Diffstat (limited to 'contrib/file/magic')
140 files changed, 11261 insertions, 2254 deletions
diff --git a/contrib/file/magic/Magdir/acorn b/contrib/file/magic/Magdir/acorn index 37a4ed79e56e..427f8159d11e 100644 --- a/contrib/file/magic/Magdir/acorn +++ b/contrib/file/magic/Magdir/acorn @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: acorn,v 1.8 2021/04/26 15:56:00 christos Exp $ +# $File: acorn,v 1.9 2024/08/30 17:29:28 christos Exp $ # acorn: file(1) magic for files found on Acorn systems # @@ -67,36 +67,3 @@ >>8 byte x version %d, >>10 leshort =1 1 pattern >>10 leshort !1 %d patterns - -# 
From: Joerg Jenderek -# URL: https://www.kyzer.me.uk/pack/xad/#PackDir -# reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c -# GRR: line below is too general as it matches also "Git pack" in ./revision -0 string PACK\0 -# check for valid compression method 0-4 ->5 ulelong <5 -# https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems -# To skip "Git pack" version 0 test for root directory object like -# ADFS::RPC.$.websitezip.FONTFIX ->>9 string >ADFS\ PackDir archive (RISC OS) -# TrID labels above as "Acorn PackDir compressed Archive" -# compression mode y (0 - 4) for GIF LZW with a maximum n bits -# (y~n,0~12,1~13,2~14,3~15,4~16) ->>>5 ulelong+12 x \b, LZW %u-bits compression -# https://www.filebase.org.uk/filetypes -# !Packdir compressed archive has three hexadecimal digits code 68E -!:mime application/x-acorn-68E -!:ext pkd/bin -# null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo ->>>9 string x \b, root "%s" -# load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time ->>>>&1 ulelong x \b, load address %#x -# execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC ->>>>&5 ulelong x \b, exec address %#x -# attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) ->>>>&9 ulelong x \b, attributes %#x -# number of entries in this directory. for root dir 0 -#>>>&13 ulelong x \b, entries %#x -# the entries start here with object name ->>>>&17 string x \b, 1st object "%s" - diff --git a/contrib/file/magic/Magdir/adventure b/contrib/file/magic/Magdir/adventure index bd7f863be28b..fdf60a3f1128 100644 --- a/contrib/file/magic/Magdir/adventure +++ b/contrib/file/magic/Magdir/adventure 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: adventure,v 1.18 2019/04/19 00:42:27 christos Exp $ +# $File: adventure,v 1.19 2023/12/02 13:48:56 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin <earendil@faeryland.tamu-commerce.edu> @@ -10,6 +10,8 @@ # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. +# +# FIXME: Conflicts with Microsoft x.out big-endian and PDP-11 binaries (./xenix) 0 beshort 0x0206 ALAN game data >2 byte <10 version 2.6%d diff --git a/contrib/file/magic/Magdir/algol68 b/contrib/file/magic/Magdir/algol68 index 77016778ad78..81086dd5e82c 100644 --- a/contrib/file/magic/Magdir/algol68 +++ b/contrib/file/magic/Magdir/algol68 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: algol68,v 1.4 2021/08/15 06:00:55 christos Exp $ +# $File: algol68,v 1.7 2024/08/27 18:50:56 christos Exp $ # algol68: file(1) magic for Algol 68 source # # URL: https://en.wikipedia.org/wiki/ALGOL_68 @@ -9,15 +9,7 @@ 0 search/8192 (input, >0 use algol_68 # graph_2d.a68 -0 regex/4006 \^PROC -#>&-4 string x \b, dBase or Algol "%s" -# most xBase scripts *.prg with PROCEDURE like: Areacode BarCount Def_mens Vendors -#>&-4 string =PROCEDURE \b, dBase PROCEDURE -# skip xBase program scripts *.prg with PROCEDURE keyword -# keyword proc probably followed by white space used to specify algol procedures ->&-4 string !PROCEDURE ->>0 use algol_68 -0 regex/1024 \bMODE[\t\ ] +0 regex/4006 \^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]= >0 use algol_68 0 regex/1024 \bMODE[\t\ ] >0 use algol_68 diff --git a/contrib/file/magic/Magdir/android b/contrib/file/magic/Magdir/android index 63296d0ecfc5..c081ebc72635 100644 --- a/contrib/file/magic/Magdir/android +++ b/contrib/file/magic/Magdir/android 
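Review bot: The new `\^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]=` test in Magdir/algol68 has three adjacent classes that all accept whitespace, so a long run of blanks after `PROC` with no `=` can be split many ways before the match fails. On a backtracking regex implementation that is presumably quadratic work per candidate line, bounded only by the `/4006` range. Since file(1) is routinely run on untrusted input, a comment above the line would help, e.g. `# regex is ambiguous on whitespace runs; keep the /4006 bound and re-check timing if it is raised`. The removed `!PROCEDURE` guard for xBase scripts is now implied by requiring whitespace directly after `PROC`, which is worth stating in the same comment.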
@@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $ +# $File: android,v 1.26 2024/09/04 19:06:11 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -9,11 +9,11 @@ # Fixed to avoid regexec 17 errors on some dex files # From <diff@lookout.com> "Tim Strazzere" 0 string dex\n ->0 regex dex\n[0-9]{2}\0 Dalvik dex file ->4 string >000 version %s +>0 regex dex\n[0-9]{2} Dalvik dex file +>>4 string >000 version %s 0 string dey\n ->0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) ->4 string >000 version %s +>0 regex dey\n[0-9]{2} Dalvik dex file (optimized for host) +>>4 string >000 version %s # Android bootimg format # From https://android.googlesource.com/\ @@ -180,7 +180,9 @@ # In include/androidfw/ResourceTypes.h: # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). +# The strength is increased to avoid misidentifying as Targa image data 0 lelong 0x00080003 Android binary XML +!:strength +1 # Android cryptfs footer # From https://android.googlesource.com/\ 
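Review bot: In the Magdir/android dex and dey entries, `>>4 string >000 version %s` prints an unbounded string now that the regex no longer checks the `\0` after the digits, so the version text ends wherever the next NUL in the file happens to be. Bounding the format, `>>4 string >000 version %.3s`, keeps extra file-controlled bytes out of the description; this assumes the version field is three characters, which the hunk does not show. The regex also has no range, so as far as regex tests search forward from their offset, `dex\n` followed by two digits anywhere in the default window satisfies it.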
@@ -207,3 +209,51 @@ >8 string >000 dex section version: %s, >12 lelong >0 number of dex files: %d, >16 lelong >0 verifier deps size: %d + +# Disassembled DEX files +0 string/t .class\x20 +>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali) +!:ext smali + +# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileTranscoder.java +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileVersion.java +0 string pro\x00 +>4 regex 0[0-9][0-9] Android ART profile +!:ext prof +>>4 string 001\x00 \b, version 001 N +>>4 string 005\x00 \b, version 005 O +>>4 string 009\x00 \b, version 009 O MR1 +>>4 string 010\x00 \b, version 010 P +>>4 string 015\x00 \b, version 015 S +0 string prm\x00 +>0 regex 0[0-9][0-9] Android ART profile metadata +!:ext profm +>>4 string 001\x00 \b, version 001 N +>>4 string 002\x00 \b, version 002 + +# Android package resource table (ARSC): resources.arsc +# Reference: https://android.googlesource.com/platform/tools/base/\ +# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\ +# src/main/java/com/google/devrel/gmscore/tools/apk/arsc +# 00: resource table type = 0x0002 (2) + header size = 12 (2) +# 04: chunk size (4, skipped) +# 08: #packages (4) +0 ulelong 0x000c0002 Android package resource table (ARSC) +!:ext arsc +>8 ulelong !1 \b, %d packages +# 12: string pool type = 0x0001 (2) + header size = 28 (2) +# 16: chunk size (4, skipped) +# 20: #strings (4), #styles (4), flags (4) +>12 ulelong 0x001c0001 +>>20 ulelong !0 \b, %d string(s) +>>24 ulelong !0 \b, %d style(s) +>>28 ulelong &1 \b, sorted +>>28 ulelong &256 \b, utf8 + +# extracted APK Signing Block +-16 
string APK\x20Sig\x20Block\x2042 APK Signing Block diff --git a/contrib/file/magic/Magdir/animation b/contrib/file/magic/Magdir/animation index 28a0f2d217aa..0df435290a3a 100644 --- a/contrib/file/magic/Magdir/animation +++ b/contrib/file/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.88 2022/05/14 22:06:04 christos Exp $ +# $File: animation,v 1.98 2024/09/01 15:51:51 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -18,8 +18,8 @@ >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime -#4 string wide Apple QuickTime movie (unoptimized) -#!:mime video/quicktime +4 string wide Apple QuickTime movie (unoptimized) +!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) @@ -30,8 +30,6 @@ #!:mime image/x-quicktime 4 string pckg Apple QuickTime compressed archive !:mime application/x-quicktime-player -4 string/W jP JPEG 2000 image -!:mime image/jp2 #### MP4 #### # https://www.ftyps.com/ with local additions @@ -39,6 +37,7 @@ 4 string ftyp ISO Media # https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +!:mime video/mp4 >>96 string x \b, Audio "%.4s" >>118 beshort x at %dHz >>140 string x \b, Video "%.4s" @@ -168,6 +167,7 @@ # ?/enc-isoff-generic >8 string iso \b, MP4 Base Media !:mime video/mp4 +!:ext mp4 >>11 string m v1 [ISO 14496-12:2003] >>11 string 2 v2 [ISO 14496-12:2005] >>11 string 4 v4 
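Review bot: The `prm\x00` entry tests `>0 regex 0[0-9][0-9]` while its `pro\x00` sibling tests `>4 regex 0[0-9][0-9]`; both read the version with `>>4 string 001\x00` children, so the offset 0 in the metadata entry looks like a slip. Neither regex has a range, so any `0dd` sequence in the default search window labels a file that merely starts with `pro\0` or `prm\0` as an ART profile. Pinning both to the field, for example `>4 regex/3 0[0-9][0-9]`, would make the two entries consistent and stop the scan at the version bytes. The ARSC counters in the same hunk are typed `ulelong` but printed with `%d`; `%u` matches the type.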
@@ -542,36 +542,36 @@ >>2 byte&0xF0 !0xF0 MPEG ADTS, layer III, v1 !:strength +20 !:mime audio/mpeg ->2 byte&0xF0 0x10 \b, 32 kbps ->2 byte&0xF0 0x20 \b, 40 kbps ->2 byte&0xF0 0x30 \b, 48 kbps ->2 byte&0xF0 0x40 \b, 56 kbps ->2 byte&0xF0 0x50 \b, 64 kbps ->2 byte&0xF0 0x60 \b, 80 kbps ->2 byte&0xF0 0x70 \b, 96 kbps ->2 byte&0xF0 0x80 \b, 112 kbps ->2 byte&0xF0 0x90 \b, 128 kbps ->2 byte&0xF0 0xA0 \b, 160 kbps ->2 byte&0xF0 0xB0 \b, 192 kbps ->2 byte&0xF0 0xC0 \b, 224 kbps ->2 byte&0xF0 0xD0 \b, 256 kbps ->2 byte&0xF0 0xE0 \b, 320 kbps +>>>2 byte&0xF0 0x10 \b, 32 kbps +>>>2 byte&0xF0 0x20 \b, 40 kbps +>>>2 byte&0xF0 0x30 \b, 48 kbps +>>>2 byte&0xF0 0x40 \b, 56 kbps +>>>2 byte&0xF0 0x50 \b, 64 kbps +>>>2 byte&0xF0 0x60 \b, 80 kbps +>>>2 byte&0xF0 0x70 \b, 96 kbps +>>>2 byte&0xF0 0x80 \b, 112 kbps +>>>2 byte&0xF0 0x90 \b, 128 kbps +>>>2 byte&0xF0 0xA0 \b, 160 kbps +>>>2 byte&0xF0 0xB0 \b, 192 kbps +>>>2 byte&0xF0 0xC0 \b, 224 kbps +>>>2 byte&0xF0 0xD0 \b, 256 kbps +>>>2 byte&0xF0 0xE0 \b, 320 kbps # timing ->2 byte&0x0C 0x00 \b, 44.1 kHz ->2 byte&0x0C 0x04 \b, 48 kHz ->2 byte&0x0C 0x08 \b, 32 kHz +>>>2 byte&0x0C 0x00 \b, 44.1 kHz +>>>2 byte&0x0C 0x04 \b, 48 kHz +>>>2 byte&0x0C 0x08 \b, 32 kHz # channels/options ->3 byte&0xC0 0x00 \b, Stereo ->3 byte&0xC0 0x40 \b, JntStereo ->3 byte&0xC0 0x80 \b, 2x Monaural ->3 byte&0xC0 0xC0 \b, Monaural -#>1 byte ^0x01 \b, Data Verify -#>2 byte &0x02 \b, Packet Pad -#>2 byte &0x01 \b, Custom Flag -#>3 byte &0x08 \b, Copyrighted -#>3 byte &0x04 \b, Original Source -#>3 byte&0x03 1 \b, NR: 50/15 ms -#>3 byte&0x03 3 \b, NR: CCIT J.17 +>>>3 byte&0xC0 0x00 \b, Stereo +>>>3 byte&0xC0 0x40 \b, JntStereo +>>>3 byte&0xC0 0x80 \b, 2x Monaural +>>>3 byte&0xC0 0xC0 \b, Monaural +#>>>1 byte ^0x01 \b, Data Verify +#>>>2 byte &0x02 \b, Packet Pad +#>>>2 byte &0x01 \b, Custom Flag +#>>>3 byte &0x08 \b, Copyrighted +#>>>3 byte &0x04 \b, Original Source +#>>>3 byte&0x03 1 \b, NR: 50/15 ms +#>>>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M1A 0 
beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1 @@ -855,7 +855,7 @@ # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm -#>1 beshort&0x1FFF x \b, %hu byte packet +#>1 beshort&0x1FFF x \b, %u byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams @@ -927,16 +927,26 @@ # # from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 (ISO 13818.1) # syncbyte 8 bit 0x47 -# error_ind 1 bit - -# payload_start 1 bit 1 -# priority 1 bit - -# PID 13 bit 0x0000 -# scrambling 2 bit - -# adaptfld_ctrl 2 bit 1 or 3 -# conti_count 4 bit - -0 belong&0xFF5FFF10 0x47400010 ->188 byte 0x47 MPEG transport stream data +# 188 bytes per packet +0 byte 0x47 +>188 byte 0x47 +>>376 byte 0x47 +>>>564 byte 0x47 +>>>>752 byte 0x47 MPEG transport stream data !:mime video/MP2T +!:ext ts + +# Blu-ray disc Audio-Video MPEG-2 transport stream +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/MPEG_transport_stream +# Note: similar to ISO 13818.1 but with 4 extra bytes per packets +4 byte 0x47 +>196 byte 0x47 +>>388 byte 0x47 +>>>580 byte 0x47 +>>>>772 byte 0x47 BDAV MPEG-2 Transport Stream (M2TS) +!:mime video/MP2T +!:ext m2ts/mts # DIF digital video file format <mpruett@sgi.com> 0 belong&0xffffff00 0x1f070000 DIF 
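Review bot: The rewritten transport-stream test in Magdir/animation accepts any file with byte 0x47 at offsets 0, 188, 376, 564 and 752, and the removed mask on the first header (payload_start, PID 0, adaptation field) is not replaced by any other structural check. That makes `video/MP2T` easy to hit by coincidence or by construction, and streams shorter than five packets are no longer recognised at all; the BDAV entry at offset 4 has the same shape. A comment recording the trade-off would help downstream users who filter on this MIME type, e.g. `# sync bytes only: 5 packets required, header flags not validated`.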
@@ -1185,3 +1195,56 @@ >30 lelong x \b, height: %d >34 lelong x \b, %d bit >38 lelong x \b, frames: %d + +# https://wiki.multimedia.cx/index.php/Duck_IVF +0 string DKIF Duck IVF video file +!:mime video/x-ivf +>4 leshort >0 \b, version %d +>8 string x \b, codec %s +>12 leshort x \b, %d +>14 leshort x \bx%d +>24 lelong >0 \b, %d frames + + +# libplacebo cache file +# https://libplacebo.org +0 string pl_cache libplacebo cache +>8 ulelong x \b, version %u +>12 ulelong =0 \b, empty +>12 ulelong =1 \b, 1 entry +>12 ulelong >1 \b, %u entries + +>4 byte 1 \b, version 3.00.00 +>4 byte 2 \b, version 3.03.00 +>4 byte 3 \b, version 4.00.00 +>4 byte 4 \b, version 4.02.00 +>4 byte 5 \b, version 5.00.00 + +# live2d: file(1) magic for Live2D Cubism file formats +# https://www.live2d.com/en/ +0 string/4 MOC3 Live2D Cubism MOC3 +>4 byte 0 \b, SDK version invalid/unknown (%d) +>4 byte 1 \b, SDK version 3.0.00 - 3.2.07 (%d) +>4 byte 2 \b, SDK version 3.3.00 - 3.3.03 (%d) +>4 byte 3 \b, SDK version 4.0.00 - 4.1.05 (%d) +>4 byte 4 \b, SDK version 4.2.00 - 4.2.02 (%d) +>4 byte 5 \b, SDK version 5.0.00 (%d) +>4 byte >5 \b, SDK version unknown (%d) +>5 byte 0 \b, little endian +>5 byte >0 \b, big endian +!:mime application/x-moc3-data +!:ext moc3 + +0 string/4 CAFF Live2D Cubism archive +>4 ubyte x version %d +>&0 ubyte x \b.%d +>&1 ubyte x \b.%d +>7 string/4 =---- \b, standard format +>7 string/4 !---- \b, unknown format (%.4s) +>11 ubyte x version %d +>&0 ubyte x \b.%d +>&1 ubyte x \b.%d +>14 belong =0 \b, no obfuscation +>14 belong !0 \b, XOR obfuscation key %d +!:mime application/x-cubism-archive +!:ext cmo3/can3 diff --git a/contrib/file/magic/Magdir/apple b/contrib/file/magic/Magdir/apple index 4b249bf8a327..72e665f43625 100644 --- a/contrib/file/magic/Magdir/apple +++ b/contrib/file/magic/Magdir/apple 
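Review bot: The five lines `>4 byte 1 \b, version 3.00.00` through `>4 byte 5 \b, version 5.00.00` that follow the libplacebo entry are continuation lines of `0 string pl_cache`, and byte 4 of that magic string is the letter `a`, so none of them can ever match. They look like a leftover draft of the MOC3 version table that comes next and should be deleted. Separately, `!:mime` and `!:ext` for MOC3 and CAFF are placed after the last continuation line rather than directly after the `0 string/4 ...` line. They appear to bind to that continuation, so the MIME type would only be reported when `>5 byte >0` or `>14 belong !0` matches; moving them up under the top-level line avoids that.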
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.45 2021/04/26 15:56:00 christos Exp $ +# $File: apple,v 1.51 2024/09/04 19:06:12 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -11,23 +11,41 @@ 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file +# Type: Apple Emulator A2R format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/a2r2-reference/ +# Ref: https://applesaucefdc.com/a2r/ +0 string A2R +>3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image +>>0 use applesauce +>3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image +>>0 use applesauce +>3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image +>>0 use applesauce + +0 name applesauce +>8 string INFO +>>49 byte 01 \b, 5.25″ SS 40trk +>>49 byte 02 \b, 3.5″ DS 80trk +>>49 byte 03 \b, 5.25″ DS 80trk +>>49 byte 04 \b, 5.25″ DS 40trk +>>49 byte 05 \b, 3.5″ DS 80trk +>>49 byte 06 \b, 8″ DS +>>50 byte 01 \b, write protected +>>51 byte 01 \b, cross track synchronized +>>17 string/T x \b, %.32s + # Type: Apple Emulator WOZ format # 
From: Greg Wildman <greg@apple2.org.za> # Ref: https://applesaucefdc.com/woz/reference/ # Ref: https://applesaucefdc.com/woz/reference2/ -# -# Note: The following test are mostly identical. I would rather not -# use a regex to identify the WOZ format number. -0 string WOZ1 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image ->12 string INFO ->>21 byte 01 \b, 5.25 inch ->>21 byte 02 \b, 3.5 inch ->>22 byte 01 \b, write protected ->>23 byte 01 \b, cross track synchronized ->>25 string/T x \b, %.32s -0 string WOZ2 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image +0 string WOZ +>3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +>>0 use applewoz +>3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image +>>0 use applewoz + +0 name applewoz >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch @@ -35,6 +53,19 @@ >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s +# Type: Apple Macintosh Emulator MOOF format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/moof-reference/ +0 string MOOF +>4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image +>>12 string INFO +>>>21 byte 01 \b, SSDD GCR (400K) +>>>21 byte 02 \b, DSDD GCR (800K) +>>>21 byte 03 \b, DSHD MFM (1.44M) +>>>22 byte 01 \b, write protected +>>>23 byte 01 \b, cross track synchronized +>>>25 string/T x \b, %.32s + # Type: Apple Emulator disk images # From: Greg Wildman <greg@apple2.org.za> # ProDOS boot loader? 
@@ -43,29 +74,79 @@ >0x400 string \x00\x00\x03\x00 >>0x404 byte &0xF0 >>>0x405 string x \b, Volume /%s ->>>0x429 leshort x \b, %u Blocks +>>>0x429 uleshort x \b, %u Blocks # ProDOS ordered ? >0xb00 string \x00\x00\x03\x00 >>0xb04 byte &0xF0 >>>0xb05 string x \b, Volume /%s ->>>0xb29 leshort x \b, %u Blocks +>>>0xb29 uleshort x \b, %u Blocks # -# DOS3.3 boot loader? -0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B ->0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.2 ? ->0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.1 ? ->0x11001 string \x11\x0C\x01 ->>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image +# Proboot HD +0 string \x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\xA8\x8A\x20\x7B\xF8\x29\x07\x09\xC0\x99\x30 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x4A\xD0\x34\xE6\x3D\x8A\x20\x7B\xF8\x09\xC0 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# ProDOS formatted +0 string \x01\xBD\x88\xC0\x20\x2F\xFB\x20\x58\xFC\x20\x40 Apple ProDOS 
Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x38\xB0\x03\x4C\x1C\x09\x78\x86\x43\xC9\x03 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# DOS3 boot loader +0 string \x01\xA5\x27\xC9\x09\xD0 +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Image +>>0x11006 ubyte x \b, Volume #%03u +>>0x11034 ubyte x \b, %u Tracks +>>0x11035 ubyte x \b, %u Sectors +>>0x11036 uleshort x \b, %u bytes per sector +# +# DOS3 uninitialized disk +0 string \x01\xA6\x2B\xBD\x88\xC0\x8A\x4A\x4A +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Unbootable Image +>>>0x11006 ubyte x \b, Volume #%03u +>>>0x11034 ubyte x \b, %u Tracks +>>>0x11035 ubyte x \b, %u Sectors +>>>0x11036 uleshort x \b, %u bytes per sector # # Pascal boot loader? 0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD @@ -112,9 +193,68 @@ >>0x440 string \x00\x00\x03\x00 >>>0x444 byte &0xF0 >>>>0x445 string x \b, Volume /%s ->>>>0x469 leshort x \b, %u Blocks +>>>>0x469 uleshort x \b, %u Blocks >0xc byte 02 \b, NIB data +# Type: Peter Ferrie QBoot +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/qboot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image +# Type: Peter Ferrie 0Boot +# 
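Review bot: The new DOS 3 boot loader test in Magdir/apple matches on a six-byte prefix plus a single `0x11` at 0x11001 and then prints whatever byte sits at 0x11003 as the minor version, where the removed code required the exact triples `\x11\x0F\x03`, `\x11\x0C\x02` and `\x11\x0C\x01`. An image with any other value there is reported as e.g. "Apple DOS 3.255 Image"; a range guard such as `>>0x11003 ubyte <4`, with the description line nested under it, would keep the looser prefix without printing an unchecked value. The eight-line Volume/Blocks block is also repeated verbatim under each of the five new ProDOS signatures; a `name`/`use` pair, as this commit already does for `applewoz`, would remove the duplication.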
From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/0boot +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image + +# Different proprietary boot sectors +0 string \x01\x0F\x21\x74\x00\x01\x6B\x00\x02\x30\x81\x5D Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xA2\x00\x8E\x78\x04\x8E\xF4\x03 Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xAD\x51\xC0\xAD\x54\xC0\xA6\x2B Apple ][ Disk Image +0 string \x01\x20\x89\xFE\x20\x93\xFE\xA6\x2B\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x25\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x2D\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x38\x90\x2A\xC9\x01\xF0\x33\xA8\xC8\xC0\x10 Apple ][ Disk Image +0 string \x01\x38\xB0\x03\x4C\x32\xA1\x87\x43\xC9\x03\x08 Apple ][ Disk Image +0 string \x01\x4C\x04\x08\xA9\x2A\x8D\x02\x08\x86\x2B\xEE Apple ][ Disk Image +0 string \x01\x4C\x60\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x4C\x92\x08\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\x4C\xB3\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x8D\xFB\x03\x8E\xFC\x03\x8C\xFD\x03\x8A\x29 Apple ][ Disk Image +0 string \x01\xA2\xFF\x9A\xD8\x20\x20\x08\x20\x34\x08\xAD Apple ][ Disk Image +0 string \x01\xA5\x27\xBD\x88\xC0\x2C\x10\xC0\xA2\x00\xA9 Apple ][ Disk Image +0 string \x01\xA5\x2B\xAE\x51\xC0\xEA\xAA\xBD\x88\xC0\x20 Apple ][ Disk Image +0 string \x01\xA6\x27\xBD\x0B\x08\x48\xBD\x0A\x08\x48\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x01\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x25\x85 Apple ][ Disk Image +0 string \x01\xA8\xC0\x0F\x90\x16\xF0\x12\xA0\xFF\x18\xAD Apple ][ Disk Image +0 string \x01\xA9\x00\x85\xF0\xA9\x04\x85\xF1\xA0\x00\xA9 Apple ][ Disk Image +0 string \x01\xA9\x5C\x8D\xF2\x03\xA9\xC6\x8D\xF3\x03\x49 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x2F\xFB\x20\x58\xFC Apple ][ 
Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x49\x08\xA9\x0A\x85 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x2C\x82\xC0\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x86\x43\x8A\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\x86\xFF\xB5\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xB2\x8D\xF2\x03\xA9 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xFF\x8D\xF3\x03\x8D Apple ][ Disk Image +0 string \x01\xAC\x00\x08\xF0\x19\xB9\x30\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAC\x23\x08\x30\x2E\xB9\x24\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAD\x00\x08\xC9\x09\xB0\x20\x69\x02\x8D\x00 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\x86\x2B\x8A\x4A Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\xA9\xF5\x8D\xF2 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3F\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x48\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x09\xC0\x8D Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x8D\x2F\x08 Apple ][ Disk Image +0 string \x01\xD8\x2C\x81\xC0\xA9\x60\x4D\x58\xFF\xD0\xFE Apple ][ Disk Image +0 string \x01\xD8\x78\xBD\x88\xC0\xA9\xFD\x85\x37\x85\x39 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\x16\x09\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xCB\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEE\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEF\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x70\xB0\x04\xE0\x40\xB0\x39\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xEA\x8D\xF4\x03\xA9\x60\x9D\x88\xC0\x8D\x51 Apple ][ Disk Image + # magic for Newton PDA package formats # from Ruda Moura <ruda@helllabs.org> 0 string 
package0 Newton package, NOS 1.x, @@ -291,7 +431,13 @@ #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson <toby@apple.com> +# From https://www.nationalarchives.gov.uk/pronom/fmt/866 +0 string bplist00 +>8 search/500 WebMainResource Apple Safari Webarchive +!:mime application/x-webarchive +!:strength +50 0 string bplist00 Apple binary property list +!:mime application/x-bplist # Apple binary property list (bplist) # Assumes version bytes are hex. @@ -299,22 +445,22 @@ # object is the first object (true for CoreFoundation implementation). # 
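Review bot: The 0Boot line `>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image` repeats the QBoot signature byte for byte and sits at the same level under the same `0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9` parent, so every match prints both descriptions and the two loaders cannot be told apart. One of the two lines needs the bytes that actually differ, taken from the referenced 0boot source; the hunk does not show which line is wrong. The 12-byte signatures that follow all map to the same "Apple ][ Disk Image" text, so a one-line comment saying where they were collected from would make later pruning possible.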
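Review bot: The Safari Webarchive test only looks for `WebMainResource` within `search/500` of offset 8, and anything that misses falls through to the generic `Apple binary property list` entry with `application/x-bplist`. Whether that key always lands in the first 500 bytes is not shown here, so a consumer that handles webarchives (which carry page content and scripts) differently from plain plists should not rely on this label alone. A comment would make the limit visible: `# best effort: key must appear within 500 bytes of offset 8, otherwise reported as plain bplist`.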
From: David Remahl <dremahl@apple.com> 0 string bplist ->6 byte x \bCoreFoundation binary property list data, version %#c +>6 byte x CoreFoundation binary property list data, version %#c >>7 byte x \b%c ->6 string 00 \b ->>8 byte&0xF0 0x00 \b ->>>8 byte&0x0F 0x00 \b, root type: null ->>>8 byte&0x0F 0x08 \b, root type: false boolean ->>>8 byte&0x0F 0x09 \b, root type: true boolean ->>8 byte&0xF0 0x10 \b, root type: integer ->>8 byte&0xF0 0x20 \b, root type: real ->>8 byte&0xF0 0x30 \b, root type: date ->>8 byte&0xF0 0x40 \b, root type: data ->>8 byte&0xF0 0x50 \b, root type: ascii string ->>8 byte&0xF0 0x60 \b, root type: unicode string ->>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) ->>8 byte&0xF0 0xa0 \b, root type: array ->>8 byte&0xF0 0xd0 \b, root type: dictionary +>>6 string 00 \b +>>>8 byte&0xF0 0x00 \b +>>>>8 byte&0x0F 0x00 \b, root type: null +>>>>8 byte&0x0F 0x08 \b, root type: false boolean +>>>>8 byte&0x0F 0x09 \b, root type: true boolean +>>>8 byte&0xF0 0x10 \b, root type: integer +>>>8 byte&0xF0 0x20 \b, root type: real +>>>8 byte&0xF0 0x30 \b, root type: date +>>>8 byte&0xF0 0x40 \b, root type: data +>>>8 byte&0xF0 0x50 \b, root type: ascii string +>>>8 byte&0xF0 0x60 \b, root type: unicode string +>>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) +>>>8 byte&0xF0 0xa0 \b, root type: array +>>>8 byte&0xF0 0xd0 \b, root type: dictionary # Apple/NeXT typedstream data # Serialization format used by NeXT and Apple for various @@ -339,7 +485,6 @@ # 0 string caff CoreAudio Format audio file >4 beshort <10 version %d ->6 beshort x #------------------------------------------------------------------------------ 
@@ -491,9 +636,107 @@ # Usually not in separate files, but have either filename rsrc with # no extension, or a filename corresponding to another file, with # extensions rsr/rsrc +# URL: http://fileformats.archiveteam.org/wiki/Macintosh_resource_file +# https://en.wikipedia.org/wiki/Resource_fork +# Reference: https://github.com/kreativekorp/ksfl/wiki/Macintosh-Resource-File-Format +# http://developer.apple.com/legacy/mac/library/documentation/mac/pdf/MoreMacintoshToolbox.pdf +# https://formats.kaitai.io/resource_fork/ +# Update: Joerg Jenderek +# Note: verified often by command like `deark -m macrsrc Icon_.rsrc` +# offset of resource data; usually starts at offset 0x0100 0 string \000\000\001\000 ->4 leshort 0 ->>16 lelong 0 Apple HFS/HFS+ resource fork +# skip NPETraceSession.etl with invalid "low" map offset 0 +>4 ubelong >0xFF +# skip few Atari DEGAS Elite bitmap (eil2.pi1 nastro.pi1) with ivalid "high" 0x6550766 0x7510763 map length +>>12 ubelong <0x8001 +# most examples with zeroed system reserved field +>>>16 lelong =0 +>>>>0 use apple-rsr +# few samples with not zeroed system reserved field like: Empty.rsrc.rsr OpenSans-CondBold.dfont +>>>16 lelong !0 +# resource fork variant with not zeroed system reserved field and copy of header +>>>>(4.L) ubelong 0x100 +# GRR: the line above only works if in ../../src/file.h FILE_BYTES_MAX is raised from 1 MiB above 0x6ab0f4 (HelveticaNeue.dfont) +>>>>>0 use apple-rsr +# data fork variant with not zeroed system reserved field and no copy of header +>>>>(4.L) ubelong 0 +>>>>>0 use apple-rsr +# Note: moved and merged from ./macintosh +# 
From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +# display information about Mac OSX datafork font DFONT +0 name apple-dfont +>(4.L+30) ubelong x Mac OSX datafork font, +# https://en.wikipedia.org/wiki/Datafork_TrueType +!:mime application/x-dfont +!:ext dfont +# https://exiftool.org/TagNames/RSRC.html +>(4.L+30) ubelong 0x73666e74 TrueType +>(4.L+30) ubelong 0x464f4e54 'FONT' +>(4.L+30) ubelong 0x4e464e54 'NFNT' +>(4.L+30) ubelong 0x504f5354 PostScript +>(4.L+30) ubelong 0x464f4e44 'FOND' +>(4.L+30) ubelong 0x76657273 'vers' +# display information about Macintosh resource +0 name apple-rsr +>(4.L+30) ubelong 0x73666e74 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x4e464e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x504f5354 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e44 +>>0 use apple-dfont +>(4.L+30) ubelong 0x76657273 +>>0 use apple-dfont +>(4.L+30) default x Apple HFS/HFS+ resource fork +#!:mime application/octet-stream +!:mime application/x-apple-rsr +!:ext rsrc/rsr +# offset to resource data; usually starts at offset 0x0100 +>0 ubelong !0x100 \b, data offset %#x +# offset to resource map; positive but not nil like in NPETraceSession.etl +>4 ubelong x \b, map offset %#x +# length of resource map; positive with 32K limitation but not +# nil like in NPETraceSession.etl or high like 0x7510763 in nastro.pi1 +>12 ubelong x \b, map length %#x +# length of resource data; positive but not nil like in NPETraceSession.etl +>8 ubelong x \b, data length %#x +# reserved 112 bytes for system use; apparently often nil, but 8fd20000h in Empty.rsrc.rsr and 0x00768c2b in OpenSans-CondBold.dfont +>16 ubelong !0 \b, at 16 %#8.8x +# https://fontforge.org/docs/techref/macformats.html +# jump to 
resource map +# a copy of resource header or 16 bytes of zeros for data fork +#>(4.L) ubelong x \b, DATA offset %#x +#>(4.L+4) ubelong x \b, MAP offset %#x +#>(4.L+8) ubelong x \b, DATA length %#x +#>(4.L+12) ubelong x \b, MAP length %#x +# nextResourceMap; handle to next resource map; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+16) ubelong !0 \b, nextResourceMap %#x +# fileRef; file reference number; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+20) ubeshort !0 \b, fileRef %#x +# attributes; Resource fork attributes (80h~read-only 40h~compression needed 20h~changed); other bits are reserved and should be zero +>(4.L+22) ubeshort !0 \b, attributes %#x +# typeListOffset; offset from resource map to start of type list like: 1Ch +>(4.L+24) ubeshort x \b, list offset %#x +# nameListOffset; offset from esource map to start of name list like: 32h 46h 56h (XLISP.RSR XLISPTIN.RSR) 13Eh (HelveticaNeue.dfont) +>(4.L+26) ubeshort x \b, name offset %#x +# typeCount; number of types in the map minus 1; If there are no resources, this is 0xFFFF +>(4.L+28) beshort+1 >0 \b, %u type +# plural s +>>(4.L+28) beshort+1 >1 \bs +# resource type list array; 1st resource type like: ALRT CODE FOND MPSR icns scsz +>>(4.L+30) ubelong x \b, %#x +>>(4.L+30) string x '%-.4s' +# resourceCount; number of this type resources minus one. If there is one resource of this type, this is 0x0000 +>>(4.L+34) beshort+1 x * %d +# resourceListOffset; offset from type list to resource list like: Ah 12h DAh +>(4.L+36) ubeshort x resource offset %#x #https://en.wikipedia.org/wiki/AppleScript 0 string FasdUAS AppleScript compiled diff --git a/contrib/file/magic/Magdir/archive b/contrib/file/magic/Magdir/archive index fb535ac0ff26..b920f9930f41 100644 --- a/contrib/file/magic/Magdir/archive +++ b/contrib/file/magic/Magdir/archive 
@@ -1,5 +1,5 @@
 #------------------------------------------------------------------------------
-# $File: archive,v 1.162 2022/05/27 21:27:59 christos Exp $
+# $File: archive,v 1.207 2024/11/27 15:37:46 christos Exp $
 # archive: file(1) magic for archive formats (see also "msdos" for self-
 # extracting compressed archives)
 #
@@ -25,7 +25,49 @@ >>>>>>155 ubyte&0xDF =0 # space or ascii digit 0 at start of check sum >>>>>>>148 ubyte&0xEF =0x20 ->>>>>>>>0 use tar-file +# check for specific 1st member name that indicates other mime type and file name suffix +>>>>>>>>0 string TpmEmuTpms/permall +# maybe also look for 2nd tar member efi/nvram containing UEFI variables part +#>>>>>>>>>512 search/0x1800 efi/nvram\0 EFI_PART_FOUND +>>>>>>>>>0 use tar-nvram +# FOR DEBUGGING: +#>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s" +# check for 1st image main name with digits used for sorting +# and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP +>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) +>>>>>>>>>0 use tar-cbt +# check for 1st member name with ovf suffix +>>>>>>>>0 regex \^.{1,96}[.](ovf) +>>>>>>>>>0 use tar-ova +# look for relative directory ./var/ or ./lte/ as 1st member name that indicates AVM firmware with other file name suffix +>>>>>>>>0 ubequad&0xFFffE5eaE8ffFFff 0x2e2f6460602f0000 +>>>>>>>>>0 use tar-avm +# maybe look for AVM specific 2nd name entry +# >>>>>>>>>517 string /content\0 content~ +# >>>>>>>>>>0 use tar-avm +# >>>>>>>>>517 string /install\0 install~ +# >>>>>>>>>>0 use tar-avm +# >>>>>>>>>517 string /chksum\0 chksum~ +# >>>>>>>>>>0 use tar-avm +# >>>>>>>>>517 string /modfw.nfo\0 modfw~ +# >>>>>>>>>>0 use tar-avm +# most (419/429) *.WBM (71/71) *.WBT with user name jcameron of Webmin developer Jamie Cameron in first tar archive member +>>>>>>>>265 string jcameron +>>>>>>>>>0 use tar-webmin +# if 1st member name without digits and without used image suffix, without *.ovf, +# ./var/ , ./lte/ and TpmEmuTpms/ then it is a pure TAR archive or Webmin without jcameron user name +>>>>>>>>0 default x +# few (10/429) *.WBM without user name jcameron in 1st tar member but with WBM module.info name like: +# apcupsd-0.81-2.wbm csavupdate.wbm cwmail.wbm dac960.wbm etcupdate.wbm logviewer.wbm memcached.wbm rinetd.wbm shoutcast.wbm 
vacationadmin-webmin-module-1.1.2.wbm +# few (10/95) *.WBT without user name jcameron in 1st tar member but with WBT theme.info name like: +# authentic-theme-21.09.5.wbt Mozilla-Modern.wbt virtual-server-theme-2.7.wbt fkn-webmintheme.0.6.0.wbt +>>>>>>>>>512 search/210965/s e.info\0 +>>>>>>>>>>0 use tar-webmin +# pure TAR +>>>>>>>>>0 default x +>>>>>>>>>>0 use tar-file +# Note: called "TAR - Tape ARchive" by TrID, "Tape Archive Format" by DROID via PUID x-fmt/265 +# and "Tar archive" by shared MIME-info database from freedesktop.org # minimal check and then display tar archive information which can also be # embedded inside others like Android Backup, Clam AntiVirus database 0 name tar-file @@ -75,7 +117,11 @@ >>261 default x tar archive (unknown ustar) !:mime application/x-ustar !:ext tar/ustar -# type flag of 1st tar archive member +# show information for 1st tar archive member +>0 use tar-entry +# display information of tar archive member (file type, name, permissions, user, group) +0 name tar-entry +# type flag of tar archive member #>156 ubyte x \b, %c-type >156 ubyte x >>156 ubyte 0 \b, file @@ -131,7 +177,7 @@ >>265 string >\0 \b, user %-.32s # group name null terminated >>297 string >\0 \b, group %-.32s -# device major minor if not zero +# device major minor if not zero (binary or ASCII) >>329 ubequad&0xCFCFCFCFcFcFcFdf !0 >>>329 string x \b, devmaj %-.7s >>337 ubequad&0xCFCFCFCFcFcFcFdf !0 
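Review bot: The comic-book test `>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp)` is described in the comment above it as case insensitive (PNG JPG JPEG ...), but the regex carries no `/c` flag, so as written a first member named like 0001.PNG would fall through to the later branches. If upper-case suffixes are meant to match, the test should be `regex/c` with the same pattern, and likewise the commented debugging line. Because the MIME type reported for a tar archive now depends on the name of its first member, a short comment that tar-cbt, tar-ova, tar-avm, tar-nvram and tar-webmin are still tar containers would help anyone who filters on application/x-tar.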
@@ -146,6 +192,132 @@ >>508 default x # padding[255] in old tar sometimes comment field >>>257 string >\0 \b, comment: %-.40s +# Summary: VirtualBox NvramFile with UEFI variables packed inside TAR archive +# URL: hhttps://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nvram-virtualbox-tar.trid.xml +# Note: called "VirtualBox saved (U)EFI BIOS settings (TAR) by TrID and +# verified by 7-Zip `7z l -ttar Mint-21.1.nvram` and +# VirtualBox `VBoxManage modifynvram "Mint-21.1" listvars` +0 name tar-nvram +# +>0 string x VirtualBox NVRAM file +#!:mime application/x-gtar +!:mime application/x-virtualbox-nvram +!:ext nvram +# first name[100] like: TpmEmuTpms/permall +>0 use tar-entry +# 2nd tar member efi/nvram contains UEFI variables part described by ./virtual +>512 search/0x1800/s efi/nvram\0 +>>&0 use tar-entry +# 2nd tar member efi/nvram content could be described by ./virtual +#>>&512 indirect x +# Summary: Comic Book Archive *.CBT with TAR format +# URL: https://en.wikipedia.org/wiki/Comic_book_archive +# http://fileformats.archiveteam.org/wiki/Comic_Book_Archive +# Note: there exist also RAR, ZIP, ACE and 7Z packed variants +0 name tar-cbt +>0 string x Comic Book archive, tar archive +#!:mime application/x-tar +!:mime application/vnd.comicbook +#!:mime application/vnd.comicbook+tar +!:ext cbt +# name[100] probably like: 19.jpg 0001.png 0002.png +# or maybe like ComicInfo.xml +#>0 string >\0 \b, 1st image %-.60s +>0 use tar-entry +# Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA +# 
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format +# http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml +# Note: called "Open Virtualization Format package" by TrID +# assuming *.ovf comes first +0 name tar-ova +>0 string x Open Virtualization Format Archive +#!:mime application/x-ustar +# http://extension.nirsoft.net/ova +!:mime application/x-virtualbox-ova +!:ext ova +# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf +#>0 string >\0 \b, with %-.60s +>0 use tar-entry +# Summary: AVM firmware (FRITZ!OS) for the FRITZ!Box (router) +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Fritz!Box +# https://www.redteam-pentesting.de/de/advisories/rt-sa-2014-010/-avm-fritz-box-firmware-signature-bypass +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/image-avm.trid.xml +# Note: verified by 7-Zip `7z l -ttar FRITZ.Box_4040-07.57.image` +0 name tar-avm +>0 string x AVM FRITZ!Box firmware +#!:mime application/x-gtar +!:mime application/x-avm-image +!:ext image +# tar member ./var/content starts with line like "Product=Fritz_Box_HW227 (FRITZ!Box 4040)" +>>1024 search/512 Product=Fritz_Box_ +>>>&0 string x %s +# version string like: 07.57 07.58 +>>>1044 search Version= \b, version +>>>>&0 string x %s +# product phrase too far behind (dozen MB) in many samples like: FRITZ.Box_4040-07.12.image FRITZ.Box_6820v3_LTE-07.57.image +# so try to look for other characteristic foo +# >>1024 default x OTHER_PATTERN! +# >>>1023 search AVM_PATTERN PATTERNfound +# first name[100] like: ./var/ ./lte/ +>0 use tar-entry +# if 1st entry is directory then show 2nd entry +>156 ubyte 0x35 +# 2nd tar member name like: ./var/content (often ) ./var/install ./var/chksum ./lte/modfw.nfo +>>512 use tar-entry +# Summary: Webmin Module or Theme +# 
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Webmin +# https://webmin.com/docs/development/creating-modules/ +# https://webmin.com/docs/development/creating-themes/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wbm.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/w/wbt.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/w/wbt-gif.trid.xml +# Note: called "Webmin Module" "Webmin Theme" by TrID +# most verfied by 7-Zip `7z l -ttar *.wbm | grep "\module.info"` and +# `7z l -ttar *.wbt | grep "\theme.info"` +0 name tar-webmin +>0 string x Webmin +# Webmin module or theme +>>512 search/1767941/s /module.info Module +!:mime application/x-webmin-module +!:ext wbm +# According to documentation module.info is mandatory but instead theme.info is found in +# old-blue-theme.wbm old-blue-theme-1.0.wbm old-mscstyle3.wbm virtual-server-mobile.wbm +# GRR: maybe here wrong file name suffix WBM instead of WBT +>>512 default x +>>>512 search/3149333/s /theme.info Theme +!:mime application/x-webmin-theme +!:ext wbt +# next 3 lines should not happen +>>>512 default x Module or Theme +!:mime application/x-webmin +!:ext wbm/wbt +# GNU or POSIX tar +>257 string =ustar ( +# 2 space characters followed by a null for GNU variant for most (428/429) WBM samples +>>261 ubelong =0x72202000 \bGNU tar) +#!:mime application/x-gtar +# UStar version variant with ASCII "00" as in few (1/429) samples like cwmail.wbm +>>261 ubelong 0x72003030 \bPOSIX tar) +#!:mime application/x-ustar +#>>>156 ubyte x tar archive +# Apparently first archive member name[100] is directory like: dynbind/ ssh/ virtualmin-powerdns/ virtual-server-mobile/ vnc/ +>>0 use tar-entry +# look for characteristic WBM module info name starting with "module.info" for language variant like in: ssh2.wbm +>>512 search/1767941/s /module.info +# look for TAR magic of WBM archive module info +>>>&0 search/257/s ustar +# show details for WBM archive member module info +>>>>&-257 use tar-entry +# 
look for characteristic WBT theme info name with "theme.info" like in: authentic-theme-21.09.5.wbt +>>512 search/3149333/s /theme.info\0 +# look for TAR magic of WBT archive theme info +>>>&0 search/257/s ustar +>>>>&-257 use tar-entry # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html 
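Review bot: The `/module.info` and `/theme.info` searches in `tar-webmin` use ranges of 1767941 and 3149333 bytes, and each is written twice (once to print Module or Theme, once to show the member through `tar-entry`), so a matching archive can be scanned over megabytes more than once. Whether the far end of those ranges is ever reached depends on how many bytes file(1) reads; the deb rule in this same file carries the comment `# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised`, and the same caveat belongs above these searches. Separately, the tar-nvram header has a typo in `# URL: hhttps://www.virtualbox.org/...` and an unclosed quote in its Note line.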
@@ -163,16 +335,88 @@ # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. -0 short 070707 cpio archive +# URL: http://fileformats.archiveteam.org/wiki/Cpio +# https://en.wikipedia.org/wiki/Cpio +# Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt +# Update: Joerg Jenderek +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml +# Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635 +0 short 070707 +# skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry +>26 string >\0 cpio archive !:mime application/x-cpio +# https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso +# boot/x86_64/loader/bootlogo +# message.cpi +!:ext /cpio/cpi +>>0 use cpio-bin +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml +# Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped +# https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio +!:ext cpio +>0 use cpio-bin-be +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml +# Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) !:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012 +!:ext cpio/cpi/008/012 +# Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio 0 string 070701 ASCII cpio archive (SVR4 with no CRC) !:mime application/x-cpio +# 
https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio +!:ext cpio +# Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio 0 string 070702 ASCII cpio archive (SVR4 with CRC) !:mime application/x-cpio +# http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz +# https://telparia.com/fileFormatSamples/archive/cpio/pcmcia +!:ext /cpio +# display information of old binary cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio` +0 name cpio-bin +# c_dev; device number; WHAT IS THAT? +>2 uleshort x \b; device %u +# c_ino; truncated inode number; use `ls --inode` +>4 uleshort x \b, inode %u +# c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l` +>6 uleshort x \b, mode %o +# c_uid; numeric user id; use `ls --numeric-uid-gid` +>8 uleshort x \b, uid %u +# c_gid; numeric group id +>10 uleshort x \b, gid %u +# c_nlink; links to this file; directories at least 2 +>12 uleshort >1 \b, %u links +# c_rdev; device number for block and character entries; zero for all other entries by writers +# like 0x0440 for /dev/ttyS0 +>14 uleshort >0 \b, device %#4.4x +# c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first +>16 medate x \b, modified %s +# c_filesize[2]; size of pathname; most-significant 16 bits first like: 544 +>22 melong x \b, %u bytes +# c_namesize; bytes in the pathname that follows the header like: 9 +#>20 uleshort x \b, namesize %u +# pathname of entry like: "clam.exe" +>26 string x "%s" +# display information of old binary byte swapped cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio` +0 name cpio-bin-be +>2 ubeshort x \b; device %u +>4 ubeshort x \b, inode %u +>6 ubeshort x \b, mode %o +>8 ubeshort x \b, uid %u +>10 ubeshort x \b, gid %u +>12 ubeshort >1 \b, %u links +>14 ubeshort >0 \b, device 
%#4.4x +>16 bedate x \b, modified %s +>22 ubelong x \b, %u bytes +#>20 ubeshort x \b, namesize %u +>26 string x "%s" # # Various archive formats used by various versions of the "ar" @@ -249,7 +493,8 @@ #>>68 string x (format %.3s) >68 string =2.0\n # 2nd archive name=control archive name like control.tar.gz or control.tar.xz ->>72 string >\0 \b, with %.14s +# or control.tar.zst +>>72 string >\0 \b, with %.15s # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma} >>0 search/0x93e4f data.tar. \b, data compression # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised @@ -484,11 +729,12 @@ >>>>0 use ttcomp 0 string \1\4 # TODO: -# skip Commodore PET BASIC 4.0 program *.prg -# variant ASCII, 1K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? # skip shared library (strength=50) handled by ./ibm6000 !:strength -2 ->0 use ttcomp +# skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset) +#>-4 ubelong x LAST_BYTES=%8.8x +>-4 ubelong&0x00FFffFF !0 +>>0 use ttcomp # display information of TTComp archive 0 name ttcomp # (version 5.25) labeled the entry as "TTComp archive data" @@ -652,7 +898,7 @@ >>>>>>>(16.s) uleshort x >>>>>>>>&16 string x \b, %-.8s >>>>>>12 uleshort &0x10 ->>>>>>>(16.s) uleshort x +#>>>>>>>(16.s) uleshort x >>>>>>>&16 string x %-.8s >>>>>>>>&1 string x \b.%-.3s >>>12 uleshort &0x01 @@ -731,6 +977,88 @@ !:ext ??$ >>8 ulelong >0 \b, original size: %u bytes +# Summary: lzss compressed/EDI Pack +# 
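Review bot: `cpio-bin` decodes every header field as little-endian (`uleshort`, `medate`, `melong`) and `cpio-bin-be` as big-endian, but they are selected by `0 short 070707` and `0 short 0143561`, which compare in the byte order of the machine running file(1). On a big-endian host the two tests would swap roles and the fields would be printed with the wrong byte order. Selecting with explicit types, for example `0 leshort 070707` for `cpio-bin` and `0 beshort 070707` for `cpio-bin-be`, would make the output host-independent; the "byte-swapped" wording would then need a decision. The comment above `>22 melong` also says "size of pathname" although the field it names is c_filesize.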
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file +# Note: called "EDI Install LZS compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1" +0 string EDILZSS +>7 string 1 +# look for point character before orginal file name extension +>>8 search/9/b . +# check suffix of possible orginal file anme +#>>>&0 ubelong x SUFFIX=%8.8x +# samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS +>>>&0 ubyte <0x20 +>>>>0 use edi-lzs +# samples with valid character after point in original file name field +>>>&0 ubyte >0x1F +# check 2nd charcter of suffix +#>>>>&0 ubyte x 2ND_SUFFIX=%x +# sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$ +>>>>&0 ubyte =0 +>>>>>0 use edi-pack +>>>>&0 ubyte >0x1F +# check 3rd charcter of suffix +#>>>>>&0 ubyte x 3RD_SUFFIX=%x +# no sample with 2 valid characters after point followed by \0 in original file name field +>>>>>&0 ubyte =0 +>>>>>>0 use edi-pack +# samples with valid 3rd character after point in original file name field +>>>>>&0 ubyte >0x1F +# sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$ +>>>>>>&0 ubyte =0 +>>>>>>>0 use edi-pack +# sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS +>>>>>>&0 ubyte !0 +>>>>>>>0 use edi-lzs +# no sample with invalid 3rd character after point in original file name field +>>>>>&0 default x +>>>>>>0 use edi-lzs +# sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS +>>>>&0 default x +>>>>>0 use edi-lzs +# sample without point character in original file name field like GUNSHOT.LZS +>>8 default x +>>>0 use edi-lzs +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml +# Note: called "EDI Install Pro LZSS2 
compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2" +>7 string 2 EDI LZSS2 packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/??_ +# original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx +>>8 string x "%-0.13s" +# original file size, as a 4-byte integer. +>>21 ulelong x \b, %u bytes +# compressed data like: ff5249464606ec00 ff4d5aa601010000 +>>>25 ubequad x \b, data %#16.16llx... +0 name edi-pack +# Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1" +# original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe +# but not like \377Aloe.lzs\273 (HERBTEXT.LZS) +>8 string x EDI LZSS packed "%-.13s" +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/?$ +# compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c +>21 ubequad x \b, data %#16.16llx... +# URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib +# Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib" +0 name edi-lzs +# Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib" +# no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273 +>8 string x EDI LZSSLib packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# The name of a compressed file ends with LZS suffix +!:ext lzs +# compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a +>8 ubequad x \b, data %#16.16llx... + # Summary: CAZIP compressed file # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/CAZIP 
@@ -762,15 +1090,51 @@ # ZET 0 string OZ\xc3\x9d ZET archive data # TSComp -0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data +# Update: Joerg Jenderek 2023 Nov +# URL: http://fileformats.archiveteam.org/wiki/TSComp +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tscomp.trid.xml +# https://entropymine.com/deark/releases/deark-1.6.5.tar.gz +# deark-1.6.5/modules/installshld.c +# Note: called "TSComp compressed data" by TrID +# verified by command like `deark -m tscomp -l -d2 MAKERRES.DL$` +# The "13" might be a version number. The "8c" is a mystery +0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive +#!:mime application/octet-stream +!:mime application/x-tscomp-compressed +# filename style: 0~old version 1~without wildcard 2~with wildcard +#>0x08 ubyte x \b, filename style %u +>0x08 ubyte 0 data, filename style 0 +# no example found +!:ext ??$ +#>0x08 ubyte 1 data, without wildcard +>0x08 ubyte 1 data +# for single-file archives, often the last letter of the filename extension is changed to "$"; but also name like: BUILD3.BM! +!:ext ??$/??! +>0x08 ubyte 2 data, with wildcard +# for multi-file archives common extensions seem to be .lib and .cmp, but also names like: SAMPMIF$ OTDATA.$$$ TWOFILES.TSC WIN.PAK +!:ext /lib/cmp/$$$/tsc/pak +# fnlen; pascal string length; original 1st file name like: CHFORMAT.MML +>0x1c pstring x \b, %s +# md->fi->timestamp +>0x16 lemsdosdate x \b, modified %s +>0x18 lemsdostime x %s +# 1st compressed size: like 180 (SAMPMML$$) +>0x0E ulelong x \b, compressed size %u +# de_dbg_indent(c, 1): like: 12h +#>0x0d ubyte x b, at 0xD %#x +# like: 0 +#>0x1A ubeshort x \b, at 0x1A %#x +# 2nd member offset +#>0x12 ulelong x \b, next offset %#x +>0x12 ulelong >0 +# original 2nd archive member name like: FORMATS.MML +>>(0x12.l+15) pstring x \b, %s ... 
# ARQ 0 string gW\4\1 ARQ archive data # Squash 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data -# PUCrunch -0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp @@ -799,8 +1163,10 @@ # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data -# PRO-PACK -0 string RNC PRO-PACK archive data +# PRO-PACK https://www.segaretro.org/Rob_Northen_compression +0 string RNC +>3 byte 1 PRO-PACK archive data (compression 1) +>3 byte 2 PRO-PACK archive data (compression 2) # 777 0 string 777 777 archive data # LZS221 @@ -903,11 +1269,39 @@ # TPac 0 string \4TPAC\3 TPac archive data # Ai +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver 0 string Ai\1\1\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai 0 string Ai\1\0\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai # Ai32 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml +# Note: called "Ai Archivator compressed archive" by TrID 0 string Ai\2\0 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# according to TrID the next 3 bytes are nil +>5 ubyte !0 \b, at 5 %#x +>6 ubyte !0 \b, at 6 %#x +>7 ubyte !0 \b, at 7 %#x +# the fourth byte with value 0 is probably a flag for "non solid" mode +#>3 ubyte =0x00 \b, unsolid mode 0 string Ai\2\1 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default +>3 ubyte =0x01 \b, solid mode # SBC 0 string SBC SBC archive data # Ybs 
@@ -1153,7 +1547,7 @@ # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, -#>2 leshort >1 %hu files, +#>2 leshort >1 %u files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC @@ -1212,7 +1606,7 @@ >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one -# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment +# "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment >>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data @@ -1243,7 +1637,7 @@ # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 ->0 ubyte x +#>0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d # attribute: 0x2~?? 0x10~symlink|target 0x20~normal @@ -1367,7 +1761,7 @@ # RAR (Roshal Archive) archive 0 string Rar!\x1a\7\0 RAR archive data -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar/cbr # file header >(0xc.l+9) byte 0x74 @@ -1379,13 +1773,13 @@ >>7 use rar-archive-header 0 string Rar!\x1a\7\1\0 RAR archive data, v5 -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar # Very old RAR archive # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf 0 string RE\x7e\x5e RAR archive data (<v1.5) -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar/cbr # SQUISH archiver (Greg Roelofs, newt@uchicago.edu) 
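Review bot: The three RAR signatures (the `Rar!\x1a\7\0` entry in the hunk at -1367, and the v5 and `RE\x7e\x5e` entries in the hunk at -1379) now report `application/vnd.rar` with no trace of the former value. Anything downstream that compares file(1)'s MIME output with `application/x-rar`, such as upload filters, mail gateways or detection rules, stops matching without any error. This file keeps alternative types as commented lines elsewhere (`#!:mime application/x-gtar`); a `#!:mime application/x-rar` line under each new `!:mime` would keep the old string greppable for people updating those consumers.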
@@ -1400,13 +1794,87 @@ !:mime application/zip !:ext zip/cbz -# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -0 string PK\005\006 Zip archive data (empty) -!:mime application/zip -!:ext zip/cbz -!:strength +1 + 0 string PK\003\004 !:strength +1 +# IOS/IPadOS IPA file (Zip archive) +# Starts with Payload (file name length = 19) +>26 uleshort 8 +>>30 string Payload IOS/iPadOS IPA file +>>>&26 search/6000 PK\003\004 +>>>>&34 string x containing %s +!:mime application/x-ios-app +!:ext ipa + +# Android APK file (Zip archive) +# Starts with AndroidManifest.xml (file name length = 19) +>26 uleshort 19 +>>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/com/android/build/gradle/app-metadata.properties +>26 uleshort 57 +>>30 string META-INF/com/android/build/gradle/ +>>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with classes.dex (file name length = 11) +>26 uleshort 11 +>>30 string classes.dex Android package (APK), with classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/MANIFEST.MF (file name length = 20) +# NB: checks for resources.arsc, classes.dex, etc. 
as well to avoid matching JAR files +>26 uleshort 20 +>>30 string META-INF/MANIFEST.MF +# Contains resources.arsc (near the end, in the central directory) +>>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>-22 string PK\005\006 +>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>>-22 string PK\005\006 +>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar +# Starts with zipflinger virtual entry (28 + 104 = 132 bytes) +# See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 +>4 string \x00\x00\x00\x00\x00\x00 +>>&0 string \x21\x08\x21\x02 +>>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +>>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry +!:mime application/vnd.android.package-archive +!:ext apk 
+>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block + # Specialised zip formats which start with a member named 'mimetype' # (stored uncompressed, with no 'extra field') containing the file's MIME type. @@ -1502,9 +1970,13 @@ >>>>77 string -web HTML Document Template !:mime application/vnd.oasis.opendocument.text-web !:ext oth ->>>>77 string -master Master Document +>>>>77 string -master +>>>>>84 byte !0x2d Master Document !:mime application/vnd.oasis.opendocument.text-master !:ext odm +>>>>>84 string -template Master Template +!:mime application/vnd.oasis.opendocument.text-master-template +!:ext otm >>>73 string graphics >>>>81 byte !0x2d Drawing !:mime application/vnd.oasis.opendocument.graphics @@ -1547,8 +2019,7 @@ # Valid for LibreOffice Base 6.0.1.1 at least >>>73 string base Database # https://bugs.documentfoundation.org/show_bug.cgi?id=45854 -!:mime application/vnd.oasis.opendocument.database -#!:mime application/vnd.oasis.opendocument.base +!:mime application/vnd.oasis.opendocument.base !:ext odb >>>73 string image >>>>78 byte !0x2d Image @@ -1564,6 +2035,16 @@ >>50 string epub+zip EPUB document !:mime application/epub+zip +# From: Hajin Jang <jb6804@naver.com> +# hwpx (OWPML) document format follows OCF specification. +# Hangul Word Processor 2010+ supports HWPX format. +# URL: https://www.hancom.com/etc/hwpDownload.do +# https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101 +# https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331 +>>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX +!:mime application/x-hwp+zip +!:ext hwpx + # From: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/CorelDRAW # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based 
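Review bot: Every `with APK Signing Block` suffix hangs off `-22 string PK\005\006`, which finds the end-of-central-directory record only when the archive has no trailing zip comment, and it then checks nothing more than the `APK Sig Block 42` magic in front of the central directory. The wording can be read as "signed", so I would add a comment above the first of these tests such as `# magic present only: the signature is not verified, and an EOCD followed by a comment is not found at -22`. The IPA comment also says `file name length = 19` while the test beneath it is `>26 uleshort 8`. The enclosing `0 string PK\003\004` entry continues outside this hunk.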
@@ -1617,9 +2098,10 @@ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip -# Java Jar files +# Java Jar files (see also APK files above) >(26.s+30) leshort 0xcafe Java archive data (JAR) !:mime application/java-archive +!:ext jar # iOS App >(26.s+30) leshort !0xcafe 
@@ -1632,18 +2114,41 @@ #>30 search/100/b application/epub+zip EPUB document #!:mime application/epub+zip -# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -# Next line excludes specialized formats: +# APK Signing Block >(26.s+30) leshort !0xcafe >>30 search/100/b !application/epub+zip ->>>26 string !\x8\0\0\0mimetype Zip archive data +>>>26 string !\x8\0\0\0mimetype +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + +# Keyman Compiled Package File (keyman.com) +# https://help.keyman.com/developer/current-version/reference/file-types/kmp +# Find start of central directory +>>>>>(-6.l) string PK\001\002 +# Scan central directory for string 'kmp.json', will suffice for a +# package containing about 150 files +>>>>>>(-6.l) search/9000 kmp.json Keyman Compiled Package File +!:mime application/vnd.keyman.kmp+zip +!:ext kmp + +# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +# Next line excludes specialized formats: +>>>>+4 default x +>>>>>4 beshort x Zip archive data, at least !:mime application/zip ->>>>4 beshort x \b, at least ->>>>4 use zipversion ->>>>4 beshort x to extract ->>>>8 beshort x \b, compression method= ->>>>8 use zipcompression ->>>>0x161 string WINZIP \b, WinZIP self-extracting +>>>>>4 use zipversion +>>>>>4 beshort x to extract +>>>>>8 beshort x \b, compression method= +>>>>>8 use zipcompression +>>>>>0x161 string WINZIP \b, WinZIP self-extracting + +# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +0 string PK\005\006 Zip archive data (empty) +!:mime application/zip +!:ext zip/cbz +!:strength +1 # StarView Metafile # From Pierre Ducroquet <pinaraf@pinaraf.info> 
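Review bot: The generic `Zip archive data, at least ...` description is now reached only through `>>>>+4 default x`, which is a sibling of `>>>>-22 string PK\005\006`. If `default` fires only when no earlier test at that continuation level has matched, an ordinary zip whose end record sits at -22 but which has neither a signing block nor kmp.json would get no description from this branch. I cannot see from this hunk whether another entry picks such files up, so it is worth confirming with a plain comment-less zip in the tests. If the fall-through is intended, a `>>>>0 clear x` line before the `default` would say so explicitly; the enclosing `0 string PK\003\004` entry starts outside this hunk.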
@@ -1652,16 +2157,116 @@ >8 belong x \b, size %d # Zoo archiver -20 lelong 0xfdc4a7dc Zoo archive data +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Zoo_(file_format) +# http://fileformats.archiveteam.org/wiki/Zoo +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml +# http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h +# Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269 +# verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO` +20 lelong 0xfdc4a7dc +# skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive +>32 byte >0 Zoo archive data !:mime application/x-zoo ->4 byte >48 \b, v%c. ->>6 byte >47 \b%c ->>>7 byte >47 \b%c ->32 byte >0 \b, modify: v%d ->>33 byte x \b.%d+ ->42 lelong 0xfdc4a7dc \b, ->>70 byte >0 extract: v%d ->>>71 byte x \b.%d+ +# bak is extension of backup-ed zoo +!:ext zoo/bak +# version in text form like: 1.50 2.00 2.10 +>>4 byte >48 \b, v%c. +>>>6 byte >47 \b%c +>>>>7 byte >47 \b%c +# ZOO files typically start with "ZOO ?.?? 
Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything +>>8 string !\040Archive.\032 \b, at 8 +>>>8 string x text "%0.10s" +# major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0 +>>32 byte >0 \b, modify: v%d +>>>33 byte x \b.%d+ +# major_ver.minor_ver; minimum version needed to extract after modify like in old versions +>>(24.l+28) ubyte x \b, extract: v%u +>>(24.l+29) ubyte x \b.%u+ +# with zoo 2.00 additional fields have been added in the archive header +>>32 byte >1 +# type; type of archive header like: 1 2 +>>>34 ubyte !1 \b, header type %u +# acmt_pos; position of archive comment like: 6258 30599 61369 149501 +>>>35 lelong >0 \b, at %d +# acmt_len; length of archive comment like: 258 +>>>>39 uleshort x %u bytes comment +#>>>>(35.l) ubequad x COMMENT=%16.16llx +# 1st character of comment maybe is CarriageReturn (0x0d) +>>>>(35.l) ubyte <040 +# 2nd character of comment maybe is LineFeed (0x0a) +>>>>>(35.l+1) ubyte <040 +# comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by" +>>>>>>(35.l+2) string x %s +# next character of remaining comment maybe is CarriageReturn (0x0d) +>>>>>>>&0 ubyte <040 +>>>>>>>>&0 ubyte <040 +# 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload +>>>>>>>>>&0 string >037 %s +# vdata; archive-level versioning byte like: 1 3 +>>>41 ubyte !1 \b, vdata %#x +# zoo_start; pointer to 1st entry header +>>24 lelong x \b; at %u +# zoo_minus; zoo_start -1 for consistency checking +#>>28 lelong x \b, zoo_minus %#x +# zoo_tag; tag for check +#>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x +# type; type of directory entry like: 1 2 +>>(24.l+4) ubyte !2 type=%u +# packing_method; 0~no packing 1~normal LZW 2~lzh +>>(24.l+5) ubyte x method= +>>>(24.l+5) ubyte 0 \bnot-compressed +>>>(24.l+5) ubyte 1 \blzd +>>>(24.l+5) ubyte 2 \blzh +# next; position of next 
directory entry +>>(24.l+6) ulelong x \b, next entry at %u +# offset; position of file data for this entry +#>>(24.l+10) ulelong x \b, data at %u +# file_crc; CRC-16 of file data +>>(24.l+18) uleshort x \b, CRC %#4.4x +# comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO) +>>(24.l+32) lelong >0 \b, at %#x +# cmt_size; if not 0 for none then length of entry comment like: 46 +>>>(24.l+36) uleshort >0 %u bytes comment +# entry comment itself like: "CGA .GL file showing menu input from keyboard" +>>>>(&-6.l) string x "%s" +# org_size; original size of file +>>(24.l+20) ulelong x \b, size %u +# size_now; compressed size of file +>>(24.l+24) ulelong x (%u compressed) +# major_ver.minor_ver; minimum version needed to extract already done +# deleted; will be 1 if deleted, 0 if not +>>(24.l+30) ubyte =1 \b, deleted +# struc; file structure if any; WHAT IS THAT? +>>(24.l+31) ubyte !0 \b, structured +# fname[13]; short/DOS file name like 12345678.012 +>>(24.l+38) string x \b, %0.13s +# for directory entry type 2 with variable part +>>(24.l+4) ubyte =2 +# var_dir_len; length of variable part of dir entry +>>>(24.l+51) uleshort >0 +#>>>(24.l+51) uleshort >0 \b, variable part length %u +# namlen; length of long filename +#>>>>(24.l+56) ubyte x \b, namlen %u +# dirlen; length of directory name +#>>>>(24.l+57) ubyte x \b, dirlen %u +# if file length positive then show long file name +>>>>(24.l+56) ubyte >0 +# lfname[256]; long file name \0-terminated +>>>>>(24.l+58) string x "%s" +# if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name +>>>>(24.l+57) ubyte >0 +>>>>>(24.l+55) ubyte x +# dirname[256]; directory name \0-terminated +>>>>>>&(&0.b+2) string x in "%s" +# dir_crc; CRC of directory entry +#>>>(24.l+54) uleshort x \b, entry CRC %#4.4x +# tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC 
-107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC +>>>(24.l+53) byte !0x7f \b, time zone %d/4 +# date; last mod file date in DOS format +>>>(24.l+14) lemsdosdate x \b, modified %s +# time; last mod file time in DOS format +>>>(24.l+16) lemsdostime x %s # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text @@ -1724,13 +2329,17 @@ # Felix von Leitner <felix-file@fefe.de> 0 string d8:announce BitTorrent file !:mime application/x-bittorrent +!:ext torrent # Durval Menezes, <jmgthbfile at durval dot com> 0 string d13:announce-list BitTorrent file !:mime application/x-bittorrent +!:ext torrent 0 string d7:comment BitTorrent file !:mime application/x-bittorrent +!:ext torrent 0 string d4:info BitTorrent file !:mime application/x-bittorrent +!:ext torrent # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> # URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver) @@ -1763,6 +2372,19 @@ !:mime application/zip !:ext zip/cbz +# Recognize ZIP archives with prepended data by end-of-central-directory record +# https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD) +# by Michal Gorny <mgorny@gentoo.org> +-2 uleshort 0 +>&-22 string PK\005\006 +# without #! +>>0 string !#! Zip archive, with extra data prepended +!:mime application/zip +!:ext zip/cbz +# with #! +>>0 string/w #!\ a +>>>&-1 string/T x %s script executable (Zip archive) + # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl <sec@42.org> 7 string **ACE** ACE archive data @@ -1821,12 +2443,6 @@ 0 belong 0x1ee7ff00 EET archive !:mime application/x-eet -# rzip archives -0 string RZIP rzip compressed data ->4 byte x - version %d ->5 byte x \b.%d ->6 belong x (%d bytes) - # From: Joerg Jenderek # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php # reference: http://mark0.net/download/triddefs_xml.7z/ 
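Review bot: In the rewritten Zoo entry (the hunk that starts at `@@ -1652,16 +2157,116 @@`) every field of the first directory entry is read through `(24.l+N)` without confirming that the offset stored at 24 points at an entry header. The only test of the entry tag is the commented-out debug line `#>>(24.l+0) ulelong !0xfdc4a7dc`, and the removed `>42 lelong 0xfdc4a7dc` guard has no replacement. On a truncated or crafted archive the printed name, sizes, CRC and entry comment would then come from arbitrary positions in the file. I would gate the entry fields with `>>(24.l) ulelong 0xfdc4a7dc` and nest them one level deeper.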
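Review bot: The prepended-data ZIP entry matches only when the last two bytes of the file are zero (`-2 uleshort 0`), which reads as the comment-length field of the end-of-central-directory record. An archive with prepended data and a non-empty ZIP comment is therefore not recognised here; a comment such as `# only matches when the EOCD comment length is 0` would make that limit explicit for anyone relying on this rule to flag polyglot files. The `#!` branch (`>>>&-1 string/T x %s script executable (Zip archive)`) also has no `!:mime` line of its own, so the MIME type reported for a script with an appended archive is not set by this entry. If such files are meant to be reported as ZIP it needs `!:mime application/zip` after that line.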
@@ -2007,7 +2623,28 @@ >3 byte x version %d # LyNX archive +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive +# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml +# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64 +# TODO: merge and unify with Commodore C64 BASIC program 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive +# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64 +#!:strength +0 +#!:mime application/octet-stream +!:mime application/x-commodore-lnx +!:ext lnx +# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn +>86 search/10 \x8910\0\0\0\r \b, +# for DEBUGGING +#>>&0 string x STRING="%s" +# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5 +>>&0 regex [0-9]{1,5} %s directory blocks +# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*" +>>>&2 regex [^\r]{1,24} \b, signature "%s" +# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?) +>>>>&1 regex [0-9]{1,3} \b, %s files # From: Joerg Jenderek # URL: https://www.acronis.com/ @@ -2040,6 +2677,7 @@ # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5 -4 string STOP >-16 string XPAKSTOP Gentoo binary package (XPAK) +!:mime application/vnd.gentoo.xpak # From: Joerg Jenderek # URL: https://kodi.wiki/view/TexturePacker @@ -2081,3 +2719,94 @@ # URL: http://mattmahoney.net/dc/#paq9a # Note: Line 1186 of paq9a.cpp gives the magic bytes 0 string pQ9\001 PAQ9A archive + +# From wof (wof@stachelkaktus.net) +0 string Unison\ archive\ format Unison archive format + +# https://ankiweb.net +30 string collection.anki2 Anki APKG file +#!:ext .apkg + +# Synology archive (DiskStation Manager 7.0+) +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# Note: These archives are signed and encrypted. +0 ulelong&0xFFFFFF00 0xEFBEAD00 +# MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes) +>8 ulelong&0x00FFFFFF 0x20C495 Synology archive +!:ext spk +# Extract some properties from MessagePack third item +>>43 search/0x10000 package= +>>>&0 string x \b, package %s +>>43 search/0x10000 arch= +>>>&0 string x %s +>>43 search/0x10000 version= +>>>&0 string x %s +>>43 search/0x10000 create_time= +>>>&0 string x \b, created on %s + +# MonoGame/XNA processed assets archive +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs +0 string XNB +# XNB must be version 4 or 5 +>4 byte <6 +>>4 byte >3 +# Size must be positive +>>>6 lelong >0 MonoGame/XNA processed assets +!:ext xnb +>>>>3 string =w \b, for Windows +>>>>3 string =x \b, for Xbox360 +>>>>3 string =i \b, for iOS +>>>>3 string =a \b, for Android +>>>>3 string =d \b, for DesktopGL +>>>>3 string =X \b, for MacOSX +>>>>3 string =W \b, for WindowsStoreApp +>>>>3 string =n \b, for NativeClient +>>>>3 string =M \b, for WindowsPhone8 +>>>>3 string =r \b, for RaspberryPi +>>>>3 string =P \b, for PlayStation4 +>>>>3 string =5 \b, for PlayStation5 +>>>>3 string =O \b, for XboxOne +>>>>3 string =S \b, for Nintendo Switch +>>>>3 string =G \b, for Google Stadia +>>>>3 string =b \b, for WebAssembly and Bridge.NET +>>>>3 string =m \b, for WindowsPhone7.0 (XNA) +>>>>3 string =p \b, for PlayStationMobile +>>>>3 string =v \b, for PSVita +>>>>3 string =g \b, for Windows (OpenGL) +>>>>3 string =l \b, for Linux +>>>>4 byte x \b, version %d +>>>>5 byte &0x80 \b, LZX compressed +>>>>>10 lelong x \b, decompressed size: %d bytes +>>>>5 byte &0x40 \b, LZ4 compressed +>>>>>10 lelong x \b, decompressed size: %d bytes + +# Electron ASAR archive +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/electron/asar +0 ulelong 4 +# Match JSON header start and end +>16 string {"files":{" +>>(12.l+12) string }}}} Electron ASAR archive +!:ext asar +>>>12 ulelong x \b, header length: %d bytes + +# Wasay ImageIt DataPack +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.neowin.net/forum/topic/615151-anyone-know-what-program-opens-dsi-and-wsi-files/ +# Note: Used in Acer eRecovery and Lenovo OneKey Recovery (OKR) +4 string WSVD +# bytes 3-4 are the checksum or the first 32 bytes of the file +>0 uleshort 0x40 Wasay ImageIt DataPack +>>8 uleshort x v%u +>>10 uleshort x \b.%u +>>16 lestring16/8 x \b, "%s" +>>12 uleshort x (%u) +>>32 byte x \b, created on %02d +>>33 byte x \b%02d +>>34 byte x \b/%02d +>>35 byte x \b/%02d +>>36 byte x %02d +>>37 byte x \b:%02d +>>38 byte x \b:%02d +>>56 ulelong x \b, size: %u bytes diff --git a/contrib/file/magic/Magdir/aria b/contrib/file/magic/Magdir/aria index c3a6bf57e464..eb0a611427e9 100644 --- a/contrib/file/magic/Magdir/aria +++ b/contrib/file/magic/Magdir/aria @@ -1,5 +1,7 @@ #------------------------------------------------------------------------------ +# $File: aria,v 1.2 2024/06/10 23:09:52 christos Exp $ +# aria: file(1) magic for download manager aria # URL: https://de.wikipedia.org/wiki/Aria_(Software) # Reference: https://github.com/aria2/aria2/blob/master/doc/manual-src/en/technical-notes.rst # From: Joerg Jenderek diff --git a/contrib/file/magic/Magdir/arm b/contrib/file/magic/Magdir/arm index b40f213cbfb4..fd0180316a35 100644 --- a/contrib/file/magic/Magdir/arm +++ b/contrib/file/magic/Magdir/arm @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: arm,v 1.2 2021/07/14 17:40:31 christos Exp $ +# $File: arm,v 1.4 2024/02/18 14:15:22 christos Exp $ # arm: file(1) magic for ARM COFF # # https://docs.microsoft.com/en-us/windows/win32/debug/pe-format 
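Review bot: The Anki rule `30 string collection.anki2 Anki APKG file` is a level-0 test on a name at offset 30 with no check of the container in front of it, so any file carrying that string at byte 30 is labelled an APKG. Offset 30 appears to be the first member name of a ZIP local header (the ZIP rules earlier in this file use `(26.s+30)` the same way), so I would anchor it as `0 string PK\003\004` followed by `>30 string collection.anki2 Anki APKG file`. The commented-out `#!:ext .apkg` also carries a leading dot, unlike the other `!:ext` lines added in this hunk (`!:ext spk`, `!:ext xnb`, `!:ext asar`); if it is enabled it should read `!:ext apkg`. This hunk starts at `@@ -2081,3 +2719,94 @@` two lines up.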
@@ -39,3 +39,21 @@ # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 + +# ARM64 Compiled Hybrid PE X86 +0 leshort 0x3a64 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM64EC +0 leshort 0xa641 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 diff --git a/contrib/file/magic/Magdir/asf b/contrib/file/magic/Magdir/asf index 9f274ede2ff8..e4c3dd95c956 100644 --- a/contrib/file/magic/Magdir/asf +++ b/contrib/file/magic/Magdir/asf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: asf,v 1.3 2022/04/25 17:33:13 christos Exp $ +# $File: asf,v 1.5 2024/09/04 19:06:12 christos Exp $ # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # http://www.staroceans.org/e-book/ASF_Specification.pdf @@ -10,18 +10,18 @@ #>16 lequad >0 #>>(16.q) use asf-object # ASF_Simple_Index_Object ->0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB +#>0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB >0 guid D6E229D3-35DA-11D1-9034-00A0C90349BE ASF_Index_Object >0 guid FEB103F8-12AD-4C64-840F-2A1D2F7AD48C ASF_Media_Object_Index_Object >0 guid 3CB73FD0-0C4A-4803-953D-EDF7B6228F0C ASF_Timecode_Index_Object # ASF_File_Properties_Object ->0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365 +#>0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365 # ASF_Stream_Properties_Object >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 #>>56 lequad x Time Offset %lld -#>>64 lelong x Type-Specicic Data Length %d +#>>64 lelong x Type-Specific Data Length %d #>>68 lelong x Error Correction Data Length %d #>>72 leshort x Flags %#x #>>74 lelong x Reserved %x 
@@ -52,15 +52,15 @@ >>40 use asf-name >>0 lelong x \b) #ASF_Header_Extension_Object ->0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365 +#>0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365 # ASF_Codec_List_Object ->0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6 +#>0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6 >0 guid 1EFB1A30-0B62-11D0-A39B-00A0C90348F6 ASF_Script_Command_Object >0 guid F487CD01-A951-11CF-8EE6-00C00C205365 ASF_Marker_Object >0 guid D6E229DC-35DA-11D1-9034-00A0C90349BE ASF_Bitrate_Mutual_Exclusion_Object >0 guid 75B22635-668E-11CF-A6D9-00AA0062CE6C ASF_Error_Correction_Object # ASF_Content_Description_Object ->0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C +#>0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C #>>24 leshort title length %d #>>26 leshort author length %d #>>28 leshort copyright length %d @@ -73,7 +73,7 @@ >0 guid 298AE614-2622-4C17-B935-DAE07EE9289C ASF_Extended_Content_Encryption_Object >0 guid 2211B3FC-BD23-11D2-B4B7-00A0C955FC6E ASF_Digital_Signature_Object # ASF_Padding_Object ->0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8 +#>0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8 >0 guid 14E6A5CB-C672-4332-8399-A96952065B5A ASF_Extended_Stream_Properties_Object >0 guid A08649CF-4775-4670-8A16-6E35357566CD ASF_Advanced_Mutual_Exclusion_Object >0 guid D1465A40-5A79-4338-B71B-E36B8FD6C249 ASF_Group_Mutual_Exclusion_Object diff --git a/contrib/file/magic/Magdir/audio b/contrib/file/magic/Magdir/audio index c85c2952336f..991b75999608 100644 --- a/contrib/file/magic/Magdir/audio +++ b/contrib/file/magic/Magdir/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.121 2021/04/26 15:56:00 christos Exp $ +# $File: audio,v 1.133 2024/09/04 19:07:20 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), 
@@ -99,8 +99,8 @@ !:mime audio/x-unknown # is this next line right? it came this way... >19 byte 0x1A ->23 byte >0 - version %d ->22 byte >0 \b.%d +>>23 byte >0 - version %d +>>22 byte >0 \b.%d # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data @@ -183,42 +183,57 @@ 21 string BMOD2STM Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module + +1080 string \!PM! 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + 1080 string M.K. 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string M!K! 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string FLT4 4-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string FLT8 8-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string 4CHN 4-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 6CHN 6-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 8CHN 8-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string CD81 8-channel Octalyser module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + 1080 string OKTA 8-channel Octalyzer module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 
@@ -261,13 +276,12 @@ # http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html 0 belong 0x64a30100 IRCAM file (VAX little-endian) 0 belong 0x0001a364 IRCAM file (VAX big-endian) -0 belong 0x64a30200 IRCAM file (Sun big-endian) 0 belong 0x0002a364 IRCAM file (Sun little-endian) +0 belong 0x64a30200 IRCAM file (Sun big-endian) 0 belong 0x64a30300 IRCAM file (MIPS little-endian) 0 belong 0x0003a364 IRCAM file (MIPS big-endian) -0 belong 0x64a30400 IRCAM file (NeXT big-endian) -0 belong 0x64a30400 IRCAM file (NeXT big-endian) 0 belong 0x0004a364 IRCAM file (NeXT little-endian) +0 belong 0x64a30400 IRCAM file (NeXT big-endian) # NIST SPHERE <mpruett@sgi.com> 0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file @@ -403,10 +417,26 @@ 0 string THX AHX version >3 byte =0 1 module data >3 byte =1 2 module data ->10 byte x TRL: %u ->11 byte x TRK: %u ->12 byte x SMP: %u ->13 byte x SS: %u +>11 ubyte x TRK: %u +>10 ubyte x TRL: %u +>12 ubyte x SMP: %u +>13 ubyte x SS: %u +>(4.H) string x Title: "%.128s" + +# header is mostly AHX format +0 string HVL +>3 byte <2 Hively Tracker Song +>3 byte =0 v1 module data +>3 byte =1 v2 module data +>11 ubyte x TRK: %u +>10 ubyte x TRL: %u +>12 ubyte x SMP: %u +>13 ubyte x SS: %u +>8 ubyte/4 =0 CHN: 4 +>8 ubyte/4 >0 CHN: 4+%u +#>-0 offset <0xffff +>(4.H) string x Title: "%.128s" + # 0 string OKTASONG Oktalyzer module data # @@ -456,7 +486,7 @@ # Sharp Jisaku Melody format for PDC 0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody >20 string Ver01.00 Ver. 1.00 ->>32 byte x , %d tracks +>>32 byte x \b, %d tracks # Free lossless audio codec <http://flac.sourceforge.net> # From: Przemyslaw Augustyniak <silvathraec@rpg.pl> @@ -548,15 +578,13 @@ # 
From: Alex Myczko <alex@aiei.ch> # https://github.com/rerrahkr/BambooTracker -0 string BambooTrackerMod BambooTracker module ->22 byte x \b, version %u ->21 byte x \b.%u ->20 byte x \b.%u - -0 string BambooTrackerIst BambooTracker instrument ->22 byte x \b, version %u ->21 byte x \b.%u ->20 byte x \b.%u +0 string BambooTracker BambooTracker +>13 string Mod Module +>13 string Ist Instrument +>13 string Bnk Bank +>22 byte x \b, version %u +>21 byte x \b.%u +>20 byte x \b.%u 0 string CC2x CheeseCutter 2 song @@ -615,6 +643,7 @@ 0 string [Equalizer\ preset] XMMS equalizer preset # .m3u 0 search/1 #EXTM3U M3U playlist text +!:mime audio/x-mpegurl # .pls 0 search/1 [playlist] PLS playlist text # licq.conf @@ -684,10 +713,36 @@ # Type: Adaptive Multi-Rate Codec # URL: http://filext.com/detaillist.php?extdetail=AMR +# http://fileformats.archiveteam.org/wiki/Adaptive_Multi-Rate_Audio +# Reference: https://datatracker.ietf.org/doc/html/rfc4867 +# http://mark0.net/download/triddefs_xml.7z/defs/a/audio-amr.trid.xml +# Update: Joerg Jenderek # 
From: Russell Coker <russell@coker.com.au> -0 string #!AMR Adaptive Multi-Rate Codec (GSM telephony) -!:mime audio/amr +# Note: called "AMR (Adaptive Multi Rate) encoded audio" by TrID and +# "Adaptive Multi-Rate Audio" by DROID via PUID fmt/356 and +# "AMR" "AMR audio" or "Adaptive Multi-Rate" by shared MIME-info database from freedesktop.org +0 string #!AMR Adaptive Multi-Rate Codec +# Adaptive Multi-Rate Codec (strength=80) before wrong "a AMR script executable (binary data)" (strength=20=60/3) by ./varied.script +#!:strength +0 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/audio-awb.trid.xml +# Note: called "Adaptive Multi-Rate Wideband ACELP codec" by TrID and +# "Adaptive Multi-Rate Wideband Audio" bY DROID via PUID fmt/954 and +# "AMR-WB" "AMR-WB audio" or "Adaptive Multi-Rate Wideband" by shared MIME-info database from freedesktop.org +>5 string -WB (Wideband) +# https://www.iana.org/assignments/media-types/audio/AMR-WB +!:mime audio/AMR-WB +#!:mime audio/amr-wb-encrypted +!:apple ????amrw +!:ext awb +# variant without Wideband +>5 default x (GSM telephony) +# https://www.iana.org/assignments/media-types/audio/AMR +!:mime audio/AMR +# last character in type code is space +!:apple ????amr !:ext amr +# GRR: maybe also 3ga suffix? https://telparia.com/fileFormatSamples/audio/amr/example.3ga +#!:ext amr/3ga # Type: SuperCollider 3 Synth Definition File Format # From: Mario Lang <mlang@debian.org> 
@@ -878,27 +933,22 @@ # From Martin Mueller Skarbiniks Pedersen 0 string GDM >0x3 byte 0xFE General Digital Music. ->0x4 string >\0 title: "%s" ->0x24 string >\0 musician: "%s" ->>0x44 beshort 0x0D0A ->>>0x46 byte 0x1A ->>>>0x47 string GMFS Version ->>>>0x4B byte x %d. ->>>>0x4C byte x \b%02d ->>>>0x4D beshort 0x000 (2GDM v ->>>>0x4F byte x \b%d. ->>>>>0x50 byte x \b%d) +>>0x4 string >\0 title: "%s" +>>0x24 string >\0 musician: "%s" +>>>0x44 beshort 0x0D0A +>>>>0x46 byte 0x1A +>>>>>0x47 string GMFS Version +>>>>>0x4B byte x %d. +>>>>>0x4C byte x \b%02d +>>>>>0x4D beshort 0x000 (2GDM v +>>>>>0x4F byte x \b%d. +>>>>>>0x50 byte x \b%d) 0 string MTM Multitracker >0x3 byte/16 x Version %d. >0x3 byte&0x0F x \b%02d >>0x4 string >\0 title: "%s" -0 string HVL ->3 byte <2 Hively Tracker Song ->3 byte 0 1 module data ->3 byte 1 2 module data - 0 string MO3 >3 ubyte <6 MOdule with MP3 >>3 byte 0 Version 0 (With MP3 and lossless) @@ -915,18 +965,18 @@ >4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" >0x2e string NAME Art of Noise Tracker Song >3 string <9 ->3 string 4 (4 voices) ->3 string 8 (8 voices) +>>3 string 4 (4 voices) +>>3 string 8 (8 voices) >>0x36 string >\0 Title: "%s" 0 string FAR >0x2c byte 0x0d ->0x2d byte 0x0a ->0x2e byte 0x1a ->>0x3 byte 0xFE Farandole Tracker Song ->>>0x31 byte/16 x Version %d. ->>>0x31 byte&0x0F x \b%02d ->>>>0x4 string >\0 \b, title: "%s" +>>0x2d byte 0x0a +>>>0x2e byte 0x1a +>>>>0x3 byte 0xFE Farandole Tracker Song +>>>>>0x31 byte/16 x Version %d. +>>>>>0x31 byte&0x0F x \b%02d +>>>>>0x4 string >\0 \b, title: "%s" # magic for Klystrack, https://kometbomb.github.io/klystrack/ # from Alex Myczko <alex@aiei.ch> 
@@ -1010,25 +1060,37 @@ # Added by David Korth <gerbilsoft@gerbilsoft.com> 0 string PSF >3 byte 0x01 +>>0 use portable_sound_format >3 byte 0x02 +>>0 use portable_sound_format >3 byte 0x11 +>>0 use portable_sound_format >3 byte 0x12 +>>0 use portable_sound_format >3 byte 0x13 +>>0 use portable_sound_format >3 byte 0x21 +>>0 use portable_sound_format >3 byte 0x22 +>>0 use portable_sound_format >3 byte 0x23 +>>0 use portable_sound_format >3 byte 0x41 ->>0 string PSF Portable Sound Format +>>0 use portable_sound_format + + +0 name portable_sound_format +>0 string PSF Portable Sound Format !:mime audio/x-psf ->>>3 byte 0x01 (Sony PlayStation) ->>>3 byte 0x02 (Sony PlayStation 2) ->>>3 byte 0x11 (Sega Saturn) ->>>3 byte 0x12 (Sega Dreamcast) ->>>3 byte 0x13 (Sega Mega Drive) ->>>3 byte 0x21 (Nintendo 64) ->>>3 byte 0x22 (Game Boy Advance) ->>>3 byte 0x23 (Super NES) ->>>3 byte 0x41 (Capcom QSound) +>>3 byte 0x01 (Sony PlayStation) +>>3 byte 0x02 (Sony PlayStation 2) +>>3 byte 0x11 (Sega Saturn) +>>3 byte 0x12 (Sega Dreamcast) +>>3 byte 0x13 (Sega Mega Drive) +>>3 byte 0x21 (Nintendo 64) +>>3 byte 0x22 (Game Boy Advance) +>>3 byte 0x23 (Super NES) +>>3 byte 0x41 (Capcom QSound) # Atari 8-bit SAP audio format # http://asap.sourceforge.net/sap-format.html @@ -1136,3 +1198,143 @@ >>0 use nintendo-3ds-bcwav-fields >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcwav-fields + +# Philips DSDIFF audio format (Direct Stream Digital Interchange File Format) +# Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations +# https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf +# 
From: Toni Ruottu <toni.ruottu@iki.fi> +0 string FRM8 +12 string DSD\x20 DSDIFF audio bitstream data +!:mime audio/x-dff +!:ext dff + +# format version chunk +>&0 string FVER +# version 1 +>>&8 byte 1 + +# v1 / sampling resolution ( 1 bit PDM only ) +>>>&0 string x \b, 1 bit + +# v1 / sound property chunk +>>>&0 search/0xff PROP +>>>>&8 string SND + +# v1 / sound property chunk / channel configuration chunk +>>>>>&0 search/0xff CHNL +>>>>>>&8 ubeshort 1 \b, mono +>>>>>>&8 ubeshort 2 +>>>>>>>&0 string SLFTSRGT \b, stereo +>>>>>>>&0 default x \b, 2 channels +>>>>>>&8 ubeshort 3 +>>>>>>>&0 string SLFTSRGTLFE\x20 \b, 2.1 stereo +>>>>>>>&0 string SLFTSRGTC\x20\x20\x20 \b, 3.0 stereo +>>>>>>>&0 default x \b, 3 channels +>>>>>>&8 ubeshort 4 +>>>>>>>&0 string MLFTMRGTLS\x20\x20RS\x20\x20 \b, 4.0 surround +>>>>>>>&0 string SLFTSRGTC\x20\x20\x20LFE\x20 \b, 3.1 stereo +>>>>>>>&0 default x \b, 4 channels +>>>>>>&8 ubeshort 5 +>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LS\x20\x20RS\x20\x20 \b, 5.0 surround +>>>>>>>&0 string MLFTMRGTLFE\x20LS\x20\x20RS\x20\x20 \b, 4.1 surround +>>>>>>>&0 default x \b, 5 channels +>>>>>>&8 ubeshort 6 +>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LFE\x20LS\x20\x20RS\x20\x20 \b, 5.1 surround +>>>>>>>&0 default x \b, 6 channels +>>>>>>&8 ubeshort >6 \b, %u channels + +# v1 / sound property chunk / sample rate chunk +>>>>>&0 search/0xff FS\x20\x20 +>>>>>>&0 string x \b, +>>>>>>&8 ubelong%44100 0 +>>>>>>>&-4 ubelong/44100 x "DSD %u" +>>>>>>>&-4 ubelong x %u Hz + +# v1 / sound property chunk / compression type chunk +>>>>>&0 search/0xff CMPR +>>>>>>&8 string DSD\x20 \b, no compression +>>>>>>&8 string DST\x20 \b, DST compression +>>>>>>&8 default x \b, unknown compression + +# v1 / quest for metadata +>>>&0 string x + +# v1 / quest for metadata / edited master information chunk +>>>>&0 search DIIN +>>>>>&0 ubequad >0 \b, "edited master" metadata + +# v1 / quest for metadata / ID3 chunk ( defacto standard ) +>>>>&0 search ID3\x20 +>>>>>&8 string ID3 \b, ID3 version 
2 +>>>>>&0 byte x \b.%u +>>>>>&1 byte x \b.%u + +# v1 / quest for metadata / failure ( possibly due to -P bytes=... being too low ) +>>>>&0 default x \b, ID3 missing (or unreachable) + +# version > 1 or 0 +>>&0 default x \b, unknown version + +# Sony DSF audio format (Direct Stream Digital Stream File) +# Used for lossless digital storage of songs produced as DSD audio +# Portable analog of a track stored on a Super Audio CD (SACD) +# https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf +# 
From: Toni Ruottu <toni.ruottu@iki.fi> +0 string DSD\x20 DSF audio bitstream data +!:mime audio/x-dsf +!:ext dsf + +# format chunk +>28 string fmt\x20 +# version 1 +>>&8 ulelong 1 + +# v1 / sampling resolution ( 1 bit PDM only ) +# NOTE: the spec incorrectly uses "bits per sample" instead of "bits per byte" +>>>&0 string x \b, 1 bit + +# v1 / channel configuration +>>>>&4 ulelong 1 \b, mono +>>>>&4 ulelong 2 \b, stereo +>>>>&4 ulelong 3 \b, 3.0 stereo +>>>>&4 ulelong 4 \b, 4.0 surround +>>>>&4 ulelong 5 \b, 3.1 stereo +>>>>&4 ulelong 6 \b, 5.0 surround +>>>>&4 ulelong 7 \b, 5.1 surround +>>>>&0 default x +>>>>>&4 ulelong x \b, %u channels + +# v1 / sample rate chunk +>>>>&0 string x \b, +>>>>&12 ulelong%44100 0 +>>>>>&-4 ulelong/44100 x "DSD %u" +>>>>&12 ulelong x %u Hz + +# v1 / compression +>>>>&0 string x +>>>>>&0 ulelong 0 \b, no compression +>>>>>&0 default x \b, unknown compression + +# v1 / embedded ID3v2 metadata +>>>0 string x \b, ID3 +>>>>20 ulequad !0 +>>>>>(20.q) string ID3 version 2 +>>>>>>&0 byte x \b.%u +>>>>>>&1 byte x \b.%u +# unable to verify ID3 ( possibly due to -P bytes=... being too low ) +>>>>>&0 default x unreachable +>>>>&0 default x missing + +# version > 1 or 0 +>>&0 default x \b, unknown version + +# https://moddingwiki.shikadi.net/wiki/ROL_Format +4 string \\roll\\default AdLib Visual Composer ROL file +>0 leshort x \b, version %d. +>2 leshort x \b%d +>44 leshort x \b, tickBeat %d +>46 leshort x \b, beatMeasure %d +>48 leshort x \b, scaleY %d +>50 leshort x \b, scaleX %d +>52 byte 0 \b, percussive +>52 byte 1 \b, melodic diff --git a/contrib/file/magic/Magdir/ber b/contrib/file/magic/Magdir/ber index 15288c682416..8afd23d45594 100644 --- a/contrib/file/magic/Magdir/ber +++ b/contrib/file/magic/Magdir/ber 
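Review bot: In the DSDIFF entry added by the hunk starting at `@@ -1136,3 +1198,143 @@`, the line `12 string DSD\x20 DSDIFF audio bitstream data` is written at level 0, so the preceding `0 string FRM8` test has no continuation and gates nothing. Unless the missing `>` is an artefact of how this page renders the patch, any file with `DSD ` at offset 12 is reported as `audio/x-dff`, whatever its first four bytes are. The fix is `>12 string DSD\x20 DSDIFF audio bitstream data` under the FRM8 test. Every continuation below it, from `>&0 string FVER` down to the final `>>&0 default x`, then has to be deepened by one `>`, so that `&0` is still measured from the end of the `DSD ` match as I read magic(5).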
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ber,v 1.2 2019/04/19 00:42:27 christos Exp $ +# $File: ber,v 1.3 2024/09/01 13:49:15 christos Exp $ # ber: file(1) magic for several BER formats used in the mobile # telecommunications industry (Georg Sauthoff) @@ -41,7 +41,6 @@ # NRT Files # NRT a.k.a. NRTRDE -0 byte 0x61 # <SpecificationVersionNumber>2</><ReleaseVersionNumber> block >&1 search/b8 \x5f\x29\x01\x02\x5f\x25\x01 >>&0 byte x NRT 2.%d (TD.35, Near Real Time Roaming Data Exchange) diff --git a/contrib/file/magic/Magdir/biosig b/contrib/file/magic/Magdir/biosig index 7d41713f24a5..dc99773e086f 100644 --- a/contrib/file/magic/Magdir/biosig +++ b/contrib/file/magic/Magdir/biosig @@ -1,7 +1,7 @@ -############################################################################## -# -# Magic ids for biomedical signal file formats +#------------------------------------------------------------------------------ +# $File: biosig,v 1.4 2024/06/10 23:09:52 christos Exp $ +# file(1) magic for biomedical signal file formats # Copyright (C) 2018 Alois Schloegl <alois.schloegl@gmail.com> # # The list has been derived from biosig projects diff --git a/contrib/file/magic/Magdir/blender b/contrib/file/magic/Magdir/blender index 276242eab02f..5a897113e092 100644 --- a/contrib/file/magic/Magdir/blender +++ b/contrib/file/magic/Magdir/blender 
@@ -1,13 +1,24 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $ +# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # https://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42 - +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/BLEND +# http://www.blender.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/blend.trid.xml +# http://formats.kaitai.io/blender_blend/index.html +# Note: called "Blender 3D data" by TrID +# and gzip compressed variant handled by ./compress 0 string =BLENDER Blender3D, +#!:mime application/octet-stream +!:mime application/x-blender +!:ext blend +# no sample found with extension blender +#!:ext blend/blender >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. diff --git a/contrib/file/magic/Magdir/bsdi b/contrib/file/magic/Magdir/bsdi index 8499b0c90363..d2fa6002aad4 100644 --- a/contrib/file/magic/Magdir/bsdi +++ b/contrib/file/magic/Magdir/bsdi 
@@ -1,21 +1,26 @@ #------------------------------------------------------------------------------ -# $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $ +# $File: bsdi,v 1.9 2024/03/31 15:06:56 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # Some object/executable formats use the same magic numbers as are used # in other OSes; those are handled by entries in aout. # -0 lelong 0314 386 compact demand paged pure executable +0 lelong 0314 i386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) +# Update: Joerg Jenderek # same as in SunOS 4.x, except for static shared libraries +# Note: was also called "a.out SunOS SPARC demand paged" by ./sun v 1.28 0 belong&077777777 0600413 SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable +#!:mime application/x-foo-executable +# typically no file name suffix for executables +!:ext / >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) diff --git a/contrib/file/magic/Magdir/burp b/contrib/file/magic/Magdir/burp new file mode 100644 index 000000000000..460d18c4c27f --- /dev/null +++ b/contrib/file/magic/Magdir/burp @@ -0,0 +1,7 @@ + +#------------------------------------------------------------ +# $File: burp,v 1.1 2022/07/04 17:15:09 christos Exp $ +# Burp file, I don't know the version +#------------------------------------------------------------ +# From wof (wof@stachelkaktus.net) +0 bequad 0x6685828000000001 Burp project save file diff --git a/contrib/file/magic/Magdir/bytecode b/contrib/file/magic/Magdir/bytecode index 94fb8b38cb03..dca961c26431 100644 --- a/contrib/file/magic/Magdir/bytecode +++ b/contrib/file/magic/Magdir/bytecode 
@@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: bytecode,v 1.3 2022/03/24 15:48:58 christos Exp $ +# $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $ # magic for various bytecodes # From: Mikhail Gusarov <dottedmag@dottedmag.net> @@ -28,3 +28,14 @@ >11 string 4 \b, 32bit >11 string 8 \b, 64bit >13 regex .\\.. \b, bytecode v%s + +# Racket file magic +# From: Haelwenn (lanodan) Monnier <contact+libmagic@hacktivis.me> +# https://racket-lang.org/ +# https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt +0 string #~ +>&0 pstring x +>>&0 pstring racket +>>>0 string #~ Racket bytecode +>>>>&0 pstring x (version %s) + diff --git a/contrib/file/magic/Magdir/c-lang b/contrib/file/magic/Magdir/c-lang index 6500d37822c1..6e375a06a7e6 100644 --- a/contrib/file/magic/Magdir/c-lang +++ b/contrib/file/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.30 2021/08/16 10:17:05 christos Exp $ +# $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -17,7 +17,7 @@ >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text -!:strength + 13 +!:strength + 15 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text @@ -88,13 +88,13 @@ !:strength + 30 !:mime text/x-c++ 0 search/8192 protected ->0 regex \^[[:space:]]*protected: C++ source text +>0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C 0 search/8192 #import ->0 regex \^#import Objective-C source text +>0 regex \^#import[[:space:]]+["<] Objective-C source text !:strength + 25 !:mime text/x-objective-c diff --git a/contrib/file/magic/Magdir/c64 b/contrib/file/magic/Magdir/c64 index 9a635aedc978..36f30ab3b684 100644 --- a/contrib/file/magic/Magdir/c64 
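Review bot: The Racket entry added in the `@@ -28,3 +28,14 @@` bytecode hunk tests `#~` twice and has no comment saying why. From the tests, the layout appears to be `#~`, a length-prefixed version string, then a length-prefixed VM name that must equal `racket`. The second `>>>0 string #~` seems to exist only to rewind the relative offset so that the version can be printed after the VM name has been checked. A comment above that line, such as `# "#~" <pstring version> <pstring vm>; re-match "#~" to step back to the version`, would keep a later cleanup from dropping it as redundant.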
+++ b/contrib/file/magic/Magdir/c64 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: c64,v 1.12 2022/05/14 20:03:39 christos Exp $ +# $File: c64,v 1.16 2024/03/07 22:30:21 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann <doj@cubic.org> @@ -12,13 +12,32 @@ # C64 (and other CBM) cartridges # Extended by David Korth <gerbilsoft@gerbilsoft.com> +# Update: Joerg Jenderek # Reference: https://vice-emu.sourceforge.io/vice_17.html#SEC391 +# http://ist.uwaterloo.ca/~schepers/formats/CRT.TTX +# http://mark0.net/download/triddefs_xml.7z/defs/c/crt-c64.trid.xml +# Note: called "C64 Cartridge image" by TrID and +# "CRT C64 Cartridge Image Format" by DROID via PUID fmt/822 -0 string C64\40CARTRIDGE Commodore 64 cartridge +0 string C64\40CARTRIDGE +# skip DROID fmt-822-signature-id-1179.crt with missing packet length +>0x44 ubelong >0x10 +>>0 use c64-crt +# display Commodore 64 cartridge information +0 name c64-crt +>0 string x Commodore 64 cartridge +#!:mime application/octet-stream +!:mime application/x-commodore-crt +!:ext crt +# http://mark0.net/download/triddefs_xml.7z/defs/c/car-ccs64.trid.xml +#!:ext crt/car >0x20 ubyte 0 \b, >0x20 ubyte !0 +# 32-byte null padded cartridge name like: "BUGS BUNNY" "CART64" "EasyFlash" "FINAL CARTRIDGE" "Magic Desk" "VICE CART" >>0x20 string/T x \b: "%.32s", +# cartridge hardware type >0x16 beshort 0 +# cartridge port EXROM line status >>0x18 beshort 0x0000 16 KB game >>0x18 beshort 0x0001 8 KB game >>0x18 beshort 0x0100 UltiMax mode @@ -59,6 +78,7 @@ >0x16 beshort 34 Capture >0x16 beshort 35 Action Replay 3 >0x16 beshort 36 +# cartridge Hardware Revision/Subtype (usually 0) (added in v1.01) >>0x1A ubyte 1 Nordic Replay >>0x1A ubyte !1 Retro Replay >0x16 beshort 37 MMC64 
@@ -104,6 +124,24 @@ >0x16 beshort 75 IEEE Flash! 64 >0x16 beshort 76 Turtle Graphics II >0x16 beshort 77 Freeze Frame MK2 +>0x16 beshort 78 Partner 64 +# cartridge hardware type: (0-78) +>0x16 ubeshort >78 unknown type %#x +# Cartridge Hardware Revision/Subtype (usually 0 added in v1.01) +>>0x1A ubyte >0 revision %#x +# padded with 3 space characters for CRT but for CCS64 Cartridge (*.CAR) maybe different according to TrID +>14 ubeshort !0x2020 \b, at 14 %#x +# file header length like: 20h (reported wrong) 40h (default and minimum) +>0x10 ubelong !0x40 \b, header length %#x +# cartridge version like: 1.0 1.1 (adds CRT sub type/hardware revision) 2.0 (introduces VIC20, PLUS4, C128, CBM2) +>0x14 ubeshort !0x0100 +>>0x14 ubyte x \b, version %u +>>0x15 ubyte x \b.%u +# cartridge content start with ROM signature which must be CHIP +>0x40 ubelong !0x43484950 \b, invalid ROM signature +>>0x40 string x "%0.4s" +# total packet length (length of ROM image size and header combined) like: 2010h 4010h +>0x44 ubelong x \b, packet length %#x 0 string C128\40CARTRIDGE Commodore 128 cartridge >0x20 ubyte 0 \b, 
@@ -164,26 +202,112 @@ 0 belong 0xFF424CFF WRAptor packer (c64) -0 string C64S\x20tape\x20file T64 tape Image ->32 leshort x Version:%#x ->36 leshort !0 Entries:%i ->40 string x Name:%.24s - -0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image ->32 leshort x Version:%#x ->36 leshort !0 Entries:%i ->40 string x Name:%.24s - -0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image ->32 leshort x Version:%#x ->36 leshort !0 Entries:%i ->40 string x Name:%.24s +# URL: http://fileformats.archiveteam.org/wiki/T64 +# Reference: http://ist.uwaterloo.ca/~schepers/formats/T64.TXT +# https://vice-emu.sourceforge.io/vice_16.html#SEC394 +# https://www.infinite-loop.at/Power64/Documentation/Power64-ReadMe/AE-File_Formats.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/emu-t64.trid.xml +# Note: called "Commodore 64 Tape container" by TrID, "T64 Tape Image Format" by DROID via PUID fmt/820 and +# "T64 tape Image" by ./c64,v 1.14 +# verified by command like `deark -m t64 -l -d2 Caitan_the_Demo.t64` and +# `cbmconvert -v2 -t -D4 ironmanoffroad.d64 ironmanoffroad.t64` +# 32 byte signature starting like C64S\x20tape\x20file +# C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 +# C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 +0 string/b C64 +# skip raw Commodore TAPe by check for unsed areas (\0 filled) and valid low (40h+m*20h; m=0-FFffh) offset +>0x46 ubequad&0xFFff1F00C0ffFFff 0 Commodore Tape image +#!:mime application/octet-stream +#!:mime application/x-commodore-tape +!:ext t64 +# version like: 0100h (examples found) 0101h 0200h (no examples) +>>32 leshort x Version:%#x +#>>32 leshort !0x0100 Version:%#x +# number of used directory entries like: 0 1 2 5 +>>36 leshort !0 Entries:%i +# tape container name, 24 characters (padded with 20h but with A0h for DirMaster created samples) like: +# ->ZYRON'S PD<- IMAGETAPE MY-T64-TEST\240\240\240 OPERATIONWOLF+3-711.T64 +>>40 
string/24/Tb >\040 Name:%.24s +# MaxFiles; maximal directory entries like: 0 1 2 5 30 (=1Eh some emulators expect exactly this value) 31 32 +>>34 uleshort x MaxFiles:%u +# 1st C64 filetype: 0~free 1~normal tape file 2~tape file with header 3~memory snapshot 4~tape block 5~digitized stream 6-255~reserved +>>0x40 ubyte !1 \b, C64 file type %#x +# 1st start address or load address of first entry like: 0000 (empty|snapshot) 04a0h (ironmanoffroad.t64) 0801h (typically) 1201h (3501_quizmaster_program_s1.t64) +>>0x42 uleshort !0x0801 \b, load address %#4.4x +# 1st actual end address in memory +>>0x44 uleshort x \b, end address %#4.4x +# reserved; must be 0 +>>0x26 ubeshort !0 \b, at +0x26 %#x +# not used like: 0 (examples found and according to TrID) +>>0x46 ubeshort !0 \b, at 0x46 %#4.4x +# not used like: 0 (examples found and according to TrID) +>>0x4c ubelong !0 \b, at 0x4C %#8.8x +# offset (=64+32*m) into 1st container file like: 0 (empty) 60h 80h E0h 400h 440h ... +>>0x48 ulelong >0 \b, at %#x +# 1st filename (in PETASCII, padded with 20h, not A0h) like: "DRILLINSTR. /HTL" "WIZBALL+ " ... +>>>0x50 string/16/bT x "%0.16s" +# https://www.lyonlabs.org/commodore/onrequest/Inside_Commodore_Dos.pdf +# file type like: 0~Scratched 1~SEQunclosed 81h~SEQ 82h~PRG C2h~PRGlocked ... +>>>0x41 ubyte x +>>>>0x41 ubyte =0x00 Scratched type +>>>>0x41 ubyte =0x01 SEQ unclosed type +#>>>>0x41 ubyte =0x44 foo type +>>>>0x41 ubyte =0x80 DEL type +>>>>0x41 ubyte =0x81 SEQ type +>>>>0x41 ubyte =0x82 PRG type +>>>>0x41 ubyte =0x83 USR type +>>>>0x41 ubyte =0x84 REL type +>>>>0x41 ubyte =0xC2 PRG locked type +# other unusual file type +>>>>0x41 default x +>>>>>0x41 ubyte x %#2.2x type +# inspect 1st entry content (often Commodore C64 BASIC program *.PRG) without load adress +#>>(0x48.l) ubequad x \b, 1st data %16.16llx... 
# Raw tape file format (.tap files) # Esa Hyyti <esa@netlab.tkk.fi> -0 string C64-TAPE-RAW C64 Raw Tape File (.tap), +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Tap_file +# https://vice-emu.sourceforge.io/vice_16.html#SEC392 +# Reference: http://ist.uwaterloo.ca/~schepers/formats/TAP.TXT +# Note: called "TAP (Commodore 64)" by DROID via PUID fmt/802 +# a variant starting with C16-TAPE-RAW should exist, but no examples found +0 string/b C64-TAPE-RAW Commodore raw Tape image (platform +#0 string C64-TAPE-RAW C64 Raw Tape File (.tap), +#!:mime application/octet-stream +!:mime application/x-commodore-tape +!:ext tap +# According to TrID als raw suffix, but no such samples found +#!:ext tap/raw +# computer platform like: 0~C64 1~VIC-20 2~C16 Plus/4 3~PET 4~C5x0 5~C6x0 C7x0 +>0xD ubyte 0 C64 +>0xD ubyte 1 VIC-20 +>0xD ubyte 2 C16 Plus/4 +>0xD ubyte 3 PET +>0xD ubyte 4 C5x0 +>0xD ubyte 5 C6x0 C7x0 +# this should not happen! +>0xD ubyte >5 %#2.2x +>0xD ubyte x \b), +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tap.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-1.trid.xml +# Note: called "C64 Tape image format" (v0-original) (v1-updated)" by TrID +# TAP version like: 0~OriginalLayout 1~Updated (often) >0x0c byte x Version:%u, +# file data size (not including header) >0x10 lelong x Length:%u cycles +# video standard like: 0~PAL 1~NTSC 2~OLD NTSC 3~PALN +>0xE ubyte x \b, video +>0xE ubyte 0 PAL +>0xE ubyte 1 NTSC +>0xE ubyte 2 old NTSC +>0xE ubyte 3 PALN +# this should not happen! +>0xE ubyte >3 %#2.2x +# reserved for future expansion like: 0 +>0xF ubyte !0 \b, at 0xF %#2.2x +# file data +#>014 ubequad x \b, data %16.16llx # magic for Goattracker2, http://covertbitops.c64.org/ # from Alex Myczko <alex@aiei.ch> 
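Review bot: The new T64 entry (`0 string/b C64` with the `>0x46 ubequad&...` guard) sets `!:ext t64` but leaves both `#!:mime application/octet-stream` and `#!:mime application/x-commodore-tape` commented out, so a match carries no MIME type. The raw TAP entry later in the same hunk does set `!:mime application/x-commodore-tape`. Callers that consume the MIME output rather than the description, such as content filters and ingestion pipelines, will have nothing specific to act on for T64 images. If the omission is deliberate, to keep T64 and TAP distinguishable, a one-line comment saying so would help; otherwise enable one of the two lines.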
@@ -194,7 +318,356 @@ >100 byte >0 \b, %u subsong(s) # CBM BASIC (cc65 compiled) +# Summary: binary executable or Basic program for Commodore C64 computers +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Commodore_BASIC_tokenized_file +# Reference: https://www.c64-wiki.com/wiki/BASIC_token +# https://github.com/thezerobit/bastext/blob/master/bastext.doc +# http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c64.trid.xml +# TODO: unify Commodore BASIC/program sub routines +# Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe 0 leshort 0x0801 ->2 leshort 0x080b ->6 string \x9e CBM BASIC ->7 string >\0 \b, SYS %s +# display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive +#!:strength +0 +# if first token is not SYS this implies BASIC program in most cases +>6 ubyte !0x9e +# but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35) +>>23 search/30 \323ELF-E\330TRACTING-\332IP +>>>0 use c64-exe +>>23 default x +>>>0 use c64-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use c64-exe +# display information about C64 binary executable (memory address, line number, token) +0 name c64-exe +>0 uleshort x Commodore C64 +# http://a1bert.kapsi.fi/Dev/pucrunch/ +# start address 0801h; next offset 080bh; BASIC line number is 239=00EFh; BASIC instruction is SYS 2061 +# the above combination appartly also occur for other Commodore programs like: gunzip111.c64.prg +# and there exist PUCrunch archive for other machines like C16 with other magics +>0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program, probably PUCrunch archive data +!:mime application/x-compress-pucrunch +!:ext prg/pck +>0 string !\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 
use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# valid 2nd BASIC fragment found only in sELF-ExTRACTING-zIP executable unzp6420.prg +>>23 search/30 \323ELF-E\330TRACTING-\332IP +# jump again from beginning +>>>(2.s-0x800) ubyte x +>>>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C64 BASIC program (memory address, line number, token) +0 name c64-prg +>0 uleshort x Commodore C64 BASIC program +!:mime application/x-commodore-basic +# Tokenized BASIC programs were stored by Commodore as file type program "PRG" in separate field in directory structures. +# So file name can have no suffix like in saveroms; When transferring to other platforms, they are often saved with .prg extensions. +# BAS suffix is typically used for the BASIC source but also found in program pods.bas +!:ext prg/bas/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C128 computers +# URL: https://en.wikipedia.org/wiki/Commodore_128 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c128.trid.xml +# 
From: Joerg Jenderek +# Note: Commodore 128 BASIC 7.0 variant; there exist varaints with different start addresses +0 leshort 0x1C01 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches SVr3 curses screen image, big-endian with strength (50) handled by ./terminfo +# probably skip SVr3 curses images with "invalid high" second line offset +>2 uleshort <0x1D02 +# skip foo with "invalid low" second line offset +>>2 uleshort >0x1C06 +# if first token is not SYS this implies BASIC program +>>>6 ubyte !0x9e +>>>>0 use c128-prg +# if first token is SYS this implies binary executable +>>>6 ubyte =0x9e +>>>>0 use c128-exe +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.1 extension by Rick Simon +# start adress 132Dh +#0 leshort 0x132D THIS_IS_C128_7.1 +#>0 use c128-prg +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.0 saved with graphics mode enabled +# start adress 4001h +#0 leshort 0x4001 THIS_IS_C128_GRAPHIC +#>0 use c128-prg +# display information about tokenized C128 BASIC program (memory address, line number, token) +0 name c128-prg +>0 uleshort x Commodore C128 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about C128 program (memory address, line number, token) +0 name c128-exe +>0 uleshort x Commodore C128 program +!:mime application/x-commodore-exec +!:ext prg/ +# start 
address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in Commodore executables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C16/VIC-20/Plus4 computers +# URL: https://en.wikipedia.org/wiki/Commodore_Plus/4 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20.trid.xml +# defs/p/prg-plus4.trid.xml +# 
From: Joerg Jenderek +# Note: there exist VIC-20 variants with different start address +# GRR: line below is too generic because it matches Novell LANalyzer capture +# with regular trace header record handled by ./sniffer +0 leshort 0x1001 +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" token value 54h +>6 ubyte >0x7F +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" second line offset 4Ch +#>>2 uleshort >0x1006 OFFSET_NOT_TOO_LOW +# skip foo with "invalid high" second line offset but not for 0x123b (Minefield.prg) +#>>>2 uleshort <0x1102 OFFSET_NOT_TOO_HIGH +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +# valid second end of line separator implies BASIC program +>>>(2.s-0x1000) ubyte =0 +>>>>0 use c16-prg +# invalid second end of line separator !=0 implies binary executable like: Minefield.prg +>>>(2.s-0x1000) ubyte !0 +>>>>0 use c16-exe +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use c16-exe +# display information about C16 program (memory address, line number, token) +0 name c16-exe +>0 uleshort x Commodore C16/VIC-20/Plus4 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C16 BASIC program (memory address, line number, token) +0 name c16-prg +>0 uleshort x Commodore C16/VIC-20/Plus4 BASIC program +!:mime 
application/x-commodore-basic +!:ext prg +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore VIC-20 computer with 8K RAM expansion +# URL: https://en.wikipedia.org/wiki/VIC-20 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20-8k.trid.xml +# 
From: Joerg Jenderek +# Note: Basic v2.0 with Basic v4.0 extension (VIC20); there exist VIC-20 variants with different start addresses +# start adress 1201h +0 leshort 0x1201 +# if first token is not SYS this implies BASIC program +>6 ubyte !0x9e +>>0 use vic-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use vic-exe +# display information about Commodore VIC-20 BASIC+8K program (memory address, line number, token) +0 name vic-prg +>0 uleshort x Commodore VIC-20 +8K BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1200) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore VIC-20 +8K program (memory address, line number, token) +0 name vic-exe +>0 uleshort x Commodore VIC-20 +8K program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore PET computers +# URL: https://en.wikipedia.org/wiki/Commodore_PET +# Reference: 
http://mark0.net/download/triddefs_xml.7z/defs/p/prg-pet.trid.xml +# 
From: Joerg Jenderek +# start adress 0401h +0 leshort 0x0401 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches TTComp archive data, ASCII, 1K dictionary +# (strength=48=50-2) handled by ./archive and shared library (strength=50) handled by ./ibm6000 +# skip TTComp archive data, ASCII, 1K dictionary ttcomp-ascii-1k.bin with "invalid high" second line offset 4162h +>2 uleshort <0x0502 +# skip foo with "invalid low" second line offset +#>>2 uleshort >0x0406 OFFSET_NOT_TOO_LOW +# skip bar with "invalid end of line" +#>>>(2.s-0x0400) ubyte =0 END_OF_LINE_OK +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +>>>0 use pet-prg +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use pet-exe +# display information about Commodore PET BASIC program (memory address, line number, token) +0 name pet-prg +>0 uleshort x Commodore PET BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore PET program (memory address, line number, token) +0 name pet-exe +>0 uleshort x Commodore PET program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte 
marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized BASIC line (memory address, line number, Token) +0 name basic-line +# pointer to memory address of beginning of "next" BASIC line +# greater then previous offset but maximal 100h difference +>0 uleshort x \b, offset %#4.4x +# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data +>0 uleshort 0 +# not line number but first 2 data bytes +>>2 ubeshort x \b, data %#4.4x +# not token but next 2 data bytes +>>4 ubeshort x \b%4.4x +# not token arguments but next data bytes +>>6 ubequad x \b%16.16llx +>>14 ubequad x \b%16.16llx... +# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive +#>>3 string x "%-0.30s" +>0 uleshort >0 +# BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100) +>>2 uleshort x \b, line %u +# https://www.c64-wiki.com/wiki/BASIC_token +# The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators +>>4 ubyte x \b, token (%#x) +# https://www.c64-wiki.com/wiki/REM +>>4 string \x8f REM +# remark string like: ** SYNTHESIZER BY RICOCHET ** +>>>5 string >\0 %s +#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x +# https://www.c64-wiki.com/wiki/PRINT +>>4 string \x99 PRINT +# string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141 +>>>5 string x %s +#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx +# https://www.c64-wiki.com/wiki/POKE +>>4 string \x97 POKE +# <Memory address>,<number> +>>>5 regex \^[0-9,\040]+ %s +# BASIC command delimiter colon (:=3Ah) +>>>>&-2 ubyte =0x3A +# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands +>>>>>&0 string x "%s" +# https://www.c64-wiki.com/wiki/SYS 
0x9e=\236 +>>4 string \x9e SYS +# SYS <Address> parameter is a 16-bit unsigned integer; in the range 0 - 65535 +>>>5 regex \^[0-9]{1,5} %s +# maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg +# (\302(43)\252256\254\302(44)\25236) /T.L.R/ +#>>>5 string x SYS_STRING="%s" +# https://www.c64-wiki.com/wiki/GOSUB +>>4 string \x8d GOSUB +# <line> +>>>5 string >\0 %s diff --git a/contrib/file/magic/Magdir/cad b/contrib/file/magic/Magdir/cad index 46a35497c2f2..0bead6eeb483 100644 --- a/contrib/file/magic/Magdir/cad +++ b/contrib/file/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.29 2021/12/06 19:33:27 christos Exp $ +# $File: cad,v 1.31 2022/12/09 15:36:23 christos Exp $ # autocad: file(1) magic for cad files # 
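Review bot: In the added `vic-exe` block the end-of-line probe is `>(2.s-0x0400) ubyte x`, although the block handles load address 0x1201 and its sibling `vic-prg` uses `(2.s-0x1200)`. 0x0400 is the base used in `pet-exe`, so this looks like a copy-paste slip. With that base the following `>>&-1 ubyte !0 \b, no EOL=%#x` test reads a byte far beyond the first BASIC line, so well-formed VIC-20 +8K executables would likely be reported with a spurious "no EOL" value, and on short files the probe simply does not match. I would change the line to `>(2.s-0x1200) ubyte x`, which matches the load-address-minus-one pattern every other `*-exe`/`*-prg` block in this hunk follows.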
@@ -301,18 +301,50 @@ # https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ # HSF_architecture.html # Stephane Charette <stephane.charette@gmail.com> -0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format) ->7 regex/9 V[.0-9]{4,5}\020 %s +0 string ;;\040HSF\040V OpenHSF (Hoops Stream Format) +>7 regex/9 V[.0-9]{4,5}\040 %s !:ext hsf # AutoCAD Drawing Exchange Format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DXF +# https://en.wikipedia.org/wiki/AutoCAD_DXF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/ +# dxf-var0.trid.xml dxf-var0u.trid.xml dxf-var2.trid.xml dxf-var2u.trid.xml +# Note: called "AutoCAD Drawing eXchange Format" by TrID and +# "Drawing Interchange File Format (ASCII)" by DROID +# GRR: some samples does not match 1st test like: abydos.dxf 0 regex \^[\ \t]*0\r?\000$ >1 regex \^[\ \t]*SECTION\r?$ >>2 regex \^[\ \t]*2\r?$ +# GRR: some samples without HEADER section like: airplan2.dxf >>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format -!:mime application/x-dxf +#!:mime application/x-dxf +!:mime image/vnd.dxf !:ext dxf +# DROID PUID fmt/64 fmt-64-signature-id-99.dxf +>>>>&1 search/8192 MC0.0 \b, 1.0 +# DROID PUID fmt/65 fmt-65-signature-id-100.dxf +>>>>&1 search/8192 AC1.2 \b, 1.2 +# DROID PUID fmt/66 fmt-66-signature-id-101.dxf +>>>>&1 search/8192 AC1.3 \b, 1.3 +# DROID PUID fmt/67 fmt-67-signature-id-102.dxf +>>>>&1 search/8192 AC1.40 \b, 1.4 +# DROID PUID fmt/68 fmt-68-signature-id-103.dxf +>>>>&1 search/8192 AC1.50 \b, 2.0 +# DROID PUID fmt/69 fmt-69-signature-id-104.dxf +>>>>&1 search/8192 AC2.10 \b, 2.1 +# DROID PUID fmt/70 fmt-70-signature-id-105.dxf +>>>>&1 search/8192 AC2.21 \b, 2.2 +# DROID PUID fmt/71 fmt-71-signature-id-106.dxf +>>>>&1 search/8192 AC1002 \b, 2.5 +# DROID PUID fmt/72 fmt-72-signature-id-107.dxf +>>>>&1 search/8192 AC1003 \b, 2.6 +# DROID PUID fmt/73 fmt-73-signature-id-108.dxf +>>>>&1 search/8192 AC1004 \b, R9 >>>>&1 search/8192 AC1006 \b, R10 +# 
http://cd.textfiles.com/amigaenv/DXF/OBJEKTE/LASTMINUTE/apple.dxf +#>>>>&1 search/8192 AC1008 \b, Rfoo >>>>&1 search/8192 AC1009 \b, R11/R12 >>>>&1 search/8192 AC1012 \b, R13 >>>>&1 search/8192 AC1013 \b, R13c3 diff --git a/contrib/file/magic/Magdir/cafebabe b/contrib/file/magic/Magdir/cafebabe index 8cc0902b4cd5..eb28a4b27651 100644 --- a/contrib/file/magic/Magdir/cafebabe +++ b/contrib/file/magic/Magdir/cafebabe @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.27 2021/04/26 15:56:00 christos Exp $ +# $File: cafebabe,v 1.31 2024/08/30 16:53:22 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, 
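Review bot: The DXF entry in the `@@ -301,18 +301,50 @@` cad hunk switches its `!:mime` from `application/x-dxf` to `image/vnd.dxf`, which changes what `file --mime-type` reports for every matching file. Upload filters, mail gateways or triage rules keyed on the old string will stop matching once this is imported. The previous value survives only as `#!:mime application/x-dxf` with no explanation, so I would add a comment next to it, for example `# previously application/x-dxf; consumers matching on the MIME string need updating`, and mention the change in the import notes.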
@@ -14,10 +14,47 @@ # (and use as a hack). Let's not use 18, because the Mach-O people # might add another one or two as time goes by... # + +### MACH-O START ### +# URL: https://en.wikipedia.org/wiki/Mach-O + +0 name mach-o \b [ +# for debugging purpose CPU type as hexadecimal +#>0 ubequad x CPU=%16.16llx +# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... +>0 use mach-o-cpu \b +# for debugging purpose print offset to 1st mach_header like: +# 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h +#>8 ubelong x at %#x offset +>(8.L) indirect x \b: +>0 belong x \b] + +# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ +# include/mach-o/fat.h +# include/mach/machine.h +0 belong 0xcafebabe +>4 belong 1 Mach-O universal binary with 1 architecture: +!:mime application/x-mach-binary +>>8 use mach-o \b +# nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 +>4 ubelong >1 +>>4 ubelong <20 Mach-O universal binary with %d architectures: +!:mime application/x-mach-binary +>>>8 use mach-o \b +>>>4 ubelong >1 +>>>>28 use mach-o \b +>>>4 ubelong >2 +>>>>48 use mach-o \b +>>>4 ubelong >3 +>>>>68 use mach-o \b +>>>4 ubelong >4 +>>>>88 use mach-o \b +>>>4 ubelong >5 +>>>>108 use mach-o \b +### MACH-O END ### ### JAVA START ### # Reference: http://en.wikipedia.org/wiki/Java_class_file # Update: Joerg Jenderek -0 belong 0xcafebabe >4 ubelong >30 compiled Java class data, !:mime application/x-java-applet #!:mime application/java-byte-code 
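Review bot: Removing the Java section's own `0 belong 0xcafebabe` leaves `>4 ubelong >30 compiled Java class data,` as a continuation of the Mach-O entry that now precedes it, and nothing under `### JAVA START ###` says so. The two formats are then told apart only by the value at offset 4 (1 to 19 is read as nfat_arch, above 30 as a class-file version), and a later edit that re-adds a level-0 line or moves the markers could break that without any visible error. I would add a comment directly under the marker, for example `# continues the "0 belong 0xcafebabe" entry above; offset 4: 1-19 = nfat_arch, >30 = class version`. The Java tests continue beyond the end of this hunk.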
@@ -44,6 +81,18 @@ >>4 belong 0x0038 (Java SE 12) >>4 belong 0x0039 (Java SE 13) >>4 belong 0x003A (Java SE 14) +>>4 belong 0x003B (Java SE 15) +>>4 belong 0x003C (Java SE 16) +>>4 belong 0x003D (Java SE 17) +>>4 belong 0x003E (Java SE 18) +>>4 belong 0x003F (Java SE 19) +>>4 belong 0x0040 (Java SE 20) +>>4 belong 0x0041 (Java SE 21) +>>4 belong 0x0042 (Java SE 22) +>>4 belong 0x0043 (Java SE 23) +>>4 belong 0x0044 (Java SE 24) +>>4 belong 0x0045 (Java SE 25) +>>4 belong 0x0046 (Java SE 26) # pool count unequal zero #>>8 beshort x \b, pool count %#x # pool table @@ -54,48 +103,4 @@ >4 byte x \b%d !:mime application/x-java-pack200 - -0 belong 0xcafed00d JAR compressed with pack200, ->5 byte x version %d. ->4 byte x \b%d -!:mime application/x-java-pack200 - ### JAVA END ### -### MACH-O START ### -# URL: https://en.wikipedia.org/wiki/Mach-O - -0 name mach-o \b [ -# for debugging purpose CPU type as hexadecimal -#>0 ubequad x CPU=%16.16llx -# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... ->0 use mach-o-cpu \b -# for debugging purpose print offset to 1st mach_header like: -# 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h -#>8 ubelong x at %#x offset ->(8.L) indirect x \b: ->0 belong x \b] - -# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ -# include/mach-o/fat.h -# include/mach/machine.h -0 belong 0xcafebabe ->4 belong 1 Mach-O universal binary with 1 architecture: -!:mime application/x-mach-binary ->>8 use mach-o \b -# nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 ->4 ubelong >1 ->>4 ubelong <20 Mach-O universal binary with %d architectures: -!:mime application/x-mach-binary ->>>8 use mach-o \b ->>>4 ubelong >1 ->>>>28 use mach-o \b ->>>4 ubelong >2 ->>>>48 use mach-o \b ->>>4 ubelong >3 ->>>>68 use mach-o \b ->>>4 ubelong >4 ->>>>88 use mach-o \b ->>>4 ubelong >5 ->>>>108 use mach-o \b - -### MACH-O END ### 
diff --git a/contrib/file/magic/Magdir/cbor b/contrib/file/magic/Magdir/cbor index c780dc6594d3..75c09a1c1a4c 100644 --- a/contrib/file/magic/Magdir/cbor +++ b/contrib/file/magic/Magdir/cbor @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cbor,v 1.1 2015/01/28 01:05:21 christos Exp $ +# $File: cbor,v 1.2 2024/09/04 19:06:12 christos Exp $ # cbor: file(1) magic for CBOR files as defined in RFC 7049 0 string \xd9\xd9\xf7 Concise Binary Object Representation (CBOR) container @@ -13,7 +13,7 @@ >3 ubyte <0x80 >>3 ubyte >0x5f (text string) >3 ubyte <0xa0 ->3 ubyte >0x7f (array) +>>3 ubyte >0x7f (array) >3 ubyte <0xc0 >>3 ubyte >0x9f (map) >3 ubyte <0xe0 diff --git a/contrib/file/magic/Magdir/claris b/contrib/file/magic/Magdir/claris index 6a1b68fb2275..3230bda2a7c4 100644 --- a/contrib/file/magic/Magdir/claris +++ b/contrib/file/magic/Magdir/claris @@ -1,8 +1,10 @@ #------------------------------------------------------------------------------ -# $File: claris,v 1.8 2016/07/18 19:23:38 christos Exp $ +# $File: claris,v 1.9 2024/07/07 14:36:49 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" <aldomel@ix.netcom.com> +# Update: Joerg Jenderek 2024 May +# URL: https://en.wikipedia.org/wiki/AppleWorks # Claris Works a word processor, etc. # Version 3.0 
@@ -12,8 +14,14 @@ #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal 514 string \377\377\377\377\000 +# https://sembiance.com/fileFormatSamples/image/pict/ +# Claris clip art (strength=80) after few Macintosh QuickDraw (strength=81=70+11 ./images) with corner coordinates -1/-1 and Y=0x00?? like PICT_2012.pict +#!:strength +0 >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art 514 string \377\377\377\377\001 +# https://sembiance.com/fileFormatSamples/image/pict/ +# Claris clip art (strength=80) after few Macintosh QuickDraw (strength=81=70+11 ./images) with corner coordinates -1/-1 and Y=0x01?? like PICT_129.pict +#!:strength +0 >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art # Claris works files diff --git a/contrib/file/magic/Magdir/coff b/contrib/file/magic/Magdir/coff index 535187c2ce9e..d42b9ebeec7a 100644 --- a/contrib/file/magic/Magdir/coff +++ b/contrib/file/magic/Magdir/coff 
@@ -1,48 +1,92 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $ +# $File: coff,v 1.15 2024/11/10 18:54:33 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # -# by Joerg Jenderek at Oct 2015, Feb 2021 +# by Joerg Jenderek at Oct 2015, Feb 2021, Mar 2024 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image +# https://formats.kaitai.io/uefi_te/index.html + +# Display COFF processor type, including MS COFF and PE/COFF +0 name display-coff-processor +# PE/COFF, DJGPP, i386 COFF executable, MS Windows COFF Intel i386 object file (./intel) +>0 uleshort 0x014c Intel i386 +>0 uleshort 0x014d Intel i860 +>0 uleshort 0x0160 MIPS R3000 (big-endian) +>0 uleshort 0x0162 MIPS R3000 +>0 uleshort 0x0166 MIPS R4000 +>0 uleshort 0x0168 MIPS R10000 +>0 uleshort 0x0169 MIPS WCE v2 +>0 uleshort 0x0184 Alpha 32-bit +>0 uleshort 0x01a2 Hitachi SH3 +>0 uleshort 0x01a3 Hitachi SH3 DSP +>0 uleshort 0x01a4 Hitachi SH4E +>0 uleshort 0x01a6 Hitachi SH4 +>0 uleshort 0x01a8 Hitachi SH5 +>0 uleshort 0x01c0 ARMv4 +>0 uleshort 0x01c2 ARMv4T +>0 uleshort 0x01c4 ARMv7 +>0 uleshort 0x01d3 Matsushita AM33 +# executable (RISC System/6000 V3.1) or obj module (./ibm6000 v 1.15), not PE/COFF +>0 uleshort 0x01df RISC System/6000 +>0 uleshort 0x01f0 PowerPC 32-bit (little-endian) +>0 uleshort 0x01f1 PowerPC 32-bit with FPU (little-endian) +>0 uleshort 0x01f2 PowerPC 64-bit (big-endian) +>0 uleshort 0x0200 Intel Itanium +>0 uleshort 0x0266 MIPS16 +>0 uleshort 0x0268 Motorola 68000 +>0 uleshort 0x0284 Alpha 64-bit +>0 uleshort 0x0290 PA-RISC +>0 uleshort 0x0366 MIPS with FPU +>0 uleshort 0x0466 MIPS16 with FPU +# Hitachi SH big-endian COFF (./hitachi-sh), not 
PE/COFF +>0 uleshort 0x0500 Hitachi SH (big-endian) +>0 uleshort 0x0520 Tricore +# Hitachi SH little-endian COFF (./hitachi-sh), not PE/COFF +>0 uleshort 0x0550 Hitachi SH (little-endian) +>0 uleshort 0x0601 PowerPC 32-bit (big-endian) +# Windows CE 3.0 Common Executable Format, created by linkcef.exe with /MACHINE:CEF flag +# https://web.archive.org/web/20000819035046/http://microsoft.com/windows/embedded/ce/downloads/cef.asp +# https://web.archive.org/web/20000914080342/http://microsoft.com/windows/embedded/ce/developer/applications/appdevelopment/cef2.asp +# https://web.archive.org/web/20021022055906/http://msdn.microsoft.com/library/en-us/dnce30/html/cef2.asp +>0 uleshort 0x0cef Common Executable Format +>0 uleshort 0x0ebc EFI byte code +>0 uleshort 0x3a64 ARM64 (i386 ABI) +>0 uleshort 0x5032 RISC-V 32-bit +>0 uleshort 0x5064 RISC-V 64-bit +>0 uleshort 0x5128 RISC-V 128-bit +>0 uleshort 0x6232 LoongArch 32-bit +>0 uleshort 0x6264 LoongArch 64-bit +>0 uleshort 0x8664 x86-64 +>0 uleshort 0x9041 Mitsubishi M32R +>0 uleshort 0xa641 ARM64 (x86-64 ABI) +>0 uleshort 0xa64e ARM64 (classic + x86-64 ABI) +# PE/COFF ARM64 classic ABI, ARM COFF (./arm) +>0 uleshort 0xaa64 ARM64 +>0 uleshort 0xace1 OMNI VM (omniprox.dll) +# Processor type CEE can be only in object files (created by older ilasm.exe with /OBJECT flag), not in PE executables +>0 uleshort 0xc0ee COM+ Execution Engine +>0 default x Unknown processor +>>0 uleshort x 0x%04x # display name+variables+flags of Common Object Files Format (32bit) # Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff -# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 uleshort&0x8E80 0 +# test for unused flag bits (0x8000,x0080) in f_flags +# flag bits (0x0800,0x0400,0x0200) now seems to be used in RISC System/6000 V3.1 +>18 uleshort&0x8080 0 # skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections 
>>2 uleshort >0 # skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections >>>2 uleshort <4207 ->>>>0 clear x # f_magic - magic number -# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) ->>>>0 uleshort 0x014C Intel 80386 -# Hitachi SH big-endian COFF (./hitachi-sh) ->>>>0 uleshort 0x0500 Hitachi SH big-endian -# Hitachi SH little-endian COFF (./hitachi-sh) ->>>>0 uleshort 0x0550 Hitachi SH little-endian -# executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>>>0 uleshort 0x01DF -# MS Windows COFF Intel Itanium, AMD64 -# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx ->>>>0 uleshort 0x0200 Intel ia64 ->>>>0 uleshort 0x8664 Intel amd64 -# ARM COFF (./arm) ->>>>0 uleshort 0xaa64 Aarch64 ->>>>0 uleshort 0x01c0 ARM ->>>>0 uleshort 0x01c2 ARM Thumb ->>>>0 uleshort 0x01c4 ARMv7 Thumb -# TODO for other COFFs -#>>>>0 uleshort 0xABCD COFF_TEMPLATE ->>>>0 default x ->>>>>0 uleshort x type %#04x +>>>>0 use display-coff-processor >>>>0 uleshort x COFF # F_EXEC flag bit >>>>18 leshort ^0x0002 object file @@ -52,6 +96,9 @@ #!:ext cof/o/obj/lib >>>>18 leshort &0x0002 executable #!:mime application/x-coffexec +!:mime application/x-coff-executable +# typically no file name suffix for executables +!:ext / # F_RELFLG flag bit,static object >>>>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit 
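Review bot: The sanity mask at the top of `display-coff` is relaxed from `0x8E80` to `0x8080` for every machine type, although the added comment justifies it only for RISC System/6000 V3.1 flags. The routine's header comment lists many other magic files that may use it, so data with bits 0x0800, 0x0400 or 0x0200 set at offset 18 now passes this filter for all of them. Tools that classify untrusted files from this output would see more false COFF matches. If the looser mask is only needed for magic 0x01df, keep the strict test for the other values, or state in the comment that the relaxation is global. The new comment also has a typo, `x0080` for `0x0080`.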
@@ -78,16 +125,39 @@ # like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 >>>>12 ulelong >0 \b, %d symbols # f_opthdr - optional header size. An object file should have a value of 0 +# like: 72 (IBM\HH\HYPERHLP) >>>>16 uleshort >0 \b, optional header size %u -# f_timdat - file time & date stamp only for little endian +# f_timdat - file time & date stamp >>>>4 ledate >0 \b, created %s # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files >>>>16 uleshort =0 -# first section name s_name[8] like: .text .data .debug$S .drectve .testseg ->>>>>20 string x \b, 1st section name "%.8s" +# most section names start with point character except samples created by "exotic" compilers +# first section name s_name[8] like: .text .data .debug$S .drectve .testseg .rsrc .rsrc$01 .pad +>>>>>(16.s+20) string x \b, 1st section name "%.8s" +# physical address s_paddr like: 0 +#>>>>>(16.s+28) lelong !0 \b, s_paddr %#8.8x +# virtual address s_vaddr like: 0 +#>>>>>(16.s+32) lelong !0 \b, s_vaddr %#8.8x +# section size s_size +#>>>>>(16.s+36) lelong x \b, s_size %#8.8x +# file ptr to raw data for section s_scnpt +#>>>>>(16.s+40) lelong x \b, s_scnpt %#8.8x +# file ptr to relocation s_relptr like: 0 +#>>>>>(16.s+44) lelong !0 \b, s_relptr %#8.8x +# file ptr to gp histogram s_lnnoptr like: 0 +#>>>>>(16.s+48) lelong !0 \b, s_lnnoptr %#8.8x +# number of relocation entries s_nreloc like: 0 1 2 5 6 8 19h 26h 27h 38h 50h 5Fh 89h Dh 1Ch 69h A9h 1DCh 651h +#>>>>>(16.s+52) uleshort x \b, s_nreloc %#4.4x +# number of gp histogram entries s_nlnno like: 0 +#>>>>>(16.s+54) uleshort !0 \b, s_nlnno %#4.4x +# flags s_flags +#>>>>>(16.s+56) lelong x \b, s_flags %#8.8x +# second section name s_name[8] like: .bss .data .debug$S .rsrc$01 +>>>>2 uleshort >1 +>>>>>(16.s+60) string x \b, 2nd section name "%.8s" # >20 beshort 0407 (impure) 
# >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) @@ -95,3 +165,53 @@ # >22 leshort >0 - version %d # >168 string .lowmem Apple toolbox +# PowerPC COFF object file or executable +0 leshort 0x01f0 +>16 leshort 0 +>>0 use display-coff +# can be created by: LINK.EXE /MACHINE:powerpc /ROM +>16 leshort !0 +>>18 leshort &0x0002 +>>>20 leshort 0x010b +>>>>0 use display-coff +0 leshort 0x01f1 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x01f2 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x0601 +>16 leshort 0 +>>0 use display-coff +# can be created by: LINK.EXE /MACHINE:MPPC /ROM +>16 leshort !0 +>>18 leshort &0x0002 +>>>20 leshort 0x010b +>>>>0 use display-coff + +0 name display-subsystem +>0 ubyte 0 unknown +>0 ubyte 1 native +>0 ubyte 2 windows_gui +>0 ubyte 3 windows_cui +>0 ubyte 7 posix_cui +>0 ubyte 9 windows_ce_gui +>0 ubyte 10 efi_application +>0 ubyte 11 efi_boot_service_driver +>0 ubyte 12 efi_runtime_driver +>0 ubyte 13 efi_rom +>0 ubyte 14 xbox +>0 ubyte 16 windows_boot-application +>0 default x Unknown subsystem +>>0 ubyte x %#x + + +# https://formats.kaitai.io/uefi_te/index.html +0 string VZ TE (Terse Executable) file +>2 use display-coff-processor +>4 byte x \b, sections %d +>5 use display-subsystem +>6 uleshort x \b, stripped-size %u +>8 ulelong x \b, entry %#x +>12 ulelong x \b, base_of_code %#x +>16 ulequad x \b, image_base %#llx diff --git a/contrib/file/magic/Magdir/commands b/contrib/file/magic/Magdir/commands index a257eb2b7a13..88aa6920be86 100644 --- a/contrib/file/magic/Magdir/commands +++ b/contrib/file/magic/Magdir/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.69 2022/04/20 21:14:23 christos Exp $ +# $File: commands,v 1.77 2024/11/10 16:55:15 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 
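Review bot: The first and second section names are printed under different conditions. `>>>>>(16.s+20)` sits below `>>>>16 uleshort =0`, so its indirect part always adds zero and the first name is shown only when there is no optional header. `>>>>>(16.s+60)` sits below `>>>>2 uleshort >1` and is evaluated for any file with more than one section, including executables with an optional header, which then report a "2nd section name" without a first one. If that is intended a comment should say so; otherwise move the first-name test out of the `=0` branch so both use the `f_opthdr`-relative offset. This assumes the nesting levels are as they appear in the hunk.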
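Review bot: The new TE entry accepts any file whose first two bytes are `VZ` and prints machine, subsystem and addresses with no plausibility check. Text or data that merely starts with those two letters will therefore be reported as a Terse Executable. Since `display-subsystem` only knows values up to 16, a cheap guard would be `0 string VZ` followed by `>5 ubyte <17 TE (Terse Executable) file`, with the remaining lines moved one level deeper. A check that the machine word at offset 2 is a known value would tighten it further.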
@@ -8,6 +8,8 @@ !:mime text/x-shellscript 0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) !:mime text/x-shellscript +>10 string #\040This\040script\040was\040generated\040using\040Makeself \b, self-executable archive +>>53 string x \b, Makeself %s 0 string/fwt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript @@ -87,6 +89,13 @@ !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/fwt #!\ /bin/env\ bash Bourne-Again shell script text executable +!:mime text/x-shellscript + +0 string/fwt #!\ /bin/dash Dash shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/dash Dash shell script text executable +!:mime text/x-shellscript # Fish shell magic # From: Benjamin Lowry <ben@ben.gmbh> @@ -97,9 +106,6 @@ 0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable !:mime text/x-shellscript -0 string/wt #!\ a ->&-1 string/T x %s script text executable - 0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable !:mime text/x-tcl @@ -111,6 +117,8 @@ 0 search/1/fwt #!\ /usr/bin/stap Systemtap script text executable !:mime text/x-systemtap +0 search/1/fwt #!\ /sbin/openrc-run OpenRC script text executable +!:mime text/x-shellscript # From: Kylie McClain <kylie@somas.is> # Type: execline scripts @@ -128,6 +136,9 @@ >0 regex \^#!.*/bin/execlineb([[:space:]].*)*$ execline script text executable !:mime text/x-execline +0 string #!/nix/store/ +>&-11 string/T x a %s script text executable + # PHP scripts # Ulf Harnhammar <ulfh@update.uu.se> 0 search/1/c =<?php PHP script text @@ -189,3 +200,14 @@ # From Danny Weldon 0 string \x0b\x13\x08\x00 >0x04 uleshort <4 ksh byte-code version %d + +# 
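Review bot: The Makeself test uses fixed offsets 10 and 53, which only line up when the first line is exactly `#!/bin/sh` followed by a newline. The parent test is `string/fwb #!\ /bin/sh`, whose `w` flag also accepts `#! /bin/sh`, and for that form the marker sits one byte later and the child tests miss. Self-extracting archives are something triage tooling wants flagged reliably, so at least document the assumption, for example `# offsets 10 and 53 assume a first line of exactly "#!/bin/sh\n"`. A `search` with a small range at offset 10 would tolerate the extra blank, if the author prefers a code change.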
From: arno <arenevier@fdn.fr> +# mozilla xpconnect typelib +# see https://www.mozilla.org/scriptable/typelib_file.html +0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib +>0x10 byte x version %d +>>0x11 byte x \b.%d + +0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable +0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable +0 string/fwt #!\ /usr/bin/env\ julia Julia script executable diff --git a/contrib/file/magic/Magdir/compress b/contrib/file/magic/Magdir/compress index 8c368db58cd6..78395c526a63 100644 --- a/contrib/file/magic/Magdir/compress +++ b/contrib/file/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.82 2021/06/30 08:11:29 christos Exp $ +# $File: compress,v 1.96 2024/11/09 23:47:04 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -12,13 +12,14 @@ 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU +!:ext Z >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # URL: https://en.wikipedia.org/wiki/Gzip # Reference: https://tools.ietf.org/html/rfc1952 -# Update: Joerg Jenderek, Apr 2019 +# Update: Joerg Jenderek, Apr 2019, Dec 2022 # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods 
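Review bot: The three new `/usr/bin/env` entries for `runghc`, `runhaskell` and `julia` have no `!:mime` line, unlike every other shebang entry touched in this file. With `file --mime-type` they will presumably fall back to a generic type instead of a script type, which matters to consumers that filter uploads or attachments by MIME type. Add a `!:mime` line under each, for example `!:mime text/x-haskell` for the two Haskell entries, as shared-mime-info uses for Haskell sources. Their descriptions also drop the word "text" that the neighbouring entries carry ("script text executable"), which may be deliberate but is inconsistent.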
@@ -61,20 +62,24 @@ !:mime application/gzip >>>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 +# TODO: check for GXD MCD cad the reported size >>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated # gzipped TAR or VirtualBox extension package #!:mime application/x-compressed-tar #!:mime application/x-virtualbox-vbox-extpack # https://www.w3.org/TR/SVG/mimereg.html -#!:mime image/image/svg+xml-compressed +#!:mime image/svg+xml-compressed # zlib.3.gz # microcode-20180312.tgz # tpz same as tgz # lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg # Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack -!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz +# trees.blend http://fileformats.archiveteam.org/wiki/BLEND +# 2020-07-19-Note-16-24.xoj https://xournal.sourceforge.net/manual.html +# MYgnucash-gz.gnucash https://wiki.gnucash.org/wiki/GnuCash_XML_format +# text-rotate.dia https://en.wikipedia.org/wiki/Dia_(software) +# MYrdata.RData https://en.wikipedia.org/wiki/R_(programming_language) +!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz/blend/dia/gnucash/rdata/xoj # FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text >3 byte&0x18 >0 gzip compressed data !:mime application/gzip 
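Review bot: Removing the `>>-0 offset >48` guard and the `truncated` branch means `>>>-4 ulelong x` is now read from the last four bytes of any file, however short. For a stream shorter than header plus trailer, the reported "original size" is then taken from header or data bytes rather than from ISIZE, and the `truncated` hint is gone. The hunk at `@@ -83,12 +88,13 @@` makes the same change for the FNAME/FCOMMENT branch. If the guard was dropped on purpose, a comment such as `# no minimum-length check: size is bogus for truncated streams` would record that; otherwise keep a lower bound on the file size before printing the size. The second hunk also still carries `#!:mime image/image/svg+xml-compressed` as context, which this hunk corrects only in the first branch.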
@@ -83,12 +88,13 @@ #!:mime application/x-abiword-compressed #!:mime image/image/svg+xml-compressed # kleopatra_splashscreen.svgz gzipped .svg -!:ext gz/tgz/tpz/zabw/svgz +# RSI-Mega-Demo_Disk1.adz gzipped .adf http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# PostbankTest.kmy gzipped XML https://docs.kde.org/stable5/en/kmymoney/kmymoney/details.formats.compressed.html +# Logo.xcfgz gzipped .xcf http://fileformats.archiveteam.org/wiki/XCF +!:ext gz/tgz/tpz/zabw/svgz/adz/kmy/xcfgz >>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 ->>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated +>>-4 ulelong x \b, original size modulo 2^32 %u # display information of gzip compressed files 0 name gzip-info #>2 byte x THIS iS GZIP @@ -125,6 +131,7 @@ # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream +!:ext z >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # @@ -147,6 +154,7 @@ # bzip2 0 string BZh bzip2 compressed data !:mime application/x-bzip2 +!:ext bz2 >3 byte >47 \b, block size = %c00k # bzip a block-sorting file compressor @@ -158,6 +166,7 @@ # lzip 0 string LZIP lzip compressed data !:mime application/x-lzip +!:ext lz >4 byte x \b, version: %d # squeeze and crunch @@ -193,6 +202,8 @@ # lzop from <markus.oberhumer@jk.uni-linz.ac.at> 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data +!:ext lzo +!:mime application/x-lzop >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, 
@@ -253,20 +264,24 @@ !:mime application/x-7z-compressed !:ext 7z/cb7 +0 name lzma LZMA compressed data, +!:mime application/x-lzma +!:ext lzma +>5 lequad =0xffffffffffffffff streamed +>5 lequad !0xffffffffffffffff non-streamed, size %lld + # Type: LZMA 0 lelong&0xffffff =0x5d ->12 leshort 0xff LZMA compressed data, -!:mime application/x-lzma ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld ->12 leshort 0 LZMA compressed data, ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld +>12 leshort 0xff +>>0 use lzma +>12 leshort 0 +>>0 use lzma # http://tukaani.org/xz/xz-file-format.txt 0 ustring \xFD7zXZ\x00 XZ compressed data, checksum !:strength * 2 !:mime application/x-xz +!:ext xz >7 byte&0xf 0x0 NONE >7 byte&0xf 0x1 CRC32 >7 byte&0xf 0x4 CRC64 @@ -274,14 +289,15 @@ # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data +!:mime application/x-lrzip >4 byte x - version %d >5 byte x \b.%d >22 byte 1 \b, encrypted -!:mime application/x-lrzip # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 +!:ext lz4 # Added by osm0sis@xda-developers.com 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) !:mime application/x-lz4 
@@ -318,19 +334,26 @@ # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id 0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md @@ -354,18 +377,15 @@ 0 string ArC\x01 FreeArc archive <http://freearc.org> -# Type: DACT compressed files -0 long 0x444354C3 DACT compressed data ->4 byte >-1 (version %i. ->5 byte >-1 %i. ->6 byte >-1 %i) ->7 long >0 , original size: %i bytes ->15 long >30 , block size: %i bytes - # Valve Pack (VPK) files +# https://developer.valvesoftware.com/wiki/VPK_(file_format)#File_Format 0 lelong 0x55aa1234 Valve Pak file >0x4 lelong x \b, version %u ->0x8 lelong x \b, %u entries +>0x8 lelong x \b, tree size %u +>0x12 lelong x \b, file data size %u +>0x16 lelong x \b, archive MD5 size %u +>0x20 lelong x \b, other MD5 size %u +>0x24 lelong x \b, signature size %u # Snappy framing format # https://code.google.com/p/snappy/source/browse/trunk/framing_format.txt 
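Review bot: The new Valve Pak field offsets `0x12`, `0x16`, `0x20` and `0x24` look like decimal offsets written with a hex prefix. As I read the linked wiki page, the header fields are consecutive 32-bit words, so after tree size at 8 they sit at 12, 16, 20 and 24, while the hunk reads them from 18, 22, 32 and 36 and prints unrelated bytes. The four size fields after tree size also exist only in version 2 headers, so for a version 1 file these lines would print directory-tree data as sizes. The fix is to use decimal offsets and nest them under a version check.

```magic
# … unchanged: signature and version lines …
>0x8	lelong	x	\b, tree size %u
# the following fields are present only in version 2 headers
>0x4	lelong	2
>>12	lelong	x	\b, file data size %u
>>16	lelong	x	\b, archive MD5 size %u
>>20	lelong	x	\b, other MD5 size %u
>>24	lelong	x	\b, signature size %u
```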
@@ -402,7 +422,37 @@ 0 string bvx2 lzfse compressed, compressed tables 0 string bvxn lzfse encoded, lzvn compressed -# pcxLib.exe compression program -# http://www.shikadi.net/moddingwiki/PCX_Library -0 string/b pcxLib ->0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm +0 uleshort 0x7c49 +>2 lelong 0x80 ORA FASTQ compressed file +>>6 ulelong x \b, DNA size %u +>>10 ulelong x \b, read names size %u +>>14 ulelong x \b, quality buffer 1 size %u +>>18 ulelong x \b, quality buffer 2 size %u +>>22 ulelong x \b, sequence buffer size %u +>>26 ulelong x \b, N-position buffer size %u +>>30 ulelong x \b, crypto buffer size %u +>>34 ulelong x \b, misc buffer 1 size %u +>>38 ulelong x \b, misc buffer 2 size %u +>>42 ulelong x \b, flags %#x +>>46 lelong x \b, read size %d +>>50 lelong x \b, number of reads %d +>>54 leshort x \b, version %d + +# https://github.com/kspalaiologos/bzip3/blob/master/doc/file_format.md +0 string/b BZ3v1 bzip3 compressed data +>5 ulelong x \b, blocksize %u + + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/\ +# SW/ORA/ORAFormatSpecification.htm +# From Guillaume Rizk +0 short =0x7C49 DRAGEN ORA file, +>-261 short =0x7C49 with metadata: +>-125 u8 x NB reads: %llu, +>-109 u8 x NB bases: %llu. +>-219 u4&0x02 2 File contains interleaved paired reads + +# https://github.com/xamarin/xamarin-android/pull/4686 +0 string XALZ Xamarin LZ4-compressed assembly +>8 ulelong x \b, uncompressed size %u diff --git a/contrib/file/magic/Magdir/console b/contrib/file/magic/Magdir/console index 367aeec36004..8fef21f73ab8 100644 --- a/contrib/file/magic/Magdir/console +++ b/contrib/file/magic/Magdir/console 
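Review bot: This hunk adds two level-0 entries for the same two-byte value, `0 uleshort 0x7c49` and `0 short =0x7C49`, and the second prints `DRAGEN ORA file,` on that match alone. Unlike the first, it has no further check such as `>2 lelong 0x80`, so any file starting with those two bytes is labelled, and which description wins depends on entry strength. It also uses the host-endian `short` where the first entry uses `uleshort`, so it would not match the same files on a big-endian host. Consider folding the footer tests (`>-261`, `>-125`, `>-109`, `>-219`) under the first entry, or at least writing the second as `0 uleshort 0x7c49` with the description moved to a `>2 lelong 0x80` child. Whether 0x80 at offset 2 holds for all DRAGEN files should be confirmed against the specification.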
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.68 2022/05/14 20:04:43 christos Exp $ +# $File: console,v 1.80 2024/11/09 23:55:02 christos Exp $ # Console game magic # Toby Deshane <hac@shoelace.digivill.net> @@ -68,7 +68,7 @@ !:mime application/x-nes-rom #------------------------------------------------------------------------------ -# fds: file(1) magic for Famciom Disk System disk images +# fds: file(1) magic for Famicom Disk System disk images # Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # From: David Korth <gerbilsoft@gerbilsoft.com> # TODO: Check "Disk info block" and get info from that in addition to the optional header. @@ -115,17 +115,18 @@ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header # -0x104 bequad 0xCEED6666CC0D000B Game Boy ROM image -# TODO: application/x-gameboy-color-rom for GBC. -!:mime application/x-gameboy-rom + +# Title (16 chars for GB; 15 chars for CGB) +0 name gameboy-title >0x143 byte&0x80 0x80 >>0x134 string >\0 \b: "%.15s" >0x143 byte&0x80 !0x80 >>0x134 string >\0 \b: "%.16s" >0x14c byte x (Rev.%02u) -# Machine type. (SGB, CGB, SGB+CGB) +# Machine type (SGB, CGB, SGB+CGB) # Old licensee code 0x33 is required for SGB, but not CGB. +0 name gameboy-machine-type >0x14b byte 0x33 >>0x146 byte 0x03 >>>0x143 byte&0x80 0x80 [SGB+CGB] 
@@ -137,53 +138,78 @@ >>0x143 byte&0xC0 0x80 [CGB] >>0x143 byte&0xC0 0xC0 [CGB ONLY] -# Mapper. ->0x147 byte 0x00 [ROM ONLY] ->0x147 byte 0x01 [MBC1] ->0x147 byte 0x02 [MBC1+RAM] ->0x147 byte 0x03 [MBC1+RAM+BATT] ->0x147 byte 0x05 [MBC2] ->0x147 byte 0x06 [MBC2+BATTERY] ->0x147 byte 0x08 [ROM+RAM] ->0x147 byte 0x09 [ROM+RAM+BATTERY] ->0x147 byte 0x0B [MMM01] ->0x147 byte 0x0C [MMM01+SRAM] ->0x147 byte 0x0D [MMM01+SRAM+BATT] ->0x147 byte 0x0F [MBC3+TIMER+BATT] ->0x147 byte 0x10 [MBC3+TIMER+RAM+BATT] ->0x147 byte 0x11 [MBC3] ->0x147 byte 0x12 [MBC3+RAM] ->0x147 byte 0x13 [MBC3+RAM+BATT] ->0x147 byte 0x19 [MBC5] ->0x147 byte 0x1A [MBC5+RAM] ->0x147 byte 0x1B [MBC5+RAM+BATT] ->0x147 byte 0x1C [MBC5+RUMBLE] ->0x147 byte 0x1D [MBC5+RUMBLE+SRAM] ->0x147 byte 0x1E [MBC5+RUMBLE+SRAM+BATT] ->0x147 byte 0xFC [Pocket Camera] ->0x147 byte 0xFD [Bandai TAMA5] ->0x147 byte 0xFE [Hudson HuC-3] ->0x147 byte 0xFF [Hudson HuC-1] - -# ROM size. ->0x148 byte 0 \b, ROM: 256Kbit ->0x148 byte 1 \b, ROM: 512Kbit ->0x148 byte 2 \b, ROM: 1Mbit ->0x148 byte 3 \b, ROM: 2Mbit ->0x148 byte 4 \b, ROM: 4Mbit ->0x148 byte 5 \b, ROM: 8Mbit ->0x148 byte 6 \b, ROM: 16Mbit ->0x148 byte 7 \b, ROM: 32Mbit ->0x148 byte 0x52 \b, ROM: 9Mbit ->0x148 byte 0x53 \b, ROM: 10Mbit ->0x148 byte 0x54 \b, ROM: 12Mbit - -# RAM size. 
->0x149 byte 1 \b, RAM: 16Kbit ->0x149 byte 2 \b, RAM: 64Kbit ->0x149 byte 3 \b, RAM: 256Kbit ->0x149 byte 4 \b, RAM: 1Mbit ->0x149 byte 5 \b, RAM: 512Kbit +# Mapper +0 name gameboy-mapper +>0 byte 0x00 [ROM ONLY] +>0 byte 0x01 [MBC1] +>0 byte 0x02 [MBC1+RAM] +>0 byte 0x03 [MBC1+RAM+BATT] +>0 byte 0x05 [MBC2] +>0 byte 0x06 [MBC2+BATTERY] +>0 byte 0x08 [ROM+RAM] +>0 byte 0x09 [ROM+RAM+BATTERY] +>0 byte 0x0B [MMM01] +>0 byte 0x0C [MMM01+SRAM] +>0 byte 0x0D [MMM01+SRAM+BATT] +>0 byte 0x0F [MBC3+TIMER+BATT] +>0 byte 0x10 [MBC3+TIMER+RAM+BATT] +>0 byte 0x11 [MBC3] +>0 byte 0x12 [MBC3+RAM] +>0 byte 0x13 [MBC3+RAM+BATT] +>0 byte 0x19 [MBC5] +>0 byte 0x1A [MBC5+RAM] +>0 byte 0x1B [MBC5+RAM+BATT] +>0 byte 0x1C [MBC5+RUMBLE] +>0 byte 0x1D [MBC5+RUMBLE+SRAM] +>0 byte 0x1E [MBC5+RUMBLE+SRAM+BATT] +>0 byte 0xFC [Pocket Camera] +>0 byte 0xFD [Bandai TAMA5] +>0 byte 0xFE [Hudson HuC-3] +>0 byte 0xFF [Hudson HuC-1] + +# ROM size +0 name gameboy-rom-size +>0 byte 0 \b, ROM: 256Kbit +>0 byte 1 \b, ROM: 512Kbit +>0 byte 2 \b, ROM: 1Mbit +>0 byte 3 \b, ROM: 2Mbit +>0 byte 4 \b, ROM: 4Mbit +>0 byte 5 \b, ROM: 8Mbit +>0 byte 6 \b, ROM: 16Mbit +>0 byte 7 \b, ROM: 32Mbit +>0 byte 0x52 \b, ROM: 9Mbit +>0 byte 0x53 \b, ROM: 10Mbit +>0 byte 0x54 \b, ROM: 12Mbit + +# RAM size +0 name gameboy-ram-size +>0 byte 1 \b, RAM: 16Kbit +>0 byte 2 \b, RAM: 64Kbit +>0 byte 3 \b, RAM: 256Kbit +>0 byte 4 \b, RAM: 1Mbit +>0 byte 5 \b, RAM: 512Kbit + +# Game Boy (Color) +0x104 bequad 0xCEED6666CC0D000B +>0x143 byte&0x80 0x80 Game Boy Color ROM image +!:mime application/x-gameboy-color-rom +>0x143 byte&0x80 !0x80 Game Boy ROM image +!:mime application/x-gameboy-rom +>0 use gameboy-title +>0 use gameboy-machine-type +>0x147 use gameboy-mapper +>0x148 use gameboy-rom-size +>0x149 use gameboy-ram-size + +# Analogue Pocket +0x104 bequad 0x0110CEEF000044AA +>0 byte x Analogue Pocket ROM image +!:mime application/x-analogue-pocket-rom +>0 use gameboy-title +>0 use gameboy-machine-type +>0x147 use gameboy-mapper 
+>0x148 use gameboy-rom-size +>0x149 use gameboy-ram-size #------------------------------------------------------------------------------ # genesis: file(1) magic for various Sega Mega Drive / Genesis ROM image and disc formats 
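Review bot: The new Game Boy routines use two different calling conventions and none of the `name` lines documents which one it expects. `gameboy-title` and `gameboy-machine-type` (defined in the previous hunk) use absolute header offsets such as `>0x143` and are called with `>0 use`. `gameboy-mapper`, `gameboy-rom-size` and `gameboy-ram-size` test `>0 byte` and must be called at `0x147`, `0x148` and `0x149`. A one-line comment above each would prevent a wrong base offset in future callers, for example `# call with offset of the cartridge-type byte (0x147)` above `0 name gameboy-mapper`. These three tables also print nothing for an unlisted value, so a `default` line like the one in `display-coff-processor` would make unknown mapper and size codes visible.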
@@ -210,45 +236,45 @@ # TODO: Check for 32X CD? # Sega Mega CD disc images: 2048-byte sectors. -0 string SEGADISCSYSTEM\ \ Sega Mega CD disc image +0 string SEGADISCSYSTEM\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors -0 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image +0 string SEGABOOTDISC\040\040\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors # Sega Mega CD disc images: 2352-byte sectors. -0x10 string SEGADISCSYSTEM\ \ Sega Mega CD disc image +0x10 string SEGADISCSYSTEM\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors -0x10 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image +0x10 string SEGABOOTDISC\040\040\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors # Sega Mega Drive: Identify the system ID. 
0x100 string SEGA ->0x3C0 string MARS\ CHECK\ MODE Sega 32X ROM image +>0x3C0 string MARS\040CHECK\040MODE Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header ->0x104 string \ PICO Sega Pico ROM image +>0x104 string \040PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string TOYS\ PICO Sega Pico ROM image +>0x104 string TOYS\040PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string \ TOYS\ PICO Sega Pico ROM image +>0x104 string \040TOYS\040PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string \ IAC Sega Pico ROM image +>0x104 string \040IAC Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string \ TERA68K Sega Teradrive (68K) ROM image +>0x104 string \040TERA68K Sega Teradrive (68K) ROM image !:mime application/x-sega-teradrive-rom >>0 use sega-mega-drive-header ->0x104 string \ TERA286 Sega Teradrive (286) ROM image +>0x104 string \040TERA286 Sega Teradrive (286) ROM image !:mime application/x-sega-teradrive-rom >>0 use sega-mega-drive-header >0x180 string BR Sega Mega CD Boot ROM image 
@@ -259,23 +285,23 @@ >>0 use sega-mega-drive-header # Sega Mega Drive: Some ROMs have "SEGA" at 0x101, not 0x100. -0x100 string \ SEGA Sega Mega Drive / Genesis ROM image +0x100 string \040SEGA Sega Mega Drive / Genesis ROM image >0 use sega-mega-drive-header # Sega Pico ROMs that don't start with "SEGA". -0x100 string SAMSUNG\ PICO Samsung Pico ROM image +0x100 string SAMSUNG\040PICO Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header -0x100 string IMA\ IKUNOUJYUKU Samsung Pico ROM image +0x100 string IMA\040IKUNOUJYUKU Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header -0x100 string IMA IKUNOJYUKU Samsung Pico ROM image +0x100 string IMA\040IKUNOJYUKU Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header # Sega Picture Magic (modified 32X) -0x100 string Picture\ Magic ->0x3C0 string PICTURE MAGIC-01 Sega 32X ROM image +0x100 string Picture\040Magic +>0x3C0 string PICTURE\040MAGIC-01 Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header 
@@ -314,59 +340,59 @@ # The SMS boot ROM checks the header at three locations. 0 name sega-master-system-rom-header # Machine type. ->0x0F byte&0xF0 0x30 Sega Master System +>0x0F ubyte&0xF0 0x30 Sega Master System !:mime application/x-sms-rom ->0x0F byte&0xF0 0x40 Sega Master System +>0x0F ubyte&0xF0 0x40 Sega Master System !:mime application/x-sms-rom ->0x0F byte&0xF0 0x50 Sega Game Gear +>0x0F ubyte&0xF0 0x50 Sega Game Gear !:mime application/x-gamegear-rom ->0x0F byte&0xF0 0x60 Sega Game Gear +>0x0F ubyte&0xF0 0x60 Sega Game Gear !:mime application/x-gamegear-rom ->0x0F byte&0xF0 0x70 Sega Game Gear +>0x0F ubyte&0xF0 0x70 Sega Game Gear !:mime application/x-gamegear-rom >0x0F default x Sega Master System / Game Gear !:mime application/x-sms-rom >0 byte x ROM image: # Product code. ->0x0E byte&0xF0 0x10 1 ->0x0E byte&0xF0 0x20 2 ->0x0E byte&0xF0 0x30 3 ->0x0E byte&0xF0 0x40 4 ->0x0E byte&0xF0 0x50 5 ->0x0E byte&0xF0 0x60 6 ->0x0E byte&0xF0 0x70 7 ->0x0E byte&0xF0 0x80 8 ->0x0E byte&0xF0 0x90 9 ->0x0E byte&0xF0 0xA0 10 ->0x0E byte&0xF0 0xB0 11 ->0x0E byte&0xF0 0xC0 12 ->0x0E byte&0xF0 0xD0 13 ->0x0E byte&0xF0 0xE0 14 ->0x0E byte&0xF0 0xF0 15 +>0x0E ubyte&0xF0 0x10 1 +>0x0E ubyte&0xF0 0x20 2 +>0x0E ubyte&0xF0 0x30 3 +>0x0E ubyte&0xF0 0x40 4 +>0x0E ubyte&0xF0 0x50 5 +>0x0E ubyte&0xF0 0x60 6 +>0x0E ubyte&0xF0 0x70 7 +>0x0E ubyte&0xF0 0x80 8 +>0x0E ubyte&0xF0 0x90 9 +>0x0E ubyte&0xF0 0xA0 10 +>0x0E ubyte&0xF0 0xB0 11 +>0x0E ubyte&0xF0 0xC0 12 +>0x0E ubyte&0xF0 0xD0 13 +>0x0E ubyte&0xF0 0xE0 14 +>0x0E ubyte&0xF0 0xF0 15 # If the product code is 5 digits, we'll need to backspace here. ->0x0E byte&0xF0 !0 ->>0x0C leshort x \b%04x ->0x0E byte&0xF0 0 ->>0x0C leshort x %04x +>0x0E ubyte&0xF0 !0 +>>0x0C uleshort x \b%04x +>0x0E ubyte&0xF0 0 +>>0x0C uleshort x %04x # Revision. ->0x0E byte&0x0F x (Rev.%02d) +>0x0E ubyte&0x0F x (Rev.%02d) # ROM size. (Used for the boot ROM checksum routine.) 
->0x0F byte&0x0F 0x0A (8 KB) ->0x0F byte&0x0F 0x0B (16 KB) ->0x0F byte&0x0F 0x0C (32 KB) ->0x0F byte&0x0F 0x0D (48 KB) ->0x0F byte&0x0F 0x0E (64 KB) ->0x0F byte&0x0F 0x0F (128 KB) ->0x0F byte&0x0F 0x00 (256 KB) ->0x0F byte&0x0F 0x01 (512 KB) ->0x0F byte&0x0F 0x02 (1 MB) +>0x0F ubyte&0x0F 0x0A (8 KB) +>0x0F ubyte&0x0F 0x0B (16 KB) +>0x0F ubyte&0x0F 0x0C (32 KB) +>0x0F ubyte&0x0F 0x0D (48 KB) +>0x0F ubyte&0x0F 0x0E (64 KB) +>0x0F ubyte&0x0F 0x0F (128 KB) +>0x0F ubyte&0x0F 0x00 (256 KB) +>0x0F ubyte&0x0F 0x01 (512 KB) +>0x0F ubyte&0x0F 0x02 (1 MB) # SMS/GG header locations. -0x7FF0 string TMR\ SEGA +0x7FF0 string TMR\040SEGA >0x7FF0 use sega-master-system-rom-header -0x3FF0 string TMR\ SEGA +0x3FF0 string TMR\040SEGA >0x3FF0 use sega-master-system-rom-header -0x1FF0 string TMR\ SEGA +0x1FF0 string TMR\040SEGA >0x1FF0 use sega-master-system-rom-header #------------------------------------------------------------------------------ @@ -384,12 +410,12 @@ >>0x2A byte 0 \b) # 2048-byte sector version. -0 string SEGA\ SEGASATURN\ Sega Saturn disc image +0 string SEGA\040SEGASATURN\040 Sega Saturn disc image !:mime application/x-saturn-rom >0 use sega-saturn-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. -0x10 string SEGA\ SEGASATURN\ Sega Saturn disc image +0x10 string SEGA\040SEGASATURN\040 Sega Saturn disc image !:mime application/x-saturn-rom >0x10 use sega-saturn-disc-header >0 byte x (2352-byte sectors) @@ -410,12 +436,12 @@ >>0x4A byte 0 \b) # 2048-byte sector version. -0 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image +0 string SEGA\040SEGAKATANA\040 Sega Dreamcast disc image !:mime application/x-dc-rom >0 use sega-dreamcast-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. -0x10 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image +0x10 string SEGA\040SEGAKATANA\040 Sega Dreamcast disc image !:mime application/x-dc-rom >0x10 use sega-dreamcast-disc-header >0 byte x (2352-byte sectors) 
@@ -509,7 +535,7 @@ # - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp # - https://www.devrs.com/ngp/files/ngpctech.txt # -0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket +0x0A string BY\040SNK\040CORPORATION Neo Geo Pocket !:mime application/x-neo-geo-pocket-rom >0x23 byte 0x10 Color >0 byte x ROM image @@ -524,7 +550,7 @@ #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : -0 string PS-X\ EXE Sony Playstation executable +0 string PS-X\040EXE Sony Playstation executable >16 lelong x PC=%#08x, >20 lelong !0 GP=%#08x, >24 lelong !0 .text=[%#08x, @@ -544,6 +570,19 @@ 0 string CPE CPE executable >3 byte x (version %d) +# Sony PlayStation archive (PSARC) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.psdevwiki.com/ps3/PlayStation_archive_(PSARC) +0 string PSAR Sony PlayStation Archive +!:ext psarc +>4 ubeshort x \b, version %d. +>6 ubeshort x \b%d +>8 string zlib \b, zlib compression +>8 string lzma \b, LZMA compression +>28 ubeshort&2 0 \b, relative paths +>28 ubeshort&2 2 \b, absolute paths +>28 ubeshort&1 1 \b, ignore case + #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>) 0 string XBEH Microsoft Xbox executable 
@@ -684,12 +723,25 @@ >6 string BS93 Lynx homebrew cartridge !:mime application/x-atari-lynx-rom >>2 beshort x \b, RAM start $%04x +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml +# Note: called "Atari Lynx ROM" by TrID 0 string LYNX Lynx cartridge !:mime application/x-atari-lynx-rom +!:ext lnx +# bank 0 page size like: 128 256 512 >4 leshort/4 >0 \b, bank 0 %dk >6 leshort/4 >0 \b, bank 1 %dk +# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX" >10 string >\0 \b, "%.32s" +# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin" >42 string >\0 \b, "%.16s" +# version number +#>8 leshort !1 \b, version number %u +# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx +>58 ubyte >0 \b, rotation %u +# spare +#>59 lelong !0 \b, spare %#x # Opera file system that is used on the 3DO console # From: Serge van den Boom <svdb@stack.nl> @@ -697,17 +749,54 @@ # From: Alex Myczko <alex@aiei.ch> # 
From: David Pflug <david@pflug.email> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Game_Boy_Sound +# http://en.wikipedia.org/wiki/Game_Boy_Sound_System +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/gbs.trid.xml +# Note: called "GameBoy Sound System dump" by TrID, +# "Gameboy GBS rom image" by X11 Gameboy sound player xgbsplay and +# verified by gbsplay `LANG=C gbsinfo /usr/share/doc/gbsplay/examples/nightmode.gbs` # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic -# ftp://ftp.modland.com/pub/documents/format_documentation/\ +# http://ftp.modland.com/pub/documents/format_documentation/\ # Gameboy%20Sound%20System%20(.gbs).txt -0 string GBS Nintendo Gameboy Music/Audio Data -#12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module +# skip Grand Theft Auto 2 Style data (*.sty via sty-gta2.trid.xml) and Opera (*.patch) by check for valid "low" version +0 string GBS\001 Nintendo Gameboy Music/Audio Data +!:mime audio/x-nintendo-gbs +# by gbsplay or xgbsplay tools +#!:mime audio/gbs +#!:mime audio/prs.gbs +!:ext gbs +# fields are right null-filled; no terminating \0 if all bytes are used; if field unknown, should be set to a single ? +# title string like: "Blues Brothers" "Bugs Bunny Crazy Castle 3" +#12 string GameBoy\040Music\040Module Nintendo Gameboy Music Module >16 string >\0 ("%.32s" by +# author string like: <?>, by Laxity, Justin Muir, 1993 Ocean >48 string >\0 %.32s, copyright ->80 string >\0 %.32s), ->3 byte x version %u, ->4 byte x %u tracks +# copyright string like: empty "1991 Titus" "2001 Imagineer/KT.Kodansha/P&B" "2000 Newline, Ubisoft, D. Eclip." 
+>80 string >\0 %.32s +# GBSVersion; 1 +#>3 byte !1 version %u, +# number of songs (1-255) +>4 ubyte x \b), %u track +# plural s +>4 ubyte >1 \bs +# default subsong; like: 1 (often) 2 29 60 79 82 +>5 ubyte !1 \b, %u first +# load address (400h-7fffh) +>6 uleshort x \b, load address %#4.4x +# init address (400h-7fffh) +>8 uleshort x \b, init address %#4.4x +# play address (400-7fffh) +>10 uleshort x \b, play address %#4.4x +# stack pointer; like: FFFEh (default) CFFFh DCFEh DDFEh DDFFh DEFFh E000h FFF4h +>12 uleshort x \b, stack pointer %#4.4x +# timer modulo; often 0 +>14 ubyte !0 \b, timer modulo %#x +# timer control; often 0 +>15 ubyte !0 \b, timer control %#x +# code and Data (see RST VECTORS) +#>0x70 ubequad x \b, data %#16.16llx... # IPS Patch Files from: From: Thomas Klausner <tk@giga.or.at> # see https://zerosoft.zophar.net/ips.php @@ -760,6 +849,59 @@ >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s +# Compressed ISO disc image (used mostly by PSP, PS2 and MegaDrive) +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/.CSO +# NOTE: This is NOT the same as Compact ISO or GameCube/Wii disc image, +# though it has the same magic number. +0 string CISO +# Match CISO version 1 with ISO-9660 sector size +>20 ubyte <2 +>>16 ulelong =2048 CSO v1 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>8 ulequad x \b, original size %llu bytes +>>>16 ulelong x \b, datablock size %u bytes +# Match CISO version 2 +>20 ubyte =2 +>>22 uleshort =0 +>>>4 ulelong =24 CSO v2 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>>8 ulequad x \b, original size %llu bytes +>>>>16 ulelong x \b, datablock size %u bytes +# Type: Nintendo GameCube/Wii disc image (CISO format) +# NOTE: This is NOT the same as Compact ISO or PSP CISO, +# though it has the same magic number. +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong 0x200000 +>>8 byte 1 +>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common +>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common +# .cso files +# Reference: https://pismotec.com/ciso/ciso.h +# NOTE: There are two other formats with the same magic but +# completely incompatible specifications: +# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h +# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - 0x10 == 0x00004000: For >2GB files using maxcso... 
+# https://github.com/unknownbrackets/maxcso/issues/26 +# - None of the above: Compact ISO. +>4 lelong !0 +>>4 lelong !0x200000 +>>>16 lelong !0x800 +>>>>16 lelong !0x4000 Compressed ISO CD image + # From: Daniel Dawson <ddawson@icehouse.net> # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording @@ -870,22 +1012,6 @@ !:mime application/x-wii-rom >>0x200 use nintendo-gcn-disc-common -# Type: Nintendo GameCube/Wii disc image (CISO format) -# NOTE: This is NOT the same as Compact ISO or PSP CISO, -# though it has the same magic number. -0 string CISO -# Other fields are used to determine what type of CISO this is: -# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) -# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) -# - None of the above: Compact ISO. ->4 lelong 0x200000 ->>8 byte 1 ->>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): -!:mime application/x-wii-rom ->>>>0x8000 use nintendo-gcn-disc-common ->>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): -!:mime application/x-wii-rom ->>>>0x8000 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (GCZ format) # Due to zlib compression, we can't get the actual disc information. @@ -1085,7 +1211,7 @@ # The header is terminated with a 0, so that will # terminate the title as well. # -0 string g\ GCE Vectrex ROM image +0 string g\040GCE Vectrex ROM image >0x11 string >\0 \b: "%.16s" #------------------------------------------------------------------------------ @@ -1165,8 +1291,8 @@ # From: David Korth <gerbilsoft@gerbilsoft.com> # References: # - https://problemkaputt.de/fullsnes.htm#snescartsufamiturbominicartridgeadaptor -0 string BANDAI\ SFC-ADX ->0x10 string !SFC-ADX\ BACKUP Sufami Turbo ROM image: +0 string BANDAI\040SFC-ADX +>0x10 string !SFC-ADX\040BACKUP Sufami Turbo ROM image: >>0x10 string/T x "%.14s" >>0x30 byte x \b, ID %02X >>0x31 byte x \b%02X 
@@ -1176,3 +1302,77 @@ >>0x34 ubyte 1 [FastROM] >>0x35 ubyte 1 [SRAM] >>0x35 ubyte 3 [Special] + +#------------------------------------------------------------------------------ +# Type: Super NES ROM image +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# Reference: https://snes.nesdev.org/wiki/ROM_header +0 name snes-rom-hdr +# cartridge title is encoded in JIS X 0201, 21 chars padded with spaces +>0 ubyte-0x20 <0xC0 +>>1 ubyte-0x20 <0xC0 +>>>2 ubyte-0x20 <0xC0 +>>>>3 ubyte-0x20 <0xC0 +>>>>>4 ubyte-0x20 <0xC0 +>>>>>>5 ubyte-0x20 <0xC0 +>>>>>>>6 ubyte-0x20 <0xC0 +>>>>>>>>7 ubyte-0x20 <0xC0 +>>>>>>>>>8 ubyte-0x20 <0xC0 +>>>>>>>>>>9 ubyte-0x20 <0xC0 +>>>>>>>>>>>10 ubyte-0x20 <0xC0 +>>>>>>>>>>>>21 ubyte-0x20 <0xC0 Super NES ROM image +>>>>>>>>>>>>>0 string/21/T x "%s" +>>>>>>>>>>>>>25 byte 0 (Japan) +>>>>>>>>>>>>>25 byte 1 (USA) +>>>>>>>>>>>>>25 byte 2 (Europe) +>>>>>>>>>>>>>25 byte 6 (France) +>>>>>>>>>>>>>25 byte 7 (Netherlands) +>>>>>>>>>>>>>25 byte 9 (Germany) +>>>>>>>>>>>>>25 byte 10 (Brazil) +>>>>>>>>>>>>>27 byte >0 (Rev.%02u) +>>>>>>>>>>>>>21 byte&0xF 0x0 \b, LoROM +>>>>>>>>>>>>>21 byte&0xF 0x1 \b, HiROM +>>>>>>>>>>>>>21 byte&0x10 0x10 \b, FastROM +>>>>>>>>>>>>>23 byte 8 \b, ROM size: 256KB +>>>>>>>>>>>>>23 byte 9 \b, ROM size: 512KB +>>>>>>>>>>>>>23 byte 10 \b, ROM size: 1024KB +>>>>>>>>>>>>>23 byte 11 \b, ROM size: 2048KB +>>>>>>>>>>>>>23 byte 12 \b, ROM size: 4096KB +>>>>>>>>>>>>>24 byte 0 \b, RAM size: 1KB +>>>>>>>>>>>>>24 byte 1 \b, RAM size: 2KB +>>>>>>>>>>>>>24 byte 2 \b, RAM size: 4KB +>>>>>>>>>>>>>24 byte 3 \b, RAM size: 8KB +>>>>>>>>>>>>>24 byte 4 \b, RAM size: 16KB +>>>>>>>>>>>>>24 byte 5 \b, RAM size: 32KB +>>>>>>>>>>>>>24 byte 6 \b, RAM size: 64KB + +# header position for LoROM: $007FC0 +32725 ubyte&0xEF 0x20 +# ROM is <=4096KB, RAM is <=64KB and country<=10 +>32727 ubyte <13 +>>32728 ubyte <7 +>>>32729 ubyte <11 +>>>>32704 use snes-rom-hdr + +# HiROM header at $00FFC0 +65493 ubyte&0xEF 0x21 +# ROM is <=4096KB, RAM is <=64KB and country<=10 +>65495 ubyte <13 +>>65496 ubyte <7 +>>>65497 ubyte <11 +>>>>65472 use snes-rom-hdr + +#------------------------------------------------------------------------------ +# ancast: file(1) magic for Wii U firmware images, 
aka "ancast" images. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://wiiubrew.org/wiki/Ancast_image +0 ubelong 0xEFA282D9 Wii U firmware image: +>0x20 ubelong 2 ARM +>>0x1A4 ubelong 0x21 \b, NAND boot +>>0x1A4 ubelong 0x22 \b, SD boot +>>0x1A8 ubelong 1 \b, for devkits +>>0x1A8 ubelong 2 \b, for retail +>0x20 ubelong 1 PowerPC +>>0xA4 ubelong 0x11 \b, Wii U mode +>>0xA4 ubelong 0x12 \b, Wii mode diff --git a/contrib/file/magic/Magdir/crypto b/contrib/file/magic/Magdir/crypto index 72a90ace2829..910df8dd497b 100644 --- a/contrib/file/magic/Magdir/crypto +++ b/contrib/file/magic/Magdir/crypto 
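Review bot: In `snes-rom-hdr` the title validation checks offsets 0–10 and then jumps to offset 21, which is the map-mode byte both callers have already matched (32725 and 65493 are the header base plus 21), so that last test is always true and title bytes 11–20 are printed by `string/21/T` without being range-checked. Combined with a top-level test on a single masked byte and three loose range checks, this is a thin signature for any binary larger than 32 KB. If the intent was to validate the whole 21-byte title, the final check would sit on the title itself, e.g. `>>>>>>>>>>>>20 ubyte-0x20 <0xC0`, ideally with offsets 11–19 covered as well. The entry also has no `!:mime` line, unlike the Sega entries earlier in the same file.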
@@ -1,5 +1,49 @@ #------------------------------------------------------------------------------ -# $File: crypto,v 1.2 2021/03/27 20:15:53 christos Exp $ +# $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $ # crypto: file(1) magic for crypto formats # +# Bitcoin block files +0 lelong 0xD9B4BEF9 Bitcoin +>(4.l+40) lelong 0xD9B4BEF9 reverse block +>>4 lelong x \b, size %u +# normal block below +>0 default x block +>>4 lelong x \b, size %u +>>8 lelong&0xE0000000 0x20000000 +>>>8 lelong x \b, BIP9 0x%x +>>8 lelong&0xE0000000 !0x20000000 +>>>8 lelong x \b, version 0x%x +>>76 ledate x \b, %s UTC +# VarInt counter +>>88 ubyte <0xfd \b, txcount %u +>>88 ubyte 0xfd +>>>89 leshort x \b, txcount %u +>>88 ubyte 0xfe +>>>89 lelong x \b, txcount %u +>>88 ubyte 0xff +>>>89 lequad x \b, txcount %llu +!:ext dat +# option to find more blocks in the file +#>>(4.l+8) indirect x ; + +# LevelDB +-8 lequad 0xdb4775248b80fb57 LevelDB table data + +# http://www.tarsnap.com/scrypt.html +# see scryptenc_setup() in lib/scryptenc/scryptenc.c +0 string scrypt\0 scrypt encrypted file +>7 byte x \b, N=2**%d +>8 belong x \b, r=%d +>12 belong x \b, p=%d + +# https://age-encryption.org/ +# Only the first recipient is printed in detail to prevent repetitive output +# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ..."). +0 string age-encryption.org/v1\n age encrypted file +>25 regex/128 \^[^\040]+ \b, %s recipient +>>25 string scrypt +>>>&0 regex/64 [0-9]+\$ (N=2**%s) +>>&0 search/256 \n->\040 \b, among others + +0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored diff --git a/contrib/file/magic/Magdir/ctf b/contrib/file/magic/Magdir/ctf index d91684d18c40..0134b70b1d3c 100644 --- a/contrib/file/magic/Magdir/ctf +++ b/contrib/file/magic/Magdir/ctf 
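Review bot: The scrypt entry reads its cost parameters with signed types (`>7 byte`, `>8 belong`, `>12 belong`, all printed with `%d`), so a header whose logN, r or p has the high bit set is reported as a negative number. These are exactly the fields someone triaging an untrusted scrypt file wants to read accurately, since oversized values are the interesting case. The Sega Master System hunk in this same commit already moves `byte` to `ubyte` for the same reason; here the lines would become `>7 ubyte x \b, N=2**%u`, `>8 ubelong x \b, r=%u` and `>12 ubelong x \b, p=%u`.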
@@ -1,5 +1,6 @@ #-------------------------------------------------------------- +# $File: ctf,v 1.5 2024/06/10 23:09:52 christos Exp $ # ctf: file(1) magic for CTF (Common Trace Format) trace files # # Specs. available here: <https://www.efficios.com/ctf> diff --git a/contrib/file/magic/Magdir/database b/contrib/file/magic/Magdir/database index ee4b1cb98f9d..c4462f96675e 100644 --- a/contrib/file/magic/Magdir/database +++ b/contrib/file/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.66 2022/02/26 17:42:21 christos Exp $ +# $File: database,v 1.73 2024/11/09 19:54:36 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -387,8 +387,22 @@ >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 -# dBASE III DBT ->>>>>>>0 use dbase3-memo-print +# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod +>>>>>>>512 ubyte >040 +# skip with valid 1st item "rintf" keylayouts.mod +# by looking for valid terminating character Ctrl-Z like in test.dbt +>>>>>>>>513 search/3308 \032 +# skip GRUB plan9.mod with invalid second terminating character 007 +# by checking second terminating character Ctrl-Z like in test.dbt +>>>>>>>>>&0 ubyte 032 +# dBASE III DBT with two Ctr-Z terminating characters +>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod +>>>>>>>>>&0 ubyte 0 +# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 +>>>>>>>>>>0x1ad string !grub_mod_init +# like dbase-memo.dbt +>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF 
@@ -408,8 +422,27 @@ >>>>>>>>>0 ulelong <0x400000 # skip WinStore.App.exe by looking for printable 2nd character of 1st memo item >>>>>>>>>>513 ubyte >037 -# unusual dBASE III DBT like adressen.dbt ->>>>>>>>>>>0 use dbase3-memo-print +# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item +>>>>>>>>>>>512 ubyte >037 +# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 +>>>>>>>>>>>>512 ubyte <0377 +# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) +# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>513 search/523 \032 +# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character +#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o +# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt +>>>>>>>>>>>>>>&0 ubyte 032 +>>>>>>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>&0 ubyte 0 +# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" +>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show +# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt +>>>>>>>>>>>>>>>514 default x +# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes 
@@ -422,7 +455,19 @@ >>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character >>>>>>>>>>>>>513 ubyte >037 ->>>>>>>>>>>>>>0 use dbase3-memo-print +# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like +# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" +# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" +# "10586.494.amd64fre.th2_release_sec.160630-1736" +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>>513 search/0x11E \032 +# followed by second character Ctrl-Z implies typical DBT +>>>>>>>>>>>>>>>&0 ubyte 032 +# examples like: angest.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>>>&0 ubyte 0 +# no example found here with terminating sequence CTRL-Z + \0 +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 @@ -444,11 +489,16 @@ # no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u -# dBase III memo field terminated by \032\032 +# dBase III memo field terminated often by \032\032 # like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" # For DEBUGGING #>512 ubelong x \b, 1ST item %#8.8x +#>513 search/0x225 \032 FOUND_TERMINATOR +#>>&0 ubyte 032 2xCTRL_Z +# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte +#>>&0 ubyte 0 1xCTRL_Z + # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print @@ -690,13 +740,6 @@ >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data 
@@ -770,7 +813,9 @@ 0 string ZEC3 Zope Object Database Client Cache File (data) # IDA (Interactive Disassembler) database +0 string IDA0 IDA (Interactive Disassembler) database 0 string IDA1 IDA (Interactive Disassembler) database +0 string IDA2 IDA (Interactive Disassembler) database # Hopper (reverse engineering tool) https://www.hopperapp.com/ 0 string hopperdb Hopper database @@ -821,8 +866,31 @@ # Used by older versions of Mozilla Suite and Firefox, # and current versions of Thunderbird. # From: David Korth <gerbilsoft@gerbilsoft.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Mork +# https://en.wikipedia.org/wiki/Mork_(file_format) +# Note: called "Mork" by DROID via fmt/612 0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database +# display Mozilla Mork database (strength=260=260+0) before "exported SGML document" (strength=28=38-10) via ./sgml +#!:strength +0 +#!:mime text/plain +!:mime text/x-mozilla-mork +# version like 1.4 >23 string x \b, version %.3s +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/msf.trid.xml +# Note: called "Mozilla Mail Summary file" by TrID +>26 search/7516 mailboxName \b, Mail Summary file +# like: Archives.msf Drafts.msf INBOX.msf Junk.msf Sent.msf Templates.msf Trash.msf +!:ext msf +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mab.trid.xml +# Note: called "Mozilla Address Book" by TrID +>26 search/192 addrbk \b, Address Book +!:ext mab +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-mork.trid.xml +# Note: called "Mozilla Mail folder cache" by TrID +>26 search/210 indexingPriority \b, Mail folder cache +# panacea.dat +!:ext dat # URL: https://en.wikipedia.org/wiki/Management_Information_Format # Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf 
@@ -834,3 +902,10 @@ !:mime text/x-dmtf-mif !:ext mif +# https://github.com/boltdb/bolt +# https://github.com/etcd-io/bbolt +# See magic value here: https://github.com/boltdb/bolt/blob/fd01fc79c553a8e99d512a07e8e0c63d4a3ccfc5/db.go#L24 +# The magic value is written according to endianess of the host, +# so we check both to detect them also on hosts with differnet endianess +16 lelong 0xED0CDAED BoltDB database +16 belong 0xED0CDAED BoltDB database, big-endian diff --git a/contrib/file/magic/Magdir/dataone b/contrib/file/magic/Magdir/dataone index 566633eff22c..ac32a04b17cd 100644 --- a/contrib/file/magic/Magdir/dataone +++ b/contrib/file/magic/Magdir/dataone @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dataone,v 1.3 2022/04/18 21:38:10 christos Exp $ +# $File: dataone,v 1.4 2024/08/27 19:17:10 christos Exp $ # # DataONE- files from Dave Vieglais <dave.vieglais@gmail.com> & # Pratik Shrivastava <pratikshrivastava23@gmail.com> @@ -11,6 +11,11 @@ # EML (Ecological Metadata Language Format) 0 string \<?xml\ version= >&0 regex/1024 eml-[0-9]\\.[0-9]\\.[0-9]+ eml://ecoinformatics.org/%s +# Object Reuse and Exchange Vocabulary +>&0 search/1024 rdf +>>&0 search/1024 openarchives https://www.openarchives.org/ore/terms +!:mime application/rdf+xml + # onedcx (DataONE Dublin Core Extended v1.0) >&0 regex/1024 onedcx/v[0-9]\\.[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0 @@ -34,12 +39,6 @@ !:mime text/xml -# Object Reuse and Exchange Vocabulary -0 string \<?xml\ version= ->&0 search/1024 rdf ->>&0 search/1024 openarchives https://www.openarchives.org/ore/terms -!:mime application/rdf+xml - # Dryad Metadata Application Profile Version 3.1 0 string <DryadData diff --git a/contrib/file/magic/Magdir/der b/contrib/file/magic/Magdir/der index d8a21cd57ef7..3bc2e38aa950 100644 --- a/contrib/file/magic/Magdir/der +++ b/contrib/file/magic/Magdir/der 
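Review bot: Both BoltDB entries match on the 32-bit value at offset 16 alone, which is a weak signature for a top-level test and will label unrelated binaries that happen to carry those four bytes. If the meta page stores a 32-bit format version directly after the magic, as the referenced db.go suggests (to be confirmed there), testing it would cut false positives: leave the magic line without a description and print from `>20 lelong 2 BoltDB database` and `>20 belong 2 BoltDB database, big-endian`. The added comment also has two typos, `endianess` and `differnet`.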
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.4 2021/03/14 17:12:04 christos Exp $ +# $File: der,v 1.6 2023/01/11 23:59:49 christos Exp $ # der: file(1) magic for DER encoded files # @@ -110,9 +110,9 @@ >>>>&0 der seq >>>>>&0 der obj_id9=2a864886f70d010901 >>>>>&0 der ia5_str=x \b, emailAddress=%s ->>&0 der seq ->>>&0 der utc_time=x \b, utcTime=%s ->>>&0 der utc_time=x \b, utcTime=%s +#>>&0 der seq +#>>>&0 der utc_time=x \b, utcTime=%s +#>>>&0 der utc_time=x \b, utcTime=%s >>&0 use certinfo 0 der seq @@ -129,11 +129,18 @@ >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der utf8_str=x \b, Issuer=%s ->>&0 der seq ->>>&0 der utc_time=x \b, not-valid-before=%s ->>>&0 der utc_time=x \b, not-valid-after=%s +#>>&0 der seq +#>>>&0 der utc_time=x \b, not-valid-before=%s +#>>>&0 der utc_time=x \b, not-valid-after=%s >>&0 der seq >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der utf8_str=x \b, Subject=%s + +# PKCS#7 Signed Data (e.g. JAR Signature Block File) +# OID 1.2.840.113549.1.7.2 (2a864886f70d010702) +# Reference: https://www.rfc-editor.org/rfc/rfc2315 +0 der seq +>&0 der obj_id9=2a864886f70d010702 DER Encoded PKCS#7 Signed Data +!:ext RSA/DSA/EC diff --git a/contrib/file/magic/Magdir/diff b/contrib/file/magic/Magdir/diff index a6124e3f703b..f894ab00b890 100644 --- a/contrib/file/magic/Magdir/diff +++ b/contrib/file/magic/Magdir/diff 
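Review bot: The `utc_time` lines are commented out in both certificate hunks (`@@ -110,9` and `@@ -129,11`) with no comment saying why, so certificate descriptions silently lose their validity dates and the file keeps six lines of dead magic. A one-line explanation above each disabled block, for example `# validity disabled: <reason>; certificates may use generalized time instead of utc_time`, would tell the next maintainer whether this is a temporary workaround. It is also worth confirming against a sample certificate that the following `>>&0 der seq` / `der set` Subject branch in the second hunk still lines up now that the validity SEQUENCE is no longer consumed before it; I cannot tell that from the hunk alone.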
@@ -1,33 +1,142 @@ #------------------------------------------------------------------------------ -# $File: diff,v 1.17 2020/08/22 18:16:58 christos Exp $ +# $File: diff,v 1.21 2024/07/13 14:47:09 christos Exp $ # diff: file(1) magic for diff(1) output # +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Diff +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/diff.trid.xml +# Note: called "diff output text" by TrID and +# "Differences between files" by shared MIME-info database from freedesktop.org +# According to shared MIME-info database also tabulator character instead of space character and +# by TrID minus character after space character 0 search/1 diff\040 diff output text +# diff output text (strength=40=40+0) after unified diff output (strength=131=38+93) +#!:strength +0 !:mime text/x-diff +#!:mime text/x-patch +!:ext diff/patch +# no short named pch dif examples found +#!:ext diff/patch/dif/pch +# URL: https://en.wikipedia.org/wiki/Diff_utility#Context_format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/diff-context.trid.xml +# Note: called "context diff output" by TrID +# and "Differences between files" by shared MIME-info database from freedesktop.org 0 search/1 ***\040 +# context diff output text (strength=42=38+4) before +# C source (strength=41,39,37) exported SGML document (strength=39,28) +!:strength +4 >&0 search/1024 \n---\040 context diff output text !:mime text/x-diff +#!:mime text/x-patch +!:ext diff/patch +# no short named pch dif examples found +#!:ext diff/patch/dif/pch 0 search/1 Only\040in\040 diff output text +# diff output text output text (strength=38=38+0) after unified diff output (strength=131=38+93) +#!:strength +0 !:mime text/x-diff +#!:mime text/x-patch +!:ext diff 0 search/1 Common\040subdirectories:\040 diff output text !:mime text/x-diff +# URL: https://en.wikipedia.org/wiki/Diff#Extensions +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/diff-rcs.trid.xml +# Note: 
called "RCS/CVS diff output" by TrID +# and "Differences between files" by shared MIME-info database from freedesktop.org 0 search/1 Index: RCS/CVS diff output text +# RCS/CVS diff output text (strength=36=36+0) after unified diff output (strength=131=38+93) +#!:strength +0 !:mime text/x-diff +#!:mime text/x-patch +!:ext diff/patch # bsdiff: file(1) magic for bsdiff(1) output -0 string/b BSDIFF40 bsdiff(1) patch file +# Update: Joerg Jenderek +# URL: http://www.daemonology.net/bsdiff/ +# Reference: https://github.com/cperciva/bsdiff/blob/master/bsdiff-ra/FORMAT +# http://mark0.net/download/triddefs_xml.7z/defs/b/bsdiff.trid.xml +# Note: called "bsdiff patch" by TrID and and "BSDIFF" version 4.0 by DROID via PUID fmt/439 and +# "Binary differences between files" by shared MIME-info database from freedesktop.org +0 string/b BSDIFF40 +# skip DROID fmt-439-signature-id-672.bsdiff with invalid new file segment length 0 +>16 long !0 bsdiff(1) patch file +#!:mime application/octet-stream +!:mime application/x-bsdiff +!:ext bsdiff +# new file length +#>>8 lequad x \b, new length %lld +# new file segment length +#>>16 lelong x \b, new segment length %d +# compressed header block length +#>>20 lelong !0 \b, compressed header length %d +# patch data block length +#>>24 lequad x \b, data length %lld +# look for bzip data by ./compress after message with 1 space at end +>>0x20 indirect x \b, at 0x20 +# 
From: Joerg Jenderek +# URL: https://www.chromium.org/developers/design-documents/software-updates-courgette/ +# Reference: https://github.com/adobe/chromium/blob/master/courgette/third_party/bsdiff.h +# http://mark0.net/download/triddefs_xml.7z/defs/b/bsdiff-chrome.trid.xml +# Note: called "Courgette Binary Diff output" by TrID +# the Courgette bsdiff tool use a total different file format compared with BSD variant from Colin Percival +0 string/b GBSDIF42 Courgette binary diff output +#!:mime application/octet-stream +!:mime application/x-patch +!:ext patch/bsdiff +# slen; length of the file to be patched +#>8 ubelong x \b, source length %u +# scrc32; CRC32 of the file to be patched +>12 ubelong x \b, crc %#8.8x +# dlen; length of the result file +#>16 ubelong x \b, result length %u +# cblen; length of the control block +#>20 ubelong x \b, control length %u +# difflen; length of the diff block +#>24 ubelong x \b, patch length %u +# extralen; length of the extra block +#>28 ubelong x \b, extra length %u # unified diff -0 search/4096 ---\040 ->&0 search/1024 \n ->>&0 search/1 +++\040 ->>>&0 search/1024 \n ->>>>&0 search/1 @@ unified diff output text +# URL: http://fileformats.archiveteam.org/wiki/Unified_diff +# https://en.wikipedia.org/wiki/Diff_utility#Unified_format +# Reference: https://www.artima.com/weblogs/viewpost.jsp?thread=164293 +# http://mark0.net/download/triddefs_xml.7z/defs/d/diff-unified.trid.xml +# Note: called "unified diff output" by TrID and +# "Differences between files" by shared MIME-info database from freedesktop.org +# use b flag to forces the test to be done for binary files (non ASCII text like with Ctrl-D Ctrl-V Ctrl-Z) +0 search/4096/b ---\040 +!:strength + 93 +>0 use diff-unified +# most samples are just pure ASCII text like: ShellR64.patch +0 search/11054 ---\040 +# unified diff (strength=131=38+93) before +# HTML document text (strength=170,90,71,53,52,51,49) POSIX shell script (fix-qt5.6-build.patch strength=130 ./commands) +# 
JavaScript source (strength=112,84,81,80,79,78,72,69) C++ source (strength=71,70,69,68,67,54), +# Python script (strength=69,67,63,60,58,57,56,54,52,37)LaTeX document text (strength=62,56,55,51,43) +# TeX document (strength=51,38) C source (strength=41,39,37) +# exported SGML document (strength=39,28) diff output text (strength=38=38+0) +# Pascal source (strength=37) RCS/CVS diff (strength=36=36+0), +# Algol 68 source (strength=?) CSV ASCII text (strength=?) +!:strength + 93 +>0 use diff-unified +# check for 3 characteristic lines of unified diff +0 name diff-unified +>0 search/11084 +++\040 +>>&0 search/1024 \n +# at signs line sometimes other (with 2 space chars before) like: indent-header.patch +>>>&0 search/2 @@\040- unified diff output text !:mime text/x-diff -!:strength + 90 +#!:mime text/x-patch +# https://file-extension.net/seeker/file_extension_dif file_extension_pch file_extension_rej +!:ext diff/patch/dif/pch/rej +# GRR: mainly for debugging purpose for variants with text before real diff output +>>>>0 string !---\040 +>>>>>0 string x \b, 1st line "%s" +>>>>>>&1 string x \b, 2nd line "%s" +>>>>>>>&1 string x \b, 3rd line "%s" # librsync -- the library for network deltas # diff --git a/contrib/file/magic/Magdir/digital b/contrib/file/magic/Magdir/digital index b2753b989859..55d06c139953 100644 --- a/contrib/file/magic/Magdir/digital +++ b/contrib/file/magic/Magdir/digital @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: digital,v 1.12 2021/07/03 14:01:46 christos Exp $ +# $File: digital,v 1.17 2024/08/30 16:53:22 christos Exp $ # Digital UNIX - Info # 0 string =!<arch>\n________64E Alpha archive 
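Review bot: The new `diff-unified` subroutine is looser than the rule it replaces: `>0 search/11084 +++\040` starts again from offset 0 instead of continuing from the `---\040` match, and neither search is tied to the start of a line. Any text that contains `--- ` somewhere in its first 11 KB and a `+++ ` line followed by `@@ -` therefore matches, and `!:strength + 93` ranks that result above the shell, Python and JavaScript entries listed in the comment. A script that merely embeds a patch is then reported as `text/x-diff`, which matters to anything that filters or routes files on the MIME type from file(1). At minimum this should be stated next to the strength line, e.g. `# NOTE: matches a patch embedded anywhere in the first ~11 KB, not only a file that starts with one`; anchoring the `+++ ` search relative to the `--- ` match would narrow it.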
@@ -10,7 +10,12 @@ 0 leshort 0603 >24 leshort 0410 COFF format alpha pure >24 leshort 0413 COFF format alpha demand paged +# TODO: use other subroutine (./coff) to display name+flags+variables for common object formatted files +#>0 use display-coff-foo >>22 leshort&030000 !020000 executable +#!:mime application/x-foo-executable +# typically no file name suffix for executables like \DEC\HH\HYPERHLP +!:ext / >>22 leshort&020000 !0 dynamically linked >>16 lelong !0 not stripped >>16 lelong 0 stripped @@ -23,6 +28,19 @@ >>26 byte x \b.%d >>28 byte x \b-%d +# Alpha COFF object file or executable +0 leshort 0x0184 +>16 leshort 0 +>>0 use display-coff +# can be created by LINK.EXE /MACHINE:ALPHA /ROM +>16 leshort !0 +>>18 leshort &0x0002 +>>>20 leshort 0x0107 +>>>>0 use display-coff +0 leshort 0x0284 +>16 leshort 0 +>>0 use display-coff + # Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk> # # The actual magic number is just "Core", followed by a 2-byte version diff --git a/contrib/file/magic/Magdir/dsf b/contrib/file/magic/Magdir/dsf deleted file mode 100644 index e6c4b6e3e059..000000000000 --- a/contrib/file/magic/Magdir/dsf +++ /dev/null 
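Review bot: The second top-level test added in the `@@ -23,6 +28,19 @@` hunk, `0 leshort 0x0284`, has no comment, while the `0x0184` test above it is introduced as "Alpha COFF object file or executable". Both rest on a two-byte value plus `>16 leshort 0` before handing off to `display-coff`, which is defined outside this file, so a reader cannot tell from here what separates the two. I would add a line above it such as `# 0x0284: presumably the 64-bit Alpha (AXP64) machine type; confirm against ./coff`.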
@@ -1,25 +0,0 @@ - -#------------------------------------------------------------ -# $File: dsf,v 1.1 2022/01/08 16:29:18 christos Exp $ -# dsf: file(1) magic for DSD Stream File -# URL: https://en.wikipedia.org/wiki/Direct_Stream_Digital -# Reference: https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf -0 string DSD\x20 DSD Stream File, ->0x30 leshort 1 mono, ->0x30 leshort 2 stereo, ->0x30 leshort 3 three-channel, ->0x30 leshort 4 quad-channel, ->0x30 leshort 5 3.1 4-channel, ->0x30 leshort 6 five-channel, ->0x30 leshort 7 5.1 surround, ->0x30 default x ->>0x30 leshort x unknown channel format (%d), ->0x38 lelong 2822400 simple-rate, ->0x38 lelong 5644800 double-rate, ->0x38 default x ->>0x38 lelong x %d Hz, ->0x3c leshort 1 1 bit, ->0x3c leshort 8 8 bit, ->0x3c default x ->>0x3c leshort x %d bit, ->0x40 lelong x %d samples diff --git a/contrib/file/magic/Magdir/dwarfs b/contrib/file/magic/Magdir/dwarfs new file mode 100644 index 000000000000..3700a33c5d7a --- /dev/null +++ b/contrib/file/magic/Magdir/dwarfs @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: dwarfs,v 1.2 2023/05/23 13:37:32 christos Exp $ +# dwarfs: file(1) magic for DwarFS File System Image files +# URL: https://github.com/mhx/dwarfs for details about DwarFS +# 
From: Marcus Holland-Moritz <github@mhxnet.de> + +#### DwarFS Version Macro +0 name dwarfsversion +>&0 byte x \b, version %d +>&1 byte x \b.%d + +#### DwarFS Compression Macro +0 name dwarfscompression +>&0 leshort =0 \b, uncompressed +>&0 leshort =1 \b, LZMA compression +>&0 leshort =2 \b, ZSTD compression +>&0 leshort =3 \b, LZ4 compression +>&0 leshort =4 \b, LZ4HC compression +>&0 leshort =5 \b, BROTLI compression + +#### DwarFS files without header +## We first check against a DWARFS magic at the start of the file, then +## validate by checking the block count / section type to be all zeros +## for the first block. Finally, we check that the *next* block also +## has the correct DWARFS magic. +0 string DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image +>>>&0 use dwarfsversion +>>&0 use dwarfscompression + +#### DwarFS files with header +## We search for a DWARFS magic in the first 64k of the file (images with +## headers longer than 64k won't be recognized), then validate by checking +## the block count / section type to be all zeros for the first block. +## Finally, we check that the *next* block also has the correct DWARFS magic. +## If we find a DWARFS magic that doesn't pass validation, we continue with +## an indirect match recursively. +1 search/65536/b DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image (with header) +>>>&0 use dwarfsversion +>>&0 use dwarfscompression +>&-1 indirect x diff --git a/contrib/file/magic/Magdir/efi b/contrib/file/magic/Magdir/efi index 7760100b1989..6b40e1519c57 100644 --- a/contrib/file/magic/Magdir/efi +++ b/contrib/file/magic/Magdir/efi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: efi,v 1.5 2014/04/30 21:41:02 christos Exp $ +# $File: efi,v 1.7 2024/02/18 14:15:22 christos Exp $ # efi: file(1) magic for Universal EFI binaries 0 lelong 0x0ef1fab9 
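Review bot: The comment on the "DwarFS files with header" block says the indirect match is taken when a DWARFS magic fails validation, but `>&-1 indirect x` sits at continuation level 1. As written it therefore appears to be evaluated after every hit of `1 search/65536/b DWARFS`, including hits that already printed "DwarFS File System Image (with header)". Each indirection repeats a 64 KiB search, and the only bound visible here is libmagic's own indirection limit, which matters because file(1) is routinely run on untrusted input. I would either reword the comment to `## The indirect match runs for every DWARFS hit; depth is bounded by libmagic's indirection limit.` or restructure the block so the indirection is reached only when validation fails.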
@@ -13,3 +13,46 @@ >>&20 lelong 7 \b, i386 >>&20 lelong 0x01000007 \b, x86_64 >4 lelong >2 Universal EFI binary with %d architectures + +# EFI Signature List +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git +0 name efi_sig_list +>0 guid D719B2CB-3D3A-4596-A3BC-DAD00E67656F EFI Signature List, SIG DB +>0 guid 4AAFD29D-68DF-49EE-8AA9-347D375665A7 EFI Signature List, PKCS7 +>0 guid 3C5766E8-269C-4E34-AA14-ED776E85B3B6 EFI Signature List, RSA2048 +>0 guid E2B36190-879B-4A3D-AD8D-F2E7BBA32784 EFI Signature List, RSA2048 SHA256 +>0 guid 67F8444F-8743-48F1-A328-1EAAB8736080 EFI Signature List, RSA2048 SHA1 +>0 guid A7717414-C616-4977-9420-844712A735BF EFI Signature List, RSA2048 SHA256 type +>0 guid 826CA512-CF10-4AC9-B187-BE01496631BD EFI Signature List, SHA1 +>0 guid 0B6E5233-A65C-44C9-9407-D9AB83BFC8BD EFI Signature List, SHA224 +>0 guid C1C41626-504C-4092-ACA9-41F936934328 EFI Signature List, SHA256 +>0 guid FF3E5307-9FD0-48C9-85F1-8AD56C701E01 EFI Signature List, SHA384 +>0 guid 093E0FAE-A6C4-4F50-9F1B-D41E2B89C19A EFI Signature List, SHA512 +>0 guid A5C059A1-94E4-4AA7-87B5-AB155C2BF072 EFI Signature List, X509 +>0 guid 3BD2A492-96C0-4079-B420-FCF98EF103ED EFI Signature List, X509 SHA256 +>0 guid 7076876E-80C2-4EE6-AAD2-28B349A6865B EFI Signature List, X509 SHA384 +>0 guid 446DBF63-2502-4CDA-BCFA-2465D2B0FE9D EFI Signature List, X509 SHA512 +>0 guid 605DAB50-E046-4300-ABB6-3DD810DD8B23 EFI Signature List, MOK_OWNER +>0 guid A46423E3-4617-49F1-B9FF-D1BFA9115839 EFI Signature List, SECURITY PROTOCOL +>0 guid 94AB2F58-1438-4EF1-9152-18941A3A0E68 EFI Signature List, SECURITY2 PROTOCOL +>0 guid AAF32C78-947B-439A-A180-2E144EC37792 EFI Signature List, SECURE VARIABLE +# Hypothesis: EFI Signature List are smaller than 16MiB +19 byte =0 +>23 byte =0 +>>27 byte =0 +>>>0 use efi_sig_list +>>>>16 ulelong x \b, total size: %d bytes +# Variant: EFI Signature List as an EFI variable +# See https://docs.kernel.org/filesystems/efivarfs.html +23 byte =0 +>27 byte =0 +>>31 byte =0 +>>>4 use efi_sig_list +>>>>0 ulelong x \b, EFI variable %d +>>>>20 ulelong x \b, total size: 
%d bytes + +# EFI byte code COFF object file +0 leshort 0x0ebc +>16 leshort 0 +>>0 use display-coff diff --git a/contrib/file/magic/Magdir/elf b/contrib/file/magic/Magdir/elf index 93abdc380db9..404a509db50e 100644 --- a/contrib/file/magic/Magdir/elf +++ b/contrib/file/magic/Magdir/elf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: elf,v 1.87 2021/05/25 15:19:51 christos Exp $ +# $File: elf,v 1.91 2024/11/09 23:52:23 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -8,6 +8,8 @@ # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # +# https://www.sco.com/developers/gabi/latest/ch4.eheader.html +# # Created by: unknown # Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) @@ -80,15 +82,15 @@ >18 leshort 0 no machine, >18 leshort 1 AT&T WE32100, >18 leshort 2 SPARC, ->18 leshort 3 Intel 80386, +>18 leshort 3 Intel i386, >18 leshort 4 Motorola m68k, >>4 byte 1 >>>36 lelong &0x01000000 68000, >>>36 lelong &0x00810000 CPU32, >>>36 lelong 0 68020, >18 leshort 5 Motorola m88k, ->18 leshort 6 Intel 80486, ->18 leshort 7 Intel 80860, +>18 leshort 6 Intel i486, +>18 leshort 7 Intel i860, # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. 
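Review bot: In the efivarfs variant, `>>>>0 ulelong x \b, EFI variable %d` prints the leading 32-bit word as a bare decimal after the words "EFI variable", which reads like an index. Going by the efivarfs document linked in the comment, that word is presumably the variable's attribute bitmask. `>>>>0 ulelong x \b, EFI variable attributes %#x` would say what the number is and show the flags in hex. Both variants also start from bare zero-byte tests (`19 byte =0`, `23 byte =0`), so a one-line comment stating that these are the top bytes of the 32-bit size fields would make the "smaller than 16MiB" hypothesis easier to check.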
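Review bot: The machine strings in the `@@ -80,15 +82,15 @@` hunk change what file(1) prints for e_machine 3, 6 and 7 ("Intel 80386" becomes "Intel i386", and likewise for 80486 and 80860), and nothing in the file records that. Triage scripts and detection rules that match on the old text would silently stop matching. I would add a comment beside the first of them, for example `# output text changed from "Intel 80386" between revisions 1.87 and 1.91; consumers matching the old string need updating`.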
@@ -282,6 +284,12 @@ >18 leshort 216 Cognitive Smart Memory, >18 leshort 217 iCelero CoolEngine, >18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 219 CSR Kalimba architecture family +>18 leshort 220 Zilog Z80 +>18 leshort 221 Controls and Data Services VISIUMcore processor +>18 leshort 222 FTDI Chip FT32 high performance 32-bit RISC architecture +>18 leshort 223 Moxie processor family +>18 leshort 224 AMD GPU architecture >18 leshort 243 UCB RISC-V, # only for 32-bit >>4 byte 1 @@ -367,5 +375,29 @@ >7 byte 16 (FenixOS) >7 byte 17 (Nuxi CloudABI) >7 byte 97 (ARM) +>7 byte 102 (Cell LV2) >7 byte 202 (Cafe OS) >7 byte 255 (embedded) + +# SELF Signed ELF used on the playstation +# https://www.psdevwiki.com/ps4/SELF_File_Format#make_fself_by_flatz +# https://www.psdevwiki.com/ps3/SELF_-_SPRX +0 lelong 0x4F153D1D +>4 lelong 0x00010112 PS4 Signed ELF file +>8 byte 1 \b, SELF/SPRX signed-elf/prx +>8 byte 2 \b, SRVK signed-revoke-list +>8 byte 3 \b, SPKG signed-package +>8 byte 4 \b, SSPP signed-security-policy-profile +>8 byte 5 \b, SDIFF signed-diff +>8 byte 6 \b, SPSFO signed-param-sfo +>9 byte&0xf0 x \b, version %#x +>9 byte&0x0f 4 \b, game +>9 byte&0x0f 5 \b, module +>9 byte&0x0f 6 \b, video app +>9 byte&0x0f 8 \b, System/EX application +>9 byte&0x0f 9 \b, System/EX module/dll +#>12 leshort x \b, header size %d +#>14 leshort x \b, signature size %d +#>16 lelong x \b, file size %d +#>18 leshort x \b, number of segments %d +#>20 leshort 22 diff --git a/contrib/file/magic/Magdir/epoc b/contrib/file/magic/Magdir/epoc index 6f4ab5fc38e2..98f62fcba62d 100644 --- a/contrib/file/magic/Magdir/epoc +++ b/contrib/file/magic/Magdir/epoc 
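Review bot: The six machine entries added for values 219 to 224 (`CSR Kalimba architecture family` through `AMD GPU architecture`) end without the trailing comma that the neighbouring entries carry (`Nanoradio Optimized RISC,` and `UCB RISC-V,`). Their description would run straight into whatever is printed next. Each should end with a comma, e.g. `>18 leshort 220 Zilog Z80,`.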
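Review bot: In the SELF block of the `@@ -367,5 +375,29 @@` hunk only `>4 lelong 0x00010112` carries a format name, while the `>8 byte` and `>9 byte` lines sit at the same level instead of being nested under it. A file with the magic `0x4F153D1D` but a different word at offset 4 would therefore get the category and type fragments (each starting with `\b,`) with no format name in front of them. Nesting them one level deeper (`>>8 byte 1 \b, SELF/SPRX signed-elf/prx`, `>>9 byte&0x0f 4 \b, game`, and so on) ties them to the matched header. `>9 byte&0xf0 x \b, version %#x` also prints the unshifted high nibble, which deserves a comment.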
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: epoc,v 1.9 2013/12/21 14:28:15 christos Exp $ +# $File: epoc,v 1.10 2024/02/14 23:51:54 rrt Exp $ # EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] # Stefan Praszalowicz <hpicollo@worldnet.fr> and Peter Breitenlohner <peb@mppmu.mpg.de> # Useful information for improving this file can be found at: 
@@ -8,55 +8,82 @@ #------------------------------------------------------------------------------ 0 lelong 0x10000037 Psion Series 5 >4 lelong 0x10000039 font file +!:mime application/x-epoc-font >4 lelong 0x1000003A printer driver +!:mime application/x-epoc-pdriver >4 lelong 0x1000003B clipboard +!:mime application/x-epoc-clipboard >4 lelong 0x10000042 multi-bitmap image !:mime image/x-epoc-mbm >4 lelong 0x1000006A application information file ->4 lelong 0x1000006D +>4 lelong 0x1000006D Record file +!:mime image/x-epoc-record >>8 lelong 0x1000007D Sketch image !:mime image/x-epoc-sketch >>8 lelong 0x1000007E voice note +!:mime application/x-epoc-voice >>8 lelong 0x1000007F Word file !:mime application/x-epoc-word >>8 lelong 0x10000085 OPL program (TextEd) !:mime application/x-epoc-opl +>>8 lelong 0x10000086 Data file +!:mime application/x-epoc-data >>8 lelong 0x10000087 Comms settings >>8 lelong 0x10000088 Sheet file !:mime application/x-epoc-sheet >>8 lelong 0x100001C4 EasyFax initialisation file +!:mime application/x-epoc-eini >4 lelong 0x10000073 OPO module !:mime application/x-epoc-opo >4 lelong 0x10000074 OPL application !:mime application/x-epoc-app >4 lelong 0x1000008A exported multi-bitmap image +!:mime image/x-epoc-xmbm >4 lelong 0x1000016D >>8 lelong 0x10000087 Comms names 0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image +!:mime image/x-epoc-mbm 0 lelong 0x10000050 Psion Series 5 >4 lelong 0x1000006D database >>8 lelong 0x10000084 Agenda file !:mime application/x-epoc-agenda ->>8 lelong 0x10000086 Data file -!:mime application/x-epoc-data +>>8 lelong 0x10000086 Address book +!:mime application/x-epoc-addressbook >>8 lelong 0x10000CEA Jotter file !:mime application/x-epoc-jotter >4 lelong 0x100000E4 ini file +!:mime application/x-epoc-ini +>4 lelong 0x10000075 Backlite file +!:mime application/x-epoc-backlite 0 lelong 0x10000079 Psion Series 5 binary: >4 lelong 0x00000000 DLL +!:mime application/x-epoc-dll >4 lelong 0x10000049 comms hardware 
library +!:mime application/x-epoc-chlib >4 lelong 0x1000004A comms protocol library +!:mime application/x-epoc-cplib >4 lelong 0x1000005D OPX +!:mime application/x-epoc-opx >4 lelong 0x1000006C application +!:mime application/x-epoc-app >4 lelong 0x1000008D DLL +!:mime application/x-epoc-dll >4 lelong 0x100000AC logical device driver +!:mime application/x-epoc-ldd >4 lelong 0x100000AD physical device driver +!:mime application/x-epoc-pdd >4 lelong 0x100000E5 file transfer protocol ->4 lelong 0x100000E5 file transfer protocol +!:mime application/x-epoc-ftp >4 lelong 0x10000140 printer definition +!:mime application/x-epoc-ppd >4 lelong 0x10000141 printer definition +!:mime application/x-epoc-ppd 0 lelong 0x1000007A Psion Series 5 executable + +4 lelong 0x1000006d +>8 lelong 0x10000419 Psion Series 5 Application Installer +!:mime application/x-epoc-sis diff --git a/contrib/file/magic/Magdir/espressif b/contrib/file/magic/Magdir/espressif index a97c09301fd1..4909a7cd68f6 100644 --- a/contrib/file/magic/Magdir/espressif +++ b/contrib/file/magic/Magdir/espressif @@ -1,5 +1,7 @@ -# $File: espressif,v 1.3 2021/04/26 15:56:00 christos Exp $ +#------------------------------------------------------------------------------ +# $File: espressif,v 1.4 2024/06/10 23:09:52 christos Exp $ +# espressif: file(1) magic for ESP8266 based devices # configuration dump of Tasmota firmware for ESP8266 based devices by Espressif # URL: https://github.com/arendst/Sonoff-Tasmota/ # Reference: https://codeload.github.com/arendst/Sonoff-Tasmota/zip/release-6.2/ diff --git a/contrib/file/magic/Magdir/filesystems b/contrib/file/magic/Magdir/filesystems index dee053b0a812..a15e5e74d971 100644 --- a/contrib/file/magic/Magdir/filesystems +++ b/contrib/file/magic/Magdir/filesystems 
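Review bot: The new `!:mime image/x-epoc-record` on the parent line `>4 lelong 0x1000006D Record file` puts an `image/` type on a container whose children include voice notes and Word, Sheet and Data files with their own `application/x-epoc-*` types. As far as I understand libmagic's annotation handling, the first matching line that carries `!:mime` decides the reported type, so with `--mime-type` those children may all come back as `image/x-epoc-record`. That matters to anything that filters uploads or attachments on the MIME type. I would drop the parent annotation so the per-subtype lines keep deciding; if a type is wanted for unknown subtypes, `application/x-epoc-record` describes a generic container better than an `image/` type.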
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.149 2022/05/21 22:50:28 christos Exp $ +# $File: filesystems,v 1.165 2024/09/01 15:51:51 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid @@ -1282,7 +1282,7 @@ #>>>(0x1BC.s+11) ubyte x \b,cfg_def %#x # for older versions >>>(0x1BC.s+9) ubyte <2 -#>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds +#>>>>(0x1BC.s+12) ubyte 18 \b,%u/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy %#x @@ -1401,14 +1401,14 @@ >>>>>16 ubyte =1 \b, FAT %u >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u -#>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) +#>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) >>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) -#>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) +#>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor %#x #>>>>>21 ubyte =0xF0 \b, Media descriptor %#x (usual floppy) >>>>>21 ubyte <0xF0 \b, Media descriptor %#x >>>>>22 uleshort >0 \b, sectors/FAT %u -#>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32) +#>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) >>>>>24 uleshort x \b, sectors/track %u >>>>>26 ubyte >2 \b, heads %u #>>>>>26 ubyte =2 \b, heads %u (usual floppy) @@ -1479,7 +1479,7 @@ >>>>>>36 ulelong x \b, sectors/FAT %u # https://technet.microsoft.com/en-us/library/cc977221.aspx >>>>>>40 uleshort >0 \b, extension flags %#x -#>>>>>>40 uleshort =0 \b, extension flags %hu +#>>>>>>40 uleshort =0 \b, extension flags %u >>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>42 uleshort =0 \b, fsVersion %u (usual) >>>>>>44 ulelong >2 \b, rootdir cluster %u 
@@ -1596,7 +1596,8 @@ >0x1e lequad x %lld total clusters, >0x26 lequad x %lld clusters in use -9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), + +0 name ffsv1 >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, 
@@ -1612,105 +1613,59 @@ >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization -42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization - -66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization +9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), +>0 use ffsv1 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), >7168 belong 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, ->8404 string x last 
mounted on %s, -#>9504 bedate x last checked at %s, ->8224 bedate x last written at %s, ->8401 byte x clean flag %d, ->8228 belong x number of blocks %d, ->8232 belong x number of data blocks %d, ->8236 belong x number of cylinder groups %d, ->8240 belong x block size %d, ->8244 belong x fragment size %d, ->8252 belong x minimum percentage of free blocks %d, ->8256 belong x rotational delay %dms, ->8260 belong x disk rotational speed %drps, ->8320 belong 0 TIME optimization ->8320 belong 1 SPACE optimization +>0 use \^ffsv1 + +0 name ffsv2 +>212 string x last mounted on %s, +>680 string >\0 volume name %s, +>1072 leqldate x last written at %s, +>209 byte x clean flag %d, +>210 byte x readonly flag %d, +>1080 lequad x number of blocks %lld, +>1088 lequad x number of data blocks %lld, +>44 lelong x number of cylinder groups %d, +>48 lelong x block size %d, +>52 lelong x fragment size %d, +>1196 lelong x average file size %d, +>1200 lelong x average number of files in dir %d, +>1104 lequad x pending blocks to free %lld, +>1112 lelong x pending inodes to free %d, +>712 lequad x system-wide uuid %0llx, +>60 lelong x minimum percentage of free blocks %d, +>128 lelong 0 TIME optimization +>128 lelong 1 SPACE optimization + +42332 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use ffsv2 + +42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>40960 use ffsv2 + +42332 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use \^ffsv2 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 
belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>40960 use \^ffsv2 + +66908 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use ffsv2 + +66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>65536 use ffsv2 + +66908 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use \^ffsv2 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>65536 use \^ffsv2 0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), >0x90 lelong+1 x volume %d 
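Review bot: Two of the added big-endian tests print the wrong byte order: `42332 belong 0x19012038` and `66908 belong 0x19012038` are each followed by `use \^ffsv2` (the byte-swapped call), yet their descriptions say `[v2ea] (little-endian)`. They look copied from the `lelong` lines above them; the text should read `Unix Fast File system [v2ea] (big-endian)` in both places. Forensic tooling that keys on the endianness in the description would otherwise misreport these images.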
@@ -1983,26 +1938,29 @@ # defect IO.SYS+MSDOS.SYS ? #>>>>>0x162 use 2xDOS-filename -0 name cdrom ->38913 string !NSR0 ISO 9660 CD-ROM filesystem data +0 name cdrom ISO 9660 CD-ROM filesystem data !:mime application/x-iso9660-image !:ext iso/iso9660 ->38913 string NSR0 UDF filesystem data -!:mime application/x-iso9660-image -!:ext iso/udf ->>38917 string 1 (version 1.0) ->>38917 string 2 (version 1.5) ->>38917 string 3 (version 2.0) ->>38917 byte >0x33 (unknown version, ID %#X) ->>38917 byte <0x31 (unknown version, ID %#X) # The next line is not necessary because the MBR staff is done looking for boot signature >0x1FE leshort 0xAA55 (DOS/MBR boot sector) # "application id" which appears to be used as a volume label >32808 string/T >\0 '%.32s' >34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) +# check for extended area (combined ISO + UDF) +>36865 string BEA01 + +>>36864 use extendedarea + 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) !:mime application/x-iso9660-image + +# URL: http://fileformats.archiveteam.org/wiki/High_Sierra +# Update: Joerg Jenderek 32777 string CDROM High Sierra CD-ROM filesystem data +# https://www.unix.com/man-page/OpenSolaris/7fs/hsfs/ +#!:mime application/octet-stream +#!:mime application/x-hsfs-image +# BOOKSHELF.ISO "Shareware Grab Bag.iso" +!:ext iso # "application id" which appears to be used as a volume label >32816 string/T >\0 '%.32s' @@ -2018,6 +1976,55 @@ !:strength +35 >0 use cdrom +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Universal_Disk_Format +# https://en.wikipedia.org/wiki/Universal_Disk_Format +# Reference: https://wiki.osdev.org/UDF +# Note: called "UDF Disc Image" by DROID via PUID fmt/1738 +# verified by udftools `udfinfo nero-UDFv26.iso` and 7-Zip `7z l -tUdf nero-UDF1.iso` +# +# look for type descriptor at relative offset 1 of block 16 if it is an extended descriptor section +32769 string BEA01 +>32768 use extendedarea + +0 name extendedarea +# look for type descriptor at relative offset 1 of block 17 with size 2048 (valid for images with blocksize of 512, 1024 or 2048 bytes) +>2049 string NSR0 +>>2048 use NSR0 +>2049 default x +# look for type descriptor at relative offset 1 of block 17 with size 4096 (valid for images with blocksize of 4096 bytes) +>>4097 string NSR0 +>>>4096 use NSR0 +>>4097 default x +# look for type descriptor at relative offset 1 of block 17 with size 8192 (valid for images with blocksize of 8192 bytes) +>>>8193 string NSR0 +>>>>8192 use NSR0 +>>>8193 default x +# look for type descriptor at relative offset 1 of block 17 with size 16384 (valid for images with blocksize of 16384 bytes) +>>>>16385 string NSR0 +>>>>>16384 use NSR0 +>>>>16385 default x +# look for type descriptor at relative offset 1 of block 17 with size 32768 (valid for images with blocksize of 32768 bytes) +>>>>>32769 string NSR0 +>>>>>>32768 use NSR0 +>>>>>32769 default x + +0 name NSR0 +# NSR02 indicates ISO/IEC 13346 first edition, or ECMA-167 second edition +# OSTA UDF 1.x revisions are based on ISO/IEC 13346 first edition +# FIXME: This detection is incorrect as it does not detect UDF 1.x, but ECMA-167 2nd +>5 ubyte 0x32 UDF filesystem data (version 1.x) +#!:mime application/octet-stream +!:mime application/x-udf-image +!:ext iso/udf +# NSR03 indicates ISO/IEC 13346 second edition, or ECMA-167 third edition +# OSTA UDF 2.x revisions are based on ECMA-167 third edition +# FIXME: This detection is incorrect as it 
does not detect UDF 2.x, but ECMA-167 3rd +>5 ubyte 0x33 UDF filesystem data (version 2.x) +#!:mime application/octet-stream +!:mime application/x-udf-image +!:ext iso/udf + # URL: https://en.wikipedia.org/wiki/NRG_(file_format) # Reference: https://dl.opendesktop.org/api/files/download/id/1460731811/ # 11577-mount-iso-0.9.5.tar.bz2/mount-iso-0.9.5/install.sh @@ -2028,24 +2035,6 @@ !:ext nrg >307200 use cdrom -# .cso files -# Reference: https://pismotec.com/ciso/ciso.h -# NOTE: There are two other formats with the same magic but -# completely incompatible specifications: -# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h -# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h -0 string CISO -# Other fields are used to determine what type of CISO this is: -# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) -# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) -# - 0x10 == 0x00004000: For >2GB files using maxcso... -# https://github.com/unknownbrackets/maxcso/issues/26 -# - None of the above: Compact ISO. ->4 lelong !0 ->>4 lelong !0x200000 ->>>16 lelong !0x800 ->>>>16 lelong !0x4000 Compressed ISO CD image - # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian >4 lelong x size %u 
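Review bot: The new `NSR0` block only handles `>5 ubyte 0x32` and `>5 ubyte 0x33`, whereas the code it replaces (removed in the `@@ -1983,26 +1938,29 @@` hunk) also reported `(unknown version, ID %#X)` for other values. A volume whose descriptor is `NSR0` followed by any other byte now produces no UDF output at all. For a pure UDF image reached through `32769 string BEA01`, that means no identification from this block. A fallback such as `>5 default x UDF filesystem data (unknown NSR revision)` would keep such images visible. The two FIXME comments also admit that "(version 1.x)" and "(version 2.x)" name the ECMA-167 edition rather than the UDF revision, so the printed text could say `NSR02`/`NSR03` instead.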
@@ -2244,20 +2233,6 @@ >560 string x label: %.64s, >136 string x mountpoint: %.128s -# Summary: Oracle ASM tagged volume -# Created by: Aaron Botsis <redhat@digitalmafia.org> -32 string ORCLDISK Oracle ASM Volume, ->40 string x Disk Name: %0.12s -32 string ORCLCLRD Oracle ASM Volume (cleared), ->40 string x Disk Name: %0.12s - -# Oracle Clustered Filesystem - Aaron Botsis <redhat@digitalmafia.org> -8 string OracleCFS Oracle Clustered Filesystem, ->4 long x rev %d ->0 long x \b.%d, ->560 string x label: %.64s, ->136 string x mountpoint: %.128s - # Oracle ASM tagged volume - Aaron Botsis <redhat@digitalmafia.org> 32 string ORCLDISK Oracle ASM Volume, >40 string x Disk Name: %0.12s @@ -2323,12 +2298,6 @@ # From: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string *dvdisaster* dvdisaster error correction file -# xfs metadump image -# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog -# but can we do the << ? For now it's always 512 (0x200) anyway. -0 string XFSM ->0x200 string XFSB XFS filesystem metadump image - # Type: CROM filesystem # From: Werner Fink <werner@suse.de> 0 string CROMFS CROMFS 
@@ -2648,16 +2617,149 @@ >10 ubelong x \b-%08x >14 ubeshort x \b%04x -0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 bcachefs ->0x1068 lequad 8 \b, UUID= ->>0x1038 use bcachefs-uuid ->>0x1048 string >0 \b, label "%.32s" ->>0x1010 uleshort x \b, version %u ->>0x1012 uleshort x \b, min version %u ->>0x107a byte x \b, device %d +0 name bcachefs bcachefs +>0x68 lequad 8 \b, UUID= +>>0x38 use bcachefs-uuid +>>0x48 string >0 \b, label "%.32s" +>>0x10 uleshort x \b, version %u +>>0x12 uleshort x \b, min version %u +>>0x7a byte x \b, device %d # assumes the first field is the members field ->>0x12f4 ulelong 0x01 \b/UUID= ->>>0x12f0 default x ->>>&(0x107a.b*56) use bcachefs-uuid ->>0x107b byte x \b, %d devices ->>0x1090 byte ^0x02 \b (unclean) +>>0x2f4 ulelong 0x01 \b/UUID= +>>>0x2f0 default x +>>>&(0x07a.b*56) use bcachefs-uuid +>>0x07b byte x \b, %d devices +>>0x090 byte ^0x02 \b (unclean) + +0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 +>0x1000 use bcachefs + +0x1018 string \xc6\x85\x73\xf6\x66\xce\x90\xa9\xd9\x6a\x60\xcf\x80\x3d\xf7\xef +>0x1000 use bcachefs + +# EROFS +# https://kernel.googlesource.com/pub/scm/linux/kernel/git/xiang/erofs-utils/\ +# +/refs/heads/experimental/include/erofs_fs.h#12 +1024 lelong 0xE0F5E1E2 EROFS filesystem +#>1028 lelong x \b, checksum=%#x +>1032 lelong >0 \b, compat: +>>1032 lelong &1 SB_CHKSUM +>>1032 lelong &2 MTIME +>1036 byte x \b, blocksize=%u +>1037 byte x \b, exslots=%u +#>1038 leshort x \b, root_nid=%d +#>1040 lequad x \b, inodes=%ld +#>1048 leldate x \b, build_time=%s +#>1056 lelong x \b.%d +#>1060 lelong x \b, blocks=%d +#>1064 lelong x \b, metadata@%#x +#>1068 lelong x \b, xattr@%#x +>1072 guid x \b, uuid=%s +>1088 string >0 \b, name=%s +>1104 lelong >0 \b, incompat: +>>1104 lelong &1 LZ4_0PADDING +>>1104 lelong &2 BIG_PCLUSTER +>>1104 lelong &4 CHUNKED_FILE +>>1104 lelong &8 DEVICE_TABLE +>>1104 lelong &16 ZTAILPACKING + +# YAFFS +# The layout itself is 
undocumented, determined by the memory layout of the +# reference implementation. This signature is derived from the +# reference implementation code and generated test cases +# We recognize the start of an object header defined by yaffs_obj_hdr: +# (Note the values being encoded depending on platform endianess) + +# u32 type /* enum yaffs_obj_type, valid 1-5 */ +# u32 parent_obj_id; /* 1 for root objects we recognize */ +# u16 sum_no_longer_used; /* checksum of name. Not used by YAFFS and memset to 0xFF */ +# YCHAR name[YAFFS_MAX_NAME_LENGTH + 1]; + +# mkyaffsimage always writes a root directory with empty name, then processing the target directory contents +# mkyaffs2image directly proceeds to writing entries with the appropriate u32 YAFFS_OBJECT_TYPE (1-5 valid), each with parent id 1 + +0 name yaffs +>0 ulelong 1 \b, type file +>0 ulelong 2 \b, type symlink +>0 ulelong 3 \b, type root or directory +>0 ulelong 4 \b, type hardlink +>0 ulelong 5 \b, type special +>0xA byte 0 \b, v1 root directory +>0xA byte !0 \b, object entry +>>0xA string x (name: "%s") + +# Little Endian: XX 00 00 00 01 00 00 00 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x1 string \x00\x00\x00\x01\x00\x00\x00\xFF\xFF +>0 ulelong 0 +>0 ulelong >5 +>0 default x YAFFS filesystem root entry (little endian) +>>0 use yaffs + +# Big Endian: 00 00 00 XX 00 00 00 01 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x4 string \x00\x00\x00\x01\xFF\xFF +>0 string \x00\x00\x00 +>>0 ubelong 0 +>>0 ubelong >5 +>>0 default x YAFFS filesystem root entry (big endian) +>>>0 use \^yaffs + +# littlefs superblock +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/littlefs-project/littlefs/blob/v2.9.0/SPEC.md +# Match first commit tag, then "littlefs" magic +4 ulelong 0xf7ff0ff0 +>8 string littlefs littlefs superblock +>>22 uleshort x \b, version %u +>>20 uleshort x \b.%u +>>24 ulelong x \b, block size: %u bytes +>>28 ulelong x \b, %u blocks + +# EldOS Corporation SolidFS (aka SolFS) +# 256 bytes page size +0x0 string \x08\x00\x4e\x57\x20 +>0x100 string \x4e\x57\x00\x00\x01 +>0x1A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 256 bytes page size + +# 512 bytes page size +0x0 string \x09\x00\x4e\x57\x20 +>0x200 string \x4e\x57\x00\x00\x01 +>0x2A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 512 bytes page size + +# 1 kibibyte page size +0x0 string \x0A\x00\x4e\x57\x20 +>0x400 string \x4e\x57\x00\x00\x01 +>0x4A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 1KiB page size + +# 2 kibibyte page size +0x0 string \x0B\x00\x4e\x57\x20 +>0x800 string \x4e\x57\x00\x00\x01 +>0x8A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 2KiB page size + +# 4 kibibyte page size +0x0 string \x0C\x00\x4e\x57\x20 +>0x1000 string \x4e\x57\x00\x00\x01 +>0x10A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 4KiB page size + +# 8 kibibyte page size +0x0 string \x0D\x00\x4e\x57\x20 +>0x2000 string \x4e\x57\x00\x00\x01 +>0x20A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 8KiB page size + +# 16 kibibyte page size +0x0 string \x0E\x00\x4e\x57\x20 +>0x4000 string \x4e\x57\x00\x00\x01 +>0x40A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 16KiB page size + +# 32 kibibyte page size +0x0 string \x0F\x00\x4e\x57\x20 +>0x8000 string \x4e\x57\x00\x00\x01 +>0x80A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 32KiB page size + +# 64 kibibyte page size +0x0 string \x10\x00\x4e\x57\x20 +>0x10000 string \x4e\x57\x00\x00\x01 +>0x100A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 64KiB page size 
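Review bot: The EROFS volume name at `>1088 string >0 \b, name=%s` is printed without a length bound, although the next field tested in this hunk sits at offset 1104, which leaves 16 bytes for the name. A name that fills the field with no terminating NUL would presumably make the output run on into the feature-flag bytes, which matters when the description is consumed by triage or forensics tooling. Bounding it the way the bcachefs label is bounded (`%.32s`) avoids that: `>1088 string >0 \b, name=%.16s`. The YAFFS line `>>0xA string x (name: "%s")` in the same hunk is unbounded in the same way; the comment cites `YAFFS_MAX_NAME_LENGTH` but the hunk does not give its value, so the precision there should be checked against the reference implementation.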
diff --git a/contrib/file/magic/Magdir/firmware b/contrib/file/magic/Magdir/firmware new file mode 100644 index 000000000000..21ba1ed591b6 --- /dev/null +++ b/contrib/file/magic/Magdir/firmware @@ -0,0 +1,277 @@ +#------------------------------------------------------------------------------ +# $File: firmware,v 1.13 2024/09/04 19:04:03 christos Exp $ +# firmware: file(1) magic for firmware files +# + +# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure +# examples: https://github.com/cweiske/frontier-silicon-firmwares +0 lelong 0x00001176 +>4 lelong 0x7c Frontier Silicon firmware download +>>8 lelong x \b, MeOS version %x +>>12 string/32/T x \b, version %s +>>40 string/64/T x \b, customization %s + +# HPE iLO firmware update image +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ +# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images +0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00 +>16 ubeshort =0xCFDD HPE iLO2 firmware update image +>16 ubeshort =0x6444 HPE iLO1 firmware update image +# iLO3 images (ilo3_*.bin) start directly with image name +0 string iLO3\x20v\x20 HPE iLO3 firmware update image, +>7 string x version %s +# iLO4 images (ilo4_*.bin) start with a signature and a certificate +0 string --=</Begin\x20HP\x20Signed +>75 string label_HPBBatch +>>5828 string iLO\x204 +>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image, +>>>6947 string x version %s +# iLO5 images (ilo5_*.bin) start with a signature +>75 string label_HPE-HPB-BMC-ILO5-4096 +>>880 string HPIMAGE\x00 HPE iLO5 firmware update image, +>>944 string x version %s + +# IBM POWER Secure Boot Container +# from https://github.com/open-power/skiboot/blob/master/libstb/container.h +0 belong 0x17082011 POWER Secure Boot Container, +>4 beshort x version %u +>6 bequad x container size %llu +# These are always zero +# >14 bequad x target HRMOR %llx +# >22 bequad x stack pointer %llx +>4096 ustring \xFD7zXZ\x00 XZ compressed +0 belong 0x1bad1bad POWER boot firmware +>256 belong 0x48002030 (PHYP entry point) + +# ARM Cortex-M vector table +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties +# Match stack MSB +3 byte 0x20 +# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match) +>4 ulelong&0xE0000001 1 +>>8 ulelong&0xE0000001 1 +>>>12 ulelong&0xE0000001 1 +>>>>44 ulelong&0xE0000001 1 +>>>>>56 ulelong&0xE0000001 1 +# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF) +>>>>>>28 ulelong+1 <2 +>>>>>>>32 ulelong+1 <2 +>>>>>>>>36 ulelong+1 <2 +>>>>>>>>>40 ulelong+1 <2 +>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware +>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x +>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x + +# ESP-IDF partition table entry +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h +0 string \xAA\x50 +>2 ubyte <2 ESP-IDF partition table entry +>>12 string/16 x \b, label: "%s" +>>2 ubyte 0 +>>>3 ubyte 0x00 \b, factory app +>>>3 ubyte 0x10 \b, OTA_0 app +>>>3 ubyte 0x11 \b, OTA_1 app +>>>3 ubyte 0x12 \b, OTA_2 app +>>>3 ubyte 0x13 \b, OTA_3 app +>>>3 ubyte 0x14 \b, OTA_4 app +>>>3 ubyte 0x15 \b, OTA_5 app +>>>3 ubyte 0x16 \b, OTA_6 app +>>>3 ubyte 0x17 \b, OTA_7 app +>>>3 ubyte 0x18 \b, OTA_8 app +>>>3 ubyte 0x19 \b, OTA_9 app +>>>3 ubyte 0x1A \b, OTA_10 app +>>>3 ubyte 0x1B \b, OTA_11 app +>>>3 ubyte 0x1C \b, OTA_12 app +>>>3 ubyte 0x1D \b, OTA_13 app +>>>3 ubyte 0x1E \b, OTA_14 app +>>>3 ubyte 0x1F \b, OTA_15 app +>>>3 ubyte 0x20 \b, test app +>>2 ubyte 1 +>>>3 ubyte 0x00 \b, OTA selection data +>>>3 ubyte 0x01 \b, PHY init data +>>>3 ubyte 0x02 \b, NVS data +>>>3 ubyte 0x03 \b, coredump data +>>>3 ubyte 0x04 \b, NVS keys +>>>3 ubyte 0x05 \b, emulated eFuse data +>>>3 ubyte 0x06 \b, undefined data +>>>3 ubyte 0x80 \b, ESPHTTPD partition +>>>3 ubyte 0x81 \b, FAT partition +>>>3 ubyte 0x82 \b, SPIFFS partition +>>>3 ubyte 0xFF \b, any data +>>4 ulelong x \b, offset: 0x%X +>>8 ulelong x \b, size: 0x%X +>>28 ulelong&0x1 1 \b, encrypted + +# ESP-IDF application image +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# Update: Joerg Jenderek +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h +# Reference: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/app_image_format.html +# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t +# First segment contains esp_app_desc_t +# ESP_IMAGE_HEADER_MAGIC at the beginning of esp_image_header_t structure +0 ubyte 0xE9 +# display ESP-IDF application image (strength=40=40+0) before DOS executable with 16bit JuMP (strength=40) handled by ./msdos +#!:strength +0 +# ESP_APP_DESC_MAGIC_WORD; magic for the esp_app_desc_t structure +>32 ulelong 0xABCD5432 ESP-IDF application image +#!:mime application/octet-stream +!:mime application/x-espressif-bin +!:ext bin +>>12 uleshort 0x0000 for ESP32 +>>12 uleshort 0x0002 for ESP32-S2 +>>12 uleshort 0x0005 for ESP32-C3 +>>12 uleshort 0x0009 for ESP32-S3 +>>12 uleshort 0x000A for ESP32-H2 Beta1 +>>12 uleshort 0x000C for ESP32-C2 +>>12 uleshort 0x000D for ESP32-C6 +>>12 uleshort 0x000E for ESP32-H2 Beta2 +>>12 uleshort 0x0010 for ESP32-H2 +>>80 string/32 x \b, project name: "%s" +>>48 string/32 x \b, version %s +>>128 string/16 x \b, compiled on %s +>>>112 string/16 x %s +>>144 string/32 x \b, IDF version: %s +>>4 ulelong x \b, entry address: 0x%08X + +# AVR firmware +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://microchipdeveloper.com/8avr:int +# Match 4-byte JMP for Reset, Int0-2, PcInt0-3 and WDT +0 uleshort&0xFE0E 0x940C +>4 uleshort&0xFE0E 0x940C +>>8 uleshort&0XFE0E 0x940C +>>>12 uleshort&0XFE0E 0x940C +>>>>16 uleshort&0XFE0E 0x940C +>>>>>20 uleshort&0XFE0E 0x940C +>>>>>>24 uleshort&0XFE0E 0x940C +>>>>>>>28 uleshort&0XFE0E 0x940C +>>>>>>>>32 uleshort&0XFE0E 0x940C AVR firmware +# Handle only 16-bit addressing +>>>>>>>>>0 uleshort 0x940C +>>>>>>>>>>2 uleshort x \b, reset at 0x%04x +# Match 2-byte RJMP for Reset, Int0-2, PcInt0-3 and WDT for smaller AVR +1 byte&0xF0 0xC0 +>3 byte&0xF0 0xC0 +>>5 byte&0xF0 0xC0 +>>>7 byte&0xF0 0xC0 +>>>>9 byte&0xF0 0xC0 +>>>>>11 byte&0xF0 0xC0 +>>>>>>13 byte&0xF0 0xC0 +>>>>>>>15 byte&0xF0 0xC0 +>>>>>>>>17 byte&0xF0 0xC0 AVR firmware +>>>>>>>>>0 uleshort&0x0FFF x \b, reset at 0x%04x + +# Summary: Intel HEXadecimal file format +# URL: https://en.wikipedia.org/wiki/Intel_HEX +# Reference: http://www.piclist.com/techref/fileext/hex/intel.htm +# http://mark0.net/download/triddefs_xml.7z/defs/h/hex-intel.trid.xml +# 
From: Joerg Jenderek +# Note: called "Intel Hexadecimal object format" by TrID, "Intel® hexadecimal object file" on Linux +# and "Intel HEX binary data" by Notepad++ +# look for start code; 1 character, an ASCII colon ':'; all characters preceding this symbol should be ignored +0 ubyte 0x3A +# check for valid record type string with range 00 - 05 (3030h - 3035h) +>&6 ubeshort&0xFFf8 =0x3030 +# check for valid record length string like: 02 04 08 10h 20h 03 (usbdload.hex usbdldv2.hex from Windows Vista) +#>>1 string x LENGTH_STRING=%0.2s +#>>1 ubeshort x LENGTH=%#4.4x +>>&-8 ubeshort&0xFCf0 =0x3030 +>>>0 use intel-hex +# display information (offset, record length and type) of Intel HEX +0 name intel-hex +# RECORD MARK +>0 ubyte x Intel hexadecimal object +#!:mime text/plain +!:mime text/x-hex +!:ext hex +# no samples with other suffix found +# .hex .mcs .int .ihex .ihe .ihx .h80 .h86 .a43 .a90 .obj .obl .obh .rom .eep +# .hxl-.hxh .h00-.h15 .p00-.pff +# RECLEN; 2 hex digits for number of bytes in 1st data field; like 0x02 0x03 0x04 0x08 0x10 0x20; maximum 255 +>1 string x \b, 0x%2.2s record length +# OFFSET; 4 hex digits for 1st 16-bit memory offset of data like: 0000 (often) 1C00h 1E00h 3800h 3E00h 76EDh 7800h 7E00h ... +>3 string x \b, 0x%4.4s offset +# RECTYP; 2 hex digits (00 - 05); meaning of 1st data field; 00~DataRecord (often) 0l~EndOfFileRecord 02~ExtendedSegmentAddressRecord 03~StartSegmentAddressRecord 04~ExtendedLinearAddressRecord 05~StartLinearAddressRecord +>7 string x \b, '%2.2s' type +# DATA; n bytes of 1st data represented by 2n hex digits followed by 1 byte checksum +>9 string x \b, data+checksum %s +# last record :00000001FF with RECLEN 0, OFFSET 0, record type 01 for EndOfFile and 1 checksum byte FF +# samples with CarriageReturnLineFeed terminator +>-2 ubeshort =0x0d0a +# This should not happen! +>>-13 string !:00000001FF \b, last line %s +>-2 ubeshort !0x0d0a +# samples with LineFeed terminator +>>-1 ubyte =0x0a +# This should not happen! 
+>>>-12 string !:00000001FF \b, last line %s + +# Raspberry Pi RP2040 firmware +# From: Alexandre Iooss <erdnaxe@crans.org> +# Note: RP2040 flash image starts with stage2 bootloader, then a vector table. +# URL: https://github.com/raspberrypi/pico-sdk/tree/1.5.1/src/rp2_common/boot_stage2 +# boot2_*.S code (_stage2_boot) +0 ulelong 0x4B32B500 +>4 ulelong 0x60582021 +>>8 ulelong 0x21026898 +# exit_from_boot2.S code (check_return) `pop {r0}; cmp r0, #0` +>>>148 ulelong 0x2800bc01 +# Cortex-M vector table with reserved section filled with a default interrupt address +>>>>259 byte 0x20 +# make sure required vector table entries are ARM Thumb and in flash +>>>>>260 ulelong&0xE0000001 1 +>>>>>>264 ulelong&0xE0000001 1 +>>>>>>>268 ulelong&0xE0000001 1 +>>>>>>>>300 ulelong&0xE0000001 1 +>>>>>>>>>312 ulelong&0xE0000001 1 Raspberry Pi RP2040 firmware +>>>>>>>>>>256 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>>>>260 ulelong^1 x \b, reset at 0x%08x +>>>>>>>>>>264 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>>>>268 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>>>>300 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>>>>312 ulelong^1 x \b, PendSV at 0x%08x +# optional binary_info in the first 256 bytes, used by picotool +# https://github.com/raspberrypi/pico-sdk/blob/master/src/common/pico_binary_info/include/pico/binary_info/defs.h +>>>>>>>>>>256 search/256 \xf2\xeb\x88\x71 \b, with binary_info + +# Silicon Labs Gecko Bootloader update image +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# Reference: https://github.com/raboof/gbl +# https://github.com/dsyx/emberznet-doc +# Note: TLV always starting with tag 0x03A617EB of length 8 +0 ulelong 0x03A617EB +>4 ulelong 8 Silicon Labs Gecko bootloader update image +!:ext gbl +>>12 byte 1 \b, encrypted (AES-CTR-128) +>>13 byte 1 \b, signed (ECDSA-P256) +# If not encrypted, indicate first image type +>>16 ulelong 0xF40A0AF4 \b, application image +>>16 ulelong 0xF50909F5 \b, bootloader image + +# Silicon Labs Gecko Bootloader OTA update with Zigbee EmberZNet SDK +# URL: https://github.com/SiliconLabs/gecko_sdk +0 ulelong 0x0BEEF11E +>6 ulelong 0x38 Silicon Labs Gecko EmberZNet OTA image +!:ext ota/zigbee +>>4 ubeshort x v%d + +# Device Firmware Upgrade with ST STMicroelectronics extensions +# From: Alexandre Iooss <erdnaxe@crans.org> +# Reference: STMicroelectronics note UM0391 +# Reference: https://dfu-util.sourceforge.net/dfuse.html +# DFU prefix +0 string DfuSe\x01 DFU image (STM variant) +!:ext dfu +>6 ulelong x \b, size: %d bytes +# DFU suffix, specification 0x011A +>-10 string \x1A\x01UFD +>>-12 uleshort x \b, for device %04X: +>>-14 uleshort x \b%04X diff --git a/contrib/file/magic/Magdir/fonts b/contrib/file/magic/Magdir/fonts index de3e5354c785..e059ba563317 100644 --- a/contrib/file/magic/Magdir/fonts +++ b/contrib/file/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.50 2022/03/21 21:28:13 christos Exp $ +# $File: fonts,v 1.52 2024/11/09 23:52:53 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text 
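Review bot: The ESP-IDF partition table entry rule prints its description after matching only three bytes, `0 string \xAA\x50` followed by `>2 ubyte <2`, so unrelated data that happens to begin with those bytes will be reported as a partition entry. Anyone using file(1) output to sort firmware dumps should know this is a hint rather than an identification. I would add a comment above the rule such as `# weak signature: 2-byte magic plus type 0/1 only, expect false positives`, and consider lowering its priority with a `!:strength` line after the description. The second AVR rule (nine `byte&0xF0 0xC0` tests on single nibbles) is similarly loose and deserves the same caveat.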
@@ -442,7 +442,42 @@ # https://www.w3.org/TR/WOFF2/ 0 string wOF2 Web Open Font Format (Version 2) !:mime font/woff2 +!:ext woff2 >0 use woff #>20 belong x \b, totalCompressedSize %d >24 beshort x \b, version %d >26 beshort x \b.%d + +### fontconfig cache files + +# fontconfig cache files: little-endian +0 name fc-cache-le +# size is at offset 8, and is intptr_t +# hence, if offset 12 is zero, this is likely 64-bit +# NOTE: cannot determine double alignment here +>12 ulelong 0 le64 +>12 ulelong !0 le32 +# version number +>4 lelong x \b-%d + +# fontconfig cache files: big-endian +0 name fc-cache-be +# size is at offset 8, and is intptr_t +# hence, if offset 12 is zero, this is likely 64-bit +# NOTE: cannot determine double alignment here +>12 ubelong 0 be64 +>12 ubelong !0 be32 +# version number +>4 belong x \b-%d + +# fontconfig cache files +# https://gitlab.freedesktop.org/fontconfig/fontconfig +# https://www.microsoft.com/typography/otspec/otff.htm +0 ulelong 0xFC02FC04 fontconfig cache file: +>0 use fc-cache-le +0 ulelong 0xFC02FC05 fontconfig cache file (mmap): +>0 use fc-cache-le +0 ubelong 0xFC02FC04 fontconfig cache file: +>0 use fc-cache-be +0 ubelong 0xFC02FC05 fontconfig cache file (mmap): +>0 use fc-cache-be diff --git a/contrib/file/magic/Magdir/frame b/contrib/file/magic/Magdir/frame index c0fd840a46fa..fce87196752f 100644 --- a/contrib/file/magic/Magdir/frame +++ b/contrib/file/magic/Magdir/frame 
@@ -1,23 +1,53 @@ #------------------------------------------------------------------------------ -# $File: frame,v 1.14 2019/11/25 00:31:30 christos Exp $ +# $File: frame,v 1.19 2024/03/04 00:34:31 christos Exp $ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is # copyright, but this file is "published" as witness the following: # -# Note that this is the Framemaker Maker Interchange Format, not the -# Normal format which would be application/vnd.framemaker. +# URL: https://en.wikipedia.org/wiki/Adobe_FrameMaker # -0 string \<MakerFile FrameMaker document -!:mime application/x-mif ->11 string 5.5 (5.5 ->11 string 5.0 (5.0 ->11 string 4.0 (4.0 ->11 string 3.0 (3.0 ->11 string 2.0 (2.0 ->11 string 1.0 (1.0 ->14 byte x %c) +# Update: Joerg Jenderek 2024 Mar +# URL: http://fileformats.archiveteam.org/wiki/FrameMaker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fm.trid.xml +# Note: called "FrameMaker document" by TrID and "Adobe FrameMaker document" by shared MIME-info database +# skip "text" DROID samples like: fmt-190-signature-id-840.fm fmt-533-signature-id-837.fm fmt-534-signature-id-838.fm fmt-535-signature-id-839.fm fmt-536-signature-id-841.fm +# fmt-537-signature-id-842.fm fmt-538-signature-id-843.fm fmt-539-signature-id-844.fm x-fmt-302-signature-id-395.fm +0 string/b \<MakerFile FrameMaker document +#!:mime application/octet-stream +# https://www.iana.org/assignments/media-types/application/vnd.framemaker +!:mime application/vnd.framemaker +# version string like 1.0 2.0 3.0 4.0 5.0 5.5 6.0 7.0 8.0 9.0 10.0 +>11 string x (%0.3s +# before closing directive ">" is appended version letter like: F H J K Q Y +>>14 ubyte >0x40 %c +# or last digit of 4 character version string +>>14 ubyte <0x41 \b%c +# test again so that next default clause works +>14 ubyte x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-fm.trid.xml +# Note: called "FrameMaker Help" by TrID +# look for 
reference to FrameMaker help name suffix like in: index1.hlp +>>18 search/9688/s .hlp: \b) help +# the internal FrameMaker help are just FrameMaker document with hlp suffix; XREF.HLP is same as Xref-hlp.fm +!:ext hlp +# For control reason show link name like: +# "Overview" "lastpage "firstpage "Add File" "Conditional Text" "Table Format" "Creating a reference frame" "firstpageCov" "Spot Colors" "Selecting text" "proceduresbl" "lastpageu" "Introducing HelpHe" "Menu of Syntax Descriptions" "Main FrameMaker window" +#>>>&5 string x LINK_NAME "%s" +>>>&5 string x +# look for gotolink or openlink keyword before help file name +>>>&-18 search/18/s link\040 +# link construct with help name like: "gotolink xref.hlp:Overview" "openlink syntax1.hlp:firstpage" +>>>>&-4 regex/s =^\[A-Za-z0-9.:\040]{1,} with "%s" +# if not FrameMaker Help assume it is "normal" FrameMaker document +# shown with closing parenthesis to get look like in frame,v 1.18 +>>18 default x \b) +# sometimes without suffix like: CHAPTER HARVARD LETTER MEMO1 NEWSLTR REPORT3 +# no samples found with .bk or .book extension +# allchaps.ix (Framemaker Index) and others like: +# title.fm4 wp.filt textre1.htr pmscript.ind change.nbh books.prd executiv.sum Hyper.Template +!:ext /fm/doc/toc/ix # URL: http://fileformats.archiveteam.org/wiki/Maker_Interchange_Format # Reference: https://help.adobe.com/en_US/framemaker/mifreference/mifref.pdf # Update: Joerg Jenderek 2019 Nov 
@@ -36,22 +66,70 @@ # comment starting with # shows the name+version number of generating program >13 search/3 # >>&0 string x "%s" +# Update: Joerg Jenderek +# Note: called "Adobe FrameMaker document" by shared MIME-info database from freedesktop.org 0 search/1 \<MakerDictionary FrameMaker Dictionary text -!:mime application/x-mif +#!:mime text/plain +#!:mime application/x-mif +!:mime application/vnd.framemaker +# like site.dict but often extension is a 3 letters country code like in: hyphens.brt hyphens.eng +!:ext dict/eng/brt +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fm-hyph-dict-30.trid.xml +# Note: called "FrameMaker hyphens dictionary (v3.0)" by TrID >17 string 3.0 (3.0) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fm-hyph-dict-20.trid.xml +# Note: called "FrameMaker hyphens dictionary (v2.0)" by TrID >17 string 2.0 (2.0) >17 string 1.0 (1.x) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bfont.trid.xml +# Update: Joerg Jenderek 2023 +# Note: called "XFrameMaker Bitmapped screen Font" by TrID and +# "Adobe FrameMaker font" by shared MIME-info database from freedesktop.org 0 string \<MakerScreenFont FrameMaker Font file -!:mime application/x-mif +#!:mime application/octet-stream +#!:mime application/x-mif +!:mime application/x-font-framemaker +!:ext bfont +# Note: maybe also other version like: 1.x +>17 string !1.01 +>>17 string x (%-0.4s) >17 string 1.01 (%s) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mml-fm.trid.xml +# Update: Joerg Jenderek 2023 Nov +# Note: called "FrameMaker Maker Markup Language" by TrID and +# "Adobe FrameMaker document" by shared MIME-info database from freedesktop.org 0 string \<MML FrameMaker MML file -!:mime application/x-mif -0 string \<BookFile FrameMaker Book file -!:mime application/x-mif ->10 string 3.0 (3.0 ->10 string 2.0 (2.0 ->10 string 1.0 (1.0 ->13 byte x %c) +#!:mime text/plain +#!:mime application/x-mif +!:mime application/vnd.framemaker +!:ext 
mml +# Note: sometimes followed by space and version like 1.00 (formats.mml sample.mml) and more text +>5 string >0 (%-0.4s) +# URL: http://fileformats.archiveteam.org/wiki/FrameMaker +# Reference: http://mark0.net/download/triddefs_xml.7z +# defs/b/book-fm.trid.xml +# defs/b/bk-fm.trid.xml +# Update: Joerg Jenderek 2023 Dez +# Note: called "FrameMaker book (binary)" by TrID and +# "Adobe FrameMaker document" by shared MIME-info database from freedesktop.org +# look for BookFile, Bookfile (capitalized) or BOOKFILE (upcased) directive +0 string/c \<Bookfile FrameMaker Book file +#!:mime application/octet-stream +#!:mime application/x-mif +!:mime application/vnd.framemaker +# http://extension.nirsoft.net/book +!:ext bk/book +# version like: 1.0 2.0 3.0 4.0 5.0 5.5 6.0 7.0 8.0 10.0 +# 3 characters of version number string +>10 string x (%-0.3s +# if greater sign then exact 3 byte version string +>13 ubyte =0x3e \b) +# if digit then 4 byte version string +>13 ubyte <0x3A \b%c) +# if letter then this is appended sub level after 3 byte version string +>13 ubyte >0x3A %c) +# first directive typically is followed by one space character +>9 ubyte !0x20 \b, no space before version # XXX - this book entry should be verified, if you find one, uncomment this #0 string \<Book\040 FrameMaker Book (ASCII) file #!:mime application/x-mif diff --git a/contrib/file/magic/Magdir/games b/contrib/file/magic/Magdir/games index b5d4664c8891..b8ead41b1dba 100644 --- a/contrib/file/magic/Magdir/games +++ b/contrib/file/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.25 2022/05/31 18:40:20 christos Exp $ +# $File: games,v 1.35 2024/11/09 23:04:46 christos Exp $ # games: file(1) for games # Fabio Bonelli <fabiobonelli@libero.it> 
@@ -32,53 +32,6 @@ >0 string x , name=%s >44 string x , world=%s -# Quake - -# Update: Joerg Jenderek -# URL: http://fileformats.archiveteam.org/wiki/PAK -# reference: https://quakewiki.org/wiki/.pak -# GRR: line below is too general as it matches also Acorn PackDir compressed Archive -# and Git pack ./revision -0 string PACK -# real Quake examples like pak0.pak have only some hundreds like 150 files -# So test for few files ->8 ulelong <0x01000000 -# in file version 5.32 test for null terminator is only true for -# offset ~< FILE_BYTES_MAX = 1 MB defined in ../../src/file.h -# look for null terminator of 1st entry name ->>(4.l+55) ubyte 0 Quake I or II world or extension -!:mime application/x-dzip -!:ext pak -#>>>8 ulelong x \b, table size %u -# dividing this by entry size (64) gives number of files ->>>8 ulelong/64 x \b, %u files -# offset to the beginning of the file table ->>>4 ulelong x \b, offset %#x -# 1st file entry ->>>(4.l) use pak-entry -# 2nd file entry -#>>>4 ulelong+64 x \b, offset %#x -#>>>(4.l+64) use pak-entry -# -# display file table entry of Quake PAK archive -0 name pak-entry -# normally entry start after header which implies offset 12 or higher ->56 ulelong >11 -# the offset from the beginning of pak to beginning of this entry file contents ->>56 ulelong x at %#x -# the size of file for this entry ->>60 ulelong x %u bytes -# 56 byte null-terminated entry name string includes path like maps/e1m1.bsp ->>0 string x '%-.56s' -# inspect entry content by jumping to entry offset ->>(56) indirect x \b: - -#0 string -1\x0a Quake I demo -#>30 string x version %.4s -#>61 string x level %s - -#0 string 5\x0a Quake I save - # The levels # Quake 1 
@@ -184,6 +137,15 @@ 0 string MComprHD MAME CHD compressed hard disk image, >12 belong x version %u +# MAME input recordings + +0 string MAMEINP\0 MAME input recording +>8 leqdate x at %s, +>16 leshort x format version %d. +>18 leshort x \b%d, +>20 string/12 x %s driver, +>32 string/32 x %s + # doom - submitted by Jon Dowland 0 string =IWAD doom main IWAD data 
@@ -293,12 +255,92 @@ >2 regex/c GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package -# -0 lelong 0x9E2A83C1 Unreal Engine Package, ->4 leshort x version: %i ->12 lelong !0 \b, names: %i ->28 lelong !0 \b, imports: %i ->20 lelong !0 \b, exports: %i +# URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html +# https://eliotvu.com/page/unreal-package-file-format +# Little-endian version (such as x86 PC) +0 lelong 0x9E2A83C1 Unreal Engine package (little-endian) +!:ext xxx/tfc/upk/me1/u +>4 uleshort !0 \b, version %u +>>6 uleshort !0 \b/%03u +>>0 use upk_header +# Big-endian version (such as PS3) +0 belong 0x9E2A83C1 Unreal Engine package (big-endian) +!:ext xxx/tfc +>6 ubeshort !0 \b, version %u +>>4 ubeshort !0 \b/%03u +>>0 use \^upk_header + +0 name upk_header +# Identify game from version and licensee +>4 ulelong 0x000002b2 (Alice Madness Returns) +>4 ulelong 0x002f0313 (Aliens: Colonial Marines) +>4 ulelong 0x005b021b (Alpha Protocol) +>4 ulelong 0x0000032c (AntiChamber) +>4 ulelong 0x00200223 (APB: All Points Bulletin) +>4 ulelong 0x004b02d7 (Bioshock Infinite) +>4 ulelong 0x00380340 (Borderlands 2) +>4 ulelong 0x001d02e6 (Bulletstorm) +>4 ulelong 0x00050240 (CrimeCraft) +>4 ulelong 0x00000356 (Deadlight) +>4 ulelong 0x001e0321 (Dishonored) +>4 ulelong 0x000202a6 (Dungeon Defenders) +>4 ulelong 0x000901ea (Gears of War) +>4 ulelong 0x0000023f (Gears of War 2) +>4 ulelong 0x0000033c (Gears of War 3) +>4 ulelong 0x0000034e (Gears of War: Judgement) +>4 ulelong 0x0004035c (Hawken) +>4 ulelong 0x0001034a (Infinity Blade 2) +>4 ulelong 0x00000350 (InMomentum) +>4 ulelong 0x0015037D (Life Is Strange) +>4 ulelong 0x000b01a5 (Medal of Honor: Airborne) +>4 ulelong 0x002b0218 (Mirrors Edge) +>4 ulelong 0x0000027e (Monday Night Combat) +>4 ulelong 0x0000024b (MoonBase Alpha) +>4 ulelong 0x002e01d8 (Mortal Kombat Komplete Edition 2605) +>4 ulelong 0x0000035c (Painkiller HD) +>4 ulelong 0x0000034d (Q.U.B.E) +>4 ulelong 0x80660340 (Quantum Conundrum) +>4 
ulelong 0x0000035b (Ravaged) +>4 ulelong 0x00150340 (Remember Me) +>4 ulelong 0x00060171 (Roboblitz) +>4 ulelong 0x00000325 (Rock of Ages) +>4 ulelong 0x0000032a (Sanctum) +>4 ulelong 0x00030248 (Saw) +>4 ulelong 0x007e0248 (Singularity) +>4 ulelong 0x00090388 (Soldier Front 2) +>4 ulelong 0x000701e6 (Stargate Worlds) +>4 ulelong 0x00000334 (Super Monday Night Combat) +>4 ulelong 0x000002c2 (The Ball) +>4 ulelong 0x000e0262 (The Exiled Realm of Arborea or TERA) +>4 ulelong 0x0000035b (The Five Cores) +>4 ulelong 0x00000349 (The Haunted: Hells Reach) +>4 ulelong 0x00000354 (Unmechanical) +>4 ulelong 0x035c0298 (Unreal Development Kit) +>4 ulelong 0x00000200 (Unreal Tournament 3) +>4 ulelong 0x0000032d (Waves) +>4 ulelong 0x003b034d (XCOM: Enemy Unknown) +# Newer versions insert more headers +>4 ulelong&0xFFFF <249 +>>12 lelong !0 \b, names: %d +>>28 lelong !0 \b, imports: %d +>>20 lelong !0 \b, exports: %d +>4 ulelong&0xFFFF >248 +>>12 belong&0xFF !0 +>>>12 string x \b, folder "%s" +>>>>&5 lelong !0 \b, names: %d +>>>>&21 lelong !0 \b, imports: %d +>>>>&13 lelong !0 \b, exports: %d +>>12 belong&0xFF 0 +>>>16 belong&0xFF !0 +>>>>16 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d +>>>16 belong&0xFF 0 +>>>>20 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d 0 string ESVG >4 lelong 0x00160000 @@ -510,3 +552,115 @@ >>0 ulelong&0xf =8 RDR 2, >>4 ulelong x %d bytes, >>>8 ulelong x %d entries + +# Blitz3D Model File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/B3DExport/blob/master/B3DExport.py +0 string BB3D +>4 lelong >0 +>>8 lelong >0 Blitz3D Model +!:ext b3d +>>>8 lelong x \b, version %d + +# Minetest Schematic File Format +# 
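Review bot: In `upk_header` the value `0x0000035b` is listed twice, as `(Ravaged)` and as `(The Five Cores)`, so a package carrying that version/licensee word matches both lines and gets both game names appended. If the two titles really share the value, a single line such as `>4 ulelong 0x0000035b (Ravaged or The Five Cores)` says so; otherwise one of the constants is probably a typo and should be checked against the cited references. The table also lacks a comment on how the 32-bit key is built; judging by the little-endian `>4`/`>>6` tests, `# low 16 bits: package version, high 16 bits: licensee version` above the list would cover it.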
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/minetest/blob/5.6.1/src/mapgen/mg_schematic.h +0 string MTSM Minetest Schematic +!:ext mts +>4 ubeshort x \b, version %d +>6 ubeshort x \b, size [%d +>8 ubeshort x \b, %d +>10 ubeshort x \b, %d] + +# MagicaVoxel File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/ephtracy/voxel-model/blob/ee2216c28a78ebb68691dc6cfa9c4ba429117ea2/MagicaVoxel-file-format-vox.txt +# Note: This format is used in Veloren voxel RPG. +0 string VOX\x20 +>4 lelong >0 MagicaVoxel model +!:ext vox +>>4 lelong x \b, version %d + +# Wwise SoundBank +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_SoundBank_(*.bnk) +0 string BKHD +# Little-endian version (such as x86 PC) +>4 ulelong <0x100 Wwise SoundBank (little-endian) +!:ext bnk +>>0 use wwise_bkhd +# Big-endian version (such as PS3) +>4 ubelong <0x100 Wwise SoundBank (big-endian) +!:ext bnk +>>0 use \^wwise_bkhd + +0 name wwise_bkhd +>8 ulelong x \b, version %d +>12 ulelong x \b, id %08X +>16 ulelong =0x00 \b, SFX +>16 ulelong =0x01 \b, arabic +>16 ulelong =0x02 \b, bulgarian +>16 ulelong =0x03 \b, chinese (HK) +>16 ulelong =0x04 \b, chinese (PRC) +>16 ulelong =0x05 \b, chinese (Taiwan) +>16 ulelong =0x06 \b, czech +>16 ulelong =0x07 \b, danish +>16 ulelong =0x08 \b, dutch +>16 ulelong =0x09 \b, english (Australia) +>16 ulelong =0x0A \b, english (India) +>16 ulelong =0x0B \b, english (UK) +>16 ulelong =0x0C \b, english (US) +>16 ulelong =0x0D \b, finnish +>16 ulelong =0x0E \b, french (Canada) +>16 ulelong =0x0F \b, french (France) +>16 ulelong =0x10 \b, german +>16 ulelong =0x11 \b, greek +>16 ulelong =0x12 \b, hebrew +>16 ulelong =0x13 \b, hungarian +>16 ulelong =0x14 \b, indonesian +>16 ulelong =0x15 \b, italian +>16 ulelong =0x16 \b, japanese +>16 ulelong =0x17 \b, korean +>16 ulelong =0x18 \b, latin +>16 ulelong =0x19 \b, norwegian +>16 ulelong =0x1A \b, polish +>16 ulelong =0x1B \b, portuguese (Brazil) +>16 ulelong =0x1C \b, portuguese (Portugal) +>16 ulelong =0x1D \b, romanian +>16 ulelong =0x1E \b, russian +>16 ulelong =0x1F \b, slovenian +>16 ulelong =0x20 \b, spanish (Mexico) +>16 ulelong =0x21 \b, spanish (Spain) +>16 ulelong =0x22 \b, spanish (US) +>16 ulelong =0x23 \b, swedish +>16 ulelong =0x24 \b, turkish +>16 ulelong =0x25 \b, ukrainian +>16 ulelong =0x26 \b, vietnamese + +# Wwise Audio Package +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_Audio_PCK +0 string AKPK +# Little-endian version (such as x86 PC) +>8 ulelong <0x100 Wwise Audio Package (little-endian) +!:ext pck +# Big-endian version (such as PS3) +>8 ubelong <0x100 Wwise Audio Package (big-endian) +!:ext pck + +# RPG Maker MV/MZ encrypted assets. Version was only ever known to be 00030100. +0 string RPGMV\0\0\0 +>12 string \0\0\0\0 +>>8 belong x RPG Maker MV encrypted asset, version %08x +!:ext png_/ogg_/m4a_/rpgmvp/rpgmvo/rpgmvm + +# https://arthran2.itch.io/encrypterator-3000 +0 string ART\0ENCRYPTER100FREE\0VERSION\0\0\0\0 RPG Maker MV encrypted asset, Encrypterator 3000 variant. +!:ext png_/ogg_/m4a_/rpgmvp/rpgmvo/rpgmvm + + +# http://www.shikadi.net/moddingwiki/PCX_Library +0 string/b pcxLib\0 +>122 ubyte 0x01 pcxLib archive +>>144 uleshort 0 \b, uncompressed +>>144 uleshort !0 \b, compressed diff --git a/contrib/file/magic/Magdir/gentoo b/contrib/file/magic/Magdir/gentoo new file mode 100644 index 000000000000..fc3fca779684 --- /dev/null +++ b/contrib/file/magic/Magdir/gentoo 
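Review bot: The Wwise byte-order branches are not mutually exclusive, because a field value of 0 satisfies both of them. Under `0 string BKHD`, `>4 ulelong <0x100` and `>4 ubelong <0x100` are both true for 0, and the same holds for `>8 ulelong <0x100` and `>8 ubelong <0x100` under `0 string AKPK`. Such a file is reported as little-endian and big-endian at once, and for BKHD `wwise_bkhd` is run twice. Putting both branches under a parent test like `>4 ulelong !0` (`>8 ulelong !0` for AKPK) keeps the output unambiguous for zeroed or truncated headers. A one-line comment naming the field that the `<0x100` bound is applied to would also make the heuristic reviewable.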
@@ -0,0 +1,85 @@ +#------------------------------------------------------------------------------ +# $File: gentoo,v 1.6 2024/02/11 15:39:59 christos Exp $ +# gentoo: file(1) magic for gentoo specific formats +# +# Summary: Gentoo ebuild Manifest files (GLEP 74) +# Reference: https://www.gentoo.org/glep/glep-0074.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +# Start by doing a fast check for the most common tags. +0 string AUX\040 +>0 use gentoo-manifest +0 string DATA\040 +>0 use gentoo-manifest +0 string DIST\040 +>0 use gentoo-manifest +0 string EBUILD\040 +>0 use gentoo-manifest +0 string MANIFEST\040 +>0 use gentoo-manifest + +# Manifest can be PGP-signed. +0 string -----BEGIN\040PGP\040SIGNED\040MESSAGE----- +>34 search/32 \n\n +>>&0 string AUX\040 +>>>&0 use gentoo-manifest +>>&0 string DATA\040 +>>>&0 use gentoo-manifest +>>&0 string DIST\040 +>>>&0 use gentoo-manifest +>>&0 string EBUILD\040 +>>>&0 use gentoo-manifest +>>&0 string MANIFEST\040 +>>>&0 use gentoo-manifest + +# Use a more detailed regex to verify that we were correct. +# <tag> <filename> <size> <hash-name> <hash-value>... +# (<tag>'s already been matched prior to calling) +0 name gentoo-manifest +>&0 regex [[:space:]]+[[:print:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+[[:space:]]+[[:xdigit:]]{32} Gentoo Manifest (GLEP 74) +!:mime application/vnd.gentoo.manifest + +# Summary: Gentoo ebuild and eclass files +# Reference: https://projects.gentoo.org/pms/8/pms.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +0 search/512 EAPI= +>0 regex .*\n[\040\t]*EAPI=["']? 
Gentoo ebuild +>>&0 regex [[:alnum:]+_.-]+ \b, EAPI %s +!:mime application/vnd.gentoo.ebuild + +0 search/512 @ECLASS:\040 Gentoo eclass +>&0 string x %s +!:mime application/vnd.gentoo.eclass + +# Summary: Gentoo supplementary package and category metadata files +# Reference: https://www.gentoo.org/glep/glep-0068.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +0 string \<?xml +>0 search/512 \<catmetadata Gentoo category metadata file +!:mime application/vnd.gentoo.catmetadata+xml +>0 search/512 \<pkgmetadata Gentoo package metadata file +!:mime application/vnd.gentoo.pkgmetadata+xml + +# Summary: Gentoo GLEP 78 binary package +# Reference: https://www.gentoo.org/glep/glep-0078.html +# Note: assumes the strict format +# Submitted by: Michal Gorny <mgorny@gentoo.org> + +# GPKG uses ustar (or ustar-compatible GNU format) that starts with +# a <directory>/gpkg-1 file +257 string ustar +>0 search/100 /gpkg-1\0 +>>0 regex [^/]+ Gentoo GLEP 78 (GPKG) binary package for "%s" +!:mime application/vnd.gentoo.gpkg +!:ext tar +# the logic below requires the gpkg-1 file to be empty +>>>124 string 00000000000\0 +# determine the compression used by looking at the second member name +>>>>512 search/100 .tar. +>>>>>&0 string gz\0 using gzip compression +>>>>>&0 string bz2\0 using bzip2 compression +>>>>>&0 string lz\0 using lzip compression +>>>>>&0 string lz4\0 using lz4 compression +>>>>>&0 string lzo\0 using lzo compression +>>>>>&0 string xz\0 using xz compression +>>>>>&0 string zst\0 using zstd compression +>>>>(636.o+1024) search/611 .sig\0 \b, signed diff --git a/contrib/file/magic/Magdir/geo b/contrib/file/magic/Magdir/geo index dda5f738311d..5065db5581fe 100644 --- a/contrib/file/magic/Magdir/geo +++ b/contrib/file/magic/Magdir/geo 
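Review bot: The trailing `\b, signed` on the GPKG entry comes from `>>>>(636.o+1024) search/611 .sig\0`, which only finds a member name ending in `.sig`, so the word reports presence and not validity. A comment above that line would keep readers of the output from over-trusting it, for example `# "signed" = a .sig member name is present; the signature itself is not checked`. The PGP-signed Manifest branch has a similar undocumented limit: `>34 search/32 \n\n` finds the blank line after the armor header only within 32 bytes. A comment such as `# armor headers longer than 32 bytes are not followed` would record that.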
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.8 2022/03/24 15:48:58 christos Exp $ +# $File: geo,v 1.11 2024/11/09 23:35:01 christos Exp $ # Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> ###################################################################### 
@@ -54,7 +54,43 @@ ###################################################################### # GeoAcoustics - GeoSwath Plus -4 beshort 0x2002 GeoSwath RDF +# Update: Joerg Jenderek +# URL: https://www.mbari.org/products/research-software/mb-system/ +# Reference: http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/ +# GS%2B-6063-BB-GS%2B-Broadcast-Raw-Data-File-Format-Command-Specification.pdf +# Note: All data is written using Intel 80x86 byte ordering (LSB to MSB) +# raw_header_siz; file header size is 544 bytes +4 beshort 0x2002 +# GRR: line above is too general as it matches also some Microsoft Event Trace Logs *.ETL +# skip many (63/753) Microsoft Event Trace Logs (AMSITrace.etl lxcore_kernel.etl NotificationUxBroker.052.etl WindowsBackup.4.etl) with invalid "low" ping header size 0 +>6 leshort >0 GeoSwath RDF +# skip foo samples with invalid "high" spare bytes +#>>536 ulequad =0 OK_THIS_IS_GeoSwath_RDF +#!:mime application/octet-stream +!:mime application/x-geoswath-rdf +# http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/060116342.rdf +!:ext rdf +# filename; original file name like: "C:\GS+\Projects\Default\Raw Data Files\060116342.rdf" +>>8 string x "%-.512s" +# version[8]; recording software version number like: 3.16c +>>527 string x \b, version %-.8s +# creation; unsigned int file creation time; WHAT time format is this? 
+>>0 ulelong x \b, creation time %#8.8x +# raw_ping_header_size; size of ping header in bytes like: 64 +>>6 leshort !64 \b, ping header size %d +# frequency; system frequency in hertz like: 500000 +>>520 lelong x \b, frequency %d +# echo_type; Echosounder type index like: 1 +>>524 leshort x \b, echo type %#x +# file_mode; file mode mask (0x00 bathy & sidescan, 0x80 bathy, 0x40 sidescan, 0x20 seismic) +>>526 ubyte !0 \b, file mode %#2.2x +# pps_mode; PPS synch mode like: 2 +>>535 byte x \b, pps mode %#x +# char spare[8]; apparently zeroed +>>536 ubequad !0 \b, spare %#16.16llx +# Ping_number; 1st ping number like: 4944 +>>544 lelong x \b, 1st ping number %d + 0 string Start:- GeoSwatch auf text file # Seabeam 2100 @@ -88,7 +124,7 @@ # ###################################################################### -# IVS - IVS3d.com Tagged Data Represetation +# IVS - IVS3d.com Tagged Data Representation 0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file # http://www.ecma-international.org/publications/standards/Ecma-363.htm @@ -128,3 +164,7 @@ # alex myczko <alex@aiei.ch> # http://pointclouds.org/documentation/tutorials/pcd_file_format.php 0 string #\ .PCD Point Cloud Data + +# FlatGeobuf is a GIS file format for encoding geographic data. +# https://flatgeobuf.org/#specification +0 bequad 0x6667620366676201 FlatGeobuf file diff --git a/contrib/file/magic/Magdir/geos b/contrib/file/magic/Magdir/geos index 66c2bd1a2904..f1a12d38ee9c 100644 --- a/contrib/file/magic/Magdir/geos +++ b/contrib/file/magic/Magdir/geos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $ +# $File: geos,v 1.5 2024/04/07 17:56:40 christos Exp $ # GEOS files (Vidar Madsen, vidar@gimp.org) # semi-commonly used in embedded and handheld systems. 0 belong 0xc745c153 GEOS 
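Review bot: The new GeoSwath comments state that all data is written in Intel byte order, yet the signature is tested with `4 beshort 0x2002` and the spare field with `>>536 ubequad`, while every other field uses `le*` types. A reader cannot tell whether the mix is deliberate. A comment next to the signature would settle it, for example `# matched big-endian, i.e. bytes 20 02 on disk; the remaining header fields are little-endian`. The open question left in `# creation; ... WHAT time format is this?` is also worth resolving or marking as a known gap, since the value is printed as raw hex.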
@@ -18,3 +18,12 @@ #>52 short x \b, proto %d #>54 short x \br%d #>168 string >\0 \b, copyright "%s" + +30 string PRG\ formatted\ GEOS\ file Formatted GEOS file +>22 byte 6 \b, APPLICATION +>22 byte 14 \b, AUTO_EXEC +>22 byte 5 \b, DESK_ACC +>22 byte 2 \b, ASSEMBLY +>22 byte 11 \b, DISK_DEVICE +>22 byte 9 \b, PRINTER +>22 byte 4 \b, SYSTEM diff --git a/contrib/file/magic/Magdir/hitachi-sh b/contrib/file/magic/Magdir/hitachi-sh index f64489f7fcf6..cfcda8494ce7 100644 --- a/contrib/file/magic/Magdir/hitachi-sh +++ b/contrib/file/magic/Magdir/hitachi-sh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hitachi-sh,v 1.10 2020/12/12 20:01:47 christos Exp $ +# $File: hitachi-sh,v 1.11 2024/02/18 14:15:22 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF @@ -28,3 +28,19 @@ >>0 use display-coff !:strength -10 +# Hitachi SH COFF object file +0 leshort 0x01a2 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x01a3 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x01a4 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x01a6 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x01a8 +>16 leshort 0 +>>0 use display-coff diff --git a/contrib/file/magic/Magdir/hp b/contrib/file/magic/Magdir/hp index d57169ee16e7..5bf30b3ec085 100644 --- a/contrib/file/magic/Magdir/hp +++ b/contrib/file/magic/Magdir/hp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hp,v 1.25 2019/01/13 00:32:38 christos Exp $ +# $File: hp,v 1.27 2024/08/27 18:50:57 christos Exp $ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be 
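Review bot: The five new Hitachi SH entries (`0 leshort 0x01a2` through `0x01a8`) identify a file from a two-byte value plus `>16 leshort 0`, and unlike the entry just above them in the context they carry no `!:strength` reduction. The PA-RISC entry `0 leshort 0x0290` added to Magdir/hp has the same shape, and the Magdir/ibm6000 rewrite to `0 beshort 0x01df` followed by `>0 use \^display-coff` has no second test at all. `display-coff` is defined outside these hunks and may add its own checks. If it does not, unrelated data starting with these bytes will be labelled as COFF ahead of weaker but correct matches. Adding `!:strength -10` after each `use display-coff` line, as the existing entry does, would limit that.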
@@ -261,25 +261,6 @@ >7 string J (ASCII Vector specification) >7 string K (wildcard) -# Summary: HP-38/39 calculator -# Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> -0 string HP3 ->3 string 8 HP 38 ->3 string 9 HP 39 ->4 string Bin binary ->4 string Asc ASCII ->7 string A (Directory List) ->7 string B (Zaplet) ->7 string C (Note) ->7 string D (Program) ->7 string E (Variable) ->7 string F (List) ->7 string G (Matrix) ->7 string H (Library) ->7 string I (Target List) ->7 string J (ASCII Vector specification) ->7 string K (wildcard) - # hpBSD magic numbers 0 beshort 200 hp200 (68010) BSD >2 beshort 0407 impure binary @@ -430,4 +411,8 @@ >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ +# PA-RISC COFF object file +0 leshort 0x0290 +>16 leshort 0 +>>0 use display-coff diff --git a/contrib/file/magic/Magdir/ibm370 b/contrib/file/magic/Magdir/ibm370 index dc976f8705ea..95f737128c97 100644 --- a/contrib/file/magic/Magdir/ibm370 +++ b/contrib/file/magic/Magdir/ibm370 @@ -1,10 +1,10 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.11 2021/03/14 16:51:45 christos Exp $ +# $File: ibm370,v 1.13 2024/06/19 16:52:57 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". -# What the heck *is* "USS/370"? +# "USS/370" is an old name for the z/OS Unix subsystem # AIX 4.1's "/etc/magic" has # # 0 short 0535 370 sysV executable 
@@ -48,5 +48,11 @@ >24 belong >0 - version %d # NETDATA (https://en.wikipedia.org/wiki/NETDATA) -# -\INMR01 In EBCDIC -0 string \x60\xe0\xc9\xd5\xd4\xd9\xf0\xf1 IBM NETDATA file +# INMR01 In EBCDIC starting at offset 2 +2 string \xc9\xd5\xd4\xd9\xf0\xf1 IBM NETDATA file + +# z/OS Program Object executable +# Starts with "IEWPLMH" in EBCDIC, followed by a single EBCDIC space to pad +# to 8 bytes. According to https://www.ibm.com/support/pages/apar/PK91585 +# IEWPLMH is eyecatcher for "Binder Program Load Module Header" control block +0 string \xc9\xc5\xe6\xd7\xd3\xd4\xc8\x40 z/OS Program Object executable diff --git a/contrib/file/magic/Magdir/ibm6000 b/contrib/file/magic/Magdir/ibm6000 index 724b64d3a5eb..78804b4fb785 100644 --- a/contrib/file/magic/Magdir/ibm6000 +++ b/contrib/file/magic/Magdir/ibm6000 @@ -1,10 +1,13 @@ #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.15 2021/07/03 14:01:46 christos Exp $ +# $File: ibm6000,v 1.16 2024/03/31 15:06:56 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # -0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module ->12 belong >0 not stripped +# Update: Joerg Jenderek +#0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module +0 beshort 0x01df +# use subroutine (./coff) to display name+flags+variables for common object formatted files +>0 use \^display-coff # Breaks sun4 statically linked execs. #0 beshort 0x0103 executable (RT Version 2) or obj module #>2 byte 0x50 pure diff --git a/contrib/file/magic/Magdir/iff b/contrib/file/magic/Magdir/iff index 258d16a4e1e3..aa31ddc0ec4b 100644 --- a/contrib/file/magic/Magdir/iff +++ b/contrib/file/magic/Magdir/iff 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: iff,v 1.18 2022/03/21 19:57:18 christos Exp $ +# $File: iff,v 1.20 2024/02/09 00:44:31 christos Exp $ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic @@ -10,11 +10,25 @@ # IFF files begin with an 8 byte FORM header, followed by a 4 character # FORM type, which is followed by the first chunk in the FORM. +# URL: http://fileformats.archiveteam.org/wiki/IFF +# https://en.wikipedia.org/wiki/Interchange_File_Format +# Reference: https://wiki.amigaos.net/wiki/IFF_FORM_and_Chunk_Registry +# Note: called "Interchange File" by DROID via PUID x-fmt/157 and +# "IFF file" or as alias expanded "Interchange File Format" by shared MIME-info database from freedesktop.org 0 string FORM IFF data #>4 belong x \b, FORM is %d bytes long # audio formats +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/AIFF +# https://en.wikipedia.org/wiki/Audio_Interchange_File_Format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/audio-aiff.trid.xml +# Note: called "AIFF Audio Interchange File Format" by TrID and +# "Audio Interchange File Format" by DROID via PUID fmt/414 >8 string AIFF \b, AIFF audio !:mime audio/x-aiff +# not officially registered +#!:mime audio/aiff +!:ext aiff/aif/aff >8 string AIFC \b, AIFF-C compressed audio !:mime audio/x-aiff >8 string 8SVX \b, 8SVX 8-bit sampled sound voice 
@@ -51,7 +65,14 @@ >8 string CTLG \b, CTLG message catalog >8 string PREF \b, PREF preferences >8 string DTYP \b, DTYP datatype description +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/iff-pch.trid.xml +# Note: called "IFF binary Patch" by TrID >8 string PTCH \b, PTCH binary patch +#!:mime application/octet-stream +#!:mime application/x-iff +#!:mime application/x-amiga-patch +!:ext patch/pch >8 string AMFF \b, AMFF AmigaMetaFile format >8 string WZRD \b, WZRD StormWIZARD resource >8 string DOC\040 \b, DOC desktop publishing document diff --git a/contrib/file/magic/Magdir/images b/contrib/file/magic/Magdir/images index 95004d1d9f47..a3b972fb1ee1 100644 --- a/contrib/file/magic/Magdir/images +++ b/contrib/file/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.223 2022/05/14 20:05:09 christos Exp $ +# $File: images,v 1.263 2024/11/10 20:44:30 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -13,8 +13,10 @@ # Targa - matches `povray', `ppmtotga' and `xv' outputs # by Philippe De Muyter <phdm@macqel.be> # URL: http://justsolve.archiveteam.org/wiki/TGA +# https://en.wikipedia.org/wiki/Truevision_TGA # Reference: http://www.dca.fee.unicamp.br/~martino/disciplinas/ea978/tgaffs.pdf -# Update: Joerg Jenderek +# Update: Joerg Jenderek February 2024 +# Note: called by DROID "Truevision TGA Bitmap" version 1.0 via PUID x-fmt/367 # at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 # ,32 or 33 (both not observed) # at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise 
@@ -27,6 +29,8 @@ # and Image Type 1 2 3 9 10 11 32 33 # and Color Map Entry Size 0 15 16 24 32 0 ubequad&0x00FeC400000000C0 0 +# Targa image data (strength=70=110-40) before some Commodore disc image (strength=70=70+0 ./c64) like Cabal+2-MarioSoft(1).d64 +# and some MMDF mailbox (strength=70=70+0 ./mmdf) like uupc.input.1 # Conflict with MPEG sequences. !:strength -40 # Prevent conflicts with CRI ADX. @@ -42,7 +46,10 @@ >>>>17 ubyte&0x0F !11 # skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel depth 1 8 15 16 24 32 >>>>>16 ubyte 1 ->>>>>>0 use tga-image +# skip few Commodore D64 disc image like "The Great Gianna Sisters.d64" and +# few MMDF mailbox like uupc.input.1 with unlikely black&white, dimension 0101h x 0101h (257x257) and +0101h origin (+257 +257) +>>>>>>8 quad !0x0101010101010101 +>>>>>>>0 use tga-image >>>>>16 ubyte 8 >>>>>>0 use tga-image >>>>>16 ubyte 15 @@ -57,9 +64,11 @@ 0 name tga-image >2 ubyte <34 Targa image data !:mime image/x-tga +# Apple Uniform Type Identifier: com.truevision.tga-image !:apple ????TPIC # normal extension .tga but some Truevision products used others: # tpic (Apple),icb (Image Capture Board),vda (Video Display Adapter),vst (NuVista),win (UNSURE about that) +# afi bpx !:ext tga/tpic/icb/vda/vst # image type 1 2 3 9 10 11 32 33 >2 ubyte&0xF7 1 - Map @@ -110,6 +119,7 @@ # positive length implies identification field >0 ubyte >0 >>18 string x "%s" +# Note: called by DROID "Truevision TGA Bitmap" version 2.0 via fmt/402 # last 18 bytes of newer tga file footer signature >18 search/4261301/s TRUEVISION-XFILE.\0 # extension area offset if not 0 @@ -179,7 +189,7 @@ # adding 65 to strength so that Netpbm images comes before "x86 boot sector" or # "DOS/MBR boot sector" identified by ./filesystems 0 name netpbm ->3 regex/s =[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data +>3 regex/s =\^[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s 
@@ -311,12 +321,12 @@ 0 string MM\x00\x2a TIFF image data, big-endian !:strength +70 !:mime image/tiff -!:ext tif,tiff +!:ext tif/tiff >(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff !:strength +70 -!:ext tif,tiff +!:ext tif/tiff >(4.l) use tiff_ifd 0 name tiff_ifd @@ -327,17 +337,21 @@ # NewSubFileType >0 uleshort 0xfe >>12 use tiff_entry +# Width >0 uleshort 0x100 >>4 ulelong 1 ->>>12 use tiff_entry >>>8 uleshort x \b, width=%d +>>>12 use tiff_entry +# Height >0 uleshort 0x101 >>4 ulelong 1 >>>8 uleshort x \b, height=%d >>>12 use tiff_entry +# BPS >0 uleshort 0x102 >>8 uleshort x \b, bps=%d >>12 use tiff_entry +# Compression >0 uleshort 0x103 >>4 ulelong 1 \b, compression= >>>8 uleshort 1 \bnone @@ -365,7 +379,8 @@ >>>8 default x >>>>8 uleshort x \b(unknown %#x) >>>12 use tiff_entry ->0 uleshort 0x106 \b, PhotometricIntepretation= +# Photometric Interpretation +>0 uleshort 0x106 \b, PhotometricInterpretation= >>8 clear x >>8 uleshort 0 \bWhiteIsZero >>8 uleshort 1 \bBlackIsZero @@ -460,10 +475,8 @@ # GPS IFD >0 uleshort 0x8825 \b, GPS-Data >>12 use tiff_entry - #>0 uleshort x \b, unknown=%#x #>>12 use tiff_entry - 0 string MM\x00\x2b Big TIFF image data, big-endian !:mime image/tiff 0 string II\x2b\x00 Big TIFF image data, little-endian @@ -496,6 +509,12 @@ !:ext png !:strength +10 >16 use png-ihdr +>33 string \x00\x00\x00\x08acTL \b, animated +>>41 ubelong 1 (%d frame +>>41 ubelong >1 (%d frames +>>45 ubelong 0 \b, infinite repetitions) +>>45 ubelong 1 \b, %d repetition) +>>45 ubelong >1 \b, %d repetitions) # Apple CgBI PNG image. 0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x04CgBI 
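Review bot: In the new acTL block a frame count of 0 matches neither `>>41 ubelong 1` nor `>>41 ubelong >1`, so the opening `(` is never printed while the `>>45` lines still append `repetitions)`. The description then has an unbalanced parenthesis. Adding `>>41 ubelong 0 (0 frames` keeps the text well-formed for malformed input. The block also fires only when acTL is the chunk directly after IHDR (`>33 string \x00\x00\x00\x08acTL`). If other chunks can precede it, such files are still reported as plain PNG, and a comment saying so would keep the output from being read as "not animated".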
@@ -544,6 +563,23 @@ #>10 ubyte&0x07 =0x06 128 colors #>10 ubyte&0x07 =0x07 256 colors +# URL: http://fileformats.archiveteam.org/wiki/Jeff%27s_Image_Format +# http://web.archive.org/web/20010603113404/http://jeff.cafe.net/jif +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jif.trid.xml +# https://www.nationalarchives.gov.uk/PRONOM/fmt/994 +# From: Joerg Jenderek +# Note: nearly identical to GIF, except that it uses zlib compression instead of LZW +# called by TrID "Jeff's Image Format bitmap" and "Jeffs Image Format" by DROID via fmt/994 +# verfied by XnView `nconvert -fullinfo *.jif` as "Jeff's Image Format" +0 string JIF99a Jeffs Image Format data +!:mime image/x-jif +# http://extension.nirsoft.net/jif +#!:mime image/jif +!:apple ????JIFf +!:ext jif +>6 uleshort x %u x +>8 uleshort x %u + # ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, # 1 plane, no encoding. 0 string \361\0\100\273 CMU window manager raster image data @@ -625,7 +661,7 @@ >>8 string x "%s" # should be point character (2Eh) of version string according to TrID #>6 ubyte !0x2E \b, at 6 %#x -# caret character (23h) at the beginning in most or probaly all exanples +# caret character (23h) at the beginning in most or probably all examples #>0 ubyte !0x23 \b, starting with character %#x # URL: http://fileformats.archiveteam.org/wiki/DeskMate_Draw # http://en.wikipedia.org/wiki/Deskmate 
@@ -652,7 +688,86 @@ >24 string SunGKS \b, SunGKS # CGM image files -0 string BEGMF clear text Computer Graphics Metafile +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CGM +# https://en.wikipedia.org/wiki/Computer_Graphics_Metafile +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-ct.trid.xml +# http://standards.iso.org/ittf/PubliclyAvailableStandards/c032381_ISO_IEC_8632-4_1999(E).zip +# Note: called "Computer Graphics Metafile (Clear Text)" by TrID and +# "Computer Graphics Metafile ASCII" by DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# According to TrID only letter B and M are always upcased and by DROID often only B is upcased for command BEGIN METAFILE +0 string/c begmf +# skip SOME DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>5 short !0 +# skip other versions of DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>>5 short !0xABab clear text Computer Graphics Metafile +# https://reposcope.com/mimetype/image/cgm +!:mime image/cgm +!:ext cgm +# SF:NAME like: 'metafile example'; +>>>5 string x %s +# look for command METAFILE VERSION (MFVERSION <SOFTSEP> <I:VERSION>) +>>>2 search/128/c mfversion +#>>>>&0 ubyte x SOFTSEP=%#x +# version like: 1 3 4 +>>>>&1 ubyte >0x31 \b, version %c +# Summary: Computer Graphics Metafile (binary) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-bin.trid.xml +# https://standards.iso.org/ittf/PubliclyAvailableStandards/c032380_ISO_IEC_8632-3_1999(E).zip +# Note: called "Computer Graphics Metafile (binary)" by TrID and DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# look for BEGIN METAFILE (element 
Class 0 and ID 1 and "random" Parameter) that is binary C C C C 0 0 0 0 0 0 1 P P P P P +0 ubeshort&0xFFe0 0x0020 +# skip SOME DROID fmt-303-signature-id-368.cgm fmt-304-signature-id-369.cgm fmt-305-signature-id-370.cgm fmt-306-signature-id-371.cgm +# with containing only 28 bytes +>28 ubyte x +# look for METAFILE VERSION (element class 1 and id 1 and parameter P1 with length 2) that is binary 0 0 0 1 i i i i i i 1 P P P 1 P +# with "low" version; 2nd worst case argentin.cgm with parameter length 56 +# worst MS.CGM +#>>2 search/73/b \x10\x22\0 binary Computer Graphics Metafile +>>2 search/128/b \x10\x22\0 binary Computer Graphics Metafile +!:mime image/cgm +!:ext cgm +# metafile 2 byte version number like: 1 (most) 2 3 4 +>>>&-1 ubeshort >1 \b, version %u +# length number of 1st parameter octets in range 0 to 30 implies short command +>>>0 ubeshort&0x001F <31 \b, parameter length %u +# length of string like: 8 9 10 11 12 29 +#>>>>2 ubyte x \b, %u BYTES (SHORT) +# string like: 'HiJaak 2' 'Example 1' 'sahara.cgm' 'MASTERCLIPS--Art Of Business ' +>>>>2 pstring >\0 '%s' +# after 1st short command with even parameter length comes 2nd command like: 1022h 0010h (EAF00010.CGM 'HiJaak 2' FLOPPY2.CGM TIGER.CGM 'B:\TIGER.CGM') +>>>>0 ubeshort&0x0001 =0 +>>>>>(2.b+3) ubeshort !0x1022 \b, 2nd command %#4.4x (short even) +# after 1st short command with odd parameter length comes nil padding byte followed 2nd command like: 1022h +>>>>0 ubeshort&0x0001 =1 +#>>>>>(2.b+3) ubyte !0 \b, PADDING %#x +>>>>>(2.b+4) ubeshort !0x1022 \b, 2nd command %#4.4x (short odd) +# 11111 binary (decimal 31) in the parameter field indicates that the command is in long-form +>>>0 ubeshort&0x001F =0x1F +# bit 15 is partition flag with 1 for 'not-last' partition and 0 for 'last' partition +>>>>2 ubeshort&0x8000 !0 \b, partition flag %#4.4x +# bits 0 to 14 is parameter list length; the number of following parameter octets; range 0 to 32767 +# length of 1st long command parameter like: 53 +>>>>2 
ubeshort&0x7Fff x \b, parameter length %u (long) +# The two header words are then followed by lenghth of 1st string like: 52 +#>>>>4 ubyte x \b, %u BYTES +# string like: 'K:\PROJECTS\GRAPHICS\DWKS3.5\CLIPART\FLAGS\Italy.cgm' +>>>>4 pstring/B x '%s' +# odd long parameter length implies single null padding octet to start command on word boundary +>>>>2 ubeshort&0x0001 =1 +# after 1st long command with odd parameter length comes nil padding byte followed by 2nd command like: 1022h +#>>>>>(4.b+5) ubyte !0 \b, PADDING %#x +>>>>>(4.b+6) ubeshort !0x1022 \b, 2nd command %#4.4x (long odd) +# even long parameter length implies next command directly is following +>>>>2 ubeshort&0x0001 =0 +# after 1st long command with even parameter length comes 2nd command like: 1022h 0x1054 (MS.CGM) +>>>>>(4.b+5) ubeshort !0x1022 \b, 2nd command %#4.4x (long even) +# look for END METAFILE (element class 0 and id 2 and 0 parameter) that is binary 0 0 0 0 i i i i i 1 i P P P P P +>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string yz MGR bitmap, modern format, 8-bit aligned @@ -1092,6 +1207,22 @@ #>>(10.l) ubequad !0 \b, bits %#16.16llx # dib header size: 12~Ch~OS/2 1.x 64~40h~OS/2 2.x #>>14 ulelong x \b, dib header size %u +# Type: Vision Research Phantom CINE Format +# URL: https://www.phantomhighspeed.com/ +# URL2: http://phantomhighspeed.force.com/vriknowledge/servlet/fileField?id=0BEU0000000Cfyk +# 
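Review bot: The binary CGM entry rests on a weak signature. `0 ubeshort&0xFFe0 0x0020` fixes only 11 bits, `>28 ubyte x` merely requires the file to be longer than 28 bytes, and `>>2 search/128/b \x10\x22\0` accepts three bytes anywhere in the next 128. Unrelated binary data can satisfy this and be tagged `!:mime image/cgm`, which matters wherever file(1) output drives content-type or filtering decisions. A `!:strength` reduction after the description line would lower its rank, as the TGA entry in this file does with `!:strength -40`. Separately, `>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE` puts a debugging-style token into user-visible output, and wording such as `\b, no END METAFILE at end of file` would read better.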
From: Harry Mallon <hjmallon at gmail.com> +# +# This has a short "CI" code but the 44 is the size of the struct which is +# stable +>2 uleshort 44 Vision Research CINE Video, +>>4 uleshort 0 Grayscale, +>>4 uleshort 1 JPEG Compressed, +>>4 uleshort 2 RAW, +>>6 uleshort x version %d, +>>20 ulelong x %d frames, +>>48 ulelong x %dx +>>52 ulelong x \b%d + # Conflicts with other entries [BABYL] # URL: http://fileformats.archiveteam.org/wiki/BMP#OS.2F2_Bitmap_Array # Note: container for OS/2 icon "IC", color icon "CI", color pointer "CP" or bitmap "BM" @@ -1138,7 +1269,7 @@ 0 string /*\040 # 9 byte c-comment "/* XPM */" not at the beginning like: mozicon16.xpm mozicon50.xpm (thunderbird) >0 search/0xCE /*\ XPM\ */ -# skip DROID x-fmt-208-signature-id-620.xpm by looking for char aray without explict length +# skip DROID x-fmt-208-signature-id-620.xpm by looking for char array without explict length # and match mh-logo.xpm (emacs) >>&0 search/1249 [] >>>0 use xpm-image @@ -1146,7 +1277,7 @@ >0 default x # words are separated by a white space which can be composed of space and tabulation characters >>0 search/0x52 static\040char\040 -# skip debug.c testmlc.c by looking for char aray without explict length +# skip debug.c testmlc.c by looking for char array without explict length # https://www.clamav.net/downloads/production/clamav-0.104.2.tar.gz # clamav-0.104.2\libclammspack\mspack\debug.c >>>&0 search/64 [] 
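Review bot: The CINE lines read unsigned fields but print them as signed: `>>20 ulelong x %d frames,`, `>>48 ulelong x %dx` and `>>52 ulelong x \b%d` show negative numbers for values at or above 0x80000000 in a crafted or corrupt header. `%u` matches the declared `ulelong`/`uleshort` types. The entry begins at `>2`, so its parent test lies outside this hunk. If that parent is only the two-byte "CI" code mentioned in the comment, the `>2 uleshort 44` size check is the sole additional evidence, and a comment stating this would help.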
@@ -1217,20 +1348,75 @@ # SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) # -# See -# http://reality.sgi.com/grafica/sgiimage.html -# -0 ubeshort 474 SGI image data -#>2 ubyte 0 \b, verbatim ->2 ubyte 1 \b, RLE -#>3 ubyte 1 \b, normal precision ->3 ubyte 2 \b, high precision ->4 ubeshort x \b, %d-D ->6 ubeshort x \b, %d x ->8 ubeshort x %d ->10 ubeshort x \b, %d channel ->10 ubeshort !1 \bs ->80 string >0 \b, "%s" +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/SGI_(image_file_format) +# https://en.wikipedia.org/wiki/Silicon_Graphics_Image +# Reference: https://paulbourke.net/dataformats/sgirgb/sgiversion.html +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-sgi.trid.xml +# Note: called "Silicon Graphics bitmap (generic)" by TrID, +# "Silicon Graphics Image" by DROID via PUID x-fmt/140 and shared MIME-info database from freedesktop.org, +# verfied by ImageMagick `identify -verbose *.sgi` as SGI (Irix RGB image) and +# verfied by XnView `nconvert -in sgi -info *.sgi` as SGI RGB +# look for magic number (integer 474=0x01DA) + storage format (0 or 1) + number of bytes per pixel channel (1 or 2) +# to skip few TeX font metric data (like pxmi.tfm pxmi1.tfm eksfi8a.tfm ./tex) with invalid "high" bytes/pixel (11 12) +0 ubelong&0xFFffFEfc 0x01da0000 +# skip DROID x-fmt-140-signature-id-623.bw with invalid "low" dimensions "0 x 0" +>6 long !0 SGI image data +#!:mime image/sgi +!:mime image/x-sgi +!:apple ????.SGI +# STORAGE format; allowed values 0~VERBATIM 1~RLE +#>>2 ubyte 0 \b, verbatim +>>2 ubyte 1 \b, RLE +#>>2 ubyte >1 STORAGE=%#x +# BPC; number of bytes per pixel component; allowed values 1 2 +#>>3 ubyte 1 \b, normal precision +>>3 ubyte 2 \b, high precision +#>>3 ubyte x BPC=%#x +# DIMENSION; allowed values are 1~scanline 2~XSIZExYSIZE 3~XSIZExYSIZExZSIZE +>>4 ubeshort x \b, %d-D +# XSIZE; width of image in pixels +>>6 ubeshort x \b, %d x +# YSIZE; height of image in pixels +>>8 ubeshort x %d +# ZSIZE; number of 
channels in image; 1~B/W (greyscale) 3~RGB 4~RGB+ALPHA channel +>>10 ubeshort x \b, %d +# GRR: avoid +# Magdir\images, 1347: Warning: Current entry does not yet have a description for adding a EXTENSION type +>>>10 ubeshort 1 channel +# GRR: exception https://sembiance.com/fileFormatSamples/image/sgi/greytest.rgb +!:ext bw +# no examples found with .int suffix +#!:ext bw/int +# no examples found with .inta suffix for black/white+ALPHA channel +# no examples found with 2 channels +#>>>10 ubeshort 2 channels +#!:ext sgi +>>>10 ubeshort 3 channels +!:ext rgb/sgi +>>>10 ubeshort 4 channels +!:ext rgba/sgi +>>>10 default x channels +# no examples found with 5 and more channels +!:ext sgi +# IMAGENAME; null terminated ascii string of up to 79 characters +>>24 string >\0 \b, "%0.80s" +# PINMIN; minimum pixel value in the image; often 0 +>>12 ubelong !0 \b, %u PINMIN +# PINMAX; maximum pixel value in the image; often 255 +>>16 ubelong !255 \b, %u PINMAX +# DUMMY; 4 bytes of data should be set to 0 +>>20 ubelong !0 \b, at 20 %#x +# COLORMAP; 0~normal 1~DITHEREDobsolete 2~SCREENobsolete 3~COLORMAP +>>104 ubelong !0 \b, %u COLORMAP +# DUMMY; 404 bytes should be set to 0 but not always true; makes header exactly 512 bytes +>>111 ubyte !0 \b, at 111 %#x +>>113 ubyte !0 \b, at 113 %#x +>>118 ubeshort !0 \b, at 118 %#4.4x +>>121 ubyte !0 \b, at 121 %#x +>>132 ubelong !0 \b, at 132 %#8.8x +>>135 ubyte !0 \b, at 135 %#x +>>137 ubequad !0 \b, at 137 %#16.16llx 0 string IT01 FIT image data >4 ubelong x \b, %d x 
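Review bot: The mask in the new SGI top-level test `0 ubelong&0xFFffFEfc 0x01da0000` is looser than the comment above it claims. `0xfc` on the fourth byte clears only the top six bits, so BPC values 0 and 3 pass as well as the 1 and 2 the comment gives as the allowed values. Because this test exists to keep TeX font metric files from being reported as `image/x-sgi`, either tighten it with an explicit BPC range check below the magic line, or make the comment honest: `# mask admits BPC 0-3; only 1 and 2 are documented as valid`.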
@@ -1250,17 +1436,95 @@ 0 string PCD_OPA Kodak Photo CD overview pack file # FITS format. Jeff Uphoff <juphoff@tarsier.cv.nrao.edu> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Flexible_Image_Transport_System +# https://en.wikipedia.org/wiki/FITS +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-fts.trid.xml +# Note: called "Flexible Image Transport System bitmap" by TrID, GIMP and DROID via PUID x-fmt/383 +# "FITS document" with expanded acronym "Flexible Image Transport System" by shared MIME-info database from freedesktop.org +# verified as "Flexible Image Transport System" by XnView `nconvert -fullinfo M57.FIT MOON.FTS` , +# as "FTS (Flexible Image Transport System)" by ImageMagick command `identify MOON.FTS` , +# by NetPBM `fitstopnm M57.FIT | file` , +# falsified by `fitsverify M57.FIT MOON.FTS` # FITS is the Flexible Image Transport System, the de facto standard for # data and image transfer, storage, etc., for the astronomical community. # (FITS floating point formats are big-endian.) 
-0 string SIMPLE\ \ = FITS image data +# keyword is a 1- to 8-character, left-justified ASCII string; columns that do not contain data are filled with spaces +# The assignment indicator (=) always occupies columns nine and ten in the card +0 string SIMPLE\ \ = +# skip DROID x-fmt-383-signature-id-57.fits by check for left padding spaces of 2nd card value +>89 ubeshort =0x2020 FITS image +# URL: https://heasarc.gsfc.nasa.gov/fitsio/fpack/ +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-fz.trid.xml +# https://heasarc.gsfc.nasa.gov/FTP/software/fitsio/c/docs/fpackguide.pdf +# Note: called "Flexible Image Transport System bitmap (compressed)" by TrID +>>240 search/0x4790/b ZCMPTYPE= data, compression type +# fz suffix for compressed fits +!:ext fz +# Flexible Image Transport System compression value (followed by optional FITS comment) like: NOCOMPRESS GZIP_1 GZIP_2 HCOMPRESS_1 PLIO_1 RICE_1 +#>>>&0 string x COMPRESSION=%0.13s +>>>&0 regex [A-Z_1-2]{4,11} %s +# not compressed Flexible Image Transport System with other filename suffix +>>240 default x data +!:ext fits/fit/fts +# five keywords that are required in every FITS file: SIMPLE, BITPIX, NAXIS, NAXISn, and END. 
EXTEND is also a required keyword if extensions are present in the file +# required keyword in standard on 3rd card contains integer number of bits used to represent each data value but in 2nd card for M57.FIT +>>80 search/81/b BITPIX\040\040= +#>>>&11 string x BIT=%-0.18s +# this is the number of bits per pixel for image data +>>>&20 string 8 \b, 8-bit, character or unsigned binary integer +# few samples with more right positioned values like: M57.FIT +# GRR: avoid warning: Magdir\images, 1380: Warning: description `, 8-bit, character or unsigned binary integer (too right positioned)' truncated +>>>&28 string 8 \b, 8-bit, character or unsigned binary integer +>>>>0 string x (too right positioned) +# few samples not right justified positioned like: MOON.FTS +>>>&11 string 8 \b, 8-bit, character or unsigned binary integer +>>>>0 string x (too left positioned) +# according to DROID but no examples found +#>>>&19 string 08 \b, 8-bit, character or unsigned binary integer +#>>>&19 string +8 \b, 8-bit, character or unsigned binary integer +>>>&19 string 16 \b, 16-bit, two's complement binary integer +>>>&18 string \04032 \b, 32-bit, two's complement binary integer +>>>&18 string -32 \b, 32-bit, floating point, single precision +>>>&18 string -64 \b, 64-bit, floating point, double precision +# second 64-bit variant like: blank.fits +>>>&18 string \04064 \b, 64-bit, two's complement binary integer +# in standard number of dimensions by keyword NAXIS on 3rd card image but in few cases on 2nd card like: M57.FIT +>>80 search/81/b NAXIS\040\040\040= \b, +# before optional comment 31 ASCII charactes left padded with spaces for integer (0-999) of data axis like: 0 (extension no data) 1 (spectrum) 2 (conventional bitmap) 3 (animated bitmap example.fit test.fits) 6 (DDTSUVDATA.fits) +#>>>>&0 string x NAXIS=%-0.31s +# single digit 0 implies no data or similar +>>>&0 search/31/b \0400\040 0 axes +!:mime application/fits +# single digit 1 implies one-dimensional entity such as a 
spectrum or a time series (no example found) +>>>&-1 search/31/b \0401\040 1 axis +!:mime application/fits +#!:mime image/fits +# single digit 2 implies conventional bitmap +>>>&0 search/31/b \0402\040 2 axes +!:mime image/fits +# single digit 3 implies data cubes of three dimensions (animated bitmap or similar) +>>>&0 search/31/b \0403\040 3 axes !:mime image/fits -!:ext fits/fts ->109 string 8 \b, 8-bit, character or unsigned binary integer ->108 string 16 \b, 16-bit, two's complement binary integer ->107 string \ 32 \b, 32-bit, two's complement binary integer ->107 string -32 \b, 32-bit, floating point, single precision ->107 string -64 \b, 64-bit, floating point, double precision +# data cubes more dimensions like: 5 (group.fits) 6 (DDTSUVDATA.fits) +>>>&0 default x +>>>>&0 regex/31/s =[0-9]{1,3} %s axis +!:mime application/fits +# often NAXIS1 as 4th card but sometimes at higher offset like: 29400 (IUElwp25637mxlo.fits) 20400 (NICMOSn4hk12010_mos.fits) +>>240 search/29400/bs NAXIS1\040\040= \b, +# before optional comment 31 ASCII charactes left padded with spaces for first axis like: 192 512 1024 1200 2000 2064 3600 ... +>>>&9 regex =[0-9]{1,31} %s +# often NAXIS2 as 5th card but sometimes not existent or at higher offset like: 29120 (IUElwp25637mxlo.fits) 20480 (NICMOSn4hk12010_mos.fits) +>>>320 search/29120/bs NAXIS2\040\040= x +# before optional comment 31 ASCII charactes left padded with spaces for second axis like: 2 4 165 512 800 1024 3600 ... +>>>>&9 regex =[0-9]{1,31} %s +# not standard cards +>>80 string !BITPIX\040\040= \b, at 80 +# in M57.FIT like: "NAXIS =" +>>>80 string x "%-0.9s" +>>160 string !NAXIS\040\040\040= \b, at 160 +# in M57.FIT like: "BITPIX =" +>>>160 string x "%-0.9s" # other images 0 string This\ is\ a\ BitMap\ file Lisp Machine bit-array-file 
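Review bot: Three of the regex tests added in the FITS hunk have no length limit, although the NAXIS fallback in the same hunk is written `regex/31/s`. They are `>>>&0 regex [A-Z_1-2]{4,11} %s` after `ZCMPTYPE=` and the two `regex =[0-9]{1,31} %s` lines after `NAXIS1` and `NAXIS2`. magic(5) asks for a `/<length>` bound on regex tests, and without one these lines can print a run of capitals or digits from further along the header instead of the card's own value. The comments place the value within the 31 columns after the assignment indicator, so `>>>&0 regex/31 [A-Z_1-2]{4,11} %s` and `>>>&9 regex/31 =[0-9]{1,31} %s` look like the right shape. The exact length should be confirmed against the sample files named in the comments.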
@@ -1458,26 +1722,71 @@ >2 quad !0 # skip g3test.g3 by test for unused bits of 2nd color entry >>4 ubeshort&0xF000 0 ->>>0 use degas-bitmap +#>>>0 beshort x 1ST_VALUE=%x +#>>>-0 offset x FILE_SIZE=%lld +# standard DEGAS low-res uncompressed bitmap *.pi1 with file size 32034 +>>>-0 offset =32034 +#>>>>0 beshort x 1st_VALUE=%x +# like: 8ball.pi1 teddy.pi1 sonic01.pi1 +>>>>0 use degas-bitmap +# about 61 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32066 +>>>-0 offset =32066 +# like: spider.pi1 pinkgirl.pi1 frog3.pi1 +>>>>0 use degas-bitmap +# about 55 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32128 +>>>-0 offset =32128 +# like: mountain.pi1 bigspid.pi1 alf33.pi1 +>>>>0 use degas-bitmap +# 1 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 44834 +>>>-0 offset =44834 +# like: kenshin.pi1 +>>>>0 use degas-bitmap # DEGAS mid-res uncompressed bitmap *.pi2 (strength=50) after GEM Images like: # BEETHVEN.IMG CHURCH.IMG GAMEOVR4.IMG TURKEY.IMG clinton.img 0 beshort 0x0001 #!:strength +0 # skip many control files like gnucash-4.8.setup.exe.aria2 by test for non black in 4 palette entries >2 quad !0 -# skip control file load-v0001.aria2 by test for unused bits of 5th color palette entry ->>10 ubeshort&0xF000 0 -# skip many GEM Image data like DANCER.IMG GAMEOVR4.IMG SHIP.IMG by test for unused bits of 8th color palette entry ->>>16 ubeshort&0xF000 0 -# skip many GEM Image data like BEETHVEN.IMG CABINETS.IMG MEMO.IMG by test for unused bits of 14th color palette entry ->>>>28 ubeshort&0xF000 0 -# skip few GEM Image data like CHURCH.IMG by test for unused bits of 15th color palette entry ->>>>>30 ubeshort&0xF000 0 -# skip many GEM Image data like TIGER.IMG TURKEY.IMG XMAS.IMG by test for unused bits of 16th color palette entry ->>>>>>32 ubeshort&0xF000 0 -# skip GEM Image data like clinton.img by test for existing bytes at the end ->>>>>>>32026 quad x ->>>>>>>>0 use degas-bitmap +# skip control file load-v0001.aria2 and many GEM 
Image data like +# GAMEOVR4.IMG BEETHVEN.IMG CHURCH.IMG TURKEY.IMG clinton.img +# by test for valid file sizes +# standard DEGAS mid-res uncompressed bitmap *.pi2 with file size 32034 +>>-0 offset =32034 +# (39/41) like: GEMINI03.PI2 ST_TOOLS.PI2 TBX_DEMO.PI2 +>>>0 use degas-bitmap +# few DEGAS Elite mid-res uncompressed bitmap *.pi2 with file size 32066 +>>-0 offset =32066 +# (2/41) like: medres.pi2 +>>>0 use degas-bitmap +# GEM Image: Version 1, Headerlen 8 (Wolfram Kleff) +# Format variations from: Bernd Nuernberger <bernd.nuernberger@web.de> +# Update: Joerg Jenderek +# See http://fileformats.archiveteam.org/wiki/GEM_Raster +# For variations, also see: +# https://www.seasip.info/Gem/ff_img.html (Ventura) +# http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) +# http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) +# http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) +# header_size +>2 beshort 0x0008 +>>0 use gem_info +>2 beshort 0x0009 +>>0 use gem_info +# no example for NOSIG +>2 beshort 24 +>>0 use gem_info +# no example for HYPERPAINT +>2 beshort 25 +>>0 use gem_info +16 string XIMG\0 +>0 use gem_info +# no example +16 string STTT\0\x10 +>0 use gem_info +# no example or description +16 string TIMG\0 +>0 use gem_info + # DEGAS high-res uncompressed bitmap *.pi3 0 beshort 0x0002 # skip Intel ia64 COFF msvcrt.lib by test for unused bits of 1st atari color palette entry 
@@ -1497,8 +1806,12 @@ # 00000000 "LEREDACT.PI3" 03730773 "TBX_DEMO.PI3" #>>>>&8 ubelong x \b, LAST CHAR+NIL %8.8x >>>>&8 ubelong&0xff00ffFF !0 +# skip many Adobe Photoshop Color swatch (ANPA-Farben.aco TOYO-Farbsystem.aco) with invalid 3rd color entry (1319 2201 2206 21f5 2480 24db 25fd) +>>>>>6 ubeshort&0xF000 0 +# skip few Adobe Photoshop Color swatch (FOCOLTONE-Farben.aco "PANTONE process coated.aco") with invalid 4th color entry (ffff) +>>>>>>8 ubeshort&0xF000 0 # many DEGAS bitmap like: ARABDEMO.PI3 ELMRSESN.PI3 GEMVIEW.PI3 LEREDACT.PI3 PICCOLO.PI3 REPRO_JR.PI3 ST_TOOLS.PI3 TBX_DEMO.PI3 evgem7.pi3 ->>>>>0 use degas-bitmap +>>>>>>>0 use degas-bitmap # test for last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char >>>>&8 ubelong&0xff00ffFF =0 # select last DEGAS bitmaps by invalid last char of brush note like BASICNES.PI3 DB_HELP.PI3 DB_WRITR.PI3 LEREDACT.PI3 
@@ -1510,13 +1823,23 @@ 0 beshort 0x8000 # skip lif files handled via ./lif by test for unused bits of 1st palette entry >2 ubeshort&0xF000 0 ->>0 use degas-bitmap +# skip CRI ADX ADPCM audio (R04HT.adx R03T-15552.adx) with 44100 Hz misinterpreted as 5th color entry value AC44h +>>10 ubeshort&0xF000 0 +# skip few (fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx) by test for 4 first non black colors in palette entries +>>>2 quad !0 +>>>>0 use degas-bitmap # DEGAS mid-res compressed bitmap *.pc2 like: abydos.pc2 ARTIS3.PC2 SMTHDRAW.PC2 STAR_2K.PC2 TX2_DEMO.PC2 0 beshort 0x8001 ->0 use degas-bitmap +# skip many (1274/1369) PostScript Type 1 font (DarkGardenMK.pfb coupbi.pfb MONOBOLD.PFB) with invalid 1st atari color palette entry 5506 5b06 6906 7906 7e06 fb15 +>2 ubeshort&0xF000 0 +# skip some (95/1369) PostScript Type 1 font (fmt-525-signature-id-816.pfb LUXEMBRG.PFB) with invalid 3rd atari color palette entry 2521 +>>6 ubeshort&0xF000 0 +>>>0 use degas-bitmap # DEGAS high-res compressed bitmap *.pc3 like: abydos.pc3 COYOTE.PC3 ELEPHANT.PC3 TX2_DEMO.PC3 SMTHDRAW.PC3 0 beshort 0x8002 ->0 use degas-bitmap +# skip some (36/212) Python Pickle (factor_cache.pickle environment.pickle) with invalid 1st atari color entry (2863 6363 7d71) +>2 ubeshort&0xF000 0 +>>0 use degas-bitmap # display information of Atari DEGAS and DEGAS Elite bitmap images 0 name degas-bitmap >0 ubyte x Atari DEGAS @@ -1603,6 +1926,19 @@ #>32058 ubequad !0 \b, channel delays %16.16llx # 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GED +# https://recoil.sourceforge.net/formats.html#Atari-8-bit +# Reference: https://sourceforge.net/projects/recoil/files/recoil/6.3.4/recoil-6.3.4.tar.gz +# recoil-6.3.4/recoil.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-ged.trid.xml +# Note: called "Atari GED bitmap" by TrID; file size 11302 +# and verified by RECOIL graphic tool +0 string \xFF\xFF0SO\x7F Atari GED bitmap, 160x200 +#!:mime application/octet-stream +!:mime image/x-atari-ged +!:ext ged + +# From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/ImageLab/PrintTechnic # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-b_w.trid.xml # Note: called "ImageLab bitmap" by TrID @@ -1641,8 +1977,12 @@ # PCX image files # From: Dan Fandrich <dan@coneharvesters.com> -# updated by Joerg Jenderek at Feb 2013 by https://de.wikipedia.org/wiki/PCX +# updated by Joerg Jenderek at Feb 2013, Nov 2023 by https://en.wikipedia.org/wiki/PCX # https://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt +# URL: http://fileformats.archiveteam.org/wiki/PCX +# Note: called "PCX image" with acronym "PiCture eXchange" by shared MIME-info database from freedesktop.org +# verfied partly as pcx "Zsoft Paintbrush" format by XnView `nconvert -in pcx -fullinfo *.pcx` and +# by ImageMagick version 7.1.1-21 command `identify *.pcx` # GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 # test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT 0 ubelong&0xffF8fe00 0x0a000000 
@@ -1650,28 +1990,39 @@ >3 ubyte >0 # test for valid versions >>1 ubyte <6 ->>>1 ubyte !1 PCX -!:mime image/x-pcx -#!:mime image/pcx ->>>>1 ubyte 0 ver. 2.5 image data ->>>>1 ubyte 2 ver. 2.8 image data, with palette ->>>>1 ubyte 3 ver. 2.8 image data, without palette ->>>>1 ubyte 4 for Windows image data ->>>>1 ubyte 5 ver. 3.0 image data ->>>>4 uleshort x bounding box [%d, ->>>>6 uleshort x %d] - ->>>>8 uleshort x [%d, ->>>>10 uleshort x %d], ->>>>65 ubyte >1 %d planes each of ->>>>3 ubyte x %d-bit ->>>>68 ubyte 1 colour, ->>>>68 ubyte 2 grayscale, +>>>1 ubyte !1 +# skip DROID fmt-89-signature-id-62.pcx fmt-88-signature-id-63.pcx fmt-87-signature-id-64.pcx fmt-86-signature-id-65.pcx with invalid dimensions +>>>>8 long !0 PCX +!:mime image/vnd.zbrush.pcx +# deprecated +#!:mime image/x-pcx +!:ext pcx/pcc +# also examples like: abydos.st E-DIODE.ST MUSIC-13.ST ROSE.ST +#!:ext pcx/pcc/st +# Note: called as "PCX bitmap (v2.5)" by TrID via bitmap-pcx.trid.xml and "PCX" version 0 by DROID via PUID fmt/86 +>>>>>1 ubyte 0 ver. 2.5 image data +# Note: called as "PCX bitmap (v2.8, palette)" by TrID via bitmap-pcx-v28p.trid.xml and "PCX" version 2 by DROID via PUID fmt/87 +>>>>>1 ubyte 2 ver. 2.8 image data, with palette +# Note: called as "PCX bitmap (v2.8)" by TrID via bitmap-pcx-v28.trid.xml and "PCX" version 3 by DROID via PUID fmt/88 +>>>>>1 ubyte 3 ver. 2.8 image data, without palette +# Note: called as "PCX bitmap (Win)" by TrID via bitmap-pcx-win.trid.xml and "PCX" version 4 by DROID via PUID fmt/89 +>>>>>1 ubyte 4 for Windows image data +# Note: called as "PCX bitmap (v3.0) by TrID via bitmap-pcx-v30.trid.xml and "PCX" version 5 by DROID via PUID fmt/90 +>>>>>1 ubyte 5 ver. 
3.0 image data +>>>>>4 uleshort x bounding box [%d, +>>>>>6 uleshort x %d] - +>>>>>8 uleshort x [%d, +>>>>>10 uleshort x %d], +>>>>>65 ubyte >1 %d planes each of +>>>>>3 ubyte x %d-bit +>>>>>68 ubyte 1 colour, +>>>>>68 ubyte 2 grayscale, # this should not happen ->>>>68 default x image, ->>>>12 uleshort >0 %d x ->>>>>14 uleshort x %d dpi, ->>>>2 ubyte 0 uncompressed ->>>>2 ubyte 1 RLE compressed +>>>>>68 default x image, +>>>>>12 uleshort >0 %d x +>>>>>>14 uleshort x %d dpi, +>>>>>2 ubyte 0 uncompressed +>>>>>2 ubyte 1 RLE compressed # Adobe Photoshop # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> @@ -1723,6 +2074,113 @@ >>>6 belong x 0x%8.8x >>>6 beshort x \b%4.4x +# 
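Review bot: The PCX `!:mime` value changes from `image/x-pcx` to `image/vnd.zbrush.pcx`, and the only trace of the old string is the commented-out line marked `# deprecated`. Anything that keys on libmagic's MIME output (upload allow-lists, mail or proxy content filters, detection rules) will silently stop matching PCX files after this import unless it accepts both strings. I would record that next to the directive, for example `# MIME changed from image/x-pcx; consumers matching on the old value must accept both`. The later Radiance hunk (`!:mime image/vnd.radiance`) and the KTX and KTX2 hunks (`!:mime image/ktx`, `!:mime image/ktx2`) add a MIME type where the visible lines show none before, so callers that treated those files as untyped are affected the same way.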
From: Joerg Jenderek +# URL: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# http://fileformats.archiveteam.org/wiki/Photoshop +# Reference: http://www.nomodes.com/aco.html +# Note: registers as Photoshop.SwatchesFile for Photoshop.exe on Windows +# check for valid versions like: 2 (newest) 1 (old) 0 (oldest no examples) +0 ubeshort <3 +# skip few Atari DEGAS med-res bitmap (DIAGRAM1.PI2) and many ISO 9660 CD-ROM by check for invalid low color numbers (0) +>2 ubeshort >0 +# skip few Targa (bmpsuite-15col.tga rgb24_top_left_colormap.tga) by check for invalid high color space ID (F0 1D) +>>4 ubeshort <16 +# skip many (69/327) Targa image *.TGA by check of accessing near the ending of first color space section (size=nc*5*2) +>>>(2.S*10) ubelong x +# RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort =0 +# skip many (220/327) Targa by check of for invalid high RGB color z value (hexadecimal 2 3 2e03 4600 5e04 7502 8002 8b05 c700) +>>>>>12 ubeshort =0 +# RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>>0 ubeshort <2 +>>>>>>>0 use adobe-aco +# RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>>0 ubeshort =2 +# skip many (74/176) Atari DEGAS hi-res bitmap (*.PI3) by check for invalid low color name length (0) +>>>>>>>16 ubeshort >0 +>>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort !0 +# non RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>0 ubeshort <2 +# skip many GEM Image (CHURCH.IMG TIGER.IMG) by check for invalid second high color space ID (55 114 143 157 256 288 450) +>>>>>>14 ubeshort <16 +>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>0 ubeshort =2 +# skip few Atari DEGAS hi-res bitmap (pal1wb-blue.pi3) and few ABR by check for invalid "high" nil bytes (7) before color name length +>>>>>>14 ubeshort =0 +>>>>>>>0 use adobe-aco +# display Adobe Photoshop Color swatch file information 
(version, number of colors, color spaces, coordinates, names) +0 name adobe-aco +>0 ubeshort x Adobe Photoshop Color swatch, version %u +#!:mime application/octet-stream +!:mime application/x-adobe-aco +!:apple ????8BCO +!:ext aco +>0 ubeshort <2 +>>(2.S*10) ubelong x +# version 2 section after version 1 section +>>>&0 ubeshort 2 and 2 +# nc; number of colors like: 20 50 86 88 126 204 300 1050 1137 1280 2092 3010 4096 +>2 ubeshort x \b, %u colors +# maybe last 4 bytes of first section (probably y z color value) like: 0 0x66660000 0xfe700000 0xffff0000 +#>(2.S*10) ubelong x 1ST_SECTION_END=%#8.8x +>0 ubeshort <2 \b; 1st +# first older Adobe Photoshop Color entry +>>4 use aco-color +>>>2 ubeshort >1 \b; 2nd +# second older Adobe Photoshop Color entry +>>>>14 use aco-color +>0 ubeshort =2 \b; 1st +# first new Adobe Photoshop Color entry +>>4 use aco-color-v2 +>>>2 ubeshort >1 \b; 2nd +# jump first color name length words +>>>>(16.S*2) ubequad x +# second new Adobe Photoshop Color entry +>>>>>&10 use aco-color-v2 +# display Adobe Photoshop Color entry (color space, color coordinates) +0 name aco-color +# each color spec entry occupies five words +# color space: 0~RGB 1~HSB 2~CMYK 3~Pantone 4~Focoltone 5~Trumatch 6~Toyo 7~Lab 8~Grayscale 9?~wideCMYK 10~HKS ... 
+#>0 ubeshort x COLOR_ENTRY +>0 ubeshort 0 RGB +>0 ubeshort 1 HSB +>0 ubeshort 2 CMYK +>0 ubeshort 3 Pantone +>0 ubeshort 4 Focoltone +>0 ubeshort 5 Trumatch +>0 ubeshort 6 Toyo +>0 ubeshort 7 Lab +>0 ubeshort 8 Grayscale +>0 ubeshort 9 wide CMYK +>0 ubeshort 10 HKS +# unofficial +# >0 ubeshort 12 foo +# >0 ubeshort 13 bar +# >0 ubeshort 14 FOO +# >0 ubeshort 15 BAR +>0 ubeshort x space (%u) +# color coordinate w +>2 ubeshort x \b, w %#x +# color coordinate x +>4 ubeshort x \b, x %#x +# color coordinate y +>6 ubeshort x \b, y %#x +# color coordinate z; zero for RGB space +>8 ubeshort x \b, z %#x +# display Adobe Photoshop Color entry version 2 (color space, color coordinates names) +0 name aco-color-v2 +>0 use aco-color +#>10 ubeshort x \b, NUL_BYTES %#x +# color name length plus one (len+1) like: 7 8 9 13 14 15 16 17 22 26 +#>>12 ubeshort x \b, LENGTH %u +>>12 ubeshort-1 x \b, %u chars +# len words; UTF-16 representation of the color name like: "DIC 1s" "PANTONE Process Yellow PC" +>>14 bestring16 x "%s" +# followed by nil word + # XV thumbnail indicator (ThMO) # URL: https://en.wikipedia.org/wiki/Xv_(software) # Reference: http://fileformats.archiveteam.org/wiki/XV_thumbnail 
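Review bot: The new swatch entry opens with `0 ubeshort <3`, which any file starting with bytes 00 00, 00 01 or 00 02 satisfies. It then relies on exclusion tests tuned against the samples its own comments list (Targa, Atari DEGAS, GEM Image, ISO 9660). A file that gets past them is reported as `application/x-adobe-aco` with extension `aco`, so code that routes or filters on file(1) output should treat this type as low confidence. I would state that in the entry, e.g. `# GRR: 2-byte version test is weak; exclusions are sample-derived, expect false positives`. Also consider a `!:strength` directive after the top-level line so more specific signatures sort ahead of it.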
@@ -1737,35 +2195,6 @@ 0 string NITF National Imagery Transmission Format >25 string >\0 dated %.14s -# GEM Image: Version 1, Headerlen 8 (Wolfram Kleff) -# Format variations from: Bernd Nuernberger <bernd.nuernberger@web.de> -# Update: Joerg Jenderek -# See http://fileformats.archiveteam.org/wiki/GEM_Raster -# For variations, also see: -# https://www.seasip.info/Gem/ff_img.html (Ventura) -# http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) -# http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) -# http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) -0 beshort 0x0001 -# header_size ->2 beshort 0x0008 ->>0 use gem_info ->2 beshort 0x0009 ->>0 use gem_info -# no example for NOSIG ->2 beshort 24 ->>0 use gem_info -# no example for HYPERPAINT ->2 beshort 25 ->>0 use gem_info -16 string XIMG\0 ->0 use gem_info -# no example -16 string STTT\0\x10 ->0 use gem_info -# no example or description -16 string TIMG\0 ->0 use gem_info 0 name gem_info # version is 2 for some XIMG and 1 for all others 
@@ -1856,43 +2285,41 @@ # Hercules DASD image files # From Jan Jaeger <jj@septa.nl> and Jay Maynard <jaymaynard@gmail.com> + +# Common Hercules CKD image files +0 name HercCKD +>0 lelong x \b, %d heads per cylinder +>4 lelong x \b, track size %d bytes +>8 ubyte >0x2F +>>8 ubyte 0x45 \b, device type 9345 +>>8 ubyte !0x45 \b, device type 33%2.2X +>8 ubyte <0x30 \b, device type 23%2.2X + 0 string CKD_P370 Hercules CKD DASD image file ->8 lelong x \b, %d heads per cylinder ->12 lelong x \b, track size %d bytes ->16 byte x \b, device type 33%2.2X +>8 use HercCKD 0 string CKD_C370 Hercules compressed CKD DASD image file ->8 lelong x \b, %d heads per cylinder ->12 lelong x \b, track size %d bytes ->16 byte x \b, device type 33%2.2X +>8 use HercCKD >552 lelong x \b, %d total cylinders >>557 byte 0 \b, no compression >>557 byte 1 \b, ZLIB compression >>557 byte 2 \b, BZ2 compression 0 string CKD_S370 Hercules CKD DASD shadow file ->8 lelong x \b, %d heads per cylinder ->12 lelong x \b, track size %d bytes ->16 byte x \b, device type 33%2.2X +>8 use HercCKD 0 string CKD_P064 Hercules CKD64 DASD image file ->8 lelong x \b, %d heads per cylinder ->12 lelong x \b, track size %d bytes ->16 byte x \b, device type 33%2.2X +>8 use HercCKD 0 string CKD_C064 Hercules compressed CKD64 DASD image file ->8 lelong x \b, %d heads per cylinder ->12 lelong x \b, track size %d bytes ->16 byte x \b, device type 33%2.2X +>8 use HercCKD >524 lelong x \b, %d total cylinders >>585 byte 0 \b, no compression >>585 byte 1 \b, ZLIB compression >>585 byte 2 \b, BZ2 compression 0 string CKD_S064 Hercules CKD64 DASD shadow file ->8 lelong x \b, %d heads per cylinder ->12 lelong x \b, track size %d bytes ->16 byte x \b, device type 33%2.2X +>8 use HercCKD # Squeak images and programs - etoffi@softhome.net 0 string \146\031\0\0 Squeak image data @@ -2210,10 +2637,103 @@ # height (80,90) >>0x53 uleshort x \b%d +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3.trid.xml +# Note: called "Ulead Imageiio/Imaginfo thumbnail" by TrID +0 string IIO1$ Ulead Photo Explorer 3 +#!:mime application/octet-stream +!:mime image/x-ulead-pe3 +# IMAGEIIO.PE3 +!:ext pe3 +# look for DOS/Windows drive letter +>5 search/192/s :\\ +# directory or full name of corresponding imaginfo.pe3 like: "T:\SAMPLES\TEXTURES\SKY_SNOW\IIOE371.TMP "S:\PI3\PIMPACT3\PROGRAMS\PATTERNS\imaginfo.pe3" +>>&-1 string x "%s" +# look for DOS/Windows network path if no drive letter part +>5 default x +>>5 search/192/s \x5c\x5c +# full name of corresponding imaginfo.pe3 like: "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS\imaginfo.pe3" +>>>&0 string x "%s" # Type: Ulead Photo Explorer5 (.pe5) -# URL: http://www.jisyo.com/cgibin/view.cgi?EXT=pe5 (Japanese) +# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4.trid.xml # From: Simon Horman <horms@debian.org> -0 string IIO2H Ulead Photo Explorer5 +# Update: Joerg Jenderek +# Note: some called "Ulead Imageiio/Imaginfo thumbnail" by TrID +# and used in various Ulead applications +0 string IIO2H Ulead Photo Explorer 4 or 5 +#!:mime application/octet-stream +!:mime image/x-ulead-pe4 +# IMAGEIIO.PE4 +!:ext pe4/pe5 +# look in most samples for JPEG signature like: SAMPLES/IMAGES/SCENES/IMAGINFO.PE4 +>0x4c2 search/0xE02/s JFIF with JPEG image data +>>&-6 use jpeg +# near the end list of image names like: Img0001.pcd 1116012L.JPG NCARD4.TPL +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3-imaginfo.trid.xml +11 string \001\0\0\0\0 +# check for version 3 part +>19 string \0\001\0\003\0 +>>0 use ulead-imaginfo +# 
From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4-imaginfo.trid.xml +# check for version 4 part +>19 string \0\0\0\004\0 +>>0 use ulead-imaginfo +# display information about Ulead Imaginfo thumbnail (version, directory, image extension) +0 name ulead-imaginfo +>22 ubyte x Ulead Imaginfo thumbnail +#!:mime application/octet-stream +!:mime image/x-ulead-imaginfo +>22 ubyte =3 \b, version 3 +# IMAGINFO.PE3 +!:ext pe3 +>22 ubyte =4 \b, version 4 +# IMAGINFO.PE4 +!:ext pe4 +# MAYBE ALSO VERSION 5 ? +#>22 ubyte =5 \b, version 5 +#!:ext pe5 +>22 ubyte x +# look for DOS/Windows driver letter +>>4 search/192/s :\x5c +# skip f:\Programme\iPhoto Plus 4\Template\Business Cards\IMAGINFO.PE4 +# by looking for driver letter in range A-Z +>>>&-1 ubyte >0x40 +# directory path like: "E:\iPE\CDSample\Images\Scenes" "D:\XmasCard\Samples" "C:\TEMP\PLANTS" +>>>>&-5 pstring/l >0 \b, "%s" +# look for DOS/Windows network path if no valid drive letter part +>>>&-1 default x +>>>>4 search/192/s \x5c\x5c +# directory path like: "\\FSX\SYS\OPPS\IPE.ENG\TEMPLATE\BUSINESS" "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS" +>>>>>&-4 pstring/l >0 \b, "%s" +# look for DOS/Windows network path if no drive letter part +>>4 default x +>>>4 search/192/s \x5c\x5c +# directory path like: "\\FSX\SYS\opps\ipe.eng\samples" "\\DANIEL\IPE_CD\IPE.ITA" +>>>>&-4 pstring/l >0 \b, "%s" +# look for point character inside image names +>56 search/38/s . +# image name extension like: bmp jpg pcd tpl +>>&1 string x with %-.3s images +# Summary: Ulead Pattern image (Corel Corporation) +# URL: https://en.wikipedia.org/wiki/Ulead_Systems +# https://www.file-extensions.org/pst-file-extension-ulead-pattern-image-format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst-ulead.trid.xml +# 
From: Joerg Jenderek +# Note: used also by CorelDraw Essentials 3 version 13.0.0.800 +# there seems to exist other versions +0 ubelong 0xFFFF0100 +>8 search/21 PresetInfo Ulead pattern image +#!:mime application/octet-stream +!:mime image/x-ulead-pst +!:ext pst +# string length like: 16 18 19 21 24 +#>>4 uleshort x n=%u +# like: BlendPresetInfo DropShadowPresetInfo FileNewPresetInfo VectorExtrudePresetInfo EnvelopePresetInfo ContourPresetInfo DistortionPresetInfo +>>4 pstring/h x "%s" # Type: X11 cursor # URL: http://webcvs.freedesktop.org/mime/shared-mime-info/freedesktop.org.xml.in?view=markup @@ -2239,7 +2759,7 @@ # URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ # Radiance HDR; usually has .pic or .hdr extension. 0 string #?RADIANCE\n Radiance HDR image data -#!mime image/vnd.radiance +!:mime image/vnd.radiance # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: https://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf @@ -2425,6 +2945,7 @@ # BS encoded bitstreams 2 uleshort 0x3800 BS image, +# GRR: the above line is also true for binary Computer Graphics Metafile SAB00012.CGM with long parameter length 56 (=38h) >6 uleshort x Version %d, >4 uleshort x Quantization %d, >0 uleshort x (Decompresses to %d words) @@ -2630,7 +3151,8 @@ # FIXME: Handle DX10 and XBOX formats. >>0x54 string DX10 >>>0x80 use ms-directdraw-dx10 ->>0x54 string !DX10 \b, compressed using %.4s +>>0x54 string !DX10 +>>>0x54 string x \b, compressed using %.4s >0x50 ulelong&0x2 0x2 \b, alpha only >0x50 ulelong&0x200 0x200 \b, YUV >0x50 ulelong&0x20000 0x20000 \b, luminance @@ -2777,6 +3299,10 @@ >>0x10 ubelong !0x44445320 Sega PVR image: >>>0x10 use sega-pvr-image-header >>0x08 ulelong x \b, global index = %u +# Sega GVR image with GBIX. +>0x10 string GVRT Sega GVR image: +>>0x10 use sega-gvr-image-header +>>0x08 ubelong x \b, global index = %u # Sega GVR header. 0 name sega-gvr-image-header 
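Review bot: In the `ulead-imaginfo` block the comment says the drive letter is checked to be "in range A-Z", but the test `>>>&-1 ubyte >0x40` enforces only the lower bound. Any byte above `@` before `:\` passes, including lowercase letters and non-ASCII bytes, and is then used to locate the `pstring/l` length that precedes the printed path. If the A-Z restriction is intended, an upper-bound test is needed as well; that means re-nesting the `pstring/l` line and the `default` branch, which I have not verified against the samples. Otherwise change the comment to describe what is actually tested, e.g. `# require a byte above '@' before ":\" (no upper bound is enforced)`.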
@@ -2798,12 +3324,6 @@ 0 string GVRT Sega GVR image: >0x10 use sega-gvr-image-header -# Sega GVR image with GBIX. -0 string GBIX ->0x10 string GVRT Sega GVR image: ->>0x10 use sega-gvr-image-header ->>0x08 ubelong x \b, global index = %u - # Sega GVR image with GCIX. (Wii) 0 string GCIX >0x10 string GVRT Sega GVR image: @@ -2813,28 +3333,9 @@ # Light Field Picture # Documentation: http://optics.miloush.net/lytro/TheFileFormat.aspx # Typical file extensions: .lfp .lfr .lfx - 0 ubelong 0x894C4650 ->4 ubelong 0x0D0A1A0A ->12 ubelong 0x00000000 Lytro Light Field Picture ->8 ubelong x \b, version %d - -# Type: Vision Research Phantom CINE Format -# URL: https://www.phantomhighspeed.com/ -# URL2: http://phantomhighspeed.force.com/vriknowledge/servlet/fileField?id=0BEU0000000Cfyk -# From: Harry Mallon <hjmallon at gmail.com> -# -# This has a short "CI" code but the 44 is the size of the struct which is -# stable -0 string CI ->2 uleshort 44 Vision Research CINE Video, ->>4 uleshort 0 Grayscale, ->>4 uleshort 1 JPEG Compressed, ->>4 uleshort 2 RAW, ->>6 uleshort x version %d, ->>20 ulelong x %d frames, ->>48 ulelong x %dx ->>52 ulelong x \b%d +>4 ubelong 0x0D0A1A0A Lytro Light Field Picture +>>8 ubelong x \b, version %u # Type: ARRI Raw Image # Info: SMPTE RDD30:2014 @@ -2849,6 +3350,7 @@ # Type: Khronos KTX texture. # From: David Korth <gerbilsoft@gerbilsoft.com> # Reference: https://www.khronos.org/opengles/sdk/tools/KTX/file_format_spec/ +# https://www.iana.org/assignments/media-types/image/ktx # glEnum decoding. # NOTE: Only the most common formats are listed here. @@ -2923,6 +3425,8 @@ # Main KTX header. # Determine endianness, then check the rest of the header. 0 string \xABKTX\ 11\xBB\r\n\x1A\n Khronos KTX texture +!:mime image/ktx +!:ext ktx >12 ulelong 0x04030201 (little-endian) >>16 use khronos-ktx-endian-header >12 ubelong 0x04030201 (big-endian) @@ -2932,6 +3436,7 @@ # 
From: David Korth <gerbilsoft@gerbilsoft.com> # Based on draft19. # Reference: http://github.khronos.org/KTX-Specification/ +# https://www.iana.org/assignments/media-types/image/ktx2 # Supercompression enum. 0 name khronos-ktx2-supercompression @@ -3193,6 +3698,8 @@ # Main KTX2 header. 0 string \xABKTX\ 20\xBB\r\n\x1A\n Khronos KTX2 texture +!:mime image/ktx2 +!:ext ktx2 >20 ulelong x \b, %u >24 ulelong >1 x %u >28 ulelong >1 x %u @@ -3286,7 +3793,7 @@ # Microsoft Paint graphic # http://www.fileformat.info/format/mspaint/egff.htm -0 string DanM icrosoft Paint image data (version 1.x) +0 string DanM Microsoft Paint image data (version 1.x) >4 uleshort x (%d >>6 uleshort x x %d) 0 string LinS Microsoft Paint image data (version 2.0) @@ -3305,9 +3812,7 @@ >>>>33 string and >>>>>37 string layers >>>>>>43 ulelong x reMarkable tablet notebook lines, 1404 x 1872, %x page(s) - # newer per-page files for the reMarkable -0 string reMarkable >11 string .lines >>18 string file, >>>24 string version= 
@@ -3608,6 +4113,29 @@ # display ICC/ICM color profile by ./icc #>>>0x154 use color-profile +# URL: http://fileformats.archiveteam.org/wiki/CorelDRAW +# https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-gen.trid.xml +# Note: called "CorelDRAW drawing (generic)" by TrID +# version til 2 WL-based; from version 3 til 13 handled by ./riff and from 14 zip based handled by ./archive +0 ubelong&0xFFffF7ff 0x574C6500 Corel Draw Picture +#!:mime image/x-coreldraw +!:mime application/vnd.corel-draw +!:ext cdr +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-10.trid.xml +# Note: called "CorelDRAW drawing (v1.0)" by TrID and +# "CorelDraw Drawing" with version "1.0" by DROID via PUID fmt/467 +# only DROID fmt-467-signature-id-726.cdr example +>2 ubyte 0x65 \b, version 1.0 +#>>4 ubelong !0x45000000 \b, at 4 %#8.8x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-20.trid.xml +# Note: called "CorelDRAW drawing (v2.0)" by TrID and +# "CorelDraw Drawing" with version "2.0" by DROID via PUID fmt/466 +>2 ubyte 0x6D \b, version 2.0 +# According to DROID 0xed080000 or 0x25050000 +#>>4 ubelong !0xed080000 +#>>>4 ubelong !0x25050000 \b, at 4 %#8.8x + # Type: Crunch compressed texture. # From: David Korth <gerbilsoft@gerbilsoft.com> # References: @@ -3679,9 +4207,9 @@ >>>13 ubyte x *bad colorspace %u* -# Type: Godot 3, 4 texture (pixel format) +# Type: Godot 3 texture (pixel format) # From: David Korth <gerbilsoft@gerbilsoft.com> -0 name godot-pixel-format +0 name godot-pixel-format-v3 >0 ulelong&0xFFFFF 0 L8 >0 ulelong&0xFFFFF 1 LA8 >0 ulelong&0xFFFFF 2 R8 @@ -3719,7 +4247,54 @@ >0 ulelong&0xFFFFF 34 ETC2_RGB8 >0 ulelong&0xFFFFF 35 ETC2_RGBA8 >0 ulelong&0xFFFFF 36 ETC2_RGB8A1 +# NOTE: This is a custom pixel format used by Sonic Colors Ultimate. +# Godot 4 later added its own ASTC format values. +>0 ulelong&0xFFFFF 37 ASTC_8x8 + +# Type: Godot 4 texture (pixel format) +# 
From: David Korth <gerbilsoft@gerbilsoft.com> +# NOTE: This is a custom pixel format used by Sonic Colors Ultimate. +# Godot 4 later added its own ASTC format values. +0 name godot-pixel-format-v4 +>0 ulelong&0xFFFFF 0 L8 +>0 ulelong&0xFFFFF 1 LA8 +>0 ulelong&0xFFFFF 2 R8 +>0 ulelong&0xFFFFF 3 RG8 +>0 ulelong&0xFFFFF 4 RGB8 +>0 ulelong&0xFFFFF 5 RGBA8 +>0 ulelong&0xFFFFF 6 RGBA4444 +>0 ulelong&0xFFFFF 7 RGB565 +>0 ulelong&0xFFFFF 8 RF +>0 ulelong&0xFFFFF 9 RGF +>0 ulelong&0xFFFFF 10 RGBF +>0 ulelong&0xFFFFF 11 RGBAF +>0 ulelong&0xFFFFF 12 RH +>0 ulelong&0xFFFFF 13 RGH +>0 ulelong&0xFFFFF 14 RGBH +>0 ulelong&0xFFFFF 15 RGBAH +>0 ulelong&0xFFFFF 16 RGBE9995 +>0 ulelong&0xFFFFF 17 DXT1 +>0 ulelong&0xFFFFF 18 DXT3 +>0 ulelong&0xFFFFF 19 DXT5 +>0 ulelong&0xFFFFF 20 RGTC_R +>0 ulelong&0xFFFFF 21 RGTC_RG +>0 ulelong&0xFFFFF 22 BPTC_RGBA +>0 ulelong&0xFFFFF 23 BPTC_RGBF +>0 ulelong&0xFFFFF 24 BPTC_RGBFU +>0 ulelong&0xFFFFF 25 ETC +>0 ulelong&0xFFFFF 36 ETC2_R11 +>0 ulelong&0xFFFFF 27 ETC2_R11S +>0 ulelong&0xFFFFF 28 ETC2_RG11 +>0 ulelong&0xFFFFF 29 ETC2_RG11S +>0 ulelong&0xFFFFF 30 ETC2_RGB8 +>0 ulelong&0xFFFFF 31 ETC2_RGBA8 +>0 ulelong&0xFFFFF 32 ETC2_RGB8A1 +>0 ulelong&0xFFFFF 33 ETC2_RA_AS_RG +>0 ulelong&0xFFFFF 34 DXT5_RA_AS_RG +>0 ulelong&0xFFFFF 35 ASTC_4x4 +>0 ulelong&0xFFFFF 36 ASTC_4x4_HDR >0 ulelong&0xFFFFF 37 ASTC_8x8 +>0 ulelong&0xFFFFF 38 ASTC_8x8_HDR # Type: Godot 3, 4 texture (rescale display, width) # From: David Korth <gerbilsoft@gerbilsoft.com> @@ -3791,7 +4366,7 @@ >16 ulelong&0x100000 0x100000 lossless encoding >16 ulelong&0x200000 0x200000 lossy encoding >16 ulelong&0x300000 0 ->>16 use godot-pixel-format +>>16 use godot-pixel-format-v3 # Type: Godot 4 texture # From: David Korth <gerbilsoft@gerbilsoft.com> 
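Review bot: In the new `godot-pixel-format-v4` table the `ETC2_R11` entry is keyed on 36 (`>0 ulelong&0xFFFFF 36 ETC2_R11`) although it sits between 25 (`ETC`) and 27 (`ETC2_R11S`). As written, value 26 would print no format name, and value 36 would match both this line and the later `36 ASTC_4x4_HDR`. It looks like a typo for `>0 ulelong&0xFFFFF 26 ETC2_R11`. The header of the v4 table also repeats the Sonic Colors Ultimate note, which belongs to the v3 table's `37 ASTC_8x8` line; for v4 I would drop it or reword it as `# NOTE: values 35-38 are Godot 4's own ASTC formats`.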
@@ -3810,7 +4385,200 @@ >12 use godot-rescale-display-h >12 uleshort x \b, >0x2C ulelong >1 %u mipmaps, ->0x30 use godot-pixel-format +>0x30 use godot-pixel-format-v4 >0x24 ulelong 1 \b, embedded PNG image >0x24 ulelong 2 \b, embedded WebP image >0x24 ulelong 3 \b, Basis Universal + +# Summary: iCEDraw graphic *.IDF +# URL: http://fileformats.archiveteam.org/wiki/ICEDraw +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf-icedraw.trid.xml +# From: Joerg Jenderek +# Note: called "iCEDraw graphic" by TrID, "iCEDraw text" by FFmpeg and "iCE Draw" by Ansilove +# verified by FFmpeg command `ffprobe ICE-9605.IDF` and `ansilove -s SQ-FORCE.IDF` +0 string \0041.4\0\0\0\0O\0 iCEDraw graphic +#!:mime application/octet-stream +!:mime image/x-idf +!:ext idf + +# Type: ColoRIX VGA Paint Image File (.rix/.sci/.scX) +# From: Eddy Jansson <github.com/eloj> +# Reference: https://www.fileformat.info/format/rix/spec/ +# +0 name rix-header +>0 uleshort x \b, %u x +>2 uleshort x %u +# palette type: +# .. if direct color, low bits encode bpp +>4 ubyte&128 0 +>>4 ubyte&127 x \b %u bpp (direct color) +# .. else palette +>4 ubyte&128 128 +>>4 ubyte&7 0 \b x 2 +>>4 ubyte&7 1 \b x 4 +>>4 ubyte&7 2 \b x 8 +>>4 ubyte&7 3 \b x 16 +>>4 ubyte&7 4 \b x 32 +>>4 ubyte&7 5 \b x 64 +>>4 ubyte&7 6 \b x 128 +>>4 ubyte&7 7 \b x 256 +# storage type +#>5 ubyte&15 0 \b, Linear +>5 ubyte&15 1 \b, Planar (0213) +>5 ubyte&15 2 \b, Planar +>5 ubyte&15 3 \b, Text +>5 ubyte&15 4 \b, Planar lines +>5 ubyte&128 128 \b (compressed) +>5 ubyte&64 64 \b (extension) +>5 ubyte&32 32 \b (encrypted) + +0 string RIX3 ColoRIX Image +>4 use rix-header + +0 string RIX7 ColoRIX Slideshow + +# http://fileformats.archiveteam.org/wiki/PaperPort_(MAX) +0 string ViG Visioneer PaperPort +>3 string Ae 2 +>3 string Be 2 +>3 string Cj 3-4 +>3 string Em 5-7 +>3 string Fk 8-12 +>3 default x MAX + + +# https://teem.sourceforge.net/nrrd/index.html +# 
From: Quasar Jarosz <quasar@uams.edu>, 2023 +0 string NRRD000 NRRD imaging data +!:mime image/x.nrrd +!:ext nrrd +>7 string x \b, version %s +>0 search type: +>>&1 string x \b, type: %s +>0 search dimension: +>>&1 string x \b, dimensions: %s +>0 search sizes: +>>&1 string x \b, sizes: %s +>0 search encoding: +>>&1 string x \b, encoding: %s + +# 
From: Joerg Jenderek +# URL: http://justsolve.archiveteam.org/wiki/PICT +# https://en.wikipedia.org/wiki/PICT +# Reference: https://www.fileformat.info/format/macpict/egff.htm +# http://mark0.net/download/triddefs_xml.7z/defs/p/pict-v2.trid.xml +# Note: called "Macintosh Quickdraw/PICT drawing" by shared MIME-info database from freedesktop.org, +# "QuickDraw/PICT bitmap (v2)" by TrID and "Macintosh PICT Image" version 2.0 by DROID via PUID via fmt/341 +# verified by command like `deark -m pict -l -d2 flag_b24.pct` as PICT v2, +# partly by NetPBM `picttoppm venus.pct | file` as "Macintosh PICT", +# partly by ImageMagick `identify -verbose flag_b24.pct` as (Apple Macintosh QuickDraw/PICT) and +# partly by XnView `nconvert -fullinfo *.pict *.pic *.pct` as "Macintosh PICT 2" +# look for version operator (0011h) and version number (02FFh) +522 ubelong 0x001102ff +# few Macintosh QuickDraw with one corner at -1/-1 coordinates like PICT_129.pict PICT_2012.pict (strength=81=70+11) before Claris clip art (strength=80 ./claris) +!:strength +11 +# look for Version operator (0C00h) +>526 ubeshort 0x0c00 +# skip DROID fmt-341-signature-id-468.pct with invalid dimension x=0 +>>520 ubeshort !0 +# skip DROID variant fmt-341-signature-id-468.pct using 0xAB instead 0x0 +>>>0 long !0xABABABAB Macintosh QuickDraw PICT, version 2 +#!:mime application/octet-stream +!:mime image/x-pict +!:apple ????PICT +!:ext pict/pic/pct +# maybe also suffix pict2 https://www.xnview.com/de/image_formats/ +#!:ext pict2/pict/pic/pct +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pict.trid.xml +# Note: called "Macintosh Quickdraw/PICT Drawing" by TrID +# "real" content stored by opcode 0x8200 (CompressedQuickTime *.qtif) with none, cvid or JPEG compression +# look for LongText QuickTime followed by trademark character +>>>>554 search/691976/b QuickTime\252 \b, QuickTime +# look for LongText afterwards like "and a/None|Cinepak|Photo - JPEG decompressor/are needed to see this picture" 
+>>>>>&0 search/28/bs \040decompressor with decompressor +>>>>>>&-4 string None None +# Cinepak and "Compact Video decompressor" seems to be cvid +>>>>>>&-7 string Cinepak Cinepak +>>>>>>&-12 string Photo\040-\040JPEG JPEG +>>>>>>&-13 string Compact\040Video cvid +# case where decompression is not like: Cinepak None "Photo - JPEG" "Compact Video decompressor" +>>>>>>&-6 default x +>>>>>>>&0 string x "%0.6s" +# file size in bytes; not reliable sometimes 0 or little smaller than real size +#>>>>512 ubeshort x \b, size %u +# 8 bytes picFrame (rectangle); for most examples one corner is located at coordinates 0/0; except deark other tools fail when negative values +# GRR: samples with coordinates -1/-1 and Y=0x01??|0x00?? are interpreted as "Claris clip art" (strength=80 ./claris) +#>>>>518 ubeshort x Y=%#4.4x +>>>>520 ubeshort x \b, %u +>>>>>516 beshort !0 \b-%d +>>>>518 ubeshort x x %u +>>>>>514 beshort !0 \b-%d +# Note: at the beginning all zeros or information about the particular software like: PICT +>>>>0 long !0 \b, at 0 +>>>>>0 string x %.4s +# version 2.0 files also have a 26-byte header following the version information +# like: 0 FFFEh (freedesktop egff~Encyclopedia of Graphics File Formats) FFFFh (egff) +>>>>528 ubeshort x \b, at 528 %#4.4x +# 2nd opcode like: 0x0000~NOP 0x0001~Clip 0x00a0~ShortComment 0x00a1~LongComment 0x001e~DefHilite 0x001f~OpColor +>>>>552 ubeshort x \b, at 552 second opcode %#4.4x +# last opcode if not opEndPic (00FFh) +>>>>-2 ubeshort !0x00FF \b, at the end %#4.4x opcode +# Reference: http://web.archive.org/web/20010703041301/http://developer.apple.com/technotes/qd/qd_14.html +# http://mark0.net/download/triddefs_xml.7z/defs/p/pict-v1.trid.xml +# Note: called "QuickDraw/PICT bitmap (v1)" by TrID and "Macintosh PICT Image" version 1.0 by DROID via PUID via x-fmt/80 +# verified by command like `deark -m pict -l -d2 FC9.PCT` as PICT v1, +# by ImageMagick `identify -verbose *.pict` as PICT (Apple Macintosh QuickDraw/PICT) and +# by 
XnView `nconvert -fullinfo *.pict *.pct` as "Macintosh PICT" +# 1 byte opcode for picversion (11h); next byte version number (1) +522 ubeshort 0x1101 +# skip DROID x-fmt-80-signature-id-859.pct x-fmt-80-signature-id-860.pct without next opcode usually clipRgn (1h) +>524 ubyte =0x01 +>>0 use mac-pict1 +# display Macintosh PICT drawing version 1 information +0 name mac-pict1 +>520 ubeshort x Macintosh QuickDraw PICT, version 1 +#!:mime application/octet-stream +!:mime image/x-pict +!:apple ????PICT +!:ext pict/pct +# maybe also suffix pict1 and pic +#!:ext pict1/pict/pic/pct +# file size in bytes; not reliable sometimes 0 or smaller than real size +#>512 ubeshort x \b, size %u +# 8 bytes picFrame (rectangle) +>520 ubeshort x \b, %u +>516 ubeshort !0 \b-%u +>518 ubeshort x x %u +>514 ubeshort !0 \b-%u +# Note: According to DROID at the beginning all zeros or information about the particular software like DRWG(MD|D2) +>0 long !0 \b, at 0 +>>0 string x %.6s +>>0 ubelong x %#8.8x +>>4 ubeshort x \b%4.4x +# 2nd opcode if not clipRgn (1h) +>524 ubyte !0x01 \b, at 524 %#2.2x opcode +# last opcode if not opEndPic (FFh) +>-1 ubyte !0xFF \b, at the end %#2.2x opcode + +# https://github.com/aseprite/aseprite/blob/main/docs/ase-file-specs.md +20 ulelong 0 +>24 ulelong 0 +>>4 uleshort 0xA5E0 Aseprite asset file +!:ext aseprite +>>>0 ulelong x \b, size %u +>>>6 uleshort x \b, frames %u +>>>8 uleshort x \b, size %ux +>>>10 uleshort x \b%u +>>>12 uleshort 32 \b, RGBA +>>>12 uleshort 16 \b, Grayscale +>>>12 uleshort 8 \b, Indexed +>>>14 ulelong x \b, flags %#x +#>>>18 uleshort x \b, speed %u +>>>28 ubyte x \b, transparency index %u +>>>32 uleshort x \b, number of colors %u +>>>34 ubyte >0 \b, pixel ratio %u: +>>>>35 ubyte x \b%u +>>>36 leshort x \b, grid position (%d, +>>>38 leshort x \b%d) +>>>40 uleshort x \b, grid size %dx +>>>42 uleshort x \b%d diff --git a/contrib/file/magic/Magdir/intel b/contrib/file/magic/Magdir/intel index 2b57fd1b246a..5177fea45785 100644 
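Review bot: The NRRD field lookups (`>0 search type:`, `>0 search dimension:`, `>0 search sizes:`, `>0 search encoding:`) have neither a range nor a line anchor. As far as I can tell an unranged `search` runs to the end of the buffer, so each one matches the first occurrence of the word anywhere, including inside another field name (a `space dimension:` line, if one precedes `dimension:`) or in inline data after the text header. The following `string x` then echoes whatever comes next into the description. I would anchor and bound them, e.g. `>0 search/N \ndimension:` with N sized to the text header, and add a comment such as `# field values are printed as found, not validated`.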
--- a/contrib/file/magic/Magdir/intel
+++ b/contrib/file/magic/Magdir/intel
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: intel,v 1.22 2022/04/02 14:47:42 christos Exp $
+# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $
 # intel: file(1) magic for x86 Unix
 #
 # Various flavors of x86 UNIX executable/object (other than Xenix, which
@@ -141,7 +141,7 @@
 # e80d0fcbh PXE-Intel.rom
 # b8004875h orchid.bin
 >>3 ubelong x %#8.8x
-# For misidetified raspberry pi pieeprom-*.bin like: 0xf00f
+# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f
 #>2 ubeshort x \b, AT 2 %#4.4x
 ################################################################################
 # new sections for BIOS (ia32) ROM Extension
@@ -230,12 +230,12 @@
 # PCI data structure length like: 24h 28h
 >>(24.s+0xA) uleshort >0x28 \b, length %u
 # PCI data structure revision like: 0 3
->>(24.s+0xC) ubyte >0 \b, revison %u
+>>(24.s+0xC) ubyte >0 \b, revision %u
 # image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83
 # Apparently this gives the same information as given by byte at offset 2 but as 16-bit
 #>>(24.s+0x10) uleshort x \b, length %u*512
 # revision level of code/data like: 0 1 201h 502h
->>(24.s+0xC) ubyte >1 \b, code revison %#x
+>>(24.s+0xC) ubyte >1 \b, code revision %#x
 # code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved
 >>(24.s+0x14) ubyte >0 \b, code type %#x
 # last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved
diff --git a/contrib/file/magic/Magdir/ispell b/contrib/file/magic/Magdir/ispell
index 57a6e9e78988..4bcb9f062e4f 100644
--- a/contrib/file/magic/Magdir/ispell
+++ b/contrib/file/magic/Magdir/ispell
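Review bot: The `code revision` line still reads a `ubyte` at `(24.s+0xC)`, the same byte the preceding `revision` line prints, while its own comment gives 16-bit examples (`201h`, `502h`) for the revision level of code/data. Judging by the neighbouring offsets in this hunk (image length at `+0x10`, code type at `+0x14`), the field is probably the 16-bit word in between, i.e. `>>(24.s+0x12) uleshort >1 \b, code revision %#x`. That should be confirmed against the PCI data structure layout before changing it. The enclosing entry starts outside the hunk.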
@@ -1,7 +1,7 @@
 #------------------------------------------------------------------------------
-# $File: ispell,v 1.8 2009/09/19 16:28:10 christos Exp $
-# ispell: file(1) magic for ispell
+# $File: ispell,v 1.10 2023/10/23 19:49:58 christos Exp $
+# ispell: file(1) magic for ispell, MySpell, Hunspell and aspell
 #
 # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic
 # will match 0x9600 through 0x9603 in *both* little endian and big endian.
@@ -61,3 +61,189 @@
 >12 long x lexsize %d,
 >16 long x hashsize %d,
 >20 long x stblsize %d
+
+# Summary: affixes defition text files for Ispell/MySpell/Hunspell
+#
From: Joerg Jenderek +# URL: https://www.openoffice.org/lingucomponent/affix.readme +# https://man.archlinux.org/man/hunspell.5.en +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/affix.trid.xml +# Note: called "Affix file" by TrID +# variant starting with comment character +0 ubyte 0x23 +# look for SET character command followed by whitespace (seems to be often 1 space character) like in: +# /usr/share/calibre/dictionaries/en-GB/en-GB.aff +>0 search/60459 SET\040 +# skip scripts like /bin/affixcompress /bin/setupcon /bin/imdbpy2sql.py by checking for valid character SET argument +# character SET argument like: UTF-8 +>>&0 string UTF-8 +>>>0 use spell-aff +# character SET argument like: ISO8859-1 - ISO8859-10 ISO8859-13 - ISO8859-15 +>>&0 string ISO8859- +>>>0 use spell-aff +# character SET argument for Russian with Cyrillic alphabet like: KOI8-R KOI8-U +# no russian support until war against ukraine +>>&0 string KOI8- +#>>>0 use spell-aff +# character SET argument for languages with Cyrillic alphabet like: cp1251 +# no cyrillic support until russia war against ukraine +>>&0 string cp1251 +#>>>0 use spell-aff +# character SET argument for Indian Script Code for Information Interchange (ISCII) like: ISCII-DEVANAGARI +>>&0 string ISCII- +# no example found +>>>0 use spell-aff +# not "real" affix rule files but found as tests unit inside thunderbird sources like: +# 1463589.aff 1695964.aff 2970240.aff +>0 default x +# look for suffix SFX command followed by whitespace like in: +# 1695964.aff +>>0 search/164 SFX\040 +>>>0 use spell-aff +# if not real Hunspell/MySpell affix look for ispell variant +>>0 default x +# URL: https://manpages.debian.org/testing/ispell/ispell.5.en.html +# look for ispell declaration like in: /usr/lib/ispell/espanol.aff +>>>0 search/8251 defstringtype +# defstringtype declaration start with unique name (like "list" "lat" "utf8" "iso" "nroff" often like formatter name) +# followed by formatter name (like "nroff" "tex") +# followed 
by suffix list (like ".mm" ".ms" ".me" ".man" ".NeXT" ".txt" ".list") +#>>>>&1 string x DECLARATION=%s +>>>>0 use spell-aff +# ispell variant without declaration like in: /usr/lib/ispell/bulgarian.aff /usr/lib/ispell/russian.aff +>>>0 default x +# skip /etc/nilfs_cleanerd.conf by looking for ispell suffix section +>>>>0 search/3233 suffixes\n +>>>>>0 use spell-aff +# variant starting with empty line and comment character at the beginning of 2nd line like in: /usr/lib/ispell/polish.aff +0 ubeshort 0x0a23 +# skip /etc/discover-modprobe.conf by looking for ispell declaration +>2 search/3118 defstringtype +>>0 use spell-aff +# starting with UTF-8 Byte Order Mark (BOM) https://en.wikipedia.org/wiki/Byte_order_mark +0 string \xEF\xBB\xBF +# starting with UTF-8 Byte Order Mark (BOM) followed by comment starting character +>3 string \x23 +# starting with UTF-8 BOM and with SET character command followed by whitespace +# like in: /opt/Wolfram/WolframEngine/13.1/SystemFiles/Components/SpellingData/SpellingDictionaries/lt.aff +# look for character SET command used in MySpell and Hunspell +>3 search/9883 SET\040 +>>0 use spell-aff +# look for FLAG type command used in MySpell and Hunspell +0 string FLAG +# followed by space character like in +# /opt/Wolfram/WolframEngine/13.1/SystemFiles/Components/SpellingData/SpellingDictionaries/en_US.aff +>4 ubyte 0x20 +>>0 use spell-aff +# or followed by tabulator character like in +# /opt/Wolfram/WolframEngine/13.1/SystemFiles/Components/SpellingData/SpellingDictionaries/ar.aff +>4 ubyte 0x09 +>>0 use spell-aff +# starting with character SET command used in MySpell and Hunspell like in: org/languagetool/resource/sv/hunspell/sv_SE.aff +0 string SET\040 +>0 use spell-aff +# starting with language code LANG used in MySpell and Hunspell like in: /usr/share/hunspell/tr_TR.aff +0 string LANG\040 +>0 use spell-aff +# starting with affix flag command AF used in MySpell and Hunspell like in: 
/usr/lib/thunderbird/extensions/langpack-hu@thunderbird.mozilla.org/dictionaries/hu.aff +0 string AF\040 +# look for number of flag vector aliases +>3 regex [0-9]{1,4} +>>0 use spell-aff +# display information (encoding,language,...) about affixes rules text for Ispell/MySpell/Hunspell +0 name spell-aff +>1 ubeshort x affix definition +#!:mime text/plain +!:mime text/x-affix +!:ext aff +# GRR: need extra test so that default clause works +>0 ubyte x +# look for ispell declaration +>>0 search/8251 defstringtype for Ispell +# ispell variant without declaration +>>0 default x +# look for ispell suffixes command +>>>0 search/3233 suffixes +# skip "suffixes used to create first part of a compound" by checking for flag argument like in: languagetool\resource\sv\hunspell\sv_SE.aff +>>>>&0 search/2 flag for Ispell +>>>>&0 default x for MySpell/Hunspell +# without suffixes keyword +>>>0 default x for MySpell/Hunspell +# look for language code command used in MySpell and Hunspell +# like in: /usr/share/hunspell/de_AT.aff /usr/share/hunspell/it_IT.aff /usr/share/hunspell/tr_TR.aff /usr/lib/firefox/browser/extensions/langpack-hu@firefox.mozilla.org/dictionaries/hu.aff +>>0 search/1117643 LANG\040 \b, language +# language code argument like: de_DE hu_HU it_IT mn_MN tr_TR +>>>&0 string x %s +# look for character SET command used in MySpell and Hunspell +>>0 search/1117729 SET +# skip SETTINGS like in /usr/lib/ispell/ngerman.aff +# SET command followed often by space character (0x20) or tabulator (0x09) like in +# /opt/Wolfram/WolframEngine/13.1/SystemFiles/Components/SpellingData/SpellingDictionaries/ar.aff +>>>&0 ubyte&0xD6 =0x00 +# skip SSET # schosS in /usr/lib/ispell/ogerman.aff +>>>>&0 ubyte >0x48 \b, +# character SET argument like: cp1251 ISCII-DEVANAGAR ISO8859-1 - ISO8859-10 ISO8859-13 - ISO8859-15 KOI8-R KOI8-U UTF-8 +>>>>>&-1 string x "%s" encoded +# for control reasons show first non empty lines for ASCII or ISO-8859 text variant +>1 ubeshort !0xBBBF +# 1st line 
starting with 0x0A like in /usr/src/dicts/sjp-ispell-pl-20140213/polish.aff +>>0 ubyte =0x0A +>>>1 ubyte !0x0A \b, 2nd line +>>>>&-1 string x "%s" +# 3rd line starting with 0x0A like in polish.aff +>>>>>&1 ubyte =0x0A +>>>>>>&0 string x \b, 4th line "%s" +# 1st line starting with ASCII text like: +# this is the affix file of the de_DE Hunspell dictionary +>>0 ubyte !0x0A +>>>0 string x \b, 1st line "%s" +>>>>&1 ubyte >0x1F \b, 2nd line +>>>>>&-1 string x "%s" +# 2nd line starting with 0x0A like in /usr/lib/ispell/bulgarian.aff +>>>>&1 ubyte =0x0A \b, 3rd line +>>>>>&0 string x "%s" +# for control reasons show first lines for variant starting with ByteOrderMark (BOM=\xEF\xBB\xBF) +>1 ubeshort =0xBBBF \b, with BOM +>>3 string x \b, 1st line "%s" +>>>&1 ubyte >0x1F \b, 2nd line +>>>>&-1 string x "%s" + +# 
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/GNU_Aspell +# https://manpages.ubuntu.com/manpages/trusty/en/man8/aspell-autobuildhash.8.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/r/rws-aspell.trid.xml +# https://ftp.gnu.org/gnu/aspell/aspell-0.60.8.tar.gz +# aspell-0.60.8/modules/speller/default/data.cpp +# aspell-0.60.8/modules/speller/default/readonly_ws.cpp +# Note: called "aspell dictionary" by TrID +0 string aspell\040default\040speller\040rowl aspell dictionary +#!:mime application/octet-stream +!:mime application/x-aspell-dictionary +!:ext rws +# version like: 1.10 1.4 +>28 string x \b, version %s +# u32int endian_check; 12345678=00BC614Eh +#>64 ulelong x \b, endian_check=%u +>>64 ulelong 12345678 \b, little endian +# not tested +>>64 ubelong 12345678 \b, big endian +# older aspell version not like 0.60.8 +>>64 default x \b, old +# URL: https://en.wikipedia.org/wiki/GNU_Aspell +# Reference http://aspell.net/man-html/Format-of-the-Personal-and-Replacement-Dictionaries.html +# personal_ws-1.1 lang num [encoding] +0 string personal_ aspell personal +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pws-aspell.trid.xml +# Note: called "aspell Personal dictionary" by TrID +>9 string ws- dictionary +#!:mime text/plain +!:mime text/x-aspell-dictionary +# like: ~/.aspell.en.pws ~/.aspell.de_DE.pws ~/.aspell.it.pws +!:ext pws +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prepl-aspell.trid.xml +# Note: called "aspell Personal Replacement dictionary" by TrID +# personal_repl-1.1 lang num [encoding] +>9 string repl- replacement dictionary +#!:mime text/plain +!:mime text/x-aspell-dictionary +# like: ~/.aspell.en.prepl ~/.aspell.de_DE.prepl ~/.aspell.it.prepl +!:ext prepl diff --git a/contrib/file/magic/Magdir/java b/contrib/file/magic/Magdir/java index b9854e54c159..d36127553513 100644 --- a/contrib/file/magic/Magdir/java +++ b/contrib/file/magic/Magdir/java 
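Review bot: The new affix rules pay for very large scans on ordinary input. The top-level `0 ubyte 0x23` test is true for every file that begins with `#` and is followed by `search/60459 SET\040`, while `spell-aff` itself uses `search/1117643 LANG\040` and `search/1117729 SET` only to decorate the description. For a library that is routinely run over untrusted or bulk files that is a lot of worst-case work per candidate, so I would cap those ranges or at least record where they come from, e.g. `# range taken from the largest known sample, <sample name>`. The `KOI8-` and `cp1251` tests have their `use spell-aff` commented out, so they match and report nothing; if that is intended, a neutral comment such as `# character sets deliberately not reported` would be clearer. The summary line also has a typo and could read `# Summary: affix definition text files for Ispell/MySpell/Hunspell`.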
@@ -1,6 +1,6 @@
 #------------------------------------------------------------
-# $File: java,v 1.21 2019/02/18 17:58:50 christos Exp $
+# $File: java,v 1.22 2023/01/11 23:59:49 christos Exp $
 # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the
 # same magic number, 0xcafebabe, so they are both handled
 # in the entry called "cafebabe".
@@ -43,3 +43,10 @@
 >6 leshort >0x00 \b, version %d
 >4 leshort x \b.%d
 !:mime application/x-java-image
+
+# JAR Manifest & Signature File
+# Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html
+0 string/t Manifest-Version:\x201.0 JAR Manifest
+!:ext MF
+0 string/t Signature-Version:\x201.0 JAR Signature File
+!:ext SF
diff --git a/contrib/file/magic/Magdir/javascript b/contrib/file/magic/Magdir/javascript
index 1e29c5e8e875..85d4a70b46de 100644
--- a/contrib/file/magic/Magdir/javascript
+++ b/contrib/file/magic/Magdir/javascript
@@ -1,22 +1,168 @@ #------------------------------------------------------------------------------ -# $File: javascript,v 1.3 2021/12/08 13:42:00 christos Exp $ +# $File: javascript,v 1.7 2024/11/10 14:48:55 christos Exp $ # javascript: magic for javascript and node.js scripts. # -0 string/w #!/bin/node Node.js script text executable +0 string/tw #!/bin/node Node.js script executable !:mime application/javascript -0 string/w #!/usr/bin/node Node.js script text executable +0 string/tw #!/usr/bin/node Node.js script executable !:mime application/javascript -0 string/w #!/bin/nodejs Node.js script text executable +0 string/tw #!/bin/nodejs Node.js script executable !:mime application/javascript -0 string/w #!/usr/bin/nodejs Node.js script text executable +0 string/tw #!/usr/bin/nodejs Node.js script executable !:mime application/javascript -0 string #!/usr/bin/env\ node Node.js script text executable +0 string/t #!/usr/bin/env\ node Node.js script executable !:mime application/javascript -0 string #!/usr/bin/env\ nodejs Node.js script text executable +0 string/t #!/usr/bin/env\ nodejs Node.js script executable !:mime application/javascript + +# JavaScript +# The strength is increased to beat the C++ but lose to HTML rules, +# because javascript is embedded in hmtl files typically +0 search "use\x20strict" JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 search 'use\x20strict' JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex module(\\.|\\[["'])exports.*= JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex \^(const|var|let).*=.*require\\( JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex \^export\x20(function|class|default|const|var|let|async)\x20 JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex \\((async\x20)?function[(\x20] JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex 
\^(import|export).*\x20from\x20 JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex \^(import|export)\x20["']\\./ JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js +0 regex typeof.*[!=]== JavaScript source +!:strength +20 +!:mime application/javascript +!:ext js + +# React Native minified JavaScript +0 search/128 __BUNDLE_START_TIME__= React Native minified JavaScript +!:strength +20 +!:mime application/javascript +!:ext bundle/jsbundle + # Hermes by Facebook https://hermesengine.dev/ # https://github.com/facebook/hermes/blob/master/include/hermes/\ # BCGen/HBC/BytecodeFileFormat.h#L24 0 lequad 0x1F1903C103BC1FC6 Hermes JavaScript bytecode >8 lelong x \b, version %d + +# v8 JavaScript engine bytecode +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://v8.dev/docs/ignition +# Note: used in bytenode and NW.js protected source code +# V8 bytecode extraction was added in NodeJS v5.7.0 (V8 4.6.85.31). +# Version information is provided for some v8 versions found in NodeJS releases. +2 uleshort =0xC0DE +>0 ulelong^0xC0DE0000 >0 +# Reservation table starts at 40 +>>40 ulelong&0xFFFFFF00 =0x80000000 +# Stub keys present +>>>24 ulelong >0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0xEE4BF478 version 5.1.281.111, +>>>>4 ulelong =0xC4A0100C version 5.5.372.43, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x cpu features: %#08X, +>>>>16 ulelong x flag hash: %#08X, +>>>>20 ulelong x %u reservations, +>>>>28 ulelong x payload size: %u bytes, +>>>>32 ulelong x checksum1: %#08X, +>>>>36 ulelong x checksum2: %#08X +# No stub keys +>>>24 ulelong =0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x54F0AD81 version 6.2.414.46, +>>>>4 ulelong =0X7D1BF182 version 6.2.414.54, +>>>>4 ulelong =0x35BA122E version 6.2.414.77, +>>>>4 ulelong =0X9319F9C2 version 6.2.414.78, +>>>>4 ulelong =0xB1240060 version 6.6.346.32, +>>>>4 ulelong =0x2B757060 version 6.7.288.46, +>>>>4 ulelong =0x09D147AA version 6.7.288.49, +>>>>4 ulelong =0xF4D4F48A version 6.8.275.32, +>>>>4 ulelong =0xD3961326 version 7.0.276.38, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x cpu features: %#08X, +>>>>16 ulelong x flag hash: %#08X, +>>>>20 ulelong x %u reservations, +>>>>28 ulelong x payload size: %u bytes, +>>>>32 ulelong x checksum1: %#08X, +>>>>36 ulelong x checksum2: %#08X +# Reservation table starts at 32 +>>32 ulelong&0xFFFFFF00 =0x80000000 +# Second checksum present +>>>28 ulelong >0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x21DDF627 version 7.4.288.21, +>>>>4 ulelong =0x1FC9FE84 version 7.4.288.27, +>>>>4 ulelong 
=0x60A99E8B version 7.5.288.22, +>>>>4 ulelong =0x4F665E90 version 7.6.303.29, +>>>>4 ulelong =0xC7ACFCDE version 7.7.299.11, +>>>>4 ulelong =0x7F641D8F version 7.7.299.13, +>>>>4 ulelong =0xFD9A4F2E version 7.8.279.17, +>>>>4 ulelong =0x3A845324 version 7.8.279.23, +>>>>4 ulelong =0xFF52FEAF version 7.9.317.25, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x flag hash: %#08X, +>>>>16 ulelong x %u reservations, +>>>>20 ulelong x payload size: %u bytes, +>>>>24 ulelong x checksum1: %#08X, +>>>>28 ulelong x checksum2: %#08X +# No second checksum +>>>28 ulelong =0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x8725E0F8 version 8.1.307.30, +>>>>4 ulelong =0x09ED1289 version 8.1.307.31, +>>>>4 ulelong =0xA5728C87 version 8.3.110.9, +>>>>4 ulelong =0xB45C5D30 version 8.4.371.23, +>>>>4 ulelong =0xED9C278B version 8.4.371.19, +>>>>4 ulelong =0xD27BFF42 version 8.6.395.16, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x flag hash: %#08X, +>>>>16 ulelong x %u reservations, +>>>>20 ulelong x payload size: %u bytes, +>>>>24 ulelong x payload checksum: %#08X +# No reservation table and code starts at 24 +>>32 ulelong =0 +>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>4 ulelong =0x9A6F0B0F version 9.0.257.17, +>>>4 ulelong =0x271D5D1E version 9.0.257.24, +>>>4 ulelong =0x4EEA75DF version 9.0.257.25, +>>>4 ulelong =0x80809479 version 9.1.269.36, +>>>4 ulelong =0x55C46F65 version 9.1.269.38, +>>>4 ulelong =0x8A9C758A version 9.2.230.21, +>>>4 ulelong =0x9712F0E1 version 9.3.345.16, +>>>4 ulelong =0x29593715 version 9.4.146.19, +>>>4 ulelong =0xCD991825 version 9.4.146.24, +>>>4 ulelong =0xACDD64EE version 9.4.146.26, +>>>4 ulelong =0xC96B4CD5 version 9.5.172.21, +>>>4 ulelong =0xBCCE4578 version 9.5.172.25, +>>>4 ulelong =0xA2EEA077 version 9.6.180.15, +>>>4 ulelong =0xFD350011 version 10.1.124.8, +>>>4 ulelong =0xBEF4028F version 10.2.154.13, +>>>4 ulelong =0xAF632352 
version 10.2.154.4, +>>>8 ulelong x source size: %u bytes, +>>>12 ulelong x flag hash: %#08X, +>>>16 ulelong x payload size: %u bytes, +>>>20 ulelong x payload checksum: %#08X diff --git a/contrib/file/magic/Magdir/jpeg b/contrib/file/magic/Magdir/jpeg index 522f8d34f07a..8a18727dd2dc 100644 --- a/contrib/file/magic/Magdir/jpeg +++ b/contrib/file/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.36 2021/08/28 12:30:52 christos Exp $ +# $File: jpeg,v 1.40 2024/11/10 00:26:35 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -34,12 +34,12 @@ >>13 byte 0 \b, aspect ratio >>13 byte 1 \b, resolution (DPI) >>13 byte 2 \b, resolution (DPCM) ->>14 beshort x \b, density %dx ->>16 beshort x \b%d ->>4 beshort x \b, segment length %d +>>14 ubeshort x \b, density %ux +>>16 ubeshort x \b%u +>>4 ubeshort x \b, segment length %u # Next, show thumbnail info, if it exists: ->>18 byte !0 \b, thumbnail %dx ->>>19 byte x \b%d +>>18 byte !0 \b, thumbnail %ux +>>>19 byte x \b%u >6 string Exif \b, Exif standard: [ >>12 indirect/r x >>12 string x \b] @@ -57,22 +57,22 @@ >0 beshort 0xFFC0 >>(2.S+2) use jpeg_segment >>4 byte x \b, baseline, precision %d ->>7 beshort x \b, %dx ->>5 beshort x \b%d +>>7 ubeshort x \b, %ux +>>5 ubeshort x \b%u >>9 byte x \b, components %d >0 beshort 0xFFC1 >>(2.S+2) use jpeg_segment >>4 byte x \b, extended sequential, precision %d ->>7 beshort x \b, %dx ->>5 beshort x \b%d +>>7 ubeshort x \b, %ux +>>5 ubeshort x \b%u >>9 byte x \b, components %d >0 beshort 0xFFC2 >>(2.S+2) use jpeg_segment >>4 byte x \b, progressive, precision %d ->>7 beshort x \b, %dx ->>5 beshort x \b%d +>>7 ubeshort x \b, %ux +>>5 ubeshort x \b%u >>9 byte x \b, components %d # Define Huffman Tables 
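Review bot: Several of the new `JavaScript source` tests are loose enough to fire on non-JavaScript text and are then boosted with `!:strength +20`: `typeof.*[!=]==` and `module(\\.|\\[["'])exports.*=` are unanchored, and the two `use strict` searches carry no range. Where libmagic output feeds an upload filter or a Content-Type decision, a document that merely quotes such a snippet could be labelled `application/javascript`. I would bound both kinds of test, with a range on the searches (`0 search/N "use\x20strict"`, N being a small reviewed limit) and a line limit on the regexes via the `/l` modifier. A comment above the block such as `# heuristic text match only; not evidence that the whole file is JavaScript` would also help, and the existing comment has a typo (`hmtl`).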
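Review bot: The thumbnail lines now print with `%u` but keep the signed `byte` type (`>>18 byte !0 \b, thumbnail %ux`, `>>>19 byte x \b%u`), whereas the density and segment-length lines in the same hunk were moved to `ubeshort`. For consistency I would make them `>>18 ubyte !0 \b, thumbnail %ux` and `>>>19 ubyte x \b%u`. The enclosing JFIF entry starts outside the hunk.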
@@ -103,43 +103,165 @@ #>>(2.S+2) use jpeg_segment # HSI is Handmade Software's proprietary JPEG encoding scheme +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HSI_JPEG +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-hsi1.trid.xml +# Note: called by TrID "HSI JPEG bitmap" 0 string hsi1 JPEG image data, HSI proprietary +#!:mime application/octet-stream +!:mime image/x-hsi +!:ext hsi/jpg # From: David Santinoli <david@santinoli.com> 0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 +# delete from ./animation (version 1.87) with jP (=6A50h) magic at offset 4 # 
From: Johan van der Knijff <johan.vanderknijff@kb.nl> # Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes # https://github.com/bitsgalore/jp2kMagic # # Now read value of 'Brand' field, which yields a few possibilities: +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JP2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpeg2k.trid.xml +# Note: called by TrID "JPEG 2000 bitmap" >20 string \x6a\x70\x32\x20 Part 1 (JP2) +# aliases image/jpeg2000, image/jpeg2000-image, image/x-jpeg2000-image !:mime image/jp2 +!:ext jp2 +# URL: http://fileformats.archiveteam.org/wiki/JPX +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpx.trid.xml +# Note: called by TrID "JPEG 2000 eXtended bitmap" >20 string \x6a\x70\x78\x20 Part 2 (JPX) !:mime image/jpx +!:ext jpf/jpx +# URL: http://fileformats.archiveteam.org/wiki/JPM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpm.trid.xml +# Note: called by TrID "JPEG 2000 eXtended bitmap" >20 string \x6a\x70\x6d\x20 Part 6 (JPM) !:mime image/jpm +!:ext jpm +# URL: http://fileformats.archiveteam.org/wiki/MJ2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/v/video-mj2.trid.xml +# Note: called by TrID "Motion JPEG 2000 video" >20 string \x6d\x6a\x70\x32 Part 3 (MJ2) !:mime video/mj2 +!:ext mj2/mjp2 # Type: JPEG 2000 codesream # 
From: Mathieu Malaterre <mathieu.malaterre@gmail.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_2000_codestream +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpc.trid.xml +# Note: called by TrID "JPEG-2000 Code Stream bitmap" 0 belong 0xff4fff51 JPEG 2000 codestream -45 beshort 0xff52 +# value like: 0701h FF50h +#>45 ubeshort x \b, at 45 %#4.4x +#!:mime application/octet-stream +# https://reposcope.com/mimetype/image/x-jp2-codestream +!:mime image/x-jp2-codestream +!:ext jpc/j2c/j2k +# MAYBE also JHC like in byte_causal.jhc ? +# WHAT IS THAT? DEAD ENTRY? +#45 beshort 0xff52 # JPEG extended range +# Update: Joerg Jenderek 2023 +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XR +# Reference: https://www.itu.int/rec/T-REC-T.832 +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wmp.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxr.trid.xml +# Note: called by TrID "JPEG XR bitmap" and "JPEG XR bitmap (WMPHOTO)" +# verified as "JPEG XR" by XnView `nconvert -fullinfo *.jxr *.wdp` +# partly by ImageMagick command `identify -verbose *.wdp` +# and libjxr-tools `JxrDecApp -v -i example.wdp -o example.tif` 0 string \x49\x49\xbc +# FILE_VERSION_ID; shall be equal to 1; other values are reserved for future use and are unlike to appear >3 byte 1 ->>4 lelong%2 0 JPEG-XR +# FIRST_IFD_OFFSET; shall be an integer multiple of 2; so skip DROID fmt-590-signature-id-931.wdp +>>4 lelong%2 0 JPEG-XR Image +#!:mime image/vnd.ms-photo !:mime image/jxr -!:ext jxr +# NO example for HDP ! +!:ext jxr/wdp/hdp +# MAYBE also WMP ? 
+#!:ext jxr/wdp/hdp/wmp +# moved from ./images (version 1.243 ) and merged +# example: +# http://shikino.co.jp/solution/upfile/FLOWER.wdp.zip +# often GDI_SIGNATURE "WMPHOTO\0" at offset 90 like: FLOWER.wdp abydos.jxr SMALLTOMATO.wdp +>90 bequad 0x574D50484F544F00 +>>0 use jxr-info +# seldom no GDI_SIGNATURE WMPHOTO\0 at offset 90 like: example.wdp MARKET-3361-ipm-bg-DE-treat[1].wdp +>90 bequad !0x574D50484F544F00 +# look for GDI_SIGNATURE WMPHOTO\0 at other offset +>>4 search/3267/sb WMPHOTO\0 +>>>&-90 use jxr-info +# +0 name jxr-info +# check for GDI_SIGNATURE that corresponds to "WMPHOTO\0" +>90 bequad 0x574D50484F544F00 +>>98 byte&0x08 =0x08 \b, hard tiling +>>99 byte&0x80 =0x80 \b, tiling present +>>99 byte&0x40 =0x40 \b, codestream present +>>99 byte&0x38 x \b, spatial xform= +>>99 byte&0x38 0x00 \bTL +>>99 byte&0x38 0x08 \bBL +>>99 byte&0x38 0x10 \bTR +>>99 byte&0x38 0x18 \bBR +>>99 byte&0x38 0x20 \bBT +>>99 byte&0x38 0x28 \bRB +>>99 byte&0x38 0x30 \bLT +>>99 byte&0x38 0x38 \bLB +>>100 byte&0x80 =0x80 \b, short header +>>>102 beshort+1 x \b, %u +>>>104 beshort+1 x \bx%u +>>100 byte&0x80 =0x00 \b, long header +>>>102 belong+1 x \b, %x +>>>106 belong+1 x \bx%x +>>101 beshort&0xf x \b, bitdepth= +>>>101 beshort&0xf 0x0 \b1-WHITE=1 +>>>101 beshort&0xf 0x1 \b8 +>>>101 beshort&0xf 0x2 \b16 +>>>101 beshort&0xf 0x3 \b16-SIGNED +>>>101 beshort&0xf 0x4 \b16-FLOAT +>>>101 beshort&0xf 0x5 \b(reserved 5) +>>>101 beshort&0xf 0x6 \b32-SIGNED +>>>101 beshort&0xf 0x7 \b32-FLOAT +>>>101 beshort&0xf 0x8 \b5 +>>>101 beshort&0xf 0x9 \b10 +>>>101 beshort&0xf 0xa \b5-6-5 +>>>101 beshort&0xf 0xb \b(reserved %d) +>>>101 beshort&0xf 0xc \b(reserved %d) +>>>101 beshort&0xf 0xd \b(reserved %d) +>>>101 beshort&0xf 0xe \b(reserved %d) +>>>101 beshort&0xf 0xf \b1-BLACK=1 +>>101 beshort&0xf0 x \b, colorfmt= +>>>101 beshort&0xf0 0x00 \bYONLY +>>>101 beshort&0xf0 0x10 \bYUV240 +>>>101 beshort&0xf0 0x20 \bYWV422 +>>>101 beshort&0xf0 0x30 \bYWV444 +>>>101 beshort&0xf0 0x40 \bCMYK +>>>101 
beshort&0xf0 0x50 \bCMYKDIRECT +>>>101 beshort&0xf0 0x60 \bNCOMPONENT +>>>101 beshort&0xf0 0x70 \bRGB +>>>101 beshort&0xf0 0x80 \bRGBE +>>>101 beshort&0xf0 >0x80 \b(reserved %#x) # JPEG XL # From: Ian Tester +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl.trid.xml +# Note: called by TrID "JPEG XL bitmap" 0 string \xff\x0a JPEG XL codestream -!:mime image/jxl +!:mime image/jxl !:ext jxl # JPEG XL (transcoded JPEG file) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl-iso.trid.xml +# Note: called by TrID "JPEG XL bitmap (ISOBMFF)" 0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container -!:mime image/jxl +!:mime image/jxl !:ext jxl diff --git a/contrib/file/magic/Magdir/keyman b/contrib/file/magic/Magdir/keyman new file mode 100644 index 000000000000..81d4d4ca0fc8 --- /dev/null +++ b/contrib/file/magic/Magdir/keyman @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: keyman,v 1.2 2024/10/17 19:23:07 christos Exp $ +# +# Keyman support for .kmx and .kmp files (kmp support is in archive) +# +# https://help.keyman.com/developer/current-version/reference/file-types/kmx +# https://help.keyman.com/developer/current-version/reference/file-types/kmp + +0 string/b KXTS Keyman Compiled Keyboard File +!:ext kmx +!:mime application/vnd.keyman.kmx +>4 lelong x version 0x%x +>>48 lelong &32 KMX+ Data diff --git a/contrib/file/magic/Magdir/lammps b/contrib/file/magic/Magdir/lammps index 5424383db80f..96454fe7806d 100644 --- a/contrib/file/magic/Magdir/lammps +++ b/contrib/file/magic/Magdir/lammps 
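Review bot: Three colour-format labels in the new `jxr-info` block look misspelled: `\bYUV240`, `\bYWV422` and `\bYWV444`, on the `>>>101 beshort&0xf0` tests for 0x10, 0x20 and 0x30, are presumably meant to be YUV420, YUV422 and YUV444. This should be confirmed against the T.832 reference cited in the hunk. The block's comment says it was moved from ./images, so the spelling probably predates this change, but tools that parse file(1) output during triage will carry the wrong strings. The proposed lines are `>>>101 beshort&0xf0 0x10 \bYUV420`, `>>>101 beshort&0xf0 0x20 \bYUV422` and `>>>101 beshort&0xf0 0x30 \bYUV444`. The long-header branch also prints the dimensions with `%x` where the short-header branch uses `%u`; if that is intentional it deserves a one-line comment.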
@@ -1,7 +1,6 @@ -#------------------------------------------------------------------------------ -# $File: lammps,v 1.1 2021/03/14 16:24:18 christos Exp $ -# +#------------------------------------------------------------------------------ +# $File: lammps,v 1.2 2024/06/10 23:09:52 christos Exp $ # Magic file patterns for use with file(1) for the # LAMMPS molecular dynamics simulation software. # https://lammps.sandia.gov diff --git a/contrib/file/magic/Magdir/lauterbach b/contrib/file/magic/Magdir/lauterbach new file mode 100644 index 000000000000..229157fce4e6 --- /dev/null +++ b/contrib/file/magic/Magdir/lauterbach @@ -0,0 +1,7 @@ + +#------------------------------------------------------------------------------ +# $File: lauterbach,v 1.1 2024/10/02 01:45:32 christos Exp $ +# Lauterbach GmbH file formats +# +0 string trace32\x20analyzer\x20data Lauterbach T32 trace data +!:ext ad diff --git a/contrib/file/magic/Magdir/lif b/contrib/file/magic/Magdir/lif index 89d7a8611624..3474a48d231e 100644 --- a/contrib/file/magic/Magdir/lif +++ b/contrib/file/magic/Magdir/lif @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lif,v 1.10 2021/04/26 15:56:00 christos Exp $ +# $File: lif,v 1.11 2022/10/19 20:15:16 christos Exp $ # lif: file(1) magic for lif # # (Daniel Quinlan <quinlan@yggdrasil.com>) @@ -16,9 +16,9 @@ >14 beshort =0 # skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number >>20 ubeshort <0x0100 -# skip DEGAS MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for ASCII like volume name -#>>>2 ubelong >0x2020201F ->>>0 use lif-file +# skip DROID fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx by test for ASCII like volume name +>>>2 ubelong >0x2020201F +>>>>0 use lif-file 0 name lif-file # LIF ID >0 beshort x lif file 
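Review bot: The re-enabled test `>>>2 ubelong >0x2020201F` in the `@@ -16,9 +16,9 @@` hunk is described as a check for an "ASCII like volume name", but it only compares bytes 2–5 as one big-endian number. Any label whose first byte is above 0x20 passes, including bytes with the high bit set, and the last two of the six label bytes are never examined. `lif-file` then prints the label with `"%.6s"`, so the guard narrows the match less than the comment suggests. Either reword the comment, for example `# weak filter: only orders the first 4 label bytes, does not prove the 6-byte label is printable`, or add an upper bound on the same field before `use lif-file`.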
@@ -27,6 +27,7 @@ !:ext lif/hpi/dat # volume label; A-Z 0-9 _ ; default are 6 spaces >2 string x "%.6s" +#>2 ubelong x LABEL=%8.8x # version number; 0 for systems without extensions or 1 for model 64000 >20 ubeshort x \b, version %u # LIF identifier; 010000 for system 3000 diff --git a/contrib/file/magic/Magdir/linux b/contrib/file/magic/Magdir/linux index 0405f778aa35..16aadca87d1a 100644 --- a/contrib/file/magic/Magdir/linux +++ b/contrib/file/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.80 2022/03/24 15:48:58 christos Exp $ +# $File: linux,v 1.91 2024/11/09 21:15:48 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> @@ -67,8 +67,8 @@ >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, ->24 lelong x %d ->28 lelong x \bx%d +>28 lelong x %d +>24 lelong x \bx%d # Linux swap and hibernate files # Linux kernel: include/linux/swap.h 
@@ -137,34 +137,230 @@ # Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu> # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de> # and Nicolas Lichtmaier <nick@debian.org> -# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 +# and Joerg Jenderek [unifying + more kernel info] +# many start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 +# by assembler instructions like: movw $0x07c0,%ax; movw %ax,%ds; movw $0x9000,%ax; movw %ax,%es; movw $0x0001,%cx; subw %si,%si; subw # Linux kernel boot images (i386 arch) (Wolfram Kleff) # URL: https://www.kernel.org/doc/Documentation/x86/boot.txt 514 string HdrS Linux kernel +# to display Linux kernel (strength=125=70+55) after VBR boot sector (130=70+60) but before DOS/MBR IPL (115=50+65), MBR boot sector (105=40+65) via ./filesystem +# before MZ PE32 executable (EFI application) (strength=50) and before DOS executable (COM) (strength=40) with start instruction 0xe9 via ./msdos !:strength + 55 # often no extension like in linux, vmlinuz, bzimage or memdisk but sometimes # Acronis Recovery kernel64.dat and Plop Boot Manager plpbtrom.bin # DamnSmallLinux 1.5 damnsmll.lnx +#!:mime application/octet-stream +!:mime application/x-linux-kernel !:ext /dat/bin/lnx +# GRR: does there exist here samples without 55AA boot signature? I believe NO (Joerg Jenderek) >510 leshort 0xAA55 x86 boot executable +>>0 use kernel-info +# show information about Linux kernel (root, swap device, vga modus, boot protocol, setup size, init_size, EFI entry point) +0 name kernel-info +# like: plpbtrom.bin +# After 16 bit jump instruction Hi, are you searching something? 
This is the Plop Boot Manager written by Elmar Hanlhofer http?://www.plop.at +>48 string Plop\040Boot\040Manager from PLOP Boot Manager +# dummy test below 512 limit (for LILO 24.2 bootsect.b) to get same magic indention level like in v 1.85 +# and display comma before zImage/bzImage or version +>498 leshort x \b, +# boot protocol option flags valid since boot protocol >= 2.00 >>518 leshort >0x1ff ->>>529 byte 0 zImage, ->>>529 byte 1 bzImage, ->>>526 lelong >0 +# loadflags bit 0 (read); LOADED_HIGH; if 0, the protected-mode code is loaded at 0x10000 +>>>529 ubyte&0x01 0 zImage, +# loadflags bit 0 (read); LOADED_HIGH; if 1, the protected-mode code is loaded at 0x100000; that implies is_bzImage +>>>529 ubyte&0x01 1 bzImage, +# kernel_version; since protocol 2.00 if not zero 2 byte pointer to kernel version string -200h; should be < 200h*setup_sects +# 0h (ldntldr.bin plpbtrom.bin) 260h (memtest32.bin memtest64.bin) 3b0h (memdisk16.bin) 890h (damnsmll.lnx) 3400h (linux64) 3640h (linux) +#>>>526 uleshort x kernel_version=%#4.4x +>>>526 uleshort >0 +# GRR: \353fHdrS\003\002 wrong shown if kernel_version=0 like in ldntldr.bin (GRUB for DOS) >>>>(526.s+0x200) string >\0 version %s, +# 498 MasterBootRecord 4th partition entry partition type (0~empty 1~FAT12) done by ./filesystems +# 499 MasterBootRecord 4th partition entry end heads done by ./filesystems +# root_flags; if set (=1), the root is mounted readonly; deprecated, use the "ro" or "rw" option on the command line instead +#>>498 uleshort >1 root_flags=%u >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, +# root_dev; default root device number like 0 301h (/dev/hda1 damnsmll.lnx) 380h (/dev/hd?? 
linux-elks); deprecated and replaced by command line option root= >>508 leshort >0 root_dev %#X, ->>502 leshort >0 swap_dev %#X, +# since protocol 2.04 the 2 upper bytes of long syssize and not swap_dev any more +>>518 uleshort <0x204 +# 502-505 MasterBootRecord 4th partition entry 1st LBA sector done by ./filesystems +>>>502 leshort >0 swap_dev %#X, >>504 leshort >0 RAMdisksize %u KB, +# 506-509 MasterBootRecord 4th partition entry sectors in partition done by ./filesystems >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA >>506 leshort 0xFFFD Prompt for Videomode >>506 leshort >0 Video mode %d +# more kernel information added by Joerg Jenderek 2023 +# if needed display comma after video mode and before setup_sects +>>506 leshort >-4 +>>>506 leshort !0 \b, +# setup_sects; if field contains 0, the real value is 4; size of the setup in sectors like: +# 0 (memdisk16.bin) 1 (ldntldr.bin) 2 (memtest32.bin memtest64.bin) 4 (plpbtrom.bin linux-elks) 8 (bootsect.b) 10 (damnsmll.lnx) 25 27 (linux64) 29 30 31 33 (linux) +# MasterBootRecord 4th partition entry start cylinder bits 0-7 done by ./filesystems +>>497 ubyte !0 setup size 512*%u +>>497 ubyte =0 setup size 512*4 (not 0) +# 500 MasterBootRecord 4th partition entry end sectors+cylinder bits 8-9 done by ./filesystems +# 501 MasterBootRecord 4th partition entry end cylinder bits 0-7 done by ./filesystems +# syssize; 32-bit code size in 16-byte paragraphs; since protocol 2.04 long before unreliable short +>>518 uleshort <0x204 \b, +# 0 (ldntldr.bin) 0 (memdisk16.bin) f180h (damnsmll.lnx) +>>>500 uleshort x syssize %#x +>>518 uleshort >0x203 \b, +# 0 (plpbtrom.bin) 1270h (linux-elks) 217eh (memtest32.bin) 22deh (memtest64.bin) 2c01h (memtest86+.bin) 459c6h (linux misinterpreted as swap_dev 0X4) 70c32h (linux64 misinterpreted as swap_dev 0X7) +>>>500 ulelong x syssize %#x +# jump; jump instruction relative to byte 0x202 +>>512 ubyte =0xEB \b, jump +# jump adress like: 0x230 (damnsmll.lnx) 0x240 
(memdisk16.bin) 0x268 (memtest32.bin memtest64.bin ldntldr.bin linux AFTER handover offset) 0x26c (linux64) +>>>513 byte+2 x 0x2%2.2x +# next instruction like: +# b800088ec00fb60e mov ax,0x0800; mov es,ax; movzx cx,byte [] memdisk16.bin +# 8cc88ed88ec0e88b00 movw %cs,%ax; movw %ax,%ds; movw %ax,%es; call get_mem_info memtest32.bin +# 8cc88ed88ec0e88b00 movw %cs,%ax; movw %ax,%ds; movw %ax,%es; call get_mem_info memtest64.bin +>>>(513.b+514) ubequad x %#16.16llx instruction +# without jump instruction like: 0 (bootsect-lilo-24.2.b EOF!) 0xb8 (mov linux-elks) 0xfa (cli memtest86+.bin) +>>512 ubyte !0xEB \b, at 0x200 %#x instruction +# boot protocol version field valid since version >= 2.00 which is indicated by HdrS magic +# so skip memtest86+.bin with misinterpreted protocol 144.0 (0x9000) +>>514 string HdrS \b, +# Boot protocol version; 2.3 (ldntldr.bin damnsmll.lnx) 2.6 (plpbtrom.bin) 2.10 2.11 (linux) 2.12 (memtest32.bin) 2.13 2.15 (linux64) +>>>519 ubyte x protocol %u +>>>518 ubyte x \b.%u +# boot protocol in hexadecimal needed for addtional tests +#>>>518 uleshort x (%#4.4x) +# type_of_loader; Boot loader identifier; filled out by the bootloader +>>>528 ubyte >0 \b, loader %#x +# loadflags; boot protocol option flags +#>>>529 ubyte x loadflags=%#x +# loadflags bit 1 (kernel internal); KASLR_FLAG KASLR status to kernel +>>>529 ubyte&0x02 !0 \b, KASLR enabled +# loadflags bit 5 (write); QUIET_FLAG +>>>529 ubyte&0x20 !0 \b, quiet +# loadflags bit 6 (write) since boot protocal version >= 2.07; KEEP_SEGMENTS +>>>518 uleshort >0x206 +>>>>529 ubyte&0x40 !0 \b, keep segments +# loadflags bit 7 (write); CAN_USE_HEAP +>>>529 ubyte&0x80 !0 \b, can use heap +# payload_offset; since boot protocol 2.08 if non-zero contains offset of the protected-mode code to the payload like: cdh (linux) 40dh (linux64) +>>>518 uleshort >0x207 +>>>>584 ulelong >0 \b, from protected-mode code at offset %#x +# payload_length; since boot protocol 2.08 the length of the payload like: 452c41h 
(linux) 6fb644h (linux64) +>>>>>588 ulelong x %#x bytes +# jump setup size sectors a 512 bytes from kernel beginning +>>>>>(497.b*512) ubequad x +#>>>>>(497.b*512) ubequad x 512BYTES_BEFORE_PROTECTED-MODE_CODE=%#16.16llx +# jump payload_offset bytes + 512 bytes (for boot sector) - 8 (ubequad length) to payload start +#>>>>>>&(584.l+504) ubeshort x PAYLOAD=%#4.4x +# supported compression formats are gzip (magic numbers 1F8B or 1F9E linux) bzip2 (425A), LZMA (5D00 linux64), XZ (FD37) LZ4 (0221) ZST v0.8+ (28B5) +>>>>>>&(584.l+504) ubeshort =0x1F8B gzip compressed +>>>>>>&(584.l+504) ubeshort =0x1F9E gzip compressed +>>>>>>&(584.l+504) ubeshort =0x425A bzip2 compressed +>>>>>>&(584.l+504) ubeshort =0x5D00 LZMA compressed +>>>>>>&(584.l+504) ubeshort =0xFD37 XZ compressed +>>>>>>&(584.l+504) ubeshort =0x0221 LZ4 compressed +>>>>>>&(584.l+504) ubeshort =0x28B5 ZST compressed +# TODO: handle compressed data by ./compress; difficulties with leading space and duplicate gzip compressed +#>>>>>>&(584.l+504) indirect x COMPRESS_NOT_WORKING +# setup_move_size; for protocol 2.00-2.01; bytes starting with the beginning of the boot sector +# like: 0 (ldntldr.bin memdisk16.bin memtest32.bin memtest64.bin plpbtrom.bin) 8000h (damnsmll.lnx linux linux64) +>>>518 uleshort <0x202 +>>>>518 uleshort >0x1FF +>>>>530 uleshort x \b, setup_move_size %#4.4x +# code32_start; address to jump to in protected mode like: 100000h (linux linux64 memtest32.bin memtest64.bin) +#>>>>532 ulelong >0 \b, code32_start %#x +# kernel_alignment; since boot protocol 2.05 alignment unit required by the kernel (if relocatable_kernel is true) like: 0 (plptrom.bin) 1000h (memtest32.bin memtest64.bin) 200000h (linux) 1000000h (linux64) +#>>>518 uleshort >0x204 +#>>>>560 ulelong x \b, kernel_alignment %#x +# relocatable_kernel; since boot protocol 2.05 the protected-mode part of the kernel can be loaded at any address if this field is nonzero +>>>518 uleshort >0x204 +>>>>564 ubyte =1 \b, relocatable +#>>>>564 ubyte 
x \b, relocatable_kernel=%u +# min_alignment; since boot protocol 2.10 if nonzero, indicates as a power of two the minimum alignment required like: 12 (4 KB memtest32.bin memtest64.bin) 13 (8 KB linux) 21 (2 MB linux64) +#>>>518 uleshort >0x209 +#>>>>565 ubyte >0 \b, min_alignment %u +# xloadflags; since boot protocol 2.12 like: 3fh (linux64 unexpected value) 4h(memtest32.bin) 9h(memtest64.bin) +>>>518 uleshort >0x20B +#>>>>566 uleshort x \b, xloadflags=%#4.4x +# handover_offset; offset from beginning of kernel image to EFI handover protocol entry point like: +# 0 (damnsmll.lnx ldntldr.bin) 10h (memtest32.bin memtest64.bin) 30h (linux) 190h (linux64) 8e9000b8h (plpbtrom.bin INVALID!) +# this value makes only sense when 32 or 64-bit EFI handoff entry point +>>>>566 uleshort&0x000C !0 \b, handover offset +>>>>>612 ulelong x %#x +# Bit 0 XLF_KERNEL_64; if 1, this kernel has the legacy 64-bit entry point at 0x200 +>>>>566 uleshort&0x0001 !0 \b, legacy 64-bit entry point +# Bit 1 XLF_CAN_BE_LOADED_ABOVE_4G; if 1, kernel/boot_params/cmdline/ramdisk can be above 4G +>>>>566 uleshort&0x0002 !0 \b, can be above 4G +# Bit 2 XLF_EFI_HANDOVER_32; if 1, the kernel supports the 32-bit EFI handoff entry point +>>>>566 uleshort&0x0004 !0 \b, 32-bit EFI handoff entry point +# Bit 3 XLF_EFI_HANDOVER_64; if 1, the kernel supports the 64-bit EFI handoff entry point +>>>>566 uleshort&0x0008 !0 \b, 64-bit EFI handoff entry point +# Bit 4 EFI_KEXEC; if 1, the kernel supports kexec EFI boot with EFI runtime support +>>>>566 uleshort&0x0010 !0 \b, EFI kexec boot support +# GRR: What does bit 5 mean? 
+>>>>566 uleshort&0x0020 !0 \b, xloadflags bit 5 +# cmdline_size; since boot protocol 2.06 maximum size of the kernel command line like: 255 (memtest32.bin memtest64.bin) 2047 (linux linux64 plpbtrom); version <= 2.06 maximum was 255 +>>>518 uleshort >0x205 +>>>>568 ulelong x \b, max cmdline size %u +# hardware_subarch; since boot protocol 2.07 hardware subarchtecture like: 0~default x86 1~lguest 2~Xen 3~Moorestown 4~CE4100 TV +>>>518 uleshort >0x206 +>>>>572 ulelong >0 \b, hardware_subarch %u +# hardware_subarch_data; since boot protocol 2.07 pointer to data specific for hardware subarch; unused for default x86 +>>>>>576 ulequad >0 \b, hardware_subarch_data %#llx +# setup_data; since boot protocol 2.09 64-bit physical pointer to NULL terminated single linked list of struct setup_data +>>>518 uleshort >0x208 +>>>>592 ulequad >0 \b, setup_data %16.16llx +# pref_address; since boot protocol 2.10 if nonzero preferred load address for kernel like: 100000h (memtest32.bin memtest64.bin) 200000h (linux) 1000000h (linux64) +#>>>518 uleshort >0x209 +#>>>>600 ulequad >0 \b, pref_address %#llx +# init_size; since boot protocol 2.10 indicates amount of contiguous memory kernel needs before it is capable of examining its memory map +# like: 0h (damnsmll.lnx) 687f8h (memtest32.bin) 6acf8h (memtest64.bin) aa3000h (linux) 2514000h (linux64) 67ea0000h (memdisk16.bin INVALID) a4f3f2ffh (plpbtrom.bin INVALID) ffffff80h (ldntldr.bin INVALID) +>>>518 uleshort >0x209 +>>>>608 ulelong x \b, init_size %#x # This also matches new kernels, which were caught above by "HdrS". 
-0 belong 0xb8c0078e Linux kernel +# but also few samples without "HdrS" magic like: bootsect-lilo-24.2.b linux-elks memtest86+.bin +# URL: https://tldp.org/HOWTO/Linux-i386-Boot-Code-HOWTO/bootsect.html +#0 belong 0xb8c0078e Linux kernel +0 belong 0xb8c0078e +# to display Linux x86 kernel or Linux ELKS Kernel (strength=70=70+0) after VBR boot sector (130=70+60) DOS/MBR IPL (115=50+65), MBR boot sector (105=40+65) via ./filesystem +#!:strength +0 +# "newer" kernel (with HdrS magic) already done before +>514 string HdrS +# so handle "old" kernel variant (without HdrS magic) +>514 default x Linux +#!:mime application/octet-stream +!:mime application/x-linux-kernel +# GRR: in file 5.45 remaining default clause not working for samples with size = 512 like LILO 24.2 bootsect.b +>>0 belong x +# ELKS kernel variant is now unified with other "old" kernel variant (without HdrS magic) +>>0x1e6 belong =0x454c4b53 ELKS Kernel +!:ext / +# "old" kernel variant and not ELKS +>>0x1e6 belong !0x454c4b53 x86 kernel +!:ext /b/bin +# show kernel version information based on "Loading" message offset +>>0 use kernel-version-old1 +# unified "old" variant with start instruction \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 +>>4 string \xd8\xb8\x00\x90 +# show kernel version information part 2 for "old" kernel variant (without HdrS magic) based on new HdrS field +>>>0 use kernel-version-old2 +# show kernel version information part 3 for "old" kernel variant (without HdrS magic) based on new HdrS field +>>>0 use kernel-version-old3 +# show common kernel information +>>0 use kernel-info +# show kernel version information part 1 for "old" kernel variant (without HdrS magic) based on "Loading" message offset +0 name kernel-version-old1 >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times +# LILO 24.2-5.1 bootsect.b +>0x1c5 string Loading from LILO 24.2 +# Memtest86 5.31b memtest86+.bin +>0x1d2 string Loading from Memtest86 5.31b +# DamnSmallLinux kernel version 2.4.26 
damnsmll.lnx not needed because done by kernel_version pointer +#>0x1cb string Loading damnsmll.lnx 2.4.26~ +# Memtest86+ v6.20 memtest32.bin not needed because done by kernel_version pointer +#>0x1c6 string Loading\040Memtest86+ from Memtest86+ v6.20 # System.map files - Nicolas Lichtmaier <nick@debian.org> 8 search/1 \ A\ _text Linux kernel symbol map text 
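Review bot: The payload probe in `kernel-info` takes its base from the raw setup_sects byte, `>>>>>(497.b*512) ubequad x`, yet the same hunk documents that a stored 0 means 4 sectors and prints `setup size 512*4 (not 0)` for it. For an image with setup_sects 0, the following `&(584.l+504)` tests therefore read 2048 bytes before the real payload start, so the gzip/bzip2/LZMA/XZ/LZ4/ZST label can be missing or wrong. That matters when this output decides how an untrusted boot image is unpacked or triaged. Guard the existing block with `>>>>>497 ubyte !0` and give the zero case its own branch on the fixed base, along the lines of `(584.l+2560) ubeshort =0x1F8B gzip compressed`. This is untested, and the nesting levels of the seven compression tests would shift by one. The hunk's own comment that kernel_version "should be < 200h*setup_sects" is likewise not enforced before `(526.s+0x200)` is followed.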
@@ -183,13 +379,37 @@ ############################################################################ # Linux kernel versions -0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux +# apply only to "old" kernel variant (without HdrS magic) like damnsmll.lnx memtest86+.bin +# wrong (497 setup_sects 498 root_flags) and now already done by 1st unified "old" kernel variant +#0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux +0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90foo OLD_VARIANT Linux >497 leshort 0 x86 boot sector +>>0 use kernel-version-old2 +>497 leshort !0 x86 kernel +# not needed any more because information is now shown by common kernel-info with other phrases +>>0 use kernel-info-old +# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field +>>0 use kernel-version-old3 +>>0 use kernel-version-4 +# version information part 2 for "old" kernel variant (without HdrS magic) based on new HdrS field +0 name kernel-version-old2 +# dummy test to get same magic indention level like in v 1.85 +>518 leshort x >>514 belong 0x8e of a kernel from the dawn of time! >>514 belong 0x908ed8b4 version 0.99-1.1.42 >>514 belong 0x908ed8b8 for memtest86 - +# dummy test function to get same magic indention level like in v 1.85 +0 name kernel-version-dummy >497 leshort !0 x86 kernel +# not needed any more because information is now shown by kernel-info +#>0 use kernel-info-old +>>0 use kernel-info +# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field +>0 use kernel-version-old3 +# deprecated because same information is shown by kernel-info with other phrases +0 name kernel-info-old +# dummy test to get same magic indention level like in v 1.85 +>504 leshort x >>504 leshort >0 RAMdisksize=%u KB >>502 leshort >0 swap=%#X >>508 leshort >0 root=%#X 
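Review bot: The old top-level entry is disabled by appending a literal `foo` to its pattern, `0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90foo OLD_VARIANT Linux`, rather than by commenting it out. It still compiles into the magic database together with its children, which call `kernel-info-old` and `kernel-version-4`. `kernel-version-dummy` is defined here but no `use` of it is visible in this diff, and `kernel-version-4`, added in the following `@@ -207,16 +431,27 @@` hunk, is described as "not needed any more". A crafted file that carries those eleven bytes would re-activate the deprecated output path, and readers cannot tell live rules from placeholders. Prefer removing the entry and the unused `name` blocks, or at least mark it with `# DISABLED: pattern suffixed with "foo" so it never matches real images; kept only for indentation parity with v1.85`.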
@@ -199,6 +419,10 @@ >>506 leshort 0xFFFE vga=extended >>506 leshort 0xFFFD vga=ask >>506 leshort >0 vga=%d +# kernel version information part 3 for "old" kernel variant (without HdrS magic) based on HdrS field +0 name kernel-version-old3 +# dummy test to get same magic indention level like in v 1.85 +>514 belong x >>514 belong 0x908ed881 version 1.1.43-1.1.45 >>514 belong 0x15b281cd >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 @@ -207,16 +431,27 @@ >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72 +# show kernel version information part 4 for kernel variant (with HdrS magic) based on "HdrS" field +# not needed any more because information is now shown by common kernel-info +0 name kernel-version-4 +# dummy test to get same magic indention level like in v 1.85 +>518 leshort x >>514 string HdrS >>>518 leshort >0x1FF >>>>529 byte 0 \b, zImage >>>>529 byte 1 \b, bzImage +# GRR: Not valid if kernel_version=0 >>>>(526.s+0x200) string >\0 \b, version %s # Linux boot sector thefts. -0 belong 0xb8c0078e Linux ->0x1e6 belong 0x454c4b53 ELKS Kernel ->0x1e6 belong !0x454c4b53 style boot sector +# ELKS kernel variant is now unified with above "old" kernel variant (without HdrS magic) +#0 belong 0xb8c0078e Linux +# display "Linux ELKS Kernel" or "Linux style boot sector" (strength=70) after DOS/MBR IPL (115=50+65) and MBR boot sector (105=40+65) via ./filesystem +#!:strength +0 +# https://en.wikipedia.org/wiki/Embeddable_Linux_Kernel_Subset +# https://github.com/jbruchon/elks/releases/download/v0.6.0/fd2880-fat.img/linux +#>0x1e6 belong 0x454c4b53 ELKS Kernel +#>0x1e6 belong !0x454c4b53 style boot sector ############################################################################ # Linux S390 kernel image @@ -238,16 +473,44 @@ # Linux ARM compressed kernel image # 
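Review bot: In the `@@ -207,16 +431,27 @@` hunk the added comment `# GRR: Not valid if kernel_version=0` records a known problem, but the line below it still follows the pointer unconditionally. With a zero 16-bit value at 526, `(526.s+0x200)` resolves to offset 0x200 and any non-empty bytes there are printed as the version string. That text comes from the inspected file, so the test should be guarded rather than only annotated, for example `>>>>526 leshort !0` followed by `>>>>>(526.s+0x200) string >\0 \b, version %s`.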
From: Kevin Cernekee <cernekee@gmail.com> # Update: Joerg Jenderek +# Update: Luke T. Shumaker +0 name arm-zimage +# Version indicators +>0x34 lelong 0x45454545 (kernel >=v4.15) +>0x34 lelong !0x45454545 +>>0x30 clear x +>>0x30 belong 0x04030201 (kernel >=v3.17, <v4.15) +>>0x30 lelong 0x04030201 (kernel >=v3.17, <v4.15) +>>0x30 default x (kernel <v3.17) +# Endianness indicators +# +# The kernel has 3 endianness modes: little-endian, and 2 variants of +# big-endian: BE-32 (ARMv5) and BE-8 (ARMv6+). +# +# In kernels <v3.17: +# - the 0x016f2818 @ 0x24 magic number indicates big-endian or +# little-endian (can't distinguish between BE-8 and BE-32) +# In kernels >=v3.17: +# - a new 0x04030201 @ 0x30 magic number indicates big-endian or +# little-endian, but doesn't distinguish between BE-8 and BE-32 +# - the old 0x016f2818 @ 0x24 magic number is little-endian for +# LE *and* BE-8, or big-endian for BE-32 +# +# >=v3.17 +>0x30 clear x +>0x30 belong 0x04030201 (big-endian, +>>0x24 belong 0x016f2818 BE-32, ARMv5) +>>0x24 lelong 0x016f2818 BE-8, ARMv6+) +>0x30 lelong 0x04030201 (little-endian) +# <v3.17 +>0x30 default x +>>0x24 lelong 0x016f2818 (little-endian) +>>0x24 belong 0x016f2818 (big-endian) + 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage -# There are three possible situations: LE, BE with LE bootloader and pure BE. -# In order to aid telling these apart a new endian flag was added. In order -# to support kernels before the flag and BE with LE bootloader was added we'll -# do a negative check against the BE variant of the flag when we see a LE magic. 
->0x30 belong !0x04030201 (little-endian) -# raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" -!:ext img/bin ->0x30 belong 0x04030201 (big-endian) -0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) +>0 use arm-zimage +0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage +>0 use arm-zimage ############################################################################ # Linux AARCH64 kernel image @@ -259,6 +522,12 @@ >0x18 lelong &6 \b, 32K pages ############################################################################ +# Linux RISC-V kernel image +0x38 string RSC\05 Linux kernel RISC-V boot executable Image +>0x18 lelong ^1 \b, little-endian +>0x18 lelong &1 \b, big-endian + +############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless >5 string . @@ -357,59 +626,105 @@ >8 lelong x version %d, >12 lelong x chunk_size %d -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - -# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec -# Anthon van der Neut (anthon@mnt.org) -0 string LUKS\xba\xbe LUKS encrypted file, ->6 beshort x ver %d ->8 string x [%s, ->40 string x %s, ->72 string x %s] ->168 string x UUID: %s - - # Summary: Xen saved domain file # Created by: Radek Vokal <rvokal@redhat.com> 0 string LinuxGuestRecord Xen saved domain >20 search/256 (name >>&1 string x (name %s) -# Type: Xen, the virtual machine monitor -# From: Radek Vokal <rvokal@redhat.com> -0 string LinuxGuestRecord Xen saved domain -#>2 regex \(name\ [^)]*\) %s ->20 search/256 (name (name ->>&1 string x %s...) - # Systemd journald files # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # 
From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> - -# check magic +# Update: Joerg Jenderek +# URL: https://systemd.io/JOURNAL_FILE_FORMAT/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml +# Note: called "systemd journal" by TrID +# verified by `journalctl --file=user-1000.journal` +# check magic signature[8] 0 string LPKSHHRH # check that state is one of known values +# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 >16 ubyte&252 0 # check that each half of three unique id128s is non-zero +# file_id >>24 ubequad >0 >>>32 ubequad >0 +# machine_id >>>>40 ubequad >0 >>>>>48 ubequad >0 +# boot_id; last writer >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file -!:mime application/octet-stream +#!:mime application/octet-stream +!:mime application/x-linux-journal # provide more info +# head_entry_realtime; contains a POSIX timestamp stored in microseconds +>>>>>>>>184 leqdate/1000000 !0 \b, %s >>>>>>>>184 leqdate 0 empty ->>>>>>>>16 ubyte 0 \b, offline ->>>>>>>>16 ubyte 1 \b, online +# If a file is closed after writing the state field should be set to STATE_OFFLINE +>>>>>>>>16 ubyte 0 \b, +# for offline and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 offline +# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html +# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: +# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' +!:ext journal~ +# for offline and non empty often *.journal~ but also user-1001.journal +>>>>>>>>>184 leqdate !0 offline +!:ext journal/journal~ +# if a file is opened for writing the state field should be set to STATE_ONLINE +>>>>>>>>16 ubyte 1 \b, +# for online and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 online +# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~ +!:ext journal~ +# for online and non empty only journal extension found +>>>>>>>>>184 leqdate !0 online +# system.journal 
user-1000.journal +!:ext journal +# after a file has been rotated it should be set to STATE_ARCHIVED >>>>>>>>16 ubyte 2 \b, archived +!:ext journal +# no *.journal~ found +#!:ext journal/journal~ +# compatible_flags >>>>>>>>8 ulelong&1 1 \b, sealed +# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 +#>>>>>>>>12 ulelong x FLAGS=%#x >>>>>>>>12 ulelong&1 1 \b, compressed +>>>>>>>>12 ulelong&2 !0 \b, compressed lz4 +>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 +>>>>>>>>12 ulelong&8 !0 \b, compressed zstd +>>>>>>>>12 ulelong&16 !0 \b, compact +# uint8_t reserved[7]; apparently nil +#>>17 long !0 \b, reserved %#8.8x +# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 +#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx +#>>>>>>>>80 ubequad x b%16.16llx +# header_size like: 100h +>>>>>>>>88 ulequad !0x100h \b, header size %#llx +# arena_size like: 0 7fff00h ffff00h 17fff00h +#>>>>>>>>96 ulequad >0 \b, arena size %#llx +# data_hash_table_offset like: 0 15f0h 15f0h +#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx +# data_hash_table_size like: 0 38e380h +#>>>>>>>>112 ulequad >0 \b, hash table size %#llx +# field_hash_table_offset like: 0 110h +#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx +# field_hash_table_size like: 0 14d0h +#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx +# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h +#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx +# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh +#>>>>>>>>144 ulequad >0 \b, objects %#llx +# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h +>>>>>>>>152 ulequad >0 \b, entries %#llx +# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh +#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx +# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah +#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx +# 
entry_array_offset like: 0 390058h 3909d8h 3909e0h +#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx # BCache backing and cache devices # From: Gabriel de Perthuis <g2p.code@gmail.com> @@ -481,12 +796,90 @@ # Site: https://fedorahosted.org/mlocate/ # Format docs: https://linux.die.net/man/5/mlocate.db # Type: mlocate database file +# URL: https://en.wikipedia.org/wiki/Locate_(Unix) # URL: https://fedorahosted.org/mlocate/ # 
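Review bot: The header-size test `>>>>>>>>88 ulequad !0x100h \b, header size %#llx` writes its constant as `0x100h`, mixing the `0x` prefix with the `h` suffix that the surrounding comments use for hex values. It presumably compiles only because the magic parser accepts a trailing size letter after a number, which makes the compared value easy to misread; `!0x100` states the same thing without relying on that. Separately, the hunk's own comment says `!:ext journal~` draws a `bad char '~'` warning from file 5.44 unless `parse_ext` in apprentice.c is changed, so it is worth confirming that the matching source change is part of this import.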
From: Wander Nauta <info@wandernauta.nl> +# Update: Joerg Jenderek 0 string \0mlocate mlocate database ->12 byte x \b, version %d +#!:mime application/octet-stream +!:mime application/x-mlocate +# default mlocate.db if not overriden with --output option of updatedb +!:ext db +# at the moment value is 0; a higher version will probably not occur, because mlocate is now often replaced by plocate +>12 byte !0 \b, version %d +# configured with -l option of updatedb >13 byte 1 \b, require visibility +# 2 byte pad for 32-bit total alignment +#>14 short !0 \b, padding %#x +# standard is 1 byte / if not overriden with --database-root option of updatedb >16 string x \b, root %s +# 1st variable name nil terminated like: prune_bind_mounts +>>&1 string x \b, 1st variable %s +# 1st variable value like: 0 1 +>>>&1 string x \b=%s +# configuration block size in big endian like: 82 85 174 181 185 483 491 496 497 556 600 +>8 ubelong x \b, configuration size %u + +# URL: https://plocate.sesse.net/ +# Reference: https://plocate.sesse.net/download/plocate-1.1.19.tar.gz +# plocate-1.1.19/db.h +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/db-plocate.trid.xml +# Note: called "plocate database" by TrID +# magic[8] +0 string \0plocate plocate database +#!:mime application/octet-stream +!:mime application/x-plocate +# default /var/lib/plocate/plocate.db if not overriden with --output option of updatedb.plocate +!:ext db +# version; 2 is the current version +>8 ulelong !1 \b, version %u +# hashtable_size; like 1 (for "empty" samples) 1b5c3h +#>12 ulelong >1 \b, hash table size %#x +# extra_ht_slots; like: 10h +>16 ulelong !0x10 \b, extra_ht_slots %#x +# num_docids; like 0 (for "empty" samples) a132h +>20 ulelong >0 \b, num_docids %u +# hash_table_offset_bytes; 78h (for "empty" samples) afdf99h +#>24 ulequad !0x78 \b, hash table offset %#llx +# filename_index_offset_bytes; 70h (for "empty" samples) aad571h +#>32 ulequad !0x70 \b, filename index offset %#llx +# version 1 and up 
only +>8 ulelong >0 +# max_version; nominally 1 or 2 but can be increased if more features are added in a backward-compatible way +>>40 ulelong !2 \b, max version %u +# zstd_dictionary_length_bytes; 0 (for "empty" samples) 400h +>>44 ulelong !0 \b, at %#x +# zstd_dictionary_offset_bytes; 0 (for "empty" samples) 70h +>>48 ulequad >0 \b+%#llx +# jump to beginning of zstd dictionary +>>>(48.q) ubequad x +# jump realative zstd dictionary length bytes - 8 (quad length) forward to ZST data beginning +#>>>>&(44.l-8) ubelong x ZST=%8.8x +>>>>&(44.l-8) ubelong x +# print 1 space char after zstd_dictionary_offset and then handles Zstandard compressed data by ./compress +# to get phrase like "at 0x400+0x70 Zstandard compressed data (v0.8+)" +>>>>>&-4 indirect x \b +# only if max_version >= 2 and only relevant for updatedb +>40 ulelong >1 +# directory_data_length_byte +#>>56 ulequad x \b, directory data length %#llx +# directory_data_offset_bytes; +#>>64 ulequad x offset %#llx +# next_zstd_dictionary_length_bytes; 0 (for "empty" samples) 400h +>>72 ulequad >0 \b, next zstd dictionary length %#llx +# next_zstd_dictionary_offset_bytes; 0 (for "empty" samples) 14b9cb8h +>>>80 ulequad >0 offset %#llx +# conf_block_length_bytes like; 65 147 148 151 152 452 537 540 543 +>>88 ulequad x \b, configuration size %llu +# conf_block_offset_bytes; 1a1h (for "empty" samples) 14ba0b8h +>>96 ulequad >0 \b, at %#llx 1st variable +# 1st variable name nil terminated like: prune_bind_mounts +>>>(96.q) string x %s +# 1st variable value nil terminated like: 0 1 +>>>>&1 string x \b=%s +# bool check_visibility; 0 or 1 configured with -l option of updatedb.plocate +>>104 ubyte 1 \b, require visibility +#>>104 ubyte x \b, check_visibility %#x # Dump files for iproute2 tool. Generated by the "ip r|a save" command. URL: # https://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 
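Review bot: The plocate block guards the max_version-dependent fields with `>40 ulelong >1` at the first continuation level, so it is evaluated for every header, including those that fail the `>8 ulelong >0` test that the comment `# version 1 and up only` introduces. For a version 0 database the hunk's own comments imply that offset 40 is not a `max_version` field, so the values printed from offsets 72 to 104 would be unrelated file content. Nest the guard under the version test as `>>40 ulelong >1` and add one `>` to each continuation line below it, from `>>72` through `>>104`. The file-controlled jumps `(48.q)` and `(96.q)` would then also be taken only on headers where the fields they rely on are defined.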
@@ -502,9 +895,12 @@ 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files -# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION +# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION + +0 string KDUMP\x20\x20\x20 Kdump compressed dump +>0 use kdump-compressed-dump -0 string KDUMP Kdump compressed dump +0 name kdump-compressed-dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s @@ -513,6 +909,12 @@ >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s +# Flattened format +0 string makedumpfile +>16 bequad 1 +>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump +>>>0x1010 use kdump-compressed-dump + # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code @@ -535,3 +937,34 @@ >&0 regex [0-9]+\\.[0-9]+ \b, version %s >>&0 string ; >>>&0 regex [A-Z0-9]+ \b, encryption %s + +# From: Joerg Jenderek +# URL: https://www.gnu.org/software/grub +# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz +# grub-2.06/include/grub/keyboard_layouts.h +# grub-2.06/grub-core/commands/keylayouts.c +# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC +0 string GRUBLAYO GRUB Keyboard +!:mime application/x-grub-keyboard +!:ext gkb +# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10 +>8 ulelong !10 \b, version %u +# 4 grub_uint32_t grub_keyboard_layout[160] +# for normal french keyboard this is letter a +>92 ubyte !0x71 +>>92 ubyte >0x40 \b, english q is %c +#>732 ubyte x \b, english Q is %c +# for normal german keyboard this is letter z +>124 ubyte !0x79 +>>124 ubyte >0x40 \b, english y is %c +#>764 ubyte x \b, english Y is %c + + +# From: Ben Dooks <ben.dooks@codethink.co.uk> +# URL: https://github.com/torvalds/linux/blob/master/tools/perf/util/header.c +# perf files for v1 and v2 +0 string PERFFILE Linux perf recording, version 1 + +0 lequad 0x32454c4946524550 Linux perf recording, version 2. little endian + +0 bequad 0x32454c4946524550 Linux perf recording, version 2. big endian 
diff --git a/contrib/file/magic/Magdir/lisp b/contrib/file/magic/Magdir/lisp index c854fb7c74be..bd1cf21ee8aa 100644 --- a/contrib/file/magic/Magdir/lisp +++ b/contrib/file/magic/Magdir/lisp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lisp,v 1.27 2020/08/14 19:23:39 christos Exp $ +# $File: lisp,v 1.28 2024/05/30 15:32:20 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) @@ -76,3 +76,13 @@ # From: David Allouche <david@allouche.net> 0 search/1 \<TeXmacs| TeXmacs document text !:mime text/texmacs + +# Chibi-Scheme +0 string \a\achibi\n Chibi-Scheme memory image data +>8 ubyte =0 \b, big-endian +>>9 ubyte x \b, format version %d +>>11 ubyte x \b.%d +>8 ubyte >0 \b, little-endian +>>8 ubyte x \b, format version %d +>>10 ubyte x \b.%d +>12 string x \b, ABI %s diff --git a/contrib/file/magic/Magdir/llvm b/contrib/file/magic/Magdir/llvm index 2691ef1ac92f..6befe7a8bf0f 100644 --- a/contrib/file/magic/Magdir/llvm +++ b/contrib/file/magic/Magdir/llvm @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: llvm,v 1.9 2019/04/19 00:42:27 christos Exp $ +# $File: llvm,v 1.10 2023/03/11 17:54:17 christos Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: https://llvm.org/docs/BitCodeFormat.html # From: Al Stone <ahs3@fc.hp.com> @@ -9,6 +9,7 @@ 0 string llvc0 LLVM byte-codes, null compression 0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc2 LLVM byte-codes, bzip2 compression +0 string CPCH LLVM Pre-compiled header file 0 lelong 0x0b17c0de LLVM bitcode, wrapper # Are these Mach-O ABI values? They appear to be. diff --git a/contrib/file/magic/Magdir/luks b/contrib/file/magic/Magdir/luks index 6ecc40aff19a..16042517a332 100644 --- a/contrib/file/magic/Magdir/luks +++ b/contrib/file/magic/Magdir/luks 
@@ -1,13 +1,126 @@ #------------------------------------------------------------------------------ -# $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ +# $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $ # luks: file(1) magic for Linux Unified Key Setup -# URL: http://luks.endorphin.org/spec +# URL: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup +# http://fileformats.archiveteam.org/wiki/LUKS # 
From: Anthon van der Neut <anthon@mnt.org> +# Update: Joerg Jenderek +# Note: verfied by command like `cryptsetup luksDump /dev/sda3` 0 string LUKS\xba\xbe LUKS encrypted file, +# https://reposcope.com/mimetype/application/x-raw-disk-image +!:mime application/x-raw-disk-image +#!:mime application/x-luks-volume +# img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt +!:ext /luks/img/luksVolumeHeaderBackUp +# version like: 1 2 >6 beshort x ver %d +# test for version 1 variant +>6 beshort 1 +>>0 use luks-v1 +# test for version 2 variant +>6 beshort >1 +>>0 use luks-v2 +# Reference: https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml +# display information about LUKS version 1 +0 name luks-v1 +# cipher-name like: aes twofish >8 string x [%s, +# cipher-mode like: xts-plain64 cbc-essiv >40 string x %s, +# hash specification like: sha256 sha1 ripemd160 >72 string x %s] >168 string x UUID: %s +# NEW PART! 
+# payload-offset; start offset of the bulk data +>104 ubelong x \b, at %#x data +# key-bytes; number of key bytes; key-bytes*8=MK-bits +>108 ubelong x \b, %u key bytes +# mk-digest[20]; master key checksum from PBKDF2 +>112 ubequad x \b, MK digest %#16.16llx +>>120 ubequad x \b%16.16llx +>>128 ubelong x \b%8.8x +# mk-digest-salt[32]; salt parameter for master key PBKDF2 +>132 ubequad x \b, MK salt %#16.16llx +>>140 ubequad x \b%16.16llx +>>148 ubequad x \b%16.16llx +>>156 ubequad x \b%16.16llx +# mk-digest-iter; iterations parameter for master key PBKDF2 +>164 ubelong x \b, %u MK iterations +# key slot 1 +>208 ubelong =0x00AC71F3 \b; slot #0 +>>208 use luks-slot +# key slot 2 +>256 ubelong =0x00AC71F3 \b; slot #1 +>>256 use luks-slot +# key slot 3 +>304 ubelong =0x00AC71F3 \b; slot #2 +>>304 use luks-slot +# key slot 4 +>352 ubelong =0x00AC71F3 \b; slot #3 +>>352 use luks-slot +# key slot 5 +>400 ubelong =0x00AC71F3 \b; slot #4 +>>400 use luks-slot +# key slot 6 +>448 ubelong =0x00AC71F3 \b; slot #5 +>>448 use luks-slot +# key slot 7 +>496 ubelong =0x00AC71F3 \b; slot #6 +>>496 use luks-slot +# key slot 8 +>544 ubelong =0x00AC71F3 \b; slot #7 +>>544 use luks-slot +# Reference: https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml +# display information about LUKS version 2 +0 name luks-v2 +# hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384 +>8 ubequad x \b, header size %llu +# possible check for MAGIC_2ND after header +#>(8.Q) string SKUL\xba\xbe \b, 2nd_HEADER_OK +# seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10 +>16 ubequad x \b, ID %llu +# label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT" +>24 string >\0 \b, label %s +# csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 wirlpool ripemd160 +>72 string x \b, algo %s +# salt[64]; 
salt , unique for every header +>104 ubequad x \b, salt %#llx... +# uuid[40]; UID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7 +>168 string x \b, UUID: %-.40s +# subsystem[48]; optional owner subsystem label or empty +>208 string >\0 \b, sub label %-.48s +# hdr_offset; offset from device start [ bytes ] like: 0 +>256 ubequad !0 \b, offset %llx +# char _padding [184]; must be zeroed +#>264 ubequad x \b, padding %#16.16llx +#>440 ubequad x \b...%16.16llx +# csum[64]; header checksum +>448 ubequad x \b, crc %#llx... +# char _padding4096 [7*512]; Padding , must be zeroed +#>512 ubequad x \b, more padding %#16.16llx +#>4088 ubequad x \b...%16.16llx +# JSON text data terminated by the zero character; unused remainder empty and filled with zeroes like: +# {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse" +>0x1000 string x \b, at 0x1000 %s +#>0x1000 indirect x +# display information (like active) about LUKS1 slot +0 name luks-slot +# state of keyslot; 0x00AC71F3~active 0x0000DEAD~inactive +#>0 ubelong x \b, status %#8.8x +>0 ubelong =0x00AC71F3 active +>0 ubelong =0x0000DEAD inactive +# iteration parameter for PBKDF2 +#>4 ubelong x \b, %u iterations +# salt parameter for PBKDF2 +#>8 ubequad x \b, salt %#16.16llx +#>>16 ubequad x \b%16.16llx +#>>24 ubequad x \b%16.16llx +#>>32 ubequad x \b%16.16llx +# start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0 +>40 ubelong x \b, %#x material offset +# number of anti-forensic stripes like: 4000 +>44 ubelong !4000 \b, %u stripes diff --git a/contrib/file/magic/Magdir/macintosh b/contrib/file/magic/Magdir/macintosh index 905e4d6e1500..a74aac487caa 100644 --- a/contrib/file/magic/Magdir/macintosh +++ b/contrib/file/magic/Magdir/macintosh 
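Review bot: In `luks-v2` the fixed-size text fields are bounded inconsistently: `uuid[40]` and `subsystem[48]` are printed with `%-.40s` and `%-.48s`, but `label[48]` and `csum_alg[32]` use a bare `%s`. On a header whose field is not NUL-terminated, the output then runs on into the following bytes. Use the declared sizes here too: `>24 string >\0 \b, label %-.48s` and `>72 string x \b, algo %-.32s`. The JSON area at `>0x1000 string x \b, at 0x1000 %s` is likewise printed with no precision, so a short explicit limit would keep the description of an untrusted image predictable. The label `crc` on `>448 ubequad` is also misleading, because the comment describes it as the header checksum computed with `csum_alg`; `checksum` would match.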
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.32 2021/04/26 15:56:00 christos Exp $ +# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -95,7 +95,10 @@ # MacBinary format (Eric Fischer, enf@pobox.com) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/MacBinary +# http://fileformats.archiveteam.org/wiki/MacBinary # Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt +# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and +# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin` # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. @@ -114,19 +117,19 @@ >>>>74 byte 0 # zero fill, must be zero for compatibility >>>>>82 byte 0 +# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00 +>>>>>>2 ubelong <0xffff0000 # MacBinary I test for valid version numbers ->>>>>>122 ubeshort 0 -# additional check for creation date after 1 Jan 1970 ~ 7C25B080h -#>>>>>>>91 ubelong >0x7c25b07F +>>>>>>>122 ubeshort 0 # additional check for undefined header fields in MacBinary I -#>>>>>>>101 ulong 0 ->>>>>>>0 use mac-bin +#>>>>>>>>101 ulong 0 +>>>>>>>>0 use mac-bin # MacBinary II the newer versions begins at 129 ->>>>>>122 ubeshort 0x8181 ->>>>>>>0 use mac-bin +>>>>>>>122 ubeshort 0x8181 +>>>>>>>>0 use mac-bin # MacBinary III with MacBinary II to read ->>>>>122 ubeshort 0x8281 ->>>>>>0 use mac-bin +>>>>>>122 ubeshort 0x8281 +>>>>>>>0 use mac-bin # display information of MacBinary file 0 name mac-bin 
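Review bot: In the `@@ -114,19 +117,19 @@` hunk the new filter `>>>>>>2 ubelong <0xffff0000` is applied to the MacBinary I and II tests, which move to level 7, but the MacBinary III test lands at level 6 as `>>>>>>122 ubeshort 0x8281`. That makes it a sibling of the filter rather than a child, so a DEGAS bitmap with the "too high" name bytes and 0x8281 at offset 122 would still reach `use mac-bin`. If the filter is meant to cover all three variants, the lines should read `>>>>>>>122 ubeshort 0x8281` and `>>>>>>>>0 use mac-bin`. If the exemption is intended, a comment such as `# MacBinary III is tested outside the DEGAS file name filter on purpose` would prevent a later "fix".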
@@ -139,7 +142,7 @@ !:mime application/x-macbinary !:apple PSPTBINA !:ext bin/macbin -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified as MacBinary +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary #>1 ubyte >63 \b, name length %u too BIG! #>122 ubeshort x \b, version %#x # Finder flags if not 0 @@ -180,12 +183,16 @@ # 124 beshort # checksum #>124 ubeshort !0 \b, CRC %#x # creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 ->91 beldate-0x7C25B080 x \b, %s -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified or time overflow +# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields +>91 long !0 +>>91 beldate-0x7C25B080 x \b, %s +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow >91 ubelong <0x7c25b080 INVALID date -#>91 belong-0x7C25B080 x \b, DEBUG DATE %d +# reported date seconds by deark +#>91 ubelong x deark-DATE=%u # last modified date ->95 beldate-0x7C25B080 x \b, modified %s +>95 long !0 +>>95 beldate-0x7C25B080 x \b, modified %s # Apple creator+typ if not null # file creator (normally expressed as four characters) >69 ulong !0 \b, creator @@ -197,6 +204,7 @@ # length of data segment >83 ubelong !0 \b, %u bytes # filename (in the range 1-63) +# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)" >1 pstring x "%s" # print 1 space and then at offset 128 inspect data fork content if it has one >83 ubelong !0 \b @@ -447,7 +455,7 @@ >>>0x412 beshort x number of blocks: %d, >>>0x424 pstring x volume name: %s -0x400 beshort 0x482B Macintosh HFS Extended +0 name hfsplus >&0 beshort x version %d data >0 beshort 0x4C4B (bootable) >0x404 belong ^0x00000100 (mounted) 
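Review bot: In the `@@ -180,12 +183,16 @@` hunk the new `>91 long !0` guard suppresses the creation date for the zeroed date fields that the added comment describes, but the unchanged line `>91 ubelong <0x7c25b080 INVALID date` stays at level 1. A zero date is below 0x7c25b080, so those files are now reported with no date and the text `INVALID date`. Move that check under the guard as `>>91 ubelong <0x7c25b080 INVALID date`, so that only non-zero values before the epoch offset are flagged.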
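Review bot: In the `@@ -447,7 +455,7 @@` hunk, turning the HFS Plus entry into `0 name hfsplus` probably changes what its unchanged continuation lines read. As I read magic(5), direct offsets inside a named block are taken relative to the offset passed by `use`, and the callers added in the `@@ -466,6 +474,11 @@` hunk invoke it with `>&0 use hfsplus` after matching at 0x400. If so, `>0 beshort 0x4C4B (bootable)` and `>0x404 belong ^0x00000100 (mounted)` no longer test file offsets 0 and 0x404. This should be checked against a sample image, and if the shift is confirmed the absolute tests belong in the two callers, for example `>0 beshort 0x4C4B (bootable)` placed before each `use` line. The body of `hfsplus` continues outside this hunk.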
@@ -466,6 +474,11 @@ >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d +0x400 beshort 0x482B Apple HFS Plus +>&0 use hfsplus +0x400 beshort 0x4858 Apple HFS Plus Extended +>&0 use hfsplus + ## AFAIK, only the signature is different # same as Apple Partition Map # GRR: This magic is too weak, it is just "TS" @@ -490,14 +503,3 @@ # From: Remi Mommsen <mommsen@slac.stanford.edu> 0 string BOMStore Mac OS X bill of materials (BOM) file -# From: Adam Buchbinder <adam.buchbinder@gmail.com> -# URL: https://en.wikipedia.org/wiki/Datafork_TrueType -# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is -# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I -# don't know what they mean. -0 belong 0x100 ->(0x4.L+24) beshort x ->>&4 belong 0x73666e74 Mac OSX datafork font, TrueType ->>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' ->>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' ->>&4 belong 0x504f5354 Mac OSX datafork font, PostScript diff --git a/contrib/file/magic/Magdir/magic b/contrib/file/magic/Magdir/magic index 0de332aa3bfb..03a021922b29 100644 --- a/contrib/file/magic/Magdir/magic +++ b/contrib/file/magic/Magdir/magic 
@@ -1,10 +1,98 @@ #------------------------------------------------------------------------------ -# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ +# $File: magic,v 1.12 2024/06/10 23:09:52 christos Exp $ # magic: file(1) magic for magic files # -0 string/t #\ Magic magic text file for file(1) cmd +# Update: Joerg Jenderek +# skip Magicsee_R1.cfg found on retropie starting with # Magicsee R1 one-handed controller +0 string/t #\ Magic\ magic text file for file(1) cmd +#!:mime text/plain +!:mime text/x-file +# no suffix in ../Header +!:ext / +# +# some (34/339) samples start with a comment line +0 ubyte =0x23 +# some (28/339) samples start with separator line (about 78 minus characters) like: +# archive arm assembler beetle c-lang clojure compress der filesystems firmware gentoo lammps +# m4 mail.news make marc21 music parrot pascal pc88 pc98 perl ringdove tcl varied.script webassembly x68000 zfs +>4 string -------- +# skip scripts fse.sed stage1.sed constants.pxi gotmail.awk from fetchmail package by +# searching for reference to man page file(1) {lammps v 1.1} or file (1) {muscic v 1.1} +>>12 search/180 (1) +>>>0 use magic-fragment +# few (6/339) samples with 1st comment line and without separator comment line +# like: blcr bsi selinux sisu ssh svf +>4 default x +# few sample with 1st comment line and without seperator comment line and regular expression like: sisu +>>1 search/112 regex\x09 +>>>0 use magic-fragment +>>1 default x +# few samples with 1st comment line and without seperator comment line and string value like: +# blcr bsi selinux ssh (file 3.34) digital gnu wordperfect +>>>1 search/471 string\x09 +>>>>0 use magic-fragment +>>>1 default x +# few samples with 1st comment line and without seperator comment line and short value like: +# (file 3.34) os9 osf1 +>>>>1 search/1716 short\x09 +>>>>>0 use magic-fragment +# but many samples start with an empty first line +0 ubyte =0x0A +# many samples start with separator comment line +>4 string -------- 
+# skip some MS-DOS C source text {EMSINIT.INC MEM.C RESTPARS.C RTDO.C RTDO1.C RTFILE.C RTFILE1.C RTNEW.C RTNEW1.C RTOLD.C RTOLD1.C RTT1.C RTT3.C} +# and match many fragments by looking for Revision Control System keyword near the beginning +>>1 search/128 $File +>>>0 use magic-fragment +# few samples {ctf (2022-03-26) msx (2021-06-30) nasa (2021-02-23) symbos (2021-02-23) weak (2021-02-23)} +# with 1st empty line, separator comment line and without Revision Control System keyword but with reference to man page file(1) +>>1 default x +>>>1 search/180 file(1) +>>>>0 use magic-fragment +>>>1 default x +# sample aria (2021-12-24) with 1st empty line, separator comment line and without Revision Control System keyword and without reference to man page file(1) +>>>>1 search/1024 \041:mime +>>>>>0 use magic-fragment +# few samples with 1st empty line and without separator comment line like: biosig (2021-02-23) espressif (v 1.3) +>4 default x +>>1 search/581 \041:mime +>>>0 use magic-fragment +# display information (lines) about magic text fragment +0 name magic-fragment +>0 string x magic text fragment for file(1) cmd +!:mime text/x-file +# most without suffix but mail.news varied.out varied.script +!:ext /news/out/script +# next lines are mainly for control reasons +# some (34/339) samples start with comment line +>0 ubyte !0x0A +>>0 string x \b, 1st line "%s" +>>>&1 string x \b, 2nd line "%s" +# show more information to see difference between fragments and misidentfied scripts +>>>>&1 string x \b, 3rd line "%s" +>>>>>&1 string x \b, 4th line "%s" +>>>>>>&1 string x \b, 5th line "%s" +# but most (305/339) samples start with an empty first line +>0 ubyte =0x0A +>>1 string x \b, 2nd line "%s" +>>>&1 string x \b, 3rd line "%s" +# show more information to see difference between fragments and misidentfied scripts +>>>>&1 string x \b, 4th line "%s" +>>>>>&1 string x \b, 5th line "%s" +# +# URL: http://en.wikipedia.org/wiki/File_(command) +# Reference: 
http://mark0.net/download/triddefs_xml.7z/defs/m/mgc.trid.xml +# Note: called "magic compiled data (LE)" by TrID 0 lelong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 lelong x (version %d) (little endian) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mgc-be.trid.xml +# Note: called "magic compiled data (BE)" by TrID 0 belong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 belong x (version %d) (big endian) diff --git a/contrib/file/magic/Magdir/mail.news b/contrib/file/magic/Magdir/mail.news index 074cfb191456..94f30898d5de 100644 --- a/contrib/file/magic/Magdir/mail.news +++ b/contrib/file/magic/Magdir/mail.news @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: mail.news,v 1.28 2021/09/11 19:20:15 christos Exp $ +# $File: mail.news,v 1.32 2024/11/10 16:59:38 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. @@ -26,6 +26,12 @@ !:mime message/rfc822 0 string/t Date: news or mail text !:mime message/rfc822 +0 string/t Subject: news or mail text +!:mime message/rfc822 +0 string/t Cc: news or mail text +!:mime message/rfc822 +0 string/t To: news or mail text +!:mime message/rfc822 0 string/t Article saved news text !:mime message/news # Reference: http://quimby.gnus.org/notes/BABYL @@ -43,9 +49,69 @@ 0 string/t MIME-Version: MIME entity text #0 string/t Content- MIME entity text +# 
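Review bot: The `magic-fragment` routine (hunk @@ -1,10 +1,98 @@) leaves its control output enabled: `>>0 string x \b, 1st line "%s"` and the chained `2nd line` to `5th line` entries copy up to five lines of the inspected file into the description, which the hunk's own comment says is "mainly for control reasons". Other debugging entries in this commit are shipped commented out (for example `#>>>45 ulelong x (length %u)` in mail.news), and doing the same here would keep the description short and stable for tools that parse file(1) output. That means prefixing each of the `Nth line` entries in both the `!0x0A` and `=0x0A` branches with `#`, e.g. `#>>0 string x \b, 1st line "%s"`.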
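Review bot: The new top-level tests `0 string/t Subject:`, `0 string/t Cc:` and `0 string/t To:` (hunk @@ -26,6 +26,12 @@) assign `message/rfc822` from a three- to eight-character text prefix alone, so notes, logs or templates that merely begin with `To:` will be classified as mail. Callers that use the libmagic MIME type for upload or attachment filtering will see such files change type, so the match should be weaker than more specific text entries. One option is to add `!:strength -10` after each `!:mime message/rfc822`, or to require a second header within the first lines before printing the description. The `0 string From\040 Mailbox text` entry added in the next hunk (@@ -43,9 +49,69 @@) has the same property with `application/mbox`.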
From: Joerg Jenderek +# URL: https://tools.ietf.org/rfc/rfc4155.txt +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mbox.trid.xml +# Note: called "Standard Unix Mailbox" by TrID and +# "mailbox file" by shared MIME-info database +#https://gitlab.freedesktop.org/xdg/shared-mime-info/-/blob/master/data/freedesktop.org.xml.in?ref_type=heads +0 string From\040 Mailbox text +#!:mime text/plain +!:mime application/mbox +# like: INBOX 1.mbox +!:ext /mbox +# For control reasons show first line like: "From - Tue May 30 21:55:54 2023" "From noreply@unitymedia.info Thu Oct 13 17:23:38 2016" +>0 string x \b, 1st line "%s" + # TNEF files... -0 lelong 0x223E9F78 Transport Neutral Encapsulation Format +# URL: http://fileformats.archiveteam.org/wiki/Transport_Neutral_Encapsulation_Format +# https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tnef.trid.xml +# https://interoperability.blob.core.windows.net/files/MS-OXTNEF/%5bMS-OXTNEF%5d-210817.pdf +# Update: Joerg Jenderek +# Note: moved and merged from ./msdos (version 1.154) there just called "TNEF" +# partly verified by `tnef --list -v -f voice.tnef` and `ytnef -v triples.tnef` +# TNEF magic From "Joomy" <joomy@se-ed.net> +# TNEF_SIGNATURE +0 lelong 0x223E9F78 Transport Neutral Encapsulation Format (TNEF) !:mime application/vnd.ms-tnef +# winmail.dat or win.dat by Microsoft Outlook +!:ext tnef/dat +# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxtnef/7fdb64ee-7f63-4d95-9af1-c672e7475c3a +# LegacyKey +#>4 uleshort x \b, key %#4.4x +# attrLevelMessage; Level where attribute applies like: 1~attrLevelMessage 2~attrLevelAttachment +>6 ubyte !1 \b, 1st level %#2.2x +# other ID (like 02900000h) or TnefVersion ID (idTnefVersion=06900800h) +>7 ubelong !0x06900800 \b, 1st id %#8.8x +>7 ubelong =0x06900800 +# TnefVersion length like: 4 +>>11 ulelong !4 \b, TnefVersion length %x +# TNEFVersionData; TnefVersion data 
like: 00010000h +>>15 ulelong !0x00010000h \b, version %#8.8x +# Checksum like: 1 +>>19 uleshort !1 \b, checksum %#4.4x +# attrLevelMessage; level of attOemCodepage like: 1 +>>21 ubyte !1 \b, level %#2.2x +# idOEMCodePage; OEMCodePage ID like: 07900600h +>>22 ubelong =0x07900600 \b, OEM codepage +# OEMCodePage length like: 8 +>>>26 ulelong =8 +# OEMCodePageData; PrimaryCodePage like: 1251 1252 +>>>>30 ulelong x %u +# OEMCodePageData; SecondaryCodePage; unused and SHOULD contain zero +>>>>34 ulelong !0 and %u +# OEMCodePageData Checksum like: E7h E8h +>>>>38 uleshort x (checksum %#x) +# attrLevelMessage of attMessageClass like: 1 +>>40 ubyte !1 \b, level %u +# idMessageClass; ID of attMessageClass like: 08800700h +>>41 ubelong =0x08800700 \b, MessageAttribute +# attMessageClass length like: 16 24 25 +#>>>45 ulelong x (length %u) +# attMessageClass data like: "IPM.Microsoft Mail.Note" "IPM.Note.Portada Newseum" +# "IPM.Appointment" "IPM.Note.Microsoft.Voicemail.UM.CA" +>>>45 pstring/l x "%s" # From: Kevin Sullivan <ksulliva@psc.edu> 0 string *mbx* MBX mail folder diff --git a/contrib/file/magic/Magdir/map b/contrib/file/magic/Magdir/map index 2e8d0797d319..9977fa37c476 100644 --- a/contrib/file/magic/Magdir/map +++ b/contrib/file/magic/Magdir/map @@ -1,7 +1,6 @@ - #------------------------------------------------------------------------------ -# $File: map,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: map,v 1.11 2024/06/10 23:09:52 christos Exp $ # map: file(1) magic for Map data # @@ -406,3 +405,8 @@ >>>>5 byte x \b%d, >>>>6 leshort x product ID %04d) +# Garmin firmware: +# https://www.memotech.franken.de/FileFormats/Garmin_GCD_Format.pdf +# https://www.gpsrchive.com/GPSMAP/GPSMAP%2066sr/Firmware.html +0 string GARMIN +>6 uleshort 100 GARMIN firmware (version 1.0) diff --git a/contrib/file/magic/Magdir/mathematica b/contrib/file/magic/Magdir/mathematica index 1563e34ba21a..dda71e884edb 100644 --- a/contrib/file/magic/Magdir/mathematica 
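Review bot: In the TNEF entry (hunk @@ -43,9 +49,69 @@), `>>15 ulelong !0x00010000h` carries a trailing `h` that looks copied from the comment above it (`like: 00010000h`); every other numeric test in this entry is written as a plain `0x…` value. The parser probably tolerates the letter as a size suffix, so the test may behave as intended, but it reads as a typo and makes the entry harder to audit. Normalising it to `>>15 ulelong !0x00010000 \b, version %#8.8x` removes the doubt.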
+++ b/contrib/file/magic/Magdir/mathematica 
@@ -1,48 +1,59 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.14 2021/11/07 16:27:36 christos Exp $ +# $File: mathematica,v 1.17 2023/06/16 19:33:58 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" <aldomel@ix.netcom.com> # Mathematica a multi-purpose math program # versions 2.2 and 3.0 -#mathematica .mb -0 string \064\024\012\000\035\000\000\000 Mathematica version 2 notebook -!:ext mb -0 string \064\024\011\000\035\000\000\000 Mathematica version 2 notebook +0 name wolfram +>0 string x Mathematica notebook version 2.x !:ext mb +!:mime application/vnd.wolfram.mathematica + +#mathematica .mb +0 string \064\024\012\000\035\000\000\000 +>0 use wolfram +0 string \064\024\011\000\035\000\000\000 +>0 use wolfram + +# +0 search/1000 Content-type:\040application/mathematica Mathematica notebook version 2.x +!:ext nb +!:mime application/mathematica + # .ma # multiple possibilities: -0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook +0 string (*^\n\n::[\011frontEndVersion\ = #>41 string >\0 %s -!:ext mb +>0 use wolfram -#0 string (*^\n\n::[\011palette Mathematica notebook version 2.x +#0 string (*^\n\n::[\011palette -#0 string (*^\n\n::[\011Information Mathematica notebook version 2.x +#0 string (*^\n\n::[\011Information #>675 string >\0 %s #doesn't work well # there may be 'cr' instead of 'nl' in some does this matter? 
# generic: -0 string (*^\r\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\015 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n::[\011 Mathematica notebook version 2.x -!:ext mb +0 string (*^\r\r::[\011 +>0 use wolfram +0 string (*^\r\n\r\n::[\011 +>0 use wolfram +0 string (*^\015 +>0 use wolfram +0 string (*^\n\r\n\r::[\011 +>0 use wolfram +0 string (*^\r::[\011 +>0 use wolfram +0 string (*^\r\n::[\011 +>0 use wolfram +0 string (*^\n\n::[\011 +>0 use wolfram +0 string (*^\n::[\011 +>0 use wolfram # Mathematica .mx files @@ -132,14 +143,18 @@ >>>>0 ulelong <53 # skip tokens.dat and some Netwfw*.dat by check for valid imaginary flag value of MAT version 4 >>>>>12 ulelong <2 -# no misidentfied little endian MATrix example with "short" matrix name +# no misidentified little endian MATrix example with "short" matrix name >>>>>>16 ulelong <3 ->>>>>>>0 use \^matlab4 +# skip radeon firmware BONAIRE_sdma.bin HAWAII_sdma.bin KABINI_sdma.bin KAVERI_sdma.bin MULLINS_sdma.bin +# by check for non zero matrix name length +>>>>>>>16 ubelong >0 +>>>>>>>>0 use \^matlab4 # little endian MATrix with "long" matrix name or some misidentified samples >>>>>>16 ulelong >2 # skip TileCacheLogo-*.dat with invalid 2nd character \001 of matrix name with length 96 >>>>>>>21 ubyte >0x1F >>>>>>>>0 use \^matlab4 +# Note: called "MATLAB Mat File" with version "Level 4" by DROID via PUID fmt/1550 # display information of Matlab v4 mat-file 0 name matlab4 Matlab v4 mat-file #!:mime application/octet-stream 
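Review bot: The added guard `>>>>>>>16 ubelong >0` (hunk @@ -132,14 +143,18 @@) reads the matrix-name length big-endian, while its parent `>>>>>>16 ulelong <3` and the rest of this little-endian branch read the same field with `ulelong`. The outcome is the same for a non-zero check, but the mixed types make the branch harder to follow when tuning false positives such as the firmware files named in the comment. `>>>>>>>16 ulelong >0` would be consistent. The enclosing entry starts outside the hunk.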
diff --git a/contrib/file/magic/Magdir/meteorological b/contrib/file/magic/Magdir/meteorological
index 9e7a3f1bcca6..0d38ee88a33d 100644
--- a/contrib/file/magic/Magdir/meteorological
+++ b/contrib/file/magic/Magdir/meteorological
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $
+# $File: meteorological,v 1.6 2024/11/10 17:05:08 christos Exp $
 # rinex: file(1) magic for RINEX files
 # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt
 # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf
@@ -44,6 +44,21 @@
 !:mime rinex/observation
 # https://en.wikipedia.org/wiki/GRIB
+# https://www.iana.org/assignments/media-types/application/grib
 0 string GRIB
->7 byte =1 Gridded binary (GRIB) version 1
+>7 byte =1 Gridded binary (GRIB) version 1
+!:mime application/grib;edition=1
+!:ext grb/grib
 >7 byte =2 Gridded binary (GRIB) version 2
+!:mime application/grib;edition=2
+!:ext grb2/grib2
+
+# BUFR is a meteorological data format for storing point or time series data.
+# https://www.iana.org/assignments/media-types/application/bufr
+0 string BUFR
+>7 byte =3 Binary Universal Form data (BUFR) Edition 3
+!:mime application/bufr
+!:ext bufr
+>7 byte =4 Binary Universal Form data (BUFR) Edition 4
+!:mime application/bufr
+!:ext bufr
diff --git a/contrib/file/magic/Magdir/mips b/contrib/file/magic/Magdir/mips
index fe83614703a3..0a39a35c5413 100644
--- a/contrib/file/magic/Magdir/mips
+++ b/contrib/file/magic/Magdir/mips
@@ -1,120 +1,102 @@ #------------------------------------------------------------------------------ -# $File: mips,v 1.10 2014/04/30 21:41:02 christos Exp $ +# $File: mips,v 1.15 2024/09/01 13:49:15 christos Exp $ # mips: file(1) magic for MIPS ECOFF and Ucode, as used in SGI IRIX # and DEC Ultrix # -0 beshort 0x0160 MIPSEB ECOFF executable ->20 beshort 0407 (impure) ->20 beshort 0410 (swapped) ->20 beshort 0413 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped +0 name display-mips-ecoff +>20 leshort 0407 (impure) +>20 leshort 0410 (swapped) +>20 leshort 0413 (paged) +>8 lelong !0 not stripped +>8 lelong 0 stripped >22 byte x - version %d >23 byte x \b.%d # -0 beshort 0x0162 MIPSEL-BE ECOFF executable ->20 beshort 0407 (impure) ->20 beshort 0410 (swapped) ->20 beshort 0413 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->23 byte x - version %d ->22 byte x \b.%d -# -0 beshort 0x6001 MIPSEB-LE ECOFF executable ->20 beshort 03401 (impure) ->20 beshort 04001 (swapped) ->20 beshort 05401 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->23 byte x - version %d ->22 byte x \b.%d -# -0 beshort 0x6201 MIPSEL ECOFF executable ->20 beshort 03401 (impure) ->20 beshort 04001 (swapped) ->20 beshort 05401 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->23 byte x - version %d ->22 byte x \b.%d +# MIPS 1 +# +0 beshort 0x0160 +>16 beshort 56 MIPSEB ECOFF executable +>>0 use \^display-mips-ecoff +>16 leshort 0 +>>0 use display-coff +# +0 beshort 0x0162 +>16 beshort 56 MIPSEL-BE ECOFF executable +>>0 use \^display-mips-ecoff +# +0 leshort 0x0160 +>16 leshort 56 MIPSEB-LE ECOFF executable +>>0 use display-mips-ecoff +>16 leshort 0 +>>0 use display-coff +# +0 leshort 0x0162 +>16 leshort 56 MIPSEL ECOFF executable +>>0 use display-mips-ecoff # # MIPS 2 additions # -0 beshort 0x0163 MIPSEB MIPS-II ECOFF executable ->20 beshort 0407 (impure) ->20 beshort 0410 (swapped) ->20 beshort 0413 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->22 byte 
x - version %d ->23 byte x \b.%d +0 beshort 0x0163 +>16 beshort 56 MIPSEB MIPS-II ECOFF executable +>>0 use \^display-mips-ecoff # -0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable ->20 beshort 0407 (impure) ->20 beshort 0410 (swapped) ->20 beshort 0413 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->22 byte x - version %d ->23 byte x \b.%d +0 beshort 0x0166 +>16 beshort 56 MIPSEL-BE MIPS-II ECOFF executable +>>0 use \^display-mips-ecoff +>16 leshort 0 +>>0 use display-coff +# +0 leshort 0x0163 +>16 leshort 56 MIPSEB-LE MIPS-II ECOFF executable +>>0 use display-mips-ecoff # -0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable ->20 beshort 03401 (impure) ->20 beshort 04001 (swapped) ->20 beshort 05401 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->23 byte x - version %d ->22 byte x \b.%d -# -0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable ->20 beshort 03401 (impure) ->20 beshort 04001 (swapped) ->20 beshort 05401 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->23 byte x - version %d ->22 byte x \b.%d +0 leshort 0x0166 +>16 leshort 56 MIPSEL MIPS-II ECOFF executable +>>0 use display-mips-ecoff # # MIPS 3 additions # -0 beshort 0x0140 MIPSEB MIPS-III ECOFF executable ->20 beshort 0407 (impure) ->20 beshort 0410 (swapped) ->20 beshort 0413 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->22 byte x - version %d ->23 byte x \b.%d +0 beshort 0x0140 +>16 beshort 56 MIPSEB MIPS-III ECOFF executable +>>0 use \^display-mips-ecoff # -0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable ->20 beshort 0407 (impure) ->20 beshort 0410 (swapped) ->20 beshort 0413 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->22 byte x - version %d ->23 byte x \b.%d +0 beshort 0x0142 +>16 beshort 56 MIPSEL-BE MIPS-III ECOFF executable +>>0 use \^display-mips-ecoff # -0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable ->20 beshort 03401 (impure) ->20 beshort 04001 (swapped) ->20 beshort 05401 (paged) ->8 belong >0 not stripped ->8 belong 0 
stripped ->23 byte x - version %d ->22 byte x \b.%d -# -0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable ->20 beshort 03401 (impure) ->20 beshort 04001 (swapped) ->20 beshort 05401 (paged) ->8 belong >0 not stripped ->8 belong 0 stripped ->23 byte x - version %d ->22 byte x \b.%d +0 leshort 0x0140 +>16 leshort 56 MIPSEB-LE MIPS-III ECOFF executable +>>0 use display-mips-ecoff +# +0 leshort 0x0142 +>16 leshort 56 MIPSEL MIPS-III ECOFF executable +>>0 use display-mips-ecoff +# +# MIPS Ucode additions # 0 beshort 0x180 MIPSEB Ucode 0 beshort 0x182 MIPSEL-BE Ucode +# +# MIPS COFF object file (have zero length optional header) +# +0 leshort 0x0168 +>16 leshort 0 +>>0 use display-coff +# can be created by LINK.EXE /MACHINE:MIPSR10 /ROM +>16 leshort !0 +>>18 leshort &0x0002 +>>>20 leshort 0x0107 +>>>>0 use display-coff +0 leshort 0x0169 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x0266 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x0366 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x0466 +>16 leshort 0 +>>0 use display-coff diff --git a/contrib/file/magic/Magdir/misctools b/contrib/file/magic/Magdir/misctools index 4292e2b0401a..dc1542adacd7 100644 --- a/contrib/file/magic/Magdir/misctools +++ b/contrib/file/magic/Magdir/misctools 
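Review bot: The shared `display-mips-ecoff` routine prints the version as `>22 byte x - version %d` followed by `>23 byte x \b.%d` for every caller, while most of the removed little-endian entries (for example the old `0x6201` MIPSEL block) printed `>23` first and `>22` second. The `\^` prefix on `use` would not be expected to swap two single-`byte` reads, so the major/minor order reported for those files appears to change with this refactor. If that is intended, a comment in the helper such as `# version bytes are printed as 22.23 for both byte orders` would record it; otherwise the little-endian callers need the swapped order.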
@@ -1,11 +1,71 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.20 2021/05/25 15:13:55 christos Exp $ +# $File: misctools,v 1.21 2023/02/03 20:43:48 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text -0 string/c BEGIN:VCALENDAR vCalendar calendar file -!:mime text/calendar +# URL: http://fileformats.archiveteam.org/wiki/ICalendar +# https://en.wikipedia.org/wiki/ICalendar +# Update: Joerg Jenderek +# Reference: https://www.rfc-editor.org/rfc/rfc5545 +# http://mark0.net/download/triddefs_xml.7z/defs/v/vcs.trid.xml +# Note: called "iCalendar - vCalendar" by TrID +0 string/c BEGIN:vcalendar +# skip DROID fmt-387-signature-id-572.vcs fmt-388-signature-id-573.ics +# with invalid separator 0x0 or 0xAB instead of CarriageReturn (0x0D) or LineFeed (0x0A) +>15 ubyte&0xF8 =0x08 +# look for VERSION keyword often on second line but sometimes later as in holidays_NRW_2014.ics +>>0 search/188 VERSION +# after VERSION keword :1.0 or often :2.0 but sometimes also ;VALUE=TEXT:2.0 like in Jewish religious Juish.ics +# http://www.webcal.guru/de-DE/kalender_herunterladen?calendar_instance_id=217 +# \n\040:2.0 like in import-real-world-2004-11-19.ics found at +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-real-world-2004-11-19.ics +#>>>&0 string x AFTER_VERSION=%.15s +# Note: called "Internet Calendar and Scheduling format" by DROID via PUID fmt/388 +# skip optional verparam=;other-param like ;VALUE=TEXT and look for version 2.0 that implies iCalendar variant +>>>&0 search/81 :2.0 iCalendar calendar +# look for Free/Busy component +>>>>15 search/278 :VFREEBUSY file, with Free/Busy component +!:mime text/calendar +!:apple ????iFBf +# no real examples found but only example on Wikipedia page +!:ext ifb +# iCalendar calendar without Free/Busy component +>>>>15 default x +# look for ALARM component +>>>>>15 
search/154 :VALARM file, with ALARM component +!:mime text/calendar +!:apple ????iCal +# found on macOS beneath /Users/$USER/Library/Calendars/ as EventAllDayAlarms.icsalarm or EventTimedAlarms.icsalarm +# no isc examples found +!:ext icsalarm/ics +# iCalendar calendar without Free/Busy component and ALARM component +>>>>>15 default x file +!:mime text/calendar +!:apple ????iCal +# no examples found with .ical .icalender suffix +!:ext ics +# if no VERSION 2.0 is found then assume it is VERSION 1.0, that is older vCalendar +# URL: http://fileformats.archiveteam.org/wiki/VCalendar +# Note: called "VCalendar format" by DROID via fmt/387 +>>>&0 default x vCalendar calendar file +# deprecated +!:mime text/x-vcalendar +!:ext vcs +# GRR: without VERSION keyword violates specification but accepted by Thunderbird like +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-with-timezone.ics +>>0 default x vCalendar calendar file, without VERSION +!:mime text/x-vcalendar +#!:mime text/calendar +# no vcs example found +!:ext ics/vcs +# GRR: According to newest specification CarriageReturn (0xD) and LineFeed (0xA) should be used as separator but others accepted by Thunderbird +# like CRLF,LF in Sport Today.vcs created by calendar plugin of TV-Browser https://enwiki.tvbrowser.org/index.php/Calendar_Export +# or LF like https://www.schulferien.org/media/ical/deutschland/ferien_nordrhein-westfalen_2023.ics?k=foo +>>15 ubeshort !0x0D0A \b, without CRLF + # updated by Joerg Jenderek at Apr 2015, May 2021 # https://en.wikipedia.org/wiki/VCard # URL: http://fileformats.archiveteam.org/wiki/VCard diff --git a/contrib/file/magic/Magdir/mmdf b/contrib/file/magic/Magdir/mmdf index 5576a6627789..b4a898e72f14 100644 --- a/contrib/file/magic/Magdir/mmdf +++ b/contrib/file/magic/Magdir/mmdf 
@@ -1,6 +1,25 @@ #------------------------------------------------------------------------------ -# $File: mmdf,v 1.6 2009/09/19 16:28:10 christos Exp $ +# $File: mmdf,v 1.7 2024/02/29 03:40:37 christos Exp $ # mmdf: file(1) magic for MMDF mail files +# Update: Joerg Jenderek Feb 2024 +# URL: https://en.wikipedia.org/wiki/MMDF +# Reference: https://docs.oracle.com/cd/E88353_01/html/E37852/mmdf-5.html +# Note: Multi-channel Memorandum Distribution Facility (MMDF) mailbox format is a legacy variant of mbox format +# (handled by ./mail.news); each message is surrounded by lines containing 4 control-A # -0 string \001\001\001\001 MMDF mailbox +0 string \001\001\001\001 +# GRR: MMDF mailbox (strength=70=70+0 ./mmdf) after D64 Image (strength=70=70+0 ./c64) Targa image data (strength=70=110-40 ./images) +# and before "PDP-11 UNIX/RT ldp" (strength=50=50+0 ./pdp) +#!:strength +0 +# skip few Commodore disc Image where first content are initialized with ^A like "The Great Gianna Sisters.d64" +# by looking for following valid line terminator (10=0Ah~LineFeed or 13=0Dh~CarriageReturn) +#>4 ubyte&0xF8 =0x08 MMDF mailbox +# or by looking for MBOX Mailbox (/mail.news) characteristic like: +# https://github.com/dfandrich/oldmailconvert/blob/master/testdata/uupc.input.1 +>5 search/610/b From\ MMDF mailbox +#!:mime application/octet-stream +!:mime message/x-mmdf +# https://github.com/dfandrich/oldmailconvert/blob/master/testdata/maillog.expected.2 +# but default mailbox name is like /usr/spool/mail/username +!:ext /mmdf diff --git a/contrib/file/magic/Magdir/modem b/contrib/file/magic/Magdir/modem index 6eb21136e462..5d59401f6cb2 100644 --- a/contrib/file/magic/Magdir/modem +++ b/contrib/file/magic/Magdir/modem @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.10 2021/04/26 15:56:00 christos Exp $ +# $File: modem,v 1.11 2022/10/19 20:15:16 christos Exp $ # modem: file(1) magic for modem programs # # 
From: Florian La Roche <florian@knorke.saar.de> @@ -11,6 +11,7 @@ # Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). # Modified by: Joerg Jenderek # URL: https://de.wikipedia.org/wiki/Fax +# http://fileformats.archiveteam.org/wiki/CCITT_Group_3 # Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others 0 short 0x0100 @@ -32,7 +33,10 @@ # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom >>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom ->>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded +>>>>>>>8 ubequad !0x5dee74ad1aa56394 +# skip few (5/41) DEGAS mid-res bitmap (GEMINI01.PI2 GEMINI02.PI2 GEMINI03.PI2 CODE_RAM.PI2 TBX_DEMO.PI2) +# with file size 32034 +>>>>>>>>-0 offset !32034 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" !:mime image/g3fax #!:apple ????TIFF @@ -43,7 +47,9 @@ # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom >2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x raw G3 (Group 3) FAX +>2 default x +# skip some (84/1246) MacBinary II/III (Cyberdog2.068k.smi.bin FileMakerPro4.img.bin Hypercard1.25.image.bin UsbStorage1.3.5.smi.bin) with "non random" numbers by versions values 81h/82h + 81h +>>122 ubeshort&0xFcFf !0x8081 raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" !:mime image/g3fax !:ext g3 diff --git a/contrib/file/magic/Magdir/motorola b/contrib/file/magic/Magdir/motorola index af93720f2968..2fd232ec0d39 100644 --- a/contrib/file/magic/Magdir/motorola +++ b/contrib/file/magic/Magdir/motorola 
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: motorola,v 1.12 2021/04/26 15:56:00 christos Exp $
+# $File: motorola,v 1.13 2024/02/11 21:25:17 christos Exp $
 # motorola: file(1) magic for Motorola 68K and 88K binaries
 #
 # 68K
@@ -18,6 +18,12 @@
 >12 belong >0 not stripped
 0 beshort 0522 mc68k executable (shared demand paged)
 >12 belong >0 not stripped
+
+# Motorola 68000 COFF object file
+0 leshort 0x0268
+>16 leshort 0
+>>0 use display-coff
+
 #
 # Motorola/UniSoft 68K Binary Compatibility Standard (BCS)
 #
diff --git a/contrib/file/magic/Magdir/msdos b/contrib/file/magic/Magdir/msdos
index a8d6d0f43e3e..925901694c30 100644
--- a/contrib/file/magic/Magdir/msdos
+++ b/contrib/file/magic/Magdir/msdos
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: msdos,v 1.154 2022/03/21 21:25:50 christos Exp $
+# $File: msdos,v 1.208 2024/08/27 18:50:57 christos Exp $
 # msdos: file(1) magic for MS-DOS files
 #
@@ -28,59 +28,187 @@ 100 search/0xffff say >100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text -# updated by Joerg Jenderek at Oct 2015 -# https://de.wikipedia.org/wiki/Common_Object_File_Format -# http://www.delorie.com/djgpp/doc/coff/filhdr.html -# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable" -#0 leshort 0x14c MS Windows COFF Intel 80386 object file -#>4 ledate x stamp %s -0 leshort 0x166 MS Windows COFF MIPS R4000 object file -#>4 ledate x stamp %s -0 leshort 0x184 MS Windows COFF Alpha object file -#>4 ledate x stamp %s -0 leshort 0x268 MS Windows COFF Motorola 68000 object file -#>4 ledate x stamp %s -0 leshort 0x1f0 MS Windows COFF PowerPC object file -#>4 ledate x stamp %s -0 leshort 0x290 MS Windows COFF PA-RISC object file -#>4 ledate x stamp %s # Tests for various EXE types. # # Many of the compressed formats were extracted from IDARC 1.23 source code. # +# e_magic 0 string/b MZ -# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. ->0x18 leshort <0x40 MS-DOS executable -!:mime application/x-dosexec -# Windows and later versions of DOS will allow .EXEs to be named with a .COM -# extension, mostly for compatibility's sake. -# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM -# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml -!:ext exe/com/vlm -# These traditional tests usually work but not always. When test quality support is -# implemented these can be turned on. 
-#>>0x18 leshort 0x1c (Borland compiler) -#>>0x18 leshort 0x1e (MS compiler) +# TODO +# FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition +# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FOD: WIFE Font Driver +# GAU: MS Flight Simulator Gauge +# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2 +# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya +# PFL: PhotoFilter plugin http://photofiltre.free.fr +# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html +# PLG: Aston Shell plugin http://www.astonshell.com/ +# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC +# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm +# TBK: Asymetrix ToolBook application http://www.toolbook.com +# TBP: The Bat! plugin http://www.ritlabs.com +# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com +# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com +# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/ +# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com +# +# NEXT LINES FOR DEBUGGING! +# e_cblp; bytes on last page of file +# e_cp; pages in file +#>4 uleshort x \b, e_cp 0x%x +# e_lfanew; file address of new exe header +#>0x3c ulelong x \b, e_lfanew 0x%x +# e_lfarlc; address of relocation table +#>0x18 uleshort x \b, e_lfarlc=0x%x +# e_ovno; overlay number. 
If zero, this is the main executable foo +#>0x1a uleshort !0 \b, e_ovno 0x%x +#>0x1C ubequad !0 \b, e_res 0x%16.16llx +# e_oemid; often 0 +#>0x24 uleshort !0 \b, e_oemid 0x%x +# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV) +# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV) +#>0x26 uleshort !0 \b, e_oeminfo 0x%x +# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe +# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE +#>0x28 ubequad !0 \b, e_res2 0x%16.16llx +# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593 +# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs +# new exe header magic like: PE NE LE LX W3 W4 +# no examples found for ZM DL MP P2 P3 +#>(0x3c.l) string x \b, at [0x3c] %.2s +#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x +#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x +# +# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file. 
+# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead +# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c +# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0 +# Icon library WORD60.ICL e_lfarlc=0 +# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0 +>0x18 uleshort <0x40 +# check magic of new second header +# skip Portable Executable (PE) with low e_lfarlc here, because handled later +# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS +>>(0x3c.l) string !PE\0\0 MS-DOS executable +# NE executable with low e_lfarlc like: WORD60.ICL +# This is Icon Manager (IM) by Impact Software format, based on NE version 5 with cleared NE version and e_lfarlc fields +# It can be parsed/loaded as NE version 5 binary just by skipping e_lfarlc and NE version checks +# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library +>>(0x3c.l-0x02) string IMNE \b, NE +>>>(0x3c.l+0x02) ubyte x \b version %u +>>>(0x3c.l+0x36) byte 2 for MS Windows +>>>>(0x3c.l+0x3E) ushort !0 +>>>>>(0x3c.l+0x3F) ubyte x %u +>>>>>(0x3c.l+0x3E) ubyte x \b.%02u +>>>(0x3c.l+0x02) ubyte x (Icon Library, Icon Manager by Impact Software) +!:ext icl +# handle LX executable with low e_lfarlc like: PCISCAN.EXE +>>(0x3c.l) string LX \b, LX +>>>(0x3c.l+0x2) uleshort =0x0000 +>>>>(0x3c.l) use lx-executable +# no examples found for big endian variant +>>>(0x3c.l+0x2) uleshort =0x0101 +>>>>(0x3c.l) use \^lx-executable +# no examples found for PDP-11 endian variant +>>>(0x3c.l+0x2) uleshort =0x0100 +# PDP-11-endian is not supported by magic "use" keyword yet +# no examples found for other endian variants +>>>0 default x +# other endianity is not supported by magic "use" keyword # Maybe it's a PE? 
+# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable +# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format >(0x3c.l) string PE\0\0 PE -!:mime application/x-dosexec +!:mime application/vnd.microsoft.portable-executable +# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics +# DLL Characteristics +#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x, +# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file +# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. +# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL) >>(0x3c.l+24) leshort 0x010b \b32 executable +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x020b \b32+ executable ->>(0x3c.l+24) leshort 0x0107 ROM image ->>(0x3c.l+24) default x Unknown PE signature +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u +# ROM image is without DOS MZ header and without PE\0\0 signature +#>>(0x3c.l+24) leshort 0x0107 ROM image +>>(0x3c.l+24) default x with unknown signature >>>&0 leshort x %#x ->>(0x3c.l+22) leshort&0x2000 >0 (DLL) + +## Start of the subsystem switch +>>(0x3c.l+92) clear x + +# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem +>>(0x3c.l+92) leshort 0 +# WINE https://www.winehq.org/ DLL libraries without subsystem, some examples: +# fakedlls/l3codeca.acm fakedlls/msadp32.acm fakedlls/inetcpl.cpl fakedlls/inetcpl.cpl fakedlls/kernel32.dll fakedlls/user32.dll fakedlls/gdi32.dll +# fakedlls/winex11.drv fakedlls/winspool.drv fakedlls/gphoto2.ds fakedlls/sane.ds fakedlls/ntoskrnl.exe fakedlls/dhtmled.ocx fakedlls/hhctrl.ocx +# fakedlls/hidclass.sys fakedlls/mshtml.tlb fakedlls/stdole32.tlb fakedlls/vwin32.vxd fakedlls/vmm.vxd +>>>0x40 string Wine\ placeholder\ DLL for WINE stub (DLL) +!:ext acm/cpl/dll/drv/ds/exe/ocx/sys/tlb/vxd +>>>0x40 string Wine\ builtin\ DLL for WINE (DLL) +!:ext 
acm/cpl/dll/drv/ds/exe/ocx/sys/tlb/vxd +>>>0 default x +# Summary: Microsoft compiled help *.HXS format 2.0 +# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2 +# Reference: http://www.russotto.net/chm/itolitlsformat.html +# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml +# Note: Microsoft compiled help format contains 2 PE32 sections (.rsrc, .its) for Intel i386; +# The help content is appended after the PE32 binary and starts with ITOLITLS string; +# End of the PE32 binary is immediately after the .its section. +# verified by command like: +# `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS` +# `objdump -p -s WINWORD.HXS` +# `readpe WINWORD.HXS` +>>>>(0x3c.l+6) uleshort =2 +# Second section for these binaries starts at fixed offset 288 (size of PE signature + size of COFF header + size +# of PE32 optional header with all data dirs + size of first .rsrc section header = 4 + 20 + 96+8*16 + 40 = 288) +>>>>>(0x3c.l+288) string/b .its\0\0\0\0 +# Read start+length of .its section and just after it +>>>>>>(&4.l+(-4)) string ITOLITLS \b, Microsoft compiled help format 2.0 +!:ext hxs +# Fallback for any unrecognized binary with Unknown subsystem 0 +>>>>>>0 default x for Unknown subsystem 0 +>>>>>0 default x for Unknown subsystem 0 +>>>>0 default x for Unknown subsystem 0 + +# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes >>(0x3c.l+92) leshort 1 -# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the -# drivers in Windows/System32/drivers/*.sys. +# WINE https://www.winehq.org/: fakedlls/fltmgr.sys fakedlls/mountmgr.sys fakedlls/scsiport.sys fakedlls/winebus.sys fakedlls/winehid.sys +>>>0x40 string Wine\ placeholder\ DLL for WINE stub +>>>0x40 string Wine\ builtin\ DLL for WINE +>>>0 default x for MS Windows +>>>>(0x3c.l+72) leshort x %u +>>>>(0x3c.l+74) leshort x \b.%02u +# Native PEs are used by: +# - NT kernel DLLs: hal.dll, kdcom.dll, pshed.dll, bootvid.dll, ... 
+# - NT kernel images: ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe +# - NT kernel drivers: Windows/System32/drivers/*.sys +# - NT native userspace DLLs: ntdll.dll, ... +# - NT native userspace executables: smss.exe, csrss.exe, autochk.exe, ... +# TODO: write rule to distinguish between Kernel and Native processes +# (the only way to do this is based on the presence of ntoskrnl.exe in import table) >>>(0x3c.l+22) leshort&0x2000 >0 (native) !:ext dll/sys >>>(0x3c.l+22) leshort&0x2000 0 (native) !:ext exe/sys + +# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem >>(0x3c.l+92) leshort 2 ->>>(0x3c.l+22) leshort&0x2000 >0 (GUI) +# WINE https://www.winehq.org/: fakedlls/clock.exe fakedlls/control.exe fakedlls/explorer.exe fakedlls/notepad.exe +>>>0x40 string Wine\ placeholder\ DLL for WINE stub +>>>0x40 string Wine\ builtin\ DLL for WINE +>>>0 default x for MS Windows +>>>>(0x3c.l+72) leshort x %u +>>>>(0x3c.l+74) leshort x \b.%02u +>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) # These could probably be at least partially distinguished from one another by # looking for specific exported functions. # CPL: Control Panel item 
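Review bot: The PE entry's `!:mime` changes from `application/x-dosexec` to `application/vnd.microsoft.portable-executable`, and the new low-`e_lfarlc` line `>>(0x3c.l) string !PE\0\0 MS-DOS executable` carries no `!:mime` or `!:ext` in this hunk, where the removed line had both. Anything that keys on the `file --mime-type` string (upload filters, mail gateways, triage rules) stops matching Windows executables on the old value. Plain DOS MZ files may fall back to the default type unless a line outside this hunk supplies one. I would keep `!:mime application/x-dosexec` under the `MS-DOS executable` line and record the PE change in the update notes so deny-lists are extended to cover both strings. The hunk at `-176,72`, which runs past the visible text, does the same for NE (`application/x-ms-ne-executable`) and comments out the DOS MIME line there as well.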
@@ -94,65 +222,152 @@ # Screen savers typically include code from the scrnsave.lib static library, but # that's not guaranteed. !:ext exe/scr + +# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem >>(0x3c.l+92) leshort 3 ->>>(0x3c.l+22) leshort&0x2000 >0 (console) +# WINE https://www.winehq.org/: fakedlls/cacls.exe fakedlls/cmd.exe fakedlls/expand.exe fakedlls/net.exe fakedlls/reg.exe +>>>0x40 string Wine\ placeholder\ DLL for WINE stub +>>>0x40 string Wine\ builtin\ DLL for WINE +>>>0 default x for MS Windows +>>>>(0x3c.l+72) leshort x %u +>>>>(0x3c.l+74) leshort x \b.%02u +>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) !:ext dll/cpl/tlb/ocx/acm/ax/ime >>>(0x3c.l+22) leshort&0x2000 0 (console) !:ext exe/com -# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format ->>(0x3c.l+92) leshort 7 (POSIX) ->>(0x3c.l+92) leshort 9 (Windows CE) ->>(0x3c.l+92) leshort 10 (EFI application) ->>(0x3c.l+92) leshort 11 (EFI boot service driver) ->>(0x3c.l+92) leshort 12 (EFI runtime driver) ->>(0x3c.l+92) leshort 13 (EFI ROM) ->>(0x3c.l+92) leshort 14 (XBOX) ->>(0x3c.l+92) leshort 15 (Windows boot application) ->>(0x3c.l+92) default x (Unknown subsystem ->>>&0 leshort x %#x) ->>(0x3c.l+4) leshort 0x14c Intel 80386 ->>(0x3c.l+4) leshort 0x166 MIPS R4000 ->>(0x3c.l+4) leshort 0x168 MIPS R10000 ->>(0x3c.l+4) leshort 0x184 Alpha ->>(0x3c.l+4) leshort 0x1a2 Hitachi SH3 ->>(0x3c.l+4) leshort 0x1a3 Hitachi SH3 DSP ->>(0x3c.l+4) leshort 0x1a8 Hitachi SH5 ->>(0x3c.l+4) leshort 0x169 MIPS WCE v2 ->>(0x3c.l+4) leshort 0x1a6 Hitachi SH4 ->>(0x3c.l+4) leshort 0x1c0 ARM ->>(0x3c.l+4) leshort 0x1c2 ARM Thumb ->>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb ->>(0x3c.l+4) leshort 0x1d3 Matsushita AM33 ->>(0x3c.l+4) leshort 0x1f0 PowerPC ->>(0x3c.l+4) leshort 0x1f1 PowerPC with FPU ->>(0x3c.l+4) leshort 0x1f2 PowerPC (big-endian) ->>(0x3c.l+4) leshort 0x200 Intel Itanium ->>(0x3c.l+4) leshort 0x266 MIPS16 ->>(0x3c.l+4) leshort 0x268 Motorola 68000 ->>(0x3c.l+4) leshort 0x290 PA-RISC 
->>(0x3c.l+4) leshort 0x366 MIPSIV ->>(0x3c.l+4) leshort 0x466 MIPS16 with FPU ->>(0x3c.l+4) leshort 0xebc EFI byte code ->>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit ->>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit ->>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit ->>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R ->>(0x3c.l+4) leshort 0x8664 x86-64 ->>(0x3c.l+4) leshort 0xaa64 Aarch64 ->>(0x3c.l+4) leshort 0xc0ee MSIL ->>(0x3c.l+4) default x Unknown processor type ->>>&0 leshort x %#x + +# 4~Old Windows CE subsystem (never used) +#>>(0x3c.l+92) leshort 4 for MS Windows CE OLD + +# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem +# Not used in image files, constant used only in in-memory structures of OS/2 subsystem as part of Windows NT +#>>(0x3c.l+92) leshort 5 for OS/2 + +# NO Windows Subsystem number 6! +#>>(0x3c.l+92) leshort 6 for Unknown subsystem 6 + +# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem +>>(0x3c.l+92) leshort 7 for POSIX +>>>(0x3c.l+72) leshort x %u +>>>(0x3c.l+74) leshort x \b.%02u +>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# like: PSXDLL.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 (EXE) +# like: PAX.EXE +!:ext exe + +# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver +# Win9x never used subsystem 8, all Win9x drivers are either LE/VXD or PE with native (1) subsystem +# MSVC4 LINK.EXE can create PE binary for subsystem 8 by /SUBSYSTEM:MMOSA flag +# MMOSA refers to Native Win32E (embedded) API, mentioned at: +# https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-97-18.doc +#>>(0x3c.l+92) leshort 8 for Win9x/MMOSA +# GRR: No examples found by Joerg Jenderek + +# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE +>>(0x3c.l+92) leshort 9 +# WINE https://www.winehq.org/ +>>>0x40 string Wine\ placeholder\ DLL for WINE stub +>>>0x40 string Wine\ builtin\ DLL for WINE +>>>0 default x for MS Windows CE +>>>>(0x3c.l+72) leshort x %u +>>>>(0x3c.l+74) leshort x \b.%02u +>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# like: MCS9900Ce50.dll 
Mosiisr99x.dll TMCGPS.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 (EXE) +# like: NNGStart.exe navigator.exe +!:ext exe + +# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application +>>(0x3c.l+92) leshort 10 for EFI (application) +# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi +!:ext efi + +# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services +>>(0x3c.l+92) leshort 11 for EFI (boot service driver) +# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi +!:ext efi + +# 12~IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER An EFI driver with run-time services +>>(0x3c.l+92) leshort 12 for EFI (runtime driver) +# no sample found +!:ext efi + +# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image +>>(0x3c.l+92) leshort 13 for EFI (ROM) +# no sample found +!:ext efi + +# 14~IMAGE_SUBSYSTEM_XBOX XBOX +>>(0x3c.l+92) leshort 14 for XBOX +#!:ext foo-xbox + +# NO Windows Subsystem number 15! +#>>(0x3c.l+92) leshort 15 for Unknown subsystem 15 + +# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application +>>(0x3c.l+92) leshort 16 for MS Windows +>>>(0x3c.l+72) leshort x %u +>>>(0x3c.l+74) leshort x \b.%02u +>>>(0x3c.l+22) leshort&0x2000 >0 (boot DLL) +# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 (boot application) +# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll +!:ext efi/exe + +>>(0x3c.l+92) default x +>>>&0 leshort x for Unknown subsystem %#x +## End of the subsystem switch + +>>(0x3c.l+4) clear x \b, +>>(0x3c.l+4) use display-coff-processor + >>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) >>(0x3c.l+22) leshort&0x1000 >0 system file + +# Check for presence of COM Runtime descriptor >>(0x3c.l+24) leshort 0x010b ->>>(0x3c.l+232) lelong >0 Mono/.Net assembly +>>>(0x3c.l+116) leshort >14 +>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly >>(0x3c.l+24) 
leshort 0x020b ->>>(0x3c.l+248) lelong >0 Mono/.Net assembly +>>>(0x3c.l+132) leshort >14 +>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly # hooray, there's a DOS extender using the PE format, with a valid PE # executable inside (which just prints a message and exits if run in win) ->>(8.s*16) string 32STUB \b, 32rtm DOS extender ->>(8.s*16) string !32STUB \b, for MS Windows +# FIXME: Find sample of such executable for investigation. In was introduced +# in file version 4.14 with following check: +# "(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender" +# "(8.s*16) string !32STUB for MS Windows" +# But that check is too generic and had lot of false positives. 32STUB/32rtm +# sounds like Borland DOS extender with PE loader and Windows emulation which +# can be injected into any valid Windows PE binary. +# So it is needed to look at the sample of such executable and check for +# subsystem or cpu/machine. + +# Detect embedded DOS extenders +>>(8.s*16) string 32STUB +# BRC32.EXE, TLINK32.EXE or TASM32.EXE from TASM 5.0 +>>>(8.s*16) search/0x50 32rtm-stub\ for\ PE\ files \b, Borland 32rtm DOS extender (stub) +# CL.EXE or LINK.EXE from MS Visual C++ 1.x +>>(8.s*16) search/0x50 Phar\ Lap\ Software,\ Inc. \b, Phar Lap TNT DOS extender +# ulink.exe +>>(8.s*16) search/0x200 Can't\ find\ DOSWIN32.RTM \b, DosWin32 DOS extender (stub) +>>(8.s*16) search/0x4000 Stub\ failed\ to\ find\ DOS/4G\ extender. \b, DOS/4G DOS extender (stub) +# LOADPEX.BIN and HDLD32.BIN +# x86 jmp near relative (0xe9 0x?? 0x??) 
+ string "MI" (0x4d 0x49) +>>(8.s*16) ulequad&0xffff0000ff =0x494d0000e9 \b, HX DOS extender (embedded with DPMI host) +>>(8.s*16) ulequad&0xffff0000ff !0x494d0000e9 +# DPMIST32.BIN +>>>(8.s*16) search/0x200 cannot\ find\ loader\ DPMILD32.EXE \b, HX DOS extender (stub) +# LOADPE.BIN +>>>(8.s*16) search/0x600 PATH=HDPMI32.EXE \b, HX DOS extender (embedded without DPMI host) +# DPMILD32.BIN +>>>(8.s*16) search/0x4000 DPMILD32: \b, HX DOS extender (embedded without DPMI host) + >>(0x3c.l+0xf8) string UPX0 \b, UPX compressed >>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed >>(0x3c.l+0xf8) search/0x140 UPX2 
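Review bot: The two added guards `>>>(0x3c.l+116) leshort >14` and `>>>(0x3c.l+132) leshort >14` read NumberOfRvaAndSizes, a 32-bit field, as a signed 16-bit value. Only the low half is compared, so a header whose low word is 0x8000 or above compares as negative and loses the `Mono/.Net assembly` label, while the upper half is ignored entirely. Reading the field at full width keeps the guard faithful to the header: `>>>(0x3c.l+116) ulelong >14` and `>>>(0x3c.l+132) ulelong >14`. This description is used for triage, so the test should not depend on how a malformed header happens to truncate.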
@@ -176,72 +391,350 @@ >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>0x30 string Inno \b, InnoSetup self-extracting archive +# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc. +# PE used as container have less sections +>>(0x3c.l+6) leshort >1 \b, %u sections +# do not display for 1 section to get output like in version 5.43 and to keep output columns low +#>>(0x3c.l+6) leshort =1 \b, %u section # If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. ->0x18 leshort >0x3f +>0x18 uleshort >0x3f # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable -!:mime application/x-dosexec +#!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE -!:mime application/x-dosexec ->>>(0x3c.l+0x36) byte 1 for OS/2 1.x ->>>(0x3c.l+0x36) byte 2 for MS Windows 3.x ->>>(0x3c.l+0x36) byte 3 for MS-DOS ->>>(0x3c.l+0x36) byte 4 for Windows 386 ->>>(0x3c.l+0x36) byte 5 for Borland Operating System Services ->>>(0x3c.l+0x36) default x ->>>>(0x3c.l+0x36) byte x (unknown OS %x) ->>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender ->>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) +#!:mime application/x-dosexec +!:mime application/x-ms-ne-executable +>>>(0x3c.l+0x02) ubyte x \b version %u +>>>(0x3c.l+0x02) ubyte >5 +>>>>(0x3c.l+0x03) ubyte x \b.%02u +# FOR DEBUGGING! 
+# Reference: https://wiki.osdev.org/NE +# Create time for NE version <5 in FAT12 format +#>>>(0x3c.l+0x02) ubyte <5 +#>>>>(0x3c.l+0x08) ulelong !0 \b, Created at +#>>>>>(0x3c.l+0x0a) lemsdosdate x %s +#>>>>>(0x3c.l+0x08) lemsdostime x %s +# ProgFlags; Program flags, bitmapped +#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x +# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, no automatic data segment +# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared +# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple +# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null) +# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Per-Process Library Initialization OR real mode only +# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only +# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions in OS/2 app OR LIM 3.2 EMS API in Win app +# >>>(0x3c.l+0x0c) ubyte &0x20 \b, i286 instructions in OS/2 app OR each instance in separate EMS bank in Win app +# >>>(0x3c.l+0x0c) ubyte &0x40 \b, i386 instructions in OS/2 app OR private GlobalAlloc above the EMS line in Win app +# >>>(0x3c.l+0x0c) ubyte &0x80 \b, x87 floating point instructions +# ApplFlags; Application flags, bitmapped +# https://www.fileformat.info/format/exe/corion-ne.htm +#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x +# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API) +# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Not compatiblr with Windows/P.M. API (full screen) +#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API (console mode) +#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. 
API (window mode) +#>>>(0x3c.l+0x0D) ubyte &0x08 \b, Bound OS/2 app OR application specific loader in Win app +#>>>(0x3c.l+0x0D) ubyte &0x20 \b, Errors in image +#>>>(0x3c.l+0x0D) ubyte &0x40 \b, Non-conforming OS/2 app OR private Win library above EMS line +# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle +#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver +# AutoDataSegIndex; automatic data segment index like: 0 2 3 22 +# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared +#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u +# InitHeapSize; intial local heap size like; 0 400h 1400h +# zero if there is no local allocation +#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x +# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h +# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h +# 6D60h 8000h 40000h +# zero if the SS register value does not equal the DS register value +#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x +# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h +#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x +# InitStack; specifies the segment offset value of stack pointer SS:SP +# like: 0 20000h 160000h +#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x +# SegCount; number of segments in segment table like: 0 1 2 3 16h +#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x +# ModRefs; number of module references (DLLs) like; 0 1 3 +#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u +# NoResNamesTabSiz; size in bytes of non-resident names table +# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh +#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x +# SegTableOffset; offset of Segment table like: 40h +#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x +# ResTableOffset; offset of resources table like: 40h 50h 58h F0h +# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON +#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 
0x%x +# ResidNamTable; offset of resident names table +# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h +#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x +# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h) +# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh +#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x +# OffStartNonResTab; offset from start of file to non-resident names table +# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h +#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x +# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446 +#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u +# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default) +#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u +# nResTabEntries; number of resource table entries like: 0 2 +#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u +# Following fields are valid only for NE version 5+ +>>>(0x3c.l+0x02) ubyte >4 +# targOS; Target OS; 0~unspecified (OS/2 or Windows); detect it based on Windows-only flags and OS/2 specific import lib (DOSCALLS) +#>>>(0x3c.l+0x36) byte x TARGOS %x +>>>>(0x3c.l+0x36) byte 0 +# if windows version is specified then it is windows binary +>>>>>(0x3c.l+0x3E) ushort !0 for MS Windows +>>>>>>(0x3c.l+0x3F) ubyte x %u +>>>>>>(0x3c.l+0x3E) ubyte x \b.%02u +>>>>>>(0x3c.l+0x3F) ubyte <3 +>>>>>>>(0x3c.l+0x37) byte&0x04 0 (real mode only) +>>>>>>>(0x3c.l+0x37) byte&0x04 !0 (real+protected mode) +>>>>>>(0x3c.l+0x3E) ushort =0x0300 +>>>>>>>(0x3c.l+0x0c) ubyte&0x08 0 (real+protected mode) +>>>>>>>(0x3c.l+0x0c) ubyte&0x08 !0 (protected mode only) +>>>>>(0x3c.l+0x3E) ushort 0 +>>>>>>(0x3c.l+0x2a) leshort 0 for OS/2 1.x or MS Windows 1.x/2.x +>>>>>>(0x3c.l+0x2a) default x +# Binaries with DOSCALLS import library are for OS/2 +>>>>>>>&(&0.s-0x29) search/512/C \x08DOSCALLS for OS/2 1.x +>>>>>>>(0x3c.l+0x2a) default x +# Binaries with KERNEL, USER or GDI import library are 
for Windows +# FIXME: names are prefixed by its length, but regex type does not support binary bytes +>>>>>>>>&(&0.s-0x29) regex/512/C KERNEL|USER|GDI for MS Windows 1.x/2.x +>>>>>>>>>(0x3c.l+0x37) byte&0x04 0 (real mode only) +>>>>>>>>>(0x3c.l+0x37) byte&0x04 !0 (real+protected mode) +# Binaries without any of those import library can be for any OS +>>>>>>>>(0x3c.l+0x2a) default x for OS/2 1.x or MS Windows 1.x/2.x +>>>>(0x3c.l+0x36) byte 1 for OS/2 1.x +>>>>(0x3c.l+0x36) byte 2 for MS Windows +# expctwinver; expected Windows version (minor first) like: +# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR +>>>>>(0x3c.l+0x3E) ushort !0 +>>>>>>(0x3c.l+0x3F) ubyte x %u +>>>>>>(0x3c.l+0x3E) ubyte x \b.%02u +# Empty version is is treated by Windows 3.x OS as Windows 2.01 version and by Windows 2.x OS as Windows 1.01 version +>>>>>(0x3c.l+0x3E) ushort 0 1.x/2.x +>>>>>(0x3c.l+0x3F) ubyte <3 +>>>>>>(0x3c.l+0x37) byte&0x04 0 (real mode only) +>>>>>>(0x3c.l+0x37) byte&0x04 !0 (real+protected mode) +>>>>>(0x3c.l+0x3E) ushort =0x0300 +>>>>>>(0x3c.l+0x0c) ubyte&0x08 0 (real+protected mode) +>>>>>>(0x3c.l+0x0c) ubyte&0x08 !0 (protected mode only) +# Windows P-code application +# https://web.archive.org/web/20000304044656/http://msdn.microsoft.com/library/backgrnd/html/msdn_c7pcode2.htm +# https://library.thedatadungeon.com/msdn-1992-09/msjv7/html/msjv0g6a.content.htm +# https://en.wikipedia.org/wiki/P-code_machine#Microsoft_P-code +# Can be created by MSC7 or MSVC1.x CL.EXE /Oq switch which calls MPC.EXE +# MPC.EXE (Make P-Code utility) sets bit2 in MZ e_res[2] (e_flags) field +# Filter out false-positive Windows 3.x applications with OS/2 WLO loader +# (sets bit7 in NE ne_flagsothers) as they do not have MZ e_res[] fields +>>>>>(0x3c.l+0x3E) ushort >0x0300 +>>>>>>(0x3c.l+0x37) ubyte&0x80 0 +>>>>>>>0x20 ubyte&0x04 !0 \b, P-code application +# 32-bit Watcom Win386 extender in 16-bit Windows 3.x NE binaries 
+# https://www.os2museum.com/wp/watcom-win386/ +# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/win386/ +# https://misc.daniel-marschall.de/spiele/blown_away/disassemble.php +# Examples: BA_LITE.EXE WALDO.EXE +>>>>>(0x3c.l+0x3E) ushort >0x0300 +>>>>>>0x38 ulong !0 +>>>>>>>(0x38.l) string MQ \b, Watcom Win386 extender +# OS 3 was reserved for Multitasking MS-DOS but it never used NE version 5+ (only NE version 4) +#>>>>(0x3c.l+0x36) byte 3 for Multitasking MS-DOS +# OS 4 was reserved for MS Windows/386 device drivers but MS Windows/386 2.x never used NE format (Xenix x.out format was used instead) +#>>>>(0x3c.l+0x36) byte 4 for MS Windows/386 device driver +# OS 5 is assigned to BOSS (Borland Operating System Services) but is used also by other 16-bit DOS applications +>>>>(0x3c.l+0x36) byte 5 for MS-DOS +# HDLD16.BIN +# x86 jmp near relative (0xe9 0x?? 0x??) + string "MI" (0x4d 0x49) +>>>>>(8.s*16) ulequad&0xffff0000ff =0x494d0000e9 \b, HX DOS extender 16-bit (embedded with DPMI host) +>>>>>(8.s*16) ulequad&0xffff0000ff !0x494d0000e9 +# DPMIST16.BIN +>>>>>>(8.s*16) search/0x200 cannot\ find\ loader\ DPMILD16.EXE \b, HX DOS extender 16-bit (stub) +# DPMILD16.BIN +>>>>>>(8.s*16) search/0x4000 DPMILD16: \b, HX DOS extender 16-bit (embedded without DPMI host) +# TLINK.EXE or TD.EXE from TASM 5.0 +>>>>>>(8.s*16) string 16STUB +>>>>>>>(8.s*16) search/0x1000 rtm.exe\0dpmi16bi.ovl \b, Borland rtm DOS extender (stub) +>>>>>>(8.s*16) string !16STUB +# TLINK.EXE or BRC.EXE from Borland Pascal 7.0 +>>>>>>>(8.s*16) search/0x1000 BOSS\ Stub\ Version \b, Borland BOSS DOS extender (stub) +# OS 6 is not assigned but is used by 32-bit DOS application with extender (found only with HX DOS extender 32-bit) +# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip +# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE +# https://www.japheth.de/HX/DPMILD32.TXT +>>>>(0x3c.l+0x36) byte 6 for MS-DOS +# HDLD32.BIN +# x86 jmp near relative (0xe9 0x?? 0x??) 
+ string "MI" (0x4d 0x49) +>>>>>(8.s*16) ulequad&0xffff0000ff =0x494d0000e9 \b, HX DOS extender 32-bit (embedded with DPMI host) +>>>>>(8.s*16) ulequad&0xffff0000ff !0x494d0000e9 +# DPMIST32.BIN +>>>>>>(8.s*16) search/0x200 cannot\ find\ loader\ DPMILD32.EXE \b, HX DOS extender 32-bit (stub) +# DPMILD32.BIN +>>>>>>(8.s*16) search/0x4000 DPMILD32: \b, HX DOS extender 32-bit (embedded without DPMI host) +# https://en.wikipedia.org/wiki/Phar_Lap_(company) +# like: TELLPROT.EXE from 286DEX +# can be created by BIND286.EXE from OS/2 NE binary +>>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap 286 DOS extender, emulating OS/2 1.x +# like: CVP7.EXE from 286DEX +# can be created by BIND286.EXE from Windows NE binary +>>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap 286 DOS extender, emulating MS Windows +>>>>>(0x3c.l+0x3E) ushort 0 1.x/2.x +>>>>>(0x3c.l+0x3E) ushort !0 +>>>>>>(0x3c.l+0x3F) ubyte x %u +>>>>>>(0x3c.l+0x3E) ubyte x \b.%02u +>>>>(0x3c.l+0x36) default x +>>>>>(0x3c.l+0x36) ubyte x for unknown OS %#x +# OS2EXEFlags; other EXE flags +# 1~Long filename support 2~Win2.x proportional fonts 4~Win2.x protected mode 8~Executable has gangload area 10~Win9x thunk lib without DllEntryPoint 80~Win3.x app with OS/2 WLO loader +#>>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x +# gangstart; offset to start of gangload area like: 0 34h 58h 246h +#>>>>(0x3c.l+0x38) uleshort !0 \b, gangstart 0x%x +# ganglength; size of gangload area +# like: 0 33Eh 39Ah AEEh +#>>>>(0x3c.l+0x3A) uleshort !0 \b, ganglength 0x%x +# mincodeswap; minimum code swap area size like 0 620Ch +#>>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x +>>>>(0x3c.l+0x3F) ubyte =3 +>>>>>0x3c ulelong >0x800 +>>>>>>(0x3c.l+0x37) ubyte &0x80 with OS/2 WLO loader +# Detection for NE versions <5 which do not have OS type byte 0x36 +# These versions are used only by WINE, Windows 1.x/2.x and Multitasking MS-DOS +# WINE binaries have special signature after the dos header (at fixed offset 0x40) +# Multitasking MS-DOS 
binaries imports DOSCALLS library, so use it for distinguishing +# Import libraries are part of the string table which starts one byte after the +# 16-bit indirect offset 0x2a relative to the beginning of NE header, and consist +# of concatenated pascal strings (first byte of the string is its length) +>>>(0x3c.l+0x02) ubyte <5 +# like: fakedlls/krnl386.exe16 fakedlls/gdi.exe16 fakedlls/winsock.dll16 fakedlls/winoldap.mod16 fakedlls/mouse.drv16 +>>>>0x40 string Wine\ placeholder\ DLL for WINE stub +>>>>(0x3c.l+0x2a) default x +# like: HE_DAEM.EXE POPUP.EXE QUEUER.EXE +>>>>>&(&0.s-0x29) search/512/C \x08DOSCALLS for Multitasking MS-DOS +>>>>>(0x3c.l+0x2a) default x for MS Windows 1.x/2.x +# Special case, Windows 3.x OS parse from NE version 4 binaries also following NE version 5 fields: +# - os type if is 0 or 2 +# - bits proportional fonts and protected mode +# Such NE version 4 binary is treated by Windows 3.x OS as Windows 2.01 +# compatible binary and by Windows 2.x OS as Windows 1.01 compatible binary. +# So if os type is correct (0 or 2; matched mask 0xfd) and at least one +# of those bits is set and others are cleared (matched mask 0xf9) then +# detect if binary has NE version 5 protected mode bit set. 
+>>>>>>(0x3c.l+0x36) leshort&0xf9fd 0 +>>>>>>>(0x3c.l+0x37) byte&0x06 !0 +>>>>>>>>(0x3c.l+0x37) byte&0x04 0 (real mode only) +>>>>>>>>(0x3c.l+0x37) byte&0x04 !0 (real+protected mode) +>>>>>>>(0x3c.l+0x37) default x (real mode only) +>>>>>>(0x3c.l+0x36) default x (real mode only) # DRV: Driver # 3GR: Grabber device driver # CPL: Control Panel Item -# VBX: Visual Basic Extension -# FON: Bitmap font +# VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic +# FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON # FOT: Font resource file -!:ext dll/drv/3gr/cpl/vbx/fon/fot +# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE +# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data +>>>(0x3c.l+0x0c) leshort &0x8000 +# Check segment count, if 0 then this is resource-only DLL +>>>>(0x3c.l+0x1c) leshort 0 +>>>>>(0x3c.l+0x2c) lelong !0 +>>>>>>(&-4.l+1) string/C FONTRES (DLL, font) +!:ext fon/fot +>>>>>>(&-4.l+1) default x (DLL, resource-only) +!:ext dll +>>>>>(0x3c.l+0x2c) lelong 0 (DLL, resource-only) +!:ext dll +>>>>(0x3c.l+0x1c) leshort !0 +# Check description of the module, first word specifies type of the DLL library +>>>>>(0x3c.l+0x2c) lelong !0 +>>>>>>(&-4.l+1) string/C DDRV (DLL, driver) +!:ext drv +>>>>>>(&-4.l+1) default x (DLL) +!:ext dll/drv/3gr/cpl/vbx +>>>>>(0x3c.l+0x2c) lelong 0 (DLL) +!:ext dll/drv/3gr/cpl/vbx >>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) !:ext exe/scr +>>>>(0x3c.l+0x0d) ubyte&0x07 =1 (full screen) +>>>>(0x3c.l+0x0d) ubyte&0x07 =2 (console) +>>>>(0x3c.l+0x0d) ubyte&0x07 =3 (GUI) >>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive >>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) ->>(0x3c.l) string LX\0\0 \b, LX +>>(0x3c.l) string LX \b, LX !:mime application/x-dosexec ->>>(0x3c.l+0x0a) leshort <1 (unknown OS) ->>>(0x3c.l+0x0a) leshort 1 for OS/2 ->>>(0x3c.l+0x0a) leshort 2 for MS Windows ->>>(0x3c.l+0x0a) 
leshort 3 for DOS ->>>(0x3c.l+0x0a) leshort >3 (unknown OS) ->>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) ->>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) ->>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) ->>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) ->>>(0x3c.l+0x08) leshort 1 i80286 ->>>(0x3c.l+0x08) leshort 2 i80386 ->>>(0x3c.l+0x08) leshort 3 i80486 +>>>(0x3c.l+0x2) uleshort =0x0000 +>>>>(0x3c.l) use lx-executable +# no examples found for big endian variant +>>>(0x3c.l+0x2) uleshort =0x0101 +>>>>(0x3c.l) use \^lx-executable +# no examples found for PDP-11 endian variant +>>>(0x3c.l+0x2) uleshort =0x0100 +# PDP-11-endian is not supported by magic "use" keyword yet +# no examples found for other endian variants +>>>0 default x +# other endianity is not supported by magic "use" keyword >>>(8.s*16) string emx \b, emx >>>>&1 string x %s >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive # MS Windows system file, supposedly a collection of LE executables +# like vmm32.vxd WIN386.EXE >>(0x3c.l) string W3 \b, W3 for MS Windows -!:mime application/x-dosexec - ->>(0x3c.l) string LE\0\0 \b, LE executable +#!:mime application/x-dosexec +!:mime application/x-ms-w3-executable +>>>(0x3c.l+0x3) ubyte <4 %u +# Windows 3.x WIN386.EXE +!:ext exe +>>>(0x3c.l+0x3) ubyte >3 %u +# Windows 95 VMM32.VXD +!:ext vxd +>>>(0x3c.l+0x2) ubyte x \b.%02u + +# W4 executable +>>(0x3c.l) string W4 \b, W4 for MS Windows +#!:mime application/x-dosexec +!:mime application/x-ms-w4-executable +# windows 98 VMM32.VXD +!:ext vxd +>>>(0x3c.l+0x3) ubyte x %u +>>>(0x3c.l+0x2) ubyte x \b.%02u + +# Linear Executable (LE) in Little Endian (\0\0) +>>(0x3c.l) string LE\0\0 \b, LE !:mime application/x-dosexec >>>(0x3c.l+0x0a) leshort 1 # some DOS extenders use LE files with OS/2 header ->>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender ->>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender +>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS/4G DOS extender +>>>>0x240 
search/0x200 WATCOM\ C/C++ for MS-DOS, DOS/4GW DOS extender >>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender >>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender >>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) >>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) >>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) +# D3XW.EXE +>>>>(8.s*16) string o2LEstub for MS-DOS, D3X DOS extender +>>>>0 default x +# DOS32MW.DLL +>>>>>(0x3c.l+0x10) lelong&0x38000 =0x18000 for MS-DOS (DLL) +!:ext dll +# HPFS.386 (HPFS386 filesystem for OS/2 1.x, part of Microsoft LAN Manager) +# https://www.os2museum.com/wp/os2-history/os2-16-bit-server/ +# EXE module (&0x38000=0x00000) with zero application type (&0x700=0x000) and +# with no external fixups (&0x20=0x20) is .386 32-bit driver module for OS/2 1.x +>>>>>(0x3c.l+0x10) lelong&0x38720 =0x00020 for OS/2 1.x (driver) +!:ext 386 +>>>>>0 default x for unknown OS 0x1 # this is a wild guess; hopefully it is a specific signature >>>>&0x24 lelong <0x50 >>>>>(&0x4c.l) string \xfc\xb8WATCOM 
@@ -249,44 +742,108 @@ # another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP #>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 # fails with DOS-Extenders. ->>>(0x3c.l+0x0a) leshort 2 for MS Windows ->>>(0x3c.l+0x0a) leshort 3 for DOS ->>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) -# VXD: VxD for Windows 95/98/Me -# 386: VxD for Windows 2.10, 3.0, 3.1x +# OS 2 was reserved for MS Windows 16-bit but it never used LE (NE format was used instead) +#>>>(0x3c.l+0x0a) leshort 2 for MS Windows 16-bit +# OS 3 was reserved for Multitasking MS-DOS but it never used LE (NE format was used instead) +#>>>(0x3c.l+0x0a) leshort 3 for Multitasking MS-DOS +>>>(0x3c.l+0x0a) leshort 4 for MS Windows +>>>>(0x3c.l+0xc3) ubyte x %u +>>>>(0x3c.l+0xc2) ubyte x \b.%02u +>>>>(0x3c.l+0x10) lelong&0x38000 =0x08000 +# DLL module (0x08000) with no external fixups (0x20) for i386 CPU (2) is .386 VxD file for MS Windows 3.x +>>>>>(0x3c.l+0x10) lelong&0x20 !0 +>>>>>>(0x3c.l+0x08) leshort 2 (VxD 386) +!:ext 386 +>>>>(0x3c.l+0x10) lelong&0x38000 =0x28000 (VxD static) +# VXD: VxD for MS Windows 95/98/Me # PDR: Port driver # MPD: Miniport driver (?) -!:ext vxd/386/pdr/mpd +!:ext vxd/pdr/mpd +>>>>(0x3c.l+0x10) lelong&0x38000 =0x38000 (VxD dynamic) +!:ext vxd/pdr/mpd +>>>(0x3c.l+0x0a) default x +>>>>(0x3c.l+0x0a) leshort x for unknown OS %#x >>>(&0x7c.l+0x26) string UPX \b, UPX compressed >>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive -# looks like ASCII, probably some embedded copyright message. 
-# and definitely not NE/LE/LX/PE ->>0x3c lelong >0x20000000 ->>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS -!:mime application/x-dosexec -!:ext exe/com -# header data too small for extended executable ->2 long !0 ->>0x18 leshort <0x40 ->>>(4.s*512) leshort !0x014c - ->>>>&(2.s-514) string !LE ->>>>>&-2 string !BW \b, MZ for MS-DOS -!:mime application/x-dosexec ->>>>&(2.s-514) string LE \b, LE ->>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender -# educated guess since indirection is still not capable enough for complex offset -# calculations (next embedded executable would be at &(&2*512+&0-2) -# I suspect there are only LE executables in these multi-exe files ->>>>&(2.s-514) string BW ->>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) ->>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS - -# This sequence skips to the first COFF segment, usually .text ->(4.s*512) leshort 0x014c \b, COFF -!:mime application/x-dosexec ->>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender +# DOS/32A Linear Compressed file format +>>(0x3c.l) string LC\0\0 \b, LC for MS-DOS +>>>0x40 search/0x40 STUB/32A \b, DOS/32A DOS extender (stub) +>>>0x40 search/0x80 STUB/32C \b, DOS/32A DOS extender (configurable stub) +>>>0x40 search/0x80 DOS/32A \b, DOS/32A DOS extender (embedded) + +# PX\0\0 signature for 32bit DOS Applications in DOS-PE Format (https://www.japheth.de/HX.html) +# SHDPMI.EXE, DOSTEST.EXE, GETVMODE.EXE, RMINT.EXE +>(0x3c.l) string PX\0\0 \b, PE32 +>>(0x3c.l+24) leshort 0x020b \b+ +>>0 clear x +>>0 default x executable for MS-DOS +# LOADPEX.BIN and HDLD32.BIN +# x86 jmp near relative (0xe9 0x?? 0x??) 
+ string "MI" (0x4d 0x49) +>>(8.s*16) ulequad&0xffff0000ff =0x494d0000e9 \b, HX DOS extender (embedded with DPMI host) +>>(8.s*16) ulequad&0xffff0000ff !0x494d0000e9 +# DPMIST32.BIN +>>>(8.s*16) search/0x200 cannot\ find\ loader\ DPMILD32.EXE \b, HX DOS extender (stub) +# LOADPE.BIN +>>>(8.s*16) search/0x600 PATH=HDPMI32.EXE \b, HX DOS extender (embedded without DPMI host) +# DPMILD32.BIN +>>>(8.s*16) search/0x4000 DPMILD32: \b, HX DOS extender (embedded without DPMI host) + +>0 clear x +# Skip already parsed binary types +# If magic in the branch is not parsed then always jumps to mz-unrecognized +>(0x3c.l) string PE\0\0 +>(0x3c.l) string PX\0\0 +>(0x3c.l) string LX +>(0x3c.l) string NE +>>(0x3c.l-0x02) string !IMNE +>>>0x18 uleshort <0x40 +>>>>0 use mz-unrecognized +>(0x3c.l) string W3 +>>0x18 uleshort <0x40 +>>>0 use mz-unrecognized +>(0x3c.l) string W4 +>>0x18 uleshort <0x40 +>>>0 use mz-unrecognized +>(0x3c.l) string LE\0\0 +>>0x18 uleshort <0x40 +>>>0 use mz-unrecognized +>(0x3c.l) string LC +>>0x18 uleshort <0x40 +>>>0 use mz-unrecognized +>0 default x +# This sequence jumps to the next MZ overlay +>>2 leshort !0 +# FIXME: Following line does not match binaries which total size is less than (4.s*512) +>>>(4.s*512) leshort x +>>>>&(2.s-514) leshort x +>>>>>&-2 use mz-next-overlay +>>>>>&-2 string BW +>>>>>>0 use mz-bw-collection +>>>>>&-2 string 3P +>>>>>>0 use mz-3p +>>>>0 default x +>>>>>0 use mz-unrecognized +>>>0 default x +>>>>0 use mz-unrecognized +>>2 leshort 0 +>>>(4.s*512) leshort x +>>>>&-2 use mz-next-overlay +>>>>&-2 string BW +>>>>>0 use mz-bw-collection +>>>>&-2 string 3P +>>>>>0 use mz-3p +>>>0 default x +>>>>0 use mz-unrecognized + +# Parse content of the COFF, executable type was already printed in mz-next-overlay +>(4.s*512) leshort 0x014c +#!:mime application/x-dosexec +# djgpp go32 v1 COFF +# F2C.EXE from f2c95201.zip or compress.exe from djdev112.zip +>>(&-6.l) string/b StubInfoMagic!!\0 for MS-DOS +# djgpp go32 v2 COFF +>>(8.s*16) string 
go32stub for MS-DOS >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s >>&(&0x42.l-3) byte x 
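Review bot: The skip list under `# Skip already parsed binary types` tests `>(0x3c.l) string LC`, while the detection entry added earlier in this hunk matches `string LC\0\0`; LE, PE and PX use the four-byte form in both places. A header that carries `LC` followed by non-zero bytes is therefore not described by the LC entry, yet it also appears to be kept away from the `>0 default x` overlay walk (and from `mz-unrecognized` unless the value at `0x18` is below `0x40`), so it can end up with no format suffix at all. If the two-byte form is not deliberate, the skip entry should read `>(0x3c.l) string LC\0\0`. The enclosing MZ entry starts outside this hunk, so the level-1 parent is assumed.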
@@ -296,6 +853,61 @@ >>>&0x0b lelong <0x2000 >>>>&0 lelong >0x6000 \b, 32lite compressed +# Parse content of the a.out, executable type was already printed in mz-next-overlay +>(4.s*512) leshort 0x010b +# djgpp go32 v1 a.out +>>(&-6.l) string/b StubInfoMagic!!\0 for MS-DOS + +# djgpp go32 v1 +# Note that for "redirect" binaries is offset (4.s*512) behind end-of-file, so access it via "default" +>(4.s*512) clear x +>(4.s*512) default x +>>(&-4.l) string/b StubInfoMagic!!\0 +>>>&0 lelong >39 +>>>>&19 byte x \b, DJGPP go32 v%u +>>>>&18 byte x \b.%u +>>>>&17 byte x \b%c DOS extender (stub) +>>>&0 lelong <40 \b, DJGPP go32 v1 DOS extender (stub) +>>>&0 lelong >35 +>>>>&0 byte !0 +>>>>>&-1 string/16 x \b, autoload "%s" +>>>&0 lelong >62 +>>>>&28 byte !0 +# zcat.exe from djdev112.zip +>>>>>&-1 string/15 x \b, redirect to "%s" + +# djgpp go32 v2 +>(8.s*16) string go32stub +# Version string is usually ", v 2.05", so skip leading spaces +>>&0 string ,\ v\ +>>>&0 string/4 x \b, DJGPP go32 v%s DOS extender +>>&0 default x +>>>&0 string/8 x \b, DJGPP go32 %s DOS extender +>>&8 lelong >43 +>>>&24 byte 0 +# check for embedded DPMI host PMODSTUB.EXE +>>>>0x1c string PMODSTUB.EXE (embedded PMODE/DJ) +>>>>0x1c string !PMODSTUB.EXE +>>>>>0x18 leshort 0 +# check for the default djgpp stub +>>>>>>0x40 search/0x80 The\ STUB.EXE\ stub\ loader (stub) +>>>>>>>(8.s*16) default x +>>>>>>>>&8 lelong >83 +>>>>>>>>>&56 byte !0 +# show which DPMI host executable is autoloaded when none is running +>>>>>>>>>>&-1 string/16 x \b, autoload "%s" +>>>>>(0x18.s) default x +>>>>>>&(0x6.s*4) default x +# check for embedded DPMI host CWSDSTUB.EXE +>>>>>>>&0 search/16 CWSDPMI +>>>>>>>>&-7 regex/T =^CWSDPMI(\ [^\ ]+\ )? (embedded %s) +# check for embedded DPMI host D3XD.EXE +>>>>>>>&0 search/16 D3X +>>>>>>>>&-3 regex/T =^D3X(\ [^\ ]+\ )? 
(embedded %s) +>>>&24 byte !0 +# djtarx.exe or dxegen.exe from djdev205.zip +>>>>&-1 string/8 x \b, redirect to "%s" + >(8.s*16) string $WdX \b, WDos/X DOS extender # By now an executable type should have been printed out. The executable @@ -313,10 +925,10 @@ >0x1c string LZ09 \b, LZEXE v0.90 compressed >0x1c string LZ91 \b, LZEXE v0.91 compressed >0x1c string tz \b, TinyProg compressed ->0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive +>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. \b, Self-extracting PKZIP archive !:mime application/zip # Yes, this really is "Copr", not "Corp." ->0x1e string PKLITE\ Copr. Self-extracting PKZIP archive +>0x1e string PKLITE\ Copr. \b, Self-extracting PKZIP archive !:mime application/zip # winarj stores a message in the stub instead of the sig in the MZ header >0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive 
@@ -364,38 +976,136 @@ >>49824 leshort =1 \b, 1 file >>49824 leshort >1 \b, %u files + +# This named instance is called for multi overlay MZ executable with offset of the next overlay +0 name mz-next-overlay +>0 string P2 \b, EXP (P2) for MS-DOS, Phar Lap 286 DOS extender +>0 string P3 \b, EXP (P3) for MS-DOS, Phar Lap 386 DOS extender +>0 string MT \b, MT for MS-DOS, IGC XMLOD i386 DOS extender +>0 string 3P \b, 3P for MS-DOS +# Other 3P details are printed later as they depend on the original MZ content +>>32 lelong&0x00000001 !0 \b, 16-bit +>>32 lelong&0x00000001 0 +# CWC.EXE from cw349bin.zip is 32-bit +>>>32 lelong&0x00010000 0 \b, 32-bit +# WL32.EXE from cw349bin.zip is dual mode +>>>32 lelong&0x00010000 !0 \b, Dual mode +>>32 lelong&0x80000000 !0 \b, Compressed +>0 string D3X1 \b, D3X1 for MS-DOS, D3X DOS extender +# BW details are printed later as they depend on the original MZ content +>0 string BW \b, BW collection for MS-DOS +# a.out details are printed later as they depend on the original MZ content +>0 leshort 0x010b \b, a.out +# COFF details are printed later as they depend on the original MZ content +>0 leshort 0x014c \b, COFF +>0 default x +# now make offset aligned to 0x10 +>>0 offset%0x10 0x0 +# already aligned +>>>0x0 use mz-next-overlay-aligned +>>0 offset%0x10 0x1 +>>>0xf use mz-next-overlay-aligned +>>0 offset%0x10 0x2 +>>>0xe use mz-next-overlay-aligned +>>0 offset%0x10 0x3 +>>>0xd use mz-next-overlay-aligned +>>0 offset%0x10 0x4 +>>>0xc use mz-next-overlay-aligned +>>0 offset%0x10 0x5 +>>>0xb use mz-next-overlay-aligned +>>0 offset%0x10 0x6 +>>>0xa use mz-next-overlay-aligned +>>0 offset%0x10 0x7 +>>>0x9 use mz-next-overlay-aligned +>>0 offset%0x10 0x8 +>>>0x8 use mz-next-overlay-aligned +>>0 offset%0x10 0x9 +>>>0x7 use mz-next-overlay-aligned +>>0 offset%0x10 0xa +>>>0x6 use mz-next-overlay-aligned +>>0 offset%0x10 0xb +>>>0x5 use mz-next-overlay-aligned +>>0 offset%0x10 0xc +>>>0x4 use mz-next-overlay-aligned +>>0 offset%0x10 0xd +>>>0x3 
use mz-next-overlay-aligned +>>0 offset%0x10 0xe +>>>0x2 use mz-next-overlay-aligned +>>0 offset%0x10 0xf +>>>0x1 use mz-next-overlay-aligned +0 name mz-next-overlay-aligned +>0 string MP \b, EXP (MP) for MS-DOS, Phar Lap 386 DOS extender +>0 default x +>>0 use mz-unrecognized + + +# This named instance is called for unrecognized MZ DOS binary from any offset +0 name mz-unrecognized +>0 default x \b, MZ for MS-DOS +!:mime application/x-dosexec +# Windows and later versions of DOS will allow .EXEs to be named with a .COM +# extension, mostly for compatibility's sake. +# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM +# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml +# also like: BGISRV.DRV +!:ext exe/com/vlm/drv + + +# This named instance is called for BW collection with offset from the beginning of the file +0 name mz-bw-collection +>(8.s*16) default x +>>&(&0x30.s) default x +>>>&0 string DOS/16M \b, DOS/16M DOS extender (embedded) +>>>&-8 string DOS/16M \b, DOS/16M DOS extender (embedded) +>>>&-8 string DOS/4G \b, DOS/4G DOS extender (embedded) +>>>0 default x +>>>>(8.s*16) search/0x4000 Stub\ failed\ to\ find\ DOS/4G\ extender. \b, DOS/4G DOS extender (stub) + + +# This named instance is called for CauseWay MZ 3P binary with offset from the beginning of the file +0 name mz-3p +# CWC.EXE and WL32.EXE from cw349bin.bin +>0x440 search/0x100 CauseWay\ DOS\ Extender \b, CauseWay DOS extender +# CWHELP.EXE from cw349bin.bin +>0x200 search/0x100 CauseWay\ dynamic\ link\ library \b, CauseWay DLL + + # Summary: OS/2 LX Library and device driver (no DOS stub) # 
From: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/EXE # Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt # https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h +# https://github.com/bitwiseworks/os2tk45/blob/master/h/exe386.h +# https://archive.org/download/IBMOS2Warp4ToolkitDocuments2/lxref.htm # Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)" -# TODO: unify with DOS stub variant (MZ magic) -0 string/b LX ->2 ushort =0 +# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX" +0 string/b LX LX executable +#!:mime application/x-msdownload +!:mime application/x-lx-executable +>2 uleshort =0x0000 >>0 use lx-executable # no examples found for big endian variant ->2 ushort =0x0101 +>2 uleshort =0x0101 >>0 use \^lx-executable +# no examples found for PDP-11 endian variant +>2 uleshort =0x0100 +# PDP-11-endian is not supported by magic "use" keyword yet +# no examples found for other endian variants +>>0 default x +# other endianity is not supported by magic "use" keyword + 0 name lx-executable -# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX" -#>0x00 uleshort x executable, -# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE ->0x00 uleshort =0x584c LX ->0x00 uleshort =0x454C LE ->0x00 uleshort x executable -#!:mime application/x-msdownload -!:mime application/x-lx-executable -# byte order: 00h~little-endian non-zero=1~big-endian -#>0x02 ubyte =0 (little-endian) ->0x02 ubyte !0 (big-endian) # FOR DEBUGGING! 
-# word order: 00h~little-endian non-zero=1~big-endian +# byte order: 00h~little-endian 01h~big-endian +#>0x02 ubyte =0 \b, little-endian byte order +#>0x02 ubyte =1 \b, big-endian word order +# word order: 00h~little-endian 01h~big-endian #>0x03 ubyte =0 \b, little-endian word order -#>0x03 ubyte !0 \b, big-endian word order -# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000 +#>0x03 ubyte =1 \b, big-endian word order +# cpu_type; CPU type like: 1~i286 2~i386 3~i486 4~i586 20h~i860-N10 21h~i860-N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000 #>0x08 uleshort x \b, CPU %u -# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386 +# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 16-bit 3~Multitasking MS-DOS 4.x 4~Windows 386 5~IBM Microkernel PN #>0x0A leshort x \b, OS %u # flags; module type flags #>0x10 ulelong x \b, FLAGS %#8.8x 
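Review bot: In the stub-less `0 string/b LX` entry the fallback `>>0 default x` is written one level deeper than the `>2 uleshort` tests, so it is a child of the `=0x0100` (PDP-11) case rather than the catch-all for every other byte-order value that its comment describes. The MZ-stub variant elsewhere in this diff keeps `>>>0 default x` at the same level as its `uleshort` tests. Neither line prints anything today, so output is unaffected, but the two copies should agree; `>0 default x` here would match the comment. As a smaller documentation point, the commented debug line `#>0x02 ubyte =1 \b, big-endian word order` sits under the byte-order heading and presumably should say `byte order`.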
@@ -403,47 +1113,75 @@ #>0x10 ulelong &0x00000002 \b, 2h reserved # OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid #>0x10 ulelong &0x00000004 \b, per-process library Initialization +#>0x10 ulelong &0x00000008 \b, system dll # OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied #>0x10 ulelong &0x00000010 \b, int. fixup # OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied #>0x10 ulelong &0x00000020 \b, ext. fixup # OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing -#>0x10 ulelong&0x00000100 =0x00000100 \b, incompatible with PM windowing +#>0x10 ulelong&0x00000700 =0x00000100 \b, incompatible with PM windowing # OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing -#>0x10 ulelong&0x00000200 =0x00000200 \b, compatible with PM windowing +#>0x10 ulelong&0x00000700 =0x00000200 \b, compatible with PM windowing +#>0x10 ulelong&0x00000700 =0x00000300 \b, uses PM windowing API +#>0x10 ulelong &0x00002000 \b, not loadable +#>0x10 ulelong &0x00008000 \b, library module # bit 17; device driver -#>0x10 ulelong&0x00020000 >0 \b, device driver +#>0x10 ulelong &0x00020000 \b, device driver +#>0x10 ulelong &0x00080000 \b, multiple-processor unsafe # Per-process Library Termination; setting this bit for EXE file is invalid -#>0x10 ulelong&0x40000000 =0x40000000 \b, per-process library termination +#>0x10 ulelong &0x40000000 \b, per-process library termination +# OS type +>0x0a clear x >0x0a leshort 1 for OS/2 -# no example found ->0x0a leshort 3 for DOS +# OS 2 was reserved for MS Windows 16-bit but it never used LX (NE format was used instead) +#>0x0a leshort 2 for MS Windows 16-bit +# OS 3 was reserved for Multitasking MS-DOS but it never used LX (NE format was used instead) +#>0x0a leshort 3 for Multitasking MS-DOS +# OS 4 was reserved for MS Windows device drivers but it never used LX (LE format was used instead) +#>0x0a leshort 4 for MS 
Windows +# OS 5 was reserved for IBM Microkernel Personality Neutral but it never used LX (the only released IBM Workplace OS for PowerPC used ELF format) +#>0x0a leshort 5 for IBM Microkernel Personality Neutral +>0x0a default x +>>0x0a leshort x for unknown OS %#x # http://www.ctyme.com/intr/rb-2939.htm#Table1610 # library by module type mask 00038000h (bits 15-17); -# 0h ~exectable Program module ->0x10 ulelong&0x00038000 =0x00000000 (program) -#!:ext exe -# OSF_IS_DLL=8000h ~Library module (DLL) ->0x10 ulelong&0x00038000 >0x00000000 -# OSF_PHYS_DEVICE=00020000h ~device driver ->>0x10 ulelong&0x00020000 >0 (device driver) -!:ext sys -# if not device driver it is library (DLL) ->>0x10 ulelong&0x00020000 =0 (library) +# 0h ~executable Program module +>0x10 ulelong&0x00038000 =0x00000000 (EXE) +!:ext exe +# bits 8-10; OSF_PM_APP=700h in flags ~Uses PM windowing API; either it is GUI or console +>>0x10 ulelong&0x00000700 =0x00000100 (full screen) +>>0x10 ulelong&0x00000700 =0x00000200 (console) +>>0x10 ulelong&0x00000700 =0x00000300 (GUI) +>0x10 ulelong&0x00038000 =0x00008000 (DLL) !:ext dll -# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console ->0x10 ulelong&0x00000300 =0x00000300 (GUI) ->0x10 ulelong&0x00000300 !0x00000300 (console) +>0x10 ulelong&0x00038000 =0x00010000 (unknown) +>0x10 ulelong&0x00038000 =0x00018000 (PMDLL) +>0x10 ulelong&0x00038000 =0x00020000 (PDD) +!:ext sys +>0x10 ulelong&0x00038000 =0x00028000 (VDD) +!:ext sys +>0x10 ulelong&0x00038000 =0x00030000 (DLD) +>0x10 ulelong&0x00038000 =0x00038000 (unknown) # CPU type ->0x08 uleshort 1 i80286 +>0x08 clear x +>0x08 uleshort 1 \b, Intel i286 # all inspected examples ->0x08 uleshort 2 i80386 ->0x08 uleshort 3 i80486 ->0x08 uleshort 4 i80586 -# 21h Intel "N11" or compatible +>0x08 uleshort 2 \b, Intel i386 +>0x08 uleshort 3 \b, Intel i486 +>0x08 uleshort 4 \b, Intel i586 +# 20h Intel i860 N10 or compatible +# 21h Intel i860 N11 or compatible # 40h MIPS Mark I ( 
R2000, R3000) or compatible # 41h MIPS Mark II ( R6000 ) or compatible # 42h MIPS Mark III ( R4000 ) or compatible +>0x08 default x +>>0x08 uleshort x \b, unknown CPU %#x +# Endianity for debugging, there are no samples for non-little-endian +#>0x02 clear x +#>0x02 uleshort =0x0000 (little-endian) +#>0x02 uleshort =0x0101 (big-endian) +#>0x02 uleshort =0x0100 (PDP-11-endian) +#>0x02 default x (unknown-endian) # added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc # and https://www.freedos.org/software/?prog=kpdos @@ -468,14 +1206,18 @@ 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020 +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023 # URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver # Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html -# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +# http://www.o3one.org/hwdocs/bios_doc/dosref22.html 0 ulequad&0x07a0ffffffff 0xffffffff # skip OS/2 INI ./os2 >4 ubelong !0x14000000 ->>0 use msdos-driver +#>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx +# https://bugs.astron.com/view.php?id=434 +# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like" +>>10 ubequad !0 +>>>0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver @@ -507,8 +1249,8 @@ >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped -# 1 space char before device driver name to get phrase like "device driver PROTMAN$" ->>>12 ubyte >0x2E \b +# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE" +>>>12 ubyte >0x23 \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c 
@@ -587,7 +1329,8 @@
 # skip "GPG symmetrically encrypted data" ./gnu
 # skip "PGP symmetric key encrypted data" ./pgp
 # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
->>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
+>>>4 ubyte >13
+>>>>0 use msdos-com
 # the remaining files should be DOS *.COM executables
 # dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
 # hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
@@ -597,48 +1340,171 @@ # SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b # validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e # devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e -!:mime application/x-dosexec -!:ext com - -# updated by Joerg Jenderek at Oct 2008 -0 ulelong 0xffff10eb DR-DOS executable (COM) -# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb -0 ubeshort&0xeb8d >0xeb00 -# DR-DOS STACKER.COM SCREATE.SYS missed 0 name msdos-com ->0 byte x DOS executable (COM) -!:mime application/x-dosexec -!:ext com +# URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com) +>0 byte x DOS executable ( +# DOS executable with JuMP 16-bit instruction +>0 byte =0xE9 +# check for probably nil padding til offset 64 of Lotus driver name +>>56 quad =0 +# check for "long" alphabetic Lotus driver name like: +# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus" +>>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s +!:mime application/x-dosexec +# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2) +!:ext drv +# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1) +>>>24 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable with JuMP 16-bit and without nil padding +>>56 quad !0 +# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot +# TODO: HOWTO distinguish COMboot from pure DOS executables? 
+# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program +>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit) +!:mime application/x-dosexec +# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2) +!:ext com/cbt +>>>1 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable without JuMP 16-bit instruction +>0 byte !0xE9 +# SCREATE.SYS https://en.wikipedia.org/wiki/Stac_Electronics +>>10 string =?STACVOL \bSCREATE.SYS) +!:mime application/x-dosexec +!:ext sys +# COM executable without JuMP 16-bit instruction and not SCREATE.SYS +>>10 string !?STACVOL \bCOM) +!:mime application/x-dosexec +!:ext com >6 string SFX\ of\ LHarc \b, %s >0x1FE leshort 0xAA55 \b, boot code >85 string UPX \b, UPX compressed >4 string \ $ARX \b, ARX self-extracting archive >4 string \ $LHarc \b, LHarc self-extracting archive >0x20e string SFX\ by\ LARC \b, LARC self-extracting archive +# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2) +>1 search/0xc088 \xcd\x22 \b, maybe with interrupt 22h +>0 ubelong x \b, start instruction %#8.8x +# show more instructions but not in samples like: rem.com (DJGPP) +>4 ubelong x %8.8x # JMP 8bit 0 byte 0xeb +# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent # allow forward jumps only >1 byte >-1 # that offset must be accessible +# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc >>(1.b+2) byte x ->>>0 use msdos-com - +# if look like COM executable with x86 boot signature then this +# implies FAT volume with x86 real mode code already handled by ./filesystems +# +# No x86 boot signature implies often DOS executable +# check for unrealistic high number of FATs. 
Then it is an unusual disk image or often a DOS executable +# like: FIXBIOS.COM (50 bytes) +>>>16 ubyte >3 +# https://www.drivedroid.io/ +# skip MBR disk image drivedroid.img version 12 July 2013 by start message +>>>>2 string !DriveDroid +# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/ +# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM) +# by check for characteristic message text near the beginning +>>>>>15 string !Non\040System\040disk +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar" +# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux +# by check for characteristic message text near the beginning +>>>>>>6 string !read\040error\015 +# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip +# skip ventoy 1.0.78 boot_hybrid.img +>>>>>>>24 string !\220\220\353I$\022\017 +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar" +# skip unusual floppy image PCDOS100.IMG of DOS 1.0 +# by check for characteristic message text near the beginning +>>>>>>>>9 string !7-May-81 +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar" +# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems +# by check for characteristic message near the beginning +>>>>>>>>>3 string !\370sdfS\270 +# like: FIXBIOS.COM (50 bytes) +>>>>>>>>>>0 use msdos-com +# check for unrealistic low number of FATs. 
Then it is an unusual FAT disk image or often a DOS executable +# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15) +>>>16 ubyte =0 +# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux) +>>>>0x1FE leshort =0xAA55 +>>>>0x1FE default x +# https://thestarman.pcministry.com/tool/hxd/dimtut.htm +# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10 +# by check for characteristic bootloader names near end of boot sector +>>>>>395 string !ibmbio\040\040com +>>>>>>0 use msdos-com +# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems +# like: balder.img +>>>16 default x +# skip disk images with boot signature at end of 1st sector +# like: TDSK-64b.img +>>>>(11.s-2) uleshort !0xAA55 +# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18) +# by check for characteristic file system type text for FAT (12 bit or 16 bit) +>>>>>54 string !FAT +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar" +# skip unusual floppy image Disk4.img without boot signature and file system type text +# by check for characteristic OEM-ID text +>>>>>>3 string !COMPAQ\040\040 +# no such DOS COM executables found +>>>>>>>0 use msdos-com # JMP 16bit 0 byte 0xe9 +# display DOS executable (COM or COMBOOT 16-bit strength=40=40-0) after ESP-IDF application image (strength=40=40+0) handled by ./firmware +#!:strength -0 +# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM +# 2h (CPQ0TD.DRV) 4FEh (NDN.COM) 581h (DRMOUSE.COM) 1FDh (GAG.COM) BE07h (USBDRIVE.COM) +#>1 uleshort x \b, OFFSET=%#4.4x +#>1 leshort x \b, OFFSET %d # forward jumps ->1 short >-1 +>1 leshort >-1 # that offset must be accessible +# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc >>(1.s+3) byte x ->>>0 use msdos-com +# check for unrealistic high number of FATs. 
Then it is not a disk image and it is a DOS executable +# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes) +>>>16 ubyte >3 +>>>>0 use msdos-com +# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable +# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV +# or ESP-IDF application image like: WLED_0.14.0_ESP32-C3.bin opendtu-generic_esp32.bin +>>>16 ubyte =0 +# skip ESP-IDF application image handled by ./firmware with ESP_APP_DESC_MAGIC_WORD +>>>>32 ulelong !0xABCD5432 +>>>>>0 use msdos-com +# maybe disc image with valid number of FATs or DOS executable +# like: IPXODI.COM PERUSE.COM TASKID.COM +>>>16 default x +# invalid low media descriptor. Then it is not a disk image and it is a DOS executable +>>>>21 ubyte <0xE5 +>>>>>0 use msdos-com +# valid media descriptor. Then it is maybe disk image or DOS executable +>>>>21 ubyte >0xE4 +# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable +# like: LEARN.COM (Word 1.15) +>>>>>11 uleshort&0x001f !0 +>>>>>>0 use msdos-com # negative offset, must not lead into PSP ->1 short <-259 +# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4) +# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS) +>1 leshort <-259 # that offset must be accessible +# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset >>(1,s+65539) byte x +# after jump next instruction for DEBUGGING! +#>>>&-1 ubelong x \b, NEXT instruction %#8.8x >>>0 use msdos-com -# updated by Joerg Jenderek at Oct 2008,2015 +# updated by Joerg Jenderek at Oct 2008,2015,2022 # following line is too general 0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux 
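Review bot: The comment above `>>>>>11 uleshort&0x001f !0` in the 16-bit JMP branch says the test rejects a sector size that is "not a power of 2 from 32-32768", but the mask only checks that the value is not a multiple of 32. A value such as 96 passes as a plausible sector size, and in that case nothing below `>>>>21 ubyte >0xE4` calls `msdos-com`, so the file gets no COM description from this branch. Either reword the comment to `# sector size that is not a multiple of 32 cannot belong to a FAT boot sector` or add the missing power-of-two test. Consumers that key on `application/x-dosexec` should keep in mind that this branch declines to classify input that merely resembles a BIOS parameter block.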
@@ -661,19 +1527,49 @@ # syslinux version (4.x) # "COM executable (COM32R)" or "Syslinux COM32 module" by TrID >>>1 lelong 0x21CD4CFe \b, relocatable) -# Hajin Jang <hajin_jang@worksmobile.com>: -# Disable simplest COM signature to prevent false positive on some EUC-KR text files. -## remaining are DOS COM executables starting with assembler instruction MOV -## like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM -## MS-DOS SYS.COM RESTART.COM -## SYSLINUX.COM (version 1.40 - 2.13) -## GFXBOOT.COM (version 3.75) -## COPYBS.COM POWEROFF.COM INT18.COM ->>1 default x COM executable for DOS -!:mime application/x-dosexec -##!:mime application/x-ms-dos-executable -##!:mime application/x-msdos-program -!:ext com +>>1 default x +# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x) +>>>3 search/118 \xCD +# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) +# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS) +#>>>>&0 ubyte x \b, INTERUPT %#x +# few examples with interrupt 0x13 instruction +>>>>&0 ubyte =0x13 +# FOR DEBUGGING! 
+#>>>>>3 ubequad x \b, 2nd INSTRUCTION %#16.16llx +# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax +>>>>>3 ubequad !0x8ec0b8c0078ed88d +# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com +# http://bootcd.narod.ru/bcdw150z_en.zip +>>>>>>0 use msdos-com +# few examples with interrupt 0x16 instruction like flashimg.img +>>>>&0 ubyte =0x16 +# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz +>>>>>8 ubelong !0x3DE4E475 +# no DOS executable with interrupt 0x16 found +>>>>>>0 use msdos-com +# most examples with interrupt instruction unequal 0x13 and 0x16 +>>>>&0 default x +#>>>>>&-1 ubyte x \b, INTERUPT %#x +# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com +>>>>>0 use msdos-com +# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM +# or some EUC-KR text files or one Ulead Imaginfo thumbnail +>>>3 default x +# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM) +# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt) +#>>>>3 ubyte x \b, 2nd INSTRUCTION %#x +# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow) +# inside SAMPLES/TEXTURES/SKY_SNOW +# from https://archive.org/download/PI3CANON/PI3CANON.iso +>>>>3 ubyte !0x0 +# skip some EUC-KR text files like: euckr_falsepositive.txt +# https://bugs.astron.com/view.php?id=186 +>>>>>3 ubyte !0xb1 +# like: RESTART.COM (DOS 7.10) REBOOT.COM +>>>>>>0 use msdos-com # URL: https://en.wikipedia.org/wiki/UPX # Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/ 
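Review bot: The `>>>>&0 default x` branch under `>>>3 search/118 \xCD` sends any file with a 0xCD byte in that window to `msdos-com`, so the EUC-KR false positive cited in the comment (bugs.astron.com id 186) looks only partly covered. 0xCD is a legal EUC-KR byte, and the `!0xb1` exclusion in the no-interrupt branch keys on the fourth byte of a single sample. This matters wherever file(1) output feeds an upload or mail filter, because plain text would be reported as a DOS executable. I would gate the default branch on a plausible interrupt number, for example a child test `>>>>>&-1 ubyte <0x80` ahead of `use msdos-com` (offset copied from the commented debug line, please verify), with the comment `# EUC-KR text can contain 0xCD; require an interrupt number below 0x80`. The interrupt numbers listed in the hunk (10h to 2Fh) would still pass.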
@@ -885,9 +1781,6 @@ # 0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document !:mime application/msword -# -0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document -!:mime application/msword # 0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet 
@@ -1066,15 +1959,82 @@ 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafile .WMF -0 string/b \327\315\306\232 Windows metafile -!:mime image/wmf -!:ext wmf +# URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile +# http://en.wikipedia.org/wiki/Windows_Metafile +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml +# Note: called "Windows Metafile" by TrID and +# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File) +# META_PLACEABLE Record (Aldus Placeable Metafile signature) +0 string/b \327\315\306\232 +# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119 +# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile" +# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h +# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300 +>26 uleshort&0xFDff =0x0100 Windows metafile +# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0 +# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf +>>4 uleshort !0 \b, resource handle %#x +# BoundingBox; the rectangle in the playback context measured in logical units for displaying +# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024) +# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589) +#>>6 ubequad x \b, bounding box %#16.16llx +# Left; x-coordinate of the upper-left corner of the rectangle +>>6 leshort x \b, bounding box (%d +# Top; y-coordinate upper-left corner +>>8 leshort x \b,%d +# Right; x-coordinate lower-right corner +>>10 leshort x / %d +# Bottom; y-coordinate lower-right corner +>>12 leshort x \b,%d) +# Inch; 
number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540 +>>14 uleshort x \b, dpi %u +# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf +>>16 ulelong !0 \b, reserved %#x +# Checksum; checksum for the previous 10 words +>>20 uleshort x \b, checksum %#x +# META_HEADER Record after META_PLACEABLE Record +>>22 use wmf-head +# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF 0 string/b \002\000\011\000 Windows metafile +>0 use wmf-head +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml +# Note: called "Windows Metafile (old Win 3.x format)" by TrID and +# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119 +# verified by XnView `nconvert -info *.wmf` as Windows metafile +# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9 +0 string/b \001\000\011\000 +# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011) +>18 ulelong >0 Windows metafile +# GRR: in version 5.44 unequal and not endian variant not working! +#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN +#>18 long !0 THIS_SHOULD_NOT_HAPPEN +>>0 use wmf-head +# display information of Windows metafile header (type, size, objects) +0 name wmf-head +# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk +>0 uleshort !0x0001 \b, type %#x +# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes) +>2 uleshort*2 !18 \b, header size %u +# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported +# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf +>4 uleshort =0x0100 \b, DIBs not supported +>4 uleshort =0x0300 +#>4 uleshort =0x0300 \b, DIBs supported +# this should not happen! 
+>4 default x \b, version +>>4 uleshort x %#x +# Size; the number of WORDs in the entire metafile +>6 ulelong x \b, size %u words +#>6 ulelong*2 x \b, size %u bytes !:mime image/wmf !:ext wmf -0 string/b \001\000\011\000 Windows metafile -!:mime image/wmf -!:ext wmf +# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF +>10 uleshort x \b, %u objects +# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h +>12 ulelong x \b, largest record size %#x +# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf +>16 uleshort !0 \b, %u members #tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file @@ -1227,8 +2187,6 @@ 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file -0 lelong 0x4C ->4 lelong 0x00021401 Windows shortcut file # .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 @@ -1264,22 +2222,6 @@ >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s -# DOS EPS Binary File Header -# From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File -!:mime image/x-eps ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d ->>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d - -# TNEF magic From "Joomy" <joomy@se-ed.net> -# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) -0 lelong 0x223e9f78 TNEF -!:mime application/vnd.ms-tnef - # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # https://en.wikipedia.org/wiki/Norton_Guides 
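Review bot: The type-2 entry `0 string/b \002\000\011\000 Windows metafile` now calls `wmf-head`, and so receives `!:mime image/wmf`, on a four-byte match alone. The placeable variant is guarded by `>26 uleshort&0xFDff =0x0100` and the type-1 variant by `>18 ulelong >0`. The hunk's own comment says no DISKMETAFILE sample was found, so this is the least verified of the three signatures and the one most likely to mislabel unrelated data. I would put the description behind the same version guard: `0 string/b \002\000\011\000`, then `>4 uleshort&0xFDff =0x0100 Windows metafile`, then `>>0 use wmf-head`.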
@@ -1356,14 +2298,96 @@ #!:mime application/x-novell-msg !:ext msg #!:ext msg/dat + +# Summary: Turbo Pascal Help +# 
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Turbo_Pascal +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-tp-2.trid.xml +# Note: called "Turbo Pascal Help (v2)" by TrID +0 string TPH2 Turbo Pascal help, version 2 +#!:mime application/octet-stream +!:mime application/x-pascal-hlp +# 4DOS help file, version 1.00 3.30 +!:ext hlp +# URL: https://en.wikipedia.org/wiki/4DOS +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos-v2.trid.xml +# Note: called "4DOS Help (v2)" by TrID +0 string ALIAS\r\nASSIGN\r\n +>13 search/3016 4DOS 4DOS help file, version 2.x +#!:mime text/plain +!:mime application/x-4dos-hlp +# DOS.HLP 4DOS help file, version 2.21 +!:ext hlp +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos-v4.trid.xml +# Note: called "4DOS Help (v4)" by TrID +0 string 4DH4 4DOS help file, version 4.x +#!:mime application/octet-stream +!:mime application/x-4dos-hlp +# 4dos402b.hlp +!:ext hlp +# Reference: https://4dos.info/4dsource/4helpsrc.zip/TPHELP.PAS +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos.trid.xml # 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of https://www.4dos.info/ -# pointer,HelpID[8]=4DHnnnmm -0 ulelong 0x48443408 4DOS help file ->4 string x \b, version %-4.4s +# check for valid pascal string length (6 or 8) of HelpID, 4DH magic, valid major number (5 6 7 8) +0 ubequad&0xF1ffFFffF0000000 0x0034444830000000 4DOS help file +#!:mime application/octet-stream +!:mime application/x-4dos-hlp +!:ext hlp +# pascal string length of of HelpID like: 6 8 +#>0 ubyte x PLENGHT=%x +# Note: version string correspond or is a little bit lower than value of _4VER variable or output of 4DOS command `VER /R` +# one-digit major version number of version string +>4 string x \b, version %-1.1s +# two-digit minor version number depending on pascal string length at the beginning +>>0 ubyte 8 \b. 
+>>>5 string x \b%-2.2s +# Byte at offset 7 (A=41h) and 8 (A=41h) is not Revison like C (=43h) as reported by VER /R for 4DOS602b.HLP +# GRR: maybe this is patch level +>>>7 string x %-.2s +# few samples with string length 6 (implying exact 2 byte minor version digits) like in 4DOS500f.HLP 4dos551c_ge.hlp +>>0 ubyte 6 \b. +>>>5 string x \b%-2.2s +# just in case pascal string length is neither 6 nor 8 +#>>0 default x \b. +#>>>5 string x %-2.2s +# false for version 5.52 and older, but true for version 6.02 and newer +>4 ubeshort >0x3535 +# HighestTopic; highest topic number +#>>9 uleshort x HighestTopic=%#4.4x +# NumTopics; number of topics +#>>11 uleshort x NumTopics=%#4.4x +# BiggestTopic; size of largest topic in uncompressed bytes +#>>13 uleshort x BiggestTopic=%#4.4x +# NamedTopics; number of topics in help index +#>>15 uleshort x NamedTopics=%#4.4x +# NameSize; Size of largest name, 0 for none +#>>17 uleshort x NameSize=%#4.4x +# PickSize; size of each entry in pick table, 0 for none +#>>18 uleshort x PickSize=%#4.4x +# width; width of help window, with frame if any +#>>19 ubyte x Width=%#2.2x +# FirstTopic; topic to show first (0 = index) +#>>20 uleshort x FirstTopic=%#4.4x +# KeysTopic; topic to show when keys help needed +#>>22 uleshort x KeysTopic=%#4.4x +# ExtHelpName; string[13]; name for external help program like: HELP.COM DOSBOOK.EXE +>>24 pstring x \b, external help %s +# ExtHelpEnv; String[16]; environment variable for alternate external help program name like: DOSHELP +>>38 pstring x or specified by DOS environment variable %s +# XlateArray = array[0..29] of Byte; {Most common characters in help text} +#>>55 ubequad x XlateArray=%#16.16llx +# SharewareData : SharewareDataRec; shareware info for 4DOS.COM +#>>87 ubequad x SharewareData=%#16.16llx # old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp -0 ulequad 0x3a000000024e4c MS Advisor help file +# URL: 
http://fileformats.archiveteam.org/wiki/Microsoft_Advisor_Help +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-ms-adv.trid.xml +# Note: called "Microsoft Advisor Help" by TrID +0 ulequad&0xFFffFFfeFFffFFff 0x003a000000024e4c MS Advisor help file +#!:mime application/octet-stream +!:mime application/x-ms-hlp +!:ext hlp # HtmlHelp files (.chm) 0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data @@ -1433,6 +2457,12 @@ >0x2c default x # look for 1st member name >>(16.l+16) ubyte x +# From: Joerg Jenderek +# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml +>>>&-1 string PackageInfo.xml \b, Device Metadata Package +!:mime application/vnd.ms-cab-compressed +!:ext devicemetadata-ms # https://en.wikipedia.org/wiki/SNP_file_format >>>&-1 string/c _accrpt_.snp \b, Access report snapshot !:mime application/msaccess 
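Review bot: In the 4DOS help entry, `>>24 pstring x \b, external help %s` and the `>>38 pstring x` line after it print as many bytes as the file's length byte claims (within libmagic's own string limit). The comments give the fields as string[13] and String[16]. A damaged or crafted header would therefore pull bytes from the following fields (XlateArray, SharewareData) into the description. The version lines in the same entry already cap their output with `%-1.1s` and `%-2.2s`; using `%.13s` and `%.16s` here would keep the printed text inside the documented field sizes.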
@@ -1456,14 +2486,20 @@ !:ext msu >>>&-1 default x # look at point character of 1st archive member name for file name extension +# GRR: search range is maybe too large and match point else where like in EN600x64.cab! >>>>&-1 search/255 . # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 # packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB ->>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go +>>>>>&0 string/c ppt\0 +>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go !:mime application/vnd.ms-powerpoint #!:mime application/mspowerpoint !:ext ppz +# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386 +>>>>>>28 uleshort =1 \b, one packed PowerPoint +!:mime application/vnd.ms-cab-compressed +!:ext pp_ # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx # first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack # or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack @@ -1477,6 +2513,13 @@ >>>>>>(16.l+16) string !Panoram 7 or 8 !:ext themepack/deskthemepack >>>>>>(16.l+16) ubyte x Theme Pack +# URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format +# http://fileformats.archiveteam.org/wiki/OneNote +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml +# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor Öffnen.onetoc2" +>>>>>&0 string/c one \b, OneNote Package +!:mime application/msonenote +!:ext onepkg >>>>>&0 default x # look for null terminator of 1st member name >>>>>>&0 search/255 \0 
@@ -1504,6 +2547,16 @@ >>>>>>>>>30 uleshort !0x0000 \b, single !:mime application/vnd.ms-cab-compressed !:ext cab +# first archive name without point character +>>>>&-1 default x +>>>>>28 uleshort =1 \b, single +!:mime application/vnd.ms-cab-compressed +# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._ +!:ext _ +>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab +!:ext cab # TODO: additional extensions like # .xtp InfoPath Template Part # .lvf Logitech Video Effects Face Accessory @@ -1601,9 +2654,9 @@ # define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) >8 uleshort >0 \b, iFolder %#x # date stamp for file -#>10 uleshort x \b, date %#x +>10 lemsdosdate x last modified %s # time stamp for file -#>12 uleshort x \b, time %#x +>12 lemsdostime x %s # attribs is attribute flags for file # define _A_RDONLY (0x01) file is read-only # define _A_HIDDEN (0x02) file is hidden 
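Review bot: In the second hunk on this line, `>10 lemsdosdate x last modified %s` has no `\b, ` separator, unlike the `>8 uleshort >0 \b, iFolder %#x` line just above it and the commented line it replaces. The timestamp will therefore follow the previous field with only a space. Consider `>10 lemsdosdate x \b, last modified %s`. The two comments `# date stamp for file` and `# time stamp for file` could also say that both values are printed together as one modification time.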
@@ -1801,3 +2854,220 @@ # year part >2 uleshort/512 x 1980+%u # + +# ExcelBIFF2-8BOF.magic - Excel Binary Interchange File Format versions 2-8 +# Beginning of File records +# See https://www.gaia-gis.it/gaia-sins/freexl-1.0.6-doxy-doc/html/Format.html +# Excel Commercial BIFF Release +# Version Name Version Year Notes +# 2.x Excel 2.0 BIFF2 1987 Before CFBF. File is the BIFF +# stream, containing a single +# worksheet. +# 3.0 Excel 3.0 BIFF3 1990 "" +# 4.0 Excel 4.0 BIFF4 1992 "" +# 5.0 Excel 5.0 BIFF5 1993 Starting with BIFF5, a single +# Workbook can internally store +# many individual Worksheets. +# The BIFF stream is stored in +# the CFBF file container. +# 7.0 Excel 95 BIFF5 1995 +# 8.0 Excel 98 BIFF8 1998 +# 9.0 Excel 2000 BIFF8 1999 +# 10.0 Excel XP BIFF8 2001 +# 11.0 Excel 2003 BIFF8 2003 +# See https://www.openoffice.org/sc/excelfileformat.pdf#page=135 +# 5.8 BOF – Beginning of File +# See also https://en.wikipedia.org/wiki/Microsoft_Excel; +# Old file extensions +# Format Extension Description +# Spreadsheet .xls Main spreadsheet format which holds data in +# worksheets, charts, and macros +# Add-in (VBA) .xla Adds custom functionality; written in VBA +# Toolbar .xlb The file extension where Microsoft Excel custom +# toolbar settings are stored. +# Chart .xlc A chart created with data from a Microsoft Excel +# spreadsheet that only saves the chart. +# To save the chart and spreadsheet save as .XLS. +# XLC is not supported in Excel 2007 or in any +# newer versions of Excel. +# Dialog .xld Used in older versions of Excel. +# Archive .xlk A backup of an Excel Spreadsheet +# Add-in (DLL) .xll Adds custom functionality; written in C++/C, +# Fortran, etc. and compiled in to a special +# dynamic-link library +# Macro .xlm A macro is created by the user or pre-installed +# with Excel. +# Template .xlt A pre-formatted spreadsheet created by the user +# or by Microsoft Excel. 
+# Module .xlv A module is written in VBA (Visual Basic for +# Applications) for Microsoft Excel +# Workspace .xlw Arrangement of the windows of multiple Workbooks +# Library .DLL Code written in VBA may access functions in a +# DLL, typically this is used to access the +# Windows API +#!:ext xls/xla/xlb/xlc/xld/xlk/xll/xlm/xlt/xlv/xlw + +#!:mime application/vnd.ms-excel + +# 5.8.1 BOF Records Written by Excel +# Record BOF, BIFF2 (record identifier is 0009 H): +# Offset Size Contents +# 0 2 BIFF version (not used) +# 2 2 Type of the following data: 0010H = Sheet +# 0020H = Chart +# 0040H = Macro sheet +# e.g. 0x0009 BOF len 4 version 2 content 0x0010 Sheet +0 uleshort =0x0009 Excel 2 BIFF 2 +>2 uleshort =4 +# version +>>4 uleshort =0 +>>4 uleshort =2 +>>>6 uleshort =0x0010 Sheet +>>>6 uleshort =0x0020 Chart +>>>6 uleshort =0x0040 Macros + +# Record BOF, BIFF3 (record identifier is 0209 H) and +# BIFF4 (record identifier is 0409H): +# Offset Size Contents +# 0 2 BIFF version (not used) +# 2 2 Type of the following data: 0010H = Sheet +# 0020H = Chart +# 0040H = Macro sheet +# 0100H = Workspace +# (BIFF3W/BIFF4W only) +# 4 2 Not used +0 uleshort =0x0209 Excel 3 BIFF 3 +>2 uleshort =6 +# version +>>4 uleshort =0 +>>4 uleshort =3 +>>>6 uleshort =0x0010 Sheet +>>>6 uleshort =0x0020 Chart +>>>6 uleshort =0x0040 Macros +# (BIFF3W only) +>>>6 uleshort =0x0100 Workspace + +0 uleshort =0x0409 Excel 4 BIFF 4 +>2 uleshort =6 +# version +>>4 uleshort =0 +>>4 uleshort =4 +>>>6 uleshort =0x0010 Sheet +>>>6 uleshort =0x0020 Chart +>>>6 uleshort =0x0040 Macros +# (BIFF4W only) +>>>6 uleshort =0x0100 Workspace + +# Record BOF, BIFF5 (record identifier is 0809 H): +# Offset Size Contents +# 0 2 BIFF version (always 0500H for BIFF5). +# Should only be used, if this record is the leading +# workbook globals BOF (see above). 
+# 2 2 Type of the following data: +# 0005H = Workbook globals +# 0006H = Visual Basic module +# 0010H = Sheet or dialogue (see SHEETPR, +# âžœ5.97) +# 0020H = Chart +# 0040H = Macro sheet +# 0100H = Workspace (BIFF5W only) +# 4 2 Build identifier, must not be 0 +# 6 2 Build year +0 uleshort =0x0809 Excel 5 BIFF 5 +>2 uleshort =8 +# version +>>4 uleshort =0x0500 +>>4 uleshort =5 +>>4 uleshort =0 +>>>6 uleshort =0x0005 Workbook Globals +>>>6 uleshort =0x0006 VB Module +>>>6 uleshort =0x0010 Sheet +>>>6 uleshort =0x0020 Chart +>>>6 uleshort =0x0040 Macros +# (BIFF5W only) +>>>6 uleshort =0x0100 Workspace +>>>>8 uleshort >0 Build %d +>>>>>10 uleshort >1900 Year %d + +# Record BOF, BIFF8 (record identifier is 0809 H): +# Offset Size Contents +# 0 2 BIFF version (always 0600 H for BIFF8) +# 2 2 Type of the following data: +# 0005H = Workbook globals +# 0006H = Visual Basic module +# 0010H = Sheet or dialogue (see SHEETPR, +# âžœ5.97) +# 0020H = Chart +# 0040H = Macro sheet +# 0100H = Workspace (BIFF8W only) +# 4 2 Build identifier, must not be 0 +# 6 2 Build year, must not be 0 +# 8 4 File history flags +# 12 4 Lowest Excel version that can read all records in this +# file +0 uleshort =0x0809 Excel 8 BIFF 8 +>2 uleshort =16 +# version +>>4 uleshort =0x0600 +>>4 uleshort =8 +>>4 uleshort =0 +>>>6 uleshort =0x0005 Workbook Globals +>>>6 uleshort =0x0006 VB Module +>>>6 uleshort =0x0010 Sheet +>>>6 uleshort =0x0020 Chart +>>>6 uleshort =0x0040 Macros +# (BIFF8W only) +>>>6 uleshort =0x0100 Workspace +>>>>8 uleshort >0 Build %d +>>>>>10 uleshort >1900 Year %d +>>>>>>12 ulelong !0 File history %d +>>>>>>16 ulelong >0 Excel version needed %d + +# 5.8.2 BOF Records Written by Other External Tools +# Various external tools write non-standard BOF records with the record +# identifier 0809H (determining a BIFF5-BIFF8 BOF record), but with a +# different BIFF version field. 
In this case, the record identifier is +# ignored, and only the version field is used to set the BIFF version of +# the workbook. +# Record BOF (record identifier is 0809 H): +# Offset Size Contents +# 0 2 BIFF version: 0000H = BIFF5 +# 0200H = BIFF2 +# 0300H = BIFF3 +# 0400H = BIFF4 +# 0500H = BIFF5 +# 0600H = BIFF8 +# 2 2 Type of the following data: +# 0005H = Workbook globals +# 0006H = Visual Basic module +# 0010H = Sheet or dialogue (see SHEETPR, +# âžœ5.97) +# 0020H = Chart +# 0040H = Macro sheet +# 0100H = Workspace +# [4] var. (optional) Additional fields of a BOF record, +# should be ignored +0 uleshort =0x0809 +# >= 4 +>2 uleshort >3 +>>4 uleshort =0 Excel 5 BIFF 5 +>>4 uleshort =0x0200 Excel 2 BIFF 2 +>>4 uleshort =2 Excel 2 BIFF 2 +>>4 uleshort =0x0300 Excel 3 BIFF 3 +>>4 uleshort =3 Excel 3 BIFF 3 +>>4 uleshort =0x0400 Excel 4 BIFF 4 +>>4 uleshort =4 Excel 4 BIFF 4 +>>4 uleshort =0x0500 Excel 5 BIFF 5 +>>4 uleshort =5 Excel 5 BIFF 5 +>>4 uleshort =0x0600 Excel 8 BIFF 8 +>>4 uleshort =6 Excel 8 BIFF 8 +>>4 uleshort =0x0800 Excel 8 BIFF 8 +>>4 uleshort =8 Excel 8 BIFF 8 +>>>6 uleshort =0x0005 Workbook Globals +>>>6 uleshort =0x0006 VB Module +>>>6 uleshort =0x0010 Sheet/Dialogue +>>>6 uleshort =0x0020 Chart +>>>6 uleshort =0x0040 Macros +# (BIFF8W only) +>>>6 uleshort =0x0100 Workspace + diff --git a/contrib/file/magic/Magdir/msooxml b/contrib/file/magic/Magdir/msooxml index 9303411f6356..4dfb3a9fb623 100644 --- a/contrib/file/magic/Magdir/msooxml +++ b/contrib/file/magic/Magdir/msooxml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msooxml,v 1.17 2021/11/08 13:53:43 christos Exp $ +# $File: msooxml,v 1.23 2024/07/19 18:48:23 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown <ralf.brown@gmail.com> 
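Review bot: Each BIFF entry prints its description on the level-0 test (`0 uleshort =0x0009 Excel 2 BIFF 2`, likewise for 0x0209, 0x0409 and 0x0809), so any file whose first two bytes match is reported as Excel before the record length or version is checked. `Excel 5 BIFF 5` and `Excel 8 BIFF 8` both hang off the same `0 uleshort =0x0809` test, so a BIFF8 stream appears to be labelled by whichever entry is tried first. Tools that route files on file(1) output would inherit both mistakes. Moving the text down to the validated line avoids this, e.g. `0 uleshort =0x0809`, then `>2 uleshort =16`, then `>>4 uleshort =0x0600 Excel 8 BIFF 8`. As far as I can tell the `>>>6` type tests also attach only to the last `>>4` sibling (`=0`), which deserves either a comment or a restructure so that Sheet/Chart/Macros is reported for the 0x0500 and 0x0600 versions too.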
@@ -15,10 +15,13 @@ 0 name msooxml >0 string word/ Microsoft Word 2007+ !:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document +!:ext docx >0 string ppt/ Microsoft PowerPoint 2007+ !:mime application/vnd.openxmlformats-officedocument.presentationml.presentation +!:ext pptx >0 string xl/ Microsoft Excel 2007+ !:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet +!:ext xlsx >0 string visio/ Microsoft Visio 2013+ !:mime application/vnd.ms-visio.drawing.main+xml >0 string AppManifest.xaml Microsoft Silverlight Application 
@@ -35,21 +38,40 @@ # since some documents include a 520-byte extra field following the file # header, we need to scan for the next header >>>(18.l+49) search/6000 PK\003\004 +>>>>&26 use msooxml +>>>>&26 default x # now skip to the *third* local file header; again, we need to scan due to a # 520-byte extra field following the file header ->>>>&26 search/6000 PK\003\004 +>>>>>&26 search/6000 PK\003\004 # and check the subdirectory name to determine which type of OOXML -# file we have. Correct the mimetype with the registered ones: +# file we have. Correct the mimetype with the registered ones: # https://technet.microsoft.com/en-us/library/cc179224.aspx ->>>>>&26 use msooxml ->>>>>&26 default x +>>>>>>&26 use msooxml +>>>>>>&26 default x # OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file ->>>>>>&26 search/6000 PK\003\004 ->>>>>>>&26 use msooxml +>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>&26 use msooxml # Some OOXML generators add an extra customXml directory. Check another file. ->>>>>>>&26 default x ->>>>>>>>&26 search/6000 PK\003\004 ->>>>>>>>>&26 use msooxml +>>>>>>>>&26 default x +>>>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>>>&26 use msooxml +>>>>>>>>>>&26 default x +>>>>>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>>>>>&26 use msooxml +>>>>>>>>>>>>&26 default x Microsoft OOXML +>>>>>>>>>>>&26 default x Microsoft OOXML +>>>>>>>>>>&26 default x Microsoft OOXML >>>>>>>>>&26 default x Microsoft OOXML +>>>>>>>>&26 default x Microsoft OOXML +>>>>>>>&26 default x Microsoft OOXML +>>>>>>&26 default x Microsoft OOXML +>>0x1E regex \\[trash\\] +>>>&26 search/6000 PK\003\004 +>>>>&26 search/6000 PK\003\004 +>>>>>&26 use msooxml +>>>>>&26 default x +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml >>>>>>>&26 default x Microsoft OOXML +>>>>>>&26 default x Microsoft OOXML >>>>>&26 default x Microsoft OOXML diff --git a/contrib/file/magic/Magdir/msvc b/contrib/file/magic/Magdir/msvc index fbfa4f266f9b..c66a00ad506e 100644 
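Review bot: `>>0x1E regex \\[trash\\]` is the only scan in this hunk without an explicit length, whereas every neighbouring test is `search/6000`, and magic(5) advises limiting regex tests with `/<length>`. The pattern is also unanchored, so it accepts `[trash]` anywhere in the scanned window rather than at the start of the first entry name, which the offset 0x1E suggests is intended (the parent test is outside the hunk, so this is inferred). If the name is expected exactly at that offset, `>>0x1E string [trash]` would be cheaper and stricter. The branch also needs a comment saying which producer writes a leading `[trash]` entry, since nothing in the hunk explains it.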
--- a/contrib/file/magic/Magdir/msvc +++ b/contrib/file/magic/Magdir/msvc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msvc,v 1.11 2022/01/17 17:17:30 christos Exp $ +# $File: msvc,v 1.12 2024/03/31 15:08:13 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" <aldomel@ix.netcom.com> # Microsoft visual C @@ -15,9 +15,14 @@ 0 string \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157 MSVC .ide # .res -0 string \000\000\000\000\040\000\000\000\377 MSVC .res -0 string \377\003\000\377\001\000\020\020\350 MSVC .res -0 string \377\003\000\377\001\000\060\020\350 MSVC .res +# https://learn.microsoft.com/en-us/windows/win32/menurc/resource-file-formats +# https://learn.microsoft.com/en-us/windows/win32/menurc/resourceheader +# A binary resource file consists of a number of concatenated resource entries. +# Each entry consists of a resource header and the data for that resource. +# Resource file starts with an empty resource entry with 32-byte long header in +# which is stored ordinal type 0 and ordinal name 0. +0 string \000\000\000\000\040\000\000\000\377\377\000\000\377\377\000\000 Microsoft Visual C binary resource file +!:ext res #.lib # URL: https://en.wikipedia.org/wiki/Microsoft_Visual_C%2B%2B diff --git a/contrib/file/magic/Magdir/msx b/contrib/file/magic/Magdir/msx index 60e16569e24f..ce593cb80f02 100644 --- a/contrib/file/magic/Magdir/msx +++ b/contrib/file/magic/Magdir/msx @@ -1,5 +1,6 @@ #------------------------------------------------------------------------------ +# $File: msx,v 1.12 2024/08/30 17:29:28 christos Exp $ # msx: file(1) magic for the MSX Home Computer # v1.3 # Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> 
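Review bot: In the msvc `.res` hunk the new comment documents only the 32-byte empty-entry header, yet the change also drops the two `\377\003\000\377\001\000…` signatures without saying why. A reader cannot tell whether losing them was intended; they look like a different, possibly older, resource layout, but that is a guess from the bytes. A line such as `# the former \377\003\000\377\001\000 patterns are intentionally no longer matched` would settle it. A `!:mime` line beside the added `!:ext res` would also be consistent with the other entries touched in this commit.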
@@ -202,21 +203,6 @@ >>4 uleshort >0 \b, stahdl=%#04x >>6 uleshort >0 \b, devhdl=%#04x >>8 uleshort >0 \b, bas=%#04x -0 string/b AB\0\0 ->6 uleshort 0 ->>4 uleshort >0x400F MSX-BASIC extension ROM ->>>4 uleshort >0 \b, stahdl=%#04x ->>>6 uleshort >0 \b, devhdl=%#04x ->>>0x1C string OPLL \b, MSX-Music ->>>>0x18 string PAC2 \b (external) ->>>>0x18 string APRL \b (internal) - -0 string/b AB\0\0\0\0 ->6 uleshort >0x400F MSX device BIOS ->>6 uleshort >0 \b, devhdl=%#04x - - -0 string/b AB #>2 string 5JSuperLAYDOCK MSX Super Laydock ROM #>3 string @HYDLIDE3MSX MSX Hydlide-3 ROM #>3 string @3\x80IA862 Golvellius MSX1 ROM @@ -242,6 +228,21 @@ >>>>>6 uleshort 0 >>>>>>8 uleshort >0 MSX BASIC program in ROM, bas=%#04x +0 string/b AB\0\0 +>6 uleshort 0 +>>4 uleshort >0x400F MSX-BASIC extension ROM +>>>4 uleshort >0 \b, stahdl=%#04x +>>>6 uleshort >0 \b, devhdl=%#04x +>>>0x1C string OPLL \b, MSX-Music +>>>>0x18 string PAC2 \b (external) +>>>>0x18 string APRL \b (internal) + +0 string/b AB\0\0\0\0 +>6 uleshort >0x400F MSX device BIOS +>>6 uleshort >0 \b, devhdl=%#04x + + + 0x4000 string/b AB >0x4002 uleshort >0x400F >>0x400A string \0\0\0\0\0\0 MSX ROM with nonstandard page order diff --git a/contrib/file/magic/Magdir/music b/contrib/file/magic/Magdir/music index ad8da6593811..f87fc12ef8b2 100644 --- a/contrib/file/magic/Magdir/music +++ b/contrib/file/magic/Magdir/music @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: music,v 1.1 2011/11/25 03:28:17 christos Exp $ -# music: file (1) magic for music formats +# $File: music,v 1.2 2024/06/10 23:09:52 christos Exp $ +# music: file(1) magic for music formats # BWW format used by Bagpipe Music Writer Gold by Robert MacNeil Musicworks # and Bagpipe Writer by Doug Wickstrom diff --git a/contrib/file/magic/Magdir/nasa b/contrib/file/magic/Magdir/nasa index de3545f80800..dd5a166e13c6 100644 --- a/contrib/file/magic/Magdir/nasa +++ b/contrib/file/magic/Magdir/nasa 
@@ -1,6 +1,7 @@ #------------------------------------------------------------------------------ -# nasa: file(1) magic +# $File: nasa,v 1.3 2024/06/10 23:09:52 christos Exp $ +# nasa: file(1) magic for NASA SPICE file # From: Barry Carter <carter.barry@gmail.com> 0 string DAF/SPK NASA SPICE file (binary format) diff --git a/contrib/file/magic/Magdir/ole2compounddocs b/contrib/file/magic/Magdir/ole2compounddocs index 1379e569e122..e86183c8036c 100644 --- a/contrib/file/magic/Magdir/ole2compounddocs +++ b/contrib/file/magic/Magdir/ole2compounddocs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ole2compounddocs,v 1.18 2022/05/31 17:38:36 christos Exp $ +# $File: ole2compounddocs,v 1.29 2024/06/18 17:07:48 christos Exp $ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) # Additional tests for OLE 2 Compound Documents should be under this recipe. @@ -72,6 +72,7 @@ #>67 ubyte x \b, color %x # the DirIDs of the child nodes. Should both be -1 in the root storage entry #>68 bequad !0xffffffffffffffff \b, DirIDs %llx +# NEXT lines for DEBUGGING # second directory entry name like VisioDocument Control000 #>128 lestring16 x \b, 2nd %.20s # third directory entry like WordDocument @@ -201,6 +202,18 @@ !:ext nfo # # From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml +# Note: older versions til 13 about middle 2021 handled by ./windows +# called "Sysinternals Autoruns data (v14)" by TrID +# second, third and fourth directory entry name like Header Items 0 +>>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data, version 14 +#!:mime application/x-ole-storage +!:mime application/x-ms-arn +# like: MyHOSTNAME.arn +!:ext arn +# +# 
From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Microsoft_Access # Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml # http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File @@ -236,10 +249,24 @@ !:mime application/x-corel-gal !:ext gal # +# From: Joerg Jenderek +# URL: https://archive.org/details/iPhoto-Plus-4 +# https://filext.com/file-extension/TPL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tpl-ulead.trid.xml +# Note: found in Template sub directory in program directory of software iPhoto Plus version 4 +# second, third and fourth directory entry name like TplHeader TplMainImage TplPreview +>>>>128 lestring16 TplHeader : Ulead iPhoto Template +#!:mime application/x-ole-storage +!:mime image/x-ulead-tpl +# https://www.file-extensions.org/tpl-file-extension-ulead-photo-express-template +!:ext tpl +# # URL: https://en.wikipedia.org/wiki/Hangul_(word_processor) +# https://www.hancom.com/etc/hwpDownload.do # Note: "HWP Document File" signature found in FileHeader +# Hangul Word Processor WORDIAN, 2002 and later is using HWP 5.0 format. # Second directory entry name FileHeader hint for Thinkfree Office document ->>>>128 lestring16 FileHeader : Hangul (Korean) 5.0 Word Processor File +>>>>128 lestring16 FileHeader : Hancom HWP (Hangul Word Processor) file, version 5.0 #!:mime application/haansofthwp !:mime application/x-hwp # https://example-files.online-convert.com/document/hwp/example.hwp @@ -292,63 +319,106 @@ #>>>>>>&0 use PageMaker # THIS WORKS PARTLY! >>>>>>&0 indirect x +# +# URL: http://fileformats.archiveteam.org/wiki/Easy_CD_Creator +# 
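Review bot: `>>>>128 lestring16 Header` identifies an AutoRuns file from nothing more than a second directory entry named `Header` under a null CLSID, and that is a very common stream name. The same applies to `>>>>128 lestring16 Contents` for Easy CD Creator 2 in the `@@ -292,63 +319,106 @@` hunk, whose own comment lists `SesnDescriptor`, `CD_PLUS` and `0090` as further markers that are never tested. Any other OLE2 container with such an entry will be reported with the `arn` or `cl2` MIME type and extension instead of the generic storage type. Gating each message on one more format-specific check (for AutoRuns the `Items` entry the comment mentions, for cl2 one of the listed strings) would keep the label trustworthy for triage.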
From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cl4.trid.xml +# Note: called "Easy CD Creator Layout" by TrID +# "newer" version 4 contain a clsid +# Second directory entry name Contents +>>>>128 lestring16 Contents : Easy CD Creator 2 Layout +# contains also 3 strings SesnDescriptor CD_PLUS 0090 +#!:mime application/x-ole-storage +!:mime application/x-corel-cl2 +!:ext cl2 # remaining null clsid ->>>>128 default x : UNKNOWN -# second directory entry name like VisioDocument Control000 ->>>>>128 lestring16 x with names %.20s -# third directory entry like WordDocument ->>>>>256 lestring16 x %.20s -# forth ->>>>>384 lestring16 x %.20s -!:mime application/x-ole-storage -# according to file version 5.41 with -e soft option -#!:mime application/CDFV2 -#!:ext ??? +>>>>128 default x +>>>>>0 use ole2-unknown +# look for CLSID where "second" part is 0 +>>>80 ubequad !0x0 +# +# Summary: Family Tree Maker +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Family_Tree_Maker +# https://en.wikipedia.org/wiki/Family_Tree_Maker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftw.trid.xml +# Note called "Family Tree Maker Family Tree" by TrID and +# "FamilyTree Maker Database" with version "1-4" by DROID via PUID fmt/1352 +# tested only with version 2.0 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe my.ftw` +# newer versions are SQLite based and handled by ./sql +# directory names like: IND.DB AUX.DB GENERAL.DB NAME.NDX BIRTH.NDX EXTRA.DB +>>>>80 ubequad 0x5702000000000000 : Family Tree Maker Windows database, version 1-4 +# look for "File Format (C) Copyright 1993 Banner Blue Software Inc. - All Rights Reserved" in GENERAL.DB +#>>>>>0 search/0x5460c/s F\0i\0l\0e\0\040\0F\0o\0r\0m\0a\0t\0\040\0(\0C\0)\0 \b, VERSION +# GRR: jump to version value like 2 does not work! +#>>>>>>&-8 ubyte x %u +#!:mime application/x-ole-storage +!:mime application/x-fmt +# FBK is used for backup of FTW +!:ext ftw/fbk +# +>>>>80 default x +>>>>>0 use ole2-unknown # look for known clsid GUID # - Visio documents # URL: http://fileformats.archiveteam.org/wiki/Visio # Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek ->>88 ubequad 0xc000000000000046 : Microsoft ->>>80 ubequad 0x131a020000000000 Visio 2000-2002 Document, stencil or template +>>88 ubequad 0xc000000000000046 +>>>80 ubequad 0x131a020000000000 : Microsoft Visio 2000-2002 Document, stencil or template !:mime application/vnd.visio # VSD~Drawing VSS~Stencil VST~Template !:ext vsd/vss/vst ->>>80 ubequad 0x141a020000000000 Visio 2003-2010 Document, stencil or template +>>>80 ubequad 0x141a020000000000 : Microsoft Visio 2003-2010 Document, stencil or template !:mime application/vnd.visio !:ext vsd/vss/vst # # URL: http://fileformats.archiveteam.org/wiki/Windows_Installer ->>>80 ubequad 0x84100c0000000000 Windows Installer Package +# 
https://en.wikipedia.org/wiki/Windows_Installer#ICE_validation +# Update: Joerg Jenderek +# Windows Installer Package *.MSI or validation module *.CUB +>>>80 ubequad 0x84100c0000000000 : Microsoft Windows Installer Package or validation module !:mime application/x-msi #!:mime application/x-ms-win-installer -!:ext msi ->>>80 ubequad 0x86100c0000000000 Windows Installer Patch +# https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices +# cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub +#!:mime application/x-ms-cub +!:ext msi/cub +# 
From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Windows_Installer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml +# called "Windows SDK Setup Transform script" by TrID +>>>80 ubequad 0x82100c0000000000 : Microsoft Windows Installer transform script +#!:mime application/x-ole-storage +!:mime application/x-ms-mst +!:ext mst +>>>80 ubequad 0x86100c0000000000 : Microsoft Windows Installer Patch # ?? !:mime application/x-wine-extension-msp #!:mime application/x-ms-msp !:ext msp # # URL: http://fileformats.archiveteam.org/wiki/DOC ->>>80 ubequad 0x0009020000000000 Word 6-95 document or template +>>>80 ubequad 0x0009020000000000 : Microsoft Word 6-95 document or template !:mime application/msword # for template MSWDW8TN !:apple MSWDWDBN !:ext doc/dot ->>>80 ubequad 0x0609020000000000 Word 97-2003 document or template +>>>80 ubequad 0x0609020000000000 : Microsoft Word 97-2003 document or template !:mime application/msword !:apple MSWDWDBN # dot for template; no extension on Macintosh !:ext doc/dot/ # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor ->>>80 ubequad 0x0213020000000000 Works 3-4 document or template +>>>80 ubequad 0x0213020000000000 : Microsoft Works 3-4 document or template !:mime application/vnd.ms-works !:apple ????AWWP # ps for template https://filext.com/file-extension/PS bps for backup !:ext wps/ps/bps # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database ->>>80 ubequad 0x0313020000000000 Works 3-4 database or template +>>>80 ubequad 0x0313020000000000 : Microsoft Works 3-4 database or template !:mime application/vnd.ms-works-db # https://www.macdisk.com/macsigen.php !:apple ????AWDB 
@@ -356,14 +426,14 @@ !:ext wdb/db/bdb # # URL: https://en.wikipedia.org/wiki/Microsoft_Excel ->>>80 ubequad 0x1008020000000000 Excel 5-95 worksheet, addin or template +>>>80 ubequad 0x1008020000000000 : Microsoft Excel 5-95 worksheet, addin or template !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php !:apple ????XLS5 # worksheet/addin/template/no extension on Macintosh !:ext xls/xla/xlt/ # ->>>80 ubequad 0x2008020000000000 Excel 97-2003 +>>>80 ubequad 0x2008020000000000 : Microsoft Excel 97-2003 !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php XLS5 for Excel 5 !:apple ????XLS9 @@ -379,23 +449,36 @@ #!:ext xls/xlt/ # # URL: http://fileformats.archiveteam.org/wiki/OLE2 ->>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 item -#>>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 Message +>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 item +#>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 Message #!:mime application/vnd.ms-outlook !:mime application/x-ms-msg !:ext msg # URL: https://wiki.fileformat.com/email/oft/ ->>>80 ubequad 0x46f0060000000000 Outlook 97-2003 item template +>>>80 ubequad 0x46f0060000000000 : Microsoft Outlook 97-2003 item template #!:mime application/vnd.ms-outlook !:mime application/x-ms-oft !:ext oft # # URL: http://fileformats.archiveteam.org/wiki/PPT ->>>80 ubequad 0x5148040000000000 PowerPoint 4.0 presentation +>>>80 ubequad 0x5148040000000000 : Microsoft PowerPoint 4.0 presentation !:mime application/vnd.ms-powerpoint # https://www.macdisk.com/macsigen.php !:apple ????PPT3 !:ext ppt +# Summary: "newer" Greenstreet Art drawing +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GST_ART +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/art-gst-docfile.trid.xml +# Note: called like "Greenstreet Art drawing" by TrID +# Note: CONTENT stream contains binary part of older versions with phrase GST:ART at offset 16 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe BCARD2.ART` +>>>80 ubequad 0x602c020000000000 : Greenstreet Art drawing +#!:mime application/x-ole-storage +!:mime image/x-greenstreet-art +!:ext art +>>>80 default x +>>>>0 use ole2-unknown #?? # URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/ >>88 ubequad 0xa29a00aa004a1a72 : Microsoft @@ -432,10 +515,17 @@ # https://extension.nirsoft.net/wsb # like: wsbsamp.wsb WORKS2003_CD:\MSWorks\Common\Sammlung.wsb !:ext wsb -#?? -# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Publisher +# +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Publisher +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pub.trid.xml +# Note: called like "Microsoft Publisher document" by TrID +# "version" string MSPublisher.2 inside CompObj stream >>88 ubequad 0x00c0000000000046 : Microsoft ->>>80 ubequad 0x0112020000000000 Publisher +>>>80 ubequad 0x0012020000000000 Publisher 95 (2.0) +!:mime application/vnd.ms-publisher +!:ext pub +>>>80 ubequad 0x0112020000000000 Publisher 97-2013 (3.0-11.0) !:mime application/vnd.ms-publisher !:ext pub # @@ -535,6 +625,19 @@ !:apple ????WPC9 !:ext wpg # +# 
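Review bot: The two Publisher entries are added under `>>88 ubequad 0x00c0000000000046 : Microsoft`, which still prints the vendor prefix at the parent and has no `default` branch. The `0xc000000000000046` group, by contrast, is converted in this commit to per-entry `: Microsoft …` messages followed by `>>>80 default x` / `>>>>0 use ole2-unknown`. A file whose CLSID tail matches but whose first half is not listed is then reported as a bare `: Microsoft` with no MIME type, and, if I read the `default` semantics correctly, never reaches `>>88 default x` either. The new `: Corel` group (`@@ -535,6 +625,19 @@`) and the `: Autodesk` and `: Easy` groups (`@@ -647,15 +750,57 @@`) have the same shape. Moving the prefix into each child message and ending every group with the same two fallback lines would route unknown CLSIDs through `ole2-unknown`.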
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CorelCAD +# https://en.wikipedia.org/wiki/CorelCAD +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccd-corelcad.trid.xml +# Note: called "CorelCAD Drawing" by TrID and CorelCAD +# directory entry names like Contents ViewInfo CustomViewDescriptions LayerInfo +>>88 ubequad 0xbe26db67235e2689 : Corel +>>>80 ubequad 0x20f414de1cacce11 \bCAD Drawing or Template +#!:mime application/x-ole-storage +!:mime application/x-corel-cad +# CCT for CorelCAD Template +!:ext ccd/cct +# # URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats >>88 ubequad 0x996104021c007002 : StarOffice >>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template @@ -647,15 +750,57 @@ !:ext max # also chr for character file according to DROID https://www.nationalarchives.gov.uk/PRONOM/fmt/978 #!:ext max/chr +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/IPT +# https://en.wikipedia.org/wiki/Autodesk_Inventor +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/ipt.trid.xml +# Note: called "Autodesk Inventor Part" by TrID +# second, third, fifth and seventh directory entry name like RSeStorage RSeEmbeddings RefdFiles RSeDb +>>88 ubequad 0x93c37e0706000000 : Autodesk +>>>80 ubequad 0x90b4294db249d011 Inventor Part +#!:mime application/x-ole-storage +!:mime model/x-autodesk-ipt +!:ext ipt +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Easy_CD_Creator +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cl4.trid.xml +# Note: called "Easy CD Creator Layout" by TrID, +# "Easy CD Creator 4" by CREATR32.exe and "Easy CD Creator Document" on Windows +# verified by Michal Mutl Structured Storage Viewer `SSView.exe MY_CD3.cl4` +# verified partly by libolecf-utils `olecfinfo -v MY_CD4.cl4` +# created by Adaptec Easy CD Creator 4.02b +# "older" version 2 contain no clsid +>>88 ubequad 0x893f00802964b632 : Easy +>>>80 ubequad 0x0293c3a90a77d111 CD Creator 4 Layout +#!:mime application/x-ole-storage +!:mime application/x-corel-cl4 +!:ext cl4 +# maybe also suffix cl3 +#!:ext cl3/cl4 # remaining non null clsid >>88 default x -# GRR: check again for non null clsid because wrong when called by indirect directive ->>>88 ubequad !0 : UNKNOWN +>>>0 use ole2-unknown +# display information about directory for not detected CDF files +0 name ole2-unknown +>80 ubequad x : UNKNOWN # https://reposcope.com/mimetype/application/x-ole-storage !:mime application/x-ole-storage # according to file version 5.41 with -e soft option #!:mime application/CDFV2 #!:ext ??? ->>>>80 ubequad !0 \b, clsid %#16.16llx ->>>>88 ubequad x \b%16.16llx - +>80 ubequad !0 \b, clsid %#16.16llx +>>88 ubequad x \b%16.16llx +# converted hexadecimal format to standard GUUID notation +>>80 guid x {%s} +# second directory entry name like VisioDocument Control000 +>128 lestring16 x with names %.20s +# third directory entry like WordDocument Preview.dib +>256 lestring16 x %.20s +# forth like \005SummaryInformation +>384 lestring16 x %.25s +# 5th +>512 lestring16 x %.10s +# 6th +>640 lestring16 x %.10s +# 7th +>768 lestring16 x %.10s diff --git a/contrib/file/magic/Magdir/olf b/contrib/file/magic/Magdir/olf index 6ae3fc04e5ec..5c970b2f974f 100644 --- a/contrib/file/magic/Magdir/olf +++ b/contrib/file/magic/Magdir/olf 
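Review bot: `ole2-unknown` prints the class id twice, first as two raw hex quads (`\b, clsid %#16.16llx` then `\b%16.16llx`) and again through `>>80 guid x {%s}`. The GUID form is the one that can be looked up directly, so I would keep only that line and drop the hex pair. Both forms also sit under `>80 ubequad !0`, so a CLSID whose first eight bytes happen to be zero would not be shown at all; worth confirming that is acceptable. The comments need `GUUID` → `GUID` and `forth` → `fourth`.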
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: olf,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: olf,v 1.5 2024/02/29 03:42:40 christos Exp $ # olf: file(1) magic for OLF executables # # We have to check the byte order flag to see what byte order all the @@ -43,11 +43,11 @@ >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, ->>18 leshort 3 Intel 80386, +>>18 leshort 3 Intel i386, >>18 leshort 4 Motorola 68000 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, ->>18 leshort 6 Intel 80486, ->>18 leshort 7 Intel 80860, +>>18 leshort 6 Intel i486, +>>18 leshort 7 Intel i860, >>18 leshort 8 MIPS R3000_BE - invalid byte order, >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS R3000_LE, @@ -74,11 +74,11 @@ >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, ->>18 beshort 3 Intel 80386 - invalid byte order, +>>18 beshort 3 Intel i386 - invalid byte order, >>18 beshort 4 Motorola 68000, >>18 beshort 5 Motorola 88000, ->>18 beshort 6 Intel 80486 - invalid byte order, ->>18 beshort 7 Intel 80860, +>>18 beshort 6 Intel i486 - invalid byte order, +>>18 beshort 7 Intel i860, >>18 beshort 8 MIPS R3000_BE, >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS R3000_LE - invalid byte order, diff --git a/contrib/file/magic/Magdir/pack b/contrib/file/magic/Magdir/pack new file mode 100644 index 000000000000..e0f6835e8c84 --- /dev/null +++ b/contrib/file/magic/Magdir/pack @@ -0,0 +1,101 @@ +#------------------------------------------------------------------------------ +# $File: pack,v 1.1 2024/08/30 17:29:28 christos Exp $ +# file(1) magic for things that have PACK as magic + +0 string PACK +# Type: Git pack +# 
From: Adam Buchbinder <adam.buchbinder@gmail.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Git +# reference: https://github.com/git/git/blob/master/Documentation/technical/pack-format.txt +# The actual magic is 'PACK', but that clashes with Doom/Quake packs. However, +# those have a little-endian offset immediately following the magic 'PACK', +# the first byte of which is never 0, while the first byte of the Git pack +# version, since it's a tiny number stored in big-endian format, is always 0. +# GRR: line above is too general as it matches also PackDir archive ./acorn +# test for major version. Git 2017 accepts version number 2 or 3 +>4 ubelong <9 +# Acorn PackDir with method 0 compression has root like ADFS::HardDisc4.$.AsylumSrc +# or SystemDevice::foobar +>>9 search/13 :: +# but in git binary +>>9 default x Git pack +!:mime application/x-git +!:ext pack +# 4 GB limit implies unsigned integer +>>>4 ubelong x \b, version %u +>>>8 ubelong x \b, %u objects + +# 
From: Joerg Jenderek +# URL: https://www.kyzer.me.uk/pack/xad/#PackDir +# reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c +# GRR: line below is too general as it matches also "Git pack" in ./revision +# check for valid compression method 0-4 +>5 ulelong <5 +# https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems +# To skip "Git pack" version 0 test for root directory object like +# ADFS::RPC.$.websitezip.FONTFIX +>>9 string >ADFS\ PackDir archive (RISC OS) +# TrID labels above as "Acorn PackDir compressed Archive" +# compression mode y (0 - 4) for GIF LZW with a maximum n bits +# (y~n,0~12,1~13,2~14,3~15,4~16) +>>>5 ulelong+12 x \b, LZW %u-bits compression +# https://www.filebase.org.uk/filetypes +# !Packdir compressed archive has three hexadecimal digits code 68E +!:mime application/x-acorn-68E +!:ext pkd/bin +# null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo +>>>9 string x \b, root "%s" +# load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time +>>>>&1 ulelong x \b, load address %#x +# execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC +>>>>&5 ulelong x \b, exec address %#x +# attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) +>>>>&9 ulelong x \b, attributes %#x +# number of entries in this directory. 
for root dir 0 +#>>>&13 ulelong x \b, entries %#x +# the entries start here with object name +>>>>&17 string x \b, 1st object "%s" + +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/PAK +# reference: https://quakewiki.org/wiki/.pak +# GRR: line below is too general as it matches also Acorn PackDir compressed Archive +# real Quake examples like pak0.pak have only some hundreds like 150 files +# So test for few files +>8 ulelong <0x01000000 +# in file version 5.32 test for null terminator is only true for +# offset ~< FILE_BYTES_MAX = 1 MB defined in ../../src/file.h +# look for null terminator of 1st entry name +>>(4.l+55) ubyte 0 Quake I or II world or extension +!:mime application/x-dzip +!:ext pak +#>>>8 ulelong x \b, table size %u +# dividing this by entry size (64) gives number of files +>>>8 ulelong/64 x \b, %u files +# offset to the beginning of the file table +>>>4 ulelong x \b, offset %#x +# 1st file entry +>>>(4.l) use pak-entry +# 2nd file entry +#>>>4 ulelong+64 x \b, offset %#x +#>>>(4.l+64) use pak-entry +# +# display file table entry of Quake PAK archive +0 name pak-entry +# normally entry start after header which implies offset 12 or higher +>56 ulelong >11 +# the offset from the beginning of pak to beginning of this entry file contents +>>56 ulelong x at %#x +# the size of file for this entry +>>60 ulelong x %u bytes +# 56 byte null-terminated entry name string includes path like maps/e1m1.bsp +>>0 string x '%-.56s' +# inspect entry content by jumping to entry offset +>>(56) indirect x \b: + +#0 string -1\x0a Quake I demo +#>30 string x version %.4s +#>61 string x level %s + +#0 string 5\x0a Quake I save diff --git a/contrib/file/magic/Magdir/pascal b/contrib/file/magic/Magdir/pascal index ddb93b0c54f6..61688024560f 100644 --- a/contrib/file/magic/Magdir/pascal +++ b/contrib/file/magic/Magdir/pascal 
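Review bot: `pak-entry` ends with `>>(56) indirect x`, which restarts the whole magic database at an offset read from the file, and the only sanity check on that offset is `>56 ulelong >11`. A PAK whose first entry is itself a PAK (or any other container that uses `indirect`) will nest, so evaluation cost is bounded by libmagic's indirection limit (`-P indir=`) and not by anything in this rule. That deserves a comment above the line, e.g. `# offset is file-controlled; nesting is bounded by libmagic's indir limit only`. Separately, the two `GRR:` comments still point at `./revision` and `./acorn` although all three PACK formats now live in this file.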
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: pascal,v 1.3 2020/06/07 18:10:26 christos Exp $ +# $File: pascal,v 1.4 2022/07/30 16:53:06 christos Exp $ # pascal: file(1) magic for Pascal source # 0 search/8192 (input, Pascal source text @@ -12,3 +12,28 @@ # Free Pascal 0 string PPU Pascal unit >3 string x \b, version %s + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Dan_Bricklin +0 string/b Type +# URL: https://dl.winworldpc.com/Dan%20Bricklins%20Demo%20II%20Version%202%20Manual.7z +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-v2.trid.xml +>4 string D2 Dan Bricklin's Demo 2 demo +#!:mime application/octet-stream +!:ext dbd +# URL: https://muhaz.org/turbo-pascal-download-details.html +# From: Joerg Jenderek +# Note: used by Turbo Pascal 5.5 TOUR.EXE +>4 string T2 Turbo Pascal TOUR data +#!:mime application/octet-stream +!:mime application/x-borland-cbt +!:ext cbt +# WHAT iS THAT? +#>4 string \040P Dan Bricklin's Demo 2 foo +#!:mime application/octet-stream +# _PPRINT.SG2 _PASCII.SG2 +#!:ext sg2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-gen.trid.xml +>4 default x Dan Bricklin's Demo demo (generic) +#!:mime application/octet-stream +!:ext dbd diff --git a/contrib/file/magic/Magdir/pc88 b/contrib/file/magic/Magdir/pc88 deleted file mode 100644 index 03822f50279f..000000000000 --- a/contrib/file/magic/Magdir/pc88 +++ /dev/null 
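Review bot: `>4 default x Dan Bricklin's Demo demo (generic)` fires for every file that starts with the four bytes `Type` and is not followed by `D2` or `T2`. Any unrelated file that happens to begin with `Type…` will therefore be labelled as a Demo file with extension `dbd`. Unless a further distinguishing field is known, I would leave the generic branch disabled like the `\040P` one (`#>4 default x Dan Bricklin's Demo demo (generic)`) and keep only the two exact matches. These rules are also unrelated to Pascal source, so a one-line comment saying why they live in `Magdir/pascal` would help.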
@@ -1,24 +0,0 @@ -#------------------------------------------------------------------------------ -# pc88: file(1) magic for the NEC Home Computer -# v1.0 -# Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net> - -# PC88 2D disk image -0x20 ulelong&0xFFFFFEFF 0x2A0 ->0x10 string \0\0\0\0\0\0\0\0\0\0 ->>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 ->>>0x1A ubyte&0xEF 0 ->>>>0x1B ubyte&0x8F 0 ->>>>>0x1B ubyte&70 <0x40 ->>>>>>0x1C ulelong >0x21 ->>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s ->>>>>>>>0x1B ubyte 0 \b, media=2D ->>>>>>>>0x1B ubyte 0x10 \b, media=2DD ->>>>>>>>0x1B ubyte 0x20 \b, media=2HD ->>>>>>>>0x1B ubyte 0x30 \b, media=1D ->>>>>>>>0x1B ubyte 0x40 \b, media=1DD ->>>>>>>>0x1A ubyte 0x10 \b, write-protected - - - - diff --git a/contrib/file/magic/Magdir/pdf b/contrib/file/magic/Magdir/pdf index 38de3cff9b9f..7a99d8d3cf3d 100644 --- a/contrib/file/magic/Magdir/pdf +++ b/contrib/file/magic/Magdir/pdf @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.16 2021/07/30 11:47:07 christos Exp $ +# $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $ # pdf: file(1) magic for Portable Document Format # 0 name pdf >8 search /Count ->>&0 regex [0-9]+ \b, %s pages +>>&0 regex [0-9]+ \b, %s page(s) >8 search/512 /Filter/FlateDecode/ (zip deflate encoded) 0 string %PDF- PDF document @@ -42,7 +42,7 @@ >5 byte x \b, version %c >7 byte x \b.%c -0 search/256 %PDF- PDF document +0 search/1024 %PDF- PDF document !:mime application/pdf !:strength +60 !:ext pdf diff --git a/contrib/file/magic/Magdir/pdp b/contrib/file/magic/Magdir/pdp index 2d18b62df595..dfb0ca60cbd3 100644 --- a/contrib/file/magic/Magdir/pdp +++ b/contrib/file/magic/Magdir/pdp 
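Review bot: The widened `0 search/1024 %PDF-` carries no comment saying why 1024 was chosen, and the limit matters to anyone relying on this rule to recognise PDFs with leading junk or polyglot files. As far as I know the value mirrors the tolerance of common readers, which accept the header anywhere in the first 1024 bytes; a line such as `# readers accept the %PDF- header within the first 1024 bytes, so search that far` would record it. With `!:strength +60` left unchanged, the larger window also gives a stray `%PDF-` string inside another format more chances to win, so it is worth confirming against the test corpus.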
@@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: pdp,v 1.11 2017/03/17 21:35:28 christos Exp $ +# $File: pdp,v 1.12 2024/02/29 03:40:37 christos Exp $ # pdp: file(1) magic for PDP-11 executable/object and APL workspace +# URL: https://en.wikipedia.org/wiki/PDP-11 # 0 lelong 0101555 PDP-11 single precision APL workspace 0 lelong 0101554 PDP-11 double precision APL workspace @@ -12,13 +13,22 @@ >8 leshort >0 not stripped >15 byte >0 - version %d -# updated by Joerg Jenderek at Mar 2013 +# updated by Joerg Jenderek at Mar 2013, Feb 2024 # GRR: line below too general as it catches also Windows precompiled setup information *.PNF 0 leshort 0401 +# PDP-11 UNIX/RT ldp (strength=50=50+0) after D64 Image (strength=70=70+0 ./c64) and MMDF mailbox (strength=70=70+0 ./mmdf) +#!:strength +0 # skip *.PNF with WinDirPathOffset 58h ->68 ulelong !0x00000058 PDP-11 UNIX/RT ldp +>68 ulelong !0x00000058 # skip *.PNF with high byte of InfVersionDatumCount zero #>>15 byte !0 PDP-11 UNIX/RT ldp +# skip few Commodore D64 disc image like "The Great Gianna Sisters.d64" initialized with ^A and handled by ./c64 +>>8 quad !0x0101010101010101 +# skip MMDF mailbox like maillog.expected.2 with MBOX characteristic near the beginning handled by ./mmdf +>>>5 search/610/b From\ +>>>5 default x PDP-11 UNIX/RT ldp +#!:mime application/octet-stream +#!:ext foo 0 leshort 0405 PDP-11 old overlay 0 leshort 0410 PDP-11 pure executable diff --git a/contrib/file/magic/Magdir/perl b/contrib/file/magic/Magdir/perl index c391d4a72036..4a3756a483e1 100644 --- a/contrib/file/magic/Magdir/perl +++ b/contrib/file/magic/Magdir/perl @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ +# $File: perl,v 1.27 2023/07/17 16:01:36 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. 
@@ -34,12 +34,12 @@ # by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/8192 package ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; Perl5 module source text !:strength + 40 # not 'p', check other lines 0 search/8192 !p ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; ->>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; +>>0 regex \^1[[:space:]]*;|\^(use|sub|my)[[:space:]].*[(;{=] Perl5 module source text !:strength + 75 # Perl POD documents diff --git a/contrib/file/magic/Magdir/pgp b/contrib/file/magic/Magdir/pgp index d81883868b41..d7d3ae95d850 100644 --- a/contrib/file/magic/Magdir/pgp +++ b/contrib/file/magic/Magdir/pgp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.25 2021/04/26 15:56:00 christos Exp $ +# $File: pgp,v 1.26 2024/09/01 15:51:51 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # Handling of binary PGP keys is in pgp-binary-keys. @@ -108,15 +108,15 @@ >7 belong x %08X >11 byte 0x01 RSA (Encrypt or Sign) 1024b >11 byte 0x02 RSA Encrypt-Only 1024b ->12 string \x04\x00 ->12 string \x03\xff ->12 string \x03\xfe ->12 string \x03\xfd ->12 string \x03\xfc ->12 string \x03\xfb ->12 string \x03\xfa ->12 string \x03\xf9 ->142 byte 0xd2 . +#>12 string \x04\x00 +#>12 string \x03\xff +#>12 string \x03\xfe +#>12 string \x03\xfd +#>12 string \x03\xfc +#>12 string \x03\xfb +#>12 string \x03\xfa +#>12 string \x03\xf9 +#>142 byte 0xd2 . # 2048b RSA encrypted data 
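Review bot: The MPI-length tests (`>12 string \x04\x00` through `>142 byte 0xd2 .`) are commented out rather than deleted, here and in every later hunk of this file (`@@ -125,15` through `@@ -222,14`), which leaves about seventy dead lines with no explanation. With them gone, the `1024b`/`2048b`/… labels rest entirely on the top-level packet match, which lies outside these hunks. I would delete the lines and leave one comment per block instead, e.g. `# key size is inferred from the packet header above; the MPI bit-count prefix is not checked`. Note that `>142 byte 0xd2 .` (and its counterparts) was the only one of these with a message, so its removal also changes the printed output slightly.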
@@ -125,15 +125,15 @@ >8 belong x %08X >12 byte 0x01 RSA (Encrypt or Sign) 2048b >12 byte 0x02 RSA Encrypt-Only 2048b ->13 string \x08\x00 ->13 string \x07\xff ->13 string \x07\xfe ->13 string \x07\xfd ->13 string \x07\xfc ->13 string \x07\xfb ->13 string \x07\xfa ->13 string \x07\xf9 ->271 byte 0xd2 . +#>13 string \x08\x00 +#>13 string \x07\xff +#>13 string \x07\xfe +#>13 string \x07\xfd +#>13 string \x07\xfc +#>13 string \x07\xfb +#>13 string \x07\xfa +#>13 string \x07\xf9 +#>271 byte 0xd2 . # 3072b RSA encrypted data @@ -142,15 +142,15 @@ >8 belong x %08X >12 byte 0x01 RSA (Encrypt or Sign) 3072b >12 byte 0x02 RSA Encrypt-Only 3072b ->13 string \x0c\x00 ->13 string \x0b\xff ->13 string \x0b\xfe ->13 string \x0b\xfd ->13 string \x0b\xfc ->13 string \x0b\xfb ->13 string \x0b\xfa ->13 string \x0b\xf9 ->399 byte 0xd2 . +#>13 string \x0c\x00 +#>13 string \x0b\xff +#>13 string \x0b\xfe +#>13 string \x0b\xfd +#>13 string \x0b\xfc +#>13 string \x0b\xfb +#>13 string \x0b\xfa +#>13 string \x0b\xf9 +#>399 byte 0xd2 . # 4096b RSA encrypted data @@ -159,15 +159,15 @@ >8 belong x %08X >12 byte 0x01 RSA (Encrypt or Sign) 4096b >12 byte 0x02 RSA Encrypt-Only 4096b ->13 string \x10\x00 ->13 string \x0f\xff ->13 string \x0f\xfe ->13 string \x0f\xfd ->13 string \x0f\xfc ->13 string \x0f\xfb ->13 string \x0f\xfa ->13 string \x0f\xf9 ->527 byte 0xd2 . +#>13 string \x10\x00 +#>13 string \x0f\xff +#>13 string \x0f\xfe +#>13 string \x0f\xfd +#>13 string \x0f\xfc +#>13 string \x0f\xfb +#>13 string \x0f\xfa +#>13 string \x0f\xf9 +#>527 byte 0xd2 . # 8192b RSA encrypted data 
@@ -176,15 +176,15 @@ >8 belong x %08X >12 byte 0x01 RSA (Encrypt or Sign) 8192b >12 byte 0x02 RSA Encrypt-Only 8192b ->13 string \x20\x00 ->13 string \x1f\xff ->13 string \x1f\xfe ->13 string \x1f\xfd ->13 string \x1f\xfc ->13 string \x1f\xfb ->13 string \x1f\xfa ->13 string \x1f\xf9 ->1039 byte 0xd2 . +#>13 string \x20\x00 +#>13 string \x1f\xff +#>13 string \x1f\xfe +#>13 string \x1f\xfd +#>13 string \x1f\xfc +#>13 string \x1f\xfb +#>13 string \x1f\xfa +#>13 string \x1f\xf9 +#>1039 byte 0xd2 . # 1024b Elgamal encrypted data @@ -192,14 +192,14 @@ >4 belong x keyid: %08X >8 belong x %08X >12 byte 0x10 Elgamal Encrypt-Only 1024b. ->13 string \x04\x00 ->13 string \x03\xff ->13 string \x03\xfe ->13 string \x03\xfd ->13 string \x03\xfc ->13 string \x03\xfb ->13 string \x03\xfa ->13 string \x03\xf9 +#>13 string \x04\x00 +#>13 string \x03\xff +#>13 string \x03\xfe +#>13 string \x03\xfd +#>13 string \x03\xfc +#>13 string \x03\xfb +#>13 string \x03\xfa +#>13 string \x03\xf9 # 2048b Elgamal encrypted data @@ -207,14 +207,14 @@ >4 belong x keyid: %08X >8 belong x %08X >12 byte 0x10 Elgamal Encrypt-Only 2048b. ->13 string \x08\x00 ->13 string \x07\xff ->13 string \x07\xfe ->13 string \x07\xfd ->13 string \x07\xfc ->13 string \x07\xfb ->13 string \x07\xfa ->13 string \x07\xf9 +#>13 string \x08\x00 +#>13 string \x07\xff +#>13 string \x07\xfe +#>13 string \x07\xfd +#>13 string \x07\xfc +#>13 string \x07\xfb +#>13 string \x07\xfa +#>13 string \x07\xf9 # 3072b Elgamal encrypted data @@ -222,14 +222,14 @@ >4 belong x keyid: %08X >8 belong x %08X >12 byte 0x10 Elgamal Encrypt-Only 3072b. ->13 string \x0c\x00 ->13 string \x0b\xff ->13 string \x0b\xfe ->13 string \x0b\xfd ->13 string \x0b\xfc ->13 string \x0b\xfb ->13 string \x0b\xfa ->13 string \x0b\xf9 +#>13 string \x0c\x00 +#>13 string \x0b\xff +#>13 string \x0b\xfe +#>13 string \x0b\xfd +#>13 string \x0b\xfc +#>13 string \x0b\xfb +#>13 string \x0b\xfa +#>13 string \x0b\xf9 # crypto algo mapper 
diff --git a/contrib/file/magic/Magdir/plan9 b/contrib/file/magic/Magdir/plan9 index db068479c2d7..4f8ab352ec33 100644 --- a/contrib/file/magic/Magdir/plan9 +++ b/contrib/file/magic/Magdir/plan9 @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: plan9,v 1.6 2021/07/30 12:25:13 christos Exp $ +# $File: plan9,v 1.7 2024/02/29 03:42:40 christos Exp $ # plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables and object files # From: "Stefan A. Haubenthal" <polluks@web.de> # 0 belong 0x00000107 Plan 9 executable, Motorola 68k 0 belong 0x00000197 Plan 9 executable, AT&T Hobbit -0 belong 0x000001EB Plan 9 executable, Intel 386 -0 belong 0x00000247 Plan 9 executable, Intel 960 +0 belong 0x000001EB Plan 9 executable, Intel i386 +0 belong 0x00000247 Plan 9 executable, Intel i960 0 belong 0x000002AB Plan 9 executable, SPARC 0 belong 0x00000407 Plan 9 executable, MIPS R3000 0 belong 0x0000048B Plan 9 executable, AT&T DSP 3210 @@ -22,4 +22,4 @@ 0 belong 0x430D013C Plan 9 object file, AT&T Hobbit 0 belong 0x4D013201 Plan 9 object file, Motorola 68k 0 belong 0x7410013C Plan 9 object file, SPARC -0 belong 0x7E004501 Plan 9 object file, Intel 386 +0 belong 0x7E004501 Plan 9 object file, Intel i386 diff --git a/contrib/file/magic/Magdir/playdate b/contrib/file/magic/Magdir/playdate new file mode 100644 index 000000000000..77f8c689378d --- /dev/null +++ b/contrib/file/magic/Magdir/playdate 
@@ -0,0 +1,57 @@
+
+#------------------------------------------------------------------------------
+# $File: playdate,v 1.1 2022/11/04 13:34:48 christos Exp $
+#
+# Various native file formats for the Playdate portable video game console.
+#
+# These are unofficially documented at
+# https://github.com/jaames/playdate-reverse-engineering
+#
+# The SDK is a source for many test files, and can be used to
+# create others. https://play.date/dev/
+
+
+# pdi: static image
+0 string Playdate\ IMG Playdate image data
+>12 belong&0x80 0x80 (compressed)
+>>20 lelong x %d x
+>>24 lelong x %d
+>12 belong&0x80 0x00 (uncompressed)
+>>16 leshort x %d x
+>>18 leshort x %d
+
+# pdt: multiple static images
+0 string Playdate\ IMT Playdate image data set
+>12 belong&0x80 0x80 (compressed)
+>>20 lelong x %d x
+>>24 lelong x %d,
+>>28 lelong x %d cells
+>12 belong&0x80 0x00 (uncompressed)
+>>20 lelong x tile grid %d x
+>>24 lelong x %d
+
+# pds: string tables
+0 string Playdate\ STR Playdate localization strings
+>12 belong&0x80 0x80 (compressed)
+>12 belong&0x80 0x00 (uncompressed)
+
+# pda: audio
+0 string Playdate\ AUD Playdate audio file
+>12 lelong&0xffffff x %d Hz,
+>15 byte 0 unsigned, 8-bit PCM, 1 channel
+>15 byte 1 unsigned, 8-bit PCM, 2 channel
+>15 byte 2 signed, 16-bit little-endian PCM, 1 channel
+>15 byte 3 signed, 16-bit little-endian PCM, 1 channel
+>15 byte 4 4-bit ADPCM, 1 channel
+>15 byte 5 4-bit ADPCM, 2 channel
+
+# pda: video
+0 string Playdate\ VID Playdate video file
+>24 leshort x %d x
+>26 leshort x %d,
+>16 leshort x %d frames,
+>20 lefloat x %.2f FPS
+
+# pdz: executable package
+# Not a lot we can do, as it's a stream of entries with no summary information.
+0 string Playdate\ PDZ Playdate executable package
diff --git a/contrib/file/magic/Magdir/printer b/contrib/file/magic/Magdir/printer
index e8fccd279717..e55c320b2ebf 100644
--- a/contrib/file/magic/Magdir/printer
+++ b/contrib/file/magic/Magdir/printer
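Review bot: In the `Playdate\ AUD` entry, format byte 3 prints the same text as byte 2 (`signed, 16-bit little-endian PCM, 1 channel`). Going by the 0/1 and 4/5 pairs this looks like a copy-paste slip, and the line should presumably read `>15 byte 3 signed, 16-bit little-endian PCM, 2 channel`. The comment above the `Playdate\ VID` entry says `# pda: video`, repeating the audio label; `# pdv: video` was probably meant. None of the entries sets `!:mime` or `!:ext`, so callers that act on the MIME output get no specific type for these files.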
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.29 2019/04/19 00:42:27 christos Exp $ +# $File: printer,v 1.36 2024/08/27 18:50:57 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -30,13 +30,42 @@ # DOS EPS Binary File Header # 
From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/eps-adobe.trid.xml +# Note: called "Encapsulated PostScript binary" by TrID and +# verified partly by ImageMagick `identify -verbose *` as EPT (Encapsulated PostScript with TIFF preview) +0 belong 0xC5D0D3C6 +# skip DROID fmt-122-signature-id-174.eps fmt-123-signature-id-178.eps fmt-124-signature-id-180.eps +# by looking for content after header +# GRR: in version 5.44 unequal and not endian variant not working! +>32 ulelong >0 DOS EPS Binary File +!:mime image/x-eps +# TODO: check that "long" is false on big endian machines +# Postscript often (850/857) comes after header; so values like: 30 32 or 2788 10644 43350 71828 +>>4 long >0 at byte %d +# 1 space char after length value to get phrase like "length 263893 PostScript document text" +>>>8 long >0 length %d +# PostScript document text handled by ./printer +>>>>(4.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-wmf.trid.xml +# Note: called "Encapsulated PostScript binary (with WMF preview)" by TrID +# verified partly by XnView `nconvert -info *.EP?` as TIFF epsp +>>>>12 long >0 at byte %d +!:ext eps +# GRR: in file version 5.44 calling indirect of ./msdos produce phrase like "length 452\012- Windows metafile" >>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d +# Windows metafile data handled by ./msdos +>>>>>(12.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-tiff.trid.xml +# Note: called "Encapsulated PostScript binary (with TIFF preview)" by TrID +>>>>20 long >0 at byte %d +# For the variant with the TIFF preview image sometimes the file extension ept is used +!:ext 
eps/ept +# GRR: in file version 5.44 calling indirect of ./images produce phrase like "length 43320\012- TIFF image data," +>>>>>24 long >0 length %d +# TIFF image data handled by ./images +>>>>>>(20.l) indirect x # Summary: Adobe's PostScript Printer Description File # Extension: .ppd @@ -45,6 +74,8 @@ # 0 string *PPD-Adobe:\x20 PPD file >&0 string x \b, version %s +!:ext ppd +!:mime application/vnd.cups-ppd # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data @@ -55,19 +86,6 @@ # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de> -# -0 string \033%-12345X@PJL HP Printer Job Language data ->&0 string >\0 %s ->>&0 string >\0 %s ->>>&0 string >\0 %s ->>>>&0 string >\0 %s -#>15 string \ ENTER\ LANGUAGE\ = -#>31 string PostScript PostScript - -# From: Stefan Thurner <thurners@nicsys.de> -0 string \033%-12345X@PJL ->&0 search/10000 %! PJL encapsulated PostScript document text - # Rick Richardson <rickrich@gmail.com> # For Fuji-Xerox Printers - HBPL stands for Host Based Printer Language @@ -75,14 +93,24 @@ # For Konica Minolta Printers - LAVAFLOW # For Samsung Printers - QPDL # For HP Printers - ZJS stands for Zenographics ZJStream -0 string \033%-12345X@PJL HP Printer Job Language data >0 search/10000 @PJL\ ENTER\ LANGUAGE=HBPL - HBPL >0 search/10000 @PJL\ ENTER\ LANGUAGE=HIPERC - Oki Data HIPERC >0 search/10000 @PJL\ ENTER\ LANGUAGE=LAVAFLOW - Konica Minolta LAVAFLOW >0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS - +# From: Stefan Thurner <thurners@nicsys.de> +>&0 search/10000 %! PJL encapsulated PostScript document text +# Summary: Hewlett-Packard printer firmware update +# 
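Review bot: The rewritten DOS EPS entry reads the section offsets and lengths with host-endian `long` (`>>4 long >0`, `>>>8 long >0`, and again at 12, 16, 20 and 24), while the gate uses `ulelong` and the `indirect` jumps use `(4.l)`, `(12.l)` and `(20.l)`, which are little-endian. On a big-endian host the printed values and the `>0` checks would then disagree with where `indirect` actually lands, which is what the added TODO hints at. Using `lelong` throughout, e.g. `>>4 lelong >0 at byte %d`, removes the dependence on the host and lets the TODO go. The jump targets come straight from the file, so a one-line comment saying that they are unvalidated offsets would help the next reader.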
From: Joerg Jenderek +# URL: https://support.hp.com/us-en/drivers/selfservice/hp-envy-6000e-all-in-one-printer-series/2100187505/model/2100187513 +# Note: firmware update tested with ENVY 6000 All-in-One Printer +0 string @PJL\ ENTER\ LANGUAGE=FWUPDATE2 HP Printer firmware update +#!:mime application/octet-stream +#!:mime application/x-hp-firmware +# https://ftp.hp.com/pub/softlib/software13/printers/en6000/2214/EN6000_2214B.exe +# vasari_base_dist_pp1_001.2214B_nonassert_appsigned_lbi_rootfs_secure_signed.ful2 +!:ext ful2 # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data @@ -148,3 +176,93 @@ # From: Paolo <oopla@users.sf.net> # Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data + +# Summary: Hewlett-Packard Graphics Language +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HP-GL +# https://en.wikipedia.org/wiki/HPGL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpg.trid.xml +# Note: called "Hewlett-Packard Graphics Language" by TrID and +# "Hewlett Packard Graphics Language" by DROID via PUID x-fmt/293 and +# HPGL by XnView command `nconvert -info *` +# initialize, start a plotting job +0 string IN; +>0 use hpgl +# fill.plt +0 string INPS +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test1.hpgl +0 string DF; +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test3.hpgl +# Select Pen n; If no pen number or 0, the controller performs an end of file command; n in range between -32767 and 32768 like: 6 +0 string SP +# skip text Linux-syscall-note inside qemu sources starting with SPDX-Exception-Identifier: Linux-syscall-note +# by checking for valid Pen number +>2 regex \^([0-9]{1,5}) +#>2 regex \^([0-9]{1,5}) PEN_NUMBER=%s +>>0 use hpgl +# charsize.hp pages.hp set the scaling points (P1 and P2) to their default positions +0 string IP0 +>0 use hpgl +# ci.hp +0 string CO\040 +>0 use hpgl +# iw.hp 286x192.5_lh.hpg 286x192.5_lq.hpg +0 string PS\040 +>0 use hpgl +# thick.hp +0 string PS9 +>0 use hpgl +# ul.hp +0 string PS4 +>0 use hpgl +# la.hp +# Too weak +#0 string BP +#>0 use hpgl +# miter.hp +# Plot Absolute x,y{,x,y{...}}; x and y in range between -32767 and 32768 like: PA4000,3000; +0 string PA +# skip shell scripts test_msa_run_32r5eb.sh test_msa_run_32r5eb.sh with variable PATH_TO_QEMU +# by checking for valid x coordinate +>2 regex \^([-]{0,1}[0-9]{1,5}) +#>2 regex \^([-]{0,1}[0-9]{1,5}) COORDINATE=%s +>>0 use hpgl +# pw.hpg number of pens x +# Too weak +#0 string NP +#>0 use hpgl +# win_1.hp +#0 string \003INCA WHAT_IS_THAT +#>0 use hpgl +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpgl2.trid.xml +# Note: called "Hewlett-Packard Graphics Language 
2" by TrID +0 string \033%-1B Hewlett-Packard Graphics Language 2 +!:mime application/vnd.hp-HPGL +# like: dt.plt +!:ext plt +#!:ext plt/gl2/hpg2/spl +# remaining part after escsape sequnce +>5 string x with "%-.10s" +# display Hewlett-Packard Graphics Language vector graphic information +0 name hpgl +>0 string x Hewlett-Packard Graphics Language +#!:mime vector/x-hpgl +# https://www.iana.org/assignments/media-types/application/vnd.hp-HPGL +!:mime application/vnd.hp-HPGL +# no example with HPL suffix found +!:ext hpgl/hpg/hp/plt +# like: "IN;" "DF;IN;LT;PU1000,1000;PD2000,10" "SP6;DI0,1;SR0.70,1.90;SC0,800," +# "CO Concentric circles drawn with different linewidths;" +>0 string x \b, starting with "%-.54s" +# continue but not for 1 long line without CR or LF +>>&0 ubyte <0x0E +#>>&0 ubyte <0x0E TERMINATOR=%x +# second line after 1 terminator character +>>>&0 string >\r with "%-.10s" +# next character again CR or LF +>>>&0 ubyte <0x0E +#>>>&0 ubyte <0x0E 2ND_CHARACTER=%x +# second line after 2 terminator characters +>>>>&0 string >\r with "%-.10s" diff --git a/contrib/file/magic/Magdir/python b/contrib/file/magic/Magdir/python index ed5888591aae..e00a087d8bec 100644 --- a/contrib/file/magic/Magdir/python +++ b/contrib/file/magic/Magdir/python @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: python,v 1.44 2021/10/20 11:15:35 christos Exp $ +# $File: python,v 1.47 2024/08/27 18:50:57 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages @@ -86,6 +86,8 @@ !:mime application/x-bytecode.python 0 belong 0x04f30d0a python 2.7 byte-compiled !:mime application/x-bytecode.python +0 belong 0x0af30d0a PyPy2.7 byte-compiled +!:mime application/x-bytecode.python 0 belong 0xb80b0d0a python 3.0 byte-compiled !:mime application/x-bytecode.python 0 belong 0xc20b0d0a python 3.0 byte-compiled 
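Review bot: Several of the new level-0 HP-GL tests are three-character ASCII prefixes with no further check (`0 string IN;`, `0 string DF;`, `0 string IP0`, `0 string PS9`, `0 string PS4`), and each goes straight to `use hpgl`, which sets `!:mime application/vnd.hp-HPGL`. Only `SP` and `PA` get a follow-up `regex`, added according to the comments after false hits on other text files, so the unguarded prefixes are likely to misidentify ordinary text in the same way; anything that routes files by libmagic MIME type would then treat it as plotter data. A second test before `use hpgl`, for example `>0 search/80 ;` with `>>0 use hpgl` beneath it, would narrow this (the window size is only an illustration). The comment `# remaining part after escsape sequnce` should read `escape sequence`.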
@@ -186,80 +188,51 @@ !:mime application/x-bytecode.python 0 belong 0x3f0d0d0a python 3.7 byte-compiled !:mime application/x-bytecode.python -0 belong 0x400d0d0a python 3.7 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x410d0d0a python 3.7 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x420d0d0a python 3.7 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x480d0d0a python 3.8 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x490d0d0a python 3.8 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x520d0d0a python 3.8 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x530d0d0a python 3.8 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x540d0d0a python 3.8 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x550d0d0a python 3.8 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x5c0d0d0a python 3.9 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x5d0d0d0a python 3.9 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x5e0d0d0a python 3.9 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x5f0d0d0a python 3.9 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x600d0d0a python 3.9 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x610d0d0a python 3.9 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x660d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x670d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x680d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x690d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x6a0d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x6b0d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x6c0d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 
belong 0x6d0d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x6e0d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x6f0d0d0a python 3.10 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x7a0d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x7b0d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x7c0d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x7d0d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x7e0d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x7f0d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x800d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x810d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x820d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x830d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x840d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python -0 belong 0x850d0d0a python 3.11 byte-compiled -!:mime application/x-bytecode.python + +# magic 3392+ implements PEP 552: Deterministic pycs +0 name pyc-pep552 +>0 uleshort x (magic: %04d), +# the flag field determines how .pyc validity is checked +>4 ulelong&1 0 timestamp-based, +>>8 uledate x .py timestamp: %s UTC, +>>12 ulelong x .py size: %d bytes +>4 ulelong&1 !0 hash-based, check-source flag +>>4 ulelong&2 0 unset, +>>4 ulelong&2 !0 set, +>>8 ulequad x hash: 0x%llx + +# uleshort magic followed by \x0d\0xa +2 string \x0d\x0a +# extra check: only two bits of flag field are currently used +>4 ulelong <0x4 +# \x0d as part of magic should suffice till Python 3.14 (magic 3600) +>>1 ubyte 0x0d Byte-compiled Python module for +!:mime application/x-bytecode.python +# now look at the magic number to 
determine the version +>>>0 uleshort <3400 CPython 3.7 +>>>0 default x +>>>>0 uleshort <3420 CPython 3.8 +>>>>0 default x +>>>>>0 uleshort <3430 CPython 3.9 +>>>>>0 default x +>>>>>>0 uleshort <3450 CPython 3.10 +>>>>>>0 default x +>>>>>>>0 uleshort <3500 CPython 3.11 +>>>>>>>0 default x +>>>>>>>>0 uleshort <3550 CPython 3.12 +>>>>>>>>0 default x +>>>>>>>>>0 uleshort <3600 CPython 3.13 +>>>>>>>>>0 default x CPython 3.14 or newer +>>>0 use pyc-pep552 +>>0 uleshort 240 Byte-compiled Python module for PyPy3.7 +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 256 Byte-compiled Python module for PyPy3.8 +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 336 Byte-compiled Python module for PyPy3.9 +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 0 search/1/w #!\040/usr/bin/python Python script text executable !:strength + 15 @@ -277,6 +250,9 @@ >0 regex \^from[\040\t]+([A-Za-z0-9_]|\\.)+[\040\t]+import.*$ Python script text executable !:strength + 15 !:mime text/x-script.python +>0 regex \^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$ Python script text executable +!:mime text/x-script.python + # def __init__ (self, ...): 0 search/4096 def\ __init__ @@ -291,11 +267,6 @@ !:strength + 15 !:mime text/x-script.python -# import module [as abrev] -0 search/8192 import ->0 regex \^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$ Python script text executable -!:mime text/x-script.python - # comments #0 search/4096 ''' #>&0 regex .*'''$ Python script text executable diff --git a/contrib/file/magic/Magdir/qt b/contrib/file/magic/Magdir/qt index 83aa124cfd3d..68085f2892f9 100644 --- a/contrib/file/magic/Magdir/qt +++ b/contrib/file/magic/Magdir/qt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: qt,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: qt,v 1.4 2022/11/11 14:50:23 christos Exp $ # qt: file(1) magic for Qt # https://doc.qt.io/qt-5/resources.html 
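Review bot: The gate `>>1 ubyte 0x0d` limits the 16-bit magic at offset 0 to 0x0d00-0x0dff (3328-3583), so the last rung `>>>>>>>>>0 default x CPython 3.14 or newer` can never be reached. A magic of 3600 or above, which the comment associates with Python 3.14, fails the gate and is not reported by this entry at all. Either drop the unreachable branch or widen the gate so newer bytecode is still recognised; the comment `should suffice till Python 3.14` documents the limit but the ladder below contradicts it. At the low end `>>>0 uleshort <3400 CPython 3.7` has no lower bound, so any value from 3328 up is labelled 3.7 once the flag test at offset 4 passes. The comment `# uleshort magic followed by \x0d\0xa` should read `\x0d\x0a`.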
@@ -17,3 +17,14 @@ # src/corelib/kernel/qtranslator.cpp#L62 0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 >8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file + + +# Qt V4 Javascript engine compiled unit +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/qt/qtdeclarative/blob/v6.4.0/src/qml/common/qv4compileddata_p.h +0 string qv4cdata QV4 compiled unit +!:ext qmlc +>8 ulelong x \b, version %d +>12 byte x \b, Qt %d +>13 byte x \b.%d +>14 byte x \b.%d diff --git a/contrib/file/magic/Magdir/revision b/contrib/file/magic/Magdir/revision index 824220a3d295..cf7e2f4d7a13 100644 --- a/contrib/file/magic/Magdir/revision +++ b/contrib/file/magic/Magdir/revision @@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: revision,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: revision,v 1.12 2024/08/30 17:29:28 christos Exp $ # file(1) magic for revision control files + # From Hendrik Scholz <hendrik@scholz.net> 0 string/t /1\ :pserver: cvs password text file @@ -13,30 +14,6 @@ # From: Josh Triplett <josh@freedesktop.org> 0 string #\ v2\ git\ bundle\n Git bundle -# Type: Git pack -# 
From: Adam Buchbinder <adam.buchbinder@gmail.com> -# Update: Joerg Jenderek -# URL: http://fileformats.archiveteam.org/wiki/Git -# reference: https://github.com/git/git/blob/master/Documentation/technical/pack-format.txt -# The actual magic is 'PACK', but that clashes with Doom/Quake packs. However, -# those have a little-endian offset immediately following the magic 'PACK', -# the first byte of which is never 0, while the first byte of the Git pack -# version, since it's a tiny number stored in big-endian format, is always 0. -0 string PACK -# GRR: line above is too general as it matches also PackDir archive ./acorn -# test for major version. Git 2017 accepts version number 2 or 3 ->4 ubelong <9 -# Acorn PackDir with method 0 compression has root like ADFS::HardDisc4.$.AsylumSrc -# or SystemDevice::foobar ->>9 search/13 :: -# but in git binary ->>9 default x Git pack -!:mime application/x-git -!:ext pack -# 4 GB limit implies unsigned integer ->>>4 ubelong x \b, version %u ->>>8 ubelong x \b, %u objects - # Type: Git pack index # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string \377tOc Git pack index diff --git a/contrib/file/magic/Magdir/riff b/contrib/file/magic/Magdir/riff index 6421bcb6747d..664fef24d5e9 100644 --- a/contrib/file/magic/Magdir/riff +++ b/contrib/file/magic/Magdir/riff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.44 2022/05/14 19:42:47 christos Exp $ +# $File: riff,v 1.50 2024/04/13 16:40:48 christos Exp $ # riff: file(1) magic for RIFF format # See # 
@@ -140,24 +140,39 @@ >>&(4.l+4) use riff-walk >0 string fact >>&(4.l+4) use riff-walk ->0 string VP8 +# https://developers.google.com/speed/webp/docs/riff_container +>0 string VP8\x20 >>11 byte 0x9d >>>12 byte 0x01 >>>>13 byte 0x2a \b, VP8 encoding >>>>>14 leshort&0x3fff x \b, %d >>>>>16 leshort&0x3fff x \bx%d, Scaling: >>>>>14 leshort&0xc000 0x0000 \b [none] ->>>>>14 leshort&0xc000 0x1000 \b [5/4] ->>>>>14 leshort&0xc000 0x2000 \b [5/3] ->>>>>14 leshort&0xc000 0x3000 \b [2] ->>>>>14 leshort&0xc000 0x0000 \bx[none] ->>>>>14 leshort&0xc000 0x1000 \bx[5/4] ->>>>>14 leshort&0xc000 0x2000 \bx[5/3] ->>>>>14 leshort&0xc000 0x3000 \bx[2] +>>>>>14 leshort&0xc000 0x4000 \b [5/4] +>>>>>14 leshort&0xc000 0x8000 \b [5/3] +>>>>>14 leshort&0xc000 0xc000 \b [2] +>>>>>16 leshort&0xc000 0x0000 \bx[none] +>>>>>16 leshort&0xc000 0x4000 \bx[5/4] +>>>>>16 leshort&0xc000 0x8000 \bx[5/3] +>>>>>16 leshort&0xc000 0xc000 \bx[2] >>>>>15 byte&0x80 =0x00 \b, YUV color >>>>>15 byte&0x80 =0x80 \b, bad color specification >>>>>15 byte&0x40 =0x40 \b, no clamping required >>>>>15 byte&0x40 =0x00 \b, decoders should clamp +>0 string VP8L +>>8 byte 0x2f \b, lossless +>>>11 byte &0x01 \b, with alpha +>0 string VP8X +>>4 lelong 0x0a +>>>8 byte &0x02 \b, animated +>>>8 byte &0x04 \b, XMP metadata +>>>8 byte &0x08 \b, EXIF metadata +>>>8 byte &0x10 \b, with alpha +>>>8 byte &0x20 \b, ICC profile +# TODO: These two values are off-by-one, for a 64x64 WebP they contain +# 63x63 as there can be no 0x0 file. +>>>12 lelong&0xffffff x \b, %d+1 +>>>15 lelong&0xffffff x \bx%d+1 #>0 string x we got %s #>>&(4.l+4) use riff-walk @@ -332,7 +347,68 @@ # MORE TESTS NEEDED HERE! #>>>0 use corel-des #>>>0 use corel-draw +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/SHW_(Corel) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-corel.trid.xml +# Note: called "CorelSHOW presentation (v4)" by TrID +# and "Corel Presentation" by DROID via PUID fmt/877 +>8 string shw4 \b, CorelSHOW presentation, version 4 +#!:mime application/octet-stream +!:mime application/x-corel-shw +!:ext shw +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-corel-5.trid.xml +# Note: called "CorelSHOW presentation (v5)" by TrID +>8 string shw5 \b, CorelSHOW presentation, version 5 +#!:mime application/octet-stream +!:mime application/x-corel-shw +!:ext shw +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shb-corel.trid.xml +# Note: called "CorelSHOW Background (v5)" by TrID +>8 string shl5 \b, CorelSHOW Background, version 5 +#!:mime application/octet-stream +!:mime application/x-corel-shb +# GRR: no example +!:ext shb +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shr-corel.trid.xml +# Note: called "CorelSHOW player data (v5)" by TrID +>8 string shr5 \b, CorelSHOW player data, version 5 +#!:mime application/octet-stream +!:mime application/x-corel-shr +# GRR: no example +!:ext shr >8 string NUNDROOT \b, Steinberg CuBase +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MIDI_Instrument_Definition_File +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf.trid.xml +# ftp://curscott.servebeer.com/Download/Apps/_Microsoft/ +# Visual%20Studio%206.0%20Professional%20MSDN/ +# SAMPLES/VC98/SDK/GRAPHICS/AUDIO/IDFEDIT/GLOBALS.H +# Note: called "MIDI Instrument Definition File" by TrID +>8 string IDF\ LIST \b, MIDI Instrument Definition File +!:mime audio/x-idf +!:ext idf +# 3rd chunk size like: 254 284 286 670 +#>>0x10 ulelong x \b, 3th SIZE %u +# for debugging purpose display next chunk like: MMAPhdr +#>>0x14 string x \b, 4th "%-8.8s" +#>>0x1C ulelong x \b, 4th SIZE 0x%x +# probably MIDI instrument name like: "Universal-MIDI-Instrument" "instrument name" "General MIDI" +>>0x30 string x "%s" +# look for inst TAG +>>0x31 search/256 inst by +# probably manufacture name like: "Unspecified Company" "NVidia Corporation" +>>>&0x24 string x "%s" +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Flight_Simulator +# Reference: https://www.fsdeveloper.com/wiki/index.php?title=MDL_file_format_(FSX) +# http://mark0.net/download/triddefs_xml.7z/defs/m/mdl-fs-gen.trid.xml +# Note: called "Microsoft Flight Simulator 3D model (generic)" by TrID +>8 string MDL +>>12 string MDLH \b, Microsoft Flight Simulator 3D model +#!:mime application/x-riff +!:mime application/x-ms-mdl +!:ext mdl +#>>>8 string MDL8 \b, version 8? # AVI == Audio Video Interleave # Reference: http://fileformats.archiveteam.org/wiki/AVI >8 string AVI\040 \b, AVI @@ -629,6 +705,22 @@ !:mime application/x-trid-trd !:ext trd # 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Easy_CD_Creator +# https://en.wikipedia.org/wiki/Roxio +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/img-cif.trid.xml +# Note: called "Easy CD Creator disk image" by TrID, +# "Adaptec CD Image File" by Adaptec CD Creator 2.1.082 1995-1996 and +# "Easy CD/DVD Creator image" by PowerISO 8.5 +>8 string imag \b, Easy CD Creator disk image +#!:mime application/octet-stream +#!:mime application/x-riff +!:mime application/x-corel-cif +!:ext cif +# contains also 2 strings disc info +# look for ISO 9660 CD-ROM tag handled by ./filesystems +>>32769 search/4565/s CD001 \b; with +>>>&-32769 use cdrom +# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CorelDRAW # Reference: http://fileformats.archiveteam.org/wiki/CorelDRAW # Note: Since version 3 CorelDraw Pictures are RIFF based diff --git a/contrib/file/magic/Magdir/ringdove b/contrib/file/magic/Magdir/ringdove new file mode 100644 index 000000000000..38dd4bfe6669 --- /dev/null +++ b/contrib/file/magic/Magdir/ringdove 
@@ -0,0 +1,45 @@
+#------------------------------------------------------------------------------
+# $File: ringdove,v 1.1 2022/08/16 12:04:30 christos Exp $
+# ringdove: file(1) magic for RingdoveEDA data files
+
+# librnd and global
+0 regex/128l ha:rnd-menu-v[0-9]+[\ \t\r\n]*[{] librnd menu system (lihata)
+0 regex/128l ha:rnd-menu-patch-v[0-9]+[\ \t\r\n]*[{] librnd menu patch (lihata)
+0 regex/128l ha:coraleda-project-v[0-9]+[\ \t\r\n]*[{] CoralEDA/Ringdove project file (lihata)
+0 regex/128l ha:ringdove-project-v[0-9]+[\ \t\r\n]*[{] Ringdove project file (lihata)
+
+# pcb-rnd
+0 regex/128l ha:pcb-rnd-board-v[0-9]+[\ \t\r\n]*[{] pcb-rnd board file (lihata)
+0 regex/128l li:pcb-rnd-subcircuit-v[0-9]+[\ \t\r\n]*[{] pcb-rnd subcircuit/footprint file (lihata)
+0 regex/128l ha:pcb-rnd-buffer-v[0-9]+[\ \t\r\n]*[{] pcb-rnd paste buffer content (lihata)
+0 regex/128l li:pcb-rnd-conf-v[0-9]+[\ \t\r\n]*[{] pcb-rnd configuration (lihata)
+0 regex/128l ha:pcb-rnd-drc-query-v[0-9]+[\ \t\r\n]*[{] pcb-rnd drc query string (lihata)
+0 regex/128l li:pcb-rnd-font-v[0-9]+[\ \t\r\n]*[{] pcb-rnd vector font (lihata)
+0 regex/128l ha:pcb-rnd-log-v[0-9]+[\ \t\r\n]*[{] pcb-rnd message log dump (lihata)
+0 regex/128l ha:pcb-rnd-padstack-v[0-9]+[\ \t\r\n]*[{] pcb-rnd padstack (lihata)
+0 regex/128l li:pcb-rnd-view-list-v[0-9]+[\ \t\r\n]*[{] pcb-rnd view list (lihata)
+0 regex/128l li:view-list-v[0-9]+[\ \t\r\n]*[{] pcb-rnd view list (lihata)
+0 search Netlist(Freeze) pcb-rnd or gEDA/PCB netlist forward annotation action script
+
+# sch-rnd (cschem data model)
+0 regex/128l li:cschem-buffer-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem buffer content (lihata)
+0 regex/128l li:sch-rnd-conf-v[0-9]+[\ \t\r\n]*[{] sch-rnd configuration (lihata)
+0 regex/128l ha:std_devmap.v[0-9]+[\ \t\r\n]*[{] sch-rnd devmap (device mapping; lihata)
+0 regex/128l li:cschem-group-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem group or symbol (lihata)
+0 regex/128l ha:cschem-sheet-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem schematic sheet (lihata)
+
+# tEDAx (modular format)
+0 regex/1l tEDAx[\ \t\r\n]v tEDAx (Trivial EDA eXchange)
+>0 regex begin\ symbol\ v with schematic symbol
+>0 regex begin\ board\ v with Printed Circuit Board
+>0 regex begin\ route_req\ v with PCB routing request
+>0 regex begin\ route_res\ v with PCB routing result
+>0 regex begin\ camv_layer\ v with camv-rnd exported layer
+>0 regex begin\ netlist\ v with netlist
+>0 regex begin\ backann\ v with Ringdove EDA back annotation
+>0 regex begin\ footprint\ v with PCB footprint
+>0 regex begin\ drc\ v with PCB DRC script
+>0 regex begin\ drc_query_rule\ v with pcb-rnd drc_query rules
+>0 regex begin\ drc_query_def\ v with pcb-rnd drc_query value/config definitions
+>0 regex begin\ etest\ v with PCB electric test
+
diff --git a/contrib/file/magic/Magdir/rpm b/contrib/file/magic/Magdir/rpm
index 9a795f841ade..e9dd8c80888b 100644
--- a/contrib/file/magic/Magdir/rpm
+++ b/contrib/file/magic/Magdir/rpm
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: rpm,v 1.12 2013/01/11 16:45:23 christos Exp $
+# $File: rpm,v 1.13 2023/10/31 21:46:28 christos Exp $
 #
 # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com)
 #
@@ -28,6 +28,11 @@
 >>8 beshort 16 PowerPC64
 >>8 beshort 17 SuperH
 >>8 beshort 18 Xtensa
+>>8 beshort 19 AArch64
+>>8 beshort 20 MIPSr6
+>>8 beshort 21 MIPS64r6
+>>8 beshort 22 RISC-V64
+>>8 beshort 23 LoongArch64
 >>8 beshort 255 noarch
 #delta RPM Daniel Novotny (dnovotny@redhat.com)
@@ -42,4 +47,9 @@
 >>8 beshort 16 PowerPC64
 >>8 beshort 17 SuperH
 >>8 beshort 18 Xtensa
+>>8 beshort 19 AArch64
+>>8 beshort 20 MIPSr6
+>>8 beshort 21 MIPS64r6
+>>8 beshort 22 RISC-V64
+>>8 beshort 23 LoongArch64
 >>10 string x %s
diff --git a/contrib/file/magic/Magdir/rst b/contrib/file/magic/Magdir/rst
index aadfad20b01c..0df15b8fa5dd 100644
--- a/contrib/file/magic/Magdir/rst
+++ b/contrib/file/magic/Magdir/rst
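Review bot: In the new ringdove file, `0 search Netlist(Freeze)` gives no range, unlike the `search/N` tests elsewhere in this commit; as far as I know file(1) then falls back to a built-in default, so the intended window should be written out, e.g. `0 search/256 Netlist(Freeze)` (the number is only an illustration). The level-0 `regex/128l` patterns are not anchored, so a text file that merely quotes `ha:pcb-rnd-board-v1 {` somewhere in its first 128 lines is reported as that format. The `>0 regex begin\ ...` sub-tests under tEDAx carry no line limit either. Anchoring where the format allows it (for instance `\^[\ \t]*ha:...`) and bounding the sub-tests would reduce both false positives and regex work on untrusted input.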
@@ -1,11 +1,13 @@ #------------------------------------------------------------------------------ -# $File: rst,v 1.3 2020/04/27 01:50:36 christos Exp $ +# $File: rst,v 1.4 2023/07/27 18:26:32 christos Exp $ # rst: ReStructuredText http://docutils.sourceforge.net/rst.html 0 search/256 \=\= !:strength + 30 >&0 regex/256 \^[\=]+$ ->>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 \012Authors: ReStructuredText file +>>&0 search/512 \012Author: ReStructuredText file >>&0 default x >>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file !:ext rst diff --git a/contrib/file/magic/Magdir/rust b/contrib/file/magic/Magdir/rust new file mode 100644 index 000000000000..b1bbd9d9702c --- /dev/null +++ b/contrib/file/magic/Magdir/rust @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: rust,v 1.2 2022/11/18 15:58:15 christos Exp $ +# Magic for Rust and related languages programs +# + +# Rust compiler metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_metadata/src/rmeta/mod.rs +0 string rust\x00\x00\x00 +>12 string \014rustc\x20 Rust compiler metadata +!:ext rmeta +>>7 byte x \b, version %d + +# Rust incremental compilation metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_incremental/src/persist/file_format.rs +0 string RSIC +>4 uleshort =0 Rust incremental compilation metadata +!:ext bin +>>6 pstring x \b, rustc %s diff --git a/contrib/file/magic/Magdir/scientific b/contrib/file/magic/Magdir/scientific index 0e78712fcab3..d52d6aeb0124 100644 --- a/contrib/file/magic/Magdir/scientific +++ b/contrib/file/magic/Magdir/scientific 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.13 2019/04/19 00:42:27 christos Exp $ +# $File: scientific,v 1.14 2023/04/29 17:28:09 christos Exp $ # scientific: file(1) magic for scientific formats # # From: Joe Krahn <krahn@niehs.nih.gov> @@ -62,15 +62,48 @@ # Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GEDCOM +# https://en.wikipedia.org/wiki/GEDCOM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/ +# ged.trid.xml ged-utf8.trid.xml ged-utf16.trid.xml +# Note: called "GEDCOM Family History" by TrID and "Genealogical Data Communication (GEDCOM) Format" by DROID via PUID fmt/851 0 search/1/c 0\ HEAD GEDCOM genealogy text +#!:mime text/plain +#!:mime application/x-gedcom +# https://www.iana.org/assignments/media-types/text/vnd.familysearch.gedcom +!:mime text/vnd.familysearch.gedcom +!:ext ged +# no gedcom sample found and ged suffix also used for other formats +#!:ext ged/gedcom >&0 search 1\ GEDC >>&0 search 2\ VERS version +# 4 5.0 5.3 5.4 5.5 5.5.1 5.5.5 5.6 7.0 or no version >>>&1 string >\0 %s # 
From: Phil Endecott <phil05@chezphil.org> -0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data -0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data +# 0\040HEAD as UTF-16 big endian without BOM +0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 big endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&2 bestring16 x %s +>>0 string x \b, UTF-16 (without BOM) big-endian text +# 0\040HEAD as UTF-16 little endian without BOM +0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 lttle endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&3 lestring16 x %s +>>2 string x \b, UTF-16 (without BOM) little-endian text +# Note: UTF-16 with BOM variants already described above by first test as "GEDCOM genealogy text" +# 0\040HEAD as UTF-16 big endian with BOM +#0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data +# 0\040HEAD as UTF-16 little endian with BOM +#0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data # PDB: Protein Data Bank files # Adam Buchbinder <adam.buchbinder@gmail.com> diff --git a/contrib/file/magic/Magdir/sendmail b/contrib/file/magic/Magdir/sendmail index 54028fdfe227..6808dbfd33aa 100644 --- a/contrib/file/magic/Magdir/sendmail +++ b/contrib/file/magic/Magdir/sendmail @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: sendmail,v 1.12 2022/10/31 13:22:26 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? 
@@ -13,7 +13,7 @@ # - version \330jK\354 0 byte 046 # https://www.sendmail.com/sm/open_source/docs/older_release_notes/ -# freezed configuration file (dbm format?) created from sendmal.cf with -bz +# freezed configuration file (dbm format?) created from sendmail.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed # valid version numbers look like "7.14.4" and should be similar to output of commands # "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" diff --git a/contrib/file/magic/Magdir/sgml b/contrib/file/magic/Magdir/sgml index a191c3015fa4..f7327b45961a 100644 --- a/contrib/file/magic/Magdir/sgml +++ b/contrib/file/magic/Magdir/sgml @@ -1,43 +1,49 @@ #------------------------------------------------------------------------------ -# $File: sgml,v 1.45 2022/03/21 21:36:55 christos Exp $ +# $File: sgml,v 1.53 2024/11/10 14:48:55 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres <tecnico@ejerciciosresueltos.com> -0 string \<?xml\ version= +0 string/bt \<?xml\ version= >14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \<svg SVG Scalable Vector Graphics image +!:strength +50 !:mime image/svg+xml +!:ext svg >>19 search/4096 \<gnc-v2 GnuCash file !:mime application/x-gnucash -0 string \<svg SVG Scalable Vector Graphics image +0 string/bt \<svg SVG Scalable Vector Graphics image !:mime image/svg+xml +!:ext svg -# Sitemap file -0 string/t \<?xml\ version= >14 regex ['"\ \t]*[0-9.]+['"\ \t]* +# Sitemap file >>19 search/4096 \<urlset XML Sitemap document text !:mime application/xml-sitemap +# XML-based format representing braille pages in a digital format. +# +# Specification: +# http://files.pef-format.org/specifications/pef-2008-1/pef-specification.html +# +# Simon Aittamaa <simon.aittamaa@gmail.com> +>>19 search/4096 \<pef Portable Embosser Format +!:mime application/x-pef+xml + # OpenStreetMap XML (.osm) # https://wiki.openstreetmap.org/wiki/OSM_XML # 
From: Markus Heidelberg <markus.heidelberg@web.de> -0 string \<?xml\ version= ->14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \<osm OpenStreetMap XML data # xhtml -0 string/t \<?xml\ version=" ->19 search/4096/cWbt \<!doctype\ html XHTML document text ->>15 string >\0 (version %.3s) -!:mime text/html -0 string/t \<?xml\ version=' >19 search/4096/cWbt \<!doctype\ html XHTML document text >>15 string >\0 (version %.3s) -!:mime text/html -0 string/t \<?xml\ version=" ->19 search/4096/cWbt \<html broken XHTML document text +!:strength + 15 +!:mime application/xhtml+xml + +>19 search/4096/cWbt \<html\ xmlns= XHTML document text >>15 string >\0 (version %.3s) -!:mime text/html +!:mime application/xhtml+xml + #------------------------------------------------------------------------------ # sgml: file(1) magic for Standard Generalized Markup Language 
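Review bot: On the new side the `>14 regex ['"\ \t]*[0-9.]+['"\ \t]*` line that introduces the Sitemap, PEF, OpenStreetMap and XHTML tests now follows `0 string/bt \<svg`, because its old parent `0 string/t \<?xml\ version=` is removed and nothing replaces it. Continuation lines attach to the nearest preceding level-0 line, so these tests appear to run only for files that begin with `<svg`. A document that starts with `<?xml version=` and contains `<!doctype html` would then presumably fall through to the generic XML entries and be reported as `text/xml` rather than `application/xhtml+xml`, which matters to anything that gates uploads or rendering on the type file(1) reports. I would either move the block up under the first `0 string/bt \<?xml\ version=` entry, or put a parent line `0 string/bt \<?xml\ version=` directly above that `>14 regex` line.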
@@ -48,73 +54,86 @@ !:mime text/html !:strength + 5 +# avoid misdetection as JavaScript +0 string/cWt \<!doctype\ html HTML document text +!:mime text/html +!:strength + 30 +0 string/ct \<html> HTML document text +!:mime text/html +!:strength + 30 +0 string/ct \<!-- +>&0 search/4096/cWt \<!doctype\ html HTML document text +!:mime text/html +!:strength + 30 +>&0 search/4096/ct \<html> HTML document text +!:mime text/html + # SVG document # https://www.w3.org/TR/SVG/single-page.html 0 search/4096/cWbt \<!doctype\ svg SVG XML document !:mime image/svg+xml -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<head\> HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cWt \<head\ HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<title\> HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cWt \<title\ HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<html\> HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cWt \<html\ HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<script\> HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cWt \<script\ HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<style\> HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cWt \<style\ HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<table\> HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cWt \<table\ HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 0 search/4096/cwt \<a\ href= HTML document text !:mime text/html -!:strength + 15 +!:strength + 30 + +# Microsoft HTML Application (HTA) +# https://learn.microsoft.com/en-us/previous-versions//ms536496(v=vs.85) +0 search/4096/cWt 
\<hta:application\ Microsoft HTML Application (HTA) +!:mime application/hta +!:ext hta +!:strength + 50 # Extensible markup language (XML), a subset of SGML # from Marc Prud'hommeaux (marc@apocalypse.org) 0 search/1/cwt \<?xml XML document text !:mime text/xml -!:strength + 15 -0 string/t \<?xml\ version\ " XML -!:mime text/xml -!:strength + 15 +!:strength + 30 0 string/t \<?xml\ version=" XML !:mime text/xml -!:strength + 15 ->15 string/t >\0 %.3s document text ->>23 search/1 \<xsl:stylesheet (XSL stylesheet) ->>24 search/1 \<xsl:stylesheet (XSL stylesheet) -0 string/t \<?xml\ version=' XML -!:mime text/xml -!:strength + 15 +!:strength + 30 >15 string/t >\0 %.3s document text >>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet) + 0 search/1/wt \<?XML broken XML document text !:mime text/xml !:strength - 10 @@ -133,16 +152,6 @@ 0 search/1 #\ Netscape\ HTTP\ Cookie\ File Netscape cookie text 0 search/1 #\ KDE\ Cookie\ File Konqueror cookie text -# XML-based format representing braille pages in a digital format. -# -# Specification: -# http://files.pef-format.org/specifications/pef-2008-1/pef-specification.html -# -# Simon Aittamaa <simon.aittamaa@gmail.com> -0 string \<?xml\ version= ->14 regex ['"\ \t]*[0-9.]+['"\ \t]* ->>19 search/4096 \<pef Portable Embosser Format -!:mime application/x-pef+xml # https://www.qgis.org/en/site/ 0 string \<!DOCTYPE\040qgis QGIS XML document diff --git a/contrib/file/magic/Magdir/sharc b/contrib/file/magic/Magdir/sharc index e54088bc8f75..85fe125017ff 100644 --- a/contrib/file/magic/Magdir/sharc +++ b/contrib/file/magic/Magdir/sharc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------ -# $File: sharc,v 1.8 2017/03/17 21:35:28 christos Exp $ +# $File: sharc,v 1.9 2024/09/04 19:06:12 christos Exp $ # file(1) magic for sharc files # # SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by 
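Review bot: The new `0 search/4096/cWt \<hta:application\ ` entry has no comment stating its limits, although its `application/hta` result is likely to be consumed by upload and mail filters. As written it reports HTA only when that tag occurs within the first 4096 bytes, so the absence of `application/hta` in the output is not evidence that a file is not an HTA. I would add a comment above the entry such as `# Note: matches only when the hta:application tag is within the first 4096 bytes; other .hta files may be reported as HTML document text`, so that consumers keep an extension or handler check alongside the sniffed type. The same window applies to the `search/4096` HTML and SVG tests whose strength this hunk raises to `+ 30`.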
@@ -19,5 +19,5 @@ 0 string .system SHARC architecture file 0 leshort 0x521C SHARC COFF binary ->2 leshort >1 , %d sections ->>12 lelong >0 , not stripped +>2 leshort >1 \b, %d sections +>>12 lelong >0 \b, not stripped diff --git a/contrib/file/magic/Magdir/sniffer b/contrib/file/magic/Magdir/sniffer index 87bff6b03e6c..d5cf63d509e6 100644 --- a/contrib/file/magic/Magdir/sniffer +++ b/contrib/file/magic/Magdir/sniffer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sniffer,v 1.31 2022/03/20 22:45:43 christos Exp $ +# $File: sniffer,v 1.36 2024/06/16 15:09:26 christos Exp $ # sniffer: file(1) magic for packet capture files # # From: guy@alum.mit.edu (Guy Harris) @@ -78,8 +78,8 @@ # # "libpcap" capture files. # https://www.tcpdump.org/manpages/pcap-savefile.5.html -# (We call them "tcpdump capture file(s)" for now, as "tcpdump" is -# the main program that uses that format, but there are other programs +# (We call them "libpcap capture file(s)", as "libpcap" is +# the first library that uses that format, but there are other programs # that use "libpcap", or that use the same capture file format.) # 0 name pcap-be @@ -198,7 +198,7 @@ >20 belong&0x03FFFFFF 204 (PPP with direction pseudo-header >20 belong&0x03FFFFFF 205 (Cisco HDLC with direction pseudo-header >20 belong&0x03FFFFFF 206 (Frame Relay with direction pseudo-header ->20 belong&0x03FFFFFF 209 (Linux IPMB +>20 belong&0x03FFFFFF 209 (Linux I2C >20 belong&0x03FFFFFF 215 (802.15.4 with non-ASK PHY header >20 belong&0x03FFFFFF 216 (Linux evdev events >20 belong&0x03FFFFFF 219 (MPLS with label as link-layer header 
@@ -270,6 +270,11 @@
 >20 belong&0x03FFFFFF 288 (USB 2.0
 >20 belong&0x03FFFFFF 289 (ATSC ALP
 >20 belong&0x03FFFFFF 290 (Event Tracing for Windows
+>20 belong&0x03FFFFFF 291 (Hilscher netANALYZER NG pseudo-footer
+>20 belong&0x03FFFFFF 292 (ZBOSS NCP protocol with pseudo-header
+>20 belong&0x03FFFFFF 293 (Low-Speed USB 2.0/1.1/1.0
+>20 belong&0x03FFFFFF 294 (Full-Speed USB 2.0/1.1/1.0
+>20 belong&0x03FFFFFF 295 (High-Speed USB 2.0
 # print default match
 >20 default x
 >>20 belong x (linktype#%u
@@ -322,14 +327,79 @@ # # Novell LANalyzer capture files. -# -0 leshort 0x1001 Novell LANalyzer capture file -0 leshort 0x1007 Novell LANalyzer capture file +# URL: http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c +# Update: Joerg Jenderek +# +# regular trace header record (RT_HeaderRegular) +0 leshort 0x1001 +# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5 +# and VIC-20 BASIC V2 program +# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg) +# with invalid second record type 0 instead of "Trace receive channel name record" +>(2.s+4) leshort =0x1006h +>>0 use novell-lanalyzer +# cyclic trace header record (RT_HeaderCyclic) +0 leshort 0x1007 +>0 use novell-lanalyzer +0 name novell-lanalyzer +>0 leshort x Novell LANalyzer capture file +# https://reposcope.com/mimetype/application/x-lanalyzer +!:mime application/x-lanalyzer +# maybe also TR2 .. TR9 TRA .. TRZ +!:ext tr1 +# version like: 1.5 +>4 ubyte x \b, version %u +# minor version; one byte identifying the trace file minor version number +>5 ubyte x \b.%u +# Trace header record type like: 1001~regular or 1007~cyclic +>0 leshort !0x1001 \b, record type %4.4x +# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch +>2 leshort x \b, record length %#x +# second record type like: 1006h~Trace receive channel name record +>(2.s+4) leshort !0x1006h \b, 2nd record type %#4.4x +>(2.s+6) leshort x \b, 2nd record length %#x +# each channel name is a null-terminated, eight-byte ASCII string like: Channel1 +>(2.s+8) string x \b, names %.9s +# 2nd channel name like: Channel2 +>(2.s+17) string x %.9s ... # # HP-UX "nettl" capture files. 
-# +# URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c +# Update: Joerg Jenderek +# Note: Wireshark fills "meta information header fields" with "dummy" values +# nettl_magic_hpux9[12]; for HP-UX 9.x not tested +0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file +!:mime application/x-nettl +!:ext trc0/trc1 +# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x 0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file +# https://reposcope.com/mimetype/application/x-nettl +!:mime application/x-nettl +# maybe also TRC000 TRC001 TRC002 ... +!:ext trc0/trc1 +# file_name[56]; maybe also like /tmp/raw.tr.TRC000 +>12 string !/tmp/wireshark.TRC000 +>>12 string x "%-.56s" +# tz[20]; like UTC +>68 string !UTC \b, tz +>>68 string x %-.20s +# host_name[9]; +>88 string >\0 \b, host %-.9s +# os_vers[9]; like B.11.11 +>97 string !B.11.11 \b, os +>>97 string x %-.9s +# os_v; like 55h +>>106 ubyte x (%#x) +# xxa[8]; like 0 +>107 ubequad !0 \b, xxa=%#16.16llx +# model[11] like: 9000/800 +>115 string !9000/800 \b, model +>>115 string x %-.11s +# unknown; probably just padding to 128 bytes like: 0406h +>126 ubeshort !0x0406h \b, at 126 %#4.4x # # RADCOM WAN/LAN Analyzer capture files. diff --git a/contrib/file/magic/Magdir/softquad b/contrib/file/magic/Magdir/softquad index 06c1f018f8cb..28f03b9b78cb 100644 --- a/contrib/file/magic/Magdir/softquad +++ b/contrib/file/magic/Magdir/softquad @@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ +# $File: softquad,v 1.14 2022/10/28 17:19:54 christos Exp $ # softquad: file(1) magic for SoftQuad Publishing Software +# URL: https://en.wikipedia.org/wiki/SoftQuad_Software # # Author/Editor and RulesBuilder # 
@@ -17,8 +18,10 @@ 0 short 0xc0da Compiled PSI (v2) data >3 string >\0 (%s) # Binary sqtroff font/desc files... -0 short 0125252 SoftQuad DESC or font file binary ->2 short >0 - version %d +# GRR: the line below is also true for 5View capture file handled by ./sniffer +0 short 0125252 +# skip 5View capture file with "invalid" version AAAAh +>2 short >0 SoftQuad DESC or font file binary - version %d # Bitmaps... 0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text #0 string SQ\ BITMAP2 SoftQuad Raster Format data diff --git a/contrib/file/magic/Magdir/spectrum b/contrib/file/magic/Magdir/spectrum index f295979ac48d..cf14551b4d6b 100644 --- a/contrib/file/magic/Magdir/spectrum +++ b/contrib/file/magic/Magdir/spectrum @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: spectrum,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: spectrum,v 1.10 2023/05/08 01:33:36 christos Exp $ # spectrum: file(1) magic for Spectrum emulator files. # # John Elliott <jce@seasip.demon.co.uk> 
@@ -22,21 +22,125 @@ # # Update: Sanity-check string contents to be printable. # -Adam Buchbinder <adam.buchbinder@gmail.com> +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TAP_(ZX_Spectrum) +# Reference: http://web.archive.org/web/20110711141601/http://www.zxmodules.de/fileformats/tapformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-zx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TAP (ZX Spectrum)" by DROID via PUID fmt/801 +# verified by fuse-emulator-utils `tzxlist EXAMPLES.TAP` # +# headers length 19=023 and flag byte 0 indicating a standard ROM loading header 0 string \023\000\000 >4 string >\0 ->>4 string <\177 Spectrum .TAP data "%-10.10s" ->>>3 byte 0 - BASIC program ->>>3 byte 1 - number array ->>>3 byte 2 - character array ->>>3 byte 3 - memory block ->>>>14 belong 0x001B0040 (screen) +# skip {85CEE8D6-0F90-4492-B484-98E38862B28D}.2.ver0x0000000000000004.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db +# inside c:\ProgramData\Microsoft\Windows\Caches according to TrID and DROID +>>23 ubyte =0xFF +# skip DROID fmt-801-signature-id-1166.tap with invalid name \253\253\253\253\253\253\253\253\253\253 +# which looks like: "TF COPY II" "screen " "\023\001TF" " 1943 " +>>>4 string <\177 Spectrum .TAP data "%-10.10s" +#!:mime application/octet-stream +!:mime application/x-spectrum-tap +!:ext tap +>>>>3 byte 0 - BASIC program +# autostart line; 0..9999 are valid; 32768 means "no auto-loading" +>>>>>16 uleshort x \b, autostart line %u +# program length; length of BASIC program +>>>>>18 uleshort x \b, program length %u +>>>>3 byte 1 - number array +>>>>3 byte 2 - character array +>>>>3 byte 3 - memory block +# length of the following data 1B00h=6912 and start address 4000h=16384 in case of a SCREEN$ header +>>>>>14 belong 0x001B0040 (screen) +# unused 32768=8000h +>>>>>18 uleshort !32768 \b, unused %u +# zxlength; length of the following data after the header +>>>>14 
uleshort x \b, data length %u +#>>14 uleshort x \b, data length %#x +# checksum byte; simply all bytes (including flag byte) XORed +#>>>>20 ubyte x \b, checksum %#x # The following three blocks are from pak21-spectrum@srcf.ucam.org # TZX tape images +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TZX +# Reference: https://worldofspectrum.net/TZXformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tzx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TZX Format" by DROID via PUID fmt/1000 0 string ZXTape!\x1a Spectrum .TZX data +#!:mime application/octet-stream +!:mime application/x-spectrum-tzx +# CDT is used for Amstrad tapes +!:ext tzx/cdt >8 byte x version %d >9 byte x \b.%d +# ID of first block +>10 ubyte x \b; ID %#x +# turbo speed data block +>10 ubyte =0x11 (turbo) +# length of PILOT tone (number of pulses) +>>21 uleshort x \b, %u pilot pulses +# length of PILOT pulse +>>11 uleshort x with %u tstates +# length of SYNC first pulse +>>13 uleshort x \b, %u and +# length of SYNC second pulse +>>15 uleshort x %u sync tstates +# length of ZERO bit pulse +>>17 uleshort x \b, %u zero tstates +# length of ONE bit pulse +>>19 uleshort x \b, %u one tstates +# used bits in the last byte +>>23 ubyte x \b, use %u bit +# plural s +>>23 ubyte >1 \bs +# pause after this block in milliseconds +>>24 uleshort x \b, %u ms pause +# BYTE[3]; length of data that follow +>>26 ulelong&0x00FFffFF x \b, %u data bytes +>10 ubyte =0x20 (pause) +# pause duration in milliseconds +>>11 uleshort x %u ms +# text description +>10 ubyte =0x30 (text) +# length of the text description +#>>11 ubyte x L=%u +>>11 pstring x "%s" +# archive text description in ASCII format +>10 ubyte =0x32 (archive info) +# length of archive text +>>11 uleshort x \b, %#x bytes +# number of text strings +>>13 ubyte x with %u (type) text parts +# text type identification byte: 0~title 1~publisher 2~author 3~year 4~language 5~type 6~price 7~protection 8~origin 
ff~comment +>>14 byte <9 (%d) +>>>14 byte >-2 +# length of text string +#>>>>15 ubyte x L=%u +>>>>15 pstring x %s +# 2nd possible text description +>>>>>&0 byte <9 (%d) +>>>>>>&-1 byte >-2 +>>>>>>>&0 pstring x %s +# 3rd possible text description +>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>&0 pstring x %s +# 4th possible text description +>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>&0 pstring x %s +# 5th possible text description +>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>&0 pstring x %s +# 6th possible text description +>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>&0 pstring x %s +# 7th possible text description +>>>>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>>>>&0 pstring x %s # RZX input recording files 0 string RZX! Spectrum .RZX data diff --git a/contrib/file/magic/Magdir/sql b/contrib/file/magic/Magdir/sql index 5f4629f4b4bf..d8cdfbf165b3 100644 --- a/contrib/file/magic/Magdir/sql +++ b/contrib/file/magic/Magdir/sql @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sql,v 1.23 2021/07/30 14:53:38 christos Exp $ +# $File: sql,v 1.27 2023/08/19 15:33:04 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" <mleisner@eng.mc.xerox.com> 
@@ -88,12 +88,19 @@ # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/sqlite-2x.trid.xml +# Note: called "SQLite 2.x database" by TrID and "SQLite Database File Format" version 2 by DROID via PUID fmt/1135 # Version 2 used this format: 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database +!:mime application/x-sqlite2 +# FileAttributesStore.db test.sqlite2 +!:ext sqlite/sqlite2/db # URL: https://en.wikipedia.org/wiki/SQLite # Reference: https://www.sqlite.org/fileformat.html # Update: Joerg Jenderek +# TODO: missing extensions for Bentley Systems and Esri Spatially-Enabled Database # Version 3 of SQLite allows applications to embed their own "user version" # number in the database at offset 60. Later, SQLite added an "application id" # at offset 68 that is preferred over "user version" for indicating the @@ -104,7 +111,6 @@ >16 ubeshort >0 SQLite 3.x # deprecated #!:mime application/x-sqlite3 -!:mime application/vnd.sqlite3 # seldom found extension sqlite3 like in SyncData.sqlite3 # db # db3 like: AddrBook.db3 cgipcrvp.db3 
@@ -113,14 +119,88 @@ # SQLite database weewx.sdb used by weather software weewx # https://www.weewx.com/docs/usersguide.htm # Avira Antivir use extension "dbe" like in avevtdb.dbe, avguard_tchk.dbe +# ide is used in storage.ide +# localstorage like in Enigma2 http_itv.ard.de_0.localstorage +# xowa like in home-html.user.xowa http://fileformats.archiveteam.org/wiki/XOWA +# sqlar like in sqlar-src-4824e73896.sqlar http://fileformats.archiveteam.org/wiki/SQLite_Archive +# sketch http://fileformats.archiveteam.org/wiki/Sketch +# ftb http://fileformats.archiveteam.org/wiki/MyHeritage_Family_Tree_Builder +# lrcat http://fileformats.archiveteam.org/wiki/Lightroom_catalog +# without suffix like in "Diagnostic Data" # Unfortunately extension sqlite also used for other databases starting with string # "TTCONTAINER" like in tracks.sqlite contentconsumer.sqlite contentproducerrepository.sqlite # and with string "ZV-zlib" in like extra.sqlite ->>68 belong !0x5CDE09EF database -!:ext sqlite/sqlite3/db/db3/dbe/sdb/help +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/maple-sqlite.trid.xml >>68 belong =0x5CDE09EF database # maple is used for Maple Workbook !:ext maple +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Audacity_(audio_editor) +# http://fileformats.archiveteam.org/wiki/Audacity_Project_Format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/aup3.trid.xml +# Note: called "Audacity 3 Project" by TrID and "Audacity Project File" version 3.x by DROID via PUID fmt/1826 +# with user version 03000000h whereas older versions *.AUP are not SQLite based +>>68 belong =0x41554459 database +!:mime application/x-audacity-project+sqlite3 +!:ext aup3 +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/TeXnicard +# Reference: http://fileformats.archiveteam.org/wiki/TeXnicard_card_database +# Note: no examples found +>>68 belong =0x6A035744 database +!:mime application/vnd.sqlite3 +!:ext db +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Fossil_repository_database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fossil.trid.xml +# Note: called "Fossil repository data base" by TrID +>>68 belong =0x0F055111 database +!:mime application/vnd.sqlite3 +!:ext fossil/fsl +# URL: http://fileformats.archiveteam.org/wiki/Fossil_checkout_database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fossil-checkout.trid.xml +# Note: called "Fossil checkout data base" by TrID +>>68 belong =0x0F055112 database +!:mime application/vnd.sqlite3 +# name _FOSSIL_ on Windows or .fslckout else +!:ext /fslckout +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Fossil_configuration_database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fossil-config.trid.xml +# Note: called "Fossil configuration data base" by TrID +>>68 belong =0x0F055113 database +!:mime application/vnd.sqlite3 +# %LOCALAPPDATA%\_fossil on Windows and ~/.fossil or fossil.db else +!:ext /fossil/db +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GeoPackage +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/gpkg-v1.trid.xml +# Note: called "GeoPackage (v1)" by TrID and "OGC GeoPackage" version 1.0-1.31 by DROID via PUID fmt/1700 +# with GP10 application id +>>68 belong =0x47503130 database +# https://www.iana.org/assignments/media-types/application/geopackage+sqlite3 +!:mime application/geopackage+sqlite3 +# https://github.com/opengeospatial/ets-gpkg12/blob/master/src/test/resources/gpkg/bluemarble.gpkg +!:ext gpkg +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/gpkg-v12.trid.xml +# Note: called "GeoPackage 
(v1.2)" by TrID and "OGC GeoPackage" version 1.0-1.31 by DROID via PUID fmt/1700 +# with GPKG application id +>>68 belong =0x47504B47 database +!:mime application/geopackage+sqlite3 +!:ext gpkg +# Update: Joerg Jenderek +# URL: https://github.com/mapbox/mbtiles-spec/tree/master +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mbtiles-MPBX.trid.xml +# Note: called "MBTiles tileset (MPBX)" by TrID and many samples without application id MPBX like +# https://ftp.gwdg.de/pub/misc/openstreetmap/openseamap/charts/mbtiles/OSM-OpenCPN2-MagellanStrait.mbtiles +>>68 belong =0x4D504258 database +!:mime application/vnd.sqlite3 +!:ext mbtiles +>>68 default x database +!:mime application/vnd.sqlite3 +# no examples found with s3db sl3 suffix +!:ext /sqlite/sqlite3/db/db3/dbe/sdb/help/ide/localstorage/sqlar/xowa/mbtiles +# GRR: the line above only works if in ../../src/file.h FILE_MAGICSIZE ext[] are raised or you get >>60 belong =0x5f4d544e (Monotone source repository) # if no known user version then check for Application IDs with default clause >>60 belong !0x5f4d544e 
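Review bot: The Maple Workbook branch `>>68 belong =0x5CDE09EF database` keeps `!:ext maple` but gets no `!:mime`, while every other application-id branch added in this hunk carries one and the entry-level `!:mime application/vnd.sqlite3` is removed by the `@@ -104,7 +111,6 @@` hunk of this file. With `--mime-type` such a file would then presumably no longer be reported as SQLite, which affects tooling that classifies or allowlists by MIME type; adding `!:mime application/vnd.sqlite3` after `!:ext maple` would restore it. Separately, the `# GRR:` comment after the default branch breaks off at "or you get" and says the long `!:ext` list depends on the size of `ext[]` in `../../src/file.h`, which is outside this diff, so it is worth confirming that the imported header is large enough for that list.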
@@ -137,17 +217,24 @@ >>>68 belong =0x4d504258 (MBTiles tileset) # https://www.maplesoft.com/support/help/errors/view.aspx?path=Formats/Maple >>>68 belong =0x5CDE09EF (Maple Workbook) +# AUDY Audacity Project File +>>>68 belong =0x41554459 (Audacity Project) +>>>68 belong =0x6A035744 (TeXnicard card database) # unknown application ID >>>68 default x >>>>68 belong !0 \b, application id %u # The "user version" as read and set by the user_version pragma like: -# 1 2 4 5 7 9 10 25 36 43 53 400 416 131073 131074 131075 +# 1 2 4 5 7 9 10 25 36 43 53 400 416 131073 131074 131075 50331648 >>60 belong !0 \b, user version %d -# SQLITE_VERSION_NUMBER like: 0 3008011 3016002 3007014 3017000 3022000 3028000 3031001 +# expressed as hexadecimal because some people mention version number in hexadecimal with marking that item +>>>60 belong x (%#x) +# SQLITE_VERSION_NUMBER like: 0 3007014 3008011 3016002 3017000 3022000 3028000 3031001 3032003 3035005 >>96 belong x \b, last written using SQLite version %d # database page size in bytes; a power of two between 512 and 32768, or 1 for 65536 # like: 512 1024 often 4096 32768 ->>16 ubeshort !4096 \b, page size %u +>>16 ubeshort !4096 \b, page size +>>>16 ubeshort !1 %u +>>>16 ubeshort =1 65536 # File format write version. 1 for legacy; 2 for WAL; 0 for corruptDB.sqlite >>18 ubyte !1 \b, writer version %u # File format read version. 1 for legacy; 2 for WAL; 4 for corruptDB.sqlite @@ -201,6 +288,63 @@ 0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, !:ext sqlite-wal/db-wal >4 belong x version %d +# Summary: SQLite Write-Ahead-Log index (shared memory) +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/SQLite +# Reference: http://www.sqlite.org/draft/walformat.html#walidxfmt +# iVersion; WAL-index format version number; always 3007000=2DE218h +0 ulelong 0x002DE218 +>0 use shm-le +# big endian variant not tested +0 ubelong 0x002DE218 +>0 use \^shm-le +# show information about SQLite Write-Ahead-Log shared memory +0 name shm-le +>0 ulelong x SQLite Write-Ahead Log shared memory +#!:mime application/octet-stream +!:mime application/vnd.sqlite3 +# db3-shm Acronis BackupAndRecovery F4CEEE47-042C-4828-95A0-DE44EC267A28.db3-shm +# dbx-shm probably Dropbox filecache.dbx-shm +# aup3-shm Audacity project tada.aup3-shm +# srd-shm Microsoft Windows StateRepository service StateRepository-Deployment.srd-shm StateRepository-Machine.srd-shm: +!:ext sqlite-shm/db-shm/db3-shm/dbx-shm/aup3-shm/srd-shm +# unused padding space; must be zero +>4 ulelong !0 \b, unused %x +# iChange; unsigned integer counter, incremented with each transaction +>8 ulelong x \b, counter %u +# isInit; the "isInit" flag; 1 when the shm file has been initialized +>12 ubyte !1 \b, not initialized %u +# bigEndCksum; true if the WAL file uses big-ending checksums; 0 if the WAL uses little-endian checksums +>13 ubyte !0 \b, checksum type %u +# szPage; database page size in bytes, or 1 if the page size is 65536 +>14 uleshort !1 \b, page size %u +>14 uleshort =1 \b, page size 65536 +# mxFrame; number of valid and committed frames in the WAL file +>16 ulelong x \b, %u frames +# nPage; size of the database file in pages +>20 ulelong x \b, %u pages +# aFrameCksum; checksum of the last frame in the WAL file +>24 ulelong x \b, frame checksum %#x +# aSalt; two salt value copied from the WAL file header in the byte-order of the WAL file; might be different from machine byte-order +>32 ulequad x \b, salt %#llx +# aCksum; checksum over bytes 0 through 39 of this header +>40 ulelong x \b, header checksum %#x +# a copy of bytes 0 through 47 of header +>48 
ulelong !3007000 \b, iversion %u +# nBackfill; number of WAL frames that have already been backfilled into the database by prior checkpoints +>96 ulelong !0 \b, %u backfilled +# nBackfillAttempted; number of WAL frames that have attempted to be backfilled +>>128 ulelong x (%u attempts) +# read-mark[0..4]; five "read marks"; each read mark is a 32-bit unsigned integer +>100 ulelong !0 \b, read-mark[0] %#x +>104 ulelong x \b, read-mark[1] %#x +>108 ulelong !0xffffffff \b, read-mark[2] %#x +>112 ulelong !0xffffffff \b, read-mark[3] %#x +>116 ulelong !0xffffffff \b, read-mark[4] %#x +# unused space set aside for 8 file locks +>120 ulequad !0 \b, space %#llx +# unused space reserved for further expansion +>132 ulelong !0 \b, reserved %#x # SQLite Rollback Journal # https://www.sqlite.org/fileformat.html#rollbackjournal @@ -217,3 +361,9 @@ # H2 Database from https://www.h2database.com/ 0 string --\ H2\ 0.5/B\ --\ \n H2 Database file + +# DuckDB database file from https://duckdb.org +8 string DUCK DuckDB database file +>12 lequad x \b, version %lld +#>20 lequad x \b, flags %#llx +#>28 lequad x \b, flags %#llx diff --git a/contrib/file/magic/Magdir/ssh b/contrib/file/magic/Magdir/ssh index 441f3b4a8e55..84d3817cbd33 100644 --- a/contrib/file/magic/Magdir/ssh +++ b/contrib/file/magic/Magdir/ssh @@ -1,16 +1,64 @@ # Type: OpenSSH key files # 
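Review bot: Under `0 name shm-le`, `!:mime application/vnd.sqlite3` gives the WAL-index (shared memory) file the MIME type of an SQLite database, although the comments in this hunk describe a different header layout (iVersion, iChange, isInit, ...). A consumer that picks a parser by MIME type would hand the index file to a database reader; the commented-out `!:mime application/octet-stream`, or a distinct type, would keep the two apart. The match is also only the 4-byte value `0x002DE218` at offset 0, and the big-endian variant is marked "not tested". Requiring the header copy as well, e.g. `>48 ulelong 0x002DE218` before the `use` line, would reduce false positives, at the cost of no longer printing a mismatching `iversion`.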
From: Nicolas Collignon <tsointsoin@gmail.com> +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Secure_Shell_Protocol -0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, +0 string SSH\040PRIVATE\040KEY OpenSSH RSA1 private key, >28 string >\0 version %s -0 string -----BEGIN\ OPENSSH\ PRIVATE\ KEY----- OpenSSH private key +0 string -----BEGIN\040OPENSSH\040PRIVATE\040KEY----- OpenSSH private key +!:mime application/x-pem-file +# https://www.rfc-editor.org/rfc/rfc5958 +0 string -----BEGIN\040PRIVATE\040KEY----- OpenSSH private key (no password) +#!:mime text/plain +!:mime text/x-ssh-private-key +!:ext key +0 string -----BEGIN\040ENCRYPTED\040PRIVATE\040KEY----- OpenSSH private key (with password) +# https://download.qemu.org/qemu-9.0.0.tar.xz +# qemu-9.0.0/roms/skiboot/libstb/crypto/mbedtls/tests/data_files/format_gen.pub +0 string -----BEGIN\040PUBLIC\040KEY----- OpenSSH public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub -0 string ssh-dss\ OpenSSH DSA public key -0 string ssh-rsa\ OpenSSH RSA public key +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pub-ssh-dss.trid.xml +# Note: called "SSH-DSS Public key" by TrID +0 string ssh-dss\040 OpenSSH DSA public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pub-ssh-rsa.trid.xml +# Note: called "SSH-RSA Public key" by TrID +0 string ssh-rsa\040 OpenSSH RSA public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub 0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub +# https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.u2f?annotate=HEAD +0 string sk-ecdsa-sha2-nistp256@openssh.com OpenSSH U2F ECDSA public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub 0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub 0 string ecdsa-sha2-nistp521 
OpenSSH ECDSA public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub 0 string ssh-ed25519 OpenSSH ED25519 public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub +0 string sk-ssh-ed25519@openssh.com OpenSSH U2F ED25519 public key +#!:mime text/plain +!:mime text/x-ssh-public-key +!:ext pub + + 0 string SSHKRL\n\0 >8 ubelong 1 OpenSSH key/certificate revocation list, format %u diff --git a/contrib/file/magic/Magdir/ssl b/contrib/file/magic/Magdir/ssl index 230939239323..2d0e77f7234c 100644 --- a/contrib/file/magic/Magdir/ssl +++ b/contrib/file/magic/Magdir/ssl @@ -1,17 +1,37 @@ #------------------------------------------------------------------------------ -# $File: ssl,v 1.5 2017/12/29 04:00:07 christos Exp $ +# $File: ssl,v 1.7 2024/06/10 23:23:55 christos Exp $ # ssl: file(1) magic for SSL file formats # Type: OpenSSL certificates/key files # From: Nicolas Collignon <tsointsoin@gmail.com> 0 string -----BEGIN\040CERTIFICATE----- PEM certificate +!:mime application/x-pem-file 0 string -----BEGIN\040CERTIFICATE\040REQ PEM certificate request +!:mime application/x-pem-file +# Update: Joerg Jenderek +# Reference: https://github.com/openssl/openssl/blob/master/include/openssl/pem.h +# http://mark0.net/download/triddefs_xml.7z/defs/k/key-rsa-pvt.trid.xml +# Note: called "ASCII armored RSA Private Key" by TrID 0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key +#!:mime text/plain +!:mime text/x-ssl-private-key +!:ext key/priv +0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key +!:mime application/x-pem-file 0 string -----BEGIN\040DSA\040PRIVATE PEM DSA private key +!:mime application/x-pem-file 0 string -----BEGIN\040EC\040PRIVATE PEM EC private key +!:mime application/x-pem-file 0 string -----BEGIN\040ECDSA\040PRIVATE PEM ECDSA private key +!:mime application/x-pem-file +# 
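Review bot: The added entries for `-----BEGIN PRIVATE KEY-----`, `-----BEGIN ENCRYPTED PRIVATE KEY-----` and `-----BEGIN PUBLIC KEY-----` are described as OpenSSH keys, but these PEM labels are the generic PKCS#8 / SubjectPublicKeyInfo armor, so keys written by other tools will be reported as OpenSSH. The hunk itself cites RFC 5958 and an mbedtls test file as sources. Neutral descriptions such as `PEM PKCS#8 private key`, `PEM PKCS#8 encrypted private key` and `PEM public key` would avoid that. The encrypted entry also has no `!:mime`/`!:ext` line, while `-----BEGIN OPENSSH PRIVATE KEY-----` gets `application/x-pem-file` and the PKCS#8 entry gets `text/x-ssh-private-key`. A scanner that looks for private-key material by MIME type therefore has to handle three different answers; one type for all private-key entries would be easier to match on.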
From: Joerg Jenderek +# Reference: https://github.com/openssl/openssl/blob/master/include/openssl/pem.h +0 string -----BEGIN\040RSA\040PUBLIC\040KEY----- PEM RSA public key +#!:mime text/plain +!:mime text/x-ssl-public-key +!:ext pub # From Luc Gommans # OpenSSL enc file (recognized by a magic string preceding the password's salt) diff --git a/contrib/file/magic/Magdir/subtitle b/contrib/file/magic/Magdir/subtitle new file mode 100644 index 000000000000..cfbe293d59ed --- /dev/null +++ b/contrib/file/magic/Magdir/subtitle @@ -0,0 +1,38 @@ + +#------------------------------------------------------------------------------ +# $File: subtitle,v 1.2 2022/09/07 11:29:09 christos Exp $ +# subtitle: file(1) magic for subtitles files + +# EBU-STL +# https://tech.ebu.ch/docs/tech/tech3264.pdf +3 string STL EBU-STL subtitles +>6 regex =^[0-9][0-9] \b, rate %s +>>8 string .01 \b, v1 +!:mime application/x-ebu-stl +>>>16 regex =^[^\ ]{0,32} \b, title "%s" +>>>>224 regex =^[0-9]{2} \b, created %-.2s +>>>>>&0 regex =^[0-9]{2} \b-%-.2s +>>>>>>&0 regex =^[0-9]{2} \b-%-.2s +!:ext stl + +# SubRip (srt) subtitles +0 regex/20 =^1[\r\n]+0[01]:[0-9]{2}:[0-9]{2},[0-9]{3}\040--> SubRip +!:mime application/x-subrip +!:ext srt + +# WebVTT subtitles +# https://www.w3.org/TR/webvtt1/ +0 string/t WEBVTT +>&0 regex/255 =[0-9]{2}:[0-9]{2}\\.[0-9]{3}\040--> WebVTT subtitles +!:mime text/vtt +!:ext vtt + +# XML TTML subtitles +# https://www.w3.org/TR/ttml2/ +0 string/t \<?xml +>20 search/400 \020xmlns= +>>&0 regex ['"]http://www.w3.org/ns/ttml TTML subtitles +!:mime application/ttml+xml +# Augment strength to beat plain XML +!:strength * 3 +!:ext ttml diff --git a/contrib/file/magic/Magdir/sun b/contrib/file/magic/Magdir/sun index df83834d2dd1..14fa6af4b473 100644 --- a/contrib/file/magic/Magdir/sun +++ b/contrib/file/magic/Magdir/sun 
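Review bot: `0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key` now appears twice in a row in the ssl hunk, once with `!:mime text/x-ssl-private-key` and `!:ext key/priv` and once with `!:mime application/x-pem-file`. Both entries test the same bytes, so the MIME type reported for an RSA private key depends on which one is tried first. It may also differ from the DSA, EC and ECDSA entries, which carry only `application/x-pem-file`. Keep a single entry and settle on one type for all private-key armor, for example the existing line followed by `!:mime application/x-pem-file` and `!:ext key/priv`.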
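Review bot: In the TTML entry of the new subtitle file, `>20 search/400 \020xmlns=` searches for byte 0x10 (octal 020) followed by `xmlns=`, which looks like a typo for `\040` (space). As written the continuation will presumably not match ordinary XML, so TTML files fall through to the plain XML entry. `>20 search/400 \040xmlns=` is the likely intent, though an `xmlns=` preceded by a tab or newline would still be missed. The dots in `['"]http://www.w3.org/ns/ttml` are also unescaped regex metacharacters.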
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sun,v 1.28 2019/04/19 00:42:27 christos Exp $ +# $File: sun,v 1.29 2024/03/31 15:06:56 christos Exp $ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x @@ -9,13 +9,14 @@ # are in aout, as they're indistinguishable from other big-endian # 32-bit a.out files. # -0 belong&077777777 0600413 a.out SunOS SPARC demand paged ->0 byte &0x80 ->>20 belong <4096 shared library ->>20 belong =4096 dynamically linked executable ->>20 belong >4096 dynamically linked executable ->0 byte ^0x80 executable ->16 belong >0 not stripped +# Note: already handled as "SPARC demand paged" by ./bsdi +#0 belong&077777777 0600413 a.out SunOS SPARC demand paged +#>0 byte &0x80 +#>>20 belong <4096 shared library +#>>20 belong =4096 dynamically linked executable~ +#>>20 belong >4096 dynamically linked executable +#>0 byte ^0x80 executable +#>16 belong >0 not stripped 0 belong&077777777 0600410 a.out SunOS SPARC pure >0 byte &0x80 dynamically linked executable diff --git a/contrib/file/magic/Magdir/svf b/contrib/file/magic/Magdir/svf new file mode 100644 index 000000000000..b0d5c980f944 --- /dev/null +++ b/contrib/file/magic/Magdir/svf @@ -0,0 +1,5 @@ +# $File: svf,v 1.2 2023/05/23 13:37:32 christos Exp $ +# +# file(1) magic(5) data for SmartVersion files with the .svf extension. + +0 string DFS\ File\x0D\x0Ahttp://www.difstream.com\x0D\x0A SmartVersion binary patch file diff --git a/contrib/file/magic/Magdir/symbos b/contrib/file/magic/Magdir/symbos index c97a42e0c74d..0a79ec4c7550 100644 --- a/contrib/file/magic/Magdir/symbos +++ b/contrib/file/magic/Magdir/symbos 
@@ -1,6 +1,7 @@ #------------------------------------------------------------------------------ -# msx: file(1) magic for the SymbOS operating system +# $File: symbos,v 1.3 2024/06/10 23:09:52 christos Exp $ +# symbos: file(1) magic for the SymbOS operating system # http://www.symbos.de # Fabio R. Schmidlin <frs@pop.com.br> diff --git a/contrib/file/magic/Magdir/sysex b/contrib/file/magic/Magdir/sysex index 0065ad17e432..d02389d9a457 100644 --- a/contrib/file/magic/Magdir/sysex +++ b/contrib/file/magic/Magdir/sysex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.11 2022/01/17 17:16:51 christos Exp $ +# $File: sysex,v 1.12 2022/10/31 13:22:26 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems @@ -10,8 +10,8 @@ 0 ubeshort&0xFF80 0xF000 # MIDI System Exclusive (SysEx) messages (strength=50) after Microsoft Visual C library (strength=70) #!:strength +0 -# skip Microsoft Visual C library with page size 16 misidentifed as ADA and -# page size 32 misidentifed as Inventronics by looking for terminating End Of eXclusive byte (EOX) +# skip Microsoft Visual C library with page size 16 misidentified as ADA and +# page size 32 misidentified as Inventronics by looking for terminating End Of eXclusive byte (EOX) >2 search/12 \xF7 >>0 use midi-sysex # display information about MIDI System Exclusive (SysEx) messages diff --git a/contrib/file/magic/Magdir/terminfo b/contrib/file/magic/Magdir/terminfo index 1b036935b6e0..647cdfeeb137 100644 --- a/contrib/file/magic/Magdir/terminfo +++ b/contrib/file/magic/Magdir/terminfo 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: terminfo,v 1.12 2021/02/23 00:51:10 christos Exp $ +# $File: terminfo,v 1.14 2024/09/04 19:06:12 christos Exp $ # terminfo: file(1) magic for terminfo # # URL: https://invisible-island.net/ncurses/man/term.5.html @@ -37,6 +37,7 @@ # AIX and HPUX use the SVr4 big-endian format # Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) 0 beshort 0433 SVr2 curses screen image, big-endian +# GRR: line below too general as it catches Commodore C128 program (crc32.prg XLINK.PRG) with start address 1C01h handled by ./c64 0 beshort 0434 SVr3 curses screen image, big-endian 0 beshort 0435 SVr4 curses screen image, big-endian # @@ -47,12 +48,12 @@ # Rather than SVr4, Solaris "xcurses" writes this header: 0 regex \^MAX=[0-9]+,[0-9]+$ >1 regex \^BEG=[0-9]+,[0-9]+$ ->2 regex \^SCROLL=[0-9]+,[0-9]+$ ->3 regex \^VMIN=[0-9]+$ ->4 regex \^VTIME=[0-9]+$ ->5 regex \^FLAGS=0x[[:xdigit:]]+$ ->6 regex \^FG=[0-9],[0-9]+$ ->7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image +>>2 regex \^SCROLL=[0-9]+,[0-9]+$ +>>>3 regex \^VMIN=[0-9]+$ +>>>>4 regex \^VTIME=[0-9]+$ +>>>>>5 regex \^FLAGS=0x[[:xdigit:]]+$ +>>>>>>6 regex \^FG=[0-9],[0-9]+$ +>>>>>>>7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image # # ncurses5 (and before) did not use a magic number, making screen dumps "data". # ncurses6 (2015) uses this format, ignoring byte-order diff --git a/contrib/file/magic/Magdir/tex b/contrib/file/magic/Magdir/tex index aaeae169f336..e66f8ffdcecb 100644 --- a/contrib/file/magic/Magdir/tex +++ b/contrib/file/magic/Magdir/tex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: tex,v 1.21 2019/04/19 00:42:27 christos Exp $ +# $File: tex,v 1.22 2022/12/21 16:50:04 christos Exp $ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) 
@@ -10,13 +10,15 @@ # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] -0 string \367\002 TeX DVI file +0 string \367\002 +>(14.b+15) string \213 +>>14 pstring >\0 TeX DVI file (%s) !:mime application/x-dvi ->16 string >\0 (%s) 0 string \367\203 TeX generic font data 0 string \367\131 TeX packed font data >3 string >\0 (%s) -0 string \367\312 TeX virtual font data +0 string \367\312 +>(2.b+11) string \363 TeX virtual font data 0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text diff --git a/contrib/file/magic/Magdir/tplink b/contrib/file/magic/Magdir/tplink index 971f428103ba..1b4ef0f3369f 100644 --- a/contrib/file/magic/Magdir/tplink +++ b/contrib/file/magic/Magdir/tplink @@ -1,25 +1,32 @@ #------------------------------------------------------------------------------ -# $File: tplink,v 1.7 2021/04/26 15:56:00 christos Exp $ +# $File: tplink,v 1.8 2023/05/15 16:41:02 christos Exp $ # tplink: File magic for openwrt firmware files # URL: https://wiki.openwrt.org/doc/techref/header # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml +# Note: called "TP-Link router firmware (v1)" by TrID # 
From: Joerg Jenderek # check for valid header version 1 or 2 0 ulelong <3 >0 ulelong !0 # test for header padding with nulls >>0x100 long 0 -# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor +# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor name >>>4 ubelong >0x1F000000 # skip user.dbt by looking for positive hardware id >>>>0x40 ubeshort >0 ->>>>>0 use firmware-tplink +# skip cversions.1.db cversions.2.db cversions.3.db inside +# c:\ProgramData\Microsoft\Windows\Caches +# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0 +>>>>>5 short !0 +>>>>>>0 use firmware-tplink 0 name firmware-tplink >0 ubyte x firmware !:mime application/x-tplink-bin +# like: TL-WR1043ND-V1-FW0.0.3-stripped.bin gluon-ffrefugee-0.9.2-tp-link-archer-c5-v1-sysupgrade.bin !:ext bin # hardware id like 10430001 07410001 09410004 09410006 >0x40 ubeshort x %x diff --git a/contrib/file/magic/Magdir/troff b/contrib/file/magic/Magdir/troff index 5b8af64ce881..301a40bc34da 100644 --- a/contrib/file/magic/Magdir/troff +++ b/contrib/file/magic/Magdir/troff 
@@ -1,24 +1,30 @@ #------------------------------------------------------------------------------ -# $File: troff,v 1.13 2020/05/30 23:12:34 christos Exp $ +# $File: troff,v 1.14 2023/06/01 16:00:46 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) # troff input 0 search/1 .\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 '\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 '.\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 \\" troff or preprocessor input text +!:strength +12 !:mime text/troff #0 search/1 ''' troff or preprocessor input text #!:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text +!:strength +12 !:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text +!:strength +12 !:mime text/troff # ditroff intermediate output text diff --git a/contrib/file/magic/Magdir/uf2 b/contrib/file/magic/Magdir/uf2 index 49a86d7640c1..adaee0611f83 100644 --- a/contrib/file/magic/Magdir/uf2 +++ b/contrib/file/magic/Magdir/uf2 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: uf2,v 1.3 2021/04/28 01:00:31 christos Exp $ +# $File: uf2,v 1.6 2024/09/04 19:08:08 christos Exp $ # uf2: file(1) magic for UF2 firmware image files # # https://github.com/microsoft/uf2 @@ -28,6 +28,8 @@ ### BEGIN UF2 FAMILIES >>28 lelong 0x00ff6919 ST STM32L4xx >>28 lelong 0x04240bdf ST STM32L5xx +>>28 lelong 0x06d1097b ST STM32F411xC +>>28 lelong 0x11de784a M0SENSE BL702 >>28 lelong 0x16573617 Microchip (Atmel) ATmega32 >>28 lelong 0x1851780a Microchip (Atmel) SAML21 >>28 lelong 0x1b57745f Nordic NRF52 
@@ -35,31 +37,63 @@ >>28 lelong 0x1e1f432d ST STM32L1xx >>28 lelong 0x202e3a91 ST STM32L0xx >>28 lelong 0x21460ff0 ST STM32WLxx +>>28 lelong 0x22e0d6fc Realtek AmebaZ RTL8710B >>28 lelong 0x2abc77ec NXP LPC55xx +>>28 lelong 0x2b88d29c ESP32-C2 +>>28 lelong 0x2dc309c5 ST STM32F411xE >>28 lelong 0x300f5633 ST STM32G0xx >>28 lelong 0x31d228c6 GD32F350 +>>28 lelong 0x332726f6 ESP32-H2 +>>28 lelong 0x3379CFE2 Realtek AmebaD RTL8720D +>>28 lelong 0x3d308e94 ESP32-P4 +>>28 lelong 0x4b684d71 Sipeed MaixPlay-U4 (BL618) >>28 lelong 0x4c71240a ST STM32G4xx +>>28 lelong 0x4f6ace52 LISTENAI CSK300x/400x >>28 lelong 0x4fb2d5bd NXP i.MX RT10XX +>>28 lelong 0x51e903a8 Xradiotech 809 >>28 lelong 0x53b80f00 ST STM32F7xx +>>28 lelong 0x540ddf62 ESP32-C6 >>28 lelong 0x55114460 Microchip (Atmel) SAMD51 ->>28 lelong 0x57755a57 ST STM32F401 +>>28 lelong 0x57755a57 ST STM32F4xx >>28 lelong 0x5a18069b Cypress FX2 >>28 lelong 0x5d1a0a2e ST STM32F2xx >>28 lelong 0x5ee21072 ST STM32F103 +>>28 lelong 0x621e937a Nordic NRF52833 >>28 lelong 0x647824b6 ST STM32F0xx +>>28 lelong 0x675a40b0 Beken 7231U/7231T >>28 lelong 0x68ed2b88 Microchip (Atmel) SAMD21 +>>28 lelong 0x699b62ec WCH CH32V2xx and CH32V3xx +>>28 lelong 0x6a82cc42 Beken 7251/7252 >>28 lelong 0x6b846188 ST STM32F3xx >>28 lelong 0x6d0922fa ST STM32F407 >>28 lelong 0x6db66082 ST STM32H7xx +>>28 lelong 0x6e7348a8 LISTENAI CSK60xx +>>28 lelong 0x6f752678 Nordic NRF52832xxAB >>28 lelong 0x70d16653 ST STM32WBxx +>>28 lelong 0x72721d4e Nordic NRF52832xxAA +>>28 lelong 0x77d850c4 ESP32-C61 +>>28 lelong 0x7b3ef230 Beken 7231N +>>28 lelong 0x7be8976d Renesas RA4M1 >>28 lelong 0x7eab61ed ESP8266 >>28 lelong 0x7f83e793 NXP KL32L2x >>28 lelong 0x8fb060fe ST STM32F407VG +>>28 lelong 0x9517422f Renesas RZ/A1LU (R7S7210xx) +>>28 lelong 0x9af03e33 GigaDevice GD32VF103 +>>28 lelong 0x9fffd543 Realtek Ameba1 RTL8710A +>>28 lelong 0xa0c97b8e ArteryTek AT32F415 >>28 lelong 0xada52840 Nordic NRF52840 >>28 lelong 0xbfdd4eee ESP32-S2 >>28 lelong 0xc47e5767 
ESP32-S3 >>28 lelong 0xd42ba06c ESP32-C3 +>>28 lelong 0xde1270b7 Boufallo 602 +>>28 lelong 0xe08f7564 Realtek AmebaZ2 RTL8720C >>28 lelong 0xe48bff56 Raspberry Pi RP2040 +>>28 lelong 0xe48bff57 Raspberry Pi MC: Absolute (unpartitioned) download +>>28 lelong 0xe48bff58 Raspberry Pi MC: Data partition download +>>28 lelong 0xe48bff59 Raspberry Pi RP2350, Secure Arm image +>>28 lelong 0xe48bff5a Raspberry Pi RP2350, RISC-V image +>>28 lelong 0xe48bff5b Raspberry Pi RP2350, Non-secure Arm image +>>28 lelong 0xf71c0343 ESP32-C5 ### END UF2 FAMILIES >>28 default x @@ -68,5 +102,5 @@ >>28 lelong x %#08x >8 lelong &0x4000 \b, MD5 checksum present >8 lelong &0x8000 \b, extension tags present ->12 lelong x \b, address %#08x +>12 lelong x \b, base address %#08x >24 lelong x \b, %u total blocks diff --git a/contrib/file/magic/Magdir/uterus b/contrib/file/magic/Magdir/uterus index a8be8a880d28..4b9e768b6424 100644 --- a/contrib/file/magic/Magdir/uterus +++ b/contrib/file/magic/Magdir/uterus @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ +# $File: uterus,v 1.4 2022/10/31 13:22:26 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # @@ -11,6 +11,6 @@ >7 byte x \b%c >8 string \<\> \b, big-endian >>16 belong >0 \b, slut size %u ->8 string \>\< \b, litte-endian +>8 string \>\< \b, little-endian >>16 lelong >0 \b, slut size %u >10 byte &8 \b, compressed diff --git a/contrib/file/magic/Magdir/uxn b/contrib/file/magic/Magdir/uxn new file mode 100644 index 000000000000..a7910c550bc4 --- /dev/null +++ b/contrib/file/magic/Magdir/uxn 
@@ -0,0 +1,18 @@ + +#------------------------------------------------------------------------------ +# $File: uxn,v 1.1 2024/07/30 22:25:24 christos Exp $ +# uxn: file(1) magic for Uxn ROM files +# +# https://100r.co/site/uxn.html +# https://wiki.xxiivv.com/site/uxn.html +# +# Created by Samuel Dionne-Riel <samuel@dionne-riel.com> + +# https://wiki.xxiivv.com/site/metadata.html +0x00 byte =0xa0 +>0x01 ubeshort x +>>0x03 byte =0x80 +>>>0x04 byte =0x06 +>>>>0x05 byte =0x37 Varvara Uxn ROM +>>>>>0x01 ubeshort x with metadata at 0x%x +>>>>>>(0x01.S-0x0ff) string x (%s) diff --git a/contrib/file/magic/Magdir/varied.script b/contrib/file/magic/Magdir/varied.script index ff893882b01e..e6090b49f43f 100644 --- a/contrib/file/magic/Magdir/varied.script +++ b/contrib/file/magic/Magdir/varied.script 
@@ -1,59 +1,24 @@ #------------------------------------------------------------------------------ -# $File: varied.script,v 1.13 2019/10/11 14:35:29 christos Exp $ +# $File: varied.script,v 1.16 2024/02/04 19:26:02 christos Exp $ # varied.script: file(1) magic for various interpreter scripts -0 string/t #!\ / a ->3 string >\0 %s script text executable -!:strength / 2 +0 string #![ Rust Source file +!:ext rs -0 string/b #!\ / a ->3 string >\0 %s script executable (binary data) -!:strength / 2 +0 string/wt #!\ a +>&-1 string/T x %s script text executable +!:strength / 3 -0 string/t #!\t/ a ->3 string >\0 %s script text executable -!:strength / 2 +0 string/wb #!\ a +>&-1 string/T x %s script executable (binary data) +!:strength / 3 -0 string/b #!\t/ a ->3 string >\0 %s script executable (binary data) -!:strength / 2 - -0 string/t #!/ a ->2 string >\0 %s script text executable -!:strength / 2 - -0 string/b #!/ a ->2 string >\0 %s script executable (binary data) -!:strength / 2 - -0 string/t #!\ script text executable ->3 string >\0 for %s -!:strength / 2 - -0 string/b #!\ script executable ->3 string >\0 for %s (binary data) -!:strength / 2 # using env -0 string/t #!/usr/bin/env a ->15 string/t >\0 %s script text executable -!:strength / 10 - -0 string/b #!/usr/bin/env a ->15 string/b >\0 %s script executable (binary data) -!:strength / 10 - -0 string/t #!\ /usr/bin/env a ->16 string/t >\0 %s script text executable -!:strength / 10 - -0 string/b #!\ /usr/bin/env a ->16 string/b >\0 %s script executable (binary data) -!:strength / 10 +0 string/wt #!\ /usr/bin/env a +>15 string/T >\0 %s script text executable +!:strength / 6 -# From: arno <arenevier@fdn.fr> -# mozilla xpconnect typelib -# see https://www.mozilla.org/scriptable/typelib_file.html -0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib ->0x10 byte x version %d ->>0x11 byte x \b.%d +0 string/wb #!\ /usr/bin/env a +>15 string/T >\0 %s script executable (binary data) +!:strength / 6 
diff --git a/contrib/file/magic/Magdir/vax b/contrib/file/magic/Magdir/vax index f3deffa59fa3..dbf455477338 100644 --- a/contrib/file/magic/Magdir/vax +++ b/contrib/file/magic/Magdir/vax @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: vax,v 1.10 2019/10/04 18:07:46 christos Exp $ +# $File: vax,v 1.11 2024/02/29 03:42:40 christos Exp $ # vax: file(1) magic for VAX executable/object and APL workspace # 0 lelong 0101557 VAX single precision APL workspace 0 lelong 0101556 VAX double precision APL workspace # -# VAX a.out (BSD; others collide with 386 and other 32-bit little-endian +# VAX a.out (BSD; others collide with i386 and other 32-bit little-endian # executables, and are handled in aout) # 0 lelong 0420 a.out VAX demand paged (first page unmapped) pure executable diff --git a/contrib/file/magic/Magdir/virtual b/contrib/file/magic/Magdir/virtual index 7872e32483ba..295dbd025d52 100644 --- a/contrib/file/magic/Magdir/virtual +++ b/contrib/file/magic/Magdir/virtual @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: virtual,v 1.16 2022/01/18 14:08:15 christos Exp $ +# $File: virtual,v 1.21 2024/09/04 19:09:00 christos Exp $ # From: James Nobis <quel@quelrod.net> # Microsoft hard disk images for: # Virtual Server 
@@ -9,10 +9,10 @@ # URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk) # Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/ # Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc -0 string connectix Microsoft Disk Image, Virtual Server or Virtual PC +0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC # alternative shorter names -#0 string connectix Microsoft Virtual Hard Disk image -#0 string connectix Microsoft Virtual HD image +#0 string conectix Microsoft Virtual Hard Disk image +#0 string conectix Microsoft Virtual HD image !:mime application/x-virtualbox-vhd !:ext vhd # Features is a bit field used to indicate specific feature support @@ -135,8 +135,8 @@ # Reserved[4016] #>>0x10050 ulequad >0 \b, Reserved %#llx # VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB ->0x30000 ulelong !0x69676572 \b, 1st region INVALID ->0x30000 ulelong =0x69676572 \b; region +>0x30000 ulelong !0x69676572 Microsoft Disk Image Extended, 1st region INVALID +>0x30000 ulelong =0x69676572 Microsoft Disk Image Extended; region # region Checksum. CRC-32C hash over the entire 64-KB table #>>0x30004 ulelong x \b, CRC %#x # The EntryCount specifies number of valid entries; Found 2; This must be =< 2047. @@ -299,9 +299,41 @@ >0 string >\0 (%s) >368 lequad x \b, %lld bytes +# 
From: Joerg Jenderek +# URL: https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nvram-virtualbox.trid.xml +# Note: called "VirtualBox saved (U)EFI BIOS settings" by TrID and +# verfied partly by VirtualBox version 7.0.12 `VBoxManage modifynvram <uuid|vmname> listvars` +# first 64 bytes seems to be constant +0 long 0 +>0x28 string _FVH +>>0x64 beshort 0xAA55 +>>>0 use virtualbox-nvram +# display information of virtualbox *.nvram +0 name virtualbox-nvram +>0x64 beshort x VirtualBox NVRAM file +#!:mime application/octet-stream +!:mime application/x-virtualbox-nvram +!:ext nvram + 0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, >32 string x type %s, >48 string x subtype %s 0 lelong 0x02468ace Bochs Sparse disk image +# QEMU replay image +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.qemu.org/docs/master/system/replay.html +# Reference: https://gitlab.com/qemu/qemu/-/blob/master/replay/replay.c +0 ubelong&0xFFFFFFF0 0x00e02000 +>3 byte >5 +>>4 quad 0 +>>>12 ulelong <40 QEMU replay +>>>>3 byte x \b, version %d +>>>>3 byte 6 (QEMU 2.10-2.11) +>>>>3 byte 7 (QEMU 2.12-4.1) +>>>>3 byte 8 (QEMU 4.2) +>>>>3 byte 9 (QEMU 5.0) +>>>>3 byte 10 (QEMU 5.1-7.0) +>>>>3 byte 12 (QEMU 7.1+) diff --git a/contrib/file/magic/Magdir/weak b/contrib/file/magic/Magdir/weak index 6dc1793c927e..404a67a50156 100644 --- a/contrib/file/magic/Magdir/weak +++ b/contrib/file/magic/Magdir/weak @@ -1,5 +1,6 @@ #------------------------------------------------------------------------------ +# $File: weak,v 1.3 2024/06/10 23:09:52 christos Exp $ # weak: file(1) magic for very weak magic entries, disabled by default # # These entries are so weak that they might interfere identification of diff --git a/contrib/file/magic/Magdir/web b/contrib/file/magic/Magdir/web index ca8d812365e5..a0d26e67fb9c 100644 --- a/contrib/file/magic/Magdir/web +++ b/contrib/file/magic/Magdir/web 
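Review bot: The new `virtualbox-nvram` detection in the last hunk of Magdir/virtual rests on three short tests (`0 long 0`, `_FVH` at 0x28, `0xAA55` at 0x64), although its own comment says the first 64 bytes seem to be constant. `_FVH` looks like the generic UEFI firmware-volume signature rather than anything VirtualBox-specific, so variable stores written by other hypervisors or firmware builds may be reported as VirtualBox NVRAM. That matters when file(1) output is used to triage Secure Boot variable stores. Either test more of the constant header or record the limitation in the file's usual form, e.g. `# GRR: tests below are too general as they probably match other UEFI variable store images`.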
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: web,v 1.1 2020/05/17 19:14:28 christos Exp $ +# $File: web,v 1.2 2022/10/29 16:02:37 christos Exp $ # http://www.rdfhdt.org/ # From Christoph Biedl @@ -10,3 +10,9 @@ 0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1 !:mime application/vnd.hdt !:ext hdt + +0 string [Adblock\040Plus Adblock Plus +>&1 regex [0-9.]+ %s +>1 string x rules file +>10 search/100 Version: +>>&1 regex [0-9]+ \b, version %s diff --git a/contrib/file/magic/Magdir/webassembly b/contrib/file/magic/Magdir/webassembly index 3b1d37e667bd..469b45e22b8e 100644 --- a/contrib/file/magic/Magdir/webassembly +++ b/contrib/file/magic/Magdir/webassembly @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: webassembly,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: webassembly,v 1.4 2022/08/16 11:16:39 christos Exp $ # webassembly: file(1) magic for WebAssembly modules # # WebAssembly is a virtual architecture developed by a W3C Community @@ -12,4 +12,6 @@ 0 string \0asm WebAssembly (wasm) binary module >4 lelong =1 version %#x (MVP) +!:mime application/wasm +!:ext wasm >4 lelong >1 version %#x diff --git a/contrib/file/magic/Magdir/windows b/contrib/file/magic/Magdir/windows index c98708ae1bae..2614e57f96be 100644 --- a/contrib/file/magic/Magdir/windows +++ b/contrib/file/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.44 2022/05/31 17:39:08 christos Exp $ +# $File: windows,v 1.67 2024/11/09 22:43:01 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs 
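Review bot: In the webassembly hunk, `!:mime application/wasm` and `!:ext wasm` are inserted after the continuation `>4 lelong =1 version %#x (MVP)`, so they attach to that continuation and not to the `0 string \0asm` entry. A module whose version field is not 1 then matches `>4 lelong >1 version %#x` and is presumably reported without a MIME type or extension, which a content-type filter would treat as unknown data. Placing both lines directly below `0 string \0asm WebAssembly (wasm) binary module` covers every version.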
@@ -15,40 +15,255 @@ # Summary: Outlook Express DBX file -# Extension: .dbx # Created by: Christophe Monniez -0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file ->4 byte =0xC5 \b, message database ->4 byte =0xC6 \b, folder database ->4 byte =0xC7 \b, account information ->4 byte =0x30 \b, offline database +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Outlook_Express_Database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbx.trid.xml +# https://sourceforge.net/projects/ol2mbox/files/LibDBX/ +# v1.0.4/libdbx_1.0.4.tar.gz/FILE-FORMAT +# Note: called "Outlook Express Database" by TrID and DROID via PUID fmt/838 fmt/839 +# and partly verified by `undbx --verbosity 4 Posteingang.dbx` +0 string \xCF\xAD\x12\xFE +# skip DROID fmt-838-signature-id-1193.dbx fmt-839-signature-id-1194.dbx by check for valid file size +>0x7C ulelong >0 MS Outlook Express DBX file +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-dbx +!:ext dbx +>>4 byte =0xC5 \b, message database +>>4 byte =0xC6 \b, folder database +>>4 byte =0xC7 \b, account information +>>4 byte =0x30 \b, offline database +# version like: 5.2 5.5 (typical) +>>20 ulequad !0x0000000500000005 \b, version +# major version +>>>24 ulelong x %u +# minor version +>>>20 ulelong x \b.%u +# CLSID: 6F74FDC5-E366-11d1-9A4E-00C04FA309D4~Message 6F74FDC6-E366-11D1-9A4E-00C04FA309D4~Folder +# 26FE9D30-1A8F-11D2-AABF-006097D474C4~offline +#>>4 guid x \b, CLSID %s +# file size; total size of file; sometimes real size a little bit higher +>>0x7C ulelong x \b, ~ %u bytes +# highest Email ID; the next email will have a number one higher than this +>>0x5c ulelong x \b, highest ID %#x +# item count; number of items stored in this DBX file +>>0xC4 ulelong x \b, %u item +# plural s +>>0xC4 ulelong !1 \bs +# index pointer; file offset pointing to a page of Data Indexes +>>0xE4 ulelong >0 \b, index pointer %#x +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Nickfile +# https://www.nirsoft.net/utils/outlook_nk2_edit.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nk2.trid.xml +# https://github.com/libyal/libnk2/blob/main/documentation +# Nickfile%20(NK2)%20format.asciidoc +# Note: called "Outlook Nickfile" by TrID & TestDisk and +# "Outlook Nickname File" by Microsoft Outlook and +# "Outlook AutoComplete File" by Nirsoft NK2Edit +# partly verfied by NK2Edit Raw Text Edit Mode +0 ubelong 0x0DF0ADBA MS Outlook Nickfile +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-nickfile +!:ext nk2/dat/bak +# nick is used by "older" Outlook; dat is used by "newer" Outlook (probably 2010 - 2016); bak is used for backup +#!:ext nick/nk2/dat/bak +# Unknown; probably a version indicator like: 0000000Ah 0000000Ch +>4 ulelong x \b, probably version %u +# Unknown2; probably a version indicator like: 1 0 +>8 ulelong x \b.%u +# number of rows (nickname or alias items) in file +>12 ulelong x \b, %u items +# number of item entries/columns/properties value like: 17h +>16 ulelong x \b, %u entries +# value type/property tag: 001Fh~4 bytes for data size of UTF-16 LE string +>20 uleshort x \b, value type %#4.4x +# entry type/property identifier: 6001h~PR_DOTSTUFF_STATE/PR_NICK_NAME_W +>22 uleshort x \b, entry type %#4.4x +# Reserved like: 0013FD90h +#>24 ulelong x \b, reserved %#8.8x +# value data array/Irrelevant Union like: 0000000004E31A80h +#>28 ulequad x \b, data %#16.16llx +# UTF-16 +>20 uleshort =0x001F +# unicode string bytes like: 2Ch +>>36 ulelong x \b, %u bytes +# unicode string value PT_UNICODE like: janesmith@contoso.org +>>40 lestring16 x "%s" # Summary: Windows crash dump -# Extension: .dmp # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html +# 
https://web.archive.org/web/20101125060849/https://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) +# Modified by (2): Joerg Jenderek (addtional fields, extension, URL) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp.trid.xml +# https://gitlab.com/qemu-project/qemu/-/blob/master/include/qemu/win_dump_defs.h +# Note: called "Windows memory dump" by TrID +# and verified by like Windows Kit `Dumpchk.exe 043022-18703-01.dmp` +# and partly by NirSoft `BlueScreenView.exe 043022-18703-01.dmp` +# char Signature[4] 0 string PAGE +# char ValidDump[4] >4 string DUMP MS Windows 32bit crash dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: Mini111013-01.dmp +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 2600 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 709000 +#>>16 ulelong x \b, DirectoryTableBase %#x +# PfnDatabase like: 805620c8 +#>>20 ulelong x \b, PfnDatabase %#x +# PsLoadedModuleList like: 8055d720 +#>>24 ulelong x \b, PsLoadedModuleList %#x +# PsActiveProcessHead like:805638b8 +#>>28 ulelong x \b, PsActiveProcessHead %#x +# MachineImageType like: 14c (intel x86) +>>32 ulelong !0x14c \b, MachineImageType %#x +# NumberProcessors like: 2 +>>36 ulelong x \b, %u processors +# BugcheckCode like: e2 +#>>40 ulelong x \b, BugcheckCode %#x +# BugcheckParameter1 like: 0 +#>>44 ulelong x \b, BugcheckParameter1 %#x +# BugcheckParameter2 like: 0 +#>>48 ulelong x \b, BugcheckParameter2 %#x +# BugcheckParameter3 like: 0 +#>>52 ulelong x \b, BugcheckParameter3 %#x +# BugcheckParameter4 like: 0 +#>>56 ulelong x \b, BugcheckParameter4 %#x +# VersionUser[32]; like "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>60 string x \b, VersionUser "%.32s" +# uint32_t reserved0 like: 45474101 +#>>92 ulelong x \b, reserved0 %#x >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE +# KdDebuggerDataBlock like: 8054d2e0 +#>>96 ulelong x \b, 
KdDebuggerDataBlock %#x +# uint8_t PhysicalMemoryBlockBuffer[700] +# WinDumpPhyMemDesc32 NumberOfRuns like: 45474150 +#>>100 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +#>>104 ulelong x \b, NumberOfPages %#x +# WinDumpPhyMemRun32 Run[86]; 688 bytes +#>>108 ulelong x \b, BasePage %#x +#>>112 ulelong x \b, PageCount %#x +# uint8_t reserved1[3200] +#>>800 string x \b, reserved "%s" +#>>4000 ulelong x \b, RequiredDumpSpace %#x +# uint8_t reserved2[92]; +#>>4004 string x \b, reserved2 "%s" >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump +# like: 4 +>>0xf88 lelong >3 \b, dump type (%#x) +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! +#>>104 ulelong x \b, NumberOfPages %#x >>0x068 lelong x \b, %d pages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp-64.trid.xml113o +# Note: called "Windows 64bit Memory Dump" by TrID +# char ValidDump[4] >4 string DU64 MS Windows 64bit crash dump ->>0xf98 lelong 1 \b, full dump ->>0xf98 lelong 2 \b, kernel dump ->>0xf98 lelong 3 \b, small dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: c:\Windows\Minidump\020322-18890-01.dmp c:\Windows\MEMORY.DMP +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 9600 19041 22621 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 001ab000 +#>>16 ulequad x \b, DirectoryTableBase %#llx +# PfnDatabase like: fffffa8000000000 +#>>24 ulequad x \b, PfnDatabase %#llx +# PsLoadedModuleList like: fffff800c553f650 +#>>32 ulequad x \b, PsLoadedModuleList %#llx +# PsActiveProcessHead like: fffff800c5525400 +#>>40 ulequad x \b, PsActiveProcessHead %#llx +# MachineImageType like: 00008664 +>>48 ulelong !0x8664 \b, MachineImageType %#x +# NumberProcessors like: 2 4 +>>52 ulelong x \b, %u processors +# BugcheckCode like: 1000007e +#>>56 ulelong x \b, BugcheckCode %#x +# 
unused0 +#>>60 ulelong x \b, unused0 %#x +# BugcheckParameter1 like: ffffffffc0000005 +#>>64 ulequad x \b, BugcheckParameter1 %#llx +# BugcheckParameter2 like: fffff801abb2158f +#>>72 ulequad x \b, BugcheckParameter2 %#llx +# BugcheckParameter3 like: ffffd000290d4288 +#>>80 ulequad x \b, BugcheckParameter3 %#llx +# BugcheckParameter4 like: ffffd000290d3aa0 +#>>88 ulequad x \b, BugcheckParameter4 %#llx +# VersionUser[32]; like "" "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>96 string x \b, VersionUser "%.32s" +# KdDebuggerDataBlock like: fffff800c550c530 +#>>128 ulequad x \b, KdDebuggerDataBlock %#llx +# uint8_t PhysicalMemoryBlockBuffer[704] +# WinDumpPhyMemDesc64 NumberOfRuns like: 6 7 0x45474150 +#>>136 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc64 unused like: 0 0x45474150 +#>>140 ulelong x \b, unused %#x +# WinDumpPhyMemRun64 Run[43] BasePage like: 1 +#>>152 ulequad x \b, BasePage %#llx +# WinDumpPhyMemRun64 Run[43] PageCount like: 57h +#>>160 ulequad x \b, PageCount %#llx +# uint8_t ContextBuffer[3000] like: "" "\001" "\0207J\266\001\340\377\377&8\007\312" +#>>840 string x \b, ContextBuffer "%s" +# WinDumpExceptionRecord ExceptionCode +#>>3840 ulelong x \b, ExceptionCode %#x +# WinDumpExceptionRecord ExceptionFlags +#>>3844 ulelong x \b, ExceptionFlags %#x +# WinDumpExceptionRecord ExceptionRecord +#>>3848 ulequad x \b, ExceptionRecord %#llx +# WinDumpExceptionRecord ExceptionAddress +#>>3856 ulequad x \b, ExceptionAddress %#llx +# WinDumpExceptionRecord NumberParameters +#>>3864 ulelong x \b, NumberParameters %#x +# WinDumpExceptionRecord unused +#>>3868 ulelong x \b, unsed %#x +# WinDumpExceptionRecord ExceptionInformation[15] +#>>3872 ulequad x \b, ExceptionInformation[0] %#llx +# https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options +# but DumpType like: 4~small 5~full (MEMORY.DMP) 6~kernel (MEMORY.DMP) +>>0xf98 ulelong x \b, +>>>0xf98 lelong 5 full dump +>>>0xf98 lelong 6 kernel dump +>>>0xf98 lelong 4 
small dump +# This probably never occur +>>>0xf98 default x DumpType +>>>>0xf98 ulelong x (%#x) +# WinDumpPhyMemDesc64 uint64_t NumberOfPages like: 3142425 8341923 8366500 1162297680 4992030524978970960 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! >>0x090 lequad x \b, %lld pages - # Summary: Vista Event Log -# Extension: .evtx # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html -0 string ElfFile\0 MS Windows Vista Event Log +# Update: Joerg Jenderek +# URL: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc +# Reference (1): https://web.archive.org/web/20110803085000/ +# https://computer.forensikblog.de/en/2007/05/some_magic.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/evtx.trid.xml +# Note: called "Vista Event Log" by TrID and "Event Log" by Windows +# verified partly by `wevtutil.exe gli /lf:true dumpfile.evtx` +0 string ElfFile\0 MS Windows +#!:mime application/octet-stream +!:mime application/x-ms-evtx +!:ext evtx +# Major+Minor format version: 3.1~Vista and later 3.2~Windows 10 (2004) and later +>0x24 ulelong =0x00030001 Vista-8.1 Event Log +>0x24 ulelong !0x00030001 10-11 Event Log, version +>>0x26 uleshort x %u +>>0x24 uleshort x \b.%u >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d @@ -56,6 +271,32 @@ >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL +# Summary: Windows Event Trace Log +# 
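Review bot: In the `DU64` branch, the `0xf98` DumpType values 1, 2 and 3 that the removed lines labelled full, kernel and small dump now fall through to the `default` line and print only `DumpType (0x…)`, while the 32-bit `DUMP` branch earlier in the same hunk still maps 1/2/3. If 64-bit dumps with the old numbering exist (nothing in the hunk rules them out), triage output for them loses the dump kind. Keeping `>>>0xf98 lelong 1 full dump` and `>>>0xf98 lelong 2 kernel dump` next to the new 4/5/6 cases would avoid that. A one-line comment saying which numbering applies to which dumps would also explain why the two branches differ.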
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ETL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/etl.trid.xml +# https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.htm +# Note: called "Window tracing/diagnostic binary log" by TrID +# verified by `tracerpt.EXE Wifi.etl -of EVTX` +# and by etl-parser `etl2xml --input AMSITrace.etl --output AMSITrace.xml` +# Every ETL file begins with a WMI_BUFFER_HEADER, a SYSTEM_TRACE_HEADER and a TRACE_LOGFILE_HEADER +0 ubyte 0 +# look for corresponding encoded as UTF-16 file name extension like in: boot_BASE+CSWITCH_1.etl +>0 search/0x699087/b .\0e\0t\0l\0\0\0 +# GRR: line above only works if in ../../src/file.h FILE_BYTES_MAX is raised above 699086h (6,59 MiB) +>>0 use trace-etl +# display information of Windows Performance Analyzer Trace File (file name) +0 name trace-etl +>0 ubyte x Windows Event Trace Log +#!:mime application/x-ms-etl +# http://extension.nirsoft.net/etl +!:mime application/etl +!:ext etl +# look for DOS drive letter part of log file name like: PhotosAppTracing_startedInBGMode.etl +>0 search/0x2b4/sb :\0\x5c\0 +# like: "c:\Windows\Logs\NetSetup\service.0.etl" "C:\Windows\System32\LogFiles\WMI\Wifi.etl" +>>&-2 lestring16 x "%s" + # Summary: Windows System Deployment Image # Created by: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/System_Deployment_Image 
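Review bot: The new ETL entry starts from `0 ubyte 0`, which matches any file whose first byte is zero, and then runs `search/0x699087/b` over up to about 6.6 MiB of each such file. That is a lot of work behind a very weak test when file(1) is run over untrusted or bulk input, and the entry's own comment says the search only succeeds once FILE_BYTES_MAX is raised. A stronger fixed-offset test taken from the WMI_BUFFER_HEADER that the comment mentions should come before the search, or the entry could move to Magdir/weak; until then I would add `# GRR: first test matches every file starting with \0, add a fixed-offset header check before the search`. The chained `search/0x1bbc370/s` … `search/0x371d4/s` lines added in the `@@ -239,77 +480,131 @@` hunk have the same cost profile.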
@@ -239,77 +480,131 @@ >>4 leshort 1 Windows # print non empty string above to avoid error message # Warning: Current entry does not yet have a description for adding a MIME type -!:mime application/winhelp -!:ext hlp +# not officially registered at IANA +#!:mime application/winhelp +#!:mime application/winhlp +!:mime application/x-winhelp # version Minor of help file format is hint for windows version ->>>2 leshort 0x0F 3.x ->>>2 leshort 0x15 3.0 ->>>2 leshort 0x21 3.1 ->>>2 leshort 0x27 x.y ->>>2 leshort 0x33 95 +# HC30 Windows 3.0 help file +>>>2 leshort 15 3.0 +# HC31 Windows 3.1 help file +>>>2 leshort 21 3.1 +# WMVC/MMVC media view file +>>>2 leshort 27 +# MVC or HCW 4.00 Windows 95 +>>>2 leshort 33 95 +# next line should not happen >>>2 default x y.z >>>>2 leshort x %#x # to complete message string like "MS Windows 3.x help file" ->>>2 leshort x help +>>>2 leshort !27 +# HLP or few MVB like NOTEPLAY.MVB +>>>>2 leshort x help +!:ext hlp +# URL: http://fileformats.archiveteam.org/wiki/Multimedia_Viewer_Book +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mvb.trid.xml +# Note: called "Multimedia Viewer Book" by TrID and by DROID via PUID fmt/1800 +>>>2 leshort =27 Multimedia Viewer Book +!:ext mvb # GenDate often older than file creation date >>>6 ldate x \b, %s -# +# flags determine the compression +#>>>10 uleshort x \b, flags %#x +>>>2 leshort <17 +# HelpFileTitle +>>>>12 string x \b, title "%s" +>>>2 leshort >16 +# SYSTEMREC[].RecordType type of data in record; 1~help file title 2~COPYRIGHT 3~TOPICOFFSET Contents 4~Macro 5~*.ICO 6~HPJ-structure +#>>>>12 uleshort x \b, RecordType %u +# DataSize size of data +#>>>>14 uleshort x \b, DataSize %u +>>>>12 uleshort 1 +>>>>>14 pstring/h >\0 \b, title "%s" # Magic for HeLP files +# URL: http://fileformats.archiveteam.org/wiki/HLP_(WinHelp) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hlp.trid.xml +# Note: called "Windows HELP File" by TrID, "Windows Help File" by DROID via PUID 
fmt/474 and +# "WinHelp help file" by shared MIME-info database from freedesktop.org 0 lelong 0x00035f3f # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" # file header magic 0x293B at DirectoryStart+9 >(4.l+9) uleshort 0x293B MS +# URL: http://fileformats.archiveteam.org/wiki/WinHelp_annotation +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ann.trid.xml # look for @VERSION bmf.. like IBMAVW.ANN >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation !:mime application/x-winhelp !:ext ann >>0xD4 string !\x62\x6D\x66\x01\x00 -# "GID Help index" by TrID ->>>(4.l+0x65) string =|Pete Windows help Global Index +# "GID Help index" by TrID by gid.trid.xml +# sometimes at little higher offset like in corelap.GID +>>>(4.l+0x65) search/26 |Pete Windows help Global Index !:mime application/x-winhelp !:ext gid # HeLP Bookmark or -# "Windows HELP File" by TrID ->>>(4.l+0x65) string !|Pete +# Multimedia_Viewer_Book or +# "Windows HELP File" by TrID by hlp.trid.xml +>>>(4.l+0x65) default x # maybe there exist a cleaner way to detect HeLP fragments -# brute search for Magic 0x036C with matching Major maximal 7 iterations -# discapp.hlp ->>>>16 search/0x49AF/s \x6c\x03 +# brute search for Magic 0x036C with matching Major maximal 13 iterations +# https://sembiance.com/fileFormatSamples/document/multimediaViewerBook/viewerht.mvb +>>>>16 search/0x1bbc370/s \x6c\x03 >>>>>&0 use help-ver-date >>>>>&4 leshort !1 -# putty.hlp ->>>>>>&0 search/0x69AF/s \x6c\x03 +# viewerht.mvb +>>>>>>&-2 search/0x1c4b6f0/s \x6c\x03 >>>>>>>&0 use help-ver-date >>>>>>>&4 leshort !1 ->>>>>>>>&0 search/0x49AF/s \x6c\x03 +# https://sembiance.com/fileFormatSamples/document/multimediaViewerBook/clarkhow.mvb +>>>>>>>>&0 search/0x34ab80/s \x6c\x03 >>>>>>>>>&0 use help-ver-date >>>>>>>>>&4 leshort !1 ->>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>&0 search/0x473ab0/s \x6c\x03 >>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>&0 search/0x49AF/s 
\x6c\x03 +>>>>>>>>>>>>&0 search/0x739680/s \x6c\x03 >>>>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>&0 search/0x76c030/s \x6c\x03 >>>>>>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>>&0 search/0x805c80/s \x6c\x03 # GCC.HLP is detected after 7 iterations >>>>>>>>>>>>>>>>>&0 use help-ver-date -# this only happens if bigger hlp file is detected after used search iterations ->>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help -!:mime application/winhelp -!:ext hlp +>>>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>>>&0 search/0x805c80/s \x6c\x03 +>>>>>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>>>>>&0 search/0xb63480/s \x6c\x03 +>>>>>>>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>>>>>>>&0 search/0xb7fe80/s \x6c\x03 +>>>>>>>>>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>>>>>>>>>&0 search/0xb8ade0/s \x6c\x03 +>>>>>>>>>>>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>>>>>>>>>>>&0 search/0x371d4/s \x6c\x03 +>>>>>>>>>>>>>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>>>>>>>>>>>>>&0 search/0x371d4/s \x6c\x03 +>>>>>>>>>>>>>>>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>>>>>>>>>>>>>>>&4 leshort !1 +# https://sembiance.com/fileFormatSamples/document/multimediaViewerBook/arivideo.mvb +>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>8 lelong !0xFFffFFff Windows Multimedia Viewer Book +!:mime application/x-winhelp +!:ext mvb # repeat search again or following default line does not work >>>>16 search/0x49AF/s \x6c\x03 -# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) +# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 7 8.1 64-bit) +# typically found 
inside directory %LOCALAPPDATA%\Help >>>>16 default x Windows help Bookmark !:mime application/x-winhelp -!:ext bmk -## FirstFreeBlock normally FFFFFFFFh 10h for *ANN -##>>8 lelong x \b, FirstFreeBlock %#8.8x -# EntireFileSize ->>12 lelong x \b, %d bytes +!:ext /bmk +# DirectoryStart offset of FILEHEADER of internal directory +#>4 lelong x \b, DirectoryStart %8.8x +## FirstFreeBlock normally for *HLP FFFFFFFFh if no free list or 10h for *ANN +#>>8 lelong x \b, FirstFreeBlock %#8.8x ## ReservedSpace normally 042Fh AFh for *.ANN #>>(4.l) lelong x \b, ReservedSpace %#8.8x ## UsedSpace normally 0426h A6h for *.ANN @@ -340,6 +635,16 @@ #>>(4.l+43) ulelong x \b, TotalBtreeEntries %#8.8x ## pages of the B+ tree #>>(4.l+47) ubequad x \b, PageStart %#16.16llx +# GRR: offset is not reachable in few samples like STMMHLP.MVB because probably damaged file +# or DROID fmt-474-signature-id-748.hlp +# or for example run file command with higher --parameter bytes=30335189 +>(4.l+9) uleshort !0x293B MS Windows Multimedia Viewer Book +#!:mime application/octet-stream +!:ext mvb +# GRR: next line is not executed! +>>12 lelong x (damaged or use higher '-P bytes' option) +# EntireFileSize; biggest 1551334 for CORELDRW.HLP 30335189 for viewerht.mvb; smallest 28672 for open.mvb +>12 lelong x \b, %d bytes # start with colon or semicolon for comment line like Back2Life.cnt 0 regex \^(:|;) 
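Review bot: The added `>>12 lelong x (damaged or use higher '-P bytes' option)` continuation in the `@@ -340,6 +635,16 @@` hunk is flagged by its own comment as never executed, so it should be fixed or dropped rather than shipped as dead magic. Presumably the parent test `>(4.l+9) uleshort !0x293B` does not match at all when the indirect offset lies beyond the bytes read, which would mean the branch only labels files whose directory header is readable but holds another value, not the unreachable-offset case the comment describes. A comment such as `# matches only when DirectoryStart is readable and its magic is not 0x293B` would say what the branch really covers. The branch also sets `!:ext mvb` while its only `!:mime` line is commented out, so these files get no MIME type.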
@@ -362,76 +667,359 @@ !:mime text/plain !:apple ????TEXT !:ext cnt -# +# URL: https://en.wikipedia.org/wiki/WinHelp +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fts.trid.xml +# Note: called "Windows Help Full-Text Search index" by TrID # Windows creates a full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing 0 string tfMR MS Windows help Full Text Search index !:mime application/x-winhelp-fts !:ext fts +# path of corresponding MS Windows help like: "C:\CDCREATR\creatr32.hlp" "C:\PROGRAMME\IPHOTO PLUS 4\PROGRAMS\Guide.hlp" +>16 string >\0 for "%s" +# 
From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftg-winhelp.trid.xml +# Note: called "Windows Help Full-Text search Group" by TrID +0 string gfMR MS Windows help Full Text search Group +!:mime application/x-winhelp-ftg +!:ext ftg +# path of corresponding FTS like: "C:\Windows\Help\winhlp32.FTS" >16 string >\0 for "%s" # Summary: Hyper terminal -# Extension: .ht # Created by: unknown +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/HyperACCESS +# https://www.hilgraeve.com/hyperterminal/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/ht.trid.xml +# Note: called "HyperTerminal data file" by TrID and "HyperTerminal File" on English Windows 0 string HyperTerminal\040 ->15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +>14 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +#!:mime application/octet-stream +!:mime application/x-ms-ht +!:ext ht # https://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut -# Extension: .lnk # Created by: unknown +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Shortcut +# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnk-shortcut.trid.xml +# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf +# Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/428 and "Windows shortcut file" by ./msdos (v 1.158) +# partly verified by command like `lnkinfo AOL.lnk` # 'L' + GUUID +# HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut !:mime application/x-ms-shortcut !:ext lnk +# LinkFlags +# HasLinkTargetIDList; if set a LinkTargetIDList structure MUST follow the 
ShellLinkHeader; If is not set, structure MUST NOT be present >20 lelong&1 1 \b, Item id list present +# HasLinkInfo; if set a LinkInfo structure MUST follow the ShellLinkHeader or LinkTargetIDList; If is not set, structure MUST NOT be present >20 lelong&2 2 \b, Points to a file or directory >20 lelong&4 4 \b, Has Description string >20 lelong&8 8 \b, Has Relative path >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon +# IconIndex >>56 lelong x \b number=%d +# IsUnicode; If set then StringData section contains Unicode-encoded strings +>20 lelong&128 128 \b, Unicoded +# ForceNoLinkInfo; LinkInfo structure is ignored +>20 lelong&256 256 \b, NoLinkInfo +# HasExpString; with an EnvironmentVariableDataBlock +>20 lelong&512 512 \b, HasEnvironment +# look for BlockSize 314h and EnvironmentVariableDataBlock BlockSignature A0000001h +>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes): optional NULL-terminated path to same environment variable Unicode encoded +# like: "%windir%\system32\calc.exe" +>>>&260 lestring16 x "%s" +# RunInSeparateProcess; run in a separate virtual machine when launching a 16-bit application; no examples found +>20 lelong&1024 1024 \b, RunInSeparateProcess +# Unused1; undefined and MUST be ignored +#>20 lelong&2048 2048 \b, Unused1 +# HasDarwinID; with a DarwinDataBlock +>20 lelong&4096 4096 \b, HasDarwinID +# look for BlockSize 314h and DarwinDataBlock BlockSignature A0000006h +>>76 search/1972 \x14\x03\x00\x00\x06\x00\x00\xa0 +# DarwinDataAnsi (260 bytes); NULL-terminated application identifier encoded with system default code page; SHOULD be ignored +#>>>&0 string x '%s' +# DarwinDataUnicode (520 bytes); NULL-terminated application identifier Unicode encoded +>>>&260 lestring16 x "%s" +# RunAsUser; target application is run 
as a different user +>20 lelong&8192 8192 \b, RunAsUser +# HasExpIcon; with an IconEnvironmentDataBlock +>20 lelong&16384 16384 \b, HasExpIcon +# look for BlockSize 314h and IconEnvironmentDataBlock BlockSignature A0000007h +>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment icon variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes); optional NULL-terminated path to same icon environment variable Unicode encoded +# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico" +>>>&260 lestring16 x "%s" +# NoPidlAlias; represented in the shell namespace; no examples found +>20 lelong&32768 32768 \b, NoPidlAlias +# Unused2; undefined and MUST be ignored +#>20 lelong&65536 65536 \b, Unused2 +# RunWithShimLayer; with a ShimDataBlock; no examples found +>20 lelong&131072 131072 \b, RunWithShimLayer +# ForceNoLinkTrack; TrackerDataBlock is ignored; no examples found +>20 lelong&262144 262144 \b, ForceNoLinkTrack +>20 lelong&262144 0 +# look for BlockSize 60h, TrackerDataBlock BlockSignature A0000003h, it length 58h and Version 0 +>>76 search/1972 \x60\x00\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\0\0\0\0 +# MachineID (16 bytes); a NULL-terminated NetBIOS name encoded with system default code page of the machine +>>>&0 string x \b, MachineID %0.16s +# Droid (32 bytes) +# +# DroidBirth (32 bytes) +# +# EnableTargetMetadata; collect target properties and store in PropertyStoreDataBlock +>20 lelong&524288 524288 \b, EnableTargetMetadata +# look for BlockSize >= Ch, PropertyStoreDataBlock BlockSignature A0000009h +#>>76 search/1972 \x00\x00\x09\x00\x00\xa0 +# PropertyStore (variable) +# +# DisableLinkPathTracking; EnvironmentVariableDataBlock is ignored; no examples found +>20 lelong&1048576 1048576 \b, DisableLinkPathTracking +# DisableKnownFolderTracking; SpecialFolderDataBlock and KnownFolderDataBlock are ignored and not saved +>20 lelong&2097152 2097152 \b, 
DisableKnownFolderTracking +>20 lelong&2097152 0 +# look for BlockSize 1Ch and KnownFolderDataBlock BlockSignature A000000Bh +>>76 search/1972 \x1c\x00\x00\x00\x0B\x00\x00\xa0 +# https://learn.microsoft.com/en-us/dotnet/desktop/winforms/controls/known-folder-guids-for-file-dialog-custom-places +# KnownFolderID specifies the folder GUID ID +# ProgramFiles 905E63B6-C1BF-494E-B29C-65B732D3D21A +# ProgramFilesX86 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E +>>>&0 guid x KnownFolderID %s +# DisableKnownFolderAlias; unaliased form of the known folder IDList SHOULD be used; no examples found +>20 lelong&4194304 4194304 \b, DisableKnownFolderAlias +# AllowLinkToLink; link that references another link is enabled; no examples found +>20 lelong&8388608 8388608 \b, AllowLinkToLink +# UnaliasOnSave; unaliased form of that known folder or the target IDList SHOULD be used; no examples found +>20 lelong&16777216 16777216 \b, UnaliasOnSave +# PreferEnvironmentPath; path specified in the EnvironmentVariableDataBlock SHOULD be used +>20 lelong&33554432 33554432 \b, PreferEnvironmentPath +# KeepLocalIDListForUNCTarget; UNC name SHOULD be stored in local path IDList in PropertyStoreDataBlock; no examples found +>20 lelong&67108864 67108864 \b, KeepLocalIDListForUNCTarget +# FileAttributes >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System ->24 lelong&8 8 \b, Volume Label +# Reserved1; MUST be zero +>24 lelong&8 8 \b, Reserved1 >24 lelong&16 16 \b, Directory >24 lelong&32 32 \b, Archive ->24 lelong&64 64 \b, Encrypted +# Reserved2; MUST be zero +>24 lelong&64 64 \b, Reserved2 >24 lelong&128 128 \b, Normal >24 lelong&256 256 \b, Temporary +# no examples found >24 lelong&512 512 \b, Sparse +# no examples found >24 lelong&1024 1024 \b, Reparse point >24 lelong&2048 2048 \b, Compressed >24 lelong&4096 4096 \b, Offline ->28 leqwdate x \b, ctime=%s ->36 leqwdate x \b, mtime=%s ->44 leqwdate x \b, atime=%s +# FILE_ATTRIBUTE_NOT_CONTENT_INDEXED; contents need to be 
indexed +>24 lelong&8192 8192 \b, NeedIndexed +# FILE_ATTRIBUTE_ENCRYPTED; file or directory is encrypted +>24 lelong&16384 16384 \b, Encrypted +# value zero means there is no time set on the target +>28 leqwdate !0 \b, ctime=%s +# Access time of target in UTC +>36 leqwdate !0 \b, atime=%s +# write time of target in UTC +>44 leqwdate !0 \b, mtime=%s +# FileSize; 32 bit size of target in bytes >52 lelong x \b, length=%u, window= ->60 lelong&1 1 \bhide ->60 lelong&2 2 \bnormal ->60 lelong&4 4 \bshowminimized ->60 lelong&8 8 \bshowmaximized ->60 lelong&16 16 \bshownoactivate ->60 lelong&32 32 \bminimize ->60 lelong&64 64 \bshowminnoactive ->60 lelong&128 128 \bshowna ->60 lelong&256 256 \brestore ->60 lelong&512 512 \bshowdefault -#>20 lelong&1 0 -#>>20 lelong&2 2 -#>>>(72.l-64) pstring/h x \b [%s] -#>20 lelong&1 1 -#>>20 lelong&2 2 -#>>>(72.s) leshort x -#>>>&75 pstring/h x \b [%s] +# ShowCommand; 1~SW_SHOWNORMAL 3~SW_SHOWMAXIMIZED HerzlichMEDION.lnk 7~SW_SHOWMINNOACTIVE YaCy.lnk Privoxy.lnk; All other values like 2 MUST be treated as SW_SHOWNORMAL +#>60 lelong x ShowCommand=%#x +>60 lelong x +>>60 lelong 3 \bshowmaximized +>>60 lelong 7 \bshowminnoactive +>>60 default x \bnormal +# Hotkey +>64 uleshort >0 \b, hot key +# 41h~A 42h~B ... 
+>>64 ubyte x %c +# modifier keys: 0x01~HOTKEYF_SHIFT 0x02~HOTKEYF_CONTROL 0x04~HOTKEYF_ALT +>>65 ubyte&1 1 \b+SHIFT +>>65 ubyte&2 2 \b+CONTROL +>>65 ubyte&4 4 \b+ALT +# Reserved; MUST be zero +#>66 uleshort !0 \b, reserved %#x +# Reserved2; MUST be zero +#>68 ulelong !0 \b, reserved2 %#x +# Reserved3; MUST be zero +#>72 ulelong !0 \b, reserved3 %#x +# optional LINKTARGET_IDLIST if LinkFlags bit HasLinkTargetIDList is set +>20 lelong&1 1 +# IDListSize; size of IDList +>>76 uleshort x \b, IDListSize %#4.4x +# 1st item +>>78 use lnk-item +# 2nd possible item +>>(78.s+78) uleshort >0 +>>>(78.s+78) use lnk-item +# 3rd possible item +>>>&(&-2.s-2) uleshort >0 +>>>>&-2 use lnk-item +# 4th possible item +>>>>&(&-2.s-2) uleshort >0 +>>>>>&-2 use lnk-item +# Because HasLinkInfo is set, a LinkInfo structure follows +>20 lelong&2 2 +# if no LINKTARGET_IDLIST (no HasLinkTargetIDList) then direct after header; no example found +>>20 lelong&1 =0 +>>>76 use lnk-info +# if LINKTARGET_IDLIST (HasLinkTargetIDList) then after LINKTARGET_IDLIST by addtional IDListSize bytes +>>20 lelong&1 =1 +>>>76 uleshort >0 +#>>>>(76.s+78) use lnk-info +>>>>(76.s+78) ubelong x +# move pointer to beginnig of LinkInfo structure +>>>>>&-8 ubelong x +#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x +>>>>>>&(&16.l) string x \b, LocalBasePath "%s" +# check and then display link item (size,data) +0 name lnk-item +# size value 0x0000 means TerminalID; indicates the end of the item IDs list +>0 uleshort >0 +#>>0 uleshort x \b, ItemIDSize %#4.4x +# item Data +#>>2 ubequad x \b, Item data=%#16.16llx +#>>2 ubyte x \b, Item type=%#x +>>2 ubyte =0x1f \b, Root folder +# like: "26EE0668-A00A-44D7-9371-BEB064C98683" Control Panel +# "20D04FE0-3AEA-1069-A2D8-08002B30309D" My Computer +# "871C5380-42A0-1069-A2EA-08002B30309D" Internet Explorer +>>>4 guid x "%s" +>>2 ubyte =0x2f \b, Volume +# like: "C:\" "D:\" +>>>3 string x "%s" +# Control panel category +#>>2 ubyte foo \b, Control panel category +# display 
LinkInfo structure (size,flags,offsets) +0 name lnk-info +# LinkInfoSize; size of the LinkInfo structure +>0 ulelong x \b, LinkInfoSize %#x +# LinkInfoHeaderSize; if 1C no optional fields; >=24 optional fields are specified +>4 ulelong x \b, LinkInfoHeaderSize %#x +# LinkInfoFlags; +#>8 ulelong x \b, LinkInfoFlags=%#x +>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath +# VolumeIDOffset; location of the VolumeID field (VolumeIDSize DriveType DriveSerialNumber VolumeLabelOffset ... ) inside LinkInfo structure +>>12 ulelong x \b, VolumeIDOffset %#x +# LocalBasePathOffset; location of LocalBasePath field like "C:\test\a.txt" inside LinkInfo structure +>>16 ulelong x \b, LocalBasePathOffset %#x +# LocalBasePathOffsetUnicode; location of the LocalBasePathUnicode field inside LinkInfo structure +>>4 ulelong >23 +>>>28 ulelong x \b, LocalBasePathOffsetUnicode %#x +>8 ulelong&2 2 \b, CommonNetworkRelativeLinkAndPathSuffix +# CommonNetworkRelativeLinkOffset; location of the CommonNetworkRelativeLink field inside LinkInfo structure +>>20 ulelong x \b, CommonNetworkRelativeLinkOffset %#x +# CommonPathSuffixOffset; location of CommonPathSuffix field +>24 ulelong x \b, CommonPathSuffixOffset %#x +# CommonPathSuffixOffsetUnicode; location of CommonPathSuffixUnicode field inside LinkInfo structure +>4 ulelong >23 +>>32 ulelong x \b, CommonPathSuffixOffsetUnicode %#x # Summary: Outlook Personal Folders # Created by: unknown -0 lelong 0x4E444221 Microsoft Outlook email folder ->10 leshort 0x0e (<=2002) ->10 leshort 0x17 (>=2003) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Personal_Folder_File +# https://en.wikipedia.org/wiki/Personal_Storage_Table +# Reference: https://interoperability.blob.core.windows.net/files/MS-PST/%5bMS-PST%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# dwMagic !BDN +0 lelong 0x4E444221 +# skip DROID x-fmt-75-signature-id-472.pab x-fmt-248-signature-id-260.pst x-fmt-249-signature-id-261.pst +# by check for 
existance of bPlatformCreate value +>14 ubyte x Microsoft Outlook +#!:mime application/octet-stream +# NOT official registered ! +!:mime application/vnd.ms-outlook +# dwCRCPartial; 32-bit cyclic redundancy check (CRC) value of followin 471 bytes; zero for 64-bit +#>>4 ulelong !0 \b, CRC %#x +# wMagicClient; AB (4142h) is used for PAB files; SM (534Dh) is used for PST files; SO (534Fh) is used for OST files +#>>8 leshort x \b, wMagicClient=%#x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# Note: called "Microsoft Personal Address Book" by TrID and +# "Microsoft Outlook Personal Address Book" by DROID via x-fmt/75 +>>8 leshort 0x4142 Personal Address Book +#!:mime application/x-ms-pab +!:ext pab +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/p/pst-unicode.trid.xml +# Note: called "Microsoft OutLook Personal Folder" by TrID and +# by DROID via x-fmt/248 for ANSI and via x-fmt/249 for Unicode +#>>8 leshort 0x4D53 \b, PST~ +# called "Microsoft Outlook email folder" in ./windows version 1.37 and older +>>8 leshort 0x4D53 Personal Storage +#!:mime application/x-ms-pst +!:ext pst +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ost.trid.xml +# Note: called "Outlook Exchange Offline Storage" by TrID +>>8 leshort 0x4F53 Offline Storage +#!:mime application/x-ms-ost +!:ext ost +# wVer; file format version. 
14 or 15 if the file is ANSI; > 21 or 23(=17h) if Unicode; 37 for written by Outlook with WIP +>>10 uleshort x ( +# probably NO intermediate versions exist +>>10 leshort <0x10 \b<=2002, ANSI, +>>10 leshort >0x14 \b>=2003, Unicode, +>>10 uleshort x version %u) +# wVerClient; client file format version like: 19 22 +#>>12 uleshort x \b, wVerClient=%u +# bPlatformCreate; This value MUST be set to 1 but also found 2 +>>14 ubyte >1 \b, bPlatformCreate=%u +# bPlatformAccess; This value MUST be set to 1 but also found 2 +>>15 ubyte >1 \b, bPlatformAccess=%u +# dwReserved1; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>16 ulelong !0 \b, dwReserved1=%#x +# dwReserved2; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>20 ulelong !0 \b, dwReserved2=%#x +# ANSI 32-bit variant Outlook 1997-2002 +>>10 uleshort <16 +# bidNextB; next BlockID (ANSI 4 bytes) +#>>>24 ulelong !0 \b, bidNextB=%#x +# bidNextP; Next available back BlockID pointer +#>>>28 ulelong !0 \b, bidNextP=%#x +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>32 ulelong !0 \b, dwUnique=%#x +# rgnid[128]; A fixed array of 32 NodeIDs, each corresponding to one of the 32 possible NID_TYPEs +#>>>36 ubequad x \b, rgnid=%#llx... 
+# dwReserved; Implementations SHOULD ignore this value and SHOULD NOT modify it; Initialized zero +>>>164 ulelong !0 \b, dwReserved=%#x +# ibFileEof; the size of the PST file, in bytes (ANSI 4 bytes) +>>>168 ulelong x \b, %u bytes +# ibAMapLast; offset to the last AMap page +#>>>172 ulelong x \b, ibAMapLast=%#x +# bSentinel; MUST be set to 0x80 +>>>460 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod: 0~No encryption 1~encryption with permutation 2~encryption with cyclic 16~encryption with Windows Information Protection (WIP) +>>>461 ubyte >0 \b, bCryptMethod=%u +# UNICODE 64-bit variant Outlook 2003-2007 +>>10 uleshort >20 +# bidUnused; Unused 8 bytes padding (Unicode only); sometimes like: 0x0000000100000004 +>>>24 ulequad !0x0000000100000004 \b, bidUnused=%#16.16llx +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>40 ulelong !0 \b, dwUnique=%#x +# rgnid[] (128 bytes): A fixed array of 32 NIDs, each corresponding to one of the 32 possible +#>>>44 ubequad x \b, rgnid=%#llx... +# ibFileEof; the size of the PST file, in bytes (Unicode 8 bytes) +>>>184 ulequad x \b, %llu bytes +# bSentinel; MUST be set to 0x80 +>>>512 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod; Encryption type like: 0 1 2 16 +>>>513 ubyte >0 \b, bCryptMethod=%u +# dwCRC; 32-bit CRC of the of the previous 516 bytes +>>>524 ulelong x \b, CRC32 %#x # Summary: Windows help cache @@ -596,6 +1184,27 @@ # like: 12510866.CPX !:ext cpx # 
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/File_Explorer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-exp.trid.xml,scf-exp-old.trid.xml +# Note: called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Windows via SHCmdFile +>>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File +#!:mime text/plain +!:mime text/x-ms-scf +# like: channels.scf desktop.scf explorer.scf "Desktop anzeigen.scf" +!:ext scf +# look for icon file directive maybe pointing to malicious file +>>>1 search/128 IconFile= \b, icon +>>>>&0 string x "%s" +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/VIA_Technologies +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-via.trid.xml +# Note: called "VIA setup configuration file" by TrID +>>&0 regex/c \^SCF]\r\n VIA setup configuration +#!:mime text/plain +!:mime text/x-via-scf +# like: SETUP.SCF +!:ext scf +# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/InstallShield # Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml # Note: contain also 3 keywords like: count Default key0 @@ -614,6 +1223,23 @@ !:mime text/x-ms-tag # like: DATA.TAG !:ext tag +# URL: https://en.wikipedia.org/wiki/Flatpak +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/flatpakref.trid.xml +# Note: called "Flatpack Reference" by TrID +>>&0 string Flatpak\ Ref] Flatpak repository reference +#!:mime text/plain +# https://reposcope.com/mimetype/application/vnd.flatpak.ref +!:mime application/vnd.flatpak.ref +!:ext flatpakref +# 
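Review bot: The `IconFile=` probe in the new Windows Explorer Shell Command File entry (`>>>1 search/128 IconFile=`) only inspects a 128-byte window, so a description without `, icon` does not show that the file has no icon directive. The comment above it presents the line as a check for a possibly malicious icon target, which invites triage tooling to read the output as a verdict. I would state the limit next to the rule, e.g. `# hint only: search is limited to 128 bytes; a missing ", icon" proves nothing`. The parent test that these `>>&0` continuations hang from starts outside the hunk.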
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CloneCD +# Reference: https://en.wikipedia.org/wiki/CloneCD_Control_File +# http://mark0.net/download/triddefs_xml.7z/defs/c/cdimage-clonecd-cue.trid.xml +# Note: called "CloneCD CDImage (description)" by TrID and "CloneCD Control File" by DROID via PUID fmt/1760 +>>&0 string CloneCD] CloneCD CD-image Description +#!:mime text/plain +!:mime text/x-ccd +!:ext ccd # unknown keyword after opening bracket >>&0 default x #>>>&0 string/c x UNKNOWN [%s @@ -623,6 +1249,12 @@ >>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript !:ext inf +# From: Joerg Jenderek +# URL: https://cdrtfe.sourceforge.io/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cfp-cdrtfe.trid.xml +>>>>&0 string FileExplorer] cdrtfe Project +!:mime text/x-cfp +!:ext cfp # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other >>>>&0 default x >>>>>&0 ubyte x @@ -634,6 +1266,10 @@ !:mime application/x-wine-extension-ini #!:mime text/plain !:ext ini/inf +# samples with only 1 and unknown section name +# XXX: matches a file containing '[1] 2' +#>>>&0 default x Generic INItialization configuration +#>>>>0 string x \b, 1st line "%s" # UTF-16 BOM 0 ubeshort =0xFFFE # look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml) 
@@ -715,21 +1351,24 @@ >>>2 uleshort <3 # look for colon in WinDirPath after PNF header #>>>>0x59 search/18 : ->>>>0 use PreCompiledInf +# skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some +# Targa image (money-256.tga XING_B_UCM8.tga x-fmt-367-signature-id-604.tga) with "invalid low section name" \0 +>>>>(20.l) ubelong >0x40004000 +>>>>>0 use PreCompiledInf 0 name PreCompiledInf >0 uleshort x Windows Precompiled iNF !:mime application/x-pnf !:ext pnf # major version 1 for older Windows like XP and 3 since about Windows Vista -# 101h~98-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362 +# 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11 >1 ubyte x \b, version %u >0 ubyte x \b.%u >0 uleshort =0x0101 (Windows ->>4 ulelong&0x00000001 !0x00000001 98) +>>4 ulelong&0x00000001 !0x00000001 95-98) >>4 ulelong&0x00000001 =0x00000001 XP) >0 uleshort =0x0301 (Windows Vista-8.1) >0 uleshort =0x0302 (Windows 10 older) ->0 uleshort =0x0303 (Windows 10) +>0 uleshort =0x0303 (Windows 10-11) # 1 ,2 (windows 98 SE) >2 uleshort !2 \b, InfStyle %u # PNF_FLAG_IS_UNICODE 0x00000001 @@ -771,7 +1410,7 @@ >>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>24 ulequad x \b, InfVersionLastWriteTime %16.16llx -#>24 foodate-0xbar x \b, InfVersionLastWriteTime %s +>24 qwdate x \b, InfVersionLastWriteTime %s # for Windows 98, XP >0 uleshort <0x0102 # only found values lower 0x00ffFFff @@ -809,6 +1448,7 @@ >>>>>(72.l) string x OsLoaderPath "%s" # 1fdh #>>>76 uleshort x \b, StringTableHashBucketCount %#x +# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a # only 407h found >>>78 uleshort !0x409 \b, LanguageID %x #>>>78 uleshort =0x409 \b, LanguageID %x 
@@ -910,7 +1550,7 @@ # Not null, but size terminated unicoded string >>>>>>>>(70.s) lestring16 x \b, name: %s # size of Media Label (104h) ->>>>>72 uleshort >0 +#>>>>>72 uleshort >0 # offset of Media Label (C4h,C6h,CCh) >>>>>74 uleshort >0 >>>>>>48 ubyte 1 @@ -1186,7 +1826,7 @@ # 5000010021083f00 50000100b0335600 50000100cbfdf800 50000100dfbc4700 #>4 ubequad x \b, at 4 %#16.16llx # copyright text like: "Stirling Technologies, Inc. (c) 1990-1994" -# "InstallSHIELD Software Coporation (c) 1990-1997" +# "InstallSHIELD Software Corporation (c) 1990-1997" >13 pstring/h x "%s" # look for specific ASCII variable names >1 search/0x121/s SRCDIR \b, variable names: @@ -1214,3 +1854,64 @@ # ... LOGHANDLE >0 ubelong x ... # + +# Summary: Microsoft Remote Desktop Protocol connection +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/r/rdp.trid.xml +# Note: called "Remote Desktop Connection Settings" by TrID +0 string screen\040mode\040id:i: Remote Desktop Protocol connection +#!:mime text/plain +!:mime text/x-ms-rdp +!:ext rdp +# Screen mode: 1~session appear in a window 2~session appear full screen +>17 string 1 \b, window mode +>17 string 2 \b, full screen mode + +0 guid 7B5C52E4-D88C-4DA7-AEB1-5378D02996D3 Microsoft OneNote +!:ext one +!:mime application/onenote +0 guid 43FF2FA1-EFD9-4C76-9EE2-10EA5722765F Microsoft OneNote Revision Store File + +# Microsoft XAML Binary Format +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/WalkingCat/XbfDump/blob/8832d2ffcaa738434d803fefa2ba99d3af37ed29/xbf_data.h +0 string XBF\0 +>12 ulelong <0xFF +>>16 ulelong <0xFF Microsoft XAML Binary Format +!:ext xbf +>>>12 ulelong x %d +>>>16 ulelong x \b.%d +>>>4 ulelong x \b, metadata size: %d bytes +>>>8 ulelong x \b, node size: %d bytes + +# Metaswitch MetaView Service Assurance Server exports +0 string MetaView\x20Service\x20Assurance\x20Export\x20File MetaView SAS export +>39 string Version\x20 +>>47 byte x \b, version %c + +# Active Directory Group Policy Registry Policy File Format +# 
From: Yuuta Liang <yuuta@yuuta.moe> +# URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format +0 string PReg +>4 lelong x Group Policy Registry Policy, Version=%d + +# Microsoft Type Library Format (.TLB file) +# Stores metadata on calling COM APIs (method parameters/etc) +# Exists in two formats: the original (SLTG aka Type 1) and a newer format (MSFT aka Type 2) +# SLTG: https://www.nationalarchives.gov.uk/PRONOM/fmt/1601 +# MSFT: https://www.nationalarchives.gov.uk/PRONOM/fmt/1602 +# (Pronom claims these formats are due to Borland, but that appears to be incorrect, Microsoft invented them.) +# The MSFT format is documented here: https://gist.github.com/djhohnstein/e4a346ee1506895000ca0fa93e5a0024 +# Which is a copy of original: http://theircorp.byethost11.com/files/TypeLib.txt (but which displays incorrectly due to encoding issues) +# The MSFT format is generated by the Windows CreateTypeLib2 API: https://learn.microsoft.com/en-us/windows/win32/api/oleauto/nf-oleauto-createtypelib2 +# The SLTG format is generated by the Windows CreateTypeLib API: https://learn.microsoft.com/en-us/windows/win32/api/oleauto/nf-oleauto-createtypelib +# +# Note type libraries can also be embedded as resources inside executables/DLL. No attempt is made here to detect that scenario. + +# Legacy SLTG format +0 string SLTG +>-36 string TYPELIB Type Library (legacy SLTG format) + +# MSFT format +0 string MSFT\x02\x00\x01\x00 Type Library (MSFT format) diff --git a/contrib/file/magic/Magdir/wordprocessors b/contrib/file/magic/Magdir/wordprocessors index 8032053d06c3..992c06727dbc 100644 --- a/contrib/file/magic/Magdir/wordprocessors +++ b/contrib/file/magic/Magdir/wordprocessors 
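Review bot: The Microsoft XAML Binary Format entry formats unsigned fields with a signed conversion: `>>>4 ulelong x \b, metadata size: %d bytes` and `>>>8 ulelong x \b, node size: %d bytes` read `ulelong` but print with `%d`. The two version fields are bounded by the `<0xFF` tests, but the size fields are not, so a corrupt or crafted header with the top bit set would presumably be shown as a negative size. `%u` matches the type and the other `ulelong` size fields in this file, e.g. `>>>4 ulelong x \b, metadata size: %u bytes`.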
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: wordprocessors,v 1.27 2021/12/06 15:05:16 christos Exp $ +# $File: wordprocessors,v 1.39 2024/11/09 23:26:33 christos Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: @@ -27,36 +27,193 @@ !:apple ????AWWP !:ext wps +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Publisher +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Publisher +# Note: older non OLE 2 (./ole2compounddocs) Compound based version +0 ubelong =0xE7AC2C00 Microsoft Publisher (1.0) +#!:mime application/x-mspublisher +# Not registered at IANA but +# https://web.archive.org/web/20200930085807/https://reposcope.com/mimetype/application/vnd.ms-publisher +!:mime application/vnd.ms-publisher +!:ext pub + +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/COSMI_MultiMedia +# https://en.wikipedia.org/wiki/Cosmi_Corporation +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cosmi.trid.xml +# Note: called "COSMI document (generic)" by TrID +0 string/b LCP COSMI document +#!:mime application/octet-stream +!:mime application/x-cosmi +# BCD~Business Card Maker BRO~Brochure Magic CRD~Greeting Card Magic DTP~Print Perfect PUB~Desktop Publisher +!:ext bcd/bro/crd/dtp/pub/ + # Corel/WordPerfect +# URL: https://en.wikipedia.org/wiki/WordPerfect +# Reference: https://github.com/OneWingedShark/WordPerfect/blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm +# http://mark0.net/download/triddefs_xml.7z/defs/w/wp-generic.trid.xml 0 string \xffWPC # WordPerfect >8 byte 1 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpm-macro.trid.xml +# Note: there exist other macro variants >>9 byte 1 WordPerfect macro +#!:mime application/octet-stream +!:mime application/x-wordperfect-wpm +# like: ALTD.WPM ENDFOOT.WPM FOOTEND.WPM LABELS.WPM REVEALTX.WPM +!:ext wpm +# Note: used in WordPerfect 5.1; there exist other FIL variants >>9 byte 2 WordPerfect help file +#!:mime application/octet-stream +!:mime application/x-wordperfect-help +# like: WPHELP.FIL +!:ext fil +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area >>9 byte 3 WordPerfect keyboard file +#!:mime application/octet-stream +!:mime application/x-wordperfect-keyboard +!:ext wpk +# no document area, so point to end of file; so this is file size like: 23381 2978 32835 3355 3775 919 +>>>4 ulelong x \b, %u bytes +>>9 byte 4 WordPerfect VAX keyboard definition +#!:mime application/octet-stream +!:mime application/x-wordperfect-keyboard +#!:ext foo +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpd-doc-gen.trid.xml >>9 byte 10 WordPerfect document +# 
https://www.iana.org/assignments/media-types/application/vnd.wordperfect +!:mime application/vnd.wordperfect +#!:apple ????WPC2 +# TODO: distinguish different suffix +!:ext wpd/wpt/wkb/icr/tut/sty/tst/crs >>9 byte 11 WordPerfect dictionary >>9 byte 12 WordPerfect thesaurus >>9 byte 13 WordPerfect block >>9 byte 14 WordPerfect rectangular block >>9 byte 15 WordPerfect column block >>9 byte 16 WordPerfect printer data +#!:mime application/octet-stream +!:mime application/x-wordperfect-prs +# like: STANDARD.PRS WORKBOOK.PRS +!:ext prs +# like: "Standard Printer" "Workbook Printer" +>>>0x64 pstring/B >A "%s" +#>>9 byte 18 WordPerfect Prefix information file +# printer resource .ALL >>9 byte 19 WordPerfect printer data +#!:mime application/octet-stream +!:mime application/x-wordperfect-all +!:ext all +# display Resource >>9 byte 20 WordPerfect driver resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-drs +# like: WPSMALL.DRS +!:ext drs +# pointer to index area with string "smalldrs" like: 46h +>>>4 uleshort !0x46 \b, at %#x index area +>>9 byte 21 WordPerfect Overlay file +#!:mime application/octet-stream +!:mime application/x-wordperfect-fil +# like: WP.FIL +!:ext fil +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect_Graphics +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wpg.trid.xml +# Note: called "WordPerfect Graphics bitmap" by TrID and +# "WordPerfect Graphics Metafile" by DROID via x-fmt/395 fmt/1042 +# "WPG (Word Perfect Graphics)" by ImageMagick `identify -verbose BUTTRFLY.WPG` >>9 byte 22 WordPerfect graphic image +# TODO: skip DROID x-fmt-395-signature-id-132.wpg by check for existing document area +#>>>4 ulelong >15 WordPerfect_graphic_OK +#!:mime application/octet-stream +# http://extension.nirsoft.net/wpg +!:mime image/x-wordperfect-graphics +# https://reposcope.com/mimetype/application/x-wpg +#!:mime application/x-wpg +# like: BUTTRFLY.WPG STAR-5.WPG input.wpg WORDPFCT.WPG +!:ext wpg +# 
pointer to document area like: 10h 1Ah +>>>4 ulelong !0x1A \b, at %#x document area >>9 byte 23 WordPerfect hyphenation code >>9 byte 24 WordPerfect hyphenation data >>9 byte 25 WordPerfect macro resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-mrs +# like: WP.MRS +!:ext mrs >>9 byte 27 WordPerfect hyphenation lex >>9 byte 29 WordPerfect wordlist >>9 byte 30 WordPerfect equation resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-qrs +# like: WQ.QRS wpDE.qrs wpen.qrs +!:ext qrs +# jump to document area with some marker and equation +>>>(4.l) ubyte x +# equation like: "Fraction: x OVER y" +>>>>&1 string >A (...%-.19s...) +# pointer to document area like: 17C4h +>>>4 ulelong x \b, at %#x document area +#>>9 byte 31 reserved +#>>9 byte 32 WordPerfect VAX .SET >>9 byte 33 WordPerfect spell rules >>9 byte 34 WordPerfect dictionary rules +#>>9 byte 35 reserved +# video resource device driver +# Note: filetype 26 for VRS and filetype 36 for WPD apparently is wrong +>>9 byte 36 WordPerfect Video Resource +#!:mime application/octet-stream +!:mime application/x-wordperfect-vrs +# like: STANDARD.VRS +!:ext vrs +# like: "IBM CGA (& compatibles)" +>>>0x20 string >A "%.23s" >>9 byte 39 WordPerfect spell rules (Microlytics) +#>>9 byte 40 reserved +>>9 byte 41 WordPerfect Install options +#!:mime application/octet-stream +!:mime application/x-wordperfect-ins +# like: WP51.INS +!:ext ins +# probably default directory name like: "C:\WP51\" +>>>0x12 string >A "%.8s" +# maybe mouse driver for WP5.1 +>>9 byte 42 WordPerfect Resource +#!:mime application/octet-stream +!:mime application/x-wordperfect-irs +# like: STANDARD.IRS +!:ext irs +# like: "Mouse Driver (MOUSE.COM)" +>>>0x28 string >A "%.24s" >>9 byte 43 WordPerfect settings file +# maybe Macintosh WP2.0 document >>9 byte 44 WordPerfect 3.5 document +!:mime application/vnd.wordperfect +!:apple ????WPD3 +# like: WP3.wpd +!:ext wpd >>9 byte 45 WordPerfect 4.2 document +# 
External spell code module (WP5.1) +#>>9 byte 46 WordPerfect external spell +# external spell dictionary .LEX +#>>9 byte 47 WordPerfect external spell dictionary +# Macintosh SOFT graphics file (SOFT (Sequential Object Format) +#>>9 byte 48 WordPerfect SOFT graphics +#>>9 byte 49 reserved +#>>9 byte 50 reserved +# WPWin 5.1 Application Resource Library added for WPWin 5.1 +#>>9 byte 51 WordPerfect application resource library >>9 byte 69 WordPerfect dialog file +# From: Joerg Jenderek +# Note: found in sub directory WritingTools inside WordPerfect 2021 program directory +>>9 byte 70 WordPerfect Writing Tools +#!:mime application/octet-stream +!:mime application/x-wordperfect-cbt +# like: Wt13cbede.cbt Wt13cbeit.cbt Wt13cbefr.cbt WT21cbede.cbt Wt13cbeEN.CBD WT21cbeEN.CBD +!:ext cbd/cbt >>9 byte 76 WordPerfect button bar >>9 default x >>>9 byte x Corel WordPerfect: Unknown filetype %d 
@@ -153,7 +310,65 @@ >>9 default x >>>9 byte x Corel WordPerfect Office: Unknown filetype %d # Corel DrawPerfect +# URL: http://fileformats.archiveteam.org/wiki/Corel_Presentations +# Update: Joerg Jenderek >8 byte 15 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-2.trid.xml +# Note: called "WordPerfect Presentations (v2)" by TrID and +# "Corel Presentation" with version "7-8-9" by DROID via PUID fmt/877 +>>9 byte 10 WordPerfect Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: BENEFITS.SHW chartbar.shw chartbul.shw chartgal.shw chartorg.shw fig-demo.shw figurgal.shw mastrgal.shw scuba.shw tutorial.shw +!:ext shw +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# search for embedded WP file like in tutorial.shw +#>>>16 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-3.trid.xml +# Note: called "WordPerfect/Corel Presentations (v3)" by TrID and +# "Corel Presentation" with version "3" by DROID via PUID fmt/878 +>>9 byte 15 Corel Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: FIG_ANIM.SHW presenta.shw +!:ext shw +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file like in foo +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? 
+#>>>>&0 indirect x \b; contains +# embedded inside Compound Document variant handled by ./ole2compounddocs +>>9 byte 16 Corel Presentation (embeded) +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-corelpresentations +# like: PerfectOffice_MAIN +!:ext / +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains >>9 default x >>>9 byte x Corel DrawPerfect: Unknown filetype %d # Corel LetterPerfect @@ -196,21 +411,64 @@ >>9 byte 24 GroupWise admin ADS deferment data file >>9 default x >>>9 byte x GroupWise: Unknown filetype %d +# Corel Writing Tools WT*.* +# 
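Review bot: The description string added for filetype 16, `>>9 byte 16 Corel Presentation (embeded)`, misspells "embedded". Unlike the comment typos elsewhere in the diff, this text is emitted by file(1), so anything that matches on descriptions inherits the spelling once it ships. Suggested line: `>>9 byte 16 Corel Presentation (embedded)`.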
From: Joerg Jenderek +# URL: https://support.corel.com/hc/en-us/articles/215876258-Writing-Tools-Spell-Check-Dictionary-does-not-work-in-WordPerfect-X5 +# http://wordperfect.helpmax.net/en/editing-and-formatting-documents/using-the-writing-tools/working-with-user-word-lists/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/u/uwl-wp.trid.xml +>8 byte 32 +>>9 byte 10 Corel Writing Tools User Word List +#!:mime application/octet-stream +!:mime application/x-wordperfect-wordlist +# personal user word list UWL under user directory like: WTDE.UWL WTUS.UWL WT21DE.UWL WT21US.UWL WT13DE.UWL ... +# and "template" SAV/HWL variant under program directory like: wt13en.hwl Wt13de.sav Wt13it.sav wt13ru.sav WT21us.sav Wtcz.sav ... +!:ext uwl/hwl/sav +# jump to document area with some marker and word list +>>>(4.l) ubyte x +# look for beginning of word list starting mostly with letter a as UTF-16 like: Wt13es.sav +# but not found in russian wt13ru.sav +>>>>&0 search/91/sb a\0 +# word list starting like: "acsesory\022accessory.\001\026acomodate\026accommodate4\001" +>>>>>&0 lestring16 x (...%-.33s...) +# pointer to document area like: 200h +>>>4 ulelong !0x200 \b, at %#x document area +# file size, not including pad characters at EOF +>>>0x14 uleshort x \b, %u bytes # IntelliTAG >8 byte 33 >>9 byte 10 IntelliTAG (SGML) compiled DTD >>9 default x >>>9 byte x IntelliTAG: Unknown filetype %d +# Summary: Corel WordPerfect WritingTools advise part +# 
From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adv-wp.trid.xml +>8 byte 34 +>>9 byte 11 Corel WordPerfect dictionary advise +#!:mime application/octet-stream +!:mime application/x-wordperfect-adv +#!:mime application/vnd.wordperfect.adv +# like: WT21de.adv Wt13de.adv Wt13es.adv Wt13fr.adv wt13us.adv +!:ext adv +# advise text part often start with tag like: 580A +#>>>(16.s) ubequad x ADVISE PART %#llx +# part of advise text like: "This is too informal for most writing." +>>>(16.s+16) string x (...%-.33s...) # everything else >8 default x >>8 byte x Unknown Corel/Wordperfect product %d, >>>9 byte x file type %d >10 byte 0 \b, v5. +# version of WP file; 2.1~WP 8.0 +# major version of WP file like: 1 2 >10 byte !0 \b, v%d. +# minor version of WP file like: 0 1 >11 byte x \b%d -# Hangul (Korean) Word Processor File -0 string HWP\ Document\ File Hangul (Korean) Word Processor File 3.0 +# Hancom HWP (Hangul Word Processor) +# Hangul Word Processor 3.0 through 97 used HWP 3.0 format. +# URL: https://www.hancom.com/etc/hwpDownload.do +0 string HWP\ Document\ File Hancom HWP (Hangul Word Processor) file, version 3.0 +!:ext hwp # CosmicBook, from Benoit Rouits 0 string CSBK Ted Neslson's CosmicBook hypertext file @@ -258,7 +516,7 @@ >110 uleshort/256 =0 document # https://www.macdisk.com/macsigen.php !:apple ALB3ALD3 -# PT3 for template and no example for PageMaker document/publiction with PM3 extension +# PT3 for template and no example for PageMaker document/publication with PM3 extension !:ext pm3/pt3 >110 uleshort/256 =4 document !:apple ALD4ALB4 
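Review bot: In the Corel Writing Tools User Word List entry the size field is read as 16 bits, `>>>0x14 uleshort x \b, %u bytes`, while the Corel Presentation entries added earlier in this file read the same header offset as `ulelong`, under the same "file size, not including pad characters at EOF" comment. If the field is 32 bits wide here as well, any word list larger than 65535 bytes would be reported with a truncated size. Unless the narrower read is deliberate, `>>>0x14 ulelong x \b, %u bytes` would be consistent; otherwise a one-line comment explaining the difference would help.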
@@ -305,15 +563,11 @@ 0 string DOC >43 byte 0x14 Just System Word Processor Ichitaro v4 !:mime application/x-ichitaro4 ->144 string JDASH application/x-ichitaro4 - -0 string DOC >43 byte 0x15 Just System Word Processor Ichitaro v5 !:mime application/x-ichitaro5 - -0 string DOC >43 byte 0x16 Just System Word Processor Ichitaro v6 !:mime application/x-ichitaro6 +>144 string JDASH application/x-ichitaro4 # Type: Freemind mindmap documents # From: Jamie Thompson <debian-bugs@jamie-thompson.co.uk> @@ -332,8 +586,23 @@ !:mime application/x-scribus # help files .hlp compiled from html and used by gfxboot added by Joerg Jenderek +# URL: https://en.opensuse.org/Gfxboot +# Reference: https://github.com/openSUSE/gfxboot/blob/master/gfxboot +# http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-gfxboot-main.trid.xml,hlp-gfxboot-opt.trid.xml +# Note: called "gfxboot compiled html help" (main),(opt) by TrID +# verified by command like `gfxboot --help-show en.hlp > en.html` # markups page=0x04,label=0x12, followed by strings like "opt" or "main" and title=0x14 -0 ulelong&0x8080FFFF 0x00001204 gfxboot compiled html help file +0 ulelong&0x8080FFFF 0x00001204 +# display "gfxboot compiled html help file" (strength=70) after one "TeX font metric data" (tri10u.tfm strength=71=50+21) handled by ./tex +#!:strength +0 +>2 regex \^(main|opt) gfxboot compiled html help file, label %s +#!:mime application/octet-stream +!:mime application/x-gfxboot-hlp +!:ext hlp +# check for title token \x14 +>>&0 ubyte 0x14 \b, title +# title text ends with \x10 +>>>&0 regex \^[[:print:]]+ '%s' # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/StarOffice @@ -392,3 +661,6 @@ # inspect 1st GALLERY thumbnail magic by ./images with 1 space at end #>11 indirect x \b; contains +# Atari ST Hypertext files +0 string HDOC\0 ST-Guide file +0 string HREF\0 ST-Guide reference file diff --git a/contrib/file/magic/Magdir/xenix b/contrib/file/magic/Magdir/xenix index 01d894ca9d98..f2bdda547acb 100644 
--- a/contrib/file/magic/Magdir/xenix +++ b/contrib/file/magic/Magdir/xenix @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: xenix,v 1.14 2021/04/26 15:56:00 christos Exp $ +# $File: xenix,v 1.17 2024/02/29 03:42:40 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # -# "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small +# "Middle model" stuff, and "Xenix 8086 relocatable or i286 small # model" lifted from "magic.xenix", with comment "derived empirically; # treat as folklore until proven" # 
@@ -28,51 +28,122 @@ # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length >>>3 ubyte >0 # skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type ->>>>(1.s+3) ubyte >0x6D 8086 relocatable (Microsoft) +>>>>(1.s+3) ubyte >0x6D +# skip few Atari DEGAS bitmap TPDEMO.PC2 RECIPE.PC2 with invalid "high" second record type FEh FFh +>>>>>(1.s+3) ubyte <0xF2 8086 relocatable (Microsoft) #!:mime application/octet-stream !:mime application/x-object !:ext obj/o/a # T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or # "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ ->>>>>3 pstring x \b, "%s" +>>>>>>3 pstring x \b, "%s" # data length probably lower 256 according to TrID obj_omf.trid.xml ->>>>>1 uleshort x \b, 1st record data length %u +>>>>>>1 uleshort x \b, 1st record data length %u # checksum -#>>>>>(3.b+4) ubyte x \b, checksum %#2.2x +#>>>>>>(3.b+4) ubyte x \b, checksum %#2.2x # second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF ->>>>>(1.s+3) ubyte x \b, 2nd record type %#x ->>>>>(1.s+4) uleshort x \b, 2nd record data length %u -0 leshort 0xff65 x.out +# highest F1h~Library End Record +>>>>>>(1.s+3) ubyte x \b, 2nd record type %#x +>>>>>>(1.s+4) uleshort x \b, 2nd record data length %u + +# Microsoft Xenix archive header +0 leshort 0xff65 Microsoft x.out >2 string __.SYMDEF randomized >0 byte x archive -0 leshort 0x206 Microsoft a.out ->8 leshort 1 Middle model + +# Microsoft Xenix x.out header +# Used by Xenix and also by Windows/386 2.x for WIN386.386 file +# URL: http://www.polarhome.com/service/man/?qf=a.out&tf=2&of=Xenix +# http://lock.cmpxchg8b.com/files/a.out.h +# https://www.geoffchappell.com/notes/windows/retro/win386.htm +# Big-endian examples: +# - static executables for Xenix V2.x from Motorola 6800 files in IMD tar archive: +# https://github.com/pski/model2archive/blob/master/Software/Xenix/Xenix_Games/GAMES1.IMD +# Little-endian examples: +# - static 
executables from Windows/386 2.x: WIN386.386, CGA.386, EGA.386, CTVGA.386, HERCULES.386, 8514.386 +# - static executables from SCO Xenix 2.1.3 for 8086: /bin/vi, /bin/file, ... +# - standalone kernel executables from SCO Xenix 2.1.3 for 8086: /boot, /dos, /xenix +0 leshort 0x206 +>0x1c byte&0xc0 =0x40 Microsoft x.out little-endian +>>0 use microsoft-x.out +0 beshort 0x206 +>0x1c byte&0xc0 =0x00 Microsoft x.out PDP-11-endian +# PDP-11-endian is not supported by magic "use" keyword yet but because +# we do not use long and quad types, we can parse it as big-endian +>>0 use \^microsoft-x.out +>0x1c byte&0xc0 =0x80 Microsoft x.out big-endian +>>0 use \^microsoft-x.out +0 name microsoft-x.out +# Parse type mask >0x1e leshort &0x10 overlay >0x1e leshort &0x2 separate >0x1e leshort &0x4 pure >0x1e leshort &0x800 segmented ->0x1e leshort &0x400 standalone ->0x1e leshort &0x8 fixed-stack ->0x1c byte &0x80 byte-swapped ->0x1c byte &0x40 word-swapped ->0x10 lelong >0 not-stripped ->0x1e leshort ^0xc000 pre-SysV ->0x1e leshort &0x4000 V2.3 ->0x1e leshort &0x8000 V3.0 ->0x1c byte &0x4 86 ->0x1c byte &0xb 186 ->0x1c byte &0x9 286 ->0x1c byte &0xa 386 ->0x1f byte <0x040 small model ->0x1f byte =0x048 large model ->0x1f byte =0x049 huge model ->0x1e leshort &0x1 executable ->0x1e leshort ^0x1 object file ->0x1e leshort &0x40 Large Text ->0x1e leshort &0x20 Large Data ->0x1e leshort &0x120 Huge Objects Enabled ->0x10 lelong >0 not stripped +>0x1e clear x +>0x1e leshort&0x501 =0x001 static executable +>0x1e leshort&0x501 =0x100 shared library module +>0x1e leshort&0x501 =0x101 dynamic executable +>0x1e leshort&0x501 =0x401 standalone kernel executable +>0x1e leshort&0x501 =0x500 virtual kernel module +>0x1e default x unknown binary type +# Parse OS type and OS version mask +>0x1e leshort&0xc000 =0x0000 for pre-SysV +>0x1e leshort&0xc000 =0x4000 for Xenix V2.x +>0x1e leshort&0xc000 =0x8000 for Xenix V3.x +>0x1e leshort&0xc000 =0xc000 +>>0x1e leshort ^0x800 for Xenix V5.x +>>0x1e 
leshort &0x800 +>>>2 leshort =0x2c +>>>>0x46 ubyte 1 +>>>>>0x47 ubyte 0 for Xenix V2.x +>>>>>0x47 ubyte 1 for Xenix V3.x +>>>>>0x47 ubyte 2 for Xenix V5.x +# little-endian segmented static executable for Intel i386 with OS type 1 and +# OS version 2 is used also by Windows/386 2.x for *.386 files (e.g. WIN386.386) +>>>>>>0x1c ulequad&0x3fff00ff =0x0801004a or Windows/386 2.x +>>>>0x46 ubyte 2 for iRMX +>>>>0x46 ubyte 3 for Concurrent CP/M +# Parse CPU mask +>0x1c byte&0x3f =0x01 \b, PDP-11 +>0x1c byte&0x3f =0x02 \b, PDP-11/23 +>0x1c byte&0x3f =0x03 \b, Zilog Z8000 +>0x1c byte&0x3f =0x04 \b, Intel 8086 +>0x1c byte&0x3f =0x05 \b, Motorola 6800 +>0x1c byte&0x3f =0x06 \b, Zilog Z80 +>0x1c byte&0x3f =0x07 \b, VAX 780/750 +>0x1c byte&0x3f =0x08 \b, NS16032 +>0x1c byte&0x3f =0x09 \b, Intel i286 +>0x1c byte&0x3f =0x0a \b, Intel i386 +>0x1c byte&0x3f =0x0b \b, Intel i186 +>0x1c byte&0x3f =0x29 \b, Intel i286 +# Parse other flags +# /bin/file from SCO Xenix 2.1.3 for 8086 reports bit 0x40 as Middle model +# even that in a.out.h is this defined as large model text, so do same +>0x1e leshort &0x40 \b, Middle model +# following long check works in any endianity (including PDP-11) +>0x10 lelong !0 \b, not stripped +# Flags for debugging +#>0x1c byte &0x40 \b, words swapped (differs from PDP-11) +#>0x1c byte &0x80 \b, bytes swapped (differs from PDP-11) +#>0x1e leshort &0x1 \b, executable +#>0x1e leshort &0x2 \b, separate I&D +#>0x1e leshort &0x4 \b, pure text +#>0x1e leshort &0x8 \b, fixed stack +#>0x1e leshort &0x10 \b, text overlay +#>0x1e leshort &0x20 \b, large model data +#>0x1e leshort &0x40 \b, large model text +#>0x1e leshort &0x80 \b, FPU required +#>0x1e leshort &0x100 \b, virtual module / huge model data +#>0x1e leshort &0x200 \b, iterated text/data present +#>0x1e leshort &0x400 \b, absolute memory image +#>0x1e leshort &0x800 \b, segment table present +#>0x1e leshort &0x1000 \b, advisory locking +#>0x1e leshort &0x2000 \b, needs 5.3 functionality +# Microsoft Xenix 
a.out header +# URL: http://www.polarhome.com/service/man/?qf=a.out&tf=2&of=Xenix +# http://lock.cmpxchg8b.com/files/a.out.h +# FIXME: Below magic definition is probably wrong, it does not match struct aexec from a.out.h 0 leshort 0x140 old Microsoft 8086 x.out >0x3 byte &0x4 separate >0x3 byte &0x2 pure @@ -80,6 +151,10 @@ >0 byte ^0x1 relocatable >0x14 lelong >0 not stripped +# Microsoft Xenix b.out header +# URL: http://www.polarhome.com/service/man/?qf=a.out&tf=2&of=Xenix +# http://lock.cmpxchg8b.com/files/a.out.h +# FIXME: Below magic definition is probably wrong, it does not match struct bexec from a.out.h 0 lelong 0x206 b.out >0x1e leshort &0x10 overlay >0x1e leshort &0x2 separate @@ -90,13 +165,14 @@ >0x1e leshort ^0x1 object file >0x1e leshort &0x4000 V2.3 >0x1e leshort &0x8000 V3.0 ->0x1c byte &0x4 86 ->0x1c byte &0xb 186 ->0x1c byte &0x9 286 ->0x1c byte &0x29 286 ->0x1c byte &0xa 386 +>0x1c byte &0x4 8086 +>0x1c byte &0xb i186 +>0x1c byte &0x9 i286 +>0x1c byte &0x29 i286 +>0x1c byte &0xa i386 >0x1e leshort &0x4 Large Text >0x1e leshort &0x2 Large Data >0x1e leshort &0x102 Huge Objects Enabled -0 leshort 0x580 XENIX 8086 relocatable or 80286 small model +0 leshort 0x580 XENIX 8086 relocatable or i286 small model +# GRR: line above is too general as it catches also all 8086 relocatable (Microsoft) with 1st record data length 5 C0M.OBJ C0T.OBJ C0S.OBJ diff --git a/contrib/file/magic/Magdir/xilinx b/contrib/file/magic/Magdir/xilinx index b5443cbfd278..3476e5181236 100644 --- a/contrib/file/magic/Magdir/xilinx +++ b/contrib/file/magic/Magdir/xilinx @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xilinx,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: xilinx,v 1.12 2024/09/04 19:06:12 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 
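Review bot: The comment above `>>0 use \^microsoft-x.out` says the PDP-11 case can be parsed as big-endian "because we do not use long and quad types", but the `microsoft-x.out` block added in this hunk reads `>0x10 lelong !0` and `>>>>>>0x1c ulequad&0x3fff00ff`, and `\^` byte-swaps both. The `lelong !0` test is endian-neutral, as its own comment says, and the quad test targets a little-endian Windows/386 value only. The comment should state that instead, for example `# long/quad tests below are endian-neutral (!0) or little-endian only, so parsing PDP-11 as big-endian is safe`. Separately, the CPU label `Motorola 6800` for value 0x05 may be meant as 68000; worth confirming against the referenced a.out.h.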
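Review bot: The b.out CPU lines in the `@@ -90,13 +165,14 @@` hunk only rename the labels and keep the `&` bit tests (`>0x1c byte &0x4`, `&0xb`, `&0x9`, `&0x29`, `&0xa`). Those match whenever all listed bits are set, so a CPU byte of 0x0b would print `i186 i286 i386` together. The x.out block added earlier in this commit switched to masked equality; the same form here, e.g. `>0x1c byte&0x3f =0x0b i186`, would print exactly one CPU. The added FIXME already questions this entry's layout, so treat the offsets as unverified. The b.out entry begins in the previous hunk.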
@@ -14,27 +14,68 @@ >2 belong =0x0ff00ff0 >>&0 belong =0x0ff00ff0 >>>&0 byte =0x00 ->>>&1 beshort =0x0001 ->>>&3 string a Xilinx BIT data +>>>>&1 beshort =0x0001 +>>>>>&3 string a Xilinx BIT data # Next is a Pascal-style string with the NCD name. We want to capture that. ->>>>&0 pstring/H x - from %s +>>>>>>&0 pstring/H x - from %s # And then 'b' ->>>>>&1 string b +>>>>>>>&1 string b # Then the model / part number: ->>>>>>&0 pstring/H x - for %s +>>>>>>>>&0 pstring/H x - for %s # Then 'c' ->>>>>>>&1 string c +>>>>>>>>>&1 string c # Then the build-date ->>>>>>>>&0 pstring/H x - built %s +>>>>>>>>>>&0 pstring/H x - built %s # Then 'd' ->>>>>>>>>&1 string d +>>>>>>>>>>>&1 string d # Then the build-time ->>>>>>>>>>&0 pstring/H x \b(%s) +>>>>>>>>>>>>&0 pstring/H x \b(%s) # Then 'e' ->>>>>>>>>>>&1 string e +>>>>>>>>>>>>>&1 string e # And length of data ->>>>>>>>>>>>&0 belong x - data length %#x +>>>>>>>>>>>>>>&0 belong x - data length %#x # Raw bitstream files 0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) + +# AXLF (xclbin) files used by AMD/Xilinx accelerators. +# The file format is defined by XRT source tree: +# https://github.com/Xilinx/XRT/blob/master/src/runtime_src/core/include/xclbin.h +# Display file size, creation date, accelerator shell name, xclbin uuid and +# number of sections. 
+ +0 string xclbin2 AMD/Xilinx accelerator AXLF (xclbin) file +>0x130 lequad x \b, %lld bytes +>0x138 leqdate x \b, created %s +>0x160 string >0 \b, shell "%.64s" +>0x1a0 ubelong x \b, uuid %08x +>0x1a4 ubeshort x \b-%04x +>0x1a6 ubeshort x \b-%04x +>0x1a8 ubeshort x \b-%04x +>0x1aa ubelong x \b-%08x +>0x1ae ubeshort x \b%04x +>0x1c0 lelong x \b, %d sections + +# Xilinx Boot Image files +# File format spec is from Xilinx UG1283 +# https://docs.xilinx.com/r/en-US/ug1283-bootgen-user-guide +0x20 lelong 0xAA995566 +>0x24 lelong 0x584c4e58 Xilinx Boot Image +>>0x0 lelong 0xEAFFFFFE \b, 32-bit +>>0x0 lelong 0x14000000 \b, 64-bit +>>0x28 lelong 0x00000000 \b, unencrypted +>>0x28 lelong 0xA5C3C5A5 \b, black key in efuse +>>0x28 lelong 0xA5C3C5A7 \b, obfuscated key in efuse +>>0x28 lelong 0x3A5C3C5A \b, red key in bbram +>>0x28 lelong 0xA5C3C5A3 \b, efuse red key in efuse +>>0x28 lelong 0xA35C7CA5 \b, obfuscated key in boot header +>>0x28 lelong 0xA3A5C3C5 \b, user key in boot header +>>0x28 lelong 0xA35C7C53 \b, black key in boot header +>>0x2C lelong 0x01010000 \b, Zynq 7000 SoC +!:mime application/x-xilinx-boot-zynq +>>>0x34 ulelong >0 \b, FSBL size %#x bytes +>>0x2C lelong !0x01010000 \b, Zynq UltraScale+ MPSoC +!:mime application/x-xilinx-boot-zynqmp +>>>0x34 ulelong >0 \b, PMU size %#x bytes +>>>0x3C ulelong >0 \b, FSBL size %#x bytes diff --git a/contrib/file/magic/Magdir/xo65 b/contrib/file/magic/Magdir/xo65 index 7b38818e090b..f7b555f59f1d 100644 --- a/contrib/file/magic/Magdir/xo65 +++ b/contrib/file/magic/Magdir/xo65 @@ -1,6 +1,7 @@ #------------------------------------------------------------------------------ -# $File: xo65,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File: xo65,v 1.5 2022/07/17 15:36:20 christos Exp $ +# https://cc65.github.io/doc/sim65.html # xo65 object files # From: "Ullrich von Bassewitz" <uz@cc65.org> # 
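Review bot: The key-source tests at `>>0x28` in the new Xilinx Boot Image entry enumerate eight known values and print nothing for any other value, so an image with an unrecognised encryption-status word is described with no key information at all. For firmware triage it helps to make that case explicit: put `>>0x28 clear x` before the first `>>0x28 lelong` line and `>>0x28 default x \b, unknown key source` after the last. That is the same clear/default pattern the yara and xenix fragments in this commit use. Whether the eight listed values are exhaustive for UG1283 is not visible here.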
@@ -28,3 +29,9 @@ >6 leshort&0x0003 =0x0001 alignment 2 >6 leshort&0x0003 =0x0002 alignment 4 >6 leshort&0x0003 =0x0003 alignment 256 + +# sim65 executable files +0 string \x73\x69\x6d\x36\x35 sim65 executable, +>5 byte x version %d, +>6 leshort&0x0000 =0x0000 6502 +>6 leshort&0x0001 =0x0001 65C02 diff --git a/contrib/file/magic/Magdir/yara b/contrib/file/magic/Magdir/yara index 6156cc63bc3d..70edc815e011 100644 --- a/contrib/file/magic/Magdir/yara +++ b/contrib/file/magic/Magdir/yara @@ -1,17 +1,17 @@ #------------------------------------------------------------------------------ -# $File: yara,v 1.4 2021/04/26 15:56:00 christos Exp $ +# $File: yara,v 1.5 2024/09/04 19:06:12 christos Exp $ # yara: file(1) magic for https://virustotal.github.io/yara/ # 0 string YARA >4 lelong >2047 ->8 byte <20 YARA 3.x compiled rule set +>>8 byte <20 YARA 3.x compiled rule set # version ->>8 clear x ->>8 byte 6 created with version 3.3.0 ->>8 byte 8 created with version 3.4.0 ->>8 byte 11 created with version 3.5.0 ->>8 default x ->>>8 byte x development version %#02x +>>>8 clear x +>>>8 byte 6 created with version 3.3.0 +>>>8 byte 8 created with version 3.4.0 +>>>8 byte 11 created with version 3.5.0 +>>>8 default x +>>>>8 byte x development version %#02x diff --git a/contrib/file/magic/Makefile.am b/contrib/file/magic/Makefile.am index fafa9b7d0fb1..e0f90343fc89 100644 --- a/contrib/file/magic/Makefile.am +++ b/contrib/file/magic/Makefile.am @@ -1,5 +1,5 @@ # -# $File: Makefile.am,v 1.178 2022/04/02 14:47:42 christos Exp $ +# $File: Makefile.am,v 1.192 2024/10/02 01:45:32 christos Exp $ # MAGIC_FRAGMENT_BASE = Magdir MAGIC_DIR = $(top_srcdir)/magic @@ -53,6 +53,7 @@ $(MAGIC_FRAGMENT_DIR)/bout \ $(MAGIC_FRAGMENT_DIR)/bsdi \ $(MAGIC_FRAGMENT_DIR)/bsi \ $(MAGIC_FRAGMENT_DIR)/btsnoop \ +$(MAGIC_FRAGMENT_DIR)/burp \ $(MAGIC_FRAGMENT_DIR)/bytecode \ $(MAGIC_FRAGMENT_DIR)/c-lang \ $(MAGIC_FRAGMENT_DIR)/c64 \ 
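Review bot: The first CPU line of the new sim65 entry, `>6 leshort&0x0000 =0x0000 6502`, masks the value to zero and therefore always matches, so a 65C02 image is reported as `6502 65C02`. Testing the same bit as the following line fixes it: `>6 leshort&0x0001 =0x0000 6502`. If the CPU type is a single byte in the sim65 header (not visible here), a `byte` test at offset 6 would also avoid reading the neighbouring field.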
@@ -91,8 +92,8 @@ $(MAGIC_FRAGMENT_DIR)/dif \ $(MAGIC_FRAGMENT_DIR)/diff \ $(MAGIC_FRAGMENT_DIR)/digital \ $(MAGIC_FRAGMENT_DIR)/dolby \ -$(MAGIC_FRAGMENT_DIR)/dsf \ $(MAGIC_FRAGMENT_DIR)/dump \ +$(MAGIC_FRAGMENT_DIR)/dwarfs \ $(MAGIC_FRAGMENT_DIR)/dyadic \ $(MAGIC_FRAGMENT_DIR)/ebml \ $(MAGIC_FRAGMENT_DIR)/edid \ @@ -107,6 +108,7 @@ $(MAGIC_FRAGMENT_DIR)/esri \ $(MAGIC_FRAGMENT_DIR)/fcs \ $(MAGIC_FRAGMENT_DIR)/filesystems \ $(MAGIC_FRAGMENT_DIR)/finger \ +$(MAGIC_FRAGMENT_DIR)/firmware \ $(MAGIC_FRAGMENT_DIR)/flash \ $(MAGIC_FRAGMENT_DIR)/flif \ $(MAGIC_FRAGMENT_DIR)/fonts \ @@ -119,6 +121,7 @@ $(MAGIC_FRAGMENT_DIR)/fusecompress \ $(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/gcc \ $(MAGIC_FRAGMENT_DIR)/gconv \ +$(MAGIC_FRAGMENT_DIR)/gentoo \ $(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/gimp \ @@ -154,9 +157,11 @@ $(MAGIC_FRAGMENT_DIR)/karma \ $(MAGIC_FRAGMENT_DIR)/kde \ $(MAGIC_FRAGMENT_DIR)/keepass \ $(MAGIC_FRAGMENT_DIR)/kerberos \ +$(MAGIC_FRAGMENT_DIR)/keyman \ $(MAGIC_FRAGMENT_DIR)/kicad \ $(MAGIC_FRAGMENT_DIR)/kml \ $(MAGIC_FRAGMENT_DIR)/lammps \ +$(MAGIC_FRAGMENT_DIR)/lauterbach \ $(MAGIC_FRAGMENT_DIR)/lecter \ $(MAGIC_FRAGMENT_DIR)/lex \ $(MAGIC_FRAGMENT_DIR)/lif \ @@ -225,13 +230,13 @@ $(MAGIC_FRAGMENT_DIR)/os2 \ $(MAGIC_FRAGMENT_DIR)/os400 \ $(MAGIC_FRAGMENT_DIR)/os9 \ $(MAGIC_FRAGMENT_DIR)/osf1 \ +$(MAGIC_FRAGMENT_DIR)/pack \ $(MAGIC_FRAGMENT_DIR)/palm \ $(MAGIC_FRAGMENT_DIR)/parix \ $(MAGIC_FRAGMENT_DIR)/parrot \ $(MAGIC_FRAGMENT_DIR)/pascal \ $(MAGIC_FRAGMENT_DIR)/pbf \ $(MAGIC_FRAGMENT_DIR)/pbm \ -$(MAGIC_FRAGMENT_DIR)/pc88 \ $(MAGIC_FRAGMENT_DIR)/pc98 \ $(MAGIC_FRAGMENT_DIR)/pci_ids \ $(MAGIC_FRAGMENT_DIR)/pcjr \ @@ -243,6 +248,7 @@ $(MAGIC_FRAGMENT_DIR)/pgp \ $(MAGIC_FRAGMENT_DIR)/pgp-binary-keys \ $(MAGIC_FRAGMENT_DIR)/pkgadd \ $(MAGIC_FRAGMENT_DIR)/plan9 \ +$(MAGIC_FRAGMENT_DIR)/playdate \ $(MAGIC_FRAGMENT_DIR)/plus5 \ $(MAGIC_FRAGMENT_DIR)/pmem \ $(MAGIC_FRAGMENT_DIR)/polyml \ 
@@ -257,6 +263,7 @@ $(MAGIC_FRAGMENT_DIR)/pyramid \ $(MAGIC_FRAGMENT_DIR)/python \ $(MAGIC_FRAGMENT_DIR)/qt \ $(MAGIC_FRAGMENT_DIR)/revision \ +$(MAGIC_FRAGMENT_DIR)/ringdove \ $(MAGIC_FRAGMENT_DIR)/riff \ $(MAGIC_FRAGMENT_DIR)/rpi \ $(MAGIC_FRAGMENT_DIR)/rpm \ @@ -264,6 +271,7 @@ $(MAGIC_FRAGMENT_DIR)/rpmsg \ $(MAGIC_FRAGMENT_DIR)/rtf \ $(MAGIC_FRAGMENT_DIR)/rst \ $(MAGIC_FRAGMENT_DIR)/ruby \ +$(MAGIC_FRAGMENT_DIR)/rust \ $(MAGIC_FRAGMENT_DIR)/sc \ $(MAGIC_FRAGMENT_DIR)/sccs \ $(MAGIC_FRAGMENT_DIR)/scientific \ @@ -289,7 +297,9 @@ $(MAGIC_FRAGMENT_DIR)/sql \ $(MAGIC_FRAGMENT_DIR)/ssh \ $(MAGIC_FRAGMENT_DIR)/ssl \ $(MAGIC_FRAGMENT_DIR)/statistics \ +$(MAGIC_FRAGMENT_DIR)/subtitle \ $(MAGIC_FRAGMENT_DIR)/sun \ +$(MAGIC_FRAGMENT_DIR)/svf \ $(MAGIC_FRAGMENT_DIR)/sylk \ $(MAGIC_FRAGMENT_DIR)/symbos \ $(MAGIC_FRAGMENT_DIR)/sysex \ @@ -311,6 +321,7 @@ $(MAGIC_FRAGMENT_DIR)/unknown \ $(MAGIC_FRAGMENT_DIR)/usd \ $(MAGIC_FRAGMENT_DIR)/uterus \ $(MAGIC_FRAGMENT_DIR)/uuencode \ +$(MAGIC_FRAGMENT_DIR)/uxn \ $(MAGIC_FRAGMENT_DIR)/vacuum-cleaner \ $(MAGIC_FRAGMENT_DIR)/varied.out \ $(MAGIC_FRAGMENT_DIR)/varied.script \ diff --git a/contrib/file/magic/Makefile.in b/contrib/file/magic/Makefile.in index 2b1b3f1842de..5774badc4bbf 100644 --- a/contrib/file/magic/Makefile.in +++ b/contrib/file/magic/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -165,8 +165,9 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAG_VISIBILITY = @CFLAG_VISIBILITY@ -CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ 
@@ -177,8 +178,10 @@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GREP = @GREP@ HAVE_VISIBILITY = @HAVE_VISIBILITY@ INSTALL = @INSTALL@ @@ -265,6 +268,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -275,7 +279,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ # -# $File: Makefile.am,v 1.178 2022/04/02 14:47:42 christos Exp $ +# $File: Makefile.am,v 1.192 2024/10/02 01:45:32 christos Exp $ # MAGIC_FRAGMENT_BASE = Magdir MAGIC_DIR = $(top_srcdir)/magic @@ -327,6 +331,7 @@ $(MAGIC_FRAGMENT_DIR)/bout \ $(MAGIC_FRAGMENT_DIR)/bsdi \ $(MAGIC_FRAGMENT_DIR)/bsi \ $(MAGIC_FRAGMENT_DIR)/btsnoop \ +$(MAGIC_FRAGMENT_DIR)/burp \ $(MAGIC_FRAGMENT_DIR)/bytecode \ $(MAGIC_FRAGMENT_DIR)/c-lang \ $(MAGIC_FRAGMENT_DIR)/c64 \ @@ -365,8 +370,8 @@ $(MAGIC_FRAGMENT_DIR)/dif \ $(MAGIC_FRAGMENT_DIR)/diff \ $(MAGIC_FRAGMENT_DIR)/digital \ $(MAGIC_FRAGMENT_DIR)/dolby \ -$(MAGIC_FRAGMENT_DIR)/dsf \ $(MAGIC_FRAGMENT_DIR)/dump \ +$(MAGIC_FRAGMENT_DIR)/dwarfs \ $(MAGIC_FRAGMENT_DIR)/dyadic \ $(MAGIC_FRAGMENT_DIR)/ebml \ $(MAGIC_FRAGMENT_DIR)/edid \ @@ -381,6 +386,7 @@ $(MAGIC_FRAGMENT_DIR)/esri \ $(MAGIC_FRAGMENT_DIR)/fcs \ $(MAGIC_FRAGMENT_DIR)/filesystems \ $(MAGIC_FRAGMENT_DIR)/finger \ +$(MAGIC_FRAGMENT_DIR)/firmware \ $(MAGIC_FRAGMENT_DIR)/flash \ $(MAGIC_FRAGMENT_DIR)/flif \ $(MAGIC_FRAGMENT_DIR)/fonts \ @@ -393,6 +399,7 @@ $(MAGIC_FRAGMENT_DIR)/fusecompress \ $(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/gcc \ $(MAGIC_FRAGMENT_DIR)/gconv \ +$(MAGIC_FRAGMENT_DIR)/gentoo \ $(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/gimp \ 
@@ -428,9 +435,11 @@ $(MAGIC_FRAGMENT_DIR)/karma \ $(MAGIC_FRAGMENT_DIR)/kde \ $(MAGIC_FRAGMENT_DIR)/keepass \ $(MAGIC_FRAGMENT_DIR)/kerberos \ +$(MAGIC_FRAGMENT_DIR)/keyman \ $(MAGIC_FRAGMENT_DIR)/kicad \ $(MAGIC_FRAGMENT_DIR)/kml \ $(MAGIC_FRAGMENT_DIR)/lammps \ +$(MAGIC_FRAGMENT_DIR)/lauterbach \ $(MAGIC_FRAGMENT_DIR)/lecter \ $(MAGIC_FRAGMENT_DIR)/lex \ $(MAGIC_FRAGMENT_DIR)/lif \ @@ -499,13 +508,13 @@ $(MAGIC_FRAGMENT_DIR)/os2 \ $(MAGIC_FRAGMENT_DIR)/os400 \ $(MAGIC_FRAGMENT_DIR)/os9 \ $(MAGIC_FRAGMENT_DIR)/osf1 \ +$(MAGIC_FRAGMENT_DIR)/pack \ $(MAGIC_FRAGMENT_DIR)/palm \ $(MAGIC_FRAGMENT_DIR)/parix \ $(MAGIC_FRAGMENT_DIR)/parrot \ $(MAGIC_FRAGMENT_DIR)/pascal \ $(MAGIC_FRAGMENT_DIR)/pbf \ $(MAGIC_FRAGMENT_DIR)/pbm \ -$(MAGIC_FRAGMENT_DIR)/pc88 \ $(MAGIC_FRAGMENT_DIR)/pc98 \ $(MAGIC_FRAGMENT_DIR)/pci_ids \ $(MAGIC_FRAGMENT_DIR)/pcjr \ @@ -517,6 +526,7 @@ $(MAGIC_FRAGMENT_DIR)/pgp \ $(MAGIC_FRAGMENT_DIR)/pgp-binary-keys \ $(MAGIC_FRAGMENT_DIR)/pkgadd \ $(MAGIC_FRAGMENT_DIR)/plan9 \ +$(MAGIC_FRAGMENT_DIR)/playdate \ $(MAGIC_FRAGMENT_DIR)/plus5 \ $(MAGIC_FRAGMENT_DIR)/pmem \ $(MAGIC_FRAGMENT_DIR)/polyml \ @@ -531,6 +541,7 @@ $(MAGIC_FRAGMENT_DIR)/pyramid \ $(MAGIC_FRAGMENT_DIR)/python \ $(MAGIC_FRAGMENT_DIR)/qt \ $(MAGIC_FRAGMENT_DIR)/revision \ +$(MAGIC_FRAGMENT_DIR)/ringdove \ $(MAGIC_FRAGMENT_DIR)/riff \ $(MAGIC_FRAGMENT_DIR)/rpi \ $(MAGIC_FRAGMENT_DIR)/rpm \ @@ -538,6 +549,7 @@ $(MAGIC_FRAGMENT_DIR)/rpmsg \ $(MAGIC_FRAGMENT_DIR)/rtf \ $(MAGIC_FRAGMENT_DIR)/rst \ $(MAGIC_FRAGMENT_DIR)/ruby \ +$(MAGIC_FRAGMENT_DIR)/rust \ $(MAGIC_FRAGMENT_DIR)/sc \ $(MAGIC_FRAGMENT_DIR)/sccs \ $(MAGIC_FRAGMENT_DIR)/scientific \ @@ -563,7 +575,9 @@ $(MAGIC_FRAGMENT_DIR)/sql \ $(MAGIC_FRAGMENT_DIR)/ssh \ $(MAGIC_FRAGMENT_DIR)/ssl \ $(MAGIC_FRAGMENT_DIR)/statistics \ +$(MAGIC_FRAGMENT_DIR)/subtitle \ $(MAGIC_FRAGMENT_DIR)/sun \ +$(MAGIC_FRAGMENT_DIR)/svf \ $(MAGIC_FRAGMENT_DIR)/sylk \ $(MAGIC_FRAGMENT_DIR)/symbos \ $(MAGIC_FRAGMENT_DIR)/sysex \ 
@@ -585,6 +599,7 @@ $(MAGIC_FRAGMENT_DIR)/unknown \ $(MAGIC_FRAGMENT_DIR)/usd \ $(MAGIC_FRAGMENT_DIR)/uterus \ $(MAGIC_FRAGMENT_DIR)/uuencode \ +$(MAGIC_FRAGMENT_DIR)/uxn \ $(MAGIC_FRAGMENT_DIR)/vacuum-cleaner \ $(MAGIC_FRAGMENT_DIR)/varied.out \ $(MAGIC_FRAGMENT_DIR)/varied.script \ @@ -695,7 +710,6 @@ ctags CTAGS: cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am |