From d3ee0b6f6c6d0295075a8132f7e67d92f7d74d96 Mon Sep 17 00:00:00 2001 From: Tiago Gomes Date: Tue, 3 Feb 2015 15:19:27 +0000 Subject: Import 5.22 tarball --- magic/Magdir/android | 139 ++++++++ magic/Magdir/animation | 211 +++++++++--- magic/Magdir/apple | 17 +- magic/Magdir/archive | 50 ++- magic/Magdir/assembler | 16 +- magic/Magdir/att3b | 10 +- magic/Magdir/audio | 67 +++- magic/Magdir/bflt | 4 +- magic/Magdir/blackberry | 8 + magic/Magdir/blender | 4 +- magic/Magdir/bsdi | 8 +- magic/Magdir/c-lang | 22 +- magic/Magdir/cad | 72 +++- magic/Magdir/cafebabe | 41 +-- magic/Magdir/clarion | 4 +- magic/Magdir/claris | 4 +- magic/Magdir/clipper | 6 +- magic/Magdir/commands | 19 +- magic/Magdir/compress | 48 ++- magic/Magdir/ctf | 23 ++ magic/Magdir/cups | 8 +- magic/Magdir/database | 415 ++++++++++++++++++----- magic/Magdir/dolby | 102 +++--- magic/Magdir/dump | 10 +- magic/Magdir/dyadic | 90 ++--- magic/Magdir/efi | 4 +- magic/Magdir/elf | 138 +++++++- magic/Magdir/encore | 6 +- magic/Magdir/epoc | 6 +- magic/Magdir/filesystems | 804 ++++++++++++++++++++++++++++++++------------ magic/Magdir/flash | 27 +- magic/Magdir/fonts | 15 +- magic/Magdir/fortran | 4 +- magic/Magdir/fsav | 5 +- magic/Magdir/games | 20 +- magic/Magdir/gimp | 20 +- magic/Magdir/gnome | 6 +- magic/Magdir/gnu | 13 +- magic/Magdir/gpt | 3 +- magic/Magdir/graphviz | 6 +- magic/Magdir/hp | 30 +- magic/Magdir/ibm370 | 10 +- magic/Magdir/ibm6000 | 17 +- magic/Magdir/images | 386 +++++++++++++++++---- magic/Magdir/intel | 12 +- magic/Magdir/isz | 2 +- magic/Magdir/java | 21 +- magic/Magdir/jpeg | 187 ++++------- magic/Magdir/karma | 4 +- magic/Magdir/kerberos | 45 +++ magic/Magdir/linux | 96 +++++- magic/Magdir/mach | 348 +++++++++---------- magic/Magdir/macintosh | 89 +++-- magic/Magdir/map | 25 ++ magic/Magdir/marc21 | 12 +- magic/Magdir/meteorological | 49 +++ magic/Magdir/mips | 46 +-- magic/Magdir/misctools | 7 +- magic/Magdir/motorola | 30 +- magic/Magdir/msdos | 188 +++++------ magic/Magdir/msooxml | 33 +- magic/Magdir/msx | 255 ++++++++++++++ magic/Magdir/natinst | 4 +- magic/Magdir/ncr | 16 +- magic/Magdir/neko | 12 + magic/Magdir/netbsd | 46 +-- magic/Magdir/nitpicker | 2 +- magic/Magdir/oasis | 4 +- magic/Magdir/palm | 82 ++++- magic/Magdir/pascal | 10 +- magic/Magdir/pbf | 11 + magic/Magdir/pdf | 3 +- magic/Magdir/pdp | 18 +- magic/Magdir/perl | 42 ++- magic/Magdir/pgf | 52 +++ magic/Magdir/pgp | 444 +++++++++++++++++++++++- magic/Magdir/printer | 22 +- magic/Magdir/python | 20 +- magic/Magdir/qt | 19 ++ magic/Magdir/riff | 92 +++-- magic/Magdir/rinex | 44 --- magic/Magdir/scientific | 14 +- magic/Magdir/sequent | 29 +- magic/Magdir/sereal | 25 ++ magic/Magdir/sgi | 20 +- magic/Magdir/sgml | 9 +- magic/Magdir/sharc | 4 +- magic/Magdir/sql | 30 +- magic/Magdir/ssh | 5 + magic/Magdir/ssl | 1 + magic/Magdir/sun | 38 +-- magic/Magdir/symbos | 42 +++ magic/Magdir/sysex | 10 +- magic/Magdir/tcl | 2 +- magic/Magdir/tex | 36 +- magic/Magdir/ti-8x | 4 +- magic/Magdir/troff | 6 +- magic/Magdir/uterus | 2 +- magic/Magdir/varied.out | 4 +- magic/Magdir/varied.script | 30 +- magic/Magdir/vax | 6 +- magic/Magdir/virtual | 108 +++++- magic/Magdir/vms | 8 +- magic/Magdir/vorbis | 22 +- magic/Magdir/windows | 182 +++++++++- magic/Magdir/wordprocessors | 7 +- magic/Magdir/xilinx | 52 +-- magic/Magdir/xwindows | 14 +- magic/Magdir/zfs | 8 +- 109 files changed, 4505 insertions(+), 1523 deletions(-) create mode 100644 magic/Magdir/android create mode 100644 magic/Magdir/blackberry create mode 100644 magic/Magdir/ctf create mode 100644 magic/Magdir/kerberos create mode 100644 magic/Magdir/map create mode 100644 magic/Magdir/meteorological create mode 100644 magic/Magdir/msx create mode 100644 magic/Magdir/neko create mode 100644 magic/Magdir/pbf create mode 100644 magic/Magdir/pgf create mode 100644 magic/Magdir/qt delete mode 100644 magic/Magdir/rinex create mode 100644 magic/Magdir/sereal create mode 100644 magic/Magdir/symbos (limited to 'magic/Magdir') diff --git a/magic/Magdir/android b/magic/Magdir/android new file mode 100644 index 0000000..da98b57 --- /dev/null +++ b/magic/Magdir/android @@ -0,0 +1,139 @@ + +#------------------------------------------------------------ +# $File: android,v 1.7 2014/11/10 05:08:23 christos Exp $ +# Various android related magic entries +#------------------------------------------------------------ + +# Dalvik .dex format. http://retrodev.com/android/dexformat.html +# From "Mike Fleming" +# Fixed to avoid regexec 17 errors on some dex files +# From "Tim Strazzere" +0 string dex\n +>0 regex dex\n[0-9]{2}\0 Dalvik dex file +>4 string >000 version %s +0 string dey\n +>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) +>4 string >000 version %s + +# Android bootimg format +# From https://android.googlesource.com/\ +# platform/system/core/+/master/mkbootimg/bootimg.h +0 string ANDROID! Android bootimg +>1024 string LOKI\01 \b, LOKI'd +>8 lelong >0 \b, kernel +>>12 lelong >0 \b (0x%x) +>16 lelong >0 \b, ramdisk +>>20 lelong >0 \b (0x%x) +>24 lelong >0 \b, second stage +>>28 lelong >0 \b (0x%x) +>36 lelong >0 \b, page size: %d +>38 string >0 \b, name: %s +>64 string >0 \b, cmdline (%s) + +# Android Backup archive +# From: Ariel Shkedi +# File extension: .ab +# No mime-type defined +# URL: https://github.com/android/platform_frameworks_base/blob/\ +# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ +# android/server/BackupManagerService.java#L2367 +# After the header comes a tar file +# If compressed, the entire tar file is compressed with JAVA deflate +# +# Include the version number hardcoded with the magic string to avoid +# false positives +0 string/b ANDROID\ BACKUP\n1\n Android Backup +>17 string 0\n \b, Not-Compressed +>17 string 1\n \b, Compressed +# any string as long as it's not the word none (which is matched below) +>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) +>>19 string none\n \b, Not-Encrypted +# Commented out because they don't seem useful to print +# (but they are part of the header - the tar file comes after them): +#>>>&1 regex/1l .* \b, Password salt: %s +#>>>>&1 regex/1l .* \b, Master salt: %s +#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s +#>>>>>>&1 regex/1l .* \b, IV: %s +#>>>>>>>&1 regex/1l .* \b, Key: %s + +# *.pit files by Joerg Jenderek +# http://forum.xda-developers.com/showthread.php?p=9122369 +# http://forum.xda-developers.com/showthread.php?t=816449 +# Partition Information Table for Samsung's smartphone with Android +# used by flash software Odin +0 ulelong 0x12349876 +# 1st pit entry marker +>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +# minimal 13 and maximal 18 PIT entries found +>>4 ulelong <128 Partition Information Table for Samsung smartphone +>>>4 ulelong x \b, %d entries +# 1. pit entry +>>>4 ulelong >0 \b; #1 +>>>0x01C use PIT-entry +>>>4 ulelong >1 \b; #2 +>>>0x0A0 use PIT-entry +>>>4 ulelong >2 \b; #3 +>>>0x124 use PIT-entry +>>>4 ulelong >3 \b; #4 +>>>0x1A8 use PIT-entry +>>>4 ulelong >4 \b; #5 +>>>0x22C use PIT-entry +>>>4 ulelong >5 \b; #6 +>>>0x2B0 use PIT-entry +>>>4 ulelong >6 \b; #7 +>>>0x334 use PIT-entry +>>>4 ulelong >7 \b; #8 +>>>0x3B8 use PIT-entry +>>>4 ulelong >8 \b; #9 +>>>0x43C use PIT-entry +>>>4 ulelong >9 \b; #10 +>>>0x4C0 use PIT-entry +>>>4 ulelong >10 \b; #11 +>>>0x544 use PIT-entry +>>>4 ulelong >11 \b; #12 +>>>0x5C8 use PIT-entry +>>>4 ulelong >12 \b; #13 +>>>>0x64C use PIT-entry +# 14. pit entry +>>>4 ulelong >13 \b; #14 +>>>>0x6D0 use PIT-entry +>>>4 ulelong >14 \b; #15 +>>>0x754 use PIT-entry +>>>4 ulelong >15 \b; #16 +>>>0x7D8 use PIT-entry +>>>4 ulelong >16 \b; #17 +>>>0x85C use PIT-entry +# 18. pit entry +>>>4 ulelong >17 \b; #18 +>>>0x8E0 use PIT-entry + +0 name PIT-entry +# garbage value implies end of pit entries +>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +# skip empty partition name +>>0x24 ubyte !0 +# partition name +>>>0x24 string >\0 %-.32s +# flags +>>>0x0C ulelong&0x00000002 2 \b+RW +# partition ID: +# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER +# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW +>>>0x08 ulelong x (0x%x) +# filename +>>>0x44 string >\0 "%-.64s" +#>>>0x18 ulelong >0 +# blocksize in 512 byte units ? +#>>>>0x18 ulelong x \b, %db +# partition size in blocks ? +#>>>>0x22 ulelong x \b*%d + +# Android bootimg format +# From https://android.googlesource.com/\ +# platform/system/core/+/master/libsparse/sparse_format.h +0 lelong 0xed26ff3a Android sparse image +>4 leshort x \b, version: %d +>6 leshort x \b.%d +>16 lelong x \b, Total of %d +>12 lelong x \b %d-byte output blocks in +>20 lelong x \b %d input chunks. diff --git a/magic/Magdir/animation b/magic/Magdir/animation index fa5e6f1..0445adc 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.47 2013/02/06 14:18:52 christos Exp $ +# $File: animation,v 1.56 2014/10/23 23:12:51 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -32,43 +32,155 @@ !:mime application/x-quicktime-player 4 string/W jP JPEG 2000 image !:mime image/jp2 +# http://www.ftyps.com/ with local additions 4 string ftyp ISO Media ->8 string isom \b, MPEG v4 system, version 1 -!:mime video/mp4 ->8 string iso2 \b, MPEG v4 system, part 12 revision ->8 string mp41 \b, MPEG v4 system, version 1 -!:mime video/mp4 ->8 string mp42 \b, MPEG v4 system, version 2 -!:mime video/mp4 ->8 string mp7t \b, MPEG v4 system, MPEG v7 XML ->8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML ->8 string/W jp2 \b, JPEG 2000 -!:mime image/jp2 +>8 string 3g2 \b, MPEG v4 system, 3GPP2 +!:mime video/3gpp2 +>>11 byte 4 \b v4 (H.263/AMR GSM 6.10) +>>11 byte 5 \b v5 (H.263/AMR GSM 6.10) +>>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) +>>11 byte a \b C.S0050-0 V1.0 +>>11 byte b \b C.S0050-0-A V1.0.0 +>>11 byte c \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp +>>11 byte 6 \b, Release 6 MBMS Extended Presentations +>>11 byte 7 \b, Release 7 MBMS Extended Presentations >8 string 3gg \b, MPEG v4 system, 3GPP +>11 byte 6 \b, Release 6 General Profile !:mime video/3gpp >8 string 3gp \b, MPEG v4 system, 3GPP +>11 byte 1 \b, Release %d (non existent) +>11 byte 2 \b, Release %d (non existent) +>11 byte 3 \b, Release %d (non existent) +>11 byte 4 \b, Release %d +>11 byte 5 \b, Release %d +>11 byte 6 \b, Release %d +>11 byte 7 \b, Release %d Streaming Servers !:mime video/3gpp >8 string 3gs \b, MPEG v4 system, 3GPP +>11 byte 7 \b, Release %d Streaming Servers !:mime video/3gpp ->8 string 3g2 \b, MPEG v4 system, 3GPP2 +>8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005] +!:mime video/mp4 +>8 string/W qt \b, Apple QuickTime movie +!:mime video/quicktime +>8 string CAEP \b, Canon Digital Camera +>8 string caqv \b, Casio Digital Camera +>8 string CDes \b, Convergent Design +>8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG +>8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images +>8 string da1b \b, DMB MAF, ext da1a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da2a \b, DMB MAF aud w/ HE-AAC v2 aud, MOT slides, DLS, JPG/PNG/MNG +>8 string da2b \b, DMB MAF, ext da2a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string da3a \b, DMB MAF aud with HE-AAC aud, JPG/PNG/MNG images +>8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP +>8 string dmb1 \b, DMB MAF supporting all the components defined in the spec +>8 string dmpf \b, Digital Media Project +>8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4) +>8 string dv1a \b, DMB MAF vid w/ AVC vid, ER-BSAC aud, BIFS, JPG/PNG/MNG, TS +>8 string dv1b \b, DMB MAF, ext dv1a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dv2a \b, DMB MAF vid w/ AVC vid, HE-AAC v2 aud, BIFS, JPG/PNG/MNG, TS +>8 string dv2b \b, DMB MAF, ext dv2a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dv3a \b, DMB MAF vid w/ AVC vid, HE-AAC aud, BIFS, JPG/PNG/MNG, TS +>8 string dv3b \b, DMB MAF, ext dv3a, with 3GPP timed text, DID, TVA, REL, IPMP +>8 string dvr1 \b, DVB (.DVB) over RTP +!:mime video/vnd.dvb.file +>8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream +!:mime video/vnd.dvb.file +>8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V) +!:mime video/mp4 +>8 string F4P \b, Protected Video for Adobe Flash Player 9+ (.F4P) +!:mime video/mp4 +>8 string F4A \b, Audio for Adobe Flash Player 9+ (.F4A) +!:mime audio/mp4 +>8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B) +!:mime audio/mp4 +>8 string isc2 \b, ISMACryp 2.0 Encrypted File +# ?/enc-isoff-generic +>8 string iso2 \b, MP4 Base Media v2 [ISO 14496-12:2005] +!:mime video/mp4 +>8 string isom \b, MP4 Base Media v1 [IS0 14496-12:2003] +!:mime video/mp4 +>8 string/W jp2 \b, JPEG 2000 +!:mime image/jp2 +>8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?] +!:mime image/jp2 +>8 string JP20 \b, Unknown, from GPAC samples (prob non-existent) +>8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6] +!:mime image/jpm +>8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2] +!:mime image/jpx +>8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones !:mime video/3gpp2 ->>11 byte 4 \b v4 (H.263/AMR GSM 6.10) ->>11 byte 5 \b v5 (H.263/AMR GSM 6.10) ->>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) +>8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio +!:mime audio/x-m4a +>8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book +!:mime audio/mp4 +>8 string M4P \b, Apple iTunes ALAC/AAC-LC (.M4P) AES Protected Audio +!:mime video/mp4 +>8 string M4V \b, Apple iTunes Video (.M4V) Video +!:mime video/x-m4v +>8 string M4VH \b, Apple TV (.M4V) +!:mime video/x-m4v +>8 string M4VP \b, Apple iPhone (.M4V) +!:mime video/x-m4v +>8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile +!:mime video/mj2 +>8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile +!:mime video/mj2 +>8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT) +!:mime video/mp4 +>8 string mobi \b, MPEG-4, MOBI format +!:mime video/mp4 +>8 string mp21 \b, MPEG-21 [ISO/IEC 21000-9] +>8 string mp41 \b, MP4 v1 [ISO 14496-1:ch13] +!:mime video/mp4 +>8 string mp42 \b, MP4 v2 [ISO 14496-14] +!:mime video/mp4 +>8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12] +>8 string mp7t \b, MPEG v4 system, MPEG v7 XML +>8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML >8 string mmp4 \b, MPEG v4 system, 3GPP Mobile !:mime video/mp4 ->8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC -!:mime video/3gpp ->8 string/W M4A \b, MPEG v4 system, iTunes AAC-LC +>8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3] +>8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830 +!:mime video/quicktime +>8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP !:mime audio/mp4 ->8 string/W M4V \b, MPEG v4 system, iTunes AVC-LC +>8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio +!:mime audio/mp4 +>8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile !:mime video/mp4 ->8 string/W M4P \b, MPEG v4 system, iTunes AES encrypted ->8 string/W M4B \b, MPEG v4 system, iTunes bookmarked ->8 string/W qt \b, Apple QuickTime movie +>8 string NDSH \b, MPEG-4 (.MP4) Nero HDTV Profile +!:mime video/mp4 +>8 string NDSM \b, MPEG-4 (.MP4) Nero Mobile Profile +!:mime video/mp4 +>8 string NDSP \b, MPEG-4 (.MP4) Nero Portable Profile +!:mime video/mp4 +>8 string NDSS \b, MPEG-4 (.MP4) Nero Standard Profile +!:mime video/mp4 +>8 string NDXC \b, H.264/MPEG-4 AVC (.MP4) Nero Cinema Profile +!:mime video/mp4 +>8 string NDXH \b, H.264/MPEG-4 AVC (.MP4) Nero HDTV Profile +!:mime video/mp4 +>8 string NDXM \b, H.264/MPEG-4 AVC (.MP4) Nero Mobile Profile +!:mime video/mp4 +>8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile +!:mime video/mp4 +>8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile +!:mime video/mp4 +>8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A) +>8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C) +>8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C) +>8 string pana \b, Panasonic Digital Camera +>8 string qt \b, Apple QuickTime (.MOV/QT) !:mime video/quicktime +>8 string ROSS \b, Ross Video +>8 string sdv \b, SD Memory Card Video +>8 string ssc1 \b, Samsung stereo, single stream (patent pending) +>8 string ssc2 \b, Samsung stereo, dual stream (patent pending) # MPEG sequences # Scans for all common MPEG header start codes @@ -89,7 +201,10 @@ >>4 byte 77 \b, main >>4 byte 88 \b, extended >>6 byte x \b @ L %u +# GRR too general as it catches also FoxPro Memo example NG.FPT >3 byte 0xB0 MPEG sequence, v4 +# TODO: maybe this extra line exclude FoxPro Memo example NG.FPT starting with 000001b0 00000100 00000000 +#>>4 byte !0 MPEG sequence, v4 !:mime video/mpeg4-generic >>5 belong 0x000001B5 >>>9 byte &0x80 @@ -448,6 +563,7 @@ # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 +!:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps @@ -617,7 +733,7 @@ # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm -#>1 beshort&0x1FFF x \b, %u byte packet +#>1 beshort&0x1FFF x \b, %hu byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams @@ -715,16 +831,16 @@ !:mime video/x-mng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a ->>16 belong x %ld x ->>20 belong x %ld +>>16 belong x %d x +>>20 belong x %d # JNG Video Format, 0 string \x8bJNG JNG video data, !:mime video/x-jng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a ->>16 belong x %ld x ->>20 belong x %ld +>>16 belong x %d x +>>20 belong x %d # Vivo video (Wolfram Kleff) 3 string \x0D\x0AVersion:Vivo Vivo video data @@ -785,25 +901,26 @@ # MPEG file # MPEG sequences -# FIXME: This section is from the old magic.mime file and needs integrating with the rest -0 belong 0x000001BA ->4 byte &0x40 -!:mime video/mp2p ->4 byte ^0x40 -!:mime video/mpeg -0 belong 0x000001BB -!:mime video/mpeg -0 belong 0x000001B0 -!:mime video/mp4v-es -0 belong 0x000001B5 -!:mime video/mp4v-es -0 belong 0x000001B3 -!:mime video/mpv -0 belong&0xFF5FFF1F 0x47400010 -!:mime video/mp2t -0 belong 0x00000001 ->4 byte&0x1F 0x07 -!:mime video/h264 +# FIXME: This section is from the old magic.mime file and needs +# integrating with the rest +#0 belong 0x000001BA +#>4 byte &0x40 +#!:mime video/mp2p +#>4 byte ^0x40 +#!:mime video/mpeg +#0 belong 0x000001BB +#!:mime video/mpeg +#0 belong 0x000001B0 +#!:mime video/mp4v-es +#0 belong 0x000001B5 +#!:mime video/mp4v-es +#0 belong 0x000001B3 +#!:mime video/mpv +#0 belong&0xFF5FFF10 0x47400010 +#!:mime video/mp2t +#0 belong 0x00000001 +#>4 byte&0x1F 0x07 +#!:mime video/h264 # Type: Bink Video # Extension: .bik diff --git a/magic/Magdir/apple b/magic/Magdir/apple index 419b090..e3dd059 100644 --- a/magic/Magdir/apple +++ b/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.26 2012/12/27 15:43:23 christos Exp $ +# $File: apple,v 1.29 2014/04/30 21:41:02 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -106,8 +106,13 @@ # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. +# update by Joerg Jenderek at Feb 2013 -0 belong&0xff00ff 0x80000 Applesoft BASIC program data +# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) +#0 belong&0xff00ff 0x80000 Applesoft BASIC program data +0 belong&0x00ff00ff 0x00080000 +# assuming that line number must be positive +>2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d # ORCA/EZ assembler: @@ -199,15 +204,15 @@ # purposes in YellowStep/Cocoa, including some nib files. # From: David Remahl 2 string typedstream NeXT/Apple typedstream data, big endian ->0 byte x \b, version %hhd +>0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b ->>>14 ubeshort x \b, system %hd +>>>14 ubeshort x \b, system %d 2 string streamtyped NeXT/Apple typedstream data, little endian ->0 byte x \b, version %hhd +>0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b ->>>14 uleshort x \b, system %hd +>>>14 uleshort x \b, system %d #------------------------------------------------------------------------------ # CAF: Apple CoreAudio File Format diff --git a/magic/Magdir/archive b/magic/Magdir/archive index b8fbd28..4ef73a7 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.79 2013/02/08 17:24:06 christos Exp $ +# $File: archive,v 1.88 2014/08/16 10:42:17 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -92,9 +92,10 @@ # "debian". # 0 string =!\ndebian -!:mime application/x-debian-package >8 string debian-split part of multipart Debian package +!:mime application/vnd.debian.binary-package >8 string debian-binary Debian binary package +!:mime application/vnd.debian.binary-package >8 string !debian >68 string >\0 (format %s) # These next two lines do not work, because a bzip2 Debian archive @@ -268,7 +269,7 @@ >9 string \0 >>0 string KWAJ >>>7 string \321\003 MS Compress archive data ->>>>14 ulong >0 \b, original size: %ld bytes +>>>>14 ulong >0 \b, original size: %d bytes >>>>18 ubyte >0x65 >>>>>18 string x \b, was %.8s >>>>>(10.b-4) string x \b.%.3s @@ -497,7 +498,7 @@ # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, -#>2 leshort >1 %u files, +#>2 leshort >1 %hu files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC @@ -679,7 +680,7 @@ # EPUB (OEBPS) books using OCF (OEBPS Container Format) # http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4. # From: Ralf Brown ->0x1E string mimetypeapplication/epub+zip EPUB document +>>50 string epub+zip EPUB document !:mime application/epub+zip # Catch other ZIP-with-mimetype formats @@ -701,8 +702,8 @@ !:mime application/zip # Java Jar files ->(26.s+30) leshort 0xcafe Java Jar file data (zip) -!:mime application/jar +>(26.s+30) leshort 0xcafe Java archive data (JAR) +!:mime application/java-archive # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) # Next line excludes specialized formats: @@ -873,7 +874,7 @@ # From: Dirk Jagdmann # xar archive format: http://code.google.com/p/xar/ 0 string xar! xar archive ->6 beshort x - version %ld +>6 beshort x - version %d # From: "Nelson A. de Oliveira" # .kgb @@ -920,3 +921,36 @@ >36 byte 16 \b, back-to-front >42 beshort x \b, (%dx, >44 beshort x %d) + +# Symantec GHOST image by Joerg Jenderek at May 2014 +# http://us.norton.com/ghost/ +# http://www.garykessler.net/library/file_sigs.html +0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image +# *.GHO +>2 ubyte&0x08 0x00 \b, first file +# *.GHS or *.[0-9] with cns program option +>2 ubyte&0x08 0x08 \b, split file +# part of split index interesting for *.ghs +>>4 ubyte x id=0x%x +# compression tag minus one equals numeric compression command line switch z[1-9] +>3 ubyte 0 \b, no compression +>3 ubyte 2 \b, fast compression (Z1) +>3 ubyte 3 \b, medium compression (Z2) +>3 ubyte >3 +>>3 ubyte <11 \b, compression (Z%d-1) +>2 ubyte&0x08 0x00 +# ~ 30 byte password field only for *.gho +>>12 ubequad !0 \b, password protected +>>44 ubyte !1 +# 1~Image All, sector-by-sector only for *.gho +>>>10 ubyte 1 \b, sector copy +# 1~Image Boot track only for *.gho +>>>43 ubyte 1 \b, boot track +# 1~Image Disc only for *.gho implies Image Boot track and sector copy +>>44 ubyte 1 \b, disc sector copy +# optional image description only *.gho +>>0xff string >\0 "%-.254s" +# look for DOS sector end sequence +>0xE08 search/7776 \x55\xAA +>>&-512 indirect x \b; contains + diff --git a/magic/Magdir/assembler b/magic/Magdir/assembler index f311ae9..805a326 100644 --- a/magic/Magdir/assembler +++ b/magic/Magdir/assembler @@ -1,18 +1,18 @@ #------------------------------------------------------------------------------ -# $File: assembler,v 1.4 2013/01/04 23:31:11 christos Exp $ +# $File: assembler,v 1.6 2013/12/11 14:14:20 christos Exp $ # make: file(1) magic for assembler source # -0 regex \^[\020\t]*\\.asciiz assembler source text +0 regex \^[\040\t]{0,50}\\.asciiz assembler source text !:mime text/x-asm -0 regex \^[\020\t]*\\.byte assembler source text +0 regex \^[\040\t]{0,50}\\.byte assembler source text !:mime text/x-asm -0 regex \^[\020\t]*\\.even assembler source text +0 regex \^[\040\t]{0,50}\\.even assembler source text !:mime text/x-asm -0 regex \^[\020\t]*\\.globl assembler source text +0 regex \^[\040\t]{0,50}\\.globl assembler source text !:mime text/x-asm -0 regex \^[\020\t]*\\.text assembler source text +0 regex \^[\040\t]{0,50}\\.text assembler source text !:mime text/x-asm -0 regex \^[\020\t]*\\.file assembler source text +0 regex \^[\040\t]{0,50}\\.file assembler source text !:mime text/x-asm -0 regex \^[\020\t]*\\.type assembler source text +0 regex \^[\040\t]{0,50}\\.type assembler source text !:mime text/x-asm diff --git a/magic/Magdir/att3b b/magic/Magdir/att3b index 9688011..a3ed9c0 100644 --- a/magic/Magdir/att3b +++ b/magic/Magdir/att3b @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: att3b,v 1.8 2009/09/19 16:28:08 christos Exp $ +# $File: att3b,v 1.9 2014/04/30 21:41:02 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. @@ -11,10 +11,10 @@ # The 3B20 conflicts with SCCS. #0 beshort 0550 3b20 COFF executable #>12 belong >0 not stripped -#>22 beshort >0 - version %ld +#>22 beshort >0 - version %d #0 beshort 0551 3b20 COFF executable (TV) #>12 belong >0 not stripped -#>22 beshort >0 - version %ld +#>22 beshort >0 - version %d # # WE32K # @@ -29,12 +29,12 @@ >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0443 (target shared library) ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 0561 WE32000 COFF executable (TV) >12 belong >0 not stripped #>18 beshort &00020000 - 32100 required #>18 beshort &00040000 and MAU hardware required -#>22 beshort >0 - version %ld +#>22 beshort >0 - version %d # # core file for 3b2 0 string \000\004\036\212\200 3b2 core file diff --git a/magic/Magdir/audio b/magic/Magdir/audio index ebe6f09..338d8ae 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.66 2013/02/06 14:18:52 christos Exp $ +# $File: audio,v 1.71 2014/05/14 23:30:28 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -104,7 +104,7 @@ # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data ->4 belong x - version %ld +>4 belong x - version %d # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] @@ -637,3 +637,66 @@ # URL: http://wiki.multimedia.cx/index.php?title=WavPack # From: Mike Melanson 0 string wvpk WavPack Lossless Audio + +# From Fabio R. Schmidlin +# VGM music file +0 string Vgm\ +>9 ubyte >0 VGM Video Game Music dump v +>>9 ubyte/16 >0 \b%d +>>9 ubyte&0x0F x \b%d +>>8 ubyte/16 x \b.%d +>>8 ubyte&0x0F >0 \b%d +#Get soundchips +>>8 ubyte x \b, soundchip(s)= +>>0x0C ulelong >0 SN76489, +>>0x10 ulelong >0 YM2413, +>>0x2C ulelong >0 YM2612, +>>0x30 ulelong >0 YM2151, +>>0x38 ulelong >0 Sega PCM, +>>0x34 ulelong >0xC +>>>0x40 ulelong >0 RF5C68, +>>0x34 ulelong >0x10 +>>>0x44 ulelong >0 YM2203, +>>0x34 ulelong >0x14 +>>>0x48 ulelong >0 YM2608, +>>0x34 ulelong >0x18 +>>>0x4C lelong >0 YM2610, +>>>0x4C lelong <0 YM2610B, +>>0x34 ulelong >0x1C +>>>0x50 ulelong >0 YM3812, +>>0x34 ulelong >0x20 +>>>0x54 ulelong >0 YM3526, +>>0x34 ulelong >0x24 +>>>0x58 ulelong >0 Y8950, +>>0x34 ulelong >0x28 +>>>0x5C ulelong >0 YMF262, +>>0x34 ulelong >0x2C +>>>0x60 ulelong >0 YMF278B, +>>0x34 ulelong >0x30 +>>>0x64 ulelong >0 YMF271, +>>0x34 ulelong >0x34 +>>>0x68 ulelong >0 YMZ280B, +>>0x34 ulelong >0x38 +>>>0x6C ulelong >0 RF5C164, +>>0x34 ulelong >0x3C +>>>0x70 ulelong >0 PWM, +>>0x34 ulelong >0x40 +>>>0x74 ulelong >0 +>>>>0x78 ubyte 0x00 AY-3-8910, +>>>>0x78 ubyte 0x01 AY-3-8912, +>>>>0x78 ubyte 0x02 AY-3-8913, +>>>>0x78 ubyte 0x03 AY-3-8930, +>>>>0x78 ubyte 0x10 YM2149, +>>>>0x78 ubyte 0x11 YM3439, + +# GVOX Encore file format +# Since this is a proprietary file format and there is no publicly available +# format specification, this is just based on induction +# +0 string SCOW +>4 byte 0xc4 GVOX Encore music, version 5.0 or above +>4 byte 0xc2 GVOX Encore music, version < 5.0 + +0 string ZBOT +>4 byte 0xc5 GVOX Encore music, version < 5.0 + diff --git a/magic/Magdir/bflt b/magic/Magdir/bflt index 03eb59d..c46b4db 100644 --- a/magic/Magdir/bflt +++ b/magic/Magdir/bflt @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: bflt,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File: bflt,v 1.5 2014/04/30 21:41:02 christos Exp $ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter # 0 string bFLT BFLT executable ->4 belong x - version %ld +>4 belong x - version %d >4 belong 4 >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic diff --git a/magic/Magdir/blackberry b/magic/Magdir/blackberry new file mode 100644 index 0000000..4a61d4e --- /dev/null +++ b/magic/Magdir/blackberry @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: blackberry,v 1.1 2014/01/31 01:51:32 christos Exp $ +# blackberry: file(1) magic for BlackBerry file formats +# +5 belong 0 +>8 belong 010010010 BlackBerry RIM ETP file +>>22 string x \b for %s diff --git a/magic/Magdir/blender b/magic/Magdir/blender index 1814738..5b9c855 100644 --- a/magic/Magdir/blender +++ b/magic/Magdir/blender @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.5 2009/09/19 16:28:08 christos Exp $ +# $File: blender,v 1.6 2014/08/30 08:34:17 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list @@ -35,5 +35,5 @@ >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d -# Scripts that run in the embeded Python interpreter +# Scripts that run in the embedded Python interpreter 0 string #!BPY Blender3D BPython script diff --git a/magic/Magdir/bsdi b/magic/Magdir/bsdi index e8a6c35..8499b0c 100644 --- a/magic/Magdir/bsdi +++ b/magic/Magdir/bsdi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: bsdi,v 1.6 2013/01/09 22:37:24 christos Exp $ +# $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # Some object/executable formats use the same magic numbers as are used # in other OSes; those are handled by entries in aout. @@ -11,7 +11,7 @@ >32 byte 0x6a (uses shared libs) # same as in SunOS 4.x, except for static shared libraries -0 belong&077777777 0600413 sparc demand paged +0 belong&077777777 0600413 SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable @@ -20,13 +20,13 @@ >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) -0 belong&077777777 0600410 sparc pure +0 belong&077777777 0600410 SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) -0 belong&077777777 0600407 sparc +0 belong&077777777 0600407 SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang index 41dfb62..39889ec 100644 --- a/magic/Magdir/c-lang +++ b/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.17 2012/04/28 21:20:26 christos Exp $ +# $File: c-lang,v 1.19 2014/06/03 19:17:27 christos Exp $ # c-lang: file(1) magic for C and related languages programs # @@ -12,30 +12,30 @@ # C 0 regex \^#include C source text !:mime text/x-c -0 regex \^char C source text +0 regex \^char[\ \t\n]+ C source text !:mime text/x-c -0 regex \^double C source text +0 regex \^double[\ \t\n]+ C source text !:mime text/x-c -0 regex \^extern C source text +0 regex \^extern[\ \t\n]+ C source text !:mime text/x-c -0 regex \^float C source text +0 regex \^float[\ \t\n]+ C source text !:mime text/x-c -0 regex \^struct C source text +0 regex \^struct[\ \t\n]+ C source text !:mime text/x-c -0 regex \^union C source text +0 regex \^union[\ \t\n]+ C source text !:mime text/x-c 0 search/8192 main( C source text !:mime text/x-c # C++ # The strength of these rules is increased so they beat the C rules above -0 regex \^template C++ source text +0 regex \^template[\ \t\n]+ C++ source text !:strength + 5 !:mime text/x-c++ -0 regex \^virtual C++ source text +0 regex \^virtual[\ \t\n]+ C++ source text !:strength + 5 !:mime text/x-c++ -0 regex \^class C++ source text +0 regex \^class[\ \t\n]+ C++ source text !:strength + 5 !:mime text/x-c++ 0 regex \^public: C++ source text @@ -50,7 +50,7 @@ >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. -# The inverted index functionality was added some time betwen +# The inverted index functionality was added some time between # versions 11 and 15, so look for -q if version is above 14: >7 string >14 >>10 search/100 \ -q\ with inverted index diff --git a/magic/Magdir/cad b/magic/Magdir/cad index cc4ef34..9b09fd7 100644 --- a/magic/Magdir/cad +++ b/magic/Magdir/cad @@ -1,16 +1,9 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.11 2011/12/08 12:12:46 rrt Exp $ +# $File: cad,v 1.13 2014/03/23 18:05:38 christos Exp $ # autocad: file(1) magic for cad files # -# AutoCAD DWG versions R13/R14 (www.autodesk.com) -# Written December 01, 2003 by Lester Hightower -# Based on the DWG File Format Specifications at http://www.opendwg.org/ -0 string \101\103\061\060\061 AutoCAD ->5 string \062\000\000\000\000 DWG ver. R13 ->5 string \064\000\000\000\000 DWG ver. R14 - # Microstation DGN/CIT Files (www.bentley.com) # Last updated July 29, 2005 by Lester Hightower # DGN is the default file extension of Microstation/Intergraph CAD files. @@ -49,19 +42,62 @@ >4 string \030\000\000 CITFile >4 string \030\000\003 CITFile +# AutoCAD +# Merge of the different contributions and updates from http://en.wikipedia.org/wiki/Dwg +# and http://www.iana.org/assignments/media-types/image/vnd.dwg +0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0 +!:mime image/vnd.dwg +0 string AC1.2 DWG AutoDesk AutoCAD Release 1.2 +!:mime image/vnd.dwg +0 string AC1.3 DWG AutoDesk AutoCAD Release 1.3 +!:mime image/vnd.dwg +0 string AC1.40 DWG AutoDesk AutoCAD Release 1.40 +!:mime image/vnd.dwg +0 string AC1.50 DWG AutoDesk AutoCAD Release 2.05 +!:mime image/vnd.dwg +0 string AC2.10 DWG AutoDesk AutoCAD Release 2.10 +!:mime image/vnd.dwg +0 string AC2.21 DWG AutoDesk AutoCAD Release 2.21 +!:mime image/vnd.dwg +0 string AC2.22 DWG AutoDesk AutoCAD Release 2.22 +!:mime image/vnd.dwg +0 string AC1001 DWG AutoDesk AutoCAD Release 2.22 +!:mime image/vnd.dwg +0 string AC1002 DWG AutoDesk AutoCAD Release 2.50 +!:mime image/vnd.dwg +0 string AC1003 DWG AutoDesk AutoCAD Release 2.60 +!:mime image/vnd.dwg +0 string AC1004 DWG AutoDesk AutoCAD Release 9 +!:mime image/vnd.dwg +0 string AC1006 DWG AutoDesk AutoCAD Release 10 +!:mime image/vnd.dwg +0 string AC1009 DWG AutoDesk AutoCAD Release 11/12 +!:mime image/vnd.dwg +# AutoCAD DWG versions R13/R14 (www.autodesk.com) +# Written December 01, 2003 by Lester Hightower +# Based on the DWG File Format Specifications at http://www.opendwg.org/ # AutoCad, from Nahuel Greco # AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) -0 string AC1012 DWG AutoDesk AutoCad (release 12) -0 string AC1013 DWG AutoDesk AutoCad (release 13) -0 string AC1014 DWG AutoDesk AutoCad (release 14) +0 string AC1012 DWG AutoDesk AutoCAD Release 13 +!:mime image/vnd.dwg +0 string AC1014 DWG AutoDesk AutoCAD Release 14 +!:mime image/vnd.dwg +0 string AC1015 DWG AutoDesk AutoCAD 2000/2002 +!:mime image/vnd.dwg + # A new version of AutoCAD DWG # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321) # From various sources like: # http://autodesk.blogs.com/between_the_lines/autocad-release-history.html -0 string AC1018 DWG AutoDesk AutoCAD 2004/2005/2006 -0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009 -0 string AC1024 DWG AutoDesk AutoCAD 2010/2011 +0 string AC1018 DWG AutoDesk AutoCAD 2004/2005/2006 +!:mime image/vnd.dwg +0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009 +!:mime image/vnd.dwg +0 string AC1024 DWG AutoDesk AutoCAD 2010/2011/2012 +!:mime image/vnd.dwg +0 string AC1027 DWG AutoDesk AutoCAD 2013/2014 +!:mime image/vnd.dwg # KOMPAS 2D drawing from ASCON # This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor @@ -110,9 +146,11 @@ 0 beshort 0x0809 Bentley/Intergraph MicroStation >0x02 byte 0xfe >>0x04 beshort 0x1800 CIT raster CAD -0 string AC1012 AutoDesk AutoCAD R13 -0 string AC1014 AutoDesk AutoCAD R14 -0 string AC1015 AutoDesk AutoCAD R2000 # 3DS (3d Studio files) Conflicts with diff output 0x3d '=' #16 beshort 0x3d3d image/x-3ds + +# MegaCAD 2D/3D drawing (.prt) +# http://megacad.de/ +# From: Markus Heidelberg +0 string MegaCad23\0 MegaCAD 2D/3D drawing diff --git a/magic/Magdir/cafebabe b/magic/Magdir/cafebabe index ea4846d..4c58fc6 100644 --- a/magic/Magdir/cafebabe +++ b/magic/Magdir/cafebabe @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.12 2013/01/11 16:45:23 christos Exp $ +# $File: cafebabe,v 1.17 2015/01/01 17:07:00 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, @@ -16,8 +16,8 @@ # ### JAVA START ### 0 belong 0xcafebabe -!:mime application/x-java-applet >4 belong >30 compiled Java class data, +!:mime application/x-java-applet >>6 beshort x version %d. >>4 beshort x \b%d # Which is which? @@ -43,36 +43,21 @@ ### JAVA END ### ### MACH-O START ### -# 16777216 = 0x01000000 -0 name mach-o \b [ ->0 belong 0xffffffff \bAny ->0 belong 1 \bVax ->0 belong 6 \bMC680x0 ->0 belong 7 \bI386 ->0 belong 8 \bMIPS ->0 belong 10 \bMC98000 ->0 belong 11 \bHPPA ->0 belong 12 \bARM ->0 belong 13 \bMC88000 ->0 belong 14 \bSPARC ->0 belong 15 \bI860 ->0 belong 16 \bALPHA ->0 belong 17 \bPOWERPC ->0 belong 16777223 \bX86_64 ->0 belong 16777233 \bPOWERPC64 ->&(8.L) indirect : +0 name mach-o \b [ +>0 use mach-o-cpu \b +>(8.L) indirect \b: >0 belong x \b] 0 belong 0xcafebabe >4 belong 1 Mach-O universal binary with 1 architecture: ->>8 use mach-o +>>8 use mach-o \b >4 belong >1 ->>4 belong <20 Mach-O universal binary with %ld architectures: ->>>8 use mach-o ->>>28 use mach-o ->>>4 belong >2 ->>>>48 use mach-o ->>>>>4 belong >3 ->>>>>68 use mach-o +>>4 belong <20 Mach-O universal binary with %d architectures: +>>>8 use mach-o \b +>>>28 use mach-o \b +>>4 belong >2 +>>>48 use mach-o \b +>>4 belong >3 +>>>68 use mach-o \b ### MACH-O END ### diff --git a/magic/Magdir/clarion b/magic/Magdir/clarion index cff7a3b..9fa0049 100644 --- a/magic/Magdir/clarion +++ b/magic/Magdir/clarion @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: clarion,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File: clarion,v 1.5 2014/04/30 21:41:02 christos Exp $ # clarion: file(1) magic for # Clarion Personal/Professional Developer # (v2 and above) # From: Julien Blache @@ -15,7 +15,7 @@ >2 leshort &0x0010 \b, compressed >2 leshort &0x0040 \b, read only # number of records ->5 lelong x \b, %ld records +>5 lelong x \b, %d records # Memo files 0 leshort 0x334d Clarion Developer (v2 and above) memo data diff --git a/magic/Magdir/claris b/magic/Magdir/claris index 3f447bc..0f7b591 100644 --- a/magic/Magdir/claris +++ b/magic/Magdir/claris @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: claris,v 1.6 2012/06/20 21:19:05 christos Exp $ +# $File: claris,v 1.7 2014/06/03 19:17:27 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" # Claris Works a word processor, etc. @@ -20,7 +20,7 @@ # .cwk 0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document # .plt -0 string \020\341\000\000\010\010 Claris Works pallete files .plt +0 string \020\341\000\000\010\010 Claris Works palette files .plt # .msp a dictionary file I am not sure about this I have only one .msp file 0 string \002\271\262\000\040\002\000\164 Claris works dictionary diff --git a/magic/Magdir/clipper b/magic/Magdir/clipper index 9f47534..98278eb 100644 --- a/magic/Magdir/clipper +++ b/magic/Magdir/clipper @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: clipper,v 1.6 2009/09/19 16:28:08 christos Exp $ +# $File: clipper,v 1.7 2014/04/30 21:41:02 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? @@ -35,7 +35,7 @@ >20 short 0413 (demand paged) >20 short 0443 (target shared library) >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d 0 short 0577 CLIPPER COFF executable >18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 @@ -47,7 +47,7 @@ >20 short 0413 (paged) >20 short 0443 (target shared library) >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d >48 long&01 01 alignment trap enabled >52 byte 1 -Ctnc >52 byte 2 -Ctsw diff --git a/magic/Magdir/commands b/magic/Magdir/commands index 157dae0..3d97489 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands @@ -1,16 +1,23 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.45 2013/02/06 14:18:52 christos Exp $ +# $File: commands,v 1.51 2014/09/27 00:12:55 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 0 string/wt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /bin/sh POSIX shell script executable (binary data) +!:mime text/x-shellscript + 0 string/wt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript + # korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string/wt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /bin/ksh Korn shell script executable (binary data) +!:mime text/x-shellscript + 0 string/wt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable @@ -49,7 +56,7 @@ !:mime text/x-awk 0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk -0 regex =^\\s*BEGIN\\s*[{] awk script text +0 regex/4096 =^\\s{0,100}BEGIN\\s{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable @@ -57,12 +64,20 @@ # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string/wt #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript 0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript 0 string/wt #!\ /usr/local/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/wb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) +!:mime text/x-shellscript # PHP scripts # Ulf Harnhammar diff --git a/magic/Magdir/compress b/magic/Magdir/compress index 94c209d..beb8ebe 100644 --- a/magic/Magdir/compress +++ b/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.49 2011/12/07 22:04:27 christos Exp $ +# $File: compress,v 1.62 2014/09/13 14:27:12 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -22,6 +22,7 @@ # other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213 gzip compressed data !:mime application/x-gzip +!:strength * 2 >2 byte <8 \b, reserved method >2 byte >8 \b, unknown method >3 byte &0x01 \b, ASCII @@ -30,6 +31,10 @@ >3 byte&0xC =0x08 >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment +>3 byte &0x20 \b, encrypted +>4 ledate >0 \b, last modified: %s +>8 byte 2 \b, max compression +>8 byte 4 \b, max speed >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS @@ -44,11 +49,6 @@ >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS ->3 byte &0x10 \b, comment ->3 byte &0x20 \b, encrypted ->4 ledate >0 \b, last modified: %s ->8 byte 2 \b, max compression ->8 byte 4 \b, max speed # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data @@ -191,10 +191,13 @@ # Type: LZMA 0 lelong&0xffffff =0x5d ->12 leshort =0xff LZMA compressed data, +>12 leshort 0xff LZMA compressed data, +!:mime application/x-lzma +>>5 lequad =0xffffffffffffffff streamed +>>5 lequad !0xffffffffffffffff non-streamed, size %lld +>12 leshort 0 LZMA compressed data, >>5 lequad =0xffffffffffffffff streamed >>5 lequad !0xffffffffffffffff non-streamed, size %lld -!:mime application/x-lzma # http://tukaani.org/xz/xz-file-format.txt 0 ustring \xFD7zXZ\x00 XZ compressed data @@ -206,6 +209,15 @@ >5 byte x \b.%d !:mime application/x-lrzip +# http://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html +0 lelong 0x184d2204 LZ4 compressed data (v1.4+) +!:mime application/x-lz4 +# Added by osm0sis@xda-developers.com +0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) +!:mime application/x-lz4 +0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9) +!:mime application/x-lz4 + # AFX compressed files (Wolfram Kleff) 2 string -afx- AFX compressed file data @@ -229,3 +241,23 @@ >6 byte >-1 %i) >7 long >0 , original size: %i bytes >15 long >30 , block size: %i bytes + +# Valve Pack (VPK) files +0 lelong 0x55aa1234 Valve Pak file +>0x4 lelong x \b, version %u +>0x8 lelong x \b, %u entries + +# Snappy framing format +# http://code.google.com/p/snappy/source/browse/trunk/framing_format.txt +0 string \377\006\0\0sNaPpY snappy framed data +!:mime application/x-snappy-framed + +# qpress, http://www.quicklz.com/ +0 string qpress10 qpress compressed data +!:mime application/x-qpress + +# Zlib https://www.ietf.org/rfc/rfc6713.txt +0 beshort%31 =0 +>0 byte&0xf =8 +>>0 byte&0x80 =0 zlib compressed data +!:mime application/zlib diff --git a/magic/Magdir/ctf b/magic/Magdir/ctf new file mode 100644 index 0000000..37fdd1b --- /dev/null +++ b/magic/Magdir/ctf @@ -0,0 +1,23 @@ + +#-------------------------------------------------------------- +# ctf: file(1) magic for CTF (Common Trace Format) trace files +# +# Specs. available here: +#-------------------------------------------------------------- + +# CTF trace data +0 lelong 0xc1fc1fc1 Common Trace Format (CTF) trace data (LE) +0 belong 0xc1fc1fc1 Common Trace Format (CTF) trace data (BE) + +# CTF metadata (packetized) +0 lelong 0x75d11d57 Common Trace Format (CTF) packetized metadata (LE) +>35 byte x \b, v%d +>36 byte x \b.%d +0 belong 0x75d11d57 Common Trace Format (CTF) packetized metadata (BE) +>35 byte x \b, v%d +>36 byte x \b.%d + +# CTF metadata (plain text) +0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata +!:strength + 5 # this is to make sure we beat C +>&0 regex [0-9]+\.[0-9]+ \b, v%s diff --git a/magic/Magdir/cups b/magic/Magdir/cups index 54167fc..005a134 100644 --- a/magic/Magdir/cups +++ b/magic/Magdir/cups @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: cups,v 1.2 2012/11/02 21:50:29 christos Exp $ +# $File: cups,v 1.3 2014/05/28 19:50:41 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli # http://www.cups.org/documentation.php/spec-raster.html # -0 name cups-be +0 name cups-le >280 lelong x \b, %d >284 lelong x \bx%d dpi >376 lelong x \b, %dx @@ -44,7 +44,7 @@ >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian !:mime application/vnd.cups-raster ->0 use ^cups-be +>0 use ^cups-le # Cups Raster image format, Little Endian @@ -53,4 +53,4 @@ >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian !:mime application/vnd.cups-raster ->0 use \^cups-be +>0 use cups-le diff --git a/magic/Magdir/database b/magic/Magdir/database index 39e11c3..b00252b 100644 --- a/magic/Magdir/database +++ b/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.32 2013/02/06 14:18:52 christos Exp $ +# $File: database,v 1.43 2014/10/28 15:47:39 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -9,9 +9,17 @@ # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # -0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian +0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit !:mime application/x-gdbm -0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian +0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old +!:mime application/x-gdbm +0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit +!:mime application/x-gdbm +0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit +!:mime application/x-gdbm +0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old +!:mime application/x-gdbm +0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit !:mime application/x-gdbm 0 string GDBM GNU dbm 2.x database !:mime application/x-gdbm @@ -84,8 +92,32 @@ # # # Round Robin Database Tool by Tobias Oetiker -0 string RRD RRDTool DB ->4 string x version %s +0 string/b RRD\0 RRDTool DB +>4 string/b x version %s + +>>10 short !0 16bit aligned +>>>10 bedouble 8.642135e+130 big-endian +>>>>18 short x 32bit long (m68k) + +>>10 short 0 +>>>12 long !0 32bit aligned +>>>>12 bedouble 8.642135e+130 big-endian +>>>>>20 long 0 64bit long +>>>>>20 long !0 32bit long +>>>>12 ledouble 8.642135e+130 little-endian +>>>>>24 long 0 64bit long +>>>>>24 long !0 32bit long (i386) +>>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian +>>>>>24 short !0 32bit long (arm) + +>>8 quad 0 64bit aligned +>>>16 bedouble 8.642135e+130 big-endian +>>>>24 long 0 64bit long (s390x) +>>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC) +>>>16 ledouble 8.642135e+130 little-endian +>>>>28 long 0 64bit long (alpha/amd64/ia64) +>>>>28 long !0 32bit long (armel/mipsel) + #---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # @@ -114,91 +146,308 @@ #>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files -#0 byte 0x02 -#>8 leshort >0 -#>>12 leshort 0 FoxBase -#!:mime application/x-dbf -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x03 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FoxBase+, FoxPro, dBaseIII+, dBaseIV, no memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x04 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBASE IV no memo file -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x05 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBASE V no memo file -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x30 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 Visual FoxPro -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) +# updated by Joerg Jenderek at Feb 2013 +# http://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm +# http://www.clicketyclick.dk/databases/xbase/format/dbf.html +# http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm +# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 +0 ubelong&0x0000FFFF <0x00000C20 +# skip Infocom game Z-machine +>2 ubyte >0 +# skip Androids *.xml +>>3 ubyte >0 +>>>3 ubyte <32 +# 1 < version VV +>>>>0 ubyte >1 +# skip HELP.CA3 by test for reserved byte ( NULL ) +>>>>>27 ubyte 0 +# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) +#>>>>>30 ubeshort x 30NULL?%x +# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>24 ubelong&0xffFFFFff >0x01302000 +# .DBF or .MDX +>>>>>>24 ubelong&0xffFFFFff <0x01302001 +# for Xbase Database file (*.DBF) reserved (NULL) for multi-user +>>>>>>>24 ubelong&0xffFFFFff =0 +# test for 2 reserved NULL bytes,transaction and encryption byte flag +>>>>>>>>12 ubelong&0xFFFFfEfE 0 +# test for MDX flag +>>>>>>>>>28 ubyte x +>>>>>>>>>28 ubyte&0xf8 0 +# header size >= 32 +>>>>>>>>>>8 uleshort >31 +# skip PIC15736.PCX by test for language driver name or field name +>>>>>>>>>>>32 ubyte >0 +#!:mime application/x-dbf; charset=unknown-8bit ?? +#!:mime application/x-dbase +>>>>>>>>>>>>0 use xbase-type +# database file +>>>>>>>>>>>>0 ubyte x \b DBF +>>>>>>>>>>>>4 lelong 0 \b, no records +>>>>>>>>>>>>4 lelong >0 \b, %d record +# plural s appended +>>>>>>>>>>>>>4 lelong >1 \bs +# http://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF +# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000) +>>>>>>>>>>>>10 uleshort x * %d +# file size = records * record size + header size +>>>>>>>>>>>>1 ubyte x \b, update-date +>>>>>>>>>>>>1 use xbase-date +# http://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx +#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=0x%x +# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? +>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=0x%x +#>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file +>>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX +>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT +>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer +# 1st record offset + 1 = header size +>>>>>>>>>>>>8 uleshort >0 +>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d +>>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>>&-1 string >\0 1st record "%s" +# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) +>>>>>>>24 ubelong&0x0133f7ff >0 +# test for reserved NULL byte +>>>>>>>>47 ubyte 0 +# test for valid TAG key format (0x10 or 0) +>>>>>>>>>559 ubyte&0xeF 0 +# test MM <= 12 +>>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>>46 ubyte >0 +#!:mime application/x-mdx +>>>>>>>>>>>>>>0 use xbase-type +>>>>>>>>>>>>>>0 ubyte x \b MDX +>>>>>>>>>>>>>>1 ubyte x \b, creation-date +>>>>>>>>>>>>>>1 use xbase-date +>>>>>>>>>>>>>>44 ubyte x \b, update-date +>>>>>>>>>>>>>>44 use xbase-date +# No.of tags in use (1,2,5,12) +>>>>>>>>>>>>>>28 uleshort x \b, %d +# No. of entries in tag (0x30) +>>>>>>>>>>>>>>25 ubyte x \b/%d tags +# Length of tag +>>>>>>>>>>>>>>26 ubyte x * %d +# 1st tag name_ +>>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" +# 2nd tag name +#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # -#0 byte 0x43 +# Print the xBase names of different version variants +0 name xbase-type +>0 ubyte <2 +# 1 < version +>0 ubyte >1 +>>0 ubyte 0x02 FoxBase +# FoxBase+/dBaseIII+, no memo +>>0 ubyte 0x03 FoxBase+/dBase III +!:mime application/x-dbf +# dBASE IV no memo file +>>0 ubyte 0x04 dBase IV +!:mime application/x-dbf +# dBASE V no memo file +>>0 ubyte 0x05 dBase V +!:mime application/x-dbf +>>0 ubyte 0x30 Visual FoxPro +!:mime application/x-dbf +>>0 ubyte 0x31 Visual FoxPro, autoincrement +!:mime application/x-dbf +# Visual FoxPro, with field type Varchar or Varbinary +>>0 ubyte 0x32 Visual FoxPro, with field type Varchar +!:mime application/x-dbf +# dBASE IV SQL, no memo;dbv memo var size (Flagship) +>>0 ubyte 0x43 dBase IV, with SQL table +!:mime application/x-dbf +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0x62 dBase IV, with SQL table #!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FlagShip with memo var size -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x7b +# dBASE IV, with memo!! +>>0 ubyte 0x7b dBase IV, with memo +!:mime application/x-dbf +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0x82 dBase IV, with SQL system #!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBASEIV with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x83 -#!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FoxBase+, dBaseIII+ with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x8b +# FoxBase+/dBaseIII+ with memo .DBT! +>>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT +!:mime application/x-dbf +# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file +>>0 ubyte 0x87 VISUAL OBJECTS, with memo file +!:mime application/x-dbf +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT #!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBaseIV with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0x8e +# dBASE IV with memo! +>>0 ubyte 0x8B dBase IV, with memo .DBT +!:mime application/x-dbf +# dBase IV with SQL Table,no memo? +>>0 ubyte 0x8E dBase IV, with SQL table +!:mime application/x-dbf +# .dbv and .dbt memo (Flagship)? +>>0 ubyte 0xB3 Flagship +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0xCA dBase IV with memo .DBT #!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 dBaseIV with SQL Table -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0xb3 +# dBASE IV with SQL table, with memo .DBT +>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT +!:mime application/x-dbf +# HiPer-Six format;Clipper SIX, with SMT memo file +>>0 ubyte 0xE5 Clipper SIX with memo +!:mime application/x-dbf +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0xF4 dBase IV, with SQL table, with memo #!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FlagShip with .dbt memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 byte 0xf5 +>>0 ubyte 0xF5 FoxPro with memo +!:mime application/x-dbf +# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +#>>0 ubyte 0xFA FoxPro 2.x, with memo #!:mime application/x-dbf -#>8 leshort >0 -#>>12 leshort 0 FoxPro with memo -#>>>0x04 lelong 0 (no records) -#>>>0x04 lelong >0 (%ld records) -# -#0 leshort 0x0006 DBase 3 index file +# unknown version (should not happen) +>>0 default x xBase +!:mime application/x-dbf +>>>0 ubyte x (0x%x) +# flags in version byte +# DBT flag (with dBASE III memo .DBT)!! +# >>0 ubyte&0x80 >0 DBT_FLAG=%x +# memo flag ?? +# >>0 ubyte&0x08 >0 MEMO_FLAG=%x +# SQL flag ?? +# >>0 ubyte&0x70 >0 SQL_FLAG=%x +# test and print the date of xBase .DBF .MDX +0 name xbase-date +# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 +>0 ubelong x +>1 ubyte <13 +>>1 ubyte >0 +>>>2 ubyte >0 +>>>>2 ubyte <32 +>>>>>0 ubyte x +# YY is interpreted as 20YY or 19YY +>>>>>>0 ubyte <100 \b %.2d +# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY +>>>>>>0 ubyte >99 \b %d +>>>>>1 ubyte x \b-%d +>>>>>2 ubyte x \b-%d + +# dBase memo files .DBT or .FPT +# http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx +16 ubyte <4 +>16 ubyte !2 +>>16 ubyte !1 +# next free block index is positive +>>>0 ulelong >0 +# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size +>>>>17 ubelong&0xFFfdFE00 0x00000000 +# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h +>>>>>20 ubelong&0xFF01209B 0x00000000 +# dBASE III +>>>>>>16 ubyte 3 +# dBASE III DBT +>>>>>>>0 use dbase3-memo-print +# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage +>>>>>>16 ubyte 0 +# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF +>>>>>>>20 uleshort 0 +# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage +>>>>>>>>8 ulong =0 +>>>>>>>>>6 ubeshort >0 +# skip emacs.PIF +>>>>>>>>>>4 ushort 0 +>>>>>>>>>>>0 use foxpro-memo-print +# dBASE III DBT , garbage +>>>>>>>>>6 ubeshort 0 +# skip MM*DD*.bin by test for for reserved NULL byte +>>>>>>>>>>510 ubeshort 0 +# skip TK-DOS11.img image by looking for memo text +>>>>>>>>>>>512 ubelong <0xfeffff03 +# skip EFI executables by looking for memo text +>>>>>>>>>>>>512 ubelong >0x1F202020 +>>>>>>>>>>>>>513 ubyte >0 +# unusual dBASE III DBT like adressen.dbt +>>>>>>>>>>>>>>0 use dbase3-memo-print +# dBASE III DBT like angest.dbt, or garbage PCX DBF +>>>>>>>>8 ubelong !0 +# skip PCX and some DBF by test for for reserved NULL bytes +>>>>>>>>>510 ubeshort 0 +# skip some DBF by test of invalid version +>>>>>>>>>>0 ubyte >5 +>>>>>>>>>>>0 ubyte <48 +>>>>>>>>>>>>0 use dbase3-memo-print +# dBASE IV DBT with positive block size +>>>>>>>20 uleshort >0 +>>>>>>>>0 use dbase4-memo-print + +# Print the information of dBase III DBT memo file +0 name dbase3-memo-print +>0 ubyte x dBase III DBT +# instead 3 as version number 0 for unusual examples like biblio.dbt +>16 ubyte !3 \b, version number %u +# Number of next available block for appending data +#>0 lelong =0 \b, next free block index %u +>0 lelong !0 \b, next free block index %u +# no positiv block length +#>20 uleshort =0 \b, block length %u +>20 uleshort !0 \b, block length %u +# dBase III memo field terminated by \032\032 +>512 string >\0 \b, 1st item "%s" +# Print the information of dBase IV DBT memo file +0 name dbase4-memo-print +>0 lelong x dBase IV DBT +# 8 character shorted main name of coresponding dBASE IV DBF file +>8 ubelong >0x20000000 +# skip unusual like for angest.dbt +>>20 uleshort >0 +>>>8 string >\0 \b of %-.8s.DBF +# value 0 implies 512 as size +#>4 ulelong =0 \b, blocks size %u +# size of blocks not reliable like 0x2020204C in angest.dbt +>4 ulelong !0 +>>4 ulelong&0x0000003f 0 \b, blocks size %u +# dBase IV DBT with positive block length (found 512 , 1024) +>20 uleshort >0 \b, block length %u +# next available block +#>0 lelong =0 \b, next free block index %u +>0 lelong !0 \b, next free block index %u +>20 uleshort >0 +>>(20.s) ubelong x +>>>&-4 use dbase4-memofield-print +# unusual dBase IV DBT without block length (implies 512 as length) +>20 uleshort =0 +>>512 ubelong x +>>>&-4 use dbase4-memofield-print +# Print the information of dBase IV memo field +0 name dbase4-memofield-print +# free dBase IV memo field +>0 ubelong !0xFFFF0800 +>>0 lelong x \b, next free block %u +>>4 lelong x \b, next used block %u +# used dBase IV memo field +>0 ubelong =0xFFFF0800 +# length of memo field +>>4 lelong x \b, field length %d +>>>8 string >\0 \b, 1st used item "%s" +# Print the information of FoxPro FPT memo file +0 name foxpro-memo-print +>0 belong x FoxPro FPT +# Size of blocks for FoxPro ( 64,256 ) +>6 ubeshort x \b, blocks size %u +# next available block +#>0 belong =0 \b, next free block index %u +>0 belong !0 \b, next free block index %u +# field type ( 0~picture, 1~memo, 2~object ) +>512 ubelong <3 \b, field type %u +# length of memo field +>512 ubelong 1 +>>516 belong >0 \b, field length %d +>>>520 string >\0 \b, 1st item "%s" + +# TODO: +# DBASE index file *.NDX +# DBASE Compound Index file *.CDX +# dBASE IV Printer Driver *.PRF +## End of XBase database stuff # MS Access database 4 string Standard\ Jet\ DB Microsoft Access Database diff --git a/magic/Magdir/dolby b/magic/Magdir/dolby index 8c61d62..573398f 100644 --- a/magic/Magdir/dolby +++ b/magic/Magdir/dolby @@ -1,61 +1,69 @@ #------------------------------------------------------------------------------ -# $File: dolby,v 1.6 2012/10/31 13:39:42 christos Exp $ +# $File: dolby,v 1.7 2014/01/08 22:37:23 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! # # syncword -0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, +0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, +# Proposed audio/ac3 RFC/4184 !:mime audio/vnd.dolby.dd-raw # fscod ->4 byte&0xc0 0x00 48 kHz, ->4 byte&0xc0 0x40 44.1 kHz, ->4 byte&0xc0 0x80 32 kHz, +>4 byte&0xc0 = 0x00 48 kHz, +>4 byte&0xc0 = 0x40 44.1 kHz, +>4 byte&0xc0 = 0x80 32 kHz, # is this one used for 96 kHz? ->4 byte&0xc0 0xc0 reserved frequency, +>4 byte&0xc0 = 0xc0 reserved frequency, # ->5 byte&7 = 0 \b, complete main (CM) ->5 byte&7 = 1 \b, music and effects (ME) ->5 byte&7 = 2 \b, visually impaired (VI) ->5 byte&7 = 3 \b, hearing impaired (HI) ->5 byte&7 = 4 \b, dialogue (D) ->5 byte&7 = 5 \b, commentary (C) ->5 byte&7 = 6 \b, emergency (E) +>5 byte&0x07 = 0x00 \b, complete main (CM) +>5 byte&0x07 = 0x01 \b, music and effects (ME) +>5 byte&0x07 = 0x02 \b, visually impaired (VI) +>5 byte&0x07 = 0x03 \b, hearing impaired (HI) +>5 byte&0x07 = 0x04 \b, dialogue (D) +>5 byte&0x07 = 0x05 \b, commentary (C) +>5 byte&0x07 = 0x06 \b, emergency (E) +>5 beshort&0x07e0 0x0720 \b, voiceover (VO) +>5 beshort&0x07e0 >0x0720 \b, karaoke # acmod ->6 byte&0xe0 0x00 1+1 front, ->6 byte&0xe0 0x20 1 front/0 rear, ->6 byte&0xe0 0x40 2 front/0 rear, ->6 byte&0xe0 0x60 3 front/0 rear, ->6 byte&0xe0 0x80 2 front/1 rear, ->6 byte&0xe0 0xa0 3 front/1 rear, ->6 byte&0xe0 0xc0 2 front/2 rear, ->6 byte&0xe0 0xe0 3 front/2 rear, -# lfeon (these may be incorrect) ->7 byte&0x40 0x00 LFE off, ->7 byte&0x40 0x40 LFE on, +>6 byte&0xe0 = 0x00 1+1 front, +>>6 byte&0x10 = 0x10 LFE on, +>6 byte&0xe0 = 0x20 1 front/0 rear, +>>6 byte&0x10 = 0x10 LFE on, +>6 byte&0xe0 = 0x40 2 front/0 rear, +# dsurmod (for stereo only) +>>6 byte&0x18 = 0x00 Dolby Surround not indicated +>>6 byte&0x18 = 0x08 not Dolby Surround encoded +>>6 byte&0x18 = 0x10 Dolby Surround encoded +>>6 byte&0x18 = 0x18 reserved Dolby Surround mode +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0x60 3 front/0 rear, +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0x80 2 front/1 rear, +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0xa0 3 front/1 rear, +>>6 byte&0x01 = 0x01 LFE on, +>6 byte&0xe0 = 0xc0 2 front/2 rear, +>>6 byte&0x04 = 0x04 LFE on, +>6 byte&0xe0 = 0xe0 3 front/2 rear, +>>6 byte&0x01 = 0x01 LFE on, # >4 byte&0x3e = 0x00 \b, 32 kbit/s ->4 byte&0x3e = 0x02 \b, 40 kbit/s ->4 byte&0x3e = 0x04 \b, 48 kbit/s ->4 byte&0x3e = 0x06 \b, 56 kbit/s ->4 byte&0x3e = 0x08 \b, 64 kbit/s ->4 byte&0x3e = 0x0a \b, 80 kbit/s ->4 byte&0x3e = 0x0c \b, 96 kbit/s ->4 byte&0x3e = 0x0e \b, 112 kbit/s ->4 byte&0x3e = 0x10 \b, 128 kbit/s ->4 byte&0x3e = 0x12 \b, 160 kbit/s ->4 byte&0x3e = 0x14 \b, 192 kbit/s ->4 byte&0x3e = 0x16 \b, 224 kbit/s ->4 byte&0x3e = 0x18 \b, 256 kbit/s ->4 byte&0x3e = 0x1a \b, 320 kbit/s ->4 byte&0x3e = 0x1c \b, 384 kbit/s ->4 byte&0x3e = 0x1e \b, 448 kbit/s ->4 byte&0x3e = 0x20 \b, 512 kbit/s ->4 byte&0x3e = 0x22 \b, 576 kbit/s ->4 byte&0x3e = 0x24 \b, 640 kbit/s -# dsurmod (these may be incorrect) ->6 beshort&0x0180 0x0000 Dolby Surround not indicated ->6 beshort&0x0180 0x0080 not Dolby Surround encoded ->6 beshort&0x0180 0x0100 Dolby Surround encoded ->6 beshort&0x0180 0x0180 reserved Dolby Surround mode +>4 byte&0x3e = 0x02 \b, 40 kbit/s +>4 byte&0x3e = 0x04 \b, 48 kbit/s +>4 byte&0x3e = 0x06 \b, 56 kbit/s +>4 byte&0x3e = 0x08 \b, 64 kbit/s +>4 byte&0x3e = 0x0a \b, 80 kbit/s +>4 byte&0x3e = 0x0c \b, 96 kbit/s +>4 byte&0x3e = 0x0e \b, 112 kbit/s +>4 byte&0x3e = 0x10 \b, 128 kbit/s +>4 byte&0x3e = 0x12 \b, 160 kbit/s +>4 byte&0x3e = 0x14 \b, 192 kbit/s +>4 byte&0x3e = 0x16 \b, 224 kbit/s +>4 byte&0x3e = 0x18 \b, 256 kbit/s +>4 byte&0x3e = 0x1a \b, 320 kbit/s +>4 byte&0x3e = 0x1c \b, 384 kbit/s +>4 byte&0x3e = 0x1e \b, 448 kbit/s +>4 byte&0x3e = 0x20 \b, 512 kbit/s +>4 byte&0x3e = 0x22 \b, 576 kbit/s +>4 byte&0x3e = 0x24 \b, 640 kbit/s diff --git a/magic/Magdir/dump b/magic/Magdir/dump index b4a7240..1a20ace 100644 --- a/magic/Magdir/dump +++ b/magic/Magdir/dump @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dump,v 1.12 2012/11/01 04:26:40 christos Exp $ +# $File: dump,v 1.13 2014/04/30 21:41:02 christos Exp $ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. @@ -8,7 +8,7 @@ 0 name new-dump-be >4 bedate x Previous dump %s, >8 bedate x This dump %s, ->12 belong >0 Volume %ld, +>12 belong >0 Volume %d, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, @@ -27,7 +27,7 @@ 0 name old-dump-be #>4 bedate x Previous dump %s, #>8 bedate x This dump %s, ->12 belong >0 Volume %ld, +>12 belong >0 Volume %d, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, @@ -46,7 +46,7 @@ 0 name ufs2-dump-be >896 beqdate x Previous dump %s, >904 beqdate x This dump %s, ->12 belong >0 Volume %ld, +>12 belong >0 Volume %d, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, @@ -84,7 +84,7 @@ 18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), >2 medate x Previous dump %s, >6 medate x This dump %s, ->10 leshort >0 Volume %ld, +>10 leshort >0 Volume %d, >0 leshort 1 tape header. >0 leshort 2 beginning of file record. >0 leshort 3 map of inodes on tape. diff --git a/magic/Magdir/dyadic b/magic/Magdir/dyadic index c1a2c3c..18f18bc 100644 --- a/magic/Magdir/dyadic +++ b/magic/Magdir/dyadic @@ -1,46 +1,56 @@ #------------------------------------------------------------------------------ -# $File: dyadic,v 1.5 2010/09/20 18:55:20 rrt Exp $ +# $File: dyadic,v 1.6 2014/06/01 19:14:42 christos Exp $ # Dyadic: file(1) magic for Dyalog APL. # -0 byte 0xaa ->1 byte <4 Dyalog APL ->>1 byte 0x00 incomplete workspace ->>1 byte 0x01 component file ->>1 byte 0x02 external variable ->>1 byte 0x03 workspace ->>2 byte x version %d ->>3 byte x .%d - -0 beshort 0xaa03 Dyalog APL ->2 byte x workspace type %d ->3 byte x subtype %d ->7 byte&0x28 0x00 32-bit ->7 byte&0x28 0x20 64-bit ->7 byte&0x0c 0x00 classic ->7 byte&0x0c 0x04 unicode ->7 byte&0x88 0x00 big-endian ->7 byte&0x88 0x80 little-endian - -0 byte 0xaa Dyalog APL ->1 byte 0x00 aplcore ->1 byte 0x01 component file 32-bit non-journaled non-checksummed ->1 byte 0x02 external variable exclusive ->1 byte 0x06 external variable shared ->1 byte 0x07 session ->1 byte 0x08 mapped file 32-bit ->1 byte 0x09 component file 64-bit non-journaled non-checksummed ->1 byte 0x0a mapped file 64-bit ->1 byte 0x0b component file 32-bit level 1 journaled non-checksummed ->1 byte 0x0c component file 64-bit level 1 journaled non-checksummed ->1 byte 0x0d component file 32-bit level 1 journaled checksummed ->1 byte 0x0e component file 64-bit level 1 journaled checksummed ->1 byte 0x0f component file 32-bit level 2 journaled checksummed ->1 byte 0x10 component file 64-bit level 2 journaled checksummed ->1 byte 0x11 component file 32-bit level 3 journaled checksummed ->1 byte 0x12 component file 64-bit level 3 journaled checksummed ->1 byte 0x13 component file 32-bit non-journaled checksummed ->1 byte 0x14 component file 64-bit non-journaled checksummed ->1 byte 0x80 DDB +# updated by Joerg Jenderek at Oct 2013 +# http://en.wikipedia.org/wiki/Dyalog_APL +# http://www.dyalog.com/ +# .DXV Dyalog APL External Variable +# .DIN Dyalog APL Input Table +# .DOT Dyalog APL Output Table +# .DFT Dyalog APL Format File +0 ubeshort&0xFF60 0xaa00 +# skip biblio.dbt +>1 byte !4 +# real Dyalog APL have non zero version numbers like 7.3 or 13.4 +>>2 ubeshort >0x0000 Dyalog APL +>>>1 byte 0x00 aplcore +#>>>1 byte 0x00 incomplete workspace +# *.DCF Dyalog APL Component File +>>>1 byte 0x01 component file 32-bit non-journaled non-checksummed +#>>>1 byte 0x01 component file +>>>1 byte 0x02 external variable exclusive +#>>>1 byte 0x02 external variable +# *.DWS Dyalog APL Workspace +>>>1 byte 0x03 workspace +>>>>7 byte&0x28 0x00 32-bit +>>>>7 byte&0x28 0x20 64-bit +>>>>7 byte&0x0c 0x00 classic +>>>>7 byte&0x0c 0x04 unicode +>>>>7 byte&0x88 0x00 big-endian +>>>>7 byte&0x88 0x80 little-endian +>>>1 byte 0x06 external variable shared +# *.DSE Dyalog APL Session , *.DLF Dyalog APL Session Log File +>>>1 byte 0x07 session +>>>1 byte 0x08 mapped file 32-bit +>>>1 byte 0x09 component file 64-bit non-journaled non-checksummed +>>>1 byte 0x0a mapped file 64-bit +>>>1 byte 0x0b component file 32-bit level 1 journaled non-checksummed +>>>1 byte 0x0c component file 64-bit level 1 journaled non-checksummed +>>>1 byte 0x0d component file 32-bit level 1 journaled checksummed +>>>1 byte 0x0e component file 64-bit level 1 journaled checksummed +>>>1 byte 0x0f component file 32-bit level 2 journaled checksummed +>>>1 byte 0x10 component file 64-bit level 2 journaled checksummed +>>>1 byte 0x11 component file 32-bit level 3 journaled checksummed +>>>1 byte 0x12 component file 64-bit level 3 journaled checksummed +>>>1 byte 0x13 component file 32-bit non-journaled checksummed +>>>1 byte 0x14 component file 64-bit non-journaled checksummed +>>>1 byte 0x80 DDB +>>>2 byte x version %d +>>>3 byte x \b.%d +#>>>2 byte x type %d +#>>>3 byte x subtype %d +# *.DXF Dyalog APL Transfer File 0 short 0x6060 Dyalog APL transfer diff --git a/magic/Magdir/efi b/magic/Magdir/efi index 7335c5c..7760100 100644 --- a/magic/Magdir/efi +++ b/magic/Magdir/efi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: efi,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File: efi,v 1.5 2014/04/30 21:41:02 christos Exp $ # efi: file(1) magic for Universal EFI binaries 0 lelong 0x0ef1fab9 @@ -12,4 +12,4 @@ >>&0 lelong 0x01000007 \b, x86_64 >>&20 lelong 7 \b, i386 >>&20 lelong 0x01000007 \b, x86_64 ->4 lelong >2 Universal EFI binary with %ld architectures +>4 lelong >2 Universal EFI binary with %d architectures diff --git a/magic/Magdir/elf b/magic/Magdir/elf index f80f6d9..04ee37e 100644 --- a/magic/Magdir/elf +++ b/magic/Magdir/elf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: elf,v 1.58 2012/11/06 20:43:52 christos Exp $ +# $File: elf,v 1.68 2014/09/19 19:05:57 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -17,7 +17,6 @@ 0 name elf-le >16 leshort 0 no file type, -!:strength *2 !:mime application/octet-stream >16 leshort 1 relocatable, !:mime application/x-object @@ -31,16 +30,17 @@ #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), >16 leshort &0xff00 processor-specific, +>18 clear x >18 leshort 0 no machine, ->18 leshort 1 AT&T WE32100 ->18 leshort 2 SPARC +>18 leshort 1 AT&T WE32100, +>18 leshort 2 SPARC, >18 leshort 3 Intel 80386, ->18 leshort 4 Motorola +>18 leshort 4 Motorola m68k, >>4 byte 1 ->>>36 lelong &0x01000000 68000 - invalid byte order, ->>>36 lelong &0x00810000 CPU32 - invalid byte order, ->>>36 lelong 0 68020 - invalid byte order, ->18 leshort 5 Motorola 88000 - invalid byte order, +>>>36 lelong &0x01000000 68000, +>>>36 lelong &0x00810000 CPU32, +>>>36 lelong 0 68020, +>18 leshort 5 Motorola m88k, >18 leshort 6 Intel 80486, >18 leshort 7 Intel 80860, # The official e_machine number for MIPS is now #8, regardless of endianness. @@ -75,10 +75,10 @@ >>>48 lelong&0xf0000000 0x60000000 MIPS64 >>>48 lelong&0xf0000000 0x70000000 MIPS32 rel2 >>>48 lelong&0xf0000000 0x80000000 MIPS64 rel2 ->18 leshort 9 Amdahl - invalid byte order, +>18 leshort 9 Amdahl, >18 leshort 10 MIPS (deprecated), ->18 leshort 11 RS6000 - invalid byte order, ->18 leshort 15 PA-RISC - invalid byte order, +>18 leshort 11 RS6000, +>18 leshort 15 PA-RISC, # only for 32-bit >>4 byte 1 >>>38 leshort 0x0214 2.0 @@ -96,6 +96,7 @@ >>>36 lelong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, >>>36 lelong&0xffff00 0x000400 HaL R1 Extensions Required, >>>36 lelong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, +>18 leshort 19 Intel 80960, >18 leshort 20 PowerPC or cisco 4500, >18 leshort 21 64-bit PowerPC or cisco 7500, >18 leshort 22 IBM S/390, @@ -110,8 +111,9 @@ >>4 byte 1 >>>36 lelong&0xff000000 0x04000000 EABI4 >>>36 lelong&0xff000000 0x05000000 EABI5 +>>>36 lelong &0x00800000 BE8 +>>>36 lelong &0x00400000 LE8 >18 leshort 41 Alpha, ->18 leshort 0xa390 IBM S/390 (obsolete), >18 leshort 42 Renesas SH, >18 leshort 43 SPARC V9, >>4 byte 2 @@ -141,6 +143,8 @@ >18 leshort 61 Tinyj emb., >18 leshort 62 x86-64, >18 leshort 63 Sony DSP, +>18 leshort 64 DEC PDP-10, +>18 leshort 65 DEC PDP-11, >18 leshort 66 FX66, >18 leshort 67 ST9+ 8/16 bit, >18 leshort 68 ST7 8 bit, @@ -170,28 +174,132 @@ >18 leshort 92 OpenRISC, >18 leshort 93 ARC Cores Tangent-A5, >18 leshort 94 Tensilica Xtensa, +>18 leshort 95 Alphamosaic VideoCore, +>18 leshort 96 Thompson Multimedia, >18 leshort 97 NatSemi 32k, +>18 leshort 98 Tenor Network TPC, +>18 leshort 99 Trebia SNP 1000, +>18 leshort 100 STMicroelectronics ST200, +>18 leshort 101 Ubicom IP2022, +>18 leshort 102 MAX Processor, +>18 leshort 103 NatSemi CompactRISC, +>18 leshort 104 Fujitsu F2MC16, +>18 leshort 105 TI msp430, >18 leshort 106 Analog Devices Blackfin, +>18 leshort 107 S1C33 Family of Seiko Epson, +>18 leshort 108 Sharp embedded, +>18 leshort 109 Arca RISC, +>18 leshort 110 PKU-Unity Ltd., +>18 leshort 111 eXcess: 16/32/64-bit, +>18 leshort 112 Icera Deep Execution Processor, >18 leshort 113 Altera Nios II, +>18 leshort 114 NatSemi CRX, +>18 leshort 115 Motorola XGATE, +>18 leshort 116 Infineon C16x/XC16x, +>18 leshort 117 Renesas M16C series, +>18 leshort 118 Microchip dsPIC30F, +>18 leshort 119 Freescale RISC core, +>18 leshort 120 Renesas M32C series, +>18 leshort 131 Altium TSK3000 core, +>18 leshort 132 Freescale RS08, +>18 leshort 134 Cyan Technology eCOG2, +>18 leshort 135 Sunplus S+core7 RISC, +>18 leshort 136 New Japan Radio (NJR) 24-bit DSP, +>18 leshort 137 Broadcom VideoCore III, +>18 leshort 138 LatticeMico32, +>18 leshort 139 Seiko Epson C17 family, +>18 leshort 140 TI TMS320C6000 DSP family, +>18 leshort 141 TI TMS320C2000 DSP family, +>18 leshort 142 TI TMS320C55x DSP family, +>18 leshort 160 STMicroelectronics 64bit VLIW DSP, +>18 leshort 161 Cypress M8C, +>18 leshort 162 Renesas R32C series, +>18 leshort 163 NXP TriMedia family, +>18 leshort 164 QUALCOMM DSP6, +>18 leshort 165 Intel 8051 and variants, +>18 leshort 166 STMicroelectronics STxP7x family, +>18 leshort 167 Andes embedded RISC, +>18 leshort 168 Cyan eCOG1X family, +>18 leshort 169 Dallas MAXQ30, +>18 leshort 170 New Japan Radio (NJR) 16-bit DSP, +>18 leshort 171 M2000 Reconfigurable RISC, +>18 leshort 172 Cray NV2 vector architecture, +>18 leshort 173 Renesas RX family, >18 leshort 174 META, +>18 leshort 175 MCST Elbrus, +>18 leshort 176 Cyan Technology eCOG16 family, +>18 leshort 177 NatSemi CompactRISC, +>18 leshort 178 Freescale Extended Time Processing Unit, +>18 leshort 179 Infineon SLE9X, +>18 leshort 180 Intel L1OM, +>18 leshort 181 Intel K1OM, >18 leshort 183 ARM aarch64, +>18 leshort 185 Atmel 32-bit family, +>18 leshort 186 STMicroeletronics STM8 8-bit, >18 leshort 187 Tilera TILE64, >18 leshort 188 Tilera TILEPro, +>18 leshort 189 Xilinx MicroBlaze 32-bit RISC, +>18 leshort 190 NVIDIA CUDA architecture, >18 leshort 191 Tilera TILE-Gx, +>18 leshort 197 Renesas RL78 family, +>18 leshort 199 Renesas 78K0R, +>18 leshort 200 Freescale 56800EX, +>18 leshort 201 Beyond BA1, +>18 leshort 202 Beyond BA2, +>18 leshort 203 XMOS xCORE, +>18 leshort 204 Microchip 8-bit PIC(r), +>18 leshort 210 KM211 KM32, +>18 leshort 211 KM211 KMX32, +>18 leshort 212 KM211 KMX16, +>18 leshort 213 KM211 KMX8, +>18 leshort 214 KM211 KVARC, +>18 leshort 215 Paneve CDP, +>18 leshort 216 Cognitive Smart Memory, +>18 leshort 217 iCelero CoolEngine, +>18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 243 UCB RISC-V, +>18 leshort 0x1057 AVR (unofficial), +>18 leshort 0x1059 MSP430 (unofficial), +>18 leshort 0x1223 Adapteva Epiphany (unofficial), +>18 leshort 0x2530 Morpho MT (unofficial), +>18 leshort 0x3330 FR30 (unofficial), >18 leshort 0x3426 OpenRISC (obsolete), +>18 leshort 0x4688 Infineon C166 (unofficial), +>18 leshort 0x5441 Cygnus FRV (unofficial), +>18 leshort 0x5aa5 DLX (unofficial), +>18 leshort 0x7650 Cygnus D10V (unofficial), +>18 leshort 0x7676 Cygnus D30V (unofficial), +>18 leshort 0x8217 Ubicom IP2xxx (unofficial), >18 leshort 0x8472 OpenRISC (obsolete), +>18 leshort 0x9025 Cygnus PowerPC (unofficial), >18 leshort 0x9026 Alpha (unofficial), +>18 leshort 0x9041 Cygnus M32R (unofficial), +>18 leshort 0x9080 Cygnus V850 (unofficial), +>18 leshort 0xa390 IBM S/390 (obsolete), +>18 leshort 0xabc7 Old Xtensa (unofficial), +>18 leshort 0xad45 xstormy16 (unofficial), +>18 leshort 0xbaab Old MicroBlaze (unofficial),, +>18 leshort 0xbeef Cygnus MN10300 (unofficial), +>18 leshort 0xdead Cygnus MN10200 (unofficial), +>18 leshort 0xf00d Toshiba MeP (unofficial), +>18 leshort 0xfeb0 Renesas M32C (unofficial), +>18 leshort 0xfeba Vitesse IQ2000 (unofficial), +>18 leshort 0xfebb NIOS (unofficial), +>18 leshort 0xfeed Moxie (unofficial), +>18 default x +>>18 leshort x *unknown arch 0x%x* >20 lelong 0 invalid version >20 lelong 1 version 1 0 string \177ELF ELF +!:strength *2 >4 byte 0 invalid class >4 byte 1 32-bit >4 byte 2 64-bit >5 byte 0 invalid byte order ->5 byte 1 LSB +>5 byte 1 LSB >>0 use elf-le ->5 byte 2 MSB +>5 byte 2 MSB >>0 use \^elf-le # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # like proper ELF, but extracting the string had bad results. diff --git a/magic/Magdir/encore b/magic/Magdir/encore index ef82eed..287b388 100644 --- a/magic/Magdir/encore +++ b/magic/Magdir/encore @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: encore,v 1.6 2009/09/19 16:28:09 christos Exp $ +# $File: encore,v 1.7 2014/04/30 21:41:02 christos Exp $ # encore: file(1) magic for Encore machines # # XXX - needs to have the byte order specified (NS32K was little-endian, @@ -12,11 +12,11 @@ >20 short 0x10b demand-paged executable >20 short 0x10f unsupported executable >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d >22 short 0 - #>4 date x stamp %s 0 short 0x155 Encore unsupported executable >12 long >0 not stripped ->22 short >0 - version %ld +>22 short >0 - version %d >22 short 0 - #>4 date x stamp %s diff --git a/magic/Magdir/epoc b/magic/Magdir/epoc index 8b11a2e..6f4ab5f 100644 --- a/magic/Magdir/epoc +++ b/magic/Magdir/epoc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: epoc,v 1.8 2012/06/16 14:43:36 christos Exp $ +# $File: epoc,v 1.9 2013/12/21 14:28:15 christos Exp $ # EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] # Stefan Praszalowicz and Peter Breitenlohner # Useful information for improving this file can be found at: @@ -30,8 +30,8 @@ >4 lelong 0x10000074 OPL application !:mime application/x-epoc-app >4 lelong 0x1000008A exported multi-bitmap image ->4 lelong 0x1000016D ->>8 lelong 0x10000088 Comms names +>4 lelong 0x1000016D +>>8 lelong 0x10000087 Comms names 0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index 2a85454..939a092 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,8 +1,189 @@ - #------------------------------------------------------------------------------ -# $File: filesystems,v 1.76 2013/02/18 18:45:41 christos Exp $ +# $File: filesystems,v 1.108 2015/01/01 17:43:47 christos Exp $ # filesystems: file(1) magic for different filesystems # +0 name partid +>0 ubyte 0x00 Unused +>0 ubyte 0x01 12-bit FAT +>0 ubyte 0x02 XENIX / +>0 ubyte 0x03 XENIX /usr +>0 ubyte 0x04 16-bit FAT, less than 32M +>0 ubyte 0x05 extended partition +>0 ubyte 0x06 16-bit FAT, more than 32M +>0 ubyte 0x07 OS/2 HPFS, NTFS, QNX2, Adv. UNIX +>0 ubyte 0x08 AIX or os, or etc. +>0 ubyte 0x09 AIX boot partition or Coherent +>0 ubyte 0x0a O/2 boot manager or Coherent swap +>0 ubyte 0x0b 32-bit FAT +>0 ubyte 0x0c 32-bit FAT, LBA-mapped +>0 ubyte 0x0d 7XXX, LBA-mapped +>0 ubyte 0x0e 16-bit FAT, LBA-mapped +>0 ubyte 0x0f extended partition, LBA-mapped +>0 ubyte 0x10 OPUS +>0 ubyte 0x11 OS/2 DOS 12-bit FAT +>0 ubyte 0x12 Compaq diagnostics +>0 ubyte 0x14 OS/2 DOS 16-bit FAT <32M +>0 ubyte 0x16 OS/2 DOS 16-bit FAT >=32M +>0 ubyte 0x17 OS/2 hidden IFS +>0 ubyte 0x18 AST Windows swapfile +>0 ubyte 0x19 Willowtech Photon coS +>0 ubyte 0x1b hidden win95 fat 32 +>0 ubyte 0x1c hidden win95 fat 32 lba +>0 ubyte 0x1d hidden win95 fat 16 lba +>0 ubyte 0x20 Willowsoft OFS1 +>0 ubyte 0x21 reserved +>0 ubyte 0x23 reserved +>0 ubyte 0x24 NEC DOS +>0 ubyte 0x26 reserved +>0 ubyte 0x31 reserved +>0 ubyte 0x32 Alien Internet Services NOS +>0 ubyte 0x33 reserved +>0 ubyte 0x34 reserved +>0 ubyte 0x35 JFS on OS2 +>0 ubyte 0x36 reserved +>0 ubyte 0x38 Theos +>0 ubyte 0x39 Plan 9, or Theos spanned +>0 ubyte 0x3a Theos ver 4 4gb partition +>0 ubyte 0x3b Theos ve 4 extended partition +>0 ubyte 0x3c PartitionMagic recovery +>0 ubyte 0x3d Hidden Netware +>0 ubyte 0x40 VENIX 286 or LynxOS +>0 ubyte 0x41 PReP +>0 ubyte 0x42 linux swap sharing DRDOS disk +>0 ubyte 0x43 linux sharing DRDOS disk +>0 ubyte 0x44 GoBack change utility +>0 ubyte 0x45 Boot US Boot manager +>0 ubyte 0x46 EUMEL/Elan or Ergos 3 +>0 ubyte 0x47 EUMEL/Elan or Ergos 3 +>0 ubyte 0x48 EUMEL/Elan or Ergos 3 +>0 ubyte 0x4a ALFX/THIN filesystem for DOS +>0 ubyte 0x4c Oberon partition +>0 ubyte 0x4d QNX4.x +>0 ubyte 0x4e QNX4.x 2nd part +>0 ubyte 0x4f QNX4.x 3rd part +>0 ubyte 0x50 DM (disk manager) +>0 ubyte 0x51 DM6 Aux1 (or Novell) +>0 ubyte 0x52 CP/M or Microport SysV/AT +>0 ubyte 0x53 DM6 Aux3 +>0 ubyte 0x54 DM6 DDO +>0 ubyte 0x55 EZ-Drive (disk manager) +>0 ubyte 0x56 Golden Bow (disk manager) +>0 ubyte 0x57 Drive PRO +>0 ubyte 0x5c Priam Edisk (disk manager) +>0 ubyte 0x61 SpeedStor +>0 ubyte 0x63 GNU HURD or Mach or Sys V/386 +>0 ubyte 0x64 Novell Netware 2.xx or Speedstore +>0 ubyte 0x65 Novell Netware 3.xx +>0 ubyte 0x66 Novell 386 Netware +>0 ubyte 0x67 Novell +>0 ubyte 0x68 Novell +>0 ubyte 0x69 Novell +>0 ubyte 0x70 DiskSecure Multi-Boot +>0 ubyte 0x71 reserved +>0 ubyte 0x73 reserved +>0 ubyte 0x74 reserved +>0 ubyte 0x75 PC/IX +>0 ubyte 0x76 reserved +>0 ubyte 0x77 M2FS/M2CS partition +>0 ubyte 0x78 XOSL boot loader filesystem +>0 ubyte 0x80 MINIX until 1.4a +>0 ubyte 0x81 MINIX since 1.4b +>0 ubyte 0x82 Linux swap or Solaris +>0 ubyte 0x83 Linux native +>0 ubyte 0x84 OS/2 hidden C: drive +>0 ubyte 0x85 Linux extended partition +>0 ubyte 0x86 NT FAT volume set +>0 ubyte 0x87 NTFS volume set or HPFS mirrored +>0 ubyte 0x8a Linux Kernel AiR-BOOT partition +>0 ubyte 0x8b Legacy Fault tolerant FAT32 +>0 ubyte 0x8c Legacy Fault tolerant FAT32 ext +>0 ubyte 0x8d Hidden free FDISK FAT12 +>0 ubyte 0x8e Linux Logical Volume Manager +>0 ubyte 0x90 Hidden free FDISK FAT16 +>0 ubyte 0x91 Hidden free FDISK DOS EXT +>0 ubyte 0x92 Hidden free FDISK FAT16 Big +>0 ubyte 0x93 Amoeba filesystem +>0 ubyte 0x94 Amoeba bad block table +>0 ubyte 0x95 MIT EXOPC native partitions +>0 ubyte 0x97 Hidden free FDISK FAT32 +>0 ubyte 0x98 Datalight ROM-DOS Super-Boot +>0 ubyte 0x99 Mylex EISA SCSI +>0 ubyte 0x9a Hidden free FDISK FAT16 LBA +>0 ubyte 0x9b Hidden free FDISK EXT LBA +>0 ubyte 0x9f BSDI? +>0 ubyte 0xa0 IBM Thinkpad hibernation +>0 ubyte 0xa1 HP Volume expansion (SpeedStor) +>0 ubyte 0xa3 HP Volume expansion (SpeedStor) +>0 ubyte 0xa4 HP Volume expansion (SpeedStor) +>0 ubyte 0xa5 386BSD partition type +>0 ubyte 0xa6 OpenBSD partition type +>0 ubyte 0xa7 NeXTSTEP 486 +>0 ubyte 0xa8 Apple UFS +>0 ubyte 0xa9 NetBSD partition type +>0 ubyte 0xaa Olivetty Fat12 1.44MB Service part +>0 ubyte 0xab Apple Boot +>0 ubyte 0xae SHAG OS filesystem +>0 ubyte 0xaf Apple HFS +>0 ubyte 0xb0 BootStar Dummy +>0 ubyte 0xb1 reserved +>0 ubyte 0xb3 reserved +>0 ubyte 0xb4 reserved +>0 ubyte 0xb6 reserved +>0 ubyte 0xb7 BSDI BSD/386 filesystem +>0 ubyte 0xb8 BSDI BSD/386 swap +>0 ubyte 0xbb Boot Wizard Hidden +>0 ubyte 0xbe Solaris 8 partition type +>0 ubyte 0xbf Solaris partition type +>0 ubyte 0xc0 CTOS +>0 ubyte 0xc1 DRDOS/sec (FAT-12) +>0 ubyte 0xc2 Hidden Linux +>0 ubyte 0xc3 Hidden Linux swap +>0 ubyte 0xc4 DRDOS/sec (FAT-16, < 32M) +>0 ubyte 0xc5 DRDOS/sec (EXT) +>0 ubyte 0xc6 DRDOS/sec (FAT-16, >= 32M) +>0 ubyte 0xc7 Syrinx (Cyrnix?) or HPFS disabled +>0 ubyte 0xc8 Reserved for DR-DOS 8.0+ +>0 ubyte 0xc9 Reserved for DR-DOS 8.0+ +>0 ubyte 0xca Reserved for DR-DOS 8.0+ +>0 ubyte 0xcb DR-DOS 7.04+ Secured FAT32 CHS +>0 ubyte 0xcc DR-DOS 7.04+ Secured FAT32 LBA +>0 ubyte 0xcd CTOS Memdump +>0 ubyte 0xce DR-DOS 7.04+ FAT16X LBA +>0 ubyte 0xcf DR-DOS 7.04+ EXT LBA +>0 ubyte 0xd0 REAL/32 secure big partition +>0 ubyte 0xd1 Old Multiuser DOS FAT12 +>0 ubyte 0xd4 Old Multiuser DOS FAT16 Small +>0 ubyte 0xd5 Old Multiuser DOS Extended +>0 ubyte 0xd6 Old Multiuser DOS FAT16 Big +>0 ubyte 0xd8 CP/M 86 +>0 ubyte 0xdb CP/M or Concurrent CP/M +>0 ubyte 0xdd Hidden CTOS Memdump +>0 ubyte 0xde Dell PowerEdge Server utilities +>0 ubyte 0xdf DG/UX virtual disk manager +>0 ubyte 0xe0 STMicroelectronics ST AVFS +>0 ubyte 0xe1 DOS access or SpeedStor 12-bit +>0 ubyte 0xe3 DOS R/O or Storage Dimensions +>0 ubyte 0xe4 SpeedStor 16-bit FAT < 1024 cyl. +>0 ubyte 0xe5 reserved +>0 ubyte 0xe6 reserved +>0 ubyte 0xeb BeOS +>0 ubyte 0xee GPT Protective MBR +>0 ubyte 0xef EFI system partition +>0 ubyte 0xf0 Linux PA-RISC boot loader +>0 ubyte 0xf1 SpeedStor or Storage Dimensions +>0 ubyte 0xf2 DOS 3.3+ Secondary +>0 ubyte 0xf3 reserved +>0 ubyte 0xf4 SpeedStor large partition +>0 ubyte 0xf5 Prologue multi-volumen partition +>0 ubyte 0xf6 reserved +>0 ubyte 0xf9 pCache: ext2/ext3 persistent cache +>0 ubyte 0xfa Bochs x86 emulator +>0 ubyte 0xfb VMware File System +>0 ubyte 0xfc VMware Swap +>0 ubyte 0xfd Linux RAID partition persistent sb +>0 ubyte 0xfe LANstep or IBM PS/2 IML +>0 ubyte 0xff Xenix Bad Block Table + 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: @@ -23,8 +204,8 @@ >>0752 short >0 %d alt cyls, >>0754 short >0 %d heads/partition, >>0756 short >0 %d sectors/track, ->>0764 long >0 start cyl %ld, ->>0770 long x %ld blocks +>>0764 long >0 start cyl %d, +>>0770 long x %d blocks # Is there a boot block written 1 sector in? >512 belong&077777777 0600407 \b, boot block present @@ -57,22 +238,36 @@ >>>>15 ulelong >0 \b, %d cylinders >>>>128 indirect x \b; contains -# x86 boot sector updated by Joerg Jenderek at Sep 2007,May 2011 +# added by Joerg Jenderek at Nov 2012 +# http://www.thenakedpc.com/articles/v04/08/0408-05.html +# Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data +0 string PNCIHISK\0 Norton Utilities disc image data +# real x86 boot sector with jump instruction +>509 search/1026 \x55\xAA\xeb +>>&-1 indirect x \b; contains +# http://file-extension.net/seeker/file_extension_dat +0 string PNCIUNDO Norton Disk Doctor UnDo file +# + +# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 # for any allowed sector sizes 30 search/481 \x55\xAA -# to display x86 boot sector (40) before old one (strength=50), SYSLINUX MBR (?) and DOS BPB information (71) like in previous file version -!:strength +30 +# to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) +# DOS BPB information (70) and after DOS floppy (120) like in previous file version +!:strength +65 # for sector sizes < 512 Bytes >11 uleshort <512 ->>(11.s-2) uleshort 0xAA55 x86 boot sector +>>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector # for sector sizes with 512 or more Bytes ->0x1FE leshort 0xAA55 x86 boot sector -# keep old x86 boot sector as dummy for mbr and bootloader displaying +>0x1FE leshort 0xAA55 DOS/MBR boot sector + +# keep old DOS/MBR boot sector as dummy for mbr and bootloader displaying # only for sector sizes with 512 or more Bytes -0x1FE leshort 0xAA55 -# to display information (51) before DOS BPB (strength=71) and after DOS floppy (120) like in old file version -!:strength +21 ->2 string OSBS \b, OS/BS MBR +0x1FE leshort 0xAA55 DOS/MBR boot sector +# +# to display information (50) before DOS BPB (strength=70) and after DOS floppy (120) like in old file version +!:strength +65 +>2 string OSBS OS/BS MBR # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ # and http://en.wikipedia.org/wiki/Master_Boot_Record # test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by @@ -125,8 +320,8 @@ # assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbebe07b104 9M # "Invalid partition table" nn=0x10F for english version -# "Ungültige Partitionstabelle" nn=0x10F for german version -# "Table de partition erronée" nn=0x10F for french version +# "Ung\201ltige Partitionstabelle" nn=0x10F for german version +# "Table de partition erron\202e" nn=0x10F for french version # "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x10F for russian version >>>>(0x3C.b+0x0FF) string Invalid\ partition\ table english >>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german @@ -136,13 +331,13 @@ >>>>(0x3C.b+0x0FF) string >\0 "%s" # "Error loading operating system" nn=0x127 for english version # "Fehler beim Laden des Betriebssystems" nn=0x12b for german version -# "Erreur lors du chargement du système d'exploitation" nn=0x12a for french version +# "Erreur lors du chargement du syst\212me d'exploitation" nn=0x12a for french version # "\216\350\250\241\252\240 \257\340\250 \247\240\243\340\343\247\252\245 \256\257\245\340\240\346\250\256\255\255\256\251 \341\250\341\342\245\254\353" nn=0x12d for russian version >>>>0xBD ubyte x at offset 0x1%x >>>>(0xBD.b+0x100) string >\0 "%s" # "Missing operating system" nn=0x146 for english version # "Betriebssystem fehlt" nn=0x151 for german version -# "Système d'exploitation manquant" nn=0x15e for french version +# "Syst\212me d'exploitation manquant" nn=0x15e for french version # "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x156 for russian version >>>>0xA9 ubyte x at offset 0x1%x >>>>(0xA9.b+0x100) string >\0 "%s" @@ -153,7 +348,7 @@ >>>>0x1B4 ubelong&0x00FFFFFF 0x002c4463 english >>>>0x1B4 ubelong&0x00FFFFFF 0x002c486e german # "Invalid partition table" xx=0x12C for english version -# "Ungültige Partitionstabelle" xx=0x12C for german version +# "Ung\201ltige Partitionstabelle" xx=0x12C for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x144 for english version @@ -174,7 +369,7 @@ >>>>0x1B4 ubelong&0x00FFFFFF 0x00627a99 english #>>>>0x1B4 ubelong&0x00FFFFFF ? german # "Invalid partition table" xx=0x162 for english version -# "Ungültige Partitionstabelle" xx=0x1?? for german version +# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x17a for english version @@ -192,7 +387,7 @@ >>>>0x1B4 ubelong&0x00FFFFFF 0x00637b9a english #>>>>0x1B4 ubelong&0x00FFFFFF ? german # "Invalid partition table" xx=0x163 for english version -# "Ungültige Partitionstabelle" xx=0x1?? for german version +# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version >>>>0x1b5 ubyte >0 at offset 0x1%x >>>>(0x1b5.b+0x100) string >\0 "%s" # "Error loading operating system" yy=0x17b for english version @@ -325,7 +520,7 @@ >>>>>379 string GRUB\ \0 \b, GRUB version 0.95 or 0.96 >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 -#unkown version +# unknown version >>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 @@ -335,76 +530,50 @@ # http://www.bcdwb.de/bcdw/index_e.htm >3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) -# mbr partition table entries -# OEM-ID does not contain MicroSoft,NEWLDR,DOS,SYSLINUX,or MTOOLs ->3 string !MS ->>3 string !SYSLINUX ->>>3 string !MTOOL ->>>>3 string !NEWLDR ->>>>>5 string !DOS -# not FAT (32 bit) ->>>>>>82 string !FAT32 -#not Linux kernel ->>>>>>>514 string !HdrS -#not BeOS ->>>>>>>>422 string !Be\ Boot\ Loader -# active flag 0 or 0x80 and type > 0 ->>>>>>>>>446 ubyte <0x81 ->>>>>>>>>>446 ubyte&0x7F 0 ->>>>>>>>>>>450 ubyte >0 \b; partition 1: ID=0x%x ->>>>>>>>>>>>446 ubyte 0x80 \b, active ->>>>>>>>>>>>447 ubyte x \b, starthead %u -#>>>>>>>>>>>>448 ubyte x \b, start C_S: 0x%x -#>>>>>>>>>>>>448 ubeshort&1023 x \b, startcylinder? %d ->>>>>>>>>>>>454 ulelong x \b, startsector %u ->>>>>>>>>>>>458 ulelong x \b, %u sectors -# ->>>>>>>>>462 ubyte <0x81 ->>>>>>>>>>462 ubyte&0x7F 0 ->>>>>>>>>>>466 ubyte >0 \b; partition 2: ID=0x%x ->>>>>>>>>>>>462 ubyte 0x80 \b, active ->>>>>>>>>>>>463 ubyte x \b, starthead %u -#>>>>>>>>>>>>464 ubyte x \b, start C_S: 0x%x -#>>>>>>>>>>>>464 ubeshort&1023 x \b, startcylinder? %d ->>>>>>>>>>>>470 ulelong x \b, startsector %u ->>>>>>>>>>>>474 ulelong x \b, %u sectors -# ->>>>>>>>>478 ubyte <0x81 ->>>>>>>>>>478 ubyte&0x7F 0 ->>>>>>>>>>>482 ubyte >0 \b; partition 3: ID=0x%x ->>>>>>>>>>>>478 ubyte 0x80 \b, active ->>>>>>>>>>>>479 ubyte x \b, starthead %u -#>>>>>>>>>>>>480 ubyte x \b, start C_S: 0x%x -#>>>>>>>>>>>>481 ubyte x \b, start C2S: 0x%x -#>>>>>>>>>>>>480 ubeshort&1023 x \b, startcylinder? %d ->>>>>>>>>>>>486 ulelong x \b, startsector %u ->>>>>>>>>>>>490 ulelong x \b, %u sectors -# ->>>>>>>>>494 ubyte <0x81 ->>>>>>>>>>494 ubyte&0x7F 0 ->>>>>>>>>>>498 ubyte >0 \b; partition 4: ID=0x%x ->>>>>>>>>>>>494 ubyte 0x80 \b, active ->>>>>>>>>>>>495 ubyte x \b, starthead %u -#>>>>>>>>>>>>496 ubyte x \b, start C_S: 0x%x -#>>>>>>>>>>>>496 ubeshort&1023 x \b, startcylinder? %d ->>>>>>>>>>>>502 ulelong x \b, startsector %u ->>>>>>>>>>>>506 ulelong x \b, %u sectors +# mbr partition table entries updated by Joerg Jenderek at Sep 2013 +# skip Norton Utilities disc image data +>3 string !IHISK +# skip Linux style boot sector starting with assember instructions mov 0x7c0,ax; +>>0 belong !0xb8c0078e +# not Linux kernel +>>>514 string !HdrS +# not BeOS +>>>>422 string !Be\ Boot\ Loader +>>>>>32769 string CD001 +>>>>>>0 use cdrom +# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr +>>>>>0 ubelong&0xFD000000 =0xE9000000 +# AdvanceMAME mbr +>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e +>>>>>>>446 use partition-table +# mbr, Norton Utilities disc image data, or 2nd,etc. sector of x86 bootloader +>>>>>0 ubelong&0xFD000000 !0xE9000000 +# skip FSInfosector +>>>>>>0 string !RRaA +# skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, +# http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm +>>>>>>>0 ubequad !0xfa660fb64610668b +# skip 13rd sector of MS x86 bootloader +>>>>>>>>0 ubequad !0x660fb64610668b4e +# skip sector starting with DOS new line +>>>>>>>>>0 string !\r\n +# allowed active flag 0,80h-FFh +>>>>>>>>>>446 ubyte 0 +>>>>>>>>>>>446 use partition-table +>>>>>>>>>>446 ubyte >0x7F +>>>>>>>>>>>446 use partition-table +# TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries # mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 >442 string Non-system\ disk,\ >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader -# updated by Joerg Jenderek at Nov 2012 +# updated by Joerg Jenderek at Nov 2012, Sep 2013 # DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes ->>>477 ubyte&0xDF >0 ->>>>477 string x \b %-.3s ->>>>>480 ubyte&0xDF >0 ->>>>>>480 string x \b%-.4s ->>>>>>>484 ubyte&0xDF >0 ->>>>>>>>484 string x \b%-.1s ->>>>485 ubyte&0xDF >0 ->>>>>485 string x \b.%-.3s +# display 1 space +>>>447 ubyte x \b +>>>477 use DOS-filename # >185 string FDBOOT\ Version\ >>204 string \rNo\ Systemdisk.\ @@ -844,85 +1013,25 @@ # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader ->>>>>499 string x \b %-.1s ->>>>>>500 ubyte&0xDF >0 ->>>>>>>500 string x \b%-.1s ->>>>>>>>501 ubyte&0xDF >0 ->>>>>>>>>501 string x \b%-.1s ->>>>>>>>>>502 ubyte&0xDF >0 ->>>>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>>>503 ubyte&0xDF >0 ->>>>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>>>504 ubyte&0xDF >0 ->>>>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>>>>>>>>>>>505 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>505 string x \b%-.1s ->>>>>>>>>>>>>>>>>>506 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>>>506 string x \b%-.1s -#name extension ->>>>>507 ubyte&0xDF >0 \b. ->>>>>>507 string x \b%-.1s ->>>>>>>508 ubyte&0xDF >0 ->>>>>>>>508 string x \b%-.1s ->>>>>>>>>509 ubyte&0xDF >0 ->>>>>>>>>>509 string x \b%-.1s +>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader +>>>>>499 use DOS-filename #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. #If the boot sector fails to find needed program in the root directory, #it also hangs with another message ("NF"). >>>>>492 string RENF \b, FAT (12 bit) >>>>>495 string RENF \b, FAT (16 bit) -# http://alexfru.chat.ru/epm.html#bootprog ->494 ubyte >0x4D ->>495 string >E ->>>495 string >>>3 string BootProg -# It just looks for a program file name at the root directory -# and loads corresponding file with following execution. -# DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader ->>>>>499 string x \b %-.1s ->>>>>>500 ubyte&0xDF >0 ->>>>>>>500 string x \b%-.1s ->>>>>>>>501 ubyte&0xDF >0 ->>>>>>>>>501 string x \b%-.1s ->>>>>>>>>>502 ubyte&0xDF >0 ->>>>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>>>503 ubyte&0xDF >0 ->>>>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>>>504 ubyte&0xDF >0 ->>>>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>>>>>>>>>>>505 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>505 string x \b%-.1s ->>>>>>>>>>>>>>>>>>506 ubyte&0xDF >0 ->>>>>>>>>>>>>>>>>>>506 string x \b%-.1s -#name extension ->>>>>507 ubyte&0xDF >0 \b. ->>>>>>507 string x \b%-.1s ->>>>>>>508 ubyte&0xDF >0 ->>>>>>>>508 string x \b%-.1s ->>>>>>>>>509 ubyte&0xDF >0 ->>>>>>>>>>509 string x \b%-.1s #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. -#If the boot sector fails to find needed program in the root directory, -#it also hangs with another message ("NF"). ->>>>>492 string RENF \b, FAT (12 bit) ->>>>>495 string RENF \b, FAT (16 bit) # x86 bootloader end -# added by Joerg Jenderek at Nov 2012 -# http://www.thenakedpc.com/articles/v04/08/0408-05.html -# Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data -0 string PNCIHISK\0 Norton Utilities disc image data -# real x86 boot sector with jump instruction ->509 search/1026 \x55\xAA\xeb ->>&-1 indirect x \b; contains -# http://file-extension.net/seeker/file_extension_dat -0 string PNCIUNDO Norton Disk Doctor UnDo file -# +# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO +# and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector +>0 string RRaA +>>0x1E4 string rrAa \b, FSInfosector +#>>0x1FC uleshort =0 SHOULD BE ZERO +>>>0x1E8 ulelong <0xffffffff \b, %u free clusters +>>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u # updated by Joerg Jenderek at Sep 2007 >3 ubyte 0 @@ -937,11 +1046,98 @@ >>>>>>466 ubyte <0x10 >>>>>>>466 ubyte 0x05 \b, extended partition table >>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) ->>>>>>>466 ubyte 0x0 \b, extended partition table (last) +>>>>>>>466 ubyte 0x0 \b, extended partition table (last) -# DOS x86 sector separated and moved from "x86 boot sector" by Joerg Jenderek at May 2011 +# DOS x86 sector separated and moved from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 >0x200 lelong 0x82564557 \b, BSD disklabel + +# by Joerg Jenderek at Apr 2013 +# Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension +# like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS +0 name DOS-filename +# space=0x20 (00100000b) means empty +>0 ubyte&0xDF >0 +>>0 ubyte x \b%c +>>>1 ubyte&0xDF >0 +>>>>1 ubyte x \b%c +>>>>>2 ubyte&0xDF >0 +>>>>>>2 ubyte x \b%c +>>>>>>>3 ubyte&0xDF >0 +>>>>>>>>3 ubyte x \b%c +>>>>>>>>>4 ubyte&0xDF >0 +>>>>>>>>>>4 ubyte x \b%c +>>>>>>>>>>>5 ubyte&0xDF >0 +>>>>>>>>>>>>5 ubyte x \b%c +>>>>>>>>>>>>>6 ubyte&0xDF >0 +>>>>>>>>>>>>>>6 ubyte x \b%c +>>>>>>>>>>>>>>>7 ubyte&0xDF >0 +>>>>>>>>>>>>>>>>7 ubyte x \b%c +# DOS filename extension +>>8 ubyte&0xDF >0 \b. +>>>8 ubyte x \b%c +>>>>9 ubyte&0xDF >0 +>>>>>9 ubyte x \b%c +>>>>>>10 ubyte&0xDF >0 +>>>>>>>10 ubyte x \b%c +# Print 2 following DOS filenames from directory entry form +# like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com +0 name 2xDOS-filename +# display 1 space +>0 ubyte x \b +>0 use DOS-filename +>11 ubyte x \b+ +>11 use DOS-filename + +# http://en.wikipedia.org/wiki/Master_boot_record#PTE +# display standard partition table +0 name partition-table +#>0 ubyte x PARTITION-TABLE +# test and display 1st til 4th partition table entry +>0 use partition-entry-test +>16 use partition-entry-test +>32 use partition-entry-test +>48 use partition-entry-test +# test for entry of partition table +0 name partition-entry-test +# partition type ID > 0 +>4 ubyte >0 +# active flag 0 +>>0 ubyte 0 +>>>0 use partition-entry +# active flag 0x80, 0x81, ... +>>0 ubyte >0x7F +>>>0 use partition-entry +# Print entry of partition table +0 name partition-entry +# partition type ID > 0 +>4 ubyte >0 \b; partition +>>64 leshort 0xAA55 1 +>>48 leshort 0xAA55 2 +>>32 leshort 0xAA55 3 +>>16 leshort 0xAA55 4 +>>4 ubyte x : ID=0x%x +>>0 ubyte&0x80 0x80 \b, active +>>0 ubyte >0x80 0x%x +>>1 ubyte x \b, start-CHS ( +>>1 use partition-chs +>>5 ubyte x \b), end-CHS ( +>>5 use partition-chs +>>8 ulelong x \b), startsector %u +>>12 ulelong x \b, %u sectors +# Print cylinder,head,sector (CHS) of partition entry +0 name partition-chs +# cylinder +>1 ubyte x \b0x +>1 ubyte&0xC0 0x40 \b1 +>1 ubyte&0xC0 0x80 \b2 +>1 ubyte&0xC0 0xC0 \b3 +>2 ubyte x \b%x +# head +>0 ubyte x \b,%u +# sector +>1 ubyte&0x3F x \b,%u + # FATX 0 string FATX FATX filesystem data @@ -978,7 +1174,7 @@ >12 string x (older version %-4.4s) 0 string \r\nSYSLINUX\ SYSLINUX loader >11 string x (version %-4.4s) -# syslinux updated and separated from "x86 boot sector" by Joerg Jenderek at Sep 2012 +# syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" 0 ulelong&0x80909bEB 0x009018EB # OEM-ID not always "SYSLINUX" @@ -988,9 +1184,11 @@ >>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) >459 search/30 Boot\ error\r\n\0 >>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) -# SYSLINUX MBR updated and separated from "x86 boot sector" by Joerg Jenderek at Sep 2012 +# SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: mov di,0600h;mov cx,0100h 16 search/4 \xbf\x00\x06\xb9\x00\x01 +# to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21) +!:strength +36 >94 search/249 Missing\ operating\ system # followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other # skip Ranish MBR @@ -1041,6 +1239,7 @@ >>>>>181 search/166 Error\ \0 # "a: disk" , "Fn: diskn" or "NetBSD MBR boot" >>>>>>&3 string x \b,"%s" +>>>446 use partition-table # Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html # added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 # assembler instructions: jmp short 0x58;nop;ASCII @@ -1073,7 +1272,7 @@ #>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x # for older versions >>>(0x1BC.s+9) ubyte <2 -#>>>>(0x1BC.s+12) ubyte 18 \b,%u/18 seconds +#>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x @@ -1116,7 +1315,7 @@ >>>>0x207 ubyte x \b.%u # module_size for 1.94 >>>>0x208 ulelong <0xffffff \b, installed partition %u -#>>>>0x208 ulelong =0xffffff \b, %u (default) +#>>>>0x208 ulelong =0xffffff \b, %lu (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial >>>>0x20C ulelong&0x2E300000 0x2E300000 @@ -1150,7 +1349,7 @@ >>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s -# DOS x86 sector updated and separated from "x86 boot sector" by Joerg Jenderek at May 2011 +# DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 # JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 # over BIOS parameter block (BPB) # http://thestarman.pcministry.com/asm/2bytejumps.htm#FWD @@ -1158,18 +1357,19 @@ # minimal short forward jump found 0x29 for bootloaders or 0x0 # maximal short forward jump is 0x7f # OEM-ID is empty or contain readable bytes -0 ulelong&0x804000E9 0x000000E9 +0 ulelong&0x804000E9 0x000000E9 +!:strength +60 # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 ->11 uleshort&0xf001f 0 +>11 uleshort&0x001f 0 >>11 uleshort <32769 >>>11 uleshort >31 >>>>21 ubyte&0xf0 0xF0 ->>>>>0 ubyte 0xEB +>>>>>0 ubyte 0xEB DOS/MBR boot sector >>>>>>1 ubyte x \b, code offset 0x%x+2 >>>>>0 ubyte 0xE9 ->>>>>>1 uleshort x \b, code offset 0x%x+2 +>>>>>>1 uleshort x \b, code offset 0x%x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC >>>>>>8 string IHC \b cached by Windows 9M @@ -1178,10 +1378,11 @@ >>>>>11 uleshort <512 \b, Bytes/sector %u >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) ->>>>>82 string FAT32 +# for lazy FAT32 implementation like Transcend digital photo frame PF830 +>>>>>82 string/c fat32 >>>>>>14 uleshort !32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) ->>>>>82 string !FAT32 +>>>>>82 string/c !fat32 >>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) #>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) @@ -1190,38 +1391,43 @@ >>>>>16 ubyte =1 \b, FAT %u >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u -#>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) +#>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) >>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) -#>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) +#>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) >>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x >>>>>22 uleshort >0 \b, sectors/FAT %u -#>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) +#>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32) >>>>>24 uleshort x \b, sectors/track %u >>>>>26 ubyte >2 \b, heads %u #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u # valid only for sector sizes with more then 32 Bytes >>>>>11 uleshort >32 -# skip for Digital Research DOS (version 3.41) 1440 kB Bootdisk ->>>>>>38 ubyte !0x70 +# http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block +# skip for values 2,2Ah,70h,73h,DFh +# and continue for extended boot signature values 0,28h,29h,80h +>>>>>>38 ubyte&0x56 =0 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) >>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 bit specific ->>>>>>>82 string !FAT32 +>>>>>>>82 string/c !fat32 #>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>>>36 ubyte !0x80 >>>>>>>>>36 ubyte !0 \b, physical drive 0x%x +# VGA-copy CRC or +# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>>>37 ubyte >0 \b, reserved 0x%x #>>>>>>>>37 ubyte =0 \b, reserved 0x%x -# value is 0x80 for NTFS +# extended boot signatur value is 0x80 for NTFS, 0x28 or 0x29 for others >>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) ->>>>>>>>38 ubyte =0x29 +>>>>>>>>38 ubyte&0xFE =0x28 >>>>>>>>>39 ulelong x \b, serial number 0x%x +>>>>>>>>38 ubyte =0x29 >>>>>>>>>43 string >>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" >>>>>>>>>43 string =NO\ NAME \b, unlabeled @@ -1231,15 +1437,39 @@ # if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, # otherwise FAT is 16 bit. # http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html ->>>>>>54 string FAT \b, FAT ->>>>>>>54 string FAT12 \b (12 bit) ->>>>>>>54 string FAT16 \b (16 bit) +>>>>>82 string/c !fat32 +>>>>>>54 string FAT12 \b, FAT (12 bit) +>>>>>>54 string FAT16 \b, FAT (16 bit) +>>>>>>54 default x +# determinate FAT bit size by media descriptor +# small floppies implies FAT12 +>>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) +# with media descriptor F0h floppy or maybe superfloppy with FAT16 +>>>>>>>21 ubyte =0xF0 +# superfloppy (many sectors) implies FAT16 +>>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) +# no superfloppy with media descriptor F0h implies FAT12 +>>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) +# with media descriptor F8h floppy or hard disc with FAT12 or FAT16 +>>>>>>>21 ubyte =0xF8 +# 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 +>>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) +# hard disc with FAT12 or FAT16 +>>>>>>>>19 default x \b, FAT (1Y bit by descriptor) +# with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc +>>>>>>>21 ubyte =0xFA +# 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 +>>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) +# RAM disc with FAT12 or FAT16 or Tandy hard disc +>>>>>>>>19 default x \b, FAT (1Y bit by descriptor) +# others are floppy +>>>>>>>21 default x \b, FAT (12 bit by descriptor) # FAT32 bit specific ->>>>>82 string FAT32 \b, FAT (32 bit) +>>>>>82 string/c fat32 \b, FAT (32 bit) >>>>>>36 ulelong x \b, sectors/FAT %u # http://technet.microsoft.com/en-us/library/cc977221.aspx >>>>>>40 uleshort >0 \b, extension flags 0x%x -#>>>>>>40 uleshort =0 \b, extension flags %u +#>>>>>>40 uleshort =0 \b, extension flags %hu >>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>42 uleshort =0 \b, fsVersion %u (usual) >>>>>>44 ulelong >2 \b, rootdir cluster %u @@ -1248,9 +1478,12 @@ >>>>>>48 uleshort >1 \b, infoSector %u #>>>>>>48 uleshort =1 \b, infoSector %u (usual) >>>>>>48 uleshort <1 \b, infoSector %u ->>>>>>50 uleshort >6 \b, Backup boot sector %u +# 0 or 0xFFFF instead of usual 6 means no backup sector +>>>>>>50 uleshort =0xFFFF \b, no Backup boot sector +>>>>>>50 uleshort =0 \b, no Backup boot sector #>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) ->>>>>>50 uleshort <6 \b, Backup boot sector %u +>>>>>>50 default x +>>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO >>>>>>52 ulelong >0 \b, reserved1 0x%x >>>>>>56 ulelong >0 \b, reserved2 0x%x @@ -1298,13 +1531,13 @@ # Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. >>>>>>>>>64 lelong <256 >>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d ->>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%hhi) +>>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) # Values 0 to 127 represent index block sizes of 0 to 127 clusters. # Values 128 to 255 represent index block sizes of 2^(256-N) byte >>>>>>>>>68 ulelong <256 >>>>>>>>>>68 ulelong <128 \b, clusters/index block %d #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) ->>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%hhi) +>>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx >>>>>>>>>80 ulelong >0 \b, checksum 0x%x #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) @@ -1352,7 +1585,7 @@ >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %ld, +>&-264 lelong x pending inodes to free %d, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization @@ -1372,7 +1605,7 @@ >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %ld, +>&-264 lelong x pending inodes to free %d, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization @@ -1412,7 +1645,7 @@ >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %ld, +>&-264 belong x pending inodes to free %d, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization @@ -1432,7 +1665,7 @@ >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %ld, +>&-264 belong x pending inodes to free %d, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization @@ -1542,25 +1775,33 @@ ############################################################################ # Minix-ST kernel floppy 0x800 belong 0x46fc2700 Atari-ST Minix kernel image ->19 string \240\5\371\5\0\011\0\2\0 \b, 720k floppy ->19 string \320\2\370\5\0\011\0\1\0 \b, 360k floppy +# http://en.wikipedia.org/wiki/BIOS_parameter_block +# floppies with valid BPB and any instruction at beginning +>19 string \240\005\371\005\0\011\0\2\0 \b, 720k floppy +>19 string \320\002\370\005\0\011\0\1\0 \b, 360k floppy ############################################################################ # Hmmm, is this a better way of detecting _standard_ floppy images ? -19 string \320\2\360\3\0\011\0\1\0 DOS floppy 360k ->0x1FE leshort 0xAA55 \b, x86 hard disk boot sector -19 string \240\5\371\3\0\011\0\2\0 DOS floppy 720k ->0x1FE leshort 0xAA55 \b, x86 hard disk boot sector +19 string \320\002\360\003\0\011\0\1\0 DOS floppy 360k +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector +19 string \240\005\371\003\0\011\0\2\0 DOS floppy 720k +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector 19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k ->0x1FE leshort 0xAA55 \b, x86 hard disk boot sector - -19 string \240\5\371\5\0\011\0\2\0 DOS floppy 720k, IBM ->0x1FE leshort 0xAA55 \b, x86 hard disk boot sector -19 string \100\013\371\5\0\011\0\2\0 DOS floppy 1440k, mkdosfs ->0x1FE leshort 0xAA55 \b, x86 hard disk boot sector - -19 string \320\2\370\5\0\011\0\1\0 Atari-ST floppy 360k -19 string \240\5\371\5\0\011\0\2\0 Atari-ST floppy 720k +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector + +19 string \240\005\371\005\0\011\0\2\0 DOS floppy 720k, IBM +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector +19 string \100\013\371\005\0\011\0\2\0 DOS floppy 1440k, mkdosfs +>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector + +19 string \320\002\370\005\0\011\0\1\0 Atari-ST floppy 360k +19 string \240\005\371\005\0\011\0\2\0 Atari-ST floppy 720k +# | | | | | +# | | | | heads +# | | | sectors/track +# | | sectors/FAT +# | media descriptor +# BPB: sectors # Valid media descriptor bytes for MS-DOS: # @@ -1603,12 +1844,85 @@ # 11111000 Hard disk any format # -# CDROM Filesystems -# Modified for UDF by gerardo.cacciari@gmail.com -32769 string CD001 # -!:mime application/x-iso9660-image +# all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 +# http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions +# Too Weak. +#512 ubelong&0xE0ffff00 0xE0ffff00 +# without valid Media descriptor in place of BPB, cases with are done at other places +#>21 ubyte <0xE5 floppy with old FAT filesystem +# but valid Media descriptor at begin of FAT +#>>512 ubyte =0xed 720k +#>>512 ubyte =0xf0 1440k +#>>512 ubyte =0xf8 720k +#>>512 ubyte =0xf9 1220k +#>>512 ubyte =0xfa 320k +#>>512 ubyte =0xfb 640k +#>>512 ubyte =0xfc 180k +# look like an an old DOS directory entry +#>>>0xA0E ubequad 0 +#>>>>0xA00 ubequad !0 +#!:mime application/x-ima +#>>512 ubyte =0xfd +# look for 2nd FAT at different location to distinguish between 360k and 500k +#>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k +#>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k +#>>>0xA0E ubequad 0 +#!:mime application/x-ima +#>>512 ubyte =0xfe +#>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k +#>>>>0x60E ubequad 0 +#>>>>>0x600 ubequad !0 +#!:mime application/x-ima +#>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k +#>>512 ubyte =0xff 320k +#>>>0x60E ubequad 0 +#>>>>0x600 ubequad !0 +#!:mime application/x-ima +#>>512 ubyte x \b, Media descriptor 0x%x +# without x86 jump instruction +#>>0 ulelong&0x804000E9 !0x000000E9 +# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV +#>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader +# IOSYS.COM+MSDOS.COM +#>>>>0xc4 use 2xDOS-filename +#>>0 ulelong&0x804000E9 =0x000000E9 +# only x86 short jump instruction found +#>>>0 ubyte =0xEB +#>>>>1 ubyte x \b, code offset 0x%x+2 +# http://thestarman.pcministry.com/DOS/ibm100/Boot.htm +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 +#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader +# ibmbio.com+ibmdos.com +#>>>>>0x176 use DOS-filename +#>>>>>0x181 ubyte x \b+ +#>>>>>0x182 use DOS-filename +# http://thestarman.pcministry.com/DOS/ibm110/Boot.htm +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV +#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader +# ibmbio.com+ibmdos.com +#>>>>>0x18b use DOS-filename +#>>>>>0x196 ubyte x \b+ +#>>>>>0x197 use DOS-filename +# http://en.wikipedia.org/wiki/Zenith_Data_Systems +# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 +#>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader +# IO.SYS+MSDOS.SYS +#>>>>>0x20 use 2xDOS-filename +# http://en.wikipedia.org/wiki/Corona_Data_Systems +# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; +#>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader +# IO.SYS+MSDOS.SYS +#>>>>>0x69 use 2xDOS-filename +# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; +#>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader +# defect IO.SYS+MSDOS.SYS ? +#>>>>>0x162 use 2xDOS-filename + +0 name cdrom >38913 string !NSR0 ISO 9660 CD-ROM filesystem data +!:mime application/x-iso9660-image >38913 string NSR0 UDF filesystem data +!:mime application/x-iso9660-image >>38917 string 1 (version 1.0) >>38917 string 2 (version 1.5) >>38917 string 3 (version 2.0) @@ -1619,31 +1933,43 @@ >34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) !:mime application/x-iso9660-image -32776 string CDROM High Sierra CD-ROM filesystem data +32777 string CDROM High Sierra CD-ROM filesystem data + +# CDROM Filesystems +# https://en.wikipedia.org/wiki/ISO_9660 +# Modified for UDF by gerardo.cacciari@gmail.com +32769 string CD001 +# mime line at that position does not work +# to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51) +!:strength -11 +# to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51) +# does not work +#!:strength +33 +>0 use cdrom # .cso files 0 string CISO Compressed ISO CD image # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian ->4 lelong x size %lu +>4 lelong x size %u >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support >32 lelong x CRC 0x%x, ->36 lelong x edition %lu, ->40 lelong x %lu blocks, ->44 lelong x %lu files +>36 lelong x edition %u, +>40 lelong x %u blocks, +>44 lelong x %u files 0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian ->4 belong x size %lu +>4 belong x size %u >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support >32 belong x CRC 0x%x, ->36 belong x edition %lu, ->40 belong x %lu blocks, ->44 belong x %lu files +>36 belong x edition %u, +>40 belong x %u blocks, +>44 belong x %u files # reiserfs - russell@coker.com.au 0x10034 string ReIsErFs ReiserFS V3.5 @@ -1803,6 +2129,7 @@ #---------------------------------------------------------- #delta ISO Daniel Novotny (dnovotny@redhat.com) 0 string DISO Delta ISO data +!:strength +50 >4 belong x version %d # VMS backup savesets - gerardo.cacciari@gmail.com @@ -1854,7 +2181,6 @@ # which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com # 1008 string DECFILE11 Files-11 On-Disk Structure ->525 byte x Level %d >525 byte x (ODS-%d); >1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system; >1017 string B @@ -1908,8 +2234,8 @@ >16 ulequad >0 \b fblock table at %lld, >24 ulequad >0 \b inode table at %lld, >32 ulequad >0 \b root at %lld, ->40 ulelong >0 \b fblock size = %ld, ->44 ulelong >0 \b block size = %ld, +>40 ulelong >0 \b fblock size = %d, +>44 ulelong >0 \b block size = %d, >48 ulequad >0 \b bytes = %lld # Type: xfs metadump image @@ -1977,3 +2303,43 @@ 0 beshort 0xAA5A floppy image data (IBM SaveDskF, compressed) 0 string \074CPM_Disk\076 disk image data (YAZE) + +# ReFS +# Richard W.M. Jones +0 string \0\0\0ReFS\0 ReFS filesystem image + +# EFW encase image file format: +# Gregoire Passault +# http://www.forensicswiki.org/wiki/Encase_image_file_format +0 string EVF\x09\x0d\x0a\xff\x00 EWF/Expert Witness/EnCase image file format + +# UBIfs +# Linux kernel sources: fs/ubifs/ubifs-media.h +0 lelong 0x06101831 +>0x16 leshort 0 UBIfs image +>0x08 lequad x \b, sequence number %llu +>0x10 leshort x \b, length %u +>0x04 lelong x \b, CRC 0x%08x + +0 lelong 0x23494255 +>0x04 leshort <2 +>0x05 string \0\0\0 +>0x1c string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>0x04 leshort x UBI image, version %u + +# NEC PC-88 2D disk image +# From Fabio R. Schmidlin +0x20 ulelong&0xFFFFFEFF 0x2A0 +>0x10 string \0\0\0\0\0\0\0\0\0\0 +>>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +>>>0x1A ubyte&0xEF 0 +>>>>0x1B ubyte&0x8F 0 +>>>>>0x1B ubyte&70 <0x40 +>>>>>>0x1C ulelong >0x21 +>>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s +>>>>>>>>0x1B ubyte 0 \b, media=2D +>>>>>>>>0x1B ubyte 0x10 \b, media=2DD +>>>>>>>>0x1B ubyte 0x20 \b, media=2HD +>>>>>>>>0x1B ubyte 0x30 \b, media=1D +>>>>>>>>0x1B ubyte 0x40 \b, media=1DD +>>>>>>>>0x1A ubyte 0x10 \b, write-protected diff --git a/magic/Magdir/flash b/magic/Magdir/flash index dea35ae..b06f879 100644 --- a/magic/Magdir/flash +++ b/magic/Magdir/flash @@ -1,20 +1,35 @@ #------------------------------------------------------------------------------ -# $File: flash,v 1.9 2009/11/08 01:30:01 christos Exp $ +# $File: flash,v 1.11 2014/05/02 00:26:49 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See # # http://www.macromedia.com/software/flash/open/ +# http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/\ +# en/devnet/swf/pdf/swf-file-format-spec.pdf page 27 # -0 string FWS Macromedia Flash data, ->3 byte x version %d + +0 name swf-details +>0 string F Macromedia Flash data +!:mime application/x-shockwave-flash +>0 string C Macromedia Flash data (compressed) !:mime application/x-shockwave-flash -0 string CWS Macromedia Flash data (compressed), +>0 string Z Macromedia Flash data (lzma compressed) !:mime application/x-shockwave-flash ->3 byte x version %d +>3 byte x \b, version %d + +1 string WS +>4 lelong !0 +>>3 byte 255 Suspicious +>>>0 use swf-details + +>>3 ubyte <32 +>>>3 ubyte !0 +>>>>0 use swf-details + # From: Cal Peake -0 string FLV Macromedia Flash Video +0 string FLV\x01 Macromedia Flash Video !:mime video/x-flv # diff --git a/magic/Magdir/fonts b/magic/Magdir/fonts index 88ca91c..4b3173c 100644 --- a/magic/Magdir/fonts +++ b/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.25 2013/02/06 14:18:52 christos Exp $ +# $File: fonts,v 1.27 2014/04/30 21:41:02 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -16,8 +16,15 @@ 0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text # X11 font files in SNF (Server Natural Format) format +# updated by Joerg Jenderek at Feb 2013 +# http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm 0 belong 00000004 X11 SNF font data, MSB first -0 lelong 00000004 X11 SNF font data, LSB first +#>104 belong 00000004 X11 SNF font data, MSB first +!:mime application/x-font-sfn +# GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX +0 lelong 00000004 +>104 lelong 00000004 X11 SNF font data, LSB first +!:mime application/x-font-sfn # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 STARTFONT\ X11 BDF font text @@ -89,5 +96,5 @@ 0 string wOFF Web Open Font Format >4 belong x \b, flavor %d >8 belong x \b, length %d ->20 beshort x \b, version %hd ->22 beshort x \b.%hd +>20 beshort x \b, version %d +>22 beshort x \b.%d diff --git a/magic/Magdir/fortran b/magic/Magdir/fortran index 0604c25..921beec 100644 --- a/magic/Magdir/fortran +++ b/magic/Magdir/fortran @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: fortran,v 1.7 2012/06/21 01:55:02 christos Exp $ +# $File: fortran,v 1.8 2014/06/03 19:01:34 christos Exp $ # FORTRAN source -0 regex/100 \^[Cc][\ \t] FORTRAN program +0 regex/100l \^[Cc][\ \t] FORTRAN program !:mime text/x-fortran !:strength - 5 diff --git a/magic/Magdir/fsav b/magic/Magdir/fsav index 0a7a7f8..ecdc4f6 100644 --- a/magic/Magdir/fsav +++ b/magic/Magdir/fsav @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fsav,v 1.11 2009/09/19 16:28:09 christos Exp $ +# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) @@ -61,3 +61,6 @@ # Type: Grisoft AVG AntiVirus # From: David Newgas 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data + +0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR +>33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files diff --git a/magic/Magdir/games b/magic/Magdir/games index e811628..779bc6c 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -1,19 +1,19 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.13 2012/02/13 22:50:50 christos Exp $ +# $File: games,v 1.14 2014/04/30 21:41:02 christos Exp $ # games: file(1) for games # Fabio Bonelli # Quake II - III data files 0 string IDP2 Quake II 3D Model file, ->20 long x %lu skin(s), ->8 long x (%lu x ->12 long x %lu), ->40 long x %lu frame(s), ->16 long x Frame size %lu bytes, ->24 long x %lu vertices/frame, ->28 long x %lu texture coordinates, ->32 long x %lu triangles/frame +>20 long x %u skin(s), +>8 long x (%u x +>12 long x %u), +>40 long x %u frame(s), +>16 long x Frame size %u bytes, +>24 long x %u vertices/frame, +>28 long x %u texture coordinates, +>32 long x %u triangles/frame 0 string IBSP Quake >4 long 0x26 II Map file (BSP) @@ -146,7 +146,7 @@ 0 string MComprHD MAME CHD compressed hard disk image, ->12 belong x version %lu +>12 belong x version %u # doom - submitted by Jon Dowland diff --git a/magic/Magdir/gimp b/magic/Magdir/gimp index a360bd8..516abb2 100644 --- a/magic/Magdir/gimp +++ b/magic/Magdir/gimp @@ -1,13 +1,17 @@ #------------------------------------------------------------------------------ -# $File: gimp,v 1.7 2010/09/20 18:55:20 rrt Exp $ -# GIMP Gradient: file(1) magic for the GIMP's gradient data files +# $File: gimp,v 1.9 2014/04/30 21:41:02 christos Exp $ +# GIMP Gradient: file(1) magic for the GIMP's gradient data files (.ggr) # by Federico Mena -0 string GIMP\ Gradient GIMP gradient data +0 string/t GIMP\ Gradient GIMP gradient data + +# GIMP palette (.gpl) +# From: Markus Heidelberg +0 string/t GIMP\ Palette GIMP palette data #------------------------------------------------------------------------------ -# XCF: file(1) magic for the XCF image format used in the GIMP developed +# XCF: file(1) magic for the XCF image format used in the GIMP (.xcf) developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) @@ -16,15 +20,15 @@ >9 string file version 0, >9 string v version >>10 string >\0 %s, ->14 belong x %lu x ->18 belong x %lu, +>14 belong x %u x +>18 belong x %u, >22 belong 0 RGB Color >22 belong 1 Greyscale >22 belong 2 Indexed Color >22 belong >2 Unknown Image Type. #------------------------------------------------------------------------------ -# XCF: file(1) magic for the patterns used in the GIMP, developed +# XCF: file(1) magic for the patterns used in the GIMP (.pat), developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) @@ -32,7 +36,7 @@ >24 string x %s #------------------------------------------------------------------------------ -# XCF: file(1) magic for the brushes used in the GIMP, developed +# XCF: file(1) magic for the brushes used in the GIMP (.gbr), developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) diff --git a/magic/Magdir/gnome b/magic/Magdir/gnome index 14d5aeb..32c9ae9 100644 --- a/magic/Magdir/gnome +++ b/magic/Magdir/gnome @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnome,v 1.3 2013/02/05 15:20:47 christos Exp $ +# $File: gnome,v 1.5 2014/04/30 21:41:02 christos Exp $ # GNOME related files # Contributed by Josh Triplett @@ -9,9 +9,9 @@ >&0 ubyte 0 \b, major version 0 >>&0 ubyte 0 \b, minor version 0 >>>&0 ubyte 0 \b, crypto type 0 (AES) ->>>&0 ubyte >0 \b, crypto type %hhu (unknown) +>>>&0 ubyte >0 \b, crypto type %u (unknown) >>>&1 ubyte 0 \b, hash type 0 (MD5) ->>>&1 ubyte >0 \b, hash type %hhu (unknown) +>>>&1 ubyte >0 \b, hash type %u (unknown) >>>&2 ubelong 0xFFFFFFFF \b, name NULL >>>&2 ubelong !0xFFFFFFFF >>>>&-4 ubelong >255 \b, name too long for file's pstring type diff --git a/magic/Magdir/gnu b/magic/Magdir/gnu index 6e746b2..e4a0a16 100644 --- a/magic/Magdir/gnu +++ b/magic/Magdir/gnu @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnu,v 1.14 2012/10/03 23:38:12 christos Exp $ +# $File: gnu,v 1.15 2014/02/06 14:21:02 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format @@ -52,6 +52,17 @@ >>2 leshort 0x0d04 GPG symmetrically encrypted data (CAMELLIA256 cipher) +# GnuPG Keybox file +# +# From: Philipp Hahn +0 belong 32 +>4 byte 1 +>>8 string KBXf GPG keybox database +>>>5 byte 1 version %d +>>>16 bedate x \b, created-at %s +>>>20 bedate x \b, last-maintained %s + + # Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps diff --git a/magic/Magdir/gpt b/magic/Magdir/gpt index 74aaaf7..c48a58f 100644 --- a/magic/Magdir/gpt +++ b/magic/Magdir/gpt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gpt,v 1.1 2013/02/18 18:31:09 christos Exp $ +# $File: gpt,v 1.3 2014/04/30 21:41:02 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) @@ -220,7 +220,6 @@ 0 name gpt-table >10 uleshort x \b, version %u >8 uleshort x \b.%u -# a GUID is just like a UUID, except it's displayed mixed-endian. >56 ulelong x \b, GUID: %08x >60 uleshort x \b-%04x >62 uleshort x \b-%04x diff --git a/magic/Magdir/graphviz b/magic/Magdir/graphviz index b944d46..cddc116 100644 --- a/magic/Magdir/graphviz +++ b/magic/Magdir/graphviz @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: graphviz,v 1.7 2009/09/19 16:28:09 christos Exp $ +# $File: graphviz,v 1.8 2014/06/03 19:01:34 christos Exp $ # graphviz: file(1) magic for http://www.graphviz.org/ # FIXME: These patterns match too generally. For example, the first # line matches a LaTeX file containing the word "graph" (with a { # following later) and the second line matches this file. -#0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text +#0 regex/100l [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text #!:mime text/vnd.graphviz -#0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text +#0 regex/100l [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text #!:mime text/vnd.graphviz diff --git a/magic/Magdir/hp b/magic/Magdir/hp index 3201c15..b01c3a4 100644 --- a/magic/Magdir/hp +++ b/magic/Magdir/hp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hp,v 1.23 2009/09/19 16:28:09 christos Exp $ +# $File: hp,v 1.24 2014/04/30 21:41:02 christos Exp $ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be @@ -41,10 +41,10 @@ #### Old Apollo stuff 0 beshort 0627 Apollo m68k COFF executable >18 beshort ^040000 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 0624 apollo a88k COFF executable >18 beshort ^040000 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 long 01203604016 TML 0123 byte-order format 0 long 01702407010 TML 1032 byte-order format 0 long 01003405017 TML 2301 byte-order format @@ -128,58 +128,58 @@ #### 500 0 long 0x02080106 HP s500 relocatable executable ->16 long >0 - version %ld +>16 long >0 - version %d 0 long 0x02080107 HP s500 executable ->16 long >0 - version %ld +>16 long >0 - version %d 0 long 0x02080108 HP s500 pure executable ->16 long >0 - version %ld +>16 long >0 - version %d #### 200 0 belong 0x020c0108 HP s200 pure executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0107 HP s200 executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c010b HP s200 demand-load executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0106 HP s200 relocatable executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >6 beshort >0 - highwater %d >8 belong &0x80000000 save fp regs >8 belong &0x20000000 debuggable >8 belong &0x10000000 PIC 0 belong 0x020a0108 HP s200 (2.x release) pure executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >36 belong >0 not stripped 0 belong 0x020a0107 HP s200 (2.x release) executable ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >36 belong >0 not stripped 0 belong 0x020c010e HP s200 shared library ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >6 beshort >0 - highwater %d >36 belong >0 not stripped 0 belong 0x020c010d HP s200 dynamic load library ->4 beshort >0 - version %ld +>4 beshort >0 - version %d >6 beshort >0 - highwater %d >36 belong >0 not stripped @@ -192,7 +192,7 @@ 0 long 0x015821a6 HP core file 0 long 0x4da7eee8 HP-WINDOWS font ->8 byte >0 - version %ld +>8 byte >0 - version %d 0 string Bitmapfile HP Bitmapfile 0 string IMGfile CIS compimg HP Bitmapfile diff --git a/magic/Magdir/ibm370 b/magic/Magdir/ibm370 index 37d17bd..7887dc3 100644 --- a/magic/Magdir/ibm370 +++ b/magic/Magdir/ibm370 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.8 2009/09/19 16:28:09 christos Exp $ +# $File: ibm370,v 1.9 2014/04/30 21:41:02 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". @@ -36,13 +36,13 @@ >12 belong >0 not stripped 0 beshort 0531 SVR2 executable (Amdahl-UTS) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d 0 beshort 0534 SVR2 pure executable (Amdahl-UTS) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d 0 beshort 0530 SVR2 pure executable (USS/370) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d 0 beshort 0535 SVR2 executable (USS/370) >12 belong >0 not stripped ->24 belong >0 - version %ld +>24 belong >0 - version %d diff --git a/magic/Magdir/ibm6000 b/magic/Magdir/ibm6000 index df27491..7f45072 100644 --- a/magic/Magdir/ibm6000 +++ b/magic/Magdir/ibm6000 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.11 2013/01/08 20:13:01 christos Exp $ +# $File: ibm6000,v 1.12 2013/09/16 15:12:42 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -20,9 +20,12 @@ 0 beshort 0x01f7 64-bit XCOFF executable or object module >20 belong 0 not stripped -4 belong &0x0feeddb0 AIX core file ->1 byte &0x01 fulldump ->7 byte &0x01 32-bit ->>0x6e0 string >\0 \b, %s ->7 byte &0x02 64-bit ->>0x524 string >\0 \b, %s +# GRR: this test is still too general as it catches also many FATs of DOS filesystems +4 belong &0x0feeddb0 +# real core dump could not be 32-bit and 64-bit together +>7 byte&0x03 !3 AIX core file +>>1 byte &0x01 fulldump +>>7 byte &0x01 32-bit +>>>0x6e0 string >\0 \b, %s +>>7 byte &0x02 64-bit +>>>0x524 string >\0 \b, %s diff --git a/magic/Magdir/images b/magic/Magdir/images index fe8e449..672dd88 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.80 2013/02/06 14:18:52 christos Exp $ +# $File: images,v 1.102 2015/01/02 02:36:35 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -18,55 +18,58 @@ # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) # `tgatoppm' recognizes a superset (Index may be anything) 1 belong&0xfff7ffff 0x01010000 Targa image data - Map +!:strength + 2 >2 byte&8 8 - RLE ->12 leshort >0 %hd x ->14 leshort >0 %hd +>12 leshort >0 %d x +>14 leshort >0 %d 1 belong&0xfff7ffff 0x00020000 Targa image data - RGB +!:strength + 2 >2 byte&8 8 - RLE ->12 leshort >0 %hd x ->14 leshort >0 %hd +>12 leshort >0 %d x +>14 leshort >0 %d 1 belong&0xfff7ffff 0x00030000 Targa image data - Mono +!:strength + 2 >2 byte&8 8 - RLE ->12 leshort >0 %hd x ->14 leshort >0 %hd +>12 leshort >0 %d x +>14 leshort >0 %d # PBMPLUS images # The next byte following the magic is always whitespace. # strength is changed to try these patterns before "x86 boot sector" 0 search/1 P1 ->3 regex =[0-9]*\ [0-9]* Netpbm PBM image text ->3 regex =[0-9]+\ \b, size = %sx ->>3 regex =\ [0-9]+ \b%s +>3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PBM image text +>3 regex =[0-9]{1,50}\ \b, size = %sx +>>3 regex =\ [0-9]{1,50} \b%s !:strength + 45 !:mime image/x-portable-bitmap 0 search/1 P2 ->3 regex =[0-9]*\ [0-9]* Netpbm PGM image text ->3 regex =[0-9]+\ \b, size = %sx ->>3 regex =\ [0-9]+ \b%s +>3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PGM image text +>3 regex =[0-9]{1,50}\ \b, size = %sx +>>3 regex =\ [0-9]{1,50} \b%s !:strength + 45 !:mime image/x-portable-greymap -0 search/1 P3 Netpbm PPM image text ->3 regex =[0-9]*\ [0-9]* Netpbm PPM image text ->3 regex =[0-9]+\ \b, size = %sx ->>3 regex =\ [0-9]+ \b%s +0 search/1 P3 +>3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PPM image text +>3 regex =[0-9]{1,50}\ \b, size = %sx +>>3 regex =\ [0-9]{1,50} \b%s !:strength + 45 !:mime image/x-portable-pixmap 0 string P4 ->3 regex =[0-9]*\ [0-9]* Netpbm PBM "rawbits" image data ->3 regex =[0-9]+\ \b, size = %sx ->>3 regex =\ [0-9]+ \b%s +>3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PBM "rawbits" image data +>3 regex =[0-9]{1,50}\ \b, size = %sx +>>3 regex =\ [0-9]{1,50} \b%s !:strength + 45 !:mime image/x-portable-bitmap 0 string P5 ->3 regex =[0-9]*\ [0-9]* Netpbm PGM "rawbits" image data ->3 regex =[0-9]+\ \b, size = %sx ->>3 regex =\ [0-9]+ \b%s +>3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PGM "rawbits" image data +>3 regex =[0-9]{1,50}\ \b, size = %sx +>>3 regex =\ [0-9]{1,50} \b%s !:strength + 45 !:mime image/x-portable-greymap 0 string P6 ->3 regex =[0-9]*\ [0-9]* Netpbm PPM "rawbits" image data ->3 regex =[0-9]+\ \b, size = %sx ->>3 regex =\ [0-9]+ \b%s +>3 regex =[0-9]{0,50}\ [0-9]{0,50} Netpbm PPM "rawbits" image data +>3 regex =[0-9]{1,50}\ \b, size = %sx +>>3 regex =\ [0-9]{1,50} \b%s !:strength + 45 !:mime image/x-portable-pixmap 0 string P7 Netpbm PAM image file @@ -112,8 +115,153 @@ # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian !:mime image/tiff +>(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff +>(4.l) use tiff_ifd + +0 name tiff_ifd +>0 leshort x \b, direntries=%d +>2 use tiff_entry + +0 name tiff_entry +# NewSubFileType +>0 leshort 0xfe +>>12 use tiff_entry +>0 leshort 0x100 +>>4 lelong 1 +>>>12 use tiff_entry +>>>8 leshort x \b, width=%d +>0 leshort 0x101 +>>4 lelong 1 +>>>8 leshort x \b, height=%d +>>>12 use tiff_entry +>0 leshort 0x102 +>>8 leshort x \b, bps=%d +>>12 use tiff_entry +>0 leshort 0x103 +>>4 lelong 1 \b, compression= +>>>8 leshort 1 \bnone +>>>8 leshort 2 \bhuffman +>>>8 leshort 3 \bbi-level group 3 +>>>8 leshort 4 \bbi-level group 4 +>>>8 leshort 5 \bLZW +>>>8 leshort 6 \bJPEG (old) +>>>8 leshort 7 \bJPEG +>>>8 leshort 8 \bdeflate +>>>8 leshort 9 \bJBIG, ITU-T T.85 +>>>8 leshort 0xa \bJBIG, ITU-T T.43 +>>>8 leshort 0x7ffe \bNeXT RLE 2-bit +>>>8 leshort 0x8005 \bPackBits (Macintosh RLE) +>>>8 leshort 0x8029 \bThunderscan RLE +>>>8 leshort 0x807f \bRasterPadding (CT or MP) +>>>8 leshort 0x8080 \bRLE (Line Work) +>>>8 leshort 0x8081 \bRLE (High-Res Cont-Tone) +>>>8 leshort 0x8082 \bRLE (Binary Line Work) +>>>8 leshort 0x80b2 \bDeflate (PKZIP) +>>>8 leshort 0x80b3 \bKodak DCS +>>>8 leshort 0x8765 \bJBIG +>>>8 leshort 0x8798 \bJPEG2000 +>>>8 leshort 0x8799 \bNikon NEF Compressed +>>>8 default x +>>>>8 leshort x \b(unknown 0x%x) +>>>12 use tiff_entry +>0 leshort 0x106 \b, PhotometricIntepretation= +>>8 leshort 0 \bWhiteIsZero +>>8 leshort 1 \bBlackIsZero +>>8 leshort 2 \bRGB +>>8 leshort 3 \bRGB Palette +>>8 leshort 4 \bTransparency Mask +>>8 leshort 5 \bCMYK +>>8 leshort 6 \bYCbCr +>>8 leshort 8 \bCIELab +>>>8 leshort x \b(unknown=0x%x) +>>12 use tiff_entry +# FillOrder +>0 leshort 0x10a +>>4 lelong 1 +>>>12 use tiff_entry +# DocumentName +>0 leshort 0x10d +>>(8.l) string x \b, name=%s +>>>12 use tiff_entry +# ImageDescription +>0 leshort 0x10e +>>(8.l) string x \b, description=%s +>>>12 use tiff_entry +# Make +>0 leshort 0x10f +>>(8.l) string x \b, manufacturer=%s +>>>12 use tiff_entry +# Model +>0 leshort 0x110 +>>(8.l) string x \b, model=%s +>>>12 use tiff_entry +# StripOffsets +>0 leshort 0x111 +>>12 use tiff_entry +# Orientation +>0 leshort 0x112 \b, orientation= +>>8 leshort 1 \bupper-left +>>8 leshort 3 \blower-right +>>8 leshort 6 \bupper-right +>>8 leshort 8 \blower-left +>>8 leshort 9 \bundefined +>>8 default x +>>>8 leshort x \b[*%d*] +>>12 use tiff_entry +# XResolution +>0 leshort 0x11a +>>8 lelong x \b, xresolution=%d +>>12 use tiff_entry +# YResolution +>0 leshort 0x11b +>>8 lelong x \b, yresolution=%d +>>12 use tiff_entry +# ResolutionUnit +>0 leshort 0x128 +>>8 leshort x \b, resolutionunit=%d +>>12 use tiff_entry +# Software +>0 leshort 0x131 +>>(8.l) string x \b, software=%s +>>12 use tiff_entry +# Datetime +>0 leshort 0x132 +>>(8.l) string x \b, datetime=%s +>>12 use tiff_entry +# HostComputer +>0 leshort 0x13c +>>(8.l) string x \b, hostcomputer=%s +>>12 use tiff_entry +# WhitePoint +>0 leshort 0x13e +>>12 use tiff_entry +# PrimaryChromaticities +>0 leshort 0x13f +>>12 use tiff_entry +# YCbCrCoefficients +>0 leshort 0x211 +>>12 use tiff_entry +# YCbCrPositioning +>0 leshort 0x213 +>>12 use tiff_entry +# ReferenceBlackWhite +>0 leshort 0x214 +>>12 use tiff_entry +# Copyright +>0 leshort 0x8298 +>>(8.l) string x \b, copyright=%s +>>12 use tiff_entry +# ExifOffset +>0 leshort 0x8769 +>>12 use tiff_entry +# GPS IFD +>0 leshort 0x8825 \b, GPS-Data +>>12 use tiff_entry + +#>0 leshort x \b, unknown=0x%x +#>>12 use tiff_entry 0 string MM\x00\x2b Big TIFF image data, big-endian !:mime image/tiff @@ -128,8 +276,8 @@ # 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data !:mime image/png ->16 belong x \b, %ld x ->20 belong x %ld, +>16 belong x \b, %d x +>20 belong x %d, >24 byte x %d-bit >25 byte 0 grayscale, >25 byte 2 \b/color RGB, @@ -164,8 +312,8 @@ !:apple 8BIMGIFf >4 string 7a \b, version 8%s, >4 string 9a \b, version 8%s, ->6 leshort >0 %hd x ->8 leshort >0 %hd +>6 leshort >0 %d x +>8 leshort >0 %d #>10 byte &0x80 color mapped, #>10 byte&0x07 =0x00 2 colors #>10 byte&0x07 =0x01 4 colors @@ -256,6 +404,8 @@ # at offset 8 starts imagedata followed by "RGB " marker # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) +# http://en.wikipedia.org/wiki/BMP_file_format#DIB_header_.\ +# 28bitmap_information_header.29 0 string BM >14 leshort 12 PC bitmap, OS/2 1.x format !:mime image/x-ms-bmp @@ -270,6 +420,16 @@ >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d +>14 leshort 124 PC bitmap, Windows 98/2000 and newer format +!:mime image/x-ms-bmp +>>18 lelong x \b, %d x +>>22 lelong x %d x +>>28 leshort x %d +>14 leshort 108 PC bitmap, Windows 95/NT4 and newer format +!:mime image/x-ms-bmp +>>18 lelong x \b, %d x +>>22 lelong x %d x +>>28 leshort x %d >14 leshort 128 PC bitmap, Windows NT/2000 format !:mime image/x-ms-bmp >>18 lelong x \b, %d x @@ -454,26 +614,37 @@ # PCX image files # From: Dan Fandrich -0 beshort 0x0a00 PCX ver. 2.5 image data -0 beshort 0x0a02 PCX ver. 2.8 image data, with palette -0 beshort 0x0a03 PCX ver. 2.8 image data, without palette -0 beshort 0x0a04 PCX for Windows image data -0 beshort 0x0a05 PCX ver. 3.0 image data ->4 leshort x bounding box [%hd, ->6 leshort x %hd] - ->8 leshort x [%hd, ->10 leshort x %hd], ->65 byte >1 %d planes each of ->3 byte x %hhd-bit ->68 byte 0 image, ->68 byte 1 colour, ->68 byte 2 grayscale, ->68 byte >2 image, ->68 byte <0 image, ->12 leshort >0 %hd x ->>14 leshort x %hd dpi, ->2 byte 0 uncompressed ->2 byte 1 RLE compressed +# updated by Joerg Jenderek at Feb 2013 by http://de.wikipedia.org/wiki/PCX +# http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt +# GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 +# test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT +0 ubelong&0xffF8fe00 0x0a000000 +# for PCX bit depth > 0 +>3 ubyte >0 +# test for valid versions +>>1 ubyte <6 +>>>1 ubyte !1 PCX +!:mime image/x-pcx +#!:mime image/pcx +>>>>1 ubyte 0 ver. 2.5 image data +>>>>1 ubyte 2 ver. 2.8 image data, with palette +>>>>1 ubyte 3 ver. 2.8 image data, without palette +>>>>1 ubyte 4 for Windows image data +>>>>1 ubyte 5 ver. 3.0 image data +>>>>4 uleshort x bounding box [%d, +>>>>6 uleshort x %d] - +>>>>8 uleshort x [%d, +>>>>10 uleshort x %d], +>>>>65 ubyte >1 %d planes each of +>>>>3 ubyte x %d-bit +>>>>68 byte 1 colour, +>>>>68 byte 2 grayscale, +# this should not happen +>>>>68 default x image, +>>>>12 leshort >0 %d x +>>>>>14 uleshort x %d dpi, +>>>>2 byte 0 uncompressed +>>>>2 byte 1 RLE compressed # Adobe Photoshop # From: Asbjoern Sloth Toennesen @@ -595,7 +766,7 @@ # Author: Hans-Joachim Baader 0 string PaRtImAgE-VoLuMe PartImage >0x0020 string 0.6.1 file version %s ->>0x0060 lelong >-1 volume %ld +>>0x0060 lelong >-1 volume %d #>>0x0064 8 byte identifier #>>0x007c reserved >>0x0200 string >\0 type %s @@ -618,8 +789,8 @@ # Kodak Cineon format for scanned negatives # http://www.kodak.com/US/en/motion/support/dlad/ 0 lelong 0xd75f2a80 Cineon image data ->200 belong >0 \b, %ld x ->204 belong >0 %ld +>200 belong >0 \b, %d x +>204 belong >0 %d # Bio-Rad .PIC is an image format used by microscope control systems @@ -631,10 +802,10 @@ 14 leshort <2 >62 leshort <2 >>54 leshort 12345 Bio-Rad .PIC Image File ->>>0 leshort >0 %hd x ->>>2 leshort >0 %hd, +>>>0 leshort >0 %d x +>>>2 leshort >0 %d, >>>4 leshort =1 1 image in file ->>>4 leshort >1 %hd images in file +>>>4 leshort >1 %d images in file # From Jan "Yenya" Kasprzak # The description of *.mrw format can be found at @@ -723,6 +894,15 @@ !:mime application/x-hdf 0 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) data !:mime application/x-hdf +512 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 512 bytes user block +!:mime application/x-hdf +1024 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 1k user block +!:mime application/x-hdf +2048 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 2k user block +!:mime application/x-hdf +4096 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 4k user block +!:mime application/x-hdf + # From: Tobias Burnus # Xara (for a while: Corel Xara) is a graphic package, see @@ -758,12 +938,40 @@ # From Tano M Fotang 0 string \xff\xa0\xff\xa8\x00 Wavelet Scalar Quantization image data +# Type: PCO B16 image files +# URL: http://www.pco.de/fileadmin/user_upload/db/download/MA_CWDCOPIE_0412b.pdf +# From: Florian Philipp +# Extension: .b16 +# Description: Pixel image format produced by PCO Camware, typically used +# together with PCO cameras. +# Note: Different versions exist for e.g. 8 bit and 16 bit images. +# Documentation is incomplete. +0 string/b PCO- PCO B16 image data +>12 lelong x \b, %dx +>16 lelong x \b%d +>20 lelong 0 \b, short header +>20 lelong -1 \b, extended header +>>24 lelong 0 \b, grayscale +>>>36 lelong 0 linear LUT +>>>36 lelong 1 logarithmic LUT +>>>28 lelong x [%d +>>>32 lelong x \b,%d] +>>24 lelong 1 \b, color +>>>64 lelong 0 linear LUT +>>>64 lelong 1 logarithmic LUT +>>>40 lelong x r[%d +>>>44 lelong x \b,%d] +>>>48 lelong x g[%d +>>>52 lelong x \b,%d] +>>>56 lelong x b[%d +>>>60 lelong x \b,%d] + # Polar Monitor Bitmap (.pmb) used as logo for Polar Electro watches # From: Markus Heidelberg 0 string/t [BitmapInfo2] Polar Monitor Bitmap text !:mime image/x-polar-monitor-bitmap -# From: Rick Richardson +# From: Rick Richardson 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file # Type: Ulead Photo Explorer5 (.pe5) @@ -827,3 +1035,67 @@ # Not really an image. # From: "Tano M. Fotang" 0 string \x46\x4d\x52\x00 ISO/IEC 19794-2 Format Minutiae Record (FMR) + +# WEBP https://developers.google.com/speed/webp/docs/riff_container +#0 string RIFF +#>8 string WEBP Web/P image data +#>>4 lelong x \b, %d bytes + +# doc: http://www.shikino.co.jp/eng/products/images/FLOWER.jpg.zip +# example: http://www.shikino.co.jp/eng/products/images/FLOWER.wdp.zip +90 bequad 0x574D50484F544F00 JPEG-XR Image +>98 byte&0x08 =0x08 \b, hard tiling +>99 byte&0x80 =0x80 \b, tiling present +>99 byte&0x40 =0x40 \b, codestream present +>99 byte&0x38 x \b, spatial xform= +>99 byte&0x38 0x00 \bTL +>99 byte&0x38 0x08 \bBL +>99 byte&0x38 0x10 \bTR +>99 byte&0x38 0x18 \bBR +>99 byte&0x38 0x20 \bBT +>99 byte&0x38 0x28 \bRB +>99 byte&0x38 0x30 \bLT +>99 byte&0x38 0x38 \bLB +>100 byte&0x80 =0x80 \b, short header +>>102 beshort+1 x \b, %d +>>104 beshort+1 x \bx%d +>100 byte&0x80 =0x00 \b, long header +>>102 belong+1 x \b, %x +>>106 belong+1 x \bx%x +>101 beshort&0xf x \b, bitdepth= +>>101 beshort&0xf 0x0 \b1-WHITE=1 +>>101 beshort&0xf 0x1 \b8 +>>101 beshort&0xf 0x2 \b16 +>>101 beshort&0xf 0x3 \b16-SIGNED +>>101 beshort&0xf 0x4 \b16-FLOAT +>>101 beshort&0xf 0x5 \b(reserved 5) +>>101 beshort&0xf 0x6 \b32-SIGNED +>>101 beshort&0xf 0x7 \b32-FLOAT +>>101 beshort&0xf 0x8 \b5 +>>101 beshort&0xf 0x9 \b10 +>>101 beshort&0xf 0xa \b5-6-5 +>>101 beshort&0xf 0xb \b(reserved %d) +>>101 beshort&0xf 0xc \b(reserved %d) +>>101 beshort&0xf 0xd \b(reserved %d) +>>101 beshort&0xf 0xe \b(reserved %d) +>>101 beshort&0xf 0xf \b1-BLACK=1 +>101 beshort&0xf0 x \b, colorfmt= +>>101 beshort&0xf0 0x00 \bYONLY +>>101 beshort&0xf0 0x10 \bYUV240 +>>101 beshort&0xf0 0x20 \bYWV422 +>>101 beshort&0xf0 0x30 \bYWV444 +>>101 beshort&0xf0 0x40 \bCMYK +>>101 beshort&0xf0 0x50 \bCMYKDIRECT +>>101 beshort&0xf0 0x60 \bNCOMPONENT +>>101 beshort&0xf0 0x70 \bRGB +>>101 beshort&0xf0 0x80 \bRGBE +>>101 beshort&0xf0 >0x80 \b(reserved 0x%x) + +# From: Johan van der Knijff +# +# BPG (Better Portable Graphics) format +# http://bellard.org/bpg/ +# http://fileformats.archiveteam.org/wiki/BPG +# +0 string \x42\x50\x47\xFB BPG (Better Portable Graphics) +!:mime image/bpg diff --git a/magic/Magdir/intel b/magic/Magdir/intel index c3657f0..9fa90f4 100644 --- a/magic/Magdir/intel +++ b/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.11 2013/02/06 14:18:52 christos Exp $ +# $File: intel,v 1.12 2014/04/30 21:41:02 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -16,24 +16,24 @@ # 0 leshort 0502 basic-16 executable >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d 0 leshort 0503 basic-16 executable (TV) >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d 0 leshort 0510 x86 executable >12 lelong >0 not stripped 0 leshort 0511 x86 executable (TV) >12 lelong >0 not stripped 0 leshort =0512 iAPX 286 executable small model (COFF) >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d 0 leshort =0522 iAPX 286 executable large model (COFF) >12 lelong >0 not stripped -#>22 leshort >0 - version %ld +#>22 leshort >0 - version %d # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 0 leshort =0514 80386 COFF executable >12 lelong >0 not stripped ->22 leshort >0 - version %ld +>22 leshort >0 - version %d # rom: file(1) magic for BIOS ROM Extensions found in intel machines # mapped into memory between 0xC0000 and 0xFFFFF diff --git a/magic/Magdir/isz b/magic/Magdir/isz index 316bbd4..3388a82 100644 --- a/magic/Magdir/isz +++ b/magic/Magdir/isz @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: isz,v 1.1 2010/03/27 16:17:09 christos Exp $ +# $File: isz,v 1.3 2014/04/30 21:41:02 christos Exp $ # ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file diff --git a/magic/Magdir/java b/magic/Magdir/java index f494f61..b09302e 100644 --- a/magic/Magdir/java +++ b/magic/Magdir/java @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: java,v 1.14 2013/02/08 16:54:45 christos Exp $ +# $File: java,v 1.16 2013/09/24 20:22:03 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". @@ -15,25 +15,6 @@ 0 belong 0xcececece Java JCE KeyStore !:mime application/x-java-jce-keystore -# Dalvik .dex format. http://retrodev.com/android/dexformat.html -# From "Mike Fleming" -0 string dex\n ->0 regex dex\n[0-9][0-9][0-9]\0 Dalvik dex file ->4 string >000 version %s -0 string dey\n ->0 regex dey\n[0-9][0-9][0-9]\0 Dalvik dex file (optimized for host) ->4 string >000 version %s - # Java source 0 regex ^import.*;$ Java source !:mime text/x-java - -# http://android.stackexchange.com/questions/23357/\ -# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\ -# 23608#23608 -0 string ANDROID\040BACKUP\n Android Backup ->15 string 1\n \b, version 1 ->17 string 0\n \b, uncompressed ->17 string 1\n \b, compressed ->19 string none\n \b, unencrypted ->19 string AES-256\n \b, encrypted AES-256 diff --git a/magic/Magdir/jpeg b/magic/Magdir/jpeg index bc8b342..cfe8973 100644 --- a/magic/Magdir/jpeg +++ b/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.19 2013/02/04 15:50:03 christos Exp $ +# $File: jpeg,v 1.25 2015/01/02 16:56:50 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -22,132 +22,73 @@ >>11 byte x \b %d. >>12 byte x \b%02d # Next, the resolution or aspect ratio of the image: -#>>13 byte 0 \b, aspect ratio -#>>13 byte 1 \b, resolution (DPI) -#>>13 byte 2 \b, resolution (DPCM) -#>>4 beshort x \b, segment length %d +>>13 byte 0 \b, aspect ratio +>>13 byte 1 \b, resolution (DPI) +>>13 byte 2 \b, resolution (DPCM) +>>14 beshort x \b, density %dx +>>16 beshort x \b%d +>>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte !0 \b, thumbnail %dx >>>19 byte x \b%d +>6 string Exif \b, Exif standard: [ +>>12 indirect/r x +>>12 string x \b] -# EXIF moved down here to avoid reporting a bogus version number, -# and EXIF version number printing added. -# - Patrik R=E5dman ->6 string Exif \b, EXIF standard -# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. -# All possible combinations of entries have to be enumerated, since no looping -# is possible. And both endians are possible... -# The combinations included below are from real-world JPEGs. -# Little-endian ->>12 string II -# IFD 0 Entry #5: ->>>70 leshort 0x8769 -# EXIF IFD Entry #1: ->>>>(78.l+14) leshort 0x9000 ->>>>>(78.l+23) byte x %c ->>>>>(78.l+24) byte x \b.%c ->>>>>(78.l+25) byte !0x30 \b%c -# IFD 0 Entry #9: ->>>118 leshort 0x8769 -# EXIF IFD Entry #3: ->>>>(126.l+38) leshort 0x9000 ->>>>>(126.l+47) byte x %c ->>>>>(126.l+48) byte x \b.%c ->>>>>(126.l+49) byte !0x30 \b%c -# IFD 0 Entry #10 ->>>130 leshort 0x8769 -# EXIF IFD Entry #3: ->>>>(138.l+38) leshort 0x9000 ->>>>>(138.l+47) byte x %c ->>>>>(138.l+48) byte x \b.%c ->>>>>(138.l+49) byte !0x30 \b%c -# EXIF IFD Entry #4: ->>>>(138.l+50) leshort 0x9000 ->>>>>(138.l+59) byte x %c ->>>>>(138.l+60) byte x \b.%c ->>>>>(138.l+61) byte !0x30 \b%c -# EXIF IFD Entry #5: ->>>>(138.l+62) leshort 0x9000 ->>>>>(138.l+71) byte x %c ->>>>>(138.l+72) byte x \b.%c ->>>>>(138.l+73) byte !0x30 \b%c -# IFD 0 Entry #11 ->>>142 leshort 0x8769 -# EXIF IFD Entry #3: ->>>>(150.l+38) leshort 0x9000 ->>>>>(150.l+47) byte x %c ->>>>>(150.l+48) byte x \b.%c ->>>>>(150.l+49) byte !0x30 \b%c -# EXIF IFD Entry #4: ->>>>(150.l+50) leshort 0x9000 ->>>>>(150.l+59) byte x %c ->>>>>(150.l+60) byte x \b.%c ->>>>>(150.l+61) byte !0x30 \b%c -# EXIF IFD Entry #5: ->>>>(150.l+62) leshort 0x9000 ->>>>>(150.l+71) byte x %c ->>>>>(150.l+72) byte x \b.%c ->>>>>(150.l+73) byte !0x30 \b%c -# Big-endian ->>12 string MM -# IFD 0 Entry #9: ->>>118 beshort 0x8769 -# EXIF IFD Entry #1: ->>>>(126.L+14) beshort 0x9000 ->>>>>(126.L+23) byte x %c ->>>>>(126.L+24) byte x \b.%c ->>>>>(126.L+25) byte !0x30 \b%c -# EXIF IFD Entry #3: ->>>>(126.L+38) beshort 0x9000 ->>>>>(126.L+47) byte x %c ->>>>>(126.L+48) byte x \b.%c ->>>>>(126.L+49) byte !0x30 \b%c -# IFD 0 Entry #10 ->>>130 beshort 0x8769 -# EXIF IFD Entry #3: ->>>>(138.L+38) beshort 0x9000 ->>>>>(138.L+47) byte x %c ->>>>>(138.L+48) byte x \b.%c ->>>>>(138.L+49) byte !0x30 \b%c -# EXIF IFD Entry #5: ->>>>(138.L+62) beshort 0x9000 ->>>>>(138.L+71) byte x %c ->>>>>(138.L+72) byte x \b.%c ->>>>>(138.L+73) byte !0x30 \b%c -# IFD 0 Entry #11 ->>>142 beshort 0x8769 -# EXIF IFD Entry #4: ->>>>(150.L+50) beshort 0x9000 ->>>>>(150.L+59) byte x %c ->>>>>(150.L+60) byte x \b.%c ->>>>>(150.L+61) byte !0x30 \b%c -# Here things get sticky. We can do ONE MORE marker segment with -# indirect addressing, and that's all. It would be great if we could -# do pointer arithemetic like in an assembler language. Christos? -# And if there was some sort of looping construct to do searches, plus a few -# named accumulators, it would be even more effective... -# At least we can show a comment if no other segments got inserted before: ->(4.S+5) byte 0xFE \b, comment: ->>(4.S+6) pstring/HJ x "%s" -# Or, we can show the encoding type (I've included only the three most common) -# and image dimensions if we are lucky and the SOFn (image segment) is here: ->(4.S+5) byte 0xC0 \b, baseline ->>(4.S+6) byte x \b, precision %d ->>(4.S+7) beshort x \b, %dx ->>(4.S+9) beshort x \b%d ->(4.S+5) byte 0xC1 \b, extended sequential ->>(4.S+6) byte x \b, precision %d ->>(4.S+7) beshort x \b, %dx ->>(4.S+9) beshort x \b%d ->(4.S+5) byte 0xC2 \b, progressive ->>(4.S+6) byte x \b, precision %d ->>(4.S+7) beshort x \b, %dx ->>(4.S+9) beshort x \b%d -# I've commented-out quantisation table reporting. I doubt anyone cares yet. -#>(4.S+5) byte 0xDB \b, quantisation table -#>>(4.S+6) beshort x \b length=%d -#>14 beshort x \b, %d x -#>16 beshort x \b %d +# Jump to the first segment +>(4.S+4) use jpeg_segment + +# This uses recursion... +0 name jpeg_segment +>0 beshort 0xFFFE +>>(2.S+2) use jpeg_segment +>>2 pstring/HJ x \b, comment: "%s" + +>0 beshort 0xFFC0 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, baseline, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, frames %d + +>0 beshort 0xFFC1 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, extended sequential, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, frames %d + +>0 beshort 0xFFC2 +>>(2.S+2) use jpeg_segment +>>4 byte x \b, progressive, precision %d +>>7 beshort x \b, %dx +>>5 beshort x \b%d +>>9 byte x \b, frames %d + +# Define Huffman Tables +>0 beshort 0xFFC4 +>>(2.S+2) use jpeg_segment + +>0 beshort 0xFFE1 +#>>(2.S+2) use jpeg_segment +>>4 string Exif \b, Exif Standard: [ +>>>10 indirect/r x +>>>10 string x \b] + +# Application specific markers +>0 beshort&0xFFE0 =0xFFE0 +>>(2.S+2) use jpeg_segment + +# DB: Define Quantization tables +# DD: Define Restart interval [XXX: wrong here, it is 4 bytes] +# D8: Start of image +# D9: End of image +# Dn: Restart +>0 beshort&0xFFD0 =0xFFD0 +>>(2.S+2) use jpeg_segment + +#>0 beshort x unknown 0x%x +#>>(2.S+2) use jpeg_segment # HSI is Handmade Software's proprietary JPEG encoding scheme 0 string hsi1 JPEG image data, HSI proprietary diff --git a/magic/Magdir/karma b/magic/Magdir/karma index 007a4b7..47d5d97 100644 --- a/magic/Magdir/karma +++ b/magic/Magdir/karma @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: karma,v 1.6 2009/09/19 16:28:10 christos Exp $ +# $File: karma,v 1.7 2014/04/30 21:41:02 christos Exp $ # karma: file(1) magic for Karma data files # # From 0 string KarmaRHD Version Karma Data Structure Version ->16 belong x %lu +>16 belong x %u diff --git a/magic/Magdir/kerberos b/magic/Magdir/kerberos new file mode 100644 index 0000000..cb07fed --- /dev/null +++ b/magic/Magdir/kerberos @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: kerberos,v 1.1 2014/12/10 18:45:43 christos Exp $ +# kerberos: MIT kerberos file binary formats +# + +# This magic entry is for demonstration purposes and could be improved +# if the following features were implemented in file: +# +# Strings inside [[ .. ]] in the descriptions have special meanings and +# are not printed. +# +# - Provide some form of iteration in number of components +# [[${counter}=%d]] in the description +# then append +# [${counter}--] in the offset of the entries +# - Provide a way to round the next offset +# Add [R:4] after the offset? +# - Provide a way to have optional entries +# XXX: Syntax: +# - Provide a way to "save" entries to print them later. +# if the description is [[${name}=%s]], then nothing is +# printed and a subsequent entry in the same magic file +# can refer to ${name} +# - Provide a way to format strings as hex values +# +# http://www.gnu.org/software/shishi/manual/html_node/\ +# The-Keytab-Binary-File-Format.html +# + +0 name keytab_entry +#>0 beshort x \b, size=%d +#>2 beshort x \b, components=%d +>4 pstring/H x \b, realm=%s +>>&0 pstring/H x \b, principal=%s/ +>>>&0 pstring/H x \b%s +>>>>&0 belong x \b, type=%d +>>>>>&0 bedate x \b, date=%s +>>>>>>&0 byte x \b, kvno=%u +#>>>>>>>&0 pstring/H x +#>>>>>>>>&0 belong x +#>>>>>>>>>>&0 use keytab_entry + +0 belong 0x05020000 Kerberos Keytab file +>4 use keytab_entry diff --git a/magic/Magdir/linux b/magic/Magdir/linux index 1b03e25..d3f6a9d 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.47 2013/02/06 14:18:52 christos Exp $ +# $File: linux,v 1.59 2014/11/03 21:03:36 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -40,6 +40,7 @@ >28 long !0 not stripped # core dump file, from Bill Reynolds 216 lelong 0421 Linux/i386 core file +!:strength / 2 >220 string >\0 of '%s' >200 lelong >0 (signal %d) # @@ -48,7 +49,10 @@ 2 string LILO Linux/i386 LILO boot/chain loader # # Linux make config build file, from Ole Aamot -28 string make\ config Linux make config build file +# Updated by Ken Sharp +28 string make\ config Linux make config build file (old) +49 search/70 Kernel\ Configuration Linux make config build file + # # PSF fonts, from H. Peter Anvin # Updated by Adam Buchbinder @@ -98,12 +102,13 @@ # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) 514 string HdrS Linux kernel -!:strength + 5 +!:strength + 55 >510 leshort 0xAA55 x86 boot executable >>518 leshort >0x1ff >>>529 byte 0 zImage, >>>529 byte 1 bzImage, ->>>(526.s+0x200) string >\0 version %s, +>>>526 lelong >0 +>>>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, >>508 leshort >0 root_dev 0x%X, @@ -344,3 +349,86 @@ #>2 regex \(name\ [^)]*\) %s >20 search/256 (name (name >>&1 string x %s...) + +# Systemd journald files +# See http://www.freedesktop.org/wiki/Software/systemd/journal-files/. +# From: Zbigniew Jedrzejewski-Szmek + +# check magic +0 string LPKSHHRH +# check that state is one of known values +>16 ubyte&252 0 +# check that each half of three unique id128s is non-zero +>>24 ubequad >0 +>>>32 ubequad >0 +>>>>40 ubequad >0 +>>>>>48 ubequad >0 +>>>>>>56 ubequad >0 +>>>>>>>64 ubequad >0 Journal file +!:mime application/octet-stream +# provide more info +>>>>>>>>184 leqdate 0 empty +>>>>>>>>16 ubyte 0 \b, offline +>>>>>>>>16 ubyte 1 \b, online +>>>>>>>>16 ubyte 2 \b, archived +>>>>>>>>8 ulelong&1 1 \b, sealed +>>>>>>>>12 ulelong&1 1 \b, compressed + +# BCache backing and cache devices +# From: Gabriel de Perthuis +0x1008 lequad 8 +>0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 BCache +>>0x1010 ulequad 0 cache device +>>0x1010 ulequad 1 backing device +>>0x1010 ulequad 3 cache device +>>0x1010 ulequad 4 backing device +>>0x1048 string >0 \b, label "%.32s" +>>0x1028 ubelong x \b, uuid %08x +>>0x102c ubeshort x \b-%04x +>>0x102e ubeshort x \b-%04x +>>0x1030 ubeshort x \b-%04x +>>0x1032 ubelong x \b-%08x +>>0x1036 ubeshort x \b%04x +>>0x1038 ubelong x \b, set uuid %08x +>>0x103c ubeshort x \b-%04x +>>0x103e ubeshort x \b-%04x +>>0x1040 ubeshort x \b-%04x +>>0x1042 ubelong x \b-%08x +>>0x1046 ubeshort x \b%04x + +# Linux device tree: +# File format description can be found in the Linux kernel sources at +# Documentation/devicetree/booting-without-of.txt +# From Christoph Biedl +0 belong 0xd00dfeed +# structure and strings must be within blob +>&(8.L) byte x +>>&(12.L) byte x +>>>20 belong >1 Device Tree Blob version %d +>>>>4 belong x \b, size=%d +>>>>20 belong >1 +>>>>>28 belong x \b, boot CPU=%d +>>>>20 belong >2 +>>>>>32 belong x \b, string block size=%d +>>>>20 belong >16 +>>>>>36 belong x \b, DT structure block size=%d + +# glibc locale archive as defined in glibc locale/locarchive.h +0 lelong 0xde020109 locale archive +>24 lelong x %d strings + +# Summary: Database file for mlocate +# Description: A database file as used by mlocate, a fast implementation +# of locate/updatedb. It uses merging to reuse the existing +# database and avoid rereading most of the filesystem. It's +# the default version of locate on Arch Linux (and others). +# File path: /var/lib/mlocate/mlocate.db by default (but configurable) +# Site: https://fedorahosted.org/mlocate/ +# Format docs: http://linux.die.net/man/5/mlocate.db +# Type: mlocate database file +# URL: https://fedorahosted.org/mlocate/ +# From: Wander Nauta +0 string \0mlocate mlocate database +>12 byte x \b, version %d +>13 byte 1 \b, require visibility +>16 string x \b, root %s diff --git a/magic/Magdir/mach b/magic/Magdir/mach index a9128a1..23b9f8a 100644 --- a/magic/Magdir/mach +++ b/magic/Magdir/mach @@ -1,191 +1,195 @@ #------------------------------------------------------------ -# $File: mach,v 1.14 2013/01/04 23:35:53 christos Exp $ +# $File: mach,v 1.19 2014/04/30 21:41:02 christos Exp $ # Mach has two magic numbers, 0xcafebabe and 0xfeedface. # Unfortunately the first, cafebabe, is shared with # Java ByteCode, so they are both handled in the file "cafebabe". # The "feedface" ones are handled herein. #------------------------------------------------------------ - -0 name mach-o-be ->0 byte 0xcf 64-bit # if set, it's for the 64-bit version of the architecture # yes, this is separate from the low-order magic number bit # it's also separate from the "64-bit libraries" bit in the # upper 8 bits of the CPU subtype ->4 belong&0x01000000 0 + +0 name mach-o-cpu +>0 belong&0x01000000 0 # # 32-bit ABIs. # # 1 vax ->>4 belong&0x00ffffff 1 ->>>8 belong&0x00ffffff 0 vax ->>>8 belong&0x00ffffff 1 vax11/780 ->>>8 belong&0x00ffffff 2 vax11/785 ->>>8 belong&0x00ffffff 3 vax11/750 ->>>8 belong&0x00ffffff 4 vax11/730 ->>>8 belong&0x00ffffff 5 uvaxI ->>>8 belong&0x00ffffff 6 uvaxII ->>>8 belong&0x00ffffff 7 vax8200 ->>>8 belong&0x00ffffff 8 vax8500 ->>>8 belong&0x00ffffff 9 vax8600 ->>>8 belong&0x00ffffff 10 vax8650 ->>>8 belong&0x00ffffff 11 vax8800 ->>>8 belong&0x00ffffff 12 uvaxIII ->>>8 belong&0x00ffffff >12 vax subarchitecture=%ld ->>4 belong&0x00ffffff 2 romp ->>4 belong&0x00ffffff 3 architecture=3 ->>4 belong&0x00ffffff 4 ns32032 ->>4 belong&0x00ffffff 5 ns32332 ->>4 belong&0x00ffffff 6 m68k +>>0 belong&0x00ffffff 1 +>>>4 belong&0x00ffffff 0 vax +>>>4 belong&0x00ffffff 1 vax11/780 +>>>4 belong&0x00ffffff 2 vax11/785 +>>>4 belong&0x00ffffff 3 vax11/750 +>>>4 belong&0x00ffffff 4 vax11/730 +>>>4 belong&0x00ffffff 5 uvaxI +>>>4 belong&0x00ffffff 6 uvaxII +>>>4 belong&0x00ffffff 7 vax8200 +>>>4 belong&0x00ffffff 8 vax8500 +>>>4 belong&0x00ffffff 9 vax8600 +>>>4 belong&0x00ffffff 10 vax8650 +>>>4 belong&0x00ffffff 11 vax8800 +>>>4 belong&0x00ffffff 12 uvaxIII +>>>4 belong&0x00ffffff >12 vax subarchitecture=%d +>>0 belong&0x00ffffff 2 romp +>>0 belong&0x00ffffff 3 architecture=3 +>>0 belong&0x00ffffff 4 ns32032 +>>0 belong&0x00ffffff 5 ns32332 +>>0 belong&0x00ffffff 6 m68k # 7 x86 ->>4 belong&0x00ffffff 7 ->>>8 belong&0x0000000f 3 i386 ->>>8 belong&0x0000000f 4 i486 ->>>>8 belong&0x00fffff0 0 ->>>>8 belong&0x00fffff0 0x80 \bsx ->>>8 belong&0x0000000f 5 i586 ->>>8 belong&0x0000000f 6 ->>>>8 belong&0x00fffff0 0 p6 ->>>>8 belong&0x00fffff0 0x10 pentium_pro ->>>>8 belong&0x00fffff0 0x20 pentium_2_m0x20 ->>>>8 belong&0x00fffff0 0x30 pentium_2_m3 ->>>>8 belong&0x00fffff0 0x40 pentium_2_m0x40 ->>>>8 belong&0x00fffff0 0x50 pentium_2_m5 ->>>>8 belong&0x00fffff0 >0x50 pentium_2_m0x%lx ->>>8 belong&0x0000000f 7 celeron ->>>>8 belong&0x00fffff0 0x00 \b_m0x%lx ->>>>8 belong&0x00fffff0 0x10 \b_m0x%lx ->>>>8 belong&0x00fffff0 0x20 \b_m0x%lx ->>>>8 belong&0x00fffff0 0x30 \b_m0x%lx ->>>>8 belong&0x00fffff0 0x40 \b_m0x%lx ->>>>8 belong&0x00fffff0 0x50 \b_m0x%lx ->>>>8 belong&0x00fffff0 0x60 ->>>>8 belong&0x00fffff0 0x70 \b_mobile ->>>>8 belong&0x00fffff0 >0x70 \b_m0x%lx ->>>8 belong&0x0000000f 8 pentium_3 ->>>>8 belong&0x00fffff0 0x00 ->>>>8 belong&0x00fffff0 0x10 \b_m ->>>>8 belong&0x00fffff0 0x20 \b_xeon ->>>>8 belong&0x00fffff0 >0x20 \b_m0x%lx ->>>8 belong&0x0000000f 9 pentiumM ->>>>8 belong&0x00fffff0 0x00 ->>>>8 belong&0x00fffff0 >0x00 \b_m0x%lx ->>>8 belong&0x0000000f 10 pentium_4 ->>>>8 belong&0x00fffff0 0x00 ->>>>8 belong&0x00fffff0 0x10 \b_m ->>>>8 belong&0x00fffff0 >0x10 \b_m0x%lx ->>>8 belong&0x0000000f 11 itanium ->>>>8 belong&0x00fffff0 0x00 ->>>>8 belong&0x00fffff0 0x10 \b_2 ->>>>8 belong&0x00fffff0 >0x10 \b_m0x%lx ->>>8 belong&0x0000000f 12 xeon ->>>>8 belong&0x00fffff0 0x00 ->>>>8 belong&0x00fffff0 0x10 \b_mp ->>>>8 belong&0x00fffff0 >0x10 \b_m0x%lx ->>>8 belong&0x0000000f >12 ia32 family=%ld ->>>>8 belong&0x00fffff0 0x00 ->>>>8 belong&0x00fffff0 >0x00 model=%lx ->>4 belong&0x00ffffff 8 mips ->>>8 belong&0x00ffffff 1 R2300 ->>>8 belong&0x00ffffff 2 R2600 ->>>8 belong&0x00ffffff 3 R2800 ->>>8 belong&0x00ffffff 4 R2000a ->>>8 belong&0x00ffffff 5 R2000 ->>>8 belong&0x00ffffff 6 R3000a ->>>8 belong&0x00ffffff 7 R3000 ->>>8 belong&0x00ffffff >7 subarchitecture=%ld ->>4 belong&0x00ffffff 9 ns32532 ->>4 belong&0x00ffffff 10 mc98000 ->>4 belong&0x00ffffff 11 hppa ->>>8 belong&0x00ffffff 0 7100 ->>>8 belong&0x00ffffff 1 7100LC ->>>8 belong&0x00ffffff >1 subarchitecture=%ld ->>4 belong&0x00ffffff 12 arm ->>>8 belong&0x00ffffff 0 ->>>8 belong&0x00ffffff 1 subarchitecture=%ld ->>>8 belong&0x00ffffff 2 subarchitecture=%ld ->>>8 belong&0x00ffffff 3 subarchitecture=%ld ->>>8 belong&0x00ffffff 4 subarchitecture=%ld ->>>8 belong&0x00ffffff 5 \b_v4t ->>>8 belong&0x00ffffff 6 \b_v6 ->>>8 belong&0x00ffffff 7 \b_v5tej ->>>8 belong&0x00ffffff 8 \b_xscale ->>>8 belong&0x00ffffff 9 \b_v7 ->>>8 belong&0x00ffffff 10 \b_v7f ->>>8 belong&0x00ffffff 11 subarchitecture=%ld ->>>8 belong&0x00ffffff 12 \b_v7k ->>>8 belong&0x00ffffff >12 subarchitecture=%ld +>>0 belong&0x00ffffff 7 +>>>4 belong&0x0000000f 3 i386 +>>>4 belong&0x0000000f 4 i486 +>>>>4 belong&0x00fffff0 0 +>>>>4 belong&0x00fffff0 0x80 \bsx +>>>4 belong&0x0000000f 5 i586 +>>>4 belong&0x0000000f 6 +>>>>4 belong&0x00fffff0 0 p6 +>>>>4 belong&0x00fffff0 0x10 pentium_pro +>>>>4 belong&0x00fffff0 0x20 pentium_2_m0x20 +>>>>4 belong&0x00fffff0 0x30 pentium_2_m3 +>>>>4 belong&0x00fffff0 0x40 pentium_2_m0x40 +>>>>4 belong&0x00fffff0 0x50 pentium_2_m5 +>>>>4 belong&0x00fffff0 >0x50 pentium_2_m0x%x +>>>4 belong&0x0000000f 7 celeron +>>>>4 belong&0x00fffff0 0x00 \b_m0x%x +>>>>4 belong&0x00fffff0 0x10 \b_m0x%x +>>>>4 belong&0x00fffff0 0x20 \b_m0x%x +>>>>4 belong&0x00fffff0 0x30 \b_m0x%x +>>>>4 belong&0x00fffff0 0x40 \b_m0x%x +>>>>4 belong&0x00fffff0 0x50 \b_m0x%x +>>>>4 belong&0x00fffff0 0x60 +>>>>4 belong&0x00fffff0 0x70 \b_mobile +>>>>4 belong&0x00fffff0 >0x70 \b_m0x%x +>>>4 belong&0x0000000f 8 pentium_3 +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_m +>>>>4 belong&0x00fffff0 0x20 \b_xeon +>>>>4 belong&0x00fffff0 >0x20 \b_m0x%x +>>>4 belong&0x0000000f 9 pentiumM +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 >0x00 \b_m0x%x +>>>4 belong&0x0000000f 10 pentium_4 +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_m +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>4 belong&0x0000000f 11 itanium +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_2 +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>4 belong&0x0000000f 12 xeon +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 0x10 \b_mp +>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>4 belong&0x0000000f >12 ia32 family=%d +>>>>4 belong&0x00fffff0 0x00 +>>>>4 belong&0x00fffff0 >0x00 model=%x +>>0 belong&0x00ffffff 8 mips +>>>4 belong&0x00ffffff 1 R2300 +>>>4 belong&0x00ffffff 2 R2600 +>>>4 belong&0x00ffffff 3 R2800 +>>>4 belong&0x00ffffff 4 R2000a +>>>4 belong&0x00ffffff 5 R2000 +>>>4 belong&0x00ffffff 6 R3000a +>>>4 belong&0x00ffffff 7 R3000 +>>>4 belong&0x00ffffff >7 subarchitecture=%d +>>0 belong&0x00ffffff 9 ns32532 +>>0 belong&0x00ffffff 10 mc98000 +>>0 belong&0x00ffffff 11 hppa +>>>4 belong&0x00ffffff 0 7100 +>>>4 belong&0x00ffffff 1 7100LC +>>>4 belong&0x00ffffff >1 subarchitecture=%d +>>0 belong&0x00ffffff 12 arm +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 subarchitecture=%d +>>>4 belong&0x00ffffff 2 subarchitecture=%d +>>>4 belong&0x00ffffff 3 subarchitecture=%d +>>>4 belong&0x00ffffff 4 subarchitecture=%d +>>>4 belong&0x00ffffff 5 \b_v4t +>>>4 belong&0x00ffffff 6 \b_v6 +>>>4 belong&0x00ffffff 7 \b_v5tej +>>>4 belong&0x00ffffff 8 \b_xscale +>>>4 belong&0x00ffffff 9 \b_v7 +>>>4 belong&0x00ffffff 10 \b_v7f +>>>4 belong&0x00ffffff 11 subarchitecture=%d +>>>4 belong&0x00ffffff 12 \b_v7k +>>>4 belong&0x00ffffff >12 subarchitecture=%d # 13 m88k ->>4 belong&0x00ffffff 13 ->>>8 belong&0x00ffffff 0 mc88000 ->>>8 belong&0x00ffffff 1 mc88100 ->>>8 belong&0x00ffffff 2 mc88110 ->>>8 belong&0x00ffffff >2 mc88000 subarchitecture=%ld ->>4 belong&0x00ffffff 14 sparc ->>4 belong&0x00ffffff 15 i860g ->>4 belong&0x00ffffff 16 alpha ->>4 belong&0x00ffffff 17 rs6000 ->>4 belong&0x00ffffff 18 ppc ->>>8 belong&0x00ffffff 0 ->>>8 belong&0x00ffffff 1 \b_601 ->>>8 belong&0x00ffffff 2 \b_602 ->>>8 belong&0x00ffffff 3 \b_603 ->>>8 belong&0x00ffffff 4 \b_603e ->>>8 belong&0x00ffffff 5 \b_603ev ->>>8 belong&0x00ffffff 6 \b_604 ->>>8 belong&0x00ffffff 7 \b_604e ->>>8 belong&0x00ffffff 8 \b_620 ->>>8 belong&0x00ffffff 9 \b_650 ->>>8 belong&0x00ffffff 10 \b_7400 ->>>8 belong&0x00ffffff 11 \b_7450 ->>>8 belong&0x00ffffff 100 \b_970 ->>>8 belong&0x00ffffff >100 subarchitecture=%ld ->>4 belong&0x00ffffff >18 architecture=%ld ->4 belong&0x01000000 0x01000000 +>>0 belong&0x00ffffff 13 +>>>4 belong&0x00ffffff 0 mc88000 +>>>4 belong&0x00ffffff 1 mc88100 +>>>4 belong&0x00ffffff 2 mc88110 +>>>4 belong&0x00ffffff >2 mc88000 subarchitecture=%d +>>0 belong&0x00ffffff 14 SPARC +>>0 belong&0x00ffffff 15 i860g +>>0 belong&0x00ffffff 16 alpha +>>0 belong&0x00ffffff 17 rs6000 +>>0 belong&0x00ffffff 18 ppc +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \b_601 +>>>4 belong&0x00ffffff 2 \b_602 +>>>4 belong&0x00ffffff 3 \b_603 +>>>4 belong&0x00ffffff 4 \b_603e +>>>4 belong&0x00ffffff 5 \b_603ev +>>>4 belong&0x00ffffff 6 \b_604 +>>>4 belong&0x00ffffff 7 \b_604e +>>>4 belong&0x00ffffff 8 \b_620 +>>>4 belong&0x00ffffff 9 \b_650 +>>>4 belong&0x00ffffff 10 \b_7400 +>>>4 belong&0x00ffffff 11 \b_7450 +>>>4 belong&0x00ffffff 100 \b_970 +>>>4 belong&0x00ffffff >100 subarchitecture=%d +>>0 belong&0x00ffffff >18 architecture=%d +>0 belong&0x01000000 0x01000000 # # 64-bit ABIs. # ->>4 belong&0x00ffffff 0 64-bit architecture=%ld ->>4 belong&0x00ffffff 1 64-bit architecture=%ld ->>4 belong&0x00ffffff 2 64-bit architecture=%ld ->>4 belong&0x00ffffff 3 64-bit architecture=%ld ->>4 belong&0x00ffffff 4 64-bit architecture=%ld ->>4 belong&0x00ffffff 5 64-bit architecture=%ld ->>4 belong&0x00ffffff 6 64-bit architecture=%ld ->>4 belong&0x00ffffff 7 x86_64 ->>>8 belong&0x00ffffff 0 subarchitecture=%ld ->>>8 belong&0x00ffffff 1 subarchitecture=%ld ->>>8 belong&0x00ffffff 2 subarchitecture=%ld ->>>8 belong&0x00ffffff 3 ->>>8 belong&0x00ffffff 4 \b_arch1 ->>>8 belong&0x00ffffff >4 subarchitecture=%ld ->>4 belong&0x00ffffff 8 64-bit architecture=%ld ->>4 belong&0x00ffffff 9 64-bit architecture=%ld ->>4 belong&0x00ffffff 10 64-bit architecture=%ld ->>4 belong&0x00ffffff 11 64-bit architecture=%ld ->>4 belong&0x00ffffff 12 64-bit architecture=%ld ->>4 belong&0x00ffffff 13 64-bit architecture=%ld ->>4 belong&0x00ffffff 14 64-bit architecture=%ld ->>4 belong&0x00ffffff 15 64-bit architecture=%ld ->>4 belong&0x00ffffff 16 64-bit architecture=%ld ->>4 belong&0x00ffffff 17 64-bit architecture=%ld ->>4 belong&0x00ffffff 18 ppc64 ->>>8 belong&0x00ffffff 0 ->>>8 belong&0x00ffffff 1 \b_601 ->>>8 belong&0x00ffffff 2 \b_602 ->>>8 belong&0x00ffffff 3 \b_603 ->>>8 belong&0x00ffffff 4 \b_603e ->>>8 belong&0x00ffffff 5 \b_603ev ->>>8 belong&0x00ffffff 6 \b_604 ->>>8 belong&0x00ffffff 7 \b_604e ->>>8 belong&0x00ffffff 8 \b_620 ->>>8 belong&0x00ffffff 9 \b_650 ->>>8 belong&0x00ffffff 10 \b_7400 ->>>8 belong&0x00ffffff 11 \b_7450 ->>>8 belong&0x00ffffff 100 \b_970 ->>>8 belong&0x00ffffff >100 subarchitecture=%ld ->>4 belong&0x00ffffff >18 64-bit architecture=%ld +>>0 belong&0x00ffffff 0 64-bit architecture=%d +>>0 belong&0x00ffffff 1 64-bit architecture=%d +>>0 belong&0x00ffffff 2 64-bit architecture=%d +>>0 belong&0x00ffffff 3 64-bit architecture=%d +>>0 belong&0x00ffffff 4 64-bit architecture=%d +>>0 belong&0x00ffffff 5 64-bit architecture=%d +>>0 belong&0x00ffffff 6 64-bit architecture=%d +>>0 belong&0x00ffffff 7 x86_64 +>>>4 belong&0x00ffffff 0 subarchitecture=%d +>>>4 belong&0x00ffffff 1 subarchitecture=%d +>>>4 belong&0x00ffffff 2 subarchitecture=%d +>>>4 belong&0x00ffffff 3 +>>>4 belong&0x00ffffff 4 \b_arch1 +>>>4 belong&0x00ffffff >4 subarchitecture=%d +>>0 belong&0x00ffffff 8 64-bit architecture=%d +>>0 belong&0x00ffffff 9 64-bit architecture=%d +>>0 belong&0x00ffffff 10 64-bit architecture=%d +>>0 belong&0x00ffffff 11 64-bit architecture=%d +>>0 belong&0x00ffffff 12 64-bit architecture=%d +>>0 belong&0x00ffffff 13 64-bit architecture=%d +>>0 belong&0x00ffffff 14 64-bit architecture=%d +>>0 belong&0x00ffffff 15 64-bit architecture=%d +>>0 belong&0x00ffffff 16 64-bit architecture=%d +>>0 belong&0x00ffffff 17 64-bit architecture=%d +>>0 belong&0x00ffffff 18 ppc64 +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \b_601 +>>>4 belong&0x00ffffff 2 \b_602 +>>>4 belong&0x00ffffff 3 \b_603 +>>>4 belong&0x00ffffff 4 \b_603e +>>>4 belong&0x00ffffff 5 \b_603ev +>>>4 belong&0x00ffffff 6 \b_604 +>>>4 belong&0x00ffffff 7 \b_604e +>>>4 belong&0x00ffffff 8 \b_620 +>>>4 belong&0x00ffffff 9 \b_650 +>>>4 belong&0x00ffffff 10 \b_7400 +>>>4 belong&0x00ffffff 11 \b_7450 +>>>4 belong&0x00ffffff 100 \b_970 +>>>4 belong&0x00ffffff >100 subarchitecture=%d +>>0 belong&0x00ffffff >18 64-bit architecture=%d + + +0 name mach-o-be +>0 byte 0xcf 64-bit +>4 use mach-o-cpu >12 belong 1 object >12 belong 2 executable >12 belong 3 fixed virtual memory shared library @@ -198,11 +202,13 @@ >12 belong 10 dSYM companion file >12 belong 11 kext bundle >12 belong >11 ->>12 belong x filetype=%ld +>>12 belong x filetype=%d # -0 lelong&0xfffffffe 0xfeedface Mach-O +0 lelong&0xfffffffe 0xfeedface Mach-O +!:strength +1 >0 use \^mach-o-be -0 belong&0xfffffffe 0xfeedface Mach-O +0 belong&0xfffffffe 0xfeedface Mach-O +!:strength +1 >0 use mach-o-be diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh index b9933b1..3ca2cab 100644 --- a/magic/Magdir/macintosh +++ b/magic/Magdir/macintosh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.22 2011/05/17 17:40:31 rrt Exp $ +# $File: macintosh,v 1.25 2014/09/03 13:34:16 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -165,7 +165,7 @@ #>65 string ZSYS (Pre-System 7 system file) #>65 string acf3 (Aldus FreeHand) #>65 string cdev (control panel) -#>65 string dfil (Desk Acessory suitcase) +#>65 string dfil (Desk Accessory suitcase) #>65 string libr (library) #>65 string nX^d (WriteNow word processor) #>65 string nX^w (WriteNow dictionary) @@ -263,6 +263,9 @@ 0 string $FL2 SPSS System File >24 string x %s +0 string $FL3 SPSS System File +>24 string x %s + # Macintosh filesystem data # From "Tom N Harris" # Fixed HFS+ and Partition map magic: Ethan Benson @@ -285,20 +288,38 @@ >0x412 beshort x number of blocks: %d, >0x424 pstring x volume name: %s +# *.hfs updated by Joerg Jenderek +# http://en.wikipedia.org/wiki/Hierarchical_File_System # "BD" gives many false positives -#0x400 beshort 0x4244 Macintosh HFS data -#>0 beshort 0x4C4B (bootable) -#>0x40a beshort &0x8000 (locked) -#>0x40a beshort ^0x0100 (mounted) -#>0x40a beshort &0x0200 (spared blocks) -#>0x40a beshort &0x0800 (unclean) -#>0x47C beshort 0x482B (Embedded HFS+ Volume) -#>0x402 beldate-0x7C25B080 x created: %s, -#>0x406 beldate-0x7C25B080 x last modified: %s, -#>0x440 beldate-0x7C25B080 >0 last backup: %s, -#>0x414 belong x block size: %d, -#>0x412 beshort x number of blocks: %d, -#>0x424 pstring x volume name: %s +0x400 beshort 0x4244 +# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h +# first block of volume bit map (always 3) +>0x40e ubeshort 0x0003 +# maximal length of volume name is 27 +>>0x424 ubyte <28 Macintosh HFS data +#!:mime application/octet-stream +# these mime and apple types are not sure +!:mime application/x-apple-diskimage +#!:apple hfsdINIT +#!:apple MACSdisk +>>>0 beshort 0x4C4B (bootable) +#>>>0 beshort 0x0000 (not bootable) +>>>0x40a beshort &0x8000 (locked) +>>>0x40a beshort ^0x0100 (mounted) +>>>0x40a beshort &0x0200 (spared blocks) +>>>0x40a beshort &0x0800 (unclean) +>>>0x47C beshort 0x482B (Embedded HFS+ Volume) +# http://www.epochconverter.com/ +# 0x7C245F00 seconds ~ 2082758400 ~ 01 Jan 2036 00:00:00 ~ 66 years to 1970 +# 0x7C25B080 seconds ~ 2082844800 ~ 02 Jan 2036 00:00:00 +# construct not working +#>>>0x402 beldate-0x7C25B080 x created: %s, +#>>>0x406 beldate-0x7C25B080 x last modified: %s, +#>>>0x440 beldate-0x7C25B080 >0 last backup: %s, +# found block sizes 200h,1200h,2800h +>>>0x414 belong x block size: %d, +>>>0x412 beshort x number of blocks: %d, +>>>0x424 pstring x volume name: %s 0x400 beshort 0x482B Macintosh HFS Extended >&0 beshort x version %d data @@ -319,43 +340,9 @@ >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d -# I don't think this is really necessary since it doesn't do much and -# anything with a valid driver descriptor will also have a valid -# partition map -#0 beshort 0x4552 Apple Device Driver data -#>&24 beshort =1 \b, MacOS - -# Is that the partition type a cstring or a pstring? Well, IM says "strings -# shorter than 32 bytes must be terminated with NULL" so I'll treat it as a -# cstring. Of course, partitions can contain more than four entries, but -# what're you gonna do? -# GRR: This magic is too weak, it is just "PM" -#0x200 beshort 0x504D Apple Partition data -#>0x2 beshort x (block size: %d): -#>0x230 string x first type: %s, -#>0x210 string x name: %s, -#>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D -#>>0x430 string x second type: %s, -#>>0x410 string x name: %s, -#>>0x454 belong x number of blocks: %d, -#>>0x600 beshort 0x504D -#>>>0x630 string x third type: %s, -#>>>0x610 string x name: %s, -#>>>0x654 belong x number of blocks: %d, -#>>0x800 beshort 0x504D -#>>>0x830 string x fourth type: %s, -#>>>0x810 string x name: %s, -#>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D -#>>>>0xa30 string x fifth type: %s, -#>>>>0xa10 string x name: %s, -#>>>>0xa54 belong x number of blocks: %d -#>>>0xc00 beshort 0x504D -#>>>>0xc30 string x sixth type: %s, -#>>>>0xc10 string x name: %s, -#>>>>0xc54 belong x number of blocks: %d ## AFAIK, only the signature is different +# same as Apple Partition Map +# GRR: This magic is too weak, it is just "TS" #0x200 beshort 0x5453 Apple Old Partition data #>0x2 beshort x block size: %d, #>0x230 string x first type: %s, diff --git a/magic/Magdir/map b/magic/Magdir/map new file mode 100644 index 0000000..d9471fe --- /dev/null +++ b/magic/Magdir/map @@ -0,0 +1,25 @@ + + +#------------------------------------------------------------------------------ +# $File: map,v 1.1 2014/06/03 18:22:25 christos Exp $ +# map: file(1) magic for Map data +# + +# Garmin .FIT files http://pub.ks-and-ks.ne.jp/cycling/edge500_fit.shtml +8 string .FIT FIT Map data +>15 byte 0 +>>35 belong x \b, unit id %d +# 20 years after unix epoch +>>39 lelong x \b, serial %u +>>43 ledate/631152000 x \b, %s + +>>47 leshort x \b, manufacturer %d +>>47 leshort 1 \b (garmin) +>>49 leshort x \b, product %d +>>53 byte x \b, type %d +>>53 byte 1 \b (Device) +>>53 byte 2 \b (Settings) +>>53 byte 3 \b (Sports/Cycling) +>>53 byte 4 \b (Activity) +>>53 byte 8 \b (Elevations) +>>53 byte 10 \b (Totals) diff --git a/magic/Magdir/marc21 b/magic/Magdir/marc21 index 83f7959..7e859a3 100644 --- a/magic/Magdir/marc21 +++ b/magic/Magdir/marc21 @@ -12,17 +12,17 @@ 20 string 45 # leader starts with 5 digits, followed by codes specific to MARC format ->0 regex/1 (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic +>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic !:mime application/marc ->0 regex/1 (^[0-9]{5})[acdnosx][z] MARC21 Authority +>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority !:mime application/marc ->0 regex/1 (^[0-9]{5})[cdn][uvxy] MARC21 Holdings +>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings !:mime application/marc -0 regex/1 (^[0-9]{5})[acdn][w] MARC21 Classification +0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification !:mime application/marc ->0 regex/1 (^[0-9]{5})[cdn][q] MARC21 Community +>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community !:mime application/marc # leader position 22-23, should be "00" but is it? ->0 regex/1 (^.{21})([^0]{2}) (non-conforming) +>0 regex/1l (^.{21})([^0]{2}) (non-conforming) !:mime application/marc diff --git a/magic/Magdir/meteorological b/magic/Magdir/meteorological new file mode 100644 index 0000000..541bbbf --- /dev/null +++ b/magic/Magdir/meteorological @@ -0,0 +1,49 @@ + +#------------------------------------------------------------------------------ +# $File: meteorological,v 1.1 2014/08/04 06:26:16 christos Exp $ +# rinex: file(1) magic for RINEX files +# http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt +# ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf +# data for testing: ftp://cddis.gsfc.nasa.gov/pub/gps/data +60 string RINEX +>80 search/256 XXRINEXB RINEX Data, GEO SBAS Broadcast +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/broadcast +>80 search/256 XXRINEXD RINEX Data, Observation (Hatanaka comp) +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/observation +>80 search/256 XXRINEXC RINEX Data, Clock +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/clock +>80 search/256 XXRINEXH RINEX Data, GEO SBAS Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXG RINEX Data, GLONASS Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXL RINEX Data, Galileo Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXM RINEX Data, Meteorological +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/meteorological +>80 search/256 XXRINEXN RINEX Data, Navigation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/navigation +>80 search/256 XXRINEXO RINEX Data, Observation +>>&32 string x \b, date %15.15s +>>5 string x \b, version %6.6s +!:mime rinex/observation + +# https://en.wikipedia.org/wiki/GRIB +0 string GRIB +>7 byte =1 Gridded binary (GRIB) version 1 +>7 byte =2 Gridded binary (GRIB) version 2 diff --git a/magic/Magdir/mips b/magic/Magdir/mips index 8ed3567..fe83614 100644 --- a/magic/Magdir/mips +++ b/magic/Magdir/mips @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: mips,v 1.9 2013/01/12 03:09:51 christos Exp $ +# $File: mips,v 1.10 2014/04/30 21:41:02 christos Exp $ # mips: file(1) magic for MIPS ECOFF and Ucode, as used in SGI IRIX # and DEC Ultrix # @@ -10,8 +10,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x0162 MIPSEL-BE ECOFF executable >20 beshort 0407 (impure) @@ -20,7 +20,7 @@ >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d ->22 byte x \b.%ld +>22 byte x \b.%d # 0 beshort 0x6001 MIPSEB-LE ECOFF executable >20 beshort 03401 (impure) @@ -29,7 +29,7 @@ >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d ->22 byte x \b.%ld +>22 byte x \b.%d # 0 beshort 0x6201 MIPSEL ECOFF executable >20 beshort 03401 (impure) @@ -37,8 +37,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # # MIPS 2 additions # @@ -48,8 +48,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable >20 beshort 0407 (impure) @@ -57,8 +57,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable >20 beshort 03401 (impure) @@ -66,8 +66,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # 0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable >20 beshort 03401 (impure) @@ -75,8 +75,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # # MIPS 3 additions # @@ -86,8 +86,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable >20 beshort 0407 (impure) @@ -95,8 +95,8 @@ >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->22 byte x - version %ld ->23 byte x \b.%ld +>22 byte x - version %d +>23 byte x \b.%d # 0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable >20 beshort 03401 (impure) @@ -104,8 +104,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # 0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable >20 beshort 03401 (impure) @@ -113,8 +113,8 @@ >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped ->23 byte x - version %ld ->22 byte x \b.%ld +>23 byte x - version %d +>22 byte x \b.%d # 0 beshort 0x180 MIPSEB Ucode 0 beshort 0x182 MIPSEL-BE Ucode diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools index 06bd7b7..0367ec0 100644 --- a/magic/Magdir/misctools +++ b/magic/Magdir/misctools @@ -1,6 +1,6 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.13 2013/01/16 13:53:10 christos Exp $ +# $File: misctools,v 1.14 2014/03/06 16:08:58 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text @@ -21,3 +21,8 @@ # From: Daniel Novotny 0 string MDMP\x93\xA7 MDMP crash report data + +# Summary: abook addressbook file +# Submitted by: Mark Schreiber +0 string #\x20abook\x20addressbook\x20file abook address book +!:mime application/x-abook-addressbook diff --git a/magic/Magdir/motorola b/magic/Magdir/motorola index b56e5e4..e19a907 100644 --- a/magic/Magdir/motorola +++ b/magic/Magdir/motorola @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: motorola,v 1.10 2009/09/19 16:28:11 christos Exp $ +# $File: motorola,v 1.11 2014/04/30 21:41:02 christos Exp $ # motorola: file(1) magic for Motorola 68K and 88K binaries # # 68K @@ -40,27 +40,27 @@ # not larger than 1 MB (which is a lot on ST). # The additional 0x601b distinction I took from Doug Lee's magic. 0 belong&0xFFFFFFF0 0x601A0000 Atari ST M68K contiguous executable ->2 belong x (txt=%ld, ->6 belong x dat=%ld, ->10 belong x bss=%ld, ->14 belong x sym=%ld) +>2 belong x (txt=%d, +>6 belong x dat=%d, +>10 belong x bss=%d, +>14 belong x sym=%d) 0 belong&0xFFFFFFF0 0x601B0000 Atari ST M68K non-contig executable ->2 belong x (txt=%ld, ->6 belong x dat=%ld, ->10 belong x bss=%ld, ->14 belong x sym=%ld) +>2 belong x (txt=%d, +>6 belong x dat=%d, +>10 belong x bss=%d, +>14 belong x sym=%d) # Atari ST/TT... program format (sent by Wolfram Kleff ) 0 beshort 0x601A Atari 68xxx executable, ->2 belong x text len %lu, ->6 belong x data len %lu, ->10 belong x BSS len %lu, ->14 belong x symboltab len %lu, +>2 belong x text len %u, +>6 belong x data len %u, +>10 belong x BSS len %u, +>14 belong x symboltab len %u, >18 belong 0 >22 belong &0x01 fastload flag, >22 belong &0x02 may be loaded to alternate RAM, >22 belong &0x04 malloc may be from alternate RAM, ->22 belong x flags: 0x%lX, +>22 belong x flags: 0x%X, >26 beshort 0 no relocation tab >26 beshort !0 + relocation tab >30 string SFX [Self-Extracting LZH SFX archive] @@ -68,4 +68,4 @@ >44 string ZIP! [Self-Extracting ZIP SFX archive] 0 beshort 0x0064 Atari 68xxx CPX file ->8 beshort x (version %04lx) +>8 beshort x (version %04x) diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index 1498509..64d4862 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.84 2013/02/05 13:55:22 christos Exp $ +# $File: msdos,v 1.100 2014/06/03 19:17:27 christos Exp $ # msdos: file(1) magic for MS-DOS files # @@ -42,9 +42,9 @@ # Many of the compressed formats were extraced from IDARC 1.23 source code. # 0 string/b MZ -!:mime application/x-dosexec # All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. >0x18 leshort <0x40 MS-DOS executable +!:mime application/x-dosexec # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) @@ -56,6 +56,7 @@ # Maybe it's a PE? >>(0x3c.l) string PE\0\0 PE +!:mime application/x-dosexec >>>(0x3c.l+24) leshort 0x010b \b32 executable >>>(0x3c.l+24) leshort 0x020b \b32+ executable >>>(0x3c.l+24) leshort 0x0107 ROM image @@ -134,8 +135,10 @@ # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable +!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE +!:mime application/x-dosexec >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS @@ -150,6 +153,7 @@ >>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) >>(0x3c.l) string LX\0\0 \b, LX +!:mime application/x-dosexec >>>(0x3c.l+0x0a) leshort <1 (unknown OS) >>>(0x3c.l+0x0a) leshort 1 for OS/2 >>>(0x3c.l+0x0a) leshort 2 for MS Windows @@ -168,8 +172,10 @@ # MS Windows system file, supposedly a collection of LE executables >>(0x3c.l) string W3 \b, W3 for MS Windows +!:mime application/x-dosexec >>(0x3c.l) string LE\0\0 \b, LE executable +!:mime application/x-dosexec >>>(0x3c.l+0x0a) leshort 1 # some DOS extenders use LE files with OS/2 header >>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender @@ -196,6 +202,7 @@ # and definitely not NE/LE/LX/PE >>0x3c lelong >0x20000000 >>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS +!:mime application/x-dosexec # header data too small for extended executable >2 long !0 >>0x18 leshort <0x40 @@ -203,17 +210,19 @@ >>>>&(2.s-514) string !LE >>>>>&-2 string !BW \b, MZ for MS-DOS +!:mime application/x-dosexec >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender # educated guess since indirection is still not capable enough for complex offset # calculations (next embedded executable would be at &(&2*512+&0-2) # I suspect there are only LE executables in these multi-exe files >>>>&(2.s-514) string BW ->>>>>0x240 search/0x100 DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded) ->>>>>0x240 search/0x100 !DOS/4G ,\b BW collection for MS-DOS +>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) +>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS # This sequence skips to the first COFF segment, usually .text >(4.s*512) leshort 0x014c \b, COFF +!:mime application/x-dosexec >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s @@ -373,7 +382,7 @@ # they have their real name at offset 22 >>>>>22 string >\0 \b%-.5s >4 uleshort&0x8000 0x0000 -# 32 bit sector adressing ( > 32 MB) for block devices +# 32 bit sector addressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h >4 uleshort&0x0040 0x0040 \b,IOCTL- @@ -578,16 +587,48 @@ #ico files 0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows -# Windows icons (Ian Springer ) -0 string/b \000\000\001\000 MS Windows icon resource +# Windows icons +0 name ico-dir +# not entirely accurate, the number of icons is part of the header +>0 byte 1 - 1 icon +>0 ubyte >1 - %d icons +>2 byte 0 \b, 256x +>2 byte !0 \b, %dx +>3 byte 0 \b256 +>3 byte !0 \b%d +>4 ubyte !0 \b, %d colors + +0 belong 0x00000100 +>9 byte 0 +>>0 byte x MS Windows icon resource !:mime image/x-icon ->4 byte 1 - 1 icon ->4 byte >1 - %d icons ->>6 byte >0 \b, %dx ->>>7 byte >0 \b%d ->>8 byte 0 \b, 256-colors ->>8 byte >0 \b, %d-colors - +>>4 use ico-dir +>9 ubyte 0xff +>>0 byte x MS Windows icon resource +!:mime image/x-icon +>>4 use ico-dir + +# Windows non-animated cursors +0 name cur-dir +# not entirely accurate, the number of icons is part of the header +>0 byte 1 - 1 icon +>0 ubyte >1 - %d icons +>2 byte 0 \b, 256x +>2 byte !0 \b, %dx +>3 byte 0 \b256 +>3 byte !0 \b%d +>6 uleshort x \b, hotspot @%dx +>8 uleshort x \b%d + +0 belong 0x00000200 +>9 byte 0 +>>0 byte x MS Windows cursor resource +!:mime image/x-cur +>>4 use cur-dir +>9 ubyte 0xff +>>0 byte x MS Windows cursor resource +!:mime image/x-cur +>>4 use cur-dir # .chr files 0 string/b PK\010\010BGI Borland font @@ -645,16 +686,14 @@ 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file -# WARNING: below line conflicts with Infocom game data Z-machine 3 -0 byte 0x03 ->0x02 byte <0x13 DBase 3 data file ->>0x04 lelong 0 (no records) ->>0x04 lelong >0 (%ld records) -0 byte 0x83 ->0x02 byte <0x13 DBase 3 data file with memo(s) ->>0x04 lelong 0 (no records) ->>0x04 lelong >0 (%ld records) -0 leshort 0x0006 DBase 3 index file +# Debian#712046: The magic below identifies "Delphi compiled form data". +# An additional source of information is available at: +# http://www.woodmann.com/fravia/dafix_t1.htm +0 string TPF0 +>4 pstring >\0 Delphi compiled form '%s' + +# tests for DBase files moved, updated and merged to database + 0 string PMCC Windows 3.x .GRP file 1 string RDC-meg MegaDots >8 byte >0x2F version %c @@ -710,6 +749,19 @@ 0 leshort 0x223e9f78 TNEF !:mime application/vnd.ms-tnef +# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C +# of http://www.davep.org/norton-guides/ng2h-105.tgz +# http://en.wikipedia.org/wiki/Norton_Guides +0 string NG\0\001 +# only value 0x100 found at offset 2 +>2 ulelong 0x00000100 Norton Guide +# Title[40] +>>8 string >\0 "%-.40s" +#>>6 uleshort x \b, MenuCount=%u +# szCredits[5][66] +>>48 string >\0 \b, %-.66s +>>114 string >\0 %-.66s + # 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of http://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm @@ -764,90 +816,6 @@ >40 string \ EMF Windows Enhanced Metafile (EMF) image data >>44 ulelong x version 0x%x -# From: Alex Beregszaszi -0 string/b COWD VMWare3 ->4 byte 3 disk image ->>32 lelong x (%d/ ->>36 lelong x \b%d/ ->>40 lelong x \b%d) ->4 byte 2 undoable disk image ->>32 string >\0 (%s) - -0 string/b VMDK VMware4 disk image -0 string/b KDMV VMware4 disk image - -#-------------------------------------------------------------------- -# Qemu Emulator Images -# Lines written by Friedrich Schwittay (f.schwittay@yousable.de) -# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) -# Made by reading sources, reading documentation, and doing trial and error -# on existing QCOW files -0 string/b QFI\xFB QEMU QCOW Image - -# Uncomment the following line to display Magic (only used for debugging -# this magic number) -#>0 string/b x , Magic: %s - -# There are currently 2 Versions: "1" and "2". -# http://www.gnome.org/~markmc/qcow-image-format-version-1.html ->4 belong 1 (v1) - -# Using the existence of the Backing File Offset to determine whether -# to read Backing File Information ->>12 belong >0 \b, has backing file ( -# Note that this isn't a null-terminated string; the length is actually -# (16.L). Assuming a null-terminated string happens to work usually, but it -# may spew junk until it reaches a \0 in some cases. ->>>(12.L) string >\0 \bpath %s - -# Modification time of the Backing File -# Really useful if you want to know if your backing -# file is still usable together with this image ->>>>20 bedate >0 \b, mtime %s) ->>>>20 default x \b) - -# Size is stored in bytes in a big-endian u64. ->>24 bequad x \b, %lld bytes - -# 1 for AES encryption, 0 for none. ->>36 belong 1 \b, AES-encrypted - -# http://www.gnome.org/~markmc/qcow-image-format.html ->4 belong 2 (v2) -# Using the existence of the Backing File Offset to determine whether -# to read Backing File Information ->>8 bequad >0 \b, has backing file -# Note that this isn't a null-terminated string; the length is actually -# (16.L). Assuming a null-terminated string happens to work usually, but it -# may spew junk until it reaches a \0 in some cases. Also, since there's no -# .Q modifier, we just use the bottom four bytes as an offset. Note that if -# the file is over 4G, and the backing file path is stored after the first 4G, -# the wrong filename will be printed. (This should be (8.Q), when that syntax -# is introduced.) ->>>(12.L) string >\0 (path %s) ->>24 bequad x \b, %lld bytes ->>32 belong 1 \b, AES-encrypted - ->4 default x (unknown version) - -0 string/b QEVM QEMU suspend to disk image - -# QEMU QED Image -# http://wiki.qemu.org/Features/QED/Specification -0 string/b QED\0 QEMU QED Image - -# VDI Image -64 string/b \x7f\x10\xda\xbe VDI Image ->68 string/b \x01\x00\x01\x00 version 1.1 ->0 string >\0 (%s) ->368 lequad x \b, %lld bytes - -0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, ->32 string x type %s, ->48 string x subtype %s - -0 lelong 0x02468ace Bochs Sparse disk image - # from http://filext.com by Derek M Jones # False positive with PPT (also currently this string is too long) #0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer @@ -881,8 +849,8 @@ # URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp # From: Morten Hustveit 0 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), ->16 lelong >0 %hd x ->12 lelong >0 %hd, +>16 lelong >0 %d x +>12 lelong >0 %d, >84 string x %.4s # Type: Microsoft Document Imaging Format (.mdi) diff --git a/magic/Magdir/msooxml b/magic/Magdir/msooxml index c627644..059e729 100644 --- a/magic/Magdir/msooxml +++ b/magic/Magdir/msooxml @@ -1,35 +1,36 @@ #------------------------------------------------------------------------------ -# $File: msooxml,v 1.2 2013/01/25 23:04:37 christos Exp $ +# $File: msooxml,v 1.5 2014/08/05 07:38:45 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown # .docx, .pptx, and .xlsx are XML plus other files inside a ZIP # archive. The first member file is normally "[Content_Types].xml". +# but some libreoffice generated files put this later. Perhaps skip +# the "[Content_Types].xml" test? # Since MSOOXML doesn't have anything like the uncompressed "mimetype" # file of ePub or OpenDocument, we'll have to scan for a filename # which can distinguish between the three types # start by checking for ZIP local file header signature -0 string PK\003\004 +0 string PK\003\004 +!:strength +10 # make sure the first file is correct ->0x1E string [Content_Types].xml +>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels # skip to the second local file header -# since some documents include a 520-byte extra field following the file -# header, we need to scan for the next header ->>(18.l+49) search/2000 PK\003\004 +# since some documents include a 520-byte extra field following the file +# header, we need to scan for the next header +>>(18.l+49) search/2000 PK\003\004 # now skip to the *third* local file header; again, we need to scan due to a -# 520-byte extra field following the file header ->>>&26 search/1000 PK\003\004 +# 520-byte extra field following the file header +>>>&26 search/1000 PK\003\004 # and check the subdirectory name to determine which type of OOXML -# file we have -# Correct the mimetype with the registered ones: -# http://technet.microsoft.com/en-us/library/cc179224.aspx ->>>>&26 string word/ Microsoft Word 2007+ +# file we have. Correct the mimetype with the registered ones: +# http://technet.microsoft.com/en-us/library/cc179224.aspx +>>>>&26 string word/ Microsoft Word 2007+ !:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document ->>>>&26 string ppt/ Microsoft PowerPoint 2007+ +>>>>&26 string ppt/ Microsoft PowerPoint 2007+ !:mime application/vnd.openxmlformats-officedocument.presentationml.presentation ->>>>&26 string xl/ Microsoft Excel 2007+ +>>>>&26 string xl/ Microsoft Excel 2007+ !:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet ->>>>&26 default x Microsoft OOXML -!:strength +10 +>>>>&26 default x Microsoft OOXML diff --git a/magic/Magdir/msx b/magic/Magdir/msx new file mode 100644 index 0000000..0eacbe5 --- /dev/null +++ b/magic/Magdir/msx @@ -0,0 +1,255 @@ + +#------------------------------------------------------------------------------ +# msx: file(1) magic for the MSX Home Computer +# v1.1 +# Fabio R. Schmidlin + +############## MSX Music file formats ############## + +# Gigamix MGSDRV music file +0 string MGS MSX Gigamix MGSDRV3 music file, +>6 ubeshort 0x0D0A +>>3 byte x \bv%c +>>4 byte x \b.%c +>>5 byte x \b%c +>>8 string >\0 \b, title: %s + +1 string mgs2\ MSX Gigamix MGSDRV2 music file +>6 uleshort 0x80 +>>0x2E uleshort 0 +>>>0x30 string >\0 \b, title: %s + +# KSS music file +0 string KSCC KSS music file v1.03 +>0xE byte 0 +>>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) +>>0xF byte&0x02 2 \b, soundchip(s): SN76489 +>>>0xF byte&0x04 4 stereo +>>0xF byte&0x01 1 \b, YM2413 +>>0xF byte&0x08 8 \b, Y8950 + +0 string KSSX KSS music file v1.20 +>0xE byte&0xEF 0 +>>0xF byte&0x40 0x00 \b, 60Hz +>>0xF byte&0x40 0x40 \b, 50Hz +>>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) +>>0xF byte&0x02 0x02 \b, soundchips: SN76489 +>>>0xF byte&0x04 0x04 stereo +>>0xF byte&0x01 0x01 \b, +>>>0xF byte&0x18 0x00 \bYM2413 +>>>0xF byte&0x18 0x08 \bYM2413, Y8950 +>>>0xF byte&0x18 0x18 \bYM2413+Y8950 pseudostereo +>>0xF byte&0x18 0x10 \b, Majyutsushi DAC + +# Moonblaster for Moonsound +0 string MBMS +>4 byte 0x10 MSX Moonblaster for MoonSound music + +# Music Player K-kaz +0 string MPK MSX Music Player K-kaz song +>6 ubeshort 0x0D0A +>>3 byte x v%c +>>4 byte x \b.%c +>>5 byte x \b%c + +# I don't know why these don't work +#0 search/0xFFFF \r\n.FM9 +#>0 search/0xFFFF \r\n#FORMAT MSX Music Player K-kaz source MML file +#0 search/0xFFFF \r\nFM1\ \= +#>0 search/0xFFFF \r\nPSG1\= +#>>0 search/0xFFFF \r\nSCC1\= MSX MuSiCa MML source file + +# OPX Music file +0x35 beshort 0x0d0a +>0x7B beshort 0x0d0a +>>0x7D byte 0x1a +>>>0x87 uleshort 0 MSX OPX Music file +>>>>0x86 byte 0 v1.5 +>>>>>0 string >\32 \b, title: %s +>>>>0x86 byte 1 v2.4 +>>>>>0 string >\32 \b, title: %s + +# SCMD music file +0x8B string SCMD +>0xCE uleshort 0 MSX SCMD Music file +#>>-2 uleshort 0x6a71 ; The file must end with this value. How to code this here? +>>0x8F string >\0 \b, title: %s + +0 search/0xFFFF \r\n@title +>&0 search/0xFFFF \r\n@m=[ MSX SCMD source MML file + + +############## MSX image file formats ############## + +# MSX raw VRAM dump +0 ubyte 0xFE +>1 uleshort 0 +>>5 uleshort 0 +>>>3 uleshort 0x37FF MSX SC2/GRP raw image +>>>3 uleshort 0x6A00 MSX Graph Saurus SR5 raw image +>>>3 uleshort >0x769E +>>>>3 uleshort <0x8000 MSX GE5/GE6 raw image +>>>>>3 uleshort 0x7FFF \b, with sprite patterns +>>>3 uleshort 0xD3FF MSX screen 7-12 raw image +>>>3 uleshort 0xD400 MSX Graph Saurus SR7/SR8/SRS raw image + +# Graph Saurus compressed images +0 ubyte 0xFD +>1 uleshort 0 +>>5 uleshort 0 +>>>3 uleshort >0x013D MSX Graph Saurus compressed image + +# Maki-chan Graphic format +0 string MAKI02\ \ Maki-chan image, +>8 byte x system ID: %c +>9 byte x \b%c +>10 byte x \b%c +>11 byte x \b%c, +>13 search/0x200 \x1A +# >>&3 ubyte 0 , video mode: PC-98 400 lines, 16 analog colors +# >>&3 ubyte 1 , video mode: MSX SC7, 16 analog colors +# >>&3 ubyte 2 , video mode: VM-98 400 lines, 8 analog colors +# >>&3 ubyte 3 , video mode: PC-88 analog, 200 lines, 8 analog colors +# >>&3 ubyte 4 , video mode: 400 lines, 16 digital colors +# >>&3 ubyte 5 , video mode: 200 lines, 16 digital colors +# >>&3 ubyte 6 , video mode: old PC-98 digital 400 lines, 8 colors +# >>&3 ubyte 7 , video mode: PC-88 400 lines, 8 digital colors +>>&8 uleshort+1 x %dx +>>&10 uleshort+1 x \b%d, +>>&3 ubyte&0x82 0x80 256 colors +>>&3 ubyte&0x82 0x00 16 colors +>>&3 ubyte&0x82 0x01 8 colors +>>&3 ubyte&0x04 4 digital +>>&3 ubyte&0x04 0 analog +>>&3 ubyte&0x01 1 \b, 2:1 dot aspect ratio + +# Japanese PIC file +0 string PIC\x1A +>4 lelong 0 Japanese PIC image file + +# MSX G9B image file +0 string G9B +>1 uleshort 11 +>>3 uleshort >10 +>>>5 ubyte >0 MSX G9B image, depth=%d +>>>>8 uleshort x \b, %dx +>>>>10 uleshort x \b%d +>>>>5 ubyte <9 +>>>>>6 ubyte 0 +>>>>>>7 ubyte x \b, codec=%d RGB color palettes +>>>>>6 ubyte 64 \b, codec=RGB fixed color +>>>>>6 ubyte 128 \b, codec=YJK +>>>>>6 ubyte 192 \b, codec=YUV +>>>>5 ubyte >8 codec=RGB fixed color +>>>>12 ubyte 0 \b, raw +>>>>12 ubyte 1 \b, bitbuster compression + +############## Other MSX file formats ############## + +# MSX ROMs +0 string AB +>2 uleshort 0x0010 MSX ROM +>>2 uleshort x \b, init=0x%4x +>>4 uleshort >0 \b, stat=0x%4x +>>6 uleshort >0 \b, dev=0x%4x +>>8 uleshort >0 \b, bas=0x%4x +>2 uleshort 0x4010 MSX ROM +>>2 uleshort x \b, init=0x%04x +>>4 uleshort >0 \b, stat=0x%04x +>>6 uleshort >0 \b, dev=0x%04x +>>8 uleshort >0 \b, bas=0x%04x +>2 uleshort 0x8010 MSX ROM +>>2 uleshort x \b, init=0x%04x +>>4 uleshort >0 \b, stat=0x%04x +>>6 uleshort >0 \b, dev=0x%04x +>>8 uleshort >0 \b, bas=0x%04x + +0 string AB +#>2 string 5JSuperLAYDOCK MSX Super Laydock ROM +#>3 string @HYDLIDE3MSX MSX Hydlide-3 ROM +#>3 string @3\x80IA862 Golvellius MSX1 ROM +>2 uleshort >10 +>>10 string \0\0\0\0\0\0 MSX ROM +>>>0x10 string YZ\0\0\0\0 Konami Game Master 2 MSX ROM +>>>0x10 string CD \b, Konami RC- +>>>>0x12 ubyte x \b%d +>>>>0x13 ubyte/16 x \b%d +>>>>0x13 ubyte&0xF x \b%d +>>>0x10 string EF \b, Konami RC- +>>>>0x12 ubyte x \b%d +>>>>0x13 ubyte/16 x \b%d +>>>>0x13 ubyte&0xF x \b%d +>>>2 uleshort x \b, init=0x%04x +>>>4 uleshort >0 \b, stat=0x%04x +>>>6 uleshort >0 \b, dev=0x%04x +>>>8 uleshort >0 \b, bas=0x%04x +>2 uleshort 0 +>>4 uleshort 0 +>>>6 uleshort 0 +>>>>8 uleshort >0 MSX BASIC program in ROM, bas=0x%04x + +0x4000 string AB +>0x4002 uleshort >0x4010 +>>0x400A string \0\0\0\0\0\0 MSX MegaROM with nonstandard page order +>>0x4002 uleshort x \b, init=0x%04x +>>0x4004 uleshort >0 \b, stat=0x%04x +>>0x4006 uleshort >0 \b, dev=0x%04x +>>0x4008 uleshort >0 \b, bas=0x%04x + +0x8000 string AB +>0x8002 uleshort >0x4010 +>>0x800A string \0\0\0\0\0\0 MSX MegaROM with nonstandard page order +>>0x8002 uleshort x \b, init=0x%04x +>>0x8004 uleshort >0 \b, stat=0x%04x +>>0x8006 uleshort >0 \b, dev=0x%04x +>>0x8008 uleshort >0 \b, bas=0x%04x + + +0x3C000 string AB +>0x3C008 string \0\0\0\0\0\0\0\0 MSX MegaROM with nonstandard page order +>>0x3C002 uleshort x \b, init=0x%04x +>>0x3C004 uleshort >0 \b, stat=0x%04x +>>0x3C006 uleshort >0 \b, dev=0x%04x +>>0x3C008 uleshort >0 \b, bas=0x%04x + +# MSX BIN file +#0 byte 0xFE +#>1 uleshort >0x8000 +#>>3 uleshort >0x8004 +#>>>5 uleshort >0x8000 MSX BIN file + +# MSX-BASIC file +0 byte 0xFF +>3 uleshort 0x000A +>>1 uleshort >0x8000 MSX-BASIC program + +# MSX .CAS file +0 string \x1F\xA6\xDE\xBA\xCC\x13\x7D\x74 MSX cassette archive + +# Mega-Assembler file +0 byte 0xFE +>1 uleshort 0x0001 +>>5 uleshort 0xffff +>>>6 byte 0x0A MSX Mega-Assembler source + +# Execrom Patchfile +0 string ExecROM\ patchfile\x1A MSX ExecROM patchfile +>0x12 ubyte/16 x v%d +>0x12 ubyte&0xF x \b.%d +>0x13 ubyte x \b, contains %d patches + +# Konami's King's Valley-2 custom stage (ELG file) +4 uleshort 0x0900 +>0xF byte 1 +>>0x14 byte 0 +>>>0x1E string \ \ \ +>>>>0x23 byte 1 +>>>>>0x25 byte 0 +>>>>>>0x15 string >\x30 +>>>>>>>0x15 string <\x5A Konami King's Valley-2 custom stage, title: "%-8.8s" +>>>>>>>>0x1D byte <32 \b, theme: %d + +# Metal Gear 1 savegame +#0x4F string \x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF +#>>0x60 string \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF +#>>>0x7B string \0x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00 Metal Gear 1 savegame diff --git a/magic/Magdir/natinst b/magic/Magdir/natinst index 0a936c5..7a55dde 100644 --- a/magic/Magdir/natinst +++ b/magic/Magdir/natinst @@ -1,6 +1,6 @@ #----------------------------------------------------------------------------- -# $File: natinst,v 1.5 2013/02/06 14:18:52 christos Exp $ +# $File: natinst,v 1.6 2014/06/03 19:17:27 christos Exp $ # natinst: file(1) magic for National Instruments Code Files # @@ -12,7 +12,7 @@ 0 string RSRC National Instruments, # Check if it's a LabVIEW File >8 string LV LabVIEW File, -# Check wich kind of file is +# Check which kind of file it is >>10 string SB Code Resource File, data >>10 string IN Virtual Instrument Program, data >>10 string AR VI Library, data diff --git a/magic/Magdir/ncr b/magic/Magdir/ncr index 4067596..21b09ab 100644 --- a/magic/Magdir/ncr +++ b/magic/Magdir/ncr @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ncr,v 1.7 2009/09/19 16:28:11 christos Exp $ +# $File: ncr,v 1.8 2014/04/30 21:41:02 christos Exp $ # ncr: file(1) magic for NCR Tower objects # # contributed by @@ -11,27 +11,27 @@ >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000615 Tower/XP rel 2 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000620 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000625 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000630 Tower32/600/400 68020 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000640 Tower32/800 68020 >18 beshort &020000 w/68881 object >18 beshort &040000 compatible object @@ -39,11 +39,11 @@ >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d 0 beshort 000645 Tower32/800 68010 >18 beshort &040000 compatible object >18 beshort &060000 object >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped ->22 beshort >0 - version %ld +>22 beshort >0 - version %d diff --git a/magic/Magdir/neko b/magic/Magdir/neko new file mode 100644 index 0000000..ac5ff35 --- /dev/null +++ b/magic/Magdir/neko @@ -0,0 +1,12 @@ + +#------------------------------------------------------------ +# $File: neko,v 1.1 2009/11/10 20:36:10 christos Exp $ + +# From: Mikhail Gusarov +# NekoVM (http://nekovm.org/) bytecode +0 string NEKO NekoVM bytecode +>4 lelong x (%d global symbols, +>8 lelong x %d global fields, +>12 lelong x %d bytecode ops) +!:mime application/x-nekovm-bytecode + diff --git a/magic/Magdir/netbsd b/magic/Magdir/netbsd index fd0eed3..aa933ff 100644 --- a/magic/Magdir/netbsd +++ b/magic/Magdir/netbsd @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netbsd,v 1.20 2013/01/09 22:37:24 christos Exp $ +# $File: netbsd,v 1.22 2014/12/08 20:53:52 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. @@ -100,25 +100,25 @@ 0 belong&0377777777 045200507 a.out NetBSD/powerpc core >12 string >\0 from '%s' -0 belong&0377777777 042400413 a.out NetBSD/sparc demand paged +0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged >0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&0377777777 042400410 a.out NetBSD/sparc pure +0 belong&0377777777 042400410 a.out NetBSD/SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&0377777777 042400407 a.out NetBSD/sparc +0 belong&0377777777 042400407 a.out NetBSD/SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 belong !0 executable >>20 belong =0 object file >16 belong >0 not stripped -0 belong&0377777777 042400507 a.out NetBSD/sparc core +0 belong&0377777777 042400507 a.out NetBSD/SPARC core >12 string >\0 from '%s' >32 belong !0 (signal %d) @@ -247,14 +247,14 @@ # Kernel core dump format 0 belong&0x0000ffff 0x00008fca NetBSD kernel core file >0 belong&0x03ff0000 0x00000000 \b, Unknown ->0 belong&0x03ff0000 0x00001000 \b, sun 68010/68020 +>0 belong&0x03ff0000 0x00010000 \b, sun 68010/68020 >0 belong&0x03ff0000 0x00020000 \b, sun 68020 >0 belong&0x03ff0000 0x00640000 \b, 386 PC >0 belong&0x03ff0000 0x00860000 \b, i386 BSD >0 belong&0x03ff0000 0x00870000 \b, m68k BSD (8K pages) >0 belong&0x03ff0000 0x00880000 \b, m68k BSD (4K pages) >0 belong&0x03ff0000 0x00890000 \b, ns32532 BSD ->0 belong&0x03ff0000 0x008a0000 \b, sparc/32 BSD +>0 belong&0x03ff0000 0x008a0000 \b, SPARC/32 BSD >0 belong&0x03ff0000 0x008b0000 \b, pmax BSD >0 belong&0x03ff0000 0x008c0000 \b, vax BSD (1K pages) >0 belong&0x03ff0000 0x008d0000 \b, alpha BSD @@ -262,20 +262,24 @@ >0 belong&0x03ff0000 0x008f0000 \b, arm6 BSD >0 belong&0x03ff0000 0x00900000 \b, m68k BSD (2K pages) >0 belong&0x03ff0000 0x00910000 \b, sh3 BSD ->0 belong&0x03ff0000 0x00920000 \b, ppc BSD (Big Endian) ->0 belong&0x03ff0000 0x00930000 \b, vax BSD (4K pages) ->0 belong&0x03ff0000 0x00940000 \b, mips1 BSD ->0 belong&0x03ff0000 0x00950000 \b, mips2 BSD ->0 belong&0x03ff0000 0x00960000 \b, parisc BSD ->0 belong&0x03ff0000 0x00970000 \b, sh5/64 BSD ->0 belong&0x03ff0000 0x00980000 \b, sparc/64 BSD ->0 belong&0x03ff0000 0x00990000 \b, amd64 BSD ->0 belong&0x03ff0000 0x009a0000 \b, hp200 (68010) BSD ->0 belong&0x03ff0000 0x009b0000 \b, hp300 (68020+68881) BSD ->0 belong&0x03ff0000 0x009b0000 \b, hp300 (68020+68881) BSD ->0 belong&0x03ff0000 0x00c80000 \b, hp200 ->0 belong&0x03ff0000 0x020b0000 \b, hp300 (68020+68881) HP-UX ->0 belong&0x03ff0000 0x020c0000 \b, hp300 (68020+68881) HP-UX +>0 belong&0x03ff0000 0x00950000 \b, ppc BSD (Big Endian) +>0 belong&0x03ff0000 0x00960000 \b, vax BSD (4K pages) +>0 belong&0x03ff0000 0x00970000 \b, mips1 BSD +>0 belong&0x03ff0000 0x00980000 \b, mips2 BSD +>0 belong&0x03ff0000 0x00990000 \b, m88k BSD +>0 belong&0x03ff0000 0x00920000 \b, parisc BSD +>0 belong&0x03ff0000 0x009b0000 \b, sh5/64 BSD +>0 belong&0x03ff0000 0x009c0000 \b, SPARC/64 BSD +>0 belong&0x03ff0000 0x009d0000 \b, amd64 BSD +>0 belong&0x03ff0000 0x009e0000 \b, sh5/32 BSD +>0 belong&0x03ff0000 0x009f0000 \b, ia64 BSD +>0 belong&0x03ff0000 0x00b70000 \b, aarch64 BSD +>0 belong&0x03ff0000 0x00b80000 \b, or1k BSD +>0 belong&0x03ff0000 0x00b90000 \b, Risk-V BSD +>0 belong&0x03ff0000 0x00c80000 \b, hp200 BSD +>0 belong&0x03ff0000 0x012c0000 \b, hp300 BSD +>0 belong&0x03ff0000 0x020b0000 \b, hp800 HP-UX +>0 belong&0x03ff0000 0x020c0000 \b, hp200/hp300 HP-UX >0 belong&0xfc000000 0x04000000 \b, CPU >0 belong&0xfc000000 0x08000000 \b, DATA >0 belong&0xfc000000 0x10000000 \b, STACK diff --git a/magic/Magdir/nitpicker b/magic/Magdir/nitpicker index d1a6628..2486dee 100644 --- a/magic/Magdir/nitpicker +++ b/magic/Magdir/nitpicker @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: nitpicker,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: nitpicker,v 1.6 2014/04/30 21:41:02 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann http://www.nitpicker.de 0 string NPFF NItpicker Flow File diff --git a/magic/Magdir/oasis b/magic/Magdir/oasis index e527185..45ad6d1 100644 --- a/magic/Magdir/oasis +++ b/magic/Magdir/oasis @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: oasis,v 1.1 2011/03/15 02:09:38 christos Exp $ +# $File: oasis,v 1.2 2014/06/03 19:17:27 christos Exp $ # OASIS # Summary: OASIS stream file -# Long descripton: Open Artwork System Interchange Standard +# Long description: Open Artwork System Interchange Standard # File extension: .oas # Full name: Ben Cowley (bcowley@broadcom.com) # Philip Dixon (pdixon@broadcom.com) diff --git a/magic/Magdir/palm b/magic/Magdir/palm index 536f384..e852cc7 100644 --- a/magic/Magdir/palm +++ b/magic/Magdir/palm @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: palm,v 1.9 2012/01/16 15:16:43 christos Exp $ +# $File: palm,v 1.13 2014/03/30 21:40:08 christos Exp $ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor @@ -9,18 +9,70 @@ # 8 character identifiers at byte 60, one I found for appl is BIGb. # What are the possibilities and where is this documented? +# The common header format for PalmOS .pdb/.prc files is +# { +# char name[ 32 ]; +# Word attributes; +# Word version; +# DWord creationDate; +# DWord modificationDate; +# DWord lastBackupDate; +# DWord modificationNumber; +# DWord appInfoID; +# DWord sortInfoID; +# char type[4]; +# char creator[4]; +# DWord uniqueIDSeed; +# RecordListType recordList; +# }; +# +# Datestamps are unsigned seconds since the MacOS epoch (Jan 1, 1904), +# or Unix/POSIX time + 2082844800. + +0 name aportisdoc +# date is supposed to be big-endian seconds since 1 Jan 1904, but many +# files contain the timestamp in little-endian or a completely +# nonsensical value... +#>36 bedate-2082844800 >0 \b, created %s +# compression: 1=uncomp, 2=orig, 0x4448=HuffDic +>(78.L) beshort =1 \b, uncompressed +# compressed +>(78.L) beshort >1 +>>(78.L+4) belong x \b, %d bytes uncompressed + # appl -#59 byte \0 -#>60 string appl PalmOS application -#>0 string >\0 "%s" -# TEXt -#59 byte \0 -#>60 belong TEXt AportisDoc file -#>0 string >\0 "%s" +#60 string appl PalmOS application +#>0 string >\0 "%s" + # HACK -#59 byte \0 -#>60 string HACK HackMaster hack -#>0 string >\0 "%s" +#60 string HACK HackMaster hack +#>0 string >\0 "%s" + +# iSiloX e-book +60 string SDocSilX iSiloX E-book +>0 string >\0 "%s" + +# Mobipocket (www.mobipocket.com), donated by Carl Witty +# expanded by Ralf Brown +60 string BOOKMOBI Mobipocket E-book +# MobiPocket stores a full title, pointed at by the belong at offset +# 0x54 in its header at (78.L), with length given by the belong at +# offset 0x58. +# there's no guarantee that the title string is null-terminated, but +# we currently can't specify a variable-length string where the length +# field is not at the start of the string; in practice, the data +# following the string always seems to start with a zero byte +>(78.L) belong x +>>&(&0x50.L-4) string >\0 "%s" +>0 use aportisdoc +>>(78.L+0x68) belong >0 \b, version %d +>>(78.L+0x1C) belong !0 \b, codepage %d +>>(78.L+0x0C) beshort >0 \b, encrypted (type %d) + +# AportisDoc/PalmDOC +60 string TEXtREAd AportisDoc/PalmDOC E-book +>0 string >\0 "%s" +>0 use aportisdoc # Variety of PalmOS document types # Michael-John Turner @@ -89,8 +141,12 @@ >>(0x4E.L+1) byte x %02d) # Palm OS .prc file types -60 string libr Palm OS dynamic library data ->0 string >\0 "%s" +60 string libr +# flags, only bit 0 or bit 6 +# http://en.wikipedia.org/wiki/PRC_%28Palm_OS%29 +# http://web.mit.edu/tytso/www/pilot/prc-format.html +>0x20 beshort&0xffbe 0 +>>0 string >\0 Palm OS dynamic library data "%s" 60 string ptch Palm OS operating system patch data >0 string >\0 "%s" diff --git a/magic/Magdir/pascal b/magic/Magdir/pascal index a134a47..eebd349 100644 --- a/magic/Magdir/pascal +++ b/magic/Magdir/pascal @@ -1,10 +1,10 @@ #------------------------------------------------------------------------------ -# $File: pascal,v 1.1 2011/12/08 12:12:46 rrt Exp $ +# $File: pascal,v 1.2 2014/07/14 14:21:33 rrt Exp $ # pascal: file(1) magic for Pascal source # 0 search/8192 (input, Pascal source text !:mime text/x-pascal -0 regex \^program Pascal source text -!:mime text/x-pascal -0 regex \^record Pascal source text -!:mime text/x-pascal +#0 regex \^program Pascal source text +#!:mime text/x-pascal +#0 regex \^record Pascal source text +#!:mime text/x-pascal diff --git a/magic/Magdir/pbf b/magic/Magdir/pbf new file mode 100644 index 0000000..d133d12 --- /dev/null +++ b/magic/Magdir/pbf @@ -0,0 +1,11 @@ + +#------------------------------------------------------------------------------ +# $File: pbf,v 1.1 2013/12/21 14:27:24 christos Exp $ +# file(1) magic(5) data for OpenStreetMap + +# OpenStreetMap Protocolbuffer Binary Format (.osm.pbf) +# http://wiki.openstreetmap.org/wiki/PBF_Format +# From: Markus Heidelberg +0 belong 0x0000000D +>4 beshort 0x0A09 +>>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format diff --git a/magic/Magdir/pdf b/magic/Magdir/pdf index ccde22f..dc2f799 100644 --- a/magic/Magdir/pdf +++ b/magic/Magdir/pdf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.6 2009/09/19 16:28:11 christos Exp $ +# $File: pdf,v 1.7 2013/08/22 07:47:26 christos Exp $ # pdf: file(1) magic for Portable Document Format # @@ -12,5 +12,6 @@ # From: Nick Schmalenberger # Forms Data Format 0 string %FDF- FDF document +!:mime application/vnd.fdf >5 byte x \b, version %c >7 byte x \b.%c diff --git a/magic/Magdir/pdp b/magic/Magdir/pdp index fa4b82b..0afee0c 100644 --- a/magic/Magdir/pdp +++ b/magic/Magdir/pdp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdp,v 1.8 2009/09/19 16:28:11 christos Exp $ +# $File: pdp,v 1.10 2014/04/30 21:41:02 christos Exp $ # pdp: file(1) magic for PDP-11 executable/object and APL workspace # 0 lelong 0101555 PDP-11 single precision APL workspace @@ -10,18 +10,24 @@ # 0 leshort 0407 PDP-11 executable >8 leshort >0 not stripped ->15 byte >0 - version %ld - -0 leshort 0401 PDP-11 UNIX/RT ldp +>15 byte >0 - version %d + +# updated by Joerg Jenderek at Mar 2013 +# GRR: line below too general as it catches also Windows precompiled setup information *.PNF +0 leshort 0401 +# skip *.PNF with WinDirPathOffset 58h +>68 ulelong !0x00000058 PDP-11 UNIX/RT ldp +# skip *.PNF with high byte of InfVersionDatumCount zero +#>>15 byte !0 PDP-11 UNIX/RT ldp 0 leshort 0405 PDP-11 old overlay 0 leshort 0410 PDP-11 pure executable >8 leshort >0 not stripped ->15 byte >0 - version %ld +>15 byte >0 - version %d 0 leshort 0411 PDP-11 separate I&D executable >8 leshort >0 not stripped ->15 byte >0 - version %ld +>15 byte >0 - version %d 0 leshort 0437 PDP-11 kernel overlay diff --git a/magic/Magdir/perl b/magic/Magdir/perl index 1d7bd31..b5b54fb 100644 --- a/magic/Magdir/perl +++ b/magic/Magdir/perl @@ -1,20 +1,14 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.20 2012/06/21 01:16:49 christos Exp $ +# $File: perl,v 1.22 2014/04/28 12:04:35 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. # Keith Waclena # Send additions to -0 search/1/w #!\ /bin/perl Perl script text executable -!:mime text/x-perl 0 search/1 eval\ "exec\ /bin/perl Perl script text !:mime text/x-perl -0 search/1/w #!\ /usr/bin/perl Perl script text executable -!:mime text/x-perl 0 search/1 eval\ "exec\ /usr/bin/perl Perl script text !:mime text/x-perl -0 search/1/w #!\ /usr/local/bin/perl Perl script text executable -!:mime text/x-perl 0 search/1 eval\ "exec\ /usr/local/bin/perl Perl script text !:mime text/x-perl 0 search/1 eval\ '(exit\ $?0)'\ &&\ eval\ 'exec Perl script text @@ -23,6 +17,9 @@ !:mime text/x-perl 0 search/1 #!\ /usr/bin/env\ perl Perl script text executable !:mime text/x-perl +0 search/1 #! +>0 regex \^#!.*/bin/perl$ Perl script text executable +!:mime text/x-perl # by Dmitry V. Levin and Alexey Tourbin # check the first line @@ -60,3 +57,34 @@ >>4 byte =5 (major 2) >>4 byte =4 (major 2) >>5 byte >0 (minor %d) + +# This is Debian #742949 by Zefram : +# ----------------------------------------------------------- +# The Perl module Hash::SharedMem +# defines a file format +# for a key/value store. Details of the file format are in the "DESIGN" +# file in the module distribution. Magic: +0 bequad =0xa58afd185cbf5af7 Hash::SharedMem master file, big-endian +>8 bequad <0x1000000 +>>15 byte >2 \b, line size 2^%d byte +>>14 byte >2 \b, page size 2^%d byte +>>13 byte &1 +>>>13 byte >1 \b, max fanout %d +0 lequad =0xa58afd185cbf5af7 Hash::SharedMem master file, little-endian +>8 lequad <0x1000000 +>>8 byte >2 \b, line size 2^%d byte +>>9 byte >2 \b, page size 2^%d byte +>>10 byte &1 +>>>10 byte >1 \b, max fanout %d +0 bequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, big-endian +>8 bequad <0x1000000 +>>15 byte >2 \b, line size 2^%d byte +>>14 byte >2 \b, page size 2^%d byte +>>13 byte &1 +>>>13 byte >1 \b, max fanout %d +0 lequad =0xc693dac5ed5e47c2 Hash::SharedMem data file, little-endian +>8 lequad <0x1000000 +>>8 byte >2 \b, line size 2^%d byte +>>9 byte >2 \b, page size 2^%d byte +>>10 byte &1 +>>>10 byte >1 \b, max fanout %d diff --git a/magic/Magdir/pgf b/magic/Magdir/pgf new file mode 100644 index 0000000..825f5f6 --- /dev/null +++ b/magic/Magdir/pgf @@ -0,0 +1,52 @@ + +#------------------------------------------------------------------------------ +# $File: pgf,v 1.1 2013/04/22 15:19:49 christos Exp $ +# pgf: file(1) magic for Progressive Graphics File (PGF) +# +# +# 2013 by Philipp Hahn +0 string PGF Progressive Graphics image data, +!:mime image/x-pgf +>3 string 2 version %s, +>3 string 4 version %s, +>3 string 5 version %s, +>3 string 6 version %s, +# PGFPreHeader +#>>4 lelong x header size %d, +# PGFHeader +>>8 lelong x %d x +>>12 lelong x %d, +>>16 byte x %d levels, +>>17 byte x compression level %d, +>>18 byte x %d bpp, +>>19 byte x %d channels, +>>20 clear x +>>20 byte 0 bitmap, +>>20 byte 1 gray scale, +>>20 byte 2 indexed color, +>>20 byte 3 RGB color, +>>20 byte 4 CYMK color, +>>20 byte 5 HSL color, +>>20 byte 6 HSB color, +>>20 byte 7 multi-channel, +>>20 byte 8 duo tone, +>>20 byte 9 LAB color, +>>20 byte 10 gray scale 16, +>>20 byte 11 RGB color 48, +>>20 byte 12 LAB color 48, +>>20 byte 13 CYMK color 64, +>>20 byte 14 deep multi-channel, +>>20 byte 15 duo tone 16, +>>20 byte 17 RGBA color, +>>20 byte 18 gray scale 32, +>>20 byte 19 RGB color 12, +>>20 byte 20 RGB color 16, +>>20 byte 255 unknown format, +>>20 default x format +>>>20 byte x \b %d, +>>21 byte x %d bpc +# PGFPostHeader +# Level-Sizes +#>>(4.l+4) lelong x level 0 size: %d +#>>(4.l+8) lelong x level 1 size: %d +#>>(4.l+12) lelong x level 2 size: %d diff --git a/magic/Magdir/pgp b/magic/Magdir/pgp index a8d3c9a..95a6766 100644 --- a/magic/Magdir/pgp +++ b/magic/Magdir/pgp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.9 2009/09/19 16:28:11 christos Exp $ +# $File: pgp,v 1.11 2014/11/11 21:32:38 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # @@ -21,7 +21,449 @@ 2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- PGP public key block !:mime application/pgp-keys +>10 search/100 \n\n +>>&0 use pgp 0 string -----BEGIN\040PGP\40MESSAGE- PGP message !:mime application/pgp +>10 search/100 \n\n +>>&0 use pgp 0 string -----BEGIN\040PGP\40SIGNATURE- PGP signature !:mime application/pgp-signature +>10 search/100 \n\n +>>&0 use pgp + +# Decode the type of the packet based on it's base64 encoding. +# Idea from Mark Martinec +# The specification is in RFC 4880, section 4.2 and 4.3: +# http://tools.ietf.org/html/rfc4880#section-4.2 + +0 name pgp +>0 byte 0x67 Reserved (old) +>0 byte 0x68 Public-Key Encrypted Session Key (old) +>0 byte 0x69 Signature (old) +>0 byte 0x6a Symmetric-Key Encrypted Session Key (old) +>0 byte 0x6b One-Pass Signature (old) +>0 byte 0x6c Secret-Key (old) +>0 byte 0x6d Public-Key (old) +>0 byte 0x6e Secret-Subkey (old) +>0 byte 0x6f Compressed Data (old) +>0 byte 0x70 Symmetrically Encrypted Data (old) +>0 byte 0x71 Marker (old) +>0 byte 0x72 Literal Data (old) +>0 byte 0x73 Trust (old) +>0 byte 0x74 User ID (old) +>0 byte 0x75 Public-Subkey (old) +>0 byte 0x76 Unused (old) +>0 byte 0x77 +>>1 byte&0xc0 0x00 Reserved +>>1 byte&0xc0 0x40 Public-Key Encrypted Session Key +>>1 byte&0xc0 0x80 Signature +>>1 byte&0xc0 0xc0 Symmetric-Key Encrypted Session Key +>0 byte 0x78 +>>1 byte&0xc0 0x00 One-Pass Signature +>>1 byte&0xc0 0x40 Secret-Key +>>1 byte&0xc0 0x80 Public-Key +>>1 byte&0xc0 0xc0 Secret-Subkey +>0 byte 0x79 +>>1 byte&0xc0 0x00 Compressed Data +>>1 byte&0xc0 0x40 Symmetrically Encrypted Data +>>1 byte&0xc0 0x80 Marker +>>1 byte&0xc0 0xc0 Literal Data +>0 byte 0x7a +>>1 byte&0xc0 0x00 Trust +>>1 byte&0xc0 0x40 User ID +>>1 byte&0xc0 0x80 Public-Subkey +>>1 byte&0xc0 0xc0 Unused [z%x] +>0 byte 0x30 +>>1 byte&0xc0 0x00 Unused [0%x] +>>1 byte&0xc0 0x40 User Attribute +>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data +>>1 byte&0xc0 0xc0 Modification Detection Code + +# magic signatures to detect PGP crypto material (from stef) +# detects and extracts metadata from: +# - symmetric encrypted packet header +# - RSA (e=65537) secret (sub-)keys + +# 1024b RSA encrypted data + +0 string \x84\x8c\x03 PGP RSA encrypted session key - +>3 lelong x keyid: %X +>7 lelong x %X +>11 byte 0x01 RSA (Encrypt or Sign) 1024b +>11 byte 0x02 RSA Encrypt-Only 1024b +>12 string \x04\x00 +>12 string \x03\xff +>12 string \x03\xfe +>12 string \x03\xfd +>12 string \x03\xfc +>12 string \x03\xfb +>12 string \x03\xfa +>12 string \x03\xf9 +>142 byte 0xd2 . + +# 2048b RSA encrypted data + +0 string \x85\x01\x0c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 2048b +>12 byte 0x02 RSA Encrypt-Only 2048b +>13 string \x08\x00 +>13 string \x07\xff +>13 string \x07\xfe +>13 string \x07\xfd +>13 string \x07\xfc +>13 string \x07\xfb +>13 string \x07\xfa +>13 string \x07\xf9 +>271 byte 0xd2 . + +# 3072b RSA encrypted data + +0 string \x85\x01\x8c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 3072b +>12 byte 0x02 RSA Encrypt-Only 3072b +>13 string \x0c\x00 +>13 string \x0b\xff +>13 string \x0b\xfe +>13 string \x0b\xfd +>13 string \x0b\xfc +>13 string \x0b\xfb +>13 string \x0b\xfa +>13 string \x0b\xf9 +>399 byte 0xd2 . + +# 3072b RSA encrypted data + +0 string \x85\x02\x0c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 4096b +>12 byte 0x02 RSA Encrypt-Only 4096b +>13 string \x10\x00 +>13 string \x0f\xff +>13 string \x0f\xfe +>13 string \x0f\xfd +>13 string \x0f\xfc +>13 string \x0f\xfb +>13 string \x0f\xfa +>13 string \x0f\xf9 +>527 byte 0xd2 . + +# 4096b RSA encrypted data + +0 string \x85\x04\x0c\x03 PGP RSA encrypted session key - +>4 lelong x keyid: %X +>8 lelong x %X +>12 byte 0x01 RSA (Encrypt or Sign) 8129b +>12 byte 0x02 RSA Encrypt-Only 8129b +>13 string \x20\x00 +>13 string \x1f\xff +>13 string \x1f\xfe +>13 string \x1f\xfd +>13 string \x1f\xfc +>13 string \x1f\xfb +>13 string \x1f\xfa +>13 string \x1f\xf9 +>1039 byte 0xd2 . + +# crypto algo mapper + +0 name crypto +>0 byte 0x00 Plaintext or unencrypted data +>0 byte 0x01 IDEA +>0 byte 0x02 TripleDES +>0 byte 0x03 CAST5 (128 bit key) +>0 byte 0x04 Blowfish (128 bit key, 16 rounds) +>0 byte 0x07 AES with 128-bit key +>0 byte 0x08 AES with 192-bit key +>0 byte 0x09 AES with 256-bit key +>0 byte 0x0a Twofish with 256-bit key + +# hash algo mapper + +0 name hash +>0 byte 0x01 MD5 +>0 byte 0x02 SHA-1 +>0 byte 0x03 RIPE-MD/160 +>0 byte 0x08 SHA256 +>0 byte 0x09 SHA384 +>0 byte 0x0a SHA512 +>0 byte 0x0b SHA224 + +# pgp symmetric encrypted data + +0 byte 0x8c PGP symmetric key encrypted data - +>1 byte 0x0d +>1 byte 0x0c +>2 byte 0x04 +>3 use crypto +>4 byte 0x01 salted - +>>5 use hash +>>14 byte 0xd2 . +>>14 byte 0xc9 . +>4 byte 0x03 salted & iterated - +>>5 use hash +>>15 byte 0xd2 . +>>15 byte 0xc9 . + +# encrypted keymaterial needs s2k & can be checksummed/hashed + +0 name chkcrypto +>0 use crypto +>1 byte 0x00 Simple S2K +>1 byte 0x01 Salted S2K +>1 byte 0x03 Salted&Iterated S2K +>2 use hash + +# all PGP keys start with this prolog +# containing version, creation date, and purpose + +0 name keyprolog +>0 byte 0x04 +>1 beldate x created on %s - +>5 byte 0x01 RSA (Encrypt or Sign) +>5 byte 0x02 RSA Encrypt-Only + +# end of secret keys known signature +# contains e=65537 and the prolog to +# the encrypted parameters + +0 name keyend +>0 string \x00\x11\x01\x00\x01 e=65537 +>5 use crypto +>5 byte 0xff checksummed +>>6 use chkcrypto +>5 byte 0xfe hashed +>>6 use chkcrypto + +# PGP secret keys contain also the public parts +# these vary by bitsize of the key + +0 name x1024 +>0 use keyprolog +>6 string \x03\xfe +>6 string \x03\xff +>6 string \x04\x00 +>136 use keyend + +0 name x2048 +>0 use keyprolog +>6 string \x80\x00 +>6 string \x07\xfe +>6 string \x07\xff +>264 use keyend + +0 name x3072 +>0 use keyprolog +>6 string \x0b\xfe +>6 string \x0b\xff +>6 string \x0c\x00 +>392 use keyend + +0 name x4096 +>0 use keyprolog +>6 string \x10\x00 +>6 string \x0f\xfe +>6 string \x0f\xff +>520 use keyend + +# \x00|\x1f[\xfe\xff]).{1024})' +0 name x8192 +>0 use keyprolog +>6 string \x20\x00 +>6 string \x1f\xfe +>6 string \x1f\xff +>1032 use keyend + +# depending on the size of the pkt +# we branch into the proper key size +# signatures defined as x{keysize} + +>0 name pgpkey +>0 string \x01\xd8 1024b +>>2 use x1024 +>0 string \x01\xeb 1024b +>>2 use x1024 +>0 string \x01\xfb 1024b +>>2 use x1024 +>0 string \x01\xfd 1024b +>>2 use x1024 +>0 string \x01\xf3 1024b +>>2 use x1024 +>0 string \x01\xee 1024b +>>2 use x1024 +>0 string \x01\xfe 1024b +>>2 use x1024 +>0 string \x01\xf4 1024b +>>2 use x1024 +>0 string \x02\x0d 1024b +>>2 use x1024 +>0 string \x02\x03 1024b +>>2 use x1024 +>0 string \x02\x05 1024b +>>2 use x1024 +>0 string \x02\x15 1024b +>>2 use x1024 +>0 string \x02\x00 1024b +>>2 use x1024 +>0 string \x02\x10 1024b +>>2 use x1024 +>0 string \x02\x04 1024b +>>2 use x1024 +>0 string \x02\x06 1024b +>>2 use x1024 +>0 string \x02\x16 1024b +>>2 use x1024 +>0 string \x03\x98 2048b +>>2 use x2048 +>0 string \x03\xab 2048b +>>2 use x2048 +>0 string \x03\xbb 2048b +>>2 use x2048 +>0 string \x03\xbd 2048b +>>2 use x2048 +>0 string \x03\xcd 2048b +>>2 use x2048 +>0 string \x03\xb3 2048b +>>2 use x2048 +>0 string \x03\xc3 2048b +>>2 use x2048 +>0 string \x03\xc5 2048b +>>2 use x2048 +>0 string \x03\xd5 2048b +>>2 use x2048 +>0 string \x03\xae 2048b +>>2 use x2048 +>0 string \x03\xbe 2048b +>>2 use x2048 +>0 string \x03\xc0 2048b +>>2 use x2048 +>0 string \x03\xd0 2048b +>>2 use x2048 +>0 string \x03\xb4 2048b +>>2 use x2048 +>0 string \x03\xc4 2048b +>>2 use x2048 +>0 string \x03\xc6 2048b +>>2 use x2048 +>0 string \x03\xd6 2048b +>>2 use x2048 +>0 string \x05X 3072b +>>2 use x3072 +>0 string \x05k 3072b +>>2 use x3072 +>0 string \x05{ 3072b +>>2 use x3072 +>0 string \x05} 3072b +>>2 use x3072 +>0 string \x05\x8d 3072b +>>2 use x3072 +>0 string \x05s 3072b +>>2 use x3072 +>0 string \x05\x83 3072b +>>2 use x3072 +>0 string \x05\x85 3072b +>>2 use x3072 +>0 string \x05\x95 3072b +>>2 use x3072 +>0 string \x05n 3072b +>>2 use x3072 +>0 string \x05\x7e 3072b +>>2 use x3072 +>0 string \x05\x80 3072b +>>2 use x3072 +>0 string \x05\x90 3072b +>>2 use x3072 +>0 string \x05t 3072b +>>2 use x3072 +>0 string \x05\x84 3072b +>>2 use x3072 +>0 string \x05\x86 3072b +>>2 use x3072 +>0 string \x05\x96 3072b +>>2 use x3072 +>0 string \x07[ 4096b +>>2 use x4096 +>0 string \x07\x18 4096b +>>2 use x4096 +>0 string \x07+ 4096b +>>2 use x4096 +>0 string \x07; 4096b +>>2 use x4096 +>0 string \x07= 4096b +>>2 use x4096 +>0 string \x07M 4096b +>>2 use x4096 +>0 string \x073 4096b +>>2 use x4096 +>0 string \x07C 4096b +>>2 use x4096 +>0 string \x07E 4096b +>>2 use x4096 +>0 string \x07U 4096b +>>2 use x4096 +>0 string \x07. 4096b +>>2 use x4096 +>0 string \x07> 4096b +>>2 use x4096 +>0 string \x07@ 4096b +>>2 use x4096 +>0 string \x07P 4096b +>>2 use x4096 +>0 string \x074 4096b +>>2 use x4096 +>0 string \x07D 4096b +>>2 use x4096 +>0 string \x07F 4096b +>>2 use x4096 +>0 string \x07V 4096b +>>2 use x4096 +>0 string \x0e[ 8192b +>>2 use x8192 +>0 string \x0e\x18 8192b +>>2 use x8192 +>0 string \x0e+ 8192b +>>2 use x8192 +>0 string \x0e; 8192b +>>2 use x8192 +>0 string \x0e= 8192b +>>2 use x8192 +>0 string \x0eM 8192b +>>2 use x8192 +>0 string \x0e3 8192b +>>2 use x8192 +>0 string \x0eC 8192b +>>2 use x8192 +>0 string \x0eE 8192b +>>2 use x8192 +>0 string \x0eU 8192b +>>2 use x8192 +>0 string \x0e. 8192b +>>2 use x8192 +>0 string \x0e> 8192b +>>2 use x8192 +>0 string \x0e@ 8192b +>>2 use x8192 +>0 string \x0eP 8192b +>>2 use x8192 +>0 string \x0e4 8192b +>>2 use x8192 +>0 string \x0eD 8192b +>>2 use x8192 +>0 string \x0eF 8192b +>>2 use x8192 +>0 string \x0eV 8192b +>>2 use x8192 + +# PGP RSA (e=65537) secret (sub-)key header + +0 byte 0x95 PGP Secret Key - +>1 use pgpkey +0 byte 0x97 PGP Secret Sub-key - +>1 use pgpkey +0 byte 0x9d PGP Secret Sub-key - +>1 use pgpkey diff --git a/magic/Magdir/printer b/magic/Magdir/printer index d9d39ee..1016826 100644 --- a/magic/Magdir/printer +++ b/magic/Magdir/printer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.25 2011/05/20 23:31:46 christos Exp $ +# $File: printer,v 1.26 2014/04/12 14:51:52 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -68,6 +68,22 @@ 0 string \033%-12345X@PJL >&0 search/10000 %! PJL encapsulated PostScript document text +# Rick Richardson + +# For Fuji-Xerox Printers - HBPL stands for Host Based Printer Language +# For Oki Data Printers - HIPERC +# For Konica Minolta Printers - LAVAFLOW +# For Samsung Printers - QPDL +# For HP Printers - ZJS stands for Zenographics ZJStream +0 string \033%-12345X@PJL HP Printer Job Language data +>0 search/10000 @PJL\ ENTER\ LANGUAGE=HBPL - HBPL +>0 search/10000 @PJL\ ENTER\ LANGUAGE=HIPERC - Oki Data HIPERC +>0 search/10000 @PJL\ ENTER\ LANGUAGE=LAVAFLOW - Konica Minolta LAVAFLOW +>0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL +>0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL +>0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS + + # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data >3 string \&l0A - default page size @@ -108,7 +124,7 @@ #------------------------------------------------------------------------------ # zenographics: file(1) magic for Zenographics ZjStream printer data -# Rick Richardson rickr@mn.rr.com +# Rick Richardson 0 string JZJZ >0x12 string ZZ Zenographics ZjStream printer data (big-endian) 0 string ZJZJ @@ -117,7 +133,7 @@ #------------------------------------------------------------------------------ # Oak Technologies printer stream -# Rick Richardson +# Rick Richardson 0 string OAK >0x07 byte 0 >0x0b byte 0 Oak Technologies printer stream diff --git a/magic/Magdir/python b/magic/Magdir/python index a882425..36cdfd8 100644 --- a/magic/Magdir/python +++ b/magic/Magdir/python @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: python,v 1.21 2012/06/21 01:12:51 christos Exp $ +# $File: python,v 1.26 2014/08/04 05:58:40 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages @@ -22,6 +22,8 @@ 0 belong 0x3b0c0d0a python 3.0 byte-compiled 0 belong 0x4f0c0d0a python 3.1 byte-compiled 0 belong 0x6c0c0d0a python 3.2 byte-compiled +0 belong 0x9e0c0d0a python 3.3 byte-compiled +0 belong 0xee0c0d0a python 3.4 byte-compiled 0 search/1/w #!\ /usr/bin/python Python script text executable !:mime text/x-python @@ -43,13 +45,13 @@ !:mime text/x-python # comments -0 search/4096 ''' ->&0 regex .*'''$ Python script text executable -!:mime text/x-python +#0 search/4096 ''' +#>&0 regex .*'''$ Python script text executable +#!:mime text/x-python -0 search/4096 """ ->&0 regex .*"""$ Python script text executable -!:mime text/x-python +#0 search/4096 """ +#>&0 regex .*"""$ Python script text executable +#!:mime text/x-python # try: # except: or finally: @@ -61,6 +63,6 @@ !:mime text/x-python # def name(args, args): -0 regex \^(\ |\\t)*def\ +[a-zA-Z]+ ->&0 regex \ *\\(([a-zA-Z]|,|\ )*\\):$ Python script text executable +0 regex \^(\ |\\t){0,50}def\ {1,50}[a-zA-Z]{1,100} +>&0 regex \ {0,50}\\(([a-zA-Z]|,|\ ){1,255}\\):$ Python script text executable !:mime text/x-python diff --git a/magic/Magdir/qt b/magic/Magdir/qt new file mode 100644 index 0000000..72e6ff3 --- /dev/null +++ b/magic/Magdir/qt @@ -0,0 +1,19 @@ + +#------------------------------------------------------------------------------ +# $File: qt,v 1.2 2014/12/16 19:49:29 christos Exp $ +# qt: file(1) magic for Qt + +# http://doc.qt.io/qt-5/resources.html +0 string \ Qt Resource Collection file + +# https://qt.gitorious.org/qt/qtbase/source/\ +# 5367fa356233da4c0f28172a8f817791525f5457:\ +# src/tools/rcc/rcc.cpp#L840 +0 string qres\0\0 Qt Binary Resource file +0 search/1024 The\040Resource\040Compiler\040for\040Qt Qt C-code resource file + +# https://qt.gitorious.org/qt/qtbase/source/\ +# 5367fa356233da4c0f28172a8f817791525f5457:\ +# src/corelib/kernel/qtranslator.cpp#L62 +0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 +>8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file diff --git a/magic/Magdir/riff b/magic/Magdir/riff index b41d0bd..e551292 100644 --- a/magic/Magdir/riff +++ b/magic/Magdir/riff @@ -1,11 +1,71 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.23 2013/02/06 14:18:52 christos Exp $ +# $File: riff,v 1.30 2014/09/23 17:02:12 christos Exp $ # riff: file(1) magic for RIFF format # See # # http://www.seanet.com/users/matts/riffmci/riffmci.htm # + +# audio format tag. Assume limits: max 1024 bit, 128 channels, 1 MHz +0 name riff-wave +>0 leshort 1 \b, Microsoft PCM +>>14 leshort >0 +>>>14 leshort <1024 \b, %d bit +>0 leshort 2 \b, Microsoft ADPCM +>0 leshort 6 \b, ITU G.711 A-law +>0 leshort 7 \b, ITU G.711 mu-law +>0 leshort 8 \b, Microsoft DTS +>0 leshort 17 \b, IMA ADPCM +>0 leshort 20 \b, ITU G.723 ADPCM (Yamaha) +>0 leshort 49 \b, GSM 6.10 +>0 leshort 64 \b, ITU G.721 ADPCM +>0 leshort 80 \b, MPEG +>0 leshort 85 \b, MPEG Layer 3 +>0 leshort 0x2001 \b, DTS +>2 leshort =1 \b, mono +>2 leshort =2 \b, stereo +>2 leshort >2 +>>2 leshort <128 \b, %d channels +>4 lelong >0 +>>4 lelong <1000000 %d Hz + +# try to find "fmt " +0 name riff-walk +>0 string fmt\x20 +>>4 lelong <0x80 +>>>8 use riff-wave +>0 string LIST +>>&(4.l+4) use riff-walk +>0 string DISP +>>&(4.l+4) use riff-walk +>0 string bext +>>&(4.l+4) use riff-walk +>0 string Fake +>>&(4.l+4) use riff-walk +>0 string fact +>>&(4.l+4) use riff-walk +>0 string VP8 +>>11 byte 0x9d +>>>12 byte 0x01 +>>>>13 byte 0x2a \b, VP8 encoding +>>>>>14 leshort&0x3fff x \b, %d +>>>>>16 leshort&0x3fff x \bx%d, Scaling: +>>>>>14 leshort&0xc000 0x0000 \b [none] +>>>>>14 leshort&0xc000 0x1000 \b [5/4] +>>>>>14 leshort&0xc000 0x2000 \b [5/3] +>>>>>14 leshort&0xc000 0x3000 \b [2] +>>>>>14 leshort&0xc000 0x0000 \bx[none] +>>>>>14 leshort&0xc000 0x1000 \bx[5/4] +>>>>>14 leshort&0xc000 0x2000 \bx[5/3] +>>>>>14 leshort&0xc000 0x3000 \bx[2] +>>>>>15 byte&0x80 =0x00 \b, YUV color +>>>>>15 byte&0x80 =0x80 \b, bad color specification +>>>>>15 byte&0x40 =0x40 \b, no clamping required +>>>>>15 byte&0x40 =0x00 \b, decoders should clamp +#>0 string x we got %s +#>>&(4.l+4) use riff-walk + # AVI section extended by Patrik Radman # 0 string RIFF RIFF (little-endian) data @@ -35,33 +95,21 @@ # Microsoft WAVE format (*.wav) >8 string WAVE \b, WAVE audio !:mime audio/x-wav ->>20 leshort 1 \b, Microsoft PCM ->>>34 leshort >0 \b, %d bit ->>20 leshort 2 \b, Microsoft ADPCM ->>20 leshort 6 \b, ITU G.711 A-law ->>20 leshort 7 \b, ITU G.711 mu-law ->>20 leshort 8 \b, Microsoft DTS ->>20 leshort 17 \b, IMA ADPCM ->>20 leshort 20 \b, ITU G.723 ADPCM (Yamaha) ->>20 leshort 49 \b, GSM 6.10 ->>20 leshort 64 \b, ITU G.721 ADPCM ->>20 leshort 80 \b, MPEG ->>20 leshort 85 \b, MPEG Layer 3 ->>20 leshort 0x2001 \b, DTS ->>22 leshort =1 \b, mono ->>22 leshort =2 \b, stereo ->>22 leshort >2 \b, %d channels ->>24 lelong >0 %d Hz +>>12 string >\0 +>>>12 use riff-walk # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture !:mime image/x-coreldraw +>8 string CDR6 \b, Corel Draw Picture, version 6 +!:mime image/x-coreldraw +>8 string NUNDROOT \b, Steinberg CuBase # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI !:mime video/x-msvideo >>12 string LIST >>>20 string hdrlavih ->>>>&36 lelong x \b, %lu x ->>>>&40 lelong x %lu, +>>>>&36 lelong x \b, %u x +>>>>&40 lelong x %u, >>>>&4 lelong >1000000 <1 fps, >>>>&4 lelong 1000000 1.00 fps, >>>>&4 lelong 500000 2.00 fps, @@ -181,6 +229,8 @@ >8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV >8 string AMV\040 \b, AMV +>8 string WEBP \b, Web/P image +>>12 use riff-walk # # XXX - some of the below may only appear in little-endian form. @@ -220,6 +270,7 @@ >>24 belong >0 %d Hz # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture +>8 string CDR6 \b, Corel Draw Picture, version 6 # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI # Animated Cursor format @@ -255,4 +306,3 @@ >>&6 leshort =2 \b, stereo >>&6 leshort >2 \b, %d channels >>&8 lelong >0 %d Hz - diff --git a/magic/Magdir/rinex b/magic/Magdir/rinex deleted file mode 100644 index c5f2bcb..0000000 --- a/magic/Magdir/rinex +++ /dev/null @@ -1,44 +0,0 @@ - -#------------------------------------------------------------------------------ -# $File: rinex,v 1.4 2011/05/03 01:44:17 christos Exp $ -# rinex: file(1) magic for RINEX files -# http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt -# ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf -# data for testing: ftp://cddis.gsfc.nasa.gov/pub/gps/data -60 string RINEX ->80 search/256 XXRINEXB RINEX Data, GEO SBAS Broadcast ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/broadcast ->80 search/256 XXRINEXD RINEX Data, Observation (Hatanaka comp) ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/observation ->80 search/256 XXRINEXC RINEX Data, Clock ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/clock ->80 search/256 XXRINEXH RINEX Data, GEO SBAS Navigation ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/navigation ->80 search/256 XXRINEXG RINEX Data, GLONASS Navigation ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/navigation ->80 search/256 XXRINEXL RINEX Data, Galileo Navigation ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/navigation ->80 search/256 XXRINEXM RINEX Data, Meteorological ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/meteorological ->80 search/256 XXRINEXN RINEX Data, Navigation ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/navigation ->80 search/256 XXRINEXO RINEX Data, Observation ->>&32 string x \b, date %15.15s ->>5 string x \b, version %6.6s -!:mime rinex/observation diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific index 7418f1b..f780743 100644 --- a/magic/Magdir/scientific +++ b/magic/Magdir/scientific @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.7 2010/09/20 19:19:17 rrt Exp $ +# $File: scientific,v 1.9 2014/06/03 19:01:34 christos Exp $ # scientific: file(1) magic for scientific formats # # From: Joe Krahn @@ -65,7 +65,7 @@ 0 search/1/c 0\ HEAD GEDCOM genealogy text >&0 search 1\ GEDC >>&0 search 2\ VERS version ->>>&1 search/1 >\0 %s +>>>&1 string >\0 %s # From: Phil Endecott 0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data 0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data @@ -91,12 +91,12 @@ # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. 0 string HEADER\ \ \ \ ->&0 regex/1 \^.{40} ->>&0 regex/1 [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} ->>>&0 regex/1s [A-Z0-9]{4}.{14}$ ->>>>&0 regex/1 [A-Z0-9]{4} Protein Data Bank data, ID Code %s +>&0 regex/1l \^.{40} +>>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} +>>>&0 regex/1ls [A-Z0-9]{4}.{14}$ +>>>>&0 regex/1l [A-Z0-9]{4} Protein Data Bank data, ID Code %s !:mime chemical/x-pdb ->>>>0 regex/1 [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s +>>>>0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s # Type: GDSII Stream file 0 belong 0x00060002 GDSII Stream file diff --git a/magic/Magdir/sequent b/magic/Magdir/sequent index 0ce6bf2..5137c0e 100644 --- a/magic/Magdir/sequent +++ b/magic/Magdir/sequent @@ -1,35 +1,42 @@ #------------------------------------------------------------------------------ -# $File: sequent,v 1.8 2009/09/19 16:28:12 christos Exp $ +# $File: sequent,v 1.12 2014/08/16 16:07:12 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins . # For Sequent's multiprocessor systems (incomplete). 0 lelong 0x00ea BALANCE NS32000 .o >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 lelong 0x10ea BALANCE NS32000 executable (0 @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 lelong 0x20ea BALANCE NS32000 executable (invalid @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 lelong 0x30ea BALANCE NS32000 standalone executable >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d # # Symmetry information added by Jason Merrill . # Symmetry magic nums will not be reached if DOS COM comes before them; # byte 0xeb is matched before these get a chance. 0 leshort 0x12eb SYMMETRY i386 .o >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 leshort 0x22eb SYMMETRY i386 executable (0 @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d 0 leshort 0x32eb SYMMETRY i386 executable (invalid @ 0) >16 lelong >0 not stripped ->124 lelong >0 version %ld -0 leshort 0x42eb SYMMETRY i386 standalone executable ->16 lelong >0 not stripped ->124 lelong >0 version %ld +>124 lelong >0 version %d +# http://en.wikipedia.org/wiki/Sequent_Computer_Systems +# below test line conflicts with MS-DOS 2.11 floppies and Acronis loader +#0 leshort 0x42eb SYMMETRY i386 standalone executable +0 leshort 0x42eb +# skip unlike negative version +>124 lelong >-1 +# assuming version 28867614 is very low probable +>>124 lelong !28867614 SYMMETRY i386 standalone executable +>>>16 lelong >0 not stripped +>>>124 lelong >0 version %d diff --git a/magic/Magdir/sereal b/magic/Magdir/sereal new file mode 100644 index 0000000..7fa4503 --- /dev/null +++ b/magic/Magdir/sereal @@ -0,0 +1,25 @@ + +#------------------------------------------------------------------------------ +# $File: sereal,v 1.2 2014/11/11 20:10:49 christos Exp $ +# sereal: file(1) magic the Sereal binary serialization format +# +# From: Ævar Arnfjörð Bjarmason +# +# See the specification of the format at +# https://github.com/Sereal/Sereal/blob/master/sereal_spec.pod#document-header-format +# +# I'd have liked to do the byte&0xF0 matching against 0, 1, 2 ... by +# doing (byte&0xF0)>>4 here, but unfortunately that's not +# supported. So when we print out a message about an unknown format +# we'll print out e.g. 0x30 instead of the more human-readable +# 0x30>>4. +# +# See https://github.com/Sereal/Sereal/commit/35372ae01d in the +# Sereal.git repository for test Sereal data. +0 string \=srl Sereal data +!:mime application/sereal +>4 byte&0x0F x (version %d, +>4 byte&0xF0 0x00 uncompressed) +>4 byte&0xF0 0x10 compressed with non-incremental Snappy) +>4 byte&0xF0 0x20 compressed with incremental Snappy) +>4 byte&0xF0 >0x20 unknown subformat, flag: %d>>4) diff --git a/magic/Magdir/sgi b/magic/Magdir/sgi index 40aae0b..a6223d7 100644 --- a/magic/Magdir/sgi +++ b/magic/Magdir/sgi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sgi,v 1.19 2013/01/12 03:09:51 christos Exp $ +# $File: sgi,v 1.21 2014/04/30 21:41:02 christos Exp $ # sgi: file(1) magic for Silicon Graphics operating systems and applications # # Executable images are handled either in aout (for old-style a.out @@ -17,16 +17,16 @@ 0 beshort 0x0506 IRIS Showcase file >2 byte 0x49 - ->3 byte x - version %ld +>3 byte x - version %d 0 beshort 0x0226 IRIS Showcase template >2 byte 0x63 - ->3 byte x - version %ld +>3 byte x - version %d 0 belong 0x5343464d IRIS Showcase file ->4 byte x - version %ld +>4 byte x - version %d 0 belong 0x5443464d IRIS Showcase template ->4 byte x - version %ld +>4 byte x - version %d 0 belong 0xdeadbabe IRIX Parallel Arena ->8 belong >0 - version %ld +>8 belong >0 - version %d # core files # @@ -49,7 +49,7 @@ # Trusted IRIX info 0 string SGIAUDIT SGI Audit file >8 byte x - version %d ->9 byte x \b.%ld +>9 byte x \b.%d # 0 string WNGZWZSC Wingz compiled script 0 string WNGZWZSS Wingz spreadsheet @@ -82,11 +82,11 @@ #>20 lelong -2 temporal index #>20 lelong -1 metadata #>20 lelong 0 log volume #0 -#>20 lelong >0 log volume #%ld +#>20 lelong >0 log volume #%d >20 belong -2 temporal index >20 belong -1 metadata >20 belong 0 log volume #0 ->20 belong >0 log volume #%ld +>20 belong >0 log volume #%d >24 string >\0 host: %s 0 string PCPFolio PCP >9 string Version: Archive Folio @@ -128,7 +128,7 @@ >11 byte x dataformat %d # Alias Maya files -0 string/t //Maya ASCII Alias Maya Ascii File, +0 string/t //Maya\040ASCII Alias Maya Ascii File, >13 string >\0 version %s 8 string MAYAFOR4 Alias Maya Binary File, >32 string >\0 version %s scene diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml index 8b3b91a..f9cab08 100644 --- a/magic/Magdir/sgml +++ b/magic/Magdir/sgml @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: sgml,v 1.29 2012/08/26 10:25:41 christos Exp $ +# $File: sgml,v 1.30 2013/12/21 14:27:24 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres 0 string \>19 search/4096 \ +0 string \15 string >\0 +>>19 search/4096 \ @@ -50,12 +50,30 @@ 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database # Version 3 of SQLite allows applications to embed their own "user version" -# number in the database. Detect this and distinguish those files. - +# number in the database at offset 60. Later, SQLite added an "application id" +# at offset 68 that is preferred over "user version" for indicating the +# associated application. +# 0 string SQLite\ format\ 3 ->60 string _MTN Monotone source repository ->60 belong !0 SQLite 3.x database, user version %u ->60 belong 0 SQLite 3.x database +>60 belong =0x5f4d544e Monotone source repository - SQLite3 database +>68 belong =0x0f055112 Fossil checkout - SQLite3 database +>68 belong =0x0f055113 Fossil global configuration - SQLite3 database +>68 belong =0x0f055111 Fossil repository - SQLite3 database +>68 belong =0x42654462 Bentley Systems BeSQLite Database - SQLite3 database +>68 belong =0x42654c6e Bentley Systems Localization File - SQLite3 database +>68 belong =0x47504b47 OGC GeoPackage file - SQLite3 database +>68 default x SQLite 3.x database +>>68 belong !0 \b, application id %u +>>60 belong !0 \b, user version %d + +# SQLite Write-Ahead Log from SQLite version >= 3.7.0 +# http://www.sqlite.org/fileformat.html#walformat +0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, +>4 belong x version %d + +# SQLite Rollback Journal +# http://www.sqlite.org/fileformat.html#rollbackjournal +0 string \xd9\xd5\x05\xf9\x20\xa1\x63\xd7 SQLite Rollback Journal # Panasonic channel list database svl.bin or svl.db added by Joerg Jenderek # http://www.ullrich.es/job/service-menue/panasonic/panasonic-sendersortierung-sat-am-pc/ diff --git a/magic/Magdir/ssh b/magic/Magdir/ssh index c87f388..ca64564 100644 --- a/magic/Magdir/ssh +++ b/magic/Magdir/ssh @@ -3,6 +3,11 @@ 0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, >28 string >\0 version %s +0 string -----BEGIN\ OPENSSH\ PRIVATE\ KEY----- OpenSSH private key 0 string ssh-dss\ OpenSSH DSA public key 0 string ssh-rsa\ OpenSSH RSA public key +0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key +0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key +0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key +0 string ssh-ed25519 OpenSSH ED25519 public key diff --git a/magic/Magdir/ssl b/magic/Magdir/ssl index 4d8706e..5d5daee 100644 --- a/magic/Magdir/ssl +++ b/magic/Magdir/ssl @@ -5,3 +5,4 @@ 0 string -----BEGIN\ CERTIFICATE\ REQ PEM certificate request 0 string -----BEGIN\ RSA\ PRIVATE PEM RSA private key 0 string -----BEGIN\ DSA\ PRIVATE PEM DSA private key +0 string -----BEGIN\ EC\ PRIVATE PEM EC private key diff --git a/magic/Magdir/sun b/magic/Magdir/sun index 86ffad2..802a9eb 100644 --- a/magic/Magdir/sun +++ b/magic/Magdir/sun @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sun,v 1.25 2013/01/09 22:37:24 christos Exp $ +# $File: sun,v 1.27 2014/04/30 21:41:02 christos Exp $ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x @@ -9,7 +9,7 @@ # are in aout, as they're indistinguishable from other big-endian # 32-bit a.out files. # -0 belong&077777777 0600413 a.out SunOS sparc demand paged +0 belong&077777777 0600413 a.out SunOS SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable @@ -17,12 +17,12 @@ >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&077777777 0600410 a.out SunOS sparc pure +0 belong&077777777 0600410 a.out SunOS SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped -0 belong&077777777 0600407 a.out SunOS sparc +0 belong&077777777 0600407 a.out SunOS SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped @@ -97,7 +97,7 @@ # which is the IANA registry of Snoop datalink types) # 0 string snoop Snoop capture file ->8 belong >0 - version %ld +>8 belong >0 - version %d >12 belong 0 (IEEE 802.3) >12 belong 1 (IEEE 802.4) >12 belong 2 (IEEE 802.5) @@ -108,24 +108,24 @@ >12 belong 7 (IBM channel-to-channel adapter) >12 belong 8 (FDDI) >12 belong 9 (Other) ->12 belong 10 (type %ld) ->12 belong 11 (type %ld) ->12 belong 12 (type %ld) ->12 belong 13 (type %ld) ->12 belong 14 (type %ld) ->12 belong 15 (type %ld) +>12 belong 10 (type %d) +>12 belong 11 (type %d) +>12 belong 12 (type %d) +>12 belong 13 (type %d) +>12 belong 14 (type %d) +>12 belong 15 (type %d) >12 belong 16 (Fibre Channel) >12 belong 17 (ATM) >12 belong 18 (ATM Classical IP) ->12 belong 19 (type %ld) ->12 belong 20 (type %ld) ->12 belong 21 (type %ld) ->12 belong 22 (type %ld) ->12 belong 23 (type %ld) ->12 belong 24 (type %ld) ->12 belong 25 (type %ld) +>12 belong 19 (type %d) +>12 belong 20 (type %d) +>12 belong 21 (type %d) +>12 belong 22 (type %d) +>12 belong 23 (type %d) +>12 belong 24 (type %d) +>12 belong 25 (type %d) >12 belong 26 (IP over Infiniband) ->12 belong >26 (type %ld) +>12 belong >26 (type %d) #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a diff --git a/magic/Magdir/symbos b/magic/Magdir/symbos new file mode 100644 index 0000000..c97a42e --- /dev/null +++ b/magic/Magdir/symbos @@ -0,0 +1,42 @@ + +#------------------------------------------------------------------------------ +# msx: file(1) magic for the SymbOS operating system +# http://www.symbos.de +# Fabio R. Schmidlin + +# SymbOS EXE file +0x30 string SymExe SymbOS executable +>0x36 ubyte x v%c +>0x37 ubyte x \b.%c +>0xF string x \b, name: %s + +# SymbOS DOX document +0 string INFOq\0 SymbOS DOX document + +# Symbos driver +0 string SMD1 SymbOS driver +>19 byte x \b, name: %c +>20 byte x \b%c +>21 byte x \b%c +>22 byte x \b%c +>23 byte x \b%c +>24 byte x \b%c +>25 byte x \b%c +>26 byte x \b%c +>27 byte x \b%c +>28 byte x \b%c +>29 byte x \b%c +>30 byte x \b%c +>31 byte x \b%c + +# Symbos video +0 string SymVid SymbOS video +>6 ubyte x v%c +>7 ubyte x \b.%c + +# Soundtrakker 128 ST2 music +0 byte 0 +>0xC string \x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x40\x00 Soundtrakker 128 ST2 music, +>>1 string x name: %s + + diff --git a/magic/Magdir/sysex b/magic/Magdir/sysex index 70b5b1c..97472e2 100644 --- a/magic/Magdir/sysex +++ b/magic/Magdir/sysex @@ -1,10 +1,12 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File: sysex,v 1.8 2014/06/03 19:17:27 christos Exp $ # sysex: file(1) magic for MIDI sysex files # -# -0 byte 0xF0 SysEx File - +# GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems +# where real SYStem EXclusive messages at offset 1 are limited to seven bits +# http://en.wikipedia.org/wiki/MIDI +0 ubeshort&0xFF80 0xF000 SysEx File - # North American Group >1 byte 0x01 Sequential @@ -210,7 +212,7 @@ >1 byte 0x52 Zoom >1 byte 0x54 Matsushita >1 byte 0x57 Acoustic tech. lab. - +# http://www.midi.org/techspecs/manid.php >1 belong&0xffffff00 0x00007400 Ta Horng >1 belong&0xffffff00 0x00007500 e-Tek >1 belong&0xffffff00 0x00007600 E-Voice diff --git a/magic/Magdir/tcl b/magic/Magdir/tcl index 223f93b..515fa8d 100644 --- a/magic/Magdir/tcl +++ b/magic/Magdir/tcl @@ -5,7 +5,7 @@ # Tcl scripts 0 search/1/w #!\ /usr/bin/tcl Tcl script text executable -!:mime text/x-lua +!:mime text/x-tcl 0 search/1/w #!\ /usr/local/bin/tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ tcl Tcl script text executable diff --git a/magic/Magdir/tex b/magic/Magdir/tex index e8d2e87..1737ea9 100644 --- a/magic/Magdir/tex +++ b/magic/Magdir/tex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: tex,v 1.18 2011/02/08 13:45:15 christos Exp $ +# $File: tex,v 1.20 2014/03/16 02:53:03 christos Exp $ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) @@ -40,6 +40,9 @@ 0 search/4096 \\input TeX document text !:mime text/x-tex !:strength + 15 +0 search/4096 \\begin LaTeX document text +!:mime text/x-tex +!:strength + 15 0 search/4096 \\section LaTeX document text !:mime text/x-tex !:strength + 18 @@ -103,3 +106,34 @@ 0 search/1 @c\ @mapfile{ TeX font aliases text file 0 string #LyX LyX document text + +# ConTeXt documents +# http://wiki.contextgarden.net/ +0 search/4096 \\setupcolors[ ConTeXt document text +!:strength + 15 +0 search/4096 \\definecolor[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupinteraction[ ConTeXt document text +!:strength + 15 +0 search/4096 \\useURL[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuppapersize[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuplayout[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupfooter[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupfootertexts[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuppagenumbering[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupbodyfont[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setuphead[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupitemize[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupwhitespace[ ConTeXt document text +!:strength + 15 +0 search/4096 \\setupindenting[ ConTeXt document text +!:strength + 15 diff --git a/magic/Magdir/ti-8x b/magic/Magdir/ti-8x index d7903fe..205f982 100644 --- a/magic/Magdir/ti-8x +++ b/magic/Magdir/ti-8x @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ti-8x,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File: ti-8x,v 1.7 2014/04/30 21:41:02 christos Exp $ # ti-8x: file(1) magic for the TI-8x and TI-9x Graphing Calculators. # # From: Ryan McGuire (rmcguire@freenet.columbus.oh.us). @@ -222,7 +222,7 @@ >49 byte 0x24 type: application, >49 byte 0x25 type: certificate, >49 byte 0x3e type: license, ->74 lelong >0 size: %ld bytes +>74 lelong >0 size: %d bytes # VTi & TiEmu skins (TI Graphing Calculators). # From: Romain Lievin (roms@lpg.ticalc.org). diff --git a/magic/Magdir/troff b/magic/Magdir/troff index b24ea0a..cb6bc00 100644 --- a/magic/Magdir/troff +++ b/magic/Magdir/troff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: troff,v 1.10 2009/09/19 16:28:12 christos Exp $ +# $File: troff,v 1.11 2014/06/03 19:01:34 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) @@ -16,9 +16,9 @@ !:mime text/troff 0 search/1 ''' troff or preprocessor input text !:mime text/troff -0 regex/20 \^\\.[A-Za-z0-9][A-Za-z0-9][\ \t] troff or preprocessor input text +0 regex/20l \^\\.[A-Za-z0-9][A-Za-z0-9][\ \t] troff or preprocessor input text !:mime text/troff -0 regex/20 \^\\.[A-Za-z0-9][A-Za-z0-9]$ troff or preprocessor input text +0 regex/20l \^\\.[A-Za-z0-9][A-Za-z0-9]$ troff or preprocessor input text !:mime text/troff # ditroff intermediate output text diff --git a/magic/Magdir/uterus b/magic/Magdir/uterus index c5a139b..a8be8a8 100644 --- a/magic/Magdir/uterus +++ b/magic/Magdir/uterus @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: uterus,v 1.1 2012/12/18 18:53:32 christos Exp $ +# $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # diff --git a/magic/Magdir/varied.out b/magic/Magdir/varied.out index 3d8aa92..01caf07 100644 --- a/magic/Magdir/varied.out +++ b/magic/Magdir/varied.out @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: varied.out,v 1.22 2010/07/02 00:06:27 christos Exp $ +# $File: varied.out,v 1.23 2014/04/30 21:41:02 christos Exp $ # varied.out: file(1) magic for various USG systems # # Herewith many of the object file formats used by USG systems. @@ -26,7 +26,7 @@ >7 string >\0 version '%s' # gnu gmon magic From: Eugen Dedu 0 string gmon GNU prof performance data ->4 long x - version %ld +>4 long x - version %d # From: Dave Pearson # Harbour HRB files. 0 string \xc0HRB Harbour HRB file diff --git a/magic/Magdir/varied.script b/magic/Magdir/varied.script index 50259d3..eb71b2f 100644 --- a/magic/Magdir/varied.script +++ b/magic/Magdir/varied.script @@ -1,28 +1,56 @@ #------------------------------------------------------------------------------ -# $File: varied.script,v 1.9 2011/12/16 16:32:48 rrt Exp $ +# $File: varied.script,v 1.10 2014/03/01 22:32:39 christos Exp $ # varied.script: file(1) magic for various interpreter scripts 0 string/t #!\ / a >3 string >\0 %s script text executable !:strength / 2 + +0 string/b #!\ / a +>3 string >\0 %s script executable (binary data) +!:strength / 2 + 0 string/t #!\t/ a >3 string >\0 %s script text executable !:strength / 2 + +0 string/b #!\t/ a +>3 string >\0 %s script executable (binary data) +!:strength / 2 + 0 string/t #!/ a >2 string >\0 %s script text executable !:strength / 2 + +0 string/b #!/ a +>2 string >\0 %s script executable (binary data) +!:strength / 2 + 0 string/t #!\ script text executable >3 string >\0 for %s !:strength / 3 +0 string/b #!\ script executable +>3 string >\0 for %s (binary data) +!:strength / 3 + # using env 0 string/t #!/usr/bin/env a >15 string/t >\0 %s script text executable !:strength / 10 + +0 string/b #!/usr/bin/env a +>15 string/b >\0 %s script executable (binary data) +!:strength / 10 + 0 string/t #!\ /usr/bin/env a >16 string/t >\0 %s script text executable !:strength / 10 +0 string/b #!\ /usr/bin/env a +>16 string/b >\0 %s script executable (binary data) +!:strength / 10 + # From: arno # mozilla xpconnect typelib # see http://www.mozilla.org/scriptable/typelib_file.html diff --git a/magic/Magdir/vax b/magic/Magdir/vax index 5a096e8..11de6ce 100644 --- a/magic/Magdir/vax +++ b/magic/Magdir/vax @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vax,v 1.8 2013/01/09 22:37:24 christos Exp $ +# $File: vax,v 1.9 2014/04/30 21:41:02 christos Exp $ # vax: file(1) magic for VAX executable/object and APL workspace # 0 lelong 0101557 VAX single precision APL workspace @@ -21,7 +21,7 @@ # 0 leshort 0570 VAX COFF executable >12 lelong >0 not stripped ->22 leshort >0 - version %ld +>22 leshort >0 - version %d 0 leshort 0575 VAX COFF pure executable >12 lelong >0 not stripped ->22 leshort >0 - version %ld +>22 leshort >0 - version %d diff --git a/magic/Magdir/virtual b/magic/Magdir/virtual index 7b729d4..26442bf 100644 --- a/magic/Magdir/virtual +++ b/magic/Magdir/virtual @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: virtual,v 1.2 2011/11/22 13:30:05 christos Exp $ +# $File: virtual,v 1.6 2014/05/07 21:25:41 christos Exp $ # From: James Nobis # Microsoft hard disk images for: # Virtual Server @@ -9,9 +9,115 @@ # .vhd 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC +# libvirt +# From: Philipp Hahn +0 string LibvirtQemudSave Libvirt QEMU Suspend Image +>0x10 lelong x \b, version %u +>0x14 lelong x \b, XML length %u +>0x18 lelong 1 \b, running +>0x1c lelong 1 \b, compressed + +0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image +# From: Alex Beregszaszi +0 string/b COWD VMWare3 +>4 byte 3 disk image +>>32 lelong x (%d/ +>>36 lelong x \b%d/ +>>40 lelong x \b%d) +>4 byte 2 undoable disk image +>>32 string >\0 (%s) + +0 string/b VMDK VMware4 disk image +0 string/b KDMV VMware4 disk image + +#-------------------------------------------------------------------- +# Qemu Emulator Images +# Lines written by Friedrich Schwittay (f.schwittay@yousable.de) +# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) +# Made by reading sources, reading documentation, and doing trial and error +# on existing QCOW files +0 string/b QFI\xFB QEMU QCOW Image + +# Uncomment the following line to display Magic (only used for debugging +# this magic number) +#>0 string/b x , Magic: %s + +# There are currently 2 Versions: "1" and "2". +# http://www.gnome.org/~markmc/qcow-image-format-version-1.html +>4 belong 1 (v1) + +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>12 belong >0 \b, has backing file ( +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. +>>>(12.L) string >\0 \bpath %s + +# Modification time of the Backing File +# Really useful if you want to know if your backing +# file is still usable together with this image +>>>>20 bedate >0 \b, mtime %s) +>>>>20 default x \b) + +# Size is stored in bytes in a big-endian u64. +>>24 bequad x \b, %lld bytes + +# 1 for AES encryption, 0 for none. +>>36 belong 1 \b, AES-encrypted + +# http://www.gnome.org/~markmc/qcow-image-format.html +>4 belong 2 (v2) +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>8 bequad >0 \b, has backing file +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. Also, since there's no +# .Q modifier, we just use the bottom four bytes as an offset. Note that if +# the file is over 4G, and the backing file path is stored after the first 4G, +# the wrong filename will be printed. (This should be (8.Q), when that syntax +# is introduced.) +>>>(12.L) string >\0 (path %s) +>>24 bequad x \b, %lld bytes +>>32 belong 1 \b, AES-encrypted + +>4 belong 3 (v3) +# Using the existence of the Backing File Offset to determine whether +# to read Backing File Information +>>8 bequad >0 \b, has backing file +# Note that this isn't a null-terminated string; the length is actually +# (16.L). Assuming a null-terminated string happens to work usually, but it +# may spew junk until it reaches a \0 in some cases. Also, since there's no +# .Q modifier, we just use the bottom four bytes as an offset. Note that if +# the file is over 4G, and the backing file path is stored after the first 4G, +# the wrong filename will be printed. (This should be (8.Q), when that syntax +# is introduced.) +>>>(12.L) string >\0 (path %s) +>>24 bequad x \b, %lld bytes +>>32 belong 1 \b, AES-encrypted + +>4 default x (unknown version) + +0 string/b QEVM QEMU suspend to disk image + +# QEMU QED Image +# http://wiki.qemu.org/Features/QED/Specification +0 string/b QED\0 QEMU QED Image + +# VDI Image # Sun xVM VirtualBox Disk Image # From: Richard W.M. Jones # VirtualBox Disk Image 0x40 ulelong 0xbeda107f VirtualBox Disk Image >0x44 uleshort >0 \b, major %u >0x46 uleshort >0 \b, minor %u +>0 string >\0 (%s) +>368 lequad x \b, %lld bytes + +0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, +>32 string x type %s, +>48 string x subtype %s + +0 lelong 0x02468ace Bochs Sparse disk image + diff --git a/magic/Magdir/vms b/magic/Magdir/vms index d114dfd..4939303 100644 --- a/magic/Magdir/vms +++ b/magic/Magdir/vms @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vms,v 1.6 2009/09/19 16:28:13 christos Exp $ +# $File: vms,v 1.9 2014/08/17 13:47:59 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) @@ -24,5 +24,7 @@ # 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # -0 belong 0x03000000 VMS Alpha executable ->75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption +# GRR this test is still too general as it catches example adressen.dbt +0 belong 0x03000000 +>8 ubelong 0xec020000 VMS Alpha executable +>>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption diff --git a/magic/Magdir/vorbis b/magic/Magdir/vorbis index ed6c040..d337398 100644 --- a/magic/Magdir/vorbis +++ b/magic/Magdir/vorbis @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vorbis,v 1.16 2009/09/19 16:28:13 christos Exp $ +# $File: vorbis,v 1.20 2014/09/23 16:35:08 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner @@ -23,7 +23,6 @@ # --- Ogg Framing --- #0 search/1000 OggS Ogg data 0 string OggS Ogg data -!:mime application/ogg >4 byte !0 UNKNOWN REVISION %u ##>4 byte 0 revision 0 >4 byte 0 @@ -31,9 +30,12 @@ # non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) >>28 string \x7fFLAC \b, FLAC audio # non-Vorbis content: Theora +!:mime audio/ogg >>28 string \x80theora \b, Theora video +!:mime video/ogg # non-Vorbis content: Kate ->>28 string \x80kate\0\0\0\0 \b, Kate +>>28 string \x80kate\0\0\0\0 \b, Kate (Karaoke and Text) +!:mime application/ogg >>>37 ubyte x v%u >>>38 ubyte x \b.%u, >>>40 byte 0 utf8 encoding, @@ -44,25 +46,29 @@ >>>76 string \0 no category set # non-Vorbis content: Skeleton >>28 string fishead\0 \b, Skeleton +!:mime video/ogg >>>36 short x v%u >>>40 short x \b.%u # non-Vorbis content: Speex >>28 string Speex\ \ \ \b, Speex audio +!:mime audio/ogg # non-Vorbis content: OGM >>28 string \x01video\0\0\0 \b, OGM video +!:mime video/ogg >>>37 string/c div3 (DivX 3) >>>37 string/c divx (DivX 4) >>>37 string/c dx50 (DivX 5) >>>37 string/c xvid (XviD) # --- First vorbis packet - general header --- >>28 string \x01vorbis \b, Vorbis audio, ->>>35 lelong !0 UNKNOWN VERSION %lu, +!:mime audio/ogg +>>>35 lelong !0 UNKNOWN VERSION %u, ##>>>35 lelong 0 version 0, >>>35 lelong 0 >>>>39 ubyte 1 mono, >>>>39 ubyte 2 stereo, >>>>39 ubyte >2 %u channels, ->>>>40 lelong x %lu Hz +>>>>40 lelong x %u Hz # Minimal, nominal and maximal bitrates specified when encoding >>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, # The above tests if at least one of these is specified: @@ -72,13 +78,13 @@ # Vorbis 1.0 uses 0 instead of -1. >>>>>>52 lelong !0 >>>>>>>52 lelong !-1000 ->>>>>>>>52 lelong x <%lu +>>>>>>>>52 lelong x <%u >>>>>48 lelong !-1 ->>>>>>48 lelong x ~%lu +>>>>>>48 lelong x ~%u >>>>>44 lelong !-1 >>>>>>44 lelong !-1000 >>>>>>>44 lelong !0 ->>>>>>>>44 lelong x >%lu +>>>>>>>>44 lelong x >%u >>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps # -- Second vorbis header packet - the comments # A kludge to read the vendor string. It's a counted string, not a diff --git a/magic/Magdir/windows b/magic/Magdir/windows index 1ab78d4..3f7bded 100644 --- a/magic/Magdir/windows +++ b/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.5 2012/04/03 22:25:07 christos Exp $ +# $File: windows,v 1.10 2014/09/24 19:52:46 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -36,7 +36,7 @@ >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump ->>0x068 lelong x \b, %ld pages +>>0x068 lelong x \b, %d pages >4 string DU64 MS Windows 64bit crash dump >>0xf98 lelong 1 \b, full dump >>0xf98 lelong 2 \b, kernel dump @@ -158,8 +158,180 @@ 0 string Windows\ Registry\ Editor\ >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) - +# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013 +# empty ,comment , section +# PR/383: remove unicode BOM because it is not portable across regex impls +0 regex/s \\`(\\r\\n|;|[[]) +# left bracket in section line +>&0 search/8192 [ +# http://en.wikipedia.org/wiki/Autorun.inf +# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx +>>&0 regex/c \^(autorun)]\r\n +>>>&0 ubyte =0x5b INItialization configuration +!:mime application/x-wine-extension-ini # From: Pal Tamas # Autorun File -0 string/c [autorun]\r\n Microsoft Windows Autorun file. -!:mime application/x-setupscript. +>>>&0 ubyte !0x5b Microsoft Windows Autorun file +!:mime application/x-setupscript +# http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx +# version strings ASCII coded case-independent for Windows setup information script file +>>&0 regex/c \^(version|strings)] Windows setup INFormation +!:mime application/x-setupscript +#!:mime application/inf +#!:mime application/x-wine-extension-inf +>>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation +!:mime text/inf +# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm +# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx +# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent +>>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini +!:mime application/x-wine-extension-ini +#!:mime text/plain +# http://support.microsoft.com/kb/84709/ +>>&0 regex/c \^(don't\ load)] Windows CONTROL.INI +!:mime application/x-wine-extension-ini +>>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI +!:mime application/x-wine-extension-ini +# http://technet.microsoft.com/en-us/library/cc722567.aspx +# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm +>>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI +!:mime application/x-wine-extension-ini +# http://en.wikipedia.org/wiki/SYSTEM.INI +>>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI +!:mime application/x-wine-extension-ini +# http://www.mdgx.com/newtip6.htm +>>&0 regex/c \^(SafeList)] Windows IOS.INI +!:mime application/x-wine-extension-ini +# http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information +>>&0 regex/c \^(boot\x20loader)] Windows boot.ini +!:mime application/x-wine-extension-ini +>>>&0 ubyte x +# http://en.wikipedia.org/wiki/CONFIG.SYS +>>&0 regex/c \^(menu)]\r\n MS-DOS CONFIG.SYS +# http://support.microsoft.com/kb/118579/ +>>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS +# VERS string unicoded case-independent +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +# ION] string unicoded case-independent +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +!:mime application/x-setupscript +# STRI string unicoded case-independent +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 +# NGS] string unicoded case-independent +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation +!:mime application/x-setupscript +# unknown keyword after opening bracket +>>&0 default x +>>>&0 search/8192 [ +# version Strings FileIdentification +>>>>&0 string/c version Windows setup INFormation +!:mime application/x-setupscript +# VERS string unicoded case-independent +>>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +# ION] string unicoded case-independent +>>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +!:mime application/x-setupscript +# http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other +#>>>>&0 default x Generic INItialization configuration +#!:mime application/x-wine-extension-ini + +# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h +# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm +# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp +0 leshort&0xFeFe 0x0000 +# test for unused null bits in PNF_FLAGs +>4 ulelong&0xFCffFe00 0x00000000 +# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure +>>68 ulelong >0x57 +# test for zero high byte of InfValueBlockSize, followed by WinDirPath like +# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT +>>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF +!:mime application/x-pnf +# currently only found Major Version=1 and Minor Version=1 +#>>>>0 uleshort =0x0101 +#>>>>>1 ubyte x \b, version %u +#>>>>>0 ubyte x \b.%u +>>>>0 uleshort !0x0101 +>>>>>1 ubyte x \b, version %u +>>>>>0 ubyte x \b.%u +# 1 ,2 (windows 98 SE) +#>>>>2 uleshort =2 \b, InfStyle %u +>>>>2 uleshort !2 \b, InfStyle %u +# PNF_FLAG_IS_UNICODE 0x00000001 +# PNF_FLAG_HAS_STRINGS 0x00000002 +# PNF_FLAG_SRCPATH_IS_URL 0x00000004 +# PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008 +# PNF_FLAG_INF_VERIFIED 0x00000010 +# PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020 +# ?? 0x00000100 +# ?? 0x01000000 +# ?? 0x02000000 +>>>>4 ulelong&0x00000001 0x00000001 \b, unicoded +>>>>4 ulelong&0x00000020 0x00000020 \b, digitally signed +#>>>>8 ulelong x \b, InfSubstValueListOffset 0x%x +# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF +#>>>>12 uleshort x \b, InfSubstValueCount 0x%x +# only < 9 found +#>>>>14 uleshort x \b, InfVersionDatumCount 0x%x +# only found values lower 0x0000ffff +#>>>>16 ulelong x \b, InfVersionDataSize 0x%x +# only found positive values lower 0x00ffFFff for InfVersionDataOffset +>>>>20 ulelong x \b, at 0x%x +>>>>4 ulelong&0x00000001 =0x00000001 +# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature +>>>>>(20.l) lestring16 x "%s" +>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>(20.l) string x "%s" +# FILETIME is number of 100-nanosecond intervals since 1 January 1601 +#>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx +# only found values lower 0x00ffFFff +#>>>>32 ulelong x \b, StringTableBlockOffset 0x%x +#>>>>36 ulelong x \b, StringTableBlockSize 0x%x +#>>>>40 ulelong x \b, InfSectionCount 0x%x +#>>>>44 ulelong x \b, InfSectionBlockOffset 0x%x +#>>>>48 ulelong x \b, InfSectionBlockSize 0x%x +#>>>>52 ulelong x \b, InfLineBlockOffset 0x%x +#>>>>56 ulelong x \b, InfLineBlockSize 0x%x +#>>>>60 ulelong x \b, InfValueBlockOffset 0x%x +#>>>>64 ulelong x \b, InfValueBlockSize 0x%x +# WinDirPathOffset +#>>>>68 ulelong x \b, at 0x%x +>>>>68 ulelong >0x57 +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(68.l) ubequad =0x43003a005c005700 +# normally unicoded C:\Windows +#>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" +>>>>>>(68.l) ubequad !0x43003a005c005700 +>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" +>>>>>4 ulelong&0x00000001 !0x00000001 +# normally ASCII C:\WINDOWS +#>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" +>>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s" +# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF +#>>>>72 ulelong >0 \b, at 0x%x +>>>>72 ulelong >0 \b, +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(72.l) lestring16 x OsLoaderPath "%s" +>>>>>4 ulelong&0x00000001 !0x00000001 +# seldom C:\ instead empty +>>>>>>(72.l) string x OsLoaderPath "%s" +# 1fdh +#>>>>76 uleshort x \b, StringTableHashBucketCount 0x%x +>>>>78 uleshort !0x407 \b, LanguageId %x +# only 407h found +#>>>>78 uleshort =0x407 \b, LanguageId %x +# InfSourcePathOffset often 0 +#>>>>80 ulelong >0 \b, at 0x%x +>>>>80 ulelong >0 \b, +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(80.l) lestring16 x SourcePath "%s" +>>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>>(80.l) string >\0 SourcePath "%s" +# OriginalInfNameOffset often 0 +#>>>>84 ulelong >0 \b, at 0x%x +>>>>84 ulelong >0 \b, +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(84.l) lestring16 x InfName "%s" +>>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>>(84.l) string >\0 InfName "%s" + diff --git a/magic/Magdir/wordprocessors b/magic/Magdir/wordprocessors index 024b57d..951f603 100644 --- a/magic/Magdir/wordprocessors +++ b/magic/Magdir/wordprocessors @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: wordprocessors,v 1.17 2013/02/06 14:18:52 christos Exp $ +# $File: wordprocessors,v 1.18 2013/06/03 19:07:29 christos Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: @@ -156,6 +156,11 @@ 0 string/w \ +0 string/w \