--- embedaddon/php/ext/fileinfo/tests/magic 2012/02/21 23:47:56 1.1 +++ embedaddon/php/ext/fileinfo/tests/magic 2013/10/14 08:02:19 1.1.1.4 @@ -1,16 +1,18 @@ # Magic data for file(1) command. -# Format is described in magic(5). -# Don't edit this file, edit /etc/magic or send your suggested inclusions to -# this file as a wishlist bug against file (using the reportbug utility). +# Format is described in magic(files), where: +# files is 5 on V7 and BSD, 4 on SV, and ?? on SVID. +# Don't edit this file, edit /etc/magic or send your magic improvements +# to the maintainers, at file@mx.gw.com - #------------------------------------------------------------------------------ # Localstuff: file(1) magic for locally observed files # -# $File: Localstuff,v 1.4 2003/03/23 04:17:27 christos Exp $ +# $File: Localstuff,v 1.5 2007/01/12 17:38:27 christos Exp $ # Add any locally observed files here. Remember: # text if readable, executable if runnable binary, data if unreadable. + #------------------------------------------------------------------------------ +# $File: acorn,v 1.5 2009/09/19 16:28:07 christos Exp $ # acorn: file(1) magic for files found on Acorn systems # @@ -79,6 +81,7 @@ >>10 leshort !1 %d patterns #------------------------------------------------------------------------------ +# $File: adi,v 1.4 2009/09/19 16:28:07 christos Exp $ # adi: file(1) magic for ADi's objects # From Gregory McGarry # @@ -91,6 +94,7 @@ >18 lelong ^010 not stripped #------------------------------------------------------------------------------ +# $File: adventure,v 1.14 2012/06/21 01:32:26 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin @@ -107,18 +111,30 @@ # Infocom (see z-machine) #------------------------------------------------------------------------------ # Z-machine: file(1) magic for Z-machine binaries. +# Updated by Adam Buchbinder # -# This will match ${TEX_BASE}/texmf/omega/ocp/char2uni/inbig5.ocp which -# appears to be a version-0 Z-machine binary. +#http://www.gnelson.demon.co.uk/zspec/sect11.html +#http://www.jczorkmid.net/~jpenney/ZSpec11-latest.txt +#http://en.wikipedia.org/wiki/Z-machine +# The first byte is the Z-machine revision; it is always between 1 and 8. We +# had false matches (for instance, inbig5.ocp from the Omega TeX extension as +# well as an occasional MP3 file), so we sanity-check the version number. # -# The (false match) message is to correct that behavior. Perhaps it is -# not needed. +# It might be possible to sanity-check the release number as well, as it seems +# (at least in classic Infocom games) to always be a relatively small number, +# always under 150 or so, but as this isn't rigorous, we'll wait on that until +# it becomes clear that it's needed. # -16 belong&0xfe00f0f0 0x3030 Infocom game data ->0 ubyte 0 (false match) ->0 ubyte >0 (Z-machine %d, ->>2 ubeshort x Release %d / ->>18 string >\0 Serial %.6s) +0 ubyte >0 +>0 ubyte <9 +>>16 belong&0xfe00f0f0 0x3030 +>>>0 ubyte < 10 +>>>>2 ubeshort < 10 +>>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9] +>>>>>>0 ubyte < 10 Infocom (Z-machine %d, +>>>>>>>2 ubeshort < 10 Release %d / +>>>>>>>>18 string >\0 Serial %.6s) +!:strength + 40 #------------------------------------------------------------------------------ # Glulx: file(1) magic for Glulx binaries. @@ -136,10 +152,9 @@ # For Quetzal and blorb magic see iff -# TADS (Text Adventure Development System) +# TADS (Text Adventure Development System) version 2 # All files are machine-independent (games compile to byte-code) and are tagged -# with a version string of the form "V2..\0" (but TADS 3 is -# on the way). +# with a version string of the form "V2..\0". # Game files start with "TADS2 bin\n\r\032\0" then the compiler version. 0 string TADS2\ bin TADS >9 belong !0x0A0D1A00 game data, CORRUPTED @@ -164,6 +179,19 @@ >10 belong 0x0A0D1A00 >>14 string >\0 %s saved game data +# TADS (Text Adventure Development System) version 3 +# Game files start with "T3-image\015\012\032" +0 string T3-image\015\012\032 +>11 leshort x TADS 3 game data (format version %d) +# Saved game files start with "T3-state-v####\015\012\032" +# where #### is a format version number +0 string T3-state-v +>14 string \015\012\032 TADS 3 saved game data (format version +>>10 byte x %c +>>11 byte x \b%c +>>12 byte x \b%c +>>13 byte x \b%c) + # Danny Milosavljevic # this are adrift (adventure game standard) game files, extension .taf # depending on version magic continues with 0x93453E6139FA (V 4.0) @@ -174,7 +202,9 @@ #0 belong 0x3C423FC9 #>4 belong 0x6A87C2CF Adrift game file #!:mime application/x-adrift + #------------------------------------------------------------------------------ +# $File: allegro,v 1.4 2009/09/19 16:28:07 christos Exp $ # allegro: file(1) magic for Allegro datafiles # Toby Deshane # @@ -183,6 +213,7 @@ 0 belong 0x736C682B Allegro datafile (appended exe data) #------------------------------------------------------------------------------ +# $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived @@ -198,37 +229,9 @@ 0 short 0421 0421 Alliant compact executable >2 short &0x0020 common library >16 long >0 not stripped -#------------------------------------------------------------------------------ -# alpha architecture description -# -0 leshort 0603 COFF format alpha ->22 leshort&030000 !020000 executable ->24 leshort 0410 pure ->24 leshort 0413 paged ->22 leshort&020000 !0 dynamically linked ->16 lelong !0 not stripped ->16 lelong 0 stripped ->22 leshort&030000 020000 shared library ->24 leshort 0407 object ->27 byte x - version %d ->26 byte x .%d ->28 byte x -%d - -# Basic recognition of Digital UNIX core dumps - Mike Bremford -# -# The actual magic number is just "Core", followed by a 2-byte version -# number; however, treating any file that begins with "Core" as a Digital -# UNIX core dump file may produce too many false hits, so we include one -# byte of the version number as well; DU 5.0 appears only to be up to -# version 2. -# -0 string Core\001 Alpha COFF format core dump (Digital UNIX) ->24 string >\0 \b, from '%s' -0 string Core\002 Alpha COFF format core dump (Digital UNIX) ->24 string >\0 \b, from '%s' - #------------------------------------------------------------------------------ +# $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $ # amanda: file(1) magic for amanda file format # 0 string AMANDA:\ AMANDA @@ -238,7 +241,9 @@ >>23 string >\ DATE %s >8 string FILE\ dump file, >>13 string >\ DATE %s + #------------------------------------------------------------------------------ +# $File: amigaos,v 1.15 2012/06/21 01:13:59 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -301,8 +306,12 @@ # From: Alex Beregszaszi 0 string LZX LZX compressed archive (Amiga) +# From: Przemek Kramarczyk +0 string .KEY AmigaDOS script +0 string .key AmigaDOS script #------------------------------------------------------------------------------ +# $File: animation,v 1.48 2013/03/09 22:36:00 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -332,7 +341,7 @@ #!:mime image/x-quicktime 4 string pckg Apple QuickTime compressed archive !:mime application/x-quicktime-player -4 string/B jP JPEG 2000 image +4 string/W jP JPEG 2000 image !:mime image/jp2 4 string ftyp ISO Media >8 string isom \b, MPEG v4 system, version 1 @@ -344,10 +353,18 @@ !:mime video/mp4 >8 string mp7t \b, MPEG v4 system, MPEG v7 XML >8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML ->8 string/B jp2 \b, JPEG 2000 +>8 string/W jp2 \b, JPEG 2000 !:mime image/jp2 +>8 string 3ge \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>8 string 3gg \b, MPEG v4 system, 3GPP +!:mime video/3gpp >8 string 3gp \b, MPEG v4 system, 3GPP !:mime video/3gpp +>8 string 3gs \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>8 string 3g2 \b, MPEG v4 system, 3GPP2 +!:mime video/3gpp2 >>11 byte 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) @@ -355,13 +372,13 @@ !:mime video/mp4 >8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC !:mime video/3gpp ->8 string/B M4A \b, MPEG v4 system, iTunes AAC-LC +>8 string/W M4A \b, MPEG v4 system, iTunes AAC-LC !:mime audio/mp4 ->8 string/B M4V \b, MPEG v4 system, iTunes AVC-LC +>8 string/W M4V \b, MPEG v4 system, iTunes AVC-LC !:mime video/mp4 ->8 string/B M4P \b, MPEG v4 system, iTunes AES encrypted ->8 string/B M4B \b, MPEG v4 system, iTunes bookmarked ->8 string/B qt \b, Apple QuickTime movie +>8 string/W M4P \b, MPEG v4 system, iTunes AES encrypted +>8 string/W M4B \b, MPEG v4 system, iTunes bookmarked +>8 string/W qt \b, Apple QuickTime movie !:mime video/quicktime # MPEG sequences @@ -374,6 +391,7 @@ >>7 byte x \b @ L %u 0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence +!:mime video/mpeg >>4 byte &0x40 \b, v2, program multiplex >>4 byte ^0x40 \b, v1, system multiplex >3 byte 0xBB MPEG sequence, v1/2, multiplex (missing pack header) @@ -382,7 +400,11 @@ >>4 byte 77 \b, main >>4 byte 88 \b, extended >>6 byte x \b @ L %u +# GRR too general as it catches also FoxPro Memo example NG.FPT >3 byte 0xB0 MPEG sequence, v4 +# TODO: maybe this extra line exclude FoxPro Memo example NG.FPT starting with 000001b0 00000100 00000000 +#>>4 byte !0 MPEG sequence, v4 +!:mime video/mpeg4-generic >>5 belong 0x000001B5 >>>9 byte &0x80 >>>>10 byte&0xF0 16 \b, video @@ -452,6 +474,7 @@ >>4 byte 252 \b, FGS @ L4 >>4 byte 253 \b, FGS @ L5 >3 byte 0xB5 MPEG sequence, v4 +!:mime video/mpeg4-generic >>4 byte &0x80 >>>5 byte&0xF0 16 \b, video (missing profile header) >>>5 byte&0xF0 32 \b, still texture (missing profile header) @@ -462,6 +485,7 @@ >>4 byte&0xF8 24 \b, mesh (missing profile header) >>4 byte&0xF8 32 \b, face (missing profile header) >3 byte 0xB3 MPEG sequence +!:mime video/mpeg >>12 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong 0x000001B5 \b, v2, @@ -628,6 +652,7 @@ # MP2, M1A 0 beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1 +!:mime audio/mpeg # rates >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 48 kbps @@ -702,6 +727,7 @@ # MP3, M2A 0 beshort&0xFFFE 0xFFF2 MPEG ADTS, layer III, v2 +!:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps @@ -770,6 +796,7 @@ # MPA, M2A 0 beshort&0xFFFE 0xFFF6 MPEG ADTS, layer I, v2 +!:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 48 kbps @@ -804,6 +831,7 @@ # MP3, M25A 0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 +!:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps @@ -974,10 +1002,6 @@ # iso 13818 transport stream # # from Oskar Schirmer Feb 3, 2001 (ISO 13818.1) -# (the following is a little bit restrictive and works fine for a stream -# that starts with PAT properly. it won't work for stream data, that is -# cut from an input device data right in the middle, but this shouldn't -# disturb) # syncbyte 8 bit 0x47 # error_ind 1 bit - # payload_start 1 bit 1 @@ -985,9 +1009,9 @@ # PID 13 bit 0x0000 # scrambling 2 bit - # adaptfld_ctrl 2 bit 1 or 3 -# conti_count 4 bit 0 -0 belong&0xFF5FFF1F 0x47400010 MPEG transport stream data ->188 byte !0x47 CORRUPTED +# conti_count 4 bit - +0 belong&0xFF5FFF10 0x47400010 +>188 byte 0x47 MPEG transport stream data # DIF digital video file format 0 belong&0xffffff00 0x1f070000 DIF @@ -998,7 +1022,7 @@ # Microsoft Advanced Streaming Format (ASF) 0 belong 0x3026b275 Microsoft ASF -!:mime video/x-ms-asf +!:mime video/x-ms-asf # MNG Video Format, 0 string \x8aMNG MNG video data, @@ -1020,16 +1044,16 @@ 3 string \x0D\x0AVersion:Vivo Vivo video data # VRML (Virtual Reality Modelling Language) -0 string/b #VRML\ V1.0\ ascii VRML 1 file +0 string/w #VRML\ V1.0\ ascii VRML 1 file !:mime model/vrml -0 string/b #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file +0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file !:mime model/vrml # X3D (Extensible 3D) [http://www.web3d.org/specifications/x3d-3.0.dtd] # From Michel Briand -0 string \20 search/1000/cb \20 search/1000/cw \0 byte x GameCube movie, >0x34 ubeshort x %d x >0x36 ubeshort x %d, ->0x26 ubeshort x %dµs, +>0x26 ubeshort x %dus, >0x42 ubeshort 0 no audio >0x42 ubeshort >0 %dHz audio @@ -1095,15 +1119,149 @@ >4 byte&0x1F 0x07 !:mime video/h264 +# Type: Bink Video +# Extension: .bik +# URL: http://wiki.multimedia.cx/index.php?title=Bink_Container +# From: 2008-07-18 +0 string BIK Bink Video +>3 regex =[a-z] rev.%s +#>4 ulelong x size %d +>20 ulelong x \b, %d +>24 ulelong x \bx%d +>8 ulelong x \b, %d frames +>32 ulelong x at rate %d/ +>28 ulelong >1 \b%d +>40 ulelong =0 \b, no audio +>40 ulelong !0 \b, %d audio track +>>40 ulelong !1 \bs +# follow properties of the first audio track only +>>48 uleshort x %dHz +>>51 byte&0x20 0 mono +>>51 byte&0x20 !0 stereo +#>>51 byte&0x10 0 FFT +#>>51 byte&0x10 !0 DCT + +# Type: NUT Container +# URL: http://wiki.multimedia.cx/index.php?title=NUT +# From: Adam Buchbinder +0 string nut/multimedia\ container\0 NUT multimedia container + +# Type: Nullsoft Video (NSV) +# URL: http://wiki.multimedia.cx/index.php?title=Nullsoft_Video +# From: Mike Melanson +0 string NSVf Nullsoft Video + +# Type: REDCode Video +# URL: http://www.red.com/ ; http://wiki.multimedia.cx/index.php?title=REDCode +# From: Mike Melanson +4 string RED1 REDCode Video + +# Type: MTV Multimedia File +# URL: http://wiki.multimedia.cx/index.php?title=MTV +# From: Mike Melanson +0 string AMVS MTV Multimedia File + +# Type: ARMovie +# URL: http://wiki.multimedia.cx/index.php?title=ARMovie +# From: Mike Melanson +0 string ARMovie\012 ARMovie + +# Type: Interplay MVE Movie +# URL: http://wiki.multimedia.cx/index.php?title=Interplay_MVE +# From: Mike Melanson +0 string Interplay\040MVE\040File\032 Interplay MVE Movie + +# Type: Windows Television DVR File +# URL: http://wiki.multimedia.cx/index.php?title=WTV +# From: Mike Melanson +# This takes the form of a Windows-style GUID +0 bequad 0xB7D800203749DA11 +>8 bequad 0xA64E0007E95EAD8D Windows Television DVR Media + +# Type: Sega FILM/CPK Multimedia +# URL: http://wiki.multimedia.cx/index.php?title=Sega_FILM +# From: Mike Melanson +0 string FILM Sega FILM/CPK Multimedia, +>32 belong x %d x +>28 belong x %d + +# Type: Nintendo THP Multimedia +# URL: http://wiki.multimedia.cx/index.php?title=THP +# From: Mike Melanson +0 string THP\0 Nintendo THP Multimedia + +# Type: BBC Dirac Video +# URL: http://wiki.multimedia.cx/index.php?title=Dirac +# From: Mike Melanson +0 string BBCD BBC Dirac Video + +# Type: RAD Game Tools Smacker Multimedia +# URL: http://wiki.multimedia.cx/index.php?title=Smacker +# From: Mike Melanson +0 string SMK RAD Game Tools Smacker Multimedia +>3 byte x version %c, +>4 lelong x %d x +>8 lelong x %d, +>12 lelong x %d frames + #------------------------------------------------------------------------------ +# $File: aout,v 1.1 2013/01/09 22:37:23 christos Exp $ +# aout: file(1) magic for a.out executable/object/etc entries that +# handle executables on multiple platforms. +# + +# +# Little-endian 32-bit-int a.out, merged from bsdi (for BSD/OS, from +# BSDI), netbsd, and vax (for UNIX/32V and BSD) +# +# XXX - is there anything we can look at to distinguish BSD/OS 386 from +# NetBSD 386 from various VAX binaries? The BSD/OS shared library flag +# works only for binaries using shared libraries. Grabbing the entry +# point from the a.out header, using it to find the first code executed +# in the program, and looking at that might help. +# +0 lelong 0407 a.out little-endian 32-bit executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses BSD/OS shared libs) + +0 lelong 0410 a.out little-endian 32-bit pure executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses BSD/OS shared libs) + +0 lelong 0413 a.out little-endian 32-bit demand paged pure executable +>16 lelong >0 not stripped +>32 byte 0x6a (uses BSD/OS shared libs) + +# +# Big-endian 32-bit-int a.out, merged from sun (for old 68010 SunOS a.out), +# mips (for old 68020(!) SGI a.out), and netbsd (for old big-endian a.out). +# +# XXX - is there anything we can look at to distinguish old SunOS 68010 +# from old 68020 IRIX from old NetBSD? Again, I guess we could look at +# the first instruction or instructions in the program. +# +0 belong 0407 a.out big-endian 32-bit executable +>16 belong >0 not stripped + +0 belong 0410 a.out big-endian 32-bit pure executable +>16 belong >0 not stripped + +0 belong 0413 a.out big-endian 32-bit demand paged executable +>16 belong >0 not stripped + + +#------------------------------------------------------------------------------ +# $File: apl,v 1.6 2009/09/19 16:28:07 christos Exp $ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long 0100554 APL workspace (Ken's original?) + #------------------------------------------------------------------------------ +# $File: apple,v 1.27 2013/03/09 22:36:00 christos Exp $ # apple: file(1) magic for Apple file formats # -0 search/1 FiLeStArTfIlEsTaRt binscii (apple ][) text +0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 0 string \x0aGL Binary II (apple ][) data 0 string \x76\xff Squeezed (apple ][) data 0 string NuFile NuFile archive (apple ][) data @@ -1206,8 +1364,13 @@ # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. +# update by Joerg Jenderek at Feb 2013 -0 belong&0xff00ff 0x80000 Applesoft BASIC program data +# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) +#0 belong&0xff00ff 0x80000 Applesoft BASIC program data +0 belong&0x00ff00ff 0x00080000 +# assuming that line number must be positive +>2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d # ORCA/EZ assembler: @@ -1350,7 +1513,54 @@ # .vdi 4 string innotek\ VirtualBox\ Disk\ Image %s +# Apple disk partition stuff, strengthen the magic using byte 4 +0 beshort 0x4552 +>4 byte 0 Apple Driver Map +>>2 beshort x \b, blocksize %d +>>4 belong x \b, blockcount %d +>>10 beshort x \b, devtype %d +>>12 beshort x \b, devid %d +>>20 beshort x \b, descriptors %d +# Assume 8 partitions each at a multiple of the sector size. +# We could glean this from the partition descriptors, but they are empty!?!? +>>(2.S*1) indirect \b, contains[@0x%x]: +>>(2.S*2) indirect \b, contains[@0x%x]: +>>(2.S*3) indirect \b, contains[@0x%x]: +>>(2.S*4) indirect \b, contains[@0x%x]: +>>(2.S*5) indirect \b, contains[@0x%x]: +>>(2.S*6) indirect \b, contains[@0x%x]: +>>(2.S*7) indirect \b, contains[@0x%x]: +>>(2.S*8) indirect \b, contains[@0x%x]: + +# Yes, the 3rd and 4th bytes are reserved, but we use them to make the +# magic stronger. +0 belong 0x504d0000 Apple Partition Map +>4 belong x \b, map block count %d +>8 belong x \b, start block %d +>12 belong x \b, block count %d +>16 string >0 \b, name %s +>48 string >0 \b, type %s +>124 string >0 \b, processor %s +>140 string >0 \b, boot arguments %s +>92 belong & 1 \b, valid +>92 belong & 2 \b, allocated +>92 belong & 4 \b, in use +>92 belong & 8 \b, has boot info +>92 belong & 16 \b, readable +>92 belong & 32 \b, writable +>92 belong & 64 \b, pic boot code +>92 belong & 128 \b, chain compatible driver +>92 belong & 256 \b, real driver +>92 belong & 512 \b, chain driver +>92 belong & 1024 \b, mount at startup +>92 belong & 2048 \b, is the startup partition + +#http://wiki.mozilla.org/DS_Store_File_Format` +#http://en.wikipedia.org/wiki/.DS_Store +0 string \0\0\0\1Bud1\0 Apple Desktop Services Store + #------------------------------------------------------------------------------ +# $File: applix,v 1.5 2009/09/19 16:28:08 christos Exp $ # applix: file(1) magic for Applixware # From: Peter Soos # @@ -1362,6 +1572,7 @@ >7 string MACRO Macro >7 string BUILDER Builder Object #------------------------------------------------------------------------------ +# $File: archive,v 1.79 2013/02/08 17:24:06 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -1374,6 +1585,11 @@ 257 string ustar\040\040\0 GNU tar archive !:mime application/x-tar # encoding: gnu +# Incremental snapshot gnu-tar format from: +# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html +0 string GNU\ tar- GNU tar incremental snapshot data +>&0 regex [0-9]\.[0-9]+-[0-9]+ version %s + # cpio archives # # Yes, the top two "cpio archive" formats *are* supposed to just be "short". @@ -1393,8 +1609,61 @@ 0 string 070701 ASCII cpio archive (SVR4 with no CRC) 0 string 070702 ASCII cpio archive (SVR4 with CRC) -# Debian package (needs to go before regular portable archives) # +# Various archive formats used by various versions of the "ar" +# command. +# + +# +# Original UNIX archive formats. +# They were written with binary values in host byte order, and +# the magic number was a host "int", which might have been 16 bits +# or 32 bits. We don't say "PDP-11" or "VAX", as there might have +# been ports to little-endian 16-bit-int or 32-bit-int platforms +# (x86?) using some of those formats; if none existed, feel free +# to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian +# 32-bit. There might have been big-endian ports of that sort as +# well. +# +0 leshort 0177555 very old 16-bit-int little-endian archive +0 beshort 0177555 very old 16-bit-int big-endian archive +0 lelong 0177555 very old 32-bit-int little-endian archive +0 belong 0177555 very old 32-bit-int big-endian archive + +0 leshort 0177545 old 16-bit-int little-endian archive +>2 string __.SYMDEF random library +0 beshort 0177545 old 16-bit-int big-endian archive +>2 string __.SYMDEF random library +0 lelong 0177545 old 32-bit-int little-endian archive +>4 string __.SYMDEF random library +0 belong 0177545 old 32-bit-int big-endian archive +>4 string __.SYMDEF random library + +# +# From "pdp" (but why a 4-byte quantity?) +# +0 lelong 0x39bed PDP-11 old archive +0 lelong 0x39bee PDP-11 4.0 archive + +# +# XXX - what flavor of APL used this, and was it a variant of +# some ar archive format? It's similar to, but not the same +# as, the APL workspace magic numbers in pdp. +# +0 long 0100554 apl workspace + +# +# System V Release 1 portable(?) archive format. +# +0 string = System V Release 1 ar archive +!:mime application/x-archive + +# +# Debian package; it's in the portable archive format, and needs to go +# before the entry for regular portable archives, as it's recognized as +# a portable archive whose first member has a name beginning with +# "debian". +# 0 string =!\ndebian !:mime application/x-debian-package >8 string debian-split part of multipart Debian package @@ -1410,18 +1679,14 @@ #>84 string gz \b, uses gzip compression #>136 ledate x created: %s -# other archives -0 long 0177555 very old archive -0 short 0177555 very old PDP-11 archive -0 long 0177545 old archive -0 short 0177545 old PDP-11 archive -0 long 0100554 apl workspace -0 string = archive -!:mime application/x-archive - -# MIPS archive (needs to go before regular portable archives) # +# MIPS archive; they're in the portable archive format, and need to go +# before the entry for regular portable archives, as it's recognized as +# a portable archive whose first member has a name beginning with +# "__________E". +# 0 string =!\n__________E MIPS archive +!:mime application/x-archive >20 string U with MIPS Ucode members >21 string L with MIPSEL members >21 string B with MIPSEB members @@ -1432,56 +1697,20 @@ 0 search/1 -h- Software Tools format archive text # -# XXX - why are there multiple thingies? Note that 0x213c6172 is -# "! current ar archive -# 0 long 0x213c6172 archive file -# -# and for SVR1 archives, we have: -# -# 0 string \ System V Release 1 ar archive -# 0 string = archive -# -# XXX - did Aegis really store shared libraries, breakpointed modules, -# and absolute code program modules in the same format as new-style -# "ar" archives? -# 0 string =! current ar archive !:mime application/x-archive >8 string __.SYMDEF random library ->0 belong =65538 - pre SR9.5 ->0 belong =65539 - post SR9.5 ->0 beshort 2 - object archive ->0 beshort 3 - shared library module ->0 beshort 4 - debug break-pointed module ->0 beshort 5 - absolute code program module -0 string \ System V Release 1 ar archive -0 string = archive +>68 string __.SYMDEF\ SORTED random library + # -# XXX - from "vax", which appears to collect a bunch of byte-swapped -# thingies, to help you recognize VAX files on big-endian machines; -# with "leshort", "lelong", and "string", that's no longer necessary.... +# "Thin" archive, as can be produced by GNU ar. # -0 belong 0x65ff0000 VAX 3.0 archive -0 belong 0x3c61723e VAX 5.0 archive -# -0 long 0x213c6172 archive file -0 lelong 0177555 very old VAX archive -0 leshort 0177555 very old PDP-11 archive -# -# XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus -# be a random library (it said 0xff65 rather than 0177545). -# -0 lelong 0177545 old VAX archive ->8 string __.SYMDEF random library -0 leshort 0177545 old PDP-11 archive ->8 string __.SYMDEF random library -# -# From "pdp" (but why a 4-byte quantity?) -# -0 lelong 0x39bed PDP-11 old archive -0 lelong 0x39bee PDP-11 4.0 archive +0 string =!\n thin archive with +>68 belong 0 no symbol entries +>68 belong 1 %d symbol entry +>68 belong >1 %d symbol entries # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) # @@ -1541,11 +1770,14 @@ # SAR 3 string LH5 SAR archive data # BSArc/BS2 -0 string \212\3SB \0 BSArc/BS2 archive data +0 string \212\3SB\020\0 BSArc/BS2 archive data +# Bethesda Softworks Archive (Oblivion) +0 string BSA\0 BSArc archive data +>4 lelong x version %d # MAR 2 string =-ah MAR archive data # ACB -0 belong&0x00f800ff 0x00800000 ACB archive data +#0 belong&0x00f800ff 0x00800000 ACB archive data # CPZ # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data # JRC @@ -1566,7 +1798,7 @@ # AMGC 0 string \xad6" AMGC archive data # NuLIB -0 string NõFélå NuLIB archive data +0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data # PakLeo 0 string LEOLZW PAKLeo archive data # ChArc @@ -1578,7 +1810,7 @@ # Freeze 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data # KBoom -0 string ¨MP¨ KBoom archive data +0 string \xc2\xa8MP\xc2\xa8 KBoom archive data # NSQ, must go after CDC Codec 0 string \x76\xff NSQ archive data # DPA @@ -1606,17 +1838,17 @@ # MS Compress 4 string \x88\xf0\x27 MS Compress archive data # updated by Joerg Jenderek ->9 string \0 ->>0 string KWAJ +>9 string \0 +>>0 string KWAJ >>>7 string \321\003 MS Compress archive data >>>>14 ulong >0 \b, original size: %ld bytes ->>>>18 ubyte >0x65 ->>>>>18 string x \b, was %.8s ->>>>>(10.b-4) string x \b.%.3s +>>>>18 ubyte >0x65 +>>>>>18 string x \b, was %.8s +>>>>>(10.b-4) string x \b.%.3s # MP3 (archiver, not lossy audio compression) 0 string MP3\x1a MP3-Archiver archive data # ZET -0 string OZÝ ZET archive data +0 string OZ\xc3\x9d ZET archive data # TSComp 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data # ARQ @@ -1637,7 +1869,7 @@ # Splint 0 string \x93\xb9\x06 Splint archive data # InstallShield -0 string \x13\x5d\x65\x8c InstallShield Z archive Data +0 string \x13\x5d\x65\x8c InstallShield Z archive Data # Gather 1 string GTH Gather archive data # BOA @@ -1647,7 +1879,7 @@ # Xtreme 0 string ULEB\0 Xtreme archive data # Pack Magic -0 string @â\1\0 Pack Magic archive data +0 string @\xc3\xa2\1\0 Pack Magic archive data # BTS 0 belong&0xfeffffff 0x1a034465 BTS archive data # ELI 5750 @@ -1783,7 +2015,7 @@ # XPack Data 0 string xpa XPack archive data # XPack Single Data -0 string Í\ jm XPack single archive data +0 string \xc3\x8d\ jm XPack single archive data # TODO: missing due to unknown magic/magic at end of file: #DWC @@ -1896,7 +2128,7 @@ >20 byte x - header level %d # taken from idarc [JW] 2 string -lZ PUT archive data -2 string -lz LZS archive data +2 string -lz LZS archive data 2 string -sw1- Swag archive data # RAR archiver (Greg Roelofs, newt@uchicago.edu) @@ -1923,80 +2155,146 @@ # [JW] see exe section for self-extracting version 0 string UC2\x1a UC2 archive data -# ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -0 string PK\003\004 ->4 byte 0x00 Zip archive data +# PKZIP multi-volume archive +0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract !:mime application/zip ->4 byte 0x09 Zip archive data, at least v0.9 to extract -!:mime application/zip ->4 byte 0x0a Zip archive data, at least v1.0 to extract -!:mime application/zip ->4 byte 0x0b Zip archive data, at least v1.1 to extract -!:mime application/zip ->0x161 string WINZIP Zip archive data, WinZIP self-extracting -!:mime application/zip ->4 byte 0x14 ->>30 ubelong !0x6d696d65 Zip archive data, at least v2.0 to extract -!:mime application/zip -# OpenOffice.org / KOffice / StarOffice documents -# Listed here because they ARE zip files -# -# From: Abel Cheung ->4 byte 0x14 ->>30 string mimetype +# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +0 string PK\005\006 Zip archive data (empty) +0 string PK\003\004 -# KOffice (1.2 or above) formats ->>>50 string vnd.kde. KOffice (>=1.2) ->>>>58 string karbon Karbon document ->>>>58 string kchart KChart document ->>>>58 string kformula KFormula document ->>>>58 string kivio Kivio document ->>>>58 string kontour Kontour document ->>>>58 string kpresenter KPresenter document ->>>>58 string kspread KSpread document ->>>>58 string kword KWord document +# Specialised zip formats which start with a member named 'mimetype' +# (stored uncompressed, with no 'extra field') containing the file's MIME type. +# Check for have 8-byte name, 0-byte extra field, name "mimetype", and +# contents starting with "application/": +>26 string \x8\0\0\0mimetypeapplication/ -# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) ->>>50 string vnd.sun.xml. OpenOffice.org 1.x ->>>>62 string writer Writer ->>>>>68 byte !0x2e document ->>>>>68 string .template template ->>>>>68 string .global global document ->>>>62 string calc Calc ->>>>>66 byte !0x2e spreadsheet ->>>>>66 string .template template ->>>>62 string draw Draw ->>>>>66 byte !0x2e document ->>>>>66 string .template template ->>>>62 string impress Impress ->>>>>69 byte !0x2e presentation ->>>>>69 string .template template ->>>>62 string math Math document ->>>>62 string base Database file +# KOffice / OpenOffice & StarOffice / OpenDocument formats +# From: Abel Cheung -# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) -# http://lists.oasis-open.org/archives/office/200505/msg00006.html ->>>50 string vnd.oasis.opendocument. OpenDocument ->>>>73 string text ->>>>>77 byte !0x2d Text +# KOffice (1.2 or above) formats +# (mimetype contains "application/vnd.kde.") +>>50 string vnd.kde. KOffice (>=1.2) +>>>58 string karbon Karbon document +>>>58 string kchart KChart document +>>>58 string kformula KFormula document +>>>58 string kivio Kivio document +>>>58 string kontour Kontour document +>>>58 string kpresenter KPresenter document +>>>58 string kspread KSpread document +>>>58 string kword KWord document + +# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) +# (mimetype contains "application/vnd.sun.xml.") +>>50 string vnd.sun.xml. OpenOffice.org 1.x +>>>62 string writer Writer +>>>>68 byte !0x2e document +>>>>68 string .template template +>>>>68 string .global global document +>>>62 string calc Calc +>>>>66 byte !0x2e spreadsheet +>>>>66 string .template template +>>>62 string draw Draw +>>>>66 byte !0x2e document +>>>>66 string .template template +>>>62 string impress Impress +>>>>69 byte !0x2e presentation +>>>>69 string .template template +>>>62 string math Math document +>>>62 string base Database file + +# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) +# http://lists.oasis-open.org/archives/office/200505/msg00006.html +# (mimetype contains "application/vnd.oasis.opendocument.") +>>50 string vnd.oasis.opendocument. OpenDocument +>>>73 string text +>>>>77 byte !0x2d Text !:mime application/vnd.oasis.opendocument.text ->>>>>77 string -template Text Template ->>>>>77 string -web HTML Document Template ->>>>>77 string -master Master Document ->>>>73 string graphics Drawing ->>>>>81 string -template Template ->>>>73 string presentation Presentation ->>>>>85 string -template Template ->>>>73 string spreadsheet Spreadsheet ->>>>>84 string -template Template ->>>>73 string chart Chart ->>>>>78 string -template Template ->>>>73 string formula Formula ->>>>>80 string -template Template ->>>>73 string database Database ->>>>73 string image Image +>>>>77 string -template Text Template +!:mime application/vnd.oasis.opendocument.text-template +>>>>77 string -web HTML Document Template +!:mime application/vnd.oasis.opendocument.text-web +>>>>77 string -master Master Document +!:mime application/vnd.oasis.opendocument.text-master +>>>73 string graphics +>>>>81 byte !0x2d Drawing +!:mime application/vnd.oasis.opendocument.graphics +>>>>81 string -template Template +!:mime application/vnd.oasis.opendocument.graphics-template +>>>73 string presentation +>>>>85 byte !0x2d Presentation +!:mime application/vnd.oasis.opendocument.presentation +>>>>85 string -template Template +!:mime application/vnd.oasis.opendocument.presentation-template +>>>73 string spreadsheet +>>>>84 byte !0x2d Spreadsheet +!:mime application/vnd.oasis.opendocument.spreadsheet +>>>>84 string -template Template +!:mime application/vnd.oasis.opendocument.spreadsheet-template +>>>73 string chart +>>>>78 byte !0x2d Chart +!:mime application/vnd.oasis.opendocument.chart +>>>>78 string -template Template +!:mime application/vnd.oasis.opendocument.chart-template +>>>73 string formula +>>>>80 byte !0x2d Formula +!:mime application/vnd.oasis.opendocument.formula +>>>>80 string -template Template +!:mime application/vnd.oasis.opendocument.formula-template +>>>73 string database Database +!:mime application/vnd.oasis.opendocument.database +>>>73 string image +>>>>78 byte !0x2d Image +!:mime application/vnd.oasis.opendocument.image +>>>>78 string -template Template +!:mime application/vnd.oasis.opendocument.image-template +# EPUB (OEBPS) books using OCF (OEBPS Container Format) +# http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4. +# From: Ralf Brown +>0x1E string mimetypeapplication/epub+zip EPUB document +!:mime application/epub+zip + +# Catch other ZIP-with-mimetype formats +# In a ZIP file, the bytes immediately after a member's contents are +# always "PK". The 2 regex rules here print the "mimetype" member's +# contents up to the first 'P'. Luckily, most MIME types don't contain +# any capital 'P's. This is a kludge. +# (mimetype contains "application/") +>>50 string !epub+zip +>>>50 string !vnd.oasis.opendocument. +>>>>50 string !vnd.sun.xml. +>>>>>50 string !vnd.kde. +>>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) +!:mime application/zip +# (mimetype contents other than "application/*") +>26 string \x8\0\0\0mimetype +>>38 string !application/ +>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) +!:mime application/zip + +# Java Jar files +>(26.s+30) leshort 0xcafe Java Jar file data (zip) +!:mime application/jar + +# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +# Next line excludes specialized formats: +>(26.s+30) leshort !0xcafe +>>26 string !\x8\0\0\0mimetype Zip archive data +!:mime application/zip +>>>4 byte 0x09 \b, at least v0.9 to extract +>>>4 byte 0x0a \b, at least v1.0 to extract +>>>4 byte 0x0b \b, at least v1.1 to extract +>>>4 byte 0x14 \b, at least v2.0 to extract +>>>4 byte 0x2d \b, at least v3.0 to extract +>>>0x161 string WINZIP \b, WinZIP self-extracting + +# StarView Metafile +# From Pierre Ducroquet +0 string VCLMTF StarView MetaFile +>6 beshort x \b, version %d +>8 belong x \b, size %d + # Zoo archiver 20 lelong 0xfdc4a7dc Zoo archive data !:mime application/x-zoo @@ -2014,7 +2312,7 @@ !:mime application/octet-stream # -# LBR. NB: May conflict with the questionable +# LBR. NB: May conflict with the questionable # "binary Computer Graphics Metafile" format. # 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data @@ -2030,10 +2328,10 @@ # From Rafael Laboissiere # The Project Revision Control System (see # http://prcs.sourceforge.net) generates a packaged project -# file which is recognized by the following entry: +# file which is recognized by the following entry: 0 leshort 0xeb81 PRCS packaged project -# Microsoft cabinets +# Microsoft cabinets # by David Necas (Yeti) #0 string MSCF\0\0\0\0 Microsoft cabinet file data, #>25 byte x v%d @@ -2041,7 +2339,7 @@ # MPi: All CABs have version 1.3, so this is pointless. # Better magic in debian-additions. -# GTKtalog catalogs +# GTKtalog catalogs # by David Necas (Yeti) 4 string gtktalog\ GTKtalog catalog data, >13 string 3 version 3 @@ -2060,12 +2358,12 @@ !:mime application/x-bittorrent # Atari MSA archive - Teemu Hukkanen -0 beshort 0x0e0f Atari MSA archive data ->2 beshort x \b, %d sectors per track ->4 beshort 0 \b, 1 sided ->4 beshort 1 \b, 2 sided ->6 beshort x \b, starting track: %d ->8 beshort x \b, ending track: %d +0 beshort 0x0e0f Atari MSA archive data +>2 beshort x \b, %d sectors per track +>4 beshort 0 \b, 1 sided +>4 beshort 1 \b, 2 sided +>6 beshort x \b, starting track: %d +>8 beshort x \b, ending track: %d # Alternate ZIP string (amc@arwen.cs.berkeley.edu) 0 string PK00PK\003\004 Zip archive data @@ -2110,7 +2408,7 @@ # DR-DOS 7.03 Packed File *.??_ 0 string Packed\ File\ Personal NetWare Packed File ->12 string x \b, was "%.12s" +>12 string x \b, was "%.12s" # EET archive # From: Tilman Sauerbeck @@ -2168,9 +2466,54 @@ # Type: Parity Archive # From: Daniel van Eeden -0 string PAR2 Parity Archive Volume Set +0 string PAR2 Parity Archive Volume Set +# Bacula volume format. (Volumes always start with a block header.) +# URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html +# From: Adam Buchbinder +12 string BB02 Bacula volume +>20 bedate x \b, started %s + +# ePub is XHTML + XML inside a ZIP archive. The first member of the +# archive must be an uncompressed file called 'mimetype' with contents +# 'application/epub+zip' + + +# From: "Michael Gorny" +# ZPAQ: http://mattmahoney.net/dc/zpaq.html +0 string zPQ ZPAQ stream +>3 byte x \b, level %d + +# BBeB ebook, unencrypted (LRF format) +# URL: http://www.sven.de/librie/Librie/LrfFormat +# From: Adam Buchbinder +0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted +>8 beshort x \b, version %d +>36 byte 1 \b, front-to-back +>36 byte 16 \b, back-to-front +>42 beshort x \b, (%dx, +>44 beshort x %d) #------------------------------------------------------------------------------ +# $File: assembler,v 1.4 2013/01/04 23:31:11 christos Exp $ +# make: file(1) magic for assembler source +# +0 regex \^[\020\t]*\\.asciiz assembler source text +!:mime text/x-asm +0 regex \^[\020\t]*\\.byte assembler source text +!:mime text/x-asm +0 regex \^[\020\t]*\\.even assembler source text +!:mime text/x-asm +0 regex \^[\020\t]*\\.globl assembler source text +!:mime text/x-asm +0 regex \^[\020\t]*\\.text assembler source text +!:mime text/x-asm +0 regex \^[\020\t]*\\.file assembler source text +!:mime text/x-asm +0 regex \^[\020\t]*\\.type assembler source text +!:mime text/x-asm + +#------------------------------------------------------------------------------ +# $File: asterix,v 1.5 2009/09/19 16:28:08 christos Exp $ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character # strings as "long" - we assume they're just strings: # From: guy@netapp.com (Guy Harris) @@ -2188,6 +2531,7 @@ #------------------------------------------------------------------------------ +# $File: att3b,v 1.8 2009/09/19 16:28:08 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. @@ -2226,7 +2570,9 @@ # core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' + #------------------------------------------------------------------------------ +# $File: audio,v 1.66 2013/02/06 14:18:52 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -2478,12 +2824,17 @@ >0x36 string >\0 author: "%s" >0x56 string >\0 copyright: "%s" -# IRCAM -# VAX and MIPS files are little-endian; Sun and NeXT are big-endian -0 belong 0x64a30100 IRCAM file (VAX) -0 belong 0x64a30200 IRCAM file (Sun) +# IRCAM sound files - Michael Pruett +# http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html +0 belong 0x64a30100 IRCAM file (VAX little-endian) +0 belong 0x0001a364 IRCAM file (VAX big-endian) +0 belong 0x64a30200 IRCAM file (Sun big-endian) +0 belong 0x0002a364 IRCAM file (Sun little-endian) 0 belong 0x64a30300 IRCAM file (MIPS little-endian) -0 belong 0x64a30400 IRCAM file (NeXT) +0 belong 0x0003a364 IRCAM file (MIPS big-endian) +0 belong 0x64a30400 IRCAM file (NeXT big-endian) +0 belong 0x64a30400 IRCAM file (NeXT big-endian) +0 belong 0x0004a364 IRCAM file (NeXT little-endian) # NIST SPHERE 0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file @@ -2504,8 +2855,8 @@ >21 ubyte <128 note %d, >22 byte =0 replay 5.485 KHz >22 byte =1 replay 8.084 KHz ->22 byte =2 replay 10.971 Khz ->22 byte =3 replay 16.168 Khz +>22 byte =2 replay 10.971 KHz +>22 byte =3 replay 16.168 KHz >22 byte =4 replay 21.942 KHz >22 byte =5 replay 32.336 KHz >22 byte =6 replay 43.885 KHz @@ -2514,43 +2865,14 @@ # SGI SoundTrack 0 string _SGI_SoundTrack SGI SoundTrack project file # ID3 version 2 tags -0 string ID3 Audio file with ID3 version 2. -# ??? Normally such a file is an MP3 file, but this will give false positives -!:mime audio/mpeg ->3 ubyte <0xff \b%d -#>4 ubyte <0xff \b%d tag ->2584 string fLaC \b, FLAC encoding ->>2588 byte&0x7f >0 \b, unknown version ->>2588 byte&0x7f 0 \b -# some common bits/sample values ->>>2600 beshort&0x1f0 0x030 \b, 4 bit ->>>2600 beshort&0x1f0 0x050 \b, 6 bit ->>>2600 beshort&0x1f0 0x070 \b, 8 bit ->>>2600 beshort&0x1f0 0x0b0 \b, 12 bit ->>>2600 beshort&0x1f0 0x0f0 \b, 16 bit ->>>2600 beshort&0x1f0 0x170 \b, 24 bit ->>>2600 byte&0xe 0x0 \b, mono ->>>2600 byte&0xe 0x2 \b, stereo ->>>2600 byte&0xe 0x4 \b, 3 channels ->>>2600 byte&0xe 0x6 \b, 4 channels ->>>2600 byte&0xe 0x8 \b, 5 channels ->>>2600 byte&0xe 0xa \b, 6 channels ->>>2600 byte&0xe 0xc \b, 7 channels ->>>2600 byte&0xe 0xe \b, 8 channels -# some common sample rates ->>>2597 belong&0xfffff0 0x0ac440 \b, 44.1 kHz ->>>2597 belong&0xfffff0 0x0bb800 \b, 48 kHz ->>>2597 belong&0xfffff0 0x07d000 \b, 32 kHz ->>>2597 belong&0xfffff0 0x056220 \b, 22.05 kHz ->>>2597 belong&0xfffff0 0x05dc00 \b, 24 kHz ->>>2597 belong&0xfffff0 0x03e800 \b, 16 kHz ->>>2597 belong&0xfffff0 0x02b110 \b, 11.025 kHz ->>>2597 belong&0xfffff0 0x02ee00 \b, 12 kHz ->>>2597 belong&0xfffff0 0x01f400 \b, 8 kHz ->>>2597 belong&0xfffff0 0x177000 \b, 96 kHz ->>>2597 belong&0xfffff0 0x0fa000 \b, 64 kHz ->>>2601 byte&0xf >0 \b, >4G samples ->2584 string !fLaC \b, MP3 encoding +0 string ID3 Audio file with ID3 version 2 +>3 byte x \b.%d +>4 byte x \b.%d +>>5 byte &0x80 \b, unsynchronized frames +>>5 byte &0x40 \b, extended header +>>5 byte &0x20 \b, experimental +>>5 byte &0x10 \b, footer present +>(6.I) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File @@ -2741,6 +3063,7 @@ # From danny.milo@gmx.net (Danny Milosavljevic) # New version from Abel Cheung 0 string MAC\040 Monkey's Audio compressed format +!:mime audio/x-ape >4 uleshort >0x0F8B version %d >>(0x08.l) uleshort =1000 with fast compression >>(0x08.l) uleshort =2000 with normal compression @@ -2761,7 +3084,7 @@ >>12 ulelong x \b, sample rate %d # adlib sound files -# From Gürkan Sengün , http://www.linuks.mine.nu +# From Gurkan Sengun , http://www.linuks.mine.nu 0 string RAWADATA RdosPlay RAW 1068 string RoR AMUSIC Adlib Tracker @@ -2820,6 +3143,7 @@ # musepak support From: "Jiri Pejchal" 0 string MP+ Musepack audio +!:mime audio/x-musepack >3 byte 255 \b, SV pre8 >3 byte&0xF 0x6 \b, SV 6 >3 byte&0xF 0x8 \b, SV 8 @@ -2875,7 +3199,19 @@ # From: Mario Lang 0 string SCgf SuperCollider3 Synth Definition file, >4 belong x version %d + +# Type: True Audio Lossless Audio +# URL: http://wiki.multimedia.cx/index.php?title=True_Audio +# From: Mike Melanson +0 string TTA1 True Audio Lossless Audio + +# Type: WavPack Lossless Audio +# URL: http://wiki.multimedia.cx/index.php?title=WavPack +# From: Mike Melanson +0 string wvpk WavPack Lossless Audio + #---------------------------------------------------------------- +# $File: basis,v 1.4 2009/09/19 16:28:08 christos Exp $ # basis: file(1) magic for BBx/Pro5-files # Oliver Dammer 2005/11/07 # http://www.basis.com business-basic-files. @@ -2891,7 +3227,9 @@ >7 string \006 mkeyed file >>13 short 0 (sort) >>8 string \000 (mkey) + #------------------------------------------------------------------------------ +# $File: bflt,v 1.4 2009/09/19 16:28:08 christos Exp $ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter @@ -2903,7 +3241,34 @@ >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata +# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files +# http://ftg.lbl.gov/checkpoint +0 string C\0\0\0R\0\0\0 BLCR +>16 lelong 1 x86 +>16 lelong 3 alpha +>16 lelong 5 x86-64 +>16 lelong 7 ARM +>8 lelong x context data (little endian, version %d) +# Uncomment the following only of your "file" program supports "search" +#>0 search/1024 VMA\06 for kernel +#>>&1 byte x %d. +#>>&2 byte x %d. +#>>&3 byte x %d +0 string \0\0\0C\0\0\0R BLCR +>16 belong 2 SPARC +>16 belong 4 ppc +>16 belong 6 ppc64 +>16 belong 7 ARMEB +>16 belong 8 SPARC64 +>8 belong x context data (big endian, version %d) +# Uncomment the following only of your "file" program supports "search" +#>0 search/1024 VMA\06 for kernel +#>>&1 byte x %d. +#>>&2 byte x \b%d. +#>>&3 byte x \b%d + #------------------------------------------------------------------------------ +# $File: blender,v 1.5 2009/09/19 16:28:08 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list @@ -2938,10 +3303,11 @@ >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d -# Scripts that run in the embeded Python interpreter +# Scripts that run in the embedded Python interpreter 0 string #!BPY Blender3D BPython script #------------------------------------------------------------------------------ +# $File: blit,v 1.8 2009/09/19 16:28:08 christos Exp $ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... @@ -2959,7 +3325,9 @@ # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable -# + +#------------------------------------------------------------------------------ +# $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $ # i80960 b.out objects and archives # 0 long 0x10d i960 b.out relocatable object @@ -2968,26 +3336,18 @@ # b.out archive (hp-rt on i960) 0 string =! b.out archive >8 string __.SYMDEF random library + #------------------------------------------------------------------------------ +# $File: bsdi,v 1.6 2013/01/09 22:37:24 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects +# Some object/executable formats use the same magic numbers as are used +# in other OSes; those are handled by entries in aout. # 0 lelong 0314 386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) -0 lelong 0407 386 executable ->16 lelong >0 not stripped ->32 byte 0x6a (uses shared libs) - -0 lelong 0410 386 pure executable ->16 lelong >0 not stripped ->32 byte 0x6a (uses shared libs) - -0 lelong 0413 386 demand paged pure executable ->16 lelong >0 not stripped ->32 byte 0x6a (uses shared libs) - # same as in SunOS 4.x, except for static shared libraries 0 belong&077777777 0600413 sparc demand paged >0 byte &0x80 @@ -3009,7 +3369,18 @@ >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) +# Chiasmus is a encryption standard developed by the German Federal +# Office for Information Security (Bundesamt fuer Sicherheit in der +# Informationstechnik). + +# Extension: .xia +0 string XIA1 Chiasmus encrypted data + +# Extension: .xis +0 string XIS Chiasmus key + #------------------------------------------------------------------------------ +# $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $ # BTSnoop: file(1) magic for BTSnoop files # # From @@ -3020,34 +3391,9 @@ >12 belong 1003 HCI BCSP >12 belong 1004 HCI Serial (H5) >>12 belong x type %d -#------------------------------------------------------------------------------ -# c-lang: file(1) magic for C programs (or REXX) -# -# XPM icons (Greg Roelofs, newt@uchicago.edu) -# if you uncomment "/*" for C/REXX below, also uncomment this entry -#0 string /*\ XPM\ */ X pixmap image data -#!:mime image/x-xpmi - -# 3DS (3d Studio files) Conflicts with diff output 0x3d '=' -#16 beshort 0x3d3d image/x-3ds - -# this first will upset you if you're a PL/1 shop... -# in which case rm it; ascmagic will catch real C programs -#0 search/1 /* C or REXX program text -#0 search/1 // C++ program text - -# From: Mikhail Teterin -0 string cscope cscope reference data ->7 string x version %.2s -# We skip the path here, because it is often long (so file will -# truncate it) and mostly redundant. -# The inverted index functionality was added some time betwen -# versions 11 and 15, so look for -q if version is above 14: ->7 string >14 ->>10 search/100 \ -q\ with inverted index ->10 search/100 \ -c\ text (non-compressed) #------------------------------------------------------------------------------ +# $File: c64,v 1.5 2009/09/19 16:28:08 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann @@ -3090,6 +3436,7 @@ >40 string x Name:%.24s #------------------------------------------------------------------------------ +# $File: cad,v 1.11 2011/12/08 12:12:46 rrt Exp $ # autocad: file(1) magic for cad files # @@ -3140,10 +3487,55 @@ # AutoCad, from Nahuel Greco # AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) -0 string AC1012 AutoCad (release 12) -0 string AC1013 AutoCad (release 13) -0 string AC1014 AutoCad (release 14) +0 string AC1012 DWG AutoDesk AutoCad (release 12) +0 string AC1013 DWG AutoDesk AutoCad (release 13) +0 string AC1014 DWG AutoDesk AutoCad (release 14) +# A new version of AutoCAD DWG +# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, +# ICQ 358572321) +# From various sources like: +# http://autodesk.blogs.com/between_the_lines/autocad-release-history.html +0 string AC1018 DWG AutoDesk AutoCAD 2004/2005/2006 +0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009 +0 string AC1024 DWG AutoDesk AutoCAD 2010/2011 +# KOMPAS 2D drawing from ASCON +# This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor +# gathered nor specification +# ASCON http://ascon.net/main/ in English, +# http://ascon.ru/ main site in Russian +# Extension is CDW for drawing and FRW for fragment of drawing +# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, +# ICQ 358572321, http://vkontakte.ru/id16076543) +# From: +# http://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 +# (in russian) and my experiments +0 string KF +>2 belong 0x4E00000C Kompas drawing 12.0 SP1 +>2 belong 0x4D00000C Kompas drawing 12.0 +>2 belong 0x3200000B Kompas drawing 11.0 SP1 +>2 belong 0x3100000B Kompas drawing 11.0 +>2 belong 0x2310000A Kompas drawing 10.0 SP1 +>2 belong 0x2110000A Kompas drawing 10.0 +>2 belong 0x08000009 Kompas drawing 9.0 SP1 +>2 belong 0x05000009 Kompas drawing 9.0 +>2 belong 0x33010008 Kompas drawing 8+ +>2 belong 0x1A000008 Kompas drawing 8.0 +>2 belong 0x2C010107 Kompas drawing 7+ +>2 belong 0x05000007 Kompas drawing 7.0 +>2 belong 0x32000006 Kompas drawing 6+ +>2 belong 0x09000006 Kompas drawing 6.0 +>2 belong 0x5C009005 Kompas drawing 5.11R03 +>2 belong 0x54009005 Kompas drawing 5.11R02 +>2 belong 0x51009005 Kompas drawing 5.11R01 +>2 belong 0x22009005 Kompas drawing 5.10R03 +>2 belong 0x22009005 Kompas drawing 5.10R02 mar +>2 belong 0x21009005 Kompas drawing 5.10R02 febr +>2 belong 0x19009005 Kompas drawing 5.10R01 +>2 belong 0xF4008005 Kompas drawing 5.9R01.003 +>2 belong 0x1C008005 Kompas drawing 5.9R01.002 +>2 belong 0x11008005 Kompas drawing 5.8R01.003 + # CAD: file(1) magic for computer aided design files # Phillip Griffith # AutoCAD magic taken from the Open Design Alliance's OpenDWG specifications. @@ -3157,34 +3549,75 @@ 0 string AC1012 AutoDesk AutoCAD R13 0 string AC1014 AutoDesk AutoCAD R14 0 string AC1015 AutoDesk AutoCAD R2000 + +# 3DS (3d Studio files) Conflicts with diff output 0x3d '=' +#16 beshort 0x3d3d image/x-3ds + #------------------------------------------------------------------------------ +# $File: cafebabe,v 1.14 2013/02/27 16:59:59 christos Exp $ # Cafe Babes unite! # -# Since Java bytecode and Mach-O fat-files have the same magic number, the test -# must be performed in the same "magic" sequence to get both right. The long -# at offset 4 in a mach-O fat file tells the number of architectures; the short at -# offset 4 in a Java bytecode file is the JVM minor version and the -# short at offset 6 is the JVM major version. Since there are only +# Since Java bytecode and Mach-O universal binaries have the same magic number, +# the test must be performed in the same "magic" sequence to get both right. +# The long at offset 4 in a Mach-O universal binary tells the number of +# architectures; the short at offset 4 in a Java bytecode file is the JVM minor +# version and the short at offset 6 is the JVM major version. Since there are only # only 18 labeled Mach-O architectures at current, and the first released # Java class format was version 43.0, we can safely choose any number # between 18 and 39 to test the number of architectures against # (and use as a hack). Let's not use 18, because the Mach-O people # might add another one or two as time goes by... # -0 beshort 0xcafe ->2 beshort 0xbabe +### JAVA START ### +0 belong 0xcafebabe !:mime application/x-java-applet ->>2 belong >30 compiled Java class data, ->>>6 beshort x version %d. ->>>4 beshort x \b%d ->>4 belong 1 Mach-O fat file with 1 architecture ->>4 belong >1 ->>>4 belong <20 Mach-O fat file with %ld architectures ->2 beshort 0xd00d JAR compressed with pack200, ->>5 byte x version %d. ->>4 byte x \b%d +>4 belong >30 compiled Java class data, +>>6 beshort x version %d. +>>4 beshort x \b%d +# Which is which? +#>>4 belong 0x032d (Java 1.0) +#>>4 belong 0x032d (Java 1.1) +>>4 belong 0x002e (Java 1.2) +>>4 belong 0x002f (Java 1.3) +>>4 belong 0x0030 (Java 1.4) +>>4 belong 0x0031 (Java 1.5) +>>4 belong 0x0032 (Java 1.6) + +0 belong 0xcafed00d JAR compressed with pack200, +>5 byte x version %d. +>4 byte x \b%d !:mime application/x-java-pack200 + + +0 belong 0xcafed00d JAR compressed with pack200, +>5 byte x version %d. +>4 byte x \b%d +!:mime application/x-java-pack200 + +### JAVA END ### +### MACH-O START ### + +0 name mach-o \b [ +>0 use mach-o-cpu \b +>&(8.L) indirect \b: +>0 belong x \b] + +0 belong 0xcafebabe +>4 belong 1 Mach-O universal binary with 1 architecture: +>>8 use mach-o \b +>4 belong >1 +>>4 belong <20 Mach-O universal binary with %ld architectures: +>>>8 use mach-o \b +>>>28 use mach-o \b +>>4 belong >2 +>>>48 use mach-o \b +>>4 belong >3 +>>>68 use mach-o \b + +### MACH-O END ### + #------------------------------------------------------------------------------ +# $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From @@ -3193,9 +3626,10 @@ # CDDB-enabled CD player applications. # -0 search/1/b #\040xmcd CDDB(tm) format CD text data +0 search/1/w #\040xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------ +# $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter @@ -3208,7 +3642,9 @@ # From: Jelmer Vernooij 0 string ptab\003\000 Power-Tab v3 Tablature File 0 string ptab\004\000 Power-Tab v4 Tablature File + #------------------------------------------------------------------------------ +# $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code @@ -3218,14 +3654,74 @@ >7 string >\0 for '%s' 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode >7 string >\0 for '%s' + #------------------------------------------------------------------------------ +# $File: citrus,v 1.4 2009/09/19 16:28:08 christos Exp $ # citrus locale declaration # 0 string RuneCT Citrus locale declaration for LC_CTYPE +#------------------------------------------------------------------------------ +# $File: c-lang,v 1.17 2012/04/28 21:20:26 christos Exp $ +# c-lang: file(1) magic for C and related languages programs +# +# BCPL +0 search/8192 "libhdr" BCPL source text +!:mime text/x-bcpl +0 search/8192 "LIBHDR" BCPL source text +!:mime text/x-bcpl + +# C +0 regex \^#include C source text +!:mime text/x-c +0 regex \^char C source text +!:mime text/x-c +0 regex \^double C source text +!:mime text/x-c +0 regex \^extern C source text +!:mime text/x-c +0 regex \^float C source text +!:mime text/x-c +0 regex \^struct C source text +!:mime text/x-c +0 regex \^union C source text +!:mime text/x-c +0 search/8192 main( C source text +!:mime text/x-c + +# C++ +# The strength of these rules is increased so they beat the C rules above +0 regex \^template C++ source text +!:strength + 5 +!:mime text/x-c++ +0 regex \^virtual C++ source text +!:strength + 5 +!:mime text/x-c++ +0 regex \^class C++ source text +!:strength + 5 +!:mime text/x-c++ +0 regex \^public: C++ source text +!:strength + 5 +!:mime text/x-c++ +0 regex \^private: C++ source text +!:strength + 5 +!:mime text/x-c++ + +# From: Mikhail Teterin +0 string cscope cscope reference data +>7 string x version %.2s +# We skip the path here, because it is often long (so file will +# truncate it) and mostly redundant. +# The inverted index functionality was added some time betwen +# versions 11 and 15, so look for -q if version is above 14: +>7 string >14 +>>10 search/100 \ -q\ with inverted index +>10 search/100 \ -c\ text (non-compressed) + #------------------------------------------------------------------------------ +# $File: clarion,v 1.4 2009/09/19 16:28:08 christos Exp $ # clarion: file(1) magic for # Clarion Personal/Professional Developer # (v2 and above) # From: Julien Blache @@ -3252,6 +3748,7 @@ 0 leshort 0x49e0 Clarion Developer (v2 and above) help data #------------------------------------------------------------------------------ +# $File: claris,v 1.6 2012/06/20 21:19:05 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" # Claris Works a word processor, etc. @@ -3262,10 +3759,10 @@ #* #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal -514 string \377\377\377\377\000 Claris clip art? ->0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. -514 string \377\377\377\377\001 Claris clip art? ->0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. +514 string \377\377\377\377\000 +>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art +514 string \377\377\377\377\001 +>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art # Claris works files # .cwk @@ -3298,6 +3795,7 @@ #./windows/claris/userd.spl: data #------------------------------------------------------------------------------ +# $File: clipper,v 1.6 2009/09/19 16:28:08 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? @@ -3362,101 +3860,102 @@ 4 string prof CLIPPER instruction profile #------------------------------------------------------------------------------ +# $File: commands,v 1.45 2013/02/06 14:18:52 christos Exp $ # commands: file(1) magic for various shells and interpreters # -#0 string : shell archive or script for antique kernel text -0 string/b #!\ /bin/sh POSIX shell script text executable +#0 string/w : shell archive or script for antique kernel text +0 string/wt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript -0 string/b #!\ /bin/csh C shell script text executable +0 string/wt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript # korn shell magic, sent by George Wu, gwu@clyde.att.com -0 string/b #!\ /bin/ksh Korn shell script text executable +0 string/wt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript -0 string/b #!\ /bin/tcsh Tenex C shell script text executable +0 string/wt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/bin/tcsh Tenex C shell script text executable +0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/local/tcsh Tenex C shell script text executable +0 string/wt #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/local/bin/tcsh Tenex C shell script text executable +0 string/wt #!\ /usr/local/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript # # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) -0 string/b #!\ /bin/zsh Paul Falstad's zsh script text executable +0 string/wt #!\ /bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/bin/zsh Paul Falstad's zsh script text executable +0 string/wt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable +0 string/wt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/local/bin/ash Neil Brown's ash script text executable +0 string/wt #!\ /usr/local/bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/local/bin/ae Neil Brown's ae script text executable +0 string/wt #!\ /usr/local/bin/ae Neil Brown's ae script text executable !:mime text/x-shellscript -0 string/b #!\ /bin/nawk new awk script text executable +0 string/wt #!\ /bin/nawk new awk script text executable !:mime text/x-nawk -0 string/b #!\ /usr/bin/nawk new awk script text executable +0 string/wt #!\ /usr/bin/nawk new awk script text executable !:mime text/x-nawk -0 string/b #!\ /usr/local/bin/nawk new awk script text executable +0 string/wt #!\ /usr/local/bin/nawk new awk script text executable !:mime text/x-nawk -0 string/b #!\ /bin/gawk GNU awk script text executable +0 string/wt #!\ /bin/gawk GNU awk script text executable !:mime text/x-gawk -0 string/b #!\ /usr/bin/gawk GNU awk script text executable +0 string/wt #!\ /usr/bin/gawk GNU awk script text executable !:mime text/x-gawk -0 string/b #!\ /usr/local/bin/gawk GNU awk script text executable +0 string/wt #!\ /usr/local/bin/gawk GNU awk script text executable !:mime text/x-gawk # -0 string/b #!\ /bin/awk awk script text executable +0 string/wt #!\ /bin/awk awk script text executable !:mime text/x-awk -0 string/b #!\ /usr/bin/awk awk script text executable +0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk -# update to distinguish from *.vcf files -# this is broken because postscript has /EBEGIN{ for example. -#0 search/Bb BEGIN { awk script text 0 regex =^\\s*BEGIN\\s*[{] awk script text # AT&T Bell Labs' Plan 9 shell -0 string/b #!\ /bin/rc Plan 9 rc shell script text executable +0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) -0 string/b #!\ /bin/bash Bourne-Again shell script text executable +0 string/wt #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript -0 string/b #!\ /usr/bin/bash Bourne-Again shell script text executable -!:mime text/x-shellscript -0 string/b #!\ /usr/local/bash Bourne-Again shell script text executable -!:mime text/x-shellscript -0 string/b #!\ /usr/local/bin/bash Bourne-Again shell script text executable +0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wt #!\ /usr/local/bash Bourne-Again shell script text executable +!:mime text/x-shellscript +0 string/wt #!\ /usr/local/bin/bash Bourne-Again shell script text executable +!:mime text/x-shellscript -# using env -0 string #!/usr/bin/env a ->15 string >\0 %s script text executable -0 string #!\ /usr/bin/env a ->16 string >\0 %s script text executable - # PHP scripts # Ulf Harnhammar 0 search/1/c = +0 string =24 regex [0-9.]+ \b, version %s +!:mime text/x-php 0 string Zend\x00 PHP script Zend Optimizer data -0 string $! DCL command file +0 string/t $! DCL command file # Type: Pdmenu # URL: http://packages.debian.org/pdmenu # From: Edward Betts -0 string #!/usr/bin/pdmenu Pdmenu configuration file text +0 string #!/usr/bin/pdmenu Pdmenu configuration file text #---------------------------------------------------------------------------- +# $File: communications,v 1.5 2009/09/19 16:28:08 christos Exp $ # communication # TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3. @@ -3476,8 +3975,8 @@ 0 string mscdocument Message Sequence Chart (document) 0 string msc Message Sequence Chart (chart) 0 string submsc Message Sequence Chart (subchart) - #------------------------------------------------------------------------------ +# $File: compress,v 1.49 2011/12/07 22:04:27 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -3489,6 +3988,7 @@ # standard unix compress 0 string \037\235 compress'd data !:mime application/x-compress +!:apple LZIVZIVU >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits @@ -3496,7 +3996,7 @@ # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods -# other than 8 ("deflate", the only method defined in RFC 1952). +# other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213 gzip compressed data !:mime application/x-gzip >2 byte <8 \b, reserved method @@ -3554,6 +4054,11 @@ !:mime application/x-bzip2 >3 byte >47 \b, block size = %c00k +# lzip +0 string LZIP lzip compressed data +!:mime application/x-lzip +>4 byte x \b, version: %d + # squeeze and crunch # Michael Haardt 0 beshort 0x76FF squeezed data, @@ -3654,19 +4159,30 @@ >4 belong 0x090A0C0D best compression # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) -# http://www.7-zip.org or DOC/7zFormat.txt +# http://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7-zip archive data, >6 byte x version %d >7 byte x \b.%d +!:mime application/x-7z-compressed # Type: LZMA -# URL: http://www.7-zip.org/sdk.html -# From: Robert Millan and Reuben Thomas -# Commented out because apparently not reliable (according to Debian -# bug #364260) -#0 string ]\000\000\200\000 LZMA compressed data +0 lelong&0xffffff =0x5d +>12 leshort =0xff LZMA compressed data, +>>5 lequad =0xffffffffffffffff streamed +>>5 lequad !0xffffffffffffffff non-streamed, size %lld +!:mime application/x-lzma +# http://tukaani.org/xz/xz-file-format.txt +0 ustring \xFD7zXZ\x00 XZ compressed data +!:mime application/x-xz + +# https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt +0 string LRZI LRZIP compressed data +>4 byte x - version %d +>5 byte x \b.%d +!:mime application/x-lrzip + # AFX compressed files (Wolfram Kleff) 2 string -afx- AFX compressed file data @@ -3680,7 +4196,19 @@ >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) + +0 string ArC\x01 FreeArc archive + +# Type: DACT compressed files +0 long 0x444354C3 DACT compressed data +>4 byte >-1 (version %i. +>5 byte >-1 %i. +>6 byte >-1 %i) +>7 long >0 , original size: %i bytes +>15 long >30 , block size: %i bytes + #------------------------------------------------------------------------------ +# $File: console,v 1.19 2013/02/06 14:18:52 christos Exp $ # Console game magic # Toby Deshane # ines: file(1) magic for Marat's iNES Nintendo Entertainment System @@ -3817,7 +4345,7 @@ >113 string x (%s) #------------------------------------------------------------------------------ -# Microsoft Xbox executables .xbe (Esa Hyytiä ) +# Microsoft Xbox executables .xbe (Esa Hyytia ) 0 string XBEH XBE, Microsoft Xbox executable # probabilistic checks whether signed or not >0x0004 ulelong =0x0 @@ -3845,15 +4373,19 @@ # Atari Lynx cartridge dump (EXE/BLL header) # From: "Stefan A. Haubenthal" -0 beshort 0x8008 Lynx cartridge, ->2 beshort x RAM start $%04x ->6 string BS93 +# Double-check that the image type matches too, 0x8008 conflicts with +# 8 character OMF-86 object file headers. +0 beshort 0x8008 +>6 string BS93 Lynx homebrew cartridge +>>2 beshort x \b, RAM start $%04x +>6 string LYNX Lynx cartridge +>>2 beshort x \b, RAM start $%04x # Opera file system that is used on the 3DO console # From: Serge van den Boom 0 string \x01ZZZZZ\x01 3DO "Opera" file system -# From Gürkan Sengün , www.linuks.mine.nu +# From Gurkan Sengun , www.linuks.mine.nu 0 string GBS Nintendo Gameboy Music/Audio Data 12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module @@ -3936,9 +4468,11 @@ # Type: scummVM savegame files # From: Sven Hartge -0 string SCVM scummVM savegame +0 string SCVM ScummVM savegame >12 string >\0 "%s" + #------------------------------------------------------------------------------ +# $File: convex,v 1.8 2012/10/03 23:44:43 christos Exp $ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. @@ -3968,8 +4502,6 @@ # The restore program uses these number to determine how the data is # to be extracted. # -24 belong =60011 dump format, 4.1 BSD or earlier -24 belong =60012 dump format, 4.2 or 4.3 BSD without IDC 24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) 24 belong =60014 dump format, Convex Storage Manager by-reference dump # @@ -4009,6 +4541,7 @@ >84 belong&0x18000000 =0x18000000 undefined fpmode #------------------------------------------------------------------------------ +# $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $ # cracklib: file (1) magic for cracklib v2.7 0 lelong 0x70775631 Cracklib password index, little endian @@ -4020,12 +4553,79 @@ # really bellong 0x0000000070775631 0 search/1 \0\0\0\0pwV1 Cracklib password index, big endian ("64-bit") >12 belong >0 (%i words) + # ---------------------------------------------------------------------------- +# $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $ # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai 0 search/1 =!_TAG Exuberant Ctags tag file text #------------------------------------------------------------------------------ +# $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $ +# file(1) magic(5) data for cubemaps Martin Erik Werner +# +0 string ACMP Map file for the AssaultCube FPS game +0 string CUBE Map file for cube and cube2 engine games +0 string MAPZ) Map file for the Blood Frontier/Red Eclipse FPS games + +#------------------------------------------------------------------------------ +# $File: cups,v 1.2 2012/11/02 21:50:29 christos Exp $ +# Cups: file(1) magic for the cups raster file format +# From: Laurent Martelli +# http://www.cups.org/documentation.php/spec-raster.html +# + +0 name cups-be +>280 lelong x \b, %d +>284 lelong x \bx%d dpi +>376 lelong x \b, %dx +>380 lelong x \b%d pixels +>388 lelong x %d bits/color +>392 lelong x %d bits/pixel +>400 lelong 0 ColorOrder=Chunky +>400 lelong 1 ColorOrder=Banded +>400 lelong 2 ColorOrder=Planar +>404 lelong 0 ColorSpace=gray +>404 lelong 1 ColorSpace=RGB +>404 lelong 2 ColorSpace=RGBA +>404 lelong 3 ColorSpace=black +>404 lelong 4 ColorSpace=CMY +>404 lelong 5 ColorSpace=YMC +>404 lelong 6 ColorSpace=CMYK +>404 lelong 7 ColorSpace=YMCK +>404 lelong 8 ColorSpace=KCMY +>404 lelong 9 ColorSpace=KCMYcm +>404 lelong 10 ColorSpace=GMCK +>404 lelong 11 ColorSpace=GMCS +>404 lelong 12 ColorSpace=WHITE +>404 lelong 13 ColorSpace=GOLD +>404 lelong 14 ColorSpace=SILVER +>404 lelong 15 ColorSpace=CIE XYZ +>404 lelong 16 ColorSpace=CIE Lab +>404 lelong 17 ColorSpace=RGBW +>404 lelong 18 ColorSpace=sGray +>404 lelong 19 ColorSpace=sRGB +>404 lelong 20 ColorSpace=AdobeRGB + +# Cups Raster image format, Big Endian +0 string RaS +>3 string t Cups Raster version 1, Big Endian +>3 string 2 Cups Raster version 2, Big Endian +>3 string 3 Cups Raster version 3, Big Endian +!:mime application/vnd.cups-raster +>0 use ^cups-be + + +# Cups Raster image format, Little Endian +1 string SaR +>0 string t Cups Raster version 1, Little Endian +>0 string 2 Cups Raster version 2, Little Endian +>0 string 3 Cups Raster version 3, Little Endian +!:mime application/vnd.cups-raster +>0 use \^cups-be + +#------------------------------------------------------------------------------ +# $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $ # dact: file(1) magic for DACT compressed files # 0 long 0x444354C3 DACT compressed data @@ -4036,6 +4636,7 @@ >15 long >30 $BS, block size: %i bytes #------------------------------------------------------------------------------ +# $File: database,v 1.33 2013/03/09 22:36:00 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -4149,95 +4750,247 @@ #>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files -#0 byte 0x02 -#>8 leshort >0 -#>>12 leshort 0 FoxBase -#!:mime application/x-dbf -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) +# updated by Joerg Jenderek at Feb 2013 +# http://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm +# http://www.clicketyclick.dk/databases/xbase/format/dbf.html +# http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm +# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 +0 ubelong&0x0000FFFF <0x00000C20 +# skip Infocom game Z-machine +>2 ubyte >0 +# skip Androids *.xml +>>3 ubyte >0 +>>>3 ubyte <32 +# 1 < version VV +>>>>0 ubyte >1 +# skip HELP.CA3 by test for reserved byte ( NULL ) +>>>>>27 ubyte 0 +# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) +#>>>>>30 ubeshort x 30NULL?%x +# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>24 ubelong&0xffFFFFff >0x01302000 +# .DBF or .MDX +>>>>>>24 ubelong&0xffFFFFff <0x01302001 +# for Xbase Database file (*.DBF) reserved (NULL) for multi-user +>>>>>>>24 ubelong&0xffFFFFff =0 +# test for 2 reserved NULL bytes,transaction and encryption byte flag +>>>>>>>>12 ubelong&0xFFFFfEfE 0 +# test for MDX flag +>>>>>>>>>28 ubyte x +>>>>>>>>>28 ubyte&0xf8 0 +# header size >= 32 +>>>>>>>>>>8 uleshort >31 +# skip PIC15736.PCX by test for language driver name or field name +>>>>>>>>>>>32 ubyte >0 +!:mime application/x-dbf +#!:mime application/x-dbf; charset=unknown-8bit ?? +#!:mime application/x-dbase +>>>>>>>>>>>>0 use xbase-type +# database file +>>>>>>>>>>>>0 ubyte x \b DBF +>>>>>>>>>>>>4 lelong 0 \b, no records +>>>>>>>>>>>>4 lelong >0 \b, %ld record +# plural s appended +>>>>>>>>>>>>>4 lelong >1 \bs +# http://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF +# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000) +>>>>>>>>>>>>10 uleshort x * %d +# file size = records * record size + header size +>>>>>>>>>>>>1 ubyte x \b, update-date +>>>>>>>>>>>>1 use xbase-date +# http://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx +#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=0x%x +# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? +>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=0x%x +#>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file +>>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX +>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT +>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer +# 1st record offset + 1 = header size +>>>>>>>>>>>>8 uleshort >0 +>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d +>>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>>&-1 string >\0 1st record "%s" +# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) +>>>>>>>24 ubelong&0x0133f7ff >0 +# test for reserved NULL byte +>>>>>>>>47 ubyte x +# test for valid TAG key format (0x10 or 0) +>>>>>>>>>559 ubyte&0xeF 0 +# test MM <= 12 +>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>46 ubyte >0 +#!:mime application/x-mdx +>>>>>>>>>>>>>0 use xbase-type +>>>>>>>>>>>>>0 ubyte x \b MDX +>>>>>>>>>>>>>1 ubyte x \b, creation-date +>>>>>>>>>>>>>1 use xbase-date +>>>>>>>>>>>>>44 ubyte x \b, update-date +>>>>>>>>>>>>>44 use xbase-date +# No.of tags in use (1,2,5,12) +>>>>>>>>>>>>>28 uleshort x \b, %d +# No. of entries in tag (0x30) +>>>>>>>>>>>>>25 ubyte x \b/%d tags +# Length of tag +>>>>>>>>>>>>>26 ubyte x * %d +# 1st tag name_ +>>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" +# 2nd tag name +#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # -#0 byte 0x03 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FoxBase+, FoxPro, dBaseIII+, dBaseIV, no memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x04 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBASE IV no memo file -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x05 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBASE V no memo file -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x30 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 Visual FoxPro -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x43 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FlagShip with memo var size -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x7b -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBASEIV with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x83 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FoxBase+, dBaseIII+ with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x8b -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBaseIV with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x8e -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBaseIV with SQL Table -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0xb3 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FlagShip with .dbt memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0xf5 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FoxPro with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 leshort 0x0006 DBase 3 index file +# Print the xBase names of different version variants +0 name xbase-type +>0 ubyte <2 +# 1 < version +>0 ubyte >1 +>>0 ubyte 0x02 FoxBase +# FoxBase+/dBaseIII+, no memo +>>0 ubyte 0x03 FoxBase+/dBase III +# dBASE IV no memo file +>>0 ubyte 0x04 dBase IV +# dBASE V no memo file +>>0 ubyte 0x05 dBase V +>>0 ubyte 0x30 Visual FoxPro +>>0 ubyte 0x31 Visual FoxPro, autoincrement +# Visual FoxPro, with field type Varchar or Varbinary +>>0 ubyte 0x32 Visual FoxPro, with field type Varchar +# dBASE IV SQL, no memo;dbv memo var size (Flagship) +>>0 ubyte 0x43 dBase IV, with SQL table +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0x62 dBase IV, with SQL table +# dBASE IV, with memo!! +>>0 ubyte 0x7b dBase IV, with memo +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0x82 dBase IV, with SQL system +# FoxBase+/dBaseIII+ with memo .DBT! +>>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT +# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file +>>0 ubyte 0x87 VISUAL OBJECTS, with memo file +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT +# dBASE IV with memo! +>>0 ubyte 0x8B dBase IV, with memo .DBT +# dBase IV with SQL Table,no memo? +>>0 ubyte 0x8E dBase IV, with SQL table +# .dbv and .dbt memo (Flagship)? +>>0 ubyte 0xB3 Flagship +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0xCA dBase IV with memo .DBT +# dBASE IV with SQL table, with memo .DBT +>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT +# HiPer-Six format;Clipper SIX, with SMT memo file +>>0 ubyte 0xE5 Clipper SIX with memo +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0xF4 dBase IV, with SQL table, with memo +>>0 ubyte 0xF5 FoxPro with memo +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0xFA FoxPro 2.x, with memo +# unkown version (should not happen) +>>0 default x xBase +>>>0 ubyte x (0x%x) +# flags in version byte +# DBT flag (with dBASE III memo .DBT)!! +# >>0 ubyte&0x80 >0 DBT_FLAG=%x +# memo flag ?? +# >>0 ubyte&0x08 >0 MEMO_FLAG=%x +# SQL flag ?? +# >>0 ubyte&0x70 >0 SQL_FLAG=%x +# test and print the date of xBase .DBF .MDX +0 name xbase-date +# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 +>0 ubelong x +>1 ubyte <13 +>>1 ubyte >0 +>>>2 ubyte >0 +>>>>2 ubyte <32 +>>>>>0 ubyte x +# YY is interpreted as 20YY or 19YY +>>>>>>0 ubyte <100 \b %.2d +# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY +>>>>>>0 ubyte >99 \b %d +>>>>>1 ubyte x \b-%d +>>>>>2 ubyte x \b-%d +# dBase memo files .DBT or .FPT +# http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx +16 ubyte <4 +>16 ubyte !2 +>>16 ubyte !1 +# next free block index is positive +>>>0 ulelong >0 +# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size +>>>>17 ubelong&0xFFfdFE00 0x00000000 +# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h +>>>>>20 ubelong&0xFF01209B 0x00000000 +# dBASE III +>>>>>>16 ubyte 3 +# dBASE III DBT +>>>>>>>0 use xbase-memo-print +# dBASE IV DBT , FoxPro FPT or many PNG , ZIP , DBF garbage +>>>>>>16 ubyte 0 +# dBASE IV DBT with DBF name or DBF garbage +>>>>>>>8 ubelong >0x40000000 +# skip DBF and catch dBASE IV DBT with DBF name and with non big index of next free block +>>>>>>>>0 ulelong <0x01010002 +>>>>>>>>>0 use xbase-memo-print +>>>>>>>8 ubelong 0 +# skip MM*DD*.bin by test for for reserved NULL byte +>>>>>>>>508 ubelong 0 +>>>>>>>>>0 use xbase-memo-print +# garbage PCX , ZIP , JAR , XPI +>>>>>>>8 default x + +# Print the information of dBase DBT or FoxPro FPT memo files +0 name xbase-memo-print +>0 ubyte x +# test version +# memo file +>>16 ubyte 3 dBase III DBT +>>16 ubyte 0 +>>>512 ubelong <0x00000003 FoxPro FPT +# Size of blocks for FoxPro +>>>>6 ubeshort x \b, blocks size %lu +# Number of next available block for appending data for FoxPro +>>>>0 ubelong =0 \b, next free block index %lu +>>>>0 ubelong !0 \b, next free block index %lu +>>>512 default x dBase IV DBT +# DBF file name without extension +>>>>8 string >\0 \b of %-.8s.DBF +# size of blocks ; not reliable 0x2020204C +#>>>>4 ulelong =0 \b, blocks size %lu +>>>>4 ulelong !0 \b, blocks size %lu +# Block length found 0 , 512 +#>>>>20 uleshort =0 \b, block length %u +>>>>20 uleshort !0 \b, block length %u +# Number of next available block for appending data +>>>>0 ulelong =0 \b, next free block index %lu +>>>>0 ulelong !0 \b, next free block index %lu +>>512 ubelong x +>>>512 ubelong =0xFFFF0800 +>>>>520 string >\0 \b, 1st used item "%s" +# FoxPro +>>>512 ubelong <3 +# FoxPro memo +>>>>512 ubelong =1 +>>>>520 string >\0 \b, 1st used item "%s" +>>>512 default x +# may be deleted memo field +>>>>512 string >\0 \b, 1st item "%s" + +# TODO: +# DBASE index file *.NDX +# DBASE Compound Index file *.CDX +# dBASE IV Printer Driver *.PRF +## End of XBase database stuff + # MS Access database 4 string Standard\ Jet\ DB Microsoft Access Database !:mime application/x-msaccess +4 string Standard\ ACE\ DB Microsoft Access Database +!:mime application/x-msaccess # TDB database from Samba et al - Martin Pool 0 string TDB\ file TDB database @@ -4279,18 +5032,53 @@ # From: Nicolas Chauvat 0 string @(#)ADF\ Database CGNS Advanced Data Format +# Tokyo Cabinet magic data +# http://tokyocabinet.sourceforge.net/index.html +0 string ToKyO\ CaBiNeT\n Tokyo Cabinet +>14 string x \b (%s) +>32 byte 0 \b, Hash +!:mime application/x-tokyocabinet-hash +>32 byte 1 \b, B+ tree +!:mime application/x-tokyocabinet-btree +>32 byte 2 \b, Fixed-length +!:mime application/x-tokyocabinet-fixed +>32 byte 3 \b, Table +!:mime application/x-tokyocabinet-table +>33 byte &1 \b, [open] +>33 byte &2 \b, [fatal] +>34 byte x \b, apow=%d +>35 byte x \b, fpow=%d +>36 byte &0x01 \b, [large] +>36 byte &0x02 \b, [deflate] +>36 byte &0x04 \b, [bzip] +>36 byte &0x08 \b, [tcbs] +>36 byte &0x10 \b, [excodec] +>40 lequad x \b, bnum=%lld +>48 lequad x \b, rnum=%lld +>56 lequad x \b, fsiz=%lld + # Type: QDBM Quick Database Manager # From: Benoit Sibaud -0 string \\[depot\\]\n\f Quick Database Manager, little endian -0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian +0 string \\[depot\\]\n\f Quick Database Manager, little endian +0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian # Type: TokyoCabinet database # URL: http://tokyocabinet.sourceforge.net/ # From: Benoit Sibaud -0 string ToKyO\ CaBiNeT\n TokyoCabinet database ->14 string x (version %s) +0 string ToKyO\ CaBiNeT\n TokyoCabinet database +>14 string x (version %s) +# From: Stephane Blondon http://www.yaal.fr +# Database file for Zope (done by FileStorage) +0 string FS21 Zope Object Database File Storage (data) +# Cache file for the database of Zope (done by ClientStorage) +0 string ZEC3 Zope Object Database Client Cache File (data) + +# IDA (Interactive Disassembler) database +0 string IDA1 IDA (Interactive Disassembler) database + #------------------------------------------------------------------------------ +# $File: diamond,v 1.7 2009/09/19 16:28:08 christos Exp $ # diamond: file(1) magic for Diamond system # # ... diamond is a multi-media mail and electronic conferencing system.... @@ -4300,7 +5088,9 @@ # The full deal is too long... #0 string \n Diamond Multimedia Document 0 string =\n&0 search/1024 \n +>>&0 search/1 +++\ +>>>&0 search/1024 \n +>>>>&0 search/1 @@ unified diff output text +!:mime text/x-diff +!:strength + 90 + +# librsync -- the library for network deltas +# +# Copyright (C) 2001 by Martin Pool. You may do whatever you want with +# this file. +# +0 belong 0x72730236 rdiff network-delta data + +0 belong 0x72730136 rdiff network-delta signature data +>4 belong x (block length=%d, +>8 belong x signature strength=%d) + +#------------------------------------------------------------------------------ +# $File: digital,v 1.11 2013/01/11 16:45:23 christos Exp $ # Digital UNIX - Info # 0 string =!\n________64E Alpha archive >22 string X -- out of date # -# Alpha COFF Based Executables -# The stripped stuff really needs to be an 8 byte (64 bit) compare, -# but this works -0 leshort 0x183 COFF format alpha ->22 leshort&020000 &010000 sharable library, ->22 leshort&020000 ^010000 dynamically linked, ->24 leshort 0410 pure ->24 leshort 0413 demand paged ->8 lelong >0 executable or object module, not stripped ->8 lelong 0 ->>12 lelong 0 executable or object module, stripped ->>12 lelong >0 executable or object module, not stripped ->27 byte >0 - version %d. ->26 byte >0 %d- ->28 leshort >0 %d + +0 leshort 0603 +>24 leshort 0410 COFF format alpha pure +>24 leshort 0413 COFF format alpha demand paged +>>22 leshort&030000 !020000 executable +>>22 leshort&020000 !0 dynamically linked +>>16 lelong !0 not stripped +>>16 lelong 0 stripped +>>27 byte x - version %d +>>26 byte x \b.%d +>>28 byte x \b-%d +>24 leshort 0407 COFF format alpha object +>>22 leshort&030000 020000 shared library +>>27 byte x - version %d +>>26 byte x \b.%d +>>28 byte x \b-%d + +# Basic recognition of Digital UNIX core dumps - Mike Bremford # +# The actual magic number is just "Core", followed by a 2-byte version +# number; however, treating any file that begins with "Core" as a Digital +# UNIX core dump file may produce too many false hits, so we include one +# byte of the version number as well; DU 5.0 appears only to be up to +# version 2. +# +0 string Core\001 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' +0 string Core\002 Alpha COFF format core dump (Digital UNIX) +>24 string >\0 \b, from '%s' +# # The next is incomplete, we could tell more about this format, # but its not worth it. 0 leshort 0x188 Alpha compressed COFF @@ -4355,12 +5186,16 @@ 0 short 0x0501 locale data table >6 short 0x24 for MIPS >6 short 0x40 for Alpha + +#------------------------------------------------------------------------------ +# $File: dolby,v 1.6 2012/10/31 13:39:42 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! # # syncword 0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, +!:mime audio/vnd.dolby.dd-raw # fscod >4 byte&0xc0 0x00 48 kHz, >4 byte&0xc0 0x40 44.1 kHz, @@ -4414,11 +5249,12 @@ >6 beshort&0x0180 0x0180 reserved Dolby Surround mode #------------------------------------------------------------------------------ +# $File: dump,v 1.12 2012/11/01 04:26:40 christos Exp $ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. # -24 belong 60012 new-fs dump file (big endian), +0 name new-dump-be >4 bedate x Previous dump %s, >8 bedate x This dump %s, >12 belong >0 Volume %ld, @@ -4437,7 +5273,7 @@ >824 string >\0 Host %s, >888 belong >0 Flags %x -24 belong 60011 old-fs dump file (big endian), +0 name old-dump-be #>4 bedate x Previous dump %s, #>8 bedate x This dump %s, >12 belong >0 Volume %ld, @@ -4456,57 +5292,7 @@ >824 string >\0 Host %s, >888 belong >0 Flags %x -24 lelong 60012 new-fs dump file (little endian), ->4 ledate x This dump %s, ->8 ledate x Previous dump %s, ->12 lelong >0 Volume %ld, ->692 lelong 0 Level zero, type: ->692 lelong >0 Level %d, type: ->0 lelong 1 tape header, ->0 lelong 2 beginning of file record, ->0 lelong 3 map of inodes on tape, ->0 lelong 4 continuation of file record, ->0 lelong 5 end of volume, ->0 lelong 6 map of inodes deleted, ->0 lelong 7 end of medium (for floppy), ->676 string >\0 Label %s, ->696 string >\0 Filesystem %s, ->760 string >\0 Device %s, ->824 string >\0 Host %s, ->888 lelong >0 Flags %x - -24 lelong 60011 old-fs dump file (little endian), -#>4 ledate x Previous dump %s, -#>8 ledate x This dump %s, ->12 lelong >0 Volume %ld, ->692 lelong 0 Level zero, type: ->692 lelong >0 Level %d, type: ->0 lelong 1 tape header, ->0 lelong 2 beginning of file record, ->0 lelong 3 map of inodes on tape, ->0 lelong 4 continuation of file record, ->0 lelong 5 end of volume, ->0 lelong 6 map of inodes deleted, ->0 lelong 7 end of medium (for floppy), ->676 string >\0 Label %s, ->696 string >\0 Filesystem %s, ->760 string >\0 Device %s, ->824 string >\0 Host %s, ->888 lelong >0 Flags %x - -18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), ->2 medate x Previous dump %s, ->6 medate x This dump %s, ->10 leshort >0 Volume %ld, ->0 leshort 1 tape header. ->0 leshort 2 beginning of file record. ->0 leshort 3 map of inodes on tape. ->0 leshort 4 continuation of file record. ->0 leshort 5 end of volume. ->0 leshort 6 map of inodes deleted. ->0 leshort 7 end of medium (for floppy). - -24 belong 0x19540119 new-fs dump file (ufs2, big endian), +0 name ufs2-dump-be >896 beqdate x Previous dump %s, >904 beqdate x This dump %s, >12 belong >0 Volume %ld, @@ -4525,29 +5311,42 @@ >824 string >\0 Host %s, >888 belong >0 Flags %x -24 lelong 0x19540119 new-fs dump file (ufs2, little endian), ->896 leqdate x This dump %s, ->904 leqdate x Previous dump %s, ->12 lelong >0 Volume %ld, ->692 lelong 0 Level zero, type: ->692 lelong >0 Level %d, type: ->0 lelong 1 tape header, ->0 lelong 2 beginning of file record, ->0 lelong 3 map of inodes on tape, ->0 lelong 4 continuation of file record, ->0 lelong 5 end of volume, ->0 lelong 6 map of inodes deleted, ->0 lelong 7 end of medium (for floppy), ->676 string >\0 Label %s, ->696 string >\0 Filesystem %s, ->760 string >\0 Device %s, ->824 string >\0 Host %s, ->888 lelong >0 Flags %x +24 belong 60012 new-fs dump file (big endian), +>0 use new-dump-be +24 belong 60011 old-fs dump file (big endian), +>0 use old-dump-be + +24 lelong 60012 new-fs dump file (little endian), +>0 use \^new-dump-be + +24 lelong 60011 old-fs dump file (little endian), +>0 use \^old-dump-be + + +24 belong 0x19540119 new-fs dump file (ufs2, big endian), +>0 use ufs2-dump-be + +24 lelong 0x19540119 new-fs dump file (ufs2, little endian), +>0 use \^ufs2-dump-be + +18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), +>2 medate x Previous dump %s, +>6 medate x This dump %s, +>10 leshort >0 Volume %ld, +>0 leshort 1 tape header. +>0 leshort 2 beginning of file record. +>0 leshort 3 map of inodes on tape. +>0 leshort 4 continuation of file record. +>0 leshort 5 end of volume. +>0 leshort 6 map of inodes deleted. +>0 leshort 7 end of medium (for floppy). + #------------------------------------------------------------------------------ +# $File: dyadic,v 1.5 2010/09/20 18:55:20 rrt Exp $ # Dyadic: file(1) magic for Dyalog APL. # -0 byte 0xaa +0 byte 0xaa >1 byte <4 Dyalog APL >>1 byte 0x00 incomplete workspace >>1 byte 0x01 component file @@ -4556,7 +5355,49 @@ >>2 byte x version %d >>3 byte x .%d +0 beshort 0xaa03 Dyalog APL +>2 byte x workspace type %d +>3 byte x subtype %d +>7 byte&0x28 0x00 32-bit +>7 byte&0x28 0x20 64-bit +>7 byte&0x0c 0x00 classic +>7 byte&0x0c 0x04 unicode +>7 byte&0x88 0x00 big-endian +>7 byte&0x88 0x80 little-endian + +0 byte 0xaa Dyalog APL +>1 byte 0x00 aplcore +>1 byte 0x01 component file 32-bit non-journaled non-checksummed +>1 byte 0x02 external variable exclusive +>1 byte 0x06 external variable shared +>1 byte 0x07 session +>1 byte 0x08 mapped file 32-bit +>1 byte 0x09 component file 64-bit non-journaled non-checksummed +>1 byte 0x0a mapped file 64-bit +>1 byte 0x0b component file 32-bit level 1 journaled non-checksummed +>1 byte 0x0c component file 64-bit level 1 journaled non-checksummed +>1 byte 0x0d component file 32-bit level 1 journaled checksummed +>1 byte 0x0e component file 64-bit level 1 journaled checksummed +>1 byte 0x0f component file 32-bit level 2 journaled checksummed +>1 byte 0x10 component file 64-bit level 2 journaled checksummed +>1 byte 0x11 component file 32-bit level 3 journaled checksummed +>1 byte 0x12 component file 64-bit level 3 journaled checksummed +>1 byte 0x13 component file 32-bit non-journaled checksummed +>1 byte 0x14 component file 64-bit non-journaled checksummed +>1 byte 0x80 DDB + +0 short 0x6060 Dyalog APL transfer + #------------------------------------------------------------------------------ +# $File: ebml,v 1.1 2010/07/02 00:07:03 christos Exp $ +# ebml: file(1) magic for various Extensible Binary Meta Language +# http://www.matroska.org/technical/specs/index.html#track +0 belong 0x1a45dfa3 EBML file +>4 search/b/100 \102\202 +>>&1 string x \b, creator %.8s + +#------------------------------------------------------------------------------ +# $File: editors,v 1.8 2009/09/19 16:28:09 christos Exp $ # T602 editor documents # by David Necas 0 string @CT\ T602 document data, @@ -4574,6 +5415,7 @@ >&0 string >\0 \b, version %s #------------------------------------------------------------------------------ +# $File: efi,v 1.4 2009/09/19 16:28:09 christos Exp $ # efi: file(1) magic for Universal EFI binaries 0 lelong 0x0ef1fab9 @@ -4588,6 +5430,7 @@ >4 lelong >2 Universal EFI binary with %ld architectures #------------------------------------------------------------------------------ +# $File: elf,v 1.59 2013/03/21 17:50:02 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -4601,255 +5444,185 @@ # Modified by (3): Christian 'Dr. Disk' Hechelmann (fix of core support) # Modified by (4): (VMS Itanium) # Modified by (5): Matthias Urlichs (Listing of many architectures) -0 string \177ELF ELF ->4 byte 0 invalid class ->4 byte 1 32-bit ->4 byte 2 64-bit ->5 byte 0 invalid byte order ->5 byte 1 LSB ->>16 leshort 0 no file type, -!:strength *2 + +0 name elf-le +>16 leshort 0 no file type, !:mime application/octet-stream ->>16 leshort 1 relocatable, +>16 leshort 1 relocatable, !:mime application/x-object ->>16 leshort 2 executable, +>16 leshort 2 executable, !:mime application/x-executable ->>16 leshort 3 shared object, +>16 leshort 3 shared object, !:mime application/x-sharedlib ->>16 leshort 4 core file +>16 leshort 4 core file !:mime application/x-coredump # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), ->>16 leshort &0xff00 processor-specific, ->>18 leshort 0 no machine, ->>18 leshort 1 AT&T WE32100 - invalid byte order, ->>18 leshort 2 SPARC - invalid byte order, ->>18 leshort 3 Intel 80386, ->>18 leshort 4 Motorola +>16 leshort &0xff00 processor-specific, +>18 leshort 0 no machine, +>18 leshort 1 AT&T WE32100 +>18 leshort 2 SPARC +>18 leshort 3 Intel 80386, +>18 leshort 4 Motorola +>>4 byte 1 >>>36 lelong &0x01000000 68000 - invalid byte order, >>>36 lelong &0x00810000 CPU32 - invalid byte order, >>>36 lelong 0 68020 - invalid byte order, ->>18 leshort 5 Motorola 88000 - invalid byte order, ->>18 leshort 6 Intel 80486, ->>18 leshort 7 Intel 80860, +>18 leshort 5 Motorola 88000 - invalid byte order, +>18 leshort 6 Intel 80486, +>18 leshort 7 Intel 80860, # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. ->>18 leshort 8 MIPS, +>18 leshort 8 MIPS, +>>4 byte 1 >>>36 lelong &0x20 N32 ->>18 leshort 10 MIPS, +>18 leshort 10 MIPS, +>>4 byte 1 >>>36 lelong &0x20 N32 ->>18 leshort 8 +>18 leshort 8 # only for 32-bit ->>>4 byte 1 ->>>>36 lelong&0xf0000000 0x00000000 MIPS-I ->>>>36 lelong&0xf0000000 0x10000000 MIPS-II ->>>>36 lelong&0xf0000000 0x20000000 MIPS-III ->>>>36 lelong&0xf0000000 0x30000000 MIPS-IV ->>>>36 lelong&0xf0000000 0x40000000 MIPS-V ->>>>36 lelong&0xf0000000 0x50000000 MIPS32 ->>>>36 lelong&0xf0000000 0x60000000 MIPS64 ->>>>36 lelong&0xf0000000 0x70000000 MIPS32 rel2 ->>>>36 lelong&0xf0000000 0x80000000 MIPS64 rel2 +>>4 byte 1 +>>>36 lelong&0xf0000000 0x00000000 MIPS-I +>>>36 lelong&0xf0000000 0x10000000 MIPS-II +>>>36 lelong&0xf0000000 0x20000000 MIPS-III +>>>36 lelong&0xf0000000 0x30000000 MIPS-IV +>>>36 lelong&0xf0000000 0x40000000 MIPS-V +>>>36 lelong&0xf0000000 0x50000000 MIPS32 +>>>36 lelong&0xf0000000 0x60000000 MIPS64 +>>>36 lelong&0xf0000000 0x70000000 MIPS32 rel2 +>>>36 lelong&0xf0000000 0x80000000 MIPS64 rel2 # only for 64-bit ->>>4 byte 2 ->>>>48 lelong&0xf0000000 0x00000000 MIPS-I ->>>>48 lelong&0xf0000000 0x10000000 MIPS-II ->>>>48 lelong&0xf0000000 0x20000000 MIPS-III ->>>>48 lelong&0xf0000000 0x30000000 MIPS-IV ->>>>48 lelong&0xf0000000 0x40000000 MIPS-V ->>>>48 lelong&0xf0000000 0x50000000 MIPS32 ->>>>48 lelong&0xf0000000 0x60000000 MIPS64 ->>>>48 lelong&0xf0000000 0x70000000 MIPS32 rel2 ->>>>48 lelong&0xf0000000 0x80000000 MIPS64 rel2 ->>18 leshort 9 Amdahl - invalid byte order, ->>18 leshort 10 MIPS (deprecated), ->>18 leshort 11 RS6000 - invalid byte order, ->>18 leshort 15 PA-RISC - invalid byte order, ->>>50 leshort 0x0214 2.0 ->>>48 leshort &0x0008 (LP64), ->>18 leshort 16 nCUBE, ->>18 leshort 17 Fujitsu VPP500, ->>18 leshort 18 SPARC32PLUS - invalid byte order, ->>18 leshort 20 PowerPC, ->>18 leshort 22 IBM S/390, ->>18 leshort 36 NEC V800, ->>18 leshort 37 Fujitsu FR20, ->>18 leshort 38 TRW RH-32, ->>18 leshort 39 Motorola RCE, ->>18 leshort 40 ARM, ->>18 leshort 41 Alpha, ->>18 leshort 0xa390 IBM S/390 (obsolete), ->>18 leshort 42 Renesas SH, ->>18 leshort 43 SPARC V9 - invalid byte order, ->>18 leshort 44 Siemens Tricore Embedded Processor, ->>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., ->>18 leshort 46 Renesas H8/300, ->>18 leshort 47 Renesas H8/300H, ->>18 leshort 48 Renesas H8S, ->>18 leshort 49 Renesas H8/500, ->>18 leshort 50 IA-64, ->>18 leshort 51 Stanford MIPS-X, ->>18 leshort 52 Motorola Coldfire, ->>18 leshort 53 Motorola M68HC12, ->>18 leshort 54 Fujitsu MMA, ->>18 leshort 55 Siemens PCP, ->>18 leshort 56 Sony nCPU, ->>18 leshort 57 Denso NDR1, ->>18 leshort 58 Start*Core, ->>18 leshort 59 Toyota ME16, ->>18 leshort 60 ST100, ->>18 leshort 61 Tinyj emb., ->>18 leshort 62 x86-64, ->>18 leshort 63 Sony DSP, ->>18 leshort 66 FX66, ->>18 leshort 67 ST9+ 8/16 bit, ->>18 leshort 68 ST7 8 bit, ->>18 leshort 69 MC68HC16, ->>18 leshort 70 MC68HC11, ->>18 leshort 71 MC68HC08, ->>18 leshort 72 MC68HC05, ->>18 leshort 73 SGI SVx, ->>18 leshort 74 ST19 8 bit, ->>18 leshort 75 Digital VAX, ->>18 leshort 76 Axis cris, ->>18 leshort 77 Infineon 32-bit embedded, ->>18 leshort 78 Element 14 64-bit DSP, ->>18 leshort 79 LSI Logic 16-bit DSP, ->>18 leshort 80 MMIX, ->>18 leshort 81 Harvard machine-independent, ->>18 leshort 82 SiTera Prism, ->>18 leshort 83 Atmel AVR 8-bit, ->>18 leshort 84 Fujitsu FR30, ->>18 leshort 85 Mitsubishi D10V, ->>18 leshort 86 Mitsubishi D30V, ->>18 leshort 87 NEC v850, ->>18 leshort 88 Renesas M32R, ->>18 leshort 89 Matsushita MN10300, ->>18 leshort 90 Matsushita MN10200, ->>18 leshort 91 picoJava, ->>18 leshort 92 OpenRISC, ->>18 leshort 93 ARC Cores Tangent-A5, ->>18 leshort 0x3426 OpenRISC (obsolete), ->>18 leshort 0x8472 OpenRISC (obsolete), ->>18 leshort 94 Tensilica Xtensa, ->>18 leshort 97 NatSemi 32k, ->>18 leshort 106 Analog Devices Blackfin, ->>18 leshort 0x9026 Alpha (unofficial), ->>20 lelong 0 invalid version ->>20 lelong 1 version 1 ->>36 lelong 1 MathCoPro/FPU/MAU Required ->5 byte 2 MSB ->>16 beshort 0 no file type, -!:mime application/octet-stream ->>16 beshort 1 relocatable, -!:mime application/x-object ->>16 beshort 2 executable, -!:mime application/x-executable ->>16 beshort 3 shared object, -!:mime application/x-sharedlib ->>16 beshort 4 core file, -!:mime application/x-coredump -#>>>(0x38+0xcc) string >\0 of '%s' -#>>>(0x38+0x10) belong >0 (signal %d), ->>16 beshort &0xff00 processor-specific, ->>18 beshort 0 no machine, ->>18 beshort 1 AT&T WE32100, ->>18 beshort 2 SPARC, ->>18 beshort 3 Intel 80386 - invalid byte order, ->>18 beshort 4 Motorola ->>>36 belong &0x01000000 68000, ->>>36 belong &0x00810000 CPU32, ->>>36 belong 0 68020, ->>18 beshort 5 Motorola 88000, ->>18 beshort 6 Intel 80486 - invalid byte order, ->>18 beshort 7 Intel 80860, -# only for MIPS - see comment in little-endian section above. ->>18 beshort 8 MIPS, ->>>36 belong &0x20 N32 ->>18 beshort 10 MIPS, ->>>36 belong &0x20 N32 ->>18 beshort 8 +>>4 byte 2 +>>>48 lelong&0xf0000000 0x00000000 MIPS-I +>>>48 lelong&0xf0000000 0x10000000 MIPS-II +>>>48 lelong&0xf0000000 0x20000000 MIPS-III +>>>48 lelong&0xf0000000 0x30000000 MIPS-IV +>>>48 lelong&0xf0000000 0x40000000 MIPS-V +>>>48 lelong&0xf0000000 0x50000000 MIPS32 +>>>48 lelong&0xf0000000 0x60000000 MIPS64 +>>>48 lelong&0xf0000000 0x70000000 MIPS32 rel2 +>>>48 lelong&0xf0000000 0x80000000 MIPS64 rel2 +>18 leshort 9 Amdahl - invalid byte order, +>18 leshort 10 MIPS (deprecated), +>18 leshort 11 RS6000 - invalid byte order, +>18 leshort 15 PA-RISC - invalid byte order, # only for 32-bit ->>>4 byte 1 ->>>>36 belong&0xf0000000 0x00000000 MIPS-I ->>>>36 belong&0xf0000000 0x10000000 MIPS-II ->>>>36 belong&0xf0000000 0x20000000 MIPS-III ->>>>36 belong&0xf0000000 0x30000000 MIPS-IV ->>>>36 belong&0xf0000000 0x40000000 MIPS-V ->>>>36 belong&0xf0000000 0x50000000 MIPS32 ->>>>36 belong&0xf0000000 0x60000000 MIPS64 ->>>>36 belong&0xf0000000 0x70000000 MIPS32 rel2 ->>>>36 belong&0xf0000000 0x80000000 MIPS64 rel2 +>>4 byte 1 +>>>38 leshort 0x0214 2.0 +>>>36 leshort &0x0008 (LP64) # only for 64-bit ->>>4 byte 2 ->>>>48 belong&0xf0000000 0x00000000 MIPS-I ->>>>48 belong&0xf0000000 0x10000000 MIPS-II ->>>>48 belong&0xf0000000 0x20000000 MIPS-III ->>>>48 belong&0xf0000000 0x30000000 MIPS-IV ->>>>48 belong&0xf0000000 0x40000000 MIPS-V ->>>>48 belong&0xf0000000 0x50000000 MIPS32 ->>>>48 belong&0xf0000000 0x60000000 MIPS64 ->>>>48 belong&0xf0000000 0x70000000 MIPS32 rel2 ->>>>48 belong&0xf0000000 0x80000000 MIPS64 rel2 ->>18 beshort 9 Amdahl, ->>18 beshort 10 MIPS (deprecated), ->>18 beshort 11 RS6000, ->>18 beshort 15 PA-RISC ->>>50 beshort 0x0214 2.0 ->>>48 beshort &0x0008 (LP64) ->>18 beshort 16 nCUBE, ->>18 beshort 17 Fujitsu VPP500, ->>18 beshort 18 SPARC32PLUS, ->>>36 belong&0xffff00 0x000100 V8+ Required, ->>>36 belong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, ->>>36 belong&0xffff00 0x000400 HaL R1 Extensions Required, ->>>36 belong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, ->>18 beshort 20 PowerPC or cisco 4500, ->>18 beshort 21 64-bit PowerPC or cisco 7500, ->>18 beshort 22 IBM S/390, ->>18 beshort 23 Cell SPU, ->>18 beshort 24 cisco SVIP, ->>18 beshort 25 cisco 7200, ->>18 beshort 36 NEC V800 or cisco 12000, ->>18 beshort 37 Fujitsu FR20, ->>18 beshort 38 TRW RH-32, ->>18 beshort 39 Motorola RCE, ->>18 beshort 40 ARM, ->>18 beshort 41 Alpha, ->>18 beshort 42 Renesas SH, ->>18 beshort 43 SPARC V9, ->>>48 belong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, ->>>48 belong&0xffff00 0x000400 HaL R1 Extensions Required, ->>>48 belong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, ->>>48 belong&0x3 0 total store ordering, ->>>48 belong&0x3 1 partial store ordering, ->>>48 belong&0x3 2 relaxed memory ordering, ->>18 beshort 44 Siemens Tricore Embedded Processor, ->>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., ->>18 beshort 46 Renesas H8/300, ->>18 beshort 47 Renesas H8/300H, ->>18 beshort 48 Renesas H8S, ->>18 beshort 49 Renesas H8/500, ->>18 beshort 50 IA-64, ->>18 beshort 51 Stanford MIPS-X, ->>18 beshort 52 Motorola Coldfire, ->>18 beshort 53 Motorola M68HC12, ->>18 beshort 73 Cray NV1, ->>18 beshort 75 Digital VAX, ->>18 beshort 88 Renesas M32R, ->>18 leshort 92 OpenRISC, ->>18 leshort 0x3426 OpenRISC (obsolete), ->>18 leshort 0x8472 OpenRISC (obsolete), ->>18 beshort 94 Tensilica Xtensa, ->>18 beshort 97 NatSemi 32k, ->>18 beshort 0x18ad AVR32 (unofficial), ->>18 beshort 0x9026 Alpha (unofficial), ->>18 beshort 0xa390 IBM S/390 (obsolete), ->>20 belong 0 invalid version ->>20 belong 1 version 1 ->>36 belong 1 MathCoPro/FPU/MAU Required +>>4 byte 2 +>>>50 leshort 0x0214 2.0 +>>>48 leshort &0x0008 (LP64) +>18 leshort 16 nCUBE, +>18 leshort 17 Fujitsu VPP500, +>18 leshort 18 SPARC32PLUS, +# only for 32-bit +>>4 byte 1 +>>>36 lelong&0xffff00 0x000100 V8+ Required, +>>>36 lelong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, +>>>36 lelong&0xffff00 0x000400 HaL R1 Extensions Required, +>>>36 lelong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, +>18 leshort 20 PowerPC or cisco 4500, +>18 leshort 21 64-bit PowerPC or cisco 7500, +>18 leshort 22 IBM S/390, +>18 leshort 23 Cell SPU, +>18 leshort 24 cisco SVIP, +>18 leshort 25 cisco 7200, +>18 leshort 36 NEC V800 or cisco 12000, +>18 leshort 37 Fujitsu FR20, +>18 leshort 38 TRW RH-32, +>18 leshort 39 Motorola RCE, +>18 leshort 40 ARM, +>>4 byte 1 +>>>36 lelong&0xff000000 0x04000000 EABI4 +>>>36 lelong&0xff000000 0x05000000 EABI5 +>18 leshort 41 Alpha, +>18 leshort 0xa390 IBM S/390 (obsolete), +>18 leshort 42 Renesas SH, +>18 leshort 43 SPARC V9, +>>4 byte 2 +>>>48 lelong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, +>>>48 lelong&0xffff00 0x000400 HaL R1 Extensions Required, +>>>48 lelong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, +>>>48 lelong&0x3 0 total store ordering, +>>>48 lelong&0x3 1 partial store ordering, +>>>48 lelong&0x3 2 relaxed memory ordering, +>18 leshort 44 Siemens Tricore Embedded Processor, +>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., +>18 leshort 46 Renesas H8/300, +>18 leshort 47 Renesas H8/300H, +>18 leshort 48 Renesas H8S, +>18 leshort 49 Renesas H8/500, +>18 leshort 50 IA-64, +>18 leshort 51 Stanford MIPS-X, +>18 leshort 52 Motorola Coldfire, +>18 leshort 53 Motorola M68HC12, +>18 leshort 54 Fujitsu MMA, +>18 leshort 55 Siemens PCP, +>18 leshort 56 Sony nCPU, +>18 leshort 57 Denso NDR1, +>18 leshort 58 Start*Core, +>18 leshort 59 Toyota ME16, +>18 leshort 60 ST100, +>18 leshort 61 Tinyj emb., +>18 leshort 62 x86-64, +>18 leshort 63 Sony DSP, +>18 leshort 66 FX66, +>18 leshort 67 ST9+ 8/16 bit, +>18 leshort 68 ST7 8 bit, +>18 leshort 69 MC68HC16, +>18 leshort 70 MC68HC11, +>18 leshort 71 MC68HC08, +>18 leshort 72 MC68HC05, +>18 leshort 73 SGI SVx or Cray NV1, +>18 leshort 74 ST19 8 bit, +>18 leshort 75 Digital VAX, +>18 leshort 76 Axis cris, +>18 leshort 77 Infineon 32-bit embedded, +>18 leshort 78 Element 14 64-bit DSP, +>18 leshort 79 LSI Logic 16-bit DSP, +>18 leshort 80 MMIX, +>18 leshort 81 Harvard machine-independent, +>18 leshort 82 SiTera Prism, +>18 leshort 83 Atmel AVR 8-bit, +>18 leshort 84 Fujitsu FR30, +>18 leshort 85 Mitsubishi D10V, +>18 leshort 86 Mitsubishi D30V, +>18 leshort 87 NEC v850, +>18 leshort 88 Renesas M32R, +>18 leshort 89 Matsushita MN10300, +>18 leshort 90 Matsushita MN10200, +>18 leshort 91 picoJava, +>18 leshort 92 OpenRISC, +>18 leshort 93 ARC Cores Tangent-A5, +>18 leshort 94 Tensilica Xtensa, +>18 leshort 97 NatSemi 32k, +>18 leshort 106 Analog Devices Blackfin, +>18 leshort 113 Altera Nios II, +>18 leshort 174 META, +>18 leshort 183 ARM aarch64, +>18 leshort 187 Tilera TILE64, +>18 leshort 188 Tilera TILEPro, +>18 leshort 191 Tilera TILE-Gx, +>18 leshort 0x3426 OpenRISC (obsolete), +>18 leshort 0x8472 OpenRISC (obsolete), +>18 leshort 0x9026 Alpha (unofficial), +>20 lelong 0 invalid version +>20 lelong 1 version 1 + +0 string \177ELF ELF +!:strength *2 +>4 byte 0 invalid class +>4 byte 1 32-bit +>4 byte 2 64-bit +>5 byte 0 invalid byte order +>5 byte 1 LSB +>>0 use elf-le +>5 byte 2 MSB +>>0 use \^elf-le # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # like proper ELF, but extracting the string had bad results. >4 byte <0x80 @@ -4874,6 +5647,7 @@ >>7 byte 255 (embedded) #------------------------------------------------------------------------------ +# $File: encore,v 1.6 2009/09/19 16:28:09 christos Exp $ # encore: file(1) magic for Encore machines # # XXX - needs to have the byte order specified (NS32K was little-endian, @@ -4895,16 +5669,69 @@ #>4 date x stamp %s #------------------------------------------------------------------------------ -# Epoc 32 : file(1) magic for Epoc Documents [psion/osaris -# Stefan Praszalowicz (hpicollo@worldnet.fr) -#0 lelong 0x10000037 Epoc32 +# $File: epoc,v 1.8 2012/06/16 14:43:36 christos Exp $ +# EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] +# Stefan Praszalowicz and Peter Breitenlohner +# Useful information for improving this file can be found at: +# http://software.frodo.looijaard.name/psiconv/formats/Index.html +#------------------------------------------------------------------------------ +0 lelong 0x10000037 Psion Series 5 +>4 lelong 0x10000039 font file +>4 lelong 0x1000003A printer driver +>4 lelong 0x1000003B clipboard +>4 lelong 0x10000042 multi-bitmap image +!:mime image/x-epoc-mbm +>4 lelong 0x1000006A application information file >4 lelong 0x1000006D ->>8 lelong 0x1000007F Word ->>8 lelong 0x10000088 Sheet ->>8 lelong 0x1000007D Sketch ->>8 lelong 0x10000085 TextEd +>>8 lelong 0x1000007D Sketch image +!:mime image/x-epoc-sketch +>>8 lelong 0x1000007E voice note +>>8 lelong 0x1000007F Word file +!:mime application/x-epoc-word +>>8 lelong 0x10000085 OPL program (TextEd) +!:mime application/x-epoc-opl +>>8 lelong 0x10000087 Comms settings +>>8 lelong 0x10000088 Sheet file +!:mime application/x-epoc-sheet +>>8 lelong 0x100001C4 EasyFax initialisation file +>4 lelong 0x10000073 OPO module +!:mime application/x-epoc-opo +>4 lelong 0x10000074 OPL application +!:mime application/x-epoc-app +>4 lelong 0x1000008A exported multi-bitmap image +>4 lelong 0x1000016D +>>8 lelong 0x10000088 Comms names +0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image + +0 lelong 0x10000050 Psion Series 5 +>4 lelong 0x1000006D database +>>8 lelong 0x10000084 Agenda file +!:mime application/x-epoc-agenda +>>8 lelong 0x10000086 Data file +!:mime application/x-epoc-data +>>8 lelong 0x10000CEA Jotter file +!:mime application/x-epoc-jotter +>4 lelong 0x100000E4 ini file + +0 lelong 0x10000079 Psion Series 5 binary: +>4 lelong 0x00000000 DLL +>4 lelong 0x10000049 comms hardware library +>4 lelong 0x1000004A comms protocol library +>4 lelong 0x1000005D OPX +>4 lelong 0x1000006C application +>4 lelong 0x1000008D DLL +>4 lelong 0x100000AC logical device driver +>4 lelong 0x100000AD physical device driver +>4 lelong 0x100000E5 file transfer protocol +>4 lelong 0x100000E5 file transfer protocol +>4 lelong 0x10000140 printer definition +>4 lelong 0x10000141 printer definition + +0 lelong 0x1000007A Psion Series 5 executable + #------------------------------------------------------------------------------ +# $File: erlang,v 1.6 2010/09/20 19:19:17 rrt Exp $ # erlang: file(1) magic for Erlang JAM and BEAM files # URL: http://www.erlang.org/faq/x779.html#AEN812 @@ -4917,12 +5744,15 @@ >8 string BEAM Erlang BEAM file # 4.2 version may have a copyright notice! -4 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2 -79 string Tue Jan 22 14:32:44 MET 1991 Erlang JAM file - version 4.2 +4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 +79 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 -4 string 1.0 Fri Feb 3 09:55:56 MET 1995 Erlang JAM file - version 4.3 +4 string 1.0\ Fri\ Feb\ 3\ 09:55:56\ MET\ 1995 Erlang JAM file - version 4.3 +0 bequad 0x0000000000ABCDEF Erlang DETS file + #------------------------------------------------------------------------------ +# $File: esri,v 1.4 2009/09/19 16:28:09 christos Exp $ # ESRI Shapefile format (.shp .shx .dbf=DBaseIII) # Based on info from # @@ -4950,6 +5780,7 @@ >32 lelong =31 type MultiPatch #------------------------------------------------------------------------------ +# $File: fcs,v 1.4 2009/09/19 16:28:09 christos Exp $ # fcs: file(1) magic for FCS (Flow Cytometry Standard) data files # From Roger Leigh 0 string FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0 @@ -4958,6 +5789,7 @@ #------------------------------------------------------------------------------ +# $File: filesystems,v 1.77 2013/03/14 01:38:30 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 string \366\366\366\366 PC formatted floppy with no filesystem @@ -4984,7 +5816,8 @@ >>0770 long x %ld blocks # Is there a boot block written 1 sector in? >512 belong&077777777 0600407 \b, boot block present -# Joerg Jenderek: Smart Boot Manager backup file is 41 byte header + first sectors of disc + +# Joerg Jenderek: Smart Boot Manager backup file is 25 (MSDOS) or 41 (LINUX) byte header + first sectors of disk # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file >9 string x \b, version %-5.5s @@ -4998,8 +5831,10 @@ >>>>21 ubyte x \b, from drive 0x%x >>>22 ubyte >0 >>>>21 string x \b, from drive %s +>>>535 search/17 \x55\xAA +>>>>&-512 indirect x \b; contains -# Joerg Jenderek +# updated by Joerg Jenderek at Nov 2012 # DOS Emulator image is 128 byte, null right padded header + harddisc image 0 string DOSEMU\0 >0x27E leshort 0xAA55 @@ -5009,17 +5844,174 @@ >>>>7 ulelong >0 \b, %u heads >>>>11 ulelong >0 \b, %d sectors/track >>>>15 ulelong >0 \b, %d cylinders +>>>>128 indirect x \b; contains -# updated by Joerg Jenderek at Sep 2007 +# x86 boot sector updated by Joerg Jenderek at Sep 2007,May 2011 +# for any allowed sector sizes +30 search/481 \x55\xAA +# to display x86 boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) +# DOS BPB information (70) and after DOS floppy (120) like in previous file version +!:strength +72 +# for sector sizes < 512 Bytes +>11 uleshort <512 +>>(11.s-2) uleshort 0xAA55 x86 boot sector +# for sector sizes with 512 or more Bytes +>0x1FE leshort 0xAA55 x86 boot sector +# keep old x86 boot sector as dummy for mbr and bootloader displaying # only for sector sizes with 512 or more Bytes -0x1FE leshort 0xAA55 x86 boot sector -# to do also for sectors < than 512 Bytes and some other files, GRR -#30 search/481 \x55\xAA x86 boot sector -# not for BeOS floppy 1440k, MBRs -#(11.s-2) uleshort 0xAA55 x86 boot sector +0x1FE leshort 0xAA55 +# to display information (50) before DOS BPB (strength=70) and after DOS floppy (120) like in old file version +!:strength +21 >2 string OSBS \b, OS/BS MBR -# J\xf6rg Jenderek ->0x8C string Invalid\ partition\ table \b, MS-DOS MBR +# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ +# and http://en.wikipedia.org/wiki/Master_Boot_Record +# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by +# characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00 +>0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR +# Microsoft Windows 95A and early ( http://thestarman.pcministry.com/asm/mbr/STDMBR.htm ) +# assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld +>>8 ubequad 0x8bf45007501ffbfc +# http://thestarman.pcministry.com/asm/mbr/200MBR.htm +>>>0x16 ubyte 0xF3 \b,DOS 2 +>>>>219 regex Author\ -\ Author: +# found "David Litton" , "A Pehrsson " +>>>>>&0 string x "%s" +>>>0x16 ubyte 0xF2 +# NEC MS-DOS 3.30 Rev. 3 . See http://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm +# assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz +>>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3 +# version MS-DOS 3.30 til MS-Windows 95A (WinVer=4.00.1111) +>>>>0x22 default x \b,D0S version 3.3-7.0 +# error messages are printed by assembler instructions: mov si,06nn;...;int 10 (0xBEnn06;...) +# where nn is string offset varying for different languages +# "Invalid partition table" nn=0x8b for english version +>>>>>(0x49.b) string Invalid\ partition\ table english +>>>>>(0x49.b) string Ung\201ltige\ Partitionstabelle german +>>>>>(0x49.b) string Table\ de\ partition\ invalide french +>>>>>(0x49.b) string Tabela\ de\ parti\207ao\ inv\240lida portuguese +>>>>>(0x49.b) string Tabla\ de\ partici\242n\ no\ v\240lida spanish +>>>>>(0x49.b) string Tavola\ delle\ partizioni\ non\ valida italian +>>>>>0x49 ubyte >0 at offset 0x%x +>>>>>>(0x49.b) string >\0 "%s" +# "Error loading operating system" nn=0xa3 for english version +# "Fehler beim Laden des Betriebssystems" nn=0xa7 for german version +# "Erreur en chargeant syst\212me d'exploitation" nn=0xa7 for french version +# "Erro na inicializa\207ao do sistema operacional" nn=0xa7 for portuguese Brazilian version +# "Error al cargar sistema operativo" nn=0xa8 for spanish version +# "Errore durante il caricamento del sistema operativo" nn=0xae for italian version +>>>>>0x74 ubyte >0 at offset 0x%x +>>>>>>(0x74.b) string >\0 "%s" +# "Missing operating system" nn=0xc2 for english version +# "Betriebssystem fehlt" nn=0xcd for german version +# "Syst\212me d'exploitation absent" nn=0xd2 for french version +# "Sistema operacional nao encontrado" nn=0xd4 for portuguese Brazilian version +# "Falta sistema operativo" nn=0xca for spanish version +# "Sistema operativo mancante" nn=0xe2 for italian version +>>>>>0x79 ubyte >0 at offset 0x%x +>>>>>>(0x79.b) string >\0 "%s" +# Microsoft Windows 95B to XP (http://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) +# assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b +>>8 ubequad 0x5007501ffcbe1b7c +# assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 +>>>24 ubequad 0xf3a4cbbebe07b104 9M +# "Invalid partition table" nn=0x10F for english version +# "Ungültige Partitionstabelle" nn=0x10F for german version +# "Table de partition erronée" nn=0x10F for french version +# "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x10F for russian version +>>>>(0x3C.b+0x0FF) string Invalid\ partition\ table english +>>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german +>>>>(0x3C.b+0x0FF) string Table\ de\ partition\ erron\202e french +>>>>(0x3C.b+0x0FF) string \215\245\257\340\240\242\250\253\354\255\240\357\ \342\240\241\253\250\346\240 russian +>>>>0x3C ubyte x at offset 0x%x+0xFF +>>>>(0x3C.b+0x0FF) string >\0 "%s" +# "Error loading operating system" nn=0x127 for english version +# "Fehler beim Laden des Betriebssystems" nn=0x12b for german version +# "Erreur lors du chargement du système d'exploitation" nn=0x12a for french version +# "\216\350\250\241\252\240 \257\340\250 \247\240\243\340\343\247\252\245 \256\257\245\340\240\346\250\256\255\255\256\251 \341\250\341\342\245\254\353" nn=0x12d for russian version +>>>>0xBD ubyte x at offset 0x1%x +>>>>(0xBD.b+0x100) string >\0 "%s" +# "Missing operating system" nn=0x146 for english version +# "Betriebssystem fehlt" nn=0x151 for german version +# "Système d'exploitation manquant" nn=0x15e for french version +# "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x156 for russian version +>>>>0xA9 ubyte x at offset 0x1%x +>>>>(0xA9.b+0x100) string >\0 "%s" +# http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm +# assembler instructions: rep;movsb;retf;mov BP,07be;mov cl,04 +>>>24 ubequad 0xf3a4cbbdbe07b104 XP +# where xxyyzz are lower bits from offsets of error messages varying for different languages +>>>>0x1B4 ubelong&0x00FFFFFF 0x002c4463 english +>>>>0x1B4 ubelong&0x00FFFFFF 0x002c486e german +# "Invalid partition table" xx=0x12C for english version +# "Ungültige Partitionstabelle" xx=0x12C for german version +>>>>0x1b5 ubyte >0 at offset 0x1%x +>>>>(0x1b5.b+0x100) string >\0 "%s" +# "Error loading operating system" yy=0x144 for english version +# "Fehler beim Laden des Betriebssystems" yy=0x148 for german version +>>>>0x1b6 ubyte >0 at offset 0x1%x +>>>>(0x1b6.b+0x100) string >\0 "%s" +# "Missing operating system" zz=0x163 for english version +# "Betriebssystem nicht vorhanden" zz=0x16e for german version +>>>>0x1b7 ubyte >0 at offset 0x1%x +>>>>(0x1b7.b+0x100) string >\0 "%s" +# Microsoft Windows Vista or 7 +# assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00 +>>8 ubequad 0xc08ed8be007cbf00 +# Microsoft Windows Vista (http://thestarman.pcministry.com/asm/mbr/VistaMBR.htm) +# assembler instructions: jnz 0729;cmp ebx,"TCPA" +>>>0xEC ubequad 0x753b6681fb544350 Vista +# where xxyyzz are lower bits from offsets of error messages varying for different languages +>>>>0x1B4 ubelong&0x00FFFFFF 0x00627a99 english +#>>>>0x1B4 ubelong&0x00FFFFFF ? german +# "Invalid partition table" xx=0x162 for english version +# "Ungültige Partitionstabelle" xx=0x1?? for german version +>>>>0x1b5 ubyte >0 at offset 0x1%x +>>>>(0x1b5.b+0x100) string >\0 "%s" +# "Error loading operating system" yy=0x17a for english version +# "Fehler beim Laden des Betriebssystems" yy= 0x1?? for german version +>>>>0x1b6 ubyte >0 at offset 0x1%x +>>>>(0x1b6.b+0x100) string >\0 "%s" +# "Missing operating system" zz=0x199 for english version +# "Betriebssystem nicht vorhanden" zz=0x1?? for german version +>>>>0x1b7 ubyte >0 at offset 0x1%x +>>>>(0x1b7.b+0x100) string >\0 "%s" +# Microsoft Windows 7 (http://thestarman.pcministry.com/asm/mbr/W7MBR.htm) +# assembler instructions: cmp ebx,"TCPA";cmp +>>>0xEC ubequad 0x6681fb5443504175 Windows 7 +# where xxyyzz are lower bits from offsets of error messages varying for different languages +>>>>0x1B4 ubelong&0x00FFFFFF 0x00637b9a english +#>>>>0x1B4 ubelong&0x00FFFFFF ? german +# "Invalid partition table" xx=0x163 for english version +# "Ungültige Partitionstabelle" xx=0x1?? for german version +>>>>0x1b5 ubyte >0 at offset 0x1%x +>>>>(0x1b5.b+0x100) string >\0 "%s" +# "Error loading operating system" yy=0x17b for english version +# "Fehler beim Laden des Betriebssystems" yy=0x1?? for german version +>>>>0x1b6 ubyte >0 at offset 0x1%x +>>>>(0x1b6.b+0x100) string >\0 "%s" +# "Missing operating system" zz=0x19a for english version +# "Betriebssystem nicht vorhanden" zz=0x1?? for german version +>>>>0x1b7 ubyte >0 at offset 0x1%x +>>>>(0x1b7.b+0x100) string >\0 "%s" +# http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DiskSigs +# http://en.wikipedia.org/wiki/MBR_disk_signature#ID +>>0x1b8 ulelong >0 \b, disk signature 0x%-.4x +# driveID/timestamp for Win 95B,98,98SE and ME. See http://thestarman.pcministry.com/asm/mbr/mystery.htm +>>0xDA uleshort 0 +>>>0xDC ulelong >0 \b, created +# physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive +>>>>0xDC ubyte x with driveID 0x%x +# hours, minutes and seconds +>>>>0xDf ubyte x at %x +>>>>0xDe ubyte x \b:%x +>>>>0xDd ubyte x \b:%x +# special case for Microsoft MS-DOS 3.21 spanish +# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov +>0 ubequad 0xfab830008ed0bc00 +# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov +>>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish +# Microsoft MBR IPL end + # dr-dos with some upper-, lowercase variants >0x9D string Invalid\ partition\ table$ >>181 string No\ Operating\ System$ @@ -5038,35 +6030,36 @@ >>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ >>>>>>>387 string Copyright\ (c)\ 1984,1998 >>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) ->0x10F string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 4.10.1998, 4.10.2222 ->>0x1B8 ubelong >0 \b, Serial 0x%-.4x ->0x8B string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 5.00 to 4.00.950 ->271 string Invalid\ partition\ table\0 ->>295 string Error\ loading\ operating\ system\0 ->>>326 string Missing\ operating\ system\0 \b, mbr # ->139 string Invalid\ partition\ table\0 ->>163 string Error\ loading\ operating\ system\0 ->>>194 string Missing\ operating\ system\0 \b, Microsoft Windows XP mbr -# http://www.heise.de/ct/05/09/006/ page 184 -#HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\DosDevices\?:=Serial4Bytes+8Bytes ->>>>0x1B8 ulelong >0 \b,Serial 0x%-.4x ->300 string Invalid\ partition\ table\0 ->>324 string Error\ loading\ operating\ system\0 ->>>355 string Missing\ operating\ system\0 \b, Microsoft Windows XP MBR -#??>>>389 string Invalid\ system\ disk ->>>>0x1B8 ulelong >0 \b, Serial 0x%-.4x ->300 string Ung\201ltige\ Partitionstabelle -#split string to avoid error: String too long ->>328 string Fehler\ beim\ Laden\ ->>>346 string des\ Betriebssystems ->>>>366 string Betriebssystem\ nicht\ vorhanden \b, Microsoft Windows XP MBR (german) ->>>>>0x1B8 ulelong >0 \b, Serial 0x%-.4x ->0x145 string Default:\ F \b, FREE-DOS MBR +# tests for different MS-DOS Master Boot Records (MBR) moved and merged +# +#>0x145 string Default:\ F \b, FREE-DOS MBR +#>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR +>0x145 search/7 Default:\ F \b, FREE-DOS MBR +#>>313 string F0\ .\ .\ . +#>>>322 string disk\ 1 +#>>>>382 string FAT3 >64 string no\ active\ partition\ found >>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR ->271 string Operating\ system\ loading ->>296 string error\r \b, SYSLINUX MBR (2.10) +# Ranish Partition Manager http://www.ranish.com/part/ +>387 search/4 \0\ Error!\r +>>378 search/7 Virus! +>>>397 search/4 Booting\ +>>>>408 search/4 HD1/\0 \b, Ranish MBR ( +>>>>>416 string Writing\ changes... \b2.37 +>>>>>>438 ubyte x \b,0x%x dots +>>>>>>440 ubyte >0 \b,virus check +>>>>>>441 ubyte >0 \b,partition %c +#2.38,2.42,2.44 +>>>>>416 string !Writing\ changes... \b +>>>>>>418 ubyte 1 \bvirus check, +>>>>>>419 ubyte x \b0x%x seconds +>>>>>>420 ubyte&0x0F >0 \b,partition +>>>>>>>420 ubyte&0x0F <5 \b %x +>>>>>>>420 ubyte&0x0F 0Xf \b ask +>>>>>420 ubyte x \b) +# +# SYSLINUX MBR moved # http://www.acronis.de/ >362 string MBR\ Error\ \0\r >>376 string ress\ any\ key\ to\ @@ -5082,18 +6075,20 @@ >0x40 string SBML # label with 11 characters of FAT 12 bit filesystem >>43 string SMART\ BTMGR ->>>430 string SBMK\ Bad!\r ->>>>3 string SBM \b, Smart Boot Manager ->>>>>6 string >\0 \b, version %s +>>>430 string SBMK\ Bad!\r \b, Smart Boot Manager +# OEM-ID not always "SBM" +#>>>>3 strings SBM +>>>>6 string >\0 \b, version %s >382 string XOSLLOADXCF \b, eXtended Operating System Loader >6 string LILO \b, LInux i386 boot LOader >>120 string LILO \b, version 22.3.4 SuSe >>172 string LILO \b, version 22.5.8 Debian -# updated by Joerg Jenderek +# updated by Joerg Jenderek at Oct 2008 # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders ->0 ulelong 0x009048EB +>342 search/60 \0Geom\0 +#>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 >>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader # 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 @@ -5125,26 +6120,20 @@ >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>374 string GRUB\ \0 \b, GRUB version n.m -# http://syslinux.zytor.com/ ->478 string Boot\ failed\r ->>495 string LDLINUX\ SYS \b, SYSLINUX bootloader (1.62) ->480 string Boot\ failed\r ->>495 string LDLINUX\ SYS \b, SYSLINUX bootloader (2.06 or 2.11) ->484 string Boot\ error\r \b, SYSLINUX bootloader (3.11) +# SYSLINUX bootloader moved >395 string chksum\0\ ERROR!\0 \b, Gujin bootloader # http://www.bcdwb.de/bcdw/index_e.htm >3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) -# mbr partion table entries -# OEM-ID not Microsoft,SYSLINUX,or MTOOLs +# mbr partition table entries +# OEM-ID does not contain MicroSoft,NEWLDR,DOS,SYSLINUX,or MTOOLs >3 string !MS >>3 string !SYSLINUX >>>3 string !MTOOL +>>>>3 string !NEWLDR +>>>>>5 string !DOS # not FAT (32 bit) ->>>>82 string !FAT32 -#not IO.SYS ->>>>>472 string !IO\ \ \ \ \ \ SYS ->>>>>>480 string !IO\ \ \ \ \ \ SYS +>>>>>>82 string !FAT32 #not Linux kernel >>>>>>>514 string !HdrS #not BeOS @@ -5190,17 +6179,20 @@ #>>>>>>>>>>>>496 ubeshort&1023 x \b, startcylinder? %d >>>>>>>>>>>>502 ulelong x \b, startsector %u >>>>>>>>>>>>506 ulelong x \b, %u sectors -# mbr partion table entries end +# mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 >442 string Non-system\ disk,\ >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader -# DOS names like F11.SYS are 8 right space padded bytes+3 bytes +# updated by Joerg Jenderek at Nov 2012 +# DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes >>>477 ubyte&0xDF >0 >>>>477 string x \b %-.3s >>>>>480 ubyte&0xDF >0 ->>>>>>480 string x \b%-.5s +>>>>>>480 string x \b%-.4s +>>>>>>>484 ubyte&0xDF >0 +>>>>>>>>484 string x \b%-.1s >>>>485 ubyte&0xDF >0 >>>>>485 string x \b.%-.3s # @@ -5212,24 +6204,44 @@ >>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string >\0 \b, version %-3s >242 string Bootsector\ from\ C.H.\ Hochst\204 ->>278 string No\ Systemdisk.\ ->>>293 string Booting\ from\ harddisk.\n\r ->>>441 string Cannot\ load\ from\ harddisk.\n\r ->>>>469 string Insert\ Systemdisk\ ->>>>>487 string and\ press\ any\ key.\n\r \b, WinImage harddisk Bootloader ->>>>>>209 string >\0 \b, version %-4.4s +# http://freecode.com/projects/dosfstools dosfstools-n.m/src/mkdosfs.c +# updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string +# skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut +>242 search/127 Bootsector\ from\ C.H.\ Hochst +>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk +# followed by variants with point,CR-NL or NL-CR +>>>208 search/261 Cannot\ load\ from\ harddisk. +# followed by variants CR-NL or NL-CR +>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. +# followed by variants with point,CR-NL or NL-CR +>>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader +# followed by string like "6.50 (c) 1993-2004 Gilles Vollant" +>>>>>>&0 string x \b, version %-4.4s >(1.b+2) ubyte 0xe >>(1.b+3) ubyte 0x1f >>>(1.b+4) ubyte 0xbe ->>>>(1.b+5) ubyte 0x77 ->>>>(1.b+6) ubyte 0x7c ->>>>>(1.b+7) ubyte 0xac ->>>>>>(1.b+8) ubyte 0x22 ->>>>>>>(1.b+9) ubyte 0xc0 ->>>>>>>>(1.b+10) ubyte 0x74 ->>>>>>>>>(1.b+11) ubyte 0xb ->>>>>>>>>>(1.b+12) ubyte 0x56 ->>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display +# message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others +>>>>(1.b+5) ubyte&0xd3 0x53 +>>>>>(1.b+6) ubyte 0x7c +# assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah, +>>>>>>(1.b+7) ubyte 0xac +>>>>>>>(1.b+8) ubyte 0x22 +>>>>>>>>(1.b+9) ubyte 0xc0 +>>>>>>>>>(1.b+10) ubyte 0x74 +>>>>>>>>>>(1.b+11) ubyte 0x0b +>>>>>>>>>>>(1.b+12) ubyte 0x56 +>>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display +# FAT1X version +>>>>>>>>>>>>>(1.b+5) ubyte 0x5b +>>>>>>>>>>>>>>0x5b string >\0 "%-s" +# FAT32 version +>>>>>>>>>>>>>(1.b+5) ubyte 0x77 +>>>>>>>>>>>>>>0x77 string >\0 "%-s" +>214 string Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display +#>>244 string from\ dosemu-freedos-*-bin.tgz\r +#>>>170 string Sorry,\ could\ not\ load\ an\ +#>>>>195 string operating\ system.\r\n +# >103 string This\ is\ not\ a\ bootable\ disk.\ >>132 string Please\ insert\ a\ bootable\ >>>157 string floppy\ and\r\n @@ -5332,12 +6344,22 @@ >430 string Datentr\204ger\ entfernen\xFF\r\n >>454 string Medienfehler\xFF\r\n >>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) ->>>>368 ubyte&0xDF >0 ->>>>>368 string x %-.5s ->>>>>>373 ubyte&0xDF >0 ->>>>>>>373 string x \b%-.3s ->>>>>376 ubyte&0xDF >0 ->>>>>>376 string x \b.%-.3s +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 +>>>>>>368 string x %-.5s +>>>>>>>373 ubyte&0xDF >0 +>>>>>>>>373 string x \b%-.3s +>>>>>>376 ubyte&0xDF >0 +>>>>>>>376 string x \b.%-.3s +# variant +>>>>417 ubyte&0xDF >0 +>>>>>417 string x %-.5s +>>>>>>422 ubyte&0xDF >0 +>>>>>>>422 string x \b%-.3s +>>>>>425 ubyte&0xDF >0 +>>>>>>425 string >\ \b.%-.3s +# + #>3 string NTFS\ \ \ \ >389 string Fehler\ beim\ Lesen\ >>407 string des\ Datentr\204gers @@ -5525,12 +6547,27 @@ >>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader >>471 string Cannot\ load\ DOS\ >>487 string press\ key\ to\ retry \b, Open-DOS Bootloader +#?? >444 string KERNEL\ \ SYS >>314 string BOOT\ error! \b, FREE-DOS Bootloader >499 string KERNEL\ \ SYS >>305 string BOOT\ err!\0 \b, Free-DOS Bootloader >449 string KERNEL\ \ SYS >>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader +# +>449 string Loading\ FreeDOS +>>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader +>>>497 ubyte&0xDF >0 +>>>>497 string x \b %-.6s +>>>>>503 ubyte&0xDF >0 +>>>>>>503 string x \b%-.1s +>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 string x \b%-.1s +>>>>505 ubyte&0xDF >0 +>>>>>505 string x \b.%-.3s +# +>331 string Error!.0 \b, FREE-DOS 1.0 bootloader +# >125 string Loading\ FreeDOS...\r >>311 string BOOT\ error!\r \b, FREE-DOS bootloader >>>441 ubyte&0xDF >0 @@ -5664,13 +6701,27 @@ #it also hangs with another message ("NF"). >>>>>492 string RENF \b, FAT (12 bit) >>>>>495 string RENF \b, FAT (16 bit) -# added by Joerg Jenderek -# http://syslinux.zytor.com/iso.php -0 ulelong 0x7c40eafa isolinux Loader -# http://syslinux.zytor.com/pxe.php -0 ulelong 0x007c05ea pxelinux Loader -0 ulelong 0x60669c66 pxelinux Loader -# loader end +# x86 bootloader end + +# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO +# and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector +>0 string RRaA +>>0x1E4 string rrAa \b, FSInfosector +#>>0x1FC uleshort =0 SHOULD BE ZERO +>>>0x1E8 ulelong <0xffffffff \b, %u free clusters +>>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u + +# added by Joerg Jenderek at Nov 2012 +# http://www.thenakedpc.com/articles/v04/08/0408-05.html +# Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data +0 string PNCIHISK\0 Norton Utilities disc image data +# real x86 boot sector with jump instruction +>509 search/1026 \x55\xAA\xeb +>>&-1 indirect x \b; contains +# http://file-extension.net/seeker/file_extension_dat +0 string PNCIUNDO Norton Disk Doctor UnDo file +# + # updated by Joerg Jenderek at Sep 2007 >3 ubyte 0 #no active flag @@ -5685,121 +6736,15 @@ >>>>>>>466 ubyte 0x05 \b, extended partition table >>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) >>>>>>>466 ubyte 0x0 \b, extended partition table (last) -# JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 -# http://mirror.href.com/thestarman/asm/2bytejumps.htmm#FWD -# older drives may use Near JuMP instruction E9 xx xx ->0 lelong&0x009000EB 0x009000EB ->0 lelong&0x000000E9 0x000000E9 -# maximal short forward jump is 07fx ->1 ubyte <0xff \b, code offset 0x%x -# mtools-3.9.8/msdos.h -# usual values are marked with comments to get only informations of strange FAT systems -# valid sectorsize must be a power of 2 from 32 to 32768 ->>11 uleshort&0x000f x ->>>11 uleshort <32769 ->>>>11 uleshort >31 ->>>>>3 string >\0 \b, OEM-ID "%8.8s" -#http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC ->>>>>>8 string IHC \b cached by Windows 9M ->>>>>11 uleshort >512 \b, Bytes/sector %u -#>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual) ->>>>>11 uleshort <512 \b, Bytes/sector %u ->>>>>13 ubyte >1 \b, sectors/cluster %u -#>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) ->>>>>14 uleshort >32 \b, reserved sectors %u -#>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) -#>>>>>14 uleshort >1 \b, reserved sectors %u -#>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) ->>>>>14 uleshort <1 \b, reserved sectors %u ->>>>>16 ubyte >2 \b, FATs %u -#>>>>>16 ubyte =2 \b, FATs %u (usual) ->>>>>16 ubyte =1 \b, FAT %u ->>>>>16 ubyte >0 ->>>>>17 uleshort >0 \b, root entries %u -#>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) ->>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) -#>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) ->>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x -#>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) ->>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x ->>>>>22 uleshort >0 \b, sectors/FAT %u -#>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) ->>>>>26 ubyte >2 \b, heads %u -#>>>>>26 ubyte =2 \b, heads %u (usual floppy) ->>>>>26 ubyte =1 \b, heads %u -#skip for Digital Research DOS (version 3.41) 1440 kB Bootdisk ->>>>>38 ubyte !0x70 ->>>>>>28 ulelong >0 \b, hidden sectors %u -#>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) ->>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) -#>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) -# FAT<32 specific ->>>>>82 string !FAT32 -#>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) -#>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>36 ubyte !0x80 ->>>>>>>36 ubyte !0 \b, physical drive 0x%x ->>>>>>37 ubyte >0 \b, reserved 0x%x -#>>>>>>37 ubyte =0 \b, reserved 0x%x ->>>>>>38 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x) ->>>>>>38 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x) ->>>>>>38 ubyte =0x29 ->>>>>>>39 ulelong x \b, serial number 0x%x ->>>>>>>43 string >>>>>>43 string >NO\ NAME \b, label: "%11.11s" ->>>>>>>43 string =NO\ NAME \b, unlabeled ->>>>>>54 string FAT \b, FAT ->>>>>>>54 string FAT12 \b (12 bit) ->>>>>>>54 string FAT16 \b (16 bit) -# FAT32 specific ->>>>>82 string FAT32 \b, FAT (32 bit) ->>>>>>36 ulelong x \b, sectors/FAT %u ->>>>>>40 uleshort >0 \b, extension flags %u -#>>>>>>40 uleshort =0 \b, extension flags %u ->>>>>>42 uleshort >0 \b, fsVersion %u -#>>>>>>42 uleshort =0 \b, fsVersion %u (usual) ->>>>>>44 ulelong >2 \b, rootdir cluster %u -#>>>>>>44 ulelong =2 \b, rootdir cluster %u -#>>>>>>44 ulelong =1 \b, rootdir cluster %u ->>>>>>48 uleshort >1 \b, infoSector %u -#>>>>>>48 uleshort =1 \b, infoSector %u (usual) ->>>>>>48 uleshort <1 \b, infoSector %u ->>>>>>50 uleshort >6 \b, Backup boot sector %u -#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) ->>>>>>50 uleshort <6 \b, Backup boot sector %u ->>>>>>54 ulelong >0 \b, reserved1 0x%x ->>>>>>58 ulelong >0 \b, reserved2 0x%x ->>>>>>62 ulelong >0 \b, reserved3 0x%x -# same structure as FAT1X ->>>>>>64 ubyte >0x80 \b, physical drive 0x%x -#>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) ->>>>>>64 ubyte&0x7F >0 \b, physical drive 0x%x -#>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>65 ubyte >0 \b, reserved 0x%x ->>>>>>66 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x) ->>>>>>66 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x) ->>>>>>66 ubyte =0x29 ->>>>>>>67 ulelong x \b, serial number 0x%x ->>>>>>>71 string >>>>>71 string >NO\ NAME \b, label: "%11.11s" ->>>>>>71 string =NO\ NAME \b, unlabeled -### FATs end + +# DOS x86 sector separated and moved from "x86 boot sector" by Joerg Jenderek at May 2011 + >0x200 lelong 0x82564557 \b, BSD disklabel # FATX 0 string FATX FATX filesystem data - -# Minix filesystems - Juan Cespedes -0x410 leshort 0x137f Minix filesystem -0x410 beshort 0x137f Minix filesystem (big endian) ->0x402 beshort !0 \b, %d zones ->0x1e string minix \b, bootable -0x410 leshort 0x138f Minix filesystem, 30 char names -0x410 leshort 0x2468 Minix filesystem, version 2 -0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names - # romfs filesystems - Juan Cespedes -0 string -rom1fs-\0 romfs filesystem, version 1 +0 string -rom1fs- romfs filesystem, version 1 >8 belong x %d bytes, >16 string x named %s. @@ -5812,6 +6757,144 @@ 0x18b string OS/2 OS/2 Boot Manager +# updated by Joerg Jenderek at Oct 2008 and Sep 2012 +# http://syslinux.zytor.com/iso.php +# tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05 +# assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop +0 ulequad&0x909000007cc0eafa 0x909000007c40eafa +>631 search/689 ISOLINUX\ isolinux Loader +>>&0 string x (version %-4.4s) +# http://syslinux.zytor.com/pxe.php +# assembler instructions: jmp 7C05 +0 ulelong 0x007c05ea pxelinux loader (version 2.13 or older) +# assembler instructions: pushfd;pushad +0 ulelong 0x60669c66 pxelinux loader +# assembler instructions: jmp 05 +0 ulelong 0xc00005ea pxelinux loader (version 3.70 or newer) +# http://syslinux.zytor.com/wiki/index.php/SYSLINUX +0 string LDLINUX\ SYS\ SYSLINUX loader +>12 string x (older version %-4.4s) +0 string \r\nSYSLINUX\ SYSLINUX loader +>11 string x (version %-4.4s) +# syslinux updated and separated from "x86 boot sector" by Joerg Jenderek at Sep 2012 +# assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" +0 ulelong&0x80909bEB 0x009018EB +# OEM-ID not always "SYSLINUX" +>434 search/47 Boot\ failed +# followed by \r\n\0 or :\ +>>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older) +>>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) +>459 search/30 Boot\ error\r\n\0 +>>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) +# SYSLINUX MBR updated and separated from "x86 boot sector" by Joerg Jenderek at Sep 2012 +# assembler instructions: mov di,0600h;mov cx,0100h +16 search/4 \xbf\x00\x06\xb9\x00\x01 +# to display SYSLINUX MBR (36) before old x86 boot sector one with partition table (strength=50+21) +!:strength +36 +>94 search/249 Missing\ operating\ system +# followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other +# skip Ranish MBR +>>408 search/4 HD1/\0 +>>408 default x +>>>250 search/118 \0Operating\ system\ load SYSLINUX MBR +# followed by "ing " or space +>>>>292 search/98 error +>>>>>&0 string \r (version 3.35 or older) +>>>>>&0 string .\r (version 3.52 or newer) +>>>>>&0 default x (version 3.36-3.51 ) +>368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR +>>156 search/10 \0Boot\ partition\ not\ found\r\n +>>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older) +>>174 search/10 \0Missing\ OS\r\n +>>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer) +# SYSLINUX END + +# NetBSD mbr variants (master-boot-code version 1.22) added by Joerg Jenderek at Nov 2012 +# assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax, +0 ubequad 0x31c08ed0bc007c8e +# mbr_bootsel magic before partition table not reliable with small ipl fragments +#>444 uleshort 0xb5e1 +>0004 uleshort x +# ERRorTeXT +>>181 search/166 Error\ \0\r\n NetBSD mbr +# NT Drive Serial Number http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS +>>>0x1B8 ubelong >0 \b,Serial 0x%-.8x +# BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx +>>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector +# BOOT_EXTENDED definitions contains assembler instructions: +# xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13 +>>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended +# COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al +>>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO +# not TERSE_ERROR +>>>196 search/106 No\ active\ partition\0 +>>>>&0 string Disk\ read\ error\0 +>>>>>&0 string No\ operating\ system\0 \b,verbose +# not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13 +>>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS +# not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13 +>>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check +# assembler instructions: movw nametab,bx +>>>0x26 search/21 \xBB\x94\x07 +# not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf +>>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 +>>>>>181 search/166 Error\ \0 +# "a: disk" , "Fn: diskn" or "NetBSD MBR boot" +>>>>>>&3 string x \b,"%s" +# Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html +# added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 +# assembler instructions: jmp short 0x58;nop;ASCII +0 ubequad&0xeb58908000000000 0xeb58900000000000 +# assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss, +>(1.b+2) ubequad 0xfa31c08ed88ec08e +# Error messages at end of code +>>376 string No\ operating\ system\r\n\0 +>>>398 string Disk\ error\r\n\0FDD\0HDD\0 +>>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr + +# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ +# added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11 +# for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI, +# or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS, +0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC +# pointer to the data starting with Neil Turton signature string +>(0x1BC.s) string NDTmbr +>>&-14 string 1234F\0 Turton mbr ( +# parameters also viewed by install-mbr --list +>>>(0x1BC.s+7) ubyte x \b%u<= +>>>(0x1BC.s+9) ubyte x \bVersion<=%u +#>>>(0x1BC.s+8) ubyte x asm_flag_%x +>>>(0x1BC.s+8) ubyte&1 1 \b,Y2K-Fix +# variant used by testdisk of http://www.cgsecurity.org/wiki/Menu_MBRCode +>>>(0x1BC.s+8) ubyte&2 2 \b,TestDisk +#0x1~1,..,0x8~4,0x10~F,0x80~A enabled +#>>>(0x1BC.s+10) ubyte x \b,flags 0x%x +#0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot +#>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x +# for older versions +>>>(0x1BC.s+9) ubyte <2 +#>>>>(0x1BC.s+12) ubyte 18 \b,%u/18 seconds +>>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds +# floppy A: or B: +>>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x +>>>>(0x1BC.s+13) ubyte >1 +# 1st hard disc +#>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x +# not 1st hard disc +>>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x +# for version >= 2 maximal timeout can be 65534 +>>>(0x1BC.s+9) ubyte >1 +#>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds +>>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds +# floppy A: or B: +>>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x +>>>>(0x1BC.s+14) ubyte >1 +# 1st hard disc +#>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x +# not 1st hard disc +>>>>>(0x1BC.s+14) ubyte !0x80 \b,drive 0x%x +>>>0 ubyte x \b) + # added by Joerg Jenderek # In the second sector (+0x200) are variables according to grub-0.97/stage2/asm.S or # grub-1.94/kern/i386/pc/startup.S @@ -5867,6 +6950,178 @@ >>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s +# DOS x86 sector updated and separated from "x86 boot sector" by Joerg Jenderek at May 2011 +# JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 +# over BIOS parameter block (BPB) +# http://thestarman.pcministry.com/asm/2bytejumps.htm#FWD +# older drives may use Near JuMP instruction E9 xx xx +# minimal short forward jump found 0x29 for bootloaders or 0x0 +# maximal short forward jump is 0x7f +# OEM-ID is empty or contain readable bytes +0 ulelong&0x804000E9 0x000000E9 +# mtools-3.9.8/msdos.h +# usual values are marked with comments to get only informations of strange FAT systems +# valid sectorsize must be a power of 2 from 32 to 32768 +>11 uleshort&0xf001f 0 +>>11 uleshort <32769 +>>>11 uleshort >31 +>>>>21 ubyte&0xf0 0xF0 +>>>>>0 ubyte 0xEB +>>>>>>1 ubyte x \b, code offset 0x%x+2 +>>>>>0 ubyte 0xE9 +>>>>>>1 uleshort x \b, code offset 0x%x+2 +>>>>>3 string >\0 \b, OEM-ID "%-.8s" +#http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC +>>>>>>8 string IHC \b cached by Windows 9M +>>>>>11 uleshort >512 \b, Bytes/sector %u +#>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual) +>>>>>11 uleshort <512 \b, Bytes/sector %u +>>>>>13 ubyte >1 \b, sectors/cluster %u +#>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) +>>>>>82 string FAT32 +>>>>>>14 uleshort !32 \b, reserved sectors %u +#>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) +>>>>>82 string !FAT32 +>>>>>>14 uleshort >1 \b, reserved sectors %u +#>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) +#>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) +>>>>>16 ubyte >2 \b, FATs %u +#>>>>>16 ubyte =2 \b, FATs %u (usual) +>>>>>16 ubyte =1 \b, FAT %u +>>>>>16 ubyte >0 +>>>>>17 uleshort >0 \b, root entries %u +#>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) +>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) +#>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) +>>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x +#>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) +>>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x +>>>>>22 uleshort >0 \b, sectors/FAT %u +#>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) +>>>>>24 uleshort x \b, sectors/track %u +>>>>>26 ubyte >2 \b, heads %u +#>>>>>26 ubyte =2 \b, heads %u (usual floppy) +>>>>>26 ubyte =1 \b, heads %u +# valid only for sector sizes with more then 32 Bytes +>>>>>11 uleshort >32 +# skip for Digital Research DOS (version 3.41) 1440 kB Bootdisk +>>>>>>38 ubyte !0x70 +>>>>>>>28 ulelong >0 \b, hidden sectors %u +#>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) +>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) +#>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) +# FAT<32 bit specific +>>>>>>>82 string !FAT32 +#>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) +#>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) +>>>>>>>>36 ubyte !0x80 +>>>>>>>>>36 ubyte !0 \b, physical drive 0x%x +>>>>>>>>37 ubyte >0 \b, reserved 0x%x +#>>>>>>>>37 ubyte =0 \b, reserved 0x%x +# value is 0x80 for NTFS +>>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) +>>>>>>>>38 ubyte =0x29 +>>>>>>>>>39 ulelong x \b, serial number 0x%x +>>>>>>>>>43 string >>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" +>>>>>>>>>43 string =NO\ NAME \b, unlabeled +# there exist some old floppies without word FAT at offset 54 +# a word like "FATnm " is only a hint for a FAT size on nm-bits +# Normally the number of clusters is calculated by the values of BPP. +# if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, +# otherwise FAT is 16 bit. +# http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html +>>>>>>54 string FAT \b, FAT +>>>>>>>54 string FAT12 \b (12 bit) +>>>>>>>54 string FAT16 \b (16 bit) +# FAT32 bit specific +>>>>>82 string FAT32 \b, FAT (32 bit) +>>>>>>36 ulelong x \b, sectors/FAT %u +# http://technet.microsoft.com/en-us/library/cc977221.aspx +>>>>>>40 uleshort >0 \b, extension flags 0x%x +#>>>>>>40 uleshort =0 \b, extension flags %u +>>>>>>42 uleshort >0 \b, fsVersion %u +#>>>>>>42 uleshort =0 \b, fsVersion %u (usual) +>>>>>>44 ulelong >2 \b, rootdir cluster %u +#>>>>>>44 ulelong =2 \b, rootdir cluster %u +#>>>>>>44 ulelong =1 \b, rootdir cluster %u +>>>>>>48 uleshort >1 \b, infoSector %u +#>>>>>>48 uleshort =1 \b, infoSector %u (usual) +>>>>>>48 uleshort <1 \b, infoSector %u +>>>>>>50 uleshort >6 \b, Backup boot sector %u +#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) +>>>>>>50 uleshort <6 \b, Backup boot sector %u +# corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO +>>>>>>52 ulelong >0 \b, reserved1 0x%x +>>>>>>56 ulelong >0 \b, reserved2 0x%x +>>>>>>60 ulelong >0 \b, reserved3 0x%x +# same structure as FAT1X +#>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) +#>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) +>>>>>>64 ubyte !0x80 +>>>>>>>64 ubyte >0 \b, physical drive 0x%x +# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too +>>>>>>65 ubyte >0 \b, reserved 0x%x +>>>>>>66 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) +>>>>>>66 ubyte =0x29 +>>>>>>>67 ulelong x \b, serial number 0x%x +>>>>>>>71 string >>>>>>71 string >NO\ NAME \b, label: "%11.11s" +>>>>>>>71 string =NO\ NAME \b, unlabeled +# additional tests for floppy image added by Joerg Jenderek +# no fixed disk +>>>>>21 ubyte !0xF8 +# floppy media with 12 bit FAT +>>>>>>54 string !FAT16 +# test for FAT after bootsector +>>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT +# floppy image +!:mime application/x-ima +# NTFS specific added by Joerg Jenderek at Mar 2011 according to http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm +# and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html +# 0 FATs +>>>>>16 ubyte =0 +# 0 root entries +>>>>>>17 uleshort =0 +# 0 DOS sectors +>>>>>>>19 uleshort =0 +# 0 sectors/FAT +# dos < 4.0 BootSector value found is 0x80 +#38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x) +>>>>>>>>22 uleshort =0 \b; NTFS +>>>>>>>>>24 uleshort >0 \b, sectors/track %u +>>>>>>>>>36 ulelong !0x800080 \b, physical drive 0x%x +>>>>>>>>>40 ulequad >0 \b, sectors %lld +>>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld +>>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld +# Values 0 to 127 represent MFT record sizes of 0 to 127 clusters. +# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. +>>>>>>>>>64 lelong <256 +>>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d +>>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%hhi) +# Values 0 to 127 represent index block sizes of 0 to 127 clusters. +# Values 128 to 255 represent index block sizes of 2^(256-N) byte +>>>>>>>>>68 ulelong <256 +>>>>>>>>>>68 ulelong <128 \b, clusters/index block %d +#>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) +>>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%hhi) +>>>>>>>>>72 ulequad x \b, serial number 0%llx +>>>>>>>>>80 ulelong >0 \b, checksum 0x%x +#>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) +>>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 +>>>>>>>>>>&-92 indirect x \b; contains +# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013 +# http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm +# unused assembler instructions JMP y2;NOP;NOP +0x056 ulelong&0xFFFF0FFF 0x909002EB +# unicode loadername terminated by CTRL-D +>(0.s*2) ulelong&0xFFFFFF00 0x00040000 +# loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR +>>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s +>>0x12 string $ +>>>0x0c lestring16 x \b%-2.2s +### DOS,NTFS boot sectors end + 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, @@ -6003,12 +7258,12 @@ >>>0x464 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? >>0x460 lelong >0x000003f ext4 filesystem data ->0x468 belong x \b, UUID=%x ->0x46c beshort x \b-%x ->0x46e beshort x \b-%x ->0x470 beshort x \b-%x ->0x472 belong x \b-%x ->0x476 beshort x \b%x +>0x468 belong x \b, UUID=%08x +>0x46c beshort x \b-%04x +>0x46e beshort x \b-%04x +>0x470 beshort x \b-%04x +>0x472 belong x \b-%08x +>0x476 beshort x \b%04x >0x478 string >0 \b, volume name "%s" # General flags for any ext* fs >0x460 lelong &0x0000004 (needs journal recovery) @@ -6029,6 +7284,51 @@ #>0x464 lelong &0x0000020 (many subdirs) #>0x463 lelong &0x0000040 (extra isize) +# Minix filesystems - Juan Cespedes +0x410 leshort 0x137f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1, %d zones +>0x1e string minix \b, bootable +0x410 beshort 0x137f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1 (big endian), %d zones +>0x1e string minix \b, bootable +0x410 leshort 0x138f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1, 30 char names, %d zones +>0x1e string minix \b, bootable +0x410 beshort 0x138f +!:strength / 2 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V1, 30 char names (big endian), %d zones +>0x1e string minix \b, bootable +0x410 leshort 0x2468 +>0x402 beshort < 100 +>>0x402 beshort > -1 Minix filesystem, V2, %d zones +>0x1e string minix \b, bootable +0x410 beshort 0x2468 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V2 (big endian), %d zones +>0x1e string minix \b, bootable + +0x410 leshort 0x2478 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V2, 30 char names, %d zones +>0x1e string minix \b, bootable +0x410 leshort 0x2478 +>0x402 beshort < 100 +>0x402 beshort > -1 Minix filesystem, V2, 30 char names, %d zones +>0x1e string minix \b, bootable +0x410 beshort 0x2478 +>0x402 beshort !0 Minix filesystem, V2, 30 char names (big endian), %d zones +>0x1e string minix \b, bootable +0x410 leshort 0x4d5a +>0x402 beshort !0 Minix filesystem, V3, %d zones +>0x1e string minix \b, bootable + # SGI disk labels - Nathan Scott 0 belong 0x0BE5A941 SGI disk label (volume header) @@ -6098,14 +7398,14 @@ # 10 SS, 8 SPT # 11 DS, 8 SPT # -# 11111001 Double density 3 floppy disk, high density 5 -# 11110000 High density 3 floppy disk +# 11111001 Double density 3 1/2 floppy disk, high density 5 1/4 +# 11110000 High density 3 1/2 floppy disk # 11111000 Hard disk any format # # CDROM Filesystems # Modified for UDF by gerardo.cacciari@gmail.com -32769 string CD001 +32769 string CD001 # !:mime application/x-iso9660-image >38913 string !NSR0 ISO 9660 CD-ROM filesystem data >38913 string NSR0 UDF filesystem data @@ -6115,12 +7415,15 @@ >>38917 byte >0x33 (unknown version, ID 0x%X) >>38917 byte <0x31 (unknown version, ID 0x%X) # "application id" which appears to be used as a volume label ->32808 string >\0 '%s' +>32808 string/T >\0 '%s' >34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) !:mime application/x-iso9660-image 32776 string CDROM High Sierra CD-ROM filesystem data +# .cso files +0 string CISO Compressed ISO CD image + # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian >4 lelong x size %lu @@ -6166,11 +7469,70 @@ 0 string VoIP\ Startup\ and Aculab VoIP firmware >35 string x format %s -# u-boot/PPCBoot image file -# From: Mark Brown -0 belong 0x27051956 u-boot/PPCBoot image ->4 string PPCBoot ->>12 string x version %s +# From: Mark Brown [old] +# From: Behan Webster +0 belong 0x27051956 u-boot legacy uImage, +>32 string x %s, +>28 byte 0 Invalid os/ +>28 byte 1 OpenBSD/ +>28 byte 2 NetBSD/ +>28 byte 3 FreeBSD/ +>28 byte 4 4.4BSD/ +>28 byte 5 Linux/ +>28 byte 6 SVR4/ +>28 byte 7 Esix/ +>28 byte 8 Solaris/ +>28 byte 9 Irix/ +>28 byte 10 SCO/ +>28 byte 11 Dell/ +>28 byte 12 NCR/ +>28 byte 13 LynxOS/ +>28 byte 14 VxWorks/ +>28 byte 15 pSOS/ +>28 byte 16 QNX/ +>28 byte 17 Firmware/ +>28 byte 18 RTEMS/ +>28 byte 19 ARTOS/ +>28 byte 20 Unity OS/ +>28 byte 21 INTEGRITY/ +>29 byte 0 \bInvalid CPU, +>29 byte 1 \bAlpha, +>29 byte 2 \bARM, +>29 byte 3 \bIntel x86, +>29 byte 4 \bIA64, +>29 byte 5 \bMIPS, +>29 byte 6 \bMIPS 64-bit, +>29 byte 7 \bPowerPC, +>29 byte 8 \bIBM S390, +>29 byte 9 \bSuperH, +>29 byte 10 \bSparc, +>29 byte 11 \bSparc 64-bit, +>29 byte 12 \bM68K, +>29 byte 13 \bNios-32, +>29 byte 14 \bMicroBlaze, +>29 byte 15 \bNios-II, +>29 byte 16 \bBlackfin, +>29 byte 17 \bAVR32, +>29 byte 18 \bSTMicroelectronics ST200, +>30 byte 0 Invalid Image +>30 byte 1 Standalone Program +>30 byte 2 OS Kernel Image +>30 byte 3 RAMDisk Image +>30 byte 4 Multi-File Image +>30 byte 5 Firmware Image +>30 byte 6 Script File +>30 byte 7 Filesystem Image (any type) +>30 byte 8 Binary Flat Device Tree BLOB +>31 byte 0 (Not compressed), +>31 byte 1 (gzip), +>31 byte 2 (bzip2), +>31 byte 3 (lzma), +>12 belong x %d bytes, +>8 bedate x %s, +>16 belong x Load Address: 0x%08X, +>20 belong x Entry Point: 0x%08X, +>4 belong x Header CRC: 0x%08X, +>24 belong x Data CRC: 0x%08X # JFFS2 file system 0 leshort 0x1984 Linux old jffs2 filesystem data little endian @@ -6183,31 +7545,47 @@ >28 beshort <3 >>8 belong x %d bytes, >28 beshort >2 ->>63 bequad x %lld bytes, +>>28 beshort <4 +>>>63 bequad x %lld bytes, +>>28 beshort >3 +>>>40 bequad x %lld bytes, #>>67 belong x %d bytes, >4 belong x %d inodes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort >1 ->>51 belong x blocksize: %d bytes, ->39 bedate x created: %s +>>28 beshort <4 +>>>51 belong x blocksize: %d bytes, +>>28 beshort >3 +>>>12 belong x blocksize: %d bytes, +>28 beshort <4 +>>39 bedate x created: %s +>28 beshort >3 +>>8 bedate x created: %s 0 string hsqs Squashfs filesystem, little endian, >28 leshort x version %d. >30 leshort x \b%d, >28 leshort <3 >>8 lelong x %d bytes, >28 leshort >2 ->>63 lequad x %lld bytes, +>>28 leshort <4 +>>>63 lequad x %lld bytes, +>>28 leshort >3 +>>>40 lequad x %lld bytes, #>>63 lelong x %d bytes, >4 lelong x %d inodes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort >1 ->>51 lelong x blocksize: %d bytes, ->39 ledate x created: %s +>>28 leshort <4 +>>>51 lelong x blocksize: %d bytes, +>>28 leshort >3 +>>>12 lelong x blocksize: %d bytes, +>28 leshort <4 +>>39 ledate x created: %s +>28 leshort >3 +>>8 ledate x created: %s -0 string td\000 floppy image data (TeleDisk) - # AFS Dump Magic # From: Ty Sarna 0 string \x01\xb3\xa1\x13\x22 AFS Dump @@ -6223,6 +7601,10 @@ >>>>>>>>&0 bedate !0 incremental since: %s #---------------------------------------------------------- +#delta ISO Daniel Novotny (dnovotny@redhat.com) +0 string DISO Delta ISO data +>4 belong x version %d + # VMS backup savesets - gerardo.cacciari@gmail.com # 4 string \x01\x00\x01\x00\x01\x00 @@ -6267,13 +7649,17 @@ 0 string CPQRFBLO Compaq/HP RILOE floppy image #------------------------------------------------------------------------------ -# Files-11 On-Disk Structure (OpenVMS file system) - gerardo.cacciari@gmail.com -# These bits come from LBN 1 (home block) of ODS-2 and ODS-5 volumes, which is -# mapped to VBN 2 of [000000]INDEXF.SYS;1 +# Files-11 On-Disk Structure (File system for various RSX-11 and VMS flavours). +# These bits come from LBN 1 (home block) of ODS-1, ODS-2 and ODS-5 volumes, +# which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com # -1008 string DECFILE11B Files-11 On-Disk Structure +1008 string DECFILE11 Files-11 On-Disk Structure >525 byte x Level %d ->525 byte x (ODS-%d OpenVMS file system), +>525 byte x (ODS-%d); +>1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system; +>1017 string B +>>525 byte 2 VAX/VMS or OpenVMS file system; +>>525 byte 5 OpenVMS Alpha or Itanium file system; >984 string x volume label is '%-12.12s' # From: Thomas Klausner @@ -6288,14 +7674,32 @@ # From Eric Sandeen # GFS2 -0x10000 belong 0x01161970 GFS2 Filesystem ->0x10024 belong x (blocksize %d, ->0x10060 string >\0 lockproto %s) +0x10000 belong 0x01161970 +>0x10018 belong 0x0000051d GFS1 Filesystem +>>0x10024 belong x (blocksize %d, +>>0x10060 string >\0 lockproto %s) +>0x10018 belong 0x00000709 GFS2 Filesystem +>>0x10024 belong x (blocksize %d, +>>0x10060 string >\0 lockproto %s) +# BTRFS +0x10040 string _BHRfS_M BTRFS Filesystem +>0x1012b string >\0 (label "%s", +>0x10090 lelong x sectorsize %d, +>0x10094 lelong x nodesize %d, +>0x10098 lelong x leafsize %d) + + # dvdisaster's .ecc # From: "Nelson A. de Oliveira" 0 string *dvdisaster* dvdisaster error correction file +# xfs metadump image +# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog +# but can we do the << ? For now it's always 512 (0x200) anyway. +0 string XFSM +>0x200 string XFSB XFS filesystem metadump image + # Type: CROM filesystem # From: Werner Fink 0 string CROMFS CROMFS @@ -6308,7 +7712,74 @@ >44 ulelong >0 \b block size = %ld, >48 ulequad >0 \b bytes = %lld +# Type: xfs metadump image +# From: Daniel Novotny +# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog +# but can we do the << ? For now it's always 512 (0x200) anyway. +0 string XFSM +>0x200 string XFSB XFS filesystem metadump image + +# Type: delta ISO +# From: Daniel Novotny +0 string DISO Delta ISO data, +>4 belong x version %d + +# JFS2 (Journaling File System) image. (Old JFS1 has superblock at 0x1000.) +# See linux/fs/jfs/jfs_superblock.h for layout; see jfs_filsys.h for flags. +# From: Adam Buchbinder +0x8000 string JFS1 +# Because it's text-only magic, check a binary value (version) to be sure. +# Should always be 2, but mkfs.jfs writes it as 1. Needs to be 2 or 1 to be +# mountable. +>&0 lelong <3 JFS2 filesystem image +# Label is followed by a UUID; we have to limit string length to avoid +# appending the UUID in the case of a 16-byte label. +>>&144 regex [\x20-\x7E]{1,16} (label "%s") +>>&0 lequad x \b, %lld blocks +>>&8 lelong x \b, blocksize %d +>>&32 lelong&0x00000006 >0 (dirty) +>>&36 lelong >0 (compressed) + +# LFS +0 lelong 0x070162 LFS filesystem image +>4 lelong 1 version 1, +>>8 lelong x \b blocks %u, +>>12 lelong x \b blocks per segment %u, +>4 lelong 2 version 2, +>>8 lelong x \b fragments %u, +>>12 lelong x \b bytes per segment %u, +>16 lelong x \b disk blocks %u, +>20 lelong x \b block size %u, +>24 lelong x \b fragment size %u, +>28 lelong x \b fragments per block %u, +>32 lelong x \b start for free list %u, +>36 lelong x \b number of free blocks %d, +>40 lelong x \b number of files %u, +>44 lelong x \b blocks available for writing %d, +>48 lelong x \b inodes in cache %d, +>52 lelong x \b inode file disk address 0x%x, +>56 lelong x \b inode file inode number %u, +>60 lelong x \b address of last segment written 0x%x, +>64 lelong x \b address of next segment to write 0x%x, +>68 lelong x \b address of current segment written 0x%x + +0 string td\000 floppy image data (TeleDisk, compressed) +0 string TD\000 floppy image data (TeleDisk) + +0 string CQ\024 floppy image data (CopyQM, +>16 leshort x %d sectors, +>18 leshort x %d heads.) + +0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) + +0 beshort 0xAA58 floppy image data (IBM SaveDskF, old) +0 beshort 0xAA59 floppy image data (IBM SaveDskF) +0 beshort 0xAA5A floppy image data (IBM SaveDskF, compressed) + +0 string \074CPM_Disk\076 disk image data (YAZE) + #------------------------------------------------------------------------------ +# $File: flash,v 1.9 2009/11/08 01:30:01 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See @@ -6326,9 +7797,14 @@ !:mime video/x-flv # +# Yosu Gomez +0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document +0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document # From Dave Wilson 0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document + #------------------------------------------------------------------------------ +# $File: fonts,v 1.26 2013/03/09 22:36:00 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -6336,13 +7812,23 @@ 0 short 017001 byte-swapped Berkeley vfont data # PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com -0 search/1 %!PS-AdobeFont-1. PostScript Type 1 font text ->20 search/1 >\0 (%s) +0 string %!PS-AdobeFont-1. PostScript Type 1 font text +>20 string >\0 (%s) 6 string %!PS-AdobeFont-1. PostScript Type 1 font program data +0 string %!FontType1 PostScript Type 1 font program data +6 string %!FontType1 PostScript Type 1 font program data +0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text # X11 font files in SNF (Server Natural Format) format +# updated by Joerg Jenderek at Feb 2013 +# http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm 0 belong 00000004 X11 SNF font data, MSB first -0 lelong 00000004 X11 SNF font data, LSB first +#>104 belong 00000004 X11 SNF font data, MSB first +!:mime application/x-font-sfn +# GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX +0 lelong 00000004 +>104 lelong 00000004 X11 SNF font data, LSB first +!:mime application/x-font-sfn # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 STARTFONT\ X11 BDF font text @@ -6381,20 +7867,51 @@ # True Type fonts 0 string \000\001\000\000\000 TrueType font data +!:mime application/x-font-ttf 0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font 0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font +# TrueType/OpenType font collections (.ttc) +# http://www.microsoft.com/typography/otspec/otff.htm +0 string ttcf TrueType font collection data +>4 belong 0x00010000 \b, 1.0 +>>8 belong >0 \b, %d fonts +>4 belong 0x00020000 \b, 2.0 +>>8 belong >0 \b, %d fonts +# 0x44454947 = 'DSIG' +>>>16 belong 0x44534947 \b, digitally signed + # Opentype font data from Avi Bercovich -0 string OTTO OpenType font data +0 string OTTO OpenType font data +!:mime application/vnd.ms-opentype -# Gürkan Sengün , www.linuks.mine.nu +# Gurkan Sengun , www.linuks.mine.nu 0 string SplineFontDB: Spline Font Database +!:mime application/vnd.font-fontforge-sfd >14 string x version %s + +# EOT +34 string LP Embedded OpenType (EOT) +!:mime application/vnd.ms-fontobject + +# Web Open Font Format (.woff) +# http://www.w3.org/TR/WOFF/ +0 string wOFF Web Open Font Format +>4 belong x \b, flavor %d +>8 belong x \b, length %d +>20 beshort x \b, version %hd +>22 beshort x \b.%hd + +#------------------------------------------------------------------------------ +# $File: fortran,v 1.7 2012/06/21 01:55:02 christos Exp $ # FORTRAN source -0 string/c c\ FORTRAN program +0 regex/100 \^[Cc][\ \t] FORTRAN program !:mime text/x-fortran +!:strength - 5 + #------------------------------------------------------------------------------ +# $File: frame,v 1.12 2009/09/19 16:28:09 christos Exp $ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is @@ -6444,6 +7961,7 @@ !:mime application/x-mif #------------------------------------------------------------------------------ +# $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $ # freebsd: file(1) magic for FreeBSD objects # # All new-style FreeBSD magic numbers are in host byte order (i.e., @@ -6587,6 +8105,7 @@ >>11 byte x %d chars high #------------------------------------------------------------------------------ +# $File: fsav,v 1.11 2009/09/19 16:28:09 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) @@ -6647,7 +8166,21 @@ # Type: Grisoft AVG AntiVirus # From: David Newgas 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data + #------------------------------------------------------------------------------ +# $File: fusecompress,v 1.2 2011/08/08 09:05:55 christos Exp $ +# fusecompress: file(1) magic for fusecompress +0 string \037\135\211 FuseCompress(ed) data +>3 byte 0x00 (none format) +>3 byte 0x01 (bz2 format) +>3 byte 0x02 (gz format) +>3 byte 0x03 (lzo format) +>3 byte 0x04 (xor format) +>3 byte >0x04 (unknown format) +>4 long x uncompressed size: %d + +#------------------------------------------------------------------------------ +# $File: games,v 1.13 2012/02/13 22:50:50 christos Exp $ # games: file(1) for games # Fabio Bonelli @@ -6682,6 +8215,7 @@ # Quake 0 string PACK Quake I or II world or extension +>8 lelong >0 \b, %d entries #0 string -1\x0a Quake I demo #>30 string x version %.4s @@ -6801,6 +8335,11 @@ 0 string =PWAD doom patch PWAD data >4 lelong x containing %d lumps +# Build engine group files (Duke Nukem, Shadow Warrior, ...) +# Extension: .grp +# Created by: "Ganael Laplanche" +0 string KenSilverman Build engine group file +>12 lelong x containing %d files # Summary: Warcraft 3 save # Extension: .w3g @@ -6821,7 +8360,7 @@ # Modified by (1): Abel Cheung (regex, more game format) # FIXME: Some games don't have GM (game type) 0 regex \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format ->2 search/0x200 GM[ +>2 search/0x200/b GM[ >>&0 string 1] (Go) >>&0 string 2] (Othello) >>&0 string 3] (chess) @@ -6863,13 +8402,6 @@ >>&0 string 39] (Gipf) >>&0 string 40] (Kropki) - -# Summary: Civilization 4 video -# Extension: .bik -# Created by: Abel Cheung -0 string BIKi Civilization 4 Video - - ############################################## # NetImmerse/Gamebryo game engine entries @@ -6904,7 +8436,16 @@ >2 regex/c GM\\[20\\] - Gess Game >2 regex/c GM\\[21\\] - twix Game +# Epic Games/Unreal Engine Package +# +0 lelong 0x9E2A83C1 Unreal Engine Package, +>4 leshort x version: %i +>12 lelong !0 \b, names: %i +>28 lelong !0 \b, imports: %i +>20 lelong !0 \b, exports: %i + #------------------------------------------------------------------------------ +# $File: gcc,v 1.4 2009/09/19 16:28:09 christos Exp $ # gcc: file(1) magic for GCC special files # 0 string gpch GCC precompiled header @@ -6921,6 +8462,124 @@ >4 byte 79 for Objective C++ #------------------------------------------------------------------------------ +# $File: geo,v 1.3 2013/01/04 00:47:02 christos Exp $ +# Geo- files from Kurt Schwehr + +###################################################################### +# +# Acoustic Doppler Current Profilers (ADCP) +# +###################################################################### + +0 beshort 0x7f7f RDI Acoustic Doppler Current Profiler (ADCP) + +###################################################################### +# +# Metadata +# +###################################################################### + +0 string Identification_Information FGDC ASCII metadata + +###################################################################### +# +# Seimsic / Subbottom +# +###################################################################### + +# Knudsen subbottom chirp profiler - Binary File Format: B9 +# KEB D409-03167 V1.75 Huffman +0 string KEB\ Knudsen seismic KEL binary (KEB) - +>4 regex [-A-Z0-9]* Software: %s +>>&1 regex V[0-9]*\.[0-9]* version %s + +###################################################################### +# +# LIDAR - Laser altimetry or bathy +# +###################################################################### + + +# Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data +0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar +>4 regex [0-9]*\.[0-9]* version %s + +0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data +>3 byte x version %d . +>4 byte x %d + + +###################################################################### +# +# MULTIBEAM SONARS http://www.ldeo.columbia.edu/res/pi/MB-System/formatdoc/ +# +###################################################################### + +# GeoAcoustics - GeoSwath Plus +4 beshort 0x2002 GeoSwath RDF +0 string Start:- GeoSwatch auf text file + +# Seabeam 2100 +# mbsystem code mb41 +0 string SB2100 SeaBeam 2100 multibeam sonar +0 string SB2100DR SeaBeam 2100 DR multibeam sonar +0 string SB2100PR SeaBeam 2100 PR multibeam sonar + +# This corresponds to MB-System format 94, L-3/ELAC/SeaBeam XSE vendor +# format. It is the format of our upgraded SeaBeam 2112 on R/V KNORR. +0 string $HSF XSE multibeam + +# mb121 http://www.saic.com/maritime/gsf/ +8 string GSF-v SAIC generic sensor format (GSF) sonar data, +>&0 regex [0-9]*\.[0-9]* version %s + +# MGD77 - http://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm +# mb161 +9 string MGD77 MGD77 Header, Marine Geophysical Data Exchange Format + +# MBSystem processing caches the mbinfo output +1 string Swath\ Data\ File: mbsystem info cache + +# Caris John Hughes Clark format +0 string HDCS Caris multibeam sonar related data +1 string Start/Stop\ parameter\ header: Caris ASCII project summary + +###################################################################### +# +# Visualization and 3D modeling +# +###################################################################### + +# IVS - IVS3d.com Tagged Data Represetation +0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file + +# http://www.ecma-international.org/publications/standards/Ecma-363.htm +# 3D in PDFs +0 string U3D ECMA-363, Universal 3D + +###################################################################### +# +# Support files +# +###################################################################### + +# https://midas.psi.ch/elog/ +0 string $@MID@$ elog journal entry + +# Geospatial Designs http://www.geospatialdesigns.com/surfer6_format.htm +0 string DSBB Surfer 6 binary grid file +>4 leshort x \b, %d +>6 leshort x \bx%d +>8 ledouble x \b, minx=%g +>16 ledouble x \b, maxx=%g +>24 ledouble x \b, miny=%g +>32 ledouble x \b, maxy=%g +>40 ledouble x \b, minz=%g +>48 ledouble x \b, maxz=%g + + +#------------------------------------------------------------------------------ +# $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $ # GEOS files (Vidar Madsen, vidar@gimp.org) # semi-commonly used in embedded and handheld systems. 0 belong 0xc745c153 GEOS @@ -6938,7 +8597,9 @@ #>52 short x \b, proto %d #>54 short x \br%d #>168 string >\0 \b, copyright "%s" + #------------------------------------------------------------------------------ +# $File: gimp,v 1.7 2010/09/20 18:55:20 rrt Exp $ # GIMP Gradient: file(1) magic for the GIMP's gradient data files # by Federico Mena @@ -6950,6 +8611,7 @@ # ('Bucky' LaDieu, nega@vt.edu) 0 string gimp\ xcf GIMP XCF image data, +!:mime image/x-xcf >9 string file version 0, >9 string v version >>10 string >\0 %s, @@ -6978,13 +8640,17 @@ # GIMP Curves File # From: "Nelson A. de Oliveira" 0 string #\040GIMP\040Curves\040File GIMP curve file -# GNOME keyring + +#------------------------------------------------------------------------------ +# $File: gnome,v 1.3 2013/02/05 15:20:47 christos Exp $ +# GNOME related files + # Contributed by Josh Triplett # FIXME: Could be simplified if pstring supported two-byte counts 0 string GnomeKeyring\n\r\0\n GNOME keyring >&0 ubyte 0 \b, major version 0 >>&0 ubyte 0 \b, minor version 0 ->>>&0 ubyte 0 \b, crypto type 0 (AEL) +>>>&0 ubyte 0 \b, crypto type 0 (AES) >>>&0 ubyte >0 \b, crypto type %hhu (unknown) >>>&1 ubyte 0 \b, hash type 0 (MD5) >>>&1 ubyte >0 \b, hash type %hhu (unknown) @@ -7001,21 +8667,64 @@ >>>>>>&24 ubelong x \b, hash iterations %u >>>>>>&28 ubequad x \b, salt %llu >>>>>>&52 ubelong x \b, %u item(s) + +# From: Alex Beregszaszi +4 string gtktalog GNOME Catalogue (gtktalog) +>13 string >\0 version %s + +# Summary: GStreamer binary registry +# Extension: .bin +# Submitted by: Josh Triplett +0 belong 0xc0def00d GStreamer binary registry +>4 string x \b, version %s + +# GVariant Database file +# By Elan Ruusamae +# https://github.com/GNOME/gvdb/blob/master/gvdb-format.h +# It's always "GVariant", it's byte swapped on incompatible archs +# See https://github.com/GNOME/gvdb/blob/master/gvdb-builder.c +# file_builder_serialise() +# http://developer.gnome.org/glib/2.34/glib-GVariant.html#GVariant +0 string GVariant GVariant Database file, +# version is never filled. probably future extension +>8 lelong x version %d +# not sure are these usable, so commented out +#>>16 lelong x start %d, +#>>>20 lelong x end %d + +# G-IR database made by gobject-introspect toolset, +# http://live.gnome.org/GObjectIntrospection +0 string GOBJ\nMETADATA\r\n\032 G-IR binary database +>16 byte x \b, v%d +>17 byte x \b.%d +>20 leshort x \b, %d entries +>22 leshort x \b/%d local + #------------------------------------------------------------------------------ +# $File: gnu,v 1.14 2012/10/03 23:38:12 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format # +# GNU message catalog (.mo and .gmo files) + 0 string \336\22\4\225 GNU message catalog (little endian), ->4 lelong x revision %d, ->8 lelong x %d messages +>6 leshort x revision %d. +>4 leshort >0 \b%d, +>>8 lelong x %d messages, +>>36 lelong x %d sysdep messages +>4 leshort =0 \b%d, +>>8 lelong x %d messages + 0 string \225\4\22\336 GNU message catalog (big endian), ->4 belong x revision %d, ->8 belong x %d messages -# message catalogs, from Mitchum DSouza -0 string *nazgul* Nazgul style compiled message catalog ->8 lelong >0 \b, version %ld +>4 beshort x revision %d. +>6 beshort >0 \b%d, +>>8 belong x %d messages, +>>36 belong x %d sysdep messages +>6 beshort =0 \b%d, +>>8 belong x %d messages + # GnuPG # The format is very similar to pgp 0 string \001gpg GPG key trust database @@ -7029,6 +8738,21 @@ 0 beshort 0x9901 GPG key public ring !:mime application/x-gnupg-keyring +# Symmetric encryption +0 leshort 0x0d8c +>4 leshort 0x0203 +>>2 leshort 0x0204 GPG symmetrically encrypted data (3DES cipher) +>>2 leshort 0x0304 GPG symmetrically encrypted data (CAST5 cipher) +>>2 leshort 0x0404 GPG symmetrically encrypted data (BLOWFISH cipher) +>>2 leshort 0x0704 GPG symmetrically encrypted data (AES cipher) +>>2 leshort 0x0804 GPG symmetrically encrypted data (AES192 cipher) +>>2 leshort 0x0904 GPG symmetrically encrypted data (AES256 cipher) +>>2 leshort 0x0a04 GPG symmetrically encrypted data (TWOFISH cipher) +>>2 leshort 0x0b04 GPG symmetrically encrypted data (CAMELLIA128 cipher) +>>2 leshort 0x0c04 GPG symmetrically encrypted data (CAMELLIA192 cipher) +>>2 leshort 0x0d04 GPG symmetrically encrypted data (CAMELLIA256 cipher) + + # Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps @@ -7044,7 +8768,12 @@ 0 long 0xDE120495 GNU-format message catalog data 0 long 0x950412DE GNU-format message catalog data +# gettext message catalogue +0 regex \^msgid\ GNU gettext message catalogue text +!:mime text/x-po + #------------------------------------------------------------------------------ +# $File: gnumeric,v 1.4 2009/09/19 16:28:09 christos Exp $ # gnumeric: file(1) magic for Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps @@ -7052,6 +8781,248 @@ !:mime application/x-gnumeric #------------------------------------------------------------------------------ +# $File: gpt,v 1.1 2013/02/18 18:31:09 christos Exp $ +# +# GPT Partition table patterns. +# Author: Rogier Goossens (goossens.rogier@gmail.com) +# Note that a GPT-formatted disk must contain an MBR as well. +# + +# The initial segment (up to >>>>>>>>422) was copied from the X86 +# partition table code (aka MBR). +# This is kept separate, so that MBR partitions are not reported as well. +# (use -k if you do want them as well) + +# First, detect the MBR partiton table +# If more than one GPT protective MBR partition exists, don't print anything +# (the other MBR detection code will then just print the MBR partition table) +0x1FE leshort 0xAA55 +>3 string !MS +>>3 string !SYSLINUX +>>>3 string !MTOOL +>>>>3 string !NEWLDR +>>>>>5 string !DOS +# not FAT (32 bit) +>>>>>>82 string !FAT32 +#not Linux kernel +>>>>>>>514 string !HdrS +#not BeOS +>>>>>>>>422 string !Be\ Boot\ Loader +# GPT with protective MBR entry in partition 1 (only) +>>>>>>>>>450 ubyte 0xee +>>>>>>>>>>466 ubyte !0xee +>>>>>>>>>>>482 ubyte !0xee +>>>>>>>>>>>>498 ubyte !0xee +#>>>>>>>>>>>>>446 use gpt-mbr-partition +>>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(454.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(454.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(454.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(454.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(454.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(454.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(454.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes +# GPT with protective MBR entry in partition 2 (only) +>>>>>>>>>450 ubyte !0xee +>>>>>>>>>>466 ubyte 0xee +>>>>>>>>>>>482 ubyte !0xee +>>>>>>>>>>>>498 ubyte !0xee +#>>>>>>>>>>>>>462 use gpt-mbr-partition +>>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(470.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(470.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(470.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(470.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(470.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(470.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(470.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes +# GPT with protective MBR entry in partition 3 (only) +>>>>>>>>>450 ubyte !0xee +>>>>>>>>>>466 ubyte !0xee +>>>>>>>>>>>482 ubyte 0xee +>>>>>>>>>>>>498 ubyte !0xee +#>>>>>>>>>>>>>478 use gpt-mbr-partition +>>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(486.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(486.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(486.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(486.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(486.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(486.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(486.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes +# GPT with protective MBR entry in partition 4 (only) +>>>>>>>>>450 ubyte !0xee +>>>>>>>>>>466 ubyte !0xee +>>>>>>>>>>>482 ubyte !0xee +>>>>>>>>>>>>498 ubyte 0xee +#>>>>>>>>>>>>>494 use gpt-mbr-partition +>>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>(502.l*8192) string !EFI\ PART +>>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes +>>>>>>>>>>>>>>(502.l*4096) string !EFI\ PART +>>>>>>>>>>>>>>>(502.l*2048) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes +>>>>>>>>>>>>>>>(502.l*2048) string !EFI\ PART +>>>>>>>>>>>>>>>>(502.l*1024) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes +>>>>>>>>>>>>>>>>(502.l*1024) string !EFI\ PART +>>>>>>>>>>>>>>>>>(502.l*512) string EFI\ PART GPT partition table +>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type +>>>>>>>>>>>>>>>>>>&-8 use gpt-table +>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes + +# The following code does GPT detection and processing, including +# sector size detection. +# It has to be duplicated above because the top-level pattern +# (i.e. not called using 'use') must print *something* for file +# to count it as a match. Text only printed in named patterns is +# not counted, and causes file to continue, and try and match +# other patterns. +# +# Unfortunately, when assuming sector sizes >=16k, if the sector size +# happens to be 512 instead, we may find confusing data after the GPT +# table... If the GPT table has less than 128 entries, this may even +# happen for assumed sector sizes as small as 4k +# This could be solved by checking for the presence of the backup GPT +# header as well, but that makes the logic extremely complex +##0 name gpt-mbr-partition +##>(8.l*8192) string EFI\ PART +##>>(8.l*8192) use gpt-mbr-type +##>>&-8 use gpt-table +##>>0 ubyte x of 8192 bytes +##>(8.l*8192) string !EFI\ PART +##>>(8.l*4096) string EFI\ PART GPT partition table +##>>>0 use gpt-mbr-type +##>>>&-8 use gpt-table +##>>>0 ubyte x of 4096 bytes +##>>(8.l*4096) string !EFI\ PART +##>>>(8.l*2048) string EFI\ PART GPT partition table +##>>>>0 use gpt-mbr-type +##>>>>&-8 use gpt-table +##>>>>0 ubyte x of 2048 bytes +##>>>(8.l*2048) string !EFI\ PART +##>>>>(8.l*1024) string EFI\ PART GPT partition table +##>>>>>0 use gpt-mbr-type +##>>>>>&-8 use gpt-table +##>>>>>0 ubyte x of 1024 bytes +##>>>>(8.l*1024) string !EFI\ PART +##>>>>>(8.l*512) string EFI\ PART GPT partition table +##>>>>>>0 use gpt-mbr-type +##>>>>>>&-8 use gpt-table +##>>>>>>0 ubyte x of 512 bytes + +# Print details of MBR type for a GPT-disk +# Calling code ensures that there is only one 0xee partition. +0 name gpt-mbr-type +# GPT with protective MBR entry in partition 1 +>450 ubyte 0xee +>>454 ulelong 1 +>>>462 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>454 ulelong !1 \b (nonstandard: not at LBA 1) +# GPT with protective MBR entry in partition 2 +>466 ubyte 0xee +>>470 ulelong 1 +>>>478 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>>478 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>470 ulelong !1 \b (nonstandard: not at LBA 1) +# GPT with protective MBR entry in partition 3 +>482 ubyte 0xee +>>486 ulelong 1 +>>>494 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>>494 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>486 ulelong !1 \b (nonstandard: not at LBA 1) +# GPT with protective MBR entry in partition 4 +>498 ubyte 0xee +>>502 ulelong 1 +>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) +>>502 ulelong !1 \b (nonstandard: not at LBA 1) + +# Print the information from a GPT partition table structure +0 name gpt-table +>10 uleshort x \b, version %u +>8 uleshort x \b.%u +# a GUID is just like a UUID, except it's displayed mixed-endian. +>56 ulelong x \b, GUID: %08x +>60 uleshort x \b-%04x +>62 uleshort x \b-%04x +>64 ubeshort x \b-%04x +>66 ubeshort x \b-%04x +>68 ubelong x \b%08x +#>80 uleshort x \b, %d partition entries +>32 ulequad+1 x \b, disk size: %lld sectors + +# In case a GPT data-structure is at LBA 0, report it as well +# This covers systems which are not GPT-aware, and which show +# and allow access to the protective partition. This code will +# detect the contents of such a partition. +0 string EFI\ PART GPT data structure (nonstandard: at LBA 0) +>0 use gpt-table +>0 ubyte x (sector size unknown) + + + +#------------------------------------------------------------------------------ +# $File: grace,v 1.4 2009/09/19 16:28:09 christos Exp $ # ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE # # ACE/gr binary @@ -7072,13 +9043,19 @@ # end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE #------------------------------------------------------------------------------ +# $File: graphviz,v 1.7 2009/09/19 16:28:09 christos Exp $ # graphviz: file(1) magic for http://www.graphviz.org/ -0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]*.*\\{ graphviz graph text -!:mime text/vnd.graphviz -0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]*.*\\{ graphviz digraph text -!:mime text/vnd.graphviz +# FIXME: These patterns match too generally. For example, the first +# line matches a LaTeX file containing the word "graph" (with a { +# following later) and the second line matches this file. +#0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text +#!:mime text/vnd.graphviz +#0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text +#!:mime text/vnd.graphviz + #------------------------------------------------------------------------------ +# $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo @@ -7126,11 +9103,28 @@ >3 string >3 v.%.1s (unknown details) #------------------------------------------------------------------------------ +# $File: guile,v 1.1 2011/12/16 17:44:33 christos Exp $ +# Guile file magic from +# http://www.gnu.org/s/guile/ +# http://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 + +0 string GOOF---- Guile Object +>8 string LE \b, little endian +>8 string BE \b, big endian +>11 string 4 \b, 32bit +>11 string 8 \b, 64bit +>13 regex .\.. \b, bytecode v%s + +#------------------------------------------------------------------------------ +# $File: hitachi-sh,v 1.6 2013/01/29 19:31:33 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF # +# below test line conflicts with 2nd NTFS filesystem sector 0 beshort 0x0500 Hitachi SH big-endian COFF +# 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR +#0 ubelong&0xFFFFNMPQ 0x0500NMPQ Hitachi SH big-endian COFF >18 beshort&0x0002 =0x0000 object >18 beshort&0x0002 =0x0002 executable >18 beshort&0x0008 =0x0008 \b, stripped @@ -7142,7 +9136,9 @@ >18 leshort&0x0008 =0x0008 \b, stripped >18 leshort&0x0008 =0x0000 \b, not stripped + #------------------------------------------------------------------------------ +# $File: hp,v 1.23 2009/09/19 16:28:09 christos Exp $ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be @@ -7581,6 +9577,7 @@ #------------------------------------------------------------------------------ +# $File: human68k,v 1.5 2009/09/19 16:28:09 christos Exp $ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats # Magic too short! #0 string HU Human68k @@ -7606,6 +9603,7 @@ #2 string #HUPAIR Human68k hupair R executable #------------------------------------------------------------------------------ +# $File: ibm370,v 1.8 2009/09/19 16:28:09 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". @@ -7653,6 +9651,7 @@ >24 belong >0 - version %ld #------------------------------------------------------------------------------ +# $File: ibm6000,v 1.11 2013/01/08 20:13:01 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -7670,8 +9669,68 @@ 0 string \ archive 0 string \ archive (big format) +0 beshort 0x01f7 64-bit XCOFF executable or object module +>20 belong 0 not stripped +4 belong &0x0feeddb0 AIX core file +>1 byte &0x01 fulldump +>7 byte &0x01 32-bit +>>0x6e0 string >\0 \b, %s +>7 byte &0x02 64-bit +>>0x524 string >\0 \b, %s #------------------------------------------------------------------------------ +# $File: icc,v 1.1 2013/01/08 01:43:18 christos Exp $ +# icc: file(1) magic for International Color Consortium file formats + +# +# Color profiles as per the ICC's "Image technology colour management - +# Architecture, profile format, and data structure" specification. +# See +# +# http://www.color.org/specification/ICC1v43_2010-12.pdf +# +# for Specification ICC.1:2010 (Profile version 4.3.0.0). +# +# Bytes 36 to 39 contain a generic profile file signature of "acsp"; +# bytes 40 to 43 "may be used to identify the primary platform/operating +# system framework for which the profile was created". +# +# There are other fields that might be worth dumping as well. +# + +# This appears to be what's used for Apple ColorSync profiles. +# Instead of adding that, Apple just changed the generic "acsp" entry +# to be for "ColorSync ICC Color Profile" rather than "Kodak Color +# Management System, ICC Profile". +# Yes, it's "APPL", not "AAPL"; see the spec. +36 string acspAPPL ColorSync ICC Profile +!:mime application/vnd.iccprofile + +# Microsoft ICM color profile +36 string acspMSFT Microsoft ICM Color Profile +!:mime application/vnd.iccprofile + +# Yes, that's a blank after "SGI". +36 string acspSGI\ SGI ICC Profile +!:mime application/vnd.iccprofile + +# XXX - is this what's used for the Sun KCMS or not? The standard file +# uses just "acsp" for that, but Apple's file uses it for "ColorSync", +# and there *is* an identified "primary platform" value of SUNW. +36 string acspSUNW Sun KCMS ICC Profile +!:mime application/vnd.iccprofile + +# Any other profile. +# XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles, +# and use "acsp" for everything else and dump the "primary platform" +# string in those cases? +36 string acsp ICC Profile +!:mime application/vnd.iccprofile + + + +#------------------------------------------------------------------------------ +# $File: iff,v 1.13 2011/09/06 11:00:06 christos Exp $ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic @@ -7723,6 +9782,13 @@ >8 string AMFF \b, AMFF AmigaMetaFile format >8 string WZRD \b, WZRD StormWIZARD resource >8 string DOC\ \b, DOC desktop publishing document +>8 string WVQA \b, Westwood Studios VQA Multimedia, +>>24 leshort x %d video frames, +>>26 leshort x %d x +>>28 leshort x %d +>8 string MOVE \b, Wing Commander III Video +>>12 string _PC_ \b, PC version +>>12 string 3DO_ \b, 3DO version # These go at the end of the iff rules # @@ -7733,7 +9799,9 @@ >8 string IFRS \b, Blorb Interactive Fiction >>24 string Exec with executable chunk >8 string IFZS \b, Z-machine or Glulx saved game file (Quetzal) + #------------------------------------------------------------------------------ +# $File: images,v 1.81 2013/03/09 22:36:00 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -7765,17 +9833,42 @@ # PBMPLUS images # The next byte following the magic is always whitespace. -0 search/1 P1 Netpbm PBM image text +# strength is changed to try these patterns before "x86 boot sector" +0 search/1 P1 +>3 regex =[0-9]*\ [0-9]* Netpbm PBM image text +>3 regex =[0-9]+\ \b, size = %sx +>>3 regex =\ [0-9]+ \b%s +!:strength + 45 !:mime image/x-portable-bitmap -0 search/1 P2 Netpbm PGM image text +0 search/1 P2 +>3 regex =[0-9]*\ [0-9]* Netpbm PGM image text +>3 regex =[0-9]+\ \b, size = %sx +>>3 regex =\ [0-9]+ \b%s +!:strength + 45 !:mime image/x-portable-greymap 0 search/1 P3 Netpbm PPM image text +>3 regex =[0-9]*\ [0-9]* Netpbm PPM image text +>3 regex =[0-9]+\ \b, size = %sx +>>3 regex =\ [0-9]+ \b%s +!:strength + 45 !:mime image/x-portable-pixmap -0 string P4 Netpbm PBM "rawbits" image data +0 string P4 +>3 regex =[0-9]*\ [0-9]* Netpbm PBM "rawbits" image data +>3 regex =[0-9]+\ \b, size = %sx +>>3 regex =\ [0-9]+ \b%s +!:strength + 45 !:mime image/x-portable-bitmap -0 string P5 Netpbm PGM "rawbits" image data +0 string P5 +>3 regex =[0-9]*\ [0-9]* Netpbm PGM "rawbits" image data +>3 regex =[0-9]+\ \b, size = %sx +>>3 regex =\ [0-9]+ \b%s +!:strength + 45 !:mime image/x-portable-greymap -0 string P6 Netpbm PPM "rawbits" image data +0 string P6 +>3 regex =[0-9]*\ [0-9]* Netpbm PPM "rawbits" image data +>3 regex =[0-9]+\ \b, size = %sx +>>3 regex =\ [0-9]+ \b%s +!:strength + 45 !:mime image/x-portable-pixmap 0 string P7 Netpbm PAM image file !:mime image/x-portable-pixmap @@ -7796,6 +9889,25 @@ 0 string IIN1 NIFF image data !:mime image/x-niff +# Canon RAW version 1 (CRW) files are a type of Canon Image File Format +# (CIFF) file. These are apparently all little-endian. +# From: Adam Buchbinder +# URL: http://www.sno.phy.queensu.ca/~phil/exiftool/canon_raw.html +0 string II\x1a\0\0\0HEAPCCDR Canon CIFF raw image data +!:mime image/x-canon-crw +>16 leshort x \b, version %d. +>14 leshort x \b%d + +# Canon RAW version 2 (CR2) files are a kind of TIFF with an extra magic +# number. Put this above the TIFF test to make sure we detect them. +# These are apparently all little-endian. +# From: Adam Buchbinder +# URL: http://libopenraw.freedesktop.org/wiki/Canon_CR2 +0 string II\x2a\0\x10\0\0\0CR Canon CR2 raw image data +!:mime image/x-canon-cr2 +>10 byte x \b, version %d. +>11 byte x \b%d + # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. @@ -7804,13 +9916,18 @@ 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff +0 string MM\x00\x2b Big TIFF image data, big-endian +!:mime image/tiff +0 string II\x2b\x00 Big TIFF image data, little-endian +!:mime image/tiff + # PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # -0 string \x89PNG\x0d\x0a\x1a\x0a PNG image +0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data !:mime image/png >16 belong x \b, %ld x >20 belong x %ld, @@ -7845,6 +9962,7 @@ # GIF 0 string GIF8 GIF image data !:mime image/gif +!:apple 8BIMGIFf >4 string 7a \b, version 8%s, >4 string 9a \b, version 8%s, >6 leshort >0 %hd x @@ -7911,6 +10029,32 @@ # From: Herbert Rosmanith 0 string Sfff structured fax file +# From: Joerg Jenderek +# most files with the extension .EPA and some with .BMP +0 string \x11\x06 Award BIOS Logo, 136 x 84 +!:mime image/x-award-bioslogo +0 string \x11\x09 Award BIOS Logo, 136 x 126 +!:mime image/x-award-bioslogo +#0 string \x07\x1f BIOS Logo corrupted? +# http://www.blackfiveservices.co.uk/awbmtools.shtml +# http://biosgfx.narod.ru/v3/ +# http://biosgfx.narod.ru/abr-2/ +0 string AWBM +>4 leshort <1981 Award BIOS bitmap +!:mime image/x-award-bmp +# image width is a multiple of 4 +>>4 leshort&0x0003 0 +>>>4 leshort x \b, %d +>>>6 leshort x x %d +>>4 leshort&0x0003 >0 \b, +>>>4 leshort&0x0003 =1 +>>>>4 leshort x %d+3 +>>>4 leshort&0x0003 =2 +>>>>4 leshort x %d+2 +>>>4 leshort&0x0003 =3 +>>>>4 leshort x %d+1 +>>>6 leshort x x %d +# at offset 8 starts imagedata followed by "RGB " marker # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) 0 string BM @@ -7941,8 +10085,8 @@ #0 string BA PC bitmap array data # XPM icons (Greg Roelofs, newt@uchicago.edu) -# note possible collision with C/REXX entry in c-lang; currently commented out 0 search/1 /*\ XPM\ */ X pixmap image text +!:mime image/x-xpmi # Utah Raster Toolkit RLE images (janl@ifi.uio.no) 0 leshort 0xcc52 RLE image data, @@ -8042,11 +10186,20 @@ # As described in /usr/X11R6/include/X11/XWDFile.h # used by the xwd program. # Bradford Castalia, idaeim, 1/01 -4 belong 7 XWD X Window Dump image data ->100 string >\0 \b, "%s" ->16 belong x \b, %dx ->20 belong x \b%dx ->12 belong x \b%d +# updated by Adam Buchbinder, 2/09 +# The following assumes version 7 of the format; the first long is the length +# of the header, which is at least 25 4-byte longs, and the one at offset 8 +# is a constant which is always either 1 or 2. Offset 12 is the pixmap depth, +# which is a maximum of 32. +0 belong >100 +>8 belong <3 +>>12 belong <33 +>>>4 belong 7 XWD X Window Dump image data +!:mime image/x-xwindowdump +>>>>100 string >\0 \b, "%s" +>>>>16 belong x \b, %dx +>>>>20 belong x \b%dx +>>>>12 belong x \b%d # PDS - Planetary Data System # These files use Parameter Value Language in the header section. @@ -8075,7 +10228,7 @@ >5 byte 0x00 (white background) >5 byte 0xFF (black background) -# Gürkan Sengün , www.linuks.mine.nu +# Gurkan Sengun , www.linuks.mine.nu # http://www.atarimax.com/jindroush.atari.org/afmtatr.html 0 leshort 0x0296 Atari ATR image @@ -8100,42 +10253,63 @@ #>12 beshort 3 RP175 #>12 beshort 4 YUV -#------------------------------------------------------------------------------ -# -# Marco Schmidt (marcoschmidt@users.sourceforge.net) -- an image file format -# for the EPOC operating system, which is used with PDAs like those from Psion -# -# see http://huizen.dds.nl/~frodol/psiconv/html/Index.html for a description -# of various EPOC file formats - -0 string \x37\x00\x00\x10\x42\x00\x00\x10\x00\x00\x00\x00\x39\x64\x39\x47 EPOC MBM image file - # PCX image files # From: Dan Fandrich -0 beshort 0x0a00 PCX ver. 2.5 image data -0 beshort 0x0a02 PCX ver. 2.8 image data, with palette -0 beshort 0x0a03 PCX ver. 2.8 image data, without palette -0 beshort 0x0a04 PCX for Windows image data -0 beshort 0x0a05 PCX ver. 3.0 image data ->4 leshort x bounding box [%hd, ->6 leshort x %hd] - ->8 leshort x [%hd, ->10 leshort x %hd], ->65 byte >1 %d planes each of ->3 byte x %hhd-bit ->68 byte 0 image, ->68 byte 1 colour, ->68 byte 2 grayscale, ->68 byte >2 image, ->68 byte <0 image, ->12 leshort >0 %hd x ->>14 leshort x %hd dpi, ->2 byte 0 uncompressed ->2 byte 1 RLE compressed +# updated by Joerg Jenderek at Feb 2013 by http://de.wikipedia.org/wiki/PCX +# http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt +# GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 +# test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT +0 ubelong&0xffF8fe00 0x0a000000 +# for PCX bit depth > 0 +>3 ubyte >0 +# test for valid versions +>>1 ubyte <6 +>>>1 ubyte !1 PCX +!:mime image/x-pcx +#!:mime image/pcx +>>>>1 ubyte 0 ver. 2.5 image data +>>>>1 ubyte 2 ver. 2.8 image data, with palette +>>>>1 ubyte 3 ver. 2.8 image data, without palette +>>>>1 ubyte 4 for Windows image data +>>>>1 ubyte 5 ver. 3.0 image data +>>>>4 uleshort x bounding box [%hd, +>>>>6 uleshort x %d] - +>>>>8 uleshort x [%d, +>>>>10 uleshort x %d], +>>>>65 ubyte >1 %d planes each of +>>>>3 ubyte x %d-bit +>>>>68 byte 1 colour, +>>>>68 byte 2 grayscale, +# this should not happen +>>>>68 default x image, +>>>>12 leshort >0 %d x +>>>>>14 uleshort x %d dpi, +>>>>2 byte 0 uncompressed +>>>>2 byte 1 RLE compressed # Adobe Photoshop +# From: Asbjoern Sloth Toennesen 0 string 8BPS Adobe Photoshop Image !:mime image/vnd.adobe.photoshop +>4 beshort 2 (PSB) +>18 belong x \b, %d x +>14 belong x %d, +>24 beshort 0 bitmap +>24 beshort 1 grayscale +>>12 beshort 2 with alpha +>24 beshort 2 indexed +>24 beshort 3 RGB +>>12 beshort 4 \bA +>24 beshort 4 CMYK +>>12 beshort 5 \bA +>24 beshort 7 multichannel +>24 beshort 8 duotone +>24 beshort 9 lab +>12 beshort > 1 +>>12 beshort x \b, %dx +>12 beshort 1 \b, +>22 beshort x %d-bit channel +>12 beshort > 1 \bs # XV thumbnail indicator (ThMO) 0 string P7\ 332 XV thumbnail image data @@ -8263,11 +10437,16 @@ # Bio-Rad .PIC is an image format used by microscope control systems # and related image processing software used by biologists. # From: Vebjorn Ljosa -54 leshort 12345 Bio-Rad .PIC Image File ->0 leshort >0 %hd x ->2 leshort >0 %hd, ->4 leshort =1 1 image in file ->4 leshort >1 %hd images in file +# BOOL values are two-byte integers; use them to rule out false positives. +# http://web.archive.org/web/20050317223257/www.cs.ubc.ca/spider/ladic/text/biorad.txt +# Samples: http://www.loci.wisc.edu/software/sample-data +14 leshort <2 +>62 leshort <2 +>>54 leshort 12345 Bio-Rad .PIC Image File +>>>0 leshort >0 %hd x +>>>2 leshort >0 %hd, +>>>4 leshort =1 1 image in file +>>>4 leshort >1 %hd images in file # From Jan "Yenya" Kasprzak # The description of *.mrw format can be found at @@ -8280,15 +10459,70 @@ # Submitted by: Stephane Loeuillet # Modified by (1): Abel Cheung 0 string AT&TFORM -!:mime image/vnd.djvu >12 string DJVM DjVu multiple page document +!:mime image/vnd.djvu >12 string DJVU DjVu image or single page document +!:mime image/vnd.djvu >12 string DJVI DjVu shared document +!:mime image/vnd.djvu >12 string THUM DjVu page thumbnails +!:mime image/vnd.djvu +# Originally by Marc Espie +# Modified by Robert Minsk +# http://www.openexr.com/openexrfilelayout.pdf +0 lelong 20000630 OpenEXR image data, +!:mime image/x-exr +>4 lelong&0x000000ff x version %d, +>4 lelong ^0x00000200 storage: scanline +>4 lelong &0x00000200 storage: tiled +>8 search/0x1000 compression\0 \b, compression: +>>&16 byte 0 none +>>&16 byte 1 rle +>>&16 byte 2 zips +>>&16 byte 3 zip +>>&16 byte 4 piz +>>&16 byte 5 pxr24 +>>&16 byte 6 b44 +>>&16 byte 7 b44a +>>&16 byte >7 unknown +>8 search/0x1000 dataWindow\0 \b, dataWindow: +>>&10 lelong x (%d +>>&14 lelong x %d)- +>>&18 lelong x \b(%d +>>&22 lelong x %d) +>8 search/0x1000 displayWindow\0 \b, displayWindow: +>>&10 lelong x (%d +>>&14 lelong x %d)- +>>&18 lelong x \b(%d +>>&22 lelong x %d) +>8 search/0x1000 lineOrder\0 \b, lineOrder: +>>&14 byte 0 increasing y +>>&14 byte 1 decreasing y +>>&14 byte 2 random y +>>&14 byte >2 unknown -# From Marc Espie -0 lelong 20000630 OpenEXR image data +# SMPTE Digital Picture Exchange Format, SMPTE DPX +# +# ANSI/SMPTE 268M-1994, SMPTE Standard for File Format for Digital +# Moving-Picture Exchange (DPX), v1.0, 18 February 1994 +# Robert Minsk +0 string SDPX DPX image data, big-endian, +!:mime image/x-dpx +>768 beshort <4 +>>772 belong x %dx +>>776 belong x \b%d, +>768 beshort >3 +>>776 belong x %dx +>>772 belong x \b%d, +>768 beshort 0 left to right/top to bottom +>768 beshort 1 right to left/top to bottom +>768 beshort 2 left to right/bottom to top +>768 beshort 3 right to left/bottom to top +>768 beshort 4 top to bottom/left to right +>768 beshort 5 top to bottom/right to left +>768 leshort 6 bottom to top/left to right +>768 leshort 7 bottom to top/right to left # From: Tom Hilinski # http://www.unidata.ucar.edu/packages/netcdf/ @@ -8299,7 +10533,7 @@ # specifications at http://hdf.ncsa.uiuc.edu/ 0 belong 0x0e031301 Hierarchical Data Format (version 4) data !:mime application/x-hdf -0 string \211HDF\r\n\032 Hierarchical Data Format (version 5) data +0 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) data !:mime application/x-hdf # From: Tobias Burnus @@ -8336,25 +10570,87 @@ # From Tano M Fotang 0 string \xff\xa0\xff\xa8\x00 Wavelet Scalar Quantization image data +# Polar Monitor Bitmap (.pmb) used as logo for Polar Electro watches +# From: Markus Heidelberg +0 string/t [BitmapInfo2] Polar Monitor Bitmap text +!:mime image/x-polar-monitor-bitmap + +# From: Rick Richardson +0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file + # Type: Ulead Photo Explorer5 (.pe5) # URL: http://www.jisyo.com/cgibin/view.cgi?EXT=pe5 (Japanese) # From: Simon Horman -0 string IIO2H Ulead Photo Explorer5 +0 string IIO2H Ulead Photo Explorer5 # Type: X11 cursor # URL: http://webcvs.freedesktop.org/mime/shared-mime-info/freedesktop.org.xml.in?view=markup # From: Mathias Brodala -0 string Xcur X11 cursor +0 string Xcur X11 cursor +# Type: Olympus ORF raw images. +# URL: http://libopenraw.freedesktop.org/wiki/Olympus_ORF +# From: Adam Buchbinder +0 string MMOR Olympus ORF raw image data, big-endian +!:mime image/x-olympus-orf +0 string IIRO Olympus ORF raw image data, little-endian +!:mime image/x-olympus-orf +0 string IIRS Olympus ORF raw image data, little-endian +!:mime image/x-olympus-orf + +# Type: files used in modern AVCHD camcoders to store clip information +# Extension: .cpi +# From: Alexander Danilov +0 string HDMV0100 AVCHD Clip Information + +# From: Adam Buchbinder +# URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ +# Radiance HDR; usually has .pic or .hdr extension. +0 string #?RADIANCE\n Radiance HDR image data +#!mime image/vnd.radiance + +# From: Adam Buchbinder +# URL: http://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf +# Used by the pfstools packages. The regex matches for the image size could +# probably use some work. The MIME type is made up; if there's one in +# actual common use, it should replace the one below. +0 string PFS1\x0a PFS HDR image data +#!mime image/x-pfs +>1 regex [0-9]*\ \b, %s +>>1 regex \ [0-9]{4} \bx%s + +# Type: Foveon X3F +# URL: http://www.photofo.com/downloads/x3f-raw-format.pdf +# From: Adam Buchbinder +# Note that the MIME type isn't defined anywhere that I can find; if +# there's a canonical type for this format, it should replace this one. +0 string FOVb Foveon X3F raw image data +!:mime image/x-x3f +>6 leshort x \b, version %d. +>4 leshort x \b%d +>28 lelong x \b, %dx +>32 lelong x \b%d + +# Paint.NET file +# From Adam Buchbinder +0 string PDN3 Paint.NET image data +!:mime image/x-paintnet + +# Not really an image. +# From: "Tano M. Fotang" +0 string \x46\x4d\x52\x00 ISO/IEC 19794-2 Format Minutiae Record (FMR) + #------------------------------------------------------------------------------ +# $File: inform,v 1.5 2009/09/19 16:28:09 christos Exp $ # inform: file(1) magic for Inform interactive fiction language # URL: http://www.inform-fiction.org/ # From: Reuben Thomas -0 search/cB/100 constant\ story Inform source text +0 search/100/cW constant\ story Inform source text #------------------------------------------------------------------------------ +# $File: intel,v 1.11 2013/02/06 14:18:52 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -8391,7 +10687,7 @@ # rom: file(1) magic for BIOS ROM Extensions found in intel machines # mapped into memory between 0xC0000 and 0xFFFFF -# From Gürkan Sengün , www.linuks.mine.nu +# From Gurkan Sengun , www.linuks.mine.nu 0 beshort 0x55AA BIOS (ia32) ROM Ext. >5 string USB USB >7 string LDR UNDI image @@ -8401,7 +10697,13 @@ >42 string PROMISE Promise >2 byte x (%d*512) +# Flash descriptors for Intel SPI flash roms. +# From Dr. Jesus +0 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step +16 lelong 0x0ff0a55a Intel serial flash for PCH ROM + #------------------------------------------------------------------------------ +# $File: interleaf,v 1.10 2009/09/19 16:28:10 christos Exp $ # interleaf: file(1) magic for InterLeaf TPS: # 0 string =\210OPS Interleaf saved data @@ -8410,6 +10712,7 @@ >>17 string >\0 %.3s #------------------------------------------------------------------------------ +# $File: island,v 1.5 2009/09/19 16:28:10 christos Exp $ # island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1 # "/etc/magic": # From: guy@netapp.com (Guy Harris) @@ -8419,6 +10722,7 @@ #------------------------------------------------------------------------------ +# $File: ispell,v 1.8 2009/09/19 16:28:10 christos Exp $ # ispell: file(1) magic for ispell # # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic @@ -8479,7 +10783,24 @@ >12 long x lexsize %d, >16 long x hashsize %d, >20 long x stblsize %d + +#------------------------------------------------------------------------------ +# $File: isz,v 1.1 2010/03/27 16:17:09 christos Exp $ +# ISO Zipped file format +# http://www.ezbsystems.com/isz/iszspec.txt +0 string IsZ! ISO Zipped file +>4 byte x \b, header size %u +>5 byte x \b, version %u +>8 lelong x \b, serial %u +#12 leshort x \b, sector size %u +#>16 lelong x \b, total sectors %u +>17 byte >0 \b, password protected +#>24 lequad x \b, segment size %llu +#>32 lelong x \b, blocks %u +#>36 lelong x \b, block size %u + #------------------------------------------------------------ +# $File: java,v 1.14 2013/02/08 16:54:45 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". @@ -8503,8 +10824,39 @@ >0 regex dey\n[0-9][0-9][0-9]\0 Dalvik dex file (optimized for host) >4 string >000 version %s +# Java source +0 regex ^import.*;$ Java source +!:mime text/x-java +# http://android.stackexchange.com/questions/23357/\ +# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ +# 23608#23608 +0 string ANDROID\040BACKUP\n Android Backup +>15 string 1\n \b, version 1 +>17 string 0\n \b, uncompressed +>17 string 1\n \b, compressed +>19 string none\n \b, unencrypted +>19 string AES-256\n \b, encrypted AES-256 + #------------------------------------------------------------------------------ +# $File: javascript,v 1.1 2012/06/16 13:30:36 christos Exp $ +# javascript: magic for javascript and node.js scripts. +# +0 search/1/w #!/bin/node Node.js script text executable +!:mime application/javascript +0 search/1/w #!/usr/bin/node Node.js script text executable +!:mime application/javascript +0 search/1/w #!/bin/nodejs Node.js script text executable +!:mime application/javascript +0 search/1/w #!/usr/bin/nodejs Node.js script text executable +!:mime application/javascript +0 search/1 #!/usr/bin/env\ node Node.js script text executable +!:mime application/javascript +0 search/1 #!/usr/bin/env\ nodejs Node.js script text executable +!:mime application/javascript + +#------------------------------------------------------------------------------ +# $File: jpeg,v 1.19 2013/02/04 15:50:03 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -8515,7 +10867,8 @@ # 0 beshort 0xffd8 JPEG image data !:mime image/jpeg -!:strength +1 +!:apple 8BIMJPEG +!:strength +2 >6 string JFIF \b, JFIF standard # The following added by Erik Rossen 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these @@ -8630,13 +10983,8 @@ # And if there was some sort of looping construct to do searches, plus a few # named accumulators, it would be even more effective... # At least we can show a comment if no other segments got inserted before: ->(4.S+5) byte 0xFE ->>(4.S+8) string >\0 \b, comment: "%s" -# FIXME: When we can do non-byte counted strings, we can use that to get -# the string's count, and fix Debian bug #283760 -#>(4.S+5) byte 0xFE \b, comment -#>>(4.S+6) beshort x \b length=%d -#>>(4.S+8) string >\0 \b, "%s" +>(4.S+5) byte 0xFE \b, comment: +>>(4.S+6) pstring/HJ x "%s" # Or, we can show the encoding type (I've included only the three most common) # and image dimensions if we are lucky and the SOFn (image segment) is here: >(4.S+5) byte 0xC0 \b, baseline @@ -8661,7 +11009,20 @@ 0 string hsi1 JPEG image data, HSI proprietary # From: David Santinoli -0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 image data +0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 +# From: Johan van der Knijff +# Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes +# https://github.com/bitsgalore/jp2kMagic +# +# Now read value of 'Brand' field, which yields a few possibilities: +>20 string \x6a\x70\x32\x20 Part 1 (JP2) +!:mime image/jp2 +>20 string \x6a\x70\x78\x20 Part 2 (JPX) +!:mime image/jpx +>20 string \x6a\x70\x6d\x20 Part 6 (JPM) +!:mime image/jpm +>20 string \x6d\x6a\x70\x32 Part 3 (MJ2) +!:mime video/mj2 # Type: JPEG 2000 codesream # From: Mathieu Malaterre @@ -8669,6 +11030,7 @@ 45 beshort 0xff52 #------------------------------------------------------------------------------ +# $File: karma,v 1.6 2009/09/19 16:28:10 christos Exp $ # karma: file(1) magic for Karma data files # # From @@ -8677,19 +11039,78 @@ >16 belong x %lu #------------------------------------------------------------------------------ +# $File: kde,v 1.5 2010/11/25 15:00:12 christos Exp $ # kde: file(1) magic for KDE -0 string [KDE\ Desktop\ Entry] KDE desktop entry +0 string/t [KDE\ Desktop\ Entry] KDE desktop entry !:mime application/x-kdelnk -0 string #\ KDE\ Config\ File KDE config file +0 string/t #\ KDE\ Config\ File KDE config file !:mime application/x-kdelnk -0 string #\ xmcd xmcd database file for kscd +0 string/t #\ xmcd xmcd database file for kscd !:mime text/x-xmcd + #------------------------------------------------------------------------------ +# $File: keepass,v 1.1 2012/12/24 22:14:56 christos Exp $ +# keepass: file(1) magic for KeePass file +# +# Keepass Password Safe: +# * original one: http://keepass.info/ +# * *nix port: http://www.keepassx.org/ +# * android port: http://code.google.com/p/keepassdroid/ + +0 lelong 0x9AA2D903 Keepass password database +>4 lelong 0xB54BFB65 1.x KDB +>>48 lelong >0 \b, %d groups +>>52 lelong >0 \b, %d entries +>>8 lelong&0x0f 1 \b, SHA-256 +>>8 lelong&0x0f 2 \b, AES +>>8 lelong&0x0f 4 \b, RC4 +>>8 lelong&0x0f 8 \b, Twofish +>>120 lelong >0 \b, %d key transformation rounds +>4 lelong 0xB54BFB67 2.x KDBX + +#------------------------------------------------------------------------------ +# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ +# Type: Google KML, formerly Keyhole Markup Language +# Future development of this format has been handed +# over to the Open Geospatial Consortium. +# http://www.opengeospatial.org/standards/kml/ +# From: Asbjoern Sloth Toennesen +0 string/t \20 search/400 \ xmlns= +>>&0 regex ['"]http://earth.google.com/kml Google KML document +!:mime application/vnd.google-earth.kml+xml +>>>&1 string 2.0' \b, version 2.0 +>>>&1 string 2.1' \b, version 2.1 +>>>&1 string 2.2' \b, version 2.2 + +#------------------------------------------------------------------------------ +# Type: OpenGIS KML, formerly Keyhole Markup Language +# This standard is maintained by the +# Open Geospatial Consortium. +# http://www.opengeospatial.org/standards/kml/ +# From: Asbjoern Sloth Toennesen +>>&0 regex ['"]http://www.opengis.net/kml OpenGIS KML document +!:mime application/vnd.google-earth.kml+xml +>>>&1 string/t 2.2 \b, version 2.2 + +#------------------------------------------------------------------------------ +# Type: Google KML Archive (ZIP based) +# http://code.google.com/apis/kml/documentation/kml_tut.html +# From: Asbjoern Sloth Toennesen +0 string PK\003\004 +>4 byte 0x14 +>>30 string doc.kml Compressed Google KML Document, including resources. +!:mime application/vnd.google-earth.kmz + +#------------------------------------------------------------------------------ +# $File: lecter,v 1.4 2009/09/19 16:28:10 christos Exp $ # DEC SRC Virtual Paper: Lectern files # Karl M. Hegbloom 0 string lect DEC SRC Virtual Paper Lectern file + #------------------------------------------------------------------------------ +# $File: lex,v 1.6 2009/09/19 16:28:10 christos Exp $ # lex: file(1) magic for lex # # derived empirically, your offsets may vary! @@ -8701,12 +11122,15 @@ 0 search/1 %{ lex description text #------------------------------------------------------------------------------ +# $File: lif,v 1.8 2009/09/19 16:28:10 christos Exp $ # lif: file(1) magic for lif # # (Daniel Quinlan ) # 0 beshort 0x8000 lif file + #------------------------------------------------------------------------------ +# $File: linux,v 1.47 2013/02/06 14:18:52 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -8742,6 +11166,8 @@ >28 long !0 not stripped 0 string \01\03\040\20 Minix-386 executable >28 long !0 not stripped +0 string \01\03\04\20 Minix-386 NSYM/GNU executable +>28 long !0 not stripped # core dump file, from Bill Reynolds 216 lelong 0421 Linux/i386 core file >220 string >\0 of '%s' @@ -8751,18 +11177,32 @@ # this can be overridden by the DOS executable (COM) entry 2 string LILO Linux/i386 LILO boot/chain loader # +# Linux make config build file, from Ole Aamot +28 string make\ config Linux make config build file +# # PSF fonts, from H. Peter Anvin -0 leshort 0x0436 Linux/i386 PC Screen Font data, ->2 byte 0 256 characters, no directory, ->2 byte 1 512 characters, no directory, ->2 byte 2 256 characters, Unicode directory, ->2 byte 3 512 characters, Unicode directory, +# Updated by Adam Buchbinder +# See: http://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html +0 leshort 0x0436 Linux/i386 PC Screen Font v1 data, +>2 byte&0x01 0 256 characters, +>2 byte&0x01 !0 512 characters, +>2 byte&0x02 0 no directory, +>2 byte&0x02 !0 Unicode directory, >3 byte >0 8x%d +0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data, +>16 lelong x %d characters, +>12 lelong&0x01 0 no directory, +>12 lelong&0x01 !0 Unicode directory, +>24 lelong x %d +>28 lelong x \bx%d + # Linux swap file, from Daniel Quinlan 4086 string SWAP-SPACE Linux/i386 swap file # From: Jeff Bailey # Linux swap file with swsusp1 image, from Jeff Bailey 4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image +# From: James Hunt +4076 string SWAPSPACE2LINHIB0001 Linux/i386 swap file (new style) (compressed hibernate) # according to man page of mkswap (8) March 1999 # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ @@ -8771,36 +11211,27 @@ >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, ->0x40c belong x UUID=%x ->0x410 beshort x \b-%x ->0x412 beshort x \b-%x ->0x414 beshort x \b-%x ->0x416 belong x \b-%x ->0x41a beshort x \b%x -# ECOFF magic for OSF/1 and Linux (only tested under Linux though) +>0x40c belong x UUID=%08x +>0x410 beshort x \b-%04x +>0x412 beshort x \b-%04x +>0x414 beshort x \b-%04x +>0x416 belong x \b-%08x +>0x41a beshort x \b%04x +# From Daniel Novotny +# swap file for PowerPC +65526 string SWAPSPACE2 Linux/ppc swap file +16374 string SWAPSPACE2 Linux/ia64 swap file # -# from Erik Troan (ewt@redhat.com) examining od dumps, so this -# could be wrong -# updated by David Mosberger (davidm@azstarnet.com) based on -# GNU BFD and MIPS info found below. -# -0 leshort 0x0183 ECOFF alpha ->24 leshort 0407 executable ->24 leshort 0410 pure ->24 leshort 0413 demand paged ->8 long >0 not stripped ->8 long 0 stripped ->23 leshort >0 - version %ld. -# # Linux kernel boot images, from Albert Cahalan # and others such as Axel Kohlmeyer -# and Nicols Lichtmaier +# and Nicolas Lichtmaier # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) 514 string HdrS Linux kernel +!:strength + 5 >510 leshort 0xAA55 x86 boot executable >>518 leshort >0x1ff ->>529 byte 0 zImage, +>>>529 byte 0 zImage, >>>529 byte 1 bzImage, >>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, @@ -8817,10 +11248,10 @@ >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times -# System.map files - Nicols Lichtmaier +# System.map files - Nicolas Lichtmaier 8 search/1 \ A\ _text Linux kernel symbol map text -# LSM entries - Nicols Lichtmaier +# LSM entries - Nicolas Lichtmaier 0 search/1 Begin3 Linux Software Map entry text 0 search/1 Begin4 Linux Software Map entry text (new format) @@ -8870,6 +11301,27 @@ >0x1e6 belong !0x454c4b53 style boot sector ############################################################################ +# Linux S390 kernel image +# Created by: Jan Kaluza +8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390 +>0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc +# 64bit +>>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel +>>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel +>>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel +>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel +# 32bit +>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel +>>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel +>>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel +>>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel + +# Linux ARM compressed kernel image +# From: Kevin Cernekee +36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian) +36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) + +############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless >5 string . @@ -8895,9 +11347,11 @@ # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable # SYSLINUX boot logo files (from 'ppmtolss16' sources) -# http://syslinux.zytor.com/ -# +# http://www.syslinux.org/wiki/index.php/SYSLINUX#Display_graphic_from_filename: +# file extension .lss .16 0 lelong =0x1413f33d SYSLINUX' LSS16 image data +# syslinux-4.05/mime/image/x-lss16.xml +!:mime image/x-lss16 >4 leshort x \b, width %d >6 leshort x \b, height %d @@ -8933,19 +11387,55 @@ # # 0x200 seems to be the common case -0x218 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) +0x218 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) # read the offset to add to the start of the header, and the header # start in 0x200 ->(0x214.l+0x200) string >\0 , UUID: %s +>&(&-12.l-0x21) byte x +# display UUID in LVM format + display all 32 bytes (instead of max string length: 31) +>>&0x0 string >\x2f \b, UUID: %.6s +>>&0x6 string >\x2f \b-%.4s +>>&0xa string >\x2f \b-%.4s +>>&0xe string >\x2f \b-%.4s +>>&0x12 string >\x2f \b-%.4s +>>&0x16 string >\x2f \b-%.4s +>>&0x1a string >\x2f \b-%.6s +>>&0x20 lequad x \b, size: %lld -0x018 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) ->(0x014.l) string >\0 , UUID: %s +0x018 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x21) byte x +# display UUID in LVM format + display all 32 bytes (instead of max string length: 31) +>>&0x0 string >\x2f \b, UUID: %.6s +>>&0x6 string >\x2f \b-%.4s +>>&0xa string >\x2f \b-%.4s +>>&0xe string >\x2f \b-%.4s +>>&0x12 string >\x2f \b-%.4s +>>&0x16 string >\x2f \b-%.4s +>>&0x1a string >\x2f \b-%.6s +>>&0x20 lequad x \b, size: %lld -0x418 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) ->(0x414.l+0x400) string >\0 , UUID: %s +0x418 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x21) byte x +# display UUID in LVM format + display all 32 bytes (instead of max string length: 31) +>>&0x0 string >\x2f \b, UUID: %.6s +>>&0x6 string >\x2f \b-%.4s +>>&0xa string >\x2f \b-%.4s +>>&0xe string >\x2f \b-%.4s +>>&0x12 string >\x2f \b-%.4s +>>&0x16 string >\x2f \b-%.4s +>>&0x1a string >\x2f \b-%.6s +>>&0x20 lequad x \b, size: %lld -0x618 string LVM2\ 001 LVM2 (Linux Logical Volume Manager) ->(0x614.l+0x600) string >\0 , UUID: %s +0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) +>&(&-12.l-0x21) byte x +# display UUID in LVM format + display all 32 bytes (instead of max string length: 31) +>>&0x0 string >\x2f \b, UUID: %.6s +>>&0x6 string >\x2f \b-%.4s +>>&0xa string >\x2f \b-%.4s +>>&0xe string >\x2f \b-%.4s +>>&0x12 string >\x2f \b-%.4s +>>&0x16 string >\x2f \b-%.4s +>>&0x1a string >\x2f \b-%.6s +>>&0x20 lequad x \b, size: %lld # LVM snapshot # from Jason Farrel @@ -8984,7 +11474,9 @@ #>2 regex \(name\ [^)]*\) %s >20 search/256 (name (name >>&1 string x %s...) + #------------------------------------------------------------------------------ +# $File: lisp,v 1.23 2009/09/19 16:28:10 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) @@ -8994,23 +11486,21 @@ #0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end -#>2 search/2048 !\r Lisp/Scheme program text -#>2 search/2048 \r Windows INF file +#>2 search/4096 !\r Lisp/Scheme program text +#>2 search/4096 \r Windows INF file -0 search/256 (if\ Lisp/Scheme program text +0 search/4096 (setq\ Lisp/Scheme program text !:mime text/x-lisp -0 search/256 (setq\ Lisp/Scheme program text +0 search/4096 (defvar\ Lisp/Scheme program text !:mime text/x-lisp -0 search/256 (defvar\ Lisp/Scheme program text +0 search/4096 (defparam\ Lisp/Scheme program text !:mime text/x-lisp -0 search/256 (defparam\ Lisp/Scheme program text +0 search/4096 (defun\ Lisp/Scheme program text !:mime text/x-lisp -0 search/256 (defun\ Lisp/Scheme program text +0 search/4096 (autoload\ Lisp/Scheme program text !:mime text/x-lisp -0 search/256 (autoload\ Lisp/Scheme program text +0 search/4096 (custom-set-variables\ Lisp/Scheme program text !:mime text/x-lisp -0 search/256 (custom-set-variables\ Lisp/Scheme program text -!:mime text/x-lisp # Emacs 18 - this is always correct, but not very magical. 0 string \012( Emacs v18 byte-compiled Lisp data @@ -9038,23 +11528,36 @@ !:mime text/texmacs #------------------------------------------------------------------------------ +# $File: llvm,v 1.8 2013/01/12 03:09:51 christos Exp $ # llvm: file(1) magic for LLVM byte-codes -# URL: http://llvm.cs.uiuc.edu/docs/BytecodeFormat.html#signature +# URL: http://llvm.org/docs/BitCodeFormat.html # From: Al Stone 0 string llvm LLVM byte-codes, uncompressed 0 string llvc0 LLVM byte-codes, null compression 0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc2 LLVM byte-codes, bzip2 compression + +0 lelong 0x0b17c0de LLVM bitcode, wrapper +# Are these Mach-O ABI values? They appear to be. +>16 lelong 0x01000007 x86_64 +>16 lelong 0x00000007 i386 +>16 lelong 0x00000012 ppc +>16 lelong 0x01000012 ppc64 +>16 lelong 0x0000000c arm + +0 string BC\xc0\xde LLVM IR bitcode + #------------------------------------------------------------------------------ +# $File: lua,v 1.6 2013/01/09 16:23:17 christos Exp $ # lua: file(1) magic for Lua scripting language # URL: http://www.lua.org/ # From: Reuben Thomas , Seo Sanghyeon # Lua scripts -0 search/1/b #!\ /usr/bin/lua Lua script text executable +0 search/1/w #!\ /usr/bin/lua Lua script text executable !:mime text/x-lua -0 search/1/b #!\ /usr/local/bin/lua Lua script text executable +0 search/1/w #!\ /usr/local/bin/lua Lua script text executable !:mime text/x-lua 0 search/1 #!/usr/bin/env\ lua Lua script text executable !:mime text/x-lua @@ -9065,8 +11568,10 @@ 0 string \033Lua Lua bytecode, >4 byte 0x50 version 5.0 >4 byte 0x51 version 5.1 +>4 byte 0x52 version 5.2 #------------------------------------------------------------------------------ +# $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ # luks: file(1) magic for Linux Unified Key Setup # URL: http://luks.endorphin.org/spec # From: Anthon van der Neut @@ -9077,92 +11582,229 @@ >40 string x %s, >72 string x %s] >168 string x UUID: %s +#------------------------------------------------------------------------------ +# $File: m4,v 1.1 2011/12/08 12:12:46 rrt Exp $ +# make: file(1) magic for M4 scripts +# +0 regex \^dnl\ M4 macro processor script text +!:mime text/x-m4 + #------------------------------------------------------------ +# $File: mach,v 1.17 2013/03/07 02:22:52 christos Exp $ # Mach has two magic numbers, 0xcafebabe and 0xfeedface. # Unfortunately the first, cafebabe, is shared with # Java ByteCode, so they are both handled in the file "cafebabe". # The "feedface" ones are handled herein. #------------------------------------------------------------ -0 lelong&0xfeffffff 0xfeedface Mach-O ->0 byte 0xcf 64-bit ->12 lelong 1 object ->12 lelong 2 executable ->12 lelong 3 fixed virtual memory shared library ->12 lelong 4 core ->12 lelong 5 preload executable ->12 lelong 6 dynamically linked shared library ->12 lelong 7 dynamic linker ->12 lelong 8 bundle ->12 lelong 9 dynamically linked shared library stub ->12 lelong >9 ->>12 lelong x filetype=%ld ->4 lelong <0 ->>4 lelong x architecture=%ld ->4 lelong 1 vax ->4 lelong 2 romp ->4 lelong 3 architecture=3 ->4 lelong 4 ns32032 ->4 lelong 5 ns32332 ->4 lelong 6 m68k ->4 lelong 7 i386 ->4 lelong 8 mips ->4 lelong 9 ns32532 ->4 lelong 10 architecture=10 ->4 lelong 11 hppa ->4 lelong 12 acorn ->4 lelong 13 m88k ->4 lelong 14 sparc ->4 lelong 15 i860-big ->4 lelong 16 i860 ->4 lelong 17 rs6000 ->4 lelong 18 ppc ->4 lelong 16777234 ppc64 ->4 lelong >16777234 ->>4 lelong x architecture=%ld +# if set, it's for the 64-bit version of the architecture +# yes, this is separate from the low-order magic number bit +# it's also separate from the "64-bit libraries" bit in the +# upper 8 bits of the CPU subtype + +0 name mach-o-cpu +>0 belong&0x01000000 0 # -0 belong&0xfffffffe 0xfeedface Mach-O ->3 byte 0xcf 64-bit +# 32-bit ABIs. +# +# 1 vax +>>0 belong&0x00ffffff 1 +>>>4 belong&0x00ffffff 0 vax +>>>4 belong&0x00ffffff 1 vax11/780 +>>>4 belong&0x00ffffff 2 vax11/785 +>>>4 belong&0x00ffffff 3 vax11/750 +>>>4 belong&0x00ffffff 4 vax11/730 +>>>4 belong&0x00ffffff 5 uvaxI +>>>4 belong&0x00ffffff 6 uvaxII +>>>4 belong&0x00ffffff 7 vax8200 +>>>4 belong&0x00ffffff 8 vax8500 +>>>4 belong&0x00ffffff 9 vax8600 +>>>4 belong&0x00ffffff 10 vax8650 +>>>4 belong&0x00ffffff 11 vax8800 +>>>4 belong&0x00ffffff 12 uvaxIII +>>>4 belong&0x00ffffff >12 vax subarchitecture=%ld +>>0 belong&0x00ffffff 2 romp +>>0 belong&0x00ffffff 3 architecture=3 +>>0 belong&0x00ffffff 4 ns32032 +>>0 belong&0x00ffffff 5 ns32332 +>>0 belong&0x00ffffff 6 m68k +# 7 x86 +>>0 belong&0x00ffffff 7 +>>>4 belong&0x0000000f 3 i386 +>>>4 belong&0x0000000f 4 i486 +>>>>4 belong&0x00fffff0 0 +>>>>4 belong&0x00fffff0 0x80 \bsx +>>>4 belong&0x0000000f 5 i586 +>>>4 belong&0x0000000f 6 +>>>>4 belong&0x00fffff0 0 p6 +>>>>4 belong&0x00fffff0 0x10 pentium_pro +>>>>4 belong&0x00fffff0 0x20 pentium_2_m0x20 +>>>>4 belong&0x00fffff0 0x30 pentium_2_m3 +>>>>4 belong&0x00fffff0 0x40 pentium_2_m0x40 +>>>>4 belong&0x00fffff0 0x50 pentium_2_m5 +>>>>4 belong&0x00fffff0 >0x50 pentium_2_m0x%lx +>>>4 belong&0x0000000f 7 celeron +>>>>4 belong&0x00fffff0 0x00 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x10 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x20 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x30 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x40 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x50 \b_m0x%lx +>>>>4 belong&0x00fffff0 0x60 +>>>>4 belong&0x00fffff0 0x70 \b_mobile +>>>>4 belong&0x00fffff0 >0x70 \b_m0x%lx +>>>4 belong&0x0000000f 8 pentium_3 +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_m +>>>>4 belong&0x00fffff0 0x20 \b_xeon +>>>>4 belong&0x00fffff0 >0x20 \b_m0x%lx +>>>4 belong&0x0000000f 9 pentiumM +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 >0x00 \b_m0x%lx +>>>4 belong&0x0000000f 10 pentium_4 +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_m +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%lx +>>>4 belong&0x0000000f 11 itanium +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_2 +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%lx +>>>4 belong&0x0000000f 12 xeon +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_mp +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%lx +>>>4 belong&0x0000000f >12 ia32 family=%ld +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 >0x00 model=%lx +>>0 belong&0x00ffffff 8 mips +>>>4 belong&0x00ffffff 1 R2300 +>>>4 belong&0x00ffffff 2 R2600 +>>>4 belong&0x00ffffff 3 R2800 +>>>4 belong&0x00ffffff 4 R2000a +>>>4 belong&0x00ffffff 5 R2000 +>>>4 belong&0x00ffffff 6 R3000a +>>>4 belong&0x00ffffff 7 R3000 +>>>4 belong&0x00ffffff >7 subarchitecture=%ld +>>0 belong&0x00ffffff 9 ns32532 +>>0 belong&0x00ffffff 10 mc98000 +>>0 belong&0x00ffffff 11 hppa +>>>4 belong&0x00ffffff 0 7100 +>>>4 belong&0x00ffffff 1 7100LC +>>>4 belong&0x00ffffff >1 subarchitecture=%ld +>>0 belong&0x00ffffff 12 arm +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 subarchitecture=%ld +>>>4 belong&0x00ffffff 2 subarchitecture=%ld +>>>4 belong&0x00ffffff 3 subarchitecture=%ld +>>>4 belong&0x00ffffff 4 subarchitecture=%ld +>>>4 belong&0x00ffffff 5 \b_v4t +>>>4 belong&0x00ffffff 6 \b_v6 +>>>4 belong&0x00ffffff 7 \b_v5tej +>>>4 belong&0x00ffffff 8 \b_xscale +>>>4 belong&0x00ffffff 9 \b_v7 +>>>4 belong&0x00ffffff 10 \b_v7f +>>>4 belong&0x00ffffff 11 subarchitecture=%ld +>>>4 belong&0x00ffffff 12 \b_v7k +>>>4 belong&0x00ffffff >12 subarchitecture=%ld +# 13 m88k +>>0 belong&0x00ffffff 13 +>>>4 belong&0x00ffffff 0 mc88000 +>>>4 belong&0x00ffffff 1 mc88100 +>>>4 belong&0x00ffffff 2 mc88110 +>>>4 belong&0x00ffffff >2 mc88000 subarchitecture=%ld +>>0 belong&0x00ffffff 14 sparc +>>0 belong&0x00ffffff 15 i860g +>>0 belong&0x00ffffff 16 alpha +>>0 belong&0x00ffffff 17 rs6000 +>>0 belong&0x00ffffff 18 ppc +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \b_601 +>>>4 belong&0x00ffffff 2 \b_602 +>>>4 belong&0x00ffffff 3 \b_603 +>>>4 belong&0x00ffffff 4 \b_603e +>>>4 belong&0x00ffffff 5 \b_603ev +>>>4 belong&0x00ffffff 6 \b_604 +>>>4 belong&0x00ffffff 7 \b_604e +>>>4 belong&0x00ffffff 8 \b_620 +>>>4 belong&0x00ffffff 9 \b_650 +>>>4 belong&0x00ffffff 10 \b_7400 +>>>4 belong&0x00ffffff 11 \b_7450 +>>>4 belong&0x00ffffff 100 \b_970 +>>>4 belong&0x00ffffff >100 subarchitecture=%ld +>>0 belong&0x00ffffff >18 architecture=%ld +>0 belong&0x01000000 0x01000000 +# +# 64-bit ABIs. +# +>>0 belong&0x00ffffff 0 64-bit architecture=%ld +>>0 belong&0x00ffffff 1 64-bit architecture=%ld +>>0 belong&0x00ffffff 2 64-bit architecture=%ld +>>0 belong&0x00ffffff 3 64-bit architecture=%ld +>>0 belong&0x00ffffff 4 64-bit architecture=%ld +>>0 belong&0x00ffffff 5 64-bit architecture=%ld +>>0 belong&0x00ffffff 6 64-bit architecture=%ld +>>0 belong&0x00ffffff 7 x86_64 +>>>4 belong&0x00ffffff 0 subarchitecture=%ld +>>>4 belong&0x00ffffff 1 subarchitecture=%ld +>>>4 belong&0x00ffffff 2 subarchitecture=%ld +>>>4 belong&0x00ffffff 3 +>>>4 belong&0x00ffffff 4 \b_arch1 +>>>4 belong&0x00ffffff >4 subarchitecture=%ld +>>0 belong&0x00ffffff 8 64-bit architecture=%ld +>>0 belong&0x00ffffff 9 64-bit architecture=%ld +>>0 belong&0x00ffffff 10 64-bit architecture=%ld +>>0 belong&0x00ffffff 11 64-bit architecture=%ld +>>0 belong&0x00ffffff 12 64-bit architecture=%ld +>>0 belong&0x00ffffff 13 64-bit architecture=%ld +>>0 belong&0x00ffffff 14 64-bit architecture=%ld +>>0 belong&0x00ffffff 15 64-bit architecture=%ld +>>0 belong&0x00ffffff 16 64-bit architecture=%ld +>>0 belong&0x00ffffff 17 64-bit architecture=%ld +>>0 belong&0x00ffffff 18 ppc64 +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \b_601 +>>>4 belong&0x00ffffff 2 \b_602 +>>>4 belong&0x00ffffff 3 \b_603 +>>>4 belong&0x00ffffff 4 \b_603e +>>>4 belong&0x00ffffff 5 \b_603ev +>>>4 belong&0x00ffffff 6 \b_604 +>>>4 belong&0x00ffffff 7 \b_604e +>>>4 belong&0x00ffffff 8 \b_620 +>>>4 belong&0x00ffffff 9 \b_650 +>>>4 belong&0x00ffffff 10 \b_7400 +>>>4 belong&0x00ffffff 11 \b_7450 +>>>4 belong&0x00ffffff 100 \b_970 +>>>4 belong&0x00ffffff >100 subarchitecture=%ld +>>0 belong&0x00ffffff >18 64-bit architecture=%ld + + +0 name mach-o-be +>0 byte 0xcf 64-bit +>4 use mach-o-cpu >12 belong 1 object >12 belong 2 executable >12 belong 3 fixed virtual memory shared library >12 belong 4 core >12 belong 5 preload executable ->12 belong 6 dynamically linked shared library ->12 belong 7 dynamic linker +>12 belong 6 dynamically linked shared library +>12 belong 7 dynamic linker >12 belong 8 bundle >12 belong 9 dynamically linked shared library stub ->12 belong >9 +>12 belong 10 dSYM companion file +>12 belong 11 kext bundle +>12 belong >11 >>12 belong x filetype=%ld ->4 belong <0 ->>4 belong x architecture=%ld ->4 belong 1 vax ->4 belong 2 romp ->4 belong 3 architecture=3 ->4 belong 4 ns32032 ->4 belong 5 ns32332 ->4 belong 6 for m68k architecture -# from NeXTstep 3.0 -# i.e. mc680x0_all, ignore -# >>8 belong 1 (mc68030) ->>8 belong 2 (mc68040) ->>8 belong 3 (mc68030 only) ->4 belong 7 i386 ->4 belong 8 mips ->4 belong 9 ns32532 ->4 belong 10 architecture=10 ->4 belong 11 hppa ->4 belong 12 acorn ->4 belong 13 m88k ->4 belong 14 sparc ->4 belong 15 i860-big ->4 belong 16 i860 ->4 belong 17 rs6000 ->4 belong 18 ppc ->4 belong 16777234 ppc64 ->4 belong >16777234 ->>4 belong x architecture=%ld +# +0 lelong&0xfffffffe 0xfeedface Mach-O +!:strength +1 +>0 use \^mach-o-be + +0 belong&0xfffffffe 0xfeedface Mach-O +!:strength +1 +>0 use mach-o-be + #------------------------------------------------------------------------------ +# $File: macintosh,v 1.22 2011/05/17 17:40:31 rrt Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -9174,6 +11816,8 @@ # Stuffit archives are the de facto standard of compression for Macintosh # files obtained from most archives. (franklsm@tuns.ca) 0 string SIT! StuffIt Archive (data) +!:mime application/x-stuffit +!:apple SIT!SIT! >2 string x : %s 0 string SITD StuffIt Deluxe (data) >2 string x : %s @@ -9183,6 +11827,7 @@ # Newer StuffIt archives (grant@netbsd.org) 0 string StuffIt StuffIt Archive !:mime application/x-stuffit +!:apple SIT!SIT! #>162 string >0 : %s # Macintosh Applications and Installation binaries (franklsm@tuns.ca) @@ -9324,7 +11969,7 @@ #>65 string ZSYS (Pre-System 7 system file) #>65 string acf3 (Aldus FreeHand) #>65 string cdev (control panel) -#>65 string dfil (Desk Acessory suitcase) +#>65 string dfil (Desk Accessory suitcase) #>65 string libr (library) #>65 string nX^d (WriteNow word processor) #>65 string nX^w (WriteNow dictionary) @@ -9444,7 +12089,7 @@ >0x412 beshort x number of blocks: %d, >0x424 pstring x volume name: %s -# "BD" is has many false positives +# "BD" gives many false positives #0x400 beshort 0x4244 Macintosh HFS data #>0 beshort 0x4C4B (bootable) #>0x40a beshort &0x8000 (locked) @@ -9536,48 +12181,71 @@ # From: Remi Mommsen 0 string BOMStore Mac OS X bill of materials (BOM) file +# From: Adam Buchbinder +# URL: http://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +0 belong 0x100 +>(0x4.L+24) beshort x +>>&4 belong 0x73666e74 Mac OSX datafork font, TrueType +>>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' +>>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' +>>&4 belong 0x504f5354 Mac OSX datafork font, PostScript + #------------------------------------------------------------------------------ +# $File: macos,v 1.1 2012/12/21 16:41:07 christos Exp $ +# MacOS files +# + +0 string book\0\0\0\0mark\0\0\0\0 MacOS Alias file + +#------------------------------------------------------------------------------ +# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ # magic: file(1) magic for magic files # -0 string #\ Magic magic text file for file(1) cmd +0 string/t #\ Magic magic text file for file(1) cmd 0 lelong 0xF11E041C magic binary file for file(1) cmd >4 lelong x (version %d) (little endian) 0 belong 0xF11E041C magic binary file for file(1) cmd >4 belong x (version %d) (big endian) #------------------------------------------------------------------------------ +# $File: mail.news,v 1.22 2013/01/04 14:22:07 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. #0 string From mail text -# There are tests to ascmagic.c to cope with mail and news. -0 string Relay-Version: old news text +0 string/t Relay-Version: old news text !:mime message/rfc822 -0 string #!\ rnews batched news text +0 string/t #!\ rnews batched news text !:mime message/rfc822 -0 string N#!\ rnews mailed, batched news text +0 string/t N#!\ rnews mailed, batched news text !:mime message/rfc822 -0 string Forward\ to mail forwarding text +0 string/t Forward\ to mail forwarding text !:mime message/rfc822 -0 string Pipe\ to mail piping text +0 string/t Pipe\ to mail piping text !:mime message/rfc822 -0 string Return-Path: smtp mail text +0 string/tc delivered-to: SMTP mail text !:mime message/rfc822 -0 string Path: news text +0 string/tc return-path: SMTP mail text +!:mime message/rfc822 +0 string/t Path: news text !:mime message/news -0 string Xref: news text +0 string/t Xref: news text !:mime message/news -0 string From: news or mail text +0 string/t From: news or mail text !:mime message/rfc822 -0 string Article saved news text +0 string/t Article saved news text !:mime message/news -0 string BABYL Emacs RMAIL text -0 string Received: RFC 822 mail text +0 string/t BABYL Emacs RMAIL text +0 string/t Received: RFC 822 mail text !:mime message/rfc822 -0 string MIME-Version: MIME entity text -#0 string Content- MIME entity text +0 string/t MIME-Version: MIME entity text +#0 string/t Content- MIME entity text # TNEF files... 0 lelong 0x223E9F78 Transport Neutral Encapsulation Format +!:mime application/vnd.ms-tnef # From: Kevin Sullivan 0 string *mbx* MBX mail folder @@ -9598,7 +12266,34 @@ #0 string \