IP : 3.16.137.247Hostname : host45.registrar-servers.comKernel : Linux host45.registrar-servers.com 4.18.0-513.18.1.lve.2.el8.x86_64 #1 SMP Sat Mar 30 15:36:11 UTC 2024 x86_64Disable Function : None :) OS : Linux
PATH:
/
home/
../
usr/
share/
locale/
mwl/
../
nzi/
../
arc/
../
chp/
../
sn/
../
../
file/
magic/
/
#------------------------------------------------------------------------------ # $File: acorn,v 1.6 2017/10/19 16:40:37 christos Exp $ # acorn: file(1) magic for files found on Acorn systems #
# RISC OS Chunk File Format # From RISC OS Programmer's Reference Manual, Appendix D # We guess the file type from the type of the first chunk. 0 lelong 0xc3cbc6c5 RISC OS Chunk data >12 string OBJ_ \b, AOF object >12 string LIB_ \b, ALF library
# RISC OS AIF, contains "SWI OS_Exit" at offset 16. 16 lelong 0xef000011 RISC OS AIF executable
# RISC OS Draw files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Draw RISC OS Draw file data
# RISC OS new format font files # From RISC OS Programmer's Reference Manual, Appendix E 0 string FONT\0 RISC OS outline font data, >5 byte x version %d 0 string FONT\1 RISC OS 1bpp font data, >5 byte x version %d 0 string FONT\4 RISC OS 4bpp font data >5 byte x version %d
# RISC OS Music files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Maestro\r RISC OS music file >8 byte x version %d
>8 byte x type %d
# Digital Symphony data files # From: Bernard Jungen (bern8817@euphonynet.be) 0 string \x02\x01\x13\x13\x13\x01\x0d\x10 Digital Symphony sound sample (RISC OS), >8 byte x version %d, >9 pstring x named "%s", >(9.b+19) byte =0 8-bit logarithmic >(9.b+19) byte =1 LZW-compressed linear >(9.b+19) byte =2 8-bit linear signed >(9.b+19) byte =3 16-bit linear signed >(9.b+19) byte =4 SigmaDelta-compressed linear >(9.b+19) byte =5 SigmaDelta-compressed logarithmic >(9.b+19) byte >5 unknown format
0 string \x02\x01\x13\x13\x10\x14\x12\x0e >9 byte =0 Digital Symphony sequence (RISC OS), >>8 byte x version %d, >>10 byte =1 1 line, >>10 byte !1 %d lines, >>11 leshort =1 1 position >>11 leshort !1 %d positions >9 byte =1 Digital Symphony pattern data (RISC OS), >>8 byte x version %d, >>10 leshort =1 1 pattern >>10 leshort !1 %d patterns
# From: Joerg Jenderek # URL: https://www.kyzer.me.uk/pack/xad/#PackDir # reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c # GRR: line below is too general as it matches also "Git pack" in ./revision 0 string PACK\0 # check for valid compression method 0-4 >5 ulelong <5 # https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems # To skip "Git pack" version 0 test for root directory object like # ADFS::RPC.$.websitezip.FONTFIX >>9 string >ADFS\ PackDir archive (RISC OS) # TrID labels above as "Acorn PackDir compressed Archive" # compression mode y (0 - 4) for GIF LZW with a maximum n bits # (y~n,0~12,1~13,2~14,3~15,4~16) >>>5 ulelong+12 x \b, LZW %u-bits compression # http://www.filebase.org.uk/filetypes # !Packdir compressed archive has three hexadecimal digits code 68E !:mime application/x-acorn-68E !:ext pkd/bin # null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo >>>9 string x \b, root "%s" # load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time >>>>&1 ulelong x \b, load address 0x%x # execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC >>>>&5 ulelong x \b, exec address 0x%x # attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) >>>>&9 ulelong x \b, attributes 0x%x # number of entries in this directory. for root dir 0 #>>>&13 ulelong x \b, entries 0x%x # the entries start here with object name >>>>&17 string x \b, 1st object "%s"
#------------------------------------------------------------------------------ # $File: adventure,v 1.17 2017/07/03 16:03:40 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin <earendil@faeryland.tamu-commerce.edu> # Edited by Dave Chapeskie <dchapes@ddm.on.ca> Jun 28, 1998 # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. 0 beshort 0x0206 ALAN game data >2 byte <10 version 2.6%d
# Infocom (see z-machine) #------------------------------------------------------------------------------ # Z-machine: file(1) magic for Z-machine binaries. # Sanity checks by David Griffith <dave@661.org> # Updated by Adam Buchbinder <adam.buchbinder@gmail.com> # #http://www.gnelson.demon.co.uk/zspec/sect11.html #http://www.jczorkmid.net/~jpenney/ZSpec11-latest.txt #http://en.wikipedia.org/wiki/Z-machine # The first byte is the Z-machine revision; it is always between 1 and 8. We # had false matches (for instance, inbig5.ocp from the Omega TeX extension as # well as an occasional MP3 file), so we sanity-check the version number. # # It might be possible to sanity-check the release number as well, as it seems # (at least in classic Infocom games) to always be a relatively small number, # always under 150 or so, but as this isn't rigorous, we'll wait on that until # it becomes clear that it's needed. # 0 ubyte >0 >0 ubyte <9 >>16 belong&0xfe00f0f0 0x3030 >>>0 ubyte < 10 >>>>2 ubeshort x >>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9] >>>>>>0 ubyte < 10 Infocom (Z-machine %d >>>>>>>2 ubeshort x \b, Release %d >>>>>>>>18 string >\0 \b, Serial %.6s >>>>>>>>18 string x \b) !:strength + 40 !:mime application/x-zmachine
#------------------------------------------------------------------------------ # Glulx: file(1) magic for Glulx binaries. # # David Griffith <dave@661.org> # I haven't checked for false matches yet. # 0 string Glul Glulx game data >4 beshort x (Version %d >>6 byte x \b.%d >>8 byte x \b.%d) >36 string Info Compiled by Inform !:mime application/x-glulx
# For Quetzal and blorb magic see iff
# TADS (Text Adventure Development System) version 2 # All files are machine-independent (games compile to byte-code) and are tagged # with a version string of the form "V2.<digit>.<digit>\0". # Game files start with "TADS2 bin\n\r\032\0" then the compiler version. 0 string TADS2\ bin TADS >9 belong !0x0A0D1A00 game data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s game data !:mime application/x-tads # Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version. 0 string TADS2\ rsc TADS >9 belong !0x0A0D1A00 resource data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s resource data !:mime application/x-tads # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), # "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 >>(16.s+32) string >\0 %s saved game data !:mime application/x-tads # Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter # version. 0 string TADS2\ save TADS >10 belong !0x0A0D1A00 saved game data, CORRUPTED >10 belong 0x0A0D1A00 >>14 string >\0 %s saved game data !:mime application/x-tads
# TADS (Text Adventure Development System) version 3 # Game files start with "T3-image\015\012\032" 0 string T3-image\015\012\032 >11 leshort x TADS 3 game data (format version %d) # Saved game files start with "T3-state-v####\015\012\032" # where #### is a format version number 0 string T3-state-v >14 string \015\012\032 TADS 3 saved game data (format version >>10 byte x %c >>11 byte x \b%c >>12 byte x \b%c >>13 byte x \b%c) !:mime application/x-t3vm-image
# edited by David Griffith <dave@661.org> # Danny Milosavljevic <danny.milo@gmx.net> # These are ADRIFT (adventure game standard) game files, extension .taf # Checked from source at (http://www.adrift.co/) and various taf files # found at the Interactive Fiction Archive (http://ifarchive.org/) 0 belong 0x3C423FC9 >4 belong 0x6A87C2CF Adrift game file version >>8 belong 0x94453661 3.80 >>8 belong 0x94453761 3.90 >>8 belong 0x93453E61 4.0 >>8 belong 0x92453E61 5.0 >>8 default x unknown !:mime application/x-adrift
#------------------------------------------------------------------------------ # $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived # instruction set, the "short" should probably become "beshort" and the # "long" should probably become "belong". # If it's the i860-based one, they should probably become either the # big-endian or little-endian versions, depending on the mode they ran # the 860 in.... # 0 short 0420 0420 Alliant virtual executable >2 short &0x0020 common library >16 long >0 not stripped 0 short 0421 0421 Alliant compact executable >2 short &0x0020 common library >16 long >0 not stripped
#------------------------------------------------------------------------------ # $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $ # amanda: file(1) magic for amanda file format # 0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s >>23 string >\ DATE %s >8 string FILE\ dump file, >>13 string >\ DATE %s
# The following are from: "Stefan A. Haubenthal" <polluks@web.de> 0 beshort 0x0f00 AmigaOS bitmap font 0 beshort 0x0f03 AmigaOS outline font 0 belong 0x80001001 AmigaOS outline tag 0 string ##\ version catalog translation 0 string EMOD\0 Amiga E module 8 string ECXM\0 ECX module 0 string/c @database AmigaGuide file
# Amiga disk types # 0 string RDSK Rigid Disk Block >160 string x on %.24s 0 string DOS\0 Amiga DOS disk 0 string DOS\1 Amiga FFS disk 0 string DOS\2 Amiga Inter DOS disk 0 string DOS\3 Amiga Inter FFS disk 0 string DOS\4 Amiga Fastdir DOS disk 0 string DOS\5 Amiga Fastdir FFS disk 0 string KICK Kickstart disk
# Android Backup archive # From: Ariel Shkedi # File extension: .ab # No mime-type defined # URL: https://github.com/android/platform_frameworks_base/blob/\ # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ # android/server/BackupManagerService.java#L2367 # After the header comes a tar file # If compressed, the entire tar file is compressed with JAVA deflate # # Include the version number hardcoded with the magic string to avoid # false positives 0 string/b ANDROID\ BACKUP\n1\n Android Backup >17 string 0\n \b, Not-Compressed >17 string 1\n \b, Compressed # any string as long as it's not the word none (which is matched below) >>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) >>19 string none\n \b, Not-Encrypted # Commented out because they don't seem useful to print # (but they are part of the header - the tar file comes after them): #>>>&1 regex/1l .* \b, Password salt: %s #>>>>&1 regex/1l .* \b, Master salt: %s #>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s #>>>>>>&1 regex/1l .* \b, IV: %s #>>>>>>>&1 regex/1l .* \b, Key: %s
# *.pit files by Joerg Jenderek # http://forum.xda-developers.com/showthread.php?p=9122369 # http://forum.xda-developers.com/showthread.php?t=816449 # Partition Information Table for Samsung's smartphone with Android # used by flash software Odin 0 ulelong 0x12349876 # 1st pit entry marker >0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # minimal 13 and maximal 18 PIT entries found >>4 ulelong <128 Partition Information Table for Samsung smartphone >>>4 ulelong x \b, %d entries # 1. pit entry >>>4 ulelong >0 \b; #1 >>>0x01C use PIT-entry >>>4 ulelong >1 \b; #2 >>>0x0A0 use PIT-entry >>>4 ulelong >2 \b; #3 >>>0x124 use PIT-entry >>>4 ulelong >3 \b; #4 >>>0x1A8 use PIT-entry >>>4 ulelong >4 \b; #5 >>>0x22C use PIT-entry >>>4 ulelong >5 \b; #6 >>>0x2B0 use PIT-entry >>>4 ulelong >6 \b; #7 >>>0x334 use PIT-entry >>>4 ulelong >7 \b; #8 >>>0x3B8 use PIT-entry >>>4 ulelong >8 \b; #9 >>>0x43C use PIT-entry >>>4 ulelong >9 \b; #10 >>>0x4C0 use PIT-entry >>>4 ulelong >10 \b; #11 >>>0x544 use PIT-entry >>>4 ulelong >11 \b; #12 >>>0x5C8 use PIT-entry >>>4 ulelong >12 \b; #13 >>>>0x64C use PIT-entry # 14. pit entry >>>4 ulelong >13 \b; #14 >>>>0x6D0 use PIT-entry >>>4 ulelong >14 \b; #15 >>>0x754 use PIT-entry >>>4 ulelong >15 \b; #16 >>>0x7D8 use PIT-entry >>>4 ulelong >16 \b; #17 >>>0x85C use PIT-entry # 18. pit entry >>>4 ulelong >17 \b; #18 >>>0x8E0 use PIT-entry
0 name PIT-entry # garbage value implies end of pit entries >0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # skip empty partition name >>0x24 ubyte !0 # partition name >>>0x24 string >\0 %-.32s # flags >>>0x0C ulelong&0x00000002 2 \b+RW # partition ID: # 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW >>>0x08 ulelong x (0x%x) # filename >>>0x44 string >\0 "%-.64s" #>>>0x18 ulelong >0 # blocksize in 512 byte units ? #>>>>0x18 ulelong x \b, %db # partition size in blocks ? #>>>>0x22 ulelong x \b*%d
# Android sparse img format # From https://android.googlesource.com/\ # platform/system/core/+/master/libsparse/sparse_format.h 0 lelong 0xed26ff3a Android sparse image >4 leshort x \b, version: %d >6 leshort x \b.%d >16 lelong x \b, Total of %d >12 lelong x \b %d-byte output blocks in >20 lelong x \b %d input chunks.
# Android binary XML magic # In include/androidfw/ResourceTypes.h: # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). 0 lelong 0x00080003 Android binary XML
#------------------------------------------------------------------------------ # $File: animation,v 1.66 2017/10/06 15:36:38 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats # MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) # FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com)
# SGI and Apple formats 0 string MOVI Silicon Graphics movie file !:mime video/x-sgi-movie 4 string moov Apple QuickTime !:mime video/quicktime >12 string mvhd \b movie (fast start) >12 string mdra \b URL >12 string cmov \b movie (fast start, compressed header) >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime #4 string wide Apple QuickTime movie (unoptimized) #!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) #!:mime video/quicktime 4 string idsc Apple QuickTime image (fast start) !:mime image/x-quicktime #4 string idat Apple QuickTime image (unoptimized) #!:mime image/x-quicktime 4 string pckg Apple QuickTime compressed archive !:mime application/x-quicktime-player 4 string/W jP JPEG 2000 image !:mime image/jp2 # http://www.ftyps.com/ with local additions 4 string ftyp ISO Media # http://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec >>96 string x \b, Audio "%.4s" >>118 beshort x at %dHz >>140 string x \b, Video "%.4s" >>168 beshort x %d >>170 beshort x \bx%d >8 string 3g2 \b, MPEG v4 system, 3GPP2 !:mime video/3gpp2 >>11 byte 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) # http://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf # Section 8.1.1, corresponds to a, b, c >>11 byte 0x61 \b C.S0050-0 V1.0 >>11 byte 0x62 \b C.S0050-0-A V1.0.0 >>11 byte 0x63 \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release 6 MBMS Extended Presentations >>11 byte 7 \b, Release 7 MBMS Extended Presentations >8 string 3gg \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release 6 General Profile >8 string 3gp \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 1 \b, Release %d (non existent) >>11 byte 2 \b, Release %d (non existent) >>11 byte 3 \b, Release %d (non existent) >>11 byte 4 \b, Release %d >>11 byte 5 \b, Release %d >>11 byte 6 \b, Release %d >>11 byte 7 \b, Release %d Streaming Servers >8 string 3gs \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 7 \b, Release %d Streaming Servers >8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005] !:mime video/mp4 >8 string/W qt \b, Apple QuickTime movie !:mime video/quicktime >8 string CAEP \b, Canon Digital Camera >8 string caqv \b, Casio Digital Camera >8 string CDes \b, Convergent Design >8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG >8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images >8 string da1b \b, DMB MAF, ext da1a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da2a \b, DMB MAF aud w/ HE-AAC v2 aud, MOT slides, DLS, JPG/PNG/MNG >8 string da2b \b, DMB MAF, ext da2a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da3a \b, DMB MAF aud with HE-AAC aud, JPG/PNG/MNG images >8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP >8 string dash \b, MPEG v4 system, Dynamic Adaptive Streaming over HTTP !:mime video/mp4 >8 string dmb1 \b, DMB MAF supporting all the components defined in the spec >8 string dmpf \b, Digital Media Project >8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4) >8 string dv1a \b, DMB MAF vid w/ AVC vid, ER-BSAC aud, BIFS, JPG/PNG/MNG, TS >8 string dv1b \b, DMB MAF, ext dv1a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string dv2a \b, DMB MAF vid w/ AVC vid, HE-AAC v2 aud, BIFS, JPG/PNG/MNG, TS >8 string dv2b \b, DMB MAF, ext dv2a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string dv3a \b, DMB MAF vid w/ AVC vid, HE-AAC aud, BIFS, JPG/PNG/MNG, TS >8 string dv3b \b, DMB MAF, ext dv3a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string dvr1 \b, DVB (.DVB) over RTP !:mime video/vnd.dvb.file >8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream !:mime video/vnd.dvb.file >8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V) !:mime video/mp4 >8 string F4P \b, Protected Video for Adobe Flash Player 9+ (.F4P) !:mime video/mp4 >8 string F4A \b, Audio for Adobe Flash Player 9+ (.F4A) !:mime audio/mp4 >8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B) !:mime audio/mp4 >8 string isc2 \b, ISMACryp 2.0 Encrypted File # ?/enc-isoff-generic >8 string iso2 \b, MP4 Base Media v2 [ISO 14496-12:2005] !:mime video/mp4 >8 string isom \b, MP4 Base Media v1 [IS0 14496-12:2003] !:mime video/mp4 >8 string/W jp2 \b, JPEG 2000 !:mime image/jp2 >8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?] !:mime image/jp2 >8 string JP20 \b, Unknown, from GPAC samples (prob non-existent) >8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6] !:mime image/jpm >8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2] !:mime image/jpx >8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones !:mime video/3gpp2 >8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio !:mime audio/x-m4a >8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book !:mime audio/mp4 >8 string M4P \b, Apple iTunes ALAC/AAC-LC (.M4P) AES Protected Audio !:mime video/mp4 >8 string M4V \b, Apple iTunes Video (.M4V) Video !:mime video/x-m4v >8 string M4VH \b, Apple TV (.M4V) !:mime video/x-m4v >8 string M4VP \b, Apple iPhone (.M4V) !:mime video/x-m4v >8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile !:mime video/mj2 >8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile !:mime video/mj2 >8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT) !:mime video/mp4 >8 string mobi \b, MPEG-4, MOBI format !:mime video/mp4 >8 string mp21 \b, MPEG-21 [ISO/IEC 21000-9] >8 string mp41 \b, MP4 v1 [ISO 14496-1:ch13] !:mime video/mp4 >8 string mp42 \b, MP4 v2 [ISO 14496-14] !:mime video/mp4 >8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12] >8 string mp7t \b, MPEG v4 system, MPEG v7 XML >8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML >8 string mmp4 \b, MPEG v4 system, 3GPP Mobile !:mime video/mp4 >8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3] >8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830 !:mime video/quicktime >8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP !:mime audio/mp4 >8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio !:mime audio/mp4 >8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile !:mime video/mp4 >8 string NDSH \b, MPEG-4 (.MP4) Nero HDTV Profile !:mime video/mp4 >8 string NDSM \b, MPEG-4 (.MP4) Nero Mobile Profile !:mime video/mp4 >8 string NDSP \b, MPEG-4 (.MP4) Nero Portable Profile !:mime video/mp4 >8 string NDSS \b, MPEG-4 (.MP4) Nero Standard Profile !:mime video/mp4 >8 string NDXC \b, H.264/MPEG-4 AVC (.MP4) Nero Cinema Profile !:mime video/mp4 >8 string NDXH \b, H.264/MPEG-4 AVC (.MP4) Nero HDTV Profile !:mime video/mp4 >8 string NDXM \b, H.264/MPEG-4 AVC (.MP4) Nero Mobile Profile !:mime video/mp4 >8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile !:mime video/mp4 >8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile !:mime video/mp4 >8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A) >8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C) >8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C) >8 string pana \b, Panasonic Digital Camera >8 string qt \b, Apple QuickTime (.MOV/QT) !:mime video/quicktime # HEIF image format # see https://nokiatech.github.io/heif/technical.html >8 string mif1 \b, HEIF Image !:mime image/heif >8 string msf1 \b, HEIF Image Sequence !:mime image/heif-sequence >8 string heic \b, HEIF Image HEVC Main or Main Still Picture Profile !:mime image/heic >8 string heix \b, HEIF Image HEVC Main 10 Profile !:mime image/heic >8 string hevc \b, HEIF Image Sequenz HEVC Main or Main Still Picture Profile !:mime image/heic-sequence >8 string hevx \b, HEIF Image Sequence HEVC Main 10 Profile !:mime image/heic-sequence # following HEIF brands are not mentioned in the heif technical info currently (Oct 2017) # but used in the reference implementation: # https://github.com/nokiatech/heif/blob/d5e9a21c8ba8df712bdf643021dd9f6518134776/Srcs/reader/hevcimagefilereader.cpp >8 string heim \b, HEIF Image L-HEVC !:mime image/heif >8 string heis \b, HEIF Image L-HEVC !:mime image/heif >8 string avic \b, HEIF Image AVC !:mime image/heif >8 string hevm \b, HEIF Image Sequence L-HEVC !:mime image/heif-sequence >8 string hevs \b, HEIF Image Sequence L-HEVC !:mime image/heif-sequence >8 string avcs \b, HEIF Image Sequence AVC !:mime image/heif-sequence
>8 string ROSS \b, Ross Video >8 string sdv \b, SD Memory Card Video >8 string ssc1 \b, Samsung stereo, single stream (patent pending) >8 string ssc2 \b, Samsung stereo, dual stream (patent pending)
# Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm #>1 beshort&0x1FFF x \b, %hu byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams >>4 byte&0x3C 0x0C \b, 3 streams >>4 byte &0x08 \b, 4 or more streams >>4 byte &0x20 \b, 8 or more streams >3 byte&0xC0 0 >>4 byte&0x78 0x08 \b, single stream >>4 byte&0x78 0x10 \b, 2 streams >>4 byte&0x78 0x18 \b, 3 streams >>4 byte &0x20 \b, 4 or more streams >>4 byte &0x40 \b, 8 or more streams # This magic isn't strong enough (matches plausible ISO-8859-1 text) #0 beshort 0x4DE1 MPEG-4 LO-EP audio stream #!:mime audio/x-mp4a-latm
# Summary: FLI animation format # Created by: Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection) 4 leshort 0xAF11 # standard FLI always has 320x200 resolution and 8 bit color >8 leshort 320 >>10 leshort 200 >>>12 leshort 8 FLI animation, 320x200x8 !:mime video/x-fli >>>>6 leshort x \b, %d frames # frame speed is multiple of 1/70s >>>>16 leshort x \b, %d/70s per frame
# Summary: FLC animation format # Created by: Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection) 4 leshort 0xAF12 # standard FLC always use 8 bit color >12 leshort 8 FLC animation !:mime video/x-flc >>8 leshort x \b, %d >>10 leshort x \bx%dx8 >>6 uleshort x \b, %d frames >>16 uleshort x \b, %dms per frame
# DL animation format # XXX - collision with most `mips' magic # # I couldn't find a real magic number for these, however, this # -appears- to work. Note that it might catch other files, too, so be # careful! # # Note that title and author appear in the two 20-byte chunks # at decimal offsets 2 and 22, respectively, but they are XOR'ed with # 255 (hex FF)! The DL format is really bad. # #0 byte 1 DL version 1, medium format (160x100, 4 images/screen) #!:mime video/x-unknown #>42 byte x - %d screens, #>43 byte x %d commands #0 byte 2 DL version 2 #!:mime video/x-unknown #>1 byte 1 - large format (320x200,1 image/screen), #>1 byte 2 - medium format (160x100,4 images/screen), #>1 byte >2 - unknown format, #>42 byte x %d screens, #>43 byte x %d commands # Based on empirical evidence, DL version 3 have several nulls following the # \003. Most of them start with non-null values at hex offset 0x34 or so. #0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3
# iso 13818 transport stream # # from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 (ISO 13818.1) # syncbyte 8 bit 0x47 # error_ind 1 bit - # payload_start 1 bit 1 # priority 1 bit - # PID 13 bit 0x0000 # scrambling 2 bit - # adaptfld_ctrl 2 bit 1 or 3 # conti_count 4 bit - 0 belong&0xFF5FFF10 0x47400010 >188 byte 0x47 MPEG transport stream data
# DIF digital video file format <mpruett@sgi.com> 0 belong&0xffffff00 0x1f070000 DIF >4 byte &0x01 (DVCPRO) movie file >4 byte ^0x01 (DV) movie file >3 byte &0x80 (PAL) >3 byte ^0x80 (NTSC)
# Microsoft Advanced Streaming Format (ASF) <mpruett@sgi.com> 0 belong 0x3026b275 Microsoft ASF !:mime video/x-ms-asf
# MNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/> 0 string \x8aMNG MNG video data, !:mime video/x-mng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %d x >>20 belong x %d
# JNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/> 0 string \x8bJNG JNG video data, !:mime video/x-jng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %d x >>20 belong x %d
# Vivo video (Wolfram Kleff) 3 string \x0D\x0AVersion:Vivo Vivo video data
# X3D (Extensible 3D) [http://www.web3d.org/specifications/x3d-3.0.dtd] # From Michel Briand <michelbriand@free.fr> # mimetype from https://www.iana.org/assignments/media-types/model/x3d+xml # Example http://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d 0 string/w \<?xml\ version= !:strength + 5 >20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text !:mime model/x3d+xml
#--------------------------------------------------------------------------- # HVQM4: compressed movie format designed by Hudson for Nintendo GameCube # From Mark Sheppard <msheppard@climax.co.uk>, 2002-10-03 # 0 string HVQM4 %s >6 string >\0 v%s >0 byte x GameCube movie, >0x34 ubeshort x %d x >0x36 ubeshort x %d, >0x26 ubeshort x %dus, >0x42 ubeshort 0 no audio >0x42 ubeshort >0 %dHz audio
# From: "Stefan A. Haubenthal" <polluks@web.de> 0 string DVDVIDEO-VTS Video title set, >0x21 byte x v%x 0 string DVDVIDEO-VMG Video manager, >0x21 byte x v%x
# From: Behan Webster <behanw@websterwood.com> # NuppelVideo used by Mythtv (*.nuv) # Note: there are two identical stanzas here differing only in the # initial string matched. It used to be done with a regex, but we're # trying to get rid of those. 0 string NuppelVideo MythTV NuppelVideo >12 string x v%s >20 lelong x (%d >24 lelong x \bx%d), >36 string P \bprogressive, >36 string I \binterlaced, >40 ledouble x \baspect:%.2f, >48 ledouble x \bfps:%.2f 0 string MythTV MythTV NuppelVideo >12 string x v%s >20 lelong x (%d >24 lelong x \bx%d), >36 string P \bprogressive, >36 string I \binterlaced, >40 ledouble x \baspect:%.2f, >48 ledouble x \bfps:%.2f
# MPEG file # MPEG sequences # FIXME: This section is from the old magic.mime file and needs # integrating with the rest #0 belong 0x000001BA #>4 byte &0x40 #!:mime video/mp2p #>4 byte ^0x40 #!:mime video/mpeg #0 belong 0x000001BB #!:mime video/mpeg #0 belong 0x000001B0 #!:mime video/mp4v-es #0 belong 0x000001B5 #!:mime video/mp4v-es #0 belong 0x000001B3 #!:mime video/mpv #0 belong&0xFF5FFF10 0x47400010 #!:mime video/mp2t #0 belong 0x00000001 #>4 byte&0x1F 0x07 #!:mime video/h264
# Type: Bink Video # Extension: .bik # URL: http://wiki.multimedia.cx/index.php?title=Bink_Container # From: <hoehle@users.sourceforge.net> 2008-07-18 0 string BIK Bink Video >3 regex =[a-z] rev.%s #>4 ulelong x size %d >20 ulelong x \b, %d >24 ulelong x \bx%d >8 ulelong x \b, %d frames >32 ulelong x at rate %d/ >28 ulelong >1 \b%d >40 ulelong =0 \b, no audio >40 ulelong !0 \b, %d audio track >>40 ulelong !1 \bs # follow properties of the first audio track only >>48 uleshort x %dHz >>51 byte&0x20 0 mono >>51 byte&0x20 !0 stereo #>>51 byte&0x10 0 FFT #>>51 byte&0x10 !0 DCT
# Type: Interplay MVE Movie # URL: http://wiki.multimedia.cx/index.php?title=Interplay_MVE # From: Mike Melanson <mike@multimedia.cx> 0 string Interplay\040MVE\040File\032 Interplay MVE Movie
# Type: Windows Television DVR File # URL: http://wiki.multimedia.cx/index.php?title=WTV # From: Mike Melanson <mike@mutlimedia.cx> # This takes the form of a Windows-style GUID 0 bequad 0xB7D800203749DA11 >8 bequad 0xA64E0007E95EAD8D Windows Television DVR Media
# Type: Sega FILM/CPK Multimedia # URL: http://wiki.multimedia.cx/index.php?title=Sega_FILM # From: Mike Melanson <mike@multimedia.cx> 0 string FILM Sega FILM/CPK Multimedia, >32 belong x %d x >28 belong x %d
# Type: Nintendo THP Multimedia # URL: http://wiki.multimedia.cx/index.php?title=THP # From: Mike Melanson <mike@multimedia.cx> 0 string THP\0 Nintendo THP Multimedia
# Type: BBC Dirac Video # URL: http://wiki.multimedia.cx/index.php?title=Dirac # From: Mike Melanson <mike@multimedia.cx> 0 string BBCD BBC Dirac Video
# Type: RAD Game Tools Smacker Multimedia # URL: http://wiki.multimedia.cx/index.php?title=Smacker # From: Mike Melanson <mike@multimedia.cx> 0 string SMK RAD Game Tools Smacker Multimedia >3 byte x version %c, >4 lelong x %d x >8 lelong x %d, >12 lelong x %d frames
# Material Exchange Format # More information: # https://en.wikipedia.org/wiki/Material_Exchange_Format # http://www.freemxf.org/ 0 string \x06\x0e\x2b\x34\x02\x05\x01\x01\x0d\x01\x02\x01\x01\x02 Material exchange container format !:ext mxf !:mime application/mxf
#------------------------------------------------------------------------------ # $File: aout,v 1.1 2013/01/09 22:37:23 christos Exp $ # aout: file(1) magic for a.out executable/object/etc entries that # handle executables on multiple platforms. #
# # Little-endian 32-bit-int a.out, merged from bsdi (for BSD/OS, from # BSDI), netbsd, and vax (for UNIX/32V and BSD) # # XXX - is there anything we can look at to distinguish BSD/OS 386 from # NetBSD 386 from various VAX binaries? The BSD/OS shared library flag # works only for binaries using shared libraries. Grabbing the entry # point from the a.out header, using it to find the first code executed # in the program, and looking at that might help. # 0 lelong 0407 a.out little-endian 32-bit executable >16 lelong >0 not stripped >32 byte 0x6a (uses BSD/OS shared libs)
0 lelong 0410 a.out little-endian 32-bit pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses BSD/OS shared libs)
# # Big-endian 32-bit-int a.out, merged from sun (for old 68010 SunOS a.out), # mips (for old 68020(!) SGI a.out), and netbsd (for old big-endian a.out). # # XXX - is there anything we can look at to distinguish old SunOS 68010 # from old 68020 IRIX from old NetBSD? Again, I guess we could look at # the first instruction or instructions in the program. # 0 belong 0407 a.out big-endian 32-bit executable >16 belong >0 not stripped
0 belong 0410 a.out big-endian 32-bit pure executable >16 belong >0 not stripped
#------------------------------------------------------------------------------ # $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $ # apache: file(1) magic for Apache Big Data formats
# Avro files 0 string Obj Apache Avro >3 byte x version %d
# ORC files # Important information is in file footer, which we can't index to :( 0 string ORC Apache ORC
# Parquet files 0 string PAR1 Apache Parquet
# Hive RC files 0 string RCF Apache Hive RC file >3 byte x version %d
# Sequence files (and the careless first version of RC file)
0 string SEQ >3 byte <6 Apache Hadoop Sequence file version %d >3 byte >6 Apache Hadoop Sequence file version %d >3 byte =6 >>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0 >>3 default x Apache Hadoop Sequence file version 6
#------------------------------------------------------------------------------ # $File: apl,v 1.6 2009/09/19 16:28:07 christos Exp $ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long 0100554 APL workspace (Ken's original?)
#------------------------------------------------------------------------------ # $File: apple,v 1.39 2018/03/02 15:26:39 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 0 string \x0aGL Binary II (apple ][) data 0 string \x76\xff Squeezed (apple ][) data 0 string NuFile NuFile archive (apple ][) data 0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file
# Type: Apple Emulator 2IMG format # From: Radek Vokal <rvokal@redhat.com> 0 string 2IMG Apple ][ 2IMG Disk Image >4 string XGS! \b, XGS >4 string CTKG \b, Catakig >4 string ShIm \b, Sheppy's ImageMaker >4 string WOOF \b, Sweet 16 >4 string B2TR \b, Bernie ][ the Rescue >4 string !nfc \b, ASIMOV2 >4 string x \b, Unknown Format >0xc byte 00 \b, DOS 3.3 sector order >>0x10 byte 00 \b, Volume 254 >>0x10 byte&0x7f x \b, Volume %u >0xc byte 01 \b, ProDOS sector order >>0x14 short x \b, %u Blocks >0xc byte 02 \b, NIB data
# magic for Newton PDA package formats # from Ruda Moura <ruda@helllabs.org> 0 string package0 Newton package, NOS 1.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d
0 string package1 Newton package, NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d
0 string package4 Newton package, >8 byte 8 NOS 1.x, >8 byte 9 NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression,
# The following entries for the Apple II are for files that have # been transferred as raw binary data from an Apple, without having # been encapsulated by any of the above archivers. # # In general, Apple II formats are hard to identify because Apple DOS # and especially Apple ProDOS have strong typing in the file system and # therefore programmers never felt much need to include type information # in the files themselves. # # Eric Fischer <enf@pobox.com>
# AppleWorks word processor: # URL: https://en.wikipedia.org/wiki/AppleWorks # Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx # Update: Joerg Jenderek # NOTE: # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. # and/or look for unused bits of booleans bytes like zoom, paginated, mail merge # the newer AppleWorks is from claris with extension CWK 4 string O # test for unused bits of zoom- , paginated-boolean bytes >84 ubequad ^0x00Fe00000000Fe00 # look for tabstop definitions "=" no tab, "|" no tab # "<" left tab,"^" center tab,">" right tab, "." decimal tab, # unofficial "!" other , "\x8a" other # official only if SFMinVers is nonzero >>5 regex/s [=.<>|!^\x8a]{79} AppleWorks Word Processor # AppleWorks Word Processor File (Apple II) # ./apple (version 5.25) labeled the entry as "AppleWorks word processor data" # application/x-appleworks is mime type for claris version with cwk extension !:mime application/x-appleworks3 # http://home.earthlink.net/~hughhood/appleiiworksenvoy/ # ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type') # $70 $1A $F8 $FF is this the apple type ? #:apple pdosp�� !:ext awp # minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) >>>183 ubyte 30 3.0 >>>183 ubyte !30 >>>>183 ubyte !0 0x%x # usual tabstop start sequence "=====<" >>>5 string x \b, tabstop ruler "%6.6s" # tabstop ruler #>>>5 string >\0 \b, tabstops "%-79s" # zoom switch >>>85 byte&0x01 >0 \b, zoomed # whether paginated >>>90 byte&0x01 >0 \b, paginated # contains any mail-merge commands >>>92 byte&0x01 >0 \b, with mail merge # left margin in 1/10 inches ( normally 0 or 10 ) >>>91 ubyte >0 >>>>91 ubyte x \b, %d/10 inch left margin
# AppleWorks database: # # This isn't really a magic number, but it's the closest thing to one # that I could find. The 1 and 2 really mean "order in which you defined # categories" and "left to right, top to bottom," respectively; the D and R # mean that the cursor should move either down or right when you press Return.
#30 string \x01D AppleWorks database data #30 string \x02D AppleWorks database data #30 string \x01R AppleWorks database data #30 string \x02R AppleWorks database data
# AppleWorks spreadsheet: # # Likewise, this isn't really meant as a magic number. The R or C means # row- or column-order recalculation; the A or M means automatic or manual # recalculation.
#131 string RA AppleWorks spreadsheet data #131 string RM AppleWorks spreadsheet data #131 string CA AppleWorks spreadsheet data #131 string CM AppleWorks spreadsheet data
# Applesoft BASIC: # # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. # update by Joerg Jenderek at Feb 2013
# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) #0 belong&0xff00ff 0x80000 Applesoft BASIC program data 0 belong&0x00ff00ff 0x00080000 # assuming that line number must be positive >2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d
# ORCA/EZ assembler: # # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data #>5 byte x \b, build number %d
# Broderbund Fantavision # # I don't know what these values really mean, but they seem to recur. # Will they cause too many conflicts?
# Probably :-) #2 belong&0xFF00FF 0x040008 Fantavision movie data
# Some attempts at images. # # These are actually just bit-for-bit dumps of the frame buffer, so # there's really no reasonably way to distinguish them except for their # address (if preserved) -- 8192 or 16384 -- and their length -- 8192 # or, occasionally, 8184. # # Nevertheless this will manage to catch a lot of images that happen # to have a solid-colored line at the bottom of the screen.
# GRR: Magic too weak #8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background #8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background #8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background #8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background #8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background
# Beagle Bros. Apple Mechanic fonts
0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font
# Apple Universal Disk Image Format (UDIF) - dmg files. # From Johan Gade. # These entries are disabled for now until we fix the following issues. # # Note there might be some problems with the "VAX COFF executable" # entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # # The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # # Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 #>0x410 string disk\ image UDIF read/write image (UDRW)
# From: Toby Peterson <toby@apple.com> 0 string bplist00 Apple binary property list
# Apple binary property list (bplist) # Assumes version bytes are hex. # Provides content hints for version 0 files. Assumes that the root # object is the first object (true for CoreFoundation implementation). # From: David Remahl <dremahl@apple.com> 0 string bplist >6 byte x \bCoreFoundation binary property list data, version 0x%c >>7 byte x \b%c >6 string 00 \b >>8 byte&0xF0 0x00 \b >>>8 byte&0x0F 0x00 \b, root type: null >>>8 byte&0x0F 0x08 \b, root type: false boolean >>>8 byte&0x0F 0x09 \b, root type: true boolean >>8 byte&0xF0 0x10 \b, root type: integer >>8 byte&0xF0 0x20 \b, root type: real >>8 byte&0xF0 0x30 \b, root type: date >>8 byte&0xF0 0x40 \b, root type: data >>8 byte&0xF0 0x50 \b, root type: ascii string >>8 byte&0xF0 0x60 \b, root type: unicode string >>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) >>8 byte&0xF0 0xa0 \b, root type: array >>8 byte&0xF0 0xd0 \b, root type: dictionary
# Apple/NeXT typedstream data # Serialization format used by NeXT and Apple for various # purposes in YellowStep/Cocoa, including some nib files. # From: David Remahl <dremahl@apple.com> 2 string typedstream NeXT/Apple typedstream data, big endian >0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b >>>14 ubeshort x \b, system %d 2 string streamtyped NeXT/Apple typedstream data, little endian >0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b >>>14 uleshort x \b, system %d
#------------------------------------------------------------------------------ # CAF: Apple CoreAudio File Format # # Container format for high-end audio purposes. # From: David Remahl <dremahl@apple.com> # 0 string caff CoreAudio Format audio file >4 beshort <10 version %d >6 beshort x
#------------------------------------------------------------------------------ # Keychain database files 0 string kych Mac OS X Keychain File
#------------------------------------------------------------------------------ # Code Signing related file types 0 belong 0xfade0c00 Mac OS X Code Requirement >8 belong 1 (opExpr) >4 belong x - %d bytes
0 belong 0xfade0c01 Mac OS X Code Requirement Set >8 belong >1 containing %d items >4 belong x - %d bytes
0 belong 0xfade0c02 Mac OS X Code Directory >8 belong x version %x >12 belong >0 flags 0x%x >4 belong x - %d bytes
0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) >4 belong x - %d bytes
0 belong 0xfade0cc1 Mac OS X Detached Code Signature >8 belong >1 (%d elements) >4 belong x - %d bytes
# From: "Nelson A. de Oliveira" <naoliv@gmail.com> # .vdi 4 string innotek\ VirtualBox\ Disk\ Image %s
# Apple disk partition stuff # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h # Update: Joerg Jenderek # "ER" is APPLE_DRVR_MAP_MAGIC signature 0 beshort 0x4552 # display Apple Driver Map (strength=50) after Syslinux bootloader (71) #!:strength +0 # strengthen the magic by looking for used blocksizes 512 2048 >2 ubeshort&0xf1FF 0 Apple Driver Map # last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid #>>504 ubequad&0x0000FFffFFff0000 0 !:mime application/x-apple-diskimage !:apple ????devr # https://en.wikipedia.org/wiki/Apple_Disk_Image !:ext dmg/iso # sbBlkSize for driver descriptor map 512 2048 >>2 beshort x \b, blocksize %d # sbBlkCount sometimes garbish like # 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg # 0xf2720100 for bunziped Firefox 48.0-2.dmg # 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso # 0x00009090 by syslinux-6.03/utils/isohybrid.c >>4 ubelong x \b, blockcount %u # following device/driver information not very useful # device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>8 ubeshort x \b, devtype %u # device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>10 ubeshort x \b, devid %u # driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>12 ubelong >0 >>>12 ubelong x \b, driver data %u # number of driver descriptors sbDrvrCount <= 61 # (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>16 ubeshort x \b, driver count %u # 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map # >>18 use apple-driver-map # >>26 use apple-driver-map # # ... # >>500 use apple-driver-map # number of partitions is always same in every partition (map block count) #>>0x0204 ubelong x \b, %u partitions >>0x0204 ubelong >0 \b, contains[@0x200]: >>>0x0200 use apple-apm >>0x0204 ubelong >1 \b, contains[@0x400]: >>>0x0400 use apple-apm >>0x0204 ubelong >2 \b, contains[@0x600]: >>>0x0600 use apple-apm >>0x0204 ubelong >3 \b, contains[@0x800]: >>>0x0800 use apple-apm >>0x0204 ubelong >4 \b, contains[@0xA00]: >>>0x0A00 use apple-apm >>0x0204 ubelong >5 \b, contains[@0xC00]: >>>0x0C00 use apple-apm >>0x0204 ubelong >6 \b, contains[@0xE00]: >>>0x0E00 use apple-apm >>0x0204 ubelong >7 \b, contains[@0x1000]: >>>0x1000 use apple-apm # display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) 0 name apple-driver-map >0 ubequad !0 # descBlock first block of driver >>0 ubelong x \b, driver start block %u # descSize driver size in blocks >>4 ubeshort x \b, size %u # descType driver system type 1 701h F8FFh FFFFh >>6 ubeshort x \b, type 0x%x
# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h # Update: Joerg Jenderek # Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the # magic stronger. # for apple partition map stored as a single file 0 belong 0x504d0000 # to display Apple Partition Map (strength=70) after Syslinux bootloader (71) #!:strength +0 >0 use apple-apm # magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type # file: could not find any valid magic files! #!:ext bin # display apple partition map. Normally called after Apple driver map 0 name apple-apm >0 belong 0x504d0000 Apple Partition Map # number of partitions >>4 ubelong x \b, map block count %u # logical block (512 bytes) start of partition >>8 ubelong x \b, start block %u >>12 ubelong x \b, block count %u >>16 string >0 \b, name %s >>48 string >0 \b, type %s # processor type dpme_process_id[16] e.g. "68000" "68020" >>120 string >0 \b, processor %s # A/UX boot arguments BootArgs[128] >>136 string >0 \b, boot arguments %s # status of partition dpme_flags >>88 belong & 1 \b, valid >>88 belong & 2 \b, allocated >>88 belong & 4 \b, in use >>88 belong & 8 \b, has boot info >>88 belong & 16 \b, readable >>88 belong & 32 \b, writable >>88 belong & 64 \b, pic boot code >>88 belong & 128 \b, chain compatible driver >>88 belong & 256 \b, real driver >>88 belong & 512 \b, chain driver # mount automatically at startup APPLE_PS_AUTO_MOUNT >>88 ubelong &0x40000000 \b, mount at startup # is the startup partition APPLE_PS_STARTUP >>88 ubelong &0x80000000 \b, is the startup partition
#http://wiki.mozilla.org/DS_Store_File_Format #http://en.wikipedia.org/wiki/.DS_Store 0 string \0\0\0\1Bud1\0 Apple Desktop Services Store
# HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015) # Usually not in separate files, but have either filename rsrc with # no extension, or a filename corresponding to another file, with # extensions rsr/rsrc 0 string \000\000\001\000 >4 leshort 0 >>16 lelong 0 Apple HFS/HFS+ resource fork
# before version 10 ("old format"), data was in arch-specific long/short
# old format 64 bit 0 name apt-cache-64bit-be >12 beshort 1 \b, dirty >40 bequad x \b, %llu packages >48 bequad x \b, %llu versions
# old format 32 bit 0 name apt-cache-32bit-be >8 beshort 1 \b, dirty >40 belong x \b, %u packages >44 belong x \b, %u versions
# new format 0 name apt-cache-be >6 byte 1 \b, dirty >24 belong x \b, %u packages >28 belong x \b, %u versions
0 bequad 0x98FE76DC >8 ubeshort <10 APT cache data, version %u >>10 beshort x \b.%u, 64 bit big-endian >>0 use apt-cache-64bit-be
0 lequad 0x98FE76DC >8 uleshort <10 APT cache data, version %u >>10 leshort x \b.%u, 64 bit little-endian >>0 use \^apt-cache-64bit-be
0 belong 0x98FE76DC >4 ubeshort <10 APT cache data, version %u >>6 ubeshort x \b.%u, 32 bit big-endian >>0 use apt-cache-32bit-be >4 ubyte >9 APT cache data, version %u >>5 ubyte x \b.%u, big-endian >>0 use apt-cache-be
0 lelong 0x98FE76DC >4 uleshort <10 APT cache data, version %u >>6 uleshort x \b.%u, 32 bit little-endian >>0 use \^apt-cache-32bit-be >4 ubyte >9 APT cache data, version %u >>5 ubyte x \b.%u, little-endian >>0 use \^apt-cache-be #------------------------------------------------------------------------------ # $File: archive,v 1.117 2018/03/17 02:11:04 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. # pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c.
# POSIX tar archives # URL: https://en.wikipedia.org/wiki/Tar_(computing) # Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current # header mainly padded with nul bytes 500 quad 0 # filename or extended attribute printable strings in range space null til umlaut ue >0 ubeshort >0x1F00 >>0 ubeshort <0xFCFD # last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad # at https://sourceforge.net/projects/s-tar/files/testscripts/ >>>508 ubelong&0x8B9E8DFF 0 # nul, space or ascii digit 0-7 at start of mode >>>>100 ubyte&0xC8 =0 >>>>>101 ubyte&0xC8 =0 # nul, space at end of check sum >>>>>>155 ubyte&0xDF =0 # space or ascii digit 0 at start of check sum >>>>>>>148 ubyte&0xEF =0x20 >>>>>>>>0 use tar-file # minimal check and then display tar archive information which can also be # embedded inside others like Android Backup, Clam AntiVirus database 0 name tar-file >257 string !ustar # header padded with nuls >>257 ulong =0 # GNU tar version 1.29 with non pax format option without refusing # creates misleading V7 header for Long path, Multi-volume, Volume type >>>156 ubyte 0x4c GNU tar archive !:mime application/x-gtar !:ext tar/gtar >>>156 ubyte 0x4d GNU tar archive !:mime application/x-gtar !:ext tar/gtar >>>156 ubyte 0x56 GNU tar archive !:mime application/x-gtar !:ext tar/gtar >>>156 default x tar archive (V7) !:mime application/x-tar !:ext tar # other stuff in padding # some implementations add new fields to the blank area at the end of the header record # created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option >>257 ulong !0 tar archive (old) !:mime application/x-tar !:ext tar # magic in newer, GNU, posix variants >257 string =ustar # 2 last char of magic and UStar version because string expression does not work # 2 space characters followed by a null for GNU variant >>261 ubelong =0x72202000 POSIX tar archive (GNU) !:mime application/x-gtar !:ext tar/gtar # UStar version with ASCII "00" >>261 ubelong 0x72003030 POSIX # gLOBAL and ExTENSION type only found in POSIX.1-2001 format >>>156 ubyte 0x67 \b.1-2001 >>>156 ubyte 0x78 \b.1-2001 >>>156 ubyte x tar archive !:mime application/x-ustar !:ext tar/ustar # version with 2 binary nuls embedded in Android Backup like com.android.settings.ab >>261 ubelong 0x72000000 tar archive (ustar) !:mime application/x-ustar !:ext tar/ustar # not seen ustar variant with garbish version >>261 default x tar archive (unknown ustar) !:mime application/x-ustar !:ext tar/ustar # type flag of 1st tar archive member #>156 ubyte x \b, %c-type >156 ubyte x >>156 ubyte 0 \b, file >>156 ubyte 0x30 \b, file >>156 ubyte 0x31 \b, hard link >>156 ubyte 0x32 \b, symlink >>156 ubyte 0x33 \b, char device >>156 ubyte 0x34 \b, block device >>156 ubyte 0x35 \b, directory >>156 ubyte 0x36 \b, fifo >>156 ubyte 0x37 \b, reserved >>156 ubyte 0x4c \b, long path >>156 ubyte 0x4d \b, multi volume >>156 ubyte 0x56 \b, volume >>156 ubyte 0x67 \b, global >>156 ubyte 0x78 \b, extension >>156 default x \b, type >>>156 ubyte x '%c' # name[100] >0 string >\0 %-.60s # mode mainly stored as an octal number in ASCII null or space terminated >100 string >\0 \b, mode %-.7s # user id mainly as octal numbers in ASCII null or space terminated >108 string >\0 \b, uid %-.7s # group id mainly as octal numbers in ASCII null or space terminated >116 string >\0 \b, gid %-.7s # size mainly as octal number in ASCII >124 ubyte <0x38 >>124 string >\0 \b, size %-.12s # coding indicated by setting the high-order bit of the leftmost byte >124 ubyte >0xEF \b, size 0x >>124 ubyte !0xff \b%2.2x >>125 ubyte !0xff \b%2.2x >>126 ubyte !0xff \b%2.2x >>127 ubyte !0xff \b%2.2x >>128 ubyte !0xff \b%2.2x >>129 ubyte !0xff \b%2.2x >>130 ubyte !0xff \b%2.2x >>131 ubyte !0xff \b%2.2x >>132 ubyte !0xff \b%2.2x >>133 ubyte !0xff \b%2.2x >>134 ubyte !0xff \b%2.2x >>135 ubyte !0xff \b%2.2x # seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated >136 string >\0 \b, seconds %-.11s # header checksum stored as an octal number in ASCII null or space terminated #>148 string x \b, cksum %.7s # linkname[100] >157 string >\0 \b, linkname %-.40s # additional fields for ustar >257 string =ustar # owner user name null terminated >>265 string >\0 \b, user %-.32s # group name null terminated >>297 string >\0 \b, group %-.32s # device major minor if not zero >>329 ubequad&0xCFCFCFCFcFcFcFdf !0 >>>329 string x \b, devmaj %-.7s >>337 ubequad&0xCFCFCFCFcFcFcFdf !0 >>>337 string x \b, devmin %-.7s # prefix[155] >>345 string >\0 \b, prefix %-.155s # old non ustar/POSIX tar >257 string !ustar >>508 string =tar\0 # padding[255] in old star >>>257 string >\0 \b, padding: %-.40s >>508 default x # padding[255] in old tar sometimes comment field >>>257 string >\0 \b, comment: %-.40s
# Incremental snapshot gnu-tar format from: # http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html 0 string GNU\ tar- GNU tar incremental snapshot data >&0 regex [0-9]\.[0-9]+-[0-9]+ version %s
# cpio archives # # Yes, the top two "cpio archive" formats *are* supposed to just be "short". # The idea is to indicate archives produced on machines with the same # byte order as the machine running "file" with "cpio archive", and # to indicate archives produced on machines with the opposite byte order # from the machine running "file" with "byte-swapped cpio archive". # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. 0 short 070707 cpio archive !:mime application/x-cpio 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) 0 string 070701 ASCII cpio archive (SVR4 with no CRC) 0 string 070702 ASCII cpio archive (SVR4 with CRC)
# # Various archive formats used by various versions of the "ar" # command. #
# # Original UNIX archive formats. # They were written with binary values in host byte order, and # the magic number was a host "int", which might have been 16 bits # or 32 bits. We don't say "PDP-11" or "VAX", as there might have # been ports to little-endian 16-bit-int or 32-bit-int platforms # (x86?) using some of those formats; if none existed, feel free # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian # 32-bit. There might have been big-endian ports of that sort as # well. # 0 leshort 0177555 very old 16-bit-int little-endian archive 0 beshort 0177555 very old 16-bit-int big-endian archive 0 lelong 0177555 very old 32-bit-int little-endian archive 0 belong 0177555 very old 32-bit-int big-endian archive
0 leshort 0177545 old 16-bit-int little-endian archive >2 string __.SYMDEF random library 0 beshort 0177545 old 16-bit-int big-endian archive >2 string __.SYMDEF random library 0 lelong 0177545 old 32-bit-int little-endian archive >4 string __.SYMDEF random library 0 belong 0177545 old 32-bit-int big-endian archive >4 string __.SYMDEF random library
# # From "pdp" (but why a 4-byte quantity?) # 0 lelong 0x39bed PDP-11 old archive 0 lelong 0x39bee PDP-11 4.0 archive
# # XXX - what flavor of APL used this, and was it a variant of # some ar archive format? It's similar to, but not the same # as, the APL workspace magic numbers in pdp. # 0 long 0100554 apl workspace
# # System V Release 1 portable(?) archive format. # 0 string =<ar> System V Release 1 ar archive !:mime application/x-archive
# # Debian package; it's in the portable archive format, and needs to go # before the entry for regular portable archives, as it's recognized as # a portable archive whose first member has a name beginning with # "debian". # 0 string =!<arch>\ndebian >8 string debian-split part of multipart Debian package !:mime application/vnd.debian.binary-package >8 string debian-binary Debian binary package !:mime application/vnd.debian.binary-package >8 string !debian >68 string >\0 (format %s) # These next two lines do not work, because a bzip2 Debian archive # still uses gzip for the control.tar (first in the archive). Only # data.tar varies, and the location of its filename varies too. # file/libmagic does not current have support for ascii-string based # (offsets) as of 2005-09-15. #>81 string bz2 \b, uses bzip2 compression #>84 string gz \b, uses gzip compression #>136 ledate x created: %s
# # MIPS archive; they're in the portable archive format, and need to go # before the entry for regular portable archives, as it's recognized as # a portable archive whose first member has a name beginning with # "__________E". # 0 string =!<arch>\n__________E MIPS archive !:mime application/x-archive >20 string U with MIPS Ucode members >21 string L with MIPSEL members >21 string B with MIPSEB members >19 string L and an EL hash table >19 string B and an EB hash table >22 string X -- out of date
0 search/1 -h- Software Tools format archive text
# # BSD/SVR2-and-later portable archive formats. # 0 string =!<arch> current ar archive !:mime application/x-archive >8 string __.SYMDEF random library >68 string __.SYMDEF\ SORTED random library
# # "Thin" archive, as can be produced by GNU ar. # 0 string =!<thin>\n thin archive with >68 belong 0 no symbol entries >68 belong 1 %d symbol entry >68 belong >1 %d symbol entries
# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) # # The first byte is the magic (0x1a), byte 2 is the compression type for # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS # filename of the first file (null terminated). Since some types collide # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW !:mime application/x-arc 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched !:mime application/x-arc # [JW] stuff taken from idarc, obviously ARC successors: 0 lelong&0x8080ffff 0x00000a1a PAK archive data !:mime application/x-arc 0 lelong&0x8080ffff 0x0000141a ARC+ archive data !:mime application/x-arc 0 lelong&0x8080ffff 0x0000481a HYP archive data !:mime application/x-arc
# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) # I can't create either SPARK or ArcFS archives so I have not tested this stuff # [GRR: the original entries collide with ARC, above; replaced with combined # version (not tested)] #0 byte 0x1a RISC OS archive (spark format) 0 string \032archive RISC OS archive (ArcFS format) 0 string Archive\000 RISC OS archive (ArcFS format)
# All these were taken from idarc, many could not be verified. Unfortunately, # there were many low-quality sigs, i.e. easy to trigger false positives. # Please notify me of any real-world fishy/ambiguous signatures and I'll try # to get my hands on the actual archiver and see if I find something better. [JW] # probably many can be enhanced by finding some 0-byte or control char near the start
# idarc calls this Crush/Uncompressed... *shrug* 0 string CRUSH Crush archive data # Squeeze It (.sqz) 0 string HLSQZ Squeeze It archive data # SQWEZ 0 string SQWEZ SQWEZ archive data # HPack (.hpk) 0 string HPAK HPack archive data # HAP 0 string \x91\x33HF HAP archive data # MD/MDCD 0 string MDmd MDCD archive data # LIM 0 string LIM\x1a LIM archive data # SAR 3 string LH5 SAR archive data # BSArc/BS2 0 string \212\3SB\020\0 BSArc/BS2 archive data # Bethesda Softworks Archive (Oblivion) 0 string BSA\0 BSArc archive data >4 lelong x version %d # MAR 2 string =-ah MAR archive data # ACB #0 belong&0x00f800ff 0x00800000 ACB archive data # CPZ # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data # JRC 0 string JRchive JRC archive data # Quantum 0 string DS\0 Quantum archive data # ReSOF 0 string PK\3\6 ReSOF archive data # QuArk 0 string 7\4 QuArk archive data # YAC 14 string YC YAC archive data # X1 0 string X1 X1 archive data 0 string XhDr X1 archive data # CDC Codec (.dqt) 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data # AMGC 0 string \xad6" AMGC archive data # NuLIB 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data # PakLeo 0 string LEOLZW PAKLeo archive data # ChArc 0 string SChF ChArc archive data # PSA 0 string PSA PSA archive data # CrossePAC 0 string DSIGDCC CrossePAC archive data # Freeze 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data # KBoom 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data # NSQ, must go after CDC Codec 0 string \x76\xff NSQ archive data # DPA 0 string Dirk\ Paehl DPA archive data # BA # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive # Update: Joerg Jenderek # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others 0 string \0\6 # look for first keyword of Panorama database *.pan >12 search/261 DESIGN # skip keyword with low entropy >12 default x TTComp archive, binary, 4K dictionary # (version 5.25) labeled the above entry as "TTComp archive data" # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 0 string ESP ESP archive data # ZPack 0 string \1ZPK\1 ZPack archive data # Sky 0 string \xbc\x40 Sky archive data # UFA 0 string UFA UFA archive data # Dry 0 string =-H2O DRY archive data # FoxSQZ 0 string FOXSQZ FoxSQZ archive data # AR7 0 string ,AR7 AR7 archive data # PPMZ 0 string PPMZ PPMZ archive data # MS Compress # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression # Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html # Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z 4 string \x88\xf0\x27 # KWAJ variant >0 string KWAJ MS Compress archive data, KWAJ variant !:mime application/x-ms-compress-kwaj # extension not working in version 5.32 # magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?' # file: line 284: Bad magic entry ' ??_' !:ext ??_ # compression method (0-4) >>8 uleshort x \b, %u method # offset of compressed data >>10 uleshort x \b, 0x%x offset #>>(10.s) uleshort x #>>>&-6 string x \b, TEST extension %-.3s # header flags to mark header extensions >>12 uleshort >0 \b, 0x%x flags # 4 bytes: decompressed length of file >>12 uleshort &0x01 >>>14 ulelong x \b, original size: %u bytes # 2 bytes: unknown purpose # 2 bytes: length of unknown data + mentioned bytes # 1-9 bytes: null-terminated file name # 1-4 bytes: null-terminated file extension >>12 uleshort &0x08 >>>12 uleshort ^0x01 >>>>12 uleshort ^0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>14 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>14 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(14.s) uleshort x >>>>>>>>&14 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(14.s) uleshort x >>>>>>>>&14 string x \b, %-.8s >>>>>>>>>&1 string x \b.%-.3s >>>>12 uleshort &0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>16 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>16 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(16.s) uleshort x >>>>>>>>&16 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(16.s) uleshort x >>>>>>>&16 string x %-.8s >>>>>>>>&1 string x \b.%-.3s >>>12 uleshort &0x01 >>>>12 uleshort ^0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>18 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>18 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(18.s) uleshort x >>>>>>>>&18 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(18.s) uleshort x >>>>>>>>&18 string x \b, %-.8s >>>>>>>>>&1 string x \b.%-.3s >>>>12 uleshort &0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>20 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>20 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(20.s) uleshort x >>>>>>>>&20 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(20.s) uleshort x >>>>>>>>&20 string x \b, %-.8s >>>>>>>>>&1 string x \b.%-.3s # 2 bytes: length of data + mentioned bytes # # SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ >0 string SZDD MS Compress archive data, SZDD variant !:mime application/x-ms-compress-szdd !:ext ??_ # The character missing from the end of the filename (0=unknown) >>9 string >\0 \b, %-.1s is last character of original name # https://www.betaarchive.com/forum/viewtopic.php?t=26161 # Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e >>8 string !A \b, %-.1s method >>10 ulelong >0 \b, original size: %u bytes # QBasic SZDD variant 3 string \x88\xf0\x27 >0 string SZ\x20 MS Compress archive data, QBasic variant !:mime application/x-ms-compress-sz !:ext ??$ >>8 ulelong >0 \b, original size: %u bytes
# MP3 (archiver, not lossy audio compression) 0 string MP3\x1a MP3-Archiver archive data # ZET 0 string OZ\xc3\x9d ZET archive data # TSComp 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data # ARQ 0 string gW\4\1 ARQ archive data # Squash 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data # PUCrunch 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp 0 string \2AB ABComp archive data 0 string \3AB2 ABComp archive data # CMP 0 string CO\0 CMP archive data # Splint 0 string \x93\xb9\x06 Splint archive data # InstallShield 0 string \x13\x5d\x65\x8c InstallShield Z archive Data # Gather 1 string GTH Gather archive data # BOA 0 string BOA BOA archive data # RAX 0 string ULEB\xa RAX archive data # Xtreme 0 string ULEB\0 Xtreme archive data # Pack Magic 0 string @\xc3\xa2\1\0 Pack Magic archive data # BTS 0 belong&0xfeffffff 0x1a034465 BTS archive data # ELI 5750 0 string Ora\ ELI 5750 archive data # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data # PRO-PACK 0 string RNC PRO-PACK archive data # 777 0 string 777 777 archive data # LZS221 0 string sTaC LZS221 archive data # HPA 0 string HPA HPA archive data # Arhangel 0 string LG Arhangel archive data # EXP1, uses bzip2 0 string 0123456789012345BZh EXP1 archive data # IMP 0 string IMP\xa IMP archive data # NRV 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data # Squish 0 string \x73\xb2\x90\xf4 Squish archive data # Par 0 string PHILIPP Par archive data 0 string PAR Par archive data # HIT 0 string UB HIT archive data # SBX 0 belong&0xfffff000 0x53423000 SBX archive data # NaShrink 0 string NSK NaShrink archive data # SAPCAR 0 string #\ CAR\ archive\ header SAPCAR archive data 0 string CAR\ 2.00RG SAPCAR archive data # Disintegrator 0 string DST Disintegrator archive data # ASD 0 string ASD ASD archive data # InstallShield CAB 0 string ISc( InstallShield CAB # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable # so TODO: get real 4dos batcomp file and find sig # BlakHole 0 string BH\5\7 BlakHole archive data # BIX 0 string BIX0 BIX archive data # ChiefLZA 0 string ChfLZ ChiefLZA archive data # Blink 0 string Blink Blink archive data # Logitech Compress 0 string \xda\xfa Logitech Compress archive data # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) 1 string (C)\ STEPANYUK ARS-Sfx archive data # AKT/AKT32 0 string AKT32 AKT32 archive data 0 string AKT AKT archive data # NPack 0 string MSTSM NPack archive data # PFT 0 string \0\x50\0\x14 PFT archive data # SemOne 0 string SEM SemOne archive data # PPMD 0 string \x8f\xaf\xac\x84 PPMD archive data # FIZ 0 string FIZ FIZ archive data # MSXiE 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data # DeepFreezer 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data # DC 0 string =<DC- DC archive data # TPac 0 string \4TPAC\3 TPac archive data # Ai 0 string Ai\1\1\0 Ai archive data 0 string Ai\1\0\0 Ai archive data # Ai32 0 string Ai\2\0 Ai32 archive data 0 string Ai\2\1 Ai32 archive data # SBC 0 string SBC SBC archive data # Ybs 0 string YBS Ybs archive data # DitPack 0 string \x9e\0\0 DitPack archive data # DMS 0 string DMS! DMS archive data # EPC 0 string \x8f\xaf\xac\x8c EPC archive data # VSARC 0 string VS\x1a VSARC archive data # PDZ 0 string PDZ PDZ archive data # ReDuq 0 string rdqx ReDuq archive data # GCA 0 string GCAX GCA archive data # PPMN 0 string pN PPMN archive data # WinImage 3 string WINIMAGE WinImage archive data # Compressia 0 string CMP0CMP Compressia archive data # UHBC 0 string UHB UHBC archive data # WinHKI 0 string \x61\x5C\x04\x05 WinHKI archive data # WWPack data file 0 string WWP WWPack archive data # BSN (BSA, PTS-DOS) 0 string \xffBSG BSN archive data 1 string \xffBSG BSN archive data 3 string \xffBSG BSN archive data 1 string \0\xae\2 BSN archive data 1 string \0\xae\3 BSN archive data 1 string \0\xae\7 BSN archive data # AIN 0 string \x33\x18 AIN archive data 0 string \x33\x17 AIN archive data # XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015 # SZip (TODO: doesn't catch all versions) 0 string SZ\x0a\4 SZip archive data # XPack DiskImage # *.XDI updated by Joerg Jenderek Sep 2015 # ftp://ftp.sac.sk/pub/sac/pack/0index.txt # GRR: this test is still too general as it catches also text files starting with jm 0 string jm # only found examples with this additional characteristic 2 bytes >2 string \x2\x4 Xpack DiskImage archive data #!:ext xdi # XPack Data # *.xpa updated by Joerg Jenderek Sep 2015 # ftp://ftp.elf.stuba.sk/pub/pc/pack/ 0 string xpa XPA !:ext xpa # XPA32 # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip # created by XPA32.EXE version 1.0.2 for Windows >0 string xpa\0\1 \b32 archive data # created by XPACK.COM version 1.67m or 1.67r with short 0x1800 >3 ubeshort !0x0001 \bck archive data # XPack Single Data # changed by Joerg Jenderek Sep 2015 back to like in version 5.12 # letter 'I'+ acute accent is equivalent to \xcd 0 string \xcd\ jm Xpack single archive data #!:mime application/x-xpa-compressed !:ext xpa
# TODO: missing due to unknown magic/magic at end of file: #DWC #ARG #ZAR #PC/3270 #InstallIt #RKive #RK #XPack Diskimage
# These were inspired by idarc, but actually verified # Dzip archiver (.dz) # Update: Joerg Jenderek # URL: http://speeddemosarchive.com/dzip/ # reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c # GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt 0 string DZ # latest version is 2.9 dated 7 may 2003 >2 byte <4 Dzip archive data !:mime application/x-dzip !:ext dz >>2 byte x \b, version %i >>3 byte x \b.%i >>4 ulelong x \b, offset 0x%x >>8 ulelong x \b, %u files # ZZip archiver (.zz) 0 string ZZ\ \0\0 ZZip archive data 0 string ZZ0 ZZip archive data # PAQ archiver (.paq) 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data 0 string PAQ PAQ archive data >3 byte&0xf0 0x30 >>3 byte x (v%c) # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data 0 string JARCS JAR (ARJ Software, Inc.) archive data
# ARJ archiver (jason@jarthur.Claremont.EDU) 0 leshort 0xea60 ARJ archive data !:mime application/x-arj >5 byte x \b, v%d, >8 byte &0x04 multi-volume, >8 byte &0x10 slash-switched, >8 byte &0x20 backup, >34 string x original name: %s, >7 byte 0 os: MS-DOS >7 byte 1 os: PRIMOS >7 byte 2 os: Unix >7 byte 3 os: Amiga >7 byte 4 os: Macintosh >7 byte 5 os: OS/2 >7 byte 6 os: Apple ][ GS >7 byte 7 os: Atari ST >7 byte 8 os: NeXT >7 byte 9 os: VAX/VMS >3 byte >0 %d] # [JW] idarc says this is also possible 2 leshort 0xea60 ARJ archive data
# HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, #>2 leshort >1 %hu files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC #>4 byte&0x0f =0x0e first is type DIR #>4 byte&0x0f =0x0f first is type SPECIAL # suggestion: at least identify small archives (<1024 files) 0 belong&0xffff00fc 0x48410000 HA archive data >2 leshort =1 1 file, >2 leshort >1 %u files, >4 byte&0x0f =0 first is type CPY >4 byte&0x0f =1 first is type ASC >4 byte&0x0f =2 first is type HSC >4 byte&0x0f =0x0e first is type DIR >4 byte&0x0f =0x0f first is type SPECIAL
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string \351,\001JAM\ JAM archive, >7 string >\0 version %.4s >0x26 byte =0x27 - >>0x2b string >\0 label %.11s, >>0x27 lelong x serial %08x, >>0x36 string >\0 fstype %.8s
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html # # check and display information of lharc (LHa,PMarc) file 0 name lharc-file # check 1st character of method id like -lz4- -lh5- or -pm2- >2 string - # check 5th character of method id >>6 string - # check header level 0 1 2 3 >>>20 ubyte <4 # check 2nd, 3th and 4th character of method id >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b !:mime application/x-lzh-compressed # creator type "LHA " !:apple ????LHA # display archive type name like "LHa/LZS archive data" or "LArc archive" >>>>>2 string -lz \b !:ext lzs # already known -lzs- -lz4- -lz5- with old names >>>>>>2 string -lzs LHa/LZS archive data >>>>>>3 regex \^lz[45] LHarc 1.x archive data # missing -lz?- with wikipedia names >>>>>>3 regex \^lz[2378] LArc archive # display archive type name like "LHa (2.x) archive data" >>>>>2 string -lh \b # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment >>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data >>>>>>3 regex \^lh[456] LHa (2.x) archive data >>>>>>>2 string -lh5 \b # https://en.wikipedia.org/wiki/BIOS # Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like # bios.rom , kd7_v14.bin, 1010.004, ... !:ext lha/lzh/rom/bin # missing -lh?- variants (Joe Jared) >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive # UNLHA32 2.67a >>>>>>2 string -lhx LHa (UNLHA32) archive # lha archives with standard file name extensions ".lha" ".lzh" >>>>>>3 regex !\^(lh1|lh5) \b !:ext lha/lzh # this should not happen if all -lh variants are described >>>>>>2 default x LHa (unknown) archive #!:ext lha # PMarc >>>>>3 regex \^pm[012] PMarc archive data !:ext pma # append method id without leading and trailing minus character >>>>>3 string x [%3.3s] >>>>>>0 use lharc-header # # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 >0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d # attribute: 0x2~?? 0x10~symlink|target 0x20~normal #>19 ubyte x \b, 19_0x%x # level identifier 0 1 2 3 #>20 ubyte x \b, level %d # time stamp #>15 ubelong x DATE 0x%8.8x # OS ID for level 1 >20 ubyte 1 # 0x20 types find for *.rom files >>(21.b+24) ubyte <0x21 \b, 0x%x OS # ascii type like M for MSDOS >>(21.b+24) ubyte >0x20 \b, '%c' OS # OS ID for level 2 >20 ubyte 2 #>>23 ubyte x \b, OS ID 0x%x >>23 ubyte <0x21 \b, 0x%x OS >>23 ubyte >0x20 \b, '%c' OS # filename only for level 0 and 1 >20 ubyte <2 # length of filename >>21 ubyte >0 \b, with # filename >>>21 pstring x "%s" # #2 string -lh0- LHarc 1.x/ARX archive data [lh0] #!:mime application/x-lharc 2 string -lh0- >0 use lharc-file #2 string -lh1- LHarc 1.x/ARX archive data [lh1] #!:mime application/x-lharc 2 string -lh1- >0 use lharc-file # NEW -lz2- ... -lz8- 2 string -lz2- >0 use lharc-file 2 string -lz3- >0 use lharc-file 2 string -lz4- >0 use lharc-file 2 string -lz5- >0 use lharc-file 2 string -lz7- >0 use lharc-file 2 string -lz8- >0 use lharc-file # [never seen any but the last; -lh4- reported in comp.compression:] #2 string -lzs- LHa/LZS archive data [lzs] 2 string -lzs- >0 use lharc-file # According to wikipedia and others such a version does not exist #2 string -lh\40- LHa 2.x? archive data [lh ] #2 string -lhd- LHa 2.x? archive data [lhd] 2 string -lhd- >0 use lharc-file #2 string -lh2- LHa 2.x? archive data [lh2] 2 string -lh2- >0 use lharc-file #2 string -lh3- LHa 2.x? archive data [lh3] 2 string -lh3- >0 use lharc-file #2 string -lh4- LHa (2.x) archive data [lh4] 2 string -lh4- >0 use lharc-file #2 string -lh5- LHa (2.x) archive data [lh5] 2 string -lh5- >0 use lharc-file #2 string -lh6- LHa (2.x) archive data [lh6] 2 string -lh6- >0 use lharc-file #2 string -lh7- LHa (2.x)/LHark archive data [lh7] 2 string -lh7- # !:mime application/x-lha # >20 byte x - header level %d >0 use lharc-file # NEW -lh8- ... -lhe- , -lhx- 2 string -lh8- >0 use lharc-file 2 string -lh9- >0 use lharc-file 2 string -lha- >0 use lharc-file 2 string -lhb- >0 use lharc-file 2 string -lhc- >0 use lharc-file 2 string -lhe- >0 use lharc-file 2 string -lhx- >0 use lharc-file # taken from idarc [JW] 2 string -lZ PUT archive data # already done by LHarc magics # this should never happen if all sub types of LZS archive are identified #2 string -lz LZS archive data 2 string -sw1- Swag archive data
# UC2 archiver (Greg Roelofs, newt@uchicago.edu) # [JW] see exe section for self-extracting version 0 string UC2\x1a UC2 archive data
# PKZIP multi-volume archive 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract !:mime application/zip !:ext zip/cbz
# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\005\006 Zip archive data (empty) !:mime application/zip !:ext zip/cbz 0 string PK\003\004
# Specialised zip formats which start with a member named 'mimetype' # (stored uncompressed, with no 'extra field') containing the file's MIME type. # Check for have 8-byte name, 0-byte extra field, name "mimetype", and # contents starting with "application/": >26 string \x8\0\0\0mimetypeapplication/
# Catch other ZIP-with-mimetype formats # In a ZIP file, the bytes immediately after a member's contents are # always "PK". The 2 regex rules here print the "mimetype" member's # contents up to the first 'P'. Luckily, most MIME types don't contain # any capital 'P's. This is a kludge. # (mimetype contains "application/<OTHER>") >>50 string !epub+zip >>>50 string !vnd.oasis.opendocument. >>>>50 string !vnd.sun.xml. >>>>>50 string !vnd.kde. >>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip # (mimetype contents other than "application/*") >26 string \x8\0\0\0mimetype >>38 string !application/ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip
# Java Jar files >(26.s+30) leshort 0xcafe Java archive data (JAR) !:mime application/java-archive
# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) # Next line excludes specialized formats: >(26.s+30) leshort !0xcafe >>26 string !\x8\0\0\0mimetype Zip archive data !:mime application/zip >>>4 beshort x \b, at least >>>4 use zipversion >>>4 beshort x to extract >>>0x161 string WINZIP \b, WinZIP self-extracting
# StarView Metafile # From Pierre Ducroquet <pinaraf@pinaraf.info> 0 string VCLMTF StarView MetaFile >6 beshort x \b, version %d >8 belong x \b, size %d
# # LBR. NB: May conflict with the questionable # "binary Computer Graphics Metafile" format. # 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # #2 string -pm0- PMarc archive data [pm0] 2 string -pm0- >0 use lharc-file #2 string -pm1- PMarc archive data [pm1] 2 string -pm1- >0 use lharc-file #2 string -pm2- PMarc archive data [pm2] 2 string -pm2- >0 use lharc-file 2 string -pms- PMarc SFX archive (CP/M, DOS) #!:mime application/x-foobar-exec !:ext com 5 string -pc1- PopCom compressed executable (CP/M) #!:mime application/x- #!:ext com
# From Rafael Laboissiere <rafael@laboissiere.net> # The Project Revision Control System (see # http://prcs.sourceforge.net) generates a packaged project # file which is recognized by the following entry: 0 leshort 0xeb81 PRCS packaged project
# Microsoft cabinets # by David Necas (Yeti) <yeti@physics.muni.cz> #0 string MSCF\0\0\0\0 Microsoft cabinet file data, #>25 byte x v%d #>24 byte x \b.%d # MPi: All CABs have version 1.3, so this is pointless. # Better magic in debian-additions.
# GTKtalog catalogs # by David Necas (Yeti) <yeti@physics.muni.cz> 4 string gtktalog\ GTKtalog catalog data, >13 string 3 version 3 >>14 beshort 0x677a (gzipped) >>14 beshort !0x677a (not gzipped) >13 string >3 version %s
############################################################################ # Parity archive reconstruction file, the 'par' file format now used on Usenet. 0 string PAR\0 PARity archive data >48 leshort =0 - Index file >48 leshort >0 - file number %d
# Felix von Leitner <felix-file@fefe.de> 0 string d8:announce BitTorrent file !:mime application/x-bittorrent # Durval Menezes, <jmgthbfile at durval dot com> 0 string d13:announce-list BitTorrent file !:mime application/x-bittorrent
# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> 0 beshort 0x0e0f Atari MSA archive data >2 beshort x \b, %d sectors per track >4 beshort 0 \b, 1 sided >4 beshort 1 \b, 2 sided >6 beshort x \b, starting track: %d >8 beshort x \b, ending track: %d
# Alternate ZIP string (amc@arwen.cs.berkeley.edu) 0 string PK00PK\003\004 Zip archive data !:mime application/zip !:ext zip/cbz
# ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl <sec@42.org> 7 string **ACE** ACE archive data >15 byte >0 version %d >16 byte =0x00 \b, from MS-DOS >16 byte =0x01 \b, from OS/2 >16 byte =0x02 \b, from Win/32 >16 byte =0x03 \b, from Unix >16 byte =0x04 \b, from MacOS >16 byte =0x05 \b, from WinNT >16 byte =0x06 \b, from Primos >16 byte =0x07 \b, from AppleGS >16 byte =0x08 \b, from Atari >16 byte =0x09 \b, from Vax/VMS >16 byte =0x0A \b, from Amiga >16 byte =0x0B \b, from Next >14 byte x \b, version %d to extract >5 leshort &0x0080 \b, multiple volumes, >>17 byte x \b (part %d), >5 leshort &0x0002 \b, contains comment >5 leshort &0x0200 \b, sfx >5 leshort &0x0400 \b, small dictionary >5 leshort &0x0800 \b, multi-volume >5 leshort &0x1000 \b, contains AV-String >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered) >5 leshort &0x2000 \b, with recovery record >5 leshort &0x4000 \b, locked >5 leshort &0x8000 \b, solid # Date in MS-DOS format (whatever that is) #>18 lelong x Created on
# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann # <doj@cubic.org> 0x1A string sfArk sfArk compressed Soundfont >0x15 string 2 >>0x1 string >\0 Version %s >>0x2A string >\0 : %s
# DR-DOS 7.03 Packed File *.??_ 0 string Packed\ File\ Personal NetWare Packed File >12 string x \b, was "%.12s"
# From "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string MPQ\032 MoPaQ (MPQ) archive
# From: "Nelson A. de Oliveira" <naoliv@gmail.com> # .kgb 0 string KGB_arch KGB Archiver file >10 string x with compression level %.1s
# xar (eXtensible ARchiver) archive # xar archive format: http://code.google.com/p/xar/ # From: "David Remahl" <dremahl@apple.com> 0 string xar! xar archive !:mime application/x-xar #>4 beshort x header size %d >6 beshort x version %d, #>8 quad x compressed TOC: %d, #>16 quad x uncompressed TOC: %d, >24 belong 0 no checksum >24 belong 1 SHA-1 checksum >24 belong 2 MD5 checksum
# Type: Parity Archive # From: Daniel van Eeden <daniel_e@dds.nl> 0 string PAR2 Parity Archive Volume Set
# Bacula volume format. (Volumes always start with a block header.) # URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html # From: Adam Buchbinder <adam.buchbinder@gmail.com> 12 string BB02 Bacula volume >20 bedate x \b, started %s
# ePub is XHTML + XML inside a ZIP archive. The first member of the # archive must be an uncompressed file called 'mimetype' with contents # 'application/epub+zip'
# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format # that uses little-endian encoding and has a different magic number 0 lelong 0x0064732E DEC audio data: >12 lelong 1 8-bit ISDN mu-law, !:mime audio/x-dec-basic >12 lelong 2 8-bit linear PCM [REF-PCM], !:mime audio/x-dec-basic >12 lelong 3 16-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 4 24-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 5 32-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 6 32-bit IEEE floating point, !:mime audio/x-dec-basic >12 lelong 7 64-bit IEEE floating point, !:mime audio/x-dec-basic >12 belong 8 Fragmented sample data, >12 belong 10 DSP program, >12 belong 11 8-bit fixed point, >12 belong 12 16-bit fixed point, >12 belong 13 24-bit fixed point, >12 belong 14 32-bit fixed point, >12 belong 18 16-bit linear with emphasis, >12 belong 19 16-bit linear compressed, >12 belong 20 16-bit linear with emphasis and compression, >12 belong 21 Music kit DSP commands, >12 lelong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), !:mime audio/x-dec-basic >12 belong 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong 27 8-bit A-law (CCITT G.711), >20 lelong 1 mono, >20 lelong 2 stereo, >20 lelong 4 quad, >16 lelong >0 %d Hz
# Creative Labs AUDIO stuff 0 string MThd Standard MIDI data !:mime audio/midi >8 beshort x (format %d) >10 beshort x using %d track >10 beshort >1 \bs >12 beshort&0x7fff x at 1/%d >12 beshort&0x8000 >0 SMPTE
0 string CTMF Creative Music (CMF) data !:mime audio/x-unknown 0 string SBI SoundBlaster instrument data !:mime audio/x-unknown 0 string Creative\ Voice\ File Creative Labs voice data !:mime audio/x-unknown # is this next line right? it came this way... >19 byte 0x1A >23 byte >0 - version %d >22 byte >0 \b.%d
# first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data >4 belong x - version %d
# Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] 0 string EMOD Extended MOD sound data, >4 byte&0xf0 x version %d >4 byte&0x0f x \b.%d, >45 byte x %d instruments >83 byte 0 (module) >83 byte 1 (song)
# Real Audio (Magic .ra\0375) 0 belong 0x2e7261fd RealAudio sound file !:mime audio/x-pn-realaudio 0 string .RMF\0\0\0 RealMedia file !:mime application/vnd.rn-realmedia #video/x-pn-realvideo #video/vnd.rn-realvideo #application/vnd.rn-realmedia # sigh, there are many mimes for that but the above are the most common.
# MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] # Oct 31, 1995 # fixed by <doj@cubic.org> 2003-06-24 # Too short... #0 string MTM MultiTracker Module sound file #0 string if Composer 669 Module sound data #0 string JN Composer 669 Module sound data (extended format) 0 string MAS_U ULT(imate) Module sound data
#0 string FAR Module sound data #>4 string >\15 Title: "%s"
0x2c string SCRM ScreamTracker III Module sound data >0 string >\0 Title: "%s"
# Gravis UltraSound patches # From <ache@nagual.ru>
# # Taken from loader code from mikmod version 2.14 # by Steve McIntyre (stevem@chiark.greenend.org.uk) # <doj@cubic.org> added title printing on 2003-06-24 0 string MAS_UTrack_V00 >14 string >/0 ultratracker V1.%.1s module sound data !:mime audio/x-mod #audio/x-tracker-module
0 string UN05 MikMod UNI format module sound data
0 string Extended\ Module: Fasttracker II module sound data !:mime audio/x-mod #audio/x-tracker-module >17 string >\0 Title: "%s"
# ReBorn Song Files (.rbs) # David J. Singer <doc@deadvirgins.org.uk> 8 string RB40 RBS Song file >29 string ReBorn created by ReBorn >37 string Propellerhead created by ReBirth
# Synthesizer Generator and Kimwitu share their file format 0 string A#S#C#S#S#L#V#3 Synthesizer Generator or Kimwitu data # Kimwitu++ uses a slightly different magic 0 string A#S#C#S#S#L#HUB Kimwitu++ data
# From "Simon Hosie 0 string TFMX-SONG TFMX module sound data
# Monkey's Audio compressed audio format (.ape) # From danny.milo@gmx.net (Danny Milosavljevic) # New version from Abel Cheung <abel (@) oaka.org> 0 string MAC\040 Monkey's Audio compressed format !:mime audio/x-ape >4 uleshort >0x0F8B version %d >>(0x08.l) uleshort =1000 with fast compression >>(0x08.l) uleshort =2000 with normal compression >>(0x08.l) uleshort =3000 with high compression >>(0x08.l) uleshort =4000 with extra high compression >>(0x08.l) uleshort =5000 with insane compression >>(0x08.l+18) uleshort =1 \b, mono >>(0x08.l+18) uleshort =2 \b, stereo >>(0x08.l+20) ulelong x \b, sample rate %d >4 uleshort <0x0F8C version %d >>6 uleshort =1000 with fast compression >>6 uleshort =2000 with normal compression >>6 uleshort =3000 with high compression >>6 uleshort =4000 with extra high compression >>6 uleshort =5000 with insane compression >>10 uleshort =1 \b, mono >>10 uleshort =2 \b, stereo >>12 ulelong x \b, sample rate %d
# adlib sound files # From: Alex Myczko <alex@aiei.ch> 0 string RAWADATA RdosPlay RAW
1068 string RoR AMUSIC Adlib Tracker
0 string JCH EdLib
0 string mpu401tr MPU-401 Trakker
0 string SAdT Surprise! Adlib Tracker >4 byte x Version %d
0 string \0BONK BONK, #>5 byte x version %d >14 byte x %d channel(s), >15 byte =1 lossless, >15 byte =0 lossy, >16 byte x mid-side
384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones)
# format VQF (proprietary codec for sound) # some infos on the header file available at : # http://www.twinvq.org/english/technology_format.html 0 string TWIN97012000 VQF data >27 short 0 \b, Mono >27 short 1 \b, Stereo >31 short >0 \b, %d kbit/s >35 short >0 \b, %d kHz
# Nelson A. de Oliveira (naoliv@gmail.com) # .eqf 0 string Winamp\ EQ\ library\ file %s # it will match only versions like v<digit>.<digit> # Since I saw only eqf files with version v1.1 I think that it's OK >23 string x \b%.4s # .preset 0 string [Equalizer\ preset] XMMS equalizer preset # .m3u 0 search/1 #EXTM3U M3U playlist text # .pls 0 search/1 [playlist] PLS playlist text # licq.conf 1 string [licq] LICQ configuration file
# Atari ST audio files by Dirk Jagdmann <doj@cubic.org> 0 string ICE! SNDH Atari ST music 0 string SC68\ Music-file\ /\ (c)\ (BeN)jami sc68 Atari ST music
# Type: SuperCollider 3 Synth Definition File Format # From: Mario Lang <mlang@debian.org> 0 string SCgf SuperCollider3 Synth Definition file, >4 belong x version %d
# GVOX Encore file format # Since this is a proprietary file format and there is no publicly available # format specification, this is just based on induction # 0 string SCOW >4 byte 0xc4 GVOX Encore music, version 5.0 or above >4 byte 0xc2 GVOX Encore music, version < 5.0
0 string ZBOT >4 byte 0xc5 GVOX Encore music, version < 5.0
# Summary: Garmin Voice Processing Module (WAVE audios) # From: Joerg Jenderek # URL: http://www.garmin.com/ # Reference: http://turboccc.wikispaces.com/share/view/28622555 # NOTE: there exist 2 other Garmin VPM formats 0 string AUDIMG # skip text files starting with string "AUDIMG" >13 ubyte <13 Garmin Voice Processing Module !:mime audio/x-vpm-wav-garmin !:ext vpm # 3 bytes indicating the voice version (200,220) >>6 string x \b, version %3.3s # day of release (01-31) >>12 ubyte x \b, %.2d # month of release (01-12) >>13 ubyte x \b.%.2d # year of release (like 2006, 2007, 2008) >>14 uleshort x \b.%.4d # hour of release (0-23) >>11 ubyte x %.2d # minute of release (0-59) >>10 ubyte x \b:%.2d # second of release (0-59) >>9 ubyte x \b:%.2d # if you select a language like german on your garmin device # you can only select voice modules with corresponding language byte ID like 1 >>18 ubyte x \b, language ID %d # pointer to 1st audio WAV sample >>16 uleshort >0 >>>(16.s) ulelong >0 \b, at offset 0x%x # WAV length >>>>(16.s+4) ulelong >0 %d Bytes # look for magic >>>>>(&-8.l) string RIFF # determine type by ./riff >>>>>>&-4 indirect x \b # 2 - ~ 131 WAV samples following same way
# From Martin Mueller Skarbiniks Pedersen 0 string GDM >0x3 byte 0xFE General Digital Music. >0x4 string >\0 title: "%s" >0x24 string >\0 musician: "%s" >>0x44 beshort 0x0D0A >>>0x46 byte 0x1A >>>>0x47 string GMFS Version >>>>0x4B byte x %d. >>>>0x4C byte x \b%02d >>>>0x4D beshort 0x000 (2GDM v >>>>0x4F byte x \b%d. >>>>>0x50 byte x \b%d)
0 string MTM Multitracker >0x3 byte/16 x Version %d. >0x3 byte&0x0F x \b%02d >>0x4 string >\0 title: "%s"
0 string HVL >3 byte <2 Hively Tracker Song >3 byte 0 1 module data >3 byte 1 2 module data
0 string MO3 >3 ubyte <6 MOdule with MP3 >>3 byte 0 Version 0 (With MP3 and lossless) >>3 byte 1 Version 1 (With ogg and lossless) >>3 byte 3 Version 2.2 >>3 byte 4 (With no LAME header) >>3 byte 5 Version 2.4
0 string ADRVPACK AProSys module
# ftp://ftp.modland.com/pub/documents/format_documentation/\ # Art%20Of%20Noise%20(.aon).txt 0 string AON >4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" >0x2e string NAME Art of Noise Tracker Song >3 string <9 >3 string 4 (4 voices) >3 string 8 (8 voices) >>0x36 string >\0 Title: "%s"
0 string FAR >0x2c byte 0x0d >0x2d byte 0x0a >0x2e byte 0x1a >>0x3 byte 0xFE Farandole Tracker Song >>>0x31 byte/16 x Version %d. >>>0x31 byte&0x0F x \b%02d >>>>0x4 string >\0 \b, title: "%s"
# magic for Klystrack, http://kometbomb.github.io/klystrack/ # from Alex Myczko <alex@aiei.ch> 0 string cyd!song Klystrack song >8 byte >0 \b, version %u >8 byte >26 #>>9 byte x \b, channels %u #>>10 leshort x \b, time signature %u #>>12 leshort x \b, sequence step %u #>>14 byte x \b, instruments %u #>>15 leshort x \b, patterns %u #>>17 leshort x \b, sequences %u #>>19 leshort x \b, length %u #>>21 leshort x \b, loop point %u #>>23 byte x \b, master volume %u #>>24 byte x \b, song speed %u #>>25 byte x \b, song speed2 %u #>>26 byte x \b, song rate %u #>>27 belong x \b, flags %#x #>>31 byte x \b, multiplex period %u #>>32 byte x \b, pitch inaccuracy %u >>149 pstring x \b, title %s
0 string cyd!inst Klystrack instrument
# magic for WOPL instrument files, https://github.com/Wohlstand/OPL3BankEditor # see Specifications/WOPL-and-OPLI-Specification.txt
0 string WOPL3-INST\0 WOPL instrument >11 leshort x \b, version %u 0 string WOPL3-BANK\0 WOPL instrument bank >11 leshort x \b, version %u
# AdLib/OPL instrument files. Format specifications on # http://www.shikadi.net/moddingwiki 0 string Junglevision\ Patch\ File Junglevision instrument data 0 string #OPL_II# DMX OP2 instrument data 0 string IBK\x1a IBK instrument data 0 string 2OP\x1a IBK instrument data, 2 operators 0 string 4OP\x1a IBK instrument data, 4 operators 2 string ADLIB- AdLib instrument data >0 byte x \b, version %u >1 byte x \b.%u
#------------------------------------------------------------------------------ # $File: ber,v 1.1 2016/06/05 00:21:30 christos Exp $ # ber: file(1) magic for several BER formats used in the mobile # telecommunications industry (Georg Sauthoff)
# The file formats are standardized by the GSMA (GSM association). # They are specified via ASN.1 schemas and some prose. Basic encoding # rules (BER) is the used encoding. The formats are used for exchanging # call data records (CDRs) between mobile operators and associated # parties for roaming clearing purposes and fraud detection.
# The magic file covers:
# - TAP files (TD.57) - CDR batches and notifications # - RAP files (TD.32) - return batches and acknowledgements # - NRT files (TD.35) - CDR batches for 'near real time' processing
# # TAP 3 Files # TAP -> Transferred Account Procedure # cf. http://www.gsma.com/newsroom/wp-content/uploads/TD.57-v32.31.pdf # TransferBatch short tag 0 byte 0x61 # BatchControlInfo short tag >&1 search/b5 \x64 # Sender long tag #TAP 3.x (BER encoded) >>&1 search/b8 \x5f\x81\x44 # <SpecificationVersionNumber>3</><ReleaseVersionNumber> block >>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 >>>>&0 byte x TAP 3.%d Batch (TD.57, Transferred Account)
# Notification short tag 0 byte 0x62 # Sender long tag >2 search/b8 \x5f\x81\x44 # <SpecificationVersionNumber>3</><ReleaseVersionNumber> block >>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 >>>&0 byte x TAP 3.%d Notification (TD.57, Transferred Account)
# NRT Files # NRT a.k.a. NRTRDE 0 byte 0x61 # <SpecificationVersionNumber>2</><ReleaseVersionNumber> block >&1 search/b8 \x5f\x29\x01\x02\x5f\x25\x01 >>&0 byte x NRT 2.%d (TD.35, Near Real Time Roaming Data Exchange)
# RAP Files # cf. http://www.gsma.com/newsroom/wp-content/uploads/TD.32-v6.11.pdf # Long ReturnBatch tag 0 string \x7f\x84\x16 # Long RapBatchControlInfo tag >&1 search/b8 \x7f\x84\x19 # <SpecificationVersionNumber>3</><ReleaseVersionNumber> block >>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 # <RapSpecificationVersionNumber>1</><RapReleaseVersionNumber> block >>>&1 string/b \x5f\x84\x20\x01\x01\x5f\x84\x1f\x01 >>>>&0 byte x RAP 1.%d Batch (TD.32, Returned Account Procedure), >>>&0 byte x TAP 3.%d
# Long Acknowledgement tag 0 string \x7f\x84\x17 # Long Sender tag >&1 search/b5 \x5f\x81\x44 RAP Acknowledgement (TD.32, Returned Account Procedure)
#------------------------------------------------------------------------------ # $File: bflt,v 1.5 2014/04/30 21:41:02 christos Exp $ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter <phdm@macqel.be> # 0 string bFLT BFLT executable >4 belong x - version %d >4 belong 4 >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata
############################################################################### # BGZF (Blocked GNU Zip Format) - gzip compatible, but also indexable # used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml) ############################################################################### 0 string \037\213 >3 byte &0x04 >>12 string BC >>>14 leshort &0x02 Blocked GNU Zip Format (BGZF; gzip compatible) >>>>16 leshort x \b, block length %d !:mime application/x-gzip
############################################################################### # Tabix index file # used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml) ############################################################################### 0 string TBI\1 SAMtools TBI (Tabix index format) >0x04 lelong =1 \b, with %d reference sequence >0x04 lelong >1 \b, with %d reference sequences >0x08 lelong &0x10000 \b, using half-closed-half-open coordinates (BED style) >0x08 lelong ^0x10000 >>0x08 lelong =0 \b, using closed and one based coordinates (GFF style) >>0x08 lelong =1 \b, using SAM format >>0x08 lelong =2 \b, using VCF format >0x0c lelong x \b, sequence name column: %d >0x10 lelong x \b, region start column: %d >0x08 lelong =0 >>0x14 lelong x \b, region end column: %d >0x18 byte x \b, comment character: %c >0x1c lelong x \b, skip line count: %d
############################################################################### # BAM (Binary Sequence Alignment/Map format) # used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BAM\1 SAMtools BAM (Binary Sequence Alignment/Map) >0x04 lelong >0 >>&0x00 regex =^[@]HD\t.*VN: \b, with SAM header >>>&0 regex =[0-9.]+ \b version %s >>&(0x04) lelong >0 \b, with %d reference sequences
############################################################################### # BAI (BAM indexing format) # used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) ############################################################################### 0 string BAI\1 SAMtools BAI (BAM indexing format) >0x04 lelong >0 \b, with %d reference sequences
############################################################################### # BCF (Binary Call Format), version 1 # used by SAMtools & VCFtools (http://vcftools.sourceforge.net/bcf.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BCF\4 # length of seqnm data in bytes is positive >&0x00 lelong >0 # length of smpl data in bytes is positive >>&(&-0x04) lelong >0 SAMtools BCF (Binary Call Format) # length of meta in bytes >>>&(&-0x04) lelong >0 # have meta text string >>>>&0x00 search ##samtoolsVersion= >>>>>&0x00 string x \b, generated by SAMtools version %s
############################################################################### # BCF (Binary Call Format), version 2.1 # used by SAMtools (http://samtools.github.io/hts-specs/BCFv2_qref.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BCF\2\1 Binary Call Format (BCF) version 2.1 # length of header text >&0x00 lelong >0 # have header string >>&0x00 search ##samtoolsVersion= >>>&0x00 string x \b, generated by SAMtools version %s
############################################################################### # BCF (Binary Call Format), version 2.2 # used by SAMtools (http://samtools.github.io/hts-specs/BCFv2_qref.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BCF\2\2 Binary Call Format (BCF) version 2.2 # length of header text >&0x00 lelong >0 # have header string >>&0x00 search ##samtoolsVersion= >>>&0x00 string x \b, generated by SAMtools version %s
############################################################################### # VCF (Variant Call Format) # used by VCFtools (http://vcftools.sourceforge.net/) ############################################################################### 0 search ##fileformat=VCFv Variant Call Format (VCF) >&0 string x \b version %s
############################################################################### # FASTA # used by FASTA (http://fasta.bioch.virginia.edu/fasta_www2/fasta_guide.pdf) ############################################################################### #0 byte 0x3e # q>0 regex =^[>][!-~\t\ ]+$ # Amino Acid codes: [A-IK-Z*-]+ #>>1 regex !=[!-'Jj;:=?@^`|~\\] FASTA # IUPAC codes/gaps: [ACGTURYKMSWBDHVNX-]+ # not in IUPAC codes/gaps: [EFIJLOPQZ] #>>>1 regex !=[EFIJLOPQZefijlopqz] \b, with IUPAC nucleotide codes #>>>1 regex =^[EFIJLOPQZefijlopqz]+$ \b, with Amino Acid codes
############################################################################### # SAM (Sequence Alignment/Map format) # used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) ############################################################################### # Short-cut version to recognise SAM files with (optional) header at beginning ############################################################################### 0 string @HD\t >4 search VN: Sequence Alignment/Map (SAM), with header >>&0 regex [0-9.]+ \b version %s ############################################################################### # Longer version to recognise SAM alignment lines using (many) regexes ############################################################################### # SAM Alignment QNAME 0 regex =^[!-?A-~]{1,255}(\t[^\t]+){11} # SAM Alignment FLAG >0 regex =^([^\t]+\t){1}[0-9]{1,5}\t # SAM Alignment RNAME >>0 regex =^([^\t]+\t){2}\\*|[^*=]*\t # SAM Alignment POS >>>0 regex =^([^\t]+\t){3}[0-9]{1,9}\t # SAM Alignment MAPQ >>>>0 regex =^([^\t]+\t){4}[0-9]{1,3}\t # SAM Alignment CIGAR >>>>>0 regex =\t(\\*|([0-9]+[MIDNSHPX=])+)\t # SAM Alignment RNEXT >>>>>>0 regex =\t(\\*|=|[!-()+->?-~][!-~]*)\t # SAM Alignment PNEXT >>>>>>>0 regex =^([^\t]+\t){7}[0-9]{1,9}\t # SAM Alignment TLEN >>>>>>>>0 regex =\t[+-]{0,1}[0-9]{1,9}\t.*\t # SAM Alignment SEQ >>>>>>>>>0 regex =^([^\t]+\t){9}(\\*|[A-Za-z=.]+)\t # SAM Alignment QUAL >>>>>>>>>>0 regex =^([^\t]+\t){10}[!-~]+ Sequence Alignment/Map (SAM) >>>>>>>>>>>0 regex =^[@]HD\t.*VN: \b, with header >>>>>>>>>>>>&0 regex =[0-9.]+ \b version %s
#------------------------------------------------------------------------------ # $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $ # blackberry: file(1) magic for BlackBerry file formats # 5 belong 0 >8 belong 010010010 BlackBerry RIM ETP file >>22 string x \b for %s # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # http://ftg.lbl.gov/checkpoint 0 string C\0\0\0R\0\0\0 BLCR >16 lelong 1 x86 >16 lelong 3 alpha >16 lelong 5 x86-64 >16 lelong 7 ARM >8 lelong x context data (little endian, version %d) # Uncomment the following only of your "file" program supports "search" #>0 search/1024 VMA\06 for kernel #>>&1 byte x %d. #>>&2 byte x %d. #>>&3 byte x %d 0 string \0\0\0C\0\0\0R BLCR >16 belong 2 SPARC >16 belong 4 ppc >16 belong 6 ppc64 >16 belong 7 ARMEB >16 belong 8 SPARC64 >8 belong x context data (big endian, version %d) # Uncomment the following only of your "file" program supports "search" #>0 search/1024 VMA\06 for kernel #>>&1 byte x %d. #>>&2 byte x \b%d. #>>&3 byte x \b%d
#------------------------------------------------------------------------------ # $File: blender,v 1.7 2017/03/17 21:35:28 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # http://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42
0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 leshort x \b%.4d >>8 string =V big endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 beshort x \b%.4d >7 string =- saved as 64-bits >>8 string =v little endian >>9 byte x with version %c. >>10 byte x \b%c >>11 byte x \b%c >>0x44 string =GLOB \b. >>>0x60 leshort x \b%.4d >>8 string =V big endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d
# Scripts that run in the embedded Python interpreter 0 string #!BPY Blender3D BPython script
#------------------------------------------------------------------------------ # $File: blit,v 1.8 2009/09/19 16:28:08 christos Exp $ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... # # XXX - should this be redone with "be" and "le", so that it works on # little-endian machines as well? If so, what's the deal with # "VAX-order" and "VAX-order2"? # #0 long 0407 68K Blit (standalone) executable #0 short 0407 VAX-order2 68K Blit (standalone) executable 0 short 03401 VAX-order 68K Blit (standalone) executable 0 long 0406 68k Blit mpx/mux executable 0 short 0406 VAX-order2 68k Blit mpx/mux executable 0 short 03001 VAX-order 68k Blit mpx/mux executable # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable
#------------------------------------------------------------------------------ # $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $ # i80960 b.out objects and archives # 0 long 0x10d i960 b.out relocatable object >16 long >0 not stripped # # b.out archive (hp-rt on i960) 0 string =!<bout> b.out archive >8 string __.SYMDEF random library
#------------------------------------------------------------------------------ # $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # Some object/executable formats use the same magic numbers as are used # in other OSes; those are handled by entries in aout. #
0 lelong 0314 386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs)
0 belong&077777777 0600407 SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) # Chiasmus is a encryption standard developed by the German Federal # Office for Information Security (Bundesamt fuer Sicherheit in der # Informationstechnik).
# Extension: .xia 0 string XIA1 Chiasmus encrypted data
# Extension: .xis 0 string XIS Chiasmus key
#------------------------------------------------------------------------------ # $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $ # BTSnoop: file(1) magic for BTSnoop files # # From <marcel@holtmann.org> 0 string btsnoop\0 BTSnoop >8 belong x version %d, >12 belong 1001 Unencapsulated HCI >12 belong 1002 HCI UART (H4) >12 belong 1003 HCI BCSP >12 belong 1004 HCI Serial (H5) >>12 belong x type %d #------------------------------------------------------------------------------ # $File: c-lang,v 1.26 2017/08/14 07:40:38 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML
# BCPL 0 search/8192 "libhdr" BCPL source text !:mime text/x-bcpl 0 search/8192 "LIBHDR" BCPL source text !:mime text/x-bcpl
# C # Check for class if include is found, otherwise class is beaten by include becouse of lowered strength 0 regex \^#include C >0 regex \^class[[:space:]]+ >>&0 regex \\{[\.\*]\\}(;)?$ \b++ >&0 clear x source text !:strength + 13 !:mime text/x-c 0 regex \^#[[:space:]]*pragma C source text !:mime text/x-c 0 regex \^#[[:space:]]*(if\|ifn)def >&0 regex \^#[[:space:]]*endif$ C source text !:mime text/x-c 0 regex \^#[[:space:]]*(if\|ifn)def >&0 regex \^#[[:space:]]*define C source text !:mime text/x-c 0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c 0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c 0 regex \^[[:space:]]*extern[[:space:]]+ C source text !:mime text/x-c 0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c 0 regex \^struct[[:space:]]+ C source text !:mime text/x-c 0 regex \^union[[:space:]]+ C source text !:mime text/x-c 0 search/8192 main( >&0 regex \\)[[:space:]]*\\{ C source text !:mime text/x-c
# C++ # The strength of these rules is increased so they beat the C rules above 0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text !:strength + 30 !:mime text/x-c++ # using namespace [namespace] or using std::[lib] 0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text !:strength + 30 !:mime text/x-c++ 0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text !:strength + 30 !:mime text/x-c++ 0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text !:strength + 30 !:mime text/x-c++ # But class alone is reduced to avoid beating php (Jens Schleusener) 0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text !:strength + 13 !:mime text/x-c++ 0 regex \^[[:space:]]*public: C++ source text !:strength + 30 !:mime text/x-c++ 0 regex \^[[:space:]]*private: C++ source text !:strength + 30 !:mime text/x-c++ 0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++
# From: Mikhail Teterin <mi@aldan.algebra.com> 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time between # versions 11 and 15, so look for -q if version is above 14: >7 string >14 >>10 search/100 \ -q\ with inverted index >10 search/100 \ -c\ text (non-compressed)
#------------------------------------------------------------------------------ # $File: c64,v 1.7 2017/11/15 12:19:06 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann <doj@cubic.org>
0 string C64S\x20tape\x20file T64 tape Image >32 leshort x Version:0x%x >36 leshort !0 Entries:%i >40 string x Name:%.24s
0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x Version:0x%x >36 leshort !0 Entries:%i >40 string x Name:%.24s
0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x Version:0x%x >36 leshort !0 Entries:%i >40 string x Name:%.24s
# Raw tape file format (.tap files) # Esa Hyyti <esa@netlab.tkk.fi> 0 string C64-TAPE-RAW C64 Raw Tape File (.tap), >0x0c byte x Version:%u, >0x10 lelong x Length:%u cycles
# magic for Goattracker2, http://covertbitops.c64.org/ # from Alex Myczko <alex@aiei.ch> 0 string GTS5 GoatTracker 2 song >4 string >\0 \b, "%s" >36 string >\0 \b by %s >68 string >\0 \b (C) %s >100 byte >0 \b, %u subsong(s)
#------------------------------------------------------------------------------ # $File: cafebabe,v 1.23 2017/05/25 20:07:23 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, # the test must be performed in the same "magic" sequence to get both right. # The long at offset 4 in a Mach-O universal binary tells the number of # architectures; the short at offset 4 in a Java bytecode file is the JVM minor # version and the short at offset 6 is the JVM major version. Since there are only # only 18 labeled Mach-O architectures at current, and the first released # Java class format was version 43.0, we can safely choose any number # between 18 and 39 to test the number of architectures against # (and use as a hack). Let's not use 18, because the Mach-O people # might add another one or two as time goes by... # ### JAVA START ### 0 belong 0xcafebabe >4 belong >30 compiled Java class data, !:mime application/x-java-applet >>6 beshort x version %d. >>4 beshort x \b%d # Which is which? #>>4 belong 0x032d (Java 1.0) #>>4 belong 0x032d (Java 1.1) >>4 belong 0x002e (Java 1.2) >>4 belong 0x002f (Java 1.3) >>4 belong 0x0030 (Java 1.4) >>4 belong 0x0031 (Java 1.5) >>4 belong 0x0032 (Java 1.6) >>4 belong 0x0033 (Java 1.7) >>4 belong 0x0034 (Java 1.8)
0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. >4 byte x \b%d !:mime application/x-java-pack200
0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. >4 byte x \b%d !:mime application/x-java-pack200
### JAVA END ### ### MACH-O START ###
0 name mach-o \b [ >0 use mach-o-cpu \b >(8.L) indirect x \b: >0 belong x \b]
0 belong 0xcafebabe >4 belong 1 Mach-O universal binary with 1 architecture: !:mime application/x-mach-binary >>8 use mach-o \b >4 belong >1 >>4 belong <20 Mach-O universal binary with %d architectures: !:mime application/x-mach-binary >>>8 use mach-o \b >>4 belong 2 >>>28 use mach-o \b >>4 belong 3 >>>48 use mach-o \b >>4 belong 4 >>>68 use mach-o \b >>4 belong 5 >>>88 use mach-o \b >>4 belong 6 >>>108 use mach-o \b
### MACH-O END ###
#------------------------------------------------------------------------------ # $File: cbor,v 1.1 2015/01/28 01:05:21 christos Exp $ # cbor: file(1) magic for CBOR files as defined in RFC 7049
#------------------------------------------------------------------------------ # $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From <steve@gracenote.com> # # This is the /etc/magic entry to decode datafiles as used by # CDDB-enabled CD player applications. #
0 search/1/w #\040xmcd CDDB(tm) format CD text data
#------------------------------------------------------------------------------ # $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter <phdm@macqel.be> # File format is actually free, but many distributed files begin with `{title' # 0 string {title Chord text file
# Database files # signature 0 leshort 0x3343 Clarion Developer (v2 and above) data file # attributes >2 leshort &0x0001 \b, locked >2 leshort &0x0004 \b, encrypted >2 leshort &0x0008 \b, memo file exists >2 leshort &0x0010 \b, compressed >2 leshort &0x0040 \b, read only # number of records >5 lelong x \b, %d records
# Memo files 0 leshort 0x334d Clarion Developer (v2 and above) memo data
# Key/Index files # No magic? :(
# Help files 0 leshort 0x49e0 Clarion Developer (v2 and above) help data
#------------------------------------------------------------------------------ # $File: claris,v 1.8 2016/07/18 19:23:38 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" <aldomel@ix.netcom.com> # Claris Works a word processor, etc. # Version 3.0
# Claris works files # .cwk # Moved to Apple AppleWorks document #0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document # .plt 0 string \020\341\000\000\010\010 Claris Works palette files .plt
# .msp a dictionary file I am not sure about this I have only one .msp file 0 string \002\271\262\000\040\002\000\164 Claris works dictionary
# .usp are user dictionary bits # I am not sure about a magic header: #0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 # soh S p f 8 U D sp ^ S cr nl p o d i #0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 # a t r i s t sp ^ S cr nl d i v sp #
# .mth Thesaurus # starts with \0 but no magic header
# .chy Hyphenation file # I am not sure: 000 210 034 000 000
# other claris files #./windows/claris/useng.ndx: data #./windows/claris/xtndtran.l32: data #./windows/claris/xtndtran.lst: data #./windows/claris/clworks.lbl: data #./windows/claris/clworks.prf: data #./windows/claris/userd.spl: data
#------------------------------------------------------------------------------ # $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # # >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST # # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # # >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST # # as SVR3.1's "file" doesn't support anything of the "!074000,000000" # sort, nor does SunOS 4.x, so either it's something Intergraph added # in CLIX, or something AT&T added in SVR3.2 or later, or something # somebody else thought was a good idea; it's not documented in the # man page for this version of "magic", nor does it appear to be # implemented (at least not after I blew off the bogus code to turn # old-style "&"s into new-style "&"s, which just didn't work at all). # 0 short 0575 CLIPPER COFF executable (VAX #) >20 short 0407 (impure) >20 short 0410 (5.2 compatible) >20 short 0411 (pure) >20 short 0413 (demand paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %d 0 short 0577 CLIPPER COFF executable >18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST >20 short 0407 (impure) >20 short 0410 (pure) >20 short 0411 (separate I&D) >20 short 0413 (paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %d >48 long&01 01 alignment trap enabled >52 byte 1 -Ctnc >52 byte 2 -Ctsw >52 byte 3 -Ctpw >52 byte 4 -Ctcb >53 byte 1 -Cdnc >53 byte 2 -Cdsw >53 byte 3 -Cdpw >53 byte 4 -Cdcb >54 byte 1 -Csnc >54 byte 2 -Cssw >54 byte 3 -Cspw >54 byte 4 -Cscb 4 string pipe CLIPPER instruction trace 4 string prof CLIPPER instruction profile
#------------------------------------------------------------------------------ # $File: coff,v 1.2 2017/03/17 21:35:28 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # # by Joerg Jenderek at Oct 2015 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html
# display name+variables+flags of Common Object Files Format (32bit) # Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags >18 uleshort&0x8E80 0 >>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) >>0 uleshort 0x014C Intel 80386 # Hitachi SH big-endian COFF (./hitachi-sh) >>0 uleshort 0x0500 Hitachi SH big-endian # Hitachi SH little-endian COFF (./hitachi-sh) >>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) #>>0 uleshort 0x01DF # TODO for other COFFs #>>0 uleshort 0xABCD COFF_TEMPLATE >>0 default x >>>0 uleshort x type 0x%04x >>0 uleshort x COFF # F_EXEC flag bit >>18 leshort ^0x0002 object file #!:mime application/x-coff #!:ext cof/o/obj/lib >>18 leshort &0x0002 executable #!:mime application/x-coffexec # F_RELFLG flag bit,static object >>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit >>18 leshort &0x0004 \b, no line number info # F_LSYMS flag bit >>18 leshort &0x0008 \b, stripped >>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions #0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit #>>>18 leshort &0x0100 \b, 32 bit little endian #0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY # f_nscns - number of sections >>2 uleshort <2 \b, %d section >>2 uleshort >1 \b, %d sections # f_timdat - file time & date stamp only for little endian #>>4 date x \b, %s # f_symptr - symbol table pointer, only for not stripped >>8 ulelong >0 \b, symbol offset=0x%x # f_nsyms - number of symbols, only for not stripped >>12 ulelong >0 \b, %d symbols # f_opthdr - optional header size >>16 uleshort >0 \b, optional header size %d # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files # >20 beshort 0407 (impure) # >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) # >20 beshort 0421 (standalone) # >22 leshort >0 - version %d # >168 string .lowmem Apple toolbox
#------------------------------------------------------------------------------ # $File: commands,v 1.59 2017/08/14 07:40:38 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 0 string/wt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript 0 string/wb #!\ /bin/sh POSIX shell script executable (binary data) !:mime text/x-shellscript 0 string/w #!\ /usr/bin/sh Shell script text executable !:mime text/x-shellscript
0 string/wt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript
# korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string/wt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript 0 string/wb #!\ /bin/ksh Korn shell script executable (binary data) !:mime text/x-shellscript
0 string/wt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript
# # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) 0 string/wt #!\ /bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/ae Neil Brown's ae script text executable !:mime text/x-shellscript 0 string/wt #!\ /bin/nawk new awk script text executable !:mime text/x-nawk 0 string/wt #!\ /usr/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/wt #!\ /usr/local/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/wt #!\ /bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/local/bin/gawk GNU awk script text executable !:mime text/x-gawk # 0 string/wt #!\ /bin/awk awk script text executable !:mime text/x-awk 0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk 0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text
# AT&T Bell Labs' Plan 9 shell 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable
# TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3. # It is used for conformance testing of communication protocols. # Added by W. Borgert <debacle@debian.org>. 0 string $Suite TTCN Abstract Test Suite >&1 string $SuiteId >>&1 string >\n %s >&2 string $SuiteId >>&1 string >\n %s >&3 string $SuiteId >>&1 string >\n %s
# MSC (message sequence charts) are a formal description technique, # described in ITU-T Z.120, mainly used for communication protocols. # Added by W. Borgert <debacle@debian.org>. 0 string mscdocument Message Sequence Chart (document) 0 string msc Message Sequence Chart (chart) 0 string submsc Message Sequence Chart (subchart) #------------------------------------------------------------------------------ # $File: compress,v 1.72 2018/03/27 23:26:41 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. # # Formats for various forms of compressed data # Formats for "compress" proper have been moved into "compress.c", # because it tries to uncompress it to figure out what's inside.
# standard unix compress 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213 gzip compressed data !:mime application/x-gzip !:strength * 2 >2 byte <8 \b, reserved method >2 byte >8 \b, unknown method >3 byte &0x01 \b, ASCII >3 byte &0x02 \b, has CRC >3 byte &0x04 \b, extra field >3 byte&0xC =0x08 >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment >3 byte &0x20 \b, encrypted >4 ledate >0 \b, last modified: %s >8 byte 2 \b, max compression >8 byte 4 \b, max speed >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x04 \b, from VM/CMS >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte =0x07 \b, from MacOS >9 byte =0x08 \b, from Z-System >9 byte =0x09 \b, from CP/M >9 byte =0x0A \b, from TOPS/20 >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS >-4 lelong x \b, original size %d
# packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # # This magic number is byte-order-independent. 0 short 0x1f1f old packed data !:mime application/octet-stream
# XXX - why *two* entries for "compacted data", one of which is # byte-order independent, and one of which is byte-order dependent? # 0 short 0x1fff compacted data !:mime application/octet-stream # This string is valid for SunOS (BE) and a matching "short" is listed # in the Ultrix (LE) magic file. 0 string \377\037 compacted data !:mime application/octet-stream 0 short 0145405 huf output !:mime application/octet-stream
# bzip a block-sorting file compressor # by Julian Seward <sewardj@cs.man.ac.uk> and others 0 string BZ0 bzip compressed data !:mime application/x-bzip >3 byte >47 \b, block size = %c00k
# lzip 0 string LZIP lzip compressed data !:mime application/x-lzip >4 byte x \b, version: %d
# squeeze and crunch # Michael Haardt <michael@cantor.informatik.rwth-aachen.de> 0 beshort 0x76FF squeezed data, >4 string x original name %s 0 beshort 0x76FE crunched data, >2 string x original name %s 0 beshort 0x76FD LZH compressed data, >2 string x original name %s
# European GSM 06.10 is a provisional standard for full-rate speech # transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse # excitation/long term prediction) coding at 13 kbit/s. # # There's only a magic nibble (4 bits); that nibble repeats every 33 # bytes. This isn't suited for use, but maybe we can use it someday. # # This will cause very short GSM files to be declared as data and # mismatches to be declared as data too! #0 byte&0xF0 0xd0 data #>33 byte&0xF0 0xd0 #>66 byte&0xF0 0xd0 #>99 byte&0xF0 0xd0 #>132 byte&0xF0 0xd0 GSM 06.10 compressed audio
# https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data >4 byte x - version %d >5 byte x \b.%d !:mime application/x-lrzip
# http://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 # Added by osm0sis@xda-developers.com 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) !:mime application/x-lz4 0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9) !:mime application/x-lz4
# Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes)
# ines: file(1) magic for Marat's iNES Nintendo Entertainment System ROM dump format # Updated by David Korth <gerbilsoft@gerbilsoft.com> # References: # - http://wiki.nesdev.com/w/index.php/INES # - http://wiki.nesdev.com/w/index.php/NES_2.0
# Standard iNES ROM header. 0 string NES\x1A NES ROM image (iNES) >0 use nes-rom-image-ines
# Wii U Virtual Console iNES ROM header. 0 belong 0x4E455300 NES ROM image (Wii U Virtual Console) >0 use nes-rom-image-ines
#------------------------------------------------------------------------------ # unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images # Reference: http://wiki.nesdev.com/w/index.php/UNIF # From: David Korth <gerbilsoft@gerbilsoft.com> # # NOTE: The UNIF format uses chunks instead of a fixed header, # so most of the data isn't easily parseable. # 0 string UNIF >4 lelong <16 NES ROM image (UNIF v%d format)
#------------------------------------------------------------------------------ # fds: file(1) magic for Famciom Disk System disk images # Reference: http://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # From: David Korth <gerbilsoft@gerbilsoft.com> # TODO: Check "Disk info block" and get info from that in addition to the optional header.
# Disk info block. (block 1) 0 name nintendo-fds-disk-info-block >23 byte !1 FMC- >23 byte 1 FSC- >16 string x \b%.3s >15 byte x \b, mfr %02X >20 byte x (Rev.%02u)
# Headered version. 0 string FDS\x1A >0x11 string *NINTENDO-HVC* Famicom Disk System disk image: >>0x10 use nintendo-fds-disk-info-block >4 byte 1 (%u side) >4 byte !1 (%u sides)
# Unheadered version. 1 string *NINTENDO-HVC* Famicom Disk System disk image: >0 use nintendo-fds-disk-info-block
#------------------------------------------------------------------------------ # tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images # Used by Nintendo 3DS NES Virtual Console games. # From: David Korth <gerbilsoft@gerbilsoft.com> # 0 string TNES NES ROM image (Nintendo 3DS Virtual Console) >4 byte 100 \b: FDS, >>0x2010 use nintendo-fds-disk-info-block >4 byte !100 \b: TNES mapper %u >>5 byte x \b, %ux8k PRG >>6 byte x \b, %ux8k CHR >>7 byte&0x08 =1 [WRAM] >>8 byte&0x09 =1 [H-mirror] >>8 byte&0x09 =2 [V-mirror] >>8 byte&0x02 =3 [VRAM]
#------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header # 0x104 bequad 0xCEED6666CC0D000B Game Boy ROM image >0x143 byte&0x80 0x80 >>0x134 string >\0 \b: "%.15s" >0x143 byte&0x80 !0x80 >>0x134 string >\0 \b: "%.16s" >0x14c byte x (Rev.%02u)
#------------------------------------------------------------------------------ # genesis: file(1) magic for various Sega Mega Drive / Genesis ROM image and disc formats # Updated by David Korth <gerbilsoft@gerbilsoft.com> # References: # - http://www.retrodev.com/segacd.html # - http://devster.monkeeh.com/sega/32xguide1.txt #
# Common Sega Mega Drive header format. # FIXME: Name fields are 48 bytes, but have spaces for padding instead of 00s. 0 name sega-mega-drive-header # ROM title. (Use domestic if present; if not, use international.) >0x120 byte >0x20 >>0x120 string >\0 \b: "%.16s" >0x120 byte <0x21 >>0x150 string >\0 \b: "%.16s" # Other information. >0x180 string >\0 (%.14s >>0x110 string >\0 \b, %.16s >0x180 byte 0 >>0x110 string >\0 (%.16s >0 byte x \b)
# TODO: Check for 32X CD? # Sega Mega CD disc images: 2048-byte sectors. 0 string SEGADISCSYSTEM\ \ Sega Mega CD disc image >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors 0 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors # Sega Mega CD disc images: 2352-byte sectors. 0x10 string SEGADISCSYSTEM\ \ Sega Mega CD disc image >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors 0x10 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors
# Sega Mega Drive, 32X, Pico, and Mega CD Boot ROM images. 0x100 string SEGA >0x3C0 bequad 0x4D41525320434845 Sega 32X ROM image >>0 use sega-mega-drive-header >0x3C0 bequad !0x4D41525320434845 >>0x105 belong 0x5049434F Sega Pico ROM image >>>0 use sega-mega-drive-header >>0x105 belong !0x5049434F >>>0x180 beshort 0x4252 Sega Mega CD Boot ROM image >>>0x180 beshort !0x4252 Sega Mega Drive / Genesis ROM image >>>0 use sega-mega-drive-header
#------------------------------------------------------------------------------ # genesis: file(1) magic for the Super MegaDrive ROM dump format #
# NOTE: Due to interleaving, we can't display anything # other than the copier header information. 0 name sega-genesis-smd-header >0 byte x %dx16k blocks >2 byte 0 \b, last in series or standalone >2 byte >0 \b, split ROM
# "Sega Genesis" header. 0x280 string EAGN >8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format): >>0 use sega-genesis-smd-header
# "Sega Mega Drive" header. 0x280 string EAMG >8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format): >>0 use sega-genesis-smd-header
#------------------------------------------------------------------------------ # smsgg: file(1) magic for Sega Master System and Game Gear ROM images # Detects all Game Gear and export Sega Master System ROM images, # and some Japanese Sega Master System ROM images. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://www.smspower.org/Development/ROMHeader #
# General SMS header rule. # The SMS boot ROM checks the header at three locations. 0 name sega-master-system-rom-header # Machine type. >0x0F byte&0xF0 0x30 Sega Master System >0x0F byte&0xF0 0x40 Sega Master System >0x0F byte&0xF0 0x50 Sega Game Gear >0x0F byte&0xF0 0x60 Sega Game Gear >0x0F byte&0xF0 0x70 Sega Game Gear >0x0F byte&0xF0 <0x30 Sega Master System / Game Gear >0x0F byte&0xF0 >0x70 Sega Master System / Game Gear >0 byte x ROM image: # Product code. >0x0E byte&0xF0 0x10 1 >0x0E byte&0xF0 0x20 2 >0x0E byte&0xF0 0x30 3 >0x0E byte&0xF0 0x40 4 >0x0E byte&0xF0 0x50 5 >0x0E byte&0xF0 0x60 6 >0x0E byte&0xF0 0x70 7 >0x0E byte&0xF0 0x80 8 >0x0E byte&0xF0 0x90 9 >0x0E byte&0xF0 0xA0 10 >0x0E byte&0xF0 0xB0 11 >0x0E byte&0xF0 0xC0 12 >0x0E byte&0xF0 0xD0 13 >0x0E byte&0xF0 0xE0 14 >0x0E byte&0xF0 0xF0 15 # If the product code is 5 digits, we'll need to backspace here. >0x0E byte&0xF0 !0 >>0x0C leshort x \b%04x >0x0E byte&0xF0 0 >>0x0C leshort x %04x # Revision. >0x0E byte&0x0F x (Rev.%02d) # ROM size. (Used for the boot ROM checksum routine.) >0x0F byte&0x0F 0x0A (8 KB) >0x0F byte&0x0F 0x0B (16 KB) >0x0F byte&0x0F 0x0C (32 KB) >0x0F byte&0x0F 0x0D (48 KB) >0x0F byte&0x0F 0x0E (64 KB) >0x0F byte&0x0F 0x0F (128 KB) >0x0F byte&0x0F 0x00 (256 KB) >0x0F byte&0x0F 0x01 (512 KB) >0x0F byte&0x0F 0x02 (1 MB)
# SMS/GG header locations. 0x7FF0 string TMR\ SEGA >0x7FF0 use sega-master-system-rom-header 0x3FF0 string TMR\ SEGA >0x3FF0 use sega-master-system-rom-header 0x1FF0 string TMR\ SEGA >0x1FF0 use sega-master-system-rom-header
#------------------------------------------------------------------------------ # saturn: file(1) magic for the Sega Saturn disc image format. # From: David Korth <gerbilsoft@gerbilsoft.com> #
# Common Sega Saturn disc header format. # NOTE: Title is 112 bytes, but we're only showing 32 due to space padding. # TODO: Release date, device information, region code, others? 0 name sega-saturn-disc-header >0x60 string >\0 \b: "%.32s" >0x20 string >\0 (%.10s >>0x2A string >\0 \b, %.6s) >>0x2A byte 0 \b)
# 2048-byte sector version. 0 string SEGA\ SEGASATURN\ Sega Saturn disc image >0 use sega-saturn-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. 0x10 string SEGA\ SEGASATURN\ Sega Saturn disc image >0x10 use sega-saturn-disc-header >0 byte x (2352-byte sectors)
#------------------------------------------------------------------------------ # dreamcast: file(1) magic for the Sega Dreamcast disc image format. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://mc.pp.se/dc/ip0000.bin.html #
# Common Sega Dreamcast disc header format. # NOTE: Title is 128 bytes, but we're only showing 32 due to space padding. # TODO: Release date, device information, region code, others? 0 name sega-dreamcast-disc-header >0x80 string >\0 \b: "%.32s" >0x40 string >\0 (%.10s >>0x4A string >\0 \b, %.6s) >>0x4A byte 0 \b)
# 2048-byte sector version. 0 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image >0 use sega-dreamcast-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. 0x10 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image >0x10 use sega-dreamcast-disc-header >0 byte x (2352-byte sectors)
#------------------------------------------------------------------------------ # dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format # 0 belong 0x21068028 Sega Dreamcast VMU game image 0 string LCDi Dream Animator file
#------------------------------------------------------------------------------ # z64: file(1) magic for the Z64 format N64 ROM dumps # Reference: http://forum.pj64-emu.com/showthread.php?t=2239 # From: David Korth <gerbilsoft@gerbilsoft.com> # 0 bequad 0x803712400000000F Nintendo 64 ROM image >0x20 string >\0 \b: "%.20s" >0x3B string x (%.4s >0x3F byte x \b, Rev.%02u)
#------------------------------------------------------------------------------ # v64: file(1) magic for the V64 format N64 ROM dumps # Same as z64 format, but with 16-bit byteswapping. # 0 bequad 0x3780401200000F00 Nintendo 64 ROM image (V64)
#------------------------------------------------------------------------------ # n64-swap2: file(1) magic for the swap2 format N64 ROM dumps # Same as z64 format, but with swapped 16-bit words. # 0 bequad 0x12408037000F0000 Nintendo 64 ROM image (wordswapped)
#------------------------------------------------------------------------------ # n64-le32: file(1) magic for the 32-bit byteswapped format N64 ROM dumps # Same as z64 format, but with 32-bit byteswapping. # 0 bequad 0x401237800F000000 Nintendo 64 ROM image (32-bit byteswapped)
#------------------------------------------------------------------------------ # gba: file(1) magic for the Nintendo Game Boy Advance raw ROM format # Reference: http://problemkaputt.de/gbatek.htm#gbacartridgeheader # # Original version from: "Nelson A. de Oliveira" <naoliv@gmail.com> # Updated version from: David Korth <gerbilsoft@gerbilsoft.com> # 4 bequad 0x24FFAE51699AA221 Game Boy Advance ROM image >0xA0 string >\0 \b: "%.12s" >0xAC string x (%.6s >0xBC byte x \b, Rev.%02u)
#------------------------------------------------------------------------------ # nds: file(1) magic for the Nintendo DS(i) raw ROM format # Reference: http://problemkaputt.de/gbatek.htm#dscartridgeheader # # Original version from: "Nelson A. de Oliveira" <naoliv@gmail.com> # Updated version from: David Korth <gerbilsoft@gerbilsoft.com> # 0xC0 bequad 0x24FFAE51699AA221 Nintendo DS ROM image >0x00 string >\0 \b: "%.12s" >0x0C string x (%.6s >0x1E byte x \b, Rev.%02u) >0x12 byte 2 (DSi enhanced) >0x12 byte 3 (DSi only) # Secure Area check. >0x20 lelong <0x4000 (homebrew) >0x20 lelong >0x3FFF >>0x4000 lequad 0x0000000000000000 (multiboot) >>0x4000 lequad !0x0000000000000000 >>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted) >>>0x4000 lequad !0xE7FFDEFFE7FFDEFF >>>>0x1000 lequad 0x0000000000000000 (encrypted) >>>>0x1000 lequad !0x0000000000000000 (mask ROM)
#------------------------------------------------------------------------------ # nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot. # This is also used for loading .nds files using the MSET exploit on 3DS. # Reference: https://github.com/devkitPro/ndstool/blob/master/source/ndscreate.cpp 0xC0 bequad 0xC8604FE201708FE2 Nintendo DS Slot-2 ROM image (PassMe)
#------------------------------------------------------------------------------ # ngp: file(1) magic for the Neo Geo Pocket (Color) raw ROM format. # From: David Korth <gerbilsoft@gerbilsoft.com> # References: # - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp # - http://www.devrs.com/ngp/files/ngpctech.txt # 0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket >0x23 byte 0x10 Color >0 byte x ROM image >0x24 string >\0 \b: "%.12s" >0x1F byte 0xFF (debug mode enabled)
#------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi #0 beshort 0x4142 MSX game cartridge dump
#------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : 0 string PS-X\ EXE Sony Playstation executable >16 lelong x PC=0x%08x, >20 lelong !0 GP=0x%08x, >24 lelong !0 .text=[0x%08x, >>28 lelong x \b0x%x], >32 lelong !0 .data=[0x%08x, >>36 lelong x \b0x%x], >40 lelong !0 .bss=[0x%08x, >>44 lelong x \b0x%x], >48 lelong !0 Stack=0x%08x, >48 lelong =0 No Stack!, >52 lelong !0 StackSize=0x%x, #>76 string >\0 (%s) # Area: >113 string x (%s)
# Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. 0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge >>2 beshort x \b, RAM start $%04x >6 string LYNX Lynx cartridge >>2 beshort x \b, RAM start $%04x
# Opera file system that is used on the 3DO console # From: Serge van den Boom <svdb@stack.nl> 0 string \x01ZZZZZ\x01 3DO "Opera" file system
# From: Alex Myczko <alex@aiei.ch> # From: David Pflug <david@pflug.email> # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic # ftp://ftp.modland.com/pub/documents/format_documentation/\ # Gameboy%20Sound%20System%20(.gbs).txt 0 string GBS Nintendo Gameboy Music/Audio Data #12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module >16 string >\0 ("%s" by >48 string >\0 %s, copyright >80 string >\0 %s), >3 byte x version %d, >4 byte x %d tracks
# IPS Patch Files from: From: Thomas Klausner <tk@giga.or.at> # see http://zerosoft.zophar.net/ips.php 0 string PATCH IPS patch file
# Playstations Patch Files from: From: Thomas Klausner <tk@giga.or.at> 0 string PPF30 Playstation Patch File version 3.0 >5 byte 0 \b, PPF 1.0 patch >5 byte 1 \b, PPF 2.0 patch >5 byte 2 \b, PPF 3.0 patch >>56 byte 0 \b, Imagetype BIN (any) >>56 byte 1 \b, Imagetype GI (PrimoDVD) >>57 byte 0 \b, Blockcheck disabled >>57 byte 1 \b, Blockcheck enabled >>58 byte 0 \b, Undo data not available >>58 byte 1 \b, Undo data available >6 string x \b, description: %s
0 string PPF20 Playstation Patch File version 2.0 >5 byte 0 \b, PPF 1.0 patch >5 byte 1 \b, PPF 2.0 patch >>56 lelong >0 \b, size of file to patch %d >6 string x \b, description: %s
0 string PPF10 Playstation Patch File version 1.0 >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s
# From: Daniel Dawson <ddawson@icehouse.net> # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording >0x4 lelong x \b, version %d # version 4 is latest so far >0x4 lelong <5 >>0x8 ledate x \b, recorded at %s >>0xc lelong >0 \b, rerecorded %d times >>0x10 lelong x \b, %d frames long >>0x14 byte >0 \b, data for controller(s): >>>0x14 byte &0x1 #1 >>>0x14 byte &0x2 #2 >>>0x14 byte &0x4 #3 >>>0x14 byte &0x8 #4 >>>0x14 byte &0x10 #5 >>0x15 byte ^0x1 \b, begins from snapshot >>0x15 byte &0x1 \b, begins from reset >>0x15 byte ^0x2 \b, NTSC standard >>0x15 byte &0x2 \b, PAL standard >>0x17 byte &0x1 \b, settings: # WIP1Timing not used as of version 4 >>>0x4 lelong <4 >>>>0x17 byte &0x2 WIP1Timing >>>0x17 byte &0x4 Left+Right >>>0x17 byte &0x8 VolumeEnvX >>>0x17 byte &0x10 FakeMute >>>0x17 byte &0x20 SyncSound # New flag as of version 4 >>>0x4 lelong >3 >>>>0x17 byte &0x80 NoCPUShutdown >>0x4 lelong <4 >>>0x18 lelong >0x23 >>>>0x20 leshort !0 >>>>>0x20 lestring16 x \b, metadata: "%s" >>0x4 lelong >3 >>>0x24 byte >0 \b, port 1: >>>>0x24 byte 1 joypad >>>>0x24 byte 2 mouse >>>>0x24 byte 3 SuperScope >>>>0x24 byte 4 Justifier >>>>0x24 byte 5 multitap >>>0x24 byte >0 \b, port 2: >>>>0x25 byte 1 joypad >>>>0x25 byte 2 mouse >>>>0x25 byte 3 SuperScope >>>>0x25 byte 4 Justifier >>>>0x25 byte 5 multitap >>>0x18 lelong >0x43 >>>>0x40 leshort !0 >>>>>0x40 lestring16 x \b, metadata: "%s" >>0x17 byte &0x40 \b, ROM: >>>(0x18.l-26) lelong x CRC32 0x%08x >>>(0x18.l-23) string x "%s"
#------------------------------------------------------------------------------ # Nintendo GameCube / Wii file formats. #
# Type: Nintendo GameCube/Wii common disc header data. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://wiibrew.org/wiki/Wii_Disc 0 name nintendo-gcn-disc-common >0x20 string x "%.64s" >0x00 string x (%.6s >0x06 byte >0 >>0x06 byte 1 \b, Disc 2 >>0x06 byte 2 \b, Disc 3 >>0x06 byte 3 \b, Disc 4 >0x07 byte x \b, Rev.%02u)
# Type: Nintendo GameCube disc image # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://wiibrew.org/wiki/Wii_Disc 0x1C belong 0xC2339F3D Nintendo GameCube disc image: >0 use nintendo-gcn-disc-common
# Type: Nintendo GameCube embedded disc image # Commonly found on demo discs. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://hitmen.c02.at/files/yagcd/yagcd/index.html#idx14.8 0 belong 0xAE0F38A2 >0x0C belong 0x00100000 >>(8.L+0x1C) belong 0xC2339F3D Nintendo GameCube embedded disc image: >>>(8.L) use nintendo-gcn-disc-common
# Type: Nintendo Wii disc image # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://wiibrew.org/wiki/Wii_Disc 0x18 belong 0x5D1C9EA3 Nintendo Wii disc image: >0 use nintendo-gcn-disc-common
# Type: Nintendo Wii disc image (WBFS format) # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://wiibrew.org/wiki/Wii_Disc 0 string WBFS >0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format): >>0x200 use nintendo-gcn-disc-common
# Type: Nintendo GameCube/Wii disc image (CISO format) # NOTE: This is NOT the same as Compact ISO or PSP CISO, # though it has the same magic number. 0 string CISO # Other fields are used to determine what type of CISO this is: # - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) # - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) # - None of the above: Compact ISO. >4 lelong 0x200000 >>8 byte 1 >>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): >>>>0x8000 use nintendo-gcn-disc-common >>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): >>>>0x8000 use nintendo-gcn-disc-common
# Type: Nintendo GameCube/Wii disc image (GCZ format) # Due to zlib compression, we can't get the actual disc information. 0 lelong 0xB10BC001 >4 lelong 0 Nintendo GameCube disc image (GCZ format) >4 lelong 1 Nintendo Wii disc image (GCZ format) >4 lelong >1 Nintendo GameCube/Wii disc image (GCZ format)
# Type: Nintendo GameCube/Wii disc image (WDF format) 0 string WII\001DISC >8 belong 1 # WDFv1 >>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format): >>>0x38 use nintendo-gcn-disc-common >>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format): >>>0x38 use nintendo-gcn-disc-common >8 belong 2 # WDFv2 >>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format): >>>(12.L) use nintendo-gcn-disc-common >>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format): >>>(12.L) use nintendo-gcn-disc-common
# Type: Nintendo GameCube/Wii disc image (WIA format) 0 string WIA\001 Nintendo >0x48 belong 0 GameCube/Wii >0x48 belong 1 GameCube >0x48 belong 2 Wii >0x48 belong >2 GameCube/Wii >0x48 belong x disc image (WIA format): >>0x58 use nintendo-gcn-disc-common
#------------------------------------------------------------------------------ # Nintendo 3DS file formats. #
# Type: Nintendo 3DS "NCSD" image. (game cards and eMMC) # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: https://www.3dbrew.org/wiki/NCSD 0x100 string NCSD >0x118 lequad 0 Nintendo 3DS Game Card image # NCCH header for partition 0. (game data) >>0x1150 string >\0 \b: "%.16s" >>0x312 byte x (Rev.%02u) >>0x118C byte 2 (New3DS only) >>0x18D byte 0 (inner device) >>0x18D byte 1 (Card1) >>0x18D byte 2 (Card2) >>0x18D byte 3 (extended device) >0x118 bequad 0x0102020202000000 Nintendo 3DS eMMC dump (Old3DS) >0x118 bequad 0x0102020203000000 Nintendo 3DS eMMC dump (New3DS)
# Type: Nintendo 3DS "NCCH" container. # https://www.3dbrew.org/wiki/NCCH 0x100 string NCCH Nintendo 3DS >0x18D byte&2 0 File Archive (CFA) >0x18D byte&2 2 Executable Image (CXI) >0x150 string >\0 \b: "%.16s" >0x18D byte 0x05 >>0x10E leshort x (Old3DS System Update v >>0x10E use nintendo-3ds-version-code >>0x10E leshort x \b) >0x18D byte 0x15 >>0x10E leshort x (New3DS System Update v >>0x10E use nintendo-3ds-version-code >>0x10E leshort x \b) >0x18D byte !0x05 >>0x18D byte !0x15 >>>0x112 byte x (v >>>0x112 use nintendo-3ds-version-code >>>0x112 byte x \b) >0x18C byte 2 (New3DS only)
# Type: Nintendo 3DS "SMDH" file. (application description) # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: https://3dbrew.org/wiki/SMDH 0 string SMDH Nintendo 3DS SMDH file >0x208 leshort !0 >>0x208 lestring16 x \b: "%.128s" >>0x388 leshort !0 >>>0x388 lestring16 x by %.128s >0x208 leshort 0 >>0x008 leshort !0 >>>0x008 lestring16 x \b: "%.128s" >>>0x188 leshort !0 >>>>0x188 lestring16 x by %.128s
# Type: Nintendo 3DS Homebrew Application. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: https://3dbrew.org/wiki/3DSX_Format 0 string 3DSX Nintendo 3DS Homebrew Application (3DSX)
#------------------------------------------------------------------------------ # a7800: file(1) magic for the Atari 7800 raw ROM format. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: https://sites.google.com/site/atari7800wiki/a78-header
#------------------------------------------------------------------------------ # vectrex: file(1) magic for the GCE Vectrex raw ROM format. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: http://www.playvectrex.com/designit/chrissalo/hello1.htm # # NOTE: Title is terminated with 0x80, not 0. # The header is terminated with a 0, so that will # terminate the title as well. # 0 string g\ GCE Vectrex ROM image >0x11 string >\0 \b: "%.16s"
#------------------------------------------------------------------------------ # amiibo: file(1) magic for Nintendo amiibo NFC dumps. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: https://www.3dbrew.org/wiki/Amiibo 0x00 byte 0x04 >0x0A beshort 0x0FE0 >>0x0C belong 0xF110FFEE >>>0x208 beshort 0x0100 >>>>0x020A byte 0x0F >>>>>0x020C bequad 0x000000045F000000 >>>>>>0x5B byte 0x02 >>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X- >>>>>>>0x58 belong x \b%08X
#------------------------------------------------------------------------------ # $File: convex,v 1.8 2012/10/03 23:44:43 christos Exp $ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. # # /*\ # * Below are the magic numbers and tests added for Convex. # * Added at beginning, because they are expected to be used most. # \*/ 0 belong 0507 Convex old-style object >16 belong >0 not stripped 0 belong 0513 Convex old-style demand paged executable >16 belong >0 not stripped 0 belong 0515 Convex old-style pre-paged executable >16 belong >0 not stripped 0 belong 0517 Convex old-style pre-paged, non-swapped executable >16 belong >0 not stripped 0 belong 0x011257 Core file # # The following are a series of dump format magic numbers. Each one # corresponds to a drastically different dump format. The first on is # the original dump format on a 4.1 BSD or earlier file system. The # second marks the change between the 4.1 file system and the 4.2 file # system. The Third marks the changing of the block size from 1K # to 2K to be compatible with an IDC file system. The fourth indicates # a dump that is dependent on Convex Storage Manager, because data in # secondary storage is not physically contained within the dump. # The restore program uses these number to determine how the data is # to be extracted. # 24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) 24 belong =60014 dump format, Convex Storage Manager by-reference dump # # what follows is a bunch of bit-mask checks on the flags field of the opthdr. # If there is no `=' sign, assume just checking for whether the bit is set? # 0 belong 0601 Convex SOFF >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000001 demand paged >88 belong &0x00000002 pre-paged >88 belong &0x00000004 non-swapped >88 belong &0x00000008 POSIX # >84 belong &0x80000000 executable >84 belong &0x40000000 object >84 belong&0x20000000 =0 not stripped >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode # 0 belong 0605 Convex SOFF core # 0 belong 0607 Convex SOFF checkpoint >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000008 POSIX # >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode
#------------------------------------------------------------------------------ # $File: coverage,v 1.1 2016/06/05 00:26:32 christos Exp $ # xoverage: file(1) magic for test coverage data
# File formats used to store test coverage data # 2016-05-21, Georg Sauthoff <mail@georg.so>
# - GCC gcno - written by GCC at compile time when compiling with # gcc -ftest-coverage # - GCC gcda - written by a program that was compiled with # gcc -fprofile-arcs # - LLVM raw profiles - generated by a program compiled with # clang -fprofile-instr-generate -fcoverage-mapping ... # - LLVM indexed profiles - generated by # llvm-profdata # - GCOV reports, i.e. the annotated source code # - LCOV trace files, i.e. aggregated GCC profiles # # GCC coverage tracefiles # .gcno file are created during compile time, # while data collected during runtime is stored in .gcda files # cf. gcov-io.h # https://gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc/Gcov-Data-Files.html # Examples: # Fedora 23/x86-64/gcc-5.3.1: 6f 6e 63 67 52 33 30 35 # Debian 8 PPC64/gcc-4.9.2 : 67 63 6e 6f 34 30 39 2a 0 lelong 0x67636e6f GCC gcno coverage (-ftest-coverage), >&3 byte x version %c. >&1 byte x \b%c
# big endian 0 belong 0x67636e6f GCC gcno coverage (-ftest-coverage), >&0 byte x version %c. >&2 byte x \b%c (big-endian)
# Coverage reports generated by gcov # i.e. source code annoted with coverage information 0 string \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source: >&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph: >>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data: GCOV coverage report
# LLVM coverage files
# raw data after running a program compiled with: # `clang -fprofile-instr-generate -fcoverage-mapping ...` # default name: default.profraw # magic is: \xFF lprofr \x81 # cf. http://llvm.org/docs/doxygen/html/InstrProfData_8inc_source.html 0 lequad 0xff6c70726f667281 LLVM raw profile data, >&0 byte x version %d
# big endian 0 bequad 0xff6c70726f667281 LLVM raw profile data, >&7 byte x version %d (big-endian)
# LLVM indexed instruction profile (as generated by llvm-profdata) # magic is: reverse(\xFF lprofi \x81) # cf. http://llvm.org/docs/CoverageMappingFormat.html # http://llvm.org/docs/doxygen/html/namespacellvm_1_1IndexedInstrProf.html # http://llvm.org/docs/CommandGuide/llvm-cov.html # http://llvm.org/docs/CommandGuide/llvm-profdata.html 0 lequad 0x8169666f72706cff LLVM indexed profile data, >&0 byte x version %d
# big endian 0 bequad 0x8169666f72706cff LLVM indexed profile data, >&7 byte x version %d (big-endian)
0 lelong 0x70775631 Cracklib password index, little endian >4 long >0 (%i words) >4 long 0 ("64-bit") >>8 long >-1 (%i words) 0 belong 0x70775631 Cracklib password index, big endian >4 belong >-1 (%i words) # really bellong 0x0000000070775631 0 search/1 \0\0\0\0pwV1 Cracklib password index, big endian ("64-bit") >12 belong >0 (%i words)
# ---------------------------------------------------------------------------- # $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $ # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai <mai@migdal.ikp.physik.tu-darmstadt.de> 0 search/1 =!_TAG Exuberant Ctags tag file text
#-------------------------------------------------------------- # ctf: file(1) magic for CTF (Common Trace Format) trace files # # Specs. available here: <http://www.efficios.com/ctf> #--------------------------------------------------------------
# CTF trace data 0 lelong 0xc1fc1fc1 Common Trace Format (CTF) trace data (LE) 0 belong 0xc1fc1fc1 Common Trace Format (CTF) trace data (BE)
# CTF metadata (packetized) 0 lelong 0x75d11d57 Common Trace Format (CTF) packetized metadata (LE) >35 byte x \b, v%d >36 byte x \b.%d 0 belong 0x75d11d57 Common Trace Format (CTF) packetized metadata (BE) >35 byte x \b, v%d >36 byte x \b.%d
# CTF metadata (plain text) 0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata !:strength + 5 # this is to make sure we beat C >&0 regex [0-9]+\.[0-9]+ \b, v%s
#------------------------------------------------------------------------------ # $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $ # file(1) magic(5) data for cubemaps Martin Erik Werner <martinerikwerner@gmail.com> # 0 string ACMP Map file for the AssaultCube FPS game 0 string CUBE Map file for cube and cube2 engine games 0 string MAPZ) Map file for the Blood Frontier/Red Eclipse FPS games
#------------------------------------------------------------------------------ # $File: cups,v 1.5 2017/03/17 21:35:28 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli <martellilaurent@gmail.com> # http://www.cups.org/documentation.php/spec-raster.html #
# Cups Raster image format, Big Endian 0 string RaS >3 string t Cups Raster version 1, Big Endian >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian !:mime application/vnd.cups-raster >0 use \^cups-le
# Cups Raster image format, Little Endian 1 string SaR >0 string t Cups Raster version 1, Little Endian >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian !:mime application/vnd.cups-raster >0 use cups-le
#------------------------------------------------------------------------------ # $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $ # dact: file(1) magic for DACT compressed files # 0 long 0x444354C3 DACT compressed data >4 byte >-1 (version %i. >5 byte >-1 $BS%i. >6 byte >-1 $BS%i) >7 long >0 $BS, original size: %i bytes >15 long >30 $BS, block size: %i bytes
#------------------------------------------------------------------------------ # $File: database,v 1.52 2017/08/13 00:21:47 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # <downsj@teeny.org> 0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit !:mime application/x-gdbm 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old !:mime application/x-gdbm 0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit !:mime application/x-gdbm 0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit !:mime application/x-gdbm 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old !:mime application/x-gdbm 0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit !:mime application/x-gdbm 0 string GDBM GNU dbm 2.x database !:mime application/x-gdbm # # Berkeley DB # # Ian Darwin's file /etc/magic files: big/little-endian version. # # Hash 1.85/1.86 databases store metadata in network byte order. # Btree 1.85/1.86 databases store the metadata in host byte order. # Hash and Btree 2.X and later databases store the metadata in host byte order.
0 long 0x00053162 Berkeley DB 1.85/1.86 >4 long >0 (Btree, version %d, native byte-order) 0 belong 0x00053162 Berkeley DB 1.85/1.86 >4 belong >0 (Btree, version %d, big-endian) 0 lelong 0x00053162 Berkeley DB 1.85/1.86 >4 lelong >0 (Btree, version %d, little-endian)
12 long 0x00061561 Berkeley DB >16 long >0 (Hash, version %d, native byte-order) 12 belong 0x00061561 Berkeley DB >16 belong >0 (Hash, version %d, big-endian) 12 lelong 0x00061561 Berkeley DB >16 lelong >0 (Hash, version %d, little-endian)
12 long 0x00053162 Berkeley DB >16 long >0 (Btree, version %d, native byte-order) 12 belong 0x00053162 Berkeley DB >16 belong >0 (Btree, version %d, big-endian) 12 lelong 0x00053162 Berkeley DB >16 lelong >0 (Btree, version %d, little-endian)
12 long 0x00042253 Berkeley DB >16 long >0 (Queue, version %d, native byte-order) 12 belong 0x00042253 Berkeley DB >16 belong >0 (Queue, version %d, big-endian) 12 lelong 0x00042253 Berkeley DB >16 lelong >0 (Queue, version %d, little-endian)
# From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) 12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian)
# # # Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch> 0 string/b RRD\0 RRDTool DB >4 string/b x version %s
>>10 short !0 16bit aligned >>>10 bedouble 8.642135e+130 big-endian >>>>18 short x 32bit long (m68k)
>>10 short 0 >>>12 long !0 32bit aligned >>>>12 bedouble 8.642135e+130 big-endian >>>>>20 long 0 64bit long >>>>>20 long !0 32bit long >>>>12 ledouble 8.642135e+130 little-endian >>>>>24 long 0 64bit long >>>>>24 long !0 32bit long (i386) >>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian >>>>>24 short !0 32bit long (arm)
>>8 quad 0 64bit aligned >>>16 bedouble 8.642135e+130 big-endian >>>>24 long 0 64bit long (s390x) >>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC) >>>16 ledouble 8.642135e+130 little-endian >>>>28 long 0 64bit long (alpha/amd64/ia64) >>>>28 long !0 32bit long (armel/mipsel)
#---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # 0 string root\0 ROOT file >4 belong x Version %d >33 belong x (Compression: %d)
# XXX: Weak magic. # Alex Ott <ott@jet.msk.su> ## Paradox file formats #2 leshort 0x0800 Paradox #>0x39 byte 3 v. 3.0 #>0x39 byte 4 v. 3.5 #>0x39 byte 9 v. 4.x #>0x39 byte 10 v. 5.x #>0x39 byte 11 v. 5.x #>0x39 byte 12 v. 7.x #>>0x04 byte 0 indexed .DB data file #>>0x04 byte 1 primary index .PX file #>>0x04 byte 2 non-indexed .DB data file #>>0x04 byte 3 non-incrementing secondary index .Xnn file #>>0x04 byte 4 secondary index .Ynn file #>>0x04 byte 5 incrementing secondary index .Xnn file #>>0x04 byte 6 non-incrementing secondary index .XGn file #>>0x04 byte 7 secondary index .YGn file #>>>0x04 byte 8 incrementing secondary index .XGn file
## XBase database files # updated by Joerg Jenderek at Feb 2013 # http://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm # http://www.clicketyclick.dk/databases/xbase/format/dbf.html # http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 0 ubelong&0x0000FFFF <0x00000C20 # skip Infocom game Z-machine >2 ubyte >0 # skip Androids *.xml >>3 ubyte >0 >>>3 ubyte <32 # 1 < version VV >>>>0 ubyte >1 # skip HELP.CA3 by test for reserved byte ( NULL ) >>>>>27 ubyte 0 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) #>>>>>30 ubeshort x 30NULL?%x # possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) >>>>>>24 ubelong&0xffFFFFff >0x01302000 # .DBF or .MDX >>>>>>24 ubelong&0xffFFFFff <0x01302001 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user >>>>>>>24 ubelong&0xffFFFFff =0 # test for 2 reserved NULL bytes,transaction and encryption byte flag >>>>>>>>12 ubelong&0xFFFFfEfE 0 # test for MDX flag >>>>>>>>>28 ubyte x >>>>>>>>>28 ubyte&0xf8 0 # header size >= 32 >>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name >>>>>>>>>>>32 ubyte >0 #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type # database file >>>>>>>>>>>>0 ubyte x \b DBF >>>>>>>>>>>>4 lelong 0 \b, no records >>>>>>>>>>>>4 lelong >0 \b, %d record # plural s appended >>>>>>>>>>>>>4 lelong >1 \bs # http://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF # 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000) >>>>>>>>>>>>10 uleshort x * %d # file size = records * record size + header size >>>>>>>>>>>>1 ubyte x \b, update-date >>>>>>>>>>>>1 use xbase-date # http://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx #>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=0x%x # 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? >>>>>>>>>>>>29 ubyte >0 \b, codepage ID=0x%x #>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file >>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT >>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size >>>>>>>>>>>>8 uleshort >0 >>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d >>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>>&-1 string >\0 1st record "%s" # for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) >>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte >>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) >>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 >>>>>>>>>>45 ubeshort <0x0C20 >>>>>>>>>>>45 ubyte >0 >>>>>>>>>>>>46 ubyte <32 >>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx >>>>>>>>>>>>>>0 use xbase-type >>>>>>>>>>>>>>0 ubyte x \b MDX >>>>>>>>>>>>>>1 ubyte x \b, creation-date >>>>>>>>>>>>>>1 use xbase-date >>>>>>>>>>>>>>44 ubyte x \b, update-date >>>>>>>>>>>>>>44 use xbase-date # No.of tags in use (1,2,5,12) >>>>>>>>>>>>>>28 uleshort x \b, %d # No. of entries in tag (0x30) >>>>>>>>>>>>>>25 ubyte x \b/%d tags # Length of tag >>>>>>>>>>>>>>26 ubyte x * %d # 1st tag name_ >>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" # 2nd tag name #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # # Print the xBase names of different version variants 0 name xbase-type >0 ubyte <2 # 1 < version >0 ubyte >1 >>0 ubyte 0x02 FoxBase # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III !:mime application/x-dbf # dBASE IV no memo file >>0 ubyte 0x04 dBase IV !:mime application/x-dbf # dBASE V no memo file >>0 ubyte 0x05 dBase V !:mime application/x-dbf >>0 ubyte 0x30 Visual FoxPro !:mime application/x-dbf >>0 ubyte 0x31 Visual FoxPro, autoincrement !:mime application/x-dbf # Visual FoxPro, with field type Varchar or Varbinary >>0 ubyte 0x32 Visual FoxPro, with field type Varchar !:mime application/x-dbf # dBASE IV SQL, no memo;dbv memo var size (Flagship) >>0 ubyte 0x43 dBase IV, with SQL table !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0x62 dBase IV, with SQL table #!:mime application/x-dbf # dBASE IV, with memo!! >>0 ubyte 0x7b dBase IV, with memo !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0x82 dBase IV, with SQL system #!:mime application/x-dbf # FoxBase+/dBaseIII+ with memo .DBT! >>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT !:mime application/x-dbf # VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file >>0 ubyte 0x87 VISUAL OBJECTS, with memo file !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT #!:mime application/x-dbf # dBASE IV with memo! >>0 ubyte 0x8B dBase IV, with memo .DBT !:mime application/x-dbf # dBase IV with SQL Table,no memo? >>0 ubyte 0x8E dBase IV, with SQL table !:mime application/x-dbf # .dbv and .dbt memo (Flagship)? >>0 ubyte 0xB3 Flagship # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0xCA dBase IV with memo .DBT #!:mime application/x-dbf # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf # HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0xF4 dBase IV, with SQL table, with memo #!:mime application/x-dbf >>0 ubyte 0xF5 FoxPro with memo !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx #>>0 ubyte 0xFA FoxPro 2.x, with memo #!:mime application/x-dbf # unknown version (should not happen) >>0 default x xBase !:mime application/x-dbf >>>0 ubyte x (0x%x) # flags in version byte # DBT flag (with dBASE III memo .DBT)!! # >>0 ubyte&0x80 >0 DBT_FLAG=%x # memo flag ?? # >>0 ubyte&0x08 >0 MEMO_FLAG=%x # SQL flag ?? # >>0 ubyte&0x70 >0 SQL_FLAG=%x # test and print the date of xBase .DBF .MDX 0 name xbase-date # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 >0 ubelong x >1 ubyte <13 >>1 ubyte >0 >>>2 ubyte >0 >>>>2 ubyte <32 >>>>>0 ubyte x # YY is interpreted as 20YY or 19YY >>>>>>0 ubyte <100 \b %.2d # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY >>>>>>0 ubyte >99 \b %d >>>>>1 ubyte x \b-%d >>>>>2 ubyte x \b-%d
# dBase memo files .DBT or .FPT # http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx 16 ubyte <4 >16 ubyte !2 >>16 ubyte !1 # next free block index is positive >>>0 ulelong >0 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size >>>>17 ubelong&0xFFfdFE00 0x00000000 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 # dBASE III DBT >>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF >>>>>>>20 uleshort 0 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage >>>>>>>>8 ulong =0 >>>>>>>>>6 ubeshort >0 # skip emacs.PIF >>>>>>>>>>4 ushort 0 >>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage >>>>>>>>>6 ubeshort 0 # skip MM*DD*.bin by test for for reserved NULL byte >>>>>>>>>>510 ubeshort 0 # skip TK-DOS11.img image by looking for memo text >>>>>>>>>>>512 ubelong <0xfeffff03 # skip EFI executables by looking for memo text >>>>>>>>>>>>512 ubelong >0x1F202020 >>>>>>>>>>>>>513 ubyte >0 # unusual dBASE III DBT like adressen.dbt >>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes >>>>>>>>>510 ubeshort 0 # skip some DBF by test of invalid version >>>>>>>>>>0 ubyte >5 >>>>>>>>>>>0 ubyte <48 >>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero >>>>>>>>20 uleshort&0x800f 0 >>>>>>>>>0 use dbase4-memo-print
# Print the information of dBase III DBT memo file 0 name dbase3-memo-print >0 ubyte x dBase III DBT # instead 3 as version number 0 for unusual examples like biblio.dbt >16 ubyte !3 \b, version number %u # Number of next available block for appending data #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u # no positiv block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u # dBase III memo field terminated by \032\032 >512 string >\0 \b, 1st item "%s" # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt # 8 character shorted main name of coresponding dBASE IV DBF file >8 ubelong >0x20000000 # skip unusual like for angest.dbt >>20 uleshort >0 >>>8 string >\0 \b of %-.8s.DBF # value 0 implies 512 as size #>4 ulelong =0 \b, blocks size %u # size of blocks not reliable like 0x2020204C in angest.dbt >4 ulelong !0 >>4 ulelong&0x0000003f 0 \b, blocks size %u # dBase IV DBT with positive block length (found 512 , 1024) >20 uleshort >0 \b, block length %u # next available block #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u >20 uleshort >0 >>(20.s) ubelong x >>>&-4 use dbase4-memofield-print # unusual dBase IV DBT without block length (implies 512 as length) >20 uleshort =0 >>512 ubelong x >>>&-4 use dbase4-memofield-print # Print the information of dBase IV memo field 0 name dbase4-memofield-print # free dBase IV memo field >0 ubelong !0xFFFF0800 >>0 lelong x \b, next free block %u >>4 lelong x \b, next used block %u # used dBase IV memo field >0 ubelong =0xFFFF0800 # length of memo field >>4 lelong x \b, field length %d >>>8 string >\0 \b, 1st used item "%s" # Print the information of FoxPro FPT memo file 0 name foxpro-memo-print >0 belong x FoxPro FPT # Size of blocks for FoxPro ( 64,256 ) >6 ubeshort x \b, blocks size %u # next available block #>0 belong =0 \b, next free block index %u >0 belong !0 \b, next free block index %u # field type ( 0~picture, 1~memo, 2~object ) >512 ubelong <3 \b, field type %u # length of memo field >512 ubelong 1 >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s"
# TODO: # DBASE index file *.NDX # DBASE Compound Index file *.CDX # dBASE IV Printer Driver *.PRF ## End of XBase database stuff
# MS Access database 4 string Standard\ Jet\ DB Microsoft Access Database !:mime application/x-msaccess 4 string Standard\ ACE\ DB Microsoft Access Database !:mime application/x-msaccess
# From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine # Reference: https://github.com/libyal/libesedb/archive/master.zip # libesedb-master/documentation/ # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc # Note: also known as "JET Blue". Used by numerous Windows components such as # Windows Search, Mail, Exchange and Active Directory. 4 ubelong 0xefcdab89 # unknown1 >132 ubelong 0 Extensible storage engine !:mime application/x-ms-ese # file_type 0~database 1~stream >>12 ulelong 0 DataBase # Security DataBase (sdb) !:ext edb/sdb >>12 ulelong 1 STreaMing !:ext stm # format_version 620h >>8 uleshort x \b, version 0x%x >>10 uleshort >0 revision 0x%4.4x >>0 ubelong x \b, checksum 0x%8.8x # Page size 4096 8192 32768 >>236 ulequad x \b, page size %lld # database_state >>52 ulelong 1 \b, JustCreated >>52 ulelong 2 \b, DirtyShutdown #>>52 ulelong 3 \b, CleanShutdown >>52 ulelong 4 \b, BeingConverted >>52 ulelong 5 \b, ForceDetach # Windows�NT major version when the databases indexes were updated. >>216 ulelong x \b, Windows version %d # Windows�NT minor version >>220 ulelong x \b.%d
# TDB database from Samba et al - Martin Pool <mbp@samba.org> 0 string TDB\ file TDB database >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes
# SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons
# ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data
# X11 Xauthority file (Wolfram Kleff) 10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
# From: Maxime Henrion <mux@FreeBSD.org> # PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org> 0 string PGDMP PostgreSQL custom database dump >5 byte x - v%d >6 byte x \b.%d >5 beshort <0x101 \b-0 >5 beshort >0x100 >>7 byte x \b-%d
# Type: Advanced Data Format (ADF) database # URL: http://www.grc.nasa.gov/WWW/cgns/adf/ # From: Nicolas Chauvat <nicolas.chauvat@logilab.fr> 0 string @(#)ADF\ Database CGNS Advanced Data Format
# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine) # Reference: http://www.provue.com/Panorama/ # From: Joerg Jenderek # NOTE: test only versions 4 and 6.0 with Windows # length of Panorama database name 5 ubyte >0 # look after database name for "some" null bits >(5.B+7) ubelong&0xF3ffF000 0 # look for first keyword >>&1 search/2 DESIGN Panorama database #!:mime application/x-panorama-database !:apple KASXZEPD !:ext pan # database name >>>5 pstring x \b, "%s"
# # # askSam Database by Stefan A. Haubenthal <polluks@web.de> 0 string askw40\0 askSam DB
# # # MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de> 0 string MBSTV\040 MUIbase DB >6 string x version %s
# # CDB database 0 string NBCDB\012 NetBSD Constant Database >7 byte x \b, version %d >8 string x \b, for '%s' >24 lelong x \b, datasize %d >28 lelong x \b, entries %d >32 lelong x \b, index %d >36 lelong x \b, seed %#x
#------------------------------------------------------------------------------ # $File: dbpf,v 1.1 2017/10/13 20:47:14 christos Exp $ # dppf: Maxis Database Packed Files, the stored data file format used by all # Maxis games after the Sims: http://wiki.niotso.org/DBPF # http://www.wiki.sc4devotion.com/index.php?title=DBPF # 13 Oct 2017, Kip Warner <kip at thevertigo dot com> 0 string DBPF Maxis Database Packed File >4 ulelong x \b, version: %u. >>8 ulelong x \b%u >>>36 ulelong x \b, files: %u !:ext dbpf/package/dat/sc4 !:mime application/x-maxis-dbpf 4 ulelong 1 >8 ulelong !1 >>24 ledate !0 \b, created: %s >>>28 ledate !0 \b, modified: %s #------------------------------------------------------------------------------ # $File: der,v 1.2 2017/03/17 21:35:28 christos Exp $ # der: file(1) magic for DER encoded files #
# Certificate information piece 0 name certinfo >0 der seq >>&0 der set >>>&0 der seq >>>>&0 der obj_id3=550406 >>>>&0 der prt_str=x \b, countryName=%s >>&0 der set >>>&0 der seq >>>>&0 der obj_id3=550408 >>>>&0 der utf8_str=x \b, stateOrProvinceName=%s >>&0 der set >>>&0 der seq >>>>&0 der obj_id3=55040a >>>>&0 der utf8_str=x \b, organizationName=%s >>&0 der set >>>&0 der seq >>>>&0 der obj_id3=550403 >>>>&0 der utf8_str=x \b, commonName=%s >>&0 der seq
# Certificate requests 0 der seq >&0 der seq >>&0 der int1=00 DER Encoded Certificate request >>&0 use certinfo
# Key Pairs 0 der seq >&0 der int1=00 >&0 der int65=x >&0 der int3=010001 DER Encoded Key Pair, 512 bits
0 der seq >&0 der int1=00 >&0 der int129=x >&0 der int3=010001 DER Encoded Key Pair, 1024 bits
0 der seq >&0 der int1=00 >&0 der int257=x >&0 der int3=010001 DER Encoded Key Pair, 2048 bits
0 der seq >&0 der int1=00 >&0 der int513=x >&0 der int3=010001 DER Encoded Key Pair, 4096 bits
0 der seq >&0 der int1=00 >&0 der int1025=x >&0 der int3=010001 DER Encoded Key Pair, 8192 bits
0 der seq >&0 der int1=00 >&0 der int2049=x >&0 der int3=010001 DER Encoded Key Pair, 16k bits
0 der seq >&0 der int1=00 >&0 der int4097=x >&0 der int3=010001 DER Encoded Key Pair, 32k bits
# Certificates 0 der seq >&0 der seq >>&0 der int2=0dfa DER Encoded Certificate, 512 bits >>&0 der int2=0dfb DER Encoded Certificate, 1024 bits >>&0 der int2=0dfc DER Encoded Certificate, 2048 bits >>&0 der int2=0dfd DER Encoded Certificate, 4096 bits >>&0 der int2=0dfe DER Encoded Certificate, 8192 bits >>&0 der int2=0dff DER Encoded Certificate, 16k bits >>&0 der int2=0e04 DER Encoded Certificate, 32k bits >>&0 der int2=x DER Encoded Certificate, ? bits (%s) >>&0 der seq >>>&0 der obj_id9=2a864886f70d010105 \b, sha1WithRSAEncryption >>>&0 der obj_id9=x \b, ? Encryption (%s) >>>&0 der null >>&0 der seq >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=550406 >>>>>&0 der prt_str=x \b, countryName=%s >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=550408 >>>>>&0 der prt_str=x \b, stateOrProvinceName=%s >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=550407 >>>>>&0 der prt_str=x \b, localityName=%s >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=55040a >>>>>&0 der prt_str=x \b, organizationName=%s >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=55040b >>>>>&0 der prt_str=x \b, organizationUnitName=%s >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der prt_str=x \b, commonName=%s >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id9=2a864886f70d010901 >>>>>&0 der ia5_str=x \b, emailAddress=%s >>&0 der seq >>>&0 der utc_time=x \b, utcTime=%s >>>&0 der utc_time=x \b, utcTime=%s >>&0 use certinfo
#------------------------------------------------------------------------------ # $File: diamond,v 1.7 2009/09/19 16:28:08 christos Exp $ # diamond: file(1) magic for Diamond system # # ... diamond is a multi-media mail and electronic conferencing system.... # # XXX - I think it was either renamed Slate, or replaced by Slate.... # # The full deal is too long... #0 string <list>\n<protocol\ bbn-multimedia-format> Diamond Multimedia Document 0 string =<list>\n<protocol\ bbn-m Diamond Multimedia Document
#------------------------------------------------------------------------------ # $File: diff,v 1.16 2017/03/17 22:20:22 christos Exp $ # diff: file(1) magic for diff(1) output # 0 search/1 diff\040 diff output text !:mime text/x-diff 0 search/1 ***\040 diff output text !:mime text/x-diff 0 search/1 Only\040in\040 diff output text !:mime text/x-diff 0 search/1 Common\040subdirectories:\040 diff output text !:mime text/x-diff
0 search/1 Index: RCS/CVS diff output text !:mime text/x-diff
# librsync -- the library for network deltas # # Copyright (C) 2001 by Martin Pool. You may do whatever you want with # this file. # 0 belong 0x72730236 rdiff network-delta data
0 belong 0x72730136 rdiff network-delta signature data >4 belong x (block length=%d, >8 belong x signature strength=%d)
#------------------------------------------------------------------------------ # $File: digital,v 1.11 2013/01/11 16:45:23 christos Exp $ # Digital UNIX - Info # 0 string =!<arch>\n________64E Alpha archive >22 string X -- out of date #
0 leshort 0603 >24 leshort 0410 COFF format alpha pure >24 leshort 0413 COFF format alpha demand paged >>22 leshort&030000 !020000 executable >>22 leshort&020000 !0 dynamically linked >>16 lelong !0 not stripped >>16 lelong 0 stripped >>27 byte x - version %d >>26 byte x \b.%d >>28 byte x \b-%d >24 leshort 0407 COFF format alpha object >>22 leshort&030000 020000 shared library >>27 byte x - version %d >>26 byte x \b.%d >>28 byte x \b-%d
# Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk> # # The actual magic number is just "Core", followed by a 2-byte version # number; however, treating any file that begins with "Core" as a Digital # UNIX core dump file may produce too many false hits, so we include one # byte of the version number as well; DU 5.0 appears only to be up to # version 2. # 0 string Core\001 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' 0 string Core\002 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' # # The next is incomplete, we could tell more about this format, # but its not worth it. 0 leshort 0x188 Alpha compressed COFF 0 leshort 0x18f Alpha u-code object # # # Some other interesting Digital formats, 0 string \377\377\177 ddis/ddif 0 string \377\377\174 ddis/dots archive 0 string \377\377\176 ddis/dtif table data 0 string \033c\033 LN03 output 0 long 04553207 X image # 0 string =!<PDF>!\n profiling data file # # Locale data tables (MIPS and Alpha). # 0 short 0x0501 locale data table >6 short 0x24 for MIPS >6 short 0x40 for Alpha
#------------------------------------------------------------------------------ # $File: elf,v 1.72 2018/02/24 19:50:04 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # Created by: unknown # Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) # Modified by (3): Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> (fix of core support) # Modified by (4): <gerardo.cacciari@gmail.com> (VMS Itanium) # Modified by (5): Matthias Urlichs <smurf@debian.org> (Listing of many architectures)
#------------------------------------------------------------------------------ # $File: encore,v 1.7 2014/04/30 21:41:02 christos Exp $ # encore: file(1) magic for Encore machines # # XXX - needs to have the byte order specified (NS32K was little-endian, # dunno whether they run the 88K in little-endian mode or not). # 0 short 0x154 Encore >20 short 0x107 executable >20 short 0x108 pure executable >20 short 0x10b demand-paged executable >20 short 0x10f unsupported executable >12 long >0 not stripped >22 short >0 - version %d >22 short 0 - #>4 date x stamp %s 0 short 0x155 Encore unsupported executable >12 long >0 not stripped >22 short >0 - version %d >22 short 0 - #>4 date x stamp %s
#------------------------------------------------------------------------------ # $File: epoc,v 1.9 2013/12/21 14:28:15 christos Exp $ # EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] # Stefan Praszalowicz <hpicollo@worldnet.fr> and Peter Breitenlohner <peb@mppmu.mpg.de> # Useful information for improving this file can be found at: # http://software.frodo.looijaard.name/psiconv/formats/Index.html #------------------------------------------------------------------------------ 0 lelong 0x10000037 Psion Series 5 >4 lelong 0x10000039 font file >4 lelong 0x1000003A printer driver >4 lelong 0x1000003B clipboard >4 lelong 0x10000042 multi-bitmap image !:mime image/x-epoc-mbm >4 lelong 0x1000006A application information file >4 lelong 0x1000006D >>8 lelong 0x1000007D Sketch image !:mime image/x-epoc-sketch >>8 lelong 0x1000007E voice note >>8 lelong 0x1000007F Word file !:mime application/x-epoc-word >>8 lelong 0x10000085 OPL program (TextEd) !:mime application/x-epoc-opl >>8 lelong 0x10000087 Comms settings >>8 lelong 0x10000088 Sheet file !:mime application/x-epoc-sheet >>8 lelong 0x100001C4 EasyFax initialisation file >4 lelong 0x10000073 OPO module !:mime application/x-epoc-opo >4 lelong 0x10000074 OPL application !:mime application/x-epoc-app >4 lelong 0x1000008A exported multi-bitmap image >4 lelong 0x1000016D >>8 lelong 0x10000087 Comms names
0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image
# 4.2 version may have a copyright notice! 4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 79 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2
4 string 1.0\ Fri\ Feb\ 3\ 09:55:56\ MET\ 1995 Erlang JAM file - version 4.3
0 bequad 0x0000000000ABCDEF Erlang DETS file
#------------------------------------------------------------------------------ # $File: esri,v 1.4 2009/09/19 16:28:09 christos Exp $ # ESRI Shapefile format (.shp .shx .dbf=DBaseIII) # Based on info from # <URL:http://www.esri.com/library/whitepapers/pdfs/shapefile.pdf> 0 belong 9994 ESRI Shapefile >4 belong =0 >8 belong =0 >12 belong =0 >16 belong =0 >20 belong =0 >28 lelong x version %d >24 belong x length %d >32 lelong =0 type Null Shape >32 lelong =1 type Point >32 lelong =3 type PolyLine >32 lelong =5 type Polygon >32 lelong =8 type MultiPoint >32 lelong =11 type PointZ >32 lelong =13 type PolyLineZ >32 lelong =15 type PolygonZ >32 lelong =18 type MultiPointZ >32 lelong =21 type PointM >32 lelong =23 type PolyLineM >32 lelong =25 type PolygonM >32 lelong =28 type MultiPointM >32 lelong =31 type MultiPatch
#------------------------------------------------------------------------------ # $File: fcs,v 1.4 2009/09/19 16:28:09 christos Exp $ # fcs: file(1) magic for FCS (Flow Cytometry Standard) data files # From Roger Leigh <roger@whinlatter.uklinux.net> 0 string FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0 0 string FCS2.0 Flow Cytometry Standard (FCS) data, version 2.0 0 string FCS3.0 Flow Cytometry Standard (FCS) data, version 3.0
#------------------------------------------------------------------------------ # $File: filesystems,v 1.124 2018/01/12 12:35:30 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid >0 ubyte 0x00 Unused >0 ubyte 0x01 12-bit FAT >0 ubyte 0x02 XENIX / >0 ubyte 0x03 XENIX /usr >0 ubyte 0x04 16-bit FAT, less than 32M >0 ubyte 0x05 extended partition >0 ubyte 0x06 16-bit FAT, more than 32M >0 ubyte 0x07 OS/2 HPFS, NTFS, QNX2, Adv. UNIX >0 ubyte 0x08 AIX or os, or etc. >0 ubyte 0x09 AIX boot partition or Coherent >0 ubyte 0x0a O/2 boot manager or Coherent swap >0 ubyte 0x0b 32-bit FAT >0 ubyte 0x0c 32-bit FAT, LBA-mapped >0 ubyte 0x0d 7XXX, LBA-mapped >0 ubyte 0x0e 16-bit FAT, LBA-mapped >0 ubyte 0x0f extended partition, LBA-mapped >0 ubyte 0x10 OPUS >0 ubyte 0x11 OS/2 DOS 12-bit FAT >0 ubyte 0x12 Compaq diagnostics >0 ubyte 0x14 OS/2 DOS 16-bit FAT <32M >0 ubyte 0x16 OS/2 DOS 16-bit FAT >=32M >0 ubyte 0x17 OS/2 hidden IFS >0 ubyte 0x18 AST Windows swapfile >0 ubyte 0x19 Willowtech Photon coS >0 ubyte 0x1b hidden win95 fat 32 >0 ubyte 0x1c hidden win95 fat 32 lba >0 ubyte 0x1d hidden win95 fat 16 lba >0 ubyte 0x20 Willowsoft OFS1 >0 ubyte 0x21 reserved >0 ubyte 0x23 reserved >0 ubyte 0x24 NEC DOS >0 ubyte 0x26 reserved >0 ubyte 0x31 reserved >0 ubyte 0x32 Alien Internet Services NOS >0 ubyte 0x33 reserved >0 ubyte 0x34 reserved >0 ubyte 0x35 JFS on OS2 >0 ubyte 0x36 reserved >0 ubyte 0x38 Theos >0 ubyte 0x39 Plan 9, or Theos spanned >0 ubyte 0x3a Theos ver 4 4gb partition >0 ubyte 0x3b Theos ve 4 extended partition >0 ubyte 0x3c PartitionMagic recovery >0 ubyte 0x3d Hidden Netware >0 ubyte 0x40 VENIX 286 or LynxOS >0 ubyte 0x41 PReP >0 ubyte 0x42 linux swap sharing DRDOS disk >0 ubyte 0x43 linux sharing DRDOS disk >0 ubyte 0x44 GoBack change utility >0 ubyte 0x45 Boot US Boot manager >0 ubyte 0x46 EUMEL/Elan or Ergos 3 >0 ubyte 0x47 EUMEL/Elan or Ergos 3 >0 ubyte 0x48 EUMEL/Elan or Ergos 3 >0 ubyte 0x4a ALFX/THIN filesystem for DOS >0 ubyte 0x4c Oberon partition >0 ubyte 0x4d QNX4.x >0 ubyte 0x4e QNX4.x 2nd part >0 ubyte 0x4f QNX4.x 3rd part >0 ubyte 0x50 DM (disk manager) >0 ubyte 0x51 DM6 Aux1 (or Novell) >0 ubyte 0x52 CP/M or Microport SysV/AT >0 ubyte 0x53 DM6 Aux3 >0 ubyte 0x54 DM6 DDO >0 ubyte 0x55 EZ-Drive (disk manager) >0 ubyte 0x56 Golden Bow (disk manager) >0 ubyte 0x57 Drive PRO >0 ubyte 0x5c Priam Edisk (disk manager) >0 ubyte 0x61 SpeedStor >0 ubyte 0x63 GNU HURD or Mach or Sys V/386 >0 ubyte 0x64 Novell Netware 2.xx or Speedstore >0 ubyte 0x65 Novell Netware 3.xx >0 ubyte 0x66 Novell 386 Netware >0 ubyte 0x67 Novell >0 ubyte 0x68 Novell >0 ubyte 0x69 Novell >0 ubyte 0x70 DiskSecure Multi-Boot >0 ubyte 0x71 reserved >0 ubyte 0x73 reserved >0 ubyte 0x74 reserved >0 ubyte 0x75 PC/IX >0 ubyte 0x76 reserved >0 ubyte 0x77 M2FS/M2CS partition >0 ubyte 0x78 XOSL boot loader filesystem >0 ubyte 0x80 MINIX until 1.4a >0 ubyte 0x81 MINIX since 1.4b >0 ubyte 0x82 Linux swap or Solaris >0 ubyte 0x83 Linux native >0 ubyte 0x84 OS/2 hidden C: drive >0 ubyte 0x85 Linux extended partition >0 ubyte 0x86 NT FAT volume set >0 ubyte 0x87 NTFS volume set or HPFS mirrored >0 ubyte 0x8a Linux Kernel AiR-BOOT partition >0 ubyte 0x8b Legacy Fault tolerant FAT32 >0 ubyte 0x8c Legacy Fault tolerant FAT32 ext >0 ubyte 0x8d Hidden free FDISK FAT12 >0 ubyte 0x8e Linux Logical Volume Manager >0 ubyte 0x90 Hidden free FDISK FAT16 >0 ubyte 0x91 Hidden free FDISK DOS EXT >0 ubyte 0x92 Hidden free FDISK FAT16 Big >0 ubyte 0x93 Amoeba filesystem >0 ubyte 0x94 Amoeba bad block table >0 ubyte 0x95 MIT EXOPC native partitions >0 ubyte 0x97 Hidden free FDISK FAT32 >0 ubyte 0x98 Datalight ROM-DOS Super-Boot >0 ubyte 0x99 Mylex EISA SCSI >0 ubyte 0x9a Hidden free FDISK FAT16 LBA >0 ubyte 0x9b Hidden free FDISK EXT LBA >0 ubyte 0x9f BSDI? >0 ubyte 0xa0 IBM Thinkpad hibernation >0 ubyte 0xa1 HP Volume expansion (SpeedStor) >0 ubyte 0xa3 HP Volume expansion (SpeedStor) >0 ubyte 0xa4 HP Volume expansion (SpeedStor) >0 ubyte 0xa5 386BSD partition type >0 ubyte 0xa6 OpenBSD partition type >0 ubyte 0xa7 NeXTSTEP 486 >0 ubyte 0xa8 Apple UFS >0 ubyte 0xa9 NetBSD partition type >0 ubyte 0xaa Olivetty Fat12 1.44MB Service part >0 ubyte 0xab Apple Boot >0 ubyte 0xae SHAG OS filesystem >0 ubyte 0xaf Apple HFS >0 ubyte 0xb0 BootStar Dummy >0 ubyte 0xb1 reserved >0 ubyte 0xb3 reserved >0 ubyte 0xb4 reserved >0 ubyte 0xb6 reserved >0 ubyte 0xb7 BSDI BSD/386 filesystem >0 ubyte 0xb8 BSDI BSD/386 swap >0 ubyte 0xbb Boot Wizard Hidden >0 ubyte 0xbe Solaris 8 partition type >0 ubyte 0xbf Solaris partition type >0 ubyte 0xc0 CTOS >0 ubyte 0xc1 DRDOS/sec (FAT-12) >0 ubyte 0xc2 Hidden Linux >0 ubyte 0xc3 Hidden Linux swap >0 ubyte 0xc4 DRDOS/sec (FAT-16, < 32M) >0 ubyte 0xc5 DRDOS/sec (EXT) >0 ubyte 0xc6 DRDOS/sec (FAT-16, >= 32M) >0 ubyte 0xc7 Syrinx (Cyrnix?) or HPFS disabled >0 ubyte 0xc8 Reserved for DR-DOS 8.0+ >0 ubyte 0xc9 Reserved for DR-DOS 8.0+ >0 ubyte 0xca Reserved for DR-DOS 8.0+ >0 ubyte 0xcb DR-DOS 7.04+ Secured FAT32 CHS >0 ubyte 0xcc DR-DOS 7.04+ Secured FAT32 LBA >0 ubyte 0xcd CTOS Memdump >0 ubyte 0xce DR-DOS 7.04+ FAT16X LBA >0 ubyte 0xcf DR-DOS 7.04+ EXT LBA >0 ubyte 0xd0 REAL/32 secure big partition >0 ubyte 0xd1 Old Multiuser DOS FAT12 >0 ubyte 0xd4 Old Multiuser DOS FAT16 Small >0 ubyte 0xd5 Old Multiuser DOS Extended >0 ubyte 0xd6 Old Multiuser DOS FAT16 Big >0 ubyte 0xd8 CP/M 86 >0 ubyte 0xdb CP/M or Concurrent CP/M >0 ubyte 0xdd Hidden CTOS Memdump >0 ubyte 0xde Dell PowerEdge Server utilities >0 ubyte 0xdf DG/UX virtual disk manager >0 ubyte 0xe0 STMicroelectronics ST AVFS >0 ubyte 0xe1 DOS access or SpeedStor 12-bit >0 ubyte 0xe3 DOS R/O or Storage Dimensions >0 ubyte 0xe4 SpeedStor 16-bit FAT < 1024 cyl. >0 ubyte 0xe5 reserved >0 ubyte 0xe6 reserved >0 ubyte 0xeb BeOS >0 ubyte 0xee GPT Protective MBR >0 ubyte 0xef EFI system partition >0 ubyte 0xf0 Linux PA-RISC boot loader >0 ubyte 0xf1 SpeedStor or Storage Dimensions >0 ubyte 0xf2 DOS 3.3+ Secondary >0 ubyte 0xf3 reserved >0 ubyte 0xf4 SpeedStor large partition >0 ubyte 0xf5 Prologue multi-volumen partition >0 ubyte 0xf6 reserved >0 ubyte 0xf9 pCache: ext2/ext3 persistent cache >0 ubyte 0xfa Bochs x86 emulator >0 ubyte 0xfb VMware File System >0 ubyte 0xfc VMware Swap >0 ubyte 0xfd Linux RAID partition persistent sb >0 ubyte 0xfe LANstep or IBM PS/2 IML >0 ubyte 0xff Xenix Bad Block Table
0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: 0774 beshort 0xdabe # modified by Joerg Jenderek, because original test # succeeds for Cabinet archive dao360.dl_ with negative blocks >0770 long >0 Sun disk label >>0 string x '%s >>>31 string >\0 \b%s >>>>63 string >\0 \b%s >>>>>95 string >\0 \b%s >>0 string x \b' >>0734 short >0 %d rpm, >>0736 short >0 %d phys cys, >>0740 short >0 %d alts/cyl, >>0746 short >0 %d interleave, >>0750 short >0 %d data cyls, >>0752 short >0 %d alt cyls, >>0754 short >0 %d heads/partition, >>0756 short >0 %d sectors/track, >>0764 long >0 start cyl %d, >>0770 long x %d blocks # Is there a boot block written 1 sector in? >512 belong&077777777 0600407 \b, boot block present
# Joerg Jenderek: Smart Boot Manager backup file is 25 (MSDOS) or 41 (LINUX) byte header + first sectors of disk # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file >9 string x \b, version %-5.5s >>14 string =_ >>>15 string x %-.1s >>>>16 string =_ \b. >>>>>17 string x \b%-.1s >>>>>>18 string =_ \b. >>>>>>>19 string x \b%-.1s >>>22 ubyte 0 >>>>21 ubyte x \b, from drive 0x%x >>>22 ubyte >0 >>>>21 string x \b, from drive %s >>>535 search/17 \x55\xAA >>>>&-512 indirect x \b; contains
# updated by Joerg Jenderek at Nov 2012 # DOS Emulator image is 128 byte, null right padded header + harddisc image 0 string DOSEMU\0 >0x27E leshort 0xAA55 #offset is 128 >>19 ubyte 128 >>>(19.b-1) ubyte 0x0 DOS Emulator image >>>>7 ulelong >0 \b, %u heads >>>>11 ulelong >0 \b, %d sectors/track >>>>15 ulelong >0 \b, %d cylinders >>>>128 indirect x \b; contains
# added by Joerg Jenderek at Nov 2012 # http://www.thenakedpc.com/articles/v04/08/0408-05.html # Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data 0 string PNCIHISK\0 Norton Utilities disc image data # real x86 boot sector with jump instruction >509 search/1026 \x55\xAA\xeb >>&-1 indirect x \b; contains # http://file-extension.net/seeker/file_extension_dat 0 string PNCIUNDO Norton Disk Doctor UnDo file #
# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 # for any allowed sector sizes 30 search/481 \x55\xAA # to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) # DOS BPB information (70) and after DOS floppy (120) like in previous file version !:strength +65 # for sector sizes < 512 Bytes >11 uleshort <512 >>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector # for sector sizes with 512 or more Bytes >0x1FE leshort 0xAA55 DOS/MBR boot sector
# keep old DOS/MBR boot sector as dummy for mbr and bootloader displaying # only for sector sizes with 512 or more Bytes 0x1FE leshort 0xAA55 DOS/MBR boot sector # # to display information (50) before DOS BPB (strength=70) and after DOS floppy (120) like in old file version !:strength +65 >2 string OSBS OS/BS MBR # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ # and http://en.wikipedia.org/wiki/Master_Boot_Record # test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by # characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00 >0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR # Microsoft Windows 95A and early ( http://thestarman.pcministry.com/asm/mbr/STDMBR.htm ) # assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld >>8 ubequad 0x8bf45007501ffbfc # http://thestarman.pcministry.com/asm/mbr/200MBR.htm >>>0x16 ubyte 0xF3 \b,DOS 2 >>>>219 regex Author\ -\ Author: # found "David Litton" , "A Pehrsson " >>>>>&0 string x "%s" >>>0x16 ubyte 0xF2 # NEC MS-DOS 3.30 Rev. 3 . See http://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm # assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz >>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3 # version MS-DOS 3.30 til MS-Windows 95A (WinVer=4.00.1111) >>>>0x22 default x \b,D0S version 3.3-7.0 # error messages are printed by assembler instructions: mov si,06nn;...;int 10 (0xBEnn06;...) # where nn is string offset varying for different languages # "Invalid partition table" nn=0x8b for english version >>>>>(0x49.b) string Invalid\ partition\ table english >>>>>(0x49.b) string Ung\201ltige\ Partitionstabelle german >>>>>(0x49.b) string Table\ de\ partition\ invalide french >>>>>(0x49.b) string Tabela\ de\ parti\207ao\ inv\240lida portuguese >>>>>(0x49.b) string Tabla\ de\ partici\242n\ no\ v\240lida spanish >>>>>(0x49.b) string Tavola\ delle\ partizioni\ non\ valida italian >>>>>0x49 ubyte >0 at offset 0x%x >>>>>>(0x49.b) string >\0 "%s" # "Error loading operating system" nn=0xa3 for english version # "Fehler beim Laden des Betriebssystems" nn=0xa7 for german version # "Erreur en chargeant syst\212me d'exploitation" nn=0xa7 for french version # "Erro na inicializa\207ao do sistema operacional" nn=0xa7 for portuguese Brazilian version # "Error al cargar sistema operativo" nn=0xa8 for spanish version # "Errore durante il caricamento del sistema operativo" nn=0xae for italian version >>>>>0x74 ubyte >0 at offset 0x%x >>>>>>(0x74.b) string >\0 "%s" # "Missing operating system" nn=0xc2 for english version # "Betriebssystem fehlt" nn=0xcd for german version # "Syst\212me d'exploitation absent" nn=0xd2 for french version # "Sistema operacional nao encontrado" nn=0xd4 for portuguese Brazilian version # "Falta sistema operativo" nn=0xca for spanish version # "Sistema operativo mancante" nn=0xe2 for italian version >>>>>0x79 ubyte >0 at offset 0x%x >>>>>>(0x79.b) string >\0 "%s" # Microsoft Windows 95B to XP (http://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) # assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b >>8 ubequad 0x5007501ffcbe1b7c # assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbebe07b104 9M # "Invalid partition table" nn=0x10F for english version # "Ung\201ltige Partitionstabelle" nn=0x10F for german version # "Table de partition erron\202e" nn=0x10F for french version # "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x10F for russian version >>>>(0x3C.b+0x0FF) string Invalid\ partition\ table english >>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german >>>>(0x3C.b+0x0FF) string Table\ de\ partition\ erron\202e french >>>>(0x3C.b+0x0FF) string \215\245\257\340\240\242\250\253\354\255\240\357\ \342\240\241\253\250\346\240 russian >>>>0x3C ubyte x at offset 0x%x+0xFF >>>>(0x3C.b+0x0FF) string >\0 "%s" # "Error loading operating system" nn=0x127 for english version # "Fehler beim Laden des Betriebssystems" nn=0x12b for german version # "Erreur lors du chargement du syst\212me d'exploitation" nn=0x12a for french version # "\216\350\250\241\252\240 \257\340\250 \247\240\243\340\343\247\252\245 \256\257\245\340\240\346\250\256\255\255\256\251 \341\250\341\342\245\254\353" nn=0x12d for russian version >>>>0xBD ubyte x at offset 0x1%x >>>>(0xBD.b+0x100) string >\0 "%s" # "Missing operating system" nn=0x146 for english version # "Betriebssystem fehlt" nn=0x151 for german version # "Syst\212me d'exploitation manquant" nn=0x15e for french version # "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x156 for russian version >>>>0xA9 ubyte x at offset 0x1%x >>>>(0xA9.b+0x100) string >\0 "%s" # http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm # assembler instructions: rep;movsb;retf;mov BP,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbdbe07b104 XP # where xxyyzz are lower bits from offsets of error messages varying for different languages >>>>0x1B4 ubelong&0x00FFFFFF 0x002c4463 english >>>>0x1B4 ubelong&0x00FFFFFF 0x002c486e german # "Invalid partition table" xx=0x12C for english version # "Ung\201ltige Partitionstabelle" xx=0x12C for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x144 for english version # "Fehler beim Laden des Betriebssystems" yy=0x148 for german version >>>>0x1b6 ubyte >0 at offset 0x1%x >>>>(0x1b6.b+0x100) string >\0 "%s" # "Missing operating system" zz=0x163 for english version # "Betriebssystem nicht vorhanden" zz=0x16e for german version >>>>0x1b7 ubyte >0 at offset 0x1%x >>>>(0x1b7.b+0x100) string >\0 "%s" # Microsoft Windows Vista or 7 # assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00 >>8 ubequad 0xc08ed8be007cbf00 # Microsoft Windows Vista (http://thestarman.pcministry.com/asm/mbr/VistaMBR.htm) # assembler instructions: jnz 0729;cmp ebx,"TCPA" >>>0xEC ubequad 0x753b6681fb544350 Vista # where xxyyzz are lower bits from offsets of error messages varying for different languages >>>>0x1B4 ubelong&0x00FFFFFF 0x00627a99 english #>>>>0x1B4 ubelong&0x00FFFFFF ? german # "Invalid partition table" xx=0x162 for english version # "Ung\201ltige Partitionstabelle" xx=0x1?? for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x17a for english version # "Fehler beim Laden des Betriebssystems" yy= 0x1?? for german version >>>>0x1b6 ubyte >0 at offset 0x1%x >>>>(0x1b6.b+0x100) string >\0 "%s" # "Missing operating system" zz=0x199 for english version # "Betriebssystem nicht vorhanden" zz=0x1?? for german version >>>>0x1b7 ubyte >0 at offset 0x1%x >>>>(0x1b7.b+0x100) string >\0 "%s" # Microsoft Windows 7 (http://thestarman.pcministry.com/asm/mbr/W7MBR.htm) # assembler instructions: cmp ebx,"TCPA";cmp >>>0xEC ubequad 0x6681fb5443504175 Windows 7 # where xxyyzz are lower bits from offsets of error messages varying for different languages >>>>0x1B4 ubelong&0x00FFFFFF 0x00637b9a english #>>>>0x1B4 ubelong&0x00FFFFFF ? german # "Invalid partition table" xx=0x163 for english version # "Ung\201ltige Partitionstabelle" xx=0x1?? for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x17b for english version # "Fehler beim Laden des Betriebssystems" yy=0x1?? for german version >>>>0x1b6 ubyte >0 at offset 0x1%x >>>>(0x1b6.b+0x100) string >\0 "%s" # "Missing operating system" zz=0x19a for english version # "Betriebssystem nicht vorhanden" zz=0x1?? for german version >>>>0x1b7 ubyte >0 at offset 0x1%x >>>>(0x1b7.b+0x100) string >\0 "%s" # http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DiskSigs # http://en.wikipedia.org/wiki/MBR_disk_signature#ID >>0x1b8 ulelong >0 \b, disk signature 0x%-.4x # driveID/timestamp for Win 95B,98,98SE and ME. See http://thestarman.pcministry.com/asm/mbr/mystery.htm >>0xDA uleshort 0 >>>0xDC ulelong >0 \b, created # physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive >>>>0xDC ubyte x with driveID 0x%x # hours, minutes and seconds >>>>0xDf ubyte x at %x >>>>0xDe ubyte x \b:%x >>>>0xDd ubyte x \b:%x # special case for Microsoft MS-DOS 3.21 spanish # assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov >0 ubequad 0xfab830008ed0bc00 # assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov >>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish # Microsoft MBR IPL end
# dr-dos with some upper-, lowercase variants >0x9D string Invalid\ partition\ table$ >>181 string No\ Operating\ System$ >>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 >0x9D string Invalid\ partition\ table$ >>181 string No\ operating\ system$ >>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 >342 string Invalid\ partition\ table$ >>366 string No\ operating\ system$ >>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 >295 string NEWLDR\0 >>302 string Bad\ PT\ $ >>>310 string No\ OS\ $ >>>>317 string OS\ load\ err$ >>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r >>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ >>>>>>>387 string Copyright\ (c)\ 1984,1998 >>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) # # tests for different MS-DOS Master Boot Records (MBR) moved and merged # #>0x145 string Default:\ F \b, FREE-DOS MBR #>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR >0x145 search/7 Default:\ F \b, FREE-DOS MBR #>>313 string F0\ .\ .\ . #>>>322 string disk\ 1 #>>>>382 string FAT3 >64 string no\ active\ partition\ found >>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR # Ranish Partition Manager http://www.ranish.com/part/ >387 search/4 \0\ Error!\r >>378 search/7 Virus! >>>397 search/4 Booting\040 >>>>408 search/4 HD1/\0 \b, Ranish MBR ( >>>>>416 string Writing\ changes... \b2.37 >>>>>>438 ubyte x \b,0x%x dots >>>>>>440 ubyte >0 \b,virus check >>>>>>441 ubyte >0 \b,partition %c #2.38,2.42,2.44 >>>>>416 string !Writing\ changes... \b >>>>>>418 ubyte 1 \bvirus check, >>>>>>419 ubyte x \b0x%x seconds >>>>>>420 ubyte&0x0F >0 \b,partition >>>>>>>420 ubyte&0x0F <5 \b %x >>>>>>>420 ubyte&0x0F 0Xf \b ask >>>>>420 ubyte x \b) # # SYSLINUX MBR moved # http://www.acronis.de/ >362 string MBR\ Error\ \0\r >>376 string ress\ any\ key\ to\040 >>>392 string boot\ from\ floppy...\0 \b, Acronis MBR # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ >309 string No\ bootable\ partition\ found\r >>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR >349 string No\ bootable\ partition\ found\r >>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR # bootloader, bootmanager >0x40 string SBML # label with 11 characters of FAT 12 bit filesystem >>43 string SMART\ BTMGR >>>430 string SBMK\ Bad!\r \b, Smart Boot Manager # OEM-ID not always "SBM" #>>>>3 strings SBM >>>>6 string >\0 \b, version %s >382 string XOSLLOADXCF \b, eXtended Operating System Loader >6 string LILO \b, LInux i386 boot LOader >>120 string LILO \b, version 22.3.4 SuSe >>172 string LILO \b, version 22.5.8 Debian # updated by Joerg Jenderek at Oct 2008 # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders >342 search/60 \0Geom\0 #>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 >>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader # 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 >>>>0x3E ubyte x \b, stage1 version 0x%x #If it is 0xFF, use a drive passed by BIOS >>>>0x40 ubyte <0xFF \b, boot drive 0x%x # in most case 0,1,0x2e for GRUB 0.5.95 >>>>0x41 ubyte >0 \b, LBA flag 0x%x >>>>0x42 uleshort <0x8000 \b, stage2 address 0x%x #>>>>0x42 uleshort =0x8000 \b, stage2 address 0x%x (usual) >>>>0x42 uleshort >0x8000 \b, stage2 address 0x%x #>>>>0x44 ulelong =1 \b, 1st sector stage2 0x%x (default) >>>>0x44 ulelong >1 \b, 1st sector stage2 0x%x >>>>0x48 uleshort <0x800 \b, stage2 segment 0x%x #>>>>0x48 uleshort =0x800 \b, stage2 segment 0x%x (usual) >>>>0x48 uleshort >0x800 \b, stage2 segment 0x%x >>>>402 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>394 string stage1 \b, GRUB version 0.5.95 >>>>382 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>376 string GRUB\ \0 \b, GRUB version 0.93 or 1.94 >>>>383 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>377 string GRUB\ \0 \b, GRUB version 0.94 >>>>385 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>379 string GRUB\ \0 \b, GRUB version 0.95 or 0.96 >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 # unknown version >>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>374 string GRUB\ \0 \b, GRUB version n.m # SYSLINUX bootloader moved >395 string chksum\0\ ERROR!\0 \b, Gujin bootloader # http://www.bcdwb.de/bcdw/index_e.htm >3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) # mbr partition table entries updated by Joerg Jenderek at Sep 2013 # skip Norton Utilities disc image data >3 string !IHISK # skip Linux style boot sector starting with assember instructions mov 0x7c0,ax; >>0 belong !0xb8c0078e # not Linux kernel >>>514 string !HdrS # not BeOS >>>>422 string !Be\ Boot\ Loader # jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr >>>>>0 ubelong&0xFD000000 =0xE9000000 # AdvanceMAME mbr >>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e >>>>>>>446 use partition-table # mbr, Norton Utilities disc image data, or 2nd,etc. sector of x86 bootloader >>>>>0 ubelong&0xFD000000 !0xE9000000 # skip FSInfosector >>>>>>0 string !RRaA # skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, # http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm >>>>>>>0 ubequad !0xfa660fb64610668b # skip 13rd sector of MS x86 bootloader >>>>>>>>0 ubequad !0x660fb64610668b4e # skip sector starting with DOS new line >>>>>>>>>0 string !\r\n # allowed active flag 0,80h-FFh >>>>>>>>>>446 ubyte 0 >>>>>>>>>>>446 use partition-table >>>>>>>>>>446 ubyte >0x7F >>>>>>>>>>>446 use partition-table # TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries # mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 >442 string Non-system\ disk,\040 >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader # updated by Joerg Jenderek at Nov 2012, Sep 2013 # DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes # display 1 space >>>447 ubyte x \b >>>477 use DOS-filename # >185 string FDBOOT\ Version\040 >>204 string \rNo\ Systemdisk.\040 >>>220 string Booting\ from\ harddisk.\n\r >>>245 string Cannot\ load\ from\ harddisk.\n\r >>>>273 string Insert\ Systemdisk\040 >>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string >\0 \b, version %-3s >242 string Bootsector\ from\ C.H.\ Hochst\204 # http://freecode.com/projects/dosfstools dosfstools-n.m/src/mkdosfs.c # updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string # skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut >242 search/127 Bootsector\ from\ C.H.\ Hochst >>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk # followed by variants with point,CR-NL or NL-CR >>>208 search/261 Cannot\ load\ from\ harddisk. # followed by variants CR-NL or NL-CR >>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. # followed by variants with point,CR-NL or NL-CR >>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader # followed by string like "6.50 (c) 1993-2004 Gilles Vollant" >>>>>>&0 string x \b, version %-4.4s >(1.b+2) ubyte 0xe >>(1.b+3) ubyte 0x1f >>>(1.b+4) ubyte 0xbe # message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others >>>>(1.b+5) ubyte&0xd3 0x53 >>>>>(1.b+6) ubyte 0x7c # assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah, >>>>>>(1.b+7) ubyte 0xac >>>>>>>(1.b+8) ubyte 0x22 >>>>>>>>(1.b+9) ubyte 0xc0 >>>>>>>>>(1.b+10) ubyte 0x74 >>>>>>>>>>(1.b+11) ubyte 0x0b >>>>>>>>>>>(1.b+12) ubyte 0x56 >>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display # FAT1X version >>>>>>>>>>>>>(1.b+5) ubyte 0x5b >>>>>>>>>>>>>>0x5b string >\0 "%-s" # FAT32 version >>>>>>>>>>>>>(1.b+5) ubyte 0x77 >>>>>>>>>>>>>>0x77 string >\0 "%-s" >214 string Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display #>>244 string from\ dosemu-freedos-*-bin.tgz\r #>>>170 string Sorry,\ could\ not\ load\ an\040 #>>>>195 string operating\ system.\r\n # >103 string This\ is\ not\ a\ bootable\ disk.\040 >>132 string Please\ insert\ a\ bootable\040 >>>157 string floppy\ and\r\n >>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display # >66 string Solaris\ Boot\ Sector >>99 string Incomplete\ MDBoot\ load. >>>89 string Version \b, Sun Solaris Bootloader >>>>97 byte x version %c # >408 string OS/2\ !!\ SYS01475\r\0 >>429 string OS/2\ !!\ SYS02025\r\0 >>>450 string OS/2\ !!\ SYS02027\r\0 >>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader # >409 string OS/2\ !!\ SYS01475\r\0 >>430 string OS/2\ !!\ SYS02025\r\0 >>>451 string OS/2\ !!\ SYS02027\r\0 >>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader >112 string This\ disk\ is\ not\ bootable\r >>142 string If\ you\ wish\ to\ make\ it\ bootable >>>176 string run\ the\ DOS\ program\ SYS\040 >>>200 string after\ the\r >>>>216 string system\ has\ been\ loaded\r\n >>>>>242 string Please\ insert\ a\ DOS\ diskette\040 >>>>>271 string into\r\n\ the\ drive\ and\040 >>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display # XP >430 string NTLDR\ is\ missing\xFF\r\n >>449 string Disk\ error\xFF\r\n >>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader # DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # >>>>371 ubyte >0x20 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # >430 string NTLDR\ nicht\ gefunden\xFF\r\n >>453 string Datentr\204gerfehler\xFF\r\n >>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # offset variant >>>>379 string \0 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s # >430 string NTLDR\ fehlt\xFF\r\n >>444 string Datentr\204gerfehler\xFF\r\n >>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # variant >>>>371 ubyte >0x20 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # >430 string NTLDR\ fehlt\xFF\r\n >>444 string Medienfehler\xFF\r\n >>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) >>>>371 ubyte >0x20 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # >430 string Datentr\204ger\ entfernen\xFF\r\n >>454 string Medienfehler\xFF\r\n >>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) >>>>379 string \0 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s #
#>3 string NTFS\ \ \ \040 >389 string Fehler\ beim\ Lesen\040 >>407 string des\ Datentr\204gers >>>426 string NTLDR\ fehlt >>>>440 string NTLDR\ ist\ komprimiert >>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) #>3 string NTFS\ \ \ \040 >313 string A\ disk\ read\ error\ occurred.\r >>345 string A\ kernel\ file\ is\ missing\040 >>>370 string from\ the\ disk.\r >>>>484 string NTLDR\ is\ compressed >>>>>429 string Insert\ a\ system\ diskette\040 >>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS # DOS loader variants different languages,offsets >472 ubyte&0xDF >0 >>389 string Invalid\ system\ disk\xFF\r\n >>>411 string Disk\ I/O\ error >>>>428 string Replace\ the\ disk,\ and\040 >>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader #IO.SYS >>>>>>472 ubyte&0xDF >0 >>>>>>>472 string x \b %-.2s >>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s >>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s >>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s >>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s >>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # >>390 string Invalid\ system\ disk\xFF\r\n >>>412 string Disk\ I/O\ error\xFF\r\n >>>>429 string Replace\ the\ disk,\ and\040 >>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader >>388 string Ungueltiges\ System\ \xFF\r\n >>>410 string E/A-Fehler\ \ \ \ \xFF\r\n >>>>427 string Datentraeger\ wechseln\ und\040 >>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) #WINBOOT.SYS only not spaces (0xDF) >>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.5s >>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>502 string x \b%-.1s >>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>503 string x \b%-.1s >>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>504 string x \b%-.1s >>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s >>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s >>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s >>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s >>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s >>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # >>390 string Ungueltiges\ System\ \xFF\r\n >>>412 string E/A-Fehler\ \ \ \ \xFF\r\n >>>>429 string Datentraeger\ wechseln\ und\040 >>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) #WINBOOT.SYS only not spaces (0xDF) >>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.7s >>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>504 string x \b%-.1s >>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s >>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.6s >>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s >>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s >>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # >>389 string Ungueltiges\ System\ \xFF\r\n >>>411 string E/A-Fehler\ \ \ \ \xFF\r\n >>>>428 string Datentraeger\ wechseln\ und\040 >>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) # DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes >>>>>>472 string x %-.2s >>>>>>>474 ubyte&0xDF >0 >>>>>>>>474 string x \b%-.5s >>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>479 string x \b%-.1s >>>>>>480 ubyte&0xDF >0 >>>>>>>480 string x \b.%-.3s >>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>483 string x \b%-.5s >>>>>>>488 ubyte&0xDF >0 >>>>>>>>488 string x \b%-.2s >>>>>>>>490 ubyte&0xDF >0 >>>>>>>>>490 string x \b%-.1s >>>>>>>491 ubyte&0xDF >0 >>>>>>>>491 string x \b.%-.3s >479 ubyte&0xDF >0 >>416 string Kein\ System\ oder\040 >>>433 string Laufwerksfehler >>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) #IO.SYS >>>>>479 string x \b %-.2s >>>>>>481 ubyte&0xDF >0 >>>>>>>481 string x \b%-.6s >>>>>487 ubyte&0xDF >0 >>>>>>487 string x \b.%-.3s #MSDOS.SYS >>>>>>490 ubyte&0xDF >0 \b+ >>>>>>>490 string x \b%-.5s >>>>>>>>495 ubyte&0xDF >0 >>>>>>>>>495 string x \b%-.3s >>>>>>>498 ubyte&0xDF >0 >>>>>>>>498 string x \b.%-.3s # >376 search/41 Non-System\ disk\ or\040 >>395 search/41 disk\ error\r >>>407 search/41 Replace\ and\040 >>>>419 search/41 press\ \b, >>>>419 search/41 strike\ \b, old >>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader #449 Disk\ Boot\ failure\r MS 3.21 #466 Boot\ Failure\r MS 3.30 >>>>>468 search/18 \0 #IO.SYS,IBMBIO.COM >>>>>>&0 string x \b %-.2s >>>>>>>&-20 ubyte&0xDF >0 >>>>>>>>&-1 string x \b%-.4s >>>>>>>>>&-16 ubyte&0xDF >0 >>>>>>>>>>&-1 string x \b%-.2s >>>>>>&8 ubyte&0xDF >0 \b. >>>>>>>&-1 string x \b%-.3s #MSDOS.SYS,IBMDOS.COM >>>>>>&11 ubyte&0xDF >0 \b+ >>>>>>>&-1 string x \b%-.5s >>>>>>>>&-6 ubyte&0xDF >0 >>>>>>>>>&-1 string x \b%-.1s >>>>>>>>>>&-5 ubyte&0xDF >0 >>>>>>>>>>>&-1 string x \b%-.2s >>>>>>>&7 ubyte&0xDF >0 \b. >>>>>>>>&-1 string x \b%-.3s >441 string Cannot\ load\ from\ harddisk.\n\r >>469 string Insert\ Systemdisk\040 >>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader #>43 string \224R-LOADER\ \ SYS =label >54 string SYS >>324 string VASKK >>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) # >98 string Press\ a\ key\ to\ retry\0\r >>120 string Cannot\ find\ file\ \0\r >>>139 string Disk\ read\ error\0\r >>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader #DRBIOS.SYS >>>>>44 ubyte&0xDF >0 >>>>>>44 string x \b %-.6s >>>>>>>50 ubyte&0xDF >0 >>>>>>>>50 string x \b%-.2s >>>>>>52 ubyte&0xDF >0 >>>>>>>52 string x \b.%-.3s # >70 string IBMBIO\ \ COM >>472 string Cannot\ load\ DOS!\040 >>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader >>471 string Cannot\ load\ DOS\040 >>487 string press\ key\ to\ retry \b, Open-DOS Bootloader #?? >444 string KERNEL\ \ SYS >>314 string BOOT\ error! \b, FREE-DOS Bootloader >499 string KERNEL\ \ SYS >>305 string BOOT\ err!\0 \b, Free-DOS Bootloader >449 string KERNEL\ \ SYS >>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader # >449 string Loading\ FreeDOS >>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # >331 string Error!.0 \b, FREE-DOS 1.0 bootloader # >125 string Loading\ FreeDOS...\r >>311 string BOOT\ error!\r \b, FREE-DOS bootloader >>>441 ubyte&0xDF >0 >>>>441 string x \b %-.6s >>>>>447 ubyte&0xDF >0 >>>>>>447 string x \b%-.1s >>>>>>>448 ubyte&0xDF >0 >>>>>>>>448 string x \b%-.1s >>>>449 ubyte&0xDF >0 >>>>>449 string x \b.%-.3s >124 string FreeDOS\0 >>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader # DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >336 string Error!\040 >>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ # OEM-ID=Visopsys >478 ulelong 0 >>(1.b+326) string I/O\ Error\ reading\040 >>>(1.b+344) string Visopsys\ loader\r >>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader # http://alexfru.chat.ru/epm.html#bootprog >494 ubyte >0x4D >>495 string >E >>>495 string <S #OEM-ID is not reliable >>>>3 string BootProg # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes >>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader >>>>>499 use DOS-filename #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. #If the boot sector fails to find needed program in the root directory, #it also hangs with another message ("NF"). >>>>>492 string RENF \b, FAT (12 bit) >>>>>495 string RENF \b, FAT (16 bit) #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. # x86 bootloader end
# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO # and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector >0 string RRaA >>0x1E4 string rrAa \b, FSInfosector #>>0x1FC uleshort =0 SHOULD BE ZERO >>>0x1E8 ulelong <0xffffffff \b, %u free clusters >>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u
# DOS x86 sector separated and moved from "DOS/MBR boot sector" by Joerg Jenderek at May 2011
>0x200 lelong 0x82564557 \b, BSD disklabel
# by Joerg Jenderek at Apr 2013 # Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension # like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS 0 name DOS-filename # space=0x20 (00100000b) means empty >0 ubyte&0xDF >0 >>0 ubyte x \b%c >>>1 ubyte&0xDF >0 >>>>1 ubyte x \b%c >>>>>2 ubyte&0xDF >0 >>>>>>2 ubyte x \b%c >>>>>>>3 ubyte&0xDF >0 >>>>>>>>3 ubyte x \b%c >>>>>>>>>4 ubyte&0xDF >0 >>>>>>>>>>4 ubyte x \b%c >>>>>>>>>>>5 ubyte&0xDF >0 >>>>>>>>>>>>5 ubyte x \b%c >>>>>>>>>>>>>6 ubyte&0xDF >0 >>>>>>>>>>>>>>6 ubyte x \b%c >>>>>>>>>>>>>>>7 ubyte&0xDF >0 >>>>>>>>>>>>>>>>7 ubyte x \b%c # DOS filename extension >>8 ubyte&0xDF >0 \b. >>>8 ubyte x \b%c >>>>9 ubyte&0xDF >0 >>>>>9 ubyte x \b%c >>>>>>10 ubyte&0xDF >0 >>>>>>>10 ubyte x \b%c # Print 2 following DOS filenames from directory entry form # like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com 0 name 2xDOS-filename # display 1 space >0 ubyte x \b >0 use DOS-filename >11 ubyte x \b+ >11 use DOS-filename
# http://en.wikipedia.org/wiki/Master_boot_record#PTE # display standard partition table 0 name partition-table #>0 ubyte x PARTITION-TABLE # test and display 1st til 4th partition table entry >0 use partition-entry-test >16 use partition-entry-test >32 use partition-entry-test >48 use partition-entry-test # test for entry of partition table 0 name partition-entry-test # partition type ID > 0 >4 ubyte >0 # active flag 0 >>0 ubyte 0 >>>0 use partition-entry # active flag 0x80, 0x81, ... >>0 ubyte >0x7F >>>0 use partition-entry # Print entry of partition table 0 name partition-entry # partition type ID > 0 >4 ubyte >0 \b; partition >>64 leshort 0xAA55 1 >>48 leshort 0xAA55 2 >>32 leshort 0xAA55 3 >>16 leshort 0xAA55 4 >>4 ubyte x : ID=0x%x >>0 ubyte&0x80 0x80 \b, active >>0 ubyte >0x80 0x%x >>1 ubyte x \b, start-CHS ( >>1 use partition-chs >>5 ubyte x \b), end-CHS ( >>5 use partition-chs >>8 ulelong x \b), startsector %u >>12 ulelong x \b, %u sectors # Print cylinder,head,sector (CHS) of partition entry 0 name partition-chs # cylinder >1 ubyte x \b0x >1 ubyte&0xC0 0x40 \b1 >1 ubyte&0xC0 0x80 \b2 >1 ubyte&0xC0 0xC0 \b3 >2 ubyte x \b%x # head >0 ubyte x \b,%u # sector >1 ubyte&0x3F x \b,%u
# FATX 0 string FATX FATX filesystem data
# romfs filesystems - Juan Cespedes <cespedes@debian.org> 0 string -rom1fs- romfs filesystem, version 1 >8 belong x %d bytes, >16 string x named %s.
# updated by Joerg Jenderek at Oct 2008 and Sep 2012 # http://syslinux.zytor.com/iso.php # tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05 # assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop 0 ulequad&0x909000007cc0eafa 0x909000007c40eafa >631 search/689 ISOLINUX\ isolinux Loader >>&0 string x (version %-4.4s) # http://syslinux.zytor.com/pxe.php # assembler instructions: jmp 7C05 0 ulelong 0x007c05ea pxelinux loader (version 2.13 or older) # assembler instructions: pushfd;pushad 0 ulelong 0x60669c66 pxelinux loader # assembler instructions: jmp 05 0 ulelong 0xc00005ea pxelinux loader (version 3.70 or newer) # http://syslinux.zytor.com/wiki/index.php/SYSLINUX 0 string LDLINUX\ SYS\ SYSLINUX loader >12 string x (older version %-4.4s) 0 string \r\nSYSLINUX\ SYSLINUX loader >11 string x (version %-4.4s) # syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" 0 ulelong&0x80909bEB 0x009018EB # OEM-ID not always "SYSLINUX" >434 search/47 Boot\ failed # followed by \r\n\0 or :\ >>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older) >>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) >459 search/30 Boot\ error\r\n\0 >>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) # SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: mov di,0600h;mov cx,0100h 16 search/4 \xbf\x00\x06\xb9\x00\x01 # to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21) !:strength +36 >94 search/249 Missing\ operating\ system # followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other # skip Ranish MBR >>408 search/4 HD1/\0 >>408 default x >>>250 search/118 \0Operating\ system\ load SYSLINUX MBR # followed by "ing " or space >>>>292 search/98 error >>>>>&0 string \r (version 3.35 or older) >>>>>&0 string .\r (version 3.52 or newer) >>>>>&0 default x (version 3.36-3.51 ) >368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR >>156 search/10 \0Boot\ partition\ not\ found\r\n >>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older) >>174 search/10 \0Missing\ OS\r\n >>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer) # SYSLINUX END
# NetBSD mbr variants (master-boot-code version 1.22) added by Joerg Jenderek at Nov 2012 # assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax, 0 ubequad 0x31c08ed0bc007c8e # mbr_bootsel magic before partition table not reliable with small ipl fragments #>444 uleshort 0xb5e1 >0004 uleshort x # ERRorTeXT >>181 search/166 Error\ \0\r\n NetBSD mbr # NT Drive Serial Number http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS >>>0x1B8 ubelong >0 \b,Serial 0x%-.8x # BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx >>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector # BOOT_EXTENDED definitions contains assembler instructions: # xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13 >>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended # COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al >>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO # not TERSE_ERROR >>>196 search/106 No\ active\ partition\0 >>>>&0 string Disk\ read\ error\0 >>>>>&0 string No\ operating\ system\0 \b,verbose # not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13 >>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS # not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13 >>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check # assembler instructions: movw nametab,bx >>>0x26 search/21 \xBB\x94\x07 # not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf >>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 >>>>>181 search/166 Error\ \0 # "a: disk" , "Fn: diskn" or "NetBSD MBR boot" >>>>>>&3 string x \b,"%s" >>>446 use partition-table # Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html # added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 # assembler instructions: jmp short 0x58;nop;ASCII 0 ubequad&0xeb58908000000000 0xeb58900000000000 # assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss, >(1.b+2) ubequad 0xfa31c08ed88ec08e # Error messages at end of code >>376 string No\ operating\ system\r\n\0 >>>398 string Disk\ error\r\n\0FDD\0HDD\0 >>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr
# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ # added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11 # for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI, # or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS, 0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC # pointer to the data starting with Neil Turton signature string >(0x1BC.s) string NDTmbr >>&-14 string 1234F\0 Turton mbr ( # parameters also viewed by install-mbr --list >>>(0x1BC.s+7) ubyte x \b%u<= >>>(0x1BC.s+9) ubyte x \bVersion<=%u #>>>(0x1BC.s+8) ubyte x asm_flag_%x >>>(0x1BC.s+8) ubyte&1 1 \b,Y2K-Fix # variant used by testdisk of http://www.cgsecurity.org/wiki/Menu_MBRCode >>>(0x1BC.s+8) ubyte&2 2 \b,TestDisk #0x1~1,..,0x8~4,0x10~F,0x80~A enabled #>>>(0x1BC.s+10) ubyte x \b,flags 0x%x #0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot #>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x # for older versions >>>(0x1BC.s+9) ubyte <2 #>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x >>>>(0x1BC.s+13) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x # not 1st hard disc >>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x # for version >= 2 maximal timeout can be 65534 >>>(0x1BC.s+9) ubyte >1 #>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds >>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x >>>>(0x1BC.s+14) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x # not 1st hard disc >>>>>(0x1BC.s+14) ubyte !0x80 \b,drive 0x%x >>>0 ubyte x \b)
# added by Joerg Jenderek # In the second sector (+0x200) are variables according to grub-0.97/stage2/asm.S or # grub-1.94/kern/i386/pc/startup.S # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders 0x200 uleshort 0x70EA # found only version 3.{1,2} >0x206 ubeshort >0x0300 # GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00" >>0x212 ubyte >0x29 >>>0x213 ubyte >0x29 # not iso9660_stage1_5 #>>>0 ulelong&0x00BE5652 0x00BE5652 >>>>0x213 ubyte >0x29 GRand Unified Bootloader # config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2" >>>>0x217 ubyte 0xFF stage1_5 >>>>0x217 ubyte <0xFF stage2 >>>>0x206 ubyte x \b version %u >>>>0x207 ubyte x \b.%u # module_size for 1.94 >>>>0x208 ulelong <0xffffff \b, installed partition %u #>>>>0x208 ulelong =0xffffff \b, %lu (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial >>>>0x20C ulelong&0x2E300000 0x2E300000 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs >>>>>0x20C ubyte x \b, identifier 0x%x #>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default) >>>>>0x20D ubyte >0 \b, LBA flag 0x%x # GRUB version as string >>>>>0x20E string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default >>>>>>0x215 ulong 0xffffffff >>>>>>>0x219 string >\0 \b, configuration file %-s >>>>>>0x215 ulong !0xffffffff >>>>>>>0x215 string >\0 \b, configuration file %-s # newer GRUB versions >>>>0x20C ulelong&0x2E300000 !0x2E300000 ##>>>>>0x20C ulelong =0 \b, saved entry %d (usual) >>>>>0x20C ulelong >0 \b, saved entry %d # for 1.94 contains kernel image size # for 0.93,0.94,0.96,0.97 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 >>>>>0x210 ubyte x \b, identifier 0x%x # The flag for LBA forcing is in most cases 0 #>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default) >>>>>0x211 ubyte >0 \b, LBA flag 0x%x # GRUB version as string >>>>>0x212 string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default >>>>>0x217 ulong 0xffffffff >>>>>>0x21b string >\0 \b, configuration file %-s >>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s
# DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 # JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 # over BIOS parameter block (BPB) # http://thestarman.pcministry.com/asm/2bytejumps.htm#FWD # older drives may use Near JuMP instruction E9 xx xx # minimal short forward jump found 0x29 for bootloaders or 0x0 # maximal short forward jump is 0x7f # OEM-ID is empty or contain readable bytes 0 ulelong&0x804000E9 0x000000E9 !:strength +60 # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 >11 uleshort&0x001f 0 >>11 uleshort <32769 >>>11 uleshort >31 >>>>21 ubyte&0xf0 0xF0 >>>>>0 ubyte 0xEB DOS/MBR boot sector >>>>>>1 ubyte x \b, code offset 0x%x+2 >>>>>0 ubyte 0xE9 >>>>>>1 uleshort x \b, code offset 0x%x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC >>>>>>8 string IHC \b cached by Windows 9M >>>>>11 uleshort >512 \b, Bytes/sector %u #>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual) >>>>>11 uleshort <512 \b, Bytes/sector %u >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) # for lazy FAT32 implementation like Transcend digital photo frame PF830 >>>>>82 string/c fat32 >>>>>>14 uleshort !32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) >>>>>82 string/c !fat32 >>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) #>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) >>>>>16 ubyte >2 \b, FATs %u #>>>>>16 ubyte =2 \b, FATs %u (usual) >>>>>16 ubyte =1 \b, FAT %u >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u #>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) >>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) >>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x >>>>>22 uleshort >0 \b, sectors/FAT %u #>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32) >>>>>24 uleshort x \b, sectors/track %u >>>>>26 ubyte >2 \b, heads %u #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u # valid only for sector sizes with more then 32 Bytes >>>>>11 uleshort >32 # http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block # skip for values 2,2Ah,70h,73h,DFh # and continue for extended boot signature values 0,28h,29h,80h >>>>>>38 ubyte&0x56 =0 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) >>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 bit specific >>>>>>>82 string/c !fat32 #>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>>>36 ubyte !0x80 >>>>>>>>>36 ubyte !0 \b, physical drive 0x%x # VGA-copy CRC or # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>>>37 ubyte >0 \b, reserved 0x%x #>>>>>>>>37 ubyte =0 \b, reserved 0x%x # extended boot signatur value is 0x80 for NTFS, 0x28 or 0x29 for others >>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>>>38 ubyte&0xFE =0x28 >>>>>>>>>39 ulelong x \b, serial number 0x%x >>>>>>>>38 ubyte =0x29 >>>>>>>>>43 string <NO\ NAME \b, label: "%11.11s" >>>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" >>>>>>>>>43 string =NO\ NAME \b, unlabeled # there exist some old floppies without word FAT at offset 54 # a word like "FATnm " is only a hint for a FAT size on nm-bits # Normally the number of clusters is calculated by the values of BPP. # if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, # otherwise FAT is 16 bit. # http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html >>>>>82 string/c !fat32 >>>>>>54 string FAT12 \b, FAT (12 bit) >>>>>>54 string FAT16 \b, FAT (16 bit) >>>>>>54 default x # determinate FAT bit size by media descriptor # small floppies implies FAT12 >>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) # with media descriptor F0h floppy or maybe superfloppy with FAT16 >>>>>>>21 ubyte =0xF0 # superfloppy (many sectors) implies FAT16 >>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) # no superfloppy with media descriptor F0h implies FAT12 >>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) # with media descriptor F8h floppy or hard disc with FAT12 or FAT16 >>>>>>>21 ubyte =0xF8 # 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) # hard disc with FAT12 or FAT16 >>>>>>>>19 default x \b, FAT (1Y bit by descriptor) # with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc >>>>>>>21 ubyte =0xFA # 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) # RAM disc with FAT12 or FAT16 or Tandy hard disc >>>>>>>>19 default x \b, FAT (1Y bit by descriptor) # others are floppy >>>>>>>21 default x \b, FAT (12 bit by descriptor) # FAT32 bit specific >>>>>82 string/c fat32 \b, FAT (32 bit) >>>>>>36 ulelong x \b, sectors/FAT %u # http://technet.microsoft.com/en-us/library/cc977221.aspx >>>>>>40 uleshort >0 \b, extension flags 0x%x #>>>>>>40 uleshort =0 \b, extension flags %hu >>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>42 uleshort =0 \b, fsVersion %u (usual) >>>>>>44 ulelong >2 \b, rootdir cluster %u #>>>>>>44 ulelong =2 \b, rootdir cluster %u #>>>>>>44 ulelong =1 \b, rootdir cluster %u >>>>>>48 uleshort >1 \b, infoSector %u #>>>>>>48 uleshort =1 \b, infoSector %u (usual) >>>>>>48 uleshort <1 \b, infoSector %u # 0 or 0xFFFF instead of usual 6 means no backup sector >>>>>>50 uleshort =0xFFFF \b, no Backup boot sector >>>>>>50 uleshort =0 \b, no Backup boot sector #>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) >>>>>>50 default x >>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO >>>>>>52 ulelong >0 \b, reserved1 0x%x >>>>>>56 ulelong >0 \b, reserved2 0x%x >>>>>>60 ulelong >0 \b, reserved3 0x%x # same structure as FAT1X #>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) #>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>64 ubyte !0x80 >>>>>>>64 ubyte >0 \b, physical drive 0x%x # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>65 ubyte >0 \b, reserved 0x%x >>>>>>66 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>66 ubyte =0x29 >>>>>>>67 ulelong x \b, serial number 0x%x >>>>>>>71 string <NO\ NAME \b, label: "%11.11s" >>>>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>>71 string =NO\ NAME \b, unlabeled # additional tests for floppy image added by Joerg Jenderek # no fixed disk >>>>>21 ubyte !0xF8 # floppy media with 12 bit FAT >>>>>>54 string !FAT16 # test for FAT after bootsector >>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT # floppy image !:mime application/x-ima # NTFS specific added by Joerg Jenderek at Mar 2011 according to http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm # and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html # 0 FATs >>>>>16 ubyte =0 # 0 root entries >>>>>>17 uleshort =0 # 0 DOS sectors >>>>>>>19 uleshort =0 # 0 sectors/FAT # dos < 4.0 BootSector value found is 0x80 #38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x) >>>>>>>>22 uleshort =0 \b; NTFS >>>>>>>>>24 uleshort >0 \b, sectors/track %u >>>>>>>>>36 ulelong !0x800080 \b, physical drive 0x%x >>>>>>>>>40 ulequad >0 \b, sectors %lld >>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld >>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld # Values 0 to 127 represent MFT record sizes of 0 to 127 clusters. # Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. >>>>>>>>>64 lelong <256 >>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d >>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) # Values 0 to 127 represent index block sizes of 0 to 127 clusters. # Values 128 to 255 represent index block sizes of 2^(256-N) byte >>>>>>>>>68 ulelong <256 >>>>>>>>>>68 ulelong <128 \b, clusters/index block %d #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) >>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx >>>>>>>>>80 ulelong >0 \b, checksum 0x%x #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) >>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 >>>>>>>>>>&-92 indirect x \b; contains # For 2nd NTFS sector added by Joerg Jenderek at Jan 2013 # http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm # unused assembler instructions JMP y2;NOP;NOP 0x056 ulelong&0xFFFF0FFF 0x909002EB # unicode loadername terminated by CTRL-D >(0.s*2) ulelong&0xFFFFFF00 0x00040000 # loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR >>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s >>0x12 string $ >>>0x0c lestring16 x \b%-2.2s ### DOS,NTFS boot sectors end
# ntfsclone-image is a special save format for NTFS volumes, # created and restored by the ntfsclone program 0 string \0ntfsclone-image ntfsclone image, >0x10 byte x version %d. >0x11 byte x \b%d, >0x12 lelong x cluster size %d, >0x16 lequad x device size %lld, >0x1e lequad x %lld total clusters, >0x26 lequad x %lld clusters in use
9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, >8401 byte x clean flag %d, >8228 lelong x number of blocks %d, >8232 lelong x number of data blocks %d, >8236 lelong x number of cylinder groups %d, >8240 lelong x block size %d, >8244 lelong x fragment size %d, >8252 lelong x minimum percentage of free blocks %d, >8256 lelong x rotational delay %dms, >8260 lelong x disk rotational speed %drps, >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization
42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 leqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 lequad x number of blocks %lld, >&-288 lequad x number of data blocks %lld, >&-1332 lelong x number of cylinder groups %d, >&-1328 lelong x block size %d, >&-1324 lelong x fragment size %d, >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, >&-264 lelong x pending inodes to free %d, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization >&-1248 lelong 1 SPACE optimization
66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 leqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 lequad x number of blocks %lld, >&-288 lequad x number of data blocks %lld, >&-1332 lelong x number of cylinder groups %d, >&-1328 lelong x block size %d, >&-1324 lelong x fragment size %d, >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, >&-264 lelong x pending inodes to free %d, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization >&-1248 lelong 1 SPACE optimization
9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), >7168 belong 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, >8404 string x last mounted on %s, #>9504 bedate x last checked at %s, >8224 bedate x last written at %s, >8401 byte x clean flag %d, >8228 belong x number of blocks %d, >8232 belong x number of data blocks %d, >8236 belong x number of cylinder groups %d, >8240 belong x block size %d, >8244 belong x fragment size %d, >8252 belong x minimum percentage of free blocks %d, >8256 belong x rotational delay %dms, >8260 belong x disk rotational speed %drps, >8320 belong 0 TIME optimization >8320 belong 1 SPACE optimization
42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 beqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 bequad x number of blocks %lld, >&-288 bequad x number of data blocks %lld, >&-1332 belong x number of cylinder groups %d, >&-1328 belong x block size %d, >&-1324 belong x fragment size %d, >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, >&-264 belong x pending inodes to free %d, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization >&-1248 belong 1 SPACE optimization
66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 beqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 bequad x number of blocks %lld, >&-288 bequad x number of data blocks %lld, >&-1332 belong x number of cylinder groups %d, >&-1328 belong x block size %d, >&-1324 belong x fragment size %d, >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, >&-264 belong x pending inodes to free %d, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization >&-1248 belong 1 SPACE optimization
0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), >0x90 lelong+1 x volume %d >0x94 lelong x (of %d), >0x50 string x name %s, >0x98 ulelong x version %u, >0xa0 ulelong x flags 0x%x
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca> # ext4 filesystem - Eric Sandeen <sandeen@sandeen.net> # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 0x438 leshort 0xEF53 Linux >0x44c lelong x rev %d >0x43e leshort x \b.%d # No journal? ext2 >0x45c lelong ^0x0000004 ext2 filesystem data >>0x43a leshort ^0x0000001 (mounted or unclean) # Has a journal? ext3 or ext4 >0x45c lelong &0x0000004 # and small INCOMPAT? >>0x460 lelong <0x0000040 # and small RO_COMPAT? >>>0x464 lelong <0x0000008 ext3 filesystem data # else large RO_COMPAT? >>>0x464 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? >>0x460 lelong >0x000003f ext4 filesystem data >0x468 belong x \b, UUID=%08x >0x46c beshort x \b-%04x >0x46e beshort x \b-%04x >0x470 beshort x \b-%04x >0x472 belong x \b-%08x >0x476 beshort x \b%04x >0x478 string >0 \b, volume name "%s" # General flags for any ext* fs >0x460 lelong &0x0000004 (needs journal recovery) >0x43a leshort &0x0000002 (errors) # INCOMPAT flags >0x460 lelong &0x0000001 (compressed) #>0x460 lelong &0x0000002 (filetype) #>0x460 lelong &0x0000010 (meta bg) >0x460 lelong &0x0000040 (extents) >0x460 lelong &0x0000080 (64bit) #>0x460 lelong &0x0000100 (mmp) #>0x460 lelong &0x0000200 (flex bg) # RO_INCOMPAT flags #>0x464 lelong &0x0000001 (sparse super) >0x464 lelong &0x0000002 (large files) >0x464 lelong &0x0000008 (huge files) #>0x464 lelong &0x0000010 (gdt checksum) #>0x464 lelong &0x0000020 (many subdirs) #>0x463 lelong &0x0000040 (extra isize)
# f2fs filesystem - Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> 0x400 lelong 0xF2F52010 F2FS filesystem >0x46c belong x \b, UUID=%08x >0x470 beshort x \b-%04x >0x472 beshort x \b-%04x >0x474 beshort x \b-%04x >0x476 belong x \b-%08x >0x47a beshort x \b%04x >0x147c lestring16 x \b, volume name "%s"
# SGI disk labels - Nathan Scott <nathans@debian.org> 0 belong 0x0BE5A941 SGI disk label (volume header)
# SGI XFS filesystem - Nathan Scott <nathans@debian.org> 0 belong 0x58465342 SGI XFS filesystem data >0x4 belong x (blksz %d, >0x68 beshort x inosz %d, >0x64 beshort ^0x2004 v1 dirs) >0x64 beshort &0x2004 v2 dirs)
############################################################################ # Minix-ST kernel floppy 0x800 belong 0x46fc2700 Atari-ST Minix kernel image # http://en.wikipedia.org/wiki/BIOS_parameter_block # floppies with valid BPB and any instruction at beginning >19 string \240\005\371\005\0\011\0\2\0 \b, 720k floppy >19 string \320\002\370\005\0\011\0\1\0 \b, 360k floppy
############################################################################ # Hmmm, is this a better way of detecting _standard_ floppy images ? 19 string \320\002\360\003\0\011\0\1\0 DOS floppy 360k >0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector 19 string \240\005\371\003\0\011\0\2\0 DOS floppy 720k >0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector 19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k >0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector
19 string \240\005\371\005\0\011\0\2\0 DOS floppy 720k, IBM >0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector 19 string \100\013\371\005\0\011\0\2\0 DOS floppy 1440k, mkdosfs >0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector
# Valid media descriptor bytes for MS-DOS: # # Byte Capacity Media Size and Type # ------------------------------------------------- # # F0 2.88 MB 3.5-inch, 2-sided, 36-sector # F0 1.44 MB 3.5-inch, 2-sided, 18-sector # F9 720K 3.5-inch, 2-sided, 9-sector # F9 1.2 MB 5.25-inch, 2-sided, 15-sector # FD 360K 5.25-inch, 2-sided, 9-sector # FF 320K 5.25-inch, 2-sided, 8-sector # FC 180K 5.25-inch, 1-sided, 9-sector # FE 160K 5.25-inch, 1-sided, 8-sector # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density # F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # # Originally a bitmap: # xxxxxxx0 Not two sided # xxxxxxx1 Double sided # xxxxxx0x Not 8 SPT # xxxxxx1x 8 SPT # xxxxx0xx Not Removable drive # xxxxx1xx Removable drive # 11111xxx Must be one. # # But now it's rather random: # 111111xx Low density disk # 00 SS, Not 8 SPT # 01 DS, Not 8 SPT # 10 SS, 8 SPT # 11 DS, 8 SPT # # 11111001 Double density 3 1/2 floppy disk, high density 5 1/4 # 11110000 High density 3 1/2 floppy disk # 11111000 Hard disk any format #
# all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 # http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions # Too Weak. #512 ubelong&0xE0ffff00 0xE0ffff00 # without valid Media descriptor in place of BPB, cases with are done at other places #>21 ubyte <0xE5 floppy with old FAT filesystem # but valid Media descriptor at begin of FAT #>>512 ubyte =0xed 720k #>>512 ubyte =0xf0 1440k #>>512 ubyte =0xf8 720k #>>512 ubyte =0xf9 1220k #>>512 ubyte =0xfa 320k #>>512 ubyte =0xfb 640k #>>512 ubyte =0xfc 180k # look like an an old DOS directory entry #>>>0xA0E ubequad 0 #>>>>0xA00 ubequad !0 #!:mime application/x-ima #>>512 ubyte =0xfd # look for 2nd FAT at different location to distinguish between 360k and 500k #>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k #>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k #>>>0xA0E ubequad 0 #!:mime application/x-ima #>>512 ubyte =0xfe #>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k #>>>>0x60E ubequad 0 #>>>>>0x600 ubequad !0 #!:mime application/x-ima #>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k #>>512 ubyte =0xff 320k #>>>0x60E ubequad 0 #>>>>0x600 ubequad !0 #!:mime application/x-ima #>>512 ubyte x \b, Media descriptor 0x%x # without x86 jump instruction #>>0 ulelong&0x804000E9 !0x000000E9 # assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV #>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader # IOSYS.COM+MSDOS.COM #>>>>0xc4 use 2xDOS-filename #>>0 ulelong&0x804000E9 =0x000000E9 # only x86 short jump instruction found #>>>0 ubyte =0xEB #>>>>1 ubyte x \b, code offset 0x%x+2 # http://thestarman.pcministry.com/DOS/ibm100/Boot.htm # assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 #>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader # ibmbio.com+ibmdos.com #>>>>>0x176 use DOS-filename #>>>>>0x181 ubyte x \b+ #>>>>>0x182 use DOS-filename # http://thestarman.pcministry.com/DOS/ibm110/Boot.htm # assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV #>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader # ibmbio.com+ibmdos.com #>>>>>0x18b use DOS-filename #>>>>>0x196 ubyte x \b+ #>>>>>0x197 use DOS-filename # http://en.wikipedia.org/wiki/Zenith_Data_Systems # assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 #>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x20 use 2xDOS-filename # http://en.wikipedia.org/wiki/Corona_Data_Systems # assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; #>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x69 use 2xDOS-filename # assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; #>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader # defect IO.SYS+MSDOS.SYS ? #>>>>>0x162 use 2xDOS-filename
0 name cdrom >38913 string !NSR0 ISO 9660 CD-ROM filesystem data !:mime application/x-iso9660-image !:ext iso/iso9660 >38913 string NSR0 UDF filesystem data !:mime application/x-iso9660-image !:ext iso/udf >>38917 string 1 (version 1.0) >>38917 string 2 (version 1.5) >>38917 string 3 (version 2.0) >>38917 byte >0x33 (unknown version, ID 0x%X) >>38917 byte <0x31 (unknown version, ID 0x%X) # The next line is not necessary because the MBR staff is done looking for boot signature >0x1FE leshort 0xAA55 (DOS/MBR boot sector) # "application id" which appears to be used as a volume label >32808 string/T >\0 '%s' >34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) !:mime application/x-iso9660-image 32777 string CDROM High Sierra CD-ROM filesystem data
# CDROM Filesystems # https://en.wikipedia.org/wiki/ISO_9660 # Modified for UDF by gerardo.cacciari@gmail.com 32769 string CD001 # mime line at that position does not work # to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51) #!:strength -11 # to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51) !:strength +35 >0 use cdrom
# URL: https://en.wikipedia.org/wiki/NRG_(file_format) # Reference: https://dl.opendesktop.org/api/files/download/id/1460731811/ # 11577-mount-iso-0.9.5.tar.bz2/mount-iso-0.9.5/install.sh # From: Joerg Jenderek # Note: Only for nero disc with once (DAO) type after 300 KB header 339969 string CD001 Nero CD image at 0x4B000 !:mime application/x-nrg !:ext nrg >307200 use cdrom
# .cso files # Reference: http://pismotec.com/ciso/ciso.h # NOTE: There are two other formats with the same magic but # completely incompatible specifications: # - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h # - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h 0 string CISO # Other fields are used to determine what type of CISO this is: # - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) # - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) # - None of the above: Compact ISO. >4 lelong !0 >>4 lelong !0x200000 >>>0x10 lelong !0x800 Compressed ISO CD image
# cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian >4 lelong x size %u >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support >32 lelong x CRC 0x%x, >36 lelong x edition %u, >40 lelong x %u blocks, >44 lelong x %u files
0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian >4 belong x size %u >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support >32 belong x CRC 0x%x, >36 belong x edition %u, >40 belong x %u blocks, >44 belong x %u files
# JFFS2 file system 0 leshort 0x1984 Linux old jffs2 filesystem data little endian 0 beshort 0x1984 Linux old jffs2 filesystem data big endian 0 leshort 0x1985 Linux jffs2 filesystem data little endian 0 beshort 0x1985 Linux jffs2 filesystem data big endian
# Squashfs 0 string sqsh Squashfs filesystem, big endian, >28 beshort x version %d. >30 beshort x \b%d, >28 beshort <3 >>8 belong x %d bytes, >28 beshort >2 >>28 beshort <4 >>>63 bequad x %lld bytes, >>28 beshort >3 >>>40 bequad x %lld bytes, #>>67 belong x %d bytes, >4 belong x %d inodes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort >1 >>28 beshort <4 >>>51 belong x blocksize: %d bytes, >>28 beshort >3 >>>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s 0 string hsqs Squashfs filesystem, little endian, >28 leshort x version %d. >30 leshort x \b%d, >28 leshort <3 >>8 lelong x %d bytes, >28 leshort >2 >>28 leshort <4 >>>63 lequad x %lld bytes, >>28 leshort >3 >>>40 lequad x %lld bytes, #>>63 lelong x %d bytes, >4 lelong x %d inodes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort >1 >>28 leshort <4 >>>51 lelong x blocksize: %d bytes, >>28 leshort >3 >>>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s
# AFS Dump Magic # From: Ty Sarna <tsarna@sarna.org> 0 string \x01\xb3\xa1\x13\x22 AFS Dump >&0 belong x (v%d) >>&0 byte 0x76 >>>&0 belong x Vol %d, >>>>&0 byte 0x6e >>>>>&0 string x %s >>>>>>&1 byte 0x74 >>>>>>>&0 beshort 2 >>>>>>>>&4 bedate x on: %s >>>>>>>>&0 bedate =0 full dump >>>>>>>>&0 bedate !0 incremental since: %s
#---------------------------------------------------------- #delta ISO Daniel Novotny (dnovotny@redhat.com) 0 string DISO Delta ISO data !:strength +50 >4 belong x version %d
# VMS backup savesets - gerardo.cacciari@gmail.com # 4 string \x01\x00\x01\x00\x01\x00 >(0.s+16) string \x01\x01 >>&(&0.b+8) byte 0x42 OpenVMS backup saveset data >>>40 lelong x (block size %d, >>>49 string >\0 original name '%s', >>>2 short 1024 VAX generated) >>>2 short 2048 AXP generated) >>>2 short 4096 I64 generated)
# Summary: Oracle Clustered Filesystem # Created by: Aaron Botsis <redhat@digitalmafia.org> 8 string OracleCFS Oracle Clustered Filesystem, >4 long x rev %d >0 long x \b.%d, >560 string x label: %.64s, >136 string x mountpoint: %.128s
# Summary: Oracle ASM tagged volume # Created by: Aaron Botsis <redhat@digitalmafia.org> 32 string ORCLDISK Oracle ASM Volume, >40 string x Disk Name: %0.12s 32 string ORCLCLRD Oracle ASM Volume (cleared), >40 string x Disk Name: %0.12s
# Oracle Clustered Filesystem - Aaron Botsis <redhat@digitalmafia.org> 8 string OracleCFS Oracle Clustered Filesystem, >4 long x rev %d >0 long x \b.%d, >560 string x label: %.64s, >136 string x mountpoint: %.128s
# Oracle ASM tagged volume - Aaron Botsis <redhat@digitalmafia.org> 32 string ORCLDISK Oracle ASM Volume, >40 string x Disk Name: %0.12s 32 string ORCLCLRD Oracle ASM Volume (cleared), >40 string x Disk Name: %0.12s
#------------------------------------------------------------------------------ # Files-11 On-Disk Structure (File system for various RSX-11 and VMS flavours). # These bits come from LBN 1 (home block) of ODS-1, ODS-2 and ODS-5 volumes, # which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com # 1008 string DECFILE11 Files-11 On-Disk Structure >525 byte x (ODS-%d); >1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system; >1017 string B >>525 byte 2 VAX/VMS or OpenVMS file system; >>525 byte 5 OpenVMS Alpha or Itanium file system; >984 string x volume label is '%-12.12s'
# From: Thomas Klausner <wiz@NetBSD.org> # http://filext.com/file-extension/DAA # describes the daa file format. The magic would be: 0 string DAA\x0\x0\x0\x0\x0 PowerISO Direct-Access-Archive
# From Eric Sandeen # GFS2 0x10000 belong 0x01161970 >0x10018 belong 0x0000051d GFS1 Filesystem >>0x10024 belong x (blocksize %d, >>0x10060 string >\0 lockproto %s) >0x10018 belong 0x00000709 GFS2 Filesystem >>0x10024 belong x (blocksize %d, >>0x10060 string >\0 lockproto %s)
# Russell Coker <russell@coker.com.au> 0x10040 string _BHRfS_M BTRFS Filesystem >0x1012b string >\0 label "%s", >0x10090 lelong x sectorsize %d, >0x10094 lelong x nodesize %d, >0x10098 lelong x leafsize %d, >0x10020 belong x UUID=%08x- >0x10024 beshort x \b%04x- >0x10026 beshort x \b%04x- >0x10028 beshort x \b%04x- >0x1002a beshort x \b%04x >0x1002c belong x \b%08x, >0x10078 lequad x %lld/ >0x10070 lequad x \b%lld bytes used, >0x10088 lequad x %lld devices
# dvdisaster's .ecc # From: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string *dvdisaster* dvdisaster error correction file
# xfs metadump image # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM >0x200 string XFSB XFS filesystem metadump image
# Type: xfs metadump image # From: Daniel Novotny <dnovotny@redhat.com> # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM >0x200 string XFSB XFS filesystem metadump image
# Type: delta ISO # From: Daniel Novotny <dnovotny@redhat.com> 0 string DISO Delta ISO data, >4 belong x version %d
# JFS2 (Journaling File System) image. (Old JFS1 has superblock at 0x1000.) # See linux/fs/jfs/jfs_superblock.h for layout; see jfs_filsys.h for flags. # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0x8000 string JFS1 # Because it's text-only magic, check a binary value (version) to be sure. # Should always be 2, but mkfs.jfs writes it as 1. Needs to be 2 or 1 to be # mountable. >&0 lelong <3 JFS2 filesystem image # Label is followed by a UUID; we have to limit string length to avoid # appending the UUID in the case of a 16-byte label. >>&144 regex [\x20-\x7E]{1,16} (label "%s") >>&0 lequad x \b, %lld blocks >>&8 lelong x \b, blocksize %d >>&32 lelong&0x00000006 >0 (dirty) >>&36 lelong >0 (compressed)
# LFS 0 lelong 0x070162 LFS filesystem image >4 lelong 1 version 1, >>8 lelong x \b blocks %u, >>12 lelong x \b blocks per segment %u, >4 lelong 2 version 2, >>8 lelong x \b fragments %u, >>12 lelong x \b bytes per segment %u, >16 lelong x \b disk blocks %u, >20 lelong x \b block size %u, >24 lelong x \b fragment size %u, >28 lelong x \b fragments per block %u, >32 lelong x \b start for free list %u, >36 lelong x \b number of free blocks %d, >40 lelong x \b number of files %u, >44 lelong x \b blocks available for writing %d, >48 lelong x \b inodes in cache %d, >52 lelong x \b inode file disk address 0x%x, >56 lelong x \b inode file inode number %u, >60 lelong x \b address of last segment written 0x%x, >64 lelong x \b address of next segment to write 0x%x, >68 lelong x \b address of current segment written 0x%x
0 string td\000 floppy image data (TeleDisk, compressed) 0 string TD\000 floppy image data (TeleDisk)
0 string CQ\024 floppy image data (CopyQM, >16 leshort x %d sectors, >18 leshort x %d heads.)
0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk)
0 beshort 0xAA58 floppy image data (IBM SaveDskF, old) 0 beshort 0xAA59 floppy image data (IBM SaveDskF) 0 beshort 0xAA5A floppy image data (IBM SaveDskF, compressed)
0 string \074CPM_Disk\076 disk image data (YAZE)
# ReFS # Richard W.M. Jones <rjones@redhat.com> 0 string \0\0\0ReFS\0 ReFS filesystem image
# HDD Raw Copy Tool disk image, file extension: .imgc # From Benjamin Vanheuverzwijn <bvanheu@gmail.com> 0 pstring HDD\ Raw\ Copy\ Tool %s >0x100 pstring x %s >0x200 pstring x - HD model: %s #>0x300 pstring x unknown %s >0x400 pstring x serial: %s #>0x500 pstring x unknown: %s !:ext imgc
>0 string F >>8 byte&0xfd 0x08 Macromedia Flash data !:mime application/x-shockwave-flash >>>3 byte x \b, version %d >>8 byte&0xfe 0x10 Macromedia Flash data !:mime application/x-shockwave-flash >>>3 byte x \b, version %d >>8 byte 0x18 Macromedia Flash data !:mime application/x-shockwave-flash >>>3 byte x \b, version %d >>8 beshort&0xff87 0x2000 Macromedia Flash data !:mime application/x-shockwave-flash >>>3 byte x \b, version %d >>8 beshort&0xffe0 0x3000 Macromedia Flash data !:mime application/x-shockwave-flash >>>3 byte x \b, version %d >>8 byte&0x7 0 >>>8 ubyte >0x2f >>>>9 ubyte <0x20 Macromedia Flash data !:mime application/x-shockwave-flash >>>>>3 byte x \b, version %d
>0 string C >>8 byte 0x78 Macromedia Flash data (compressed) !:mime application/x-shockwave-flash >>>3 byte x \b, version %d
>0 string Z >>8 byte 0x5d Macromedia Flash data (lzma compressed) !:mime application/x-shockwave-flash >>>3 byte x \b, version %d
#------------------------------------------------------------------------------ # $File: fonts,v 1.38 2017/11/14 15:48:36 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text 0 short 0436 Berkeley vfont data 0 short 017001 byte-swapped Berkeley vfont data
# PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com 0 string %!PS-AdobeFont-1. PostScript Type 1 font text >20 string >\0 (%s) 6 string %!PS-AdobeFont-1. PostScript Type 1 font program data 0 string %!FontType1 PostScript Type 1 font program data 6 string %!FontType1 PostScript Type 1 font program data 0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text
# Summary: PostScript Type 1 Printer Font Metrics # URL: https://en.wikipedia.org/wiki/PostScript_fonts # Reference: http://partners.adobe.com/public/developer/en/font/5178.PFM.pdf # Modified by: Joerg Jenderek # Note: moved from ./msdos magic # dfVersion 256=0100h 0 uleshort 0x0100 # GRR: line above is too general as it catches also TrueType font, # raw G3 data FAX, WhatsApp encrypted and Panorama database # dfType 129=0081h >66 uleshort 0x0081 # dfVertRes 300=012Ch not needed as additional test #>>70 uleshort 0x012c # dfHorizRes 300=012Ch #>>>72 uleshort 0x012c # dfDriverInfo points to postscript information section >>(101.l) string/c Postscript Printer Font Metrics # above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID !:mime application/x-font-pfm # AppleShare Print Server #!:apple ASPS???? !:ext pfm # dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking #>>>6 string >\060 - %-.60s # dfDriverInfo >>>139 ulelong >0 # often abbreviated and same as filename >>>>(139.l) string x %s # dfSize >>>2 ulelong x \b, %d bytes # dfFace 210=D2h 9Eh >>>105 ulelong >0 # Windows font name >>>>(105.l) string x \b, %s # dfItalic >>>80 ubyte 1 italic # dfUnderline >>>81 ubyte 1 underline # dfStrikeOut >>>82 ubyte 1 strikeout # dfWeight 400=0x0190 300=0x012c 500=0x01f4 600=0x0258 700=0x02bc >>>83 uleshort >699 bold # dfPitchAndFamily 16 17 48 49 64 65 >>>90 ubyte 16 serif >>>90 ubyte 17 serif proportional #>>>90 ubyte 48 other >>>90 ubyte 49 proportional >>>90 ubyte 64 script >>>90 ubyte 65 script proportional
# X11 font files in SNF (Server Natural Format) format # updated by Joerg Jenderek at Feb 2013 # http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm 0 belong 00000004 X11 SNF font data, MSB first #>104 belong 00000004 X11 SNF font data, MSB first !:mime application/x-font-sfn # GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX 0 lelong 00000004 >104 lelong 00000004 X11 SNF font data, LSB first !:mime application/x-font-sfn
# X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 STARTFONT\ X11 BDF font text
# From: Joerg Jenderek # URL: http://grub.gibibit.com/New_font_format # Reference: util/grub-mkfont.c # include/grub/fontformat.h # FONT_FORMAT_SECTION_NAMES_FILE 0 string FILE # FONT_FORMAT_PFF2_MAGIC >8 string PFF2 # leng 4 only at the moment >>4 ubelong 4 # FONT_FORMAT_SECTION_NAMES_FONT_NAME >>>12 string NAME GRUB2 font !:mime application/x-font-pf2 !:ext pf2 # length of font_name >>>>16 ubelong >0 # font_name >>>>>20 string >\0 "%-s"
# X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) # PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) 0 string \001fcp X11 Portable Compiled Font data, >12 lelong ^0x08 bit: LSB, >12 lelong &0x08 bit: MSB, >12 lelong ^0x04 byte: LSB first >12 lelong &0x04 byte: MSB first 0 string D1.0\015 X11 Speedo font data
#------------------------------------------------------------------------------ # FIGlet fonts and controlfiles # From figmagic supplied with Figlet version 2.2 # "David E. O'Brien" <obrien@FreeBSD.ORG> 0 string flf FIGlet font >3 string >2a version %-2.2s 0 string flc FIGlet controlfile >3 string >2a version %-2.2s
# libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu) # Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++ 0 belong 0x14025919 libGrx font data, >8 leshort x %dx >10 leshort x \b%d >40 string x %s # Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) 0 belong 0xff464f4e DOS code page font data collection 7 belong 0x00454741 DOS code page font data 7 belong 0x00564944 DOS code page font data (from Linux?) 4098 string DOSFONT DOSFONT2 encrypted font data
# downloadable fonts for browser (prints type) anthon@mnt.org # https://tools.ietf.org/html/rfc3073 0 string PFR1 Portable Font Resource font data (new) >102 string >0 \b: %s 0 string PFR0 Portable Font Resource font data (old) >4 beshort >0 version %d
# True Type fonts # Modified by: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/TrueType # Reference: https://developer.apple.com/fonts/TrueType-Reference-Manual/ # # sfnt version "typ1" used by some Apple, but no example found 0 string typ1 >0 use sfnt-font >0 use sfnt-names # sfnt version "true" used by some Apple 0 string true >0 use sfnt-font >0 use sfnt-names # GRR: below test is too general # sfnt version often 0x00010000 0 string \000\001\000\000 >0 use sfnt-font >0 use sfnt-names # validate and display sfnt font data like number of tables 0 name sfnt-font # file 5.30 version assumes 00FFh as maximal number of tables #>4 ubeshort <0x0100 # maximal 27 tables found like in Skia.ttf # 46 different table names mentioned on Apple specification # skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number >4 ubeshort <47 # skip bad examples with garbage table names like in a5.show HYPERC MAC # tag names consist of up to four characters padded with spaces at end like # BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... >>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ] #>>>0 ubelong x \b, sfnt version 0x%x >>>0 ubelong !0x4f54544f TrueType !:mime application/font-sfnt #!:mime font/ttf !:apple ????tfil # .ttf for TrueType font # EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe !:ext ttf/tte # sfnt version 4F54544Fh~OTTO >>>0 ubelong =0x4f54544f OpenType !:mime application/font-sfnt #!:mime font/otf !:apple ????OTTO !:ext otf >>>0 ubelong x Font data # DSIG=44454947h table name implies a digitally signed font # search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432 >>>12 search/432 DSIG \b, digitally signed >>>4 ubeshort x \b, %d tables # minimal 9 tables found like in NISC18030.ttf #>>>4 ubeshort <10 TMIN #>>>4 ubeshort >24 TBIG # table directory entries >>>12 string x \b, 1st "%4.4s"
# search and display 1st name in sfnt font which is often copyright text # does not work inside font collections 0 name sfnt-names # search for naming table >12 search/432/s name # biggest offset 0x0100bd28 like Windows10 Fonts\simsunb.ttf #>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET >>&8 ubelong >0x00100000 # offset of name table >>>&-4 ubelong x \b, name offset 0x%x # GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h >>&8 ubelong <0x00100000 >>>&-16 ubelong x # name table >>>>(&8.L) ubequad x # invalid format selector #>>>>>&-8 ubeshort !0 \b, invalid selector %x # minimal 3 name records found like in c:\Program Files (x86)\Tesseract-OCR\tessdata\pdf.ttf # maximal 1227 name records found like in Apple Chancery.ttf #>>>>>&-6 ubeshort <0x4 mincount #>>>>>&-6 ubeshort >130 maxcount >>>>>&-6 ubeshort x \b, %d names # offset to start of string storage from start of table #>>>>>&-4 ubeshort x \b, record offset %d # 1st name record # string offset from start of storage area #>>>>>&8 ubeshort x \b, string offset %d # string length #>>>>>&6 ubeshort x \b, string length %d # minimal name string 7 like in c:\Program Files (x86)\Kodi\addons\webinterface.default\lib\video-js\font\VideoJS.ttf # also found 0 like in SWZCONLN.TTF #>>>>>&6 ubeshort <8 MIN STRING # maximal name string 806 like in c:\Windows\Fonts\palabi.ttf #>>>>>&6 ubeshort >805 MAX STRING # platform identifier: 0~Apple Unicode, 1~Macintosh, 3~Microsoft #>>>>>&-2 ubeshort >3 BAD PLATFORM >>>>>&-2 ubeshort 0 \b, Unicode >>>>>&-2 ubeshort 1 \b, Macintosh >>>>>&-2 ubeshort 3 \b, Microsoft # languageID (0~english Macintosh, 0409h~english Microsoft, ...) >>>>>&2 ubeshort >0 \b, language 0x%x # name identifiers # often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ... >>>>>&4 ubeshort >0 \b, type %d string # platform specific encoding: # 0~undefined character set, 1~UGL set with Unicode, 3~Unicode 2.0 BMP only, 4~Unicode 2.0 #>>>>>&0 ubeshort x \b, %d encoding >>>>>&0 ubeshort 0 # handle only name string offset 0 because do not know how to add 2 relative offsets >>>>>>&6 ubeshort 0 >>>>>>>&(&-14.S-18) ubyte !0 # GRR: instead 806 only first MAXstring = 96 characters are displayed as defined in src\file.h # often copyright string that starts like \251 2006 The Monotype Corporation >>>>>>>>&-1 string x \b, %-11.96s # test for unicode string >>>>>>>&(&-14.S-18) ubyte 0 >>>>>>>>&0 lestring16 x \b, %-11.96s # unicode encoding >>>>>&0 ubeshort >0 >>>>>>&6 ubeshort 0 >>>>>>>&(&-14.S-17) lestring16 x \b, %-11.96s
0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font 0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font
# TrueType/OpenType font collections (.ttc) # URL: https://en.wikipedia.org/wiki/OpenType # http://www.microsoft.com/typography/otspec/otff.htm # Modified by: Joerg Jenderek # Note: container for TrueType, OpenType font 0 string ttcf # skip ASCII text >4 ubyte 0 # sfnt version often 0x00010000 of 1st table is TrueType >>(12.L) ubelong !0x4f54544f TrueType #!:mime font/ttf !:apple ????tfil !:ext ttc # sfnt version 4F54544Fh~OTTO of 1st table is OpenType font >>(12.L) ubelong =0x4f54544f OpenType #!:mime font/otf !:apple ????OTTO # no example found for otc !:ext ttc/otc >>4 ubyte x font collection data !:mime application/font-sfnt #!:mime font/collection # TCC version >>4 belong 0x00010000 \b, 1.0 >>4 belong 0x00020000 \b, 2.0 >>8 ubelong >0 \b, %d fonts # array offset size = fonts * offsetsize = fonts * 4 >>(8.L*4) ubequad x # 0x44454947 = 'DSIG' >>>&4 belong 0x44534947 \b, digitally signed # offset to 1st font >>12 ubelong x \b, at 0x%x # point to 1st font that starts with sfnt version >>(12.L) use sfnt-font
# Opentype font data from Avi Bercovich 0 string OTTO OpenType font data !:mime application/vnd.ms-opentype
# From: Alex Myczko <alex@aiei.ch> 0 string SplineFontDB: Spline Font Database !:mime application/vnd.font-fontforge-sfd >14 string x version %s
# EOT 0x40 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 >0x22 string LP Embedded OpenType (EOT) # workaround until there's lepstring16 # >>0x52 lepstring16/h >\0 \b, %s family >>0x52 short !0 >>>0x54 lestring16 x \b, %s family !:mime application/vnd.ms-fontobject
# Web Open Font Format (.woff) 0 name woff >4 belong 0x00010000 \b, TrueType >4 belong 0x4F54544F \b, CFF >4 belong 0x74727565 \b, TrueType >4 default x >>4 belong x \b, flavor %d >8 belong x \b, length %d #>12 beshort x \b, numTables %d #>14 beshort x \b, reserved %d #>16 belong x \b, totalSfntSize %d
# http://www.w3.org/TR/WOFF/ 0 string wOFF Web Open Font Format >0 use woff >20 beshort x \b, version %d >22 beshort x \b.%d # http://www.w3.org/TR/WOFF2/ 0 string wOF2 Web Open Font Format (Version 2) >0 use woff #>20 belong x \b, totalCompressedSize %d >24 beshort x \b, version %d >26 beshort x \b.%d
#------------------------------------------------------------------------------ # $File: fortran,v 1.10 2015/11/05 18:47:16 christos Exp $ # FORTRAN source # Check that the first 100 lines start with C or whitespace first. 0 regex/100l !\^[^Cc\ \t].*$ >0 regex/100l \^[Cc][\ \t] FORTRAN program text !:mime text/x-fortran !:strength - 5
#------------------------------------------------------------------------------ # $File: frame,v 1.13 2015/08/29 07:10:35 christos Exp $ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is # copyright, but this file is "published" as witness the following: # # Note that this is the Framemaker Maker Interchange Format, not the # Normal format which would be application/vnd.framemaker. # 0 string \<MakerFile FrameMaker document !:mime application/x-mif >11 string 5.5 (5.5 >11 string 5.0 (5.0 >11 string 4.0 (4.0 >11 string 3.0 (3.0 >11 string 2.0 (2.0 >11 string 1.0 (1.0 >14 byte x %c) 0 string \<MIFFile FrameMaker MIF (ASCII) file !:mime application/x-mif >9 string 4.0 (4.0) >9 string 3.0 (3.0) >9 string 2.0 (2.0) >9 string 1.0 (1.x) 0 search/1 \<MakerDictionary FrameMaker Dictionary text !:mime application/x-mif >17 string 3.0 (3.0) >17 string 2.0 (2.0) >17 string 1.0 (1.x) 0 string \<MakerScreenFont FrameMaker Font file !:mime application/x-mif >17 string 1.01 (%s) 0 string \<MML FrameMaker MML file !:mime application/x-mif 0 string \<BookFile FrameMaker Book file !:mime application/x-mif >10 string 3.0 (3.0 >10 string 2.0 (2.0 >10 string 1.0 (1.0 >13 byte x %c) # XXX - this book entry should be verified, if you find one, uncomment this #0 string \<Book\040 FrameMaker Book (ASCII) file #!:mime application/x-mif #>6 string 3.0 (3.0) #>6 string 2.0 (2.0) #>6 string 1.0 (1.0) 0 string \<Maker\040Intermediate\040Print\040File FrameMaker IPL file !:mime application/x-mif
#------------------------------------------------------------------------------ # $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $ # freebsd: file(1) magic for FreeBSD objects # # All new-style FreeBSD magic numbers are in host byte order (i.e., # little-endian on x86). # # XXX - this comes from the file "freebsd" in a recent FreeBSD version of # "file"; it, and the NetBSD stuff in "netbsd", appear to use different # schemes for distinguishing between executable images, shared libraries, # and object files. # # FreeBSD says: # # Regardless of whether it's pure, demand-paged, or none of the # above: # # if the entry point is < 4096, then it's a shared library if # the "has run-time loader information" bit is set, and is # position-independent if the "is position-independent" bit # is set; # # if the entry point is >= 4096 (or >4095, same thing), then it's # an executable, and is dynamically-linked if the "has run-time # loader information" bit is set. # # On x86, NetBSD says: # # If it's neither pure nor demand-paged: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable; # # if it doesn't have that bit set, then: # # if it has the "is position-independent" bit set, it's # position-independent; # # if the entry point is non-zero, it's an executable, otherwise # it's an object file. # # If it's pure: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable, otherwise it's just an # executable. # # If it's demand-paged: # # if it has the "has run-time loader information" bit set, # then: # # if the entry point is < 4096, it's a shared library; # # if the entry point is = 4096 or > 4096 (i.e., >= 4096), # it's a dynamically-linked executable); # # if it doesn't have the "has run-time loader information" bit # set, then it's just an executable. # # (On non-x86, NetBSD does much the same thing, except that it uses # 8192 on 68K - except for "68k4k", which is presumably "68K with 4K # pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's # had 8K pages; dunno about MIPS.) # # I suspect the two will differ only in perverse and uninteresting cases # ("shared" libraries that aren't demand-paged and whose pages probably # won't actually be shared, executables with entry points <4096). # # I leave it to those more familiar with FreeBSD and NetBSD to figure out # what the right answer is (although using ">4095", FreeBSD-style, is # probably better than separately checking for "=4096" and ">4096", # NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged # executables using the NetBSD technique.) # 0 lelong&0377777777 041400407 FreeBSD/i386 >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped
# XXX gross hack to identify core files # cores start with a struct tss; we take advantage of the following: # byte 7: highest byte of the kernel stack pointer, always 0xfe # 8/9: kernel (ring 0) ss value, always 0x0010 # 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0 # 28: low order byte of the current PTD entry, always 0 since the # PTD is page-aligned # 7 string \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/i386 a.out core file >1039 string >\0 from '%s'
# /var/run/ld.so.hints # What are you laughing about? 0 lelong 011421044151 ld.so hints file (Little Endian >4 lelong >0 \b, version %d) >4 belong <1 \b) 0 belong 011421044151 ld.so hints file (Big Endian >4 belong >0 \b, version %d) >4 belong <1 \b)
# # Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities # 0 string SCRSHOT_ scrshot(1) screenshot, >8 byte x version %d, >9 byte 2 %d bytes in header, >>10 byte x %d chars wide by >>11 byte x %d chars high
#------------------------------------------------------------------------------ # $File: fsav,v 1.14 2017/03/17 21:35:28 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org)
#------------------------------------------------------------------------------ # $File: games,v 1.16 2017/10/19 16:40:37 christos Exp $ # games: file(1) for games
# Fabio Bonelli <fabiobonelli@libero.it> # Quake II - III data files 0 string IDP2 Quake II 3D Model file, >20 long x %u skin(s), >8 long x (%u x >12 long x %u), >40 long x %u frame(s), >16 long x Frame size %u bytes, >24 long x %u vertices/frame, >28 long x %u texture coordinates, >32 long x %u triangles/frame
0 string IBSP Quake >4 long 0x26 II Map file (BSP) >4 long 0x2E III Map file (BSP)
0 string IDS2 Quake II SP2 sprite file
#--------------------------------------------------------------------------- # Doom and Quake # submitted by Nicolas Patrois
0 string \xcb\x1dBoom\xe6\xff\x03\x01 Boom or linuxdoom demo # some doom lmp files don't match, I've got one beginning with \x6d\x02\x01\x01
24 string LxD\ 203 Linuxdoom save >0 string x , name=%s >44 string x , world=%s
# Quake
# Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/PAK # reference: https://quakewiki.org/wiki/.pak # GRR: line below is too general as it matches also Acorn PackDir compressed Archive # and Git pack ./revision 0 string PACK # real Quake examples like pak0.pak have only some hundreds like 150 files # So test for few files >8 ulelong <0x01000000 # in file version 5.32 test for null terminator is only true for # offset ~< FILE_BYTES_MAX = 1 MB defined in ../../src/file.h # look for null terminator of 1st entry name >>(4.l+55) ubyte 0 Quake I or II world or extension !:mime application/x-dzip !:ext pak #>>>8 ulelong x \b, table size %u # dividing this by entry size (64) gives number of files >>>8 ulelong/64 x \b, %u files # offset to the beginning of the file table >>>4 ulelong x \b, offset 0x%x # 1st file entry >>>(4.l) use pak-entry # 2nd file entry #>>>4 ulelong+64 x \b, offset 0x%x #>>>(4.l+64) use pak-entry # # display file table entry of Quake PAK archive 0 name pak-entry # normally entry start after header which implies offset 12 or higher >56 ulelong >11 # the offset from the beginning of pak to beginning of this entry file contents >>56 ulelong x at 0x%x # the size of file for this entry >>60 ulelong x %u bytes # 56 byte null-terminated entry name string includes path like maps/e1m1.bsp >>0 string x '%-.56s' # inspect entry content by jumping to entry offset >>(56) indirect x \b:
#0 string -1\x0a Quake I demo #>30 string x version %.4s #>61 string x level %s
#0 string 5\x0a Quake I save
# The levels
# Quake 1
0 string 5\x0aIntroduction Quake I save: start Introduction 0 string 5\x0athe_Slipgate_Complex Quake I save: e1m1 The slipgate complex 0 string 5\x0aCastle_of_the_Damned Quake I save: e1m2 Castle of the damned 0 string 5\x0athe_Necropolis Quake I save: e1m3 The necropolis 0 string 5\x0athe_Grisly_Grotto Quake I save: e1m4 The grisly grotto 0 string 5\x0aZiggurat_Vertigo Quake I save: e1m8 Ziggurat vertigo (secret) 0 string 5\x0aGloom_Keep Quake I save: e1m5 Gloom keep 0 string 5\x0aThe_Door_To_Chthon Quake I save: e1m6 The door to Chthon 0 string 5\x0aThe_House_of_Chthon Quake I save: e1m7 The house of Chthon 0 string 5\x0athe_Installation Quake I save: e2m1 The installation 0 string 5\x0athe_Ogre_Citadel Quake I save: e2m2 The ogre citadel 0 string 5\x0athe_Crypt_of_Decay Quake I save: e2m3 The crypt of decay (dopefish lives!) 0 string 5\x0aUnderearth Quake I save: e2m7 Underearth (secret) 0 string 5\x0athe_Ebon_Fortress Quake I save: e2m4 The ebon fortress 0 string 5\x0athe_Wizard's_Manse Quake I save: e2m5 The wizard's manse 0 string 5\x0athe_Dismal_Oubliette Quake I save: e2m6 The dismal oubliette 0 string 5\x0aTermination_Central Quake I save: e3m1 Termination central 0 string 5\x0aVaults_of_Zin Quake I save: e3m2 Vaults of Zin 0 string 5\x0athe_Tomb_of_Terror Quake I save: e3m3 The tomb of terror 0 string 5\x0aSatan's_Dark_Delight Quake I save: e3m4 Satan's dark delight 0 string 5\x0athe_Haunted_Halls Quake I save: e3m7 The haunted halls (secret) 0 string 5\x0aWind_Tunnels Quake I save: e3m5 Wind tunnels 0 string 5\x0aChambers_of_Torment Quake I save: e3m6 Chambers of torment 0 string 5\x0athe_Sewage_System Quake I save: e4m1 The sewage system 0 string 5\x0aThe_Tower_of_Despair Quake I save: e4m2 The tower of despair 0 string 5\x0aThe_Elder_God_Shrine Quake I save: e4m3 The elder god shrine 0 string 5\x0athe_Palace_of_Hate Quake I save: e4m4 The palace of hate 0 string 5\x0aHell's_Atrium Quake I save: e4m5 Hell's atrium 0 string 5\x0athe_Nameless_City Quake I save: e4m8 The nameless city (secret) 0 string 5\x0aThe_Pain_Maze Quake I save: e4m6 The pain maze 0 string 5\x0aAzure_Agony Quake I save: e4m7 Azure agony 0 string 5\x0aShub-Niggurath's_Pit Quake I save: end Shub-Niggurath's pit
# Quake DeathMatch levels
0 string 5\x0aPlace_of_Two_Deaths Quake I save: dm1 Place of two deaths 0 string 5\x0aClaustrophobopolis Quake I save: dm2 Claustrophobopolis 0 string 5\x0aThe_Abandoned_Base Quake I save: dm3 The abandoned base 0 string 5\x0aThe_Bad_Place Quake I save: dm4 The bad place 0 string 5\x0aThe_Cistern Quake I save: dm5 The cistern 0 string 5\x0aThe_Dark_Zone Quake I save: dm6 The dark zone
# Scourge of Armagon
0 string 5\x0aCommand_HQ Quake I save: start Command HQ 0 string 5\x0aThe_Pumping_Station Quake I save: hip1m1 The pumping station 0 string 5\x0aStorage_Facility Quake I save: hip1m2 Storage facility 0 string 5\x0aMilitary_Complex Quake I save: hip1m5 Military complex (secret) 0 string 5\x0athe_Lost_Mine Quake I save: hip1m3 The lost mine 0 string 5\x0aResearch_Facility Quake I save: hip1m4 Research facility 0 string 5\x0aAncient_Realms Quake I save: hip2m1 Ancient realms 0 string 5\x0aThe_Gremlin's_Domain Quake I save: hip2m6 The gremlin's domain (secret) 0 string 5\x0aThe_Black_Cathedral Quake I save: hip2m2 The black cathedral 0 string 5\x0aThe_Catacombs Quake I save: hip2m3 The catacombs 0 string 5\x0athe_Crypt__ Quake I save: hip2m4 The crypt 0 string 5\x0aMortum's_Keep Quake I save: hip2m5 Mortum's keep 0 string 5\x0aTur_Torment Quake I save: hip3m1 Tur torment 0 string 5\x0aPandemonium Quake I save: hip3m2 Pandemonium 0 string 5\x0aLimbo Quake I save: hip3m3 Limbo 0 string 5\x0athe_Edge_of_Oblivion Quake I save: hipdm1 The edge of oblivion (secret) 0 string 5\x0aThe_Gauntlet Quake I save: hip3m4 The gauntlet 0 string 5\x0aArmagon's_Lair Quake I save: hipend Armagon's lair
# Malice
0 string 5\x0aThe_Academy Quake I save: start The academy 0 string 5\x0aThe_Lab Quake I save: d1 The lab 0 string 5\x0aArea_33 Quake I save: d1b Area 33 0 string 5\x0aSECRET_MISSIONS Quake I save: d3b Secret missions 0 string 5\x0aThe_Hospital Quake I save: d10 The hospital (secret) 0 string 5\x0aThe_Genetics_Lab Quake I save: d11 The genetics lab (secret) 0 string 5\x0aBACK_2_MALICE Quake I save: d4b Back to Malice 0 string 5\x0aArea44 Quake I save: d1c Area 44 0 string 5\x0aTakahiro_Towers Quake I save: d2 Takahiro towers 0 string 5\x0aA_Rat's_Life Quake I save: d3 A rat's life 0 string 5\x0aInto_The_Flood Quake I save: d4 Into the flood 0 string 5\x0aThe_Flood Quake I save: d5 The flood 0 string 5\x0aNuclear_Plant Quake I save: d6 Nuclear plant 0 string 5\x0aThe_Incinerator_Plant Quake I save: d7 The incinerator plant 0 string 5\x0aThe_Foundry Quake I save: d7b The foundry 0 string 5\x0aThe_Underwater_Base Quake I save: d8 The underwater base 0 string 5\x0aTakahiro_Base Quake I save: d9 Takahiro base 0 string 5\x0aTakahiro_Laboratories Quake I save: d12 Takahiro laboratories 0 string 5\x0aStayin'_Alive Quake I save: d13 Stayin' alive 0 string 5\x0aB.O.S.S._HQ Quake I save: d14 B.O.S.S. HQ 0 string 5\x0aSHOWDOWN! Quake I save: d15 Showdown!
# Malice DeathMatch levels
0 string 5\x0aThe_Seventh_Precinct Quake I save: ddm1 The seventh precinct 0 string 5\x0aSub_Station Quake I save: ddm2 Sub station 0 string 5\x0aCrazy_Eights! Quake I save: ddm3 Crazy eights! 0 string 5\x0aEast_Side_Invertationa Quake I save: ddm4 East side invertationa 0 string 5\x0aSlaughterhouse Quake I save: ddm5 Slaughterhouse 0 string 5\x0aDOMINO Quake I save: ddm6 Domino 0 string 5\x0aSANDRA'S_LADDER Quake I save: ddm7 Sandra's ladder
0 string MComprHD MAME CHD compressed hard disk image, >12 belong x version %u
# doom - submitted by Jon Dowland
0 string =IWAD doom main IWAD data >4 lelong x containing %d lumps 0 string =PWAD doom patch PWAD data >4 lelong x containing %d lumps
# Build engine group files (Duke Nukem, Shadow Warrior, ...) # Extension: .grp # Created by: "Ganael Laplanche" <ganael.laplanche@martymac.org> 0 string KenSilverman Build engine group file >12 lelong x containing %d files
# Summary: Warcraft 3 save # Extension: .w3g # Created by: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string Warcraft\ III\ recorded\ game %s
# Summary: Warcraft 3 map # Extension: .w3m # Created by: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string HM3W Warcraft III map file
# Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data 0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar >4 regex [0-9]*\.[0-9]* version %s
0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data >3 byte x version %d . >4 byte x %d
# This corresponds to MB-System format 94, L-3/ELAC/SeaBeam XSE vendor # format. It is the format of our upgraded SeaBeam 2112 on R/V KNORR. 0 string $HSF XSE multibeam
# mb121 http://www.saic.com/maritime/gsf/ 8 string GSF-v SAIC generic sensor format (GSF) sonar data, >&0 regex [0-9]*\.[0-9]* version %s
# MGD77 - http://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm # mb161 9 string MGD77 MGD77 Header, Marine Geophysical Data Exchange Format
# MBSystem processing caches the mbinfo output 1 string Swath\ Data\ File: mbsystem info cache
# Caris John Hughes Clark format 0 string HDCS Caris multibeam sonar related data 1 string Start/Stop\ parameter\ header: Caris ASCII project summary
###################################################################### # # Visualization and 3D modeling # ######################################################################
# Geospatial Designs http://www.geospatialdesigns.com/surfer6_format.htm 0 string DSBB Surfer 6 binary grid file >4 leshort x \b, %d >6 leshort x \bx%d >8 ledouble x \b, minx=%g >16 ledouble x \b, maxx=%g >24 ledouble x \b, miny=%g >32 ledouble x \b, maxy=%g >40 ledouble x \b, minz=%g >48 ledouble x \b, maxz=%g
# magic for LAS format files # alex myczko <alex@aiei.ch> # http://www.asprs.org/wp-content/uploads/2010/12/LAS_1_3_r11.pdf 0 string LASF LIDAR point data records >24 byte >0 \b, version %u >25 byte >0 \b.%u >26 string >\0 \b, SYSID %s >58 string >\0 \b, Generating Software %s
# magic for PCD format files # alex myczko <alex@aiei.ch> # http://pointclouds.org/documentation/tutorials/pcd_file_format.php 0 string #\ .PCD Point Cloud Data
#------------------------------------------------------------------------------ # $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $ # GEOS files (Vidar Madsen, vidar@gimp.org) # semi-commonly used in embedded and handheld systems. 0 belong 0xc745c153 GEOS >40 byte 1 executable >40 byte 2 VMFile >40 byte 3 binary >40 byte 4 directory label >40 byte <1 unknown >40 byte >4 unknown >4 string >\0 \b, name "%s" #>44 short x \b, version %d #>46 short x \b.%d #>48 short x \b, rev %d #>50 short x \b.%d #>52 short x \b, proto %d #>54 short x \br%d #>168 string >\0 \b, copyright "%s"
#------------------------------------------------------------------------------ # $File: gimp,v 1.9 2014/04/30 21:41:02 christos Exp $ # GIMP Gradient: file(1) magic for the GIMP's gradient data files (.ggr) # by Federico Mena <federico@nuclecu.unam.mx>
0 string/t GIMP\ Gradient GIMP gradient data
# GIMP palette (.gpl) # From: Markus Heidelberg <markus.heidelberg@web.de> 0 string/t GIMP\ Palette GIMP palette data
#------------------------------------------------------------------------------ # XCF: file(1) magic for the XCF image format used in the GIMP (.xcf) developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu)
0 string gimp\ xcf GIMP XCF image data, !:mime image/x-xcf >9 string file version 0, >9 string v version >>10 string >\0 %s, >14 belong x %u x >18 belong x %u, >22 belong 0 RGB Color >22 belong 1 Greyscale >22 belong 2 Indexed Color >22 belong >2 Unknown Image Type.
#------------------------------------------------------------------------------ # XCF: file(1) magic for the patterns used in the GIMP (.pat), developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu)
20 string GPAT GIMP pattern data, >24 string x %s
#------------------------------------------------------------------------------ # XCF: file(1) magic for the brushes used in the GIMP (.gbr), developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu)
20 string GIMP GIMP brush data
# GIMP Curves File # From: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string #\040GIMP\040Curves\040File GIMP curve file
# Contributed by Josh Triplett # FIXME: Could be simplified if pstring supported two-byte counts 0 string GnomeKeyring\n\r\0\n GNOME keyring >&0 ubyte 0 \b, major version 0 >>&0 ubyte 0 \b, minor version 0 >>>&0 ubyte 0 \b, crypto type 0 (AES) >>>&0 ubyte >0 \b, crypto type %u (unknown) >>>&1 ubyte 0 \b, hash type 0 (MD5) >>>&1 ubyte >0 \b, hash type %u (unknown) >>>&2 ubelong 0xFFFFFFFF \b, name NULL >>>&2 ubelong !0xFFFFFFFF >>>>&-4 ubelong >255 \b, name too long for file's pstring type >>>>&-4 ubelong <256 >>>>>&-1 pstring x \b, name "%s" >>>>>>&0 ubeqdate x \b, last modified %s >>>>>>&8 ubeqdate x \b, created %s >>>>>>&16 ubelong &1 >>>>>>>&0 ubelong x \b, locked if idle for %u seconds >>>>>>&16 ubelong ^1 \b, not locked if idle >>>>>>&24 ubelong x \b, hash iterations %u >>>>>>&28 ubequad x \b, salt %llu >>>>>>&52 ubelong x \b, %u item(s)
# From: Alex Beregszaszi <alex@fsn.hu> 4 string gtktalog GNOME Catalogue (gtktalog) >13 string >\0 version %s
# GVariant Database file # By Elan Ruusamae <glen@delfi.ee> # https://github.com/GNOME/gvdb/blob/master/gvdb-format.h # It's always "GVariant", it's byte swapped on incompatible archs # See https://github.com/GNOME/gvdb/blob/master/gvdb-builder.c # file_builder_serialise() # http://developer.gnome.org/glib/2.34/glib-GVariant.html#GVariant 0 string GVariant GVariant Database file, # version is never filled. probably future extension >8 lelong x version %d # not sure are these usable, so commented out #>>16 lelong x start %d, #>>>20 lelong x end %d
# G-IR database made by gobject-introspect toolset, # http://live.gnome.org/GObjectIntrospection 0 string GOBJ\nMETADATA\r\n\032 G-IR binary database >16 byte x \b, v%d >17 byte x \b.%d >20 leshort x \b, %d entries >22 leshort x \b/%d local
#------------------------------------------------------------------------------ # $File: gnu,v 1.20 2018/02/24 16:11:23 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format # # GNU message catalog (.mo and .gmo files)
# Update: Joerg Jenderek # URL: https://www.gnu.org/software/gettext/manual/html_node/MO-Files.html # Reference: ftp://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.8.tar.gz/ # gettext-0.19.8.1/gettext-runtime/intl/gmo.h # Note: maybe call it like "GNU translation gettext machine object" 0 string \336\22\4\225 GNU message catalog (little endian), #0 ulelong 0x950412DE GNU-format message catalog data # TODO: write lines in such a way that code can also be called for big endian variant #>0 use gettext-object #0 name gettext-object >4 ulelong x revision !:mime application/x-gettext-translation # mo extension is also used for Easeus Partition Master PE32 executable module # like ConvertFatToNTFS.mo !:ext gmo/mo # only found three revision combinations 0.0 0.1 1.1 as unsigned 32-bit # major revision >4 ulelong/0xFFff x %u. # minor revision >4 ulelong&0x0000FFff x \b%u >>8 ulelong x \b, %u message # plural s >>8 ulelong >1 \bs # size of hashing table #>20 ulelong x \b, %u hash #>20 ulelong >1 \bes #>24 ulelong x at 0x%x # for revsion x.0 offset of table with originals is 1Ch if directly after header >4 ulelong&0x0000FFff =0 >>12 ulelong !0x1C \b, at 0x%x string table # but for x.1 table offset i found is 30h. That means directly after bigger header >4 ulelong&0x0000FFff >0 >>12 ulelong !0x30 \b, at 0x%x string table # The following variables are only used in .mo files with minor revision >= 1 # number of system dependent segments #>>28 ulelong x \b, %u segment #>>28 ulelong >1 \bs # offset of table describing system dependent segments #>>32 ulelong x at 0x%x # number of system dependent strings pairs >>36 ulelong x \b, %u sysdep message >>36 ulelong >1 \bs # offset of table with start offsets of original sysdep strings #>>40 ulelong x \b, at 0x%x sysdep strings # offset of table with start offsets of translated sysdep strings #>>44 ulelong x \b, at 0x%x sysdep translations # >>(44.l) ulelong x 0x%x chars # >>>&0 ulelong x at 0x%x # >>>>(&-4) string x "%s" # string table after big header #>>48 ubequad x \b, string table 0x%llx # # 0th string length seems to be always 0 #>(12.l) ulelong x \b, %u chars #>>&0 ulelong x at 0x%x # if 1st string length positiv inspect offset and string #>(12.l+8) ulelong >0 \b, %u chars #>>&0 ulelong x at 0x%x # if 2nd string length positiv inspect offset and string # >(12.l+16) ulelong >0 \b, %u chars # >>&0 ulelong x at 0x%x # skip newline byte #>>>(&-4) ubyte =0x0A #>>>>&0 string x "%s" #>>>(&-4) ubyte !0x0A #>>>>&-1 string x '%s' # offset of table with translation strings #>16 ulelong x \b, at 0x%x translation table # check translation 0 length and offset >(16.l) ulelong >0 >>&0 ulelong x # translation 0 seems to be often Project-Id with name and version >>>(&-4) string x \b, %s # trans. 1 with bytes >= 1 unlike icoutils-0.31.0\po\en@boldquot.gmo with 1 NL >(16.l+8) ulelong >1 >>&0 ulelong x >>>(&-4) ubyte !0x0A >>>>&-1 string x '%s' # 1 New Line like in tar-1.29\po\de.gmo >>>(&-4) ubyte =0x0A >>>>&0 ubyte !0x0A >>>>>&-1 string x '%s' # 2nd New Line like in parted-3.1\po\de.gmo >>>>&0 ubyte =0x0A >>>>>&0 string x '%s'
0 string \225\4\22\336 GNU message catalog (big endian), #0 ubelong 0x950412DE GNU-format message catalog data !:mime application/x-gettext-translation !:ext gmo/mo # TODO: for big endian use same code as for little endian #>0 use \^gettext-object # DEBUG code #>16 ubelong x \b, at 0x%x translation table #>(16.L) ubelong x 0x%x chars #>>&0 ubelong x at 0x%x # unexpected value HERE! #>>>(&-4) ubequad x 0x%llx # >4 beshort x revision %d. >6 beshort >0 \b%d, >>8 belong x %d messages, >>36 belong x %d sysdep messages >6 beshort =0 \b%d, >>8 belong x %d messages
# GnuPG # The format is very similar to pgp 0 string \001gpg GPG key trust database >4 byte x version %d # Note: magic.mime had 0x8501 for the next line instead of 0x8502 0 beshort 0x8502 GPG encrypted data !:mime text/PGP # encoding: data
# Update: Joerg Jenderek # Note: PGP and GPG use same data structure. # So recognition is now done by ./pgp with start test for byte 0x99 # This magic is not particularly good, as the keyrings don't have true # magic. Nevertheless, it covers many keyrings. # 0 ubeshort-0x9901 <2 # >3 byte 4 # >>4 bedate x GPG key public ring, created %s # !:mime application/x-gnupg-keyring
# Symmetric encryption 0 leshort 0x0d8c >4 leshort 0x0203 >>2 leshort 0x0204 GPG symmetrically encrypted data (3DES cipher) >>2 leshort 0x0304 GPG symmetrically encrypted data (CAST5 cipher) >>2 leshort 0x0404 GPG symmetrically encrypted data (BLOWFISH cipher) >>2 leshort 0x0704 GPG symmetrically encrypted data (AES cipher) >>2 leshort 0x0804 GPG symmetrically encrypted data (AES192 cipher) >>2 leshort 0x0904 GPG symmetrically encrypted data (AES256 cipher) >>2 leshort 0x0a04 GPG symmetrically encrypted data (TWOFISH cipher) >>2 leshort 0x0b04 GPG symmetrically encrypted data (CAMELLIA128 cipher) >>2 leshort 0x0c04 GPG symmetrically encrypted data (CAMELLIA192 cipher) >>2 leshort 0x0d04 GPG symmetrically encrypted data (CAMELLIA256 cipher)
# GnuPG Keybox file # <http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=kbx/keybox-blob.c;hb=HEAD> # From: Philipp Hahn <hahn@univention.de> 0 belong 32 >4 byte 1 >>8 string KBXf GPG keybox database >>>5 byte 1 version %d >>>16 bedate x \b, created-at %s >>>20 bedate x \b, last-maintained %s
# Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps 39 string =<gmr:Workbook Gnumeric spreadsheet
# From: James Youngman <jay@gnu.org> # gnu find magic 0 string \0LOCATE GNU findutils locate database data >7 string >\0 \b, format %s >7 string 02 \b (frcode)
# Files produced by GNU gettext
# gettext message catalogue 0 search/1024 \nmsgid >&0 search/1024 \nmsgstr GNU gettext message catalogue text !:strength +100 !:mime text/x-po
#------------------------------------------------------------------------------ # $File: gnumeric,v 1.4 2009/09/19 16:28:09 christos Exp $ # gnumeric: file(1) magic for Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps 39 string =<gmr:Workbook Gnumeric spreadsheet !:mime application/x-gnumeric
#------------------------------------------------------------------------------ # $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) # Note that a GPT-formatted disk must contain an MBR as well. #
# The initial segment (up to >>>>>>>>422) was copied from the X86 # partition table code (aka MBR). # This is kept separate, so that MBR partitions are not reported as well. # (use -k if you do want them as well)
# First, detect the MBR partiton table # If more than one GPT protective MBR partition exists, don't print anything # (the other MBR detection code will then just print the MBR partition table) 0x1FE leshort 0xAA55 >3 string !MS >>3 string !SYSLINUX >>>3 string !MTOOL >>>>3 string !NEWLDR >>>>>5 string !DOS # not FAT (32 bit) >>>>>>82 string !FAT32 #not Linux kernel >>>>>>>514 string !HdrS #not BeOS >>>>>>>>422 string !Be\ Boot\ Loader # GPT with protective MBR entry in partition 1 (only) >>>>>>>>>450 ubyte 0xee >>>>>>>>>>466 ubyte !0xee >>>>>>>>>>>482 ubyte !0xee >>>>>>>>>>>>498 ubyte !0xee #>>>>>>>>>>>>>446 use gpt-mbr-partition >>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(454.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>0 ubyte x of 4096 bytes >>>>>>>>>>>>>>(454.l*4096) string !EFI\ PART >>>>>>>>>>>>>>>(454.l*2048) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes >>>>>>>>>>>>>>>(454.l*2048) string !EFI\ PART >>>>>>>>>>>>>>>>(454.l*1024) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes >>>>>>>>>>>>>>>>(454.l*1024) string !EFI\ PART >>>>>>>>>>>>>>>>>(454.l*512) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes # GPT with protective MBR entry in partition 2 (only) >>>>>>>>>450 ubyte !0xee >>>>>>>>>>466 ubyte 0xee >>>>>>>>>>>482 ubyte !0xee >>>>>>>>>>>>498 ubyte !0xee #>>>>>>>>>>>>>462 use gpt-mbr-partition >>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(470.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>0 ubyte x of 4096 bytes >>>>>>>>>>>>>>(470.l*4096) string !EFI\ PART >>>>>>>>>>>>>>>(470.l*2048) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes >>>>>>>>>>>>>>>(470.l*2048) string !EFI\ PART >>>>>>>>>>>>>>>>(470.l*1024) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes >>>>>>>>>>>>>>>>(470.l*1024) string !EFI\ PART >>>>>>>>>>>>>>>>>(470.l*512) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes # GPT with protective MBR entry in partition 3 (only) >>>>>>>>>450 ubyte !0xee >>>>>>>>>>466 ubyte !0xee >>>>>>>>>>>482 ubyte 0xee >>>>>>>>>>>>498 ubyte !0xee #>>>>>>>>>>>>>478 use gpt-mbr-partition >>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(486.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>0 ubyte x of 4096 bytes >>>>>>>>>>>>>>(486.l*4096) string !EFI\ PART >>>>>>>>>>>>>>>(486.l*2048) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes >>>>>>>>>>>>>>>(486.l*2048) string !EFI\ PART >>>>>>>>>>>>>>>>(486.l*1024) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes >>>>>>>>>>>>>>>>(486.l*1024) string !EFI\ PART >>>>>>>>>>>>>>>>>(486.l*512) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes # GPT with protective MBR entry in partition 4 (only) >>>>>>>>>450 ubyte !0xee >>>>>>>>>>466 ubyte !0xee >>>>>>>>>>>482 ubyte !0xee >>>>>>>>>>>>498 ubyte 0xee #>>>>>>>>>>>>>494 use gpt-mbr-partition >>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(502.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>0 ubyte x of 4096 bytes >>>>>>>>>>>>>>(502.l*4096) string !EFI\ PART >>>>>>>>>>>>>>>(502.l*2048) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes >>>>>>>>>>>>>>>(502.l*2048) string !EFI\ PART >>>>>>>>>>>>>>>>(502.l*1024) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes >>>>>>>>>>>>>>>>(502.l*1024) string !EFI\ PART >>>>>>>>>>>>>>>>>(502.l*512) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>>>>>&-8 use gpt-table >>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes
# The following code does GPT detection and processing, including # sector size detection. # It has to be duplicated above because the top-level pattern # (i.e. not called using 'use') must print *something* for file # to count it as a match. Text only printed in named patterns is # not counted, and causes file to continue, and try and match # other patterns. # # Unfortunately, when assuming sector sizes >=16k, if the sector size # happens to be 512 instead, we may find confusing data after the GPT # table... If the GPT table has less than 128 entries, this may even # happen for assumed sector sizes as small as 4k # This could be solved by checking for the presence of the backup GPT # header as well, but that makes the logic extremely complex ##0 name gpt-mbr-partition ##>(8.l*8192) string EFI\ PART ##>>(8.l*8192) use gpt-mbr-type ##>>&-8 use gpt-table ##>>0 ubyte x of 8192 bytes ##>(8.l*8192) string !EFI\ PART ##>>(8.l*4096) string EFI\ PART GPT partition table ##>>>0 use gpt-mbr-type ##>>>&-8 use gpt-table ##>>>0 ubyte x of 4096 bytes ##>>(8.l*4096) string !EFI\ PART ##>>>(8.l*2048) string EFI\ PART GPT partition table ##>>>>0 use gpt-mbr-type ##>>>>&-8 use gpt-table ##>>>>0 ubyte x of 2048 bytes ##>>>(8.l*2048) string !EFI\ PART ##>>>>(8.l*1024) string EFI\ PART GPT partition table ##>>>>>0 use gpt-mbr-type ##>>>>>&-8 use gpt-table ##>>>>>0 ubyte x of 1024 bytes ##>>>>(8.l*1024) string !EFI\ PART ##>>>>>(8.l*512) string EFI\ PART GPT partition table ##>>>>>>0 use gpt-mbr-type ##>>>>>>&-8 use gpt-table ##>>>>>>0 ubyte x of 512 bytes
# Print details of MBR type for a GPT-disk # Calling code ensures that there is only one 0xee partition. 0 name gpt-mbr-type # GPT with protective MBR entry in partition 1 >450 ubyte 0xee >>454 ulelong 1 >>>462 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>454 ulelong !1 \b (nonstandard: not at LBA 1) # GPT with protective MBR entry in partition 2 >466 ubyte 0xee >>470 ulelong 1 >>>478 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 >>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>>478 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>470 ulelong !1 \b (nonstandard: not at LBA 1) # GPT with protective MBR entry in partition 3 >482 ubyte 0xee >>486 ulelong 1 >>>494 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 >>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>>494 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>486 ulelong !1 \b (nonstandard: not at LBA 1) # GPT with protective MBR entry in partition 4 >498 ubyte 0xee >>502 ulelong 1 >>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>502 ulelong !1 \b (nonstandard: not at LBA 1)
# Print the information from a GPT partition table structure 0 name gpt-table >10 uleshort x \b, version %u >8 uleshort x \b.%u >56 ulelong x \b, GUID: %08x >60 uleshort x \b-%04x >62 uleshort x \b-%04x >64 ubeshort x \b-%04x >66 ubeshort x \b-%04x >68 ubelong x \b%08x #>80 uleshort x \b, %d partition entries >32 ulequad+1 x \b, disk size: %lld sectors
# In case a GPT data-structure is at LBA 0, report it as well # This covers systems which are not GPT-aware, and which show # and allow access to the protective partition. This code will # detect the contents of such a partition. 0 string EFI\ PART GPT data structure (nonstandard: at LBA 0) >0 use gpt-table >0 ubyte x (sector size unknown)
# FIXME: These patterns match too generally. For example, the first # line matches a LaTeX file containing the word "graph" (with a { # following later) and the second line matches this file. #0 regex/100l [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text #!:mime text/vnd.graphviz #0 regex/100l [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text #!:mime text/vnd.graphviz
0 string GOOF---- Guile Object >8 string LE \b, little endian >8 string BE \b, big endian >11 string 4 \b, 32bit >11 string 8 \b, 64bit >13 regex .\.. \b, bytecode v%s
#------------------------------------------------------------------------------ # $File: hitachi-sh,v 1.8 2017/03/17 21:35:28 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF # # updated by Joerg Jenderek at Oct 2015 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html # below test line conflicts with 2nd NTFS filesystem sector # 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR # and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/) 0 beshort 0x0500 # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags >18 ubeshort&0x8E80 0 # use big endian variant of subroutine to display name+variables+flags # for common object formated files >>0 use \^display-coff
0 leshort 0x0550 # test for unused flag bits in f_flags >18 uleshort&0x8E80 0 # use little endian variant of subroutine to # display name+variables+flags for common object formated files >>0 use display-coff
#------------------------------------------------------------------------------ # $File: hp,v 1.24 2014/04/30 21:41:02 christos Exp $ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be # applied to the "TML" stuff; I'm assuming the Apollo stuff is # big-endian as it was mostly 68K-based. # # I think the 500 series was the old stack-based machines, running a # UNIX environment atop the "SUN kernel"; dunno whether it was # big-endian or little-endian. # # Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based; # hp300 are 68020+68881 based; hp400 are also 68k. The following basic # HP magic is useful for reference, but using "long" magic is a better # practice in order to avoid collisions. # # Guy Harris (guy@netapp.com): some additions to this list came from # HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1, # 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0 # "/etc/magic", though, except for the "archive file relocatable library" # stuff, and the 68030 and 68040 stuff isn't there at all - are they not # used in executables, or have they just not yet updated "/etc/magic" # completely? # # 0 beshort 200 hp200 (68010) BSD binary # 0 beshort 300 hp300 (68020+68881) BSD binary # 0 beshort 0x20c hp200/300 HP-UX binary # 0 beshort 0x20d hp400 (68030) HP-UX binary # 0 beshort 0x20e hp400 (68040?) HP-UX binary # 0 beshort 0x20b PA-RISC1.0 HP-UX binary # 0 beshort 0x210 PA-RISC1.1 HP-UX binary # 0 beshort 0x211 PA-RISC1.2 HP-UX binary # 0 beshort 0x214 PA-RISC2.0 HP-UX binary
# # The "misc" stuff needs a byte order; the archives look suspiciously # like the old 177545 archives (0xff65 = 0177545). # #### Old Apollo stuff 0 beshort 0627 Apollo m68k COFF executable >18 beshort ^040000 not stripped >22 beshort >0 - version %d 0 beshort 0624 apollo a88k COFF executable >18 beshort ^040000 not stripped >22 beshort >0 - version %d 0 long 01203604016 TML 0123 byte-order format 0 long 01702407010 TML 1032 byte-order format 0 long 01003405017 TML 2301 byte-order format 0 long 01602007412 TML 3210 byte-order format #### PA-RISC 1.1 0 belong 0x02100106 PA-RISC1.1 relocatable object 0 belong 0x02100107 PA-RISC1.1 executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped
0 belong 0x020a0108 HP s200 (2.x release) pure executable >4 beshort >0 - version %d >36 belong >0 not stripped
0 belong 0x020a0107 HP s200 (2.x release) executable >4 beshort >0 - version %d >36 belong >0 not stripped
0 belong 0x020c010e HP s200 shared library >4 beshort >0 - version %d >6 beshort >0 - highwater %d >36 belong >0 not stripped
0 belong 0x020c010d HP s200 dynamic load library >4 beshort >0 - version %d >6 beshort >0 - highwater %d >36 belong >0 not stripped
#### MISC 0 long 0x0000ff65 HP old archive 0 long 0x020aff65 HP s200 old archive 0 long 0x020cff65 HP s200 old archive 0 long 0x0208ff65 HP s500 old archive
0 long 0x015821a6 HP core file
0 long 0x4da7eee8 HP-WINDOWS font >8 byte >0 - version %d 0 string Bitmapfile HP Bitmapfile
0 string IMGfile CIS compimg HP Bitmapfile # XXX - see "lif" #0 short 0x8000 lif file 0 long 0x020c010c compiled Lisp
0 string msgcat01 HP NLS message catalog, >8 long >0 %d messages
# Summary: HP-38/39 calculator # Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> 0 string HP3 >3 string 8 HP 38 >3 string 9 HP 39 >4 string Bin binary >4 string Asc ASCII >7 string A (Directory List) >7 string B (Zaplet) >7 string C (Note) >7 string D (Program) >7 string E (Variable) >7 string F (List) >7 string G (Matrix) >7 string H (Library) >7 string I (Target List) >7 string J (ASCII Vector specification) >7 string K (wildcard)
# Summary: HP-38/39 calculator # Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> 0 string HP3 >3 string 8 HP 38 >3 string 9 HP 39 >4 string Bin binary >4 string Asc ASCII >7 string A (Directory List) >7 string B (Zaplet) >7 string C (Note) >7 string D (Program) >7 string E (Variable) >7 string F (List) >7 string G (Matrix) >7 string H (Library) >7 string I (Target List) >7 string J (ASCII Vector specification) >7 string K (wildcard)
# hpBSD magic numbers 0 beshort 200 hp200 (68010) BSD >2 beshort 0407 impure binary >2 beshort 0410 read-only binary >2 beshort 0413 demand paged binary 0 beshort 300 hp300 (68020+68881) BSD >2 beshort 0407 impure binary >2 beshort 0410 read-only binary >2 beshort 0413 demand paged binary # # From David Gero <dgero@nortelnetworks.com> # HP-UX 10.20 core file format from /usr/include/sys/core.h # Unfortunately, HP-UX uses corehead blocks without specifying the order # There are four we care about: # CORE_KERNEL, which starts with the string "HP-UX" # CORE_EXEC, which contains the name of the command # CORE_PROC, which contains the signal number that caused the core dump # CORE_FORMAT, which contains the version of the core file format (== 1) # The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC # but we include all 6 variations of the order of the first 3, and # assume that PROC will always be last # Order 1: KERNEL, EXEC, FORMAT, PROC 0x10 string HP-UX >0 belong 2 >>0xC belong 0x3C >>>0x4C belong 0x100 >>>>0x58 belong 0x44 >>>>>0xA0 belong 1 >>>>>>0xAC belong 4 >>>>>>>0xB0 belong 1 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x90 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 2: KERNEL, FORMAT, EXEC, PROC >>>0x4C belong 1 >>>>0x58 belong 4 >>>>>0x5C belong 1 >>>>>>0x60 belong 0x100 >>>>>>>0x6C belong 0x44 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0xA4 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 3: FORMAT, KERNEL, EXEC, PROC 0x24 string HP-UX >0 belong 1 >>0xC belong 4 >>>0x10 belong 1 >>>>0x14 belong 2 >>>>>0x20 belong 0x3C >>>>>>0x60 belong 0x100 >>>>>>>0x6C belong 0x44 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0xA4 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 4: EXEC, KERNEL, FORMAT, PROC 0x64 string HP-UX >0 belong 0x100 >>0xC belong 0x44 >>>0x54 belong 2 >>>>0x60 belong 0x3C >>>>>0xA0 belong 1 >>>>>>0xAC belong 4 >>>>>>>0xB0 belong 1 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x44 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 5: FORMAT, EXEC, KERNEL, PROC 0x78 string HP-UX >0 belong 1 >>0xC belong 4 >>>0x10 belong 1 >>>>0x14 belong 0x100 >>>>>0x20 belong 0x44 >>>>>>0x68 belong 2 >>>>>>>0x74 belong 0x3C >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x58 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 6: EXEC, FORMAT, KERNEL, PROC >0 belong 0x100 >>0xC belong 0x44 >>>0x54 belong 1 >>>>0x60 belong 4 >>>>>0x64 belong 1 >>>>>>0x68 belong 2 >>>>>>>0x74 belong 0x2C >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x44 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ
#------------------------------------------------------------------------------ # $File: human68k,v 1.5 2009/09/19 16:28:09 christos Exp $ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats # Magic too short! #0 string HU Human68k #>68 string LZX LZX compressed #>>72 string >\0 (version %s) #>(8.L+74) string LZX LZX compressed #>>(8.L+78) string >\0 (version %s) #>60 belong >0 binded #>(8.L+66) string #HUPAIR hupair #>0 string HU X executable #>(8.L+74) string #LIBCV1 - linked PD LIBC ver 1 #>4 belong >0 - base address 0x%x #>28 belong >0 not stripped #>32 belong >0 with debug information #0 beshort 0x601a Human68k Z executable #0 beshort 0x6000 Human68k object file #0 belong 0xd1000000 Human68k ar binary archive #0 belong 0xd1010000 Human68k ar ascii archive #0 beshort 0x0068 Human68k lib archive #4 string LZX Human68k LZX compressed #>8 string >\0 (version %s) #>4 string LZX R executable #2 string #HUPAIR Human68k hupair R executable
#------------------------------------------------------------------------------ # $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # # 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # 0 beshort 0537 370 XA sysV executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format 0 beshort 0532 370 XA sysV pure executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format 0 beshort 054001 370 sysV pure executable >12 belong >0 not stripped 0 beshort 055001 370 XA sysV pure executable >12 belong >0 not stripped 0 beshort 056401 370 sysV executable >12 belong >0 not stripped 0 beshort 057401 370 XA sysV executable >12 belong >0 not stripped 0 beshort 0531 SVR2 executable (Amdahl-UTS) >12 belong >0 not stripped >24 belong >0 - version %d 0 beshort 0534 SVR2 pure executable (Amdahl-UTS) >12 belong >0 not stripped >24 belong >0 - version %d 0 beshort 0530 SVR2 pure executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %d 0 beshort 0535 SVR2 executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %d
#------------------------------------------------------------------------------ # $File: ibm6000,v 1.13 2017/03/17 21:35:28 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module >12 belong >0 not stripped # Breaks sun4 statically linked execs. #0 beshort 0x0103 executable (RT Version 2) or obj module #>2 byte 0x50 pure #>28 belong >0 not stripped #>6 beshort >0 - version %ld 0 beshort 0x0104 shared library 0 beshort 0x0105 ctab data 0 beshort 0xfe04 structured file 0 string 0xabcdef AIX message catalog 0 belong 0x000001f9 AIX compiled message catalog 0 string \<aiaff> archive 0 string \<bigaf> archive (big format)
0 beshort 0x01f7 64-bit XCOFF executable or object module >20 belong 0 not stripped # GRR: this test is still too general as it catches also many FATs of DOS filesystems 4 belong &0x0feeddb0 # real core dump could not be 32-bit and 64-bit together >7 byte&0x03 !3 AIX core file >>1 byte &0x01 fulldump >>7 byte &0x01 32-bit >>>0x6e0 string >\0 \b, %s >>7 byte &0x02 64-bit >>>0x524 string >\0 \b, %s
#------------------------------------------------------------------------------ # $File: icc,v 1.5 2017/08/13 00:21:47 christos Exp $ # icc: file(1) magic for International Color Consortium file formats
# # Color profiles as per the ICC's "Image technology colour management - # Architecture, profile format, and data structure" specification. # See # # http://www.color.org/specification/ICC1v43_2010-12.pdf # # for Specification ICC.1:2010 (Profile version 4.3.0.0). # URL: http://fileformats.archiveteam.org/wiki/ICC_profile # Reference: http://www.color.org/iccmax/ICC.2-2016-7.pdf # Update: Joerg Jenderek # # Bytes 36 to 39 contain a generic profile file signature of "acsp"; # bytes 40 to 43 "may be used to identify the primary platform/operating # system framework for which the profile was created". # # check and display ICC/ICM color profile 0 name color-profile >36 string acsp # skip ASCII like Cognacspirit.txt by month <= 12 >>26 ubeshort <13 # platform/operating system. Only 5 mentioned
# # This appears to be what's used for Apple ColorSync profiles. # Instead of adding that, Apple just changed the generic "acsp" entry # to be for "ColorSync ICC Color Profile" rather than "Kodak Color # Management System, ICC Profile". # Yes, it's "APPL", not "AAPL"; see the spec. >>>40 string APPL ColorSync
# Microsoft ICM color profile >>>40 string MSFT Microsoft
# Yes, that's a blank after "SGI". >>>40 string SGI\ SGI
# XXX - is this what's used for the Sun KCMS or not? The standard file # uses just "acsp" for that, but Apple's file uses it for "ColorSync", # and there *is* an identified "primary platform" value of SUNW. >>>40 string SUNW Sun KCMS
# 5th platform >>>40 string TGNT Taligent
# remaining "l" "e" of "color profile" printed later to avoid error >>>40 string x color profi #>>>40 string x (%.4s) !:mime application/vnd.iccprofile # for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found >>>8 ubyte =2 # do not use empty message text to a avoid error like # icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type # file.exe: could not find any valid magic files! >>>>9 ubyte !0 \ble !:ext icc/icm # minor version >>>>9 ubyte =0 \bl # Kodak colour management system >>>>>4 string =KCMS \be !:ext icc/icm/cc >>>>>4 string !KCMS \be !:ext icc/icm >>>8 ubyte !2 \ble !:ext icc # Profile version major.4bit-minor.sub1.sub2 like 4.3.0.0 (04300000h) >>>8 ubyte x %u >>>9 ubyte/16 x \b.%u # reserved and shall be null but 205.205 in umx1220u.icm >>>10 ubyte >0 \b.%u >>>>11 ubyte >0 \b.%u # preferred colour management module like appl CCMS KCMS Lino UCCM "Win " "FF " # skip space like in brmsl08f.icm and null like in brmsl09f.icm, brmsl07f.icm >>>4 string >\ \b, type %.2s >>>>6 string >\ \b%.1s >>>>>7 string >\ \b%.1s # colour space "XYZ " "Lab " "RGB " CMYK GRAY ... >>>16 string x \b, %.3s >>>19 string >\ \b%.1s # Profile Connection Space (PCS) field usually "XYZ " or "Lab " but sometimes # null or CMYK like in ISOcoated_v2_to_PSOcoated_v3_DeviceLink.icc >>>20 string >\0 \b/%.3s >>>>23 string >\ \b%.1s # eleven device classes >>>12 string x \b-%.4s device # skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm >>>52 string >\040 # skip "none" model like in "Trinitron Compatible 9300K G2.2.icm" >>>>52 ubelong !0x6e6f6e65 # device manufacturer field like "HP " "IBM " EPSO >>>>>48 string x \b, %.2s >>>>>50 string >\ \b%.1s >>>>>51 string >\ \b%.1s # model like "ADI " "A265" and skip 20000404h in IS330.icm for RICOH RUSSIAN-SC >>>>>52 string >\ \ \b/%.3s >>>>>>55 string >\ \b%.1s >>>>>52 string x model # creator (often same as manufacture) like HP SONY XROX or null like in A925A.icm >>>80 string >\0 by %.2s >>>>82 string >\ \b%.1s >>>>>83 string >\ \b%.1s # profile size >>>0 ubelong x \b, %u bytes # skip invalid date 0 like in linearSRGB.icc >>>24 ubequad !0 # datetime dd-mm-yyyy hh:mm:ss >>>>28 ubeshort x \b, %u # month <= 12 >>>>26 ubeshort x \b-%u # year >>>>24 ubeshort x \b-%u # do not display midnight time like in CNHP8308.ICC >>>>30 ubequad&0xFFffFFffFFff0000 !0 # hour <= 24 >>>>>30 ubeshort x %u # minutes <= 59 >>>>>32 ubeshort x \b:%.2u # seconds <= 59 >>>>>34 ubeshort x \b:%.2u # vendor specific flags like 2 in HPCLJ5.ICM >>>44 ubeshort >0 \b, 0x%x vendor flags # profile flags bits 0-2 of least 16 used by ICC #>>>44 ubelong >0 \b, 0x%x flags # icEmbeddedProfileTrue >>>44 ubelong &1 \b, embedded # icEmbeddedProfileFalse #>>>44 ubelong ^1 \b, not embedded # icUseWithEmbeddedDataOnly >>>44 ubelong &2 \b, dependently # icUseAnywhere #>>>44 ubelong ^2 \b, independently >>>44 ubelong &4 \b, MCS #>>>44 ubelong ^4 \b, no MCS # vendor specific device attributes 1~srgb.icc # E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM >>>56 ubelong >0 \b, 0x%x vendor attribute # ICC device attributes bits 0-7 used #>>>60 ubelong x \b, 0x%x attribute # http://www.color.org/icc34.h >>>60 ubelong &0x01 \b, transparent #>>>60 ubelong ^0x01 \b, reflective >>>60 ubelong &0x02 \b, matte #>>>60 ubelong ^0x02 \b, glossy >>>60 ubelong &0x04 \b, negative #>>>60 ubelong ^0x04 \b, positive >>>60 ubelong &0x08 \b, black&white #>>>60 ubelong ^0x08 \b, colour >>>60 ubelong &0x10 \b, non-paper #>>>60 ubelong ^0x10 \b, paper >>>60 ubelong &0x20 \b, non-textured #>>>60 ubelong ^0x20 \b, textured >>>60 ubelong &0x40 \b, non-isotropic #>>>60 ubelong ^0x40 \b, isotropic >>>60 ubelong &0x80 \b, self-luminous #>>>60 ubelong ^0x80 \b, non-self-luminous # rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM >>>64 ubelong >3 \b, 0x%x rendering intent #>>>64 ubelong =0 \b, perceptual >>>64 ubelong =1 \b, relative colorimetric >>>64 ubelong =2 \b, saturation >>>64 ubelong =3 \b, absolute colorimetric # PCS illuminant (3*s15Fixed16Numbers) often 0000f6d6 00010000 0000d32d >>>71 ubequad !0xd6000100000000d3 \b, PCS # usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found # often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm >>>>68 ubelong !0x0000f6d5 X=0x%x # usually Y=1.0~00010000h but Y=0 in brmsl07f.icm >>>>72 ubelong !0x00010000 Y=0x%x # usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found # D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm >>>>76 ubelong !0x0000d32d Z=0x%x # Profile ID. MD5 fingerprinting method as defined in Internet RFC 1321. >>>84 ubequad >0 \b, 0x%llx MD5 # reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD #>>100 ubequad x \b 0x%llx reserved # tag table # 6 <= tags count <= 43 #>>>128 ubelong >43 \b, %u tags >>>128 ubelong x # shall contain the profileDescriptionTag "desc" , copyrightTag "cprt" # search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508 >>>>132 search/508 cprt # but no copyright tag in linearSRGB.icc # beneath /System/Library/Frameworks/WebKit.framework/ # Versions/A/Frameworks/WebCore.framework/Versions/A/Resources >>>>132 default x \b, no copyright tag # 1st tag #>>>132 string x \b, 1st tag %.4s #>>>136 ubelong x 0x%x offset #>>>140 ubelong x 0x%x len # 2nd tag,... # look also for profileDescriptionTag "desc" >>>132 search/508 desc # look further for TextDescriptionType "desc" signature >>>>(&0.L) string =desc >>>>>&4 pstring/l x "%s" # look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc >>>>(&0.L) string =mluc >>>>>&(&8.L) ubequad x >>>>>>&4 bestring16 x '%s'
# Any other profile. # XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles, # and use "acsp" for everything else and dump the "primary platform" # string in those cases? 36 string acsp >0 use color-profile
#------------------------------------------------------------------------------ # $File: iff,v 1.14 2015/09/07 10:03:21 christos Exp $ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic # Arts for file interchange. It has also been used by Apple, SGI, and # especially Commodore-Amiga. # # IFF files begin with an 8 byte FORM header, followed by a 4 character # FORM type, which is followed by the first chunk in the FORM.
# These go at the end of the iff rules # # David Griffith <dave@661.org> # I don't see why these might collide with anything else. # # Interactive Fiction related formats # >8 string IFRS \b, Blorb Interactive Fiction >>24 string Exec with executable chunk >8 string IFZS \b, Z-machine or Glulx saved game file (Quetzal) !:mime application/x-blorb
#------------------------------------------------------------------------------ # $File: images,v 1.131 2018/02/16 15:44:28 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # # originally from jef@helios.ee.lbl.gov (Jef Poskanzer), # additions by janl@ifi.uio.no as well as others. Jan also suggested # merging several one- and two-line files into here. # # little magic: PCX (first byte is 0x0a)
# Targa - matches `povray', `ppmtotga' and `xv' outputs # by Philippe De Muyter <phdm@macqel.be> # URL: http://justsolve.archiveteam.org/wiki/TGA # Reference: http://www.dca.fee.unicamp.br/~martino/disciplinas/ea978/tgaffs.pdf # Update: Joerg Jenderek # at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 # ,32 or 33 (both not observed) # at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise # or theoretically 2-128 reserved for use by Truevision or 128-255 may be used for developer applications # at 3, leshort Index is 0 for povray, ppmtotga and xv outputs # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) # `tgatoppm' recognizes a superset (Index may be anything) # # test of Color Map Type 0~no 1~color map # and Image Type 1 2 3 9 10 11 32 33 # and Color Map Entry Size 0 15 16 24 32 0 ubequad&0x00FeC400000000C0 0 # skip more garbage like *.iso by looking for positive image type >2 ubyte >0 # skip some compiled terminfo like xterm+tmux by looking for image type less equal 33 >>2 ubyte <34 # skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel depth 1 8 15 16 24 32 >>>16 ubyte 1 >>>>0 use tga-image >>>16 ubyte 8 >>>>0 use tga-image >>>16 ubyte 15 >>>>0 use tga-image >>>16 ubyte 16 >>>>0 use tga-image >>>16 ubyte 24 >>>>0 use tga-image >>>16 ubyte 32 >>>>0 use tga-image # display tga bitmap image information 0 name tga-image >2 ubyte <34 Targa image data !:mime image/x-tga !:apple ????TPIC # normal extension .tga but some Truevision products used others: # tpic (Apple),icb (Image Capture Board),vda (Video Display Adapter),vst (NuVista),win (UNSURE about that) !:ext tga/tpic/icb/vda/vst # image type 1 2 3 9 10 11 32 33 >2 ubyte&0xF7 1 - Map >2 ubyte&0xF7 2 - RGB # alpha channel >>17 ubyte&0x0F >0 \bA >2 ubyte&0xF7 3 - Mono # type not found, but by http://www.fileformat.info/format/tga/corion.htm # Compressed color-mapped data, using Huffman, Delta, and runlength encoding >2 ubyte 32 - Color # Compressed color-mapped data, using Huffman, Delta, and RLE. 4-pass quadtree- type process >2 ubyte 33 - Color # Color Map Type 0~no 1~color map >1 ubyte 1 ( # first color map entry, 0 normal >>3 uleshort >0 \b%d- # color map length 0 2 1dh 3bh d9h 100h >>5 uleshort x \b%d) # 8~run length encoding bit >2 ubyte&0x08 8 - RLE # gimp can create big pictures! >12 uleshort >0 %d x >12 uleshort =0 65536 x # image height. 0 interpreted as 65536 >14 uleshort >0 %d >14 uleshort =0 65536 # Image Pixel depth 1 8 15 16 24 32 >16 ubyte x x %d # X origin of image. 0 normal >8 uleshort >0 +%d # Y origin of image. 0 normal; positive for top >10 uleshort >0 +%d # Image descriptor: bits 3-0 give the alpha channel depth, bits 5-4 give direction >17 ubyte&0x0F >0 - %d-bit alpha # bits 5-4 give direction. normal bottom left >17 ubyte &0x20 - top #>17 ubyte ^0x20 - bottom >17 ubyte &0x10 - right #>17 ubyte ^0x10 - left # some info say other bits 6-7 should be zero # but data storage interleave by http://www.fileformat.info/format/tga/corion.htm # 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved #>17 ubyte&0xC0 0x00 - no interleave >17 ubyte&0xC0 0x40 - interleave >17 ubyte&0xC0 0x80 - four way interleave >17 ubyte&0xC0 0xC0 - reserved # positive length implies identification field >0 ubyte >0 >>18 string x "%s" # last 18 bytes of newer tga file footer signature >18 search/4261301/s TRUEVISION-XFILE.\0 # extension area offset if not 0 >>&-8 ulelong >0 # length of the extension area. normal 495 for version 2.0 >>>(&-4.l) uleshort 0x01EF # AuthorName[41] >>>>&0 string >\0 - author "%-.40s" # Comment[324]=4 * 80 null terminated >>>>&41 string >\0 - comment "%-.80s" # date >>>>&365 ubequad&0xffffFFFFffff0000 !0 # Day >>>>>&-6 uleshort x %d # Month >>>>>&-8 uleshort x \b-%d # Year >>>>>&-4 uleshort x \b-%d # time >>>>&371 ubequad&0xffffFFFFffff0000 !0 # hour >>>>>&-8 uleshort x %d # minutes >>>>>&-6 uleshort x \b:%.2d # second >>>>>&-4 uleshort x \b:%.2d # JobName[41] >>>>&377 string >\0 - job "%-.40s" # JobHour Jobminute Jobsecond >>>>&418 ubequad&0xffffFFFFffff0000 !0 >>>>>&-8 uleshort x %d >>>>>&-6 uleshort x \b:%.2d >>>>>&-4 uleshort x \b:%.2d # SoftwareId[41] >>>>&424 string >\0 - %-.40s # SoftwareVersionNumber >>>>&424 ubyte >0 >>>>>&40 uleshort/100 x %d >>>>>&40 uleshort%100 x \b.%d # VersionLetter >>>>>&42 ubyte >0x20 \b%c # KeyColor >>>>&468 ulelong >0 - keycolor 0x%8.8x # Denominator of Pixel ratio. 0~no pixel aspect >>>>&474 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - aspect %d >>>>>&-2 uleshort x \b/%d # Denominator of Gamma ratio. 0~no Gamma value >>>>&478 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - gamma %d >>>>>&-2 uleshort x \b/%d # ColorOffset #>>>>&480 ulelong x - col offset 0x%8.8x # StampOffset #>>>>&484 ulelong x - stamp offset 0x%8.8x # ScanOffset #>>>>&488 ulelong x - scan offset 0x%8.8x # AttributesType #>>>>&492 ubyte x - Attributes 0x%x ## EndOfTGA
# PBMPLUS images # The next byte following the magic is always whitespace. # strength is changed to try these patterns before "x86 boot sector" 0 name netpbm >3 regex/s =[0-9]{1,50}\ [0-9]{1,50} Netpbm image data >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s
0 search/1 P1 >0 regex/4 P1[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, bitmap !:strength + 65 !:mime image/x-portable-bitmap
0 search/1 P2 >0 regex/4 P2[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, greymap !:strength + 65 !:mime image/x-portable-greymap
0 search/1 P3 >0 regex/4 P3[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, pixmap !:strength + 65 !:mime image/x-portable-pixmap
0 string P4 >0 regex/4 P4[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, bitmap !:strength + 65 !:mime image/x-portable-bitmap
0 string P5 >0 regex/4 P5[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, greymap !:strength + 65 !:mime image/x-portable-greymap
0 string P6 >0 regex/4 P6[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, pixmap !:strength + 65 !:mime image/x-portable-pixmap
# From: bryanh@giraffe-data.com (Bryan Henderson) 0 string \117\072 Solitaire Image Recorder format >4 string \013 MGI Type 11 >4 string \021 MGI Type 17 0 string .MDA MicroDesign data >21 byte 48 version 2 >21 byte 51 version 3 0 string .MDP MicroDesign page data >21 byte 48 version 2 >21 byte 51 version 3
# NIFF (Navy Interchange File Format, a modification of TIFF) images # [GRR: this *must* go before TIFF] 0 string IIN1 NIFF image data !:mime image/x-niff
# Canon RAW version 1 (CRW) files are a type of Canon Image File Format # (CIFF) file. These are apparently all little-endian. # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://www.sno.phy.queensu.ca/~phil/exiftool/canon_raw.html 0 string II\x1a\0\0\0HEAPCCDR Canon CIFF raw image data !:mime image/x-canon-crw >16 leshort x \b, version %d. >14 leshort x \b%d
# Canon RAW version 2 (CR2) files are a kind of TIFF with an extra magic # number. Put this above the TIFF test to make sure we detect them. # These are apparently all little-endian. # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://libopenraw.freedesktop.org/wiki/Canon_CR2 0 string II\x2a\0\x10\0\0\0CR Canon CR2 raw image data !:mime image/x-canon-cr2 >10 byte x \b, version %d. >11 byte x \b%d
# Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian !:mime image/tiff >(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff >(4.l) use tiff_ifd
0 name tiff_ifd >0 leshort x \b, direntries=%d >2 use tiff_entry
0 name tiff_entry # NewSubFileType >0 leshort 0xfe >>12 use tiff_entry >0 leshort 0x100 >>4 lelong 1 >>>12 use tiff_entry >>>8 leshort x \b, width=%d >0 leshort 0x101 >>4 lelong 1 >>>8 leshort x \b, height=%d >>>12 use tiff_entry >0 leshort 0x102 >>8 leshort x \b, bps=%d >>12 use tiff_entry >0 leshort 0x103 >>4 lelong 1 \b, compression= >>>8 leshort 1 \bnone >>>8 leshort 2 \bhuffman >>>8 leshort 3 \bbi-level group 3 >>>8 leshort 4 \bbi-level group 4 >>>8 leshort 5 \bLZW >>>8 leshort 6 \bJPEG (old) >>>8 leshort 7 \bJPEG >>>8 leshort 8 \bdeflate >>>8 leshort 9 \bJBIG, ITU-T T.85 >>>8 leshort 0xa \bJBIG, ITU-T T.43 >>>8 leshort 0x7ffe \bNeXT RLE 2-bit >>>8 leshort 0x8005 \bPackBits (Macintosh RLE) >>>8 leshort 0x8029 \bThunderscan RLE >>>8 leshort 0x807f \bRasterPadding (CT or MP) >>>8 leshort 0x8080 \bRLE (Line Work) >>>8 leshort 0x8081 \bRLE (High-Res Cont-Tone) >>>8 leshort 0x8082 \bRLE (Binary Line Work) >>>8 leshort 0x80b2 \bDeflate (PKZIP) >>>8 leshort 0x80b3 \bKodak DCS >>>8 leshort 0x8765 \bJBIG >>>8 leshort 0x8798 \bJPEG2000 >>>8 leshort 0x8799 \bNikon NEF Compressed >>>8 default x >>>>8 leshort x \b(unknown 0x%x) >>>12 use tiff_entry >0 leshort 0x106 \b, PhotometricIntepretation= >>8 clear x >>8 leshort 0 \bWhiteIsZero >>8 leshort 1 \bBlackIsZero >>8 leshort 2 \bRGB >>8 leshort 3 \bRGB Palette >>8 leshort 4 \bTransparency Mask >>8 leshort 5 \bCMYK >>8 leshort 6 \bYCbCr >>8 leshort 8 \bCIELab >>8 default x >>>8 leshort x \b(unknown=0x%x) >>12 use tiff_entry # FillOrder >0 leshort 0x10a >>4 lelong 1 >>>12 use tiff_entry # DocumentName >0 leshort 0x10d >>(8.l) string x \b, name=%s >>>12 use tiff_entry # ImageDescription >0 leshort 0x10e >>(8.l) string x \b, description=%s >>>12 use tiff_entry # Make >0 leshort 0x10f >>(8.l) string x \b, manufacturer=%s >>>12 use tiff_entry # Model >0 leshort 0x110 >>(8.l) string x \b, model=%s >>>12 use tiff_entry # StripOffsets >0 leshort 0x111 >>12 use tiff_entry # Orientation >0 leshort 0x112 \b, orientation= >>8 leshort 1 \bupper-left >>8 leshort 3 \blower-right >>8 leshort 6 \bupper-right >>8 leshort 8 \blower-left >>8 leshort 9 \bundefined >>8 default x >>>8 leshort x \b[*%d*] >>12 use tiff_entry # XResolution >0 leshort 0x11a >>8 lelong x \b, xresolution=%d >>12 use tiff_entry # YResolution >0 leshort 0x11b >>8 lelong x \b, yresolution=%d >>12 use tiff_entry # ResolutionUnit >0 leshort 0x128 >>8 leshort x \b, resolutionunit=%d >>12 use tiff_entry # Software >0 leshort 0x131 >>(8.l) string x \b, software=%s >>12 use tiff_entry # Datetime >0 leshort 0x132 >>(8.l) string x \b, datetime=%s >>12 use tiff_entry # HostComputer >0 leshort 0x13c >>(8.l) string x \b, hostcomputer=%s >>12 use tiff_entry # WhitePoint >0 leshort 0x13e >>12 use tiff_entry # PrimaryChromaticities >0 leshort 0x13f >>12 use tiff_entry # YCbCrCoefficients >0 leshort 0x211 >>12 use tiff_entry # YCbCrPositioning >0 leshort 0x213 >>12 use tiff_entry # ReferenceBlackWhite >0 leshort 0x214 >>12 use tiff_entry # Copyright >0 leshort 0x8298 >>(8.l) string x \b, copyright=%s >>12 use tiff_entry # ExifOffset >0 leshort 0x8769 >>12 use tiff_entry # GPS IFD >0 leshort 0x8825 \b, GPS-Data >>12 use tiff_entry
#>0 leshort x \b, unknown=0x%x #>>12 use tiff_entry
0 string MM\x00\x2b Big TIFF image data, big-endian !:mime image/tiff 0 string II\x2b\x00 Big TIFF image data, little-endian !:mime image/tiff
# PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] I H D R [HEAD data] [HEAD crc] ... #
# ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, # 1 plane, no encoding. 0 string \361\0\100\273 CMU window manager raster image data >4 lelong >0 %d x >8 lelong >0 %d, >12 lelong >0 %d-bit
# Magick Image File Format 0 string id=ImageMagick MIFF image data
# Artisan 0 long 1123028772 Artisan image data >4 long 1 \b, rectangular 24-bit >4 long 2 \b, rectangular 8-bit with colormap >4 long 3 \b, rectangular 32-bit (24-bit with matte)
# FIG (Facility for Interactive Generation of figures), an object-based format 0 search/1 #FIG FIG image text >5 string x \b, version %.3s
# PHIGS 0 string ARF_BEGARF PHIGS clear text archive 0 string @(#)SunPHIGS SunPHIGS # version number follows, in the form m.n >40 string SunBin binary >32 string archive archive
# MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string yz MGR bitmap, modern format, 8-bit aligned 0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned 0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned 0 string yx MGR bitmap, modern format, squeezed
# Fuzzy Bitmap (FBM) images 0 string %bitmap\0 FBM image data >30 long 0x31 \b, mono >30 long 0x33 \b, color
# facsimile data 1 string PC\ Research,\ Inc group 3 fax data >29 byte 0 \b, normal resolution (204x98 DPI) >29 byte 1 \b, fine resolution (204x196 DPI) # From: Herbert Rosmanith <herp@wildsau.idv.uni.linz.at> 0 string Sfff structured fax file
# From: Joerg Jenderek <joerg.jen.der.ek@gmx.net> # most files with the extension .EPA and some with .BMP 0 string \x11\x06 Award BIOS Logo, 136 x 84 !:mime image/x-award-bioslogo 0 string \x11\x09 Award BIOS Logo, 136 x 126 !:mime image/x-award-bioslogo #0 string \x07\x1f BIOS Logo corrupted? # http://www.blackfiveservices.co.uk/awbmtools.shtml # http://biosgfx.narod.ru/v3/ # http://biosgfx.narod.ru/abr-2/ 0 string AWBM >4 leshort <1981 Award BIOS bitmap !:mime image/x-award-bmp # image width is a multiple of 4 >>4 leshort&0x0003 0 >>>4 leshort x \b, %d >>>6 leshort x x %d >>4 leshort&0x0003 >0 \b, >>>4 leshort&0x0003 =1 >>>>4 leshort x %d+3 >>>4 leshort&0x0003 =2 >>>>4 leshort x %d+2 >>>4 leshort&0x0003 =3 >>>>4 leshort x %d+1 >>>6 leshort x x %d # at offset 8 starts imagedata followed by "RGB " marker
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) # http://en.wikipedia.org/wiki/BMP_file_format#DIB_header_.\ # 28bitmap_information_header.29 0 string BM >14 leshort 12 PC bitmap, OS/2 1.x format !:mime image/x-ms-bmp >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 64 PC bitmap, OS/2 2.x format !:mime image/x-ms-bmp >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 40 PC bitmap, Windows 3.x format !:mime image/x-ms-bmp >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d >14 leshort 124 PC bitmap, Windows 98/2000 and newer format !:mime image/x-ms-bmp >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d >14 leshort 108 PC bitmap, Windows 95/NT4 and newer format !:mime image/x-ms-bmp >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d >14 leshort 128 PC bitmap, Windows NT/2000 format !:mime image/x-ms-bmp >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d # Too simple - MPi #0 string IC PC icon data #0 string PI PC pointer image data #0 string CI PC color icon data #0 string CP PC color pointer image data # Conflicts with other entries [BABYL] #0 string BA PC bitmap array data
# XPM icons (Greg Roelofs, newt@uchicago.edu) 0 search/1 /*\ XPM\ */ X pixmap image text !:mime image/x-xpmi
# Utah Raster Toolkit RLE images (janl@ifi.uio.no) 0 leshort 0xcc52 RLE image data, >6 leshort x %d x >8 leshort x %d >2 leshort >0 \b, lower left corner: %d >4 leshort >0 \b, lower right corner: %d >10 byte&0x1 =0x1 \b, clear first >10 byte&0x2 =0x2 \b, no background >10 byte&0x4 =0x4 \b, alpha channel >10 byte&0x8 =0x8 \b, comment >11 byte >0 \b, %d color channels >12 byte >0 \b, %d bits per pixel >13 byte >0 \b, %d color map channels
# image file format (Robert Potter, potter@cs.rochester.edu) 0 string Imagefile\ version- iff image data # this adds the whole header (inc. version number), informative but longish >10 string >\0 %s
# Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com) 0 belong 0x59a66a95 Sun raster image data >4 belong >0 \b, %d x >8 belong >0 %d, >12 belong >0 %d-bit, #>16 belong >0 %d bytes long, >20 belong 0 old format, #>20 belong 1 standard, >20 belong 2 compressed, >20 belong 3 RGB, >20 belong 4 TIFF, >20 belong 5 IFF, >20 belong 0xffff reserved for testing, >24 belong 0 no colormap >24 belong 1 RGB colormap >24 belong 2 raw colormap #>28 belong >0 colormap is %d bytes long
# SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) # # See # http://reality.sgi.com/grafica/sgiimage.html # 0 beshort 474 SGI image data #>2 byte 0 \b, verbatim >2 byte 1 \b, RLE #>3 byte 1 \b, normal precision >3 byte 2 \b, high precision >4 beshort x \b, %d-D >6 beshort x \b, %d x >8 beshort x %d >10 beshort x \b, %d channel >10 beshort !1 \bs >80 string >0 \b, "%s"
0 string IT01 FIT image data >4 belong x \b, %d x >8 belong x %d x >12 belong x %d # 0 string IT02 FIT image data >4 belong x \b, %d x >8 belong x %d x >12 belong x %d # 2048 string PCD_IPI Kodak Photo CD image pack file >0xe02 byte&0x03 0x00 , landscape mode >0xe02 byte&0x03 0x01 , portrait mode >0xe02 byte&0x03 0x02 , landscape mode >0xe02 byte&0x03 0x03 , portrait mode 0 string PCD_OPA Kodak Photo CD overview pack file
# FITS format. Jeff Uphoff <juphoff@tarsier.cv.nrao.edu> # FITS is the Flexible Image Transport System, the de facto standard for # data and image transfer, storage, etc., for the astronomical community. # (FITS floating point formats are big-endian.) 0 string SIMPLE\ \ = FITS image data >109 string 8 \b, 8-bit, character or unsigned binary integer >108 string 16 \b, 16-bit, two's complement binary integer >107 string \ 32 \b, 32-bit, two's complement binary integer >107 string -32 \b, 32-bit, floating point, single precision >107 string -64 \b, 64-bit, floating point, double precision
# From SunOS 5.5.1 "/etc/magic" - appeared right before Sun raster image # stuff. # 0 beshort 0x1010 PEX Binary Archive
# DICOM medical imaging data # URL: https://en.wikipedia.org/wiki/DICOM#Data_format # Note: "dcm" is the official file name extension # XnView mention also "dc3" and "acr" as file name extension 128 string DICM DICOM medical imaging data !:mime application/dicom !:ext dcm/dicom/dic
# XWD - X Window Dump file. # As described in /usr/X11R6/include/X11/XWDFile.h # used by the xwd program. # Bradford Castalia, idaeim, 1/01 # updated by Adam Buchbinder, 2/09 # The following assumes version 7 of the format; the first long is the length # of the header, which is at least 25 4-byte longs, and the one at offset 8 # is a constant which is always either 1 or 2. Offset 12 is the pixmap depth, # which is a maximum of 32. 0 belong >100 >8 belong <3 >>12 belong <33 >>>4 belong 7 XWD X Window Dump image data !:mime image/x-xwindowdump >>>>100 string >\0 \b, "%s" >>>>16 belong x \b, %dx >>>>20 belong x \b%dx >>>>12 belong x \b%d
# PDS - Planetary Data System # These files use Parameter Value Language in the header section. # Unfortunately, there is no certain magic, but the following # strings have been found to be most likely. 0 string NJPL1I00 PDS (JPL) image data 2 string NJPL1I PDS (JPL) image data 0 string CCSD3ZF PDS (CCSD) image data 2 string CCSD3Z PDS (CCSD) image data 0 string PDS_ PDS image data 0 string LBLSIZE= PDS (VICAR) image data
# pM8x: ATARI STAD compressed bitmap format # # from Oskar Schirmer <schirmer@scara.com> Feb 2, 2001 # p M 8 5/6 xx yy zz data... # Atari ST STAD bitmap is always 640x400, bytewise runlength compressed. # bytes either run horizontally (pM85) or vertically (pM86). yy is the # most frequent byte, xx and zz are runlength escape codes, where xx is # used for runs of yy. # 0 string pM85 Atari ST STAD bitmap image data (hor) >5 byte 0x00 (white background) >5 byte 0xFF (black background) 0 string pM86 Atari ST STAD bitmap image data (vert) >5 byte 0x00 (white background) >5 byte 0xFF (black background)
# XXX: # This is bad magic 0x5249 == 'RI' conflicts with RIFF and other # magic. # SGI RICE image file <mpruett@sgi.com> #0 beshort 0x5249 RICE image #>2 beshort x v%d #>4 beshort x (%d x #>6 beshort x %d) #>8 beshort 0 8 bit #>8 beshort 1 10 bit #>8 beshort 2 12 bit #>8 beshort 3 13 bit #>10 beshort 0 4:2:2 #>10 beshort 1 4:2:2:4 #>10 beshort 2 4:4:4 #>10 beshort 3 4:4:4:4 #>12 beshort 1 RGB #>12 beshort 2 CCIR601 #>12 beshort 3 RP175 #>12 beshort 4 YUV
# PCX image files # From: Dan Fandrich <dan@coneharvesters.com> # updated by Joerg Jenderek at Feb 2013 by http://de.wikipedia.org/wiki/PCX # http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt # GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 # test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT 0 ubelong&0xffF8fe00 0x0a000000 # for PCX bit depth > 0 >3 ubyte >0 # test for valid versions >>1 ubyte <6 >>>1 ubyte !1 PCX !:mime image/x-pcx #!:mime image/pcx >>>>1 ubyte 0 ver. 2.5 image data >>>>1 ubyte 2 ver. 2.8 image data, with palette >>>>1 ubyte 3 ver. 2.8 image data, without palette >>>>1 ubyte 4 for Windows image data >>>>1 ubyte 5 ver. 3.0 image data >>>>4 uleshort x bounding box [%d, >>>>6 uleshort x %d] - >>>>8 uleshort x [%d, >>>>10 uleshort x %d], >>>>65 ubyte >1 %d planes each of >>>>3 ubyte x %d-bit >>>>68 byte 1 colour, >>>>68 byte 2 grayscale, # this should not happen >>>>68 default x image, >>>>12 leshort >0 %d x >>>>>14 uleshort x %d dpi, >>>>2 byte 0 uncompressed >>>>2 byte 1 RLE compressed
# XV thumbnail indicator (ThMO) 0 string P7\ 332 XV thumbnail image data
# NITF is defined by United States MIL-STD-2500A 0 string NITF National Imagery Transmission Format >25 string >\0 dated %.14s
# GEM Image: Version 1, Headerlen 8 (Wolfram Kleff) # Format variations from: Bernd Nuernberger <bernd.nuernberger@web.de> # Update: Joerg Jenderek # See http://fileformats.archiveteam.org/wiki/GEM_Raster # For variations, also see: # http://www.seasip.info/Gem/ff_img.html (Ventura) # http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) # http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) # http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) 0 beshort 0x0001 # header_size >2 beshort 0x0008 >>0 use gem_info >2 beshort 0x0009 >>0 use gem_info # no example for NOSIG >2 beshort 24 >>0 use gem_info # no example for HYPERPAINT >2 beshort 25 >>0 use gem_info 16 string XIMG\0 >0 use gem_info # no example 16 string STTT\0\x10 >0 use gem_info # no example or description 16 string TIMG\0 >0 use gem_info
0 name gem_info # version is 2 for some XIMG and 1 for all others >0 beshort <0x0003 GEM # http://www.snowstone.org.uk/riscos/mimeman/mimemap.txt !:mime image/x-gem # header_size 24 25 27 59 779 words for colored bitmaps >>2 beshort >9 >>>16 string STTT\0\x10 STTT >>>16 string TIMG\0 TIMG # HYPERPAINT or NOSIG variant >>>16 string \0\x80 >>>>2 beshort =24 NOSIG >>>>2 beshort !24 HYPERPAINT # NOSIG or XIMG variant >>>16 default x >>>>16 string !XIMG\0 NOSIG >>16 string =XIMG\0 XIMG Image data !:ext img/ximg # to avoid Warning: Current entry does not yet have a description for adding a EXTENSION type >>16 string !XIMG\0 Image data !:ext img # header_size is 9 for Ventura files and 8 for other GEM Paint files >>2 beshort 9 (Ventura) #>>2 beshort 8 (Paint) >>12 beshort x %d x >>14 beshort x %d, # 1 4 8 >>4 beshort x %d planes, # in tenths of a millimetre >>8 beshort x %d x >>10 beshort x %d pixelsize # pattern_size 1-8. 2 for GEM Paint >>6 beshort !2 \b, pattern size %d
# GEM Metafile (Wolfram Kleff) 0 lelong 0x0018FFFF GEM Metafile data >4 leshort x version %d
# # SMJPEG. A custom Motion JPEG format used by Loki Entertainment # Software Torbjorn Andersson <d91tan@Update.UU.SE>. # 0 string \0\nSMJPEG SMJPEG >8 belong x %d.x data # According to the specification you could find any number of _TXT # headers here, but I can't think of any way of handling that. None of # the SMJPEG files I tried it on used this feature. Even if such a # file is encountered the output should still be reasonable. >16 string _SND \b, >>24 beshort >0 %d Hz >>26 byte 8 8-bit >>26 byte 16 16-bit >>28 string NONE uncompressed # >>28 string APCM ADPCM compressed >>27 byte 1 mono >>28 byte 2 stereo # Help! Isn't there any way to avoid writing this part twice? >>32 string _VID \b, # >>>48 string JFIF JPEG >>>40 belong >0 %d frames >>>44 beshort >0 (%d x >>>46 beshort >0 %d) >16 string _VID \b, # >>32 string JFIF JPEG >>24 belong >0 %d frames >>28 beshort >0 (%d x >>30 beshort >0 %d)
# "thumbnail file" (icon) # descended from "xv", but in use by other applications as well (Wolfram Kleff) 0 string P7\ 332 XV "thumbnail file" (icon) data
# taken from fkiss: (<yav@mte.biglobe.ne.jp> ?) 0 string KiSS KISS/GS >4 byte 16 color >>5 byte x %d bit >>8 leshort x %d colors >>10 leshort x %d groups >4 byte 32 cell >>5 byte x %d bit >>8 leshort x %d x >>10 leshort x %d >>12 leshort x +%d >>14 leshort x +%d
# Webshots (www.webshots.com), by John Harrison 0 string C\253\221g\230\0\0\0 Webshots Desktop .wbz file
# Hercules DASD image files # From Jan Jaeger <jj@septa.nl> 0 string CKD_P370 Hercules CKD DASD image file >8 long x \b, %d heads per cylinder >12 long x \b, track size %d bytes >16 byte x \b, device type 33%2.2X
0 string CKD_C370 Hercules compressed CKD DASD image file >8 long x \b, %d heads per cylinder >12 long x \b, track size %d bytes >16 byte x \b, device type 33%2.2X
0 string CKD_S370 Hercules CKD DASD shadow file >8 long x \b, %d heads per cylinder >12 long x \b, track size %d bytes >16 byte x \b, device type 33%2.2X
# Squeak images and programs - etoffi@softhome.net 0 string \146\031\0\0 Squeak image data 0 search/1 'From\040Squeak Squeak program text
# partimage: file(1) magic for PartImage files (experimental, incomplete) # Author: Hans-Joachim Baader <hjb@pro-linux.de> 0 string PaRtImAgE-VoLuMe PartImage >0x0020 string 0.6.1 file version %s >>0x0060 lelong >-1 volume %d #>>0x0064 8 byte identifier #>>0x007c reserved >>0x0200 string >\0 type %s >>0x1400 string >\0 device %s, >>0x1600 string >\0 original filename %s, # Some fields omitted >>0x2744 lelong 0 not compressed >>0x2744 lelong 1 gzip compressed >>0x2744 lelong 2 bzip2 compressed >>0x2744 lelong >2 compressed with unknown algorithm >0x0020 string >0.6.1 file version %s >0x0020 string <0.6.1 file version %s
# DCX is multi-page PCX, using a simple header of up to 1024 # offsets for the respective PCX components. # From: Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de> 0 lelong 987654321 DCX multi-page PCX image data
# Simon Walton <simonw@matteworld.com> # Kodak Cineon format for scanned negatives # http://www.kodak.com/US/en/motion/support/dlad/ 0 lelong 0xd75f2a80 Cineon image data >200 belong >0 \b, %d x >204 belong >0 %d
# Bio-Rad .PIC is an image format used by microscope control systems # and related image processing software used by biologists. # From: Vebjorn Ljosa <vebjorn@ljosa.com> # BOOL values are two-byte integers; use them to rule out false positives. # http://web.archive.org/web/20050317223257/www.cs.ubc.ca/spider/ladic/text/biorad.txt # Samples: http://www.loci.wisc.edu/software/sample-data 14 leshort <2 >62 leshort <2 >>54 leshort 12345 Bio-Rad .PIC Image File >>>0 leshort >0 %d x >>>2 leshort >0 %d, >>>4 leshort =1 1 image in file >>>4 leshort >1 %d images in file
# From Jan "Yenya" Kasprzak <kas@fi.muni.cz> # The description of *.mrw format can be found at # http://www.dalibor.cz/minolta/raw_file_format.htm 0 string \000MRM Minolta Dimage camera raw image data
# Originally by Marc Espie # Modified by Robert Minsk <robertminsk at yahoo.com> # http://www.openexr.com/openexrfilelayout.pdf 0 lelong 20000630 OpenEXR image data, !:mime image/x-exr >4 lelong&0x000000ff x version %d, >4 lelong ^0x00000200 storage: scanline >4 lelong &0x00000200 storage: tiled >8 search/0x1000 compression\0 \b, compression: >>&16 byte 0 none >>&16 byte 1 rle >>&16 byte 2 zips >>&16 byte 3 zip >>&16 byte 4 piz >>&16 byte 5 pxr24 >>&16 byte 6 b44 >>&16 byte 7 b44a >>&16 byte 8 dwaa >>&16 byte 9 dwab >>&16 byte >9 unknown >8 search/0x1000 dataWindow\0 \b, dataWindow: >>&10 lelong x (%d >>&14 lelong x %d)- >>&18 lelong x \b(%d >>&22 lelong x %d) >8 search/0x1000 displayWindow\0 \b, displayWindow: >>&10 lelong x (%d >>&14 lelong x %d)- >>&18 lelong x \b(%d >>&22 lelong x %d) >8 search/0x1000 lineOrder\0 \b, lineOrder: >>&14 byte 0 increasing y >>&14 byte 1 decreasing y >>&14 byte 2 random y >>&14 byte >2 unknown
# SMPTE Digital Picture Exchange Format, SMPTE DPX # # ANSI/SMPTE 268M-1994, SMPTE Standard for File Format for Digital # Moving-Picture Exchange (DPX), v1.0, 18 February 1994 # Robert Minsk <robertminsk at yahoo.com> # Modified by Harry Mallon <hjmallon at gmail.com> 0 string SDPX DPX image data, big-endian, !:mime image/x-dpx >0 use dpx_info 0 string XPDS DPX image data, little-endian, !:mime image/x-dpx >0 use \^dpx_info
0 name dpx_info >768 beshort <4 >>772 belong x %dx >>776 belong x \b%d, >768 beshort >3 >>776 belong x %dx >>772 belong x \b%d, >768 beshort 0 left to right/top to bottom >768 beshort 1 right to left/top to bottom >768 beshort 2 left to right/bottom to top >768 beshort 3 right to left/bottom to top >768 beshort 4 top to bottom/left to right >768 beshort 5 top to bottom/right to left >768 beshort 6 bottom to top/left to right >768 beshort 7 bottom to top/right to left
# From: Tom Hilinski <tom.hilinski@comcast.net> # http://www.unidata.ucar.edu/packages/netcdf/ 0 string CDF\001 NetCDF Data Format data
#----------------------------------------------------------------------- # Hierarchical Data Format, used to facilitate scientific data exchange # specifications at http://hdf.ncsa.uiuc.edu/ 0 belong 0x0e031301 Hierarchical Data Format (version 4) data !:mime application/x-hdf 0 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) data !:mime application/x-hdf 512 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 512 bytes user block !:mime application/x-hdf 1024 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 1k user block !:mime application/x-hdf 2048 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 2k user block !:mime application/x-hdf 4096 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 4k user block !:mime application/x-hdf
# From: Tobias Burnus <burnus@net-b.de> # Xara (for a while: Corel Xara) is a graphic package, see # http://www.xara.com/ for Windows and as GPL application for Linux 0 string XARA\243\243 Xara graphics file
# From Albert Cahalan <acahalan@gmail.com> # puredigital used it for the CVS disposable camcorder #8 lelong 4 ZBM bitmap image data #>4 leshort x %u x #>6 leshort x %u
# From Albert Cahalan <acahalan@gmail.com> # uncompressed 5:6:5 HighColor image for OLPC XO firmware icons 0 string C565 OLPC firmware icon image data >4 leshort x %u x >6 leshort x %u
# Wavelet Scalar Quantization format used in gray-scale fingerprint images # From Tano M Fotang <mfotang@quanteq.com> 0 string \xff\xa0\xff\xa8\x00 Wavelet Scalar Quantization image data
# Type: PCO B16 image files # URL: http://www.pco.de/fileadmin/user_upload/db/download/MA_CWDCOPIE_0412b.pdf # From: Florian Philipp <florian.philipp@binarywings.net> # Extension: .b16 # Description: Pixel image format produced by PCO Camware, typically used # together with PCO cameras. # Note: Different versions exist for e.g. 8 bit and 16 bit images. # Documentation is incomplete. 0 string/b PCO- PCO B16 image data >12 lelong x \b, %dx >16 lelong x \b%d >20 lelong 0 \b, short header >20 lelong -1 \b, extended header >>24 lelong 0 \b, grayscale >>>36 lelong 0 linear LUT >>>36 lelong 1 logarithmic LUT >>>28 lelong x [%d >>>32 lelong x \b,%d] >>24 lelong 1 \b, color >>>64 lelong 0 linear LUT >>>64 lelong 1 logarithmic LUT >>>40 lelong x r[%d >>>44 lelong x \b,%d] >>>48 lelong x g[%d >>>52 lelong x \b,%d] >>>56 lelong x b[%d >>>60 lelong x \b,%d]
# Polar Monitor Bitmap (.pmb) used as logo for Polar Electro watches # From: Markus Heidelberg <markus.heidelberg at web.de> 0 string/t [BitmapInfo2] Polar Monitor Bitmap text !:mime image/x-polar-monitor-bitmap
# From: Rick Richardson <rickrich@gmail.com> # updated by: Joerg Jenderek # URL: http://techmods.net/nuvi/ 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file # extension is also used for # Sony SRF raw image (image/x-sony-srf) # SRF map # Terragen Surface Map (http://www.planetside.co.uk/terragen) # FileLocator Pro search criteria file (http://www.mythicsoft.com/filelocatorpro) !:ext srf #!:mime image/x-garmin-srf # version 1.00,2.00,2.10,2.40,2.50 >0x2f string >0 \b, version %4.4s # width (2880,2881,3240) >0x55 uleshort >0 \b, %dx # height (80,90) >>0x53 uleshort x \b%d
# Type: Olympus ORF raw images. # URL: http://libopenraw.freedesktop.org/wiki/Olympus_ORF # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string MMOR Olympus ORF raw image data, big-endian !:mime image/x-olympus-orf 0 string IIRO Olympus ORF raw image data, little-endian !:mime image/x-olympus-orf 0 string IIRS Olympus ORF raw image data, little-endian !:mime image/x-olympus-orf
# Type: files used in modern AVCHD camcoders to store clip information # Extension: .cpi # From: Alexander Danilov <alexander.a.danilov@gmail.com> 0 string HDMV0100 AVCHD Clip Information
# From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ # Radiance HDR; usually has .pic or .hdr extension. 0 string #?RADIANCE\n Radiance HDR image data #!mime image/vnd.radiance
# From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf # Used by the pfstools packages. The regex matches for the image size could # probably use some work. The MIME type is made up; if there's one in # actual common use, it should replace the one below. 0 string PFS1\x0a PFS HDR image data #!mime image/x-pfs >1 regex [0-9]*\ \b, %s >>1 regex \ [0-9]{4} \bx%s
# Type: Foveon X3F # URL: http://www.photofo.com/downloads/x3f-raw-format.pdf # From: Adam Buchbinder <adam.buchbinder@gmail.com> # Note that the MIME type isn't defined anywhere that I can find; if # there's a canonical type for this format, it should replace this one. 0 string FOVb Foveon X3F raw image data !:mime image/x-x3f >6 leshort x \b, version %d. >4 leshort x \b%d >28 lelong x \b, %dx >32 lelong x \b%d
# Paint.NET file # From Adam Buchbinder <adam.buchbinder@gmail.com> 0 string PDN3 Paint.NET image data !:mime image/x-paintnet
# Not really an image. # From: "Tano M. Fotang" <mfotang@quanteq.com> 0 string \x46\x4d\x52\x00 ISO/IEC 19794-2 Format Minutiae Record (FMR)
# From: Johan van der Knijff <johan.vanderknijff@kb.nl> # # BPG (Better Portable Graphics) format # http://bellard.org/bpg/ # http://fileformats.archiveteam.org/wiki/BPG # 0 string \x42\x50\x47\xFB BPG (Better Portable Graphics) !:mime image/bpg
# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Apple_Icon_Image_format 0 string icns Mac OS X icon !:mime image/x-icns !:apple ????icns !:ext icns >4 ubelong >0 # file size >>4 ubelong x \b, %d bytes # icon type >>8 string x \b, "%4.4s" type
# TIM images 0 lelong 0x00000010 TIM image, >4 lelong 0x8 4-Bit, >4 lelong 0x9 8-Bit, >4 lelong 0x2 15-Bit, >4 lelong 0x3 24-Bit, >4 lelong &8 >>(8.l+12) leshort x Pixel at (%d, >>(8.l+14) leshort x \b%d) >>(8.l+16) leshort x Size=%dx >>(8.l+18) leshort x \b%d, >>4 lelong 0x8 16 CLUT Entries at >>4 lelong 0x9 256 CLUT Entries at >>12 leshort x (%d, >>14 leshort x \b%d) >4 lelong ^8 >>12 leshort x Pixel at (%d, >>14 leshort x \b%d) >>16 leshort x Size=%dx >>18 leshort x \b%d
# MDEC streams 0 lelong 0x80010160 MDEC video stream, >16 leshort x %dx >18 leshort x \b%d #>8 lelong x %d frames #>4 leshort x secCount=%d; #>6 leshort x nSectors=%d; #>12 lelong x frameSize=%d;
# BS encoded bitstreams 2 leshort 0x3800 BS image, >6 leshort x Version %d, >4 leshort x Quantization %d, >0 leshort x (Decompresses to %d words)
# Type: farbfeld image. # Url: http://tools.suckless.org/farbfeld/ # From: Ian D. Scott <ian@iandouglasscott.com> # 0 string farbfeld farbfeld image data, >8 ubelong x %dx >12 ubelong x \b%d
# Sega PVR (Xbox) image header. # Contains an embedded DirectDraw surface instead of PVR data. 0 name sega-pvr-xbox-dds-header >16 lelong x %d x >12 lelong x %d, >84 string x %.4s
# Sega PVR image. 0 string PVRT >0x10 string DDS\040\174\000\000\000 Sega PVR (Xbox) image: >>0x20 use sega-pvr-xbox-dds-header >0x10 belong !0x44445320 Sega PVR image: >>0 use sega-pvr-image-header
# Sega PVR image with GBIX. 0 string GBIX >0x10 string PVRT >>0x10 string DDS\040\174\000\000\000 Sega PVR (Xbox) image: >>>0x20 use sega-pvr-xbox-dds-header >>0x10 belong !0x44445320 Sega PVR image: >>>0x10 use sega-pvr-image-header >>0x08 lelong x \b, global index = %u
0 belong 0x894C4650 >4 belong 0x0D0A1A0A >12 belong 0x00000000 Lytro Light Field Picture >8 belong x \b, version %d
# Type: Vision Research Phantom CINE Format # URL: https://www.phantomhighspeed.com/ # URL2: http://phantomhighspeed.force.com/vriknowledge/servlet/fileField?id=0BEU0000000Cfyk # From: Harry Mallon <hjmallon at gmail.com> # # This has a short "CI" code but the 44 is the size of the struct which is # stable 0 string CI >2 leshort 44 Vision Research CINE Video, >>4 leshort 0 Grayscale, >>4 leshort 1 JPEG Compressed, >>4 leshort 2 RAW, >>6 leshort x version %d, >>20 lelong x %d frames, >>48 lelong x %dx >>52 lelong x \b%d
# Type: ARRI Raw Image # Info: SMPTE RDD30:2014 # From: Harry Mallon <hjmallon at gmail.com> 0 string ARRI ARRI ARI image data, >4 lelong 0x78563412 little-endian, >4 lelong 0x12345678 big-endian, >12 lelong x version %d, >20 lelong x %dx >24 lelong x \b%d
#------------------------------------------------------------------------------ # $File: inform,v 1.5 2009/09/19 16:28:09 christos Exp $ # inform: file(1) magic for Inform interactive fiction language
# URL: http://www.inform-fiction.org/ # From: Reuben Thomas <rrt@sc3d.org>
0 search/100/cW constant\ story Inform source text
#------------------------------------------------------------------------------ # $File: intel,v 1.16 2017/11/14 15:48:36 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which # is in "microsoft"). DOS is in "msdos"; the ambitious soul can do # Windows as well. # # Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and # whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere # as well, if, as, and when IBM makes it portable. # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # 0 leshort 0502 basic-16 executable >12 lelong >0 not stripped #>22 leshort >0 - version %d 0 leshort 0503 basic-16 executable (TV) >12 lelong >0 not stripped #>22 leshort >0 - version %d 0 leshort 0510 x86 executable >12 lelong >0 not stripped 0 leshort 0511 x86 executable (TV) >12 lelong >0 not stripped 0 leshort =0512 iAPX 286 executable small model (COFF) >12 lelong >0 not stripped #>22 leshort >0 - version %d 0 leshort =0522 iAPX 286 executable large model (COFF) >12 lelong >0 not stripped #>22 leshort >0 - version %d # updated by Joerg Jenderek at Oct 2015 # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html # ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file" # ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 0 leshort =0514 # use subroutine to display name+flags+variables for common object formated files >0 use display-coff #>12 lelong >0 not stripped # no hint found, that at offset 22 is version #>22 leshort >0 - version %d
# rom: file(1) magic for BIOS ROM Extensions found in intel machines # mapped into memory between 0xC0000 and 0xFFFFF # From: Alex Myczko <alex@aiei.ch> # updated by Joerg Jenderek # https://en.wikipedia.org/wiki/Option_ROM 0 beshort 0x55AA BIOS (ia32) ROM Ext. !:mime application/octet-stream !:ext rom/bin >5 string USB USB >7 string LDR UNDI image >30 string IBM IBM comp. Video >26 string Adaptec Adaptec >28 string Adaptec Adaptec >42 string PROMISE Promise >2 byte x (%d*512)
# Flash descriptors for Intel SPI flash roms. # From Dr. Jesus <j@hug.gs> 0 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step 16 lelong 0x0ff0a55a Intel serial flash for PCH ROM
#------------------------------------------------------------------------------ # $File: ispell,v 1.8 2009/09/19 16:28:10 christos Exp $ # ispell: file(1) magic for ispell # # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic # will match 0x9600 through 0x9603 in *both* little endian and big endian. # (No other current magic entries collide.) # # Updated by Daniel Quinlan (quinlan@yggdrasil.com) # 0 leshort&0xFFFC 0x9600 little endian ispell >0 byte 0 hash file (?), >0 byte 1 3.0 hash file, >0 byte 2 3.1 hash file, >0 byte 3 hash file (?), >2 leshort 0x00 8-bit, no capitalization, 26 flags >2 leshort 0x01 7-bit, no capitalization, 26 flags >2 leshort 0x02 8-bit, capitalization, 26 flags >2 leshort 0x03 7-bit, capitalization, 26 flags >2 leshort 0x04 8-bit, no capitalization, 52 flags >2 leshort 0x05 7-bit, no capitalization, 52 flags >2 leshort 0x06 8-bit, capitalization, 52 flags >2 leshort 0x07 7-bit, capitalization, 52 flags >2 leshort 0x08 8-bit, no capitalization, 128 flags >2 leshort 0x09 7-bit, no capitalization, 128 flags >2 leshort 0x0A 8-bit, capitalization, 128 flags >2 leshort 0x0B 7-bit, capitalization, 128 flags >2 leshort 0x0C 8-bit, no capitalization, 256 flags >2 leshort 0x0D 7-bit, no capitalization, 256 flags >2 leshort 0x0E 8-bit, capitalization, 256 flags >2 leshort 0x0F 7-bit, capitalization, 256 flags >4 leshort >0 and %d string characters 0 beshort&0xFFFC 0x9600 big endian ispell >1 byte 0 hash file (?), >1 byte 1 3.0 hash file, >1 byte 2 3.1 hash file, >1 byte 3 hash file (?), >2 beshort 0x00 8-bit, no capitalization, 26 flags >2 beshort 0x01 7-bit, no capitalization, 26 flags >2 beshort 0x02 8-bit, capitalization, 26 flags >2 beshort 0x03 7-bit, capitalization, 26 flags >2 beshort 0x04 8-bit, no capitalization, 52 flags >2 beshort 0x05 7-bit, no capitalization, 52 flags >2 beshort 0x06 8-bit, capitalization, 52 flags >2 beshort 0x07 7-bit, capitalization, 52 flags >2 beshort 0x08 8-bit, no capitalization, 128 flags >2 beshort 0x09 7-bit, no capitalization, 128 flags >2 beshort 0x0A 8-bit, capitalization, 128 flags >2 beshort 0x0B 7-bit, capitalization, 128 flags >2 beshort 0x0C 8-bit, no capitalization, 256 flags >2 beshort 0x0D 7-bit, no capitalization, 256 flags >2 beshort 0x0E 8-bit, capitalization, 256 flags >2 beshort 0x0F 7-bit, capitalization, 256 flags >4 beshort >0 and %d string characters # ispell 4.0 hash files kromJx <kromJx@crosswinds.net> # Ispell 4.0 0 string ISPL ispell >4 long x hash file version %d, >8 long x lexletters %d, >12 long x lexsize %d, >16 long x hashsize %d, >20 long x stblsize %d
#------------------------------------------------------------------------------ # $File: isz,v 1.4 2017/03/17 21:35:28 christos Exp $ # ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file >4 byte x \b, header size %u >5 byte x \b, version %u >8 lelong x \b, serial %u #12 leshort x \b, sector size %u #>16 lelong x \b, total sectors %u >17 byte >0 \b, password protected #>24 lequad x \b, segment size %llu #>32 lelong x \b, blocks %u #>36 lelong x \b, block size %u
#------------------------------------------------------------ # $File: java,v 1.18 2015/11/29 22:08:14 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". #------------------------------------------------------------ # Java serialization # From Martin Pool (m.pool@pharos.com.au) 0 beshort 0xaced Java serialization data >2 beshort >0x0004 \b, version %d
# Java HPROF dumps # https://java.net/downloads/heap-snapshot/hprof-binary-format.html 0 string JAVA\x20PROFILE\x201.0. >0x12 short 0 >>0x11 ushort-0x31 <2 Java HPROF dump, >>0x17 beqdate/1000 x created %s
#------------------------------------------------------------------------------ # $File: javascript,v 1.1 2012/06/16 13:30:36 christos Exp $ # javascript: magic for javascript and node.js scripts. # 0 search/1/w #!/bin/node Node.js script text executable !:mime application/javascript 0 search/1/w #!/usr/bin/node Node.js script text executable !:mime application/javascript 0 search/1/w #!/bin/nodejs Node.js script text executable !:mime application/javascript 0 search/1/w #!/usr/bin/nodejs Node.js script text executable !:mime application/javascript 0 search/1 #!/usr/bin/env\ node Node.js script text executable !:mime application/javascript 0 search/1 #!/usr/bin/env\ nodejs Node.js script text executable !:mime application/javascript 0 string/wt #!\ /usr/bin/gjs Gnome Javascript text executable !:mime text/javascript
#------------------------------------------------------------------------------ # $File: jpeg,v 1.31 2017/03/17 21:35:28 christos Exp $ # JPEG images # SunOS 5.5.1 had # # 0 string \377\330\377\340 JPEG file # 0 string \377\330\377\356 JPG file # # both of which turn into "JPEG image data" here. # 0 beshort 0xffd8 JPEG image data !:mime image/jpeg !:apple 8BIMJPEG !:strength *3 !:ext jpeg/jpg/jpe/jfif >6 string JFIF \b, JFIF standard # The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these # tests are not fool-proof since some perfectly valid JPEGs are currently # impossible to specify in magic(4) format. # First, a little JFIF version info: >>11 byte x \b %d. >>12 byte x \b%02d # Next, the resolution or aspect ratio of the image: >>13 byte 0 \b, aspect ratio >>13 byte 1 \b, resolution (DPI) >>13 byte 2 \b, resolution (DPCM) >>14 beshort x \b, density %dx >>16 beshort x \b%d >>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte !0 \b, thumbnail %dx >>>19 byte x \b%d >6 string Exif \b, Exif standard: [ >>12 indirect/r x >>12 string x \b]
# Jump to the first segment >(4.S+4) use jpeg_segment
# This uses recursion... 0 name jpeg_segment >0 beshort 0xFFFE # Recursion handled by FFE0 #>>(2.S+2) use jpeg_segment >>2 pstring/HJ x \b, comment: "%s"
>0 beshort 0xFFC0 >>(2.S+2) use jpeg_segment >>4 byte x \b, baseline, precision %d >>7 beshort x \b, %dx >>5 beshort x \b%d >>9 byte x \b, frames %d
>0 beshort 0xFFC1 >>(2.S+2) use jpeg_segment >>4 byte x \b, extended sequential, precision %d >>7 beshort x \b, %dx >>5 beshort x \b%d >>9 byte x \b, frames %d
>0 beshort 0xFFC2 >>(2.S+2) use jpeg_segment >>4 byte x \b, progressive, precision %d >>7 beshort x \b, %dx >>5 beshort x \b%d >>9 byte x \b, frames %d
# Define Huffman Tables >0 beshort 0xFFC4 >>(2.S+2) use jpeg_segment
>0 beshort 0xFFE1 # Recursion handled by FFE0 #>>(2.S+2) use jpeg_segment >>4 string Exif \b, Exif Standard: [ >>>10 indirect/r x >>>10 string x \b]
# Application specific markers >0 beshort&0xFFE0 =0xFFE0 >>(2.S+2) use jpeg_segment
# DB: Define Quantization tables # DD: Define Restart interval [XXX: wrong here, it is 4 bytes] # D8: Start of image # D9: End of image # Dn: Restart >0 beshort&0xFFD0 =0xFFD0 >>0 beshort&0xFFE0 !0xFFE0 >>>(2.S+2) use jpeg_segment
#>0 beshort x unknown 0x%x #>>(2.S+2) use jpeg_segment
# From: David Santinoli <david@santinoli.com> 0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 # From: Johan van der Knijff <johan.vanderknijff@kb.nl> # Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes # https://github.com/bitsgalore/jp2kMagic # # Now read value of 'Brand' field, which yields a few possibilities: >20 string \x6a\x70\x32\x20 Part 1 (JP2) !:mime image/jp2 >20 string \x6a\x70\x78\x20 Part 2 (JPX) !:mime image/jpx >20 string \x6a\x70\x6d\x20 Part 6 (JPM) !:mime image/jpm >20 string \x6d\x6a\x70\x32 Part 3 (MJ2) !:mime video/mj2
# This magic entry is for demonstration purposes and could be improved # if the following features were implemented in file: # # Strings inside [[ .. ]] in the descriptions have special meanings and # are not printed. # # - Provide some form of iteration in number of components # [[${counter}=%d]] in the description # then append # [${counter}--] in the offset of the entries # - Provide a way to round the next offset # Add [R:4] after the offset? # - Provide a way to have optional entries # XXX: Syntax: # - Provide a way to "save" entries to print them later. # if the description is [[${name}=%s]], then nothing is # printed and a subsequent entry in the same magic file # can refer to ${name} # - Provide a way to format strings as hex values # # http://www.gnu.org/software/shishi/manual/html_node/\ # The-Keytab-Binary-File-Format.html #
0 name keytab_entry #>0 beshort x \b, size=%d #>2 beshort x \b, components=%d >4 pstring/H x \b, realm=%s >>&0 pstring/H x \b, principal=%s/ >>>&0 pstring/H x \b%s >>>>&0 belong x \b, type=%d >>>>>&0 bedate x \b, date=%s >>>>>>&0 byte x \b, kvno=%u #>>>>>>>&0 pstring/H x #>>>>>>>>&0 belong x #>>>>>>>>>>&0 use keytab_entry
0 belong 0x05020000 Kerberos Keytab file >4 use keytab_entry
#------------------------------------------------------------------------------ # $File: kml,v 1.4 2017/03/17 21:35:28 christos Exp $ # Type: Google KML, formerly Keyhole Markup Language # Future development of this format has been handed # over to the Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> 0 string/t \<?xml >20 search/400 \ xmlns= >>&0 regex ['"]http://earth.google.com/kml Google KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string 2.0' \b, version 2.0 >>>&1 string 2.1' \b, version 2.1 >>>&1 string 2.2' \b, version 2.2
#------------------------------------------------------------------------------ # Type: OpenGIS KML, formerly Keyhole Markup Language # This standard is maintained by the # Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> >>&0 regex ['"]http://www.opengis.net/kml OpenGIS KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string/t 2.2 \b, version 2.2
#------------------------------------------------------------------------------ # $File: lecter,v 1.4 2009/09/19 16:28:10 christos Exp $ # DEC SRC Virtual Paper: Lectern files # Karl M. Hegbloom <karlheg@inetarena.com> 0 string lect DEC SRC Virtual Paper Lectern file
#------------------------------------------------------------------------------ # $File: lex,v 1.6 2009/09/19 16:28:10 christos Exp $ # lex: file(1) magic for lex # # derived empirically, your offsets may vary! 0 search/100 yyprevious C program text (from lex) >3 search/1 >\0 for %s # C program text from GNU flex, from Daniel Quinlan <quinlan@yggdrasil.com> 0 search/100 generated\ by\ flex C program text (from flex) # lex description file, from Daniel Quinlan <quinlan@yggdrasil.com> 0 search/1 %{ lex description text
#------------------------------------------------------------------------------ # $File: linux,v 1.64 2017/03/17 21:35:28 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> # The following basic Linux magic is useful for reference, but using # "long" magic is a better practice in order to avoid collisions. # # 2 leshort 100 Linux/i386 # >0 leshort 0407 impure executable (OMAGIC) # >0 leshort 0410 pure executable (NMAGIC) # >0 leshort 0413 demand-paged executable (ZMAGIC) # >0 leshort 0314 demand-paged executable (QMAGIC) # 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC) >16 lelong 0 \b, stripped # 0 string \007\001\000 Linux/i386 object file >20 lelong >0x1020 \b, DLL library # Linux-8086 stuff: 0 string \01\03\020\04 Linux-8086 impure executable >28 long !0 not stripped 0 string \01\03\040\04 Linux-8086 executable >28 long !0 not stripped # 0 string \243\206\001\0 Linux-8086 object file # 0 string \01\03\020\20 Minix-386 impure executable >28 long !0 not stripped 0 string \01\03\040\20 Minix-386 executable >28 long !0 not stripped 0 string \01\03\04\20 Minix-386 NSYM/GNU executable >28 long !0 not stripped # core dump file, from Bill Reynolds <bill@goshawk.lanl.gov> 216 lelong 0421 Linux/i386 core file !:strength / 2 >220 string >\0 of '%s' >200 lelong >0 (signal %d) # # LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com> # this can be overridden by the DOS executable (COM) entry 2 string LILO Linux/i386 LILO boot/chain loader # # Linux make config build file, from Ole Aamot <oka@oka.no> # Updated by Ken Sharp 28 string make\ config Linux make config build file (old) 49 search/70 Kernel\ Configuration Linux make config build file
# # PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com> # Updated by Adam Buchbinder <adam.buchbinder@gmail.com> # See: http://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html 0 leshort 0x0436 Linux/i386 PC Screen Font v1 data, >2 byte&0x01 0 256 characters, >2 byte&0x01 !0 512 characters, >2 byte&0x02 0 no directory, >2 byte&0x02 !0 Unicode directory, >3 byte >0 8x%d 0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data, >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, >24 lelong x %d >28 lelong x \bx%d
# Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com> 4086 string SWAP-SPACE Linux/i386 swap file # From: Jeff Bailey <jbailey@ubuntu.com> # Linux swap file with swsusp1 image, from Jeff Bailey <jbailey@ubuntu.com> 4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image # From: James Hunt <james.hunt@ubuntu.com> 4076 string SWAPSPACE2LINHIB0001 Linux/i386 swap file (new style) (compressed hibernate) # according to man page of mkswap (8) March 1999 # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 4086 string SWAPSPACE2 Linux/i386 swap file (new style), >0x400 long x version %d (4K pages), >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x # From Daniel Novotny <dnovotny@redhat.com> # swap file for PowerPC 65526 string SWAPSPACE2 Linux/ppc swap file >0x400 long x version %d, >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x 16374 string SWAPSPACE2 Linux/ia64 swap file # # Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu> # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de> # and Nicolas Lichtmaier <nick@debian.org> # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) 514 string HdrS Linux kernel !:strength + 55 >510 leshort 0xAA55 x86 boot executable >>518 leshort >0x1ff >>>529 byte 0 zImage, >>>529 byte 1 bzImage, >>>526 lelong >0 >>>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, >>508 leshort >0 root_dev 0x%X, >>502 leshort >0 swap_dev 0x%X, >>504 leshort >0 RAMdisksize %u KB, >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA >>506 leshort 0xFFFD Prompt for Videomode >>506 leshort >0 Video mode %d # This also matches new kernels, which were caught above by "HdrS". 0 belong 0xb8c0078e Linux kernel >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times
# System.map files - Nicolas Lichtmaier <nick@debian.org> 8 search/1 \ A\ _text Linux kernel symbol map text
# LSM entries - Nicolas Lichtmaier <nick@debian.org> 0 search/1 Begin3 Linux Software Map entry text 0 search/1 Begin4 Linux Software Map entry text (new format)
# From Matt Zimmerman, enhanced for v3 by Matthew Palmer 0 belong 0x4f4f4f4d User-mode Linux COW file >4 belong <3 \b, version %d >>8 string >\0 \b, backing file %s >4 belong >2 \b, version %d >>32 string >\0 \b, backing file %s
############################################################################ # Linux kernel versions
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux >497 leshort 0 x86 boot sector >>514 belong 0x8e of a kernel from the dawn of time! >>514 belong 0x908ed8b4 version 0.99-1.1.42 >>514 belong 0x908ed8b8 for memtest86
# Linux ARM compressed kernel image # From: Kevin Cernekee <cernekee@gmail.com> 36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian) 36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian)
# SYSLINUX boot logo files (from 'ppmtolss16' sources) # http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: # file extension .lss .16 0 lelong =0x1413f33d SYSLINUX' LSS16 image data # syslinux-4.05/mime/image/x-lss16.xml !:mime image/x-lss16 >4 leshort x \b, width %d >6 leshort x \b, height %d
0 string OOOM User-Mode-Linux's Copy-On-Write disk image >4 belong x version %d
# SE Linux policy database # From: Mike Frysinger <vapier@gentoo.org> 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons
# Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net> # # System ID, UUID and volume group name are 128 bytes long # but they should never be full and initialized with zeros... # # LVM1 # 0x0 string HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string >\0 , System ID: %s
0x0 string HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string >\0 , System ID: %s
# LVM2 # # It seems that the label header can be in one the four first sector # of the disk... (from _find_labeller in lib/label/label.c of LVM2) # # 0x200 seems to be the common case
0x218 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) # read the offset to add to the start of the header, and the header # start in 0x200 >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld
0x018 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld
0x418 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld
0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld
# LVM snapshot # from Jason Farrel 0 string SnAp LVM Snapshot (CopyOnWrite store) >4 lelong !0 - valid, >4 lelong 0 - invalid, >8 lelong x version %d, >12 lelong x chunk_size %d
# SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons
# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec # Anthon van der Neut (anthon@mnt.org) 0 string LUKS\xba\xbe LUKS encrypted file, >6 beshort x ver %d >8 string x [%s, >40 string x %s, >72 string x %s] >168 string x UUID: %s
# Systemd journald files # See http://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
# check magic 0 string LPKSHHRH # check that state is one of known values >16 ubyte&252 0 # check that each half of three unique id128s is non-zero >>24 ubequad >0 >>>32 ubequad >0 >>>>40 ubequad >0 >>>>>48 ubequad >0 >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file !:mime application/octet-stream # provide more info >>>>>>>>184 leqdate 0 empty >>>>>>>>16 ubyte 0 \b, offline >>>>>>>>16 ubyte 1 \b, online >>>>>>>>16 ubyte 2 \b, archived >>>>>>>>8 ulelong&1 1 \b, sealed >>>>>>>>12 ulelong&1 1 \b, compressed
# BCache backing and cache devices # From: Gabriel de Perthuis <g2p.code@gmail.com> 0x1008 lequad 8 >0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache >>0x1010 ulequad 0 cache device >>0x1010 ulequad 1 backing device >>0x1010 ulequad 3 cache device >>0x1010 ulequad 4 backing device >>0x1048 string >0 \b, label "%.32s" >>0x1028 ubelong x \b, uuid %08x >>0x102c ubeshort x \b-%04x >>0x102e ubeshort x \b-%04x >>0x1030 ubeshort x \b-%04x >>0x1032 ubelong x \b-%08x >>0x1036 ubeshort x \b%04x >>0x1038 ubelong x \b, set uuid %08x >>0x103c ubeshort x \b-%04x >>0x103e ubeshort x \b-%04x >>0x1040 ubeshort x \b-%04x >>0x1042 ubelong x \b-%08x >>0x1046 ubeshort x \b%04x
# Linux device tree: # File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed # structure and strings must be within blob >&(8.L) byte x >>&(12.L) byte x >>>20 belong >1 Device Tree Blob version %d >>>>4 belong x \b, size=%d >>>>20 belong >1 >>>>>28 belong x \b, boot CPU=%d >>>>20 belong >2 >>>>>32 belong x \b, string block size=%d >>>>20 belong >16 >>>>>36 belong x \b, DT structure block size=%d
# glibc locale archive as defined in glibc locale/locarchive.h 0 lelong 0xde020109 locale archive >24 lelong x %d strings
# Linux Software RAID (mdadm) # Russell Coker <russell@coker.com.au> 0 name linuxraid >16 belong x UUID=%8x: >20 belong x \b%8x: >24 belong x \b%8x: >28 belong x \b%8x >32 string x name=%s >72 lelong x level=%d >92 lelong x disks=%d
4096 lelong 0xa92b4efc Linux Software RAID >4100 lelong x version 1.2 (%d) >4096 use linuxraid
0 lelong 0xa92b4efc Linux Software RAID >4 lelong x version 1.1 (%d) >0 use linuxraid
# Summary: Database file for mlocate # Description: A database file as used by mlocate, a fast implementation # of locate/updatedb. It uses merging to reuse the existing # database and avoid rereading most of the filesystem. It's # the default version of locate on Arch Linux (and others). # File path: /var/lib/mlocate/mlocate.db by default (but configurable) # Site: https://fedorahosted.org/mlocate/ # Format docs: http://linux.die.net/man/5/mlocate.db # Type: mlocate database file # URL: https://fedorahosted.org/mlocate/ # From: Wander Nauta <info@wandernauta.nl> 0 string \0mlocate mlocate database >12 byte x \b, version %d >13 byte 1 \b, require visibility >16 string x \b, root %s
# Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 # From: Pavel Emelyanov <xemul@parallels.com> 0 lelong 0x45311224 iproute2 routes dump 0 lelong 0x47361222 iproute2 addresses dump
# Image and service files for CRIU tool. # URL: http://criu.org # From: Pavel Emelyanov <xemul@parallels.com> 0 lelong 0x54564319 CRIU image file v1.1 0 lelong 0x55105940 CRIU service file 0 lelong 0x58313116 CRIU inventory
#------------------------------------------------------------------------------ # $File: lisp,v 1.25 2017/03/17 21:35:28 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
# updated by Joerg Jenderek # GRR: This lot is too weak #0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end #>2 search/4096 !\r Lisp/Scheme program text #>2 search/4096 \r Windows INF file
0 search/4096 (setq\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (defvar\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (defparam\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (defun\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (autoload\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (custom-set-variables\ Lisp/Scheme program text !:mime text/x-lisp
# URL: https://en.wikipedia.org/wiki/Emacs_Lisp # Reference: http://ftp.gnu.org/old-gnu/emacs/elisp-manual-18-1.03.tar.gz # Update: Joerg Jenderek # Emacs 18 - this is always correct, but not very magical. 0 string \012( # look for emacs lisp keywords # GRR: split regex because it is too long or get error like # lisp, 36: Warning: cannot get string from `^(defun|defvar|defconst|defmacro|setq|fset|put|provide|require|' >&0 regex \^(defun|defvar|defconst|defmacro|setq|fset) Emacs v18 byte-compiled Lisp data !:mime application/x-elc # https://searchcode.com/codesearch/view/2173420/ # not really pure text !:apple EMAxTEXT !:ext elc # remaining regex >&0 regex \^(put|provide|require|random) Emacs v18 byte-compiled Lisp data !:mime application/x-elc !:apple EMAxTEXT !:ext elc # missed cl.elc dbx.elc simple.elc look like normal lisp starting with ;;;
# Emacs 19+ - ver. recognition added by Ian Springer # Also applies to XEmacs 19+ .elc files; could tell them apart with regexs # - Chris Chittleborough <cchittleborough@yahoo.com.au> # Update: Joerg Jenderek 0 string ;ELC # version\0\0\0 >4 byte >18 Emacs/XEmacs v%d byte-compiled Lisp data # why less than 32 ? does not make sense to me. GNU Emacs version is 24.5 at April 2015 #>4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data !:mime application/x-elc !:apple EMAxTEXT !:ext elc
# Files produced by CLISP Common Lisp From: Bruno Haible <haible@ilog.fr> 0 string (SYSTEM::VERSION\040' CLISP byte-compiled Lisp program (pre 2004-03-27) 0 string (|SYSTEM|::|VERSION|\040' CLISP byte-compiled Lisp program text
0 long 0x70768BD2 CLISP memory image data 0 long 0xD28B7670 CLISP memory image data, other endian
#.com and .bin for MIT scheme 0 string \372\372\372\372 MIT scheme (library?)
# From: David Allouche <david@allouche.net> 0 search/1 \<TeXmacs| TeXmacs document text !:mime text/texmacs
#------------------------------------------------------------------------------ # $File: llvm,v 1.8 2013/01/12 03:09:51 christos Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: http://llvm.org/docs/BitCodeFormat.html # From: Al Stone <ahs3@fc.hp.com>
# Lua bytecode 0 string \033Lua Lua bytecode, >4 byte 0x50 version 5.0 >4 byte 0x51 version 5.1 >4 byte 0x52 version 5.2
#------------------------------------------------------------------------------ # $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ # luks: file(1) magic for Linux Unified Key Setup # URL: http://luks.endorphin.org/spec # From: Anthon van der Neut <anthon@mnt.org>
0 string LUKS\xba\xbe LUKS encrypted file, >6 beshort x ver %d >8 string x [%s, >40 string x %s, >72 string x %s] >168 string x UUID: %s #------------------------------------------------------------------------------ # $File: m4,v 1.2 2017/08/14 07:40:38 christos Exp $ # make: file(1) magic for M4 scripts # 0 regex \^dnl\ M4 macro processor script text !:mime text/x-m4 0 regex \^AC_DEFUN\\(\\[ M4 macro processor script text !:strength + 15 !:mime text/x-m4
#------------------------------------------------------------ # $File: mach,v 1.23 2015/10/15 21:51:22 christos Exp $ # Mach has two magic numbers, 0xcafebabe and 0xfeedface. # Unfortunately the first, cafebabe, is shared with # Java ByteCode, so they are both handled in the file "cafebabe". # The "feedface" ones are handled herein. #------------------------------------------------------------ # if set, it's for the 64-bit version of the architecture # yes, this is separate from the low-order magic number bit # it's also separate from the "64-bit libraries" bit in the # upper 8 bits of the CPU subtype
#------------------------------------------------------------------------------ # $File: macintosh,v 1.28 2017/12/05 02:17:48 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 string must\ be\ converted\ with\ BinHex BinHex binary text !:mime application/mac-binhex40 >41 string x \b, version %.3s
# Stuffit archives are the de facto standard of compression for Macintosh # files obtained from most archives. (franklsm@tuns.ca) 0 string SIT! StuffIt Archive (data) !:mime application/x-stuffit !:apple SIT!SIT! >2 string x : %s 0 string SITD StuffIt Deluxe (data) >2 string x : %s 0 string Seg StuffIt Deluxe Segment (data) >2 string x : %s
# Macintosh Applications and Installation binaries (franklsm@tuns.ca) # GRR: Too weak #0 string APPL Macintosh Application (data) #>2 string x \b: %s
# Macintosh System files (franklsm@tuns.ca) # GRR: Too weak #0 string zsys Macintosh System File (data) #0 string FNDR Macintosh Finder (data) #0 string libr Macintosh Library (data) #>2 string x : %s #0 string shlb Macintosh Shared Library (data) #>2 string x : %s #0 string cdev Macintosh Control Panel (data) #>2 string x : %s #0 string INIT Macintosh Extension (data) #>2 string x : %s #0 string FFIL Macintosh Truetype Font (data) #>2 string x : %s #0 string LWFN Macintosh Postscript Font (data) #>2 string x : %s
# Additional Macintosh Files (franklsm@tuns.ca) # GRR: Too weak #0 string PACT Macintosh Compact Pro Archive (data) #>2 string x : %s #0 string ttro Macintosh TeachText File (data) #>2 string x : %s #0 string TEXT Macintosh TeachText File (data) #>2 string x : %s #0 string PDF Macintosh PDF File (data) #>2 string x : %s
# MacBinary format (Eric Fischer, enf@pobox.com) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/MacBinary # Reference: http://files.stairways.com/other/macbinaryii-standard-info.txt # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. #
# old version number, must be kept at zero for compatibility 0 byte 0 # length of filename (must be in the range 1-63) >1 ubyte >0 # skip T.PIC.LZ INSTRUMENT.7T INVENTORY >>1 ubyte <64 # skip Docs.MWII ReadMe.MacWrite "Notes (MacWrite II)" # by looking for printable characters at beginning of file name >>>2 ubelong >0x1F000000 # zero fill, must be zero for compatibility >>>>74 byte 0 # zero fill, must be zero for compatibility >>>>>82 byte 0 # MacBinary I test for valid version numbers >>>>>>122 ubeshort 0 # additional check for creation date after 1 Jan 1970 ~ 7C25B080h #>>>>>>>91 ubelong >0x7c25b07F # additional check for undefined header fields in MacBinary I #>>>>>>>101 ulong 0 >>>>>>>0 use mac-bin # MacBinary II the newer versions begins at 129 >>>>>>122 ubeshort 0x8181 >>>>>>>0 use mac-bin # MacBinary III with MacBinary II to read >>>>>122 ubeshort 0x8281 >>>>>>0 use mac-bin
# display information of MacBinary file 0 name mac-bin >122 ubyte x MacBinary # versions for MacBinary II/III >122 ubyte 129 II >122 ubyte 130 III # only in MacBinary III >>102 string !mBIN with surprising version !:mime application/x-macbinary !:apple PSPTBINA !:ext bin/macbin # THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified as MacBinary #>1 ubyte >63 \b, name length %u too BIG! #>122 ubeshort x \b, version 0x%x # Finder flags if not 0 # >73 byte !0 \b, flags 0x # >73 byte =0 # >>101 byte !0 \b, flags 0x # # original Finder flags (Bits 8-15) # >73 byte !0 \b%x # # finder flags, bits 0-7 # >101 byte !0 \b%x >73 byte &0x01 \b, inited >73 byte &0x02 \b, changed >73 byte &0x04 \b, busy >73 byte &0x08 \b, bozo >73 byte &0x10 \b, system >73 byte &0x20 \b, bundle >73 byte &0x40 \b, invisible >73 byte &0x80 \b, locked
# 75 beshort # vertical posn in window #>75 beshort !0 \b, v.pos %u # 77 beshort # horiz posn in window #>77 beshort !0 \b, h.pos %u # 79 beshort # window or folder ID >79 ubeshort !0 \b, ID 0x%x # protected flag >81 byte !0 \b, protected 0x%x # length of comment after resource >99 ubeshort !0 \b, comment length %u # char. code of file name >106 ubyte !0 \b, char. code 0x%x # still more Finder flags >107 ubyte !0 \b, more flags 0x%x # length of total files when unpacked only used when pack and unpack on the fly >116 ubelong !0 \b, total length %u # 120 beshort # length of add'l header >120 ubeshort !0 \b, 2nd header length %u # 124 beshort # checksum #>124 ubeshort !0 \b, CRC 0x%x # creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 >91 beldate-0x7C25B080 x \b, %s # THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified or time overflow >91 ubelong <0x7c25b080 INVALID date #>91 belong-0x7C25B080 x \b, DEBUG DATE %d # last modified date >95 beldate-0x7C25B080 x \b, modified %s # Apple creator+typ if not null # file creator (normally expressed as four characters) >69 ulong !0 \b, creator # instead 4 character code display full creator name >>69 use apple-creator # file type (normally expressed as four characters) >65 ulong !0 \b, type >>65 use apple-type # length of data segment >83 ubelong !0 \b, %u bytes # filename (in the range 1-63) >1 pstring x "%s" # print 1 space and then at offset 128 inspect data fork content if it has one >83 ubelong !0 \b >>128 indirect x # Afterwards resource fork if length of resource segment not zero >87 ubelong !0 # calculate resource fork offset >>83 ubelong+128 x \b, at 0x%x # length of resource segment >>87 ubelong !0 %u bytes >>(83.S+128) ubequad x resource # further resource fork content inspection >>>&-8 indirect x
# Apple Type/Creator Database # URL: https://en.wikipedia.org/wiki/Type_code # Reference: http://www.lacikam.co.il/tcdb/ # http://www.macdisk.com/macsigen.php # Note: classic Mac OS files have two 4 character codes for type and creator. # Thereby the Finder attach documents types to applications.
#>65 string x \b, type "%4.4s"
# display information about apple type 0 name apple-type >0 string 8BIM PhotoShop >0 string ALB3 PageMaker 3 >0 string ALB4 PageMaker 4 >0 string ALT3 PageMaker 3 >0 string APPL application >0 string AWWP AppleWorks word processor >0 string CIRC simulated circuit >0 string DRWG MacDraw >0 string EPSF Encapsulated PostScript >0 string FFIL font suitcase >0 string FKEY function key >0 string FNDR Macintosh Finder >0 string GIFf GIF image >0 string Gzip GNU gzip >0 string INIT system extension >0 string LIB\ library >0 string LWFN PostScript font >0 string MSBC Microsoft BASIC >0 string PACT Compact Pro archive >0 string PDF\ Portable Document Format >0 string PICT picture >0 string PNTG MacPaint picture >0 string PREF preferences >0 string PROJ Think C project >0 string QPRJ Think Pascal project >0 string SCFL Defender scores >0 string SCRN startup screen >0 string SITD StuffIt Deluxe >0 string SPn3 SuperPaint >0 string STAK HyperCard stack >0 string Seg\ StuffIt segment >0 string TARF Unix tar archive >0 string TEXT ASCII >0 string TIFF TIFF image >0 string TOVF Eudora table of contents >0 string WDBN Microsoft Word word processor >0 string WORD MacWrite word processor >0 string XLS\ Microsoft Excel >0 string ZIVM compress (.Z) >0 string ZSYS Pre-System 7 system file >0 string acf3 Aldus FreeHand >0 string cdev control panel >0 string dfil Desk Accessory suitcase >0 string libr library >0 string nX^d WriteNow word processor >0 string nX^w WriteNow dictionary >0 string rsrc resource >0 string scbk Scrapbook >0 string shlb shared library >0 string ttro SimpleText read-only >0 string zsys system file
# additional types added in Dec 2017 >0 string BINA binary file >0 string BMPp BMP image >0 string JPEG JPEG image #>0 string W4BN Microsoft Word x.y word processor? # if type name is not known display 4 character identifier >0 default x >>0 string x '%4.4s'
#>69 string x \b, creator "%4.4s"
# Now Apple has no repository of registered Creator IDs any more. These are # just the ones that I happened to have files from and was able to identify.
# display information about apple creator 0 name apple-creator >0 string 8BIM Adobe Photoshop >0 string ALD3 PageMaker 3 >0 string ALD4 PageMaker 4 >0 string ALFA Alpha editor >0 string APLS Apple Scanner >0 string APSC Apple Scanner >0 string BRKL Brickles >0 string BTFT BitFont >0 string CCL2 Common Lisp 2 >0 string CCL\ Common Lisp >0 string CDmo The Talking Moose >0 string CPCT Compact Pro >0 string CSOm Eudora >0 string DMOV Font/DA Mover >0 string DSIM DigSim >0 string EDIT Macintosh Edit >0 string ERIK Macintosh Finder >0 string EXTR self-extracting archive >0 string Gzip GNU gzip >0 string KAHL Think C >0 string LWFU LaserWriter Utility >0 string LZIV compress >0 string MACA MacWrite >0 string MACS Macintosh operating system >0 string MAcK MacKnowledge terminal emulator >0 string MLND Defender >0 string MPNT MacPaint >0 string MSBB Microsoft BASIC (binary) >0 string MSWD Microsoft Word >0 string NCSA NCSA Telnet >0 string PJMM Think Pascal >0 string PSAL Hunt the Wumpus #>0 string PSI2 Apple File Exchange >0 string R*ch BBEdit >0 string RMKR Resource Maker >0 string RSED Resource Editor >0 string Rich BBEdit >0 string SIT! StuffIt >0 string SPNT SuperPaint >0 string Unix NeXT Mac filesystem >0 string VIM! Vim editor >0 string WILD HyperCard >0 string XCEL Microsoft Excel >0 string aCa2 Fontographer >0 string aca3 Aldus FreeHand >0 string dosa Macintosh MS-DOS file system >0 string movr Font/DA Mover >0 string nX^n WriteNow >0 string pdos Apple ProDOS file system >0 string scbk Scrapbook >0 string ttxt SimpleText >0 string ufox Foreign File Access # additional creators added in Dec 2017 # Claris/Apple Works >0 string BOBO Apple Works # CU-SeeMe_0.87b3_(68K).bin #>0 string CUce bar >0 string PSPT Apple File Exchange # Disk_Copy_4.2.sea.bin #>0 string NCse foo # probably StuffIt/Aladdin by Smith Micro Software, Inc. >0 string STi0 stuffit # MacGzip-1.1.3.sea.bin #>0 string aust bar # D-Disk_Copy_6.3.3.smi.bin >0 string oneb Disk Copy Self Mounting # if creator name is not known display 4 character identifier >0 default x >>0 string x '%4.4s'
# sas magic from Bruce Foster (bef@nwu.edu) # #0 string SAS SAS #>8 string x %s 0 string SAS SAS >24 string DATA data file >24 string CATALOG catalog >24 string INDEX data file index >24 string VIEW data view # sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com) # 0x54 string SAS SAS 7+ >0x9C string DATA data file >0x9C string CATALOG catalog >0x9C string INDEX data file index >0x9C string VIEW data view
# spss magic for SPSS system and portable files, # from Bruce Foster (bef@nwu.edu).
0 long 0xc1e2c3c9 SPSS Portable File >40 string x %s
0 string $FL2 SPSS System File >24 string x %s
0 string $FL3 SPSS System File >24 string x %s
# Macintosh filesystem data # From "Tom N Harris" <telliamed@mac.com> # Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net> # The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these # entries depend on the data arithmetic added after v.35 # There's also some Pascal strings in here, ditto...
# The boot block signature, according to IM:Files, is # "for HFS volumes, this field always contains the value 0x4C4B." # But if this is true for MFS or HFS+ volumes, I don't know. # Alternatively, the boot block is supposed to be zeroed if it's # unused, so a simply >0 should suffice.
0x400 beshort 0xD2D7 Macintosh MFS data >0 beshort 0x4C4B (bootable) >0x40a beshort &0x8000 (locked) >0x402 beldate-0x7C25B080 x created: %s, >0x406 beldate-0x7C25B080 >0 last backup: %s, >0x414 belong x block size: %d, >0x412 beshort x number of blocks: %d, >0x424 pstring x volume name: %s
# *.hfs updated by Joerg Jenderek # http://en.wikipedia.org/wiki/Hierarchical_File_System # "BD" gives many false positives 0x400 beshort 0x4244 # ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h # first block of volume bit map (always 3) >0x40e ubeshort 0x0003 # maximal length of volume name is 27 >>0x424 ubyte <28 Macintosh HFS data !:mime application/x-apple-diskimage #!:apple hfsdINIT #!:apple MACSdisk # http://www.macdisk.com/macsigen.php #!:apple ddskdevi !:apple ????devi # https://en.wikipedia.org/wiki/Apple_Disk_Image !:ext hfs/dmg >>>0 beshort 0x4C4B (bootable) #>>>0 beshort 0x0000 (not bootable) >>>0x40a beshort &0x8000 (locked) >>>0x40a beshort ^0x0100 (mounted) >>>0x40a beshort &0x0200 (spared blocks) >>>0x40a beshort &0x0800 (unclean) >>>0x47C beshort 0x482B (Embedded HFS+ Volume) # http://www.epochconverter.com/ # 0x7C245F00 seconds ~ 2082758400 ~ 01 Jan 2036 00:00:00 ~ 66 years to 1970 # 0x7C25B080 seconds ~ 2082844800 ~ 02 Jan 2036 00:00:00 # construct not working #>>>0x402 beldate-0x7C25B080 x created: %s, #>>>0x406 beldate-0x7C25B080 x last modified: %s, #>>>0x440 beldate-0x7C25B080 >0 last backup: %s, # found block sizes 200h,1200h,2800h >>>0x414 belong x block size: %d, >>>0x412 beshort x number of blocks: %d, >>>0x424 pstring x volume name: %s
0x400 beshort 0x482B Macintosh HFS Extended >&0 beshort x version %d data >0 beshort 0x4C4B (bootable) >0x404 belong ^0x00000100 (mounted) >&2 belong &0x00000200 (spared blocks) >&2 belong &0x00000800 (unclean) >&2 belong &0x00008000 (locked) >&6 string x last mounted by: '%.4s', # really, that should be treated as a belong and we print a string # based on the value. TN1150 only mentions '8.10' for "MacOS 8.1" >&14 beldate-0x7C25B080 x created: %s, # only the creation date is local time, all other timestamps in HFS+ are UTC. >&18 bedate-0x7C25B080 x last modified: %s, >&22 bedate-0x7C25B080 >0 last backup: %s, >&26 bedate-0x7C25B080 >0 last checked: %s, >&38 belong x block size: %d, >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d
## AFAIK, only the signature is different # same as Apple Partition Map # GRR: This magic is too weak, it is just "TS" #0x200 beshort 0x5453 Apple Old Partition data #>0x2 beshort x block size: %d, #>0x230 string x first type: %s, #>0x210 string x name: %s, #>0x254 belong x number of blocks: %d, #>0x400 beshort 0x504D #>>0x430 string x second type: %s, #>>0x410 string x name: %s, #>>0x454 belong x number of blocks: %d, #>>0x800 beshort 0x504D #>>>0x830 string x third type: %s, #>>>0x810 string x name: %s, #>>>0x854 belong x number of blocks: %d, #>>>0xa00 beshort 0x504D #>>>>0xa30 string x fourth type: %s, #>>>>0xa10 string x name: %s, #>>>>0xa54 belong x number of blocks: %d
# From: Remi Mommsen <mommsen@slac.stanford.edu> 0 string BOMStore Mac OS X bill of materials (BOM) file
# From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://en.wikipedia.org/wiki/Datafork_TrueType # Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is # TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I # don't know what they mean. 0 belong 0x100 >(0x4.L+24) beshort x >>&4 belong 0x73666e74 Mac OSX datafork font, TrueType >>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' >>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' >>&4 belong 0x504f5354 Mac OSX datafork font, PostScript
0 string book\0\0\0\0mark\0\0\0\0 MacOS Alias file
#------------------------------------------------------------------------------ # $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ # magic: file(1) magic for magic files # 0 string/t #\ Magic magic text file for file(1) cmd 0 lelong 0xF11E041C magic binary file for file(1) cmd >4 lelong x (version %d) (little endian) 0 belong 0xF11E041C magic binary file for file(1) cmd >4 belong x (version %d) (big endian) #------------------------------------------------------------------------------ # $File: mail.news,v 1.23 2015/06/29 14:44:26 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. #0 string From mail text 0 string/t Relay-Version: old news text !:mime message/rfc822 0 string/t #!\ rnews batched news text !:mime message/rfc822 0 string/t N#!\ rnews mailed, batched news text !:mime message/rfc822 0 string/t Forward\ to mail forwarding text !:mime message/rfc822 0 string/t Pipe\ to mail piping text !:mime message/rfc822 0 string/tc delivered-to: SMTP mail text !:mime message/rfc822 0 string/tc return-path: SMTP mail text !:mime message/rfc822 0 string/t Path: news text !:mime message/news 0 string/t Xref: news text !:mime message/news 0 string/t From: news or mail text !:mime message/rfc822 0 string/t Article saved news text !:mime message/news 0 string/t BABYL Emacs RMAIL text 0 string/t Received: RFC 822 mail text !:mime message/rfc822 0 string/t MIME-Version: MIME entity text #0 string/t Content- MIME entity text
# TNEF files... 0 lelong 0x223E9F78 Transport Neutral Encapsulation Format !:mime application/vnd.ms-tnef
# From: Kevin Sullivan <ksulliva@psc.edu> 0 string *mbx* MBX mail folder
# From: Simon Matter <simon.matter@invoca.ch> 0 string \241\002\213\015skiplist\ file\0\0\0 Cyrus skiplist DB 0 string \241\002\213\015twoskip\ file\0\0\0\0 Cyrus twoskip DB
# JAM(mbp) Fidonet message area databases # JHR file 0 string JAM\0 JAM message area header file >12 leshort >0 (%d messages)
# Squish Fidonet message area databases # SQD file (requires at least one message in the area) # XXX: Weak magic #256 leshort 0xAFAE4453 Squish message area data file #>4 leshort >0 (%d messages)
# Cyrus: file(1) magic for compiled Cyrus sieve scripts # URL: http://www.cyrusimap.org/docs/cyrus-imapd/2.4.6/internal/bytecode.php # URL: http://git.cyrusimap.org/cyrus-imapd/tree/sieve/bytecode.h?h=master # From: Philipp Hahn <hahn@univention.de>
# Compiled Cyrus sieve script 0 string CyrSBytecode Cyrus sieve bytecode data, >12 belong =1 version 1, big-endian >12 lelong =1 version 1, little-endian >12 belong x version %d, network-endian #------------------------------------------------------------------------------ # $File: make,v 1.3 2016/12/10 14:21:29 christos Exp $ # make: file(1) magic for makefiles # # URL: https://en.wikipedia.org/wiki/Make_(software) 0 regex/100l \^CFLAGS makefile script text !:mime text/x-makefile 0 regex/100l \^VPATH makefile script text !:mime text/x-makefile 0 regex/100l \^LDFLAGS makefile script text !:mime text/x-makefile 0 regex/100l \^all: makefile script text !:mime text/x-makefile 0 regex/100l \^\\.PRECIOUS makefile script text !:mime text/x-makefile # Update: Joerg Jenderek # Reference: https://www.freebsd.org/cgi/man.cgi?make(1) # exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST" # by additional escaping point character 0 regex/100l \^\\.BEGIN BSD makefile script text with "%s" !:mime text/x-makefile !:ext /mk # exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT" # and NSIS script with "!include" by additional escaping point character 0 regex/100l \^\\.include BSD makefile script text with "%s" !:mime text/x-makefile !:ext /mk 0 regex/100l \^SUBDIRS automake makefile script text !:mime text/x-makefile
#------------------------------------------------------------------------------ # $File: map,v 1.4 2015/08/10 05:18:27 christos Exp $ # map: file(1) magic for Map data #
# Garmin .FIT files http://pub.ks-and-ks.ne.jp/cycling/edge500_fit.shtml 8 string .FIT FIT Map data >15 byte 0 >>35 belong x \b, unit id %d >>39 lelong x \b, serial %u # http://pub.ks-and-ks.ne.jp/cycling/edge500_fit.shtml # 20 years after unix epoch # TZ=GMT date -d '1989-12-31 0:00' +%s >>43 leldate+631065600 x \b, %s
# TOM TOM GPS watches ttbin files: # http://github.com/ryanbinns/ttwatch/tree/master/ttbin # From: Daniel Lenski 0 byte 0x20 >1 leshort 0x0007 >>0x76 byte 0x20 >>>0x77 leshort 0x0075 TomTom activity file, v7 >>>>8 leldate x (%s, >>>>3 byte x device firmware %d. >>>>4 byte x \b%d. >>>>5 byte x \b%d, >>>>6 leshort x product ID %04d)
#------------------------------------------------------------------------------ # $File: maple,v 1.8 2017/03/17 21:35:28 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" <aldomel@ix.netcom.com> # Maple V release 4, a multi-purpose math program #
# maple library .lib 0 string \000MVR4\nI MapleVr4 library
# .ind # no magic for these :-( # they are compiled indexes for maple files
# .hdb 0 string \000\004\000\000 Maple help database
# .mhp # this has the form <PACKAGE=name> 0 string \<PACKAGE= Maple help file 0 string \<HELP\ NAME= Maple help file 0 string \n\<HELP\ NAME= Maple help file with extra carriage return at start (yuck) #0 string #\ Newton Maple help file, old style 0 string #\ daub Maple help file, old style #0 string #=========== Maple help file, old style
# .mws 0 string \000\000\001\044\000\221 Maple worksheet #this is anomalous 0 string WriteNow\000\002\000\001\000\000\000\000\100\000\000\000\000\000 Maple worksheet, but weird # this has the form {VERSION 2 3 "IBM INTEL NT" "2.3" }\n # that is {VERSION major_version miunor_version computer_type version_string} 0 string {VERSION\ Maple worksheet >9 string >\0 version %.1s. >>11 string >\0 %.1s
# .mps 0 string \0\0\001$ Maple something # from byte 4 it is either 'nul E' or 'soh R' # I think 'nul E' means a file that was saved as a different name # a sort of revision marking # 'soh R' means new >4 string \000\105 An old revision >4 string \001\122 The latest save
# .mpl # some of these are the same as .mps above #0000000 000 000 001 044 000 105 same as .mps #0000000 000 000 001 044 001 122 same as .mps
0 string #\n##\ <SHAREFILE= Maple something 0 string \n#\n##\ <SHAREFILE= Maple something 0 string ##\ <SHAREFILE= Maple something 0 string #\r##\ <SHAREFILE= Maple something 0 string \r#\r##\ <SHAREFILE= Maple something 0 string #\ \r##\ <DESCRIBE> Maple something anomalous. #-------------------------------------------- # marc21: file(1) magic for MARC 21 Format # # Kevin Ford (kefo@loc.gov) # # MARC21 formats are for the representation and communication # of bibliographic and related information in machine-readable # form. For more info, see http://www.loc.gov/marc/
# leader position 20-21 must be 45 # and 22-23 also 00 so far, but we check that later. 20 string 45 >0 search/2048 \x1e
# leader starts with 5 digits, followed by codes specific to MARC format >>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic !:mime application/marc >>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority !:mime application/marc >>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings !:mime application/marc >>0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification !:mime application/marc >>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community !:mime application/marc
# leader position 22-23, should be "00" but is it? >>0 regex/1l (^.{21})([^0]{2}) (non-conforming) !:mime application/marc
# .ml files These are menu resources I think # these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ # how to put that into a magic rule? 4 string \ A~ MAthematica .ml file
# other (* matches it is a comment start in these langs # GRR: Too weak; also matches other languages e.g. ML #0 string (* Mathematica, or Pascal, Modula-2 or 3 code text
######################### # MatLab v5 0 string MATLAB Matlab v5 mat-file >126 short 0x494d (big endian) >>124 beshort x version 0x%04x >126 short 0x4d49 (little endian) >>124 leshort x version 0x%04x
#------------------------------------------------------------------------------ # $File: measure,v 1.1 2017/11/28 14:01:14 christos Exp $ # measure: file(1) magic for measurement data
# DIY-Thermocam raw data 0 name diy-thermocam-parser >0 beshort x scale %d- >2 beshort x \b%d, >4 lefloat x spot sensor temperature %f, >9 ubyte 0 unit celsius, >9 ubyte 1 unit fahrenheit, >8 ubyte x color scheme %d >10 ubyte 1 \b, show spot sensor >11 ubyte 1 \b, show scale bar >12 ubyte &1 \b, minimum point enabled >12 ubyte &2 \b, maximum point enabled >13 lefloat x \b, calibration: offset %f, >17 lefloat x slope %f
0 name diy-thermocam-checker >9 ubyte <2 >>10 ubyte <2 >>>11 ubyte <2 >>>>12 ubyte <4 >>>>>17 lefloat >0.0001 DIY-Thermocam raw data
# V2 and Leption 3.x: 38408 ubyte <19 >38400 use diy-thermocam-checker >>38400 default x (Lepton 3.x), >>>38400 use diy-thermocam-parser
# V1 or Lepton 2.x 9608 ubyte <19 >9600 use diy-thermocam-checker >>9600 default x (Lepton 2.x), >>>9600 use diy-thermocam-parser
#----------------------------------------------------------------------------- # $File: misctools,v 1.17 2017/03/17 21:35:28 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text 0 string/c BEGIN:VCALENDAR vCalendar calendar file !:mime text/calendar # updated by Joerg Jenderek at Apr 2015 # Extension: .vcf # http://en.wikipedia.org/wiki/VCard 0 string/c BEGIN:VCARD vCard visiting card # deprecated #!:mime text/x-vcard !:mime text/vcard # VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere >12 search/14000/c VERSION: # VERSION 2.1 , 3.0 or 4.0 >>&0 string x \b, version %-.3s
# From: Daniel Novotny <dnovotny@redhat.com> # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Core_dump#User-mode_memory_dumps # Reference: https://msdn.microsoft.com/en-us/library/ms680378%28VS.85%29.aspx # # "Windows Minidump" by TrID # ./misctools (version 5.25) labeled the entry as "MDMP crash report data" 0 string MDMP Mini DuMP crash report # http://filext.com/file-extension/DMP !:mime application/x-dmp !:ext dmp/mdmp # The high-order word is an internal value that is implementation specific. # The low-order word is MINIDUMP_VERSION 0xA793 >4 ulelong&0x0000FFFF !0xA793 \b, version 0x%4.4x # NumberOfStreams 8,9,10,13 >8 ulelong x \b, %d streams # StreamDirectoryRva 0x20 >12 ulelong !0x20 \b, 0x%8.8x RVA # CheckSum 0 >16 ulelong !0 \b, CheckSum 0x%8.8x # Reserved or TimeDateStamp >20 ledate x \b, %s # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx # Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 >24 ulelong x \b, 0x%x type # >24 ulelong >0 \b; include # >>24 ulelong &0x00000001 \b data sections, # >>24 ulelong &0x00000020 \b list of unloaded modules, # >>24 ulelong &0x00000100 \b process and thread information, # >>24 ulelong &0x00000800 \b memory information,
# Summary: abook addressbook file # Submitted by: Mark Schreiber <mark7@alumni.cmu.edu> 0 string #\x20abook\x20addressbook\x20file abook address book !:mime application/x-abook-addressbook
#------------------------------------------------------------------------------ # $File: mkid,v 1.6 2009/09/19 16:28:10 christos Exp $ # mkid: file(1) magic for mkid(1) databases # # ID is the binary tags database produced by mkid(1). # # XXX - byte order? # 0 string \311\304 ID tags data >2 short >0 version %d
# Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). # Modified by: Joerg Jenderek # URL: https://de.wikipedia.org/wiki/Fax # Reference: http://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others 0 short 0x0100 # 16 0-bits near beginning like True Type fonts *.ttf, Postscript PrinterFontMetric *.pfm, FTYPE.HYPERCARD, XFER >2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 >2 default x # skip IRCAM file (VAX big-endian) ./audio >>0 belong !0x0001a364 # skip GEM Image data ./images >>>2 beshort !0x0008 # look for first keyword of Panorama database *.pan >>>>11 search/262 \x06DESIGN # skip Panorama database >>>>11 default x # old Apple DreamWorld DreamGrafix *.3200 with keyword at end of g3 looking files >>>>>27118 search/1864 DreamWorld >>>>>27118 default x # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom >>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom >>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" !:mime image/g3fax #!:apple ????TIFF !:ext g3 # unusual image starting with black pixel #0 short 0x1300 raw G3 (Group 3) FAX 0 short 0x1400 # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom >2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 >2 default x raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" !:mime image/g3fax !:ext g3 # unusual image with black pixel near beginning #0 short 0x1900 raw G3 (Group 3) FAX
# # Magic data for vgetty voice formats # (Martin Seine & Marc Eberhard)
# # raw modem data version 1 # 0 string RMD1 raw modem data >4 string >\0 (%s / >20 short >0 compression type 0x%04x)
# # portable voice format 1 # 0 string PVF1\n portable voice format >5 string >\0 (binary %s)
# # portable voice format 2 # 0 string PVF2\n portable voice format >5 string >\0 (ascii %s)
# From: Bernd Nuernberger <bernd.nuernberger@web.de> # Brooktrout G3 fax data incl. 128 byte header # Common suffixes: 3??, BRK, BRT, BTR 0 leshort 0x01bb >2 leshort 0x0100 Brooktrout 301 fax image, >>9 leshort x %d x >>0x2d leshort x %d >>6 leshort 200 \b, fine resolution >>6 leshort 100 \b, normal resolution >>11 byte 1 \b, G3 compression >>11 byte 2 \b, G32D compression
# ATARI ST relocatable PRG # # from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 # (according to Roland Waldi, Oct 21, 1987) # besides the magic 0x601a, the text segment size is checked to be # not larger than 1 MB (which is a lot on ST). # The additional 0x601b distinction I took from Doug Lee's magic. 0 belong&0xFFFFFFF0 0x601A0000 Atari ST M68K contiguous executable >2 belong x (txt=%d, >6 belong x dat=%d, >10 belong x bss=%d, >14 belong x sym=%d) 0 belong&0xFFFFFFF0 0x601B0000 Atari ST M68K non-contig executable >2 belong x (txt=%d, >6 belong x dat=%d, >10 belong x bss=%d, >14 belong x sym=%d)
# Atari ST/TT... program format (sent by Wolfram Kleff <kleff@cs.uni-bonn.de>) 0 beshort 0x601A Atari 68xxx executable, >2 belong x text len %u, >6 belong x data len %u, >10 belong x BSS len %u, >14 belong x symboltab len %u, >18 belong 0 >22 belong &0x01 fastload flag, >22 belong &0x02 may be loaded to alternate RAM, >22 belong &0x04 malloc may be from alternate RAM, >22 belong x flags: 0x%X, >26 beshort 0 no relocation tab >26 beshort !0 + relocation tab >30 string SFX [Self-Extracting LZH SFX archive] >38 string SFX [Self-Extracting LZH SFX archive] >44 string ZIP! [Self-Extracting ZIP SFX archive]
0 string XPCOM\nMozFASL\r\n\x1A Mozilla XUL fastload data 0 string mozLz4a Mozilla lz4 compressed bookmark data
# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Firefox_4 # Reference: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT # Note: Most ZIP utilities are able to extract such archives # maybe only partly or after some warnings. Example: # zip -FF omni.ja --out omni.zip 4 string PK\001\002 Mozilla archive omni.ja !:mime application/x-zip !:ext ja # TODO: #>4 use zip-dir-entry
# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) # updated by Joerg Jenderek at Oct 2008,Apr 2011 0 string/t @ >1 string/cW \ echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW rem DOS batch file text !:mime text/x-msdos-batch >1 string/cW set\ DOS batch file text !:mime text/x-msdos-batch
# OS/2 batch files are REXX. the second regex is a bit generic, oh well # the matched commands seem to be common in REXX and uncommon elsewhere 100 search/0xffff rxfuncadd >100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text 100 search/0xffff say >100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
# updated by Joerg Jenderek at Oct 2015 # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html # ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable" #0 leshort 0x14c MS Windows COFF Intel 80386 object file #>4 ledate x stamp %s 0 leshort 0x166 MS Windows COFF MIPS R4000 object file #>4 ledate x stamp %s 0 leshort 0x184 MS Windows COFF Alpha object file #>4 ledate x stamp %s 0 leshort 0x268 MS Windows COFF Motorola 68000 object file #>4 ledate x stamp %s 0 leshort 0x1f0 MS Windows COFF PowerPC object file #>4 ledate x stamp %s 0 leshort 0x290 MS Windows COFF PA-RISC object file #>4 ledate x stamp %s
# Tests for various EXE types. # # Many of the compressed formats were extraced from IDARC 1.23 source code. # 0 string/b MZ # All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. >0x18 leshort <0x40 MS-DOS executable !:mime application/x-dosexec # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1e (MS compiler)
# If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. >0x18 leshort >0x3f
# hooray, there's a DOS extender using the PE format, with a valid PE # executable inside (which just prints a message and exits if run in win) >>>(8.s*16) string 32STUB \b, 32rtm DOS extender >>>(8.s*16) string !32STUB \b, for MS Windows >>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed >>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed >>>(0x3c.l+0xf8) search/0x140 UPX2 >>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>(0x3c.l+0xf8) search/0x140 .idata >>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive >>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .rsrc >>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive >>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive >>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive >>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .data >>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed >>>>(0x3c.l+0xf7) byte x >>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive >>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>>0x30 string Inno \b, InnoSetup self-extracting archive
# Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable !:mime application/x-dosexec
>>(0x3c.l) string NE \b, NE !:mime application/x-dosexec >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services >>>(0x3c.l+0x36) default x >>>>(0x3c.l+0x36) byte x (unknown OS %x) >>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender >>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) >>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) >>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive >>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
# MS Windows system file, supposedly a collection of LE executables >>(0x3c.l) string W3 \b, W3 for MS Windows !:mime application/x-dosexec
>>(0x3c.l) string LE\0\0 \b, LE executable !:mime application/x-dosexec >>>(0x3c.l+0x0a) leshort 1 # some DOS extenders use LE files with OS/2 header >>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender >>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender >>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender >>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender >>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) >>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) >>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) # this is a wild guess; hopefully it is a specific signature >>>>&0x24 lelong <0x50 >>>>>(&0x4c.l) string \xfc\xb8WATCOM >>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed # another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP #>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 # fails with DOS-Extenders. >>>(0x3c.l+0x0a) leshort 2 for MS Windows >>>(0x3c.l+0x0a) leshort 3 for DOS >>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) >>>(&0x7c.l+0x26) string UPX \b, UPX compressed >>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive
# looks like ASCII, probably some embedded copyright message. # and definitely not NE/LE/LX/PE >>0x3c lelong >0x20000000 >>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS !:mime application/x-dosexec # header data too small for extended executable >2 long !0 >>0x18 leshort <0x40 >>>(4.s*512) leshort !0x014c
>>>>&(2.s-514) string !LE >>>>>&-2 string !BW \b, MZ for MS-DOS !:mime application/x-dosexec >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender # educated guess since indirection is still not capable enough for complex offset # calculations (next embedded executable would be at &(&2*512+&0-2) # I suspect there are only LE executables in these multi-exe files >>>>&(2.s-514) string BW >>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) >>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS
# This sequence skips to the first COFF segment, usually .text >(4.s*512) leshort 0x014c \b, COFF !:mime application/x-dosexec >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s >>&(&0x42.l-3) byte x >>>&0x26 string UPX \b, UPX compressed # and yet another guess: small .text, and after large .data is unusal, could be 32lite >>&0x2c search/0xa0 .text >>>&0x0b lelong <0x2000 >>>>&0 lelong >0x6000 \b, 32lite compressed
>(8.s*16) string $WdX \b, WDos/X DOS extender
# By now an executable type should have been printed out. The executable # may be a self-uncompressing archive, so look for evidence of that and # print it out. # # Some signatures below from Greg Roelofs, newt@uchicago.edu. # >0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed >0xe7 string LH/2\ Self-Extract \b, %s >0x1c string UC2X \b, UCEXE compressed >0x1c string WWP\ \b, WWPACK compressed >0x1c string RJSX \b, ARJ self-extracting archive >0x1c string diet \b, diet compressed >0x1c string LZ09 \b, LZEXE v0.90 compressed >0x1c string LZ91 \b, LZEXE v0.91 compressed >0x1c string tz \b, TinyProg compressed >0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive !:mime application/zip # Yes, this really is "Copr", not "Corp." >0x1e string PKLITE\ Copr. Self-extracting PKZIP archive !:mime application/zip # winarj stores a message in the stub instead of the sig in the MZ header >0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive >0x20 string AIN >>0x23 string 2 \b, AIN 2.x compressed >>0x23 string <2 \b, AIN 1.x compressed >>0x23 string >2 \b, AIN 1.x compressed >0x24 string LHa's\ SFX \b, LHa self-extracting archive !:mime application/x-lha >0x24 string LHA's\ SFX \b, LHa self-extracting archive !:mime application/x-lha >0x24 string \ $ARX \b, ARX self-extracting archive >0x24 string \ $LHarc \b, LHarc self-extracting archive >0x20 string SFX\ by\ LARC \b, LARC self-extracting archive >0x40 string aPKG \b, aPackage self-extracting archive >0x64 string W\ Collis\0\0 \b, Compack compressed >0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive >>&0xf4 search/0x140 \x0\x40\x1\x0 >>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive >1638 string -lh5- \b, LHa self-extracting archive v2.13S >0x17888 string Rar! \b, RAR self-extracting archive
# Skip to the end of the EXE. This will usually work fine in the PE case # because the MZ image is hardcoded into the toolchain and almost certainly # won't match any of these signatures. >(4.s*512) long x >>&(2.s-517) byte x >>>&0 string PK\3\4 \b, ZIP self-extracting archive >>>&0 string Rar! \b, RAR self-extracting archive >>>&0 string =!\x11 \b, AIN 2.x self-extracting archive >>>&0 string =!\x12 \b, AIN 2.x self-extracting archive >>>&0 string =!\x17 \b, AIN 1.x self-extracting archive >>>&0 string =!\x18 \b, AIN 1.x self-extracting archive >>>&7 search/400 **ACE** \b, ACE self-extracting archive >>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive
# a few unknown ZIP sfxes, no idea if they are needed or if they are # already captured by the generic patterns above >(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) # TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive #
# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc # and http://www.freedos.org/software/?prog=kpdos # for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 0 string/b KCF FreeDOS KEYBoard Layout collection # only version=0x100 found >3 uleshort x \b, version 0x%x # length of string containing author,info and special characters >6 ubyte >0 #>>6 pstring x \b, name=%s >>7 string >\0 \b, author=%-.14s >>7 search/254 \xff \b, info= #>>>&0 string x \b%-s >>>&0 string x \b%-.15s # for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found >3 uleshort x \b, version 0x%x # stringlength >5 ubyte >0 >>8 string x \b, name=%-.2s 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 # https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 0 ulequad&0x07a0ffffffff 0xffffffff >0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver # also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN !:ext sys/dev/bin >40 search/7 UPX! \bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b >>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h >>4 uleshort&0x0010 0x0010 \bfast # standard input/output device >>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ >>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver >0 ubyte x # upx compressed device driver has garbage instead of real in name field of header >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped >>>12 ubyte >0x2E \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c >>>>11 ubyte >0x20 >>>>>11 ubyte !0x2E \b%c >>>>12 ubyte >0x20 >>>>>12 ubyte !0x39 >>>>>>12 ubyte !0x2E \b%c >>>13 ubyte >0x20 >>>>13 ubyte !0x2E \b%c >>>>14 ubyte >0x20 >>>>>14 ubyte !0x2E \b%c >>>>15 ubyte >0x20 >>>>>15 ubyte !0x2E \b%c >>>>16 ubyte >0x20 >>>>>16 ubyte !0x2E >>>>>>16 ubyte <0xCB \b%c >>>>17 ubyte >0x20 >>>>>17 ubyte !0x2E >>>>>>17 ubyte <0x90 \b%c # some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field >>>12 ubyte <0x2F # they have their real name at offset 22 # also block device drivers like DUMBDRV.SYS >>>>22 string >\056 %-.6s >4 uleshort&0x8000 0x0000 # 32 bit sector addressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h >4 uleshort&0x0040 0x0040 \b,IOCTL- # open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh >4 uleshort&0x0800 0x0800 \b,close media- # output until busy support by int 10h for character device driver >4 uleshort&0x8000 0x8000 >>4 uleshort&0x2000 0x2000 \b,until busy- # direct read/write support by driver functions 03h,0Ch >4 uleshort&0x4000 0x4000 \b,control strings- >4 uleshort&0x8000 0x8000 >>4 uleshort&0x6840 >0 \bsupport >4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) # DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 0 ulequad 0x0513c00000000012 >0 use msdos-driver # DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field 0 ulequad 0x32f28000ffff0016 >0 use msdos-driver 0 ulequad 0x007f00000000ffff >0 use msdos-driver 0 ulequad 0x001600000000ffff >0 use msdos-driver # DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field 0 ulequad 0x0bf708c2ffffffff >0 use msdos-driver 0 ulequad 0x07bd08c2ffffffff >0 use msdos-driver
# updated by Joerg Jenderek # GRR: line below too general as it catches also # rt.lib DYADISKS.PIC and many more # start with assembler instruction MOV 0 ubyte 0x8c # skip "AppleWorks word processor data" like ARTICLE.1 ./apple >4 string !O==== # skip some unknown basic binaries like RocketRnger.SHR >>5 string !MAIN # skip "GPG symmetrically encrypted data" ./gnu # skip "PGP symmetric key encrypted data" ./pgp # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type >>>4 ubyte >13 DOS executable (COM, 0x8C-variant) # the remaining files should be DOS *.COM executables # dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd # hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4 # UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b # BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b # RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b # SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b # validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e # devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e !:mime application/x-dosexec !:ext com
# updated by Joerg Jenderek at Oct 2008 0 ulelong 0xffff10eb DR-DOS executable (COM) # byte 0xeb conflicts with "sequent" magic leshort 0xn2eb 0 ubeshort&0xeb8d >0xeb00 # DR-DOS STACKER.COM SCREATE.SYS missed
# JMP 8bit 0 byte 0xeb # allow forward jumps only >1 byte >-1 # that offset must be accessible >>(1.b+2) byte x >>>0 use msdos-com
# JMP 16bit 0 byte 0xe9 # forward jumps >1 short >-1 # that offset must be accessible >>(1.s+3) byte x >>>0 use msdos-com # negative offset, must not lead into PSP >1 short <-259 # that offset must be accessible >>(1,s+65539) byte x >>>0 use msdos-com
# updated by Joerg Jenderek at Oct 2008,2015 # following line is too general 0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux >0 string !\xb8\xc0\x07\x8e # modified by Joerg Jenderek # syslinux COM32 or COM32R executable >>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT # http://www.syslinux.org/wiki/index.php/Comboot_API # Since version 5.00 c32 modules switched from the COM32 object format to ELF !:mime application/x-c32-comboot-syslinux-exec !:ext c32 # http://syslinux.zytor.com/comboot.php # older syslinux version ( <4 ) # (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode # start with assembler instructions mov eax,21cd4cffh >>>1 lelong 0x21CD4CFf \b) # syslinux:doc/comboot.txt # A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov # eax,21cd4cfeh) as a magic number. # syslinux version (4.x) # "COM executable (COM32R)" or "Syslinux COM32 module" by TrID >>>1 lelong 0x21CD4CFe \b, relocatable) # remaining are DOS COM executables starting with assembler instruction MOV # like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM # MS-DOS SYS.COM RESTART.COM # SYSLINUX.COM (version 1.40 - 2.13) # GFXBOOT.COM (version 3.75) # COPYBS.COM POWEROFF.COM INT18.COM >>1 default x COM executable for DOS !:mime application/x-dosexec #!:mime application/x-ms-dos-executable #!:mime application/x-msdos-program !:ext com
0 string/b \x81\xfc >4 string \x77\x02\xcd\x20\xb9 >>36 string UPX! FREE-DOS executable (COM), UPX compressed 252 string Must\ have\ DOS\ version DR-DOS executable (COM) # added by Joerg Jenderek at Oct 2008 # GRR search is not working #34 search/2 UPX! FREE-DOS executable (COM), UPX compressed 34 string UPX! FREE-DOS executable (COM), UPX compressed 35 string UPX! FREE-DOS executable (COM), UPX compressed # GRR search is not working #2 search/28 \xcd\x21 COM executable for MS-DOS #WHICHFAT.cOM 2 string \xcd\x21 COM executable for DOS #DELTREE.cOM DELTREE2.cOM 4 string \xcd\x21 COM executable for DOS #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 5 string \xcd\x21 COM executable for DOS #DELTMP.COm HASFAT32.cOM 7 string \xcd\x21 >0 byte !0xb8 COM executable for DOS #COMP.cOM MORE.COm 10 string \xcd\x21 >5 string !\xcd\x21 COM executable for DOS #comecho.com 13 string \xcd\x21 COM executable for DOS #HELP.COm EDIT.coM 18 string \xcd\x21 COM executable for MS-DOS #NWRPLTRM.COm 23 string \xcd\x21 COM executable for MS-DOS #LOADFIX.cOm LOADFIX.cOm 30 string \xcd\x21 COM executable for MS-DOS #syslinux.com 3.11 70 string \xcd\x21 COM executable for DOS # many compressed/converted COMs start with a copy loop instead of a jump 0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS >0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed 0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed # FIXME: missing diet .com compression
# miscellaneous formats 0 string/b LZ MS-DOS executable (built-in) #0 byte 0xf0 MS-DOS program library data #
# AAF files: # <stuartc@rd.bbc.co.uk> Stuart Cunningham 0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage >30 byte 9 (512B sectors) >30 byte 12 (4kB sectors) 0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage >30 byte 9 (512B sectors) >30 byte 12 (4kB sectors)
# Popular applications 2080 string Microsoft\ Word\ 6.0\ Document %s !:mime application/msword 2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data !:mime application/msword # Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 2112 string MSWordDoc Microsoft Word document data !:mime application/msword # 0 belong 0x31be0000 Microsoft Word Document !:mime application/msword # 0 string/b PO^Q` Microsoft Word 6.0 Document !:mime application/msword # 4 long 0 >0 belong 0xfe320000 Microsoft Word for Macintosh 1.0 !:mime application/msword !:ext mcw >0 belong 0xfe340000 Microsoft Word for Macintosh 3.0 !:mime application/msword !:ext mcw >0 belong 0xfe37001c Microsoft Word for Macintosh 4.0 !:mime application/msword !:ext mcw >0 belong 0xfe370023 Microsoft Word for Macintosh 5.0 !:mime application/msword !:ext mcw
0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document !:mime application/msword !:ext doc # Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs #512 string/b \354\245\301 Microsoft Word Document #!:mime application/msword
2080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s !:mime application/vnd.ms-excel # # Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 2114 string Biff5 Microsoft Excel 5.0 Worksheet !:mime application/vnd.ms-excel # Italian MS-Excel 2121 string Biff5 Microsoft Excel 5.0 Worksheet !:mime application/vnd.ms-excel 0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet !:mime application/vnd.ms-excel # # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Lotus_1-2-3 # Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf # Note: newer Lotus versions >2 use longer BOF record # record type (BeginningOfFile=0000h) + length (001Ah) 0 belong 0x00001a00 # reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 #>18 uleshort&0x73E0 0 # Lotus Multi Byte Character Set (LMBCS=1-31) >20 ubyte >0 >>20 ubyte <32 Lotus 1-2-3 #!:mime application/x-123 !:mime application/vnd.lotus-1-2-3 !:apple ????L123 # (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data" >>>4 uleshort 0x1000 WorKsheet, version 3 !:ext wk3 # (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data" >>>4 uleshort 0x1002 WorKsheet, version 4 # also worksheet template 4 (.wt4) !:ext wk4/wt4 # no example or documentation for wk5 #>>4 uleshort 0x???? WorKsheet, version 4 #!:ext wk5 # only MacrotoScript.123 example >>>4 uleshort 0x1003 WorKsheet, version 97 # also worksheet template Smartmaster (.12M)? !:ext 123 # only Set_Y2K.123 example >>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium !:ext 123 # no example for this version >>>4 uleshort 0x8001 FoRMatting data !:ext frm # (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data" # TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet" >>>4 uleshort 0x8007 ForMatting data, version 3 !:ext fm3 >>>4 default x unknown # file revision sub code 0004h for worksheets >>>>6 uleshort =0x0004 worksheet !:ext wXX >>>>6 uleshort !0x0004 formatting data !:ext fXX # main revision number >>>>4 uleshort x \b, revision 0x%x >>>6 uleshort =0x0004 \b, cell range # active cellcoord range (start row, page,column ; end row, page, column) # start values normally 0~1st sheet A1 >>>>8 ulelong !0 >>>>>10 ubyte >0 \b%d* >>>>>8 uleshort x \b%d, >>>>>11 ubyte x \b%d- # end page mostly 0 >>>>14 ubyte >0 \b%d* # end raw, column normally not 0 >>>>12 uleshort x \b%d, >>>>15 ubyte x \b%d # Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??) >>>>20 ubyte >1 \b, character set 0x%x # flags >>>>21 ubyte x \b, flags 0x%x >>>6 uleshort !0x0004 # record type (FONTNAME=00AEh) >>>>30 search/29 \0\xAE # variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) >>>>>&4 string >\0 \b, 1st font "%s" # # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3 # Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT # Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x # record type (BeginningOfFile=0000h) + length (0002h) 0 belong 0x00000200 # GRR: line above is too general as it catches also MS Windows CURsor # to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) !:strength -1 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h >7 ubyte 0 # skip Windows cursors with image width 256 and keep Lotus with positiv opcode >>6 ubyte >0 Lotus # !:mime application/x-123 !:mime application/vnd.lotus-1-2-3 !:apple ????L123 # revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...) # undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3" >>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF) !:ext cnf >>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J !:ext cnf >>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1 !:ext cnf >>>4 uleshort 0x0802 Symphony CoNFiguration !:ext cnf >>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2 !:ext cnf >>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4 !:ext cnf >>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x !:ext cnf >>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x !:ext cnf # (version 5.26) labeled the entry as "Lotus 123" # TrID labeles the entry as "Lotus 123 Worksheet (generic)" >>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1 # extension "wks" also for Microsoft Works document !:ext wks # (version 5.26) labeled the entry as "Lotus 123" # TrID labeles the entry as "Lotus 123 Worksheet (generic)" >>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0 !:ext wrk/wr1 # (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data" # TrID labeles the entry as "Lotus 123 Worksheet (V2)" >>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2 # Symphony (.wr1) !:ext wk1/wr1 # no example for this japan version >>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ !:ext wj1 # no example or documentation for wk2 #>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2 #!:ext wk2 # undocumented japan version >>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J !:ext wj3 # (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data" >>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x # japan version 2.4J (fj3) !:ext fmt/fj3 # no example for this version >>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0 !:ext frm # (version 5.26) labeled the entry as "Lotus 1-2-3" >>>4 default x unknown worksheet or configuration !:ext cnf >>>>4 uleshort x \b, revision 0x%x # 2nd record for most worksheets describes cells range >>>6 use lotus-cells # 3nd record for most japan worksheets describes cells range >>>(8.s+10) use lotus-cells # check and then display Lotus worksheet cells range 0 name lotus-cells # look for type (RANGE=0006h) + length (0008h) at record begin >0 ubelong 0x06000800 \b, cell range # cell range (start column, row, end column, row) start values normally 0,0~A1 cell >>4 ulong !0 >>>4 uleshort x \b%d, >>>6 uleshort x \b%d- # end of cell range >>8 uleshort x \b%d, >>10 uleshort x \b%d # EndOfLotus123 0 string/b WordPro\0 Lotus WordPro !:mime application/vnd.lotus-wordpro 0 string/b WordPro\r\373 Lotus WordPro !:mime application/vnd.lotus-wordpro
# Summary: Script used by InstallScield to uninstall applications # Extension: .isu # Submitted by: unknown # Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) 0 string \x71\xa8\x00\x00\x01\x02 >12 string Stirling\ Technologies, InstallShield Uninstall Script
# Winamp .avs #0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in
#tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file 0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file
# PGP sig files .sig #0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
# windows zips files .dmf 0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
#ico files 0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows
# Windows icons # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CUR_(file_format) # Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG 0 belong 0x00000100 >9 byte 0 >>0 byte x >>0 use cur-ico-dir >9 ubyte 0xff >>0 byte x >>0 use cur-ico-dir # displays number of icons and information for icon or cursor 0 name cur-ico-dir # skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with # 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h >18 ulelong &0x00000006 # skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) >>(18.l) ulelong x MS Windows >>>0 ubelong 0x00000100 icon resource #!:mime image/vnd.microsoft.icon !:mime image/x-icon !:ext ico >>>>4 uleshort x - %d icon # plural s >>>>4 uleshort >1 \bs # 1st icon >>>>0x06 use ico-entry # 2nd icon >>>>4 uleshort >1 >>>>>0x16 use ico-entry >>>0 ubelong 0x00000200 cursor resource #!:mime image/x-cur !:mime image/x-win-bitmap !:ext cur >>>>4 uleshort x - %d icon >>>>4 uleshort >1 \bs # 1st cursor >>>>0x06 use cur-entry #>>>>0x16 use cur-entry # display information of one cursor entry 0 name cur-entry >0 use cur-ico-entry >4 uleshort x \b, hotspot @%dx >6 uleshort x \b%d # display information of one icon entry 0 name ico-entry >0 use cur-ico-entry # normally 0 1 but also found 14 >4 uleshort >1 \b, %d planes # normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256 >6 uleshort >1 \b, %d bits/pixel # display shared information of cursor or icon entry 0 name cur-ico-entry >0 byte =0 \b, 256x >0 byte !0 \b, %dx >1 byte =0 \b256 >1 byte !0 \b%d # number of colors in palette >2 ubyte !0 \b, %d colors # reserved 0 FFh #>3 ubyte x \b, reserved %x #>8 ulelong x \b, image size %d # offset of PNG or DIB image #>12 ulelong x \b, offset 0x%x # PNG header (\x89PNG) >(12.l) ubelong =0x89504e47 >>&-4 indirect x \b with # DIB image >(12.l) ubelong !0x89504e47 #>>&-4 use dib-image
# Windows non-animated cursors # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CUR_(file_format) # Note: similar to Windows ICOn. container for BMP ( only DIB part) # GRR: line below is too general as it catches also Lotus 1-2-3 files 0 belong 0x00000200 >9 byte 0 >>0 use cur-ico-dir >9 ubyte 0xff >>0 use cur-ico-dir
# .chr files 0 string/b PK\010\010BGI Borland font >4 string >\0 %s # then there is a copyright notice
# .bgi files 0 string/b pk\010\010BGI Borland device >4 string >\0 %s # then there is a copyright notice
# Windows Recycle Bin record file (named INFO2) # By Abel Cheung (abelcheung AT gmail dot com) # Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes # Since Vista uses another structure, INFO2 structure probably won't change # anymore. Detailed analysis in: # http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 0 lelong 0x00000004 >12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)
0 lelong 0x00000005 >12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)
# From Doug Lee via a FreeBSD pr 9 string GERBILDOC First Choice document 9 string GERBILDB First Choice database 9 string GERBILCLIP First Choice database 0 string GERBIL First Choice device file 9 string RABBITGRAPH RabbitGraph file 0 string DCU1 Borland Delphi .DCU file 0 string =!<spell> MKS Spell hash list (old format) 0 string =!<spell2> MKS Spell hash list # Too simple - MPi #0 string AH Halo(TM) bitmapped font file 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file
# Debian#712046: The magic below identifies "Delphi compiled form data". # An additional source of information is available at: # http://www.woodmann.com/fravia/dafix_t1.htm 0 string TPF0 >4 pstring >\0 Delphi compiled form '%s'
# tests for DBase files moved, updated and merged to database
0 string PMCC Windows 3.x .GRP file 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file 0 lelong 0x4C >4 lelong 0x00021401 Windows shortcut file
# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File !:mime application/x-dosexec #>2 string >\0 \b, Title:%.30s >0x24 string >\0 \b for %.63s >0x65 string >\0 \b, directory=%.64s >0xA5 string >\0 \b, parameters=%.64s #>0x181 leshort x \b, offset %x #>0x183 leshort x \b, offsetdata %x #>0x185 leshort x \b, section length %x >0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 >>&0x5e ubyte >0 >>>&-1 string <PIFMGR.DLL \b, icon=%s #>>>&-1 string PIFMGR.DLL \b, icon=%s >>>&-1 string >PIFMGR.DLL \b, icon=%s >>&0xF0 ubyte >0 >>>&-1 string <Terminal \b, font=%.32s #>>>&-1 string =Terminal \b, font=%.32s >>>&-1 string >Terminal \b, font=%.32s >>&0x110 ubyte >0 >>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s #>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s >>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s #>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style #>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style >0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style #>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style >0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS #>>&06 string x \b:%s >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s
# DOS EPS Binary File Header # From: Ed Sznyter <ews@Black.Market.NET> 0 belong 0xC5D0D3C6 DOS EPS Binary File !:mime image/x-eps >4 long >0 Postscript starts at byte %d >>8 long >0 length %d >>>12 long >0 Metafile starts at byte %d >>>>16 long >0 length %d >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d
# TNEF magic From "Joomy" <joomy@se-ed.net> # Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 0 lelong 0x223e9f78 TNEF !:mime application/vnd.ms-tnef
# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # http://en.wikipedia.org/wiki/Norton_Guides 0 string NG\0\001 # only value 0x100 found at offset 2 >2 ulelong 0x00000100 Norton Guide # Title[40] >>8 string >\0 "%-.40s" #>>6 uleshort x \b, MenuCount=%u # szCredits[5][66] >>48 string >\0 \b, %-.66s >>114 string >\0 %-.66s
# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of http://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm 0 ulelong 0x48443408 4DOS help file >4 string x \b, version %-4.4s
# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp 0 ulequad 0x3a000000024e4c MS Advisor help file
# HtmlHelp files (.chm) 0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data
# GFA-BASIC (Wolfram Kleff) 2 string/b GFA-BASIC3 GFA-BASIC 3 data
#------------------------------------------------------------------------------ # From Stuart Caie <kyzer@4u.net> (developer of cabextract) # Microsoft Cabinet files 0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data !:mime application/vnd.ms-cab-compressed >8 lelong x \b, %u bytes >28 leshort 1 \b, 1 file >28 leshort >1 \b, %u files
# InstallShield Cabinet files 0 string/b ISc( InstallShield Cabinet archive data >5 byte&0xf0 =0x60 version 6, >5 byte&0xf0 !0x60 version 4/5, >(12.l+40) lelong x %u files
# Windows Enhanced Metafile (EMF) # See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data >>44 ulelong x version 0x%x
0 string/b \224\246\056 Microsoft Word Document !:mime application/msword
512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document !:mime application/msword
# From: "Nelson A. de Oliveira" <naoliv@gmail.com> # Magic type for Dell's BIOS .hdr files # Dell's .hdr 0 string/b $RBU >23 string Dell %s system BIOS >5 byte 2 >>48 byte x version %d. >>49 byte x \b%d. >>50 byte x \b%d >5 byte <2 >>48 string x version %.3s
# Type: Microsoft DirectDraw Surface # URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp # From: Morten Hustveit <morten@debian.org> 0 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), >16 lelong >0 %d x >12 lelong >0 %d, >84 string x %.4s
# Type: Microsoft Document Imaging Format (.mdi) # URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format # From: Daniele Sempione <scrows@oziosi.org> # Too weak (EP) #0 short 0x5045 Microsoft Document Imaging Format
# MS eBook format (.lit) 0 string/b ITOLITLS Microsoft Reader eBook Data >8 lelong x \b, version %u !:mime application/x-ms-reader
# Windows CE Binary Image Data Format # From: Dr. Jesus <j@hug.gs> 0 string/b B000FF\n Windows Embedded CE binary image
# Windows Imaging (WIM) Image 0 string/b MSWIM\000\000\000 Windows imaging (WIM) image 0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format
# The second byte of these signatures is a file version; I don't know what, # if anything, produced files with version numbers 0-2. # From: John Elliott <johne@seasip.demon.co.uk> 0 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+) 0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11) 0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)
0 string MIOPEN Mallard BASIC Jetsam data 0 string Jetsam0 Mallard BASIC Jetsam index data
# DOS backup 2.0 to 3.2
# backupid.@@@
# plausibility check for date 0x3 ushort >1979 >0x5 ubyte-1 <31 >>0x6 ubyte-1 <12 # actually 121 nul bytes >>>0x7 string \0\0\0\0\0\0\0\0 >>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d !:ext @@@ >>>>0x0 ubyte 0xff \b, last disk
# backed up file
# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd # by looking for trailing nul of maximal file name string 0x52 ubyte 0 # test for flag byte: FFh~complete file, 00h~split file # FFh -127 = -1 -127 = -128 # 00h -127 = 0 -127 = -127 >0 byte-127 <-126 # plausibility check for file name length >>0x53 ubyte-1 <78 # looking for terminating nul of file name string >>>(0x53.b+4) ubyte 0 # looking if last char of string is valid DOS file name >>>>(0x53.b+3) ubyte >0x1F # actually 44 nul bytes # but sometimes garbage according to Ralf Quint. So can not be used as test #>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 # first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator # only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE >>>>>5 ubyte&0x8C 0x0C # ./msdos (version 5.30) labeled the entry as # "DOS 2.0 backed up file %s, split file, sequence %d" or # "DOS 2.0 backed up file %s, complete file" >>>>>>0 ubyte x DOS 2.0-3.2 backed up #>>>>>>0 ubyte 0xff complete >>>>>>0 ubyte 0 >>>>>>>1 uleshort x sequence %d of # full file name with path but without drive letter and colon stored from 0x05 til 0x52 >>>>>>0x5 string x file %s # backup name is original filename #!:ext * # magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' # file: line 1169: Bad magic entry ' *' # after header original file content >>>>>>128 indirect x \b;
# DOS backup 3.3 to 5.x
# CONTROL.nnn files 0 string \x8bBACKUP\x20 # actually 128 nul bytes >0xa string \0\0\0\0\0\0\0\0 >>0x9 ubyte x DOS 3.3 backup control file, sequence %d >>0x8a ubyte 0xff \b, last disk
# NB: The BACKUP.nnn files consist of the files backed up, # concatenated.
#------------------------------------------------------------------------------ # $File: msooxml,v 1.7 2018/03/12 12:38:59 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown <ralf.brown@gmail.com>
# .docx, .pptx, and .xlsx are XML plus other files inside a ZIP # archive. The first member file is normally "[Content_Types].xml". # but some libreoffice generated files put this later. Perhaps skip # the "[Content_Types].xml" test? # Since MSOOXML doesn't have anything like the uncompressed "mimetype" # file of ePub or OpenDocument, we'll have to scan for a filename # which can distinguish between the three types
0 name msooxml >0 string word/ Microsoft Word 2007+ !:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document >0 string ppt/ Microsoft PowerPoint 2007+ !:mime application/vnd.openxmlformats-officedocument.presentationml.presentation >0 string xl/ Microsoft Excel 2007+ !:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
# start by checking for ZIP local file header signature 0 string PK\003\004 !:strength +10 # make sure the first file is correct >0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels # skip to the second local file header # since some documents include a 520-byte extra field following the file # header, we need to scan for the next header >>(18.l+49) search/6000 PK\003\004 # now skip to the *third* local file header; again, we need to scan due to a # 520-byte extra field following the file header >>>&26 search/6000 PK\003\004 # and check the subdirectory name to determine which type of OOXML # file we have. Correct the mimetype with the registered ones: # http://technet.microsoft.com/en-us/library/cc179224.aspx >>>>&26 use msooxml >>>>&26 default x # OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file >>>>>&26 search/6000 PK\003\004 >>>>>>&26 use msooxml >>>>>>&26 default x Microsoft OOXML
#------------------------------------------------------------------------------ # $File: msvc,v 1.9 2017/08/02 08:15:20 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" <aldomel@ix.netcom.com> # Microsoft visual C # # I have version 1.0
# .aps 0 string HWB\000\377\001\000\000\000 Microsoft Visual C .APS file
#.lib 0 string \360\015\000\000 Microsoft Visual C library 0 string \360\075\000\000 Microsoft Visual C library 0 string \360\175\000\000 Microsoft Visual C library
#.pch 0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch
# Summary: Symbol Table / Debug info used by Microsoft compilers # URL: https://en.wikipedia.org/wiki/Program_database # Reference: https://code.google.com/p/pdbparser/wiki/MSF_Format # Update: Joerg Jenderek # Note: test only for Windows XP+SP3 x86 , 8.1 x64 arm and 10.1 x86 # info does only applies partly for older files like msvbvm50.pdb about year 2001 0 string Microsoft\ C/C++\040 # "Microsoft Program DataBase" by TrID >24 search/14 \r\n\x1A MSVC program database !:mime application/x-ms-pdb !:ext pdb # "MSF 7.00" "program database 2.00" for msvbvm50.pdb >>16 regex \([0-9.]+\) ver %s #>>>0x38 search/128123456 /LinkInfo \b with linkinfo # "MSF 7.00" variant >>0x1e leshort 0 # PageSize 400h 1000h >>>0x20 lelong x \b, %d # Page Count >>>0x28 lelong x \b*%d bytes # "program database 2.00" variant >>0x1e leshort !0 # PageSize 400h >>>0x2c lelong x \b, %d # Page Count for msoo-dll.pdb 4379h >>>0x32 leshort x \b*%d bytes
# Reference: https://github.com/Microsoft/vstest/pull/856/commits/fdc7a9f074ca5a8dfeec83b1be9162bf0cf4000d 0 string/c bsjb\001\000\001\000\000\000\000\000\f\000\000\000pdb\ v1.0 Microsoft Rosyln C# debugging symbols version 1.0
#.wsp 0 string 1.00\ .0000.0000\000\003 MSVC .wsp version 1.0000.0000 # these seem to start with the version and contain menus
#------------------------------------------------------------------------------ # msx: file(1) magic for the MSX Home Computer # v1.3 # Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net>
############## MSX Music file formats ##############
# Gigamix MGSDRV music file 0 string/b MGS MSX Gigamix MGSDRV3 music file, >6 ubeshort 0x0D0A >>3 byte x \bv%c >>4 byte x \b.%c >>5 byte x \b%c >>8 string >\0 \b, title: %s
# SCMD music file 0x8B string/b SCMD >0xCE uleshort 0 MSX SCMD Music file #>>-2 uleshort 0x6a71 ; The file must end with this value. How to code this here? >>0x8F string >\0 \b, title: %s
# Metal Gear 1 savegame #0x4F string \x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF #>>0x60 string \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF #>>>0x7B string \0x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00 Metal Gear 1 savegame
# ------------------------------------------------------------------------ # $File: mup,v 1.5 2017/03/17 21:35:28 christos Exp $ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung <abel (@) oaka.org> # # NOTE: This header is mainly proposed in the Arkkra mailing list, # and is not a mandatory header because of old mup input file # compatibility. Noteedit also use mup format, but is not forcing # user to use any header as well. # 0 search/1 //!Mup Mup music publication program input text >6 string -Arkkra (Arkkra) >>13 string - >>>16 string . >>>>14 string x \b, need V%.4s >>>15 string . >>>>14 string x \b, need V%.3s >6 string - >>9 string . >>>7 string x \b, need V%.4s >>8 string . >>>7 string x \b, need V%.3s #------------------------------------------------------------------------------ # $File: music,v 1.1 2011/11/25 03:28:17 christos Exp $ # music: file (1) magic for music formats
# BWW format used by Bagpipe Music Writer Gold by Robert MacNeil Musicworks # and Bagpipe Writer by Doug Wickstrom # 0 string Bagpipe Bagpipe >8 string Reader Reader >>15 string >\0 (version %.3s) >8 string Music\ Writer Music Writer >>20 string : >>>21 string >\0 (version %.3s) >>21 string Gold Gold >>>25 string : >>>>26 string >\0 (version %.3s)
# From: Barry Carter <carter.barry@gmail.com> 0 string DAF/SPK NASA SPICE file (binary format) 0 string DAFETF\ NAIF\ DAF\ ENCODED NASA SPICE file (transfer format)
#----------------------------------------------------------------------------- # $File: natinst,v 1.6 2014/06/03 19:17:27 christos Exp $ # natinst: file(1) magic for National Instruments Code Files
# # From <egamez@fcfm.buap.mx> Enrique Gamez-Flores # version 1 # Many formats still missing, we use, for the moment LabVIEW # We guess VXI format file. VISA, LabWindowsCVI, BridgeVIEW, etc, are missing # 0 string RSRC National Instruments, # Check if it's a LabVIEW File >8 string LV LabVIEW File, # Check which kind of file it is >>10 string SB Code Resource File, data >>10 string IN Virtual Instrument Program, data >>10 string AR VI Library, data # This is for Menu Libraries >8 string LMNULBVW Portable File Names, data # This is for General Resources >8 string rsc Resources File, data # This is for VXI Package 0 string VMAP National Instruments, VXI File, data
#------------------------------------------------------------------------------ # $File: ncr,v 1.8 2014/04/30 21:41:02 christos Exp $ # ncr: file(1) magic for NCR Tower objects # # contributed by # Michael R. Wayne *** TMC & Associates *** INTERNET: wayne@ford-vax.arpa # uucp: {philabs | pyramid} !fmsrl7!wayne OR wayne@fmsrl7.UUCP # 0 beshort 000610 Tower/XP rel 2 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %d 0 beshort 000615 Tower/XP rel 2 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %d 0 beshort 000620 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %d 0 beshort 000625 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %d 0 beshort 000630 Tower32/600/400 68020 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %d 0 beshort 000640 Tower32/800 68020 >18 beshort &020000 w/68881 object >18 beshort &040000 compatible object >18 beshort &060000 object >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped >22 beshort >0 - version %d 0 beshort 000645 Tower32/800 68010 >18 beshort &040000 compatible object >18 beshort &060000 object >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped >22 beshort >0 - version %d
# From: Mikhail Gusarov <dottedmag@dottedmag.net> # NekoVM (http://nekovm.org/) bytecode 0 string NEKO NekoVM bytecode >4 lelong x (%d global symbols, >8 lelong x %d global fields, >12 lelong x %d bytecode ops) !:mime application/x-nekovm-bytecode
#------------------------------------------------------------------------------ # $File: netbsd,v 1.25 2017/09/28 02:37:47 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. # The old-style magic numbers are indistinguishable from the same magic # numbers used in other systems, and are handled, for all those systems, # in aout. #
# NetBSD/alpha does not support (and has never supported) a.out objects, # so no rules are provided for them. NetBSD/alpha ELF objects are # dealt with in "elf". 0 lelong 0x00070185 ECOFF NetBSD/alpha binary >10 leshort 0x0001 not stripped >10 leshort 0x0000 stripped 0 belong&0377777777 043200507 a.out NetBSD/alpha core >12 string >\0 from '%s' >32 lelong !0 (signal %d)
# little endian only for now. 0 name ktrace >4 leshort 7 >>6 leshort <3 NetBSD ktrace file version %d >>>12 string x from %s >>>56 string x \b, emulation %s >>>8 lelong <65536 \b, pid=%d
56 string netbsd >0 use ktrace 56 string linux >0 use ktrace 56 string sunos >0 use ktrace 56 string hpux >0 use ktrace
#------------------------------------------------------------------------------ # $File: netscape,v 1.8 2017/03/17 21:35:28 christos Exp $ # netscape: file(1) magic for Netscape files # "H. Nanosecond" <aldomel@ix.netcom.com> # version 3 and 4 I think #
# Netscape Address book .nab 0 string \000\017\102\104\000\000\000\000\000\000\001\000\000\000\000\002\000\000\000\002\000\000\004\000 Netscape Address book
# Netscape Communicator address book 0 string \000\017\102\111 Netscape Communicator address book
#------------------------------------------------------------------------------ # $File: news,v 1.6 2009/09/19 16:28:11 christos Exp $ # news: file(1) magic for SunOS NeWS fonts (not "news" as in "netnews") # 0 string StartFontMetrics ASCII font metrics 0 string StartFont ASCII font bits 0 belong 0x137A2944 NeWS bitmap font 0 belong 0x137A2947 NeWS font family 0 belong 0x137A2950 scalable OpenFont binary 0 belong 0x137A2951 encrypted scalable OpenFont binary 8 belong 0x137A2B45 X11/NeWS bitmap font 8 belong 0x137A2B48 X11/NeWS font family
#------------------------------------------------------------------------------ # $File: nitpicker,v 1.7 2017/03/17 21:35:28 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann <C.Jachmann@gmx.net> http://www.nitpicker.de 0 string NPFF NItpicker Flow File >4 byte x V%d. >5 byte x %d >6 bedate x started: %s >10 bedate x stopped: %s >14 belong x Bytes: %u >18 belong x Bytes1: %u >22 belong x Flows: %u >26 belong x Pkts: %u
#------------------------------------------------------------------------------ # $File: oasis,v 1.2 2014/06/03 19:17:27 christos Exp $ # OASIS # Summary: OASIS stream file # Long description: Open Artwork System Interchange Standard # File extension: .oas # Full name: Ben Cowley (bcowley@broadcom.com) # Philip Dixon (pdixon@broadcom.com) # Reference: http://www.wrcad.com/oasis/oasis-3626-042303-draft.pdf # (see page 3) 0 string %SEMI-OASIS\r\n OASIS Stream file
#------------------------------------------------------------------------------ # $File: ocaml,v 1.5 2010/09/20 18:55:20 rrt Exp $ # ocaml: file(1) magic for Objective Caml files. 0 string Caml1999 OCaml >8 string X exec file >8 string I interface file (.cmi) >8 string O object file (.cmo) >8 string A library file (.cma) >8 string Y native object file (.cmx) >8 string Z native library file (.cmxa) >8 string M abstract syntax tree implementation file >8 string N abstract syntax tree interface file >9 string >\0 (Version %3.3s)
#------------------------------------------------------------------------------ # $File: octave,v 1.4 2009/09/19 16:28:11 christos Exp $ # octave binary data file(1) magic, from Dirk Eddelbuettel <edd@debian.org> 0 string Octave-1-L Octave binary data (little endian) 0 string Octave-1-B Octave binary data (big endian)
#------------------------------------------------------------------------------ # $File: ole2compounddocs,v 1.5 2017/10/27 21:43:23 christos Exp $ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) # Additional tests for OLE 2 Compound Documents should be under this recipe.
0 string \320\317\021\340\241\261\032\341 OLE 2 Compound Document # - Microstation V8 DGN files (www.bentley.com) # Last update on 10/23/2006 by Lester Hightower > 0x480 string D\000g\000n\000~\000H : Microstation V8 DGN # - Visio documents # Last update on 10/23/2006 by Lester Hightower > 0x480 string V\000i\000s\000i\000o\000D\000o\000c : Visio Document
# Note: moved & merged Microsoft Office parts from ./msdos Oct 2017 # Update: Joerg Jenderek # from http://filext.com by Derek M Jones <derek@knosof.co.uk> # False positive with PPT (also currently this string is too long) #0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer #0 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document #>48 byte 0x1B Excel Document #!:mime application/vnd.ms-excel >546 string bjbj : Microsoft Word Document !:mime application/msword # https://www.macdisk.com/macsigen.php !:apple MSWDWDBN !:ext doc/dot >546 string jbjb : Microsoft Word Document !:mime application/msword !:apple MSWDWDBN !:ext doc
#------------------------------------------------------------------------------ # $File: olf,v 1.4 2009/09/19 16:28:11 christos Exp $ # olf: file(1) magic for OLF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # MIPS R3000 may also be for MIPS R2000. # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # Created by Erik Theisen <etheisen@openbsd.org> # Based on elf from Daniel Quinlan <quinlan@yggdrasil.com> 0 string \177OLF OLF >4 byte 0 invalid class >4 byte 1 32-bit >4 byte 2 64-bit >7 byte 0 invalid os >7 byte 1 OpenBSD >7 byte 2 NetBSD >7 byte 3 FreeBSD >7 byte 4 4.4BSD >7 byte 5 Linux >7 byte 6 SVR4 >7 byte 7 esix >7 byte 8 Solaris >7 byte 9 Irix >7 byte 10 SCO >7 byte 11 Dell >7 byte 12 NCR >5 byte 0 invalid byte order >5 byte 1 LSB >>16 leshort 0 no file type, >>16 leshort 1 relocatable, >>16 leshort 2 executable, >>16 leshort 3 shared object, # Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de> # corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> >>16 leshort 4 core file >>>(0x38+0xcc) string >\0 of '%s' >>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort &0xff00 processor-specific, >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, >>18 leshort 3 Intel 80386, >>18 leshort 4 Motorola 68000 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 6 Intel 80486, >>18 leshort 7 Intel 80860, >>18 leshort 8 MIPS R3000_BE - invalid byte order, >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS R3000_LE, >>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 15 PA-RISC - invalid byte order, >>18 leshort 16 nCUBE, >>18 leshort 17 VPP500, >>18 leshort 18 SPARC32PLUS, >>18 leshort 20 PowerPC, >>18 leshort 0x9026 Alpha, >>20 lelong 0 invalid version >>20 lelong 1 version 1 >>36 lelong 1 MathCoPro/FPU/MAU Required >8 string >\0 (%s) >5 byte 2 MSB >>16 beshort 0 no file type, >>16 beshort 1 relocatable, >>16 beshort 2 executable, >>16 beshort 3 shared object, >>16 beshort 4 core file, >>>(0x38+0xcc) string >\0 of '%s' >>>(0x38+0x10) belong >0 (signal %d), >>16 beshort &0xff00 processor-specific, >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, >>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 4 Motorola 68000, >>18 beshort 5 Motorola 88000, >>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 7 Intel 80860, >>18 beshort 8 MIPS R3000_BE, >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS R3000_LE - invalid byte order, >>18 beshort 11 RS6000, >>18 beshort 15 PA-RISC, >>18 beshort 16 nCUBE, >>18 beshort 17 VPP500, >>18 beshort 18 SPARC32PLUS, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 cisco 7500, >>18 beshort 24 cisco SVIP, >>18 beshort 25 cisco 7200, >>18 beshort 36 cisco 12000, >>18 beshort 0x9026 Alpha, >>20 belong 0 invalid version >>20 belong 1 version 1 >>36 belong 1 MathCoPro/FPU/MAU Required
# Provided 1998/08/22 by # David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> 1 search/100 InternetShortcut MS Windows 95 Internet shortcut text >17 search/100 URL= (URL=< >>&0 string x \b%s>)
# >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) # Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: # # int16 ID; // ID magic word (5348h = "HS") # int8 unknown1; // unknown purpose, could be third letter of ID # int8 flags; // probably a flag word... # // bit 0: set if INF style file # // bit 4: set if HLP style file # // patching this byte allows reading HLP files # // using the VIEW command, while help files # // seem to work with INF settings here as well. # int16 hdrsize; // total size of header # int16 unknown2; // unknown purpose # 0 string HSP\x01\x9b\x00 OS/2 INF >107 string >0 (%s) 0 string HSP\x10\x9b\x00 OS/2 HLP >107 string >0 (%s)
# OS/2 INI (this is a guess) 0 string \xff\xff\xff\xff\x14\0\0\0 OS/2 INI
#------------------------------------------------------------------------------ # $File: os400,v 1.5 2009/09/19 16:28:11 christos Exp $ # os400: file(1) magic for IBM OS/400 files # # IBM OS/400 (i5/OS) Save file (SAVF) - gerardo.cacciari@gmail.com # In spite of its quite variable format (due to internal memory page # length differences between CISC and RISC versions of the OS) the # SAVF structure hasn't suitable offsets to identify the catalog # header in the first descriptor where there are some useful infos, # so we must search in a somewhat large area for a particular string # that represents the EBCDIC encoding of 'QSRDSSPC' (save/restore # descriptor space) preceded by a two byte constant. # 1090 search/7393 \x19\xDB\xD8\xE2\xD9\xC4\xE2\xE2\xD7\xC3 IBM OS/400 save file data >&212 byte 0x01 \b, created with SAVOBJ >&212 byte 0x02 \b, created with SAVLIB >&212 byte 0x07 \b, created with SAVCFG >&212 byte 0x08 \b, created with SAVSECDTA >&212 byte 0x0A \b, created with SAVSECDTA >&212 byte 0x0B \b, created with SAVDLO >&212 byte 0x0D \b, created with SAVLICPGM >&212 byte 0x11 \b, created with SAVCHGOBJ >&213 byte 0x44 \b, at least V5R4 to open >&213 byte 0x43 \b, at least V5R3 to open >&213 byte 0x42 \b, at least V5R2 to open >&213 byte 0x41 \b, at least V5R1 to open >&213 byte 0x40 \b, at least V4R5 to open >&213 byte 0x3F \b, at least V4R4 to open >&213 byte 0x3E \b, at least V4R3 to open >&213 byte 0x3C \b, at least V4R2 to open >&213 byte 0x3D \b, at least V4R1M4 to open >&213 byte 0x3B \b, at least V4R1 to open >&213 byte 0x3A \b, at least V3R7 to open >&213 byte 0x35 \b, at least V3R6 to open >&213 byte 0x36 \b, at least V3R2 to open >&213 byte 0x34 \b, at least V3R1 to open >&213 byte 0x31 \b, at least V3R0M5 to open >&213 byte 0x30 \b, at least V2R3 to open
#------------------------------------------------------------------------------ # $File: os9,v 1.8 2017/03/17 21:35:28 christos Exp $ # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # # OS9/6809 module descriptions: # 0 beshort 0x87CD OS9/6809 module: # >6 byte&0x0f 0x00 non-executable >6 byte&0x0f 0x01 machine language >6 byte&0x0f 0x02 BASIC I-code >6 byte&0x0f 0x03 Pascal P-code >6 byte&0x0f 0x04 C I-code >6 byte&0x0f 0x05 COBOL I-code >6 byte&0x0f 0x06 Fortran I-code # >6 byte&0xf0 0x10 program executable >6 byte&0xf0 0x20 subroutine >6 byte&0xf0 0x30 multi-module >6 byte&0xf0 0x40 data module # >6 byte&0xf0 0xC0 system module >6 byte&0xf0 0xD0 file manager >6 byte&0xf0 0xE0 device driver >6 byte&0xf0 0xF0 device descriptor # # OS9/m68k stuff (to be continued) # 0 beshort 0x4AFC OS9/68K module: # # attr >0x14 byte&0x80 0x80 re-entrant >0x14 byte&0x40 0x40 ghost >0x14 byte&0x20 0x20 system-state # # lang: # >0x13 byte 1 machine language >0x13 byte 2 BASIC I-code >0x13 byte 3 Pascal P-code >0x13 byte 4 C I-code >0x13 byte 5 COBOL I-code >0x13 byte 6 Fortran I-code # # # type: # >0x12 byte 1 program executable >0x12 byte 2 subroutine >0x12 byte 3 multi-module >0x12 byte 4 data module >0x12 byte 11 trap library >0x12 byte 12 system module >0x12 byte 13 file manager >0x12 byte 14 device driver >0x12 byte 15 device descriptor
#------------------------------------------------------------------------------ # $File: osf1,v 1.7 2009/09/19 16:28:11 christos Exp $ # # Mach magic number info # 0 long 0xefbe OSF/Rose object # I386 magic number info # 0 short 0565 i386 COFF object
#------------------------------------------------------------------------------ # $File: palm,v 1.13 2014/03/30 21:40:08 christos Exp $ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor <blalor@hcirisc.cs.binghamton.edu>
# These are weak, byte 59 is not guaranteed to be 0 and there are # 8 character identifiers at byte 60, one I found for appl is BIGb. # What are the possibilities and where is this documented?
# The common header format for PalmOS .pdb/.prc files is # { # char name[ 32 ]; # Word attributes; # Word version; # DWord creationDate; # DWord modificationDate; # DWord lastBackupDate; # DWord modificationNumber; # DWord appInfoID; # DWord sortInfoID; # char type[4]; # char creator[4]; # DWord uniqueIDSeed; # RecordListType recordList; # }; # # Datestamps are unsigned seconds since the MacOS epoch (Jan 1, 1904), # or Unix/POSIX time + 2082844800.
0 name aportisdoc # date is supposed to be big-endian seconds since 1 Jan 1904, but many # files contain the timestamp in little-endian or a completely # nonsensical value... #>36 bedate-2082844800 >0 \b, created %s # compression: 1=uncomp, 2=orig, 0x4448=HuffDic >(78.L) beshort =1 \b, uncompressed # compressed >(78.L) beshort >1 >>(78.L+4) belong x \b, %d bytes uncompressed
# Mobipocket (www.mobipocket.com), donated by Carl Witty # expanded by Ralf Brown 60 string BOOKMOBI Mobipocket E-book # MobiPocket stores a full title, pointed at by the belong at offset # 0x54 in its header at (78.L), with length given by the belong at # offset 0x58. # there's no guarantee that the title string is null-terminated, but # we currently can't specify a variable-length string where the length # field is not at the start of the string; in practice, the data # following the string always seems to start with a zero byte >(78.L) belong x >>&(&0x50.L-4) string >\0 "%s" >0 use aportisdoc >>(78.L+0x68) belong >0 \b, version %d >>(78.L+0x1C) belong !0 \b, codepage %d >>(78.L+0x0C) beshort >0 \b, encrypted (type %d)
# A GutenPalm zTXT etext for use on Palm Pilots (http://gutenpalm.sf.net) # For version 1.xx zTXTs, outputs version and numbers of bookmarks and # annotations. # For other versions, just outputs version. # 60 string zTXT A GutenPalm zTXT e-book >0 string >\0 "%s" >(0x4E.L) byte 0 >>(0x4E.L+1) byte x (v0.%02d) >(0x4E.L) byte 1 >>(0x4E.L+1) byte x (v1.%02d) >>>(0x4E.L+10) beshort >0 >>>>(0x4E.L+10) beshort <2 - 1 bookmark >>>>(0x4E.L+10) beshort >1 - %d bookmarks >>>(0x4E.L+14) beshort >0 >>>>(0x4E.L+14) beshort <2 - 1 annotation >>>>(0x4E.L+14) beshort >1 - %d annotations >(0x4E.L) byte >1 (v%d. >>(0x4E.L+1) byte x %02d)
# Palm OS .prc file types 60 string libr # flags, only bit 0 or bit 6 # http://en.wikipedia.org/wiki/PRC_%28Palm_OS%29 # http://web.mit.edu/tytso/www/pilot/prc-format.html >0x20 beshort&0xffbe 0 >>0 string >\0 Palm OS dynamic library data "%s" 60 string ptch Palm OS operating system patch data >0 string >\0 "%s"
# Mobipocket (www.mobipocket.com), donated by Carl Witty 60 string BOOKMOBI Mobipocket E-book >0 string >\0 "%s"
#------------------------------------------------------------------------------ # pc98: file(1) magic for the MSX Home Computer # v1.0 # Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net>
# Maki-chan v1 Graphic format # The image resolution should be X=(44.L - 40.L) and Y=(46.L - 42.L), but I couldn't find a way to do so # http://www.jisyo.com/viewer/faq/maki_tech.htm 0 string/b MAKI01 Maki-chan v1. >6 ubyte|0x20 x \b%c image >8 ubelong >0x40404040 \b, system ID: >>8 byte x %c >>9 byte x \b%c >>10 byte x \b%c >>11 byte x \b%c >44 ubeshort x \b, %dx >46 ubeshort x \b%d >38 ubeshort&2 0 \b, 16 paletted RGB colors >38 ubeshort&2 2 \b, 8 fixed RGB colors >38 ubeshort&1 1 \b, 2:1 dot aspect ratio
# Maki-chan v2 Graphic format # http://www.jisyo.com/viewer/faq/mag_tech.htm # http://mooncore.eu/bunny/txt/makichan.htm # http://metanest.jp/mag/mag.xhtml 0 string/b MAKI02\ \ Maki-chan v2 image, >8 byte x system ID: %c >9 byte x \b%c >10 byte x \b%c >11 byte x \b%c, >13 search/0x200 \x1A #Maki-chan video modes are a bit messy and seems to have been expanded over the years without too much planing: #1) When offset1(ubeshort) !=0x0344: # 1.1) And offset3(ubyte).b7=0: # - b0=pixel aspect ratio: 1=2:1 (note: this ignores that the machine's 1:1 pixel aspect ratio isn't really 1:1) # - b1=number of colors: 0=16 colors, 1=8 colors # - b2=Palette or fixed colors flag (called "analog" and "digital" in the doc): 0=Paletted, 1=Fixed colors encoded directly in the pixel data # 1.2) And offset3(ubyte).B7=1: # - b0=256 paletted colors # - b1=256 fixed colors using the MSX SCR8 palette #2) When offset1(ubeshort) =0x0344: # - 256x212 image with 19268 YJK colors. The usual resolution and color information fields from the file must be ignored >>&1 ubeshort 0x0344 256x212, 19268 fixed YJK colors >>&1 ubeshort !0x0344 >>>&5 uleshort+1 x %dx >>>&7 uleshort+1 x \b%d, >>>&0 ubyte&0x86 0x00 16 paletted RGB colors >>>&0 ubyte&0x86 0x02 8 paletted RGB colors >>>&0 ubyte&0x86 0x04 16 fixed RGB colors >>>&0 ubyte&0x86 0x06 8 fixed RGB colors >>>&0 ubyte&0x81 0x80 256 paletted RGB colors >>>&0 ubyte&0x81 0x81 256 fixed MSX-SCR8 colors >>>&0 ubyte&0x01 1 \b, 2:1 dot aspect ratio
# Yanagisawa Pi picture #0 string Pi\x1A\0 Yanagisawa Pi picture #>3 search/0x200 \x04 0 string Pi >2 search/0x200 \x1A >>&0 ubyte 0 >>>&3 ubyte 4 Yanagisawa Pi 16 color picture, >>>&4 byte x system ID: %c >>>&5 byte x \b%c >>>&6 byte x \b%c >>>&7 byte x \b%c, >>>&10 ubeshort x %dx >>>&12 ubeshort x \b%d >>>&3 ubyte 8 Yanagisawa Pi 256 color picture >>>&4 byte x system ID: %c >>>&5 byte x \b%c >>>&6 byte x \b%c >>>&7 byte x \b%c, >>>&10 ubeshort x %dx >>>&12 ubeshort x \b%d
#------------------------------------------------------------------------------ # $File: pdf,v 1.9 2017/05/24 17:35:20 christos Exp $ # pdf: file(1) magic for Portable Document Format #
0 string %PDF- PDF document !:mime application/pdf >5 byte x \b, version %c >7 byte x \b.%c
0 string \012%PDF- PDF document !:mime application/pdf >6 byte x \b, version %c >8 byte x \b.%c
# From: Nick Schmalenberger <nick@schmalenberger.us> # Forms Data Format 0 string %FDF- FDF document !:mime application/vnd.fdf >5 byte x \b, version %c >7 byte x \b.%c
0 search/256 %PDF- PDF document !:mime application/pdf >&0 byte x \b, version %c >&2 byte x \b.%c
# updated by Joerg Jenderek at Mar 2013 # GRR: line below too general as it catches also Windows precompiled setup information *.PNF 0 leshort 0401 # skip *.PNF with WinDirPathOffset 58h >68 ulelong !0x00000058 PDP-11 UNIX/RT ldp # skip *.PNF with high byte of InfVersionDatumCount zero #>>15 byte !0 PDP-11 UNIX/RT ldp 0 leshort 0405 PDP-11 old overlay
0 leshort 0410 PDP-11 pure executable >8 leshort >0 not stripped >15 byte >0 - version %d
0 leshort 0411 PDP-11 separate I&D executable >8 leshort >0 not stripped >15 byte >0 - version %d
0 leshort 0437 PDP-11 kernel overlay
# These last three are derived from 2.11BSD file(1) 0 leshort 0413 PDP-11 demand-paged pure executable >8 leshort >0 not stripped
0 leshort 0430 PDP-11 overlaid pure executable >8 leshort >0 not stripped
0 leshort 0431 PDP-11 overlaid separate executable >8 leshort >0 not stripped #------------------------------------------------------------------------------ # $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. # Keith Waclena <keith@cerberus.uchicago.edu> # Send additions to <perl5-porters@perl.org> 0 search/1024 eval\ "exec\ perl Perl script text !:mime text/x-perl 0 search/1024 eval\ "exec\ /bin/perl Perl script text !:mime text/x-perl 0 search/1024 eval\ "exec\ /usr/bin/perl Perl script text !:mime text/x-perl 0 search/1024 eval\ "exec\ /usr/local/bin/perl Perl script text !:mime text/x-perl 0 search/1024 eval\ 'exec\ perl Perl script text !:mime text/x-perl 0 search/1024 eval\ 'exec\ /bin/perl Perl script text !:mime text/x-perl 0 search/1024 eval\ 'exec\ /usr/bin/perl Perl script text !:mime text/x-perl 0 search/1024 eval\ 'exec\ /usr/local/bin/perl Perl script text !:mime text/x-perl 0 search/1024 eval\ '(exit\ $?0)'\ &&\ eval\ 'exec Perl script text !:mime text/x-perl 0 string #!/usr/bin/env\ perl Perl script text executable !:mime text/x-perl 0 string #!\ /usr/bin/env\ perl Perl script text executable !:mime text/x-perl 0 string #! >0 regex \^#!.*/bin/perl([[:space:]].*)*$ Perl script text executable !:mime text/x-perl
# by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/8192 package >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text !:strength + 40 # not 'p', check other lines 0 search/8192 !p >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; >>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text !:strength + 75
# Perl POD documents # From: Tom Hukins <tom@eborcom.com> 0 search/1024/W \=pod\n Perl POD document text 0 search/1024/W \n\=pod\n Perl POD document text 0 search/1024/W \=head1\ Perl POD document text 0 search/1024/W \n\=head1\ Perl POD document text 0 search/1024/W \=head2\ Perl POD document text 0 search/1024/W \n\=head2\ Perl POD document text 0 search/1024/W \=encoding\ Perl POD document text 0 search/1024/W \n\=encoding\ Perl POD document text
# This is Debian #742949 by Zefram <zefram@fysh.org>: # ----------------------------------------------------------- # The Perl module Hash::SharedMem # <https://metacpan.org/release/Hash-SharedMem> defines a file format # for a key/value store. Details of the file format are in the "DESIGN" # file in the module distribution. Magic: 0 bequad =0xa58afd185cbf5af7 Hash::SharedMem master file, big-endian >8 bequad <0x1000000 >>15 byte >2 \b, line size 2^%d byte >>14 byte >2 \b, page size 2^%d byte >>13 byte &1 >>>13 byte >1 \b, max fanout %d 0 lequad =0xa58afd185cbf5af7 Hash::SharedMem master file, little-endian >8 lequad <0x1000000 >>8 byte >2 \b, line size 2^%d byte >>9 byte >2 \b, page size 2^%d byte >>10 byte &1 >>>10 byte >1 \b, max fanout %d 0 bequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, big-endian >8 bequad <0x1000000 >>15 byte >2 \b, line size 2^%d byte >>14 byte >2 \b, page size 2^%d byte >>13 byte &1 >>>13 byte >1 \b, max fanout %d 0 lequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, little-endian >8 lequad <0x1000000 >>8 byte >2 \b, line size 2^%d byte >>9 byte >2 \b, page size 2^%d byte >>10 byte &1 >>>10 byte >1 \b, max fanout %d
#------------------------------------------------------------------------------ # $File: pgf,v 1.2 2017/03/17 21:35:28 christos Exp $ # pgf: file(1) magic for Progressive Graphics File (PGF) # # <http://www.libpgf.org/uploads/media/PGF_Details_01.pdf> # 2013 by Philipp Hahn <pmhahn debian org> 0 string PGF Progressive Graphics image data, !:mime image/x-pgf >3 string 2 version %s, >3 string 4 version %s, >3 string 5 version %s, >3 string 6 version %s, # PGFPreHeader #>>4 lelong x header size %d, # PGFHeader >>8 lelong x %d x >>12 lelong x %d, >>16 byte x %d levels, >>17 byte x compression level %d, >>18 byte x %d bpp, >>19 byte x %d channels, >>20 clear x >>20 byte 0 bitmap, >>20 byte 1 gray scale, >>20 byte 2 indexed color, >>20 byte 3 RGB color, >>20 byte 4 CYMK color, >>20 byte 5 HSL color, >>20 byte 6 HSB color, >>20 byte 7 multi-channel, >>20 byte 8 duo tone, >>20 byte 9 LAB color, >>20 byte 10 gray scale 16, >>20 byte 11 RGB color 48, >>20 byte 12 LAB color 48, >>20 byte 13 CYMK color 64, >>20 byte 14 deep multi-channel, >>20 byte 15 duo tone 16, >>20 byte 17 RGBA color, >>20 byte 18 gray scale 32, >>20 byte 19 RGB color 12, >>20 byte 20 RGB color 16, >>20 byte 255 unknown format, >>20 default x format >>>20 byte x \b %d, >>21 byte x %d bpc # PGFPostHeader # Level-Sizes #>>(4.l+4) lelong x level 0 size: %d #>>(4.l+8) lelong x level 1 size: %d #>>(4.l+12) lelong x level 2 size: %d
#------------------------------------------------------------------------------ # $File: pgp,v 1.15 2018/02/24 16:11:23 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # # Update: Joerg Jenderek # Note: verified by `gpg -v --debug 0x02 --list-packets < PUBRING263_10.PGP` #0 byte 0x99 MAYBE PGP 0x99 0 byte 0x99 # 99h~10;0110;01~2=old packet type;tag 6=Public-Key Packet;1=two-octet length # A two-octet body header encodes packet lengths of 192~00C0h - 8383~20BFh #>1 ubeshort x \b, body length 0x%.4x # skip Basic.Image Beauty.320 Pic.Icons by looking for low version number #>3 ubyte x \b, V=%u #>3 ubyte <5 VERSION OK >3 ubyte <5 # next packet type often b4h~(tag 13)~User ID Packet, b0h~(tag 12)~Trust packet #>>(1.S+3) ubyte x \b, next packet type 0x%x # skip 9900-v4.bin 9902-v4.bin by looking for valid second packet type (bit 7=1) #>>(1.S+3) ubyte >0x7F TYPE OK, >>(1.S+3) ubyte >0x7F # old versions 2,3 implies Pretty Good Privacy >>>3 ubyte <4 PGP key public ring (v%u) !:mime application/pgp-keys !:ext pgp/ASD >>>>4 beldate x created %s # days that this key is valid. If this number is zero, then it does not expire >>>>8 ubeshort >0 \b, %u days valid >>>>8 ubeshort =0 \b, not expire # display key algorithm 1~RSA (Encrypt or Sign) >>>>10 use key_algo # Multiprecision Integers (MPI) size >>>>11 ubeshort x %u bits # MPI >>>>13 ubequad x MPI=0x%16.16llx... # new version implies Pretty Good Privacy (PGP) >= 5.0 or Gnu Privacy Guard (GPG) >>>3 ubyte >3 PGP/GPG key public ring (v%u) !:mime application/pgp-keys !:ext pgp/gpg/pkr/asd >>>>4 beldate x created %s # display key algorithm 17~DSA >>>>8 use key_algo # Multiprecision Integers (MPI) size >>>>9 ubeshort x %u bits >>>>11 ubequad x MPI=0x%16.16llx...
0 beshort 0x9501 PGP key security ring !:mime application/x-pgp-keyring 0 beshort 0x9500 PGP key security ring !:mime application/x-pgp-keyring 0 beshort 0xa600 PGP encrypted data #!:mime application/pgp-encrypted #0 string -----BEGIN\040PGP text/PGP armored data !:mime text/PGP # encoding: armored data #>15 string PUBLIC\040KEY\040BLOCK- public key block #>15 string MESSAGE- message #>15 string SIGNED\040MESSAGE- signed message #>15 string PGP\040SIGNATURE- signature
# Decode the type of the packet based on it's base64 encoding. # Idea from Mark Martinec # The specification is in RFC 4880, section 4.2 and 4.3: # http://tools.ietf.org/html/rfc4880#section-4.2
# encrypted keymaterial needs s2k & can be checksummed/hashed
0 name chkcrypto >0 use crypto >1 byte 0x00 Simple S2K >1 byte 0x01 Salted S2K >1 byte 0x03 Salted&Iterated S2K >2 use hash
# all PGP keys start with this prolog # containing version, creation date, and purpose
0 name keyprolog >0 byte 0x04 >1 beldate x created on %s - >5 byte 0x01 RSA (Encrypt or Sign) >5 byte 0x02 RSA Encrypt-Only
# end of secret keys known signature # contains e=65537 and the prolog to # the encrypted parameters
0 name keyend >0 string \x00\x11\x01\x00\x01 e=65537 >5 use crypto >5 byte 0xff checksummed >>6 use chkcrypto >5 byte 0xfe hashed >>6 use chkcrypto
# PGP secret keys contain also the public parts # these vary by bitsize of the key
0 name x1024 >0 use keyprolog >6 string \x03\xfe >6 string \x03\xff >6 string \x04\x00 >136 use keyend
0 name x2048 >0 use keyprolog >6 string \x80\x00 >6 string \x07\xfe >6 string \x07\xff >264 use keyend
0 name x3072 >0 use keyprolog >6 string \x0b\xfe >6 string \x0b\xff >6 string \x0c\x00 >392 use keyend
0 name x4096 >0 use keyprolog >6 string \x10\x00 >6 string \x0f\xfe >6 string \x0f\xff >520 use keyend
# \x00|\x1f[\xfe\xff]).{1024})' 0 name x8192 >0 use keyprolog >6 string \x20\x00 >6 string \x1f\xfe >6 string \x1f\xff >1032 use keyend
# depending on the size of the pkt # we branch into the proper key size # signatures defined as x{keysize}
>0 name pgpkey >0 string \x01\xd8 1024b >>2 use x1024 >0 string \x01\xeb 1024b >>2 use x1024 >0 string \x01\xfb 1024b >>2 use x1024 >0 string \x01\xfd 1024b >>2 use x1024 >0 string \x01\xf3 1024b >>2 use x1024 >0 string \x01\xee 1024b >>2 use x1024 >0 string \x01\xfe 1024b >>2 use x1024 >0 string \x01\xf4 1024b >>2 use x1024 >0 string \x02\x0d 1024b >>2 use x1024 >0 string \x02\x03 1024b >>2 use x1024 >0 string \x02\x05 1024b >>2 use x1024 >0 string \x02\x15 1024b >>2 use x1024 >0 string \x02\x00 1024b >>2 use x1024 >0 string \x02\x10 1024b >>2 use x1024 >0 string \x02\x04 1024b >>2 use x1024 >0 string \x02\x06 1024b >>2 use x1024 >0 string \x02\x16 1024b >>2 use x1024 >0 string \x03\x98 2048b >>2 use x2048 >0 string \x03\xab 2048b >>2 use x2048 >0 string \x03\xbb 2048b >>2 use x2048 >0 string \x03\xbd 2048b >>2 use x2048 >0 string \x03\xcd 2048b >>2 use x2048 >0 string \x03\xb3 2048b >>2 use x2048 >0 string \x03\xc3 2048b >>2 use x2048 >0 string \x03\xc5 2048b >>2 use x2048 >0 string \x03\xd5 2048b >>2 use x2048 >0 string \x03\xae 2048b >>2 use x2048 >0 string \x03\xbe 2048b >>2 use x2048 >0 string \x03\xc0 2048b >>2 use x2048 >0 string \x03\xd0 2048b >>2 use x2048 >0 string \x03\xb4 2048b >>2 use x2048 >0 string \x03\xc4 2048b >>2 use x2048 >0 string \x03\xc6 2048b >>2 use x2048 >0 string \x03\xd6 2048b >>2 use x2048 >0 string \x05X 3072b >>2 use x3072 >0 string \x05k 3072b >>2 use x3072 >0 string \x05{ 3072b >>2 use x3072 >0 string \x05} 3072b >>2 use x3072 >0 string \x05\x8d 3072b >>2 use x3072 >0 string \x05s 3072b >>2 use x3072 >0 string \x05\x83 3072b >>2 use x3072 >0 string \x05\x85 3072b >>2 use x3072 >0 string \x05\x95 3072b >>2 use x3072 >0 string \x05n 3072b >>2 use x3072 >0 string \x05\x7e 3072b >>2 use x3072 >0 string \x05\x80 3072b >>2 use x3072 >0 string \x05\x90 3072b >>2 use x3072 >0 string \x05t 3072b >>2 use x3072 >0 string \x05\x84 3072b >>2 use x3072 >0 string \x05\x86 3072b >>2 use x3072 >0 string \x05\x96 3072b >>2 use x3072 >0 string \x07[ 4096b >>2 use x4096 >0 string \x07\x18 4096b >>2 use x4096 >0 string \x07+ 4096b >>2 use x4096 >0 string \x07; 4096b >>2 use x4096 >0 string \x07= 4096b >>2 use x4096 >0 string \x07M 4096b >>2 use x4096 >0 string \x073 4096b >>2 use x4096 >0 string \x07C 4096b >>2 use x4096 >0 string \x07E 4096b >>2 use x4096 >0 string \x07U 4096b >>2 use x4096 >0 string \x07. 4096b >>2 use x4096 >0 string \x07> 4096b >>2 use x4096 >0 string \x07@ 4096b >>2 use x4096 >0 string \x07P 4096b >>2 use x4096 >0 string \x074 4096b >>2 use x4096 >0 string \x07D 4096b >>2 use x4096 >0 string \x07F 4096b >>2 use x4096 >0 string \x07V 4096b >>2 use x4096 >0 string \x0e[ 8192b >>2 use x8192 >0 string \x0e\x18 8192b >>2 use x8192 >0 string \x0e+ 8192b >>2 use x8192 >0 string \x0e; 8192b >>2 use x8192 >0 string \x0e= 8192b >>2 use x8192 >0 string \x0eM 8192b >>2 use x8192 >0 string \x0e3 8192b >>2 use x8192 >0 string \x0eC 8192b >>2 use x8192 >0 string \x0eE 8192b >>2 use x8192 >0 string \x0eU 8192b >>2 use x8192 >0 string \x0e. 8192b >>2 use x8192 >0 string \x0e> 8192b >>2 use x8192 >0 string \x0e@ 8192b >>2 use x8192 >0 string \x0eP 8192b >>2 use x8192 >0 string \x0e4 8192b >>2 use x8192 >0 string \x0eD 8192b >>2 use x8192 >0 string \x0eF 8192b >>2 use x8192 >0 string \x0eV 8192b >>2 use x8192
# PGP RSA (e=65537) secret (sub-)key header
0 byte 0x95 PGP Secret Key - >1 use pgpkey 0 byte 0x97 PGP Secret Sub-key - >1 use pgpkey 0 byte 0x9d # Update: Joerg Jenderek # secret subkey packet (tag 7) with same structure as secret key packet (tag 5) # skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len >1 ubeshort >0 #>1 ubeshort x \b, body length 0x%x # next packet type often 88h,89h~(tag 2)~Signature Packet #>>(1.S+3) ubyte x \b, next packet type 0x%x # skip Dragon.SHR DEMO.INIT by looking for positive version >>3 ubyte >0 # skip BUISSON.13 GUITAR1 by looking for low version number >>>3 ubyte <5 PGP Secret Sub-key # sub-key are normally part of secret key. So it does not occur as standalone file #!:ext bin # version 2,3~old 4~new . Comment following line for version 5.28 look >>>>3 ubyte x (v%d) >>>>3 ubyte x - # old versions 2 or 3 but no real example found >>>>3 ubyte <4 # 2 byte for key bits in version 5.28 look >>>>>11 ubeshort x %db >>>>>4 beldate x created on %s - # old versions use 2 additional bytes after time stamp #>>>>>8 ubeshort x 0x%x # display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman >>>>>10 use key_algo >>>>>(11.S/8) ubequad x # look after first key >>>>>>&5 use keyend # new version >>>>3 ubyte >3 >>>>>9 ubeshort x %db >>>>>4 beldate x created on %s - # display key algorithm >>>>>8 use key_algo >>>>>(9.S/8) ubequad x # look after first key for something like s2k >>>>>>&3 use keyend
# PostScript, updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string %! PostScript document text !:mime application/postscript !:apple ASPSTEXT >2 string PS-Adobe- conforming >>11 string >\0 DSC level %.3s >>>15 string EPS \b, type %s >>>15 string Query \b, type %s >>>15 string ExitServer \b, type %s >>>15 search/1000 %%LanguageLevel:\040 >>>>&0 string >\0 \b, Level %s # Some PCs have the annoying habit of adding a ^D as a document separator 0 string \004%! PostScript document text !:mime application/postscript !:apple ASPSTEXT >3 string PS-Adobe- conforming >>12 string >\0 DSC level %.3s >>>16 string EPS \b, type %s >>>16 string Query \b, type %s >>>16 string ExitServer \b, type %s >>>16 search/1000 %%LanguageLevel:\040 >>>>&0 string >\0 \b, Level %s 0 string \033%-12345X%!PS PostScript document
# DOS EPS Binary File Header # From: Ed Sznyter <ews@Black.Market.NET> 0 belong 0xC5D0D3C6 DOS EPS Binary File >4 long >0 Postscript starts at byte %d >>8 long >0 length %d >>>12 long >0 Metafile starts at byte %d >>>>16 long >0 length %d >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d
# HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data # HP Printer Job Language # The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de> # 0 string \033%-12345X@PJL HP Printer Job Language data >&0 string >\0 %s >>&0 string >\0 %s >>>&0 string >\0 %s >>>>&0 string >\0 %s #>15 string \ ENTER\ LANGUAGE\ = #>31 string PostScript PostScript
# From: Stefan Thurner <thurners@nicsys.de> 0 string \033%-12345X@PJL >&0 search/10000 %! PJL encapsulated PostScript document text
# Rick Richardson <rickrich@gmail.com>
# For Fuji-Xerox Printers - HBPL stands for Host Based Printer Language # For Oki Data Printers - HIPERC # For Konica Minolta Printers - LAVAFLOW # For Samsung Printers - QPDL # For HP Printers - ZJS stands for Zenographics ZJStream 0 string \033%-12345X@PJL HP Printer Job Language data >0 search/10000 @PJL\ ENTER\ LANGUAGE=HBPL - HBPL >0 search/10000 @PJL\ ENTER\ LANGUAGE=HIPERC - Oki Data HIPERC >0 search/10000 @PJL\ ENTER\ LANGUAGE=LAVAFLOW - Konica Minolta LAVAFLOW >0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS
# IMAGEN printer-ready files: 0 string @document( Imagen printer # this only works if "language xxx" is first item in Imagen header. >10 string language\ impress (imPRESS data) >10 string language\ daisy (daisywheel text) >10 string language\ diablo (daisywheel text) >10 string language\ printer (line printer emulation) >10 string language\ tektronix (Tektronix 4014 emulation) # Add any other languages that your Imagen uses - remember # to keep the word `text' if the file is human-readable. # [GRR 950115: missing "postscript" or "ultrascript" (whatever it was called)] # # Now magic for IMAGEN font files... 0 string Rast RST-format raster font data >45 string >0 face %s # From Jukka Ukkonen 0 string \033[K\002\0\0\017\033(a\001\0\001\033(g Canon Bubble Jet BJC formatted data
# From <mike@flyn.org> # These are the /etc/magic entries to decode data sent to an Epson printer. 0 string \x1B\x40\x1B\x28\x52\x08\x00\x00REMOTE1P Epson Stylus Color 460 data
#------------------------------------------------------------------------------ # zenographics: file(1) magic for Zenographics ZjStream printer data # Rick Richardson <rickrich@gmail.com> 0 string JZJZ >0x12 string ZZ Zenographics ZjStream printer data (big-endian) 0 string ZJZJ >0x12 string ZZ Zenographics ZjStream printer data (little-endian)
#------------------------------------------------------------------------------ # Oak Technologies printer stream # Rick Richardson <rickrich@gmail.com> 0 string OAK >0x07 byte 0 >0x0b byte 0 Oak Technologies printer stream
# This would otherwise be recognized as PostScript - nick@debian.org 0 string %!VMF SunClock's Vector Map Format data
#------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file 0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware
# From: Paolo <oopla@users.sf.net> # Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data
#------------------------------------------------------------------------------ # $File: project,v 1.5 2017/03/17 21:35:28 christos Exp $ # project: file(1) magic for Project management # # Magic strings for ftnchek project files. Alexander Mai 0 string FTNCHEK_\ P project file for ftnchek >10 string 1 version 2.7 >10 string 2 version 2.8 to 2.10 >10 string 3 version 2.11 or later
#------------------------------------------------------------------------------ # $File: psdbms,v 1.8 2017/03/17 21:35:28 christos Exp $ # psdbms: file(1) magic for psdatabase # # Update: Joerg Jenderek # GRR: line below too general as it catches also some Panorama database *.pan , # AppleWorks word processor 0 belong&0xff00ffff 0x56000000 # assume version starts with digit >1 regex/s =^[0-9] ps database >>1 string >\0 version %s # kernel name >>4 string >\0 from kernel %s
#------------------------------------------------------------------------------ # $File: psl,v 1.2 2016/07/14 17:34:27 christos Exp $ # psl: file(1) magic for Public Suffix List representations # From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> # URL: https://publicsuffix.org # see also: http://thread.gmane.org/gmane.network.dns.libpsl.bugs/162/focus=166
0 search/512 \n\n//\ ===BEGIN\ ICANN\ DOMAINS===\n\n Public Suffix List data
0 string .DAFSA@PSL_ >15 string \n Public Suffix List data (optimized) >>11 byte >0x2f >>>11 byte <0x3a (Version %c)
0 belong 0x1ee7f11e Pulsar POP3 daemon mailbox cache file. >4 ubelong x Version: %d. >8 ubelong x \b%d
#------------------------------------------------------------------------------ # $File: pwsafe,v 1.1 2012/10/25 00:12:19 christos Exp $ # pwsafe: file(1) magic for passwordsafe file # # Password Safe # http://passwordsafe.sourceforge.net/ # file format specs # http://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/formatV3.txt # V2 http://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/formatV2.txt # V1 http://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/notes.txt # V2 and V1 have no easy identifier that I can find # .psafe3 0 string PWS3 Password Safe V3 database
#------------------------------------------------------------------------------ # $File: pyramid,v 1.7 2009/09/19 16:28:12 christos Exp $ # pyramid: file(1) magic for Pyramids # # XXX - byte order? # 0 long 0x50900107 Pyramid 90x family executable 0 long 0x50900108 Pyramid 90x family pure executable >16 long >0 not stripped 0 long 0x5090010b Pyramid 90x family demand paged pure executable >16 long >0 not stripped
#------------------------------------------------------------------------------ # $File: python,v 1.34 2017/08/14 07:40:38 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages # From: David Necas <yeti@physics.muni.cz> # often the module starts with a multiline string 0 string/t """ Python script text executable # MAGIC as specified in Python/import.c (1.5 to 2.7a0 and 3.1a0, assuming # that Py_UnicodeFlag is off for Python 2) # two bytes of magic followed by "\r\n" in little endian order 0 belong 0x994e0d0a python 1.5/1.6 byte-compiled 0 belong 0x87c60d0a python 2.0 byte-compiled 0 belong 0x2aeb0d0a python 2.1 byte-compiled 0 belong 0x2ded0d0a python 2.2 byte-compiled 0 belong 0x3bf20d0a python 2.3 byte-compiled 0 belong 0x6df20d0a python 2.4 byte-compiled 0 belong 0xb3f20d0a python 2.5 byte-compiled 0 belong 0xd1f20d0a python 2.6 byte-compiled 0 belong 0x03f30d0a python 2.7 byte-compiled 0 belong 0x3b0c0d0a python 3.0 byte-compiled 0 belong 0x4f0c0d0a python 3.1 byte-compiled 0 belong 0x6c0c0d0a python 3.2 byte-compiled 0 belong 0x9e0c0d0a python 3.3 byte-compiled 0 belong 0xee0c0d0a python 3.4 byte-compiled 0 belong 0x160d0d0a python 3.5.1- byte-compiled 0 belong 0x170d0d0a python 3.5.2+ byte-compiled 0 belong 0x330d0d0a python 3.6 byte-compiled 0 belong 0x3e0d0d0a python 3.7 byte-compiled
# Type: Git pack # From: Adam Buchbinder <adam.buchbinder@gmail.com> # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Git # reference: https://github.com/git/git/blob/master/Documentation/technical/pack-format.txt # The actual magic is 'PACK', but that clashes with Doom/Quake packs. However, # those have a little-endian offset immediately following the magic 'PACK', # the first byte of which is never 0, while the first byte of the Git pack # version, since it's a tiny number stored in big-endian format, is always 0. 0 string PACK # GRR: line above is too general as it matches also PackDir archive ./acorn # test for major version. Git 2017 accepts version number 2 or 3 >4 ubelong <9 # Acorn PackDir with method 0 compression has root like ADFS::HardDisc4.$.AsylumSrc # or SystemDevice::foobar >>9 search/13 :: # but in git binary >>9 default x Git pack !:mime application/x-git !:ext pack # 4 GB limit implies unsigned integer >>>4 ubelong x \b, version %u >>>8 ubelong x \b, %u objects
# Type: Git pack index # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string \377tOc Git pack index >4 belong =2 \b, version 2
# Type: Git index file # From: Frederic Briare <fbriere@fbriere.net> 0 string DIRC Git index >4 belong >0 \b, version %d >>8 belong >0 \b, %d entries
# try to find "fmt " 0 name riff-walk >0 string fmt\x20 >>4 lelong <0x80 >>>8 use riff-wave >0 string LIST >>&(4.l+4) use riff-walk >0 string DISP >>&(4.l+4) use riff-walk >0 string bext >>&(4.l+4) use riff-walk >0 string Fake >>&(4.l+4) use riff-walk >0 string fact >>&(4.l+4) use riff-walk >0 string VP8 >>11 byte 0x9d >>>12 byte 0x01 >>>>13 byte 0x2a \b, VP8 encoding >>>>>14 leshort&0x3fff x \b, %d >>>>>16 leshort&0x3fff x \bx%d, Scaling: >>>>>14 leshort&0xc000 0x0000 \b [none] >>>>>14 leshort&0xc000 0x1000 \b [5/4] >>>>>14 leshort&0xc000 0x2000 \b [5/3] >>>>>14 leshort&0xc000 0x3000 \b [2] >>>>>14 leshort&0xc000 0x0000 \bx[none] >>>>>14 leshort&0xc000 0x1000 \bx[5/4] >>>>>14 leshort&0xc000 0x2000 \bx[5/3] >>>>>14 leshort&0xc000 0x3000 \bx[2] >>>>>15 byte&0x80 =0x00 \b, YUV color >>>>>15 byte&0x80 =0x80 \b, bad color specification >>>>>15 byte&0x40 =0x40 \b, no clamping required >>>>>15 byte&0x40 =0x00 \b, decoders should clamp #>0 string x we got %s #>>&(4.l+4) use riff-walk
# AVI section extended by Patrik Radman <patrik+file-magic@iki.fi> # 0 string RIFF RIFF (little-endian) data # RIFF Palette format # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Resource_Interchange_File_Format # Reference: http://worms2d.info/Palette_file >8 string PAL\ \b, palette !:mime application/x-riff # color palette by Microsoft Corporation !:ext pal # file size = chunk size + 8 in most cases >>4 ulelong+8 x \b, %u bytes # Extended PAL Format >>12 string plth \b, extended # Simple PAL Format >>12 string data # data chunk size = color entries * 4 + 4 + sometimes extra (4) appended bytes >>>16 ulelong x \b, data size %u # palVersion is always 0x0300 #>>>20 leshort x \b, version 0x%4.4x # palNumEntries specifies the number of palette color entries >>>22 uleshort x \b, %u entries # after palPalEntry sized (number of color entries * 4 ) vector >>>(22.s*4) ubequad x # jump relative 22 ( 8 + 16) bytes forward points after end of file or to # appended extra bytes like in http://safecolours.rigdenage.com/set(ms).zip/Protan(MS).pal >>>>&16 ubelong x \b, extra bytes >>>>>&-4 ubelong >0 0x%8.8x # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap >>16 string BM >>>30 leshort 12 \b, OS/2 1.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d >>>30 leshort 64 \b, OS/2 2.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d >>>30 leshort 40 \b, Windows 3.x format >>>>34 lelong x \b, %d x >>>>38 lelong x %d x >>>>44 leshort x %d # RIFF MIDI format >8 string RMID \b, MIDI # RIFF Multimedia Movie File format >8 string RMMP \b, multimedia movie # RIFF wrapper for MP3 >8 string RMP3 \b, MPEG Layer 3 audio # Microsoft WAVE format (*.wav) >8 string WAVE \b, WAVE audio !:mime audio/x-wav >>12 string >\0 >>>12 use riff-walk # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture !:mime image/x-coreldraw >8 string CDR6 \b, Corel Draw Picture, version 6 !:mime image/x-coreldraw >8 string NUNDROOT \b, Steinberg CuBase # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI !:mime video/x-msvideo >>12 string LIST >>>20 string hdrlavih >>>>&36 lelong x \b, %u x >>>>&40 lelong x %u, >>>>&4 lelong >1000000 <1 fps, >>>>&4 lelong 1000000 1.00 fps, >>>>&4 lelong 500000 2.00 fps, >>>>&4 lelong 333333 3.00 fps, >>>>&4 lelong 250000 4.00 fps, >>>>&4 lelong 200000 5.00 fps, >>>>&4 lelong 166667 6.00 fps, >>>>&4 lelong 142857 7.00 fps, >>>>&4 lelong 125000 8.00 fps, >>>>&4 lelong 111111 9.00 fps, >>>>&4 lelong 100000 10.00 fps, # ]9.9,10.1[ >>>>&4 lelong <101010 >>>>>&-4 lelong >99010 >>>>>>&-4 lelong !100000 ~10 fps, >>>>&4 lelong 83333 12.00 fps, # ]11.9,12.1[ >>>>&4 lelong <84034 >>>>>&-4 lelong >82645 >>>>>>&-4 lelong !83333 ~12 fps, >>>>&4 lelong 66667 15.00 fps, # ]14.9,15.1[ >>>>&4 lelong <67114 >>>>>&-4 lelong >66225 >>>>>>&-4 lelong !66667 ~15 fps, >>>>&4 lelong 50000 20.00 fps, >>>>&4 lelong 41708 23.98 fps, >>>>&4 lelong 41667 24.00 fps, # ]23.9,24.1[ >>>>&4 lelong <41841 >>>>>&-4 lelong >41494 >>>>>>&-4 lelong !41708 >>>>>>>&-4 lelong !41667 ~24 fps, >>>>&4 lelong 40000 25.00 fps, # ]24.9,25.1[ >>>>&4 lelong <40161 >>>>>&-4 lelong >39841 >>>>>>&-4 lelong !40000 ~25 fps, >>>>&4 lelong 33367 29.97 fps, >>>>&4 lelong 33333 30.00 fps, # ]29.9,30.1[ >>>>&4 lelong <33445 >>>>>&-4 lelong >33223 >>>>>>&-4 lelong !33367 >>>>>>>&-4 lelong !33333 ~30 fps, >>>>&4 lelong <32224 >30 fps, ##>>>>&4 lelong x (%lu) ##>>>>&20 lelong x %lu frames, # Note: The tests below assume that the AVI has 1 or 2 streams, # "vids" optionally followed by "auds". # (Should cover 99.9% of all AVIs.) # assuming avih length = 56 >>>88 string LIST >>>>96 string strlstrh >>>>>108 string vids video: >>>>>>&0 lelong 0 uncompressed # skip past vids strh >>>>>>(104.l+108) string strf >>>>>>>(104.l+132) lelong 1 RLE 8bpp >>>>>>>(104.l+132) string/c cvid Cinepak >>>>>>>(104.l+132) string/c i263 Intel I.263 >>>>>>>(104.l+132) string/c iv32 Indeo 3.2 >>>>>>>(104.l+132) string/c iv41 Indeo 4.1 >>>>>>>(104.l+132) string/c iv50 Indeo 5.0 >>>>>>>(104.l+132) string/c mp42 Microsoft MPEG-4 v2 >>>>>>>(104.l+132) string/c mp43 Microsoft MPEG-4 v3 >>>>>>>(104.l+132) string/c fmp4 FFMpeg MPEG-4 >>>>>>>(104.l+132) string/c mjpg Motion JPEG >>>>>>>(104.l+132) string/c div3 DivX 3 >>>>>>>>112 string/c div3 Low-Motion >>>>>>>>112 string/c div4 Fast-Motion >>>>>>>(104.l+132) string/c divx DivX 4 >>>>>>>(104.l+132) string/c dx50 DivX 5 >>>>>>>(104.l+132) string/c xvid XviD >>>>>>>(104.l+132) string/c h264 H.264 >>>>>>>(104.l+132) string/c wmv3 Windows Media Video 9 >>>>>>>(104.l+132) string/c h264 X.264 or H.264 >>>>>>>(104.l+132) lelong 0 ##>>>>>>>(104.l+132) string x (%.4s) # skip past first (video) LIST >>>>(92.l+96) string LIST >>>>>(92.l+104) string strlstrh >>>>>>(92.l+116) string auds \b, audio: # auds strh length = 56: >>>>>>>(92.l+172) string strf >>>>>>>>(92.l+180) leshort 0x0001 uncompressed PCM >>>>>>>>(92.l+180) leshort 0x0002 ADPCM >>>>>>>>(92.l+180) leshort 0x0006 aLaw >>>>>>>>(92.l+180) leshort 0x0007 uLaw >>>>>>>>(92.l+180) leshort 0x0050 MPEG-1 Layer 1 or 2 >>>>>>>>(92.l+180) leshort 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+180) leshort 0x2000 Dolby AC3 >>>>>>>>(92.l+180) leshort 0x0161 DivX ##>>>>>>>>(92.l+180) leshort x (0x%.4x) >>>>>>>>(92.l+182) leshort 1 (mono, >>>>>>>>(92.l+182) leshort 2 (stereo, >>>>>>>>(92.l+182) leshort >2 (%d channels, >>>>>>>>(92.l+184) lelong x %d Hz) # auds strh length = 64: >>>>>>>(92.l+180) string strf >>>>>>>>(92.l+188) leshort 0x0001 uncompressed PCM >>>>>>>>(92.l+188) leshort 0x0002 ADPCM >>>>>>>>(92.l+188) leshort 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+188) leshort 0x2000 Dolby AC3 >>>>>>>>(92.l+188) leshort 0x0161 DivX ##>>>>>>>>(92.l+188) leshort x (0x%.4x) >>>>>>>>(92.l+190) leshort 1 (mono, >>>>>>>>(92.l+190) leshort 2 (stereo, >>>>>>>>(92.l+190) leshort >2 (%d channels, >>>>>>>>(92.l+192) lelong x %d Hz) # Animated Cursor format >8 string ACON \b, animated cursor # SoundFont 2 <mpruett@sgi.com> >8 string sfbk SoundFont/Bank # MPEG-1 wrapped in a RIFF, apparently >8 string CDXA \b, wrapped MPEG-1 (CDXA) >8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV >8 string AMV\040 \b, AMV >8 string WEBP \b, Web/P image !:mime image/webp >>12 use riff-walk
# # XXX - some of the below may only appear in little-endian form. # # Also "MV93" appears to be for one form of Macromedia Director # files, and "GDMF" appears to be another multimedia format. # 0 string RIFX RIFF (big-endian) data # RIFF Palette format >8 string PAL \b, palette >>16 beshort x \b, version %d >>18 beshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap >>16 string BM >>>30 beshort 12 \b, OS/2 1.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d >>>30 beshort 64 \b, OS/2 2.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d >>>30 beshort 40 \b, Windows 3.x format >>>>34 belong x \b, %d x >>>>38 belong x %d x >>>>44 beshort x %d # RIFF MIDI format >8 string RMID \b, MIDI # RIFF Multimedia Movie File format >8 string RMMP \b, multimedia movie # Microsoft WAVE format (*.wav) >8 string WAVE \b, WAVE audio >>20 leshort 1 \b, Microsoft PCM >>>34 leshort >0 \b, %d bit >>22 beshort =1 \b, mono >>22 beshort =2 \b, stereo >>22 beshort >2 \b, %d channels >>24 belong >0 %d Hz # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture >8 string CDR6 \b, Corel Draw Picture, version 6 # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI # Animated Cursor format >8 string ACON \b, animated cursor # Notation Interchange File Format (big-endian only) >8 string NIFF \b, Notation Interchange File Format # SoundFont 2 <mpruett@sgi.com> >8 string sfbk SoundFont/Bank
#------------------------------------------------------------------------------ # Sony Wave64 # see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf # 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian 0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data # 128 bit + total file size (64 bits) so 24 bytes # then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A } >24 string wave\xF3\xAC\xD3\x11\x8C\xD1\x00\xC0\x4F\x8E\xDB\x8A \b, WAVE 64 audio !:mime audio/x-w64 # FMT-GUID { 20746D66-ACF3-11D3-8CD1-00C04F8EDB8A } >>40 search/256 fmt\x20\xF3\xAC\xD3\x11\x8C\xD1\x00\xC0\x4F\x8E\xDB\x8A \b >>>&10 leshort =1 \b, mono >>>&10 leshort =2 \b, stereo >>>&10 leshort >2 \b, %d channels >>>&12 lelong >0 %d Hz
#------------------------------------------------------------------------------ # $File: rtf,v 1.7 2009/09/19 16:28:12 christos Exp $ # rtf: file(1) magic for Rich Text Format (RTF) # # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk # 0 string {\\rtf Rich Text Format data, !:mime text/rtf >5 string 1 version 1, >>6 string \\ansi ANSI >>6 string \\mac Apple Macintosh >>6 string \\pc IBM PC, code page 437 >>6 string \\pca IBM PS/2, code page 850 >>6 default x unknown character set >5 default x unknown version
#------------------------------------------------------------------------------ # $File: ruby,v 1.7 2017/08/14 13:39:18 christos Exp $ # ruby: file(1) magic for Ruby scripting language # URL: http://www.ruby-lang.org/ # From: Reuben Thomas <rrt@sc3d.org>
#------------------------------------------------------------------------------ # $File: sccs,v 1.7 2017/03/17 21:35:28 christos Exp $ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: # \001h01207 # \001s 00276/00000/00000 # \001d D 1.1 87/09/23 08:09:20 ian 1 0 # \001c date and time created 87/09/23 08:09:20 by ian # \001e # \001u # \001U # ... etc. # Now '\001h' happens to be the same as the 3B20's a.out magic number (0550). # *Sigh*. And these both came from various parts of the USG. # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, # and we don't have regular expression matching yet. # Hence the following official kludge: 8 string \001s\ SCCS archive data
1028 string MMX\000\000\000\000\000\000\000\000\000\000\000\000\000 MAR Area Detector Image, >1072 ulong >1 Compressed(%d), >1100 ulong >1 %d headers, >1104 ulong >0 %d x >1108 ulong >0 %d, >1120 ulong >0 %d bits/pixel
# Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta 0 search/1/c 0\ HEAD GEDCOM genealogy text >&0 search 1\ GEDC >>&0 search 2\ VERS version >>>&1 string >\0 %s # From: Phil Endecott <phil05@chezphil.org> 0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data 0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data 0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data 0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data
# PDB: Protein Data Bank files # Adam Buchbinder <adam.buchbinder@gmail.com> # # http://www.wwpdb.org/documentation/format32/sect2.html # http://www.ch.ic.ac.uk/chemime/ # # The PDB file format is fixed-field, 80 columns. From the spec: # # COLS DATA # 1 - 6 "HEADER" # 11 - 50 String(40) # 51 - 59 Date # 63 - 66 IDcode # # Thus, positions 7-10, 60-62 and 67-80 are spaces. The Date must be in the # format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. 0 string HEADER\ \ \ \040 >&0 regex/1l \^.{40} >>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} >>>&0 regex/1ls [A-Z0-9]{4}.{14}$ >>>>&0 regex/1l [A-Z0-9]{4} Protein Data Bank data, ID Code %s !:mime chemical/x-pdb >>>>0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s
# Type: GDSII Stream file 0 belong 0x00060002 GDSII Stream file >4 byte 0x00 >>5 byte x version %d.0 >4 byte >0x00 version %d >>5 byte x \b.%d
#------------------------------------------------------------------------------ # $File: securitycerts,v 1.4 2009/09/19 16:28:12 christos Exp $ 0 search/1 -----BEGIN\ CERTIFICATE------ RFC1421 Security Certificate text 0 search/1 -----BEGIN\ NEW\ CERTIFICATE RFC1421 Security Certificate Signing Request text 0 belong 0xedfeedfe Sun 'jks' Java Keystore File data
0 string \0volume_key volume_key escrow packet # Type: SE Linux policy modules *.pp reference policy # for Fedora 5 to 9, RHEL5, and Debian Etch and Lenny. # URL: http://doc.coker.com.au/computers/selinux-magic # From: Russell Coker <russell@coker.com.au>
0 lelong 0xf97cff8f SE Linux modular policy >4 lelong x version %d, >8 lelong x %d sections, >>(12.l) lelong 0xf97cff8d >>>(12.l+27) lelong x mod version %d, >>>(12.l+31) lelong 0 Not MLS, >>>(12.l+31) lelong 1 MLS, >>>(12.l+23) lelong 2 >>>>(12.l+47) string >\0 module name %s >>>(12.l+23) lelong 1 base
1 string policy_module( SE Linux policy module source 2 string policy_module( SE Linux policy module source
0 string ##\ <summary> SE Linux policy interface source
#0 search gen_context( SE Linux policy file contexts
#0 search gen_sens( SE Linux policy MLS constraints source
#------------------------------------------------------------------------------ # $File: sendmail,v 1.10 2017/08/13 00:21:47 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? # # Update: Joerg Jenderek # GRR: this test is too general as it catches also # READ.ME.FIRST.AWP Sendmail frozen configuration # - version ====|====|====|====|====|====|====|====|====|====|====|====|=== # Email_23_f217153422.ts Sendmail frozen configuration # - version \330jK\354 0 byte 046 # http://www.sendmail.com/sm/open_source/docs/older_release_notes/ # freezed configuration file (dbm format?) created from sendmal.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed # valid version numbers look like "7.14.4" and should be similar to output of commands # "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration # normally only /etc/sendmail.fc or /var/adm/sendmail/sendmail.fc !:ext fc >>16 string >\0 - version %s 0 short 0x271c # look for valid version number >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration !:ext fc >>16 string >\0 - version %s
#------------------------------------------------------------------------------ # sendmail: file(1) magic for sendmail m4(1) files # # From Hendrik Scholz <hendrik@scholz.net> # i.e. files in /usr/share/sendmail/cf/ # 0 string divert(-1)\n sendmail m4 text file
#------------------------------------------------------------------------------ # $File: sequent,v 1.13 2017/03/17 21:35:28 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins <atsun!dwiggins>. # For Sequent's multiprocessor systems (incomplete). 0 lelong 0x00ea BALANCE NS32000 .o >16 lelong >0 not stripped >124 lelong >0 version %d 0 lelong 0x10ea BALANCE NS32000 executable (0 @ 0) >16 lelong >0 not stripped >124 lelong >0 version %d 0 lelong 0x20ea BALANCE NS32000 executable (invalid @ 0) >16 lelong >0 not stripped >124 lelong >0 version %d 0 lelong 0x30ea BALANCE NS32000 standalone executable >16 lelong >0 not stripped >124 lelong >0 version %d # # Symmetry information added by Jason Merrill <jason@jarthur.claremont.edu>. # Symmetry magic nums will not be reached if DOS COM comes before them; # byte 0xeb is matched before these get a chance. 0 leshort 0x12eb SYMMETRY i386 .o >16 lelong >0 not stripped >124 lelong >0 version %d 0 leshort 0x22eb SYMMETRY i386 executable (0 @ 0) >16 lelong >0 not stripped >124 lelong >0 version %d 0 leshort 0x32eb SYMMETRY i386 executable (invalid @ 0) >16 lelong >0 not stripped >124 lelong >0 version %d # http://en.wikipedia.org/wiki/Sequent_Computer_Systems # below test line conflicts with MS-DOS 2.11 floppies and Acronis loader #0 leshort 0x42eb SYMMETRY i386 standalone executable 0 leshort 0x42eb # skip unlike negative version >124 lelong >-1 # assuming version 28867614 is very low probable >>124 lelong !28867614 SYMMETRY i386 standalone executable >>>16 lelong >0 not stripped >>>124 lelong >0 version %d
#------------------------------------------------------------------------------ # $File: sereal,v 1.3 2015/02/05 19:14:45 christos Exp $ # sereal: file(1) magic the Sereal binary serialization format # # From: Ævar Arnfjörð Bjarmason <avarab@gmail.com> # # See the specification of the format at # https://github.com/Sereal/Sereal/blob/master/sereal_spec.pod#document-header-format # # I'd have liked to do the byte&0xF0 matching against 0, 1, 2 ... by # doing (byte&0xF0)>>4 here, but unfortunately that's not # supported. So when we print out a message about an unknown format # we'll print out e.g. 0x30 instead of the more human-readable # 0x30>>4. # # See https://github.com/Sereal/Sereal/commit/35372ae01d in the # Sereal.git repository for test Sereal data. 0 name sereal >4 byte&0x0F x (version %d, >4 byte&0xF0 0x00 uncompressed) >4 byte&0xF0 0x10 compressed with non-incremental Snappy) >4 byte&0xF0 0x20 compressed with incremental Snappy) >4 byte&0xF0 >0x20 unknown subformat, flag: %d>>4)
0 string/b \=srl Sereal data packet !:mime application/sereal >&0 use sereal 0 string/b \=\xF3rl Sereal data packet !:mime application/sereal >&0 use sereal 0 string/b \=\xC3\xB3rl Sereal data packet, UTF-8 encoded !:mime application/sereal >&0 use sereal
#------------------------------------------------------------------------------ # $File: sgi,v 1.22 2015/08/29 07:10:35 christos Exp $ # sgi: file(1) magic for Silicon Graphics operating systems and applications # # Executable images are handled either in aout (for old-style a.out # files for 68K; they are indistinguishable from other big-endian 32-bit # a.out files) or in mips (for MIPS ECOFF and Ucode files) #
# kbd file definitions 0 string kbd!map kbd map file >8 byte >0 Ver %d: >10 short >0 with %d table(s)
0 beshort 0x8765 disk quotas file
0 beshort 0x0506 IRIS Showcase file >2 byte 0x49 - >3 byte x - version %d 0 beshort 0x0226 IRIS Showcase template >2 byte 0x63 - >3 byte x - version %d 0 belong 0x5343464d IRIS Showcase file >4 byte x - version %d 0 belong 0x5443464d IRIS Showcase template >4 byte x - version %d 0 belong 0xdeadbabe IRIX Parallel Arena >8 belong >0 - version %d
# SpeedShop data files 0 lelong 0x13130303 SpeedShop data file
# mdbm files 0 lelong 0x01023962 mdbm file, version 0 (obsolete) 0 string mdbm mdbm file, >5 byte x version %d, >6 byte x 2^%d pages, >7 byte x pagesize 2^%d, >17 byte x hash %d, >11 byte x dataformat %d
# Alias Maya files 0 string/t //Maya\040ASCII Alias Maya Ascii File, >13 string >\0 version %s 8 string MAYAFOR4 Alias Maya Binary File, >32 string >\0 version %s scene 8 string MayaFOR4 Alias Maya Binary File, >32 string >\0 version %s scene 8 string CIMG Alias Maya Image File 8 string DEEP Alias Maya Image File
#------------------------------------------------------------------------------ # sgml: file(1) magic for Standard Generalized Markup Language # HyperText Markup Language (HTML) is an SGML document type, # from Daniel Quinlan (quinlan@yggdrasil.com) # adapted to string extenstions by Anthon van der Neut <anthon@mnt.org) 0 search/4096/cWt \<!doctype\ html HTML document text !:mime text/html !:strength + 5
# # "libpcap"-with-Alexey-Kuznetsov's-patches capture files. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is # the main program that uses that format, but there are other programs # that use "libpcap", or that use the same capture file format.) # 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian) >0 use pcap-be 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian) >0 use \^pcap-be
# # "pcap-ng" capture files. # http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html # Pcap-ng files can contain multiple sections. Printing the endianness, # snaplen, or other information from the first SHB may be misleading. # 0 ubelong 0x0a0d0d0a >8 ubelong 0x1a2b3c4d pcap-ng capture file >>12 beshort x - version %d >>14 beshort x \b.%d 0 ulelong 0x0a0d0d0a >8 ulelong 0x1a2b3c4d pcap-ng capture file >>12 leshort x - version %d >>14 leshort x \b.%d
# # NetStumbler log files. Not really packets, per se, but about as # close as you can get. These are log files from NetStumbler, a # Windows program, that scans for 802.11b networks. # 0 string NetS NetStumbler log file >8 lelong x \b, %d stations found
#------------------------------------------------------------------------------ # $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ # softquad: file(1) magic for SoftQuad Publishing Software # # Author/Editor and RulesBuilder # # XXX - byte order? # 0 string \<!SQ\ DTD> Compiled SGML rules file >9 string >\0 Type %s 0 string \<!SQ\ A/E> A/E SGML Document binary >9 string >\0 Type %s 0 string \<!SQ\ STS> A/E SGML binary styles file >9 string >\0 Type %s 0 short 0xc0de Compiled PSI (v1) data 0 short 0xc0da Compiled PSI (v2) data >3 string >\0 (%s) # Binary sqtroff font/desc files... 0 short 0125252 SoftQuad DESC or font file binary >2 short >0 - version %d # Bitmaps... 0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text #0 string SQ\ BITMAP2 SoftQuad Raster Format data # sqtroff intermediate language (replacement for ditroff int. lang.) 0 string X\ SoftQuad troff Context intermediate >2 string 495 for AT&T 495 laser printer >2 string hp for Hewlett-Packard LaserJet >2 string impr for IMAGEN imPRESS >2 string ps for PostScript
# From: Michael Piefel <piefel@debian.org> # sqtroff intermediate language (replacement for ditroff int. lang.) 0 string X\ 495 SoftQuad troff Context intermediate for AT&T 495 laser printer 0 string X\ hp SoftQuad troff Context intermediate for HP LaserJet 0 string X\ impr SoftQuad troff Context intermediate for IMAGEN imPRESS 0 string X\ ps SoftQuad troff Context intermediate for PostScript
#------------------------------------------------------------------------------ # $File: spec,v 1.4 2009/09/19 16:28:12 christos Exp $ # spec: file(1) magic for SPEC raw results (*.raw, *.rsf) # # Cloyce D. Spradling <cloyce@headgear.org>
0 string spec SPEC >4 string .cpu CPU >>8 string <: \b%.4s >>12 string . raw result text
17 string version=SPECjbb SPECjbb >32 string <: \b%.4s >>37 string <: v%.4s raw result text
0 string BEGIN\040SPECWEB SPECweb >13 string <: \b%.2s >>15 string _SSL \b_SSL >>>20 string <: v%.4s raw result text >>16 string <: v%.4s raw result text
# # Spectrum +3DOS header # 0 string PLUS3DOS\032 Spectrum +3 data >15 byte 0 - BASIC program >15 byte 1 - number array >15 byte 2 - character array >15 byte 3 - memory block >>16 belong 0x001B0040 (screen) >15 byte 4 - Tasword document >15 string TAPEFILE - ZXT tapefile # # Tape file. This assumes the .TAP starts with a Spectrum-format header, # which nearly all will. # # Update: Sanity-check string contents to be printable. # -Adam Buchbinder <adam.buchbinder@gmail.com> # 0 string \023\000\000 >4 string >\0 >>4 string <\177 Spectrum .TAP data "%-10.10s" >>>3 byte 0 - BASIC program >>>3 byte 1 - number array >>>3 byte 2 - character array >>>3 byte 3 - memory block >>>>14 belong 0x001B0040 (screen)
# The following three blocks are from pak21-spectrum@srcf.ucam.org # TZX tape images 0 string ZXTape!\x1a Spectrum .TZX data >8 byte x version %d >9 byte x \b.%d
# RZX input recording files 0 string RZX! Spectrum .RZX data >4 byte x version %d >5 byte x \b.%d
#------------------------------------------------------------------------------ # $File: sql,v 1.21 2017/03/17 21:35:28 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" <mleisner@eng.mc.xerox.com> # Recognize some MySQL files. # Elan Ruusamae <glen@delfi.ee>, added MariaDB signatures # from https://bazaar.launchpad.net/~maria-captains/maria/5.5/view/head:/support-files/magic # 0 beshort 0xfe01 MySQL table definition file >2 byte x Version %d >3 byte 0 \b, type UNKNOWN >3 byte 1 \b, type DIAM_ISAM >3 byte 2 \b, type HASH >3 byte 3 \b, type MISAM >3 byte 4 \b, type PISAM >3 byte 5 \b, type RMS_ISAM >3 byte 6 \b, type HEAP >3 byte 7 \b, type ISAM >3 byte 8 \b, type MRG_ISAM >3 byte 9 \b, type MYISAM >3 byte 10 \b, type MRG_MYISAM >3 byte 11 \b, type BERKELEY_DB >3 byte 12 \b, type INNODB >3 byte 13 \b, type GEMINI >3 byte 14 \b, type NDBCLUSTER >3 byte 15 \b, type EXAMPLE_DB >3 byte 16 \b, type CSV_DB >3 byte 17 \b, type FEDERATED_DB >3 byte 18 \b, type BLACKHOLE_DB >3 byte 19 \b, type PARTITION_DB >3 byte 20 \b, type BINLOG >3 byte 21 \b, type SOLID >3 byte 22 \b, type PBXT >3 byte 23 \b, type TABLE_FUNCTION >3 byte 24 \b, type MEMCACHE >3 byte 25 \b, type FALCON >3 byte 26 \b, type MARIA >3 byte 27 \b, type PERFORMANCE_SCHEMA >3 byte 127 \b, type DEFAULT >0x0033 ulong x \b, MySQL version %d 0 belong&0xffffff00 0xfefe0500 MySQL ISAM index file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0600 MySQL ISAM compressed data file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0700 MySQL MyISAM index file >3 byte x Version %d >14 beshort x \b, %d key parts >16 beshort x \b, %d unique key parts >18 byte x \b, %d keys >28 bequad x \b, %lld records >36 bequad x \b, %lld deleted records 0 belong&0xffffff00 0xfefe0800 MySQL MyISAM compressed data file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0900 MySQL Maria index file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0a00 MySQL Maria compressed data file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0c00 >4 string MACF MySQL Maria control file >>3 byte x Version %d 0 string \376bin MySQL replication log, >9 long x server id %d >8 byte 1 >>13 long 69 \b, MySQL V3.2.3 >>>19 string x \b, server version %s >>13 long 75 \b, MySQL V4.0.2-V4.1 >>>25 string x \b, server version %s >8 byte 15 MySQL V5+, >>25 string x server version %s >4 string MARIALOG MySQL Maria transaction log file >>3 byte x Version %d
#------------------------------------------------------------------------------ # iRiver H Series database file # From Ken Guest <ken@linux.ie> # As observed from iRivNavi.iDB and unencoded firmware # 0 string iRivDB iRiver Database file >11 string >\0 Version %s >39 string iHP-100 [H Series]
#------------------------------------------------------------------------------ # SQLite database files # Ken Guest <ken@linux.ie>, Ty Sarna, Zack Weinberg # # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # # Version 2 used this format: 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database
# Version 3 of SQLite allows applications to embed their own "user version" # number in the database at offset 60. Later, SQLite added an "application id" # at offset 68 that is preferred over "user version" for indicating the # associated application. # 0 string SQLite\ format\ 3 SQLite 3.x database !:mime application/x-sqlite3 # seldom found extension sqlite3 like in SyncData.sqlite3 # db # Avira Antivir use extension "dbe" like in avevtdb.dbe, avguard_tchk.dbe # Unfortunately extension sqlite also used for other databases starting with string # "TTCONTAINER" like in tracks.sqlite contentconsumer.sqlite contentproducerrepository.sqlite # and with string "ZV-zlib" in like extra.sqlite !:ext sqlite/sqlite3/db/dbe >60 belong =0x5f4d544e (Monotone source repository) >68 belong =0x0f055112 (Fossil checkout) >68 belong =0x0f055113 (Fossil global configuration) >68 belong =0x0f055111 (Fossil repository) >68 belong =0x42654462 (Bentley Systems BeSQLite Database) >68 belong =0x42654c6e (Bentley Systems Localization File) >68 belong =0x47504b47 (OGC GeoPackage file) >68 default x >>68 belong !0 \b, application id %u >>60 belong !0 \b, user version %d >96 belong x \b, last written using SQLite version %d
# SQLite Write-Ahead Log from SQLite version >= 3.7.0 # http://www.sqlite.org/fileformat.html#walformat 0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, !:ext sqlite-wal/db-wal >4 belong x version %d
# From Luc Gommans # OpenSSL enc file (recognized by a magic string preceding the password's salt) 0 string Salted__ openssl enc'd data with salted password # Using the -a or -base64 option, OpenSSL will base64-encode the data. 0 string U2FsdGVkX1 openssl enc'd data with salted password, base64 encoded
#------------------------------------------------------------------------------ # $File: sun,v 1.27 2014/04/30 21:41:02 christos Exp $ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x # releases. (5.x uses ELF.) Entries for executables without an # architecture type, used before the 68020-based Sun-3's came out, # are in aout, as they're indistinguishable from other big-endian # 32-bit a.out files. # 0 belong&077777777 0600413 a.out SunOS SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped
#--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie <duncan@sun.com> (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion.
# Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged COBALT boot rom >38 string x V%.4s
# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string CRfs COBALT boot rom data (Flat boot rom or file system)
#------------------------------------------------------------------------------ # msx: file(1) magic for the SymbOS operating system # http://www.symbos.de # Fabio R. Schmidlin <frs@pop.com.br>
# SymbOS EXE file 0x30 string SymExe SymbOS executable >0x36 ubyte x v%c >0x37 ubyte x \b.%c >0xF string x \b, name: %s
# Symbos driver 0 string SMD1 SymbOS driver >19 byte x \b, name: %c >20 byte x \b%c >21 byte x \b%c >22 byte x \b%c >23 byte x \b%c >24 byte x \b%c >25 byte x \b%c >26 byte x \b%c >27 byte x \b%c >28 byte x \b%c >29 byte x \b%c >30 byte x \b%c >31 byte x \b%c
# Symbos video 0 string SymVid SymbOS video >6 ubyte x v%c >7 ubyte x \b.%c
# Soundtrakker 128 ST2 music 0 byte 0 >0xC string \x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x40\x00 Soundtrakker 128 ST2 music, >>1 string x name: %s
#------------------------------------------------------------------------ # $File: sysex,v 1.9 2017/03/17 21:35:28 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems # where real SYStem EXclusive messages at offset 1 are limited to seven bits # http://en.wikipedia.org/wiki/MIDI 0 ubeshort&0xFF80 0xF000 SysEx File -
>1 belong&0xffffff00 0x00202b00 Medeli Electronics >1 belong&0xffffff00 0x00202c00 Charlie Lab >1 belong&0xffffff00 0x00202d00 Blue Chip Music >1 belong&0xffffff00 0x00202e00 BEE OH Corp >1 belong&0xffffff00 0x00202f00 LG Semicon America >1 belong&0xffffff00 0x00203000 TESI >1 belong&0xffffff00 0x00203100 EMAGIC >1 belong&0xffffff00 0x00203200 Behringer >1 belong&0xffffff00 0x00203300 Access Music >1 belong&0xffffff00 0x00203400 Synoptic >1 belong&0xffffff00 0x00203500 Hanmesoft Corp >1 belong&0xffffff00 0x00203600 Terratec >1 belong&0xffffff00 0x00203700 Proel SpA >1 belong&0xffffff00 0x00203800 IBK MIDI >1 belong&0xffffff00 0x00203900 IRCAM >1 belong&0xffffff00 0x00203a00 Propellerhead Software >1 belong&0xffffff00 0x00203b00 Red Sound Systems >1 belong&0xffffff00 0x00203c00 Electron ESI AB >1 belong&0xffffff00 0x00203d00 Sintefex Audio >1 belong&0xffffff00 0x00203e00 Music and More >1 belong&0xffffff00 0x00203f00 Amsaro >1 belong&0xffffff00 0x00204000 CDS Advanced Technology >1 belong&0xffffff00 0x00204100 Touched by Sound >1 belong&0xffffff00 0x00204200 DSP Arts >1 belong&0xffffff00 0x00204300 Phil Rees Music >1 belong&0xffffff00 0x00204400 Stamer Musikanlagen GmbH >1 belong&0xffffff00 0x00204500 Soundart >1 belong&0xffffff00 0x00204600 C-Mexx Software >1 belong&0xffffff00 0x00204700 Klavis Tech. >1 belong&0xffffff00 0x00204800 Noteheads AB
0 string T707 Roland TR-707 Data #------------------------------------------------------------------------------ # file: file(1) magic for Tcl scripting language # URL: http://www.tcl.tk/ # From: gustaf neumann
# Tcl scripts 0 search/1/w #!\ /usr/bin/tcl Tcl script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/local/bin/tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!\ /usr/bin/env\ tcl Tcl script text executable !:mime text/x-tcl 0 string/wt #!\ /usr/bin/jimsh Jim TCL text executable !:mime text/x-tcl 0 search/1/wt #!\ /usr/bin/tclsh Tcl/Tk script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/bin/wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/local/bin/wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1 #!\ /usr/bin/env\ wish Tcl/Tk script text executable !:mime text/x-tcl
# check the first line 0 search/1 package\ req >0 regex \^package[\ \t]+req Tcl script # not 'p', check other lines 0 search/1 !p >0 regex \^package[\ \t]+req Tcl script
#------------------------------------------------------------------------------ # $File: terminfo,v 1.10 2018/01/21 03:26:33 christos Exp $ # terminfo: file(1) magic for terminfo # # URL: http://invisible-island.net/ncurses/man/term.5.html # URL: http://invisible-island.net/ncurses/man/scr_dump.5.html # # Workaround for Targa image type by Joerg Jenderek # GRR: line below too general as it catches also # Targa image type 1 with 26 long identification field # and HELP.DSK 0 string \032\001 # 5th character of terminal name list, but not Targa image pixel size (15 16 24 32) >16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s" !:mime application/x-terminfo # no extension #!:ext # #------------------------------------------------------------------------------ # The following was added for ncurses6 development: #------------------------------------------------------------------------------ # 0 string \036\002 # imitate the legacy compiled-format, to get the entry-name printed >16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0. 4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled 32-bit terminfo entry "%-s" !:mime application/x-terminfo2 # # While the compiled terminfo uses little-endian format irregardless of # platform, SystemV screen dumps do not. They came later, and that detail was # overlooked. # # AIX and HPUX use the SVr4 big-endian format # Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) 0 beshort 0433 SVr2 curses screen image, big-endian 0 beshort 0434 SVr3 curses screen image, big-endian 0 beshort 0435 SVr4 curses screen image, big-endian # 0 leshort 0433 SVr2 curses screen image, little-endian 0 leshort 0434 SVr3 curses screen image, little-endian 0 leshort 0435 SVr4 curses screen image, little-endian # # Rather than SVr4, Solaris "xcurses" writes this header: 0 regex \^MAX=[0-9]+,[0-9]+$ >1 regex \^BEG=[0-9]+,[0-9]+$ >2 regex \^SCROLL=[0-9]+,[0-9]+$ >3 regex \^VMIN=[0-9]+$ >4 regex \^VTIME=[0-9]+$ >5 regex \^FLAGS=0x[[:xdigit:]]+$ >6 regex \^FG=[0-9],[0-9]+$ >7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image # # ncurses5 (and before) did not use a magic number, making screen dumps "data". # ncurses6 (2015) uses this format, ignoring byte-order 0 string \210\210\210\210ncurses ncurses6 screen image # # PDCurses added this in 2005 0 string PDC\001 PDCurses screen image
# Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] 0 string \367\002 TeX DVI file !:mime application/x-dvi >16 string >\0 (%s) 0 string \367\203 TeX generic font data 0 string \367\131 TeX packed font data >3 string >\0 (%s) 0 string \367\312 TeX virtual font data 0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text
# There is no way to detect TeX Font Metric (*.tfm) files without # breaking them apart and reading the data. The following patterns # match most *.tfm files generated by METAFONT or afm2tfm. 2 string \000\021 TeX font metric data !:mime application/x-tex-tfm >33 string >\0 (%s) 2 string \000\022 TeX font metric data !:mime application/x-tex-tfm >33 string >\0 (%s)
# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 \\input\ texinfo Texinfo source text !:mime text/x-texinfo 0 search/1 This\ is\ Info\ file GNU Info text !:mime text/x-info
# TeX documents, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/4096 \\input TeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\begin LaTeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\section LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\setlength LaTeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\documentstyle LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\chapter LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\documentclass LaTeX 2e document text !:mime text/x-tex !:strength + 15 0 search/4096 \\relax LaTeX auxiliary file !:mime text/x-tex !:strength + 15 0 search/4096 \\contentsline LaTeX table of contents !:mime text/x-tex !:strength + 15 0 search/4096 %\ -*-latex-*- LaTeX document text !:mime text/x-tex
# Tex document, from Hendrik Scholz <hendrik@scholz.net> 0 search/1 \\ifx TeX document text
# Index and glossary files 0 search/4096 \\indexentry LaTeX raw index file 0 search/4096 \\begin{theindex} LaTeX sorted index 0 search/4096 \\glossaryentry LaTeX raw glossary 0 search/4096 \\begin{theglossary} LaTeX sorted glossary 0 search/4096 This\ is\ makeindex Makeindex log file
# End of TeX
#------------------------------------------------------------------------------ # file(1) magic for BibTex text files # From Hendrik Scholz <hendrik@scholz.net>
0 search/1/c @article{ BibTeX text file 0 search/1/c @book{ BibTeX text file 0 search/1/c @inbook{ BibTeX text file 0 search/1/c @incollection{ BibTeX text file 0 search/1/c @inproceedings{ BibTeX text file 0 search/1/c @manual{ BibTeX text file 0 search/1/c @misc{ BibTeX text file 0 search/1/c @preamble{ BibTeX text file 0 search/1/c @phdthesis{ BibTeX text file 0 search/1/c @techreport{ BibTeX text file 0 search/1/c @unpublished{ BibTeX text file
73 search/1 %%%\ \ BibTeX-file{ BibTex text file (with full header)
73 search/1 %%%\ \ @BibTeX-style-file{ BibTeX style text file (with full header)
0 search/1 %\ BibTeX\ standard\ bibliography\ BibTeX standard bibliography style text file
# VTi & TiEmu skins (TI Graphing Calculators). # From: Romain Lievin (roms@lpg.ticalc.org). # Magic Numbers for the VTi skins 0 string VTI Virtual TI skin >3 string v - Version >>4 byte >0 \b %c >>6 byte x \b.%c # Magic Numbers for the TiEmu skins 0 string TiEmu TiEmu skin >6 string v - Version >>7 byte >0 \b %c >>9 byte x \b.%c >>10 byte x \b%c
#------------------------------------------------------------------------------ # $File: timezone,v 1.11 2009/09/19 16:28:12 christos Exp $ # timezone: file(1) magic for timezone data # # from Daniel Quinlan (quinlan@yggdrasil.com) # this should work on Linux, SunOS, and maybe others # Added new official magic number for recent versions of the Olson code 0 string TZif timezone data >4 byte 0 \b, old version >4 byte >0 \b, version %c >20 belong 0 \b, no gmt time flags >20 belong 1 \b, 1 gmt time flag >20 belong >1 \b, %d gmt time flags >24 belong 0 \b, no std time flags >20 belong 1 \b, 1 std time flag >24 belong >1 \b, %d std time flags >28 belong 0 \b, no leap seconds >28 belong 1 \b, 1 leap second >28 belong >1 \b, %d leap seconds >32 belong 0 \b, no transition times >32 belong 1 \b, 1 transition time >32 belong >1 \b, %d transition times >36 belong 0 \b, no abbreviation chars >36 belong 1 \b, 1 abbreviation char >36 belong >1 \b, %d abbreviation chars 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 old timezone data
# URL: https://wiki.openwrt.org/doc/techref/header # Reference: http://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c # From: Joerg Jenderek # check for valid header version 1 or 2 0 ulelong <3 >0 ulelong !0 # test for header padding with nulls >>0x100 long 0 >>>0 use firmware-tplink
0 name firmware-tplink >0 ubyte x firmware !:mime application/x-tplink-bin !:ext bin # hardware id like 10430001 07410001 09410004 09410006 >0x40 ubeshort x %x >0x42 ubeshort x v%x # hardware revision like 1 >0x44 ubelong !1 (revision %u) # vendor_name[24] like OpenWrt or TP-LINK Technologies >4 string x %.24s # fw_version[36] like r49389 or ver. 1.0 >0x1c string x %.36s # header version 1 or 2 >0 ubyte !1 V%X # ver_hi.ver_mid.ver_lo >0x98 long !0 \b, version >>0x98 ubeshort x %u >>0x9A ubeshort x \b.%u >>0x9C ubeshort x \b.%u # region code 0~universal 1~US >0x48 ubelong x #>>0x48 ubelong 0 (universal) >>0x48 ubelong 1 (US) >>0x48 ubelong >1 (region %u) # total length of the firmware. not always true >0x7C ubelong x \b, %u bytes or less # unknown 1 >0x48 ubelong !0 \b, UNKNOWN1 0x%x # md5sum1[16] #>0x4c ubequad x \b, MD5 %llx #>>0x54 ubequad x \b%llx # unknown 2 >0x5c ubelong !0 \b, UNKNOWN2 0x%x # md5sum2[16] #>0x60 ubequad !0 \b, 2nd MD5 %llx #>>0x68 ubequad x \b%llx # unknown 3 >0x70 ubelong !0 \b, UNKNOWN3 0x%x # kernel load address #>0x74 ubelong x \b, 0x%x load # kernel entry point #>0x78 ubelong x \b, 0x%x entry # kernel data offset. 200h means direct after header >0x80 ubelong x \b, at 0x%x # kernel data length and 1 space >0x84 ubelong x %u bytes # look for kernel type (gzip compressed vmlinux.bin by ./compress) >(0x80.L) indirect x # root file system data offset >0x88 ubelong x \b, at 0x%x # rootfs data length and 1 space >0x8C ubelong x %u bytes # in 5.32 only true for offset ~< FILE_BYTES_MAX=9 MB defined in ../../src/file.h >(0x88.L) indirect x #>(0x88.L) string x \b, file system '%.4s' #>(0x88.L) ubequad x \b, file system 0x%llx # bootloader data offset >0x90 ubelong !0 \b, at 0x%x # bootloader data length only resonable if bootloader offset not null >>0x94 ubelong !0 %u bytes # pad[354] should be 354 null bytes. #>0x9E ubequad !0 \b, padding 0x%llx # But at 0x120 18 non null bytes in examples like # wr940nv4_eu_3_16_9_up_boot(160620).bin # wr940nv6_us_3_18_1_up_boot(171030).bin #>0x120 ubequad !0 \b, other padding 0x%llx
#------------------------------------------------------------------------------ # $File: troff,v 1.11 2014/06/03 19:01:34 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com)
# troff input 0 search/1 .\\" troff or preprocessor input text !:mime text/troff 0 search/1 '\\" troff or preprocessor input text !:mime text/troff 0 search/1 '.\\" troff or preprocessor input text !:mime text/troff 0 search/1 \\" troff or preprocessor input text !:mime text/troff 0 search/1 ''' troff or preprocessor input text !:mime text/troff 0 regex/20l \^\\.[A-Za-z0-9][A-Za-z0-9][\ \t] troff or preprocessor input text !:mime text/troff 0 regex/20l \^\\.[A-Za-z0-9][A-Za-z0-9]$ troff or preprocessor input text !:mime text/troff
# ditroff intermediate output text 0 search/1 x\ T ditroff output text >4 search/1 cat for the C/A/T phototypesetter >4 search/1 ps for PostScript >4 search/1 dvi for DVI >4 search/1 ascii for ASCII >4 search/1 lj4 for LaserJet 4 >4 search/1 latin1 for ISO 8859-1 (Latin 1) >4 search/1 X75 for xditview at 75dpi >>7 search/1 -12 (12pt) >4 search/1 X100 for xditview at 100dpi >>8 search/1 -12 (12pt)
# output data formats 0 string \100\357 very old (C/A/T) troff output data
#------------------------------------------------------------------------------ # $File: tuxedo,v 1.4 2009/09/19 16:28:13 christos Exp $ # tuxedo: file(1) magic for BEA TUXEDO data files # # from Ian Springer <ispringer@hotmail.com> # 0 string \0\0\1\236\0\0\0\0\0\0\0\0\0\0\0\0 BEA TUXEDO DES mask data
#------------------------------------------------------------------------------ # $File: unicode,v 1.6 2010/09/20 18:55:20 rrt Exp $ # Unicode: BOM prefixed text files - Adrian Havill <havill@turbolinux.co.jp> # GRR: These types should be recognised in file_ascmagic so these # encodings can be treated by text patterns. # Missing types are already dealt with internally. # 0 string +/v8 Unicode text, UTF-7 0 string +/v9 Unicode text, UTF-7 0 string +/v+ Unicode text, UTF-7 0 string +/v/ Unicode text, UTF-7 0 string \335\163\146\163 Unicode text, UTF-8-EBCDIC 0 string \000\000\376\377 Unicode text, UTF-32, big-endian 0 string \377\376\000\000 Unicode text, UTF-32, little-endian 0 string \016\376\377 Unicode text, SCSU (Standard Compression Scheme for Unicode)
#------------------------------------------------------------------------------ # $File: unknown,v 1.8 2013/01/09 22:37:24 christos Exp $ # unknown: file(1) magic for unknown machines # # 0x107 is 0407, 0x108 is 0410, and 0x109 is 0411; those are all PDP-11 # (executable, pure, and split I&D, respectively), but the PDP-11 version # doesn't have the "version %ld", which may be a bogus COFFism (I don't # think there was ever COFF for the PDP-11). # # 0x10B is 0413; that's VAX demand-paged, but this is a short, not a # long, as it would be on a VAX. In any case, that could collide with # VAX demand-paged files, as the magic number is little-endian on those # binaries, so the first 16 bits of the file would contain 0x10B. # # Therefore, those entries are commented out. # # 0x10C is 0414 and 0x10E is 0416; those *are* unknown. # #0 short 0x107 unknown machine executable #>8 short >0 not stripped #>15 byte >0 - version %ld #0 short 0x108 unknown pure executable #>8 short >0 not stripped #>15 byte >0 - version %ld #0 short 0x109 PDP-11 separate I&D #>8 short >0 not stripped #>15 byte >0 - version %ld #0 short 0x10b unknown pure executable #>8 short >0 not stripped #>15 byte >0 - version %ld 0 long 0x10c unknown demand paged pure executable >16 long >0 not stripped 0 long 0x10e unknown readable demand paged pure executable
#------------------------------------------------------------------------------ # $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # 0 string UTE+ uterus file >4 string v \b, version >5 byte x %c >6 string . \b. >7 byte x \b%c >8 string \<\> \b, big-endian >>16 belong >0 \b, slut size %u >8 string \>\< \b, litte-endian >>16 lelong >0 \b, slut size %u >10 byte &8 \b, compressed
# GRR: the first line of xxencoded files is identical to that in uuencoded # files, but the first character in most subsequent lines is 'h' instead of # 'M'. (xxencoding uses lowercase letters in place of most of uuencode's # punctuation and survives BITNET gateways better.) If regular expressions # were supported, this entry could possibly be split into two with # "begin\040\.\*\012M" or "begin\040\.\*\012h" (where \. and \* are REs). 0 search/1 begin\ uuencoded or xxencoded text
# btoa(1) is an alternative to uuencode that requires less space. 0 search/1 xbtoa\ Begin btoa'd text
# ship(1) is another, much cooler alternative to uuencode. # Greg Roelofs, newt@uchicago.edu 0 search/1 $\012ship ship'd binary text
# bencode(8) is used to encode compressed news batches (Bnews/Cnews only?) # Greg Roelofs, newt@uchicago.edu 0 search/1 Decode\ the\ following\ with\ bdeco bencoded News text
# BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 search/1 must\ be\ converted\ with\ BinHex BinHex binary text >41 search/1 x \b, version %.3s
# GRR: handle BASE64
#------------------------------------------------------------------------------ # $File: vacuum-cleaner,v 1.1 2015/11/14 13:38:35 christos Exp $ # vacuum cleaner magic by Thomas M. Ott (ThMO) # # navigation map for LG robot vacuum cleaner models VR62xx, VR64xx, VR63xx # file: MAPDATAyyyymmddhhmmss_xxxxxx_cc.blk # -> yyyymmdd: year, month, day of cleaning # -> hhmmss: hour, minute, second of cleaning # -> xxxxxx: 6 digits # -> cc: cleaning runs counter # size: 136044 bytes # # struct maphdr { # int32_t map_cnt; /* 0: single map */ # int32_t min_ceil; /* 4: 100 mm == 10 cm == min. ceil */ # int32_t max_ceil; /* 8: 10000 mm == 100 m == max. ceil */ # int32_t max_climb; /* 12: 50 mm = 5 cm == max. height to climb */ # int32_t unknown; /* 16: 50000 ??? */ # int32_t cell_bytes; /* 20: # of bytes for cells per block */ # int32_t block_max; /* 24: 1000 == max. # of blocks */ # int32_t route_max; /* 28: 1000 == max. # of routes */ # int32_t used_blocks; /* 32: 5/45/33/... == # of block entries used! */ # int32_t cell_dim; /* 36: 10 == cell dimension */ # int32_t clock_tick; /* 40: 100 == clock ticks */ # #if 0 # struct { /* 44: 1000 blocks for 10x10 cells */ # int32_t yoffset; # int32_t xoffset; # int32_t posxy; # int32_t timecode; # } blocks[ 1000]; # char cells[ 1000* 100]; /* 16044: 1000 10x10 cells */ # int16_t routes[ 1000* 10]; /* 116044: 1000 10-routes */ # #endif # };
# From: Jason Spence <jspence@lightconsulting.com> # Generated by the "examples" in STM's ST40 devkit, and derived code. 0 lelong 0x13a9f17e ST40 component image format >4 string >\0 \b, name '%s'
#------------------------------------------------------------------------------ # $File: varied.script,v 1.11 2015/03/27 17:59:39 christos Exp $ # varied.script: file(1) magic for various interpreter scripts
0 string/t #!\ / a >3 string >\0 %s script text executable
# From: arno <arenevier@fdn.fr> # mozilla xpconnect typelib # see http://www.mozilla.org/scriptable/typelib_file.html 0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib >0x10 byte x version %d >>0x11 byte x \b.%d
# # VAX a.out (BSD; others collide with 386 and other 32-bit little-endian # executables, and are handled in aout) # 0 lelong 0420 a.out VAX demand paged (first page unmapped) pure executable >16 lelong >0 not stripped
# # VAX COFF # # The `versions' were commented out, but have been un-commented out. # (Was the problem just one of endianness?) # 0 leshort 0570 VAX COFF executable >12 lelong >0 not stripped >22 leshort >0 - version %d 0 leshort 0575 VAX COFF pure executable >12 lelong >0 not stripped >22 leshort >0 - version %d
#------------------------------------------------------------------------------ # $File: virtual,v 1.6 2014/05/07 21:25:41 christos Exp $ # From: James Nobis <quel@quelrod.net> # Microsoft hard disk images for: # Virtual Server # Virtual PC # http://technet.microsoft.com/en-us/virtualserver/bb676673.aspx # .vhd 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC
# libvirt # From: Philipp Hahn <hahn@univention.de> 0 string LibvirtQemudSave Libvirt QEMU Suspend Image >0x10 lelong x \b, version %u >0x14 lelong x \b, XML length %u >0x18 lelong 1 \b, running >0x1c lelong 1 \b, compressed
0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image # From: Alex Beregszaszi <alex@fsn.hu> 0 string/b COWD VMWare3 >4 byte 3 disk image >>32 lelong x (%d/ >>36 lelong x \b%d/ >>40 lelong x \b%d) >4 byte 2 undoable disk image >>32 string >\0 (%s)
0 string/b VMDK VMware4 disk image 0 string/b KDMV VMware4 disk image
#-------------------------------------------------------------------- # Qemu Emulator Images # Lines written by Friedrich Schwittay (f.schwittay@yousable.de) # Updated by Adam Buchbinder (adam.buchbinder@gmail.com) # Made by reading sources, reading documentation, and doing trial and error # on existing QCOW files 0 string/b QFI\xFB QEMU QCOW Image
# Uncomment the following line to display Magic (only used for debugging # this magic number) #>0 string/b x , Magic: %s
# There are currently 2 Versions: "1" and "2". # http://www.gnome.org/~markmc/qcow-image-format-version-1.html >4 belong 1 (v1)
# Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>12 belong >0 \b, has backing file ( # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. >>>(12.L) string >\0 \bpath %s
# Modification time of the Backing File # Really useful if you want to know if your backing # file is still usable together with this image >>>>20 bedate >0 \b, mtime %s) >>>>20 default x \b)
# Size is stored in bytes in a big-endian u64. >>24 bequad x \b, %lld bytes
# 1 for AES encryption, 0 for none. >>36 belong 1 \b, AES-encrypted
# http://www.gnome.org/~markmc/qcow-image-format.html >4 belong 2 (v2) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>8 bequad >0 \b, has backing file # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. Also, since there's no # .Q modifier, we just use the bottom four bytes as an offset. Note that if # the file is over 4G, and the backing file path is stored after the first 4G, # the wrong filename will be printed. (This should be (8.Q), when that syntax # is introduced.) >>>(12.L) string >\0 (path %s) >>24 bequad x \b, %lld bytes >>32 belong 1 \b, AES-encrypted
>4 belong 3 (v3) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>8 bequad >0 \b, has backing file # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. Also, since there's no # .Q modifier, we just use the bottom four bytes as an offset. Note that if # the file is over 4G, and the backing file path is stored after the first 4G, # the wrong filename will be printed. (This should be (8.Q), when that syntax # is introduced.) >>>(12.L) string >\0 (path %s) >>24 bequad x \b, %lld bytes >>32 belong 1 \b, AES-encrypted
>4 default x (unknown version)
0 string/b QEVM QEMU suspend to disk image
# QEMU QED Image # http://wiki.qemu.org/Features/QED/Specification 0 string/b QED\0 QEMU QED Image
# VDI Image # Sun xVM VirtualBox Disk Image # From: Richard W.M. Jones <rich@annexia.org> # VirtualBox Disk Image 0x40 ulelong 0xbeda107f VirtualBox Disk Image >0x44 uleshort >0 \b, major %u >0x46 uleshort >0 \b, minor %u >0 string >\0 (%s) >368 lequad x \b, %lld bytes
0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, >32 string x type %s, >48 string x subtype %s
0 lelong 0x02468ace Bochs Sparse disk image
#------------------------------------------------------------------------------ # $File: virtutech,v 1.4 2009/09/19 16:28:13 christos Exp $ # Virtutech Compressed Random Access File Format # # From <gustav@virtutech.com> 0 string \211\277\036\203 Virtutech CRAFF >4 belong x v%d >20 belong 0 uncompressed >20 belong 1 bzipp2ed >20 belong 2 gzipped >24 belong 0 not clean
#------------------------------------------------------------------------------ # $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu)
# GRR 950122: I'm just guessing on these, based on inspection of the headers # of three executables each for Alpha and VAX architectures. The VAX files # all had headers similar to this: # # 00000 b0 00 30 00 44 00 60 00 00 00 00 00 30 32 30 35 ..0.D.`.....0205 # 00010 01 01 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ # 0 string \xb0\0\x30\0 VMS VAX executable >44032 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # # The AXP files all looked like this, except that the byte at offset 0x22 # was 06 in some of them and 07 in others: # # 00000 03 00 00 00 00 00 00 00 ec 02 00 00 10 01 00 00 ................ # 00010 68 00 00 00 98 00 00 00 b8 00 00 00 00 00 00 00 h............... # 00020 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ # 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # # GRR this test is still too general as it catches example adressen.dbt 0 belong 0x03000000 >8 ubelong 0xec020000 VMS Alpha executable >>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption
#------------------------------------------------------------------------------ # $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) 0 belong 0x4d52564e VMware nvram
#------------------------------------------------------------------------------ # $File: vorbis,v 1.24 2018/03/14 04:38:44 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner <leitner@fefe.de> # Extended by Beni Cherniavsky <cben@crosswinds.net> # Further extended by Greg Wooledge <greg@wooledge.org> # # Most (everything but the number of channels and bitrate) is commented # out with `##' as it's not interesting to the average user. The most # probable things advanced users would want to uncomment are probably # the number of comments and the encoder version. # # FIXME: The first match has been made a search, so that it can skip # over prepended ID3 tags. This will work for MIME type detection, but # won't work for detecting other properties of the file (they all need # to be made relative to the search). In any case, if the file has ID3 # tags, the ID3 information will be printed, not the Ogg information, # so until that's fixed, this doesn't matter. # FIXME[2]: Disable the above for now, since search assumes text mode. # # --- Ogg Framing --- #0 search/1000 OggS Ogg data 0 string OggS Ogg data >4 byte !0 UNKNOWN REVISION %u ##>4 byte 0 revision 0 >4 byte 0 ##>>14 lelong x (Serial %lX) # non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) >>28 string \x7fFLAC \b, FLAC audio # non-Vorbis content: Theora !:mime audio/ogg >>28 string \x80theora \b, Theora video !:mime video/ogg # non-Vorbis content: Kate >>28 string \x80kate\0\0\0\0 \b, Kate (Karaoke and Text) !:mime application/ogg >>>37 ubyte x v%u >>>38 ubyte x \b.%u, >>>40 byte 0 utf8 encoding, >>>40 byte !0 unknown character encoding, >>>60 string >\0 language %s, >>>60 string \0 no language set, >>>76 string >\0 category %s >>>76 string \0 no category set # non-Vorbis content: Skeleton >>28 string fishead\0 \b, Skeleton !:mime video/ogg >>>36 leshort x v%u >>>40 leshort x \b.%u # non-Vorbis content: Speex >>28 string Speex\ \ \ \b, Speex audio !:mime audio/ogg # non-Vorbis content: OGM >>28 string \x01video\0\0\0 \b, OGM video !:mime video/ogg >>>37 string/c div3 (DivX 3) >>>37 string/c divx (DivX 4) >>>37 string/c dx50 (DivX 5) >>>37 string/c xvid (XviD) # --- First vorbis packet - general header --- >>28 string \x01vorbis \b, Vorbis audio, !:mime audio/ogg >>>35 lelong !0 UNKNOWN VERSION %u, ##>>>35 lelong 0 version 0, >>>35 lelong 0 >>>>39 ubyte 1 mono, >>>>39 ubyte 2 stereo, >>>>39 ubyte >2 %u channels, >>>>40 lelong x %u Hz # Minimal, nominal and maximal bitrates specified when encoding >>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, # The above tests if at least one of these is specified: >>>>>52 lelong !-1 # Vorbis RC2 has a bug which puts -1000 in the min/max bitrate fields # instead of -1. # Vorbis 1.0 uses 0 instead of -1. >>>>>>52 lelong !0 >>>>>>>52 lelong !-1000 >>>>>>>>52 lelong x <%u >>>>>48 lelong !-1 >>>>>>48 lelong x ~%u >>>>>44 lelong !-1 >>>>>>44 lelong !-1000 >>>>>>>44 lelong !0 >>>>>>>>44 lelong x >%u >>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps # -- Second vorbis header packet - the comments # A kludge to read the vendor string. It's a counted string, not a # zero-terminated one, so file(1) can't read it in a generic way. # libVorbis is the only one existing currently, so I detect specifically # it. The interesting value is the cvs date (8 digits decimal). # Post-RC1 Ogg files have the second header packet (and thus the version) # in a different place, so we must use an indirect offset. >>>(84.b+85) string \x03vorbis >>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I >>>>>(84.b+120) string >00000000 # Map to beta version numbers: >>>>>>(84.b+120) string <20000508 (<beta1, prepublic) >>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) >>>>>>(84.b+120) string >20000508 >>>>>>>(84.b+120) string <20001031 (beta2-3) >>>>>>(84.b+120) string 20001031 (1.0 beta 3) >>>>>>(84.b+120) string >20001031 >>>>>>>(84.b+120) string <20010225 (beta3-4) >>>>>>(84.b+120) string 20010225 (1.0 beta 4) >>>>>>(84.b+120) string >20010225 >>>>>>>(84.b+120) string <20010615 (beta4-RC1) >>>>>>(84.b+120) string 20010615 (1.0 RC1) >>>>>>(84.b+120) string 20010813 (1.0 RC2) >>>>>>(84.b+120) string 20010816 (RC2 - Garf tuned v1) >>>>>>(84.b+120) string 20011014 (RC2 - Garf tuned v2) >>>>>>(84.b+120) string 20011217 (1.0 RC3) >>>>>>(84.b+120) string 20011231 (1.0 RC3) # Some pre-1.0 CVS snapshots still had "Xiphphorus"... >>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org >>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I >>>>>(84.b+117) string >00000000 >>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string 20020717 (1.0) >>>>>>(84.b+117) string 20030909 (1.0.1) >>>>>>(84.b+117) string 20040629 (1.1.0 RC1) >>>>>>(84.b+117) string 20050304 (1.1.2) >>>>>>(84.b+117) string 20070622 (1.2.0) >>>>>>(84.b+117) string 20090624 (1.2.2) >>>>>>(84.b+117) string 20090709 (1.2.3) >>>>>>(84.b+117) string 20100325 (1.3.1) >>>>>>(84.b+117) string 20101101 (1.3.2) >>>>>>(84.b+117) string 20120203 (1.3.3) >>>>>>(84.b+117) string 20140122 (1.3.4) >>>>>>(84.b+117) string 20150105 (1.3.5)
#------------------------------------------------------------------------------ # $File: vxl,v 1.4 2009/09/19 16:28:13 christos Exp $ # VXL: file(1) magic for VXL binary IO data files # # from Ian Scott <scottim@sf.net> # # VXL is a collection of C++ libraries for Computer Vision. # See the vsl chapter in the VXL Book for more info # http://www.isbe.man.ac.uk/public_vxl_doc/books/vxl/book.html # http:/vxl.sf.net
2 lelong 0x472b2c4e VXL data file, >0 leshort >0 schema version no %d
0 string WARC/ WARC Archive >5 string x version %.4s !:mime application/warc
#------------------------------------------------------------------------------ # Arc File Format from Internet Archive # see http://www.archive.org/web/researcher/ArcFileFormat.php 0 string filedesc:// Internet Archive File !:mime application/x-ia-arc >11 search/256 \x0A \b >>&0 ubyte >0 \b version %c
#------------------------------------------------------------------------------ # weak: file(1) magic for very weak magic entries, disabled by default # # These entries are so weak that they might interfere identification of # other formats. Example include: # - Only identify for 1 or 2 bytes # - Match against very wide range of values # - Match against generic word in some spoken languages (e.g. English)
#0 string =!! Bennet Yee's "face" format #------------------------------------------------------------------------------ # $File: webassembly,v 1.2 2017/05/02 14:05:29 christos Exp $ # webassembly: file(1) magic for WebAssembly modules # # WebAssembly is a virtual architecture developed by a W3C Community # Group at http://webassembly.org/. The file extension is .wasm, and # the MIME type is application/wasm. # # http://webassembly.org/docs/binary-encoding/ is the main # document describing the binary format. # From: Pip Cet <pipcet@gmail.com> and Joel Martin
0 string \0asm WebAssembly (wasm) binary module >4 lelong =1 version %#x (MVP) >4 lelong >1 version %#x
#------------------------------------------------------------------------------ # $File: windows,v 1.22 2018/02/16 15:44:00 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs # using them are run almost always on MS Windows 3.x or # above, or files only used exclusively in Windows OS, # where there is no better category to allocate for. # For example, even though WinZIP almost run on Windows # only, it is better to treat them as "archive" instead. # For format usable in DOS, such as generic executable # format, please specify under "msdos" file. #
# Summary: Outlook Express DBX file # Extension: .dbx # Created by: Christophe Monniez 0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file >4 byte =0xC5 \b, message database >4 byte =0xC6 \b, folder database >4 byte =0xC7 \b, account information >4 byte =0x30 \b, offline database
# Summary: Windows crash dump # Extension: .dmp # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) 0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump >>0x068 lelong x \b, %d pages >4 string DU64 MS Windows 64bit crash dump >>0xf98 lelong 1 \b, full dump >>0xf98 lelong 2 \b, kernel dump >>0xf98 lelong 3 \b, small dump >>0x090 lequad x \b, %lld pages
# Summary: Vista Event Log # Extension: .evtx # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html 0 string ElfFile\0 MS Windows Vista Event Log >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d >0x18 lelong =1 \b, empty >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL
# Summary: Windows 3.1 group files # Extension: .grp # Created by: unknown 0 string \120\115\103\103 MS Windows 3.1 group files
# Summary: Old format help files # URL: https://en.wikipedia.org/wiki/WinHelp # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm # Update: Joerg Jenderek # Created by: Dirk Jagdmann <doj@cubic.org> # # check and then display version and date inside MS Windows HeLP file fragment 0 name help-ver-date # look for Magic of SYSTEMHEADER >0 leshort 0x036C # version Major 1 for right file fragment >>4 leshort 1 Windows # print non empty string above to avoid error message # Warning: Current entry does not yet have a description for adding a MIME type !:mime application/winhelp !:ext hlp # version Minor of help file format is hint for windows version >>>2 leshort 0x0F 3.x >>>2 leshort 0x15 3.0 >>>2 leshort 0x21 3.1 >>>2 leshort 0x27 x.y >>>2 leshort 0x33 95 >>>2 default x y.z >>>>2 leshort x 0x%x # to complete message string like "MS Windows 3.x help file" >>>2 leshort x help # GenDate often older than file creation date >>>6 ldate x \b, %s # # Magic for HeLP files 0 lelong 0x00035f3f # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" # file header magic 0x293B at DirectoryStart+9 >(4.l+9) uleshort 0x293B MS # look for @VERSION bmf.. like IBMAVW.ANN >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation !:mime application/x-winhelp !:ext ann >>0xD4 string !\x62\x6D\x66\x01\x00 # "GID Help index" by TrID >>>(4.l+0x65) string =|Pete Windows help Global Index !:mime application/x-winhelp !:ext gid # HeLP Bookmark or # "Windows HELP File" by TrID >>>(4.l+0x65) string !|Pete # maybe there exist a cleaner way to detect HeLP fragments # brute search for Magic 0x036C with matching Major maximal 7 iterations # discapp.hlp >>>>16 search/0x49AF/s \x6c\x03 >>>>>&0 use help-ver-date >>>>>&4 leshort !1 # putty.hlp >>>>>>&0 search/0x69AF/s \x6c\x03 >>>>>>>&0 use help-ver-date >>>>>>>&4 leshort !1 >>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>&0 use help-ver-date >>>>>>>>>&4 leshort !1 >>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>&4 leshort !1 >>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>>>&4 leshort !1 >>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>>>>>&4 leshort !1 >>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 # GCC.HLP is detected after 7 iterations >>>>>>>>>>>>>>>>>&0 use help-ver-date # this only happens if bigger hlp file is detected after used search iterations >>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help !:mime application/winhelp !:ext hlp # repeat search again or following default line does not work >>>>16 search/0x49AF/s \x6c\x03 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) >>>>16 default x Windows help Bookmark !:mime application/x-winhelp !:ext bmk ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN ##>>8 lelong x \b, FirstFreeBlock 0x%8.8x # EntireFileSize >>12 lelong x \b, %d bytes ## ReservedSpace normally 042Fh AFh for *.ANN #>>(4.l) lelong x \b, ReservedSpace 0x%8.8x ## UsedSpace normally 0426h A6h for *.ANN #>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x ## FileFlags normally 04... #>>(4.l+5) lelong x \b, FileFlags 0x%8.8x ## file header magic 0x293B #>>(4.l+9) uleshort x \b, file header magic 0x%4.4x ## file header Flags 0x0402 #>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x ## file header PageSize 0400h 80h for *.ANN #>>(4.l+13) uleshort x \b, PageSize 0x%4.4x ## Structure[16] z4 #>>(4.l+15) string >\0 \b, Structure_"%-.16s" ## MustBeZero 0 #>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x ## PageSplits #>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x ## RootPage #>>(4.l+35) uleshort x \b, RootPage 0x%4.4x ## MustBeNegOne 0xffff #>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x ## TotalPages 1 #>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x ## NLevels 0x0001 #>>(4.l+41) uleshort x \b, NLevels 0x%4.4x ## TotalBtreeEntries #>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x ## pages of the B+ tree #>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx
# start with colon or semicolon for comment line like Back2Life.cnt 0 regex \^(:|;) # look for first keyword Base >0 search/45 :Base >>&0 use cnt-name # only solution to search again from beginning , because relative offsets changes when use is called >0 search/45 :Base >0 default x # look for other keyword Title like in putty.cnt >>0 search/45 :Title >>>&0 use cnt-name # # display mime type and name of Windows help Content source 0 name cnt-name # skip space at beginning >0 string \040 # name without extension and greater character or name with hlp extension >>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" !:mime text/plain !:apple ????TEXT !:ext cnt # # Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing 0 string tfMR MS Windows help Full Text Search index !:mime application/x-winhelp-fts !:ext fts >16 string >\0 for "%s"
# Summary: Hyper terminal # Extension: .ht # Created by: unknown 0 string HyperTerminal\040 >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
# http://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut # Extension: .lnk # Created by: unknown # 'L' + GUUID 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut >20 lelong&1 1 \b, Item id list present >20 lelong&2 2 \b, Points to a file or directory >20 lelong&4 4 \b, Has Description string >20 lelong&8 8 \b, Has Relative path >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon >>56 lelong x \b number=%d >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System >24 lelong&8 8 \b, Volume Label >24 lelong&16 16 \b, Directory >24 lelong&32 32 \b, Archive >24 lelong&64 64 \b, Encrypted >24 lelong&128 128 \b, Normal >24 lelong&256 256 \b, Temporary >24 lelong&512 512 \b, Sparse >24 lelong&1024 1024 \b, Reparse point >24 lelong&2048 2048 \b, Compressed >24 lelong&4096 4096 \b, Offline >28 leqwdate x \b, ctime=%s >36 leqwdate x \b, mtime=%s >44 leqwdate x \b, atime=%s >52 lelong x \b, length=%u, window= >60 lelong&1 1 \bhide >60 lelong&2 2 \bnormal >60 lelong&4 4 \bshowminimized >60 lelong&8 8 \bshowmaximized >60 lelong&16 16 \bshownoactivate >60 lelong&32 32 \bminimize >60 lelong&64 64 \bshowminnoactive >60 lelong&128 128 \bshowna >60 lelong&256 256 \brestore >60 lelong&512 512 \bshowdefault #>20 lelong&1 0 #>>20 lelong&2 2 #>>>(72.l-64) pstring/h x \b [%s] #>20 lelong&1 1 #>>20 lelong&2 2 #>>>(72.s) leshort x #>>>&75 pstring/h x \b [%s]
# Summary: Outlook Personal Folders # Created by: unknown 0 lelong 0x4E444221 Microsoft Outlook email folder >10 leshort 0x0e (<=2002) >10 leshort 0x17 (>=2003)
# Summary: Windows help cache # Created by: unknown 0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache
# Summary: IE cache file # Created by: Christophe Monniez 0 string Client\ UrlCache\ MMF Internet Explorer cache file >20 string >\0 version %s
# Summary: Registry files # Created by: unknown # Modified by (1): Joerg Jenderek 0 string regf MS Windows registry file, NT/2000 or above 0 string CREG MS Windows 95/98/ME registry file 0 string SHCC3 MS Windows 3.1 registry file
# Summary: Windows Registry text # URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files # Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry # Submitted by: Abel Cheung <abelcheung@gmail.com> # Update: Joerg Jenderek # Windows 3-9X variant 0 string REGEDIT # skip ASCII text like "REGEDITor.txt" but match # L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL >7 search/3 \n Windows Registry text !:mime text/x-ms-regedit !:ext reg # Windows 9X variant >>0 string REGEDIT4 (Win95 or above) # Windows 2K ANSI variant 0 string Windows\ Registry\ Editor\ >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) !:mime text/x-ms-regedit !:ext reg # Windows 2K UTF-16 variant 2 lestring16 Windows\ Registry\ Editor\ >0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above) # relative offset not working #>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above) !:mime text/x-ms-regedit !:ext reg # WINE variant # URL: https://en.wikipedia.org/wiki/Wine_(software) # Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html # Note: WINE use text based registry (system.reg,user.reg,userdef.reg) # instead binary hiv structure like Windows 0 string WINE\ REGISTRY\ Version\ WINE registry text # version 2 >&0 string x \b, version %s !:mime text/x-wine-extension-reg !:ext reg
# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018 # empty ,comment , section # PR/383: remove unicode BOM because it is not portable across regex impls #0 regex/s \\`(\\r\\n|;|[[]) # empty line CRLF 0 ubeshort 0x0D0A >0 use ini-file # comment line 0 string ; >0 use ini-file # section line 0 string [ >0 use ini-file # check and then display Windows INItialization configuration 0 name ini-file # look for left bracket in section line >0 search/8192 [ # http://en.wikipedia.org/wiki/Autorun.inf # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx # space after right bracket # or AutoRun.Amd64 for 64 bit systems # or only NL separator >>&0 regex/c \^(autorun) # but sometimes total commander directory tree file "treeinfo.wc" with lines like # [AUTORUN] # [boot] >>>&0 string =]\r\n[ Total commander directory treeinfo.wc !:mime text/plain !:ext wc # From: Pal Tamas <folti@balabit.hu> # Autorun File >>>&0 string !]\r\n[ Microsoft Windows Autorun file !:mime application/x-setupscript !:ext inf # http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx # version strings ASCII coded case-independent for Windows setup information script file >>&0 regex/c \^(version|strings)] Windows setup INFormation !:mime application/x-setupscript #!:mime application/x-wine-extension-inf !:ext inf # NETCRC.INF OEMCPL.INF >>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation !:mime application/x-setupscript !:ext inf # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent >>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini !:mime application/x-wine-extension-ini #!:mime text/plain # http://support.microsoft.com/kb/84709/ >>&0 regex/c \^(don't\ load)] Windows CONTROL.INI !:mime application/x-wine-extension-ini !:ext ini >>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI !:mime application/x-wine-extension-ini !:ext ini # http://technet.microsoft.com/en-us/library/cc722567.aspx # http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm >>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI !:mime application/x-wine-extension-ini !:ext ini # http://en.wikipedia.org/wiki/SYSTEM.INI >>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI !:mime application/x-wine-extension-ini !:ext ini # http://www.mdgx.com/newtip6.htm >>&0 regex/c \^(SafeList)] Windows IOS.INI !:mime application/x-wine-extension-ini !:ext ini # http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information >>&0 regex/c \^(boot\x20loader)] Windows boot.ini !:mime application/x-wine-extension-ini !:ext ini # http://en.wikipedia.org/wiki/CONFIG.SYS >>&0 regex/c \^(menu)] MS-DOS CONFIG.SYS # @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE # CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYTEM\MSCONFIG.EXE # CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYTEM\MSCONFIG.EXE # dos and w40 used in dual booting scene !:ext sys/dos/w40 # http://support.microsoft.com/kb/118579/ >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS !:ext sys/dos # http://chmspec.nongnu.org/latest/INI.html#HHP >>&0 regex/c \^(options)]\r\n Microsoft HTML Help Project !:mime text/plain !:ext hhp # unknown keyword after opening bracket >>&0 default x #>>>&0 string/c x UNKNOWN [%s # look for left bracket of second section >>>&0 search/8192 [ # version Strings FileIdentification >>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript !:ext inf # http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other >>>>&0 default x >>>>>&0 ubyte x # characters, digits, underscore and white space followed by right bracket # terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT >>>>>>&-1 regex \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s # NETDEF.INF multiarc.ini #!:mime application/x-setupscript !:mime application/x-wine-extension-ini #!:mime text/plain !:ext ini/inf # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00 0 ubelong&0xFFff89FF =0xFFFE0900 # look for left bracket in section line >2 search/8192 [ # keyword without 1st letter which is maybe up-/down-case >>&3 lestring16 ersion] Windows setup INFormation !:mime application/x-setupscript !:ext inf >>&3 lestring16 trings] Windows setup INFormation !:mime application/x-setupscript !:ext inf >>&3 lestring16 ourceDisksNames] Windows setup INFormation !:mime application/x-setupscript !:ext inf # netnwcli.inf start with ;---[ NetNWCli.INX ] >>&3 default x # look for NL followed by left bracket >>>&0 search/8192 \x0A\x00\x5b >>>>&3 lestring16 ersion] Windows setup INFormation !:mime application/x-setupscript !:ext inf
# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp 0 leshort&0xFeFe 0x0000 !:strength -5 # test for unused null bits in PNF_FLAGs >4 ulelong&0xFCffFe00 0x00000000 # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure >>68 ulelong >0x57 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF !:mime application/x-pnf # currently only found Major Version=1 and Minor Version=1 #>>>>0 uleshort =0x0101 #>>>>>1 ubyte x \b, version %u #>>>>>0 ubyte x \b.%u >>>>0 uleshort !0x0101 >>>>>1 ubyte x \b, version %u >>>>>0 ubyte x \b.%u # 1 ,2 (windows 98 SE) #>>>>2 uleshort =2 \b, InfStyle %u >>>>2 uleshort !2 \b, InfStyle %u # PNF_FLAG_IS_UNICODE 0x00000001 # PNF_FLAG_HAS_STRINGS 0x00000002 # PNF_FLAG_SRCPATH_IS_URL 0x00000004 # PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008 # PNF_FLAG_INF_VERIFIED 0x00000010 # PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020 # ?? 0x00000100 # ?? 0x01000000 # ?? 0x02000000 >>>>4 ulelong&0x00000001 0x00000001 \b, unicoded >>>>4 ulelong&0x00000020 0x00000020 \b, digitally signed #>>>>8 ulelong x \b, InfSubstValueListOffset 0x%x # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF #>>>>12 uleshort x \b, InfSubstValueCount 0x%x # only < 9 found #>>>>14 uleshort x \b, InfVersionDatumCount 0x%x # only found values lower 0x0000ffff #>>>>16 ulelong x \b, InfVersionDataSize 0x%x # only found positive values lower 0x00ffFFff for InfVersionDataOffset >>>>20 ulelong x \b, at 0x%x >>>>4 ulelong&0x00000001 =0x00000001 # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>>>>(20.l) lestring16 x "%s" >>>>4 ulelong&0x00000001 !0x00000001 >>>>>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx # only found values lower 0x00ffFFff #>>>>32 ulelong x \b, StringTableBlockOffset 0x%x #>>>>36 ulelong x \b, StringTableBlockSize 0x%x #>>>>40 ulelong x \b, InfSectionCount 0x%x #>>>>44 ulelong x \b, InfSectionBlockOffset 0x%x #>>>>48 ulelong x \b, InfSectionBlockSize 0x%x #>>>>52 ulelong x \b, InfLineBlockOffset 0x%x #>>>>56 ulelong x \b, InfLineBlockSize 0x%x #>>>>60 ulelong x \b, InfValueBlockOffset 0x%x #>>>>64 ulelong x \b, InfValueBlockSize 0x%x # WinDirPathOffset #>>>>68 ulelong x \b, at 0x%x >>>>68 ulelong >0x57 >>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(68.l) ubequad =0x43003a005c005700 # normally unicoded C:\Windows #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" >>>>>>(68.l) ubequad !0x43003a005c005700 >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" >>>>>4 ulelong&0x00000001 !0x00000001 # normally ASCII C:\WINDOWS #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s" # found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF #>>>>72 ulelong >0 \b, at 0x%x >>>>72 ulelong >0 \b, >>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(72.l) lestring16 x OsLoaderPath "%s" >>>>>4 ulelong&0x00000001 !0x00000001 # seldom C:\ instead empty >>>>>>(72.l) string x OsLoaderPath "%s" # 1fdh #>>>>76 uleshort x \b, StringTableHashBucketCount 0x%x >>>>78 uleshort !0x407 \b, LanguageId %x # only 407h found #>>>>78 uleshort =0x407 \b, LanguageId %x # InfSourcePathOffset often 0 #>>>>80 ulelong >0 \b, at 0x%x >>>>80 ulelong >0 \b, >>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(80.l) lestring16 x SourcePath "%s" >>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 #>>>>84 ulelong >0 \b, at 0x%x >>>>84 ulelong >0 \b, >>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(84.l) lestring16 x InfName "%s" >>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(84.l) string >\0 InfName "%s"
# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 # Extension: .bkf # Created by: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/NTBackup # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF # Descriptor BloCK name of Microsoft Tape Format 0 string TAPE # Format Logical Address is zero >20 ulequad 0 # Reserved for MBC is zero >>28 uleshort 0 # Control Block ID is zero >>>36 ulelong 0 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive #!:mime application/x-ntbackup !:ext bkf # OS ID >>>>>10 ubyte 1 \b NetWare >>>>>10 ubyte 13 \b NetWare SMS >>>>>10 ubyte 14 \b NT >>>>>10 ubyte 24 \b 3 >>>>>10 ubyte 25 \b OS/2 >>>>>10 ubyte 26 \b 95 >>>>>10 ubyte 27 \b Macintosh >>>>>10 ubyte 28 \b UNIX # OS Version (2) #>>>>>11 ubyte x OS V=%x # MTF_CONTINUATION Media Sequence Number > 1 #>>>>>4 ulelong&0x00000001 !0 \b, continued # MTF_COMPRESSION >>>>>4 ulelong&0x00000004 !0 \b, compressed # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit >>>>>4 ulelong&0x00020000 0 # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape >>>>>>4 ulelong&0x00010000 !0 \b, with catalog # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present >>>>>4 ulelong&0x00020000 !0 \b, with file catalog # Offset To First Event 238h,240h,28Ch #>>>>>8 uleshort x \b, event offset %4.4x # Displayable Size (20e0230h 20e024ch 20e0224h) #>>>>>8 ulequad x dis. size %16.16llx # Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h) #>>>>>52 ulelong x family ID %8.8x # TAPE Attributes (3) #>>>>>56 ulelong x TAPE %8.8x # Media Sequence Number >>>>>60 uleshort >1 \b, sequence %u # Password Encryption Algorithm (3) >>>>>62 uleshort >0 \b, 0x%x encrypted # Soft Filemark Block Size * 512 (2) #>>>>>64 uleshort =2 \b, soft size %u*512 >>>>>64 uleshort !2 \b, soft size %u*512 # Media Based Catalog Type (1,2) #>>>>>66 uleshort x \b, catalog type %4.4x # size of Media Name (66,68,6Eh) >>>>>68 uleshort >0 # offset of Media Name (5Eh) >>>>>>70 uleshort >0 # 0~, 1~ANSI, 2~UNICODE >>>>>>>48 ubyte 1 # size terminated ansi coded string normally followed by "MTF Media Label" >>>>>>>>(70.s) string >\0 \b, name: %s >>>>>>>48 ubyte 2 # Not null, but size terminated unicoded string >>>>>>>>(70.s) lestring16 x \b, name: %s # size of Media Label (104h) >>>>>72 uleshort >0 # offset of Media Label (C4h,C6h,CCh) >>>>>74 uleshort >0 >>>>>>48 ubyte 1 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields >>>>>>>(74.s) string >\0 \b, label: %s >>>>>>48 ubyte 2 >>>>>>>(74.s) lestring16 x \b, label: %s # size of password name (0,1Ch) #>>>>>76 uleshort >0 \b, password size %4.4x # Software Vendor ID (CBEh) >>>>>86 uleshort x \b, software (0x%x) # size of Software Name (6Eh) >>>>>80 uleshort >0 # offset of Software Name (1C8h,1CAh,1D0h) >>>>>>82 uleshort >0 # 1~ANSI, 2~UNICODE >>>>>>>48 ubyte 1 >>>>>>>>(82.s) string >\0 \b: %s >>>>>>>48 ubyte 2 # size terminated unicoded coded string normally followed by "SPAD" >>>>>>>>(82.s) lestring16 x \b: %s # Format Logical Block Size (512,1024) #>>>>>84 uleshort =1024 \b, block size %u >>>>>84 uleshort !1024 \b, block size %u # Media Date of MTF_DATE_TIME type with 5 bytes #>>>>>>88 ubequad x DATE %16.16llx # MTF Major Version (1) #>>>>>>93 ubyte x \b, MFT version %x #
# URL: https://en.wikipedia.org/wiki/PaintShop_Pro # Reference: http://www.cryer.co.uk/file-types/p/pal.htm # Created by: Joerg Jenderek # Note: there exist other color palette formats also with .pal extension 0 string JASC-PAL\r\n PaintShop Pro color palette #!:mime text/plain # PspPalette extension is used by newer (probably 8) PaintShopPro versions !:ext pal/PspPalette # 2nd line contains palette file version. For example "0100" >10 string !0100 \b, version %.4s # third line contains the number of colours: 16 256 ... >16 string x \b, %.3s colors
# URL: http://en.wikipedia.org/wiki/Innosetup # Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas # Created by: Joerg Jenderek # Note: created by like "InnoSetup self-extracting archive" inside ./msdos # TrID labeles the entry as "Inno Setup Uninstall Log" # TUninstallLogID 0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log !:mime application/x-innosetup # unins000.dat, unins001.dat, ... !:ext dat # " 64-bit" variant >0x1c string >\0 \b%.7s # AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ... >0xc0 string x %s # AppId[0x80] is simliar to AppName or # GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace >0x40 ubyte 0x7b >>0x40 string x %-.38s # do not know how this log version correlates to program version >0x140 ulelong x \b, version 0x%x # NumRecs #>0x144 ulelong x \b, 0x%4.4x records # EndOffset means files size >0x148 ulelong x \b, %u bytes # Flags 5 25h 35h #>0x14c ulelong x \b, flags %8.8x # Reserved: array[0..26] of Longint # the non Unicode HighestSupportedVersion may never become greater than or equal to 1000 >0x140 ulelong <1000 # hostname >>0x1d6 pstring x \b, %s # user name >>>&0 pstring x \b\%s # directory like C:\Program Files (x86)\GnuWin32 >>>>&0 pstring x \b, "%s" # version 1000 or higher implies unicode >0x140 ulelong >999 # hostname >>0x1db lestring16 x \b, %-.9s # utf string variant with prepending fe??ffFFff >>0x1db search/43 \xFF\xFF\xFF # user name >>>&0 lestring16 x \b\%-.9s >>>&0 search/43 \xFF\xFF\xFF # directory like C:\Program Files\GIMP 2 >>>>&0 lestring16 x \b, %-.42s
# Type: Scribus # From: Werner Fink <werner@suse.de> 0 string \<SCRIBUSUTF8\ Version Scribus Document 0 string \<SCRIBUSUTF8NEW\ Version Scribus Document !:mime application/x-scribus
# help files .hlp compiled from html and used by gfxboot added by Joerg Jenderek # markups page=0x04,label=0x12, followed by strings like "opt" or "main" and title=0x14 0 ulelong&0x8080FFFF 0x00001204 gfxboot compiled html help file
#------------------------------------------------------------------------------ # $File: wsdl,v 1.3 2013/02/06 14:18:52 christos Exp $ # wsdl: PHP WSDL Cache, http://www.php.net/manual/en/book.soap.php # Cache format extracted from source: # http://svn.php.net/viewvc/php/php-src/trunk/ext/soap/php_sdl.c?revision=HEAD&view=markup # Requires file >= 5.05, see http://mx.gw.com/pipermail/file/2010/000683.html # By Elan Ruusamae <glen@delfi.ee>, Patryk Zawadzki <patrys@pld-linux.org>, 2010-2011 0 string wsdl PHP WSDL cache, >4 byte x version 0x%02x >6 ledate x \b, created %s
# uri >10 lelong <0x7fffffff >>10 pstring/l x \b, uri: "%s"
0 leshort 0x580 XENIX 8086 relocatable or 80286 small model
#------------------------------------------------------------------------------ # $File: xilinx,v 1.8 2017/03/17 21:35:28 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 # # Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, # fixes at least reading of bitfiles from Spartan 2, 3, 6. # http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm # # First there is the sync header and its length 0 beshort 0x0009 >2 belong =0x0ff00ff0 >>&0 belong =0x0ff00ff0 >>>&0 byte =0x00 >>>&1 beshort =0x0001 >>>&3 string a Xilinx BIT data # Next is a Pascal-style string with the NCD name. We want to capture that. >>>>&0 pstring/H x - from %s # And then 'b' >>>>>&1 string b # Then the model / part number: >>>>>>&0 pstring/H x - for %s # Then 'c' >>>>>>>&1 string c # Then the build-date >>>>>>>>&0 pstring/H x - built %s # Then 'd' >>>>>>>>>&1 string d # Then the build-time >>>>>>>>>>&0 pstring/H x \b(%s) # Then 'e' >>>>>>>>>>>&1 string e # And length of data >>>>>>>>>>>>&0 belong x - data length 0x%x
# Raw bitstream files 0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN)
#------------------------------------------------------------------------------ # $File: xo65,v 1.4 2009/09/19 16:28:13 christos Exp $ # xo65 object files # From: "Ullrich von Bassewitz" <uz@cc65.org> # 0 string \x55\x7A\x6E\x61 xo65 object, >4 leshort x version %d, >6 leshort&0x0001 =0x0001 with debug info >6 leshort&0x0001 =0x0000 no debug info
# xo65 library files 0 string \x6E\x61\x55\x7A xo65 library, >4 leshort x version %d
# Jaleo XFS files 0 long 395726 Jaleo XFS file >4 long x - version %d >8 long x - [%d - >20 long x \b%dx >24 long x \b%dx >28 long 1008 \bYUV422] >28 long 1000 \bRGB24]
# Xcursor data # X11 mouse cursor format defined in libXcursor, see # http://www.x.org/archive/X11R6.8.1/doc/Xcursor.3.html # http://cgit.freedesktop.org/xorg/lib/libXcursor/tree/include/X11/Xcursor/Xcursor.h 0 string Xcur Xcursor data !:mime image/x-xcursor >10 leshort x version %d >>8 leshort x \b.%d
0 string YARA >4 lelong >2047 >8 byte <20 YARA 3.x compiled rule set # version >>8 clear x >>8 byte 6 created with version 3.3.0 >>8 byte 8 created with version 3.4.0 >>8 byte 11 created with version 3.5.0 >>8 default x >>>8 byte x development version 0x%02x #------------------------------------------------------------------------------ # zfs: file(1) magic for ZFS dumps # # From <rea-fbsd@codelabs.ru> # ZFS dump header has the following structure (as per zfs_ioctl.h # in FreeBSD with drr_type is set to DRR_BEGIN) # # enum { # DRR_BEGIN, DRR_OBJECT, DRR_FREEOBJECTS, # DRR_WRITE, DRR_FREE, DRR_END, # } drr_type; # uint32_t drr_pad; # uint64_t drr_magic; # uint64_t drr_version; # uint64_t drr_creation_time; # dmu_objset_type_t drr_type; # uint32_t drr_pad; # uint64_t drr_toguid; # uint64_t drr_fromguid; # char drr_toname[MAXNAMELEN]; # # Backup magic is 0x00000002f5bacbac (quad word) # The drr_type is defined as # typedef enum dmu_objset_type { # DMU_OST_NONE, # DMU_OST_META, # DMU_OST_ZFS, # DMU_OST_ZVOL, # DMU_OST_OTHER, /* For testing only! */ # DMU_OST_ANY, /* Be careful! */ # DMU_OST_NUMTYPES # } dmu_objset_type_t; # # Almost all uint64_t fields are printed as the 32-bit ones (with high # 32 bits zeroed), because there is no simple way to print them as the # full 64-bit values.
# Big-endian values 8 string \000\000\000\002\365\272\313\254 ZFS shapshot (big-endian machine), >20 belong x version %u, >32 belong 0 type: NONE, >32 belong 1 type: META, >32 belong 2 type: ZFS, >32 belong 3 type: ZVOL, >32 belong 4 type: OTHER, >32 belong 5 type: ANY, >32 belong >5 type: UNKNOWN (%u), >40 byte x destination GUID: %02X >41 byte x %02X >42 byte x %02X >43 byte x %02X >44 byte x %02X >45 byte x %02X >46 byte x %02X >47 byte x %02X, >48 ulong >0 >>52 ulong >0 >>>48 byte x source GUID: %02X >>>49 byte x %02X >>>50 byte x %02X >>>51 byte x %02X >>>52 byte x %02X >>>53 byte x %02X >>>54 byte x %02X >>>55 byte x %02X, >56 string >\0 name: '%s'
# Little-endian values 8 string \254\313\272\365\002\000\000\000 ZFS shapshot (little-endian machine), >16 lelong x version %u, >32 lelong 0 type: NONE, >32 lelong 1 type: META, >32 lelong 2 type: ZFS, >32 lelong 3 type: ZVOL, >32 lelong 4 type: OTHER, >32 lelong 5 type: ANY, >32 lelong >5 type: UNKNOWN (%u), >47 byte x destination GUID: %02X >46 byte x %02X >45 byte x %02X >44 byte x %02X >43 byte x %02X >42 byte x %02X >41 byte x %02X >40 byte x %02X, >48 ulong >0 >>52 ulong >0 >>>55 byte x source GUID: %02X >>>54 byte x %02X >>>53 byte x %02X >>>52 byte x %02X >>>51 byte x %02X >>>50 byte x %02X >>>49 byte x %02X >>>48 byte x %02X, >56 string >\0 name: '%s'
#------------------------------------------------------------------------------ # $File: zilog,v 1.7 2009/09/19 16:28:13 christos Exp $ # zilog: file(1) magic for Zilog Z8000. # # Was it big-endian or little-endian? My Product Specification doesn't # say. # 0 long 0xe807 object file (z8000 a.out) 0 long 0xe808 pure object file (z8000 a.out) 0 long 0xe809 separate object file (z8000 a.out) 0 long 0xe805 overlay object file (z8000 a.out) #------------------------------------------------------------------------------ # $File: zip,v 1.1 2017/11/03 23:36:17 christos Exp $ # zip: file(1) magic for zip files; this is not use # Note the version of magic in archive is currently stronger, this is # just an example until negative offsets are supported better
# Zip Central Cirectory record 0 name zipcd >0 string PK\001\002 >>4 leshort x \b, made by >>4 use zipversion >>6 leshort x \b, extract using at least >>6 use zipversion >>12 ledate x \b, last modified %s >>24 lelong >0 \b, uncompressed size %d >>10 leshort x \b, method= >>10 use zipcompression
# Zip End Of Central Directory record -22 string PK\005\006 Zip archive data #>4 leshort >1 \b, %d disks #>6 leshort >1 \b, central directory disk %d #>8 leshort >1 \b, %d central directories on this disk #>10 leshort >1 \b, %d central directories #>12 lelong x \b, %d central directory bytes >(16.l) use zipcd >20 pstring/l >0 \b, %s
#------------------------------------------------------------------------------ # $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $ # zyxel: file(1) magic for ZyXEL modems # # From <rob@pe1chl.ampr.org> # These are the /etc/magic entries to decode datafiles as used for the # ZyXEL U-1496E DATA/FAX/VOICE modems. (This header conforms to a # ZyXEL-defined standard)