 ubyte !9 \b, sectors/FAT %u +# sector number of root directory (ie, count of sectors used by boot sector and FATs) like: 3 (H1-NK.DSK) 9 10 15 19 274 (2M256R-K.DSK) +>18 uleshort !19 \b, root directory at sector %u +# checksum; sum of all bytes in the file +>20 ulelong x \b, checksum %#8.8x +# cylinders; number of cylinders like: 40 80 +>24 uleshort !80 \b, %u cylinders +#>24 uleshort x \b, %u cylinders +# heads; number of heads as in the BIOS parameter block like: 1 (H1-NK.DSK) 2 +>26 uleshort !2 \b, heads %u +#>26 uleshort x \b, heads %u +# sectors/track; number of sectors per track as in the BIOS parameter block like: 8 15 18 36 +>28 uleshort !18 \b, sectors/track %u +#>28 uleshort x \b, sectors/track %u +# unused double word field seems to be always like: 0 +>30 ulelong !0 \b, at 0x1E %#x +# number of sectors in images like: 1017 2786 2880 +>34 uleshort x \b, sectors %u +# if string is "printable" it can be a real comment +>(36.s) ubyte !0x00 +# if 1st sector is far enough away (> 0x29) then there is space for comment part +>>38 uleshort >41 +# offset to comment string like: 28h=40 +>>>36 uleshort x \b, at %#x +# comment string terminated with \r\n\0 +>>>(36.s) string x "%s" +# offset to the first sector like: 0 (If this is 0, assume it is 0x200) 29h=41 (DISPLAY3.DSK) 31h 43h 45h 46h 48h 50h 200h=512 +>38 uleshort !0 \b, 1st sector at %#x +# FOR DEBUGGING! +#>(38.s) ubelong x SECTOR CONTENT %x +# not compressed floppy image implies readable DOS boot sector inside image +>>1 ubyte !0x5A +# when not compressed it is readable as DOS boot sector via ./filesystems +#>>>(38.s) indirect x \b; contains +>38 uleshort =0 \b, 1st sector at 0x200 (0) +# maybe standard DOS boot sector; NO example FOUND HERE! +#>>0x200 indirect x \b; contains + +0 string \074CPM_Disk\076 disk image data (YAZE) + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Central_Point_Software#cite_note-6 +# Reference: https://www.robcraig.com/download/transcopy-5-x-file-format +# https://www.robcraig.com/download/transcopy-file-format-by-gene-thompson +# http://mark0.net/download/triddefs_xml.7z/defs/t/tc-transcopy.trid.xml +# TransCopy signature +0 beshort 0x5AA5 +# skip Intel serial flash ROM with invalid 0 disk sides handled by ./intel +>0x103 ubyte !0 +# skip Intel serial flash ROM with unlikely "high" start cylinder 100 handled by ./intel +#>>0x101 ubyte <100 VALID_START_CYLINDER +# skip Intel serial flash ROM with unlikely description handled by ./intel +#>>>2 beshort !0xF00f VALID_DESCRIPTION +# skip Intel serial flash ROM with invalid disk types 89h 88h handled by ./intel +#>>>>0x100 byte !0x89 VALID_DISK_TYPE +>>0 use tc-floppy +# display information of Central Point Software (CPS) Option Board TransCopy floppy image +0 name tc-floppy +>0 beshort x TransCopy disk image +#!:mime application/octet-stream +!:mime application/x-floppy-image-tc +# like: disk04.tc VOCALC2.TC WIZ5_A.tc WIZ2_720.IMG +!:ext tc/img +# 1st description (optional 0-terminated maximal 32) like: +# "Project Workbench 2.20" "Visi On Calc" "Wizardry V Disk 1 of 3" +>2 string >\0 %.32s +# 2nd desc. (optional 0-terminated maximal 32) like: +# "(1988)." "Advanced - Utility" 'Program Disk 2" +>0x22 string >\0 "%.32s" +# Looks like ascii (like MESSAGES) formatted with attribute bytes (190)? +# not needed for disk copy +#>>0x42 string x '%.190s' +#>>0x88 lestring16 x "%.8s" +# disktype: 2~MFM High Density 3~MFM Double Density 4~Apple II GCR 5~FM Single Density +# 6~Commodore GCR 7~MFM Double Density 8~Commodore Amiga Ch~Atari FM FFh~Unknown +>0x100 ubyte !0xFF \b, disk type %u +# StartingCylinder like: 0 +>0x101 ubyte x \b, cylinder +>0x101 ubyte !0 start=%u +# EndingCylinder like: 40 (often) 41 79 +>0x102 ubyte x end=%u +# NumberOfSides like: 2 +>0x103 ubyte !2 \b, %u sides +# TrackIncrement like: 1 +>0x104 ubyte !1 \b, track increment %u +# TrackPosTbl Track skew +#>0x105 ubequad x \b, Track skew %#16.16llx +# TrackOffsTbl +#>0x305 ubequad x \b, TrackOffsTbl %#16.16llx +# TrackLngthTbl +#>0x505 ubequad x \b, TrackLngthTbl %#16.16llx +# TrackTypeTable +#>0x705 ubequad x \b, TrackTypeTable %#16.16llx +# Address mark timing +#>0x905 ubequad x \b, Address mark timing %#16.16llx +# Track fragment +#>0x2905 ubequad !0 \b, Track fragment %#16.16llx +# Track data +#>0x4000 ubequad !0 \b, Track data %#16.16llx + +# ReFS +# Richard W.M. Jones <rjones@redhat.com> +0 string \0\0\0ReFS\0 ReFS filesystem image + +# EFW encase image file format: +# Gregoire Passault +# http://www.forensicswiki.org/wiki/Encase_image_file_format +0 string EVF\x09\x0d\x0a\xff\x00 EWF/Expert Witness/EnCase image file format + +# UBIfs +# Linux kernel sources: fs/ubifs/ubifs-media.h +0 lelong 0x06101831 +>0x16 leshort 0 UBIfs image +>0x08 lequad x \b, sequence number %llu +>0x10 leshort x \b, length %u +>0x04 lelong x \b, CRC %#08x + +0 lelong 0x23494255 +>0x04 leshort <2 +>0x05 string \0\0\0 +>0x1c string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>0x04 leshort x UBI image, version %u + +# NEC PC-88 2D disk image +# From Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> +0x20 ulelong&0xFFFFFEFF 0x2A0 +>0x10 string \0\0\0\0\0\0\0\0\0\0 +>>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>0x1A ubyte&0xEF 0 +>>>>0x1B ubyte&0x8F 0 +>>>>>0x1B ubyte&70 <0x40 +>>>>>>0x1C ulelong >0x21 +>>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s +>>>>>>>>0x1B ubyte 0 \b, media=2D +>>>>>>>>0x1B ubyte 0x10 \b, media=2DD +>>>>>>>>0x1B ubyte 0x20 \b, media=2HD +>>>>>>>>0x1B ubyte 0x30 \b, media=1D +>>>>>>>>0x1B ubyte 0x40 \b, media=1DD +>>>>>>>>0x1A ubyte 0x10 \b, write-protected + +# HDD Raw Copy Tool disk image, file extension: .imgc +# From Benjamin Vanheuverzwijn <bvanheu@gmail.com> +0 pstring HDD\ Raw\ Copy\ Tool %s +>0x100 pstring x %s +>0x200 pstring x - HD model: %s +#>0x300 pstring x unknown %s +>0x400 pstring x serial: %s +#>0x500 pstring x unknown: %s +!:ext imgc + +# http://martin.hinner.info/fs/bfs/bfs-structure.html +0 lelong 0x1BADFACE SCO UnixWare BFS filesystem + +# https://arstechnica.com/information-technology/2018/07/the-beos-filesystem/ +32 lelong 0x42465331 BE/OS BFS1 filesystem +>36 lelong x \b, byte order %d +>40 lelong x \b, block size %d +>44 lelong x \b, block shift %d +>48 lequad x \b, total blocks %lld +>56 lequad x \b, used blocks %lld + + +0 name next +>0 lelong x \b, size %d +>4 string x \b, label %s + +# https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-44.3\ +# /IONeXTPartitionScheme.h +0 string NeXT NeXT version 1 disklabel +>12 use next +0 string dlV1 NeXT version 2 disklabel +>12 use next +0 string dlV2 NeXT version 3 disklabel +>12 use next + +# bcachefs +# From: Thomas Weißschuh <thomas@t-8ch.de> + +0 name bcachefs-uuid +>0 ubelong x \b%08x +>4 ubeshort x \b-%04x +>6 ubeshort x \b-%04x +>8 ubeshort x \b-%04x +>10 ubelong x \b-%08x +>14 ubeshort x \b%04x + +0 name bcachefs bcachefs +>0x68 lequad 8 \b, UUID= +>>0x38 use bcachefs-uuid +>>0x48 string >0 \b, label "%.32s" +>>0x10 uleshort x \b, version %u +>>0x12 uleshort x \b, min version %u +>>0x7a byte x \b, device %d +# assumes the first field is the members field +>>0x2f4 ulelong 0x01 \b/UUID= +>>>0x2f0 default x +>>>&(0x07a.b*56) use bcachefs-uuid +>>0x07b byte x \b, %d devices +>>0x090 byte ^0x02 \b (unclean) + +0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 +>0x1000 use bcachefs + +0x1018 string \xc6\x85\x73\xf6\x66\xce\x90\xa9\xd9\x6a\x60\xcf\x80\x3d\xf7\xef +>0x1000 use bcachefs + +# EROFS +# https://kernel.googlesource.com/pub/scm/linux/kernel/git/xiang/erofs-utils/\ +# +/refs/heads/experimental/include/erofs_fs.h#12 +1024 lelong 0xE0F5E1E2 EROFS filesystem +#>1028 lelong x \b, checksum=%#x +>1032 lelong >0 \b, compat: +>>1032 lelong &1 SB_CHKSUM +>>1032 lelong &2 MTIME +>1036 byte x \b, blocksize=%u +>1037 byte x \b, exslots=%u +#>1038 leshort x \b, root_nid=%d +#>1040 lequad x \b, inodes=%ld +#>1048 leldate x \b, build_time=%s +#>1056 lelong x \b.%d +#>1060 lelong x \b, blocks=%d +#>1064 lelong x \b, metadata@%#x +#>1068 lelong x \b, xattr@%#x +>1072 guid x \b, uuid=%s +>1088 string >0 \b, name=%s +>1104 lelong >0 \b, incompat: +>>1104 lelong &1 LZ4_0PADDING +>>1104 lelong &2 BIG_PCLUSTER +>>1104 lelong &4 CHUNKED_FILE +>>1104 lelong &8 DEVICE_TABLE +>>1104 lelong &16 ZTAILPACKING + +# YAFFS +# The layout itself is undocumented, determined by the memory layout of the +# reference implementation. This signature is derived from the +# reference implementation code and generated test cases +# We recognize the start of an object header defined by yaffs_obj_hdr: +# (Note the values being encoded depending on platform endianess) + +# u32 type /* enum yaffs_obj_type, valid 1-5 */ +# u32 parent_obj_id; /* 1 for root objects we recognize */ +# u16 sum_no_longer_used; /* checksum of name. Not used by YAFFS and memset to 0xFF */ +# YCHAR name[YAFFS_MAX_NAME_LENGTH + 1]; + +# mkyaffsimage always writes a root directory with empty name, then processing the target directory contents +# mkyaffs2image directly proceeds to writing entries with the appropriate u32 YAFFS_OBJECT_TYPE (1-5 valid), each with parent id 1 + +0 name yaffs +>0 ulelong 1 \b, type file +>0 ulelong 2 \b, type symlink +>0 ulelong 3 \b, type root or directory +>0 ulelong 4 \b, type hardlink +>0 ulelong 5 \b, type special +>0xA byte 0 \b, v1 root directory +>0xA byte !0 \b, object entry +>>0xA string x (name: "%s") + +# Little Endian: XX 00 00 00 01 00 00 00 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x1 string \x00\x00\x00\x01\x00\x00\x00\xFF\xFF +>0 ulelong 0 +>0 ulelong >5 +>0 default x YAFFS filesystem root entry (little endian) +>>0 use yaffs + +# Big Endian: 00 00 00 XX 00 00 00 01 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x4 string \x00\x00\x00\x01\xFF\xFF +>0 string \x00\x00\x00 +>>0 ubelong 0 +>>0 ubelong >5 +>>0 default x YAFFS filesystem root entry (big endian) +>>>0 use \^yaffs diff --git a/magic/Magdir/finger b/magic/Magdir/finger new file mode 100644 index 0000000..ab43ac6 --- /dev/null +++ b/magic/Magdir/finger @@ -0,0 +1,16 @@ + +#------------------------------------------------------------------------------ +# $File: finger,v 1.3 2019/04/19 00:42:27 christos Exp $ +# fingerprint: file(1) magic for fingerprint data +# XPM bitmaps) +# + +# https://cgit.freedesktop.org/libfprint/libfprint/tree/libfprint/data.c + +0 string FP1 libfprint fingerprint data V1 +>3 beshort x \b, driver_id %x +>5 belong x \b, devtype %x + +0 string FP2 libfprint fingerprint data V2 +>3 beshort x \b, driver_id %x +>5 belong x \b, devtype %x diff --git a/magic/Magdir/firmware b/magic/Magdir/firmware new file mode 100644 index 0000000..4835b12 --- /dev/null +++ b/magic/Magdir/firmware @@ -0,0 +1,133 @@ +#------------------------------------------------------------------------------ +# $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $ +# firmware: file(1) magic for firmware files +# + +# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure +# examples: https://github.com/cweiske/frontier-silicon-firmwares +0 lelong 0x00001176 +>4 lelong 0x7c Frontier Silicon firmware download +>>8 lelong x \b, MeOS version %x +>>12 string/32/T x \b, version %s +>>40 string/64/T x \b, customization %s + +# HPE iLO firmware update image +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ +# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images +0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00 +>16 ubeshort =0xCFDD HPE iLO2 firmware update image +>16 ubeshort =0x6444 HPE iLO1 firmware update image +# iLO3 images (ilo3_*.bin) start directly with image name +0 string iLO3\x20v\x20 HPE iLO3 firmware update image, +>7 string x version %s +# iLO4 images (ilo4_*.bin) start with a signature and a certificate +0 string --=</Begin\x20HP\x20Signed +>75 string label_HPBBatch +>>5828 string iLO\x204 +>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image, +>>>6947 string x version %s +# iLO5 images (ilo5_*.bin) start with a signature +>75 string label_HPE-HPB-BMC-ILO5-4096 +>>880 string HPIMAGE\x00 HPE iLO5 firmware update image, +>>944 string x version %s + +# IBM POWER Secure Boot Container +# from https://github.com/open-power/skiboot/blob/master/libstb/container.h +0 belong 0x17082011 POWER Secure Boot Container, +>4 beshort x version %u +>6 bequad x container size %llu +# These are always zero +# >14 bequad x target HRMOR %llx +# >22 bequad x stack pointer %llx +>4096 ustring \xFD7zXZ\x00 XZ compressed +0 belong 0x1bad1bad POWER boot firmware +>256 belong 0x48002030 (PHYP entry point) + +# ARM Cortex-M vector table +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties +# Match stack MSB +3 byte 0x20 +# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match) +>4 ulelong&0xE0000001 1 +>>8 ulelong&0xE0000001 1 +>>>12 ulelong&0xE0000001 1 +>>>>44 ulelong&0xE0000001 1 +>>>>>56 ulelong&0xE0000001 1 +# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF) +>>>>>>28 ulelong+1 <2 +>>>>>>>32 ulelong+1 <2 +>>>>>>>>36 ulelong+1 <2 +>>>>>>>>>40 ulelong+1 <2 +>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware +>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x +>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x + +# ESP-IDF partition table entry +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h +0 string \xAA\x50 +>2 ubyte <2 ESP-IDF partition table entry +>>12 string/16 x \b, label: "%s" +>>2 ubyte 0 +>>>3 ubyte 0x00 \b, factory app +>>>3 ubyte 0x10 \b, OTA_0 app +>>>3 ubyte 0x11 \b, OTA_1 app +>>>3 ubyte 0x12 \b, OTA_2 app +>>>3 ubyte 0x13 \b, OTA_3 app +>>>3 ubyte 0x14 \b, OTA_4 app +>>>3 ubyte 0x15 \b, OTA_5 app +>>>3 ubyte 0x16 \b, OTA_6 app +>>>3 ubyte 0x17 \b, OTA_7 app +>>>3 ubyte 0x18 \b, OTA_8 app +>>>3 ubyte 0x19 \b, OTA_9 app +>>>3 ubyte 0x1A \b, OTA_10 app +>>>3 ubyte 0x1B \b, OTA_11 app +>>>3 ubyte 0x1C \b, OTA_12 app +>>>3 ubyte 0x1D \b, OTA_13 app +>>>3 ubyte 0x1E \b, OTA_14 app +>>>3 ubyte 0x1F \b, OTA_15 app +>>>3 ubyte 0x20 \b, test app +>>2 ubyte 1 +>>>3 ubyte 0x00 \b, OTA selection data +>>>3 ubyte 0x01 \b, PHY init data +>>>3 ubyte 0x02 \b, NVS data +>>>3 ubyte 0x03 \b, coredump data +>>>3 ubyte 0x04 \b, NVS keys +>>>3 ubyte 0x05 \b, emulated eFuse data +>>>3 ubyte 0x06 \b, undefined data +>>>3 ubyte 0x80 \b, ESPHTTPD partition +>>>3 ubyte 0x81 \b, FAT partition +>>>3 ubyte 0x82 \b, SPIFFS partition +>>>3 ubyte 0xFF \b, any data +>>4 ulelong x \b, offset: 0x%X +>>8 ulelong x \b, size: 0x%X +>>28 ulelong&0x1 1 \b, encrypted + +# ESP-IDF application image +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h +# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t +# First segment contains esp_app_desc_t +0 ubyte 0xE9 +>32 ulelong 0xABCD5432 ESP-IDF application image +>>12 uleshort 0x0000 for ESP32 +>>12 uleshort 0x0002 for ESP32-S2 +>>12 uleshort 0x0005 for ESP32-C3 +>>12 uleshort 0x0009 for ESP32-S3 +>>12 uleshort 0x000A for ESP32-H2 Beta1 +>>12 uleshort 0x000C for ESP32-C2 +>>12 uleshort 0x000D for ESP32-C6 +>>12 uleshort 0x000E for ESP32-H2 Beta2 +>>12 uleshort 0x0010 for ESP32-H2 +>>80 string/32 x \b, project name: "%s" +>>48 string/32 x \b, version %s +>>128 string/16 x \b, compiled on %s +>>>112 string/16 x %s +>>144 string/32 x \b, IDF version: %s +>>4 ulelong x \b, entry address: 0x%08X diff --git a/magic/Magdir/flash b/magic/Magdir/flash new file mode 100644 index 0000000..33b7344 --- /dev/null +++ b/magic/Magdir/flash @@ -0,0 +1,62 @@ + +#------------------------------------------------------------------------------ +# $File: flash,v 1.15 2019/04/19 00:42:27 christos Exp $ +# flash: file(1) magic for Macromedia Flash file format +# +# See +# +# https://www.macromedia.com/software/flash/open/ +# https://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/\ +# en/devnet/swf/pdf/swf-file-format-spec.pdf page 27 +# + +0 name swf-details + +>0 string F +>>8 byte&0xfd 0x08 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte&0xfe 0x10 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte 0x18 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 beshort&0xff87 0x2000 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 beshort&0xffe0 0x3000 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte&0x7 0 +>>>8 ubyte >0x2f +>>>>9 ubyte <0x20 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>>>3 byte x \b, version %d + +>0 string C +>>8 byte 0x78 Macromedia Flash data (compressed) +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d + +>0 string Z +>>8 byte 0x5d Macromedia Flash data (lzma compressed) +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d + + +1 string WS +>4 ulelong >14 +>>3 ubyte !0 +>>>0 use swf-details + +# From: Cal Peake <cp@absolutedigital.net> +0 string FLV\x01 Macromedia Flash Video +!:mime video/x-flv + +# +# Yosu Gomez +0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document +0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document +# From Dave Wilson +0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document diff --git a/magic/Magdir/flif b/magic/Magdir/flif new file mode 100644 index 0000000..9406208 --- /dev/null +++ b/magic/Magdir/flif @@ -0,0 +1,36 @@ + +#------------------------------------------------------------------------------ +# $File: flif,v 1.1 2015/11/23 22:04:36 christos Exp $ +# flif: Magic data for file(1) command. +# FLIF (Free Lossless Image Format) + +0 string FLIF FLIF +>4 string <H image data +>>6 beshort x \b, %u +>>8 beshort x \bx%u +>>5 string 1 \b, 8-bit/color, +>>5 string 2 \b, 16-bit/color, +>>4 string 1 \b, grayscale, non-interlaced +>>4 string 3 \b, RGB, non-interlaced +>>4 string 4 \b, RGBA, non-interlaced +>>4 string A \b, grayscale +>>4 string C \b, RGB, interlaced +>>4 string D \b, RGBA, interlaced +>4 string >H \b, animation data +>>5 ubyte <255 \b, %i frames +>>>7 beshort x \b, %u +>>>9 beshort x \bx%u +>>>6 string =1 \b, 8-bit/color +>>>6 string =2 \b, 16-bit/color +>>5 ubyte 0xFF +>>>6 beshort x \b, %i frames, +>>>9 beshort x \b, %u +>>>11 beshort x \bx%u +>>>8 string =1 \b, 8-bit/color +>>>8 string =2 \b, 16-bit/color +>>4 string =Q \b, grayscale, non-interlaced +>>4 string =S \b, RGB, non-interlaced +>>4 string =T \b, RGBA, non-interlaced +>>4 string =a \b, grayscale +>>4 string =c \b, RGB, interlaced +>>4 string =d \b, RGBA, interlaced diff --git a/magic/Magdir/fonts b/magic/Magdir/fonts new file mode 100644 index 0000000..17373b5 --- /dev/null +++ b/magic/Magdir/fonts @@ -0,0 +1,449 @@ + +#------------------------------------------------------------------------------ +# $File: fonts,v 1.51 2022/08/16 11:16:39 christos Exp $ +# fonts: file(1) magic for font data +# +0 search/1 FONT ASCII vfont text +0 short 0436 Berkeley vfont data +0 short 017001 byte-swapped Berkeley vfont data + +# PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com +# Modified by: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/PostScript_fonts +# http://fileformats.archiveteam.org/wiki/Adobe_Type_1 +# Reference: http://mark0.net/download/triddefs_xml.7z +# defs/p/pfb.trid.xml +# Note: PFB stands for Printer Font Binary +0 string %!PS-AdobeFont-1. PostScript Type 1 font text +#!:mime font/x-postscript-pfb +#!:ext pfb +>20 string >\0 (%s) +# http://www.nationalarchives.gov.uk/pronom/fmt/525 +6 string %!PS-AdobeFont-1. +# skip DROID fmt-525-signature-id-816.pfb by checking for content after header +>24 ubyte x PostScript Type 1 font program data +#!:mime application/octet-stream +!:mime font/x-postscript-pfb +!:ext pfb +# often followed by colon (3Ah) and space (20h) and font name like: DarkGardenMK LetterGothic +>>24 ubyte =0x3A +>>>26 string >\0 (%s) +# some times instead of colon %%CreationDate: and "font name" later +>>24 ubyte !0x3A +# font name directive followed by def like: c0633bt_.pfb +>>>25 search/1247 /FontName\040/ +# show font name in parentheses like: Frankfurt Lithos CharterBT-BoldItalic Courier10PitchBT-Bold +>>>>&0 regex [A-Za-z0-9-]+ (%s) +# http://cd.textfiles.com/maxfonts/ATM/M/MIRROR__.PFB +6 string %PS-AdobeFont-1. PostScript Type 1 font program data +!:mime font/x-postscript-pfb +!:ext pfb +# font name like: Times-Mirror +>25 string >\0 (%s) +0 string %!FontType1 PostScript Type 1 font program data +#!:mime font/x-postscript-pfb +#!:ext pfb +6 string %!FontType1 PostScript Type 1 font program data +#!:mime application/octet-stream +!:mime font/x-postscript-pfb +!:ext pfb +# font name like: CaslonOpenFace FetteFraktur Kaufmann Linotext MesozoicGothic Old-Town +>23 string >\0 (%s) +# http://cd.textfiles.com/maxfonts/ATM/P/PLAYBI.PFB +230 string %!FontType1 PostScript Type 1 font program data +!:mime font/x-postscript-pfb +!:ext pfb +# font name like: Playbill +>247 string >\0 (%s) +0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text +#!:mime font/x-postscript-pfb +#!:ext pfb + +# Summary: PostScript Type 1 Printer Font Metrics +# URL: https://en.wikipedia.org/wiki/PostScript_fonts +# Reference: https://partners.adobe.com/public/developer/en/font/5178.PFM.pdf +# Modified by: Joerg Jenderek +# Note: moved from ./msdos magic +# dfVersion 256=0100h +0 uleshort 0x0100 +# GRR: line above is too general as it catches also TrueType font, +# raw G3 data FAX, WhatsApp encrypted and Panorama database +# dfType 129=0081h +>66 uleshort 0x0081 +# dfVertRes 300=012Ch not needed as additional test +#>>70 uleshort 0x012c +# dfHorizRes 300=012Ch +#>>>72 uleshort 0x012c +# dfDriverInfo points to postscript information section +>>(101.l) string/c Postscript Printer Font Metrics +# above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID +!:mime application/x-font-pfm +# AppleShare Print Server +#!:apple ASPS???? +!:ext pfm +# dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking +#>>>6 string >\060 - %-.60s +# dfDriverInfo +>>>139 ulelong >0 +# often abbreviated and same as filename +>>>>(139.l) string x %s +# dfSize +>>>2 ulelong x \b, %d bytes +# dfFace 210=D2h 9Eh +>>>105 ulelong >0 +# Windows font name +>>>>(105.l) string x \b, %s +# dfItalic +>>>80 ubyte 1 italic +# dfUnderline +>>>81 ubyte 1 underline +# dfStrikeOut +>>>82 ubyte 1 strikeout +# dfWeight 400=0x0190 300=0x012c 500=0x01f4 600=0x0258 700=0x02bc +>>>83 uleshort >699 bold +# dfPitchAndFamily 16 17 48 49 64 65 +>>>90 ubyte 16 serif +>>>90 ubyte 17 serif proportional +#>>>90 ubyte 48 other +>>>90 ubyte 49 proportional +>>>90 ubyte 64 script +>>>90 ubyte 65 script proportional + +# X11 font files in SNF (Server Natural Format) format +# updated by Joerg Jenderek at Feb 2013 and Nov 2021 +# http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm +# URL: http://fileformats.archiveteam.org/wiki/SNF +# Reference: https://cgit.freedesktop.org/xorg/lib/libXfont/tree/src/bitmap/snfstr.h +0 belong 00000004 +# version2 same as version1 in struct _snfFontInfo +>104 belong 00000004 X11 SNF font data, MSB first +# GRR: line above is too general as it catches also DEGAS low-res bitmap like: +# http://cd.textfiles.com/geminiatari/FILES/GRAPHICS/ANIMAT/SPID_PAT/BIGSPID.PI1 +!:mime application/x-font-sfn +!:ext snf +# GRR: line below is too general as it catches also Xbase index file t3-CHAR.NDX +0 lelong 00000004 +>104 lelong 00000004 X11 SNF font data, LSB first +!:mime application/x-font-sfn +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/snf-x11-lsb.trid.xml +!:ext snf + +# X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) +0 search/1 STARTFONT\ X11 BDF font text + +# From: Joerg Jenderek +# URL: https://grub.gibibit.com/New_font_format +# Reference: util/grub-mkfont.c +# include/grub/fontformat.h +# FONT_FORMAT_SECTION_NAMES_FILE +0 string FILE +# FONT_FORMAT_PFF2_MAGIC +>8 string PFF2 +# leng 4 only at the moment +>>4 ubelong 4 +# FONT_FORMAT_SECTION_NAMES_FONT_NAME +>>>12 string NAME GRUB2 font +!:mime application/x-font-pf2 +!:ext pf2 +# length of font_name +>>>>16 ubelong >0 +# font_name +>>>>>20 string >\0 "%-s" + +# X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) +# PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) +0 string \001fcp X11 Portable Compiled Font data, +>12 lelong ^0x08 bit: LSB, +>12 lelong &0x08 bit: MSB, +>12 lelong ^0x04 byte: LSB first +>12 lelong &0x04 byte: MSB first +0 string D1.0\015 X11 Speedo font data + +#------------------------------------------------------------------------------ +# FIGlet fonts and controlfiles +# From figmagic supplied with Figlet version 2.2 +# "David E. O'Brien" <obrien@FreeBSD.ORG> +0 string flf FIGlet font +>3 string >2a version %-2.2s +0 string flc FIGlet controlfile +>3 string >2a version %-2.2s + +# libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu) +# Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++ +0 belong 0x14025919 libGrx font data, +>8 leshort x %dx +>10 leshort x \b%d +>40 string x %s +# Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CPI +# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/58/17.html +0 belong 0xff464f4e DOS code page font data collection +!:mime font/x-dos-cpi +!:ext cpi +0 string \x7fDRFONT DR-DOS code page font data collection +!:mime font/x-drdos-cpi +!:ext cpi +7 belong 0x00454741 DOS code page font data +7 belong 0x00564944 DOS code page font data (from Linux?) +4098 string DOSFONT DOSFONT2 encrypted font data + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GEM_bitmap_font +# Reference: http://cd.textfiles.com/ataricompendium/BOOK/HTML/APPENDC.HTM#cnt +# +# usual case with lightening mask and skewing mask 5555h~UU +#62 ulelong 0x55555555 +# skip cl8m8ocofedso.testfile by looking for face size lower/equal 72 +#>2 uleshort <73 +#>>0 use gdos-font +# BOX18.GFT COWBOY30.GFT ROYALK30.GFT +#62 ulelong 0 +# skip ISO 9660 CD-ROM ./filesystem by looking for low positive face size +#>2 uleshort >2 +# skip DOS 2.0 backup id file ./msdos by looking for face size lower/equal 72 +#>>2 uleshort <73 +# skip MS oem.hlp, some Windows ICO ./msdos by looking for valid long name like WYE +#>>>4 ulelong >0x001F1f1F +# skip Microsoft WinWord 2.0 ./msdos by looking for positive offset to font data +#>>>>76 ulelong >83 +#>>>>>0 use gdos-font +0 name gdos-font +>0 uleshort x GEM GDOS font +!:mime application/x-font-gdos +# also .eps found like AA070GEP.EPS AI360GEP.EPS +!:ext fnt/gtf +# font name like Big&Tall, Celtic #s, Courier, University Bold, WYE +>4 string x %.32s +# face size in points 3-72 SLSS03CG.FNT H1CELT72.FNT +>2 uleshort x %u +# face ID (must be unique) +>0 uleshort x \b, ID %#4.4x +# lowest character index in face (4 but usually 32 for disk-loaded fonts) +#>36 uleshort !32 \b, unusual character index %u +# width of the widest character like 0 8 10 12 16 24 32 +#>50 uleshort x \b, %u char width +# width of the widest character cell like 8 11 12 14 15 16 33 67 +#>52 uleshort x \b, %u cell width +# thickening size in pixel like 0 1 2 3 4 5 6 7 8 +#>58 uleshort x \b, %u thick +# lightening mask to eliminate pixels, usually 5555h +>62 uleshort !0x5555 \b, lightening mask %#x +# skewing mask to determine when to perform additional rotation when skewing, usually 5555h +>64 uleshort !0x5555 \b, skewing mask %#x +# offset to optional horizontal offset table 0 58h~88 5eh 252h +#>68 ulelong x \b, %#x horizontal table offset +# offset of character offset table 54h for many *.GFT 55h 58h 5Eh 120h 1D4h 202h 220h +#>72 ulelong x \b, %#x coffset +# offset to font data like 116h 118h 158 20Ah 20Eh +>76 ulelong x \b, %#x foffset +# form width in bytes like 58 67 156 190 227 317 345 +#>80 uleshort x \b, %u fwidth +# form height in bytes like 4 8 11 17 26 56 70 90 120 146 150 +#>82 uleshort x \b, %u fheight +# pointer to the next font like 0 10000h 20000h 30000h 40000h 60000h 80000h E0000h D0000h +#>84 ulelong x \b, %#x noffset + +# downloadable fonts for browser (prints type) anthon@mnt.org +# https://tools.ietf.org/html/rfc3073 +0 string PFR1 Portable Font Resource font data (new) +>102 string >0 \b: %s +0 string PFR0 Portable Font Resource font data (old) +>4 beshort >0 version %d + +# True Type fonts +# Modified by: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/TrueType +# Reference: https://developer.apple.com/fonts/TrueType-Reference-Manual/ +# +# sfnt version "typ1" used by some Apple, but no example found +0 string typ1 +>0 use sfnt-font +>0 use sfnt-names +# sfnt version "true" used by some Apple +0 string true +>0 use sfnt-font +>0 use sfnt-names +# GRR: below test is too general +# sfnt version often 0x00010000 +0 string \000\001\000\000 +>0 use sfnt-font +>0 use sfnt-names +# validate and display sfnt font data like number of tables +0 name sfnt-font +# file 5.30 version assumes 00FFh as maximal number of tables +#>4 ubeshort <0x0100 +# maximal 27 tables found like in Skia.ttf +# 46 different table names mentioned on Apple specification +# skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number +>4 ubeshort <47 +# skip bad examples with garbage table names like in a5.show HYPERC MAC +# tag names consist of up to four characters padded with spaces at end like +# BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... +>>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ] +#>>>0 ubelong x \b, sfnt version %#x +>>>0 ubelong !0x4f54544f TrueType +!:mime font/sfnt +!:apple ????tfil +# .ttf for TrueType font +# EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe +!:ext ttf/tte +# sfnt version 4F54544Fh~OTTO +>>>0 ubelong =0x4f54544f OpenType +!:mime font/otf +!:apple ????OTTO +!:ext otf +>>>0 ubelong x Font data +# DSIG=44454947h table name implies a digitally signed font +# search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432 +>>>12 search/432 DSIG \b, digitally signed +>>>4 ubeshort x \b, %d tables +# minimal 9 tables found like in NISC18030.ttf +#>>>4 ubeshort <10 TMIN +#>>>4 ubeshort >24 TBIG +# table directory entries +>>>12 string x \b, 1st "%4.4s" + +# search and display 1st name in sfnt font which is often copyright text +# does not work inside font collections +0 name sfnt-names +# search for naming table +>12 search/432/s name +# biggest offset 0x0100bd28 like Windows10 Fonts\simsunb.ttf +#>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET +>>&8 ubelong >0x00100000 +# offset of name table +>>>&-4 ubelong x \b, name offset %#x +# GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h +>>&8 ubelong <0x00100000 +>>>&-16 ubelong x +# name table +>>>>(&8.L) ubequad x +# invalid format selector +#>>>>>&-8 ubeshort !0 \b, invalid selector %x +# minimal 3 name records found like in c:\Program Files (x86)\Tesseract-OCR\tessdata\pdf.ttf +# maximal 1227 name records found like in Apple Chancery.ttf +#>>>>>&-6 ubeshort <0x4 mincount +#>>>>>&-6 ubeshort >130 maxcount +>>>>>&-6 ubeshort x \b, %d names +# offset to start of string storage from start of table +#>>>>>&-4 ubeshort x \b, record offset %d +# 1st name record +# string offset from start of storage area +#>>>>>&8 ubeshort x \b, string offset %d +# string length +#>>>>>&6 ubeshort x \b, string length %d +# minimal name string 7 like in c:\Program Files (x86)\Kodi\addons\webinterface.default\lib\video-js\font\VideoJS.ttf +# also found 0 like in SWZCONLN.TTF +#>>>>>&6 ubeshort <8 MIN STRING +# maximal name string 806 like in c:\Windows\Fonts\palabi.ttf +#>>>>>&6 ubeshort >805 MAX STRING +# platform identifier: 0~Apple Unicode, 1~Macintosh, 3~Microsoft +#>>>>>&-2 ubeshort >3 BAD PLATFORM +>>>>>&-2 ubeshort 0 \b, Unicode +>>>>>&-2 ubeshort 1 \b, Macintosh +>>>>>&-2 ubeshort 3 \b, Microsoft +# languageID (0~english Macintosh, 0409h~english Microsoft, ...) +>>>>>&2 ubeshort >0 \b, language %#x +# name identifiers +# often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ... +>>>>>&4 ubeshort >0 \b, type %d string +# platform specific encoding: +# 0~undefined character set, 1~UGL set with Unicode, 3~Unicode 2.0 BMP only, 4~Unicode 2.0 +#>>>>>&0 ubeshort x \b, %d encoding +>>>>>&0 ubeshort 0 +# handle only name string offset 0 because do not know how to add 2 relative offsets +>>>>>>&6 ubeshort 0 +>>>>>>>&(&-14.S-18) ubyte !0 +# GRR: instead 806 only first MAXstring = 96 characters are displayed as defined in src\file.h +# often copyright string that starts like \251 2006 The Monotype Corporation +>>>>>>>>&-1 string x \b, %-11.96s +# test for unicode string +>>>>>>>&(&-14.S-18) ubyte 0 +>>>>>>>>&0 lestring16 x \b, %-11.96s +# unicode encoding +>>>>>&0 ubeshort >0 +>>>>>>&6 ubeshort 0 +>>>>>>>&(&-14.S-17) lestring16 x \b, %-11.96s + +0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font +0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font + +# TrueType/OpenType font collections (.ttc) +# URL: https://en.wikipedia.org/wiki/OpenType +# https://www.microsoft.com/typography/otspec/otff.htm +# Modified by: Joerg Jenderek +# Note: container for TrueType, OpenType font +0 string ttcf +# skip ASCII text +>4 ubyte 0 +# sfnt version often 0x00010000 of 1st table is TrueType +>>(12.L) ubelong !0x4f54544f TrueType +!:mime font/ttf +!:apple ????tfil +!:ext ttc +# sfnt version 4F54544Fh~OTTO of 1st table is OpenType font +>>(12.L) ubelong =0x4f54544f OpenType +!:mime font/otf +!:apple ????OTTO +# no example found for otc +!:ext ttc/otc +>>4 ubyte x font collection data +#!:mime font/collection +# TCC version +>>4 belong 0x00010000 \b, 1.0 +>>4 belong 0x00020000 \b, 2.0 +>>8 ubelong >0 \b, %d fonts +# array offset size = fonts * offsetsize = fonts * 4 +>>(8.L*4) ubequad x +# 0x44454947 = 'DSIG' +>>>&4 belong 0x44534947 \b, digitally signed +# offset to 1st font +>>12 ubelong x \b, at %#x +# point to 1st font that starts with sfnt version +>>(12.L) use sfnt-font + +# Opentype font data from Avi Bercovich +0 string OTTO OpenType font data +!:mime application/vnd.ms-opentype + +# From: Alex Myczko <alex@aiei.ch> +0 string SplineFontDB: Spline Font Database +!:mime application/vnd.font-fontforge-sfd +>14 string x version %s + +# EOT +0x40 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>0x22 string LP Embedded OpenType (EOT) +# workaround until there's lepstring16 +# >>0x52 lepstring16/h >\0 \b, %s family +>>0x52 short !0 +>>>0x54 lestring16 x \b, %s family +!:mime application/vnd.ms-fontobject + +# Web Open Font Format (.woff) +0 name woff +>4 belong 0x00010000 \b, TrueType +>4 belong 0x4F54544F \b, CFF +>4 belong 0x74727565 \b, TrueType +>4 default x +>>4 belong x \b, flavor %d +>8 belong x \b, length %d +#>12 beshort x \b, numTables %d +#>14 beshort x \b, reserved %d +#>16 belong x \b, totalSfntSize %d + +# https://www.w3.org/TR/WOFF/ +0 string wOFF Web Open Font Format +!:mime font/woff +>0 use woff +>20 beshort x \b, version %d +>22 beshort x \b.%d +# https://www.w3.org/TR/WOFF2/ +0 string wOF2 Web Open Font Format (Version 2) +!:mime font/woff2 +!:ext woff2 +>0 use woff +#>20 belong x \b, totalCompressedSize %d +>24 beshort x \b, version %d +>26 beshort x \b.%d diff --git a/magic/Magdir/forth b/magic/Magdir/forth new file mode 100644 index 0000000..34c9181 --- /dev/null +++ b/magic/Magdir/forth @@ -0,0 +1,82 @@ + +#------------------------------------------------------------------------------ +# $File: forth,v 1.4 2021/04/26 15:56:00 christos Exp $ +# forth: file(1) magic for various Forth environments +# From: Lubomir Rintel <lkundrak@v3.sk> +# + +# Has a FORTH stack diagram and something that looks very much like a FORTH +# multi-line word definition. Probably a FORTH source. +0 regex \[[:space:]]\\(([[:space:]].*)?\ --\ (.*[[:space:]])?\\) +>0 regex \^:\[[:space:]] +>>0 regex \^;$ FORTH program +!:mime text/x-forth + +# Inline word definition complete with a stack diagram +0 regex \^:[[:space:]].*[[:space:]]\\(([[:space:]].*)?\ --\ (.*[[:space:]])?\\)[[:space:]].*[[:space:]];$ FORTH program +!:mime text/x-forth + +# Various dictionary images used by OpenFirware FORTH environment + +0 lelong 0xe1a00000 +>8 lelong 0xe1a00000 +# skip raspberry pi kernel image kernel7.img by checking for positive text length +>>24 lelong >0 ARM OpenFirmware FORTH Dictionary, +>>>24 lelong x Text length: %d bytes, +>>>28 lelong x Data length: %d bytes, +>>>32 lelong x Text Relocation Table length: %d bytes, +>>>36 lelong x Data Relocation Table length: %d bytes, +>>>40 lelong x Entry Point: %#08X, +>>>44 lelong x BSS length: %d bytes + +0 string MP +>28 lelong 1 x86 OpenFirmware FORTH Dictionary, +>>4 leshort x %d blocks +>>2 leshort x + %d bytes, +>>6 leshort x %d relocations, +>>8 leshort x Header length: %d paragraphs, +>>10 leshort x Data Size: %d +>>12 leshort x - %d 4K pages, +>>14 lelong x Initial Stack Pointer: %#08X, +>>20 lelong x Entry Point: %#08X, +>>24 lelong x First Relocation Item: %d, +>>26 lelong x Overlay Number: %d, +>>18 leshort x Checksum: %#08X + +0 belong 0x48000020 PowerPC OpenFirmware FORTH Dictionary, +>4 belong x Text length: %d bytes, +>8 belong x Data length: %d bytes, +>12 belong x BSS length: %d bytes, +>16 belong x Symbol Table length: %d bytes, +>20 belong x Entry Point: %#08X, +>24 belong x Text Relocation Table length: %d bytes, +>28 belong x Data Relocation Table length: %d bytes + +0 lelong 0x10000007 MIPS OpenFirmware FORTH Dictionary, +>4 lelong x Text length: %d bytes, +>8 lelong x Data length: %d bytes, +>12 lelong x BSS length: %d bytes, +>16 lelong x Symbol Table length: %d bytes, +>20 lelong x Entry Point: %#08X, +>24 lelong x Text Relocation Table length: %d bytes, +>28 lelong x Data Relocation Table length: %d bytes + +# Dictionary images used by minimal C FORTH environments, any platform, +# using native byte order. + +# Weak. +#0 short 0x5820 cForth 16-bit Dictionary, +#>2 short x Serial: %#08X, +#>4 short x Dictionary Start: %#08X, +#>6 short x Dictionary Size: %d bytes, +#>8 short x User Area Start: %#08X, +#>10 short x User Area Size: %d bytes, +#>12 short x Entry Point: %#08X + +0 long 0x581120 cForth 32-bit Dictionary, +>4 long x Serial: %#08X, +>8 long x Dictionary Start: %#08X, +>12 long x Dictionary Size: %d bytes, +>16 long x User Area Start: %#08X, +>20 long x User Area Size: %d bytes, +>24 long x Entry Point: %#08X diff --git a/magic/Magdir/fortran b/magic/Magdir/fortran new file mode 100644 index 0000000..6abc2f7 --- /dev/null +++ b/magic/Magdir/fortran @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: fortran,v 1.10 2015/11/05 18:47:16 christos Exp $ +# FORTRAN source +# Check that the first 100 lines start with C or whitespace first. +0 regex/100l !\^[^Cc\ \t].*$ +>0 regex/100l \^[Cc][\ \t] FORTRAN program text +!:mime text/x-fortran +!:strength - 5 diff --git a/magic/Magdir/frame b/magic/Magdir/frame new file mode 100644 index 0000000..c0fd840 --- /dev/null +++ b/magic/Magdir/frame @@ -0,0 +1,62 @@ + +#------------------------------------------------------------------------------ +# $File: frame,v 1.14 2019/11/25 00:31:30 christos Exp $ +# frame: file(1) magic for FrameMaker files +# +# This stuff came on a FrameMaker demo tape, most of which is +# copyright, but this file is "published" as witness the following: +# +# Note that this is the Framemaker Maker Interchange Format, not the +# Normal format which would be application/vnd.framemaker. +# +0 string \<MakerFile FrameMaker document +!:mime application/x-mif +>11 string 5.5 (5.5 +>11 string 5.0 (5.0 +>11 string 4.0 (4.0 +>11 string 3.0 (3.0 +>11 string 2.0 (2.0 +>11 string 1.0 (1.0 +>14 byte x %c) +# URL: http://fileformats.archiveteam.org/wiki/Maker_Interchange_Format +# Reference: https://help.adobe.com/en_US/framemaker/mifreference/mifref.pdf +# Update: Joerg Jenderek 2019 Nov +0 string \<MIFFile FrameMaker MIF (ASCII) file +# https://www.iana.org/assignments/media-types/application/vnd.mif +!:mime application/vnd.mif +# mif most but also find bookTOC.framemif +!:ext mif/framemif +# followed by space~20h +#>8 ubyte 0x20 \b, space before version +# 3 characters of version number of the MIF language like 1.0, 2.0 ... 2015 ... +>9 string x (%.3s +# if not greater sign then display 4th character of version +>12 ubyte =0x3e \b) +>12 ubyte !0x3e \b%c) +# comment starting with # shows the name+version number of generating program +>13 search/3 # +>>&0 string x "%s" +0 search/1 \<MakerDictionary FrameMaker Dictionary text +!:mime application/x-mif +>17 string 3.0 (3.0) +>17 string 2.0 (2.0) +>17 string 1.0 (1.x) +0 string \<MakerScreenFont FrameMaker Font file +!:mime application/x-mif +>17 string 1.01 (%s) +0 string \<MML FrameMaker MML file +!:mime application/x-mif +0 string \<BookFile FrameMaker Book file +!:mime application/x-mif +>10 string 3.0 (3.0 +>10 string 2.0 (2.0 +>10 string 1.0 (1.0 +>13 byte x %c) +# XXX - this book entry should be verified, if you find one, uncomment this +#0 string \<Book\040 FrameMaker Book (ASCII) file +#!:mime application/x-mif +#>6 string 3.0 (3.0) +#>6 string 2.0 (2.0) +#>6 string 1.0 (1.0) +0 string \<Maker\040Intermediate\040Print\040File FrameMaker IPL file +!:mime application/x-mif diff --git a/magic/Magdir/freebsd b/magic/Magdir/freebsd new file mode 100644 index 0000000..66aff6c --- /dev/null +++ b/magic/Magdir/freebsd @@ -0,0 +1,164 @@ + +#------------------------------------------------------------------------------ +# $File: freebsd,v 1.9 2022/01/19 12:44:13 christos Exp $ +# freebsd: file(1) magic for FreeBSD objects +# +# All new-style FreeBSD magic numbers are in host byte order (i.e., +# little-endian on x86). +# +# XXX - this comes from the file "freebsd" in a recent FreeBSD version of +# "file"; it, and the NetBSD stuff in "netbsd", appear to use different +# schemes for distinguishing between executable images, shared libraries, +# and object files. +# +# FreeBSD says: +# +# Regardless of whether it's pure, demand-paged, or none of the +# above: +# +# if the entry point is < 4096, then it's a shared library if +# the "has run-time loader information" bit is set, and is +# position-independent if the "is position-independent" bit +# is set; +# +# if the entry point is >= 4096 (or >4095, same thing), then it's +# an executable, and is dynamically-linked if the "has run-time +# loader information" bit is set. +# +# On x86, NetBSD says: +# +# If it's neither pure nor demand-paged: +# +# if it has the "has run-time loader information" bit set, it's +# a dynamically-linked executable; +# +# if it doesn't have that bit set, then: +# +# if it has the "is position-independent" bit set, it's +# position-independent; +# +# if the entry point is non-zero, it's an executable, otherwise +# it's an object file. +# +# If it's pure: +# +# if it has the "has run-time loader information" bit set, it's +# a dynamically-linked executable, otherwise it's just an +# executable. +# +# If it's demand-paged: +# +# if it has the "has run-time loader information" bit set, +# then: +# +# if the entry point is < 4096, it's a shared library; +# +# if the entry point is = 4096 or > 4096 (i.e., >= 4096), +# it's a dynamically-linked executable); +# +# if it doesn't have the "has run-time loader information" bit +# set, then it's just an executable. +# +# (On non-x86, NetBSD does much the same thing, except that it uses +# 8192 on 68K - except for "68k4k", which is presumably "68K with 4K +# pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's +# had 8K pages; dunno about MIPS.) +# +# I suspect the two will differ only in perverse and uninteresting cases +# ("shared" libraries that aren't demand-paged and whose pages probably +# won't actually be shared, executables with entry points <4096). +# +# I leave it to those more familiar with FreeBSD and NetBSD to figure out +# what the right answer is (although using ">4095", FreeBSD-style, is +# probably better than separately checking for "=4096" and ">4096", +# NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged +# executables using the NetBSD technique.) +# +0 lelong&0377777777 041400407 FreeBSD/i386 +>20 lelong <4096 +>>3 byte&0xC0 &0x80 shared library +>>3 byte&0xC0 0x40 PIC object +>>3 byte&0xC0 0x00 object +>20 lelong >4095 +>>3 byte&0x80 0x80 dynamically linked executable +>>3 byte&0x80 0x00 executable +>16 lelong >0 not stripped + +0 lelong&0377777777 041400410 FreeBSD/i386 pure +>20 lelong <4096 +>>3 byte&0xC0 &0x80 shared library +>>3 byte&0xC0 0x40 PIC object +>>3 byte&0xC0 0x00 object +>20 lelong >4095 +>>3 byte&0x80 0x80 dynamically linked executable +>>3 byte&0x80 0x00 executable +>16 lelong >0 not stripped + +0 lelong&0377777777 041400413 FreeBSD/i386 demand paged +>20 lelong <4096 +>>3 byte&0xC0 &0x80 shared library +>>3 byte&0xC0 0x40 PIC object +>>3 byte&0xC0 0x00 object +>20 lelong >4095 +>>3 byte&0x80 0x80 dynamically linked executable +>>3 byte&0x80 0x00 executable +>16 lelong >0 not stripped + +0 lelong&0377777777 041400314 FreeBSD/i386 compact demand paged +>20 lelong <4096 +>>3 byte&0xC0 &0x80 shared library +>>3 byte&0xC0 0x40 PIC object +>>3 byte&0xC0 0x00 object +>20 lelong >4095 +>>3 byte&0x80 0x80 dynamically linked executable +>>3 byte&0x80 0x00 executable +>16 lelong >0 not stripped + +# XXX gross hack to identify core files +# cores start with a struct tss; we take advantage of the following: +# byte 7: highest byte of the kernel stack pointer, always 0xfe +# 8/9: kernel (ring 0) ss value, always 0x0010 +# 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0 +# 28: low order byte of the current PTD entry, always 0 since the +# PTD is page-aligned +# +7 string \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/i386 a.out core file +>1039 string >\0 from '%s' + +# /var/run/ld.so.hints +# What are you laughing about? +0 lelong 011421044151 ld.so hints file (Little Endian +>4 lelong >0 \b, version %d) +>4 belong <1 \b) +0 belong 011421044151 ld.so hints file (Big Endian +>4 belong >0 \b, version %d) +>4 belong <1 \b) + +# +# Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities +# +0 string SCRSHOT_ scrshot(1) screenshot, +>8 byte x version %d, +>9 byte 2 %d bytes in header, +>>10 byte x %d chars wide by +>>11 byte x %d chars high + +# +# FreeBSD kernel minidumps +# +0 string minidump\040FreeBSD/ FreeBSD kernel minidump +# powerpc uses 32-byte magic, followed by 32-byte mmu kind, then version +>17 string powerpc +>>17 string >\0 for %s, +>>>32 string >\0 %s, +>>>>64 byte 0 big endian, +>>>>>64 belong x version %d +>>>>64 default x little endian, +>>>>>64 lelong x version %d +# all other architectures use 24-byte magic, followed by version +>17 default x +>>17 string >\0 for %s, +>>>24 byte 0 big endian, +>>>>24 belong x version %d +>>>24 default x little endian, +>>>>24 lelong x version %d diff --git a/magic/Magdir/fsav b/magic/Magdir/fsav new file mode 100644 index 0000000..5c1d6e2 --- /dev/null +++ b/magic/Magdir/fsav @@ -0,0 +1,128 @@ + +#------------------------------------------------------------------------------ +# $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $ +# fsav: file(1) magic for datafellows fsav virus definition files +# Anthon van der Neut (anthon@mnt.org) + +# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} +0 beshort 0x1575 fsav macro virus signatures +>8 leshort >0 (%d- +>11 byte >0 \b%02d- +>10 byte >0 \b%02d) +# ftp://ftp.f-prot.com/pub/sign.zip +#10 ubyte <12 +#>9 ubyte <32 +#>>8 ubyte 0x0a +#>>>12 ubyte 0x07 +#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- +#>>>>10 byte 0 \b01- +#>>>>10 byte 1 \b02- +#>>>>10 byte 2 \b03- +#>>>>10 byte 3 \b04- +#>>>>10 byte 4 \b05- +#>>>>10 byte 5 \b06- +#>>>>10 byte 6 \b07- +#>>>>10 byte 7 \b08- +#>>>>10 byte 8 \b09- +#>>>>10 byte 9 \b10- +#>>>>10 byte 10 \b11- +#>>>>10 byte 11 \b12- +#>>>>9 ubyte >0 \b%02d) +# ftp://ftp.f-prot.com/pub/sign2.zip +#0 ubyte 0x62 +#>1 ubyte 0xF5 +#>>2 ubyte 0x1 +#>>>3 ubyte 0x1 +#>>>>4 ubyte 0x0e +#>>>>>13 ubyte >0 fsav virus signatures +#>>>>>>11 ubyte x size %#02x +#>>>>>>12 ubyte x \b%02x +#>>>>>>13 ubyte x \b%02x bytes + +# Joerg Jenderek: joerg dot jenderek at web dot de +# clamav-0.100.2\docs\html\node60.html +# https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf +# ClamAV virus database files start with a 512 bytes colon separated header +# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime +# + gzipped (optional) tarball files +# output can often be verified by `sigtool --info=FILE` +0 string ClamAV-VDB: Clam AntiVirus +# padding spaces implies database +>511 ubyte =0x20 database +!:mime application/x-clamav-database +# empty build time +>>10 string =:: (unsigned) +# sigtool(1) man page +!:ext cud +# display some text to avoid error like: +# Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file: could not find any valid magic files! (No error) +>>10 default x (with buildtime) +#>>10 default x +# clamtmp is used for temporarily database like update process +# for pure tar database only cld extension found +!:ext cld/cvd/clamtmp/cud +>511 default x file +!:mime application/x-clamav +!:ext info +>11 string >\0 +# buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE` +>>11 regex \^[^:]{0,23} \b, %s +# version like 25170 +>>>&1 regex \^[^:]{1,6} \b, version %s +# signaturesNumbers like 4566249 +>>>>&1 regex \^[^:]{1,10} \b, %s signatures +# functionalityLevelRequired like 60 +>>>>>&1 regex \^[^:]{1,4} \b, level %s +# X for nothing or MD5 +#>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s" +>>>>>>&1 regex \^[^:]{1,32} +# X for nothing or digital signature starting like AIzk/LYbX +#>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s" +>>>>>>>&1 regex \^[^:]{1,255} +# builder like neo +>>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s +# buildTime like 1506611558 +#>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s +>>>>>>>>>&1 regex \^[^:]{1,10} +# padding with spaces +#>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx +>510 ubyte =0x20 +# inspect real database content +#>>512 ubeshort x \b, database MAGIC %#x +# ./archive handle pure tar archives +>>1012 quad =0 \b, with +>>>512 use tar-file +# not pure tar +>>1012 quad !0 +# one space at the end of text and then handles gzipped archives by ./compress +>>>512 string \037\213 \b, with +>>>>512 indirect x + +# Type: Grisoft AVG AntiVirus +# From: David Newgas <david@newgas.net> +0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data + +0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR +>33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files + +# From: Joerg Jenderek +# URL: https://www.avira.com/ +# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows) +# tested with version 15.0.43.23 at November 2019 +0 string AntiVir\ Qua Avira AntiVir quarantined +!:mime application/x-avira-qua +#!:mime application/octet-stream +!:ext qua +>156 string SUSPICIOUS_FILE +# file path of suspicious file +>>220 lestring16 x %s +>156 string !SUSPICIOUS_FILE +# file path of virus file +>>228 lestring16 x %s +# quarantined date +>60 ldate x at %s +# virus/danger name +>156 string !SUSPICIOUS_FILE +>>156 string x \b, category "%s" + diff --git a/magic/Magdir/fusecompress b/magic/Magdir/fusecompress new file mode 100644 index 0000000..165cf3c --- /dev/null +++ b/magic/Magdir/fusecompress @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: fusecompress,v 1.2 2011/08/08 09:05:55 christos Exp $ +# fusecompress: file(1) magic for fusecompress +0 string \037\135\211 FuseCompress(ed) data +>3 byte 0x00 (none format) +>3 byte 0x01 (bz2 format) +>3 byte 0x02 (gz format) +>3 byte 0x03 (lzo format) +>3 byte 0x04 (xor format) +>3 byte >0x04 (unknown format) +>4 long x uncompressed size: %d diff --git a/magic/Magdir/games b/magic/Magdir/games new file mode 100644 index 0000000..0ccb4ac --- /dev/null +++ b/magic/Magdir/games @@ -0,0 +1,696 @@ + +#------------------------------------------------------------------------------ +# $File: games,v 1.31 2023/03/29 22:57:27 christos Exp $ +# games: file(1) for games + +# Fabio Bonelli <fabiobonelli@libero.it> +# Quake II - III data files +0 string IDP2 Quake II 3D Model file, +>20 long x %u skin(s), +>8 long x (%u x +>12 long x %u), +>40 long x %u frame(s), +>16 long x Frame size %u bytes, +>24 long x %u vertices/frame, +>28 long x %u texture coordinates, +>32 long x %u triangles/frame + +0 string IBSP Quake +>4 long 0x26 II Map file (BSP) +>4 long 0x2E III Map file (BSP) + +0 string IDS2 Quake II SP2 sprite file + +#--------------------------------------------------------------------------- +# Doom and Quake +# submitted by Nicolas Patrois + +0 string \xcb\x1dBoom\xe6\xff\x03\x01 Boom or linuxdoom demo +# some doom lmp files don't match, I've got one beginning with \x6d\x02\x01\x01 + +24 string LxD\ 203 Linuxdoom save +>0 string x , name=%s +>44 string x , world=%s + +# Quake + +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/PAK +# reference: https://quakewiki.org/wiki/.pak +# GRR: line below is too general as it matches also Acorn PackDir compressed Archive +# and Git pack ./revision +0 string PACK +# real Quake examples like pak0.pak have only some hundreds like 150 files +# So test for few files +>8 ulelong <0x01000000 +# in file version 5.32 test for null terminator is only true for +# offset ~< FILE_BYTES_MAX = 1 MB defined in ../../src/file.h +# look for null terminator of 1st entry name +>>(4.l+55) ubyte 0 Quake I or II world or extension +!:mime application/x-dzip +!:ext pak +#>>>8 ulelong x \b, table size %u +# dividing this by entry size (64) gives number of files +>>>8 ulelong/64 x \b, %u files +# offset to the beginning of the file table +>>>4 ulelong x \b, offset %#x +# 1st file entry +>>>(4.l) use pak-entry +# 2nd file entry +#>>>4 ulelong+64 x \b, offset %#x +#>>>(4.l+64) use pak-entry +# +# display file table entry of Quake PAK archive +0 name pak-entry +# normally entry start after header which implies offset 12 or higher +>56 ulelong >11 +# the offset from the beginning of pak to beginning of this entry file contents +>>56 ulelong x at %#x +# the size of file for this entry +>>60 ulelong x %u bytes +# 56 byte null-terminated entry name string includes path like maps/e1m1.bsp +>>0 string x '%-.56s' +# inspect entry content by jumping to entry offset +>>(56) indirect x \b: + +#0 string -1\x0a Quake I demo +#>30 string x version %.4s +#>61 string x level %s + +#0 string 5\x0a Quake I save + +# The levels + +# Quake 1 + +0 string 5\x0aIntroduction Quake I save: start Introduction +0 string 5\x0athe_Slipgate_Complex Quake I save: e1m1 The slipgate complex +0 string 5\x0aCastle_of_the_Damned Quake I save: e1m2 Castle of the damned +0 string 5\x0athe_Necropolis Quake I save: e1m3 The necropolis +0 string 5\x0athe_Grisly_Grotto Quake I save: e1m4 The grisly grotto +0 string 5\x0aZiggurat_Vertigo Quake I save: e1m8 Ziggurat vertigo (secret) +0 string 5\x0aGloom_Keep Quake I save: e1m5 Gloom keep +0 string 5\x0aThe_Door_To_Chthon Quake I save: e1m6 The door to Chthon +0 string 5\x0aThe_House_of_Chthon Quake I save: e1m7 The house of Chthon +0 string 5\x0athe_Installation Quake I save: e2m1 The installation +0 string 5\x0athe_Ogre_Citadel Quake I save: e2m2 The ogre citadel +0 string 5\x0athe_Crypt_of_Decay Quake I save: e2m3 The crypt of decay (dopefish lives!) +0 string 5\x0aUnderearth Quake I save: e2m7 Underearth (secret) +0 string 5\x0athe_Ebon_Fortress Quake I save: e2m4 The ebon fortress +0 string 5\x0athe_Wizard's_Manse Quake I save: e2m5 The wizard's manse +0 string 5\x0athe_Dismal_Oubliette Quake I save: e2m6 The dismal oubliette +0 string 5\x0aTermination_Central Quake I save: e3m1 Termination central +0 string 5\x0aVaults_of_Zin Quake I save: e3m2 Vaults of Zin +0 string 5\x0athe_Tomb_of_Terror Quake I save: e3m3 The tomb of terror +0 string 5\x0aSatan's_Dark_Delight Quake I save: e3m4 Satan's dark delight +0 string 5\x0athe_Haunted_Halls Quake I save: e3m7 The haunted halls (secret) +0 string 5\x0aWind_Tunnels Quake I save: e3m5 Wind tunnels +0 string 5\x0aChambers_of_Torment Quake I save: e3m6 Chambers of torment +0 string 5\x0athe_Sewage_System Quake I save: e4m1 The sewage system +0 string 5\x0aThe_Tower_of_Despair Quake I save: e4m2 The tower of despair +0 string 5\x0aThe_Elder_God_Shrine Quake I save: e4m3 The elder god shrine +0 string 5\x0athe_Palace_of_Hate Quake I save: e4m4 The palace of hate +0 string 5\x0aHell's_Atrium Quake I save: e4m5 Hell's atrium +0 string 5\x0athe_Nameless_City Quake I save: e4m8 The nameless city (secret) +0 string 5\x0aThe_Pain_Maze Quake I save: e4m6 The pain maze +0 string 5\x0aAzure_Agony Quake I save: e4m7 Azure agony +0 string 5\x0aShub-Niggurath's_Pit Quake I save: end Shub-Niggurath's pit + +# Quake DeathMatch levels + +0 string 5\x0aPlace_of_Two_Deaths Quake I save: dm1 Place of two deaths +0 string 5\x0aClaustrophobopolis Quake I save: dm2 Claustrophobopolis +0 string 5\x0aThe_Abandoned_Base Quake I save: dm3 The abandoned base +0 string 5\x0aThe_Bad_Place Quake I save: dm4 The bad place +0 string 5\x0aThe_Cistern Quake I save: dm5 The cistern +0 string 5\x0aThe_Dark_Zone Quake I save: dm6 The dark zone + +# Scourge of Armagon + +0 string 5\x0aCommand_HQ Quake I save: start Command HQ +0 string 5\x0aThe_Pumping_Station Quake I save: hip1m1 The pumping station +0 string 5\x0aStorage_Facility Quake I save: hip1m2 Storage facility +0 string 5\x0aMilitary_Complex Quake I save: hip1m5 Military complex (secret) +0 string 5\x0athe_Lost_Mine Quake I save: hip1m3 The lost mine +0 string 5\x0aResearch_Facility Quake I save: hip1m4 Research facility +0 string 5\x0aAncient_Realms Quake I save: hip2m1 Ancient realms +0 string 5\x0aThe_Gremlin's_Domain Quake I save: hip2m6 The gremlin's domain (secret) +0 string 5\x0aThe_Black_Cathedral Quake I save: hip2m2 The black cathedral +0 string 5\x0aThe_Catacombs Quake I save: hip2m3 The catacombs +0 string 5\x0athe_Crypt__ Quake I save: hip2m4 The crypt +0 string 5\x0aMortum's_Keep Quake I save: hip2m5 Mortum's keep +0 string 5\x0aTur_Torment Quake I save: hip3m1 Tur torment +0 string 5\x0aPandemonium Quake I save: hip3m2 Pandemonium +0 string 5\x0aLimbo Quake I save: hip3m3 Limbo +0 string 5\x0athe_Edge_of_Oblivion Quake I save: hipdm1 The edge of oblivion (secret) +0 string 5\x0aThe_Gauntlet Quake I save: hip3m4 The gauntlet +0 string 5\x0aArmagon's_Lair Quake I save: hipend Armagon's lair + +# Malice + +0 string 5\x0aThe_Academy Quake I save: start The academy +0 string 5\x0aThe_Lab Quake I save: d1 The lab +0 string 5\x0aArea_33 Quake I save: d1b Area 33 +0 string 5\x0aSECRET_MISSIONS Quake I save: d3b Secret missions +0 string 5\x0aThe_Hospital Quake I save: d10 The hospital (secret) +0 string 5\x0aThe_Genetics_Lab Quake I save: d11 The genetics lab (secret) +0 string 5\x0aBACK_2_MALICE Quake I save: d4b Back to Malice +0 string 5\x0aArea44 Quake I save: d1c Area 44 +0 string 5\x0aTakahiro_Towers Quake I save: d2 Takahiro towers +0 string 5\x0aA_Rat's_Life Quake I save: d3 A rat's life +0 string 5\x0aInto_The_Flood Quake I save: d4 Into the flood +0 string 5\x0aThe_Flood Quake I save: d5 The flood +0 string 5\x0aNuclear_Plant Quake I save: d6 Nuclear plant +0 string 5\x0aThe_Incinerator_Plant Quake I save: d7 The incinerator plant +0 string 5\x0aThe_Foundry Quake I save: d7b The foundry +0 string 5\x0aThe_Underwater_Base Quake I save: d8 The underwater base +0 string 5\x0aTakahiro_Base Quake I save: d9 Takahiro base +0 string 5\x0aTakahiro_Laboratories Quake I save: d12 Takahiro laboratories +0 string 5\x0aStayin'_Alive Quake I save: d13 Stayin' alive +0 string 5\x0aB.O.S.S._HQ Quake I save: d14 B.O.S.S. HQ +0 string 5\x0aSHOWDOWN! Quake I save: d15 Showdown! + +# Malice DeathMatch levels + +0 string 5\x0aThe_Seventh_Precinct Quake I save: ddm1 The seventh precinct +0 string 5\x0aSub_Station Quake I save: ddm2 Sub station +0 string 5\x0aCrazy_Eights! Quake I save: ddm3 Crazy eights! +0 string 5\x0aEast_Side_Invertationa Quake I save: ddm4 East side invertationa +0 string 5\x0aSlaughterhouse Quake I save: ddm5 Slaughterhouse +0 string 5\x0aDOMINO Quake I save: ddm6 Domino +0 string 5\x0aSANDRA'S_LADDER Quake I save: ddm7 Sandra's ladder + + +0 string MComprHD MAME CHD compressed hard disk image, +>12 belong x version %u + +# MAME input recordings + +0 string MAMEINP\0 MAME input recording +>8 leqdate x at %s, +>16 leshort x format version %d. +>18 leshort x \b%d, +>20 string x %s driver, +>32 string x %s + +# doom - submitted by Jon Dowland + +0 string =IWAD doom main IWAD data +>4 lelong x containing %d lumps +0 string =PWAD doom patch PWAD data +>4 lelong x containing %d lumps + +# Build engine group files (Duke Nukem, Shadow Warrior, ...) +# Extension: .grp +# Created by: "Ganael Laplanche" <ganael.laplanche@martymac.org> +0 string KenSilverman Build engine group file +>12 lelong x containing %d files + +# Summary: Warcraft 3 save +# Extension: .w3g +# Created by: "Nelson A. de Oliveira" <naoliv@gmail.com> +0 string Warcraft\ III\ recorded\ game %s + + +# Summary: Warcraft 3 map +# Extension: .w3m +# Created by: "Nelson A. de Oliveira" <naoliv@gmail.com> +0 string HM3W Warcraft III map file + + +# Summary: SGF Smart Game Format +# Extension: .sgf +# Reference: https://www.red-bean.com/sgf/ +# Created by: Eduardo Sabbatella <eduardo_sabbatella@yahoo.com.ar> +# Modified by (1): Abel Cheung (regex, more game format) +# FIXME: Some games don't have GM (game type) +0 regex \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format +>2 search/0x200/b GM[ +>>&0 string 1] (Go) +>>&0 string 2] (Othello) +>>&0 string 3] (chess) +>>&0 string 4] (Gomoku+Renju) +>>&0 string 5] (Nine Men's Morris) +>>&0 string 6] (Backgammon) +>>&0 string 7] (Chinese chess) +>>&0 string 8] (Shogi) +>>&0 string 9] (Lines of Action) +>>&0 string 10] (Ataxx) +>>&0 string 11] (Hex) +>>&0 string 12] (Jungle) +>>&0 string 13] (Neutron) +>>&0 string 14] (Philosopher's Football) +>>&0 string 15] (Quadrature) +>>&0 string 16] (Trax) +>>&0 string 17] (Tantrix) +>>&0 string 18] (Amazons) +>>&0 string 19] (Octi) +>>&0 string 20] (Gess) +>>&0 string 21] (Twixt) +>>&0 string 22] (Zertz) +>>&0 string 23] (Plateau) +>>&0 string 24] (Yinsh) +>>&0 string 25] (Punct) +>>&0 string 26] (Gobblet) +>>&0 string 27] (hive) +>>&0 string 28] (Exxit) +>>&0 string 29] (Hnefatal) +>>&0 string 30] (Kuba) +>>&0 string 31] (Tripples) +>>&0 string 32] (Chase) +>>&0 string 33] (Tumbling Down) +>>&0 string 34] (Sahara) +>>&0 string 35] (Byte) +>>&0 string 36] (Focus) +>>&0 string 37] (Dvonn) +>>&0 string 38] (Tamsk) +>>&0 string 39] (Gipf) +>>&0 string 40] (Kropki) + +############################################## +# NetImmerse/Gamebryo game engine entries + +# Summary: Gamebryo game engine file +# Extension: .nif, .kf +# Created by: Abel Cheung <abelcheung@gmail.com> +0 string Gamebryo\ File\ Format,\ Version\ Gamebryo game engine file +>&0 regex [0-9a-z.]+ \b, version %s + +# Summary: Gamebryo game engine file +# Extension: .kfm +# Created by: Abel Cheung <abelcheung@gmail.com> +0 string ;Gamebryo\ KFM\ File\ Version\ Gamebryo game engine animation File +>&0 regex [0-9a-z.]+ \b, version %s + +# Summary: NetImmerse game engine file +# Extension .nif +# Created by: Abel Cheung <abelcheung@gmail.com> +0 string NetImmerse\ File\ Format,\ Version +>&0 string n\ NetImmerse game engine file +>>&0 regex [0-9a-z.]+ \b, version %s + +# Type: SGF Smart Game Format +# URL: https://www.red-bean.com/sgf/ +# From: Eduardo Sabbatella <eduardo_sabbatella@yahoo.com.ar> +2 regex/c \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format +>2 regex/c GM\\[1\\] - Go Game +>2 regex/c GM\\[6\\] - BackGammon Game +>2 regex/c GM\\[11\\] - Hex Game +>2 regex/c GM\\[18\\] - Amazons Game +>2 regex/c GM\\[19\\] - Octi Game +>2 regex/c GM\\[20\\] - Gess Game +>2 regex/c GM\\[21\\] - twix Game + +# Epic Games/Unreal Engine Package +# URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html +# https://eliotvu.com/page/unreal-package-file-format +# Little-endian version (such as x86 PC) +0 lelong 0x9E2A83C1 Unreal Engine package (little-endian) +!:ext xxx/tfc/upk/me1/u +>4 uleshort !0 \b, version %u +>>6 uleshort !0 \b/%03u +>>0 use upk_header +# Big-endian version (such as PS3) +0 belong 0x9E2A83C1 Unreal Engine package (big-endian) +!:ext xxx/tfc +>6 ubeshort !0 \b, version %u +>>4 ubeshort !0 \b/%03u +>>0 use \^upk_header + +0 name upk_header +# Identify game from version and licensee +>4 ulelong 0x000002b2 (Alice Madness Returns) +>4 ulelong 0x002f0313 (Aliens: Colonial Marines) +>4 ulelong 0x005b021b (Alpha Protocol) +>4 ulelong 0x0000032c (AntiChamber) +>4 ulelong 0x00200223 (APB: All Points Bulletin) +>4 ulelong 0x004b02d7 (Bioshock Infinite) +>4 ulelong 0x00380340 (Borderlands 2) +>4 ulelong 0x001d02e6 (Bulletstorm) +>4 ulelong 0x00050240 (CrimeCraft) +>4 ulelong 0x00000356 (Deadlight) +>4 ulelong 0x001e0321 (Dishonored) +>4 ulelong 0x000202a6 (Dungeon Defenders) +>4 ulelong 0x000901ea (Gears of War) +>4 ulelong 0x0000023f (Gears of War 2) +>4 ulelong 0x0000033c (Gears of War 3) +>4 ulelong 0x0000034e (Gears of War: Judgement) +>4 ulelong 0x0004035c (Hawken) +>4 ulelong 0x0001034a (Infinity Blade 2) +>4 ulelong 0x00000350 (InMomentum) +>4 ulelong 0x0015037D (Life Is Strange) +>4 ulelong 0x000b01a5 (Medal of Honor: Airborne) +>4 ulelong 0x002b0218 (Mirrors Edge) +>4 ulelong 0x0000027e (Monday Night Combat) +>4 ulelong 0x0000024b (MoonBase Alpha) +>4 ulelong 0x002e01d8 (Mortal Kombat Komplete Edition 2605) +>4 ulelong 0x0000035c (Painkiller HD) +>4 ulelong 0x0000034d (Q.U.B.E) +>4 ulelong 0x80660340 (Quantum Conundrum) +>4 ulelong 0x0000035b (Ravaged) +>4 ulelong 0x00150340 (Remember Me) +>4 ulelong 0x00060171 (Roboblitz) +>4 ulelong 0x00000325 (Rock of Ages) +>4 ulelong 0x0000032a (Sanctum) +>4 ulelong 0x00030248 (Saw) +>4 ulelong 0x007e0248 (Singularity) +>4 ulelong 0x00090388 (Soldier Front 2) +>4 ulelong 0x000701e6 (Stargate Worlds) +>4 ulelong 0x00000334 (Super Monday Night Combat) +>4 ulelong 0x000002c2 (The Ball) +>4 ulelong 0x000e0262 (The Exiled Realm of Arborea or TERA) +>4 ulelong 0x0000035b (The Five Cores) +>4 ulelong 0x00000349 (The Haunted: Hells Reach) +>4 ulelong 0x00000354 (Unmechanical) +>4 ulelong 0x035c0298 (Unreal Development Kit) +>4 ulelong 0x00000200 (Unreal Tournament 3) +>4 ulelong 0x0000032d (Waves) +>4 ulelong 0x003b034d (XCOM: Enemy Unknown) +# Newer versions insert more headers +>4 ulelong&0xFFFF <249 +>>12 lelong !0 \b, names: %d +>>28 lelong !0 \b, imports: %d +>>20 lelong !0 \b, exports: %d +>4 ulelong&0xFFFF >248 +>>12 belong&0xFF !0 +>>>12 string x \b, folder "%s" +>>>>&5 lelong !0 \b, names: %d +>>>>&21 lelong !0 \b, imports: %d +>>>>&13 lelong !0 \b, exports: %d +>>12 belong&0xFF 0 +>>>16 belong&0xFF !0 +>>>>16 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d +>>>16 belong&0xFF 0 +>>>>20 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d + +0 string ESVG +>4 lelong 0x00160000 +>10 string TOC\020 Empire Deluxe for DOS saved game + +# Sid Meier's Civilization V/VI +# From: Benjamin Lowry <ben@ben.gmbh> +0 string CIV5 +>4 byte 0x08 Sid Meier's Civilization V saved game, +>>12 regex [0-9a-z.]+ saved by game version %s +>4 byte 0x01 Sid Meier's Civilization V replay data, +>>12 regex [0-9a-z.]+ saved by game version %s + +0 string CIV6 Sid Meier's Civilization VI saved game + +# https://syzygy-tables.info/ +# From Michel Van den Bergh +0 string \327f\f\245 Syzygy DTZ tablebase +!:mime application/syzygy +0 string q\350#] Syzygy WDL tablebase +!:mime application/syzygy + +############################################################################## +# Grand Theft Auto (GTA) file formats. +# +# Summary: +# Includes GTA-specific formats used in all games from 1997 to present. Games +# and formats were created by Rockstar North, formerly DMA Design. Magic tests +# were written based on a combination of official and community documentation. +# +# Created by: Oliver Galvin <odg@riseup.net> +# +# References: +# * Classic GTA documentation and research: +# <https://gitlab.com/classic-gta/gta-data> +# * Official RenderWare documentation available from EA: +# <https://github.com/electronicarts/RenderWare3Docs> +# * Lots of community research in the GTAMods wiki: +# <https://gtamods.com/wiki> + +# GTA 2D-Era data - 'Classic' top down games (1/L/2) + +## GTA text + +0 string \xbf\xf8\xbd\x49\x62\xbe GTA1 in-game text (FXT), +0 string GBL GTA2 in-game text (GXT), +>3 string E English, +>>4 uleshort x version %d +>3 string F French, +>>4 uleshort x version %d +>3 string G German, +>>4 uleshort x version %d +>3 string I Italian, +>>4 uleshort x version %d +>3 string S Spanish, +>>4 uleshort x version %d +>3 string J Japanese, +>>4 uleshort x version %d + +## GTA maps + +0 ulelong 331 GTA1 map layout (CMP), +>4 byte 1 Level 1 +>4 byte 2 Level 2 +>4 byte 3 Level 3 +0 string GBMP GTA2/GBH map layout (GMP), +>4 uleshort x version %d +0 string/t [MapFiles] GTA2 multiplayer map metadata (MMP) +0 string/t MainOrBonus\ =\ MAIN GTA2 single player map listing (test1.seq) + +## GTA 2D sprites and textures + +0 ulelong 290 GTA1 style data (GRX), 8 bit editor graphics +0 ulelong 325 GTA1 style data (GRY), 8 bit in-game graphics +0 ulelong 336 GTA1 style data (G24), 24 bit in-game graphics +0 string GBST GTA2/GBH style data (STY), in-game graphics, +>4 uleshort x version %d + +## GTA audio index + +0 ulelong 0 +>4 ulelong <0x40000 +>>8 ulelong >4500 +>>>8 ulelong <45000 GTA audio index data (SDT) + +## GTA scripts + +0 ulelong 0x00080000 +>4 uleshort 0x0024 GTA2 binary main script (SCR) + +0 uleshort 0x063c GTA2 binary mission script (SCR), Residential area (ste) +0 uleshort 0x055b GTA2 binary mission script (SCR), Downtown area (wil) +0 uleshort 0x0469 GTA2 binary mission script (SCR), Industrial area (bil) + +0 string v9.6\0\0 GTA2 replay file (REP), +>8 regex/30c [a-z0-9:\ ]+\0\0 created on %s + +# GTA 3D-Era (III/VC/SA/LCS/VCS) - used by the RenderWare engine by Criterion Games + +## GTA 3D models and textures - RenderWare binary streams + +8 ulelong 0x00000310 RenderWare data, v3.1.0.0, used in GTA III on PS2, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0401ffff RenderWare data, v3.1.0.1, used in GTA III on PC/PS2, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0800ffff RenderWare data, v3.2.0.0, used in GTA III on PC, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0c00ffff RenderWare data, v3.3.0.0, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0c02ffff RenderWare data, v3.3.0.2, used in GTA III PC and GTA VC PS2, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1000ffff RenderWare data, v3.4.0.0, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1003ffff RenderWare data, v3.4.0.3, used in GTA VC PC, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1005ffff RenderWare data, v3.4.0.5, used in GTA III/VC on Android, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1400ffff RenderWare data, v3.5.0.0, used in GTA III/VC on Xbox, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1803ffff RenderWare data, v3.6.0.3, used in GTA SA, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) + +0 string COL RenderWare collision data (COL), +>3 string L version 1, used in GTA III/VC/SA +>3 string 2 version 2, used in GTA SA +>3 string 3 version 3, used in GTA SA +>3 string 4 version 4, used in GTA SA + +## GTA items and animations + +0 string/c #\ ipl\ generated\ from\ max\ file GTA Item Placement data (IPL), used in GTA III/VC +0 string/b bnry GTA Item Placement data (IPL), used in GTA SA/IV, +>4 ulelong x %d items + +0 string ANP GTA animation data (IFP), +>3 string K version 1, used in GTA III/VC +>3 string 3 version 2, used in GTA SA + +0 string GtaSA29 GTA Replay data (REP), used in GTA SA + +## GTA text + +0 string TKEY GTA in-game text (GXT), version 2, used in GTA III +0 string TABL GTA in-game text (GXT), version 3, used in GTA VC/LS/VCS + +## GTA scripts + +0 string \x02\x00\x01 GTA script (SCM), used in GTA III/VC/SA + +## GTA archives + +0 string VER2 GTA archive (IMG), version 2, used in GTA SA, +>4 ulelong x %d items + +# GTA HD-Era (IV/V) - used by the Rockstar Advanced Game Engine (RAGE) + +## GTA models and textures - RAGE resources +# Note: GTA IV formats not yet documented - WAD, WBD, WBN, WHM, WPL + +0 ulelong 0x00695254 GTA Drawable data (WDR), model and weapon data, used in GTA IV +0 ulelong 0x00695238 GTA Windows Frag Type (WFT), vehicle models, used in GTA IV +0 ulelong 0x006953A4 GTA Ped and LOD models (WDD), used in GTA IV +0 ulelong 0x00695384 GTA Windows Texture Dictionary (WTD), used in GTA IV + +## GTA text + +4 string TABL GTA in-game text (GXT), +>0 uleshort x version %d, used in GTA SA/IV +0 string 2GXT GTA in-game text (GXT2), used in GTA V + +## GTA scripts + +0 ulelong 0x0d524353 GTA script (SCO), unencrypted, used in GTA IV, +>4 ulelong x %d code bytes, +>>8 ulelong x %d static variables, +>>>12 ulelong x %d global variables +0 ulelong 0x0e726373 GTA script (SCO), encrypted, used in GTA IV +>4 ulelong x %d code bytes, +>>8 ulelong x %d static variables, +>>>12 ulelong x %d global variables + +## GTA archives + +0 ulelong 0xa94e2a52 GTA archive (IMG), +>4 ulelong x version %d, used in GTA IV, +>>8 ulelong x %d items + +# RPF[0-8] +0 ulelong&0xfffffff0 =0x52504630 +>0 ulelong&0xf <9 RAGE Package Format (RPF), version %d, used in +>>0 ulelong&0xf =0 Rockstar Table Tennis, +>>0 ulelong&0xf =1 *unknown* +>>0 ulelong&0xf =2 GTA IV, +>>0 ulelong&0xf =3 GTA IV Audio & Midnight Club: LA, +>>0 ulelong&0xf =4 Max Payne 3, +>>0 ulelong&0xf =5 *unknown* +>>0 ulelong&0xf =6 RDR, +>>0 ulelong&0xf =7 GTA V, +>>0 ulelong&0xf =8 RDR 2, +>>4 ulelong x %d bytes, +>>>8 ulelong x %d entries + +# Blitz3D Model File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/B3DExport/blob/master/B3DExport.py +0 string BB3D +>4 lelong >0 +>>8 lelong >0 Blitz3D Model +!:ext b3d +>>>8 lelong x \b, version %d + +# Minetest Schematic File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/minetest/blob/5.6.1/src/mapgen/mg_schematic.h +0 string MTSM Minetest Schematic +!:ext mts +>4 ubeshort x \b, version %d +>6 ubeshort x \b, size [%d +>8 ubeshort x \b, %d +>10 ubeshort x \b, %d] + +# MagicaVoxel File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/ephtracy/voxel-model/blob/ee2216c28a78ebb68691dc6cfa9c4ba429117ea2/MagicaVoxel-file-format-vox.txt +# Note: This format is used in Veloren voxel RPG. +0 string VOX\x20 +>4 lelong >0 MagicaVoxel model +!:ext vox +>>4 lelong x \b, version %d + +# Wwise SoundBank +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_SoundBank_(*.bnk) +0 string BKHD +# Little-endian version (such as x86 PC) +>4 ulelong <0x100 Wwise SoundBank (little-endian) +!:ext bnk +>>0 use wwise_bkhd +# Big-endian version (such as PS3) +>4 ubelong <0x100 Wwise SoundBank (big-endian) +!:ext bnk +>>0 use \^wwise_bkhd + +0 name wwise_bkhd +>8 ulelong x \b, version %d +>12 ulelong x \b, id %08X +>16 ulelong =0x00 \b, SFX +>16 ulelong =0x01 \b, arabic +>16 ulelong =0x02 \b, bulgarian +>16 ulelong =0x03 \b, chinese (HK) +>16 ulelong =0x04 \b, chinese (PRC) +>16 ulelong =0x05 \b, chinese (Taiwan) +>16 ulelong =0x06 \b, czech +>16 ulelong =0x07 \b, danish +>16 ulelong =0x08 \b, dutch +>16 ulelong =0x09 \b, english (Australia) +>16 ulelong =0x0A \b, english (India) +>16 ulelong =0x0B \b, english (UK) +>16 ulelong =0x0C \b, english (US) +>16 ulelong =0x0D \b, finnish +>16 ulelong =0x0E \b, french (Canada) +>16 ulelong =0x0F \b, french (France) +>16 ulelong =0x10 \b, german +>16 ulelong =0x11 \b, greek +>16 ulelong =0x12 \b, hebrew +>16 ulelong =0x13 \b, hungarian +>16 ulelong =0x14 \b, indonesian +>16 ulelong =0x15 \b, italian +>16 ulelong =0x16 \b, japanese +>16 ulelong =0x17 \b, korean +>16 ulelong =0x18 \b, latin +>16 ulelong =0x19 \b, norwegian +>16 ulelong =0x1A \b, polish +>16 ulelong =0x1B \b, portuguese (Brazil) +>16 ulelong =0x1C \b, portuguese (Portugal) +>16 ulelong =0x1D \b, romanian +>16 ulelong =0x1E \b, russian +>16 ulelong =0x1F \b, slovenian +>16 ulelong =0x20 \b, spanish (Mexico) +>16 ulelong =0x21 \b, spanish (Spain) +>16 ulelong =0x22 \b, spanish (US) +>16 ulelong =0x23 \b, swedish +>16 ulelong =0x24 \b, turkish +>16 ulelong =0x25 \b, ukrainian +>16 ulelong =0x26 \b, vietnamese + +# Wwise Audio Package +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_Audio_PCK +0 string AKPK +# Little-endian version (such as x86 PC) +>8 ulelong <0x100 Wwise Audio Package (little-endian) +!:ext pck +# Big-endian version (such as PS3) +>8 ubelong <0x100 Wwise Audio Package (big-endian) +!:ext pck diff --git a/magic/Magdir/gcc b/magic/Magdir/gcc new file mode 100644 index 0000000..ae98dc7 --- /dev/null +++ b/magic/Magdir/gcc @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: gcc,v 1.5 2016/07/01 23:31:13 christos Exp $ +# gcc: file(1) magic for GCC special files +# +0 string gpch GCC precompiled header + +# The version field is annoying. It's 3 characters, not zero-terminated. +>5 byte x (version %c +>6 byte x \b%c +>7 byte x \b%c) + +# 67 = 'C', 111 = 'o', 43 = '+', 79 = 'O' +>4 byte 67 for C +>4 byte 111 for Objective-C +>4 byte 43 for C++ +>4 byte 79 for Objective-C++ diff --git a/magic/Magdir/gconv b/magic/Magdir/gconv new file mode 100644 index 0000000..eec5ddc --- /dev/null +++ b/magic/Magdir/gconv @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: gconv +# gconv: file(1) magic for iconv/gconv module configuration cache +# +# Magic number defined in glibc/iconv/iconvconfig.h as GCONVCACHE_MAGIC +# +# From: Marek Cermak <macermak@redhat.com> +# +0 lelong 0x20010324 gconv module configuration cache data diff --git a/magic/Magdir/gentoo b/magic/Magdir/gentoo new file mode 100644 index 0000000..f988047 --- /dev/null +++ b/magic/Magdir/gentoo @@ -0,0 +1,85 @@ +#------------------------------------------------------------------------------ +# $File: gentoo,v 1.5 2022/12/26 17:16:55 christos Exp $ +# gentoo: file(1) magic for gentoo specific formats +# +# Summary: Gentoo ebuild Manifest files (GLEP 74) +# Reference: https://www.gentoo.org/glep/glep-0074.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +# Start by doing a fast check for the most common tags. +0 string AUX +>0 use gentoo-manifest +0 string DATA +>0 use gentoo-manifest +0 string DIST +>0 use gentoo-manifest +0 string EBUILD +>0 use gentoo-manifest +0 string MANIFEST +>0 use gentoo-manifest + +# Manifest can be PGP-signed. +0 string -----BEGIN\040PGP\040SIGNED\040MESSAGE----- +>34 search/32 \n\n +>>&0 string AUX +>>>&0 use gentoo-manifest +>>&0 string DATA +>>>&0 use gentoo-manifest +>>&0 string DIST +>>>&0 use gentoo-manifest +>>&0 string EBUILD +>>>&0 use gentoo-manifest +>>&0 string MANIFEST +>>>&0 use gentoo-manifest + +# Use a more detailed regex to verify that we were correct. +# <tag> <filename> <size> <hash-name> <hash-value>... +# (<tag>'s already been matched prior to calling) +0 name gentoo-manifest +>&0 regex [[:space:]]+[[:print:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+[[:space:]]+[[:xdigit:]]{32} Gentoo Manifest (GLEP 74) +!:mime application/vnd.gentoo.manifest + +# Summary: Gentoo ebuild and eclass files +# Reference: https://projects.gentoo.org/pms/8/pms.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +0 search/512 EAPI= +>0 regex .*\n[\040\t]*EAPI=["']? Gentoo ebuild +>>&0 regex [[:alnum:]+_.-]+ \b, EAPI %s +!:mime application/vnd.gentoo.ebuild + +0 search/512 @ECLASS:\040 Gentoo eclass +>&0 string x %s +!:mime application/vnd.gentoo.eclass + +# Summary: Gentoo supplementary package and category metadata files +# Reference: https://www.gentoo.org/glep/glep-0068.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +0 string \<?xml +>0 search/512 \<catmetadata Gentoo category metadata file +!:mime application/vnd.gentoo.catmetadata+xml +>0 search/512 \<pkgmetadata Gentoo package metadata file +!:mime application/vnd.gentoo.pkgmetadata+xml + +# Summary: Gentoo GLEP 78 binary package +# Reference: https://www.gentoo.org/glep/glep-0078.html +# Note: assumes the strict format +# Submitted by: Michal Gorny <mgorny@gentoo.org> + +# GPKG uses ustar (or ustar-compatible GNU format) that starts with +# a <directory>/gpkg-1 file +257 string ustar +>0 search/100 /gpkg-1\0 +>>0 regex [^/]+ Gentoo GLEP 78 (GPKG) binary package for "%s" +!:mime application/vnd.gentoo.gpkg +!:ext tar +# the logic below requires the gpkg-1 file to be empty +>>>124 string 00000000000\0 +# determine the compression used by looking at the second member name +>>>>512 search/100 .tar. +>>>>>&0 string gz\0 using gzip compression +>>>>>&0 string bz2\0 using bzip2 compression +>>>>>&0 string lz\0 using lzip compression +>>>>>&0 string lz4\0 using lz4 compression +>>>>>&0 string lzo\0 using lzo compression +>>>>>&0 string xz\0 using xz compression +>>>>>&0 string zst\0 using zstd compression +>>>>(636.o+1024) search/611 .sig\0 \b, signed diff --git a/magic/Magdir/geo b/magic/Magdir/geo new file mode 100644 index 0000000..1fde25e --- /dev/null +++ b/magic/Magdir/geo @@ -0,0 +1,166 @@ + +#------------------------------------------------------------------------------ +# $File: geo,v 1.10 2022/10/31 13:22:26 christos Exp $ +# Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> + +###################################################################### +# +# Acoustic Doppler Current Profilers (ADCP) +# +###################################################################### + +0 beshort 0x7f7f RDI Acoustic Doppler Current Profiler (ADCP) + +###################################################################### +# +# Metadata +# +###################################################################### + +0 string Identification_Information FGDC ASCII metadata + +###################################################################### +# +# Seimsic / Subbottom +# +###################################################################### + +# Knudsen subbottom chirp profiler - Binary File Format: B9 +# KEB D409-03167 V1.75 Huffman +0 string KEB\ Knudsen seismic KEL binary (KEB) - +>4 regex [-A-Z0-9]+ Software: %s +>>&1 regex V[0-9]+\\.[0-9]+ version %s + +###################################################################### +# +# LIDAR - Laser altimetry or bathy +# +###################################################################### + + +# Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data +0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar +>4 regex [0-9]+\\.[0-9]+ version %s + +0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data +>3 byte x version %d . +>4 byte x %d + + +###################################################################### +# +# MULTIBEAM SONARS https://www.ldeo.columbia.edu/res/pi/MB-System/formatdoc/ +# +###################################################################### + +# GeoAcoustics - GeoSwath Plus +# Update: Joerg Jenderek +# URL: https://www.mbari.org/products/research-software/mb-system/ +# Reference: http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/ +# GS%2B-6063-BB-GS%2B-Broadcast-Raw-Data-File-Format-Command-Specification.pdf +# Note: All data is written using Intel 80x86 byte ordering (LSB to MSB) +# raw_header_siz; file header size is 544 bytes +4 beshort 0x2002 +# GRR: line above is too general as it matches also some Microsoft Event Trace Logs *.ETL +# skip many (63/753) Microsoft Event Trace Logs (AMSITrace.etl lxcore_kernel.etl NotificationUxBroker.052.etl WindowsBackup.4.etl) with invalid "low" ping header size 0 +>6 leshort >0 GeoSwath RDF +# skip foo samples with invalid "high" spare bytes +#>>536 ulequad =0 OK_THIS_IS_GeoSwath_RDF +#!:mime application/octet-stream +!:mime application/x-geoswath-rdf +# http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/060116342.rdf +!:ext rdf +# filename; original file name like: "C:\GS+\Projects\Default\Raw Data Files\060116342.rdf" +>>8 string x "%-.512s" +# version[8]; recording software version number like: 3.16c +>>527 string x \b, version %-.8s +# creation; unsigned int file creation time; WHAT time format is this? +>>0 ulelong x \b, creation time %#8.8x +# raw_ping_header_size; size of ping header in bytes like: 64 +>>6 leshort !64 \b, ping header size %d +# frequency; system frequency in hertz like: 500000 +>>520 lelong x \b, frequency %d +# echo_type; Echosounder type index like: 1 +>>524 leshort x \b, echo type %#x +# file_mode; file mode mask (0x00 bathy & sidescan, 0x80 bathy, 0x40 sidescan, 0x20 seismic) +>>526 ubyte !0 \b, file mode %#2.2x +# pps_mode; PPS synch mode like: 2 +>>535 byte x \b, pps mode %#x +# char spare[8]; apparently zeroed +>>536 ubequad !0 \b, spare %#16.16llx +# Ping_number; 1st ping number like: 4944 +>>544 lelong x \b, 1st ping number %d + +0 string Start:- GeoSwatch auf text file + +# Seabeam 2100 +# mbsystem code mb41 +0 string SB2100 SeaBeam 2100 multibeam sonar +0 string SB2100DR SeaBeam 2100 DR multibeam sonar +0 string SB2100PR SeaBeam 2100 PR multibeam sonar + +# This corresponds to MB-System format 94, L-3/ELAC/SeaBeam XSE vendor +# format. It is the format of our upgraded SeaBeam 2112 on R/V KNORR. +0 string $HSF XSE multibeam + +# mb121 https://www.saic.com/maritime/gsf/ +8 string GSF-v SAIC generic sensor format (GSF) sonar data, +>&0 regex [0-9]+\\.[0-9]+ version %s + +# MGD77 - https://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm +# mb161 +9 string MGD77 MGD77 Header, Marine Geophysical Data Exchange Format + +# MBSystem processing caches the mbinfo output +1 string Swath\ Data\ File: mbsystem info cache + +# Caris John Hughes Clark format +0 string HDCS Caris multibeam sonar related data +1 string Start/Stop\ parameter\ header: Caris ASCII project summary + +###################################################################### +# +# Visualization and 3D modeling +# +###################################################################### + +# IVS - IVS3d.com Tagged Data Representation +0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file + +# http://www.ecma-international.org/publications/standards/Ecma-363.htm +# 3D in PDFs +0 string U3D ECMA-363, Universal 3D + +###################################################################### +# +# Support files +# +###################################################################### + +# https://midas.psi.ch/elog/ +0 string $@MID@$ elog journal entry + +# Geospatial Designs https://www.geospatialdesigns.com/surfer6_format.htm +0 string DSBB Surfer 6 binary grid file +>4 leshort x \b, %d +>6 leshort x \bx%d +>8 ledouble x \b, minx=%g +>16 ledouble x \b, maxx=%g +>24 ledouble x \b, miny=%g +>32 ledouble x \b, maxy=%g +>40 ledouble x \b, minz=%g +>48 ledouble x \b, maxz=%g + +# magic for LAS format files +# alex myczko <alex@aiei.ch> +# https://www.asprs.org/wp-content/uploads/2010/12/LAS_1_3_r11.pdf +0 string LASF LIDAR point data records +>24 byte >0 \b, version %u +>25 byte >0 \b.%u +>26 string >\0 \b, SYSID %s +>58 string >\0 \b, Generating Software %s + +# magic for PCD format files +# alex myczko <alex@aiei.ch> +# http://pointclouds.org/documentation/tutorials/pcd_file_format.php +0 string #\ .PCD Point Cloud Data diff --git a/magic/Magdir/geos b/magic/Magdir/geos new file mode 100644 index 0000000..66c2bd1 --- /dev/null +++ b/magic/Magdir/geos @@ -0,0 +1,20 @@ + +#------------------------------------------------------------------------------ +# $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $ +# GEOS files (Vidar Madsen, vidar@gimp.org) +# semi-commonly used in embedded and handheld systems. +0 belong 0xc745c153 GEOS +>40 byte 1 executable +>40 byte 2 VMFile +>40 byte 3 binary +>40 byte 4 directory label +>40 byte <1 unknown +>40 byte >4 unknown +>4 string >\0 \b, name "%s" +#>44 short x \b, version %d +#>46 short x \b.%d +#>48 short x \b, rev %d +#>50 short x \b.%d +#>52 short x \b, proto %d +#>54 short x \br%d +#>168 string >\0 \b, copyright "%s" diff --git a/magic/Magdir/gimp b/magic/Magdir/gimp new file mode 100644 index 0000000..e763cbe --- /dev/null +++ b/magic/Magdir/gimp @@ -0,0 +1,77 @@ + +#------------------------------------------------------------------------------ +# $File: gimp,v 1.10 2019/10/15 18:19:40 christos Exp $ +# GIMP Gradient: file(1) magic for the GIMP's gradient data files (.ggr) +# by Federico Mena <federico@nuclecu.unam.mx> + +0 string/t GIMP\ Gradient GIMP gradient data +#!:mime text/plain +!:mime text/x-gimp-ggr +!:ext ggr + +# GIMP palette (.gpl) +# From: Markus Heidelberg <markus.heidelberg@web.de> +0 string/t GIMP\ Palette GIMP palette data +# URL: https://docs.gimp.org/en/gimp-concepts-palettes.html +# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Palette +#!:mime text/plain +!:mime text/x-gimp-gpl +!:ext gpl + +#------------------------------------------------------------------------------ +# XCF: file(1) magic for the XCF image format used in the GIMP (.xcf) developed +# by Spencer Kimball and Peter Mattis +# ('Bucky' LaDieu, nega@vt.edu) + +# URL: https://en.wikipedia.org/wiki/XCF_(file_format) +# Reference: https://gitlab.gnome.org/GNOME/gimp/blob/master/devel-docs/xcf.txt +0 string gimp\ xcf GIMP XCF image data, +!:mime image/x-xcf +!:ext xcf +>9 string file version 0, +>9 string v version +>>10 string >\0 %s, +>14 belong x %u x +>18 belong x %u, +>22 belong 0 RGB Color +>22 belong 1 Greyscale +>22 belong 2 Indexed Color +>22 belong >2 Unknown Image Type. + +#------------------------------------------------------------------------------ +# XCF: file(1) magic for the patterns used in the GIMP (.pat), developed +# by Spencer Kimball and Peter Mattis +# ('Bucky' LaDieu, nega@vt.edu) + +# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Pattern +20 string GPAT GIMP pattern data, +>24 string x %s +!:mime image/x-gimp-pat +!:ext pat + +#------------------------------------------------------------------------------ +# XCF: file(1) magic for the brushes used in the GIMP (.gbr), developed +# by Spencer Kimball and Peter Mattis +# ('Bucky' LaDieu, nega@vt.edu) + +20 string GIMP GIMP brush data +# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Brush +!:mime image/x-gimp-gbr +# some sources also list gpb +!:ext gbr + +# From: Joerg Jenderek +# URL: https://docs.gimp.org/en/gimp-using-animated-brushes.html +# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Animated_Brush +# share\gimp\2.0\brushes\Legacy\confetti.gih +0 search/21/b \040ncells: GIMP animated brush data +!:mime image/x-gimp-gih +!:ext gih + +# GIMP Curves File +# From: "Nelson A. de Oliveira" <naoliv@gmail.com> +0 string #\040GIMP\040Curves\040File GIMP curve file +#!:mime text/plain +!:mime text/x-gimp-curve +!:ext /txt + diff --git a/magic/Magdir/git b/magic/Magdir/git new file mode 100644 index 0000000..67eab32 --- /dev/null +++ b/magic/Magdir/git @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: git,v 1.2 2020/08/09 16:57:15 christos Exp $ +# git: file(1) magic for Git objects + +0 string blob\040 +>5 regex [0-9a-f]+ Git blob %s + +0 string tree\040 +>5 regex [0-9a-f]+ Git tree %s + +0 string commit\040 +>7 regex [0-9a-f]+ Git commit %s diff --git a/magic/Magdir/glibc b/magic/Magdir/glibc new file mode 100644 index 0000000..3b856f3 --- /dev/null +++ b/magic/Magdir/glibc @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: glibc,v 1.1 2018/10/11 15:35:43 christos Exp $ +# glibc locale files +# +# https://sourceware.org/git/?p=glibc.git;f=locale/localeinfo.h;h=68822a63#l32 + +0 belong 0x20070920 glibc locale file LC_CTYPE +0 belong 0x14110320 glibc locale file LC_NUMERIC +0 belong 0x17110320 glibc locale file LC_TIME +0 belong 0x17100520 glibc locale file LC_COLLATE +0 belong 0x11110320 glibc locale file LC_MONETARY +0 belong 0x10110320 glibc locale file LC_MESSAGES +0 belong 0x13110320 glibc locale file LC_ALL +0 belong 0x12110320 glibc locale file LC_PAPER +0 belong 0x1d110320 glibc locale file LC_NAME +0 belong 0x1c110320 glibc locale file LC_ADDRESS +0 belong 0x1f110320 glibc locale file LC_TELEPHONE +0 belong 0x1e110320 glibc locale file LC_MEASUREMENT +0 belong 0x19110320 glibc locale file LC_IDENTIFICATION + diff --git a/magic/Magdir/gnome b/magic/Magdir/gnome new file mode 100644 index 0000000..7a45d1d --- /dev/null +++ b/magic/Magdir/gnome @@ -0,0 +1,59 @@ + +#------------------------------------------------------------------------------ +# $File: gnome,v 1.7 2020/06/23 16:17:08 christos Exp $ +# GNOME related files + +# Contributed by Josh Triplett +# FIXME: Could be simplified if pstring supported two-byte counts +0 string GnomeKeyring\n\r\0\n GNOME keyring +>&0 ubyte 0 \b, major version 0 +>>&0 ubyte 0 \b, minor version 0 +>>>&0 ubyte 0 \b, crypto type 0 (AES) +>>>&0 ubyte >0 \b, crypto type %u (unknown) +>>>&1 ubyte 0 \b, hash type 0 (MD5) +>>>&1 ubyte >0 \b, hash type %u (unknown) +>>>&2 ubelong 0xFFFFFFFF \b, name NULL +>>>&2 ubelong !0xFFFFFFFF +>>>>&-4 ubelong >255 \b, name too long for file's pstring type +>>>>&-4 ubelong <256 +>>>>>&-1 pstring x \b, name "%s" +>>>>>>&0 ubeqdate x \b, last modified %s +>>>>>>&8 ubeqdate x \b, created %s +>>>>>>&16 ubelong &1 +>>>>>>>&0 ubelong x \b, locked if idle for %u seconds +>>>>>>&16 ubelong ^1 \b, not locked if idle +>>>>>>&24 ubelong x \b, hash iterations %u +>>>>>>&28 ubequad x \b, salt %llu +>>>>>>&52 ubelong x \b, %u item(s) + +# From: Alex Beregszaszi <alex@fsn.hu> +4 string gtktalog GNOME Catalogue (gtktalog) +>13 string >\0 version %s + +# Summary: GStreamer binary registry +# Extension: .bin +# Submitted by: Josh Triplett <josh@joshtriplett.org> +0 belong 0xc0def00d GStreamer binary registry +>4 string x \b, version %s + +# GVariant Database file +# By Elan Ruusamae <glen@delfi.ee> +# https://github.com/GNOME/gvdb/blob/master/gvdb-format.h +# It's always "GVariant", it's byte swapped on incompatible archs +# See https://github.com/GNOME/gvdb/blob/master/gvdb-builder.c +# file_builder_serialise() +# https://developer.gnome.org/glib/2.34/glib-GVariant.html#GVariant +0 string GVariant GVariant Database file, +# version is never filled. probably future extension +>8 lelong x version %d +# not sure are these usable, so commented out +#>>16 lelong x start %d, +#>>>20 lelong x end %d + +# G-IR database made by gobject-introspect toolset, +# https://live.gnome.org/GObjectIntrospection +0 string GOBJ\nMETADATA\r\n\032 G-IR binary database +>16 byte x \b, v%d +>17 byte x \b.%d +>20 short x \b, %d entries +>22 short x \b/%d local diff --git a/magic/Magdir/gnu b/magic/Magdir/gnu new file mode 100644 index 0000000..761d657 --- /dev/null +++ b/magic/Magdir/gnu @@ -0,0 +1,173 @@ + +#------------------------------------------------------------------------------ +# $File: gnu,v 1.24 2021/04/26 15:56:00 christos Exp $ +# gnu: file(1) magic for various GNU tools +# +# GNU nlsutils message catalog file format +# +# GNU message catalog (.mo and .gmo files) + +# Update: Joerg Jenderek +# URL: https://www.gnu.org/software/gettext/manual/html_node/MO-Files.html +# Reference: ftp://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.8.tar.gz/ +# gettext-0.19.8.1/gettext-runtime/intl/gmo.h +# Note: maybe call it like "GNU translation gettext machine object" +0 string \336\22\4\225 GNU message catalog (little endian), +#0 ulelong 0x950412DE GNU-format message catalog data +# TODO: write lines in such a way that code can also be called for big endian variant +#>0 use gettext-object +#0 name gettext-object +>4 ulelong x revision +!:mime application/x-gettext-translation +# mo extension is also used for Easeus Partition Master PE32 executable module +# like ConvertFatToNTFS.mo +!:ext gmo/mo +# only found three revision combinations 0.0 0.1 1.1 as unsigned 32-bit +# major revision +>4 ulelong/0xFFff x %u. +# minor revision +>4 ulelong&0x0000FFff x \b%u +>>8 ulelong x \b, %u message +# plural s +>>8 ulelong >1 \bs +# size of hashing table +#>20 ulelong x \b, %u hash +#>20 ulelong >1 \bes +#>24 ulelong x at %#x +# for revision x.0 offset of table with originals is 1Ch if directly after header +>4 ulelong&0x0000FFff =0 +>>12 ulelong !0x1C \b, at %#x string table +# but for x.1 table offset i found is 30h. That means directly after bigger header +>4 ulelong&0x0000FFff >0 +>>12 ulelong !0x30 \b, at %#x string table +# The following variables are only used in .mo files with minor revision >= 1 +# number of system dependent segments +#>>28 ulelong x \b, %u segment +#>>28 ulelong >1 \bs +# offset of table describing system dependent segments +#>>32 ulelong x at %#x +# number of system dependent strings pairs +>>36 ulelong x \b, %u sysdep message +>>36 ulelong >1 \bs +# offset of table with start offsets of original sysdep strings +#>>40 ulelong x \b, at %#x sysdep strings +# offset of table with start offsets of translated sysdep strings +#>>44 ulelong x \b, at %#x sysdep translations +# >>(44.l) ulelong x %#x chars +# >>>&0 ulelong x at %#x +# >>>>(&-4) string x "%s" +# string table after big header +#>>48 ubequad x \b, string table %#llx +# +# 0th string length seems to be always 0 +#>(12.l) ulelong x \b, %u chars +#>>&0 ulelong x at %#x +# if 1st string length positive inspect offset and string +#>(12.l+8) ulelong >0 \b, %u chars +#>>&0 ulelong x at %#x +# if 2nd string length positive inspect offset and string +# >(12.l+16) ulelong >0 \b, %u chars +# >>&0 ulelong x at %#x +# skip newline byte +#>>>(&-4) ubyte =0x0A +#>>>>&0 string x "%s" +#>>>(&-4) ubyte !0x0A +#>>>>&-1 string x '%s' +# offset of table with translation strings +#>16 ulelong x \b, at %#x translation table +# check translation 0 length and offset +>(16.l) ulelong >0 +>>&0 ulelong x +# translation 0 seems to be often Project-Id with name and version +>>>(&-4) string x \b, %s +# trans. 1 with bytes >= 1 unlike icoutils-0.31.0\po\en@boldquot.gmo with 1 NL +>(16.l+8) ulelong >1 +>>&0 ulelong x +>>>(&-4) ubyte !0x0A +>>>>&-1 string x '%s' +# 1 New Line like in tar-1.29\po\de.gmo +>>>(&-4) ubyte =0x0A +>>>>&0 ubyte !0x0A +>>>>>&-1 string x '%s' +# 2nd New Line like in parted-3.1\po\de.gmo +>>>>&0 ubyte =0x0A +>>>>>&0 string x '%s' + +0 string \225\4\22\336 GNU message catalog (big endian), +#0 ubelong 0x950412DE GNU-format message catalog data +!:mime application/x-gettext-translation +!:ext gmo/mo +# TODO: for big endian use same code as for little endian +#>0 use \^gettext-object +# DEBUG code +#>16 ubelong x \b, at %#x translation table +#>(16.L) ubelong x %#x chars +#>>&0 ubelong x at %#x +# unexpected value HERE! +#>>>(&-4) ubequad x %#llx +# +>4 beshort x revision %d. +>6 beshort >0 \b%d, +>>8 belong x %d messages, +>>36 belong x %d sysdep messages +>6 beshort =0 \b%d, +>>8 belong x %d messages + + +# GnuPG +# The format is very similar to pgp +0 string \001gpg GPG key trust database +>4 byte x version %d +# Note: magic.mime had 0x8501 for the next line instead of 0x8502 +0 beshort 0x8502 GPG encrypted data +!:mime text/PGP # encoding: data + +# Update: Joerg Jenderek +# Note: PGP and GPG use same data structure. +# So recognition is now done by ./pgp with start test for byte 0x99 +# This magic is not particularly good, as the keyrings don't have true +# magic. Nevertheless, it covers many keyrings. +# 0 ubeshort-0x9901 <2 +# >3 byte 4 +# >>4 bedate x GPG key public ring, created %s +# !:mime application/x-gnupg-keyring + +# Symmetric encryption +0 leshort 0x0d8c +>4 leshort 0x0203 +>>2 leshort 0x0204 GPG symmetrically encrypted data (3DES cipher) +>>2 leshort 0x0304 GPG symmetrically encrypted data (CAST5 cipher) +>>2 leshort 0x0404 GPG symmetrically encrypted data (BLOWFISH cipher) +>>2 leshort 0x0704 GPG symmetrically encrypted data (AES cipher) +>>2 leshort 0x0804 GPG symmetrically encrypted data (AES192 cipher) +>>2 leshort 0x0904 GPG symmetrically encrypted data (AES256 cipher) +>>2 leshort 0x0a04 GPG symmetrically encrypted data (TWOFISH cipher) +>>2 leshort 0x0b04 GPG symmetrically encrypted data (CAMELLIA128 cipher) +>>2 leshort 0x0c04 GPG symmetrically encrypted data (CAMELLIA192 cipher) +>>2 leshort 0x0d04 GPG symmetrically encrypted data (CAMELLIA256 cipher) + + +# GnuPG Keybox file +# <https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=kbx/keybox-blob.c;hb=HEAD> +# From: Philipp Hahn <hahn@univention.de> +0 belong 32 +>4 byte 1 +>>8 string KBXf GPG keybox database +>>>5 byte 1 version %d +>>>16 bedate x \b, created-at %s +>>>20 bedate x \b, last-maintained %s + + +# From: James Youngman <jay@gnu.org> +# gnu find magic +0 string \0LOCATE GNU findutils locate database data +>7 string >\0 \b, format %s +>7 string 02 \b (frcode) + +# Files produced by GNU gettext + +# gettext message catalogue +0 search/1024 \nmsgid +>&0 search/1024 \nmsgstr GNU gettext message catalogue text +!:strength +100 +!:mime text/x-po diff --git a/magic/Magdir/gnumeric b/magic/Magdir/gnumeric new file mode 100644 index 0000000..928ad3e --- /dev/null +++ b/magic/Magdir/gnumeric @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: gnumeric,v 1.4 2009/09/19 16:28:09 christos Exp $ +# gnumeric: file(1) magic for Gnumeric spreadsheet +# This entry is only semi-helpful, as Gnumeric compresses its files, so +# they will ordinarily reported as "compressed", but at least -z helps +39 string =<gmr:Workbook Gnumeric spreadsheet +!:mime application/x-gnumeric diff --git a/magic/Magdir/gpt b/magic/Magdir/gpt new file mode 100644 index 0000000..c2fd51c --- /dev/null +++ b/magic/Magdir/gpt @@ -0,0 +1,240 @@ + +#------------------------------------------------------------------------------ +# $File: gpt,v 1.5 2020/12/12 20:01:47 christos Exp $ +# +# GPT Partition table patterns. +# Author: Rogier Goossens (goossens.rogier@gmail.com) +# Note that a GPT-formatted disk must contain an MBR as well. +# + +# The initial segment (up to >>>>>>>>422) was copied from the X86 +# partition table code (aka MBR). +# This is kept separate, so that MBR partitions are not reported as well. +# (use -k if you do want them as well) + +# First, detect the MBR partition table +# If more than one GPT protective MBR partition exists, don't print anything +# (the other MBR detection code will then just print the MBR partition table) +0x1FE leshort 0xAA55 +>3 string !MS +>>3 string !SYSLINUX +>>>3 string !MTOOL +>>>>3 string !NEWLDR +>>>>>5 string !DOS +# not FAT (32 bit) +>>>>>>82 string !FAT32 +#not Linux kernel +>>>>>>>514 string !HdrS +#not BeOS +>>>>>>>>422 string !Be\ Boot\ Loader +# GPT with protective MBR entry in partition 1 (only) +>>>>>>>>>450 ubyte 0xee +>>>>>>>>>>466 ubyte !0xee +>>>>>>>>>>>482 ubyte !0xee +>>>>>>>>>>>>498 ubyte !0xee +#>>>>>>>>>>>>>446 use gpt-mbr-partition +>>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(454.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(454.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(454.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(454.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(454.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(454.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(454.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes +# GPT with protective MBR entry in partition 2 (only) +>>>>>>>>>450 ubyte !0xee +>>>>>>>>>>466 ubyte 0xee +>>>>>>>>>>>482 ubyte !0xee +>>>>>>>>>>>>498 ubyte !0xee +#>>>>>>>>>>>>>462 use gpt-mbr-partition +>>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(470.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(470.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(470.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(470.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(470.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(470.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(470.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes +# GPT with protective MBR entry in partition 3 (only) +>>>>>>>>>450 ubyte !0xee +>>>>>>>>>>466 ubyte !0xee +>>>>>>>>>>>482 ubyte 0xee +>>>>>>>>>>>>498 ubyte !0xee +#>>>>>>>>>>>>>478 use gpt-mbr-partition +>>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(486.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(486.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(486.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(486.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(486.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(486.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(486.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes +# GPT with protective MBR entry in partition 4 (only) +>>>>>>>>>450 ubyte !0xee +>>>>>>>>>>466 ubyte !0xee +>>>>>>>>>>>482 ubyte !0xee +>>>>>>>>>>>>498 ubyte 0xee +#>>>>>>>>>>>>>494 use gpt-mbr-partition +>>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(502.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(502.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(502.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(502.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(502.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(502.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(502.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes + +# The following code does GPT detection and processing, including +# sector size detection. +# It has to be duplicated above because the top-level pattern +# (i.e. not called using 'use') must print *something* for file +# to count it as a match. Text only printed in named patterns is +# not counted, and causes file to continue, and try and match +# other patterns. +# +# Unfortunately, when assuming sector sizes >=16k, if the sector size +# happens to be 512 instead, we may find confusing data after the GPT +# table... If the GPT table has less than 128 entries, this may even +# happen for assumed sector sizes as small as 4k +# This could be solved by checking for the presence of the backup GPT +# header as well, but that makes the logic extremely complex +##0 name gpt-mbr-partition +##>(8.l*8192) string EFI\ PART +##>>(8.l*8192) use gpt-mbr-type +##>>&-8 use gpt-table +##>>0 ubyte x of 8192 bytes +##>(8.l*8192) string !EFI\ PART +##>>(8.l*4096) string EFI\ PART GPT partition table +##>>>0 use gpt-mbr-type +##>>>&-8 use gpt-table +##>>>0 ubyte x of 4096 bytes +##>>(8.l*4096) string !EFI\ PART +##>>>(8.l*2048) string EFI\ PART GPT partition table +##>>>>0 use gpt-mbr-type +##>>>>&-8 use gpt-table +##>>>>0 ubyte x of 2048 bytes +##>>>(8.l*2048) string !EFI\ PART +##>>>>(8.l*1024) string EFI\ PART GPT partition table +##>>>>>0 use gpt-mbr-type +##>>>>>&-8 use gpt-table +##>>>>>0 ubyte x of 1024 bytes +##>>>>(8.l*1024) string !EFI\ PART +##>>>>>(8.l*512) string EFI\ PART GPT partition table +##>>>>>>0 use gpt-mbr-type +##>>>>>>&-8 use gpt-table +##>>>>>>0 ubyte x of 512 bytes + +# Print details of MBR type for a GPT-disk +# Calling code ensures that there is only one 0xee partition. +0 name gpt-mbr-type +# GPT with protective MBR entry in partition 1 +>450 ubyte 0xee +>>454 ulelong 1 +>>>462 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>454 ulelong !1 \b (nonstandard: not at LBA 1) +# GPT with protective MBR entry in partition 2 +>466 ubyte 0xee +>>470 ulelong 1 +>>>478 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>>478 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>470 ulelong !1 \b (nonstandard: not at LBA 1) +# GPT with protective MBR entry in partition 3 +>482 ubyte 0xee +>>486 ulelong 1 +>>>494 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>>494 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>486 ulelong !1 \b (nonstandard: not at LBA 1) +# GPT with protective MBR entry in partition 4 +>498 ubyte 0xee +>>502 ulelong 1 +>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>502 ulelong !1 \b (nonstandard: not at LBA 1) + +# Print the information from a GPT partition table structure +0 name gpt-table +>10 uleshort x \b, version %u +>8 uleshort x \b.%u +>56 ulelong x \b, GUID: %08x +>60 uleshort x \b-%04x +>62 uleshort x \b-%04x +>64 ubeshort x \b-%04x +>66 ubeshort x \b-%04x +>68 ubelong x \b%08x +#>80 uleshort x \b, %d partition entries +>32 ulequad+1 x \b, disk size: %lld sectors + +# In case a GPT data-structure is at LBA 0, report it as well +# This covers systems which are not GPT-aware, and which show +# and allow access to the protective partition. This code will +# detect the contents of such a partition. +0 string EFI\ PART GPT data structure (nonstandard: at LBA 0) +>0 use gpt-table +>0 ubyte x (sector size unknown) + + diff --git a/magic/Magdir/gpu b/magic/Magdir/gpu new file mode 100644 index 0000000..36d7124 --- /dev/null +++ b/magic/Magdir/gpu @@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: gpu,v 1.3 2021/04/26 15:56:00 christos Exp $ +# gpu: file(1) magic for GPU input files + +# Standard Portable Intermediate Representation (SPIR) +# Documentation: https://www.khronos.org/spir +# Typical file extension: .spv + +0 belong 0x07230203 Khronos SPIR-V binary, big-endian +>4 belong x \b, version %#08x +>8 belong x \b, generator %#08x + +0 lelong 0x07230203 Khronos SPIR-V binary, little-endian +>4 lelong x \b, version %#08x +>8 lelong x \b, generator %#08x + +# Vulkan Trace file +# Documentation: +# https://github.com/LunarG/VulkanTools/blob/master/vktrace/vktrace_common/\ +# vktrace_trace_packet_identifiers.h +# Typical file extension: .vktrace + +8 lequad 0xABADD068ADEAFD0C Vulkan trace file, little-endian +>0 leshort x \b, version %d + +8 bequad 0xABADD068ADEAFD0C Vulkan trace file, big-endian +>0 beshort x \b, version %d diff --git a/magic/Magdir/grace b/magic/Magdir/grace new file mode 100644 index 0000000..25bd759 --- /dev/null +++ b/magic/Magdir/grace @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: grace,v 1.4 2009/09/19 16:28:09 christos Exp $ +# ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE +# +# ACE/gr binary +0 string \000\000\0001\000\000\0000\000\000\0000\000\000\0002\000\000\0000\000\000\0000\000\000\0003 old ACE/gr binary file +>39 byte >0 - version %c +# ACE/gr ascii +0 string #\ xvgr\ parameter\ file ACE/gr ascii file +0 string #\ xmgr\ parameter\ file ACE/gr ascii file +0 string #\ ACE/gr\ parameter\ file ACE/gr ascii file +# Grace projects +0 string #\ Grace\ project\ file Grace project file +>23 string @version\ (version +>>32 byte >0 %c +>>33 string >\0 \b.%.2s +>>35 string >\0 \b.%.2s) +# ACE/gr fit description files +0 string #\ ACE/gr\ fit\ description\ ACE/gr fit description file +# end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE diff --git a/magic/Magdir/graphviz b/magic/Magdir/graphviz new file mode 100644 index 0000000..d8bf22d --- /dev/null +++ b/magic/Magdir/graphviz @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: graphviz,v 1.9 2019/04/30 04:01:40 christos Exp $ +# graphviz: file(1) magic for https://www.graphviz.org/ + +# FIXME: These patterns match too generally. For example, the first +# line matches a LaTeX file containing the word "graph" (with a { +# following later) and the second line matches this file. +#0 regex/100l [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text +#!:mime text/vnd.graphviz +#0 regex/100l [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text +#!:mime text/vnd.graphviz diff --git a/magic/Magdir/gringotts b/magic/Magdir/gringotts new file mode 100644 index 0000000..b674754 --- /dev/null +++ b/magic/Magdir/gringotts @@ -0,0 +1,48 @@ + +#------------------------------------------------------------------------------ +# $File: gringotts,v 1.6 2017/03/17 21:35:28 christos Exp $ +# gringotts: file(1) magic for Gringotts +# http://devel.pluto.linux.it/projects/Gringotts/ +# author: Germano Rizzo <mano@pluto.linux.it> +#GRG3????Y +0 string GRG Gringotts data file +#file format 1 +>3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 +#file format 2 +>3 string 2 v.2, MCRYPT S2K, +>>8 byte&0x70 0x00 RIJNDAEL-128 crypt, +>>8 byte&0x70 0x10 SERPENT crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x30 CAST-256 crypt, +>>8 byte&0x70 0x40 SAFER+ crypt, +>>8 byte&0x70 0x50 LOKI97 crypt, +>>8 byte&0x70 0x60 3DES crypt, +>>8 byte&0x70 0x70 RIJNDAEL-256 crypt, +>>8 byte&0x08 0x00 SHA1 hash, +>>8 byte&0x08 0x08 RIPEMD-160 hash, +>>8 byte&0x04 0x00 ZLib +>>8 byte&0x04 0x04 BZip2 +>>8 byte&0x03 0x00 lvl.0 +>>8 byte&0x03 0x01 lvl.3 +>>8 byte&0x03 0x02 lvl.6 +>>8 byte&0x03 0x03 lvl.9 +#file format 3 +>3 string 3 v.3, OpenPGP S2K, +>>8 byte&0x70 0x00 RIJNDAEL-128 crypt, +>>8 byte&0x70 0x10 SERPENT crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x30 CAST-256 crypt, +>>8 byte&0x70 0x40 SAFER+ crypt, +>>8 byte&0x70 0x50 LOKI97 crypt, +>>8 byte&0x70 0x60 3DES crypt, +>>8 byte&0x70 0x70 RIJNDAEL-256 crypt, +>>8 byte&0x08 0x00 SHA1 hash, +>>8 byte&0x08 0x08 RIPEMD-160 hash, +>>8 byte&0x04 0x00 ZLib +>>8 byte&0x04 0x04 BZip2 +>>8 byte&0x03 0x00 lvl.0 +>>8 byte&0x03 0x01 lvl.3 +>>8 byte&0x03 0x02 lvl.6 +>>8 byte&0x03 0x03 lvl.9 +#file format >3 +>3 string >3 v.%.1s (unknown details) diff --git a/magic/Magdir/hardware b/magic/Magdir/hardware new file mode 100644 index 0000000..e92986c --- /dev/null +++ b/magic/Magdir/hardware @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: hardware,v 1.1 2018/08/02 06:32:52 christos Exp $ +# hardware magic + +# EDID +# https://en.wikipedia.org/wiki/Extended_Display_Identification_Data +0 string \x00\xFF\xFF\xFF\xFF\xFF\xFF\x00 +>19 byte x +>>18 byte x EDID data, version %u. +>>19 byte x \b%u +#>>17 ubyte+1990 <255 \b, manufactured %u diff --git a/magic/Magdir/hitachi-sh b/magic/Magdir/hitachi-sh new file mode 100644 index 0000000..f64489f --- /dev/null +++ b/magic/Magdir/hitachi-sh @@ -0,0 +1,30 @@ + +#------------------------------------------------------------------------------ +# $File: hitachi-sh,v 1.10 2020/12/12 20:01:47 christos Exp $ +# hitach-sh: file(1) magic for Hitachi Super-H +# +# Super-H COFF +# +# updated by Joerg Jenderek at Oct 2015 +# https://en.wikipedia.org/wiki/COFF +# https://de.wikipedia.org/wiki/Common_Object_File_Format +# http://www.delorie.com/djgpp/doc/coff/filhdr.html +# below test line conflicts with 2nd NTFS filesystem sector +# 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR +# and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/) +0 beshort 0x0500 +# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags +>18 ubeshort&0x8E80 0 +# use big endian variant of subroutine to display name+variables+flags +# for common object formatted files +>>0 use \^display-coff +!:strength -10 + +0 leshort 0x0550 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + diff --git a/magic/Magdir/hp b/magic/Magdir/hp new file mode 100644 index 0000000..d57169e --- /dev/null +++ b/magic/Magdir/hp @@ -0,0 +1,433 @@ + +#------------------------------------------------------------------------------ +# $File: hp,v 1.25 2019/01/13 00:32:38 christos Exp $ +# hp: file(1) magic for Hewlett Packard machines (see also "printer") +# +# XXX - somebody should figure out whether any byte order needs to be +# applied to the "TML" stuff; I'm assuming the Apollo stuff is +# big-endian as it was mostly 68K-based. +# +# I think the 500 series was the old stack-based machines, running a +# UNIX environment atop the "SUN kernel"; dunno whether it was +# big-endian or little-endian. +# +# Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based; +# hp300 are 68020+68881 based; hp400 are also 68k. The following basic +# HP magic is useful for reference, but using "long" magic is a better +# practice in order to avoid collisions. +# +# Guy Harris (guy@netapp.com): some additions to this list came from +# HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1, +# 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0 +# "/etc/magic", though, except for the "archive file relocatable library" +# stuff, and the 68030 and 68040 stuff isn't there at all - are they not +# used in executables, or have they just not yet updated "/etc/magic" +# completely? +# +# 0 beshort 200 hp200 (68010) BSD binary +# 0 beshort 300 hp300 (68020+68881) BSD binary +# 0 beshort 0x20c hp200/300 HP-UX binary +# 0 beshort 0x20d hp400 (68030) HP-UX binary +# 0 beshort 0x20e hp400 (68040?) HP-UX binary +# 0 beshort 0x20b PA-RISC1.0 HP-UX binary +# 0 beshort 0x210 PA-RISC1.1 HP-UX binary +# 0 beshort 0x211 PA-RISC1.2 HP-UX binary +# 0 beshort 0x214 PA-RISC2.0 HP-UX binary + +# +# The "misc" stuff needs a byte order; the archives look suspiciously +# like the old 177545 archives (0xff65 = 0177545). +# +#### Old Apollo stuff +0 beshort 0627 Apollo m68k COFF executable +>18 beshort ^040000 not stripped +>22 beshort >0 - version %d +0 beshort 0624 apollo a88k COFF executable +>18 beshort ^040000 not stripped +>22 beshort >0 - version %d +0 long 01203604016 TML 0123 byte-order format +0 long 01702407010 TML 1032 byte-order format +0 long 01003405017 TML 2301 byte-order format +0 long 01602007412 TML 3210 byte-order format +#### PA-RISC 1.1 +0 belong 0x02100106 PA-RISC1.1 relocatable object +0 belong 0x02100107 PA-RISC1.1 executable +>168 belong &0x00000004 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x02100108 PA-RISC1.1 shared executable +>168 belong&0x4 0x4 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x0210010b PA-RISC1.1 demand-load executable +>168 belong&0x4 0x4 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x0210010e PA-RISC1.1 shared library +>96 belong >0 - not stripped + +0 belong 0x0210010d PA-RISC1.1 dynamic load library +>96 belong >0 - not stripped + +#### PA-RISC 2.0 +0 belong 0x02140106 PA-RISC2.0 relocatable object + +0 belong 0x02140107 PA-RISC2.0 executable +>168 belong &0x00000004 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x02140108 PA-RISC2.0 shared executable +>168 belong &0x00000004 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x0214010b PA-RISC2.0 demand-load executable +>168 belong &0x00000004 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x0214010e PA-RISC2.0 shared library +>96 belong >0 - not stripped + +0 belong 0x0214010d PA-RISC2.0 dynamic load library +>96 belong >0 - not stripped + +#### 800 +0 belong 0x020b0106 PA-RISC1.0 relocatable object + +0 belong 0x020b0107 PA-RISC1.0 executable +>168 belong&0x4 0x4 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x020b0108 PA-RISC1.0 shared executable +>168 belong&0x4 0x4 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x020b010b PA-RISC1.0 demand-load executable +>168 belong&0x4 0x4 dynamically linked +>(144) belong 0x054ef630 dynamically linked +>96 belong >0 - not stripped + +0 belong 0x020b010e PA-RISC1.0 shared library +>96 belong >0 - not stripped + +0 belong 0x020b010d PA-RISC1.0 dynamic load library +>96 belong >0 - not stripped + +#### 500 +0 long 0x02080106 HP s500 relocatable executable +>16 long >0 - version %d + +0 long 0x02080107 HP s500 executable +>16 long >0 - version %d + +0 long 0x02080108 HP s500 pure executable +>16 long >0 - version %d + +#### 200 +0 belong 0x020c0108 HP s200 pure executable +>4 beshort >0 - version %d +>8 belong &0x80000000 save fp regs +>8 belong &0x40000000 dynamically linked +>8 belong &0x20000000 debuggable +>36 belong >0 not stripped + +0 belong 0x020c0107 HP s200 executable +>4 beshort >0 - version %d +>8 belong &0x80000000 save fp regs +>8 belong &0x40000000 dynamically linked +>8 belong &0x20000000 debuggable +>36 belong >0 not stripped + +0 belong 0x020c010b HP s200 demand-load executable +>4 beshort >0 - version %d +>8 belong &0x80000000 save fp regs +>8 belong &0x40000000 dynamically linked +>8 belong &0x20000000 debuggable +>36 belong >0 not stripped + +0 belong 0x020c0106 HP s200 relocatable executable +>4 beshort >0 - version %d +>6 beshort >0 - highwater %d +>8 belong &0x80000000 save fp regs +>8 belong &0x20000000 debuggable +>8 belong &0x10000000 PIC + +0 belong 0x020a0108 HP s200 (2.x release) pure executable +>4 beshort >0 - version %d +>36 belong >0 not stripped + +0 belong 0x020a0107 HP s200 (2.x release) executable +>4 beshort >0 - version %d +>36 belong >0 not stripped + +0 belong 0x020c010e HP s200 shared library +>4 beshort >0 - version %d +>6 beshort >0 - highwater %d +>36 belong >0 not stripped + +0 belong 0x020c010d HP s200 dynamic load library +>4 beshort >0 - version %d +>6 beshort >0 - highwater %d +>36 belong >0 not stripped + +#### MISC +0 long 0x0000ff65 HP old archive +0 long 0x020aff65 HP s200 old archive +0 long 0x020cff65 HP s200 old archive +0 long 0x0208ff65 HP s500 old archive + +0 long 0x015821a6 HP core file + +0 long 0x4da7eee8 HP-WINDOWS font +>8 byte >0 - version %d +0 string Bitmapfile HP Bitmapfile + +0 string IMGfile CIS compimg HP Bitmapfile +# XXX - see "lif" +#0 short 0x8000 lif file +0 long 0x020c010c compiled Lisp + +0 string msgcat01 HP NLS message catalog, +>8 long >0 %d messages + +# Summary: HP-48/49 calculator +# Created by: phk@data.fls.dk +# Modified by (1): AMAKAWA Shuhei <sa264@cam.ac.uk> +# Modified by (2): Samuel Thibault <samuel.thibault@ens-lyon.org> (HP49 support) +0 string HPHP HP +>4 string 48 48 binary +>4 string 49 49 binary +>7 byte >64 - Rev %c +>8 leshort 0x2911 (ADR) +>8 leshort 0x2933 (REAL) +>8 leshort 0x2955 (LREAL) +>8 leshort 0x2977 (COMPLX) +>8 leshort 0x299d (LCOMPLX) +>8 leshort 0x29bf (CHAR) +>8 leshort 0x29e8 (ARRAY) +>8 leshort 0x2a0a (LNKARRAY) +>8 leshort 0x2a2c (STRING) +>8 leshort 0x2a4e (HXS) +>8 leshort 0x2a74 (LIST) +>8 leshort 0x2a96 (DIR) +>8 leshort 0x2ab8 (ALG) +>8 leshort 0x2ada (UNIT) +>8 leshort 0x2afc (TAGGED) +>8 leshort 0x2b1e (GROB) +>8 leshort 0x2b40 (LIB) +>8 leshort 0x2b62 (BACKUP) +>8 leshort 0x2b88 (LIBDATA) +>8 leshort 0x2d9d (PROG) +>8 leshort 0x2dcc (CODE) +>8 leshort 0x2e48 (GNAME) +>8 leshort 0x2e6d (LNAME) +>8 leshort 0x2e92 (XLIB) + +0 string %%HP: HP text +>6 string T(0) - T(0) +>6 string T(1) - T(1) +>6 string T(2) - T(2) +>6 string T(3) - T(3) +>10 string A(D) A(D) +>10 string A(R) A(R) +>10 string A(G) A(G) +>14 string F(.) F(.); +>14 string F(,) F(,); + + +# Summary: HP-38/39 calculator +# Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> +0 string HP3 +>3 string 8 HP 38 +>3 string 9 HP 39 +>4 string Bin binary +>4 string Asc ASCII +>7 string A (Directory List) +>7 string B (Zaplet) +>7 string C (Note) +>7 string D (Program) +>7 string E (Variable) +>7 string F (List) +>7 string G (Matrix) +>7 string H (Library) +>7 string I (Target List) +>7 string J (ASCII Vector specification) +>7 string K (wildcard) + +# Summary: HP-38/39 calculator +# Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> +0 string HP3 +>3 string 8 HP 38 +>3 string 9 HP 39 +>4 string Bin binary +>4 string Asc ASCII +>7 string A (Directory List) +>7 string B (Zaplet) +>7 string C (Note) +>7 string D (Program) +>7 string E (Variable) +>7 string F (List) +>7 string G (Matrix) +>7 string H (Library) +>7 string I (Target List) +>7 string J (ASCII Vector specification) +>7 string K (wildcard) + +# hpBSD magic numbers +0 beshort 200 hp200 (68010) BSD +>2 beshort 0407 impure binary +>2 beshort 0410 read-only binary +>2 beshort 0413 demand paged binary +0 beshort 300 hp300 (68020+68881) BSD +>2 beshort 0407 impure binary +>2 beshort 0410 read-only binary +>2 beshort 0413 demand paged binary +# +# From David Gero <dgero@nortelnetworks.com> +# HP-UX 10.20 core file format from /usr/include/sys/core.h +# Unfortunately, HP-UX uses corehead blocks without specifying the order +# There are four we care about: +# CORE_KERNEL, which starts with the string "HP-UX" +# CORE_EXEC, which contains the name of the command +# CORE_PROC, which contains the signal number that caused the core dump +# CORE_FORMAT, which contains the version of the core file format (== 1) +# The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC +# but we include all 6 variations of the order of the first 3, and +# assume that PROC will always be last +# Order 1: KERNEL, EXEC, FORMAT, PROC +0x10 string HP-UX +>0 belong 2 +>>0xC belong 0x3C +>>>0x4C belong 0x100 +>>>>0x58 belong 0x44 +>>>>>0xA0 belong 1 +>>>>>>0xAC belong 4 +>>>>>>>0xB0 belong 1 +>>>>>>>>0xB4 belong 4 core file +>>>>>>>>>0x90 string >\0 from '%s' +>>>>>>>>>0xC4 belong 3 - received SIGQUIT +>>>>>>>>>0xC4 belong 4 - received SIGILL +>>>>>>>>>0xC4 belong 5 - received SIGTRAP +>>>>>>>>>0xC4 belong 6 - received SIGABRT +>>>>>>>>>0xC4 belong 7 - received SIGEMT +>>>>>>>>>0xC4 belong 8 - received SIGFPE +>>>>>>>>>0xC4 belong 10 - received SIGBUS +>>>>>>>>>0xC4 belong 11 - received SIGSEGV +>>>>>>>>>0xC4 belong 12 - received SIGSYS +>>>>>>>>>0xC4 belong 33 - received SIGXCPU +>>>>>>>>>0xC4 belong 34 - received SIGXFSZ +# Order 2: KERNEL, FORMAT, EXEC, PROC +>>>0x4C belong 1 +>>>>0x58 belong 4 +>>>>>0x5C belong 1 +>>>>>>0x60 belong 0x100 +>>>>>>>0x6C belong 0x44 +>>>>>>>>0xB4 belong 4 core file +>>>>>>>>>0xA4 string >\0 from '%s' +>>>>>>>>>0xC4 belong 3 - received SIGQUIT +>>>>>>>>>0xC4 belong 4 - received SIGILL +>>>>>>>>>0xC4 belong 5 - received SIGTRAP +>>>>>>>>>0xC4 belong 6 - received SIGABRT +>>>>>>>>>0xC4 belong 7 - received SIGEMT +>>>>>>>>>0xC4 belong 8 - received SIGFPE +>>>>>>>>>0xC4 belong 10 - received SIGBUS +>>>>>>>>>0xC4 belong 11 - received SIGSEGV +>>>>>>>>>0xC4 belong 12 - received SIGSYS +>>>>>>>>>0xC4 belong 33 - received SIGXCPU +>>>>>>>>>0xC4 belong 34 - received SIGXFSZ +# Order 3: FORMAT, KERNEL, EXEC, PROC +0x24 string HP-UX +>0 belong 1 +>>0xC belong 4 +>>>0x10 belong 1 +>>>>0x14 belong 2 +>>>>>0x20 belong 0x3C +>>>>>>0x60 belong 0x100 +>>>>>>>0x6C belong 0x44 +>>>>>>>>0xB4 belong 4 core file +>>>>>>>>>0xA4 string >\0 from '%s' +>>>>>>>>>0xC4 belong 3 - received SIGQUIT +>>>>>>>>>0xC4 belong 4 - received SIGILL +>>>>>>>>>0xC4 belong 5 - received SIGTRAP +>>>>>>>>>0xC4 belong 6 - received SIGABRT +>>>>>>>>>0xC4 belong 7 - received SIGEMT +>>>>>>>>>0xC4 belong 8 - received SIGFPE +>>>>>>>>>0xC4 belong 10 - received SIGBUS +>>>>>>>>>0xC4 belong 11 - received SIGSEGV +>>>>>>>>>0xC4 belong 12 - received SIGSYS +>>>>>>>>>0xC4 belong 33 - received SIGXCPU +>>>>>>>>>0xC4 belong 34 - received SIGXFSZ +# Order 4: EXEC, KERNEL, FORMAT, PROC +0x64 string HP-UX +>0 belong 0x100 +>>0xC belong 0x44 +>>>0x54 belong 2 +>>>>0x60 belong 0x3C +>>>>>0xA0 belong 1 +>>>>>>0xAC belong 4 +>>>>>>>0xB0 belong 1 +>>>>>>>>0xB4 belong 4 core file +>>>>>>>>>0x44 string >\0 from '%s' +>>>>>>>>>0xC4 belong 3 - received SIGQUIT +>>>>>>>>>0xC4 belong 4 - received SIGILL +>>>>>>>>>0xC4 belong 5 - received SIGTRAP +>>>>>>>>>0xC4 belong 6 - received SIGABRT +>>>>>>>>>0xC4 belong 7 - received SIGEMT +>>>>>>>>>0xC4 belong 8 - received SIGFPE +>>>>>>>>>0xC4 belong 10 - received SIGBUS +>>>>>>>>>0xC4 belong 11 - received SIGSEGV +>>>>>>>>>0xC4 belong 12 - received SIGSYS +>>>>>>>>>0xC4 belong 33 - received SIGXCPU +>>>>>>>>>0xC4 belong 34 - received SIGXFSZ +# Order 5: FORMAT, EXEC, KERNEL, PROC +0x78 string HP-UX +>0 belong 1 +>>0xC belong 4 +>>>0x10 belong 1 +>>>>0x14 belong 0x100 +>>>>>0x20 belong 0x44 +>>>>>>0x68 belong 2 +>>>>>>>0x74 belong 0x3C +>>>>>>>>0xB4 belong 4 core file +>>>>>>>>>0x58 string >\0 from '%s' +>>>>>>>>>0xC4 belong 3 - received SIGQUIT +>>>>>>>>>0xC4 belong 4 - received SIGILL +>>>>>>>>>0xC4 belong 5 - received SIGTRAP +>>>>>>>>>0xC4 belong 6 - received SIGABRT +>>>>>>>>>0xC4 belong 7 - received SIGEMT +>>>>>>>>>0xC4 belong 8 - received SIGFPE +>>>>>>>>>0xC4 belong 10 - received SIGBUS +>>>>>>>>>0xC4 belong 11 - received SIGSEGV +>>>>>>>>>0xC4 belong 12 - received SIGSYS +>>>>>>>>>0xC4 belong 33 - received SIGXCPU +>>>>>>>>>0xC4 belong 34 - received SIGXFSZ +# Order 6: EXEC, FORMAT, KERNEL, PROC +>0 belong 0x100 +>>0xC belong 0x44 +>>>0x54 belong 1 +>>>>0x60 belong 4 +>>>>>0x64 belong 1 +>>>>>>0x68 belong 2 +>>>>>>>0x74 belong 0x2C +>>>>>>>>0xB4 belong 4 core file +>>>>>>>>>0x44 string >\0 from '%s' +>>>>>>>>>0xC4 belong 3 - received SIGQUIT +>>>>>>>>>0xC4 belong 4 - received SIGILL +>>>>>>>>>0xC4 belong 5 - received SIGTRAP +>>>>>>>>>0xC4 belong 6 - received SIGABRT +>>>>>>>>>0xC4 belong 7 - received SIGEMT +>>>>>>>>>0xC4 belong 8 - received SIGFPE +>>>>>>>>>0xC4 belong 10 - received SIGBUS +>>>>>>>>>0xC4 belong 11 - received SIGSEGV +>>>>>>>>>0xC4 belong 12 - received SIGSYS +>>>>>>>>>0xC4 belong 33 - received SIGXCPU +>>>>>>>>>0xC4 belong 34 - received SIGXFSZ + + diff --git a/magic/Magdir/human68k b/magic/Magdir/human68k new file mode 100644 index 0000000..707c740 --- /dev/null +++ b/magic/Magdir/human68k @@ -0,0 +1,26 @@ + +#------------------------------------------------------------------------------ +# $File: human68k,v 1.6 2021/04/26 15:56:00 christos Exp $ +# human68k: file(1) magic for Human68k (X680x0 DOS) binary formats +# Magic too short! +#0 string HU Human68k +#>68 string LZX LZX compressed +#>>72 string >\0 (version %s) +#>(8.L+74) string LZX LZX compressed +#>>(8.L+78) string >\0 (version %s) +#>60 belong >0 binded +#>(8.L+66) string #HUPAIR hupair +#>0 string HU X executable +#>(8.L+74) string #LIBCV1 - linked PD LIBC ver 1 +#>4 belong >0 - base address %#x +#>28 belong >0 not stripped +#>32 belong >0 with debug information +#0 beshort 0x601a Human68k Z executable +#0 beshort 0x6000 Human68k object file +#0 belong 0xd1000000 Human68k ar binary archive +#0 belong 0xd1010000 Human68k ar ascii archive +#0 beshort 0x0068 Human68k lib archive +#4 string LZX Human68k LZX compressed +#>8 string >\0 (version %s) +#>4 string LZX R executable +#2 string #HUPAIR Human68k hupair R executable diff --git a/magic/Magdir/ibm370 b/magic/Magdir/ibm370 new file mode 100644 index 0000000..dc976f8 --- /dev/null +++ b/magic/Magdir/ibm370 @@ -0,0 +1,52 @@ + +#------------------------------------------------------------------------------ +# $File: ibm370,v 1.11 2021/03/14 16:51:45 christos Exp $ +# ibm370: file(1) magic for IBM 370 and compatibles. +# +# "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". +# What the heck *is* "USS/370"? +# AIX 4.1's "/etc/magic" has +# +# 0 short 0535 370 sysV executable +# >12 long >0 not stripped +# >22 short >0 - version %d +# >30 long >0 - 5.2 format +# 0 short 0530 370 sysV pure executable +# >12 long >0 not stripped +# >22 short >0 - version %d +# >30 long >0 - 5.2 format +# +# instead of the "USS/370" versions of the same magic numbers. +# +0 beshort 0537 370 XA sysV executable +>12 belong >0 not stripped +>22 beshort >0 - version %d +>30 belong >0 - 5.2 format +0 beshort 0532 370 XA sysV pure executable +>12 belong >0 not stripped +>22 beshort >0 - version %d +>30 belong >0 - 5.2 format +0 beshort 054001 370 sysV pure executable +>12 belong >0 not stripped +0 beshort 055001 370 XA sysV pure executable +>12 belong >0 not stripped +0 beshort 056401 370 sysV executable +>12 belong >0 not stripped +0 beshort 057401 370 XA sysV executable +>12 belong >0 not stripped +0 beshort 0531 SVR2 executable (Amdahl-UTS) +>12 belong >0 not stripped +>24 belong >0 - version %d +0 beshort 0534 SVR2 pure executable (Amdahl-UTS) +>12 belong >0 not stripped +>24 belong >0 - version %d +0 beshort 0530 SVR2 pure executable (USS/370) +>12 belong >0 not stripped +>24 belong >0 - version %d +0 beshort 0535 SVR2 executable (USS/370) +>12 belong >0 not stripped +>24 belong >0 - version %d + +# NETDATA (https://en.wikipedia.org/wiki/NETDATA) +# -\INMR01 In EBCDIC +0 string \x60\xe0\xc9\xd5\xd4\xd9\xf0\xf1 IBM NETDATA file diff --git a/magic/Magdir/ibm6000 b/magic/Magdir/ibm6000 new file mode 100644 index 0000000..724b64d --- /dev/null +++ b/magic/Magdir/ibm6000 @@ -0,0 +1,35 @@ + +#------------------------------------------------------------------------------ +# $File: ibm6000,v 1.15 2021/07/03 14:01:46 christos Exp $ +# ibm6000: file(1) magic for RS/6000 and the RT PC. +# +0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module +>12 belong >0 not stripped +# Breaks sun4 statically linked execs. +#0 beshort 0x0103 executable (RT Version 2) or obj module +#>2 byte 0x50 pure +#>28 belong >0 not stripped +#>6 beshort >0 - version %ld +# GRR: line below is too general as it matches also TTComp archive, ASCII, 1K handled by ./archive +0 beshort 0x0104 shared library +# GRR: line below is too general as it matches also TTComp archive, ASCII, 2K handled by ./archive +0 beshort 0x0105 ctab data +0 beshort 0xfe04 structured file +0 string 0xabcdef AIX message catalog +0 belong 0x000001f9 AIX compiled message catalog +0 string \<aiaff> archive +0 string \<bigaf> archive (big format) +0 belong 0x09006bea AIX backup/restore format file +0 belong 0x09006fea AIX backup/restore format file + +0 beshort 0x01f7 64-bit XCOFF executable or object module +>20 belong 0 not stripped +# GRR: this test is still too general as it catches also many FATs of DOS filesystems +4 belong &0x0feeddb0 +# real core dump could not be 32-bit and 64-bit together +>7 byte&0x03 !3 AIX core file +>>1 byte &0x01 fulldump +>>7 byte &0x01 32-bit +>>>0x6e0 string >\0 \b, %s +>>7 byte &0x02 64-bit +>>>0x524 string >\0 \b, %s diff --git a/magic/Magdir/icc b/magic/Magdir/icc new file mode 100644 index 0000000..15fd76b --- /dev/null +++ b/magic/Magdir/icc @@ -0,0 +1,214 @@ + +#------------------------------------------------------------------------------ +# $File: icc,v 1.7 2021/04/26 15:56:00 christos Exp $ +# icc: file(1) magic for International Color Consortium file formats + +# +# Color profiles as per the ICC's "Image technology colour management - +# Architecture, profile format, and data structure" specification. +# See +# +# http://www.color.org/specification/ICC1v43_2010-12.pdf +# +# for Specification ICC.1:2010 (Profile version 4.3.0.0). +# URL: http://fileformats.archiveteam.org/wiki/ICC_profile +# Reference: http://www.color.org/iccmax/ICC.2-2016-7.pdf +# Update: Joerg Jenderek +# +# Bytes 36 to 39 contain a generic profile file signature of "acsp"; +# bytes 40 to 43 "may be used to identify the primary platform/operating +# system framework for which the profile was created". +# +# check and display ICC/ICM color profile +0 name color-profile +>36 string acsp +# skip ASCII like Cognacspirit.txt by month <= 12 +>>26 ubeshort <13 +# platform/operating system. Only 5 mentioned + +# +# This appears to be what's used for Apple ColorSync profiles. +# Instead of adding that, Apple just changed the generic "acsp" entry +# to be for "ColorSync ICC Color Profile" rather than "Kodak Color +# Management System, ICC Profile". +# Yes, it's "APPL", not "AAPL"; see the spec. +>>>40 string APPL ColorSync + +# Microsoft ICM color profile +>>>40 string MSFT Microsoft + +# Yes, that's a blank after "SGI". +>>>40 string SGI\ SGI + +# XXX - is this what's used for the Sun KCMS or not? The standard file +# uses just "acsp" for that, but Apple's file uses it for "ColorSync", +# and there *is* an identified "primary platform" value of SUNW. +>>>40 string SUNW Sun KCMS + +# 5th platform +>>>40 string TGNT Taligent + +# remaining "l" "e" of "color profile" printed later to avoid error +>>>40 string x color profi +#>>>40 string x (%.4s) +!:mime application/vnd.iccprofile +# for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found +>>>8 ubyte =2 +# do not use empty message text to avoid error like +# icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file.exe: could not find any valid magic files! +>>>>9 ubyte !0 \ble +!:ext icc/icm +# minor version +>>>>9 ubyte =0 \bl +# Kodak colour management system +>>>>>4 string =KCMS \be +!:ext icc/icm/cc +>>>>>4 string !KCMS \be +!:ext icc/icm +>>>8 ubyte !2 \ble +!:ext icc +# Profile version major.4bit-minor.sub1.sub2 like 4.3.0.0 (04300000h) +>>>8 ubyte x %u +>>>9 ubyte/16 x \b.%u +# reserved and shall be null but 205.205 in umx1220u.icm +>>>10 ubyte >0 \b.%u +>>>>11 ubyte >0 \b.%u +# preferred colour management module like appl CCMS KCMS Lino UCCM "Win " "FF " +# skip space like in brmsl08f.icm and null like in brmsl09f.icm, brmsl07f.icm +>>>4 string >\ \b, type %.2s +>>>>6 string >\ \b%.1s +>>>>>7 string >\ \b%.1s +# colour space "XYZ " "Lab " "RGB " CMYK GRAY ... +>>>16 string x \b, %.3s +>>>19 string >\ \b%.1s +# Profile Connection Space (PCS) field usually "XYZ " or "Lab " but sometimes +# null or CMYK like in ISOcoated_v2_to_PSOcoated_v3_DeviceLink.icc +>>>20 string >\0 \b/%.3s +>>>>23 string >\ \b%.1s +# eleven device classes +>>>12 string x \b-%.4s device +# skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm +>>>52 string >\040 +# skip "none" model like in "Trinitron Compatible 9300K G2.2.icm" +>>>>52 ubelong !0x6e6f6e65 +# device manufacturer field like "HP " "IBM " EPSO +>>>>>48 string x \b, %.2s +>>>>>50 string >\ \b%.1s +>>>>>51 string >\ \b%.1s +# model like "ADI " "A265" and skip 20000404h in IS330.icm for RICOH RUSSIAN-SC +>>>>>52 string >\ \ \b/%.3s +>>>>>>55 string >\ \b%.1s +>>>>>52 string x model +# creator (often same as manufacture) like HP SONY XROX or null like in A925A.icm +>>>80 string >\0 by %.2s +>>>>82 string >\ \b%.1s +>>>>>83 string >\ \b%.1s +# profile size +>>>0 ubelong x \b, %u bytes +# skip invalid date 0 like in linearSRGB.icc +>>>24 ubequad !0 +# datetime dd-mm-yyyy hh:mm:ss +>>>>28 ubeshort x \b, %u +# month <= 12 +>>>>26 ubeshort x \b-%u +# year +>>>>24 ubeshort x \b-%u +# do not display midnight time like in CNHP8308.ICC +>>>>30 ubequad&0xFFffFFffFFff0000 !0 +# hour <= 24 +>>>>>30 ubeshort x %u +# minutes <= 59 +>>>>>32 ubeshort x \b:%.2u +# seconds <= 59 +>>>>>34 ubeshort x \b:%.2u +# vendor specific flags like 2 in HPCLJ5.ICM +>>>44 ubeshort >0 \b, %#x vendor flags +# profile flags bits 0-2 of least 16 used by ICC +#>>>44 ubelong >0 \b, %#x flags +# icEmbeddedProfileTrue +>>>44 ubelong &1 \b, embedded +# icEmbeddedProfileFalse +#>>>44 ubelong ^1 \b, not embedded +# icUseWithEmbeddedDataOnly +>>>44 ubelong &2 \b, dependently +# icUseAnywhere +#>>>44 ubelong ^2 \b, independently +>>>44 ubelong &4 \b, MCS +#>>>44 ubelong ^4 \b, no MCS +# vendor specific device attributes 1~srgb.icc +# E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM +>>>56 ubelong >0 \b, %#x vendor attribute +# ICC device attributes bits 0-7 used +#>>>60 ubelong x \b, %#x attribute +# http://www.color.org/icc34.h +>>>60 ubelong &0x01 \b, transparent +#>>>60 ubelong ^0x01 \b, reflective +>>>60 ubelong &0x02 \b, matte +#>>>60 ubelong ^0x02 \b, glossy +>>>60 ubelong &0x04 \b, negative +#>>>60 ubelong ^0x04 \b, positive +>>>60 ubelong &0x08 \b, black&white +#>>>60 ubelong ^0x08 \b, colour +>>>60 ubelong &0x10 \b, non-paper +#>>>60 ubelong ^0x10 \b, paper +>>>60 ubelong &0x20 \b, non-textured +#>>>60 ubelong ^0x20 \b, textured +>>>60 ubelong &0x40 \b, non-isotropic +#>>>60 ubelong ^0x40 \b, isotropic +>>>60 ubelong &0x80 \b, self-luminous +#>>>60 ubelong ^0x80 \b, non-self-luminous +# rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM +>>>64 ubelong >3 \b, %#x rendering intent +#>>>64 ubelong =0 \b, perceptual +>>>64 ubelong =1 \b, relative colorimetric +>>>64 ubelong =2 \b, saturation +>>>64 ubelong =3 \b, absolute colorimetric +# PCS illuminant (3*s15Fixed16Numbers) often 0000f6d6 00010000 0000d32d +>>>71 ubequad !0xd6000100000000d3 \b, PCS +# usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found +# often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm +>>>>68 ubelong !0x0000f6d5 X=%#x +# usually Y=1.0~00010000h but Y=0 in brmsl07f.icm +>>>>72 ubelong !0x00010000 Y=%#x +# usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found +# D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm +>>>>76 ubelong !0x0000d32d Z=%#x +# Profile ID. MD5 fingerprinting method as defined in Internet RFC 1321. +>>>84 ubequad >0 \b, %#llx MD5 +# reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD +#>>100 ubequad x \b %#llx reserved +# tag table +# 6 <= tags count <= 43 +#>>>128 ubelong >43 \b, %u tags +>>>128 ubelong x +# shall contain the profileDescriptionTag "desc" , copyrightTag "cprt" +# search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508 +>>>>132 search/508 cprt +# but no copyright tag in linearSRGB.icc +# beneath /System/Library/Frameworks/WebKit.framework/ +# Versions/A/Frameworks/WebCore.framework/Versions/A/Resources +>>>>132 default x \b, no copyright tag +# 1st tag +#>>>132 string x \b, 1st tag %.4s +#>>>136 ubelong x %#x offset +#>>>140 ubelong x %#x len +# 2nd tag,... +# look also for profileDescriptionTag "desc" +>>>132 search/508 desc +# look further for TextDescriptionType "desc" signature +>>>>(&0.L) string =desc +>>>>>&4 pstring/l x "%s" +# look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc +>>>>(&0.L) string =mluc +>>>>>&(&8.L) ubequad x +>>>>>>&4 bestring16 x '%s' + +# Any other profile. +# XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles, +# and use "acsp" for everything else and dump the "primary platform" +# string in those cases? +36 string acsp +>0 use color-profile + + diff --git a/magic/Magdir/iff b/magic/Magdir/iff new file mode 100644 index 0000000..258d16a --- /dev/null +++ b/magic/Magdir/iff @@ -0,0 +1,80 @@ + +#------------------------------------------------------------------------------ +# $File: iff,v 1.18 2022/03/21 19:57:18 christos Exp $ +# iff: file(1) magic for Interchange File Format (see also "audio" & "images") +# +# Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic +# Arts for file interchange. It has also been used by Apple, SGI, and +# especially Commodore-Amiga. +# +# IFF files begin with an 8 byte FORM header, followed by a 4 character +# FORM type, which is followed by the first chunk in the FORM. + +0 string FORM IFF data +#>4 belong x \b, FORM is %d bytes long +# audio formats +>8 string AIFF \b, AIFF audio +!:mime audio/x-aiff +>8 string AIFC \b, AIFF-C compressed audio +!:mime audio/x-aiff +>8 string 8SVX \b, 8SVX 8-bit sampled sound voice +!:mime audio/x-aiff +>8 string 16SV \b, 16SV 16-bit sampled sound voice +>8 string SAMP \b, SAMP sampled audio +>8 string MAUD \b, MAUD MacroSystem audio +>8 string SMUS \b, SMUS simple music +>8 string CMUS \b, CMUS complex music +# image formats +>8 string ILBMBMHD \b, ILBM interleaved image +>>20 beshort x \b, %d x +>>22 beshort x %d +>8 string RGBN \b, RGBN 12-bit RGB image +>8 string RGB8 \b, RGB8 24-bit RGB image +>8 string DEEP \b, DEEP TVPaint/XiPaint image +>8 string DR2D \b, DR2D 2-D object +>8 string TDDD \b, TDDD 3-D rendering +>8 string LWOB \b, LWOB 3-D object +>8 string LWO2 \b, LWO2 3-D object, v2 +>8 string LWLO \b, LWLO 3-D layered object +>8 string REAL \b, REAL Real3D rendering +>8 string MC4D \b, MC4D MaxonCinema4D rendering +>8 string ANIM \b, ANIM animation +>8 string YAFA \b, YAFA animation +>8 string SSA\ \b, SSA super smooth animation +>8 string FANT \b, Fantavision animation +>8 string ACBM \b, ACBM continuous image +>8 string FAXX \b, FAXX fax image +>8 string STFX \b, ST-Fax image +>8 string IMAGIHDR \b, CD-i image +# other formats +>8 string FTXT \b, FTXT formatted text +>8 string CTLG \b, CTLG message catalog +>8 string PREF \b, PREF preferences +>8 string DTYP \b, DTYP datatype description +>8 string PTCH \b, PTCH binary patch +>8 string AMFF \b, AMFF AmigaMetaFile format +>8 string WZRD \b, WZRD StormWIZARD resource +>8 string DOC\040 \b, DOC desktop publishing document +>8 string SWRT \b, SWRT Final Copy/Writer document +>8 string WORD \b, ProWrite document +>8 string WTXT \b, WTXT Wordworth document +>8 string WOWO \b, WOWO Wordworth document +>8 string WVQA \b, Westwood Studios VQA Multimedia, +>>24 leshort x %d video frames, +>>26 leshort x %d x +>>28 leshort x %d +>8 string MOVE \b, Wing Commander III Video +>>12 string _PC_ \b, PC version +>>12 string 3DO_ \b, 3DO version + +# These go at the end of the iff rules +# +# David Griffith <dave@661.org> +# I don't see why these might collide with anything else. +# +# Interactive Fiction related formats +# +>8 string IFRS \b, Blorb Interactive Fiction +>>24 string Exec with executable chunk +>8 string IFZS \b, Z-machine or Glulx saved game file (Quetzal) +!:mime application/x-blorb diff --git a/magic/Magdir/images b/magic/Magdir/images new file mode 100644 index 0000000..48e9f6d --- /dev/null +++ b/magic/Magdir/images @@ -0,0 +1,4219 @@ + +#------------------------------------------------------------------------------ +# $File: images,v 1.243 2023/07/17 16:49:09 christos Exp $ +# images: file(1) magic for image formats (see also "iff", and "c-lang" for +# XPM bitmaps) +# +# originally from jef@helios.ee.lbl.gov (Jef Poskanzer), +# additions by janl@ifi.uio.no as well as others. Jan also suggested +# merging several one- and two-line files into here. +# +# little magic: PCX (first byte is 0x0a) + +# Targa - matches `povray', `ppmtotga' and `xv' outputs +# by Philippe De Muyter <phdm@macqel.be> +# URL: http://justsolve.archiveteam.org/wiki/TGA +# Reference: http://www.dca.fee.unicamp.br/~martino/disciplinas/ea978/tgaffs.pdf +# Update: Joerg Jenderek +# at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 +# ,32 or 33 (both not observed) +# at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise +# or theoretically 2-128 reserved for use by Truevision or 128-255 may be used for developer applications +# at 3, leshort Index is 0 for povray, ppmtotga and xv outputs +# `xv' recognizes only a subset of the following (RGB with pixelsize = 24) +# `tgatoppm' recognizes a superset (Index may be anything) +# +# test of Color Map Type 0~no 1~color map +# and Image Type 1 2 3 9 10 11 32 33 +# and Color Map Entry Size 0 15 16 24 32 +0 ubequad&0x00FeC400000000C0 0 +# Conflict with MPEG sequences. +!:strength -40 +# Prevent conflicts with CRI ADX. +#>(2.S-2) belong !0x28632943 +# above line does not work for rgb32_top_left_rle.tga +# skip some MPEG sequence *.vob and some CRI ADX audio with improbable interleave bits +>17 ubyte&0xC0 !0xC0 +# skip more garbage like *.iso by looking for positive image type +>>2 ubyte >0 +# skip some compiled terminfo like xterm+tmux by looking for image type less equal 33 +>>>2 ubyte <34 +# skip some MPEG sequence *.vob HV001T01.EVO winnicki.mpg with unacceptable alpha channel depth 11 +>>>>17 ubyte&0x0F !11 +# skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel depth 1 8 15 16 24 32 +>>>>>16 ubyte 1 +>>>>>>0 use tga-image +>>>>>16 ubyte 8 +>>>>>>0 use tga-image +>>>>>16 ubyte 15 +>>>>>>0 use tga-image +>>>>>16 ubyte 16 +>>>>>>0 use tga-image +>>>>>16 ubyte 24 +>>>>>>0 use tga-image +>>>>>16 ubyte 32 +>>>>>>0 use tga-image +# display tga bitmap image information +0 name tga-image +>2 ubyte <34 Targa image data +!:mime image/x-tga +!:apple ????TPIC +# normal extension .tga but some Truevision products used others: +# tpic (Apple),icb (Image Capture Board),vda (Video Display Adapter),vst (NuVista),win (UNSURE about that) +!:ext tga/tpic/icb/vda/vst +# image type 1 2 3 9 10 11 32 33 +>2 ubyte&0xF7 1 - Map +>2 ubyte&0xF7 2 - RGB +# alpha channel +>>17 ubyte&0x0F >0 \bA +>2 ubyte&0xF7 3 - Mono +# type not found, but by http://www.fileformat.info/format/tga/corion.htm +# Compressed color-mapped data, using Huffman, Delta, and runlength encoding +>2 ubyte 32 - Color +# Compressed color-mapped data, using Huffman, Delta, and RLE. 4-pass quadtree- type process +>2 ubyte 33 - Color +# Color Map Type 0~no 1~color map +>1 ubyte 1 ( +# first color map entry, 0 normal +>>3 uleshort >0 \b%d- +# color map length 0 2 1dh 3bh d9h 100h +>>5 uleshort x \b%d) +# 8~run length encoding bit +>2 ubyte&0x08 8 - RLE +# gimp can create big pictures! +>12 uleshort >0 %d x +>12 uleshort =0 65536 x +# image height. 0 interpreted as 65536 +>14 uleshort >0 %d +>14 uleshort =0 65536 +# Image Pixel depth 1 8 15 16 24 32 +>16 ubyte x x %d +# X origin of image. 0 normal +>8 uleshort >0 +%d +# Y origin of image. 0 normal; positive for top +>10 uleshort >0 +%d +# Image descriptor: bits 3-0 give the alpha channel depth, bits 5-4 give direction +# alpha depth like: 1 8 +>17 ubyte&0x0F >0 - %d-bit alpha +# bits 5-4 give direction. normal bottom left +>17 ubyte &0x20 - top +#>17 ubyte ^0x20 - bottom +>17 ubyte &0x10 - right +#>17 ubyte ^0x10 - left +# some info say other bits 6-7 should be zero +# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm +# 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved +#>17 ubyte&0xC0 0x00 - no interleave +>17 ubyte&0xC0 0x40 - interleave +>17 ubyte&0xC0 0x80 - four way interleave +>17 ubyte&0xC0 0xC0 - reserved +# positive length implies identification field +>0 ubyte >0 +>>18 string x "%s" +# last 18 bytes of newer tga file footer signature +>18 search/4261301/s TRUEVISION-XFILE.\0 +# extension area offset if not 0 +>>&-8 ulelong >0 +# length of the extension area. normal 495 for version 2.0 +>>>(&-4.l) uleshort 0x01EF +# AuthorName[41] +>>>>&0 string >\0 - author "%-.40s" +# Comment[324]=4 * 80 null terminated +>>>>&41 string >\0 - comment "%-.80s" +# date +>>>>&365 ubequad&0xffffFFFFffff0000 !0 +# Day +>>>>>&-6 uleshort x %d +# Month +>>>>>&-8 uleshort x \b-%d +# Year +>>>>>&-4 uleshort x \b-%d +# time +>>>>&371 ubequad&0xffffFFFFffff0000 !0 +# hour +>>>>>&-8 uleshort x %d +# minutes +>>>>>&-6 uleshort x \b:%.2d +# second +>>>>>&-4 uleshort x \b:%.2d +# JobName[41] +>>>>&377 string >\0 - job "%-.40s" +# JobHour Jobminute Jobsecond +>>>>&418 ubequad&0xffffFFFFffff0000 !0 +>>>>>&-8 uleshort x %d +>>>>>&-6 uleshort x \b:%.2d +>>>>>&-4 uleshort x \b:%.2d +# SoftwareId[41] +>>>>&424 string >\0 - %-.40s +# SoftwareVersionNumber +>>>>&424 ubyte >0 +>>>>>&40 uleshort/100 x %d +>>>>>&40 uleshort%100 x \b.%d +# VersionLetter +>>>>>&42 ubyte >0x20 \b%c +# KeyColor +>>>>&468 ulelong >0 - keycolor %#8.8x +# Denominator of Pixel ratio. 0~no pixel aspect +>>>>&474 uleshort >0 +# Numerator +>>>>>&-4 uleshort >0 - aspect %d +>>>>>&-2 uleshort x \b/%d +# Denominator of Gamma ratio. 0~no Gamma value +>>>>&478 uleshort >0 +# Numerator +>>>>>&-4 uleshort >0 - gamma %d +>>>>>&-2 uleshort x \b/%d +# ColorOffset +#>>>>&480 ulelong x - col offset %#8.8x +# StampOffset +#>>>>&484 ulelong x - stamp offset %#8.8x +# ScanOffset +#>>>>&488 ulelong x - scan offset %#8.8x +# AttributesType +#>>>>&492 ubyte x - Attributes %#x +## EndOfTGA + +# PBMPLUS images +# URL: https://en.wikipedia.org/wiki/Netpbm +# The next byte following the magic is always whitespace. +# adding 65 to strength so that Netpbm images comes before "x86 boot sector" or +# "DOS/MBR boot sector" identified by ./filesystems +0 name netpbm +>3 regex/s =\^[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data +>>&0 regex =[0-9]{1,50} \b, size = %s x +>>>&0 regex =[0-9]{1,50} \b %s + +0 search/1 P1 +# test for whitespace after 2 byte magic +>2 regex/2 [\040\t\f\r\n] +# skip DROID x-fmt-164-signature-id-583.pbm with ten 0 digits +>>3 string !000000000 +>>>0 use netpbm +>>>0 string x \b, bitmap +!:strength + 65 +!:mime image/x-portable-bitmap +!:ext pbm +# check for character # starting a comment line +>>>3 ubyte =0x23 +>>>>4 string x %s + +0 search/1 P2 +>0 regex/4 P2[\040\t\f\r\n] +>>0 use netpbm +>>0 string x \b, greymap +!:strength + 65 +# american spelling gray +!:mime image/x-portable-graymap +!:ext pgm + +0 search/1 P3 +>0 regex/4 P3[\040\t\f\r\n] +>>0 use netpbm +>>0 string x \b, pixmap +!:strength + 65 +!:mime image/x-portable-pixmap +!:ext ppm + +0 string P4 +>0 regex/4 P4[\040\t\f\r\n] +>>0 use netpbm +>>0 string x \b, rawbits, bitmap +!:strength + 65 +!:mime image/x-portable-bitmap +!:ext pbm + +0 string P5 +>0 regex/4 P5[\040\t\f\r\n] +>>0 use netpbm +>>0 string x \b, rawbits, greymap +!:strength + 65 +!:mime image/x-portable-greymap +!:ext pgm + +0 string P6 +>0 regex/4 P6[\040\t\f\r\n] +>>0 use netpbm +>>0 string x \b, rawbits, pixmap +!:strength + 65 +!:mime image/x-portable-pixmap +!:ext ppm/pnm + +# URL: https://en.wikipedia.org/wiki/Netpbm#PAM_graphics_format +# Reference: http://fileformats.archiveteam.org/wiki/Portable_Arbitrary_Map +# Update: Joerg Jenderek +0 string P7 +# skip DROID fmt-405-signature-id-589.pam by looking for character like New Line +>2 ubyte !0xAB +#>2 ubyte =0x0A +>>3 search/256/b WIDTH Netpbm PAM image file, size = +!:mime image/x-portable-arbitrarymap +!:ext pam +!:strength + 65 +>>>&1 string x %s +>>>3 search/256/b HEIGHT x +>>>>&1 string x %s +# at offset 2 a New Line character (0xA) should appear +>>>2 ubyte !0x0A \b, %#x at offset 2 instead new line + +# From: bryanh@giraffe-data.com (Bryan Henderson) +0 string \117\072 Solitaire Image Recorder format +>4 string \013 MGI Type 11 +>4 string \021 MGI Type 17 +0 string .MDA MicroDesign data +>21 ubyte 48 version 2 +>21 ubyte 51 version 3 +0 string .MDP MicroDesign page data +>21 ubyte 48 version 2 +>21 ubyte 51 version 3 + +# NIFF (Navy Interchange File Format, a modification of TIFF) images +# [GRR: this *must* go before TIFF] +0 string IIN1 NIFF image data +!:mime image/x-niff + +# Canon RAW version 1 (CRW) files are a type of Canon Image File Format +# (CIFF) file. These are apparently all little-endian. +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://www.sno.phy.queensu.ca/~phil/exiftool/canon_raw.html +0 string II\x1a\0\0\0HEAPCCDR Canon CIFF raw image data +!:mime image/x-canon-crw +>16 uleshort x \b, version %d. +>14 uleshort x \b%d + +# Canon RAW version 2 (CR2) files are a kind of TIFF with an extra magic +# number. Put this above the TIFF test to make sure we detect them. +# These are apparently all little-endian. +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://libopenraw.freedesktop.org/wiki/Canon_CR2 +0 string II\x2a\0\x10\0\0\0CR Canon CR2 raw image data +!:mime image/x-canon-cr2 +!:strength +80 +>10 ubyte x \b, version %d. +>11 ubyte x \b%d + +# Fujifilm RAF RAW image files with embedded JPEG data and compressed +# or uncompressed CFA RAW data. Byte order: Big Endian. +# URL: https://libopenraw.freedesktop.org/formats/raf/ +# Useful info from http://fileformats.archiveteam.org/wiki/Fujifilm_RAF. +# File extension: RAF +# Works for both the FinePix S2 Pro and the X-T3. Anybody have some more Fuji +# raw samples available? +# -- David Dyer-Bennet <dd-b@dd-b.net> 9-Sep-2021 +0 string FUJIFILMCCD-RAW Fujifilm RAF raw image data +!:mime image/x-fuji-raf +!:ext raf +>0x10 string x \b, format version %4.4s +>0x1C string x \b, camera %s + +# Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) +# The second word of TIFF files is the TIFF version number, 42, which has +# never changed. The TIFF specification recommends testing for it. +0 string MM\x00\x2a TIFF image data, big-endian +!:strength +70 +!:mime image/tiff +!:ext tif/tiff +>(4.L) use \^tiff_ifd +0 string II\x2a\x00 TIFF image data, little-endian +!:mime image/tiff +!:strength +70 +!:ext tif/tiff +>(4.l) use tiff_ifd + +0 name tiff_ifd +>0 uleshort x \b, direntries=%d +>2 use tiff_entry + +0 name tiff_entry +# NewSubFileType +>0 uleshort 0xfe +>>12 use tiff_entry +>0 uleshort 0x100 +>>4 ulelong 1 +>>>12 use tiff_entry +>>>8 uleshort x \b, width=%d +>0 uleshort 0x101 +>>4 ulelong 1 +>>>8 uleshort x \b, height=%d +>>>12 use tiff_entry +>0 uleshort 0x102 +>>8 uleshort x \b, bps=%d +>>12 use tiff_entry +>0 uleshort 0x103 +>>4 ulelong 1 \b, compression= +>>>8 uleshort 1 \bnone +>>>8 uleshort 2 \bhuffman +>>>8 uleshort 3 \bbi-level group 3 +>>>8 uleshort 4 \bbi-level group 4 +>>>8 uleshort 5 \bLZW +>>>8 uleshort 6 \bJPEG (old) +>>>8 uleshort 7 \bJPEG +>>>8 uleshort 8 \bdeflate +>>>8 uleshort 9 \bJBIG, ITU-T T.85 +>>>8 uleshort 0xa \bJBIG, ITU-T T.43 +>>>8 uleshort 0x7ffe \bNeXT RLE 2-bit +>>>8 uleshort 0x8005 \bPackBits (Macintosh RLE) +>>>8 uleshort 0x8029 \bThunderscan RLE +>>>8 uleshort 0x807f \bRasterPadding (CT or MP) +>>>8 uleshort 0x8080 \bRLE (Line Work) +>>>8 uleshort 0x8081 \bRLE (High-Res Cont-Tone) +>>>8 uleshort 0x8082 \bRLE (Binary Line Work) +>>>8 uleshort 0x80b2 \bDeflate (PKZIP) +>>>8 uleshort 0x80b3 \bKodak DCS +>>>8 uleshort 0x8765 \bJBIG +>>>8 uleshort 0x8798 \bJPEG2000 +>>>8 uleshort 0x8799 \bNikon NEF Compressed +>>>8 default x +>>>>8 uleshort x \b(unknown %#x) +>>>12 use tiff_entry +>0 uleshort 0x106 \b, PhotometricInterpretation= +>>8 clear x +>>8 uleshort 0 \bWhiteIsZero +>>8 uleshort 1 \bBlackIsZero +>>8 uleshort 2 \bRGB +>>8 uleshort 3 \bRGB Palette +>>8 uleshort 4 \bTransparency Mask +>>8 uleshort 5 \bCMYK +>>8 uleshort 6 \bYCbCr +>>8 uleshort 8 \bCIELab +>>8 default x +>>>8 uleshort x \b(unknown=%#x) +>>12 use tiff_entry +# FillOrder +>0 uleshort 0x10a +>>4 ulelong 1 +>>>12 use tiff_entry +# DocumentName +>0 uleshort 0x10d +>>(8.l) string x \b, name=%s +>>>12 use tiff_entry +# ImageDescription +>0 uleshort 0x10e +>>(8.l) string x \b, description=%s +>>>12 use tiff_entry +# Make +>0 uleshort 0x10f +>>(8.l) string x \b, manufacturer=%s +>>>12 use tiff_entry +# Model +>0 uleshort 0x110 +>>(8.l) string x \b, model=%s +>>>12 use tiff_entry +# StripOffsets +>0 uleshort 0x111 +>>12 use tiff_entry +# Orientation +>0 uleshort 0x112 \b, orientation= +>>8 uleshort 1 \bupper-left +>>8 uleshort 3 \blower-right +>>8 uleshort 6 \bupper-right +>>8 uleshort 8 \blower-left +>>8 uleshort 9 \bundefined +>>8 default x +>>>8 uleshort x \b[*%d*] +>>12 use tiff_entry +# XResolution +>0 uleshort 0x11a +>>8 ulelong x \b, xresolution=%d +>>12 use tiff_entry +# YResolution +>0 uleshort 0x11b +>>8 ulelong x \b, yresolution=%d +>>12 use tiff_entry +# ResolutionUnit +>0 uleshort 0x128 +>>8 uleshort x \b, resolutionunit=%d +>>12 use tiff_entry +# Software +>0 uleshort 0x131 +>>(8.l) string x \b, software=%s +>>12 use tiff_entry +# Datetime +>0 uleshort 0x132 +>>(8.l) string x \b, datetime=%s +>>12 use tiff_entry +# HostComputer +>0 uleshort 0x13c +>>(8.l) string x \b, hostcomputer=%s +>>12 use tiff_entry +# WhitePoint +>0 uleshort 0x13e +>>12 use tiff_entry +# PrimaryChromaticities +>0 uleshort 0x13f +>>12 use tiff_entry +# YCbCrCoefficients +>0 uleshort 0x211 +>>12 use tiff_entry +# YCbCrPositioning +>0 uleshort 0x213 +>>12 use tiff_entry +# ReferenceBlackWhite +>0 uleshort 0x214 +>>12 use tiff_entry +# Copyright +>0 uleshort 0x8298 +>>(8.l) string x \b, copyright=%s +>>12 use tiff_entry +# ExifOffset +>0 uleshort 0x8769 +>>12 use tiff_entry +# GPS IFD +>0 uleshort 0x8825 \b, GPS-Data +>>12 use tiff_entry + +#>0 uleshort x \b, unknown=%#x +#>>12 use tiff_entry + +0 string MM\x00\x2b Big TIFF image data, big-endian +!:mime image/tiff +0 string II\x2b\x00 Big TIFF image data, little-endian +!:mime image/tiff + +# PNG [Portable Network Graphics, or "PNG's Not GIF"] images +# (Greg Roelofs, newt@uchicago.edu) +# (Albert Cahalan, acahalan@cs.uml.edu) +# +# 137 P N G \r \n ^Z \n [4-byte length] I H D R [HEAD data] [HEAD crc] ... +# + +# IHDR parser +0 name png-ihdr +>0 ubelong x \b, %d x +>4 ubelong x %d, +>8 ubyte x %d-bit +>9 ubyte 0 grayscale, +>9 ubyte 2 \b/color RGB, +>9 ubyte 3 colormap, +>9 ubyte 4 gray+alpha, +>9 ubyte 6 \b/color RGBA, +#>10 ubyte 0 deflate/32K, +>12 ubyte 0 non-interlaced +>12 ubyte 1 interlaced + +# Standard PNG image. +0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data +!:mime image/png +!:ext png +!:strength +10 +>16 use png-ihdr + +# Apple CgBI PNG image. +0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x04CgBI +>24 string \x00\x00\x00\x0DIHDR PNG image data (CgBI) +!:mime image/png +!:ext png +!:strength +10 +>>32 use png-ihdr + +# possible GIF replacements; none yet released! +# (Greg Roelofs, newt@uchicago.edu) +# +# GRR 950115: this was mine ("Zip GIF"): +0 string GIF94z ZIF image (GIF+deflate alpha) +!:mime image/x-unknown +# +# GRR 950115: this is Jeremy Wohl's Free Graphics Format (better): +# +0 string FGF95a FGF image (GIF+deflate beta) +!:mime image/x-unknown +# +# GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal +# (best; not yet implemented): +# +0 string PBF PBF image (deflate compression) +!:mime image/x-unknown + +# GIF +# Strength set up to beat 0x55AA DOS/MBR signature word lookups (+65) +0 string GIF8 GIF image data +!:strength +80 +!:mime image/gif +!:apple 8BIMGIFf +!:ext gif +>4 string 7a \b, version 8%s, +>4 string 9a \b, version 8%s, +>6 uleshort >0 %d x +>8 uleshort >0 %d +#>10 ubyte &0x80 color mapped, +#>10 ubyte&0x07 =0x00 2 colors +#>10 ubyte&0x07 =0x01 4 colors +#>10 ubyte&0x07 =0x02 8 colors +#>10 ubyte&0x07 =0x03 16 colors +#>10 ubyte&0x07 =0x04 32 colors +#>10 ubyte&0x07 =0x05 64 colors +#>10 ubyte&0x07 =0x06 128 colors +#>10 ubyte&0x07 =0x07 256 colors + +# ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, +# 1 plane, no encoding. +0 string \361\0\100\273 CMU window manager raster image data +>4 ulelong >0 %d x +>8 ulelong >0 %d, +>12 ulelong >0 %d-bit + +# Magick Image File Format +# URL: https://imagemagick.org/script/miff.php +# Reference: http://fileformats.archiveteam.org/wiki/MIFF +# Update: Joerg Jenderek +# http://www.nationalarchives.gov.uk/pronom/fmt/930 +0 search/256/bc id=imagemagick +# skip bad ASCII text by following new line~0x0A or space~0x20 character +#>&0 ubyte x \b, next character %#x +# called by TriD ImageMagick Machine independent File Format bitmap +>&0 ubyte&0xD5 0 MIFF image data +# https://reposcope.com/mimetype/image/miff +#!:mime image/miff +!:mime image/x-miff +!:ext miff/mif +# examples with standard file(1) magic +#>>0 string =id=ImageMagick with standard magic +# examples with unusual file(1) magic like +>>0 string !id=ImageMagick starting with +# start with comment (brace) like http://samples.fileformat.info/.../AQUARIUM.MIF +>>>0 ubyte =0x7b comment +# skip second character which is often a newline and show comment +>>>>2 string x "%s" +# does not start with comment, probably letters with other case like Id=ImageMagick +# ImageMagick-7.0.9-2/Magick++/demo/smile_anim.miff +>>>0 ubyte !0x7b +>>>>0 string >\0 '%-.14s' +# URL: https://imagemagick.org/ +# Reference: https://imagemagick.org/script/magick-vector-graphics.php +# From: Joerg Jenderek +# Note: all white-spaces between commands are ignored +0 string push +# skip some white spaces +>5 search/3 graphic-context ImageMagick Vector Graphic +# TODO: look for dangerous commands like CVE-2016-3715 +#!:mime text/plain +!:mime image/x-mvg +!:ext mvg + +# Artisan +0 long 1123028772 Artisan image data +>4 long 1 \b, rectangular 24-bit +>4 long 2 \b, rectangular 8-bit with colormap +>4 long 3 \b, rectangular 32-bit (24-bit with matte) + +# FIG (Facility for Interactive Generation of figures), an object-based format +# URL: http://fileformats.archiveteam.org/wiki/Fig +# https://en.wikipedia.org/wiki/Xfig +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fig.trid.xml +# https://web.archive.org/web/20070920204655/http://epb.lbl.gov/xfig/fig-format.html +# Update: Joerg Jenderek +# Note: called "FIG vector drawing" by TrID, +# 4 byte magic is assumed to be always at offset 0 and +# verified by `fig2mpdf -v bootloader.fig && file bootloader.pdf` +#0 search/1/tb #FIG FIG image text +# GRR: with --keep-going option the line above gives duplicate messages +0 search/1/ts #FIG +>&0 use image-xfig +# binary data variant with non ASCII text characters like Control-A or °C in thermostat.fig +0 search/1/bs #FIG +>&0 use image-xfig +# display XFIG image describing text, mime type, file name extension and version +0 name image-xfig +>8 ubyte x FIG image text +#!:mime text/plain +# https://reposcope.com/mimetype/image/x-xfig +!:mime image/x-xfig +!:ext fig +# version string like: 1.4 2.1 3.1 3.2 +>5 string x \b, version %.3s +# some times after version text like: "Produced by xfig version 3.2.5-alpha5" +>8 ubyte >0x0D +>>8 string x "%s" +# should be point character (2Eh) of version string according to TrID +#>6 ubyte !0x2E \b, at 6 %#x +# caret character (23h) at the beginning in most or probably all examples +#>0 ubyte !0x23 \b, starting with character %#x +# URL: http://fileformats.archiveteam.org/wiki/DeskMate_Draw +# http://en.wikipedia.org/wiki/Deskmate +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dm-fig.trid.xml +# From: Joerg Jenderek +# Note: called "DeskMate Draw drawing" by TrID +0 string \x14FIG DeskMate Drawing +#!:mime application/octet-stream +!:mime image/x-deskmate-fig +!:ext fig +# TODO: +# "Cabri 3D Figure" by TrID fig-cabri.trid.xml +# "Playmation Figure" by TrID fig-playmation.trid.xml + +# PHIGS +0 string ARF_BEGARF PHIGS clear text archive +0 string @(#)SunPHIGS SunPHIGS +# version number follows, in the form m.n +>40 string SunBin binary +>32 string archive archive + +# GKS (Graphics Kernel System) +0 string GKSM GKS Metafile +>24 string SunGKS \b, SunGKS + +# CGM image files +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CGM +# https://en.wikipedia.org/wiki/Computer_Graphics_Metafile +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-ct.trid.xml +# http://standards.iso.org/ittf/PubliclyAvailableStandards/c032381_ISO_IEC_8632-4_1999(E).zip +# Note: called "Computer Graphics Metafile (Clear Text)" by TrID and +# "Computer Graphics Metafile ASCII" by DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# According to TrID only letter B and M are always upcased and by DROID often only B is upcased for command BEGIN METAFILE +0 string/c begmf +# skip SOME DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>5 short !0 +# skip other versions of DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>>5 short !0xABab clear text Computer Graphics Metafile +# https://reposcope.com/mimetype/image/cgm +!:mime image/cgm +!:ext cgm +# SF:NAME like: 'metafile example'; +>>>5 string x %s +# look for command METAFILE VERSION (MFVERSION <SOFTSEP> <I:VERSION>) +>>>2 search/128/c mfversion +#>>>>&0 ubyte x SOFTSEP=%#x +# version like: 1 3 4 +>>>>&1 ubyte >0x31 \b, version %c +# Summary: Computer Graphics Metafile (binary) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-bin.trid.xml +# https://standards.iso.org/ittf/PubliclyAvailableStandards/c032380_ISO_IEC_8632-3_1999(E).zip +# Note: called "Computer Graphics Metafile (binary)" by TrID and DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# look for BEGIN METAFILE (element Class 0 and ID 1 and "random" Parameter) that is binary C C C C 0 0 0 0 0 0 1 P P P P P +0 ubeshort&0xFFe0 0x0020 +# skip SOME DROID fmt-303-signature-id-368.cgm fmt-304-signature-id-369.cgm fmt-305-signature-id-370.cgm fmt-306-signature-id-371.cgm +# with containing only 28 bytes +>28 ubyte x +# look for METAFILE VERSION (element class 1 and id 1 and parameter P1 with length 2) that is binary 0 0 0 1 i i i i i i 1 P P P 1 P +# with "low" version; 2nd worst case argentin.cgm with parameter length 56 +# worst MS.CGM +#>>2 search/73/b \x10\x22\0 binary Computer Graphics Metafile +>>2 search/128/b \x10\x22\0 binary Computer Graphics Metafile +!:mime image/cgm +!:ext cgm +# metafile 2 byte version number like: 1 (most) 2 3 4 +>>>&-1 ubeshort >1 \b, version %u +# length number of 1st parameter octets in range 0 to 30 implies short command +>>>0 ubeshort&0x001F <31 \b, parameter length %u +# length of string like: 8 9 10 11 12 29 +#>>>>2 ubyte x \b, %u BYTES (SHORT) +# string like: 'HiJaak 2' 'Example 1' 'sahara.cgm' 'MASTERCLIPS--Art Of Business ' +>>>>2 pstring >\0 '%s' +# after 1st short command with even parameter length comes 2nd command like: 1022h 0010h (EAF00010.CGM 'HiJaak 2' FLOPPY2.CGM TIGER.CGM 'B:\TIGER.CGM') +>>>>0 ubeshort&0x0001 =0 +>>>>>(2.b+3) ubeshort !0x1022 \b, 2nd command %#4.4x (short even) +# after 1st short command with odd parameter length comes nil padding byte followed 2nd command like: 1022h +>>>>0 ubeshort&0x0001 =1 +#>>>>>(2.b+3) ubyte !0 \b, PADDING %#x +>>>>>(2.b+4) ubeshort !0x1022 \b, 2nd command %#4.4x (short odd) +# 11111 binary (decimal 31) in the parameter field indicates that the command is in long-form +>>>0 ubeshort&0x001F =0x1F +# bit 15 is partition flag with 1 for 'not-last' partition and 0 for 'last' partition +>>>>2 ubeshort&0x8000 !0 \b, partition flag %#4.4x +# bits 0 to 14 is parameter list length; the number of following parameter octets; range 0 to 32767 +# length of 1st long command parameter like: 53 +>>>>2 ubeshort&0x7Fff x \b, parameter length %u (long) +# The two header words are then followed by lenghth of 1st string like: 52 +#>>>>4 ubyte x \b, %u BYTES +# string like: 'K:\PROJECTS\GRAPHICS\DWKS3.5\CLIPART\FLAGS\Italy.cgm' +>>>>4 pstring/B x '%s' +# odd long parameter length implies single null padding octet to start command on word boundary +>>>>2 ubeshort&0x0001 =1 +# after 1st long command with odd parameter length comes nil padding byte followed by 2nd command like: 1022h +#>>>>>(4.b+5) ubyte !0 \b, PADDING %#x +>>>>>(4.b+6) ubeshort !0x1022 \b, 2nd command %#4.4x (long odd) +# even long parameter length implies next command directly is following +>>>>2 ubeshort&0x0001 =0 +# after 1st long command with even parameter length comes 2nd command like: 1022h 0x1054 (MS.CGM) +>>>>>(4.b+5) ubeshort !0x1022 \b, 2nd command %#4.4x (long even) +# look for END METAFILE (element class 0 and id 2 and 0 parameter) that is binary 0 0 0 0 i i i i i 1 i P P P P P +>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE + +# MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) +0 string yz MGR bitmap, modern format, 8-bit aligned +0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned +0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned +0 string yx MGR bitmap, modern format, squeezed + +# Fuzzy Bitmap (FBM) images +0 string %bitmap\0 FBM image data +>30 long 0x31 \b, mono +>30 long 0x33 \b, color + +# facsimile data +1 string PC\ Research,\ Inc group 3 fax data +>29 ubyte 0 \b, normal resolution (204x98 DPI) +>29 ubyte 1 \b, fine resolution (204x196 DPI) +# From: Herbert Rosmanith <herp@wildsau.idv.uni.linz.at> +0 string Sfff structured fax file + +# From: Joerg Jenderek <joerg.jen.der.ek@gmx.net> +# URL: http://fileformats.archiveteam.org/wiki/Award_BIOS_logo +# Note: verified by XnView command `nconvert -fullinfo *.EPA` +0 string \x11\x06 Award BIOS Logo, 136 x 84 +!:mime image/x-award-bioslogo +!:ext epa +0 string \x11\x09 Award BIOS Logo, 136 x 126 +!:mime image/x-award-bioslogo +!:ext epa +# https://telparia.com/fileFormatSamples/image/epa/IO.EPA +# Note: by bitmap-awbm-v1x1009.trid.xml called "Award BIOS logo bitmap (128x126) (v1)" +# verified by RECOIL `recoil2png -o tmp.png IO.EPA; file tmp.png` +0 string \x10\x09 Award BIOS Logo, 128 x 126 +!:mime image/x-award-bioslogo +!:ext epa +#0 string \x07\x1f BIOS Logo corrupted? +# http://www.blackfiveservices.co.uk/awbmtools.shtml +# http://biosgfx.narod.ru/v3/ +# http://biosgfx.narod.ru/abr-2/ +0 string AWBM +# Note: by bitmap-awbm.trid.xml called "Award BIOS logo bitmap (v2)" +>4 uleshort <1981 Award BIOS Logo, version 2 +#>4 uleshort <1981 Award BIOS bitmap +!:mime image/x-award-bioslogo2 +#!:mime image/x-award-bmp +!:ext epa/bmp +# image width is a multiple of 4 +>>4 uleshort&0x0003 0 +>>>4 uleshort x \b, %d +>>>6 uleshort x x %d +>>4 uleshort&0x0003 >0 \b, +>>>4 uleshort&0x0003 =1 +>>>>4 uleshort x %d+3 +>>>4 uleshort&0x0003 =2 +>>>>4 uleshort x %d+2 +>>>4 uleshort&0x0003 =3 +>>>>4 uleshort x %d+1 +>>>6 uleshort x x %d +# at offset 8 starts imagedata followed by "RGB " marker + +# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) +# https://en.wikipedia.org/wiki/BMP_file_format#DIB_header_.\ +# 28bitmap_information_header.29 +# Note: variant starting direct with DIB header see +# http://fileformats.archiveteam.org/wiki/BMP +# verified by ImageMagick version 6.8.9-8 command `identify *.dib` +0 uleshort 40 +# skip bad samples like GAME by looking for valid number of color planes +>12 uleshort 1 Device independent bitmap graphic +!:mime image/x-ms-bmp +!:apple ????BMPp +!:ext dib +>>4 ulelong x \b, %d x +>>8 ulelong x %d x +>>14 uleshort x %d +# number of color planes (must be 1) +#>>12 uleshort >1 \b, %u color planes +# compression method: 0~no 1~RLE 8-bit/pixel 3~Huffman 1D +#>>16 ulelong 3 \b, Huffman 1D compression +>>16 ulelong >0 \b, %u compression +# image size is the size of raw bitmap; a dummy 0 can be given for BI_RGB bitmaps +>>20 ulelong x \b, image size %u +# horizontal and vertical resolution of the image (pixel per metre, signed integer) +>>24 ulelong >0 \b, resolution %d x +>>>28 ulelong x %d px/m +# number of colors in palette, or 0 to default to 2**n +#>>32 ulelong >0 \b, %u colors +# number of important colors used, or 0 when every color is important +>>36 ulelong >0 \b, %u important colors +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/VBM_(VDC_BitMap) +# Reference: http://csbruce.com/cbm/postings/csc19950906-1.txt +# http://mark0.net/download/triddefs_xml.7z +# defs/b/bitmap-vbm.trid.xml +# defs/b/bitmap-vbm-v3.trid.xml +# Note: called "VDC BitMap" by TrID +# verified by RECOIL `recoil2png -o tmp.png coke_can.vbm; file tmp.png` +# begin with a signature of 'B' 'M' 0xCB, followed by a version byte 2 or 3 +# Similar to the unrelated Windows BMP format +# check for VDC bitmap and then display image dimension and version +0 name bitmap-vbm +>2 ubyte 0xCB VDC bitmap +!:mime image/x-commodore-vbm +# http://recoil.sourceforge.net/formats.html +!:ext bm/vbm +# the VBM format version number: 2 or 3 +>>3 ubyte x \b, version %u +# width of the image in Hi/Lo format +>>4 ubeshort x \b, %u +# height of the image +>>6 ubeshort x x %u +# version 3 images have the following additional header information +>>3 ubyte =3 +# data-encoding type: 0~uncompressed 1~RLE-compressed +>>>8 ubyte 0 \b, uncompressed +>>>8 ubyte 1 \b, RLE-compressed +# byte code for general RLE repetitions +#>>>9 ubyte x \b, RLE repetition code 0x%x +# reserved := 0 +#>>>14 short >0 \b, reserved 0x%x +# length of comment text; 0~no comment text +#>>>16 ubeshort >0 \b, comment length %u +>>>16 pstring/H >0 \b, comment "%s" +# +0 string BM +# check for magic and version 2 of VDC bitmap or BMP with cbSize=715=CB02 +>2 ubeshort 0xCB02 +>>6 short =0 +>>>0 use bitmap-bmp +# VDC bitmap height or maybe a few OS/2 BMP with nonzero "hotspot coordinates" +>>6 short !0 +>>>0 use bitmap-vbm +# check for magic and version 3 of VDC bitmap or BMP with cbSize=971=CB03 +>2 ubeshort 0xCB03 +# check for reserved value (=0) of VDC bitmap +>>14 short =0 +>>>0 use bitmap-vbm +# BMP with cbSize=????03CBh and dib header size != 0 +>>14 short !0 +>>>0 use bitmap-bmp +# cbSize is size of header or file size of Windows BMP bitmap +>2 default x +>>0 use bitmap-bmp +0 name bitmap-bmp +>14 ulelong 12 PC bitmap, OS/2 1.x format +!:mime image/bmp +!:ext bmp +>>18 uleshort x \b, %d x +>>20 uleshort x %d +# number of color planes (must be 1) +#>>22 uleshort !1 \b, %u color planes +# number of bits per pixel (color depth); found 4 8 +>>24 uleshort x x %d +# x, y coordinates of the hotspot +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file or header like 1Ah 228C8h +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%8.8x +# offBits; offset to bitmap data like: +>>10 ulelong x \b, bits offset %u +# http://fileformats.archiveteam.org/wiki/BMP#OS.2F2_BMP_2.0 no examples found +>14 ulelong 48 PC bitmap, OS/2 2.x format (DIB header size=48) +>14 ulelong 24 PC bitmap, OS/2 2.x format (DIB header size=24) +# http://entropymine.com/jason/bmpsuite/bmpsuite/q/pal8os2v2-16.bmp +# Note: by bitmap-bmp-v2o.trid.xml called "Windows Bitmap (v2o)" +>14 ulelong 16 PC bitmap, OS/2 2.x format (DIB header size=16) +!:mime image/bmp +!:apple ????BMPp +!:ext bmp +# image width and height fields are unsigned integers for OS/2 +>>18 ulelong x \b, %u x +>>22 ulelong x %u +# number of bits per pixel (color depth); found 8 +>>28 uleshort >1 x %u +# x, y coordinates of the hotspot +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# number of color planes (must be 1) +#>>26 uleshort >1 \b, %u color planes +# cbSize; size of file like: 241E +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 41E +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +>14 ulelong 64 PC bitmap, OS/2 2.x format +!:mime image/bmp +!:apple ????BMPp +!:ext bmp +# image width and height fields are unsigned integers for OS/2 +>>18 ulelong x \b, %u x +>>22 ulelong x %u +# number of bits per pixel (color depth); found 1 4 8 +>>28 uleshort >1 x %u +# x, y coordinates of the hotspot +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +>>26 uleshort >1 \b, %u color planes +# cbSize; size of file or headers +>>2 ulelong x \b, cbSize %u +# BMP with cbSize 000002CBh=715 or 000003CBh=971 maybe misinterpreted as VDC bitmap +#>>2 ulelong x \b, cbSize %#x +# offBits; offset to bitmap data like 56h 5Eh 8Eh 43Eh +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset %#x +#>>(10.l) ubequad !0 \b, bits %#16.16llx +# BITMAPV2INFOHEADER adds RGB bit masks +>14 ulelong 52 PC bitmap, Adobe Photoshop +!:mime image/bmp +!:apple ????BMPp +!:ext bmp +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# number of bits per pixel (color depth); found 16 32 +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 14A 7F42 +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 42h +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +# BITMAPV3INFOHEADER adds alpha channel bit mask +>14 ulelong 56 PC bitmap, Adobe Photoshop with alpha channel mask +!:mime image/bmp +!:apple ????BMPp +!:ext bmp +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# number of bits per pixel (color depth); found 16 32 +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 4E 7F46 131DE 14046h +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 46h +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +>14 ulelong 40 +# jump 4 bytes before end of file/header to skip fmt-116-signature-id-118.dib +# broken for large bitmaps +#>>(2.l-4) ulong x PC bitmap, Windows 3.x format +>>14 ulelong 40 PC bitmap, Windows 3.x format +!:mime image/bmp +!:apple ????BMPp +>>>18 ulelong x \b, %d x +>>>22 ulelong x %d +# 320 x 400 https://en.wikipedia.org/wiki/LOGO.SYS +>>>18 ulequad =0x0000019000000140 x +!:ext bmp/sys +>>>18 ulequad !0x0000019000000140 +# compression method 2~RLE 4-bit/pixel implies also extension rle +>>>>30 ulelong 2 x +!:ext bmp/rle +# not RLE compressed and not 320x400 dimension +>>>>30 default x +# "small" dimensions like: 14x15 15x16 16x14 16x16 32x32 +# https://en.wikipedia.org/wiki/Favicon +>>>>>18 ulequad&0xffFFffC0ffFFffC0 =0 x +# https://www.politi-kdigital.de/favicon.ico +# http://forum.rpc1.org/favicon.ico +!:ext bmp/ico +# "big" dimensions > 63 +>>>>>18 default x x +!:ext bmp +# number of bits per pixel (color depth); found 1 2 4 8 16 24 32 +>>>28 uleshort x %d +# x, y coordinates of the hotspot; there is no hotspot in bitmaps, so values 0 +#>>>6 uleshort >0 \b, hotspot %ux +#>>>>8 uleshort x \b%u +# number of color planes (must be 1), except badplanes.bmp for testing +#>>>26 uleshort >1 \b, %u color planes +# compression method: 0~no 1~RLE 8-bit/pixel 2~RLE 4-bit/pixel 3~Huffman 1D 6~RGBA bit field masks +#>>>30 ulelong 3 \b, Huffman 1D compression +>>>30 ulelong >0 \b, %u compression +# image size is the size of raw bitmap; a dummy 0 can be given for BI_RGB bitmaps +>>>34 ulelong >0 \b, image size %u +# horizontal and vertical resolution of the image (pixel per metre, signed integer) +>>>38 ulelong >0 \b, resolution %d x +>>>>42 ulelong x %d px/m +# number of colors in palette 16 256, or 0 to default to 2**n +#>>>46 ulelong >0 \b, %u colors +# number of important colors used, or 0 when every color is important +>>>50 ulelong >0 \b, %u important colors +# cbSize; often size of file +>>>2 ulelong x \b, cbSize %u +#>>>2 ulelong x \b, cbSize %#x +# offBits; offset to bitmap data like 36h 76h BEh 236h 406h 436h 4E6h +>>>10 ulelong x \b, bits offset %u +#>>>10 ulelong x \b, bits offset %#x +#>>>(10.l) ubequad !0 \b, bits %#16.16llxd +>14 ulelong 124 PC bitmap, Windows 98/2000 and newer format +!:mime image/bmp +!:ext bmp +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# color planes; must be 1 +#>>>26 uleshort >1 \b, %u color planes +# number of bits per pixel (color depth); found 4 8 16 24 32 1 (fmt-119-signature-id-121.bmp) 0 (rgb24jpeg.bmp rgb24png.bmp) +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 8E AA 48A 999 247A 4F02 7F8A 3F88E B216E 1D4C8A 100008A +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 8A 47A ABABABAB (fmt-119-signature-id-121.bmp) +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +>14 ulelong 108 PC bitmap, Windows 95/NT4 and newer format +!:mime image/bmp +!:ext bmp +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# number of bits per pixel (color depth); found 8 24 32 +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 82 8A 9A 9F86 1E07A 3007A 88B7A C007A +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 7A 7E 46A +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/OS/2_Icon +# Reference: http://www.fileformat.info +# /format/os2bmp/spec/902d5c253f2a43ada39c2b81034f27fd/view.htm +# Note: verified by command like `deark -l -d3 OS2MEMU.ICO` +0 string IC +# skip Lotus smart icon *.smi by looking for valid hotspot coordinates +>6 ulelong&0xFF00FF00 =0 OS/2 icon +# jump 4 bytes before end of header/file and test for accessibility +#>>(2.l-4) ubelong x End of header is OK! +!:mime image/x-os2-ico +!:ext ico +# cbSize; size of header or file in bytes like 1ah 120h 420h +>>2 ulelong x \b, cbSize %u +# xHotspot, yHotspot; coordinates of the hotspot for icons like 16 32 +>>6 uleshort x \b, hotspot %ux +>>8 uleshort x \b%u +# offBits; offset in bytes to the beginning of the bit-map pel data like 20h +>>10 ulelong x \b, bits offset %u +#>>(10.l) ubequad x \b, bits %#16.16llx +#0 string PI PC pointer image data +#0 string CI PC color icon data +0 string CI +# test also for valid dib header sizes 12 or 64 +>14 ulelong <65 OS/2 +# test also for valid hotspot coordinates +#>>6 ulelong&0xFE00FE00 =0 OS/2 +!:mime image/x-os2-ico +!:ext ico +>>14 ulelong 12 1.x color icon +# image width and height fields are unsigned integers for OS/2 +>>>18 uleshort x %u x +# stored height = 2 * real height +>>>20 uleshort/2 x %u +# number of bits per pixel (color depth). Typical 32 24 16 8 4 but only 1 found +>>>24 uleshort >1 x %u +# color planes; must be 1 +#>>>22 uleshort >1 \b, %u color planes +>>14 ulelong 64 2.x color icon +# image width and height +>>>18 ulelong x %u x +# stored height = 2 * real height +>>>22 ulelong/2 x %u +# number of bits per pixel (color depth). only 1 found +>>>28 uleshort >1 x %u +#>>>26 uleshort >1 \b, %u color planes +# compression method: 0~no 3~Huffman 1D +>>>30 ulelong 3 \b, Huffman 1D compression +#>>>30 ulelong >0 \b, %u compression +# xHotspot, yHotspot; coordinates of the hotspot like 0 1 16 20 32 33 63 64 +>>6 uleshort x \b, hotspot %ux +>>8 uleshort x \b%u +# cbSize; size of header or maybe file in bytes like 1Ah 4Eh 84Eh +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize %x +# offBits; offset to bitmap data (pixel array) like E4h 3Ah 66h 6Ah 33Ah 4A4h +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset %#x +#>>(10.l) ubequad !0 \b, bits %#16.16llx +# dib header size: 12~Ch~OS/2 1.x 64~40h~OS/2 2.x +#>>14 ulelong x \b, dib header size %u +#0 string CP PC color pointer image data +# URL: http://fileformats.archiveteam.org/wiki/OS/2_Pointer +# Reference: http://www.fileformat.info/format/os2bmp/egff.htm +0 string CP +# skip many Corel Photo-Paint image "CPT9FILE" by checking for positive bits offset +>10 ulelong >0 +# skip CPU-Z Report by checking for valid dib header sizes 12 or 64 +>>14 ulelong =12 +>>>0 use os2-ptr +>>14 ulelong =64 +>>>0 use os2-ptr +# display information of OS/2 pointer bitmaps +0 name os2-ptr +>14 ulelong x OS/2 +# http://extension.nirsoft.net/PTR +!:mime image/x-ibm-pointer +!:ext ptr +>>14 ulelong 12 1.x color pointer +# image width and height fields are unsigned integers for OS/2 +>>>18 uleshort x %u x +# stored height = 2 * real height +>>>20 uleshort/2 x %u +# number of bits per pixel (color depth). Typical 32 24 16 8 4 but only 1 found +>>>24 uleshort >1 x %u +# color planes; must be 1 +#>>>22 uleshort >1 \b, %u color planes +>>14 ulelong 64 2.x color pointer +# image width and height +>>>18 ulelong x %u x +# stored height = 2 * real height +>>>22 ulelong/2 x %u +# number of bits per pixel (color depth). only 1 found +>>>28 uleshort >1 x %u +#>>>26 uleshort >1 \b, %u color planes +# compression method: 0~no 3~Huffman 1D +>>>30 ulelong 3 \b, Huffman 1D compression +#>>>30 ulelong >0 \b, %u compression +# xHotspot, yHotspot; coordinates of the hotspot like 0 3 4 8 15 16 23 27 31 +>>6 uleshort x \b, hotspot %ux +>>8 uleshort x \b%u +# cbSize; size of header or maybe file in bytes like 1Ah 4Eh +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize %x +# offBits; offset to bitmap data (pixel array) like 6Ah A4h E4h 4A4h +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset %#x +#>>(10.l) ubequad !0 \b, bits %#16.16llx +# dib header size: 12~Ch~OS/2 1.x 64~40h~OS/2 2.x +#>>14 ulelong x \b, dib header size %u +# Conflicts with other entries [BABYL] +# URL: http://fileformats.archiveteam.org/wiki/BMP#OS.2F2_Bitmap_Array +# Note: container for OS/2 icon "IC", color icon "CI", color pointer "CP" or bitmap "BM" +#0 string BA PC bitmap array data +0 string BA +# skip old Emacs RMAIL BABYL ./mail.news by checking for low header size +>2 ulelong <0x004c5942 OS/2 graphic array +!:mime image/x-os2-graphics +#!:apple ????BMPf +# cbSize; size of header like 28h 5Ch +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize %#x +# offNext; offset to data like 0 48h F2h 4Eh 64h C6h D2h D6h DAh E6h EAh 348h +>>6 ulelong >0 \b, data offset %u +#>>6 ulelong >0 \b, data offset %#x +#>>(6.l) ubequad !0 \b, data %#16.16llx +# dimensions of the intended device like 640 x 480 for VGA or 1024 x 768 +>>10 uleshort >0 \b, display %u +>>>12 uleshort >0 x %u +# usType of first array element +#>>14 string x \b, usType %2.2s +# 1 space char after "1st" +# no *.bga examples found https://www.openwith.org/file-extensions/bga/1342 +>>14 string BM \b; 1st +!:ext bmp/bga +>>14 string CI \b; 1st +!:ext ico +>>14 string CP \b; 1st +!:ext ico +>>14 string IC \b; 1st +!:ext ico +# no white-black pointer found +#>>14 string PT \b; 1st +#!:ext +>>14 indirect x + +# XPM icons (Greg Roelofs, newt@uchicago.edu) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/XPM +# Reference: http://www.x.org/docs/XPM/xpm.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-xpm.trid.xml +# Note: called "X PixMap bitmap" by TrID and "X-Windows Pixmap Image" by DROID via PUID x-fmt/208 +# starting with c comment like: logo.xpm +0 string /*\040 +# 9 byte c-comment "/* XPM */" not at the beginning like: mozicon16.xpm mozicon50.xpm (thunderbird) +>0 search/0xCE /*\ XPM\ */ +# skip DROID x-fmt-208-signature-id-620.xpm by looking for char array without explict length +# and match mh-logo.xpm (emacs) +>>&0 search/1249 [] +>>>0 use xpm-image +# non standard because no 9 byte c-comment "/* XPM */" like: logo.xpm in qemu package +>0 default x +# words are separated by a white space which can be composed of space and tabulation characters +>>0 search/0x52 static\040char\040 +# skip debug.c testmlc.c by looking for char array without explict length +# https://www.clamav.net/downloads/production/clamav-0.104.2.tar.gz +# clamav-0.104.2\libclammspack\mspack\debug.c +>>>&0 search/64 [] +>>>>0 use xpm-image +# display X pixmap image information +0 name xpm-image +>0 string x X pixmap image text +#!:mime text/plain +# https://reposcope.com/mimetype/image/x-xpixmap +# alias +#!:mime image/x-xpm +!:mime image/x-xpixmap +!:ext xpm +# NO pm example found! +#!:ext xpm/pm +# look for start of character array at beginning of a line like: psetupl.xpm (OpenOffice 4.1.7) +>0 search/0x406 \n" +# DEBUG VALUES string +#>>&0 string x '%s' +# width with optional white space before like: 16 24 32 48 1280 +>>&0 regex/8 [0-9]{1,5} \b, %s +# height with white space like: 15 16 17 24 32 48 1024 +>>>&0 regex/8 [0-9]{1,5} x %s +# number of colors with white space like: 1 2 3 4 5 8 11 14 162 255 but unrelistic 4294967295 by hardcopy tool +>>>>&0 regex/12 [0-9]{1,9} x %s +# chars_per_pixel with white space like: 1 2 +>>>>>&0 regex/14 [0-9]{1,2} \b, %s chars/pixel +# non standard because not starting with 9 byte c-comment "/* XPM */" +>0 string !/*\ XPM\ */ +>>0 string x \b, 1st line "%s" + +# Utah Raster Toolkit RLE images (janl@ifi.uio.no) +0 uleshort 0xcc52 RLE image data, +>6 uleshort x %d x +>8 uleshort x %d +>2 uleshort >0 \b, lower left corner: %d +>4 uleshort >0 \b, lower right corner: %d +>10 ubyte&0x1 =0x1 \b, clear first +>10 ubyte&0x2 =0x2 \b, no background +>10 ubyte&0x4 =0x4 \b, alpha channel +>10 ubyte&0x8 =0x8 \b, comment +>11 ubyte >0 \b, %d color channels +>12 ubyte >0 \b, %d bits per pixel +>13 ubyte >0 \b, %d color map channels + +# image file format (Robert Potter, potter@cs.rochester.edu) +0 string Imagefile\ version- iff image data +# this adds the whole header (inc. version number), informative but longish +>10 string >\0 %s + +# Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com) +0 ubelong 0x59a66a95 Sun raster image data +>4 ubelong >0 \b, %d x +>8 ubelong >0 %d, +>12 ubelong >0 %d-bit, +#>16 ubelong >0 %d bytes long, +>20 ubelong 0 old format, +#>20 ubelong 1 standard, +>20 ubelong 2 compressed, +>20 ubelong 3 RGB, +>20 ubelong 4 TIFF, +>20 ubelong 5 IFF, +>20 ubelong 0xffff reserved for testing, +>24 ubelong 0 no colormap +>24 ubelong 1 RGB colormap +>24 ubelong 2 raw colormap +#>28 ubelong >0 colormap is %d bytes long + +# SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) +# +# See +# http://reality.sgi.com/grafica/sgiimage.html +# +0 ubeshort 474 SGI image data +#>2 ubyte 0 \b, verbatim +>2 ubyte 1 \b, RLE +#>3 ubyte 1 \b, normal precision +>3 ubyte 2 \b, high precision +>4 ubeshort x \b, %d-D +>6 ubeshort x \b, %d x +>8 ubeshort x %d +>10 ubeshort x \b, %d channel +>10 ubeshort !1 \bs +>80 string >0 \b, "%s" + +0 string IT01 FIT image data +>4 ubelong x \b, %d x +>8 ubelong x %d x +>12 ubelong x %d +# +0 string IT02 FIT image data +>4 ubelong x \b, %d x +>8 ubelong x %d x +>12 ubelong x %d +# +2048 string PCD_IPI Kodak Photo CD image pack file +>0xe02 ubyte&0x03 0x00 , landscape mode +>0xe02 ubyte&0x03 0x01 , portrait mode +>0xe02 ubyte&0x03 0x02 , landscape mode +>0xe02 ubyte&0x03 0x03 , portrait mode +0 string PCD_OPA Kodak Photo CD overview pack file + +# FITS format. Jeff Uphoff <juphoff@tarsier.cv.nrao.edu> +# FITS is the Flexible Image Transport System, the de facto standard for +# data and image transfer, storage, etc., for the astronomical community. +# (FITS floating point formats are big-endian.) +0 string SIMPLE\ \ = FITS image data +!:mime image/fits +!:ext fits/fts +>109 string 8 \b, 8-bit, character or unsigned binary integer +>108 string 16 \b, 16-bit, two's complement binary integer +>107 string \ 32 \b, 32-bit, two's complement binary integer +>107 string -32 \b, 32-bit, floating point, single precision +>107 string -64 \b, 64-bit, floating point, double precision + +# other images +0 string This\ is\ a\ BitMap\ file Lisp Machine bit-array-file + +# From SunOS 5.5.1 "/etc/magic" - appeared right before Sun raster image +# stuff. +# +0 ubeshort 0x1010 PEX Binary Archive + +# DICOM medical imaging data +# URL: https://en.wikipedia.org/wiki/DICOM#Data_format +# Note: "dcm" is the official file name extension +# XnView mention also "dc3" and "acr" as file name extension +128 string DICM DICOM medical imaging data +!:mime application/dicom +!:ext dcm/dicom/dic + +# XWD - X Window Dump file. +# URL: http://fileformats.archiveteam.org/wiki/XWD +# Reference: https://wiki.multimedia.cx/index.php?title=XWD +# http://mark0.net/download/triddefs_xml.7z/defs/x/xdm-x11.trid.xml +# Note: called "X-Windows Screen Dump (X11)" by TrID and +# "X-Windows Screen Dump" version X11 by DROID via PUID fmt/483 +# verfied by XnView `nconvert -in xwd -info *` +# and ImageMagick 6.9.11 `identify -verbose *` as XWD X Windows system window dump +# and `xwud -in fig41.wxd -dumpheader` +# As described in /usr/X11R6/include/X11/XWDFile.h +# used by the xwd program. +# Bradford Castalia, idaeim, 1/01 +# updated by Adam Buchbinder, 2/09 and Joerg Jenderek, May 2022 +# The following assumes version 7 of the format; the first long is the length +# of the header, which is at least 25 4-byte longs, and the one at offset 8 +# is a constant which is always either 1 or 2. Offset 12 is the pixmap depth, +# which is a maximum of 32. +# Size of the entire file header (bytes) like: 100 104 105 106 107 109 110 113 114 115 118 172 +0 ubelong >99 +# pixmap_format; Pixmap format; 0~1-bit (XYBitmap) format 1~single-plane (XYPixmap) 2~bitmap with two or more planes (ZPixmap) +>8 ubelong <3 +# pixmap_depth; Pixmap depth; value 1 - 32 +>>12 ubelong <33 +# file_version; XWD_FILE_VERSION=7 +>>>4 ubelong 7 +# skip DROID fmt-401-signature-id-618.xwd by test for existing border field +>>>>96 ubelong x X-Window screen dump image data, version X11 +# ./images (version 1.205) labeled the above entry as "XWD X Window Dump image data" +# https://reposcope.com/mimetype/image/x-xwindowdump +!:mime image/x-xwindowdump +#!:ext xwd +!:ext xwd/dmp +# https://www.xnview.com/en/image_formats/ NO example with x11 suffix FOUND! +#!:ext xwd/dmp/x11 +# https://www.nationalarchives.gov.uk/PRONOM/fmt/401 NO example with xdm suffix FOUND! +#!:ext xwd/dmp/x11/xmd +# file comment if header > 100; so not in MARBLES.XWD and hardcopy-x-window-v11.xwd +>>>>>0 ubelong >100 +# comment or windows name +>>>>>>100 string >\0 \b, "%s" +# pixmap_width; pixmap width like: 576 800 1014 1280 1419 NOT -1414812757=abABabABh +>>>>>16 ubelong x \b, %dx +# pixmap_height; pixmap height like: 449 454 600 704 720 1001 1024 NOT -1414812757=abABabABh +>>>>>20 ubelong x \b%dx +# pixmap_depth; pixmap depth +>>>>>12 ubelong x \b%d +# XOffset; Bitmap X offset; pixel numbers to ignore at the beginning of each scan-line +#>>>>>24 ubelong x \b, %u ignore +# ByteOrder; byte order of image data: 0~least significant byte first 1~most significant byte first +>>>>>28 ubelong >0 \b, order %u +# BitmapUnit; bitmap base data size unit in each scan line like: 8 16 32 +#>>>>>32 ubelong x \b, unit %u +# BitmapBitOrder; bit-order of image data; apparently same as ByteOrder +#>>>>>36 ubelong x \b, bit order %u +# BitmapPad; number of padding bits added to each scan line like: 8 16 32 +#>>>>>40 ubelong x \b, pad %u +# BitsPerPixel; Bits per pixel: 1~StaticGray and GrayScale 2-15~StaticColor and PseudoColor 16,24,32~TrueColor and DirectColor +#>>>>>44 ubelong x \b, %u bits/pixel +# BytesPerLine; size of each scan line in bytes +#>>>>>48 ubelong x \b, %u bytes/line +# VisualClass; class of the image: 0~StaticGray 1~GrayScale 2~StaticColor 3~PseudoColor 4~TrueColor 5~DirectColor +#>>>>>52 ubelong x \b, %u Class +# RedMask; red RGB mask values used by ZPixmaps like: 0 0xff0000 +#>>>>>56 ubelong !0 \b, %#x red +# GreenMask; green mask like: 0 +#>>>>>60 ubelong !0 \b, %#x green +# BlueMask; blue mask like: 0 0xff +#>>>>>64 ubelong !0 \b, %#x blue +# BitsPerRgb; Size of each color mask in bits like: 0 1 8 24 +#>>>>>68 ubelong x \b, %u bits/RGB +# NumberOfColors; number of colors in image like: 256 4 2 0 (WHAT DOES THIS MEAN?) +>>>>>72 ubelong x \b, %u colors +# ColorMapEntries; number of entries in color map like: 256 16 2 0~no color map +>>>>>76 ubelong x %u entries +# WindowWidth; window width +#>>>>>80 ubelong x \b, %u width +# WindowHeight; window height +#>>>>>84 ubelong x \b, %u height +# WindowX; Window upper left X coordinate like: 0 24 32 80 237 290 422 466 568 (lenna.dmp) +>>>>>88 ubelong !0 \b, x=%d +# WindowY; Window upper left Y coordinate like: 0 8 18 26 60 73 107 (fig41.xwd) 128 +>>>>>92 ubelong !0 \b, y=%d +# WindowBorderWidth; Window border width; apparently pixmap_width=WindowWidth+2*WindowBorderWidth +# like: 1 (fig41.xwd) 2 (maze.dmp) 3 (lenna.dmp mandrill.dmp) +>>>>>96 ubelong >0 \b, %u border +# From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/x/xdm-x10.trid.xml +# Note: called "X-Windows Screen Dump (X10)" by TrID and +# "X-Windows Screen Dump" version X10 by DROID via PUID x-fmt/300 +# verfied by XnView `nconvert -in xwd -info *` +# HeaderSize is the size of the header in bytes; always 40 for X10 variant +0 ubelong =0x000000028 +# FileVersion; always 6 for X10 variant +>4 ubelong =6 +# skip DROID x-fmt-300-signature-id-619.xdm by test existing border field +>>36 ubeshort x X-Window screen dump image data, version X10 +!:mime image/x-xwindowdump +!:ext xwd +# http://www.nationalarchives.gov.uk/pronom/fmt/401 NO example with xdm suffix FOUND! +#!:ext xwd/xdm +# PixmapWidth; pixmap width like: 127 1280 +>>>20 ubelong x \b, %d +# PixmapHeight; pixmap height like: 64 1024 +>>>24 ubelong x \bx%d +# DisplayPlanes; number of display planes like: 1 4 8 +>>>12 ubelong x \bx%u +# DisplayType; display type like: 1 3 +#>>>8 ubelong x \b, type %u +# PixmapFormat; pixmap format like: 1~bitmap with two or more planes (ZPixmap) 0~single-plane bitmap (XYBitmap) +#>>>16 ubelong x \b, %u format +# WindowWidth; window width; probably PixmapWidth=WindowWidth+2*WindowBorderWidth +#>>>28 ubeshort x \b, width %u +# WindowHeight; window height; probably PixmapWidth=PixmapHeight+2*WindowBorderWidth +#>>>30 ubeshort x \b, height %u +# WindowX; window upper left X coordinate like: 0 +>>>32 ubeshort !0 \b, x=%d +# WindowY; window upper left Y coordinate like: 0 +>>>34 ubeshort !0 \b, y=%d +# WindowBorderWidth; window border width like: 0 +>>>36 ubeshort !0 \b, %u border +# WindowNumColors; Number of color entries in window like: 2 16 256 +#>>>38 ubeshort x \b, %u colors +# if the image is a PseudoColor image, a color map immediately follows the header. X10COLORMAP[WindowNumColors]; +# EntryNumber; number of the color-map entry like: 0 +#>>>40 ubeshort x \b, colors #%u +# Red; red-channel value +#>>>42 ubeshort !0 \b, red %#x +# Green; green-channel value +#>>>44 ubeshort !0 \b, green %#x +# Blue; blue-channel value +#>>>46 ubeshort !0 \b, blue %#x +# 2ND Entry like: 2 +#>>>48 ubeshort x \b, colors #%u + +# PDS - Planetary Data System +# These files use Parameter Value Language in the header section. +# Unfortunately, there is no certain magic, but the following +# strings have been found to be most likely. +0 string NJPL1I00 PDS (JPL) image data +2 string NJPL1I PDS (JPL) image data +0 string CCSD3ZF PDS (CCSD) image data +2 string CCSD3Z PDS (CCSD) image data +0 string PDS_ PDS image data +0 string LBLSIZE= PDS (VICAR) image data + +# pM8x: ATARI STAD compressed bitmap format +# +# from Oskar Schirmer <schirmer@scara.com> Feb 2, 2001 +# p M 8 5/6 xx yy zz data... +# Atari ST STAD bitmap is always 640x400, bytewise runlength compressed. +# bytes either run horizontally (pM85) or vertically (pM86). yy is the +# most frequent byte, xx and zz are runlength escape codes, where xx is +# used for runs of yy. +# +0 string pM85 Atari ST STAD bitmap image data (hor) +>5 ubyte 0x00 (white background) +>5 ubyte 0xFF (black background) +0 string pM86 Atari ST STAD bitmap image data (vert) +>5 ubyte 0x00 (white background) +>5 ubyte 0xFF (black background) + +# From: Alex Myczko <alex@aiei.ch> +# https://www.atarimax.com/jindroush.atari.org/afmtatr.html +0 uleshort 0x0296 Atari ATR image + +# URL: http://fileformats.archiveteam.org/wiki/DEGAS_image +# Reference: https://wiki.multimedia.cx/index.php?title=Degas +# From: Joerg Jenderek +# http://mark0.net/download/triddefs_xml.7z/defs/b +# bitmap-pi2-degas.trid.xml bitmap-pi3-degas.trid.xml +# bitmap-pc1-degas.trid.xml bitmap-pc2-degas.trid.xml bitmap-pc3-degas.trid.xml +# Note: verified by NetPBM `pi3topbm sigirl1.pi3 | file` +# `deark -m degas -l -d2 ataribak.pi1` +# XnView `nconvert -fullinfo *.p??` +# DEGAS low-res uncompressed bitmap *.pi1 +0 beshort 0x0000 +# skip some ISO 9660 CD-ROM filesystems like plpbt.iso by test for 4 non black colors in palette entries +>2 quad !0 +# skip g3test.g3 by test for unused bits of 2nd color entry +>>4 ubeshort&0xF000 0 +#>>>0 beshort x 1ST_VALUE=%x +#>>>-0 offset x FILE_SIZE=%lld +# standard DEGAS low-res uncompressed bitmap *.pi1 with file size 32034 +>>>-0 offset =32034 +#>>>>0 beshort x 1st_VALUE=%x +# like: 8ball.pi1 teddy.pi1 sonic01.pi1 +>>>>0 use degas-bitmap +# about 61 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32066 +>>>-0 offset =32066 +# like: spider.pi1 pinkgirl.pi1 frog3.pi1 +>>>>0 use degas-bitmap +# about 55 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32128 +>>>-0 offset =32128 +# like: mountain.pi1 bigspid.pi1 alf33.pi1 +>>>>0 use degas-bitmap +# 1 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 44834 +>>>-0 offset =44834 +# like: kenshin.pi1 +>>>>0 use degas-bitmap +# DEGAS mid-res uncompressed bitmap *.pi2 (strength=50) after GEM Images like: +# BEETHVEN.IMG CHURCH.IMG GAMEOVR4.IMG TURKEY.IMG clinton.img +0 beshort 0x0001 +#!:strength +0 +# skip many control files like gnucash-4.8.setup.exe.aria2 by test for non black in 4 palette entries +>2 quad !0 +# skip control file load-v0001.aria2 and many GEM Image data like +# GAMEOVR4.IMG BEETHVEN.IMG CHURCH.IMG TURKEY.IMG clinton.img +# by test for valid file sizes +# standard DEGAS mid-res uncompressed bitmap *.pi2 with file size 32034 +>>-0 offset =32034 +# (39/41) like: GEMINI03.PI2 ST_TOOLS.PI2 TBX_DEMO.PI2 +>>>0 use degas-bitmap +# few DEGAS Elite mid-res uncompressed bitmap *.pi2 with file size 32066 +>>-0 offset =32066 +# (2/41) like: medres.pi2 +>>>0 use degas-bitmap +# DEGAS high-res uncompressed bitmap *.pi3 +0 beshort 0x0002 +# skip Intel ia64 COFF msvcrt.lib by test for unused bits of 1st atari color palette entry +>2 ubeshort&0xF000 0 +# skip few Adobe PhotoShop Brushes like Faux-Spitzen.abr by check +# for invalid Adobe PhotoShop Brush UTF16-LE string length +>>19 ubyte =0 +# many like: 4th_ofj2.pi3 GEMINI03.PI3 PEOPLE18.PI3 POWERFIX.PI3 abydos.pi3 highres.pi3 sigirl1.pi3 vanna5.pi3 +>>>0 use degas-bitmap +# Adobe PhotoShop Brush UTF16-LE string length 15 "Gitter - klein " 8 "Kreis 1 " +>>19 ubyte !0 +#>>19 ubyte !0 \b, NOTE LENGTH %u +#>>>21 lestring16 x \b, BRUSH NOTE "%s" +>>>(19.b*2) ubequad x +# maybe last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char like +# 006e0000 for n in "Faux-Spitzen.abr" 00310000 for 1 in "Verschiedene Spitzen.abr" +# 00000000 "LEREDACT.PI3" 03730773 "TBX_DEMO.PI3" +#>>>>&8 ubelong x \b, LAST CHAR+NIL %8.8x +>>>>&8 ubelong&0xff00ffFF !0 +# skip many Adobe Photoshop Color swatch (ANPA-Farben.aco TOYO-Farbsystem.aco) with invalid 3rd color entry (1319 2201 2206 21f5 2480 24db 25fd) +>>>>>6 ubeshort&0xF000 0 +# skip few Adobe Photoshop Color swatch (FOCOLTONE-Farben.aco "PANTONE process coated.aco") with invalid 4th color entry (ffff) +>>>>>>8 ubeshort&0xF000 0 +# many DEGAS bitmap like: ARABDEMO.PI3 ELMRSESN.PI3 GEMVIEW.PI3 LEREDACT.PI3 PICCOLO.PI3 REPRO_JR.PI3 ST_TOOLS.PI3 TBX_DEMO.PI3 evgem7.pi3 +>>>>>>>0 use degas-bitmap +# test for last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char +>>>>&8 ubelong&0xff00ffFF =0 +# select last DEGAS bitmaps by invalid last char of brush note like BASICNES.PI3 DB_HELP.PI3 DB_WRITR.PI3 LEREDACT.PI3 +>>>>>&-4 ubelong&0x00FF0000 <0x00200000 +>>>>>>0 use degas-bitmap +# last character of Adobe PhotoShop Brush UTF16-LE note +#>>>>>&-4 ubelong&0x00FF0000 >0x001F0000 \b, THAT IS ABR +# DEGAS low-res compressed bitmap *.pc1 like: BATTLSHP.PC1 GNUCHESS.PC1 MEDUSABL.PC1 MOONLORD.PC1 WILDROSE.PC1 +0 beshort 0x8000 +# skip lif files handled via ./lif by test for unused bits of 1st palette entry +>2 ubeshort&0xF000 0 +# skip CRI ADX ADPCM audio (R04HT.adx R03T-15552.adx) with 44100 Hz misinterpreted as 5th color entry value AC44h +>>10 ubeshort&0xF000 0 +# skip few (fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx) by test for 4 first non black colors in palette entries +>>>2 quad !0 +>>>>0 use degas-bitmap +# DEGAS mid-res compressed bitmap *.pc2 like: abydos.pc2 ARTIS3.PC2 SMTHDRAW.PC2 STAR_2K.PC2 TX2_DEMO.PC2 +0 beshort 0x8001 +# skip many (1274/1369) PostScript Type 1 font (DarkGardenMK.pfb coupbi.pfb MONOBOLD.PFB) with invalid 1st atari color palette entry 5506 5b06 6906 7906 7e06 fb15 +>2 ubeshort&0xF000 0 +# skip some (95/1369) PostScript Type 1 font (fmt-525-signature-id-816.pfb LUXEMBRG.PFB) with invalid 3rd atari color palette entry 2521 +>>6 ubeshort&0xF000 0 +>>>0 use degas-bitmap +# DEGAS high-res compressed bitmap *.pc3 like: abydos.pc3 COYOTE.PC3 ELEPHANT.PC3 TX2_DEMO.PC3 SMTHDRAW.PC3 +0 beshort 0x8002 +# skip some (36/212) Python Pickle (factor_cache.pickle environment.pickle) with invalid 1st atari color entry (2863 6363 7d71) +>2 ubeshort&0xF000 0 +>>0 use degas-bitmap +# display information of Atari DEGAS and DEGAS Elite bitmap images +0 name degas-bitmap +>0 ubyte x Atari DEGAS +#!:mime application/octet-stream +!:mime image/x-atari-degas +# compressed +>0 ubyte =0x80 Elite compressed +# uncompressed +#>0 ubyte =0x00 uncompressed +#>0 ubyte =0x00 un. +>0 ubyte =0x00 +# check for existence of footer for DEGAS Elite images +>>32042 ubequad x Elite +>0 beshort 0x0000 bitmap +!:ext pi1 +>0 beshort 0x0001 bitmap +!:ext pi2 +>0 beshort 0x0002 bitmap +# no example with SUH extension found +#!:ext pi3/suh +!:ext pi3 +>0 beshort 0x8000 bitmap +!:ext pc1 +>0 beshort 0x8001 bitmap +!:ext pc2 +>0 beshort 0x8002 bitmap +!:ext pc3 +# low resolution; 320x200, 16 colors +>1 ubyte =0 320 x 200 x 16 +# medium resolution; 640x200, 4 colors +>1 ubyte =1 640 x 200 x 4 +# high resolution; 640x400, 2 colors +>1 ubyte =2 640 x 400 x 2 +# http://fileformats.archiveteam.org/wiki/Atari_ST_color_palette +# hardware_palette[16]; 9 bit ?????RRR?GGG?BBB; 12 bit ????RRRRGGGGBBBB for Atari STE +# for Atari DEGAS apparently no Spectrum 512 Enhanced 15 bit palette RGB?RRRRGGGGBBBB +# Red Green Blue unused bit ? often 0 but not bilboule.pi1; color_value (examples or numbers) +# 1st color palette entry like: 0777 (61) 0fff (LEREDACT.PI3) 0fcf (devgem7.pi3) 0001 (9) +>2 ubeshort x \b, color palette %4.4x +# 2nd palette entry like: 0000 (32) 0700 (38) 0f00 (LEREDACT.PI3 devgem7.pi3) +>4 ubeshort x %4.4x +# 3rd palette entry +>6 ubeshort x %4.4x +# 4th palette entry like: 0000 (72) +>8 ubeshort x %4.4x +# 5th palette entry +>10 ubeshort x %4.4x +>2 ubeshort x ... +# 6th palette entry +#>12 ubeshort x %4.4x +# 7th palette entry like: 0000 (16) 0001 (ELMRSESN.PI3 elmrsesn.pi3) 0070 (51) 00f0 (BASICNES.PI3 LEREDACT.PI3) 00f8 (devgem7.pi3) +#>14 ubeshort x %4.4x +# 8th palette entry +#>16 ubeshort x %4.4x +# 9 palette entry +#>18 ubeshort x %4.4x +# 10 palette entry +#>20 ubeshort x %4.4x +# 11 palette entry +#>22 ubeshort x %4.4x +# 12 palette entry +#>24 ubeshort x %4.4x +# 13 palette entry +#>26 ubeshort x %4.4x +# 14th palette entry +#>28 ubeshort x %4.4x +# 15th palette entry +#>30 ubeshort x %4.4x +# 16th palette entry +#>32 ubeshort x %4.4x +# data[16000] for uncompressed images; pixel data +#>34 ubequad x \b, DATA %#16.16llx... +# footer for Elite variant images +# https://www.fileformat.info/format/atari/egff.htm +# https://pulkomandy.tk/projects/GrafX2/wiki/Develop/FileFormats/Atari +# left_color_animation[4]; like: 0000000000000000 0000000100020003 fffafff000000030 (bigspid.pi1) +#>32034 ubequad !0 \b, color animations %16.16llx (left) +# right_color_animation[4]; like: 0000000000000000 0000000100020003 +#>>32042 ubequad !0 %16.16llx (right) +# channel_direction[4]; 0~left 1~none 2~right like: 0001000100010001 0002000000010001 (cycle2.pi1) +# sometimes unexpected like: feaafc0000000000 (bigspid.pi1) +#>32050 ubequad !0 \b, channel directions %16.16llx +# channel_delay[4]; 128 - channel delay, timebase 1/60 s +#>32058 ubequad !0 \b, channel delays %16.16llx + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GED +# https://recoil.sourceforge.net/formats.html#Atari-8-bit +# Reference: https://sourceforge.net/projects/recoil/files/recoil/6.3.4/recoil-6.3.4.tar.gz +# recoil-6.3.4/recoil.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-ged.trid.xml +# Note: called "Atari GED bitmap" by TrID; file size 11302 +# and verified by RECOIL graphic tool +0 string \xFF\xFF0SO\x7F Atari GED bitmap, 160x200 +#!:mime application/octet-stream +!:mime image/x-atari-ged +!:ext ged + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ImageLab/PrintTechnic +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-b_w.trid.xml +# Note: called "ImageLab bitmap" by TrID +# verfied by XnView `nconvert -fullinfo "MAEDCHEN.B&W"` +0 string B&W256 ImageLab bitmap +!:mime image/x-ilab +# https://www.xnview.com/de/image_formats/ +# GRR: add char & inside parse_ext in ../../src/apprentice.c to avoid in file version 5.40 error like: +# Magdir\images, 1090: Warning: EXTENSION type ` b_w/b&w' has bad char '&' +!:ext b_w/b&w +# Width +>6 ubeshort x \b, %u +# Height +>8 ubeshort x x %u + +# XXX: +# This is bad magic 0x5249 == 'RI' conflicts with RIFF and other +# magic. +# SGI RICE image file <mpruett@sgi.com> +#0 ubeshort 0x5249 RICE image +#>2 ubeshort x v%d +#>4 ubeshort x (%d x +#>6 ubeshort x %d) +#>8 ubeshort 0 8 bit +#>8 ubeshort 1 10 bit +#>8 ubeshort 2 12 bit +#>8 ubeshort 3 13 bit +#>10 ubeshort 0 4:2:2 +#>10 ubeshort 1 4:2:2:4 +#>10 ubeshort 2 4:4:4 +#>10 ubeshort 3 4:4:4:4 +#>12 ubeshort 1 RGB +#>12 ubeshort 2 CCIR601 +#>12 ubeshort 3 RP175 +#>12 ubeshort 4 YUV + +# PCX image files +# From: Dan Fandrich <dan@coneharvesters.com> +# updated by Joerg Jenderek at Feb 2013 by https://de.wikipedia.org/wiki/PCX +# https://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt +# GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 +# test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT +0 ubelong&0xffF8fe00 0x0a000000 +# for PCX bit depth > 0 +>3 ubyte >0 +# test for valid versions +>>1 ubyte <6 +>>>1 ubyte !1 PCX +!:mime image/x-pcx +#!:mime image/pcx +>>>>1 ubyte 0 ver. 2.5 image data +>>>>1 ubyte 2 ver. 2.8 image data, with palette +>>>>1 ubyte 3 ver. 2.8 image data, without palette +>>>>1 ubyte 4 for Windows image data +>>>>1 ubyte 5 ver. 3.0 image data +>>>>4 uleshort x bounding box [%d, +>>>>6 uleshort x %d] - +>>>>8 uleshort x [%d, +>>>>10 uleshort x %d], +>>>>65 ubyte >1 %d planes each of +>>>>3 ubyte x %d-bit +>>>>68 ubyte 1 colour, +>>>>68 ubyte 2 grayscale, +# this should not happen +>>>>68 default x image, +>>>>12 uleshort >0 %d x +>>>>>14 uleshort x %d dpi, +>>>>2 ubyte 0 uncompressed +>>>>2 ubyte 1 RLE compressed + +# Adobe Photoshop +# From: Asbjoern Sloth Toennesen <asbjorn@lila.io> +# URL: http://fileformats.archiveteam.org/wiki/PSD +# Reference: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# Note: verfied by XnView `nconvert -fullinfo *.psd *.psb *.pdd` +# and ImageMagick `identify -verbose *.pdd` +0 string 8BPS +# skip DROID x-fmt-92-signature-id-277.psd by checking valid width +>18 ubelong >0 Adobe Photoshop +!:mime image/vnd.adobe.photoshop +!:apple ????8BPS +# version: always equal to 1, but 2 for PSB +>>4 beshort 1 +# URL: http://fileformats.archiveteam.org/wiki/PhotoDeluxe +# EXTRAS/PHOTOS/DEMOPIX/ORIGINAL.PDD +>>>34 search/0xC0d7 PHUT Image (PhotoDeluxe) +!:ext pdd +>>>34 default x Image +!:ext psd +# URL: http://fileformats.archiveteam.org/wiki/PSB +>>4 beshort 2 Image (PSB) +!:ext psb +# width in pixels: 1-30000 1-300000 for PSB +>>18 belong x \b, %d x +>>14 belong x %d, +# The color mode; 0~Bitmap 1~Grayscale 2~Indexed 3~RGB 4~CMYK 7~Multichannel 9~Duotone 9~Lab +>>24 beshort 0 bitmap +>>24 beshort 1 grayscale +# the number of channels; range is 1 to 56 +>>>12 beshort 2 with alpha +>>24 beshort 2 indexed +>>24 beshort 3 RGB +>>>12 beshort 4 \bA +>>24 beshort 4 CMYK +>>>12 beshort 5 \bA +>>24 beshort 7 multichannel +>>24 beshort 8 duotone +>>24 beshort 9 lab +>>12 beshort > 1 +>>>12 beshort x \b, %dx +>>12 beshort 1 \b, +>>22 beshort x %d-bit channel +>>12 beshort > 1 \bs +# 6 reserved bytes; must be zero, but spaces inside ImageMagick input.psd +# https://download.imagemagick.org/ImageMagick/download/ImageMagick-7.0.11-11.zip +# ImageMagick-7.0.11-11\PerlMagick\t\input.psd +>>6 bequad&0xFFffFFffFFff0000 !0 \b, at offset 6 +>>>6 belong x 0x%8.8x +>>>6 beshort x \b%4.4x + +# From: Joerg Jenderek +# URL: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# http://fileformats.archiveteam.org/wiki/Photoshop +# Reference: http://www.nomodes.com/aco.html +# Note: registers as Photoshop.SwatchesFile for Photoshop.exe on Windows +# check for valid versions like: 2 (newest) 1 (old) 0 (oldest no examples) +0 ubeshort <3 +# skip few Atari DEGAS med-res bitmap (DIAGRAM1.PI2) and many ISO 9660 CD-ROM by check for invalid low color numbers (0) +>2 ubeshort >0 +# skip few Targa (bmpsuite-15col.tga rgb24_top_left_colormap.tga) by check for invalid high color space ID (F0 1D) +>>4 ubeshort <16 +# skip many (69/327) Targa image *.TGA by check of accessing near the ending of first color space section (size=nc*5*2) +>>>(2.S*10) ubelong x +# RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort =0 +# skip many (220/327) Targa by check of for invalid high RGB color z value (hexadecimal 2 3 2e03 4600 5e04 7502 8002 8b05 c700) +>>>>>12 ubeshort =0 +# RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>>0 ubeshort <2 +>>>>>>>0 use adobe-aco +# RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>>0 ubeshort =2 +# skip many (74/176) Atari DEGAS hi-res bitmap (*.PI3) by check for invalid low color name length (0) +>>>>>>>16 ubeshort >0 +>>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort !0 +# non RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>0 ubeshort <2 +# skip many GEM Image (CHURCH.IMG TIGER.IMG) by check for invalid second high color space ID (55 114 143 157 256 288 450) +>>>>>>14 ubeshort <16 +>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>0 ubeshort =2 +# skip few Atari DEGAS hi-res bitmap (pal1wb-blue.pi3) and few ABR by check for invalid "high" nil bytes (7) before color name length +>>>>>>14 ubeshort =0 +>>>>>>>0 use adobe-aco +# display Adobe Photoshop Color swatch file information (version, number of colors, color spaces, coordinates, names) +0 name adobe-aco +>0 ubeshort x Adobe Photoshop Color swatch, version %u +#!:mime application/octet-stream +!:mime application/x-adobe-aco +!:apple ????8BCO +!:ext aco +>0 ubeshort <2 +>>(2.S*10) ubelong x +# version 2 section after version 1 section +>>>&0 ubeshort 2 and 2 +# nc; number of colors like: 20 50 86 88 126 204 300 1050 1137 1280 2092 3010 4096 +>2 ubeshort x \b, %u colors +# maybe last 4 bytes of first section (probably y z color value) like: 0 0x66660000 0xfe700000 0xffff0000 +#>(2.S*10) ubelong x 1ST_SECTION_END=%#8.8x +>0 ubeshort <2 \b; 1st +# first older Adobe Photoshop Color entry +>>4 use aco-color +>>>2 ubeshort >1 \b; 2nd +# second older Adobe Photoshop Color entry +>>>>14 use aco-color +>0 ubeshort =2 \b; 1st +# first new Adobe Photoshop Color entry +>>4 use aco-color-v2 +>>>2 ubeshort >1 \b; 2nd +# jump first color name length words +>>>>(16.S*2) ubequad x +# second new Adobe Photoshop Color entry +>>>>>&10 use aco-color-v2 +# display Adobe Photoshop Color entry (color space, color coordinates) +0 name aco-color +# each color spec entry occupies five words +# color space: 0~RGB 1~HSB 2~CMYK 3~Pantone 4~Focoltone 5~Trumatch 6~Toyo 7~Lab 8~Grayscale 9?~wideCMYK 10~HKS ... +#>0 ubeshort x COLOR_ENTRY +>0 ubeshort 0 RGB +>0 ubeshort 1 HSB +>0 ubeshort 2 CMYK +>0 ubeshort 3 Pantone +>0 ubeshort 4 Focoltone +>0 ubeshort 5 Trumatch +>0 ubeshort 6 Toyo +>0 ubeshort 7 Lab +>0 ubeshort 8 Grayscale +>0 ubeshort 9 wide CMYK +>0 ubeshort 10 HKS +# unofficial +# >0 ubeshort 12 foo +# >0 ubeshort 13 bar +# >0 ubeshort 14 FOO +# >0 ubeshort 15 BAR +>0 ubeshort x space (%u) +# color coordinate w +>2 ubeshort x \b, w %#x +# color coordinate x +>4 ubeshort x \b, x %#x +# color coordinate y +>6 ubeshort x \b, y %#x +# color coordinate z; zero for RGB space +>8 ubeshort x \b, z %#x +# display Adobe Photoshop Color entry version 2 (color space, color coordinates names) +0 name aco-color-v2 +>0 use aco-color +#>10 ubeshort x \b, NUL_BYTES %#x +# color name length plus one (len+1) like: 7 8 9 13 14 15 16 17 22 26 +#>>12 ubeshort x \b, LENGTH %u +>>12 ubeshort-1 x \b, %u chars +# len words; UTF-16 representation of the color name like: "DIC 1s" "PANTONE Process Yellow PC" +>>14 bestring16 x "%s" +# followed by nil word + +# XV thumbnail indicator (ThMO) +# URL: https://en.wikipedia.org/wiki/Xv_(software) +# Reference: http://fileformats.archiveteam.org/wiki/XV_thumbnail +# Update: Joerg Jenderek +0 string P7\ 332 XV thumbnail image data +#0 string P7\ 332 XV "thumbnail file" (icon) data +!:mime image/x-xv-thumbnail +# thumbnail .xvpic/foo.bar for graphic foo.bar +!:ext p7/gif/tif/xpm/jpg + +# NITF is defined by United States MIL-STD-2500A +0 string NITF National Imagery Transmission Format +>25 string >\0 dated %.14s + +# GEM Image: Version 1, Headerlen 8 (Wolfram Kleff) +# Format variations from: Bernd Nuernberger <bernd.nuernberger@web.de> +# Update: Joerg Jenderek +# See http://fileformats.archiveteam.org/wiki/GEM_Raster +# For variations, also see: +# https://www.seasip.info/Gem/ff_img.html (Ventura) +# http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) +# http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) +# http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) +0 beshort 0x0001 +# header_size +>2 beshort 0x0008 +>>0 use gem_info +>2 beshort 0x0009 +>>0 use gem_info +# no example for NOSIG +>2 beshort 24 +>>0 use gem_info +# no example for HYPERPAINT +>2 beshort 25 +>>0 use gem_info +16 string XIMG\0 +>0 use gem_info +# no example +16 string STTT\0\x10 +>0 use gem_info +# no example or description +16 string TIMG\0 +>0 use gem_info + +0 name gem_info +# version is 2 for some XIMG and 1 for all others +>0 ubeshort <0x0003 GEM +# https://www.snowstone.org.uk/riscos/mimeman/mimemap.txt +!:mime image/x-gem +# header_size 24 25 27 59 779 words for colored bitmaps +>>2 ubeshort >9 +>>>16 string STTT\0\x10 STTT +>>>16 string TIMG\0 TIMG +# HYPERPAINT or NOSIG variant +>>>16 string \0\x80 +>>>>2 ubeshort =24 NOSIG +>>>>2 ubeshort !24 HYPERPAINT +# NOSIG or XIMG variant +>>>16 default x +>>>>16 string !XIMG\0 NOSIG +>>16 string =XIMG\0 XIMG Image data +!:ext img/ximg +# to avoid Warning: Current entry does not yet have a description for adding a EXTENSION type +>>16 string !XIMG\0 Image data +!:ext img +# header_size is 9 for Ventura files and 8 for other GEM Paint files +>>2 ubeshort 9 (Ventura) +#>>2 ubeshort 8 (Paint) +>>12 ubeshort x %d x +>>14 ubeshort x %d, +# 1 4 8 +>>4 ubeshort x %d planes, +# in tenths of a millimetre +>>8 ubeshort x %d x +>>10 ubeshort x %d pixelsize +# pattern_size 1-8. 2 for GEM Paint +>>6 ubeshort !2 \b, pattern size %d + +# GEM Metafile (Wolfram Kleff) +0 ulelong 0x0018FFFF GEM Metafile data +>4 uleshort x version %d + +# +# SMJPEG. A custom Motion JPEG format used by Loki Entertainment +# Software Torbjorn Andersson <d91tan@Update.UU.SE>. +# +0 string \0\nSMJPEG SMJPEG +>8 ubelong x %d.x data +# According to the specification you could find any number of _TXT +# headers here, but I can't think of any way of handling that. None of +# the SMJPEG files I tried it on used this feature. Even if such a +# file is encountered the output should still be reasonable. +>16 string _SND \b, +>>24 ubeshort >0 %d Hz +>>26 ubyte 8 8-bit +>>26 ubyte 16 16-bit +>>28 string NONE uncompressed +# >>28 string APCM ADPCM compressed +>>27 ubyte 1 mono +>>28 ubyte 2 stereo +# Help! Isn't there any way to avoid writing this part twice? +# Yes, use a name/use +>>32 string _VID \b, +# >>>48 string JFIF JPEG +>>>40 ubelong >0 %d frames +>>>44 ubeshort >0 (%d x +>>>46 ubeshort >0 %d) +>16 string _VID \b, +# >>32 string JFIF JPEG +>>24 ubelong >0 %d frames +>>28 ubeshort >0 (%d x +>>30 ubeshort >0 %d) + +0 string Paint\ Shop\ Pro\ Image\ File Paint Shop Pro Image File + +# taken from fkiss: (<yav@mte.biglobe.ne.jp> ?) +0 string KiSS KISS/GS +>4 ubyte 16 color +>>5 ubyte x %d bit +>>8 uleshort x %d colors +>>10 uleshort x %d groups +>4 ubyte 32 cell +>>5 ubyte x %d bit +>>8 uleshort x %d x +>>10 uleshort x %d +>>12 uleshort x +%d +>>14 uleshort x +%d + +# Webshots (www.webshots.com), by John Harrison +0 string C\253\221g\230\0\0\0 Webshots Desktop .wbz file + +# Hercules DASD image files +# From Jan Jaeger <jj@septa.nl> and Jay Maynard <jaymaynard@gmail.com> +0 string CKD_P370 Hercules CKD DASD image file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X + +0 string CKD_C370 Hercules compressed CKD DASD image file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X +>552 lelong x \b, %d total cylinders +>>557 byte 0 \b, no compression +>>557 byte 1 \b, ZLIB compression +>>557 byte 2 \b, BZ2 compression + +0 string CKD_S370 Hercules CKD DASD shadow file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X + +0 string CKD_P064 Hercules CKD64 DASD image file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X + +0 string CKD_C064 Hercules compressed CKD64 DASD image file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X +>524 lelong x \b, %d total cylinders +>>585 byte 0 \b, no compression +>>585 byte 1 \b, ZLIB compression +>>585 byte 2 \b, BZ2 compression + +0 string CKD_S064 Hercules CKD64 DASD shadow file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X + +# Squeak images and programs - etoffi@softhome.net +0 string \146\031\0\0 Squeak image data +0 search/1 'From\040Squeak Squeak program text + +# partimage: file(1) magic for PartImage files (experimental, incomplete) +# Author: Hans-Joachim Baader <hjb@pro-linux.de> +0 string PaRtImAgE-VoLuMe PartImage +>0x0020 string 0.6.1 file version %s +>>0x0060 ulelong >-1 volume %d +#>>0x0064 8 byte identifier +#>>0x007c reserved +>>0x0200 string >\0 type %s +>>0x1400 string >\0 device %s, +>>0x1600 string >\0 original filename %s, +# Some fields omitted +>>0x2744 ulelong 0 not compressed +>>0x2744 ulelong 1 gzip compressed +>>0x2744 ulelong 2 bzip2 compressed +>>0x2744 ulelong >2 compressed with unknown algorithm +>0x0020 string >0.6.1 file version %s +>0x0020 string <0.6.1 file version %s + +# DCX is multi-page PCX, using a simple header of up to 1024 +# offsets for the respective PCX components. +# From: Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DCX +0 ulelong 987654321 DCX multi-page +# http://www.nationalarchives.gov.uk/pronom/x-fmt/348 +!:mime image/x-dcx +!:ext dcx +# The first file offset usually starts at file offset 0x1004 +# print 1 space after 0x100? offset and then handles PCX images by ./images +>4 ulelong x \b, at %#x +>(4.l) indirect x +# possible 2nd PCX image +#>8 ulelong !0 \b, at %#x +#>>(8.l) indirect x +# possible 3rd PCX image +#>12 ulelong !0 \b, at %#x +#>>(12.l) indirect x + +# Simon Walton <simonw@matteworld.com> +# Kodak Cineon format for scanned negatives +# http://www.kodak.com/US/en/motion/support/dlad/ +0 ulelong 0xd75f2a80 Cineon image data +>200 ubelong >0 \b, %d x +>204 ubelong >0 %d + + +# Bio-Rad .PIC is an image format used by microscope control systems +# and related image processing software used by biologists. +# From: Vebjorn Ljosa <vebjorn@ljosa.com> +# BOOL values are two-byte integers; use them to rule out false positives. +# https://web.archive.org/web/20050317223257/www.cs.ubc.ca/spider/ladic/text/biorad.txt +# Samples: https://www.loci.wisc.edu/software/sample-data +14 uleshort <2 +>62 uleshort <2 +>>54 uleshort 12345 Bio-Rad .PIC Image File +>>>0 uleshort >0 %d x +>>>2 uleshort >0 %d, +>>>4 uleshort =1 1 image in file +>>>4 uleshort >1 %d images in file + +# From Jan "Yenya" Kasprzak <kas@fi.muni.cz> +# The description of *.mrw format can be found at +# http://www.dalibor.cz/minolta/raw_file_format.htm +0 string \000MRM Minolta Dimage camera raw image data + +# Summary: DjVu image / document +# Extension: .djvu +# Reference: http://djvu.org/docs/DjVu3Spec.djvu +# Submitted by: Stephane Loeuillet <stephane.loeuillet@tiscali.fr> +# Modified by (1): Abel Cheung <abelcheung@gmail.com> +0 string AT&TFORM +>12 string DJVM DjVu multiple page document +!:mime image/vnd.djvu +>12 string DJVU DjVu image or single page document +!:mime image/vnd.djvu +>12 string DJVI DjVu shared document +!:mime image/vnd.djvu +>12 string THUM DjVu page thumbnails +!:mime image/vnd.djvu + +# Originally by Marc Espie +# Modified by Robert Minsk <robertminsk at yahoo.com> +# https://www.openexr.com/openexrfilelayout.pdf +0 ulelong 20000630 OpenEXR image data, +!:mime image/x-exr +>4 ulelong&0x000000ff x version %d, +>4 ulelong ^0x00000200 storage: scanline +>4 ulelong &0x00000200 storage: tiled +>8 search/0x1000 compression\0 \b, compression: +>>&16 ubyte 0 none +>>&16 ubyte 1 rle +>>&16 ubyte 2 zips +>>&16 ubyte 3 zip +>>&16 ubyte 4 piz +>>&16 ubyte 5 pxr24 +>>&16 ubyte 6 b44 +>>&16 ubyte 7 b44a +>>&16 ubyte 8 dwaa +>>&16 ubyte 9 dwab +>>&16 ubyte >9 unknown +>8 search/0x1000 dataWindow\0 \b, dataWindow: +>>&10 ulelong x (%d +>>&14 ulelong x %d)- +>>&18 ulelong x \b(%d +>>&22 ulelong x %d) +>8 search/0x1000 displayWindow\0 \b, displayWindow: +>>&10 ulelong x (%d +>>&14 ulelong x %d)- +>>&18 ulelong x \b(%d +>>&22 ulelong x %d) +>8 search/0x1000 lineOrder\0 \b, lineOrder: +>>&14 ubyte 0 increasing y +>>&14 ubyte 1 decreasing y +>>&14 ubyte 2 random y +>>&14 ubyte >2 unknown + +# SMPTE Digital Picture Exchange Format, SMPTE DPX +# +# ANSI/SMPTE 268M-1994, SMPTE Standard for File Format for Digital +# Moving-Picture Exchange (DPX), v1.0, 18 February 1994 +# Robert Minsk <robertminsk at yahoo.com> +# Modified by Harry Mallon <hjmallon at gmail.com> +0 string SDPX DPX image data, big-endian, +!:mime image/x-dpx +>0 use dpx_info +0 string XPDS DPX image data, little-endian, +!:mime image/x-dpx +>0 use \^dpx_info + +0 name dpx_info +>768 ubeshort <4 +>>772 ubelong x %dx +>>776 ubelong x \b%d, +>768 ubeshort >3 +>>776 ubelong x %dx +>>772 ubelong x \b%d, +>768 ubeshort 0 left to right/top to bottom +>768 ubeshort 1 right to left/top to bottom +>768 ubeshort 2 left to right/bottom to top +>768 ubeshort 3 right to left/bottom to top +>768 ubeshort 4 top to bottom/left to right +>768 ubeshort 5 top to bottom/right to left +>768 ubeshort 6 bottom to top/left to right +>768 ubeshort 7 bottom to top/right to left + +# From: Tom Hilinski <tom.hilinski@comcast.net> +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/NetCDF +# http://fileformats.archiveteam.org/wiki/NetCDF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/netcdf.trid.xml +# https://www.loc.gov/preservation/digital/formats/fdd/fdd000330.shtml +# Note: called "NetCDF Network Common Data Form" by TrID and +# "netCDF-3 Classic" by DROID via PUID fmt/282 +# https://www.unidata.ucar.edu/packages/netcdf/ +0 string CDF\001 +# skip DROID fmt-282-signature-id-298.nc by test for more content bytes +>3 uleshort >0 NetCDF Data Format data +#!:mime application/netcdf +# https://reposcope.com/mimetype/application/x-netcdf +!:mime application/x-netcdf +!:ext nc +# https://fileinfo.com/extension/cdf +# https://www.file-extensions.org/cdf-file-extension-unidata-network-common-data-form +# in 1994 changed from CDF to NC file extension avoid a clash with other file formats +#!:ext nc/cdf +# 64-bit offset netcdf Classic https://www.unidata.ucar.edu/software/netcdf/docs/file_format_specifications +# Note: called "netCDF-3 64-bit" by DROID via PUID fmt/283 +0 string CDF\002 +# skip DROID fmt-283-signature-id-299.nc by test for more content bytes +>3 uleshort >0 NetCDF Data Format data (64-bit offset) +#!:mime application/netcdf +!:mime application/x-netcdf +!:ext nc + +# From: Michael Liu +# https://en.wikipedia.org/wiki/Common_Data_Format +0 ubelong 0xCDF30001 Common Data Format (Version 3 or later) data +!:mime application/x-cdf + +0 ubelong 0xCDF26002 Common Data Format (Version 2.6 or 2.7) data +!:mime application/x-cdf + +0 ubelong 0x0000FFFF Common Data Format (Version 2.5 or earlier) data +!:mime application/x-cdf + +# Hierarchical Data Format, used to facilitate scientific data exchange +# specifications at http://hdf.ncsa.uiuc.edu/ +# URL: http://fileformats.archiveteam.org/wiki/HDF +# https://en.wikipedia.org/wiki/Hierarchical_Data_Format +# Reference: https://portal.hdfgroup.org/download/attachments/52627880/HDF5_File_Format_Specification_Version-3.0.pdf +0 ubelong 0x0e031301 Hierarchical Data Format (version 4) data +!:mime application/x-hdf +!:ext hdf/hdf4/h4 +0 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) data +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 +512 string \211HDF\r\n\032\n +# skip Matlab v5 mat-file testhdf5_7.4_GLNX86.mat handled by ./mathematica +>0 string !MATLAB Hierarchical Data Format (version 5) with 512 bytes user block +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 +1024 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 1k user block +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 +2048 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 2k user block +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 +4096 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 4k user block +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 + +# From: Tobias Burnus <burnus@net-b.de> +# Xara (for a while: Corel Xara) is a graphic package, see +# http://www.xara.com/ for Windows and as GPL application for Linux +0 string XARA\243\243 Xara graphics file + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Corel_Gallery +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bmf-corel.trid.xml +# Note: called "Corel Binary Material Format" by TrID and +# "Corel Flow" by XnView +0 string @CorelBMF\n\rCorel\040Corporation Corel GALLERY Clipart +!:mime image/x-corel-bmf +!:ext bmf + +# https://www.cartesianinc.com/Tech/ +# Reference: http://fileformats.archiveteam.org/wiki/Cartesian_Perceptual_Compression +0 string CPC\262 Cartesian Perceptual Compression image +!:mime image/x-cpi +!:ext cpi/cpc + +# From Albert Cahalan <acahalan@gmail.com> +# puredigital used it for the CVS disposable camcorder +#8 lelong 4 ZBM bitmap image data +#>4 uleshort x %u x +#>6 uleshort x %u + +# From Albert Cahalan <acahalan@gmail.com> +# uncompressed 5:6:5 HighColor image for OLPC XO firmware icons +0 string C565 OLPC firmware icon image data +>4 uleshort x %u x +>6 uleshort x %u + +# Applied Images - Image files from Cytovision +# Gustavo Junior Alves <gjalves@gjalves.com.br> +0 string \xce\xda\xde\xfa Cytovision Metaphases file +0 string \xed\xad\xef\xac Cytovision Karyotype file +0 string \x0b\x00\x03\x00 Cytovision FISH Probe file +0 string \xed\xfe\xda\xbe Cytovision FLEX file +0 string \xed\xab\xed\xfe Cytovision FLEX file +0 string \xad\xfd\xea\xad Cytovision RATS file + +# Wavelet Scalar Quantization format used in gray-scale fingerprint images +# From Tano M Fotang <mfotang@quanteq.com> +0 string \xff\xa0\xff\xa8\x00 Wavelet Scalar Quantization image data + +# Type: PCO B16 image files +# URL: http://www.pco.de/fileadmin/user_upload/db/download/MA_CWDCOPIE_0412b.pdf +# From: Florian Philipp <florian.philipp@binarywings.net> +# Extension: .b16 +# Description: Pixel image format produced by PCO Camware, typically used +# together with PCO cameras. +# Note: Different versions exist for e.g. 8 bit and 16 bit images. +# Documentation is incomplete. +0 string/b PCO- PCO B16 image data +>12 ulelong x \b, %dx +>16 ulelong x \b%d +>20 ulelong 0 \b, short header +>20 ulelong -1 \b, extended header +>>24 ulelong 0 \b, grayscale +>>>36 ulelong 0 linear LUT +>>>36 ulelong 1 logarithmic LUT +>>>28 ulelong x [%d +>>>32 ulelong x \b,%d] +>>24 ulelong 1 \b, color +>>>64 ulelong 0 linear LUT +>>>64 ulelong 1 logarithmic LUT +>>>40 ulelong x r[%d +>>>44 ulelong x \b,%d] +>>>48 ulelong x g[%d +>>>52 ulelong x \b,%d] +>>>56 ulelong x b[%d +>>>60 ulelong x \b,%d] + +# Polar Monitor Bitmap (.pmb) used as logo for Polar Electro watches +# From: Markus Heidelberg <markus.heidelberg at web.de> +0 string/t [BitmapInfo2] Polar Monitor Bitmap text +!:mime image/x-polar-monitor-bitmap + +# From: Rick Richardson <rickrich@gmail.com> +# updated by: Joerg Jenderek +# URL: http://techmods.net/nuvi/ +0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file +# extension is also used for +# Sony SRF raw image (image/x-sony-srf) +# SRF map +# Terragen Surface Map (https://www.planetside.co.uk/terragen) +# FileLocator Pro search criteria file (https://www.mythicsoft.com/filelocatorpro) +!:ext srf +#!:mime image/x-garmin-srf +# version 1.00,2.00,2.10,2.40,2.50 +>0x2f string >0 \b, version %4.4s +# width (2880,2881,3240) +>0x55 uleshort >0 \b, %dx +# height (80,90) +>>0x53 uleshort x \b%d + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3.trid.xml +# Note: called "Ulead Imageiio/Imaginfo thumbnail" by TrID +0 string IIO1$ Ulead Photo Explorer 3 +#!:mime application/octet-stream +!:mime image/x-ulead-pe3 +# IMAGEIIO.PE3 +!:ext pe3 +# look for DOS/Windows drive letter +>5 search/192/s :\\ +# directory or full name of corresponding imaginfo.pe3 like: "T:\SAMPLES\TEXTURES\SKY_SNOW\IIOE371.TMP "S:\PI3\PIMPACT3\PROGRAMS\PATTERNS\imaginfo.pe3" +>>&-1 string x "%s" +# look for DOS/Windows network path if no drive letter part +>5 default x +>>5 search/192/s \x5c\x5c +# full name of corresponding imaginfo.pe3 like: "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS\imaginfo.pe3" +>>>&0 string x "%s" +# Type: Ulead Photo Explorer5 (.pe5) +# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4.trid.xml +# From: Simon Horman <horms@debian.org> +# Update: Joerg Jenderek +# Note: some called "Ulead Imageiio/Imaginfo thumbnail" by TrID +# and used in various Ulead applications +0 string IIO2H Ulead Photo Explorer 4 or 5 +#!:mime application/octet-stream +!:mime image/x-ulead-pe4 +# IMAGEIIO.PE4 +!:ext pe4/pe5 +# look in most samples for JPEG signature like: SAMPLES/IMAGES/SCENES/IMAGINFO.PE4 +>0x4c2 search/0xE02/s JFIF with JPEG image data +>>&-6 use jpeg +# near the end list of image names like: Img0001.pcd 1116012L.JPG NCARD4.TPL +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3-imaginfo.trid.xml +11 string \001\0\0\0\0 +# check for version 3 part +>19 string \0\001\0\003\0 +>>0 use ulead-imaginfo +# From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4-imaginfo.trid.xml +11 string \001\0\0\0\0 +# check for version 4 part +>19 string \0\0\0\004\0 +>>0 use ulead-imaginfo +# display information about Ulead Imaginfo thumbnail (version, directory, image extension) +0 name ulead-imaginfo +>22 ubyte x Ulead Imaginfo thumbnail +#!:mime application/octet-stream +!:mime image/x-ulead-imaginfo +>22 ubyte =3 \b, version 3 +# IMAGINFO.PE3 +!:ext pe3 +>22 ubyte =4 \b, version 4 +# IMAGINFO.PE4 +!:ext pe4 +# MAYBE ALSO VERSION 5 ? +#>22 ubyte =5 \b, version 5 +#!:ext pe5 +>22 ubyte x +# look for DOS/Windows driver letter +>>4 search/192/s :\x5c +# skip f:\Programme\iPhoto Plus 4\Template\Business Cards\IMAGINFO.PE4 +# by looking for driver letter in range A-Z +>>>&-1 ubyte >0x40 +# directory path like: "E:\iPE\CDSample\Images\Scenes" "D:\XmasCard\Samples" "C:\TEMP\PLANTS" +>>>>&-5 pstring/l >0 \b, "%s" +# look for DOS/Windows network path if no valid drive letter part +>>>&-1 default x +>>>>4 search/192/s \x5c\x5c +# directory path like: "\\FSX\SYS\OPPS\IPE.ENG\TEMPLATE\BUSINESS" "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS" +>>>>>&-4 pstring/l >0 \b, "%s" +# look for DOS/Windows network path if no drive letter part +>>4 default x +>>>4 search/192/s \x5c\x5c +# directory path like: "\\FSX\SYS\opps\ipe.eng\samples" "\\DANIEL\IPE_CD\IPE.ITA" +>>>>&-4 pstring/l >0 \b, "%s" +# look for point character inside image names +>56 search/38/s . +# image name extension like: bmp jpg pcd tpl +>>&1 string x with %-.3s images +# Summary: Ulead Pattern image (Corel Corporation) +# URL: https://en.wikipedia.org/wiki/Ulead_Systems +# https://www.file-extensions.org/pst-file-extension-ulead-pattern-image-format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst-ulead.trid.xml +# From: Joerg Jenderek +# Note: used also by CorelDraw Essentials 3 version 13.0.0.800 +# there seems to exist other versions +0 ubelong 0xFFFF0100 +>8 search/21 PresetInfo Ulead pattern image +#!:mime application/octet-stream +!:mime image/x-ulead-pst +!:ext pst +# string length like: 16 18 19 21 24 +#>>4 uleshort x n=%u +# like: BlendPresetInfo DropShadowPresetInfo FileNewPresetInfo VectorExtrudePresetInfo EnvelopePresetInfo ContourPresetInfo DistortionPresetInfo +>>4 pstring/h x "%s" + +# Type: X11 cursor +# URL: http://webcvs.freedesktop.org/mime/shared-mime-info/freedesktop.org.xml.in?view=markup +# From: Mathias Brodala <info@noctus.net> +0 string Xcur X11 cursor + +# Type: Olympus ORF raw images. +# URL: https://libopenraw.freedesktop.org/wiki/Olympus_ORF +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +0 string MMOR Olympus ORF raw image data, big-endian +!:mime image/x-olympus-orf +0 string IIRO Olympus ORF raw image data, little-endian +!:mime image/x-olympus-orf +0 string IIRS Olympus ORF raw image data, little-endian +!:mime image/x-olympus-orf + +# Type: files used in modern AVCHD camcoders to store clip information +# Extension: .cpi +# From: Alexander Danilov <alexander.a.danilov@gmail.com> +0 string HDMV0100 AVCHD Clip Information + +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ +# Radiance HDR; usually has .pic or .hdr extension. +0 string #?RADIANCE\n Radiance HDR image data +!:mime image/vnd.radiance + +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf +# Used by the pfstools packages. The regex matches for the image size could +# probably use some work. The MIME type is made up; if there's one in +# actual common use, it should replace the one below. +0 string PFS1\x0a PFS HDR image data +#!mime image/x-pfs +>1 regex [0-9]*\ \b, %s +>>1 regex \ [0-9]{4} \bx%s + +# Type: Foveon X3F +# URL: https://www.photofo.com/downloads/x3f-raw-format.pdf +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# Note that the MIME type isn't defined anywhere that I can find; if +# there's a canonical type for this format, it should replace this one. +0 string FOVb Foveon X3F raw image data +!:mime image/x-x3f +>6 uleshort x \b, version %d. +>4 uleshort x \b%d +>28 ulelong x \b, %dx +>32 ulelong x \b%d + +# Paint.NET file +# From Adam Buchbinder <adam.buchbinder@gmail.com> +0 string PDN3 Paint.NET image data +!:mime image/x-paintnet + +# Not really an image. +# From: "Tano M. Fotang" <mfotang@quanteq.com> +0 string \x46\x4d\x52\x00 ISO/IEC 19794-2 Format Minutiae Record (FMR) + +# doc: https://www.shikino.co.jp/eng/products/images/FLOWER.jpg.zip +# example: https://www.shikino.co.jp/eng/products/images/FLOWER.wdp.zip +90 ubequad 0x574D50484F544F00 JPEG-XR Image +>98 ubyte&0x08 =0x08 \b, hard tiling +>99 ubyte&0x80 =0x80 \b, tiling present +>99 ubyte&0x40 =0x40 \b, codestream present +>99 ubyte&0x38 x \b, spatial xform= +>99 ubyte&0x38 0x00 \bTL +>99 ubyte&0x38 0x08 \bBL +>99 ubyte&0x38 0x10 \bTR +>99 ubyte&0x38 0x18 \bBR +>99 ubyte&0x38 0x20 \bBT +>99 ubyte&0x38 0x28 \bRB +>99 ubyte&0x38 0x30 \bLT +>99 ubyte&0x38 0x38 \bLB +>100 ubyte&0x80 =0x80 \b, short header +>>102 ubeshort+1 x \b, %d +>>104 ubeshort+1 x \bx%d +>100 ubyte&0x80 =0x00 \b, long header +>>102 ubelong+1 x \b, %x +>>106 ubelong+1 x \bx%x +>101 ubeshort&0xf x \b, bitdepth= +>>101 ubeshort&0xf 0x0 \b1-WHITE=1 +>>101 ubeshort&0xf 0x1 \b8 +>>101 ubeshort&0xf 0x2 \b16 +>>101 ubeshort&0xf 0x3 \b16-SIGNED +>>101 ubeshort&0xf 0x4 \b16-FLOAT +>>101 ubeshort&0xf 0x5 \b(reserved 5) +>>101 ubeshort&0xf 0x6 \b32-SIGNED +>>101 ubeshort&0xf 0x7 \b32-FLOAT +>>101 ubeshort&0xf 0x8 \b5 +>>101 ubeshort&0xf 0x9 \b10 +>>101 ubeshort&0xf 0xa \b5-6-5 +>>101 ubeshort&0xf 0xb \b(reserved %d) +>>101 ubeshort&0xf 0xc \b(reserved %d) +>>101 ubeshort&0xf 0xd \b(reserved %d) +>>101 ubeshort&0xf 0xe \b(reserved %d) +>>101 ubeshort&0xf 0xf \b1-BLACK=1 +>101 ubeshort&0xf0 x \b, colorfmt= +>>101 ubeshort&0xf0 0x00 \bYONLY +>>101 ubeshort&0xf0 0x10 \bYUV240 +>>101 ubeshort&0xf0 0x20 \bYWV422 +>>101 ubeshort&0xf0 0x30 \bYWV444 +>>101 ubeshort&0xf0 0x40 \bCMYK +>>101 ubeshort&0xf0 0x50 \bCMYKDIRECT +>>101 ubeshort&0xf0 0x60 \bNCOMPONENT +>>101 ubeshort&0xf0 0x70 \bRGB +>>101 ubeshort&0xf0 0x80 \bRGBE +>>101 ubeshort&0xf0 >0x80 \b(reserved %#x) + +# From: Johan van der Knijff <johan.vanderknijff@kb.nl> +# +# BPG (Better Portable Graphics) format +# https://bellard.org/bpg/ +# http://fileformats.archiveteam.org/wiki/BPG +# +0 string \x42\x50\x47\xFB BPG (Better Portable Graphics) +!:mime image/bpg + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Apple_Icon_Image_format +0 string icns Mac OS X icon +!:mime image/x-icns +!:apple ????icns +!:ext icns +>4 ubelong >0 +# file size +>>4 ubelong x \b, %d bytes +# icon type +>>8 string x \b, "%4.4s" type + +# TIM images +# URL: http://fileformats.archiveteam.org/wiki/TIM_(PlayStation_graphics) +# Reference: https://mrclick.zophar.net/TilEd/download/timgfx.txt +# Update: Joerg Jenderek +# Note: called as "PSX TIM *bpp bitmap" by bitmap-tim-*.trid.xml +# verified as "TIM PSX" by XnView `nconvert -fullinfo *.tim` and +# by RECOIL `recoil2png -o TMP.PNG input.tim; file TMP.PNG` and often +# as "PSX TIM" by ImageMagick version 7.1.0-10 command `identify *.tim` +# here signed integers are used but according to Kaitai unsigned +0 ulelong 0x00000010 +# 32 Flag bits *cttt; c~CLUT flag t~type 000~4BPP 001~8BPP 010~16BPP 011~24BPP 100~Mixed +#>4 ulelong x FLAGS=%#x +# 12+Size of CLUT (2Ch for 4BPP; 20Ch 40Ch 60Ch 80Ch C0Ch for 8BPP) or +# +image data size (800Ch 2000Ch 2580C for 16BPP) (02000003h for dBase memo test.dbt) +#>8 ulelong x \b, 12+CLUT or data size=%#8.8x +# CLUT or data size remainder is 12 (Ch), but 03 for dBase memo test.dbt +#>8 ubyte&0x0F =0x0C \b, SIZE REMAINDER IS 12 +# skip dBase III memo test.dbt with invalid flags 22D10189h +>4 ulelong&0xffFFffF0 =0 Sony PlayStation PSX image, +# file (version 5.40) labeled the above entry as "TIM image" +!:mime image/x-sony-tim +!:ext tim +#>>4 ulelong&0x00000007 x \b, BPP~%u +# 4BPP and 8BPP examples exist with CLUT or without CLUT +>>4 ulelong&0x07 0x0 4-Bit, +>>4 ulelong&0x07 0x1 8-Bit, +# 16BPP and 24BPP examples have no CLUT +>>4 ulelong 0x2 15-Bit, +>>4 ulelong 0x3 24-Bit, +# no example +>>4 ulelong&0x07 0x4 Mixed-Bit, +# CLUT flag set +>>4 ulelong &8 +# 12 + size of CLUT like: 1000Ch 800Ch 400Ch 40Ch and 2FEh (KAGE.TIM) +#>>>(8.l+8) ulelong x \b, 12+CLUT SIZE=%#8.8x +>>>(8.l+12) uleshort x Pixel at (%d, +>>>(8.l+14) uleshort x \b%d) Size= +# image width (to get actual width multiply by 4 for 4BPP and by 2 for 8BPP) +>>>>4 ulelong 0x8 +>>>>>(8.l+16) uleshort*4 x \b%d +>>>>4 ulelong 0x9 +>>>>>(8.l+16) uleshort*2 x \b%d +# image height like: 32 64 128 144 160 208 256 +>>>(8.l+18) uleshort x \bx%d, +>>>4 ulelong 0x8 16 CLUT Entries at +>>>4 ulelong 0x9 256 CLUT Entries at +>>>12 uleshort x (%d, +>>>14 uleshort x \b%d) +# no Color LookUp Table (CLUT) +>>4 ulelong ^8 +# image origin X Y +>>>12 uleshort x Pixel at (%d, +>>>14 uleshort x \b%d) Size= +# real image width = multiply by 4 (4BPP) 2 (8BPP) 1 (16BPP) 2/3 (24BPP) +>>>>4 ulelong 0x0 +>>>>>16 uleshort*4 x \b%d +>>>>4 ulelong 0x1 +>>>>>16 uleshort*2 x \b%d +>>>>4 ulelong 0x2 +>>>>>16 uleshort x \b%d +>>>>4 ulelong 0x3 +# GRR: NOT working +#>>>>>16 uleshort*2/3 x \b%d +>>>>>16 uleshort x \b2/3*%d +# mixed format width not explained! +>>>>4 ulelong 0x4 +>>>>>16 uleshort x \b%d +# image height like: 64 240 256 +>>>18 uleshort x \bx%d +# TIM image data + +# MDEC streams +0 ulelong 0x80010160 MDEC video stream, +>16 uleshort x %dx +>18 uleshort x \b%d +#>8 ulelong x %d frames +#>4 uleshort x secCount=%d; +#>6 uleshort x nSectors=%d; +#>12 ulelong x frameSize=%d; + +# BS encoded bitstreams +2 uleshort 0x3800 BS image, +# GRR: the above line is also true for binary Computer Graphics Metafile SAB00012.CGM with long parameter length 56 (=38h) +>6 uleshort x Version %d, +>4 uleshort x Quantization %d, +>0 uleshort x (Decompresses to %d words) + +# Type: farbfeld image. +# Url: http://tools.suckless.org/farbfeld/ +# From: Ian D. Scott <ian@iandouglasscott.com> +# +0 string farbfeld farbfeld image data, +>8 ubelong x %dx +>12 ubelong x \b%d + +# Type: Microsoft DirectDraw Surface (DXGI formats) +# URL: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp +# From: Morten Hustveit <morten@debian.org> +# Updated by: David Korth <gerbilsoft@gerbilsoft.com> +0 name ms-directdraw-dx10 +>0 ulelong x \b, DXGI format: +>0 ulelong 1 R32G32B32A32_TYPELESS +>0 ulelong 2 R32G32B32A32_FLOAT +>0 ulelong 3 R32G32B32A32_UINT +>0 ulelong 4 R32G32B32A32_SINT +>0 ulelong 5 R32G32B32_TYPELESS +>0 ulelong 6 R32G32B32_FLOAT +>0 ulelong 7 R32G32B32_UINT +>0 ulelong 8 R32G32B32_SINT +>0 ulelong 9 R16G16B16A16_TYPELESS +>0 ulelong 10 R16G16B16A16_FLOAT +>0 ulelong 11 R16G16B16A16_UNORM +>0 ulelong 12 R16G16B16A16_UINT +>0 ulelong 13 R16G16B16A16_SNORM +>0 ulelong 14 R16G16B16A16_SINT +>0 ulelong 15 R32G32_TYPELESS +>0 ulelong 16 R32G32_FLOAT +>0 ulelong 17 R32G32_UINT +>0 ulelong 18 R32G32_SINT +>0 ulelong 19 R32G8X24_TYPELESS +>0 ulelong 20 D32_FLOAT_S8X24_UINT +>0 ulelong 21 R32_FLOAT_X8X24_TYPELESS +>0 ulelong 22 X32_TYPELESS_G8X24_UINT +>0 ulelong 23 R10G10B10A2_TYPELESS +>0 ulelong 24 R10G10B10A2_UNORM +>0 ulelong 25 R10G10B10A2_UINT +>0 ulelong 26 R11G11B10_FLOAT +>0 ulelong 27 R8G8B8A8_TYPELESS +>0 ulelong 28 R8G8B8A8_UNORM +>0 ulelong 29 R8G8B8A8_UNORM_SRGB +>0 ulelong 30 R8G8B8A8_UINT +>0 ulelong 31 R8G8B8A8_SNORM +>0 ulelong 32 R8G8B8A8_SINT +>0 ulelong 33 R16G16_TYPELESS +>0 ulelong 34 R16G16_FLOAT +>0 ulelong 35 R16G16_UNORM +>0 ulelong 36 R16G16_UINT +>0 ulelong 37 R16G16_SNORM +>0 ulelong 38 R16G16_SINT +>0 ulelong 39 R32_TYPELESS +>0 ulelong 40 D32_FLOAT +>0 ulelong 41 R32_FLOAT +>0 ulelong 42 R32_UINT +>0 ulelong 43 R32_SINT +>0 ulelong 44 R24G8_TYPELESS +>0 ulelong 45 D24_UNORM_S8_UINT +>0 ulelong 46 R24_UNORM_X8_TYPELESS +>0 ulelong 47 X24_TYPELESS_G8_UINT +>0 ulelong 48 R8G8_TYPELESS +>0 ulelong 49 R8G8_UNORM +>0 ulelong 50 R8G8_UINT +>0 ulelong 51 R8G8_SNORM +>0 ulelong 52 R8G8_SINT +>0 ulelong 53 R16_TYPELESS +>0 ulelong 54 R16_FLOAT +>0 ulelong 55 D16_UNORM +>0 ulelong 56 R16_UNORM +>0 ulelong 57 R16_UINT +>0 ulelong 58 R16_SNORM +>0 ulelong 59 R16_SINT +>0 ulelong 60 R8_TYPELESS +>0 ulelong 61 R8_UNORM +>0 ulelong 62 R8_UINT +>0 ulelong 63 R8_SNORM +>0 ulelong 64 R8_SINT +>0 ulelong 65 A8_UNORM +>0 ulelong 66 R1_UNORM +>0 ulelong 67 R9G9B9E5_SHAREDEXP +>0 ulelong 68 R8G8_B8G8_UNORM +>0 ulelong 69 G8R8_G8B8_UNORM +>0 ulelong 70 BC1_TYPELESS +>0 ulelong 71 BC1_UNORM +>0 ulelong 72 BC1_UNORM_SRGB +>0 ulelong 73 BC2_TYPELESS +>0 ulelong 74 BC2_UNORM +>0 ulelong 75 BC2_UNORM_SRGB +>0 ulelong 76 BC3_TYPELESS +>0 ulelong 77 BC3_UNORM +>0 ulelong 78 BC3_UNORM_SRGB +>0 ulelong 79 BC4_TYPELESS +>0 ulelong 80 BC4_UNORM +>0 ulelong 81 BC4_SNORM +>0 ulelong 82 BC5_TYPELESS +>0 ulelong 83 BC5_UNORM +>0 ulelong 84 BC5_SNORM +>0 ulelong 85 B5G6R5_UNORM +>0 ulelong 86 B5G5R5A1_UNORM +>0 ulelong 87 B8G8R8A8_UNORM +>0 ulelong 88 B8G8R8X8_UNORM +>0 ulelong 89 R10G10B10_XR_BIAS_A2_UNORM +>0 ulelong 90 B8G8R8A8_TYPELESS +>0 ulelong 91 B8G8R8A8_UNORM_SRGB +>0 ulelong 92 B8G8R8X8_TYPELESS +>0 ulelong 93 B8G8R8X8_UNORM_SRGB +>0 ulelong 94 BC6H_TYPELESS +>0 ulelong 95 BC6H_UF16 +>0 ulelong 96 BC6H_SF16 +>0 ulelong 97 BC7_TYPELESS +>0 ulelong 98 BC7_UNORM +>0 ulelong 99 BC7_UNORM_SRGB +>0 ulelong 100 AYUV +>0 ulelong 101 Y410 +>0 ulelong 102 Y416 +>0 ulelong 103 NV12 +>0 ulelong 104 P010 +>0 ulelong 105 P016 +>0 ulelong 106 420_OPAQUE +>0 ulelong 107 YUY2 +>0 ulelong 108 Y210 +>0 ulelong 109 Y216 +>0 ulelong 110 NV11 +>0 ulelong 111 AI44 +>0 ulelong 112 IA44 +>0 ulelong 113 P8 +>0 ulelong 114 A8P8 +>0 ulelong 115 B4G4R4A4_UNORM + +>0 ulelong 116 XBOX_R10G10B10_7E3_A2_FLOAT +>0 ulelong 117 XBOX_R10G10B10_6E4_A2_FLOAT +>0 ulelong 118 XBOX_D16_UNORM_S8_UINT +>0 ulelong 119 XBOX_R16_UNORM_X8_TYPELESS +>0 ulelong 120 XBOX_X16_TYPELESS_G8_UINT + +>0 ulelong 130 DXGI_FORMAT_P208 +>0 ulelong 131 DXGI_FORMAT_V208 +>0 ulelong 132 DXGI_FORMAT_V408 + +>0 ulelong 133 ASTC_4X4_TYPELESS +>0 ulelong 134 ASTC_4X4_UNORM +>0 ulelong 135 ASTC_4X4_UNORM_SRGB +>0 ulelong 137 ASTC_5X4_TYPELESS +>0 ulelong 138 ASTC_5X4_UNORM +>0 ulelong 139 ASTC_5X4_UNORM_SRGB +>0 ulelong 141 ASTC_5X5_TYPELESS +>0 ulelong 142 ASTC_5X5_UNORM +>0 ulelong 143 ASTC_5X5_UNORM_SRGB +>0 ulelong 145 ASTC_6X5_TYPELESS +>0 ulelong 146 ASTC_6X5_UNORM +>0 ulelong 147 ASTC_6X5_UNORM_SRGB +>0 ulelong 149 ASTC_6X6_TYPELESS +>0 ulelong 150 ASTC_6X6_UNORM +>0 ulelong 151 ASTC_6X6_UNORM_SRGB +>0 ulelong 153 ASTC_8X5_TYPELESS +>0 ulelong 154 ASTC_8X5_UNORM +>0 ulelong 155 ASTC_8X5_UNORM_SRGB +>0 ulelong 157 ASTC_8X6_TYPELESS +>0 ulelong 158 ASTC_8X6_UNORM +>0 ulelong 159 ASTC_8X6_UNORM_SRGB +>0 ulelong 161 ASTC_8X8_TYPELESS +>0 ulelong 162 ASTC_8X8_UNORM +>0 ulelong 163 ASTC_8X8_UNORM_SRGB +>0 ulelong 165 ASTC_10X5_TYPELESS +>0 ulelong 166 ASTC_10X5_UNORM +>0 ulelong 167 ASTC_10X5_UNORM_SRGB +>0 ulelong 169 ASTC_10X6_TYPELESS +>0 ulelong 170 ASTC_10X6_UNORM +>0 ulelong 171 ASTC_10X6_UNORM_SRGB +>0 ulelong 173 ASTC_10X8_TYPELESS +>0 ulelong 174 ASTC_10X8_UNORM +>0 ulelong 175 ASTC_10X8_UNORM_SRGB +>0 ulelong 177 ASTC_10X10_TYPELESS +>0 ulelong 178 ASTC_10X10_UNORM +>0 ulelong 179 ASTC_10X10_UNORM_SRGB +>0 ulelong 181 ASTC_12X10_TYPELESS +>0 ulelong 182 ASTC_12X10_UNORM +>0 ulelong 183 ASTC_12X10_UNORM_SRGB +>0 ulelong 185 ASTC_12X12_TYPELESS +>0 ulelong 186 ASTC_12X12_UNORM +>0 ulelong 187 ASTC_12X12_UNORM_SRGB + +>0 ulelong 190 XBOX_R10G10B10_SNORM_A2_UNORM +>0 ulelong 189 XBOX_R4G4_UNORM +>0 ulelong 0xFFFFFFFF DXGI_FORMAT_FORCE_UINT + +# Type: Microsoft DirectDraw Surface (common data) +# URL: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp +# From: Morten Hustveit <morten@debian.org> +# Updated by: David Korth <gerbilsoft@gerbilsoft.com> +0 name ms-directdraw-surface +>0x10 ulelong x %u x +>0x0C ulelong x %u +# Color depth. +>0x58 ulelong >0 \b, %u-bit color +# Determine the pixel format. +>0x50 ulelong&0x4 4 +# FIXME: Handle DX10 and XBOX formats. +>>0x54 string DX10 +>>>0x80 use ms-directdraw-dx10 +>>0x54 string !DX10 \b, compressed using %.4s +>0x50 ulelong&0x2 0x2 \b, alpha only +>0x50 ulelong&0x200 0x200 \b, YUV +>0x50 ulelong&0x20000 0x20000 \b, luminance +# RGB pixel format +>0x50 ulelong&0x40 0x40 + +# Determine the RGB format using the color masks. +# ulequad order: 0xGGGGGGGGRRRRRRRR, 0xAAAAAAAABBBBBBBB + +>>0x58 ulelong 16 + +# NOTE: 15-bit color formats usually have 16-bit listed as the color depth. +>>>0x5C ulequad 0x000003E000007C00 +>>>>0x64 ulequad 0x000000000000001F \b, RGB555 +>>>0x5C ulequad 0x000003E000001F00 +>>>>0x64 ulequad 0x000000000000007C \b, BGR555 + +>>>0x5C ulequad 0x000007E00000F800 +>>>>0x64 ulequad 0x000000000000001F \b, RGB565 +>>>0x5C ulequad 0x000007E000001F00 +>>>>0x64 ulequad 0x00000000000000F8 \b, BGR565 + +>>>0x5C ulequad 0x000000F000000F00 +>>>>0x64 ulequad 0x0000F0000000000F \b, ARGB4444 +>>>0x5C ulequad 0x000000F00000000F +>>>>0x64 ulequad 0x0000F00000000F00 \b, ABGR4444 + +>>>0x5C ulequad 0x00000F000000F000 +>>>>0x64 ulequad 0x0000000F000000F0 \b, RGBA4444 +>>>0x5C ulequad 0x00000F00000000F0 +>>>>0x64 ulequad 0x0000000F0000F000 \b, BGRA4444 + +>>>0x5C ulequad 0x000000F000000F00 +>>>>0x64 ulequad 0x000000000000000F \b, xRGB4444 +>>>0x5C ulequad 0x000000F00000000F +>>>>0x64 ulequad 0x0000000000000F00 \b, xBGR4444 + +>>>0x5C ulequad 0x00000F000000F000 +>>>>0x64 ulequad 0x00000000000000F0 \b, RGBx4444 +>>>0x5C ulequad 0x00000F00000000F0 +>>>>0x64 ulequad 0x000000000000F000 \b, BGRx4444 + +>>>0x5C ulequad 0x000003E000007C00 +>>>>0x64 ulequad 0x000080000000001F \b, ARGB1555 +>>>0x5C ulequad 0x000003E000001F00 +>>>>0x64 ulequad 0x000080000000007C \b, ABGR1555 +>>>0x5C ulequad 0x000007C00000F800 +>>>>0x64 ulequad 0x000000010000003E \b, RGBA5551 +>>>0x5C ulequad 0x000007C00000003E +>>>>0x64 ulequad 0x000000010000F800 \b, BGRA5551 + +>>88 ulelong 24 +>>>0x5C ulequad 0x0000FF0000FF0000 +>>>>0x64 ulequad 0x00000000000000FF \b, RGB888 +>>>0x5C ulequad 0x0000FF00000000FF +>>>>0x64 ulequad 0x0000000000FF0000 \b, BGR888 + +>>88 ulelong 32 +>>>0x5C ulequad 0x0000FF0000FF0000 +>>>>0x64 ulequad 0xFF000000000000FF \b, ARGB8888 +>>>0x5C ulequad 0x0000FF00000000FF +>>>>0x64 ulequad 0xFF00000000FF0000 \b, ABGR8888 + +>>>0x5C ulequad 0x00FF0000FF000000 +>>>>0x64 ulequad 0x000000FF0000FF00 \b, RGBA8888 +>>>0x5C ulequad 0x00FF00000000FF00 +>>>>0x64 ulequad 0x000000FFFF000000 \b, BGBA8888 + +>>>0x5C ulequad 0x0000FF0000FF0000 +>>>>0x64 ulequad 0x00000000000000FF \b, xRGB8888 +>>>0x5C ulequad 0x0000FF00000000FF +>>>>0x64 ulequad 0x0000000000FF0000 \b, xBGR8888 + +>>>0x5C ulequad 0x00FF0000FF000000 +>>>>0x64 ulequad 0x000000000000FF00 \b, RGBx8888 +>>>0x5C ulequad 0x00FF00000000FF00 +>>>>0x64 ulequad 0x00000000FF000000 \b, BGBx8888 + +# Less common 32-bit color formats. +>>>0x5C ulequad 0xFFFF00000000FFFF +>>>>0x64 ulequad 0x0000000000000000 \b, G16R16 +>>>0x5C ulequad 0x0000FFFFFFFF0000 +>>>>0x64 ulequad 0x0000000000000000 \b, R16G16 + +>>>0x5C ulequad 0x000FFC003FF00000 +>>>>0x64 ulequad 0xC0000000000003FF \b, A2R10G10B10 +>>>0x5C ulequad 0x000FFC00000003FF +>>>>0x64 ulequad 0xC00000003FF00000 \b, A2B10G10R10 + +# Type: Microsoft DirectDraw Surface +# URL: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp +# From: Morten Hustveit <morten@debian.org> +# Updated by: David Korth <gerbilsoft@gerbilsoft.com> +0 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS): +>0 use ms-directdraw-surface + +# Type: Sega PVR image. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://fabiensanglard.net/Mykaruga/tools/segaPVRFormat.txt +# - https://github.com/yazgoo/pvrx2png +# - https://github.com/nickworonekin/puyotools + +# Sega PVR header. +0 name sega-pvr-image-header +>0x0C uleshort x %u x +>0x0E uleshort x %u +# Image format. +>0x08 ubyte 0 \b, ARGB1555 +>0x08 ubyte 1 \b, RGB565 +>0x08 ubyte 2 \b, ARGB4444 +>0x08 ubyte 3 \b, YUV442 +>0x08 ubyte 4 \b, Bump +>0x08 ubyte 5 \b, 4bpp +>0x08 ubyte 6 \b, 8bpp +# Image data type. +>0x09 ubyte 0x01 \b, square twiddled +>0x09 ubyte 0x02 \b, square twiddled & mipmap +>0x09 ubyte 0x03 \b, VQ +>0x09 ubyte 0x04 \b, VQ & mipmap +>0x09 ubyte 0x05 \b, 8-bit CLUT twiddled +>0x09 ubyte 0x06 \b, 4-bit CLUT twiddled +>0x09 ubyte 0x07 \b, 8-bit direct twiddled +>0x09 ubyte 0x08 \b, 4-bit direct twiddled +>0x09 ubyte 0x09 \b, rectangle +>0x09 ubyte 0x0B \b, rectangular stride +>0x09 ubyte 0x0D \b, rectangular twiddled +>0x09 ubyte 0x10 \b, small VQ +>0x09 ubyte 0x11 \b, small VQ & mipmap +>0x09 ubyte 0x12 \b, square twiddled & mipmap + +# Sega PVR image. +0 string PVRT +>0x10 string DDS\040\174\000\000\000 Sega PVR (Xbox) image: +>>0x20 use ms-directdraw-surface +>0x10 ubelong !0x44445320 Sega PVR image: +>>0 use sega-pvr-image-header + +# Sega PVR image with GBIX. +0 string GBIX +>0x10 string PVRT +>>0x10 string DDS\040\174\000\000\000 Sega PVR (Xbox) image: +>>>0x20 use ms-directdraw-surface +>>0x10 ubelong !0x44445320 Sega PVR image: +>>>0x10 use sega-pvr-image-header +>>0x08 ulelong x \b, global index = %u + +# Sega GVR header. +0 name sega-gvr-image-header +>0x0C ubeshort x %u x +>0x0E ubeshort x %u +# Image data format. +>0x0B ubyte 0 \b, I4 +>0x0B ubyte 1 \b, I8 +>0x0B ubyte 2 \b, IA4 +>0x0B ubyte 3 \b, IA8 +>0x0B ubyte 4 \b, RGB565 +>0x0B ubyte 5 \b, RGB5A3 +>0x0B ubyte 6 \b, ARGB8888 +>0x0B ubyte 8 \b, CI4 +>0x0B ubyte 9 \b, CI8 +>0x0B ubyte 14 \b, DXT1 + +# Sega GVR image. +0 string GVRT Sega GVR image: +>0x10 use sega-gvr-image-header + +# Sega GVR image with GBIX. +0 string GBIX +>0x10 string GVRT Sega GVR image: +>>0x10 use sega-gvr-image-header +>>0x08 ubelong x \b, global index = %u + +# Sega GVR image with GCIX. (Wii) +0 string GCIX +>0x10 string GVRT Sega GVR image: +>>0x10 use sega-gvr-image-header +>>0x08 ubelong x \b, global index = %u + +# Light Field Picture +# Documentation: http://optics.miloush.net/lytro/TheFileFormat.aspx +# Typical file extensions: .lfp .lfr .lfx + +0 ubelong 0x894C4650 +>4 ubelong 0x0D0A1A0A +>12 ubelong 0x00000000 Lytro Light Field Picture +>8 ubelong x \b, version %d + +# Type: Vision Research Phantom CINE Format +# URL: https://www.phantomhighspeed.com/ +# URL2: http://phantomhighspeed.force.com/vriknowledge/servlet/fileField?id=0BEU0000000Cfyk +# From: Harry Mallon <hjmallon at gmail.com> +# +# This has a short "CI" code but the 44 is the size of the struct which is +# stable +0 string CI +>2 uleshort 44 Vision Research CINE Video, +>>4 uleshort 0 Grayscale, +>>4 uleshort 1 JPEG Compressed, +>>4 uleshort 2 RAW, +>>6 uleshort x version %d, +>>20 ulelong x %d frames, +>>48 ulelong x %dx +>>52 ulelong x \b%d + +# Type: ARRI Raw Image +# Info: SMPTE RDD30:2014 +# From: Harry Mallon <hjmallon at gmail.com> +0 string ARRI ARRI ARI image data, +>4 ulelong 0x78563412 little-endian, +>4 ulelong 0x12345678 big-endian, +>12 ulelong x version %d, +>20 ulelong x %dx +>24 ulelong x \b%d + +# Type: Khronos KTX texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://www.khronos.org/opengles/sdk/tools/KTX/file_format_spec/ + +# glEnum decoding. +# NOTE: Only the most common formats are listed here. +0 name khronos-ktx-glEnum +>0 ulelong 0x1907 \b, RGB +>0 ulelong 0x1908 \b, RGBA +>0 ulelong 0x1909 \b, LUMINANCE +>0 ulelong 0x190A \b, LUMINANCE_ALPHA +>0 ulelong 0x80E1 \b, BGR +>0 ulelong 0x80E2 \b, BGRA +>0 ulelong 0x83A0 \b, RGB_S3TC +>0 ulelong 0x83A1 \b, RGB4_S3TC +>0 ulelong 0x83A2 \b, RGBA_S3TC +>0 ulelong 0x83A3 \b, RGBA4_S3TC +>0 ulelong 0x83A4 \b, RGBA_DXT5_S3TC +>0 ulelong 0x83A5 \b, RGBA4_DXT5_S3TC +>0 ulelong 0x83F0 \b, COMPRESSED_RGB_S3TC_DXT1_EXT +>0 ulelong 0x83F1 \b, COMPRESSED_RGBA_S3TC_DXT1_EXT +>0 ulelong 0x83F2 \b, COMPRESSED_RGBA_S3TC_DXT3_EXT +>0 ulelong 0x83F3 \b, COMPRESSED_RGBA_S3TC_DXT5_EXT +>0 ulelong 0x8D64 \b, ETC1_RGB8_OES +>0 ulelong 0x9270 \b, COMPRESSED_R11_EAC +>0 ulelong 0x9271 \b, COMPRESSED_SIGNED_R11_EAC +>0 ulelong 0x9272 \b, COMPRESSED_RG11_EAC +>0 ulelong 0x9273 \b, COMPRESSED_SIGNED_RG11_EAC +>0 ulelong 0x9274 \b, COMPRESSED_RGB8_ETC2 +>0 ulelong 0x9275 \b, COMPRESSED_SRGB8_ETC2 +>0 ulelong 0x9276 \b, COMPRESSED_RGB8_PUNCHTHROUGH_ALPHA1_ETC2 +>0 ulelong 0x9277 \b, COMPRESSED_SRGB8_PUNCHTHROUGH_ALPHA1_ETC2 +>0 ulelong 0x9278 \b, COMPRESSED_RGBA2_ETC2_EAC +>0 ulelong 0x9279 \b, COMPRESSED_SRGB8_ALPHA8_ETC2_EAC +>0 ulelong 0x93B0 \b, COMPRESSED_RGBA_ASTC_4x4_KHR +>0 ulelong 0x93B1 \b, COMPRESSED_RGBA_ASTC_5x4_KHR +>0 ulelong 0x93B2 \b, COMPRESSED_RGBA_ASTC_5x5_KHR +>0 ulelong 0x93B3 \b, COMPRESSED_RGBA_ASTC_6x5_KHR +>0 ulelong 0x93B4 \b, COMPRESSED_RGBA_ASTC_6x6_KHR +>0 ulelong 0x93B5 \b, COMPRESSED_RGBA_ASTC_8x5_KHR +>0 ulelong 0x93B6 \b, COMPRESSED_RGBA_ASTC_8x6_KHR +>0 ulelong 0x93B7 \b, COMPRESSED_RGBA_ASTC_8x8_KHR +>0 ulelong 0x93B8 \b, COMPRESSED_RGBA_ASTC_10x5_KHR +>0 ulelong 0x93B9 \b, COMPRESSED_RGBA_ASTC_10x6_KHR +>0 ulelong 0x93BA \b, COMPRESSED_RGBA_ASTC_10x8_KHR +>0 ulelong 0x93BB \b, COMPRESSED_RGBA_ASTC_10x10_KHR +>0 ulelong 0x93BC \b, COMPRESSED_RGBA_ASTC_12x10_KHR +>0 ulelong 0x93BD \b, COMPRESSED_RGBA_ASTC_12x12_KHR +>0 ulelong 0x93D0 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_4x4_KHR +>0 ulelong 0x93D1 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_5x4_KHR +>0 ulelong 0x93D2 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_5x5_KHR +>0 ulelong 0x93D3 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_6x5_KHR +>0 ulelong 0x93D4 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_6x6_KHR +>0 ulelong 0x93D5 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x5_KHR +>0 ulelong 0x93D6 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x6_KHR +>0 ulelong 0x93D7 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x8_KHR +>0 ulelong 0x93D8 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x5_KHR +>0 ulelong 0x93D9 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x6_KHR +>0 ulelong 0x93DA \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x8_KHR +>0 ulelong 0x93DB \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x10_KHR +>0 ulelong 0x93DC \b, COMPRESSED_SRGB8_ALPHA8_ASTC_12x10_KHR +>0 ulelong 0x93DD \b, COMPRESSED_SRGB8_ALPHA8_ASTC_12x12_KHR + +# Endian-specific KTX header. +# TODO: glType (all textures I've seen so far are GL_UNSIGNED_BYTE) +0 name khronos-ktx-endian-header +>20 ulelong x \b, %u +>24 ulelong >1 x %u +>28 ulelong >1 x %u +>8 ulelong >0 +>>8 use khronos-ktx-glEnum +>8 ulelong 0 +>>12 use khronos-ktx-glEnum + +# Main KTX header. +# Determine endianness, then check the rest of the header. +0 string \xABKTX\ 11\xBB\r\n\x1A\n Khronos KTX texture +>12 ulelong 0x04030201 (little-endian) +>>16 use khronos-ktx-endian-header +>12 ubelong 0x04030201 (big-endian) +>>16 use \^khronos-ktx-endian-header + +# Type: Khronos KTX2 texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Based on draft19. +# Reference: http://github.khronos.org/KTX-Specification/ + +# Supercompression enum. +0 name khronos-ktx2-supercompression +>0 ulelong 1 BasisLZ +>0 ulelong 2 Zstandard +>0 ulelong 3 ZLIB + +# Vulkan format identifier. +# NOTE: Formats prohibited from KTX2 are commented out. +0 name khronos-ktx2-vkFormat +>0 ulelong 0 UNDEFINED +>0 ulelong 1 R4G4_UNORM_PACK8 +>0 ulelong 2 R4G4B4A4_UNORM_PACK16 +>0 ulelong 3 B4G4R4A4_UNORM_PACK16 +>0 ulelong 4 R5G6B5_UNORM_PACK16 +>0 ulelong 5 B5G6R5_UNORM_PACK16 +>0 ulelong 6 R5G5B5A1_UNORM_PACK16 +>0 ulelong 7 B5G5R5A1_UNORM_PACK16 +>0 ulelong 8 A1R5G5B5_UNORM_PACK16 +>0 ulelong 9 R8_UNORM +>0 ulelong 10 R8_SNORM +#>0 ulelong 11 R8_USCALED +#>0 ulelong 12 R8_SSCALED +>0 ulelong 13 R8_UINT +>0 ulelong 14 R8_SINT +>0 ulelong 15 R8_SRGB +>0 ulelong 16 R8G8_UNORM +>0 ulelong 17 R8G8_SNORM +#>0 ulelong 18 R8G8_USCALED +#>0 ulelong 19 R8G8_SSCALED +>0 ulelong 20 R8G8_UINT +>0 ulelong 21 R8G8_SINT +>0 ulelong 22 R8G8_SRGB +>0 ulelong 23 R8G8B8_UNORM +>0 ulelong 24 R8G8B8_SNORM +#>0 ulelong 25 R8G8B8_USCALED +#>0 ulelong 26 R8G8B8_SSCALED +>0 ulelong 27 R8G8B8_UINT +>0 ulelong 28 R8G8B8_SINT +>0 ulelong 29 R8G8B8_SRGB +>0 ulelong 30 B8G8R8_UNORM +>0 ulelong 31 B8G8R8_SNORM +#>0 ulelong 32 B8G8R8_USCALED +#>0 ulelong 33 B8G8R8_SSCALED +>0 ulelong 34 B8G8R8_UINT +>0 ulelong 35 B8G8R8_SINT +>0 ulelong 36 B8G8R8_SRGB +>0 ulelong 37 R8G8B8A8_UNORM +>0 ulelong 38 R8G8B8A8_SNORM +#>0 ulelong 39 R8G8B8A8_USCALED +#>0 ulelong 40 R8G8B8A8_SSCALED +>0 ulelong 41 R8G8B8A8_UINT +>0 ulelong 42 R8G8B8A8_SINT +>0 ulelong 43 R8G8B8A8_SRGB +>0 ulelong 44 B8G8R8A8_UNORM +>0 ulelong 45 B8G8R8A8_SNORM +#>0 ulelong 46 B8G8R8A8_USCALED +#>0 ulelong 47 B8G8R8A8_SSCALED +>0 ulelong 48 B8G8R8A8_UINT +>0 ulelong 49 B8G8R8A8_SINT +>0 ulelong 50 B8G8R8A8_SRGB +#>0 ulelong 51 A8B8G8R8_UNORM_PACK32 +#>0 ulelong 52 A8B8G8R8_SNORM_PACK32 +#>0 ulelong 53 A8B8G8R8_USCALED_PACK32 +#>0 ulelong 54 A8B8G8R8_SSCALED_PACK32 +#>0 ulelong 55 A8B8G8R8_UINT_PACK32 +#>0 ulelong 56 A8B8G8R8_SINT_PACK32 +#>0 ulelong 57 A8B8G8R8_SRGB_PACK32 +>0 ulelong 58 A2R10G10B10_UNORM_PACK32 +>0 ulelong 59 A2R10G10B10_SNORM_PACK32 +#>0 ulelong 60 A2R10G10B10_USCALED_PACK32 +#>0 ulelong 61 A2R10G10B10_SSCALED_PACK32 +>0 ulelong 62 A2R10G10B10_UINT_PACK32 +>0 ulelong 63 A2R10G10B10_SINT_PACK32 +>0 ulelong 64 A2B10G10R10_UNORM_PACK32 +>0 ulelong 65 A2B10G10R10_SNORM_PACK32 +#>0 ulelong 66 A2B10G10R10_USCALED_PACK32 +#>0 ulelong 67 A2B10G10R10_SSCALED_PACK32 +>0 ulelong 68 A2B10G10R10_UINT_PACK32 +>0 ulelong 69 A2B10G10R10_SINT_PACK32 +>0 ulelong 70 R16_UNORM +>0 ulelong 71 R16_SNORM +#>0 ulelong 72 R16_USCALED +#>0 ulelong 73 R16_SSCALED +>0 ulelong 74 R16_UINT +>0 ulelong 75 R16_SINT +>0 ulelong 76 R16_SFLOAT +>0 ulelong 77 R16G16_UNORM +>0 ulelong 78 R16G16_SNORM +#>0 ulelong 79 R16G16_USCALED +#>0 ulelong 80 R16G16_SSCALED +>0 ulelong 81 R16G16_UINT +>0 ulelong 82 R16G16_SINT +>0 ulelong 83 R16G16_SFLOAT +>0 ulelong 84 R16G16B16_UNORM +>0 ulelong 85 R16G16B16_SNORM +#>0 ulelong 86 R16G16B16_USCALED +#>0 ulelong 87 R16G16B16_SSCALED +>0 ulelong 88 R16G16B16_UINT +>0 ulelong 89 R16G16B16_SINT +>0 ulelong 90 R16G16B16_SFLOAT +>0 ulelong 91 R16G16B16A16_UNORM +>0 ulelong 92 R16G16B16A16_SNORM +#>0 ulelong 93 R16G16B16A16_USCALED +#>0 ulelong 94 R16G16B16A16_SSCALED +>0 ulelong 95 R16G16B16A16_UINT +>0 ulelong 96 R16G16B16A16_SINT +>0 ulelong 97 R16G16B16A16_SFLOAT +>0 ulelong 98 R32_UINT +>0 ulelong 99 R32_SINT +>0 ulelong 100 R32_SFLOAT +>0 ulelong 101 R32G32_UINT +>0 ulelong 102 R32G32_SINT +>0 ulelong 103 R32G32_SFLOAT +>0 ulelong 104 R32G32B32_UINT +>0 ulelong 105 R32G32B32_SINT +>0 ulelong 106 R32G32B32_SFLOAT +>0 ulelong 107 R32G32B32A32_UINT +>0 ulelong 108 R32G32B32A32_SINT +>0 ulelong 109 R32G32B32A32_SFLOAT +>0 ulelong 110 R64_UINT +>0 ulelong 111 R64_SINT +>0 ulelong 112 R64_SFLOAT +>0 ulelong 113 R64G64_UINT +>0 ulelong 114 R64G64_SINT +>0 ulelong 115 R64G64_SFLOAT +>0 ulelong 116 R64G64B64_UINT +>0 ulelong 117 R64G64B64_SINT +>0 ulelong 118 R64G64B64_SFLOAT +>0 ulelong 119 R64G64B64A64_UINT +>0 ulelong 120 R64G64B64A64_SINT +>0 ulelong 121 R64G64B64A64_SFLOAT +>0 ulelong 122 B10G11R11_UFLOAT_PACK32 +>0 ulelong 123 E5B9G9R9_UFLOAT_PACK32 +>0 ulelong 124 D16_UNORM +>0 ulelong 125 X8_D24_UNORM_PACK32 +>0 ulelong 126 D32_SFLOAT +>0 ulelong 127 S8_UINT +>0 ulelong 128 D16_UNORM_S8_UINT +>0 ulelong 129 D24_UNORM_S8_UINT +>0 ulelong 130 D32_SFLOAT_S8_UINT + +>0 ulelong 131 BC1_RGB_UNORM_BLOCK +>0 ulelong 132 BC1_RGB_SRGB_BLOCK +>0 ulelong 133 BC1_RGBA_UNORM_BLOCK +>0 ulelong 134 BC1_RGBA_SRGB_BLOCK +>0 ulelong 135 BC2_UNORM_BLOCK +>0 ulelong 136 BC2_SRGB_BLOCK +>0 ulelong 137 BC3_UNORM_BLOCK +>0 ulelong 138 BC3_SRGB_BLOCK +>0 ulelong 139 BC4_UNORM_BLOCK +>0 ulelong 140 BC4_SNORM_BLOCK +>0 ulelong 141 BC5_UNORM_BLOCK +>0 ulelong 142 BC5_SNORM_BLOCK +>0 ulelong 143 BC6H_UFLOAT_BLOCK +>0 ulelong 144 BC6H_SFLOAT_BLOCK +>0 ulelong 145 BC7_UNORM_BLOCK +>0 ulelong 146 BC7_SRGB_BLOCK + +>0 ulelong 147 ETC2_R8G8B8_UNORM_BLOCK +>0 ulelong 148 ETC2_R8G8B8_SRGB_BLOCK +>0 ulelong 149 ETC2_R8G8B8A1_UNORM_BLOCK +>0 ulelong 150 ETC2_R8G8B8A1_SRGB_BLOCK +>0 ulelong 151 ETC2_R8G8B8A8_UNORM_BLOCK +>0 ulelong 152 ETC2_R8G8B8A8_SRGB_BLOCK + +>0 ulelong 153 EAC_R11_UNORM_BLOCK +>0 ulelong 154 EAC_R11_SNORM_BLOCK +>0 ulelong 155 EAC_R11G11_UNORM_BLOCK +>0 ulelong 156 EAC_R11G11_SNORM_BLOCK + +>0 ulelong 157 ASTC_4x4_UNORM_BLOCK +>0 ulelong 158 ASTC_4x4_SRGB_BLOCK +>0 ulelong 159 ASTC_5x4_UNORM_BLOCK +>0 ulelong 160 ASTC_5x4_SRGB_BLOCK +>0 ulelong 161 ASTC_5x5_UNORM_BLOCK +>0 ulelong 162 ASTC_5x5_SRGB_BLOCK +>0 ulelong 163 ASTC_6x5_UNORM_BLOCK +>0 ulelong 164 ASTC_6x5_SRGB_BLOCK +>0 ulelong 165 ASTC_6x6_UNORM_BLOCK +>0 ulelong 166 ASTC_6x6_SRGB_BLOCK +>0 ulelong 167 ASTC_8x5_UNORM_BLOCK +>0 ulelong 168 ASTC_8x5_SRGB_BLOCK +>0 ulelong 169 ASTC_8x6_UNORM_BLOCK +>0 ulelong 170 ASTC_8x6_SRGB_BLOCK +>0 ulelong 171 ASTC_8x8_UNORM_BLOCK +>0 ulelong 172 ASTC_8x8_SRGB_BLOCK +>0 ulelong 173 ASTC_10x5_UNORM_BLOCK +>0 ulelong 174 ASTC_10x5_SRGB_BLOCK +>0 ulelong 175 ASTC_10x6_UNORM_BLOCK +>0 ulelong 176 ASTC_10x6_SRGB_BLOCK +>0 ulelong 177 ASTC_10x8_UNORM_BLOCK +>0 ulelong 178 ASTC_10x8_SRGB_BLOCK +>0 ulelong 179 ASTC_10x10_UNORM_BLOCK +>0 ulelong 180 ASTC_10x10_SRGB_BLOCK +>0 ulelong 181 ASTC_12x10_UNORM_BLOCK +>0 ulelong 182 ASTC_12x10_SRGB_BLOCK +>0 ulelong 183 ASTC_12x12_UNORM_BLOCK +>0 ulelong 184 ASTC_12x12_SRGB_BLOCK + +>0 ulelong 1000156000 G8B8G8R8_422_UNORM +>0 ulelong 1000156001 B8G8R8G8_422_UNORM +>0 ulelong 1000156002 G8_B8_R8_3PLANE_420_UNORM +>0 ulelong 1000156003 G8_B8R8_2PLANE_420_UNORM +>0 ulelong 1000156004 G8_B8_R8_3PLANE_422_UNORM +>0 ulelong 1000156005 G8_B8R8_2PLANE_422_UNORM +>0 ulelong 1000156006 G8_B8_R8_3PLANE_444_UNORM +>0 ulelong 1000156007 R10X6_UNORM_PACK16 +>0 ulelong 1000156008 R10X6G10X6_UNORM_2PACK16 +>0 ulelong 1000156009 R10X6G10X6B10X6A10X6_UNORM_4PACK16 +>0 ulelong 1000156010 G10X6B10X6G10X6R10X6_422_UNORM_4PACK16 +>0 ulelong 1000156011 B10X6G10X6R10X6G10X6_422_UNORM_4PACK16 +>0 ulelong 1000156012 G10X6_B10X6_R10X6_3PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156013 G10X6_B10X6R10X6_2PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156014 G10X6_B10X6_R10X6_3PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156015 G10X6_B10X6R10X6_2PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156016 G10X6_B10X6_R10X6_3PLANE_444_UNORM_3PACK16 +>0 ulelong 1000156017 R12X4_UNORM_PACK16 +>0 ulelong 1000156018 R12X4G12X4_UNORM_2PACK16 +>0 ulelong 1000156019 R12X4G12X4B12X4A12X4_UNORM_4PACK16 +>0 ulelong 1000156020 G12X4B12X4G12X4R12X4_422_UNORM_4PACK16 +>0 ulelong 1000156021 B12X4G12X4R12X4G12X4_422_UNORM_4PACK16 +>0 ulelong 1000156022 G12X4_B12X4_R12X4_3PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156023 G12X4_B12X4R12X4_2PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156024 G12X4_B12X4_R12X4_3PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156025 G12X4_B12X4R12X4_2PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156026 G12X4_B12X4_R12X4_3PLANE_444_UNORM_3PACK16 +>0 ulelong 1000156027 G16B16G16R16_422_UNORM +>0 ulelong 1000156028 B16G16R16G16_422_UNORM +>0 ulelong 1000156029 G16_B16_R16_3PLANE_420_UNORM +>0 ulelong 1000156030 G16_B16R16_2PLANE_420_UNORM +>0 ulelong 1000156031 G16_B16_R16_3PLANE_422_UNORM +>0 ulelong 1000156032 G16_B16R16_2PLANE_422_UNORM +>0 ulelong 1000156033 G16_B16_R16_3PLANE_444_UNORM + +>0 ulelong 1000054000 PVRTC1_2BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054001 PVRTC1_4BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054002 PVRTC2_2BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054003 PVRTC2_4BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054004 PVRTC1_2BPP_SRGB_BLOCK_IMG +>0 ulelong 1000054005 PVRTC1_4BPP_SRGB_BLOCK_IMG +>0 ulelong 1000054006 PVRTC2_2BPP_SRGB_BLOCK_IMG +>0 ulelong 1000054007 PVRTC2_4BPP_SRGB_BLOCK_IMG + +>0 ulelong 1000066000 ASTC_4x4_SFLOAT_BLOCK_EXT +>0 ulelong 1000066001 ASTC_5x4_SFLOAT_BLOCK_EXT +>0 ulelong 1000066002 ASTC_5x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066003 ASTC_6x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066004 ASTC_6x6_SFLOAT_BLOCK_EXT +>0 ulelong 1000066005 ASTC_8x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066006 ASTC_8x6_SFLOAT_BLOCK_EXT +>0 ulelong 1000066007 ASTC_8x8_SFLOAT_BLOCK_EXT +>0 ulelong 1000066008 ASTC_10x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066009 ASTC_10x6_SFLOAT_BLOCK_EXT +>0 ulelong 1000066010 ASTC_10x8_SFLOAT_BLOCK_EXT +>0 ulelong 1000066011 ASTC_10x10_SFLOAT_BLOCK_EXT +>0 ulelong 1000066012 ASTC_12x10_SFLOAT_BLOCK_EXT +>0 ulelong 1000066013 ASTC_12x12_SFLOAT_BLOCK_EXT + +# Main KTX2 header. +0 string \xABKTX\ 20\xBB\r\n\x1A\n Khronos KTX2 texture +>20 ulelong x \b, %u +>24 ulelong >1 x %u +>28 ulelong >1 x %u +>32 ulelong >1 \b, %u layers +>36 ulelong >1 \b, %u faces +>40 ulelong >1 \b, %u mipmaps +>44 ulelong >0 \b, +>>44 use khronos-ktx2-supercompression +>12 ulelong >0 \b, +>>12 use khronos-ktx2-vkFormat + +# Type: Valve VTF texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://developer.valvesoftware.com/wiki/Valve_Texture_Format + +# VTF image formats. +0 name vtf-image-format +>0 ulelong 0 RGBA8888 +>0 ulelong 1 ABGR8888 +>0 ulelong 2 RGB888 +>0 ulelong 3 BGR888 +>0 ulelong 4 RGB565 +>0 ulelong 5 I8 +>0 ulelong 6 IA88 +>0 ulelong 7 P8 +>0 ulelong 8 A8 +>0 ulelong 9 RGB888 (bluescreen) +>0 ulelong 10 BGR888 (bluescreen) +>0 ulelong 11 ARGB8888 +>0 ulelong 12 BGRA8888 +>0 ulelong 13 DXT1 +>0 ulelong 14 DXT3 +>0 ulelong 15 DXT5 +>0 ulelong 16 BGRx8888 +>0 ulelong 17 BGR565 +>0 ulelong 18 BGRx5551 +>0 ulelong 19 BGRA4444 +>0 ulelong 20 DXT1+A1 +>0 ulelong 21 BGRA5551 +>0 ulelong 22 UV88 +>0 ulelong 23 UVWQ8888 +>0 ulelong 24 RGBA16161616F +>0 ulelong 25 RGBA16161616 +>0 ulelong 26 UVLX8888 + +# Main VTF header. +0 string VTF\0 Valve Texture Format +>4 ulelong x v%u +>8 ulelong x \b.%u +>0x10 uleshort x \b, %u +>0x12 uleshort >1 x %u +>4 lequad 0x0000000700000002 +>>0x3F uleshort >1 x %u +>0x18 uleshort >1 \b, %u frames +>0x38 ubyte x \b, mipmaps: %u +>0x34 ulelong >-1 \b, +>>0x34 use vtf-image-format + +# Type: Valve VTF3 (PS3) texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +0 string VTF3 Valve Texture Format (PS3) +>0x14 ubeshort x \b, %u +>0x16 ubeshort x \b x %u +>0x10 ubelong&0x2000 0 \b, DXT1 +>0x10 ubelong&0x2000 0x2000 \b, DXT5 + +# Type: ASTC texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://stackoverflow.com/questions/22600678/determine-internal-format-of-given-astc-compressed-image-through-its-header +# - https://stackoverflow.com/a/22682244 +0 ulelong 0x5ca1ab13 ASTC +>4 ubyte x %u +>5 ubyte x \bx%u +>6 ubyte >1 \bx%u +# X, Y, and Z dimensions are stored as 24-bit LE. +# Pretend it's 32-bit and mask off the high byte. +>7 ulelong&0x00FFFFFF x texture, %u +>10 ulelong&0x00FFFFFF x x %u +>13 ulelong&0x00FFFFFF >1 x %u + +# Zebra Metafile graphic +# http://www.fileformat.info/format/zbr/egff.htm +0 ubeshort 0x9a02 Zebra Metafile graphic +>2 uleshort 1 (version 1.x) +>2 uleshort 2 (version 1.1x or 1.2x) +>2 uleshort 3 (version 1.49) +>2 uleshort 4 (version 1.50) +>4 string x (comment = %s) + +# Microsoft Paint graphic +# http://www.fileformat.info/format/mspaint/egff.htm +0 string DanM icrosoft Paint image data (version 1.x) +>4 uleshort x (%d +>>6 uleshort x x %d) +0 string LinS Microsoft Paint image data (version 2.0) +>4 uleshort x (%d +>>6 uleshort x x %d) + +# reMarkable tablet internal file format (https://www.remarkable.com/) +# https://github.com/ax3l/lines-are-beautiful +# https://plasma.ninja/blog/devices/remarkable/binary/format/2017/12/26/\ +# reMarkable-lines-file-format.html#what-to-do-next +# from Axel Huebl +0 string reMarkable +>11 string lines +>>17 string with +>>>22 string selections +>>>>33 string and +>>>>>37 string layers +>>>>>>43 ulelong x reMarkable tablet notebook lines, 1404 x 1872, %x page(s) + +# newer per-page files for the reMarkable +0 string reMarkable +>11 string .lines +>>18 string file, +>>>24 string version= +>>>>32 ubyte x reMarkable tablet page (v%c), 1404 x 1872, +>>>>>43 ulelong x %d layer(s) + +# Type: PVR3 texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - http://cdn.imgtec.com/sdk-documentation/PVR+File+Format.Specification.pdf + +# PVR3 pixel formats. +0 name pvr3-pixel-format +>0 ulelong 0 PVRTC 2bpp RGB +>0 ulelong 1 PVRTC 2bpp RGBA +>0 ulelong 2 PVRTC 4bpp RGB +>0 ulelong 3 PVRTC 4bpp RGBA +>0 ulelong 4 PVRTC-II 2bpp +>0 ulelong 5 PVRTC-II 4bpp +>0 ulelong 6 ETC1 +>0 ulelong 7 DXT1 +>0 ulelong 8 DXT2 +>0 ulelong 9 DXT3 +>0 ulelong 10 DXT4 +>0 ulelong 11 DXT5 +>0 ulelong 12 BC4 +>0 ulelong 13 BC5 +>0 ulelong 14 BC6 +>0 ulelong 15 BC7 +>0 ulelong 16 UYVY +>0 ulelong 17 YUY2 +>0 ulelong 18 BW1bpp +>0 ulelong 19 R9G9B9E5 Shared Exponent +>0 ulelong 20 RGBG8888 +>0 ulelong 21 GRGB8888 +>0 ulelong 22 ETC2 RGB +>0 ulelong 23 ETC2 RGBA +>0 ulelong 24 ETC2 RGB A1 +>0 ulelong 25 EAC R11 +>0 ulelong 26 EAC RG11 +>0 ulelong 27 ASTC_4x4 +>0 ulelong 28 ASTC_5x4 +>0 ulelong 29 ASTC_5x5 +>0 ulelong 30 ASTC_6x5 +>0 ulelong 31 ASTC_6x6 +>0 ulelong 32 ASTC_8x5 +>0 ulelong 33 ASTC_8x6 +>0 ulelong 34 ASTC_8x8 +>0 ulelong 35 ASTC_10x5 +>0 ulelong 36 ASTC_10x6 +>0 ulelong 37 ASTC_10x8 +>0 ulelong 38 ASTC_10x10 +>0 ulelong 39 ASTC_12x10 +>0 ulelong 40 ASTC_12x12 +>0 ulelong 41 ASTC_3x3x3 +>0 ulelong 42 ASTC_4x3x3 +>0 ulelong 43 ASTC_4x4x3 +>0 ulelong 44 ASTC_4x4x4 +>0 ulelong 45 ASTC_5x4x4 +>0 ulelong 46 ASTC_5x5x4 +>0 ulelong 47 ASTC_5x5x5 +>0 ulelong 48 ASTC_6x5x5 +>0 ulelong 49 ASTC_6x6x5 +>0 ulelong 50 ASTC_6x6x6 + +0 string PVR\x03 PowerVR 3.0 texture: +>0x18 ulelong x %u x +>0x1C ulelong x %u +>0x20 ulelong >1 x %u +>0x08 ubyte x \b, +>0x0C ulelong 0 +>>0x08 use pvr3-pixel-format +>0x0C ulelong !0 +>>0x08 ubyte !0 %c +>>>0x0C ubyte !0 \b%u +>>0x09 ubyte !0 \b%c +>>>0x0D ubyte !0 \b%u +>>0x0A ubyte !0 \b%c +>>>0x0E ubyte !0 \b%u +>>0x0B ubyte !0 \b%c +>>>0x0F ubyte !0 \b%u +>0x10 ulelong 1 \b, sRGB +>0x04 ulelong&0x02 0x02 \b, premultiplied alpha + +0 string \x03RVP PowerVR 3.0 texture: BE, +>0x18 ubelong x %u x +>0x1C ubelong x %u +>0x20 ubelong >1 x %u +>0x08 ubyte x \b, +>0x0C ubelong 0 +>>0x08 use pvr3-pixel-format +>0x0C ubelong !0 +>>0x0B ubyte !0 %c +>>>0x0F ubyte !0 \b%u +>>0x0A ubyte !0 \b%c +>>>0x0E ubyte !0 \b%u +>>0x09 ubyte !0 \b%c +>>>0x0D ubyte !0 \b%u +>>0x08 ubyte !0 \b%c +>>>0x0C ubyte !0 \b%u +>0x10 ubelong 1 \b, sRGB +>0x04 ubelong&0x02 0x02 \b, premultiplied alpha + +# Type: Microsoft Xbox XPR0 texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/Cxbx-Reloaded/Cxbx-Reloaded/blob/develop/src/core/hle/D3D8/XbD3D8Types.h + +# XPR pixel formats. +0 name xbox-xpr-pixel-format +>0 ubyte 0x00 L8 +>0 ubyte 0x01 AL8 +>0 ubyte 0x02 ARGB1555 +>0 ubyte 0x03 RGB555 +>0 ubyte 0x04 ARGB4444 +>0 ubyte 0x05 RGB565 +>0 ubyte 0x06 ARGB8888 +>0 ubyte 0x07 xRGB8888 +>0 ubyte 0x0B P8 +>0 ubyte 0x0C DXT1 +>0 ubyte 0x0E DXT2 +>0 ubyte 0x0F DXT4 +>0 ubyte 0x10 Linear ARGB1555 +>0 ubyte 0x11 Linear RGB565 +>0 ubyte 0x12 Linear ARGB8888 +>0 ubyte 0x13 Linear L8 +>0 ubyte 0x16 Linear R8B8 +>0 ubyte 0x17 Linear G8B8 +>0 ubyte 0x19 A8 +>0 ubyte 0x1A A8L8 +>0 ubyte 0x1B Linear AL8 +>0 ubyte 0x1C Linear RGB555 +>0 ubyte 0x1D Linear ARGB4444 +>0 ubyte 0x1E Linear xRGB8888 +>0 ubyte 0x1F Linear A8 +>0 ubyte 0x20 Linear A8L8 +>0 ubyte 0x24 YUY2 +>0 ubyte 0x25 UYVY +>0 ubyte 0x27 L6V5U5 +>0 ubyte 0x28 V8U8 +>0 ubyte 0x29 R8B8 +>0 ubyte 0x2A D24S8 +>0 ubyte 0x2B F24S8 +>0 ubyte 0x2C D16 +>0 ubyte 0x2D F16 +>0 ubyte 0x2E Linear D24S8 +>0 ubyte 0x2F Linear F24S8 +>0 ubyte 0x30 Linear D16 +>0 ubyte 0x31 Linear F16 +>0 ubyte 0x32 L16 +>0 ubyte 0x33 V16U16 +>0 ubyte 0x35 Linear L16 +>0 ubyte 0x36 Linear V16U16 +>0 ubyte 0x37 Linear L6V5U5 +>0 ubyte 0x38 RGBA5551 +>0 ubyte 0x39 RGBA4444 +>0 ubyte 0x3A QWVU8888 +>0 ubyte 0x3B BGRA8888 +>0 ubyte 0x3C RGBA8888 +>0 ubyte 0x3D Linear RGBA5551 +>0 ubyte 0x3E Linear RGBA4444 +>0 ubyte 0x3F Linear ABGR8888 +>0 ubyte 0x40 Linear BGRA8888 +>0 ubyte 0x41 Linear RGBA8888 +>0 ubyte 0x64 Vertex Data + +0 string XPR0 Microsoft Xbox XPR0 texture +>0x19 ubyte x \b, format: +>>0x19 use xbox-xpr-pixel-format + +# ILDA Image Data Transfer Format +# https://www.ilda.com/resources/StandardsDocs/ILDA_IDTF14_rev011.pdf +# +# Updated by Chuck Hein (laser@geekdude.com) +# +0 string ILDA ILDA Image Data Transfer Format +>7 ubyte 0x00 3D Coordinates with Indexed Color +>7 ubyte 0x01 2D Coordinates with Indexed Color +>7 ubyte 0x02 Color Palette +>7 ubyte 0x04 3D Coordinates with True Color +>7 ubyte 0x05 2D Coordinates with True Color +>8 string >0 \b, palette %s +>16 string >0 \b, company %s +>24 ubeshort >0 \b, number of records %d +>>26 ubeshort x \b, palette number %d +>>28 ubeshort >0 \b, number of frames %d +>>30 ubyte >0 \b, projector number %d + +# Dropbox "lepton" compressed jpeg format +# https://github.com/dropbox/lepton +0 ubelong&0xfffff0ff 0xcf84005a Lepton image file +>2 ubyte x (version %d) + +# Apple QuickTake camera raw images +# https://en.wikipedia.org/wiki/Apple_QuickTake +# dcraw can decode them +0 name quicktake +>4 ubelong 8 +>>544 ubeshort x \b, %dx +>>546 ubeshort x \b%d +>4 ubelong 4 +>>546 ubeshort x \b, %dx +>>544 ubeshort x \b%d + +0 string qktk Apple QuickTake 100 Raw Image +>0 use quicktake + +0 string qktn +>4 ubyte 0 Apple QuickTake 150 Raw Image +>4 ubyte >0 Apple QuickTake 200 Raw Image +>0 use quicktake + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Corel_Photo-Paint_image +# Reference: http://blog.argasinski.eu/wp-content/uploads/2011/08/cpt-specification-0.01.pdf +0 string CPT +>4 string FILE Corel Photo-Paint image, version +# version like 7, 9 or 8 +>>3 ubyte x %c, +!:mime image/x-corel-cpt +!:ext cpt +# if blocks_array_offset available jump blockNumber*8 bytes +>>0x34 ulelong >0 +>>>(0x28.l*8) ubyte x +# jump additional stored blocks_array_offset bytes forward to object block +>>>>&(0x34.l-1) ulelong x %u +# object height in pixels +>>>>>&0 ulelong x x %u +# if no blocks_array_offset available jump blockNumber*8 bytes +>>0x34 ulelong =0 +>>>(0x28.l*8) ubyte x +# jump additional 0x13C bytes forward to object block +>>>>&0x13B ulelong x %u +>>>>>&0 ulelong x x %u +# image color model used +>>0x8 ulelong x +>>>0x8 ulelong 0x1 RGB 24 bits +>>>0x8 ulelong 0x3 CMYK 24 bits +>>>0x8 ulelong 0x5 greyscale 8 bits +>>>0x8 ulelong 0x6 black and white 1 bit +>>>0x8 ulelong 0xA RGB 8 bits +# palette_length number of colors * 3 in case of 8-bit RGB paletted image +# 0 otherwise. Allowed values: 0 or [1..256] * 3 +#>>0xC ulelong >0 \b, palette length %u +>>>>0xC ulelong/3 <256 \b, %u colors +>>>0x8 ulelong 0xB LAB +>>>0x8 ulelong 0xC RGB 48 bits +>>>0x8 ulelong 0xE greyscale 16 bits +# this should not happen +>>>0x8 default x color model +>>>>0x8 ulelong x %#x +# bit 1 in CPT file flags: UCS-2 file comment present +>>0x31 ubyte &0x02 +# look for comment marker +>>>0x100 search/0xc9d \4\2\0\0 +# UCS-2 file comment +>>>>&0 lestring16 x "%s" +# if no UCS-2 is present show ANSI file comment[112] if available +>>0x31 ubyte&0x02 =0 +>>>0x3C string >\0 "%-.112s" +# reserved seems to be always 0 +#>>0x10 ulelong >0 \b, reserved1 %u +# horizontal real dpi = dpi_h * 25.4 / 10**6 +>>0x18 ulelong x \b, %u micro dots/mm +# image vertical DPI in CPT DPI unit +#>>0x1C ulelong x \b, %u micro dots/mm +# reserved seems to be always 0 +#>>0x20 ulelong >0 \b, reserved2 %u +#>>0x24 ulelong >0 \b, reserved3 %u +# blocks_count; number of CPT_Block blocks. Allowed values: > 0 +>>0x28 ulelong x \b, %u block +# plural s +>>0x28 ulelong !1 \bs +# CPT file flags +# lower byte of CPT file flags: 0x94~CPT9FILE 0x01~often CPT7FILE 0x8C~CPT8FILE +#>>0x30 ubyte x \b, lower flags %#x +# upper byte of CPT file flags: +#>>0x31 ubyte >0 \b, upper flags %#x +# bit 2 in CPT file flags: unknown +#>>0x31 ubyte &0x04 \b, with UNKNOWN +# bits 3-7 in CPT file flags: unknown, seem to be often 0 +# show unusual flag combinations +>>0x31 ubyte&0xFC >0 +>>>0x30 uleshort x \b, flags %#4.4x +# reserved seems to be always 0 +#>>0x32 uleshort >0 \b, reserved4 %#x +# blocks_array_offset is always 0 for CPT7 and CPT8 files created by PP7-PP8 +# typical values like: 13Ch 154h 43Ch 4F0h DA8h +>>0x34 ulelong x \b, array offset %#x +# reserved seems to be often 0 +>>0x38 ulelong >0 \b, reserved5 %#x +# possible next master block +#>>0x100 ubequad !0 \b, next block=%#llx... +# bit 0: ICC profile block present +>>0x31 ubyte &0x01 \b, with ICC profile +# check for characteristic string acsp of color profile for DEBUGGING +#>>>0x178 string x icc=%.4s +# display ICC/ICM color profile by ./icc +#>>>0x154 use color-profile + +# URL: http://fileformats.archiveteam.org/wiki/CorelDRAW +# https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-gen.trid.xml +# Note: called "CorelDRAW drawing (generic)" by TrID +# version til 2 WL-based; from version 3 til 13 handled by ./riff and from 14 zip based handled by ./archive +0 ubelong&0xFFffF7ff 0x574C6500 Corel Draw Picture +#!:mime image/x-coreldraw +!:mime application/vnd.corel-draw +!:ext cdr +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-10.trid.xml +# Note: called "CorelDRAW drawing (v1.0)" by TrID and +# "CorelDraw Drawing" with version "1.0" by DROID via PUID fmt/467 +# only DROID fmt-467-signature-id-726.cdr example +>2 ubyte 0x65 \b, version 1.0 +#>>4 ubelong !0x45000000 \b, at 4 %#8.8x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-20.trid.xml +# Note: called "CorelDRAW drawing (v2.0)" by TrID and +# "CorelDraw Drawing" with version "2.0" by DROID via PUID fmt/466 +>2 ubyte 0x6D \b, version 2.0 +# According to DROID 0xed080000 or 0x25050000 +#>>4 ubelong !0xed080000 +#>>>4 ubelong !0x25050000 \b, at 4 %#8.8x + +# Type: Crunch compressed texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/BinomialLLC/crunch/blob/44c8402e24441c7524ca364941fd224ab3b971e9/inc/crn_decomp.h#L267 +0 ubelong 0x4878004A Crunch compressed texture: +>0x0C ubeshort x %u x +>0x0E ubeshort x %u +>0x12 ubyte 0 \b, DXT1 +>0x12 ubyte 1 \b, DXT3 +>0x12 ubyte 2 \b, DXT5 +>0x12 ubyte 3 \b, DXT5 CCxY +>0x12 ubyte 4 \b, DXT5 xGxR +>0x12 ubyte 5 \b, DXT5 xGBR +>0x12 ubyte 6 \b, DXT5 AGBR +>0x12 ubyte 7 \b, DXn XY +>0x12 ubyte 8 \b, DXn YX +>0x12 ubyte 9 \b, DXT5 Alpha +>0x12 ubyte 10 \b, ETC1 +>0x10 ubyte >1 \b, %u images +>0x11 ubyte >1 \b, %u faces +# TODO: Flags at 0x13? (ubeshort) + +# Type: BasisLZ compressed texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/BinomialLLC/basis_universal/blob/master/spec/basis_spec.txt +0 uleshort 0x4273 +>0x04 uleshort 0x4D BasisLZ +>>0x02 uleshort x v%x compressed texture: +>>0x14 ubyte 0 ETC1S +>>0x14 ubyte 1 UASTC 4x4 +>>0x0E ulelong&0xFFFFFF >1 \b, %u slices +>>0x11 ulelong&0xFFFFFF >1 \b, %u images +>>0x15 uleshort&0x02 2 \b, Y-flipped + +# MIME registration: https://www.iana.org/assignments/media-types/model/e57 +# Sample files: http://www.libe57.org/data.html +# Reference implementation: http://www.libe57.org/ +# https://www.ri.cmu.edu/pub_files/2011/1/2011-huber-e57-v3.pdf +0 string ASTM-E57 ASTM E57 three-dimensional model +!:mime model/e57 +!:ext e57 + +# QOI [Quite OK Image Format] images +# (Horia Mihai David, mihaidavid@posteo.net) +# +# QOI format by Dominic Szablewski <http://phoboslab.org/> +# <https://qoiformat.org/> +# +# Based on spec v1.0 (2022.01.05) <https://qoiformat.org/qoi-specification.pdf> + +0 string qoif QOI image data +!:ext qoi +!:mime image/x-qoi +# See <https://github.com/phoboslab/qoi/issues/167> +>4 ubelong x %ux +>8 ubelong x \b%u, +>>13 ubyte 0 s +>>>12 ubyte 3 \bRGB +>>>12 ubyte 4 \bRGBA +>>>12 default x +>>>>12 ubyte x \b*bad channels %u* +>>>13 ubyte 0 (linear alpha) +>>13 ubyte 1 +>>>12 ubyte 3 RGB +>>>12 ubyte 4 RGBA +>>>13 ubyte 1 (all channels linear) +>>13 default x +>>>13 ubyte x *bad colorspace %u* + + +# Type: Godot 3, 4 texture (pixel format) +# From: David Korth <gerbilsoft@gerbilsoft.com> +0 name godot-pixel-format +>0 ulelong&0xFFFFF 0 L8 +>0 ulelong&0xFFFFF 1 LA8 +>0 ulelong&0xFFFFF 2 R8 +>0 ulelong&0xFFFFF 3 RG8 +>0 ulelong&0xFFFFF 4 RGB8 +>0 ulelong&0xFFFFF 5 RGBA8 +>0 ulelong&0xFFFFF 6 RGBA4444 +>0 ulelong&0xFFFFF 7 RGB565 +>0 ulelong&0xFFFFF 8 RF +>0 ulelong&0xFFFFF 9 RGF +>0 ulelong&0xFFFFF 10 RGBF +>0 ulelong&0xFFFFF 11 RGBAF +>0 ulelong&0xFFFFF 12 RH +>0 ulelong&0xFFFFF 13 RGH +>0 ulelong&0xFFFFF 14 RGBH +>0 ulelong&0xFFFFF 15 RGBAH +>0 ulelong&0xFFFFF 16 RGBE9995 +>0 ulelong&0xFFFFF 17 DXT1 +>0 ulelong&0xFFFFF 18 DXT3 +>0 ulelong&0xFFFFF 19 DXT5 +>0 ulelong&0xFFFFF 20 RGTC_R +>0 ulelong&0xFFFFF 21 RGTC_RG +>0 ulelong&0xFFFFF 22 BPTC_RGBA +>0 ulelong&0xFFFFF 23 BPTC_RGBF +>0 ulelong&0xFFFFF 24 BPTC_RGBFU +>0 ulelong&0xFFFFF 25 PVRTC1_2 +>0 ulelong&0xFFFFF 26 PVRTC1_2A +>0 ulelong&0xFFFFF 27 PVRTC1_4 +>0 ulelong&0xFFFFF 28 PVRTC1_4A +>0 ulelong&0xFFFFF 29 ETC +>0 ulelong&0xFFFFF 30 ETC2_R11 +>0 ulelong&0xFFFFF 31 ETC2_R11S +>0 ulelong&0xFFFFF 32 ETC2_RG11 +>0 ulelong&0xFFFFF 33 ETC2_RG11S +>0 ulelong&0xFFFFF 34 ETC2_RGB8 +>0 ulelong&0xFFFFF 35 ETC2_RGBA8 +>0 ulelong&0xFFFFF 36 ETC2_RGB8A1 +>0 ulelong&0xFFFFF 37 ASTC_8x8 + +# Type: Godot 3, 4 texture (rescale display, width) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Shows rescale value if it's not a power of 2. +0 name godot-rescale-display-w +>0 uleshort 0 +>0 uleshort 1 +>0 uleshort 2 +>0 uleshort 4 +>0 uleshort 8 +>0 uleshort 16 +>0 uleshort 32 +>0 uleshort 64 +>0 uleshort 128 +>0 uleshort 256 +>0 uleshort 512 +>0 uleshort 1024 +>0 uleshort 2048 +>0 uleshort 4096 +>0 uleshort 8192 +>0 uleshort 16384 +>0 uleshort 32768 +>0 default x +>>0 uleshort x (rescale to %u x + +# Type: Godot 3, 4 texture (rescale display, height) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Shows rescale value if it's not a power of 2. +0 name godot-rescale-display-h +>0 clear x +>0 uleshort 0 +>0 uleshort 1 +>0 uleshort 2 +>0 uleshort 4 +>0 uleshort 8 +>0 uleshort 16 +>0 uleshort 32 +>0 uleshort 64 +>0 uleshort 128 +>0 uleshort 256 +>0 uleshort 512 +>0 uleshort 1024 +>0 uleshort 2048 +>0 uleshort 4096 +>0 uleshort 8192 +>0 uleshort 16384 +>0 uleshort 32768 +>0 default x +>>0 uleshort x %u) + +# Type: Godot 3 texture +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/godotengine/godot/blob/3.3/core/image.h +# - https://github.com/godotengine/godot/blob/3.3/scene/resources/texture.cpp +# - https://github.com/godotengine/godot/blob/3.3/scene/resources/texture.h +# TODO: Don't show "rescale to" if it matches the image size. +0 string GDST Godot 3 texture: +!:ext stex +!:mime image/x-godot-stex +>4 uleshort x %u x +>8 uleshort x %u +>6 uleshort 0 \b, +>6 uleshort !0 +>>6 use godot-rescale-display-w +>>10 use godot-rescale-display-h +>>10 uleshort x \b, +>16 ulelong&0x800000 !0 has mipmaps, +>16 ulelong&0x100000 0x100000 lossless encoding +>16 ulelong&0x200000 0x200000 lossy encoding +>16 ulelong&0x300000 0 +>>16 use godot-pixel-format + +# Type: Godot 4 texture +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/godotengine/godot/blob/master/core/io/image.h +# - https://github.com/godotengine/godot/blob/master/scene/resources/texture.cpp +# - https://github.com/godotengine/godot/blob/master/scene/resources/texture.h +# TODO: Don't show "rescale to" if it matches the image size. +0 string GST2 Godot 4 texture +!:ext stex +!:mime image/x-godot-stex +>4 ulelong x v%u: +>0x28 uleshort x %u x +>0x2A uleshort x %u +>8 use godot-rescale-display-w +>12 use godot-rescale-display-h +>12 uleshort x \b, +>0x2C ulelong >1 %u mipmaps, +>0x30 use godot-pixel-format +>0x24 ulelong 1 \b, embedded PNG image +>0x24 ulelong 2 \b, embedded WebP image +>0x24 ulelong 3 \b, Basis Universal + +# Summary: iCEDraw graphic *.IDF +# URL: http://fileformats.archiveteam.org/wiki/ICEDraw +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf-icedraw.trid.xml +# From: Joerg Jenderek +# Note: called "iCEDraw graphic" by TrID, "iCEDraw text" by FFmpeg and "iCE Draw" by Ansilove +# verified by FFmpeg command `ffprobe ICE-9605.IDF` and `ansilove -s SQ-FORCE.IDF` +0 string \0041.4\0\0\0\0O\0 iCEDraw graphic +#!:mime application/octet-stream +!:mime image/x-idf +!:ext idf + +# Type: ColoRIX VGA Paint Image File (.rix/.sci/.scX) +# From: Eddy Jansson <github.com/eloj> +# Reference: https://www.fileformat.info/format/rix/spec/ +# +0 name rix-header +>0 uleshort x \b, %u x +>2 uleshort x %u +# palette type: +# .. if direct color, low bits encode bpp +>4 ubyte&128 0 +>>4 ubyte&127 x \b %u bpp (direct color) +# .. else palette +>4 ubyte&128 128 +>>4 ubyte&7 0 \b x 2 +>>4 ubyte&7 1 \b x 4 +>>4 ubyte&7 2 \b x 8 +>>4 ubyte&7 3 \b x 16 +>>4 ubyte&7 4 \b x 32 +>>4 ubyte&7 5 \b x 64 +>>4 ubyte&7 6 \b x 128 +>>4 ubyte&7 7 \b x 256 +# storage type +#>5 ubyte&15 0 \b, Linear +>5 ubyte&15 1 \b, Planar (0213) +>5 ubyte&15 2 \b, Planar +>5 ubyte&15 3 \b, Text +>5 ubyte&15 4 \b, Planar lines +>5 ubyte&128 128 \b (compressed) +>5 ubyte&64 64 \b (extension) +>5 ubyte&32 32 \b (encrypted) + +0 string RIX3 ColoRIX Image +>4 use rix-header + +0 string RIX7 ColoRIX Slideshow + +# http://fileformats.archiveteam.org/wiki/PaperPort_(MAX) +0 string ViG Visioneer PaperPort +>3 string Ae 2 +>3 string Be 2 +>3 string Cj 3-4 +>3 string Em 5-7 +>3 string Fk 8-12 +>3 default x MAX diff --git a/magic/Magdir/inform b/magic/Magdir/inform new file mode 100644 index 0000000..fe518ec --- /dev/null +++ b/magic/Magdir/inform @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: inform,v 1.5 2009/09/19 16:28:09 christos Exp $ +# inform: file(1) magic for Inform interactive fiction language + +# URL: http://www.inform-fiction.org/ +# From: Reuben Thomas <rrt@sc3d.org> + +0 search/100/cW constant\ story Inform source text diff --git a/magic/Magdir/intel b/magic/Magdir/intel new file mode 100644 index 0000000..5177fea --- /dev/null +++ b/magic/Magdir/intel @@ -0,0 +1,310 @@ + +#------------------------------------------------------------------------------ +# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $ +# intel: file(1) magic for x86 Unix +# +# Various flavors of x86 UNIX executable/object (other than Xenix, which +# is in "microsoft"). DOS is in "msdos"; the ambitious soul can do +# Windows as well. +# +# Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and +# whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere +# as well, if, as, and when IBM makes it portable. +# +# The `versions' should be un-commented if they work for you. +# (Was the problem just one of endianness?) +# +0 leshort 0502 basic-16 executable +>12 lelong >0 not stripped +#>22 leshort >0 - version %d +0 leshort 0503 basic-16 executable (TV) +>12 lelong >0 not stripped +#>22 leshort >0 - version %d +0 leshort 0510 x86 executable +>12 lelong >0 not stripped +0 leshort 0511 x86 executable (TV) +>12 lelong >0 not stripped +0 leshort =0512 iAPX 286 executable small model (COFF) +>12 lelong >0 not stripped +#>22 leshort >0 - version %d +0 leshort =0522 iAPX 286 executable large model (COFF) +>12 lelong >0 not stripped +#>22 leshort >0 - version %d +# updated by Joerg Jenderek at Oct 2015 +# https://de.wikipedia.org/wiki/Common_Object_File_Format +# http://www.delorie.com/djgpp/doc/coff/filhdr.html +# ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file" +# ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" +# SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan +0 leshort =0514 +# use subroutine to display name+flags+variables for common object formatted files +>0 use display-coff +#>12 lelong >0 not stripped +# no hint found, that at offset 22 is version +#>22 leshort >0 - version %d +0 leshort 0x0200 +# no F_EXEC flag bit implies Intel ia64 COFF object file without optional header +>18 leshort ^0x0002 +# skip some DEGAS high-res uncompressed bitmap *.pi3 handled by ./images like +# GEMINI03.PI3 MODEM2.PI3 POWERFIX.PI3 sigirl1.pi3 vanna5.pi3 +# by test for valid starting character (often point 0x2E) of 1st section name +>>20 ubyte >0x1F +>>>0 use display-coff +# F_EXEC flag bit implies Intel ia64 COFF executable +>18 leshort &0x0002 +>>0 use display-coff +0 leshort 0x8664 +>0 use display-coff + +# rom: file(1) magic for BIOS ROM Extensions found in intel machines +# mapped into memory between 0xC0000 and 0xFFFFF +# From: Alex Myczko <alex@aiei.ch> +# updated by Joerg Jenderek +# https://en.wikipedia.org/wiki/Option_ROM +# URL: http://fileformats.archiveteam.org/wiki/BIOS +# Reference: http://www.lejabeach.com/sisubb/BIOS_Disassembly_Ninjutsu_Uncovered.pdf +0 beshort 0x55AA +# skip misidentified raspberry pi pieeprom-*.bin by check for +# unlikely high ROM size (0xF0*512=240*512) and not observed start instruction 0x0F +>2 ubeshort !0xF00F +# skip 2 byte sized eof.bin with start magic +>>0 use rom-x86 +0 name rom-x86 +>0 beshort x BIOS (ia32) ROM Ext. +#!:mime application/octet-stream +!:mime application/x-ibm-rom +!:ext rom/bin +################################################################################ +# not Plug aNd Play ($PnP) like 00000000 (ide_xtp.bin kvmvapic.bin V7VGA.ROM) 000000fc (MCT-VGA.bin) +# 55aaf00f (pieeprom-*.bin) 55aa40e9 (Trm3x5.bin) 24506f4f (sgabios-bin.rom) +# 55aa4be9 (vgabios-stdvga.rom vgabios-cirrus-bin.rom vgabios-vmware-bin.rom) +>(26.s) ubelong !0x24506e50 +#>(26.s) ubelong !0x24506e50 NOT PNP=%8.8x +# also not PCI (PCIR) implies "old" ISA cards or foo like: 8a168404 (MCT-VGA.bin) +# 55aaf00f (pieeprom*.bin) +>>(24.s) ubelong !0x50434952 +#>>(24.s) ubelong !0x50434952 ISA CARD=%8.8x +# "old" identification strings used in file version 5.41 and earlier +# probably an USB controller +>>>5 string USB USB +# probably https://en.wikipedia.org/wiki/Preboot_Execution_Environment +>>>7 string LDR UNDI image +# probably another Adaptec SCSI controller +>>>26 string Adaptec Adaptec +# http://minuszerodegrees.net/rom/bin/adaptec_aha1542cp_bios_908501-00.bin +# already done by PNP variant +#>>>28 string Adaptec Adaptec +# probably Promise SCSI controller +>>>42 string PROMISE Promise +# old test for IBM compatible Video cards; INTERNAL FACTS WHY IS THIS WORKING? +>30 string IBM IBM comp. Video +# display exact text for IBM compatible Video cards with longer text +>>33 ubyte !0 +>>>30 string x "%s" +# http://minuszerodegrees.net/rom/bin/unknown/MCT-VGA-16%20-%20TDVGA%203588%20BIOS%20Version%20V1.04A.zip +# "IBM COMPATIBLETDVGA 3588 BIOS Version V1.04A2+" "MCT-VGA-16 - TDVGA 3588 BIOS Version V1.04A.bin" +# "IBM VGA Compatible\001" NVidia44.bin +# "IBM EGA ROM Video Seven BIOS Code, Version 1.04" V7VGA.ROM +# "IBM" vgabios-stdvga.rom +# "IBM" vgabios-vmware-bin.rom: +# "IBM" vgabios-cirrus-bin.rom +# "IBM" vgabios-virtio-bin.rom +################################################################################ +# ROM size in 512B blocks must be interpreted as unsigned for ROM of network cards +# like: efi-eepro100.rom efi-rtl8139.rom pxe-e1000.rom +>2 ubyte x (%u*512) +# file name file size calculated size remark +# eof.bin 2 - with start magic nothing is shown here +# orchid.bin 188 0 =0*512 on window 95 CD in Drivers\audio\orchid3d +# multiboot.bin 1024 1024 =2*512 QEMU emulator +# loader1.bin 512 2048 =4*512 +# ide_xtp.bin 8192 8192 =16*512 +# kvmvapic.bin 9216 9216 =18*512 +# V7VGA.ROM 18832 16384 =32*512 +# adaptec1542.bin 32768 16384 =32*512 +# MCT-VGA.bin 32768 24576 =48*512 +# 2975BIOS.BIN 32768 32256 =63*512 +# efi-e1000.rom 196608 64000 =125*512 +# efi-rtl8139.rom 176640 66048 =129*512 +# pieeprom*.bin 524288 122880 =240*512 +################################################################################ +# initialization vector with executable code; often near JuMP instruction E9 yy zz +>3 ubyte =0xE9 jmp +# jmp offset like: 008fh 0093h 009fh 00afh 0143h 3ad7h 5417h 54ech 594dh 895fh +>>4 uleshort x %#4.4x +# for initialization vector samples without 3 byte jump instruction +>3 ubyte !0xE9 instruction +# eb4b3734h NVidia44.bin +# 00003234h V7VGA.ROM +# 060e0731h kvmvapic.bin +# cb000000h linuxboot-bin.rom +# e80d0fcbh PXE-Intel.rom +# b8004875h orchid.bin +>>3 ubelong x %#8.8x +# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f +#>2 ubeshort x \b, AT 2 %#4.4x +################################################################################ +# new sections for BIOS (ia32) ROM Extension +# 4 bytes ASCII Signature "$PnP" for Plug aNd Play expansion header +>(26.s) string =$PnP \b; +#>(26.s) string =$PnP FOUND $PnP +# at 1Ah possible offset to expansion header structure; new for Plug aNd Play +>>26 uleshort x at %#x PNP +# Plug and Play vendor+device ID like: 0 0x000f1000 (2975BIOS.BIN) 0x31121095 (4243.bin) 0x04904215 (adaptec1542.bin) +#>>(26.s+0x0A) ulelong !0 NOT-nullID=%8.8x +>>(26.s+0x0A) uleshort !0 +# show PnP Vendor identification in human readable text form instead of numeric +# For adaptec_ava1515_bios_585201-00.bin reverted endian! BUT IS THIS ALWAYS TRUE? +>>>(26.s+0x0C) use \^PCI-vendor +>>>(26.s+0x0A) ubeshort x device=%#4.4x +# 3 byte Device type code; probably the same meaning as in PCI section? +# OK for storage controller SCSI (2975BIOS.BIN adaptec1542.bin) +# and network controller ethernet (efi-e1000.rom efi-rtl8139.rom) +>>(26.s+0x12) use PCI-class +# structure revision like: 01h +>>(26.s+4) ubyte !1 \b, revision %u +# PnP Header structure length in multiple of 16 bytes like: 2 +>>(26.s+5) uleshort !2 \b, length %u*16 +# offset to next header; 0 if none +>>(26.s+7) uleshort !0 \b, at %#x next header +# reserved byte; seems to be zero +>>(26.s+8) ubyte !0 \b, reserved %#x +# 8-bit checksum for this header; calculated and patched by patch2pnprom +>>(26.s+9) ubyte !0 \b, CRC %#x +# pointer to optional manufacturer string; like: 0 (4243.bin) 59h 5ch 60h c7h 14eh 27ch 296h 324h 3662h +>>(26.s+0x0E) uleshort >0 \b, at %#x +>>>(26.s+0x0C) uleshort x +# manufacturer ASCII-Z string like "http://ipxe.org" "Plop - Elmar Hanlhofer www.plop.at" "QEMU" +>>>>(&0.s) string x "%s" +# pointer to optional product string; like: 0 (2975BIOS.BIN) 6ch 70h 7ch d9h 160h 281h 29bh 329h +>>(26.s+0x10) uleshort >0 \b, at %#x +>>>(26.s+0x0E) uleshort x +# often human readable product ASCII-Z string like "iPXE" "Plop Boot Manager" +# "multiboot loader" "Intel UNDI, PXE-2.0 (build 082)" +>>>>(&0.s) string x "%s" +# PnP Device indicators; contains bits that identify the device as being capable of bootable +#>>(26.s+0x15) ubyte x \b, INDICATORS %#x +# device is a display device +>>(26.s+0x15) ubyte &0x01 \b, display +# device is an input device +>>(26.s+0x15) ubyte &0x02 \b, input +# device is an IPL device +>>(26.s+0x15) ubyte &0x04 \b, IPL +#>>(26.s+0x15) ubyte &0x08 reserved +# ROM is only required if this device is selected as a boot device +>>(26.s+0x15) ubyte &0x10 \b, bootable +# indicates ROM is read cacheable +>>(26.s+0x15) ubyte &0x20 \b, cacheable +# ROM may be shadowed in RAM +>>(26.s+0x15) ubyte &0x40 \b, shadowable +# ROM supports the device driver initialization model +>>(26.s+0x15) ubyte &0x80 \b, InitialModel +# boot connection vector; an offset to a routine that hook into INT 9h, INT 10h, or INT 13h +# 0 means disabled 0x0429 (4650_sr5.bin) 0x0072 (adaptec1542.bin) +>>(26.s+0x16) uleshort !0 \b, boot vector offset %#x +# disconnect vector; offset to routine that do cleanup from an unsuccessful boot attempt +>>(26.s+0x18) uleshort !0 \b, disconnect offset %#x +# bootstrap entry point/vector (BEV); offset to a routine (like RPL) that hook into INT 19h +# 0 means disabled 0x3c (multiboot.bin) 0x358 (efi-rtl8139.rom) 0xae7 (PXE-Intel.rom) +>>(26.s+0x1A) uleshort !0 \b, bootstrap offset %#x +# 2nd reserved area; seems to be zero +>>(26.s+0x1C) uleshort !0 \b, 2nd reserved %#x +# static resource information vector; 0 means disabled +>>(26.s+0x1E) uleshort !0 \b, static offset %#4.4x +################################################################################ +# 4 bytes ASCII Signature "PCIR" for PCI Data Structure +#>(24.s) string =PCIR FOUND PCIR +>(24.s) string =PCIR \b; +# pointer to PCI data structure like: 1Ch 38h 104h 8E44h +>>24 uleshort x at %#x PCI +# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids +#>>(24.s+4) uleshort x ID=%4.4x +# show Vendor identification in human readable text form instead of numeric +>>(24.s+4) use PCI-vendor +# device identification (ID) +>>(24.s+6) uleshort x device=%#4.4x +# Base+sub class code https://wiki.osdev.org/PCI +>>(24.s+0x0D) use PCI-class +# pointer to vital product data (VPD); 0 indicates no VPD; WHAT EXACTLY iS VPD? +>>(24.s+8) uleshort !0 \b, at %#x VPD +# PCI data structure length like: 24h 28h +>>(24.s+0xA) uleshort >0x28 \b, length %u +# PCI data structure revision like: 0 3 +>>(24.s+0xC) ubyte >0 \b, revision %u +# image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83 +# Apparently this gives the same information as given by byte at offset 2 but as 16-bit +#>>(24.s+0x10) uleshort x \b, length %u*512 +# revision level of code/data like: 0 1 201h 502h +>>(24.s+0xC) ubyte >1 \b, code revision %#x +# code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved +>>(24.s+0x14) ubyte >0 \b, code type %#x +# last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved +>>(24.s+0x15) ubyte >0 +>>>(24.s+0x15) ubyte =0x80 \b, last ROM +# THIS SHOULD NOT HAPPEN! +>>>(24.s+0x15) ubyte !0x80 \b, indicator %x +# 3rd reserved area; seems to be zero in most cases but not for +# efi-e1000.rom efi-rtl8139.rom +>>(24.s+0x16) ubeshort !0 \b, 3rd reserved %#x + +# Flash descriptors for Intel SPI flash roms. +# From Dr. Jesus <j@hug.gs> +0 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step +16 lelong 0x0ff0a55a Intel serial flash for PCH ROM + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface +# Reference: https://uefi.org/sites/default/files/resources/ACPI_6_3_final_Jan30.pdf +# Note: generated for example by `cat /sys/firmware/acpi/tables/DSDT MyDSDT.aml` +0 string DSDT +>0 use acpi-table +# not tested or other file format +0 string APIC +>0 use acpi-table +#0 string ASF! +#>0 use acpi-table +0 string FACP +>0 use acpi-table +#0 string FACS +#>0 use acpi-table +0 string MCFG +>0 use acpi-table +0 string SLIC +>0 use acpi-table +0 string SSDT +>0 use acpi-table +0 name acpi-table +# skip ASCII text starting with DSDT by looking for valid "low" revision +>8 ubyte <17 ACPI Machine Language file +# assume that ACPI tables size are lower than 16 MiB +#>4 ulelong <0x01000000 +# DSDT for Differentiated System Description Table +>>0 string x '%.4s' +#!:mime application/octet-stream +!:mime application/x-intel-aml +!:ext aml +# the manufacture model ID like: VBOXBIOS BXDSDT +>>16 string >\0 %.8s +# OEM revision of DSDT for supplied OEM Table ID like: 0 1 2 20090511 +>>>24 ulelong x %x +# OEM ID like: INTEL VBOX (VirtualBox) BXDSDT (qemu) MEDION or \030\001\0\0 for s3pt.aml +>>10 ubyte >040 by %c +>>>11 ubyte >040 \b%c +>>>>12 ubyte >040 \b%c +>>>>>13 ubyte >040 \b%c +>>>>>>14 ubyte >040 \b%c +>>>>>>>15 ubyte >040 \b%c +# This field also sets the global integer width for the AML interpreter. +# Values less than two will cause the interpreter to use 32-bit. +# Values of two and greater will cause the interpreter to use full 64-bit. +# 16 for asf!.aml, 67 fo rsdp.aml +>>8 ubyte x \b, revision %u +# length, in bytes, of the entire DSDT (including the header) +>>4 ulelong x \b, %u bytes +# entire table must sum to zero +#>>9 ubyte x \b, checksum %#x +# vendor ID for the ASL Compiler like: INTL MSFT ... +>>28 string >\0 \b, created by %.4s +# revision number of the ASL Compiler like: 20051117 20140724 20190703 20200110 ... +>>>32 ulelong x %x + diff --git a/magic/Magdir/interleaf b/magic/Magdir/interleaf new file mode 100644 index 0000000..8e3aaf5 --- /dev/null +++ b/magic/Magdir/interleaf @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: interleaf,v 1.10 2009/09/19 16:28:10 christos Exp $ +# interleaf: file(1) magic for InterLeaf TPS: +# +0 string =\210OPS Interleaf saved data +0 string =<!OPS Interleaf document text +>5 string ,\ Version\ = \b, version +>>17 string >\0 %.3s diff --git a/magic/Magdir/island b/magic/Magdir/island new file mode 100644 index 0000000..f40521a --- /dev/null +++ b/magic/Magdir/island @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: island,v 1.5 2009/09/19 16:28:10 christos Exp $ +# island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1 +# "/etc/magic": +# From: guy@netapp.com (Guy Harris) +# +4 string pgscriptver IslandWrite document +13 string DrawFile IslandDraw document + diff --git a/magic/Magdir/ispell b/magic/Magdir/ispell new file mode 100644 index 0000000..57a6e9e --- /dev/null +++ b/magic/Magdir/ispell @@ -0,0 +1,63 @@ + +#------------------------------------------------------------------------------ +# $File: ispell,v 1.8 2009/09/19 16:28:10 christos Exp $ +# ispell: file(1) magic for ispell +# +# Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic +# will match 0x9600 through 0x9603 in *both* little endian and big endian. +# (No other current magic entries collide.) +# +# Updated by Daniel Quinlan (quinlan@yggdrasil.com) +# +0 leshort&0xFFFC 0x9600 little endian ispell +>0 byte 0 hash file (?), +>0 byte 1 3.0 hash file, +>0 byte 2 3.1 hash file, +>0 byte 3 hash file (?), +>2 leshort 0x00 8-bit, no capitalization, 26 flags +>2 leshort 0x01 7-bit, no capitalization, 26 flags +>2 leshort 0x02 8-bit, capitalization, 26 flags +>2 leshort 0x03 7-bit, capitalization, 26 flags +>2 leshort 0x04 8-bit, no capitalization, 52 flags +>2 leshort 0x05 7-bit, no capitalization, 52 flags +>2 leshort 0x06 8-bit, capitalization, 52 flags +>2 leshort 0x07 7-bit, capitalization, 52 flags +>2 leshort 0x08 8-bit, no capitalization, 128 flags +>2 leshort 0x09 7-bit, no capitalization, 128 flags +>2 leshort 0x0A 8-bit, capitalization, 128 flags +>2 leshort 0x0B 7-bit, capitalization, 128 flags +>2 leshort 0x0C 8-bit, no capitalization, 256 flags +>2 leshort 0x0D 7-bit, no capitalization, 256 flags +>2 leshort 0x0E 8-bit, capitalization, 256 flags +>2 leshort 0x0F 7-bit, capitalization, 256 flags +>4 leshort >0 and %d string characters +0 beshort&0xFFFC 0x9600 big endian ispell +>1 byte 0 hash file (?), +>1 byte 1 3.0 hash file, +>1 byte 2 3.1 hash file, +>1 byte 3 hash file (?), +>2 beshort 0x00 8-bit, no capitalization, 26 flags +>2 beshort 0x01 7-bit, no capitalization, 26 flags +>2 beshort 0x02 8-bit, capitalization, 26 flags +>2 beshort 0x03 7-bit, capitalization, 26 flags +>2 beshort 0x04 8-bit, no capitalization, 52 flags +>2 beshort 0x05 7-bit, no capitalization, 52 flags +>2 beshort 0x06 8-bit, capitalization, 52 flags +>2 beshort 0x07 7-bit, capitalization, 52 flags +>2 beshort 0x08 8-bit, no capitalization, 128 flags +>2 beshort 0x09 7-bit, no capitalization, 128 flags +>2 beshort 0x0A 8-bit, capitalization, 128 flags +>2 beshort 0x0B 7-bit, capitalization, 128 flags +>2 beshort 0x0C 8-bit, no capitalization, 256 flags +>2 beshort 0x0D 7-bit, no capitalization, 256 flags +>2 beshort 0x0E 8-bit, capitalization, 256 flags +>2 beshort 0x0F 7-bit, capitalization, 256 flags +>4 beshort >0 and %d string characters +# ispell 4.0 hash files kromJx <kromJx@crosswinds.net> +# Ispell 4.0 +0 string ISPL ispell +>4 long x hash file version %d, +>8 long x lexletters %d, +>12 long x lexsize %d, +>16 long x hashsize %d, +>20 long x stblsize %d diff --git a/magic/Magdir/isz b/magic/Magdir/isz new file mode 100644 index 0000000..4d9c030 --- /dev/null +++ b/magic/Magdir/isz @@ -0,0 +1,15 @@ + +#------------------------------------------------------------------------------ +# $File: isz,v 1.5 2019/04/19 00:42:27 christos Exp $ +# ISO Zipped file format +# https://www.ezbsystems.com/isz/iszspec.txt +0 string IsZ! ISO Zipped file +>4 byte x \b, header size %u +>5 byte x \b, version %u +>8 lelong x \b, serial %u +#12 leshort x \b, sector size %u +#>16 lelong x \b, total sectors %u +>17 byte >0 \b, password protected +#>24 lequad x \b, segment size %llu +#>32 lelong x \b, blocks %u +#>36 lelong x \b, block size %u diff --git a/magic/Magdir/java b/magic/Magdir/java new file mode 100644 index 0000000..d361275 --- /dev/null +++ b/magic/Magdir/java @@ -0,0 +1,52 @@ + +#------------------------------------------------------------ +# $File: java,v 1.22 2023/01/11 23:59:49 christos Exp $ +# Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the +# same magic number, 0xcafebabe, so they are both handled +# in the entry called "cafebabe". +#------------------------------------------------------------ +# Java serialization +# From Martin Pool (m.pool@pharos.com.au) +0 beshort 0xaced Java serialization data +>2 beshort >0x0004 \b, version %d + +0 belong 0xfeedfeed Java KeyStore +!:mime application/x-java-keystore +0 belong 0xcececece Java JCE KeyStore +!:mime application/x-java-jce-keystore + +# Java source +0 regex \^import.*;$ Java source +!:mime text/x-java + +# Java HPROF dumps +# https://java.net/downloads/heap-snapshot/hprof-binary-format.html +0 string JAVA\x20PROFILE\x201.0. +>0x12 byte 0 +>>0x11 ubyte-0x31 <2 Java HPROF dump, +>>>0x17 beqdate/1000 x created %s + +# Java jmod module +# See https://hg.openjdk.java.net/jdk9/jdk9/jdk/file/tip/src/java.base/share/classes/jdk/internal/jmod/JmodFile.java +# Grr. 2 byte magic "JM", really? In 2019? +0 belong 0x4a4d0100 Java jmod module version 1.0 +!:mime application/x-java-jmod + +# Java jlinked image +# See https://hg.openjdk.java.net/jdk9/jdk9/jdk/file/tip/src/java.base/share/native/libjimage/imageFile.hpp +0 belong 0xcafedada Java module image (big endian) +>4 beshort >0x00 \b, version %d +>6 beshort x \b.%d +!:mime application/x-java-image + +0 lelong 0xcafedada Java module image (little endian) +>6 leshort >0x00 \b, version %d +>4 leshort x \b.%d +!:mime application/x-java-image + +# JAR Manifest & Signature File +# Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html +0 string/t Manifest-Version:\x201.0 JAR Manifest +!:ext MF +0 string/t Signature-Version:\x201.0 JAR Signature File +!:ext SF diff --git a/magic/Magdir/javascript b/magic/Magdir/javascript new file mode 100644 index 0000000..90a09cc --- /dev/null +++ b/magic/Magdir/javascript @@ -0,0 +1,171 @@ + +#------------------------------------------------------------------------------ +# $File: javascript,v 1.5 2023/01/12 00:02:16 christos Exp $ +# javascript: magic for javascript and node.js scripts. +# +0 string/tw #!/bin/node Node.js script executable +!:mime application/javascript +0 string/tw #!/usr/bin/node Node.js script executable +!:mime application/javascript +0 string/tw #!/bin/nodejs Node.js script executable +!:mime application/javascript +0 string/tw #!/usr/bin/nodejs Node.js script executable +!:mime application/javascript +0 string/t #!/usr/bin/env\ node Node.js script executable +!:mime application/javascript +0 string/t #!/usr/bin/env\ nodejs Node.js script executable +!:mime application/javascript + +# JavaScript +# The strength is increased to beat the C++ & HTML rules +0 search "use\x20strict" JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 search 'use\x20strict' JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex module(\\.|\\[["'])exports.*= JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(const|var|let).*=.*require\\( JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^export\x20(function|class|default|const|var|let|async)\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \\((async\x20)?function[(\x20] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export).*\x20from\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export)\x20["']\\./ JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^require\\(["'] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex typeof.*[!=]== JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js + +# React Native minified JavaScript +0 search/128 __BUNDLE_START_TIME__= React Native minified JavaScript +!:strength +30 +!:mime application/javascript +!:ext bundle/jsbundle + +# Hermes by Facebook https://hermesengine.dev/ +# https://github.com/facebook/hermes/blob/master/include/hermes/\ +# BCGen/HBC/BytecodeFileFormat.h#L24 +0 lequad 0x1F1903C103BC1FC6 Hermes JavaScript bytecode +>8 lelong x \b, version %d + +# v8 JavaScript engine bytecode +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://v8.dev/docs/ignition +# Note: used in bytenode and NW.js protected source code +# V8 bytecode extraction was added in NodeJS v5.7.0 (V8 4.6.85.31). +# Version information is provided for some v8 versions found in NodeJS releases. +2 uleshort =0xC0DE +>0 ulelong^0xC0DE0000 >0 +# Reservation table starts at 40 +>>40 ulelong&0xFFFFFF00 =0x80000000 +# Stub keys present +>>>24 ulelong >0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0xEE4BF478 version 5.1.281.111, +>>>>4 ulelong =0xC4A0100C version 5.5.372.43, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x cpu features: %#08X, +>>>>16 ulelong x flag hash: %#08X, +>>>>20 ulelong x %u reservations, +>>>>28 ulelong x payload size: %u bytes, +>>>>32 ulelong x checksum1: %#08X, +>>>>36 ulelong x checksum2: %#08X +# No stub keys +>>>24 ulelong =0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x54F0AD81 version 6.2.414.46, +>>>>4 ulelong =0X7D1BF182 version 6.2.414.54, +>>>>4 ulelong =0x35BA122E version 6.2.414.77, +>>>>4 ulelong =0X9319F9C2 version 6.2.414.78, +>>>>4 ulelong =0xB1240060 version 6.6.346.32, +>>>>4 ulelong =0x2B757060 version 6.7.288.46, +>>>>4 ulelong =0x09D147AA version 6.7.288.49, +>>>>4 ulelong =0xF4D4F48A version 6.8.275.32, +>>>>4 ulelong =0xD3961326 version 7.0.276.38, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x cpu features: %#08X, +>>>>16 ulelong x flag hash: %#08X, +>>>>20 ulelong x %u reservations, +>>>>28 ulelong x payload size: %u bytes, +>>>>32 ulelong x checksum1: %#08X, +>>>>36 ulelong x checksum2: %#08X +# Reservation table starts at 32 +>>32 ulelong&0xFFFFFF00 =0x80000000 +# Second checksum present +>>>28 ulelong >0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x21DDF627 version 7.4.288.21, +>>>>4 ulelong =0x1FC9FE84 version 7.4.288.27, +>>>>4 ulelong =0x60A99E8B version 7.5.288.22, +>>>>4 ulelong =0x4F665E90 version 7.6.303.29, +>>>>4 ulelong =0xC7ACFCDE version 7.7.299.11, +>>>>4 ulelong =0x7F641D8F version 7.7.299.13, +>>>>4 ulelong =0xFD9A4F2E version 7.8.279.17, +>>>>4 ulelong =0x3A845324 version 7.8.279.23, +>>>>4 ulelong =0xFF52FEAF version 7.9.317.25, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x flag hash: %#08X, +>>>>16 ulelong x %u reservations, +>>>>20 ulelong x payload size: %u bytes, +>>>>24 ulelong x checksum1: %#08X, +>>>>28 ulelong x checksum2: %#08X +# No second checksum +>>>28 ulelong =0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x8725E0F8 version 8.1.307.30, +>>>>4 ulelong =0x09ED1289 version 8.1.307.31, +>>>>4 ulelong =0xA5728C87 version 8.3.110.9, +>>>>4 ulelong =0xB45C5D30 version 8.4.371.23, +>>>>4 ulelong =0xED9C278B version 8.4.371.19, +>>>>4 ulelong =0xD27BFF42 version 8.6.395.16, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x flag hash: %#08X, +>>>>16 ulelong x %u reservations, +>>>>20 ulelong x payload size: %u bytes, +>>>>24 ulelong x payload checksum: %#08X +# No reservation table and code starts at 24 +>>32 ulelong =0 +>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>4 ulelong =0x9A6F0B0F version 9.0.257.17, +>>>4 ulelong =0x271D5D1E version 9.0.257.24, +>>>4 ulelong =0x4EEA75DF version 9.0.257.25, +>>>4 ulelong =0x80809479 version 9.1.269.36, +>>>4 ulelong =0x55C46F65 version 9.1.269.38, +>>>4 ulelong =0x8A9C758A version 9.2.230.21, +>>>4 ulelong =0x9712F0E1 version 9.3.345.16, +>>>4 ulelong =0x29593715 version 9.4.146.19, +>>>4 ulelong =0xCD991825 version 9.4.146.24, +>>>4 ulelong =0xACDD64EE version 9.4.146.26, +>>>4 ulelong =0xC96B4CD5 version 9.5.172.21, +>>>4 ulelong =0xBCCE4578 version 9.5.172.25, +>>>4 ulelong =0xA2EEA077 version 9.6.180.15, +>>>4 ulelong =0xFD350011 version 10.1.124.8, +>>>4 ulelong =0xBEF4028F version 10.2.154.13, +>>>4 ulelong =0xAF632352 version 10.2.154.4, +>>>8 ulelong x source size: %u bytes, +>>>12 ulelong x flag hash: %#08X, +>>>16 ulelong x payload size: %u bytes, +>>>20 ulelong x payload checksum: %#08X diff --git a/magic/Magdir/jpeg b/magic/Magdir/jpeg new file mode 100644 index 0000000..9cebada --- /dev/null +++ b/magic/Magdir/jpeg @@ -0,0 +1,252 @@ + +#------------------------------------------------------------------------------ +# $File: jpeg,v 1.38 2022/12/02 17:42:04 christos Exp $ +# JPEG images +# SunOS 5.5.1 had +# +# 0 string \377\330\377\340 JPEG file +# 0 string \377\330\377\356 JPG file +# +# both of which turn into "JPEG image data" here. +# +0 belong 0xffd8fff7 JPEG-LS image data +!:mime image/jls +!:ext jls +>0 use jpeg + +0 belong&0xffffff00 0xffd8ff00 JPEG image data +!:mime image/jpeg +!:apple 8BIMJPEG +!:strength *3 +!:ext jpeg/jpg/jpe/jfif +>0 use jpeg + +0 name jpeg +>6 string JFIF \b, JFIF standard +# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06 +# in a vain attempt to add image size reporting for JFIF. Note that these +# tests are not fool-proof since some perfectly valid JPEGs are currently +# impossible to specify in magic(4) format. +# First, a little JFIF version info: +>>11 byte x \b %d. +>>12 byte x \b%02d +# Next, the resolution or aspect ratio of the image: +>>13 byte 0 \b, aspect ratio +>>13 byte 1 \b, resolution (DPI) +>>13 byte 2 \b, resolution (DPCM) +>>14 beshort x \b, density %dx +>>16 beshort x \b%d +>>4 beshort x \b, segment length %d +# Next, show thumbnail info, if it exists: +>>18 byte !0 \b, thumbnail %dx +>>>19 byte x \b%d +>6 string Exif \b, Exif standard: [ +>>12 indirect/r x +>>12 string x \b] + +# Jump to the first segment +>(4.S+4) use jpeg_segment + +# This uses recursion... +0 name jpeg_segment +>0 beshort 0xFFFE +# Recursion handled by FFE0 +#>>(2.S+2) use jpeg_segment +>>2 pstring/HJ x \b, comment: "%s" + +>0 beshort 0xFFC0 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, baseline, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, components %d + +>0 beshort 0xFFC1 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, extended sequential, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, components %d + +>0 beshort 0xFFC2 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, progressive, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, components %d + +# Define Huffman Tables +>0 beshort 0xFFC4 +>>(2.S+2) use jpeg_segment + +>0 beshort 0xFFE1 +# Recursion handled by FFE0 +#>>(2.S+2) use jpeg_segment +>>4 string Exif \b, Exif Standard: [ +>>>10 indirect/r x +>>>10 string x \b] + +# Application specific markers +>0 beshort&0xFFE0 =0xFFE0 +>>(2.S+2) use jpeg_segment + +# DB: Define Quantization tables +# DD: Define Restart interval [XXX: wrong here, it is 4 bytes] +# D8: Start of image +# D9: End of image +# Dn: Restart +>0 beshort&0xFFD0 =0xFFD0 +>>0 beshort&0xFFE0 !0xFFE0 +>>>(2.S+2) use jpeg_segment + +#>0 beshort x unknown %#x +#>>(2.S+2) use jpeg_segment + +# HSI is Handmade Software's proprietary JPEG encoding scheme +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HSI_JPEG +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-hsi1.trid.xml +# Note: called by TrID "HSI JPEG bitmap" +0 string hsi1 JPEG image data, HSI proprietary +#!:mime application/octet-stream +!:mime image/x-hsi +!:ext hsi/jpg + +# From: David Santinoli <david@santinoli.com> +0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 +# delete from ./animation (version 1.87) with jP (=6A50h) magic at offset 4 +# From: Johan van der Knijff <johan.vanderknijff@kb.nl> +# Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes +# https://github.com/bitsgalore/jp2kMagic +# +# Now read value of 'Brand' field, which yields a few possibilities: +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JP2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpeg2k.trid.xml +# Note: called by TrID "JPEG 2000 bitmap" +>20 string \x6a\x70\x32\x20 Part 1 (JP2) +# aliases image/jpeg2000, image/jpeg2000-image, image/x-jpeg2000-image +!:mime image/jp2 +!:ext jp2 +# URL: http://fileformats.archiveteam.org/wiki/JPX +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpx.trid.xml +# Note: called by TrID "JPEG 2000 eXtended bitmap" +>20 string \x6a\x70\x78\x20 Part 2 (JPX) +!:mime image/jpx +!:ext jpf/jpx +# URL: http://fileformats.archiveteam.org/wiki/JPM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpm.trid.xml +# Note: called by TrID "JPEG 2000 eXtended bitmap" +>20 string \x6a\x70\x6d\x20 Part 6 (JPM) +!:mime image/jpm +!:ext jpm +# URL: http://fileformats.archiveteam.org/wiki/MJ2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/v/video-mj2.trid.xml +# Note: called by TrID "Motion JPEG 2000 video" +>20 string \x6d\x6a\x70\x32 Part 3 (MJ2) +!:mime video/mj2 +!:ext mj2/mjp2 + +# Type: JPEG 2000 codesream +# From: Mathieu Malaterre <mathieu.malaterre@gmail.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_2000_codestream +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpc.trid.xml +# Note: called by TrID "JPEG-2000 Code Stream bitmap" +0 belong 0xff4fff51 JPEG 2000 codestream +# value like: 0701h FF50h +#>45 ubeshort x \b, at 45 %#4.4x +#!:mime application/octet-stream +# https://reposcope.com/mimetype/image/x-jp2-codestream +!:mime image/x-jp2-codestream +!:ext jpc/j2c/j2k +# MAYBE also JHC like in byte_causal.jhc ? +# WHAT IS THAT? DEAD ENTRY? +#45 beshort 0xff52 + +# JPEG extended range +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XR +# Reference: https://www.itu.int/rec/T-REC-T.832 +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wmp.trid.xml +# Note: called by TrID "JPEG XR bitmap" +0 string \x49\x49\xbc +# FILE_VERSION_ID; shall be equal to 1; other values are reserved for future use +>3 byte 1 +# FIRST_IFD_OFFSET; shall be an integer multiple of 2; so skip DROID fmt-590-signature-id-931.wdp +>>4 lelong%2 0 JPEG-XR +#!:mime image/vnd.ms-photo +!:mime image/jxr +# NO example for HDP ! +!:ext jxr/wdp/hdp +# MAYBE also WMP ? +#!:ext jxr/wdp/hdp/wmp +# moved from ./images (version 1.205 ), merged and +# partly verified by XnView `nconvert -info abydos.jxr FLOWER.wdp` +# example: https://web.archive.org/web/20160403012904/ +# http://shikino.co.jp/solution/upfile/FLOWER.wdp.zip +>90 bequad 0x574D50484F544F00 +>>98 byte&0x08 =0x08 \b, hard tiling +>>99 byte&0x80 =0x80 \b, tiling present +>>99 byte&0x40 =0x40 \b, codestream present +>>99 byte&0x38 x \b, spatial xform= +>>99 byte&0x38 0x00 \bTL +>>99 byte&0x38 0x08 \bBL +>>99 byte&0x38 0x10 \bTR +>>99 byte&0x38 0x18 \bBR +>>99 byte&0x38 0x20 \bBT +>>99 byte&0x38 0x28 \bRB +>>99 byte&0x38 0x30 \bLT +>>99 byte&0x38 0x38 \bLB +>>100 byte&0x80 =0x80 \b, short header +>>>102 beshort+1 x \b, %d +>>>104 beshort+1 x \bx%d +>>100 byte&0x80 =0x00 \b, long header +>>>102 belong+1 x \b, %x +>>>106 belong+1 x \bx%x +>>101 beshort&0xf x \b, bitdepth= +>>>101 beshort&0xf 0x0 \b1-WHITE=1 +>>>101 beshort&0xf 0x1 \b8 +>>>101 beshort&0xf 0x2 \b16 +>>>101 beshort&0xf 0x3 \b16-SIGNED +>>>101 beshort&0xf 0x4 \b16-FLOAT +>>>101 beshort&0xf 0x5 \b(reserved 5) +>>>101 beshort&0xf 0x6 \b32-SIGNED +>>>101 beshort&0xf 0x7 \b32-FLOAT +>>>101 beshort&0xf 0x8 \b5 +>>>101 beshort&0xf 0x9 \b10 +>>>101 beshort&0xf 0xa \b5-6-5 +>>>101 beshort&0xf 0xb \b(reserved %d) +>>>101 beshort&0xf 0xc \b(reserved %d) +>>>101 beshort&0xf 0xd \b(reserved %d) +>>>101 beshort&0xf 0xe \b(reserved %d) +>>>101 beshort&0xf 0xf \b1-BLACK=1 +>>101 beshort&0xf0 x \b, colorfmt= +>>>101 beshort&0xf0 0x00 \bYONLY +>>>101 beshort&0xf0 0x10 \bYUV240 +>>>101 beshort&0xf0 0x20 \bYWV422 +>>>101 beshort&0xf0 0x30 \bYWV444 +>>>101 beshort&0xf0 0x40 \bCMYK +>>>101 beshort&0xf0 0x50 \bCMYKDIRECT +>>>101 beshort&0xf0 0x60 \bNCOMPONENT +>>>101 beshort&0xf0 0x70 \bRGB +>>>101 beshort&0xf0 0x80 \bRGBE +>>>101 beshort&0xf0 >0x80 \b(reserved %#x) + +# JPEG XL +# From: Ian Tester +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl.trid.xml +# Note: called by TrID "JPEG XL bitmap" +0 string \xff\x0a JPEG XL codestream +!:mime image/jxl +!:ext jxl + +# JPEG XL (transcoded JPEG file) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl-iso.trid.xml +# Note: called by TrID "JPEG XL bitmap (ISOBMFF)" +0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container +!:mime image/jxl +!:ext jxl diff --git a/magic/Magdir/karma b/magic/Magdir/karma new file mode 100644 index 0000000..938a51d --- /dev/null +++ b/magic/Magdir/karma @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: karma,v 1.8 2015/08/29 07:10:35 christos Exp $ +# karma: file(1) magic for Karma data files +# +# From <rgooch@atnf.csiro.au> + +0 string KarmaRHD\040Version Karma Data Structure Version +>16 belong x %u diff --git a/magic/Magdir/kde b/magic/Magdir/kde new file mode 100644 index 0000000..dda5819 --- /dev/null +++ b/magic/Magdir/kde @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: kde,v 1.5 2010/11/25 15:00:12 christos Exp $ +# kde: file(1) magic for KDE + +0 string/t [KDE\ Desktop\ Entry] KDE desktop entry +!:mime application/x-kdelnk +0 string/t #\ KDE\ Config\ File KDE config file +!:mime application/x-kdelnk +0 string/t #\ xmcd xmcd database file for kscd +!:mime text/x-xmcd diff --git a/magic/Magdir/keepass b/magic/Magdir/keepass new file mode 100644 index 0000000..3d26efa --- /dev/null +++ b/magic/Magdir/keepass @@ -0,0 +1,20 @@ + +#------------------------------------------------------------------------------ +# $File: keepass,v 1.2 2019/04/19 00:42:27 christos Exp $ +# keepass: file(1) magic for KeePass file +# +# Keepass Password Safe: +# * original one: https://keepass.info/ +# * *nix port: https://www.keepassx.org/ +# * android port: https://code.google.com/p/keepassdroid/ + +0 lelong 0x9AA2D903 Keepass password database +>4 lelong 0xB54BFB65 1.x KDB +>>48 lelong >0 \b, %d groups +>>52 lelong >0 \b, %d entries +>>8 lelong&0x0f 1 \b, SHA-256 +>>8 lelong&0x0f 2 \b, AES +>>8 lelong&0x0f 4 \b, RC4 +>>8 lelong&0x0f 8 \b, Twofish +>>120 lelong >0 \b, %d key transformation rounds +>4 lelong 0xB54BFB67 2.x KDBX diff --git a/magic/Magdir/kerberos b/magic/Magdir/kerberos new file mode 100644 index 0000000..df6dc52 --- /dev/null +++ b/magic/Magdir/kerberos @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: kerberos,v 1.3 2019/04/19 00:42:27 christos Exp $ +# kerberos: MIT kerberos file binary formats +# + +# This magic entry is for demonstration purposes and could be improved +# if the following features were implemented in file: +# +# Strings inside [[ .. ]] in the descriptions have special meanings and +# are not printed. +# +# - Provide some form of iteration in number of components +# [[${counter}=%d]] in the description +# then append +# [${counter}--] in the offset of the entries +# - Provide a way to round the next offset +# Add [R:4] after the offset? +# - Provide a way to have optional entries +# XXX: Syntax: +# - Provide a way to "save" entries to print them later. +# if the description is [[${name}=%s]], then nothing is +# printed and a subsequent entry in the same magic file +# can refer to ${name} +# - Provide a way to format strings as hex values +# +# https://www.gnu.org/software/shishi/manual/html_node/\ +# The-Keytab-Binary-File-Format.html +# + +0 name keytab_entry +#>0 beshort x \b, size=%d +#>2 beshort x \b, components=%d +>4 pstring/H x \b, realm=%s +>>&0 pstring/H x \b, principal=%s/ +>>>&0 pstring/H x \b%s +>>>>&0 belong x \b, type=%d +>>>>>&0 bedate x \b, date=%s +>>>>>>&0 byte x \b, kvno=%u +#>>>>>>>&0 pstring/H x +#>>>>>>>>&0 belong x +#>>>>>>>>>>&0 use keytab_entry + +0 belong 0x05020000 Kerberos Keytab file +>4 use keytab_entry diff --git a/magic/Magdir/kicad b/magic/Magdir/kicad new file mode 100644 index 0000000..212a550 --- /dev/null +++ b/magic/Magdir/kicad @@ -0,0 +1,85 @@ + +#------------------------------------------------------------------------------ +# $File: kicad,v 1.2 2020/05/06 14:03:28 christos Exp $ +# kicad: file(1) magic for KiCad files +# +# See +# +# http://kicad-pcb.org +# + +# KiCad Schematic Document +0 string (kicad_sch +>10 byte 0x20 KiCad Schematic Document +!:ext kicad_sch/kicad_sch-bak +>>11 string (version +>>>19 byte 0x20 +>>>>20 regex [0-9.]+ (Version %s) + +# KiCad Schematic Document (Legacy) +0 string EESchema +>8 byte 0x20 +>>9 string Schematic +>>>18 byte 0x20 KiCad Schematic Document (Legacy) +!:ext sch/bak +>>>>24 string Version +>>>>>31 byte 0x20 +>>>>>>32 string x (Version %s) + +# KiCad Symbol Library +0 string (kicad_symbol_lib +>17 byte 0x20 KiCad Symbol Library +!:ext kicad_sym +>>18 string (version +>>>26 byte 0x20 +>>>>27 regex [0-9.]+ (Version %s) + +# KiCad Symbol Library (Legacy) +0 string EESchema-LIBRARY +>16 byte 0x20 KiCad Symbol Library (Legacy) +!:ext lib +>>17 string Version +>>>24 byte 0x20 +>>>>25 string x (Version %s) + +# KiCad Symbol Library Documentation (Legacy) +0 string EESchema-DOCLIB +>15 byte 0x20 KiCad Symbol Library Documentation (Legacy) +!:ext dcm +>>17 string Version +>>>24 byte 0x20 +>>>>25 string x (Version %s) + +# KiCad Board Layout +0 string (kicad_pcb +>10 byte 0x20 KiCad Board Layout +!:ext kicad_pcb/kicad_pcb-bak +>>11 string (version +>>>19 byte 0x20 +>>>>20 regex [0-9.]+ (Version %s) + +# KiCad Footprint +0 string (module +>7 byte 0x20 KiCad Footprint +!:ext kicad_mod + +# KiCad Footprint (Legacy) +0 string PCBNEW-LibModule-V1 KiCad Footprint (Legacy) +!:ext mod + +# KiCad Netlist +0 string (export +>7 byte 0x20 KiCad Netlist +!:ext net + +# KiCad Symbol Library Table +0 string (sym_lib_table +>14 byte 0xA KiCad Symbol Library Table +>14 byte 0xD KiCad Symbol Library Table +>14 byte 0x20 KiCad Symbol Library Table + +# KiCad Footprint Library Table +0 string (fp_lib_table +>13 byte 0xA KiCad Footprint Library Table +>13 byte 0xD KiCad Footprint Library Table +>13 byte 0x20 KiCad Footprint Library Table diff --git a/magic/Magdir/kml b/magic/Magdir/kml new file mode 100644 index 0000000..904f3b5 --- /dev/null +++ b/magic/Magdir/kml @@ -0,0 +1,34 @@ + +#------------------------------------------------------------------------------ +# $File: kml,v 1.6 2019/05/21 04:50:10 christos Exp $ +# Type: Google KML, formerly Keyhole Markup Language +# Future development of this format has been handed +# over to the Open Geospatial Consortium. +# https://www.opengeospatial.org/standards/kml/ +# From: Asbjoern Sloth Toennesen <asbjorn@lila.io> +0 string/t \<?xml +>20 search/400 \ xmlns= +>>&0 regex ['"]http://earth.google.com/kml Google KML document +!:mime application/vnd.google-earth.kml+xml +>>>&1 string 2.0' \b, version 2.0 +>>>&1 string 2.1' \b, version 2.1 +>>>&1 string 2.2' \b, version 2.2 + +#------------------------------------------------------------------------------ +# Type: OpenGIS KML, formerly Keyhole Markup Language +# This standard is maintained by the +# Open Geospatial Consortium. +# https://www.opengeospatial.org/standards/kml/ +# From: Asbjoern Sloth Toennesen <asbjorn@lila.io> +>>&0 regex ['"]http://www.opengis.net/kml OpenGIS KML document +!:mime application/vnd.google-earth.kml+xml +>>>&1 string/t 2.2 \b, version 2.2 + +#------------------------------------------------------------------------------ +# Type: Google KML Archive (ZIP based) +# https://code.google.com/apis/kml/documentation/kml_tut.html +# From: Asbjoern Sloth Toennesen <asbjorn@lila.io> +0 string PK\003\004 +>4 byte 0x14 +>>30 string doc.kml Compressed Google KML Document, including resources. +!:mime application/vnd.google-earth.kmz diff --git a/magic/Magdir/lammps b/magic/Magdir/lammps new file mode 100644 index 0000000..5424383 --- /dev/null +++ b/magic/Magdir/lammps @@ -0,0 +1,64 @@ +#------------------------------------------------------------------------------ +# $File: lammps,v 1.1 2021/03/14 16:24:18 christos Exp $ +# + +# Magic file patterns for use with file(1) for the +# LAMMPS molecular dynamics simulation software. +# https://lammps.sandia.gov +# +# Updated: 2021-03-14 by akohlmey@gmail.com + +# Binary restart file for the LAMMPS MD code +0 string LammpS\ RestartT LAMMPS binary restart file +>0x14 long x (rev %d), +>>0x20 string x Version %s, +>>>0x10 lelong 0x0001 Little Endian +>>>0x10 lelong 0x1000 Big Endian + +# Atom style binary dump file for the LAMMPS MD code +# written on a little endian machine +0 lequad -8 +>0x08 string DUMPATOM LAMMPS atom style binary dump +>>0x14 long x (rev %d), +>>>0x10 lelong 0x0001 Little Endian, +>>>>0x18 lequad x First time step: %lld + +# written on a big endian machine +0 bequad -8 +>0x08 string DUMPATOM LAMMPS atom style binary dump +>>0x14 belong x (rev %d), +>>>0x10 lelong 0x1000 Big Endian, +>>>>0x18 bequad x First time step: %lld + +# Atom style binary dump file for the LAMMPS MD code +# written on a little endian machine +0 lequad -10 +>0x08 string DUMPCUSTOM LAMMPS custom style binary dump +>>0x16 lelong x (rev %d), +>>>0x12 lelong 0x0001 Little Endian, +>>>>0x1a lequad x First time step: %lld + +# written on a big endian machine +0 bequad -10 +>0x08 string DUMPCUSTOM LAMMPS custom style binary dump +>>0x16 belong x (rev %d), +>>>0x12 lelong 0x1000 Big Endian, +>>>>0x1a bequad x First time step: %lld + +# LAMMPS log file +0 string LAMMPS\ ( LAMMPS log file +>8 regex/16 [0-9]+\ [A-Za-z]+\ [0-9]+ written by version %s + +# Data file written either by LAMMPS, msi2lmp or VMD/TopoTools +0 string LAMMPS\ data\ file LAMMPS data file +>0x12 string CGCMM\ style written by TopoTools +>0x12 string msi2lmp written by msi2lmp +>0x11 string via\ write_data written by LAMMPS + +# LAMMPS data file written by OVITO +0 string #\ LAMMPS\ data\ file LAMMPS data file +>0x13 string written\ by\ OVITO written by OVITO + +# LAMMPS text mode dump file +0 string ITEM:\ TIMESTEP LAMMPS text mode dump, +>15 regex/16 [0-9]+ First time step: %s diff --git a/magic/Magdir/lecter b/magic/Magdir/lecter new file mode 100644 index 0000000..6ae87c1 --- /dev/null +++ b/magic/Magdir/lecter @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: lecter,v 1.4 2009/09/19 16:28:10 christos Exp $ +# DEC SRC Virtual Paper: Lectern files +# Karl M. Hegbloom <karlheg@inetarena.com> +0 string lect DEC SRC Virtual Paper Lectern file diff --git a/magic/Magdir/lex b/magic/Magdir/lex new file mode 100644 index 0000000..cc9fac5 --- /dev/null +++ b/magic/Magdir/lex @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: lex,v 1.6 2009/09/19 16:28:10 christos Exp $ +# lex: file(1) magic for lex +# +# derived empirically, your offsets may vary! +0 search/100 yyprevious C program text (from lex) +>3 search/1 >\0 for %s +# C program text from GNU flex, from Daniel Quinlan <quinlan@yggdrasil.com> +0 search/100 generated\ by\ flex C program text (from flex) +# lex description file, from Daniel Quinlan <quinlan@yggdrasil.com> +0 search/1 %{ lex description text diff --git a/magic/Magdir/lif b/magic/Magdir/lif new file mode 100644 index 0000000..3474a48 --- /dev/null +++ b/magic/Magdir/lif @@ -0,0 +1,50 @@ + +#------------------------------------------------------------------------------ +# $File: lif,v 1.11 2022/10/19 20:15:16 christos Exp $ +# lif: file(1) magic for lif +# +# (Daniel Quinlan <quinlan@yggdrasil.com>) +# +# Modified by: Joerg Jenderek +# URL: https://www.hp9845.net/9845/projects/hpdir/ +# https://github.com/bug400/lifutils +# Reference: https://www.hp9845.net/9845/downloads/manuals/LIF_excerpt_64941-90906_flpRef_Jan84.pdf +# Note: called by TrID "HP Logical Interchange Format disk image" +0 beshort 0x8000 +# GRR: line above is too general as it catches also compressed DEGAS low-res bitmap *.pc1 +# skip many compressed DEGAS low-res bitmap *.pc1 by test for unused bytes +>14 beshort =0 +# skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number +>>20 ubeshort <0x0100 +# skip DROID fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx by test for ASCII like volume name +>>>2 ubelong >0x2020201F +>>>>0 use lif-file +0 name lif-file +# LIF ID +>0 beshort x lif file +!:mime application/x-lif-disk +# lif used by Tony Duell LIF utilities; enhanced version by Joachim Siebold use also dat; hpi used by hpdir +!:ext lif/hpi/dat +# volume label; A-Z 0-9 _ ; default are 6 spaces +>2 string x "%.6s" +#>2 ubelong x LABEL=%8.8x +# version number; 0 for systems without extensions or 1 for model 64000 +>20 ubeshort x \b, version %u +# LIF identifier; 010000 for system 3000 +>12 beshort !0x1000 \b, LIF identifier %#x +# directory start address in units like: 2 +>8 ubelong x \b, directory +>8 ubelong !2 start address %u +# length of directory like: 2 4 7 10 12 14 (for model 64000) 16 18 20 24 30 50 57 77 80 +>16 ubelong x length %u +# level 1 extensions +>20 beshort =0 +>>24 ubequad !0 \b, for extensions %#llx... +>20 beshort >0 +>>24 ubequad !0 \b, extensions %#llx... +# word 21-126 reserved for extensions and future use; set to nil +>42 ubequad !0 \b, RESERVED %#llx +# lif first file name for standard directory; 0xffff... means uninitialized +>8 ubelong 2 +>>512 string <\xff\xff \b, 1st file %-.10s + diff --git a/magic/Magdir/linux b/magic/Magdir/linux new file mode 100644 index 0000000..ae18114 --- /dev/null +++ b/magic/Magdir/linux @@ -0,0 +1,627 @@ + +#------------------------------------------------------------------------------ +# $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $ +# linux: file(1) magic for Linux files +# +# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> +# The following basic Linux magic is useful for reference, but using +# "long" magic is a better practice in order to avoid collisions. +# +# 2 leshort 100 Linux/i386 +# >0 leshort 0407 impure executable (OMAGIC) +# >0 leshort 0410 pure executable (NMAGIC) +# >0 leshort 0413 demand-paged executable (ZMAGIC) +# >0 leshort 0314 demand-paged executable (QMAGIC) +# +0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC) +>16 lelong 0 \b, stripped +0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC) +>16 lelong 0 \b, stripped +0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) +>16 lelong 0 \b, stripped +0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC) +>16 lelong 0 \b, stripped +# +0 string \007\001\000 Linux/i386 object file +>20 lelong >0x1020 \b, DLL library +# Linux-8086 stuff: +0 string \01\03\020\04 Linux-8086 impure executable +>28 long !0 not stripped +0 string \01\03\040\04 Linux-8086 executable +>28 long !0 not stripped +# +0 string \243\206\001\0 Linux-8086 object file +# +0 string \01\03\020\20 Minix-386 impure executable +>28 long !0 not stripped +0 string \01\03\040\20 Minix-386 executable +>28 long !0 not stripped +0 string \01\03\04\20 Minix-386 NSYM/GNU executable +>28 long !0 not stripped +# core dump file, from Bill Reynolds <bill@goshawk.lanl.gov> +216 lelong 0421 Linux/i386 core file +!:strength / 2 +>220 string >\0 of '%s' +>200 lelong >0 (signal %d) +# +# LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com> +# this can be overridden by the DOS executable (COM) entry +2 string LILO Linux/i386 LILO boot/chain loader +# +# Linux make config build file, from Ole Aamot <oka@oka.no> +# Updated by Ken Sharp +28 string make\ config Linux make config build file (old) +49 search/70 Kernel\ Configuration Linux make config build file + +# +# PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com> +# Updated by Adam Buchbinder <adam.buchbinder@gmail.com> +# See: https://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html +0 leshort 0x0436 Linux/i386 PC Screen Font v1 data, +>2 byte&0x01 0 256 characters, +>2 byte&0x01 !0 512 characters, +>2 byte&0x02 0 no directory, +>2 byte&0x02 !0 Unicode directory, +>3 byte >0 8x%d +0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data, +>16 lelong x %d characters, +>12 lelong&0x01 0 no directory, +>12 lelong&0x01 !0 Unicode directory, +>28 lelong x %d +>24 lelong x \bx%d + +# Linux swap and hibernate files +# Linux kernel: include/linux/swap.h +# util-linux: libblkid/src/superblocks/swap.c + +# format v0, unsupported since 2002 +0xff6 string SWAP-SPACE Linux old swap file, 4k page size +0x1ff6 string SWAP-SPACE Linux old swap file, 8k page size +0x3ff6 string SWAP-SPACE Linux old swap file, 16k page size +0x7ff6 string SWAP-SPACE Linux old swap file, 32k page size +0xfff6 string SWAP-SPACE Linux old swap file, 64k page size + +# format v1, supported since 1998 +0 name linux-swap +>0x400 lelong 1 little endian, version %u, +>>0x404 lelong x size %u pages, +>>0x408 lelong x %u bad pages, +>0x400 belong 1 big endian, version %u, +>>0x404 belong x size %u pages, +>>0x408 belong x %u bad pages, +>0x41c string \0 no label, +>0x41c string >\0 LABEL=%s, +>0x40c ubelong x UUID=%08x +>0x410 ubeshort x \b-%04x +>0x412 ubeshort x \b-%04x +>0x414 ubeshort x \b-%04x +>0x416 ubelong x \b-%08x +>0x41a ubeshort x \b%04x + +0xff6 string SWAPSPACE2 Linux swap file, 4k page size, +>0 use linux-swap +0x1ff6 string SWAPSPACE2 Linux swap file, 8k page size, +>0 use linux-swap +0x3ff6 string SWAPSPACE2 Linux swap file, 16k page size, +>0 use linux-swap +0x7ff6 string SWAPSPACE2 Linux swap file, 32k page size, +>0 use linux-swap +0xfff6 string SWAPSPACE2 Linux swap file, 64k page size, +>0 use linux-swap + +0 name linux-hibernate +>0 string S1SUSPEND \b, with SWSUSP1 image +>0 string S2SUSPEND \b, with SWSUSP2 image +>0 string ULSUSPEND \b, with uswsusp image +>0 string LINHIB0001 \b, with compressed hibernate image +>0 string \xed\xc3\x02\xe9\x98\x56\xe5\x0c \b, with tuxonice image +>0 default x \b, with unknown hibernate image + +0xfec string SWAPSPACE2 Linux swap file, 4k page size, +>0 use linux-swap +>0xff6 use linux-hibernate +0x1fec string SWAPSPACE2 Linux swap file, 8k page size, +>0 use linux-swap +>0x1ff6 use linux-hibernate +0x3fec string SWAPSPACE2 Linux swap file, 16k page size, +>0 use linux-swap +>0x3ff6 use linux-hibernate +0x7fec string SWAPSPACE2 Linux swap file, 32k page size, +>0 use linux-swap +>0x7ff6 use linux-hibernate +0xffec string SWAPSPACE2 Linux swap file, 64k page size, +>0 use linux-swap +>0xfff6 use linux-hibernate + +# +# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu> +# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de> +# and Nicolas Lichtmaier <nick@debian.org> +# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 +# Linux kernel boot images (i386 arch) (Wolfram Kleff) +# URL: https://www.kernel.org/doc/Documentation/x86/boot.txt +514 string HdrS Linux kernel +!:strength + 55 +# often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes +# Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin +# DamnSmallLinux 1.5 damnsmll.lnx +!:ext /dat/bin/lnx +>510 leshort 0xAA55 x86 boot executable +>>518 leshort >0x1ff +>>>529 byte 0 zImage, +>>>529 byte 1 bzImage, +>>>526 lelong >0 +>>>>(526.s+0x200) string >\0 version %s, +>>498 leshort 1 RO-rootFS, +>>498 leshort 0 RW-rootFS, +>>508 leshort >0 root_dev %#X, +>>502 leshort >0 swap_dev %#X, +>>504 leshort >0 RAMdisksize %u KB, +>>506 leshort 0xFFFF Normal VGA +>>506 leshort 0xFFFE Extended VGA +>>506 leshort 0xFFFD Prompt for Videomode +>>506 leshort >0 Video mode %d +# This also matches new kernels, which were caught above by "HdrS". +0 belong 0xb8c0078e Linux kernel +>0x1e3 string Loading version 1.3.79 or older +>0x1e9 string Loading from prehistoric times + +# System.map files - Nicolas Lichtmaier <nick@debian.org> +8 search/1 \ A\ _text Linux kernel symbol map text + +# LSM entries - Nicolas Lichtmaier <nick@debian.org> +0 search/1 Begin3 Linux Software Map entry text +0 search/1 Begin4 Linux Software Map entry text (new format) + +# From Matt Zimmerman, enhanced for v3 by Matthew Palmer +0 belong 0x4f4f4f4d User-mode Linux COW file +>4 belong <3 \b, version %d +>>8 string >\0 \b, backing file %s +>4 belong >2 \b, version %d +>>32 string >\0 \b, backing file %s + +############################################################################ +# Linux kernel versions + +0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux +>497 leshort 0 x86 boot sector +>>514 belong 0x8e of a kernel from the dawn of time! +>>514 belong 0x908ed8b4 version 0.99-1.1.42 +>>514 belong 0x908ed8b8 for memtest86 + +>497 leshort !0 x86 kernel +>>504 leshort >0 RAMdisksize=%u KB +>>502 leshort >0 swap=%#X +>>508 leshort >0 root=%#X +>>>498 leshort 1 \b-ro +>>>498 leshort 0 \b-rw +>>506 leshort 0xFFFF vga=normal +>>506 leshort 0xFFFE vga=extended +>>506 leshort 0xFFFD vga=ask +>>506 leshort >0 vga=%d +>>514 belong 0x908ed881 version 1.1.43-1.1.45 +>>514 belong 0x15b281cd +>>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 +>>>0xa99 belong 0x55AA5a5a version 1.3.1,2 +>>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30 +>>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41 +>>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45 +>>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72 +>>514 string HdrS +>>>518 leshort >0x1FF +>>>>529 byte 0 \b, zImage +>>>>529 byte 1 \b, bzImage +>>>>(526.s+0x200) string >\0 \b, version %s + +# Linux boot sector thefts. +0 belong 0xb8c0078e Linux +>0x1e6 belong 0x454c4b53 ELKS Kernel +>0x1e6 belong !0x454c4b53 style boot sector + +############################################################################ +# Linux S390 kernel image +# Created by: Jan Kaluza <jkaluza@redhat.com> +8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390 +>0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc +# 64bit +>>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel +>>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel +>>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel +>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel +# 32bit +>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel +>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel +>>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel +>>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel + +############################################################################ +# Linux ARM compressed kernel image +# From: Kevin Cernekee <cernekee@gmail.com> +# Update: Joerg Jenderek +0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage +# There are three possible situations: LE, BE with LE bootloader and pure BE. +# In order to aid telling these apart a new endian flag was added. In order +# to support kernels before the flag and BE with LE bootloader was added we'll +# do a negative check against the BE variant of the flag when we see a LE magic. +>0x30 belong !0x04030201 (little-endian) +# raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" +!:ext img/bin +>0x30 belong 0x04030201 (big-endian) +0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) + +############################################################################ +# Linux AARCH64 kernel image +0x38 lelong 0x644d5241 Linux kernel ARM64 boot executable Image +>0x18 lelong ^1 \b, little-endian +>0x18 lelong &1 \b, big-endian +>0x18 lelong &2 \b, 4K pages +>0x18 lelong &4 \b, 16K pages +>0x18 lelong &6 \b, 32K pages + +############################################################################ +# Linux 8086 executable +0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless +>5 string . +>>4 string >\0 \b, libc version %s + +0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable +>2 byte&0x01 !0 \b, unmapped zero page +>2 byte&0x20 0 \b, impure +>2 byte&0x20 !0 +>>2 byte&0x10 !0 \b, A_EXEC +>2 byte&0x02 !0 \b, A_PAL +>2 byte&0x04 !0 \b, A_NSYM +>2 byte&0x08 !0 \b, A_STAND +>2 byte&0x40 !0 \b, A_PURE +>2 byte&0x80 !0 \b, A_TOVLY +>28 long !0 \b, not stripped +>37 string . +>>36 string >\0 \b, libc version %s + +# 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable +# 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable +# 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable +# 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable + +# SYSLINUX boot logo files (from 'ppmtolss16' sources) +# https://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: +# file extension .lss .16 +0 lelong =0x1413f33d SYSLINUX' LSS16 image data +# syslinux-4.05/mime/image/x-lss16.xml +!:mime image/x-lss16 +>4 leshort x \b, width %d +>6 leshort x \b, height %d + +0 string OOOM User-Mode-Linux's Copy-On-Write disk image +>4 belong x version %d + +# SE Linux policy database +# From: Mike Frysinger <vapier@gentoo.org> +0 lelong 0xf97cff8c SE Linux policy +>16 lelong x v%d +>20 lelong 1 MLS +>24 lelong x %d symbols +>28 lelong x %d ocons + +# Linux Logical Volume Manager (LVM) +# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net> +# +# System ID, UUID and volume group name are 128 bytes long +# but they should never be full and initialized with zeros... +# +# LVM1 +# +0x0 string/b HM\001 LVM1 (Linux Logical Volume Manager), version 1 +>0x12c string/b >\0 , System ID: %s + +0x0 string/b HM\002 LVM1 (Linux Logical Volume Manager), version 2 +>0x12c string/b >\0 , System ID: %s + +# LVM2 +# +# It seems that the label header can be in one the four first sector +# of the disk... (from _find_labeller in lib/label/label.c of LVM2) +# +# 0x200 seems to be the common case +0 name lvm2 +# display UUID in LVM format + display all 32 bytes (instead of max string length: 31) +>0x0 string >\x2f \b, UUID: %.6s +>0x6 string >\x2f \b-%.4s +>0xa string >\x2f \b-%.4s +>0xe string >\x2f \b-%.4s +>0x12 string >\x2f \b-%.4s +>0x16 string >\x2f \b-%.4s +>0x1a string >\x2f \b-%.6s +>0x20 lequad x \b, size: %lld + + +# read the offset to add to the start of the header, and the header +# start in 0x200 +0x218 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x20) use lvm2 + +0x018 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x20) use lvm2 + +0x418 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x20) use lvm2 + +0x618 string/b LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x20) use lvm2 + +# LVM snapshot +# from Jason Farrel +0 string SnAp LVM Snapshot (CopyOnWrite store) +>4 lelong !0 - valid, +>4 lelong 0 - invalid, +>8 lelong x version %d, +>12 lelong x chunk_size %d + +# SE Linux policy database +0 lelong 0xf97cff8c SE Linux policy +>16 lelong x v%d +>20 lelong 1 MLS +>24 lelong x %d symbols +>28 lelong x %d ocons + +# Summary: Xen saved domain file +# Created by: Radek Vokal <rvokal@redhat.com> +0 string LinuxGuestRecord Xen saved domain +>20 search/256 (name +>>&1 string x (name %s) + +# Type: Xen, the virtual machine monitor +# From: Radek Vokal <rvokal@redhat.com> +0 string LinuxGuestRecord Xen saved domain +#>2 regex \(name\ [^)]*\) %s +>20 search/256 (name (name +>>&1 string x %s...) + +# Systemd journald files +# See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. +# From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> +# Update: Joerg Jenderek +# URL: https://systemd.io/JOURNAL_FILE_FORMAT/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml +# Note: called "systemd journal" by TrID +# verified by `journalctl --file=user-1000.journal` +# check magic signature[8] +0 string LPKSHHRH +# check that state is one of known values +# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 +>16 ubyte&252 0 +# check that each half of three unique id128s is non-zero +# file_id +>>24 ubequad >0 +>>>32 ubequad >0 +# machine_id +>>>>40 ubequad >0 +>>>>>48 ubequad >0 +# boot_id; last writer +>>>>>>56 ubequad >0 +>>>>>>>64 ubequad >0 Journal file +#!:mime application/octet-stream +!:mime application/x-linux-journal +# provide more info +# head_entry_realtime; contains a POSIX timestamp stored in microseconds +>>>>>>>>184 leqdate/1000000 !0 \b, %s +>>>>>>>>184 leqdate 0 empty +# If a file is closed after writing the state field should be set to STATE_OFFLINE +>>>>>>>>16 ubyte 0 \b, +# for offline and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 offline +# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html +# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: +# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' +!:ext journal~ +# for offline and non empty often *.journal~ but also user-1001.journal +>>>>>>>>>184 leqdate !0 offline +!:ext journal/journal~ +# if a file is opened for writing the state field should be set to STATE_ONLINE +>>>>>>>>16 ubyte 1 \b, +# for online and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 online +# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~ +!:ext journal~ +# for online and non empty only journal extension found +>>>>>>>>>184 leqdate !0 online +# system.journal user-1000.journal +!:ext journal +# after a file has been rotated it should be set to STATE_ARCHIVED +>>>>>>>>16 ubyte 2 \b, archived +!:ext journal +# no *.journal~ found +#!:ext journal/journal~ +# compatible_flags +>>>>>>>>8 ulelong&1 1 \b, sealed +# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 +#>>>>>>>>12 ulelong x FLAGS=%#x +>>>>>>>>12 ulelong&1 1 \b, compressed +>>>>>>>>12 ulelong&2 !0 \b, compressed lz4 +>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 +>>>>>>>>12 ulelong&8 !0 \b, compressed zstd +>>>>>>>>12 ulelong&16 !0 \b, compact +# uint8_t reserved[7]; apparently nil +#>>17 long !0 \b, reserved %#8.8x +# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 +#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx +#>>>>>>>>80 ubequad x b%16.16llx +# header_size like: 100h +>>>>>>>>88 ulequad !0x100h \b, header size %#llx +# arena_size like: 0 7fff00h ffff00h 17fff00h +#>>>>>>>>96 ulequad >0 \b, arena size %#llx +# data_hash_table_offset like: 0 15f0h 15f0h +#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx +# data_hash_table_size like: 0 38e380h +#>>>>>>>>112 ulequad >0 \b, hash table size %#llx +# field_hash_table_offset like: 0 110h +#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx +# field_hash_table_size like: 0 14d0h +#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx +# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h +#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx +# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh +#>>>>>>>>144 ulequad >0 \b, objects %#llx +# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h +>>>>>>>>152 ulequad >0 \b, entries %#llx +# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh +#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx +# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah +#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx +# entry_array_offset like: 0 390058h 3909d8h 3909e0h +#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx + +# BCache backing and cache devices +# From: Gabriel de Perthuis <g2p.code@gmail.com> +0x1008 lequad 8 +>0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache +>>0x1010 ulequad 0 cache device +>>0x1010 ulequad 1 backing device +>>0x1010 ulequad 3 cache device +>>0x1010 ulequad 4 backing device +>>0x1048 string >0 \b, label "%.32s" +>>0x1028 ubelong x \b, uuid %08x +>>0x102c ubeshort x \b-%04x +>>0x102e ubeshort x \b-%04x +>>0x1030 ubeshort x \b-%04x +>>0x1032 ubelong x \b-%08x +>>0x1036 ubeshort x \b%04x +>>0x1038 ubelong x \b, set uuid %08x +>>0x103c ubeshort x \b-%04x +>>0x103e ubeshort x \b-%04x +>>0x1040 ubeshort x \b-%04x +>>0x1042 ubelong x \b-%08x +>>0x1046 ubeshort x \b%04x + +# Linux device tree: +# File format description can be found in the Linux kernel sources at +# Documentation/devicetree/booting-without-of.txt +# From Christoph Biedl +0 belong 0xd00dfeed +# structure must be within blob, strings are omitted to handle devicetrees > 1M +>&(8.L) byte x +>>20 belong >1 Device Tree Blob version %d +>>>4 belong x \b, size=%d +>>>20 belong >1 +>>>>28 belong x \b, boot CPU=%d +>>>20 belong >2 +>>>>32 belong x \b, string block size=%d +>>>20 belong >16 +>>>>36 belong x \b, DT structure block size=%d + +# glibc locale archive as defined in glibc locale/locarchive.h +0 lelong 0xde020109 locale archive +>24 lelong x %d strings + +# Linux Software RAID (mdadm) +# Russell Coker <russell@coker.com.au> +0 name linuxraid +>16 belong x UUID=%8x: +>20 belong x \b%8x: +>24 belong x \b%8x: +>28 belong x \b%8x +>32 string x name=%s +>72 lelong x level=%d +>92 lelong x disks=%d + +4096 lelong 0xa92b4efc Linux Software RAID +>4100 lelong x version 1.2 (%d) +>4096 use linuxraid + +0 lelong 0xa92b4efc Linux Software RAID +>4 lelong x version 1.1 (%d) +>0 use linuxraid + +# Summary: Database file for mlocate +# Description: A database file as used by mlocate, a fast implementation +# of locate/updatedb. It uses merging to reuse the existing +# database and avoid rereading most of the filesystem. It's +# the default version of locate on Arch Linux (and others). +# File path: /var/lib/mlocate/mlocate.db by default (but configurable) +# Site: https://fedorahosted.org/mlocate/ +# Format docs: https://linux.die.net/man/5/mlocate.db +# Type: mlocate database file +# URL: https://fedorahosted.org/mlocate/ +# From: Wander Nauta <info@wandernauta.nl> +0 string \0mlocate mlocate database +>12 byte x \b, version %d +>13 byte 1 \b, require visibility +>16 string x \b, root %s + +# Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: +# https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 +# From: Pavel Emelyanov <xemul@parallels.com> +0 lelong 0x45311224 iproute2 routes dump +0 lelong 0x47361222 iproute2 addresses dump + +# Image and service files for CRIU tool. +# URL: https://criu.org +# From: Pavel Emelyanov <xemul@parallels.com> +0 lelong 0x54564319 CRIU image file v1.1 +0 lelong 0x55105940 CRIU service file +0 lelong 0x58313116 CRIU inventory + +# Kdump compressed dump files +# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION + +0 string KDUMP\x20\x20\x20 Kdump compressed dump +>0 use kdump-compressed-dump + +0 name kdump-compressed-dump +>8 long x v%d +>12 string >\0 \b, system %s +>77 string >\0 \b, node %s +>142 string >\0 \b, release %s +>207 string >\0 \b, version %s +>272 string >\0 \b, machine %s +>337 string >\0 \b, domain %s + +# Flattened format +0 string makedumpfile +>16 bequad 1 +>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump +>>>0x1010 use kdump-compressed-dump + +# Device Tree files +0 search/1024 /dts-v1/ Device Tree File (v1) +# beat c code +!:strength +14 + + +# e2fsck undo file +# David Gilman <davidgilman1@gmail.com> +0 string E2UNDO02 e2fsck undo file, version 2 +>44 lelong x \b, undo file is +>>44 lelong&1 0 not finished +>>44 lelong&1 1 finished +>48 lelong x \b, undo file features: +>>48 lelong&1 0 lacks filesystem offset +>>48 lelong&1 1 has filesystem offset +>>>64 lequad x at %#llx + +# ansible vault (does not really belong here) +0 string $ANSIBLE_VAULT; Ansible Vault +>&0 regex [0-9]+\\.[0-9]+ \b, version %s +>>&0 string ; +>>>&0 regex [A-Z0-9]+ \b, encryption %s + +# From: Joerg Jenderek +# URL: https://www.gnu.org/software/grub +# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz +# grub-2.06/include/grub/keyboard_layouts.h +# grub-2.06/grub-core/commands/keylayouts.c +# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC +0 string GRUBLAYO GRUB Keyboard +!:mime application/x-grub-keyboard +!:ext gkb +# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10 +>8 ulelong !10 \b, version %u +# 4 grub_uint32_t grub_keyboard_layout[160] +# for normal french keyboard this is letter a +>92 ubyte !0x71 +>>92 ubyte >0x40 \b, english q is %c +#>732 ubyte x \b, english Q is %c +# for normal german keyboard this is letter z +>124 ubyte !0x79 +>>124 ubyte >0x40 \b, english y is %c +#>764 ubyte x \b, english Y is %c diff --git a/magic/Magdir/lisp b/magic/Magdir/lisp new file mode 100644 index 0000000..c854fb7 --- /dev/null +++ b/magic/Magdir/lisp @@ -0,0 +1,78 @@ + +#------------------------------------------------------------------------------ +# $File: lisp,v 1.27 2020/08/14 19:23:39 christos Exp $ +# lisp: file(1) magic for lisp programs +# +# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) + +# updated by Joerg Jenderek +# GRR: This lot is too weak +#0 string ;; +# windows INF files often begin with semicolon and use CRLF as line end +# lisp files are mainly created on unix system with LF as line end +#>2 search/4096 !\r Lisp/Scheme program text +#>2 search/4096 \r Windows INF file + +0 search/4096 (setq\ Lisp/Scheme program text +!:mime text/x-lisp +0 search/4096 (defvar\ Lisp/Scheme program text +!:mime text/x-lisp +0 search/4096 (defparam\ Lisp/Scheme program text +!:mime text/x-lisp +0 search/4096 (defun\ Lisp/Scheme program text +!:mime text/x-lisp +0 search/4096 (autoload\ Lisp/Scheme program text +!:mime text/x-lisp +0 search/4096 (custom-set-variables\ Lisp/Scheme program text +!:mime text/x-lisp + +# URL: https://en.wikipedia.org/wiki/Emacs_Lisp +# Reference: https://ftp.gnu.org/old-gnu/emacs/elisp-manual-18-1.03.tar.gz +# Update: Joerg Jenderek +# Emacs 18 - this is always correct, but not very magical. +0 string \012( +# look for emacs lisp keywords +# GRR: split regex because it is too long or get error like +# lisp, 36: Warning: cannot get string from `^(defun|defvar|defconst|defmacro|setq|fset|put|provide|require|' +>&0 regex \^(defun|defvar|defconst|defmacro|setq|fset) Emacs v18 byte-compiled Lisp data +!:mime application/x-elc +# https://searchcode.com/codesearch/view/2173420/ +# not really pure text +!:apple EMAxTEXT +!:ext elc +# remaining regex +>&0 regex \^(put|provide|require|random) Emacs v18 byte-compiled Lisp data +!:mime application/x-elc +!:apple EMAxTEXT +!:ext elc +# missed cl.elc dbx.elc simple.elc look like normal lisp starting with ;;; + +# Emacs 19+ - ver. recognition added by Ian Springer +# Also applies to XEmacs 19+ .elc files; could tell them apart with regexs +# - Chris Chittleborough <cchittleborough@yahoo.com.au> +# Update: Joerg Jenderek +0 string ;ELC +# version\0\0\0 +>4 byte >18 Emacs/XEmacs v%d byte-compiled Lisp data +# why less than 32 ? does not make sense to me. GNU Emacs version is 24.5 at April 2015 +#>4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data +!:mime application/x-elc +!:apple EMAxTEXT +!:ext elc + +# Files produced by GNU/Emacs pdumper +0 string DUMPEDGNUEMACS GNU/Emacs pdumper image + +# Files produced by CLISP Common Lisp From: Bruno Haible <haible@ilog.fr> +0 string (SYSTEM::VERSION\040' CLISP byte-compiled Lisp program (pre 2004-03-27) +0 string (|SYSTEM|::|VERSION|\040' CLISP byte-compiled Lisp program text + +0 long 0x70768BD2 CLISP memory image data +0 long 0xD28B7670 CLISP memory image data, other endian + +#.com and .bin for MIT scheme +0 string \372\372\372\372 MIT scheme (library?) + +# From: David Allouche <david@allouche.net> +0 search/1 \<TeXmacs| TeXmacs document text +!:mime text/texmacs diff --git a/magic/Magdir/llvm b/magic/Magdir/llvm new file mode 100644 index 0000000..6befe7a --- /dev/null +++ b/magic/Magdir/llvm @@ -0,0 +1,22 @@ + +#------------------------------------------------------------------------------ +# $File: llvm,v 1.10 2023/03/11 17:54:17 christos Exp $ +# llvm: file(1) magic for LLVM byte-codes +# URL: https://llvm.org/docs/BitCodeFormat.html +# From: Al Stone <ahs3@fc.hp.com> + +0 string llvm LLVM byte-codes, uncompressed +0 string llvc0 LLVM byte-codes, null compression +0 string llvc1 LLVM byte-codes, gzip compression +0 string llvc2 LLVM byte-codes, bzip2 compression +0 string CPCH LLVM Pre-compiled header file + +0 lelong 0x0b17c0de LLVM bitcode, wrapper +# Are these Mach-O ABI values? They appear to be. +>16 lelong 0x01000007 x86_64 +>16 lelong 0x00000007 i386 +>16 lelong 0x00000012 ppc +>16 lelong 0x01000012 ppc64 +>16 lelong 0x0000000c arm + +0 string BC\xc0\xde LLVM IR bitcode diff --git a/magic/Magdir/locoscript b/magic/Magdir/locoscript new file mode 100644 index 0000000..87771cc --- /dev/null +++ b/magic/Magdir/locoscript @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: locoscript,v 1.1 2021/01/03 20:56:25 christos Exp $ +# locoscript: file(1) magic for LocoScript documents and related files +# +# See http://fileformats.archiveteam.org/wiki/LocoScript +0 string JOY\x01\x01 LocoScript 1 document +0 string JOY\x01\x02 LocoScript 2 document +0 string JOY\x01\x04 LocoScript 3 document +0 string JOY\x01\x06 LocoScript 4 document +0 string DOC\x01\x01 LocoScript PC document +0 string DOC\x01\x03 LocoScript Professional document diff --git a/magic/Magdir/lua b/magic/Magdir/lua new file mode 100644 index 0000000..ab17374 --- /dev/null +++ b/magic/Magdir/lua @@ -0,0 +1,31 @@ + +#------------------------------------------------------------------------------ +# $File: lua,v 1.8 2020/10/08 23:23:56 christos Exp $ +# lua: file(1) magic for Lua scripting language +# URL: https://www.lua.org/ +# From: Reuben Thomas <rrt@sc3d.org>, Seo Sanghyeon <tinuviel@sparcs.kaist.ac.kr> + +# Lua scripts +0 search/1/w #!\ /usr/bin/lua Lua script text executable +!:mime text/x-lua +0 search/1/w #!\ /usr/local/bin/lua Lua script text executable +!:mime text/x-lua +0 search/1 #!/usr/bin/env\ lua Lua script text executable +!:mime text/x-lua +0 search/1 #!\ /usr/bin/env\ lua Lua script text executable +!:mime text/x-lua + +# Lua bytecode +0 string \033Lua Lua bytecode, +# 2.4 uses 0x23 as its version byte because it shares the format +# with 2.3 (which was never released publicly). +>4 byte 0x23 version 2.4 +>4 byte 0x25 version 2.5/3.0 +>4 byte 0x31 version 3.1 +>4 byte 0x32 version 3.2 +>4 byte 0x40 version 4.0 +>4 byte 0x50 version 5.0 +>4 byte 0x51 version 5.1 +>4 byte 0x52 version 5.2 +>4 byte 0x53 version 5.3 +>4 byte 0x54 version 5.4 diff --git a/magic/Magdir/luks b/magic/Magdir/luks new file mode 100644 index 0000000..1604251 --- /dev/null +++ b/magic/Magdir/luks @@ -0,0 +1,126 @@ + +#------------------------------------------------------------------------------ +# $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $ +# luks: file(1) magic for Linux Unified Key Setup +# URL: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup +# http://fileformats.archiveteam.org/wiki/LUKS +# From: Anthon van der Neut <anthon@mnt.org> +# Update: Joerg Jenderek +# Note: verfied by command like `cryptsetup luksDump /dev/sda3` + +0 string LUKS\xba\xbe LUKS encrypted file, +# https://reposcope.com/mimetype/application/x-raw-disk-image +!:mime application/x-raw-disk-image +#!:mime application/x-luks-volume +# img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt +!:ext /luks/img/luksVolumeHeaderBackUp +# version like: 1 2 +>6 beshort x ver %d +# test for version 1 variant +>6 beshort 1 +>>0 use luks-v1 +# test for version 2 variant +>6 beshort >1 +>>0 use luks-v2 +# Reference: https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml +# display information about LUKS version 1 +0 name luks-v1 +# cipher-name like: aes twofish +>8 string x [%s, +# cipher-mode like: xts-plain64 cbc-essiv +>40 string x %s, +# hash specification like: sha256 sha1 ripemd160 +>72 string x %s] +>168 string x UUID: %s +# NEW PART! +# payload-offset; start offset of the bulk data +>104 ubelong x \b, at %#x data +# key-bytes; number of key bytes; key-bytes*8=MK-bits +>108 ubelong x \b, %u key bytes +# mk-digest[20]; master key checksum from PBKDF2 +>112 ubequad x \b, MK digest %#16.16llx +>>120 ubequad x \b%16.16llx +>>128 ubelong x \b%8.8x +# mk-digest-salt[32]; salt parameter for master key PBKDF2 +>132 ubequad x \b, MK salt %#16.16llx +>>140 ubequad x \b%16.16llx +>>148 ubequad x \b%16.16llx +>>156 ubequad x \b%16.16llx +# mk-digest-iter; iterations parameter for master key PBKDF2 +>164 ubelong x \b, %u MK iterations +# key slot 1 +>208 ubelong =0x00AC71F3 \b; slot #0 +>>208 use luks-slot +# key slot 2 +>256 ubelong =0x00AC71F3 \b; slot #1 +>>256 use luks-slot +# key slot 3 +>304 ubelong =0x00AC71F3 \b; slot #2 +>>304 use luks-slot +# key slot 4 +>352 ubelong =0x00AC71F3 \b; slot #3 +>>352 use luks-slot +# key slot 5 +>400 ubelong =0x00AC71F3 \b; slot #4 +>>400 use luks-slot +# key slot 6 +>448 ubelong =0x00AC71F3 \b; slot #5 +>>448 use luks-slot +# key slot 7 +>496 ubelong =0x00AC71F3 \b; slot #6 +>>496 use luks-slot +# key slot 8 +>544 ubelong =0x00AC71F3 \b; slot #7 +>>544 use luks-slot +# Reference: https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml +# display information about LUKS version 2 +0 name luks-v2 +# hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384 +>8 ubequad x \b, header size %llu +# possible check for MAGIC_2ND after header +#>(8.Q) string SKUL\xba\xbe \b, 2nd_HEADER_OK +# seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10 +>16 ubequad x \b, ID %llu +# label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT" +>24 string >\0 \b, label %s +# csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 wirlpool ripemd160 +>72 string x \b, algo %s +# salt[64]; salt , unique for every header +>104 ubequad x \b, salt %#llx... +# uuid[40]; UID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7 +>168 string x \b, UUID: %-.40s +# subsystem[48]; optional owner subsystem label or empty +>208 string >\0 \b, sub label %-.48s +# hdr_offset; offset from device start [ bytes ] like: 0 +>256 ubequad !0 \b, offset %llx +# char _padding [184]; must be zeroed +#>264 ubequad x \b, padding %#16.16llx +#>440 ubequad x \b...%16.16llx +# csum[64]; header checksum +>448 ubequad x \b, crc %#llx... +# char _padding4096 [7*512]; Padding , must be zeroed +#>512 ubequad x \b, more padding %#16.16llx +#>4088 ubequad x \b...%16.16llx +# JSON text data terminated by the zero character; unused remainder empty and filled with zeroes like: +# {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse" +>0x1000 string x \b, at 0x1000 %s +#>0x1000 indirect x +# display information (like active) about LUKS1 slot +0 name luks-slot +# state of keyslot; 0x00AC71F3~active 0x0000DEAD~inactive +#>0 ubelong x \b, status %#8.8x +>0 ubelong =0x00AC71F3 active +>0 ubelong =0x0000DEAD inactive +# iteration parameter for PBKDF2 +#>4 ubelong x \b, %u iterations +# salt parameter for PBKDF2 +#>8 ubequad x \b, salt %#16.16llx +#>>16 ubequad x \b%16.16llx +#>>24 ubequad x \b%16.16llx +#>>32 ubequad x \b%16.16llx +# start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0 +>40 ubelong x \b, %#x material offset +# number of anti-forensic stripes like: 4000 +>44 ubelong !4000 \b, %u stripes diff --git a/magic/Magdir/m4 b/magic/Magdir/m4 new file mode 100644 index 0000000..587ebe8 --- /dev/null +++ b/magic/Magdir/m4 @@ -0,0 +1,11 @@ +#------------------------------------------------------------------------------ +# $File: m4,v 1.3 2019/02/27 16:46:23 christos Exp $ +# make: file(1) magic for M4 scripts +# +0 search/8192 dnl +>0 regex \^dnl\ M4 macro processor script text +!:mime text/x-m4 +0 search/8192 AC_DEFUN +>0 regex \^AC_DEFUN\\(\\[ M4 macro processor script text +!:strength + 15 +!:mime text/x-m4 diff --git a/magic/Magdir/mach b/magic/Magdir/mach new file mode 100644 index 0000000..7eb98ff --- /dev/null +++ b/magic/Magdir/mach @@ -0,0 +1,303 @@ + +#------------------------------------------------------------ +# $File: mach,v 1.29 2021/04/26 15:56:00 christos Exp $ +# Mach has two magic numbers, 0xcafebabe and 0xfeedface. +# Unfortunately the first, cafebabe, is shared with +# Java ByteCode, so they are both handled in the file "cafebabe". +# The "feedface" ones are handled herein. +#------------------------------------------------------------ +# if set, it's for the 64-bit version of the architecture +# yes, this is separate from the low-order magic number bit +# it's also separate from the "64-bit libraries" bit in the +# upper 8 bits of the CPU subtype + +# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ +# include/mach-o/loader.h +# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... +0 name mach-o-cpu +>0 belong&0xff000000 0 +# +# 32-bit ABIs. +# +# 1 vax +>>0 belong&0x00ffffff 1 +>>>4 belong&0x00ffffff 0 vax +>>>4 belong&0x00ffffff 1 vax11/780 +>>>4 belong&0x00ffffff 2 vax11/785 +>>>4 belong&0x00ffffff 3 vax11/750 +>>>4 belong&0x00ffffff 4 vax11/730 +>>>4 belong&0x00ffffff 5 uvaxI +>>>4 belong&0x00ffffff 6 uvaxII +>>>4 belong&0x00ffffff 7 vax8200 +>>>4 belong&0x00ffffff 8 vax8500 +>>>4 belong&0x00ffffff 9 vax8600 +>>>4 belong&0x00ffffff 10 vax8650 +>>>4 belong&0x00ffffff 11 vax8800 +>>>4 belong&0x00ffffff 12 uvaxIII +>>>4 belong&0x00ffffff >12 vax subarchitecture=%d +>>0 belong&0x00ffffff 2 romp +>>0 belong&0x00ffffff 3 architecture=3 +>>0 belong&0x00ffffff 4 ns32032 +>>0 belong&0x00ffffff 5 ns32332 +>>0 belong&0x00ffffff 6 m68k +# 7 x86 +>>0 belong&0x00ffffff 7 +>>>4 belong&0x0000000f 3 i386 +>>>4 belong&0x0000000f 4 i486 +>>>>4 belong&0x00fffff0 0 +>>>>4 belong&0x00fffff0 0x80 \bsx +>>>4 belong&0x0000000f 5 i586 +>>>4 belong&0x0000000f 6 +>>>>4 belong&0x00fffff0 0 p6 +>>>>4 belong&0x00fffff0 0x10 pentium_pro +>>>>4 belong&0x00fffff0 0x20 pentium_2_m0x20 +>>>>4 belong&0x00fffff0 0x30 pentium_2_m3 +>>>>4 belong&0x00fffff0 0x40 pentium_2_m0x40 +>>>>4 belong&0x00fffff0 0x50 pentium_2_m5 +>>>>4 belong&0x00fffff0 >0x50 pentium_2_m%#x +>>>4 belong&0x0000000f 7 celeron +>>>>4 belong&0x00fffff0 0x00 \b_m%#x +>>>>4 belong&0x00fffff0 0x10 \b_m%#x +>>>>4 belong&0x00fffff0 0x20 \b_m%#x +>>>>4 belong&0x00fffff0 0x30 \b_m%#x +>>>>4 belong&0x00fffff0 0x40 \b_m%#x +>>>>4 belong&0x00fffff0 0x50 \b_m%#x +>>>>4 belong&0x00fffff0 0x60 +>>>>4 belong&0x00fffff0 0x70 \b_mobile +>>>>4 belong&0x00fffff0 >0x70 \b_m%#x +>>>4 belong&0x0000000f 8 pentium_3 +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_m +>>>>4 belong&0x00fffff0 0x20 \b_xeon +>>>>4 belong&0x00fffff0 >0x20 \b_m%#x +>>>4 belong&0x0000000f 9 pentiumM +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 >0x00 \b_m%#x +>>>4 belong&0x0000000f 10 pentium_4 +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_m +>>>>4 belong&0x00fffff0 >0x10 \b_m%#x +>>>4 belong&0x0000000f 11 itanium +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_2 +>>>>4 belong&0x00fffff0 >0x10 \b_m%#x +>>>4 belong&0x0000000f 12 xeon +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_mp +>>>>4 belong&0x00fffff0 >0x10 \b_m%#x +>>>4 belong&0x0000000f >12 ia32 family=%d +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 >0x00 model=%x +>>0 belong&0x00ffffff 8 mips +>>>4 belong&0x00ffffff 1 R2300 +>>>4 belong&0x00ffffff 2 R2600 +>>>4 belong&0x00ffffff 3 R2800 +>>>4 belong&0x00ffffff 4 R2000a +>>>4 belong&0x00ffffff 5 R2000 +>>>4 belong&0x00ffffff 6 R3000a +>>>4 belong&0x00ffffff 7 R3000 +>>>4 belong&0x00ffffff >7 subarchitecture=%d +>>0 belong&0x00ffffff 9 ns32532 +>>0 belong&0x00ffffff 10 mc98000 +>>0 belong&0x00ffffff 11 hppa +>>>4 belong&0x00ffffff 0 7100 +>>>4 belong&0x00ffffff 1 7100LC +>>>4 belong&0x00ffffff >1 subarchitecture=%d +>>0 belong&0x00ffffff 12 arm +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 subarchitecture=%d +>>>4 belong&0x00ffffff 2 subarchitecture=%d +>>>4 belong&0x00ffffff 3 subarchitecture=%d +>>>4 belong&0x00ffffff 4 subarchitecture=%d +>>>4 belong&0x00ffffff 5 \bv4t +>>>4 belong&0x00ffffff 6 \bv6 +>>>4 belong&0x00ffffff 7 \bv5tej +>>>4 belong&0x00ffffff 8 \bxscale +>>>4 belong&0x00ffffff 9 \bv7 +>>>4 belong&0x00ffffff 10 \bv7f +>>>4 belong&0x00ffffff 11 \bv7s +>>>4 belong&0x00ffffff 12 \bv7k +>>>4 belong&0x00ffffff 13 \bv8 +>>>4 belong&0x00ffffff 14 \bv6m +>>>4 belong&0x00ffffff 15 \bv7m +>>>4 belong&0x00ffffff 16 \bv7em +>>>4 belong&0x00ffffff >16 subarchitecture=%d +# 13 m88k +>>0 belong&0x00ffffff 13 +>>>4 belong&0x00ffffff 0 mc88000 +>>>4 belong&0x00ffffff 1 mc88100 +>>>4 belong&0x00ffffff 2 mc88110 +>>>4 belong&0x00ffffff >2 mc88000 subarchitecture=%d +>>0 belong&0x00ffffff 14 SPARC +>>0 belong&0x00ffffff 15 i860g +>>0 belong&0x00ffffff 16 alpha +>>0 belong&0x00ffffff 17 rs6000 +>>0 belong&0x00ffffff 18 ppc +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \b_601 +>>>4 belong&0x00ffffff 2 \b_602 +>>>4 belong&0x00ffffff 3 \b_603 +>>>4 belong&0x00ffffff 4 \b_603e +>>>4 belong&0x00ffffff 5 \b_603ev +>>>4 belong&0x00ffffff 6 \b_604 +>>>4 belong&0x00ffffff 7 \b_604e +>>>4 belong&0x00ffffff 8 \b_620 +>>>4 belong&0x00ffffff 9 \b_750 +>>>4 belong&0x00ffffff 10 \b_7400 +>>>4 belong&0x00ffffff 11 \b_7450 +>>>4 belong&0x00ffffff 100 \b_970 +>>>4 belong&0x00ffffff >100 subarchitecture=%d +>>0 belong&0x00ffffff >18 architecture=%d +>0 belong&0xff000000 0x01000000 +# +# 64-bit ABIs. +# +>>0 belong&0x00ffffff 0 64-bit architecture=%d +>>0 belong&0x00ffffff 1 64-bit architecture=%d +>>0 belong&0x00ffffff 2 64-bit architecture=%d +>>0 belong&0x00ffffff 3 64-bit architecture=%d +>>0 belong&0x00ffffff 4 64-bit architecture=%d +>>0 belong&0x00ffffff 5 64-bit architecture=%d +>>0 belong&0x00ffffff 6 64-bit architecture=%d +>>0 belong&0x00ffffff 7 x86_64 +>>>4 belong&0x00ffffff 0 subarchitecture=%d +>>>4 belong&0x00ffffff 1 subarchitecture=%d +>>>4 belong&0x00ffffff 2 subarchitecture=%d +>>>4 belong&0x00ffffff 3 +>>>4 belong&0x00ffffff 4 \b_arch1 +>>>4 belong&0x00ffffff 8 \b_haswell +>>>4 belong&0x00ffffff >4 subarchitecture=%d +>>0 belong&0x00ffffff 8 64-bit architecture=%d +>>0 belong&0x00ffffff 9 64-bit architecture=%d +>>0 belong&0x00ffffff 10 64-bit architecture=%d +>>0 belong&0x00ffffff 11 64-bit architecture=%d +>>0 belong&0x00ffffff 12 arm64 +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \bv8 +>>>4 belong&0x00ffffff 2 \be +>>>>7 ubyte&0xff >0 (caps: +>>>>7 ubyte&0xff <0x80 %#02x +>>>>7 ubyte&0xc0 0x80 PAC +>>>>>7 ubyte&0x3f x \b%02d +>>>>7 ubyte&0xc0 0xc0 PAK +>>>>>7 ubyte&0x3f x \b%02d +>>>>7 ubyte&0xff x \b) +>>>4 belong&0x00ffffff >2 subarchitecture=%d +>>0 belong&0x00ffffff 13 64-bit architecture=%d +>>0 belong&0x00ffffff 14 64-bit architecture=%d +>>0 belong&0x00ffffff 15 64-bit architecture=%d +>>0 belong&0x00ffffff 16 64-bit architecture=%d +>>0 belong&0x00ffffff 17 64-bit architecture=%d +>>0 belong&0x00ffffff 18 ppc64 +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \b_601 +>>>4 belong&0x00ffffff 2 \b_602 +>>>4 belong&0x00ffffff 3 \b_603 +>>>4 belong&0x00ffffff 4 \b_603e +>>>4 belong&0x00ffffff 5 \b_603ev +>>>4 belong&0x00ffffff 6 \b_604 +>>>4 belong&0x00ffffff 7 \b_604e +>>>4 belong&0x00ffffff 8 \b_620 +>>>4 belong&0x00ffffff 9 \b_650 +>>>4 belong&0x00ffffff 10 \b_7400 +>>>4 belong&0x00ffffff 11 \b_7450 +>>>4 belong&0x00ffffff 100 \b_970 +>>>4 belong&0x00ffffff >100 subarchitecture=%d +>>0 belong&0x00ffffff >18 64-bit architecture=%d +>0 belong&0xff000000 0x02000000 +# +# 64_32-bit ABIs. +# +>>0 belong&0x00ffffff 0 64_32-bit architecture=%d +>>0 belong&0x00ffffff 1 64_32-bit architecture=%d +>>0 belong&0x00ffffff 2 64_32-bit architecture=%d +>>0 belong&0x00ffffff 3 64_32-bit architecture=%d +>>0 belong&0x00ffffff 4 64_32-bit architecture=%d +>>0 belong&0x00ffffff 5 64_32-bit architecture=%d +>>0 belong&0x00ffffff 6 64_32-bit architecture=%d +>>0 belong&0x00ffffff 7 64_32-bit architecture=%d +>>0 belong&0x00ffffff 8 64_32-bit architecture=%d +>>0 belong&0x00ffffff 9 64_32-bit architecture=%d +>>0 belong&0x00ffffff 10 64_32-bit architecture=%d +>>0 belong&0x00ffffff 11 64_32-bit architecture=%d +>>0 belong&0x00ffffff 12 64_32-bit arm +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \bv8 +>>>4 belong&0x00ffffff >1 subarchitecture=%d +>>0 belong&0x00ffffff 13 64_32-bit architecture=%d +>>0 belong&0x00ffffff 14 64_32-bit architecture=%d +>>0 belong&0x00ffffff 15 64_32-bit architecture=%d +>>0 belong&0x00ffffff 16 64_32-bit architecture=%d +>>0 belong&0x00ffffff 17 64_32-bit architecture=%d +>>0 belong&0x00ffffff 18 64_32-bit architecture=%d +>>0 belong&0x00ffffff >18 64_32-bit architecture=%d + +0 name mach-o-be +>0 byte 0xcf 64-bit +>4 use mach-o-cpu +>12 belong 1 object +# GRR: Does not work for Mach-O with 2 architectures; instead display oo +#!:ext o +!:ext o/ +>12 belong 2 executable +# the executables normally have no file extension like perl, +# but exceptions like perl5.18 perl5.16 +!:ext 16/18/ +>12 belong 3 fixed virtual memory shared library +>12 belong 4 core +>12 belong 5 preload executable +>12 belong 6 dynamically linked shared library +# GRR: Does not work for Mach-O with 2 architectures; instead display dylibdylib +#!:ext dylib +!:ext dylib/ +>12 belong 7 dynamic linker +>12 belong 8 bundle +# normally name extension bundle; but exceptions like: AMDil_r700.dylib +!:ext bundle/dylib/ +>12 belong 9 dynamically linked shared library stub +>12 belong 10 dSYM companion file +>12 belong 11 kext bundle +>12 belong >11 +>>12 belong x filetype=%d +>24 belong >0 \b, flags:< +>>24 belong &0x00000001 \bNOUNDEFS +>>24 belong &0x00000002 \b|INCRLINK +>>24 belong &0x00000004 \b|DYLDLINK +>>24 belong &0x00000008 \b|BINDATLOAD +>>24 belong &0x00000010 \b|PREBOUND +>>24 belong &0x00000020 \b|SPLIT_SEGS +>>24 belong &0x00000040 \b|LAZY_INIT +>>24 belong &0x00000080 \b|TWOLEVEL +>>24 belong &0x00000100 \b|FORCE_FLAT +>>24 belong &0x00000200 \b|NOMULTIDEFS +>>24 belong &0x00000400 \b|NOFIXPREBINDING +>>24 belong &0x00000800 \b|PREBINDABLE +>>24 belong &0x00001000 \b|ALLMODSBOUND +>>24 belong &0x00002000 \b|SUBSECTIONS_VIA_SYMBOLS +>>24 belong &0x00004000 \b|CANONICAL +>>24 belong &0x00008000 \b|WEAK_DEFINES +>>24 belong &0x00010000 \b|BINDS_TO_WEAK +>>24 belong &0x00020000 \b|ALLOW_STACK_EXECUTION +>>24 belong &0x00040000 \b|ROOT_SAFE +>>24 belong &0x00080000 \b|SETUID_SAFE +>>24 belong &0x00100000 \b|NO_REEXPORTED_DYLIBS +>>24 belong &0x00200000 \b|PIE +>>24 belong &0x00400000 \b|DEAD_STRIPPABLE_DYLIB +>>24 belong &0x00800000 \b|HAS_TLV_DESCRIPTORS +>>24 belong &0x01000000 \b|NO_HEAP_EXECUTION +>>24 belong &0x02000000 \b|APP_EXTENSION_SAFE +>>24 belong &0x04000000 \b|NLIST_OUTOFSYNC_WITH_DYLDINFO +>>24 belong &0x08000000 \b|SIM_SUPPORT +>>24 belong &0x80000000 \b|DYLIB_IN_CACHE +>>24 belong x \b> + +# +0 lelong&0xfffffffe 0xfeedface Mach-O +!:strength +1 +!:mime application/x-mach-binary +>0 use \^mach-o-be + +0 belong&0xfffffffe 0xfeedface Mach-O +!:strength +1 +!:mime application/x-mach-binary +>0 use mach-o-be diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh new file mode 100644 index 0000000..a74aac4 --- /dev/null +++ b/magic/Magdir/macintosh @@ -0,0 +1,505 @@ + +#------------------------------------------------------------------------------ +# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $ +# macintosh description +# +# BinHex is the Macintosh ASCII-encoded file format (see also "apple") +# Daniel Quinlan, quinlan@yggdrasil.com +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/BinHex +# Reference: http://fileformats.archiveteam.org/wiki/BinHex +# Note: only tested with version 4.0 and hqx extension +# Any text/binary before the characteristic comment sentence is to be ignored like in +# http://ftp.vim.org/pub/ftp/ftp/infomac/disk/mac-update-40b7.hqx +0 search/1602 (This\ file\ +>&0 use binhex +# http://ftp.vim.org/pub/ftp/ftp/infomac/_Disk_&_File/zap-res-forks-101.hqx +0 search/2652/b (This\ file\ +>&0 use binhex +0 name binhex +# keep split search string format similar like in version 5.37 +>0 string must\ be\ converted\ with\ BinHex\ BinHex binary text, version +# http://www.macdisk.com/binhexen.php3 +!:apple BNHQTEXT +# http://www.faqs.org/faqs/macintosh/comm-faq/part1/ +>>&0 string 1.0 1.0 +!:mime application/mac-binhex +!:ext hex +>>&0 string 2.0 2.0 +!:mime application/mac-binhex +!:ext hcx +# BinHex 3.0 never existed +>>&0 string 4.0 4.0 +!:mime application/mac-binhex40 +!:ext hqx +# BinHex 5.0 also MacBinary I +>>&0 string 5.0 5.0 +!:mime application/mac-binhex40 +!:ext hqx +# this should never happen +>>&0 default x +>>>&0 string x %.3s +!:mime application/mac-binhex +!:ext hqx + +# Stuffit archives are the de facto standard of compression for Macintosh +# files obtained from most archives. (franklsm@tuns.ca) +0 string SIT! StuffIt Archive (data) +!:mime application/x-stuffit +!:apple SIT!SIT! +>2 string x : %s +0 string SITD StuffIt Deluxe (data) +>2 string x : %s +0 string Seg StuffIt Deluxe Segment (data) +>2 string x : %s + +# Newer StuffIt archives (grant@netbsd.org) +0 string StuffIt StuffIt Archive +!:mime application/x-stuffit +!:apple SIT!SIT! +#>162 string >0 : %s + +# Macintosh Applications and Installation binaries (franklsm@tuns.ca) +# GRR: Too weak +#0 string APPL Macintosh Application (data) +#>2 string x \b: %s + +# Macintosh System files (franklsm@tuns.ca) +# GRR: Too weak +#0 string zsys Macintosh System File (data) +#0 string FNDR Macintosh Finder (data) +#0 string libr Macintosh Library (data) +#>2 string x : %s +#0 string shlb Macintosh Shared Library (data) +#>2 string x : %s +#0 string cdev Macintosh Control Panel (data) +#>2 string x : %s +#0 string INIT Macintosh Extension (data) +#>2 string x : %s +#0 string FFIL Macintosh Truetype Font (data) +#>2 string x : %s +#0 string LWFN Macintosh Postscript Font (data) +#>2 string x : %s + +# Additional Macintosh Files (franklsm@tuns.ca) +# GRR: Too weak +#0 string PACT Macintosh Compact Pro Archive (data) +#>2 string x : %s +#0 string ttro Macintosh TeachText File (data) +#>2 string x : %s +#0 string TEXT Macintosh TeachText File (data) +#>2 string x : %s +#0 string PDF Macintosh PDF File (data) +#>2 string x : %s + +# MacBinary format (Eric Fischer, enf@pobox.com) +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/MacBinary +# http://fileformats.archiveteam.org/wiki/MacBinary +# Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt +# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and +# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin` +# +# Unfortunately MacBinary doesn't really have a magic number prior +# to the MacBinary III format. +# + +# old version number, must be kept at zero for compatibility +0 byte 0 +# length of filename (must be in the range 1-63) +>1 ubyte >0 +# skip T.PIC.LZ INSTRUMENT.7T INVENTORY +>>1 ubyte <64 +# skip Docs.MWII ReadMe.MacWrite "Notes (MacWrite II)" +# by looking for printable characters at beginning of file name +>>>2 ubelong >0x1F000000 +# zero fill, must be zero for compatibility +>>>>74 byte 0 +# zero fill, must be zero for compatibility +>>>>>82 byte 0 +# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00 +>>>>>>2 ubelong <0xffff0000 +# MacBinary I test for valid version numbers +>>>>>>>122 ubeshort 0 +# additional check for undefined header fields in MacBinary I +#>>>>>>>>101 ulong 0 +>>>>>>>>0 use mac-bin +# MacBinary II the newer versions begins at 129 +>>>>>>>122 ubeshort 0x8181 +>>>>>>>>0 use mac-bin +# MacBinary III with MacBinary II to read +>>>>>>122 ubeshort 0x8281 +>>>>>>>0 use mac-bin + +# display information of MacBinary file +0 name mac-bin +>122 ubyte x MacBinary +# versions for MacBinary II/III +>122 ubyte 129 II +>122 ubyte 130 III +# only in MacBinary III +>>102 string !mBIN with surprising version +!:mime application/x-macbinary +!:apple PSPTBINA +!:ext bin/macbin +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary +#>1 ubyte >63 \b, name length %u too BIG! +#>122 ubeshort x \b, version %#x +# Finder flags if not 0 +# >73 byte !0 \b, flags 0x +# >73 byte =0 +# >>101 byte !0 \b, flags 0x +# # original Finder flags (Bits 8-15) +# >73 byte !0 \b%x +# # finder flags, bits 0-7 +# >101 byte !0 \b%x +>73 byte &0x01 \b, inited +>73 byte &0x02 \b, changed +>73 byte &0x04 \b, busy +>73 byte &0x08 \b, bozo +>73 byte &0x10 \b, system +>73 byte &0x20 \b, bundle +>73 byte &0x40 \b, invisible +>73 byte &0x80 \b, locked + +# 75 beshort # vertical posn in window +#>75 beshort !0 \b, v.pos %u +# 77 beshort # horiz posn in window +#>77 beshort !0 \b, h.pos %u +# 79 beshort # window or folder ID +>79 ubeshort !0 \b, ID %#x +# protected flag +>81 byte !0 \b, protected %#x +# length of comment after resource +>99 ubeshort !0 \b, comment length %u +# char. code of file name +>106 ubyte !0 \b, char. code %#x +# still more Finder flags +>107 ubyte !0 \b, more flags %#x +# length of total files when unpacked only used when pack and unpack on the fly +>116 ubelong !0 \b, total length %u +# 120 beshort # length of add'l header +>120 ubeshort !0 \b, 2nd header length %u +# 124 beshort # checksum +#>124 ubeshort !0 \b, CRC %#x +# creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 +# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields +>91 long !0 +>>91 beldate-0x7C25B080 x \b, %s +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow +>91 ubelong <0x7c25b080 INVALID date +# reported date seconds by deark +#>91 ubelong x deark-DATE=%u +# last modified date +>95 long !0 +>>95 beldate-0x7C25B080 x \b, modified %s +# Apple creator+typ if not null +# file creator (normally expressed as four characters) +>69 ulong !0 \b, creator +# instead 4 character code display full creator name +>>69 use apple-creator +# file type (normally expressed as four characters) +>65 ulong !0 \b, type +>>65 use apple-type +# length of data segment +>83 ubelong !0 \b, %u bytes +# filename (in the range 1-63) +# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)" +>1 pstring x "%s" +# print 1 space and then at offset 128 inspect data fork content if it has one +>83 ubelong !0 \b +>>128 indirect x +# Afterwards resource fork if length of resource segment not zero +>87 ubelong !0 +# calculate resource fork offset +>>83 ubelong+128 x \b, at %#x +# length of resource segment +>>87 ubelong !0 %u bytes +>>(83.S+128) ubequad x resource +# further resource fork content inspection +>>>&-8 indirect x + +# Apple Type/Creator Database +# URL: https://en.wikipedia.org/wiki/Type_code +# Reference: https://www.lacikam.co.il/tcdb/ +# https://www.macdisk.com/macsigen.php +# Note: classic Mac OS files have two 4 character codes for type and creator. +# Thereby the Finder attach documents types to applications. + +#>65 string x \b, type "%4.4s" + +# display information about apple type +0 name apple-type +>0 string 8BIM PhotoShop +>0 string ALB3 PageMaker 3 +>0 string ALB4 PageMaker 4 +>0 string ALT3 PageMaker 3 +>0 string APPL application +>0 string AWWP AppleWorks word processor +>0 string CIRC simulated circuit +>0 string DRWG MacDraw +>0 string EPSF Encapsulated PostScript +>0 string FFIL font suitcase +>0 string FKEY function key +>0 string FNDR Macintosh Finder +>0 string GIFf GIF image +>0 string Gzip GNU gzip +>0 string INIT system extension +>0 string LIB\ library +>0 string LWFN PostScript font +>0 string MSBC Microsoft BASIC +>0 string PACT Compact Pro archive +>0 string PDF\ Portable Document Format +>0 string PICT picture +>0 string PNTG MacPaint picture +>0 string PREF preferences +>0 string PROJ Think C project +>0 string QPRJ Think Pascal project +>0 string SCFL Defender scores +>0 string SCRN startup screen +>0 string SITD StuffIt Deluxe +>0 string SPn3 SuperPaint +>0 string STAK HyperCard stack +>0 string Seg\ StuffIt segment +>0 string TARF Unix tar archive +>0 string TEXT ASCII +>0 string TIFF TIFF image +>0 string TOVF Eudora table of contents +>0 string WDBN Microsoft Word word processor +>0 string WORD MacWrite word processor +>0 string XLS\ Microsoft Excel +>0 string ZIVM compress (.Z) +>0 string ZSYS Pre-System 7 system file +>0 string acf3 Aldus FreeHand +>0 string cdev control panel +>0 string dfil Desk Accessory suitcase +>0 string libr library +>0 string nX^d WriteNow word processor +>0 string nX^w WriteNow dictionary +>0 string rsrc resource +>0 string scbk Scrapbook +>0 string shlb shared library +>0 string ttro SimpleText read-only +>0 string zsys system file + +# additional types added in Dec 2017 +>0 string BINA binary file +>0 string BMPp BMP image +>0 string JPEG JPEG image +#>0 string W4BN Microsoft Word x.y word processor? +# if type name is not known display 4 character identifier +>0 default x +>>0 string x '%4.4s' + +#>69 string x \b, creator "%4.4s" + +# Now Apple has no repository of registered Creator IDs any more. These are +# just the ones that I happened to have files from and was able to identify. + +# display information about apple creator +0 name apple-creator +>0 string 8BIM Adobe Photoshop +>0 string ALD3 PageMaker 3 +>0 string ALD4 PageMaker 4 +>0 string ALFA Alpha editor +>0 string APLS Apple Scanner +>0 string APSC Apple Scanner +>0 string BRKL Brickles +>0 string BTFT BitFont +>0 string CCL2 Common Lisp 2 +>0 string CCL\ Common Lisp +>0 string CDmo The Talking Moose +>0 string CPCT Compact Pro +>0 string CSOm Eudora +>0 string DMOV Font/DA Mover +>0 string DSIM DigSim +>0 string EDIT Macintosh Edit +>0 string ERIK Macintosh Finder +>0 string EXTR self-extracting archive +>0 string Gzip GNU gzip +>0 string KAHL Think C +>0 string LWFU LaserWriter Utility +>0 string LZIV compress +>0 string MACA MacWrite +>0 string MACS Macintosh operating system +>0 string MAcK MacKnowledge terminal emulator +>0 string MLND Defender +>0 string MPNT MacPaint +>0 string MSBB Microsoft BASIC (binary) +>0 string MSWD Microsoft Word +>0 string NCSA NCSA Telnet +>0 string PJMM Think Pascal +>0 string PSAL Hunt the Wumpus +#>0 string PSI2 Apple File Exchange +>0 string R*ch BBEdit +>0 string RMKR Resource Maker +>0 string RSED Resource Editor +>0 string Rich BBEdit +>0 string SIT! StuffIt +>0 string SPNT SuperPaint +>0 string Unix NeXT Mac filesystem +>0 string VIM! Vim editor +>0 string WILD HyperCard +>0 string XCEL Microsoft Excel +>0 string aCa2 Fontographer +>0 string aca3 Aldus FreeHand +>0 string dosa Macintosh MS-DOS file system +>0 string movr Font/DA Mover +>0 string nX^n WriteNow +>0 string pdos Apple ProDOS file system +>0 string scbk Scrapbook +>0 string ttxt SimpleText +>0 string ufox Foreign File Access +# additional creators added in Dec 2017 +# Claris/Apple Works +>0 string BOBO Apple Works +# CU-SeeMe_0.87b3_(68K).bin +#>0 string CUce bar +>0 string PSPT Apple File Exchange +# Disk_Copy_4.2.sea.bin +#>0 string NCse foo +# probably StuffIt/Aladdin by Smith Micro Software, Inc. +>0 string STi0 stuffit +# MacGzip-1.1.3.sea.bin +#>0 string aust bar +# D-Disk_Copy_6.3.3.smi.bin +>0 string oneb Disk Copy Self Mounting +# if creator name is not known display 4 character identifier +>0 default x +>>0 string x '%4.4s' + +# sas magic from Bruce Foster (bef@nwu.edu) +# +#0 string SAS SAS +#>8 string x %s +0 string SAS SAS +>24 string DATA data file +>24 string CATALOG catalog +>24 string INDEX data file index +>24 string VIEW data view +# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com) +# +0x54 string SAS SAS 7+ +>0x9C string DATA data file +>0x9C string CATALOG catalog +>0x9C string INDEX data file index +>0x9C string VIEW data view + +# spss magic for SPSS system and portable files, +# from Bruce Foster (bef@nwu.edu). + +0 long 0xc1e2c3c9 SPSS Portable File +>40 string x %s + +0 string $FL2 SPSS System File +>24 string x %s + +0 string $FL3 SPSS System File +>24 string x %s + +# Macintosh filesystem data +# From "Tom N Harris" <telliamed@mac.com> +# Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net> +# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these +# entries depend on the data arithmetic added after v.35 +# There's also some Pascal strings in here, ditto... + +# The boot block signature, according to IM:Files, is +# "for HFS volumes, this field always contains the value 0x4C4B." +# But if this is true for MFS or HFS+ volumes, I don't know. +# Alternatively, the boot block is supposed to be zeroed if it's +# unused, so a simply >0 should suffice. + +0x400 beshort 0xD2D7 Macintosh MFS data +>0 beshort 0x4C4B (bootable) +>0x40a beshort &0x8000 (locked) +>0x402 beldate-0x7C25B080 x created: %s, +>0x406 beldate-0x7C25B080 >0 last backup: %s, +>0x414 belong x block size: %d, +>0x412 beshort x number of blocks: %d, +>0x424 pstring x volume name: %s + +# *.hfs updated by Joerg Jenderek +# https://en.wikipedia.org/wiki/Hierarchical_File_System +# "BD" gives many false positives +0x400 beshort 0x4244 +# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h +# first block of volume bit map (always 3) +>0x40e ubeshort 0x0003 +# maximal length of volume name is 27 +>>0x424 ubyte <28 Macintosh HFS data +!:mime application/x-apple-diskimage +#!:apple hfsdINIT +#!:apple MACSdisk +# https://www.macdisk.com/macsigen.php +#!:apple ddskdevi +!:apple ????devi +# https://en.wikipedia.org/wiki/Apple_Disk_Image +!:ext hfs/dmg +>>>0 beshort 0x4C4B (bootable) +#>>>0 beshort 0x0000 (not bootable) +>>>0x40a beshort &0x8000 (locked) +>>>0x40a beshort ^0x0100 (mounted) +>>>0x40a beshort &0x0200 (spared blocks) +>>>0x40a beshort &0x0800 (unclean) +>>>0x47C beshort 0x482B (Embedded HFS+ Volume) +# https://www.epochconverter.com/ +# 0x7C245F00 seconds ~ 2082758400 ~ 01 Jan 2036 00:00:00 ~ 66 years to 1970 +# 0x7C25B080 seconds ~ 2082844800 ~ 02 Jan 2036 00:00:00 +# construct not working +#>>>0x402 beldate-0x7C25B080 x created: %s, +#>>>0x406 beldate-0x7C25B080 x last modified: %s, +#>>>0x440 beldate-0x7C25B080 >0 last backup: %s, +# found block sizes 200h,1200h,2800h +>>>0x414 belong x block size: %d, +>>>0x412 beshort x number of blocks: %d, +>>>0x424 pstring x volume name: %s + +0 name hfsplus +>&0 beshort x version %d data +>0 beshort 0x4C4B (bootable) +>0x404 belong ^0x00000100 (mounted) +>&2 belong &0x00000200 (spared blocks) +>&2 belong &0x00000800 (unclean) +>&2 belong &0x00008000 (locked) +>&6 string x last mounted by: '%.4s', +# really, that should be treated as a belong and we print a string +# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1" +>&14 beldate-0x7C25B080 x created: %s, +# only the creation date is local time, all other timestamps in HFS+ are UTC. +>&18 bedate-0x7C25B080 x last modified: %s, +>&22 bedate-0x7C25B080 >0 last backup: %s, +>&26 bedate-0x7C25B080 >0 last checked: %s, +>&38 belong x block size: %d, +>&42 belong x number of blocks: %d, +>&46 belong x free blocks: %d + +0x400 beshort 0x482B Apple HFS Plus +>&0 use hfsplus +0x400 beshort 0x4858 Apple HFS Plus Extended +>&0 use hfsplus + +## AFAIK, only the signature is different +# same as Apple Partition Map +# GRR: This magic is too weak, it is just "TS" +#0x200 beshort 0x5453 Apple Old Partition data +#>0x2 beshort x block size: %d, +#>0x230 string x first type: %s, +#>0x210 string x name: %s, +#>0x254 belong x number of blocks: %d, +#>0x400 beshort 0x504D +#>>0x430 string x second type: %s, +#>>0x410 string x name: %s, +#>>0x454 belong x number of blocks: %d, +#>>0x800 beshort 0x504D +#>>>0x830 string x third type: %s, +#>>>0x810 string x name: %s, +#>>>0x854 belong x number of blocks: %d, +#>>>0xa00 beshort 0x504D +#>>>>0xa30 string x fourth type: %s, +#>>>>0xa10 string x name: %s, +#>>>>0xa54 belong x number of blocks: %d + +# From: Remi Mommsen <mommsen@slac.stanford.edu> +0 string BOMStore Mac OS X bill of materials (BOM) file + diff --git a/magic/Magdir/macos b/magic/Magdir/macos new file mode 100644 index 0000000..0bacc13 --- /dev/null +++ b/magic/Magdir/macos @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: macos,v 1.1 2012/12/21 16:41:07 christos Exp $ +# MacOS files +# + +0 string book\0\0\0\0mark\0\0\0\0 MacOS Alias file diff --git a/magic/Magdir/magic b/magic/Magdir/magic new file mode 100644 index 0000000..c8aa054 --- /dev/null +++ b/magic/Magdir/magic @@ -0,0 +1,71 @@ + +#------------------------------------------------------------------------------ +# $File: magic,v 1.11 2023/06/27 13:42:49 christos Exp $ +# magic: file(1) magic for magic files +# +# Update: Joerg Jenderek +# skip Magicsee_R1.cfg found on retropie starting with # Magicsee R1 one-handed controller +0 string/t #\ Magic\ magic text file for file(1) cmd +#!:mime text/plain +!:mime text/x-file +# no suffix in ../Header +!:ext / +# +# some samples start with a comment line +0 ubyte =0x23 +# many samples start with separator line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st comment line and without seperator comment line +>4 default x +# few sample with 1st comment line and without seperator comment line and regular expression like: sisu +>>1 search/112 regex\x09 +>>>0 use magic-fragment +>>1 default x +# few samples with 1st comment line and without seperator comment line and string value like: +# blcr bsi selinux ssh (file 3.34) digital gnu wordperfect +>>>1 search/471 string\x09 +>>>>0 use magic-fragment +>>>1 default x +# few samples with 1st comment line and without seperator comment line and short value like: +# (file 3.34) os9 osf1 +>>>>1 search/1716 short\x09 +>>>>>0 use magic-fragment +# but many samples start with an empty first line +0 ubyte =0x0A +# many samples sttart with separator comment line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st empty line and without seperator comment line like: biosig espressif +>4 default x +>>1 search/581 \041:mime +>>>0 use magic-fragment +# display information (lines) about magic text fragment +0 name magic-fragment +>0 string x magic text fragment for file(1) cmd +!:mime text/x-file +# most without suffix but mail.news varied.out varied.script +!:ext /news/out/script +# next lines are mainly for control reasons +# some (34/339) samples start comment line +>0 ubyte !0x0A +>>0 string x \b, 1st line "%s" +>>>&1 string x \b, 2nd line "%s" +# but most (305/339) samples start with an empty first line +>0 ubyte =0x0A +>>1 string x \b, 2nd line "%s" +>>>&1 string x \b, 3rd line "%s" +# +# URL: http://en.wikipedia.org/wiki/File_(command) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mgc.trid.xml +# Note: called "magic compiled data (LE)" by TrID +0 lelong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc +>4 lelong x (version %d) (little endian) +0 belong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc +>4 belong x (version %d) (big endian) diff --git a/magic/Magdir/mail.news b/magic/Magdir/mail.news new file mode 100644 index 0000000..3ca3b40 --- /dev/null +++ b/magic/Magdir/mail.news @@ -0,0 +1,132 @@ +#------------------------------------------------------------------------------ +# $File: mail.news,v 1.30 2022/10/31 13:22:26 christos Exp $ +# mail.news: file(1) magic for mail and news +# +# Unfortunately, saved netnews also has From line added in some news software. +#0 string From mail text +0 string/t Relay-Version: old news text +!:mime message/rfc822 +0 string/t #!\ rnews batched news text +!:mime message/rfc822 +0 string/t N#!\ rnews mailed, batched news text +!:mime message/rfc822 +0 string/t Forward\ to mail forwarding text +!:mime message/rfc822 +0 string/t Pipe\ to mail piping text +!:mime message/rfc822 +0 string/tc delivered-to: SMTP mail text +!:mime message/rfc822 +0 string/tc return-path: SMTP mail text +!:mime message/rfc822 +0 string/t Path: news text +!:mime message/news +0 string/t Xref: news text +!:mime message/news +0 string/t From: news or mail text +!:mime message/rfc822 +0 string/t Date: news or mail text +!:mime message/rfc822 +0 string/t Article saved news text +!:mime message/news +# Reference: http://quimby.gnus.org/notes/BABYL +# Update: Joerg Jenderek +# Note: used by Rmail in Emacs version 22 and before +# is not text because of characters like Control-L Control-_ +0 string/b BABYL\ OPTIONS: Emacs RMAIL +#0 string/t BABYL Emacs RMAIL text +# https://reposcope.com/mimetype/message/x-gnu-rmail +!:mime message/x-gnu-rmail +# ~/RMAIL +!:ext / +0 string/t Received: RFC 822 mail text +!:mime message/rfc822 +0 string/t MIME-Version: MIME entity text +#0 string/t Content- MIME entity text + +# TNEF files... +# URL: http://fileformats.archiveteam.org/wiki/Transport_Neutral_Encapsulation_Format +# https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tnef.trid.xml +# https://interoperability.blob.core.windows.net/files/MS-OXTNEF/%5bMS-OXTNEF%5d-210817.pdf +# Update: Joerg Jenderek +# Note: moved and merged from ./msdos (version 1.154) there just called "TNEF" +# partly verified by `tnef --list -v -f voice.tnef` and `ytnef -v triples.tnef` +# TNEF magic From "Joomy" <joomy@se-ed.net> +# TNEF_SIGNATURE +0 lelong 0x223E9F78 Transport Neutral Encapsulation Format (TNEF) +!:mime application/vnd.ms-tnef +# winmail.dat or win.dat by Microsoft Outlook +!:ext tnef/dat +# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxtnef/7fdb64ee-7f63-4d95-9af1-c672e7475c3a +# LegacyKey +#>4 uleshort x \b, key %#4.4x +# attrLevelMessage; Level where attribute applies like: 1~attrLevelMessage 2~attrLevelAttachment +>6 ubyte !1 \b, 1st level %#2.2x +# other ID (like 02900000h) or TnefVersion ID (idTnefVersion=06900800h) +>7 ubelong !0x06900800 \b, 1st id %#8.8x +>7 ubelong =0x06900800 +# TnefVersion length like: 4 +>>11 ulelong !4 \b, TnefVersion length %x +# TNEFVersionData; TnefVersion data like: 00010000h +>>15 ulelong !0x00010000h \b, version %#8.8x +# Checksum like: 1 +>>19 uleshort !1 \b, checksum %#4.4x +# attrLevelMessage; level of attOemCodepage like: 1 +>>21 ubyte !1 \b, level %#2.2x +# idOEMCodePage; OEMCodePage ID like: 07900600h +>>22 ubelong =0x07900600 \b, OEM codepage +# OEMCodePage length like: 8 +>>>26 ulelong =8 +# OEMCodePageData; PrimaryCodePage like: 1251 1252 +>>>>30 ulelong x %u +# OEMCodePageData; SecondaryCodePage; unused and SHOULD contain zero +>>>>34 ulelong !0 and %u +# OEMCodePageData Checksum like: E7h E8h +>>>>38 uleshort x (checksum %#x) +# attrLevelMessage of attMessageClass like: 1 +>>40 ubyte !1 \b, level %u +# idMessageClass; ID of attMessageClass like: 08800700h +>>41 ubelong =0x08800700 \b, MessageAttribute +# attMessageClass length like: 16 24 25 +#>>>45 ulelong x (length %u) +# attMessageClass data like: "IPM.Microsoft Mail.Note" "IPM.Note.Portada Newseum" +# "IPM.Appointment" "IPM.Note.Microsoft.Voicemail.UM.CA" +>>>45 pstring/l x "%s" + +# From: Kevin Sullivan <ksulliva@psc.edu> +0 string *mbx* MBX mail folder + +# From: Simon Matter <simon.matter@invoca.ch> +0 string \241\002\213\015skiplist\ file\0\0\0 Cyrus skiplist DB +0 string \241\002\213\015twoskip\ file\0\0\0\0 Cyrus twoskip DB + +# JAM(mbp) Fidonet message area databases +# JHR file +0 string JAM\0 JAM message area header file +>12 leshort >0 (%d messages) + +# Squish Fidonet message area databases +# SQD file (requires at least one message in the area) +# XXX: Weak magic +#256 leshort 0xAFAE4453 Squish message area data file +#>4 leshort >0 (%d messages) + +#0 string \<!--\ MHonArc text/html; x-type=mhonarc + +# Cyrus: file(1) magic for compiled Cyrus sieve scripts +# URL: https://www.cyrusimap.org/docs/cyrus-imapd/2.4.6/internal/bytecode.php +# URL: http://git.cyrusimap.org/cyrus-imapd/tree/sieve/bytecode.h?h=master +# From: Philipp Hahn <hahn@univention.de> + +# Compiled Cyrus sieve script +0 string CyrSBytecode Cyrus sieve bytecode data, +>12 belong =1 version 1, big-endian +>12 lelong =1 version 1, little-endian +>12 belong x version %d, network-endian + +# Dovecot mail server, version 2.2 and later. +# Dovecot mailing list: dovecot@dovecot.org +# File format spec: https://wiki.dovecot.org/Design/Dcrypt/#File_format +# From: Stephen Gildea +0 string CRYPTED\003\007 Dovecot encrypted message +>9 byte x \b, dcrypt version %d diff --git a/magic/Magdir/make b/magic/Magdir/make new file mode 100644 index 0000000..1abdf7a --- /dev/null +++ b/magic/Magdir/make @@ -0,0 +1,21 @@ +#------------------------------------------------------------------------------ +# $File: make,v 1.5 2022/03/12 15:09:47 christos Exp $ +# make: file(1) magic for makefiles +# +# URL: https://en.wikipedia.org/wiki/Make_(software) +0 regex/100l \^(CFLAGS|VPATH|LDFLAGS|all:|\\.PRECIOUS) makefile script text +!:mime text/x-makefile +!:strength -15 +# Update: Joerg Jenderek +# Reference: https://www.freebsd.org/cgi/man.cgi?make(1) +# exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST" +# by additional escaping point character +# exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT" +# and NSIS script with "!include" by additional escaping point character +0 regex/100l \^\\.(BEGIN|endif|include) BSD makefile script text +!:mime text/x-makefile +!:ext /mk +!:strength -10 +0 regex/100l \^SUBDIRS[[:space:]]+= automake makefile script text +!:mime text/x-makefile +!:strength -15 diff --git a/magic/Magdir/map b/magic/Magdir/map new file mode 100644 index 0000000..2d56df0 --- /dev/null +++ b/magic/Magdir/map @@ -0,0 +1,413 @@ + + +#------------------------------------------------------------------------------ +# $File: map,v 1.10 2023/02/03 20:41:57 christos Exp $ +# map: file(1) magic for Map data +# + +# Garmin .FIT files https://pub.ks-and-ks.ne.jp/cycling/edge500_fit.shtml +8 string .FIT FIT Map data +>15 byte 0 +>>35 belong x \b, unit id %d +>>39 lelong x \b, serial %u +# https://pub.ks-and-ks.ne.jp/cycling/edge500_fit.shtml +# 20 years after unix epoch +# TZ=GMT date -d '1989-12-31 0:00' +%s +>>43 leldate+631065600 x \b, %s + +>>47 leshort x \b, manufacturer %d +>>47 leshort 1 \b (garmin) +>>49 leshort x \b, product %d +>>53 byte x \b, type %d +>>53 byte 1 \b (Device) +>>53 byte 2 \b (Settings) +>>53 byte 3 \b (Sports/Cycling) +>>53 byte 4 \b (Activity) +>>53 byte 8 \b (Elevations) +>>53 byte 10 \b (Totals) + +# Summary: Garmin map +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Garmin_.img +# Reference: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/IMG_File_Format +# sourceforge.net/projects/garmin-img/files/IMG%20File%20Format/1.0/imgformat-1.0.pdf +# GRR: similar to MBR boot sector handled by ./filesystems +0x1FE leshort =0xAA55 +# look for valid map signature +>0x13 string =IMG\0 +>>0 use garmin-map +0 name garmin-map +>0 ubyte x Garmin +!:mime application/x-garmin-map +# If non-zero, every byte of the entire .img file is to be XORed with this value +>0 ubyte !0 \b, %#x XORed +# goto block before FAT +>(0x40.b*512) ubyte x +# 1st fat name "DLLINFO TXT" only found for vpm +>>&512 string =DLLINFO\ TXT map (Voice Processing) +# there exist 2 other Garmin VPM formats; see ./audio +!:ext vpm +# Deutsch__Yannick_D4481-00_0210.vpm +#>>>512 search/0x0116da60/s RIFF \b; with +# determine type voice type by ./riff +#>>>>&0 indirect x \b +>>&512 string !DLLINFO\ TXT map +!:ext img +# 9 zeros +>1 ubelong !0 \b, zeroes %#x +# Map's version major +>8 ubyte x v%u +# Map's version minor +>9 ubyte x \b.%.2u +# Map description[20], 0x20 padded +>0x49 string x %.20s +# Map name, continued (0x20 padded, \0 terminated) +>0x65 string >\ \b%.31s +# Update year (+1900 for val >= 0x63, +2000 for val <= 0x62) +>0xB ubyte x \b, updated +>>0xB ubyte >0x62 +>>>0xB ubyte-100 x 20%.2u +>>0xB ubyte <0x63 +>>>0xB ubyte x 20%.2u +# Update month (0-11) +>0xA ubyte x \b-%.2u +# All zeroes +>0xc uleshort !0 \b, zeroes %#x +# Mapsource flag, 1 - file created by Mapsource, 0 - Garmin map visible in Basecamp and Homeport +#>0xE ubyte !0 \b, Mapsource flag %#x +>0xE ubyte 1 \b, Mapsource +# Checksum, sum of all bytes modulo 256 should be 0 +#>0xF ubyte x \b, Checksum %#x +# Signature: DSKIMG 0x00 or DSDIMG 0x00 for demo map +>0x10 string !DSKIMG \b, signature "%.7s" +>0x39 use garmin-date +# Map file identifier like GARMIN\0 +>0x41 string !GARMIN \b, id "%.7s" +# Block size exponent, E1; appears to always be 0x09; minimum block size 512 bytes +>0x61 ubyte !0x09 \b, E1=%u +# Block size exponent, E2 ; file blocksize=2**(E1+E2) +>>0x62 ubyte x \b, E2=%u +>0x61 ubyte =0x09 \b, blocksize +>>0x62 ubyte 0 512 +>>0x62 ubyte 1 1024 +>>0x62 ubyte 2 2048 +>>0x62 ubyte 3 4096 +>>0x62 ubyte 4 8192 +>>0x62 ubyte 5 16384 +>>0x62 default x +>>>0x62 ubyte x E2=%u +# MBR signature +>0x1FE leshort !0xAA55 \b, invalid MBR +# 512 zeros +>0x200 uquad !0 \b, zeroes %#llx +# First sub-file offset (absolute); sometimes NO/UNKNOWN sub file! +>0x40C ulelong >0 \b, at %#x +# sub-file Header length +#>>(0x40C.l) uleshort x \b, header len %#x +>>(0x40C.l) uleshort x %u bytes +# sub-file Type[10] like "GARMIN RGN" "GARMIN TRE", "GARMIN TYP", etc. +>>(0x40C.l+2) ubyte >0x1F +>>>(0x40C.l+2) ubyte <0xFF +>>>>(0x40C.l+2) string x "%.10s" +# 0x00 for most maps, 0x80 for locked maps (City Nav, City Select, etc.) +>>>>(0x40C.l+13) ubyte >0 \b, locked %#x +# Block sequence numbers like 0000 0100 0200 ... FFFF +# >0x420 ubequad >0 \b, seq. %#16.16llx +# >>0x428 ubequad >0 \b%16.16llx +# >>>0x430 ubequad >0 \b%16.16llx +# >>>>0x438 ubequad >0 \b%16.16llx +# >>>>>0x440 ubequad >0 \b%16.16llx +# >>>>>>0x448 ubequad >0 \b%16.16llx +# >>>>>>>0x450 ubequad >0 \b%16.16llx +# >>>>>>>>0x458 ubequad >0 \b%16.16llx +# >>>>>>>>>0x460 ubequad >0 \b%16.16llx +# >>>>>>>>>>0x468 ubequad >0 \b%16.16llx +# >>>>>>>>>>>0x470 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>0x478 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>>0x480 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>>>0x488 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>>>>0x490 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>>>>>0x498 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>>>>>>0x4A0 ubequad >0 \b%16.16llx +# >>>>>>>>>>>>>>>>>>0x4A8 ubequad >0 \b%16.16llx +# look for end of FAT +#>>0x420 search/512/s \xff\xff FAT END +# Physical block number of FAT header +#>0x40 ubyte x \b, FAT at phy. block %u +>0x40 ubyte x +>>(0x40.b*512) ubyte x +# 1st FAT block +>>>&511 use garmin-fat +# 2nd FAT block +>>>&1023 use garmin-fat +# 3th FAT block +>>>&1535 use garmin-fat +# 4th FAT block +>>>&2047 use garmin-fat +# ... xth FAT block +# +# 314 zeros but not in vpm and also gmaptz.img +>0x84 uquad !0 \b, at 0x84 %#llx +# display FileAllocationTable block entry in garmin map +0 name garmin-fat +>0 ubyte x \b; +# sub file part; 0x0003 seems to be garbage +>0x10 uleshort !0 next %#4.4x +>0x10 uleshort =0 +# fat flag 0~dummy block 1~true sub file +>>0 ubyte !1 flag %u +>>0 ubyte =1 +# sub-file name like MAKEGMAP 12345678 +>>>0x1 string x %.8s +# sub-file typ like RGN TRE MDR LBL +>>>0x9 string x \b.%.3s +# size of sub file +>>>0xC ulelong x \b, %u bytes +# 32-bit block sequence numbers +#>>>0x20 ubequad x \b, seq. %#16.16llx + +# display date stored inside Garmin maps like yyyy-mm-dd h:mm:ss +0 name garmin-date +# year like 2018 +>0 uleshort x \b, created %u +# month (0-11) +>2 ubyte x \b-%.2u +# day (1-31) +>3 ubyte x \b-%.2u +# hour (0-23) +>4 ubyte x %u +# minute (0-59) +>5 ubyte x \b:%.2u +# second (0-59) +>6 ubyte x \b:%.2u + +# Summary: Garmin Map subfiles +# From: Joerg Jenderek +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/IMG_File_Format +# Garmin Common Header +2 string GARMIN\ +# skip ASCII text by checking for low header length +>0 uleshort <0x1000 Garmin map, +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/GMP_Subfile_Format +>>9 string GMP subtile +!:mime application/x-garmin-gpm +!:ext gmp +# copyright message +>>>(0.s) string x %s +>>>0x0E use garmin-date +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/MDR_Subfile_Format +# This contains the searchable address table used for finding routing destinations +>>9 string MDR address table +!:mime application/x-garmin-mdr +!:ext mdr +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/NOD_Subfile_Format +# http://svn.parabola.me.uk/display/trunk/doc/nod.txt +# This contains the routing information +>>9 string NOD routing +!:mime application/x-garmin-nod +!:ext nod +>>>0x0E use garmin-date +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes NOD1 +#>>>0x25 ulelong x \b, at %#x +#>>>0x29 ulelong x %#x bytes NOD2 +#>>>0x31 ulelong x \b, at %#x +#>>>0x35 ulelong x %#x bytes NOD3 +# URL: http://www.pinns.co.uk/osm/net.html +# routable highways (length, direction, allowed speed,house address information) +>>9 string NET highways +!:mime application/x-garmin-net +!:ext net +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes NET1 +#>>>0x22 ulelong >0 +#>>>>0x1E ulelong x \b, at %#x +#>>>>0x22 ulelong x %#x bytes NET2 +#>>>0x2B ulelong >0 +#>>>>0x27 ulelong x \b, at %#x +#>>>>0x2B ulelong x %#x bytes NET3 +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/LBL_Subfile_Format +>>9 string LBL labels +!:mime application/x-garmin-lbl +!:ext lbl +>>>(0.s) string x %s +# Label coding type 6h 9h and ah +>>>0x1E ubyte x \b, coding type %#x +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes LBL1 +#>>>0x1F ulelong x \b, at %#x +#>>>0x23 ulelong x %#x bytes LBL2 +#>>>0x2D ulelong x \b, at %#x +#>>>0x31 ulelong x %#x bytes LBL3 +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/SRT_Subfile_Format +# A lookup table of the chars in the map's codepage, and their collating sequence +>>9 string SRT sort table +!:mime application/x-garmin-srt +!:ext srt +>>>0x0E use garmin-date +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/TRE_Subfile_Format +>>9 string TRE tree +!:mime application/x-garmin-tre +!:ext tre +# title like City Nav Europe NTU 2019.2 Basemap +# or OSM Street map +>>>(0.s) string x %s +# 2nd title like Copyright 1995-2018 by GARMIN Corporation. +# or http://www.openstreetmap.org/ +>>>>&1 string x %s +>>>0x0E use garmin-date +#>>>0x21 ulelong x \b, at %#x +#>>>0x25 ulelong x %#x bytes TRE1 +#>>>0x29 ulelong x \b, at %#x +#>>>0x2D ulelong x %#x bytes TRE2 +#>>>0x31 ulelong x \b, at %#x +#>>>0x35 ulelong x %#x bytes TRE3 +# Copyright record size +#>>>0x39 uleshort x \b, copyright record size %u +# Map ID +>>>0x74 ulelong x \b, ID %#x +# URL: https://www.gpspower.net/garmin-tutorials/353310-basecamp-installing-free-desktop-map.html +# For road traffic information service (RDS/TMS/TMC). Commonly seen in City Navigator maps +>>9 string TRF traffic, +!:mime application/x-garmin-trf +!:ext trf +# city/region like Preitenegg +>>>(0.s+1) string x 1st %s +# highway part like L606/L148 +>>>>&1 string x %s +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/Format +# Reference: http://www.pinns.co.uk/osm/typformat.html +# customize the appearance of objects. For GPS and MapSource/Qlandkarte better looking maps +>>9 string TYP types +!:mime application/x-garmin-typ +!:ext typ +>>>0x0E use garmin-date +# character set 1252 65001~UTF8 +>>>0x15 uleshort x \b, code page %u +# POIs +#>>>0x17 ulelong x \b, at %#x +#>>>0x1B ulelong x %#x bytes TYP1 +# extra pois +#>>>0x5B ulelong x \b, at %#x +#>>>0x5F ulelong x %#x bytes TYP8 +# URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/RGN_Subfile_Format +# http://www.pinns.co.uk/osm/RGN.html +# region data used by the Garmin software +>>9 string RGN region +!:mime application/x-garmin-rgn +!:ext rgn +# POIs,Indexed POIs,Polylines or Polygons or first map level +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes RGN1 +# polygons with extended types +#>>>0x21 ulelong >0 +#>>>>0x1D ulelong x \b, at %#x +#>>>>0x21 ulelong x %#x bytes RGN2 +# polylines with extended types +#>>>0x3D ulelong >0 +#>>>>0x39 ulelong x \b, at %#x +#>>>>0x3D ulelong x %#x bytes RGN3 +# extended POIs +#>>>0x59 ulelong >0 +#>>>>0x55 ulelong x \b, at %#x +#>>>>0x59 ulelong x %#x bytes RGN3 +#>>9 default x unknown map type +# Header length; GMP:31h 35h 3Dh,MDR:11Eh 238h 2C4h 310h,NOD:3Fh 7Fh,NET:64h, +# LBL:2A9h,SRT:1Dh 25h 27h,TRE:CFh 135h,TRF:5Ah,TYP:5Bh 6Eh 7Ch AEh,RGN:7Dh +>>0 uleshort x \b, header length %#x + +# URL: https://www.memotech.franken.de/FileFormats/ +# Reference: https://www.memotech.franken.de/FileFormats/Garmin_RGN_Format.pdf +# From: Joerg Jenderek +0 string KpGr Garmin update +# format version like: 0064h~1.0 +>0x4 uleshort !0x0064 +>>4 uleshort/100 x \b, version %u +>>4 uleshort%100 x \b.%u +# 1st Garmin entry +>6 use garmin-entry +# 2nd Garmin entry +>(0x6.l+10) ubyte x +>>&0 use garmin-entry +# 3rd entry +>(0x6.l+10) ubyte x +>>&(&0.l+4) ubyte x +>>>&0 use garmin-entry +# look again at version to use default clause +>0x4 uleshort x +# test for region content by looking for +# Garmin *.srf by ./images with normal builder name "SQA" or longer "hales" +# 1 space after equal sign +>>0x3a search/5/s GARMIN\ BITMAP \b= +!:mime image/x-garmin-exe +!:ext exe +>>>&0 indirect x +# if not bitmap *.srf then region; 1 space after equal sign +>>0x3a default x \b= +!:mime application/x-garmin-rgn +!:ext rgn +# recursiv embedded +>>>0x3a search/5/s KpGrd +>>>>&0 indirect x +# look for ZIP or JAR archive by ./archive and ./zip +>>>0x3a search/5/s PK\003\004 +>>>>&0 indirect x +# TODO: other garmin RGN record content like foo +#>>0x3a search/5/s bar BAR +# display information of Garmin RGN record +0 name garmin-entry +# record length: 2 for Data, for Application often 1Bh sometimes 1Dh, "big" for Region +#>0 ulelong x \b, length %#x +# data record (ID='D') with version content like 0064h~1.0 +>4 ubyte =0x44 +>>5 uleshort !0x0064 \b; Data +>>>5 uleshort/100 x \b, version %u +>>>5 uleshort%100 x \b.%u +# Application Record (ID='A') +>4 ubyte =0x41 \b; App +# version content like 00c8h~2.0 +>>5 uleshort !0x00C8 +>>>5 uleshort/100 x \b, version %u +>>>5 uleshort%100 x \b.%u +# builder name like: SQA sqa build hales +>>7 string x \b, build by %s +# build date like: Oct 25 1999, Oct 1 2008, Feb 23 2009, Dec 15 2009 +>>>&1 string x %s +# build time like: 11:26:12, 11:45:54, 14:16:13, 18:23:01 +>>>>&1 string x %s +# region record (ID='R') +>4 ubyte =0x52 \b; Region +# region ID:14~fw_all.bin: 78~ZIP, RGN or SRF bitmap; 148~ZIP or JAR; 249~display firmware; 251~WiFi or GCD firmware; 255~ZIP +>>5 uleshort x ID=%u +# delay in ms: like 0, 500 +>>7 ulelong !0 \b, %u ms +# region size (is record length - 10) +#>>11 ulelong x \b, length %#x +# region content like: +# "KpGr"~recursiv embedded,"GARMIN BITMAP"~Garmin Bitmap *.srf, "PK"~ZIP archive +#>>15 string x \b, content "%s" +>>15 ubequad x \b, content %#llx... +# This does NOT WORK! +#>>15 indirect x \b; contains +>4 default x \b; other +# garmin Record ID Identifies the record content like: D A R +>>4 ubyte x ID '%c' + +# TOM TOM GPS watches ttbin files: +# https://github.com/ryanbinns/ttwatch/tree/master/ttbin +# From: Daniel Lenski +0 byte 0x20 +>1 leshort 0x0007 +>>0x76 byte 0x20 +>>>0x77 leshort 0x0075 TomTom activity file, v7 +>>>>8 leldate x (%s, +>>>>3 byte x device firmware %d. +>>>>4 byte x \b%d. +>>>>5 byte x \b%d, +>>>>6 leshort x product ID %04d) + +# Garmin firmware: +# https://www.memotech.franken.de/FileFormats/Garmin_GCD_Format.pdf +# https://www.gpsrchive.com/GPSMAP/GPSMAP%2066sr/Firmware.html +0 string GARMIN +>6 uleshort 100 GARMIN firmware (version 1.0) diff --git a/magic/Magdir/maple b/magic/Magdir/maple new file mode 100644 index 0000000..80cf9f2 --- /dev/null +++ b/magic/Magdir/maple @@ -0,0 +1,109 @@ + +#------------------------------------------------------------------------------ +# $File: maple,v 1.10 2021/08/30 13:31:25 christos Exp $ +# maple: file(1) magic for maple files +# "H. Nanosecond" <aldomel@ix.netcom.com> +# Maple V release 4, a multi-purpose math program +# + +# maple library .lib +# URL: https://en.wikipedia.org/wiki/Maple_(software) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-maple-v-r4.trid.xml +# Update: Joerg Jenderek +0 string \000MVR4\nI Maple Vr4 library +#!:mime application/octet-stream +!:mime application/x-maple-lib +!:ext lib + +# URL: https://en.wikipedia.org/wiki/Maple_(software) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-maple-v-r5.trid.xml +# From: Joerg Jenderek +0 string \000MVR5\n Maple Vr5 library +#!:mime application/octet-stream +!:mime application/x-maple-lib +!:ext lib + +# From: Joerg Jenderek +0x400 string M7R0\nI Maple Vr7 library +#!:mime application/octet-stream +!:mime application/x-maple-lib +!:ext lib +# null terminated library name like: C:\Maple12/Cliffordlib\maple.lib ../Maplets/Tutors.lib +>5 string x %s +# probably library name padding with nil or points (0x2E) +#>0xF8 uquad x \b, PADDING 0x%16.16llx +# null terminated strings like: Exterior Clifford FunctionArithmetics +# like: 1 20 40 +>0x115 ulelong x \b, %u string +# plural s +>0x115 ulelong >1 \bs +>0x119 string x 1st '%s' +# probably second name section padding with nil or points (0x2E) +#>0x3F0 uquad x \b, 2nd PADDING 0x%16.16llx +# line feed separated ASCII string with maximal 79 length +#>0x407 string x \b, section "%s" +>0x454 ubyte !0x0a \b, at 0x454 0x%x + +# .ind +# no magic for these :-( +# they are compiled indexes for maple files + +# .hdb +# Update: Joerg Jenderek +# URL: https://www.maplesoft.com/support/help/maple/view.aspx?path=Formats/HDB +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hdb-maple.trid.xml +# Note: This format was replaced in Maple 18 by the Maple Help format (*.help) +0 string \000\004\000\000 +# skip xBASE Compound Index file *.CDX by looking for version +>1028 string version Maple help database +# length of string version +#>>1024 ulelong !7 \b, at 0x400 unexpected %u +#!:mime application/octet-stream +!:mime application/x-maple-hdb +!:ext hdb +>1028 default x +# skip more xBASE Compound Index file *.CDX by looking for keyword Maple +# like hsum.hdb +>>4 search/0xCC41 Maple Maple help database +!:mime application/x-maple-hdb +!:ext hdb + +# .mhp +# this has the form <PACKAGE=name> +0 string \<PACKAGE= Maple help file +0 string \<HELP\ NAME= Maple help file +0 string \n\<HELP\ NAME= Maple help file with extra carriage return at start (yuck) +#0 string #\ Newton Maple help file, old style +0 string #\ daub Maple help file, old style +#0 string #=========== Maple help file, old style + +# .mws +0 string \000\000\001\044\000\221 Maple worksheet +#this is anomalous +0 string WriteNow\000\002\000\001\000\000\000\000\100\000\000\000\000\000 Maple worksheet, but weird +# this has the form {VERSION 2 3 "IBM INTEL NT" "2.3" }\n +# that is {VERSION major_version miunor_version computer_type version_string} +0 string {VERSION\ Maple worksheet +>9 string >\0 version %.1s. +>>11 string >\0 %.1s + +# .mps +0 string \0\0\001$ Maple something +# from byte 4 it is either 'nul E' or 'soh R' +# I think 'nul E' means a file that was saved as a different name +# a sort of revision marking +# 'soh R' means new +>4 string \000\105 An old revision +>4 string \001\122 The latest save + +# .mpl +# some of these are the same as .mps above +#0000000 000 000 001 044 000 105 same as .mps +#0000000 000 000 001 044 001 122 same as .mps + +0 string #\n##\ <SHAREFILE= Maple something +0 string \n#\n##\ <SHAREFILE= Maple something +0 string ##\ <SHAREFILE= Maple something +0 string #\r##\ <SHAREFILE= Maple something +0 string \r#\r##\ <SHAREFILE= Maple something +0 string #\ \r##\ <DESCRIBE> Maple something anomalous. diff --git a/magic/Magdir/marc21 b/magic/Magdir/marc21 new file mode 100644 index 0000000..bb4998e --- /dev/null +++ b/magic/Magdir/marc21 @@ -0,0 +1,30 @@ +#-------------------------------------------- +# marc21: file(1) magic for MARC 21 Format +# +# Kevin Ford (kefo@loc.gov) +# +# MARC21 formats are for the representation and communication +# of bibliographic and related information in machine-readable +# form. For more info, see https://www.loc.gov/marc/ + + +# leader position 20-21 must be 45 +# and 22-23 also 00 so far, but we check that later. +20 string 45 +>0 search/2048 \x1e + +# leader starts with 5 digits, followed by codes specific to MARC format +>>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic +!:mime application/marc +>>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority +!:mime application/marc +>>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings +!:mime application/marc +>>0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification +!:mime application/marc +>>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community +!:mime application/marc + +# leader position 22-23, should be "00" but is it? +>>0 regex/1l (^.{21})([^0]{2}) (non-conforming) +!:mime application/marc diff --git a/magic/Magdir/mathcad b/magic/Magdir/mathcad new file mode 100644 index 0000000..b186641 --- /dev/null +++ b/magic/Magdir/mathcad @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: mathcad,v 1.5 2009/09/19 16:28:10 christos Exp $ +# mathcad: file(1) magic for Mathcad documents +# URL: http://www.mathsoft.com/ +# From: Josh Triplett <josh@freedesktop.org> + +0 string .MCAD\t Mathcad document diff --git a/magic/Magdir/mathematica b/magic/Magdir/mathematica new file mode 100644 index 0000000..dda71e8 --- /dev/null +++ b/magic/Magdir/mathematica @@ -0,0 +1,192 @@ + +#------------------------------------------------------------------------------ +# $File: mathematica,v 1.17 2023/06/16 19:33:58 christos Exp $ +# mathematica: file(1) magic for mathematica files +# "H. Nanosecond" <aldomel@ix.netcom.com> +# Mathematica a multi-purpose math program +# versions 2.2 and 3.0 + +0 name wolfram +>0 string x Mathematica notebook version 2.x +!:ext mb +!:mime application/vnd.wolfram.mathematica + +#mathematica .mb +0 string \064\024\012\000\035\000\000\000 +>0 use wolfram +0 string \064\024\011\000\035\000\000\000 +>0 use wolfram + +# +0 search/1000 Content-type:\040application/mathematica Mathematica notebook version 2.x +!:ext nb +!:mime application/mathematica + + +# .ma +# multiple possibilities: + +0 string (*^\n\n::[\011frontEndVersion\ = +#>41 string >\0 %s +>0 use wolfram + +#0 string (*^\n\n::[\011palette + +#0 string (*^\n\n::[\011Information +#>675 string >\0 %s #doesn't work well + +# there may be 'cr' instead of 'nl' in some does this matter? + +# generic: +0 string (*^\r\r::[\011 +>0 use wolfram +0 string (*^\r\n\r\n::[\011 +>0 use wolfram +0 string (*^\015 +>0 use wolfram +0 string (*^\n\r\n\r::[\011 +>0 use wolfram +0 string (*^\r::[\011 +>0 use wolfram +0 string (*^\r\n::[\011 +>0 use wolfram +0 string (*^\n\n::[\011 +>0 use wolfram +0 string (*^\n::[\011 +>0 use wolfram + + +# Mathematica .mx files + +#0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file +0 string (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file +#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 +# >71... is optional +>88 string >\0 from %s + + +# Mathematica files PBF: +# 115 115 101 120 102 106 000 001 000 000 000 203 000 001 000 +0 string MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think) + +# .ml files These are menu resources I think +# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ +# how to put that into a magic rule? +4 string \ A~ MAthematica .ml file + +# .nb files +#too long 0 string (***********************************************************************\n\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ Mathematica-Compatible Notebook Mathematica 3.0 notebook +0 string (*********************** Mathematica 3.0 notebook + +# other (* matches it is a comment start in these langs +# GRR: Too weak; also matches other languages e.g. ML +#0 string (* Mathematica, or Pascal, Modula-2 or 3 code text + +######################### +# MatLab v5 +# URL: http://fileformats.archiveteam.org/wiki/MAT +# Reference: https://www.mathworks.com/help/pdf_doc/matlab/matfile_format.pdf +# first 116 bytes of header contain text in human-readable form +0 string MATLAB Matlab v +#>11 string/T x \b, at 11 "%.105s" +#!:mime application/octet-stream +!:mime application/x-matlab-data +!:ext mat +# https://de.mathworks.com/help/matlab/import_export/mat-file-versions.html +# level of the MAT-file like: 5.0 7.0 or maybe 7.3 +#>7 string x LEVEL "%.3s" +>7 ubyte =0x35 \b5 mat-file +>7 ubyte !0x35 +>>7 string x \b%.3s mat-file +>126 short 0x494d (big endian) +>>124 beshort x version %#04x +>126 short 0x4d49 (little endian) +# 0x0100 for level 5.0 and 0x0200 for level 7.0 +>>124 leshort x version %#04x +# test again so that default clause works +>126 short x +# created by MATLAB include Platform sometimes without leading comma (0x2C) or missing +# like: GLNX86 PCWIN PCWIN64 SOL2 Windows\0407 nt posix +>>20 search/2 Platform:\040 \b, platform +>>>&0 string x %-0.2s +>>>&2 ubyte !0x2C \b%c +>>>>&0 ubyte !0x2C \b%c +>>>>>&0 ubyte !0x2C \b%c +>>>>>>&0 ubyte !0x2C \b%c +>>>>>>>&0 ubyte !0x2C \b%c +>>>>>>>>&0 ubyte !0x2C \b%c +>>>>>>>>>&0 ubyte !0x2C \b%c +# examples without Platform tag like one_by_zero_char.mat +>>20 default x +>>>11 string x "%s" +# created by MATLAB include time like: Fri Feb 20 15:26:59 2009 +>34 search/9/c created\040on:\040 \b, created +>>&0 string x %-.24s +# MatLab v4 +# From: Joerg Jenderek +# check for valid imaginary flag of Matlab matrix version 4 +13 ushort 0 +# check for valid ASCII matrix name +>20 ubyte >0x1F +# skip PreviousEntries.dat with "invalid high" name \304P\344@\001 +>>20 ubyte <0304 +# skip some Netwfw*.dat and $I3KREPH.dat by checking for non zero number of rows +>>>4 ulong !0 +# skip some CD-ROM filesystem like test-hfs.iso by looking for valid big endian type flag +>>>>0 ubelong&0xFFffFF00 0x00000300 +>>>>>0 use matlab4 +# no example for 8-bit and 16-bit integers matrix +>>>>0 ubelong&0xFFffFF00 0x00000400 +>>>>>0 use matlab4 +# branch for Little-Endian variant of Matlab MATrix version 4 +# skip big endian variant by looking for valid low lttle endian type flag +>>>>0 ulelong <53 +# skip tokens.dat and some Netwfw*.dat by check for valid imaginary flag value of MAT version 4 +>>>>>12 ulelong <2 +# no misidentified little endian MATrix example with "short" matrix name +>>>>>>16 ulelong <3 +# skip radeon firmware BONAIRE_sdma.bin HAWAII_sdma.bin KABINI_sdma.bin KAVERI_sdma.bin MULLINS_sdma.bin +# by check for non zero matrix name length +>>>>>>>16 ubelong >0 +>>>>>>>>0 use \^matlab4 +# little endian MATrix with "long" matrix name or some misidentified samples +>>>>>>16 ulelong >2 +# skip TileCacheLogo-*.dat with invalid 2nd character \001 of matrix name with length 96 +>>>>>>>21 ubyte >0x1F +>>>>>>>>0 use \^matlab4 +# Note: called "MATLAB Mat File" with version "Level 4" by DROID via PUID fmt/1550 +# display information of Matlab v4 mat-file +0 name matlab4 Matlab v4 mat-file +#!:mime application/octet-stream +!:mime application/x-matlab-data +!:ext mat +# 20-byte header with 5 long integers that contains information describing certain attributes of the Matrix +# type flag decimal MOPT; maximal 4052=FD4h; maximal 52=34h for little endian +#>0 ubelong x \b, type flag %u +#>0 ubelong x (%#x) +# M: 0~little endian 1~Big Endian 2~VAX D-float 3~VAX G-float 4~Cray +#>0 ubelong/1000 x \b, M=%u +>0 ubelong/1000 0 (little endian) +>0 ubelong/1000 1 (big endian) +>0 ubelong/1000 2 (VAX D-float) +>0 ubelong/1000 3 (VAX G-float) +>0 ubelong/1000 4 (Cray) +# namlen; the length of the matrix name +#>16 ubelong x \b, name length %u +#>(16.L+19) ubyte x \b, TERMINATING NAME CHARACTER=%#x +# nul terminated matrix name like: fit_params testmatrix testsparsecomplex teststringarray +#>20 string x \b, MATRIX NAME="%s" +#>21 ubyte x \b, MAYBE 2ND CHAR=%c +>16 pstring/L x %s +# T indicates the matrix type: 0~numeric 1~text 2~sparse +#>0 ubelong%10 x \b, T=%u +>0 ubelong%10 0 \b, numeric +>0 ubelong%10 1 \b, text +>0 ubelong%10 2 \b, sparse +# mrows; number of rows in the matrix like: 1 3 8 +>4 ubelong x \b, rows %u +# ncols; number of columns in the matrix like: 1 3 4 5 9 43 +>8 ubelong x \b, columns %u +# imagf; imaginary flag; 1~matrix has an imaginary part 0~only real data +>12 ubelong !0 \b, imaginary (%u) +# real; Real part of the matrix consists of mrows * ncols numbers diff --git a/magic/Magdir/matroska b/magic/Magdir/matroska new file mode 100644 index 0000000..271af55 --- /dev/null +++ b/magic/Magdir/matroska @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: matroska,v 1.9 2019/04/19 00:42:27 christos Exp $ +# matroska: file(1) magic for Matroska files +# +# See https://www.matroska.org/ +# + +# EBML id: +0 belong 0x1a45dfa3 +# DocType id: +>4 search/4096 \x42\x82 +# DocType contents: +>>&1 string webm WebM +!:mime video/webm +>>&1 string matroska Matroska data +!:mime video/x-matroska diff --git a/magic/Magdir/mcrypt b/magic/Magdir/mcrypt new file mode 100644 index 0000000..f2edd08 --- /dev/null +++ b/magic/Magdir/mcrypt @@ -0,0 +1,52 @@ + +#------------------------------------------------------------------------------ +# $File: mcrypt,v 1.6 2022/02/08 18:51:45 christos Exp $ +# Mavroyanopoulos Nikos <nmav@hellug.gr> +# mcrypt: file(1) magic for mcrypt 2.2.x; +# URL: https://en.wikipedia.org/wiki/Mcrypt +# http://fileformats.archiveteam.org/wiki/MCrypt +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nc-mcrypt.trid.xml +# Update: Joerg Jenderek +# Note: called by TrID "mcrypt encrypted (v2.5)" +0 string \0m\3 mcrypt 2.5 encrypted data, +#!:mime application/octet-stream +!:mime application/x-crypt-nc +!:ext nc +>4 string >\0 algorithm: %s, +>>&1 leshort >0 keysize: %d bytes, +>>>&0 string >\0 mode: %s, + +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nc-mcrypt-22.trid.xml +# Note: called by TrID "mcrypt encrypted (v2.2)" +0 string \0m\2 mcrypt 2.2 encrypted data, +#!:mime application/octet-stream +!:mime application/x-crypt-nc +# no example +!:ext nc +>3 byte 0 algorithm: blowfish-448, +>3 byte 1 algorithm: DES, +>3 byte 2 algorithm: 3DES, +>3 byte 3 algorithm: 3-WAY, +>3 byte 4 algorithm: GOST, +>3 byte 6 algorithm: SAFER-SK64, +>3 byte 7 algorithm: SAFER-SK128, +>3 byte 8 algorithm: CAST-128, +>3 byte 9 algorithm: xTEA, +>3 byte 10 algorithm: TWOFISH-128, +>3 byte 11 algorithm: RC2, +>3 byte 12 algorithm: TWOFISH-192, +>3 byte 13 algorithm: TWOFISH-256, +>3 byte 14 algorithm: blowfish-128, +>3 byte 15 algorithm: blowfish-192, +>3 byte 16 algorithm: blowfish-256, +>3 byte 100 algorithm: RC6, +>3 byte 101 algorithm: IDEA, +>4 byte 0 mode: CBC, +>4 byte 1 mode: ECB, +>4 byte 2 mode: CFB, +>4 byte 3 mode: OFB, +>4 byte 4 mode: nOFB, +>5 byte 0 keymode: 8bit +>5 byte 1 keymode: 4bit +>5 byte 2 keymode: SHA-1 hash +>5 byte 3 keymode: MD5 hash diff --git a/magic/Magdir/measure b/magic/Magdir/measure new file mode 100644 index 0000000..42e7186 --- /dev/null +++ b/magic/Magdir/measure @@ -0,0 +1,44 @@ + +#------------------------------------------------------------------------------ +# $File: measure,v 1.3 2021/03/25 17:30:10 christos Exp $ +# measure: file(1) magic for measurement data + +# DIY-Thermocam raw data +0 name diy-thermocam-parser +>0 beshort x scale %d- +>2 beshort x \b%d, +>4 lefloat x spot sensor temperature %f, +>9 ubyte 0 unit celsius, +>9 ubyte 1 unit fahrenheit, +>8 ubyte x color scheme %d +>10 ubyte 1 \b, show spot sensor +>11 ubyte 1 \b, show scale bar +>12 ubyte &1 \b, minimum point enabled +>12 ubyte &2 \b, maximum point enabled +>13 lefloat x \b, calibration: offset %f, +>17 lefloat x slope %f + +0 name diy-thermocam-checker +>9 ubyte <2 +>>10 ubyte <2 +>>>11 ubyte <2 +>>>>12 ubyte <4 +>>>>>17 lefloat >0.0001 DIY-Thermocam raw data + +# V2 and Leption 3.x: +38408 ubyte <19 +>38400 use diy-thermocam-checker +>>38400 default x (Lepton 3.x), +>>>38400 use diy-thermocam-parser + +# V1 or Lepton 2.x +9608 ubyte <19 +>9600 use diy-thermocam-checker +>>9600 default x (Lepton 2.x), +>>>9600 use diy-thermocam-parser + +# Becker & Hickl Photon Counting (PMS) data file +# format documentation: https://www.becker-hickl.com/wp-content/uploads/2018/11/opm-pms400-v01.pdf (page 57) +(0x02.l) string *IDENTIFICATION Becker & Hickl PMS Data File +>0x12 short x (%d data blocks) +!:ext sdt diff --git a/magic/Magdir/mercurial b/magic/Magdir/mercurial new file mode 100644 index 0000000..b8f3cdd --- /dev/null +++ b/magic/Magdir/mercurial @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: mercurial,v 1.5 2019/04/19 00:42:27 christos Exp $ +# mercurial: file(1) magic for Mercurial changeset bundles +# https://www.selenic.com/mercurial/wiki/ +# +# Jesse Glick (jesse.glick@sun.com) +# + +0 string HG10 Mercurial changeset bundle +>4 string UN (uncompressed) +>4 string GZ (gzip compressed) +>4 string BZ (bzip2 compressed) diff --git a/magic/Magdir/metastore b/magic/Magdir/metastore new file mode 100644 index 0000000..e64e704 --- /dev/null +++ b/magic/Magdir/metastore @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: metastore,v 1.3 2019/04/19 00:42:27 christos Exp $ +# metastore: file(1) magic for metastore files +# From: Thomas Wissen +# see https://david.hardeman.nu/software.php#metastore +0 string MeTaSt00r3 Metastore data file, +>10 bequad x version %0llx diff --git a/magic/Magdir/meteorological b/magic/Magdir/meteorological new file mode 100644 index 0000000..725982f --- /dev/null +++ b/magic/Magdir/meteorological @@ -0,0 +1,53 @@ + +#------------------------------------------------------------------------------ +# $File: meteorological,v 1.4 2022/12/09 18:02:09 christos Exp $ +# rinex: file(1) magic for RINEX files +# http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt +# ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf +# data for testing: ftp://cddis.gsfc.nasa.gov/pub/gps/data +60 string RINEX +>80 search/256 XXRINEXB RINEX Data, GEO SBAS Broadcast +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/broadcast +>80 search/256 XXRINEXD RINEX Data, Observation (Hatanaka comp) +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/observation +>80 search/256 XXRINEXC RINEX Data, Clock +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/clock +>80 search/256 XXRINEXH RINEX Data, GEO SBAS Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXG RINEX Data, GLONASS Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXL RINEX Data, Galileo Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXM RINEX Data, Meteorological +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/meteorological +>80 search/256 XXRINEXN RINEX Data, Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXO RINEX Data, Observation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/observation + +# https://en.wikipedia.org/wiki/GRIB +0 string GRIB +>7 byte =1 Gridded binary (GRIB) version 1 +!:mime application/x-grib +!:ext grb/grib +>7 byte =2 Gridded binary (GRIB) version 2 +!:mime application/x-grib2 +!:ext grb2/grib2 diff --git a/magic/Magdir/microfocus b/magic/Magdir/microfocus new file mode 100644 index 0000000..93e39aa --- /dev/null +++ b/magic/Magdir/microfocus @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: microfocus,v 1.3 2019/04/19 00:42:27 christos Exp $ +# Micro Focus COBOL data files. + +# https://documentation.microfocus.com/help/index.jsp?topic=\ +# %2FGUID-0E0191D8-C39A-44D1-BA4C-D67107BAF784%2FHRFLRHFILE05.html +# http://www.cobolproducts.com/datafile/data-viewer.html +# https://github.com/miracle2k/mfcobol-export + +0 string \x30\x00\x00\x7C +>36 string \x00\x3E Micro Focus File with Header (DAT) +!:mime application/octet-stream + +0 string \x30\x7E\x00\x00 +>36 string \x00\x3E Micro Focus File with Header (DAT) +!:mime application/octet-stream + +39 string \x02 +>136 string \x02\x02\x04\x04 Micro Focus Index File (IDX) +!:mime application/octet-stream diff --git a/magic/Magdir/mime b/magic/Magdir/mime new file mode 100644 index 0000000..57b2dd5 --- /dev/null +++ b/magic/Magdir/mime @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: mime,v 1.8 2017/03/17 22:20:22 christos Exp $ +# mime: file(1) magic for MIME encoded files +# +0 string/t Content-Type:\040 +>14 string >\0 %s +0 string/t Content-Type: +>13 string >\0 %s diff --git a/magic/Magdir/mips b/magic/Magdir/mips new file mode 100644 index 0000000..fe83614 --- /dev/null +++ b/magic/Magdir/mips @@ -0,0 +1,120 @@ + +#------------------------------------------------------------------------------ +# $File: mips,v 1.10 2014/04/30 21:41:02 christos Exp $ +# mips: file(1) magic for MIPS ECOFF and Ucode, as used in SGI IRIX +# and DEC Ultrix +# +0 beshort 0x0160 MIPSEB ECOFF executable +>20 beshort 0407 (impure) +>20 beshort 0410 (swapped) +>20 beshort 0413 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>22 byte x - version %d +>23 byte x \b.%d +# +0 beshort 0x0162 MIPSEL-BE ECOFF executable +>20 beshort 0407 (impure) +>20 beshort 0410 (swapped) +>20 beshort 0413 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +0 beshort 0x6001 MIPSEB-LE ECOFF executable +>20 beshort 03401 (impure) +>20 beshort 04001 (swapped) +>20 beshort 05401 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +0 beshort 0x6201 MIPSEL ECOFF executable +>20 beshort 03401 (impure) +>20 beshort 04001 (swapped) +>20 beshort 05401 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +# MIPS 2 additions +# +0 beshort 0x0163 MIPSEB MIPS-II ECOFF executable +>20 beshort 0407 (impure) +>20 beshort 0410 (swapped) +>20 beshort 0413 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>22 byte x - version %d +>23 byte x \b.%d +# +0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable +>20 beshort 0407 (impure) +>20 beshort 0410 (swapped) +>20 beshort 0413 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>22 byte x - version %d +>23 byte x \b.%d +# +0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable +>20 beshort 03401 (impure) +>20 beshort 04001 (swapped) +>20 beshort 05401 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable +>20 beshort 03401 (impure) +>20 beshort 04001 (swapped) +>20 beshort 05401 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +# MIPS 3 additions +# +0 beshort 0x0140 MIPSEB MIPS-III ECOFF executable +>20 beshort 0407 (impure) +>20 beshort 0410 (swapped) +>20 beshort 0413 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>22 byte x - version %d +>23 byte x \b.%d +# +0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable +>20 beshort 0407 (impure) +>20 beshort 0410 (swapped) +>20 beshort 0413 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>22 byte x - version %d +>23 byte x \b.%d +# +0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable +>20 beshort 03401 (impure) +>20 beshort 04001 (swapped) +>20 beshort 05401 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable +>20 beshort 03401 (impure) +>20 beshort 04001 (swapped) +>20 beshort 05401 (paged) +>8 belong >0 not stripped +>8 belong 0 stripped +>23 byte x - version %d +>22 byte x \b.%d +# +0 beshort 0x180 MIPSEB Ucode +0 beshort 0x182 MIPSEL-BE Ucode diff --git a/magic/Magdir/mirage b/magic/Magdir/mirage new file mode 100644 index 0000000..cdeb3fc --- /dev/null +++ b/magic/Magdir/mirage @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: mirage,v 1.7 2009/09/19 16:28:10 christos Exp $ +# mirage: file(1) magic for Mirage executables +# +# XXX - byte order? +# +0 long 31415 Mirage Assembler m.out executable diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools new file mode 100644 index 0000000..dc1542a --- /dev/null +++ b/magic/Magdir/misctools @@ -0,0 +1,140 @@ + +#----------------------------------------------------------------------------- +# $File: misctools,v 1.21 2023/02/03 20:43:48 christos Exp $ +# misctools: file(1) magic for miscellaneous UNIX tools. +# +0 search/1 %%!! X-Post-It-Note text +# URL: http://fileformats.archiveteam.org/wiki/ICalendar +# https://en.wikipedia.org/wiki/ICalendar +# Update: Joerg Jenderek +# Reference: https://www.rfc-editor.org/rfc/rfc5545 +# http://mark0.net/download/triddefs_xml.7z/defs/v/vcs.trid.xml +# Note: called "iCalendar - vCalendar" by TrID +0 string/c BEGIN:vcalendar +# skip DROID fmt-387-signature-id-572.vcs fmt-388-signature-id-573.ics +# with invalid separator 0x0 or 0xAB instead of CarriageReturn (0x0D) or LineFeed (0x0A) +>15 ubyte&0xF8 =0x08 +# look for VERSION keyword often on second line but sometimes later as in holidays_NRW_2014.ics +>>0 search/188 VERSION +# after VERSION keword :1.0 or often :2.0 but sometimes also ;VALUE=TEXT:2.0 like in Jewish religious Juish.ics +# http://www.webcal.guru/de-DE/kalender_herunterladen?calendar_instance_id=217 +# \n\040:2.0 like in import-real-world-2004-11-19.ics found at +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-real-world-2004-11-19.ics +#>>>&0 string x AFTER_VERSION=%.15s +# Note: called "Internet Calendar and Scheduling format" by DROID via PUID fmt/388 +# skip optional verparam=;other-param like ;VALUE=TEXT and look for version 2.0 that implies iCalendar variant +>>>&0 search/81 :2.0 iCalendar calendar +# look for Free/Busy component +>>>>15 search/278 :VFREEBUSY file, with Free/Busy component +!:mime text/calendar +!:apple ????iFBf +# no real examples found but only example on Wikipedia page +!:ext ifb +# iCalendar calendar without Free/Busy component +>>>>15 default x +# look for ALARM component +>>>>>15 search/154 :VALARM file, with ALARM component +!:mime text/calendar +!:apple ????iCal +# found on macOS beneath /Users/$USER/Library/Calendars/ as EventAllDayAlarms.icsalarm or EventTimedAlarms.icsalarm +# no isc examples found +!:ext icsalarm/ics +# iCalendar calendar without Free/Busy component and ALARM component +>>>>>15 default x file +!:mime text/calendar +!:apple ????iCal +# no examples found with .ical .icalender suffix +!:ext ics +# if no VERSION 2.0 is found then assume it is VERSION 1.0, that is older vCalendar +# URL: http://fileformats.archiveteam.org/wiki/VCalendar +# Note: called "VCalendar format" by DROID via fmt/387 +>>>&0 default x vCalendar calendar file +# deprecated +!:mime text/x-vcalendar +!:ext vcs +# GRR: without VERSION keyword violates specification but accepted by Thunderbird like +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-with-timezone.ics +>>0 default x vCalendar calendar file, without VERSION +!:mime text/x-vcalendar +#!:mime text/calendar +# no vcs example found +!:ext ics/vcs +# GRR: According to newest specification CarriageReturn (0xD) and LineFeed (0xA) should be used as separator but others accepted by Thunderbird +# like CRLF,LF in Sport Today.vcs created by calendar plugin of TV-Browser https://enwiki.tvbrowser.org/index.php/Calendar_Export +# or LF like https://www.schulferien.org/media/ical/deutschland/ferien_nordrhein-westfalen_2023.ics?k=foo +>>15 ubeshort !0x0D0A \b, without CRLF + +# updated by Joerg Jenderek at Apr 2015, May 2021 +# https://en.wikipedia.org/wiki/VCard +# URL: http://fileformats.archiveteam.org/wiki/VCard +# https://datatracker.ietf.org/doc/html/rfc6350 +# the value is case-insensitive +0 string/c begin:vcard +# skip DROID fmt-395-signature-id-634.vcf +>13 string !VERSION:END vCard visiting card +# deprecated +#!:mime text/x-vcard +!:mime text/vcard +!:apple ????vCrd +!:ext vcf/vcard +# VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere +# Joerg_Jenderek_67.vcf +>>12 search/0x113b4/c version: +# VERSION 2.1 , 3.0 or 4.0 +>>>&0 string x \b, version %-.3s +>>>&0 string !2.1 +>>>>13 string !VERSION: \b, 2nd line does not start with VERSION: +# downcase violates RFC 6350, but some "bad" software produce such vcards +>>0 string !BEGIN \b, not up case +# http://ftp.mozilla.org/pub/thunderbird/candidates/ +# 78.10.1-candidates/build1/source/thunderbird-78.10.1.source.tar.xz +# thunderbird-78.10.1/comm/mailnews/import/test/unit/resources/basic_vcard_addressbook.vcf +>>11 beshort !0x0D0A \b, lines not separated by CRLF + +# Summary: Libtool library file +# Extension: .la +# Submitted by: Tomasz Trojanowski <tomek@uninet.com.pl> +0 search/80 .la\ -\ a\ libtool\ library\ file libtool library file + +# Summary: Libtool object file +# Extension: .lo +# Submitted by: Abel Cheung <abelcheung@gmail.com> +0 search/80 .lo\ -\ a\ libtool\ object\ file libtool object file + +# From: Daniel Novotny <dnovotny@redhat.com> +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Core_dump#User-mode_memory_dumps +# Reference: https://msdn.microsoft.com/en-us/library/ms680378%28VS.85%29.aspx +# +# "Windows Minidump" by TrID +# ./misctools (version 5.25) labeled the entry as "MDMP crash report data" +0 string MDMP Mini DuMP crash report +# https://filext.com/file-extension/DMP +!:mime application/x-dmp +!:ext dmp/mdmp +# The high-order word is an internal value that is implementation specific. +# The low-order word is MINIDUMP_VERSION 0xA793 +>4 ulelong&0x0000FFFF !0xA793 \b, version %#4.4x +# NumberOfStreams 8,9,10,13 +>8 ulelong x \b, %d streams +# StreamDirectoryRva 0x20 +>12 ulelong !0x20 \b, %#8.8x RVA +# CheckSum 0 +>16 ulelong !0 \b, CheckSum %#8.8x +# Reserved or TimeDateStamp +>20 ledate x \b, %s +# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx +# Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 +>24 ulelong x \b, %#x type +# >24 ulelong >0 \b; include +# >>24 ulelong &0x00000001 \b data sections, +# >>24 ulelong &0x00000020 \b list of unloaded modules, +# >>24 ulelong &0x00000100 \b process and thread information, +# >>24 ulelong &0x00000800 \b memory information, + +# Summary: abook addressbook file +# Submitted by: Mark Schreiber <mark7@alumni.cmu.edu> +0 string #\x20abook\x20addressbook\x20file abook address book +!:mime application/x-abook-addressbook diff --git a/magic/Magdir/mkid b/magic/Magdir/mkid new file mode 100644 index 0000000..faad396 --- /dev/null +++ b/magic/Magdir/mkid @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: mkid,v 1.6 2009/09/19 16:28:10 christos Exp $ +# mkid: file(1) magic for mkid(1) databases +# +# ID is the binary tags database produced by mkid(1). +# +# XXX - byte order? +# +0 string \311\304 ID tags data +>2 short >0 version %d diff --git a/magic/Magdir/mlssa b/magic/Magdir/mlssa new file mode 100644 index 0000000..3c8875e --- /dev/null +++ b/magic/Magdir/mlssa @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: mlssa,v 1.4 2009/09/19 16:28:10 christos Exp $ +# mlssa: file(1) magic for MLSSA datafiles +# +0 lelong 0xffffabcd MLSSA datafile, +>4 leshort x algorithm %d, +>10 lelong x %d samples diff --git a/magic/Magdir/mmdf b/magic/Magdir/mmdf new file mode 100644 index 0000000..5576a66 --- /dev/null +++ b/magic/Magdir/mmdf @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: mmdf,v 1.6 2009/09/19 16:28:10 christos Exp $ +# mmdf: file(1) magic for MMDF mail files +# +0 string \001\001\001\001 MMDF mailbox diff --git a/magic/Magdir/modem b/magic/Magdir/modem new file mode 100644 index 0000000..5d59401 --- /dev/null +++ b/magic/Magdir/modem @@ -0,0 +1,92 @@ + +#------------------------------------------------------------------------------ +# $File: modem,v 1.11 2022/10/19 20:15:16 christos Exp $ +# modem: file(1) magic for modem programs +# +# From: Florian La Roche <florian@knorke.saar.de> +1 string PC\ Research,\ Inc Digifax-G3-File +>29 byte 1 \b, fine resolution +>29 byte 0 \b, normal resolution + +# Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). +# Modified by: Joerg Jenderek +# URL: https://de.wikipedia.org/wiki/Fax +# http://fileformats.archiveteam.org/wiki/CCITT_Group_3 +# Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm +# GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others +0 short 0x0100 +# 16 0-bits near beginning like True Type fonts *.ttf, Postscript PrinterFontMetric *.pfm, FTYPE.HYPERCARD, XFER +>2 search/9 \0\0 +# maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 +>2 default x +# skip IRCAM file (VAX big-endian) ./audio +>>0 belong !0x0001a364 +# skip GEM Image data ./images +>>>2 beshort !0x0008 +# look for first keyword of Panorama database *.pan +>>>>11 search/262 \x06DESIGN +# skip Panorama database +>>>>11 default x +# old Apple DreamWorld DreamGrafix *.3200 with keyword at end of g3 looking files +>>>>>27118 search/1864 DreamWorld +>>>>>27118 default x +# skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom +>>>>>>8 ubequad !0x2e01010454010203 +# skip PICTUREH.SML found on Golden Orchard Apple II CD Rom +>>>>>>>8 ubequad !0x5dee74ad1aa56394 +# skip few (5/41) DEGAS mid-res bitmap (GEMINI01.PI2 GEMINI02.PI2 GEMINI03.PI2 CODE_RAM.PI2 TBX_DEMO.PI2) +# with file size 32034 +>>>>>>>>-0 offset !32034 raw G3 (Group 3) FAX, byte-padded +# version 5.25 labeled the entry above "raw G3 data, byte-padded" +!:mime image/g3fax +#!:apple ????TIFF +!:ext g3 +# unusual image starting with black pixel +#0 short 0x1300 raw G3 (Group 3) FAX +0 short 0x1400 +# 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom +>2 search/9 \0\0 +# maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 +>2 default x +# skip some (84/1246) MacBinary II/III (Cyberdog2.068k.smi.bin FileMakerPro4.img.bin Hypercard1.25.image.bin UsbStorage1.3.5.smi.bin) with "non random" numbers by versions values 81h/82h + 81h +>>122 ubeshort&0xFcFf !0x8081 raw G3 (Group 3) FAX +# version 5.25 labeled the above entry as "raw G3 data" +!:mime image/g3fax +!:ext g3 +# unusual image with black pixel near beginning +#0 short 0x1900 raw G3 (Group 3) FAX + +# +# Magic data for vgetty voice formats +# (Martin Seine & Marc Eberhard) + +# +# raw modem data version 1 +# +0 string RMD1 raw modem data +>4 string >\0 (%s / +>20 short >0 compression type %#04x) + +# +# portable voice format 1 +# +0 string PVF1\n portable voice format +>5 string >\0 (binary %s) + +# +# portable voice format 2 +# +0 string PVF2\n portable voice format +>5 string >\0 (ascii %s) + +# From: Bernd Nuernberger <bernd.nuernberger@web.de> +# Brooktrout G3 fax data incl. 128 byte header +# Common suffixes: 3??, BRK, BRT, BTR +0 leshort 0x01bb +>2 leshort 0x0100 Brooktrout 301 fax image, +>>9 leshort x %d x +>>0x2d leshort x %d +>>6 leshort 200 \b, fine resolution +>>6 leshort 100 \b, normal resolution +>>11 byte 1 \b, G3 compression +>>11 byte 2 \b, G32D compression diff --git a/magic/Magdir/modulefile b/magic/Magdir/modulefile new file mode 100644 index 0000000..46c3baf --- /dev/null +++ b/magic/Magdir/modulefile @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: modulefile,v 1.1 2019/10/15 18:04:40 christos Exp $ +# modulefile: file(1) magic for user's environment modulefile +# URL: http://modules.sourceforge.net/ +# Reference: https://modules.readthedocs.io/en/stable/modulefile.html +# From: Xavier Delaruelle <xavier.delaruelle@cea.fr> +0 string #%Module modulefile +!:mime text/x-modulefile diff --git a/magic/Magdir/motorola b/magic/Magdir/motorola new file mode 100644 index 0000000..af93720 --- /dev/null +++ b/magic/Magdir/motorola @@ -0,0 +1,71 @@ + +#------------------------------------------------------------------------------ +# $File: motorola,v 1.12 2021/04/26 15:56:00 christos Exp $ +# motorola: file(1) magic for Motorola 68K and 88K binaries +# +# 68K +# +0 beshort 0520 mc68k COFF +>18 beshort ^00000020 object +>18 beshort &00000020 executable +>12 belong >0 not stripped +>168 string .lowmem Apple toolbox +>20 beshort 0407 (impure) +>20 beshort 0410 (pure) +>20 beshort 0413 (demand paged) +>20 beshort 0421 (standalone) +0 beshort 0521 mc68k executable (shared) +>12 belong >0 not stripped +0 beshort 0522 mc68k executable (shared demand paged) +>12 belong >0 not stripped +# +# Motorola/UniSoft 68K Binary Compatibility Standard (BCS) +# +0 beshort 0554 68K BCS executable +# +# 88K +# +# Motorola/88Open BCS +# +0 beshort 0555 88K BCS executable +# +# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de> +0 string S0 Motorola S-Record; binary data in text format + +# ATARI ST relocatable PRG +# +# from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 +# (according to Roland Waldi, Oct 21, 1987) +# besides the magic 0x601a, the text segment size is checked to be +# not larger than 1 MB (which is a lot on ST). +# The additional 0x601b distinction I took from Doug Lee's magic. +0 belong&0xFFFFFFF0 0x601A0000 Atari ST M68K contiguous executable +>2 belong x (txt=%d, +>6 belong x dat=%d, +>10 belong x bss=%d, +>14 belong x sym=%d) +0 belong&0xFFFFFFF0 0x601B0000 Atari ST M68K non-contig executable +>2 belong x (txt=%d, +>6 belong x dat=%d, +>10 belong x bss=%d, +>14 belong x sym=%d) + +# Atari ST/TT... program format (sent by Wolfram Kleff <kleff@cs.uni-bonn.de>) +0 beshort 0x601A Atari 68xxx executable, +>2 belong x text len %u, +>6 belong x data len %u, +>10 belong x BSS len %u, +>14 belong x symboltab len %u, +>18 belong 0 +>22 belong &0x01 fastload flag, +>22 belong &0x02 may be loaded to alternate RAM, +>22 belong &0x04 malloc may be from alternate RAM, +>22 belong x flags: %#X, +>26 beshort 0 no relocation tab +>26 beshort !0 + relocation tab +>30 string SFX [Self-Extracting LZH SFX archive] +>38 string SFX [Self-Extracting LZH SFX archive] +>44 string ZIP! [Self-Extracting ZIP SFX archive] + +0 beshort 0x0064 Atari 68xxx CPX file +>8 beshort x (version %04x) diff --git a/magic/Magdir/mozilla b/magic/Magdir/mozilla new file mode 100644 index 0000000..32f3bb7 --- /dev/null +++ b/magic/Magdir/mozilla @@ -0,0 +1,37 @@ + +#------------------------------------------------------------------------------ +# $File: mozilla,v 1.12 2021/04/26 15:56:00 christos Exp $ +# mozilla: file(1) magic for Mozilla XUL fastload files +# (XUL.mfasl and XPC.mfasl) +# URL: https://www.mozilla.org/ +# From: Josh Triplett <josh@freedesktop.org> + +0 string XPCOM\nMozFASL\r\n\x1A Mozilla XUL fastload data +# Probably the next magic line contains misspelled "mozLz40\0" +0 string mozLz4a Mozilla lz4 compressed bookmark data +# From: Joerg Jenderek +# URL: https://lz4.github.io/lz4/ +# Reference: https://github.com/avih/dejsonlz4/archive/master.zip/ +# dejsonlz4-master\src\dejsonlz4.c +# Note: mostly JSON compressed with a non-standard LZ4 header +# can be unpacked by dejsonlz4 but not lz4 program. +0 string mozLz40\0 Mozilla lz4 compressed data +!:mime application/x-lz4+json +# mozlz4 extension seems to be used for search/store, while jsonlz4 for bookmarks +!:ext jsonlz4/mozlz4 +# decomp_size +>8 ulelong x \b, originally %u bytes +# lz4 data +#>12 ubequad x \b, lz4 data %#16.16llx + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Firefox_4 +# Reference: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT +# Note: Most ZIP utilities are able to extract such archives +# maybe only partly or after some warnings. Example: +# zip -FF omni.ja --out omni.zip +4 string PK\001\002 Mozilla archive omni.ja +!:mime application/x-zip +!:ext ja +# TODO: +#>4 use zip-dir-entry diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos new file mode 100644 index 0000000..aacf859 --- /dev/null +++ b/magic/Magdir/msdos @@ -0,0 +1,2304 @@ + +#------------------------------------------------------------------------------ +# $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $ +# msdos: file(1) magic for MS-DOS files +# + +# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) +# updated by Joerg Jenderek at Oct 2008,Apr 2011 +0 string/t @ +>1 string/cW \ echo\ off DOS batch file text +!:mime text/x-msdos-batch +!:ext bat +>1 string/cW echo\ off DOS batch file text +!:mime text/x-msdos-batch +!:ext bat +>1 string/cW rem DOS batch file text +!:mime text/x-msdos-batch +!:ext bat +>1 string/cW set\ DOS batch file text +!:mime text/x-msdos-batch +!:ext bat + + +# OS/2 batch files are REXX. the second regex is a bit generic, oh well +# the matched commands seem to be common in REXX and uncommon elsewhere +100 search/0xffff rxfuncadd +>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text +100 search/0xffff say +>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text + +# updated by Joerg Jenderek at Oct 2015 +# https://de.wikipedia.org/wiki/Common_Object_File_Format +# http://www.delorie.com/djgpp/doc/coff/filhdr.html +# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable" +#0 leshort 0x14c MS Windows COFF Intel 80386 object file +#>4 ledate x stamp %s +0 leshort 0x166 MS Windows COFF MIPS R4000 object file +#>4 ledate x stamp %s +0 leshort 0x184 MS Windows COFF Alpha object file +#>4 ledate x stamp %s +0 leshort 0x268 MS Windows COFF Motorola 68000 object file +#>4 ledate x stamp %s +0 leshort 0x1f0 MS Windows COFF PowerPC object file +#>4 ledate x stamp %s +0 leshort 0x290 MS Windows COFF PA-RISC object file +#>4 ledate x stamp %s + +# Tests for various EXE types. +# +# Many of the compressed formats were extracted from IDARC 1.23 source code. +# +# e_magic +0 string/b MZ +# TODO +# FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition +# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FOD: WIFE Font Driver +# GAU: MS Flight Simulator Gauge +# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2 +# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya +# PFL: PhotoFilter plugin http://photofiltre.free.fr +# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html +# PLG: Aston Shell plugin http://www.astonshell.com/ +# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC +# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm +# TBK: Asymetrix ToolBook application http://www.toolbook.com +# TBP: The Bat! plugin http://www.ritlabs.com +# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com +# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com +# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/ +# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com +# +# NEXT LINES FOR DEBUGGING! +# e_cblp; bytes on last page of file +# e_cp; pages in file +#>4 uleshort x \b, e_cp 0x%x +# e_lfanew; file address of new exe header +#>0x3c ulelong x \b, e_lfanew 0x%x +# e_lfarlc; address of relocation table +#>0x18 uleshort x \b, e_lfarlc=0x%x +# e_ovno; overlay number. If zero, this is the main executable foo +#>0x1a uleshort !0 \b, e_ovno 0x%x +#>0x1C ubequad !0 \b, e_res 0x%16.16llx +# e_oemid; often 0 +#>0x24 uleshort !0 \b, e_oemid 0x%x +# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV) +# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV) +#>0x26 uleshort !0 \b, e_oeminfo 0x%x +# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe +# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE +#>0x28 ubequad !0 \b, e_res2 0x%16.16llx +# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593 +# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs +# new exe header magic like: PE NE LE LX W3 W4 +# no examples found for ZM DL MP P2 P3 +#>(0x3c.l) string x \b, at [0x3c] %.2s +#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x +#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x +# +# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file. +# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead +# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c +# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0 +# Icon library WORD60.ICL e_lfarlc=0 +# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0 +>0x18 uleshort <0x40 +# check magic of new second header +# NE executable with low e_lfarlc like: WORD60.ICL +# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library +>>(0x3c.l) string NE Windows Icons Library 16-bit +!:mime image/x-ms-icl +!:ext icl +# handle LX executable with low e_lfarlc like: PCISCAN.EXE +>>(0x3c.l) string LX +>>>(0x3c.l) use lx-executable +# skip Portable Executable (PE) with low e_lfarlc here, because handled later +# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS +>>(0x3c.l) string PE +# not New Executable (NE) and not PE with low e_lfarlc like: +# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe +>>(0x3c.l) default x MS-DOS executable, MZ for MS-DOS +!:mime application/x-dosexec +# Windows and later versions of DOS will allow .EXEs to be named with a .COM +# extension, mostly for compatibility's sake. +# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM +# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml +# also like: BGISRV.DRV +!:ext exe/com/vlm/drv +# These traditional tests usually work but not always. When test quality support is +# implemented these can be turned on. +#>>0x18 leshort 0x1c (Borland compiler) +#>>0x18 leshort 0x1e (MS compiler) + +# Maybe it's a PE? +# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable +# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format +>(0x3c.l) string PE\0\0 PE +!:mime application/vnd.microsoft.portable-executable +# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics +# DLL Characteristics +#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x, +# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file +# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. +# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL) +>>(0x3c.l+24) leshort 0x010b \b32 executable +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u +>>(0x3c.l+24) leshort 0x020b \b32+ executable +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u +>>(0x3c.l+24) leshort 0x0107 ROM image +>>(0x3c.l+24) default x Unknown PE signature +>>>&0 leshort x %#x +>>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem +>>(0x3c.l+92) leshort 0 ( +# Summary: Microsoft compiled help *.HXS format 2.0 +# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2 +# Reference: http://www.russotto.net/chm/itolitlsformat.html +# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml +# Note: 2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS +# verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS` +>>>(0x3c.l+6) uleshort =2 \bMicrosoft compiled help format 2.0) +!:ext hxs +# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like: +# CPL: Control Panel item for WINE 1.7.28 https://www.winehq.org/ +>>>(0x3c.l+6) uleshort !2 \bControl Panel Item) +!:ext cpl +# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes +>>(0x3c.l+92) leshort 1 +# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the +# drivers in Windows/System32/drivers/*.sys. +>>>(0x3c.l+22) leshort&0x2000 >0 (native) +!:ext dll/sys +>>>(0x3c.l+22) leshort&0x2000 0 (native) +!:ext exe/sys +# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem +>>(0x3c.l+92) leshort 2 +>>>(0x3c.l+22) leshort&0x2000 >0 (GUI) +# These could probably be at least partially distinguished from one another by +# looking for specific exported functions. +# CPL: Control Panel item +# TLB: Type library +# OCX: OLE/ActiveX control +# ACM: Audio compression manager codec +# AX: DirectShow source filter +# IME: Input method editor +!:ext dll/cpl/tlb/ocx/acm/ax/ime +>>>(0x3c.l+22) leshort&0x2000 0 (GUI) +# Screen savers typically include code from the scrnsave.lib static library, but +# that's not guaranteed. +!:ext exe/scr +# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem +>>(0x3c.l+92) leshort 3 +>>>(0x3c.l+22) leshort&0x2000 >0 (console) +!:ext dll/cpl/tlb/ocx/acm/ax/ime +>>>(0x3c.l+22) leshort&0x2000 0 (console) +!:ext exe/com +# NO Windows Subsystem number 4! +>>(0x3c.l+92) leshort 4 (Unknown subsystem 4) +# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem +>>(0x3c.l+92) leshort 5 (OS/2) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-os2 +# NO Windows Subsystem number 6! +>>(0x3c.l+92) leshort 6 (Unknown subsystem 6) +# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem +>>(0x3c.l+92) leshort 7 (POSIX +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: PSXDLL.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: PAX.EXE +!:ext exe +# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver +>>(0x3c.l+92) leshort 8 (Win9x) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-win98 +# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE +>>(0x3c.l+92) leshort 9 (Windows CE +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: NNGStart.exe navigator.exe +!:ext exe +# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application +>>(0x3c.l+92) leshort 10 (EFI application) +# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi +!:ext efi +# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services +>>(0x3c.l+92) leshort 11 (EFI boot service driver) +# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi +!:ext efi +>>(0x3c.l+92) leshort 12 (EFI runtime driver) +# no sample found +!:ext efi +# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image +>>(0x3c.l+92) leshort 13 (EFI ROM) +# no sample found +!:ext efi +# 14~IMAGE_SUBSYSTEM_XBOX XBOX +>>(0x3c.l+92) leshort 14 (XBOX) +#!:ext foo-xbox +# NO Windows Subsystem number 15! +>>(0x3c.l+92) leshort 15 (Unknown subsystem 15) +# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application +>>(0x3c.l+92) leshort 16 (Windows boot application +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll +!:ext efi/exe +# GRR: the next 2 lines are not executed! +#>>(0x3c.l+92) default x (Unknown subsystem +#>>>&0 leshort x %#x) +>>(0x3c.l+92) leshort >16 (Unknown subsystem +>>>&0 leshort x %#x) +>>(0x3c.l+4) leshort 0x14c Intel 80386 +>>(0x3c.l+4) leshort 0x166 MIPS R4000 +>>(0x3c.l+4) leshort 0x168 MIPS R10000 +>>(0x3c.l+4) leshort 0x184 Alpha +>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3 +>>(0x3c.l+4) leshort 0x1a3 Hitachi SH3 DSP +>>(0x3c.l+4) leshort 0x1a8 Hitachi SH5 +>>(0x3c.l+4) leshort 0x169 MIPS WCE v2 +>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4 +>>(0x3c.l+4) leshort 0x1c0 ARM +>>(0x3c.l+4) leshort 0x1c2 ARM Thumb +>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb +>>(0x3c.l+4) leshort 0x1d3 Matsushita AM33 +>>(0x3c.l+4) leshort 0x1f0 PowerPC +>>(0x3c.l+4) leshort 0x1f1 PowerPC with FPU +>>(0x3c.l+4) leshort 0x1f2 PowerPC (big-endian) +>>(0x3c.l+4) leshort 0x200 Intel Itanium +>>(0x3c.l+4) leshort 0x266 MIPS16 +>>(0x3c.l+4) leshort 0x268 Motorola 68000 +>>(0x3c.l+4) leshort 0x290 PA-RISC +>>(0x3c.l+4) leshort 0x366 MIPSIV +>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU +>>(0x3c.l+4) leshort 0xebc EFI byte code +>>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit +>>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit +>>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit +>>(0x3c.l+4) leshort 0x6232 LoongArch 32-bit +>>(0x3c.l+4) leshort 0x6264 LoongArch 64-bit +>>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R +>>(0x3c.l+4) leshort 0x8664 x86-64 +>>(0x3c.l+4) leshort 0xaa64 Aarch64 +>>(0x3c.l+4) leshort 0xc0ee MSIL +# GRR: the next 2 lines are not executed! +>>(0x3c.l+4) default x Unknown processor type +>>>&0 leshort x %#x +>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) +>>(0x3c.l+22) leshort&0x1000 >0 system file +>>(0x3c.l+24) leshort 0x010b +>>>(0x3c.l+232) lelong >0 Mono/.Net assembly +>>(0x3c.l+24) leshort 0x020b +>>>(0x3c.l+248) lelong >0 Mono/.Net assembly + +# hooray, there's a DOS extender using the PE format, with a valid PE +# executable inside (which just prints a message and exits if run in win) +>>(8.s*16) string 32STUB \b, 32rtm DOS extender +>>(8.s*16) string !32STUB \b, for MS Windows +>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed +>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed +>>(0x3c.l+0xf8) search/0x140 UPX2 +>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) +>>(0x3c.l+0xf8) search/0x140 .idata +>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) +>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive +>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive +>>(0x3c.l+0xf8) search/0x140 .rsrc +>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive +>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive +>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive +>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive +>>(0x3c.l+0xf8) search/0x140 .data +>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive +>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed +>>>(0x3c.l+0xf7) byte x +>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive +>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive +>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive +>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) +>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive +>>0x30 string Inno \b, InnoSetup self-extracting archive +# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc. +# PE used as container have less sections +>>(0x3c.l+6) leshort >1 \b, %u sections +# do not display for 1 section to get output like in version 5.43 and to keep output columns low +#>>(0x3c.l+6) leshort =1 \b, %u section + +# If the relocation table is 0x40 or more bytes into the file, it's definitely +# not a DOS EXE. +>0x18 uleshort >0x3f + +# Hmm, not a PE but the relocation table is too high for a traditional DOS exe, +# must be one of the unusual subformats. +>>(0x3c.l) string !PE\0\0 MS-DOS executable +#!:mime application/x-dosexec + +>>(0x3c.l) string NE \b, NE +#!:mime application/x-dosexec +!:mime application/x-ms-ne-executable +# FOR DEBUGGING! +# Reference: https://wiki.osdev.org/NE +# ProgFlags; Program flags, bitmapped +#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x +# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, none +# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared +# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple +# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null) +# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Global initialization +# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only +# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions +# >>>(0x3c.l+0x0c) ubyte &0x20 \b, 80286 instructions +# >>>(0x3c.l+0x0c) ubyte &0x40 \b, 80386 instructions +# >>>(0x3c.l+0x0c) ubyte &0x80 \b, 80x87 instructions +# ApplFlags; Application flags, bitmapped +# https://www.fileformat.info/format/exe/corion-ne.htm +#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x +# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API) +# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Full screen +#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. API +# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle +#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver +# AutoDataSegIndex; automatic data segment index like: 0 2 3 22 +# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared +#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u +# InitHeapSize; intial local heap size like; 0 400h 1400h +# zero if there is no local allocation +#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x +# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h +# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h +# 6D60h 8000h 40000h +# zero if the SS register value does not equal the DS register value +#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x +# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h +#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x +# InitStack; specifies the segment offset value of stack pointer SS:SP +# like: 0 20000h 160000h +#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x +# SegCount; number of segments in segment table like: 0 1 2 3 16h +#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x +# ModRefs; number of module references (DLLs) like; 0 1 3 +#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u +# NoResNamesTabSiz; size in bytes of non-resident names table +# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh +#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x +# SegTableOffset; offset of Segment table like: 40h +#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x +# ResTableOffset; offset of resources table like: 40h 50h 58h F0h +# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON +#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 0x%x +# ResidNamTable; offset of resident names table +# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h +#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x +# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h) +# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh +#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x +# OffStartNonResTab; offset from start of file to non-resident names table +# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h +#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x +# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446 +#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u +# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default) +#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u +# nResTabEntries; number of resource table entries like: 0 2 +#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u +# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2 +# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE +# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE +#>>>(0x3c.l+0x36) byte x TARGOS %x +>>>(0x3c.l+0x36) byte 0 for OS/2 1.0 or MS Windows 1-2 +>>>(0x3c.l+0x36) byte 1 for OS/2 1.x +>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x +>>>(0x3c.l+0x36) byte 3 for MS-DOS +>>>(0x3c.l+0x36) byte 4 for Windows 386 +>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services +# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip +# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE +# GRR: WHAT OS is this? +#>>>(0x3c.l+0x36) byte 6 for TARGET SIX +# https://en.wikipedia.org/wiki/Phar_Lap_(company) +>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender, OS/2 +# like: CVP7.EXE +>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap DOS extender, Windows +>>>(0x3c.l+0x36) default x +>>>>(0x3c.l+0x36) ubyte x (unknown OS %#x) +# expctwinver; expected Windows version (minor first) like: +# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR +>>>(0x3c.l+0x3F) ubyte x (%u +>>>(0x3c.l+0x3E) ubyte x \b.%u) +# OS2EXEFlags; other EXE flags +# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area +#>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x +# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h +#>>>(0x3c.l+0x38) uleshort !0 \b, retThunkOffset 0x%x +# segrefthunksoff; offset to segment reference thunks or size of gangload area +# like: 0 33Eh 39Ah AEEh +#>>>(0x3c.l+0x3A) uleshort !0 \b, segrefthunksoff 0x%x +# mincodeswap; minimum code swap area size like 0 620Ch +#>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x +>>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) +# DRV: Driver +# 3GR: Grabber device driver +# CPL: Control Panel Item +# VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic +# FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON +# FOT: Font resource file +# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE +# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data +!:ext dll/drv/3gr/cpl/vbx/fon/fot +>>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) +!:ext exe/scr +>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive +>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) + +>>(0x3c.l) string LX\0\0 \b, LX +!:mime application/x-dosexec +>>>(0x3c.l+0x0a) leshort <1 (unknown OS) +>>>(0x3c.l+0x0a) leshort 1 for OS/2 +>>>(0x3c.l+0x0a) leshort 2 for MS Windows +>>>(0x3c.l+0x0a) leshort 3 for DOS +>>>(0x3c.l+0x0a) leshort >3 (unknown OS) +>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) +>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) +>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) +>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) +>>>(0x3c.l+0x08) leshort 1 i80286 +>>>(0x3c.l+0x08) leshort 2 i80386 +>>>(0x3c.l+0x08) leshort 3 i80486 +>>>(8.s*16) string emx \b, emx +>>>>&1 string x %s +>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive + +# MS Windows system file, supposedly a collection of LE executables +# like vmm32.vxd WIN386.EXE +>>(0x3c.l) string W3 \b, W3 for MS Windows +#!:mime application/x-dosexec +!:mime application/x-ms-w3-executable +!:ext vxd/exe +# W4 executable +>>(0x3c.l) string W4 \b, W4 for MS Windows +#!:mime application/x-dosexec +!:mime application/x-ms-w4-executable +# windows 98 VMM32.VXD +!:ext vxd + +>>(0x3c.l) string LE\0\0 \b, LE executable +!:mime application/x-dosexec +>>>(0x3c.l+0x0a) leshort 1 +# some DOS extenders use LE files with OS/2 header +>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender +>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender +>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender +>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender +>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) +>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) +>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) +# this is a wild guess; hopefully it is a specific signature +>>>>&0x24 lelong <0x50 +>>>>>(&0x4c.l) string \xfc\xb8WATCOM +>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed +# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP +#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 +# fails with DOS-Extenders. +>>>(0x3c.l+0x0a) leshort 2 for MS Windows +>>>(0x3c.l+0x0a) leshort 3 for DOS +>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) +# VXD: VxD for Windows 95/98/Me +# 386: VxD for Windows 2.10, 3.0, 3.1x +# PDR: Port driver +# MPD: Miniport driver (?) +!:ext vxd/386/pdr/mpd +>>>(&0x7c.l+0x26) string UPX \b, UPX compressed +>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive + +# looks like ASCII, probably some embedded copyright message. +# and definitely not NE/LE/LX/PE +>>0x3c lelong >0x20000000 +>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS +!:mime application/x-dosexec +!:ext exe/com +# header data too small for extended executable +>2 long !0 +>>0x18 uleshort <0x40 +>>>(4.s*512) leshort !0x014c + +>>>>&(2.s-514) string !LE +>>>>>&-2 string !BW +#>>>>>>(0x3c.l) string x \b, 2ND MAGIC %.2s +# but some LX executable appear here also like: PCISCAN.EXE +>>>>>>(0x3c.l) string !LX +# because Portable Executable (PE) already done skip many here like: +# xcopy32.exe stinger64.exe WimUtil.exe +# NO such DOS examples found and +# DOS examples seems to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM +>>>>>>>(0x3c.l) string !PE \b, MZ for MS-DOS +!:mime application/x-dosexec +>>>>&(2.s-514) string LE \b, LE +>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender +# educated guess since indirection is still not capable enough for complex offset +# calculations (next embedded executable would be at &(&2*512+&0-2) +# I suspect there are only LE executables in these multi-exe files +>>>>&(2.s-514) string BW +>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) +>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS + +# This sequence skips to the first COFF segment, usually .text +>(4.s*512) leshort 0x014c \b, COFF +!:mime application/x-dosexec +>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender +>>(8.s*16) string emx +>>>&1 string x for DOS, Win or OS/2, emx %s +>>&(&0x42.l-3) byte x +>>>&0x26 string UPX \b, UPX compressed +# and yet another guess: small .text, and after large .data is unusual, could be 32lite +>>&0x2c search/0xa0 .text +>>>&0x0b lelong <0x2000 +>>>>&0 lelong >0x6000 \b, 32lite compressed + +>(8.s*16) string $WdX \b, WDos/X DOS extender + +# By now an executable type should have been printed out. The executable +# may be a self-uncompressing archive, so look for evidence of that and +# print it out. +# +# Some signatures below from Greg Roelofs, newt@uchicago.edu. +# +>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed +>0xe7 string LH/2\ Self-Extract \b, %s +>0x1c string UC2X \b, UCEXE compressed +>0x1c string WWP\ \b, WWPACK compressed +>0x1c string RJSX \b, ARJ self-extracting archive +>0x1c string diet \b, diet compressed +>0x1c string LZ09 \b, LZEXE v0.90 compressed +>0x1c string LZ91 \b, LZEXE v0.91 compressed +>0x1c string tz \b, TinyProg compressed +>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive +!:mime application/zip +# Yes, this really is "Copr", not "Corp." +>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive +!:mime application/zip +# winarj stores a message in the stub instead of the sig in the MZ header +>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive +>0x20 string AIN +>>0x23 string 2 \b, AIN 2.x compressed +>>0x23 string <2 \b, AIN 1.x compressed +>>0x23 string >2 \b, AIN 1.x compressed +>0x24 string LHa's\ SFX \b, LHa self-extracting archive +!:mime application/x-lha +>0x24 string LHA's\ SFX \b, LHa self-extracting archive +!:mime application/x-lha +>0x24 string \ $ARX \b, ARX self-extracting archive +>0x24 string \ $LHarc \b, LHarc self-extracting archive +>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive +>0x40 string aPKG \b, aPackage self-extracting archive +>0x64 string W\ Collis\0\0 \b, Compack compressed +>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive +>>&0xf4 search/0x140 \x0\x40\x1\x0 +>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive +>1638 string -lh5- \b, LHa self-extracting archive v2.13S +>0x17888 string Rar! \b, RAR self-extracting archive + +# Skip to the end of the EXE. This will usually work fine in the PE case +# because the MZ image is hardcoded into the toolchain and almost certainly +# won't match any of these signatures. +>(4.s*512) long x +>>&(2.s-517) byte x +>>>&0 string PK\3\4 \b, ZIP self-extracting archive +>>>&0 string Rar! \b, RAR self-extracting archive +>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive +>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive +>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive +>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive +>>>&7 search/400 **ACE** \b, ACE self-extracting archive +>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive + +# a few unknown ZIP sfxes, no idea if they are needed or if they are +# already captured by the generic patterns above +>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) +# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive +# + +# TELVOX Teleinformatica CODEC self-extractor for OS/2: +>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 +>>49824 leshort =1 \b, 1 file +>>49824 leshort >1 \b, %u files + +# Summary: OS/2 LX Library and device driver (no DOS stub) +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/EXE +# Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt +# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h +# Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)" +# TODO: unify with DOS stub variant (MZ magic) +0 string/b LX +>2 ushort =0 +>>0 use lx-executable +# no examples found for big endian variant +>2 ushort =0x0101 +>>0 use \^lx-executable +0 name lx-executable +# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX" +#>0x00 uleshort x executable, +# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE +>0x00 uleshort =0x584c LX +>0x00 uleshort =0x454C LE +>0x00 uleshort x executable +#!:mime application/x-msdownload +!:mime application/x-lx-executable +!:ext exe +# byte order: 00h~little-endian non-zero=1~big-endian +#>0x02 ubyte =0 (little-endian) +>0x02 ubyte !0 (big-endian) +# FOR DEBUGGING! +# word order: 00h~little-endian non-zero=1~big-endian +#>0x03 ubyte =0 \b, little-endian word order +#>0x03 ubyte !0 \b, big-endian word order +# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000 +#>0x08 uleshort x \b, CPU %u +# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386 +#>0x0A leshort x \b, OS %u +# flags; module type flags +#>0x10 ulelong x \b, FLAGS %#8.8x +# 00000002h ~Reserved for system use +#>0x10 ulelong &0x00000002 \b, 2h reserved +# OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid +#>0x10 ulelong &0x00000004 \b, per-process library Initialization +# OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied +#>0x10 ulelong &0x00000010 \b, int. fixup +# OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied +#>0x10 ulelong &0x00000020 \b, ext. fixup +# OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing +#>0x10 ulelong&0x00000100 =0x00000100 \b, incompatible with PM windowing +# OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing +#>0x10 ulelong&0x00000200 =0x00000200 \b, compatible with PM windowing +# bit 17; device driver +#>0x10 ulelong&0x00020000 >0 \b, device driver +# Per-process Library Termination; setting this bit for EXE file is invalid +#>0x10 ulelong&0x40000000 =0x40000000 \b, per-process library termination +>0x0a leshort 1 for OS/2 +# no example found +>0x0a leshort 3 for DOS +# http://www.ctyme.com/intr/rb-2939.htm#Table1610 +# library by module type mask 00038000h (bits 15-17); +# 0h ~executable Program module +>0x10 ulelong&0x00038000 =0x00000000 (program) +#!:ext exe +# OSF_IS_DLL=8000h ~Library module (DLL) +>0x10 ulelong&0x00038000 >0x00000000 +# OSF_PHYS_DEVICE=00020000h ~device driver +>>0x10 ulelong&0x00020000 >0 (device driver) +!:ext sys +# if not device driver it is library (DLL) +>>0x10 ulelong&0x00020000 =0 (library) +!:ext dll +# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console +>0x10 ulelong&0x00000300 =0x00000300 (GUI) +>0x10 ulelong&0x00000300 !0x00000300 (console) +# CPU type +>0x08 uleshort 1 i80286 +# all inspected examples +>0x08 uleshort 2 i80386 +>0x08 uleshort 3 i80486 +>0x08 uleshort 4 i80586 +# 21h Intel "N11" or compatible +# 40h MIPS Mark I ( R2000, R3000) or compatible +# 41h MIPS Mark II ( R6000 ) or compatible +# 42h MIPS Mark III ( R4000 ) or compatible + +# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc +# and https://www.freedos.org/software/?prog=kpdos +# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD +0 string/b KCF FreeDOS KEYBoard Layout collection +# only version=0x100 found +>3 uleshort x \b, version %#x +# length of string containing author,info and special characters +>6 ubyte >0 +#>>6 pstring x \b, name=%s +>>7 string >\0 \b, author=%-.14s +>>7 search/254 \xff \b, info= +#>>>&0 string x \b%-s +>>>&0 string x \b%-.15s +# for FreeDOS *.KL files +0 string/b KLF FreeDOS KEYBoard Layout file +# only version=0x100 or 0x101 found +>3 uleshort x \b, version %#x +# stringlength +>5 ubyte >0 +>>8 string x \b, name=%-.2s +0 string \xffKEYB\ \ \ \0\0\0\0 +>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file + +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023 +# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver +# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html +# http://www.o3one.org/hwdocs/bios_doc/dosref22.html +0 ulequad&0x07a0ffffffff 0xffffffff +# skip OS/2 INI ./os2 +>4 ubelong !0x14000000 +#>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx +# https://bugs.astron.com/view.php?id=434 +# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like" +>>10 ubequad !0 +>>>0 use msdos-driver +0 name msdos-driver DOS executable ( +#!:mime application/octet-stream +!:mime application/x-dosdriver +# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN +# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used? +# PROTMAN.DOS ELNKPL.DOS +!:ext sys/dev/bin/dos +# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device" +>40 search/7 UPX! \bUPX compressed +# DOS device driver attributes +>4 uleshort&0x8000 0x0000 \bblock device driver +# character device +>4 uleshort&0x8000 0x8000 \b +# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$" +>>4 uleshort&0x0008 0x0008 \bclock +# fast video output by int 29h +# 1 space char after "fast" to get phrase like "fast standard input/output character device driver" +>>4 uleshort&0x0010 0x0010 \bfast +# standard input/output device +# 1 space char after "standard" to get phrase like "standard input/output character device driver" +>>4 uleshort&0x0003 >0 \bstandard +>>>4 uleshort&0x0001 0x0001 \binput +>>>4 uleshort&0x0003 0x0003 \b/ +# 1 space char after "output" to get phrase like "input/output character device driver" +>>>4 uleshort&0x0002 0x0002 \boutput +>>4 uleshort&0x8000 0x8000 \bcharacter device driver +>0 ubyte x +# upx compressed device driver has garbage instead of real in name field of header +>>40 search/7 UPX! +>>40 default x +# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped +# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE" +>>>12 ubyte >0x23 \b +>>>>10 ubyte >0x20 +>>>>>10 ubyte !0x2E +>>>>>>10 ubyte !0x2A \b%c +>>>>11 ubyte >0x20 +>>>>>11 ubyte !0x2E \b%c +>>>>12 ubyte >0x20 +>>>>>12 ubyte !0x39 +>>>>>>12 ubyte !0x2E \b%c +>>>13 ubyte >0x20 +>>>>13 ubyte !0x2E \b%c +>>>>14 ubyte >0x20 +>>>>>14 ubyte !0x2E \b%c +>>>>15 ubyte >0x20 +>>>>>15 ubyte !0x2E \b%c +>>>>16 ubyte >0x20 +>>>>>16 ubyte !0x2E +>>>>>>16 ubyte <0xCB \b%c +>>>>17 ubyte >0x20 +>>>>>17 ubyte !0x2E +>>>>>>17 ubyte <0x90 \b%c +# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field +>>>12 ubyte <0x2F +# they have their real name at offset 22 +# also block device drivers like DUMBDRV.SYS +>>>>22 string >\056 %-.6s +>4 uleshort&0x8000 0x0000 +# 32 bit sector addressing ( > 32 MB) for block devices +>>4 uleshort&0x0002 0x0002 \b,32-bit sector- +# support by driver functions 13h, 17h, 18h +>4 uleshort&0x0040 0x0040 \b,IOCTL- +# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh +>4 uleshort&0x0800 0x0800 \b,close media- +# output until busy support by int 10h for character device driver +>4 uleshort&0x8000 0x8000 +>>4 uleshort&0x2000 0x2000 \b,until busy- +# direct read/write support by driver functions 03h,0Ch +>4 uleshort&0x4000 0x4000 \b,control strings- +>4 uleshort&0x8000 0x8000 +>>4 uleshort&0x6840 >0 \bsupport +>4 uleshort&0x8000 0x0000 +>>4 uleshort&0x4842 >0 \bsupport +>0 ubyte x \b) +>0 ulelong !0xffffffff with pointer %#x +# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header +0 ulequad 0x0513c00000000012 +>0 use msdos-driver +# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field +0 ulequad 0x32f28000ffff0016 +>0 use msdos-driver +0 ulequad 0x007f00000000ffff +>0 use msdos-driver +# https://www.uwe-sieber.de/files/cfg_echo.zip +0 ulequad 0x001600000000ffff +>0 use msdos-driver +# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field +0 ulequad 0x0bf708c2ffffffff +>0 use msdos-driver +0 ulequad 0x07bd08c2ffffffff +>0 use msdos-driver +# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS +0 ulequad 0x027ac0c0ffffffff +>0 use msdos-driver +# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS +0 ulequad 0x00228880ffffffff +>0 use msdos-driver + +# updated by Joerg Jenderek +# GRR: line below too general as it catches also +# rt.lib DYADISKS.PIC and many more +# start with assembler instruction MOV +0 ubyte 0x8c +# skip "AppleWorks word processor data" like ARTICLE.1 ./apple +>4 string !O==== +# skip some unknown basic binaries like RocketRnger.SHR +>>5 string !MAIN +# skip "GPG symmetrically encrypted data" ./gnu +# skip "PGP symmetric key encrypted data" ./pgp +# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type +>>>4 ubyte >13 +>>>>0 use msdos-com +# the remaining files should be DOS *.COM executables +# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd +# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4 +# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b +# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b +# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b +# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b +# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e +# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e + +0 name msdos-com +# URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com) +>0 byte x DOS executable ( +# DOS executable with JuMP 16-bit instruction +>0 byte =0xE9 +# check for probably nil padding til offset 64 of Lotus driver name +>>56 quad =0 +# check for "long" alphabetic Lotus driver name like: +# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus" +>>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s +!:mime application/x-dosexec +# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2) +!:ext drv +# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1) +>>>24 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable with JuMP 16-bit and without nil padding +>>56 quad !0 +# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot +# TODO: HOWTO distinguish COMboot from pure DOS executables? +# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program +>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit) +!:mime application/x-dosexec +# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2) +!:ext com/cbt +>>>1 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable without JuMP 16-bit instruction +>0 byte !0xE9 +# SCREATE.SYS https://en.wikipedia.org/wiki/Stac_Electronics +>>10 string =?STACVOL \bSCREATE.SYS) +!:mime application/x-dosexec +!:ext sys +# COM executable without JuMP 16-bit instruction and not SCREATE.SYS +>>10 string !?STACVOL \bCOM) +!:mime application/x-dosexec +!:ext com +>6 string SFX\ of\ LHarc \b, %s +>0x1FE leshort 0xAA55 \b, boot code +>85 string UPX \b, UPX compressed +>4 string \ $ARX \b, ARX self-extracting archive +>4 string \ $LHarc \b, LHarc self-extracting archive +>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive +# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2) +>1 search/0xc088 \xcd\x22 \b, maybe with interrupt 22h +>0 ubelong x \b, start instruction %#8.8x +# show more instructions but not in samples like: rem.com (DJGPP) +>4 ubelong x %8.8x + +# JMP 8bit +0 byte 0xeb +# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent +# allow forward jumps only +>1 byte >-1 +# that offset must be accessible +# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc +>>(1.b+2) byte x +# if look like COM executable with x86 boot signature then this +# implies FAT volume with x86 real mode code already handled by ./filesystems +# +# No x86 boot signature implies often DOS executable +# check for unrealistic high number of FATs. Then it is an unusual disk image or often a DOS executable +# like: FIXBIOS.COM (50 bytes) +>>>16 ubyte >3 +# https://www.drivedroid.io/ +# skip MBR disk image drivedroid.img version 12 July 2013 by start message +>>>>2 string !DriveDroid +# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/ +# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM) +# by check for characteristic message text near the beginning +>>>>>15 string !Non\040System\040disk +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar" +# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux +# by check for characteristic message text near the beginning +>>>>>>6 string !read\040error\015 +# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip +# skip ventoy 1.0.78 boot_hybrid.img +>>>>>>>24 string !\220\220\353I$\022\017 +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar" +# skip unusual floppy image PCDOS100.IMG of DOS 1.0 +# by check for characteristic message text near the beginning +>>>>>>>>9 string !7-May-81 +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar" +# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems +# by check for characteristic message near the beginning +>>>>>>>>>3 string !\370sdfS\270 +# like: FIXBIOS.COM (50 bytes) +>>>>>>>>>>0 use msdos-com +# check for unrealistic low number of FATs. Then it is an unusual FAT disk image or often a DOS executable +# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15) +>>>16 ubyte =0 +# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux) +>>>>0x1FE leshort =0xAA55 +>>>>0x1FE default x +# https://thestarman.pcministry.com/tool/hxd/dimtut.htm +# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10 +# by check for characteristic bootloader names near end of boot sector +>>>>>395 string !ibmbio\040\040com +>>>>>>0 use msdos-com +# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems +# like: balder.img +>>>16 default x +# skip disk images with boot signature at end of 1st sector +# like: TDSK-64b.img +>>>>(11.s-2) uleshort !0xAA55 +# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18) +# by check for characteristic file system type text for FAT (12 bit or 16 bit) +>>>>>54 string !FAT +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar" +# skip unusual floppy image Disk4.img without boot signature and file system type text +# by check for characteristic OEM-ID text +>>>>>>3 string !COMPAQ\040\040 +# no such DOS COM executables found +>>>>>>>0 use msdos-com +# JMP 16bit +0 byte 0xe9 +# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM +#>1 leshort x \b, OFFSET %d +# forward jumps +>1 leshort >-1 +# that offset must be accessible +# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc +>>(1.s+3) byte x +# check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable +# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes) +>>>16 ubyte >3 +>>>>0 use msdos-com +# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable +# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV +>>>16 ubyte =0 +>>>>0 use msdos-com +# maybe disc image with valid number of FATs or DOS executable +# like: IPXODI.COM PERUSE.COM TASKID.COM +>>>16 default x +# invalid low media descriptor. Then it is not a disk image and it is a DOS executable +>>>>21 ubyte <0xE5 +>>>>>0 use msdos-com +# valid media descriptor. Then it is maybe disk image or DOS executable +>>>>21 ubyte >0xE4 +# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable +# like: LEARN.COM (Word 1.15) +>>>>>11 uleshort&0x001f !0 +>>>>>>0 use msdos-com +# negative offset, must not lead into PSP +# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4) +# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS) +>1 leshort <-259 +# that offset must be accessible +# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset +>>(1,s+65539) byte x +# after jump next instruction for DEBUGGING! +#>>>&-1 ubelong x \b, NEXT instruction %#8.8x +>>>0 use msdos-com + +# updated by Joerg Jenderek at Oct 2008,2015,2022 +# following line is too general +0 ubyte 0xb8 +# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux +>0 string !\xb8\xc0\x07\x8e +# modified by Joerg Jenderek +# syslinux COM32 or COM32R executable +>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT +# https://www.syslinux.org/wiki/index.php/Comboot_API +# Since version 5.00 c32 modules switched from the COM32 object format to ELF +!:mime application/x-c32-comboot-syslinux-exec +!:ext c32 +# https://syslinux.zytor.com/comboot.php +# older syslinux version ( <4 ) +# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode +# start with assembler instructions mov eax,21cd4cffh +>>>1 lelong 0x21CD4CFf \b) +# syslinux:doc/comboot.txt +# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov +# eax,21cd4cfeh) as a magic number. +# syslinux version (4.x) +# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID +>>>1 lelong 0x21CD4CFe \b, relocatable) +>>1 default x +# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x) +>>>3 search/118 \xCD +# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) +# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS) +#>>>>&0 ubyte x \b, INTERUPT %#x +# few examples with interrupt 0x13 instruction +>>>>&0 ubyte =0x13 +# FOR DEBUGGING! +#>>>>>3 ubequad x \b, 2nd INSTRUCTION %#16.16llx +# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax +>>>>>3 ubequad !0x8ec0b8c0078ed88d +# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com +# http://bootcd.narod.ru/bcdw150z_en.zip +>>>>>>0 use msdos-com +# few examples with interrupt 0x16 instruction like flashimg.img +>>>>&0 ubyte =0x16 +# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz +>>>>>8 ubelong !0x3DE4E475 +# no DOS executable with interrupt 0x16 found +>>>>>>0 use msdos-com +# most examples with interrupt instruction unequal 0x13 and 0x16 +>>>>&0 default x +#>>>>>&-1 ubyte x \b, INTERUPT %#x +# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com +>>>>>0 use msdos-com +# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM +# or some EUC-KR text files or one Ulead Imaginfo thumbnail +>>>3 default x +# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM) +# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt) +#>>>>3 ubyte x \b, 2nd INSTRUCTION %#x +# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow) +# inside SAMPLES/TEXTURES/SKY_SNOW +# from https://archive.org/download/PI3CANON/PI3CANON.iso +>>>>3 ubyte !0x0 +# skip some EUC-KR text files like: euckr_falsepositive.txt +# https://bugs.astron.com/view.php?id=186 +>>>>>3 ubyte !0xb1 +# like: RESTART.COM (DOS 7.10) REBOOT.COM +>>>>>>0 use msdos-com + +# URL: https://en.wikipedia.org/wiki/UPX +# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/ +# src/stub/src/i086-dos16.com.S +# Update: Joerg Jenderek +# assembler instructions: cmp sp, offset sp_limit +0 string/b \x81\xfc +#>2 uleshort x \b, sp_limit=%#x +# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy +>4 string \x77\x02\xcd\x20\xb9 +#>9 uleshort x \b, [bytes_to_copy]=%#x +# at different offsets assembler instructions: push di; jump decomp_start_n2b +>0x1e search/3 \x57\xe9 +#>>&0 uleshort x \b, decomp_start_n2b=%#x +# src/stub/src/include/header.S; UPX_MAGIC_LE32 +>>&2 string UPX! FREE-DOS executable (COM), UPX +!:mime application/x-dosexec +# UPX compressed *.CPI; See ./fonts +>>>&21 string =FONT compressed DOS code page font +!:ext cpx +>>>&21 string !FONT compressed +!:ext com +# compressed size? +#>>>&14 uleshort+152 x \b, %u bytes +# uncompressed len +>>>&12 uleshort x \b, uncompressed %u bytes +252 string Must\ have\ DOS\ version DR-DOS executable (COM) +!:mime application/x-dosexec +!:ext com +# GRR search is not working +#2 search/28 \xcd\x21 COM executable for MS-DOS +#WHICHFAT.cOM +2 string \xcd\x21 COM executable for DOS +!:mime application/x-dosexec +!:ext com +#DELTREE.cOM DELTREE2.cOM +4 string \xcd\x21 COM executable for DOS +!:mime application/x-dosexec +!:ext com +#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM +5 string \xcd\x21 COM executable for DOS +!:mime application/x-dosexec +!:ext com +#DELTMP.COm HASFAT32.cOM +7 string \xcd\x21 +>0 byte !0xb8 COM executable for DOS +!:mime application/x-dosexec +!:ext com +#COMP.cOM MORE.COm +10 string \xcd\x21 +>5 string !\xcd\x21 COM executable for DOS +!:mime application/x-dosexec +!:ext com +#comecho.com +13 string \xcd\x21 COM executable for DOS +!:mime application/x-dosexec +!:ext com +#HELP.COm EDIT.coM +18 string \xcd\x21 +# not printable before it? +>17 byte >32 +>>17 byte <126 +>>17 default x COM executable for MS-DOS +!:mime application/x-dosexec +!:ext com +#NWRPLTRM.COm +23 string \xcd\x21 COM executable for MS-DOS +!:mime application/x-dosexec +!:ext com +#LOADFIX.cOm LOADFIX.cOm +30 string \xcd\x21 COM executable for MS-DOS +!:mime application/x-dosexec +!:ext com +#syslinux.com 3.11 +70 string \xcd\x21 COM executable for DOS +!:mime application/x-dosexec +!:ext com +# many compressed/converted COMs start with a copy loop instead of a jump +0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS +!:mime application/x-dosexec +!:ext com +0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS +!:mime application/x-dosexec +!:ext com +>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed +0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed +!:mime application/x-dosexec +!:ext com +# FIXME: missing diet .com compression + +# miscellaneous formats +0 string/b LZ MS-DOS executable (built-in) +#0 byte 0xf0 MS-DOS program library data +# + +# AAF files: +# <stuartc@rd.bbc.co.uk> Stuart Cunningham +0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage +>30 byte 9 (512B sectors) +>30 byte 12 (4kB sectors) +0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage +>30 byte 9 (512B sectors) +>30 byte 12 (4kB sectors) + +# Popular applications +# +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DOC +# Reference: https://web.archive.org/web/20170206041048/ +# http://www.msxnet.org/word2rtf/formats/ffh-dosword5 +# wIdent+dty +0 belong 0x31be0000 +# skip droid skeleton like x-fmt-274-signature-id-488.doc +>128 ubyte >0 Microsoft +>>96 uleshort =0 Word +!:mime application/msword +!:apple MSWDWDBN +# DCX is used in the Unix version. +!:ext doc/dcx +>>>0x6E ulequad =0 1.0-4.0 +>>>0x6E ulequad !0 5.0-6.0 +>>>0x6E ulequad x (DOS) Document +# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt +>>96 uleshort !0 Write 3.0 (Windows) Document +!:mime application/x-mswrite +!:apple MSWDWDBN +# sometimes also doc like in splitter.doc srchtest.doc +!:ext wri/doc +# wTool must be 0125400 octal +#>>4 uleshort !0xAB00 \b, wTool %o +# reserved; must be zero +#>>6 ulelong !0 \b, reserved %u +# block pointer to the block containing optional file manager information +#>>0x1C uleshort x \b, at %#x info block +# jump to File manager information block +>>(0x1C.s*128) uleshort x +# test for valid information start; maybe also 0012h +>>>&-2 uleshort =0x0014 +# Document ASCIIZ name +>>>>&0x12 string x %s +# author name +>>>>>&1 string x \b, author %s +# reviser name +>>>>>>&1 string x \b, reviser %s +# keywords +>>>>>>>&1 string x \b, keywords %s +# comment +>>>>>>>>&1 string x \b, comment %s +# version number +>>>>>>>>>&1 string x \b, version %s +# date of last change MM/DD/YY +>>>>>>>>>>&1 string x \b, %-.8s +# creation date MM/DD/YY +>>>>>>>>>>&9 string x created %-.8s +# file name of print format like NORMAL.STY +>>0x1E string >0 \b, formatted by %-.66s +# count of pages in whole file for write variant; maybe some times wrong +>>96 uleshort >0 \b, %u pages +# name of the printer driver like HPLASMS +>>0x62 string >0 \b, %-.8s printer +# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0 +>>0x6A uleshort >0 \b, %u blocks +# bit field for corrected text areas +#>>0x6C uleshort x \b, %#x bit field +# text of document; some times start with 4 non printable characters like CR LF +>>128 ubyte x \b, +>>>128 ubyte >0x1F +>>>>128 string x %s +>>>128 ubyte <0x20 +>>>>129 ubyte >0x1F +>>>>>129 string x %s +>>>>129 ubyte <0x20 +>>>>>130 ubyte >0x1F +>>>>>>130 string x %s +>>>>>130 ubyte <0x20 +>>>>>>131 ubyte >0x1F +>>>>>>>131 string x %s +>>>>>>131 ubyte <0x20 +>>>>>>>132 ubyte >0x1F +>>>>>>>>132 string x %s +>>>>>>>132 ubyte <0x20 +>>>>>>>>133 ubyte >0x1F +>>>>>>>>>133 string x %s +# +0 string/b PO^Q` Microsoft Word 6.0 Document +!:mime application/msword +# +4 long 0 +>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0 +!:mime application/msword +!:ext mcw +>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0 +!:mime application/msword +!:ext mcw +>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0 +!:mime application/msword +!:ext mcw +>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0 +!:mime application/msword +!:ext mcw + +0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document +!:mime application/msword +!:ext doc +# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs +#512 string/b \354\245\301 Microsoft Word Document +#!:mime application/msword + +# +0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document +!:mime application/msword +# +0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document +!:mime application/msword + +# +0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet +!:mime application/vnd.ms-excel +# https://www.macdisk.com/macsigen.php +!:apple XCELXLS4 +!:ext xls +# +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3 +# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf +# Note: newer Lotus versions >2 use longer BOF record +# record type (BeginningOfFile=0000h) + length (001Ah) +0 belong 0x00001a00 +# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 +#>18 uleshort&0x73E0 0 +# Lotus Multi Byte Character Set (LMBCS=1-31) +>20 ubyte >0 +>>20 ubyte <32 Lotus 1-2-3 +#!:mime application/x-123 +!:mime application/vnd.lotus-1-2-3 +!:apple ????L123 +# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data" +>>>4 uleshort 0x1000 WorKsheet, version 3 +!:ext wk3 +# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data" +>>>4 uleshort 0x1002 WorKsheet, version 4 +# also worksheet template 4 (.wt4) +!:ext wk4/wt4 +# no example or documentation for wk5 +#>>4 uleshort 0x???? WorKsheet, version 4 +#!:ext wk5 +# only MacrotoScript.123 example +>>>4 uleshort 0x1003 WorKsheet, version 97 +# also worksheet template Smartmaster (.12M)? +!:ext 123 +# only Set_Y2K.123 example +>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium +!:ext 123 +# no example for this version +>>>4 uleshort 0x8001 FoRMatting data +!:ext frm +# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data" +# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet" +>>>4 uleshort 0x8007 ForMatting data, version 3 +!:ext fm3 +>>>4 default x unknown +# file revision sub code 0004h for worksheets +>>>>6 uleshort =0x0004 worksheet +!:ext wXX +>>>>6 uleshort !0x0004 formatting data +!:ext fXX +# main revision number +>>>>4 uleshort x \b, revision %#x +>>>6 uleshort =0x0004 \b, cell range +# active cellcoord range (start row, page,column ; end row, page, column) +# start values normally 0~1st sheet A1 +>>>>8 ulelong !0 +>>>>>10 ubyte >0 \b%d* +>>>>>8 uleshort x \b%d, +>>>>>11 ubyte x \b%d- +# end page mostly 0 +>>>>14 ubyte >0 \b%d* +# end raw, column normally not 0 +>>>>12 uleshort x \b%d, +>>>>15 ubyte x \b%d +# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??) +>>>>20 ubyte >1 \b, character set %#x +# flags +>>>>21 ubyte x \b, flags %#x +>>>6 uleshort !0x0004 +# record type (FONTNAME=00AEh) +>>>>30 search/29 \0\xAE +# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) +>>>>>&4 string >\0 \b, 1st font "%s" +# +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3 +# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT +# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x +# record type (BeginningOfFile=0000h) + length (0002h) +0 belong 0x00000200 +# GRR: line above is too general as it catches also MS Windows CURsor +# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) +!:strength -1 +# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h +>7 ubyte 0 +# skip Windows cursors with image width 256 and keep Lotus with positive opcode +>>6 ubyte >0 Lotus +# !:mime application/x-123 +!:mime application/vnd.lotus-1-2-3 +!:apple ????L123 +# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...) +# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3" +>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF) +!:ext cnf +>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J +!:ext cnf +>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1 +!:ext cnf +>>>4 uleshort 0x0802 Symphony CoNFiguration +!:ext cnf +>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2 +!:ext cnf +>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4 +!:ext cnf +>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x +!:ext cnf +>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x +!:ext cnf +# (version 5.26) labeled the entry as "Lotus 123" +# TrID labeles the entry as "Lotus 123 Worksheet (generic)" +>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1 +# extension "wks" also for Microsoft Works document +!:ext wks +# (version 5.26) labeled the entry as "Lotus 123" +# TrID labeles the entry as "Lotus 123 Worksheet (generic)" +>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0 +!:ext wrk/wr1 +# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data" +# TrID labeles the entry as "Lotus 123 Worksheet (V2)" +>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2 +# Symphony (.wr1) +!:ext wk1/wr1 +# no example for this japan version +>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ +!:ext wj1 +# no example or documentation for wk2 +#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2 +#!:ext wk2 +# undocumented japan version +>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J +!:ext wj3 +# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data" +>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x +# japan version 2.4J (fj3) +!:ext fmt/fj3 +# no example for this version +>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0 +!:ext frm +# (version 5.26) labeled the entry as "Lotus 1-2-3" +>>>4 default x unknown worksheet or configuration +!:ext cnf +>>>>4 uleshort x \b, revision %#x +# 2nd record for most worksheets describes cells range +>>>6 use lotus-cells +# 3rd record for most japan worksheets describes cells range +>>>(8.s+10) use lotus-cells +# check and then display Lotus worksheet cells range +0 name lotus-cells +# look for type (RANGE=0006h) + length (0008h) at record begin +>0 ubelong 0x06000800 \b, cell range +# cell range (start column, row, end column, row) start values normally 0,0~A1 cell +>>4 ulong !0 +>>>4 uleshort x \b%d, +>>>6 uleshort x \b%d- +# end of cell range +>>8 uleshort x \b%d, +>>10 uleshort x \b%d +# EndOfLotus123 +0 string/b WordPro\0 Lotus WordPro +!:mime application/vnd.lotus-wordpro +0 string/b WordPro\r\373 Lotus WordPro +!:mime application/vnd.lotus-wordpro + + +# Summary: Script used by InstallScield to uninstall applications +# Extension: .isu +# Submitted by: unknown +# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) +0 string \x71\xa8\x00\x00\x01\x02 +>12 string Stirling\ Technologies, InstallShield Uninstall Script + +# Winamp .avs +#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player +0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in + +# Windows Metafile .WMF +# URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile +# http://en.wikipedia.org/wiki/Windows_Metafile +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml +# Note: called "Windows Metafile" by TrID and +# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File) +# META_PLACEABLE Record (Aldus Placeable Metafile signature) +0 string/b \327\315\306\232 +# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119 +# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile" +# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h +# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300 +>26 uleshort&0xFDff =0x0100 Windows metafile +# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0 +# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf +>>4 uleshort !0 \b, resource handle %#x +# BoundingBox; the rectangle in the playback context measured in logical units for displaying +# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024) +# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589) +#>>6 ubequad x \b, bounding box %#16.16llx +# Left; x-coordinate of the upper-left corner of the rectangle +>>6 leshort x \b, bounding box (%d +# Top; y-coordinate upper-left corner +>>8 leshort x \b,%d +# Right; x-coordinate lower-right corner +>>10 leshort x / %d +# Bottom; y-coordinate lower-right corner +>>12 leshort x \b,%d) +# Inch; number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540 +>>14 uleshort x \b, dpi %u +# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf +>>16 ulelong !0 \b, reserved %#x +# Checksum; checksum for the previous 10 words +>>20 uleshort x \b, checksum %#x +# META_HEADER Record after META_PLACEABLE Record +>>22 use wmf-head +# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF +0 string/b \002\000\011\000 Windows metafile +>0 use wmf-head +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml +# Note: called "Windows Metafile (old Win 3.x format)" by TrID and +# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119 +# verified by XnView `nconvert -info *.wmf` as Windows metafile +# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9 +0 string/b \001\000\011\000 +# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011) +>18 ulelong >0 Windows metafile +# GRR: in version 5.44 unequal and not endian variant not working! +#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN +#>18 long !0 THIS_SHOULD_NOT_HAPPEN +>>0 use wmf-head +# display information of Windows metafile header (type, size, objects) +0 name wmf-head +# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk +>0 uleshort !0x0001 \b, type %#x +# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes) +>2 uleshort*2 !18 \b, header size %u +# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported +# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf +>4 uleshort =0x0100 \b, DIBs not supported +>4 uleshort =0x0300 +#>4 uleshort =0x0300 \b, DIBs supported +# this should not happen! +>4 default x \b, version +>>4 uleshort x %#x +# Size; the number of WORDs in the entire metafile +>6 ulelong x \b, size %u words +#>6 ulelong*2 x \b, size %u bytes +!:mime image/wmf +!:ext wmf +# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF +>10 uleshort x \b, %u objects +# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h +>12 ulelong x \b, largest record size %#x +# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf +>16 uleshort !0 \b, %u members + +#tz3 files whatever that is (MS Works files) +0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file +0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file +0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file + +# PGP sig files .sig +#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig +0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig +0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig +0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig +0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig +0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig +0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig + +# windows zips files .dmf +0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file + +# Windows icons +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CUR_(file_format) +# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG +0 belong 0x00000100 +>9 byte 0 +>>0 byte x +>>0 use cur-ico-dir +>9 ubyte 0xff +>>0 byte x +>>0 use cur-ico-dir +# displays number of icons and information for icon or cursor +0 name cur-ico-dir +# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with +# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h +>18 ulelong &0x00000006 +# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) +>>(18.l) ulelong x MS Windows +>>>0 ubelong 0x00000100 icon resource +# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon +!:mime image/vnd.microsoft.icon +#!:mime image/x-icon +!:ext ico +>>>>4 uleshort x - %d icon +# plural s +>>>>4 uleshort >1 \bs +# 1st icon +>>>>0x06 use ico-entry +# 2nd icon +>>>>4 uleshort >1 +>>>>>0x16 use ico-entry +>>>0 ubelong 0x00000200 cursor resource +#!:mime image/x-cur +!:mime image/x-win-bitmap +!:ext cur +>>>>4 uleshort x - %d icon +>>>>4 uleshort >1 \bs +# 1st cursor +>>>>0x06 use cur-entry +#>>>>0x16 use cur-entry +# display information of one cursor entry +0 name cur-entry +>0 use cur-ico-entry +>4 uleshort x \b, hotspot @%dx +>6 uleshort x \b%d +# display information of one icon entry +0 name ico-entry +>0 use cur-ico-entry +# normally 0 1 but also found 14 +>4 uleshort >1 \b, %d planes +# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256 +>6 uleshort >1 \b, %d bits/pixel +# display shared information of cursor or icon entry +0 name cur-ico-entry +>0 byte =0 \b, 256x +>0 byte !0 \b, %dx +>1 byte =0 \b256 +>1 byte !0 \b%d +# number of colors in palette +>2 ubyte !0 \b, %d colors +# reserved 0 FFh +#>3 ubyte x \b, reserved %x +#>8 ulelong x \b, image size %d +# offset of PNG or DIB image +#>12 ulelong x \b, offset %#x +# PNG header (\x89PNG) +>(12.l) ubelong =0x89504e47 +# 1 space char after "with" to get phrase "with PNG image" by magic in ./images +>>&-4 indirect x \b with +# DIB image +>(12.l) ubelong !0x89504e47 +#>>&-4 use dib-image + +# Windows non-animated cursors +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CUR_(file_format) +# Note: similar to Windows ICOn. container for BMP ( only DIB part) +# GRR: line below is too general as it catches also Lotus 1-2-3 files +0 belong 0x00000200 +>9 byte 0 +>>0 use cur-ico-dir +>9 ubyte 0xff +>>0 use cur-ico-dir + +# .chr files +0 string/b PK\010\010BGI Borland font +>4 string >\0 %s +# then there is a copyright notice + + +# .bgi files +0 string/b pk\010\010BGI Borland device +>4 string >\0 %s +# then there is a copyright notice + + +# Windows Recycle Bin record file (named INFO2) +# By Abel Cheung (abelcheung AT gmail dot com) +# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes +# Since Vista uses another structure, INFO2 structure probably won't change +# anymore. Detailed analysis in: +# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf +0 lelong 0x00000004 +>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) + +0 lelong 0x00000005 +>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) + +# From Doug Lee via a FreeBSD pr +9 string GERBILDOC First Choice document +9 string GERBILDB First Choice database +9 string GERBILCLIP First Choice database +0 string GERBIL First Choice device file +9 string RABBITGRAPH RabbitGraph file +0 string DCU1 Borland Delphi .DCU file +0 string =!<spell> MKS Spell hash list (old format) +0 string =!<spell2> MKS Spell hash list +# Too simple - MPi +#0 string AH Halo(TM) bitmapped font file +0 lelong 0x08086b70 TurboC BGI file +0 lelong 0x08084b50 TurboC Font file + +# Debian#712046: The magic below identifies "Delphi compiled form data". +# An additional source of information is available at: +# http://www.woodmann.com/fravia/dafix_t1.htm +0 string TPF0 +>4 pstring >\0 Delphi compiled form '%s' + +# tests for DBase files moved, updated and merged to database + +0 string PMCC Windows 3.x .GRP file +1 string RDC-meg MegaDots +>8 byte >0x2F version %c +>9 byte >0x2F \b.%c file + +# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm +# only for windows versions equal or greater 3.0 +0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File +!:mime application/x-dosexec +!:ext pif +#>2 string >\0 \b, Title:%.30s +>0x24 string >\0 \b for %.63s +>0x65 string >\0 \b, directory=%.64s +>0xA5 string >\0 \b, parameters=%.64s +#>0x181 leshort x \b, offset %x +#>0x183 leshort x \b, offsetdata %x +#>0x185 leshort x \b, section length %x +>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 +>>&0x5e ubyte >0 +>>>&-1 string <PIFMGR.DLL \b, icon=%s +#>>>&-1 string PIFMGR.DLL \b, icon=%s +>>>&-1 string >PIFMGR.DLL \b, icon=%s +>>&0xF0 ubyte >0 +>>>&-1 string <Terminal \b, font=%.32s +#>>>&-1 string =Terminal \b, font=%.32s +>>>&-1 string >Terminal \b, font=%.32s +>>&0x110 ubyte >0 +>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s +#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s +>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s +#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style +#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style +>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style +#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style +>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS +#>>&06 string x \b:%s +>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT +#>>&06 string x \b:%s + +# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C +# of http://www.davep.org/norton-guides/ng2h-105.tgz +# https://en.wikipedia.org/wiki/Norton_Guides +0 string NG\0\001 +# only value 0x100 found at offset 2 +>2 ulelong 0x00000100 Norton Guide +!:mime application/x-norton-guide +# often like NORTON.NG but some times like NC.HLP +!:ext ng/hlp +# Title[40] +>>8 string >\0 "%-.40s" +#>>6 uleshort x \b, MenuCount=%u +# szCredits[5][66] +>>48 string >\0 \b, %-.66s +>>114 string >\0 %-.66s + +# URL: https://en.wikipedia.org/wiki/Norton_Commander +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml +# From: Joerg Jenderek +# Note: Message file is used by executable with same main name. +# Only tested with version 5.50 (english) and 2.01 (Windows) +0 string Abort +# \0 or i +#>5 ubyte x %x +# skip ASCII Abort text by looking for error message like in NCVIEW.MSG +>6 search/7089 Non-DOS\ disk Norton Commander module message +!:mime application/x-norton-msg +!:ext msg + +# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml +# From: Joerg Jenderek +0 string DOS\ Client\ Message\ File: Novell DOS client message +#!:mime application/octet-stream +#!:mime application/x-novell-msg +!:ext msg +# look for second letter instead space character +>26 ubyte >0x20 +# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr +>>25 ubyte !0x20 %c +>>>26 ubyte !0x20 \b%c +>>>>27 ubyte !0x20 \b%c +>>>>>28 ubyte !0x20 \b%c +>>>>>>29 ubyte !0x20 \b%c +>>>>>>>30 ubyte !0x20 \b%c +>>>>>>>>31 ubyte !0x20 \b%c +>>>>>>>>>32 ubyte !0x20 \b%c +>>>>>>>>>>33 ubyte !0x20 \b%c +>>>>>>>>>>>34 ubyte !0x20 \b%c +>>>>>>>>>>>>35 ubyte !0x20 \b%c +>>>>>>>>>>>>>36 ubyte !0x20 \b%c +# followed by string like: 0 v.10 V1.20 +# +# followed by ,\040Tran +>28 search/14 ,\040Tran +# probably translated version string like: 0 v1.00 +>>&0 string x \b, tran version %s +# followed by Ctrl-J Ctrl-Z +>>>&0 ubyte !0xa \b, terminated by %#2.2x +>>>>&0 ubyte x \b%2.2x +# Ctrl-Z +>0x65 ubyte !0x1A \b, at 0x65 %#x +# one +>0x66 ubyte !0x01 \b, at 0x66 %#x +# URL: https://en.wikipedia.org/wiki/NetWare +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml +# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html +# From: Joerg Jenderek +0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data +#>35 string Version\ 1.00 +#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc. +#>83 string \ \ All\ Rights\ Reserved +#!:mime application/octet-stream +#!:mime application/x-novell-msg +!:ext msg +#!:ext msg/dat +# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS +# of https://www.4dos.info/ +# pointer,HelpID[8]=4DHnnnmm +0 ulelong 0x48443408 4DOS help file +>4 string x \b, version %-4.4s + +# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp +0 ulequad 0x3a000000024e4c MS Advisor help file + +# HtmlHelp files (.chm) +0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data +!:mime application/vnd.ms-htmlhelp +!:ext chm + +# GFA-BASIC (Wolfram Kleff) +2 string/b GFA-BASIC3 GFA-BASIC 3 data + +#------------------------------------------------------------------------------ +# From Stuart Caie <kyzer@4u.net> (developer of cabextract) +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format) +# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx +# Note: verified by `7z l *.cab` +# Microsoft Cabinet files +0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data +# +# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool +# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE +# because some archive does not have *.diag* as 1st or 2nd archive member like +# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab +# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section +>0x2c search/980/c .diag \b, Diagnostic +!:mime application/vnd.ms-cab-compressed +!:ext diagcab +# http://fileformats.archiveteam.org/wiki/PUZ +# Microsoft Publisher version about 2003 has a "Pack and Go" feature that +# bundles a Publisher document *PNG.pub with all links into a CAB +>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go +!:mime application/vnd.ms-cab-compressed +!:ext puz +# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation +>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go +!:mime application/vnd.ms-powerpoint +#!:mime application/mspowerpoint +!:ext ppz +# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets +# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/ +# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget +>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget +#!:mime application/vnd.ms-cab-compressed +# http://extension.nirsoft.net/gadget +!:mime application/x-windows-gadget +!:ext gadget +# http://www.incredimail.com/ +# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims +>0x2c search/3369/c content.ini\0 \b, IncrediMail +!:mime application/x-incredimail +# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf +>>0x2c search/83/c Flavor.htm\0 ecard +!:ext imf +# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims +>>0x2c search/211/c .swf\0 skin +!:ext ims +# member anim.im3 implies IncrediMail animation like in letter_fold.ima +>>0x2c search/92/c anim.im3\0 animation +!:ext ima +# other IncrediMail cab archive +>>0x2c default x +>>>0x2c search/116/c thumb ecard, image, notifier or skin +!:ext imf/imi/imn/ims +# http://file-extension.net/seeker/file_extension_ime +>>>0x2c default x emoticons or sound +!:ext ime/imw +# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail +>0x2c default x +# look for 1st member name +>>(16.l+16) ubyte x +# From: Joerg Jenderek +# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml +>>>&-1 string PackageInfo.xml \b, Device Metadata Package +!:mime application/vnd.ms-cab-compressed +!:ext devicemetadata-ms +# https://en.wikipedia.org/wiki/SNP_file_format +>>>&-1 string/c _accrpt_.snp \b, Access report snapshot +!:mime application/msaccess +!:ext snp +# https://en.wikipedia.org/wiki/Microsoft_InfoPath +>>>&-1 string manifest.xsf \b, InfoPath Form Template +!:mime application/vnd.ms-cab-compressed +#!:mime application/vnd.ms-infopath +!:ext xsn +# https://www.cabextract.org.uk/wince_cab_format/ +# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer +>>>&7 string =.000 \b, WinCE install +!:mime application/vnd.ms-cab-compressed +!:ext cab + +# https://support.microsoft.com/kb/934307/en-US +# All inspected MSU contain a file with name WSUSSCAN.cab +# that is called "Windows Update meta data" by Microsoft +>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update +!:mime application/vnd.ms-cab-compressed +!:ext msu +>>>&-1 default x +# look at point character of 1st archive member name for file name extension +# GRR: search range is maybe too large and match point else where like in EN600x64.cab! +>>>>&-1 search/255 . +# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm +# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 +# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB +>>>>>&0 string/c ppt\0 +>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go +!:mime application/vnd.ms-powerpoint +#!:mime application/mspowerpoint +!:ext ppz +# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386 +>>>>>>28 uleshort =1 \b, one packed PowerPoint +!:mime application/vnd.ms-cab-compressed +!:ext pp_ +# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx +# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack +# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack +>>>>>&0 string/c theme \b, Windows +!:mime application/x-windows-themepack +# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8 +# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack +# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme +>>>>>>(16.l+16) string =Panoram 8 +!:ext deskthemepack +>>>>>>(16.l+16) string !Panoram 7 or 8 +!:ext themepack/deskthemepack +>>>>>>(16.l+16) ubyte x Theme Pack +# URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format +# http://fileformats.archiveteam.org/wiki/OneNote +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml +# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor Öffnen.onetoc2" +>>>>>&0 string/c one \b, OneNote Package +!:mime application/msonenote +!:ext onepkg +>>>>>&0 default x +# look for null terminator of 1st member name +>>>>>>&0 search/255 \0 +# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu +>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update +!:mime application/vnd.ms-cab-compressed +!:ext msu +>>>>>>>&16 default x +# archive with more then one file need some output in version 5.32 to avoid error message like +# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type +# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file: could not find any valid magic files! +>>>>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +!:ext cab +# remaining archives with just one file +>>>>>>>>28 uleshort =1 +# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386 +>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup +# cut of last char of source extension and add underscore to generate extension +# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_ +!:mime application/vnd.ms-cab-compressed +!:ext _/?_/??_ +# archive need some output like "single" in version 5.32 to avoid error messages +>>>>>>>>>30 uleshort !0x0000 \b, single +!:mime application/vnd.ms-cab-compressed +!:ext cab +# first archive name without point character +>>>>&-1 default x +>>>>>28 uleshort =1 \b, single +!:mime application/vnd.ms-cab-compressed +# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._ +!:ext _ +>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab +!:ext cab +# TODO: additional extensions like +# .xtp InfoPath Template Part +# .lvf Logitech Video Effects Face Accessory +>8 ulelong x \b, %u bytes +>28 uleshort 1 \b, 1 file +>28 uleshort >1 \b, %u files +# Reserved fields, set to zero +#>4 belong !0 \b, reserved1 %x +#>12 belong !0 \b, reserved2 %x +# offset of the first CFFILE entry coffFiles: minimal 2Ch +>16 ulelong x \b, at %#x +>(16.l) use cab-file +# at least also 2nd member +>28 uleshort >1 +>>(16.l+16) ubyte x +>>>&0 search/255 \0 +# second member info +>>>>&0 use cab-file +#>20 belong !0 \b, reserved %x +# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3 +>24 ubeshort !0x0301 \b version %#x +# number of CFFOLDER entries +>26 uleshort >1 \b, %u cffolders +# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields +# only found for flags 0 1 2 3 4 not 7 +>30 uleshort >0 \b, flags %#x +# Cabinet files have a 16-bit cabinet setID field that is designed for application use. +# default is zero, however, the -i option of cabarc can be used to set this field +>32 uleshort >0 \b, ID %u +# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet +#>34 uleshort x \b, iCabinet %u +# add one for display because humans start numbering by 1 and also fit to name of disk szDisk* +>34 uleshort+1 x \b, number %u +>30 uleshort &0x0004 \b, extra bytes +# cbCFHeader optional size of per-cabinet reserved area 14h 1800h +>>36 uleshort >0 %u in head +# cbCFFolder is optional size of per-folder reserved area +>>38 ubyte >0 %u in folder +# cbCFData is optional size of per-datablock reserved area +>>39 ubyte >0 %u in data block +# optional per-cabinet reserved area abReserve[cbCFHeader] +>>36 uleshort >0 +# 1st CFFOLDER after reserved area in header +>>>(36.s+40) use cab-folder +# no reserved area in header +>30 uleshort ^0x0004 +# no previous and next cab archive +>>30 uleshort =0x0000 +>>>36 use cab-folder +# only previous cab archive +>>30 uleshort =0x0001 \b, previous +>>>36 use cab-anchor +# only next cab archive +>>30 uleshort =0x0002 \b, next +>>>36 use cab-anchor +# previous+next cab archive +# can not use sub routine cab-anchor to display previous and next cabinet together +#>>>36 use cab-anchor +#>>>>&0 use cab-anchor +>>30 uleshort =0x0003 \b, previous +>>>36 string x %s +# optional name of previous disk szDisk* +>>>>&1 string x disk %s +>>>>>&1 string x \b, next %s +# optional name of previous disk szDisk* +>>>>>>&1 string x disk %s +>>>>>>>&1 use cab-folder +# display filename and disk name of previous or next cabinet +0 name cab-anchor +# optional name of previous/next cabinet file szCabinet*[255] +>&0 string x %s +# optional name of previous/next disk szDisk*[255] +>>&1 string x disk %s +# display folder structure CFFOLDER information like compression of cabinet +0 name cab-folder +# offset of the CFDATA block in this folder +#>0 ulelong x \b, coffCabStart %#x +# number of CFDATA blocks in folder +>4 uleshort x \b, %u datablock +# plural s +>4 uleshort >1 \bs +# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15 +>6 uleshort x \b, %#x compression +# optional per-folder reserved area +#>8 ubequad x \b, abReserve %#llx +# display member structure CFFILE information like member name of cabinet +0 name cab-file +# cbFile is uncompressed size of file in bytes +#>0 ulelong x \b, cbFile %u +# uoffFolderStart is uncompressed offset of file in folder +#>4 ulelong >0 \b, uoffFolderStart %#x +# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet +# define ifoldCONTINUED_FROM_PREV (0xFFFD) +# define ifoldCONTINUED_TO_NEXT (0xFFFE) +# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) +>8 uleshort >0 \b, iFolder %#x +# date stamp for file +>10 lemsdosdate x last modified %s +# time stamp for file +>12 lemsdostime x %s +# attribs is attribute flags for file +# define _A_RDONLY (0x01) file is read-only +# define _A_HIDDEN (0x02) file is hidden +# define _A_SYSTEM (0x04) file is a system file +# define _A_ARCH (0x20) file modified since last backup +# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab +# define _A_EXEC (0x40) run after extraction +# define _A_NAME_IS_UTF (0x80) szName[] contains UTF +# define UNKNOWN (0x0100) undocumented or accident +#>14 uleshort x \b, attribs %#x +>14 uleshort >0 + +>>14 uleshort &0x0001 \bR +>>14 uleshort &0x0002 \bH +>>14 uleshort &0x0004 \bS +>>14 uleshort &0x0020 \bA +>>14 uleshort &0x0040 \bX +>>14 uleshort &0x0080 \bUtf +# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB +>>14 uleshort &0x0100 \b? +# szName is name of archive member +>16 string x "%s" +# next archive member name if more files +#>>&17 string >\0 \b, NEXT NAME %-.50s + +# InstallShield Cabinet files +0 string/b ISc( InstallShield Cabinet archive data +>5 byte&0xf0 =0x60 version 6, +>5 byte&0xf0 !0x60 version 4/5, +>(12.l+40) lelong x %u files + +# Windows CE package files +0 string/b MSCE\0\0\0\0 Microsoft WinCE install header +>20 lelong 0 \b, architecture-independent +>20 lelong 103 \b, Hitachi SH3 +>20 lelong 104 \b, Hitachi SH4 +>20 lelong 0xA11 \b, StrongARM +>20 lelong 4000 \b, MIPS R4000 +>20 lelong 10003 \b, Hitachi SH3 +>20 lelong 10004 \b, Hitachi SH3E +>20 lelong 10005 \b, Hitachi SH4 +>20 lelong 70001 \b, ARM 7TDMI +>52 leshort 1 \b, 1 file +>52 leshort >1 \b, %u files +>56 leshort 1 \b, 1 registry entry +>56 leshort >1 \b, %u registry entries + + +# Windows Enhanced Metafile (EMF) +# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp +# for further information. +0 ulelong 1 +>40 string \ EMF Windows Enhanced Metafile (EMF) image data +>>44 ulelong x version %#x + + +0 string/b \224\246\056 Microsoft Word Document +!:mime application/msword + +# From: "Nelson A. de Oliveira" <naoliv@gmail.com> +# Magic type for Dell's BIOS .hdr files +# Dell's .hdr +0 string/b $RBU +>23 string Dell %s system BIOS +>5 byte 2 +>>48 byte x version %d. +>>49 byte x \b%d. +>>50 byte x \b%d +>5 byte <2 +>>48 string x version %.3s + +# Type: Microsoft Document Imaging Format (.mdi) +# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format +# From: Daniele Sempione <scrows@oziosi.org> +# Too weak (EP) +#0 short 0x5045 Microsoft Document Imaging Format + +# MS eBook format (.lit) +0 string/b ITOLITLS Microsoft Reader eBook Data +>8 lelong x \b, version %u +!:mime application/x-ms-reader + +# Windows CE Binary Image Data Format +# From: Dr. Jesus <j@hug.gs> +0 string/b B000FF\n Windows Embedded CE binary image + +# The second byte of these signatures is a file version; I don't know what, +# if anything, produced files with version numbers 0-2. +# From: John Elliott <johne@seasip.demon.co.uk> +0 string \xfc\x03\x00 Mallard BASIC program data (v1.11) +0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+) +0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11) +0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+) + +0 string MIOPEN Mallard BASIC Jetsam data +0 string Jetsam0 Mallard BASIC Jetsam index data + +# DOS backup 2.0 to 3.2 +# URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS) +# Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm +# backupid.@@@ + +# plausibility check for date +0x3 ushort >1979 +>0x5 ubyte-1 <31 +>>0x6 ubyte-1 <12 +# actually 121 nul bytes +>>>0x7 string \0\0\0\0\0\0\0\0 +>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d +#!:mime application/octet-stream +!:ext @@@ +>>>>0x0 ubyte 0xff \b, last disk + +# backed up file + +# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd +# by looking for trailing nul of maximal file name string +0x52 ubyte 0 +# test for flag byte: FFh~complete file, 00h~split file +# FFh -127 = -1 -127 = -128 +# 00h -127 = 0 -127 = -127 +>0 byte-127 <-126 +# plausibility check for file name length +>>0x53 ubyte-1 <78 +# looking for terminating nul of file name string +>>>(0x53.b+4) ubyte 0 +# looking if last char of string is valid DOS file name +>>>>(0x53.b+3) ubyte >0x1F +# actually 44 nul bytes +# but sometimes garbage according to Ralf Quint. So can not be used as test +#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator +# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE +>>>>>5 ubyte&0x8C 0x0C +# ./msdos (version 5.30) labeled the entry as +# "DOS 2.0 backed up file %s, split file, sequence %d" or +# "DOS 2.0 backed up file %s, complete file" +>>>>>>0 ubyte x DOS 2.0-3.2 backed up +#>>>>>>0 ubyte 0xff complete +>>>>>>0 ubyte 0 +>>>>>>>1 uleshort x sequence %d of +# full file name with path but without drive letter and colon stored from 0x05 til 0x52 +>>>>>>0x5 string x file %s +#!:mime application/octet-stream +# backup name is original filename +#!:ext doc/exe/rar/zip +#!:ext * +# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' +# file: line 1169: Bad magic entry ' *' +# after header original file content +>>>>>>128 indirect x \b; + + +# DOS backup 3.3 to 5.x + +# CONTROL.nnn files +0 string \x8bBACKUP\x20 +# actually 128 nul bytes +>0xa string \0\0\0\0\0\0\0\0 +>>0x9 ubyte x DOS 3.3 backup control file, sequence %d +>>0x8a ubyte 0xff \b, last disk + +# NB: The BACKUP.nnn files consist of the files backed up, +# concatenated. + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time +# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime +# Note: DOS date+time format is different from formats such as Unix epoch +# bit encoded; uses year values relative to 1980 and 2 second precision +0 name dos-date +# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2) +#>0 uleshort x RAW TIME [%#4.4x] +# hour part +#>0 uleshort/2048 x hour [%u] +# YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31) +#>2 uleshort x RAW DATE [%#4.4x] +# day part +>2 uleshort&0x001F x %u +#>2 uleshort/16 x MONTH PART [%#x] +# GRR: not working +#>2 uleshort/16 &0x000F MONTH [%u] +#>2 uleshort&0x01E0 x MONTH PART [%#4.4x] +>2 uleshort&0x01E0 =0x0020 jan +>2 uleshort&0x01E0 =0x0040 feb +>2 uleshort&0x01E0 =0x0060 mar +>2 uleshort&0x01E0 =0x0080 apr +>2 uleshort&0x01E0 =0x00A0 may +>2 uleshort&0x01E0 =0x00C0 jun +>2 uleshort&0x01E0 =0x00E0 jul +>2 uleshort&0x01E0 =0x0100 aug +>2 uleshort&0x01E0 =0x0120 sep +>2 uleshort&0x01E0 =0x0140 oct +>2 uleshort&0x01E0 =0x0160 nov +>2 uleshort&0x01E0 =0x0180 dec +# year part +>2 uleshort/512 x 1980+%u +# diff --git a/magic/Magdir/msooxml b/magic/Magdir/msooxml new file mode 100644 index 0000000..905017e --- /dev/null +++ b/magic/Magdir/msooxml @@ -0,0 +1,68 @@ + +#------------------------------------------------------------------------------ +# $File: msooxml,v 1.19 2023/03/14 19:46:15 christos Exp $ +# msooxml: file(1) magic for Microsoft Office XML +# From: Ralf Brown <ralf.brown@gmail.com> + +# .docx, .pptx, and .xlsx are XML plus other files inside a ZIP +# archive. The first member file is normally "[Content_Types].xml". +# but some libreoffice generated files put this later. Perhaps skip +# the "[Content_Types].xml" test? +# Since MSOOXML doesn't have anything like the uncompressed "mimetype" +# file of ePub or OpenDocument, we'll have to scan for a filename +# which can distinguish between the three types + +0 name msooxml +>0 string word/ Microsoft Word 2007+ +!:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document +!:ext docx +>0 string ppt/ Microsoft PowerPoint 2007+ +!:mime application/vnd.openxmlformats-officedocument.presentationml.presentation +!:ext pptx +>0 string xl/ Microsoft Excel 2007+ +!:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet +!:ext xlsx +>0 string visio/ Microsoft Visio 2013+ +!:mime application/vnd.ms-visio.drawing.main+xml +>0 string AppManifest.xaml Microsoft Silverlight Application +!:mime application/x-silverlight-app + +# start by checking for ZIP local file header signature +0 string PK\003\004 +!:strength +10 +# make sure the first file is correct +>0x1E use msooxml +>0x1E default x +>>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps|customXml +# skip to the second local file header +# since some documents include a 520-byte extra field following the file +# header, we need to scan for the next header +>>>(18.l+49) search/6000 PK\003\004 +# now skip to the *third* local file header; again, we need to scan due to a +# 520-byte extra field following the file header +>>>>&26 search/6000 PK\003\004 +# and check the subdirectory name to determine which type of OOXML +# file we have. Correct the mimetype with the registered ones: +# https://technet.microsoft.com/en-us/library/cc179224.aspx +>>>>>&26 use msooxml +>>>>>&26 default x +# OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml +# Some OOXML generators add an extra customXml directory. Check another file. +>>>>>>>&26 default x +>>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>>&26 use msooxml +>>>>>>>>>&26 default x Microsoft OOXML +>>>>>>>&26 default x Microsoft OOXML +>>>>>&26 default x Microsoft OOXML +>>0x1E regex \\[trash\\] +>>>&26 search/6000 PK\003\004 +>>>>&26 search/6000 PK\003\004 +>>>>>&26 use msooxml +>>>>>&26 default x +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml +>>>>>>>&26 default x Microsoft OOXML +>>>>>>&26 default x Microsoft OOXML +>>>>>&26 default x Microsoft OOXML diff --git a/magic/Magdir/msvc b/magic/Magdir/msvc new file mode 100644 index 0000000..fbfa4f2 --- /dev/null +++ b/magic/Magdir/msvc @@ -0,0 +1,222 @@ + +#------------------------------------------------------------------------------ +# $File: msvc,v 1.11 2022/01/17 17:17:30 christos Exp $ +# msvc: file(1) magic for msvc +# "H. Nanosecond" <aldomel@ix.netcom.com> +# Microsoft visual C +# +# I have version 1.0 + +# .aps +0 string HWB\000\377\001\000\000\000 Microsoft Visual C .APS file + +# .ide +#too long 0 string \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157\152\145\143\164\040\106\151\154\145\012\000\032\000\002\000\262\000\272\276\372\316 MSVC .ide +0 string \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157 MSVC .ide + +# .res +0 string \000\000\000\000\040\000\000\000\377 MSVC .res +0 string \377\003\000\377\001\000\020\020\350 MSVC .res +0 string \377\003\000\377\001\000\060\020\350 MSVC .res + +#.lib +# URL: https://en.wikipedia.org/wiki/Microsoft_Visual_C%2B%2B +# http://fileformats.archiveteam.org/wiki/Microsoft_Library +# http://fileformats.archiveteam.org/wiki/OMF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-msvc.trid.xml +# https://pierrelib.pagesperso-orange.fr/exec_formats/OMF_v1.1.pdf +# Update: Joerg Jenderek +#0 string \360\015\000\000 Microsoft Visual C library +#0 string \360\075\000\000 Microsoft Visual C library +#0 string \360\175\000\000 Microsoft Visual C library +# test for RecordType~LibraryHeaderRecord=0xF0 + RecordLength=???Dh + dictionary offset is multiple of 0x200 +0 ubelong&0xFF0f80ff =0xF00d0000 +# Microsoft Visual C library (strength=70) before MIDI SysEx messages (strength=50) handled by ./sysex +#!:strength +0 +# test for valid 2nd RecordType~Translator Header Record=THEADR=80h or LHEADR=82h +>(1.s+3) ubyte&0xFD =0x80 +>>0 use omf-lib +# display information about Microsoft Visual C/OMF library +0 name omf-lib +# RecordType~LibraryHeaderRecord=0xF0 +#>0 byte 0xF0 Microsoft Visual C library +# the above description was used in file version 5.41 +>0 byte 0xF0 Microsoft Visual C/OMF library +#>0 byte 0xF0 relocatable Object Module Format (OMF) libray +#!:mime application/octet-stream +!:mime application/x-omf-lib +!:ext lib +# 1st record data length like 13=0Dh 29=1Dh 61=3Dh 125=7Dh 509=01FDh ... 32765=7FFDh +#>1 uleshort x \b, 1st record data length %u +#>1 uleshort x \b, 1st record data length %#x +# 2**4=16 <= RecordLength+3 = PageSize = 2**n {16 32 512 no examples 64 128 256 1024 2048 ...32768} <= 2**15=32768 +>1 uleshort+3 x \b, page size %u +# dictionary offset like: 400h 600h a00h c00h 1200h 1800h 2400h 5600h 12800h 19200h 28a00h +>3 ulelong x \b, at %#x dictionary +# dictionary block a 512 bytes; the first 37 bytes correspond to the 37 buckets +#>(3.l) ubequad x (%#16.16llx...) +# dictionary size; length in 512-byte blocks; a prime number? like: +# 1 2 3 4 5 6 7 9 11 13 15 16 18 21 22 23 24 25 31 50 53 89 101 117 277 +>7 uleshort x with %u block +# plurals s +>7 uleshort >1 \bs +# If dictionary byte 38 (FFLAG) has the value 255, there is no space left +>(3.l+37) ubyte <0xFF (FFLAG=%#x) +>(3.l+37) ubyte =0xFF (FFLAG=full) +# dictionary entry; length byte of following symbol, the following text bytes of symbol, two bytes specifies the page number +# like: dbfntx1! DBFNTX.LIB zlibCompileFlags_ ZLIB.LIB atoi! mwlibc.lib +>(3.l+38) pstring x 1st entry %s +# like: 1 33 41 47 458 8783 +>>&0 uleshort x in page %u +# library flags; 0 or 1, but WHAT IS 0x4d in MOUSE.LIB ? +>9 ubyte >1 \b, flags %#x +>9 ubyte =1 case sensitive +# In the library after header comes first object module with a Library Module Header Record (LHEADR=82h) +# but in examples Translator Header Record (THEADR=80h) which is handled identically +>(1.s+3) ubyte x \b, 2nd record +>(1.s+3) ubyte !0x80 (type %#x) +#>(1.s+4) uleshort x \b, 2nd record data length %u +# Module name often source name like "dos\crt0.asm" in mlibce.lib or "QB4UTIL.ASM" in QB4UTIL.LIB +# or "C:\Documents and Settings\Allan Campbell\My Documents\FDOSBoot\zlib\zutil.c" in ZLIB.LIB +# or title like "87INIT" in FP87.LIB or "ACOSASIN" in MATHC.LIB or "Copyright" in calc-bcc.lib +>(1.s+6) pstring x "%s" +# 2nd record checksum +#>>&0 ubyte x checksum %#x +# 3rd RecordType: 96h~LNAMES 88h~COMENT +>>&1 ubyte x \b, 3rd record +>>&1 ubyte !0x88 +>>>&-1 ubyte !0x96 +# 3rd unusual record type +>>>>&-1 ubyte x (type %#x) +# 3rd record is a List of Names Record (LNAMES=96h) +>>&1 ubyte =0x96 LNAMES +# LNAMES record length like: 2 15 19 +#>>>&0 uleshort x \b, LNAMES record length %u +>>>&0 uleshort >2 +# 1st LNAME string length; null is valid; maximal 255 +#>>>>&0 ubyte x 1st LNAME length %u +>>>>&0 ubyte =0 +# 2nd LNAME length like: 4 7 8 17 31 +#>>>>>&0 ubyte x 2nd LNAME length %u +# name used for segment, class, group, overlay, etc like: +# CODE (mwlibc.lib) _TEXT32 (JMPPM32.LIB) _OVLCODE (WOVL.LIB) +>>>>>&0 pstring x %s +# 3rd LNAME length like: 4 5 +#>>>>>>&0 ubyte x 3rd LNAME length %u +# like: DATA (mwlibc.lib) CODE (JMPPM32.LIB) _TEXT (EMU87.LIB) +>>>>>>&0 pstring x %s +# maybe 4th LNAME length like: 4 6 +>>>>>>>&0 ubyte <44 +# like: DATA (DEBUG.LIB) DGROUP (mwlibc.lib MOUSE.LIB) +>>>>>>>>&-1 pstring x %s +# 3rd record is a COMMENT (Including all comment class extensions) +>>&1 ubyte =0x88 COMMENT +# comment record length like: 3 FLIB7M.LIB 1Bh 1Eh 23h 27h 2Bh 30h freetype-bcc.lib +#>>>&0 uleshort x \b, record length %#x +# real comment length = record length - 1 (comment type) - 1 (comment Class) - 1 (checksum) -1 (char count) +# like: 2 LIBFL.LIB 4 "UUID" 5 "dscap" 6 "int386" 7 "qb4util" 8 "AMSGEXIT" 16 REXX.LIB 20 27 35 44 freetype-bcc.lib +#>>>>&-2 uleshort-4 >0 \b, comment length %u +# check that record contain at least comment type (1 byte), comment class (1 byte), checksum (1 byte) +# probably always true +>>>&0 uleshort >2 +# comment type: 80h~NP~no purge bit 40h~NL~no list bit +#>>>>&0 ubyte !0 Type %#x +>>>>&0 ubyte &0x80 Preserved +# no example +>>>>&0 ubyte &0x40 NoList +# comment class like: 0~Translator A0~OMF extensions A3~LIBMOD A1~New OMF extensions AA~UNKNOWN +>>>>&1 ubyte x class=%#x +# check that comment record contains at least real content +>>>>&-2 uleshort >3 +# Translator comment record (0); it may name the source language or translator +>>>>>&1 ubyte =0 Translator +#>>>>>>&0 ubyte x Translator length %u +# like: "TC86 Borland Turbo C 2.01 " (GEMS.LIB) "TC86 Borland Turbo C++ 3.00" (CATDB.LIB) +>>>>>>&0 pstring x "%s" +# OMF extensions comment record (A0); first byte of commentary string identifies subtype +>>>>>&1 ubyte =0xA0 OMF extensions +# A0 subtype like: 1~IMPDEF +>>>>>>&0 ubyte !1 subtype %#x +# Import Definition Record (Comment Class A0, Subtype 01~IMPDEF) +>>>>>>&0 ubyte 1 IMPDEF +# ordinal flag; determines form of Entry Ident field. If nonzero (seems to be 1) Entry is ordinal +>>>>>>>&0 ubyte !0 ordinal +# like: IMPORT.LIB DOSCALLS.LIB mlibw.lib mwinlibc.lib REXX.LIB +>>>>>>>>&-1 ubyte >1 %u +# Internal Name in count, char string format; module name for the imported symbol +# like: 7 "REXXSAA" 9 11 13 14 15 16 20 21 26 "_Z10_clip_linePdS_S_S_dddd" +#>>>>>>>&1 ubyte x internal name length %u +# internal module name like: _DllGetVersion DllGetVersion BezierTerminationTest Copyright +>>>>>>>&1 pstring x %s +# module name in count, char string format; DLL name that supplies a matching export symbol +# like: jpeg62.dll (jpeg-bcc.lib) unrar3.dll (unrar-bcc.lib) REXX (REXX.LIB) +>>>>>>>>&0 pstring x exported by %s +# Entry Ident; 16-bit if ordinal flag != 0 or imported name in count, char string format if ordinal flag = 0 +# like: \0 (calc-bcc.lib) DllGetVersion (libtiff-bcc.lib) UTF8ToHtml (libxml2-bcc.lib) xslAddCall (libxslt-bcc.lib) +#>>>>>>>>>&0 pstring >\0 entry ident %s +# "New OMF" extensions comment (A1); indicate version of symbolic debug information +# like: LIBFL.LIB +>>>>>&1 ubyte =0xA1 New OMF extensions +# symbolic debug information version n +>>>>>>&0 ubyte x n=%u +# symbolic debug information style like: HL~IBM PM Debugger style (LIBFL.LIB) DX~AIX style CV~Microsoft symbol and type style +>>>>>>>&0 string HL IBM style +>>>>>>>&0 string DX AIX style +>>>>>>>&0 string CV Microsoft style +# LIBMOD comment record (A3) used only by the librarian +# Microsoft extension added for LIB version 3.07 in macro assembler (MASM 5.0) +>>>>>&1 ubyte =0xA3 LIBMOD +# The A3 LIBMOD record contains only the ASCII string of the module name in count char format +#>>>>>>&0 ubyte x LIBMOD length %u +# LIBMOD comment record module name without path and extension like: +# qb4util (QB4UTIL.LIB) affaldiv (libh.lib) crt0 (slibc.lib) clipper (DDDRAWS.LIB) dinpdev (DINPUTS.LIB) UUID (UUID.LIB) +>>>>>>&0 pstring x %s +# GRR: WHAT iS THAT? AA foo comment record +#>>>>>&1 ubyte =0xAA AA-comment +# like: OS220 +#>>>>>>&0 string x what=%-5.5s +# + +#.pch +0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch + +# Summary: Symbol Table / Debug info used by Microsoft compilers +# URL: https://en.wikipedia.org/wiki/Program_database +# Reference: https://code.google.com/p/pdbparser/wiki/MSF_Format +# Update: Joerg Jenderek +# Note: test only for Windows XP+SP3 x86 , 8.1 x64 arm and 10.1 x86 +# info does only applies partly for older files like msvbvm50.pdb about year 2001 +0 string Microsoft\ C/C++\040 +# "Microsoft Program DataBase" by TrID +>24 search/14 \r\n\x1A MSVC program database +!:mime application/x-ms-pdb +!:ext pdb +# "MSF 7.00" "program database 2.00" for msvbvm50.pdb +>>16 regex \([0-9.]+\) ver %s +#>>>0x38 search/128123456 /LinkInfo \b with linkinfo +# "MSF 7.00" variant +>>0x1e leshort 0 +# PageSize 400h 1000h +>>>0x20 lelong x \b, %d +# Page Count +>>>0x28 lelong x \b*%d bytes +# "program database 2.00" variant +>>0x1e leshort !0 +# PageSize 400h +>>>0x2c lelong x \b, %d +# Page Count for msoo-dll.pdb 4379h +>>>0x32 leshort x \b*%d bytes + +# Reference: https://github.com/Microsoft/vstest/pull/856/commits/fdc7a9f074ca5a8dfeec83b1be9162bf0cf4000d +0 string/c bsjb\001\000\001\000\000\000\000\000\f\000\000\000pdb\ v1.0 Microsoft Roslyn C# debugging symbols version 1.0 + +#.sbr +0 string \000\002\000\007\000 MSVC .sbr +>5 string >\0 %s + +#.bsc +0 string \002\000\002\001 MSVC .bsc + +#.wsp +0 string 1.00\ .0000.0000\000\003 MSVC .wsp version 1.0000.0000 +# these seem to start with the version and contain menus diff --git a/magic/Magdir/msx b/magic/Magdir/msx new file mode 100644 index 0000000..60e1656 --- /dev/null +++ b/magic/Magdir/msx @@ -0,0 +1,309 @@ + +#------------------------------------------------------------------------------ +# msx: file(1) magic for the MSX Home Computer +# v1.3 +# Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> + +############## MSX Music file formats ############## + +# Gigamix MGSDRV music file +0 string/b MGS MSX Gigamix MGSDRV3 music file, +>6 ubeshort 0x0D0A +>>3 byte x \bv%c +>>4 byte x \b.%c +>>5 byte x \b%c +>>8 string >\0 \b, title: %s + +1 string/b mgs2\ MSX Gigamix MGSDRV2 music file +>6 uleshort 0x80 +>>0x2E uleshort 0 +>>>0x30 string >\0 \b, title: %s + +# KSS music file +0 string/b KSCC KSS music file v1.03 +>0xE byte 0 +>>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) +>>0xF byte&0x02 2 \b, soundchip(s): SN76489 +>>>0xF byte&0x04 4 stereo +>>0xF byte&0x01 1 \b, YM2413 +>>0xF byte&0x08 8 \b, Y8950 + +0 string/b KSSX KSS music file v1.20 +>0xE byte&0xEF 0 +>>0xF byte&0x40 0x00 \b, 60Hz +>>0xF byte&0x40 0x40 \b, 50Hz +>>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) +>>0xF byte&0x02 0x02 \b, soundchips: SN76489 +>>>0xF byte&0x04 0x04 stereo +>>0xF byte&0x01 0x01 \b, +>>>0xF byte&0x18 0x00 \bYM2413 +>>>0xF byte&0x18 0x08 \bYM2413, Y8950 +>>>0xF byte&0x18 0x18 \bYM2413+Y8950 pseudostereo +>>0xF byte&0x18 0x10 \b, Majyutsushi DAC + +# Moonblaster for Moonsound +0 string/b MBMS +>4 byte 0x10 MSX Moonblaster for MoonSound music + +# Music Player K-kaz +0 string/b MPK MSX Music Player K-kaz song +>6 ubeshort 0x0D0A +>>3 byte x v%c +>>4 byte x \b.%c +>>5 byte x \b%c + +# I don't know why these don't work +#0 search/0xFFFF \r\n.FM9 +#>0 search/0xFFFF \r\n#FORMAT MSX Music Player K-kaz source MML file +#0 search/0xFFFF \r\nFM1\ \= +#>0 search/0xFFFF \r\nPSG1\= +#>>0 search/0xFFFF \r\nSCC1\= MSX MuSiCa MML source file + +# OPX Music file +0x35 beshort 0x0d0a +>0x7B beshort 0x0d0a +>>0x7D byte 0x1a +>>>0x87 uleshort 0 MSX OPX Music file +>>>>0x86 byte 0 v1.5 +>>>>>0 string >\32 \b, title: %s +>>>>0x86 byte 1 v2.4 +>>>>>0 string >\32 \b, title: %s + +# SCMD music file +0x8B string/b SCMD +>0xCE uleshort 0 MSX SCMD Music file +#>>-2 uleshort 0x6a71 ; The file must end with this value. How to code this here? +>>0x8F string >\0 \b, title: %s + +0 search/0xFFFF \r\n@title +>&0 search/0xFFFF \r\n@m=[ MSX SCMD source MML file + + +############## MSX image file formats ############## + +# MSX raw VRAM dump +0 ubyte 0xFE +>1 uleshort 0 +>>5 uleshort 0 +>>>3 uleshort 0x37FF MSX SC2/GRP raw image +>>>3 uleshort 0x6A00 MSX Graph Saurus SR5 raw image +>>>3 uleshort >0x769E +>>>>3 uleshort <0x8000 MSX GE5/GE6 raw image +>>>>>3 uleshort 0x7FFF \b, with sprite patterns +>>>3 uleshort 0xD3FF MSX screen 7-12 raw image +>>>3 uleshort 0xD400 MSX Graph Saurus SR7/SR8/SRS raw image + +# Graph Saurus compressed images +0 ubyte 0xFD +>1 uleshort 0 +>>5 uleshort 0 +>>>3 uleshort >0x013D MSX Graph Saurus compressed image + +# MSX G9B image file +0 string/b G9B +>1 uleshort 11 +>>3 uleshort >10 +>>>5 ubyte >0 MSX G9B image, depth=%d +>>>>8 uleshort x \b, %dx +>>>>10 uleshort x \b%d +>>>>5 ubyte <9 +>>>>>6 ubyte 0 +>>>>>>7 ubyte x \b, codec=%d RGB color palettes +>>>>>6 ubyte 64 \b, codec=RGB fixed color +>>>>>6 ubyte 128 \b, codec=YJK +>>>>>6 ubyte 192 \b, codec=YUV +>>>>5 ubyte >8 codec=RGB fixed color +>>>>12 ubyte 0 \b, raw +>>>>12 ubyte 1 \b, bitbuster compression + +############## Other MSX file formats ############## + +# MSX internal ROMs +0 ubeshort 0xF3C3 +>2 uleshort <0x4000 +>>8 ubyte 0xC3 +>>>9 uleshort <0x4000 +>>>>0x0B ubeshort 0x00C3 +>>>>>0x0D uleshort <0x4000 +>>>>>>0x0F ubeshort 0x00C3 +>>>>>>>0x11 uleshort <0x4000 +>>>>>>>>0x13 ubeshort 0x00C3 +>>>>>>>>>0x15 uleshort <0x4000 +>>>>>>>>>>0x50 ubyte 0xC3 +>>>>>>>>>>>0x51 uleshort <0x4000 +>>>>>>>>>>>>(9.s) ubyte 0xC3 +>>>>>>>>>>>>>&0 uleshort >0x4000 +>>>>>>>>>>>>>>&0 ubyte 0xC3 MSX BIOS+BASIC +>>>>>>>>>>>>>>>0x002D ubyte+1 <3 \b. version=MSX%d +>>>>>>>>>>>>>>>0x002D ubyte 2 \b, version=MSX2+ +>>>>>>>>>>>>>>>0x002D ubyte 3 \b, version=MSX Turbo-R +>>>>>>>>>>>>>>>0x002D ubyte >3 \b, version=Unknown MSX %d version +>>>>>>>>>>>>>>>0x0006 ubyte x \b, VDP.DR=%#2x +>>>>>>>>>>>>>>>0x0007 ubyte x \b, VDP.DW=%#2x +>>>>>>>>>>>>>>>0x002B ubyte&0xF 0 \b, charset=Japanese +>>>>>>>>>>>>>>>0x002B ubyte&0xF 1 \b, charset=International +>>>>>>>>>>>>>>>0x002B ubyte&0xF 2 \b, charset=Korean +>>>>>>>>>>>>>>>0x002B ubyte&0xF >2 \b, charset=Unknown id:%d +>>>>>>>>>>>>>>>0x002B ubyte&0x70 0x00 \b, date format=Y-M-D +>>>>>>>>>>>>>>>0x002B ubyte&0x70 0x10 \b, date format=M-D-Y +>>>>>>>>>>>>>>>0x002B ubyte&0x70 0x20 \b, date format=D-M-Y +>>>>>>>>>>>>>>>0x002B ubyte&0x80 0x00 \b, vfreq=60Hz +>>>>>>>>>>>>>>>0x002B ubyte&0x80 0x80 \b, vfreq=50Hz +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 0 \b, keyboard=Japanese +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 1 \b, keyboard=International +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 2 \b, keyboard=French +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 3 \b, keyboard=UK +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 4 \b, keyboard=German +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 5 \b, keyboard=Unknown id:%d +>>>>>>>>>>>>>>>0x002C ubyte&0x0F 6 \b, keyboard=Spanish +>>>>>>>>>>>>>>>0x002C ubyte&0x0F >6 \b, keyboard=Unknown id:%d +>>>>>>>>>>>>>>>0x002C ubyte&0xF0 0x00 \b, basic=Japanese +>>>>>>>>>>>>>>>0x002C ubyte&0xF0 0x10 \b, basic=International +>>>>>>>>>>>>>>>0x002C ubyte&0xF0 >0x10 \b, basic=Unknown id:%d +>>>>>>>>>>>>>>>0x002E ubyte&1 1 \b, built-in MIDI + + +0 string/b CD +>2 uleshort >0x10 +>>2 uleshort <0x4000 +>>>4 uleshort <0x4000 +>>>>6 uleshort <0x4000 +>>>>>8 ubyte 0xC3 +>>>>>>9 uleshort <0x4000 +>>>>>>>0x10 ubyte 0xC3 +>>>>>>>>0x11 uleshort <0x4000 +>>>>>>>>>0x14 ubyte 0xC3 +>>>>>>>>>>0x15 uleshort <0x4000 MSX2/2+/TR SubROM + +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>0x5F0 ubequad 0x8282828244380000 +>>0x150 ubyte 0x38 +>>>0x170 string \20\20\20 +>>>>0x1E32 string ()) +>>>>>0x2130 ubequad 0xA5A5594924231807 +>>>>>0x2138 ubequad 0x4A4A3424488830C0 MSX Kanji Font + + + +# MSX extension ROMs +0 string/b AB +>2 uleshort 0x0010 MSX ROM +>>2 uleshort x \b, init=%#4x +>>4 uleshort >0 \b, stahdl=%#4x +>>6 uleshort >0 \b, devhdl=%#4x +>>8 uleshort >0 \b, bas=%#4x +>2 uleshort 0x4010 MSX ROM +>>2 uleshort x \b, init=%#04x +>>4 uleshort >0 \b, stahdl=%#04x +>>6 uleshort >0 \b, devhdl=%#04x +>>8 uleshort >0 \b, bas=%#04x +>2 uleshort 0x8010 MSX ROM +>>2 uleshort x \b, init=%#04x +>>4 uleshort >0 \b, stahdl=%#04x +>>6 uleshort >0 \b, devhdl=%#04x +>>8 uleshort >0 \b, bas=%#04x +0 string/b AB\0\0 +>6 uleshort 0 +>>4 uleshort >0x400F MSX-BASIC extension ROM +>>>4 uleshort >0 \b, stahdl=%#04x +>>>6 uleshort >0 \b, devhdl=%#04x +>>>0x1C string OPLL \b, MSX-Music +>>>>0x18 string PAC2 \b (external) +>>>>0x18 string APRL \b (internal) + +0 string/b AB\0\0\0\0 +>6 uleshort >0x400F MSX device BIOS +>>6 uleshort >0 \b, devhdl=%#04x + + +0 string/b AB +#>2 string 5JSuperLAYDOCK MSX Super Laydock ROM +#>3 string @HYDLIDE3MSX MSX Hydlide-3 ROM +#>3 string @3\x80IA862 Golvellius MSX1 ROM +>2 uleshort >15 +>>2 uleshort <0xC000 +>>>8 string \0\0\0\0\0\0\0\0 +>>>>(2.s&0x3FFF) uleshort >0 MSX ROM +>>>>>0x10 string YZ\0\0\0\0 Konami Game Master 2 MSX ROM +>>>>>0x10 string CD \b, Konami RC- +>>>>>>0x12 ubyte x \b%d +>>>>>>0x13 ubyte/16 x \b%d +>>>>>>0x13 ubyte&0xF x \b%d +>>>>>0x10 string EF \b, Konami RC- +>>>>>>0x12 ubyte x \b%d +>>>>>>0x13 ubyte/16 x \b%d +>>>>>>0x13 ubyte&0xF x \b%d +>>>>>2 uleshort x \b, init=%#04x +>>>>>4 uleshort >0 \b, stahdl=%#04x +>>>>>6 uleshort >0 \b, devhdl=%#04x +>>>>>8 uleshort >0 \b, bas=%#04x +>>>2 uleshort 0 +>>>>4 uleshort 0 +>>>>>6 uleshort 0 +>>>>>>8 uleshort >0 MSX BASIC program in ROM, bas=%#04x + +0x4000 string/b AB +>0x4002 uleshort >0x400F +>>0x400A string \0\0\0\0\0\0 MSX ROM with nonstandard page order +>>>0x4002 uleshort x \b, init=%#04x +>>>0x4004 uleshort >0 \b, stahdl=%#04x +>>>0x4006 uleshort >0 \b, devhdl=%#04x +>>>0x4008 uleshort >0 \b, bas=%#04x + +0x8000 string/b AB +>0x8002 uleshort >0x400F +>>0x800A string \0\0\0\0\0\0 MSX ROM with nonstandard page order +>>>0x8002 uleshort x \b, init=%#04x +>>>0x8004 uleshort >0 \b, stahdl=%#04x +>>>0x8006 uleshort >0 \b, devhdl=%#04x +>>>0x8008 uleshort >0 \b, bas=%#04x + + +0x3C000 string/b AB +>0x3C008 string \0\0\0\0\0\0\0\0 MSX MegaROM with nonstandard page order +>>0x3C002 uleshort x \b, init=%#04x +>>0x3C004 uleshort >0 \b, stahdl=%#04x +>>0x3C006 uleshort >0 \b, devhdl=%#04x +>>0x3C008 uleshort >0 \b, bas=%#04x + +# MSX BIN file +#0 byte 0xFE +#>1 uleshort >0x8000 +#>>3 uleshort >0x8004 +#>>>5 uleshort >0x8000 MSX BIN file + +# MSX-BASIC file +0 byte 0xFF +>3 uleshort 0x000A +>>1 uleshort >0x8000 MSX-BASIC program + +# MSX .CAS file +0 string/b \x1F\xA6\xDE\xBA\xCC\x13\x7D\x74 MSX cassette archive + +# Mega-Assembler file +0 byte 0xFE +>1 uleshort 0x0001 +>>5 uleshort 0xffff +>>>6 byte 0x0A MSX Mega-Assembler source + +# Execrom Patchfile +0 string ExecROM\ patchfile\x1A MSX ExecROM patchfile +>0x12 ubyte/16 x v%d +>0x12 ubyte&0xF x \b.%d +>0x13 ubyte x \b, contains %d patches + +# Konami's King's Valley-2 custom stage (ELG file) +4 uleshort 0x0900 +>0xF byte 1 +>>0x14 byte 0 +>>>0x1E string \040\040\040 +>>>>0x23 byte 1 +>>>>>0x25 byte 0 +>>>>>>0x15 string >\x30 +>>>>>>>0x15 string <\x5A Konami King's Valley-2 custom stage, title: "%-8.8s" +>>>>>>>>0x1D byte <32 \b, theme: %d + +# Metal Gear 1 savegame +#0x4F string \x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF +#>>0x60 string \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF +#>>>0x7B string \0x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00 Metal Gear 1 savegame diff --git a/magic/Magdir/mup b/magic/Magdir/mup new file mode 100644 index 0000000..05b9471 --- /dev/null +++ b/magic/Magdir/mup @@ -0,0 +1,24 @@ + +# ------------------------------------------------------------------------ +# $File: mup,v 1.5 2017/03/17 21:35:28 christos Exp $ +# mup: file(1) magic for Mup (Music Publisher) input file. +# +# From: Abel Cheung <abel (@) oaka.org> +# +# NOTE: This header is mainly proposed in the Arkkra mailing list, +# and is not a mandatory header because of old mup input file +# compatibility. Noteedit also use mup format, but is not forcing +# user to use any header as well. +# +0 search/1 //!Mup Mup music publication program input text +>6 string -Arkkra (Arkkra) +>>13 string - +>>>16 string . +>>>>14 string x \b, need V%.4s +>>>15 string . +>>>>14 string x \b, need V%.3s +>6 string - +>>9 string . +>>>7 string x \b, need V%.4s +>>8 string . +>>>7 string x \b, need V%.3s diff --git a/magic/Magdir/music b/magic/Magdir/music new file mode 100644 index 0000000..ad8da65 --- /dev/null +++ b/magic/Magdir/music @@ -0,0 +1,17 @@ +#------------------------------------------------------------------------------ +# $File: music,v 1.1 2011/11/25 03:28:17 christos Exp $ +# music: file (1) magic for music formats + +# BWW format used by Bagpipe Music Writer Gold by Robert MacNeil Musicworks +# and Bagpipe Writer by Doug Wickstrom +# +0 string Bagpipe Bagpipe +>8 string Reader Reader +>>15 string >\0 (version %.3s) +>8 string Music\ Writer Music Writer +>>20 string : +>>>21 string >\0 (version %.3s) +>>21 string Gold Gold +>>>25 string : +>>>>26 string >\0 (version %.3s) + diff --git a/magic/Magdir/nasa b/magic/Magdir/nasa new file mode 100644 index 0000000..de3545f --- /dev/null +++ b/magic/Magdir/nasa @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# nasa: file(1) magic + +# From: Barry Carter <carter.barry@gmail.com> +0 string DAF/SPK NASA SPICE file (binary format) +0 string DAFETF\ NAIF\ DAF\ ENCODED NASA SPICE file (transfer format) diff --git a/magic/Magdir/natinst b/magic/Magdir/natinst new file mode 100644 index 0000000..7a55dde --- /dev/null +++ b/magic/Magdir/natinst @@ -0,0 +1,24 @@ + +#----------------------------------------------------------------------------- +# $File: natinst,v 1.6 2014/06/03 19:17:27 christos Exp $ +# natinst: file(1) magic for National Instruments Code Files + +# +# From <egamez@fcfm.buap.mx> Enrique Gamez-Flores +# version 1 +# Many formats still missing, we use, for the moment LabVIEW +# We guess VXI format file. VISA, LabWindowsCVI, BridgeVIEW, etc, are missing +# +0 string RSRC National Instruments, +# Check if it's a LabVIEW File +>8 string LV LabVIEW File, +# Check which kind of file it is +>>10 string SB Code Resource File, data +>>10 string IN Virtual Instrument Program, data +>>10 string AR VI Library, data +# This is for Menu Libraries +>8 string LMNULBVW Portable File Names, data +# This is for General Resources +>8 string rsc Resources File, data +# This is for VXI Package +0 string VMAP National Instruments, VXI File, data diff --git a/magic/Magdir/ncr b/magic/Magdir/ncr new file mode 100644 index 0000000..21b09ab --- /dev/null +++ b/magic/Magdir/ncr @@ -0,0 +1,49 @@ + +#------------------------------------------------------------------------------ +# $File: ncr,v 1.8 2014/04/30 21:41:02 christos Exp $ +# ncr: file(1) magic for NCR Tower objects +# +# contributed by +# Michael R. Wayne *** TMC & Associates *** INTERNET: wayne@ford-vax.arpa +# uucp: {philabs | pyramid} !fmsrl7!wayne OR wayne@fmsrl7.UUCP +# +0 beshort 000610 Tower/XP rel 2 object +>12 belong >0 not stripped +>20 beshort 0407 executable +>20 beshort 0410 pure executable +>22 beshort >0 - version %d +0 beshort 000615 Tower/XP rel 2 object +>12 belong >0 not stripped +>20 beshort 0407 executable +>20 beshort 0410 pure executable +>22 beshort >0 - version %d +0 beshort 000620 Tower/XP rel 3 object +>12 belong >0 not stripped +>20 beshort 0407 executable +>20 beshort 0410 pure executable +>22 beshort >0 - version %d +0 beshort 000625 Tower/XP rel 3 object +>12 belong >0 not stripped +>20 beshort 0407 executable +>20 beshort 0410 pure executable +>22 beshort >0 - version %d +0 beshort 000630 Tower32/600/400 68020 object +>12 belong >0 not stripped +>20 beshort 0407 executable +>20 beshort 0410 pure executable +>22 beshort >0 - version %d +0 beshort 000640 Tower32/800 68020 +>18 beshort &020000 w/68881 object +>18 beshort &040000 compatible object +>18 beshort &060000 object +>20 beshort 0407 executable +>20 beshort 0413 pure executable +>12 belong >0 not stripped +>22 beshort >0 - version %d +0 beshort 000645 Tower32/800 68010 +>18 beshort &040000 compatible object +>18 beshort &060000 object +>20 beshort 0407 executable +>20 beshort 0413 pure executable +>12 belong >0 not stripped +>22 beshort >0 - version %d diff --git a/magic/Magdir/netbsd b/magic/Magdir/netbsd new file mode 100644 index 0000000..77e64f0 --- /dev/null +++ b/magic/Magdir/netbsd @@ -0,0 +1,251 @@ + +#------------------------------------------------------------------------------ +# $File: netbsd,v 1.26 2019/01/01 03:11:23 christos Exp $ +# netbsd: file(1) magic for NetBSD objects +# +# All new-style magic numbers are in network byte order. +# The old-style magic numbers are indistinguishable from the same magic +# numbers used in other systems, and are handled, for all those systems, +# in aout. +# + +0 name netbsd-detail +>20 lelong x @%#x +>4 lelong >0 \b+T=%d +>8 lelong >0 \b+D=%d +>12 lelong >0 \b+B=%d +>16 lelong >0 \b+S=%d +>24 lelong >0 \b+TR=%d +>28 lelong >0 \b+TD=%d + +0 name netbsd-4096 +>0 byte &0x80 +>>20 lelong <4096 shared library +>>20 lelong =4096 dynamically linked executable +>>20 lelong >4096 dynamically linked executable +>0 byte ^0x80 executable +>16 lelong >0 not stripped + +0 name netbsd-8192 +>0 byte &0x80 +>>20 lelong <8192 shared library +>>20 lelong =8192 dynamically linked executable +>>20 lelong >8192 dynamically linked executable +>0 byte ^0x80 executable +>16 lelong >0 not stripped +>0 use netbsd-detail + +0 name netbsd-normal +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 +>>0 byte &0x40 position independent +>>20 lelong !0 executable +>>20 lelong =0 object file +>16 lelong >0 not stripped +>0 use netbsd-detail + +0 name netbsd-pure +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 lelong >0 not stripped +>0 use netbsd-detail + +0 name netbsd-core +>12 string >\0 from '%s' +>32 lelong !0 (signal %d) + +0 belong&0377777777 041400413 a.out NetBSD/i386 demand paged +>0 use netbsd-4096 + +0 belong&0377777777 041400410 a.out NetBSD/i386 pure +>0 use netbsd-pure + +0 belong&0377777777 041400407 a.out NetBSD/i386 +>0 use netbsd-normal + +0 belong&0377777777 041400507 a.out NetBSD/i386 core +>0 use netbsd-core + +0 belong&0377777777 041600413 a.out NetBSD/m68k demand paged +>0 use \^netbsd-8192 + +0 belong&0377777777 041600410 a.out NetBSD/m68k pure +>0 use \^netbsd-pure + +0 belong&0377777777 041600407 a.out NetBSD/m68k +>0 use \^netbsd-normal + +0 belong&0377777777 041600507 a.out NetBSD/m68k core +>0 use \^netbsd-core + +0 belong&0377777777 042000413 a.out NetBSD/m68k4k demand paged +>0 use \^netbsd-4096 + +0 belong&0377777777 042000410 a.out NetBSD/m68k4k pure +>0 use \^netbsd-pure + +0 belong&0377777777 042000407 a.out NetBSD/m68k4k +>0 use \^netbsd-normal + +0 belong&0377777777 042000507 a.out NetBSD/m68k4k core +>0 use \^netbsd-core + +0 belong&0377777777 042200413 a.out NetBSD/ns32532 demand paged +>0 use netbsd-4096 + +0 belong&0377777777 042200410 a.out NetBSD/ns32532 pure +>0 use netbsd-pure + +0 belong&0377777777 042200407 a.out NetBSD/ns32532 +>0 use netbsd-normal + +0 belong&0377777777 042200507 a.out NetBSD/ns32532 core +>0 use netbsd-core + +0 belong&0377777777 045200507 a.out NetBSD/powerpc core +>0 use netbsd-core + +0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged +>0 use \^netbsd-8192 + +0 belong&0377777777 042400410 a.out NetBSD/SPARC pure +>0 use \^netbsd-pure + +0 belong&0377777777 042400407 a.out NetBSD/SPARC +>0 use \^netbsd-normal + +0 belong&0377777777 042400507 a.out NetBSD/SPARC core +>0 use \^netbsd-core + +0 belong&0377777777 042600413 a.out NetBSD/pmax demand paged +>0 use netbsd-4096 + +0 belong&0377777777 042600410 a.out NetBSD/pmax pure +>0 use \^netbsd-pure + +0 belong&0377777777 042600407 a.out NetBSD/pmax +>0 use netbsd-normal + +0 belong&0377777777 042600507 a.out NetBSD/pmax core +>0 use netbsd-core + +0 belong&0377777777 043000413 a.out NetBSD/vax 1k demand paged +>0 use netbsd-4096 + +0 belong&0377777777 043000410 a.out NetBSD/vax 1k pure +>0 use netbsd-pure + +0 belong&0377777777 043000407 a.out NetBSD/vax 1k +>0 use netbsd-normal + +0 belong&0377777777 043000507 a.out NetBSD/vax 1k core +>0 use netbsd-core + +0 belong&0377777777 045400413 a.out NetBSD/vax 4k demand paged +>0 use netbsd-4096 + +0 belong&0377777777 045400410 a.out NetBSD/vax 4k pure +>0 use netbsd-pure + +0 belong&0377777777 045400407 a.out NetBSD/vax 4k +>0 use netbsd-normal + +0 belong&0377777777 045400507 a.out NetBSD/vax 4k core +>0 use netbsd-core + +# NetBSD/alpha does not support (and has never supported) a.out objects, +# so no rules are provided for them. NetBSD/alpha ELF objects are +# dealt with in "elf". +0 lelong 0x00070185 ECOFF NetBSD/alpha binary +>10 leshort 0x0001 not stripped +>10 leshort 0x0000 stripped +0 belong&0377777777 043200507 a.out NetBSD/alpha core +>12 string >\0 from '%s' +>32 lelong !0 (signal %d) + +0 belong&0377777777 043400413 a.out NetBSD/mips demand paged +>0 use \^netbsd-8192 + +>16 belong >0 not stripped +0 belong&0377777777 043400410 a.out NetBSD/mips pure +>0 use netbsd-pure + +0 belong&0377777777 043400407 a.out NetBSD/mips +>0 use netbsd-normal + +0 belong&0377777777 043400507 a.out NetBSD/mips core +>0 use netbsd-core + +0 belong&0377777777 043600413 a.out NetBSD/arm32 demand paged +>0 use netbsd-4096 + +0 belong&0377777777 043600410 a.out NetBSD/arm32 pure +>0 use netbsd-pure + +0 belong&0377777777 043600407 a.out NetBSD/arm32 +>0 use netbsd-normal + +# NetBSD/arm26 has always used ELF objects, but it shares a core file +# format with NetBSD/arm32. +0 belong&0377777777 043600507 a.out NetBSD/arm core +>0 use netbsd-core + +# Kernel core dump format +0 belong&0x0000ffff 0x00008fca NetBSD kernel core file +>0 belong&0x03ff0000 0x00000000 \b, Unknown +>0 belong&0x03ff0000 0x00010000 \b, sun 68010/68020 +>0 belong&0x03ff0000 0x00020000 \b, sun 68020 +>0 belong&0x03ff0000 0x00640000 \b, 386 PC +>0 belong&0x03ff0000 0x00860000 \b, i386 BSD +>0 belong&0x03ff0000 0x00870000 \b, m68k BSD (8K pages) +>0 belong&0x03ff0000 0x00880000 \b, m68k BSD (4K pages) +>0 belong&0x03ff0000 0x00890000 \b, ns32532 BSD +>0 belong&0x03ff0000 0x008a0000 \b, SPARC/32 BSD +>0 belong&0x03ff0000 0x008b0000 \b, pmax BSD +>0 belong&0x03ff0000 0x008c0000 \b, vax BSD (1K pages) +>0 belong&0x03ff0000 0x008d0000 \b, alpha BSD +>0 belong&0x03ff0000 0x008e0000 \b, mips BSD (Big Endian) +>0 belong&0x03ff0000 0x008f0000 \b, arm6 BSD +>0 belong&0x03ff0000 0x00900000 \b, m68k BSD (2K pages) +>0 belong&0x03ff0000 0x00910000 \b, sh3 BSD +>0 belong&0x03ff0000 0x00950000 \b, ppc BSD (Big Endian) +>0 belong&0x03ff0000 0x00960000 \b, vax BSD (4K pages) +>0 belong&0x03ff0000 0x00970000 \b, mips1 BSD +>0 belong&0x03ff0000 0x00980000 \b, mips2 BSD +>0 belong&0x03ff0000 0x00990000 \b, m88k BSD +>0 belong&0x03ff0000 0x00920000 \b, parisc BSD +>0 belong&0x03ff0000 0x009b0000 \b, sh5/64 BSD +>0 belong&0x03ff0000 0x009c0000 \b, SPARC/64 BSD +>0 belong&0x03ff0000 0x009d0000 \b, amd64 BSD +>0 belong&0x03ff0000 0x009e0000 \b, sh5/32 BSD +>0 belong&0x03ff0000 0x009f0000 \b, ia64 BSD +>0 belong&0x03ff0000 0x00b70000 \b, aarch64 BSD +>0 belong&0x03ff0000 0x00b80000 \b, or1k BSD +>0 belong&0x03ff0000 0x00b90000 \b, Risk-V BSD +>0 belong&0x03ff0000 0x00c80000 \b, hp200 BSD +>0 belong&0x03ff0000 0x012c0000 \b, hp300 BSD +>0 belong&0x03ff0000 0x020b0000 \b, hp800 HP-UX +>0 belong&0x03ff0000 0x020c0000 \b, hp200/hp300 HP-UX +>0 belong&0xfc000000 0x04000000 \b, CPU +>0 belong&0xfc000000 0x08000000 \b, DATA +>0 belong&0xfc000000 0x10000000 \b, STACK +>4 leshort x \b, (headersize = %d +>6 leshort x \b, segmentsize = %d +>8 lelong x \b, segments = %d) + +# little endian only for now. +0 name ktrace +>4 leshort 7 +>>6 leshort <3 NetBSD ktrace file version %d +>>>12 string x from %s +>>>56 string x \b, emulation %s +>>>8 lelong <65536 \b, pid=%d + +56 string netbsd +>0 use ktrace +56 string linux +>0 use ktrace +56 string sunos +>0 use ktrace +56 string hpux +>0 use ktrace diff --git a/magic/Magdir/netscape b/magic/Magdir/netscape new file mode 100644 index 0000000..0e1ca61 --- /dev/null +++ b/magic/Magdir/netscape @@ -0,0 +1,26 @@ + +#------------------------------------------------------------------------------ +# $File: netscape,v 1.8 2017/03/17 21:35:28 christos Exp $ +# netscape: file(1) magic for Netscape files +# "H. Nanosecond" <aldomel@ix.netcom.com> +# version 3 and 4 I think +# + +# Netscape Address book .nab +0 string \000\017\102\104\000\000\000\000\000\000\001\000\000\000\000\002\000\000\000\002\000\000\004\000 Netscape Address book + +# Netscape Communicator address book +0 string \000\017\102\111 Netscape Communicator address book + +# .snm Caches +0 string #\ Netscape\ folder\ cache Netscape folder cache +0 string \000\036\204\220\000 Netscape folder cache +# .n2p +# Net 2 Phone +#0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060 +0 string SX961999 Net2phone + +# +#This is files ending in .art, FIXME add more rules +0 string JG\004\016\0\0\0\0 AOL ART image +0 string JG\003\016\0\0\0\0 AOL ART image diff --git a/magic/Magdir/netware b/magic/Magdir/netware new file mode 100644 index 0000000..089a243 --- /dev/null +++ b/magic/Magdir/netware @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: netware,v 1.5 2020/09/04 16:30:51 christos Exp $ +# netware: file(1) magic for NetWare Loadable Modules (NLMs) +# From: Mads Martin Joergensen <mmj@suse.de> +# URL: https://en.wikipedia.org/wiki/NetWare_Loadable_Module + +0 string NetWare\ Loadable\ Module NetWare Loadable Module +#!:mime application/octet-stream +!:ext nlm + diff --git a/magic/Magdir/news b/magic/Magdir/news new file mode 100644 index 0000000..eea8aed --- /dev/null +++ b/magic/Magdir/news @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: news,v 1.6 2009/09/19 16:28:11 christos Exp $ +# news: file(1) magic for SunOS NeWS fonts (not "news" as in "netnews") +# +0 string StartFontMetrics ASCII font metrics +0 string StartFont ASCII font bits +0 belong 0x137A2944 NeWS bitmap font +0 belong 0x137A2947 NeWS font family +0 belong 0x137A2950 scalable OpenFont binary +0 belong 0x137A2951 encrypted scalable OpenFont binary +8 belong 0x137A2B45 X11/NeWS bitmap font +8 belong 0x137A2B48 X11/NeWS font family diff --git a/magic/Magdir/nifty b/magic/Magdir/nifty new file mode 100644 index 0000000..151d869 --- /dev/null +++ b/magic/Magdir/nifty @@ -0,0 +1,202 @@ + +#------------------------------------------------------------------------------ +# $File: nifty,v 1.1 2022/02/14 16:51:15 christos Exp $ +# file(1) magic for the NIfTI file format + +# Type: NIfTI, Neuroimaging file format +# URL: https://nifti.nimh.nih.gov/ +# From: Yann Leprince <yann.leprince@cea.fr>, 2022 + +344 string n+1\0 NIfTI-1 neuroimaging data, +!:mime image/x.nifti +!:ext nii +>0 use nifti1 +344 string ni1\0 NIfTI-1 neuroimaging data header, +!:mime image/x.nifti +!:ext hdr +>0 use nifti1 + +4 string n+2\0\r\n\032\n NIfTI-2 neuroimaging data, +!:mime image/x.nifti +!:ext nii +>0 use nifti2 +4 string ni2\0\r\n\032\n NIfTI-2 neuroimaging data header, +!:mime image/x.nifti +!:ext hdr +>0 use nifti2 + +# Main subroutine for NIfTI-1 +0 name nifti1 +>0 clear x +>0 lelong =348 little endian +>>70 use nifti-datatype-le +>>112 lefloat !0 with scaling +>>0 use nifti1-dim-le +>>252 leshort >0 \b, with qform +>>>252 use xform-code-nifti1-le +>>254 leshort >0 \b, with sform +>>>254 use xform-code-nifti1-le +>>136 string >\0 \b, description: %s +>0 belong =348 big endian +>>70 use \^nifti-datatype-le +>>112 befloat !0 with scaling +>>0 use \^nifti1-dim-le +>>252 beshort >0 \b, with qform +>>>252 use \^xform-code-nifti1-le +>>254 beshort >0 \b, with sform +>>>254 use \^xform-code-nifti1-le +>>136 string >\0 \b, description: %s +>0 default x +>>0 long x invalid sizeof_hdr=%d + +# Main subroutine for NIfTI-2 +0 name nifti2 +>0 clear x +>0 lelong =540 little endian +>>12 use nifti-datatype-le +>>176 lefloat !0 with scaling +>>0 use nifti2-dim-le +>>344 lelong >0 \b, with qform +>>>344 use xform-code-nifti2-le +>>348 lelong >0 \b, with sform +>>>348 use xform-code-nifti2-le +>>240 string >\0 \b, description: %s +>0 belong =540 big endian +>>12 use \^nifti-datatype-le +>>176 befloat !0 with scaling +>>0 use \^nifti2-dim-le +>>344 lelong >0 \b, with qform +>>>344 use \^xform-code-nifti2-le +>>348 lelong >0 \b, with sform +>>>348 use \^xform-code-nifti2-le +>>240 string >\0 \b, description: %s +>0 default x +>>0 long x invalid sizeof_hdr=%d + + +# Other subroutines for details of NIfTI files + +0 name nifti-datatype-le +>0 clear x +>0 leshort =1 \b, binary datatype +>0 leshort =2 \b, uint8 datatype +>0 leshort =4 \b, int16 datatype +>0 leshort =8 \b, int32 datatype +>0 leshort =16 \b, float32 datatype +>0 leshort =32 \b, complex64 datatype +>0 leshort =64 \b, float64 datatype +>0 leshort =128 \b, RGB24 datatype +>0 leshort =256 \b, int8 datatype +>0 leshort =512 \b, uint16 datatype +>0 leshort =768 \b, uint32 datatype +>0 leshort =1024 \b, int64 datatype +>0 leshort =1280 \b, uint64 datatype +>0 leshort =1536 \b, float128 datatype +>0 leshort =1792 \b, complex128 datatype +>0 leshort =2048 \b, complex256 datatype +>0 leshort =2304 \b, RGBA32 datatype +>0 default x +>>0 leshort x \b, unknown datatype 0x%x +>>2 leshort x (%d bits/pixel) + +0 name nifti1-dim-le +>0 clear x +>40 leshort <0 \b, INVALID dim[0]=%d +>40 leshort >7 \b, INVALID dim[0]=%d +>0 default x +>>40 leshort x \b, %d-dimensional (size +>>42 leshort x %d +>>40 leshort >1 +>>>44 leshort x \bx%d +>>40 leshort >2 +>>>46 leshort x \bx%d +>>40 leshort >3 +>>>48 leshort x \bx%d +>>40 leshort >4 +>>>50 leshort x \bx%d +>>40 leshort >5 +>>>52 leshort x \bx%d +>>40 leshort >6 +>>>54 leshort x \bx%d +>>80 lefloat x \b, voxel size %f +>>40 leshort >1 +>>>84 lefloat x x %f +>>40 leshort >2 +>>>88 lefloat x x %f +>>123 use nifti1-xyz-unit +>>40 leshort >3 +>>>92 lefloat x x %f +>>>123 use nifti1-t-unit +>>40 leshort x \b) + +0 name nifti2-dim-le +>0 clear x +>16 lequad <0 \b, INVALID dim[0]=%lld +>16 lequad >7 \b, INVALID dim[0]=%lld +>0 default x +>>16 lequad x \b, %lld-dimensional (size +>>24 lequad x %lld +>>16 lequad >1 +>>>32 lequad x \bx%lld +>>16 lequad >2 +>>>40 lequad x \bx%lld +>>16 lequad >3 +>>>48 lequad x \bx%lld +>>16 lequad >4 +>>>56 lequad x \bx%lld +>>16 lequad >5 +>>>64 lequad x \bx%lld +>>16 lequad >6 +>>>72 lequad x \bx%lld, +>>112 ledouble x \b, voxel size %f +>>16 lequad >1 +>>>120 ledouble x x %f +>>16 lequad >2 +>>>128 ledouble x x %f +>>500 use nifti2-xyz-unit +>>16 lequad >3 +>>>136 ledouble x x %f +>>>500 use nifti2-t-unit +>>16 lequad x \b) + +0 name xform-code-nifti1-le +>0 leshort =1 to scanner-based coordinates +>0 leshort =2 to aligned coordinates +>0 leshort =3 to Talairach coordinates +>0 leshort =4 to MNI152 coordinates +>0 leshort =5 to template coordinates + +0 name xform-code-nifti2-le +>0 lelong =1 to scanner-based coordinates +>0 lelong =2 to aligned coordinates +>0 lelong =3 to Talairach coordinates +>0 lelong =4 to MNI152 coordinates +>0 lelong =5 to template coordinates + +0 name nifti1-xyz-unit +>0 byte &0x01 +>>0 byte ^0x02 m +>>0 byte &0x02 micron +>0 byte ^0x01 +>>0 byte &0x02 mm + +0 name nifti1-t-unit +>0 byte &0x08 +>>0 byte ^0x10 s +>>0 byte &0x10 ms +>0 byte ^0x08 +>>0 byte &0x10 microsecond + +0 name nifti2-xyz-unit +>0 lelong &0x01 +>>0 lelong ^0x02 m +>>0 lelong &0x02 micron +>0 lelong ^0x01 +>>0 lelong &0x02 mm + +0 name nifti2-t-unit +>0 lelong &0x08 +>>0 lelong ^0x10 s +>>0 lelong &0x10 ms +>0 lelong ^0x08 +>>0 lelong &0x10 microsecond diff --git a/magic/Magdir/nim-lang b/magic/Magdir/nim-lang new file mode 100644 index 0000000..bc2cf98 --- /dev/null +++ b/magic/Magdir/nim-lang @@ -0,0 +1,29 @@ + +#------------------------------------------------------------------------------ +# $File: nim-lang,v 1.3 2021/07/06 12:34:06 christos Exp $ +# nim-lang: file(1) magic for nim +# URL: https://nim-lang.org/ + +0 search/8192 import +>&0 search/64 os +>>&0 use nim1 +>&0 default x +>>&0 search/64 osproc +>>>&0 use nim1 +>>&0 default x +>>>&0 search/64 strutils +>>>>&0 use nim1 + +0 name nim1 +>&0 search/8192 proc +>>&0 use nim2 +>&0 default x +>>&0 search/8192 template +>>>&0 use nim2 +>>&0 default x +>>>&0 search/8192 let +>>>>&0 use nim2 + +0 name nim2 +>&0 search/8192 when Nim source code +!:ext nim diff --git a/magic/Magdir/nitpicker b/magic/Magdir/nitpicker new file mode 100644 index 0000000..bea96c3 --- /dev/null +++ b/magic/Magdir/nitpicker @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: nitpicker,v 1.8 2019/04/19 00:42:27 christos Exp $ +# nitpicker: file(1) magic for Flowfiles. +# From: Christian Jachmann <C.Jachmann@gmx.net> https://www.nitpicker.de +0 string NPFF NItpicker Flow File +>4 byte x V%d. +>5 byte x %d +>6 bedate x started: %s +>10 bedate x stopped: %s +>14 belong x Bytes: %u +>18 belong x Bytes1: %u +>22 belong x Flows: %u +>26 belong x Pkts: %u diff --git a/magic/Magdir/numpy b/magic/Magdir/numpy new file mode 100644 index 0000000..c1520dd --- /dev/null +++ b/magic/Magdir/numpy @@ -0,0 +1,9 @@ + +#------------------------------------------------------------------------------ +# $File: numpy,v 1.1 2019/05/09 16:24:36 christos Exp $ +# numpy: file(1) magic for NumPy array binary serialization format +# Reference: https://docs.scipy.org/doc/numpy/reference/generated/numpy.lib.format.html +0 string \x93NUMPY NumPy array, +>6 ubyte x version %d +>7 ubyte x \b.%d, +>8 uleshort x header length %d diff --git a/magic/Magdir/oasis b/magic/Magdir/oasis new file mode 100644 index 0000000..45ad6d1 --- /dev/null +++ b/magic/Magdir/oasis @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: oasis,v 1.2 2014/06/03 19:17:27 christos Exp $ +# OASIS +# Summary: OASIS stream file +# Long description: Open Artwork System Interchange Standard +# File extension: .oas +# Full name: Ben Cowley (bcowley@broadcom.com) +# Philip Dixon (pdixon@broadcom.com) +# Reference: http://www.wrcad.com/oasis/oasis-3626-042303-draft.pdf +# (see page 3) +0 string %SEMI-OASIS\r\n OASIS Stream file diff --git a/magic/Magdir/ocaml b/magic/Magdir/ocaml new file mode 100644 index 0000000..3ec3100 --- /dev/null +++ b/magic/Magdir/ocaml @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: ocaml,v 1.5 2010/09/20 18:55:20 rrt Exp $ +# ocaml: file(1) magic for Objective Caml files. +0 string Caml1999 OCaml +>8 string X exec file +>8 string I interface file (.cmi) +>8 string O object file (.cmo) +>8 string A library file (.cma) +>8 string Y native object file (.cmx) +>8 string Z native library file (.cmxa) +>8 string M abstract syntax tree implementation file +>8 string N abstract syntax tree interface file +>9 string >\0 (Version %3.3s) diff --git a/magic/Magdir/octave b/magic/Magdir/octave new file mode 100644 index 0000000..49ea3e7 --- /dev/null +++ b/magic/Magdir/octave @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: octave,v 1.4 2009/09/19 16:28:11 christos Exp $ +# octave binary data file(1) magic, from Dirk Eddelbuettel <edd@debian.org> +0 string Octave-1-L Octave binary data (little endian) +0 string Octave-1-B Octave binary data (big endian) diff --git a/magic/Magdir/ole2compounddocs b/magic/Magdir/ole2compounddocs new file mode 100644 index 0000000..2c451a9 --- /dev/null +++ b/magic/Magdir/ole2compounddocs @@ -0,0 +1,760 @@ + +#------------------------------------------------------------------------------ +# $File: ole2compounddocs,v 1.26 2023/05/15 16:46:12 christos Exp $ +# Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured +# storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) +# Additional tests for OLE 2 Compound Documents should be under this recipe. +# reference: https://www.openoffice.org/sc/compdocfileformat.pdf + +0 string \320\317\021\340\241\261\032\341 +# https://digital-preservation.github.io/droid/ +# skip droid skeleton like fmt-39-signature-id-128.doc by valid version +>0x1A ushort !0xABAB OLE 2 Compound Document +#>0x1C uleshort x \b, endnian %#4.4x +# big endian not tested +>>0x1C ubeshort =0xfffe \b, big-endian +>>>546 string jbjb : Microsoft Word Document +!:mime application/msword +!:apple MSWDWDBN +!:ext doc +# Byte Order 0xFFFE means little-endian found in real world applications +#>>0x1C uleshort =0xfffe \b, little-endian +>>0x1C uleshort =0xfffe +# From: Joerg Jenderek +# Major Version 3 or 4 +>>>0x1A uleshort x \b, v%u +# Minor Version 32h=50 3Bh=59 3Eh=62 +>>>0x18 uleshort x \b.%u +# SecID of first sector of the directory stream is often 1 but high like 3144h +>>>48 ulelong x \b, SecID %#x +# Sector Shift Exponent in short-stream container stream: 6~64 bytes +>>>32 uleshort !6 \b, exponent of short stream %u +# total number of sectors used for the FAT +>>>44 ulelong >1 \b, %u FAT sectors +# SecID of first sector of the short-sector allocation table (Mini FAT) +# or -2 (End Of ChainSecID) if not extant +>>>60 ulelong !0xffFFffFE \b, Mini FAT start sector %#x +# total number of sectors used for the short-sector allocation table +>>>64 ulelong !1 \b, %u Mini FAT sector +# plural s +>>>>64 ulelong >1 \bs +# SecID of first sector of the master sector allocation table (DIFAT) +# or -2 (End Of Chain SecID) if no additional sectors used +>>>68 ulelong !0xffFFffFE \b, DIFAT start sector %#x +# total number of sectors used for the master sector allocation table (DIFAT) +>>>72 ulelong >0 \b, %u DIFAT sectors +# First part of the master sector allocation table (DIFAT) containing 109 SecIDs +#>>>76 ubequad x \b, DIFAT=%#16.16llx +#>>>84 ubequad x \b%16.16llx... +# pointer to root entry only works with standard configuration for SecID ~< 800h +# Red-Carpet-presentation-1.0-1.sdd sg10.sdv 2000_GA_Annual_Review_Data.xls +# "ORLEN Factbook 2017.xls" XnView_metadata.doc +# "Barham, Lisa - Die Shopping-Prinzessinnen.doc" then not recognized +>>>48 ulelong >0x800 too big for FILE_BYTES_MAX = 1 MiB +# Sector Shift Exponent 9~512 for major version 3 or C~4096 for major version 4 +>>>0x1E uleshort 0xc \b, blocksize 4096 +# jump to one block (4096 bytes per block) before root storage block +>>>>(48.l*4096) ubyte x +>>>>>&4095 use ole2-directory +#>>>0x1E uleshort 9 \b, blocksize 512 +>>>0x1E uleshort 9 +# jump to one block (512 bytes per block) before root storage block +# in 5.37 only true for offset ~< FILE_BYTES_MAX=7 MiB defined in ../../src/file.h +>>>>(48.l*512) ubyte x +>>>>>&511 use ole2-directory +# check directory entry structure and display types by GUID +0 name ole2-directory +# directory entry name like "Root Entry" +#>0 lestring16 x \b, 1st %.10s +# type of the entry; 5~Root storage +#>66 ubyte x \b, type %x +# node colour of the entry: 00H ~ Red 01H ~ Black +#>67 ubyte x \b, color %x +# the DirIDs of the child nodes. Should both be -1 in the root storage entry +#>68 bequad !0xffffffffffffffff \b, DirIDs %llx +# NEXT lines for DEBUGGING +# second directory entry name like VisioDocument Control000 +#>128 lestring16 x \b, 2nd %.20s +# third directory entry like WordDocument +#>256 lestring16 x \b, 3rd %.20s +# forth +#>384 lestring16 x \b, 4th %.10s +# 5th +#>512 lestring16 x \b, 5th %.10s +# 6th +#>640 lestring16 x \b, 6th %.10s +# 7th +#>768 lestring16 x \b, 7th %.10s +# https://wikileaks.org/ciav7p1/cms/page_13762814.html +# https://m.blog.naver.com/superman4u/40047693679 +# https://misc.daniel-marschall.de/projects/guid_analysis/guid.txt +# https://toolslick.com/conversion/data/guid +#>80 ubequad !0 \b, clsid %#16.16llx +#>>88 ubequad x \b%16.16llx +# test for "Root Entry" inside directory by type 5 value +>66 ubyte 5 +# look for CLSID GUID 0 +>>88 ubequad 0x0 +>>>80 ubequad 0x0 +# - Microstation V8 DGN files (www.bentley.com) +# URL: https://en.wikipedia.org/wiki/MicroStation +# Last update on 10/23/2006 by Lester Hightower +# 07/24/2019 by Joerg Jenderek +# Second directory entry name like Dgn~H Dgn~S +>>>>128 lestring16 Dgn~ : Microstation V8 CAD +#!:mime application/x-ole-storage +!:mime application/x-bentley-dgn +# http://www.q-cad.com/files/samples_cad_files/1344468165.dgn +!:ext dgn +# +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect +# Second directory entry name PerfectOffice_ +>>>>128 lestring16 PerfectOffice_ : WordPerfect 7-X3 presentations Master, Document or Graphic +!:mime application/vnd.wordperfect +# https://www.macdisk.com/macsigen.php "WPC2" for Wordperfect 2 *.wpd +!:apple ????WPC7 +!:ext mst/wpd/wpg +# +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor +# Second directory entry name MatOST_ +>>>>128 lestring16 MatOST : Microsoft Works 3.0 document +!:mime application/vnd.ms-works +!:apple ????AWWP +!:ext wps +# +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Spreadsheet +# 3rd directory entry name WksSSWorkBook +>>>>256 lestring16 WksSSWorkBook : Microsoft Works 6-9 spreadsheet +!:mime application/vnd.ms-works +!:apple ????AWSS +!:ext xlr +# +# URL: http://fileformats.archiveteam.org/wiki/XLS +# what is the difference to {00020820-0000-0000-c000-000000000046} ? +# Second directory entry name Workbook +>>>>128 lestring16 Workbook +>>>>>256 lestring16 !WksSSWorkBook : Microsoft Excel 97-2003 worksheet 0 clsid +!:mime application/vnd.ms-excel +# https://www.macdisk.com/macsigen.php XLS5 for Excel 5 +!:apple ????XLS9 +!:ext xls +# +# URL: http://fileformats.archiveteam.org/wiki/PPT +# Second directory entry name Object1 Object12 Object35 +>>>>128 lestring16 Object : Microsoft PowerPoint 4 presentation +!:mime application/vnd.ms-powerpoint +# https://www.macdisk.com/macsigen.php +!:apple ????PPT3 +!:ext ppt +# +# URL: https://www.msoutlook.info/question/164 +# Second directory entry name __CollDataStm +>>>>128 lestring16 __CollDataStm : Microsoft Outlook Send Receive Settings +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-srs +# %APPDATA%\Microsoft\Outlook\Outlook.srs +!:ext srs +# +# URL: https://www.file-extensions.org/cag-file-extension +# Second directory entry name Category +>>>>128 lestring16 Category : Microsoft Clip Art Gallery +#!:mime application/x-ole-storage +!:mime application/x-ms-cag +!:apple MScgCGdb +!:ext cag/ +# +# URL: https://www.filesuffix.com/de/extension/rra +# 3rd directory entry name StrIndex_StringTable +>>>>256 lestring16 StrIndex_StringTable : Windows temporarily installer +#!:mime application/x-ole-storage +!:mime application/x-ms-rra +!:ext rra +# +# URL: https://www.forensicswiki.org/wiki/Jump_Lists +# 3rd directory entry name DestList +>>>>256 lestring16 DestList : Windows jump list +#!:mime application/x-ole-storage +!:mime application/x-ms-jumplist +# %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms +!:ext automaticDestinations-ms +# +# URL: https://en.wikipedia.org/wiki/Windows_thumbnail_cache +# Second directory entry name 256_ +>>>>128 lestring16 256_ : Windows thumbnail database 256 +#!:mime application/x-ole-storage +!:mime application/x-ms-thumbnail +# Thumbs.db +!:ext db +>>>>128 lestring16 96_ : Windows thumbnail database 96 +!:mime application/x-ms-thumbnail +!:ext db +# 3rd directory entry name Catalog_ +>>>>256 lestring16 Catalog : Windows thumbnail database +!:mime application/x-ms-thumbnail +!:ext db +# +# URL: https://support.microsoft.com/en-us/help/300887/how-to-use-system-information-msinfo32-command-line-tool-switches +# Note: older Microsoft Systeminfo (MSInfo Configuration File of msinfo32); newer use xml based +# Second directory entry name Control000 +>>>>128 lestring16 Control000 : Microsoft old Systeminfo +#!:mime application/x-ole-storage +!:mime application/x-ms-info +!:ext nfo +# +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml +# Note: older versions til 13 about middle 2021 handled by ./windows +# called "Sysinternals Autoruns data (v14)" by TrID +# second, third and fourth directory entry name like Header Items 0 +>>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data, version 14 +#!:mime application/x-ole-storage +!:mime application/x-ms-arn +# like: MyHOSTNAME.arn +!:ext arn +# +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Access +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml +# http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: only version foo tested and called "Microsoft Access Wizard template" by TrID +# Fourth directory entry name TemplateID +>>>>384 lestring16 TemplateID : Microsoft Access wizard template +# Second directory entry name like \005SummaryInformation and 3rd name like \005DocumentSummaryInformation +#!:mime application/x-ole-storage +#!:mime application/vnd.ms-office +#!:mime application/vnd.ms-access +#!:mime application/msaccess +!:mime application/x-ms-mdz +# http://extension.nirsoft.net/mdz +!:ext mdz +# +# URL: http://fileformats.archiveteam.org/wiki/Corel_Print_House +# Second directory entry name Thumbnail +>>>>128 lestring16 Thumbnail : Corel PrintHouse image +#!:mime application/x-ole-storage +!:mime application/x-corel-cph +!:ext cph +# 3rd directory entry name Thumbnail +>>>>256 lestring16 Thumbnail : Corel PrintHouse image +!:mime application/x-corel-cph +!:ext cph +# URL: http://fileformats.archiveteam.org/wiki/Corel_Gallery +# Note: format since Gallery 2; sometimes called Corel Multimedia Manager Album +# third directory entry name _INFO_ +>>>>256 lestring16 _INFO_ : Corel Gallery +# second directory entry name _ITEM_ or _DATA_ +# later directory entry names: _ALBUM_ _THUMBNAIL_ +#!:mime application/x-ole-storage +!:mime application/x-corel-gal +!:ext gal +# +# From: Joerg Jenderek +# URL: https://archive.org/details/iPhoto-Plus-4 +# https://filext.com/file-extension/TPL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tpl-ulead.trid.xml +# Note: found in Template sub directory in program directory of software iPhoto Plus version 4 +# second, third and fourth directory entry name like TplHeader TplMainImage TplPreview +>>>>128 lestring16 TplHeader : Ulead iPhoto Template +#!:mime application/x-ole-storage +!:mime image/x-ulead-tpl +# https://www.file-extensions.org/tpl-file-extension-ulead-photo-express-template +!:ext tpl +# +# URL: https://en.wikipedia.org/wiki/Hangul_(word_processor) +# https://www.hancom.com/etc/hwpDownload.do +# Note: "HWP Document File" signature found in FileHeader +# Hangul Word Processor WORDIAN, 2002 and later is using HWP 5.0 format. +# Second directory entry name FileHeader hint for Thinkfree Office document +>>>>128 lestring16 FileHeader : Hancom HWP (Hangul Word Processor) file, version 5.0 +#!:mime application/haansofthwp +!:mime application/x-hwp +# https://example-files.online-convert.com/document/hwp/example.hwp +!:ext hwp +# +# URL: https://ask.libreoffice.org/en/question/26303/creating-new-themes-for-the-gallery-not-functioning/ +# Second directory entry name like dd2000 dd2001 dd2036 dd2060 dd2083 +>>>>128 lestring16 dd2 : StarOffice Gallery view +#!:mime application/x-ole-storage +!:mime application/x-star-sdv +!:ext sdv +# URL: https://en.wikipedia.org/wiki/SoftMaker_Office +# second directory entry name Current User +>>>>128 lestring16 Current\ User : SoftMaker +# third directory entry name SMNativeObjData +>>>>>256 lestring16 SMNativeObjData +# 5th directory entry name PowerPoint +>>>>>>512 lestring16 PowerPoint PowerPoint presentation or template +!:mime application/vnd.ms-powerpoint +!:ext ppt/pps/pot +# 4th directory entry name PowerPoint +>>>>>384 lestring16 PowerPoint Presentations or template +# http://extension.nirsoft.net/prv +!:mime application/vnd.softmaker.presentations +!:ext prd/prv +# third directory entry name like Current User +>>>>256 lestring16 Current\ User : SoftMaker +# 5th directory entry name PowerPoint +>>>>>512 lestring16 PowerPoint Presentations or template +# http://extension.nirsoft.net/prd +!:mime application/vnd.softmaker.presentations +!:ext prd/prv +# 2nd directory entry name Pictures +>>>>>>128 lestring16 Pictures with pictures +# +# URL: http://fileformats.archiveteam.org/wiki/PageMaker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p +# pagemaker-generic.trid.xml +# pagemaker-pm6.trid.xml +# pagemaker-pm65.trid.xml +# pmd-pm7.trid.xml +# From: Joerg Jenderek +# Note: since version 6 embedd as stream with PageMaker name the "old" format handled by ./wordprocessors +# verified by Michal Mutl Structured Storage Viewer `SSView.exe brochus.pt6` +# Second directory entry name PageMaker +>>>>128 lestring16 PageMaker : +# look for magic of "old" PageMaker like in 02TEMPLT.T65 +>>>>>0 search/0xa900/s \0\0\0\0\0\0\xff\x99 +# GRR: jump to PageMaker stream and inspect it by sub routine PageMaker of ./wordprocessors failed with wrong version! +#>>>>>>&0 use PageMaker +# THIS WORKS PARTLY! +>>>>>>&0 indirect x +# remaining null clsid +>>>>128 default x +>>>>>0 use ole2-unknown +# look for CLSID where "second" part is 0 +>>>80 ubequad !0x0 +# +# Summary: Family Tree Maker +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Family_Tree_Maker +# https://en.wikipedia.org/wiki/Family_Tree_Maker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftw.trid.xml +# Note called "Family Tree Maker Family Tree" by TrID and +# "FamilyTree Maker Database" with version "1-4" by DROID via PUID fmt/1352 +# tested only with version 2.0 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe my.ftw` +# newer versions are SQLite based and handled by ./sql +# directory names like: IND.DB AUX.DB GENERAL.DB NAME.NDX BIRTH.NDX EXTRA.DB +>>>>80 ubequad 0x5702000000000000 : Family Tree Maker Windows database, version 1-4 +# look for "File Format (C) Copyright 1993 Banner Blue Software Inc. - All Rights Reserved" in GENERAL.DB +#>>>>>0 search/0x5460c/s F\0i\0l\0e\0\040\0F\0o\0r\0m\0a\0t\0\040\0(\0C\0)\0 \b, VERSION +# GRR: jump to version value like 2 does not work! +#>>>>>>&-8 ubyte x %u +#!:mime application/x-ole-storage +!:mime application/x-fmt +# FBK is used for backup of FTW +!:ext ftw/fbk +# +>>>>80 default x +>>>>>0 use ole2-unknown +# look for known clsid GUID +# - Visio documents +# URL: http://fileformats.archiveteam.org/wiki/Visio +# Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek +>>88 ubequad 0xc000000000000046 +>>>80 ubequad 0x131a020000000000 : Microsoft Visio 2000-2002 Document, stencil or template +!:mime application/vnd.visio +# VSD~Drawing VSS~Stencil VST~Template +!:ext vsd/vss/vst +>>>80 ubequad 0x141a020000000000 : Microsoft Visio 2003-2010 Document, stencil or template +!:mime application/vnd.visio +!:ext vsd/vss/vst +# +# URL: http://fileformats.archiveteam.org/wiki/Windows_Installer +# https://en.wikipedia.org/wiki/Windows_Installer#ICE_validation +# Update: Joerg Jenderek +# Windows Installer Package *.MSI or validation module *.CUB +>>>80 ubequad 0x84100c0000000000 : Microsoft Windows Installer Package or validation module +!:mime application/x-msi +#!:mime application/x-ms-win-installer +# https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices +# cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub +#!:mime application/x-ms-cub +!:ext msi/cub +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Windows_Installer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml +# called "Windows SDK Setup Transform script" by TrID +>>>80 ubequad 0x82100c0000000000 : Microsoft Windows Installer transform script +#!:mime application/x-ole-storage +!:mime application/x-ms-mst +!:ext mst +>>>80 ubequad 0x86100c0000000000 : Microsoft Windows Installer Patch +# ?? +!:mime application/x-wine-extension-msp +#!:mime application/x-ms-msp +!:ext msp +# +# URL: http://fileformats.archiveteam.org/wiki/DOC +>>>80 ubequad 0x0009020000000000 : Microsoft Word 6-95 document or template +!:mime application/msword +# for template MSWDW8TN +!:apple MSWDWDBN +!:ext doc/dot +>>>80 ubequad 0x0609020000000000 : Microsoft Word 97-2003 document or template +!:mime application/msword +!:apple MSWDWDBN +# dot for template; no extension on Macintosh +!:ext doc/dot/ +# +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor +>>>80 ubequad 0x0213020000000000 : Microsoft Works 3-4 document or template +!:mime application/vnd.ms-works +!:apple ????AWWP +# ps for template https://filext.com/file-extension/PS bps for backup +!:ext wps/ps/bps +# +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database +>>>80 ubequad 0x0313020000000000 : Microsoft Works 3-4 database or template +!:mime application/vnd.ms-works-db +# https://www.macdisk.com/macsigen.php +!:apple ????AWDB +# db for template www.file-extensions.org/db-file-extension-microsoft-works-data bdb for backup +!:ext wdb/db/bdb +# +# URL: https://en.wikipedia.org/wiki/Microsoft_Excel +>>>80 ubequad 0x1008020000000000 : Microsoft Excel 5-95 worksheet, addin or template +!:mime application/vnd.ms-excel +# https://www.macdisk.com/macsigen.php +!:apple ????XLS5 +# worksheet/addin/template/no extension on Macintosh +!:ext xls/xla/xlt/ +# +>>>80 ubequad 0x2008020000000000 : Microsoft Excel 97-2003 +!:mime application/vnd.ms-excel +# https://www.macdisk.com/macsigen.php XLS5 for Excel 5 +!:apple ????XLS9 +# 3rd directory entry name +>>>>256 lestring16 _VBA_PROJECT_CUR addin +!:ext xla/ +# 4th directory entry name +>>>>384 lestring16 _VBA_PROJECT_CUR addin +!:ext xla +#!:ext xla/ +>>>>256 default x worksheet or template +!:ext xls/xlt +#!:ext xls/xlt/ +# +# URL: http://fileformats.archiveteam.org/wiki/OLE2 +>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 item +#>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 Message +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-msg +!:ext msg +# URL: https://wiki.fileformat.com/email/oft/ +>>>80 ubequad 0x46f0060000000000 : Microsoft Outlook 97-2003 item template +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-oft +!:ext oft +# +# URL: http://fileformats.archiveteam.org/wiki/PPT +>>>80 ubequad 0x5148040000000000 : Microsoft PowerPoint 4.0 presentation +!:mime application/vnd.ms-powerpoint +# https://www.macdisk.com/macsigen.php +!:apple ????PPT3 +!:ext ppt +# Summary: "newer" Greenstreet Art drawing +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GST_ART +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/art-gst-docfile.trid.xml +# Note: called like "Greenstreet Art drawing" by TrID +# Note: CONTENT stream contains binary part of older versions with phrase GST:ART at offset 16 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe BCARD2.ART` +>>>80 ubequad 0x602c020000000000 : Greenstreet Art drawing +#!:mime application/x-ole-storage +!:mime image/x-greenstreet-art +!:ext art +>>>80 default x +>>>>0 use ole2-unknown +#?? +# URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/ +>>88 ubequad 0xa29a00aa004a1a72 : Microsoft +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor +>>>80 ubequad 0xc2dbcd28e20ace11 Works 4 document +!:mime application/vnd.ms-works +!:apple ????AWWP +!:ext wps +# +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database +>>>80 ubequad 0xc3dbcd28e20ace11 Works 4 database +!:mime application/vnd.ms-works-db +!:apple ????AWDB +!:ext wdb/bdb +#?? +>>88 ubequad 0xa40700c04fb932ba : Microsoft +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor +>>>80 ubequad 0xb25aa40e0a9ed111 Works 5-6 document +!:mime application/vnd.ms-works +!:apple ????AWWP +!:ext wps +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Works +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: probably version 6 and 7 +# organize pictures like JPFG images in streams __cf1 with names like +# 001.JPG, 002.JPG ... in streams __fname +>>88 ubequad 0xa1c800c04f612452 : Microsoft +>>>80 ubequad 0xc0c7266eb98cd311 Works portfolio +# 2nd directory entry name PfOrder, 3rd __LastID and 4th __SizeUsed +#!:mime application/x-ole-storage +# https://www.iana.org/assignments/media-types/application/vnd.ms-works +!:mime application/vnd.ms-works +# https://extension.nirsoft.net/wsb +# like: wsbsamp.wsb WORKS2003_CD:\MSWorks\Common\Sammlung.wsb +!:ext wsb +#?? +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Publisher +>>88 ubequad 0x00c0000000000046 : Microsoft +>>>80 ubequad 0x0112020000000000 Publisher +!:mime application/vnd.ms-publisher +!:ext pub +# +# URL: http://fileformats.archiveteam.org/wiki/PPT +#?? +>>88 ubequad 0xa90300aa00510ea3 : Microsoft +>>>80 ubequad 0x70ae7bea3bfbcd11 PowerPoint 95 presentation +!:mime application/vnd.ms-powerpoint +# https://www.macdisk.com/macsigen.php +!:apple ????PPT3 +!:ext ppt/pot +#?? +>>88 ubequad 0x86ea00aa00b929e8 : Microsoft +>>>80 ubequad 0x108d81649b4fcf11 PowerPoint 97-2003 presentation or template +!:mime application/vnd.ms-powerpoint +!:apple ????PPT3 +# /autostart/template +!:ext ppt/pps/pot +# From: Joerg Jenderek +# URL: https://www.file-extensions.org/ppa-file-extension +# https://en.wikipedia.org/wiki/Microsoft_PowerPoint#cite_note-231 +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +>>88 ubequad 0x871800aa0060263b : Microsoft +# only version 8 (97) tested; PowerPoint 4.0 to 11.0 (2004) (Wikipedia); 97 to 2003 (file-extensions.org) +>>>80 ubequad 0xf04672810a72cf11 PowerPoint Addin or Wizard +# second, third and fourth directory entry name like VBA PROJECT PROJECTwm +# http://extension.nirsoft.net/pwz +!:mime application/vnd.ms-powerpoint +# like: BSHPPT97.PPA "AutoContent Wizard.pwz" +!:ext ppa/pwz +# +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/AWD_(At_Work_Document) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/awd-fax.trid.xml +# Note: called "Microsoft At Work Fax document" by TrID +>>88 ubequad 0xb29400dd010f2bf9 : Microsoft +>>>80 ubequad 0x801cb0023de01a10 At Work fax Document +#!:mime application/x-ole-storage +!:mime image/x-ms-awd +!:ext awd +# +# URL: https://en.wikipedia.org/wiki/Microsoft_Project +#?? +>>88 ubequad 0xbe1100c04fb6faf1 : Microsoft +>>>80 ubequad 0x3a8fb774c8c8d111 Project +!:mime application/vnd.ms-project +!:ext mpp +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Office_shared_tools#Binder +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/obd.trid.xml +# http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: only version 8 tested and called "Office Binder Document" by TrID and +# "Microsoft Office Binder File for Windows" version 97-2000 by DROID fmt/240 +>>88 ubequad 0xb21c00aa004ba90b : Microsoft +>>>80 ubequad 0x0004855964661b10 Office Binder Document, Template or wizard +# second directory entry name like Binder +# https://www.file-extensions.org/obd-file-extension +#!:mime application/vnd.ms-binder +!:mime application/x-msbinder +# obt for template; obz for Microsoft Office Binder wizard +!:ext obd/obt/obz +# +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# https://github.com/OneWingedShark/WordPerfect/ +# blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm +# From: Joerg Jenderek +# Note: internal version x.2 or 2.2 like in embedded ole6-PerfectOffice_MAIN.wpd +# 3rd directory entry name PerfectOffice_OBJECT and 2nd PerfectOffice_MAIN, +# which contains WordPerfect document \xffWPC signature handled by ./wordprocessors +>>88 ubequad 0x19370000929679cd : WordPerfect 7 +>>>80 ubequad 0xff739851ad2d2002 Document +!:mime application/vnd.wordperfect +#!:apple ????WPC? +# https://fossies.org/linux/wp2latex/test/ole6.wpd +!:ext wpd +#>>>>0 search/0xc01/s \xffWPC \b, WPC SIGNATURE +# inspect embedded WordPerfect document by ./wordprocessors with 1 space at end +#>>>>>&0 indirect x \b; contains +# GRR: the above expression does not work correctly +# +# URL: http://fileformats.archiveteam.org/wiki/SHW_(Corel) +#??? +>>88 ubequad 0x99ae04021c007002 : WordPerfect +>>>80 ubequad 0x62fe2e4099191b10 7-X3 presentation +!:mime application/x-corelpresentations +#!:mime application/x-shw-viewer +#!:mime image/x-presentations +!:ext shw +# +# URL: http://www.checkfilename.com/view-details/WordPerfect-Office-X3/RespageIndex/0/sTab/2/ +>>>80 ubequad 0x60fe2e4099191b10 9 Graphic +#!:mime application/x-wpg +#!:mime image/x-wordperfect-graphics +!:mime image/x-wpg +# https://www.macdisk.com/macsigen.php "WPC2" for Wordperfect 2 *.wpd +!:apple ????WPC9 +!:ext wpg +# +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CorelCAD +# https://en.wikipedia.org/wiki/CorelCAD +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccd-corelcad.trid.xml +# Note: called "CorelCAD Drawing" by TrID and CorelCAD +# directory entry names like Contents ViewInfo CustomViewDescriptions LayerInfo +>>88 ubequad 0xbe26db67235e2689 : Corel +>>>80 ubequad 0x20f414de1cacce11 \bCAD Drawing or Template +#!:mime application/x-ole-storage +!:mime application/x-corel-cad +# CCT for CorelCAD Template +!:ext ccd/cct +# +# URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats +>>88 ubequad 0x996104021c007002 : StarOffice +>>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template +# https://www.openoffice.org/framework/documentation/mimetypes/mimetypes.html +!:mime application/x-starwriter +!:ext sdw/vor +# +>>>80 ubequad 0xa03f543fa6b61b10 StarCalc 3.0 spreadsheet or template +!:mime application/x-starcalc +!:ext sdc/vor +# +>>>80 ubequad 0xe0aa10af6db31b10 StarDraw 3.0 drawing or template +!:mime application/x-starimpress +#!:mime application/x-stardraw +# sda ?? +!:ext sdd/sda/vor +#?? +>>88 ubequad 0x89cb008029e4b0b1 : StarOffice +>>>80 ubequad 0x41d461633542d011 StarCalc 4.0 spreadsheet or template +!:mime application/x-starcalc +!:ext sdc/vor +# +>>>80 ubequad 0x61b8a5c6d685d111 StarCalc 5.0 spreadsheet or template +!:mime application/vnd.stardivision.cal +!:ext sdc/vor +# +>>>80 ubequad 0xc03c2d011642d011 StarImpress 4.0 presentation or template +!:mime application/x-starimpress +!:ext sdd/vor +#?? +>>88 ubequad 0xb12a04021c007002 : StarOffice +>>>80 ubequad 0x600459d4fd351c10 StarMath 3.0 +!:mime application/x-starmath +!:ext smf +#?? +>>88 ubequad 0x8e2c00001b4cc711 : StarOffice +>>>80 ubequad 0xe0999cfb6d2c1c10 StarChart 3.0 +!:mime application/x-starchart +!:ext sds +#?? +>>88 ubequad 0xa45e00a0249d57b1 : StarOffice +>>>80 ubequad 0xb0e9048b0e42d011 StarWriter 4.0 document or template +!:mime application/x-starwriter +!:ext sdw/vor +#?? +>>88 ubequad 0x89ca008029e4b0b1 : StarOffice +>>>80 ubequad 0xe1b7b3022542d011 StarMath 4.0 +!:mime application/x-starmath +!:ext smf +# +>>>80 ubequad 0xe0b7b3022542d011 StarChart 4.0 +!:mime application/x-starchart +!:ext sds +#?? +>>88 ubequad 0xa53f00a0249d57b1 : StarOffice +>>>80 ubequad 0x70c90a340de3d011 Master 4.0 document +!:mime application/x-starwriter-global +!:ext sgl +#?? +>>88 ubequad 0x89d0008029e4b0b1 : StarOffice +>>>80 ubequad 0x40e6b5ffde85d111 StarMath 5.0 +!:mime application/vnd.stardivision.math +!:ext smf +# +>>>80 ubequad 0xa005892ebd85d111 StarDraw 5.0 drawing or template +!:mime application/vnd.stardivision.draw +!:ext sda/vor +# +>>>80 ubequad 0x21725c56bc85d111 StarImpress 5.0 presentation or template +!:mime application/vnd.stardivision.impress +# sda is used for what? +!:ext sdd/vor/sda +# +>>>80 ubequad 0x214388bfdd85d111 StarChart 5.0 +!:mime application/vnd.stardivision.chart +!:ext sds +# ?? +>>88 ubequad 0xaab4006097da561a : StarOffice +>>>80 ubequad 0xd1f90cc2ae85d111 StarWriter 5.0 document or template +!:mime application/vnd.stardivision.writer +!:ext sdw/vor +# +>>>80 ubequad 0xd3f90cc2ae85d111 Master 5.0 document +!:mime application/vnd.stardivision.writer-global +!:ext sgl +#?? +# URL: http://fileformats.archiveteam.org/wiki/FlashPix +>>88 ubequad 0x855300aa00a1f95b : Kodak +>>>80 ubequad 0x0067615654c1ce11 FlashPIX Image +!:mime image/vnd.fpx +!:apple ????FPix +!:ext fpx +# URL: https://en.wikipedia.org/wiki/SoftMaker_Office +>>88 ubequad 0x95f600a0cc3cca14 : PlanMaker +>>>80 ubequad 0x9174088a6452d411 document or template +!:mime application/vnd.softmaker.planmaker +# pmv for template https://www.file-extensions.org/pmv-file-extension +!:ext pmd/pmv +# URL: http://fileformats.archiveteam.org/wiki/MAX_(3ds_Max) +# https://en.wikipedia.org/wiki/Autodesk_3ds_Max +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: called "3D Studio Max Scene" by TrID and "3DS Max" by DROID and +# "3DSMax thumbnail" by XnView and verfied by `nconvert -info A380.max` +# applies only to "newer" versions (about 2008-2020) +>>88 ubequad 0x9fed04143144cc1e : Autodesk +>>>80 ubequad 0x7b8cdd1cc081a045 3ds Max +#!:mime application/x-ole-storage +!:mime model/x-autodesk-max +# like: https://static.free3d.com/models/dropbox/dropbox/sq/A380.7z/A380.max +!:ext max +# also chr for character file according to DROID https://www.nationalarchives.gov.uk/PRONOM/fmt/978 +#!:ext max/chr +# remaining non null clsid +>>88 default x +>>>0 use ole2-unknown +# display information about directory for not detected CDF files +0 name ole2-unknown +>80 ubequad x : UNKNOWN +# https://reposcope.com/mimetype/application/x-ole-storage +!:mime application/x-ole-storage +# according to file version 5.41 with -e soft option +#!:mime application/CDFV2 +#!:ext ??? +>80 ubequad !0 \b, clsid %#16.16llx +>>88 ubequad x \b%16.16llx +# converted hexadecimal format to standard GUUID notation +>>80 guid x {%s} +# second directory entry name like VisioDocument Control000 +>128 lestring16 x with names %.20s +# third directory entry like WordDocument Preview.dib +>256 lestring16 x %.20s +# forth like \005SummaryInformation +>384 lestring16 x %.25s +# 5th +>512 lestring16 x %.10s +# 6th +>640 lestring16 x %.10s +# 7th +>768 lestring16 x %.10s diff --git a/magic/Magdir/olf b/magic/Magdir/olf new file mode 100644 index 0000000..6ae3fc0 --- /dev/null +++ b/magic/Magdir/olf @@ -0,0 +1,98 @@ + +#------------------------------------------------------------------------------ +# $File: olf,v 1.4 2009/09/19 16:28:11 christos Exp $ +# olf: file(1) magic for OLF executables +# +# We have to check the byte order flag to see what byte order all the +# other stuff in the header is in. +# +# MIPS R3000 may also be for MIPS R2000. +# What're the correct byte orders for the nCUBE and the Fujitsu VPP500? +# +# Created by Erik Theisen <etheisen@openbsd.org> +# Based on elf from Daniel Quinlan <quinlan@yggdrasil.com> +0 string \177OLF OLF +>4 byte 0 invalid class +>4 byte 1 32-bit +>4 byte 2 64-bit +>7 byte 0 invalid os +>7 byte 1 OpenBSD +>7 byte 2 NetBSD +>7 byte 3 FreeBSD +>7 byte 4 4.4BSD +>7 byte 5 Linux +>7 byte 6 SVR4 +>7 byte 7 esix +>7 byte 8 Solaris +>7 byte 9 Irix +>7 byte 10 SCO +>7 byte 11 Dell +>7 byte 12 NCR +>5 byte 0 invalid byte order +>5 byte 1 LSB +>>16 leshort 0 no file type, +>>16 leshort 1 relocatable, +>>16 leshort 2 executable, +>>16 leshort 3 shared object, +# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de> +# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> +>>16 leshort 4 core file +>>>(0x38+0xcc) string >\0 of '%s' +>>>(0x38+0x10) lelong >0 (signal %d), +>>16 leshort &0xff00 processor-specific, +>>18 leshort 0 no machine, +>>18 leshort 1 AT&T WE32100 - invalid byte order, +>>18 leshort 2 SPARC - invalid byte order, +>>18 leshort 3 Intel 80386, +>>18 leshort 4 Motorola 68000 - invalid byte order, +>>18 leshort 5 Motorola 88000 - invalid byte order, +>>18 leshort 6 Intel 80486, +>>18 leshort 7 Intel 80860, +>>18 leshort 8 MIPS R3000_BE - invalid byte order, +>>18 leshort 9 Amdahl - invalid byte order, +>>18 leshort 10 MIPS R3000_LE, +>>18 leshort 11 RS6000 - invalid byte order, +>>18 leshort 15 PA-RISC - invalid byte order, +>>18 leshort 16 nCUBE, +>>18 leshort 17 VPP500, +>>18 leshort 18 SPARC32PLUS, +>>18 leshort 20 PowerPC, +>>18 leshort 0x9026 Alpha, +>>20 lelong 0 invalid version +>>20 lelong 1 version 1 +>>36 lelong 1 MathCoPro/FPU/MAU Required +>8 string >\0 (%s) +>5 byte 2 MSB +>>16 beshort 0 no file type, +>>16 beshort 1 relocatable, +>>16 beshort 2 executable, +>>16 beshort 3 shared object, +>>16 beshort 4 core file, +>>>(0x38+0xcc) string >\0 of '%s' +>>>(0x38+0x10) belong >0 (signal %d), +>>16 beshort &0xff00 processor-specific, +>>18 beshort 0 no machine, +>>18 beshort 1 AT&T WE32100, +>>18 beshort 2 SPARC, +>>18 beshort 3 Intel 80386 - invalid byte order, +>>18 beshort 4 Motorola 68000, +>>18 beshort 5 Motorola 88000, +>>18 beshort 6 Intel 80486 - invalid byte order, +>>18 beshort 7 Intel 80860, +>>18 beshort 8 MIPS R3000_BE, +>>18 beshort 9 Amdahl, +>>18 beshort 10 MIPS R3000_LE - invalid byte order, +>>18 beshort 11 RS6000, +>>18 beshort 15 PA-RISC, +>>18 beshort 16 nCUBE, +>>18 beshort 17 VPP500, +>>18 beshort 18 SPARC32PLUS, +>>18 beshort 20 PowerPC or cisco 4500, +>>18 beshort 21 cisco 7500, +>>18 beshort 24 cisco SVIP, +>>18 beshort 25 cisco 7200, +>>18 beshort 36 cisco 12000, +>>18 beshort 0x9026 Alpha, +>>20 belong 0 invalid version +>>20 belong 1 version 1 +>>36 belong 1 MathCoPro/FPU/MAU Required diff --git a/magic/Magdir/openfst b/magic/Magdir/openfst new file mode 100644 index 0000000..8df9b56 --- /dev/null +++ b/magic/Magdir/openfst @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: openfst,v 1.1 2019/09/30 15:58:24 christos Exp $ +# openfs: file(1) magic for OpenFST (Weighted finite-state tranducer library) + +0 long 0x7eb2fdd6 OpenFst binary FST data +>&0 pstring/l x \b, fst type: %s +>>&0 pstring/l x \b, arc type: %s +>>>&0 long x \b, version: %d +>>>>&20 quad x \b, num states: %lld +>>>>>&0 quad >0 \b, num arcs: %lld + +0 long 0x56515c OpenFst binary FAR data, far type: stlist +>4 long x \b, version: %d + +0 long 0x7eb2f35c OpenFst binary FAR data, far type: sttable +>4 long x \b, version: %d diff --git a/magic/Magdir/opentimestamps b/magic/Magdir/opentimestamps new file mode 100644 index 0000000..f2f0e3e --- /dev/null +++ b/magic/Magdir/opentimestamps @@ -0,0 +1,16 @@ + +#------------------------------------------------------------ +# $File: opentimestamps,v 1.1 2019/05/27 01:27:31 christos Exp $ +# OpenTimestamps related magic entries +# https://opentimestamps.org/ +# https://en.wikipedia.org/wiki/OpenTimestamps +# "Emanuele Cisbani" <emanuele.cisbani@gmail.com> +#------------------------------------------------------------ + +# OpenTimestamps Proof .ots format. +# Magic is defined here: +# https://github.com/opentimestamps/python-opentimestamps/\ +# blob/master/opentimestamps/core/timestamp.py#L273 + +0 string \x00\x4f\x70\x65\x6e\x54\x69\x6d\x65\x73\x74\x61\x6d\x70\x73\x00 OpenTimestamps +>16 string \x00\x50\x72\x6f\x6f\x66\x00\xbf\x89\xe2\xe8\x84\xe8\x92\x94\x01 Proof diff --git a/magic/Magdir/oric b/magic/Magdir/oric new file mode 100644 index 0000000..38c02c5 --- /dev/null +++ b/magic/Magdir/oric @@ -0,0 +1,16 @@ + +#------------------------------------------------------------------------------ +# $File: oric,v 1.2 2022/04/25 17:28:20 christos Exp $ +# Oric tape files +# From: Stefan A. Haubenthal <polluks@sdf.lonestar.org> +# References: +# http://fileformats.archiveteam.org/wiki/TAP_(Oric) +# http://fileformats.archiveteam.org/wiki/DSK_(Oric) +0 string \x16\x16\x16\x24 Oric tape, +>6 byte =0x00 BASIC, +>6 byte =0x80 memory block, +>7 byte >0x00 autorun, +>13 string x "%.15s" + +0 string ORICDISK Oric Image +0 string MFM_DISK Oric Image diff --git a/magic/Magdir/os2 b/magic/Magdir/os2 new file mode 100644 index 0000000..cb43e99 --- /dev/null +++ b/magic/Magdir/os2 @@ -0,0 +1,186 @@ + +#------------------------------------------------------------------------------ +# $File: os2,v 1.14 2022/03/21 21:25:50 christos Exp $ +# os2: file(1) magic for OS/2 files +# + +# Provided 1998/08/22 by +# David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> +1 search/100 InternetShortcut MS Windows 95 Internet shortcut text +!:mime application/x-mswinurl +!:ext url +>17 search/100 URL= (URL=< +>>&0 string x \b%s>) + +# OS/2 URL objects +# Provided 1998/08/22 by +# David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> +#0 string http: OS/2 URL object text +#>5 string >\ (WWW) <http:%s> +#0 string mailto: OS/2 URL object text +#>7 string >\ (email) <%s> +#0 string news: OS/2 URL object text +#>5 string >\ (Usenet) <%s> +#0 string ftp: OS/2 URL object text +#>4 string >\ (FTP) <ftp:%s> +#0 string file: OS/2 URL object text +#>5 string >\ (Local file) <%s> + +# >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) +# URL: http://fileformats.archiveteam.org/wiki/INF/HLP_(OS/2) +# Reference: http://www.edm2.com/0308/inf.html +# Carl Hauser (chauser.parc@xerox.com) and +# Marcus Groeber (marcusg@ph-cip.uni-koeln.de) +# list the following header format in inf02a.doc: +# +# int16 ID; // ID magic word (5348h = "HS") +# int8 unknown1; // unknown purpose, could be third letter of ID +# int8 flags; // probably a flag word... +# // bit 0: set if INF style file +# // bit 4: set if HLP style file +# // patching this byte allows reading HLP files +# // using the VIEW command, while help files +# // seem to work with INF settings here as well. +# int16 hdrsize; // total size of header +# int16 unknown2; // unknown purpose +# +0 string HSP\x01\x9b\x00 OS/2 INF +!:mime application/x-os2-inf +!:ext inf +>107 string >0 (%s) +0 string HSP\x10\x9b\x00 OS/2 HLP +!:mime application/x-os2-hlp +!:ext hlp +>107 string >0 (%s) + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MSG_(OS/2) +# Reference: https://github.com/OS2World/UTIL-SYSTEM-MKMSGF/blob/master/mkmsgf.h +# Note: created by MKMSGF.EXE. Text source can be recreated by E_MSGF +# example like OS001H.MSG +0 string \xffMKMSGF\0 OS/2 help message +!:mime application/x-os2-msg +!:ext msg +# identifier[3] like: DOS NET REX SYS ... +>8 string x '%.3s' +# msgnumber: number of messages +>11 uleshort x \b, %u messages +# firstmsgnumber; number of the first message like: some times 0 often 1 169 1000 3502 +>13 uleshort >1 \b, 1st number %u +# offset16bit; 1~Index table has 16-bit offsets (files<64k) 0~Index table has 32-bit offsets +>15 ubyte =0 \b, 32-bit +#>15 ubyte =1 \b, 16-bit +# version; file version: 2~new 0~old +>16 uleshort !2 \b, version %u +# indextaboffset; offset of index table: 1F~after header 0~no index table for version 0? +>18 uleshort >0 +>>18 uleshort !0x1f \b, at %#x index +# 32-bit offset +>>15 ubyte =0 +# offset with message table +>>>(18.s) ulelong x \b, at %#x +# 1st message +# http://www.os2museum.com/files/docs/os210ptk/os2-1.0-ptk-tools-1988.pdf +# message type: E~Error H~Help I~Information P~Prompt W~Warning ? +>>>>(&-4.l) ubyte x %c-type +>>>>>&0 string x %s +# 16-bit offset +>>15 ubyte =1 +# msgnum; message number +>>>(18.s) uleshort x \b, number %u +# msgindex; offset of message from begin of file +>>>(18.s+2) uleshort x at %#x +# message type E H I P W ? +>>>>(&-2.s) ubyte x %c-type +# skip newline carriage return +>>>>>&0 ubeshort =0x0D0a +>>>>>>&0 string x %s +>>>>>&0 ubeshort !0x0D0a +>>>>>>&-2 string x %s +# for version 0 index table apparently at offset 1F +>16 uleshort 0 +>>15 ubyte 1 +# 1st message 16-bit +>>>0x1F uleshort x \b, at %#x +# message type: E~Error H~Help I~Information P~Prompt W~Warning ? +>>>>(0x1F.s) ubyte x %c-type +>>>>>&0 string x %s +# 2nd message 16-bit +>>>0x21 uleshort x \b, at %#x +>>>>(0x21.s) ubyte x %c-type +>>>>>&0 string x %s +# 3rd message 16-bit +>>>0x23 uleshort x \b, at %#x +>>>>(0x23.s) ubyte x %c-type +>>>>>&0 string x %s +# version 0 32-bit +>>15 ubyte 0 +# 1st message 32-bit +>>>0x1f ulelong x \b, at %#x +>>>>(0x1F.l) ubyte x %c-type +>>>>>&0 string x %s +# 2nd message 32-bit +>>>0x23 ulelong x \b, at %#x +>>>>(0x23.l) ubyte x %c-type +>>>>>&0 string x %s +# 3rd message 32-bit +>>>0x27 ulelong x \b, AT %#x +>>>>(0x27.l) ubyte x %c-type +>>>>>&0 string x %s +# countryinfo; offset of country info block: 0 for version 0 +>20 uleshort !0 \b, at %#x countryinfo +# nextcoutryinfo +>>22 uleshort >0 \b, at %#x next +# reserved[5]; Must be 0 +>>25 ulelong !0 \b, RESERVED %#x +>>(20.s) use os2-msg-info +# display country info block of MKMSGF message file +0 name os2-msg-info +# bytesperchar; bytes per char: 1~SBCS 2~DBCS +>0 ubyte >1 \b, %u bytes/char +# reserved; Not known +>1 uleshort !0 \b, reserved %#x +# langfamilyID; language family ID like: 0~? 1~Arabic ... 7~German ... 9~English ... 34~Slovene +>3 uleshort >0 \b, language %u +# langversionID; like: 7_1~German 7_2~Swiss German 12_1~French 12_3~Canadian French +>>5 uleshort x \b_%u +# langfamilyID too high. This should not happen +>3 uleshort >34 (invalid language) +# codepagesnumber; number of codepages like: 1 2 ... 16 +>7 uleshort x \b, %u code page +# plural s +>7 uleshort >1 \bs +# too many number of codepages. This should not happen +>7 uleshort >16 (Too many) +# codepages[16]; codepages list like 437 850 ... +>7 uleshort <17 +# 1st code page +>>9 uleshort >0 %u +# possible 2nd code page number +>>>7 uleshort >1 +>>>>11 uleshort x %u +# filename[260]; name of file like: dbaseos2.msg dde4c01e.msg os2ldr.mgr xdfh.msg ... +>41 string x \b, %s + +# OS/2 INI (this is a guess) +0 string \xff\xff\xff\xff\x14\0\0\0 OS/2 INI +!:mime application/x-os2-ini +!:ext ini + +# From: Joerg Jenderek +# URL: http://warpin.netlabs.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-wpi.trid.xml +# Note: called by TrID "WarpIN Installer" +# probably magic at the beginning +0 ubelong =0x770402BE WarpIN Installer +#>4 ubelong =0x03000000 +#!:mime application/octet-stream +!:mime application/x-os2-wpi +!:ext wpi +# creator program name like: "reserved" or "WIC x.y.z" +>0x106 string x \b, created by %s +# name like: "reserved" or "OS/2 Netlabs" +>0x146 string x \b, '%s' +# name like: "N/A" "http://warpin.netlabs.org" +>0x186 string x \b, URL %s + diff --git a/magic/Magdir/os400 b/magic/Magdir/os400 new file mode 100644 index 0000000..6a05f08 --- /dev/null +++ b/magic/Magdir/os400 @@ -0,0 +1,39 @@ + +#------------------------------------------------------------------------------ +# $File: os400,v 1.5 2009/09/19 16:28:11 christos Exp $ +# os400: file(1) magic for IBM OS/400 files +# +# IBM OS/400 (i5/OS) Save file (SAVF) - gerardo.cacciari@gmail.com +# In spite of its quite variable format (due to internal memory page +# length differences between CISC and RISC versions of the OS) the +# SAVF structure hasn't suitable offsets to identify the catalog +# header in the first descriptor where there are some useful infos, +# so we must search in a somewhat large area for a particular string +# that represents the EBCDIC encoding of 'QSRDSSPC' (save/restore +# descriptor space) preceded by a two byte constant. +# +1090 search/7393 \x19\xDB\xD8\xE2\xD9\xC4\xE2\xE2\xD7\xC3 IBM OS/400 save file data +>&212 byte 0x01 \b, created with SAVOBJ +>&212 byte 0x02 \b, created with SAVLIB +>&212 byte 0x07 \b, created with SAVCFG +>&212 byte 0x08 \b, created with SAVSECDTA +>&212 byte 0x0A \b, created with SAVSECDTA +>&212 byte 0x0B \b, created with SAVDLO +>&212 byte 0x0D \b, created with SAVLICPGM +>&212 byte 0x11 \b, created with SAVCHGOBJ +>&213 byte 0x44 \b, at least V5R4 to open +>&213 byte 0x43 \b, at least V5R3 to open +>&213 byte 0x42 \b, at least V5R2 to open +>&213 byte 0x41 \b, at least V5R1 to open +>&213 byte 0x40 \b, at least V4R5 to open +>&213 byte 0x3F \b, at least V4R4 to open +>&213 byte 0x3E \b, at least V4R3 to open +>&213 byte 0x3C \b, at least V4R2 to open +>&213 byte 0x3D \b, at least V4R1M4 to open +>&213 byte 0x3B \b, at least V4R1 to open +>&213 byte 0x3A \b, at least V3R7 to open +>&213 byte 0x35 \b, at least V3R6 to open +>&213 byte 0x36 \b, at least V3R2 to open +>&213 byte 0x34 \b, at least V3R1 to open +>&213 byte 0x31 \b, at least V3R0M5 to open +>&213 byte 0x30 \b, at least V2R3 to open diff --git a/magic/Magdir/os9 b/magic/Magdir/os9 new file mode 100644 index 0000000..74b47f3 --- /dev/null +++ b/magic/Magdir/os9 @@ -0,0 +1,80 @@ + +#------------------------------------------------------------------------------ +# $File: os9,v 1.8 2017/03/17 21:35:28 christos Exp $ +# +# Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# +# +# OS9/6809 module descriptions: +# +0 beshort 0x87CD OS9/6809 module: +# +>6 byte&0x0f 0x00 non-executable +>6 byte&0x0f 0x01 machine language +>6 byte&0x0f 0x02 BASIC I-code +>6 byte&0x0f 0x03 Pascal P-code +>6 byte&0x0f 0x04 C I-code +>6 byte&0x0f 0x05 COBOL I-code +>6 byte&0x0f 0x06 Fortran I-code +# +>6 byte&0xf0 0x10 program executable +>6 byte&0xf0 0x20 subroutine +>6 byte&0xf0 0x30 multi-module +>6 byte&0xf0 0x40 data module +# +>6 byte&0xf0 0xC0 system module +>6 byte&0xf0 0xD0 file manager +>6 byte&0xf0 0xE0 device driver +>6 byte&0xf0 0xF0 device descriptor +# +# OS9/m68k stuff (to be continued) +# +0 beshort 0x4AFC OS9/68K module: +# +# attr +>0x14 byte&0x80 0x80 re-entrant +>0x14 byte&0x40 0x40 ghost +>0x14 byte&0x20 0x20 system-state +# +# lang: +# +>0x13 byte 1 machine language +>0x13 byte 2 BASIC I-code +>0x13 byte 3 Pascal P-code +>0x13 byte 4 C I-code +>0x13 byte 5 COBOL I-code +>0x13 byte 6 Fortran I-code +# +# +# type: +# +>0x12 byte 1 program executable +>0x12 byte 2 subroutine +>0x12 byte 3 multi-module +>0x12 byte 4 data module +>0x12 byte 11 trap library +>0x12 byte 12 system module +>0x12 byte 13 file manager +>0x12 byte 14 device driver +>0x12 byte 15 device descriptor diff --git a/magic/Magdir/osf1 b/magic/Magdir/osf1 new file mode 100644 index 0000000..4e91471 --- /dev/null +++ b/magic/Magdir/osf1 @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: osf1,v 1.7 2009/09/19 16:28:11 christos Exp $ +# +# Mach magic number info +# +0 long 0xefbe OSF/Rose object +# I386 magic number info +# +0 short 0565 i386 COFF object diff --git a/magic/Magdir/palm b/magic/Magdir/palm new file mode 100644 index 0000000..5d2b913 --- /dev/null +++ b/magic/Magdir/palm @@ -0,0 +1,156 @@ + +#------------------------------------------------------------------------------ +# $File: palm,v 1.15 2021/12/16 21:50:06 christos Exp $ +# palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks +# +# Brian Lalor <blalor@hcirisc.cs.binghamton.edu> + +# These are weak, byte 59 is not guaranteed to be 0 and there are +# 8 character identifiers at byte 60, one I found for appl is BIGb. +# What are the possibilities and where is this documented? + +# The common header format for PalmOS .pdb/.prc files is +# { +# char name[ 32 ]; +# Word attributes; +# Word version; +# DWord creationDate; +# DWord modificationDate; +# DWord lastBackupDate; +# DWord modificationNumber; +# DWord appInfoID; +# DWord sortInfoID; +# char type[4]; +# char creator[4]; +# DWord uniqueIDSeed; +# RecordListType recordList; +# }; +# +# Datestamps are unsigned seconds since the MacOS epoch (Jan 1, 1904), +# or Unix/POSIX time + 2082844800. + +0 name aportisdoc +# date is supposed to be big-endian seconds since 1 Jan 1904, but many +# files contain the timestamp in little-endian or a completely +# nonsensical value... +#>36 bedate-2082844800 >0 \b, created %s +# compression: 1=uncomp, 2=orig, 0x4448=HuffDic +>(78.L) beshort =1 \b, uncompressed +# compressed +>(78.L) beshort >1 +>>(78.L+4) belong x \b, %d bytes uncompressed + +# appl +#60 string appl PalmOS application +#>0 string >\0 "%s" + +# HACK +#60 string HACK HackMaster hack +#>0 string >\0 "%s" + +# iSiloX e-book +60 string SDocSilX iSiloX E-book +>0 string >\0 "%s" + +# Mobipocket (www.mobipocket.com), donated by Carl Witty +# expanded by Ralf Brown +60 string BOOKMOBI Mobipocket E-book +!:mime application/x-mobipocket-ebook +# MobiPocket stores a full title, pointed at by the belong at offset +# 0x54 in its header at (78.L), with length given by the belong at +# offset 0x58. +# there's no guarantee that the title string is null-terminated, but +# we currently can't specify a variable-length string where the length +# field is not at the start of the string; in practice, the data +# following the string always seems to start with a zero byte +>(78.L) belong x +>>&(&0x50.L-4) string >\0 "%s" +>0 use aportisdoc +>>(78.L+0x68) belong >0 \b, version %d +>>(78.L+0x1C) belong !0 \b, codepage %d +>>(78.L+0x0C) beshort >0 \b, encrypted (type %d) + +# AportisDoc/PalmDOC +60 string TEXtREAd AportisDoc/PalmDOC E-book +>0 string >\0 "%s" +>0 use aportisdoc + +# Variety of PalmOS document types +# Michael-John Turner <mj@debian.org> +# Thanks to Hasan Umit Ezerce <humit@tr-net.net.tr> for his DocType +60 string BVokBDIC BDicty PalmOS document +>0 string >\0 "%s" +60 string DB99DBOS DB PalmOS document +>0 string >\0 "%s" +60 string vIMGView FireViewer/ImageViewer PalmOS document +>0 string >\0 "%s" +60 string PmDBPmDB HanDBase PalmOS document +>0 string >\0 "%s" +60 string InfoINDB InfoView PalmOS document +>0 string >\0 "%s" +60 string ToGoToGo iSilo PalmOS document +>0 string >\0 "%s" +60 string JfDbJBas JFile PalmOS document +>0 string >\0 "%s" +60 string JfDbJFil JFile Pro PalmOS document +>0 string >\0 "%s" +60 string DATALSdb List PalmOS document +>0 string >\0 "%s" +60 string Mdb1Mdb1 MobileDB PalmOS document +>0 string >\0 "%s" +60 string PNRdPPrs PeanutPress PalmOS document +>0 string >\0 "%s" +60 string DataPlkr Plucker PalmOS document +>0 string >\0 "%s" +60 string DataSprd QuickSheet PalmOS document +>0 string >\0 "%s" +60 string SM01SMem SuperMemo PalmOS document +>0 string >\0 "%s" +60 string TEXtTlDc TealDoc PalmOS document +>0 string >\0 "%s" +60 string InfoTlIf TealInfo PalmOS document +>0 string >\0 "%s" +60 string DataTlMl TealMeal PalmOS document +>0 string >\0 "%s" +60 string DataTlPt TealPaint PalmOS document +>0 string >\0 "%s" +60 string dataTDBP ThinkDB PalmOS document +>0 string >\0 "%s" +60 string TdatTide Tides PalmOS document +>0 string >\0 "%s" +60 string ToRaTRPW TomeRaider PalmOS document +>0 string >\0 "%s" + +# A GutenPalm zTXT etext for use on Palm Pilots (http://gutenpalm.sf.net) +# For version 1.xx zTXTs, outputs version and numbers of bookmarks and +# annotations. +# For other versions, just outputs version. +# +60 string zTXT A GutenPalm zTXT e-book +>0 string >\0 "%s" +>(0x4E.L) byte 0 +>>(0x4E.L+1) byte x (v0.%02d) +>(0x4E.L) byte 1 +>>(0x4E.L+1) byte x (v1.%02d) +>>>(0x4E.L+10) beshort >0 +>>>>(0x4E.L+10) beshort <2 - 1 bookmark +>>>>(0x4E.L+10) beshort >1 - %d bookmarks +>>>(0x4E.L+14) beshort >0 +>>>>(0x4E.L+14) beshort <2 - 1 annotation +>>>>(0x4E.L+14) beshort >1 - %d annotations +>(0x4E.L) byte >1 (v%d. +>>(0x4E.L+1) byte x %02d) + +# Palm OS .prc file types +60 string libr +# flags, only bit 0 or bit 6 +# https://en.wikipedia.org/wiki/PRC_%28Palm_OS%29 +# https://web.mit.edu/tytso/www/pilot/prc-format.html +>0x20 beshort&0xffbe 0 +>>0 string >\0 Palm OS dynamic library data "%s" +60 string ptch Palm OS operating system patch data +>0 string >\0 "%s" + +# Mobipocket (www.mobipocket.com), donated by Carl Witty +60 string BOOKMOBI Mobipocket E-book +>0 string >\0 "%s" diff --git a/magic/Magdir/parix b/magic/Magdir/parix new file mode 100644 index 0000000..ba5cbf5 --- /dev/null +++ b/magic/Magdir/parix @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: parix,v 1.5 2020/03/08 22:18:32 christos Exp $ +# +# Parix COFF executables +# From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de> +# +0 beshort&0xefff 0x8ACE PARIX +>0 byte&0xf0 0x80 T800 +>0 byte&0xf0 0x90 T9000 +>19 byte&0x02 0x02 executable +>19 byte&0x02 0x00 object +>19 byte&0x0c 0x00 not stripped diff --git a/magic/Magdir/parrot b/magic/Magdir/parrot new file mode 100644 index 0000000..b2a56c8 --- /dev/null +++ b/magic/Magdir/parrot @@ -0,0 +1,22 @@ +#------------------------------------------------------------------------------ +# $File: parrot,v 1.2 2019/04/19 00:42:27 christos Exp $ +# parrot: file(1) magic for Parrot Virtual Machine +# URL: https://www.lua.org/ +# From: Lubomir Rintel <lkundrak@v3.sk> + +# Compiled Parrot byte code +0 string \376PBC\r\n\032\n Parrot bytecode +>64 byte x %d. +>72 byte x \b%d, +>8 byte >0 %d byte words, +>16 byte 0 little-endian, +>16 byte 1 big-endian, +>32 byte 0 IEEE-754 8 byte double floats, +>32 byte 1 x86 12 byte long double floats, +>32 byte 2 IEEE-754 16 byte long double floats, +>32 byte 3 MIPS 16 byte long double floats, +>32 byte 4 AIX 16 byte long double floats, +>32 byte 5 4-byte floats, +>40 byte x Parrot %d. +>48 byte x \b%d. +>56 byte x \b%d diff --git a/magic/Magdir/pascal b/magic/Magdir/pascal new file mode 100644 index 0000000..6168802 --- /dev/null +++ b/magic/Magdir/pascal @@ -0,0 +1,39 @@ +#------------------------------------------------------------------------------ +# $File: pascal,v 1.4 2022/07/30 16:53:06 christos Exp $ +# pascal: file(1) magic for Pascal source +# +0 search/8192 (input, Pascal source text +!:mime text/x-pascal +#0 regex \^program Pascal source text +#!:mime text/x-pascal +#0 regex \^record Pascal source text +#!:mime text/x-pascal + +# Free Pascal +0 string PPU Pascal unit +>3 string x \b, version %s + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Dan_Bricklin +0 string/b Type +# URL: https://dl.winworldpc.com/Dan%20Bricklins%20Demo%20II%20Version%202%20Manual.7z +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-v2.trid.xml +>4 string D2 Dan Bricklin's Demo 2 demo +#!:mime application/octet-stream +!:ext dbd +# URL: https://muhaz.org/turbo-pascal-download-details.html +# From: Joerg Jenderek +# Note: used by Turbo Pascal 5.5 TOUR.EXE +>4 string T2 Turbo Pascal TOUR data +#!:mime application/octet-stream +!:mime application/x-borland-cbt +!:ext cbt +# WHAT iS THAT? +#>4 string \040P Dan Bricklin's Demo 2 foo +#!:mime application/octet-stream +# _PPRINT.SG2 _PASCII.SG2 +#!:ext sg2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-gen.trid.xml +>4 default x Dan Bricklin's Demo demo (generic) +#!:mime application/octet-stream +!:ext dbd diff --git a/magic/Magdir/pbf b/magic/Magdir/pbf new file mode 100644 index 0000000..0ab7a88 --- /dev/null +++ b/magic/Magdir/pbf @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: pbf,v 1.3 2019/04/19 00:42:27 christos Exp $ +# file(1) magic(5) data for OpenStreetMap + +# OpenStreetMap Protocolbuffer Binary Format (.osm.pbf) +# https://wiki.openstreetmap.org/wiki/PBF_Format +# From: Markus Heidelberg <markus.heidelberg@web.de> +0 belong&0xfffffff0 0 +>4 beshort 0x0A09 +>>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format diff --git a/magic/Magdir/pbm b/magic/Magdir/pbm new file mode 100644 index 0000000..40ecf49 --- /dev/null +++ b/magic/Magdir/pbm @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: pbm,v 1.6 2009/09/19 16:28:11 christos Exp $ +# pbm: file(1) magic for Portable Bitmap files +# +# XXX - byte order? +# +0 short 0x2a17 "compact bitmap" format (Poskanzer) diff --git a/magic/Magdir/pc88 b/magic/Magdir/pc88 new file mode 100644 index 0000000..03822f5 --- /dev/null +++ b/magic/Magdir/pc88 @@ -0,0 +1,24 @@ +#------------------------------------------------------------------------------ +# pc88: file(1) magic for the NEC Home Computer +# v1.0 +# Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> + +# PC88 2D disk image +0x20 ulelong&0xFFFFFEFF 0x2A0 +>0x10 string \0\0\0\0\0\0\0\0\0\0 +>>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>0x1A ubyte&0xEF 0 +>>>>0x1B ubyte&0x8F 0 +>>>>>0x1B ubyte&70 <0x40 +>>>>>>0x1C ulelong >0x21 +>>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s +>>>>>>>>0x1B ubyte 0 \b, media=2D +>>>>>>>>0x1B ubyte 0x10 \b, media=2DD +>>>>>>>>0x1B ubyte 0x20 \b, media=2HD +>>>>>>>>0x1B ubyte 0x30 \b, media=1D +>>>>>>>>0x1B ubyte 0x40 \b, media=1DD +>>>>>>>>0x1A ubyte 0x10 \b, write-protected + + + + diff --git a/magic/Magdir/pc98 b/magic/Magdir/pc98 new file mode 100644 index 0000000..e8f6b8a --- /dev/null +++ b/magic/Magdir/pc98 @@ -0,0 +1,77 @@ +#------------------------------------------------------------------------------ +# pc98: file(1) magic for the MSX Home Computer +# v1.0 +# Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> + +# Maki-chan v1 Graphic format +# The image resolution should be X=(44.L - 40.L) and Y=(46.L - 42.L), but I couldn't find a way to do so +# http://www.jisyo.com/viewer/faq/maki_tech.htm +0 string/b MAKI01 Maki-chan v1. +>6 ubyte|0x20 x \b%c image +>8 ubelong >0x40404040 \b, system ID: +>>8 byte x %c +>>9 byte x \b%c +>>10 byte x \b%c +>>11 byte x \b%c +>44 ubeshort x \b, %dx +>46 ubeshort x \b%d +>38 ubeshort&2 0 \b, 16 paletted RGB colors +>38 ubeshort&2 2 \b, 8 fixed RGB colors +>38 ubeshort&1 1 \b, 2:1 dot aspect ratio + +# Maki-chan v2 Graphic format +# http://www.jisyo.com/viewer/faq/mag_tech.htm +# https://mooncore.eu/bunny/txt/makichan.htm +# http://metanest.jp/mag/mag.xhtml +0 string/b MAKI02\ \ Maki-chan v2 image, +>8 byte x system ID: %c +>9 byte x \b%c +>10 byte x \b%c +>11 byte x \b%c, +>13 search/0x200 \x1A +#Maki-chan video modes are a bit messy and seems to have been expanded over the years without too much planing: +#1) When offset1(ubeshort) !=0x0344: +# 1.1) And offset3(ubyte).b7=0: +# - b0=pixel aspect ratio: 1=2:1 (note: this ignores that the machine's 1:1 pixel aspect ratio isn't really 1:1) +# - b1=number of colors: 0=16 colors, 1=8 colors +# - b2=Palette or fixed colors flag (called "analog" and "digital" in the doc): 0=Paletted, 1=Fixed colors encoded directly in the pixel data +# 1.2) And offset3(ubyte).B7=1: +# - b0=256 paletted colors +# - b1=256 fixed colors using the MSX SCR8 palette +#2) When offset1(ubeshort) =0x0344: +# - 256x212 image with 19268 YJK colors. The usual resolution and color information fields from the file must be ignored +>>&1 ubeshort 0x0344 256x212, 19268 fixed YJK colors +>>&1 ubeshort !0x0344 +>>>&5 uleshort+1 x %dx +>>>&7 uleshort+1 x \b%d, +>>>&0 ubyte&0x86 0x00 16 paletted RGB colors +>>>&0 ubyte&0x86 0x02 8 paletted RGB colors +>>>&0 ubyte&0x86 0x04 16 fixed RGB colors +>>>&0 ubyte&0x86 0x06 8 fixed RGB colors +>>>&0 ubyte&0x81 0x80 256 paletted RGB colors +>>>&0 ubyte&0x81 0x81 256 fixed MSX-SCR8 colors +>>>&0 ubyte&0x01 1 \b, 2:1 dot aspect ratio + +# XLD4 (Q4) picture +11 string/b MAJYO XLD4(Q4) picture + +# Yanagisawa Pi picture +#0 string Pi\x1A\0 Yanagisawa Pi picture +#>3 search/0x200 \x04 +0 string Pi +>2 search/0x200 \x1A +>>&0 ubyte 0 +>>>&3 ubyte 4 Yanagisawa Pi 16 color picture, +>>>&4 byte x system ID: %c +>>>&5 byte x \b%c +>>>&6 byte x \b%c +>>>&7 byte x \b%c, +>>>&10 ubeshort x %dx +>>>&12 ubeshort x \b%d +>>>&3 ubyte 8 Yanagisawa Pi 256 color picture +>>>&4 byte x system ID: %c +>>>&5 byte x \b%c +>>>&6 byte x \b%c +>>>&7 byte x \b%c, +>>>&10 ubeshort x %dx +>>>&12 ubeshort x \b%d diff --git a/magic/Magdir/pci_ids b/magic/Magdir/pci_ids new file mode 100644 index 0000000..34bc2e2 --- /dev/null +++ b/magic/Magdir/pci_ids @@ -0,0 +1,116 @@ + +#------------------------------------------------------------------------------ +# $File: pci_ids,v 1.1 2022/04/02 14:47:42 christos Exp $ +# pci.ids: file(1) magic for PCI specific informations +# + +# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids +# show hexadecimal PCI vendor identification in human readable text form +0 name PCI-vendor +# ID vendor name +#>0 uleshort =0x0f00 fOO +>0 uleshort =0x1000 Broadcom +>0 uleshort =0x1002 AMD/ATI +>0 uleshort =0x1013 Cirrus Logic +>0 uleshort =0x1014 IBM +>0 uleshort =0x1022 AMD +>0 uleshort =0x1050 Winbond +>0 uleshort =0x105a Promise +>0 uleshort =0x1095 Silicon +>0 uleshort =0x10EC Realtek +>0 uleshort =0x10de NVIDIA +>0 uleshort =0x1106 VIA +# Woodward McCoach, Inc. +>0 uleshort =0x1231 Woodward +# +>0 uleshort =0x1234 Bochs +>0 uleshort =0x15ad VMware +>0 uleshort =0x1af4 Virtio +>0 uleshort =0x1b36 QEMU +>0 uleshort =0x1de1 Tekram +# maybe also Promise? +#>0 uleshort =0x4289 Promise +#>0 uleshort =0x66a1 FOO +>0 uleshort =0x8086 Intel +>0 uleshort =0x9004 Adaptec +# also Adaptec; but no example +>0 uleshort =0x9005 Adaptec +# for unknown/missing manufactors +>0 default x UNKNOWN +>>0 uleshort x (%#4.4x) + +# https://blog.ladsai.com/pci-configuration-space-class-code.html +# Base class code https://wiki.osdev.org/PCI +# show hexadecimal PCI class+sub+ProgIF identification in human readable text form +0 name PCI-class +#>0 ubyte x CLASS=%x +>0 ubyte x +# Device was built prior definition of the class code field +>>0 ubyte 0x00 PRIOR +# Any device except for VGA-Compatible devices like: 2975BIOS.BIN Trm3x5.bin +# BUT also NVidia44.bin vgabios-stdvga-bin.rom +#>>>0 ubyte 0x00 NOT VGA +# VGA-Compatible Device; NO EXAMPLE found here!! +#>>>0 ubyte 0x01 VGA +# like 4243.bin +#>>>0 ubyte 0x04 SUB_CLASS_4 +>>0 ubyte 0x01 storage controller +# device sub-type and its definition is dependent upon the base-type code +>>>1 ubyte 0x00 SCSI +>>>1 ubyte 0x01 IDE +>>>1 ubyte 0x02 Floppy +>>>1 ubyte 0x03 IPI +>>>0 ubyte 0x04 RAID +>>>1 ubyte 0x05 ATA +>>>1 ubyte 0x06 SATA +>>>1 ubyte 0x07 SAS +>>>1 ubyte 0x08 NVM +# 4650_sr5.bin "PROMISE" "FT TX4650 Ary X" +>>>1 ubyte 0x80 OTHER +>>0 ubyte 0x02 network controller +>>>1 ubyte 0x00 ethernet +>>>1 ubyte 0x01 token ring +>>>1 ubyte 0x02 FDDI +>>>1 ubyte 0x03 ATM +>>>1 ubyte 0x04 ISDN +>>>1 ubyte 0x05 WorldFip +# PICMG 2.14 Multi Computing +>>>1 ubyte 0x06 PICMG +>>>1 ubyte 0x80 OTHER +>>0 ubyte 0x03 display controller +>>0 ubyte 0x04 multimedia controller +>>0 ubyte 0x05 memory controller +>>0 ubyte 0x06 bridge device +# Simple Communication Controllers +>>0 ubyte 0x07 communication controller +# Base System Peripherals +>>0 ubyte 0x08 base peripheral +# Input Devices +>>0 ubyte 0x09 input device +# Docking Stations +>>0 ubyte 0x0A docking station +>>0 ubyte 0x0B processor +>>0 ubyte 0x0C serial bus controller +>>0 ubyte 0x0D wireless controller +# Intelligent I/O Controllers +>>0 ubyte 0x0E I/O controller +# Satellite Communication Controllers +>>0 ubyte 0x0F satellite controller +# Encryption/Decryption Controllers +>>0 ubyte 0x10 encryption controller +# Data Acquisition and Signal Processing Controllers +>>0 ubyte 0x11 signal controller +# Processing Accelerator +>>0 ubyte 0x12 processing accelerator +# Non-Essential Instrumentation +>>0 ubyte 0x13 non-essential +# reserved or unassigned +>>0 default x +# device does not fit any defined class; Unassigned Class (Vendor specific) +>>>0 ubyte 0xFF UNASSIGNED +# THIS SHOULD NOT HAPPEN! BUT CLASS=8f for Promise 4650_sr5.bin 8660_sr5.bin +>>>0 default x RESERVED +>>>>0 ubyte x (%#x) +# Prog IF of PCI class code? +# defines the specific device programming interface +>2 ubyte >0 \b, ProgIF=%u diff --git a/magic/Magdir/pcjr b/magic/Magdir/pcjr new file mode 100644 index 0000000..c3ab7a2 --- /dev/null +++ b/magic/Magdir/pcjr @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: pcjr,v 1.1 2021/01/09 15:09:58 christos Exp $ +# pcjr: file(1) magic for PCjr Cartridge image file format +# From: Francis Laniel <laniel_francis@privacyrequired.com> +0 string PCjr +>0x80 beshort 0x55aa PCjr Cartridge image +>0x200 beshort 0x55aa PCjr Cartridge image diff --git a/magic/Magdir/pdf b/magic/Magdir/pdf new file mode 100644 index 0000000..7a99d8d --- /dev/null +++ b/magic/Magdir/pdf @@ -0,0 +1,51 @@ + +#------------------------------------------------------------------------------ +# $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $ +# pdf: file(1) magic for Portable Document Format +# + +0 name pdf +>8 search /Count +>>&0 regex [0-9]+ \b, %s page(s) +>8 search/512 /Filter/FlateDecode/ (zip deflate encoded) + +0 string %PDF- PDF document +!:mime application/pdf +!:strength +60 +!:ext pdf +>5 byte x \b, version %c +>7 byte x \b.%c +>0 use pdf + +0 string \012%PDF- PDF document +!:mime application/pdf +!:strength +60 +!:ext pdf +>6 byte x \b, version %c +>8 byte x \b.%c +>0 use pdf + +0 string \xef\xbb\xbf%PDF- PDF document (UTF-8) +!:mime application/pdf +!:strength +60 +!:ext pdf +>6 byte x \b, version %c +>8 byte x \b.%c +>0 use pdf + +# From: Nick Schmalenberger <nick@schmalenberger.us> +# Forms Data Format +0 string %FDF- FDF document +!:mime application/vnd.fdf +!:strength +60 +!:ext pdf +>5 byte x \b, version %c +>7 byte x \b.%c + +0 search/1024 %PDF- PDF document +!:mime application/pdf +!:strength +60 +!:ext pdf +>&0 byte x \b, version %c +>&2 byte x \b.%c +>0 use pdf diff --git a/magic/Magdir/pdp b/magic/Magdir/pdp new file mode 100644 index 0000000..2d18b62 --- /dev/null +++ b/magic/Magdir/pdp @@ -0,0 +1,42 @@ + +#------------------------------------------------------------------------------ +# $File: pdp,v 1.11 2017/03/17 21:35:28 christos Exp $ +# pdp: file(1) magic for PDP-11 executable/object and APL workspace +# +0 lelong 0101555 PDP-11 single precision APL workspace +0 lelong 0101554 PDP-11 double precision APL workspace +# +# PDP-11 a.out +# +0 leshort 0407 PDP-11 executable +>8 leshort >0 not stripped +>15 byte >0 - version %d + +# updated by Joerg Jenderek at Mar 2013 +# GRR: line below too general as it catches also Windows precompiled setup information *.PNF +0 leshort 0401 +# skip *.PNF with WinDirPathOffset 58h +>68 ulelong !0x00000058 PDP-11 UNIX/RT ldp +# skip *.PNF with high byte of InfVersionDatumCount zero +#>>15 byte !0 PDP-11 UNIX/RT ldp +0 leshort 0405 PDP-11 old overlay + +0 leshort 0410 PDP-11 pure executable +>8 leshort >0 not stripped +>15 byte >0 - version %d + +0 leshort 0411 PDP-11 separate I&D executable +>8 leshort >0 not stripped +>15 byte >0 - version %d + +0 leshort 0437 PDP-11 kernel overlay + +# These last three are derived from 2.11BSD file(1) +0 leshort 0413 PDP-11 demand-paged pure executable +>8 leshort >0 not stripped + +0 leshort 0430 PDP-11 overlaid pure executable +>8 leshort >0 not stripped + +0 leshort 0431 PDP-11 overlaid separate executable +>8 leshort >0 not stripped diff --git a/magic/Magdir/perl b/magic/Magdir/perl new file mode 100644 index 0000000..4a3756a --- /dev/null +++ b/magic/Magdir/perl @@ -0,0 +1,100 @@ +#------------------------------------------------------------------------------ +# $File: perl,v 1.27 2023/07/17 16:01:36 christos Exp $ +# perl: file(1) magic for Larry Wall's perl language. +# +# The `eval' lines recognizes an outrageously clever hack. +# Keith Waclena <keith@cerberus.uchicago.edu> +# Send additions to <perl5-porters@perl.org> +0 search/1024 eval\ "exec\ perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ "exec\ /bin/perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ "exec\ /usr/bin/perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ "exec\ /usr/local/bin/perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ 'exec\ perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ 'exec\ /bin/perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ 'exec\ /usr/bin/perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ 'exec\ /usr/local/bin/perl Perl script text +!:mime text/x-perl +0 search/1024 eval\ '(exit\ $?0)'\ &&\ eval\ 'exec Perl script text +!:mime text/x-perl +0 string #!/usr/bin/env\ perl Perl script text executable +!:mime text/x-perl +0 string #!\ /usr/bin/env\ perl Perl script text executable +!:mime text/x-perl +0 string #! +>0 regex \^#!.*/bin/perl([[:space:]].*)*$ Perl script text executable +!:mime text/x-perl + +# by Dmitry V. Levin and Alexey Tourbin +# check the first line +0 search/8192 package +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; Perl5 module source text +!:strength + 40 +# not 'p', check other lines +0 search/8192 !p +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; +>>0 regex \^1[[:space:]]*;|\^(use|sub|my)[[:space:]].*[(;{=] Perl5 module source text +!:strength + 75 + +# Perl POD documents +# From: Tom Hukins <tom@eborcom.com> +0 search/1024/W \=pod\n Perl POD document text +0 search/1024/W \n\=pod\n Perl POD document text +0 search/1024/W \=head1\ Perl POD document text +0 search/1024/W \n\=head1\ Perl POD document text +0 search/1024/W \=head2\ Perl POD document text +0 search/1024/W \n\=head2\ Perl POD document text +0 search/1024/W \=encoding\ Perl POD document text +0 search/1024/W \n\=encoding\ Perl POD document text + + +# Perl Storable data files. +0 string perl-store perl Storable (v0.6) data +>4 byte >0 (net-order %d) +>>4 byte &01 (network-ordered) +>>4 byte =3 (major 1) +>>4 byte =2 (major 1) + +0 string pst0 perl Storable (v0.7) data +>4 byte >0 +>>4 byte &01 (network-ordered) +>>4 byte =5 (major 2) +>>4 byte =4 (major 2) +>>5 byte >0 (minor %d) + +# This is Debian #742949 by Zefram <zefram@fysh.org>: +# ----------------------------------------------------------- +# The Perl module Hash::SharedMem +# <https://metacpan.org/release/Hash-SharedMem> defines a file format +# for a key/value store. Details of the file format are in the "DESIGN" +# file in the module distribution. Magic: +0 bequad =0xa58afd185cbf5af7 Hash::SharedMem master file, big-endian +>8 bequad <0x1000000 +>>15 byte >2 \b, line size 2^%d byte +>>14 byte >2 \b, page size 2^%d byte +>>13 byte &1 +>>>13 byte >1 \b, max fanout %d +0 lequad =0xa58afd185cbf5af7 Hash::SharedMem master file, little-endian +>8 lequad <0x1000000 +>>8 byte >2 \b, line size 2^%d byte +>>9 byte >2 \b, page size 2^%d byte +>>10 byte &1 +>>>10 byte >1 \b, max fanout %d +0 bequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, big-endian +>8 bequad <0x1000000 +>>15 byte >2 \b, line size 2^%d byte +>>14 byte >2 \b, page size 2^%d byte +>>13 byte &1 +>>>13 byte >1 \b, max fanout %d +0 lequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, little-endian +>8 lequad <0x1000000 +>>8 byte >2 \b, line size 2^%d byte +>>9 byte >2 \b, page size 2^%d byte +>>10 byte &1 +>>>10 byte >1 \b, max fanout %d diff --git a/magic/Magdir/pgf b/magic/Magdir/pgf new file mode 100644 index 0000000..8318ce1 --- /dev/null +++ b/magic/Magdir/pgf @@ -0,0 +1,52 @@ + +#------------------------------------------------------------------------------ +# $File: pgf,v 1.3 2021/02/23 00:51:10 christos Exp $ +# pgf: file(1) magic for Progressive Graphics File (PGF) +# +# <http://www.libpgf.org/uploads/media/PGF_Details_01.pdf> +# 2013 by Philipp Hahn <pmhahn debian org> +0 string PGF Progressive Graphics image data, +!:mime image/x-pgf +>3 string 2 version %s, +>3 string 4 version %s, +>3 string 5 version %s, +>3 string 6 version %s, +# PGFPreHeader +#>>4 lelong x header size %d, +# PGFHeader +>>8 lelong x %d x +>>12 lelong x %d, +>>16 byte x %d levels, +>>17 byte x compression level %d, +>>18 byte x %d bpp, +>>19 byte x %d channels, +>>20 clear x +>>20 byte 0 bitmap, +>>20 byte 1 gray scale, +>>20 byte 2 indexed color, +>>20 byte 3 RGB color, +>>20 byte 4 CMYK color, +>>20 byte 5 HSL color, +>>20 byte 6 HSB color, +>>20 byte 7 multi-channel, +>>20 byte 8 duo tone, +>>20 byte 9 LAB color, +>>20 byte 10 gray scale 16, +>>20 byte 11 RGB color 48, +>>20 byte 12 LAB color 48, +>>20 byte 13 CMYK color 64, +>>20 byte 14 deep multi-channel, +>>20 byte 15 duo tone 16, +>>20 byte 17 RGBA color, +>>20 byte 18 gray scale 32, +>>20 byte 19 RGB color 12, +>>20 byte 20 RGB color 16, +>>20 byte 255 unknown format, +>>20 default x format +>>>20 byte x \b %d, +>>21 byte x %d bpc +# PGFPostHeader +# Level-Sizes +#>>(4.l+4) lelong x level 0 size: %d +#>>(4.l+8) lelong x level 1 size: %d +#>>(4.l+12) lelong x level 2 size: %d diff --git a/magic/Magdir/pgp b/magic/Magdir/pgp new file mode 100644 index 0000000..d818838 --- /dev/null +++ b/magic/Magdir/pgp @@ -0,0 +1,581 @@ + +#------------------------------------------------------------------------------ +# $File: pgp,v 1.25 2021/04/26 15:56:00 christos Exp $ +# pgp: file(1) magic for Pretty Good Privacy + +# Handling of binary PGP keys is in pgp-binary-keys. +# see https://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html +# +0 beshort 0xa600 PGP encrypted data +#!:mime application/pgp-encrypted +#0 string -----BEGIN\040PGP text/PGP armored data +!:mime text/PGP # encoding: armored data +#>15 string PUBLIC\040KEY\040BLOCK- public key block +#>15 string MESSAGE- message +#>15 string SIGNED\040MESSAGE- signed message +#>15 string PGP\040SIGNATURE- signature + +# Update: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Pretty_Good_Privacy +# Reference: https://reposcope.com/mimetype/application/pgp-keys +2 string ---BEGIN\040PGP\040PRIVATE\040KEY\040BLOCK- PGP private key block +#!:mime text/PGP +!:mime application/pgp-keys +!:ext asc +2 string ---BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK- PGP public key block +!:mime application/pgp-keys +!:ext asc +>10 search/100 \n\n +>>&0 use pgp +0 string -----BEGIN\040PGP\040MESSAGE- PGP message +# https://reposcope.com/mimetype/application/pgp-encrypted +#!:mime application/pgp +!:mime application/pgp-encrypted +!:ext asc +#!:ext asc/pgp/gpg +>10 search/100 \n\n +>>&0 use pgp +# Reference: https://www.gnupg.org/gph/en/manual/x135.html +0 string -----BEGIN\040PGP\040SIGNED\040MESSAGE- PGP signed message +#!:mime text/plain +!:mime text/PGP +#!:mime application/pgp +!:ext asc +0 string -----BEGIN\040PGP\040SIGNATURE- PGP signature +# https://reposcope.com/mimetype/application/pgp-signature +!:mime application/pgp-signature +!:ext asc +>10 search/100 \n\n +>>&0 use pgp + +# Decode the type of the packet based on it's base64 encoding. +# Idea from Mark Martinec +# The specification is in RFC 4880, section 4.2 and 4.3: +# https://tools.ietf.org/html/rfc4880#section-4.2 + +0 name pgp +>0 byte 0x67 Reserved (old) +>0 byte 0x68 Public-Key Encrypted Session Key (old) +>0 byte 0x69 Signature (old) +>0 byte 0x6a Symmetric-Key Encrypted Session Key (old) +>0 byte 0x6b One-Pass Signature (old) +>0 byte 0x6c Secret-Key (old) +>0 byte 0x6d Public-Key (old) +>0 byte 0x6e Secret-Subkey (old) +>0 byte 0x6f Compressed Data (old) +>0 byte 0x70 Symmetrically Encrypted Data (old) +>0 byte 0x71 Marker (old) +>0 byte 0x72 Literal Data (old) +>0 byte 0x73 Trust (old) +>0 byte 0x74 User ID (old) +>0 byte 0x75 Public-Subkey (old) +>0 byte 0x76 Unused (old) +>0 byte 0x77 +>>1 byte&0xc0 0x00 Reserved +>>1 byte&0xc0 0x40 Public-Key Encrypted Session Key +>>1 byte&0xc0 0x80 Signature +>>1 byte&0xc0 0xc0 Symmetric-Key Encrypted Session Key +>0 byte 0x78 +>>1 byte&0xc0 0x00 One-Pass Signature +>>1 byte&0xc0 0x40 Secret-Key +>>1 byte&0xc0 0x80 Public-Key +>>1 byte&0xc0 0xc0 Secret-Subkey +>0 byte 0x79 +>>1 byte&0xc0 0x00 Compressed Data +>>1 byte&0xc0 0x40 Symmetrically Encrypted Data +>>1 byte&0xc0 0x80 Marker +>>1 byte&0xc0 0xc0 Literal Data +>0 byte 0x7a +>>1 byte&0xc0 0x00 Trust +>>1 byte&0xc0 0x40 User ID +>>1 byte&0xc0 0x80 Public-Subkey +>>1 byte&0xc0 0xc0 Unused [z%x] +>0 byte 0x30 +>>1 byte&0xc0 0x00 Unused [0%x] +>>1 byte&0xc0 0x40 User Attribute +>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data +>>1 byte&0xc0 0xc0 Modification Detection Code + +# magic signatures to detect PGP crypto material (from stef) +# detects and extracts metadata from: +# - symmetric encrypted packet header +# - RSA (e=65537) secret (sub-)keys + +# 1024b RSA encrypted data + +0 string \x84\x8c\x03 PGP RSA encrypted session key - +>3 belong x keyid: %08X +>7 belong x %08X +>11 byte 0x01 RSA (Encrypt or Sign) 1024b +>11 byte 0x02 RSA Encrypt-Only 1024b +>12 string \x04\x00 +>12 string \x03\xff +>12 string \x03\xfe +>12 string \x03\xfd +>12 string \x03\xfc +>12 string \x03\xfb +>12 string \x03\xfa +>12 string \x03\xf9 +>142 byte 0xd2 . + +# 2048b RSA encrypted data + +0 string \x85\x01\x0c\x03 PGP RSA encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x01 RSA (Encrypt or Sign) 2048b +>12 byte 0x02 RSA Encrypt-Only 2048b +>13 string \x08\x00 +>13 string \x07\xff +>13 string \x07\xfe +>13 string \x07\xfd +>13 string \x07\xfc +>13 string \x07\xfb +>13 string \x07\xfa +>13 string \x07\xf9 +>271 byte 0xd2 . + +# 3072b RSA encrypted data + +0 string \x85\x01\x8c\x03 PGP RSA encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x01 RSA (Encrypt or Sign) 3072b +>12 byte 0x02 RSA Encrypt-Only 3072b +>13 string \x0c\x00 +>13 string \x0b\xff +>13 string \x0b\xfe +>13 string \x0b\xfd +>13 string \x0b\xfc +>13 string \x0b\xfb +>13 string \x0b\xfa +>13 string \x0b\xf9 +>399 byte 0xd2 . + +# 4096b RSA encrypted data + +0 string \x85\x02\x0c\x03 PGP RSA encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x01 RSA (Encrypt or Sign) 4096b +>12 byte 0x02 RSA Encrypt-Only 4096b +>13 string \x10\x00 +>13 string \x0f\xff +>13 string \x0f\xfe +>13 string \x0f\xfd +>13 string \x0f\xfc +>13 string \x0f\xfb +>13 string \x0f\xfa +>13 string \x0f\xf9 +>527 byte 0xd2 . + +# 8192b RSA encrypted data + +0 string \x85\x04\x0c\x03 PGP RSA encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x01 RSA (Encrypt or Sign) 8192b +>12 byte 0x02 RSA Encrypt-Only 8192b +>13 string \x20\x00 +>13 string \x1f\xff +>13 string \x1f\xfe +>13 string \x1f\xfd +>13 string \x1f\xfc +>13 string \x1f\xfb +>13 string \x1f\xfa +>13 string \x1f\xf9 +>1039 byte 0xd2 . + +# 1024b Elgamal encrypted data + +0 string \x85\x01\x0e\x03 PGP Elgamal encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x10 Elgamal Encrypt-Only 1024b. +>13 string \x04\x00 +>13 string \x03\xff +>13 string \x03\xfe +>13 string \x03\xfd +>13 string \x03\xfc +>13 string \x03\xfb +>13 string \x03\xfa +>13 string \x03\xf9 + +# 2048b Elgamal encrypted data + +0 string \x85\x02\x0e\x03 PGP Elgamal encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x10 Elgamal Encrypt-Only 2048b. +>13 string \x08\x00 +>13 string \x07\xff +>13 string \x07\xfe +>13 string \x07\xfd +>13 string \x07\xfc +>13 string \x07\xfb +>13 string \x07\xfa +>13 string \x07\xf9 + +# 3072b Elgamal encrypted data + +0 string \x85\x03\x0e\x03 PGP Elgamal encrypted session key - +>4 belong x keyid: %08X +>8 belong x %08X +>12 byte 0x10 Elgamal Encrypt-Only 3072b. +>13 string \x0c\x00 +>13 string \x0b\xff +>13 string \x0b\xfe +>13 string \x0b\xfd +>13 string \x0b\xfc +>13 string \x0b\xfb +>13 string \x0b\xfa +>13 string \x0b\xf9 + +# crypto algo mapper + +0 name crypto +>0 byte 0x00 Plaintext or unencrypted data +>0 byte 0x01 IDEA +>0 byte 0x02 TripleDES +>0 byte 0x03 CAST5 (128 bit key) +>0 byte 0x04 Blowfish (128 bit key, 16 rounds) +>0 byte 0x07 AES with 128-bit key +>0 byte 0x08 AES with 192-bit key +>0 byte 0x09 AES with 256-bit key +>0 byte 0x0a Twofish with 256-bit key + +# hash algo mapper + +0 name hash +>0 byte 0x01 MD5 +>0 byte 0x02 SHA-1 +>0 byte 0x03 RIPE-MD/160 +>0 byte 0x08 SHA256 +>0 byte 0x09 SHA384 +>0 byte 0x0a SHA512 +>0 byte 0x0b SHA224 + +# display public key algorithms as human readable text +0 name key_algo +>0 byte 0x01 RSA (Encrypt or Sign) +# keep old look of version 5.28 without parentheses +>0 byte 0x02 RSA Encrypt-Only +>0 byte 0x03 RSA (Sign-Only) +>0 byte 16 ElGamal (Encrypt-Only) +>0 byte 17 DSA +>0 byte 18 Elliptic Curve +>0 byte 19 ECDSA +>0 byte 20 ElGamal (Encrypt or Sign) +>0 byte 21 Diffie-Hellman +>0 default x +>>0 ubyte <22 unknown (pub %d) +# this should never happen +>>0 ubyte >21 invalid (%d) + +# pgp symmetric encrypted data + +0 byte 0x8c PGP symmetric key encrypted data - +>1 byte 0x0d +>1 byte 0x0c +>2 byte 0x04 +>3 use crypto +>4 byte 0x01 salted - +>>5 use hash +>>14 byte 0xd2 . +>>14 byte 0xc9 . +>4 byte 0x03 salted & iterated - +>>5 use hash +>>15 byte 0xd2 . +>>15 byte 0xc9 . + +# encrypted keymaterial needs s2k & can be checksummed/hashed + +0 name chkcrypto +>0 use crypto +>1 byte 0x00 Simple S2K +>1 byte 0x01 Salted S2K +>1 byte 0x03 Salted&Iterated S2K +>2 use hash + +# all PGP keys start with this prolog +# containing version, creation date, and purpose + +0 name keyprolog +>0 byte 0x04 +>1 beldate x created on %s - +>5 byte 0x01 RSA (Encrypt or Sign) +>5 byte 0x02 RSA Encrypt-Only + +# end of secret keys known signature +# contains e=65537 and the prolog to +# the encrypted parameters + +0 name keyend +>0 string \x00\x11\x01\x00\x01 e=65537 +>5 use crypto +>5 byte 0xff checksummed +>>6 use chkcrypto +>5 byte 0xfe hashed +>>6 use chkcrypto + +# PGP secret keys contain also the public parts +# these vary by bitsize of the key + +0 name x1024 +>0 use keyprolog +>6 string \x03\xfe +>6 string \x03\xff +>6 string \x04\x00 +>136 use keyend + +0 name x2048 +>0 use keyprolog +>6 string \x80\x00 +>6 string \x07\xfe +>6 string \x07\xff +>264 use keyend + +0 name x3072 +>0 use keyprolog +>6 string \x0b\xfe +>6 string \x0b\xff +>6 string \x0c\x00 +>392 use keyend + +0 name x4096 +>0 use keyprolog +>6 string \x10\x00 +>6 string \x0f\xfe +>6 string \x0f\xff +>520 use keyend + +# \x00|\x1f[\xfe\xff]).{1024})' +0 name x8192 +>0 use keyprolog +>6 string \x20\x00 +>6 string \x1f\xfe +>6 string \x1f\xff +>1032 use keyend + +# depending on the size of the pkt +# we branch into the proper key size +# signatures defined as x{keysize} + +0 name pgpkey +>0 string \x01\xd8 1024b +>>2 use x1024 +>0 string \x01\xeb 1024b +>>2 use x1024 +>0 string \x01\xfb 1024b +>>2 use x1024 +>0 string \x01\xfd 1024b +>>2 use x1024 +>0 string \x01\xf3 1024b +>>2 use x1024 +>0 string \x01\xee 1024b +>>2 use x1024 +>0 string \x01\xfe 1024b +>>2 use x1024 +>0 string \x01\xf4 1024b +>>2 use x1024 +>0 string \x02\x0d 1024b +>>2 use x1024 +>0 string \x02\x03 1024b +>>2 use x1024 +>0 string \x02\x05 1024b +>>2 use x1024 +>0 string \x02\x15 1024b +>>2 use x1024 +>0 string \x02\x00 1024b +>>2 use x1024 +>0 string \x02\x10 1024b +>>2 use x1024 +>0 string \x02\x04 1024b +>>2 use x1024 +>0 string \x02\x06 1024b +>>2 use x1024 +>0 string \x02\x16 1024b +>>2 use x1024 +>0 string \x03\x98 2048b +>>2 use x2048 +>0 string \x03\xab 2048b +>>2 use x2048 +>0 string \x03\xbb 2048b +>>2 use x2048 +>0 string \x03\xbd 2048b +>>2 use x2048 +>0 string \x03\xcd 2048b +>>2 use x2048 +>0 string \x03\xb3 2048b +>>2 use x2048 +>0 string \x03\xc3 2048b +>>2 use x2048 +>0 string \x03\xc5 2048b +>>2 use x2048 +>0 string \x03\xd5 2048b +>>2 use x2048 +>0 string \x03\xae 2048b +>>2 use x2048 +>0 string \x03\xbe 2048b +>>2 use x2048 +>0 string \x03\xc0 2048b +>>2 use x2048 +>0 string \x03\xd0 2048b +>>2 use x2048 +>0 string \x03\xb4 2048b +>>2 use x2048 +>0 string \x03\xc4 2048b +>>2 use x2048 +>0 string \x03\xc6 2048b +>>2 use x2048 +>0 string \x03\xd6 2048b +>>2 use x2048 +>0 string \x05X 3072b +>>2 use x3072 +>0 string \x05k 3072b +>>2 use x3072 +>0 string \x05{ 3072b +>>2 use x3072 +>0 string \x05} 3072b +>>2 use x3072 +>0 string \x05\x8d 3072b +>>2 use x3072 +>0 string \x05s 3072b +>>2 use x3072 +>0 string \x05\x83 3072b +>>2 use x3072 +>0 string \x05\x85 3072b +>>2 use x3072 +>0 string \x05\x95 3072b +>>2 use x3072 +>0 string \x05n 3072b +>>2 use x3072 +>0 string \x05\x7e 3072b +>>2 use x3072 +>0 string \x05\x80 3072b +>>2 use x3072 +>0 string \x05\x90 3072b +>>2 use x3072 +>0 string \x05t 3072b +>>2 use x3072 +>0 string \x05\x84 3072b +>>2 use x3072 +>0 string \x05\x86 3072b +>>2 use x3072 +>0 string \x05\x96 3072b +>>2 use x3072 +>0 string \x07[ 4096b +>>2 use x4096 +>0 string \x07\x18 4096b +>>2 use x4096 +>0 string \x07+ 4096b +>>2 use x4096 +>0 string \x07; 4096b +>>2 use x4096 +>0 string \x07= 4096b +>>2 use x4096 +>0 string \x07M 4096b +>>2 use x4096 +>0 string \x073 4096b +>>2 use x4096 +>0 string \x07C 4096b +>>2 use x4096 +>0 string \x07E 4096b +>>2 use x4096 +>0 string \x07U 4096b +>>2 use x4096 +>0 string \x07. 4096b +>>2 use x4096 +>0 string \x07> 4096b +>>2 use x4096 +>0 string \x07@ 4096b +>>2 use x4096 +>0 string \x07P 4096b +>>2 use x4096 +>0 string \x074 4096b +>>2 use x4096 +>0 string \x07D 4096b +>>2 use x4096 +>0 string \x07F 4096b +>>2 use x4096 +>0 string \x07V 4096b +>>2 use x4096 +>0 string \x0e[ 8192b +>>2 use x8192 +>0 string \x0e\x18 8192b +>>2 use x8192 +>0 string \x0e+ 8192b +>>2 use x8192 +>0 string \x0e; 8192b +>>2 use x8192 +>0 string \x0e= 8192b +>>2 use x8192 +>0 string \x0eM 8192b +>>2 use x8192 +>0 string \x0e3 8192b +>>2 use x8192 +>0 string \x0eC 8192b +>>2 use x8192 +>0 string \x0eE 8192b +>>2 use x8192 +>0 string \x0eU 8192b +>>2 use x8192 +>0 string \x0e. 8192b +>>2 use x8192 +>0 string \x0e> 8192b +>>2 use x8192 +>0 string \x0e@ 8192b +>>2 use x8192 +>0 string \x0eP 8192b +>>2 use x8192 +>0 string \x0e4 8192b +>>2 use x8192 +>0 string \x0eD 8192b +>>2 use x8192 +>0 string \x0eF 8192b +>>2 use x8192 +>0 string \x0eV 8192b +>>2 use x8192 + +# PGP RSA (e=65537) secret (sub-)key header + +0 byte 0x97 PGP Secret Sub-key - +>1 use pgpkey +0 byte 0x9d +# Update: Joerg Jenderek +# secret subkey packet (tag 7) with same structure as secret key packet (tag 5) +# skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len +>1 ubeshort >0 +#>1 ubeshort x \b, body length %#x +# next packet type often 88h,89h~(tag 2)~Signature Packet +#>>(1.S+3) ubyte x \b, next packet type %#x +# skip Dragon.SHR DEMO.INIT by looking for positive version +>>3 ubyte >0 +# skip BUISSON.13 GUITAR1 by looking for low version number +>>>3 ubyte <5 PGP Secret Sub-key +# sub-key are normally part of secret key. So it does not occur as standalone file +#!:ext bin +# version 2,3~old 4~new . Comment following line for version 5.28 look +>>>>3 ubyte x (v%d) +>>>>3 ubyte x - +# old versions 2 or 3 but no real example found +>>>>3 ubyte <4 +# 2 byte for key bits in version 5.28 look +>>>>>11 ubeshort x %db +>>>>>4 beldate x created on %s - +# old versions use 2 additional bytes after time stamp +#>>>>>8 ubeshort x %#x +# display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman +>>>>>10 use key_algo +>>>>>(11.S/8) ubequad x +# look after first key +>>>>>>&5 use keyend +# new version +>>>>3 ubyte >3 +>>>>>9 ubeshort x %db +>>>>>4 beldate x created on %s - +# display key algorithm +>>>>>8 use key_algo +>>>>>(9.S/8) ubequad x +# look after first key for something like s2k +>>>>>>&3 use keyend diff --git a/magic/Magdir/pgp-binary-keys b/magic/Magdir/pgp-binary-keys new file mode 100644 index 0000000..1ce76d9 --- /dev/null +++ b/magic/Magdir/pgp-binary-keys @@ -0,0 +1,388 @@ + +#------------------------------------------------------------------------------ +# $File: pgp-binary-keys,v 1.2 2021/04/26 15:56:00 christos Exp $ +# pgp-binary-keys: This file handles pgp binary keys. +# +# An PGP certificate or message doesn't have a fixed header. Instead, +# they are sequences of packets: +# +# https://tools.ietf.org/html/rfc4880#section-4.3 +# +# whose order conforms to a grammar: +# +# https://tools.ietf.org/html/rfc4880#section-11 +# +# Happily most packets have a few fields that are constrained, which +# allow us to fingerprint them with relatively high certainty. +# +# A PGP packet is described by a single byte: the so-called CTB. The +# high-bit is always set. If bit 6 is set, then it is a so-called +# new-style CTB; if bit 6 is clear, then it is a so-called old-style +# CTB. Old-style CTBs have only four bits of type information; bits +# 1-0 are used to describe the length. New-style CTBs have 6 bits of +# type information. +# +# Following the CTB is the packet's length in bytes. If we blindly +# advance the file cursor by this amount past the end of the length +# information we come to the next packet. +# +# Data Structures +# =============== +# +# New Style CTB +# ------------- +# +# https://tools.ietf.org/html/rfc4880#section-4.2.2 +# +# 76543210 +# ||\----/ +# || tag +# |always 1 +# always 1 +# +# Tag bits 7 and 6 set +# 0 0xC0 -- Reserved - a packet tag MUST NOT have this value +# 1 0xC1 -- Public-Key Encrypted Session Key Packet +# 2 0xC2 -- Signature Packet +# 3 0xC3 -- Symmetric-Key Encrypted Session Key Packet +# 4 0xC4 -- One-Pass Signature Packet +# 5 0xC5 -- Secret-Key Packet +# 6 0xC6 -- Public-Key Packet +# 7 0xC7 -- Secret-Subkey Packet +# 8 0xC8 -- Compressed Data Packet +# 9 0xC9 -- Symmetrically Encrypted Data Packet +# 10 0xCA -- Marker Packet +# 11 0xCB -- Literal Data Packet +# 12 0xCC -- Trust Packet +# 13 0xCD -- User ID Packet +# 14 0xCE -- Public-Subkey Packet +# 17 0xD1 -- User Attribute Packet +# 18 0xD2 -- Sym. Encrypted and Integrity Protected Data Packet +# 19 0xD3 -- Modification Detection Code Packet +# 60 to 63 -- Private or Experimental Values +# +# The CTB is followed by the length header, which is densely encoded: +# +# if length[0] is: +# 0..191: one byte length (length[0]) +# 192..223: two byte length ((length[0] - 192) * 256 + length[2] + 192 +# 224..254: four byte length (big endian interpretation of length[1..5]) +# 255: partial body encoding +# +# The partial body encoding is similar to HTTP's chunk encoding. It +# is only allowed for container packets (SEIP, Compressed Data and +# Literal). +# +# Old Style CTB +# ------------- +# +# https://tools.ietf.org/html/rfc4880#section-4.2.1 +# +# CTB: +# +# 76543210 +# ||\--/\/ +# || | length encoding +# || tag +# |always 0 +# always 1 +# +# Tag: +# +# Tag bit 7 set, bits 6, 1, 0 clear +# 0 0x80 -- Reserved - a packet tag MUST NOT have this value +# 1 0x84 -- Public-Key Encrypted Session Key Packet +# 2 0x88 -- Signature Packet +# 3 0x8C -- Symmetric-Key Encrypted Session Key Packet +# 4 0x90 -- One-Pass Signature Packet +# 5 0x94 -- Secret-Key Packet +# 6 0x98 -- Public-Key Packet +# 7 0x9C -- Secret-Subkey Packet +# 8 0xA0 -- Compressed Data Packet +# 9 0xA4 -- Symmetrically Encrypted Data Packet +# 10 0xA8 -- Marker Packet +# 11 0xAC -- Literal Data Packet +# 12 0xB0 -- Trust Packet +# 13 0xB4 -- User ID Packet +# 14 0xB8 -- Public-Subkey Packet +# +# Length encoding: +# +# Value +# 0 1 byte length (following byte is the length) +# 1 2 byte length (following two bytes are the length) +# 2 4 byte length (following four bytes are the length) +# 3 indeterminate length: natural end of packet, e.g., EOF +# +# An indeterminate length is only allowed for container packets +# (SEIP, Compressed Data and Literal). +# +# Certificates +# ------------ +# +# We check the first three packets to determine if a sequence of +# OpenPGP packets is likely to be a certificate. The grammar allows +# the following prefixes: +# +# [Primary Key] [SIG] (EOF or another certificate) +# [Primary Key] [SIG] [User ID] [SIG]... +# [Primary Key] [SIG] [User Attribute] [SIG]... +# [Primary Key] [SIG] [Subkey] [SIG]... +# [Primary Key] [User ID] [SIG]... +# [Primary Key] [User Attribute] [SIG]... +# [Primary Key] [Subkey] [SIG]... +# +# Any number of marker packets are also allowed between each packet, +# but they are not normally used and we don't currently check for +# them. +# +# The keys and subkeys may be public or private. +# + +# Key packets and signature packets are versioned. There are two +# packet versions that we need to worry about in practice: v3 and v4. +# v4 packets were introduced in RFC 2440, which was published in 1998. +# It also deprecated v3 packets. There are no actively used v3 +# certificates (GnuPG removed the code to support them in November +# 2014). But there are v3 keys lying around and it is useful to +# identify them. The next version of OpenPGP will introduce v5 keys. +# The document has not yet been standardized so changes are still +# possible. But, for our purposes, it appears that v5 data structures +# will be identical to v4 data structures modulo the version number. +# +# https://tools.ietf.org/html/rfc2440 +# https://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000358.html +# https://www.ietf.org/id/draft-ietf-openpgp-rfc4880bis-09.html#name-key-material-packet + + + + +# The first packet has to be a public key or a secret key. +# +# New-Style Public Key +0 ubyte =0xC6 OpenPGP Public Key +>&0 use primary_key_length_new +# New-Style Secret Key +0 ubyte =0xC5 OpenPGP Secret Key +>&0 use primary_key_length_new +# Old-Style Public Key +0 ubyte&0xFC =0x98 OpenPGP Public Key +>&-1 use primary_key_length_old +# Old-Style Secret Key +0 ubyte&0xFC =0x94 OpenPGP Secret Key +>&-1 use primary_key_length_old + +# Parse the length, check the packet's body and finally advance to the +# next packet. + +# There are 4 different new-style length encodings, but the partial +# body encoding is only acceptable for the SEIP, Compressed Data, and +# Literal packets, which isn't valid for any packets in a certificate +# so we ignore it. +0 name primary_key_length_new +>&0 ubyte <192 +#>>&0 ubyte x (1 byte length encoding, %d bytes) +>>&0 use pgp_binary_key_pk_check +>>>&(&-1.B) use sig_or_component_1 +>&0 ubyte >191 +>>&-1 ubyte <225 +# offset = ((offset[0] - 192) << 8) + offset[1] + 192 (for the length header) +# raw - (192 * 256 - 192) +# = 48960 +#>>>&0 ubeshort x (2 byte length encoding, %d bytes) +>>>&1 use pgp_binary_key_pk_check +>>>>&(&-2.S-48960) use sig_or_component_1 +>&0 ubyte =255 +#>>&0 belong x (5 byte length encoding, %d bytes) +>>&4 use pgp_binary_key_pk_check +>>>&(&-4.L) use sig_or_component_1 +# Partial body encoding (only valid for container packets). +# >&0 ubyte >224 +# >>&0 ubyte <255 partial body encoding + +# There are 4 different old-style length encodings, but the +# indeterminate length encoding is only acceptable for the SEIP, +# Compressed Data, and Literal packets, which isn't valid for any +# packets in a certificate. +0 name primary_key_length_old +#>&0 ubyte x (ctb: %x) +>&0 ubyte&0x3 =0 +#>>&0 ubyte x (1 byte length encoding, %d bytes) +>>&1 use pgp_binary_key_pk_check +>>>&(&-1.B) use sig_or_component_1 +>&0 ubyte&0x3 =1 +#>>&0 ubeshort x (2 byte length encoding, %d bytes) +>>&2 use pgp_binary_key_pk_check +>>>&(&-2.S) use sig_or_component_1 +>&0 ubyte&0x3 =2 +#>>&0 ubelong x (4 byte length encoding, %d bytes) +>>&4 use pgp_binary_key_pk_check +>>>&(&-4.L) use sig_or_component_1 + +# Check the Key. +# +# https://tools.ietf.org/html/rfc4880#section-5.5.2 +0 name pgp_binary_key_pk_check +# Valid versions are: 2, 3, 4. 5 is proposed in RFC 4880bis. +# Anticipate a v6 / v7 format that like v5 is compatible with v4. +# key format in a decade or so :D. +>&0 ubyte >1 +>>&-1 ubyte <8 +>>>&-1 byte x Version %d +# Check that keys were created after 1990. +# (1990 - 1970) * 365.2524 * 24 * 60 * 60 = 631156147 +>>>&0 bedate >631156147 \b, Created %s +>>>>&-5 ubyte >3 +>>>>>&4 use pgp_binary_key_algo +>>>>&-5 ubyte <4 +>>>>>&6 use pgp_binary_key_algo + +# Print out the key's algorithm and the number of bits, if this is +# relevant (ECC keys are a fixed size). +0 name pgp_binary_key_algo +>0 clear x +>&0 ubyte =1 \b, RSA (Encrypt or Sign, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =2 \b, RSA (Encrypt, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =3 \b, RSA (Sign, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =16 \b, El Gamal (Encrypt, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =17 \b, DSA +>>&0 ubeshort x \b (%d bits) +>&0 ubyte =18 \b, ECDH +>&0 ubyte =19 \b, ECDSA +>&0 ubyte =20 \b, El Gamal (Encrypt or Sign, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =22 \b, EdDSA +>&0 default x +>>&0 ubyte x \b, Unknown Algorithm (%#x) + +# Match all possible second packets. +0 name sig_or_component_1 +#>0 ubyte x (ctb: %x) +>&0 ubyte =0xC2 +>>0 ubyte x \b; Signature +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xCD +>>0 ubyte x \b; User ID +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xCE +>>0 ubyte x \b; Public Subkey +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xC7 +>>0 ubyte x \b; Secret Subkey +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xD1 +>>0 ubyte x \b; User Attribute +>>&0 use sig_or_component_1_length_new +>&0 ubyte&0xFC =0x88 +>>0 ubyte x \b; Signature +>>&-1 use sig_or_component_1_length_old +>&0 ubyte&0xFC =0xB4 +>>0 ubyte x \b; User ID +>>&-1 use sig_or_component_1_length_old +>&0 ubyte&0xFC =0xB8 +>>0 ubyte x \b; Public Subkey +>>&-1 use sig_or_component_1_length_old +>&0 ubyte&0xFC =0x9C +>>0 ubyte x \b; Secret Subkey +>>&-1 use sig_or_component_1_length_old + +# Copy of 'primary_key_length_new', but calls cert_packet_3. +0 name sig_or_component_1_length_new +>&0 ubyte <192 +#>>&0 ubyte x (1 byte new length encoding, %d bytes) +>>&(&-1.B) use cert_packet_3 +>&0 ubyte >191 +>>&-1 ubyte <225 +# offset = ((offset[0] - 192) << 8) + offset[1] + 192 + 1 (for the length header) +# raw - (192 * 256 - 192 - 1) +# = 48959 +#>>>&-1 ubeshort x (2 byte new length encoding, %d bytes) +>>>&(&-1.S-48959) use cert_packet_3 +>&0 ubyte =255 +#>>&0 belong x (5 byte new length encoding, %d bytes) +>>&(&-4.L) use cert_packet_3 +# Partial body encoding (only valid for container packets). +# >&0 ubyte >224 +# >>&0 ubyte <255 partial body encoding + +0 name sig_or_component_1_length_old +#>&0 ubyte x (ctb: %x) +>&0 ubyte&0x3 =0 +#>>&0 ubyte x (1 byte old length encoding, %d bytes) +>>&(&0.B+1) use cert_packet_3 +>&0 ubyte&0x3 =1 +#>>&0 ubeshort x (2 byte old length encoding, %d bytes) +>>&(&0.S+2) use cert_packet_3 +>&0 ubyte&0x3 =2 +#>>&0 ubelong x (4 byte old length encoding, %d bytes) +>>&(&0.L+4) use cert_packet_3 + +# Copy of above. +0 name cert_packet_3 +#>0 ubyte x (ctb: %x) +>&0 ubyte =0xC2 +>>0 ubyte x \b; Signature +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xCD +>>0 ubyte x \b; User ID +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xCE +>>0 ubyte x \b; Public Subkey +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xC7 +>>0 ubyte x \b; Secret Subkey +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xD1 +>>0 ubyte x \b; User Attribute +>>&0 use cert_packet_3_length_new +>&0 ubyte&0xFC =0x88 +>>0 ubyte x \b; Signature +>>&-1 use cert_packet_3_length_old +>&0 ubyte&0xFC =0xB4 +>>0 ubyte x \b; User ID +>>&-1 use cert_packet_3_length_old +>&0 ubyte&0xFC =0xB8 +>>0 ubyte x \b; Public Subkey +>>&-1 use cert_packet_3_length_old +>&0 ubyte&0xFC =0x9C +>>0 ubyte x \b; Secret Subkey +>>&-1 use cert_packet_3_length_old + +# Copy of above. +0 name cert_packet_3_length_new +>&0 ubyte <192 +#>>&0 ubyte x (1 byte new length encoding, %d bytes) +>>&(&-1.B) use pgp_binary_keys_end +>&0 ubyte >191 +>>&-1 ubyte <225 +# offset = ((offset[0] - 192) << 8) + offset[1] + 192 + 1 (for the length header) +# raw - (192 * 256 - 192 - 1) +# = 48959 +#>>>&-1 ubeshort x (2 byte new length encoding, %d bytes) +>>>&(&-1.S-48959) use pgp_binary_keys_end +>&0 ubyte =255 +#>>&0 belong x (5 byte new length encoding, %d bytes) +>>&(&-4.L) use pgp_binary_keys_end + +0 name cert_packet_3_length_old +#>&0 ubyte x (ctb: %x) +>&0 ubyte&0x3 =0 +#>>&0 ubyte x (1 byte old length encoding, %d bytes) +>>&(&0.B+1) use pgp_binary_keys_end +>&0 ubyte&0x3 =1 +#>>&0 ubeshort x (2 byte old length encoding, %d bytes) +>>&(&0.S+2) use pgp_binary_keys_end +>&0 ubyte&0x3 =2 +#>>&0 ubelong x (4 byte old length encoding, %d bytes) +>>&(&0.L+4) use pgp_binary_keys_end + +# We managed to parse the first three packets of the certificate. Declare +# victory. +0 name pgp_binary_keys_end +>0 byte x \b; OpenPGP Certificate +!:mime application/pgp-keys +!:ext pgp/gpg/pkr/asd diff --git a/magic/Magdir/pkgadd b/magic/Magdir/pkgadd new file mode 100644 index 0000000..7dfb286 --- /dev/null +++ b/magic/Magdir/pkgadd @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: pkgadd,v 1.6 2009/09/19 16:28:11 christos Exp $ +# pkgadd: file(1) magic for SysV R4 PKG Datastreams +# +0 string #\ PaCkAgE\ DaTaStReAm pkg Datastream (SVR4) +!:mime application/x-svr4-package diff --git a/magic/Magdir/plan9 b/magic/Magdir/plan9 new file mode 100644 index 0000000..db06847 --- /dev/null +++ b/magic/Magdir/plan9 @@ -0,0 +1,25 @@ + +#------------------------------------------------------------------------------ +# $File: plan9,v 1.6 2021/07/30 12:25:13 christos Exp $ +# plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables and object files +# From: "Stefan A. Haubenthal" <polluks@web.de> +# +0 belong 0x00000107 Plan 9 executable, Motorola 68k +0 belong 0x00000197 Plan 9 executable, AT&T Hobbit +0 belong 0x000001EB Plan 9 executable, Intel 386 +0 belong 0x00000247 Plan 9 executable, Intel 960 +0 belong 0x000002AB Plan 9 executable, SPARC +0 belong 0x00000407 Plan 9 executable, MIPS R3000 +0 belong 0x0000048B Plan 9 executable, AT&T DSP 3210 +0 belong 0x00000517 Plan 9 executable, MIPS R4000 BE +0 belong 0x000005AB Plan 9 executable, AMD 29000 +0 belong 0x00000647 Plan 9 executable, ARM 7-something +0 belong 0x000006EB Plan 9 executable, PowerPC +0 belong 0x00000797 Plan 9 executable, MIPS R4000 LE +0 belong 0x0000084B Plan 9 executable, DEC Alpha + +0 belong 0x3A11013C Plan 9 object file, MIPS R3000 +0 belong 0x430D013C Plan 9 object file, AT&T Hobbit +0 belong 0x4D013201 Plan 9 object file, Motorola 68k +0 belong 0x7410013C Plan 9 object file, SPARC +0 belong 0x7E004501 Plan 9 object file, Intel 386 diff --git a/magic/Magdir/playdate b/magic/Magdir/playdate new file mode 100644 index 0000000..77f8c68 --- /dev/null +++ b/magic/Magdir/playdate @@ -0,0 +1,57 @@ + +#------------------------------------------------------------------------------ +# $File: playdate,v 1.1 2022/11/04 13:34:48 christos Exp $ +# +# Various native file formats for the Playdate portable video game console. +# +# These are unofficially documented at +# https://github.com/jaames/playdate-reverse-engineering +# +# The SDK is a source for many test files, and can be used to +# create others. https://play.date/dev/ + + +# pdi: static image +0 string Playdate\ IMG Playdate image data +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d +>12 belong&0x80 0x00 (uncompressed) +>>16 leshort x %d x +>>18 leshort x %d + +# pdt: multiple static images +0 string Playdate\ IMT Playdate image data set +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d, +>>28 lelong x %d cells +>12 belong&0x80 0x00 (uncompressed) +>>20 lelong x tile grid %d x +>>24 lelong x %d + +# pds: string tables +0 string Playdate\ STR Playdate localization strings +>12 belong&0x80 0x80 (compressed) +>12 belong&0x80 0x00 (uncompressed) + +# pda: audio +0 string Playdate\ AUD Playdate audio file +>12 lelong&0xffffff x %d Hz, +>15 byte 0 unsigned, 8-bit PCM, 1 channel +>15 byte 1 unsigned, 8-bit PCM, 2 channel +>15 byte 2 signed, 16-bit little-endian PCM, 1 channel +>15 byte 3 signed, 16-bit little-endian PCM, 1 channel +>15 byte 4 4-bit ADPCM, 1 channel +>15 byte 5 4-bit ADPCM, 2 channel + +# pda: video +0 string Playdate\ VID Playdate video file +>24 leshort x %d x +>26 leshort x %d, +>16 leshort x %d frames, +>20 lefloat x %.2f FPS + +# pdz: executable package +# Not a lot we can do, as it's a stream of entries with no summary information. +0 string Playdate\ PDZ Playdate executable package diff --git a/magic/Magdir/plus5 b/magic/Magdir/plus5 new file mode 100644 index 0000000..795cca1 --- /dev/null +++ b/magic/Magdir/plus5 @@ -0,0 +1,18 @@ + +#------------------------------------------------------------------------------ +# $File: plus5,v 1.6 2009/09/19 16:28:11 christos Exp $ +# plus5: file(1) magic for Plus Five's UNIX MUMPS +# +# XXX - byte order? Paging Hokey.... +# +0 short 0x259 mumps avl global +>2 byte >0 (V%d) +>6 byte >0 with %d byte name +>7 byte >0 and %d byte data cells +0 short 0x25a mumps blt global +>2 byte >0 (V%d) +>8 short >0 - %d byte blocks +>15 byte 0x00 - P/D format +>15 byte 0x01 - P/K/D format +>15 byte 0x02 - K/D format +>15 byte >0x02 - Bad Flags diff --git a/magic/Magdir/pmem b/magic/Magdir/pmem new file mode 100644 index 0000000..c0ead73 --- /dev/null +++ b/magic/Magdir/pmem @@ -0,0 +1,46 @@ + +#------------------------------------------------------------------------------ +# $File: pmem,v 1.4 2021/04/26 15:56:00 christos Exp $ +# pmem: file(1) magic for Persistent Memory Development Kit pool files +# +0 string PMEM +>4 string POOLSET Persistent Memory Poolset file +>>11 search REPLICA with replica +>4 regex LOG|BLK|OBJ Persistent Memory Pool file, type: %s, +>>8 lelong >0 version: %#x, +>>12 lelong x compat: %#x, +>>16 lelong x incompat: %#x, +>>20 lelong x ro_compat: %#x, + + +>>120 leqldate x crtime: %s, +>>128 lequad x alignment_desc: %#016llx, + +>>136 clear x +>>136 byte 2 machine_class: 64-bit, +>>136 default x machine_class: unknown +>>>136 byte x (%#d), + +>>137 clear x +>>137 byte 1 data: little-endian, +>>137 byte 2 data: big-endian, +>>137 default x data: unknown +>>>137 byte x (%#d), + +>>138 byte !0 reserved[0]: %d, +>>139 byte !0 reserved[1]: %d, +>>140 byte !0 reserved[2]: %d, +>>141 byte !0 reserved[3]: %d, + +>>142 clear x +>>142 leshort 62 machine: x86_64 +>>142 leshort 183 machine: aarch64 +>>142 default x machine: unknown +>>>142 leshort x (%#d) + +>4 string BLK +>>4096 lelong x \b, blk.bsize: %d + +>4 string OBJ +>>4096 string >0 \b, obj.layout: '%s' +>>4096 string <0 \b, obj.layout: NULL diff --git a/magic/Magdir/polyml b/magic/Magdir/polyml new file mode 100644 index 0000000..1cc0109 --- /dev/null +++ b/magic/Magdir/polyml @@ -0,0 +1,23 @@ + +#------------------------------------------------------------------------------ +# $File: polyml,v 1.2 2019/04/19 00:42:27 christos Exp $ +# polyml: file(1) magic for PolyML +# +# PolyML +# MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) +# FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) + +# [0]: https://www.polyml.org/ +# [1]: https://github.com/polyml/polyml/blob/master/\ +# libpolyml/savestate.cpp#L146-L147 +# [2]: https://github.com/polyml/polyml/blob/master/\ +# libpolyml/savestate.cpp#L1262-L1263 + +# Type: Poly/ML saved data +# From: Matthew Fernandez <matthew.fernandez@gmail.com> + +0 string POLYSAVE Poly/ML saved state +>8 long x version %u + +0 string POLYMODU Poly/ML saved module +>8 long x version %u diff --git a/magic/Magdir/printer b/magic/Magdir/printer new file mode 100644 index 0000000..b45a202 --- /dev/null +++ b/magic/Magdir/printer @@ -0,0 +1,278 @@ + +#------------------------------------------------------------------------------ +# $File: printer,v 1.34 2023/06/16 19:27:12 christos Exp $ +# printer: file(1) magic for printer-formatted files +# + +# PostScript, updated by Daniel Quinlan (quinlan@yggdrasil.com) +0 string %! PostScript document text +!:mime application/postscript +!:apple ASPSTEXT +>2 string PS-Adobe- conforming +>>11 string >\0 DSC level %.3s +>>>15 string EPS \b, type %s +>>>15 string Query \b, type %s +>>>15 string ExitServer \b, type %s +>>>15 search/1000 %%LanguageLevel:\040 +>>>>&0 string >\0 \b, Level %s +# Some PCs have the annoying habit of adding a ^D as a document separator +0 string \004%! PostScript document text +!:mime application/postscript +!:apple ASPSTEXT +>3 string PS-Adobe- conforming +>>12 string >\0 DSC level %.3s +>>>16 string EPS \b, type %s +>>>16 string Query \b, type %s +>>>16 string ExitServer \b, type %s +>>>16 search/1000 %%LanguageLevel:\040 +>>>>&0 string >\0 \b, Level %s +0 string \033%-12345X%!PS PostScript document + +# DOS EPS Binary File Header +# From: Ed Sznyter <ews@Black.Market.NET> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/eps-adobe.trid.xml +# Note: called "Encapsulated PostScript binary" by TrID and +# verified partly by ImageMagick `identify -verbose *` as EPT (Encapsulated PostScript with TIFF preview) +0 belong 0xC5D0D3C6 +# skip DROID fmt-122-signature-id-174.eps fmt-123-signature-id-178.eps fmt-124-signature-id-180.eps +# by looking for content after header +# GRR: in version 5.44 unequal and not endian variant not working! +>32 ulelong >0 DOS EPS Binary File +!:mime image/x-eps +# TODO: check that "long" is false on big endian machines +# Postscript often (850/857) comes after header; so values like: 30 32 or 2788 10644 43350 71828 +>>4 long >0 at byte %d +# 1 space char after length value to get phrase like "length 263893 PostScript document text" +>>>8 long >0 length %d +# PostScript document text handled by ./printer +>>>>(4.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-wmf.trid.xml +# Note: called "Encapsulated PostScript binary (with WMF preview)" by TrID +# verified partly by XnView `nconvert -info *.EP?` as TIFF epsp +>>>>12 long >0 at byte %d +!:ext eps +# GRR: in file version 5.44 calling indirect of ./msdos produce phrase like "length 452\012- Windows metafile" +>>>>16 long >0 length %d +# Windows metafile data handled by ./msdos +>>>>>(12.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-tiff.trid.xml +# Note: called "Encapsulated PostScript binary (with TIFF preview)" by TrID +>>>>20 long >0 at byte %d +# For the variant with the TIFF preview image sometimes the file extension ept is used +!:ext eps/ept +# GRR: in file version 5.44 calling indirect of ./images produce phrase like "length 43320\012- TIFF image data," +>>>>>24 long >0 length %d +# TIFF image data handled by ./images +>>>>>>(20.l) indirect x + +# Summary: Adobe's PostScript Printer Description File +# Extension: .ppd +# Reference: https://partners.adobe.com/public/developer/en/ps/5003.PPD_Spec_v4.3.pdf, Section 3.8 +# Submitted by: Yves Arrouye <arrouye@marin.fdn.fr> +# +0 string *PPD-Adobe:\x20 PPD file +>&0 string x \b, version %s +!:ext ppd +!:mime application/vnd.cups-ppd + +# HP Printer Job Language +0 string \033%-12345X@PJL HP Printer Job Language data +# HP Printer Job Language +# The header found on Win95 HP plot files is the "Silliest Thing possible" +# (TM) +# Every driver puts the language at some random position, with random case +# (LANGUAGE and Language) +# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 +# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de> +# +0 string \033%-12345X@PJL HP Printer Job Language data +>&0 string >\0 %s +>>&0 string >\0 %s +>>>&0 string >\0 %s +>>>>&0 string >\0 %s +#>15 string \ ENTER\ LANGUAGE\ = +#>31 string PostScript PostScript + +# From: Stefan Thurner <thurners@nicsys.de> +0 string \033%-12345X@PJL +>&0 search/10000 %! PJL encapsulated PostScript document text + +# Rick Richardson <rickrich@gmail.com> + +# For Fuji-Xerox Printers - HBPL stands for Host Based Printer Language +# For Oki Data Printers - HIPERC +# For Konica Minolta Printers - LAVAFLOW +# For Samsung Printers - QPDL +# For HP Printers - ZJS stands for Zenographics ZJStream +0 string \033%-12345X@PJL HP Printer Job Language data +>0 search/10000 @PJL\ ENTER\ LANGUAGE=HBPL - HBPL +>0 search/10000 @PJL\ ENTER\ LANGUAGE=HIPERC - Oki Data HIPERC +>0 search/10000 @PJL\ ENTER\ LANGUAGE=LAVAFLOW - Konica Minolta LAVAFLOW +>0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL +>0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL +>0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS +# Summary: Hewlett-Packard printer firmware update +# From: Joerg Jenderek +# URL: https://support.hp.com/us-en/drivers/selfservice/hp-envy-6000e-all-in-one-printer-series/2100187505/model/2100187513 +# Note: firmware update tested with ENVY 6000 All-in-One Printer +0 string @PJL\ ENTER\ LANGUAGE=FWUPDATE2 HP Printer firmware update +#!:mime application/octet-stream +#!:mime application/x-hp-firmware +# https://ftp.hp.com/pub/softlib/software13/printers/en6000/2214/EN6000_2214B.exe +# vasari_base_dist_pp1_001.2214B_nonassert_appsigned_lbi_rootfs_secure_signed.ful2 +!:ext ful2 + +# HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) +0 string \033E\033 HP PCL printer data +>3 string \&l0A - default page size +>3 string \&l1A - US executive page size +>3 string \&l2A - US letter page size +>3 string \&l3A - US legal page size +>3 string \&l26A - A4 page size +>3 string \&l80A - Monarch envelope size +>3 string \&l81A - No. 10 envelope size +>3 string \&l90A - Intl. DL envelope size +>3 string \&l91A - Intl. C5 envelope size +>3 string \&l100A - Intl. B5 envelope size +>3 string \&l-81A - No. 10 envelope size (landscape) +>3 string \&l-90A - Intl. DL envelope size (landscape) + +# IMAGEN printer-ready files: +0 string @document( Imagen printer +# this only works if "language xxx" is first item in Imagen header. +>10 string language\ impress (imPRESS data) +>10 string language\ daisy (daisywheel text) +>10 string language\ diablo (daisywheel text) +>10 string language\ printer (line printer emulation) +>10 string language\ tektronix (Tektronix 4014 emulation) +# Add any other languages that your Imagen uses - remember +# to keep the word `text' if the file is human-readable. +# [GRR 950115: missing "postscript" or "ultrascript" (whatever it was called)] +# +# Now magic for IMAGEN font files... +0 string Rast RST-format raster font data +>45 string >0 face %s +# From Jukka Ukkonen +0 string \033[K\002\0\0\017\033(a\001\0\001\033(g Canon Bubble Jet BJC formatted data + +# From <mike@flyn.org> +# These are the /etc/magic entries to decode data sent to an Epson printer. +0 string \x1B\x40\x1B\x28\x52\x08\x00\x00REMOTE1P Epson Stylus Color 460 data + + +#------------------------------------------------------------------------------ +# zenographics: file(1) magic for Zenographics ZjStream printer data +# Rick Richardson <rickrich@gmail.com> +0 string JZJZ +>0x12 string ZZ Zenographics ZjStream printer data (big-endian) +0 string ZJZJ +>0x12 string ZZ Zenographics ZjStream printer data (little-endian) + + +#------------------------------------------------------------------------------ +# Oak Technologies printer stream +# Rick Richardson <rickrich@gmail.com> +0 string OAK +>0x07 byte 0 +>0x0b byte 0 Oak Technologies printer stream + +# This would otherwise be recognized as PostScript - nick@debian.org +0 string %!VMF SunClock's Vector Map Format data + +#------------------------------------------------------------------------------ +# HP LaserJet 1000 series downloadable firmware file +0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware + +# From: Paolo <oopla@users.sf.net> +# Epson ESC/Page, ESC/PageColor +0 string \x1b\x01@EJL Epson ESC/Page language printer data + +# Summary: Hewlett-Packard Graphics Language +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HP-GL +# https://en.wikipedia.org/wiki/HPGL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpg.trid.xml +# Note: called "Hewlett-Packard Graphics Language" by TrID and +# "Hewlett Packard Graphics Language" by DROID via PUID x-fmt/293 and +# HPGL by XnView command `nconvert -info *` +# initialize, start a plotting job +0 string IN; +>0 use hpgl +# fill.plt +0 string INPS +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test1.hpgl +0 string DF; +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test3.hpgl +# Select Pen n; If no pen number or 0, the controller performs an end of file command; n in range between -32767 and 32768 like: 6 +0 string SP +# skip text Linux-syscall-note inside qemu sources starting with SPDX-Exception-Identifier: Linux-syscall-note +# by checking for valid Pen number +>2 regex \^([0-9]{1,5}) +#>2 regex \^([0-9]{1,5}) PEN_NUMBER=%s +>>0 use hpgl +# charsize.hp pages.hp set the scaling points (P1 and P2) to their default positions +0 string IP0 +>0 use hpgl +# ci.hp +0 string CO\040 +>0 use hpgl +# iw.hp 286x192.5_lh.hpg 286x192.5_lq.hpg +0 string PS\040 +>0 use hpgl +# thick.hp +0 string PS9 +>0 use hpgl +# ul.hp +0 string PS4 +>0 use hpgl +# la.hp +0 string BP +>0 use hpgl +# miter.hp +# Plot Absolute x,y{,x,y{...}}; x and y in range between -32767 and 32768 like: PA4000,3000; +0 string PA +# skip shell scripts test_msa_run_32r5eb.sh test_msa_run_32r5eb.sh with variable PATH_TO_QEMU +# by checking for valid x coordinate +>2 regex \^([-]{0,1}[0-9]{1,5}) +#>2 regex \^([-]{0,1}[0-9]{1,5}) COORDINATE=%s +>>0 use hpgl +# pw.hpg number of pens x +0 string NP +>0 use hpgl +# win_1.hp +#0 string \003INCA WHAT_IS_THAT +#>0 use hpgl +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpgl2.trid.xml +# Note: called "Hewlett-Packard Graphics Language 2" by TrID +0 string \033%-1B Hewlett-Packard Graphics Language 2 +!:mime application/vnd.hp-HPGL +# like: dt.plt +!:ext plt +#!:ext plt/gl2/hpg2/spl +# remaining part after escsape sequnce +>5 string x with "%-.10s" +# display Hewlett-Packard Graphics Language vector graphic information +0 name hpgl +>0 string x Hewlett-Packard Graphics Language +#!:mime vector/x-hpgl +# https://www.iana.org/assignments/media-types/application/vnd.hp-HPGL +!:mime application/vnd.hp-HPGL +# no example with HPL suffix found +!:ext hpgl/hpg/hp/plt +# like: "IN;" "DF;IN;LT;PU1000,1000;PD2000,10" "SP6;DI0,1;SR0.70,1.90;SC0,800," +# "CO Concentric circles drawn with different linewidths;" +>0 string x \b, starting with "%-.54s" +# continue but not for 1 long line without CR or LF +>>&0 ubyte <0x0E +#>>&0 ubyte <0x0E TERMINATOR=%x +# second line after 1 terminator character +>>>&0 string >\r with "%-.10s" +# next character again CR or LF +>>>&0 ubyte <0x0E +#>>>&0 ubyte <0x0E 2ND_CHARACTER=%x +# second line after 2 terminator characters +>>>>&0 string >\r with "%-.10s" diff --git a/magic/Magdir/project b/magic/Magdir/project new file mode 100644 index 0000000..9180b57 --- /dev/null +++ b/magic/Magdir/project @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: project,v 1.5 2017/03/17 21:35:28 christos Exp $ +# project: file(1) magic for Project management +# +# Magic strings for ftnchek project files. Alexander Mai +0 string FTNCHEK_\ P project file for ftnchek +>10 string 1 version 2.7 +>10 string 2 version 2.8 to 2.10 +>10 string 3 version 2.11 or later diff --git a/magic/Magdir/psdbms b/magic/Magdir/psdbms new file mode 100644 index 0000000..3eec965 --- /dev/null +++ b/magic/Magdir/psdbms @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: psdbms,v 1.8 2017/03/17 21:35:28 christos Exp $ +# psdbms: file(1) magic for psdatabase +# +# Update: Joerg Jenderek +# GRR: line below too general as it catches also some Panorama database *.pan , +# AppleWorks word processor +0 belong&0xff00ffff 0x56000000 +# assume version starts with digit +>1 regex/s =^[0-9] ps database +>>1 string >\0 version %s +# kernel name +>>4 string >\0 from kernel %s diff --git a/magic/Magdir/psl b/magic/Magdir/psl new file mode 100644 index 0000000..0296540 --- /dev/null +++ b/magic/Magdir/psl @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: psl,v 1.3 2019/04/19 00:42:27 christos Exp $ +# psl: file(1) magic for Public Suffix List representations +# From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> +# URL: https://publicsuffix.org +# see also: https://thread.gmane.org/gmane.network.dns.libpsl.bugs/162/focus=166 + +0 search/512 \n\n//\ ===BEGIN\ ICANN\ DOMAINS===\n\n Public Suffix List data + +0 string .DAFSA@PSL_ +>15 string \n Public Suffix List data (optimized) +>>11 byte >0x2f +>>>11 byte <0x3a (Version %c) diff --git a/magic/Magdir/pulsar b/magic/Magdir/pulsar new file mode 100644 index 0000000..7cb6f18 --- /dev/null +++ b/magic/Magdir/pulsar @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: pulsar,v 1.5 2009/09/19 16:28:12 christos Exp $ +# pulsar: file(1) magic for Pulsar POP3 daemon binary files +# +# http://pulsar.sourceforge.net +# mailto:rok.papez@lugos.si +# + +0 belong 0x1ee7f11e Pulsar POP3 daemon mailbox cache file. +>4 ubelong x Version: %d. +>8 ubelong x \b%d + diff --git a/magic/Magdir/puzzle b/magic/Magdir/puzzle new file mode 100644 index 0000000..ac983f3 --- /dev/null +++ b/magic/Magdir/puzzle @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: puzzle,v 1.2 2021/10/07 15:40:40 christos Exp $ +# wsdl: Magic for various puzzles + +# PUZ crossword puzzles from Alan De Smet +# Test files can be found at +# https://theworld.com/~wij/puzzles/wij-themed.html or using the +# "Universal" or "WS Journal" links on the right side of +# https://www.cruciverb.com/ . + +2 string ACROSS&DOWN PUZ crossword puzzle +>0x2c byte x %d x +>0x2d byte x %d, +>0x2e leshort x %d clues, +>0x1e leshort 0x0000 plain text solution +>0x1e leshort !0x0000 scrambled solution diff --git a/magic/Magdir/pwsafe b/magic/Magdir/pwsafe new file mode 100644 index 0000000..549093f --- /dev/null +++ b/magic/Magdir/pwsafe @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: pwsafe,v 1.2 2019/04/19 00:42:27 christos Exp $ +# pwsafe: file(1) magic for passwordsafe file +# +# Password Safe +# http://passwordsafe.sourceforge.net/ +# file format specs +# https://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/formatV3.txt +# V2 https://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/formatV2.txt +# V1 https://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/notes.txt +# V2 and V1 have no easy identifier that I can find +# .psafe3 +0 string PWS3 Password Safe V3 database diff --git a/magic/Magdir/pyramid b/magic/Magdir/pyramid new file mode 100644 index 0000000..ee47c80 --- /dev/null +++ b/magic/Magdir/pyramid @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: pyramid,v 1.7 2009/09/19 16:28:12 christos Exp $ +# pyramid: file(1) magic for Pyramids +# +# XXX - byte order? +# +0 long 0x50900107 Pyramid 90x family executable +0 long 0x50900108 Pyramid 90x family pure executable +>16 long >0 not stripped +0 long 0x5090010b Pyramid 90x family demand paged pure executable +>16 long >0 not stripped diff --git a/magic/Magdir/python b/magic/Magdir/python new file mode 100644 index 0000000..00d90d1 --- /dev/null +++ b/magic/Magdir/python @@ -0,0 +1,305 @@ + +#------------------------------------------------------------------------------ +# $File: python,v 1.45 2022/07/24 23:59:37 christos Exp $ +# python: file(1) magic for python +# +# Outlook puts """ too for urgent messages +# From: David Necas <yeti@physics.muni.cz> +# often the module starts with a multiline string +0 string/t """ Python script text executable +# MAGIC as specified in Python/import.c (1.0 to 3.7) +# and in Lib/importlib/_bootstrap_external.py (3.5+) +# two bytes of magic followed by "\r\n" in little endian order +0 belong 0x02099900 python 1.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x03099900 python 1.1/1.2 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x892e0d0a python 1.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x04170d0a python 1.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x994e0d0a python 1.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xfcc40d0a python 1.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xfdc40d0a python 1.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x87c60d0a python 2.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x88c60d0a python 2.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2aeb0d0a python 2.1 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2beb0d0a python 2.1 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2ded0d0a python 2.2 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2eed0d0a python 2.2 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x3bf20d0a python 2.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x3cf20d0a python 2.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x45f20d0a python 2.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x59f20d0a python 2.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x63f20d0a python 2.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x6df20d0a python 2.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x6ef20d0a python 2.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x77f20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x81f20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x8bf20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x8cf20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x95f20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x9ff20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xa9f20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xb3f20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xb4f20d0a python 2.5 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xc7f20d0a python 2.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xd1f20d0a python 2.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xd2f20d0a python 2.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xdbf20d0a python 2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xe5f20d0a python 2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xeff20d0a python 2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xf9f20d0a python 2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x03f30d0a python 2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x04f30d0a python 2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x0af30d0a PyPy2.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xb80b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xc20b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xcc0b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xd60b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xe00b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xea0b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xf40b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xf50b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xff0b0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x090c0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x130c0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x1d0c0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x1f0c0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x270c0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x3b0c0d0a python 3.0 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x450c0d0a python 3.1 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x4f0c0d0a python 3.1 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x580c0d0a python 3.2 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x620c0d0a python 3.2 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x6c0c0d0a python 3.2 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x760c0d0a python 3.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x800c0d0a python 3.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x8a0c0d0a python 3.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x940c0d0a python 3.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x9e0c0d0a python 3.3 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xb20c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xbc0c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xc60c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xd00c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xda0c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xe40c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xee0c0d0a python 3.4 byte-compiled +!:mime application/x-bytecode.python +0 belong 0xf80c0d0a python 3.5.1- byte-compiled +!:mime application/x-bytecode.python +0 belong 0x020d0d0a python 3.5.1- byte-compiled +!:mime application/x-bytecode.python +0 belong 0x0c0d0d0a python 3.5.1- byte-compiled +!:mime application/x-bytecode.python +0 belong 0x160d0d0a python 3.5.1- byte-compiled +!:mime application/x-bytecode.python +0 belong 0x170d0d0a python 3.5.2+ byte-compiled +!:mime application/x-bytecode.python +0 belong 0x200d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x210d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2a0d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2b0d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2c0d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2d0d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x2f0d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x300d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x310d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x320d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x330d0d0a python 3.6 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x3e0d0d0a python 3.7 byte-compiled +!:mime application/x-bytecode.python +0 belong 0x3f0d0d0a python 3.7 byte-compiled +!:mime application/x-bytecode.python + +# magic 3392+ implements PEP 552: Deterministic pycs +0 name pyc-pep552 +# the flag field determines how .pyc validity is checked +>4 ulelong&1 0 timestamp-based, +>>8 uledate x .py timestamp: %s UTC, +>>12 ulelong x .py size: %d bytes +>4 ulelong&1 !0 hash-based, check-source flag +>>4 ulelong&2 0 unset, +>>4 ulelong&2 !0 set, +>>8 ulequad x hash: 0x%llx + +# uleshort magic followed by \x0d\0xa +2 string \x0d\x0a +# extra check: only two bits of flag field are currently used +>4 ulelong <0x4 +# \x0d as part of magic should suffice till Python 3.14 (magic 3600) +>>1 ubyte 0x0d Byte-compiled Python module for +!:mime application/x-bytecode.python +# now look at the magic number to determine the version +>>>0 uleshort <3400 CPython 3.7, +>>>0 default x +>>>>0 uleshort <3420 CPython 3.8, +>>>>0 default x +>>>>>0 uleshort <3430 CPython 3.9, +>>>>>0 default x +>>>>>>0 uleshort <3450 CPython 3.10, +>>>>>>0 default x +>>>>>>>0 uleshort <3500 CPython 3.11, +>>>>>>>0 default x CPython 3.12 or newer, +>>>0 use pyc-pep552 +>>0 uleshort 240 Byte-compiled Python module for PyPy3.7, +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 256 Byte-compiled Python module for PyPy3.8, +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 336 Byte-compiled Python module for PyPy3.9, +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 + +0 search/1/w #!\040/usr/bin/python Python script text executable +!:strength + 15 +!:mime text/x-script.python +0 search/1/w #!\040/usr/local/bin/python Python script text executable +!:strength + 15 +!:mime text/x-script.python +0 search/10/w #!\040/usr/bin/env\040python Python script text executable +!:strength + 15 +!:mime text/x-script.python + + +# from module.submodule import func1, func2 +0 search/8192 import +>0 regex \^from[\040\t]+([A-Za-z0-9_]|\\.)+[\040\t]+import.*$ Python script text executable +!:strength + 15 +!:mime text/x-script.python + +# def __init__ (self, ...): +0 search/4096 def\ __init__ +>&0 search/64 self Python script text executable +!:strength + 15 +!:mime text/x-script.python + +# if __name__ == "__main__": +0 search/4096 if\ __name__ +>&0 search/64 '__main__' Python script text executable +>&0 search/64 "__main__" Python script text executable +!:strength + 15 +!:mime text/x-script.python + +# import module [as abrev] +0 search/8192 import +>0 regex \^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$ Python script text executable +!:mime text/x-script.python + +# comments +#0 search/4096 ''' +#>&0 regex .*'''$ Python script text executable +#!:mime text/x-script.python + +#0 search/4096 """ +#>&0 regex .*"""$ Python script text executable +#!:mime text/x-script.python + +# try: +# except: or finally: +# block +0 search/4096 try: +>&0 regex \^[[:space:]]*except.*:$ Python script text executable +!:strength + 15 +!:mime text/x-script.python +>&0 search/4096 finally: Python script text executable +!:mime text/x-script.python + +# class name[(base classes,)]: [pass] +0 search/8192 class +>0 regex \^class\ [_[:alpha:]]+(\\(.*\\))?(\ )*:([\ \t]+pass)?$ Python script text executable +!:strength + 15 +!:mime text/x-script.python + +# def name(*args, **kwargs): +0 search/8192 def\ +>0 regex \^[[:space:]]{0,50}def\ {1,50}[_a-zA-Z]{1,100} +>>&0 regex \\(([[:alpha:]*_,\ ]){0,255}\\):$ Python script text executable +!:strength + 15 +!:mime text/x-script.python + +# https://numpy.org/devdocs/reference/generated/numpy.lib.format.html +0 string \223NUMPY NumPy data file +!:mime application/x-numpy-data +>6 byte x \b, version %d +>7 byte x \b.%d +#>8 leshort x \b, header length=%d +>10 string x \b, description %s diff --git a/magic/Magdir/qt b/magic/Magdir/qt new file mode 100644 index 0000000..68085f2 --- /dev/null +++ b/magic/Magdir/qt @@ -0,0 +1,30 @@ + +#------------------------------------------------------------------------------ +# $File: qt,v 1.4 2022/11/11 14:50:23 christos Exp $ +# qt: file(1) magic for Qt + +# https://doc.qt.io/qt-5/resources.html +0 string \<!DOCTYPE\040RCC\> Qt Resource Collection file + +# https://qt.gitorious.org/qt/qtbase/source/\ +# 5367fa356233da4c0f28172a8f817791525f5457:\ +# src/tools/rcc/rcc.cpp#L840 +0 string qres\0\0 Qt Binary Resource file +0 search/1024 The\040Resource\040Compiler\040for\040Qt Qt C-code resource file + +# https://qt.gitorious.org/qt/qtbase/source/\ +# 5367fa356233da4c0f28172a8f817791525f5457:\ +# src/corelib/kernel/qtranslator.cpp#L62 +0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 +>8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file + + +# Qt V4 Javascript engine compiled unit +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/qt/qtdeclarative/blob/v6.4.0/src/qml/common/qv4compileddata_p.h +0 string qv4cdata QV4 compiled unit +!:ext qmlc +>8 ulelong x \b, version %d +>12 byte x \b, Qt %d +>13 byte x \b.%d +>14 byte x \b.%d diff --git a/magic/Magdir/revision b/magic/Magdir/revision new file mode 100644 index 0000000..824220a --- /dev/null +++ b/magic/Magdir/revision @@ -0,0 +1,66 @@ + +#------------------------------------------------------------------------------ +# $File: revision,v 1.11 2019/04/19 00:42:27 christos Exp $ +# file(1) magic for revision control files +# From Hendrik Scholz <hendrik@scholz.net> +0 string/t /1\ :pserver: cvs password text file + +# Conary changesets +# From: Jonathan Smith <smithj@rpath.com> +0 belong 0xea3f81bb Conary changeset data + +# Type: Git bundles (git-bundle) +# From: Josh Triplett <josh@freedesktop.org> +0 string #\ v2\ git\ bundle\n Git bundle + +# Type: Git pack +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Git +# reference: https://github.com/git/git/blob/master/Documentation/technical/pack-format.txt +# The actual magic is 'PACK', but that clashes with Doom/Quake packs. However, +# those have a little-endian offset immediately following the magic 'PACK', +# the first byte of which is never 0, while the first byte of the Git pack +# version, since it's a tiny number stored in big-endian format, is always 0. +0 string PACK +# GRR: line above is too general as it matches also PackDir archive ./acorn +# test for major version. Git 2017 accepts version number 2 or 3 +>4 ubelong <9 +# Acorn PackDir with method 0 compression has root like ADFS::HardDisc4.$.AsylumSrc +# or SystemDevice::foobar +>>9 search/13 :: +# but in git binary +>>9 default x Git pack +!:mime application/x-git +!:ext pack +# 4 GB limit implies unsigned integer +>>>4 ubelong x \b, version %u +>>>8 ubelong x \b, %u objects + +# Type: Git pack index +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +0 string \377tOc Git pack index +>4 belong =2 \b, version 2 + +# Type: Git index file +# From: Frederic Briare <fbriere@fbriere.net> +0 string DIRC Git index +>4 belong >0 \b, version %d +>>8 belong >0 \b, %d entries + +# Type: Mercurial bundles +# From: Seo Sanghyeon <tinuviel@sparcs.kaist.ac.kr> +0 string HG10 Mercurial bundle, +>4 string UN uncompressed +>4 string BZ bzip2 compressed + +# Type: Subversion (SVN) dumps +# From: Uwe Zeisberger <zeisberg@informatik.uni-freiburg.de> +0 string SVN-fs-dump-format-version: Subversion dumpfile +>28 string >\0 (version: %s) + +# Type: Bazaar revision bundles and merge requests +# URL: https://www.bazaar-vcs.org/ +# From: Jelmer Vernooij <jelmer@samba.org> +0 string #\ Bazaar\ revision\ bundle\ v Bazaar Bundle +0 string #\ Bazaar\ merge\ directive\ format Bazaar merge directive diff --git a/magic/Magdir/riff b/magic/Magdir/riff new file mode 100644 index 0000000..9b913a5 --- /dev/null +++ b/magic/Magdir/riff @@ -0,0 +1,840 @@ + +#------------------------------------------------------------------------------ +# $File: riff,v 1.45 2022/07/24 23:47:49 christos Exp $ +# riff: file(1) magic for RIFF format +# See +# +# https://www.seanet.com/users/matts/riffmci/riffmci.htm +# http://www-mmsp.ece.mcgill.ca/Documents/AudioFormats/WAVE/Docs/riffmci.pdf +# https://www.iana.org/assignments/wave-avi-codec-registry/wave-avi-codec-registry.xml +# + +# audio format tag. Assume limits: max 1024 bit, 128 channels, 1 MHz +0 name riff-wave +>0 leshort 0x01 \b, Microsoft PCM +>>14 leshort >0 +>>>14 leshort <1024 \b, %d bit +>0 leshort 0x02 \b, Microsoft ADPCM +>0 leshort 0x03 \b, IEEE Float +>0 leshort 0x04 \b, Compaq VSELP +>0 leshort 0x05 \b, IBM CVSD +>0 leshort 0x06 \b, ITU G.711 A-law +>0 leshort 0x07 \b, ITU G.711 mu-law +>0 leshort 0x08 \b, Microsoft DTS +>0 leshort 0x10 \b, OKI ADPCM +>0 leshort 0x11 \b, IMA ADPCM +>0 leshort 0x12 \b, MediaSpace ADPCM +>0 leshort 0x13 \b, Sierra ADPCM +>0 leshort 0x14 \b, ITU G.723 ADPCM (Yamaha) +>0 leshort 0x15 \b, DSP Solutions DIGISTD +>0 leshort 0x16 \b, DSP Solutions DIGIFIX +>0 leshort 0x17 \b, Dialogic OKI ADPCM +>0 leshort 0x18 \b, MediaVision ADPCM +>0 leshort 0x19 \b, HP CU +>0 leshort 0x20 \b, Yamaha ADPCM +>0 leshort 0x21 \b, Speech Compression SONARC +>0 leshort 0x22 \b, DSP Group True Speech +>0 leshort 0x23 \b, Echo Speech EchoSC1 +>0 leshort 0x24 \b, AudioFile AF36 +>0 leshort 0x25 \b, APTX +>0 leshort 0x26 \b, AudioFile AF10 +>0 leshort 0x27 \b, Prosody 1612 +>0 leshort 0x28 \b, LRC +>0 leshort 0x30 \b, Dolby AC2 +>0 leshort 0x31 \b, GSM 6.10 +>0 leshort 0x32 \b, MSN Audio +>0 leshort 0x33 \b, Antex ADPCME +>0 leshort 0x34 \b, Control Res VQLPC +>0 leshort 0x35 \b, Digireal +>0 leshort 0x36 \b, DigiADPCM +>0 leshort 0x37 \b, Control Res CR10 +>0 leshort 0x38 \b, NMS VBXADPCM +>0 leshort 0x39 \b, Roland RDAC +>0 leshort 0x3A \b, Echo Speech EchoSC3 +>0 leshort 0x3B \b, Rockwell ADPCM +>0 leshort 0x3C \b, Rockwell Digitalk +>0 leshort 0x3D \b, Xebec +>0 leshort 0x40 \b, ITU G.721 ADPCM +>0 leshort 0x41 \b, ITU G.728 CELP +>0 leshort 0x42 \b, MSG723 +>0 leshort 0x50 \b, MPEG +>0 leshort 0x52 \b, RT24 +>0 leshort 0x53 \b, PAC +>0 leshort 0x55 \b, MPEG Layer 3 +>0 leshort 0x59 \b, Lucent G.723 +>0 leshort 0x60 \b, Cirrus +>0 leshort 0x61 \b, ESPCM +>0 leshort 0x62 \b, Voxware +>0 leshort 0x63 \b, Canopus Atrac +>0 leshort 0x64 \b, ITU G.726 ADPCM +>0 leshort 0x65 \b, ITU G.722 ADPCM +>0 leshort 0x66 \b, DSAT +>0 leshort 0x67 \b, DSAT Display +>0 leshort 0x69 \b, Voxware Byte Aligned +>0 leshort 0x70 \b, Voxware AC8 +>0 leshort 0x71 \b, Voxware AC10 +>0 leshort 0x72 \b, Voxware AC16 +>0 leshort 0x73 \b, Voxware AC20 +>0 leshort 0x74 \b, Voxware MetaVoice +>0 leshort 0x75 \b, Voxware MetaSound +>0 leshort 0x76 \b, Voxware RT29HW +>0 leshort 0x77 \b, Voxware VR12 +>0 leshort 0x78 \b, Voxware VR18 +>0 leshort 0x79 \b, Voxware TQ40 +>0 leshort 0x80 \b, Softsound +>0 leshort 0x81 \b, Voxware TQ60 +>0 leshort 0x82 \b, MSRT24 +>0 leshort 0x83 \b, ITU G.729A +>0 leshort 0x84 \b, MVI MV12 +>0 leshort 0x85 \b, DF G.726 +>0 leshort 0x86 \b, DF GSM610 +>0 leshort 0x88 \b, ISIAudio +>0 leshort 0x89 \b, Onlive +>0 leshort 0x91 \b, SBC24 +>0 leshort 0x92 \b, Dolby AC3 S/PDIF +>0 leshort 0x97 \b, ZyXEL ADPCM +>0 leshort 0x98 \b, Philips LPCBB +>0 leshort 0x99 \b, Packed +>0 leshort 0x100 \b, Rhetorex ADPCM +>0 leshort 0x101 \b, BeCubed Software IRAT +>0 leshort 0x111 \b, Vivo G.723 +>0 leshort 0x112 \b, Vivo Siren +>0 leshort 0x123 \b, Digital G.723 +>0 leshort 0x200 \b, Creative ADPCM +>0 leshort 0x202 \b, Creative FastSpeech8 +>0 leshort 0x203 \b, Creative FastSpeech10 +>0 leshort 0x220 \b, Quarterdeck +>0 leshort 0x300 \b, FM Towns Snd +>0 leshort 0x400 \b, BTV Digital +>0 leshort 0x680 \b, VME VMPCM +>0 leshort 0x1000 \b, OLIGSM +>0 leshort 0x1001 \b, OLIADPCM +>0 leshort 0x1002 \b, OLICELP +>0 leshort 0x1003 \b, OLISBC +>0 leshort 0x1004 \b, OLIOPR +>0 leshort 0x1100 \b, LH Codec +>0 leshort 0x1400 \b, Norris +>0 leshort 0x1401 \b, ISIAudio +>0 leshort 0x1500 \b, Soundspace Music Compression +>0 leshort 0x2000 \b, AC3 DVM +>0 leshort 0x2001 \b, DTS +>2 leshort =1 \b, mono +>2 leshort =2 \b, stereo +>2 leshort >2 +>>2 leshort <128 \b, %d channels +>4 lelong >0 +>>4 lelong <1000000 %d Hz + +# try to find "fmt " +0 name riff-walk +>0 string fmt\x20 +>>4 lelong >15 +>>>8 use riff-wave +>0 string LIST +>>&(4.l+4) use riff-walk +>0 string DISP +>>&(4.l+4) use riff-walk +>0 string bext +>>&(4.l+4) use riff-walk +>0 string Fake +>>&(4.l+4) use riff-walk +>0 string fact +>>&(4.l+4) use riff-walk +>0 string VP8 +>>11 byte 0x9d +>>>12 byte 0x01 +>>>>13 byte 0x2a \b, VP8 encoding +>>>>>14 leshort&0x3fff x \b, %d +>>>>>16 leshort&0x3fff x \bx%d, Scaling: +>>>>>14 leshort&0xc000 0x0000 \b [none] +>>>>>14 leshort&0xc000 0x1000 \b [5/4] +>>>>>14 leshort&0xc000 0x2000 \b [5/3] +>>>>>14 leshort&0xc000 0x3000 \b [2] +>>>>>14 leshort&0xc000 0x0000 \bx[none] +>>>>>14 leshort&0xc000 0x1000 \bx[5/4] +>>>>>14 leshort&0xc000 0x2000 \bx[5/3] +>>>>>14 leshort&0xc000 0x3000 \bx[2] +>>>>>15 byte&0x80 =0x00 \b, YUV color +>>>>>15 byte&0x80 =0x80 \b, bad color specification +>>>>>15 byte&0x40 =0x40 \b, no clamping required +>>>>>15 byte&0x40 =0x00 \b, decoders should clamp +#>0 string x we got %s +#>>&(4.l+4) use riff-walk + +# RecorderGear TR500 call recorder digits (BCD) +0 name tr500-call-recorder-digits +>0 byte&0xF0 0x00 \b0 +>0 byte&0xF0 0x10 \b1 +>0 byte&0xF0 0x20 \b2 +>0 byte&0xF0 0x30 \b3 +>0 byte&0xF0 0x40 \b4 +>0 byte&0xF0 0x50 \b5 +>0 byte&0xF0 0x60 \b6 +>0 byte&0xF0 0x70 \b7 +>0 byte&0xF0 0x80 \b8 +>0 byte&0xF0 0x90 \b9 +>0 byte&0xF0 0xb0 \b* +>0 byte&0xF0 0xc0 \b# +>0 byte&0x0F 0 \b0 +>0 byte&0x0F 1 \b1 +>0 byte&0x0F 2 \b2 +>0 byte&0x0F 3 \b3 +>0 byte&0x0F 4 \b4 +>0 byte&0x0F 5 \b5 +>0 byte&0x0F 6 \b6 +>0 byte&0x0F 7 \b7 +>0 byte&0x0F 8 \b8 +>0 byte&0x0F 9 \b9 +>0 byte&0x0F 0xb \b* +>0 byte&0x0F 0xc \b# + +# TR500 call recorder extended header +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Contains dialed/incoming phone number and timestamp. +# TODO: Verify byte 15. +0 name tr500-call-recorder-header +>15 byte 2 (outgoing call: +>15 byte 4 (incoming call: +>1 byte 0xFF \bno number +>1 byte !0xFF +>>1 use tr500-call-recorder-digits +>>2 byte !0xFF +>>>2 use tr500-call-recorder-digits +>>3 byte !0xFF +>>>3 use tr500-call-recorder-digits +>>4 byte !0xFF +>>>4 use tr500-call-recorder-digits +>>5 byte !0xFF +>>>5 use tr500-call-recorder-digits +>>6 byte !0xFF +>>>6 use tr500-call-recorder-digits +>>7 byte !0xFF +>>>7 use tr500-call-recorder-digits +>>8 byte !0xFF +>>>8 use tr500-call-recorder-digits +>9 byte x \b, 20%02x +>10 byte x \b/%02x +>11 byte x \b/%02x +>12 byte x %02x +>13 byte x \b:%02x +>14 byte x \b:%02x) + +# AVI section extended by Patrik Radman <patrik+file-magic@iki.fi> +# +0 string RIFF RIFF (little-endian) data +# RIFF Palette format +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Resource_Interchange_File_Format +# Reference: https://worms2d.info/Palette_file +# WAVE/AVI codec registry: https://www.iana.org/assignments/wave-avi-codec-registry/wave-avi-codec-registry.xml +>8 string PAL\ \b, palette +!:mime application/x-riff +# color palette by Microsoft Corporation +!:ext pal +# file size = chunk size + 8 in most cases +>>4 ulelong+8 x \b, %u bytes +# Extended PAL Format +>>12 string plth \b, extended +# Simple PAL Format +>>12 string data +# data chunk size = color entries * 4 + 4 + sometimes extra (4) appended bytes +>>>16 ulelong x \b, data size %u +# palVersion is always 0x0300 +#>>>20 leshort x \b, version %#4.4x +# palNumEntries specifies the number of palette color entries +>>>22 uleshort x \b, %u entries +# after palPalEntry sized (number of color entries * 4 ) vector +>>>(22.s*4) ubequad x +# jump relative 22 ( 8 + 16) bytes forward points after end of file or to +# appended extra bytes like in http://safecolours.rigdenage.com/set(ms).zip/Protan(MS).pal +>>>>&16 ubelong x \b, extra bytes +>>>>>&-4 ubelong >0 %#8.8x +# RIFF Device Independent Bitmap format +# URL: http://fileformats.archiveteam.org/wiki/RDIB +>8 string RDIB \b, device-independent bitmap +!:ext rdi/dib +>>16 string BM +>>>30 leshort 12 \b, OS/2 1.x format +>>>>34 leshort x \b, %d x +>>>>36 leshort x %d +>>>30 leshort 64 \b, OS/2 2.x format +>>>>34 leshort x \b, %d x +>>>>36 leshort x %d +>>>30 leshort 40 \b, Windows 3.x format +>>>>34 lelong x \b, %d x +>>>>38 lelong x %d x +>>>>44 leshort x %d +# RIFF MIDI format +# URL: http://fileformats.archiveteam.org/wiki/RIFF_MIDI +>8 string RMID \b, MIDI +# http://extension.nirsoft.net/rmi +!:mime audio/mid +#!:mime audio/x-rmid +!:ext rmi +# RIFF Multimedia Movie File format +# URL: http://fileformats.archiveteam.org/wiki/RIFF_Multimedia_Movie +>8 string RMMP \b, multimedia movie +!:mime video/x-mmm +!:ext mmm +# RIFF wrapper for MP3 +>8 string RMP3 \b, MPEG Layer 3 audio +#!:mime audio/x-rmp3 +# Microsoft WAVE format (*.wav) +# URL: http://fileformats.archiveteam.org/wiki/WAV +>8 string WAVE \b, WAVE audio +#!:mime audio/vnd.wave +!:mime audio/x-wav +# https://www.macdisk.com/macsigen.php +#!:apple ????WAVE +!:ext wav/wave +>>12 string >\0 +>>>12 use riff-walk +# TR500 call recorder extended header +>>16 ulelong 0x1E4 +>>>20 leshort 0x11 +>>>>256 byte 4 +>>>>>256 use tr500-call-recorder-header +# Update: Joerg Jenderek +# lower case for Corel Draw version 8 Bidi +>8 string/c cdr +# skip Corel CCX Clipart +>>8 string !CDRXcont +# Corel Draw Picture +>>>0 use corel-draw +# URL: http://fileformats.archiveteam.org/wiki/CCX_(Corel) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccx-corel.trid.xml +>>8 string =CDRXcont \b, Corel Clipart +!:mime application/x-corel-ccx +!:ext ccx +# 3rd chunk data {Corel\040Binary\040Meta\040File} +#>>>20 string x \b, 3rd '%-s' +>>>4 ulelong+8 x \b, %u bytes +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://fileformats.archiveteam.org/wiki/CorelDRAW +# Picture templates created by newer software start with RIFF type CDT +>8 string CDT +>>0 use corel-draw +# Picture templates with version 4.4 +>8 string CDST +>>0 use corel-draw +# pattern created by newer software start with RIFF type PAT +>8 string PAT +>>0 use corel-draw +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Corel_Designer +# Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer +>8 string DES +>>8 string !DESC +>>>0 use corel-des +# Corel Draw templates with version 12.5 or Corel Designer illustration 12 +>>8 string =DESC +# MORE TESTS NEEDED HERE! +#>>>0 use corel-des +#>>>0 use corel-draw +>8 string NUNDROOT \b, Steinberg CuBase +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MIDI_Instrument_Definition_File +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf.trid.xml +# ftp://curscott.servebeer.com/Download/Apps/_Microsoft/ +# Visual%20Studio%206.0%20Professional%20MSDN/ +# SAMPLES/VC98/SDK/GRAPHICS/AUDIO/IDFEDIT/GLOBALS.H +# Note: called "MIDI Instrument Definition File" by TrID +>8 string IDF\ LIST \b, MIDI Instrument Definition File +!:mime audio/x-idf +!:ext idf +# 3rd chunk size like: 254 284 286 670 +#>>0x10 ulelong x \b, 3th SIZE %u +# for debugging purpose display next chunk like: MMAPhdr +#>>0x14 string x \b, 4th "%-8.8s" +#>>0x1C ulelong x \b, 4th SIZE 0x%x +# probably MIDI instrument name like: "Universal-MIDI-Instrument" "instrument name" "General MIDI" +>>0x30 string x "%s" +# look for inst TAG +>>0x31 search/256 inst by +# probably manufacture name like: "Unspecified Company" "NVidia Corporation" +>>>&0x24 string x "%s" +# AVI == Audio Video Interleave +# Reference: http://fileformats.archiveteam.org/wiki/AVI +>8 string AVI\040 \b, AVI +# https://reposcope.com/mimetype/video/x-msvideo +!:mime video/x-msvideo +# https://www.iana.org/assignments/wave-avi-codec-registry/wave-avi-codec-registry.xml +#!:mime video/vnd.avi +!:ext avi/divx +>>12 string LIST +>>>20 string hdrlavih +>>>>&36 lelong x \b, %u x +>>>>&40 lelong x %u, +>>>>&4 lelong >1000000 <1 fps, +>>>>&4 lelong 1000000 1.00 fps, +>>>>&4 lelong 500000 2.00 fps, +>>>>&4 lelong 333333 3.00 fps, +>>>>&4 lelong 250000 4.00 fps, +>>>>&4 lelong 200000 5.00 fps, +>>>>&4 lelong 166667 6.00 fps, +>>>>&4 lelong 142857 7.00 fps, +>>>>&4 lelong 125000 8.00 fps, +>>>>&4 lelong 111111 9.00 fps, +>>>>&4 lelong 100000 10.00 fps, +# ]9.9,10.1[ +>>>>&4 lelong <101010 +>>>>>&-4 lelong >99010 +>>>>>>&-4 lelong !100000 ~10 fps, +>>>>&4 lelong 83333 12.00 fps, +# ]11.9,12.1[ +>>>>&4 lelong <84034 +>>>>>&-4 lelong >82645 +>>>>>>&-4 lelong !83333 ~12 fps, +>>>>&4 lelong 66667 15.00 fps, +# ]14.9,15.1[ +>>>>&4 lelong <67114 +>>>>>&-4 lelong >66225 +>>>>>>&-4 lelong !66667 ~15 fps, +>>>>&4 lelong 50000 20.00 fps, +>>>>&4 lelong 41708 23.98 fps, +>>>>&4 lelong 41667 24.00 fps, +# ]23.9,24.1[ +>>>>&4 lelong <41841 +>>>>>&-4 lelong >41494 +>>>>>>&-4 lelong !41708 +>>>>>>>&-4 lelong !41667 ~24 fps, +>>>>&4 lelong 40000 25.00 fps, +# ]24.9,25.1[ +>>>>&4 lelong <40161 +>>>>>&-4 lelong >39841 +>>>>>>&-4 lelong !40000 ~25 fps, +>>>>&4 lelong 33367 29.97 fps, +>>>>&4 lelong 33333 30.00 fps, +# ]29.9,30.1[ +>>>>&4 lelong <33445 +>>>>>&-4 lelong >33223 +>>>>>>&-4 lelong !33367 +>>>>>>>&-4 lelong !33333 ~30 fps, +>>>>&4 lelong <32224 >30 fps, +##>>>>&4 lelong x (%lu) +##>>>>&20 lelong x %lu frames, +# Note: The tests below assume that the AVI has 1 or 2 streams, +# "vids" optionally followed by "auds". +# (Should cover 99.9% of all AVIs.) +# assuming avih length = 56 +>>>88 string LIST +>>>>96 string strlstrh +>>>>>108 string vids video: +>>>>>>&0 lelong 0 uncompressed +# skip past vids strh +>>>>>>(104.l+108) string strf +>>>>>>>(104.l+132) lelong 1 RLE 8bpp +>>>>>>>(104.l+132) string/c anim Intel RDX +>>>>>>>(104.l+132) string/c aur2 AuraVision Aura 2 +>>>>>>>(104.l+132) string/c aura AuraVision Aura +>>>>>>>(104.l+132) string/c bt20 Brooktree MediaStream +>>>>>>>(104.l+132) string/c btcv Brooktree Composite Video +>>>>>>>(104.l+132) string/c cc12 Intel YUV12 +>>>>>>>(104.l+132) string/c cdvc Canopus DV +>>>>>>>(104.l+132) string/c cham Winnov Caviara Cham +>>>>>>>(104.l+132) string/c cljr Proprietary YUV 4 pixels +>>>>>>>(104.l+132) string/c cmyk Common Data Format in Printing +>>>>>>>(104.l+132) string/c cpla Weitek 4:2:0 YUV Planar +>>>>>>>(104.l+132) string/c cvid Cinepak +>>>>>>>(104.l+132) string/c cwlt Microsoft Color WLT DIB +>>>>>>>(104.l+132) string/c cyuv Creative Labs YUV +>>>>>>>(104.l+132) string/c d261 H.261 +>>>>>>>(104.l+132) string/c d263 H.263 +>>>>>>>(104.l+132) string/c duck TrueMotion 1.0 +>>>>>>>(104.l+132) string/c dve2 DVE-2 Videoconferencing +>>>>>>>(104.l+132) string/c fljp Field Encoded Motion JPEG +>>>>>>>(104.l+132) string/c fvf1 Fractal Video Frame +>>>>>>>(104.l+132) string/c gwlt Microsoft Greyscale WLT DIB +>>>>>>>(104.l+132) string/c h260 H.260 +>>>>>>>(104.l+132) string/c h261 H.261 +>>>>>>>(104.l+132) string/c h262 H.262 +>>>>>>>(104.l+132) string/c h263 H.263 +>>>>>>>(104.l+132) string/c h264 H.264 +>>>>>>>(104.l+132) string/c h265 H.265 +>>>>>>>(104.l+132) string/c h266 H.266 +>>>>>>>(104.l+132) string/c h267 H.267 +>>>>>>>(104.l+132) string/c h268 H.268 +>>>>>>>(104.l+132) string/c h269 H.269 +>>>>>>>(104.l+132) string/c i263 Intel I.263 +>>>>>>>(104.l+132) string/c i420 Intel Indeo 4 +>>>>>>>(104.l+132) string/c ian Intel RDX +>>>>>>>(104.l+132) string/c iclb CellB Videoconferencing Codec +>>>>>>>(104.l+132) string/c ilvc Intel Layered Video +>>>>>>>(104.l+132) string/c ilvr ITU-T H.263+ +>>>>>>>(104.l+132) string/c iraw Intel YUV Uncompressed +>>>>>>>(104.l+132) string/c iv30 Intel Indeo 3 +>>>>>>>(104.l+132) string/c iv31 Intel Indeo 3.1 +>>>>>>>(104.l+132) string/c iv32 Intel Indeo 3.2 +>>>>>>>(104.l+132) string/c iv33 Intel Indeo 3.3 +>>>>>>>(104.l+132) string/c iv34 Intel Indeo 3.4 +>>>>>>>(104.l+132) string/c iv35 Intel Indeo 3.5 +>>>>>>>(104.l+132) string/c iv36 Intel Indeo 3.6 +>>>>>>>(104.l+132) string/c iv37 Intel Indeo 3.7 +>>>>>>>(104.l+132) string/c iv38 Intel Indeo 3.8 +>>>>>>>(104.l+132) string/c iv39 Intel Indeo 3.9 +>>>>>>>(104.l+132) string/c iv40 Intel Indeo 4.0 +>>>>>>>(104.l+132) string/c iv41 Intel Indeo 4.1 +>>>>>>>(104.l+132) string/c iv42 Intel Indeo 4.2 +>>>>>>>(104.l+132) string/c iv43 Intel Indeo 4.3 +>>>>>>>(104.l+132) string/c iv44 Intel Indeo 4.4 +>>>>>>>(104.l+132) string/c iv45 Intel Indeo 4.5 +>>>>>>>(104.l+132) string/c iv46 Intel Indeo 4.6 +>>>>>>>(104.l+132) string/c iv47 Intel Indeo 4.7 +>>>>>>>(104.l+132) string/c iv48 Intel Indeo 4.8 +>>>>>>>(104.l+132) string/c iv49 Intel Indeo 4.9 +>>>>>>>(104.l+132) string/c iv50 Intel Indeo 5.0 +>>>>>>>(104.l+132) string/c mpeg MPEG 1 Video Frame +>>>>>>>(104.l+132) string/c mjpg Motion JPEG +>>>>>>>(104.l+132) string/c mp42 Microsoft MPEG-4 v2 +>>>>>>>(104.l+132) string/c mp43 Microsoft MPEG-4 v3 +>>>>>>>(104.l+132) string/c mrca MR Codec +>>>>>>>(104.l+132) string/c mrle Run Length Encoding +>>>>>>>(104.l+132) string/c msvc Microsoft Video 1 +>>>>>>>(104.l+132) string/c phmo Photomotion +>>>>>>>(104.l+132) string/c qpeq QPEG 1.1 Format Video +>>>>>>>(104.l+132) string/c rgbt RGBT +>>>>>>>(104.l+132) string/c rle4 Run Length Encoded 4 +>>>>>>>(104.l+132) string/c rle8 Run Length Encoded 8 +>>>>>>>(104.l+132) string/c rt21 Intel Indeo 2.1 +>>>>>>>(104.l+132) string/c rvx Intel RDX +>>>>>>>(104.l+132) string/c sdcc Sun Digital Camera Codec +>>>>>>>(104.l+132) string/c sfmc Crystal Net SFM Codec +>>>>>>>(104.l+132) string/c smsc SMSC +>>>>>>>(104.l+132) string/c smsd SMSD +>>>>>>>(104.l+132) string/c splc Splash Studios ACM Audio Codec +>>>>>>>(104.l+132) string/c sqz2 Microsoft VXtreme Video Codec +>>>>>>>(104.l+132) string/c sv10 Sorenson Video R1 +>>>>>>>(104.l+132) string/c tlms TeraLogic Motion Intraframe Codec A +>>>>>>>(104.l+132) string/c tlst TeraLogic Motion Intraframe Codec B +>>>>>>>(104.l+132) string/c tm20 TrueMotion 2.0 +>>>>>>>(104.l+132) string/c tmic TeraLogic Motion Intraframe Codec 2 +>>>>>>>(104.l+132) string/c tmot TrueMotion Video Compression +>>>>>>>(104.l+132) string/c tr20 TrueMotion RT 2.0 +>>>>>>>(104.l+132) string/c ulti Ultimotion +>>>>>>>(104.l+132) string/c uyvy UYVY 4:2:2 byte ordering +>>>>>>>(104.l+132) string/c v422 24-bit YUV 4:2:2 format +>>>>>>>(104.l+132) string/c v655 16-bit YUV 4:2:2 format +>>>>>>>(104.l+132) string/c vcr1 ATI VCR 1.0 +>>>>>>>(104.l+132) string/c vcr2 ATI VCR 2.0 +>>>>>>>(104.l+132) string/c vcr3 ATI VCR 3.0 +>>>>>>>(104.l+132) string/c vcr4 ATI VCR 4.0 +>>>>>>>(104.l+132) string/c vcr5 ATI VCR 5.0 +>>>>>>>(104.l+132) string/c vcr6 ATI VCR 6.0 +>>>>>>>(104.l+132) string/c vcr7 ATI VCR 7.0 +>>>>>>>(104.l+132) string/c vcr8 ATI VCR 8.0 +>>>>>>>(104.l+132) string/c vcr9 ATI VCR 9.0 +>>>>>>>(104.l+132) string/c vdct Video Maker Pro DIB +>>>>>>>(104.l+132) string/c vids YUV 4:2:2 CCIR 601 for V422 +>>>>>>>(104.l+132) string/c vivo Vivo H.263 +>>>>>>>(104.l+132) string/c vixl VIXL +>>>>>>>(104.l+132) string/c vlv1 VLCAP.DRV +>>>>>>>(104.l+132) string/c wbvc W9960 +>>>>>>>(104.l+132) string/c x263 mmioFOURCC('X','2','6','3') +>>>>>>>(104.l+132) string/c xlv0 XL Video Decoder +>>>>>>>(104.l+132) string/c y211 YUV 2:1:1 Packed +>>>>>>>(104.l+132) string/c y411 YUV 4:1:1 Packed +>>>>>>>(104.l+132) string/c y41b YUV 4:1:1 Planar +>>>>>>>(104.l+132) string/c y41p PC1 4:1:1 +>>>>>>>(104.l+132) string/c y41t PC1 4:1:1 with transparency +>>>>>>>(104.l+132) string/c y42b YUV 4:2:2 Planar +>>>>>>>(104.l+132) string/c y42t PC1 4:2:2 with transparency +>>>>>>>(104.l+132) string/c yc12 Intel YUV12 Codec +>>>>>>>(104.l+132) string/c yuv8 Winnov Caviar YUV8 +>>>>>>>(104.l+132) string/c yuv9 YUV9 +>>>>>>>(104.l+132) string/c yuy2 YUY2 4:2:2 byte ordering packed +>>>>>>>(104.l+132) string/c yuyv BI_YUYV, Canopus +>>>>>>>(104.l+132) string/c fmp4 FFMpeg MPEG-4 +>>>>>>>(104.l+132) string/c div3 DivX 3 +>>>>>>>>112 string/c div3 Low-Motion +>>>>>>>>112 string/c div4 Fast-Motion +>>>>>>>(104.l+132) string/c divx DivX 4 +>>>>>>>(104.l+132) string/c dx50 DivX 5 +>>>>>>>(104.l+132) string/c xvid XviD +>>>>>>>(104.l+132) string/c h264 H.264 +>>>>>>>(104.l+132) string/c wmv3 Windows Media Video 9 +>>>>>>>(104.l+132) string/c h264 X.264 or H.264 +>>>>>>>(104.l+132) lelong 0 +##>>>>>>>(104.l+132) string x (%.4s) +# skip past first (video) LIST +>>>>(92.l+96) string LIST +>>>>>(92.l+104) string strlstrh +>>>>>>(92.l+116) string auds \b, audio: +# auds strh length = 56: +>>>>>>>(92.l+172) string strf +>>>>>>>>(92.l+180) leshort 0x0001 uncompressed PCM +>>>>>>>>(92.l+180) leshort 0x0002 ADPCM +>>>>>>>>(92.l+180) leshort 0x0006 aLaw +>>>>>>>>(92.l+180) leshort 0x0007 uLaw +>>>>>>>>(92.l+180) leshort 0x0050 MPEG-1 Layer 1 or 2 +>>>>>>>>(92.l+180) leshort 0x0055 MPEG-1 Layer 3 +>>>>>>>>(92.l+180) leshort 0x2000 Dolby AC3 +>>>>>>>>(92.l+180) leshort 0x0161 DivX +##>>>>>>>>(92.l+180) leshort x (%#.4x) +>>>>>>>>(92.l+182) leshort 1 (mono, +>>>>>>>>(92.l+182) leshort 2 (stereo, +>>>>>>>>(92.l+182) leshort >2 (%d channels, +>>>>>>>>(92.l+184) lelong x %d Hz) +# auds strh length = 64: +>>>>>>>(92.l+180) string strf +>>>>>>>>(92.l+188) leshort 0x0001 uncompressed PCM +>>>>>>>>(92.l+188) leshort 0x0002 ADPCM +>>>>>>>>(92.l+188) leshort 0x0055 MPEG-1 Layer 3 +>>>>>>>>(92.l+188) leshort 0x2000 Dolby AC3 +>>>>>>>>(92.l+188) leshort 0x0161 DivX +##>>>>>>>>(92.l+188) leshort x (%#.4x) +>>>>>>>>(92.l+190) leshort 1 (mono, +>>>>>>>>(92.l+190) leshort 2 (stereo, +>>>>>>>>(92.l+190) leshort >2 (%d channels, +>>>>>>>>(92.l+192) lelong x %d Hz) +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/VDR_(VirtualDub) +# Reference: http://sourceforge.net/projects/virtualdub/files/virtualdub-win/ +# 1.10.4.35491/VirtualDub-1.10.4-src.7z/src/vdremote/Main.cpp +# VirtualDub link handler +>8 string VDRM \b, VirtualDub link +!:mime video/x-vdr +!:ext vdr +>>12 string PATH \b, PATH +# remote-path to video file +>>16 pstring/l x %s +# Animated Cursor format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Animated_Cursor +# Reference: https://www.gdgsoft.com/anituner/help/aniformat.htm +>8 string ACON \b, animated cursor +!:mime application/x-navi-animation +# http://extension.nirsoft.net/ani +#!:mime image/ani +!:ext ani +# INAM tag followed by length of title +>>24 string INAM +>>>28 pstring/l x "%s" +# IART tag followed by length of author +>>>(28.l+32) ubelong 0x49415254 +>>>>&0 pstring/l x %s +# SoundFont 2 <mpruett@sgi.com> +# URL: http://fileformats.archiveteam.org/wiki/SoundFont_2.0 +>8 string sfbk \b, SoundFont/Bank +!:mime audio/x-sfbk +!:ext sf2 +# MPEG-1 wrapped in a RIFF, apparently +# URL: http://file.fyicenter.com/17_Video_.DAT_File_Extension_for_VCD_Files.html +>8 string CDXA \b, wrapped MPEG-1 (CDXA) +!:mime video/x-cdxa +!:ext mpg/dat +# URL: http://fileformats.archiveteam.org/wiki/4X_IMA_ADPCM +>8 string 4XMV \b, 4X Movie file +!:mime video/x-4xmv +!:ext 4xm/4xa +# AMV-type AVI file: https://wiki.multimedia.cx/index.php?title=AMV +>8 string AMV\040 \b, AMV +# http://fileformats.archiveteam.org/wiki/MTV_Video_(.AMV) +!:mime video/x-amv +!:ext amv +#!:ext amv/mtv +# URL: http://fileformats.archiveteam.org/wiki/WebP +>8 string WEBP \b, Web/P image +!:mime image/webp +!:ext webp +>>12 use riff-walk +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/RIFF_MIDS +>8 string MIDS \b, MIDI Stream +!:mime audio/x-mids +!:ext mds +# From: Joerg Jenderek +# URL: http://mark0.net/soft-trid-e.html +# Reference: http://fileformats.archiveteam.org/wiki/Trd_(TRID) +>8 string TRID \b, TrID defs package +!:mime application/x-trid-trd +!:ext trd +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://fileformats.archiveteam.org/wiki/CorelDRAW +# Note: Since version 3 CorelDraw Pictures are RIFF based +# but data chunks remain proprietary. +# Since version 14 til 15 packed as "content/riffData.cdr" and +# since 16 "content/root.dat" in ZIP container +# TODO: distinguish templates with version 12.5 from Designer illustration 12 +# display information of RIFF based Corel Draw pictures, templates and patterns +0 name corel-draw +# display second chunk for debugging +#>8 string x \b, [8]=%.8s +>0 string x \b, Corel Draw +#!:mime image/x-coreldraw +!:mime application/vnd.corel-draw +# used by newer pictures templates +>>8 string CDT +# used by templates with newer versions since 16 +>>>12 string =fver Picture template (root.dat) +!:ext dat +# used by templates with older versions with vrsn tag +>>>12 string !fver +# used by templates with older versions 14-15 +>>>>11 string >E Picture template (riffData.cdr) +!:ext cdr +# used by templates with older versions 11-13 +>>>>11 string <F Picture template +!:ext cdt/cdrt +# used by older templates with version 4.4 +>>8 string CDST Picture template +!:ext cdt +# used by templates with version 12.5 +>>8 string DESC Picture template +!:ext cdt +# used by newer patterns with version 22 +>>8 string PAT Pattern +!:ext dat +# remaining older templates, patterns, drawings +>>8 default x +# pattern with old version 4.y +>>>26 ulelong =0x0000206C Pattern +!:ext pat +# pattern with newer versions +>>>26 ulelong =0x00000D2C Pattern +!:ext pat +# remaining older templates or pictures +>>>26 default x +# used by older versions 5 - 15 +>>>>12 string =vrsn +# 4th chunk size unequal 282Ch only found for CDR +>>>>>26 ulelong !0x0000282c Picture +!:ext cdr +>>>>>26 default x Picture or template +!:ext cdr/cdt +# used by newer versions since 16 +>>>>12 string =fver Picture (root.dat) +!:ext dat +# version marked by 1 ASCII char: space~3, ... , F~15, ... , N~22, ... R~22 template +>11 string x \b, version +>11 string >\040 '%-.1s' +>0 use corel-version +>4 ulelong+8 x \b, %u bytes +# +# display numeric version of RIFF based Corel after 3rd RIFF tag +0 name corel-version +# for debugging purpose; vrsn for short content; fver for 16 byte size +#>12 string x \b, TAG "%-4.4s" +# 1st data chunk length 2 implies short content version +>16 ulelong 2 +# vrsn chunk short content interpreted by MajorVersion * 100 + MinorVersion +>>20 uleshort/100 x %u +>>20 uleshort%100 >0 \b.%u +# for debugging purpose display next chunk like: DISP LIST +#>>22 string x \b, 4th "%-4.4s" +#>>26 ulelong x \b, 4th SIZE %#x +# for debugging purpose display 5th chunk like: LIST DISP ccmm osfp +#>>(26.l+30) string x \b, 5th "%-4.4s" +# 1st data chunk length 10h implies 16 byte content with version info +>16 ulelong 0x10 +>>34 ubyte x %u +>>>33 ubyte >0 \b.%u +# display information of RIFF based Corel Design formats +0 name corel-des +# display second chunk for debugging +#>8 string x \b, [8]=%.8s +>12 string x \b, Corel DESIGNER +!:mime image/x-corel-des +#!:mime application/x-vnd.corel.designer.document +# used by Corel Designer with newer versions since 16 +>12 string =fver graphics (root.dat) +!:ext dat +# used by Corel Designer templates with older versions with vrsn tag +>12 string !fver +# used by Corel Designer with versions 14-15 +>>11 string >D graphics (riffData.cdr) +!:ext cdr +# used by Corel Designer with versions 10-12 +>>11 string <E graphics +!:ext des +# version indicated by last ASCII char of second chunk tag +>11 string x \b, version '%-.1s' +# but vrsn short content is not always version indicator +# exceptions: 'A'~11.4 'B'~12 'C'~12.5 +>11 string >D +>>0 use corel-version +# for debugging purpose display next chunk like: DISP LIST +#>>22 string x \b, 4th "%-4.4s" +#>>26 ulelong x \b, 4th SIZE %#x +# for debugging purpose display 5th chunk like: LIST osfp +#>>(26.l+30) string x \b, 5th "%-4.4s" +>4 ulelong+8 x \b, %u bytes + +# +# XXX - some of the below may only appear in little-endian form. +# +# Also "MV93" appears to be for one form of Macromedia Director +# files, and "GDMF" appears to be another multimedia format. +# +0 string RIFX RIFF (big-endian) data +# RIFF Palette format +>8 string PAL \b, palette +>>16 beshort x \b, version %d +>>18 beshort x \b, %d entries +# RIFF Device Independent Bitmap format +>8 string RDIB \b, device-independent bitmap +>>16 string BM +>>>30 beshort 12 \b, OS/2 1.x format +>>>>34 beshort x \b, %d x +>>>>36 beshort x %d +>>>30 beshort 64 \b, OS/2 2.x format +>>>>34 beshort x \b, %d x +>>>>36 beshort x %d +>>>30 beshort 40 \b, Windows 3.x format +>>>>34 belong x \b, %d x +>>>>38 belong x %d x +>>>>44 beshort x %d +# RIFF MIDI format +>8 string RMID \b, MIDI +# RIFF Multimedia Movie File format +>8 string RMMP \b, multimedia movie +# Microsoft WAVE format (*.wav) +>8 string WAVE \b, WAVE audio +>>20 leshort 1 \b, Microsoft PCM +>>>34 leshort >0 \b, %d bit +>>22 beshort =1 \b, mono +>>22 beshort =2 \b, stereo +>>22 beshort >2 \b, %d channels +>>24 belong >0 %d Hz +# Corel Draw Picture big endian not tested by real examples +#>8 string CDRA \b, Corel Draw Picture +#>8 string CDR6 \b, Corel Draw Picture, version 6 +>8 string CDR +>>0 use \^corel-draw + +# AVI == Audio Video Interleave +>8 string AVI\040 \b, AVI +# Animated Cursor format +>8 string ACON \b, animated cursor +# Notation Interchange File Format (big-endian only) +>8 string NIFF \b, Notation Interchange File Format +# SoundFont 2 <mpruett@sgi.com> +>8 string sfbk SoundFont/Bank + +#------------------------------------------------------------------------------ +# Sony Wave64 +# see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf +# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian +0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data +# 128 bit + total file size (64 bits) so 24 bytes +# then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A } +>24 string wave\xF3\xAC\xD3\x11\x8C\xD1\x00\xC0\x4F\x8E\xDB\x8A \b, WAVE 64 audio +!:mime audio/x-w64 +# FMT-GUID { 20746D66-ACF3-11D3-8CD1-00C04F8EDB8A } +>>40 search/256 fmt\x20\xF3\xAC\xD3\x11\x8C\xD1\x00\xC0\x4F\x8E\xDB\x8A \b +>>>&10 leshort =1 \b, mono +>>>&10 leshort =2 \b, stereo +>>>&10 leshort >2 \b, %d channels +>>>&12 lelong >0 %d Hz + +#------------------------------------------------------------------------------ +# MBWF/RF64 +# see EBU TECH 3306 https://tech.ebu.ch/docs/tech/tech3306-2009.pdf +0 string RF64\xff\xff\xff\xffWAVEds64 MBWF/RF64 audio +!:mime audio/x-wav +>40 search/256 fmt\x20 \b +>>&6 leshort =1 \b, mono +>>&6 leshort =2 \b, stereo +>>&6 leshort >2 \b, %d channels +>>&8 lelong >0 %d Hz diff --git a/magic/Magdir/ringdove b/magic/Magdir/ringdove new file mode 100644 index 0000000..38dd4bf --- /dev/null +++ b/magic/Magdir/ringdove @@ -0,0 +1,45 @@ +#------------------------------------------------------------------------------ +# $File: ringdove,v 1.1 2022/08/16 12:04:30 christos Exp $ +# ringdove: file(1) magic for RingdoveEDA data files + +# librnd and global +0 regex/128l ha:rnd-menu-v[0-9]+[\ \t\r\n]*[{] librnd menu system (lihata) +0 regex/128l ha:rnd-menu-patch-v[0-9]+[\ \t\r\n]*[{] librnd menu patch (lihata) +0 regex/128l ha:coraleda-project-v[0-9]+[\ \t\r\n]*[{] CoralEDA/Ringdove project file (lihata) +0 regex/128l ha:ringdove-project-v[0-9]+[\ \t\r\n]*[{] Ringdove project file (lihata) + +# pcb-rnd +0 regex/128l ha:pcb-rnd-board-v[0-9]+[\ \t\r\n]*[{] pcb-rnd board file (lihata) +0 regex/128l li:pcb-rnd-subcircuit-v[0-9]+[\ \t\r\n]*[{] pcb-rnd subcircuit/footprint file (lihata) +0 regex/128l ha:pcb-rnd-buffer-v[0-9]+[\ \t\r\n]*[{] pcb-rnd paste buffer content (lihata) +0 regex/128l li:pcb-rnd-conf-v[0-9]+[\ \t\r\n]*[{] pcb-rnd configuration (lihata) +0 regex/128l ha:pcb-rnd-drc-query-v[0-9]+[\ \t\r\n]*[{] pcb-rnd drc query string (lihata) +0 regex/128l li:pcb-rnd-font-v[0-9]+[\ \t\r\n]*[{] pcb-rnd vector font (lihata) +0 regex/128l ha:pcb-rnd-log-v[0-9]+[\ \t\r\n]*[{] pcb-rnd message log dump (lihata) +0 regex/128l ha:pcb-rnd-padstack-v[0-9]+[\ \t\r\n]*[{] pcb-rnd padstack (lihata) +0 regex/128l li:pcb-rnd-view-list-v[0-9]+[\ \t\r\n]*[{] pcb-rnd view list (lihata) +0 regex/128l li:view-list-v[0-9]+[\ \t\r\n]*[{] pcb-rnd view list (lihata) +0 search Netlist(Freeze) pcb-rnd or gEDA/PCB netlist forward annotation action script + +# sch-rnd (cschem data model) +0 regex/128l li:cschem-buffer-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem buffer content (lihata) +0 regex/128l li:sch-rnd-conf-v[0-9]+[\ \t\r\n]*[{] sch-rnd configuration (lihata) +0 regex/128l ha:std_devmap.v[0-9]+[\ \t\r\n]*[{] sch-rnd devmap (device mapping; lihata) +0 regex/128l li:cschem-group-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem group or symbol (lihata) +0 regex/128l ha:cschem-sheet-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem schematic sheet (lihata) + +# tEDAx (modular format) +0 regex/1l tEDAx[\ \t\r\n]v tEDAx (Trivial EDA eXchange) +>0 regex begin\ symbol\ v with schematic symbol +>0 regex begin\ board\ v with Printed Circuit Board +>0 regex begin\ route_req\ v with PCB routing request +>0 regex begin\ route_res\ v with PCB routing result +>0 regex begin\ camv_layer\ v with camv-rnd exported layer +>0 regex begin\ netlist\ v with netlist +>0 regex begin\ backann\ v with Ringdove EDA back annotation +>0 regex begin\ footprint\ v with PCB footprint +>0 regex begin\ drc\ v with PCB DRC script +>0 regex begin\ drc_query_rule\ v with pcb-rnd drc_query rules +>0 regex begin\ drc_query_def\ v with pcb-rnd drc_query value/config definitions +>0 regex begin\ etest\ v with PCB electric test + diff --git a/magic/Magdir/rpi b/magic/Magdir/rpi new file mode 100644 index 0000000..0d213b5 --- /dev/null +++ b/magic/Magdir/rpi @@ -0,0 +1,52 @@ + +#------------------------------------------------------------------------------ +# $File: rpi,v 1.3 2022/04/02 14:39:34 christos Exp $ +# rpi: file(1) magic for Raspberry Pi images +-44 lelong 0 +>4 lelong 0 +>>8 lelong 1 +>>12 lelong 4 +>>>16 string 283x +>>>>20 lelong 1 +>>>>>24 lelong 4 +>>>>>>28 string DTOK +>>>>>>>32 lelong 44 +>>>>>>>>36 lelong 4 +>>>>>>>>>40 string RPTL Raspberry PI kernel image + +-56 lelong 0 +>4 lelong 0 +>>8 lelong 1 +>>12 lelong 4 +>>>16 string 283x +>>>>20 lelong 1 +>>>>>24 lelong 4 +>>>>>>28 string DTOK +>>>>>>>32 lelong 1 +>>>>>>>>36 lelong 4 +>>>>>>>>>40 string DDTK8 +>>>>>>>>>>48 lelong 4 +>>>>>>>>>>>52 string RPTL Raspberry PI kernel image + +# From: Joerg Jenderek +# URL: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html +# #raspberry-pi-4-boot-eeprom +# Reference: https://github.com/raspberrypi/rpi-eeprom/blob/master/rpi-eeprom-config +# Note: start with same magic as for BIOS (ia32) ROM Extension handled by ./intel +# masked with MAGIC_MASK and then compared with MAGIC +0 belong&0xFFffF00F 0x55aaF00F Raspberry PI EEPROM +#!:mime application/octet-stream +!:mime application/x-raspberry-eeprom +# like: pieeprom-2020-09-03.bin +!:ext bin +# a 32 bit offset to the next section like: 000184d4 000184c8 00018534 ... 0000bb84 0000bbd4 0000bbd4 +>4 ubelong x \b, offset %8.8x +#>(4.L) ubelong x NEXT=%8.8x +# self.length +>8 ubelong !0 \b, length %x +# self.filename +>12 string >0 \b, "%s" +# length is zero +>8 ubelong =0 +# if length is zero then 2nd section magic here can be zero; this means sections parsing done +>>8 ubelong !0 \b, 2nd MAGIC=%8.8x diff --git a/magic/Magdir/rpm b/magic/Magdir/rpm new file mode 100644 index 0000000..9a795f8 --- /dev/null +++ b/magic/Magdir/rpm @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: rpm,v 1.12 2013/01/11 16:45:23 christos Exp $ +# +# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) +# +0 belong 0xedabeedb RPM +!:mime application/x-rpm +>4 byte x v%d +>5 byte x \b.%d +>6 beshort 1 src +>6 beshort 0 bin +>>8 beshort 1 i386/x86_64 +>>8 beshort 2 Alpha/Sparc64 +>>8 beshort 3 Sparc +>>8 beshort 4 MIPS +>>8 beshort 5 PowerPC +>>8 beshort 6 68000 +>>8 beshort 7 SGI +>>8 beshort 8 RS6000 +>>8 beshort 9 IA64 +>>8 beshort 10 Sparc64 +>>8 beshort 11 MIPSel +>>8 beshort 12 ARM +>>8 beshort 13 MiNT +>>8 beshort 14 S/390 +>>8 beshort 15 S/390x +>>8 beshort 16 PowerPC64 +>>8 beshort 17 SuperH +>>8 beshort 18 Xtensa +>>8 beshort 255 noarch + +#delta RPM Daniel Novotny (dnovotny@redhat.com) +0 string drpm Delta RPM +!:mime application/x-rpm +>12 string x %s +>>8 beshort 11 MIPSel +>>8 beshort 12 ARM +>>8 beshort 13 MiNT +>>8 beshort 14 S/390 +>>8 beshort 15 S/390x +>>8 beshort 16 PowerPC64 +>>8 beshort 17 SuperH +>>8 beshort 18 Xtensa +>>10 string x %s diff --git a/magic/Magdir/rpmsg b/magic/Magdir/rpmsg new file mode 100644 index 0000000..cbbbb2b --- /dev/null +++ b/magic/Magdir/rpmsg @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: rpmsg,v 1.1 2019/04/19 00:40:47 christos Exp $ +# rpmsg: file(1) magic for restricted-permission messages (or "rights-protected" messages) +# see https://en.wikipedia.org/wiki/Rpmsg + +0 string \x76\xe8\x04\x60\xc4\x11\xe3\x86 rpmsg Restricted Permission Message diff --git a/magic/Magdir/rst b/magic/Magdir/rst new file mode 100644 index 0000000..0df15b8 --- /dev/null +++ b/magic/Magdir/rst @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: rst,v 1.4 2023/07/27 18:26:32 christos Exp $ +# rst: ReStructuredText http://docutils.sourceforge.net/rst.html +0 search/256 \=\= +!:strength + 30 +>&0 regex/256 \^[\=]+$ +>>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 \012Authors: ReStructuredText file +>>&0 search/512 \012Author: ReStructuredText file +>>&0 default x +>>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file +!:ext rst diff --git a/magic/Magdir/rtf b/magic/Magdir/rtf new file mode 100644 index 0000000..48a1f28 --- /dev/null +++ b/magic/Magdir/rtf @@ -0,0 +1,94 @@ + +#------------------------------------------------------------------------------ +# $File: rtf,v 1.9 2020/12/12 20:01:47 christos Exp $ +# rtf: file(1) magic for Rich Text Format (RTF) +# +# Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Rich_Text_Format +# Reference: http://www.snake.net/software/RTF/RTF-Spec-1.7.rtf +# http://www.kleinlercher.at/tools/Windows_Protocols/Word2007RTFSpec9.pdf +0 string {\\rtf +# skip DROID fmt-355-signature-id-522.rtf by looking for valid version +>5 ubyte !0xAB +# skip also \ in DROID fmt-50-signature-id-158.rtf by looking for valid version +>>5 ubyte !0x5C Rich Text Format data +!:mime text/rtf +!:apple ????RTF +!:ext rtf +>>>0 use rtf-info +# display information like version, language and code page of RTF +0 name rtf-info +# 1 mostly, 2 for newer Pocket Word documents, space for test like fdo78502.rtf, { for some urtf +>5 ubyte !0x7b \b, version %c +# The word for character set must precede any text or most other control words +>6 string \\mac \b, Apple Macintosh +>6 string \\pc +# control word \pca +>>9 ubyte =0x61 \b, IBM PS/2, code page 850 +>>9 ubyte !0x61 \b, IBM PC, code page 437 +# unknown character set or ANSI later after control words like +# \adeflang1025 \info \title \author \category \manager +# "Burow, Steffanie - Im Tal des Schneeleoparden.rtf" +#>6 search/105 \\ansi \b, ANSI +>6 search/502 \\ansi \b, ANSI +>6 default x \b, unknown character set +# look for explicit codepage keyword +# "Burow, Steffanie - Im Tal des Schneeleoparden.rtf" +#>5 search/110 \\ansicpg +>5 search/500 \\ansicpg +# skip unknown or buggy codepage string 0 like in fdo78502.rtf +>>&0 ubyte !0x30 \b, code page +# codepage string: 437~United States IBM, ..., 1252~WesternEuropean, ..., 57011~Punjabi +>>>&-1 string x %-.3s +# skip space or \ and display possible 4th digit of code page string +>>>&2 ubyte >0x2F +>>>>&-1 ubyte <0x3A \b%c +# possible 5th digit of code page string +>>>>>&0 ubyte >0x2F +>>>>>>&-1 ubyte <0x3A \b%c +# look again at version byte to use default clause +>5 ubyte x +# Default language ID for South Asian/Middle Eastern text +# language ID: 1025, ..., 1065~Persian, ..., 2057~English_UnitedKingdom, ..., 58380~French_NorthAfrica +# Readme-0.72-Persian.rtf +#>6 search/1 \\adeflang \b, default middle east language ID +>>6 search/497 \\adeflang \b, default middle east language ID +# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a +>>>&0 string x %.4s +# skip \ and NL and show possible 5th digit of language string +>>>&4 ubyte >0x2F +>>>>&-1 ubyte <0x3A \b%c +# else look for default language to be used when the \plain control word is encountered +>>6 default x +# "Burow, Steffanie - Im Tal des Schneeleoparden.rtf" +#>>>6 search/127 \\deflang +>>>6 search/505 \\deflang +>>>>&0 string >0 \b, default language ID %-.4s +# possible 5th digit of language string +>>>>&4 ubyte >0x2F +>>>>>&-1 ubyte <0x3A \b%c + +# Reference: http://latex2rtf.sourceforge.net/rtfspec_63.html +# Note: no real world example found +0 string {\\urtf Rich Text Format unicoded data +!:mime text/rtf +#!:apple ????RTF +!:ext rtf +>1 use rtf-info + +# URL: https://en.wikipedia.org/wiki/Microsoft_Word +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Word +# Note: called by TrID "Pocket Word document" +# by PlanMaker "Pocket Word-Handheld PC" for pwd +# by PlanMaker "Pocket Word-Pocket PC" for psw +0 string {\\pwd Pocket Word document or template +# by SoftMaker Office http://extension.nirsoft.net/pwd +#!:mime application/msword +# https://reposcope.com/mimetype/application/x-pocket-word +!:mime application/x-pocket-word +# PWD for Handheld PC variant and PSW for Pocket PC variant +# PWT for template +!:ext pwd/psw/pwt +>0 use rtf-info + diff --git a/magic/Magdir/ruby b/magic/Magdir/ruby new file mode 100644 index 0000000..9e67a3e --- /dev/null +++ b/magic/Magdir/ruby @@ -0,0 +1,55 @@ + +#------------------------------------------------------------------------------ +# $File: ruby,v 1.10 2019/07/21 09:40:17 christos Exp $ +# ruby: file(1) magic for Ruby scripting language +# URL: https://www.ruby-lang.org/ +# From: Reuben Thomas <rrt@sc3d.org> + +# Ruby scripts +0 search/1/w #!\ /usr/bin/ruby Ruby script text executable +!:strength + 15 +!:mime text/x-ruby +0 search/1/w #!\ /usr/local/bin/ruby Ruby script text executable +!:strength + 15 +!:mime text/x-ruby +0 search/1 #!/usr/bin/env\ ruby Ruby script text executable +!:strength + 15 +!:mime text/x-ruby +0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable +!:strength + 15 +!:mime text/x-ruby + +# What looks like ruby, but does not have a shebang +# (modules and such) +# From: Lubomir Rintel <lkundrak@v3.sk> +0 search/8192 require +>0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/.]+' +>>0 regex def\ [a-z]|\ do$ +>>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 30 +!:mime text/x-ruby +0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z] +>0 regex (modul|includ)e\ [A-Z]|def\ [a-z] +>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 30 +!:mime text/x-ruby +# Classes with no modules or defs, beats simple ASCII +0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z] +>&0 regex \^[[:space:]]*end([[:space:]]+[;#if].*)?$ Ruby script text +!:strength + 10 +!:mime text/x-ruby +# Looks for function definition to balance python magic +# def name (args) +# end +0 search/8192 def\ +>0 regex \^[[:space:]]*def\ [a-z]|def\ [[:alpha:]]+::[a-z] +>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 10 +!:mime text/x-ruby + +0 search/8192 require +>0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/.]+' Ruby script text +!:mime text/x-ruby +0 search/8192 include +>0 regex \^[[:space:]]*include\ ([A-Z]+[a-z]*(::))+ Ruby script text +!:mime text/x-ruby diff --git a/magic/Magdir/rust b/magic/Magdir/rust new file mode 100644 index 0000000..b1bbd9d --- /dev/null +++ b/magic/Magdir/rust @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: rust,v 1.2 2022/11/18 15:58:15 christos Exp $ +# Magic for Rust and related languages programs +# + +# Rust compiler metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_metadata/src/rmeta/mod.rs +0 string rust\x00\x00\x00 +>12 string \014rustc\x20 Rust compiler metadata +!:ext rmeta +>>7 byte x \b, version %d + +# Rust incremental compilation metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_incremental/src/persist/file_format.rs +0 string RSIC +>4 uleshort =0 Rust incremental compilation metadata +!:ext bin +>>6 pstring x \b, rustc %s diff --git a/magic/Magdir/sc b/magic/Magdir/sc new file mode 100644 index 0000000..dc6d6c8 --- /dev/null +++ b/magic/Magdir/sc @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: sc,v 1.6 2009/09/19 16:28:12 christos Exp $ +# sc: file(1) magic for "sc" spreadsheet +# +38 string Spreadsheet sc spreadsheet file +!:mime application/x-sc diff --git a/magic/Magdir/sccs b/magic/Magdir/sccs new file mode 100644 index 0000000..04e7929 --- /dev/null +++ b/magic/Magdir/sccs @@ -0,0 +1,24 @@ + +#------------------------------------------------------------------------------ +# $File: sccs,v 1.8 2020/06/20 21:32:52 christos Exp $ +# sccs: file(1) magic for SCCS archives +# +# SCCS v4 archive structure: +# \001h01207 +# \001s 00276/00000/00000 +# \001d D 1.1 87/09/23 08:09:20 ian 1 0 +# \001c date and time created 87/09/23 08:09:20 by ian +# \001e +# \001u +# \001U +# ... etc. +# Now '\001h' happens to be the same as the 3B20's a.out magic number (0550). +# *Sigh*. And these both came from various parts of the USG. +# Maybe we should just switch everybody from SCCS to RCS! +# Further, you can't just say '\001h0', because the five-digit number +# is a checksum that could (presumably) have any leading digit, +# Fortunately we have regular expression matching: +0 string \001h +>2 regex [0-9][0-9][0-9][0-9][0-9]$ +>>8 string \001s\040 SCCS v4 archive data +>2 string V6,sum= SCCS v6 archive data diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific new file mode 100644 index 0000000..d52d6ae --- /dev/null +++ b/magic/Magdir/scientific @@ -0,0 +1,144 @@ + +#------------------------------------------------------------------------------ +# $File: scientific,v 1.14 2023/04/29 17:28:09 christos Exp $ +# scientific: file(1) magic for scientific formats +# +# From: Joe Krahn <krahn@niehs.nih.gov> + +######################################################## +# CCP4 data and plot files: +0 string MTZ\040 MTZ reflection file + +92 string PLOT%%84 Plot84 plotting file +>52 byte 1 , Little-endian +>55 byte 1 , Big-endian + +######################################################## +# Electron density MAP/MASK formats + +0 string EZD_MAP NEWEZD Electron Density Map +109 string MAP\040( Old EZD Electron Density Map + +0 string/c :-)\040Origin BRIX Electron Density Map +>170 string >0 , Sigma:%.12s +#>4 string >0 %.178s +#>4 addr x %.178s + +7 string 18\040!NTITLE XPLOR ASCII Electron Density Map +9 string \040!NTITLE\012\040REMARK CNS ASCII electron density map + +208 string MAP\040 CCP4 Electron Density Map +# Assumes same stamp for float and double (normal case) +>212 byte 17 \b, Big-endian +>212 byte 34 \b, VAX format +>212 byte 68 \b, Little-endian +>212 byte 85 \b, Convex native + +############################################################ +# X-Ray Area Detector images +0 string R-AXIS4\ \ \ R-Axis Area Detector Image: +>796 lelong <20 Little-endian, IP #%d, +>>768 lelong >0 Size=%dx +>>772 lelong >0 \b%d +>796 belong <20 Big-endian, IP #%d, +>>768 belong >0 Size=%dx +>>772 belong >0 \b%d + +0 string RAXIS\ \ \ \ \ R-Axis Area Detector Image, Win32: +>796 lelong <20 Little-endian, IP #%d, +>>768 lelong >0 Size=%dx +>>772 lelong >0 \b%d +>796 belong <20 Big-endian, IP #%d, +>>768 belong >0 Size=%dx +>>772 belong >0 \b%d + + +1028 string MMX\000\000\000\000\000\000\000\000\000\000\000\000\000 MAR Area Detector Image, +>1072 ulong >1 Compressed(%d), +>1100 ulong >1 %d headers, +>1104 ulong >0 %d x +>1108 ulong >0 %d, +>1120 ulong >0 %d bits/pixel + +# Type: GEDCOM genealogical (family history) data +# From: Giuseppe Bilotta +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GEDCOM +# https://en.wikipedia.org/wiki/GEDCOM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/ +# ged.trid.xml ged-utf8.trid.xml ged-utf16.trid.xml +# Note: called "GEDCOM Family History" by TrID and "Genealogical Data Communication (GEDCOM) Format" by DROID via PUID fmt/851 +0 search/1/c 0\ HEAD GEDCOM genealogy text +#!:mime text/plain +#!:mime application/x-gedcom +# https://www.iana.org/assignments/media-types/text/vnd.familysearch.gedcom +!:mime text/vnd.familysearch.gedcom +!:ext ged +# no gedcom sample found and ged suffix also used for other formats +#!:ext ged/gedcom +>&0 search 1\ GEDC +>>&0 search 2\ VERS version +# 4 5.0 5.3 5.4 5.5 5.5.1 5.5.5 5.6 7.0 or no version +>>>&1 string >\0 %s +# From: Phil Endecott <phil05@chezphil.org> +# 0\040HEAD as UTF-16 big endian without BOM +0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 big endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&2 bestring16 x %s +>>0 string x \b, UTF-16 (without BOM) big-endian text +# 0\040HEAD as UTF-16 little endian without BOM +0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 lttle endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&3 lestring16 x %s +>>2 string x \b, UTF-16 (without BOM) little-endian text +# Note: UTF-16 with BOM variants already described above by first test as "GEDCOM genealogy text" +# 0\040HEAD as UTF-16 big endian with BOM +#0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data +# 0\040HEAD as UTF-16 little endian with BOM +#0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data + +# PDB: Protein Data Bank files +# Adam Buchbinder <adam.buchbinder@gmail.com> +# +# https://www.wwpdb.org/documentation/format32/sect2.html +# https://www.ch.ic.ac.uk/chemime/ +# +# The PDB file format is fixed-field, 80 columns. From the spec: +# +# COLS DATA +# 1 - 6 "HEADER" +# 11 - 50 String(40) +# 51 - 59 Date +# 63 - 66 IDcode +# +# Thus, positions 7-10, 60-62 and 67-80 are spaces. The Date must be in the +# format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and +# uppercase letters. However, examples have been seen without the date string, +# e.g., the example on the chemime site. +0 string HEADER\ \ \ \040 +>&0 regex/1l \^.{40} +>>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} +>>>&0 regex/1ls [A-Z0-9]{4}.{14}$ +>>>>&0 regex/1l [A-Z0-9]{4} Protein Data Bank data, ID Code %s +!:mime chemical/x-pdb +>>>>0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s + +# Type: GDSII Stream file +0 belong 0x00060002 GDSII Stream file +>4 byte 0x00 +>>5 byte x version %d.0 +>4 byte >0x00 version %d +>>5 byte x \b.%d + +# Type: LXT (interLaced eXtensible Trace) +# chrysn <chrysn@fsfe.org> +0 beshort 0x0138 interLaced eXtensible Trace (LXT) file +>2 beshort >0 (Version %u) diff --git a/magic/Magdir/securitycerts b/magic/Magdir/securitycerts new file mode 100644 index 0000000..8785dd8 --- /dev/null +++ b/magic/Magdir/securitycerts @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: securitycerts,v 1.4 2009/09/19 16:28:12 christos Exp $ +0 search/1 -----BEGIN\ CERTIFICATE------ RFC1421 Security Certificate text +0 search/1 -----BEGIN\ NEW\ CERTIFICATE RFC1421 Security Certificate Signing Request text +0 belong 0xedfeedfe Sun 'jks' Java Keystore File data diff --git a/magic/Magdir/selinux b/magic/Magdir/selinux new file mode 100644 index 0000000..89d5f53 --- /dev/null +++ b/magic/Magdir/selinux @@ -0,0 +1,24 @@ +# Type: SE Linux policy modules *.pp reference policy +# for Fedora 5 to 9, RHEL5, and Debian Etch and Lenny. +# URL: https://doc.coker.com.au/computers/selinux-magic +# From: Russell Coker <russell@coker.com.au> + +0 lelong 0xf97cff8f SE Linux modular policy +>4 lelong x version %d, +>8 lelong x %d sections, +>>(12.l) lelong 0xf97cff8d +>>>(12.l+27) lelong x mod version %d, +>>>(12.l+31) lelong 0 Not MLS, +>>>(12.l+31) lelong 1 MLS, +>>>(12.l+23) lelong 2 +>>>>(12.l+47) string >\0 module name %s +>>>(12.l+23) lelong 1 base + +1 string policy_module( SE Linux policy module source +2 string policy_module( SE Linux policy module source + +0 string ##\ <summary> SE Linux policy interface source + +#0 search gen_context( SE Linux policy file contexts + +#0 search gen_sens( SE Linux policy MLS constraints source diff --git a/magic/Magdir/sendmail b/magic/Magdir/sendmail new file mode 100644 index 0000000..6808dbf --- /dev/null +++ b/magic/Magdir/sendmail @@ -0,0 +1,37 @@ + +#------------------------------------------------------------------------------ +# $File: sendmail,v 1.12 2022/10/31 13:22:26 christos Exp $ +# sendmail: file(1) magic for sendmail config files +# +# XXX - byte order? +# +# Update: Joerg Jenderek +# GRR: this test is too general as it catches also +# READ.ME.FIRST.AWP Sendmail frozen configuration +# - version ====|====|====|====|====|====|====|====|====|====|====|====|=== +# Email_23_f217153422.ts Sendmail frozen configuration +# - version \330jK\354 +0 byte 046 +# https://www.sendmail.com/sm/open_source/docs/older_release_notes/ +# freezed configuration file (dbm format?) created from sendmail.cf with -bz +# by older sendmail. til version 8.6 support for frozen configuration files is removed +# valid version numbers look like "7.14.4" and should be similar to output of commands +# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" +>16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration +# normally only /etc/sendmail.fc or /var/adm/sendmail/sendmail.fc +!:ext fc +>>16 string >\0 - version %s +0 short 0x271c +# look for valid version number +>16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration +!:ext fc +>>16 string >\0 - version %s + +#------------------------------------------------------------------------------ +# sendmail: file(1) magic for sendmail m4(1) files +# +# From Hendrik Scholz <hendrik@scholz.net> +# i.e. files in /usr/share/sendmail/cf/ +# +0 string divert(-1)\n sendmail m4 text file + diff --git a/magic/Magdir/sequent b/magic/Magdir/sequent new file mode 100644 index 0000000..da38de6 --- /dev/null +++ b/magic/Magdir/sequent @@ -0,0 +1,42 @@ + +#------------------------------------------------------------------------------ +# $File: sequent,v 1.14 2019/04/19 00:42:27 christos Exp $ +# sequent: file(1) magic for Sequent machines +# +# Sequent information updated by Don Dwiggins <atsun!dwiggins>. +# For Sequent's multiprocessor systems (incomplete). +0 lelong 0x00ea BALANCE NS32000 .o +>16 lelong >0 not stripped +>124 lelong >0 version %d +0 lelong 0x10ea BALANCE NS32000 executable (0 @ 0) +>16 lelong >0 not stripped +>124 lelong >0 version %d +0 lelong 0x20ea BALANCE NS32000 executable (invalid @ 0) +>16 lelong >0 not stripped +>124 lelong >0 version %d +0 lelong 0x30ea BALANCE NS32000 standalone executable +>16 lelong >0 not stripped +>124 lelong >0 version %d +# +# Symmetry information added by Jason Merrill <jason@jarthur.claremont.edu>. +# Symmetry magic nums will not be reached if DOS COM comes before them; +# byte 0xeb is matched before these get a chance. +0 leshort 0x12eb SYMMETRY i386 .o +>16 lelong >0 not stripped +>124 lelong >0 version %d +0 leshort 0x22eb SYMMETRY i386 executable (0 @ 0) +>16 lelong >0 not stripped +>124 lelong >0 version %d +0 leshort 0x32eb SYMMETRY i386 executable (invalid @ 0) +>16 lelong >0 not stripped +>124 lelong >0 version %d +# https://en.wikipedia.org/wiki/Sequent_Computer_Systems +# below test line conflicts with MS-DOS 2.11 floppies and Acronis loader +#0 leshort 0x42eb SYMMETRY i386 standalone executable +0 leshort 0x42eb +# skip unlike negative version +>124 lelong >-1 +# assuming version 28867614 is very low probable +>>124 lelong !28867614 SYMMETRY i386 standalone executable +>>>16 lelong >0 not stripped +>>>124 lelong >0 version %d diff --git a/magic/Magdir/sereal b/magic/Magdir/sereal new file mode 100644 index 0000000..ead78d5 --- /dev/null +++ b/magic/Magdir/sereal @@ -0,0 +1,35 @@ + +#------------------------------------------------------------------------------ +# $File: sereal,v 1.3 2015/02/05 19:14:45 christos Exp $ +# sereal: file(1) magic the Sereal binary serialization format +# +# From: Ævar Arnfjörð Bjarmason <avarab@gmail.com> +# +# See the specification of the format at +# https://github.com/Sereal/Sereal/blob/master/sereal_spec.pod#document-header-format +# +# I'd have liked to do the byte&0xF0 matching against 0, 1, 2 ... by +# doing (byte&0xF0)>>4 here, but unfortunately that's not +# supported. So when we print out a message about an unknown format +# we'll print out e.g. 0x30 instead of the more human-readable +# 0x30>>4. +# +# See https://github.com/Sereal/Sereal/commit/35372ae01d in the +# Sereal.git repository for test Sereal data. +0 name sereal +>4 byte&0x0F x (version %d, +>4 byte&0xF0 0x00 uncompressed) +>4 byte&0xF0 0x10 compressed with non-incremental Snappy) +>4 byte&0xF0 0x20 compressed with incremental Snappy) +>4 byte&0xF0 >0x20 unknown subformat, flag: %d>>4) + +0 string/b \=srl Sereal data packet +!:mime application/sereal +>&0 use sereal +0 string/b \=\xF3rl Sereal data packet +!:mime application/sereal +>&0 use sereal +0 string/b \=\xC3\xB3rl Sereal data packet, UTF-8 encoded +!:mime application/sereal +>&0 use sereal + diff --git a/magic/Magdir/sgi b/magic/Magdir/sgi new file mode 100644 index 0000000..fe532e0 --- /dev/null +++ b/magic/Magdir/sgi @@ -0,0 +1,144 @@ + +#------------------------------------------------------------------------------ +# $File: sgi,v 1.24 2021/09/13 13:23:53 christos Exp $ +# sgi: file(1) magic for Silicon Graphics operating systems and applications +# +# Executable images are handled either in aout (for old-style a.out +# files for 68K; they are indistinguishable from other big-endian 32-bit +# a.out files) or in mips (for MIPS ECOFF and Ucode files) +# + +# kbd file definitions +0 string kbd!map kbd map file +>8 byte >0 Ver %d: +>10 short >0 with %d table(s) + +0 beshort 0x8765 disk quotas file + +0 beshort 0x0506 IRIS Showcase file +>2 byte 0x49 - +>3 byte x - version %d +0 beshort 0x0226 IRIS Showcase template +>2 byte 0x63 - +>3 byte x - version %d +0 belong 0x5343464d IRIS Showcase file +>4 byte x - version %d +0 belong 0x5443464d IRIS Showcase template +>4 byte x - version %d +0 belong 0xdeadbabe IRIX Parallel Arena +>8 belong >0 - version %d + +# core files +# +# 32bit core file +0 belong 0xdeadadb0 IRIX core dump +>4 belong 1 of +>16 string >\0 '%s' +# 64bit core file +0 belong 0xdeadad40 IRIX 64-bit core dump +>4 belong 1 of +>16 string >\0 '%s' +# N32bit core file +0 belong 0xbabec0bb IRIX N32 core dump +>4 belong 1 of +>16 string >\0 '%s' +# New style crash dump file +0 string \x43\x72\x73\x68\x44\x75\x6d\x70 IRIX vmcore dump of +>36 string >\0 '%s' + +# Trusted IRIX info +0 string SGIAUDIT SGI Audit file +>8 byte x - version %d +>9 byte x \b.%d +# +0 string WNGZWZSC Wingz compiled script +0 string WNGZWZSS Wingz spreadsheet +0 string WNGZWZHP Wingz help file +# +0 string #Inventor\040V IRIS Inventor 1.0 file +0 string #Inventor\040V2 Open Inventor 2.0 file +# GLF is OpenGL stream encoding +0 string glfHeadMagic(); GLF_TEXT +4 belong 0x7d000000 GLF_BINARY_LSB_FIRST +!:strength -30 +4 belong 0x0000007d GLF_BINARY_MSB_FIRST +!:strength -30 +# GLS is OpenGL stream encoding; GLS is the successor of GLF +0 string glsBeginGLS( GLS_TEXT +4 belong 0x10000000 GLS_BINARY_LSB_FIRST +!:strength -30 +4 belong 0x00000010 GLS_BINARY_MSB_FIRST +!:strength -30 + +# Performance Co-Pilot file types +0 string PmNs PCP compiled namespace (V.0) +0 string PmN PCP compiled namespace +>3 string >\0 (V.%1.1s) +3 belong 0x84500526 PCP archive +>7 byte x (V.%d) +>20 belong -2 temporal index +>20 belong -1 metadata +>20 belong 0 log volume #0 +>20 belong >0 log volume #%d +>24 string >\0 host: %s +3 belong 0x28500526 PCP archive +>7 byte x (V.%d) +>24 belong -2 temporal index +>24 belong -1 metadata +>24 belong 0 log volume #0 +>24 belong >0 log volume #%d +>36 string >\0 host: %s +0 string PCPFolio PCP +>9 string Version: Archive Folio +>18 string >\0 (V.%s) +0 string #pmchart PCP pmchart view +>9 string Version +>17 string >\0 (V%-3.3s) +0 string #kmchart PCP pmchart view +>9 string Version +>17 string >\0 (V.%s) +0 string pmview PCP pmview config +>7 string Version +>15 string >\0 (V%-3.3s) +0 string #pmlogger PCP pmlogger config +>10 string Version +>18 string >\0 (V%1.1s) +0 string #pmdahotproc PCP pmdahotproc config +>13 string Version +>21 string >\0 (V%-3.3s) +0 string PcPh PCP Help +>4 string 1 Index +>4 string 2 Text +>5 string >\0 (V.%1.1s) +0 string #pmieconf-rules PCP pmieconf rules +>16 string >\0 (V.%1.1s) +3 string pmieconf-pmie PCP pmie config +>17 string >\0 (V.%1.1s) +0 string #pmlogconf-setup PCP pmlogconf config +>17 string >\0 (V.%1.1s) +1 string pmlogconf PCP pmlogger config +>11 string >\0 (V.%1.1s) +0 string MMV PCP memory mapped values +>4 long x (V.%d) + +# SpeedShop data files +0 lelong 0x13130303 SpeedShop data file + +# mdbm files +0 lelong 0x01023962 mdbm file, version 0 (obsolete) +0 string mdbm mdbm file, +>5 byte x version %d, +>6 byte x 2^%d pages, +>7 byte x pagesize 2^%d, +>17 byte x hash %d, +>11 byte x dataformat %d + +# Alias Maya files +0 string/t //Maya\040ASCII Alias Maya Ascii File, +>13 string >\0 version %s +8 string MAYAFOR4 Alias Maya Binary File, +>32 string >\0 version %s scene +8 string MayaFOR4 Alias Maya Binary File, +>32 string >\0 version %s scene +8 string CIMG Alias Maya Image File +8 string DEEP Alias Maya Image File diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml new file mode 100644 index 0000000..fb698a5 --- /dev/null +++ b/magic/Magdir/sgml @@ -0,0 +1,161 @@ + +#------------------------------------------------------------------------------ +# $File: sgml,v 1.48 2023/01/18 16:10:21 christos Exp $ +# Type: SVG Vectorial Graphics +# From: Noel Torres <tecnico@ejerciciosresueltos.com> +0 string \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* +>>19 search/4096 \<svg SVG Scalable Vector Graphics image +!:mime image/svg+xml +!:ext svg +>>19 search/4096 \<gnc-v2 GnuCash file +!:mime application/x-gnucash +0 string \<svg SVG Scalable Vector Graphics image +!:mime image/svg+xml +!:ext svg + +# Sitemap file +0 string/t \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* +>>19 search/4096 \<urlset XML Sitemap document text +!:mime application/xml-sitemap + +# OpenStreetMap XML (.osm) +# https://wiki.openstreetmap.org/wiki/OSM_XML +# From: Markus Heidelberg <markus.heidelberg@web.de> +0 string \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* +>>19 search/4096 \<osm OpenStreetMap XML data + +# xhtml +0 string/t \<?xml\ version=" +>19 search/4096/cWbt \<!doctype\ html XHTML document text +>>15 string >\0 (version %.3s) +!:mime text/html +0 string/t \<?xml\ version=' +>19 search/4096/cWbt \<!doctype\ html XHTML document text +>>15 string >\0 (version %.3s) +!:mime text/html +0 string/t \<?xml\ version=" +>19 search/4096/cWbt \<html broken XHTML document text +>>15 string >\0 (version %.3s) +!:mime text/html + +#------------------------------------------------------------------------------ +# sgml: file(1) magic for Standard Generalized Markup Language +# HyperText Markup Language (HTML) is an SGML document type, +# from Daniel Quinlan (quinlan@yggdrasil.com) +# adapted to string extensions by Anthon van der Neut <anthon@mnt.org) +0 search/4096/cWt \<!doctype\ html HTML document text +!:mime text/html +!:strength + 5 + +# avoid misdetection as JavaScript +0 string/cWt \<!doctype\ html HTML document text +!:mime text/html +0 string/ct \<html> HTML document text +!:mime text/html +0 string/ct \<!-- +>&0 search/4096/cWt \<!doctype\ html HTML document text +!:mime text/html +>&0 search/4096/ct \<html> HTML document text +!:mime text/html + +# SVG document +# https://www.w3.org/TR/SVG/single-page.html +0 search/4096/cWbt \<!doctype\ svg SVG XML document +!:mime image/svg+xml +!:strength + 15 + +0 search/4096/cwt \<head\> HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cWt \<head\ HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cwt \<title\> HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cWt \<title\ HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cwt \<html\> HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cWt \<html\ HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cwt \<script\> HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cWt \<script\ HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cwt \<style\> HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cWt \<style\ HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cwt \<table\> HTML document text +!:mime text/html +!:strength + 15 +0 search/4096/cWt \<table\ HTML document text +!:mime text/html +!:strength + 15 + +0 search/4096/cwt \<a\ href= HTML document text +!:mime text/html +!:strength + 15 + +# Extensible markup language (XML), a subset of SGML +# from Marc Prud'hommeaux (marc@apocalypse.org) +0 search/1/cwt \<?xml XML document text +!:mime text/xml +!:strength + 15 +0 string/t \<?xml\ version\ " XML +!:mime text/xml +!:strength + 15 +0 string/t \<?xml\ version=" XML +!:mime text/xml +!:strength + 15 +>15 string/t >\0 %.3s document text +>>23 search/1 \<xsl:stylesheet (XSL stylesheet) +>>24 search/1 \<xsl:stylesheet (XSL stylesheet) +0 string/t \<?xml\ version=' XML +!:mime text/xml +!:strength + 15 +>15 string/t >\0 %.3s document text +>>23 search/1 \<xsl:stylesheet (XSL stylesheet) +>>24 search/1 \<xsl:stylesheet (XSL stylesheet) +0 search/1/wt \<?XML broken XML document text +!:mime text/xml +!:strength - 10 + + +# SGML, mostly from rph@sq +0 search/4096/cwt \<!doctype exported SGML document text +0 search/4096/cwt \<!subdoc exported SGML subdocument text +0 search/4096/cwt \<!-- exported SGML document text +!:strength - 10 + +# Web browser cookie files +# (Mozilla, Galeon, Netscape 4, Konqueror..) +# Ulf Harnhammar <ulfh@update.uu.se> +0 search/1 #\ HTTP\ Cookie\ File Web browser cookie text +0 search/1 #\ Netscape\ HTTP\ Cookie\ File Netscape cookie text +0 search/1 #\ KDE\ Cookie\ File Konqueror cookie text + +# XML-based format representing braille pages in a digital format. +# +# Specification: +# http://files.pef-format.org/specifications/pef-2008-1/pef-specification.html +# +# Simon Aittamaa <simon.aittamaa@gmail.com> +0 string \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* +>>19 search/4096 \<pef Portable Embosser Format +!:mime application/x-pef+xml + +# https://www.qgis.org/en/site/ +0 string \<!DOCTYPE\040qgis QGIS XML document diff --git a/magic/Magdir/sharc b/magic/Magdir/sharc new file mode 100644 index 0000000..e54088b --- /dev/null +++ b/magic/Magdir/sharc @@ -0,0 +1,23 @@ + +#------------------------------------------------------------------------ +# $File: sharc,v 1.8 2017/03/17 21:35:28 christos Exp $ +# file(1) magic for sharc files +# +# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by +# FutureGroove Music (dsp@futuregroove.de) + +#------------------------------------------------------------------------ +#0 string Draw RiscOS Drawfile +#0 string PACK RiscOS PackdDir archive + +#------------------------------------------------------------------------ +# SHARC DSP stuff (based on the FGM SHARC DSP SDK) + +#0 string =! Assembler source +#0 string Analog ADi asm listing file +0 string .SYSTEM SHARC architecture file +0 string .system SHARC architecture file + +0 leshort 0x521C SHARC COFF binary +>2 leshort >1 , %d sections +>>12 lelong >0 , not stripped diff --git a/magic/Magdir/sinclair b/magic/Magdir/sinclair new file mode 100644 index 0000000..608d779 --- /dev/null +++ b/magic/Magdir/sinclair @@ -0,0 +1,40 @@ + +#------------------------------------------------------------------------------ +# $File: sinclair,v 1.7 2021/04/27 20:35:51 christos Exp $ +# sinclair: file(1) sinclair QL + +# additions to /etc/magic by Thomas M. Ott (ThMO) + +# Sinclair QL floppy disk formats (ThMO) +0 string =QL5 QL disk dump data, +>3 string =A 720 KB, +>3 string =B 1.44 MB, +>3 string =C 3.2 MB, +>4 string >\0 label:%.10s + +# Sinclair QL OS dump (ThMO) +0 belong =0x30000 +>49124 belong <47104 +>>49128 belong <47104 +>>>49132 belong <47104 +>>>>49136 belong <47104 QL OS dump data, +>>>>>49148 string >\0 type %.3s, +>>>>>49142 string >\0 version %.4s + +# Sinclair QL firmware executables (ThMO) +0 string NqNqNq`\004 QL firmware executable (BCPL) + +# Sinclair QL libraries (was ThMO) +0 beshort 0xFB01 QDOS object +>2 pstring x '%s' + +# Sinclair QL executables (was ThMO) +4 belong 0x4AFB QDOS executable +>9 pstring x '%s' +6 beshort 0x4AFB QDOS executable +>9 pstring x '%s' + +# Sinclair QL ROM (ThMO) +0 belong =0x4AFB0001 QL plugin-ROM data, +>9 pstring =\0 un-named +>9 pstring >\0 named: %s diff --git a/magic/Magdir/sisu b/magic/Magdir/sisu new file mode 100644 index 0000000..ba7104f --- /dev/null +++ b/magic/Magdir/sisu @@ -0,0 +1,18 @@ +# Type: SiSU Markup Language +# URL: http://www.sisudoc.org/ +# From: Ralph Amissah <ralph.amissah@gmail.com> + +0 regex \^%?[\ \t]*SiSU[\ \t]+insert SiSU text insert +>5 regex [0-9.]+ %s + +0 regex \^%[\ \t]+SiSU[\ \t]+master SiSU text master +>5 regex [0-9.]+ %s + +0 regex \^%?[\ \t]*SiSU[\ \t]+text SiSU text +>5 regex [0-9.]+ %s + +0 regex \^%?[\ \t]*SiSU[\ \t][0-9.]+ SiSU text +>5 regex [0-9.]+ %s + +0 regex \^%*[\ \t]*sisu-[0-9.]+ SiSU text +>5 regex [0-9.]+ %s diff --git a/magic/Magdir/sketch b/magic/Magdir/sketch new file mode 100644 index 0000000..ee731dd --- /dev/null +++ b/magic/Magdir/sketch @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: sketch,v 1.5 2017/03/17 21:35:28 christos Exp $ +# Sketch Drawings: http://sketch.sourceforge.net/ +# From: Edwin Mons <e@ik.nu> +0 search/1 ##Sketch Sketch document text diff --git a/magic/Magdir/smalltalk b/magic/Magdir/smalltalk new file mode 100644 index 0000000..9ff2c6b --- /dev/null +++ b/magic/Magdir/smalltalk @@ -0,0 +1,25 @@ + +#----------------------------------------------- +# $File: smalltalk,v 1.5 2009/09/19 16:28:12 christos Exp $ +# GNU Smalltalk image, starting at version 1.6.2 +# From: catull_us@yahoo.com +# +0 string GSTIm\0\0 GNU SmallTalk +# little-endian +>7 byte&1 =0 LE image version +>>10 byte x %d. +>>9 byte x \b%d. +>>8 byte x \b%d +#>>12 lelong x , data: %ld +#>>16 lelong x , table: %ld +#>>20 lelong x , memory: %ld +# big-endian +>7 byte&1 =1 BE image version +>>8 byte x %d. +>>9 byte x \b%d. +>>10 byte x \b%d +#>>12 belong x , data: %ld +#>>16 belong x , table: %ld +#>>20 belong x , memory: %ld + + diff --git a/magic/Magdir/smile b/magic/Magdir/smile new file mode 100644 index 0000000..d196de5 --- /dev/null +++ b/magic/Magdir/smile @@ -0,0 +1,34 @@ + +#------------------------------------------------------------------------------ +# $File: smile,v 1.1 2011/08/17 17:37:18 christos Exp $ +# smile: file(1) magic for Smile serialization +# +# The Smile serialization format uses a 4-byte header: +# +# Constant byte #0: 0x3A (ASCII ':') +# Constant byte #1: 0x29 (ASCII ')') +# Constant byte #2: 0x0A (ASCII linefeed, '\n') +# Variable byte #3, consisting of bits: +# Bits 4-7 (4 MSB): 4-bit version number +# Bits 3: Reserved +# Bit 2 (mask 0x04): Whether raw binary (unescaped 8-bit) values may be present in content +# Bit 1 (mask 0x02): Whether shared String value checking was enabled during encoding, default false +# Bit 0 (mask 0x01): Whether shared property name checking was enabled during encoding, default true +# +# Reference: http://wiki.fasterxml.com/SmileFormatSpec +# Created by: Pierre-Alexandre Meyer <pierre@mouraf.org> + +# Detection +0 string :)\n Smile binary data + +# Versioning +>3 byte&0xF0 x version %d: + +# Properties +>3 byte&0x04 0x04 binary raw, +>3 byte&0x04 0x00 binary encoded, +>3 byte&0x02 0x02 shared String values enabled, +>3 byte&0x02 0x00 shared String values disabled, +>3 byte&0x01 0x01 shared field names enabled +>3 byte&0x01 0x00 shared field names disabled + diff --git a/magic/Magdir/sniffer b/magic/Magdir/sniffer new file mode 100644 index 0000000..751d197 --- /dev/null +++ b/magic/Magdir/sniffer @@ -0,0 +1,482 @@ + +#------------------------------------------------------------------------------ +# $File: sniffer,v 1.34 2022/12/14 18:27:36 christos Exp $ +# sniffer: file(1) magic for packet capture files +# +# From: guy@alum.mit.edu (Guy Harris) +# + +# +# Microsoft Network Monitor 1.x capture files. +# +0 string RTSS NetMon capture file +>5 byte x - version %d +>4 byte x \b.%d +>6 leshort 0 (Unknown) +>6 leshort 1 (Ethernet) +>6 leshort 2 (Token Ring) +>6 leshort 3 (FDDI) +>6 leshort 4 (ATM) +>6 leshort >4 (type %d) + +# +# Microsoft Network Monitor 2.x capture files. +# +0 string GMBU NetMon capture file +>5 byte x - version %d +>4 byte x \b.%d +>6 leshort 0 (Unknown) +>6 leshort 1 (Ethernet) +>6 leshort 2 (Token Ring) +>6 leshort 3 (FDDI) +>6 leshort 4 (ATM) +>6 leshort 5 (IP-over-IEEE 1394) +>6 leshort 6 (802.11) +>6 leshort 7 (Raw IP) +>6 leshort 8 (Raw IP) +>6 leshort 9 (Raw IP) +>6 leshort >9 (type %d) + +# +# Network General Sniffer capture files. +# Sorry, make that "Network Associates Sniffer capture files." +# Sorry, make that "Network General old DOS Sniffer capture files." +# +0 string TRSNIFF\040data\040\040\040\040\032 Sniffer capture file +>33 byte 2 (compressed) +>23 leshort x - version %d +>25 leshort x \b.%d +>32 byte 0 (Token Ring) +>32 byte 1 (Ethernet) +>32 byte 2 (ARCNET) +>32 byte 3 (StarLAN) +>32 byte 4 (PC Network broadband) +>32 byte 5 (LocalTalk) +>32 byte 6 (Znet) +>32 byte 7 (Internetwork Analyzer) +>32 byte 9 (FDDI) +>32 byte 10 (ATM) + +# +# Cinco Networks NetXRay capture files. +# Sorry, make that "Network General Sniffer Basic capture files." +# Sorry, make that "Network Associates Sniffer Basic capture files." +# Sorry, make that "Network Associates Sniffer Basic, and Windows +# Sniffer Pro", capture files." +# Sorry, make that "Network General Sniffer capture files." +# Sorry, make that "NetScout Sniffer capture files." +# +0 string XCP\0 NetXRay capture file +>4 string >\0 - version %s +>44 leshort 0 (Ethernet) +>44 leshort 1 (Token Ring) +>44 leshort 2 (FDDI) +>44 leshort 3 (WAN) +>44 leshort 8 (ATM) +>44 leshort 9 (802.11) + +# +# "libpcap" capture files. +# https://www.tcpdump.org/manpages/pcap-savefile.5.html +# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is +# the main program that uses that format, but there are other programs +# that use "libpcap", or that use the same capture file format.) +# +0 name pcap-be +>4 beshort x - version %d +>6 beshort x \b.%d +# clear that continuation level match +>20 clear x +>20 belong&0x03FFFFFF 0 (No link-layer encapsulation +>20 belong&0x03FFFFFF 1 (Ethernet +>20 belong&0x03FFFFFF 2 (3Mb Ethernet +>20 belong&0x03FFFFFF 3 (AX.25 +>20 belong&0x03FFFFFF 4 (ProNET +>20 belong&0x03FFFFFF 5 (CHAOS +>20 belong&0x03FFFFFF 6 (Token Ring +>20 belong&0x03FFFFFF 7 (BSD ARCNET +>20 belong&0x03FFFFFF 8 (SLIP +>20 belong&0x03FFFFFF 9 (PPP +>20 belong&0x03FFFFFF 10 (FDDI +>20 belong&0x03FFFFFF 11 (RFC 1483 ATM +>20 belong&0x03FFFFFF 12 (Raw IP +>20 belong&0x03FFFFFF 13 (BSD/OS SLIP +>20 belong&0x03FFFFFF 14 (BSD/OS PPP +>20 belong&0x03FFFFFF 19 (Linux ATM Classical IP +>20 belong&0x03FFFFFF 50 (PPP or Cisco HDLC +>20 belong&0x03FFFFFF 51 (PPP-over-Ethernet +>20 belong&0x03FFFFFF 99 (Symantec Enterprise Firewall +>20 belong&0x03FFFFFF 100 (RFC 1483 ATM +>20 belong&0x03FFFFFF 101 (Raw IP +>20 belong&0x03FFFFFF 102 (BSD/OS SLIP +>20 belong&0x03FFFFFF 103 (BSD/OS PPP +>20 belong&0x03FFFFFF 104 (BSD/OS Cisco HDLC +>20 belong&0x03FFFFFF 105 (802.11 +>20 belong&0x03FFFFFF 106 (Linux Classical IP over ATM +>20 belong&0x03FFFFFF 107 (Frame Relay +>20 belong&0x03FFFFFF 108 (OpenBSD loopback +>20 belong&0x03FFFFFF 109 (OpenBSD IPsec encrypted +>20 belong&0x03FFFFFF 112 (Cisco HDLC +>20 belong&0x03FFFFFF 113 (Linux cooked v1 +>20 belong&0x03FFFFFF 114 (LocalTalk +>20 belong&0x03FFFFFF 117 (OpenBSD PFLOG +>20 belong&0x03FFFFFF 119 (802.11 with Prism header +>20 belong&0x03FFFFFF 122 (RFC 2625 IP over Fibre Channel +>20 belong&0x03FFFFFF 123 (SunATM +>20 belong&0x03FFFFFF 127 (802.11 with radiotap header +>20 belong&0x03FFFFFF 129 (Linux ARCNET +>20 belong&0x03FFFFFF 130 (Juniper Multi-Link PPP +>20 belong&0x03FFFFFF 131 (Juniper Multi-Link Frame Relay +>20 belong&0x03FFFFFF 132 (Juniper Encryption Services PIC +>20 belong&0x03FFFFFF 133 (Juniper GGSN PIC +>20 belong&0x03FFFFFF 134 (Juniper FRF.16 Frame Relay +>20 belong&0x03FFFFFF 135 (Juniper ATM2 PIC +>20 belong&0x03FFFFFF 136 (Juniper Advanced Services PIC +>20 belong&0x03FFFFFF 137 (Juniper ATM1 PIC +>20 belong&0x03FFFFFF 138 (Apple IP over IEEE 1394 +>20 belong&0x03FFFFFF 139 (SS7 MTP2 with pseudo-header +>20 belong&0x03FFFFFF 140 (SS7 MTP2 +>20 belong&0x03FFFFFF 141 (SS7 MTP3 +>20 belong&0x03FFFFFF 142 (SS7 SCCP +>20 belong&0x03FFFFFF 143 (DOCSIS +>20 belong&0x03FFFFFF 144 (Linux IrDA +>20 belong&0x03FFFFFF 147 (Private use 0 +>20 belong&0x03FFFFFF 148 (Private use 1 +>20 belong&0x03FFFFFF 149 (Private use 2 +>20 belong&0x03FFFFFF 150 (Private use 3 +>20 belong&0x03FFFFFF 151 (Private use 4 +>20 belong&0x03FFFFFF 152 (Private use 5 +>20 belong&0x03FFFFFF 153 (Private use 6 +>20 belong&0x03FFFFFF 154 (Private use 7 +>20 belong&0x03FFFFFF 155 (Private use 8 +>20 belong&0x03FFFFFF 156 (Private use 9 +>20 belong&0x03FFFFFF 157 (Private use 10 +>20 belong&0x03FFFFFF 158 (Private use 11 +>20 belong&0x03FFFFFF 159 (Private use 12 +>20 belong&0x03FFFFFF 160 (Private use 13 +>20 belong&0x03FFFFFF 161 (Private use 14 +>20 belong&0x03FFFFFF 162 (Private use 15 +>20 belong&0x03FFFFFF 163 (802.11 with AVS header +>20 belong&0x03FFFFFF 164 (Juniper Passive Monitor PIC +>20 belong&0x03FFFFFF 165 (BACnet MS/TP +>20 belong&0x03FFFFFF 166 (PPPD +>20 belong&0x03FFFFFF 167 (Juniper PPPoE +>20 belong&0x03FFFFFF 168 (Juniper PPPoE/ATM +>20 belong&0x03FFFFFF 169 (GPRS LLC +>20 belong&0x03FFFFFF 170 (GPF-T +>20 belong&0x03FFFFFF 171 (GPF-F +>20 belong&0x03FFFFFF 174 (Juniper PIC Peer +>20 belong&0x03FFFFFF 175 (Ethernet with Endace ERF header +>20 belong&0x03FFFFFF 176 (Packet-over-SONET with Endace ERF header +>20 belong&0x03FFFFFF 177 (Linux LAPD +>20 belong&0x03FFFFFF 178 (Juniper Ethernet +>20 belong&0x03FFFFFF 179 (Juniper PPP +>20 belong&0x03FFFFFF 180 (Juniper Frame Relay +>20 belong&0x03FFFFFF 181 (Juniper C-HDLC +>20 belong&0x03FFFFFF 182 (FRF.16 Frame Relay +>20 belong&0x03FFFFFF 183 (Juniper Voice PIC +>20 belong&0x03FFFFFF 184 (Arinc 429 +>20 belong&0x03FFFFFF 185 (Arinc 653 Interpartition Communication +>20 belong&0x03FFFFFF 186 (USB with FreeBSD header +>20 belong&0x03FFFFFF 187 (Bluetooth HCI H4 +>20 belong&0x03FFFFFF 188 (802.16 MAC Common Part Sublayer +>20 belong&0x03FFFFFF 189 (Linux USB +>20 belong&0x03FFFFFF 190 (Controller Area Network (CAN) v. 2.0B +>20 belong&0x03FFFFFF 191 (802.15.4 with Linux padding +>20 belong&0x03FFFFFF 192 (PPI +>20 belong&0x03FFFFFF 193 (802.16 MAC Common Part Sublayer plus radiotap header +>20 belong&0x03FFFFFF 194 (Juniper Integrated Service Module +>20 belong&0x03FFFFFF 195 (802.15.4 with FCS +>20 belong&0x03FFFFFF 196 (SITA +>20 belong&0x03FFFFFF 197 (Endace ERF +>20 belong&0x03FFFFFF 198 (Ethernet with u10 Networks pseudo-header +>20 belong&0x03FFFFFF 199 (IPMB +>20 belong&0x03FFFFFF 200 (Juniper Secure Tunnel +>20 belong&0x03FFFFFF 201 (Bluetooth HCI H4 with pseudo-header +>20 belong&0x03FFFFFF 202 (AX.25 with KISS header +>20 belong&0x03FFFFFF 203 (LAPD +>20 belong&0x03FFFFFF 204 (PPP with direction pseudo-header +>20 belong&0x03FFFFFF 205 (Cisco HDLC with direction pseudo-header +>20 belong&0x03FFFFFF 206 (Frame Relay with direction pseudo-header +>20 belong&0x03FFFFFF 209 (Linux IPMB +>20 belong&0x03FFFFFF 215 (802.15.4 with non-ASK PHY header +>20 belong&0x03FFFFFF 216 (Linux evdev events +>20 belong&0x03FFFFFF 219 (MPLS with label as link-layer header +>20 belong&0x03FFFFFF 220 (Memory-mapped Linux USB +>20 belong&0x03FFFFFF 221 (DECT +>20 belong&0x03FFFFFF 222 (AOS Space Data Link protocol +>20 belong&0x03FFFFFF 223 (Wireless HART +>20 belong&0x03FFFFFF 224 (Fibre Channel FC-2 +>20 belong&0x03FFFFFF 225 (Fibre Channel FC-2 with frame delimiters +>20 belong&0x03FFFFFF 226 (Solaris IPNET +>20 belong&0x03FFFFFF 227 (SocketCAN +>20 belong&0x03FFFFFF 228 (Raw IPv4 +>20 belong&0x03FFFFFF 229 (Raw IPv6 +>20 belong&0x03FFFFFF 230 (802.15.4 without FCS +>20 belong&0x03FFFFFF 231 (D-Bus messages +>20 belong&0x03FFFFFF 232 (Juniper Virtual Server +>20 belong&0x03FFFFFF 233 (Juniper SRX E2E +>20 belong&0x03FFFFFF 234 (Juniper Fibre Channel +>20 belong&0x03FFFFFF 235 (DVB-CI +>20 belong&0x03FFFFFF 236 (MUX27010 +>20 belong&0x03FFFFFF 237 (STANAG 5066 D_PDUs +>20 belong&0x03FFFFFF 238 (Juniper ATM CEMIC +>20 belong&0x03FFFFFF 239 (Linux netfilter log messages +>20 belong&0x03FFFFFF 240 (Hilscher netAnalyzer +>20 belong&0x03FFFFFF 241 (Hilscher netAnalyzer with delimiters +>20 belong&0x03FFFFFF 242 (IP-over-Infiniband +>20 belong&0x03FFFFFF 243 (MPEG-2 Transport Stream packets +>20 belong&0x03FFFFFF 244 (ng4t ng40 +>20 belong&0x03FFFFFF 245 (NFC LLCP +>20 belong&0x03FFFFFF 246 (Packet filter state syncing +>20 belong&0x03FFFFFF 247 (InfiniBand +>20 belong&0x03FFFFFF 248 (SCTP +>20 belong&0x03FFFFFF 249 (USB with USBPcap header +>20 belong&0x03FFFFFF 250 (Schweitzer Engineering Laboratories RTAC packets +>20 belong&0x03FFFFFF 251 (Bluetooth Low Energy air interface +>20 belong&0x03FFFFFF 252 (Wireshark Upper PDU export +>20 belong&0x03FFFFFF 253 (Linux netlink +>20 belong&0x03FFFFFF 254 (Bluetooth Linux Monitor +>20 belong&0x03FFFFFF 255 (Bluetooth Basic Rate/Enhanced Data Rate baseband packets +>20 belong&0x03FFFFFF 256 (Bluetooth Low Energy air interface with pseudo-header +>20 belong&0x03FFFFFF 257 (PROFIBUS data link layer +>20 belong&0x03FFFFFF 258 (Apple DLT_PKTAP +>20 belong&0x03FFFFFF 259 (Ethernet with 802.3 Clause 65 EPON preamble +>20 belong&0x03FFFFFF 260 (IPMI trace packets +>20 belong&0x03FFFFFF 261 (Z-Wave RF profile R1 and R2 packets +>20 belong&0x03FFFFFF 262 (Z-Wave RF profile R3 packets +>20 belong&0x03FFFFFF 263 (WattStopper Digital Lighting Mngmt/Legrand Nitoo Open Proto +>20 belong&0x03FFFFFF 264 (ISO 14443 messages +>20 belong&0x03FFFFFF 265 (IEC 62106 Radio Data System groups +>20 belong&0x03FFFFFF 266 (USB with Darwin header +>20 belong&0x03FFFFFF 267 (OpenBSD DLT_OPENFLOW +>20 belong&0x03FFFFFF 268 (IBM SDLC frames +>20 belong&0x03FFFFFF 269 (TI LLN sniffer frames +>20 belong&0x03FFFFFF 271 (Linux vsock +>20 belong&0x03FFFFFF 272 (Nordic Semiconductor Bluetooth LE sniffer frames +>20 belong&0x03FFFFFF 273 (Excentis XRA-31 DOCSIS 3.1 RF sniffer frames +>20 belong&0x03FFFFFF 274 (802.3br mPackets +>20 belong&0x03FFFFFF 275 (DisplayPort AUX channel monitoring data +>20 belong&0x03FFFFFF 276 (Linux cooked v2 +>20 belong&0x03FFFFFF 278 (OpenVizsla USB +>20 belong&0x03FFFFFF 279 (Elektrobit High Speed Capture and Replay (EBHSCR) +>20 belong&0x03FFFFFF 281 (Broadcom tag +>20 belong&0x03FFFFFF 282 (Broadcom tag (prepended) +>20 belong&0x03FFFFFF 283 (802.15.4 with TAP +>20 belong&0x03FFFFFF 284 (Marvell DSA +>20 belong&0x03FFFFFF 285 (Marvell EDSA +>20 belong&0x03FFFFFF 286 (ELEE lawful intercept +>20 belong&0x03FFFFFF 287 (Z-Wave serial +>20 belong&0x03FFFFFF 288 (USB 2.0 +>20 belong&0x03FFFFFF 289 (ATSC ALP +>20 belong&0x03FFFFFF 290 (Event Tracing for Windows +>20 belong&0x03FFFFFF 291 (Hilscher netANALYZER NG pseudo-footer +>20 belong&0x03FFFFFF 292 (ZBOSS NCP protocol with pseudo-header +>20 belong&0x03FFFFFF 293 (Low-Speed USB 2.0/1.1/1.0 +>20 belong&0x03FFFFFF 294 (Full-Speed USB 2.0/1.1/1.0 +>20 belong&0x03FFFFFF 295 (High-Speed USB 2.0 +# print default match +>20 default x +>>20 belong x (linktype#%u +>16 belong x \b, capture length %u) + +# packets time stamps in seconds and microseconds. +0 ubelong 0xa1b2c3d4 pcap capture file, microseconds ts (big-endian) +!:mime application/vnd.tcpdump.pcap +>0 use pcap-be +0 ulelong 0xa1b2c3d4 pcap capture file, microsecond ts (little-endian) +!:mime application/vnd.tcpdump.pcap +>0 use \^pcap-be + +# packets time stamps in seconds and nanoseconds. +0 ubelong 0xa1b23c4d pcap capture file, nanosecond ts (big-endian) +!:mime application/vnd.tcpdump.pcap +>0 use pcap-be +0 ulelong 0xa1b23c4d pcap capture file, nanosecond ts (little-endian) +!:mime application/vnd.tcpdump.pcap +>0 use \^pcap-be + +# +# "libpcap"-with-Alexey-Kuznetsov's-patches capture files. +# +0 ubelong 0xa1b2cd34 pcap capture file, microsecond ts, extensions (big-endian) +>0 use pcap-be +0 ulelong 0xa1b2cd34 pcap capture file, microsecond ts, extensions (little-endian) +>0 use \^pcap-be + +# +# "pcapng" capture files. +# https://github.com/pcapng/pcapng +# Pcapng files can contain multiple sections. Printing the endianness, +# snaplen, or other information from the first SHB may be misleading. +# +0 ubelong 0x0a0d0d0a +>8 ubelong 0x1a2b3c4d pcapng capture file +>>12 beshort x - version %d +>>14 beshort x \b.%d +0 ulelong 0x0a0d0d0a +>8 ulelong 0x1a2b3c4d pcapng capture file +>>12 leshort x - version %d +>>14 leshort x \b.%d + +# +# AIX "iptrace" capture files. +# +0 string iptrace\0401.0 AIX iptrace capture file +0 string iptrace\0402.0 AIX iptrace capture file + +# +# Novell LANalyzer capture files. +# URL: http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c +# Update: Joerg Jenderek +# +# regular trace header record (RT_HeaderRegular) +0 leshort 0x1001 +# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5 +# and VIC-20 BASIC V2 program +# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg) +# with invalid second record type 0 instead of "Trace receive channel name record" +>(2.s+4) leshort =0x1006h +>>0 use novell-lanalyzer +# cyclic trace header record (RT_HeaderCyclic) +0 leshort 0x1007 +>0 use novell-lanalyzer +0 name novell-lanalyzer +>0 leshort x Novell LANalyzer capture file +# https://reposcope.com/mimetype/application/x-lanalyzer +!:mime application/x-lanalyzer +# maybe also TR2 .. TR9 TRA .. TRZ +!:ext tr1 +# version like: 1.5 +>4 ubyte x \b, version %u +# minor version; one byte identifying the trace file minor version number +>5 ubyte x \b.%u +# Trace header record type like: 1001~regular or 1007~cyclic +>0 leshort !0x1001 \b, record type %4.4x +# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch +>2 leshort x \b, record length %#x +# second record type like: 1006h~Trace receive channel name record +>(2.s+4) leshort !0x1006h \b, 2nd record type %#4.4x +>(2.s+6) leshort x \b, 2nd record length %#x +# each channel name is a null-terminated, eight-byte ASCII string like: Channel1 +>(2.s+8) string x \b, names %.9s +# 2nd channel name like: Channel2 +>(2.s+17) string x %.9s ... + +# +# HP-UX "nettl" capture files. +# URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c +# Update: Joerg Jenderek +# Note: Wireshark fills "meta information header fields" with "dummy" values +# nettl_magic_hpux9[12]; for HP-UX 9.x not tested +0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file +!:mime application/x-nettl +!:ext trc0/trc1 +# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x +0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file +# https://reposcope.com/mimetype/application/x-nettl +!:mime application/x-nettl +# maybe also TRC000 TRC001 TRC002 ... +!:ext trc0/trc1 +# file_name[56]; maybe also like /tmp/raw.tr.TRC000 +>12 string !/tmp/wireshark.TRC000 +>>12 string x "%-.56s" +# tz[20]; like UTC +>68 string !UTC \b, tz +>>68 string x %-.20s +# host_name[9]; +>88 string >\0 \b, host %-.9s +# os_vers[9]; like B.11.11 +>97 string !B.11.11 \b, os +>>97 string x %-.9s +# os_v; like 55h +>>106 ubyte x (%#x) +# xxa[8]; like 0 +>107 ubequad !0 \b, xxa=%#16.16llx +# model[11] like: 9000/800 +>115 string !9000/800 \b, model +>>115 string x %-.11s +# unknown; probably just padding to 128 bytes like: 0406h +>126 ubeshort !0x0406h \b, at 126 %#4.4x + +# +# RADCOM WAN/LAN Analyzer capture files. +# +0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file + +# +# NetStumbler log files. Not really packets, per se, but about as +# close as you can get. These are log files from NetStumbler, a +# Windows program, that scans for 802.11b networks. +# +0 string NetS NetStumbler log file +>8 lelong x \b, %d stations found + +# +# *Peek tagged capture files. +# +0 string \177ver EtherPeek/AiroPeek/OmniPeek capture file + +# +# Visual Networks traffic capture files. +# +0 string \x05VNF Visual Networks traffic capture file + +# +# Network Instruments Observer capture files. +# +0 string ObserverPktBuffe Network Instruments Observer capture file + +# +# Files from Accellent Group's 5View products. +# +# URL: http://www.infovista.com +# Reference: http://mark0.net/download/triddefs_xml.7z +# defs/0/5vw.trid.xml +# https://2.na.dl.wireshark.org/src/wireshark-3.6.2.tar.xz +# wireshark-3.6.2/wiretap/5views.c +# Update: Joerg Jenderek +# Note: called "5View capture" by TrID and +# "Wireshark capture file" on Windows or +# "Packet Capture (Accellent/InfoVista 5view)" by shared MIME-info database +# verified/falsified by `wireshark *.5vw` +0 string \xaa\xaa\xaa\xaa +# skip misidentified boot/x86_64/loader/kroete.dat on Suse LEAP DVD +# by check for valid record version +>8 ulelong =0x00010000 +>>0 use 5view-le +0 name 5view-le +# t_5VW_Info_Header.Signature = CST_5VW_INFO_HEADER_KEY = 0xAAAAAAAAU +>0 ulelong x 5View capture file +# https://reposcope.com/mimetype/application/x-5view +!:mime application/x-5view +!:ext 5vw +# size of header in bytes (included signature and reserved fields); probably always 20h +>4 ulelong !0x00000020 \b, header size %#x +# version of header record; apparently always CST_5VW_INFO_RECORD_VERSION=0x00010000U +>8 ulelong !0x00010000 \b, record version %#x +# DataSize; total size of data without header like: 18h +>12 ulelong x \b, record size %#x +# filetype; type of the capture file like: 18001000h +>16 ulelong x \b, file type %#8.8x +# Reserved[3]; reserved for future use; apparently zero +>20 quad !0 \b, Reserved %#llx +# look for record header key CST_5VW_RECORDS_HEADER_KEY of structure t_5VW_TimeStamped_Header +>0x20 search/0xB8/b \xEE\xEE\x33\x33 \b; record +# HeaderSize; actual size of this header in bytes like: 32 24h +>>&0 uleshort x size %#x +# HeaderType; exact type of this header; probably always 0x4000 +>>&2 uleshort !0x4000 \b, header type %#x +# RecType; type of record like: 80000000h +>>&4 ulelong x \b, record type %#x +# RecSubType; subtype of record like: 0 +>>&8 ulelong !0 \b, subtype %#x +# RecSize; Size of one record like: 5Ch +>>&12 ulelong x \b, RecSize %#x +# RecNb; Number of records like: 1 +>>&16 ulelong >1 \b, %#x records +# Timestamp Utc +#>>&20 ulelong x \b, RAW TIME %#8.8x +>>&20 date x \b, Time-stamp %s diff --git a/magic/Magdir/softquad b/magic/Magdir/softquad new file mode 100644 index 0000000..28f03b9 --- /dev/null +++ b/magic/Magdir/softquad @@ -0,0 +1,40 @@ + +#------------------------------------------------------------------------------ +# $File: softquad,v 1.14 2022/10/28 17:19:54 christos Exp $ +# softquad: file(1) magic for SoftQuad Publishing Software +# URL: https://en.wikipedia.org/wiki/SoftQuad_Software +# +# Author/Editor and RulesBuilder +# +# XXX - byte order? +# +0 string \<!SQ\ DTD> Compiled SGML rules file +>9 string >\0 Type %s +0 string \<!SQ\ A/E> A/E SGML Document binary +>9 string >\0 Type %s +0 string \<!SQ\ STS> A/E SGML binary styles file +>9 string >\0 Type %s +0 short 0xc0de Compiled PSI (v1) data +0 short 0xc0da Compiled PSI (v2) data +>3 string >\0 (%s) +# Binary sqtroff font/desc files... +# GRR: the line below is also true for 5View capture file handled by ./sniffer +0 short 0125252 +# skip 5View capture file with "invalid" version AAAAh +>2 short >0 SoftQuad DESC or font file binary - version %d +# Bitmaps... +0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text +#0 string SQ\ BITMAP2 SoftQuad Raster Format data +# sqtroff intermediate language (replacement for ditroff int. lang.) +0 string X\ SoftQuad troff Context intermediate +>2 string 495 for AT&T 495 laser printer +>2 string hp for Hewlett-Packard LaserJet +>2 string impr for IMAGEN imPRESS +>2 string ps for PostScript + +# From: Michael Piefel <piefel@debian.org> +# sqtroff intermediate language (replacement for ditroff int. lang.) +0 string X\ 495 SoftQuad troff Context intermediate for AT&T 495 laser printer +0 string X\ hp SoftQuad troff Context intermediate for HP LaserJet +0 string X\ impr SoftQuad troff Context intermediate for IMAGEN imPRESS +0 string X\ ps SoftQuad troff Context intermediate for PostScript diff --git a/magic/Magdir/sosi b/magic/Magdir/sosi new file mode 100644 index 0000000..88ecc51 --- /dev/null +++ b/magic/Magdir/sosi @@ -0,0 +1,40 @@ + +#------------------------------------------------------------------------------ +# $File: sosi,v 1.2 2021/02/23 00:51:10 christos Exp $ +# SOSI +# Summary: Systematic Organization of Spatial Information +# Long description: Norwegian text based map format +# File extension: .sos +# Full name: Petter Reinholdtsen (pere@hungry.com) +# Reference: https://en.wikipedia.org/wiki/SOSI +# +# Example SOSI files available from +# https://trac.osgeo.org/gdal/ticket/3638 +# https://nedlasting.geonorge.no/geonorge/Basisdata/N50Kartdata/SOSI/ +# https://nedlasting.geonorge.no/geonorge/Samferdsel/Elveg/SOSI/ +# +# Start with optional comments (from "!" to the next line end) +# followed by ".HODE" and end with "\n.SLUTT" followed by an optional +# separator (any number of " ", "\t", "\n" or "\r"), might have BOM at +# the start and following ".HODE" near the start there is "..OMR=C3=85DE" +# (either UTF-8, ISO-8859-1 or some 7 bit Norwegian charset based on +# ASCII) , "..TRANSPAR", "..TEGNSETT " followed by the charset and a +# separator, as well as "..SOSI-VERSJON " followed by the format +# version and a separator. +# +# FIXME figure out how to accept any of [space], [tab], [newline] and +# [carriage return] as separators, not only line end. + +# Not searching for full "OMR=C3=85DE" to match also for non-UTF-8 +# character sets +0 search ..OMR +>0 search ..TRANSPAR +>>0 search .HODE SOSI map data +>>>&0 search ..SOSI-VERSJON +>>>>&1 string x \b, version %s +# FIXME could not figure out way to make a match for .SLUTT at the end required +#>-7 string \n.SLUTT slutt +#>-8 string \n.SLUTT\n slutt-nl +#>-9 string \n.SLUTT\r\n slutt-crnl2 +!:mime text/vnd.sosi +!:ext sos diff --git a/magic/Magdir/spec b/magic/Magdir/spec new file mode 100644 index 0000000..c504b1f --- /dev/null +++ b/magic/Magdir/spec @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: spec,v 1.4 2009/09/19 16:28:12 christos Exp $ +# spec: file(1) magic for SPEC raw results (*.raw, *.rsf) +# +# Cloyce D. Spradling <cloyce@headgear.org> + +0 string spec SPEC +>4 string .cpu CPU +>>8 string <: \b%.4s +>>12 string . raw result text + +17 string version=SPECjbb SPECjbb +>32 string <: \b%.4s +>>37 string <: v%.4s raw result text + +0 string BEGIN\040SPECWEB SPECweb +>13 string <: \b%.2s +>>15 string _SSL \b_SSL +>>>20 string <: v%.4s raw result text +>>16 string <: v%.4s raw result text diff --git a/magic/Magdir/spectrum b/magic/Magdir/spectrum new file mode 100644 index 0000000..cf14551 --- /dev/null +++ b/magic/Magdir/spectrum @@ -0,0 +1,184 @@ + +#------------------------------------------------------------------------------ +# $File: spectrum,v 1.10 2023/05/08 01:33:36 christos Exp $ +# spectrum: file(1) magic for Spectrum emulator files. +# +# John Elliott <jce@seasip.demon.co.uk> + +# +# Spectrum +3DOS header +# +0 string PLUS3DOS\032 Spectrum +3 data +>15 byte 0 - BASIC program +>15 byte 1 - number array +>15 byte 2 - character array +>15 byte 3 - memory block +>>16 belong 0x001B0040 (screen) +>15 byte 4 - Tasword document +>15 string TAPEFILE - ZXT tapefile +# +# Tape file. This assumes the .TAP starts with a Spectrum-format header, +# which nearly all will. +# +# Update: Sanity-check string contents to be printable. +# -Adam Buchbinder <adam.buchbinder@gmail.com> +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TAP_(ZX_Spectrum) +# Reference: http://web.archive.org/web/20110711141601/http://www.zxmodules.de/fileformats/tapformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-zx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TAP (ZX Spectrum)" by DROID via PUID fmt/801 +# verified by fuse-emulator-utils `tzxlist EXAMPLES.TAP` +# +# headers length 19=023 and flag byte 0 indicating a standard ROM loading header +0 string \023\000\000 +>4 string >\0 +# skip {85CEE8D6-0F90-4492-B484-98E38862B28D}.2.ver0x0000000000000004.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db +# inside c:\ProgramData\Microsoft\Windows\Caches according to TrID and DROID +>>23 ubyte =0xFF +# skip DROID fmt-801-signature-id-1166.tap with invalid name \253\253\253\253\253\253\253\253\253\253 +# which looks like: "TF COPY II" "screen " "\023\001TF" " 1943 " +>>>4 string <\177 Spectrum .TAP data "%-10.10s" +#!:mime application/octet-stream +!:mime application/x-spectrum-tap +!:ext tap +>>>>3 byte 0 - BASIC program +# autostart line; 0..9999 are valid; 32768 means "no auto-loading" +>>>>>16 uleshort x \b, autostart line %u +# program length; length of BASIC program +>>>>>18 uleshort x \b, program length %u +>>>>3 byte 1 - number array +>>>>3 byte 2 - character array +>>>>3 byte 3 - memory block +# length of the following data 1B00h=6912 and start address 4000h=16384 in case of a SCREEN$ header +>>>>>14 belong 0x001B0040 (screen) +# unused 32768=8000h +>>>>>18 uleshort !32768 \b, unused %u +# zxlength; length of the following data after the header +>>>>14 uleshort x \b, data length %u +#>>14 uleshort x \b, data length %#x +# checksum byte; simply all bytes (including flag byte) XORed +#>>>>20 ubyte x \b, checksum %#x + +# The following three blocks are from pak21-spectrum@srcf.ucam.org +# TZX tape images +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TZX +# Reference: https://worldofspectrum.net/TZXformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tzx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TZX Format" by DROID via PUID fmt/1000 +0 string ZXTape!\x1a Spectrum .TZX data +#!:mime application/octet-stream +!:mime application/x-spectrum-tzx +# CDT is used for Amstrad tapes +!:ext tzx/cdt +>8 byte x version %d +>9 byte x \b.%d +# ID of first block +>10 ubyte x \b; ID %#x +# turbo speed data block +>10 ubyte =0x11 (turbo) +# length of PILOT tone (number of pulses) +>>21 uleshort x \b, %u pilot pulses +# length of PILOT pulse +>>11 uleshort x with %u tstates +# length of SYNC first pulse +>>13 uleshort x \b, %u and +# length of SYNC second pulse +>>15 uleshort x %u sync tstates +# length of ZERO bit pulse +>>17 uleshort x \b, %u zero tstates +# length of ONE bit pulse +>>19 uleshort x \b, %u one tstates +# used bits in the last byte +>>23 ubyte x \b, use %u bit +# plural s +>>23 ubyte >1 \bs +# pause after this block in milliseconds +>>24 uleshort x \b, %u ms pause +# BYTE[3]; length of data that follow +>>26 ulelong&0x00FFffFF x \b, %u data bytes +>10 ubyte =0x20 (pause) +# pause duration in milliseconds +>>11 uleshort x %u ms +# text description +>10 ubyte =0x30 (text) +# length of the text description +#>>11 ubyte x L=%u +>>11 pstring x "%s" +# archive text description in ASCII format +>10 ubyte =0x32 (archive info) +# length of archive text +>>11 uleshort x \b, %#x bytes +# number of text strings +>>13 ubyte x with %u (type) text parts +# text type identification byte: 0~title 1~publisher 2~author 3~year 4~language 5~type 6~price 7~protection 8~origin ff~comment +>>14 byte <9 (%d) +>>>14 byte >-2 +# length of text string +#>>>>15 ubyte x L=%u +>>>>15 pstring x %s +# 2nd possible text description +>>>>>&0 byte <9 (%d) +>>>>>>&-1 byte >-2 +>>>>>>>&0 pstring x %s +# 3rd possible text description +>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>&0 pstring x %s +# 4th possible text description +>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>&0 pstring x %s +# 5th possible text description +>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>&0 pstring x %s +# 6th possible text description +>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>&0 pstring x %s +# 7th possible text description +>>>>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>>>>&0 pstring x %s + +# RZX input recording files +0 string RZX! Spectrum .RZX data +>4 byte x version %d +>5 byte x \b.%d + +# Floppy disk images +0 string MV\ -\ CPCEMU\ Disk-Fil Amstrad/Spectrum .DSK data +0 string MV\ -\ CPC\ format\ Dis Amstrad/Spectrum DU54 .DSK data +0 string EXTENDED\ CPC\ DSK\ Fil Amstrad/Spectrum Extended .DSK data +0 string SINCLAIR Spectrum .SCL Betadisk image + +# Hard disk images +0 string RS-IDE\x1a Spectrum .HDF hard disk image +>7 byte x \b, version %#02x + +# SZX snapshots (fuse and spectaculator) +# Martin M. S. Pedersen <martin@linux.com> +# http://www.spectaculator.com/docs/zx-state/header.shtml +# +0 string ZXST zx-state snapshot +>4 byte x version %d +>5 byte x \b.%d +>>6 byte 0 16k ZX Spectrum +>>6 byte 1 48k ZX Spectrum/ZX Spectrum+ +>>6 byte 2 ZX Spectrum 128 +>>6 byte 3 ZX Spectrum +2 +>>6 byte 4 ZX Spectrum +2A/+2B +>>6 byte 5 ZX Spectrum +3 +>>6 byte 6 ZX Spectrum +3e +>>6 byte 7 Pentagon 128 +>>6 byte 8 Timex Sinclair TC2048 +>>6 byte 9 Timex Sinclair TC2068 +>>6 byte 10 Scorpion ZS-256 +>>6 byte 11 ZX Spectrum SE +>>6 byte 12 Timex Sinclair TS2068 +>>6 byte 13 Pentagon 512 +>>6 byte 14 Pentagon 1024 +>>6 byte 15 48k ZX Spectrum (NTSC) +>>6 byte 16 ZX Spectrum 12Ke +>>>7 byte 1 (alternate timings) diff --git a/magic/Magdir/sql b/magic/Magdir/sql new file mode 100644 index 0000000..00f3617 --- /dev/null +++ b/magic/Magdir/sql @@ -0,0 +1,288 @@ + +#------------------------------------------------------------------------------ +# $File: sql,v 1.26 2023/04/29 17:26:58 christos Exp $ +# sql: file(1) magic for SQL files +# +# From: "Marty Leisner" <mleisner@eng.mc.xerox.com> +# Recognize some MySQL files. +# Elan Ruusamae <glen@delfi.ee>, added MariaDB signatures +# from https://bazaar.launchpad.net/~maria-captains/maria/5.5/view/head:/support-files/magic +# +0 beshort 0xfe01 MySQL table definition file +>2 byte x Version %d +>3 byte 0 \b, type UNKNOWN +>3 byte 1 \b, type DIAM_ISAM +>3 byte 2 \b, type HASH +>3 byte 3 \b, type MISAM +>3 byte 4 \b, type PISAM +>3 byte 5 \b, type RMS_ISAM +>3 byte 6 \b, type HEAP +>3 byte 7 \b, type ISAM +>3 byte 8 \b, type MRG_ISAM +>3 byte 9 \b, type MYISAM +>3 byte 10 \b, type MRG_MYISAM +>3 byte 11 \b, type BERKELEY_DB +>3 byte 12 \b, type INNODB +>3 byte 13 \b, type GEMINI +>3 byte 14 \b, type NDBCLUSTER +>3 byte 15 \b, type EXAMPLE_DB +>3 byte 16 \b, type CSV_DB +>3 byte 17 \b, type FEDERATED_DB +>3 byte 18 \b, type BLACKHOLE_DB +>3 byte 19 \b, type PARTITION_DB +>3 byte 20 \b, type BINLOG +>3 byte 21 \b, type SOLID +>3 byte 22 \b, type PBXT +>3 byte 23 \b, type TABLE_FUNCTION +>3 byte 24 \b, type MEMCACHE +>3 byte 25 \b, type FALCON +>3 byte 26 \b, type MARIA +>3 byte 27 \b, type PERFORMANCE_SCHEMA +>3 byte 127 \b, type DEFAULT +>0x0033 ulong x \b, MySQL version %d +0 belong&0xffffff00 0xfefe0500 MySQL ISAM index file +>3 byte x Version %d +0 belong&0xffffff00 0xfefe0600 MySQL ISAM compressed data file +>3 byte x Version %d +0 belong&0xffffff00 0xfefe0700 MySQL MyISAM index file +>3 byte x Version %d +>14 beshort x \b, %d key parts +>16 beshort x \b, %d unique key parts +>18 byte x \b, %d keys +>28 bequad x \b, %lld records +>36 bequad x \b, %lld deleted records +0 belong&0xffffff00 0xfefe0800 MySQL MyISAM compressed data file +>3 byte x Version %d +0 belong&0xffffff00 0xfefe0900 MySQL Maria index file +>3 byte x Version %d +0 belong&0xffffff00 0xfefe0a00 MySQL Maria compressed data file +>3 byte x Version %d +0 belong&0xffffff00 0xfefe0c00 +>4 string MACF MySQL Maria control file +>>3 byte x Version %d +0 string \376bin MySQL replication log, +>9 long x server id %d +>8 byte 1 +>>13 long 69 \b, MySQL V3.2.3 +>>>19 string x \b, server version %s +>>13 long 75 \b, MySQL V4.0.2-V4.1 +>>>25 string x \b, server version %s +>8 byte 15 MySQL V5+, +>>25 string x server version %s +>4 string MARIALOG MySQL Maria transaction log file +>>3 byte x Version %d + +#------------------------------------------------------------------------------ +# iRiver H Series database file +# From Ken Guest <ken@linux.ie> +# As observed from iRivNavi.iDB and unencoded firmware +# +0 string iRivDB iRiver Database file +>11 string >\0 Version %s +>39 string iHP-100 [H Series] + +#------------------------------------------------------------------------------ +# SQLite database files +# Ken Guest <ken@linux.ie>, Ty Sarna, Zack Weinberg +# +# Version 1 used GDBM internally; its files cannot be distinguished +# from other GDBM files. +# +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/sqlite-2x.trid.xml +# Note: called "SQLite 2.x database" by TrID and "SQLite Database File Format" version 2 by DROID via PUID fmt/1135 +# Version 2 used this format: +0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database +!:mime application/x-sqlite2 +# FileAttributesStore.db test.sqlite2 +!:ext sqlite/sqlite2/db + +# URL: https://en.wikipedia.org/wiki/SQLite +# Reference: https://www.sqlite.org/fileformat.html +# Update: Joerg Jenderek +# Version 3 of SQLite allows applications to embed their own "user version" +# number in the database at offset 60. Later, SQLite added an "application id" +# at offset 68 that is preferred over "user version" for indicating the +# associated application. +# +0 string SQLite\ format\ 3 +# skip DROID fmt-729-signature-id-1053.sqlite by checking for valid page size +>16 ubeshort >0 SQLite 3.x +# deprecated +#!:mime application/x-sqlite3 +!:mime application/vnd.sqlite3 +# seldom found extension sqlite3 like in SyncData.sqlite3 +# db +# db3 like: AddrBook.db3 cgipcrvp.db3 +# https://www.maplesoft.com/support/help/Maple/view.aspx?path=worksheet%2freference%2fhelpdatabase +# help is used for newer Maple help database +# SQLite database weewx.sdb used by weather software weewx +# https://www.weewx.com/docs/usersguide.htm +# Avira Antivir use extension "dbe" like in avevtdb.dbe, avguard_tchk.dbe +# Unfortunately extension sqlite also used for other databases starting with string +# "TTCONTAINER" like in tracks.sqlite contentconsumer.sqlite contentproducerrepository.sqlite +# and with string "ZV-zlib" in like extra.sqlite +>>68 belong !0x5CDE09EF database +!:ext sqlite/sqlite3/db/db3/dbe/sdb/help +>>68 belong =0x5CDE09EF database +# maple is used for Maple Workbook +!:ext maple +>>60 belong =0x5f4d544e (Monotone source repository) +# if no known user version then check for Application IDs with default clause +>>60 belong !0x5f4d544e +# The "Application ID" set by PRAGMA application_id +>>>68 belong =0x0f055112 (Fossil checkout) +>>>68 belong =0x0f055113 (Fossil global configuration) +>>>68 belong =0x0f055111 (Fossil repository) +>>>68 belong =0x42654462 (Bentley Systems BeSQLite Database) +>>>68 belong =0x42654c6e (Bentley Systems Localization File) +>>>68 belong =0x47504b47 (OGC GeoPackage file) +# https://www.sqlite.org/src/artifact?ci=trunk&filename=magic.txt +>>>68 belong =0x47503130 (OGC GeoPackage version 1.0 file) +>>>68 belong =0x45737269 (Esri Spatially-Enabled Database) +>>>68 belong =0x4d504258 (MBTiles tileset) +# https://www.maplesoft.com/support/help/errors/view.aspx?path=Formats/Maple +>>>68 belong =0x5CDE09EF (Maple Workbook) +# unknown application ID +>>>68 default x +>>>>68 belong !0 \b, application id %u +# The "user version" as read and set by the user_version pragma like: +# 1 2 4 5 7 9 10 25 36 43 53 400 416 131073 131074 131075 +>>60 belong !0 \b, user version %d +# SQLITE_VERSION_NUMBER like: 0 3008011 3016002 3007014 3017000 3022000 3028000 3031001 +>>96 belong x \b, last written using SQLite version %d +# database page size in bytes; a power of two between 512 and 32768, or 1 for 65536 +# like: 512 1024 often 4096 32768 +>>16 ubeshort !4096 \b, page size %u +# File format write version. 1 for legacy; 2 for WAL; 0 for corruptDB.sqlite +>>18 ubyte !1 \b, writer version %u +# File format read version. 1 for legacy; 2 for WAL; 4 for corruptDB.sqlite +>>19 ubyte !1 \b, read version %u +# Bytes of unused "reserved" space at the end of each page. Usually 0 +>>20 ubyte !0 \b, unused bytes %u +# maximum embedded payload fraction. Must be 64; 1 for corruptDB.sqlite +>>21 ubyte !64 \b, maximum payload %u +# Minimum embedded payload fraction. Must be 32; 1 for corruptDB.sqlite +>>22 ubyte !32 \b, minimum payload %u +# Leaf payload fraction. Must be 32; 0 for corruptDB.sqlite +>>23 ubyte !32 \b, leaf payload %u +# file change counter +>>24 ubelong x \b, file counter %u +# Size of the database file in pages +>>28 ubelong x \b, database pages %u +# page number of the first freelist trunk page like: 0 2 3 4 5 9 +# 10 13 14 15 16 17 18 19 23 36 39 46 50 136 190 217 307 505 516 561 883 1659 +>>32 ubelong !0 \b, 1st free page %u +# total number of freelist pages +>>36 ubelong !0 \b, free pages %u +# The schema cookie like: 2 3 4 6 7 9 A D E F 13 14 1C 25 2A 2F 33 44 4B 53 5A 5F 62 86 87 8F 91 A8 +>>40 ubelong x \b, cookie %#x +# the schema format number. Supported formats are 1 2 3 and often 4 +# 3328 for corruptDB.sqlite and 0 for 512 byte storage.sqlite (TorBrowser Firefox Thunderbird) +>>44 ubelong x \b, schema %u +# Suggested cache size like: 0 2000 +>>48 ubelong !0 \b, cache page size %u +# The page number of the largest root b-tree page when in auto-vacuum or incremental-vacuum modes, or zero otherwise. +>>52 ubelong !0 \b, largest root page %u +# The database text encoding; a value of 1 means UTF-8; 2 means UTF-16le; 3 means UTF-16be +#>>56 ubelong x \b, encoding %u +>>56 ubelong x +>>>56 ubelong =1 \b, UTF-8 +>>>56 ubelong =2 \b, UTF-16 little endian +>>>56 ubelong =3 \b, UTF-16 big endian +# 0 for corruptDB.sqlite and for storage.sqlite with database pages 1 (TorBrowser Firefox Thunderbird) +# https://mozilla.github.io/firefox-browser-architecture/text/0010-firefox-data-stores.html +>>>56 default x +>>>>56 ubelong x \b, unknown %#x encoding +# True (non-zero) for incremental-vacuum mode; false (zero) otherwiseqy +>>64 ubelong !0 \b, vacuum mode %u +# Reserved for expansion. Must be zero +>>72 uquad !0 \b, reserved %#llx +# The version-valid-for number like: +# 1 2 3 4 C F 68h 95h 266h A99h 3DCDh B7CEh +>>92 ubelong x \b, version-valid-for %u + +# SQLite Write-Ahead Log from SQLite version >= 3.7.0 +# https://www.sqlite.org/fileformat.html#walformat +0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, +!:ext sqlite-wal/db-wal +>4 belong x version %d +# Summary: SQLite Write-Ahead-Log index (shared memory) +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/SQLite +# Reference: http://www.sqlite.org/draft/walformat.html#walidxfmt +# iVersion; WAL-index format version number; always 3007000=2DE218h +0 ulelong 0x002DE218 +>0 use shm-le +# big endian variant not tested +0 ubelong 0x002DE218 +>0 use \^shm-le +# show information about SQLite Write-Ahead-Log shared memory +0 name shm-le +>0 ulelong x SQLite Write-Ahead Log shared memory +#!:mime application/octet-stream +!:mime application/vnd.sqlite3 +# db3-shm Acronis BackupAndRecovery F4CEEE47-042C-4828-95A0-DE44EC267A28.db3-shm +# dbx-shm probably Dropbox filecache.dbx-shm +# aup3-shm Audacity project tada.aup3-shm +# srd-shm Microsoft Windows StateRepository service StateRepository-Deployment.srd-shm StateRepository-Machine.srd-shm: +!:ext sqlite-shm/db-shm/db3-shm/dbx-shm/aup3-shm/srd-shm +# unused padding space; must be zero +>4 ulelong !0 \b, unused %x +# iChange; unsigned integer counter, incremented with each transaction +>8 ulelong x \b, counter %u +# isInit; the "isInit" flag; 1 when the shm file has been initialized +>12 ubyte !1 \b, not initialized %u +# bigEndCksum; true if the WAL file uses big-ending checksums; 0 if the WAL uses little-endian checksums +>13 ubyte !0 \b, checksum type %u +# szPage; database page size in bytes, or 1 if the page size is 65536 +>14 uleshort !1 \b, page size %u +>14 uleshort =1 \b, page size 65536 +# mxFrame; number of valid and committed frames in the WAL file +>16 ulelong x \b, %u frames +# nPage; size of the database file in pages +>20 ulelong x \b, %u pages +# aFrameCksum; checksum of the last frame in the WAL file +>24 ulelong x \b, frame checksum %#x +# aSalt; two salt value copied from the WAL file header in the byte-order of the WAL file; might be different from machine byte-order +>32 ulequad x \b, salt %#llx +# aCksum; checksum over bytes 0 through 39 of this header +>40 ulelong x \b, header checksum %#x +# a copy of bytes 0 through 47 of header +>48 ulelong !3007000 \b, iversion %u +# nBackfill; number of WAL frames that have already been backfilled into the database by prior checkpoints +>96 ulelong !0 \b, %u backfilled +# nBackfillAttempted; number of WAL frames that have attempted to be backfilled +>>128 ulelong x (%u attempts) +# read-mark[0..4]; five "read marks"; each read mark is a 32-bit unsigned integer +>100 ulelong !0 \b, read-mark[0] %#x +>104 ulelong x \b, read-mark[1] %#x +>108 ulelong !0xffffffff \b, read-mark[2] %#x +>112 ulelong !0xffffffff \b, read-mark[3] %#x +>116 ulelong !0xffffffff \b, read-mark[4] %#x +# unused space set aside for 8 file locks +>120 ulequad !0 \b, space %#llx +# unused space reserved for further expansion +>132 ulelong !0 \b, reserved %#x + +# SQLite Rollback Journal +# https://www.sqlite.org/fileformat.html#rollbackjournal +0 string \xd9\xd5\x05\xf9\x20\xa1\x63\xd7 SQLite Rollback Journal + +# Panasonic channel list database svl.bin or svl.db added by Joerg Jenderek +# https://github.com/PredatH0r/ChanSort +0 string PSDB\0 Panasonic channel list DataBase +!:ext db/bin +#!:mime application/x-db-svl-panasonic +>126 string SQLite\ format\ 3 +#!:mime application/x-panasonic-sqlite3 +>>&-15 indirect x \b; contains + +# H2 Database from https://www.h2database.com/ +0 string --\ H2\ 0.5/B\ --\ \n H2 Database file + +# DuckDB database file from https://duckdb.org +8 string DUCK DuckDB database file +>12 lequad x \b, version %lld +#>20 lequad x \b, flags %#llx +#>28 lequad x \b, flags %#llx diff --git a/magic/Magdir/ssh b/magic/Magdir/ssh new file mode 100644 index 0000000..56b28a8 --- /dev/null +++ b/magic/Magdir/ssh @@ -0,0 +1,42 @@ +# Type: OpenSSH key files +# From: Nicolas Collignon <tsointsoin@gmail.com> + +0 string SSH\040PRIVATE\040KEY OpenSSH RSA1 private key, +>28 string >\0 version %s +0 string -----BEGIN\040OPENSSH\040PRIVATE\040KEY----- OpenSSH private key +# https://www.rfc-editor.org/rfc/rfc5958 +0 string -----BEGIN\040PRIVATE\040KEY----- OpenSSH private key (no password) +0 string -----BEGIN\040ENCRYPTED\040PRIVATE\040KEY----- OpenSSH private key (with password) + +0 string ssh-dss\040 OpenSSH DSA public key +0 string ssh-rsa\040 OpenSSH RSA public key +0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key +0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key +0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key +0 string ssh-ed25519 OpenSSH ED25519 public key + +0 string SSHKRL\n\0 +>8 ubelong 1 OpenSSH key/certificate revocation list, format %u +>>12 ubequad x \b, version %llx +>>>20 beqdate x \b, generated %s + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/PuTTY +# Reference: https://the.earth.li/~sgtatham/putty/latest/putty-0.73.tar.gz +# /sshpubk.c +0 string PuTTY-User-Key-File- PuTTY Private Key File +#!:mime text/plain +# https://github.com/github/putty/blob/master/windows/installer.wxs +!:mime application/x-putty-private-key +!:ext ppk +# version 1 or 2 +>20 string x \b, version %.1s +# name of the algorithm like: ssh-dss ssh-rsa ecdsa-sha2-nistp256 ssh-ed25519 +>23 string x \b, algorithm %s +# next line says "Encryption: " plus an encryption type like aes256-cbc or none +>32 search/13 Encryption:\040 \b, Encryption +>>&0 string x %s +# next line says "Comment: " plus the comment string +>>>&0 search/3 Comment:\040 +>>>>&0 string x "%s" + diff --git a/magic/Magdir/ssl b/magic/Magdir/ssl new file mode 100644 index 0000000..2309392 --- /dev/null +++ b/magic/Magdir/ssl @@ -0,0 +1,20 @@ + +#------------------------------------------------------------------------------ +# $File: ssl,v 1.5 2017/12/29 04:00:07 christos Exp $ +# ssl: file(1) magic for SSL file formats + +# Type: OpenSSL certificates/key files +# From: Nicolas Collignon <tsointsoin@gmail.com> + +0 string -----BEGIN\040CERTIFICATE----- PEM certificate +0 string -----BEGIN\040CERTIFICATE\040REQ PEM certificate request +0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key +0 string -----BEGIN\040DSA\040PRIVATE PEM DSA private key +0 string -----BEGIN\040EC\040PRIVATE PEM EC private key +0 string -----BEGIN\040ECDSA\040PRIVATE PEM ECDSA private key + +# From Luc Gommans +# OpenSSL enc file (recognized by a magic string preceding the password's salt) +0 string Salted__ openssl enc'd data with salted password +# Using the -a or -base64 option, OpenSSL will base64-encode the data. +0 string U2FsdGVkX1 openssl enc'd data with salted password, base64 encoded diff --git a/magic/Magdir/statistics b/magic/Magdir/statistics new file mode 100644 index 0000000..ca9f859 --- /dev/null +++ b/magic/Magdir/statistics @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: statistics,v 1.3 2022/03/24 15:48:58 christos Exp $ +# statistics: file(1) magic for statistics related software +# + +# From Remy Rampin + +# Stata is a statistical software tool that was created in 1985. While I +# don't personally use it, data files in its native (proprietary) format +# are common (.dta files). +# +# Because they are so common, especially in statistical and social +# sciences, Stata files and SPSS files can be opened by a lot of modern +# software, for example Python's pandas package provides built-in +# support for them (read_stata() and read_spss()). +# +# I noticed that the magic database includes an entry for SPSS files but +# not Stata files. Stata files for Stata 13 and newer (formats 117, 118, +# and 119) always begin with the string "<stata_dta><header>" as per +# https://www.stata.com/help.cgi?dta#definition +# +# The format version number always follows, for example: +# <stata_dta><header><release>117</release> +# <stata_dta><header><release>118</release> +# +# Therefore the following line would do the trick: +# 0 string <stata_dta><header> Stata Data File +# +# (I'm sure the version number could be captured as well but I did not +# manage this without a regex) +# +# Unfortunately the previous formats (created by Stata before 13, which +# was released 2013) are harder to recognize. Format 115 starts with the +# four bytes 0x73010100 or 0x73020100, format 114 with 0x72010100 or +# 0x72020100, format 113 with 0x71010101 or 0x71020101. +# +# For additional reference, the Library of Congress website has an entry +# for the Stata Data File Format 118: +# https://www.loc.gov/preservation/digital/formats/fdd/fdd000471.shtml +# +# Example of those files can be found on Zenodo: +# https://zenodo.org/search?page=1&size=20&q=&file_type=dta +0 string \<stata_dta\>\<header\>\<release\> Stata Data File +>&0 regex [0-9]+ (Release %s) diff --git a/magic/Magdir/subtitle b/magic/Magdir/subtitle new file mode 100644 index 0000000..cfbe293 --- /dev/null +++ b/magic/Magdir/subtitle @@ -0,0 +1,38 @@ + +#------------------------------------------------------------------------------ +# $File: subtitle,v 1.2 2022/09/07 11:29:09 christos Exp $ +# subtitle: file(1) magic for subtitles files + +# EBU-STL +# https://tech.ebu.ch/docs/tech/tech3264.pdf +3 string STL EBU-STL subtitles +>6 regex =^[0-9][0-9] \b, rate %s +>>8 string .01 \b, v1 +!:mime application/x-ebu-stl +>>>16 regex =^[^\ ]{0,32} \b, title "%s" +>>>>224 regex =^[0-9]{2} \b, created %-.2s +>>>>>&0 regex =^[0-9]{2} \b-%-.2s +>>>>>>&0 regex =^[0-9]{2} \b-%-.2s +!:ext stl + +# SubRip (srt) subtitles +0 regex/20 =^1[\r\n]+0[01]:[0-9]{2}:[0-9]{2},[0-9]{3}\040--> SubRip +!:mime application/x-subrip +!:ext srt + +# WebVTT subtitles +# https://www.w3.org/TR/webvtt1/ +0 string/t WEBVTT +>&0 regex/255 =[0-9]{2}:[0-9]{2}\\.[0-9]{3}\040--> WebVTT subtitles +!:mime text/vtt +!:ext vtt + +# XML TTML subtitles +# https://www.w3.org/TR/ttml2/ +0 string/t \<?xml +>20 search/400 \020xmlns= +>>&0 regex ['"]http://www.w3.org/ns/ttml TTML subtitles +!:mime application/ttml+xml +# Augment strength to beat plain XML +!:strength * 3 +!:ext ttml diff --git a/magic/Magdir/sun b/magic/Magdir/sun new file mode 100644 index 0000000..df83834 --- /dev/null +++ b/magic/Magdir/sun @@ -0,0 +1,141 @@ + +#------------------------------------------------------------------------------ +# $File: sun,v 1.28 2019/04/19 00:42:27 christos Exp $ +# sun: file(1) magic for Sun machines +# +# Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x +# releases. (5.x uses ELF.) Entries for executables without an +# architecture type, used before the 68020-based Sun-3's came out, +# are in aout, as they're indistinguishable from other big-endian +# 32-bit a.out files. +# +0 belong&077777777 0600413 a.out SunOS SPARC demand paged +>0 byte &0x80 +>>20 belong <4096 shared library +>>20 belong =4096 dynamically linked executable +>>20 belong >4096 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0600410 a.out SunOS SPARC pure +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0600407 a.out SunOS SPARC +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0400413 a.out SunOS mc68020 demand paged +>0 byte &0x80 +>>20 belong <4096 shared library +>>20 belong =4096 dynamically linked executable +>>20 belong >4096 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0400410 a.out SunOS mc68020 pure +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0400407 a.out SunOS mc68020 +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0200413 a.out SunOS mc68010 demand paged +>0 byte &0x80 +>>20 belong <4096 shared library +>>20 belong =4096 dynamically linked executable +>>20 belong >4096 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0200410 a.out SunOS mc68010 pure +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +0 belong&077777777 0200407 a.out SunOS mc68010 +>0 byte &0x80 dynamically linked executable +>0 byte ^0x80 executable +>16 belong >0 not stripped + +# +# Core files. "SPARC 4.x BCP" means "core file from a SunOS 4.x SPARC +# binary executed in compatibility mode under SunOS 5.x". +# +0 belong 0x080456 SunOS core file +>4 belong 432 (SPARC) +>>132 string >\0 from '%s' +>>116 belong =3 (quit) +>>116 belong =4 (illegal instruction) +>>116 belong =5 (trace trap) +>>116 belong =6 (abort) +>>116 belong =7 (emulator trap) +>>116 belong =8 (arithmetic exception) +>>116 belong =9 (kill) +>>116 belong =10 (bus error) +>>116 belong =11 (segmentation violation) +>>116 belong =12 (bad argument to system call) +>>116 belong =29 (resource lost) +>>120 belong x (T=%dK, +>>124 belong x D=%dK, +>>128 belong x S=%dK) +>4 belong 826 (68K) +>>128 string >\0 from '%s' +>4 belong 456 (SPARC 4.x BCP) +>>152 string >\0 from '%s' +# Sun SunPC +0 long 0xfa33c08e SunPC 4.0 Hard Disk +0 string #SUNPC_CONFIG SunPC 4.0 Properties Values +# Sun snoop (see RFC 1761, which describes the capture file format, +# RFC 3827, which describes some additional datalink types, and +# https://www.iana.org/assignments/snoop-datalink-types/snoop-datalink-types.xml, +# which is the IANA registry of Snoop datalink types) +# +0 string snoop Snoop capture file +>8 belong >0 - version %d +>12 belong 0 (IEEE 802.3) +>12 belong 1 (IEEE 802.4) +>12 belong 2 (IEEE 802.5) +>12 belong 3 (IEEE 802.6) +>12 belong 4 (Ethernet) +>12 belong 5 (HDLC) +>12 belong 6 (Character synchronous) +>12 belong 7 (IBM channel-to-channel adapter) +>12 belong 8 (FDDI) +>12 belong 9 (Other) +>12 belong 10 (type %d) +>12 belong 11 (type %d) +>12 belong 12 (type %d) +>12 belong 13 (type %d) +>12 belong 14 (type %d) +>12 belong 15 (type %d) +>12 belong 16 (Fibre Channel) +>12 belong 17 (ATM) +>12 belong 18 (ATM Classical IP) +>12 belong 19 (type %d) +>12 belong 20 (type %d) +>12 belong 21 (type %d) +>12 belong 22 (type %d) +>12 belong 23 (type %d) +>12 belong 24 (type %d) +>12 belong 25 (type %d) +>12 belong 26 (IP over Infiniband) +>12 belong >26 (type %d) + +#--------------------------------------------------------------------------- +# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a +# lead Sun/Cobalt developer) who agrees that they are good and worthy of +# inclusion. + +# Boot ROM images for Sun/Cobalt Linux server appliances +0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged COBALT boot rom +>38 string x V%.4s + +# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code +# at the very end where file(1) can't get it. +0 string CRfs COBALT boot rom data (Flat boot rom or file system) diff --git a/magic/Magdir/svf b/magic/Magdir/svf new file mode 100644 index 0000000..b0d5c98 --- /dev/null +++ b/magic/Magdir/svf @@ -0,0 +1,5 @@ +# $File: svf,v 1.2 2023/05/23 13:37:32 christos Exp $ +# +# file(1) magic(5) data for SmartVersion files with the .svf extension. + +0 string DFS\ File\x0D\x0Ahttp://www.difstream.com\x0D\x0A SmartVersion binary patch file diff --git a/magic/Magdir/sylk b/magic/Magdir/sylk new file mode 100644 index 0000000..f497c05 --- /dev/null +++ b/magic/Magdir/sylk @@ -0,0 +1,36 @@ + +#------------------------------------------------------------------------------ +# $File: sylk,v 1.1 2020/04/05 22:18:34 christos Exp $ +# sylk: file(1) magic for SYLK text files + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/SYmbolic_LinK_%28SYLK%29 +# http://fileformats.archiveteam.org/wiki/SYLK +# Note: called by TrID "SYLK - SYmbolic LinK data", +# by DROID "Microsoft Symbolic Link (SYLK) File" +# by FreeDesktop.org "spreadsheet interchange document" +0 string ID;P +# skip short DROID x-fmt-106-signature-id-603.slk +>7 ubyte >0 spreadsheet interchange document +# https://reposcope.com/mimetype/text/spreadsheet +#!:mime text/spreadsheet +# https://reposcope.com/mimetype/application/x-sylk by Gnumeric +!:mime application/x-sylk +!:ext slk/sylk +>>4 ubyte >037 \b, created by +# Gnumeric, pmw~PlanMaker, CALCOOO32~LibreOffice OpenOffice, SCALC3~StarOffice +# MP~Multiplan, XL~Excel WXL~Excel Windows +>>>4 string Gnumeric Gnumeric +>>>4 string pmw PlanMaker +>>>4 string CALCOOO32 Libre/OpenOffice Calc +>>>4 string SCALC3 StarOffice Calc +>>>4 string XL Excel +# Excel, version probably running on Windows +>>>4 string WXL Excel +# not tested +>>>4 string MP Multiplan +# unknown spreadsheet software +>>>4 default x +>>>>4 string x %s + + diff --git a/magic/Magdir/symbos b/magic/Magdir/symbos new file mode 100644 index 0000000..c97a42e --- /dev/null +++ b/magic/Magdir/symbos @@ -0,0 +1,42 @@ + +#------------------------------------------------------------------------------ +# msx: file(1) magic for the SymbOS operating system +# http://www.symbos.de +# Fabio R. Schmidlin <frs@pop.com.br> + +# SymbOS EXE file +0x30 string SymExe SymbOS executable +>0x36 ubyte x v%c +>0x37 ubyte x \b.%c +>0xF string x \b, name: %s + +# SymbOS DOX document +0 string INFOq\0 SymbOS DOX document + +# Symbos driver +0 string SMD1 SymbOS driver +>19 byte x \b, name: %c +>20 byte x \b%c +>21 byte x \b%c +>22 byte x \b%c +>23 byte x \b%c +>24 byte x \b%c +>25 byte x \b%c +>26 byte x \b%c +>27 byte x \b%c +>28 byte x \b%c +>29 byte x \b%c +>30 byte x \b%c +>31 byte x \b%c + +# Symbos video +0 string SymVid SymbOS video +>6 ubyte x v%c +>7 ubyte x \b.%c + +# Soundtrakker 128 ST2 music +0 byte 0 +>0xC string \x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x40\x00 Soundtrakker 128 ST2 music, +>>1 string x name: %s + + diff --git a/magic/Magdir/sysex b/magic/Magdir/sysex new file mode 100644 index 0000000..d02389d --- /dev/null +++ b/magic/Magdir/sysex @@ -0,0 +1,429 @@ + +#------------------------------------------------------------------------ +# $File: sysex,v 1.12 2022/10/31 13:22:26 christos Exp $ +# sysex: file(1) magic for MIDI sysex files +# +# GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems +# where real SYStem EXclusive messages at offset 1 are limited to seven bits +# https://en.wikipedia.org/wiki/MIDI +# test for StartSysEx byte and upper unsed bit of vendor ID +0 ubeshort&0xFF80 0xF000 +# MIDI System Exclusive (SysEx) messages (strength=50) after Microsoft Visual C library (strength=70) +#!:strength +0 +# skip Microsoft Visual C library with page size 16 misidentified as ADA and +# page size 32 misidentified as Inventronics by looking for terminating End Of eXclusive byte (EOX) +>2 search/12 \xF7 +>>0 use midi-sysex +# display information about MIDI System Exclusive (SysEx) messages +0 name midi-sysex +# https://fileinfo.com/extension/syx +>1 ubyte x MIDI audio System Exclusive (SysEx) message - +# Note: file (version 5.41) labeled the above entry as "SysEx File" +#!:mime application/octet-stream +!:mime audio/x-syx +# https://onsongapp.com/docs/features/formats/sysex +!:ext syx/sysex +# https://www.midi.org/specifications-old/item/manufacturer-id-numbers +# https://raw.githubusercontent.com/insolace/MIDI-Sysex-MFG-IDs/master/Sysex%20ID%20Tables/MIDI%20Sysex%20MFG%20IDs.csv +# SysEx manufacturer ID; originally one byte, but now 0 is used as an escapement to reach the next two +# North American Group +#>1 byte 0x01 Sequential +>1 byte 0x01 Sequential Circuits +>1 byte 0x02 IDP +#>1 byte 0x03 OctavePlateau +>1 byte 0x03 Voyetra Turtle Beach +>1 byte 0x04 Moog +#>1 byte 0x05 Passport +>1 byte 0x05 Passport Designs +#>1 byte 0x06 Lexicon +>1 byte 0x06 Lexicon Inc. +>1 byte 0x07 Kurzweil/Future Retro +>>3 byte 0x77 777 +>>4 byte 0x00 Bank +>>4 byte 0x01 Song +>>5 byte 0x0f 16 +>>5 byte 0x0e 15 +>>5 byte 0x0d 14 +>>5 byte 0x0c 13 +>>5 byte 0x0b 12 +>>5 byte 0x0a 11 +>>5 byte 0x09 10 +>>5 byte 0x08 9 +>>5 byte 0x07 8 +>>5 byte 0x06 7 +>>5 byte 0x05 6 +>>5 byte 0x04 5 +>>5 byte 0x03 4 +>>5 byte 0x02 3 +>>5 byte 0x01 2 +>>5 byte 0x00 1 +>>5 byte 0x10 (ALL) +>>2 byte x \b, Channel %d +>1 byte 0x08 Fender +#>1 byte 0x09 Gulbransen +>1 byte 0x09 MIDI9 +#>1 byte 0x0a AKG +>1 byte 0x0a AKG Acoustics +>1 byte 0x0b Voyce +>1 byte 0x0c Waveframe +# not ADA programming language +#>1 byte 0x0d ADA +>1 byte 0x0d ADA Signal Processors Inc. +#>1 byte 0x0e Garfield +>1 byte 0x0e Garfield Electronics +>1 byte 0x0f Ensoniq +>1 byte 0x10 Oberheim +>>2 byte 0x06 Matrix 6 series +>>3 byte 0x0A Dump (All) +>>3 byte 0x01 Dump (Bank) +>>4 belong 0x0002040E Matrix 1000 +>>>11 byte <2 User bank %d +>>>11 byte >1 Preset bank %d +>1 byte 0x11 Apple +>1 byte 0x12 GreyMatter +>1 byte 0x14 PalmTree +>1 byte 0x15 JLCooper +>1 byte 0x16 Lowrey +>1 byte 0x17 AdamsSmith +>1 byte 0x18 E-mu +#>1 byte 0x19 Harmony +>1 byte 0x19 Harmony Systems +>1 byte 0x1a ART +>1 byte 0x1b Baldwin +>1 byte 0x1c Eventide +>1 byte 0x1d Inventronics +>1 byte 0x1f Clarity + +# European Group +#>1 byte 0x21 SIEL +>1 byte 0x21 Proel Labs (SIEL) +>1 byte 0x22 Synthaxe +>1 byte 0x24 Hohner +>1 byte 0x25 Twister +#>1 byte 0x26 Solton +>1 byte 0x26 Ketron s.r.l. +>1 byte 0x27 Jellinghaus +>1 byte 0x28 Southworth +>1 byte 0x29 PPG +>1 byte 0x2a JEN +#>1 byte 0x2b SSL +>1 byte 0x2b Solid State Logic Organ Systems +#>1 byte 0x2c AudioVertrieb +>1 byte 0x2c Audio Veritrieb-P. Struven + +>1 byte 0x2f ELKA +>>3 byte 0x09 EK-44 + +>1 byte 0x30 Dynacord +#>1 byte 0x31 Jomox +>1 byte 0x31 Viscount International Spa +>1 byte 0x33 Clavia +>1 byte 0x39 Soundcraft +# Some Waldorf info from http://Stromeko.Synth.net/Downloads#WaldorfDocs +>1 byte 0x3e Waldorf +>>2 byte 0x00 microWave +>>2 byte 0x0E microwave2 / XT +>>2 byte 0x0F Q / Q+ +>>3 byte =0 (default id) +>>3 byte >0 ( +>>>3 byte <0x7F \bdevice %d) +>>>3 byte =0x7F \bbroadcast id) +>>3 byte 0x7f Microwave I +>>>4 byte 0x00 SNDR (Sound Request) +>>>4 byte 0x10 SNDD (Sound Dump) +>>>4 byte 0x20 SNDP (Sound Parameter Change) +>>>4 byte 0x30 SNDQ (Sound Parameter Inquiry) +>>>4 byte 0x70 BOOT (Sound Reserved) +>>>4 byte 0x01 MULR (Multi Request) +>>>4 byte 0x11 MULD (Multi Dump) +>>>4 byte 0x21 MULP (Multi Parameter Change) +>>>4 byte 0x31 MULQ (Multi Parameter Inquiry) +>>>4 byte 0x71 OS (Multi Reserved) +>>>4 byte 0x02 DRMR (Drum Map Request) +>>>4 byte 0x12 DRMD (Drum Map Dump) +>>>4 byte 0x22 DRMP (Drum Map Parameter Change) +>>>4 byte 0x32 DRMQ (Drum Map Parameter Inquiry) +>>>4 byte 0x72 BIN (Drum Map Reserved) +>>>4 byte 0x03 PATR (Sequencer Pattern Request) +>>>4 byte 0x13 PATD (Sequencer Pattern Dump) +>>>4 byte 0x23 PATP (Sequencer Pattern Parameter Change) +>>>4 byte 0x33 PATQ (Sequencer Pattern Parameter Inquiry) +>>>4 byte 0x73 AFM (Sequencer Pattern Reserved) +>>>4 byte 0x04 GLBR (Global Parameter Request) +>>>4 byte 0x14 GLBD (Global Parameter Dump) +>>>4 byte 0x24 GLBP (Global Parameter Parameter Change) +>>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) +>>>4 byte 0x07 MODR (Mode Parameter Request) +>>>4 byte 0x17 MODD (Mode Parameter Dump) +>>>4 byte 0x27 MODP (Mode Parameter Parameter Change) +>>>4 byte 0x37 MODQ (Mode Parameter Parameter Inquiry) +>>2 byte 0x10 microQ +>>>4 byte 0x00 SNDR (Sound Request) +>>>4 byte 0x10 SNDD (Sound Dump) +>>>4 byte 0x20 SNDP (Sound Parameter Change) +>>>4 byte 0x30 SNDQ (Sound Parameter Inquiry) +>>>4 byte 0x70 (Sound Reserved) +>>>4 byte 0x01 MULR (Multi Request) +>>>4 byte 0x11 MULD (Multi Dump) +>>>4 byte 0x21 MULP (Multi Parameter Change) +>>>4 byte 0x31 MULQ (Multi Parameter Inquiry) +>>>4 byte 0x71 OS (Multi Reserved) +>>>4 byte 0x02 DRMR (Drum Map Request) +>>>4 byte 0x12 DRMD (Drum Map Dump) +>>>4 byte 0x22 DRMP (Drum Map Parameter Change) +>>>4 byte 0x32 DRMQ (Drum Map Parameter Inquiry) +>>>4 byte 0x72 BIN (Drum Map Reserved) +>>>4 byte 0x04 GLBR (Global Parameter Request) +>>>4 byte 0x14 GLBD (Global Parameter Dump) +>>>4 byte 0x24 GLBP (Global Parameter Parameter Change) +>>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) +>>2 byte 0x11 rackAttack +>>>4 byte 0x00 SNDR (Sound Parameter Request) +>>>4 byte 0x10 SNDD (Sound Parameter Dump) +>>>4 byte 0x20 SNDP (Sound Parameter Parameter Change) +>>>4 byte 0x30 SNDQ (Sound Parameter Parameter Inquiry) +>>>4 byte 0x01 PRGR (Program Parameter Request) +>>>4 byte 0x11 PRGD (Program Parameter Dump) +>>>4 byte 0x21 PRGP (Program Parameter Parameter Change) +>>>4 byte 0x31 PRGQ (Program Parameter Parameter Inquiry) +>>>4 byte 0x71 OS (Program Parameter Reserved) +>>>4 byte 0x03 PATR (Pattern Parameter Request) +>>>4 byte 0x13 PATD (Pattern Parameter Dump) +>>>4 byte 0x23 PATP (Pattern Parameter Parameter Change) +>>>4 byte 0x33 PATQ (Pattern Parameter Parameter Inquiry) +>>>4 byte 0x04 GLBR (Global Parameter Request) +>>>4 byte 0x14 GLBD (Global Parameter Dump) +>>>4 byte 0x24 GLBP (Global Parameter Parameter Change) +>>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) +>>>4 byte 0x05 EFXR (FX Parameter Request) +>>>4 byte 0x15 EFXD (FX Parameter Dump) +>>>4 byte 0x25 EFXP (FX Parameter Parameter Change) +>>>4 byte 0x35 EFXQ (FX Parameter Parameter Inquiry) +>>>4 byte 0x07 MODR (Mode Command Request) +>>>4 byte 0x17 MODD (Mode Command Dump) +>>>4 byte 0x27 MODP (Mode Command Parameter Change) +>>>4 byte 0x37 MODQ (Mode Command Parameter Inquiry) +>>2 byte 0x03 Wave +>>>4 byte 0x00 SBPR (Soundprogram) +>>>4 byte 0x01 SAPR (Performance) +>>>4 byte 0x02 SWAVE (Wave) +>>>4 byte 0x03 SWTBL (Wave control table) +>>>4 byte 0x04 SVT (Velocity Curve) +>>>4 byte 0x05 STT (Tuning Table) +>>>4 byte 0x06 SGLB (Global Parameters) +>>>4 byte 0x07 SARRMAP (Performance Program Change Map) +>>>4 byte 0x08 SBPRMAP (Sound Program Change Map) +>>>4 byte 0x09 SBPRPAR (Sound Parameter) +>>>4 byte 0x0A SARRPAR (Performance Parameter) +>>>4 byte 0x0B SINSPAR (Instrument/External Parameter) +>>>4 byte 0x0F SBULK (Bulk Switch on/off) + +# Japanese Group +>1 byte 0x40 Kawai +>>3 byte 0x20 K1 +>>3 byte 0x22 K4 + +>1 byte 0x41 Roland +>>3 byte 0x14 D-50 +>>3 byte 0x2b U-220 +>>3 byte 0x02 TR-707 + +>1 byte 0x42 Korg +>>3 byte 0x19 M1 + +>1 byte 0x43 Yamaha +>1 byte 0x44 Casio +>1 byte 0x46 Kamiya +>1 byte 0x47 Akai +#>1 byte 0x48 Victor +>1 byte 0x48 Victor Company of Japan. Ltd. +>1 byte 0x49 Mesosha +>1 byte 0x4b Fujitsu +>1 byte 0x4c Sony +>1 byte 0x4e Teac +>1 byte 0x50 Matsushita +>1 byte 0x51 Fostex +#>1 byte 0x52 Zoom +>1 byte 0x52 Zoom Corporation +>1 byte 0x54 Matsushita +>1 byte 0x57 Acoustic tech. lab. +# https://www.midi.org/techspecs/manid.php +>1 belong&0xffffff00 0x00007400 Ta Horng +>1 belong&0xffffff00 0x00007500 e-Tek +>1 belong&0xffffff00 0x00007600 E-Voice +>1 belong&0xffffff00 0x00007700 Midisoft +>1 belong&0xffffff00 0x00007800 Q-Sound +>1 belong&0xffffff00 0x00007900 Westrex +>1 belong&0xffffff00 0x00007a00 Nvidia* +>1 belong&0xffffff00 0x00007b00 ESS +>1 belong&0xffffff00 0x00007c00 Mediatrix +>1 belong&0xffffff00 0x00007d00 Brooktree +>1 belong&0xffffff00 0x00007e00 Otari +>1 belong&0xffffff00 0x00007f00 Key Electronics +>1 belong&0xffffff00 0x00010000 Shure +>1 belong&0xffffff00 0x00010100 AuraSound +>1 belong&0xffffff00 0x00010200 Crystal +>1 belong&0xffffff00 0x00010300 Rockwell +>1 belong&0xffffff00 0x00010400 Silicon Graphics +>1 belong&0xffffff00 0x00010500 Midiman +>1 belong&0xffffff00 0x00010600 PreSonus +>1 belong&0xffffff00 0x00010800 Topaz +>1 belong&0xffffff00 0x00010900 Cast Lightning +>1 belong&0xffffff00 0x00010a00 Microsoft +>1 belong&0xffffff00 0x00010b00 Sonic Foundry +>1 belong&0xffffff00 0x00010c00 Line 6 +>1 belong&0xffffff00 0x00010d00 Beatnik Inc. +>1 belong&0xffffff00 0x00010e00 Van Koerving +>1 belong&0xffffff00 0x00010f00 Altech Systems +>1 belong&0xffffff00 0x00011000 S & S Research +>1 belong&0xffffff00 0x00011100 VLSI Technology +>1 belong&0xffffff00 0x00011200 Chromatic +>1 belong&0xffffff00 0x00011300 Sapphire +>1 belong&0xffffff00 0x00011400 IDRC +>1 belong&0xffffff00 0x00011500 Justonic Tuning +>1 belong&0xffffff00 0x00011600 TorComp +>1 belong&0xffffff00 0x00011700 Newtek Inc. +>1 belong&0xffffff00 0x00011800 Sound Sculpture +>1 belong&0xffffff00 0x00011900 Walker Technical +>1 belong&0xffffff00 0x00011a00 Digital Harmony +>1 belong&0xffffff00 0x00011b00 InVision +>1 belong&0xffffff00 0x00011c00 T-Square +>1 belong&0xffffff00 0x00011d00 Nemesys +>1 belong&0xffffff00 0x00011e00 DBX +>1 belong&0xffffff00 0x00011f00 Syndyne +>1 belong&0xffffff00 0x00012000 Bitheadz +>1 belong&0xffffff00 0x00012100 Cakewalk +>1 belong&0xffffff00 0x00012200 Staccato +>1 belong&0xffffff00 0x00012300 National Semicon. +>1 belong&0xffffff00 0x00012400 Boom Theory +>1 belong&0xffffff00 0x00012500 Virtual DSP Corp +>1 belong&0xffffff00 0x00012600 Antares +>1 belong&0xffffff00 0x00012700 Angel Software +>1 belong&0xffffff00 0x00012800 St Louis Music +>1 belong&0xffffff00 0x00012900 Lyrrus dba G-VOX +>1 belong&0xffffff00 0x00012a00 Ashley Audio +>1 belong&0xffffff00 0x00012b00 Vari-Lite +>1 belong&0xffffff00 0x00012c00 Summit Audio +>1 belong&0xffffff00 0x00012d00 Aureal Semicon. +>1 belong&0xffffff00 0x00012e00 SeaSound +>1 belong&0xffffff00 0x00012f00 U.S. Robotics +>1 belong&0xffffff00 0x00013000 Aurisis +>1 belong&0xffffff00 0x00013100 Nearfield Multimedia +>1 belong&0xffffff00 0x00013200 FM7 Inc. +>1 belong&0xffffff00 0x00013300 Swivel Systems +>1 belong&0xffffff00 0x00013400 Hyperactive +>1 belong&0xffffff00 0x00013500 MidiLite +>1 belong&0xffffff00 0x00013600 Radical +>1 belong&0xffffff00 0x00013700 Roger Linn +>1 belong&0xffffff00 0x00013800 Helicon +>1 belong&0xffffff00 0x00013900 Event +>1 belong&0xffffff00 0x00013a00 Sonic Network +>1 belong&0xffffff00 0x00013b00 Realtime Music +>1 belong&0xffffff00 0x00013c00 Apogee Digital + +>1 belong&0xffffff00 0x00202b00 Medeli Electronics +>1 belong&0xffffff00 0x00202c00 Charlie Lab +>1 belong&0xffffff00 0x00202d00 Blue Chip Music +>1 belong&0xffffff00 0x00202e00 BEE OH Corp +>1 belong&0xffffff00 0x00202f00 LG Semicon America +>1 belong&0xffffff00 0x00203000 TESI +>1 belong&0xffffff00 0x00203100 EMAGIC +>1 belong&0xffffff00 0x00203200 Behringer +>1 belong&0xffffff00 0x00203300 Access Music +>1 belong&0xffffff00 0x00203400 Synoptic +>1 belong&0xffffff00 0x00203500 Hanmesoft Corp +>1 belong&0xffffff00 0x00203600 Terratec +>1 belong&0xffffff00 0x00203700 Proel SpA +>1 belong&0xffffff00 0x00203800 IBK MIDI +>1 belong&0xffffff00 0x00203900 IRCAM +>1 belong&0xffffff00 0x00203a00 Propellerhead Software +>1 belong&0xffffff00 0x00203b00 Red Sound Systems +>1 belong&0xffffff00 0x00203c00 Electron ESI AB +>1 belong&0xffffff00 0x00203d00 Sintefex Audio +>1 belong&0xffffff00 0x00203e00 Music and More +>1 belong&0xffffff00 0x00203f00 Amsaro +>1 belong&0xffffff00 0x00204000 CDS Advanced Technology +>1 belong&0xffffff00 0x00204100 Touched by Sound +>1 belong&0xffffff00 0x00204200 DSP Arts +>1 belong&0xffffff00 0x00204300 Phil Rees Music +>1 belong&0xffffff00 0x00204400 Stamer Musikanlagen GmbH +>1 belong&0xffffff00 0x00204500 Soundart +>1 belong&0xffffff00 0x00204600 C-Mexx Software +>1 belong&0xffffff00 0x00204700 Klavis Tech. +>1 belong&0xffffff00 0x00204800 Noteheads AB + +# Update: Joerg Jenderek; January 2022 +>1 byte 0x00 ID EXTENSIONS +>1 byte 0x13 Digidesign Inc. +>1 byte 0x1e Key Concepts +>1 byte 0x20 Passac +>1 byte 0x23 Stepp +>1 byte 0x2d Neve +>1 byte 0x2e Soundtracs Ltd. +>1 byte 0x32 Drawmer +>1 byte 0x34 Audio Architecture +>1 byte 0x35 Generalmusic Corp SpA +>1 byte 0x36 Cheetah Marketing +>1 byte 0x37 C.T.M. +>1 byte 0x38 Simmons UK +>1 byte 0x3a Steinberg +>1 byte 0x3b Wersi GmbH +>1 byte 0x3c AVAB Niethammer AB +>1 byte 0x3d Digigram +>1 byte 0x3f Quasimidi +# +>1 byte 0x40 Kawai Musical Instruments MFG. CO. Ltd +#>1 byte 0x45 foo +#>1 byte 0x4a foo +#>1 byte 0x4d foo +#>1 byte 0x4f foo +#>1 byte 0x53 foo +>1 byte 0x55 Suzuki Musical Instruments MFG. Co. Ltd. +>1 byte 0x56 Fuji Sound Corporation Ltd. +#>1 byte 0x58 foo +>1 byte 0x59 Faith. Inc. +>1 byte 0x5a Internet Corporation +#>1 byte 0x5b foo +>1 byte 0x5c Seekers Co. Ltd. +#>1 byte 0x5d foo +#>1 byte 0x5e foo +>1 byte 0x5f SD Card Association +# Reserved for other uses for 60H to 7FH +# URL: https://www.philscomputerlab.com/roland-midi-emulator-project-20.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/syx--midiemu.trid.xml +# Note: called by TrID "MIDI Emulator Project SysEx preset command" +>1 byte 0x66 MIDI Emulator +# https://electronicmusic.fandom.com/wiki/List_of_MIDI_Manufacturer_IDs +# Educational, prototyping, test, private use and experimentation +>1 byte 0x7D PROTOTYPING +# universal non-real-time (sample dump, tuning table, etc.) +>1 byte 0x7E UNIVERSAL +# universal real time (MIDI time code, MIDI Machine control, etc.) +>1 byte 0x7F universal real time +# display information about End Of eXclusive byte (EOX=F7) +#>2 ubyte 0xF7 \b, at 2 EOX +#>3 ubyte 0xF7 \b, at 3 EOX +# https://tttapa.github.io/Control-Surface-doc/new-input/Doxygen/d2/d93/SysEx-Send-Receive_8ino-example.html +>4 ubyte 0xF7 \b, at 4 EOX +# http://www.1manband.nl/tutorials2/sysex.htm +>5 ubyte 0xF7 \b, at 5 EOX +# http://www.somascape.org/midi/tech/mfile.html#sysex +>6 ubyte 0xF7 \b, at 6 EOX +# +>7 ubyte 0xF7 \b, at 7 EOX +# https://webmidijs.org/forum/discussion/34/how-to-send-or-receive-system-exclusive-messages +>8 ubyte 0xF7 \b, at 8 EOX +# +>9 ubyte 0xF7 \b, at 9 EOX +# https://www.chd-el.cz/wp-content/uploads/845010_syxcom.pdf +>10 ubyte 0xF7 \b, at 10 EOX +# https://stackoverflow.com/questions/52906076/handling-midi-the-input-of-multiple-system-exclusive-messages-in-vb +>11 ubyte 0xF7 \b, at 11 EOX +# https://www.2writers.com/eddie/TutSysEx.htm +>12 ubyte 0xF7 \b, at 12 EOX +>13 ubyte 0xF7 \b, at 13 EOX +# http://www.chromakinetics.com/handsonic/rolSysEx.htm +>14 ubyte 0xF7 \b, at 14 EOX +#>15 ubyte 0xF7 \b, at 15 EOX + +0 string T707 Roland TR-707 Data diff --git a/magic/Magdir/tcl b/magic/Magdir/tcl new file mode 100644 index 0000000..edc3ec4 --- /dev/null +++ b/magic/Magdir/tcl @@ -0,0 +1,29 @@ +#------------------------------------------------------------------------------ +# file: file(1) magic for Tcl scripting language +# URL: https://www.tcl.tk/ +# From: gustaf neumann + +# Tcl scripts +0 search/1/w #!\ /usr/bin/tcl Tcl script text executable +!:mime text/x-tcl +0 search/1/w #!\ /usr/local/bin/tcl Tcl script text executable +!:mime text/x-tcl +0 search/1 #!/usr/bin/env\ tcl Tcl script text executable +!:mime text/x-tcl +0 search/1 #!\ /usr/bin/env\ tcl Tcl script text executable +!:mime text/x-tcl +0 search/1/w #!\ /usr/bin/wish Tcl/Tk script text executable +!:mime text/x-tcl +0 search/1/w #!\ /usr/local/bin/wish Tcl/Tk script text executable +!:mime text/x-tcl +0 search/1 #!/usr/bin/env\ wish Tcl/Tk script text executable +!:mime text/x-tcl +0 search/1 #!\ /usr/bin/env\ wish Tcl/Tk script text executable +!:mime text/x-tcl + +# check the first line +0 search/1 package\ req +>0 regex \^package[\ \t]+req Tcl script +# not 'p', check other lines +0 search/1 !p +>0 regex \^package[\ \t]+req Tcl script diff --git a/magic/Magdir/teapot b/magic/Magdir/teapot new file mode 100644 index 0000000..b6577b6 --- /dev/null +++ b/magic/Magdir/teapot @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: teapot,v 1.4 2009/09/19 16:28:12 christos Exp $ +# teapot: file(1) magic for "teapot" spreadsheet +# +0 string #!teapot\012xdr teapot work sheet (XDR format) diff --git a/magic/Magdir/terminfo b/magic/Magdir/terminfo new file mode 100644 index 0000000..41704eb --- /dev/null +++ b/magic/Magdir/terminfo @@ -0,0 +1,63 @@ + +#------------------------------------------------------------------------------ +# $File: terminfo,v 1.13 2022/11/21 22:25:37 christos Exp $ +# terminfo: file(1) magic for terminfo +# +# URL: https://invisible-island.net/ncurses/man/term.5.html +# URL: https://invisible-island.net/ncurses/man/scr_dump.5.html +# +# Workaround for Targa image type by Joerg Jenderek +# GRR: line below too general as it catches also +# Targa image type 1 with 26 long identification field +# and HELP.DSK +0 string \032\001 +# 5th character of terminal name list, but not Targa image pixel size (15 16 24 32) +>16 ubyte >32 +# namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1" +>>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s" +!:mime application/x-terminfo +# no extension +#!:ext +# +#------------------------------------------------------------------------------ +# The following was added for ncurses6 development: +#------------------------------------------------------------------------------ +# +0 string \036\002 +# imitate the legacy compiled-format, to get the entry-name printed +>16 ubyte >32 +# namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0. 4.1" +>>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled 32-bit terminfo entry "%-s" +!:mime application/x-terminfo2 +# +# While the compiled terminfo uses little-endian format regardless of +# platform, SystemV screen dumps do not. They came later, and that detail was +# overlooked. +# +# AIX and HPUX use the SVr4 big-endian format +# Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) +0 beshort 0433 SVr2 curses screen image, big-endian +# GRR: line below too general as it catches Commodore C128 program (crc32.prg XLINK.PRG) with start address 1C01h handled by ./c64 +0 beshort 0434 SVr3 curses screen image, big-endian +0 beshort 0435 SVr4 curses screen image, big-endian +# +0 leshort 0433 SVr2 curses screen image, little-endian +0 leshort 0434 SVr3 curses screen image, little-endian +0 leshort 0435 SVr4 curses screen image, little-endian +# +# Rather than SVr4, Solaris "xcurses" writes this header: +0 regex \^MAX=[0-9]+,[0-9]+$ +>1 regex \^BEG=[0-9]+,[0-9]+$ +>2 regex \^SCROLL=[0-9]+,[0-9]+$ +>3 regex \^VMIN=[0-9]+$ +>4 regex \^VTIME=[0-9]+$ +>5 regex \^FLAGS=0x[[:xdigit:]]+$ +>6 regex \^FG=[0-9],[0-9]+$ +>7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image +# +# ncurses5 (and before) did not use a magic number, making screen dumps "data". +# ncurses6 (2015) uses this format, ignoring byte-order +0 string \210\210\210\210ncurses ncurses6 screen image +# +# PDCurses added this in 2005 +0 string PDC\001 PDCurses screen image diff --git a/magic/Magdir/tex b/magic/Magdir/tex new file mode 100644 index 0000000..e66f8ff --- /dev/null +++ b/magic/Magdir/tex @@ -0,0 +1,141 @@ + +#------------------------------------------------------------------------------ +# $File: tex,v 1.22 2022/12/21 16:50:04 christos Exp $ +# tex: file(1) magic for TeX files +# +# XXX - needs byte-endian stuff (big-endian and little-endian DVI?) +# +# From <conklin@talisman.kaleida.com> + +# Although we may know the offset of certain text fields in TeX DVI +# and font files, we can't use them reliably because they are not +# zero terminated. [but we do anyway, christos] +0 string \367\002 +>(14.b+15) string \213 +>>14 pstring >\0 TeX DVI file (%s) +!:mime application/x-dvi +0 string \367\203 TeX generic font data +0 string \367\131 TeX packed font data +>3 string >\0 (%s) +0 string \367\312 +>(2.b+11) string \363 TeX virtual font data +0 search/1 This\ is\ TeX, TeX transcript text +0 search/1 This\ is\ METAFONT, METAFONT transcript text + +# There is no way to detect TeX Font Metric (*.tfm) files without +# breaking them apart and reading the data. The following patterns +# match most *.tfm files generated by METAFONT or afm2tfm. +2 string \000\021 TeX font metric data +!:mime application/x-tex-tfm +>33 string >\0 (%s) +2 string \000\022 TeX font metric data +!:mime application/x-tex-tfm +>33 string >\0 (%s) + +# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) +0 search/1 \\input\ texinfo Texinfo source text +!:mime text/x-texinfo +0 search/1 This\ is\ Info\ file GNU Info text +!:mime text/x-info + +# TeX documents, from Daniel Quinlan (quinlan@yggdrasil.com) +0 search/4096 \\input TeX document text +!:mime text/x-tex +!:strength + 15 +0 search/4096 \\begin LaTeX document text +!:mime text/x-tex +!:strength + 15 +0 search/4096 \\section LaTeX document text +!:mime text/x-tex +!:strength + 18 +0 search/4096 \\setlength LaTeX document text +!:mime text/x-tex +!:strength + 15 +0 search/4096 \\documentstyle LaTeX document text +!:mime text/x-tex +!:strength + 18 +0 search/4096 \\chapter LaTeX document text +!:mime text/x-tex +!:strength + 18 +0 search/4096 \\documentclass LaTeX 2e document text +!:mime text/x-tex +!:strength + 15 +0 search/4096 \\relax LaTeX auxiliary file +!:mime text/x-tex +!:strength + 15 +0 search/4096 \\contentsline LaTeX table of contents +!:mime text/x-tex +!:strength + 15 +0 search/4096 %\ -*-latex-*- LaTeX document text +!:mime text/x-tex + +# Tex document, from Hendrik Scholz <hendrik@scholz.net> +0 search/1 \\ifx TeX document text + +# Index and glossary files +0 search/4096 \\indexentry LaTeX raw index file +0 search/4096 \\begin{theindex} LaTeX sorted index +0 search/4096 \\glossaryentry LaTeX raw glossary +0 search/4096 \\begin{theglossary} LaTeX sorted glossary +0 search/4096 This\ is\ makeindex Makeindex log file + +# End of TeX + +#------------------------------------------------------------------------------ +# file(1) magic for BibTex text files +# From Hendrik Scholz <hendrik@scholz.net> + +0 search/1/c @article{ BibTeX text file +0 search/1/c @book{ BibTeX text file +0 search/1/c @inbook{ BibTeX text file +0 search/1/c @incollection{ BibTeX text file +0 search/1/c @inproceedings{ BibTeX text file +0 search/1/c @manual{ BibTeX text file +0 search/1/c @misc{ BibTeX text file +0 search/1/c @preamble{ BibTeX text file +0 search/1/c @phdthesis{ BibTeX text file +0 search/1/c @techreport{ BibTeX text file +0 search/1/c @unpublished{ BibTeX text file + +73 search/1 %%%\ \ BibTeX-file{ BibTex text file (with full header) + +73 search/1 %%%\ \ @BibTeX-style-file{ BibTeX style text file (with full header) + +0 search/1 %\ BibTeX\ standard\ bibliography\ BibTeX standard bibliography style text file + +0 search/1 %\ BibTeX\ ` BibTeX custom bibliography style text file + +0 search/1 @c\ @mapfile{ TeX font aliases text file + +0 string #LyX LyX document text + +# ConTeXt documents +# https://wiki.contextgarden.net/ +0 search/4096 \\setupcolors[ ConTeXt document text +!:strength + 15 +0 search/4096 \\definecolor[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupinteraction[ ConTeXt document text +!:strength + 15 +0 search/4096 \\useURL[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuppapersize[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuplayout[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupfooter[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupfootertexts[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuppagenumbering[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupbodyfont[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuphead[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupitemize[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupwhitespace[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupindenting[ ConTeXt document text +!:strength + 15 diff --git a/magic/Magdir/tgif b/magic/Magdir/tgif new file mode 100644 index 0000000..e80b3a7 --- /dev/null +++ b/magic/Magdir/tgif @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: tgif,v 1.7 2010/09/20 19:03:46 rrt Exp $ +# file(1) magic for tgif(1) files +# From Hendrik Scholz <hendrik@scholz.net> +0 string %TGIF\ Tgif file version +>6 string x %s diff --git a/magic/Magdir/ti-8x b/magic/Magdir/ti-8x new file mode 100644 index 0000000..b05c5c9 --- /dev/null +++ b/magic/Magdir/ti-8x @@ -0,0 +1,239 @@ + +#------------------------------------------------------------------------------ +# $File: ti-8x,v 1.8 2020/02/12 22:13:01 christos Exp $ +# ti-8x: file(1) magic for the TI-8x and TI-9x Graphing Calculators. +# +# From: Ryan McGuire (rmcguire@freenet.columbus.oh.us). +# +# Update: Romain Lievin (roms@lpg.ticalc.org). +# +# NOTE: This list is not complete. +# Files for the TI-80 and TI-81 are pretty rare. I'm not going to put the +# program/group magic numbers in here because I cannot find any. +0 string **TI80** TI-80 Graphing Calculator File. +0 string **TI81** TI-81 Graphing Calculator File. +# +# Magic Numbers for the TI-73 +# +0 string **TI73** TI-73 Graphing Calculator +>0x00003B byte 0x00 (real number) +>0x00003B byte 0x01 (list) +>0x00003B byte 0x02 (matrix) +>0x00003B byte 0x03 (equation) +>0x00003B byte 0x04 (string) +>0x00003B byte 0x05 (program) +>0x00003B byte 0x06 (assembly program) +>0x00003B byte 0x07 (picture) +>0x00003B byte 0x08 (gdb) +>0x00003B byte 0x0C (complex number) +>0x00003B byte 0x0F (window settings) +>0x00003B byte 0x10 (zoom) +>0x00003B byte 0x11 (table setup) +>0x00003B byte 0x13 (backup) + +# Magic Numbers for the TI-82 +# +0 string **TI82** TI-82 Graphing Calculator +>0x00003B byte 0x00 (real) +>0x00003B byte 0x01 (list) +>0x00003B byte 0x02 (matrix) +>0x00003B byte 0x03 (Y-variable) +>0x00003B byte 0x05 (program) +>0x00003B byte 0x06 (protected prgm) +>0x00003B byte 0x07 (picture) +>0x00003B byte 0x08 (gdb) +>0x00003B byte 0x0B (window settings) +>0x00003B byte 0x0C (window settings) +>0x00003B byte 0x0D (table setup) +>0x00003B byte 0x0E (screenshot) +>0x00003B byte 0x0F (backup) +# +# Magic Numbers for the TI-83 +# +0 string **TI83** TI-83 Graphing Calculator +>0x00003B byte 0x00 (real) +>0x00003B byte 0x01 (list) +>0x00003B byte 0x02 (matrix) +>0x00003B byte 0x03 (Y-variable) +>0x00003B byte 0x04 (string) +>0x00003B byte 0x05 (program) +>0x00003B byte 0x06 (protected prgm) +>0x00003B byte 0x07 (picture) +>0x00003B byte 0x08 (gdb) +>0x00003B byte 0x0B (window settings) +>0x00003B byte 0x0C (window settings) +>0x00003B byte 0x0D (table setup) +>0x00003B byte 0x0E (screenshot) +>0x00003B byte 0x13 (backup) +# +# Magic Numbers for the TI-83+ +# +0 string **TI83F* TI-83+ Graphing Calculator +>0x00003B byte 0x00 (real number) +>0x00003B byte 0x01 (list) +>0x00003B byte 0x02 (matrix) +>0x00003B byte 0x03 (equation) +>0x00003B byte 0x04 (string) +>0x00003B byte 0x05 (program) +>0x00003B byte 0x06 (assembly program) +>0x00003B byte 0x07 (picture) +>0x00003B byte 0x08 (gdb) +>0x00003B byte 0x0C (complex number) +>0x00003B byte 0x0F (window settings) +>0x00003B byte 0x10 (zoom) +>0x00003B byte 0x11 (table setup) +>0x00003B byte 0x13 (backup) +>0x00003B byte 0x15 (application variable) +>0x00003B byte 0x17 (group of variable) + +# +# Magic Numbers for the TI-85 +# +0 string **TI85** TI-85 Graphing Calculator +>0x00003B byte 0x00 (real number) +>0x00003B byte 0x01 (complex number) +>0x00003B byte 0x02 (real vector) +>0x00003B byte 0x03 (complex vector) +>0x00003B byte 0x04 (real list) +>0x00003B byte 0x05 (complex list) +>0x00003B byte 0x06 (real matrix) +>0x00003B byte 0x07 (complex matrix) +>0x00003B byte 0x08 (real constant) +>0x00003B byte 0x09 (complex constant) +>0x00003B byte 0x0A (equation) +>0x00003B byte 0x0C (string) +>0x00003B byte 0x0D (function GDB) +>0x00003B byte 0x0E (polar GDB) +>0x00003B byte 0x0F (parametric GDB) +>0x00003B byte 0x10 (diffeq GDB) +>0x00003B byte 0x11 (picture) +>0x00003B byte 0x12 (program) +>0x00003B byte 0x13 (range) +>0x00003B byte 0x17 (window settings) +>0x00003B byte 0x18 (window settings) +>0x00003B byte 0x19 (window settings) +>0x00003B byte 0x1A (window settings) +>0x00003B byte 0x1B (zoom) +>0x00003B byte 0x1D (backup) +>0x00003B byte 0x1E (unknown) +>0x00003B byte 0x2A (equation) +>0x000032 string ZS4 - ZShell Version 4 File. +>0x000032 string ZS3 - ZShell Version 3 File. +# +# Magic Numbers for the TI-86 +# +0 string **TI86** TI-86 Graphing Calculator +>0x00003B byte 0x00 (real number) +>0x00003B byte 0x01 (complex number) +>0x00003B byte 0x02 (real vector) +>0x00003B byte 0x03 (complex vector) +>0x00003B byte 0x04 (real list) +>0x00003B byte 0x05 (complex list) +>0x00003B byte 0x06 (real matrix) +>0x00003B byte 0x07 (complex matrix) +>0x00003B byte 0x08 (real constant) +>0x00003B byte 0x09 (complex constant) +>0x00003B byte 0x0A (equation) +>0x00003B byte 0x0C (string) +>0x00003B byte 0x0D (function GDB) +>0x00003B byte 0x0E (polar GDB) +>0x00003B byte 0x0F (parametric GDB) +>0x00003B byte 0x10 (diffeq GDB) +>0x00003B byte 0x11 (picture) +>0x00003B byte 0x12 (program) +>0x00003B byte 0x13 (range) +>0x00003B byte 0x17 (window settings) +>0x00003B byte 0x18 (window settings) +>0x00003B byte 0x19 (window settings) +>0x00003B byte 0x1A (window settings) +>0x00003B byte 0x1B (zoom) +>0x00003B byte 0x1D (backup) +>0x00003B byte 0x1E (unknown) +>0x00003B byte 0x2A (equation) +# +# Magic Numbers for the TI-89 +# +0 string **TI89** TI-89 Graphing Calculator +>0x000048 byte 0x00 (expression) +>0x000048 byte 0x04 (list) +>0x000048 byte 0x06 (matrix) +>0x000048 byte 0x0A (data) +>0x000048 byte 0x0B (text) +>0x000048 byte 0x0C (string) +>0x000048 byte 0x0D (graphic data base) +>0x000048 byte 0x0E (figure) +>0x000048 byte 0x10 (picture) +>0x000048 byte 0x12 (program) +>0x000048 byte 0x13 (function) +>0x000048 byte 0x14 (macro) +>0x000048 byte 0x1C (zipped) +>0x000048 byte 0x21 (assembler) +# +# Magic Numbers for the TI-92 +# +0 string **TI92** TI-92 Graphing Calculator +>0x000048 byte 0x00 (expression) +>0x000048 byte 0x04 (list) +>0x000048 byte 0x06 (matrix) +>0x000048 byte 0x0A (data) +>0x000048 byte 0x0B (text) +>0x000048 byte 0x0C (string) +>0x000048 byte 0x0D (graphic data base) +>0x000048 byte 0x0E (figure) +>0x000048 byte 0x10 (picture) +>0x000048 byte 0x12 (program) +>0x000048 byte 0x13 (function) +>0x000048 byte 0x14 (macro) +>0x000048 byte 0x1D (backup) +# +# Magic Numbers for the TI-92+/V200 +# +0 string **TI92P* TI-92+/V200 Graphing Calculator +>0x000048 byte 0x00 (expression) +>0x000048 byte 0x04 (list) +>0x000048 byte 0x06 (matrix) +>0x000048 byte 0x0A (data) +>0x000048 byte 0x0B (text) +>0x000048 byte 0x0C (string) +>0x000048 byte 0x0D (graphic data base) +>0x000048 byte 0x0E (figure) +>0x000048 byte 0x10 (picture) +>0x000048 byte 0x12 (program) +>0x000048 byte 0x13 (function) +>0x000048 byte 0x14 (macro) +>0x000048 byte 0x1C (zipped) +>0x000048 byte 0x21 (assembler) +# +# Magic Numbers for the TI-73/83+/89/92+/V200 FLASH upgrades +# +#0x0000016 string Advanced TI-XX Graphing Calculator (FLASH) +0 string **TIFL** TI-XX Graphing Calculator (FLASH) +>8 byte >0 - Revision %d +>>9 byte x \b.%d, +>12 byte >0 Revision date %02x +>>13 byte x \b/%02x +>>14 beshort x \b/%04x, +>17 string >/0 name: '%s', +>48 byte 0x74 device: TI-73, +>48 byte 0x73 device: TI-83+, +>48 byte 0x98 device: TI-89, +>48 byte 0x88 device: TI-92+, +>49 byte 0x23 type: OS upgrade, +>49 byte 0x24 type: application, +>49 byte 0x25 type: certificate, +>49 byte 0x3e type: license, +>74 lelong >0 size: %d bytes + +# VTi & TiEmu skins (TI Graphing Calculators). +# From: Romain Lievin (roms@lpg.ticalc.org). +# Magic Numbers for the VTi skins +0 string VTI Virtual TI skin +>3 string v - Version +>>4 byte >0 \b %c +>>6 byte x \b.%c +# Magic Numbers for the TiEmu skins +0 string TiEmu TiEmu skin +>6 string v - Version +>>7 byte >0 \b %c +>>9 byte x \b.%c +>>10 byte x \b%c diff --git a/magic/Magdir/timezone b/magic/Magdir/timezone new file mode 100644 index 0000000..84e9081 --- /dev/null +++ b/magic/Magdir/timezone @@ -0,0 +1,42 @@ + +#------------------------------------------------------------------------------ +# $File: timezone,v 1.13 2021/07/21 17:57:20 christos Exp $ +# timezone: file(1) magic for timezone data +# +# from Daniel Quinlan (quinlan@yggdrasil.com) +# this should work on Linux, SunOS, and maybe others +# Added new official magic number for recent versions of the Olson code +0 name timezone +>4 byte 0 \b, old version +>4 byte >0 \b, version %c +>20 belong 0 \b, no gmt time flags +>20 belong 1 \b, 1 gmt time flag +>20 belong >1 \b, %d gmt time flags +>24 belong 0 \b, no std time flags +>24 belong 1 \b, 1 std time flag +>24 belong >1 \b, %d std time flags +>28 belong 0 \b, no leap seconds +>28 belong 1 \b, 1 leap second +>28 belong >1 \b, %d leap seconds +>32 belong 0 \b, no transition times +>32 belong 1 \b, 1 transition time +>32 belong >1 \b, %d transition times +>36 belong 0 \b, no local time types +>36 belong 1 \b, 1 local time type +>36 belong >1 \b, %d local time types +>40 belong 0 \b, no abbreviation chars +>40 belong 1 \b, 1 abbreviation char +>40 belong >1 \b, %d abbreviation chars + +0 string TZif timezone data +>51 string TZif \b(slim) +>>51 use timezone +>51 default x \b(fat) +>>0 use timezone + +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0 old timezone data +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0 old timezone data +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0 old timezone data +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0 old timezone data +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 old timezone data +0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 old timezone data diff --git a/magic/Magdir/tplink b/magic/Magdir/tplink new file mode 100644 index 0000000..1b4ef0f --- /dev/null +++ b/magic/Magdir/tplink @@ -0,0 +1,95 @@ + +#------------------------------------------------------------------------------ +# $File: tplink,v 1.8 2023/05/15 16:41:02 christos Exp $ +# tplink: File magic for openwrt firmware files + +# URL: https://wiki.openwrt.org/doc/techref/header +# Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml +# Note: called "TP-Link router firmware (v1)" by TrID +# From: Joerg Jenderek +# check for valid header version 1 or 2 +0 ulelong <3 +>0 ulelong !0 +# test for header padding with nulls +>>0x100 long 0 +# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor name +>>>4 ubelong >0x1F000000 +# skip user.dbt by looking for positive hardware id +>>>>0x40 ubeshort >0 +# skip cversions.1.db cversions.2.db cversions.3.db inside +# c:\ProgramData\Microsoft\Windows\Caches +# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0 +>>>>>5 short !0 +>>>>>>0 use firmware-tplink + +0 name firmware-tplink +>0 ubyte x firmware +!:mime application/x-tplink-bin +# like: TL-WR1043ND-V1-FW0.0.3-stripped.bin gluon-ffrefugee-0.9.2-tp-link-archer-c5-v1-sysupgrade.bin +!:ext bin +# hardware id like 10430001 07410001 09410004 09410006 +>0x40 ubeshort x %x +>0x42 ubeshort x v%x +# hardware revision like 1 +>0x44 ubelong !1 (revision %u) +# vendor_name[24] like OpenWrt or TP-LINK Technologies +>4 string x %.24s +# fw_version[36] like r49389 or ver. 1.0 +>0x1c string x %.36s +# header version 1 or 2 +>0 ubyte !1 V%X +# ver_hi.ver_mid.ver_lo +>0x98 long !0 \b, version +>>0x98 ubeshort x %u +>>0x9A ubeshort x \b.%u +>>0x9C ubeshort x \b.%u +# region code 0~universal 1~US +>0x48 ubelong x +#>>0x48 ubelong 0 (universal) +>>0x48 ubelong 1 (US) +>>0x48 ubelong >1 (region %u) +# total length of the firmware. not always true +>0x7C ubelong x \b, %u bytes or less +# unknown 1 +>0x48 ubelong !0 \b, UNKNOWN1 %#x +# md5sum1[16] +#>0x4c ubequad x \b, MD5 %llx +#>>0x54 ubequad x \b%llx +# unknown 2 +>0x5c ubelong !0 \b, UNKNOWN2 %#x +# md5sum2[16] +#>0x60 ubequad !0 \b, 2nd MD5 %llx +#>>0x68 ubequad x \b%llx +# unknown 3 +>0x70 ubelong !0 \b, UNKNOWN3 %#x +# kernel load address +#>0x74 ubelong x \b, %#x load +# kernel entry point +#>0x78 ubelong x \b, %#x entry +# kernel data offset. 200h means direct after header +>0x80 ubelong x \b, at %#x +# kernel data length and 1 space +>0x84 ubelong x %u bytes +# look for kernel type (gzip compressed vmlinux.bin by ./compress) +>(0x80.L) indirect x +# root file system data offset +# WRONG in 5.35 with above indirect expression +>0x88 ubelong x \b, at %#x +# rootfs data length and 1 space +>0x8C ubelong x %u bytes +# in 5.32 only true for offset ~< FILE_BYTES_MAX=9 MB defined in ../../src/file.h +>(0x88.L) indirect x +# 'qshs' for wr940nv1_en_3_13_7_up(111228).bin +#>(0x88.L) string x \b, file system '%.4s' +#>(0x88.L) ubequad x \b, file system %#llx +# bootloader data offset +>0x90 ubelong !0 \b, at %#x +# bootloader data length only reasonable if bootloader offset not null +>>0x94 ubelong !0 %u bytes +# pad[354] should be 354 null bytes. +#>0x9E ubequad !0 \b, padding %#llx +# But at 0x120 18 non null bytes in examples like +# wr940nv4_eu_3_16_9_up_boot(160620).bin +# wr940nv6_us_3_18_1_up_boot(171030).bin +#>0x120 ubequad !0 \b, other padding %#llx diff --git a/magic/Magdir/troff b/magic/Magdir/troff new file mode 100644 index 0000000..301a40b --- /dev/null +++ b/magic/Magdir/troff @@ -0,0 +1,44 @@ + +#------------------------------------------------------------------------------ +# $File: troff,v 1.14 2023/06/01 16:00:46 christos Exp $ +# troff: file(1) magic for *roff +# +# updated by Daniel Quinlan (quinlan@yggdrasil.com) + +# troff input +0 search/1 .\\" troff or preprocessor input text +!:strength +12 +!:mime text/troff +0 search/1 '\\" troff or preprocessor input text +!:strength +12 +!:mime text/troff +0 search/1 '.\\" troff or preprocessor input text +!:strength +12 +!:mime text/troff +0 search/1 \\" troff or preprocessor input text +!:strength +12 +!:mime text/troff +#0 search/1 ''' troff or preprocessor input text +#!:mime text/troff +0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text +!:strength +12 +!:mime text/troff +0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text +!:strength +12 +!:mime text/troff + +# ditroff intermediate output text +0 search/1 x\ T ditroff output text +>4 search/1 cat for the C/A/T phototypesetter +>4 search/1 ps for PostScript +>4 search/1 dvi for DVI +>4 search/1 ascii for ASCII +>4 search/1 lj4 for LaserJet 4 +>4 search/1 latin1 for ISO 8859-1 (Latin 1) +>4 search/1 X75 for xditview at 75dpi +>>7 search/1 -12 (12pt) +>4 search/1 X100 for xditview at 100dpi +>>8 search/1 -12 (12pt) + +# output data formats +0 string \100\357 very old (C/A/T) troff output data diff --git a/magic/Magdir/tuxedo b/magic/Magdir/tuxedo new file mode 100644 index 0000000..191501d --- /dev/null +++ b/magic/Magdir/tuxedo @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: tuxedo,v 1.4 2009/09/19 16:28:13 christos Exp $ +# tuxedo: file(1) magic for BEA TUXEDO data files +# +# from Ian Springer <ispringer@hotmail.com> +# +0 string \0\0\1\236\0\0\0\0\0\0\0\0\0\0\0\0 BEA TUXEDO DES mask data diff --git a/magic/Magdir/typeset b/magic/Magdir/typeset new file mode 100644 index 0000000..e99fe37 --- /dev/null +++ b/magic/Magdir/typeset @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: typeset,v 1.8 2009/09/19 16:28:13 christos Exp $ +# typeset: file(1) magic for other typesetting +# +0 string Interpress/Xerox Xerox InterPress data +>16 string / (version +>>17 string >\0 %s) diff --git a/magic/Magdir/uf2 b/magic/Magdir/uf2 new file mode 100644 index 0000000..49a86d7 --- /dev/null +++ b/magic/Magdir/uf2 @@ -0,0 +1,72 @@ + +#------------------------------------------------------------------------------ +# $File: uf2,v 1.3 2021/04/28 01:00:31 christos Exp $ +# uf2: file(1) magic for UF2 firmware image files +# +# https://github.com/microsoft/uf2 +# +# Created by Blake Ramsdell <blaker@gmail.com> + +0 string UF2\n UF2 firmware image +!:ext uf2 +# This is for checking the other magic numbers, do we want to do that? +#>4 lelong 0x9E5D5157 howdy +#>>508 lelong 0x0AB16F30 doody +>8 lelong &0x0001 \b, not main flash +>8 lelong &0x1000 \b, file container +>8 lelong &0x2000 \b, family + +# To update the UF2 family data, use this fine command +# +# families=`curl \ +# https://raw.githubusercontent.com/microsoft/uf2/master/utils/uf2families.json \ +# | jq -r '.[] | ">>28\tlelong\t\(.id)\t\(.description)"' | sort -n -k 3` && \ +# perl -0777 -i -pe \ +# "s/(### BEGIN UF2 FAMILIES\\n).*(\\n### END UF2 FAMILIES)/\$1$families\$2/s" \ +# uf2 + +### BEGIN UF2 FAMILIES +>>28 lelong 0x00ff6919 ST STM32L4xx +>>28 lelong 0x04240bdf ST STM32L5xx +>>28 lelong 0x16573617 Microchip (Atmel) ATmega32 +>>28 lelong 0x1851780a Microchip (Atmel) SAML21 +>>28 lelong 0x1b57745f Nordic NRF52 +>>28 lelong 0x1c5f21b0 ESP32 +>>28 lelong 0x1e1f432d ST STM32L1xx +>>28 lelong 0x202e3a91 ST STM32L0xx +>>28 lelong 0x21460ff0 ST STM32WLxx +>>28 lelong 0x2abc77ec NXP LPC55xx +>>28 lelong 0x300f5633 ST STM32G0xx +>>28 lelong 0x31d228c6 GD32F350 +>>28 lelong 0x4c71240a ST STM32G4xx +>>28 lelong 0x4fb2d5bd NXP i.MX RT10XX +>>28 lelong 0x53b80f00 ST STM32F7xx +>>28 lelong 0x55114460 Microchip (Atmel) SAMD51 +>>28 lelong 0x57755a57 ST STM32F401 +>>28 lelong 0x5a18069b Cypress FX2 +>>28 lelong 0x5d1a0a2e ST STM32F2xx +>>28 lelong 0x5ee21072 ST STM32F103 +>>28 lelong 0x647824b6 ST STM32F0xx +>>28 lelong 0x68ed2b88 Microchip (Atmel) SAMD21 +>>28 lelong 0x6b846188 ST STM32F3xx +>>28 lelong 0x6d0922fa ST STM32F407 +>>28 lelong 0x6db66082 ST STM32H7xx +>>28 lelong 0x70d16653 ST STM32WBxx +>>28 lelong 0x7eab61ed ESP8266 +>>28 lelong 0x7f83e793 NXP KL32L2x +>>28 lelong 0x8fb060fe ST STM32F407VG +>>28 lelong 0xada52840 Nordic NRF52840 +>>28 lelong 0xbfdd4eee ESP32-S2 +>>28 lelong 0xc47e5767 ESP32-S3 +>>28 lelong 0xd42ba06c ESP32-C3 +>>28 lelong 0xe48bff56 Raspberry Pi RP2040 +### END UF2 FAMILIES + +>>28 default x +>>>28 lelong x %#08x +>8 lelong&0x2000 0 \b, file size +>>28 lelong x %#08x +>8 lelong &0x4000 \b, MD5 checksum present +>8 lelong &0x8000 \b, extension tags present +>12 lelong x \b, address %#08x +>24 lelong x \b, %u total blocks diff --git a/magic/Magdir/unicode b/magic/Magdir/unicode new file mode 100644 index 0000000..7ca61ba --- /dev/null +++ b/magic/Magdir/unicode @@ -0,0 +1,15 @@ + +#------------------------------------------------------------------------------ +# $File: unicode,v 1.7 2019/02/19 20:34:42 christos Exp $ +# Unicode: BOM prefixed text files - Adrian Havill <havill@turbolinux.co.jp> +# These types are recognised in file_ascmagic so these encodings can be +# treated by text patterns. Missing types are already dealt with internally. +# +0 string +/v8 Unicode text, UTF-7 +0 string +/v9 Unicode text, UTF-7 +0 string +/v+ Unicode text, UTF-7 +0 string +/v/ Unicode text, UTF-7 +0 string \335\163\146\163 Unicode text, UTF-8-EBCDIC +0 string \000\000\376\377 Unicode text, UTF-32, big-endian +0 string \377\376\000\000 Unicode text, UTF-32, little-endian +0 string \016\376\377 Unicode text, SCSU (Standard Compression Scheme for Unicode) diff --git a/magic/Magdir/unisig b/magic/Magdir/unisig new file mode 100644 index 0000000..6212c38 --- /dev/null +++ b/magic/Magdir/unisig @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: unisig,v 1.1 2020/04/09 19:05:44 christos Exp $ +# unisig: file(1) magic for files carrying a uniform signature (Unisig) +# From: Lassi Kortela, John Cowan +# URL: https://github.com/unisig +# +0 string \xDC\xDC\x0D\x0A\x1A\x0A\x00 Unisig: +>7 ubyte =0 UUID +>>8 guid x %s +>7 ubyte >0 URI +>>7 pstring x %s diff --git a/magic/Magdir/unknown b/magic/Magdir/unknown new file mode 100644 index 0000000..578a8ea --- /dev/null +++ b/magic/Magdir/unknown @@ -0,0 +1,34 @@ + +#------------------------------------------------------------------------------ +# $File: unknown,v 1.8 2013/01/09 22:37:24 christos Exp $ +# unknown: file(1) magic for unknown machines +# +# 0x107 is 0407, 0x108 is 0410, and 0x109 is 0411; those are all PDP-11 +# (executable, pure, and split I&D, respectively), but the PDP-11 version +# doesn't have the "version %ld", which may be a bogus COFFism (I don't +# think there was ever COFF for the PDP-11). +# +# 0x10B is 0413; that's VAX demand-paged, but this is a short, not a +# long, as it would be on a VAX. In any case, that could collide with +# VAX demand-paged files, as the magic number is little-endian on those +# binaries, so the first 16 bits of the file would contain 0x10B. +# +# Therefore, those entries are commented out. +# +# 0x10C is 0414 and 0x10E is 0416; those *are* unknown. +# +#0 short 0x107 unknown machine executable +#>8 short >0 not stripped +#>15 byte >0 - version %ld +#0 short 0x108 unknown pure executable +#>8 short >0 not stripped +#>15 byte >0 - version %ld +#0 short 0x109 PDP-11 separate I&D +#>8 short >0 not stripped +#>15 byte >0 - version %ld +#0 short 0x10b unknown pure executable +#>8 short >0 not stripped +#>15 byte >0 - version %ld +0 long 0x10c unknown demand paged pure executable +>16 long >0 not stripped +0 long 0x10e unknown readable demand paged pure executable diff --git a/magic/Magdir/usd b/magic/Magdir/usd new file mode 100644 index 0000000..356cdf7 --- /dev/null +++ b/magic/Magdir/usd @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: usd,v 1.2 2020/05/21 22:17:00 christos Exp $ +# +# From Christian Schmidbauer +# +# https://github.com/PixarAnimationStudios/USD + +# USD crate file +# https://github.com/PixarAnimationStudios/USD/blob/ebac0a8b6703f4fa1c27115f1f013bb9819662f4/pxr/usd/usd/crateFile.h#L441-L450 +0 string PXR-USDC USD crate +>8 byte x \b, version %x. +>9 byte x \b%x. +>10 byte x \b%x +!:ext usd + +# USD ASCII file +0 string #usda\040 USD ASCII +>6 string x \b, version %s +!:mime text/plain +!:ext usd diff --git a/magic/Magdir/uterus b/magic/Magdir/uterus new file mode 100644 index 0000000..4b9e768 --- /dev/null +++ b/magic/Magdir/uterus @@ -0,0 +1,16 @@ + +#------------------------------------------------------------------------------ +# $File: uterus,v 1.4 2022/10/31 13:22:26 christos Exp $ +# file(1) magic for uterus files +# http://freecode.com/projects/uterus +# +0 string UTE+ uterus file +>4 string v \b, version +>5 byte x %c +>6 string . \b. +>7 byte x \b%c +>8 string \<\> \b, big-endian +>>16 belong >0 \b, slut size %u +>8 string \>\< \b, little-endian +>>16 lelong >0 \b, slut size %u +>10 byte &8 \b, compressed diff --git a/magic/Magdir/uuencode b/magic/Magdir/uuencode new file mode 100644 index 0000000..df70dc5 --- /dev/null +++ b/magic/Magdir/uuencode @@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: uuencode,v 1.9 2021/11/13 17:48:10 christos Exp $ +# uuencode: file(1) magic for ASCII-encoded files +# + +# The first line of xxencoded files is identical to that in uuencoded files, +# but the first character in most subsequent lines is 'h' instead of 'M'. +# (xxencoding uses lowercase letters in place of most of uuencode's +# punctuation and survives BITNET gateways better.) +0 regex/1024 \^begin\040[0-7]{3}\040 +>&0 regex/256 [\012\015]+M[\040-\140]{60}[\012\015]+ uuencoded text +>&0 regex/256 [\012\015]+h[0-9A-Za-z\053\055]{60}[\012\015]+ xxencoded text +>&0 default x uuencoded or xxencoded text +>&0 string >\0 \b, file name "%s" + +# btoa(1) is an alternative to uuencode that requires less space. +0 search/1 xbtoa\ Begin btoa'd text + +# ship(1) is another, much cooler alternative to uuencode. +# Greg Roelofs, newt@uchicago.edu +0 search/1 $\012ship ship'd binary text + +# bencode(8) is used to encode compressed news batches (Bnews/Cnews only?) +# Greg Roelofs, newt@uchicago.edu +0 search/1 Decode\ the\ following\ with\ bdeco bencoded News text + +# GRR: handle BASE64 diff --git a/magic/Magdir/vacuum-cleaner b/magic/Magdir/vacuum-cleaner new file mode 100644 index 0000000..eef78f2 --- /dev/null +++ b/magic/Magdir/vacuum-cleaner @@ -0,0 +1,54 @@ + +#------------------------------------------------------------------------------ +# $File: vacuum-cleaner,v 1.1 2015/11/14 13:38:35 christos Exp $ +# vacuum cleaner magic by Thomas M. Ott (ThMO) +# +# navigation map for LG robot vacuum cleaner models VR62xx, VR64xx, VR63xx +# file: MAPDATAyyyymmddhhmmss_xxxxxx_cc.blk +# -> yyyymmdd: year, month, day of cleaning +# -> hhmmss: hour, minute, second of cleaning +# -> xxxxxx: 6 digits +# -> cc: cleaning runs counter +# size: 136044 bytes +# +# struct maphdr { +# int32_t map_cnt; /* 0: single map */ +# int32_t min_ceil; /* 4: 100 mm == 10 cm == min. ceil */ +# int32_t max_ceil; /* 8: 10000 mm == 100 m == max. ceil */ +# int32_t max_climb; /* 12: 50 mm = 5 cm == max. height to climb */ +# int32_t unknown; /* 16: 50000 ??? */ +# int32_t cell_bytes; /* 20: # of bytes for cells per block */ +# int32_t block_max; /* 24: 1000 == max. # of blocks */ +# int32_t route_max; /* 28: 1000 == max. # of routes */ +# int32_t used_blocks; /* 32: 5/45/33/... == # of block entries used! */ +# int32_t cell_dim; /* 36: 10 == cell dimension */ +# int32_t clock_tick; /* 40: 100 == clock ticks */ +# #if 0 +# struct { /* 44: 1000 blocks for 10x10 cells */ +# int32_t yoffset; +# int32_t xoffset; +# int32_t posxy; +# int32_t timecode; +# } blocks[ 1000]; +# char cells[ 1000* 100]; /* 16044: 1000 10x10 cells */ +# int16_t routes[ 1000* 10]; /* 116044: 1000 10-routes */ +# #endif +# }; + +0 lelong =1 +>4 lelong =100 +>>8 lelong =10000 +>>>12 lelong =50 +>>>>16 lelong =50000 +>>>>>20 lelong =100 +>>>>>>24 lelong =1000 +>>>>>>>28 lelong =1000 +>>>>>>>>36 lelong =10 +>>>>>>>>>40 lelong =100 +>>>>>>>>>>32 lelong x LG robot VR6[234]xx %dm^2 navigation +>>>>>>>>>>136040 lelong =-1 reuse map data +>>>>>>>>>>136040 lelong =0 map data +>>>>>>>>>>136040 lelong >0 spurious map data +>>>>>>>>>>136040 lelong <-1 spurious map data + + diff --git a/magic/Magdir/varied.out b/magic/Magdir/varied.out new file mode 100644 index 0000000..01caf07 --- /dev/null +++ b/magic/Magdir/varied.out @@ -0,0 +1,46 @@ + +#------------------------------------------------------------------------------ +# $File: varied.out,v 1.23 2014/04/30 21:41:02 christos Exp $ +# varied.out: file(1) magic for various USG systems +# +# Herewith many of the object file formats used by USG systems. +# Most have been moved to files for a particular processor, +# and deleted if they duplicate other entries. +# +0 short 0610 Perkin-Elmer executable +# AMD 29K +0 beshort 0572 amd 29k coff noprebar executable +0 beshort 01572 amd 29k coff prebar executable +0 beshort 0160007 amd 29k coff archive +# Cray +6 beshort 0407 unicos (cray) executable +# Ultrix 4.3 +596 string \130\337\377\377 Ultrix core file +>600 string >\0 from '%s' +# BeOS and MAcOS PEF executables +# From: hplus@zilker.net (Jon Watte) +0 string Joy!peffpwpc header for PowerPC PEF executable +# +# ava assembler/linker Uros Platise <uros.platise@ijs.si> +0 string avaobj AVR assembler object code +>7 string >\0 version '%s' +# gnu gmon magic From: Eugen Dedu <dedu@ese-metz.fr> +0 string gmon GNU prof performance data +>4 long x - version %d +# From: Dave Pearson <davep@davep.org> +# Harbour <URL:http://harbour-project.org/> HRB files. +0 string \xc0HRB Harbour HRB file +>4 leshort x version %d +# Harbour HBV files +0 string \xc0HBV Harbour variable dump file +>4 leshort x version %d + +# From: Alex Beregszaszi <alex@fsn.hu> +# 0 string exec BugOS executable +# 0 string pack BugOS archive + +# From: Jason Spence <jspence@lightconsulting.com> +# Generated by the "examples" in STM's ST40 devkit, and derived code. +0 lelong 0x13a9f17e ST40 component image format +>4 string >\0 \b, name '%s' + diff --git a/magic/Magdir/varied.script b/magic/Magdir/varied.script new file mode 100644 index 0000000..74b1b22 --- /dev/null +++ b/magic/Magdir/varied.script @@ -0,0 +1,21 @@ +#------------------------------------------------------------------------------ +# $File: varied.script,v 1.15 2022/10/18 13:01:30 christos Exp $ +# varied.script: file(1) magic for various interpreter scripts + +0 string/wt #!\ a +>&-1 string/T x %s script text executable +!:strength / 3 + +0 string/wb #!\ a +>&-1 string/T x %s script executable (binary data) +!:strength / 3 + + +# using env +0 string/wt #!\ /usr/bin/env a +>15 string/T >\0 %s script text executable +!:strength / 6 + +0 string/wb #!\ /usr/bin/env a +>15 string/T >\0 %s script executable (binary data) +!:strength / 6 diff --git a/magic/Magdir/vax b/magic/Magdir/vax new file mode 100644 index 0000000..f3deffa --- /dev/null +++ b/magic/Magdir/vax @@ -0,0 +1,32 @@ + +#------------------------------------------------------------------------------ +# $File: vax,v 1.10 2019/10/04 18:07:46 christos Exp $ +# vax: file(1) magic for VAX executable/object and APL workspace +# +0 lelong 0101557 VAX single precision APL workspace +0 lelong 0101556 VAX double precision APL workspace + +# +# VAX a.out (BSD; others collide with 386 and other 32-bit little-endian +# executables, and are handled in aout) +# +0 lelong 0420 a.out VAX demand paged (first page unmapped) pure executable +>16 lelong >0 not stripped + +# +# VAX COFF +# +# The `versions' were commented out, but have been un-commented out. +# (Was the problem just one of endianness?) +# +0 leshort 0570 +>2 uleshort <100 VAX COFF executable, sections %d +>>4 ledate x \b, created %s +>>12 lelong >0 \b, not stripped +>>22 leshort >0 \b, version %d + +0 leshort 0575 +>2 uleshort <100 VAX COFF pure executable, sections %d +>>4 ledate x \b, created %s +>>12 lelong >0 \b, not stripped +>>22 leshort >0 \b, version %d diff --git a/magic/Magdir/vicar b/magic/Magdir/vicar new file mode 100644 index 0000000..59d843d --- /dev/null +++ b/magic/Magdir/vicar @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: vicar,v 1.4 2009/09/19 16:28:13 christos Exp $ +# vicar: file(1) magic for VICAR files. +# +# From: Ossama Othman <othman@astrosun.tn.cornell.edu +# VICAR is JPL's in-house spacecraft image processing program +# VICAR image +0 string LBLSIZE= VICAR image data +>32 string BYTE \b, 8 bits = VAX byte +>32 string HALF \b, 16 bits = VAX word = Fortran INTEGER*2 +>32 string FULL \b, 32 bits = VAX longword = Fortran INTEGER*4 +>32 string REAL \b, 32 bits = VAX longword = Fortran REAL*4 +>32 string DOUB \b, 64 bits = VAX quadword = Fortran REAL*8 +>32 string COMPLEX \b, 64 bits = VAX quadword = Fortran COMPLEX*8 +# VICAR label file +43 string SFDU_LABEL VICAR label file diff --git a/magic/Magdir/virtual b/magic/Magdir/virtual new file mode 100644 index 0000000..3372020 --- /dev/null +++ b/magic/Magdir/virtual @@ -0,0 +1,307 @@ + +#------------------------------------------------------------------------------ +# $File: virtual,v 1.17 2022/08/23 08:00:54 christos Exp $ +# From: James Nobis <quel@quelrod.net> +# Microsoft hard disk images for: +# Virtual Server +# Virtual PC +# VirtualBox +# URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk) +# Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/ +# Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc +0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC +# alternative shorter names +#0 string conectix Microsoft Virtual Hard Disk image +#0 string conectix Microsoft Virtual HD image +!:mime application/x-virtualbox-vhd +!:ext vhd +# Features is a bit field used to indicate specific feature support +#>8 ubelong !0x00000002 \b, Features %#x +# Reserved. This bit must always be set to 1. +#>8 ubelong &0x00000002 \b, Reserved %#x +# File Format Version for the current specification 0x00010000 +#>12 ubelong !0x00010000 \b, Version %#8.8x +# Data Offset only found 0x200 +#>16 ubequad !0x200 \b, Data Offset %#llx +#>16 ubequad x \b, at %#llx +# Dynamic Disk Header cookie like cxsparse +#>(16.Q) string x "%-.8s" +# This field contains a Unicode string (UTF-16) of the parent hard disk filename +#>(16.Q+64) ubequad x \b, parent name %#llx +# Creator Application +# vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd +>28 string x \b, Creator %-4.4s +# Creator Version: 0x00010000~Virtual Server 2004, 0x00050000~Virtual PC 2004 +# holds the major/minor version of the application that created the image +>32 ubeshort x %x +>34 ubeshort x \b.%x +#>32 ubelong x \b, Version %#8.8x +# Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac) +>36 ubelong x ( +>>36 ubelong 0x5769326B \bW2k +>>36 ubelong 0x4D616320 \bMac +>>36 default x \b0x +>>>36 ubelong x \b%8.8x +# creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch +>24 bedate+946684800 x \b) %s +# Original Size +#>40 ubequad x \b, o.-Size %#llx +# Current Size is same as original size, but change when disk is expanded +#>48 ubequad x \b, Size %#llx +>48 ubequad x \b, %llu bytes +# Disk Geometry: cylinder, heads, and sectors/track for hard disk +#>56 ubeshort x \b, Cylinder %#x +>56 ubeshort x \b, CHS %u +# Heads +#>58 ubyte x \b, Heads %#x +>58 ubyte x \b/%u +# Sectors per track +#>59 ubyte x \b, Sectors %#x +>59 ubyte x \b/%u +# Disk Type: 3~Dynamic hard disk +>60 ubelong !0x3 \b, type %#x +# Checksum +#>64 ubelong x \b, cksum %#x +# universally unique identifier (UUID) to associate a parent with its differencing image +#>68 ubequad x \b, id %#16.16llx +#>76 ubequad x \b-%16.16llx +# Saved State: 1~Saved State +>84 ubyte !0 \b, State %#x +# Reserved 427 bytes with nils +#>85 ubequad !0 \b, Reserved %#16.16llx + +# From: Joerg Jenderek +# URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/ +# MS-VHDX/[MS-VHDX].pdf +# Note: extends the VHD format with new capabilities, such as a 16TB maximum size +# TODO: find and display values like virtual size, disk size, cluster_size, etc +# display id in GUID format +# +# VHDX_FILE_IDENTIFIER signature 0x656C696678646876 +0 string vhdxfile +# VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB +>0x10000 string head Microsoft Disk Image eXtended +#>0x20000 string head \b, 2nd header +#!:mime application/x-virtualbox-vhdx +!:ext vhdx +# Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512" +>>8 lestring16 x \b, by %.256s +# The Checksum field is a CRC-32C hash over the entire 4 KB structure +#>>0x10004 ulelong x \b, CRC %#x +# SequenceNumber +>>0x10008 ulequad x \b, sequence %#llx +# FileWriteGuid +#>>0x10010 ubequad x \b, file id %#llx +#>>>0x10018 ubequad x \b-%llx +# DataWriteGuid +#>>0x10020 ubequad x \b, data id %#llx +#>>>0x10028 ubequad x \b-%llx +# LogGuid. If this field is zero, then the log is empty or has no valid entries +>>0x10030 ubequad >0 \b, log id %#llx +>>>0x10038 ubequad x \b-%llx +# LogVersion. If not 0 there is a log to replay +>>0x10040 uleshort >0 \b, LogVersion %#x +# Version. This field must be set to 1 +>>0x10042 uleshort !1 \b, Version %#x +# LogLength must be multiples of 1 MB +>>0x10044 ulelong/1048576 >1 \b, LogLength %u MB +# LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB +>>0x10048 ulequad !0x100000 \b, LogOffset %#llx +# Log Entry Signature must be 0x65676F6C~loge +>>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature +>>(0x10048.q) ulelong =0x65676F6C \b; LOG +# Log Entry Checksum +#>>>(0x10048.q+4) ulelong x \b, Log CRC %#x +# Log Entry Length must be a multiple of 4 KB +>>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB +# Log Entry Tail must be a multiple of 4 KB +#>>>(0x10048.q+12) ulelong x \b, Tail %#x +# Log Entry SequenceNumber +#>>>(0x10048.q+16) ulequad x \b, # %#llx +# Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8 +#>>>(0x10048.q+24) ulelong x \b, DescriptorCount %#llx +# Log Entry Reserved must be set to 0 +>>>(0x10048.q+28) ulelong !0 \b, Reserved %#x +# Log Entry LogGuid +#>>>(0x10048.q+32) ubequad x \b, Log id %#llx +#>>>(0x10048.q+40) ubequad x \b-%llx +# Log Entry FlushedFileOffset should VHDX size when entry is written. +#>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu +# Log Entry LastFileOffset +#>>>(0x10048.q+56) ulequad x \b, LastFileOffset %llu +# filling +#>>>(0x10048.q+64) ulequad >0 \b, filling %llx +# Reserved[4016] +#>>0x10050 ulequad >0 \b, Reserved %#llx +# VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB +>0x30000 ulelong !0x69676572 \b, 1st region INVALID +>0x30000 ulelong =0x69676572 \b; region +# region Checksum. CRC-32C hash over the entire 64-KB table +#>>0x30004 ulelong x \b, CRC %#x +# The EntryCount specifies number of valid entries; Found 2; This must be =< 2047. +>>0x30008 ulelong x \b, %u entries +# reserved must be zero +#>>0x3000C ulelong !0 \b, RESERVED %#x +# Region Table Entry starts with identifier for the object. often BAT id +>>0x30010 use vhdx-id +# FileOffset +>>0x30020 ulequad x \b, at %#llx +# Length. Specifies the length of the object within the file +#>>0x30028 ulelong x \b, Length %#x +# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX +>>0x3002C ulelong x \b, Required %u +# 2nd region entry often metadata id +>>0x30030 use vhdx-id +# 2nd entry FileOffset +>>0x30040 ulequad x \b, at %#llx +# 1 means region entry is required. if region not recognized, then REFUSE to load VHDX +>>0x3004C ulelong x \b, Required %u +# 2nd region +>>0x40000 ulelong !0x69676572 \b, 2nd region INVALID +# check in vhdx images for known id and show names instead hexadecimal +0 name vhdx-id +# https://www.windowstricks.in/online-windows-guid-converter +# 2DC27766-F623-4200-9D64-115E9BFD4A08 BAT GUID +# 6677C22D23F600429D64115E9BFD4A08 BAT ID +>0 ubequad =0x6677C22D23F60042 +>>8 ubequad =0x9D64115E9BFD4A08 \b, id BAT +# no BAT id +>>8 default x +>>>0 use vhdx-id-hex +# 8B7CA206-4790-4B9A-B8FE-575F050F886E Metadata region GUID +# 06A27C8B90479A4BB8FE575F050F886E Metadata region ID +>0 ubequad =0x06A27C8B90479A4B +>>8 ubequad =0xB8FE575F050F886E \b, id Metadata +# no Metadata id +>>8 default x +>>>0 use vhdx-id-hex +# 2FA54224-CD1B-4876-B211-5DBED83BF4B8 Virtual Disk Size GUID +# 2442A52F1BCD7648B2115DBED83BF4B8 Virtual Disk Size ID +# value "virtual size" can be verified by command `qemu-img info ` +>0 ubequad =0x2442A52F1BCD7648 +>>8 ubequad =0xB2115DBED83BF4B8 \b, id vsize +# no Virtual Disk Size ID +>>8 default x +>>>0 use vhdx-id-hex +# other ids +>0 default x +>>0 use vhdx-id-hex +# in vhdx images show id as hexadecimal +0 name vhdx-id-hex +>0 ubequad x \b, ID %#16.16llx +>8 ubequad x \b-%16.16llx +# +# libvirt +# From: Philipp Hahn <hahn@univention.de> +0 string LibvirtQemudSave Libvirt QEMU Suspend Image +>0x10 lelong x \b, version %u +>0x14 lelong x \b, XML length %u +>0x18 lelong 1 \b, running +>0x1c lelong 1 \b, compressed + +0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image +# From: Alex Beregszaszi <alex@fsn.hu> +0 string/b COWD VMWare3 +>4 byte 3 disk image +>>32 lelong x (%d/ +>>36 lelong x \b%d/ +>>40 lelong x \b%d) +>4 byte 2 undoable disk image +>>32 string >\0 (%s) + +0 string/b VMDK VMware4 disk image +0 string/b KDMV VMware4 disk image + +#-------------------------------------------------------------------- +# Qemu Emulator Images +# Lines written by Friedrich Schwittay (f.schwittay@yousable.de) +# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) +# Made by reading sources, reading documentation, and doing trial and error +# on existing QCOW files +0 string/b QFI\xFB QEMU QCOW Image +!:mime application/x-qemu-disk + +# Uncomment the following line to display Magic (only used for debugging +# this magic number) +#>0 string/b x , Magic: %s + +# There are currently 2 Versions: "1" and "2". +# https://www.gnome.org/~markmc/qcow-image-format-version-1.html +>4 belong x (v%d) + +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>12 belong >0 \b, has backing file ( +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. +>>>(12.L) string >\0 \bpath %s + +# Modification time of the Backing File +# Really useful if you want to know if your backing +# file is still usable together with this image +>>>>20 bedate >0 \b, mtime %s) +>>>>20 default x \b) + +# Size is stored in bytes in a big-endian u64. +>>24 bequad x \b, %lld bytes + +# 1 for AES encryption, 0 for none. +>>36 belong 1 \b, AES-encrypted + +# https://www.gnome.org/~markmc/qcow-image-format.html +>4 belong 2 (v2) +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>8 bequad >0 \b, has backing file +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. Also, since there's no +# .Q modifier, we just use the bottom four bytes as an offset. Note that if +# the file is over 4G, and the backing file path is stored after the first 4G, +# the wrong filename will be printed. (This should be (8.Q), when that syntax +# is introduced.) +>>>(12.L) string >\0 (path %s) +>>24 bequad x \b, %lld bytes +>>32 belong 1 \b, AES-encrypted + +>4 belong 3 (v3) +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>8 bequad >0 \b, has backing file +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. Also, since there's no +# .Q modifier, we just use the bottom four bytes as an offset. Note that if +# the file is over 4G, and the backing file path is stored after the first 4G, +# the wrong filename will be printed. (This should be (8.Q), when that syntax +# is introduced.) +>>>(12.L) string >\0 (path %s) +>>24 bequad x \b, %lld bytes +>>32 belong 1 \b, AES-encrypted + +>4 default x (unknown version) + +0 string/b QEVM QEMU suspend to disk image + +# QEMU QED Image +# https://wiki.qemu.org/Features/QED/Specification +0 string/b QED\0 QEMU QED Image + +# VDI Image +# Sun xVM VirtualBox Disk Image +# From: Richard W.M. Jones <rich@annexia.org> +# VirtualBox Disk Image +0x40 ulelong 0xbeda107f VirtualBox Disk Image +>0x44 uleshort >0 \b, major %u +>0x46 uleshort >0 \b, minor %u +>0 string >\0 (%s) +>368 lequad x \b, %lld bytes + +0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, +>32 string x type %s, +>48 string x subtype %s + +0 lelong 0x02468ace Bochs Sparse disk image + diff --git a/magic/Magdir/virtutech b/magic/Magdir/virtutech new file mode 100644 index 0000000..410ab9e --- /dev/null +++ b/magic/Magdir/virtutech @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: virtutech,v 1.4 2009/09/19 16:28:13 christos Exp $ +# Virtutech Compressed Random Access File Format +# +# From <gustav@virtutech.com> +0 string \211\277\036\203 Virtutech CRAFF +>4 belong x v%d +>20 belong 0 uncompressed +>20 belong 1 bzipp2ed +>20 belong 2 gzipped +>24 belong 0 not clean diff --git a/magic/Magdir/visx b/magic/Magdir/visx new file mode 100644 index 0000000..fe5c827 --- /dev/null +++ b/magic/Magdir/visx @@ -0,0 +1,32 @@ + +#------------------------------------------------------------------------------ +# $File: visx,v 1.5 2009/09/19 16:28:13 christos Exp $ +# visx: file(1) magic for Visx format files +# +0 short 0x5555 VISX image file +>2 byte 0 (zero) +>2 byte 1 (unsigned char) +>2 byte 2 (short integer) +>2 byte 3 (float 32) +>2 byte 4 (float 64) +>2 byte 5 (signed char) +>2 byte 6 (bit-plane) +>2 byte 7 (classes) +>2 byte 8 (statistics) +>2 byte 10 (ascii text) +>2 byte 15 (image segments) +>2 byte 100 (image set) +>2 byte 101 (unsigned char vector) +>2 byte 102 (short integer vector) +>2 byte 103 (float 32 vector) +>2 byte 104 (float 64 vector) +>2 byte 105 (signed char vector) +>2 byte 106 (bit plane vector) +>2 byte 121 (feature vector) +>2 byte 122 (feature vector library) +>2 byte 124 (chain code) +>2 byte 126 (bit vector) +>2 byte 130 (graph) +>2 byte 131 (adjacency graph) +>2 byte 132 (adjacency graph library) +>2 string .VISIX (ascii text) diff --git a/magic/Magdir/vms b/magic/Magdir/vms new file mode 100644 index 0000000..56d57ae --- /dev/null +++ b/magic/Magdir/vms @@ -0,0 +1,30 @@ + +#------------------------------------------------------------------------------ +# $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $ +# vms: file(1) magic for VMS executables (experimental) +# +# VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) + +# GRR 950122: I'm just guessing on these, based on inspection of the headers +# of three executables each for Alpha and VAX architectures. The VAX files +# all had headers similar to this: +# +# 00000 b0 00 30 00 44 00 60 00 00 00 00 00 30 32 30 35 ..0.D.`.....0205 +# 00010 01 01 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ +# +0 string \xb0\0\x30\0 VMS VAX executable +>44032 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption +# +# The AXP files all looked like this, except that the byte at offset 0x22 +# was 06 in some of them and 07 in others: +# +# 00000 03 00 00 00 00 00 00 00 ec 02 00 00 10 01 00 00 ................ +# 00010 68 00 00 00 98 00 00 00 b8 00 00 00 00 00 00 00 h............... +# 00020 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +# 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ +# 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ +# +# GRR this test is still too general as it catches example adressen.dbt +0 belong 0x03000000 +>8 ubelong 0xec020000 VMS Alpha executable +>>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption diff --git a/magic/Magdir/vmware b/magic/Magdir/vmware new file mode 100644 index 0000000..cd1a9d9 --- /dev/null +++ b/magic/Magdir/vmware @@ -0,0 +1,6 @@ + +#------------------------------------------------------------------------------ +# $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $ +# VMware specific files (deducted from version 1.1 and log file entries) +# Anthon van der Neut (anthon@mnt.org) +0 belong 0x4d52564e VMware nvram diff --git a/magic/Magdir/vorbis b/magic/Magdir/vorbis new file mode 100644 index 0000000..49e75cb --- /dev/null +++ b/magic/Magdir/vorbis @@ -0,0 +1,155 @@ + +#------------------------------------------------------------------------------ +# $File: vorbis,v 1.26 2020/08/22 18:30:55 christos Exp $ +# vorbis: file(1) magic for Ogg/Vorbis files +# +# From Felix von Leitner <leitner@fefe.de> +# Extended by Beni Cherniavsky <cben@crosswinds.net> +# Further extended by Greg Wooledge <greg@wooledge.org> +# +# Most (everything but the number of channels and bitrate) is commented +# out with `##' as it's not interesting to the average user. The most +# probable things advanced users would want to uncomment are probably +# the number of comments and the encoder version. +# +# FIXME: The first match has been made a search, so that it can skip +# over prepended ID3 tags. This will work for MIME type detection, but +# won't work for detecting other properties of the file (they all need +# to be made relative to the search). In any case, if the file has ID3 +# tags, the ID3 information will be printed, not the Ogg information, +# so until that's fixed, this doesn't matter. +# FIXME[2]: Disable the above for now, since search assumes text mode. +# +# --- Ogg Framing --- +#0 search/1000 OggS Ogg data +0 string OggS Ogg data +>4 byte !0 UNKNOWN REVISION %u +##>4 byte 0 revision 0 +>4 byte 0 +##>>14 lelong x (Serial %lX) +# non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) +>>28 string \x7fFLAC \b, FLAC audio +# non-Vorbis content: Theora +!:mime audio/ogg +>>28 string \x80theora \b, Theora video +!:mime video/ogg +# non-Vorbis content: Kate +>>28 string \x80kate\0\0\0\0 \b, Kate (Karaoke and Text) +!:mime application/ogg +>>>37 ubyte x v%u +>>>38 ubyte x \b.%u, +>>>40 byte 0 utf8 encoding, +>>>40 byte !0 unknown character encoding, +>>>60 string >\0 language %s, +>>>60 string \0 no language set, +>>>76 string >\0 category %s +>>>76 string \0 no category set +# non-Vorbis content: Skeleton +>>28 string fishead\0 \b, Skeleton +!:mime video/ogg +>>>36 leshort x v%u +>>>40 leshort x \b.%u +# non-Vorbis content: Speex +>>28 string Speex\ \ \ \b, Speex audio +!:mime audio/ogg +# non-Vorbis content: OGM +>>28 string \x01video\0\0\0 \b, OGM video +!:mime video/ogg +>>>37 string/c div3 (DivX 3) +>>>37 string/c divx (DivX 4) +>>>37 string/c dx50 (DivX 5) +>>>37 string/c xvid (XviD) +# --- First vorbis packet - general header --- +>>28 string \x01vorbis \b, Vorbis audio, +!:mime audio/ogg +>>>35 lelong !0 UNKNOWN VERSION %u, +##>>>35 lelong 0 version 0, +>>>35 lelong 0 +>>>>39 ubyte 1 mono, +>>>>39 ubyte 2 stereo, +>>>>39 ubyte >2 %u channels, +>>>>40 lelong x %u Hz +# Minimal, nominal and maximal bitrates specified when encoding +>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, +# The above tests if at least one of these is specified: +>>>>>52 lelong !-1 +# Vorbis RC2 has a bug which puts -1000 in the min/max bitrate fields +# instead of -1. +# Vorbis 1.0 uses 0 instead of -1. +>>>>>>52 lelong !0 +>>>>>>>52 lelong !-1000 +>>>>>>>>52 lelong x <%u +>>>>>48 lelong !-1 +>>>>>>48 lelong x ~%u +>>>>>44 lelong !-1 +>>>>>>44 lelong !-1000 +>>>>>>>44 lelong !0 +>>>>>>>>44 lelong x >%u +>>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps +# -- Second vorbis header packet - the comments +# A kludge to read the vendor string. It's a counted string, not a +# zero-terminated one, so file(1) can't read it in a generic way. +# libVorbis is the only one existing currently, so I detect specifically +# it. The interesting value is the cvs date (8 digits decimal). +# Post-RC1 Ogg files have the second header packet (and thus the version) +# in a different place, so we must use an indirect offset. +>>>(84.b+85) string \x03vorbis +>>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I +>>>>>(84.b+120) string >00000000 +# Map to beta version numbers: +>>>>>>(84.b+120) string <20000508 (<beta1, prepublic) +>>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) +>>>>>>(84.b+120) string >20000508 +>>>>>>>(84.b+120) string <20001031 (beta2-3) +>>>>>>(84.b+120) string 20001031 (1.0 beta 3) +>>>>>>(84.b+120) string >20001031 +>>>>>>>(84.b+120) string <20010225 (beta3-4) +>>>>>>(84.b+120) string 20010225 (1.0 beta 4) +>>>>>>(84.b+120) string >20010225 +>>>>>>>(84.b+120) string <20010615 (beta4-RC1) +>>>>>>(84.b+120) string 20010615 (1.0 RC1) +>>>>>>(84.b+120) string 20010813 (1.0 RC2) +>>>>>>(84.b+120) string 20010816 (RC2 - Garf tuned v1) +>>>>>>(84.b+120) string 20011014 (RC2 - Garf tuned v2) +>>>>>>(84.b+120) string 20011217 (1.0 RC3) +>>>>>>(84.b+120) string 20011231 (1.0 RC3) +# Some pre-1.0 CVS snapshots still had "Xiphphorus"... +>>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) +# For the 1.0 release, Xiphophorus is replaced by Xiph.Org +>>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I +>>>>>(84.b+117) string >00000000 +>>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) +>>>>>>(84.b+117) string 20020717 (1.0) +>>>>>>(84.b+117) string 20030909 (1.0.1) +>>>>>>(84.b+117) string 20040629 (1.1.0 RC1) +>>>>>>(84.b+117) string 20050304 (1.1.2) +>>>>>>(84.b+117) string 20070622 (1.2.0) +>>>>>>(84.b+117) string 20090624 (1.2.2) +>>>>>>(84.b+117) string 20090709 (1.2.3) +>>>>>>(84.b+117) string 20100325 (1.3.1) +>>>>>>(84.b+117) string 20101101 (1.3.2) +>>>>>>(84.b+117) string 20120203 (1.3.3) +>>>>>>(84.b+117) string 20140122 (1.3.4) +>>>>>>(84.b+117) string 20150105 (1.3.5) + +# non-Vorbis content: Opus https://tools.ietf.org/html/rfc7845#section-5 +>>28 string OpusHead \b, Opus audio, +!:mime audio/ogg +>>>36 ubyte >0x0F UNKNOWN VERSION %u, +>>>36 ubyte&0x0F !0 version 0.%u, +>>>>46 ubyte >1 +>>>>>46 ubyte !255 unknown channel mapping family %u, +>>>>>37 ubyte x %u channels +>>>>46 ubyte 0 +>>>>>37 ubyte 1 mono +>>>>>37 ubyte 2 stereo +>>>>46 ubyte 1 +>>>>>37 ubyte 1 mono +>>>>>37 ubyte 2 stereo +>>>>>37 ubyte 3 linear surround +>>>>>37 ubyte 4 quadraphonic +>>>>>37 ubyte 5 5.0 surround +>>>>>37 ubyte 6 5.1 surround +>>>>>37 ubyte 7 6.1 surround +>>>>>37 ubyte 8 7.1 surround +>>>>40 lelong !0 \b, %u Hz (Input Sample Rate)
\ No newline at end of file diff --git a/magic/Magdir/vxl b/magic/Magdir/vxl new file mode 100644 index 0000000..0fdc68a --- /dev/null +++ b/magic/Magdir/vxl @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: vxl,v 1.4 2009/09/19 16:28:13 christos Exp $ +# VXL: file(1) magic for VXL binary IO data files +# +# from Ian Scott <scottim@sf.net> +# +# VXL is a collection of C++ libraries for Computer Vision. +# See the vsl chapter in the VXL Book for more info +# http://www.isbe.man.ac.uk/public_vxl_doc/books/vxl/book.html +# http:/vxl.sf.net + +2 lelong 0x472b2c4e VXL data file, +>0 leshort >0 schema version no %d diff --git a/magic/Magdir/warc b/magic/Magdir/warc new file mode 100644 index 0000000..5942867 --- /dev/null +++ b/magic/Magdir/warc @@ -0,0 +1,16 @@ + +#------------------------------------------------------------------------------ +# $File: warc,v 1.4 2019/04/19 00:42:27 christos Exp $ +# warc: file(1) magic for WARC files + +0 string WARC/ WARC Archive +>5 string x version %.4s +!:mime application/warc + +#------------------------------------------------------------------------------ +# Arc File Format from Internet Archive +# see https://www.archive.org/web/researcher/ArcFileFormat.php +0 string filedesc:// Internet Archive File +!:mime application/x-ia-arc +>11 search/256 \x0A \b +>>&0 ubyte >0 \b version %c diff --git a/magic/Magdir/weak b/magic/Magdir/weak new file mode 100644 index 0000000..6dc1793 --- /dev/null +++ b/magic/Magdir/weak @@ -0,0 +1,16 @@ + +#------------------------------------------------------------------------------ +# weak: file(1) magic for very weak magic entries, disabled by default +# +# These entries are so weak that they might interfere identification of +# other formats. Example include: +# - Only identify for 1 or 2 bytes +# - Match against very wide range of values +# - Match against generic word in some spoken languages (e.g. English) + +# Summary: Computer Graphics Metafile +# Extension: .cgm +#0 beshort&0xffe0 0x0020 binary Computer Graphics Metafile +#0 beshort 0x3020 character Computer Graphics Metafile + +#0 string =!! Bennet Yee's "face" format diff --git a/magic/Magdir/web b/magic/Magdir/web new file mode 100644 index 0000000..a0d26e6 --- /dev/null +++ b/magic/Magdir/web @@ -0,0 +1,18 @@ + +#------------------------------------------------------------------------------ +# $File: web,v 1.2 2022/10/29 16:02:37 christos Exp $ + +# http://www.rdfhdt.org/ +# From Christoph Biedl +# http://www.rdfhdt.org/hdt-internals/ +# https://github.com/rdfhdt/hdt-cpp + +0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1 +!:mime application/vnd.hdt +!:ext hdt + +0 string [Adblock\040Plus Adblock Plus +>&1 regex [0-9.]+ %s +>1 string x rules file +>10 search/100 Version: +>>&1 regex [0-9]+ \b, version %s diff --git a/magic/Magdir/webassembly b/magic/Magdir/webassembly new file mode 100644 index 0000000..469b45e --- /dev/null +++ b/magic/Magdir/webassembly @@ -0,0 +1,17 @@ +#------------------------------------------------------------------------------ +# $File: webassembly,v 1.4 2022/08/16 11:16:39 christos Exp $ +# webassembly: file(1) magic for WebAssembly modules +# +# WebAssembly is a virtual architecture developed by a W3C Community +# Group at https://webassembly.org/. The file extension is .wasm, and +# the MIME type is application/wasm. +# +# https://webassembly.org/docs/binary-encoding/ is the main +# document describing the binary format. +# From: Pip Cet <pipcet@gmail.com> and Joel Martin + +0 string \0asm WebAssembly (wasm) binary module +>4 lelong =1 version %#x (MVP) +!:mime application/wasm +!:ext wasm +>4 lelong >1 version %#x diff --git a/magic/Magdir/windows b/magic/Magdir/windows new file mode 100644 index 0000000..f58ce3e --- /dev/null +++ b/magic/Magdir/windows @@ -0,0 +1,1822 @@ + +#------------------------------------------------------------------------------ +# $File: windows,v 1.63 2023/07/17 16:56:13 christos Exp $ +# windows: file(1) magic for Microsoft Windows +# +# This file is mainly reserved for files where programs +# using them are run almost always on MS Windows 3.x or +# above, or files only used exclusively in Windows OS, +# where there is no better category to allocate for. +# For example, even though WinZIP almost run on Windows +# only, it is better to treat them as "archive" instead. +# For format usable in DOS, such as generic executable +# format, please specify under "msdos" file. +# + + +# Summary: Outlook Express DBX file +# Created by: Christophe Monniez +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Outlook_Express_Database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbx.trid.xml +# https://sourceforge.net/projects/ol2mbox/files/LibDBX/ +# v1.0.4/libdbx_1.0.4.tar.gz/FILE-FORMAT +# Note: called "Outlook Express Database" by TrID and DROID via PUID fmt/838 fmt/839 +# and partly verified by `undbx --verbosity 4 Posteingang.dbx` +0 string \xCF\xAD\x12\xFE +# skip DROID fmt-838-signature-id-1193.dbx fmt-839-signature-id-1194.dbx by check for valid file size +>0x7C ulelong >0 MS Outlook Express DBX file +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-dbx +!:ext dbx +>>4 byte =0xC5 \b, message database +>>4 byte =0xC6 \b, folder database +>>4 byte =0xC7 \b, account information +>>4 byte =0x30 \b, offline database +# version like: 5.2 5.5 (typical) +>>20 ulequad !0x0000000500000005 \b, version +# major version +>>>24 ulelong x %u +# minor version +>>>20 ulelong x \b.%u +# CLSID: 6F74FDC5-E366-11d1-9A4E-00C04FA309D4~Message 6F74FDC6-E366-11D1-9A4E-00C04FA309D4~Folder +# 26FE9D30-1A8F-11D2-AABF-006097D474C4~offline +#>>4 guid x \b, CLSID %s +# file size; total size of file; sometimes real size a little bit higher +>>0x7C ulelong x \b, ~ %u bytes +# highest Email ID; the next email will have a number one higher than this +>>0x5c ulelong x \b, highest ID %#x +# item count; number of items stored in this DBX file +>>0xC4 ulelong x \b, %u item +# plural s +>>0xC4 ulelong !1 \bs +# index pointer; file offset pointing to a page of Data Indexes +>>0xE4 ulelong >0 \b, index pointer %#x + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Nickfile +# https://www.nirsoft.net/utils/outlook_nk2_edit.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nk2.trid.xml +# https://github.com/libyal/libnk2/blob/main/documentation +# Nickfile%20(NK2)%20format.asciidoc +# Note: called "Outlook Nickfile" by TrID & TestDisk and +# "Outlook Nickname File" by Microsoft Outlook and +# "Outlook AutoComplete File" by Nirsoft NK2Edit +# partly verfied by NK2Edit Raw Text Edit Mode +0 ubelong 0x0DF0ADBA MS Outlook Nickfile +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-nickfile +!:ext nk2/dat/bak +# nick is used by "older" Outlook; dat is used by "newer" Outlook (probably 2010 - 2016); bak is used for backup +#!:ext nick/nk2/dat/bak +# Unknown; probably a version indicator like: 0000000Ah 0000000Ch +>4 ulelong x \b, probably version %u +# Unknown2; probably a version indicator like: 1 0 +>8 ulelong x \b.%u +# number of rows (nickname or alias items) in file +>12 ulelong x \b, %u items +# number of item entries/columns/properties value like: 17h +>16 ulelong x \b, %u entries +# value type/property tag: 001Fh~4 bytes for data size of UTF-16 LE string +>20 uleshort x \b, value type %#4.4x +# entry type/property identifier: 6001h~PR_DOTSTUFF_STATE/PR_NICK_NAME_W +>22 uleshort x \b, entry type %#4.4x +# Reserved like: 0013FD90h +#>24 ulelong x \b, reserved %#8.8x +# value data array/Irrelevant Union like: 0000000004E31A80h +#>28 ulequad x \b, data %#16.16llx +# UTF-16 +>20 uleshort =0x001F +# unicode string bytes like: 2Ch +>>36 ulelong x \b, %u bytes +# unicode string value PT_UNICODE like: janesmith@contoso.org +>>40 lestring16 x "%s" + +# Summary: Windows crash dump +# Created by: Andreas Schuster (https://computer.forensikblog.de/) +# https://web.archive.org/web/20101125060849/https://computer.forensikblog.de/en/2008/02/64bit_magic.html +# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) +# Modified by (2): Joerg Jenderek (addtional fields, extension, URL) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp.trid.xml +# https://gitlab.com/qemu-project/qemu/-/blob/master/include/qemu/win_dump_defs.h +# Note: called "Windows memory dump" by TrID +# and verified by like Windows Kit `Dumpchk.exe 043022-18703-01.dmp` +# and partly by NirSoft `BlueScreenView.exe 043022-18703-01.dmp` +# char Signature[4] +0 string PAGE +# char ValidDump[4] +>4 string DUMP MS Windows 32bit crash dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: Mini111013-01.dmp +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 2600 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 709000 +#>>16 ulelong x \b, DirectoryTableBase %#x +# PfnDatabase like: 805620c8 +#>>20 ulelong x \b, PfnDatabase %#x +# PsLoadedModuleList like: 8055d720 +#>>24 ulelong x \b, PsLoadedModuleList %#x +# PsActiveProcessHead like:805638b8 +#>>28 ulelong x \b, PsActiveProcessHead %#x +# MachineImageType like: 14c (intel x86) +>>32 ulelong !0x14c \b, MachineImageType %#x +# NumberProcessors like: 2 +>>36 ulelong x \b, %u processors +# BugcheckCode like: e2 +#>>40 ulelong x \b, BugcheckCode %#x +# BugcheckParameter1 like: 0 +#>>44 ulelong x \b, BugcheckParameter1 %#x +# BugcheckParameter2 like: 0 +#>>48 ulelong x \b, BugcheckParameter2 %#x +# BugcheckParameter3 like: 0 +#>>52 ulelong x \b, BugcheckParameter3 %#x +# BugcheckParameter4 like: 0 +#>>56 ulelong x \b, BugcheckParameter4 %#x +# VersionUser[32]; like "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>60 string x \b, VersionUser "%.32s" +# uint32_t reserved0 like: 45474101 +#>>92 ulelong x \b, reserved0 %#x +>>0x05c byte 0 \b, no PAE +>>0x05c byte 1 \b, PAE +# KdDebuggerDataBlock like: 8054d2e0 +#>>96 ulelong x \b, KdDebuggerDataBlock %#x +# uint8_t PhysicalMemoryBlockBuffer[700] +# WinDumpPhyMemDesc32 NumberOfRuns like: 45474150 +#>>100 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +#>>104 ulelong x \b, NumberOfPages %#x +# WinDumpPhyMemRun32 Run[86]; 688 bytes +#>>108 ulelong x \b, BasePage %#x +#>>112 ulelong x \b, PageCount %#x +# uint8_t reserved1[3200] +#>>800 string x \b, reserved "%s" +#>>4000 ulelong x \b, RequiredDumpSpace %#x +# uint8_t reserved2[92]; +#>>4004 string x \b, reserved2 "%s" +>>0xf88 lelong 1 \b, full dump +>>0xf88 lelong 2 \b, kernel dump +>>0xf88 lelong 3 \b, small dump +# like: 4 +>>0xf88 lelong >3 \b, dump type (%#x) +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! +#>>104 ulelong x \b, NumberOfPages %#x +>>0x068 lelong x \b, %d pages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp-64.trid.xml113o +# Note: called "Windows 64bit Memory Dump" by TrID +# char ValidDump[4] +>4 string DU64 MS Windows 64bit crash dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: c:\Windows\Minidump\020322-18890-01.dmp c:\Windows\MEMORY.DMP +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 9600 19041 22621 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 001ab000 +#>>16 ulequad x \b, DirectoryTableBase %#llx +# PfnDatabase like: fffffa8000000000 +#>>24 ulequad x \b, PfnDatabase %#llx +# PsLoadedModuleList like: fffff800c553f650 +#>>32 ulequad x \b, PsLoadedModuleList %#llx +# PsActiveProcessHead like: fffff800c5525400 +#>>40 ulequad x \b, PsActiveProcessHead %#llx +# MachineImageType like: 00008664 +>>48 ulelong !0x8664 \b, MachineImageType %#x +# NumberProcessors like: 2 4 +>>52 ulelong x \b, %u processors +# BugcheckCode like: 1000007e +#>>56 ulelong x \b, BugcheckCode %#x +# unused0 +#>>60 ulelong x \b, unused0 %#x +# BugcheckParameter1 like: ffffffffc0000005 +#>>64 ulequad x \b, BugcheckParameter1 %#llx +# BugcheckParameter2 like: fffff801abb2158f +#>>72 ulequad x \b, BugcheckParameter2 %#llx +# BugcheckParameter3 like: ffffd000290d4288 +#>>80 ulequad x \b, BugcheckParameter3 %#llx +# BugcheckParameter4 like: ffffd000290d3aa0 +#>>88 ulequad x \b, BugcheckParameter4 %#llx +# VersionUser[32]; like "" "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>96 string x \b, VersionUser "%.32s" +# KdDebuggerDataBlock like: fffff800c550c530 +#>>128 ulequad x \b, KdDebuggerDataBlock %#llx +# uint8_t PhysicalMemoryBlockBuffer[704] +# WinDumpPhyMemDesc64 NumberOfRuns like: 6 7 0x45474150 +#>>136 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc64 unused like: 0 0x45474150 +#>>140 ulelong x \b, unused %#x +# WinDumpPhyMemRun64 Run[43] BasePage like: 1 +#>>152 ulequad x \b, BasePage %#llx +# WinDumpPhyMemRun64 Run[43] PageCount like: 57h +#>>160 ulequad x \b, PageCount %#llx +# uint8_t ContextBuffer[3000] like: "" "\001" "\0207J\266\001\340\377\377&8\007\312" +#>>840 string x \b, ContextBuffer "%s" +# WinDumpExceptionRecord ExceptionCode +#>>3840 ulelong x \b, ExceptionCode %#x +# WinDumpExceptionRecord ExceptionFlags +#>>3844 ulelong x \b, ExceptionFlags %#x +# WinDumpExceptionRecord ExceptionRecord +#>>3848 ulequad x \b, ExceptionRecord %#llx +# WinDumpExceptionRecord ExceptionAddress +#>>3856 ulequad x \b, ExceptionAddress %#llx +# WinDumpExceptionRecord NumberParameters +#>>3864 ulelong x \b, NumberParameters %#x +# WinDumpExceptionRecord unused +#>>3868 ulelong x \b, unsed %#x +# WinDumpExceptionRecord ExceptionInformation[15] +#>>3872 ulequad x \b, ExceptionInformation[0] %#llx +# https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options +# but DumpType like: 4~small 5~full (MEMORY.DMP) 6~kernel (MEMORY.DMP) +>>0xf98 ulelong x \b, +>>>0xf98 lelong 5 full dump +>>>0xf98 lelong 6 kernel dump +>>>0xf98 lelong 4 small dump +# This probably never occur +>>>0xf98 default x DumpType +>>>>0xf98 ulelong x (%#x) +# WinDumpPhyMemDesc64 uint64_t NumberOfPages like: 3142425 8341923 8366500 1162297680 4992030524978970960 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! +>>0x090 lequad x \b, %lld pages + +# Summary: Vista Event Log +# Created by: Andreas Schuster (https://computer.forensikblog.de/) +# Update: Joerg Jenderek +# URL: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc +# Reference (1): https://web.archive.org/web/20110803085000/ +# https://computer.forensikblog.de/en/2007/05/some_magic.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/evtx.trid.xml +# Note: called "Vista Event Log" by TrID and "Event Log" by Windows +# verified partly by `wevtutil.exe gli /lf:true dumpfile.evtx` +0 string ElfFile\0 MS Windows +#!:mime application/octet-stream +!:mime application/x-ms-evtx +!:ext evtx +# Major+Minor format version: 3.1~Vista and later 3.2~Windows 10 (2004) and later +>0x24 ulelong =0x00030001 Vista-8.1 Event Log +>0x24 ulelong !0x00030001 10-11 Event Log, version +>>0x26 uleshort x %u +>>0x24 uleshort x \b.%u +>0x2a leshort x \b, %d chunks +>>0x10 lelong x \b (no. %d in use) +>0x18 lelong >1 \b, next record no. %d +>0x18 lelong =1 \b, empty +>0x78 lelong &1 \b, DIRTY +>0x78 lelong &2 \b, FULL + +# Summary: Windows Event Trace Log +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ETL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/etl.trid.xml +# https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.htm +# Note: called "Window tracing/diagnostic binary log" by TrID +# verified by `tracerpt.EXE Wifi.etl -of EVTX` +# and by etl-parser `etl2xml --input AMSITrace.etl --output AMSITrace.xml` +# Every ETL file begins with a WMI_BUFFER_HEADER, a SYSTEM_TRACE_HEADER and a TRACE_LOGFILE_HEADER +0 ubyte 0 +# look for corresponding encoded as UTF-16 file name extension like in: boot_BASE+CSWITCH_1.etl +>0 search/0x699087/b .\0e\0t\0l\0\0\0 +# GRR: line above only works if in ../../src/file.h FILE_BYTES_MAX is raised above 699086h (6,59 MiB) +>>0 use trace-etl +# display information of Windows Performance Analyzer Trace File (file name) +0 name trace-etl +>0 ubyte x Windows Event Trace Log +#!:mime application/x-ms-etl +# http://extension.nirsoft.net/etl +!:mime application/etl +!:ext etl +# look for DOS drive letter part of log file name like: PhotosAppTracing_startedInBGMode.etl +>0 search/0x2b4/sb :\0\x5c\0 +# like: "c:\Windows\Logs\NetSetup\service.0.etl" "C:\Windows\System32\LogFiles\WMI\Wifi.etl" +>>&-2 lestring16 x "%s" + +# Summary: Windows System Deployment Image +# Created by: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/System_Deployment_Image +# Reference: http://skolk.livejournal.com/1320.html +0 string $SDI +>4 string 0001 System Deployment Image +!:mime application/x-ms-sdi +#!:mime application/octet-stream +# \Boot\boot.sdi +!:ext sdi +# MDBtype: 0~Unspecified 1~RAM 2~ROM +>>8 ulequad !0 \b, MDBtype %#llx +# BootCodeOffset +>>16 ulequad !0 \b, BootCodeOffset %#llx +# BootCodeSize +>>24 ulequad !0 \b, BootCodeSize %#llx +# VendorID +>>32 ulequad !0 \b, VendorID %#llx +# DeviceID +>>40 ulequad !0 \b, DeviceID %#llx +# DeviceModel +>>48 ulequad !0 \b, DeviceModel %#llx +>>>56 ulequad !0 \b%llx +# DeviceRole +>>64 ulequad !0 \b, DeviceRole %#llx +# Reserved1; reserved fields and gaps between BLOBs are padded with \0 +#>>72 ulequad !0 \b, Reserved1 %#llx +# RuntimeGUID +>>80 ulequad !0 \b, RuntimeGUID %#llx +>>>88 ulequad !0 \b%llx +# RuntimeOEMrev +>>96 ulequad !0 \b, RuntimeOEMrev %#llx +# Reserved2 +#>>104 ulequad !0 \b, Reserved2 %#llx +# BLOB alignment value in pages, as specified in sdimgr /pack: 1~4K 2~8k +>>112 ulequad !0 \b, PageAlignment %llu +# Reserved3[48] +#>>120 ulequad !0 \b, Reserved3 %#llx +# SDI checksum 39h +>>0x1f8 ulequad x \b, checksum %#llx +# BLOBtype[8] \0-padded: PART, WIM , BOOT, LOAD, DISK +>>0x400 string >\0 \b, type %-3.8s +# 0~non-filesystem 7~NTFS 6~BIGFAT +>>>0x420 ulequad !0 (%#llx) +# ATTRibutes +>>>0x408 ulequad !0 %#llx attributes +# Offset +>>>0x410 ulequad x at %#llx +# print 1 space after size and then handles NTFS boot sector by ./filesystems +>>>0x418 ulequad >0 %llu bytes +>>>>(0x410.l) indirect x +# 2nd BLOB: WIM +>>0x440 string >\0 \b, type %-3.8s +>>>0x428 ulequad !0 (%#llx) +# ATTRibutes +>>>0x448 ulequad !0 %#llx attributes +# Offset +>>>0x450 ulequad x at %#llx +>>>0x458 ulequad >0 %llu bytes +>>>>(0x450.l) indirect x +# 3rd BLOB +>>0x480 string >\0 \b, type %-3.8s + +# Summary: Windows boot status log BOOTSTAT.DAT +# From: Joerg Jenderek +# Reference: https://www.geoffchappell.com/notes/windows/boot/bsd.htm +# Note: mainly refers to older Windows Vista, sometimes +# BOOTSTAT.DAT only contains nulls or invalid data +# checking for valid version below 5 +0 ulelong <5 +# skip many ISO images by checking for valid 64 KiB file size +>8 ulelong =0x00010000 +>>0 use bootstat-dat +# display information of BOOTSTAT.DAT +0 name bootstat-dat +>0 ulelong x Windows boot log +#!:mime application/octet-stream +!:mime application/x-ms-dat +# BOOTSTAT.DAT in BOOT subdirectory +!:ext dat +# apparently a version number: 2 for older like Vista, 3, 4 Windows 10 +>0 ulelong >2 \b, version %u +# apparently the size of the header: often 10h in older Windows, 14h, 18h +>4 ulelong !0x10 \b, header size %#x +#>4 ulelong !0x10 \b, header size %u +# apparently the size of the file: always 0x00010000~64KiB +# the file is acceptable to BOOTMGR only if it is exactly 64 KiB +>8 ulelong !0x00010000 \b, file size %#x +# size of valid data, in bytes: C8h 50h 172h 5D5Ch +>0xc ulelong x \b, %#x valid bytes +# skip header and jump to first bootstat entry and display information +>(0x4.l-1) ubyte x +>>&0 use bootstat-entry +# jump to first entry again because pointer are bad after "use" +>(0x4.l-1) ubyte x +# by 1st entry size jump to 2nd entry and display information +>>&(&0x18.l-1) ubyte x +>>>&0 use bootstat-entry +# jump to possible 3rd boot entry and display information +# >(0x4.l-1) ubyte x +# >>&(&0x18.l-1) ubyte x +# >>>&(&0x18.l-1) ubyte x +# >>>>&0 use bootstat-entry +# display BOOTSTAT.DAT entry +0 name bootstat-entry +#>0x00 ubequad x \b, ENTRY %16.16llx +# size of entry, in bytes: 40h(init) 78h(launced) 9Ch +#>0x18 ulelong x \b; entry size %u +>0x18 ulelong x \b; entry size %#x +# time stamp, in seconds +>0x00 ulelong x \b, %#x seconds +# always zero, significance unknown +>0x04 ulelong !0 \b, not null %u +# GUID of event source; but empty if event source is BOOTMGR +>0x08 ubequad !0 \b, GUID %#16.16llx +>>0x10 ubequad x \b%16.16llx +# severity code: 1~informational 3~errors +>0x1C ulelong !1 \b, severity %#x +# apparently a version number: 2 +>0x20 ulelong !2 \b, version %u +# event identifier 1~log file initialised 11h~boot application launched +#>0x24 ulelong x \b, event %#x +>0x24 ulelong !1 +>>0x24 ulelong !0x11 \b, event %#x +# entry data; size depends on event identifier +#>0x28 ubequad x \b, data %#16.16llx +>0x24 ulelong =0x1 \b, Init +# always 0, significance unknown +>>0x34 uleshort !0 \b, not null %u +# always 7, significance unknown +>>0x36 uleshort !7 \b, not seven %u +# year +>>0x28 uleshort x %u +# month +>>0x2A uleshort x \b-%u +# day +>>0x2C uleshort x \b-%u +# hour +>>0x2E uleshort x %u +# minute +>>0x30 uleshort x \b:%u +# second +>>0x32 uleshort x \b:%u +# boot application launched +>0x24 ulelong =0x11 \b, launched +# type of start: 0 normally, 1 or 2 maybe in a recovery sequence +>>0x38 uleshort !0 \b, type %u +# pathname of boot application, as null-terminated Unicode string; typically +# \Windows\system32\winload.exe \Windows\system32\winload.efi +>>0x3C lestring16 x %s + +# Summary: Windows Error Report text files +# URL: https://en.wikipedia.org/wiki/Windows_Error_Reporting +# Reference: https://www.nirsoft.net/utils/app_crash_view.html +# Created by: Joerg Jenderek +# Note: in directories %ProgramData%\Microsoft\Windows\WER\{ReportArchive,ReportQueue} +# %LOCALAPPDATA%\Microsoft\Windows\WER\{ReportArchive,ReportQueue} +0 lestring16 Version= +>22 lestring16 EventType Windows Error Report +!:mime text/plain +# Report.wer +!:ext wer + +# Summary: Windows 3.1 group files +# Extension: .grp +# Created by: unknown +0 string \120\115\103\103 MS Windows 3.1 group files + + +# Summary: Old format help files +# URL: https://en.wikipedia.org/wiki/WinHelp +# Reference: https://www.oocities.org/mwinterhoff/helpfile.htm +# Update: Joerg Jenderek +# Created by: Dirk Jagdmann <doj@cubic.org> +# +# check and then display version and date inside MS Windows HeLP file fragment +0 name help-ver-date +# look for Magic of SYSTEMHEADER +>0 leshort 0x036C +# version Major 1 for right file fragment +>>4 leshort 1 Windows +# print non empty string above to avoid error message +# Warning: Current entry does not yet have a description for adding a MIME type +!:mime application/winhelp +!:ext hlp +# version Minor of help file format is hint for windows version +>>>2 leshort 0x0F 3.x +>>>2 leshort 0x15 3.0 +>>>2 leshort 0x21 3.1 +>>>2 leshort 0x27 x.y +>>>2 leshort 0x33 95 +>>>2 default x y.z +>>>>2 leshort x %#x +# to complete message string like "MS Windows 3.x help file" +>>>2 leshort x help +# GenDate often older than file creation date +>>>6 ldate x \b, %s +# +# Magic for HeLP files +0 lelong 0x00035f3f +# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" +# file header magic 0x293B at DirectoryStart+9 +>(4.l+9) uleshort 0x293B MS +# look for @VERSION bmf.. like IBMAVW.ANN +>>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation +!:mime application/x-winhelp +!:ext ann +>>0xD4 string !\x62\x6D\x66\x01\x00 +# "GID Help index" by TrID +>>>(4.l+0x65) string =|Pete Windows help Global Index +!:mime application/x-winhelp +!:ext gid +# HeLP Bookmark or +# "Windows HELP File" by TrID +>>>(4.l+0x65) string !|Pete +# maybe there exist a cleaner way to detect HeLP fragments +# brute search for Magic 0x036C with matching Major maximal 7 iterations +# discapp.hlp +>>>>16 search/0x49AF/s \x6c\x03 +>>>>>&0 use help-ver-date +>>>>>&4 leshort !1 +# putty.hlp +>>>>>>&0 search/0x69AF/s \x6c\x03 +>>>>>>>&0 use help-ver-date +>>>>>>>&4 leshort !1 +>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>&0 use help-ver-date +>>>>>>>>>&4 leshort !1 +>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +# GCC.HLP is detected after 7 iterations +>>>>>>>>>>>>>>>>>&0 use help-ver-date +# this only happens if bigger hlp file is detected after used search iterations +>>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help +!:mime application/winhelp +!:ext hlp +# repeat search again or following default line does not work +>>>>16 search/0x49AF/s \x6c\x03 +# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) +>>>>16 default x Windows help Bookmark +!:mime application/x-winhelp +!:ext bmk +## FirstFreeBlock normally FFFFFFFFh 10h for *ANN +##>>8 lelong x \b, FirstFreeBlock %#8.8x +# EntireFileSize +>>12 lelong x \b, %d bytes +## ReservedSpace normally 042Fh AFh for *.ANN +#>>(4.l) lelong x \b, ReservedSpace %#8.8x +## UsedSpace normally 0426h A6h for *.ANN +#>>(4.l+4) lelong x \b, UsedSpace %#8.8x +## FileFlags normally 04... +#>>(4.l+5) lelong x \b, FileFlags %#8.8x +## file header magic 0x293B +#>>(4.l+9) uleshort x \b, file header magic %#4.4x +## file header Flags 0x0402 +#>>(4.l+11) uleshort x \b, file header Flags %#4.4x +## file header PageSize 0400h 80h for *.ANN +#>>(4.l+13) uleshort x \b, PageSize %#4.4x +## Structure[16] z4 +#>>(4.l+15) string >\0 \b, Structure_"%-.16s" +## MustBeZero 0 +#>>(4.l+31) uleshort x \b, MustBeZero %#4.4x +## PageSplits +#>>(4.l+33) uleshort x \b, PageSplits %#4.4x +## RootPage +#>>(4.l+35) uleshort x \b, RootPage %#4.4x +## MustBeNegOne 0xffff +#>>(4.l+37) uleshort x \b, MustBeNegOne %#4.4x +## TotalPages 1 +#>>(4.l+39) uleshort x \b, TotalPages %#4.4x +## NLevels 0x0001 +#>>(4.l+41) uleshort x \b, NLevels %#4.4x +## TotalBtreeEntries +#>>(4.l+43) ulelong x \b, TotalBtreeEntries %#8.8x +## pages of the B+ tree +#>>(4.l+47) ubequad x \b, PageStart %#16.16llx + +# start with colon or semicolon for comment line like Back2Life.cnt +0 regex \^(:|;) +# look for first keyword Base +>0 search/45 :Base +>>&0 use cnt-name +# only solution to search again from beginning , because relative offsets changes when use is called +>0 search/45 :Base +>0 default x +# look for other keyword Title like in putty.cnt +>>0 search/45 :Title +>>>&0 use cnt-name +# +# display mime type and name of Windows help Content source +0 name cnt-name +# skip space at beginning +>0 string \040 +# name without extension and greater character or name with hlp extension +>>1 regex/c \^([^\xd>]*|.*\\.hlp) MS Windows help file Content, based "%s" +!:mime text/plain +!:apple ????TEXT +!:ext cnt +# +# Windows creates a full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing +0 string tfMR MS Windows help Full Text Search index +!:mime application/x-winhelp-fts +!:ext fts +>16 string >\0 for "%s" + +# Summary: Hyper terminal +# Created by: unknown +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/HyperACCESS +# https://www.hilgraeve.com/hyperterminal/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/ht.trid.xml +# Note: called "HyperTerminal data file" by TrID and "HyperTerminal File" on English Windows +0 string HyperTerminal\040 +>14 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +#!:mime application/octet-stream +!:mime application/x-ms-ht +!:ext ht + +# https://ithreats.files.wordpress.com/2009/05/\040 +# lnk_the_windows_shortcut_file_format.pdf +# Summary: Windows shortcut +# Created by: unknown +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Shortcut +# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnk-shortcut.trid.xml +# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf +# Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/428 and "Windows shortcut file" by ./msdos (v 1.158) +# partly verified by command like `lnkinfo AOL.lnk` +# 'L' + GUUID +# HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046 +0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut +!:mime application/x-ms-shortcut +!:ext lnk +# LinkFlags +# HasLinkTargetIDList; if set a LinkTargetIDList structure MUST follow the ShellLinkHeader; If is not set, structure MUST NOT be present +>20 lelong&1 1 \b, Item id list present +# HasLinkInfo; if set a LinkInfo structure MUST follow the ShellLinkHeader or LinkTargetIDList; If is not set, structure MUST NOT be present +>20 lelong&2 2 \b, Points to a file or directory +>20 lelong&4 4 \b, Has Description string +>20 lelong&8 8 \b, Has Relative path +>20 lelong&16 16 \b, Has Working directory +>20 lelong&32 32 \b, Has command line arguments +>20 lelong&64 64 \b, Icon +# IconIndex +>>56 lelong x \b number=%d +# IsUnicode; If set then StringData section contains Unicode-encoded strings +>20 lelong&128 128 \b, Unicoded +# ForceNoLinkInfo; LinkInfo structure is ignored +>20 lelong&256 256 \b, NoLinkInfo +# HasExpString; with an EnvironmentVariableDataBlock +>20 lelong&512 512 \b, HasEnvironment +# look for BlockSize 314h and EnvironmentVariableDataBlock BlockSignature A0000001h +>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes): optional NULL-terminated path to same environment variable Unicode encoded +# like: "%windir%\system32\calc.exe" +>>>&260 lestring16 x "%s" +# RunInSeparateProcess; run in a separate virtual machine when launching a 16-bit application; no examples found +>20 lelong&1024 1024 \b, RunInSeparateProcess +# Unused1; undefined and MUST be ignored +#>20 lelong&2048 2048 \b, Unused1 +# HasDarwinID; with a DarwinDataBlock +>20 lelong&4096 4096 \b, HasDarwinID +# look for BlockSize 314h and DarwinDataBlock BlockSignature A0000006h +>>76 search/1972 \x14\x03\x00\x00\x06\x00\x00\xa0 +# DarwinDataAnsi (260 bytes); NULL-terminated application identifier encoded with system default code page; SHOULD be ignored +#>>>&0 string x '%s' +# DarwinDataUnicode (520 bytes); NULL-terminated application identifier Unicode encoded +>>>&260 lestring16 x "%s" +# RunAsUser; target application is run as a different user +>20 lelong&8192 8192 \b, RunAsUser +# HasExpIcon; with an IconEnvironmentDataBlock +>20 lelong&16384 16384 \b, HasExpIcon +# look for BlockSize 314h and IconEnvironmentDataBlock BlockSignature A0000007h +>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment icon variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes); optional NULL-terminated path to same icon environment variable Unicode encoded +# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico" +>>>&260 lestring16 x "%s" +# NoPidlAlias; represented in the shell namespace; no examples found +>20 lelong&32768 32768 \b, NoPidlAlias +# Unused2; undefined and MUST be ignored +#>20 lelong&65536 65536 \b, Unused2 +# RunWithShimLayer; with a ShimDataBlock; no examples found +>20 lelong&131072 131072 \b, RunWithShimLayer +# ForceNoLinkTrack; TrackerDataBlock is ignored; no examples found +>20 lelong&262144 262144 \b, ForceNoLinkTrack +>20 lelong&262144 0 +# look for BlockSize 60h, TrackerDataBlock BlockSignature A0000003h, it length 58h and Version 0 +>>76 search/1972 \x60\x00\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\0\0\0\0 +# MachineID (16 bytes); a NULL-terminated NetBIOS name encoded with system default code page of the machine +>>>&0 string x \b, MachineID %0.16s +# Droid (32 bytes) +# +# DroidBirth (32 bytes) +# +# EnableTargetMetadata; collect target properties and store in PropertyStoreDataBlock +>20 lelong&524288 524288 \b, EnableTargetMetadata +# look for BlockSize >= Ch, PropertyStoreDataBlock BlockSignature A0000009h +#>>76 search/1972 \x00\x00\x09\x00\x00\xa0 +# PropertyStore (variable) +# +# DisableLinkPathTracking; EnvironmentVariableDataBlock is ignored; no examples found +>20 lelong&1048576 1048576 \b, DisableLinkPathTracking +# DisableKnownFolderTracking; SpecialFolderDataBlock and KnownFolderDataBlock are ignored and not saved +>20 lelong&2097152 2097152 \b, DisableKnownFolderTracking +>20 lelong&2097152 0 +# look for BlockSize 1Ch and KnownFolderDataBlock BlockSignature A000000Bh +>>76 search/1972 \x1c\x00\x00\x00\x0B\x00\x00\xa0 +# https://learn.microsoft.com/en-us/dotnet/desktop/winforms/controls/known-folder-guids-for-file-dialog-custom-places +# KnownFolderID specifies the folder GUID ID +# ProgramFiles 905E63B6-C1BF-494E-B29C-65B732D3D21A +# ProgramFilesX86 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E +>>>&0 guid x KnownFolderID %s +# DisableKnownFolderAlias; unaliased form of the known folder IDList SHOULD be used; no examples found +>20 lelong&4194304 4194304 \b, DisableKnownFolderAlias +# AllowLinkToLink; link that references another link is enabled; no examples found +>20 lelong&8388608 8388608 \b, AllowLinkToLink +# UnaliasOnSave; unaliased form of that known folder or the target IDList SHOULD be used; no examples found +>20 lelong&16777216 16777216 \b, UnaliasOnSave +# PreferEnvironmentPath; path specified in the EnvironmentVariableDataBlock SHOULD be used +>20 lelong&33554432 33554432 \b, PreferEnvironmentPath +# KeepLocalIDListForUNCTarget; UNC name SHOULD be stored in local path IDList in PropertyStoreDataBlock; no examples found +>20 lelong&67108864 67108864 \b, KeepLocalIDListForUNCTarget +# FileAttributes +>24 lelong&1 1 \b, Read-Only +>24 lelong&2 2 \b, Hidden +>24 lelong&4 4 \b, System +# Reserved1; MUST be zero +>24 lelong&8 8 \b, Reserved1 +>24 lelong&16 16 \b, Directory +>24 lelong&32 32 \b, Archive +# Reserved2; MUST be zero +>24 lelong&64 64 \b, Reserved2 +>24 lelong&128 128 \b, Normal +>24 lelong&256 256 \b, Temporary +# no examples found +>24 lelong&512 512 \b, Sparse +# no examples found +>24 lelong&1024 1024 \b, Reparse point +>24 lelong&2048 2048 \b, Compressed +>24 lelong&4096 4096 \b, Offline +# FILE_ATTRIBUTE_NOT_CONTENT_INDEXED; contents need to be indexed +>24 lelong&8192 8192 \b, NeedIndexed +# FILE_ATTRIBUTE_ENCRYPTED; file or directory is encrypted +>24 lelong&16384 16384 \b, Encrypted +# value zero means there is no time set on the target +>28 leqwdate !0 \b, ctime=%s +# Access time of target in UTC +>36 leqwdate !0 \b, atime=%s +# write time of target in UTC +>44 leqwdate !0 \b, mtime=%s +# FileSize; 32 bit size of target in bytes +>52 lelong x \b, length=%u, window= +# ShowCommand; 1~SW_SHOWNORMAL 3~SW_SHOWMAXIMIZED HerzlichMEDION.lnk 7~SW_SHOWMINNOACTIVE YaCy.lnk Privoxy.lnk; All other values like 2 MUST be treated as SW_SHOWNORMAL +#>60 lelong x ShowCommand=%#x +>60 lelong x +>>60 lelong 3 \bshowmaximized +>>60 lelong 7 \bshowminnoactive +>>60 default x \bnormal +# Hotkey +>64 uleshort >0 \b, hot key +# 41h~A 42h~B ... +>>64 ubyte x %c +# modifier keys: 0x01~HOTKEYF_SHIFT 0x02~HOTKEYF_CONTROL 0x04~HOTKEYF_ALT +>>65 ubyte&1 1 \b+SHIFT +>>65 ubyte&2 2 \b+CONTROL +>>65 ubyte&4 4 \b+ALT +# Reserved; MUST be zero +#>66 uleshort !0 \b, reserved %#x +# Reserved2; MUST be zero +#>68 ulelong !0 \b, reserved2 %#x +# Reserved3; MUST be zero +#>72 ulelong !0 \b, reserved3 %#x +# optional LINKTARGET_IDLIST if LinkFlags bit HasLinkTargetIDList is set +>20 lelong&1 1 +# IDListSize; size of IDList +>>76 uleshort x \b, IDListSize %#4.4x +# 1st item +>>78 use lnk-item +# 2nd possible item +>>(78.s+78) uleshort >0 +>>>(78.s+78) use lnk-item +# 3rd possible item +>>>&(&-2.s-2) uleshort >0 +>>>>&-2 use lnk-item +# 4th possible item +>>>>&(&-2.s-2) uleshort >0 +>>>>>&-2 use lnk-item +# Because HasLinkInfo is set, a LinkInfo structure follows +>20 lelong&2 2 +# if no LINKTARGET_IDLIST (no HasLinkTargetIDList) then direct after header; no example found +>>20 lelong&1 =0 +>>>76 use lnk-info +# if LINKTARGET_IDLIST (HasLinkTargetIDList) then after LINKTARGET_IDLIST by addtional IDListSize bytes +>>20 lelong&1 =1 +>>>76 uleshort >0 +#>>>>(76.s+78) use lnk-info +>>>>(76.s+78) ubelong x +# move pointer to beginnig of LinkInfo structure +>>>>>&-8 ubelong x +#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x +>>>>>>&(&16.l) string x \b, LocalBasePath "%s" +# check and then display link item (size,data) +0 name lnk-item +# size value 0x0000 means TerminalID; indicates the end of the item IDs list +>0 uleshort >0 +#>>0 uleshort x \b, ItemIDSize %#4.4x +# item Data +#>>2 ubequad x \b, Item data=%#16.16llx +#>>2 ubyte x \b, Item type=%#x +>>2 ubyte =0x1f \b, Root folder +# like: "26EE0668-A00A-44D7-9371-BEB064C98683" Control Panel +# "20D04FE0-3AEA-1069-A2D8-08002B30309D" My Computer +# "871C5380-42A0-1069-A2EA-08002B30309D" Internet Explorer +>>>4 guid x "%s" +>>2 ubyte =0x2f \b, Volume +# like: "C:\" "D:\" +>>>3 string x "%s" +# Control panel category +#>>2 ubyte foo \b, Control panel category +# display LinkInfo structure (size,flags,offsets) +0 name lnk-info +# LinkInfoSize; size of the LinkInfo structure +>0 ulelong x \b, LinkInfoSize %#x +# LinkInfoHeaderSize; if 1C no optional fields; >=24 optional fields are specified +>4 ulelong x \b, LinkInfoHeaderSize %#x +# LinkInfoFlags; +#>8 ulelong x \b, LinkInfoFlags=%#x +>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath +# VolumeIDOffset; location of the VolumeID field (VolumeIDSize DriveType DriveSerialNumber VolumeLabelOffset ... ) inside LinkInfo structure +>>12 ulelong x \b, VolumeIDOffset %#x +# LocalBasePathOffset; location of LocalBasePath field like "C:\test\a.txt" inside LinkInfo structure +>>16 ulelong x \b, LocalBasePathOffset %#x +# LocalBasePathOffsetUnicode; location of the LocalBasePathUnicode field inside LinkInfo structure +>>4 ulelong >23 +>>>28 ulelong x \b, LocalBasePathOffsetUnicode %#x +>8 ulelong&2 2 \b, CommonNetworkRelativeLinkAndPathSuffix +# CommonNetworkRelativeLinkOffset; location of the CommonNetworkRelativeLink field inside LinkInfo structure +>>20 ulelong x \b, CommonNetworkRelativeLinkOffset %#x +# CommonPathSuffixOffset; location of CommonPathSuffix field +>24 ulelong x \b, CommonPathSuffixOffset %#x +# CommonPathSuffixOffsetUnicode; location of CommonPathSuffixUnicode field inside LinkInfo structure +>4 ulelong >23 +>>32 ulelong x \b, CommonPathSuffixOffsetUnicode %#x + +# Summary: Outlook Personal Folders +# Created by: unknown +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Personal_Folder_File +# https://en.wikipedia.org/wiki/Personal_Storage_Table +# Reference: https://interoperability.blob.core.windows.net/files/MS-PST/%5bMS-PST%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# dwMagic !BDN +0 lelong 0x4E444221 +# skip DROID x-fmt-75-signature-id-472.pab x-fmt-248-signature-id-260.pst x-fmt-249-signature-id-261.pst +# by check for existance of bPlatformCreate value +>14 ubyte x Microsoft Outlook +#!:mime application/octet-stream +# NOT official registered ! +!:mime application/vnd.ms-outlook +# dwCRCPartial; 32-bit cyclic redundancy check (CRC) value of followin 471 bytes; zero for 64-bit +#>>4 ulelong !0 \b, CRC %#x +# wMagicClient; AB (4142h) is used for PAB files; SM (534Dh) is used for PST files; SO (534Fh) is used for OST files +#>>8 leshort x \b, wMagicClient=%#x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# Note: called "Microsoft Personal Address Book" by TrID and +# "Microsoft Outlook Personal Address Book" by DROID via x-fmt/75 +>>8 leshort 0x4142 Personal Address Book +#!:mime application/x-ms-pab +!:ext pab +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/p/pst-unicode.trid.xml +# Note: called "Microsoft OutLook Personal Folder" by TrID and +# by DROID via x-fmt/248 for ANSI and via x-fmt/249 for Unicode +#>>8 leshort 0x4D53 \b, PST~ +# called "Microsoft Outlook email folder" in ./windows version 1.37 and older +>>8 leshort 0x4D53 Personal Storage +#!:mime application/x-ms-pst +!:ext pst +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ost.trid.xml +# Note: called "Outlook Exchange Offline Storage" by TrID +>>8 leshort 0x4F53 Offline Storage +#!:mime application/x-ms-ost +!:ext ost +# wVer; file format version. 14 or 15 if the file is ANSI; > 21 or 23(=17h) if Unicode; 37 for written by Outlook with WIP +>>10 uleshort x ( +# probably NO intermediate versions exist +>>10 leshort <0x10 \b<=2002, ANSI, +>>10 leshort >0x14 \b>=2003, Unicode, +>>10 uleshort x version %u) +# wVerClient; client file format version like: 19 22 +#>>12 uleshort x \b, wVerClient=%u +# bPlatformCreate; This value MUST be set to 1 but also found 2 +>>14 ubyte >1 \b, bPlatformCreate=%u +# bPlatformAccess; This value MUST be set to 1 but also found 2 +>>15 ubyte >1 \b, bPlatformAccess=%u +# dwReserved1; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>16 ulelong !0 \b, dwReserved1=%#x +# dwReserved2; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>20 ulelong !0 \b, dwReserved2=%#x +# ANSI 32-bit variant Outlook 1997-2002 +>>10 uleshort <16 +# bidNextB; next BlockID (ANSI 4 bytes) +#>>>24 ulelong !0 \b, bidNextB=%#x +# bidNextP; Next available back BlockID pointer +#>>>28 ulelong !0 \b, bidNextP=%#x +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>32 ulelong !0 \b, dwUnique=%#x +# rgnid[128]; A fixed array of 32 NodeIDs, each corresponding to one of the 32 possible NID_TYPEs +#>>>36 ubequad x \b, rgnid=%#llx... +# dwReserved; Implementations SHOULD ignore this value and SHOULD NOT modify it; Initialized zero +>>>164 ulelong !0 \b, dwReserved=%#x +# ibFileEof; the size of the PST file, in bytes (ANSI 4 bytes) +>>>168 ulelong x \b, %u bytes +# ibAMapLast; offset to the last AMap page +#>>>172 ulelong x \b, ibAMapLast=%#x +# bSentinel; MUST be set to 0x80 +>>>460 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod: 0~No encryption 1~encryption with permutation 2~encryption with cyclic 16~encryption with Windows Information Protection (WIP) +>>>461 ubyte >0 \b, bCryptMethod=%u +# UNICODE 64-bit variant Outlook 2003-2007 +>>10 uleshort >20 +# bidUnused; Unused 8 bytes padding (Unicode only); sometimes like: 0x0000000100000004 +>>>24 ulequad !0x0000000100000004 \b, bidUnused=%#16.16llx +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>40 ulelong !0 \b, dwUnique=%#x +# rgnid[] (128 bytes): A fixed array of 32 NIDs, each corresponding to one of the 32 possible +#>>>44 ubequad x \b, rgnid=%#llx... +# ibFileEof; the size of the PST file, in bytes (Unicode 8 bytes) +>>>184 ulequad x \b, %llu bytes +# bSentinel; MUST be set to 0x80 +>>>512 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod; Encryption type like: 0 1 2 16 +>>>513 ubyte >0 \b, bCryptMethod=%u +# dwCRC; 32-bit CRC of the of the previous 516 bytes +>>>524 ulelong x \b, CRC32 %#x + + +# Summary: Windows help cache +# Created by: unknown +0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache + + +# Summary: IE cache file +# Created by: Christophe Monniez +0 string Client\ UrlCache\ MMF Internet Explorer cache file +>20 string >\0 version %s + + +# Summary: Registry files +# Created by: unknown +# Modified by (1): Joerg Jenderek +0 string regf MS Windows registry file, NT/2000 or above +0 string CREG MS Windows 95/98/ME registry file +0 string SHCC3 MS Windows 3.1 registry file + + +# Summary: Windows Registry text +# URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files +# Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry +# Submitted by: Abel Cheung <abelcheung@gmail.com> +# Update: Joerg Jenderek +# Windows 3-9X variant +0 string REGEDIT +# skip ASCII text like "REGEDITor.txt" but match +# L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL +>7 search/3 \n Windows Registry text +!:mime text/x-ms-regedit +!:ext reg +# Windows 9X variant +>>0 string REGEDIT4 (Win95 or above) +# Windows 2K ANSI variant +0 string Windows\ Registry\ Editor\ +>&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) +!:mime text/x-ms-regedit +!:ext reg +# Windows 2K UTF-16 variant +2 lestring16 Windows\ Registry\ Editor\ +>0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above) +# relative offset not working +#>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above) +!:mime text/x-ms-regedit +!:ext reg +# WINE variant +# URL: https://en.wikipedia.org/wiki/Wine_(software) +# Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html +# Note: WINE use text based registry (system.reg,user.reg,userdef.reg) +# instead binary hiv structure like Windows +0 string WINE\ REGISTRY\ Version\ WINE registry text +# version 2 +>&0 string x \b, version %s +!:mime text/x-wine-extension-reg +!:ext reg + +# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018 +# empty ,comment , section +# PR/383: remove unicode BOM because it is not portable across regex impls +#0 regex/s \\`(\\r\\n|;|[[]) +# empty line CRLF +0 ubeshort 0x0D0A +>0 use ini-file +# comment line starting with semicolon +0 string ; +# look for phrase of Windows policy ADMinistrative template (with starting remark) +# like: WINDOW_95_CD/TOOLS/RESKIT/netadmin/poledit/conf.adm +>1 search/3548 END\040CATEGORY +# ADM with remark (by adm-rem.trid.xml) already done by generic ASCII variant +# if no Windows policy ADMinistrative template then Windows INItialization +>1 default x +>>0 use ini-file +# section line starting with left bracket +0 string [ +>0 use ini-file +# check and then display Windows INItialization configuration +0 name ini-file +# look for left bracket in section line +>0 search/8192 [ +# https://en.wikipedia.org/wiki/Autorun.inf +# https://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx +# space after right bracket +# or AutoRun.Amd64 for 64 bit systems +# or only NL separator +>>&0 regex/c \^autorun +# but sometimes total commander directory tree file "treeinfo.wc" with lines like +# [AUTORUN] +# [boot] +>>>&0 string =]\r\n[ Total commander directory treeinfo.wc +!:mime text/plain +!:ext wc +# From: Pal Tamas <folti@balabit.hu> +# Autorun File +>>>&0 string !]\r\n[ Microsoft Windows Autorun file +!:mime application/x-setupscript +!:ext inf +# https://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx +# version strings ASCII coded case-independent for Windows setup information script file +>>&0 regex/c \^(version|strings)] Windows setup INFormation +!:mime application/x-setupscript +#!:mime application/x-wine-extension-inf +!:ext inf +# NETCRC.INF OEMCPL.INF +>>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation +!:mime application/x-setupscript +!:ext inf +# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm +# https://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx +# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent +>>&0 regex/1024c \^(\\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini +!:mime application/x-wine-extension-ini +#!:mime text/plain +# https://support.microsoft.com/kb/84709/ +>>&0 regex/c \^don't\ load] Windows CONTROL.INI +!:mime application/x-wine-extension-ini +!:ext ini +>>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI +!:mime application/x-wine-extension-ini +!:ext ini +# https://technet.microsoft.com/en-us/library/cc722567.aspx +# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm +>>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI +!:mime application/x-wine-extension-ini +!:ext ini +# https://en.wikipedia.org/wiki/SYSTEM.INI +>>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI +!:mime application/x-wine-extension-ini +!:ext ini +# http://www.mdgx.com/newtip6.htm +>>&0 regex/c \^SafeList] Windows IOS.INI +!:mime application/x-wine-extension-ini +!:ext ini +# https://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information +>>&0 regex/c \^boot\x20loader] Windows boot.ini +!:mime application/x-wine-extension-ini +!:ext ini +# https://en.wikipedia.org/wiki/CONFIG.SYS +>>&0 regex/c \^menu] MS-DOS CONFIG.SYS +# @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE +# CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYSTEM\MSCONFIG.EXE +# CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYSTEM\MSCONFIG.EXE +# dos and w40 used in dual booting scene +!:ext sys/dos/w40 +# https://support.microsoft.com/kb/118579/ +>>&0 regex/c \^Paths]\r\n MS-DOS MSDOS.SYS +!:ext sys/dos +# http://chmspec.nongnu.org/latest/INI.html#HHP +>>&0 regex/c \^options]\r\n Microsoft HTML Help Project +!:mime text/plain +!:ext hhp +# From: Joerg Jenderek +# URL: https://documentation.basis.com/BASISHelp/WebHelp/b3odbc/ODBC_Driver/obdcdriv_character_translation.htm +# Reference: https://www.garykessler.net/library/file_sigs.html +# http://mark0.net/download/triddefs_xml.7z/defs/c/cpx.trid.xml +# Note: stored in directory %WINDIR%\SysWOW64 or %WINDIR%\system +# second word often Latin but sometimes Cyrillic like in 12510866.CPX +>>&0 regex/c \^Windows\ (Latin|Cyrillic) Windows codepage translator +#!:mime text/plain +!:mime text/x-ms-cpx +# like: 12510866.CPX +!:ext cpx +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/File_Explorer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-exp.trid.xml,scf-exp-old.trid.xml +# Note: called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Windows via SHCmdFile +>>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File +#!:mime text/plain +!:mime text/x-ms-scf +# like: channels.scf desktop.scf explorer.scf "Desktop anzeigen.scf" +!:ext scf +# look for icon file directive maybe pointing to malicious file +>>>1 search/128 IconFile= \b, icon +>>>>&0 string x "%s" +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/VIA_Technologies +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-via.trid.xml +# Note: called "VIA setup configuration file" by TrID +>>&0 regex/c \^SCF]\r\n VIA setup configuration +#!:mime text/plain +!:mime text/x-via-scf +# like: SETUP.SCF +!:ext scf +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/InstallShield +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml +# Note: contain also 3 keywords like: count Default key0 +>>&0 regex/c \^Languages] InstallShield Language Identifier +#!:mime text/plain +!:mime text/x-installshield-lid +# like: SETUP.LID +!:ext lid +# From: Joerg Jenderek +# URL: https://www.file-extensions.org/tag-file-extension +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/taginfo.trid.xml +# Note: contain also keywords like: Application Category Company Misc Version +>>&0 regex/c \^TagInfo] TagInfo +#!:mime text/plain +#!:mime text/prs.lines.tag +!:mime text/x-ms-tag +# like: DATA.TAG +!:ext tag +# URL: https://en.wikipedia.org/wiki/Flatpak +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/flatpakref.trid.xml +# Note: called "Flatpack Reference" by TrID +>>&0 string Flatpak\ Ref] Flatpak repository reference +#!:mime text/plain +# https://reposcope.com/mimetype/application/vnd.flatpak.ref +!:mime application/vnd.flatpak.ref +!:ext flatpakref +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CloneCD +# Reference: https://en.wikipedia.org/wiki/CloneCD_Control_File +# http://mark0.net/download/triddefs_xml.7z/defs/c/cdimage-clonecd-cue.trid.xml +# Note: called "CloneCD CDImage (description)" by TrID and "CloneCD Control File" by DROID via PUID fmt/1760 +>>&0 string CloneCD] CloneCD CD-image Description +#!:mime text/plain +!:mime text/x-ccd +!:ext ccd +# unknown keyword after opening bracket +>>&0 default x +#>>>&0 string/c x UNKNOWN [%s +# look for left bracket of second section +>>>&0 search/8192 [ +# version Strings FileIdentification +>>>>&0 string/c version Windows setup INFormation +!:mime application/x-setupscript +!:ext inf +# From: Joerg Jenderek +# URL: https://cdrtfe.sourceforge.io/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cfp-cdrtfe.trid.xml +>>>>&0 string FileExplorer] cdrtfe Project +!:mime text/x-cfp +!:ext cfp +# https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other +>>>>&0 default x +>>>>>&0 ubyte x +# characters, digits, underscore and white space followed by right bracket +# terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT +>>>>>>&-1 regex/T \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s +# NETDEF.INF multiarc.ini +#!:mime application/x-setupscript +!:mime application/x-wine-extension-ini +#!:mime text/plain +!:ext ini/inf +# samples with only 1 and unknown section name +# XXX: matches a file containing '[1] 2' +#>>>&0 default x Generic INItialization configuration +#>>>>0 string x \b, 1st line "%s" +# UTF-16 BOM +0 ubeshort =0xFFFE +# look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml) +# like: wuau.adm +>2 search/0x384A E\0N\0D\0\040\0C\0A\0T\0E\0G\0O\0R\0Y\0 +>>0 use windows-adm +# if no Windows policy ADMinistrative template then Windows INFormation +>2 default x +# UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00 +>>0 ubelong&0xFFff89FF =0xFFFE0900 +# look for left bracket in section line +>>>2 search/8192 [ +# keyword without 1st letter which is maybe up-/down-case +>>>>&3 lestring16 ersion] Windows setup INFormation +!:mime application/x-setupscript +# like: hdaudio.inf iscsi.inf spaceport.inf tpm.inf usbhub3.inf UVncVirtualDisplay.inf +!:ext inf +>>>>&3 lestring16 trings] Windows setup INFormation +!:mime application/x-setupscript +# like: arduino_gemma.inf iis.inf MSM8960.inf +!:ext inf +>>>>&3 lestring16 ourceDisksNames] Windows setup INFormation +!:mime application/x-setupscript +# like: atiixpag.inf mdmnokia.inf netefe32.inf rdpbus.inf +!:ext inf +# netnwcli.inf start with ;---[ NetNWCli.INX ] +>>>>&3 default x +# look for NL followed by left bracket +>>>>>&0 search/8192 \x0A\x00\x5b +# like: defltwk.inf netvwifibus.inf WSDPrint.inf +>>>>>>&3 lestring16 ersion] Windows setup INFormation +!:mime application/x-setupscript +!:ext inf + +# Summary: Windows Policy ADMinistrative template +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Administrative_Template +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adm.trid.xml +# Note: typically stored in directory like: %WINDIR%\system32\GroupPolicy\ADM +# worst case ASCII variant starting with remark line like: inetset.adm +0 search/0x4E CLASS\040 +>&0 string MACHINE +>>0 use windows-adm +>&0 string USER +>>0 use windows-adm +# display information about Windows policy ADMinistrative template +0 name windows-adm Windows Policy Administrative Template +!:mime text/x-ms-adm +!:ext adm +# UTF-16 BOM implies UTF-16 encoded ADM (by adm-uni.trid.xml) +>0 ubeshort =0xFFFE +>>2 lestring16 x \b, 1st line "%s" +# look for UTF-16 encoded CarriageReturn LineFeed +>>>2 search/0x3A \r\0\n\0 +>>>>&0 lestring16 x \b, 2nd line "%s" +# no UTF-16 BOM implies "ASCII" encoded ADM (by adm.trid.xml) +>0 ubeshort !0xFFFE +>>0 string x \b, 1st line "%s" +#>>>&0 ubequad x \b, 2ND %16.16llx +# 2nd line empty +>>>&2 beshort =0x0D0A +>>>>&0 beshort !0x0D0A \b, 3th line +>>>>>&-2 string x "%s" +# 2nd line with content +>>>&2 beshort !0x0D0A \b, 2nd line +>>>>&-2 string x "%s" + +# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h +# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm +# URL: http://fileformats.archiveteam.org/wiki/INF_(Windows) +# Reference: http://en.verysource.com/code/10350344_1/inf.h.html +# Note: stored in %Windir%\Inf %Windir%\System32\DriverStore\FileRepository +# check for valid major and minor versions: 101h - 303h +0 leshort&0xFcFc =0x0000 +# GRR: line above (strength 50) is too general as it catches also "PDP-11 UNIX/RT ldp" ./pdp +>0 leshort&0x0303 !0x0000 +# test for valid InfStyles: 1 2 +>>2 uleshort >0 +>>>2 uleshort <3 +# look for colon in WinDirPath after PNF header +#>>>>0x59 search/18 : +# skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some +# Targa image (money-256.tga XING_B_UCM8.tga x-fmt-367-signature-id-604.tga) with "invalid low section name" \0 +>>>>(20.l) ubelong >0x40004000 +>>>>>0 use PreCompiledInf +0 name PreCompiledInf +>0 uleshort x Windows Precompiled iNF +!:mime application/x-pnf +!:ext pnf +# major version 1 for older Windows like XP and 3 since about Windows Vista +# 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11 +>1 ubyte x \b, version %u +>0 ubyte x \b.%u +>0 uleshort =0x0101 (Windows +>>4 ulelong&0x00000001 !0x00000001 95-98) +>>4 ulelong&0x00000001 =0x00000001 XP) +>0 uleshort =0x0301 (Windows Vista-8.1) +>0 uleshort =0x0302 (Windows 10 older) +>0 uleshort =0x0303 (Windows 10-11) +# 1 ,2 (windows 98 SE) +>2 uleshort !2 \b, InfStyle %u +# PNF_FLAG_IS_UNICODE 0x00000001 +# PNF_FLAG_HAS_STRINGS 0x00000002 +# PNF_FLAG_SRCPATH_IS_URL 0x00000004 +# PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008 +# PNF_FLAG_INF_VERIFIED 0x00000010 +# PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020 +# UNKNOWN8 0x00000080 +# UNKNOWN 0x00000100 +# UNKNOWN1 0x01000000 +# UNKNOWN2 0x02000000 +>4 ulelong&0x03000180 >0 \b, flags +>>4 ulelong x %#x +>4 ulelong&0x00000001 0x00000001 \b, unicoded +>4 ulelong&0x00000002 0x00000002 \b, has strings +>4 ulelong&0x00000004 0x00000004 \b, src URL +>4 ulelong&0x00000008 0x00000008 \b, volatile dir ids +>4 ulelong&0x00000010 0x00000010 \b, verified +>4 ulelong&0x00000020 0x00000020 \b, digitally signed +# >4 ulelong&0x00000080 0x00000080 \b, UNKNOWN8 +# >4 ulelong&0x00000100 0x00000100 \b, UNKNOWN +# >4 ulelong&0x01000000 0x01000000 \b, UNKNOWN1 +# >4 ulelong&0x02000000 0x02000000 \b, UNKNOWN2 +#>8 ulelong x \b, InfSubstValueListOffset %#x +# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF +# , 6 bth.PNF, 9 usbport.PNF, d netnwifi.PNF, 10h nettcpip.PNF +#>12 uleshort x \b, InfSubstValueCount %#x +# only < 9 found: 8 hcw85b64.PNF +#>14 uleshort x \b, InfVersionDatumCount %#x +# only found values lower 0x0000ffff ?? +#>16 ulelong x \b, InfVersionDataSize %#x +# only found positive values lower 0x00ffFFff for InfVersionDataOffset +>20 ulelong x \b, at %#x +>4 ulelong&0x00000001 =0x00000001 +# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature +>>(20.l) lestring16 x "%s" +>4 ulelong&0x00000001 !0x00000001 +>>(20.l) string x "%s" +# FILETIME is number of 100-nanosecond intervals since 1 January 1601 +#>24 ulequad x \b, InfVersionLastWriteTime %16.16llx +>24 qwdate x \b, InfVersionLastWriteTime %s +# for Windows 98, XP +>0 uleshort <0x0102 +# only found values lower 0x00ffFFff +# often 70 but also 78h for corelist.PNF +# >>32 ulelong x \b, StringTableBlockOffset %#x +# >>36 ulelong x \b, StringTableBlockSize %#x +# >>40 ulelong x \b, InfSectionCount %#x +# >>44 ulelong x \b, InfSectionBlockOffset %#x +# >>48 ulelong x \b, InfSectionBlockSize %#x +# >>52 ulelong x \b, InfLineBlockOffset %#x +# >>56 ulelong x \b, InfLineBlockSize %#x +# >>60 ulelong x \b, InfValueBlockOffset %#x +# >>64 ulelong x \b, InfValueBlockSize %#x +# WinDirPathOffset +# like 58h, which means direct after PNF header +#>>68 ulelong x \b, at %#x +>>68 ulelong x +>>>4 ulelong&0x00000001 =0x00000001 +#>>>>(68.l) ubequad =0x43003a005c005700 +# normally unicoded C:\Windows +#>>>>>(68.l) lestring16 x \b, WinDirPath "%s" +>>>>(68.l) ubequad !0x43003a005c005700 +>>>>>(68.l) lestring16 x \b, WinDirPath "%s" +>>>4 ulelong&0x00000001 !0x00000001 +# normally ASCII C:\WINDOWS +#>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" +>>>>(68.l) string !C:\\WINDOWS +>>>>>(68.l) string x \b, WinDirPath "%s" +# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF +>>>72 ulelong >0 \b, +>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>(72.l) lestring16 x OsLoaderPath "%s" +>>>>4 ulelong&0x00000001 !0x00000001 +# seldom C:\ instead empty +>>>>>(72.l) string x OsLoaderPath "%s" +# 1fdh +#>>>76 uleshort x \b, StringTableHashBucketCount %#x +# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a +# only 407h found +>>>78 uleshort !0x409 \b, LanguageID %x +#>>>78 uleshort =0x409 \b, LanguageID %x +# InfSourcePathOffset often 0 +>>>80 ulelong >0 \b, at %#x +>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>(80.l) lestring16 x SourcePath "%s" +>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>(80.l) string >\0 SourcePath "%s" +# OriginalInfNameOffset often 0 +>>>84 ulelong >0 \b, at %#x +>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>(84.l) lestring16 x InfName "%s" +>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>(84.l) string >\0 InfName "%s" + +# for newer Windows like Vista, 7 , 8.1 , 10 +>0 uleshort >0x0101 +>>80 ulelong x \b, at %#x WinDirPath +>>>4 ulelong&0x00000001 0x00000001 +# normally unicoded C:\Windows +#>>>>(80.l) ubequad =0x43003a005c005700 +#>>>>>(80.l) lestring16 x "%s" +>>>>(80.l) ubequad !0x43003a005c005700 +>>>>>(80.l) lestring16 x "%s" +# language id: 0 407h~german 409h~English_US +>>90 uleshort !0x409 \b, LanguageID %x +#>>90 uleshort =0x409 \b, LanguageID %x +>>92 ulelong >0 \b, at %#x +>>>4 ulelong&0x00000001 0x00000001 +# language string like: de-DE en-US +>>>>(92.l) lestring16 x language %s + +# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 +# Extension: .bkf +# Created by: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/NTBackup +# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF +# Descriptor BloCK name of Microsoft Tape Format +0 string TAPE +# Format Logical Address is zero +>20 ulequad 0 +# Reserved for MBC is zero +>>28 uleshort 0 +# Control Block ID is zero +>>>36 ulelong 0 +# BIT4-BIT15, BIT18-BIT31 of block attributes are unused +>>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive +#!:mime application/x-ntbackup +!:ext bkf +# OS ID +>>>>>10 ubyte 1 \b NetWare +>>>>>10 ubyte 13 \b NetWare SMS +>>>>>10 ubyte 14 \b NT +>>>>>10 ubyte 24 \b 3 +>>>>>10 ubyte 25 \b OS/2 +>>>>>10 ubyte 26 \b 95 +>>>>>10 ubyte 27 \b Macintosh +>>>>>10 ubyte 28 \b UNIX +# OS Version (2) +#>>>>>11 ubyte x OS V=%x +# MTF_CONTINUATION Media Sequence Number > 1 +#>>>>>4 ulelong&0x00000001 !0 \b, continued +# MTF_COMPRESSION +>>>>>4 ulelong&0x00000004 !0 \b, compressed +# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing +>>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit +>>>>>4 ulelong&0x00020000 0 +# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape +>>>>>>4 ulelong&0x00010000 !0 \b, with catalog +# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present +>>>>>4 ulelong&0x00020000 !0 \b, with file catalog +# Offset To First Event 238h,240h,28Ch +#>>>>>8 uleshort x \b, event offset %4.4x +# Displayable Size (20e0230h 20e024ch 20e0224h) +#>>>>>8 ulequad x dis. size %16.16llx +# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h) +#>>>>>52 ulelong x family ID %8.8x +# TAPE Attributes (3) +#>>>>>56 ulelong x TAPE %8.8x +# Media Sequence Number +>>>>>60 uleshort >1 \b, sequence %u +# Password Encryption Algorithm (3) +>>>>>62 uleshort >0 \b, %#x encrypted +# Soft Filemark Block Size * 512 (2) +#>>>>>64 uleshort =2 \b, soft size %u*512 +>>>>>64 uleshort !2 \b, soft size %u*512 +# Media Based Catalog Type (1,2) +#>>>>>66 uleshort x \b, catalog type %4.4x +# size of Media Name (66,68,6Eh) +>>>>>68 uleshort >0 +# offset of Media Name (5Eh) +>>>>>>70 uleshort >0 +# 0~, 1~ANSI, 2~UNICODE +>>>>>>>48 ubyte 1 +# size terminated ansi coded string normally followed by "MTF Media Label" +>>>>>>>>(70.s) string >\0 \b, name: %s +>>>>>>>48 ubyte 2 +# Not null, but size terminated unicoded string +>>>>>>>>(70.s) lestring16 x \b, name: %s +# size of Media Label (104h) +>>>>>72 uleshort >0 +# offset of Media Label (C4h,C6h,CCh) +>>>>>74 uleshort >0 +>>>>>>48 ubyte 1 +#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields +>>>>>>>(74.s) string >\0 \b, label: %s +>>>>>>48 ubyte 2 +>>>>>>>(74.s) lestring16 x \b, label: %s +# size of password name (0,1Ch) +#>>>>>76 uleshort >0 \b, password size %4.4x +# Software Vendor ID (CBEh) +>>>>>86 uleshort x \b, software (%#x) +# size of Software Name (6Eh) +>>>>>80 uleshort >0 +# offset of Software Name (1C8h,1CAh,1D0h) +>>>>>>82 uleshort >0 +# 1~ANSI, 2~UNICODE +>>>>>>>48 ubyte 1 +>>>>>>>>(82.s) string >\0 \b: %s +>>>>>>>48 ubyte 2 +# size terminated unicoded coded string normally followed by "SPAD" +>>>>>>>>(82.s) lestring16 x \b: %s +# Format Logical Block Size (512,1024) +#>>>>>84 uleshort =1024 \b, block size %u +>>>>>84 uleshort !1024 \b, block size %u +# Media Date of MTF_DATE_TIME type with 5 bytes +#>>>>>>88 ubequad x DATE %16.16llx +# MTF Major Version (1) +#>>>>>>93 ubyte x \b, MFT version %x +# + +# URL: https://en.wikipedia.org/wiki/PaintShop_Pro +# Reference: https://www.cryer.co.uk/file-types/p/pal.htm +# Created by: Joerg Jenderek +# Note: there exist other color palette formats also with .pal extension +0 string JASC-PAL\r\n PaintShop Pro color palette +#!:mime text/plain +# PspPalette extension is used by newer (probably 8) PaintShopPro versions +!:ext pal/PspPalette +# 2nd line contains palette file version. For example "0100" +>10 string !0100 \b, version %.4s +# third line contains the number of colours: 16 256 ... +>16 string x \b, %.3s colors + +# URL: https://en.wikipedia.org/wiki/Innosetup +# Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas +# Created by: Joerg Jenderek +# Note: created by like "InnoSetup self-extracting archive" inside ./msdos +# TrID labeles the entry as "Inno Setup Uninstall Log" +# TUninstallLogID +0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log +!:mime application/x-innosetup +# unins000.dat, unins001.dat, ... +!:ext dat +# " 64-bit" variant +>0x1c string >\0 \b%.7s +# AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ... +>0xc0 string x %s +# AppId[0x80] is similar to AppName or +# GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace +>0x40 ubyte 0x7b +>>0x40 string x %-.38s +# do not know how this log version correlates to program version +>0x140 ulelong x \b, version %#x +# NumRecs +#>0x144 ulelong x \b, %#4.4x records +# EndOffset means files size +>0x148 ulelong x \b, %u bytes +# Flags 5 25h 35h +#>0x14c ulelong x \b, flags %8.8x +# Reserved: array[0..26] of Longint +# the non Unicode HighestSupportedVersion may never become greater than or equal to 1000 +>0x140 ulelong <1000 +# hostname +>>0x1d6 pstring x \b, %s +# user name +>>>&0 pstring x \b\%s +# directory like C:\Program Files (x86)\GnuWin32 +>>>>&0 pstring x \b, "%s" +# version 1000 or higher implies unicode +>0x140 ulelong >999 +# hostname +>>0x1db lestring16 x \b, %-.9s +# utf string variant with prepending fe??ffFFff +>>0x1db search/43 \xFF\xFF\xFF +# user name +>>>&0 lestring16 x \b\%-.9s +>>>&0 search/43 \xFF\xFF\xFF +# directory like C:\Program Files\GIMP 2 +>>>>&0 lestring16 x \b, %-.42s + +# URL: https://jrsoftware.org/ishelp/index.php?topic=setup_signeduninstaller +# Reference:https://github.com/jrsoftware/issrc/blob/main/Projects/Struct.pas +# From: Joerg Jenderek +0 string Inno\ Setup\ Messages\ ( +# null padded til 0x40 boundary +>0x38 quad 0 InnoSetup messages +!:mime application/x-innosetup-msg +# unins000.msg, unins001.msg, ... +!:ext msg +# version like 5.1.1 5.1.11 5.5.0 5.5.3 6.0.0 +>>0x15 string x \b, version %.5s +# look for 6th char of version string or terminating right parentheses +>>>0x1a ubyte !0x29 \b%c +# NumMessages +>>0x40 ulelong x \b, %u messages +# TotalSize: Cardinal; +#>>0x44 ulelong x \b, TotalSize %u +# NotTotalSize: Cardinal; +#>>0x48 ulelong x \b, NotTotalSize %u +# CRCMessages: Longint; +#>>0x4C ulelong x \b, CRC %#x +>>0x40 ulelong x +# (u) after version means unicoded messages +>>>0x1c search/2 (u) (UTF-16), +>>>>0x50 lestring16 x %s +# ASCII coded message +>>>0x1c default x (ASCII), +>>>>0x50 string x %s + +# Windows Imaging (WIM) Image +# Update: Joerg Jenderek at Mar 2019, 2021 +# URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format +# http://fileformats.archiveteam.org/wiki/Windows_Imaging_Format +# Reference: https://download.microsoft.com/download/f/e/f/ +# fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf +# Note: verified by like `7z t boot.wim` `wiminfo install.esd --header` +0 string MSWIM\000\000\000 +>0 use wim-archive +# https://wimlib.net/man1/wimoptimize.html +0 string WLPWM\000\000\000 +>0 use wim-archive +0 name wim-archive +# _WIMHEADER_V1_PACKED ImageTag[8] +>0 string x Windows imaging +!:mime application/x-ms-wim +# TO avoid in file version 5.36 error like +# Magdir/windows, 760: Warning: Current entry does not yet have a description +# file: could not find any valid magic files! (No error) +# split WIM +>16 ulelong &0x00000008 (SWM +!:ext swm +# usPartNumber; 1, unless the file was split into multiple parts +>>40 uleshort x \b %u +# usTotalParts; The total number of WIM file parts in a spanned set +>>42 uleshort x \b of %u) image +# non split WIM +>16 ulelong ^0x00000008 +# https://wimlib.net/man1/wimmount.html +# solid WIMs; version 3584; usually contain LZMS-compressed and the .esd extension +>>12 ulelong 3584 (ESD) image +!:ext esd +>>12 ulelong !3584 ( +# look for archive member RunTime.xml like in Microsoft.Windows.Cosa.Desktop.Client.ppkg +>>>156 search/68233/s RunTime.xml \bWindows provisioning package) +!:ext ppkg +# if is is not a Windows provisioning package, then it is a WIM +>>>156 default x \bWIM) image +# second disk image part created by Microsoft's RecoveryDrive.exe has name Reconstruct.WIM2 +!:ext wim/wim2 +>0 string/b WLPWM\000\000\000 \b, wimlib pipable format +# cbSize size of the WIM header in bytes like 208 +#>8 ulelong x \b, headersize %u +# dwVersion version of the WIM file 00010d00h~1.13 00000e00h~0.14 +>14 uleshort x v%u +>13 ubyte x \b.%u +# dwImageCount; The number of images contained in the WIM file +>44 ulelong >1 \b, %u images +# dwBootIndex +# 1-based index of the bootable image of the WIM, or 0 if no image is bootable +>0x78 ulelong >0 \b, bootable no. %u +# dwFlags +#>16 ulelong x \b, flags %#8.8x +#define FLAG_HEADER_COMPRESSION 0x00000002 +#define FLAG_HEADER_READONLY 0x00000004 +#define FLAG_HEADER_SPANNED 0x00000008 +#define FLAG_HEADER_RESOURCE_ONLY 0x00000010 +#define FLAG_HEADER_METADATA_ONLY 0x00000020 +#define FLAG_HEADER_WRITE_IN_PROGRESS 0x00000040 +#define FLAG_HEADER_RP_FIX 0x00000080 reparse point fixup +#define FLAG_HEADER_COMPRESS_RESERVED 0x00010000 +#define FLAG_HEADER_COMPRESS_XPRESS 0x00020000 +#define FLAG_HEADER_COMPRESS_LZX 0x00040000 +#define FLAG_HEADER_COMPRESS_LZMS 0x00080000 +#define FLAG_HEADER_COMPRESS_XPRESS2 0x00100000 wimlib-1.13.0\include\wimlib\header.h +# XPRESS, with small chunk size +>16 ulelong &0x00100000 \b, XPRESS2 +>16 ulelong &0x00080000 \b, LZMS +>16 ulelong &0x00040000 \b, LZX +>16 ulelong &0x00020000 \b, XPRESS +>16 ulelong &0x00000002 compressed +>16 ulelong &0x00000004 \b, read only +>16 ulelong &0x00000010 \b, resource only +>16 ulelong &0x00000020 \b, metadata only +>16 ulelong &0x00000080 \b, reparse point fixup +#>16 ulelong &0x00010000 \b, RESERVED +# dwCompressionSize; Uncompressed chunk size for resources or 0 if uncompressed +#>20 ulelong >0 \b, chunk size %u bytes +# gWIMGuid +#>24 ubequad x \b, GUID %#16.16llx +#>>32 ubequad x \b%16.16llx +# rhOffsetTable; the location of the resource lookup table +# wim_reshdr_disk[24]= u8 size_in_wim[7] + u8 flags + le64 offset_in_wim + le64 uncompressed_size +#>48 ubequad x \b, rhOffsetTable %#16.16llx +# rhXmlData; the location of the XML data +#>0x50 ulelong x \b, at %#8.8x +# NOT WORKING \xff\xfe<\0W\0I\0M\0 +#>(0x50.l) ubequad x \b, xml=%16.16llx +# rhBootMetadata; the location of the metadata resource +#>0x60 ubequad x \b, rhBootMetadata %#16.16llx +# rhIntegrity; the location of integrity table used to verify files +#>0x7c ubequad x \b, rhIntegrity %#16.16llx +# Unused[60] +#>148 ubequad !0 \b,unused %#16.16llx +# + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Windows_Easy_Transfer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mig.trid.xml +# Note: called "Windows Easy Transfer migration data" by TrID, +# "Migration Store" or "EasyTransfer file" by Microsoft +0 string 1giM Windows Easy Transfer migration data +#!:mime application/octet-stream +!:mime application/x-ms-mig +!:ext mig +>0x18 string =MRTS without password +# data offset with 1 space at end +>>0x1c ulelong+0x38 x \b, at %#x +# look for zlib compressed data by ./compress +>>(0x1c.l+0x38) ubyte x +>>>&-1 indirect x +# in password protected examples MRTS comes some bytes further +>0x18 string !MRTS with password +# look for first MRTS tag +>0x18 search/29/b MRTS +# probably first file name length like 178, ... +#>>&0 ulelong x \b, 1st length %u +# URL like File\C:\Users\nutzer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini +>>&20 lestring16 x \b, 1st %-s + +# Microsoft SYLK +# https://en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK) +# https://outflank.nl/upload/sylksum.txt +0 string ID;P Microsoft SYLK program +>4 string >0 \b, created by %s +!:ext slk/sylk + +# Summary: Windows Performance Monitor Alert +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Performance_Monitor +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pma.trid.xml +# Note: called "Windows Performance Monitor Alert" by TrID +0 ubelong =0xDC058340 +>4 ubyte =0 Windows Performance Monitor Alert +#!:mime application/octet-stream +# https://www.thoughtco.com/mime-types-by-content-type-3469108 +# https://filext.com/file-extension/PAM +!:mime application/x-perfmon +#!:mime application/x-ms-pma +!:ext pma +# metric type like: "BrowserMetrics" "CrashpadMetrics" "SetupMetrics" +>>80 string x \b, "%s" + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/InstallShield +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/ins.trid.xml +# Note: contain also keywords like: BATCH_INSTALL ISVERSION LOGHANDLE SRCDIR SRCDISK WINDIR WINSYSDISK +0 ubelong 0xB8C90C00 InstallShield Script +#!:mime application/octet-stream +!:mime application/x-installshield-ins +# like test.ins Setup.ins +!:ext ins +# UNKNOWN like: 160034121de07e00 1600341260befe00 16003412e0783700 +# 5000010021083f00 50000100b0335600 50000100cbfdf800 50000100dfbc4700 +#>4 ubequad x \b, at 4 %#16.16llx +# copyright text like: "Stirling Technologies, Inc. (c) 1990-1994" +# "InstallSHIELD Software Corporation (c) 1990-1997" +>13 pstring/h x "%s" +# look for specific ASCII variable names +>1 search/0x121/s SRCDIR \b, variable names: +# 1st like: SRCDIR +>>&-4 leshort x #%u +>>&-2 pstring/h x %s +# 2nd like: SRCDISK +>>>&0 leshort x #%u +>>>&2 pstring/h x %s +# 3rd like: TARGETDISK +>>>>&0 leshort x #%u +>>>>&2 pstring/h x %s +# 4th like: TARGETDIR +#>>>>>&0 leshort x #%u +#>>>>>&2 pstring/h x %s +# 5th like: WINDIR +#>>>>>>&0 leshort x #%u +#>>>>>>&2 pstring/h x %s +# 6th like: WINDISK +#>>>>>>>&0 leshort x #%u +#>>>>>>>&2 pstring/h x %s +# 7th like: WINSYSDIR +#>>>>>>>>&0 leshort x #%u +#>>>>>>>>&2 pstring/h x %s +# ... LOGHANDLE +>0 ubelong x ... +# + +# Summary: Microsoft Remote Desktop Protocol connection +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/r/rdp.trid.xml +# Note: called "Remote Desktop Connection Settings" by TrID +0 string screen\040mode\040id:i: Remote Desktop Protocol connection +#!:mime text/plain +!:mime text/x-ms-rdp +!:ext rdp +# Screen mode: 1~session appear in a window 2~session appear full screen +>17 string 1 \b, window mode +>17 string 2 \b, full screen mode + +0 guid 7B5C52E4-D88C-4DA7-AEB1-5378D02996D3 Microsoft OneNote +!:ext one +!:mime application/onenote +0 guid 43FF2FA1-EFD9-4C76-9EE2-10EA5722765F Microsoft OneNote Revision Store File + +# Microsoft XAML Binary Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/WalkingCat/XbfDump/blob/8832d2ffcaa738434d803fefa2ba99d3af37ed29/xbf_data.h +0 string XBF\0 +>12 ulelong <0xFF +>>16 ulelong <0xFF Microsoft XAML Binary Format +!:ext xbf +>>>12 ulelong x %d +>>>16 ulelong x \b.%d +>>>4 ulelong x \b, metadata size: %d bytes +>>>8 ulelong x \b, node size: %d bytes + +# Metaswitch MetaView Service Assurance Server exports +0 string MetaView\x20Service\x20Assurance\x20Export\x20File MetaView SAS export +>39 string Version\x20 +>>47 byte x \b, version %c + +# Active Directory Group Policy Registry Policy File Format +# From: Yuuta Liang <yuuta@yuuta.moe> +# URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format +0 string PReg +>4 lelong x Group Policy Registry Policy, Version=%d diff --git a/magic/Magdir/wireless b/magic/Magdir/wireless new file mode 100644 index 0000000..badb73b --- /dev/null +++ b/magic/Magdir/wireless @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: wireless,v 1.2 2009/09/19 16:28:13 christos Exp $ +# wireless-regdb: file(1) magic for CRDA wireless-regdb file format +# +0 string RGDB CRDA wireless regulatory database file +>4 belong 19 (Version 1) diff --git a/magic/Magdir/wordprocessors b/magic/Magdir/wordprocessors new file mode 100644 index 0000000..3a2e1ce --- /dev/null +++ b/magic/Magdir/wordprocessors @@ -0,0 +1,630 @@ + +#------------------------------------------------------------------------------ +# $File: wordprocessors,v 1.34 2023/01/24 20:13:40 christos Exp $ +# wordprocessors: file(1) magic fo word processors. +# +####### PWP file format used on Smith Corona Personal Word Processors: +2 string \040\040\040\040\040\040\040\040\040\040\040ML4D\040'92 Smith Corona PWP +>24 byte 2 \b, single spaced +>24 byte 3 \b, 1.5 spaced +>24 byte 4 \b, double spaced +>25 byte 0x42 \b, letter +>25 byte 0x54 \b, legal +>26 byte 0x46 \b, A4 + +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor +# reference: http://mark0.net/download/triddefs_xml.7z +# /defs/w/wps-works-dos.trid.xml +# From: Joerg Jenderek +# Note: older non OLE 2 Compound based versions +0 ubeshort =0x01FE +>112 ubeshort =0x0100 Microsoft Works 1-3 (DOS) or 2 (Windows) document +# title like THE GREAT KHAN GAME +>>0x100 string x %s +!:mime application/vnd-ms-works +#!:mime application/x-msworks +# https://www.macdisk.com/macsigen.php +!:apple ????AWWP +!:ext wps + +# Corel/WordPerfect +# URL: https://en.wikipedia.org/wiki/WordPerfect +# Reference: https://github.com/OneWingedShark/WordPerfect/blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm +# http://mark0.net/download/triddefs_xml.7z/defs/w/wp-generic.trid.xml +0 string \xffWPC +# WordPerfect +>8 byte 1 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpm-macro.trid.xml +# Note: there exist other macro variants +>>9 byte 1 WordPerfect macro +#!:mime application/octet-stream +!:mime application/x-wordperfect-wpm +# like: ALTD.WPM ENDFOOT.WPM FOOTEND.WPM LABELS.WPM REVEALTX.WPM +!:ext wpm +# Note: used in WordPerfect 5.1; there exist other FIL variants +>>9 byte 2 WordPerfect help file +#!:mime application/octet-stream +!:mime application/x-wordperfect-help +# like: WPHELP.FIL +!:ext fil +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area +>>9 byte 3 WordPerfect keyboard file +#!:mime application/octet-stream +!:mime application/x-wordperfect-keyboard +!:ext wpk +# no document area, so point to end of file; so this is file size like: 23381 2978 32835 3355 3775 919 +>>>4 ulelong x \b, %u bytes +>>9 byte 4 WordPerfect VAX keyboard definition +#!:mime application/octet-stream +!:mime application/x-wordperfect-keyboard +#!:ext foo +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpd-doc-gen.trid.xml +>>9 byte 10 WordPerfect document +# https://www.iana.org/assignments/media-types/application/vnd.wordperfect +!:mime application/vnd.wordperfect +#!:apple ????WPC2 +# TODO: distinguish different suffix +!:ext wpd/wpt/wkb/icr/tut/sty/tst/crs +>>9 byte 11 WordPerfect dictionary +>>9 byte 12 WordPerfect thesaurus +>>9 byte 13 WordPerfect block +>>9 byte 14 WordPerfect rectangular block +>>9 byte 15 WordPerfect column block +>>9 byte 16 WordPerfect printer data +#!:mime application/octet-stream +!:mime application/x-wordperfect-prs +# like: STANDARD.PRS WORKBOOK.PRS +!:ext prs +# like: "Standard Printer" "Workbook Printer" +>>>0x64 pstring/B >A "%s" +#>>9 byte 18 WordPerfect Prefix information file +# printer resource .ALL +>>9 byte 19 WordPerfect printer data +#!:mime application/octet-stream +!:mime application/x-wordperfect-all +!:ext all +# display Resource +>>9 byte 20 WordPerfect driver resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-drs +# like: WPSMALL.DRS +!:ext drs +# pointer to index area with string "smalldrs" like: 46h +>>>4 uleshort !0x46 \b, at %#x index area +>>9 byte 21 WordPerfect Overlay file +#!:mime application/octet-stream +!:mime application/x-wordperfect-fil +# like: WP.FIL +!:ext fil +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect_Graphics +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wpg.trid.xml +# Note: called "WordPerfect Graphics bitmap" by TrID and +# "WordPerfect Graphics Metafile" by DROID via x-fmt/395 fmt/1042 +# "WPG (Word Perfect Graphics)" by ImageMagick `identify -verbose BUTTRFLY.WPG` +>>9 byte 22 WordPerfect graphic image +# TODO: skip DROID x-fmt-395-signature-id-132.wpg by check for existing document area +#>>>4 ulelong >15 WordPerfect_graphic_OK +#!:mime application/octet-stream +# http://extension.nirsoft.net/wpg +!:mime image/x-wordperfect-graphics +# https://reposcope.com/mimetype/application/x-wpg +#!:mime application/x-wpg +# like: BUTTRFLY.WPG STAR-5.WPG input.wpg WORDPFCT.WPG +!:ext wpg +# pointer to document area like: 10h 1Ah +>>>4 ulelong !0x1A \b, at %#x document area +>>9 byte 23 WordPerfect hyphenation code +>>9 byte 24 WordPerfect hyphenation data +>>9 byte 25 WordPerfect macro resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-mrs +# like: WP.MRS +!:ext mrs +>>9 byte 27 WordPerfect hyphenation lex +>>9 byte 29 WordPerfect wordlist +>>9 byte 30 WordPerfect equation resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-qrs +# like: WQ.QRS wpDE.qrs wpen.qrs +!:ext qrs +# jump to document area with some marker and equation +>>>(4.l) ubyte x +# equation like: "Fraction: x OVER y" +>>>>&1 string >A (...%-.19s...) +# pointer to document area like: 17C4h +>>>4 ulelong x \b, at %#x document area +#>>9 byte 31 reserved +#>>9 byte 32 WordPerfect VAX .SET +>>9 byte 33 WordPerfect spell rules +>>9 byte 34 WordPerfect dictionary rules +#>>9 byte 35 reserved +# video resource device driver +# Note: filetype 26 for VRS and filetype 36 for WPD apparently is wrong +>>9 byte 36 WordPerfect Video Resource +#!:mime application/octet-stream +!:mime application/x-wordperfect-vrs +# like: STANDARD.VRS +!:ext vrs +# like: "IBM CGA (& compatibles)" +>>>0x20 string >A "%.23s" +>>9 byte 39 WordPerfect spell rules (Microlytics) +#>>9 byte 40 reserved +>>9 byte 41 WordPerfect Install options +#!:mime application/octet-stream +!:mime application/x-wordperfect-ins +# like: WP51.INS +!:ext ins +# probably default directory name like: "C:\WP51\" +>>>0x12 string >A "%.8s" +# maybe mouse driver for WP5.1 +>>9 byte 42 WordPerfect Resource +#!:mime application/octet-stream +!:mime application/x-wordperfect-irs +# like: STANDARD.IRS +!:ext irs +# like: "Mouse Driver (MOUSE.COM)" +>>>0x28 string >A "%.24s" +>>9 byte 43 WordPerfect settings file +# maybe Macintosh WP2.0 document +>>9 byte 44 WordPerfect 3.5 document +!:mime application/vnd.wordperfect +!:apple ????WPD3 +# like: WP3.wpd +!:ext wpd +>>9 byte 45 WordPerfect 4.2 document +# External spell code module (WP5.1) +#>>9 byte 46 WordPerfect external spell +# external spell dictionary .LEX +#>>9 byte 47 WordPerfect external spell dictionary +# Macintosh SOFT graphics file (SOFT (Sequential Object Format) +#>>9 byte 48 WordPerfect SOFT graphics +#>>9 byte 49 reserved +#>>9 byte 50 reserved +# WPWin 5.1 Application Resource Library added for WPWin 5.1 +#>>9 byte 51 WordPerfect application resource library +>>9 byte 69 WordPerfect dialog file +# From: Joerg Jenderek +# Note: found in sub directory WritingTools inside WordPerfect 2021 program directory +>>9 byte 70 WordPerfect Writing Tools +#!:mime application/octet-stream +!:mime application/x-wordperfect-cbt +# like: Wt13cbede.cbt Wt13cbeit.cbt Wt13cbefr.cbt WT21cbede.cbt Wt13cbeEN.CBD WT21cbeEN.CBD +!:ext cbd/cbt +>>9 byte 76 WordPerfect button bar +>>9 default x +>>>9 byte x Corel WordPerfect: Unknown filetype %d +# Corel Shell +>8 byte 2 +>>9 byte 1 Corel shell macro +>>9 byte 10 Corel shell definition +>>9 default x +>>>9 byte x Corel Shell: Unknown filetype %d +# Corel Notebook +>8 byte 3 +>>9 byte 1 Corel Notebook macro +>>9 byte 2 Corel Notebook help file +>>9 byte 3 Corel Notebook keyboard file +>>9 byte 10 Corel Notebook definition +>>9 default x +>>>9 byte x Corel Notebook: Unknown filetype %d +# Corel Calculator +>8 byte 4 +>>9 byte 2 Corel Calculator help file +>>9 default x +>>>9 byte x Corel Calculator: Unknown filetype %d +# Corel File Manager +>8 byte 5 +>>9 default x +>>>9 byte x Corel File Manager: Unknown filetype %d +# Corel Calendar +>8 byte 6 +>>9 byte 2 Corel Calendar help file +>>9 byte 10 Corel Calendar data file +>>9 default x +>>>9 byte x Corel Calendar: Unknown filetype %d +# Corel Program Editor/Ed Editor +>8 byte 7 +>>9 byte 1 Corel Editor macro +>>9 byte 2 Corel Editor help file +>>9 byte 3 Corel Editor keyboard file +>>9 byte 25 Corel Editor macro resource file +>>9 default x +>>>9 byte x Corel Program Editor/Ed Editor: Unknown filetype %d +# Corel Macro Editor +>8 byte 8 +>>9 byte 1 Corel Macro editor macro +>>9 byte 2 Corel Macro editor help file +>>9 byte 3 Corel Macro editor keyboard file +>>9 default x +>>>9 byte x Corel Macro Editor: Unknown filetype %d +# Corel Plan Perfect +>8 byte 9 +>>9 default x +>>>9 byte x Corel Plan Perfect: Unknown filetype %d +# Corel DataPerfect +>8 byte 10 +# CHECK: Don't these belong into product 9? +>>9 byte 1 Corel PlanPerfect macro +>>9 byte 2 Corel PlanPerfect help file +>>9 byte 3 Corel PlanPerfect keyboard file +>>9 byte 10 Corel PlanPerfect worksheet +>>9 byte 15 Corel PlanPerfect printer definition +>>9 byte 18 Corel PlanPerfect graphic definition +>>9 byte 19 Corel PlanPerfect data +>>9 byte 20 Corel PlanPerfect temporary printer +>>9 byte 25 Corel PlanPerfect macro resource data +>>9 default x +>>>9 byte x Corel DataPerfect: Unknown filetype %d +# Corel Mail +>8 byte 11 +>>9 byte 2 Corel Mail help file +>>9 byte 5 Corel Mail distribution list +>>9 byte 10 Corel Mail out box +>>9 byte 11 Corel Mail in box +>>9 byte 20 Corel Mail users archived mailbox +>>9 byte 21 Corel Mail archived message database +>>9 byte 22 Corel Mail archived attachments +>>9 default x +>>>9 byte x Corel Mail: Unknown filetype %d +# Corel Printer +>8 byte 12 +>>9 byte 11 Corel Printer temporary file +>>9 default x +>>>9 byte x Corel Printer: Unknown filetype %d +# Corel Scheduler +>8 byte 13 +>>9 byte 2 Corel Scheduler help file +>>9 byte 10 Corel Scheduler in file +>>9 byte 11 Corel Scheduler out file +>>9 default x +>>>9 byte x Corel Scheduler: Unknown filetype %d +# Corel WordPerfect Office +>8 byte 14 +>>9 byte 10 Corel GroupWise settings file +>>9 byte 17 Corel GroupWise directory services +>>9 byte 43 Corel GroupWise settings file +>>9 default x +>>>9 byte x Corel WordPerfect Office: Unknown filetype %d +# Corel DrawPerfect +# URL: http://fileformats.archiveteam.org/wiki/Corel_Presentations +# Update: Joerg Jenderek +>8 byte 15 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-2.trid.xml +# Note: called "WordPerfect Presentations (v2)" by TrID and +# "Corel Presentation" with version "7-8-9" by DROID via PUID fmt/877 +>>9 byte 10 WordPerfect Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: BENEFITS.SHW chartbar.shw chartbul.shw chartgal.shw chartorg.shw fig-demo.shw figurgal.shw mastrgal.shw scuba.shw tutorial.shw +!:ext shw +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# search for embedded WP file like in tutorial.shw +#>>>16 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-3.trid.xml +# Note: called "WordPerfect/Corel Presentations (v3)" by TrID and +# "Corel Presentation" with version "3" by DROID via PUID fmt/878 +>>9 byte 15 Corel Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: FIG_ANIM.SHW presenta.shw +!:ext shw +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file like in foo +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +# embedded inside Compound Document variant handled by ./ole2compounddocs +>>9 byte 16 Corel Presentation (embeded) +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-corelpresentations +# like: PerfectOffice_MAIN +!:ext / +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +>>9 default x +>>>9 byte x Corel DrawPerfect: Unknown filetype %d +# Corel LetterPerfect +>8 byte 16 +>>9 default x +>>>9 byte x Corel LetterPerfect: Unknown filetype %d +# Corel Terminal +>8 byte 17 +>>9 byte 10 Corel Terminal resource data +>>9 byte 11 Corel Terminal resource data +>>9 byte 43 Corel Terminal resource data +>>9 default x +>>>9 byte x Corel Terminal: Unknown filetype %d +# Corel loadable file +>8 byte 18 +>>9 byte 10 Corel loadable file +>>9 byte 11 Corel GUI loadable text +>>9 byte 12 Corel graphics resource data +>>9 byte 13 Corel printer settings file +>>9 byte 14 Corel port definition file +>>9 byte 15 Corel print queue parameters +>>9 byte 16 Corel compressed file +>>9 default x +>>>9 byte x Corel loadable file: Unknown filetype %d +>>15 byte 0 \b, optimized for Intel +>>15 byte 1 \b, optimized for Non-Intel +# Network service +>8 byte 20 +>>9 byte 10 Corel Network service msg file +>>9 byte 11 Corel Network service msg file +>>9 byte 12 Corel Async gateway login msg +>>9 byte 14 Corel GroupWise message file +>>9 default x +>>>9 byte x Corel Network service: Unknown filetype %d +# GroupWise +>8 byte 31 +>>9 byte 20 GroupWise admin domain database +>>9 byte 21 GroupWise admin host database +>>9 byte 23 GroupWise admin remote host database +>>9 byte 24 GroupWise admin ADS deferment data file +>>9 default x +>>>9 byte x GroupWise: Unknown filetype %d +# Corel Writing Tools WT*.* +# From: Joerg Jenderek +# URL: https://support.corel.com/hc/en-us/articles/215876258-Writing-Tools-Spell-Check-Dictionary-does-not-work-in-WordPerfect-X5 +# http://wordperfect.helpmax.net/en/editing-and-formatting-documents/using-the-writing-tools/working-with-user-word-lists/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/u/uwl-wp.trid.xml +>8 byte 32 +>>9 byte 10 Corel Writing Tools User Word List +#!:mime application/octet-stream +!:mime application/x-wordperfect-wordlist +# personal user word list UWL under user directory like: WTDE.UWL WTUS.UWL WT21DE.UWL WT21US.UWL WT13DE.UWL ... +# and "template" SAV/HWL variant under program directory like: wt13en.hwl Wt13de.sav Wt13it.sav wt13ru.sav WT21us.sav Wtcz.sav ... +!:ext uwl/hwl/sav +# jump to document area with some marker and word list +>>>(4.l) ubyte x +# look for beginning of word list starting mostly with letter a as UTF-16 like: Wt13es.sav +# but not found in russian wt13ru.sav +>>>>&0 search/91/sb a\0 +# word list starting like: "acsesory\022accessory.\001\026acomodate\026accommodate4\001" +>>>>>&0 lestring16 x (...%-.33s...) +# pointer to document area like: 200h +>>>4 ulelong !0x200 \b, at %#x document area +# file size, not including pad characters at EOF +>>>0x14 uleshort x \b, %u bytes +# IntelliTAG +>8 byte 33 +>>9 byte 10 IntelliTAG (SGML) compiled DTD +>>9 default x +>>>9 byte x IntelliTAG: Unknown filetype %d +# Summary: Corel WordPerfect WritingTools advise part +# From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adv-wp.trid.xml +>8 byte 34 +>>9 byte 11 Corel WordPerfect dictionary advise +#!:mime application/octet-stream +!:mime application/x-wordperfect-adv +#!:mime application/vnd.wordperfect.adv +# like: WT21de.adv Wt13de.adv Wt13es.adv Wt13fr.adv wt13us.adv +!:ext adv +# advise text part often start with tag like: 580A +#>>>(16.s) ubequad x ADVISE PART %#llx +# part of advise text like: "This is too informal for most writing." +>>>(16.s+16) string x (...%-.33s...) +# everything else +>8 default x +>>8 byte x Unknown Corel/Wordperfect product %d, +>>>9 byte x file type %d +>10 byte 0 \b, v5. +# version of WP file; 2.1~WP 8.0 +# major version of WP file like: 1 2 +>10 byte !0 \b, v%d. +# minor version of WP file like: 0 1 +>11 byte x \b%d + +# Hancom HWP (Hangul Word Processor) +# Hangul Word Processor 3.0 through 97 used HWP 3.0 format. +# URL: https://www.hancom.com/etc/hwpDownload.do +0 string HWP\ Document\ File Hancom HWP (Hangul Word Processor) file, version 3.0 +!:ext hwp + +# CosmicBook, from Benoit Rouits +0 string CSBK Ted Neslson's CosmicBook hypertext file + +2 string EYWR AmigaWriter file + +# chi: file(1) magic for ChiWriter files +0 string \\1cw\ ChiWriter file +>5 string >\0 version %s +0 string \\1cw ChiWriter file + +# Quark Express from https://www.garykessler.net/library/file_sigs.html +2 string IIXPR3 Intel Quark Express Document (English) +2 string IIXPRa Intel Quark Express Document (Korean) +2 string MMXPR3 Motorola Quark Express Document (English) +!:mime application/x-quark-xpress-3 +2 string MMXPRa Motorola Quark Express Document (Korean) + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/PageMaker +# https://en.wikipedia.org/wiki/Adobe_PageMaker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p +# pm4-pagemaker.trid.xml +# pm5-pagemaker.trid.xml +# Note: since version 6 in 1995 called Adobe PageMaker and +# embedded in Compound Document handled by ./ole2compounddocs +# mainly tested little endian variant +4 ubelong =0x0000FF99 +>0 use PageMaker +# big endian variant +4 ubelong =0x000099FF +>0 use \^PageMaker +# display information of Aldus/Adobe PageMaker document/publication +0 name PageMaker +>110 uleshort <0x0600 Aldus +>110 uleshort >0x05FF Adobe +>110 uleshort x PageMaker +# "MP" marker for newer version 4 and above according to TrID +#>108 string x \b, MARKER "%.2s" +# http://www.nationalarchives.gov.uk/pronom/fmt/876 +!:mime application/vnd.pagemaker +#!:mime application/x-pagemaker +# different file name extensions are used depending on version +# older version like 3 +>110 uleshort/256 =0 document +# https://www.macdisk.com/macsigen.php +!:apple ALB3ALD3 +# PT3 for template and no example for PageMaker document/publication with PM3 extension +!:ext pm3/pt3 +>110 uleshort/256 =4 document +!:apple ALD4ALB4 +# no example for PT4 template +!:ext pm4/pt4 +>110 uleshort/256 =5 document +!:apple ALD5ALB5 +# no example for PT5 template +!:ext pm5/pt5 +>110 uleshort =0x0600 document +!:apple ALD6ALB6 +# PT6 for template +!:ext pm6/pt6 +# HOWTO to distinguish version 7 from 6.5 ? +>110 uleshort =0x0632 document +!:apple AD65AB65 +# no example for T65 template +!:ext p65/t65/pmd/pmt +# version 7 with PMT extension for template +#!:ext pmd/pmt +#!:apple ????PUBF +# endian marker FF 99 for little endian +>6 ubyte =0xFF \b, little-endian +>6 ubyte =0x99 \b, big-endian +# newer numeric version like: 4 5 6 6.50 +#>110 uleshort x \b, VERSION=%#x +>110 uleshort >0x03FF +>>110 uleshort/256 x \b, version %u +>>110 uleshort%256 >0 \b.%u +# older version like 3 +>110 uleshort <0x0400 \b, maybe version 3 + +# adobe indesign (document, whatever...) from querkan +0 belong 0x0606edf5 Adobe InDesign +>16 string DOCUMENT Document + +#------------------------------------------------------------------------------ +# ichitaro456: file(1) magic for Just System Word Processor Ichitaro +# +# Contributor kenzo-: +# Reversed-engineered JS Ichitaro magic numbers +# + +0 string DOC +>43 byte 0x14 Just System Word Processor Ichitaro v4 +!:mime application/x-ichitaro4 +>144 string JDASH application/x-ichitaro4 + +0 string DOC +>43 byte 0x15 Just System Word Processor Ichitaro v5 +!:mime application/x-ichitaro5 + +0 string DOC +>43 byte 0x16 Just System Word Processor Ichitaro v6 +!:mime application/x-ichitaro6 + +# Type: Freemind mindmap documents +# From: Jamie Thompson <debian-bugs@jamie-thompson.co.uk> +0 string/w \<map\ version Freemind document +!:mime application/x-freemind + +# Type: Freeplane mindmap documents +# From: Felix Natter <fnatter@gmx.net> +0 string/w \<map\ version="freeplane Freeplane document +!:mime application/x-freeplane + +# Type: Scribus +# From: Werner Fink <werner@suse.de> +0 string \<SCRIBUSUTF8\ Version Scribus Document +0 string \<SCRIBUSUTF8NEW\ Version Scribus Document +!:mime application/x-scribus + +# help files .hlp compiled from html and used by gfxboot added by Joerg Jenderek +# markups page=0x04,label=0x12, followed by strings like "opt" or "main" and title=0x14 +0 ulelong&0x8080FFFF 0x00001204 gfxboot compiled html help file + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/StarOffice +# Reference: http://mark0.net/download/triddefs_xml.7z +# /defs/t/thm-staroffice.trid.xml +# Note: used in Star-, Open- and Libre-Office +# named as soffice.StarConfigFile.6 or OpenOffice.org configuration by others +0 ubeshort 0x0400 +# non nil gap +#>(2.s+8) ubequad x \b, gap %#16.16llx +# test for null value in gap after theme name maybe unreliable +#>(2.s+9) ubyte 0 \b, 0-byte +# look for keyword GALRESRV near the end +# "C:\Program Files (x86)\StarOffice6.0\share\gallery\sg27.thm" Navigation, 238 objects +#>0 search/8415 GALRESRV \b, GALRESRV found +# "neues thema6.thm" MorePictures, 315 objects +#>0 search/19299 GALRESRV \b, GALRESRV FOUND +#>2 uleshort x \b, name length %u +# skip file2147.chk by check for positive name length like for sg16.thm "3D" +>2 uleshort >0 +# skip dBase printer form T6.PRF with misidentified gallery +# name :\DBASE\IV\T6.txts by check for 1st object name or RESRV keyword +# https://www.clicketyclick.dk/databases/xbase/xbase/dbase_ex.zip +# template/t6/with_data/T6.PRF +# by first char of object name or RESRV part of keyword GALRESRV +>>(2.s+13) ubyte >0x1F StarOffice Gallery theme +!:mime application/x-stargallery-thm +# thm is also used for JPEG thumbnail images +!:ext thm +# gallery name often 1 word like: 3D sounds Diagrams Flussdiagramme Fotos +# or like private://gallery/hidden/imgppt "Cisco - WAN - LAN" +>>>2 pstring/h x %s +# number of objects +>>>(2.s+4) ulelong x \b, %u object +# plural s +>>>(2.s+4) ulelong !1 \bs +# if available then display first object name +>>>(2.s+4) ulelong >0 +# partial file name, URL or internal name like "dd2*" of 1st object or RESRV +>>>>(2.s+11) pstring/h x \b, 1st %s + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/StarOffice_Gallery +# Note: used in Star-, Open- and Libre-Office and found in directories like +# %APPDATA%\Roaming\LibreOffice\4\user\gallery +# $HOME/.config/libreoffice/4/user/gallery +0 string SGA3 StarOffice Gallery thumbnails +# Unknown like 0x04000?0001000142 +#>4 ubequad x \b, UNKNOWN %#16.16llx +#!:mime application/x-sdg +!:mime application/x-stargallery-sdg +!:ext sdg +# display image magic for debugging purpose like 'BM' +# looking like PC bitmap, Windows 3.x format with unknown compression +#>11 string x \b, image magic '%-.2s' +# inspect 1st GALLERY thumbnail magic by ./images with 1 space at end +#>11 indirect x \b; contains + diff --git a/magic/Magdir/wsdl b/magic/Magdir/wsdl new file mode 100644 index 0000000..1c9e60a --- /dev/null +++ b/magic/Magdir/wsdl @@ -0,0 +1,23 @@ + +#------------------------------------------------------------------------------ +# $File: wsdl,v 1.6 2021/04/26 15:56:00 christos Exp $ +# wsdl: PHP WSDL Cache, https://www.php.net/manual/en/book.soap.php +# Cache format extracted from source: +# https://svn.php.net/viewvc/php/php-src/trunk/ext/soap/php_sdl.c?revision=HEAD&view=markup +# Requires file >= 5.05 +# By Elan Ruusamae <glen@delfi.ee>, Patryk Zawadzki <patrys@pld-linux.org>, 2010-2011 +0 string wsdl PHP WSDL cache, +>4 byte x version %#02x +>6 ledate x \b, created %s + +# uri +>10 lelong <0x7fffffff +>>10 pstring/l x \b, uri: "%s" + +# source +>>>&0 lelong <0x7fffffff +>>>>&-4 pstring/l x \b, source: "%s" + +# target_ns +>>>>>&0 lelong <0x7fffffff +>>>>>>&-4 pstring/l x \b, target_ns: "%s" diff --git a/magic/Magdir/x68000 b/magic/Magdir/x68000 new file mode 100644 index 0000000..927b96d --- /dev/null +++ b/magic/Magdir/x68000 @@ -0,0 +1,25 @@ +#------------------------------------------------------------------------------ +# x68000: file(1) magic for the Sharp Home Computer +# v1.0 +# Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> + +# Yanagisawa PIC picture +0 string PIC +>3 search/0x200 \x1A +>>&0 search/0x200 \x0 +>>>&0 ubyte 0 Yanagisawa PIC image file, +>>>>&0 ubyte&15 0 model: X68000, +>>>>&0 ubyte&15 1 model: PC-88VA, +>>>>&0 ubyte&15 2 model: FM-TOWNS, +>>>>&0 ubyte&15 3 model: MAC, +>>>>&0 ubyte&15 15 model: Generic, +>>>>&3 ubeshort x %dx +>>>>&5 ubeshort x \b%d, +>>>>&1 ubeshort 4 colors: 16 +>>>>&1 ubeshort 8 colors: 256 +>>>>&1 ubeshort 12 colors: 4096 +>>>>&1 ubeshort 15 colors: 32768 +>>>>&1 ubeshort 16 colors: 65536 +>>>>&1 ubeshort >16 colors: %d-bit + + diff --git a/magic/Magdir/xdelta b/magic/Magdir/xdelta new file mode 100644 index 0000000..fde1d26 --- /dev/null +++ b/magic/Magdir/xdelta @@ -0,0 +1,13 @@ + +#------------------------------------------------------------------------------ +# $File: xdelta,v 1.5 2011/08/08 09:01:05 christos Exp $ +# file(1) magic(5) data for xdelta Josh MacDonald <jmacd@CS.Berkeley.EDU> +# +0 string %XDELTA% XDelta binary patch file 0.14 +0 string %XDZ000% XDelta binary patch file 0.18 +0 string %XDZ001% XDelta binary patch file 0.20 +0 string %XDZ002% XDelta binary patch file 1.0 +0 string %XDZ003% XDelta binary patch file 1.0.4 +0 string %XDZ004% XDelta binary patch file 1.1 + +0 string \xD6\xC3\xC4\x00 VCDIFF binary diff diff --git a/magic/Magdir/xenix b/magic/Magdir/xenix new file mode 100644 index 0000000..fc8027b --- /dev/null +++ b/magic/Magdir/xenix @@ -0,0 +1,106 @@ + +#------------------------------------------------------------------------------ +# $File: xenix,v 1.15 2022/10/19 20:15:16 christos Exp $ +# xenix: file(1) magic for Microsoft Xenix +# +# "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small +# model" lifted from "magic.xenix", with comment "derived empirically; +# treat as folklore until proven" +# +# "small model", "large model", "huge model" stuff lifted from XXX +# +# XXX - "x.out" collides with PDP-11 archives +# +0 string core core file (Xenix) +# URL: http://www.polarhome.com/service/man/?qf=86rel&tf=2&of=Xenix +# http://fileformats.archiveteam.org/wiki/OMF +# Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf +# Update: Joerg Jenderek +# recordtype~TranslatorHEADerRecord +0 byte 0x80 +# GRR: line above is too general as it catches also Extensible storage engine DataBase, +# all lif files like forth.lif hpcc88.lif lex90b.lif ( See ./lif) +# and all compressed DEGAS low-res bitmaps like: MUNCHIE.PC1 PIDER1.PC1 +# skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3 +>1 uleshort <1022 +# skip examples like GAME.PICTURE Strange.Pic by looking for positive record length +>>1 uleshort >0 +# skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length +>>>3 ubyte >0 +# skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type +>>>>(1.s+3) ubyte >0x6D +# skip few Atari DEGAS bitmap TPDEMO.PC2 RECIPE.PC2 with invalid "high" second record type FEh FFh +>>>>>(1.s+3) ubyte <0xF2 8086 relocatable (Microsoft) +#!:mime application/octet-stream +!:mime application/x-object +!:ext obj/o/a +# T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or +# "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ +>>>>>>3 pstring x \b, "%s" +# data length probably lower 256 according to TrID obj_omf.trid.xml +>>>>>>1 uleshort x \b, 1st record data length %u +# checksum +#>>>>>>(3.b+4) ubyte x \b, checksum %#2.2x +# second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF +# highest F1h~Library End Record +>>>>>>(1.s+3) ubyte x \b, 2nd record type %#x +>>>>>>(1.s+4) uleshort x \b, 2nd record data length %u +0 leshort 0xff65 x.out +>2 string __.SYMDEF randomized +>0 byte x archive +0 leshort 0x206 Microsoft a.out +>8 leshort 1 Middle model +>0x1e leshort &0x10 overlay +>0x1e leshort &0x2 separate +>0x1e leshort &0x4 pure +>0x1e leshort &0x800 segmented +>0x1e leshort &0x400 standalone +>0x1e leshort &0x8 fixed-stack +>0x1c byte &0x80 byte-swapped +>0x1c byte &0x40 word-swapped +>0x10 lelong >0 not-stripped +>0x1e leshort ^0xc000 pre-SysV +>0x1e leshort &0x4000 V2.3 +>0x1e leshort &0x8000 V3.0 +>0x1c byte &0x4 86 +>0x1c byte &0xb 186 +>0x1c byte &0x9 286 +>0x1c byte &0xa 386 +>0x1f byte <0x040 small model +>0x1f byte =0x048 large model +>0x1f byte =0x049 huge model +>0x1e leshort &0x1 executable +>0x1e leshort ^0x1 object file +>0x1e leshort &0x40 Large Text +>0x1e leshort &0x20 Large Data +>0x1e leshort &0x120 Huge Objects Enabled +>0x10 lelong >0 not stripped + +0 leshort 0x140 old Microsoft 8086 x.out +>0x3 byte &0x4 separate +>0x3 byte &0x2 pure +>0 byte &0x1 executable +>0 byte ^0x1 relocatable +>0x14 lelong >0 not stripped + +0 lelong 0x206 b.out +>0x1e leshort &0x10 overlay +>0x1e leshort &0x2 separate +>0x1e leshort &0x4 pure +>0x1e leshort &0x800 segmented +>0x1e leshort &0x400 standalone +>0x1e leshort &0x1 executable +>0x1e leshort ^0x1 object file +>0x1e leshort &0x4000 V2.3 +>0x1e leshort &0x8000 V3.0 +>0x1c byte &0x4 86 +>0x1c byte &0xb 186 +>0x1c byte &0x9 286 +>0x1c byte &0x29 286 +>0x1c byte &0xa 386 +>0x1e leshort &0x4 Large Text +>0x1e leshort &0x2 Large Data +>0x1e leshort &0x102 Huge Objects Enabled + +0 leshort 0x580 XENIX 8086 relocatable or 80286 small model +# GRR: line above is too general as it catches also all 8086 relocatable (Microsoft) with 1st record data length 5 C0M.OBJ C0T.OBJ C0S.OBJ diff --git a/magic/Magdir/xilinx b/magic/Magdir/xilinx new file mode 100644 index 0000000..fd14678 --- /dev/null +++ b/magic/Magdir/xilinx @@ -0,0 +1,58 @@ + +#------------------------------------------------------------------------------ +# $File: xilinx,v 1.10 2022/12/18 14:59:32 christos Exp $ +# This is Aaron's attempt at a MAGIC file for Xilinx .bit files. +# Xilinx-Magic@RevRagnarok.com +# Got the info from FPGA-FAQ 0026 +# +# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, +# fixes at least reading of bitfiles from Spartan 2, 3, 6. +# http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm +# +# First there is the sync header and its length +0 beshort 0x0009 +>2 belong =0x0ff00ff0 +>>&0 belong =0x0ff00ff0 +>>>&0 byte =0x00 +>>>&1 beshort =0x0001 +>>>&3 string a Xilinx BIT data +# Next is a Pascal-style string with the NCD name. We want to capture that. +>>>>&0 pstring/H x - from %s +# And then 'b' +>>>>>&1 string b +# Then the model / part number: +>>>>>>&0 pstring/H x - for %s +# Then 'c' +>>>>>>>&1 string c +# Then the build-date +>>>>>>>>&0 pstring/H x - built %s +# Then 'd' +>>>>>>>>>&1 string d +# Then the build-time +>>>>>>>>>>&0 pstring/H x \b(%s) +# Then 'e' +>>>>>>>>>>>&1 string e +# And length of data +>>>>>>>>>>>>&0 belong x - data length %#x + +# Raw bitstream files +0 long 0xffffffff +>&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) + +# AXLF (xclbin) files used by AMD/Xilinx accelerators. +# The file format is defined by XRT source tree: +# https://github.com/Xilinx/XRT/blob/master/src/runtime_src/core/include/xclbin.h +# Display file size, creation date, accelerator shell name, xclbin uuid and +# number of sections. + +0 string xclbin2 AMD/Xilinx accelerator AXLF (xclbin) file +>0x130 lequad x \b, %lld bytes +>0x138 leqdate x \b, created %s +>0x160 string >0 \b, shell "%.64s" +>0x1a0 ubelong x \b, uuid %08x +>0x1a4 ubeshort x \b-%04x +>0x1a6 ubeshort x \b-%04x +>0x1a8 ubeshort x \b-%04x +>0x1aa ubelong x \b-%08x +>0x1ae ubeshort x \b%04x +>0x1c0 lelong x \b, %d sections
\ No newline at end of file diff --git a/magic/Magdir/xo65 b/magic/Magdir/xo65 new file mode 100644 index 0000000..f7b555f --- /dev/null +++ b/magic/Magdir/xo65 @@ -0,0 +1,37 @@ + +#------------------------------------------------------------------------------ +# $File: xo65,v 1.5 2022/07/17 15:36:20 christos Exp $ +# https://cc65.github.io/doc/sim65.html +# xo65 object files +# From: "Ullrich von Bassewitz" <uz@cc65.org> +# +0 string \x55\x7A\x6E\x61 xo65 object, +>4 leshort x version %d, +>6 leshort&0x0001 =0x0001 with debug info +>6 leshort&0x0001 =0x0000 no debug info + +# xo65 library files +0 string \x6E\x61\x55\x7A xo65 library, +>4 leshort x version %d + +# o65 object files +0 string \x01\x00\x6F\x36\x35 o65 +>6 leshort&0x1000 =0x0000 executable, +>6 leshort&0x1000 =0x1000 object, +>5 byte x version %d, +>6 leshort&0x8000 =0x8000 65816, +>6 leshort&0x8000 =0x0000 6502, +>6 leshort&0x2000 =0x2000 32 bit, +>6 leshort&0x2000 =0x0000 16 bit, +>6 leshort&0x4000 =0x4000 page reloc, +>6 leshort&0x4000 =0x0000 byte reloc, +>6 leshort&0x0003 =0x0000 alignment 1 +>6 leshort&0x0003 =0x0001 alignment 2 +>6 leshort&0x0003 =0x0002 alignment 4 +>6 leshort&0x0003 =0x0003 alignment 256 + +# sim65 executable files +0 string \x73\x69\x6d\x36\x35 sim65 executable, +>5 byte x version %d, +>6 leshort&0x0000 =0x0000 6502 +>6 leshort&0x0001 =0x0001 65C02 diff --git a/magic/Magdir/xwindows b/magic/Magdir/xwindows new file mode 100644 index 0000000..d8c08c8 --- /dev/null +++ b/magic/Magdir/xwindows @@ -0,0 +1,43 @@ + +#------------------------------------------------------------------------------ +# $File: xwindows,v 1.13 2022/03/24 15:48:58 christos Exp $ +# xwindows: file(1) magic for various X/Window system file formats. + +# Compiled X Keymap +# XKM (compiled X keymap) files (including version and byte ordering) +1 string mkx Compiled XKB Keymap: lsb, +>0 byte >0 version %d +>0 byte =0 obsolete +0 string xkm Compiled XKB Keymap: msb, +>3 byte >0 version %d +>3 byte =0 obsolete + +# xfsdump archive +0 string xFSdump0 xfsdump archive +>8 belong x (version %d) + +# Jaleo XFS files +0 long 395726 Jaleo XFS file +>4 long x - version %d +>8 long x - [%d - +>20 long x \b%dx +>24 long x \b%dx +>28 long 1008 \bYUV422] +>28 long 1000 \bRGB24] + +# Xcursor data +# X11 mouse cursor format defined in libXcursor, see +# https://www.x.org/archive/X11R6.8.1/doc/Xcursor.3.html +# https://cgit.freedesktop.org/xorg/lib/libXcursor/tree/include/X11/Xcursor/Xcursor.h +0 string Xcur Xcursor data +!:mime image/x-xcursor +>10 leshort x version %d +>>8 leshort x \b.%d + +# X bitmap https://en.wikipedia.org/wiki/X_BitMap +0 search/2048 #define\040 +>&0 regex [a-zA-Z0-9]+_width\040 xbm image +>>&0 regex [0-9]+ (%sx +>>>&0 string \n#define\040 +>>>>&0 regex [a-zA-Z0-9]+_height\040 +>>>>>&0 regex [0-9]+ \b%s) diff --git a/magic/Magdir/yara b/magic/Magdir/yara new file mode 100644 index 0000000..6156cc6 --- /dev/null +++ b/magic/Magdir/yara @@ -0,0 +1,17 @@ + + +#------------------------------------------------------------------------------ +# $File: yara,v 1.4 2021/04/26 15:56:00 christos Exp $ +# yara: file(1) magic for https://virustotal.github.io/yara/ +# + +0 string YARA +>4 lelong >2047 +>8 byte <20 YARA 3.x compiled rule set +# version +>>8 clear x +>>8 byte 6 created with version 3.3.0 +>>8 byte 8 created with version 3.4.0 +>>8 byte 11 created with version 3.5.0 +>>8 default x +>>>8 byte x development version %#02x diff --git a/magic/Magdir/zfs b/magic/Magdir/zfs new file mode 100644 index 0000000..5cb0fdd --- /dev/null +++ b/magic/Magdir/zfs @@ -0,0 +1,96 @@ +#------------------------------------------------------------------------------ +# zfs: file(1) magic for ZFS dumps +# +# From <rea-fbsd@codelabs.ru> +# ZFS dump header has the following structure (as per zfs_ioctl.h +# in FreeBSD with drr_type is set to DRR_BEGIN) +# +# enum { +# DRR_BEGIN, DRR_OBJECT, DRR_FREEOBJECTS, +# DRR_WRITE, DRR_FREE, DRR_END, +# } drr_type; +# uint32_t drr_pad; +# uint64_t drr_magic; +# uint64_t drr_version; +# uint64_t drr_creation_time; +# dmu_objset_type_t drr_type; +# uint32_t drr_pad; +# uint64_t drr_toguid; +# uint64_t drr_fromguid; +# char drr_toname[MAXNAMELEN]; +# +# Backup magic is 0x00000002f5bacbac (quad word) +# The drr_type is defined as +# typedef enum dmu_objset_type { +# DMU_OST_NONE, +# DMU_OST_META, +# DMU_OST_ZFS, +# DMU_OST_ZVOL, +# DMU_OST_OTHER, /* For testing only! */ +# DMU_OST_ANY, /* Be careful! */ +# DMU_OST_NUMTYPES +# } dmu_objset_type_t; +# +# Almost all uint64_t fields are printed as the 32-bit ones (with high +# 32 bits zeroed), because there is no simple way to print them as the +# full 64-bit values. + +# Big-endian values +8 string \000\000\000\002\365\272\313\254 ZFS snapshot (big-endian machine), +>20 belong x version %u, +>32 belong 0 type: NONE, +>32 belong 1 type: META, +>32 belong 2 type: ZFS, +>32 belong 3 type: ZVOL, +>32 belong 4 type: OTHER, +>32 belong 5 type: ANY, +>32 belong >5 type: UNKNOWN (%u), +>40 byte x destination GUID: %02X +>41 byte x %02X +>42 byte x %02X +>43 byte x %02X +>44 byte x %02X +>45 byte x %02X +>46 byte x %02X +>47 byte x %02X, +>48 ulong >0 +>>52 ulong >0 +>>>48 byte x source GUID: %02X +>>>49 byte x %02X +>>>50 byte x %02X +>>>51 byte x %02X +>>>52 byte x %02X +>>>53 byte x %02X +>>>54 byte x %02X +>>>55 byte x %02X, +>56 string >\0 name: '%s' + +# Little-endian values +8 string \254\313\272\365\002\000\000\000 ZFS snapshot (little-endian machine), +>16 lelong x version %u, +>32 lelong 0 type: NONE, +>32 lelong 1 type: META, +>32 lelong 2 type: ZFS, +>32 lelong 3 type: ZVOL, +>32 lelong 4 type: OTHER, +>32 lelong 5 type: ANY, +>32 lelong >5 type: UNKNOWN (%u), +>47 byte x destination GUID: %02X +>46 byte x %02X +>45 byte x %02X +>44 byte x %02X +>43 byte x %02X +>42 byte x %02X +>41 byte x %02X +>40 byte x %02X, +>48 ulong >0 +>>52 ulong >0 +>>>55 byte x source GUID: %02X +>>>54 byte x %02X +>>>53 byte x %02X +>>>52 byte x %02X +>>>51 byte x %02X +>>>50 byte x %02X +>>>49 byte x %02X +>>>48 byte x %02X, +>56 string >\0 name: '%s' diff --git a/magic/Magdir/zilog b/magic/Magdir/zilog new file mode 100644 index 0000000..1c861fb --- /dev/null +++ b/magic/Magdir/zilog @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: zilog,v 1.7 2009/09/19 16:28:13 christos Exp $ +# zilog: file(1) magic for Zilog Z8000. +# +# Was it big-endian or little-endian? My Product Specification doesn't +# say. +# +0 long 0xe807 object file (z8000 a.out) +0 long 0xe808 pure object file (z8000 a.out) +0 long 0xe809 separate object file (z8000 a.out) +0 long 0xe805 overlay object file (z8000 a.out) diff --git a/magic/Magdir/zip b/magic/Magdir/zip new file mode 100644 index 0000000..abf5284 --- /dev/null +++ b/magic/Magdir/zip @@ -0,0 +1,126 @@ +#------------------------------------------------------------------------------ +# $File: zip,v 1.8 2021/10/24 15:53:56 christos Exp $ +# zip: file(1) magic for zip files; this is not use +# Note the version of magic in archive is currently stronger, this is +# just an example until negative offsets are supported better +# Note: All fields unless otherwise noted are unsigned! + +# Zip Central Directory record +0 name zipcd +>0 string PK\001\002 Zip archive data +!:mime application/zip +# no "made by" in local file header with PK\3\4 magic +>>4 leshort x \b, made by +>>4 use zipversion +>>4 use ziphost +# inside ./archive 1.151 called "at least" zipversion "to extract" +>>6 leshort x \b, extract using at least +>>6 use zipversion +# This is DOS date like: ledate 21:00:48 19 Dec 2001 != DOS 00:00 1 Jan 2010 ~ 0000213C +>>12 ulelong x \b, last modified +>>14 lemsdosdate x \b, last modified %s +>>12 lemsdostime x %s +# uncompressed size of 1st entry; FFffFFff means real value stored in ZIP64 record +>>24 ulelong !0xFFffFFff \b, uncompressed size %u +# inside ./archive 1.151 called "compression method="zipcompression +>>10 leshort x \b, method= +>>10 use zipcompression + +# URL: https://en.wikipedia.org/wiki/Zip_(file_format) +# reference: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT (Version: 6.3.9) +# Zip known compressions +0 name zipcompression +>0 leshort 0 \bstore +>0 leshort 1 \bShrinking +>0 leshort 6 \bImploding +>0 leshort 7 \bTokenizing +>0 leshort 8 \bdeflate +>0 leshort 9 \bdeflate64 +>0 leshort 10 \bLibrary imploding +#>0 leshort 11 \bReserved by PKWARE +>0 leshort 12 \bbzip2 +#>0 leshort 13 \bReserved by PKWARE +>0 leshort 14 \blzma +#>0 leshort 15 \bReserved by PKWARE +>0 leshort 16 \bCMPSC (IBM z/OS) +#>0 leshort 17 \bReserved by PKWARE +>0 leshort 18 \bIBM TERSE +>0 leshort 19 \bIBM LZ77 (z/Architecture) +>0 leshort 20 \bZstd (deprecated) +>0 leshort 93 \bZstd +>0 leshort 94 \bMP3 +>0 leshort 95 \bxz +>0 leshort 96 \bJpeg +>0 leshort 97 \bWavPack +>0 leshort 98 \bPPMd +>0 leshort 99 \bAES Encrypted +>0 default x +>>0 leshort x \b[%#x] + +# Zip known versions +0 name zipversion +# The lower byte indicates the ZIP version of this file. The value/10 indicates +# the major version number, and the value mod 10 is the minor version number. +>0 ubyte/10 x v%u +>0 ubyte%10 x \b.%u +# >0 leshort 0x09 v0.9 +# >0 leshort 0x0a v1.0 +# >0 leshort 0x0b v1.1 +# >0 leshort 0x14 v2.0 +# >0 leshort 0x15 v2.1 +# >0 leshort 0x19 v2.5 +# >0 leshort 0x1b v2.7 +# >0 leshort 0x2d v4.5 +# >0 leshort 0x2e v4.6 +# >0 leshort 0x32 v5.0 +# >0 leshort 0x33 v5.1 +# >0 leshort 0x34 v5.2 +# >0 leshort 0x3d v6.1 +# >0 leshort 0x3e v6.2 +# >0 leshort 0x3f v6.3 +# >0 default x +# >>0 leshort x v?[%#x] + +# display compatible host system name of ZIP archive +0 name ziphost +# The upper byte indicates the compatibility of the file attribute information. +# If the file is compatible with MS-DOS (v 2.04g) then this value will be zero. +#>1 ubyte 0 DOS +>1 ubyte 1 Amiga +>1 ubyte 2 OpenVMS +>1 ubyte 3 UNIX +>1 ubyte 4 VM/CMS +>1 ubyte 6 OS/2 +>1 ubyte 7 Macintosh +>1 ubyte 11 MVS +>1 ubyte 13 Acorn Risc +>1 ubyte 16 BeOS +>1 ubyte 17 Tandem +# 9 untested +>1 ubyte 5 Atari ST +>1 ubyte 8 Z-System +>1 ubyte 9 CP/M +>1 ubyte 10 Windows NTFS +>1 ubyte 12 VSE +>1 ubyte 14 VFAT +>1 ubyte 15 alternate MVS +>1 ubyte 18 OS/400 +>1 ubyte 19 OS X +# unused +#>1 ubyte >19 unused %#x + +# Zip End Of Central Directory record +# GRR: wrong for ZIP with comment archive +-22 string PK\005\006 +#>4 uleshort !0xFFff \b, %u disks +#>6 uleshort !0xFFff \b, central directory disk %u +#>8 uleshort !0xFFff \b, %u central directories on this disk +#>10 uleshort !0xFFff \b, %u central directories +#>12 ulelong !0xFFffFFff \b, %u central directory bytes +# offset of central directory +#>16 ulelong x \b, central directory offset %#x +>(16.l) use zipcd +# archive comment length n +#>>20 uleshort >0 \b, comment length %u +# archive comment +>>20 pstring/l >0 \b, %s diff --git a/magic/Magdir/zyxel b/magic/Magdir/zyxel new file mode 100644 index 0000000..d3a43e4 --- /dev/null +++ b/magic/Magdir/zyxel @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $ +# zyxel: file(1) magic for ZyXEL modems +# +# From <rob@pe1chl.ampr.org> +# These are the /etc/magic entries to decode datafiles as used for the +# ZyXEL U-1496E DATA/FAX/VOICE modems. (This header conforms to a +# ZyXEL-defined standard) + +0 string ZyXEL\002 ZyXEL voice data +>10 byte 0 - CELP encoding +>10 byte&0x0B 1 - ADPCM2 encoding +>10 byte&0x0B 2 - ADPCM3 encoding +>10 byte&0x0B 3 - ADPCM4 encoding +>10 byte&0x0B 8 - New ADPCM3 encoding +>10 byte&0x04 4 with resync |