diff options
Diffstat (limited to 'contrib/file/magic')
167 files changed, 14918 insertions, 3169 deletions
diff --git a/contrib/file/magic/Magdir/acorn b/contrib/file/magic/Magdir/acorn index 4aa34551a74b..37a4ed79e56e 100644 --- a/contrib/file/magic/Magdir/acorn +++ b/contrib/file/magic/Magdir/acorn @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: acorn,v 1.7 2019/04/19 00:42:27 christos Exp $ +# $File: acorn,v 1.8 2021/04/26 15:56:00 christos Exp $ # acorn: file(1) magic for files found on Acorn systems # @@ -90,13 +90,13 @@ # null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo >>>9 string x \b, root "%s" # load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time ->>>>&1 ulelong x \b, load address 0x%x +>>>>&1 ulelong x \b, load address %#x # execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC ->>>>&5 ulelong x \b, exec address 0x%x +>>>>&5 ulelong x \b, exec address %#x # attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) ->>>>&9 ulelong x \b, attributes 0x%x +>>>>&9 ulelong x \b, attributes %#x # number of entries in this directory. for root dir 0 -#>>>&13 ulelong x \b, entries 0x%x +#>>>&13 ulelong x \b, entries %#x # the entries start here with object name >>>>&17 string x \b, 1st object "%s" diff --git a/contrib/file/magic/Magdir/aes b/contrib/file/magic/Magdir/aes new file mode 100644 index 000000000000..e5e1edcb1350 --- /dev/null +++ b/contrib/file/magic/Magdir/aes @@ -0,0 +1,29 @@ + +#------------------------------------------------------------------------------ +# $File: aes,v 1.1 2020/08/18 21:20:22 christos Exp $ +# +# aes: magic file for AES encrypted files + +# Summary: AES Crypt Encrypted Data File +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard +# Reference: https://www.aescrypt.com/aes_file_format.html +0 string AES +>3 ubyte <3 AES encrypted data, version %u +#!:mime application/aes +!:mime application/x-aes-encrypted +!:ext aes +# For Version 2 the encrypted file can have text tags +>>3 ubyte =2 +# length of an extension identifier and contents like: 0 24 33 38 +#>>5 ubeshort x \b, tag length %u +#>>5 pstring/H x '%s' +# standard extension tags like CREATED_BY +>>>7 string CREATED_BY \b, created by +# software product, manufacturer like "SharpAESCrypt v1.3.3.0" "aescrypt (Windows GUI) 3.10" ... +>>>>&1 string x "%s" +# TODO: more other tags +# tag CREATED_DATE like YYYY-MM-DD +# tag CREATED_TIME like HH:MM:SS +# + diff --git a/contrib/file/magic/Magdir/algol68 b/contrib/file/magic/Magdir/algol68 index 3675b840e3b6..1ca1fad2113c 100644 --- a/contrib/file/magic/Magdir/algol68 +++ b/contrib/file/magic/Magdir/algol68 @@ -1,19 +1,35 @@ #------------------------------------------------------------------------------ -# $File: algol68,v 1.3 2018/10/19 01:04:21 christos Exp $ +# $File: algol68,v 1.6 2022/11/06 18:36:55 christos Exp $ # algol68: file(1) magic for Algol 68 source # -0 search/8192 (input, Algol 68 source text -!:mime text/x-Algol68 -0 regex/1024 \^PROC Algol 68 source text -!:mime text/x-Algol68 -0 regex/1024 \bMODE[\t\ ] Algol 68 source text -!:mime text/x-Algol68 -0 regex/1024 \bREF[\t\ ] Algol 68 source text -!:mime text/x-Algol68 -0 regex/1024 \bFLEX[\t\ ]\*\\[ Algol 68 source text +# URL: https://en.wikipedia.org/wiki/ALGOL_68 +# Reference: http://www.softwarepreservation.org/projects/ALGOL/report/Algol68_revised_report-AB.pdf +# Update: Joerg Jenderek +0 search/8192 (input, +>0 use algol_68 +# graph_2d.a68 +0 regex/4006 \^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]= +>0 use algol_68 +0 regex/1024 \bMODE[\t\ ] +>0 use algol_68 +0 regex/1024 \bMODE[\t\ ] +>0 use algol_68 +0 regex/1024 \bREF[\t\ ] +>0 use algol_68 +0 regex/1024 \bFLEX[\t\ ]\*\\[ +>0 use algol_68 + +# display information like mime type and file name extension of Algol 68 source text +0 name algol_68 Algol 68 source text !:mime text/x-Algol68 +# https://file-extension.net/seeker/file_extension_a68 +!:ext a68 +#!:ext a68/alg + #0 regex [\t\ ]OD Algol 68 source text +#>0 use algol_68 #!:mime text/x-Algol68 #0 regex [\t\ ]FI Algol 68 source text +#>0 use algol_68 #!:mime text/x-Algol68 diff --git a/contrib/file/magic/Magdir/amigaos b/contrib/file/magic/Magdir/amigaos index e719921ef39f..fdd947fdf7f5 100644 --- a/contrib/file/magic/Magdir/amigaos +++ b/contrib/file/magic/Magdir/amigaos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: amigaos,v 1.17 2018/10/16 18:57:19 christos Exp $ +# $File: amigaos,v 1.20 2021/09/20 00:42:19 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -40,7 +40,62 @@ #26 string V.2 Brian Postma's Soundmon Module sound file v2 # The following are from: "Stefan A. Haubenthal" <polluks@web.de> -0 beshort 0x0f00 AmigaOS bitmap font +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Amiga_bitmap_font +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/font-amiga.trid.xml +# https://wiki.amigaos.net/wiki/Graphics_Library_and_Text +# fch_FileID=FCH_ID=0x0f00 +0 beshort 0x0f00 +# skip some AVM powerline firmware images by check for positive number of font elements +# https://download.avm.de/fritzpowerline/fritzpowerline-1000e-t/other/fritz.os/fritz.powerline_1000ET_01_05.image +>2 ubeshort >0 AmigaOS bitmap font +#!:mime application/octet-stream +!:mime font/x-amiga-font +!:ext font +# struct FontContents fch_FC; 1st fc_FileName [MAXFONTPATH=256]; ~ filename "/" fc_YSize +# like: topazb/6 suits/8 Excel/9e emerald/17 Franklin/23 DIAMONDS/60.8C +>>4 string x "%.256s" +# fc_YSize ~number after slash in fc_FileName; like: 6 7 8 9 11 12 16 17 21 23 45 60 +>>260 beshort x \b, fc_YSize %u +# fch_NumEntries; number of FontContents elements like: +# 1 (often) 2 3 (IconCondensed.font tempfont.font) 4 (Franklin.font) 6 (mcoop.font) +>>2 ubeshort >1 \b, %u elements +#>>2 beshort x \b, %u element +# plural s +#>>2 beshort !1 \bs +# like: 6 7 8 9 11 12 16 17 21 23 45 60 +#>>262 beshort x \b, FLAGS_STYLE +>>2 beshort >1 \b, 2nd +# 2nd fc_FileName like: Franklin/36 +>>>264 string x "%.256s" +>>2 beshort >2 \b, 3rd +# 3rd fc_FileName like: Franklin/18 +>>>524 string x "%.256s" +# URL: http://fileformats.archiveteam.org/wiki/Amiga_bitmap_font +# Reference: https://wiki.amigaos.net/wiki/Graphics_Library_and_Text +# http://mark0.net/download/triddefs_xml.7z/defs/f/font-amiga-var2.trid.xml +# Note: called by TrID "Amiga bitmap Font (var.2)" +# fch_FileID=TFCH_ID=0x0f02 +0 beshort 0x0f02 +# skip possible misidentified foo by check for positive number of font elements +>2 ubeshort >0 AmigaOS bitmap font (TFCH) +#!:mime application/octet-stream +!:mime font/x-amiga-font +!:ext font +# struct TFontContents fch_TFC[]; 1st tfc_FileName [254]; ~ filename "/" fc_YSize +# like: Abbey/45 XScript/75 XTriumvirate/45 +>>4 string x "%.254s" +# tfc_TagCount; including the TAG_END tag like: 4 +>>258 ubeshort x \b, tfc_TagCount %u +# tfc_YSize ~number after slash in tfc_FileName; like: 45 75 +>>260 beshort x \b, tfc_YSize %u +# tfc_Style; tfc_Flags like: 8022h 8222h +#>>262 ubeshort x \b, FLAGS_STYLE %#x +# fch_NumEntries; number of FontContents elements like: 1 (abbey.font) 2 (xscript.font xtriumvirate.font) +>>2 ubeshort >1 \b, %u elements +>>2 beshort >1 \b, 2nd +# 2nd tfc_FileName like: XScript/45 XTriumvirate/30 +>>>264 string x "%.254s" 0 beshort 0x0f03 AmigaOS outline font 0 belong 0x80001001 AmigaOS outline tag 0 string ##\ version catalog translation @@ -49,15 +104,91 @@ 0 string/c @database AmigaGuide file # Amiga disk types +# display information like volume name of root block on Amiga (floppy) disk +0 name adf-rootblock +# block primary type = T_HEADER (value 2) +>0x000 ubelong !2 \b, type %u +# header_key; unused in rootblock (value 0) +>0x004 ubelong !0 \b, header_key %u +# high_seq; unused (value 0) +>0x008 ubelong !0 \b, high_seq %u +# ht_size; hash table size; 0x48 for flopies +>0x00c ubelong !0x48 \b, hash table size %#x +# bm_flag; bitmap flag, -1 means VALID +>0x138 belong !-1 \b, bitmap flag %#x +# bm_ext; first bitmap extension block (Hard disks only) +>0x1A0 ubelong !0 \b, bitmap extension block %#x +# name_len; volume name length; diskname[30]; volume name +>0x1B0 pstring >\0 \b, "%s" +# first directory cache block for FFS; otherwise 0 +>0x1F8 ubelong !0 \b, directory cache block %#x +# block secondary type = ST_ROOT (value 1) +>0x1FC ubelong !1 \b, sec_type %#x # 0 string RDSK Rigid Disk Block >160 string x on %.24s -0 string DOS\0 Amiga DOS disk -0 string DOS\1 Amiga FFS disk -0 string DOS\2 Amiga Inter DOS disk -0 string DOS\3 Amiga Inter FFS disk -0 string DOS\4 Amiga Fastdir DOS disk -0 string DOS\5 Amiga Fastdir FFS disk +# URL: http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# https://en.wikipedia.org/wiki/Amiga_Fast_File_System +# Reference: http://lclevy.free.fr/adflib/adf_info.html +# Update: Joerg Jenderek +# Note: created by ADFOpus.exe +# and verified by `unadf -l TURBO_SILVER_SV.ADF` +0 string DOS +# skip DOS Client Message Files like IPXODI.MSG DOSRQSTR.MSG +>3 ubyte <8 Amiga +# https://reposcope.com/mimetype/application/x-amiga-disk-format +!:mime application/x-amiga-disk-format +!:ext adf +>>3 ubyte 0 DOS disk +>>3 ubyte 1 FFS disk +>>3 ubyte 2 Inter DOS disk +>>3 ubyte 3 Inter FFS disk +# For Fastdir mode the international mode is also enabled, +>>3 ubyte 4 Fastdir DOS disk +>>3 ubyte 5 Fastdir FFS dis +# called by TrID "Amiga Disk image File (OFS+INTL+DIRC)" +>>3 ubyte 6 Inter Fastdir DOS disk +# called by TrID "Amiga Disk image File (FFS+INTL+DIRC)" +>>3 ubyte 7 Inter Fastdir FFS disk +# but according to Wikipedia variants with long name support +#>>3 ubyte 6 long name DOS disk +#>>3 ubyte 7 long name FFS disk +# DOES NOT only work! Partly for file size ~< FILE_BYTES_MAX=1 MiB defined in ../../src/file.h +#>>-0 offset x \b, %lld bytes +# Correct file size, but next lines are NOT executed +#>>-0 offset 901120 (DD 880 KiB floppy) +# 880 KiB Double Density floppy disk by characteristic hash table size 0x48 and T_HEADER=2 +>>0x6E00C ubelong 0x48 +>>>0x6E000 ubelong 2 (DD 880 KiB) +# 1760 KiB High Density floppy disk (1802240 bytes) by characteristic hash table size 0x48 +>>0xDC00C ubelong 0x48 +>>>0xDC000 ubelong 2 (HD 1760 KiB) +# Chksum; special block checksum like: 0 0x44ccf4c0 0x51f32cac 0xe33d0e7d ... +#>>4 ubelong x \b, CRC %#x +# Rootblock: 0 880 (often for DD and HD) 1146049280 (IMAGINE_1_0_DISK_01.ADF TURBO_SILVER_SV.ADF) +>>8 ubelong >0 \b, probably root block %d +# bootblock code +>>12 quad !0 \b, bootable +# assembler instructions: lea exp(pc),a1; moveq 25h,d0; jsr -552(a6) +>>>12 ubequad =0x43fa003e70254eae AmigaDOS 3.0 +>>>12 default x +>>>>12 ubequad !0x43fa003e70254eae %#llx.. +# 880 KiB Double Density floppy disk (901120 bytes) +>>0x6E00C ubelong 0x48 +>>>0x6E000 ubelong 2 +>>>>0x6E000 use adf-rootblock +# 1760 KiB High Density floppy disk (1802240 bytes) +>>0xDC00C ubelong 0x48 +>>>0xDC000 ubelong 2 +>>>>0xDC000 use adf-rootblock +# 1 MiB hard disc by test for T_HEADER=2 and header_key=0=high_seq +>>0x80000 ubelong 2 +>>>0x80004 quad 0 +>>>>0x80000 use adf-rootblock +# 2 MiB hard disc; only works if in ../../src/file.h FILE_BYTES_MAX is raised to 2 MiB +#>>0x100000 ubelong x 2 MiB TEST +#>>0x100000 ubelong 2 \b, 2 MiB hard disc rootblock +#>>>0x100000 use adf-rootblock 0 string KICK Kickstart disk # From: Alex Beregszaszi <alex@fsn.hu> diff --git a/contrib/file/magic/Magdir/android b/contrib/file/magic/Magdir/android index 1265d95925a7..8a2dedf3d2d9 100644 --- a/contrib/file/magic/Magdir/android +++ b/contrib/file/magic/Magdir/android @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.16 2019/11/15 21:03:14 christos Exp $ +# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -24,11 +24,11 @@ >>1028 lelong 0 \b (boot) >>1028 lelong 1 \b (recovery) >8 lelong >0 \b, kernel ->>12 lelong >0 \b (0x%x) +>>12 lelong >0 \b (%#x) >16 lelong >0 \b, ramdisk ->>20 lelong >0 \b (0x%x) +>>20 lelong >0 \b (%#x) >24 lelong >0 \b, second stage ->>28 lelong >0 \b (0x%x) +>>28 lelong >0 \b (%#x) >36 lelong >0 \b, page size: %d >38 string >0 \b, name: %s >64 string >0 \b, cmdline (%s) @@ -64,7 +64,7 @@ # look for backup content after line with encryption info #>>19 search/7 \n # data part after header for not encrypted Android Backup -#>>>&0 ubequad x \b, content 0x%16.16llx... +#>>>&0 ubequad x \b, content %#16.16llx... # look for zlib compressed by ./compress after message with 1 space at end #>>>&0 indirect x \b; contains # look for tar archive block by ./archive for package name manifest @@ -155,9 +155,9 @@ # flags >>>0x0C ulelong&0x00000002 2 \b+RW # partition ID: -# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER +# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW ->>>0x08 ulelong x (0x%x) +>>>0x08 ulelong x (%#x) # filename >>>0x44 string >\0 "%-.64s" #>>>0x18 ulelong >0 @@ -180,7 +180,9 @@ # In include/androidfw/ResourceTypes.h: # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). +# The strength is increased to avoid misidentifying as Targa image data 0 lelong 0x00080003 Android binary XML +!:strength +1 # Android cryptfs footer # From https://android.googlesource.com/\ @@ -188,3 +190,70 @@ 0 lelong 0xd0b5b1c4 Android cryptfs footer >4 leshort x \b, version: %d >6 leshort x \b.%d + +# Android Vdex format +# From https://android.googlesource.com/\ +# platform/art/+/master/runtime/vdex_file.h +0 string vdex Android vdex file, +>4 string >000 verifier deps version: %s, +>8 string >000 dex section version: %s, +>12 lelong >0 number of dex files: %d, +>16 lelong >0 verifier deps size: %d + +# Android Vdex format, dexfile is currently being updated +# by android system +# From https://android.googlesource.com/\ +# platform/art/+/master/dex2oat/dex2oat.cc +0 string wdex Android vdex file, being processed by dex2oat, +>4 string >000 verifier deps version: %s, +>8 string >000 dex section version: %s, +>12 lelong >0 number of dex files: %d, +>16 lelong >0 verifier deps size: %d + +# Disassembled DEX files +0 string/t .class\x20 +>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali) +!:ext smali + +# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileTranscoder.java +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileVersion.java +0 string pro\x00 +>0 regex pro\x000[0-9][0-9]\x00 Android ART profile +!:ext prof +>>4 string 001\x00 \b, version 001 N +>>4 string 005\x00 \b, version 005 O +>>4 string 009\x00 \b, version 009 O MR1 +>>4 string 010\x00 \b, version 010 P +>>4 string 015\x00 \b, version 015 S +0 string prm\x00 +>0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata +!:ext profm +>>4 string 001\x00 \b, version 001 N +>>4 string 002\x00 \b, version 002 + +# Android package resource table (ARSC): resources.arsc +# Reference: https://android.googlesource.com/platform/tools/base/\ +# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\ +# src/main/java/com/google/devrel/gmscore/tools/apk/arsc +# 00: resource table type = 0x0002 (2) + header size = 12 (2) +# 04: chunk size (4, skipped) +# 08: #packages (4) +0 ulelong 0x000c0002 Android package resource table (ARSC) +!:ext arsc +>8 ulelong !1 \b, %d packages +# 12: string pool type = 0x0001 (2) + header size = 28 (2) +# 16: chunk size (4, skipped) +# 20: #strings (4), #styles (4), flags (4) +>12 ulelong 0x001c0001 +>>20 ulelong !0 \b, %d string(s) +>>24 ulelong !0 \b, %d style(s) +>>28 ulelong &1 \b, sorted +>>28 ulelong &256 \b, utf8 + +# extracted APK Signing Block +-16 string APK\x20Sig\x20Block\x2042 APK Signing Block diff --git a/contrib/file/magic/Magdir/animation b/contrib/file/magic/Magdir/animation index 470fdb6f3a6e..aab93ca34a6f 100644 --- a/contrib/file/magic/Magdir/animation +++ b/contrib/file/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.77 2020/04/26 15:23:43 christos Exp $ +# $File: animation,v 1.94 2023/06/16 20:06:50 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -18,8 +18,8 @@ >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime -#4 string wide Apple QuickTime movie (unoptimized) -#!:mime video/quicktime +4 string wide Apple QuickTime movie (unoptimized) +!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) @@ -30,12 +30,14 @@ #!:mime image/x-quicktime 4 string pckg Apple QuickTime compressed archive !:mime application/x-quicktime-player -4 string/W jP JPEG 2000 image -!:mime image/jp2 + +#### MP4 #### # https://www.ftyps.com/ with local additions +# https://cconcolato.github.io/mp4ra/filetype.html 4 string ftyp ISO Media # https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +!:mime video/mp4 >>96 string x \b, Audio "%.4s" >>118 beshort x at %dHz >>140 string x \b, Video "%.4s" @@ -53,11 +55,21 @@ >>11 byte 0x63 \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp ->>11 byte 6 \b, Release 6 MBMS Extended Presentations ->>11 byte 7 \b, Release 7 MBMS Extended Presentations +>>11 byte 6 \b, Release %d MBMS Extended Presentations +>>11 byte 7 \b, Release %d MBMS Extended Presentations +>>11 byte 9 \b, Release %d MBMS Extended Presentations +>8 string 3gf \b, MPEG v4 system, 3GPP +>>11 byte 9 \b, Release %d File-delivery profile >8 string 3gg \b, MPEG v4 system, 3GPP !:mime video/3gpp ->>11 byte 6 \b, Release 6 General Profile +>>11 byte 6 \b, Release %d General Profile +>>11 byte 9 \b, Release %d General Profile +>8 string 3gh \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 9 \b, Release %d Adaptive Streaming Profile +>8 string 3gm \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 9 \b, Release %d Media Segment Profile >8 string 3gp \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 1 \b, Release %d (non existent) @@ -67,16 +79,49 @@ >>11 byte 5 \b, Release %d >>11 byte 6 \b, Release %d >>11 byte 7 \b, Release %d Streaming Servers +>8 string 3gr \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 6 \b, Release %d Progressive Download Profile +>>11 byte 9 \b, Release %d Progressive Download Profile >8 string 3gs \b, MPEG v4 system, 3GPP !:mime video/3gpp +>>11 byte 6 \b, Release %d Streaming Servers >>11 byte 7 \b, Release %d Streaming Servers +>>11 byte 9 \b, Release %d Streaming Servers +>8 string 3gt \b, MPEG v4 system, 3GPP +!:mime video/3gpp +>>11 byte 8 \b, Release %d Media Stream Recording Profile +>>11 byte 9 \b, Release %d Media Stream Recording Profile +>8 string ARRI \b, MPEG v4 system, ARRI Digital Camera +!:mime video/mp4 >8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005] !:mime video/mp4 +>8 string bbxm \b, Blinkbox Master File: H.264 video/16-bit LE LPCM audio +!:mime video/mp4 >8 string/W qt \b, Apple QuickTime movie !:mime video/quicktime >8 string CAEP \b, Canon Digital Camera >8 string caqv \b, Casio Digital Camera >8 string CDes \b, Convergent Design +>8 string caaa \b, CMAF Media Profile - AAC Adaptive Audio +>8 string caac \b, CMAF Media Profile - AAC Core +>8 string caqv \b, Casio Digital Camera Casio +>8 string ccea \b, CMAF Supplemental Data - CEA-608/708 +>8 string ccff \b, Common container file format +>8 string cfhd \b, CMAF Media Profile - AVC HD +>8 string cfsd \b, CMAF Media Profile - AVC SD +>8 string chd1 \b, CMAF Media Profile - HEVC HDR10 +>8 string chdf \b, CMAF Media Profile - AVC HDHF +>8 string chhd \b, CMAF Media Profile - HEVC HHD8 +>8 string chh1 \b, CMAF Media Profile - HEVC HHD10 +>8 string clg1 \b, CMAF Media Profile - HEVC HLG10 +>8 string cmfc \b, CMAF Track Format +>8 string cmff \b, CMAF Fragment Format +>8 string cmfl \b, CMAF Chunk Format +>8 string cmfs \b, CMAF Segment Format +>8 string cud1 \b, CMAF Media Profile - HEVC UHD10 +>8 string cud8 \b, CMAF Media Profile - HEVC UHD8 +>8 string cwvt \b, CMAF Media Profile - WebVTT >8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG >8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images @@ -87,6 +132,12 @@ >8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP >8 string dash \b, MPEG v4 system, Dynamic Adaptive Streaming over HTTP !:mime video/mp4 +>8 string dby1 \b, MP4 files with Dolby content +>8 string dsms \b, Media Segment DASH conformant +>8 string dts1 \b, MP4 track file with audio codecs dtsc dtsh or dtse +>8 string dts2 \b, MP4 track file with audio codec dtsx +>8 string dts3 \b, MP4 track file with audio codec dtsy +>8 string dxo$20 \b, DxO ONE camera >8 string dmb1 \b, DMB MAF supporting all the components defined in the spec >8 string dmpf \b, Digital Media Project >8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4) @@ -99,6 +150,7 @@ >8 string dvr1 \b, DVB (.DVB) over RTP !:mime video/vnd.dvb.file >8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream +>8 string emsg \b, Event message box present !:mime video/vnd.dvb.file >8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V) !:mime video/mp4 @@ -108,12 +160,23 @@ !:mime audio/mp4 >8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B) !:mime audio/mp4 +>8 string ifrm \b, Apple iFrame Specification, Version 8.1 Jan 2013 +>8 string im1i \b, CMAF Media Profile - IMSC1 Image +>8 string im1t \b, CMAF Media Profile - IMSC1 Text >8 string isc2 \b, ISMACryp 2.0 Encrypted File # ?/enc-isoff-generic ->8 string iso2 \b, MP4 Base Media v2 [ISO 14496-12:2005] +>8 string iso \b, MP4 Base Media !:mime video/mp4 ->8 string isom \b, MP4 Base Media v1 [IS0 14496-12:2003] +!:ext mp4 +>>11 string m v1 [ISO 14496-12:2003] +>>11 string 2 v2 [ISO 14496-12:2005] +>>11 string 4 v4 +>>11 string 5 v5 +>>11 string 6 v6 +>8 string isml \b, MP4 Base Media v2 [ISO 14496-12:2005] !:mime video/mp4 +>8 string J2P0 \b, JPEG2000 Profile 0 +>8 string J2P1 \b, JPEG2000 Profile 1 >8 string/W jp2 \b, JPEG 2000 !:mime image/jp2 >8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?] @@ -121,10 +184,13 @@ >8 string JP20 \b, Unknown, from GPAC samples (prob non-existent) >8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6] !:mime image/jpm +>8 string jpsi \b, The JPSearch data interchange format >8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2] !:mime image/jpx >8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones !:mime video/3gpp2 +>8 string LCAG \b, Leica digital camera +>8 string lmsg \b, Last Media Segment indicator for ISO base media file format. >8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio !:mime audio/x-m4a >8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book @@ -140,6 +206,8 @@ >8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile !:mime video/mj2 >8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile +>8 string MFSM \b, Media File for Samsung video Metadata +>8 string MGSV \b, Sony Home and Mobile Multimedia Platform (HMMP) !:mime video/mj2 >8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT) !:mime video/mp4 @@ -153,13 +221,16 @@ >8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12] >8 string mp7t \b, MPEG v4 system, MPEG v7 XML >8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML +>8 string mpuf \b, Compliance with the MMT Processing Unit format +>8 string msdh \b, Media Segment conforming to ISO base media file format. +>8 string msix \b, Media Segment conforming to ISO base media file format. >8 string mmp4 \b, MPEG v4 system, 3GPP Mobile !:mime video/mp4 >8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3] >8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830 !:mime video/quicktime >8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP -!:mime video/mp4 +!:mime audio/mp4 >8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio !:mime audio/mp4 >8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile @@ -181,11 +252,14 @@ >8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile !:mime video/mp4 >8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile +>8 string niko \b, Nikon Digital Camera !:mime video/mp4 >8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A) >8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C) >8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C) >8 string pana \b, Panasonic Digital Camera +>8 string piff \b, Protected Interoperable File Format +>8 string pnvi ]b, Panasonic Video Intercom >8 string qt \b, Apple QuickTime (.MOV/QT) !:mime video/quicktime # HEIF image format @@ -217,11 +291,24 @@ !:mime image/heif-sequence >8 string avcs \b, HEIF Image Sequence AVC !:mime image/heif-sequence - +# AVIF image format +# see https://aomediacodec.github.io/av1-avif/ +>8 string avif \b, AVIF Image +!:mime image/avif +>8 string avis \b, AVIF Image Sequence +!:mime image/avif +>8 string risx \b, Representation Index Segment for MPEG-2 TS Segments >8 string ROSS \b, Ross Video >8 string sdv \b, SD Memory Card Video >8 string ssc1 \b, Samsung stereo, single stream (patent pending) >8 string ssc2 \b, Samsung stereo, dual stream (patent pending) +>8 string SEAU \b, Sony Home and Mobile Multimedia Platform (HMMP) +>8 string SEBK \b, Sony Home and Mobile Multimedia Platform (HMMP) +>8 string senv \b, Video contents Sony Entertainment Network +>8 string sims \b, Media Segment for Sub-Indexed Media Segment format +>8 string sisx \b, Single Index Segment forindex MPEG-2 TS +>8 string ssss \b, Subsegment Index Segment used to index MPEG-2 Segments +>8 string uvvu \b, UltraViolet file brand for DECE Common Format # MPEG sequences # Scans for all common MPEG header start codes @@ -234,6 +321,9 @@ 0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence !:mime video/mpeg +# http://fileformats.archiveteam.org/wiki/Enhanced_VOB +# https://reposcope.com/mimetype/video/mpeg +!:ext vob/evo/mpg/mpeg >>4 byte &0x40 \b, v2, program multiplex >>4 byte ^0x40 \b, v1, system multiplex >3 byte 0xBB MPEG sequence, v1/2, multiplex (missing pack header) @@ -847,9 +937,20 @@ 0 belong&0xFF5FFF10 0x47400010 >188 byte 0x47 MPEG transport stream data !:mime video/MP2T +!:ext ts + +# Blu-ray disc Audio-Video MPEG-2 transport stream +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/MPEG_transport_stream +# Note: similar to ISO 13818.1 but with 4 extra bytes per packets +4 belong&0xFF5FFF10 =0x47400010 +>196 byte =0x47 BDAV MPEG-2 Transport Stream (M2TS) +!:mime video/MP2T +!:ext m2ts/mts # DIF digital video file format <mpruett@sgi.com> 0 belong&0xffffff00 0x1f070000 DIF +!:mime video/x-dv >4 byte &0x01 (DVCPRO) movie file >4 byte ^0x01 (DV) movie file >3 byte &0x80 (PAL) @@ -877,21 +978,6 @@ # ABC (alembic.io 3d models) 0 string 0gawa ABC 3d model -# VRML (Virtual Reality Modelling Language) -0 string/w #VRML\ V1.0\ ascii VRML 1 file -!:mime model/vrml -0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file -!:mime model/vrml - -# X3D (Extensible 3D) [https://www.web3d.org/specifications/x3d-3.0.dtd] -# From Michel Briand <michelbriand@free.fr> -# mimetype from https://www.iana.org/assignments/media-types/model/x3d+xml -# Example https://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d -0 string/w \<?xml\ version= -!:strength + 5 ->20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text -!:mime model/x3d+xml - #--------------------------------------------------------------------------- # HVQM4: compressed movie format designed by Hudson for Nintendo GameCube # From Mark Sheppard <msheppard@climax.co.uk>, 2002-10-03 @@ -905,12 +991,22 @@ >0x42 ubeshort 0 no audio >0x42 ubeshort >0 %dHz audio -# From: "Stefan A. Haubenthal" <polluks@web.de> +# From: Stefan A. Haubenthal <polluks@sdf.lonestar.org> +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/VOB 0 string DVDVIDEO-VTS Video title set, +!:mime video/x-ifo +!:ext ifo/bup >0x21 byte x v%x 0 string DVDVIDEO-VMG Video manager, +!:mime video/x-ifo +!:ext ifo/bup >0x21 byte x v%x +# From: Stefan A. Haubenthal <polluks@sdf.lonestar.org> +0 string xMovieSetter MovieSetter movie +0 string xSceneEditor MovieSetter movie + # From: Behan Webster <behanw@websterwood.com> # NuppelVideo used by Mythtv (*.nuv) # Note: there are two identical stanzas here differing only in the @@ -1069,3 +1165,42 @@ # From: David Korth <gerbilsoft@gerbilsoft.com> 0 string CRID >32 string @UTF Scaleform video + +# http://www.jerrysguide.com/tips/demystify-tvs-file-format.html +0 string TVS\015\012 +>&0 string Version\040 TeamViewer Session File +>>&0 string x \b, version %s + +# SER file format - simple uncompressed video format for astronomical use +# Initially developed by Lucam Recorder, +# as of 2021 maintained by Heiko Wilkens, Grischa Hahn +# Typical extensions: .SER +# http://www.grischa-hahn.homepage.t-online.de/astro/ser/SER%20Doc%20V3b.pdf +0 string LUCAM-RECORDER SER video sequence +!:ext ser +>18 lelong 0 \b, bayer: mono +>18 lelong 8 \b, bayer: RGGB +>18 lelong 9 \b, bayer: GRBG +>18 lelong 10 \b, bayer: GBRG +>18 lelong 11 \b, bayer: BGGR +>18 lelong 16 \b, bayer: CYYM +>18 lelong 17 \b, bayer: YCMY +>18 lelong 18 \b, bayer: YMCY +>18 lelong 19 \b, bayer: MYYC +>18 lelong 100 \b, bayer: RGB +>18 lelong 101 \b, bayer: BGR +>22 lelong 0 \b, big-endian +>22 lelong 1 \b, little-endian +>26 lelong x \b, width: %d +>30 lelong x \b, height: %d +>34 lelong x \b, %d bit +>38 lelong x \b, frames: %d + +# https://wiki.multimedia.cx/index.php/Duck_IVF +0 string DKIF Duck IVF video file +!:mime video/x-ivf +>4 leshort >0 \b, version %d +>8 string x \b, codec %s +>12 leshort x \b, %d +>14 leshort x \bx%d +>24 lelong >0 \b, %d frames diff --git a/contrib/file/magic/Magdir/apple b/contrib/file/magic/Magdir/apple index e0617454cd95..547b0ac20aba 100644 --- a/contrib/file/magic/Magdir/apple +++ b/contrib/file/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.44 2019/10/18 15:21:02 christos Exp $ +# $File: apple,v 1.48 2023/05/01 14:20:21 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -11,26 +11,48 @@ 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file +# Type: Apple Emulator A2R format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/a2r2-reference/ +# Ref: https://applesaucefdc.com/a2r/ +0 string A2R +>3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image +>3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image +>8 string INFO +>>49 byte 01 \b, 5.25″ SS 40trk +>>49 byte 02 \b, 3.5″ DS 80trk +>>49 byte 03 \b, 5.25″ DS 80trk +>>49 byte 04 \b, 5.25″ DS 40trk +>>49 byte 05 \b, 3.5″ DS 80trk +>>49 byte 06 \b, 8″ DS +>>50 byte 01 \b, write protected +>>51 byte 01 \b, cross track synchronized +>>17 string/T x \b, %.32s + # Type: Apple Emulator WOZ format # From: Greg Wildman <greg@apple2.org.za> # Ref: https://applesaucefdc.com/woz/reference/ # Ref: https://applesaucefdc.com/woz/reference2/ -# -# Note: The following test are mostly identical. I would rather not -# use a regex to identify the WOZ format number. -0 string WOZ1 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +0 string WOZ +>3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s -0 string WOZ2 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image + +# Type: Apple Macintosh Emulator MOOF format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/moof-reference/ +0 string MOOF +>4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image >12 string INFO ->>21 byte 01 \b, 5.25 inch ->>21 byte 02 \b, 3.5 inch +>>21 byte 01 \b, SSDD GCR (400K) +>>21 byte 02 \b, DSDD GCR (800K) +>>21 byte 03 \b, DSHD MFM (1.44M) >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s @@ -43,29 +65,79 @@ >0x400 string \x00\x00\x03\x00 >>0x404 byte &0xF0 >>>0x405 string x \b, Volume /%s ->>>0x429 leshort x \b, %u Blocks +>>>0x429 uleshort x \b, %u Blocks # ProDOS ordered ? >0xb00 string \x00\x00\x03\x00 >>0xb04 byte &0xF0 >>>0xb05 string x \b, Volume /%s ->>>0xb29 leshort x \b, %u Blocks +>>>0xb29 uleshort x \b, %u Blocks # -# DOS3.3 boot loader? -0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B ->0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.2 ? ->0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.1 ? ->0x11001 string \x11\x0C\x01 ->>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image +# Proboot HD +0 string \x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\xA8\x8A\x20\x7B\xF8\x29\x07\x09\xC0\x99\x30 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x4A\xD0\x34\xE6\x3D\x8A\x20\x7B\xF8\x09\xC0 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# ProDOS formatted +0 string \x01\xBD\x88\xC0\x20\x2F\xFB\x20\x58\xFC\x20\x40 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x38\xB0\x03\x4C\x1C\x09\x78\x86\x43\xC9\x03 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# DOS3 boot loader +0 string \x01\xA5\x27\xC9\x09\xD0 +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Image +>>0x11006 ubyte x \b, Volume #%03u +>>0x11034 ubyte x \b, %u Tracks +>>0x11035 ubyte x \b, %u Sectors +>>0x11036 uleshort x \b, %u bytes per sector +# +# DOS3 uninitialized disk +0 string \x01\xA6\x2B\xBD\x88\xC0\x8A\x4A\x4A +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Unbootable Image +>>>0x11006 ubyte x \b, Volume #%03u +>>>0x11034 ubyte x \b, %u Tracks +>>>0x11035 ubyte x \b, %u Sectors +>>>0x11036 uleshort x \b, %u bytes per sector # # Pascal boot loader? 0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD @@ -112,9 +184,70 @@ >>0x440 string \x00\x00\x03\x00 >>>0x444 byte &0xF0 >>>>0x445 string x \b, Volume /%s ->>>>0x469 leshort x \b, %u Blocks +>>>>0x469 uleshort x \b, %u Blocks >0xc byte 02 \b, NIB data +# Type: Peter Ferrie QBoot +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/qboot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image + +# Type: Peter Ferrie 0Boot +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/0boot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image + +# Different proprietary boot sectors +0 string \x01\x0F\x21\x74\x00\x01\x6B\x00\x02\x30\x81\x5D Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xA2\x00\x8E\x78\x04\x8E\xF4\x03 Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xAD\x51\xC0\xAD\x54\xC0\xA6\x2B Apple ][ Disk Image +0 string \x01\x20\x89\xFE\x20\x93\xFE\xA6\x2B\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x25\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x2D\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x38\x90\x2A\xC9\x01\xF0\x33\xA8\xC8\xC0\x10 Apple ][ Disk Image +0 string \x01\x38\xB0\x03\x4C\x32\xA1\x87\x43\xC9\x03\x08 Apple ][ Disk Image +0 string \x01\x4C\x04\x08\xA9\x2A\x8D\x02\x08\x86\x2B\xEE Apple ][ Disk Image +0 string \x01\x4C\x60\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x4C\x92\x08\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\x4C\xB3\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x8D\xFB\x03\x8E\xFC\x03\x8C\xFD\x03\x8A\x29 Apple ][ Disk Image +0 string \x01\xA2\xFF\x9A\xD8\x20\x20\x08\x20\x34\x08\xAD Apple ][ Disk Image +0 string \x01\xA5\x27\xBD\x88\xC0\x2C\x10\xC0\xA2\x00\xA9 Apple ][ Disk Image +0 string \x01\xA5\x2B\xAE\x51\xC0\xEA\xAA\xBD\x88\xC0\x20 Apple ][ Disk Image +0 string \x01\xA6\x27\xBD\x0B\x08\x48\xBD\x0A\x08\x48\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x01\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x25\x85 Apple ][ Disk Image +0 string \x01\xA8\xC0\x0F\x90\x16\xF0\x12\xA0\xFF\x18\xAD Apple ][ Disk Image +0 string \x01\xA9\x00\x85\xF0\xA9\x04\x85\xF1\xA0\x00\xA9 Apple ][ Disk Image +0 string \x01\xA9\x5C\x8D\xF2\x03\xA9\xC6\x8D\xF3\x03\x49 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x2F\xFB\x20\x58\xFC Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x49\x08\xA9\x0A\x85 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x2C\x82\xC0\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x86\x43\x8A\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\x86\xFF\xB5\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xB2\x8D\xF2\x03\xA9 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xFF\x8D\xF3\x03\x8D Apple ][ Disk Image +0 string \x01\xAC\x00\x08\xF0\x19\xB9\x30\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAC\x23\x08\x30\x2E\xB9\x24\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAD\x00\x08\xC9\x09\xB0\x20\x69\x02\x8D\x00 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\x86\x2B\x8A\x4A Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\xA9\xF5\x8D\xF2 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3F\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x48\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x09\xC0\x8D Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x8D\x2F\x08 Apple ][ Disk Image +0 string \x01\xD8\x2C\x81\xC0\xA9\x60\x4D\x58\xFF\xD0\xFE Apple ][ Disk Image +0 string \x01\xD8\x78\xBD\x88\xC0\xA9\xFD\x85\x37\x85\x39 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\x16\x09\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xCB\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEE\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEF\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x70\xB0\x04\xE0\x40\xB0\x39\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xEA\x8D\xF4\x03\xA9\x60\x9D\x88\xC0\x8D\x51 Apple ][ Disk Image + # magic for Newton PDA package formats # from Ruda Moura <ruda@helllabs.org> 0 string package0 Newton package, NOS 1.x, @@ -180,7 +313,7 @@ # minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) >>>183 ubyte 30 3.0 >>>183 ubyte !30 ->>>>183 ubyte !0 0x%x +>>>>183 ubyte !0 %#x # usual tabstop start sequence "=====<" >>>5 string x \b, tabstop ruler "%6.6s" # tabstop ruler @@ -291,7 +424,13 @@ #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson <toby@apple.com> +# From https://www.nationalarchives.gov.uk/pronom/fmt/866 +0 string bplist00 +>8 search/500 WebMainResource Apple Safari Webarchive +!:mime application/x-webarchive +!:strength +50 0 string bplist00 Apple binary property list +!:mime application/x-bplist # Apple binary property list (bplist) # Assumes version bytes are hex. @@ -299,7 +438,7 @@ # object is the first object (true for CoreFoundation implementation). # From: David Remahl <dremahl@apple.com> 0 string bplist ->6 byte x \bCoreFoundation binary property list data, version 0x%c +>6 byte x \bCoreFoundation binary property list data, version %#c >>7 byte x \b%c >6 string 00 \b >>8 byte&0xF0 0x00 \b @@ -358,7 +497,7 @@ 0 belong 0xfade0c02 Mac OS X Code Directory >8 belong x version %x ->12 belong >0 flags 0x%x +>12 belong >0 flags %#x >4 belong x - %d bytes 0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) @@ -438,7 +577,7 @@ # descSize driver size in blocks >>4 ubeshort x \b, size %u # descType driver system type 1 701h F8FFh FFFFh ->>6 ubeshort x \b, type 0x%x +>>6 ubeshort x \b, type %#x # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h @@ -491,9 +630,107 @@ # Usually not in separate files, but have either filename rsrc with # no extension, or a filename corresponding to another file, with # extensions rsr/rsrc +# URL: http://fileformats.archiveteam.org/wiki/Macintosh_resource_file +# https://en.wikipedia.org/wiki/Resource_fork +# Reference: https://github.com/kreativekorp/ksfl/wiki/Macintosh-Resource-File-Format +# http://developer.apple.com/legacy/mac/library/documentation/mac/pdf/MoreMacintoshToolbox.pdf +# https://formats.kaitai.io/resource_fork/ +# Update: Joerg Jenderek +# Note: verified often by command like `deark -m macrsrc Icon_.rsrc` +# offset of resource data; usually starts at offset 0x0100 0 string \000\000\001\000 ->4 leshort 0 ->>16 lelong 0 Apple HFS/HFS+ resource fork +# skip NPETraceSession.etl with invalid "low" map offset 0 +>4 ubelong >0xFF +# skip few Atari DEGAS Elite bitmap (eil2.pi1 nastro.pi1) with ivalid "high" 0x6550766 0x7510763 map length +>>12 ubelong <0x8001 +# most examples with zeroed system reserved field +>>>16 lelong =0 +>>>>0 use apple-rsr +# few samples with not zeroed system reserved field like: Empty.rsrc.rsr OpenSans-CondBold.dfont +>>>16 lelong !0 +# resource fork variant with not zeroed system reserved field and copy of header +>>>>(4.L) ubelong 0x100 +# GRR: the line above only works if in ../../src/file.h FILE_BYTES_MAX is raised from 1 MiB above 0x6ab0f4 (HelveticaNeue.dfont) +>>>>>0 use apple-rsr +# data fork variant with not zeroed system reserved field and no copy of header +>>>>(4.L) ubelong 0 +>>>>>0 use apple-rsr +# Note: moved and merged from ./macintosh +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +# display information about Mac OSX datafork font DFONT +0 name apple-dfont +>(4.L+30) ubelong x Mac OSX datafork font, +# https://en.wikipedia.org/wiki/Datafork_TrueType +!:mime application/x-dfont +!:ext dfont +# https://exiftool.org/TagNames/RSRC.html +>(4.L+30) ubelong 0x73666e74 TrueType +>(4.L+30) ubelong 0x464f4e54 'FONT' +>(4.L+30) ubelong 0x4e464e54 'NFNT' +>(4.L+30) ubelong 0x504f5354 PostScript +>(4.L+30) ubelong 0x464f4e44 'FOND' +>(4.L+30) ubelong 0x76657273 'vers' +# display information about Macintosh resource +0 name apple-rsr +>(4.L+30) ubelong 0x73666e74 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x4e464e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x504f5354 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e44 +>>0 use apple-dfont +>(4.L+30) ubelong 0x76657273 +>>0 use apple-dfont +>(4.L+30) default x Apple HFS/HFS+ resource fork +#!:mime application/octet-stream +!:mime application/x-apple-rsr +!:ext rsrc/rsr +# offset to resource data; usually starts at offset 0x0100 +>0 ubelong !0x100 \b, data offset %#x +# offset to resource map; positive but not nil like in NPETraceSession.etl +>4 ubelong x \b, map offset %#x +# length of resource map; positive with 32K limitation but not +# nil like in NPETraceSession.etl or high like 0x7510763 in nastro.pi1 +>12 ubelong x \b, map length %#x +# length of resource data; positive but not nil like in NPETraceSession.etl +>8 ubelong x \b, data length %#x +# reserved 112 bytes for system use; apparently often nil, but 8fd20000h in Empty.rsrc.rsr and 0x00768c2b in OpenSans-CondBold.dfont +>16 ubelong !0 \b, at 16 %#8.8x +# https://fontforge.org/docs/techref/macformats.html +# jump to resource map +# a copy of resource header or 16 bytes of zeros for data fork +#>(4.L) ubelong x \b, DATA offset %#x +#>(4.L+4) ubelong x \b, MAP offset %#x +#>(4.L+8) ubelong x \b, DATA length %#x +#>(4.L+12) ubelong x \b, MAP length %#x +# nextResourceMap; handle to next resource map; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+16) ubelong !0 \b, nextResourceMap %#x +# fileRef; file reference number; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+20) ubeshort !0 \b, fileRef %#x +# attributes; Resource fork attributes (80h~read-only 40h~compression needed 20h~changed); other bits are reserved and should be zero +>(4.L+22) ubeshort !0 \b, attributes %#x +# typeListOffset; offset from resource map to start of type list like: 1Ch +>(4.L+24) ubeshort x \b, list offset %#x +# nameListOffset; offset from esource map to start of name list like: 32h 46h 56h (XLISP.RSR XLISPTIN.RSR) 13Eh (HelveticaNeue.dfont) +>(4.L+26) ubeshort x \b, name offset %#x +# typeCount; number of types in the map minus 1; If there are no resources, this is 0xFFFF +>(4.L+28) beshort+1 >0 \b, %u type +# plural s +>>(4.L+28) beshort+1 >1 \bs +# resource type list array; 1st resource type like: ALRT CODE FOND MPSR icns scsz +>>(4.L+30) ubelong x \b, %#x +>>(4.L+30) string x '%-.4s' +# resourceCount; number of this type resources minus one. If there is one resource of this type, this is 0x0000 +>>(4.L+34) beshort+1 x * %d +# resourceListOffset; offset from type list to resource list like: Ah 12h DAh +>(4.L+36) ubeshort x resource offset %#x #https://en.wikipedia.org/wiki/AppleScript 0 string FasdUAS AppleScript compiled diff --git a/contrib/file/magic/Magdir/archive b/contrib/file/magic/Magdir/archive index 99798b030399..6e1f9678e7ac 100644 --- a/contrib/file/magic/Magdir/archive +++ b/contrib/file/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.138 2020/06/07 23:29:26 christos Exp $ +# $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -25,7 +25,18 @@ >>>>>>155 ubyte&0xDF =0 # space or ascii digit 0 at start of check sum >>>>>>>148 ubyte&0xEF =0x20 ->>>>>>>>0 use tar-file +# FOR DEBUGGING: +#>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s" +# check for 1st image main name with digits used for sorting +# and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP +>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) +>>>>>>>>>0 use tar-cbt +# check for 1st member name with ovf suffix +>>>>>>>>0 regex \^.{1,96}[.](ovf) +>>>>>>>>>0 use tar-ova +# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive +>>>>>>>>0 default x +>>>>>>>>>0 use tar-file # minimal check and then display tar archive information which can also be # embedded inside others like Android Backup, Clam AntiVirus database 0 name tar-file @@ -146,11 +157,39 @@ >>508 default x # padding[255] in old tar sometimes comment field >>>257 string >\0 \b, comment: %-.40s +# Summary: Comic Book Archive *.CBT with TAR format +# URL: https://en.wikipedia.org/wiki/Comic_book_archive +# http://fileformats.archiveteam.org/wiki/Comic_Book_Archive +# Note: there exist also RAR, ZIP, ACE and 7Z packed variants +0 name tar-cbt +>0 string x Comic Book archive, tar archive +#!:mime application/x-tar +!:mime application/vnd.comicbook +#!:mime application/vnd.comicbook+tar +!:ext cbt +# name[100] probably like: 19.jpg 0001.png 0002.png +# or maybe like ComicInfo.xml +>0 string >\0 \b, 1st image %-.60s +# Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format +# http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml +# Note: called "Open Virtualization Format package" by TrID +# assuming *.ovf comes first +0 name tar-ova +>0 string x Open Virtualization Format Archive +#!:mime application/x-ustar +# http://extension.nirsoft.net/ova +!:mime application/x-virtualbox-ova +!:ext ova +# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf +>0 string >\0 \b, with %-.60s # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html 0 string GNU\ tar- GNU tar incremental snapshot data ->&0 regex [0-9]\.[0-9]+-[0-9]+ version %s +>&0 regex [0-9]\\.[0-9]+-[0-9]+ version %s # cpio archives # @@ -163,13 +202,88 @@ # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. -0 short 070707 cpio archive +# URL: http://fileformats.archiveteam.org/wiki/Cpio +# https://en.wikipedia.org/wiki/Cpio +# Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt +# Update: Joerg Jenderek +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml +# Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635 +0 short 070707 +# skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry +>26 string >\0 cpio archive !:mime application/x-cpio +# https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso +# boot/x86_64/loader/bootlogo +# message.cpi +!:ext /cpio/cpi +>>0 use cpio-bin +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml +# Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped +# https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio +!:ext cpio +>0 use cpio-bin-be +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml +# Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) +!:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012 +!:ext cpio/cpi/008/012 +# Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio 0 string 070701 ASCII cpio archive (SVR4 with no CRC) +!:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio +!:ext cpio +# Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio 0 string 070702 ASCII cpio archive (SVR4 with CRC) +!:mime application/x-cpio +# http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz +# https://telparia.com/fileFormatSamples/archive/cpio/pcmcia +!:ext /cpio +# display information of old binary cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio` +0 name cpio-bin +# c_dev; device number; WHAT IS THAT? +>2 uleshort x \b; device %u +# c_ino; truncated inode number; use `ls --inode` +>4 uleshort x \b, inode %u +# c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l` +>6 uleshort x \b, mode %o +# c_uid; numeric user id; use `ls --numeric-uid-gid` +>8 uleshort x \b, uid %u +# c_gid; numeric group id +>10 uleshort x \b, gid %u +# c_nlink; links to this file; directories at least 2 +>12 uleshort >1 \b, %u links +# c_rdev; device number for block and character entries; zero for all other entries by writers +# like 0x0440 for /dev/ttyS0 +>14 uleshort >0 \b, device %#4.4x +# c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first +>16 medate x \b, modified %s +# c_filesize[2]; size of pathname; most-significant 16 bits first like: 544 +>22 melong x \b, %u bytes +# c_namesize; bytes in the pathname that follows the header like: 9 +#>20 uleshort x \b, namesize %u +# pathname of entry like: "clam.exe" +>26 string x "%s" +# display information of old binary byte swapped cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio` +0 name cpio-bin-be +>2 ubeshort x \b; device %u +>4 ubeshort x \b, inode %u +>6 ubeshort x \b, mode %o +>8 ubeshort x \b, uid %u +>10 ubeshort x \b, gid %u +>12 ubeshort >1 \b, %u links +>14 ubeshort >0 \b, device %#4.4x +>16 bedate x \b, modified %s +>22 ubelong x \b, %u bytes +#>20 ubeshort x \b, namesize %u +>26 string x "%s" # # Various archive formats used by various versions of the "ar" @@ -240,13 +354,14 @@ !:ext deb/udeb/ipk # This should not happen >14 default x Unknown Debian package -# NL terminated version; for most Debian cases this is 2.0 or 2.1 for splitted +# NL terminated version; for most Debian cases this is 2.0 or 2.1 for split >68 string >\0 (format %s) #>68 string !2.0\n #>>68 string x (format %.3s) >68 string =2.0\n # 2nd archive name=control archive name like control.tar.gz or control.tar.xz ->>72 string >\0 \b, with %.14s +# or control.tar.zst +>>72 string >\0 \b, with %.15s # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma} >>0 search/0x93e4f data.tar. \b, data compression # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised @@ -261,7 +376,7 @@ >>>>>>>&-1 ubyte !0x2f # display 4th character of file name extension like a of lzma >>>>>>>>&-1 ubyte x \b%c -# splitted debian package case +# split debian package case >68 string =2.1\n # dpkg-1.18.25/dpkg-split/info.c # NL terminated ASCII package name like ckermit @@ -447,36 +562,136 @@ # look for first keyword of Panorama database *.pan >12 search/261 DESIGN # skip keyword with low entropy ->12 default x TTComp archive, binary, 4K dictionary -# (version 5.25) labeled the above entry as "TTComp archive data" +>12 default x +# skip DOS 2.0 backup id file, sequence 6 with many nils like BACKUPID_xx6.@@@ handled by ./msdos +>>8 quad !0 +>>>0 use ttcomp +# variant ASCII, 4K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? +0 string \1\6 +# TODO: +# skip VAX-order 68k Blit mpx/mux executable (strength=50) handled by ./blit +!:strength -2 +>0 use ttcomp +0 string \0\5 +# skip some DOS 2.0 backup id file, sequence 5 with many nils like BACKUPID_075.@@@ handled by ./msdos +>8 quad !0 +>>0 use ttcomp +0 string \1\5 +# TODO: +# variant ASCII, 2K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? +# skip ctab data (strength=50) handled by ./ibm6000 +# skip locale data table (strength=50) handled by ./digital +!:strength -2 +>0 use ttcomp +0 string \0\4 +# skip many Maple help database *.hdb with version tag handled by ./maple +>1028 string !version +# skip veclib maple.hdb by looking for Mable keyword +>>4 search/1091 Maple\040 +#>4 search/34090 Maple\040 +>>4 default x +# skip DOS 2.0-3.2 backed up sequence 4 with many nils like LOTUS5.RAR handled by ./msdos +# skip xBASE Compound Index file *.CDX with many nils +>>>0x54 quad !0 +>>>>0 use ttcomp +0 string \1\4 +# TODO: +# skip shared library (strength=50) handled by ./ibm6000 +!:strength -2 +# skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset) +#>-4 ubelong x LAST_BYTES=%8.8x +>-4 ubelong&0x00FFffFF !0 +>>0 use ttcomp +# display information of TTComp archive +0 name ttcomp +# (version 5.25) labeled the entry as "TTComp archive data" +>0 ubyte x TTComp archive data +!:mime application/x-compress-ttcomp +# PBACKSCR.PI1 +!:ext $xe/$ts/pi1/__d +# compression type: 0~binary compression 1~ASCII compression +>0 ubyte 0 \b, binary +>0 ubyte 1 \b, ASCII +# size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes +>1 ubyte 4 \b, 1K +>1 ubyte 5 \b, 2K +>1 ubyte 6 \b, 4K +>1 ubyte x dictionary +# https://mark0.net/forum/index.php?topic=848 +# last 3 bytes probably have only 8 possible bit sequences +# xxxxxxxx 0000000x 11111111 ____FFh +# xxxxxxxx 10000000 01111111 __807Fh +# 0xxxxxxx 11000000 00111111 __C03Fh +# 00xxxxxx 11100000 00011111 __E01Fh +# 000xxxxx 11110000 00001111 __F00Fh +# 0000xxxx 11111000 00000111 __F807h +# 00000xxx 11111100 00000011 __FC03h +# 000000xx 11111110 00000001 __FE01h +# but for quickgif.__d 0A7DD4h +#>-3 ubyte x \b, last 3 bytes 0x%2.2x +#>-2 ubeshort x \b%4.4x # From: Joerg Jenderek -# URL: https://wiki.68kmla.org/DiskCopy_4.2_format_specification +# URL: https://en.wikipedia.org/wiki/Disk_Copy # reference: http://nulib.com/library/FTN.e00005.htm 0x52 ubeshort 0x0100 -# test for disk size equal or above 400k ->0x40 ubelong >409599 Apple DiskCopy 4.2 image +# test for disk image size equal or above 400k +>0x40 ubelong >409599 +# test also for disk image size equal or below 1440k to skip +# windows7en.mbr UNICODE.DAT +#>>0x40 ubelong <1474561 +# test now for "low" disk image size equal or below 64 MiB to skip +# windows7en.mbr (B441BBAAh) UNICODE.DAT (0400AF05h) +>>0x40 ubelong <0x04000001 +# To skip Flags$StringJoiner.class with size 00106A61h test also for valid disk image sizes +# 00064000 for 400k GCR disks dc42-400k-gcr.trid.xml +# 000c8000 for 800k GCR disks dc42-800k-gcr.trid.xml +# 000b4000 for 720k MFM disks dc42-720k-mfm.trid.xml +# 00168000 for 1440k MFM disks dc42-1440k-mfm.trid.xml +# https://lisaem.sunder.net/LisaProjectDocs.txt +# 00500000 05M available +# 00A00000 10M available +# 01800000 24M possible +# 02000000 32M uncertain +# 04000000 64M uncertain +>>>0x40 ubelong&0xf8003fFF 0 +# skip samples with invalid disk name length like: +# 181 (biosmd80.rom) 202 (Flags$StringJoiner.class) 90 (UNICODE.DAT) +>>>>0x0 ubyte <64 +>>>>>0 use dc42-floppy +# display information of Apple DiskCopy 4.2 floppy image +0 name dc42-floppy +# disk name length; maximal 63 +#>0 ubyte x DISK NAME LENGTH %u +# ASCII image pascal (maximal 63 bytes) name padded with NULs like: +# "Microsoft Mail" "Disquette 2" "IIe Installer Disk" +# "-lisaem.sunder.net hd-" (dc42-lisaem.trid.xml) "-not a Macintosh disk" (dc42-nonmac.trid.xml) +>00 pstring/B x Apple DiskCopy 4.2 image %s #!:mime application/octet-stream +!:mime application/x-dc42-floppy-image !:apple dCpydImg -!:ext image/dc42 -# image pascal name padded with NULs like Microsoft Mail ->>00 pstring/B x %s -# data size in bytes like 409600 ->>0x40 ubelong x \b, %u bytes -# tag size in bytes ->>0x44 ubelong >0 \b, 0x%x tag size +# probably also img like: "Utilitaires 2.img" "Installation 7.img" +!:ext image/dc42/img +# data size in bytes like: 409600 737280 819200 1474560 +>0x40 ubelong x \b, %u bytes +# for debugging purpose size in hexadecimal +#>0x40 ubelong x (%#8.8x) +# tag size in bytes like: 0 (often) 2580h (PUID fmt/625) 4B00h (Microsoft Mail.image) +>0x44 ubelong >0 \b, %#x tag size # data checksum -#>>0x48 ubelong x \b, 0x%x checksum +#>0x48 ubelong x \b, %#x checksum # tag checksum -#>>0x4c ubelong x \b, 0x%x tag checksum -# disk encoding ->>0x50 ubyte 0 \b, GCR CLV ssdd (400k) ->>0x50 ubyte 1 \b, GCR CLV dsdd (800k) ->>0x50 ubyte 2 \b, MFM CAV dsdd (720k) ->>0x50 ubyte 3 \b, MFM CAV dshd (1440k) ->>0x50 ubyte >3 \b, 0x%x encoding -# format byte ->>0x51 ubyte x \b, 0x%x format -#>>0x54 ubequad x \b, data 0x%16.16llx +#>0x4c ubelong x \b, %#x tag checksum +# disk encoding like: 0 1 2 3 (PUID: fmt/625) +>0x50 ubyte 0 \b, GCR CLV ssdd (400k) +>0x50 ubyte 1 \b, GCR CLV dsdd (800k) +>0x50 ubyte 2 \b, MFM CAV dsdd (720k) +>0x50 ubyte 3 \b, MFM CAV dshd (1440k) +>0x50 ubyte >3 \b, %#x encoding +# format byte like: 12h (Lisa 400K) 24h (400K Macintosh) 96h (800K Apple II disk) +# 2 (Mac 400k "Disquette Installation 13.image") +# 22h (double-sided MFM or Mac 800k "Disco 12.image" "IIe Installer Disk.image") +>0x51 ubyte x \b, %#x format +#>0x54 ubequad x \b, data %#16.16llx # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 0 string ESP ESP archive data # ZPack @@ -509,11 +724,11 @@ # compression method (0-4) >>8 uleshort x \b, %u method # offset of compressed data ->>10 uleshort x \b, 0x%x offset +>>10 uleshort x \b, %#x offset #>>(10.s) uleshort x #>>>&-6 string x \b, TEST extension %-.3s # header flags to mark header extensions ->>12 uleshort >0 \b, 0x%x flags +>>12 uleshort >0 \b, %#x flags # 4 bytes: decompressed length of file >>12 uleshort &0x01 >>>14 ulelong x \b, original size: %u bytes @@ -587,7 +802,15 @@ # 2 bytes: length of data + mentioned bytes # # SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ +# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression +# Reference: http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html +# http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml +# Note: called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID +# verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ +# `deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura" >0 string SZDD MS Compress archive data, SZDD variant +# 2nd part of signature +#>>4 ubelong 0x88F02733 \b, SIGNATURE OK !:mime application/x-ms-compress-szdd !:ext ??_ # The character missing from the end of the filename (0=unknown) @@ -596,6 +819,24 @@ # Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e >>8 string !A \b, %-.1s method >>10 ulelong >0 \b, original size: %u bytes +# Summary: InstallShield archive with SZDD compressed +# URL: https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647 +# From: Joerg Jenderek +1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive +#!:mime application/octet-stream +!:mime application/x-installshield-compress-szdd +!:ext ibt +# name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_ +>0 string x %s +# name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL +>>&1 string x (%s) +# probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618 +>>>&1 string x \b, version %s +# SZDD member length like: 168048 169333 181842 +>>>>&1 string x \b, %s bytes +# MS Compress archive data +#>&0 string SZDD \b, SIGNATURE FOUND +>&0 indirect x # QBasic SZDD variant 3 string \x88\xf0\x27 >0 string SZ\x20 MS Compress archive data, QBasic variant @@ -603,6 +844,114 @@ !:ext ??$ >>8 ulelong >0 \b, original size: %u bytes +# Summary: lzss compressed/EDI Pack +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file +# Note: called "EDI Install LZS compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1" +0 string EDILZSS +>7 string 1 +# look for point character before orginal file name extension +>>8 search/9/b . +# check suffix of possible orginal file anme +#>>>&0 ubelong x SUFFIX=%8.8x +# samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS +>>>&0 ubyte <0x20 +>>>>0 use edi-lzs +# samples with valid character after point in original file name field +>>>&0 ubyte >0x1F +# check 2nd charcter of suffix +#>>>>&0 ubyte x 2ND_SUFFIX=%x +# sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$ +>>>>&0 ubyte =0 +>>>>>0 use edi-pack +>>>>&0 ubyte >0x1F +# check 3rd charcter of suffix +#>>>>>&0 ubyte x 3RD_SUFFIX=%x +# no sample with 2 valid characters after point followed by \0 in original file name field +>>>>>&0 ubyte =0 +>>>>>>0 use edi-pack +# samples with valid 3rd character after point in original file name field +>>>>>&0 ubyte >0x1F +# sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$ +>>>>>>&0 ubyte =0 +>>>>>>>0 use edi-pack +# sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS +>>>>>>&0 ubyte !0 +>>>>>>>0 use edi-lzs +# no sample with invalid 3rd character after point in original file name field +>>>>>&0 default x +>>>>>>0 use edi-lzs +# sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS +>>>>&0 default x +>>>>>0 use edi-lzs +# sample without point character in original file name field like GUNSHOT.LZS +>>8 default x +>>>0 use edi-lzs +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml +# Note: called "EDI Install Pro LZSS2 compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2" +>7 string 2 EDI LZSS2 packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/??_ +# original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx +>>8 string x "%-0.13s" +# original file size, as a 4-byte integer. +>>21 ulelong x \b, %u bytes +# compressed data like: ff5249464606ec00 ff4d5aa601010000 +>>>25 ubequad x \b, data %#16.16llx... +0 name edi-pack +# Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1" +# original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe +# but not like \377Aloe.lzs\273 (HERBTEXT.LZS) +>8 string x EDI LZSS packed "%-.13s" +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/?$ +# compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c +>21 ubequad x \b, data %#16.16llx... +# URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib +# Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib" +0 name edi-lzs +# Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib" +# no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273 +>8 string x EDI LZSSLib packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# The name of a compressed file ends with LZS suffix +!:ext lzs +# compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a +>8 ubequad x \b, data %#16.16llx... + +# Summary: CAZIP compressed file +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CAZIP +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/caz.trid.xml +# Note: Format is distinct from CAZIPXP compressed +0 string \x0D\x0A\x1ACAZIP CAZIP compressed file +#!:mime application/octet-stream +!:mime application/x-compress-cazip +# like: BLINKER.WR_ CLIPDEFS._ CAOSETUP.EX_ CLIPPER.EX_ FILEIO.C_ +!:ext ??_/?_/_ + +# Summary: FTCOMP compressed archive +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/FTCOMP +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ftcomp.trid.xml +# Note: called by TrID "FTCOMP compressed archive" +# extracted by `unpack seahelp.hl_` +24 string/b FTCOMP FTCOMP compressed archive +#!:mime application/octet-stream +!:mime application/x-compress-ftcomp +!:ext ??_/??@/dll/drv/pk2/ +# probably A596FDFF magic at the beginning +>0 ubelong !0xA596FDFF \b, at beginning %#x +# probably original file name with directory like: \OS2\unpack.exe \SYSTEM\8514.DRV MAHJONGG.EXE +>41 string x "%s" + # MP3 (archiver, not lossy audio compression) 0 string MP3\x1a MP3-Archiver archive data # ZET @@ -615,8 +964,6 @@ 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data -# PUCrunch -0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp @@ -645,8 +992,10 @@ # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data -# PRO-PACK -0 string RNC PRO-PACK archive data +# PRO-PACK https://www.segaretro.org/Rob_Northen_compression +0 string RNC +>3 byte 1 PRO-PACK archive data (compression 1) +>3 byte 2 PRO-PACK archive data (compression 2) # 777 0 string 777 777 archive data # LZS221 @@ -674,13 +1023,43 @@ 0 string NSK NaShrink archive data # SAPCAR 0 string #\ CAR\ archive\ header SAPCAR archive data -0 string CAR\ 2.00RG SAPCAR archive data +0 string CAR\ 2.00 SAPCAR archive data +0 string CAR\ 2.01 SAPCAR archive data +#!:mime application/octet-stream +!:mime application/vnd.sar +!:ext sar # Disintegrator 0 string DST Disintegrator archive data # ASD 0 string ASD ASD archive data # InstallShield CAB -0 string ISc( InstallShield CAB +# Update: Joerg Jenderek at Nov 2021 +# URL: https://en.wikipedia.org/wiki/InstallShield +# Reference: https://github.com/twogood/unshield/blob/master/lib/cabfile.h +# Note: Not compatible with Microsoft CAB files +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield.trid.xml +# CAB_SIGNATURE 0x28635349 +0 string ISc( InstallShield +#!:mime application/octet-stream +!:mime application/x-installshield +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield-hdr.trid.xml +>16 ulelong !0 setup header +# like: _SYS1.HDR _USER1.HDR data1.hdr +!:ext hdr +>16 ulelong =0 CAB +# like: _SYS1.CAB _USER1.CAB DATA1.CAB data2.cab +!:ext cab +# https://github.com/twogood/unshield/blob/master/lib/helper.c +# version like: 0x1005201 0x100600c 0x1007000 0x1009500 +# 0x2000578 0x20005dc 0x2000640 0x40007d0 0x4000834 +>4 ulelong x \b, version %#x +# volume_info like: 0 +>8 ulelong !0 \b, volume_info %#x +# cab_descriptor_offset like: 0x200 +>12 ulelong !0x200 \b, offset %#x +#>0x200 ubequad x \b, at 0x200 %#16.16llx +# cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2 +>16 ulelong !0 \b, descriptor size %#x # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable @@ -719,11 +1098,39 @@ # TPac 0 string \4TPAC\3 TPac archive data # Ai +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver 0 string Ai\1\1\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai 0 string Ai\1\0\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai # Ai32 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml +# Note: called "Ai Archivator compressed archive" by TrID 0 string Ai\2\0 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# according to TrID the next 3 bytes are nil +>5 ubyte !0 \b, at 5 %#x +>6 ubyte !0 \b, at 6 %#x +>7 ubyte !0 \b, at 7 %#x +# the fourth byte with value 0 is probably a flag for "non solid" mode +#>3 ubyte =0x00 \b, unsolid mode 0 string Ai\2\1 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default +>3 ubyte =0x01 \b, solid mode # SBC 0 string SBC SBC archive data # Ybs @@ -816,7 +1223,7 @@ !:ext dz >>2 byte x \b, version %i >>3 byte x \b.%i ->>4 ulelong x \b, offset 0x%x +>>4 ulelong x \b, offset %#x >>8 ulelong x \b, %u files # ZZip archiver (.zz) 0 string ZZ\ \0\0 ZZip archive data @@ -827,30 +1234,143 @@ >3 byte&0xf0 0x30 >>3 byte x (v%c) # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JAR_(ARJ_Software) +# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jar.trid.xml +# https://www.sac.sk/download/pack/jar102x.exe/TECHNOTE.DOC +# Note: called "JAR compressed archive" by TrID 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data +#!:mime application/octet-stream +!:mime application/x-compress-j +>0 ulelong x \b, CRC32 %#x +# standard suffix is ".j"; for multi volumes following order j01 j02 ... j99 100 ... 990 +!:ext j/j01/j02 +# URL: http://fileformats.archiveteam.org/wiki/JARCS +# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jarcs.trid.xml +# Note: called "JARCS compressed archive" by TrID 0 string JARCS JAR (ARJ Software, Inc.) archive data +#!:mime application/octet-stream +!:mime application/x-compress-jar +!:ext jar # ARJ archiver (jason@jarthur.Claremont.EDU) -0 leshort 0xea60 ARJ archive data +# URL: http://fileformats.archiveteam.org/wiki/ARJ +# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-arj.trid.xml +# https://github.com/FarGroup/FarManager/ +# blob/master/plugins/multiarc/arc.doc/arj.txt +# Note: called "ARJ compressed archive" by TrID and +# "ARJ File Format" by DROID via PUID fmt/610 +# verified by `7z l -tarj PHRACK1.ARJ` and +# `arj.exe l TEST-hk9.ARJ` +0 leshort 0xea60 +# skip DROID fmt-610-signature-id-946.arj by check for valid file type of main header +>0xA ubyte 2 +>>0 use arj-archive +0 name arj-archive +>0 leshort x ARJ archive !:mime application/x-arj ->5 byte x \b, v%d, ->8 byte &0x04 multi-volume, ->8 byte &0x10 slash-switched, ->8 byte &0x20 backup, ->34 string x original name: %s, ->7 byte 0 os: MS-DOS ->7 byte 1 os: PRIMOS ->7 byte 2 os: Unix ->7 byte 3 os: Amiga ->7 byte 4 os: Macintosh ->7 byte 5 os: OS/2 ->7 byte 6 os: Apple ][ GS ->7 byte 7 os: Atari ST ->7 byte 8 os: NeXT ->7 byte 9 os: VAX/VMS ->3 byte >0 %d] +# look for terminating 0-character of filename +>0x26 search/1024 \0 +# file name extension is normally .arj but not for parts of multi volume +#>>&-5 string x extension %.4s +>>&-5 string/c .arj data +!:ext arj +>>&-5 default x +# for multi volume first name is archive.arj then following parts archive.a01 archive.a02 ... +>>>8 byte &0x04 data +!:ext a01/a02 +# for SFX first name is archive.exe then following parts archive.e01 archive.e02 ... +>>>8 byte ^0x04 data, SFX multi-volume +!:ext e01/e02 +# basic header size like: 0x002b 0x002c 0x04e0 0x04e3 0x04e7 +#>2 uleshort x basic header size %#4.4x +# next fragment content like: 0x0a200a003a8fc713 0x524a000010bb3471 0x524a0000c73c70f9 +#>(2.s) ubequad x NEXT FRAGMENT CONTENT %#16.16llx +# first_hdr_size; seems to be same as basic header size +#>2 uleshort x 1st header size %#x +# archiver version number like: 3 4 6 11 102 +>5 byte x \b, v%d +# minimum archiver version to extract like: 1 +>6 ubyte !1 \b, minimum %u to extract +# FOR DEBUGGING +#>8 byte x \b, FLAGS %#x +# GARBLED_FLAG1; garble with password; g switch +>8 byte &0x01 \b, password-protected +# encryption version: 0~old 1~old 2~new 3~reserved 4~40 bit key GOST +>>0x20 ubyte x (v%u) +#>8 byte &0x02 \b, secured +# ANSIPAGE_FLAG; indicates ANSI codepage used by ARJ32; hy switch +>8 byte &0x02 \b, ANSI codepage +# VOLUME_FLAG indicates presence of succeeding volume; but apparently not for SFX +>8 byte &0x04 \b, multi-volume +#>8 byte &0x08 \b, file-offset +# ARJPROT_FLAG; build with data protection record; hk switch +>8 byte &0x08 \b, recoverable +# arj protection factor; maximal 10; switch hky -> factor=y+1 +>>0x22 byte x (factor %u) +>8 byte &0x10 \b, slash-switched +# BACKUP_FLAG; obsolete +>8 byte &0x20 \b, backup +# SECURED_FLAG; +>8 byte &0x40 \b, secured, +# ALTNAME_FLAG; indicates dual-name archive +>8 byte &0x80 \b, dual-name +# security version; 0~old 2~current +>9 ubyte !0 +>>9 ubyte !2 \b, security version %u +# file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel +>0xA ubyte !2 \b, file type %u +# date+time when original archive was created in MS-DOS format via ./msdos +>0xC ulelong x \b, created +>0xC use dos-date +# or date and time by new internal function +#>0xE lemsdosdate x %s +#>0xC lemsdostime x %s +# FOR DEBUGGING +#>0x12 uleshort x RAW DATE %#4.4x +#>0x10 uleshort x RAW TIME %#4.4x +# date+time when archive was last modified; sometimes nil or +# maybe wrong like in HP4DRVR.ARJ +#>0x10 ulelong >0 \b, modified +#>>0x10 use dos-date +# or date and time by new internal function +#>>0x12 lemsdosdate x %s +#>>0x10 lemsdostime x %s +# archive size (currently used only for secured archives); MAYBE? +#>0x14 ulelong !0 \b, file size %u +# security envelope file position; MAYBE? +#>0x18 ulelong !0 \b, at %#x security envelope +# filespec position in filename; WHAT IS THAT? +#>0x1C uleshort >0 \b, filespec position %#x +# length in bytes of security envelope data like: 2CAh 301h 364h 471h +>0x1E uleshort !0 \b, security envelope length %#x +# last chapter like: 0 1 +>0x21 ubyte !0 \b, last chapter %u +# filename (null-terminated string); sometimes at 0x26 when 4 bytes for extra data +>34 byte x \b, original name: +# with extras data +>34 byte <0x0B +>>38 string x %s +# without extras data +>34 byte >0x0A +>>34 string x %s +# host OS: 0~MSDOS ... 11~WIN32 +>7 byte 0 \b, os: MS-DOS +>7 byte 1 \b, os: PRIMOS +>7 byte 2 \b, os: Unix +>7 byte 3 \b, os: Amiga +>7 byte 4 \b, os: Macintosh +>7 byte 5 \b, os: OS/2 +>7 byte 6 \b, os: Apple ][ GS +>7 byte 7 \b, os: Atari ST +>7 byte 8 \b, os: NeXT +>7 byte 9 \b, os: VAX/VMS +>7 byte 10 \b, os: WIN95 +>7 byte 11 \b, os: WIN32 # [JW] idarc says this is also possible 2 leshort 0xea60 ARJ archive data +#2 leshort 0xea60 +#>2 use arj-archive # HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... @@ -915,7 +1435,7 @@ >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one -# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment +# "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment >>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data @@ -923,7 +1443,7 @@ >>>>>>3 regex \^lh[456] LHa (2.x) archive data >>>>>>>2 string -lh5 \b # https://en.wikipedia.org/wiki/BIOS -# Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like +# Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like # bios.rom , kd7_v14.bin, 1010.004, ... !:ext lha/lzh/rom/bin # missing -lh?- variants (Joe Jared) @@ -950,21 +1470,21 @@ # compressed data size != compressed file size #>7 ulelong x \b, data size %d # attribute: 0x2~?? 0x10~symlink|target 0x20~normal -#>19 ubyte x \b, 19_0x%x +#>19 ubyte x \b, 19_%#x # level identifier 0 1 2 3 #>20 ubyte x \b, level %d # time stamp -#>15 ubelong x DATE 0x%8.8x +#>15 ubelong x DATE %#8.8x # OS ID for level 1 >20 ubyte 1 # 0x20 types find for *.rom files ->>(21.b+24) ubyte <0x21 \b, 0x%x OS +>>(21.b+24) ubyte <0x21 \b, %#x OS # ascii type like M for MSDOS >>(21.b+24) ubyte >0x20 \b, '%c' OS # OS ID for level 2 >20 ubyte 2 -#>>23 ubyte x \b, OS ID 0x%x ->>23 ubyte <0x21 \b, 0x%x OS +#>>23 ubyte x \b, OS ID %#x +>>23 ubyte <0x21 \b, %#x OS >>23 ubyte >0x20 \b, '%c' OS # filename only for level 0 and 1 >20 ubyte <2 @@ -1103,6 +1623,83 @@ !:mime application/zip !:ext zip/cbz +# Android APK file (Zip archive) +0 string PK\003\004 +!:strength +1 +# Starts with AndroidManifest.xml (file name length = 19) +>26 uleshort 19 +>>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/com/android/build/gradle/app-metadata.properties +>26 uleshort 57 +>>30 string META-INF/com/android/build/gradle/ +>>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with classes.dex (file name length = 11) +>26 uleshort 11 +>>30 string classes.dex Android package (APK), with classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/MANIFEST.MF (file name length = 20) +# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files +>26 uleshort 20 +>>30 string META-INF/MANIFEST.MF +# Contains resources.arsc (near the end, in the central directory) +>>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>-22 string PK\005\006 +>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>>-22 string PK\005\006 +>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar +# Starts with zipflinger virtual entry (28 + 104 = 132 bytes) +# See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 +>4 string \x00\x00\x00\x00\x00\x00 +>>&0 string \x21\x08\x21\x02 +>>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +>>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# APK Signing Block +>0 default x +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\005\006 Zip archive data (empty) !:mime application/zip @@ -1178,6 +1775,18 @@ !:mime application/vnd.sun.xml.base !:ext sdb +# URL: https://wiki.openoffice.org/wiki/Documentation/DevGuide/Extensions/File_Format +# From: Joerg Jenderek +# Note: only few OXT samples are detected here by mimetype member +# is used by OpenOffice and LibreOffice and probably also NeoOffice +# verified by `unzip -Zv *.oxt` or `7z l -slt *.oxt` +>>50 string vnd.openofficeorg. OpenOffice +>>>68 string extension \b/LibreOffice Extension +# http://extension.nirsoft.net/oxt +!:mime application/vnd.openofficeorg.extension +# like: Gallery-Puzzle.2.1.0.1.oxt +!:ext oxt + # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) # URL: http://fileformats.archiveteam.org/wiki/OpenDocument # https://lists.oasis-open.org/archives/office/200505/msg00006.html @@ -1193,9 +1802,13 @@ >>>>77 string -web HTML Document Template !:mime application/vnd.oasis.opendocument.text-web !:ext oth ->>>>77 string -master Master Document +>>>>77 string -master +>>>>>84 byte !0x2d Master Document !:mime application/vnd.oasis.opendocument.text-master !:ext odm +>>>>>84 string -template Master Template +!:mime application/vnd.oasis.opendocument.text-master-template +!:ext otm >>>73 string graphics >>>>81 byte !0x2d Drawing !:mime application/vnd.oasis.opendocument.graphics @@ -1238,8 +1851,7 @@ # Valid for LibreOffice Base 6.0.1.1 at least >>>73 string base Database # https://bugs.documentfoundation.org/show_bug.cgi?id=45854 -!:mime application/vnd.oasis.opendocument.database -#!:mime application/vnd.oasis.opendocument.base +!:mime application/vnd.oasis.opendocument.base !:ext odb >>>73 string image >>>>78 byte !0x2d Image @@ -1255,6 +1867,16 @@ >>50 string epub+zip EPUB document !:mime application/epub+zip +# From: Hajin Jang <jb6804@naver.com> +# hwpx (OWPML) document format follows OCF specification. +# Hangul Word Processor 2010+ supports HWPX format. +# URL: https://www.hancom.com/etc/hwpDownload.do +# https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101 +# https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331 +>>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX +!:mime application/x-hwp+zip +!:ext hwpx + # From: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/CorelDRAW # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based @@ -1308,9 +1930,10 @@ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip -# Java Jar files +# Java Jar files (see also APK files above) >(26.s+30) leshort 0xcafe Java archive data (JAR) !:mime application/java-archive +!:ext jar # iOS App >(26.s+30) leshort !0xcafe @@ -1319,8 +1942,9 @@ >>>>38 search/64 .app/ iOS App !:mime application/x-ios-app ->30 search/100/b application/epub+zip EPUB document -!:mime application/epub+zip +# Dup, see above. +#>30 search/100/b application/epub+zip EPUB document +#!:mime application/epub+zip # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) # Next line excludes specialized formats: @@ -1331,6 +1955,8 @@ >>>>4 beshort x \b, at least >>>>4 use zipversion >>>>4 beshort x to extract +>>>>8 beshort x \b, compression method= +>>>>8 use zipcompression >>>>0x161 string WINZIP \b, WinZIP self-extracting # StarView Metafile @@ -1340,16 +1966,116 @@ >8 belong x \b, size %d # Zoo archiver -20 lelong 0xfdc4a7dc Zoo archive data +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Zoo_(file_format) +# http://fileformats.archiveteam.org/wiki/Zoo +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml +# http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h +# Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269 +# verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO` +20 lelong 0xfdc4a7dc +# skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive +>32 byte >0 Zoo archive data !:mime application/x-zoo ->4 byte >48 \b, v%c. ->>6 byte >47 \b%c ->>>7 byte >47 \b%c ->32 byte >0 \b, modify: v%d ->>33 byte x \b.%d+ ->42 lelong 0xfdc4a7dc \b, ->>70 byte >0 extract: v%d ->>>71 byte x \b.%d+ +# bak is extension of backup-ed zoo +!:ext zoo/bak +# version in text form like: 1.50 2.00 2.10 +>>4 byte >48 \b, v%c. +>>>6 byte >47 \b%c +>>>>7 byte >47 \b%c +# ZOO files typically start with "ZOO ?.?? Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything +>>8 string !\040Archive.\032 \b, at 8 +>>>8 string x text "%0.10s" +# major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0 +>>32 byte >0 \b, modify: v%d +>>>33 byte x \b.%d+ +# major_ver.minor_ver; minimum version needed to extract after modify like in old versions +>>(24.l+28) ubyte x \b, extract: v%u +>>(24.l+29) ubyte x \b.%u+ +# with zoo 2.00 additional fields have been added in the archive header +>>32 byte >1 +# type; type of archive header like: 1 2 +>>>34 ubyte !1 \b, header type %u +# acmt_pos; position of archive comment like: 6258 30599 61369 149501 +>>>35 lelong >0 \b, at %d +# acmt_len; length of archive comment like: 258 +>>>>39 uleshort x %u bytes comment +#>>>>(35.l) ubequad x COMMENT=%16.16llx +# 1st character of comment maybe is CarriageReturn (0x0d) +>>>>(35.l) ubyte <040 +# 2nd character of comment maybe is LineFeed (0x0a) +>>>>>(35.l+1) ubyte <040 +# comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by" +>>>>>>(35.l+2) string x %s +# next character of remaining comment maybe is CarriageReturn (0x0d) +>>>>>>>&0 ubyte <040 +>>>>>>>>&0 ubyte <040 +# 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload +>>>>>>>>>&0 string >037 %s +# vdata; archive-level versioning byte like: 1 3 +>>>41 ubyte !1 \b, vdata %#x +# zoo_start; pointer to 1st entry header +>>24 lelong x \b; at %u +# zoo_minus; zoo_start -1 for consistency checking +#>>28 lelong x \b, zoo_minus %#x +# zoo_tag; tag for check +#>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x +# type; type of directory entry like: 1 2 +>>(24.l+4) ubyte !2 type=%u +# packing_method; 0~no packing 1~normal LZW 2~lzh +>>(24.l+5) ubyte x method= +>>>(24.l+5) ubyte 0 \bnot-compressed +>>>(24.l+5) ubyte 1 \blzd +>>>(24.l+5) ubyte 2 \blzh +# next; position of next directory entry +>>(24.l+6) ulelong x \b, next entry at %u +# offset; position of file data for this entry +#>>(24.l+10) ulelong x \b, data at %u +# file_crc; CRC-16 of file data +>>(24.l+18) uleshort x \b, CRC %#4.4x +# comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO) +>>(24.l+32) lelong >0 \b, at %#x +# cmt_size; if not 0 for none then length of entry comment like: 46 +>>>(24.l+36) uleshort >0 %u bytes comment +# entry comment itself like: "CGA .GL file showing menu input from keyboard" +>>>>(&-6.l) string x "%s" +# org_size; original size of file +>>(24.l+20) ulelong x \b, size %u +# size_now; compressed size of file +>>(24.l+24) ulelong x (%u compressed) +# major_ver.minor_ver; minimum version needed to extract already done +# deleted; will be 1 if deleted, 0 if not +>>(24.l+30) ubyte =1 \b, deleted +# struc; file structure if any; WHAT IS THAT? +>>(24.l+31) ubyte !0 \b, structured +# fname[13]; short/DOS file name like 12345678.012 +>>(24.l+38) string x \b, %0.13s +# for directory entry type 2 with variable part +>>(24.l+4) ubyte =2 +# var_dir_len; length of variable part of dir entry +>>>(24.l+51) uleshort >0 +#>>>(24.l+51) uleshort >0 \b, variable part length %u +# namlen; length of long filename +#>>>>(24.l+56) ubyte x \b, namlen %u +# dirlen; length of directory name +#>>>>(24.l+57) ubyte x \b, dirlen %u +# if file length positive then show long file name +>>>>(24.l+56) ubyte >0 +# lfname[256]; long file name \0-terminated +>>>>>(24.l+58) string x "%s" +# if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name +>>>>(24.l+57) ubyte >0 +>>>>>(24.l+55) ubyte x +# dirname[256]; directory name \0-terminated +>>>>>>&(&0.b+2) string x in "%s" +# dir_crc; CRC of directory entry +#>>>(24.l+54) uleshort x \b, entry CRC %#4.4x +# tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC -107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC +>>>(24.l+53) byte !0x7f \b, time zone %d/4 +# date; last mod file date in DOS format +>>>(24.l+14) lemsdosdate x \b, modified %s +# time; last mod file time in DOS format +>>>(24.l+16) lemsdostime x %s # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text @@ -1412,30 +2138,67 @@ # Felix von Leitner <felix-file@fefe.de> 0 string d8:announce BitTorrent file !:mime application/x-bittorrent +!:ext torrent # Durval Menezes, <jmgthbfile at durval dot com> 0 string d13:announce-list BitTorrent file !:mime application/x-bittorrent +!:ext torrent 0 string d7:comment BitTorrent file !:mime application/x-bittorrent +!:ext torrent 0 string d4:info BitTorrent file !:mime application/x-bittorrent +!:ext torrent # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> -0 beshort 0x0e0f Atari MSA archive data ->2 beshort x \b, %d sectors per track ->4 beshort 0 \b, 1 sided ->4 beshort 1 \b, 2 sided ->6 beshort x \b, starting track: %d ->8 beshort x \b, ending track: %d +# URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver) +# Reference: http://info-coach.fr/atari/documents/_mydoc/FD_Image_File_Format.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/m/msa.trid.xml +# Update: Joerg Jenderek +# Note: called by TrID "Atari MSA Disk Image" and verified by +# command like `deark -l -m msa -d2 PDATS578.msa` as " Atari ST floppy disk image" +# GRR: line below is too general as it matches setup.skin +0 beshort 0x0e0f +# skip foo setup.skin with unrealistic high number 52255 of sides by check for valid "low" value +>4 ubeshort <2 Atari MSA archive data +#!:mime application/octet-stream +!:mime application/x-atari-msa +!:ext msa +# sectors per track like: 9 10 +>>2 beshort x \b, %d sectors per track +# sides (0 or 1; add 1 to this to get correct number of sides) +>>4 beshort 0 \b, 1 sided +>>4 beshort 1 \b, 2 sided +# starting track like: 0 +>>6 beshort x \b, starting track: %d +# ending track like: 39 79 80 81 +>>8 beshort x \b, ending track: %d +# tracks content +#>>10 ubequad x \b, track content %#16.16llx # Alternate ZIP string (amc@arwen.cs.berkeley.edu) 0 string PK00PK\003\004 Zip archive data !:mime application/zip !:ext zip/cbz +# Recognize ZIP archives with prepended data by end-of-central-directory record +# https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD) +# by Michal Gorny <mgorny@gentoo.org> +-2 uleshort 0 +>&-22 string PK\005\006 +# without #! +>>0 string !#! Zip archive, with extra data prepended +!:mime application/zip +!:ext zip/cbz +# with #! +>>0 string/w #!\ a +>>>&-1 string/T x %s script executable (Zip archive) + # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl <sec@42.org> 7 string **ACE** ACE archive data +!:mime application/x-ace-compressed +!:ext ace >15 byte >0 version %d >16 byte =0x00 \b, from MS-DOS >16 byte =0x01 \b, from OS/2 @@ -1472,8 +2235,17 @@ >>0x2A string >\0 : %s # DR-DOS 7.03 Packed File *.??_ -0 string Packed\ File\ Personal NetWare Packed File ->12 string x \b, was "%.12s" +# Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm +# Note: unpacked by PNUNPACK.EXE +0 string Packed\ File\ +# by looking for Control-Z skip ASCII text starting with Packed File +>0x18 ubyte 0x1a Personal NetWare Packed File +!:mime application/x-novell-compress +!:ext ??_ +>>12 string x \b, was "%.12s" +# 1 or 2 +#>>0x19 ubyte x \b, at 0x19 %u +>>0x1b ulelong x with %u bytes # EET archive # From: Tilman Sauerbeck <tilman@code-monkey.de> @@ -1548,7 +2320,7 @@ >24 belong 2 MD5 checksum >24 belong 3 SHA-256 checksum >24 belong 4 SHA-512 checksum ->24 belong >4 unknown 0x%x checksum +>24 belong >4 unknown %#x checksum #>24 belong >4 checksum # For no compression jump 0 bytes >24 belong 0 @@ -1556,7 +2328,7 @@ # jump more bytes forward by header size >>>&(4.S) ubyte x # jump more bytes forward by compressed table of contents size -#>>>>&(8.Q) ubequad x \b, heap data 0x%llx +#>>>>&(8.Q) ubequad x \b, heap data %#llx >>>>&(8.Q) ubyte x # look for data by ./compress after message with 1 space at end >>>>>&-3 indirect x \b, contains @@ -1628,7 +2400,7 @@ # *.GHS or *.[0-9] with cns program option >2 ubyte&0x08 0x08 \b, split file # part of split index interesting for *.ghs ->>4 ubyte x id=0x%x +>>4 ubyte x id=%#x # compression tag minus one equals numeric compression command line switch z[1-9] >3 ubyte 0 \b, no compression >3 ubyte 2 \b, fast compression (Z1) @@ -1666,7 +2438,28 @@ >3 byte x version %d # LyNX archive +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive +# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml +# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64 +# TODO: merge and unify with Commodore C64 BASIC program 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive +# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64 +#!:strength +0 +#!:mime application/octet-stream +!:mime application/x-commodore-lnx +!:ext lnx +# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn +>86 search/10 \x8910\0\0\0\r \b, +# for DEBUGGING +#>>&0 string x STRING="%s" +# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5 +>>&0 regex [0-9]{1,5} %s directory blocks +# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*" +>>>&2 regex [^\r]{1,24} \b, signature "%s" +# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?) +>>>>&1 regex [0-9]{1,3} \b, %s files # From: Joerg Jenderek # URL: https://www.acronis.com/ @@ -1676,9 +2469,9 @@ !:mime application/x-acronis-tib !:ext tib # 01000000 -#>20 ubelong x \b, at 20 0x%x +#>20 ubelong x \b, at 20 %#x # 20000000 -#>28 ubelong x \b, at 28 0x%x +#>28 ubelong x \b, at 28 %#x # strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0" # ??? # strings like "\Device\0000011e" "\Device\0000015a" @@ -1699,6 +2492,7 @@ # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5 -4 string STOP >-16 string XPAKSTOP Gentoo binary package (XPAK) +!:mime application/vnd.gentoo.xpak # From: Joerg Jenderek # URL: https://kodi.wiki/view/TexturePacker @@ -1719,3 +2513,95 @@ # path[CXBTFFile[MaximumPathLength=256] >>9 string x \b, 1st %s +# ALZIP archive +# by Hyungjun Park <hyungjun.park@worksmobile.com>, Hajin Jang <hajin_jang@worksmobile.com> +# http://kippler.com/win/unalz/ +# https://salsa.debian.org/l10n-korean-team/unalz +0 string ALZ\001 ALZ archive data +!:ext alz + +# https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip +0 string EGGA EGG archive data, +!:ext egg +>5 byte x version %u +>4 byte x \b.%u +>>0x0E ulelong =0x08E28222 +>>0x0E ulelong =0x24F5A262 \b, split +>>0x0E ulelong =0x24E5A060 \b, solid +>>0x0E default x \b, unknown + +# PAQ9A archive +# URL: http://mattmahoney.net/dc/#paq9a +# Note: Line 1186 of paq9a.cpp gives the magic bytes +0 string pQ9\001 PAQ9A archive + +# From wof (wof@stachelkaktus.net) +0 string Unison\ archive\ format Unison archive format + +# https://ankiweb.net +30 string collection.anki2 Anki APKG file +#!:ext .apkg + +# Synology archive (DiskStation Manager 7.0+) +# From: Alexandre Iooss <erdnaxe@crans.org> +# Note: These archives are signed and encrypted. +0 ulelong&0xFFFFFF00 0xEFBEAD00 +# MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes) +>8 ulelong&0x00FFFFFF 0x20C495 Synology archive +!:ext spk +# Extract some properties from MessagePack third item +>>43 search/0x10000 package= +>>>&0 string x \b, package %s +>>43 search/0x10000 arch= +>>>&0 string x %s +>>43 search/0x10000 version= +>>>&0 string x %s +>>43 search/0x10000 create_time= +>>>&0 string x \b, created on %s + +# MonoGame/XNA processed assets archive +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs +0 string XNB +# XNB must be version 4 or 5 +>4 byte <6 +>>4 byte >3 +# Size must be positive +>>>6 lelong >0 MonoGame/XNA processed assets +!:ext xnb +>>>>3 string =w \b, for Windows +>>>>3 string =x \b, for Xbox360 +>>>>3 string =i \b, for iOS +>>>>3 string =a \b, for Android +>>>>3 string =d \b, for DesktopGL +>>>>3 string =X \b, for MacOSX +>>>>3 string =W \b, for WindowsStoreApp +>>>>3 string =n \b, for NativeClient +>>>>3 string =M \b, for WindowsPhone8 +>>>>3 string =r \b, for RaspberryPi +>>>>3 string =P \b, for PlayStation4 +>>>>3 string =5 \b, for PlayStation5 +>>>>3 string =O \b, for XboxOne +>>>>3 string =S \b, for Nintendo Switch +>>>>3 string =G \b, for Google Stadia +>>>>3 string =b \b, for WebAssembly and Bridge.NET +>>>>3 string =m \b, for WindowsPhone7.0 (XNA) +>>>>3 string =p \b, for PlayStationMobile +>>>>3 string =v \b, for PSVita +>>>>3 string =g \b, for Windows (OpenGL) +>>>>3 string =l \b, for Linux +>>>>4 byte x \b, version %d +>>>>5 byte &0x80 \b, LZX compressed +>>>>>10 lelong x \b, decompressed size: %d bytes +>>>>5 byte &0x40 \b, LZ4 compressed +>>>>>10 lelong x \b, decompressed size: %d bytes + +# Electron ASAR archive +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/electron/asar +0 ulelong 4 +# Match JSON header start and end +>16 string {"files":{" +>>(12.l+12) string }}}} Electron ASAR archive +!:ext asar +>>>12 ulelong x \b, header length: %d bytes diff --git a/contrib/file/magic/Magdir/aria b/contrib/file/magic/Magdir/aria new file mode 100644 index 000000000000..c3a6bf57e464 --- /dev/null +++ b/contrib/file/magic/Magdir/aria @@ -0,0 +1,38 @@ + +#------------------------------------------------------------------------------ +# URL: https://de.wikipedia.org/wiki/Aria_(Software) +# Reference: https://github.com/aria2/aria2/blob/master/doc/manual-src/en/technical-notes.rst +# From: Joerg Jenderek +# Note: only version 1 suited +# check for valid version one +0 beshort 0x0001 +# skip most uncompressed DEGAS med-res bitmap *.PI2 and GEM bitmap (v1) *.IMG +# by test for valid infoHashCheck extension +>2 ubelong&0xffFFffFE 0x00000000 +# skip DEGAS med-res bitmap DIAGRAM1.PI2 by test for valid length of download +>>(6.L+14) ubequad >0 +>>>0 use aria +0 name aria +# version; (0x0000) or (0x0001); for 0 all multi-byte are in host byte order. For 1 big endian +>0 beshort x aria2 control file, version %u +#!:mime application/octet-stream +!:mime application/x-aria +!:ext aria2 +# EXTension; if EXT[3]&1 == 1 checks whether saved InfoHash and current downloading the same; infoHashCheck extension +>2 ubelong !0 \b, infoHashCheck %#x +# info hash length like: 0 14h +>6 ubelong !0 \b, %#x bytes info hash +# info hash; BitTorrent InfoHash +>>10 ubequad x %#16.16llx... +# piece length; the length of the piece like: 400h 100000h +>(6.L+10) ubelong x \b, piece length 0x%x +# total length; the total length of the download +>(6.L+14) ubequad x \b, total length %llu +#>(6.L+14) ubequad x \b, total length %#llx +# upload length; the uploaded length of download like: 0 400h +>(6.L+22) ubequad !0 \b, upload length %#llx +# bitfield length; the length of bitfield like: 4 6 Ah 10h 13h 167h +>(6.L+30) ubelong x \b, %#x bytes bitfield +# bitfield; bitfield which represents current download progress +>(6.L+34) ubequad !0 %#llx... + diff --git a/contrib/file/magic/Magdir/arm b/contrib/file/magic/Magdir/arm new file mode 100644 index 000000000000..c514320354e6 --- /dev/null +++ b/contrib/file/magic/Magdir/arm @@ -0,0 +1,50 @@ +#------------------------------------------------------------------------------ +# $File: arm,v 1.3 2022/10/31 14:35:39 christos Exp $ +# arm: file(1) magic for ARM COFF +# +# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format + +# Aarch64 +0 leshort 0xaa64 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM +0 leshort 0x01c0 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM Thumb +0 leshort 0x01c2 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARMv7 Thumb +0 leshort 0x01c4 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + +# ARM64EC +0 leshort 0xa641 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 diff --git a/contrib/file/magic/Magdir/asf b/contrib/file/magic/Magdir/asf index c97f5498f53e..744a0afc2ca9 100644 --- a/contrib/file/magic/Magdir/asf +++ b/contrib/file/magic/Magdir/asf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: asf,v 1.1 2019/12/26 02:07:53 christos Exp $ +# $File: asf,v 1.4 2022/10/31 13:22:26 christos Exp $ # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # http://www.staroceans.org/e-book/ASF_Specification.pdf @@ -21,9 +21,9 @@ # ASF_Stream_Properties_Object >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 #>>56 lequad x Time Offset %lld -#>>64 lelong x Type-Specicic Data Length %d +#>>64 lelong x Type-Specific Data Length %d #>>68 lelong x Error Correction Data Length %d -#>>72 leshort x Flags 0x%x +#>>72 leshort x Flags %#x #>>74 lelong x Reserved %x # ASF_Audio_Media >>24 guid F8699E40-5B4D-11CF-A8FD-00805F5C442B \b, Audio Media ( @@ -40,7 +40,7 @@ #>>>85 leshort x \b, Format Data Size %x >>>93 lelong x \b, Image Width %d >>>97 lelong x \b, Image Height %d -#>>>101 leshort x \b, Reserved 0x%x +#>>>101 leshort x \b, Reserved %#x >>>103 leshort x \b, Bits Per Pixel Count %d #>>>105 lelong x \b, Compression ID %d #>>>109 lelong x \b, Image Size %d @@ -88,7 +88,7 @@ >0 guid 26F18B5D-4584-47EC-9F5F-0E651F0452C9 ASF_Compatibility_Object >0 guid 43058533-6981-49E6-9B74-AD12CB86D58C ASF_Advanced_Content_Encryption_Object >0 guid 59DACFC0-59E6-11D0-A3AC-00A0C90348F6 ASF_Command_Media ->0 guid B61BE100-5B4E-11CF-A8FD-00805F5C44 ASF_JFIF_Media +>0 guid B61BE100-5B4E-11CF-A8FD-00805F5C442B ASF_JFIF_Media >0 guid 35907DE0-E415-11CF-A917-00805F5C442B ASF_Degradable_JPEG_Media >0 guid 91BD222C-F21C-497A-8B6D-5AA86BFC0185 ASF_File_Transfer_Media >0 guid 3AFB65E2-47EF-40F2-AC2C-70A90D71D343 ASF_Binary_Media diff --git a/contrib/file/magic/Magdir/audio b/contrib/file/magic/Magdir/audio index 448f000a38bc..55c5cd0ad20e 100644 --- a/contrib/file/magic/Magdir/audio +++ b/contrib/file/magic/Magdir/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.118 2019/11/19 05:30:07 christos Exp $ +# $File: audio,v 1.127 2023/03/05 20:15:49 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -183,42 +183,57 @@ 21 string BMOD2STM Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module + +1080 string \!PM! 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + 1080 string M.K. 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string M!K! 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string FLT4 4-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string FLT8 8-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string 4CHN 4-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 6CHN 6-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 8CHN 8-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string CD81 8-channel Octalyser module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + 1080 string OKTA 8-channel Octalyzer module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data @@ -403,10 +418,26 @@ 0 string THX AHX version >3 byte =0 1 module data >3 byte =1 2 module data ->10 byte x TRL: %u ->11 byte x TRK: %u ->12 byte x SMP: %u ->13 byte x SS: %u +>11 ubyte x TRK: %u +>10 ubyte x TRL: %u +>12 ubyte x SMP: %u +>13 ubyte x SS: %u +>(4.H) string x Title: "%.128s" + +# header is mostly AHX format +0 string HVL +>3 byte <2 Hively Tracker Song +>3 byte =0 v1 module data +>3 byte =1 v2 module data +>11 ubyte x TRK: %u +>10 ubyte x TRL: %u +>12 ubyte x SMP: %u +>13 ubyte x SS: %u +>8 ubyte/4 =0 CHN: 4 +>8 ubyte/4 >0 CHN: 4+%u +#>-0 offset <0xffff +>(4.H) string x Title: "%.128s" + # 0 string OKTASONG Oktalyzer module data # @@ -445,7 +476,7 @@ >0 string >\0 Composer: "%s" 0 string AMF AMF Module >4 string >\0 Title: "%s" -0 string MODINFO1 Open Cubic Player Module Inforation MDZ +0 string MODINFO1 Open Cubic Player Module Information MDZ 0 string Extended\40Instrument: Fast Tracker II Instrument # From: Takeshi Hamasaki <hma@syd.odn.ne.jp> @@ -548,15 +579,13 @@ # From: Alex Myczko <alex@aiei.ch> # https://github.com/rerrahkr/BambooTracker -0 string BambooTrackerMod BambooTracker module ->22 byte x \b, version %u ->21 byte x \b.%u ->20 byte x \b.%u - -0 string BambooTrackerIst BambooTracker instrument ->22 byte x \b, version %u ->21 byte x \b.%u ->20 byte x \b.%u +0 string BambooTracker BambooTracker +>13 string Mod Module +>13 string Ist Instrument +>13 string Bnk Bank +>22 byte x \b, version %u +>21 byte x \b.%u +>20 byte x \b.%u 0 string CC2x CheeseCutter 2 song @@ -716,36 +745,36 @@ >>8 ubyte&0x0F >0 \b%d #Get soundchips >>8 ubyte x \b, soundchip(s)= ->>0x0C ulelong >0 SN76489, ->>0x10 ulelong >0 YM2413, ->>0x2C ulelong >0 YM2612, ->>0x30 ulelong >0 YM2151, +>>0x0C ulelong >0 SN76489 (PSG), +>>0x10 ulelong >0 YM2413 (OPLL), +>>0x2C ulelong >0 YM2612 (OPN2), +>>0x30 ulelong >0 YM2151 (OPM), >>0x38 ulelong >0 Sega PCM, >>0x34 ulelong >0xC ->>>0x40 ulelong >0 RF5C68, +>>>0x40 ulelong >0 RF5C68 (PCM), >>0x34 ulelong >0x10 ->>>0x44 ulelong >0 YM2203, +>>>0x44 ulelong >0 YM2203 (OPN), >>0x34 ulelong >0x14 ->>>0x48 ulelong >0 YM2608, +>>>0x48 ulelong >0 YM2608 (OPNA), >>0x34 ulelong >0x18 ->>>0x4C lelong >0 YM2610, ->>>0x4C lelong <0 YM2610B, +>>>0x4C lelong >0 YM2610 (OPNB), +>>>0x4C lelong <0 YM2610B (OPNB+2FM), >>0x34 ulelong >0x1C ->>>0x50 ulelong >0 YM3812, +>>>0x50 ulelong >0 YM3812 (OPL2), >>0x34 ulelong >0x20 ->>>0x54 ulelong >0 YM3526, +>>>0x54 ulelong >0 YM3526 (OPL), >>0x34 ulelong >0x24 ->>>0x58 ulelong >0 Y8950, +>>>0x58 ulelong >0 Y8950 (MSX-Audio), >>0x34 ulelong >0x28 ->>>0x5C ulelong >0 YMF262, +>>>0x5C ulelong >0 YMF262 (OPL3), >>0x34 ulelong >0x2C ->>>0x60 ulelong >0 YMF278B, +>>>0x60 ulelong >0 YMF278B (OPL4), >>0x34 ulelong >0x30 ->>>0x64 ulelong >0 YMF271, +>>>0x64 ulelong >0 YMF271 (OPX), >>0x34 ulelong >0x34 ->>>0x68 ulelong >0 YMZ280B, +>>>0x68 ulelong >0 YMZ280B (PCMD8), >>0x34 ulelong >0x38 ->>>0x6C ulelong >0 RF5C164, +>>>0x6C ulelong >0 RF5C164 (PCM), >>0x34 ulelong >0x3C >>>0x70 ulelong >0 PWM, >>0x34 ulelong >0x40 @@ -767,11 +796,11 @@ >>0x34 ulelong >0x54 >>>0x88 ulelong >0 MultiPCM, >>0x34 ulelong >0x58 ->>>0x8C ulelong >0 uPD7759, +>>>0x8C ulelong >0 uPD7759 (ADPCM Speech), >>0x34 ulelong >0x5C ->>>0x90 ulelong >0 OKIM6258, +>>>0x90 ulelong >0 OKIM6258 (ADPCM Speech), >>0x34 ulelong >0x64 ->>>0x98 ulelong >0 OKIM6295, +>>>0x98 ulelong >0 OKIM6295 (ADPCM), >>0x34 ulelong >0x68 >>>0x9C ulelong >0 K051649, >>0x34 ulelong >0x6C @@ -796,10 +825,10 @@ >>0x34 ulelong >0x94 >>>0xC8 ulelong >0 SAA1099, >>0x34 ulelong >0x98 ->>>0xCC ulelong >0 ES5503, +>>>0xCC ulelong >0 ES5503 (DOC), >>0x34 ulelong >0x9C ->>>0xD0 lelong >0 ES5505, ->>>0xD0 lelong <0 ES5506, +>>>0xD0 lelong >0 ES5505 (OTIS), +>>>0xD0 lelong <0 ES5506 (OTTO), >>0x34 ulelong >0xA4 >>>0xD8 ulelong >0 X1-010, >>0x34 ulelong >0xA8 @@ -847,16 +876,16 @@ >>18 ubyte x \b, language ID %d # structure for phrases/sentences? # number of voice sample in the 1st phrase? -#>>19 uleshort x \b, 0x%x samples -#>>>21 uleshort >0 \b, at 0x%4.4x -#>>>(21.s) ubequad x 0x%llx +#>>19 uleshort x \b, %#x samples +#>>>21 uleshort >0 \b, at %#4.4x +#>>>(21.s) ubequad x %#llx # 2nd phrase? -#>>23 uleshort x \b, 0x%x samples -#>>>25 uleshort >0 \b, at 0x%4.4x -#>>>(25.s) ubequad x 0x%llx +#>>23 uleshort x \b, %#x samples +#>>>25 uleshort >0 \b, at %#4.4x +#>>>(25.s) ubequad x %#llx # pointer to 1st audio WAV sample >>16 uleshort >0 ->>>(16.s) ulelong >0 \b, at 0x%x +>>>(16.s) ulelong >0 \b, at %#x # WAV length # 1 space char after "bytes" to get phrase "bytes RIFF" >>>>(16.s+4) ulelong >0 %u bytes @@ -894,11 +923,6 @@ >0x3 byte&0x0F x \b%02d >>0x4 string >\0 title: "%s" -0 string HVL ->3 byte <2 Hively Tracker Song ->3 byte 0 1 module data ->3 byte 1 2 module data - 0 string MO3 >3 ubyte <6 MOdule with MP3 >>3 byte 0 Version 0 (With MP3 and lossless) @@ -1136,3 +1160,132 @@ >>0 use nintendo-3ds-bcwav-fields >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcwav-fields + +# Philips DSDIFF audio format (Direct Stream Digital Interchange File Format) +# Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations +# https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf +# From: Toni Ruottu <toni.ruottu@iki.fi> +0 string FRM8 +12 string DSD\x20 DSDIFF audio bitstream data +!:mime audio/x-dff +!:ext dff + +# format version chunk +>&0 string FVER +# version 1 +>>&8 byte 1 + +# v1 / sampling resolution ( 1 bit PDM only ) +>>>&0 string x \b, 1 bit + +# v1 / sound property chunk +>>>&0 search/0xff PROP +>>>>&8 string SND + +# v1 / sound property chunk / channel configuration chunk +>>>>>&0 search/0xff CHNL +>>>>>>&8 ubeshort 1 \b, mono +>>>>>>&8 ubeshort 2 +>>>>>>>&0 string SLFTSRGT \b, stereo +>>>>>>>&0 default x \b, 2 channels +>>>>>>&8 ubeshort 3 +>>>>>>>&0 string SLFTSRGTLFE\x20 \b, 2.1 stereo +>>>>>>>&0 string SLFTSRGTC\x20\x20\x20 \b, 3.0 stereo +>>>>>>>&0 default x \b, 3 channels +>>>>>>&8 ubeshort 4 +>>>>>>>&0 string MLFTMRGTLS\x20\x20RS\x20\x20 \b, 4.0 surround +>>>>>>>&0 string SLFTSRGTC\x20\x20\x20LFE\x20 \b, 3.1 stereo +>>>>>>>&0 default x \b, 4 channels +>>>>>>&8 ubeshort 5 +>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LS\x20\x20RS\x20\x20 \b, 5.0 surround +>>>>>>>&0 string MLFTMRGTLFE\x20LS\x20\x20RS\x20\x20 \b, 4.1 surround +>>>>>>>&0 default x \b, 5 channels +>>>>>>&8 ubeshort 6 +>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LFE\x20LS\x20\x20RS\x20\x20 \b, 5.1 surround +>>>>>>>&0 default x \b, 6 channels +>>>>>>&8 ubeshort >6 \b, %u channels + +# v1 / sound property chunk / sample rate chunk +>>>>>&0 search/0xff FS\x20\x20 +>>>>>>&0 string x \b, +>>>>>>&8 ubelong%44100 0 +>>>>>>>&-4 ubelong/44100 x "DSD %u" +>>>>>>>&-4 ubelong x %u Hz + +# v1 / sound property chunk / compression type chunk +>>>>>&0 search/0xff CMPR +>>>>>>&8 string DSD\x20 \b, no compression +>>>>>>&8 string DST\x20 \b, DST compression +>>>>>>&8 default x \b, unknown compression + +# v1 / quest for metadata +>>>&0 string x + +# v1 / quest for metadata / edited master information chunk +>>>>&0 search DIIN +>>>>>&0 ubequad >0 \b, "edited master" metadata + +# v1 / quest for metadata / ID3 chunk ( defacto standard ) +>>>>&0 search ID3\x20 +>>>>>&8 string ID3 \b, ID3 version 2 +>>>>>&0 byte x \b.%u +>>>>>&1 byte x \b.%u + +# v1 / quest for metadata / failure ( possibly due to -P bytes=... being too low ) +>>>>&0 default x \b, ID3 missing (or unreachable) + +# version > 1 or 0 +>>&0 default x \b, unknown version + +# Sony DSF audio format (Direct Stream Digital Stream File) +# Used for lossless digital storage of songs produced as DSD audio +# Portable analog of a track stored on a Super Audio CD (SACD) +# https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf +# From: Toni Ruottu <toni.ruottu@iki.fi> +0 string DSD\x20 DSF audio bitstream data +!:mime audio/x-dsf +!:ext dsf + +# format chunk +>28 string fmt\x20 +# version 1 +>>&8 ulelong 1 + +# v1 / sampling resolution ( 1 bit PDM only ) +# NOTE: the spec incorrectly uses "bits per sample" instead of "bits per byte" +>>>&0 string x \b, 1 bit + +# v1 / channel configuration +>>>>&4 ulelong 1 \b, mono +>>>>&4 ulelong 2 \b, stereo +>>>>&4 ulelong 3 \b, 3.0 stereo +>>>>&4 ulelong 4 \b, 4.0 surround +>>>>&4 ulelong 5 \b, 3.1 stereo +>>>>&4 ulelong 6 \b, 5.0 surround +>>>>&4 ulelong 7 \b, 5.1 surround +>>>>&0 default x +>>>>>&4 ulelong x \b, %u channels + +# v1 / sample rate chunk +>>>>&0 string x \b, +>>>>&12 ulelong%44100 0 +>>>>>&-4 ulelong/44100 x "DSD %u" +>>>>&12 ulelong x %u Hz + +# v1 / compression +>>>>&0 string x +>>>>>&0 ulelong 0 \b, no compression +>>>>>&0 default x \b, unknown compression + +# v1 / embedded ID3v2 metadata +>>>0 string x \b, ID3 +>>>>20 ulequad !0 +>>>>>(20.q) string ID3 version 2 +>>>>>>&0 byte x \b.%u +>>>>>>&1 byte x \b.%u +# unable to verify ID3 ( possibly due to -P bytes=... being too low ) +>>>>>&0 default x unreachable +>>>>&0 default x missing + +# version > 1 or 0 +>>&0 default x \b, unknown version diff --git a/contrib/file/magic/Magdir/avm b/contrib/file/magic/Magdir/avm new file mode 100644 index 000000000000..86e96d110e30 --- /dev/null +++ b/contrib/file/magic/Magdir/avm @@ -0,0 +1,33 @@ + +#------------------------------------------------------------------------------ +# $File: avm,v 1.1 2020/08/28 20:37:58 christos Exp $ +# avm: file(1) magic for avm files; this is not use + +# Summary: FRITZ!Box router configuration backup +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Fritz!Box +# Reference: http://www.mengelke.de/Projekte/FritzBoxTools2 +# Note: only tested with models 4040 and 6490 Cable (lgi) +0 string ****\ FRITZ!Box\ FRITZ!Box configuration backup +#!:mime text/plain +!:mime application/x-avm-export +!:ext export +# router model name like "4040" , "6490 Cable (lgi)" followed by " CONFIGURATION EXPORT" +>15 string x of %-.4s +# on 2nd line hashed password +#>41 search/54 Password= \b, password +# on 3rd line firmware version like: 141.06.24 141.06.50 141.07.10 ... 155.06.83 +>41 search/172 FirmwareVersion= \b, firmware version +>>&0 string x %s +# on 5th line oem like: avme lgi +>41 search/285 OEM= \b, oem +>>&0 string x %s +# on 7th line language like: de en +>41 search/305 Language= \b, language +>>&0 string x %s +# on 10th line cfg file name like: /var/tmp.cfg +>41 search/349 tmp.cfg +# on 11th line date inside c-comment like: Thu Jun 4 22:25:19 2015 +>>&4 string x \b, %s +# + diff --git a/contrib/file/magic/Magdir/biosig b/contrib/file/magic/Magdir/biosig index e490f6cc7eff..7d41713f24a5 100644 --- a/contrib/file/magic/Magdir/biosig +++ b/contrib/file/magic/Magdir/biosig @@ -19,7 +19,7 @@ 0 string ATES\x20MEDICA\x20SOFT.\x20EEG\x20for\x20Windows Biosig/ATES MEDICA SOFT. EEG for Windows !:mime biosig/ates # -0 string ATF\x09 Biosig/Axon Text fomrat +0 string ATF\x09 Biosig/Axon Text format !:mime biosig/atf # 0 string ADU1 Biosig/Axona file format diff --git a/contrib/file/magic/Magdir/blender b/contrib/file/magic/Magdir/blender index 276242eab02f..5a897113e092 100644 --- a/contrib/file/magic/Magdir/blender +++ b/contrib/file/magic/Magdir/blender @@ -1,13 +1,24 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $ +# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # https://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42 - +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/BLEND +# http://www.blender.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/blend.trid.xml +# http://formats.kaitai.io/blender_blend/index.html +# Note: called "Blender 3D data" by TrID +# and gzip compressed variant handled by ./compress 0 string =BLENDER Blender3D, +#!:mime application/octet-stream +!:mime application/x-blender +!:ext blend +# no sample found with extension blender +#!:ext blend/blender >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. diff --git a/contrib/file/magic/Magdir/blit b/contrib/file/magic/Magdir/blit index d5b687fce60b..5ce787070683 100644 --- a/contrib/file/magic/Magdir/blit +++ b/contrib/file/magic/Magdir/blit @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: blit,v 1.8 2009/09/19 16:28:08 christos Exp $ +# $File: blit,v 1.9 2021/07/03 14:01:46 christos Exp $ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... @@ -14,7 +14,11 @@ 0 short 03401 VAX-order 68K Blit (standalone) executable 0 long 0406 68k Blit mpx/mux executable 0 short 0406 VAX-order2 68k Blit mpx/mux executable +# GRR: line below is too general as it matches also TTComp archive, ASCII, 4K handled by ./archive 0 short 03001 VAX-order 68k Blit mpx/mux executable +# TODO: +# skip TTComp archive, ASCII, 4K by looking for executable keyword like main +#>0 search/5536 main\0 VAX-order 68k Blit mpx/mux executable # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable diff --git a/contrib/file/magic/Magdir/bm b/contrib/file/magic/Magdir/bm new file mode 100644 index 000000000000..a9a1d5bb3f42 --- /dev/null +++ b/contrib/file/magic/Magdir/bm @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: bm,v 1.2 2021/03/14 16:56:51 christos Exp $ +# bm: file(1) magic for "Birtual Machine", cf. https://github.com/tsoding/bm + +0 string bm\001\244 Birtual Machine +>4 leshort x \b, version %d +>6 lelong x \b, program size %u +>14 lelong x \b, memory size %u +>22 lelong x \b, memory capacity %u diff --git a/contrib/file/magic/Magdir/bsi b/contrib/file/magic/Magdir/bsi index 20a17d9c2d0d..87e0fec76e85 100644 --- a/contrib/file/magic/Magdir/bsi +++ b/contrib/file/magic/Magdir/bsi @@ -2,8 +2,9 @@ # Office for Information Security (Bundesamt fuer Sicherheit in der # Informationstechnik). -# Extension: .xia -0 string XIA1 Chiasmus encrypted data +# https://www.bsi.bund.de/EN/Topics/OtherTopics/Chiasmus/Chiasmus_node.html +0 string XIA1\r Chiasmus Encrypted data +!:ext xia -# Extension: .xis 0 string XIS Chiasmus key +!:ext xis diff --git a/contrib/file/magic/Magdir/burp b/contrib/file/magic/Magdir/burp new file mode 100644 index 000000000000..460d18c4c27f --- /dev/null +++ b/contrib/file/magic/Magdir/burp @@ -0,0 +1,7 @@ + +#------------------------------------------------------------ +# $File: burp,v 1.1 2022/07/04 17:15:09 christos Exp $ +# Burp file, I don't know the version +#------------------------------------------------------------ +# From wof (wof@stachelkaktus.net) +0 bequad 0x6685828000000001 Burp project save file diff --git a/contrib/file/magic/Magdir/bytecode b/contrib/file/magic/Magdir/bytecode new file mode 100644 index 000000000000..dca961c26431 --- /dev/null +++ b/contrib/file/magic/Magdir/bytecode @@ -0,0 +1,41 @@ + +#------------------------------------------------------------ +# $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $ +# magic for various bytecodes + +# From: Mikhail Gusarov <dottedmag@dottedmag.net> +# NekoVM (https://nekovm.org/) bytecode +0 string NEKO NekoVM bytecode +>4 lelong x (%d global symbols, +>8 lelong x %d global fields, +>12 lelong x %d bytecode ops) +!:mime application/x-nekovm-bytecode + +# https://www.iana.org/assignments/media-types/application/vnd.resilient.logic +# From: Benedikt Muessig <benedikt@resilient-group.de> +0 belong 0x07524c4d Resilient Logic bytecode +!:mime application/vnd.resilient.logic +>4 byte/16 x \b, version %d +>4 byte&0x0f x \b.%d + +# Guile file magic from <dalepsmith@gmail.com> +# https://www.gnu.org/s/guile/ +# https://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 + +0 string GOOF---- Guile Object +>8 string LE \b, little endian +>8 string BE \b, big endian +>11 string 4 \b, 32bit +>11 string 8 \b, 64bit +>13 regex .\\.. \b, bytecode v%s + +# Racket file magic +# From: Haelwenn (lanodan) Monnier <contact+libmagic@hacktivis.me> +# https://racket-lang.org/ +# https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt +0 string #~ +>&0 pstring x +>>&0 pstring racket +>>>0 string #~ Racket bytecode +>>>>&0 pstring x (version %s) + diff --git a/contrib/file/magic/Magdir/c-lang b/contrib/file/magic/Magdir/c-lang index 9356e82ed9e2..6e375a06a7e6 100644 --- a/contrib/file/magic/Magdir/c-lang +++ b/contrib/file/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.28 2019/11/15 21:03:14 christos Exp $ +# $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -17,7 +17,7 @@ >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text -!:strength + 13 +!:strength + 15 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text @@ -49,7 +49,10 @@ >0 regex \^union[[:space:]]+ C source text !:mime text/x-c 0 search/8192 main( ->&0 regex \\)[[:space:]]*\\{ C source text +>&0 search/64 String Java source text +!:mime text/x-java +>&0 default x +>>&0 regex \\)[[:space:]]*\\{ C source text !:mime text/x-c # C++ @@ -85,13 +88,13 @@ !:strength + 30 !:mime text/x-c++ 0 search/8192 protected ->0 regex \^[[:space:]]*protected: C++ source text +>0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C 0 search/8192 #import ->0 regex \^#import Objective-C source text +>0 regex \^#import[[:space:]]+["<] Objective-C source text !:strength + 25 !:mime text/x-objective-c diff --git a/contrib/file/magic/Magdir/c64 b/contrib/file/magic/Magdir/c64 index ff4e93309e6e..6c8732090ff3 100644 --- a/contrib/file/magic/Magdir/c64 +++ b/contrib/file/magic/Magdir/c64 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: c64,v 1.7 2017/11/15 12:19:06 christos Exp $ +# $File: c64,v 1.14 2023/06/16 19:24:06 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann <doj@cubic.org> @@ -8,9 +8,146 @@ 0x16500 belong 0x12014100 D64 Image 0x16500 belong 0x12014180 D71 Image 0x61800 belong 0x28034400 D81 Image -0 string C64\40CARTRIDGE CCS C64 Emultar Cartridge Image 0 belong 0x43154164 X64 Image +# C64 (and other CBM) cartridges +# Extended by David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://vice-emu.sourceforge.io/vice_17.html#SEC391 + +0 string C64\40CARTRIDGE Commodore 64 cartridge +>0x20 ubyte 0 \b, +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s", +>0x16 beshort 0 +>>0x18 beshort 0x0000 16 KB game +>>0x18 beshort 0x0001 8 KB game +>>0x18 beshort 0x0100 UltiMax mode +>>0x18 beshort 0x0101 RAM/disabled +>0x16 beshort 1 Action Replay +>0x16 beshort 2 KCS Power Cartridge +>0x16 beshort 3 Final Cartridge III +>0x16 beshort 4 Simons' BASIC +>0x16 beshort 5 Ocean type 1 +>0x16 beshort 6 Expert Cartridge +>0x16 beshort 7 Fun Play, Power Play +>0x16 beshort 8 Super Games +>0x16 beshort 9 Atomic Power +>0x16 beshort 10 Epyx Fastload +>0x16 beshort 11 Westermann Learning +>0x16 beshort 12 Rex Utility +>0x16 beshort 13 Final Cartridge I +>0x16 beshort 14 Magic Formel +>0x16 beshort 15 C64 Game System, System 3 +>0x16 beshort 16 Warp Speed +>0x16 beshort 17 Dinamic +>0x16 beshort 18 Zaxxon / Super Zaxxon (Sega) +>0x16 beshort 19 Magic Desk, Domark, HES Australia +>0x16 beshort 20 Super Snapshot V5 +>0x16 beshort 21 Comal-80 +>0x16 beshort 22 Structured BASIC +>0x16 beshort 23 Ross +>0x16 beshort 24 Dela EP64 +>0x16 beshort 25 Dela EP7x8 +>0x16 beshort 26 Dela EP256 +>0x16 beshort 27 Rex EP256 +>0x16 beshort 28 Mikro Assembler +>0x16 beshort 29 Final Cartridge Plus +>0x16 beshort 30 Action Replay 4 +>0x16 beshort 31 Stardos +>0x16 beshort 32 EasyFlash +>0x16 beshort 33 EasyFlash Xbank +>0x16 beshort 34 Capture +>0x16 beshort 35 Action Replay 3 +>0x16 beshort 36 +>>0x1A ubyte 1 Nordic Replay +>>0x1A ubyte !1 Retro Replay +>0x16 beshort 37 MMC64 +>0x16 beshort 38 MMC Replay +>0x16 beshort 39 IDE64 +>0x16 beshort 40 Super Snapshot V4 +>0x16 beshort 41 IEEE-488 +>0x16 beshort 42 Game Killer +>0x16 beshort 43 Prophet64 +>0x16 beshort 44 EXOS +>0x16 beshort 45 Freeze Frame +>0x16 beshort 46 Freeze Machine +>0x16 beshort 47 Snapshot64 +>0x16 beshort 48 Super Explode V5.0 +>0x16 beshort 49 Magic Voice +>0x16 beshort 50 Action Replay 2 +>0x16 beshort 51 MACH 5 +>0x16 beshort 52 Diashow-Maker +>0x16 beshort 53 Pagefox +>0x16 beshort 54 Kingsoft +>0x16 beshort 55 Silverrock 128K Cartridge +>0x16 beshort 56 Formel 64 +>0x16 beshort 57 +>>0x1A ubyte 1 Hucky +>>0x1A ubyte !1 RGCD +>0x16 beshort 58 RR-Net MK3 +>0x16 beshort 59 EasyCalc +>0x16 beshort 60 GMod2 +>0x16 beshort 61 MAX Basic +>0x16 beshort 62 GMod3 +>0x16 beshort 63 ZIPP-CODE 48 +>0x16 beshort 64 Blackbox V8 +>0x16 beshort 65 Blackbox V3 +>0x16 beshort 66 Blackbox V4 +>0x16 beshort 67 REX RAM-Floppy +>0x16 beshort 68 BIS-Plus +>0x16 beshort 69 SD-BOX +>0x16 beshort 70 MultiMAX +>0x16 beshort 71 Blackbox V9 +>0x16 beshort 72 Lt. Kernal Host Adaptor +>0x16 beshort 73 RAMLink +>0x16 beshort 74 H.E.R.O. +>0x16 beshort 75 IEEE Flash! 64 +>0x16 beshort 76 Turtle Graphics II +>0x16 beshort 77 Freeze Frame MK2 + +0 string C128\40CARTRIDGE Commodore 128 cartridge +>0x20 ubyte 0 \b, +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s", +>0x16 beshort 0 generic cartridge +>0x16 beshort 1 Warpspeed128 +>>0x1A ubyte 1 \b, REU support +>>0x1A ubyte 2 \b, REU support, with I/O and ROM banking + +0 string CBM2\40CARTRIDGE Commodore CBM-II cartridge +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s" + +0 string VIC20\40CARTRIDGE Commodore VIC-20 cartridge +>0x20 ubyte 0 \b, +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s", +>0x16 beshort 0 generic cartridge +>0x16 beshort 1 Mega-Cart +>0x16 beshort 2 Behr Bonz +>0x16 beshort 3 Vic Flash Plugin +>0x16 beshort 4 UltiMem +>0x16 beshort 5 Final Expansion + +0 string PLUS4\40CARTRIDGE Commodore 16/Plus4 cartridge +>0x20 ubyte !0 +>>0x20 string/T x \b: "%.32s" + + +# DreamLoad archives see: +# https://www.lemon64.com/forum/viewtopic.php?t=37415\ +# &sid=494dc2ca91289e05dadf80a7f8a968fe (at the bottom). +# https://www.c64-wiki.com/wiki/DreamLoad. +# Example HVSC Commodore 64 music collection: +# https://kohina.duckdns.org/HVSC/C64Music/10_Years_HVSC.dfi + +0 byte 0 +>1 string DREAMLOAD\40FILE\40ARCHIVE +>>0x17 byte 0 DFI Image +>>>0x1a leshort x version: %d. +>>>0x18 leshort x \b%d +>>>0x1c lelong x tracks: %d + 0 string GCR-1541 GCR Image >8 byte x version: %i >9 byte x tracks: %i @@ -28,17 +165,17 @@ 0 belong 0xFF424CFF WRAptor packer (c64) 0 string C64S\x20tape\x20file T64 tape Image ->32 leshort x Version:0x%x +>32 leshort x Version:%#x >36 leshort !0 Entries:%i >40 string x Name:%.24s 0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image ->32 leshort x Version:0x%x +>32 leshort x Version:%#x >36 leshort !0 Entries:%i >40 string x Name:%.24s 0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image ->32 leshort x Version:0x%x +>32 leshort x Version:%#x >36 leshort !0 Entries:%i >40 string x Name:%.24s @@ -56,3 +193,357 @@ >68 string >\0 \b (C) %s >100 byte >0 \b, %u subsong(s) +# CBM BASIC (cc65 compiled) +# Summary: binary executable or Basic program for Commodore C64 computers +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Commodore_BASIC_tokenized_file +# Reference: https://www.c64-wiki.com/wiki/BASIC_token +# https://github.com/thezerobit/bastext/blob/master/bastext.doc +# http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c64.trid.xml +# TODO: unify Commodore BASIC/program sub routines +# Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe +0 leshort 0x0801 +# display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive +#!:strength +0 +# if first token is not SYS this implies BASIC program in most cases +>6 ubyte !0x9e +# but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35) +>>23 search/30 \323ELF-E\330TRACTING-\332IP +>>>0 use c64-exe +>>23 default x +>>>0 use c64-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use c64-exe +# display information about C64 binary executable (memory address, line number, token) +0 name c64-exe +>0 uleshort x Commodore C64 +# http://a1bert.kapsi.fi/Dev/pucrunch/ +# start address 0801h; next offset 080bh; BASIC line number is 239=00EFh; BASIC instruction is SYS 2061 +# the above combination appartly also occur for other Commodore programs like: gunzip111.c64.prg +# and there exist PUCrunch archive for other machines like C16 with other magics +>0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program, probably PUCrunch archive data +!:mime application/x-compress-pucrunch +!:ext prg/pck +>0 string !\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# valid 2nd BASIC fragment found only in sELF-ExTRACTING-zIP executable unzp6420.prg +>>23 search/30 \323ELF-E\330TRACTING-\332IP +# jump again from beginning +>>>(2.s-0x800) ubyte x +>>>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C64 BASIC program (memory address, line number, token) +0 name c64-prg +>0 uleshort x Commodore C64 BASIC program +!:mime application/x-commodore-basic +# Tokenized BASIC programs were stored by Commodore as file type program "PRG" in separate field in directory structures. +# So file name can have no suffix like in saveroms; When transferring to other platforms, they are often saved with .prg extensions. +# BAS suffix is typically used for the BASIC source but also found in program pods.bas +!:ext prg/bas/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C128 computers +# URL: https://en.wikipedia.org/wiki/Commodore_128 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c128.trid.xml +# From: Joerg Jenderek +# Note: Commodore 128 BASIC 7.0 variant; there exist varaints with different start addresses +0 leshort 0x1C01 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches SVr3 curses screen image, big-endian with strength (50) handled by ./terminfo +# probably skip SVr3 curses images with "invalid high" second line offset +>2 uleshort <0x1D02 +# skip foo with "invalid low" second line offset +>>2 uleshort >0x1C06 +# if first token is not SYS this implies BASIC program +>>>6 ubyte !0x9e +>>>>0 use c128-prg +# if first token is SYS this implies binary executable +>>>6 ubyte =0x9e +>>>>0 use c128-exe +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.1 extension by Rick Simon +# start adress 132Dh +#0 leshort 0x132D THIS_IS_C128_7.1 +#>0 use c128-prg +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.0 saved with graphics mode enabled +# start adress 4001h +#0 leshort 0x4001 THIS_IS_C128_GRAPHIC +#>0 use c128-prg +# display information about tokenized C128 BASIC program (memory address, line number, token) +0 name c128-prg +>0 uleshort x Commodore C128 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about C128 program (memory address, line number, token) +0 name c128-exe +>0 uleshort x Commodore C128 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in Commodore executables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C16/VIC-20/Plus4 computers +# URL: https://en.wikipedia.org/wiki/Commodore_Plus/4 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20.trid.xml +# defs/p/prg-plus4.trid.xml +# From: Joerg Jenderek +# Note: there exist VIC-20 variants with different start address +# GRR: line below is too generic because it matches Novell LANalyzer capture +# with regular trace header record handled by ./sniffer +0 leshort 0x1001 +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" token value 54h +>6 ubyte >0x7F +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" second line offset 4Ch +#>>2 uleshort >0x1006 OFFSET_NOT_TOO_LOW +# skip foo with "invalid high" second line offset but not for 0x123b (Minefield.prg) +#>>>2 uleshort <0x1102 OFFSET_NOT_TOO_HIGH +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +# valid second end of line separator implies BASIC program +>>>(2.s-0x1000) ubyte =0 +>>>>0 use c16-prg +# invalid second end of line separator !=0 implies binary executable like: Minefield.prg +>>>(2.s-0x1000) ubyte !0 +>>>>0 use c16-exe +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use c16-exe +# display information about C16 program (memory address, line number, token) +0 name c16-exe +>0 uleshort x Commodore C16/VIC-20/Plus4 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C16 BASIC program (memory address, line number, token) +0 name c16-prg +>0 uleshort x Commodore C16/VIC-20/Plus4 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore VIC-20 computer with 8K RAM expansion +# URL: https://en.wikipedia.org/wiki/VIC-20 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20-8k.trid.xml +# From: Joerg Jenderek +# Note: Basic v2.0 with Basic v4.0 extension (VIC20); there exist VIC-20 variants with different start addresses +# start adress 1201h +0 leshort 0x1201 +# if first token is not SYS this implies BASIC program +>6 ubyte !0x9e +>>0 use vic-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use vic-exe +# display information about Commodore VIC-20 BASIC+8K program (memory address, line number, token) +0 name vic-prg +>0 uleshort x Commodore VIC-20 +8K BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1200) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore VIC-20 +8K program (memory address, line number, token) +0 name vic-exe +>0 uleshort x Commodore VIC-20 +8K program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore PET computers +# URL: https://en.wikipedia.org/wiki/Commodore_PET +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-pet.trid.xml +# From: Joerg Jenderek +# start adress 0401h +0 leshort 0x0401 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches TTComp archive data, ASCII, 1K dictionary +# (strength=48=50-2) handled by ./archive and shared library (strength=50) handled by ./ibm6000 +# skip TTComp archive data, ASCII, 1K dictionary ttcomp-ascii-1k.bin with "invalid high" second line offset 4162h +>2 uleshort <0x0502 +# skip foo with "invalid low" second line offset +#>>2 uleshort >0x0406 OFFSET_NOT_TOO_LOW +# skip bar with "invalid end of line" +#>>>(2.s-0x0400) ubyte =0 END_OF_LINE_OK +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +>>>0 use pet-prg +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use pet-exe +# display information about Commodore PET BASIC program (memory address, line number, token) +0 name pet-prg +>0 uleshort x Commodore PET BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore PET program (memory address, line number, token) +0 name pet-exe +>0 uleshort x Commodore PET program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized BASIC line (memory address, line number, Token) +0 name basic-line +# pointer to memory address of beginning of "next" BASIC line +# greater then previous offset but maximal 100h difference +>0 uleshort x \b, offset %#4.4x +# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data +>0 uleshort 0 +# not line number but first 2 data bytes +>>2 ubeshort x \b, data %#4.4x +# not token but next 2 data bytes +>>4 ubeshort x \b%4.4x +# not token arguments but next data bytes +>>6 ubequad x \b%16.16llx +>>14 ubequad x \b%16.16llx... +# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive +#>>3 string x "%-0.30s" +>0 uleshort >0 +# BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100) +>>2 uleshort x \b, line %u +# https://www.c64-wiki.com/wiki/BASIC_token +# The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators +>>4 ubyte x \b, token (%#x) +# https://www.c64-wiki.com/wiki/REM +>>4 string \x8f REM +# remark string like: ** SYNTHESIZER BY RICOCHET ** +>>>5 string >\0 %s +#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x +# https://www.c64-wiki.com/wiki/PRINT +>>4 string \x99 PRINT +# string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141 +>>>5 string x %s +#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx +# https://www.c64-wiki.com/wiki/POKE +>>4 string \x97 POKE +# <Memory address>,<number> +>>>5 regex \^[0-9,\040]+ %s +# BASIC command delimiter colon (:=3Ah) +>>>>&-2 ubyte =0x3A +# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands +>>>>>&0 string x "%s" +# https://www.c64-wiki.com/wiki/SYS 0x9e=\236 +>>4 string \x9e SYS +# SYS <Address> parameter is a 16-bit unsigned integer; in the range 0 - 65535 +>>>5 regex \^[0-9]{1,5} %s +# maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg +# (\302(43)\252256\254\302(44)\25236) /T.L.R/ +#>>>5 string x SYS_STRING="%s" +# https://www.c64-wiki.com/wiki/GOSUB +>>4 string \x8d GOSUB +# <line> +>>>5 string >\0 %s diff --git a/contrib/file/magic/Magdir/cad b/contrib/file/magic/Magdir/cad index 3d07b422fc18..0bead6eeb483 100644 --- a/contrib/file/magic/Magdir/cad +++ b/contrib/file/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.23 2020/05/30 23:58:07 christos Exp $ +# $File: cad,v 1.31 2022/12/09 15:36:23 christos Exp $ # autocad: file(1) magic for cad files # @@ -32,8 +32,8 @@ #>0 ubyte &0x40 \b, reserved # type of element 9~TCB 8~Digitizer setup 5~Group Data Elements #>1 ubyte&0x7F x \b, type %u -# words to follow in element: 17H~CEL libray 2FEh~DGN 9FEh,DFEh~CIT -#>2 uleshort x \b, words 0x%4.4x to follow +# words to follow in element: 17H~CEL library 2FEh~DGN 9FEh,DFEh~CIT +#>2 uleshort x \b, words %#4.4x to follow # test for 3 reserved 0 bytes in CIT or "conversion" in ViewInfo structure (DGN CEL) #>508 ubelong x \b, RESERVED %8.8x >508 ubelong&0xFFffFF00 =0 @@ -58,7 +58,7 @@ >>>>1120 string x \b, units %-.2s # 2 chars for name of master unit like IN in ML SU tn th TH HU mm "\0 "\040 \0\0 >>>>1122 string >\0 %-.2s -#>>>>1120 ubelong x \b, units 0x%8.8x +#>>>>1120 ubelong x \b, units %#8.8x # element range low,high x y z like xlow=0 08010000h 01080000h #>>>>4 ubelong !0 \b, xlow %8.8x #>>>>8 ubelong !0 \b, ylow %8.8x @@ -67,7 +67,7 @@ #>>>>20 ubelong !0 \b, yhigh %8.8x #>>>>24 ubelong !0 \b, zhigh %8.8x # graphic group number; all other elements in that group have same non-0 number -#>>>>28 leshort x \b, grphgrp 0x%4.4x +#>>>>28 leshort x \b, grphgrp %#4.4x # words to optional attribute linkage #>>>>30 ubyte x \b, attindx \%o #>>>>31 ubyte x \b\%o @@ -91,11 +91,11 @@ # >>30 string \372\106 DGNFile # >>30 string \376\103 DGNFile # elements properties indicator -#>>>>32 uleshort !0 \b, properties 0x%4.4x +#>>>>32 uleshort !0 \b, properties %#4.4x # class 0~Primary -#>>>>>32 uleshort&0x000F !0 \b, class 0x%4.4x +#>>>>>32 uleshort&0x000F !0 \b, class %#4.4x # Symbology -#>>>>>34 uleshort x \b, Symbology 0x%4.4x +#>>>>>34 uleshort x \b, Symbology %#4.4x # test for 2nd element type 1~library cell header >>&1 ubyte&0x7F 1 # test for 1st element with level 8 and type 5 for cell library @@ -151,13 +151,13 @@ >194 ubyte &0x04 horizontal >194 ubyte ^0x04 vertical # ScannableFlag; Scanline indexing method used -#>195 ubyte !0 \b, ScannableFlag 0x%x +#>195 ubyte !0 \b, ScannableFlag %#x # RotationAngle; Rotation angle of raster data -#>196 ubequad !0 \b, RotationAngle 0x%llx +#>196 ubequad !0 \b, RotationAngle %#llx # SkewAngle; Skew angle of raster data #>204 ubequad !0 \b, SkewAngle %llx # DataTypeModifier; Additional raster data format info -#>212 uleshort !0 \b, DataTypeModifier 0x%4.4x +#>212 uleshort !0 \b, DataTypeModifier %#4.4x # DesignFile[66]; Name of the design file >214 string >\0 \b, DesignFile %-.66s # DatabaseFile[66]; Name of the database file @@ -167,9 +167,9 @@ # FileDescription[80]; Text description of file and contents >412 string >\0 \b, FileDescription %-.80s # MinValue -#>492 ubequad !0 \b, MinValue 0x%llx +#>492 ubequad !0 \b, MinValue %#llx # MaxValue -#>500 ubequad !0 \b, MaxValue 0x%llx +#>500 ubequad !0 \b, MaxValue %#llx # Reserved[3]; Unused (always 0) #>508 ubelong&0xFFffFF00 x \b, RESERVED %8.8x # GridFileVersion; Grid File Version like 2 3 @@ -213,9 +213,11 @@ # AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) 0 string AC1012 DWG AutoDesk AutoCAD Release 13 !:mime image/vnd.dwg +0 string AC1013 DWG AutoDesk AutoCAD Release 13c3 +!:mime image/vnd.dwg 0 string AC1014 DWG AutoDesk AutoCAD Release 14 !:mime image/vnd.dwg -0 string AC1015 DWG AutoDesk AutoCAD 2000/2002 +0 string AC1015 DWG AutoDesk AutoCAD 2000 !:mime image/vnd.dwg # A new version of AutoCAD DWG @@ -233,7 +235,9 @@ !:mime image/vnd.dwg # From GNU LibreDWG -0 string AC1032 DWG AutoDesk AutoCAD 2018/2019 +0 string AC1032 DWG AutoDesk AutoCAD 2018/2019/2020 +!:mime image/vnd.dwg +0 string AC1035 DWG AutoDesk AutoCAD 2021 !:mime image/vnd.dwg # KOMPAS 2D drawing from ASCON @@ -283,6 +287,8 @@ >6 leshort 0x2 >>8 lelong 0xa >>>16 leshort 0x3d3d 3D Studio model +# Beat sgi MMV +!:strength +20 !:mime image/x-3ds !:ext 3ds @@ -295,25 +301,61 @@ # https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ # HSF_architecture.html # Stephane Charette <stephane.charette@gmail.com> -0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format) ->7 regex/9 V[.0-9]{4,5}\020 %s +0 string ;;\040HSF\040V OpenHSF (Hoops Stream Format) +>7 regex/9 V[.0-9]{4,5}\040 %s !:ext hsf # AutoCAD Drawing Exchange Format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DXF +# https://en.wikipedia.org/wiki/AutoCAD_DXF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/ +# dxf-var0.trid.xml dxf-var0u.trid.xml dxf-var2.trid.xml dxf-var2u.trid.xml +# Note: called "AutoCAD Drawing eXchange Format" by TrID and +# "Drawing Interchange File Format (ASCII)" by DROID +# GRR: some samples does not match 1st test like: abydos.dxf 0 regex \^[\ \t]*0\r?\000$ >1 regex \^[\ \t]*SECTION\r?$ >>2 regex \^[\ \t]*2\r?$ +# GRR: some samples without HEADER section like: airplan2.dxf >>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format -!:mime application/x-dxf +#!:mime application/x-dxf +!:mime image/vnd.dxf !:ext dxf +# DROID PUID fmt/64 fmt-64-signature-id-99.dxf +>>>>&1 search/8192 MC0.0 \b, 1.0 +# DROID PUID fmt/65 fmt-65-signature-id-100.dxf +>>>>&1 search/8192 AC1.2 \b, 1.2 +# DROID PUID fmt/66 fmt-66-signature-id-101.dxf +>>>>&1 search/8192 AC1.3 \b, 1.3 +# DROID PUID fmt/67 fmt-67-signature-id-102.dxf +>>>>&1 search/8192 AC1.40 \b, 1.4 +# DROID PUID fmt/68 fmt-68-signature-id-103.dxf +>>>>&1 search/8192 AC1.50 \b, 2.0 +# DROID PUID fmt/69 fmt-69-signature-id-104.dxf +>>>>&1 search/8192 AC2.10 \b, 2.1 +# DROID PUID fmt/70 fmt-70-signature-id-105.dxf +>>>>&1 search/8192 AC2.21 \b, 2.2 +# DROID PUID fmt/71 fmt-71-signature-id-106.dxf +>>>>&1 search/8192 AC1002 \b, 2.5 +# DROID PUID fmt/72 fmt-72-signature-id-107.dxf +>>>>&1 search/8192 AC1003 \b, 2.6 +# DROID PUID fmt/73 fmt-73-signature-id-108.dxf +>>>>&1 search/8192 AC1004 \b, R9 >>>>&1 search/8192 AC1006 \b, R10 +# http://cd.textfiles.com/amigaenv/DXF/OBJEKTE/LASTMINUTE/apple.dxf +#>>>>&1 search/8192 AC1008 \b, Rfoo >>>>&1 search/8192 AC1009 \b, R11/R12 >>>>&1 search/8192 AC1012 \b, R13 +>>>>&1 search/8192 AC1013 \b, R13c3 >>>>&1 search/8192 AC1014 \b, R14 >>>>&1 search/8192 AC1015 \b, version 2000 >>>>&1 search/8192 AC1018 \b, version 2004 >>>>&1 search/8192 AC1021 \b, version 2007 >>>>&1 search/8192 AC1024 \b, version 2010 +>>>>&1 search/8192 AC1027 \b, version 2013 +>>>>&1 search/8192 AC1032 \b, version 2018 +>>>>&1 search/8192 AC1035 \b, version 2021 # The Sketchup 3D model format https://www.sketchup.com/ 0 string \xff\xfe\xff\x0e\x53\x00\x6b\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4d\x00\x6f\x00\x64\x00\x65\x00\x6c\x00 SketchUp Model @@ -322,3 +364,74 @@ 4 regex/b P[0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9] NAXOS CAD System file from version %s !:strength +40 + +# glTF (GL Transmission Format) - by the Khronos Group +# Reference: https://github.com/KhronosGroup/glTF/tree/master/specification/2.0#glb-file-format-specification +0 string glTF glTF binary model +>4 ulelong x \b, version %d +>8 ulelong x \b, length %d bytes +!:mime model/gltf-binary +!:ext glb + +# FBX (FilmBoX) - by Kaydara/Autodesk +# Reference: https://code.blender.org/2013/08/fbx-binary-file-format-specification +0 string Kaydara\ FBX\ Binary\ \ \0 Kaydara FBX model, +>&2 ulelong x version %d +!:ext fbx + +# PLY (Polygon File Format/Stanford Triangle Format) - by Greg Turk +# Reference: https://web.archive.org/web/20161204152348/http://www.dcs.ed.ac.uk/teaching/cs4/www/graphics/Web/ply.html +0 string ply\n PLY model, +!:ext ply +>4 string format\ ascii\ ASCII, +>>&0 regex/6 [0-9.]+ version %s +>4 string format\ binary binary, +>>&0 string _little_endian\ little endian, +>>>&0 regex/6 [0-9.]+ version %s +>>&0 string _big_endian\ big endian, +>>>&0 regex/6 [0-9.]+ version %s + +# VRML (Virtual Reality Modeling Language) - by the Web3D Consortium +# From: Michel Briand <michelbriand@free.fr> +# Reference: https://www.web3d.org/standards +0 string/w #VRML\ V1.0\ ascii VRML 1 file +!:mime model/vrml +!:ext wrl +0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file +!:mime model/vrml +!:ext wrl +# X3D, VRML encoded +0 string #X3D X3D (Extensible 3D) model, VRML format +>4 string V +>>5 regex/6 [0-9.]+ \b, version %s +!:mime model/x3d+vrml +!:ext x3dv + +## XML-based 3D CAD Formats +# From: Michel Briand <michelbriand@free.fr>, Oliver Galvin <odg@riseup.net> +0 string/w \<?xml\ version= +!:strength + 5 +# X3D (Extensible 3D) +# Schema: https://www.web3d.org/specifications/x3d-3.2.dtd +# MIME Type: https://www.iana.org/assignments/media-types/model/x3d+xml +# Example: https://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d +>20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model, XML document +!:mime model/x3d+xml +!:ext x3d +# COLLADA (COLLAborative Design Activity) - by the Khronos Group +# Schema: http://www.collada.org/2005/11/COLLADASchema +# Reference: https://www.khronos.org/collada +>20 search/1000/w \<COLLADA COLLADA model, XML document +!:mime model/vnd.collada+xml +!:ext dae +# 3MF (3D Manufacturing Format) - by the 3MF Consortium +# Schema: http://schemas.microsoft.com/3dmanufacturing/core/2015/02 +# Reference: https://3mf.io/specification +>20 search/1000/w xmlns="http://schemas.microsoft.com/3dmanufacturing 3MF (3D Manufacturing Format) model, XML document +!:mime model/3mf +!:ext 3mf +# AMF (Additive Manufacturing File) +# Reference: https://www.astm.org/Standards/ISOASTM52915.htm +>20 search/1000/w \<amf AMF (Additive Manufacturing Format) model, XML document +!:mime application/x-amf +!:ext amf diff --git a/contrib/file/magic/Magdir/cafebabe b/contrib/file/magic/Magdir/cafebabe index 18dd1a27a39f..4f97cc0345eb 100644 --- a/contrib/file/magic/Magdir/cafebabe +++ b/contrib/file/magic/Magdir/cafebabe @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.24 2018/10/01 23:33:15 christos Exp $ +# $File: cafebabe,v 1.28 2022/07/01 23:24:47 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, @@ -15,12 +15,20 @@ # might add another one or two as time goes by... # ### JAVA START ### +# Reference: http://en.wikipedia.org/wiki/Java_class_file +# Update: Joerg Jenderek 0 belong 0xcafebabe ->4 belong >30 compiled Java class data, +>4 ubelong >30 compiled Java class data, !:mime application/x-java-applet ->>6 beshort x version %d. ->>4 beshort x \b%d +#!:mime application/java-byte-code +!:ext class +>>6 ubeshort x version %d. +>>4 ubeshort x \b%d +# for debugging purpose version as hexadecimal to compare with Mach-O universal binary +#>>4 ubelong x (%#8.8x) # Which is which? +# https://docs.oracle.com/javase/specs/jvms/se6/html/ClassFile.doc.html +#>>4 belong 0x002b (Java 0.?) #>>4 belong 0x032d (Java 1.0) #>>4 belong 0x032d (Java 1.1) >>4 belong 0x002e (Java 1.2) @@ -30,6 +38,22 @@ >>4 belong 0x0032 (Java 1.6) >>4 belong 0x0033 (Java 1.7) >>4 belong 0x0034 (Java 1.8) +>>4 belong 0x0035 (Java SE 9) +>>4 belong 0x0036 (Java SE 10) +>>4 belong 0x0037 (Java SE 11) +>>4 belong 0x0038 (Java SE 12) +>>4 belong 0x0039 (Java SE 13) +>>4 belong 0x003A (Java SE 14) +>>4 belong 0x003B (Java SE 15) +>>4 belong 0x003C (Java SE 16) +>>4 belong 0x003D (Java SE 17) +>>4 belong 0x003E (Java SE 18) +>>4 belong 0x003F (Java SE 19) +>>4 belong 0x0040 (Java SE 20) +# pool count unequal zero +#>>8 beshort x \b, pool count %#x +# pool table +#>>10 ubequad x \b, pool %#16.16llx... 0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. @@ -44,29 +68,40 @@ ### JAVA END ### ### MACH-O START ### +# URL: https://en.wikipedia.org/wiki/Mach-O 0 name mach-o \b [ +# for debugging purpose CPU type as hexadecimal +#>0 ubequad x CPU=%16.16llx +# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... >0 use mach-o-cpu \b +# for debugging purpose print offset to 1st mach_header like: +# 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h +#>8 ubelong x at %#x offset >(8.L) indirect x \b: >0 belong x \b] +# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ +# include/mach-o/fat.h +# include/mach/machine.h 0 belong 0xcafebabe >4 belong 1 Mach-O universal binary with 1 architecture: !:mime application/x-mach-binary >>8 use mach-o \b ->4 belong >1 ->>4 belong <20 Mach-O universal binary with %d architectures: +# nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 +>4 ubelong >1 +>>4 ubelong <20 Mach-O universal binary with %d architectures: !:mime application/x-mach-binary >>>8 use mach-o \b ->>4 belong >1 ->>>28 use mach-o \b ->>4 belong >2 ->>>48 use mach-o \b ->>4 belong >3 ->>>68 use mach-o \b ->>4 belong >4 ->>>88 use mach-o \b ->>4 belong >5 ->>>108 use mach-o \b +>>>4 ubelong >1 +>>>>28 use mach-o \b +>>>4 ubelong >2 +>>>>48 use mach-o \b +>>>4 ubelong >3 +>>>>68 use mach-o \b +>>>4 ubelong >4 +>>>>88 use mach-o \b +>>>4 ubelong >5 +>>>>108 use mach-o \b ### MACH-O END ### diff --git a/contrib/file/magic/Magdir/ccf b/contrib/file/magic/Magdir/ccf new file mode 100644 index 000000000000..1d5ba19e00e2 --- /dev/null +++ b/contrib/file/magic/Magdir/ccf @@ -0,0 +1,14 @@ + +#------------------------------------------------------------------------------ +# $File: ccf,v 1.1 2022/02/15 12:57:45 christos Exp $ +# file(1) magic(5) data for Phillips remote controls + +# Exchange format for Philips Pronto universal infrared remote controls +# A CCF file describes a learned/customized remote control, +# i.e. it contains button UI and infrared pulse code definitions +# (Georg Sauthoff) +# http://files.remotecentral.com/download/45/pan-air-csakr.zip.html +# https://github.com/gsauthof/pronto-ccf/blob/ + +8 string @\xa5Z@_CCF +>32 string CCF\x00 Philips Pronto IR remote control CCF diff --git a/contrib/file/magic/Magdir/citrus b/contrib/file/magic/Magdir/citrus index ff2471ea75ac..1801a55fa650 100644 --- a/contrib/file/magic/Magdir/citrus +++ b/contrib/file/magic/Magdir/citrus @@ -1,8 +1,12 @@ #------------------------------------------------------------------------------ -# $File: citrus,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File: citrus,v 1.5 2021/01/04 19:48:31 christos Exp $ # citrus locale declaration # 0 string RuneCT Citrus locale declaration for LC_CTYPE +0 string CtrsME Citrus locale declaration for LC_MESSAGES +0 string CtrsMO Citrus locale declaration for LC_MONETARY +0 string CtrsNU Citrus locale declaration for LC_NUMERIC +0 string CtrsTI Citrus locale declaration for LC_TIME diff --git a/contrib/file/magic/Magdir/clipper b/contrib/file/magic/Magdir/clipper index 2768b3af501d..484caeb89eac 100644 --- a/contrib/file/magic/Magdir/clipper +++ b/contrib/file/magic/Magdir/clipper @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $ +# $File: clipper,v 1.9 2020/12/15 23:57:27 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? @@ -61,5 +61,5 @@ >54 byte 2 -Cssw >54 byte 3 -Cspw >54 byte 4 -Cscb -4 string pipe CLIPPER instruction trace -4 string prof CLIPPER instruction profile +#4 string pipe CLIPPER instruction trace +#4 string prof CLIPPER instruction profile diff --git a/contrib/file/magic/Magdir/coff b/contrib/file/magic/Magdir/coff index 31b47e7aff42..5123b7213c4c 100644 --- a/contrib/file/magic/Magdir/coff +++ b/contrib/file/magic/Magdir/coff @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.3 2018/08/01 10:34:03 christos Exp $ +# $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # -# by Joerg Jenderek at Oct 2015 +# by Joerg Jenderek at Oct 2015, Feb 2021 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html @@ -16,62 +16,79 @@ 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags >18 uleshort&0x8E80 0 ->>0 clear x +# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections +>>2 uleshort >0 +# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections +>>>2 uleshort <4207 +>>>>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) ->>0 uleshort 0x014C Intel 80386 +>>>>0 uleshort 0x014C Intel 80386 # Hitachi SH big-endian COFF (./hitachi-sh) ->>0 uleshort 0x0500 Hitachi SH big-endian +>>>>0 uleshort 0x0500 Hitachi SH big-endian # Hitachi SH little-endian COFF (./hitachi-sh) ->>0 uleshort 0x0550 Hitachi SH little-endian +>>>>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>0 uleshort 0x01DF +#>>>>0 uleshort 0x01DF # MS Windows COFF Intel Itanium, AMD64 # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx ->>0 uleshort 0x0200 Intel ia64 ->>0 uleshort 0x8664 Intel amd64 +>>>>0 uleshort 0x0200 Intel ia64 +>>>>0 uleshort 0x8664 Intel amd64 +# ARM COFF (./arm) +>>>>0 uleshort 0xaa64 Aarch64 +>>>>0 uleshort 0x01c0 ARM +>>>>0 uleshort 0xa641 ARM64EC +>>>>0 uleshort 0x01c2 ARM Thumb +>>>>0 uleshort 0x01c4 ARMv7 Thumb # TODO for other COFFs -#>>0 uleshort 0xABCD COFF_TEMPLATE ->>0 default x ->>>0 uleshort x type 0x%04x ->>0 uleshort x COFF +#>>>>0 uleshort 0xABCD COFF_TEMPLATE +>>>>0 default x +>>>>>0 uleshort x type %#04x +>>>>0 uleshort x COFF # F_EXEC flag bit ->>18 leshort ^0x0002 object file -#!:mime application/x-coff -#!:ext cof/o/obj/lib ->>18 leshort &0x0002 executable +>>>>18 leshort ^0x0002 object file +!:mime application/x-coff +!:ext o/obj/lib +# no cof sample found +#!:ext cof/o/obj/lib +>>>>18 leshort &0x0002 executable #!:mime application/x-coffexec # F_RELFLG flag bit,static object ->>18 leshort &0x0001 \b, no relocation info +>>>>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit ->>18 leshort &0x0004 \b, no line number info +>>>>18 leshort &0x0004 \b, no line number info # F_LSYMS flag bit ->>18 leshort &0x0008 \b, stripped ->>18 leshort ^0x0008 \b, not stripped +>>>>18 leshort &0x0008 \b, stripped +>>>>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions #0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit -#>>>18 leshort &0x0100 \b, 32 bit little endian +#>>>>18 leshort &0x0100 \b, 32 bit little endian #0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY -# f_nscns - number of sections ->>2 uleshort <2 \b, %d section ->>2 uleshort >1 \b, %d sections -# f_timdat - file time & date stamp only for little endian -#>>4 date x \b, %s +# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124 +>>>>2 uleshort <2 \b, %u section +>>>>2 uleshort >1 \b, %u sections # f_symptr - symbol table pointer, only for not stripped ->>8 ulelong >0 \b, symbol offset=0x%x +# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0 +>>>>8 ulelong >0 \b, symbol offset=%#x # f_nsyms - number of symbols, only for not stripped ->>12 ulelong >0 \b, %d symbols -# f_opthdr - optional header size ->>16 uleshort >0 \b, optional header size %d +# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 +>>>>12 ulelong >0 \b, %d symbols +# f_opthdr - optional header size. An object file should have a value of 0 +>>>>16 uleshort >0 \b, optional header size %u +# f_timdat - file time & date stamp only for little endian +>>>>4 ledate >0 \b, created %s # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files +>>>>16 uleshort =0 +# first section name s_name[8] like: .text .data .debug$S .drectve .testseg +>>>>>20 string x \b, 1st section name "%.8s" # >20 beshort 0407 (impure) # >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) diff --git a/contrib/file/magic/Magdir/commands b/contrib/file/magic/Magdir/commands index 10f8d2b20baa..6ad87fd7578d 100644 --- a/contrib/file/magic/Magdir/commands +++ b/contrib/file/magic/Magdir/commands @@ -1,112 +1,131 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.63 2020/06/06 15:36:30 christos Exp $ +# $File: commands,v 1.73 2022/11/06 18:39:23 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text -0 string/wt #!\ /bin/sh POSIX shell script text executable +0 string/fwt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript -0 string/wb #!\ /bin/sh POSIX shell script executable (binary data) +0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) !:mime text/x-shellscript +>10 string #\040This\040script\040was\040generated\040using\040Makeself \b, self-executable archive +>>53 string x \b, Makeself %s -0 string/wt #!\ /bin/csh C shell script text executable +0 string/fwt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript # korn shell magic, sent by George Wu, gwu@clyde.att.com -0 string/wt #!\ /bin/ksh Korn shell script text executable +0 string/fwt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript -0 string/wb #!\ /bin/ksh Korn shell script executable (binary data) +0 string/fwb #!\ /bin/ksh Korn shell script executable (binary data) !:mime text/x-shellscript -0 string/wt #!\ /bin/tcsh Tenex C shell script text executable +0 string/fwt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable +0 string/fwt #!\ /usr/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/local/tcsh Tenex C shell script text executable +0 string/fwt #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/local/bin/tcsh Tenex C shell script text executable +0 string/fwt #!\ /usr/local/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript # # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) -0 string/wt #!\ /bin/zsh Paul Falstad's zsh script text executable +0 string/fwt #!\ /bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable +0 string/fwt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable +0 string/fwt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 search/1 #!/usr/bin/env\ zsh Paul Falstad's zsh script text executable +0 string/fwt #!\ /usr/bin/env\ zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/local/bin/ash Neil Brown's ash script text executable +0 string/fwt #!\ /bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/local/bin/ae Neil Brown's ae script text executable +0 string/fwt #!\ /usr/bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript -0 string/wt #!\ /bin/nawk new awk script text executable +0 string/fwt #!\ /usr/local/bin/ash Neil Brown's ash script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/local/bin/ae Neil Brown's ae script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /bin/nawk new awk script text executable !:mime text/x-nawk -0 string/wt #!\ /usr/bin/nawk new awk script text executable +0 string/fwt #!\ /usr/bin/nawk new awk script text executable !:mime text/x-nawk -0 string/wt #!\ /usr/local/bin/nawk new awk script text executable +0 string/fwt #!\ /usr/local/bin/nawk new awk script text executable !:mime text/x-nawk -0 string/wt #!\ /bin/gawk GNU awk script text executable +0 string/fwt #!\ /bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/bin/gawk GNU awk script text executable !:mime text/x-gawk -0 string/wt #!\ /usr/local/bin/gawk GNU awk script text executable +0 string/fwt #!\ /usr/local/bin/gawk GNU awk script text executable !:mime text/x-gawk # -0 string/wt #!\ /bin/awk awk script text executable +0 string/fwt #!\ /bin/awk awk script text executable !:mime text/x-awk -0 string/wt #!\ /usr/bin/awk awk script text executable +0 string/fwt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk 0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell -0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable +0 string/fwt #!\ /bin/rc Plan 9 rc shell script text executable # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) -0 string/wt #!\ /bin/bash Bourne-Again shell script text executable +0 string/fwt #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript -0 string/wb #!\ /bin/bash Bourne-Again shell script executable (binary data) +0 string/fwb #!\ /bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript -0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable +0 string/fwt #!\ /usr/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript -0 string/wb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data) +0 string/fwb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript -0 string/wt #!\ /usr/local/bash Bourne-Again shell script text executable +0 string/fwt #!\ /usr/local/bash Bourne-Again shell script text executable !:mime text/x-shellscript -0 string/wb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) +0 string/fwb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript -0 string/wt #!\ /usr/local/bin/bash Bourne-Again shell script text executable +0 string/fwt #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript -0 string/wb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) +0 string/fwb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript -0 string/wt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable +0 string/fwt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable !:mime text/x-shellscript # Fish shell magic # From: Benjamin Lowry <ben@ben.gmbh> -0 string/wt #!\ /usr/local/bin/fish fish shell script text executable +0 string/fwt #!\ /usr/local/bin/fish fish shell script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/bin/fish fish shell script text executable +0 string/fwt #!\ /usr/bin/fish fish shell script text executable !:mime text/x-shellscript -0 string/wt #!\ /usr/bin/env\ fish fish shell script text executable +0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable !:mime text/x-shellscript - -0 search/1/wt #!\ /usr/bin/tclsh Tcl/Tk script text executable +0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable !:mime text/x-tcl -0 search/1/wt #!\ /usr/bin/texlua LuaTex script text executable +0 search/1/fwt #!\ /usr/bin/texlua LuaTex script text executable !:mime text/x-luatex -0 search/1/wt #!\ /usr/bin/luatex LuaTex script text executable +0 search/1/fwt #!\ /usr/bin/luatex LuaTex script text executable !:mime text/x-luatex -0 search/1/wt #!\ /usr/bin/stap Systemtap script text executable +0 search/1/fwt #!\ /usr/bin/stap Systemtap script text executable !:mime text/x-systemtap - +# From: Kylie McClain <kylie@somas.is> +# Type: execline scripts +# URL: https://skarnet.org/software/execline/ +0 string/fwt #!\ /command/execlineb execline script text executable +!:mime text/x-execline +0 string/fwt #!\ /bin/execlineb execline script text executable +!:mime text/x-execline +0 string/fwt #!\ /usr/bin/execlineb execline script text executable +!:mime text/x-execline +0 string/fwt #!\ /usr/bin/env\ execlineb execline script text executable +!:mime text/x-execline + +0 string #! +>0 regex \^#!.*/bin/execlineb([[:space:]].*)*$ execline script text executable +!:mime text/x-execline # PHP scripts # Ulf Harnhammar <ulfh@update.uu.se> @@ -133,6 +152,32 @@ 0 string Zend\x00 PHP script Zend Optimizer data +# From: Anatol Belski <ab@php.net> +0 string OPCACHE +>7 ubyte 0 PHP opcache filecache data + +0 search/64 --TEST-- +>16 search/64 --FILE-- +>24 search/8192 --EXPECT PHP core test +!:ext phpt + +# https://www.php.net/manual/en/phar.fileformat.signature.php +-4 string GBMB PHP phar archive +>-8 ubyte 0x1 with MD5 signature +!:ext phar +>-8 ubyte 0x2 with SHA1 signature +!:ext phar +>-8 ubyte 0x3 with SHA256 signature +!:ext phar +>-8 ubyte 0x4 with SHA512 signature +!:ext phar +>-8 ubyte 0x10 with OpenSSL signature +!:ext phar +>-8 ubyte 0x11 with OpenSSL SHA256 signature +!:ext phar +>-8 ubyte 0x12 with OpenSSL SHA512 signature +!:ext phar + 0 string/t $! DCL command file # Type: Pdmenu @@ -143,3 +188,14 @@ # From Danny Weldon 0 string \x0b\x13\x08\x00 >0x04 uleshort <4 ksh byte-code version %d + +# From: arno <arenevier@fdn.fr> +# mozilla xpconnect typelib +# see https://www.mozilla.org/scriptable/typelib_file.html +0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib +>0x10 byte x version %d +>>0x11 byte x \b.%d + +0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable +0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable +0 string/fwt #!\ /usr/bin/env\ julia Julia script executable diff --git a/contrib/file/magic/Magdir/compress b/contrib/file/magic/Magdir/compress index a364a88039e7..c3f93fa3bed1 100644 --- a/contrib/file/magic/Magdir/compress +++ b/contrib/file/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.79 2020/05/30 23:53:04 christos Exp $ +# $File: compress,v 1.91 2023/06/16 19:37:47 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -12,13 +12,14 @@ 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU +!:ext Z >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # URL: https://en.wikipedia.org/wiki/Gzip # Reference: https://tools.ietf.org/html/rfc1952 -# Update: Joerg Jenderek, Apr 2019 +# Update: Joerg Jenderek, Apr 2019, Dec 2022 # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods @@ -61,20 +62,24 @@ !:mime application/gzip >>>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 +# TODO: check for GXD MCD cad the reported size >>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated # gzipped TAR or VirtualBox extension package #!:mime application/x-compressed-tar #!:mime application/x-virtualbox-vbox-extpack # https://www.w3.org/TR/SVG/mimereg.html -#!:mime image/image/svg+xml-compressed +#!:mime image/svg+xml-compressed # zlib.3.gz # microcode-20180312.tgz # tpz same as tgz # lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg # Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack -!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz +# trees.blend http://fileformats.archiveteam.org/wiki/BLEND +# 2020-07-19-Note-16-24.xoj https://xournal.sourceforge.net/manual.html +# MYgnucash-gz.gnucash https://wiki.gnucash.org/wiki/GnuCash_XML_format +# text-rotate.dia https://en.wikipedia.org/wiki/Dia_(software) +# MYrdata.RData https://en.wikipedia.org/wiki/R_(programming_language) +!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz/blend/dia/gnucash/rdata/xoj # FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text >3 byte&0x18 >0 gzip compressed data !:mime application/gzip @@ -83,12 +88,13 @@ #!:mime application/x-abiword-compressed #!:mime image/image/svg+xml-compressed # kleopatra_splashscreen.svgz gzipped .svg -!:ext gz/tgz/tpz/zabw/svgz +# RSI-Mega-Demo_Disk1.adz gzipped .adf http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# PostbankTest.kmy gzipped XML https://docs.kde.org/stable5/en/kmymoney/kmymoney/details.formats.compressed.html +# Logo.xcfgz gzipped .xcf http://fileformats.archiveteam.org/wiki/XCF +!:ext gz/tgz/tpz/zabw/svgz/adz/kmy/xcfgz >>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 ->>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated +>>-4 ulelong x \b, original size modulo 2^32 %u # display information of gzip compressed files 0 name gzip-info #>2 byte x THIS iS GZIP @@ -125,6 +131,7 @@ # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream +!:ext z >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # @@ -147,6 +154,7 @@ # bzip2 0 string BZh bzip2 compressed data !:mime application/x-bzip2 +!:ext bz2 >3 byte >47 \b, block size = %c00k # bzip a block-sorting file compressor @@ -158,6 +166,7 @@ # lzip 0 string LZIP lzip compressed data !:mime application/x-lzip +!:ext lz >4 byte x \b, version: %d # squeeze and crunch @@ -193,6 +202,7 @@ # lzop from <markus.oberhumer@jk.uni-linz.ac.at> 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data +!:ext lzo >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, @@ -253,30 +263,40 @@ !:mime application/x-7z-compressed !:ext 7z/cb7 +0 name lzma LZMA compressed data, +!:mime application/x-lzma +!:ext lzma +>5 lequad =0xffffffffffffffff streamed +>5 lequad !0xffffffffffffffff non-streamed, size %lld + # Type: LZMA 0 lelong&0xffffff =0x5d ->12 leshort 0xff LZMA compressed data, -!:mime application/x-lzma ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld ->12 leshort 0 LZMA compressed data, ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld +>12 leshort 0xff +>>0 use lzma +>12 leshort 0 +>>0 use lzma # http://tukaani.org/xz/xz-file-format.txt -0 ustring \xFD7zXZ\x00 XZ compressed data +0 ustring \xFD7zXZ\x00 XZ compressed data, checksum !:strength * 2 !:mime application/x-xz +!:ext xz +>7 byte&0xf 0x0 NONE +>7 byte&0xf 0x1 CRC32 +>7 byte&0xf 0x4 CRC64 +>7 byte&0xf 0xa SHA-256 # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data +!:mime application/x-lrzip >4 byte x - version %d >5 byte x \b.%d -!:mime application/x-lrzip +>22 byte 1 \b, encrypted # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 +!:ext lz4 # Added by osm0sis@xda-developers.com 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) !:mime application/x-lz4 @@ -313,19 +333,26 @@ # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id 0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md @@ -401,3 +428,34 @@ # http://www.shikadi.net/moddingwiki/PCX_Library 0 string/b pcxLib >0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm +0 uleshort 0x7c49 +>2 lelong 0x80 ORA FASTQ compressed file +>>6 ulelong x \b, DNA size %u +>>10 ulelong x \b, read names size %u +>>14 ulelong x \b, quality buffer 1 size %u +>>18 ulelong x \b, quality buffer 2 size %u +>>22 ulelong x \b, sequence buffer size %u +>>26 ulelong x \b, N-position buffer size %u +>>30 ulelong x \b, crypto buffer size %u +>>34 ulelong x \b, misc buffer 1 size %u +>>38 ulelong x \b, misc buffer 2 size %u +>>42 ulelong x \b, flags %#x +>>46 lelong x \b, read size %d +>>50 lelong x \b, number of reads %d +>>54 leshort x \b, version %d + +# https://github.com/kspalaiologos/bzip3/blob/master/doc/file_format.md +0 string/b BZ3v1 bzip3 compressed data +>5 ulelong x \b, blocksize %u + + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/\ +# SW/ORA/ORAFormatSpecification.htm +# From Guillaume Rizk +0 short =0x7C49 DRAGEN ORA file, +>-261 short =0x7C49 with metadata: +>-125 u8 x NB reads: %llu, +>-109 u8 x NB bases: %llu. +>-219 u4&0x02 2 File contains interleaved paired reads diff --git a/contrib/file/magic/Magdir/console b/contrib/file/magic/Magdir/console index 022054dfea44..0ed53fe34d15 100644 --- a/contrib/file/magic/Magdir/console +++ b/contrib/file/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.55 2020/04/19 17:30:55 christos Exp $ +# $File: console,v 1.72 2023/06/16 19:24:06 christos Exp $ # Console game magic # Toby Deshane <hac@shoelace.digivill.net> @@ -68,7 +68,7 @@ !:mime application/x-nes-rom #------------------------------------------------------------------------------ -# fds: file(1) magic for Famciom Disk System disk images +# fds: file(1) magic for Famicom Disk System disk images # Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # From: David Korth <gerbilsoft@gerbilsoft.com> # TODO: Check "Disk info block" and get info from that in addition to the optional header. @@ -78,8 +78,8 @@ >23 byte !1 FMC- >23 byte 1 FSC- >16 string x \b%.3s ->15 byte x \b, mfr %02X ->20 byte x (Rev.%02u) +>15 ubyte x \b, mfr %02X +>20 ubyte x (Rev.%02u) # Headered version. 0 string FDS\x1A @@ -125,6 +125,7 @@ >0x14c byte x (Rev.%02u) # Machine type. (SGB, CGB, SGB+CGB) +# Old licensee code 0x33 is required for SGB, but not CGB. >0x14b byte 0x33 >>0x146 byte 0x03 >>>0x143 byte&0x80 0x80 [SGB+CGB] @@ -133,6 +134,8 @@ >>>0x143 byte&0xC0 0x80 [CGB] >>>0x143 byte&0xC0 0xC0 [CGB ONLY] >0x14b byte !0x33 +>>0x143 byte&0xC0 0x80 [CGB] +>>0x143 byte&0xC0 0xC0 [CGB ONLY] # Mapper. >0x147 byte 0x00 [ROM ONLY] @@ -178,7 +181,7 @@ # RAM size. >0x149 byte 1 \b, RAM: 16Kbit >0x149 byte 2 \b, RAM: 64Kbit ->0x149 byte 3 \b, RAM: 128Kbit +>0x149 byte 3 \b, RAM: 256Kbit >0x149 byte 4 \b, RAM: 1Mbit >0x149 byte 5 \b, RAM: 512Kbit @@ -225,21 +228,56 @@ >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors -# Sega Mega Drive, 32X, Pico, and Mega CD Boot ROM images. +# Sega Mega Drive: Identify the system ID. 0x100 string SEGA ->0x3C0 bequad 0x4D41525320434845 Sega 32X ROM image +>0x3C0 string MARS\ CHECK\ MODE Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header ->0x3C0 bequad !0x4D41525320434845 ->>0x105 belong 0x5049434F Sega Pico ROM image +>0x104 string \ PICO Sega Pico ROM image !:mime application/x-sega-pico-rom ->>>0 use sega-mega-drive-header ->>0x105 belong !0x5049434F ->>>0x180 beshort 0x4252 Sega Mega CD Boot ROM image +>>0 use sega-mega-drive-header +>0x104 string TOYS\ PICO Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string \ TOYS\ PICO Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string \ IAC Sega Pico ROM image +!:mime application/x-sega-pico-rom +>>0 use sega-mega-drive-header +>0x104 string \ TERA68K Sega Teradrive (68K) ROM image +!:mime application/x-sega-teradrive-rom +>>0 use sega-mega-drive-header +>0x104 string \ TERA286 Sega Teradrive (286) ROM image +!:mime application/x-sega-teradrive-rom +>>0 use sega-mega-drive-header +>0x180 string BR Sega Mega CD Boot ROM image !:mime application/x-genesis-rom ->>>0x180 beshort !0x4252 Sega Mega Drive / Genesis ROM image +>>0 use sega-mega-drive-header +>0x104 default x Sega Mega Drive / Genesis ROM image !:mime application/x-genesis-rom ->>>0 use sega-mega-drive-header +>>0 use sega-mega-drive-header + +# Sega Mega Drive: Some ROMs have "SEGA" at 0x101, not 0x100. +0x100 string \ SEGA Sega Mega Drive / Genesis ROM image +>0 use sega-mega-drive-header + +# Sega Pico ROMs that don't start with "SEGA". +0x100 string SAMSUNG\ PICO Samsung Pico ROM image +!:mime application/x-sega-pico-rom +>0 use sega-mega-drive-header +0x100 string IMA\ IKUNOUJYUKU Samsung Pico ROM image +!:mime application/x-sega-pico-rom +>0 use sega-mega-drive-header +0x100 string IMA IKUNOJYUKU Samsung Pico ROM image +!:mime application/x-sega-pico-rom +>0 use sega-mega-drive-header + +# Sega Picture Magic (modified 32X) +0x100 string Picture\ Magic +>0x3C0 string PICTURE MAGIC-01 Sega 32X ROM image +!:mime application/x-genesis-32x-rom +>>0 use sega-mega-drive-header #------------------------------------------------------------------------------ # genesis: file(1) magic for the Super MegaDrive ROM dump format @@ -471,12 +509,13 @@ # - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp # - https://www.devrs.com/ngp/files/ngpctech.txt # -0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket +0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket !:mime application/x-neo-geo-pocket-rom ->0x23 byte 0x10 Color ->0 byte x ROM image ->0x24 string >\0 \b: "%.12s" ->0x1F byte 0xFF (debug mode enabled) +>0x23 byte 0x10 Color +>0 byte x ROM image +>0x24 string >\0 \b: "%.12s" +>0x21 uleshort x \b, NEOP%04X +>0x1F ubyte 0xFF (debug mode enabled) #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps @@ -486,17 +525,17 @@ #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : 0 string PS-X\ EXE Sony Playstation executable ->16 lelong x PC=0x%08x, ->20 lelong !0 GP=0x%08x, ->24 lelong !0 .text=[0x%08x, ->>28 lelong x \b0x%x], ->32 lelong !0 .data=[0x%08x, ->>36 lelong x \b0x%x], ->40 lelong !0 .bss=[0x%08x, ->>44 lelong x \b0x%x], ->48 lelong !0 Stack=0x%08x, +>16 lelong x PC=%#08x, +>20 lelong !0 GP=%#08x, +>24 lelong !0 .text=[%#08x, +>>28 lelong x \b%#x], +>32 lelong !0 .data=[%#08x, +>>36 lelong x \b%#x], +>40 lelong !0 .bss=[%#08x, +>>44 lelong x \b%#x], +>48 lelong !0 Stack=%#08x, >48 lelong =0 No Stack!, ->52 lelong !0 StackSize=0x%x, +>52 lelong !0 StackSize=%#x, #>76 string >\0 (%s) # Area: >113 string x (%s) @@ -505,6 +544,19 @@ 0 string CPE CPE executable >3 byte x (version %d) +# Sony PlayStation archive (PSARC) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.psdevwiki.com/ps3/PlayStation_archive_(PSARC) +0 string PSAR Sony PlayStation Archive +!:ext psarc +>4 ubeshort x \b, version %d. +>6 ubeshort x \b%d +>8 string zlib \b, zlib compression +>8 string lzma \b, LZMA compression +>28 ubeshort&2 0 \b, relative paths +>28 ubeshort&2 2 \b, absolute paths +>28 ubeshort&1 1 \b, ignore case + #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>) 0 string XBEH Microsoft Xbox executable @@ -636,17 +688,34 @@ >>0 use xbox-360-package # Atari Lynx cartridge dump (EXE/BLL header) -# From: "Stefan A. Haubenthal" <polluks@web.de> - +# From: "Stefan A. Haubenthal" <polluks@sdf.lonestar.org> +# Reference: +# https://raw.githubusercontent.com/cc65/cc65/master/libsrc/lynx/exehdr.s # Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. 0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge !:mime application/x-atari-lynx-rom >>2 beshort x \b, RAM start $%04x ->6 string LYNX Lynx cartridge +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml +# Note: called "Atari Lynx ROM" by TrID +0 string LYNX Lynx cartridge !:mime application/x-atari-lynx-rom ->>2 beshort x \b, RAM start $%04x +!:ext lnx +# bank 0 page size like: 128 256 512 +>4 leshort/4 >0 \b, bank 0 %dk +>6 leshort/4 >0 \b, bank 1 %dk +# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX" +>10 string >\0 \b, "%.32s" +# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin" +>42 string >\0 \b, "%.16s" +# version number +#>8 leshort !1 \b, version number %u +# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx +>58 ubyte >0 \b, rotation %u +# spare +#>59 lelong !0 \b, spare %#x # Opera file system that is used on the 3DO console # From: Serge van den Boom <svdb@stack.nl> @@ -717,6 +786,28 @@ >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s +# Compressed ISO disc image (used mostly by PSP, PS2 and MegaDrive) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/.CSO +# NOTE: This is NOT the same as Compact ISO or GameCube/Wii disc image, +# though it has the same magic number. +0 string CISO +# Match CISO version 1 with ISO-9660 sector size +>20 ubyte <2 +>>16 ulelong =2048 CSO v1 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>8 ulequad x \b, original size %llu bytes +>>>16 ulelong x \b, datablock size %u bytes +# Match CISO version 2 +>20 ubyte =2 +>>22 uleshort =0 +>>>4 ulelong =24 CSO v2 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>>8 ulequad x \b, original size %llu bytes +>>>>16 ulelong x \b, datablock size %u bytes + # From: Daniel Dawson <ddawson@icehouse.net> # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording @@ -768,7 +859,7 @@ >>>>0x40 leshort !0 >>>>>0x40 lestring16 x \b, metadata: "%s" >>0x17 byte &0x40 \b, ROM: ->>>(0x18.l-26) lelong x CRC32 0x%08x +>>>(0x18.l-26) lelong x CRC32 %#08x >>>(0x18.l-23) string x "%s" # Type: scummVM savegame files @@ -895,6 +986,16 @@ !:mime application/x-gamecube-rom >>>>0x8000 use nintendo-gcn-disc-common +# Type: Nintendo GameCube/Wii disc image (RVZ format) +0 string RVZ\001 Nintendo +>0x48 belong 1 GameCube +!:mime application/x-gamecube-rom +>0x48 belong 2 Wii +!:mime application/x-wii-rom +>0x48 default x GameCube/Wii +>0x48 belong x disc image (RVZ format): +>>0x58 use nintendo-gcn-disc-common + #------------------------------------------------------------------------------ # Nintendo 3DS file formats. # @@ -1003,6 +1104,11 @@ # Reference: https://3dbrew.org/wiki/3DSX_Format 0 string 3DSX Nintendo 3DS Homebrew Application (3DSX) +# Type: Nintendo 3DS Banner Model Data. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://3dbrew.org/wiki/CBMD +0 string CBMD\0\0\0\0 Nintendo 3DS Banner Model Data + #------------------------------------------------------------------------------ # a7800: file(1) magic for the Atari 7800 raw ROM format. # From: David Korth <gerbilsoft@gerbilsoft.com> @@ -1101,3 +1207,20 @@ >0x2C byte >0x20 Nintendo Badge Arcade badge set: >>0x2C string x "%.48s" >>0x24 ulelong x \b, set ID: %u + +#------------------------------------------------------------------------------ +# sufami: file(1) magic for Sufami Turbo ROM images. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://problemkaputt.de/fullsnes.htm#snescartsufamiturbominicartridgeadaptor +0 string BANDAI\ SFC-ADX +>0x10 string !SFC-ADX\ BACKUP Sufami Turbo ROM image: +>>0x10 string/T x "%.14s" +>>0x30 byte x \b, ID %02X +>>0x31 byte x \b%02X +>>0x32 byte x \b%02X +>>0x33 ubyte >0 \b, series index %u +>>0x34 ubyte 0 [SlowROM] +>>0x34 ubyte 1 [FastROM] +>>0x35 ubyte 1 [SRAM] +>>0x35 ubyte 3 [Special] diff --git a/contrib/file/magic/Magdir/coverage b/contrib/file/magic/Magdir/coverage index 69eab704933c..9f2c3dc91be9 100644 --- a/contrib/file/magic/Magdir/coverage +++ b/contrib/file/magic/Magdir/coverage @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: coverage,v 1.2 2019/04/19 00:42:27 christos Exp $ +# $File: coverage,v 1.3 2021/02/23 00:51:10 christos Exp $ # xoverage: file(1) magic for test coverage data # File formats used to store test coverage data @@ -55,7 +55,7 @@ # Coverage reports generated by gcov -# i.e. source code annoted with coverage information +# i.e. source code annotated with coverage information 0 string \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source: >&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph: >>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data: GCOV coverage report diff --git a/contrib/file/magic/Magdir/crypto b/contrib/file/magic/Magdir/crypto new file mode 100644 index 000000000000..910df8dd497b --- /dev/null +++ b/contrib/file/magic/Magdir/crypto @@ -0,0 +1,49 @@ + +#------------------------------------------------------------------------------ +# $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $ +# crypto: file(1) magic for crypto formats +# +# Bitcoin block files +0 lelong 0xD9B4BEF9 Bitcoin +>(4.l+40) lelong 0xD9B4BEF9 reverse block +>>4 lelong x \b, size %u +# normal block below +>0 default x block +>>4 lelong x \b, size %u +>>8 lelong&0xE0000000 0x20000000 +>>>8 lelong x \b, BIP9 0x%x +>>8 lelong&0xE0000000 !0x20000000 +>>>8 lelong x \b, version 0x%x +>>76 ledate x \b, %s UTC +# VarInt counter +>>88 ubyte <0xfd \b, txcount %u +>>88 ubyte 0xfd +>>>89 leshort x \b, txcount %u +>>88 ubyte 0xfe +>>>89 lelong x \b, txcount %u +>>88 ubyte 0xff +>>>89 lequad x \b, txcount %llu +!:ext dat +# option to find more blocks in the file +#>>(4.l+8) indirect x ; + +# LevelDB +-8 lequad 0xdb4775248b80fb57 LevelDB table data + +# http://www.tarsnap.com/scrypt.html +# see scryptenc_setup() in lib/scryptenc/scryptenc.c +0 string scrypt\0 scrypt encrypted file +>7 byte x \b, N=2**%d +>8 belong x \b, r=%d +>12 belong x \b, p=%d + +# https://age-encryption.org/ +# Only the first recipient is printed in detail to prevent repetitive output +# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ..."). +0 string age-encryption.org/v1\n age encrypted file +>25 regex/128 \^[^\040]+ \b, %s recipient +>>25 string scrypt +>>>&0 regex/64 [0-9]+\$ (N=2**%s) +>>&0 search/256 \n->\040 \b, among others + +0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored diff --git a/contrib/file/magic/Magdir/ctf b/contrib/file/magic/Magdir/ctf index ebea8f316961..d91684d18c40 100644 --- a/contrib/file/magic/Magdir/ctf +++ b/contrib/file/magic/Magdir/ctf @@ -20,4 +20,4 @@ # CTF metadata (plain text) 0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata !:strength + 5 # this is to make sure we beat C ->&0 regex [0-9]+\.[0-9]+ \b, v%s +>&0 regex [0-9]+\\.[0-9]+ \b, v%s diff --git a/contrib/file/magic/Magdir/database b/contrib/file/magic/Magdir/database index a8a788effa8d..03ac4235f735 100644 --- a/contrib/file/magic/Magdir/database +++ b/contrib/file/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.59 2020/03/25 01:49:58 christos Exp $ +# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -151,6 +151,7 @@ # https://www.clicketyclick.dk/databases/xbase/format/dbf.html # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 0 ubelong&0x0000FFFF <0x00000C20 +!:strength +10 # skip Infocom game Z-machine >2 ubyte >0 # skip Androids *.xml @@ -181,7 +182,10 @@ #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type # database file ->>>>>>>>>>>>0 ubyte x \b DBF +>>>>>>>>>>>>28 ubyte&0x04 =0 \b DBF +!:ext dbf +>>>>>>>>>>>>28 ubyte&0x04 =4 \b DataBaseContainer +!:ext dbc >>>>>>>>>>>>4 lelong 0 \b, no records >>>>>>>>>>>>4 lelong >0 \b, %d record # plural s appended @@ -193,13 +197,14 @@ >>>>>>>>>>>>1 ubyte x \b, update-date >>>>>>>>>>>>1 use xbase-date # https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx -#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=0x%x +#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=%#x # 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? ->>>>>>>>>>>>29 ubyte >0 \b, codepage ID=0x%x +>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=%#x #>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file +# MDX or CDX index >>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT ->>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer +#>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size >>>>>>>>>>>>8 uleshort >0 >>>>>>>>>>>>(8.s+1) ubyte >0 @@ -241,72 +246,111 @@ # 1 < version >0 ubyte >1 >>0 ubyte 0x02 FoxBase +!:mime application/x-dbf +# like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III !:mime application/x-dbf +# like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf # dBASE IV no memo file >>0 ubyte 0x04 dBase IV !:mime application/x-dbf +# like: Quattro-test11.dbf umlaut-test-v4.dbf # dBASE V no memo file >>0 ubyte 0x05 dBase V !:mime application/x-dbf +# like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf +!:ext dbf +# probably Apollo Database Server 9.7? xBase (0x6) +>>0 ubyte 0x06 Apollo +!:mime application/x-dbf +# like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x2F FoxBase+/Dbase III plus, no memo +!:mime application/x-dbf +# no example >>0 ubyte 0x30 Visual FoxPro !:mime application/x-dbf +# like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF +# Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC >>0 ubyte 0x31 Visual FoxPro, autoincrement !:mime application/x-dbf +# like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf # Visual FoxPro, with field type Varchar or Varbinary >>0 ubyte 0x32 Visual FoxPro, with field type Varchar !:mime application/x-dbf +# like: dbase_32.dbf # dBASE IV SQL, no memo;dbv memo var size (Flagship) >>0 ubyte 0x43 dBase IV, with SQL table !:mime application/x-dbf -# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx -#>>0 ubyte 0x62 dBase IV, with SQL table +# like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x62 dBase IV, with SQL table #!:mime application/x-dbf +# no example # dBASE IV, with memo!! >>0 ubyte 0x7b dBase IV, with memo !:mime application/x-dbf -# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx -#>>0 ubyte 0x82 dBase IV, with SQL system +# like: test3memo.DBF dbase5.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x82 dBase IV, with SQL system #!:mime application/x-dbf +# no example # FoxBase+/dBaseIII+ with memo .DBT! >>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT !:mime application/x-dbf +# like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf # VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file >>0 ubyte 0x87 VISUAL OBJECTS, with memo file !:mime application/x-dbf -# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx -#>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT +# like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT #!:mime application/x-dbf +# no example # dBASE IV with memo! >>0 ubyte 0x8B dBase IV, with memo .DBT !:mime application/x-dbf +# like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf # dBase IV with SQL Table,no memo? >>0 ubyte 0x8E dBase IV, with SQL table !:mime application/x-dbf +# like: dbase5.DBF test3memo.DBF test-memo.DBF # .dbv and .dbt memo (Flagship)? >>0 ubyte 0xB3 Flagship -# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx -#>>0 ubyte 0xCA dBase IV with memo .DBT +!:mime application/x-dbf +# no example +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0xCA dBase IV with memo .DBT #!:mime application/x-dbf +# no example # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf +# like: dbase5.DBF test3memo.DBF test-memo.DBF # HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf -# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx -#>>0 ubyte 0xF4 dBase IV, with SQL table, with memo +# like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) +>>0 ubyte 0xF4 dBase IV, with SQL table, with memo #!:mime application/x-dbf +# no example >>0 ubyte 0xF5 FoxPro with memo !:mime application/x-dbf -# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx +# like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf +# probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6) +>>0 ubyte 0xF6 Apollo, with SQL table with memo +!:mime application/x-dbf +# like: SCRIPTS.DBF +# https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) #>>0 ubyte 0xFA FoxPro 2.x, with memo #!:mime application/x-dbf +# no example # unknown version (should not happen) >>0 default x xBase !:mime application/x-dbf ->>>0 ubyte x (0x%x) +>>>0 ubyte x (%#x) # flags in version byte # DBT flag (with dBASE III memo .DBT)!! # >>0 ubyte&0x80 >0 DBT_FLAG=%x @@ -343,8 +387,22 @@ >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 -# dBASE III DBT ->>>>>>>0 use dbase3-memo-print +# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod +>>>>>>>512 ubyte >040 +# skip with valid 1st item "rintf" keylayouts.mod +# by looking for valid terminating character Ctrl-Z like in test.dbt +>>>>>>>>513 search/3308 \032 +# skip GRUB plan9.mod with invalid second terminating character 007 +# by checking second terminating character Ctrl-Z like in test.dbt +>>>>>>>>>&0 ubyte 032 +# dBASE III DBT with two Ctr-Z terminating characters +>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod +>>>>>>>>>&0 ubyte 0 +# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 +>>>>>>>>>>0x1ad string !grub_mod_init +# like dbase-memo.dbt +>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF @@ -356,14 +414,35 @@ >>>>>>>>>>4 ushort 0 # check for valid FoxPro field type >>>>>>>>>>>512 ubelong <3 ->>>>>>>>>>>>0 use foxpro-memo-print +# skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh +>>>>>>>>>>>>6 ubeshort&0x002f 0 +>>>>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage # skip WORD1XW.DOC with improbably high free block index >>>>>>>>>0 ulelong <0x400000 # skip WinStore.App.exe by looking for printable 2nd character of 1st memo item >>>>>>>>>>513 ubyte >037 -# unusual dBASE III DBT like adressen.dbt ->>>>>>>>>>>0 use dbase3-memo-print +# skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item +>>>>>>>>>>>512 ubyte >037 +# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 +>>>>>>>>>>>>512 ubyte <0377 +# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) +# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>513 search/523 \032 +# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character +#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o +# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt +>>>>>>>>>>>>>>&0 ubyte 032 +>>>>>>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>&0 ubyte 0 +# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" +>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show +# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt +>>>>>>>>>>>>>>>514 default x +# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes @@ -372,9 +451,23 @@ >>>>>>>>>>0 ulelong <0x400000 # skip AI070GEP.EPS by printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 +# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB +>>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character ->>>>>>>>>>>>513 ubyte >037 ->>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>513 ubyte >037 +# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like +# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" +# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" +# "10586.494.amd64fre.th2_release_sec.160630-1736" +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>>513 search/0x11E \032 +# followed by second character Ctrl-Z implies typical DBT +>>>>>>>>>>>>>>>&0 ubyte 032 +# examples like: angest.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>>>&0 ubyte 0 +# no example found here with terminating sequence CTRL-Z + \0 +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 @@ -393,18 +486,26 @@ # Number of next available block for appending data #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u -# no positiv block length +# no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u -# dBase III memo field terminated by \032\032 +# dBase III memo field terminated often by \032\032 +# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" +# For DEBUGGING +#>512 ubelong x \b, 1ST item %#8.8x +#>513 search/0x225 \032 FOUND_TERMINATOR +#>>&0 ubyte 032 2xCTRL_Z +# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte +#>>&0 ubyte 0 1xCTRL_Z + # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt -# 8 character shorted main name of coresponding dBASE IV DBF file +# 8 character shorted main name of corresponding dBASE IV DBF file >8 ubelong >0x20000000 # skip unusual like for angest.dbt >>20 uleshort >0 @@ -443,7 +544,7 @@ >0 belong x FoxPro FPT !:mime application/x-fpt !:ext fpt -# Size of blocks for FoxPro ( 64,256 ) +# Size of blocks for FoxPro ( 64,256 ); probably a multiple of two >6 ubeshort x \b, blocks size %u # next available block #>0 belong =0 \b, next free block index %u @@ -455,10 +556,131 @@ >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s" +# Summary: DBASE Compound Index file *.CDX and FoxPro index *.IDX +# From: Joerg Jenderek +# URL: https://www.clicketyclick.dk/databases/xbase/format/cdx.html +# https://www.clicketyclick.dk/databases/xbase/format/idx.html +# https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml +# https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml +# like: kunde.cdx +0 ulelong 0x1C00 +>0 use xbase-index +# like: SYLLABI2.CDX SYLLABUS.CDX +0 ulelong 0x0800 +>0 use xbase-index +# often in xBase index pointer to root node 400h +0 ulelong 0x0400 +# skip most Maple help database *.hdb with version tag handled by ./maple +>1028 string !version +# skip Maple help database hsum.hdb checking for valid reserved area +>>492 quad =0 +# skip remaining Maple help database *.hdb by checking key length +#>>>12 uleshort !0x000F KEY_LENGTHVALID +>>>0 use xbase-index +# display information about dBase/FoxPro index +0 name xbase-index +>0 ulelong x xBase +!:mime application/x-dbase-index +>14 ubyte &0x40 compound index +# DCX for FoxPro database index like: TESTDATA.DCX +!:ext cdx/dcx +>14 ubyte ^0x40 index +# only 1 example like: TEST.IDX +!:ext idx +# pointer to root node like: 1C00h 800h often 400h +>0 ulelong !0x400 \b, root pointer %#x +# Pointer to free node list: often 0 but -1 if not present +>4 ulelong !0 \b, free node pointer %#x +# MAYBE number of pages in file (Foxbase, FoxPro 1.x) or +# http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM +# Whenever Visual FoxPro updates the index file it increments this reserved field +# Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0 +>8 ulelong !0 \b, reserved counter %#x +# length of key like: mostly 000Ah 0028h (TEST.IDX) +>12 uleshort !0x000A \b, key length %#x +# index options like: 24h E0h E8h +# 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header +# 16~Bit vector (SoftC) 128~Structure index (FoxPro) +>14 ubyte x \b, index options (%#x +>14 ubyte &0x01 \b, unique +>14 ubyte &0x08 \b, has FOR clause +>14 ubyte &0x10 \b, bit vector (SoftC) +>14 ubyte &0x20 \b, compact format +#>14 ubyte &0x40 \b, compound header +>14 ubyte &0x80 \b, structure +>14 ubyte x \b) +# WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml) +>15 ubyte !0 \b, index signature %u +# reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx +>16 quad !0 \b, at 16 reserved %#llx +>492 quad !0 \b, at 492 reserved %#llx +# for IDX variant +#>14 ubyte ^0x40 IDX +# for CDX variant +>14 ubyte &0x40 +# Ascending or descending: 0~ascending 1~descending +>>502 uleshort x \b, sort order %u +# Total expression length (FoxPro 2) like: 0 1 +>>504 uleshort !0 \b, expression length %u +# FOR expression pool length like: 1 +>>506 uleshort !1 \b, FOR expression pool length %#x +# reserved for internal use like: 0 +>>508 uleshort !0 \b, at 0x508 reserved %#x +# Key expression pool length like: 1 +>>510 uleshort !1 \b, key expression pool length %#x +# 512 - 1023 Key & FOR expression pool (uncompiled) +>>512 quad !0 \b, key expression pool %#llx +#>>520 quad !0 \b, key expression pool %#llx + +# Summary: dBASE IV Printer Form *.PRF +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml +0 ubeshort 0x0400 +# skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure +# by looking for valid printer driver name extension +>0x58 search/8 .PR2 +>>0 use xbase-prf +# display information of dbase print form like printer driver *.PR2 +0 name xbase-prf dBase Printer Form +!:mime application/x-dbase-prf +!:ext prf +# MAYBE version? like: 4~DBASE IV +#>0 ubyte x \b, version %u +# MAYBE flag like: 1~with output file name 0~not +#>2 ubyte !0 \b, flag %u +# optional printer text output file name like E:\DBASE\IV\T6.txt +>3 string >\0 \b, output file %s +# probably padding with nils til 0x53 +#>0x48 uquad !0 \b, at 0x48 padding %#llx +# dBASE IV printer driver name like: Generic.PR2 ASCII.PR2 +>0x56 string >\0 \b, using printer driver %s +# 2 is probably last character of previous dBASE printer driver name +#>0x60 ubyte !0x32 \b, at 0x60 %#x +# probably padding with nils til 0xa8 +#>0x61 uquad !0 \b, at 0x61 padding %#llx +# unknown 0x03020300 0x03020100 at 0xa8 +>0xa8 ubelong x \b, at 0xa8 unknown %#8.8x +# probably padding with nils til 0x2aa +#>0x2a0 uquad !0 \b, at 0x2a0 padding %#llx +# unknown 0x100ff7f01000001 at 0x2AB +>0x2ab ubequad !0x100ff7f01000001 \b, at 0x2ab unknown %#llx +# unknown 0x0042 at 0x2b3 +>0x2b3 ubeshort !0x0042 \b, at 0x2b3 unknown %#4.4x +# unknown last 4 bytes at 0x2b6 like: 0 0x23 +>0x2b6 ubelong !0 \b, at 0x2b6 unknown %#8.8x + # TODO: # DBASE index file *.NDX -# DBASE Compound Index file *.CDX -# dBASE IV Printer Driver *.PRF +# dBASE compiled Format *.FMO +# FoxPro Database memo file *.DCT +# FoxPro Forms Memo *.SCT +# FoxPro Generated Menu Program *.MPR +# FoxPro Report *.FRX +# FoxPro Report Memo *.FRT +# Foxpro Generated Screen Program *.SPR +# Foxpro memo *.PJT ## End of XBase database stuff # MS Access database @@ -485,9 +707,9 @@ >>12 ulelong 1 STreaMing !:ext stm # format_version 620h ->>8 uleshort x \b, version 0x%x ->>10 uleshort >0 revision 0x%4.4x ->>0 ubelong x \b, checksum 0x%8.8x +>>8 uleshort x \b, version %#x +>>10 uleshort >0 revision %#4.4x +>>0 ubelong x \b, checksum %#8.8x # Page size 4096 8192 32768 >>236 ulequad x \b, page size %lld # database_state diff --git a/contrib/file/magic/Magdir/dataone b/contrib/file/magic/Magdir/dataone index 8ef3f798163f..566633eff22c 100644 --- a/contrib/file/magic/Magdir/dataone +++ b/contrib/file/magic/Magdir/dataone @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dataone,v 1.2 2019/04/19 00:42:27 christos Exp $ +# $File: dataone,v 1.3 2022/04/18 21:38:10 christos Exp $ # # DataONE- files from Dave Vieglais <dave.vieglais@gmail.com> & # Pratik Shrivastava <pratikshrivastava23@gmail.com> @@ -9,39 +9,39 @@ #------------------------------------------------------------------------------ # EML (Ecological Metadata Language Format) -0 string <?xml ->&0 regex (eml)-[0-9].[0-9].[0-9]+ eml://ecoinformatics.org/%s +0 string \<?xml\ version= +>&0 regex/1024 eml-[0-9]\\.[0-9]\\.[0-9]+ eml://ecoinformatics.org/%s # onedcx (DataONE Dublin Core Extended v1.0) ->&0 regex (onedcx/v)[0-9].[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0 +>&0 regex/1024 onedcx/v[0-9]\\.[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0 # FGDC-STD-001-1998 (Content Standard for Digital Geospatial Metadata, # version 001-1998) ->&0 regex fgdc FGDC-STD-001-1998 +>&0 search/1024 fgdc FGDC-STD-001-1998 # Mercury (Oak Ridge National Lab Mercury Metadata version 1.0) ->&0 regex (mercury/terms/v)[0-9].[0-9] https://purl.org/ornl/schema/mercury/terms/v1.0 +>&0 regex/1024 mercury/terms/v[0-9]\\.[0-9] https://purl.org/ornl/schema/mercury/terms/v1.0 # ISOTC211 (Geographic MetaData (GMD) Extensible Markup Language) ->&0 regex isotc211 ->>&0 regex eng;USA https://www.isotc211.org/2005/gmd +>&0 search/1024 isotc211 +>>&0 search/1024 eng;USA https://www.isotc211.org/2005/gmd # ISOTC211 (NOAA Variant Geographic MetaData (GMD) Extensible Markup Language) ->>&0 regex gov.noaa.nodc:[0-9]+ https://www.isotc211.org/2005/gmd-noaa +>>&0 regex/1024 gov\\.noaa\\.nodc:[0-9]+ https://www.isotc211.org/2005/gmd-noaa # ISOTC211 PANGAEA Variant Geographic MetaData (GMD) Extensible Markup Language ->>&0 regex pangaea.dataset[0-9][0-9][0-9][0-9][0-9][0-9]+ https://www.isotc211.org/2005/gmd-pangaea +>>&0 regex/1024 pangaea\\.dataset[0-9][0-9][0-9][0-9][0-9][0-9]+ https://www.isotc211.org/2005/gmd-pangaea !:mime text/xml # Object Reuse and Exchange Vocabulary -0 string <?xml ->&0 regex rdf ->>&0 regex openarchives https://www.openarchives.org/ore/terms +0 string \<?xml\ version= +>&0 search/1024 rdf +>>&0 search/1024 openarchives https://www.openarchives.org/ore/terms !:mime application/rdf+xml # Dryad Metadata Application Profile Version 3.1 0 string <DryadData ->&0 regex (dryad-bibo/v)[0-9].[0-9] https://datadryad.org/profile/v3.1 +>&0 regex/1024 dryad-bibo/v[0-9]\\.[0-9] https://datadryad.org/profile/v3.1 !:mime text/xml diff --git a/contrib/file/magic/Magdir/der b/contrib/file/magic/Magdir/der index 82cf70345bcb..3bc2e38aa950 100644 --- a/contrib/file/magic/Magdir/der +++ b/contrib/file/magic/Magdir/der @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.3 2020/02/16 20:45:21 christos Exp $ +# $File: der,v 1.6 2023/01/11 23:59:49 christos Exp $ # der: file(1) magic for DER encoded files # @@ -110,15 +110,16 @@ >>>>&0 der seq >>>>>&0 der obj_id9=2a864886f70d010901 >>>>>&0 der ia5_str=x \b, emailAddress=%s ->>&0 der seq ->>>&0 der utc_time=x \b, utcTime=%s ->>>&0 der utc_time=x \b, utcTime=%s +#>>&0 der seq +#>>>&0 der utc_time=x \b, utcTime=%s +#>>>&0 der utc_time=x \b, utcTime=%s >>&0 use certinfo 0 der seq >&0 der seq ->>&0 der eoc Certificate ->>>&0 der int1=02 \b, Version=3 +>>&0 der eoc +>>>&0 der int1=02 Certificate, Version=3 +>>>&0 der int1=x Certificate, Version=%s >>&0 der int9=x \b, Serial=%s >>&0 der seq >>>&0 der obj_id9=2a864886f70d01010b @@ -128,11 +129,18 @@ >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der utf8_str=x \b, Issuer=%s ->>&0 der seq ->>>&0 der utc_time=x \b, not-valid-before=%s ->>>&0 der utc_time=x \b, not-valid-after=%s +#>>&0 der seq +#>>>&0 der utc_time=x \b, not-valid-before=%s +#>>>&0 der utc_time=x \b, not-valid-after=%s >>&0 der seq >>>&0 der set >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der utf8_str=x \b, Subject=%s + +# PKCS#7 Signed Data (e.g. JAR Signature Block File) +# OID 1.2.840.113549.1.7.2 (2a864886f70d010702) +# Reference: https://www.rfc-editor.org/rfc/rfc2315 +0 der seq +>&0 der obj_id9=2a864886f70d010702 DER Encoded PKCS#7 Signed Data +!:ext RSA/DSA/EC diff --git a/contrib/file/magic/Magdir/diff b/contrib/file/magic/Magdir/diff index cd530d345e32..a6124e3f703b 100644 --- a/contrib/file/magic/Magdir/diff +++ b/contrib/file/magic/Magdir/diff @@ -1,11 +1,12 @@ #------------------------------------------------------------------------------ -# $File: diff,v 1.16 2017/03/17 22:20:22 christos Exp $ +# $File: diff,v 1.17 2020/08/22 18:16:58 christos Exp $ # diff: file(1) magic for diff(1) output # 0 search/1 diff\040 diff output text !:mime text/x-diff -0 search/1 ***\040 diff output text +0 search/1 ***\040 +>&0 search/1024 \n---\040 context diff output text !:mime text/x-diff 0 search/1 Only\040in\040 diff output text !:mime text/x-diff @@ -16,15 +17,15 @@ !:mime text/x-diff # bsdiff: file(1) magic for bsdiff(1) output -0 string/b BSDIFF40 bsdiff(1) patch file +0 string/b BSDIFF40 bsdiff(1) patch file # unified diff 0 search/4096 ---\040 ->&0 search/1024 \n ->>&0 search/1 +++\040 ->>>&0 search/1024 \n ->>>>&0 search/1 @@ unified diff output text +>&0 search/1024 \n +>>&0 search/1 +++\040 +>>>&0 search/1024 \n +>>>>&0 search/1 @@ unified diff output text !:mime text/x-diff !:strength + 90 diff --git a/contrib/file/magic/Magdir/digital b/contrib/file/magic/Magdir/digital index f66e0bc55917..b2753b989859 100644 --- a/contrib/file/magic/Magdir/digital +++ b/contrib/file/magic/Magdir/digital @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: digital,v 1.11 2013/01/11 16:45:23 christos Exp $ +# $File: digital,v 1.12 2021/07/03 14:01:46 christos Exp $ # Digital UNIX - Info # 0 string =!<arch>\n________64E Alpha archive @@ -53,6 +53,7 @@ # # Locale data tables (MIPS and Alpha). # +# GRR: line below is too general as it matches also TTComp archive, ASCII, 2K handled by ./archive 0 short 0x0501 locale data table >6 short 0x24 for MIPS >6 short 0x40 for Alpha diff --git a/contrib/file/magic/Magdir/dwarfs b/contrib/file/magic/Magdir/dwarfs new file mode 100644 index 000000000000..3700a33c5d7a --- /dev/null +++ b/contrib/file/magic/Magdir/dwarfs @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: dwarfs,v 1.2 2023/05/23 13:37:32 christos Exp $ +# dwarfs: file(1) magic for DwarFS File System Image files +# URL: https://github.com/mhx/dwarfs for details about DwarFS +# From: Marcus Holland-Moritz <github@mhxnet.de> + +#### DwarFS Version Macro +0 name dwarfsversion +>&0 byte x \b, version %d +>&1 byte x \b.%d + +#### DwarFS Compression Macro +0 name dwarfscompression +>&0 leshort =0 \b, uncompressed +>&0 leshort =1 \b, LZMA compression +>&0 leshort =2 \b, ZSTD compression +>&0 leshort =3 \b, LZ4 compression +>&0 leshort =4 \b, LZ4HC compression +>&0 leshort =5 \b, BROTLI compression + +#### DwarFS files without header +## We first check against a DWARFS magic at the start of the file, then +## validate by checking the block count / section type to be all zeros +## for the first block. Finally, we check that the *next* block also +## has the correct DWARFS magic. +0 string DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image +>>>&0 use dwarfsversion +>>&0 use dwarfscompression + +#### DwarFS files with header +## We search for a DWARFS magic in the first 64k of the file (images with +## headers longer than 64k won't be recognized), then validate by checking +## the block count / section type to be all zeros for the first block. +## Finally, we check that the *next* block also has the correct DWARFS magic. +## If we find a DWARFS magic that doesn't pass validation, we continue with +## an indirect match recursively. +1 search/65536/b DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image (with header) +>>>&0 use dwarfsversion +>>&0 use dwarfscompression +>&-1 indirect x diff --git a/contrib/file/magic/Magdir/editors b/contrib/file/magic/Magdir/editors index 78f3a84056e6..48eaa116e3b3 100644 --- a/contrib/file/magic/Magdir/editors +++ b/contrib/file/magic/Magdir/editors @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: editors,v 1.11 2017/03/17 21:35:28 christos Exp $ +# $File: editors,v 1.12 2020/10/11 20:28:07 christos Exp $ # T602 editor documents # by David Necas <yeti@physics.muni.cz> 0 string @CT\ T602 document data, @@ -11,7 +11,11 @@ # Vi IMproved Encrypted file # by David Necas <yeti@physics.muni.cz> +# updated by Osman Surkatty 0 string VimCrypt~ Vim encrypted file data +>9 string 01! with zip cryptmethod +>9 string 02! with blowfish cryptmethod +>9 string 03! with blowfish2 cryptmethod 0 name vimnanoswap >67 byte 0 diff --git a/contrib/file/magic/Magdir/elf b/contrib/file/magic/Magdir/elf index 7cf8600f861a..d3ec0260af25 100644 --- a/contrib/file/magic/Magdir/elf +++ b/contrib/file/magic/Magdir/elf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: elf,v 1.80 2020/02/12 22:17:33 christos Exp $ +# $File: elf,v 1.88 2023/01/08 17:09:18 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -8,6 +8,8 @@ # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # +# https://www.sco.com/developers/gabi/latest/ch4.eheader.html +# # Created by: unknown # Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) @@ -43,6 +45,14 @@ >2 leshort 0x0214 2.0 >0 leshort &0x0008 (LP64) +0 name elf-riscv +>0 lelong&0x00000001 0x00000001 RVC, +>0 lelong&0x00000008 0x00000008 RVE, +>0 lelong&0x00000006 0x00000000 soft-float ABI, +>0 lelong&0x00000006 0x00000002 single-float ABI, +>0 lelong&0x00000006 0x00000004 double-float ABI, +>0 lelong&0x00000006 0x00000006 quad-float ABI, + 0 name elf-le >16 leshort 0 no file type, !:mime application/octet-stream @@ -62,7 +72,12 @@ # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), ->16 leshort &0xff00 processor-specific, +>16 leshort &0xff00 +>>18 leshort !8 processor-specific, +>>18 leshort 8 +>>>16 leshort 0xFF80 PlayStation 2 IOP module, +!:mime application/x-sharedlib +>>>16 leshort !0xFF80 processor-specific, >18 clear x >18 leshort 0 no machine, >18 leshort 1 AT&T WE32100, @@ -182,7 +197,7 @@ >18 leshort 90 Matsushita MN10200, >18 leshort 91 picoJava, >18 leshort 92 OpenRISC, ->18 leshort 93 ARC Cores Tangent-A5, +>18 leshort 93 Synopsys ARCompact ARC700 cores, >18 leshort 94 Tensilica Xtensa, >18 leshort 95 Alphamosaic VideoCore, >18 leshort 96 Thompson Multimedia, @@ -221,6 +236,7 @@ >18 leshort 140 TI TMS320C6000 DSP family, >18 leshort 141 TI TMS320C2000 DSP family, >18 leshort 142 TI TMS320C55x DSP family, +>18 leshort 144 TI Programmable Realtime Unit >18 leshort 160 STMicroelectronics 64bit VLIW DSP, >18 leshort 161 Cypress M8C, >18 leshort 162 Renesas R32C series, @@ -251,6 +267,7 @@ >18 leshort 189 Xilinx MicroBlaze 32-bit RISC, >18 leshort 190 NVIDIA CUDA architecture, >18 leshort 191 Tilera TILE-Gx, +>18 leshort 195 Synopsys ARCv2/HS3x/HS4x cores, >18 leshort 197 Renesas RL78 family, >18 leshort 199 Renesas 78K0R, >18 leshort 200 Freescale 56800EX, @@ -267,9 +284,35 @@ >18 leshort 216 Cognitive Smart Memory, >18 leshort 217 iCelero CoolEngine, >18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 219 CSR Kalimba architecture family +>18 leshort 220 Zilog Z80 +>18 leshort 221 Controls and Data Services VISIUMcore processor +>18 leshort 222 FTDI Chip FT32 high performance 32-bit RISC architecture +>18 leshort 223 Moxie processor family +>18 leshort 224 AMD GPU architecture >18 leshort 243 UCB RISC-V, +# only for 32-bit +>>4 byte 1 +>>>36 use elf-riscv +# only for 64-bit +>>4 byte 2 +>>>48 use elf-riscv +>18 leshort 244 Lanai 32-bit processor, +>18 leshort 245 CEVA Processor Architecture Family, +>18 leshort 246 CEVA X2 Processor Family, >18 leshort 247 eBPF, ->18 leshort 251 NEC VE, +>18 leshort 248 Graphcore Intelligent Processing Unit, +>18 leshort 249 Imagination Technologies, +>18 leshort 250 Netronome Flow Processor, +>18 leshort 251 NEC Vector Engine, +>18 leshort 252 C-SKY processor family, +>18 leshort 253 Synopsys ARCv3 64-bit ISA/HS6x cores, +>18 leshort 254 MOS Technology MCS 6502 processor, +>18 leshort 255 Synopsys ARCv3 32-bit, +>18 leshort 256 Kalray VLIW core of the MPPA family, +>18 leshort 257 WDC 65816/65C816, +>18 leshort 258 LoongArch, +>18 leshort 259 ChipON KungFu32, >18 leshort 0x1057 AVR (unofficial), >18 leshort 0x1059 MSP430 (unofficial), >18 leshort 0x1223 Adapteva Epiphany (unofficial), @@ -299,7 +342,7 @@ >18 leshort 0xfebb NIOS (unofficial), >18 leshort 0xfeed Moxie (unofficial), >18 default x ->>18 leshort x *unknown arch 0x%x* +>>18 leshort x *unknown arch %#x* >20 lelong 0 invalid version >20 lelong 1 version 1 diff --git a/contrib/file/magic/Magdir/espressif b/contrib/file/magic/Magdir/espressif index 7a8616a1a48c..a97c09301fd1 100644 --- a/contrib/file/magic/Magdir/espressif +++ b/contrib/file/magic/Magdir/espressif @@ -1,5 +1,5 @@ -# $File: espressif,v 1.2 2019/11/15 21:03:14 christos Exp $ +# $File: espressif,v 1.3 2021/04/26 15:56:00 christos Exp $ # configuration dump of Tasmota firmware for ESP8266 based devices by Espressif # URL: https://github.com/arendst/Sonoff-Tasmota/ # Reference: https://codeload.github.com/arendst/Sonoff-Tasmota/zip/release-6.2/ @@ -17,7 +17,7 @@ >>10 ubyte^0x64 x \b.%u >>9 ubyte^0x63 x \b.%u >>8 ubyte^0x62 x \b.%u -#>8 ubelong x (0x%x) +#>8 ubelong x (%#x) # hostname[33] XORed >>0x165 ubyte^0x1BF x \b, hostname %c >>0x166 ubyte^0x1C0 >037 \b%c diff --git a/contrib/file/magic/Magdir/filesystems b/contrib/file/magic/Magdir/filesystems index 7b95a4f9c72f..cd7213051686 100644 --- a/contrib/file/magic/Magdir/filesystems +++ b/contrib/file/magic/Magdir/filesystems @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.133 2020/05/17 19:32:00 christos Exp $ +# $File: filesystems,v 1.158 2023/05/21 17:19:08 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid @@ -220,7 +220,7 @@ >>>>>>18 string =_ \b. >>>>>>>19 string x \b%-.1s >>>22 ubyte 0 ->>>>21 ubyte x \b, from drive 0x%x +>>>>21 ubyte x \b, from drive %#x >>>22 ubyte >0 >>>>21 string x \b, from drive %s >>>535 search/17 \x55\xAA @@ -261,6 +261,18 @@ # for sector sizes with 512 or more Bytes >0x1FE leshort 0xAA55 DOS/MBR boot sector +# ExFAT +3 string/w =EXFAT +>0x1FE leshort 0xAA55 +>>0x6E ubyte 1 +>>>0x6F ubyte 0x80 +>>>0 ubyte 0xEB DOS/MBR boot sector, +>>>0x69 ubyte x ExFAT Filesystem version %d. +>>>0x68 ubyte x \b%d +>>>0x6d ubyte x \b, (1<<%d) sectors per cluster +>>>0x48 ulequad x \b, sectors %lld +>>>0x64 ulelong x \b, serial number %#x + # keep old DOS/MBR boot sector as dummy for mbr and bootloader displaying # only for sector sizes with 512 or more Bytes 0x1FE leshort 0xAA55 DOS/MBR boot sector @@ -296,7 +308,7 @@ >>>>>(0x49.b) string Tabela\ de\ parti\207ao\ inv\240lida portuguese >>>>>(0x49.b) string Tabla\ de\ partici\242n\ no\ v\240lida spanish >>>>>(0x49.b) string Tavola\ delle\ partizioni\ non\ valida italian ->>>>>0x49 ubyte >0 at offset 0x%x +>>>>>0x49 ubyte >0 at offset %#x >>>>>>(0x49.b) string >\0 "%s" # "Error loading operating system" nn=0xa3 for english version # "Fehler beim Laden des Betriebssystems" nn=0xa7 for german version @@ -304,7 +316,7 @@ # "Erro na inicializa\207ao do sistema operacional" nn=0xa7 for portuguese Brazilian version # "Error al cargar sistema operativo" nn=0xa8 for spanish version # "Errore durante il caricamento del sistema operativo" nn=0xae for italian version ->>>>>0x74 ubyte >0 at offset 0x%x +>>>>>0x74 ubyte >0 at offset %#x >>>>>>(0x74.b) string >\0 "%s" # "Missing operating system" nn=0xc2 for english version # "Betriebssystem fehlt" nn=0xcd for german version @@ -312,7 +324,7 @@ # "Sistema operacional nao encontrado" nn=0xd4 for portuguese Brazilian version # "Falta sistema operativo" nn=0xca for spanish version # "Sistema operativo mancante" nn=0xe2 for italian version ->>>>>0x79 ubyte >0 at offset 0x%x +>>>>>0x79 ubyte >0 at offset %#x >>>>>>(0x79.b) string >\0 "%s" # Microsoft Windows 95B to XP (https://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) # assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b @@ -327,7 +339,7 @@ >>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german >>>>(0x3C.b+0x0FF) string Table\ de\ partition\ erron\202e french >>>>(0x3C.b+0x0FF) string \215\245\257\340\240\242\250\253\354\255\240\357\ \342\240\241\253\250\346\240 russian ->>>>0x3C ubyte x at offset 0x%x+0xFF +>>>>0x3C ubyte x at offset %#x+0xFF >>>>(0x3C.b+0x0FF) string >\0 "%s" # "Error loading operating system" nn=0x127 for english version # "Fehler beim Laden des Betriebssystems" nn=0x12b for german version @@ -400,12 +412,12 @@ >>>>(0x1b7.b+0x100) string >\0 "%s" # https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DiskSigs # https://en.wikipedia.org/wiki/MBR_disk_signature#ID ->>0x1b8 ulelong >0 \b, disk signature 0x%-.4x +>>0x1b8 ulelong >0 \b, disk signature %#-.4x # driveID/timestamp for Win 95B,98,98SE and ME. See https://thestarman.pcministry.com/asm/mbr/mystery.htm >>0xDA uleshort 0 >>>0xDC ulelong >0 \b, created # physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive ->>>>0xDC ubyte x with driveID 0x%x +>>>>0xDC ubyte x with driveID %#x # hours, minutes and seconds >>>>0xDf ubyte x at %x >>>>0xDe ubyte x \b:%x @@ -452,13 +464,13 @@ >>>397 search/4 Booting\040 >>>>408 search/4 HD1/\0 \b, Ranish MBR ( >>>>>416 string Writing\ changes... \b2.37 ->>>>>>438 ubyte x \b,0x%x dots +>>>>>>438 ubyte x \b,%#x dots >>>>>>440 ubyte >0 \b,virus check >>>>>>441 ubyte >0 \b,partition %c #2.38,2.42,2.44 >>>>>416 string !Writing\ changes... \b >>>>>>418 ubyte 1 \bvirus check, ->>>>>>419 ubyte x \b0x%x seconds +>>>>>>419 ubyte x \b%#x seconds >>>>>>420 ubyte&0x0F >0 \b,partition >>>>>>>420 ubyte&0x0F <5 \b %x >>>>>>>420 ubyte&0x0F 0Xf \b ask @@ -491,25 +503,25 @@ # updated by Joerg Jenderek at Oct 2008 # variables according to grub-0.97/stage1/stage1.S or # https://www.gnu.org/software/grub/manual/grub.html#Embedded-data -# usual values are marked with comments to get only informations of strange GRUB loaders +# usual values are marked with comments to get only information of strange GRUB loaders >342 search/60 \0Geom\0 #>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 >>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader # 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 ->>>>0x3E ubyte x \b, stage1 version 0x%x +>>>>0x3E ubyte x \b, stage1 version %#x #If it is 0xFF, use a drive passed by BIOS ->>>>0x40 ubyte <0xFF \b, boot drive 0x%x +>>>>0x40 ubyte <0xFF \b, boot drive %#x # in most case 0,1,0x2e for GRUB 0.5.95 ->>>>0x41 ubyte >0 \b, LBA flag 0x%x ->>>>0x42 uleshort <0x8000 \b, stage2 address 0x%x -#>>>>0x42 uleshort =0x8000 \b, stage2 address 0x%x (usual) ->>>>0x42 uleshort >0x8000 \b, stage2 address 0x%x -#>>>>0x44 ulelong =1 \b, 1st sector stage2 0x%x (default) ->>>>0x44 ulelong >1 \b, 1st sector stage2 0x%x ->>>>0x48 uleshort <0x800 \b, stage2 segment 0x%x -#>>>>0x48 uleshort =0x800 \b, stage2 segment 0x%x (usual) ->>>>0x48 uleshort >0x800 \b, stage2 segment 0x%x +>>>>0x41 ubyte >0 \b, LBA flag %#x +>>>>0x42 uleshort <0x8000 \b, stage2 address %#x +#>>>>0x42 uleshort =0x8000 \b, stage2 address %#x (usual) +>>>>0x42 uleshort >0x8000 \b, stage2 address %#x +#>>>>0x44 ulelong =1 \b, 1st sector stage2 %#x (default) +>>>>0x44 ulelong >1 \b, 1st sector stage2 %#x +>>>>0x48 uleshort <0x800 \b, stage2 segment %#x +#>>>>0x48 uleshort =0x800 \b, stage2 segment %#x (usual) +>>>>0x48 uleshort >0x800 \b, stage2 segment %#x >>>>402 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>394 string stage1 \b, GRUB version 0.5.95 >>>>382 string Geom\0Hard\ Disk\0Read\0\ Error\0 @@ -533,7 +545,7 @@ # mbr partition table entries updated by Joerg Jenderek at Sep 2013 # skip Norton Utilities disc image data >3 string !IHISK -# skip Linux style boot sector starting with assember instructions mov 0x7c0,ax; +# skip Linux style boot sector starting with assembler instructions mov 0x7c0,ax; >>0 belong !0xb8c0078e # not Linux kernel >>>514 string !HdrS @@ -548,7 +560,7 @@ >>>>>0 ubelong&0xFD000000 !0xE9000000 # skip FSInfosector >>>>>>0 string !RRaA -# skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, +# skip 3rd sector of MS x86 bootloader with assembler instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, # https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm >>>>>>>0 ubequad !0xfa660fb64610668b # skip 13rd sector of MS x86 bootloader @@ -1114,9 +1126,9 @@ >>48 leshort 0xAA55 2 >>32 leshort 0xAA55 3 >>16 leshort 0xAA55 4 ->>4 ubyte x : ID=0x%x +>>4 ubyte x : ID=%#x >>0 ubyte&0x80 0x80 \b, active ->>0 ubyte >0x80 0x%x +>>0 ubyte >0x80 %#x >>1 ubyte x \b, start-CHS ( >>1 use partition-chs >>5 ubyte x \b), end-CHS ( @@ -1214,7 +1226,7 @@ # ERRorTeXT >>181 search/166 Error\ \0\r\n NetBSD mbr # NT Drive Serial Number https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS ->>>0x1B8 ubelong >0 \b,Serial 0x%-.8x +>>>0x1B8 ubelong >0 \b,Serial %#-.8x # BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx >>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector # BOOT_EXTENDED definitions contains assembler instructions: @@ -1265,38 +1277,38 @@ # variant used by testdisk of https://www.cgsecurity.org/wiki/Menu_MBRCode >>>(0x1BC.s+8) ubyte&2 2 \b,TestDisk #0x1~1,..,0x8~4,0x10~F,0x80~A enabled -#>>>(0x1BC.s+10) ubyte x \b,flags 0x%x +#>>>(0x1BC.s+10) ubyte x \b,flags %#x #0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot -#>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x +#>>>(0x1BC.s+11) ubyte x \b,cfg_def %#x # for older versions >>>(0x1BC.s+9) ubyte <2 #>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: ->>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x +>>>>(0x1BC.s+13) ubyte <2 \b,floppy %#x >>>>(0x1BC.s+13) ubyte >1 # 1st hard disc -#>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x +#>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive %#x # not 1st hard disc ->>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x +>>>>>(0x1BC.s+13) ubyte !0x80 \b,drive %#x # for version >= 2 maximal timeout can be 65534 >>>(0x1BC.s+9) ubyte >1 #>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds >>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds # floppy A: or B: ->>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x +>>>>(0x1BC.s+14) ubyte <2 \b,floppy %#x >>>>(0x1BC.s+14) ubyte >1 # 1st hard disc -#>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x +#>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive %#x # not 1st hard disc ->>>>>(0x1BC.s+14) ubyte !0x80 \b,drive 0x%x +>>>>>(0x1BC.s+14) ubyte !0x80 \b,drive %#x >>>0 ubyte x \b) # added by Joerg Jenderek # In the second sector (+0x200) are variables according to grub-0.97/stage2/asm.S or # grub-1.94/kern/i386/pc/startup.S # https://www.gnu.org/software/grub/manual/grub.html#Embedded-data -# usual values are marked with comments to get only informations of strange GRUB loaders +# usual values are marked with comments to get only information of strange GRUB loaders 0x200 uleshort 0x70EA # found only version 3.{1,2} >0x206 ubeshort >0x0300 @@ -1318,9 +1330,9 @@ # GRUB 0.5.95 unofficial >>>>0x20C ulelong&0x2E300000 0x2E300000 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs ->>>>>0x20C ubyte x \b, identifier 0x%x -#>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default) ->>>>>0x20D ubyte >0 \b, LBA flag 0x%x +>>>>>0x20C ubyte x \b, identifier %#x +#>>>>>0x20D ubyte =0 \b, LBA flag %#x (default) +>>>>>0x20D ubyte >0 \b, LBA flag %#x # GRUB version as string >>>>>0x20E string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default @@ -1335,10 +1347,10 @@ # for 1.94 contains kernel image size # for 0.93,0.94,0.96,0.97 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 ->>>>>0x210 ubyte x \b, identifier 0x%x +>>>>>0x210 ubyte x \b, identifier %#x # The flag for LBA forcing is in most cases 0 -#>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default) ->>>>>0x211 ubyte >0 \b, LBA flag 0x%x +#>>>>>0x211 ubyte =0 \b, LBA flag %#x (default) +>>>>>0x211 ubyte >0 \b, LBA flag %#x # GRUB version as string >>>>>0x212 string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default @@ -1358,16 +1370,16 @@ 0 ulelong&0x804000E9 0x000000E9 !:strength +60 # mtools-3.9.8/msdos.h -# usual values are marked with comments to get only informations of strange FAT systems +# usual values are marked with comments to get only information of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 >11 uleshort&0x001f 0 >>11 uleshort <32769 >>>11 uleshort >31 >>>>21 ubyte&0xf0 0xF0 >>>>>0 ubyte 0xEB DOS/MBR boot sector ->>>>>>1 ubyte x \b, code offset 0x%x+2 +>>>>>>1 ubyte x \b, code offset %#x+2 >>>>>0 ubyte 0xE9 ->>>>>>1 uleshort x \b, code offset 0x%x+3 +>>>>>>1 uleshort x \b, code offset %#x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC >>>>>>8 string IHC \b cached by Windows 9M @@ -1392,9 +1404,9 @@ #>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) >>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) ->>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x -#>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) ->>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x +>>>>>21 ubyte >0xF0 \b, Media descriptor %#x +#>>>>>21 ubyte =0xF0 \b, Media descriptor %#x (usual floppy) +>>>>>21 ubyte <0xF0 \b, Media descriptor %#x >>>>>22 uleshort >0 \b, sectors/FAT %u #>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32) >>>>>24 uleshort x \b, sectors/track %u @@ -1413,18 +1425,18 @@ #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 bit specific >>>>>>>82 string/c !fat32 -#>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) -#>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) +#>>>>>>>>36 ubyte 0x80 \b, physical drive %#x=0x80 (usual harddisk) +#>>>>>>>>36 ubyte 0 \b, physical drive %#x=0 (usual floppy) >>>>>>>>36 ubyte !0x80 ->>>>>>>>>36 ubyte !0 \b, physical drive 0x%x +>>>>>>>>>36 ubyte !0 \b, physical drive %#x # VGA-copy CRC or # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too ->>>>>>>>37 ubyte >0 \b, reserved 0x%x -#>>>>>>>>37 ubyte =0 \b, reserved 0x%x -# extended boot signatur value is 0x80 for NTFS, 0x28 or 0x29 for others ->>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) +>>>>>>>>37 ubyte >0 \b, reserved %#x +#>>>>>>>>37 ubyte =0 \b, reserved %#x +# extended boot signature value is 0x80 for NTFS, 0x28 or 0x29 for others +>>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (%#x) >>>>>>>>38 ubyte&0xFE =0x28 ->>>>>>>>>39 ulelong x \b, serial number 0x%x +>>>>>>>>>39 ulelong x \b, serial number %#x >>>>>>>>38 ubyte =0x29 >>>>>>>>>43 string <NO\ NAME \b, label: "%11.11s" >>>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" @@ -1466,7 +1478,7 @@ >>>>>82 string/c fat32 \b, FAT (32 bit) >>>>>>36 ulelong x \b, sectors/FAT %u # https://technet.microsoft.com/en-us/library/cc977221.aspx ->>>>>>40 uleshort >0 \b, extension flags 0x%x +>>>>>>40 uleshort >0 \b, extension flags %#x #>>>>>>40 uleshort =0 \b, extension flags %hu >>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>42 uleshort =0 \b, fsVersion %u (usual) @@ -1483,19 +1495,19 @@ >>>>>>50 default x >>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO ->>>>>>52 ulelong >0 \b, reserved1 0x%x ->>>>>>56 ulelong >0 \b, reserved2 0x%x ->>>>>>60 ulelong >0 \b, reserved3 0x%x +>>>>>>52 ulelong >0 \b, reserved1 %#x +>>>>>>56 ulelong >0 \b, reserved2 %#x +>>>>>>60 ulelong >0 \b, reserved3 %#x # same structure as FAT1X -#>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) -#>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) +#>>>>>>64 ubyte =0x80 \b, physical drive %#x=80 (usual harddisk) +#>>>>>>64 ubyte =0 \b, physical drive %#x=0 (usual floppy) >>>>>>64 ubyte !0x80 ->>>>>>>64 ubyte >0 \b, physical drive 0x%x +>>>>>>>64 ubyte >0 \b, physical drive %#x # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too ->>>>>>65 ubyte >0 \b, reserved 0x%x ->>>>>>66 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x) +>>>>>>65 ubyte >0 \b, reserved %#x +>>>>>>66 ubyte !0x29 \b, dos < 4.0 BootSector (%#x) >>>>>>66 ubyte =0x29 ->>>>>>>67 ulelong x \b, serial number 0x%x +>>>>>>>67 ulelong x \b, serial number %#x >>>>>>>71 string <NO\ NAME \b, label: "%11.11s" >>>>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>>71 string =NO\ NAME \b, unlabeled @@ -1518,10 +1530,10 @@ >>>>>>>19 uleshort =0 # 0 sectors/FAT # dos < 4.0 BootSector value found is 0x80 -#38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x) +#38 ubyte =0x80 \b, dos < 4.0 BootSector (%#x) >>>>>>>>22 uleshort =0 \b; NTFS >>>>>>>>>24 uleshort >0 \b, sectors/track %u ->>>>>>>>>36 ulelong !0x800080 \b, physical drive 0x%x +>>>>>>>>>36 ulelong !0x800080 \b, physical drive %#x >>>>>>>>>40 ulequad >0 \b, sectors %lld >>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld >>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld @@ -1537,8 +1549,8 @@ #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) >>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx ->>>>>>>>>80 ulelong >0 \b, checksum 0x%x -#>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) +>>>>>>>>>80 ulelong >0 \b, checksum %#x +#>>>>>>>>>80 ulelong =0 \b, checksum %#x=0 (usual) # unicode loadername size jump >>>>>>>>>(0x200.s*2) ubyte x # in next sector loadername terminated by unicode CTRL-D and $ @@ -1584,7 +1596,8 @@ >0x1e lequad x %lld total clusters, >0x26 lequad x %lld clusters in use -9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), + +0 name ffsv1 >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, @@ -1600,112 +1613,72 @@ >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization -42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization - -66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization +9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), +>0 use ffsv1 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), >7168 belong 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, ->8404 string x last mounted on %s, -#>9504 bedate x last checked at %s, ->8224 bedate x last written at %s, ->8401 byte x clean flag %d, ->8228 belong x number of blocks %d, ->8232 belong x number of data blocks %d, ->8236 belong x number of cylinder groups %d, ->8240 belong x block size %d, ->8244 belong x fragment size %d, ->8252 belong x minimum percentage of free blocks %d, ->8256 belong x rotational delay %dms, ->8260 belong x disk rotational speed %drps, ->8320 belong 0 TIME optimization ->8320 belong 1 SPACE optimization +>0 use \^ffsv1 + +0 name ffsv2 +>212 string x last mounted on %s, +>680 string >\0 volume name %s, +>1072 leqldate x last written at %s, +>209 byte x clean flag %d, +>210 byte x readonly flag %d, +>1080 lequad x number of blocks %lld, +>1088 lequad x number of data blocks %lld, +>44 lelong x number of cylinder groups %d, +>48 lelong x block size %d, +>52 lelong x fragment size %d, +>1196 lelong x average file size %d, +>1200 lelong x average number of files in dir %d, +>1104 lequad x pending blocks to free %lld, +>1112 lelong x pending inodes to free %d, +>712 lequad x system-wide uuid %0llx, +>60 lelong x minimum percentage of free blocks %d, +>128 lelong 0 TIME optimization +>128 lelong 1 SPACE optimization + +42332 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use ffsv2 + +42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>40960 use ffsv2 + +42332 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use \^ffsv2 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>40960 use \^ffsv2 + +66908 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use ffsv2 + +66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>65536 use ffsv2 + +66908 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use \^ffsv2 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>65536 use \^ffsv2 0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), >0x90 lelong+1 x volume %d >0x94 lelong x (of %d), >0x50 string x name %s, >0x98 ulelong x version %u, ->0xa0 ulelong x flags 0x%x +>0xa0 ulelong x flags %#x + +0 ulequad 0x48414d3205172011 HAMMER2 filesystem (little-endian), +>0x3b byte x volume %d, +>0x28 ulequad/1073741824 x size %lluGB, +>0x30 ulelong x version %u, +>0x34 ulelong x flags %#x # ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca> # ext4 filesystem - Eric Sandeen <sandeen@sandeen.net> @@ -1727,12 +1700,12 @@ >>>0x464 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? >>0x460 lelong >0x000003f ext4 filesystem data ->0x468 belong x \b, UUID=%08x ->0x46c beshort x \b-%04x ->0x46e beshort x \b-%04x ->0x470 beshort x \b-%04x ->0x472 belong x \b-%08x ->0x476 beshort x \b%04x +>0x468 ubelong x \b, UUID=%08x +>0x46c ubeshort x \b-%04x +>0x46e ubeshort x \b-%04x +>0x470 ubeshort x \b-%04x +>0x472 ubelong x \b-%08x +>0x476 ubeshort x \b%04x >0x478 string >0 \b, volume name "%s" # General flags for any ext* fs >0x460 lelong &0x0000004 (needs journal recovery) @@ -1755,12 +1728,12 @@ # f2fs filesystem - Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> 0x400 lelong 0xF2F52010 F2FS filesystem ->0x46c belong x \b, UUID=%08x ->0x470 beshort x \b-%04x ->0x472 beshort x \b-%04x ->0x474 beshort x \b-%04x ->0x476 belong x \b-%08x ->0x47a beshort x \b%04x +>0x46c ubelong x \b, UUID=%08x +>0x470 ubeshort x \b-%04x +>0x472 ubeshort x \b-%04x +>0x474 ubeshort x \b-%04x +>0x476 ubelong x \b-%08x +>0x47a ubeshort x \b%04x >0x147c lestring16 x \b, volume name "%s" # Minix filesystems - Juan Cespedes <cespedes@debian.org> @@ -1925,7 +1898,7 @@ #>>>0x60E ubequad 0 #>>>>0x600 ubequad !0 #!:mime application/x-ima -#>>512 ubyte x \b, Media descriptor 0x%x +#>>512 ubyte x \b, Media descriptor %#x # without x86 jump instruction #>>0 ulelong&0x804000E9 !0x000000E9 # assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV @@ -1935,7 +1908,7 @@ #>>0 ulelong&0x804000E9 =0x000000E9 # only x86 short jump instruction found #>>>0 ubyte =0xEB -#>>>>1 ubyte x \b, code offset 0x%x+2 +#>>>>1 ubyte x \b, code offset %#x+2 # https://thestarman.pcministry.com/DOS/ibm100/Boot.htm # assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 #>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader @@ -1975,16 +1948,19 @@ >>38917 string 1 (version 1.0) >>38917 string 2 (version 1.5) >>38917 string 3 (version 2.0) ->>38917 byte >0x33 (unknown version, ID 0x%X) ->>38917 byte <0x31 (unknown version, ID 0x%X) +>>38917 byte >0x33 (unknown version, ID %#X) +>>38917 byte <0x31 (unknown version, ID %#X) # The next line is not necessary because the MBR staff is done looking for boot signature >0x1FE leshort 0xAA55 (DOS/MBR boot sector) # "application id" which appears to be used as a volume label ->32808 string/T >\0 '%s' +>32808 string/T >\0 '%.32s' >34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) !:mime application/x-iso9660-image 32777 string CDROM High Sierra CD-ROM filesystem data +# "application id" which appears to be used as a volume label +>32816 string/T >\0 '%.32s' + # CDROM Filesystems # https://en.wikipedia.org/wiki/ISO_9660 @@ -2031,7 +2007,7 @@ >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support ->32 lelong x CRC 0x%x, +>32 lelong x CRC %#x, >36 lelong x edition %u, >40 lelong x %u blocks, >44 lelong x %u files @@ -2041,7 +2017,7 @@ >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support ->32 belong x CRC 0x%x, +>32 belong x CRC %#x, >36 belong x edition %u, >40 belong x %u blocks, >44 belong x %u files @@ -2134,10 +2110,10 @@ >31 byte 3 (lzma), >12 belong x %d bytes, >8 bedate x %s, ->16 belong x Load Address: 0x%08X, ->20 belong x Entry Point: 0x%08X, ->4 belong x Header CRC: 0x%08X, ->24 belong x Data CRC: 0x%08X +>16 belong x Load Address: %#08X, +>20 belong x Entry Point: %#08X, +>4 belong x Header CRC: %#08X, +>24 belong x Data CRC: %#08X # JFFS2 file system 0 leshort 0x1984 Linux old jffs2 filesystem data little endian @@ -2281,20 +2257,22 @@ >>0x10060 string >\0 lockproto %s) # Russell Coker <russell@coker.com.au> -0x10040 string _BHRfS_M BTRFS Filesystem ->0x1012b string >\0 label "%s", ->0x10090 lelong x sectorsize %d, ->0x10094 lelong x nodesize %d, ->0x10098 lelong x leafsize %d, ->0x10020 belong x UUID=%08x- ->0x10024 beshort x \b%04x- ->0x10026 beshort x \b%04x- ->0x10028 beshort x \b%04x- ->0x1002a beshort x \b%04x ->0x1002c belong x \b%08x, ->0x10078 lequad x %lld/ ->0x10070 lequad x \b%lld bytes used, ->0x10088 lequad x %lld devices +0x10040 string _BHRfS_M BTRFS Filesystem +>0x1012b string >\0 label "%s", +>0x10090 lelong x sectorsize %d, +>0x10094 lelong x nodesize %d, +>0x10098 lelong x leafsize %d, +>0x10020 ubelong x UUID=%08x- +>0x10024 ubeshort x \b%04x- +>0x10026 ubeshort x \b%04x- +>0x10028 ubeshort x \b%04x- +>0x1002a ubeshort x \b%04x +>0x1002c ubelong x \b%08x, +>0x10078 lequad x %lld/ +>0x10070 lequad x \b%lld bytes used, +>0x10088 lequad x %lld devices + +0 string btrfs-stream BTRFS stream file # dvdisaster's .ecc # From: "Nelson A. de Oliveira" <naoliv@gmail.com> @@ -2363,11 +2341,11 @@ >40 lelong x \b number of files %u, >44 lelong x \b blocks available for writing %d, >48 lelong x \b inodes in cache %d, ->52 lelong x \b inode file disk address 0x%x, +>52 lelong x \b inode file disk address %#x, >56 lelong x \b inode file inode number %u, ->60 lelong x \b address of last segment written 0x%x, ->64 lelong x \b address of next segment to write 0x%x, ->68 lelong x \b address of current segment written 0x%x +>60 lelong x \b address of last segment written %#x, +>64 lelong x \b address of next segment to write %#x, +>68 lelong x \b address of current segment written %#x 0 string td\000 floppy image data (TeleDisk, compressed) 0 string TD\000 floppy image data (TeleDisk) @@ -2378,12 +2356,167 @@ 0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) -0 beshort 0xAA58 floppy image data (IBM SaveDskF, old) -0 beshort 0xAA59 floppy image data (IBM SaveDskF) -0 beshort 0xAA5A floppy image data (IBM SaveDskF, compressed) +# URL: http://fileformats.archiveteam.org/wiki/LoadDskF/SaveDskF +# Update: Joerg Jenderek +# Note: called "IBM SKF disk image" by TrID +# verfied by 7-Zip `7z l -tFAT -slt *.dsk` and +# `deark -l -m loaddskf 06200D19.DSK` +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf-old.trid.xml +0 beshort 0xAA58 +>0 use SaveDskF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf.trid.xml +0 beshort 0xAA59 +>0 use SaveDskF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf-comp.trid.xml +0 beshort 0xAA5A +# skip foo by additional check for unused upper byte of media type in SaveDskF header +#>3 ubyte =0 +# skip bar by additional check for valid "low" number of heads in SaveDskF header +#>>26 uleshort <3 +# skip foo by additional check for unused double word field in SaveDskF header +#>>>30 long =0 +#>>>>0 use SaveDskF +>0 use SaveDskF +# display information about IBM SaveDskF floppy disk images +0 name SaveDskF +# SaveDskF magic +>0 beshort x floppy image data (IBM SaveDskF +#!:mime application/octet-stream +!:mime application/x-ibm-dsk +!:ext dsk +# also suffix with digit (1dk .2dk ...); NO example FOUND! +#!:ext dsk/1dk/2dk +>1 ubyte =0x58 \b, old) +>1 ubyte =0x59 \b) +>1 ubyte =0x5A \b, compressed) +# media type; the first byte of the FAT like: 0xF0 (usual floppy) 0xF9 0xFE +# https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system +>2 ubyte !0xF0 \b, Media descriptor %#x +# upper byte of media type is not used; so this seems to be nil +>3 ubyte !0 \b, upper byte of media type %#x +# sector size in bytes as in the BIOS parameter block like: 512 ; SAVEDSKF.EXE with other sizes produce garbage images +>4 uleshort !512 \b, Bytes/sector %u +# cluster mask; number of sectors per cluster, minus 1 +>6 uleshort+1 >1 \b, sectors/cluster %u +#>6 uleshort+1 x \b, sectors/cluster %u +# cluster shift; log2(cluster size / sector size) like: 0~1=ClusterSize/SectorSize +>7 ubyte >0 \b, cluster shift %u +#>7 ubyte x \b, cluster shift %u +# reserved sectors; as in the BIOS parameter block like: 1 256 (2M256R-K.DSK) +>8 uleshort >1 \b, reserved sectors %u +#>8 uleshort x \b, reserved sectors %u +# FAT copies; as in the BIOS parameter block like: 2 (usual) 1 (2-NK.DSK) +>10 ubyte !2 \b, FAT +# plural s +>>10 ubyte >1 \bs +>>10 ubyte x %u +# root directory entries; as in the BIOS parameter block like: 224 (usual) 64 (H1-NK.DSK) 4096 (2-NK.DSK) +>11 uleshort !224 \b, root entries %u +# sector number of first cluster (count sectors used by boot sector, FATs and root directory) like: 7 10 29 33 288 +>13 uleshort !33 \b, 1st cluster at sector %u +# number of clusters in image; empty clusters at the end are not saved and counted like: 2372 2848 +>15 uleshort x \b, %u clusters +# sectors/FAT; as in the BIOS parameter block like: 1 (H1-NK.DSK) 7 9 +>17 ubyte !9 \b, sectors/FAT %u +# sector number of root directory (ie, count of sectors used by boot sector and FATs) like: 3 (H1-NK.DSK) 9 10 15 19 274 (2M256R-K.DSK) +>18 uleshort !19 \b, root directory at sector %u +# checksum; sum of all bytes in the file +>20 ulelong x \b, checksum %#8.8x +# cylinders; number of cylinders like: 40 80 +>24 uleshort !80 \b, %u cylinders +#>24 uleshort x \b, %u cylinders +# heads; number of heads as in the BIOS parameter block like: 1 (H1-NK.DSK) 2 +>26 uleshort !2 \b, heads %u +#>26 uleshort x \b, heads %u +# sectors/track; number of sectors per track as in the BIOS parameter block like: 8 15 18 36 +>28 uleshort !18 \b, sectors/track %u +#>28 uleshort x \b, sectors/track %u +# unused double word field seems to be always like: 0 +>30 ulelong !0 \b, at 0x1E %#x +# number of sectors in images like: 1017 2786 2880 +>34 uleshort x \b, sectors %u +# if string is "printable" it can be a real comment +>(36.s) ubyte !0x00 +# if 1st sector is far enough away (> 0x29) then there is space for comment part +>>38 uleshort >41 +# offset to comment string like: 28h=40 +>>>36 uleshort x \b, at %#x +# comment string terminated with \r\n\0 +>>>(36.s) string x "%s" +# offset to the first sector like: 0 (If this is 0, assume it is 0x200) 29h=41 (DISPLAY3.DSK) 31h 43h 45h 46h 48h 50h 200h=512 +>38 uleshort !0 \b, 1st sector at %#x +# FOR DEBUGGING! +#>(38.s) ubelong x SECTOR CONTENT %x +# not compressed floppy image implies readable DOS boot sector inside image +>>1 ubyte !0x5A +# when not compressed it is readable as DOS boot sector via ./filesystems +#>>>(38.s) indirect x \b; contains +>38 uleshort =0 \b, 1st sector at 0x200 (0) +# maybe standard DOS boot sector; NO example FOUND HERE! +#>>0x200 indirect x \b; contains 0 string \074CPM_Disk\076 disk image data (YAZE) +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Central_Point_Software#cite_note-6 +# Reference: https://www.robcraig.com/download/transcopy-5-x-file-format +# https://www.robcraig.com/download/transcopy-file-format-by-gene-thompson +# http://mark0.net/download/triddefs_xml.7z/defs/t/tc-transcopy.trid.xml +# TransCopy signature +0 beshort 0x5AA5 +# skip Intel serial flash ROM with invalid 0 disk sides handled by ./intel +>0x103 ubyte !0 +# skip Intel serial flash ROM with unlikely "high" start cylinder 100 handled by ./intel +#>>0x101 ubyte <100 VALID_START_CYLINDER +# skip Intel serial flash ROM with unlikely description handled by ./intel +#>>>2 beshort !0xF00f VALID_DESCRIPTION +# skip Intel serial flash ROM with invalid disk types 89h 88h handled by ./intel +#>>>>0x100 byte !0x89 VALID_DISK_TYPE +>>0 use tc-floppy +# display information of Central Point Software (CPS) Option Board TransCopy floppy image +0 name tc-floppy +>0 beshort x TransCopy disk image +#!:mime application/octet-stream +!:mime application/x-floppy-image-tc +# like: disk04.tc VOCALC2.TC WIZ5_A.tc WIZ2_720.IMG +!:ext tc/img +# 1st description (optional 0-terminated maximal 32) like: +# "Project Workbench 2.20" "Visi On Calc" "Wizardry V Disk 1 of 3" +>2 string >\0 %.32s +# 2nd desc. (optional 0-terminated maximal 32) like: +# "(1988)." "Advanced - Utility" 'Program Disk 2" +>0x22 string >\0 "%.32s" +# Looks like ascii (like MESSAGES) formatted with attribute bytes (190)? +# not needed for disk copy +#>>0x42 string x '%.190s' +#>>0x88 lestring16 x "%.8s" +# disktype: 2~MFM High Density 3~MFM Double Density 4~Apple II GCR 5~FM Single Density +# 6~Commodore GCR 7~MFM Double Density 8~Commodore Amiga Ch~Atari FM FFh~Unknown +>0x100 ubyte !0xFF \b, disk type %u +# StartingCylinder like: 0 +>0x101 ubyte x \b, cylinder +>0x101 ubyte !0 start=%u +# EndingCylinder like: 40 (often) 41 79 +>0x102 ubyte x end=%u +# NumberOfSides like: 2 +>0x103 ubyte !2 \b, %u sides +# TrackIncrement like: 1 +>0x104 ubyte !1 \b, track increment %u +# TrackPosTbl Track skew +#>0x105 ubequad x \b, Track skew %#16.16llx +# TrackOffsTbl +#>0x305 ubequad x \b, TrackOffsTbl %#16.16llx +# TrackLngthTbl +#>0x505 ubequad x \b, TrackLngthTbl %#16.16llx +# TrackTypeTable +#>0x705 ubequad x \b, TrackTypeTable %#16.16llx +# Address mark timing +#>0x905 ubequad x \b, Address mark timing %#16.16llx +# Track fragment +#>0x2905 ubequad !0 \b, Track fragment %#16.16llx +# Track data +#>0x4000 ubequad !0 \b, Track data %#16.16llx + # ReFS # Richard W.M. Jones <rjones@redhat.com> 0 string \0\0\0ReFS\0 ReFS filesystem image @@ -2399,7 +2532,7 @@ >0x16 leshort 0 UBIfs image >0x08 lequad x \b, sequence number %llu >0x10 leshort x \b, length %u ->0x04 lelong x \b, CRC 0x%08x +>0x04 lelong x \b, CRC %#08x 0 lelong 0x23494255 >0x04 leshort <2 @@ -2433,3 +2566,129 @@ >0x400 pstring x serial: %s #>0x500 pstring x unknown: %s !:ext imgc + +# http://martin.hinner.info/fs/bfs/bfs-structure.html +0 lelong 0x1BADFACE SCO UnixWare BFS filesystem + +# https://arstechnica.com/information-technology/2018/07/the-beos-filesystem/ +32 lelong 0x42465331 BE/OS BFS1 filesystem +>36 lelong x \b, byte order %d +>40 lelong x \b, block size %d +>44 lelong x \b, block shift %d +>48 lequad x \b, total blocks %lld +>56 lequad x \b, used blocks %lld + + +0 name next +>0 lelong x \b, size %d +>4 string x \b, label %s + +# https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-44.3\ +# /IONeXTPartitionScheme.h +0 string NeXT NeXT version 1 disklabel +>12 use next +0 string dlV1 NeXT version 2 disklabel +>12 use next +0 string dlV2 NeXT version 3 disklabel +>12 use next + +# bcachefs +# From: Thomas Weißschuh <thomas@t-8ch.de> + +0 name bcachefs-uuid +>0 ubelong x \b%08x +>4 ubeshort x \b-%04x +>6 ubeshort x \b-%04x +>8 ubeshort x \b-%04x +>10 ubelong x \b-%08x +>14 ubeshort x \b%04x + +0 name bcachefs bcachefs +>0x68 lequad 8 \b, UUID= +>>0x38 use bcachefs-uuid +>>0x48 string >0 \b, label "%.32s" +>>0x10 uleshort x \b, version %u +>>0x12 uleshort x \b, min version %u +>>0x7a byte x \b, device %d +# assumes the first field is the members field +>>0x2f4 ulelong 0x01 \b/UUID= +>>>0x2f0 default x +>>>&(0x07a.b*56) use bcachefs-uuid +>>0x07b byte x \b, %d devices +>>0x090 byte ^0x02 \b (unclean) + +0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 +>0x1000 use bcachefs + +0x1018 string \xc6\x85\x73\xf6\x66\xce\x90\xa9\xd9\x6a\x60\xcf\x80\x3d\xf7\xef +>0x1000 use bcachefs + +# EROFS +# https://kernel.googlesource.com/pub/scm/linux/kernel/git/xiang/erofs-utils/\ +# +/refs/heads/experimental/include/erofs_fs.h#12 +1024 lelong 0xE0F5E1E2 EROFS filesystem +#>1028 lelong x \b, checksum=%#x +>1032 lelong >0 \b, compat: +>>1032 lelong &1 SB_CHKSUM +>>1032 lelong &2 MTIME +>1036 byte x \b, blocksize=%u +>1037 byte x \b, exslots=%u +#>1038 leshort x \b, root_nid=%d +#>1040 lequad x \b, inodes=%ld +#>1048 leldate x \b, build_time=%s +#>1056 lelong x \b.%d +#>1060 lelong x \b, blocks=%d +#>1064 lelong x \b, metadata@%#x +#>1068 lelong x \b, xattr@%#x +>1072 guid x \b, uuid=%s +>1088 string >0 \b, name=%s +>1104 lelong >0 \b, incompat: +>>1104 lelong &1 LZ4_0PADDING +>>1104 lelong &2 BIG_PCLUSTER +>>1104 lelong &4 CHUNKED_FILE +>>1104 lelong &8 DEVICE_TABLE +>>1104 lelong &16 ZTAILPACKING + +# YAFFS +# The layout itself is undocumented, determined by the memory layout of the +# reference implementation. This signature is derived from the +# reference implementation code and generated test cases +# We recognize the start of an object header defined by yaffs_obj_hdr: +# (Note the values being encoded depending on platform endianess) + +# u32 type /* enum yaffs_obj_type, valid 1-5 */ +# u32 parent_obj_id; /* 1 for root objects we recognize */ +# u16 sum_no_longer_used; /* checksum of name. Not used by YAFFS and memset to 0xFF */ +# YCHAR name[YAFFS_MAX_NAME_LENGTH + 1]; + +# mkyaffsimage always writes a root directory with empty name, then processing the target directory contents +# mkyaffs2image directly proceeds to writing entries with the appropriate u32 YAFFS_OBJECT_TYPE (1-5 valid), each with parent id 1 + +0 name yaffs +>0 ulelong 1 \b, type file +>0 ulelong 2 \b, type symlink +>0 ulelong 3 \b, type root or directory +>0 ulelong 4 \b, type hardlink +>0 ulelong 5 \b, type special +>0xA byte 0 \b, v1 root directory +>0xA byte !0 \b, object entry +>>0xA string x (name: "%s") + +# Little Endian: XX 00 00 00 01 00 00 00 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x1 string \x00\x00\x00\x01\x00\x00\x00\xFF\xFF +>0 ulelong 0 +>0 ulelong >5 +>0 default x YAFFS filesystem root entry (little endian) +>>0 use yaffs + +# Big Endian: 00 00 00 XX 00 00 00 01 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x4 string \x00\x00\x00\x01\xFF\xFF +>0 string \x00\x00\x00 +>>0 ubelong 0 +>>0 ubelong >5 +>>0 default x YAFFS filesystem root entry (big endian) +>>>0 use \^yaffs diff --git a/contrib/file/magic/Magdir/firmware b/contrib/file/magic/Magdir/firmware new file mode 100644 index 000000000000..4835b12e8d04 --- /dev/null +++ b/contrib/file/magic/Magdir/firmware @@ -0,0 +1,133 @@ +#------------------------------------------------------------------------------ +# $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $ +# firmware: file(1) magic for firmware files +# + +# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure +# examples: https://github.com/cweiske/frontier-silicon-firmwares +0 lelong 0x00001176 +>4 lelong 0x7c Frontier Silicon firmware download +>>8 lelong x \b, MeOS version %x +>>12 string/32/T x \b, version %s +>>40 string/64/T x \b, customization %s + +# HPE iLO firmware update image +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ +# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images +0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00 +>16 ubeshort =0xCFDD HPE iLO2 firmware update image +>16 ubeshort =0x6444 HPE iLO1 firmware update image +# iLO3 images (ilo3_*.bin) start directly with image name +0 string iLO3\x20v\x20 HPE iLO3 firmware update image, +>7 string x version %s +# iLO4 images (ilo4_*.bin) start with a signature and a certificate +0 string --=</Begin\x20HP\x20Signed +>75 string label_HPBBatch +>>5828 string iLO\x204 +>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image, +>>>6947 string x version %s +# iLO5 images (ilo5_*.bin) start with a signature +>75 string label_HPE-HPB-BMC-ILO5-4096 +>>880 string HPIMAGE\x00 HPE iLO5 firmware update image, +>>944 string x version %s + +# IBM POWER Secure Boot Container +# from https://github.com/open-power/skiboot/blob/master/libstb/container.h +0 belong 0x17082011 POWER Secure Boot Container, +>4 beshort x version %u +>6 bequad x container size %llu +# These are always zero +# >14 bequad x target HRMOR %llx +# >22 bequad x stack pointer %llx +>4096 ustring \xFD7zXZ\x00 XZ compressed +0 belong 0x1bad1bad POWER boot firmware +>256 belong 0x48002030 (PHYP entry point) + +# ARM Cortex-M vector table +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties +# Match stack MSB +3 byte 0x20 +# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match) +>4 ulelong&0xE0000001 1 +>>8 ulelong&0xE0000001 1 +>>>12 ulelong&0xE0000001 1 +>>>>44 ulelong&0xE0000001 1 +>>>>>56 ulelong&0xE0000001 1 +# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF) +>>>>>>28 ulelong+1 <2 +>>>>>>>32 ulelong+1 <2 +>>>>>>>>36 ulelong+1 <2 +>>>>>>>>>40 ulelong+1 <2 +>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware +>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x +>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x + +# ESP-IDF partition table entry +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h +0 string \xAA\x50 +>2 ubyte <2 ESP-IDF partition table entry +>>12 string/16 x \b, label: "%s" +>>2 ubyte 0 +>>>3 ubyte 0x00 \b, factory app +>>>3 ubyte 0x10 \b, OTA_0 app +>>>3 ubyte 0x11 \b, OTA_1 app +>>>3 ubyte 0x12 \b, OTA_2 app +>>>3 ubyte 0x13 \b, OTA_3 app +>>>3 ubyte 0x14 \b, OTA_4 app +>>>3 ubyte 0x15 \b, OTA_5 app +>>>3 ubyte 0x16 \b, OTA_6 app +>>>3 ubyte 0x17 \b, OTA_7 app +>>>3 ubyte 0x18 \b, OTA_8 app +>>>3 ubyte 0x19 \b, OTA_9 app +>>>3 ubyte 0x1A \b, OTA_10 app +>>>3 ubyte 0x1B \b, OTA_11 app +>>>3 ubyte 0x1C \b, OTA_12 app +>>>3 ubyte 0x1D \b, OTA_13 app +>>>3 ubyte 0x1E \b, OTA_14 app +>>>3 ubyte 0x1F \b, OTA_15 app +>>>3 ubyte 0x20 \b, test app +>>2 ubyte 1 +>>>3 ubyte 0x00 \b, OTA selection data +>>>3 ubyte 0x01 \b, PHY init data +>>>3 ubyte 0x02 \b, NVS data +>>>3 ubyte 0x03 \b, coredump data +>>>3 ubyte 0x04 \b, NVS keys +>>>3 ubyte 0x05 \b, emulated eFuse data +>>>3 ubyte 0x06 \b, undefined data +>>>3 ubyte 0x80 \b, ESPHTTPD partition +>>>3 ubyte 0x81 \b, FAT partition +>>>3 ubyte 0x82 \b, SPIFFS partition +>>>3 ubyte 0xFF \b, any data +>>4 ulelong x \b, offset: 0x%X +>>8 ulelong x \b, size: 0x%X +>>28 ulelong&0x1 1 \b, encrypted + +# ESP-IDF application image +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h +# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t +# First segment contains esp_app_desc_t +0 ubyte 0xE9 +>32 ulelong 0xABCD5432 ESP-IDF application image +>>12 uleshort 0x0000 for ESP32 +>>12 uleshort 0x0002 for ESP32-S2 +>>12 uleshort 0x0005 for ESP32-C3 +>>12 uleshort 0x0009 for ESP32-S3 +>>12 uleshort 0x000A for ESP32-H2 Beta1 +>>12 uleshort 0x000C for ESP32-C2 +>>12 uleshort 0x000D for ESP32-C6 +>>12 uleshort 0x000E for ESP32-H2 Beta2 +>>12 uleshort 0x0010 for ESP32-H2 +>>80 string/32 x \b, project name: "%s" +>>48 string/32 x \b, version %s +>>128 string/16 x \b, compiled on %s +>>>112 string/16 x %s +>>144 string/32 x \b, IDF version: %s +>>4 ulelong x \b, entry address: 0x%08X diff --git a/contrib/file/magic/Magdir/fonts b/contrib/file/magic/Magdir/fonts index b0b40083a5d7..17373b5a580c 100644 --- a/contrib/file/magic/Magdir/fonts +++ b/contrib/file/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.43 2019/07/16 11:11:31 christos Exp $ +# $File: fonts,v 1.51 2022/08/16 11:16:39 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -8,12 +8,56 @@ 0 short 017001 byte-swapped Berkeley vfont data # PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com +# Modified by: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/PostScript_fonts +# http://fileformats.archiveteam.org/wiki/Adobe_Type_1 +# Reference: http://mark0.net/download/triddefs_xml.7z +# defs/p/pfb.trid.xml +# Note: PFB stands for Printer Font Binary 0 string %!PS-AdobeFont-1. PostScript Type 1 font text +#!:mime font/x-postscript-pfb +#!:ext pfb >20 string >\0 (%s) -6 string %!PS-AdobeFont-1. PostScript Type 1 font program data +# http://www.nationalarchives.gov.uk/pronom/fmt/525 +6 string %!PS-AdobeFont-1. +# skip DROID fmt-525-signature-id-816.pfb by checking for content after header +>24 ubyte x PostScript Type 1 font program data +#!:mime application/octet-stream +!:mime font/x-postscript-pfb +!:ext pfb +# often followed by colon (3Ah) and space (20h) and font name like: DarkGardenMK LetterGothic +>>24 ubyte =0x3A +>>>26 string >\0 (%s) +# some times instead of colon %%CreationDate: and "font name" later +>>24 ubyte !0x3A +# font name directive followed by def like: c0633bt_.pfb +>>>25 search/1247 /FontName\040/ +# show font name in parentheses like: Frankfurt Lithos CharterBT-BoldItalic Courier10PitchBT-Bold +>>>>&0 regex [A-Za-z0-9-]+ (%s) +# http://cd.textfiles.com/maxfonts/ATM/M/MIRROR__.PFB +6 string %PS-AdobeFont-1. PostScript Type 1 font program data +!:mime font/x-postscript-pfb +!:ext pfb +# font name like: Times-Mirror +>25 string >\0 (%s) 0 string %!FontType1 PostScript Type 1 font program data +#!:mime font/x-postscript-pfb +#!:ext pfb 6 string %!FontType1 PostScript Type 1 font program data +#!:mime application/octet-stream +!:mime font/x-postscript-pfb +!:ext pfb +# font name like: CaslonOpenFace FetteFraktur Kaufmann Linotext MesozoicGothic Old-Town +>23 string >\0 (%s) +# http://cd.textfiles.com/maxfonts/ATM/P/PLAYBI.PFB +230 string %!FontType1 PostScript Type 1 font program data +!:mime font/x-postscript-pfb +!:ext pfb +# font name like: Playbill +>247 string >\0 (%s) 0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text +#!:mime font/x-postscript-pfb +#!:ext pfb # Summary: PostScript Type 1 Printer Font Metrics # URL: https://en.wikipedia.org/wiki/PostScript_fonts @@ -66,15 +110,23 @@ >>>90 ubyte 65 script proportional # X11 font files in SNF (Server Natural Format) format -# updated by Joerg Jenderek at Feb 2013 +# updated by Joerg Jenderek at Feb 2013 and Nov 2021 # http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm -0 belong 00000004 X11 SNF font data, MSB first -#>104 belong 00000004 X11 SNF font data, MSB first +# URL: http://fileformats.archiveteam.org/wiki/SNF +# Reference: https://cgit.freedesktop.org/xorg/lib/libXfont/tree/src/bitmap/snfstr.h +0 belong 00000004 +# version2 same as version1 in struct _snfFontInfo +>104 belong 00000004 X11 SNF font data, MSB first +# GRR: line above is too general as it catches also DEGAS low-res bitmap like: +# http://cd.textfiles.com/geminiatari/FILES/GRAPHICS/ANIMAT/SPID_PAT/BIGSPID.PI1 !:mime application/x-font-sfn -# GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX +!:ext snf +# GRR: line below is too general as it catches also Xbase index file t3-CHAR.NDX 0 lelong 00000004 >104 lelong 00000004 X11 SNF font data, LSB first !:mime application/x-font-sfn +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/snf-x11-lsb.trid.xml +!:ext snf # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 STARTFONT\ X11 BDF font text @@ -123,7 +175,15 @@ >10 leshort x \b%d >40 string x %s # Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CPI +# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/58/17.html 0 belong 0xff464f4e DOS code page font data collection +!:mime font/x-dos-cpi +!:ext cpi +0 string \x7fDRFONT DR-DOS code page font data collection +!:mime font/x-drdos-cpi +!:ext cpi 7 belong 0x00454741 DOS code page font data 7 belong 0x00564944 DOS code page font data (from Linux?) 4098 string DOSFONT DOSFONT2 encrypted font data @@ -158,7 +218,7 @@ # face size in points 3-72 SLSS03CG.FNT H1CELT72.FNT >2 uleshort x %u # face ID (must be unique) ->0 uleshort x \b, ID 0x%4.4x +>0 uleshort x \b, ID %#4.4x # lowest character index in face (4 but usually 32 for disk-loaded fonts) #>36 uleshort !32 \b, unusual character index %u # width of the widest character like 0 8 10 12 16 24 32 @@ -168,21 +228,21 @@ # thickening size in pixel like 0 1 2 3 4 5 6 7 8 #>58 uleshort x \b, %u thick # lightening mask to eliminate pixels, usually 5555h ->62 uleshort !0x5555 \b, lightening mask 0x%x +>62 uleshort !0x5555 \b, lightening mask %#x # skewing mask to determine when to perform additional rotation when skewing, usually 5555h ->64 uleshort !0x5555 \b, skewing mask 0x%x +>64 uleshort !0x5555 \b, skewing mask %#x # offset to optional horizontal offset table 0 58h~88 5eh 252h -#>68 ulelong x \b, 0x%x horizontal table offset +#>68 ulelong x \b, %#x horizontal table offset # offset of character offset table 54h for many *.GFT 55h 58h 5Eh 120h 1D4h 202h 220h -#>72 ulelong x \b, 0x%x coffset +#>72 ulelong x \b, %#x coffset # offset to font data like 116h 118h 158 20Ah 20Eh ->76 ulelong x \b, 0x%x foffset +>76 ulelong x \b, %#x foffset # form width in bytes like 58 67 156 190 227 317 345 #>80 uleshort x \b, %u fwidth # form height in bytes like 4 8 11 17 26 56 70 90 120 146 150 #>82 uleshort x \b, %u fheight # pointer to the next font like 0 10000h 20000h 30000h 40000h 60000h 80000h E0000h D0000h -#>84 ulelong x \b, 0x%x noffset +#>84 ulelong x \b, %#x noffset # downloadable fonts for browser (prints type) anthon@mnt.org # https://tools.ietf.org/html/rfc3073 @@ -221,7 +281,7 @@ # tag names consist of up to four characters padded with spaces at end like # BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... >>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ] -#>>>0 ubelong x \b, sfnt version 0x%x +#>>>0 ubelong x \b, sfnt version %#x >>>0 ubelong !0x4f54544f TrueType !:mime font/sfnt !:apple ????tfil @@ -253,7 +313,7 @@ #>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET >>&8 ubelong >0x00100000 # offset of name table ->>>&-4 ubelong x \b, name offset 0x%x +>>>&-4 ubelong x \b, name offset %#x # GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h >>&8 ubelong <0x00100000 >>>&-16 ubelong x @@ -284,7 +344,7 @@ >>>>>&-2 ubeshort 1 \b, Macintosh >>>>>&-2 ubeshort 3 \b, Microsoft # languageID (0~english Macintosh, 0409h~english Microsoft, ...) ->>>>>&2 ubeshort >0 \b, language 0x%x +>>>>>&2 ubeshort >0 \b, language %#x # name identifiers # often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ... >>>>>&4 ubeshort >0 \b, type %d string @@ -339,7 +399,7 @@ # 0x44454947 = 'DSIG' >>>&4 belong 0x44534947 \b, digitally signed # offset to 1st font ->>12 ubelong x \b, at 0x%x +>>12 ubelong x \b, at %#x # point to 1st font that starts with sfnt version >>(12.L) use sfnt-font @@ -375,11 +435,14 @@ # https://www.w3.org/TR/WOFF/ 0 string wOFF Web Open Font Format +!:mime font/woff >0 use woff >20 beshort x \b, version %d >22 beshort x \b.%d # https://www.w3.org/TR/WOFF2/ 0 string wOF2 Web Open Font Format (Version 2) +!:mime font/woff2 +!:ext woff2 >0 use woff #>20 belong x \b, totalCompressedSize %d >24 beshort x \b, version %d diff --git a/contrib/file/magic/Magdir/forth b/contrib/file/magic/Magdir/forth index cfbcef55482b..34c918152aec 100644 --- a/contrib/file/magic/Magdir/forth +++ b/contrib/file/magic/Magdir/forth @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: forth,v 1.1 2019/06/06 19:14:20 christos Exp $ +# $File: forth,v 1.4 2021/04/26 15:56:00 christos Exp $ # forth: file(1) magic for various Forth environments # From: Lubomir Rintel <lkundrak@v3.sk> # @@ -16,16 +16,18 @@ 0 regex \^:[[:space:]].*[[:space:]]\\(([[:space:]].*)?\ --\ (.*[[:space:]])?\\)[[:space:]].*[[:space:]];$ FORTH program !:mime text/x-forth -# Various dictionary images used by OpenFirware FORTH environent +# Various dictionary images used by OpenFirware FORTH environment 0 lelong 0xe1a00000 ->8 lelong 0xe1a00000 ARM OpenFirmware FORTH Dictionary, ->>24 lelong x Text length: %d bytes, ->>28 lelong x Data length: %d bytes, ->>32 lelong x Text Relocation Table length: %d bytes, ->>36 lelong x Data Relocation Table length: %d bytes, ->>40 lelong x Entry Point: 0x%08X, ->>44 lelong x BSS length: %d bytes +>8 lelong 0xe1a00000 +# skip raspberry pi kernel image kernel7.img by checking for positive text length +>>24 lelong >0 ARM OpenFirmware FORTH Dictionary, +>>>24 lelong x Text length: %d bytes, +>>>28 lelong x Data length: %d bytes, +>>>32 lelong x Text Relocation Table length: %d bytes, +>>>36 lelong x Data Relocation Table length: %d bytes, +>>>40 lelong x Entry Point: %#08X, +>>>44 lelong x BSS length: %d bytes 0 string MP >28 lelong 1 x86 OpenFirmware FORTH Dictionary, @@ -35,18 +37,18 @@ >>8 leshort x Header length: %d paragraphs, >>10 leshort x Data Size: %d >>12 leshort x - %d 4K pages, ->>14 lelong x Initial Stack Pointer: 0x%08X, ->>20 lelong x Entry Point: 0x%08X, +>>14 lelong x Initial Stack Pointer: %#08X, +>>20 lelong x Entry Point: %#08X, >>24 lelong x First Relocation Item: %d, >>26 lelong x Overlay Number: %d, ->>18 leshort x Checksum: 0x%08X +>>18 leshort x Checksum: %#08X 0 belong 0x48000020 PowerPC OpenFirmware FORTH Dictionary, >4 belong x Text length: %d bytes, >8 belong x Data length: %d bytes, >12 belong x BSS length: %d bytes, >16 belong x Symbol Table length: %d bytes, ->20 belong x Entry Point: 0x%08X, +>20 belong x Entry Point: %#08X, >24 belong x Text Relocation Table length: %d bytes, >28 belong x Data Relocation Table length: %d bytes @@ -55,7 +57,7 @@ >8 lelong x Data length: %d bytes, >12 lelong x BSS length: %d bytes, >16 lelong x Symbol Table length: %d bytes, ->20 lelong x Entry Point: 0x%08X, +>20 lelong x Entry Point: %#08X, >24 lelong x Text Relocation Table length: %d bytes, >28 lelong x Data Relocation Table length: %d bytes @@ -64,17 +66,17 @@ # Weak. #0 short 0x5820 cForth 16-bit Dictionary, -#>2 short x Serial: 0x%08X, -#>4 short x Dictionary Start: 0x%08X, +#>2 short x Serial: %#08X, +#>4 short x Dictionary Start: %#08X, #>6 short x Dictionary Size: %d bytes, -#>8 short x User Area Start: 0x%08X, +#>8 short x User Area Start: %#08X, #>10 short x User Area Size: %d bytes, -#>12 short x Entry Point: 0x%08X +#>12 short x Entry Point: %#08X 0 long 0x581120 cForth 32-bit Dictionary, ->4 long x Serial: 0x%08X, ->8 long x Dictionary Start: 0x%08X, +>4 long x Serial: %#08X, +>8 long x Dictionary Start: %#08X, >12 long x Dictionary Size: %d bytes, ->16 long x User Area Start: 0x%08X, +>16 long x User Area Start: %#08X, >20 long x User Area Size: %d bytes, ->24 long x Entry Point: 0x%08X +>24 long x Entry Point: %#08X diff --git a/contrib/file/magic/Magdir/freebsd b/contrib/file/magic/Magdir/freebsd index a01ac4a28575..66aff6caf2ac 100644 --- a/contrib/file/magic/Magdir/freebsd +++ b/contrib/file/magic/Magdir/freebsd @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $ +# $File: freebsd,v 1.9 2022/01/19 12:44:13 christos Exp $ # freebsd: file(1) magic for FreeBSD objects # # All new-style FreeBSD magic numbers are in host byte order (i.e., @@ -142,3 +142,23 @@ >9 byte 2 %d bytes in header, >>10 byte x %d chars wide by >>11 byte x %d chars high + +# +# FreeBSD kernel minidumps +# +0 string minidump\040FreeBSD/ FreeBSD kernel minidump +# powerpc uses 32-byte magic, followed by 32-byte mmu kind, then version +>17 string powerpc +>>17 string >\0 for %s, +>>>32 string >\0 %s, +>>>>64 byte 0 big endian, +>>>>>64 belong x version %d +>>>>64 default x little endian, +>>>>>64 lelong x version %d +# all other architectures use 24-byte magic, followed by version +>17 default x +>>17 string >\0 for %s, +>>>24 byte 0 big endian, +>>>>24 belong x version %d +>>>24 default x little endian, +>>>>24 lelong x version %d diff --git a/contrib/file/magic/Magdir/fsav b/contrib/file/magic/Magdir/fsav index 7ea094144e70..5c1d6e23dcfd 100644 --- a/contrib/file/magic/Magdir/fsav +++ b/contrib/file/magic/Magdir/fsav @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fsav,v 1.19 2019/04/19 00:42:27 christos Exp $ +# $File: fsav,v 1.22 2021/04/26 15:56:00 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) @@ -35,7 +35,7 @@ #>>>3 ubyte 0x1 #>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures -#>>>>>>11 ubyte x size 0x%02x +#>>>>>>11 ubyte x size %#02x #>>>>>>12 ubyte x \b%02x #>>>>>>13 ubyte x \b%02x bytes @@ -59,7 +59,7 @@ # file: could not find any valid magic files! (No error) >>10 default x (with buildtime) #>>10 default x -# clamtmp is used for temporily database like update process +# clamtmp is used for temporarily database like update process # for pure tar database only cld extension found !:ext cld/cvd/clamtmp/cud >511 default x file @@ -86,16 +86,16 @@ #>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s >>>>>>>>>&1 regex \^[^:]{1,10} # padding with spaces -#>>>>>>>>>>&1 ubequad x \b, padding 0x%16.16llx +#>>>>>>>>>>&1 ubequad x \b, padding %#16.16llx >510 ubyte =0x20 # inspect real database content -#>>512 ubeshort x \b, database MAGIC 0x%x +#>>512 ubeshort x \b, database MAGIC %#x # ./archive handle pure tar archives >>1012 quad =0 \b, with >>>512 use tar-file # not pure tar >>1012 quad !0 -# one space at the end of text and then handles gziped archives by ./compress +# one space at the end of text and then handles gzipped archives by ./compress >>>512 string \037\213 \b, with >>>>512 indirect x diff --git a/contrib/file/magic/Magdir/games b/contrib/file/magic/Magdir/games index 21e5328c5c94..0ccb4acff517 100644 --- a/contrib/file/magic/Magdir/games +++ b/contrib/file/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.20 2020/02/01 16:32:33 christos Exp $ +# $File: games,v 1.31 2023/03/29 22:57:27 christos Exp $ # games: file(1) for games # Fabio Bonelli <fabiobonelli@libero.it> @@ -53,11 +53,11 @@ # dividing this by entry size (64) gives number of files >>>8 ulelong/64 x \b, %u files # offset to the beginning of the file table ->>>4 ulelong x \b, offset 0x%x +>>>4 ulelong x \b, offset %#x # 1st file entry >>>(4.l) use pak-entry # 2nd file entry -#>>>4 ulelong+64 x \b, offset 0x%x +#>>>4 ulelong+64 x \b, offset %#x #>>>(4.l+64) use pak-entry # # display file table entry of Quake PAK archive @@ -65,7 +65,7 @@ # normally entry start after header which implies offset 12 or higher >56 ulelong >11 # the offset from the beginning of pak to beginning of this entry file contents ->>56 ulelong x at 0x%x +>>56 ulelong x at %#x # the size of file for this entry >>60 ulelong x %u bytes # 56 byte null-terminated entry name string includes path like maps/e1m1.bsp @@ -184,6 +184,15 @@ 0 string MComprHD MAME CHD compressed hard disk image, >12 belong x version %u +# MAME input recordings + +0 string MAMEINP\0 MAME input recording +>8 leqdate x at %s, +>16 leshort x format version %d. +>18 leshort x \b%d, +>20 string x %s driver, +>32 string x %s + # doom - submitted by Jon Dowland 0 string =IWAD doom main IWAD data @@ -276,7 +285,7 @@ # Summary: NetImmerse game engine file # Extension .nif # Created by: Abel Cheung <abelcheung@gmail.com> -0 string NetImmerse\ File\ Format,\ Versio +0 string NetImmerse\ File\ Format,\ Version >&0 string n\ NetImmerse game engine file >>&0 regex [0-9a-z.]+ \b, version %s @@ -293,12 +302,92 @@ >2 regex/c GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package -# -0 lelong 0x9E2A83C1 Unreal Engine Package, ->4 leshort x version: %i ->12 lelong !0 \b, names: %i ->28 lelong !0 \b, imports: %i ->20 lelong !0 \b, exports: %i +# URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html +# https://eliotvu.com/page/unreal-package-file-format +# Little-endian version (such as x86 PC) +0 lelong 0x9E2A83C1 Unreal Engine package (little-endian) +!:ext xxx/tfc/upk/me1/u +>4 uleshort !0 \b, version %u +>>6 uleshort !0 \b/%03u +>>0 use upk_header +# Big-endian version (such as PS3) +0 belong 0x9E2A83C1 Unreal Engine package (big-endian) +!:ext xxx/tfc +>6 ubeshort !0 \b, version %u +>>4 ubeshort !0 \b/%03u +>>0 use \^upk_header + +0 name upk_header +# Identify game from version and licensee +>4 ulelong 0x000002b2 (Alice Madness Returns) +>4 ulelong 0x002f0313 (Aliens: Colonial Marines) +>4 ulelong 0x005b021b (Alpha Protocol) +>4 ulelong 0x0000032c (AntiChamber) +>4 ulelong 0x00200223 (APB: All Points Bulletin) +>4 ulelong 0x004b02d7 (Bioshock Infinite) +>4 ulelong 0x00380340 (Borderlands 2) +>4 ulelong 0x001d02e6 (Bulletstorm) +>4 ulelong 0x00050240 (CrimeCraft) +>4 ulelong 0x00000356 (Deadlight) +>4 ulelong 0x001e0321 (Dishonored) +>4 ulelong 0x000202a6 (Dungeon Defenders) +>4 ulelong 0x000901ea (Gears of War) +>4 ulelong 0x0000023f (Gears of War 2) +>4 ulelong 0x0000033c (Gears of War 3) +>4 ulelong 0x0000034e (Gears of War: Judgement) +>4 ulelong 0x0004035c (Hawken) +>4 ulelong 0x0001034a (Infinity Blade 2) +>4 ulelong 0x00000350 (InMomentum) +>4 ulelong 0x0015037D (Life Is Strange) +>4 ulelong 0x000b01a5 (Medal of Honor: Airborne) +>4 ulelong 0x002b0218 (Mirrors Edge) +>4 ulelong 0x0000027e (Monday Night Combat) +>4 ulelong 0x0000024b (MoonBase Alpha) +>4 ulelong 0x002e01d8 (Mortal Kombat Komplete Edition 2605) +>4 ulelong 0x0000035c (Painkiller HD) +>4 ulelong 0x0000034d (Q.U.B.E) +>4 ulelong 0x80660340 (Quantum Conundrum) +>4 ulelong 0x0000035b (Ravaged) +>4 ulelong 0x00150340 (Remember Me) +>4 ulelong 0x00060171 (Roboblitz) +>4 ulelong 0x00000325 (Rock of Ages) +>4 ulelong 0x0000032a (Sanctum) +>4 ulelong 0x00030248 (Saw) +>4 ulelong 0x007e0248 (Singularity) +>4 ulelong 0x00090388 (Soldier Front 2) +>4 ulelong 0x000701e6 (Stargate Worlds) +>4 ulelong 0x00000334 (Super Monday Night Combat) +>4 ulelong 0x000002c2 (The Ball) +>4 ulelong 0x000e0262 (The Exiled Realm of Arborea or TERA) +>4 ulelong 0x0000035b (The Five Cores) +>4 ulelong 0x00000349 (The Haunted: Hells Reach) +>4 ulelong 0x00000354 (Unmechanical) +>4 ulelong 0x035c0298 (Unreal Development Kit) +>4 ulelong 0x00000200 (Unreal Tournament 3) +>4 ulelong 0x0000032d (Waves) +>4 ulelong 0x003b034d (XCOM: Enemy Unknown) +# Newer versions insert more headers +>4 ulelong&0xFFFF <249 +>>12 lelong !0 \b, names: %d +>>28 lelong !0 \b, imports: %d +>>20 lelong !0 \b, exports: %d +>4 ulelong&0xFFFF >248 +>>12 belong&0xFF !0 +>>>12 string x \b, folder "%s" +>>>>&5 lelong !0 \b, names: %d +>>>>&21 lelong !0 \b, imports: %d +>>>>&13 lelong !0 \b, exports: %d +>>12 belong&0xFF 0 +>>>16 belong&0xFF !0 +>>>>16 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d +>>>16 belong&0xFF 0 +>>>>20 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d 0 string ESVG >4 lelong 0x00160000 @@ -313,3 +402,295 @@ >>12 regex [0-9a-z.]+ saved by game version %s 0 string CIV6 Sid Meier's Civilization VI saved game + +# https://syzygy-tables.info/ +# From Michel Van den Bergh +0 string \327f\f\245 Syzygy DTZ tablebase +!:mime application/syzygy +0 string q\350#] Syzygy WDL tablebase +!:mime application/syzygy + +############################################################################## +# Grand Theft Auto (GTA) file formats. +# +# Summary: +# Includes GTA-specific formats used in all games from 1997 to present. Games +# and formats were created by Rockstar North, formerly DMA Design. Magic tests +# were written based on a combination of official and community documentation. +# +# Created by: Oliver Galvin <odg@riseup.net> +# +# References: +# * Classic GTA documentation and research: +# <https://gitlab.com/classic-gta/gta-data> +# * Official RenderWare documentation available from EA: +# <https://github.com/electronicarts/RenderWare3Docs> +# * Lots of community research in the GTAMods wiki: +# <https://gtamods.com/wiki> + +# GTA 2D-Era data - 'Classic' top down games (1/L/2) + +## GTA text + +0 string \xbf\xf8\xbd\x49\x62\xbe GTA1 in-game text (FXT), +0 string GBL GTA2 in-game text (GXT), +>3 string E English, +>>4 uleshort x version %d +>3 string F French, +>>4 uleshort x version %d +>3 string G German, +>>4 uleshort x version %d +>3 string I Italian, +>>4 uleshort x version %d +>3 string S Spanish, +>>4 uleshort x version %d +>3 string J Japanese, +>>4 uleshort x version %d + +## GTA maps + +0 ulelong 331 GTA1 map layout (CMP), +>4 byte 1 Level 1 +>4 byte 2 Level 2 +>4 byte 3 Level 3 +0 string GBMP GTA2/GBH map layout (GMP), +>4 uleshort x version %d +0 string/t [MapFiles] GTA2 multiplayer map metadata (MMP) +0 string/t MainOrBonus\ =\ MAIN GTA2 single player map listing (test1.seq) + +## GTA 2D sprites and textures + +0 ulelong 290 GTA1 style data (GRX), 8 bit editor graphics +0 ulelong 325 GTA1 style data (GRY), 8 bit in-game graphics +0 ulelong 336 GTA1 style data (G24), 24 bit in-game graphics +0 string GBST GTA2/GBH style data (STY), in-game graphics, +>4 uleshort x version %d + +## GTA audio index + +0 ulelong 0 +>4 ulelong <0x40000 +>>8 ulelong >4500 +>>>8 ulelong <45000 GTA audio index data (SDT) + +## GTA scripts + +0 ulelong 0x00080000 +>4 uleshort 0x0024 GTA2 binary main script (SCR) + +0 uleshort 0x063c GTA2 binary mission script (SCR), Residential area (ste) +0 uleshort 0x055b GTA2 binary mission script (SCR), Downtown area (wil) +0 uleshort 0x0469 GTA2 binary mission script (SCR), Industrial area (bil) + +0 string v9.6\0\0 GTA2 replay file (REP), +>8 regex/30c [a-z0-9:\ ]+\0\0 created on %s + +# GTA 3D-Era (III/VC/SA/LCS/VCS) - used by the RenderWare engine by Criterion Games + +## GTA 3D models and textures - RenderWare binary streams + +8 ulelong 0x00000310 RenderWare data, v3.1.0.0, used in GTA III on PS2, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0401ffff RenderWare data, v3.1.0.1, used in GTA III on PC/PS2, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0800ffff RenderWare data, v3.2.0.0, used in GTA III on PC, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0c00ffff RenderWare data, v3.3.0.0, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x0c02ffff RenderWare data, v3.3.0.2, used in GTA III PC and GTA VC PS2, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1000ffff RenderWare data, v3.4.0.0, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1003ffff RenderWare data, v3.4.0.3, used in GTA VC PC, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1005ffff RenderWare data, v3.4.0.5, used in GTA III/VC on Android, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1400ffff RenderWare data, v3.5.0.0, used in GTA III/VC on Xbox, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) +8 ulelong 0x1803ffff RenderWare data, v3.6.0.3, used in GTA SA, +>0 ulelong 0x00000016 texture archive (TXD) +>0 ulelong 0x00000010 3D models (DFF) + +0 string COL RenderWare collision data (COL), +>3 string L version 1, used in GTA III/VC/SA +>3 string 2 version 2, used in GTA SA +>3 string 3 version 3, used in GTA SA +>3 string 4 version 4, used in GTA SA + +## GTA items and animations + +0 string/c #\ ipl\ generated\ from\ max\ file GTA Item Placement data (IPL), used in GTA III/VC +0 string/b bnry GTA Item Placement data (IPL), used in GTA SA/IV, +>4 ulelong x %d items + +0 string ANP GTA animation data (IFP), +>3 string K version 1, used in GTA III/VC +>3 string 3 version 2, used in GTA SA + +0 string GtaSA29 GTA Replay data (REP), used in GTA SA + +## GTA text + +0 string TKEY GTA in-game text (GXT), version 2, used in GTA III +0 string TABL GTA in-game text (GXT), version 3, used in GTA VC/LS/VCS + +## GTA scripts + +0 string \x02\x00\x01 GTA script (SCM), used in GTA III/VC/SA + +## GTA archives + +0 string VER2 GTA archive (IMG), version 2, used in GTA SA, +>4 ulelong x %d items + +# GTA HD-Era (IV/V) - used by the Rockstar Advanced Game Engine (RAGE) + +## GTA models and textures - RAGE resources +# Note: GTA IV formats not yet documented - WAD, WBD, WBN, WHM, WPL + +0 ulelong 0x00695254 GTA Drawable data (WDR), model and weapon data, used in GTA IV +0 ulelong 0x00695238 GTA Windows Frag Type (WFT), vehicle models, used in GTA IV +0 ulelong 0x006953A4 GTA Ped and LOD models (WDD), used in GTA IV +0 ulelong 0x00695384 GTA Windows Texture Dictionary (WTD), used in GTA IV + +## GTA text + +4 string TABL GTA in-game text (GXT), +>0 uleshort x version %d, used in GTA SA/IV +0 string 2GXT GTA in-game text (GXT2), used in GTA V + +## GTA scripts + +0 ulelong 0x0d524353 GTA script (SCO), unencrypted, used in GTA IV, +>4 ulelong x %d code bytes, +>>8 ulelong x %d static variables, +>>>12 ulelong x %d global variables +0 ulelong 0x0e726373 GTA script (SCO), encrypted, used in GTA IV +>4 ulelong x %d code bytes, +>>8 ulelong x %d static variables, +>>>12 ulelong x %d global variables + +## GTA archives + +0 ulelong 0xa94e2a52 GTA archive (IMG), +>4 ulelong x version %d, used in GTA IV, +>>8 ulelong x %d items + +# RPF[0-8] +0 ulelong&0xfffffff0 =0x52504630 +>0 ulelong&0xf <9 RAGE Package Format (RPF), version %d, used in +>>0 ulelong&0xf =0 Rockstar Table Tennis, +>>0 ulelong&0xf =1 *unknown* +>>0 ulelong&0xf =2 GTA IV, +>>0 ulelong&0xf =3 GTA IV Audio & Midnight Club: LA, +>>0 ulelong&0xf =4 Max Payne 3, +>>0 ulelong&0xf =5 *unknown* +>>0 ulelong&0xf =6 RDR, +>>0 ulelong&0xf =7 GTA V, +>>0 ulelong&0xf =8 RDR 2, +>>4 ulelong x %d bytes, +>>>8 ulelong x %d entries + +# Blitz3D Model File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/B3DExport/blob/master/B3DExport.py +0 string BB3D +>4 lelong >0 +>>8 lelong >0 Blitz3D Model +!:ext b3d +>>>8 lelong x \b, version %d + +# Minetest Schematic File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/minetest/blob/5.6.1/src/mapgen/mg_schematic.h +0 string MTSM Minetest Schematic +!:ext mts +>4 ubeshort x \b, version %d +>6 ubeshort x \b, size [%d +>8 ubeshort x \b, %d +>10 ubeshort x \b, %d] + +# MagicaVoxel File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/ephtracy/voxel-model/blob/ee2216c28a78ebb68691dc6cfa9c4ba429117ea2/MagicaVoxel-file-format-vox.txt +# Note: This format is used in Veloren voxel RPG. +0 string VOX\x20 +>4 lelong >0 MagicaVoxel model +!:ext vox +>>4 lelong x \b, version %d + +# Wwise SoundBank +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_SoundBank_(*.bnk) +0 string BKHD +# Little-endian version (such as x86 PC) +>4 ulelong <0x100 Wwise SoundBank (little-endian) +!:ext bnk +>>0 use wwise_bkhd +# Big-endian version (such as PS3) +>4 ubelong <0x100 Wwise SoundBank (big-endian) +!:ext bnk +>>0 use \^wwise_bkhd + +0 name wwise_bkhd +>8 ulelong x \b, version %d +>12 ulelong x \b, id %08X +>16 ulelong =0x00 \b, SFX +>16 ulelong =0x01 \b, arabic +>16 ulelong =0x02 \b, bulgarian +>16 ulelong =0x03 \b, chinese (HK) +>16 ulelong =0x04 \b, chinese (PRC) +>16 ulelong =0x05 \b, chinese (Taiwan) +>16 ulelong =0x06 \b, czech +>16 ulelong =0x07 \b, danish +>16 ulelong =0x08 \b, dutch +>16 ulelong =0x09 \b, english (Australia) +>16 ulelong =0x0A \b, english (India) +>16 ulelong =0x0B \b, english (UK) +>16 ulelong =0x0C \b, english (US) +>16 ulelong =0x0D \b, finnish +>16 ulelong =0x0E \b, french (Canada) +>16 ulelong =0x0F \b, french (France) +>16 ulelong =0x10 \b, german +>16 ulelong =0x11 \b, greek +>16 ulelong =0x12 \b, hebrew +>16 ulelong =0x13 \b, hungarian +>16 ulelong =0x14 \b, indonesian +>16 ulelong =0x15 \b, italian +>16 ulelong =0x16 \b, japanese +>16 ulelong =0x17 \b, korean +>16 ulelong =0x18 \b, latin +>16 ulelong =0x19 \b, norwegian +>16 ulelong =0x1A \b, polish +>16 ulelong =0x1B \b, portuguese (Brazil) +>16 ulelong =0x1C \b, portuguese (Portugal) +>16 ulelong =0x1D \b, romanian +>16 ulelong =0x1E \b, russian +>16 ulelong =0x1F \b, slovenian +>16 ulelong =0x20 \b, spanish (Mexico) +>16 ulelong =0x21 \b, spanish (Spain) +>16 ulelong =0x22 \b, spanish (US) +>16 ulelong =0x23 \b, swedish +>16 ulelong =0x24 \b, turkish +>16 ulelong =0x25 \b, ukrainian +>16 ulelong =0x26 \b, vietnamese + +# Wwise Audio Package +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_Audio_PCK +0 string AKPK +# Little-endian version (such as x86 PC) +>8 ulelong <0x100 Wwise Audio Package (little-endian) +!:ext pck +# Big-endian version (such as PS3) +>8 ubelong <0x100 Wwise Audio Package (big-endian) +!:ext pck diff --git a/contrib/file/magic/Magdir/gentoo b/contrib/file/magic/Magdir/gentoo new file mode 100644 index 000000000000..f988047ad400 --- /dev/null +++ b/contrib/file/magic/Magdir/gentoo @@ -0,0 +1,85 @@ +#------------------------------------------------------------------------------ +# $File: gentoo,v 1.5 2022/12/26 17:16:55 christos Exp $ +# gentoo: file(1) magic for gentoo specific formats +# +# Summary: Gentoo ebuild Manifest files (GLEP 74) +# Reference: https://www.gentoo.org/glep/glep-0074.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +# Start by doing a fast check for the most common tags. +0 string AUX +>0 use gentoo-manifest +0 string DATA +>0 use gentoo-manifest +0 string DIST +>0 use gentoo-manifest +0 string EBUILD +>0 use gentoo-manifest +0 string MANIFEST +>0 use gentoo-manifest + +# Manifest can be PGP-signed. +0 string -----BEGIN\040PGP\040SIGNED\040MESSAGE----- +>34 search/32 \n\n +>>&0 string AUX +>>>&0 use gentoo-manifest +>>&0 string DATA +>>>&0 use gentoo-manifest +>>&0 string DIST +>>>&0 use gentoo-manifest +>>&0 string EBUILD +>>>&0 use gentoo-manifest +>>&0 string MANIFEST +>>>&0 use gentoo-manifest + +# Use a more detailed regex to verify that we were correct. +# <tag> <filename> <size> <hash-name> <hash-value>... +# (<tag>'s already been matched prior to calling) +0 name gentoo-manifest +>&0 regex [[:space:]]+[[:print:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+[[:space:]]+[[:xdigit:]]{32} Gentoo Manifest (GLEP 74) +!:mime application/vnd.gentoo.manifest + +# Summary: Gentoo ebuild and eclass files +# Reference: https://projects.gentoo.org/pms/8/pms.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +0 search/512 EAPI= +>0 regex .*\n[\040\t]*EAPI=["']? Gentoo ebuild +>>&0 regex [[:alnum:]+_.-]+ \b, EAPI %s +!:mime application/vnd.gentoo.ebuild + +0 search/512 @ECLASS:\040 Gentoo eclass +>&0 string x %s +!:mime application/vnd.gentoo.eclass + +# Summary: Gentoo supplementary package and category metadata files +# Reference: https://www.gentoo.org/glep/glep-0068.html +# Submitted by: Michal Gorny <mgorny@gentoo.org> +0 string \<?xml +>0 search/512 \<catmetadata Gentoo category metadata file +!:mime application/vnd.gentoo.catmetadata+xml +>0 search/512 \<pkgmetadata Gentoo package metadata file +!:mime application/vnd.gentoo.pkgmetadata+xml + +# Summary: Gentoo GLEP 78 binary package +# Reference: https://www.gentoo.org/glep/glep-0078.html +# Note: assumes the strict format +# Submitted by: Michal Gorny <mgorny@gentoo.org> + +# GPKG uses ustar (or ustar-compatible GNU format) that starts with +# a <directory>/gpkg-1 file +257 string ustar +>0 search/100 /gpkg-1\0 +>>0 regex [^/]+ Gentoo GLEP 78 (GPKG) binary package for "%s" +!:mime application/vnd.gentoo.gpkg +!:ext tar +# the logic below requires the gpkg-1 file to be empty +>>>124 string 00000000000\0 +# determine the compression used by looking at the second member name +>>>>512 search/100 .tar. +>>>>>&0 string gz\0 using gzip compression +>>>>>&0 string bz2\0 using bzip2 compression +>>>>>&0 string lz\0 using lzip compression +>>>>>&0 string lz4\0 using lz4 compression +>>>>>&0 string lzo\0 using lzo compression +>>>>>&0 string xz\0 using xz compression +>>>>>&0 string zst\0 using zstd compression +>>>>(636.o+1024) search/611 .sig\0 \b, signed diff --git a/contrib/file/magic/Magdir/geo b/contrib/file/magic/Magdir/geo index d72e514a2338..1fde25e57be2 100644 --- a/contrib/file/magic/Magdir/geo +++ b/contrib/file/magic/Magdir/geo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.7 2019/04/19 00:42:27 christos Exp $ +# $File: geo,v 1.10 2022/10/31 13:22:26 christos Exp $ # Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> ###################################################################### @@ -28,8 +28,8 @@ # Knudsen subbottom chirp profiler - Binary File Format: B9 # KEB D409-03167 V1.75 Huffman 0 string KEB\ Knudsen seismic KEL binary (KEB) - ->4 regex [-A-Z0-9]* Software: %s ->>&1 regex V[0-9]*\.[0-9]* version %s +>4 regex [-A-Z0-9]+ Software: %s +>>&1 regex V[0-9]+\\.[0-9]+ version %s ###################################################################### # @@ -40,7 +40,7 @@ # Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data 0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar ->4 regex [0-9]*\.[0-9]* version %s +>4 regex [0-9]+\\.[0-9]+ version %s 0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data >3 byte x version %d . @@ -54,7 +54,43 @@ ###################################################################### # GeoAcoustics - GeoSwath Plus -4 beshort 0x2002 GeoSwath RDF +# Update: Joerg Jenderek +# URL: https://www.mbari.org/products/research-software/mb-system/ +# Reference: http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/ +# GS%2B-6063-BB-GS%2B-Broadcast-Raw-Data-File-Format-Command-Specification.pdf +# Note: All data is written using Intel 80x86 byte ordering (LSB to MSB) +# raw_header_siz; file header size is 544 bytes +4 beshort 0x2002 +# GRR: line above is too general as it matches also some Microsoft Event Trace Logs *.ETL +# skip many (63/753) Microsoft Event Trace Logs (AMSITrace.etl lxcore_kernel.etl NotificationUxBroker.052.etl WindowsBackup.4.etl) with invalid "low" ping header size 0 +>6 leshort >0 GeoSwath RDF +# skip foo samples with invalid "high" spare bytes +#>>536 ulequad =0 OK_THIS_IS_GeoSwath_RDF +#!:mime application/octet-stream +!:mime application/x-geoswath-rdf +# http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/060116342.rdf +!:ext rdf +# filename; original file name like: "C:\GS+\Projects\Default\Raw Data Files\060116342.rdf" +>>8 string x "%-.512s" +# version[8]; recording software version number like: 3.16c +>>527 string x \b, version %-.8s +# creation; unsigned int file creation time; WHAT time format is this? +>>0 ulelong x \b, creation time %#8.8x +# raw_ping_header_size; size of ping header in bytes like: 64 +>>6 leshort !64 \b, ping header size %d +# frequency; system frequency in hertz like: 500000 +>>520 lelong x \b, frequency %d +# echo_type; Echosounder type index like: 1 +>>524 leshort x \b, echo type %#x +# file_mode; file mode mask (0x00 bathy & sidescan, 0x80 bathy, 0x40 sidescan, 0x20 seismic) +>>526 ubyte !0 \b, file mode %#2.2x +# pps_mode; PPS synch mode like: 2 +>>535 byte x \b, pps mode %#x +# char spare[8]; apparently zeroed +>>536 ubequad !0 \b, spare %#16.16llx +# Ping_number; 1st ping number like: 4944 +>>544 lelong x \b, 1st ping number %d + 0 string Start:- GeoSwatch auf text file # Seabeam 2100 @@ -69,7 +105,7 @@ # mb121 https://www.saic.com/maritime/gsf/ 8 string GSF-v SAIC generic sensor format (GSF) sonar data, ->&0 regex [0-9]*\.[0-9]* version %s +>&0 regex [0-9]+\\.[0-9]+ version %s # MGD77 - https://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm # mb161 @@ -88,7 +124,7 @@ # ###################################################################### -# IVS - IVS3d.com Tagged Data Represetation +# IVS - IVS3d.com Tagged Data Representation 0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file # http://www.ecma-international.org/publications/standards/Ecma-363.htm diff --git a/contrib/file/magic/Magdir/git b/contrib/file/magic/Magdir/git index 4087fcd8de4b..67eab32a663a 100644 --- a/contrib/file/magic/Magdir/git +++ b/contrib/file/magic/Magdir/git @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: git,v 1.1 2019/10/04 18:46:29 christos Exp $ +# $File: git,v 1.2 2020/08/09 16:57:15 christos Exp $ # git: file(1) magic for Git objects 0 string blob\040 ->5 regex [0-9]+ Git blob %s +>5 regex [0-9a-f]+ Git blob %s 0 string tree\040 ->5 regex [0-9]+ Git tree %s +>5 regex [0-9a-f]+ Git tree %s 0 string commit\040 ->7 regex [0-9]+ Git commit %s +>7 regex [0-9a-f]+ Git commit %s diff --git a/contrib/file/magic/Magdir/gnome b/contrib/file/magic/Magdir/gnome index 2905340c7e06..7a45d1d586ef 100644 --- a/contrib/file/magic/Magdir/gnome +++ b/contrib/file/magic/Magdir/gnome @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnome,v 1.6 2019/04/19 00:42:27 christos Exp $ +# $File: gnome,v 1.7 2020/06/23 16:17:08 christos Exp $ # GNOME related files # Contributed by Josh Triplett @@ -55,5 +55,5 @@ 0 string GOBJ\nMETADATA\r\n\032 G-IR binary database >16 byte x \b, v%d >17 byte x \b.%d ->20 leshort x \b, %d entries ->22 leshort x \b/%d local +>20 short x \b, %d entries +>22 short x \b/%d local diff --git a/contrib/file/magic/Magdir/gnu b/contrib/file/magic/Magdir/gnu index 29f0b05e1c08..761d657c4e84 100644 --- a/contrib/file/magic/Magdir/gnu +++ b/contrib/file/magic/Magdir/gnu @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnu,v 1.22 2020/04/09 19:11:58 christos Exp $ +# $File: gnu,v 1.24 2021/04/26 15:56:00 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format @@ -33,48 +33,48 @@ # size of hashing table #>20 ulelong x \b, %u hash #>20 ulelong >1 \bes -#>24 ulelong x at 0x%x -# for revsion x.0 offset of table with originals is 1Ch if directly after header +#>24 ulelong x at %#x +# for revision x.0 offset of table with originals is 1Ch if directly after header >4 ulelong&0x0000FFff =0 ->>12 ulelong !0x1C \b, at 0x%x string table +>>12 ulelong !0x1C \b, at %#x string table # but for x.1 table offset i found is 30h. That means directly after bigger header >4 ulelong&0x0000FFff >0 ->>12 ulelong !0x30 \b, at 0x%x string table +>>12 ulelong !0x30 \b, at %#x string table # The following variables are only used in .mo files with minor revision >= 1 # number of system dependent segments #>>28 ulelong x \b, %u segment #>>28 ulelong >1 \bs # offset of table describing system dependent segments -#>>32 ulelong x at 0x%x +#>>32 ulelong x at %#x # number of system dependent strings pairs >>36 ulelong x \b, %u sysdep message >>36 ulelong >1 \bs # offset of table with start offsets of original sysdep strings -#>>40 ulelong x \b, at 0x%x sysdep strings +#>>40 ulelong x \b, at %#x sysdep strings # offset of table with start offsets of translated sysdep strings -#>>44 ulelong x \b, at 0x%x sysdep translations -# >>(44.l) ulelong x 0x%x chars -# >>>&0 ulelong x at 0x%x +#>>44 ulelong x \b, at %#x sysdep translations +# >>(44.l) ulelong x %#x chars +# >>>&0 ulelong x at %#x # >>>>(&-4) string x "%s" # string table after big header -#>>48 ubequad x \b, string table 0x%llx +#>>48 ubequad x \b, string table %#llx # # 0th string length seems to be always 0 #>(12.l) ulelong x \b, %u chars -#>>&0 ulelong x at 0x%x -# if 1st string length positiv inspect offset and string +#>>&0 ulelong x at %#x +# if 1st string length positive inspect offset and string #>(12.l+8) ulelong >0 \b, %u chars -#>>&0 ulelong x at 0x%x -# if 2nd string length positiv inspect offset and string +#>>&0 ulelong x at %#x +# if 2nd string length positive inspect offset and string # >(12.l+16) ulelong >0 \b, %u chars -# >>&0 ulelong x at 0x%x +# >>&0 ulelong x at %#x # skip newline byte #>>>(&-4) ubyte =0x0A #>>>>&0 string x "%s" #>>>(&-4) ubyte !0x0A #>>>>&-1 string x '%s' # offset of table with translation strings -#>16 ulelong x \b, at 0x%x translation table +#>16 ulelong x \b, at %#x translation table # check translation 0 length and offset >(16.l) ulelong >0 >>&0 ulelong x @@ -100,11 +100,11 @@ # TODO: for big endian use same code as for little endian #>0 use \^gettext-object # DEBUG code -#>16 ubelong x \b, at 0x%x translation table -#>(16.L) ubelong x 0x%x chars -#>>&0 ubelong x at 0x%x +#>16 ubelong x \b, at %#x translation table +#>(16.L) ubelong x %#x chars +#>>&0 ubelong x at %#x # unexpected value HERE! -#>>>(&-4) ubequad x 0x%llx +#>>>(&-4) ubequad x %#llx # >4 beshort x revision %d. >6 beshort >0 \b%d, diff --git a/contrib/file/magic/Magdir/gpt b/contrib/file/magic/Magdir/gpt index 76a223c3a030..c2fd51c0dcb6 100644 --- a/contrib/file/magic/Magdir/gpt +++ b/contrib/file/magic/Magdir/gpt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $ +# $File: gpt,v 1.5 2020/12/12 20:01:47 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) @@ -12,7 +12,7 @@ # This is kept separate, so that MBR partitions are not reported as well. # (use -k if you do want them as well) -# First, detect the MBR partiton table +# First, detect the MBR partition table # If more than one GPT protective MBR partition exists, don't print anything # (the other MBR detection code will then just print the MBR partition table) 0x1FE leshort 0xAA55 diff --git a/contrib/file/magic/Magdir/gpu b/contrib/file/magic/Magdir/gpu index 62e30d0f7a25..36d712443ba0 100644 --- a/contrib/file/magic/Magdir/gpu +++ b/contrib/file/magic/Magdir/gpu @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gpu,v 1.2 2017/03/23 22:11:53 christos Exp $ +# $File: gpu,v 1.3 2021/04/26 15:56:00 christos Exp $ # gpu: file(1) magic for GPU input files # Standard Portable Intermediate Representation (SPIR) @@ -8,12 +8,12 @@ # Typical file extension: .spv 0 belong 0x07230203 Khronos SPIR-V binary, big-endian ->4 belong x \b, version 0x%08x ->8 belong x \b, generator 0x%08x +>4 belong x \b, version %#08x +>8 belong x \b, generator %#08x 0 lelong 0x07230203 Khronos SPIR-V binary, little-endian ->4 lelong x \b, version 0x%08x ->8 lelong x \b, generator 0x%08x +>4 lelong x \b, version %#08x +>8 lelong x \b, generator %#08x # Vulkan Trace file # Documentation: diff --git a/contrib/file/magic/Magdir/guile b/contrib/file/magic/Magdir/guile deleted file mode 100644 index 99f837133c7c..000000000000 --- a/contrib/file/magic/Magdir/guile +++ /dev/null @@ -1,13 +0,0 @@ - -#------------------------------------------------------------------------------ -# $File: guile,v 1.2 2019/04/19 00:42:27 christos Exp $ -# Guile file magic from <dalepsmith@gmail.com> -# https://www.gnu.org/s/guile/ -# https://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 - -0 string GOOF---- Guile Object ->8 string LE \b, little endian ->8 string BE \b, big endian ->11 string 4 \b, 32bit ->11 string 8 \b, 64bit ->13 regex .\.. \b, bytecode v%s diff --git a/contrib/file/magic/Magdir/hitachi-sh b/contrib/file/magic/Magdir/hitachi-sh index 18d83844515f..f64489f7fcf6 100644 --- a/contrib/file/magic/Magdir/hitachi-sh +++ b/contrib/file/magic/Magdir/hitachi-sh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hitachi-sh,v 1.9 2018/08/21 12:48:41 christos Exp $ +# $File: hitachi-sh,v 1.10 2020/12/12 20:01:47 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF @@ -16,7 +16,7 @@ # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags >18 ubeshort&0x8E80 0 # use big endian variant of subroutine to display name+variables+flags -# for common object formated files +# for common object formatted files >>0 use \^display-coff !:strength -10 @@ -24,7 +24,7 @@ # test for unused flag bits in f_flags >18 uleshort&0x8E80 0 # use little endian variant of subroutine to -# display name+variables+flags for common object formated files +# display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 diff --git a/contrib/file/magic/Magdir/human68k b/contrib/file/magic/Magdir/human68k index b3d66ce5d089..707c74098b88 100644 --- a/contrib/file/magic/Magdir/human68k +++ b/contrib/file/magic/Magdir/human68k @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: human68k,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File: human68k,v 1.6 2021/04/26 15:56:00 christos Exp $ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats # Magic too short! #0 string HU Human68k @@ -12,7 +12,7 @@ #>(8.L+66) string #HUPAIR hupair #>0 string HU X executable #>(8.L+74) string #LIBCV1 - linked PD LIBC ver 1 -#>4 belong >0 - base address 0x%x +#>4 belong >0 - base address %#x #>28 belong >0 not stripped #>32 belong >0 with debug information #0 beshort 0x601a Human68k Z executable diff --git a/contrib/file/magic/Magdir/ibm370 b/contrib/file/magic/Magdir/ibm370 index a49b28f5db80..dc976f8705ea 100644 --- a/contrib/file/magic/Magdir/ibm370 +++ b/contrib/file/magic/Magdir/ibm370 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $ +# $File: ibm370,v 1.11 2021/03/14 16:51:45 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". @@ -46,3 +46,7 @@ 0 beshort 0535 SVR2 executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %d + +# NETDATA (https://en.wikipedia.org/wiki/NETDATA) +# -\INMR01 In EBCDIC +0 string \x60\xe0\xc9\xd5\xd4\xd9\xf0\xf1 IBM NETDATA file diff --git a/contrib/file/magic/Magdir/ibm6000 b/contrib/file/magic/Magdir/ibm6000 index 2112e71652d3..724b64d3a5eb 100644 --- a/contrib/file/magic/Magdir/ibm6000 +++ b/contrib/file/magic/Magdir/ibm6000 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.14 2019/03/07 17:21:54 christos Exp $ +# $File: ibm6000,v 1.15 2021/07/03 14:01:46 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -10,7 +10,9 @@ #>2 byte 0x50 pure #>28 belong >0 not stripped #>6 beshort >0 - version %ld +# GRR: line below is too general as it matches also TTComp archive, ASCII, 1K handled by ./archive 0 beshort 0x0104 shared library +# GRR: line below is too general as it matches also TTComp archive, ASCII, 2K handled by ./archive 0 beshort 0x0105 ctab data 0 beshort 0xfe04 structured file 0 string 0xabcdef AIX message catalog diff --git a/contrib/file/magic/Magdir/icc b/contrib/file/magic/Magdir/icc index a8b57864bf0d..15fd76b8d512 100644 --- a/contrib/file/magic/Magdir/icc +++ b/contrib/file/magic/Magdir/icc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: icc,v 1.6 2019/11/15 21:03:14 christos Exp $ +# $File: icc,v 1.7 2021/04/26 15:56:00 christos Exp $ # icc: file(1) magic for International Color Consortium file formats # @@ -123,9 +123,9 @@ # seconds <= 59 >>>>>34 ubeshort x \b:%.2u # vendor specific flags like 2 in HPCLJ5.ICM ->>>44 ubeshort >0 \b, 0x%x vendor flags +>>>44 ubeshort >0 \b, %#x vendor flags # profile flags bits 0-2 of least 16 used by ICC -#>>>44 ubelong >0 \b, 0x%x flags +#>>>44 ubelong >0 \b, %#x flags # icEmbeddedProfileTrue >>>44 ubelong &1 \b, embedded # icEmbeddedProfileFalse @@ -138,9 +138,9 @@ #>>>44 ubelong ^4 \b, no MCS # vendor specific device attributes 1~srgb.icc # E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM ->>>56 ubelong >0 \b, 0x%x vendor attribute +>>>56 ubelong >0 \b, %#x vendor attribute # ICC device attributes bits 0-7 used -#>>>60 ubelong x \b, 0x%x attribute +#>>>60 ubelong x \b, %#x attribute # http://www.color.org/icc34.h >>>60 ubelong &0x01 \b, transparent #>>>60 ubelong ^0x01 \b, reflective @@ -159,7 +159,7 @@ >>>60 ubelong &0x80 \b, self-luminous #>>>60 ubelong ^0x80 \b, non-self-luminous # rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM ->>>64 ubelong >3 \b, 0x%x rendering intent +>>>64 ubelong >3 \b, %#x rendering intent #>>>64 ubelong =0 \b, perceptual >>>64 ubelong =1 \b, relative colorimetric >>>64 ubelong =2 \b, saturation @@ -168,16 +168,16 @@ >>>71 ubequad !0xd6000100000000d3 \b, PCS # usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found # often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm ->>>>68 ubelong !0x0000f6d5 X=0x%x +>>>>68 ubelong !0x0000f6d5 X=%#x # usually Y=1.0~00010000h but Y=0 in brmsl07f.icm ->>>>72 ubelong !0x00010000 Y=0x%x +>>>>72 ubelong !0x00010000 Y=%#x # usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found # D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm ->>>>76 ubelong !0x0000d32d Z=0x%x +>>>>76 ubelong !0x0000d32d Z=%#x # Profile ID. MD5 fingerprinting method as defined in Internet RFC 1321. ->>>84 ubequad >0 \b, 0x%llx MD5 +>>>84 ubequad >0 \b, %#llx MD5 # reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD -#>>100 ubequad x \b 0x%llx reserved +#>>100 ubequad x \b %#llx reserved # tag table # 6 <= tags count <= 43 #>>>128 ubelong >43 \b, %u tags @@ -191,8 +191,8 @@ >>>>132 default x \b, no copyright tag # 1st tag #>>>132 string x \b, 1st tag %.4s -#>>>136 ubelong x 0x%x offset -#>>>140 ubelong x 0x%x len +#>>>136 ubelong x %#x offset +#>>>140 ubelong x %#x len # 2nd tag,... # look also for profileDescriptionTag "desc" >>>132 search/508 desc diff --git a/contrib/file/magic/Magdir/iff b/contrib/file/magic/Magdir/iff index 9437dd68e129..258d16a4e1e3 100644 --- a/contrib/file/magic/Magdir/iff +++ b/contrib/file/magic/Magdir/iff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: iff,v 1.14 2015/09/07 10:03:21 christos Exp $ +# $File: iff,v 1.18 2022/03/21 19:57:18 christos Exp $ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic @@ -41,8 +41,11 @@ >8 string ANIM \b, ANIM animation >8 string YAFA \b, YAFA animation >8 string SSA\ \b, SSA super smooth animation +>8 string FANT \b, Fantavision animation >8 string ACBM \b, ACBM continuous image >8 string FAXX \b, FAXX fax image +>8 string STFX \b, ST-Fax image +>8 string IMAGIHDR \b, CD-i image # other formats >8 string FTXT \b, FTXT formatted text >8 string CTLG \b, CTLG message catalog @@ -51,7 +54,11 @@ >8 string PTCH \b, PTCH binary patch >8 string AMFF \b, AMFF AmigaMetaFile format >8 string WZRD \b, WZRD StormWIZARD resource ->8 string DOC\ \b, DOC desktop publishing document +>8 string DOC\040 \b, DOC desktop publishing document +>8 string SWRT \b, SWRT Final Copy/Writer document +>8 string WORD \b, ProWrite document +>8 string WTXT \b, WTXT Wordworth document +>8 string WOWO \b, WOWO Wordworth document >8 string WVQA \b, Westwood Studios VQA Multimedia, >>24 leshort x %d video frames, >>26 leshort x %d x diff --git a/contrib/file/magic/Magdir/images b/contrib/file/magic/Magdir/images index e6ebc5a030f2..48e9f6dabfc2 100644 --- a/contrib/file/magic/Magdir/images +++ b/contrib/file/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.181 2020/05/30 23:49:03 christos Exp $ +# $File: images,v 1.243 2023/07/17 16:49:09 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -30,24 +30,29 @@ # Conflict with MPEG sequences. !:strength -40 # Prevent conflicts with CRI ADX. ->(2.S-2) belong !0x28632943 +#>(2.S-2) belong !0x28632943 +# above line does not work for rgb32_top_left_rle.tga +# skip some MPEG sequence *.vob and some CRI ADX audio with improbable interleave bits +>17 ubyte&0xC0 !0xC0 # skip more garbage like *.iso by looking for positive image type >>2 ubyte >0 # skip some compiled terminfo like xterm+tmux by looking for image type less equal 33 >>>2 ubyte <34 +# skip some MPEG sequence *.vob HV001T01.EVO winnicki.mpg with unacceptable alpha channel depth 11 +>>>>17 ubyte&0x0F !11 # skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel depth 1 8 15 16 24 32 ->>>>16 ubyte 1 ->>>>>0 use tga-image ->>>>16 ubyte 8 ->>>>>0 use tga-image ->>>>16 ubyte 15 ->>>>>0 use tga-image ->>>>16 ubyte 16 ->>>>>0 use tga-image ->>>>16 ubyte 24 ->>>>>0 use tga-image ->>>>16 ubyte 32 ->>>>>0 use tga-image +>>>>>16 ubyte 1 +>>>>>>0 use tga-image +>>>>>16 ubyte 8 +>>>>>>0 use tga-image +>>>>>16 ubyte 15 +>>>>>>0 use tga-image +>>>>>16 ubyte 16 +>>>>>>0 use tga-image +>>>>>16 ubyte 24 +>>>>>>0 use tga-image +>>>>>16 ubyte 32 +>>>>>>0 use tga-image # display tga bitmap image information 0 name tga-image >2 ubyte <34 Targa image data @@ -88,6 +93,7 @@ # Y origin of image. 0 normal; positive for top >10 uleshort >0 +%d # Image descriptor: bits 3-0 give the alpha channel depth, bits 5-4 give direction +# alpha depth like: 1 8 >17 ubyte&0x0F >0 - %d-bit alpha # bits 5-4 give direction. normal bottom left >17 ubyte &0x20 - top @@ -117,77 +123,88 @@ # date >>>>&365 ubequad&0xffffFFFFffff0000 !0 # Day ->>>>>&-6 uleshort x %d +>>>>>&-6 uleshort x %d # Month ->>>>>&-8 uleshort x \b-%d +>>>>>&-8 uleshort x \b-%d # Year ->>>>>&-4 uleshort x \b-%d +>>>>>&-4 uleshort x \b-%d # time >>>>&371 ubequad&0xffffFFFFffff0000 !0 # hour ->>>>>&-8 uleshort x %d +>>>>>&-8 uleshort x %d # minutes ->>>>>&-6 uleshort x \b:%.2d +>>>>>&-6 uleshort x \b:%.2d # second ->>>>>&-4 uleshort x \b:%.2d +>>>>>&-4 uleshort x \b:%.2d # JobName[41] ->>>>&377 string >\0 - job "%-.40s" +>>>>&377 string >\0 - job "%-.40s" # JobHour Jobminute Jobsecond >>>>&418 ubequad&0xffffFFFFffff0000 !0 ->>>>>&-8 uleshort x %d ->>>>>&-6 uleshort x \b:%.2d ->>>>>&-4 uleshort x \b:%.2d +>>>>>&-8 uleshort x %d +>>>>>&-6 uleshort x \b:%.2d +>>>>>&-4 uleshort x \b:%.2d # SoftwareId[41] ->>>>&424 string >\0 - %-.40s +>>>>&424 string >\0 - %-.40s # SoftwareVersionNumber ->>>>&424 ubyte >0 ->>>>>&40 uleshort/100 x %d ->>>>>&40 uleshort%100 x \b.%d +>>>>&424 ubyte >0 +>>>>>&40 uleshort/100 x %d +>>>>>&40 uleshort%100 x \b.%d # VersionLetter ->>>>>&42 ubyte >0x20 \b%c +>>>>>&42 ubyte >0x20 \b%c # KeyColor ->>>>&468 ulelong >0 - keycolor 0x%8.8x +>>>>&468 ulelong >0 - keycolor %#8.8x # Denominator of Pixel ratio. 0~no pixel aspect ->>>>&474 uleshort >0 +>>>>&474 uleshort >0 # Numerator ->>>>>&-4 uleshort >0 - aspect %d ->>>>>&-2 uleshort x \b/%d +>>>>>&-4 uleshort >0 - aspect %d +>>>>>&-2 uleshort x \b/%d # Denominator of Gamma ratio. 0~no Gamma value ->>>>&478 uleshort >0 +>>>>&478 uleshort >0 # Numerator ->>>>>&-4 uleshort >0 - gamma %d ->>>>>&-2 uleshort x \b/%d +>>>>>&-4 uleshort >0 - gamma %d +>>>>>&-2 uleshort x \b/%d # ColorOffset -#>>>>&480 ulelong x - col offset 0x%8.8x +#>>>>&480 ulelong x - col offset %#8.8x # StampOffset -#>>>>&484 ulelong x - stamp offset 0x%8.8x +#>>>>&484 ulelong x - stamp offset %#8.8x # ScanOffset -#>>>>&488 ulelong x - scan offset 0x%8.8x +#>>>>&488 ulelong x - scan offset %#8.8x # AttributesType -#>>>>&492 ubyte x - Attributes 0x%x +#>>>>&492 ubyte x - Attributes %#x ## EndOfTGA # PBMPLUS images +# URL: https://en.wikipedia.org/wiki/Netpbm # The next byte following the magic is always whitespace. -# strength is changed to try these patterns before "x86 boot sector" +# adding 65 to strength so that Netpbm images comes before "x86 boot sector" or +# "DOS/MBR boot sector" identified by ./filesystems 0 name netpbm ->3 regex/s =[0-9]{1,50}\ [0-9]{1,50} Netpbm image data +>3 regex/s =\^[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s 0 search/1 P1 ->0 regex/4 P1[\040\t\f\r\n] ->>0 use netpbm ->>0 string x \b, bitmap +# test for whitespace after 2 byte magic +>2 regex/2 [\040\t\f\r\n] +# skip DROID x-fmt-164-signature-id-583.pbm with ten 0 digits +>>3 string !000000000 +>>>0 use netpbm +>>>0 string x \b, bitmap !:strength + 65 !:mime image/x-portable-bitmap +!:ext pbm +# check for character # starting a comment line +>>>3 ubyte =0x23 +>>>>4 string x %s 0 search/1 P2 >0 regex/4 P2[\040\t\f\r\n] >>0 use netpbm >>0 string x \b, greymap !:strength + 65 -!:mime image/x-portable-greymap +# american spelling gray +!:mime image/x-portable-graymap +!:ext pgm 0 search/1 P3 >0 regex/4 P3[\040\t\f\r\n] @@ -195,6 +212,7 @@ >>0 string x \b, pixmap !:strength + 65 !:mime image/x-portable-pixmap +!:ext ppm 0 string P4 >0 regex/4 P4[\040\t\f\r\n] @@ -202,6 +220,7 @@ >>0 string x \b, rawbits, bitmap !:strength + 65 !:mime image/x-portable-bitmap +!:ext pbm 0 string P5 >0 regex/4 P5[\040\t\f\r\n] @@ -209,6 +228,7 @@ >>0 string x \b, rawbits, greymap !:strength + 65 !:mime image/x-portable-greymap +!:ext pgm 0 string P6 >0 regex/4 P6[\040\t\f\r\n] @@ -216,20 +236,35 @@ >>0 string x \b, rawbits, pixmap !:strength + 65 !:mime image/x-portable-pixmap +!:ext ppm/pnm -0 string P7 Netpbm PAM image file -!:mime image/x-portable-pixmap +# URL: https://en.wikipedia.org/wiki/Netpbm#PAM_graphics_format +# Reference: http://fileformats.archiveteam.org/wiki/Portable_Arbitrary_Map +# Update: Joerg Jenderek +0 string P7 +# skip DROID fmt-405-signature-id-589.pam by looking for character like New Line +>2 ubyte !0xAB +#>2 ubyte =0x0A +>>3 search/256/b WIDTH Netpbm PAM image file, size = +!:mime image/x-portable-arbitrarymap +!:ext pam +!:strength + 65 +>>>&1 string x %s +>>>3 search/256/b HEIGHT x +>>>>&1 string x %s +# at offset 2 a New Line character (0xA) should appear +>>>2 ubyte !0x0A \b, %#x at offset 2 instead new line # From: bryanh@giraffe-data.com (Bryan Henderson) 0 string \117\072 Solitaire Image Recorder format >4 string \013 MGI Type 11 >4 string \021 MGI Type 17 0 string .MDA MicroDesign data ->21 byte 48 version 2 ->21 byte 51 version 3 +>21 ubyte 48 version 2 +>21 ubyte 51 version 3 0 string .MDP MicroDesign page data ->21 byte 48 version 2 ->21 byte 51 version 3 +>21 ubyte 48 version 2 +>21 ubyte 51 version 3 # NIFF (Navy Interchange File Format, a modification of TIFF) images # [GRR: this *must* go before TIFF] @@ -242,8 +277,8 @@ # URL: https://www.sno.phy.queensu.ca/~phil/exiftool/canon_raw.html 0 string II\x1a\0\0\0HEAPCCDR Canon CIFF raw image data !:mime image/x-canon-crw ->16 leshort x \b, version %d. ->14 leshort x \b%d +>16 uleshort x \b, version %d. +>14 uleshort x \b%d # Canon RAW version 2 (CR2) files are a kind of TIFF with an extra magic # number. Put this above the TIFF test to make sure we detect them. @@ -253,8 +288,22 @@ 0 string II\x2a\0\x10\0\0\0CR Canon CR2 raw image data !:mime image/x-canon-cr2 !:strength +80 ->10 byte x \b, version %d. ->11 byte x \b%d +>10 ubyte x \b, version %d. +>11 ubyte x \b%d + +# Fujifilm RAF RAW image files with embedded JPEG data and compressed +# or uncompressed CFA RAW data. Byte order: Big Endian. +# URL: https://libopenraw.freedesktop.org/formats/raf/ +# Useful info from http://fileformats.archiveteam.org/wiki/Fujifilm_RAF. +# File extension: RAF +# Works for both the FinePix S2 Pro and the X-T3. Anybody have some more Fuji +# raw samples available? +# -- David Dyer-Bennet <dd-b@dd-b.net> 9-Sep-2021 +0 string FUJIFILMCCD-RAW Fujifilm RAF raw image data +!:mime image/x-fuji-raf +!:ext raf +>0x10 string x \b, format version %4.4s +>0x1C string x \b, camera %s # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has @@ -262,155 +311,157 @@ 0 string MM\x00\x2a TIFF image data, big-endian !:strength +70 !:mime image/tiff +!:ext tif/tiff >(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff !:strength +70 +!:ext tif/tiff >(4.l) use tiff_ifd 0 name tiff_ifd ->0 leshort x \b, direntries=%d +>0 uleshort x \b, direntries=%d >2 use tiff_entry 0 name tiff_entry # NewSubFileType ->0 leshort 0xfe +>0 uleshort 0xfe >>12 use tiff_entry ->0 leshort 0x100 ->>4 lelong 1 +>0 uleshort 0x100 +>>4 ulelong 1 >>>12 use tiff_entry ->>>8 leshort x \b, width=%d ->0 leshort 0x101 ->>4 lelong 1 ->>>8 leshort x \b, height=%d +>>>8 uleshort x \b, width=%d +>0 uleshort 0x101 +>>4 ulelong 1 +>>>8 uleshort x \b, height=%d >>>12 use tiff_entry ->0 leshort 0x102 ->>8 leshort x \b, bps=%d +>0 uleshort 0x102 +>>8 uleshort x \b, bps=%d >>12 use tiff_entry ->0 leshort 0x103 ->>4 lelong 1 \b, compression= ->>>8 leshort 1 \bnone ->>>8 leshort 2 \bhuffman ->>>8 leshort 3 \bbi-level group 3 ->>>8 leshort 4 \bbi-level group 4 ->>>8 leshort 5 \bLZW ->>>8 leshort 6 \bJPEG (old) ->>>8 leshort 7 \bJPEG ->>>8 leshort 8 \bdeflate ->>>8 leshort 9 \bJBIG, ITU-T T.85 ->>>8 leshort 0xa \bJBIG, ITU-T T.43 ->>>8 leshort 0x7ffe \bNeXT RLE 2-bit ->>>8 leshort 0x8005 \bPackBits (Macintosh RLE) ->>>8 leshort 0x8029 \bThunderscan RLE ->>>8 leshort 0x807f \bRasterPadding (CT or MP) ->>>8 leshort 0x8080 \bRLE (Line Work) ->>>8 leshort 0x8081 \bRLE (High-Res Cont-Tone) ->>>8 leshort 0x8082 \bRLE (Binary Line Work) ->>>8 leshort 0x80b2 \bDeflate (PKZIP) ->>>8 leshort 0x80b3 \bKodak DCS ->>>8 leshort 0x8765 \bJBIG ->>>8 leshort 0x8798 \bJPEG2000 ->>>8 leshort 0x8799 \bNikon NEF Compressed +>0 uleshort 0x103 +>>4 ulelong 1 \b, compression= +>>>8 uleshort 1 \bnone +>>>8 uleshort 2 \bhuffman +>>>8 uleshort 3 \bbi-level group 3 +>>>8 uleshort 4 \bbi-level group 4 +>>>8 uleshort 5 \bLZW +>>>8 uleshort 6 \bJPEG (old) +>>>8 uleshort 7 \bJPEG +>>>8 uleshort 8 \bdeflate +>>>8 uleshort 9 \bJBIG, ITU-T T.85 +>>>8 uleshort 0xa \bJBIG, ITU-T T.43 +>>>8 uleshort 0x7ffe \bNeXT RLE 2-bit +>>>8 uleshort 0x8005 \bPackBits (Macintosh RLE) +>>>8 uleshort 0x8029 \bThunderscan RLE +>>>8 uleshort 0x807f \bRasterPadding (CT or MP) +>>>8 uleshort 0x8080 \bRLE (Line Work) +>>>8 uleshort 0x8081 \bRLE (High-Res Cont-Tone) +>>>8 uleshort 0x8082 \bRLE (Binary Line Work) +>>>8 uleshort 0x80b2 \bDeflate (PKZIP) +>>>8 uleshort 0x80b3 \bKodak DCS +>>>8 uleshort 0x8765 \bJBIG +>>>8 uleshort 0x8798 \bJPEG2000 +>>>8 uleshort 0x8799 \bNikon NEF Compressed >>>8 default x ->>>>8 leshort x \b(unknown 0x%x) +>>>>8 uleshort x \b(unknown %#x) >>>12 use tiff_entry ->0 leshort 0x106 \b, PhotometricIntepretation= +>0 uleshort 0x106 \b, PhotometricInterpretation= >>8 clear x ->>8 leshort 0 \bWhiteIsZero ->>8 leshort 1 \bBlackIsZero ->>8 leshort 2 \bRGB ->>8 leshort 3 \bRGB Palette ->>8 leshort 4 \bTransparency Mask ->>8 leshort 5 \bCMYK ->>8 leshort 6 \bYCbCr ->>8 leshort 8 \bCIELab +>>8 uleshort 0 \bWhiteIsZero +>>8 uleshort 1 \bBlackIsZero +>>8 uleshort 2 \bRGB +>>8 uleshort 3 \bRGB Palette +>>8 uleshort 4 \bTransparency Mask +>>8 uleshort 5 \bCMYK +>>8 uleshort 6 \bYCbCr +>>8 uleshort 8 \bCIELab >>8 default x ->>>8 leshort x \b(unknown=0x%x) +>>>8 uleshort x \b(unknown=%#x) >>12 use tiff_entry # FillOrder ->0 leshort 0x10a ->>4 lelong 1 +>0 uleshort 0x10a +>>4 ulelong 1 >>>12 use tiff_entry # DocumentName ->0 leshort 0x10d +>0 uleshort 0x10d >>(8.l) string x \b, name=%s >>>12 use tiff_entry # ImageDescription ->0 leshort 0x10e +>0 uleshort 0x10e >>(8.l) string x \b, description=%s >>>12 use tiff_entry # Make ->0 leshort 0x10f +>0 uleshort 0x10f >>(8.l) string x \b, manufacturer=%s >>>12 use tiff_entry # Model ->0 leshort 0x110 +>0 uleshort 0x110 >>(8.l) string x \b, model=%s >>>12 use tiff_entry # StripOffsets ->0 leshort 0x111 +>0 uleshort 0x111 >>12 use tiff_entry # Orientation ->0 leshort 0x112 \b, orientation= ->>8 leshort 1 \bupper-left ->>8 leshort 3 \blower-right ->>8 leshort 6 \bupper-right ->>8 leshort 8 \blower-left ->>8 leshort 9 \bundefined +>0 uleshort 0x112 \b, orientation= +>>8 uleshort 1 \bupper-left +>>8 uleshort 3 \blower-right +>>8 uleshort 6 \bupper-right +>>8 uleshort 8 \blower-left +>>8 uleshort 9 \bundefined >>8 default x ->>>8 leshort x \b[*%d*] +>>>8 uleshort x \b[*%d*] >>12 use tiff_entry # XResolution ->0 leshort 0x11a ->>8 lelong x \b, xresolution=%d +>0 uleshort 0x11a +>>8 ulelong x \b, xresolution=%d >>12 use tiff_entry # YResolution ->0 leshort 0x11b ->>8 lelong x \b, yresolution=%d +>0 uleshort 0x11b +>>8 ulelong x \b, yresolution=%d >>12 use tiff_entry # ResolutionUnit ->0 leshort 0x128 ->>8 leshort x \b, resolutionunit=%d +>0 uleshort 0x128 +>>8 uleshort x \b, resolutionunit=%d >>12 use tiff_entry # Software ->0 leshort 0x131 +>0 uleshort 0x131 >>(8.l) string x \b, software=%s >>12 use tiff_entry # Datetime ->0 leshort 0x132 +>0 uleshort 0x132 >>(8.l) string x \b, datetime=%s >>12 use tiff_entry # HostComputer ->0 leshort 0x13c +>0 uleshort 0x13c >>(8.l) string x \b, hostcomputer=%s >>12 use tiff_entry # WhitePoint ->0 leshort 0x13e +>0 uleshort 0x13e >>12 use tiff_entry # PrimaryChromaticities ->0 leshort 0x13f +>0 uleshort 0x13f >>12 use tiff_entry # YCbCrCoefficients ->0 leshort 0x211 +>0 uleshort 0x211 >>12 use tiff_entry # YCbCrPositioning ->0 leshort 0x213 +>0 uleshort 0x213 >>12 use tiff_entry # ReferenceBlackWhite ->0 leshort 0x214 +>0 uleshort 0x214 >>12 use tiff_entry # Copyright ->0 leshort 0x8298 +>0 uleshort 0x8298 >>(8.l) string x \b, copyright=%s >>12 use tiff_entry # ExifOffset ->0 leshort 0x8769 +>0 uleshort 0x8769 >>12 use tiff_entry # GPS IFD ->0 leshort 0x8825 \b, GPS-Data +>0 uleshort 0x8825 \b, GPS-Data >>12 use tiff_entry -#>0 leshort x \b, unknown=0x%x +#>0 uleshort x \b, unknown=%#x #>>12 use tiff_entry 0 string MM\x00\x2b Big TIFF image data, big-endian @@ -427,17 +478,17 @@ # IHDR parser 0 name png-ihdr ->0 belong x \b, %d x ->4 belong x %d, ->8 byte x %d-bit ->9 byte 0 grayscale, ->9 byte 2 \b/color RGB, ->9 byte 3 colormap, ->9 byte 4 gray+alpha, ->9 byte 6 \b/color RGBA, -#>10 byte 0 deflate/32K, ->12 byte 0 non-interlaced ->12 byte 1 interlaced +>0 ubelong x \b, %d x +>4 ubelong x %d, +>8 ubyte x %d-bit +>9 ubyte 0 grayscale, +>9 ubyte 2 \b/color RGB, +>9 ubyte 3 colormap, +>9 ubyte 4 gray+alpha, +>9 ubyte 6 \b/color RGBA, +#>10 ubyte 0 deflate/32K, +>12 ubyte 0 non-interlaced +>12 ubyte 1 interlaced # Standard PNG image. 0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data @@ -478,26 +529,27 @@ !:strength +80 !:mime image/gif !:apple 8BIMGIFf +!:ext gif >4 string 7a \b, version 8%s, >4 string 9a \b, version 8%s, ->6 leshort >0 %d x ->8 leshort >0 %d -#>10 byte &0x80 color mapped, -#>10 byte&0x07 =0x00 2 colors -#>10 byte&0x07 =0x01 4 colors -#>10 byte&0x07 =0x02 8 colors -#>10 byte&0x07 =0x03 16 colors -#>10 byte&0x07 =0x04 32 colors -#>10 byte&0x07 =0x05 64 colors -#>10 byte&0x07 =0x06 128 colors -#>10 byte&0x07 =0x07 256 colors +>6 uleshort >0 %d x +>8 uleshort >0 %d +#>10 ubyte &0x80 color mapped, +#>10 ubyte&0x07 =0x00 2 colors +#>10 ubyte&0x07 =0x01 4 colors +#>10 ubyte&0x07 =0x02 8 colors +#>10 ubyte&0x07 =0x03 16 colors +#>10 ubyte&0x07 =0x04 32 colors +#>10 ubyte&0x07 =0x05 64 colors +#>10 ubyte&0x07 =0x06 128 colors +#>10 ubyte&0x07 =0x07 256 colors # ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, # 1 plane, no encoding. 0 string \361\0\100\273 CMU window manager raster image data ->4 lelong >0 %d x ->8 lelong >0 %d, ->12 lelong >0 %d-bit +>4 ulelong >0 %d x +>8 ulelong >0 %d, +>12 ulelong >0 %d-bit # Magick Image File Format # URL: https://imagemagick.org/script/miff.php @@ -506,7 +558,7 @@ # http://www.nationalarchives.gov.uk/pronom/fmt/930 0 search/256/bc id=imagemagick # skip bad ASCII text by following new line~0x0A or space~0x20 character -#>&0 ubyte x \b, next character 0x%x +#>&0 ubyte x \b, next character %#x # called by TriD ImageMagick Machine independent File Format bitmap >&0 ubyte&0xD5 0 MIFF image data # https://reposcope.com/mimetype/image/miff @@ -544,8 +596,49 @@ >4 long 3 \b, rectangular 32-bit (24-bit with matte) # FIG (Facility for Interactive Generation of figures), an object-based format -0 search/1 #FIG FIG image text +# URL: http://fileformats.archiveteam.org/wiki/Fig +# https://en.wikipedia.org/wiki/Xfig +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/fig.trid.xml +# https://web.archive.org/web/20070920204655/http://epb.lbl.gov/xfig/fig-format.html +# Update: Joerg Jenderek +# Note: called "FIG vector drawing" by TrID, +# 4 byte magic is assumed to be always at offset 0 and +# verified by `fig2mpdf -v bootloader.fig && file bootloader.pdf` +#0 search/1/tb #FIG FIG image text +# GRR: with --keep-going option the line above gives duplicate messages +0 search/1/ts #FIG +>&0 use image-xfig +# binary data variant with non ASCII text characters like Control-A or °C in thermostat.fig +0 search/1/bs #FIG +>&0 use image-xfig +# display XFIG image describing text, mime type, file name extension and version +0 name image-xfig +>8 ubyte x FIG image text +#!:mime text/plain +# https://reposcope.com/mimetype/image/x-xfig +!:mime image/x-xfig +!:ext fig +# version string like: 1.4 2.1 3.1 3.2 >5 string x \b, version %.3s +# some times after version text like: "Produced by xfig version 3.2.5-alpha5" +>8 ubyte >0x0D +>>8 string x "%s" +# should be point character (2Eh) of version string according to TrID +#>6 ubyte !0x2E \b, at 6 %#x +# caret character (23h) at the beginning in most or probably all examples +#>0 ubyte !0x23 \b, starting with character %#x +# URL: http://fileformats.archiveteam.org/wiki/DeskMate_Draw +# http://en.wikipedia.org/wiki/Deskmate +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dm-fig.trid.xml +# From: Joerg Jenderek +# Note: called "DeskMate Draw drawing" by TrID +0 string \x14FIG DeskMate Drawing +#!:mime application/octet-stream +!:mime image/x-deskmate-fig +!:ext fig +# TODO: +# "Cabri 3D Figure" by TrID fig-cabri.trid.xml +# "Playmation Figure" by TrID fig-playmation.trid.xml # PHIGS 0 string ARF_BEGARF PHIGS clear text archive @@ -559,7 +652,86 @@ >24 string SunGKS \b, SunGKS # CGM image files -0 string BEGMF clear text Computer Graphics Metafile +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CGM +# https://en.wikipedia.org/wiki/Computer_Graphics_Metafile +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-ct.trid.xml +# http://standards.iso.org/ittf/PubliclyAvailableStandards/c032381_ISO_IEC_8632-4_1999(E).zip +# Note: called "Computer Graphics Metafile (Clear Text)" by TrID and +# "Computer Graphics Metafile ASCII" by DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# According to TrID only letter B and M are always upcased and by DROID often only B is upcased for command BEGIN METAFILE +0 string/c begmf +# skip SOME DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>5 short !0 +# skip other versions of DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>>5 short !0xABab clear text Computer Graphics Metafile +# https://reposcope.com/mimetype/image/cgm +!:mime image/cgm +!:ext cgm +# SF:NAME like: 'metafile example'; +>>>5 string x %s +# look for command METAFILE VERSION (MFVERSION <SOFTSEP> <I:VERSION>) +>>>2 search/128/c mfversion +#>>>>&0 ubyte x SOFTSEP=%#x +# version like: 1 3 4 +>>>>&1 ubyte >0x31 \b, version %c +# Summary: Computer Graphics Metafile (binary) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-bin.trid.xml +# https://standards.iso.org/ittf/PubliclyAvailableStandards/c032380_ISO_IEC_8632-3_1999(E).zip +# Note: called "Computer Graphics Metafile (binary)" by TrID and DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# look for BEGIN METAFILE (element Class 0 and ID 1 and "random" Parameter) that is binary C C C C 0 0 0 0 0 0 1 P P P P P +0 ubeshort&0xFFe0 0x0020 +# skip SOME DROID fmt-303-signature-id-368.cgm fmt-304-signature-id-369.cgm fmt-305-signature-id-370.cgm fmt-306-signature-id-371.cgm +# with containing only 28 bytes +>28 ubyte x +# look for METAFILE VERSION (element class 1 and id 1 and parameter P1 with length 2) that is binary 0 0 0 1 i i i i i i 1 P P P 1 P +# with "low" version; 2nd worst case argentin.cgm with parameter length 56 +# worst MS.CGM +#>>2 search/73/b \x10\x22\0 binary Computer Graphics Metafile +>>2 search/128/b \x10\x22\0 binary Computer Graphics Metafile +!:mime image/cgm +!:ext cgm +# metafile 2 byte version number like: 1 (most) 2 3 4 +>>>&-1 ubeshort >1 \b, version %u +# length number of 1st parameter octets in range 0 to 30 implies short command +>>>0 ubeshort&0x001F <31 \b, parameter length %u +# length of string like: 8 9 10 11 12 29 +#>>>>2 ubyte x \b, %u BYTES (SHORT) +# string like: 'HiJaak 2' 'Example 1' 'sahara.cgm' 'MASTERCLIPS--Art Of Business ' +>>>>2 pstring >\0 '%s' +# after 1st short command with even parameter length comes 2nd command like: 1022h 0010h (EAF00010.CGM 'HiJaak 2' FLOPPY2.CGM TIGER.CGM 'B:\TIGER.CGM') +>>>>0 ubeshort&0x0001 =0 +>>>>>(2.b+3) ubeshort !0x1022 \b, 2nd command %#4.4x (short even) +# after 1st short command with odd parameter length comes nil padding byte followed 2nd command like: 1022h +>>>>0 ubeshort&0x0001 =1 +#>>>>>(2.b+3) ubyte !0 \b, PADDING %#x +>>>>>(2.b+4) ubeshort !0x1022 \b, 2nd command %#4.4x (short odd) +# 11111 binary (decimal 31) in the parameter field indicates that the command is in long-form +>>>0 ubeshort&0x001F =0x1F +# bit 15 is partition flag with 1 for 'not-last' partition and 0 for 'last' partition +>>>>2 ubeshort&0x8000 !0 \b, partition flag %#4.4x +# bits 0 to 14 is parameter list length; the number of following parameter octets; range 0 to 32767 +# length of 1st long command parameter like: 53 +>>>>2 ubeshort&0x7Fff x \b, parameter length %u (long) +# The two header words are then followed by lenghth of 1st string like: 52 +#>>>>4 ubyte x \b, %u BYTES +# string like: 'K:\PROJECTS\GRAPHICS\DWKS3.5\CLIPART\FLAGS\Italy.cgm' +>>>>4 pstring/B x '%s' +# odd long parameter length implies single null padding octet to start command on word boundary +>>>>2 ubeshort&0x0001 =1 +# after 1st long command with odd parameter length comes nil padding byte followed by 2nd command like: 1022h +#>>>>>(4.b+5) ubyte !0 \b, PADDING %#x +>>>>>(4.b+6) ubeshort !0x1022 \b, 2nd command %#4.4x (long odd) +# even long parameter length implies next command directly is following +>>>>2 ubeshort&0x0001 =0 +# after 1st long command with even parameter length comes 2nd command like: 1022h 0x1054 (MS.CGM) +>>>>>(4.b+5) ubeshort !0x1022 \b, 2nd command %#4.4x (long even) +# look for END METAFILE (element class 0 and id 2 and 0 parameter) that is binary 0 0 0 0 i i i i i 1 i P P P P P +>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string yz MGR bitmap, modern format, 8-bit aligned @@ -574,36 +746,49 @@ # facsimile data 1 string PC\ Research,\ Inc group 3 fax data ->29 byte 0 \b, normal resolution (204x98 DPI) ->29 byte 1 \b, fine resolution (204x196 DPI) +>29 ubyte 0 \b, normal resolution (204x98 DPI) +>29 ubyte 1 \b, fine resolution (204x196 DPI) # From: Herbert Rosmanith <herp@wildsau.idv.uni.linz.at> 0 string Sfff structured fax file # From: Joerg Jenderek <joerg.jen.der.ek@gmx.net> -# most files with the extension .EPA and some with .BMP +# URL: http://fileformats.archiveteam.org/wiki/Award_BIOS_logo +# Note: verified by XnView command `nconvert -fullinfo *.EPA` 0 string \x11\x06 Award BIOS Logo, 136 x 84 !:mime image/x-award-bioslogo +!:ext epa 0 string \x11\x09 Award BIOS Logo, 136 x 126 !:mime image/x-award-bioslogo +!:ext epa +# https://telparia.com/fileFormatSamples/image/epa/IO.EPA +# Note: by bitmap-awbm-v1x1009.trid.xml called "Award BIOS logo bitmap (128x126) (v1)" +# verified by RECOIL `recoil2png -o tmp.png IO.EPA; file tmp.png` +0 string \x10\x09 Award BIOS Logo, 128 x 126 +!:mime image/x-award-bioslogo +!:ext epa #0 string \x07\x1f BIOS Logo corrupted? # http://www.blackfiveservices.co.uk/awbmtools.shtml # http://biosgfx.narod.ru/v3/ # http://biosgfx.narod.ru/abr-2/ 0 string AWBM ->4 leshort <1981 Award BIOS bitmap -!:mime image/x-award-bmp +# Note: by bitmap-awbm.trid.xml called "Award BIOS logo bitmap (v2)" +>4 uleshort <1981 Award BIOS Logo, version 2 +#>4 uleshort <1981 Award BIOS bitmap +!:mime image/x-award-bioslogo2 +#!:mime image/x-award-bmp +!:ext epa/bmp # image width is a multiple of 4 ->>4 leshort&0x0003 0 ->>>4 leshort x \b, %d ->>>6 leshort x x %d ->>4 leshort&0x0003 >0 \b, ->>>4 leshort&0x0003 =1 ->>>>4 leshort x %d+3 ->>>4 leshort&0x0003 =2 ->>>>4 leshort x %d+2 ->>>4 leshort&0x0003 =3 ->>>>4 leshort x %d+1 ->>>6 leshort x x %d +>>4 uleshort&0x0003 0 +>>>4 uleshort x \b, %d +>>>6 uleshort x x %d +>>4 uleshort&0x0003 >0 \b, +>>>4 uleshort&0x0003 =1 +>>>>4 uleshort x %d+3 +>>>4 uleshort&0x0003 =2 +>>>>4 uleshort x %d+2 +>>>4 uleshort&0x0003 =3 +>>>>4 uleshort x %d+1 +>>>6 uleshort x x %d # at offset 8 starts imagedata followed by "RGB " marker # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) @@ -612,15 +797,15 @@ # Note: variant starting direct with DIB header see # http://fileformats.archiveteam.org/wiki/BMP # verified by ImageMagick version 6.8.9-8 command `identify *.dib` -0 leshort 40 +0 uleshort 40 # skip bad samples like GAME by looking for valid number of color planes >12 uleshort 1 Device independent bitmap graphic -!:mime image/bmp +!:mime image/x-ms-bmp !:apple ????BMPp !:ext dib ->>4 lelong x \b, %d x ->>8 lelong x %d x ->>14 leshort x %d +>>4 ulelong x \b, %d x +>>8 ulelong x %d x +>>14 uleshort x %d # number of color planes (must be 1) #>>12 uleshort >1 \b, %u color planes # compression method: 0~no 1~RLE 8-bit/pixel 3~Huffman 1D @@ -629,18 +814,110 @@ # image size is the size of raw bitmap; a dummy 0 can be given for BI_RGB bitmaps >>20 ulelong x \b, image size %u # horizontal and vertical resolution of the image (pixel per metre, signed integer) ->>24 lelong >0 \b, resolution %d x ->>>28 lelong x %d px/m +>>24 ulelong >0 \b, resolution %d x +>>>28 ulelong x %d px/m # number of colors in palette, or 0 to default to 2**n #>>32 ulelong >0 \b, %u colors # number of important colors used, or 0 when every color is important >>36 ulelong >0 \b, %u important colors +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/VBM_(VDC_BitMap) +# Reference: http://csbruce.com/cbm/postings/csc19950906-1.txt +# http://mark0.net/download/triddefs_xml.7z +# defs/b/bitmap-vbm.trid.xml +# defs/b/bitmap-vbm-v3.trid.xml +# Note: called "VDC BitMap" by TrID +# verified by RECOIL `recoil2png -o tmp.png coke_can.vbm; file tmp.png` +# begin with a signature of 'B' 'M' 0xCB, followed by a version byte 2 or 3 +# Similar to the unrelated Windows BMP format +# check for VDC bitmap and then display image dimension and version +0 name bitmap-vbm +>2 ubyte 0xCB VDC bitmap +!:mime image/x-commodore-vbm +# http://recoil.sourceforge.net/formats.html +!:ext bm/vbm +# the VBM format version number: 2 or 3 +>>3 ubyte x \b, version %u +# width of the image in Hi/Lo format +>>4 ubeshort x \b, %u +# height of the image +>>6 ubeshort x x %u +# version 3 images have the following additional header information +>>3 ubyte =3 +# data-encoding type: 0~uncompressed 1~RLE-compressed +>>>8 ubyte 0 \b, uncompressed +>>>8 ubyte 1 \b, RLE-compressed +# byte code for general RLE repetitions +#>>>9 ubyte x \b, RLE repetition code 0x%x +# reserved := 0 +#>>>14 short >0 \b, reserved 0x%x +# length of comment text; 0~no comment text +#>>>16 ubeshort >0 \b, comment length %u +>>>16 pstring/H >0 \b, comment "%s" +# 0 string BM ->14 leshort 12 PC bitmap, OS/2 1.x format -!:mime image/x-ms-bmp ->>18 leshort x \b, %d x ->>20 leshort x %d ->14 leshort 64 PC bitmap, OS/2 2.x format +# check for magic and version 2 of VDC bitmap or BMP with cbSize=715=CB02 +>2 ubeshort 0xCB02 +>>6 short =0 +>>>0 use bitmap-bmp +# VDC bitmap height or maybe a few OS/2 BMP with nonzero "hotspot coordinates" +>>6 short !0 +>>>0 use bitmap-vbm +# check for magic and version 3 of VDC bitmap or BMP with cbSize=971=CB03 +>2 ubeshort 0xCB03 +# check for reserved value (=0) of VDC bitmap +>>14 short =0 +>>>0 use bitmap-vbm +# BMP with cbSize=????03CBh and dib header size != 0 +>>14 short !0 +>>>0 use bitmap-bmp +# cbSize is size of header or file size of Windows BMP bitmap +>2 default x +>>0 use bitmap-bmp +0 name bitmap-bmp +>14 ulelong 12 PC bitmap, OS/2 1.x format +!:mime image/bmp +!:ext bmp +>>18 uleshort x \b, %d x +>>20 uleshort x %d +# number of color planes (must be 1) +#>>22 uleshort !1 \b, %u color planes +# number of bits per pixel (color depth); found 4 8 +>>24 uleshort x x %d +# x, y coordinates of the hotspot +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file or header like 1Ah 228C8h +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%8.8x +# offBits; offset to bitmap data like: +>>10 ulelong x \b, bits offset %u +# http://fileformats.archiveteam.org/wiki/BMP#OS.2F2_BMP_2.0 no examples found +>14 ulelong 48 PC bitmap, OS/2 2.x format (DIB header size=48) +>14 ulelong 24 PC bitmap, OS/2 2.x format (DIB header size=24) +# http://entropymine.com/jason/bmpsuite/bmpsuite/q/pal8os2v2-16.bmp +# Note: by bitmap-bmp-v2o.trid.xml called "Windows Bitmap (v2o)" +>14 ulelong 16 PC bitmap, OS/2 2.x format (DIB header size=16) +!:mime image/bmp +!:apple ????BMPp +!:ext bmp +# image width and height fields are unsigned integers for OS/2 +>>18 ulelong x \b, %u x +>>22 ulelong x %u +# number of bits per pixel (color depth); found 8 +>>28 uleshort >1 x %u +# x, y coordinates of the hotspot +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# number of color planes (must be 1) +#>>26 uleshort >1 \b, %u color planes +# cbSize; size of file like: 241E +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 41E +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +>14 ulelong 64 PC bitmap, OS/2 2.x format !:mime image/bmp !:apple ????BMPp !:ext bmp @@ -655,34 +932,57 @@ >>26 uleshort >1 \b, %u color planes # cbSize; size of file or headers >>2 ulelong x \b, cbSize %u -#>>2 ulelong x \b, cbSize 0x%x +# BMP with cbSize 000002CBh=715 or 000003CBh=971 maybe misinterpreted as VDC bitmap +#>>2 ulelong x \b, cbSize %#x # offBits; offset to bitmap data like 56h 5Eh 8Eh 43Eh ->>10 ulelong x \b, bits offset %u -#>>10 ulelong x \b, bits offset 0x%x -#>>(10.l) ubequad !0 \b, bits 0x%16.16llx +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset %#x +#>>(10.l) ubequad !0 \b, bits %#16.16llx # BITMAPV2INFOHEADER adds RGB bit masks ->14 leshort 52 PC bitmap, Adobe Photoshop +>14 ulelong 52 PC bitmap, Adobe Photoshop !:mime image/bmp !:apple ????BMPp !:ext bmp ->>18 lelong x \b, %d x ->>22 lelong x %d x ->>28 leshort x %d +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# number of bits per pixel (color depth); found 16 32 +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 14A 7F42 +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 42h +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x # BITMAPV3INFOHEADER adds alpha channel bit mask ->14 leshort 56 PC bitmap, Adobe Photoshop with alpha channel mask +>14 ulelong 56 PC bitmap, Adobe Photoshop with alpha channel mask !:mime image/bmp !:apple ????BMPp !:ext bmp ->>18 lelong x \b, %d x ->>22 lelong x %d x ->>28 leshort x %d ->14 leshort 40 +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# number of bits per pixel (color depth); found 16 32 +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 4E 7F46 131DE 14046h +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 46h +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +>14 ulelong 40 # jump 4 bytes before end of file/header to skip fmt-116-signature-id-118.dib ->>(2.l-4) ulong x PC bitmap, Windows 3.x format +# broken for large bitmaps +#>>(2.l-4) ulong x PC bitmap, Windows 3.x format +>>14 ulelong 40 PC bitmap, Windows 3.x format !:mime image/bmp !:apple ????BMPp ->>>18 lelong x \b, %d x ->>>22 lelong x %d +>>>18 ulelong x \b, %d x +>>>22 ulelong x %d # 320 x 400 https://en.wikipedia.org/wiki/LOGO.SYS >>>18 ulequad =0x0000019000000140 x !:ext bmp/sys @@ -690,10 +990,19 @@ # compression method 2~RLE 4-bit/pixel implies also extension rle >>>>30 ulelong 2 x !:ext bmp/rle ->>>>30 default x x +# not RLE compressed and not 320x400 dimension +>>>>30 default x +# "small" dimensions like: 14x15 15x16 16x14 16x16 32x32 +# https://en.wikipedia.org/wiki/Favicon +>>>>>18 ulequad&0xffFFffC0ffFFffC0 =0 x +# https://www.politi-kdigital.de/favicon.ico +# http://forum.rpc1.org/favicon.ico +!:ext bmp/ico +# "big" dimensions > 63 +>>>>>18 default x x !:ext bmp # number of bits per pixel (color depth); found 1 2 4 8 16 24 32 ->>>28 leshort x %d +>>>28 uleshort x %d # x, y coordinates of the hotspot; there is no hotspot in bitmaps, so values 0 #>>>6 uleshort >0 \b, hotspot %ux #>>>>8 uleshort x \b%u @@ -705,54 +1014,73 @@ # image size is the size of raw bitmap; a dummy 0 can be given for BI_RGB bitmaps >>>34 ulelong >0 \b, image size %u # horizontal and vertical resolution of the image (pixel per metre, signed integer) ->>>38 lelong >0 \b, resolution %d x ->>>>42 lelong x %d px/m +>>>38 ulelong >0 \b, resolution %d x +>>>>42 ulelong x %d px/m # number of colors in palette 16 256, or 0 to default to 2**n #>>>46 ulelong >0 \b, %u colors # number of important colors used, or 0 when every color is important >>>50 ulelong >0 \b, %u important colors # cbSize; often size of file >>>2 ulelong x \b, cbSize %u -#>>>2 ulelong x \b, cbSize 0x%x +#>>>2 ulelong x \b, cbSize %#x # offBits; offset to bitmap data like 36h 76h BEh 236h 406h 436h 4E6h ->>>10 ulelong x \b, bits offset %u -#>>>10 ulelong x \b, bits offset 0x%x -#>>>(10.l) ubequad !0 \b, bits 0x%16.16llxd ->14 leshort 124 PC bitmap, Windows 98/2000 and newer format -!:mime image/x-ms-bmp ->>18 lelong x \b, %d x ->>22 lelong x %d x ->>28 leshort x %d ->14 leshort 108 PC bitmap, Windows 95/NT4 and newer format -!:mime image/x-ms-bmp ->>18 lelong x \b, %d x ->>22 lelong x %d x ->>28 leshort x %d ->14 leshort 128 PC bitmap, Windows NT/2000 format -!:mime image/x-ms-bmp ->>18 lelong x \b, %d x ->>22 lelong x %d x ->>28 leshort x %d +>>>10 ulelong x \b, bits offset %u +#>>>10 ulelong x \b, bits offset %#x +#>>>(10.l) ubequad !0 \b, bits %#16.16llxd +>14 ulelong 124 PC bitmap, Windows 98/2000 and newer format +!:mime image/bmp +!:ext bmp +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# color planes; must be 1 +#>>>26 uleshort >1 \b, %u color planes +# number of bits per pixel (color depth); found 4 8 16 24 32 1 (fmt-119-signature-id-121.bmp) 0 (rgb24jpeg.bmp rgb24png.bmp) +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 8E AA 48A 999 247A 4F02 7F8A 3F88E B216E 1D4C8A 100008A +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 8A 47A ABABABAB (fmt-119-signature-id-121.bmp) +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x +>14 ulelong 108 PC bitmap, Windows 95/NT4 and newer format +!:mime image/bmp +!:ext bmp +>>18 ulelong x \b, %d x +>>22 ulelong x %d x +# number of bits per pixel (color depth); found 8 24 32 +>>28 uleshort x %d +# x, y coordinates of the hotspot; should be zero for Windows variant +>>6 uleshort >0 \b, hotspot %ux +>>>8 uleshort x \b%u +# cbSize; size of file like: 82 8A 9A 9F86 1E07A 3007A 88B7A C007A +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize 0x%x +# offBits; offset to bitmap data like: 7A 7E 46A +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset 0x%x # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/OS/2_Icon # Reference: http://www.fileformat.info # /format/os2bmp/spec/902d5c253f2a43ada39c2b81034f27fd/view.htm # Note: verified by command like `deark -l -d3 OS2MEMU.ICO` -0 string IC +0 string IC # skip Lotus smart icon *.smi by looking for valid hotspot coordinates >6 ulelong&0xFF00FF00 =0 OS/2 icon # jump 4 bytes before end of header/file and test for accessibility -#>>(2.l-4) ubelong x End of header is OK! +#>>(2.l-4) ubelong x End of header is OK! !:mime image/x-os2-ico !:ext ico # cbSize; size of header or file in bytes like 1ah 120h 420h ->>2 ulelong x \b, cbSize %u +>>2 ulelong x \b, cbSize %u # xHotspot, yHotspot; coordinates of the hotspot for icons like 16 32 ->>6 uleshort x \b, hotspot %ux ->>8 uleshort x \b%u +>>6 uleshort x \b, hotspot %ux +>>8 uleshort x \b%u # offBits; offset in bytes to the beginning of the bit-map pel data like 20h ->>10 ulelong x \b, bits offset %u -#>>(10.l) ubequad x \b, bits 0x%16.16llx +>>10 ulelong x \b, bits offset %u +#>>(10.l) ubequad x \b, bits %#16.16llx #0 string PI PC pointer image data #0 string CI PC color icon data 0 string CI @@ -783,23 +1111,31 @@ >>>30 ulelong 3 \b, Huffman 1D compression #>>>30 ulelong >0 \b, %u compression # xHotspot, yHotspot; coordinates of the hotspot like 0 1 16 20 32 33 63 64 ->>6 uleshort x \b, hotspot %ux ->>8 uleshort x \b%u +>>6 uleshort x \b, hotspot %ux +>>8 uleshort x \b%u # cbSize; size of header or maybe file in bytes like 1Ah 4Eh 84Eh ->>2 ulelong x \b, cbSize %u -#>>2 ulelong x \b, cbSize %x +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize %x # offBits; offset to bitmap data (pixel array) like E4h 3Ah 66h 6Ah 33Ah 4A4h ->>10 ulelong x \b, bits offset %u -#>>10 ulelong x \b, bits offset 0x%x -#>>(10.l) ubequad !0 \b, bits 0x%16.16llx +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset %#x +#>>(10.l) ubequad !0 \b, bits %#16.16llx # dib header size: 12~Ch~OS/2 1.x 64~40h~OS/2 2.x #>>14 ulelong x \b, dib header size %u #0 string CP PC color pointer image data # URL: http://fileformats.archiveteam.org/wiki/OS/2_Pointer # Reference: http://www.fileformat.info/format/os2bmp/egff.htm 0 string CP +# skip many Corel Photo-Paint image "CPT9FILE" by checking for positive bits offset +>10 ulelong >0 # skip CPU-Z Report by checking for valid dib header sizes 12 or 64 ->14 ulelong <65 OS/2 +>>14 ulelong =12 +>>>0 use os2-ptr +>>14 ulelong =64 +>>>0 use os2-ptr +# display information of OS/2 pointer bitmaps +0 name os2-ptr +>14 ulelong x OS/2 # http://extension.nirsoft.net/PTR !:mime image/x-ibm-pointer !:ext ptr @@ -824,15 +1160,15 @@ >>>30 ulelong 3 \b, Huffman 1D compression #>>>30 ulelong >0 \b, %u compression # xHotspot, yHotspot; coordinates of the hotspot like 0 3 4 8 15 16 23 27 31 ->>6 uleshort x \b, hotspot %ux ->>8 uleshort x \b%u +>>6 uleshort x \b, hotspot %ux +>>8 uleshort x \b%u # cbSize; size of header or maybe file in bytes like 1Ah 4Eh ->>2 ulelong x \b, cbSize %u -#>>2 ulelong x \b, cbSize %x +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize %x # offBits; offset to bitmap data (pixel array) like 6Ah A4h E4h 4A4h ->>10 ulelong x \b, bits offset %u -#>>10 ulelong x \b, bits offset 0x%x -#>>(10.l) ubequad !0 \b, bits 0x%16.16llx +>>10 ulelong x \b, bits offset %u +#>>10 ulelong x \b, bits offset %#x +#>>(10.l) ubequad !0 \b, bits %#16.16llx # dib header size: 12~Ch~OS/2 1.x 64~40h~OS/2 2.x #>>14 ulelong x \b, dib header size %u # Conflicts with other entries [BABYL] @@ -845,12 +1181,12 @@ !:mime image/x-os2-graphics #!:apple ????BMPf # cbSize; size of header like 28h 5Ch ->>2 ulelong x \b, cbSize %u -#>>2 ulelong x \b, cbSize 0x%x +>>2 ulelong x \b, cbSize %u +#>>2 ulelong x \b, cbSize %#x # offNext; offset to data like 0 48h F2h 4Eh 64h C6h D2h D6h DAh E6h EAh 348h ->>6 ulelong >0 \b, data offset %u -#>>6 ulelong >0 \b, data offset 0x%x -#>>(6.l) ubequad !0 \b, data 0x%16.16llx +>>6 ulelong >0 \b, data offset %u +#>>6 ulelong >0 \b, data offset %#x +#>>(6.l) ubequad !0 \b, data %#16.16llx # dimensions of the intended device like 640 x 480 for VGA or 1024 x 768 >>10 uleshort >0 \b, display %u >>>12 uleshort >0 x %u @@ -872,22 +1208,68 @@ >>14 indirect x # XPM icons (Greg Roelofs, newt@uchicago.edu) -0 search/1 /*\ XPM\ */ X pixmap image text -!:mime image/x-xpmi +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/XPM +# Reference: http://www.x.org/docs/XPM/xpm.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-xpm.trid.xml +# Note: called "X PixMap bitmap" by TrID and "X-Windows Pixmap Image" by DROID via PUID x-fmt/208 +# starting with c comment like: logo.xpm +0 string /*\040 +# 9 byte c-comment "/* XPM */" not at the beginning like: mozicon16.xpm mozicon50.xpm (thunderbird) +>0 search/0xCE /*\ XPM\ */ +# skip DROID x-fmt-208-signature-id-620.xpm by looking for char array without explict length +# and match mh-logo.xpm (emacs) +>>&0 search/1249 [] +>>>0 use xpm-image +# non standard because no 9 byte c-comment "/* XPM */" like: logo.xpm in qemu package +>0 default x +# words are separated by a white space which can be composed of space and tabulation characters +>>0 search/0x52 static\040char\040 +# skip debug.c testmlc.c by looking for char array without explict length +# https://www.clamav.net/downloads/production/clamav-0.104.2.tar.gz +# clamav-0.104.2\libclammspack\mspack\debug.c +>>>&0 search/64 [] +>>>>0 use xpm-image +# display X pixmap image information +0 name xpm-image +>0 string x X pixmap image text +#!:mime text/plain +# https://reposcope.com/mimetype/image/x-xpixmap +# alias +#!:mime image/x-xpm +!:mime image/x-xpixmap +!:ext xpm +# NO pm example found! +#!:ext xpm/pm +# look for start of character array at beginning of a line like: psetupl.xpm (OpenOffice 4.1.7) +>0 search/0x406 \n" +# DEBUG VALUES string +#>>&0 string x '%s' +# width with optional white space before like: 16 24 32 48 1280 +>>&0 regex/8 [0-9]{1,5} \b, %s +# height with white space like: 15 16 17 24 32 48 1024 +>>>&0 regex/8 [0-9]{1,5} x %s +# number of colors with white space like: 1 2 3 4 5 8 11 14 162 255 but unrelistic 4294967295 by hardcopy tool +>>>>&0 regex/12 [0-9]{1,9} x %s +# chars_per_pixel with white space like: 1 2 +>>>>>&0 regex/14 [0-9]{1,2} \b, %s chars/pixel +# non standard because not starting with 9 byte c-comment "/* XPM */" +>0 string !/*\ XPM\ */ +>>0 string x \b, 1st line "%s" # Utah Raster Toolkit RLE images (janl@ifi.uio.no) -0 leshort 0xcc52 RLE image data, ->6 leshort x %d x ->8 leshort x %d ->2 leshort >0 \b, lower left corner: %d ->4 leshort >0 \b, lower right corner: %d ->10 byte&0x1 =0x1 \b, clear first ->10 byte&0x2 =0x2 \b, no background ->10 byte&0x4 =0x4 \b, alpha channel ->10 byte&0x8 =0x8 \b, comment ->11 byte >0 \b, %d color channels ->12 byte >0 \b, %d bits per pixel ->13 byte >0 \b, %d color map channels +0 uleshort 0xcc52 RLE image data, +>6 uleshort x %d x +>8 uleshort x %d +>2 uleshort >0 \b, lower left corner: %d +>4 uleshort >0 \b, lower right corner: %d +>10 ubyte&0x1 =0x1 \b, clear first +>10 ubyte&0x2 =0x2 \b, no background +>10 ubyte&0x4 =0x4 \b, alpha channel +>10 ubyte&0x8 =0x8 \b, comment +>11 ubyte >0 \b, %d color channels +>12 ubyte >0 \b, %d bits per pixel +>13 ubyte >0 \b, %d color map channels # image file format (Robert Potter, potter@cs.rochester.edu) 0 string Imagefile\ version- iff image data @@ -895,55 +1277,55 @@ >10 string >\0 %s # Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com) -0 belong 0x59a66a95 Sun raster image data ->4 belong >0 \b, %d x ->8 belong >0 %d, ->12 belong >0 %d-bit, -#>16 belong >0 %d bytes long, ->20 belong 0 old format, -#>20 belong 1 standard, ->20 belong 2 compressed, ->20 belong 3 RGB, ->20 belong 4 TIFF, ->20 belong 5 IFF, ->20 belong 0xffff reserved for testing, ->24 belong 0 no colormap ->24 belong 1 RGB colormap ->24 belong 2 raw colormap -#>28 belong >0 colormap is %d bytes long +0 ubelong 0x59a66a95 Sun raster image data +>4 ubelong >0 \b, %d x +>8 ubelong >0 %d, +>12 ubelong >0 %d-bit, +#>16 ubelong >0 %d bytes long, +>20 ubelong 0 old format, +#>20 ubelong 1 standard, +>20 ubelong 2 compressed, +>20 ubelong 3 RGB, +>20 ubelong 4 TIFF, +>20 ubelong 5 IFF, +>20 ubelong 0xffff reserved for testing, +>24 ubelong 0 no colormap +>24 ubelong 1 RGB colormap +>24 ubelong 2 raw colormap +#>28 ubelong >0 colormap is %d bytes long # SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) # # See # http://reality.sgi.com/grafica/sgiimage.html # -0 beshort 474 SGI image data -#>2 byte 0 \b, verbatim ->2 byte 1 \b, RLE -#>3 byte 1 \b, normal precision ->3 byte 2 \b, high precision ->4 beshort x \b, %d-D ->6 beshort x \b, %d x ->8 beshort x %d ->10 beshort x \b, %d channel ->10 beshort !1 \bs +0 ubeshort 474 SGI image data +#>2 ubyte 0 \b, verbatim +>2 ubyte 1 \b, RLE +#>3 ubyte 1 \b, normal precision +>3 ubyte 2 \b, high precision +>4 ubeshort x \b, %d-D +>6 ubeshort x \b, %d x +>8 ubeshort x %d +>10 ubeshort x \b, %d channel +>10 ubeshort !1 \bs >80 string >0 \b, "%s" 0 string IT01 FIT image data ->4 belong x \b, %d x ->8 belong x %d x ->12 belong x %d +>4 ubelong x \b, %d x +>8 ubelong x %d x +>12 ubelong x %d # 0 string IT02 FIT image data ->4 belong x \b, %d x ->8 belong x %d x ->12 belong x %d +>4 ubelong x \b, %d x +>8 ubelong x %d x +>12 ubelong x %d # 2048 string PCD_IPI Kodak Photo CD image pack file ->0xe02 byte&0x03 0x00 , landscape mode ->0xe02 byte&0x03 0x01 , portrait mode ->0xe02 byte&0x03 0x02 , landscape mode ->0xe02 byte&0x03 0x03 , portrait mode +>0xe02 ubyte&0x03 0x00 , landscape mode +>0xe02 ubyte&0x03 0x01 , portrait mode +>0xe02 ubyte&0x03 0x02 , landscape mode +>0xe02 ubyte&0x03 0x03 , portrait mode 0 string PCD_OPA Kodak Photo CD overview pack file # FITS format. Jeff Uphoff <juphoff@tarsier.cv.nrao.edu> @@ -965,7 +1347,7 @@ # From SunOS 5.5.1 "/etc/magic" - appeared right before Sun raster image # stuff. # -0 beshort 0x1010 PEX Binary Archive +0 ubeshort 0x1010 PEX Binary Archive # DICOM medical imaging data # URL: https://en.wikipedia.org/wiki/DICOM#Data_format @@ -976,23 +1358,138 @@ !:ext dcm/dicom/dic # XWD - X Window Dump file. +# URL: http://fileformats.archiveteam.org/wiki/XWD +# Reference: https://wiki.multimedia.cx/index.php?title=XWD +# http://mark0.net/download/triddefs_xml.7z/defs/x/xdm-x11.trid.xml +# Note: called "X-Windows Screen Dump (X11)" by TrID and +# "X-Windows Screen Dump" version X11 by DROID via PUID fmt/483 +# verfied by XnView `nconvert -in xwd -info *` +# and ImageMagick 6.9.11 `identify -verbose *` as XWD X Windows system window dump +# and `xwud -in fig41.wxd -dumpheader` # As described in /usr/X11R6/include/X11/XWDFile.h # used by the xwd program. # Bradford Castalia, idaeim, 1/01 -# updated by Adam Buchbinder, 2/09 +# updated by Adam Buchbinder, 2/09 and Joerg Jenderek, May 2022 # The following assumes version 7 of the format; the first long is the length # of the header, which is at least 25 4-byte longs, and the one at offset 8 # is a constant which is always either 1 or 2. Offset 12 is the pixmap depth, # which is a maximum of 32. -0 belong >100 ->8 belong <3 ->>12 belong <33 ->>>4 belong 7 XWD X Window Dump image data +# Size of the entire file header (bytes) like: 100 104 105 106 107 109 110 113 114 115 118 172 +0 ubelong >99 +# pixmap_format; Pixmap format; 0~1-bit (XYBitmap) format 1~single-plane (XYPixmap) 2~bitmap with two or more planes (ZPixmap) +>8 ubelong <3 +# pixmap_depth; Pixmap depth; value 1 - 32 +>>12 ubelong <33 +# file_version; XWD_FILE_VERSION=7 +>>>4 ubelong 7 +# skip DROID fmt-401-signature-id-618.xwd by test for existing border field +>>>>96 ubelong x X-Window screen dump image data, version X11 +# ./images (version 1.205) labeled the above entry as "XWD X Window Dump image data" +# https://reposcope.com/mimetype/image/x-xwindowdump +!:mime image/x-xwindowdump +#!:ext xwd +!:ext xwd/dmp +# https://www.xnview.com/en/image_formats/ NO example with x11 suffix FOUND! +#!:ext xwd/dmp/x11 +# https://www.nationalarchives.gov.uk/PRONOM/fmt/401 NO example with xdm suffix FOUND! +#!:ext xwd/dmp/x11/xmd +# file comment if header > 100; so not in MARBLES.XWD and hardcopy-x-window-v11.xwd +>>>>>0 ubelong >100 +# comment or windows name +>>>>>>100 string >\0 \b, "%s" +# pixmap_width; pixmap width like: 576 800 1014 1280 1419 NOT -1414812757=abABabABh +>>>>>16 ubelong x \b, %dx +# pixmap_height; pixmap height like: 449 454 600 704 720 1001 1024 NOT -1414812757=abABabABh +>>>>>20 ubelong x \b%dx +# pixmap_depth; pixmap depth +>>>>>12 ubelong x \b%d +# XOffset; Bitmap X offset; pixel numbers to ignore at the beginning of each scan-line +#>>>>>24 ubelong x \b, %u ignore +# ByteOrder; byte order of image data: 0~least significant byte first 1~most significant byte first +>>>>>28 ubelong >0 \b, order %u +# BitmapUnit; bitmap base data size unit in each scan line like: 8 16 32 +#>>>>>32 ubelong x \b, unit %u +# BitmapBitOrder; bit-order of image data; apparently same as ByteOrder +#>>>>>36 ubelong x \b, bit order %u +# BitmapPad; number of padding bits added to each scan line like: 8 16 32 +#>>>>>40 ubelong x \b, pad %u +# BitsPerPixel; Bits per pixel: 1~StaticGray and GrayScale 2-15~StaticColor and PseudoColor 16,24,32~TrueColor and DirectColor +#>>>>>44 ubelong x \b, %u bits/pixel +# BytesPerLine; size of each scan line in bytes +#>>>>>48 ubelong x \b, %u bytes/line +# VisualClass; class of the image: 0~StaticGray 1~GrayScale 2~StaticColor 3~PseudoColor 4~TrueColor 5~DirectColor +#>>>>>52 ubelong x \b, %u Class +# RedMask; red RGB mask values used by ZPixmaps like: 0 0xff0000 +#>>>>>56 ubelong !0 \b, %#x red +# GreenMask; green mask like: 0 +#>>>>>60 ubelong !0 \b, %#x green +# BlueMask; blue mask like: 0 0xff +#>>>>>64 ubelong !0 \b, %#x blue +# BitsPerRgb; Size of each color mask in bits like: 0 1 8 24 +#>>>>>68 ubelong x \b, %u bits/RGB +# NumberOfColors; number of colors in image like: 256 4 2 0 (WHAT DOES THIS MEAN?) +>>>>>72 ubelong x \b, %u colors +# ColorMapEntries; number of entries in color map like: 256 16 2 0~no color map +>>>>>76 ubelong x %u entries +# WindowWidth; window width +#>>>>>80 ubelong x \b, %u width +# WindowHeight; window height +#>>>>>84 ubelong x \b, %u height +# WindowX; Window upper left X coordinate like: 0 24 32 80 237 290 422 466 568 (lenna.dmp) +>>>>>88 ubelong !0 \b, x=%d +# WindowY; Window upper left Y coordinate like: 0 8 18 26 60 73 107 (fig41.xwd) 128 +>>>>>92 ubelong !0 \b, y=%d +# WindowBorderWidth; Window border width; apparently pixmap_width=WindowWidth+2*WindowBorderWidth +# like: 1 (fig41.xwd) 2 (maze.dmp) 3 (lenna.dmp mandrill.dmp) +>>>>>96 ubelong >0 \b, %u border +# From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/x/xdm-x10.trid.xml +# Note: called "X-Windows Screen Dump (X10)" by TrID and +# "X-Windows Screen Dump" version X10 by DROID via PUID x-fmt/300 +# verfied by XnView `nconvert -in xwd -info *` +# HeaderSize is the size of the header in bytes; always 40 for X10 variant +0 ubelong =0x000000028 +# FileVersion; always 6 for X10 variant +>4 ubelong =6 +# skip DROID x-fmt-300-signature-id-619.xdm by test existing border field +>>36 ubeshort x X-Window screen dump image data, version X10 !:mime image/x-xwindowdump ->>>>100 string >\0 \b, "%s" ->>>>16 belong x \b, %dx ->>>>20 belong x \b%dx ->>>>12 belong x \b%d +!:ext xwd +# http://www.nationalarchives.gov.uk/pronom/fmt/401 NO example with xdm suffix FOUND! +#!:ext xwd/xdm +# PixmapWidth; pixmap width like: 127 1280 +>>>20 ubelong x \b, %d +# PixmapHeight; pixmap height like: 64 1024 +>>>24 ubelong x \bx%d +# DisplayPlanes; number of display planes like: 1 4 8 +>>>12 ubelong x \bx%u +# DisplayType; display type like: 1 3 +#>>>8 ubelong x \b, type %u +# PixmapFormat; pixmap format like: 1~bitmap with two or more planes (ZPixmap) 0~single-plane bitmap (XYBitmap) +#>>>16 ubelong x \b, %u format +# WindowWidth; window width; probably PixmapWidth=WindowWidth+2*WindowBorderWidth +#>>>28 ubeshort x \b, width %u +# WindowHeight; window height; probably PixmapWidth=PixmapHeight+2*WindowBorderWidth +#>>>30 ubeshort x \b, height %u +# WindowX; window upper left X coordinate like: 0 +>>>32 ubeshort !0 \b, x=%d +# WindowY; window upper left Y coordinate like: 0 +>>>34 ubeshort !0 \b, y=%d +# WindowBorderWidth; window border width like: 0 +>>>36 ubeshort !0 \b, %u border +# WindowNumColors; Number of color entries in window like: 2 16 256 +#>>>38 ubeshort x \b, %u colors +# if the image is a PseudoColor image, a color map immediately follows the header. X10COLORMAP[WindowNumColors]; +# EntryNumber; number of the color-map entry like: 0 +#>>>40 ubeshort x \b, colors #%u +# Red; red-channel value +#>>>42 ubeshort !0 \b, red %#x +# Green; green-channel value +#>>>44 ubeshort !0 \b, green %#x +# Blue; blue-channel value +#>>>46 ubeshort !0 \b, blue %#x +# 2ND Entry like: 2 +#>>>48 ubeshort x \b, colors #%u # PDS - Planetary Data System # These files use Parameter Value Language in the header section. @@ -1015,36 +1512,254 @@ # used for runs of yy. # 0 string pM85 Atari ST STAD bitmap image data (hor) ->5 byte 0x00 (white background) ->5 byte 0xFF (black background) +>5 ubyte 0x00 (white background) +>5 ubyte 0xFF (black background) 0 string pM86 Atari ST STAD bitmap image data (vert) ->5 byte 0x00 (white background) ->5 byte 0xFF (black background) +>5 ubyte 0x00 (white background) +>5 ubyte 0xFF (black background) # From: Alex Myczko <alex@aiei.ch> # https://www.atarimax.com/jindroush.atari.org/afmtatr.html -0 leshort 0x0296 Atari ATR image +0 uleshort 0x0296 Atari ATR image + +# URL: http://fileformats.archiveteam.org/wiki/DEGAS_image +# Reference: https://wiki.multimedia.cx/index.php?title=Degas +# From: Joerg Jenderek +# http://mark0.net/download/triddefs_xml.7z/defs/b +# bitmap-pi2-degas.trid.xml bitmap-pi3-degas.trid.xml +# bitmap-pc1-degas.trid.xml bitmap-pc2-degas.trid.xml bitmap-pc3-degas.trid.xml +# Note: verified by NetPBM `pi3topbm sigirl1.pi3 | file` +# `deark -m degas -l -d2 ataribak.pi1` +# XnView `nconvert -fullinfo *.p??` +# DEGAS low-res uncompressed bitmap *.pi1 +0 beshort 0x0000 +# skip some ISO 9660 CD-ROM filesystems like plpbt.iso by test for 4 non black colors in palette entries +>2 quad !0 +# skip g3test.g3 by test for unused bits of 2nd color entry +>>4 ubeshort&0xF000 0 +#>>>0 beshort x 1ST_VALUE=%x +#>>>-0 offset x FILE_SIZE=%lld +# standard DEGAS low-res uncompressed bitmap *.pi1 with file size 32034 +>>>-0 offset =32034 +#>>>>0 beshort x 1st_VALUE=%x +# like: 8ball.pi1 teddy.pi1 sonic01.pi1 +>>>>0 use degas-bitmap +# about 61 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32066 +>>>-0 offset =32066 +# like: spider.pi1 pinkgirl.pi1 frog3.pi1 +>>>>0 use degas-bitmap +# about 55 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32128 +>>>-0 offset =32128 +# like: mountain.pi1 bigspid.pi1 alf33.pi1 +>>>>0 use degas-bitmap +# 1 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 44834 +>>>-0 offset =44834 +# like: kenshin.pi1 +>>>>0 use degas-bitmap +# DEGAS mid-res uncompressed bitmap *.pi2 (strength=50) after GEM Images like: +# BEETHVEN.IMG CHURCH.IMG GAMEOVR4.IMG TURKEY.IMG clinton.img +0 beshort 0x0001 +#!:strength +0 +# skip many control files like gnucash-4.8.setup.exe.aria2 by test for non black in 4 palette entries +>2 quad !0 +# skip control file load-v0001.aria2 and many GEM Image data like +# GAMEOVR4.IMG BEETHVEN.IMG CHURCH.IMG TURKEY.IMG clinton.img +# by test for valid file sizes +# standard DEGAS mid-res uncompressed bitmap *.pi2 with file size 32034 +>>-0 offset =32034 +# (39/41) like: GEMINI03.PI2 ST_TOOLS.PI2 TBX_DEMO.PI2 +>>>0 use degas-bitmap +# few DEGAS Elite mid-res uncompressed bitmap *.pi2 with file size 32066 +>>-0 offset =32066 +# (2/41) like: medres.pi2 +>>>0 use degas-bitmap +# DEGAS high-res uncompressed bitmap *.pi3 +0 beshort 0x0002 +# skip Intel ia64 COFF msvcrt.lib by test for unused bits of 1st atari color palette entry +>2 ubeshort&0xF000 0 +# skip few Adobe PhotoShop Brushes like Faux-Spitzen.abr by check +# for invalid Adobe PhotoShop Brush UTF16-LE string length +>>19 ubyte =0 +# many like: 4th_ofj2.pi3 GEMINI03.PI3 PEOPLE18.PI3 POWERFIX.PI3 abydos.pi3 highres.pi3 sigirl1.pi3 vanna5.pi3 +>>>0 use degas-bitmap +# Adobe PhotoShop Brush UTF16-LE string length 15 "Gitter - klein " 8 "Kreis 1 " +>>19 ubyte !0 +#>>19 ubyte !0 \b, NOTE LENGTH %u +#>>>21 lestring16 x \b, BRUSH NOTE "%s" +>>>(19.b*2) ubequad x +# maybe last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char like +# 006e0000 for n in "Faux-Spitzen.abr" 00310000 for 1 in "Verschiedene Spitzen.abr" +# 00000000 "LEREDACT.PI3" 03730773 "TBX_DEMO.PI3" +#>>>>&8 ubelong x \b, LAST CHAR+NIL %8.8x +>>>>&8 ubelong&0xff00ffFF !0 +# skip many Adobe Photoshop Color swatch (ANPA-Farben.aco TOYO-Farbsystem.aco) with invalid 3rd color entry (1319 2201 2206 21f5 2480 24db 25fd) +>>>>>6 ubeshort&0xF000 0 +# skip few Adobe Photoshop Color swatch (FOCOLTONE-Farben.aco "PANTONE process coated.aco") with invalid 4th color entry (ffff) +>>>>>>8 ubeshort&0xF000 0 +# many DEGAS bitmap like: ARABDEMO.PI3 ELMRSESN.PI3 GEMVIEW.PI3 LEREDACT.PI3 PICCOLO.PI3 REPRO_JR.PI3 ST_TOOLS.PI3 TBX_DEMO.PI3 evgem7.pi3 +>>>>>>>0 use degas-bitmap +# test for last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char +>>>>&8 ubelong&0xff00ffFF =0 +# select last DEGAS bitmaps by invalid last char of brush note like BASICNES.PI3 DB_HELP.PI3 DB_WRITR.PI3 LEREDACT.PI3 +>>>>>&-4 ubelong&0x00FF0000 <0x00200000 +>>>>>>0 use degas-bitmap +# last character of Adobe PhotoShop Brush UTF16-LE note +#>>>>>&-4 ubelong&0x00FF0000 >0x001F0000 \b, THAT IS ABR +# DEGAS low-res compressed bitmap *.pc1 like: BATTLSHP.PC1 GNUCHESS.PC1 MEDUSABL.PC1 MOONLORD.PC1 WILDROSE.PC1 +0 beshort 0x8000 +# skip lif files handled via ./lif by test for unused bits of 1st palette entry +>2 ubeshort&0xF000 0 +# skip CRI ADX ADPCM audio (R04HT.adx R03T-15552.adx) with 44100 Hz misinterpreted as 5th color entry value AC44h +>>10 ubeshort&0xF000 0 +# skip few (fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx) by test for 4 first non black colors in palette entries +>>>2 quad !0 +>>>>0 use degas-bitmap +# DEGAS mid-res compressed bitmap *.pc2 like: abydos.pc2 ARTIS3.PC2 SMTHDRAW.PC2 STAR_2K.PC2 TX2_DEMO.PC2 +0 beshort 0x8001 +# skip many (1274/1369) PostScript Type 1 font (DarkGardenMK.pfb coupbi.pfb MONOBOLD.PFB) with invalid 1st atari color palette entry 5506 5b06 6906 7906 7e06 fb15 +>2 ubeshort&0xF000 0 +# skip some (95/1369) PostScript Type 1 font (fmt-525-signature-id-816.pfb LUXEMBRG.PFB) with invalid 3rd atari color palette entry 2521 +>>6 ubeshort&0xF000 0 +>>>0 use degas-bitmap +# DEGAS high-res compressed bitmap *.pc3 like: abydos.pc3 COYOTE.PC3 ELEPHANT.PC3 TX2_DEMO.PC3 SMTHDRAW.PC3 +0 beshort 0x8002 +# skip some (36/212) Python Pickle (factor_cache.pickle environment.pickle) with invalid 1st atari color entry (2863 6363 7d71) +>2 ubeshort&0xF000 0 +>>0 use degas-bitmap +# display information of Atari DEGAS and DEGAS Elite bitmap images +0 name degas-bitmap +>0 ubyte x Atari DEGAS +#!:mime application/octet-stream +!:mime image/x-atari-degas +# compressed +>0 ubyte =0x80 Elite compressed +# uncompressed +#>0 ubyte =0x00 uncompressed +#>0 ubyte =0x00 un. +>0 ubyte =0x00 +# check for existence of footer for DEGAS Elite images +>>32042 ubequad x Elite +>0 beshort 0x0000 bitmap +!:ext pi1 +>0 beshort 0x0001 bitmap +!:ext pi2 +>0 beshort 0x0002 bitmap +# no example with SUH extension found +#!:ext pi3/suh +!:ext pi3 +>0 beshort 0x8000 bitmap +!:ext pc1 +>0 beshort 0x8001 bitmap +!:ext pc2 +>0 beshort 0x8002 bitmap +!:ext pc3 +# low resolution; 320x200, 16 colors +>1 ubyte =0 320 x 200 x 16 +# medium resolution; 640x200, 4 colors +>1 ubyte =1 640 x 200 x 4 +# high resolution; 640x400, 2 colors +>1 ubyte =2 640 x 400 x 2 +# http://fileformats.archiveteam.org/wiki/Atari_ST_color_palette +# hardware_palette[16]; 9 bit ?????RRR?GGG?BBB; 12 bit ????RRRRGGGGBBBB for Atari STE +# for Atari DEGAS apparently no Spectrum 512 Enhanced 15 bit palette RGB?RRRRGGGGBBBB +# Red Green Blue unused bit ? often 0 but not bilboule.pi1; color_value (examples or numbers) +# 1st color palette entry like: 0777 (61) 0fff (LEREDACT.PI3) 0fcf (devgem7.pi3) 0001 (9) +>2 ubeshort x \b, color palette %4.4x +# 2nd palette entry like: 0000 (32) 0700 (38) 0f00 (LEREDACT.PI3 devgem7.pi3) +>4 ubeshort x %4.4x +# 3rd palette entry +>6 ubeshort x %4.4x +# 4th palette entry like: 0000 (72) +>8 ubeshort x %4.4x +# 5th palette entry +>10 ubeshort x %4.4x +>2 ubeshort x ... +# 6th palette entry +#>12 ubeshort x %4.4x +# 7th palette entry like: 0000 (16) 0001 (ELMRSESN.PI3 elmrsesn.pi3) 0070 (51) 00f0 (BASICNES.PI3 LEREDACT.PI3) 00f8 (devgem7.pi3) +#>14 ubeshort x %4.4x +# 8th palette entry +#>16 ubeshort x %4.4x +# 9 palette entry +#>18 ubeshort x %4.4x +# 10 palette entry +#>20 ubeshort x %4.4x +# 11 palette entry +#>22 ubeshort x %4.4x +# 12 palette entry +#>24 ubeshort x %4.4x +# 13 palette entry +#>26 ubeshort x %4.4x +# 14th palette entry +#>28 ubeshort x %4.4x +# 15th palette entry +#>30 ubeshort x %4.4x +# 16th palette entry +#>32 ubeshort x %4.4x +# data[16000] for uncompressed images; pixel data +#>34 ubequad x \b, DATA %#16.16llx... +# footer for Elite variant images +# https://www.fileformat.info/format/atari/egff.htm +# https://pulkomandy.tk/projects/GrafX2/wiki/Develop/FileFormats/Atari +# left_color_animation[4]; like: 0000000000000000 0000000100020003 fffafff000000030 (bigspid.pi1) +#>32034 ubequad !0 \b, color animations %16.16llx (left) +# right_color_animation[4]; like: 0000000000000000 0000000100020003 +#>>32042 ubequad !0 %16.16llx (right) +# channel_direction[4]; 0~left 1~none 2~right like: 0001000100010001 0002000000010001 (cycle2.pi1) +# sometimes unexpected like: feaafc0000000000 (bigspid.pi1) +#>32050 ubequad !0 \b, channel directions %16.16llx +# channel_delay[4]; 128 - channel delay, timebase 1/60 s +#>32058 ubequad !0 \b, channel delays %16.16llx + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GED +# https://recoil.sourceforge.net/formats.html#Atari-8-bit +# Reference: https://sourceforge.net/projects/recoil/files/recoil/6.3.4/recoil-6.3.4.tar.gz +# recoil-6.3.4/recoil.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-ged.trid.xml +# Note: called "Atari GED bitmap" by TrID; file size 11302 +# and verified by RECOIL graphic tool +0 string \xFF\xFF0SO\x7F Atari GED bitmap, 160x200 +#!:mime application/octet-stream +!:mime image/x-atari-ged +!:ext ged + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ImageLab/PrintTechnic +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-b_w.trid.xml +# Note: called "ImageLab bitmap" by TrID +# verfied by XnView `nconvert -fullinfo "MAEDCHEN.B&W"` +0 string B&W256 ImageLab bitmap +!:mime image/x-ilab +# https://www.xnview.com/de/image_formats/ +# GRR: add char & inside parse_ext in ../../src/apprentice.c to avoid in file version 5.40 error like: +# Magdir\images, 1090: Warning: EXTENSION type ` b_w/b&w' has bad char '&' +!:ext b_w/b&w +# Width +>6 ubeshort x \b, %u +# Height +>8 ubeshort x x %u # XXX: # This is bad magic 0x5249 == 'RI' conflicts with RIFF and other # magic. # SGI RICE image file <mpruett@sgi.com> -#0 beshort 0x5249 RICE image -#>2 beshort x v%d -#>4 beshort x (%d x -#>6 beshort x %d) -#>8 beshort 0 8 bit -#>8 beshort 1 10 bit -#>8 beshort 2 12 bit -#>8 beshort 3 13 bit -#>10 beshort 0 4:2:2 -#>10 beshort 1 4:2:2:4 -#>10 beshort 2 4:4:4 -#>10 beshort 3 4:4:4:4 -#>12 beshort 1 RGB -#>12 beshort 2 CCIR601 -#>12 beshort 3 RP175 -#>12 beshort 4 YUV +#0 ubeshort 0x5249 RICE image +#>2 ubeshort x v%d +#>4 ubeshort x (%d x +#>6 ubeshort x %d) +#>8 ubeshort 0 8 bit +#>8 ubeshort 1 10 bit +#>8 ubeshort 2 12 bit +#>8 ubeshort 3 13 bit +#>10 ubeshort 0 4:2:2 +#>10 ubeshort 1 4:2:2:4 +#>10 ubeshort 2 4:4:4 +#>10 ubeshort 3 4:4:4:4 +#>12 ubeshort 1 RGB +#>12 ubeshort 2 CCIR601 +#>12 ubeshort 3 RP175 +#>12 ubeshort 4 YUV # PCX image files # From: Dan Fandrich <dan@coneharvesters.com> @@ -1071,41 +1786,181 @@ >>>>10 uleshort x %d], >>>>65 ubyte >1 %d planes each of >>>>3 ubyte x %d-bit ->>>>68 byte 1 colour, ->>>>68 byte 2 grayscale, +>>>>68 ubyte 1 colour, +>>>>68 ubyte 2 grayscale, # this should not happen >>>>68 default x image, ->>>>12 leshort >0 %d x +>>>>12 uleshort >0 %d x >>>>>14 uleshort x %d dpi, ->>>>2 byte 0 uncompressed ->>>>2 byte 1 RLE compressed +>>>>2 ubyte 0 uncompressed +>>>>2 ubyte 1 RLE compressed # Adobe Photoshop # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> -0 string 8BPS Adobe Photoshop Image +# URL: http://fileformats.archiveteam.org/wiki/PSD +# Reference: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# Note: verfied by XnView `nconvert -fullinfo *.psd *.psb *.pdd` +# and ImageMagick `identify -verbose *.pdd` +0 string 8BPS +# skip DROID x-fmt-92-signature-id-277.psd by checking valid width +>18 ubelong >0 Adobe Photoshop !:mime image/vnd.adobe.photoshop ->4 beshort 2 (PSB) ->18 belong x \b, %d x ->14 belong x %d, ->24 beshort 0 bitmap ->24 beshort 1 grayscale ->>12 beshort 2 with alpha ->24 beshort 2 indexed ->24 beshort 3 RGB ->>12 beshort 4 \bA ->24 beshort 4 CMYK ->>12 beshort 5 \bA ->24 beshort 7 multichannel ->24 beshort 8 duotone ->24 beshort 9 lab ->12 beshort > 1 ->>12 beshort x \b, %dx ->12 beshort 1 \b, ->22 beshort x %d-bit channel ->12 beshort > 1 \bs +!:apple ????8BPS +# version: always equal to 1, but 2 for PSB +>>4 beshort 1 +# URL: http://fileformats.archiveteam.org/wiki/PhotoDeluxe +# EXTRAS/PHOTOS/DEMOPIX/ORIGINAL.PDD +>>>34 search/0xC0d7 PHUT Image (PhotoDeluxe) +!:ext pdd +>>>34 default x Image +!:ext psd +# URL: http://fileformats.archiveteam.org/wiki/PSB +>>4 beshort 2 Image (PSB) +!:ext psb +# width in pixels: 1-30000 1-300000 for PSB +>>18 belong x \b, %d x +>>14 belong x %d, +# The color mode; 0~Bitmap 1~Grayscale 2~Indexed 3~RGB 4~CMYK 7~Multichannel 9~Duotone 9~Lab +>>24 beshort 0 bitmap +>>24 beshort 1 grayscale +# the number of channels; range is 1 to 56 +>>>12 beshort 2 with alpha +>>24 beshort 2 indexed +>>24 beshort 3 RGB +>>>12 beshort 4 \bA +>>24 beshort 4 CMYK +>>>12 beshort 5 \bA +>>24 beshort 7 multichannel +>>24 beshort 8 duotone +>>24 beshort 9 lab +>>12 beshort > 1 +>>>12 beshort x \b, %dx +>>12 beshort 1 \b, +>>22 beshort x %d-bit channel +>>12 beshort > 1 \bs +# 6 reserved bytes; must be zero, but spaces inside ImageMagick input.psd +# https://download.imagemagick.org/ImageMagick/download/ImageMagick-7.0.11-11.zip +# ImageMagick-7.0.11-11\PerlMagick\t\input.psd +>>6 bequad&0xFFffFFffFFff0000 !0 \b, at offset 6 +>>>6 belong x 0x%8.8x +>>>6 beshort x \b%4.4x + +# From: Joerg Jenderek +# URL: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# http://fileformats.archiveteam.org/wiki/Photoshop +# Reference: http://www.nomodes.com/aco.html +# Note: registers as Photoshop.SwatchesFile for Photoshop.exe on Windows +# check for valid versions like: 2 (newest) 1 (old) 0 (oldest no examples) +0 ubeshort <3 +# skip few Atari DEGAS med-res bitmap (DIAGRAM1.PI2) and many ISO 9660 CD-ROM by check for invalid low color numbers (0) +>2 ubeshort >0 +# skip few Targa (bmpsuite-15col.tga rgb24_top_left_colormap.tga) by check for invalid high color space ID (F0 1D) +>>4 ubeshort <16 +# skip many (69/327) Targa image *.TGA by check of accessing near the ending of first color space section (size=nc*5*2) +>>>(2.S*10) ubelong x +# RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort =0 +# skip many (220/327) Targa by check of for invalid high RGB color z value (hexadecimal 2 3 2e03 4600 5e04 7502 8002 8b05 c700) +>>>>>12 ubeshort =0 +# RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>>0 ubeshort <2 +>>>>>>>0 use adobe-aco +# RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>>0 ubeshort =2 +# skip many (74/176) Atari DEGAS hi-res bitmap (*.PI3) by check for invalid low color name length (0) +>>>>>>>16 ubeshort >0 +>>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort !0 +# non RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>0 ubeshort <2 +# skip many GEM Image (CHURCH.IMG TIGER.IMG) by check for invalid second high color space ID (55 114 143 157 256 288 450) +>>>>>>14 ubeshort <16 +>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>0 ubeshort =2 +# skip few Atari DEGAS hi-res bitmap (pal1wb-blue.pi3) and few ABR by check for invalid "high" nil bytes (7) before color name length +>>>>>>14 ubeshort =0 +>>>>>>>0 use adobe-aco +# display Adobe Photoshop Color swatch file information (version, number of colors, color spaces, coordinates, names) +0 name adobe-aco +>0 ubeshort x Adobe Photoshop Color swatch, version %u +#!:mime application/octet-stream +!:mime application/x-adobe-aco +!:apple ????8BCO +!:ext aco +>0 ubeshort <2 +>>(2.S*10) ubelong x +# version 2 section after version 1 section +>>>&0 ubeshort 2 and 2 +# nc; number of colors like: 20 50 86 88 126 204 300 1050 1137 1280 2092 3010 4096 +>2 ubeshort x \b, %u colors +# maybe last 4 bytes of first section (probably y z color value) like: 0 0x66660000 0xfe700000 0xffff0000 +#>(2.S*10) ubelong x 1ST_SECTION_END=%#8.8x +>0 ubeshort <2 \b; 1st +# first older Adobe Photoshop Color entry +>>4 use aco-color +>>>2 ubeshort >1 \b; 2nd +# second older Adobe Photoshop Color entry +>>>>14 use aco-color +>0 ubeshort =2 \b; 1st +# first new Adobe Photoshop Color entry +>>4 use aco-color-v2 +>>>2 ubeshort >1 \b; 2nd +# jump first color name length words +>>>>(16.S*2) ubequad x +# second new Adobe Photoshop Color entry +>>>>>&10 use aco-color-v2 +# display Adobe Photoshop Color entry (color space, color coordinates) +0 name aco-color +# each color spec entry occupies five words +# color space: 0~RGB 1~HSB 2~CMYK 3~Pantone 4~Focoltone 5~Trumatch 6~Toyo 7~Lab 8~Grayscale 9?~wideCMYK 10~HKS ... +#>0 ubeshort x COLOR_ENTRY +>0 ubeshort 0 RGB +>0 ubeshort 1 HSB +>0 ubeshort 2 CMYK +>0 ubeshort 3 Pantone +>0 ubeshort 4 Focoltone +>0 ubeshort 5 Trumatch +>0 ubeshort 6 Toyo +>0 ubeshort 7 Lab +>0 ubeshort 8 Grayscale +>0 ubeshort 9 wide CMYK +>0 ubeshort 10 HKS +# unofficial +# >0 ubeshort 12 foo +# >0 ubeshort 13 bar +# >0 ubeshort 14 FOO +# >0 ubeshort 15 BAR +>0 ubeshort x space (%u) +# color coordinate w +>2 ubeshort x \b, w %#x +# color coordinate x +>4 ubeshort x \b, x %#x +# color coordinate y +>6 ubeshort x \b, y %#x +# color coordinate z; zero for RGB space +>8 ubeshort x \b, z %#x +# display Adobe Photoshop Color entry version 2 (color space, color coordinates names) +0 name aco-color-v2 +>0 use aco-color +#>10 ubeshort x \b, NUL_BYTES %#x +# color name length plus one (len+1) like: 7 8 9 13 14 15 16 17 22 26 +#>>12 ubeshort x \b, LENGTH %u +>>12 ubeshort-1 x \b, %u chars +# len words; UTF-16 representation of the color name like: "DIC 1s" "PANTONE Process Yellow PC" +>>14 bestring16 x "%s" +# followed by nil word # XV thumbnail indicator (ThMO) +# URL: https://en.wikipedia.org/wiki/Xv_(software) +# Reference: http://fileformats.archiveteam.org/wiki/XV_thumbnail +# Update: Joerg Jenderek 0 string P7\ 332 XV thumbnail image data +#0 string P7\ 332 XV "thumbnail file" (icon) data +!:mime image/x-xv-thumbnail +# thumbnail .xvpic/foo.bar for graphic foo.bar +!:ext p7/gif/tif/xpm/jpg # NITF is defined by United States MIL-STD-2500A 0 string NITF National Imagery Transmission Format @@ -1143,17 +1998,17 @@ 0 name gem_info # version is 2 for some XIMG and 1 for all others ->0 beshort <0x0003 GEM +>0 ubeshort <0x0003 GEM # https://www.snowstone.org.uk/riscos/mimeman/mimemap.txt !:mime image/x-gem # header_size 24 25 27 59 779 words for colored bitmaps ->>2 beshort >9 +>>2 ubeshort >9 >>>16 string STTT\0\x10 STTT >>>16 string TIMG\0 TIMG # HYPERPAINT or NOSIG variant >>>16 string \0\x80 ->>>>2 beshort =24 NOSIG ->>>>2 beshort !24 HYPERPAINT +>>>>2 ubeshort =24 NOSIG +>>>>2 ubeshort !24 HYPERPAINT # NOSIG or XIMG variant >>>16 default x >>>>16 string !XIMG\0 NOSIG @@ -1163,89 +2018,109 @@ >>16 string !XIMG\0 Image data !:ext img # header_size is 9 for Ventura files and 8 for other GEM Paint files ->>2 beshort 9 (Ventura) -#>>2 beshort 8 (Paint) ->>12 beshort x %d x ->>14 beshort x %d, +>>2 ubeshort 9 (Ventura) +#>>2 ubeshort 8 (Paint) +>>12 ubeshort x %d x +>>14 ubeshort x %d, # 1 4 8 ->>4 beshort x %d planes, +>>4 ubeshort x %d planes, # in tenths of a millimetre ->>8 beshort x %d x ->>10 beshort x %d pixelsize +>>8 ubeshort x %d x +>>10 ubeshort x %d pixelsize # pattern_size 1-8. 2 for GEM Paint ->>6 beshort !2 \b, pattern size %d +>>6 ubeshort !2 \b, pattern size %d # GEM Metafile (Wolfram Kleff) -0 lelong 0x0018FFFF GEM Metafile data ->4 leshort x version %d +0 ulelong 0x0018FFFF GEM Metafile data +>4 uleshort x version %d # # SMJPEG. A custom Motion JPEG format used by Loki Entertainment # Software Torbjorn Andersson <d91tan@Update.UU.SE>. # 0 string \0\nSMJPEG SMJPEG ->8 belong x %d.x data +>8 ubelong x %d.x data # According to the specification you could find any number of _TXT # headers here, but I can't think of any way of handling that. None of # the SMJPEG files I tried it on used this feature. Even if such a # file is encountered the output should still be reasonable. ->16 string _SND \b, ->>24 beshort >0 %d Hz ->>26 byte 8 8-bit ->>26 byte 16 16-bit ->>28 string NONE uncompressed -# >>28 string APCM ADPCM compressed ->>27 byte 1 mono ->>28 byte 2 stereo +>16 string _SND \b, +>>24 ubeshort >0 %d Hz +>>26 ubyte 8 8-bit +>>26 ubyte 16 16-bit +>>28 string NONE uncompressed +# >>28 string APCM ADPCM compressed +>>27 ubyte 1 mono +>>28 ubyte 2 stereo # Help! Isn't there any way to avoid writing this part twice? ->>32 string _VID \b, -# >>>48 string JFIF JPEG ->>>40 belong >0 %d frames ->>>44 beshort >0 (%d x ->>>46 beshort >0 %d) ->16 string _VID \b, -# >>32 string JFIF JPEG ->>24 belong >0 %d frames ->>28 beshort >0 (%d x ->>30 beshort >0 %d) +# Yes, use a name/use +>>32 string _VID \b, +# >>>48 string JFIF JPEG +>>>40 ubelong >0 %d frames +>>>44 ubeshort >0 (%d x +>>>46 ubeshort >0 %d) +>16 string _VID \b, +# >>32 string JFIF JPEG +>>24 ubelong >0 %d frames +>>28 ubeshort >0 (%d x +>>30 ubeshort >0 %d) 0 string Paint\ Shop\ Pro\ Image\ File Paint Shop Pro Image File -# "thumbnail file" (icon) -# descended from "xv", but in use by other applications as well (Wolfram Kleff) -0 string P7\ 332 XV "thumbnail file" (icon) data - # taken from fkiss: (<yav@mte.biglobe.ne.jp> ?) -0 string KiSS KISS/GS ->4 byte 16 color ->>5 byte x %d bit ->>8 leshort x %d colors ->>10 leshort x %d groups ->4 byte 32 cell ->>5 byte x %d bit ->>8 leshort x %d x ->>10 leshort x %d ->>12 leshort x +%d ->>14 leshort x +%d +0 string KiSS KISS/GS +>4 ubyte 16 color +>>5 ubyte x %d bit +>>8 uleshort x %d colors +>>10 uleshort x %d groups +>4 ubyte 32 cell +>>5 ubyte x %d bit +>>8 uleshort x %d x +>>10 uleshort x %d +>>12 uleshort x +%d +>>14 uleshort x +%d # Webshots (www.webshots.com), by John Harrison 0 string C\253\221g\230\0\0\0 Webshots Desktop .wbz file # Hercules DASD image files -# From Jan Jaeger <jj@septa.nl> +# From Jan Jaeger <jj@septa.nl> and Jay Maynard <jaymaynard@gmail.com> 0 string CKD_P370 Hercules CKD DASD image file ->8 long x \b, %d heads per cylinder ->12 long x \b, track size %d bytes +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes >16 byte x \b, device type 33%2.2X 0 string CKD_C370 Hercules compressed CKD DASD image file ->8 long x \b, %d heads per cylinder ->12 long x \b, track size %d bytes +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes >16 byte x \b, device type 33%2.2X +>552 lelong x \b, %d total cylinders +>>557 byte 0 \b, no compression +>>557 byte 1 \b, ZLIB compression +>>557 byte 2 \b, BZ2 compression 0 string CKD_S370 Hercules CKD DASD shadow file ->8 long x \b, %d heads per cylinder ->12 long x \b, track size %d bytes +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X + +0 string CKD_P064 Hercules CKD64 DASD image file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X + +0 string CKD_C064 Hercules compressed CKD64 DASD image file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes +>16 byte x \b, device type 33%2.2X +>524 lelong x \b, %d total cylinders +>>585 byte 0 \b, no compression +>>585 byte 1 \b, ZLIB compression +>>585 byte 2 \b, BZ2 compression + +0 string CKD_S064 Hercules CKD64 DASD shadow file +>8 lelong x \b, %d heads per cylinder +>12 lelong x \b, track size %d bytes >16 byte x \b, device type 33%2.2X # Squeak images and programs - etoffi@softhome.net @@ -1256,31 +2131,46 @@ # Author: Hans-Joachim Baader <hjb@pro-linux.de> 0 string PaRtImAgE-VoLuMe PartImage >0x0020 string 0.6.1 file version %s ->>0x0060 lelong >-1 volume %d +>>0x0060 ulelong >-1 volume %d #>>0x0064 8 byte identifier #>>0x007c reserved >>0x0200 string >\0 type %s >>0x1400 string >\0 device %s, >>0x1600 string >\0 original filename %s, # Some fields omitted ->>0x2744 lelong 0 not compressed ->>0x2744 lelong 1 gzip compressed ->>0x2744 lelong 2 bzip2 compressed ->>0x2744 lelong >2 compressed with unknown algorithm +>>0x2744 ulelong 0 not compressed +>>0x2744 ulelong 1 gzip compressed +>>0x2744 ulelong 2 bzip2 compressed +>>0x2744 ulelong >2 compressed with unknown algorithm >0x0020 string >0.6.1 file version %s >0x0020 string <0.6.1 file version %s # DCX is multi-page PCX, using a simple header of up to 1024 # offsets for the respective PCX components. # From: Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de> -0 lelong 987654321 DCX multi-page PCX image data +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DCX +0 ulelong 987654321 DCX multi-page +# http://www.nationalarchives.gov.uk/pronom/x-fmt/348 +!:mime image/x-dcx +!:ext dcx +# The first file offset usually starts at file offset 0x1004 +# print 1 space after 0x100? offset and then handles PCX images by ./images +>4 ulelong x \b, at %#x +>(4.l) indirect x +# possible 2nd PCX image +#>8 ulelong !0 \b, at %#x +#>>(8.l) indirect x +# possible 3rd PCX image +#>12 ulelong !0 \b, at %#x +#>>(12.l) indirect x # Simon Walton <simonw@matteworld.com> # Kodak Cineon format for scanned negatives # http://www.kodak.com/US/en/motion/support/dlad/ -0 lelong 0xd75f2a80 Cineon image data ->200 belong >0 \b, %d x ->204 belong >0 %d +0 ulelong 0xd75f2a80 Cineon image data +>200 ubelong >0 \b, %d x +>204 ubelong >0 %d # Bio-Rad .PIC is an image format used by microscope control systems @@ -1289,13 +2179,13 @@ # BOOL values are two-byte integers; use them to rule out false positives. # https://web.archive.org/web/20050317223257/www.cs.ubc.ca/spider/ladic/text/biorad.txt # Samples: https://www.loci.wisc.edu/software/sample-data -14 leshort <2 ->62 leshort <2 ->>54 leshort 12345 Bio-Rad .PIC Image File ->>>0 leshort >0 %d x ->>>2 leshort >0 %d, ->>>4 leshort =1 1 image in file ->>>4 leshort >1 %d images in file +14 uleshort <2 +>62 uleshort <2 +>>54 uleshort 12345 Bio-Rad .PIC Image File +>>>0 uleshort >0 %d x +>>>2 uleshort >0 %d, +>>>4 uleshort =1 1 image in file +>>>4 uleshort >1 %d images in file # From Jan "Yenya" Kasprzak <kas@fi.muni.cz> # The description of *.mrw format can be found at @@ -1320,38 +2210,38 @@ # Originally by Marc Espie # Modified by Robert Minsk <robertminsk at yahoo.com> # https://www.openexr.com/openexrfilelayout.pdf -0 lelong 20000630 OpenEXR image data, +0 ulelong 20000630 OpenEXR image data, !:mime image/x-exr ->4 lelong&0x000000ff x version %d, ->4 lelong ^0x00000200 storage: scanline ->4 lelong &0x00000200 storage: tiled +>4 ulelong&0x000000ff x version %d, +>4 ulelong ^0x00000200 storage: scanline +>4 ulelong &0x00000200 storage: tiled >8 search/0x1000 compression\0 \b, compression: ->>&16 byte 0 none ->>&16 byte 1 rle ->>&16 byte 2 zips ->>&16 byte 3 zip ->>&16 byte 4 piz ->>&16 byte 5 pxr24 ->>&16 byte 6 b44 ->>&16 byte 7 b44a ->>&16 byte 8 dwaa ->>&16 byte 9 dwab ->>&16 byte >9 unknown +>>&16 ubyte 0 none +>>&16 ubyte 1 rle +>>&16 ubyte 2 zips +>>&16 ubyte 3 zip +>>&16 ubyte 4 piz +>>&16 ubyte 5 pxr24 +>>&16 ubyte 6 b44 +>>&16 ubyte 7 b44a +>>&16 ubyte 8 dwaa +>>&16 ubyte 9 dwab +>>&16 ubyte >9 unknown >8 search/0x1000 dataWindow\0 \b, dataWindow: ->>&10 lelong x (%d ->>&14 lelong x %d)- ->>&18 lelong x \b(%d ->>&22 lelong x %d) +>>&10 ulelong x (%d +>>&14 ulelong x %d)- +>>&18 ulelong x \b(%d +>>&22 ulelong x %d) >8 search/0x1000 displayWindow\0 \b, displayWindow: ->>&10 lelong x (%d ->>&14 lelong x %d)- ->>&18 lelong x \b(%d ->>&22 lelong x %d) +>>&10 ulelong x (%d +>>&14 ulelong x %d)- +>>&18 ulelong x \b(%d +>>&22 ulelong x %d) >8 search/0x1000 lineOrder\0 \b, lineOrder: ->>&14 byte 0 increasing y ->>&14 byte 1 decreasing y ->>&14 byte 2 random y ->>&14 byte >2 unknown +>>&14 ubyte 0 increasing y +>>&14 ubyte 1 decreasing y +>>&14 ubyte 2 random y +>>&14 ubyte >2 unknown # SMPTE Digital Picture Exchange Format, SMPTE DPX # @@ -1367,64 +2257,123 @@ >0 use \^dpx_info 0 name dpx_info ->768 beshort <4 ->>772 belong x %dx ->>776 belong x \b%d, ->768 beshort >3 ->>776 belong x %dx ->>772 belong x \b%d, ->768 beshort 0 left to right/top to bottom ->768 beshort 1 right to left/top to bottom ->768 beshort 2 left to right/bottom to top ->768 beshort 3 right to left/bottom to top ->768 beshort 4 top to bottom/left to right ->768 beshort 5 top to bottom/right to left ->768 beshort 6 bottom to top/left to right ->768 beshort 7 bottom to top/right to left +>768 ubeshort <4 +>>772 ubelong x %dx +>>776 ubelong x \b%d, +>768 ubeshort >3 +>>776 ubelong x %dx +>>772 ubelong x \b%d, +>768 ubeshort 0 left to right/top to bottom +>768 ubeshort 1 right to left/top to bottom +>768 ubeshort 2 left to right/bottom to top +>768 ubeshort 3 right to left/bottom to top +>768 ubeshort 4 top to bottom/left to right +>768 ubeshort 5 top to bottom/right to left +>768 ubeshort 6 bottom to top/left to right +>768 ubeshort 7 bottom to top/right to left # From: Tom Hilinski <tom.hilinski@comcast.net> +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/NetCDF +# http://fileformats.archiveteam.org/wiki/NetCDF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/netcdf.trid.xml +# https://www.loc.gov/preservation/digital/formats/fdd/fdd000330.shtml +# Note: called "NetCDF Network Common Data Form" by TrID and +# "netCDF-3 Classic" by DROID via PUID fmt/282 # https://www.unidata.ucar.edu/packages/netcdf/ -0 string CDF\001 NetCDF Data Format data +0 string CDF\001 +# skip DROID fmt-282-signature-id-298.nc by test for more content bytes +>3 uleshort >0 NetCDF Data Format data +#!:mime application/netcdf +# https://reposcope.com/mimetype/application/x-netcdf +!:mime application/x-netcdf +!:ext nc +# https://fileinfo.com/extension/cdf +# https://www.file-extensions.org/cdf-file-extension-unidata-network-common-data-form +# in 1994 changed from CDF to NC file extension avoid a clash with other file formats +#!:ext nc/cdf # 64-bit offset netcdf Classic https://www.unidata.ucar.edu/software/netcdf/docs/file_format_specifications -0 string CDF\002 NetCDF Data Format data (64-bit offset) +# Note: called "netCDF-3 64-bit" by DROID via PUID fmt/283 +0 string CDF\002 +# skip DROID fmt-283-signature-id-299.nc by test for more content bytes +>3 uleshort >0 NetCDF Data Format data (64-bit offset) +#!:mime application/netcdf +!:mime application/x-netcdf +!:ext nc + +# From: Michael Liu +# https://en.wikipedia.org/wiki/Common_Data_Format +0 ubelong 0xCDF30001 Common Data Format (Version 3 or later) data +!:mime application/x-cdf + +0 ubelong 0xCDF26002 Common Data Format (Version 2.6 or 2.7) data +!:mime application/x-cdf + +0 ubelong 0x0000FFFF Common Data Format (Version 2.5 or earlier) data +!:mime application/x-cdf -#----------------------------------------------------------------------- # Hierarchical Data Format, used to facilitate scientific data exchange # specifications at http://hdf.ncsa.uiuc.edu/ -0 belong 0x0e031301 Hierarchical Data Format (version 4) data +# URL: http://fileformats.archiveteam.org/wiki/HDF +# https://en.wikipedia.org/wiki/Hierarchical_Data_Format +# Reference: https://portal.hdfgroup.org/download/attachments/52627880/HDF5_File_Format_Specification_Version-3.0.pdf +0 ubelong 0x0e031301 Hierarchical Data Format (version 4) data !:mime application/x-hdf +!:ext hdf/hdf4/h4 0 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) data -!:mime application/x-hdf -512 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 512 bytes user block -!:mime application/x-hdf +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 +512 string \211HDF\r\n\032\n +# skip Matlab v5 mat-file testhdf5_7.4_GLNX86.mat handled by ./mathematica +>0 string !MATLAB Hierarchical Data Format (version 5) with 512 bytes user block +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 1024 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 1k user block -!:mime application/x-hdf +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 2048 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 2k user block -!:mime application/x-hdf +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 4096 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) with 4k user block -!:mime application/x-hdf - +#!:mime application/x-hdf +!:mime application/x-hdf5 +!:ext h5/hdf5/hdf/he5 # From: Tobias Burnus <burnus@net-b.de> # Xara (for a while: Corel Xara) is a graphic package, see # http://www.xara.com/ for Windows and as GPL application for Linux 0 string XARA\243\243 Xara graphics file +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Corel_Gallery +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bmf-corel.trid.xml +# Note: called "Corel Binary Material Format" by TrID and +# "Corel Flow" by XnView +0 string @CorelBMF\n\rCorel\040Corporation Corel GALLERY Clipart +!:mime image/x-corel-bmf +!:ext bmf + # https://www.cartesianinc.com/Tech/ +# Reference: http://fileformats.archiveteam.org/wiki/Cartesian_Perceptual_Compression 0 string CPC\262 Cartesian Perceptual Compression image !:mime image/x-cpi +!:ext cpi/cpc # From Albert Cahalan <acahalan@gmail.com> # puredigital used it for the CVS disposable camcorder -#8 lelong 4 ZBM bitmap image data -#>4 leshort x %u x -#>6 leshort x %u +#8 lelong 4 ZBM bitmap image data +#>4 uleshort x %u x +#>6 uleshort x %u # From Albert Cahalan <acahalan@gmail.com> # uncompressed 5:6:5 HighColor image for OLPC XO firmware icons -0 string C565 OLPC firmware icon image data ->4 leshort x %u x ->6 leshort x %u +0 string C565 OLPC firmware icon image data +>4 uleshort x %u x +>6 uleshort x %u # Applied Images - Image files from Cytovision # Gustavo Junior Alves <gjalves@gjalves.com.br> @@ -1448,24 +2397,24 @@ # Note: Different versions exist for e.g. 8 bit and 16 bit images. # Documentation is incomplete. 0 string/b PCO- PCO B16 image data ->12 lelong x \b, %dx ->16 lelong x \b%d ->20 lelong 0 \b, short header ->20 lelong -1 \b, extended header ->>24 lelong 0 \b, grayscale ->>>36 lelong 0 linear LUT ->>>36 lelong 1 logarithmic LUT ->>>28 lelong x [%d ->>>32 lelong x \b,%d] ->>24 lelong 1 \b, color ->>>64 lelong 0 linear LUT ->>>64 lelong 1 logarithmic LUT ->>>40 lelong x r[%d ->>>44 lelong x \b,%d] ->>>48 lelong x g[%d ->>>52 lelong x \b,%d] ->>>56 lelong x b[%d ->>>60 lelong x \b,%d] +>12 ulelong x \b, %dx +>16 ulelong x \b%d +>20 ulelong 0 \b, short header +>20 ulelong -1 \b, extended header +>>24 ulelong 0 \b, grayscale +>>>36 ulelong 0 linear LUT +>>>36 ulelong 1 logarithmic LUT +>>>28 ulelong x [%d +>>>32 ulelong x \b,%d] +>>24 ulelong 1 \b, color +>>>64 ulelong 0 linear LUT +>>>64 ulelong 1 logarithmic LUT +>>>40 ulelong x r[%d +>>>44 ulelong x \b,%d] +>>>48 ulelong x g[%d +>>>52 ulelong x \b,%d] +>>>56 ulelong x b[%d +>>>60 ulelong x \b,%d] # Polar Monitor Bitmap (.pmb) used as logo for Polar Electro watches # From: Markus Heidelberg <markus.heidelberg at web.de> @@ -1490,10 +2439,104 @@ # height (80,90) >>0x53 uleshort x \b%d +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3.trid.xml +# Note: called "Ulead Imageiio/Imaginfo thumbnail" by TrID +0 string IIO1$ Ulead Photo Explorer 3 +#!:mime application/octet-stream +!:mime image/x-ulead-pe3 +# IMAGEIIO.PE3 +!:ext pe3 +# look for DOS/Windows drive letter +>5 search/192/s :\\ +# directory or full name of corresponding imaginfo.pe3 like: "T:\SAMPLES\TEXTURES\SKY_SNOW\IIOE371.TMP "S:\PI3\PIMPACT3\PROGRAMS\PATTERNS\imaginfo.pe3" +>>&-1 string x "%s" +# look for DOS/Windows network path if no drive letter part +>5 default x +>>5 search/192/s \x5c\x5c +# full name of corresponding imaginfo.pe3 like: "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS\imaginfo.pe3" +>>>&0 string x "%s" # Type: Ulead Photo Explorer5 (.pe5) -# URL: http://www.jisyo.com/cgibin/view.cgi?EXT=pe5 (Japanese) +# URL: http://fileformats.archiveteam.org/wiki/Imageiio/imaginfo_(Ulead) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4.trid.xml # From: Simon Horman <horms@debian.org> -0 string IIO2H Ulead Photo Explorer5 +# Update: Joerg Jenderek +# Note: some called "Ulead Imageiio/Imaginfo thumbnail" by TrID +# and used in various Ulead applications +0 string IIO2H Ulead Photo Explorer 4 or 5 +#!:mime application/octet-stream +!:mime image/x-ulead-pe4 +# IMAGEIIO.PE4 +!:ext pe4/pe5 +# look in most samples for JPEG signature like: SAMPLES/IMAGES/SCENES/IMAGINFO.PE4 +>0x4c2 search/0xE02/s JFIF with JPEG image data +>>&-6 use jpeg +# near the end list of image names like: Img0001.pcd 1116012L.JPG NCARD4.TPL +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe3-imaginfo.trid.xml +11 string \001\0\0\0\0 +# check for version 3 part +>19 string \0\001\0\003\0 +>>0 use ulead-imaginfo +# From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pe4-imaginfo.trid.xml +11 string \001\0\0\0\0 +# check for version 4 part +>19 string \0\0\0\004\0 +>>0 use ulead-imaginfo +# display information about Ulead Imaginfo thumbnail (version, directory, image extension) +0 name ulead-imaginfo +>22 ubyte x Ulead Imaginfo thumbnail +#!:mime application/octet-stream +!:mime image/x-ulead-imaginfo +>22 ubyte =3 \b, version 3 +# IMAGINFO.PE3 +!:ext pe3 +>22 ubyte =4 \b, version 4 +# IMAGINFO.PE4 +!:ext pe4 +# MAYBE ALSO VERSION 5 ? +#>22 ubyte =5 \b, version 5 +#!:ext pe5 +>22 ubyte x +# look for DOS/Windows driver letter +>>4 search/192/s :\x5c +# skip f:\Programme\iPhoto Plus 4\Template\Business Cards\IMAGINFO.PE4 +# by looking for driver letter in range A-Z +>>>&-1 ubyte >0x40 +# directory path like: "E:\iPE\CDSample\Images\Scenes" "D:\XmasCard\Samples" "C:\TEMP\PLANTS" +>>>>&-5 pstring/l >0 \b, "%s" +# look for DOS/Windows network path if no valid drive letter part +>>>&-1 default x +>>>>4 search/192/s \x5c\x5c +# directory path like: "\\FSX\SYS\OPPS\IPE.ENG\TEMPLATE\BUSINESS" "\\Lionking\upi\SAMPLES\IMAGES\ANIMALS" +>>>>>&-4 pstring/l >0 \b, "%s" +# look for DOS/Windows network path if no drive letter part +>>4 default x +>>>4 search/192/s \x5c\x5c +# directory path like: "\\FSX\SYS\opps\ipe.eng\samples" "\\DANIEL\IPE_CD\IPE.ITA" +>>>>&-4 pstring/l >0 \b, "%s" +# look for point character inside image names +>56 search/38/s . +# image name extension like: bmp jpg pcd tpl +>>&1 string x with %-.3s images +# Summary: Ulead Pattern image (Corel Corporation) +# URL: https://en.wikipedia.org/wiki/Ulead_Systems +# https://www.file-extensions.org/pst-file-extension-ulead-pattern-image-format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst-ulead.trid.xml +# From: Joerg Jenderek +# Note: used also by CorelDraw Essentials 3 version 13.0.0.800 +# there seems to exist other versions +0 ubelong 0xFFFF0100 +>8 search/21 PresetInfo Ulead pattern image +#!:mime application/octet-stream +!:mime image/x-ulead-pst +!:ext pst +# string length like: 16 18 19 21 24 +#>>4 uleshort x n=%u +# like: BlendPresetInfo DropShadowPresetInfo FileNewPresetInfo VectorExtrudePresetInfo EnvelopePresetInfo ContourPresetInfo DistortionPresetInfo +>>4 pstring/h x "%s" # Type: X11 cursor # URL: http://webcvs.freedesktop.org/mime/shared-mime-info/freedesktop.org.xml.in?view=markup @@ -1519,7 +2562,7 @@ # URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ # Radiance HDR; usually has .pic or .hdr extension. 0 string #?RADIANCE\n Radiance HDR image data -#!mime image/vnd.radiance +!:mime image/vnd.radiance # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: https://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf @@ -1528,8 +2571,8 @@ # actual common use, it should replace the one below. 0 string PFS1\x0a PFS HDR image data #!mime image/x-pfs ->1 regex [0-9]*\ \b, %s ->>1 regex \ [0-9]{4} \bx%s +>1 regex [0-9]*\ \b, %s +>>1 regex \ [0-9]{4} \bx%s # Type: Foveon X3F # URL: https://www.photofo.com/downloads/x3f-raw-format.pdf @@ -1538,10 +2581,10 @@ # there's a canonical type for this format, it should replace this one. 0 string FOVb Foveon X3F raw image data !:mime image/x-x3f ->6 leshort x \b, version %d. ->4 leshort x \b%d ->28 lelong x \b, %dx ->32 lelong x \b%d +>6 uleshort x \b, version %d. +>4 uleshort x \b%d +>28 ulelong x \b, %dx +>32 ulelong x \b%d # Paint.NET file # From Adam Buchbinder <adam.buchbinder@gmail.com> @@ -1554,53 +2597,53 @@ # doc: https://www.shikino.co.jp/eng/products/images/FLOWER.jpg.zip # example: https://www.shikino.co.jp/eng/products/images/FLOWER.wdp.zip -90 bequad 0x574D50484F544F00 JPEG-XR Image ->98 byte&0x08 =0x08 \b, hard tiling ->99 byte&0x80 =0x80 \b, tiling present ->99 byte&0x40 =0x40 \b, codestream present ->99 byte&0x38 x \b, spatial xform= ->99 byte&0x38 0x00 \bTL ->99 byte&0x38 0x08 \bBL ->99 byte&0x38 0x10 \bTR ->99 byte&0x38 0x18 \bBR ->99 byte&0x38 0x20 \bBT ->99 byte&0x38 0x28 \bRB ->99 byte&0x38 0x30 \bLT ->99 byte&0x38 0x38 \bLB ->100 byte&0x80 =0x80 \b, short header ->>102 beshort+1 x \b, %d ->>104 beshort+1 x \bx%d ->100 byte&0x80 =0x00 \b, long header ->>102 belong+1 x \b, %x ->>106 belong+1 x \bx%x ->101 beshort&0xf x \b, bitdepth= ->>101 beshort&0xf 0x0 \b1-WHITE=1 ->>101 beshort&0xf 0x1 \b8 ->>101 beshort&0xf 0x2 \b16 ->>101 beshort&0xf 0x3 \b16-SIGNED ->>101 beshort&0xf 0x4 \b16-FLOAT ->>101 beshort&0xf 0x5 \b(reserved 5) ->>101 beshort&0xf 0x6 \b32-SIGNED ->>101 beshort&0xf 0x7 \b32-FLOAT ->>101 beshort&0xf 0x8 \b5 ->>101 beshort&0xf 0x9 \b10 ->>101 beshort&0xf 0xa \b5-6-5 ->>101 beshort&0xf 0xb \b(reserved %d) ->>101 beshort&0xf 0xc \b(reserved %d) ->>101 beshort&0xf 0xd \b(reserved %d) ->>101 beshort&0xf 0xe \b(reserved %d) ->>101 beshort&0xf 0xf \b1-BLACK=1 ->101 beshort&0xf0 x \b, colorfmt= ->>101 beshort&0xf0 0x00 \bYONLY ->>101 beshort&0xf0 0x10 \bYUV240 ->>101 beshort&0xf0 0x20 \bYWV422 ->>101 beshort&0xf0 0x30 \bYWV444 ->>101 beshort&0xf0 0x40 \bCMYK ->>101 beshort&0xf0 0x50 \bCMYKDIRECT ->>101 beshort&0xf0 0x60 \bNCOMPONENT ->>101 beshort&0xf0 0x70 \bRGB ->>101 beshort&0xf0 0x80 \bRGBE ->>101 beshort&0xf0 >0x80 \b(reserved 0x%x) +90 ubequad 0x574D50484F544F00 JPEG-XR Image +>98 ubyte&0x08 =0x08 \b, hard tiling +>99 ubyte&0x80 =0x80 \b, tiling present +>99 ubyte&0x40 =0x40 \b, codestream present +>99 ubyte&0x38 x \b, spatial xform= +>99 ubyte&0x38 0x00 \bTL +>99 ubyte&0x38 0x08 \bBL +>99 ubyte&0x38 0x10 \bTR +>99 ubyte&0x38 0x18 \bBR +>99 ubyte&0x38 0x20 \bBT +>99 ubyte&0x38 0x28 \bRB +>99 ubyte&0x38 0x30 \bLT +>99 ubyte&0x38 0x38 \bLB +>100 ubyte&0x80 =0x80 \b, short header +>>102 ubeshort+1 x \b, %d +>>104 ubeshort+1 x \bx%d +>100 ubyte&0x80 =0x00 \b, long header +>>102 ubelong+1 x \b, %x +>>106 ubelong+1 x \bx%x +>101 ubeshort&0xf x \b, bitdepth= +>>101 ubeshort&0xf 0x0 \b1-WHITE=1 +>>101 ubeshort&0xf 0x1 \b8 +>>101 ubeshort&0xf 0x2 \b16 +>>101 ubeshort&0xf 0x3 \b16-SIGNED +>>101 ubeshort&0xf 0x4 \b16-FLOAT +>>101 ubeshort&0xf 0x5 \b(reserved 5) +>>101 ubeshort&0xf 0x6 \b32-SIGNED +>>101 ubeshort&0xf 0x7 \b32-FLOAT +>>101 ubeshort&0xf 0x8 \b5 +>>101 ubeshort&0xf 0x9 \b10 +>>101 ubeshort&0xf 0xa \b5-6-5 +>>101 ubeshort&0xf 0xb \b(reserved %d) +>>101 ubeshort&0xf 0xc \b(reserved %d) +>>101 ubeshort&0xf 0xd \b(reserved %d) +>>101 ubeshort&0xf 0xe \b(reserved %d) +>>101 ubeshort&0xf 0xf \b1-BLACK=1 +>101 ubeshort&0xf0 x \b, colorfmt= +>>101 ubeshort&0xf0 0x00 \bYONLY +>>101 ubeshort&0xf0 0x10 \bYUV240 +>>101 ubeshort&0xf0 0x20 \bYWV422 +>>101 ubeshort&0xf0 0x30 \bYWV444 +>>101 ubeshort&0xf0 0x40 \bCMYK +>>101 ubeshort&0xf0 0x50 \bCMYKDIRECT +>>101 ubeshort&0xf0 0x60 \bNCOMPONENT +>>101 ubeshort&0xf0 0x70 \bRGB +>>101 ubeshort&0xf0 0x80 \bRGBE +>>101 ubeshort&0xf0 >0x80 \b(reserved %#x) # From: Johan van der Knijff <johan.vanderknijff@kb.nl> # @@ -1624,40 +2667,91 @@ >>8 string x \b, "%4.4s" type # TIM images -0 lelong 0x00000010 TIM image, ->4 lelong 0x8 4-Bit, ->4 lelong 0x9 8-Bit, ->4 lelong 0x2 15-Bit, ->4 lelong 0x3 24-Bit, ->4 lelong &8 ->>(8.l+12) leshort x Pixel at (%d, ->>(8.l+14) leshort x \b%d) ->>(8.l+16) leshort x Size=%dx ->>(8.l+18) leshort x \b%d, ->>4 lelong 0x8 16 CLUT Entries at ->>4 lelong 0x9 256 CLUT Entries at ->>12 leshort x (%d, ->>14 leshort x \b%d) ->4 lelong ^8 ->>12 leshort x Pixel at (%d, ->>14 leshort x \b%d) ->>16 leshort x Size=%dx ->>18 leshort x \b%d +# URL: http://fileformats.archiveteam.org/wiki/TIM_(PlayStation_graphics) +# Reference: https://mrclick.zophar.net/TilEd/download/timgfx.txt +# Update: Joerg Jenderek +# Note: called as "PSX TIM *bpp bitmap" by bitmap-tim-*.trid.xml +# verified as "TIM PSX" by XnView `nconvert -fullinfo *.tim` and +# by RECOIL `recoil2png -o TMP.PNG input.tim; file TMP.PNG` and often +# as "PSX TIM" by ImageMagick version 7.1.0-10 command `identify *.tim` +# here signed integers are used but according to Kaitai unsigned +0 ulelong 0x00000010 +# 32 Flag bits *cttt; c~CLUT flag t~type 000~4BPP 001~8BPP 010~16BPP 011~24BPP 100~Mixed +#>4 ulelong x FLAGS=%#x +# 12+Size of CLUT (2Ch for 4BPP; 20Ch 40Ch 60Ch 80Ch C0Ch for 8BPP) or +# +image data size (800Ch 2000Ch 2580C for 16BPP) (02000003h for dBase memo test.dbt) +#>8 ulelong x \b, 12+CLUT or data size=%#8.8x +# CLUT or data size remainder is 12 (Ch), but 03 for dBase memo test.dbt +#>8 ubyte&0x0F =0x0C \b, SIZE REMAINDER IS 12 +# skip dBase III memo test.dbt with invalid flags 22D10189h +>4 ulelong&0xffFFffF0 =0 Sony PlayStation PSX image, +# file (version 5.40) labeled the above entry as "TIM image" +!:mime image/x-sony-tim +!:ext tim +#>>4 ulelong&0x00000007 x \b, BPP~%u +# 4BPP and 8BPP examples exist with CLUT or without CLUT +>>4 ulelong&0x07 0x0 4-Bit, +>>4 ulelong&0x07 0x1 8-Bit, +# 16BPP and 24BPP examples have no CLUT +>>4 ulelong 0x2 15-Bit, +>>4 ulelong 0x3 24-Bit, +# no example +>>4 ulelong&0x07 0x4 Mixed-Bit, +# CLUT flag set +>>4 ulelong &8 +# 12 + size of CLUT like: 1000Ch 800Ch 400Ch 40Ch and 2FEh (KAGE.TIM) +#>>>(8.l+8) ulelong x \b, 12+CLUT SIZE=%#8.8x +>>>(8.l+12) uleshort x Pixel at (%d, +>>>(8.l+14) uleshort x \b%d) Size= +# image width (to get actual width multiply by 4 for 4BPP and by 2 for 8BPP) +>>>>4 ulelong 0x8 +>>>>>(8.l+16) uleshort*4 x \b%d +>>>>4 ulelong 0x9 +>>>>>(8.l+16) uleshort*2 x \b%d +# image height like: 32 64 128 144 160 208 256 +>>>(8.l+18) uleshort x \bx%d, +>>>4 ulelong 0x8 16 CLUT Entries at +>>>4 ulelong 0x9 256 CLUT Entries at +>>>12 uleshort x (%d, +>>>14 uleshort x \b%d) +# no Color LookUp Table (CLUT) +>>4 ulelong ^8 +# image origin X Y +>>>12 uleshort x Pixel at (%d, +>>>14 uleshort x \b%d) Size= +# real image width = multiply by 4 (4BPP) 2 (8BPP) 1 (16BPP) 2/3 (24BPP) +>>>>4 ulelong 0x0 +>>>>>16 uleshort*4 x \b%d +>>>>4 ulelong 0x1 +>>>>>16 uleshort*2 x \b%d +>>>>4 ulelong 0x2 +>>>>>16 uleshort x \b%d +>>>>4 ulelong 0x3 +# GRR: NOT working +#>>>>>16 uleshort*2/3 x \b%d +>>>>>16 uleshort x \b2/3*%d +# mixed format width not explained! +>>>>4 ulelong 0x4 +>>>>>16 uleshort x \b%d +# image height like: 64 240 256 +>>>18 uleshort x \bx%d +# TIM image data # MDEC streams -0 lelong 0x80010160 MDEC video stream, ->16 leshort x %dx ->18 leshort x \b%d -#>8 lelong x %d frames -#>4 leshort x secCount=%d; -#>6 leshort x nSectors=%d; -#>12 lelong x frameSize=%d; +0 ulelong 0x80010160 MDEC video stream, +>16 uleshort x %dx +>18 uleshort x \b%d +#>8 ulelong x %d frames +#>4 uleshort x secCount=%d; +#>6 uleshort x nSectors=%d; +#>12 ulelong x frameSize=%d; # BS encoded bitstreams -2 leshort 0x3800 BS image, ->6 leshort x Version %d, ->4 leshort x Quantization %d, ->0 leshort x (Decompresses to %d words) +2 uleshort 0x3800 BS image, +# GRR: the above line is also true for binary Computer Graphics Metafile SAB00012.CGM with long parameter length 56 (=38h) +>6 uleshort x Version %d, +>4 uleshort x Quantization %d, +>0 uleshort x (Decompresses to %d words) # Type: farbfeld image. # Url: http://tools.suckless.org/farbfeld/ @@ -1667,6 +2761,185 @@ >8 ubelong x %dx >12 ubelong x \b%d +# Type: Microsoft DirectDraw Surface (DXGI formats) +# URL: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp +# From: Morten Hustveit <morten@debian.org> +# Updated by: David Korth <gerbilsoft@gerbilsoft.com> +0 name ms-directdraw-dx10 +>0 ulelong x \b, DXGI format: +>0 ulelong 1 R32G32B32A32_TYPELESS +>0 ulelong 2 R32G32B32A32_FLOAT +>0 ulelong 3 R32G32B32A32_UINT +>0 ulelong 4 R32G32B32A32_SINT +>0 ulelong 5 R32G32B32_TYPELESS +>0 ulelong 6 R32G32B32_FLOAT +>0 ulelong 7 R32G32B32_UINT +>0 ulelong 8 R32G32B32_SINT +>0 ulelong 9 R16G16B16A16_TYPELESS +>0 ulelong 10 R16G16B16A16_FLOAT +>0 ulelong 11 R16G16B16A16_UNORM +>0 ulelong 12 R16G16B16A16_UINT +>0 ulelong 13 R16G16B16A16_SNORM +>0 ulelong 14 R16G16B16A16_SINT +>0 ulelong 15 R32G32_TYPELESS +>0 ulelong 16 R32G32_FLOAT +>0 ulelong 17 R32G32_UINT +>0 ulelong 18 R32G32_SINT +>0 ulelong 19 R32G8X24_TYPELESS +>0 ulelong 20 D32_FLOAT_S8X24_UINT +>0 ulelong 21 R32_FLOAT_X8X24_TYPELESS +>0 ulelong 22 X32_TYPELESS_G8X24_UINT +>0 ulelong 23 R10G10B10A2_TYPELESS +>0 ulelong 24 R10G10B10A2_UNORM +>0 ulelong 25 R10G10B10A2_UINT +>0 ulelong 26 R11G11B10_FLOAT +>0 ulelong 27 R8G8B8A8_TYPELESS +>0 ulelong 28 R8G8B8A8_UNORM +>0 ulelong 29 R8G8B8A8_UNORM_SRGB +>0 ulelong 30 R8G8B8A8_UINT +>0 ulelong 31 R8G8B8A8_SNORM +>0 ulelong 32 R8G8B8A8_SINT +>0 ulelong 33 R16G16_TYPELESS +>0 ulelong 34 R16G16_FLOAT +>0 ulelong 35 R16G16_UNORM +>0 ulelong 36 R16G16_UINT +>0 ulelong 37 R16G16_SNORM +>0 ulelong 38 R16G16_SINT +>0 ulelong 39 R32_TYPELESS +>0 ulelong 40 D32_FLOAT +>0 ulelong 41 R32_FLOAT +>0 ulelong 42 R32_UINT +>0 ulelong 43 R32_SINT +>0 ulelong 44 R24G8_TYPELESS +>0 ulelong 45 D24_UNORM_S8_UINT +>0 ulelong 46 R24_UNORM_X8_TYPELESS +>0 ulelong 47 X24_TYPELESS_G8_UINT +>0 ulelong 48 R8G8_TYPELESS +>0 ulelong 49 R8G8_UNORM +>0 ulelong 50 R8G8_UINT +>0 ulelong 51 R8G8_SNORM +>0 ulelong 52 R8G8_SINT +>0 ulelong 53 R16_TYPELESS +>0 ulelong 54 R16_FLOAT +>0 ulelong 55 D16_UNORM +>0 ulelong 56 R16_UNORM +>0 ulelong 57 R16_UINT +>0 ulelong 58 R16_SNORM +>0 ulelong 59 R16_SINT +>0 ulelong 60 R8_TYPELESS +>0 ulelong 61 R8_UNORM +>0 ulelong 62 R8_UINT +>0 ulelong 63 R8_SNORM +>0 ulelong 64 R8_SINT +>0 ulelong 65 A8_UNORM +>0 ulelong 66 R1_UNORM +>0 ulelong 67 R9G9B9E5_SHAREDEXP +>0 ulelong 68 R8G8_B8G8_UNORM +>0 ulelong 69 G8R8_G8B8_UNORM +>0 ulelong 70 BC1_TYPELESS +>0 ulelong 71 BC1_UNORM +>0 ulelong 72 BC1_UNORM_SRGB +>0 ulelong 73 BC2_TYPELESS +>0 ulelong 74 BC2_UNORM +>0 ulelong 75 BC2_UNORM_SRGB +>0 ulelong 76 BC3_TYPELESS +>0 ulelong 77 BC3_UNORM +>0 ulelong 78 BC3_UNORM_SRGB +>0 ulelong 79 BC4_TYPELESS +>0 ulelong 80 BC4_UNORM +>0 ulelong 81 BC4_SNORM +>0 ulelong 82 BC5_TYPELESS +>0 ulelong 83 BC5_UNORM +>0 ulelong 84 BC5_SNORM +>0 ulelong 85 B5G6R5_UNORM +>0 ulelong 86 B5G5R5A1_UNORM +>0 ulelong 87 B8G8R8A8_UNORM +>0 ulelong 88 B8G8R8X8_UNORM +>0 ulelong 89 R10G10B10_XR_BIAS_A2_UNORM +>0 ulelong 90 B8G8R8A8_TYPELESS +>0 ulelong 91 B8G8R8A8_UNORM_SRGB +>0 ulelong 92 B8G8R8X8_TYPELESS +>0 ulelong 93 B8G8R8X8_UNORM_SRGB +>0 ulelong 94 BC6H_TYPELESS +>0 ulelong 95 BC6H_UF16 +>0 ulelong 96 BC6H_SF16 +>0 ulelong 97 BC7_TYPELESS +>0 ulelong 98 BC7_UNORM +>0 ulelong 99 BC7_UNORM_SRGB +>0 ulelong 100 AYUV +>0 ulelong 101 Y410 +>0 ulelong 102 Y416 +>0 ulelong 103 NV12 +>0 ulelong 104 P010 +>0 ulelong 105 P016 +>0 ulelong 106 420_OPAQUE +>0 ulelong 107 YUY2 +>0 ulelong 108 Y210 +>0 ulelong 109 Y216 +>0 ulelong 110 NV11 +>0 ulelong 111 AI44 +>0 ulelong 112 IA44 +>0 ulelong 113 P8 +>0 ulelong 114 A8P8 +>0 ulelong 115 B4G4R4A4_UNORM + +>0 ulelong 116 XBOX_R10G10B10_7E3_A2_FLOAT +>0 ulelong 117 XBOX_R10G10B10_6E4_A2_FLOAT +>0 ulelong 118 XBOX_D16_UNORM_S8_UINT +>0 ulelong 119 XBOX_R16_UNORM_X8_TYPELESS +>0 ulelong 120 XBOX_X16_TYPELESS_G8_UINT + +>0 ulelong 130 DXGI_FORMAT_P208 +>0 ulelong 131 DXGI_FORMAT_V208 +>0 ulelong 132 DXGI_FORMAT_V408 + +>0 ulelong 133 ASTC_4X4_TYPELESS +>0 ulelong 134 ASTC_4X4_UNORM +>0 ulelong 135 ASTC_4X4_UNORM_SRGB +>0 ulelong 137 ASTC_5X4_TYPELESS +>0 ulelong 138 ASTC_5X4_UNORM +>0 ulelong 139 ASTC_5X4_UNORM_SRGB +>0 ulelong 141 ASTC_5X5_TYPELESS +>0 ulelong 142 ASTC_5X5_UNORM +>0 ulelong 143 ASTC_5X5_UNORM_SRGB +>0 ulelong 145 ASTC_6X5_TYPELESS +>0 ulelong 146 ASTC_6X5_UNORM +>0 ulelong 147 ASTC_6X5_UNORM_SRGB +>0 ulelong 149 ASTC_6X6_TYPELESS +>0 ulelong 150 ASTC_6X6_UNORM +>0 ulelong 151 ASTC_6X6_UNORM_SRGB +>0 ulelong 153 ASTC_8X5_TYPELESS +>0 ulelong 154 ASTC_8X5_UNORM +>0 ulelong 155 ASTC_8X5_UNORM_SRGB +>0 ulelong 157 ASTC_8X6_TYPELESS +>0 ulelong 158 ASTC_8X6_UNORM +>0 ulelong 159 ASTC_8X6_UNORM_SRGB +>0 ulelong 161 ASTC_8X8_TYPELESS +>0 ulelong 162 ASTC_8X8_UNORM +>0 ulelong 163 ASTC_8X8_UNORM_SRGB +>0 ulelong 165 ASTC_10X5_TYPELESS +>0 ulelong 166 ASTC_10X5_UNORM +>0 ulelong 167 ASTC_10X5_UNORM_SRGB +>0 ulelong 169 ASTC_10X6_TYPELESS +>0 ulelong 170 ASTC_10X6_UNORM +>0 ulelong 171 ASTC_10X6_UNORM_SRGB +>0 ulelong 173 ASTC_10X8_TYPELESS +>0 ulelong 174 ASTC_10X8_UNORM +>0 ulelong 175 ASTC_10X8_UNORM_SRGB +>0 ulelong 177 ASTC_10X10_TYPELESS +>0 ulelong 178 ASTC_10X10_UNORM +>0 ulelong 179 ASTC_10X10_UNORM_SRGB +>0 ulelong 181 ASTC_12X10_TYPELESS +>0 ulelong 182 ASTC_12X10_UNORM +>0 ulelong 183 ASTC_12X10_UNORM_SRGB +>0 ulelong 185 ASTC_12X12_TYPELESS +>0 ulelong 186 ASTC_12X12_UNORM +>0 ulelong 187 ASTC_12X12_UNORM_SRGB + +>0 ulelong 190 XBOX_R10G10B10_SNORM_A2_UNORM +>0 ulelong 189 XBOX_R4G4_UNORM +>0 ulelong 0xFFFFFFFF DXGI_FORMAT_FORCE_UINT + # Type: Microsoft DirectDraw Surface (common data) # URL: https://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp # From: Morten Hustveit <morten@debian.org> @@ -1679,7 +2952,9 @@ # Determine the pixel format. >0x50 ulelong&0x4 4 # FIXME: Handle DX10 and XBOX formats. ->>0x54 string x \b, compressed using %.4s +>>0x54 string DX10 +>>>0x80 use ms-directdraw-dx10 +>>0x54 string !DX10 \b, compressed using %.4s >0x50 ulelong&0x2 0x2 \b, alpha only >0x50 ulelong&0x200 0x200 \b, YUV >0x50 ulelong&0x20000 0x20000 \b, luminance @@ -1785,37 +3060,37 @@ # Sega PVR header. 0 name sega-pvr-image-header ->0x0C leshort x %u x ->0x0E leshort x %u +>0x0C uleshort x %u x +>0x0E uleshort x %u # Image format. ->0x08 byte 0 \b, ARGB1555 ->0x08 byte 1 \b, RGB565 ->0x08 byte 2 \b, ARGB4444 ->0x08 byte 3 \b, YUV442 ->0x08 byte 4 \b, Bump ->0x08 byte 5 \b, 4bpp ->0x08 byte 6 \b, 8bpp +>0x08 ubyte 0 \b, ARGB1555 +>0x08 ubyte 1 \b, RGB565 +>0x08 ubyte 2 \b, ARGB4444 +>0x08 ubyte 3 \b, YUV442 +>0x08 ubyte 4 \b, Bump +>0x08 ubyte 5 \b, 4bpp +>0x08 ubyte 6 \b, 8bpp # Image data type. ->0x09 byte 0x01 \b, square twiddled ->0x09 byte 0x02 \b, square twiddled & mipmap ->0x09 byte 0x03 \b, VQ ->0x09 byte 0x04 \b, VQ & mipmap ->0x09 byte 0x05 \b, 8-bit CLUT twiddled ->0x09 byte 0x06 \b, 4-bit CLUT twiddled ->0x09 byte 0x07 \b, 8-bit direct twiddled ->0x09 byte 0x08 \b, 4-bit direct twiddled ->0x09 byte 0x09 \b, rectangle ->0x09 byte 0x0B \b, rectangular stride ->0x09 byte 0x0D \b, rectangular twiddled ->0x09 byte 0x10 \b, small VQ ->0x09 byte 0x11 \b, small VQ & mipmap ->0x09 byte 0x12 \b, square twiddled & mipmap +>0x09 ubyte 0x01 \b, square twiddled +>0x09 ubyte 0x02 \b, square twiddled & mipmap +>0x09 ubyte 0x03 \b, VQ +>0x09 ubyte 0x04 \b, VQ & mipmap +>0x09 ubyte 0x05 \b, 8-bit CLUT twiddled +>0x09 ubyte 0x06 \b, 4-bit CLUT twiddled +>0x09 ubyte 0x07 \b, 8-bit direct twiddled +>0x09 ubyte 0x08 \b, 4-bit direct twiddled +>0x09 ubyte 0x09 \b, rectangle +>0x09 ubyte 0x0B \b, rectangular stride +>0x09 ubyte 0x0D \b, rectangular twiddled +>0x09 ubyte 0x10 \b, small VQ +>0x09 ubyte 0x11 \b, small VQ & mipmap +>0x09 ubyte 0x12 \b, square twiddled & mipmap # Sega PVR image. 0 string PVRT >0x10 string DDS\040\174\000\000\000 Sega PVR (Xbox) image: >>0x20 use ms-directdraw-surface ->0x10 belong !0x44445320 Sega PVR image: +>0x10 ubelong !0x44445320 Sega PVR image: >>0 use sega-pvr-image-header # Sega PVR image with GBIX. @@ -1823,25 +3098,25 @@ >0x10 string PVRT >>0x10 string DDS\040\174\000\000\000 Sega PVR (Xbox) image: >>>0x20 use ms-directdraw-surface ->>0x10 belong !0x44445320 Sega PVR image: +>>0x10 ubelong !0x44445320 Sega PVR image: >>>0x10 use sega-pvr-image-header ->>0x08 lelong x \b, global index = %u +>>0x08 ulelong x \b, global index = %u # Sega GVR header. 0 name sega-gvr-image-header ->0x0C beshort x %u x ->0x0E beshort x %u +>0x0C ubeshort x %u x +>0x0E ubeshort x %u # Image data format. ->0x0B byte 0 \b, I4 ->0x0B byte 1 \b, I8 ->0x0B byte 2 \b, IA4 ->0x0B byte 3 \b, IA8 ->0x0B byte 4 \b, RGB565 ->0x0B byte 5 \b, RGB5A3 ->0x0B byte 6 \b, ARGB8888 ->0x0B byte 8 \b, CI4 ->0x0B byte 9 \b, CI8 ->0x0B byte 14 \b, DXT1 +>0x0B ubyte 0 \b, I4 +>0x0B ubyte 1 \b, I8 +>0x0B ubyte 2 \b, IA4 +>0x0B ubyte 3 \b, IA8 +>0x0B ubyte 4 \b, RGB565 +>0x0B ubyte 5 \b, RGB5A3 +>0x0B ubyte 6 \b, ARGB8888 +>0x0B ubyte 8 \b, CI4 +>0x0B ubyte 9 \b, CI8 +>0x0B ubyte 14 \b, DXT1 # Sega GVR image. 0 string GVRT Sega GVR image: @@ -1851,22 +3126,22 @@ 0 string GBIX >0x10 string GVRT Sega GVR image: >>0x10 use sega-gvr-image-header ->>0x08 belong x \b, global index = %u +>>0x08 ubelong x \b, global index = %u # Sega GVR image with GCIX. (Wii) 0 string GCIX >0x10 string GVRT Sega GVR image: >>0x10 use sega-gvr-image-header ->>0x08 belong x \b, global index = %u +>>0x08 ubelong x \b, global index = %u # Light Field Picture # Documentation: http://optics.miloush.net/lytro/TheFileFormat.aspx # Typical file extensions: .lfp .lfr .lfx -0 belong 0x894C4650 ->4 belong 0x0D0A1A0A ->12 belong 0x00000000 Lytro Light Field Picture ->8 belong x \b, version %d +0 ubelong 0x894C4650 +>4 ubelong 0x0D0A1A0A +>12 ubelong 0x00000000 Lytro Light Field Picture +>8 ubelong x \b, version %d # Type: Vision Research Phantom CINE Format # URL: https://www.phantomhighspeed.com/ @@ -1876,24 +3151,24 @@ # This has a short "CI" code but the 44 is the size of the struct which is # stable 0 string CI ->2 leshort 44 Vision Research CINE Video, ->>4 leshort 0 Grayscale, ->>4 leshort 1 JPEG Compressed, ->>4 leshort 2 RAW, ->>6 leshort x version %d, ->>20 lelong x %d frames, ->>48 lelong x %dx ->>52 lelong x \b%d +>2 uleshort 44 Vision Research CINE Video, +>>4 uleshort 0 Grayscale, +>>4 uleshort 1 JPEG Compressed, +>>4 uleshort 2 RAW, +>>6 uleshort x version %d, +>>20 ulelong x %d frames, +>>48 ulelong x %dx +>>52 ulelong x \b%d # Type: ARRI Raw Image # Info: SMPTE RDD30:2014 # From: Harry Mallon <hjmallon at gmail.com> 0 string ARRI ARRI ARI image data, ->4 lelong 0x78563412 little-endian, ->4 lelong 0x12345678 big-endian, ->12 lelong x version %d, ->20 lelong x %dx ->24 lelong x \b%d +>4 ulelong 0x78563412 little-endian, +>4 ulelong 0x12345678 big-endian, +>12 ulelong x version %d, +>20 ulelong x %dx +>24 ulelong x \b%d # Type: Khronos KTX texture. # From: David Korth <gerbilsoft@gerbilsoft.com> @@ -1902,79 +3177,79 @@ # glEnum decoding. # NOTE: Only the most common formats are listed here. 0 name khronos-ktx-glEnum ->0 lelong 0x1907 \b, RGB ->0 lelong 0x1908 \b, RGBA ->0 lelong 0x1909 \b, LUMINANCE ->0 lelong 0x190A \b, LUMINANCE_ALPHA ->0 lelong 0x80E1 \b, BGR ->0 lelong 0x80E2 \b, BGRA ->0 lelong 0x83A0 \b, RGB_S3TC ->0 lelong 0x83A1 \b, RGB4_S3TC ->0 lelong 0x83A2 \b, RGBA_S3TC ->0 lelong 0x83A3 \b, RGBA4_S3TC ->0 lelong 0x83A4 \b, RGBA_DXT5_S3TC ->0 lelong 0x83A5 \b, RGBA4_DXT5_S3TC ->0 lelong 0x83F0 \b, COMPRESSED_RGB_S3TC_DXT1_EXT ->0 lelong 0x83F1 \b, COMPRESSED_RGBA_S3TC_DXT1_EXT ->0 lelong 0x83F2 \b, COMPRESSED_RGBA_S3TC_DXT3_EXT ->0 lelong 0x83F3 \b, COMPRESSED_RGBA_S3TC_DXT5_EXT ->0 lelong 0x8D64 \b, ETC1_RGB8_OES ->0 lelong 0x9270 \b, COMPRESSED_R11_EAC ->0 lelong 0x9271 \b, COMPRESSED_SIGNED_R11_EAC ->0 lelong 0x9272 \b, COMPRESSED_RG11_EAC ->0 lelong 0x9273 \b, COMPRESSED_SIGNED_RG11_EAC ->0 lelong 0x9274 \b, COMPRESSED_RGB8_ETC2 ->0 lelong 0x9275 \b, COMPRESSED_SRGB8_ETC2 ->0 lelong 0x9276 \b, COMPRESSED_RGB8_PUNCHTHROUGH_ALPHA1_ETC2 ->0 lelong 0x9277 \b, COMPRESSED_SRGB8_PUNCHTHROUGH_ALPHA1_ETC2 ->0 lelong 0x9278 \b, COMPRESSED_RGBA2_ETC2_EAC ->0 lelong 0x9279 \b, COMPRESSED_SRGB8_ALPHA8_ETC2_EAC ->0 lelong 0x93B0 \b, COMPRESSED_RGBA_ASTC_4x4_KHR ->0 lelong 0x93B1 \b, COMPRESSED_RGBA_ASTC_5x4_KHR ->0 lelong 0x93B2 \b, COMPRESSED_RGBA_ASTC_5x5_KHR ->0 lelong 0x93B3 \b, COMPRESSED_RGBA_ASTC_6x5_KHR ->0 lelong 0x93B4 \b, COMPRESSED_RGBA_ASTC_6x6_KHR ->0 lelong 0x93B5 \b, COMPRESSED_RGBA_ASTC_8x5_KHR ->0 lelong 0x93B6 \b, COMPRESSED_RGBA_ASTC_8x6_KHR ->0 lelong 0x93B7 \b, COMPRESSED_RGBA_ASTC_8x8_KHR ->0 lelong 0x93B8 \b, COMPRESSED_RGBA_ASTC_10x5_KHR ->0 lelong 0x93B9 \b, COMPRESSED_RGBA_ASTC_10x6_KHR ->0 lelong 0x93BA \b, COMPRESSED_RGBA_ASTC_10x8_KHR ->0 lelong 0x93BB \b, COMPRESSED_RGBA_ASTC_10x10_KHR ->0 lelong 0x93BC \b, COMPRESSED_RGBA_ASTC_12x10_KHR ->0 lelong 0x93BD \b, COMPRESSED_RGBA_ASTC_12x12_KHR ->0 lelong 0x93D0 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_4x4_KHR ->0 lelong 0x93D1 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_5x4_KHR ->0 lelong 0x93D2 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_5x5_KHR ->0 lelong 0x93D3 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_6x5_KHR ->0 lelong 0x93D4 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_6x6_KHR ->0 lelong 0x93D5 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x5_KHR ->0 lelong 0x93D6 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x6_KHR ->0 lelong 0x93D7 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x8_KHR ->0 lelong 0x93D8 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x5_KHR ->0 lelong 0x93D9 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x6_KHR ->0 lelong 0x93DA \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x8_KHR ->0 lelong 0x93DB \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x10_KHR ->0 lelong 0x93DC \b, COMPRESSED_SRGB8_ALPHA8_ASTC_12x10_KHR ->0 lelong 0x93DD \b, COMPRESSED_SRGB8_ALPHA8_ASTC_12x12_KHR +>0 ulelong 0x1907 \b, RGB +>0 ulelong 0x1908 \b, RGBA +>0 ulelong 0x1909 \b, LUMINANCE +>0 ulelong 0x190A \b, LUMINANCE_ALPHA +>0 ulelong 0x80E1 \b, BGR +>0 ulelong 0x80E2 \b, BGRA +>0 ulelong 0x83A0 \b, RGB_S3TC +>0 ulelong 0x83A1 \b, RGB4_S3TC +>0 ulelong 0x83A2 \b, RGBA_S3TC +>0 ulelong 0x83A3 \b, RGBA4_S3TC +>0 ulelong 0x83A4 \b, RGBA_DXT5_S3TC +>0 ulelong 0x83A5 \b, RGBA4_DXT5_S3TC +>0 ulelong 0x83F0 \b, COMPRESSED_RGB_S3TC_DXT1_EXT +>0 ulelong 0x83F1 \b, COMPRESSED_RGBA_S3TC_DXT1_EXT +>0 ulelong 0x83F2 \b, COMPRESSED_RGBA_S3TC_DXT3_EXT +>0 ulelong 0x83F3 \b, COMPRESSED_RGBA_S3TC_DXT5_EXT +>0 ulelong 0x8D64 \b, ETC1_RGB8_OES +>0 ulelong 0x9270 \b, COMPRESSED_R11_EAC +>0 ulelong 0x9271 \b, COMPRESSED_SIGNED_R11_EAC +>0 ulelong 0x9272 \b, COMPRESSED_RG11_EAC +>0 ulelong 0x9273 \b, COMPRESSED_SIGNED_RG11_EAC +>0 ulelong 0x9274 \b, COMPRESSED_RGB8_ETC2 +>0 ulelong 0x9275 \b, COMPRESSED_SRGB8_ETC2 +>0 ulelong 0x9276 \b, COMPRESSED_RGB8_PUNCHTHROUGH_ALPHA1_ETC2 +>0 ulelong 0x9277 \b, COMPRESSED_SRGB8_PUNCHTHROUGH_ALPHA1_ETC2 +>0 ulelong 0x9278 \b, COMPRESSED_RGBA2_ETC2_EAC +>0 ulelong 0x9279 \b, COMPRESSED_SRGB8_ALPHA8_ETC2_EAC +>0 ulelong 0x93B0 \b, COMPRESSED_RGBA_ASTC_4x4_KHR +>0 ulelong 0x93B1 \b, COMPRESSED_RGBA_ASTC_5x4_KHR +>0 ulelong 0x93B2 \b, COMPRESSED_RGBA_ASTC_5x5_KHR +>0 ulelong 0x93B3 \b, COMPRESSED_RGBA_ASTC_6x5_KHR +>0 ulelong 0x93B4 \b, COMPRESSED_RGBA_ASTC_6x6_KHR +>0 ulelong 0x93B5 \b, COMPRESSED_RGBA_ASTC_8x5_KHR +>0 ulelong 0x93B6 \b, COMPRESSED_RGBA_ASTC_8x6_KHR +>0 ulelong 0x93B7 \b, COMPRESSED_RGBA_ASTC_8x8_KHR +>0 ulelong 0x93B8 \b, COMPRESSED_RGBA_ASTC_10x5_KHR +>0 ulelong 0x93B9 \b, COMPRESSED_RGBA_ASTC_10x6_KHR +>0 ulelong 0x93BA \b, COMPRESSED_RGBA_ASTC_10x8_KHR +>0 ulelong 0x93BB \b, COMPRESSED_RGBA_ASTC_10x10_KHR +>0 ulelong 0x93BC \b, COMPRESSED_RGBA_ASTC_12x10_KHR +>0 ulelong 0x93BD \b, COMPRESSED_RGBA_ASTC_12x12_KHR +>0 ulelong 0x93D0 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_4x4_KHR +>0 ulelong 0x93D1 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_5x4_KHR +>0 ulelong 0x93D2 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_5x5_KHR +>0 ulelong 0x93D3 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_6x5_KHR +>0 ulelong 0x93D4 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_6x6_KHR +>0 ulelong 0x93D5 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x5_KHR +>0 ulelong 0x93D6 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x6_KHR +>0 ulelong 0x93D7 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_8x8_KHR +>0 ulelong 0x93D8 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x5_KHR +>0 ulelong 0x93D9 \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x6_KHR +>0 ulelong 0x93DA \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x8_KHR +>0 ulelong 0x93DB \b, COMPRESSED_SRGB8_ALPHA8_ASTC_10x10_KHR +>0 ulelong 0x93DC \b, COMPRESSED_SRGB8_ALPHA8_ASTC_12x10_KHR +>0 ulelong 0x93DD \b, COMPRESSED_SRGB8_ALPHA8_ASTC_12x12_KHR # Endian-specific KTX header. # TODO: glType (all textures I've seen so far are GL_UNSIGNED_BYTE) 0 name khronos-ktx-endian-header ->20 lelong x \b, %u ->24 lelong >1 x %u ->28 lelong >1 x %u ->8 lelong >0 +>20 ulelong x \b, %u +>24 ulelong >1 x %u +>28 ulelong >1 x %u +>8 ulelong >0 >>8 use khronos-ktx-glEnum ->8 lelong 0 +>8 ulelong 0 >>12 use khronos-ktx-glEnum # Main KTX header. # Determine endianness, then check the rest of the header. 0 string \xABKTX\ 11\xBB\r\n\x1A\n Khronos KTX texture ->12 lelong 0x04030201 (little-endian) +>12 ulelong 0x04030201 (little-endian) >>16 use khronos-ktx-endian-header ->12 belong 0x04030201 (big-endian) +>12 ubelong 0x04030201 (big-endian) >>16 use \^khronos-ktx-endian-header # Type: Khronos KTX2 texture. @@ -1984,272 +3259,273 @@ # Supercompression enum. 0 name khronos-ktx2-supercompression ->0 lelong 1 Basis Universal ->0 lelong 2 Zstandard +>0 ulelong 1 BasisLZ +>0 ulelong 2 Zstandard +>0 ulelong 3 ZLIB # Vulkan format identifier. # NOTE: Formats prohibited from KTX2 are commented out. 0 name khronos-ktx2-vkFormat ->0 lelong 0 UNDEFINED ->0 lelong 1 R4G4_UNORM_PACK8 ->0 lelong 2 R4G4B4A4_UNORM_PACK16 ->0 lelong 3 B4G4R4A4_UNORM_PACK16 ->0 lelong 4 R5G6B5_UNORM_PACK16 ->0 lelong 5 B5G6R5_UNORM_PACK16 ->0 lelong 6 R5G5B5A1_UNORM_PACK16 ->0 lelong 7 B5G5R5A1_UNORM_PACK16 ->0 lelong 8 A1R5G5B5_UNORM_PACK16 ->0 lelong 9 R8_UNORM ->0 lelong 10 R8_SNORM -#>0 lelong 11 R8_USCALED -#>0 lelong 12 R8_SSCALED ->0 lelong 13 R8_UINT ->0 lelong 14 R8_SINT ->0 lelong 15 R8_SRGB ->0 lelong 16 R8G8_UNORM ->0 lelong 17 R8G8_SNORM -#>0 lelong 18 R8G8_USCALED -#>0 lelong 19 R8G8_SSCALED ->0 lelong 20 R8G8_UINT ->0 lelong 21 R8G8_SINT ->0 lelong 22 R8G8_SRGB ->0 lelong 23 R8G8B8_UNORM ->0 lelong 24 R8G8B8_SNORM -#>0 lelong 25 R8G8B8_USCALED -#>0 lelong 26 R8G8B8_SSCALED ->0 lelong 27 R8G8B8_UINT ->0 lelong 28 R8G8B8_SINT ->0 lelong 29 R8G8B8_SRGB ->0 lelong 30 B8G8R8_UNORM ->0 lelong 31 B8G8R8_SNORM -#>0 lelong 32 B8G8R8_USCALED -#>0 lelong 33 B8G8R8_SSCALED ->0 lelong 34 B8G8R8_UINT ->0 lelong 35 B8G8R8_SINT ->0 lelong 36 B8G8R8_SRGB ->0 lelong 37 R8G8B8A8_UNORM ->0 lelong 38 R8G8B8A8_SNORM -#>0 lelong 39 R8G8B8A8_USCALED -#>0 lelong 40 R8G8B8A8_SSCALED ->0 lelong 41 R8G8B8A8_UINT ->0 lelong 42 R8G8B8A8_SINT ->0 lelong 43 R8G8B8A8_SRGB ->0 lelong 44 B8G8R8A8_UNORM ->0 lelong 45 B8G8R8A8_SNORM -#>0 lelong 46 B8G8R8A8_USCALED -#>0 lelong 47 B8G8R8A8_SSCALED ->0 lelong 48 B8G8R8A8_UINT ->0 lelong 49 B8G8R8A8_SINT ->0 lelong 50 B8G8R8A8_SRGB -#>0 lelong 51 A8B8G8R8_UNORM_PACK32 -#>0 lelong 52 A8B8G8R8_SNORM_PACK32 -#>0 lelong 53 A8B8G8R8_USCALED_PACK32 -#>0 lelong 54 A8B8G8R8_SSCALED_PACK32 -#>0 lelong 55 A8B8G8R8_UINT_PACK32 -#>0 lelong 56 A8B8G8R8_SINT_PACK32 -#>0 lelong 57 A8B8G8R8_SRGB_PACK32 ->0 lelong 58 A2R10G10B10_UNORM_PACK32 ->0 lelong 59 A2R10G10B10_SNORM_PACK32 -#>0 lelong 60 A2R10G10B10_USCALED_PACK32 -#>0 lelong 61 A2R10G10B10_SSCALED_PACK32 ->0 lelong 62 A2R10G10B10_UINT_PACK32 ->0 lelong 63 A2R10G10B10_SINT_PACK32 ->0 lelong 64 A2B10G10R10_UNORM_PACK32 ->0 lelong 65 A2B10G10R10_SNORM_PACK32 -#>0 lelong 66 A2B10G10R10_USCALED_PACK32 -#>0 lelong 67 A2B10G10R10_SSCALED_PACK32 ->0 lelong 68 A2B10G10R10_UINT_PACK32 ->0 lelong 69 A2B10G10R10_SINT_PACK32 ->0 lelong 70 R16_UNORM ->0 lelong 71 R16_SNORM -#>0 lelong 72 R16_USCALED -#>0 lelong 73 R16_SSCALED ->0 lelong 74 R16_UINT ->0 lelong 75 R16_SINT ->0 lelong 76 R16_SFLOAT ->0 lelong 77 R16G16_UNORM ->0 lelong 78 R16G16_SNORM -#>0 lelong 79 R16G16_USCALED -#>0 lelong 80 R16G16_SSCALED ->0 lelong 81 R16G16_UINT ->0 lelong 82 R16G16_SINT ->0 lelong 83 R16G16_SFLOAT ->0 lelong 84 R16G16B16_UNORM ->0 lelong 85 R16G16B16_SNORM -#>0 lelong 86 R16G16B16_USCALED -#>0 lelong 87 R16G16B16_SSCALED ->0 lelong 88 R16G16B16_UINT ->0 lelong 89 R16G16B16_SINT ->0 lelong 90 R16G16B16_SFLOAT ->0 lelong 91 R16G16B16A16_UNORM ->0 lelong 92 R16G16B16A16_SNORM -#>0 lelong 93 R16G16B16A16_USCALED -#>0 lelong 94 R16G16B16A16_SSCALED ->0 lelong 95 R16G16B16A16_UINT ->0 lelong 96 R16G16B16A16_SINT ->0 lelong 97 R16G16B16A16_SFLOAT ->0 lelong 98 R32_UINT ->0 lelong 99 R32_SINT ->0 lelong 100 R32_SFLOAT ->0 lelong 101 R32G32_UINT ->0 lelong 102 R32G32_SINT ->0 lelong 103 R32G32_SFLOAT ->0 lelong 104 R32G32B32_UINT ->0 lelong 105 R32G32B32_SINT ->0 lelong 106 R32G32B32_SFLOAT ->0 lelong 107 R32G32B32A32_UINT ->0 lelong 108 R32G32B32A32_SINT ->0 lelong 109 R32G32B32A32_SFLOAT ->0 lelong 110 R64_UINT ->0 lelong 111 R64_SINT ->0 lelong 112 R64_SFLOAT ->0 lelong 113 R64G64_UINT ->0 lelong 114 R64G64_SINT ->0 lelong 115 R64G64_SFLOAT ->0 lelong 116 R64G64B64_UINT ->0 lelong 117 R64G64B64_SINT ->0 lelong 118 R64G64B64_SFLOAT ->0 lelong 119 R64G64B64A64_UINT ->0 lelong 120 R64G64B64A64_SINT ->0 lelong 121 R64G64B64A64_SFLOAT ->0 lelong 122 B10G11R11_UFLOAT_PACK32 ->0 lelong 123 E5B9G9R9_UFLOAT_PACK32 ->0 lelong 124 D16_UNORM ->0 lelong 125 X8_D24_UNORM_PACK32 ->0 lelong 126 D32_SFLOAT ->0 lelong 127 S8_UINT ->0 lelong 128 D16_UNORM_S8_UINT ->0 lelong 129 D24_UNORM_S8_UINT ->0 lelong 130 D32_SFLOAT_S8_UINT - ->0 lelong 131 BC1_RGB_UNORM_BLOCK ->0 lelong 132 BC1_RGB_SRGB_BLOCK ->0 lelong 133 BC1_RGBA_UNORM_BLOCK ->0 lelong 134 BC1_RGBA_SRGB_BLOCK ->0 lelong 135 BC2_UNORM_BLOCK ->0 lelong 136 BC2_SRGB_BLOCK ->0 lelong 137 BC3_UNORM_BLOCK ->0 lelong 138 BC3_SRGB_BLOCK ->0 lelong 139 BC4_UNORM_BLOCK ->0 lelong 140 BC4_SNORM_BLOCK ->0 lelong 141 BC5_UNORM_BLOCK ->0 lelong 142 BC5_SNORM_BLOCK ->0 lelong 143 BC6H_UFLOAT_BLOCK ->0 lelong 144 BC6H_SFLOAT_BLOCK ->0 lelong 145 BC7_UNORM_BLOCK ->0 lelong 146 BC7_SRGB_BLOCK - ->0 lelong 147 ETC2_R8G8B8_UNORM_BLOCK ->0 lelong 148 ETC2_R8G8B8_SRGB_BLOCK ->0 lelong 149 ETC2_R8G8B8A1_UNORM_BLOCK ->0 lelong 150 ETC2_R8G8B8A1_SRGB_BLOCK ->0 lelong 151 ETC2_R8G8B8A8_UNORM_BLOCK ->0 lelong 152 ETC2_R8G8B8A8_SRGB_BLOCK - ->0 lelong 153 EAC_R11_UNORM_BLOCK ->0 lelong 154 EAC_R11_SNORM_BLOCK ->0 lelong 155 EAC_R11G11_UNORM_BLOCK ->0 lelong 156 EAC_R11G11_SNORM_BLOCK - ->0 lelong 157 ASTC_4x4_UNORM_BLOCK ->0 lelong 158 ASTC_4x4_SRGB_BLOCK ->0 lelong 159 ASTC_5x4_UNORM_BLOCK ->0 lelong 160 ASTC_5x4_SRGB_BLOCK ->0 lelong 161 ASTC_5x5_UNORM_BLOCK ->0 lelong 162 ASTC_5x5_SRGB_BLOCK ->0 lelong 163 ASTC_6x5_UNORM_BLOCK ->0 lelong 164 ASTC_6x5_SRGB_BLOCK ->0 lelong 165 ASTC_6x6_UNORM_BLOCK ->0 lelong 166 ASTC_6x6_SRGB_BLOCK ->0 lelong 167 ASTC_8x5_UNORM_BLOCK ->0 lelong 168 ASTC_8x5_SRGB_BLOCK ->0 lelong 169 ASTC_8x6_UNORM_BLOCK ->0 lelong 170 ASTC_8x6_SRGB_BLOCK ->0 lelong 171 ASTC_8x8_UNORM_BLOCK ->0 lelong 172 ASTC_8x8_SRGB_BLOCK ->0 lelong 173 ASTC_10x5_UNORM_BLOCK ->0 lelong 174 ASTC_10x5_SRGB_BLOCK ->0 lelong 175 ASTC_10x6_UNORM_BLOCK ->0 lelong 176 ASTC_10x6_SRGB_BLOCK ->0 lelong 177 ASTC_10x8_UNORM_BLOCK ->0 lelong 178 ASTC_10x8_SRGB_BLOCK ->0 lelong 179 ASTC_10x10_UNORM_BLOCK ->0 lelong 180 ASTC_10x10_SRGB_BLOCK ->0 lelong 181 ASTC_12x10_UNORM_BLOCK ->0 lelong 182 ASTC_12x10_SRGB_BLOCK ->0 lelong 183 ASTC_12x12_UNORM_BLOCK ->0 lelong 184 ASTC_12x12_SRGB_BLOCK - ->0 lelong 1000156000 G8B8G8R8_422_UNORM ->0 lelong 1000156001 B8G8R8G8_422_UNORM ->0 lelong 1000156002 G8_B8_R8_3PLANE_420_UNORM ->0 lelong 1000156003 G8_B8R8_2PLANE_420_UNORM ->0 lelong 1000156004 G8_B8_R8_3PLANE_422_UNORM ->0 lelong 1000156005 G8_B8R8_2PLANE_422_UNORM ->0 lelong 1000156006 G8_B8_R8_3PLANE_444_UNORM ->0 lelong 1000156007 R10X6_UNORM_PACK16 ->0 lelong 1000156008 R10X6G10X6_UNORM_2PACK16 ->0 lelong 1000156009 R10X6G10X6B10X6A10X6_UNORM_4PACK16 ->0 lelong 1000156010 G10X6B10X6G10X6R10X6_422_UNORM_4PACK16 ->0 lelong 1000156011 B10X6G10X6R10X6G10X6_422_UNORM_4PACK16 ->0 lelong 1000156012 G10X6_B10X6_R10X6_3PLANE_420_UNORM_3PACK16 ->0 lelong 1000156013 G10X6_B10X6R10X6_2PLANE_420_UNORM_3PACK16 ->0 lelong 1000156014 G10X6_B10X6_R10X6_3PLANE_422_UNORM_3PACK16 ->0 lelong 1000156015 G10X6_B10X6R10X6_2PLANE_422_UNORM_3PACK16 ->0 lelong 1000156016 G10X6_B10X6_R10X6_3PLANE_444_UNORM_3PACK16 ->0 lelong 1000156017 R12X4_UNORM_PACK16 ->0 lelong 1000156018 R12X4G12X4_UNORM_2PACK16 ->0 lelong 1000156019 R12X4G12X4B12X4A12X4_UNORM_4PACK16 ->0 lelong 1000156020 G12X4B12X4G12X4R12X4_422_UNORM_4PACK16 ->0 lelong 1000156021 B12X4G12X4R12X4G12X4_422_UNORM_4PACK16 ->0 lelong 1000156022 G12X4_B12X4_R12X4_3PLANE_420_UNORM_3PACK16 ->0 lelong 1000156023 G12X4_B12X4R12X4_2PLANE_420_UNORM_3PACK16 ->0 lelong 1000156024 G12X4_B12X4_R12X4_3PLANE_422_UNORM_3PACK16 ->0 lelong 1000156025 G12X4_B12X4R12X4_2PLANE_422_UNORM_3PACK16 ->0 lelong 1000156026 G12X4_B12X4_R12X4_3PLANE_444_UNORM_3PACK16 ->0 lelong 1000156027 G16B16G16R16_422_UNORM ->0 lelong 1000156028 B16G16R16G16_422_UNORM ->0 lelong 1000156029 G16_B16_R16_3PLANE_420_UNORM ->0 lelong 1000156030 G16_B16R16_2PLANE_420_UNORM ->0 lelong 1000156031 G16_B16_R16_3PLANE_422_UNORM ->0 lelong 1000156032 G16_B16R16_2PLANE_422_UNORM ->0 lelong 1000156033 G16_B16_R16_3PLANE_444_UNORM - ->0 lelong 1000054000 PVRTC1_2BPP_UNORM_BLOCK_IMG ->0 lelong 1000054001 PVRTC1_4BPP_UNORM_BLOCK_IMG ->0 lelong 1000054002 PVRTC2_2BPP_UNORM_BLOCK_IMG ->0 lelong 1000054003 PVRTC2_4BPP_UNORM_BLOCK_IMG ->0 lelong 1000054004 PVRTC1_2BPP_SRGB_BLOCK_IMG ->0 lelong 1000054005 PVRTC1_4BPP_SRGB_BLOCK_IMG ->0 lelong 1000054006 PVRTC2_2BPP_SRGB_BLOCK_IMG ->0 lelong 1000054007 PVRTC2_4BPP_SRGB_BLOCK_IMG - ->0 lelong 1000066000 ASTC_4x4_SFLOAT_BLOCK_EXT ->0 lelong 1000066001 ASTC_5x4_SFLOAT_BLOCK_EXT ->0 lelong 1000066002 ASTC_5x5_SFLOAT_BLOCK_EXT ->0 lelong 1000066003 ASTC_6x5_SFLOAT_BLOCK_EXT ->0 lelong 1000066004 ASTC_6x6_SFLOAT_BLOCK_EXT ->0 lelong 1000066005 ASTC_8x5_SFLOAT_BLOCK_EXT ->0 lelong 1000066006 ASTC_8x6_SFLOAT_BLOCK_EXT ->0 lelong 1000066007 ASTC_8x8_SFLOAT_BLOCK_EXT ->0 lelong 1000066008 ASTC_10x5_SFLOAT_BLOCK_EXT ->0 lelong 1000066009 ASTC_10x6_SFLOAT_BLOCK_EXT ->0 lelong 1000066010 ASTC_10x8_SFLOAT_BLOCK_EXT ->0 lelong 1000066011 ASTC_10x10_SFLOAT_BLOCK_EXT ->0 lelong 1000066012 ASTC_12x10_SFLOAT_BLOCK_EXT ->0 lelong 1000066013 ASTC_12x12_SFLOAT_BLOCK_EXT +>0 ulelong 0 UNDEFINED +>0 ulelong 1 R4G4_UNORM_PACK8 +>0 ulelong 2 R4G4B4A4_UNORM_PACK16 +>0 ulelong 3 B4G4R4A4_UNORM_PACK16 +>0 ulelong 4 R5G6B5_UNORM_PACK16 +>0 ulelong 5 B5G6R5_UNORM_PACK16 +>0 ulelong 6 R5G5B5A1_UNORM_PACK16 +>0 ulelong 7 B5G5R5A1_UNORM_PACK16 +>0 ulelong 8 A1R5G5B5_UNORM_PACK16 +>0 ulelong 9 R8_UNORM +>0 ulelong 10 R8_SNORM +#>0 ulelong 11 R8_USCALED +#>0 ulelong 12 R8_SSCALED +>0 ulelong 13 R8_UINT +>0 ulelong 14 R8_SINT +>0 ulelong 15 R8_SRGB +>0 ulelong 16 R8G8_UNORM +>0 ulelong 17 R8G8_SNORM +#>0 ulelong 18 R8G8_USCALED +#>0 ulelong 19 R8G8_SSCALED +>0 ulelong 20 R8G8_UINT +>0 ulelong 21 R8G8_SINT +>0 ulelong 22 R8G8_SRGB +>0 ulelong 23 R8G8B8_UNORM +>0 ulelong 24 R8G8B8_SNORM +#>0 ulelong 25 R8G8B8_USCALED +#>0 ulelong 26 R8G8B8_SSCALED +>0 ulelong 27 R8G8B8_UINT +>0 ulelong 28 R8G8B8_SINT +>0 ulelong 29 R8G8B8_SRGB +>0 ulelong 30 B8G8R8_UNORM +>0 ulelong 31 B8G8R8_SNORM +#>0 ulelong 32 B8G8R8_USCALED +#>0 ulelong 33 B8G8R8_SSCALED +>0 ulelong 34 B8G8R8_UINT +>0 ulelong 35 B8G8R8_SINT +>0 ulelong 36 B8G8R8_SRGB +>0 ulelong 37 R8G8B8A8_UNORM +>0 ulelong 38 R8G8B8A8_SNORM +#>0 ulelong 39 R8G8B8A8_USCALED +#>0 ulelong 40 R8G8B8A8_SSCALED +>0 ulelong 41 R8G8B8A8_UINT +>0 ulelong 42 R8G8B8A8_SINT +>0 ulelong 43 R8G8B8A8_SRGB +>0 ulelong 44 B8G8R8A8_UNORM +>0 ulelong 45 B8G8R8A8_SNORM +#>0 ulelong 46 B8G8R8A8_USCALED +#>0 ulelong 47 B8G8R8A8_SSCALED +>0 ulelong 48 B8G8R8A8_UINT +>0 ulelong 49 B8G8R8A8_SINT +>0 ulelong 50 B8G8R8A8_SRGB +#>0 ulelong 51 A8B8G8R8_UNORM_PACK32 +#>0 ulelong 52 A8B8G8R8_SNORM_PACK32 +#>0 ulelong 53 A8B8G8R8_USCALED_PACK32 +#>0 ulelong 54 A8B8G8R8_SSCALED_PACK32 +#>0 ulelong 55 A8B8G8R8_UINT_PACK32 +#>0 ulelong 56 A8B8G8R8_SINT_PACK32 +#>0 ulelong 57 A8B8G8R8_SRGB_PACK32 +>0 ulelong 58 A2R10G10B10_UNORM_PACK32 +>0 ulelong 59 A2R10G10B10_SNORM_PACK32 +#>0 ulelong 60 A2R10G10B10_USCALED_PACK32 +#>0 ulelong 61 A2R10G10B10_SSCALED_PACK32 +>0 ulelong 62 A2R10G10B10_UINT_PACK32 +>0 ulelong 63 A2R10G10B10_SINT_PACK32 +>0 ulelong 64 A2B10G10R10_UNORM_PACK32 +>0 ulelong 65 A2B10G10R10_SNORM_PACK32 +#>0 ulelong 66 A2B10G10R10_USCALED_PACK32 +#>0 ulelong 67 A2B10G10R10_SSCALED_PACK32 +>0 ulelong 68 A2B10G10R10_UINT_PACK32 +>0 ulelong 69 A2B10G10R10_SINT_PACK32 +>0 ulelong 70 R16_UNORM +>0 ulelong 71 R16_SNORM +#>0 ulelong 72 R16_USCALED +#>0 ulelong 73 R16_SSCALED +>0 ulelong 74 R16_UINT +>0 ulelong 75 R16_SINT +>0 ulelong 76 R16_SFLOAT +>0 ulelong 77 R16G16_UNORM +>0 ulelong 78 R16G16_SNORM +#>0 ulelong 79 R16G16_USCALED +#>0 ulelong 80 R16G16_SSCALED +>0 ulelong 81 R16G16_UINT +>0 ulelong 82 R16G16_SINT +>0 ulelong 83 R16G16_SFLOAT +>0 ulelong 84 R16G16B16_UNORM +>0 ulelong 85 R16G16B16_SNORM +#>0 ulelong 86 R16G16B16_USCALED +#>0 ulelong 87 R16G16B16_SSCALED +>0 ulelong 88 R16G16B16_UINT +>0 ulelong 89 R16G16B16_SINT +>0 ulelong 90 R16G16B16_SFLOAT +>0 ulelong 91 R16G16B16A16_UNORM +>0 ulelong 92 R16G16B16A16_SNORM +#>0 ulelong 93 R16G16B16A16_USCALED +#>0 ulelong 94 R16G16B16A16_SSCALED +>0 ulelong 95 R16G16B16A16_UINT +>0 ulelong 96 R16G16B16A16_SINT +>0 ulelong 97 R16G16B16A16_SFLOAT +>0 ulelong 98 R32_UINT +>0 ulelong 99 R32_SINT +>0 ulelong 100 R32_SFLOAT +>0 ulelong 101 R32G32_UINT +>0 ulelong 102 R32G32_SINT +>0 ulelong 103 R32G32_SFLOAT +>0 ulelong 104 R32G32B32_UINT +>0 ulelong 105 R32G32B32_SINT +>0 ulelong 106 R32G32B32_SFLOAT +>0 ulelong 107 R32G32B32A32_UINT +>0 ulelong 108 R32G32B32A32_SINT +>0 ulelong 109 R32G32B32A32_SFLOAT +>0 ulelong 110 R64_UINT +>0 ulelong 111 R64_SINT +>0 ulelong 112 R64_SFLOAT +>0 ulelong 113 R64G64_UINT +>0 ulelong 114 R64G64_SINT +>0 ulelong 115 R64G64_SFLOAT +>0 ulelong 116 R64G64B64_UINT +>0 ulelong 117 R64G64B64_SINT +>0 ulelong 118 R64G64B64_SFLOAT +>0 ulelong 119 R64G64B64A64_UINT +>0 ulelong 120 R64G64B64A64_SINT +>0 ulelong 121 R64G64B64A64_SFLOAT +>0 ulelong 122 B10G11R11_UFLOAT_PACK32 +>0 ulelong 123 E5B9G9R9_UFLOAT_PACK32 +>0 ulelong 124 D16_UNORM +>0 ulelong 125 X8_D24_UNORM_PACK32 +>0 ulelong 126 D32_SFLOAT +>0 ulelong 127 S8_UINT +>0 ulelong 128 D16_UNORM_S8_UINT +>0 ulelong 129 D24_UNORM_S8_UINT +>0 ulelong 130 D32_SFLOAT_S8_UINT + +>0 ulelong 131 BC1_RGB_UNORM_BLOCK +>0 ulelong 132 BC1_RGB_SRGB_BLOCK +>0 ulelong 133 BC1_RGBA_UNORM_BLOCK +>0 ulelong 134 BC1_RGBA_SRGB_BLOCK +>0 ulelong 135 BC2_UNORM_BLOCK +>0 ulelong 136 BC2_SRGB_BLOCK +>0 ulelong 137 BC3_UNORM_BLOCK +>0 ulelong 138 BC3_SRGB_BLOCK +>0 ulelong 139 BC4_UNORM_BLOCK +>0 ulelong 140 BC4_SNORM_BLOCK +>0 ulelong 141 BC5_UNORM_BLOCK +>0 ulelong 142 BC5_SNORM_BLOCK +>0 ulelong 143 BC6H_UFLOAT_BLOCK +>0 ulelong 144 BC6H_SFLOAT_BLOCK +>0 ulelong 145 BC7_UNORM_BLOCK +>0 ulelong 146 BC7_SRGB_BLOCK + +>0 ulelong 147 ETC2_R8G8B8_UNORM_BLOCK +>0 ulelong 148 ETC2_R8G8B8_SRGB_BLOCK +>0 ulelong 149 ETC2_R8G8B8A1_UNORM_BLOCK +>0 ulelong 150 ETC2_R8G8B8A1_SRGB_BLOCK +>0 ulelong 151 ETC2_R8G8B8A8_UNORM_BLOCK +>0 ulelong 152 ETC2_R8G8B8A8_SRGB_BLOCK + +>0 ulelong 153 EAC_R11_UNORM_BLOCK +>0 ulelong 154 EAC_R11_SNORM_BLOCK +>0 ulelong 155 EAC_R11G11_UNORM_BLOCK +>0 ulelong 156 EAC_R11G11_SNORM_BLOCK + +>0 ulelong 157 ASTC_4x4_UNORM_BLOCK +>0 ulelong 158 ASTC_4x4_SRGB_BLOCK +>0 ulelong 159 ASTC_5x4_UNORM_BLOCK +>0 ulelong 160 ASTC_5x4_SRGB_BLOCK +>0 ulelong 161 ASTC_5x5_UNORM_BLOCK +>0 ulelong 162 ASTC_5x5_SRGB_BLOCK +>0 ulelong 163 ASTC_6x5_UNORM_BLOCK +>0 ulelong 164 ASTC_6x5_SRGB_BLOCK +>0 ulelong 165 ASTC_6x6_UNORM_BLOCK +>0 ulelong 166 ASTC_6x6_SRGB_BLOCK +>0 ulelong 167 ASTC_8x5_UNORM_BLOCK +>0 ulelong 168 ASTC_8x5_SRGB_BLOCK +>0 ulelong 169 ASTC_8x6_UNORM_BLOCK +>0 ulelong 170 ASTC_8x6_SRGB_BLOCK +>0 ulelong 171 ASTC_8x8_UNORM_BLOCK +>0 ulelong 172 ASTC_8x8_SRGB_BLOCK +>0 ulelong 173 ASTC_10x5_UNORM_BLOCK +>0 ulelong 174 ASTC_10x5_SRGB_BLOCK +>0 ulelong 175 ASTC_10x6_UNORM_BLOCK +>0 ulelong 176 ASTC_10x6_SRGB_BLOCK +>0 ulelong 177 ASTC_10x8_UNORM_BLOCK +>0 ulelong 178 ASTC_10x8_SRGB_BLOCK +>0 ulelong 179 ASTC_10x10_UNORM_BLOCK +>0 ulelong 180 ASTC_10x10_SRGB_BLOCK +>0 ulelong 181 ASTC_12x10_UNORM_BLOCK +>0 ulelong 182 ASTC_12x10_SRGB_BLOCK +>0 ulelong 183 ASTC_12x12_UNORM_BLOCK +>0 ulelong 184 ASTC_12x12_SRGB_BLOCK + +>0 ulelong 1000156000 G8B8G8R8_422_UNORM +>0 ulelong 1000156001 B8G8R8G8_422_UNORM +>0 ulelong 1000156002 G8_B8_R8_3PLANE_420_UNORM +>0 ulelong 1000156003 G8_B8R8_2PLANE_420_UNORM +>0 ulelong 1000156004 G8_B8_R8_3PLANE_422_UNORM +>0 ulelong 1000156005 G8_B8R8_2PLANE_422_UNORM +>0 ulelong 1000156006 G8_B8_R8_3PLANE_444_UNORM +>0 ulelong 1000156007 R10X6_UNORM_PACK16 +>0 ulelong 1000156008 R10X6G10X6_UNORM_2PACK16 +>0 ulelong 1000156009 R10X6G10X6B10X6A10X6_UNORM_4PACK16 +>0 ulelong 1000156010 G10X6B10X6G10X6R10X6_422_UNORM_4PACK16 +>0 ulelong 1000156011 B10X6G10X6R10X6G10X6_422_UNORM_4PACK16 +>0 ulelong 1000156012 G10X6_B10X6_R10X6_3PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156013 G10X6_B10X6R10X6_2PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156014 G10X6_B10X6_R10X6_3PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156015 G10X6_B10X6R10X6_2PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156016 G10X6_B10X6_R10X6_3PLANE_444_UNORM_3PACK16 +>0 ulelong 1000156017 R12X4_UNORM_PACK16 +>0 ulelong 1000156018 R12X4G12X4_UNORM_2PACK16 +>0 ulelong 1000156019 R12X4G12X4B12X4A12X4_UNORM_4PACK16 +>0 ulelong 1000156020 G12X4B12X4G12X4R12X4_422_UNORM_4PACK16 +>0 ulelong 1000156021 B12X4G12X4R12X4G12X4_422_UNORM_4PACK16 +>0 ulelong 1000156022 G12X4_B12X4_R12X4_3PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156023 G12X4_B12X4R12X4_2PLANE_420_UNORM_3PACK16 +>0 ulelong 1000156024 G12X4_B12X4_R12X4_3PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156025 G12X4_B12X4R12X4_2PLANE_422_UNORM_3PACK16 +>0 ulelong 1000156026 G12X4_B12X4_R12X4_3PLANE_444_UNORM_3PACK16 +>0 ulelong 1000156027 G16B16G16R16_422_UNORM +>0 ulelong 1000156028 B16G16R16G16_422_UNORM +>0 ulelong 1000156029 G16_B16_R16_3PLANE_420_UNORM +>0 ulelong 1000156030 G16_B16R16_2PLANE_420_UNORM +>0 ulelong 1000156031 G16_B16_R16_3PLANE_422_UNORM +>0 ulelong 1000156032 G16_B16R16_2PLANE_422_UNORM +>0 ulelong 1000156033 G16_B16_R16_3PLANE_444_UNORM + +>0 ulelong 1000054000 PVRTC1_2BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054001 PVRTC1_4BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054002 PVRTC2_2BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054003 PVRTC2_4BPP_UNORM_BLOCK_IMG +>0 ulelong 1000054004 PVRTC1_2BPP_SRGB_BLOCK_IMG +>0 ulelong 1000054005 PVRTC1_4BPP_SRGB_BLOCK_IMG +>0 ulelong 1000054006 PVRTC2_2BPP_SRGB_BLOCK_IMG +>0 ulelong 1000054007 PVRTC2_4BPP_SRGB_BLOCK_IMG + +>0 ulelong 1000066000 ASTC_4x4_SFLOAT_BLOCK_EXT +>0 ulelong 1000066001 ASTC_5x4_SFLOAT_BLOCK_EXT +>0 ulelong 1000066002 ASTC_5x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066003 ASTC_6x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066004 ASTC_6x6_SFLOAT_BLOCK_EXT +>0 ulelong 1000066005 ASTC_8x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066006 ASTC_8x6_SFLOAT_BLOCK_EXT +>0 ulelong 1000066007 ASTC_8x8_SFLOAT_BLOCK_EXT +>0 ulelong 1000066008 ASTC_10x5_SFLOAT_BLOCK_EXT +>0 ulelong 1000066009 ASTC_10x6_SFLOAT_BLOCK_EXT +>0 ulelong 1000066010 ASTC_10x8_SFLOAT_BLOCK_EXT +>0 ulelong 1000066011 ASTC_10x10_SFLOAT_BLOCK_EXT +>0 ulelong 1000066012 ASTC_12x10_SFLOAT_BLOCK_EXT +>0 ulelong 1000066013 ASTC_12x12_SFLOAT_BLOCK_EXT # Main KTX2 header. 0 string \xABKTX\ 20\xBB\r\n\x1A\n Khronos KTX2 texture ->20 lelong x \b, %u ->24 lelong >1 x %u ->28 lelong >1 x %u ->32 lelong >1 \b, %u layers ->36 lelong >1 \b, %u faces ->40 lelong >1 \b, %u mipmaps ->44 lelong >0 \b, +>20 ulelong x \b, %u +>24 ulelong >1 x %u +>28 ulelong >1 x %u +>32 ulelong >1 \b, %u layers +>36 ulelong >1 \b, %u faces +>40 ulelong >1 \b, %u mipmaps +>44 ulelong >0 \b, >>44 use khronos-ktx2-supercompression ->12 lelong >0 \b, +>12 ulelong >0 \b, >>12 use khronos-ktx2-vkFormat # Type: Valve VTF texture. @@ -2259,87 +3535,87 @@ # VTF image formats. 0 name vtf-image-format ->0 lelong 0 RGBA8888 ->0 lelong 1 ABGR8888 ->0 lelong 2 RGB888 ->0 lelong 3 BGR888 ->0 lelong 4 RGB565 ->0 lelong 5 I8 ->0 lelong 6 IA88 ->0 lelong 7 P8 ->0 lelong 8 A8 ->0 lelong 9 RGB888 (bluescreen) ->0 lelong 10 BGR888 (bluescreen) ->0 lelong 11 ARGB8888 ->0 lelong 12 BGRA8888 ->0 lelong 13 DXT1 ->0 lelong 14 DXT3 ->0 lelong 15 DXT5 ->0 lelong 16 BGRx8888 ->0 lelong 17 BGR565 ->0 lelong 18 BGRx5551 ->0 lelong 19 BGRA4444 ->0 lelong 20 DXT1+A1 ->0 lelong 21 BGRA5551 ->0 lelong 22 UV88 ->0 lelong 23 UVWQ8888 ->0 lelong 24 RGBA16161616F ->0 lelong 25 RGBA16161616 ->0 lelong 26 UVLX8888 +>0 ulelong 0 RGBA8888 +>0 ulelong 1 ABGR8888 +>0 ulelong 2 RGB888 +>0 ulelong 3 BGR888 +>0 ulelong 4 RGB565 +>0 ulelong 5 I8 +>0 ulelong 6 IA88 +>0 ulelong 7 P8 +>0 ulelong 8 A8 +>0 ulelong 9 RGB888 (bluescreen) +>0 ulelong 10 BGR888 (bluescreen) +>0 ulelong 11 ARGB8888 +>0 ulelong 12 BGRA8888 +>0 ulelong 13 DXT1 +>0 ulelong 14 DXT3 +>0 ulelong 15 DXT5 +>0 ulelong 16 BGRx8888 +>0 ulelong 17 BGR565 +>0 ulelong 18 BGRx5551 +>0 ulelong 19 BGRA4444 +>0 ulelong 20 DXT1+A1 +>0 ulelong 21 BGRA5551 +>0 ulelong 22 UV88 +>0 ulelong 23 UVWQ8888 +>0 ulelong 24 RGBA16161616F +>0 ulelong 25 RGBA16161616 +>0 ulelong 26 UVLX8888 # Main VTF header. 0 string VTF\0 Valve Texture Format ->4 lelong x v%u ->8 lelong x \b.%u ->0x10 leshort x \b, %u ->0x12 leshort >1 x %u +>4 ulelong x v%u +>8 ulelong x \b.%u +>0x10 uleshort x \b, %u +>0x12 uleshort >1 x %u >4 lequad 0x0000000700000002 ->>0x3F leshort >1 x %u ->0x18 leshort >1 \b, %u frames ->0x38 byte x \b, mipmaps: %u ->0x34 lelong >-1 \b, +>>0x3F uleshort >1 x %u +>0x18 uleshort >1 \b, %u frames +>0x38 ubyte x \b, mipmaps: %u +>0x34 ulelong >-1 \b, >>0x34 use vtf-image-format # Type: Valve VTF3 (PS3) texture. # From: David Korth <gerbilsoft@gerbilsoft.com> 0 string VTF3 Valve Texture Format (PS3) ->0x14 beshort x \b, %u ->0x16 beshort x \b x %u ->0x10 belong&0x2000 0 \b, DXT1 ->0x10 belong&0x2000 0x2000 \b, DXT5 +>0x14 ubeshort x \b, %u +>0x16 ubeshort x \b x %u +>0x10 ubelong&0x2000 0 \b, DXT1 +>0x10 ubelong&0x2000 0x2000 \b, DXT5 # Type: ASTC texture. # From: David Korth <gerbilsoft@gerbilsoft.com> # References: # - https://stackoverflow.com/questions/22600678/determine-internal-format-of-given-astc-compressed-image-through-its-header # - https://stackoverflow.com/a/22682244 -0 lelong 0x5ca1ab13 ASTC ->4 byte x %u ->5 byte x \bx%u ->6 byte >1 \bx%u +0 ulelong 0x5ca1ab13 ASTC +>4 ubyte x %u +>5 ubyte x \bx%u +>6 ubyte >1 \bx%u # X, Y, and Z dimensions are stored as 24-bit LE. # Pretend it's 32-bit and mask off the high byte. ->7 lelong&0x00FFFFFF x texture, %u ->10 lelong&0x00FFFFFF x x %u ->13 lelong&0x00FFFFFF >1 x %u +>7 ulelong&0x00FFFFFF x texture, %u +>10 ulelong&0x00FFFFFF x x %u +>13 ulelong&0x00FFFFFF >1 x %u # Zebra Metafile graphic # http://www.fileformat.info/format/zbr/egff.htm -0 beshort 0x9a02 Zebra Metafile graphic ->2 leshort 1 (version 1.x) ->2 leshort 2 (version 1.1x or 1.2x) ->2 leshort 3 (version 1.49) ->2 leshort 4 (version 1.50) +0 ubeshort 0x9a02 Zebra Metafile graphic +>2 uleshort 1 (version 1.x) +>2 uleshort 2 (version 1.1x or 1.2x) +>2 uleshort 3 (version 1.49) +>2 uleshort 4 (version 1.50) >4 string x (comment = %s) # Microsoft Paint graphic # http://www.fileformat.info/format/mspaint/egff.htm 0 string DanM icrosoft Paint image data (version 1.x) ->4 leshort x (%d ->>6 leshort x x %d) +>4 uleshort x (%d +>>6 uleshort x x %d) 0 string LinS Microsoft Paint image data (version 2.0) ->4 leshort x (%d ->>6 leshort x x %d) +>4 uleshort x (%d +>>6 uleshort x x %d) # reMarkable tablet internal file format (https://www.remarkable.com/) # https://github.com/ax3l/lines-are-beautiful @@ -2352,15 +3628,15 @@ >>>22 string selections >>>>33 string and >>>>>37 string layers ->>>>>>43 lelong x reMarkable tablet notebook lines, 1404 x 1872, %x page(s) +>>>>>>43 ulelong x reMarkable tablet notebook lines, 1404 x 1872, %x page(s) # newer per-page files for the reMarkable 0 string reMarkable >11 string .lines >>18 string file, >>>24 string version= ->>>>32 byte x reMarkable tablet page (v%c), 1404 x 1872, ->>>>>43 lelong x %d layer(s) +>>>>32 ubyte x reMarkable tablet page (v%c), 1404 x 1872, +>>>>>43 ulelong x %d layer(s) # Type: PVR3 texture. # From: David Korth <gerbilsoft@gerbilsoft.com> @@ -2425,18 +3701,18 @@ >0x18 ulelong x %u x >0x1C ulelong x %u >0x20 ulelong >1 x %u ->0x08 byte x \b, +>0x08 ubyte x \b, >0x0C ulelong 0 >>0x08 use pvr3-pixel-format >0x0C ulelong !0 ->>0x08 byte !0 %c ->>>0x0C byte !0 \b%u ->>0x09 byte !0 \b%c ->>>0x0D byte !0 \b%u ->>0x0A byte !0 \b%c ->>>0x0E byte !0 \b%u ->>0x0B byte !0 \b%c ->>>0x0F byte !0 \b%u +>>0x08 ubyte !0 %c +>>>0x0C ubyte !0 \b%u +>>0x09 ubyte !0 \b%c +>>>0x0D ubyte !0 \b%u +>>0x0A ubyte !0 \b%c +>>>0x0E ubyte !0 \b%u +>>0x0B ubyte !0 \b%c +>>>0x0F ubyte !0 \b%u >0x10 ulelong 1 \b, sRGB >0x04 ulelong&0x02 0x02 \b, premultiplied alpha @@ -2444,18 +3720,18 @@ >0x18 ubelong x %u x >0x1C ubelong x %u >0x20 ubelong >1 x %u ->0x08 byte x \b, +>0x08 ubyte x \b, >0x0C ubelong 0 >>0x08 use pvr3-pixel-format >0x0C ubelong !0 ->>0x0B byte !0 %c ->>>0x0F byte !0 \b%u ->>0x0A byte !0 \b%c ->>>0x0E byte !0 \b%u ->>0x09 byte !0 \b%c ->>>0x0D byte !0 \b%u ->>0x08 byte !0 \b%c ->>>0x0C byte !0 \b%u +>>0x0B ubyte !0 %c +>>>0x0F ubyte !0 \b%u +>>0x0A ubyte !0 \b%c +>>>0x0E ubyte !0 \b%u +>>0x09 ubyte !0 \b%c +>>>0x0D ubyte !0 \b%u +>>0x08 ubyte !0 \b%c +>>>0x0C ubyte !0 \b%u >0x10 ubelong 1 \b, sRGB >0x04 ubelong&0x02 0x02 \b, premultiplied alpha @@ -2466,64 +3742,64 @@ # XPR pixel formats. 0 name xbox-xpr-pixel-format ->0 byte 0x00 L8 ->0 byte 0x01 AL8 ->0 byte 0x02 ARGB1555 ->0 byte 0x03 RGB555 ->0 byte 0x04 ARGB4444 ->0 byte 0x05 RGB565 ->0 byte 0x06 ARGB8888 ->0 byte 0x07 xRGB8888 ->0 byte 0x0B P8 ->0 byte 0x0C DXT1 ->0 byte 0x0E DXT2 ->0 byte 0x0F DXT4 ->0 byte 0x10 Linear ARGB1555 ->0 byte 0x11 Linear RGB565 ->0 byte 0x12 Linear ARGB8888 ->0 byte 0x13 Linear L8 ->0 byte 0x16 Linear R8B8 ->0 byte 0x17 Linear G8B8 ->0 byte 0x19 A8 ->0 byte 0x1A A8L8 ->0 byte 0x1B Linear AL8 ->0 byte 0x1C Linear RGB555 ->0 byte 0x1D Linear ARGB4444 ->0 byte 0x1E Linear xRGB8888 ->0 byte 0x1F Linear A8 ->0 byte 0x20 Linear A8L8 ->0 byte 0x24 YUY2 ->0 byte 0x25 UYVY ->0 byte 0x27 L6V5U5 ->0 byte 0x28 V8U8 ->0 byte 0x29 R8B8 ->0 byte 0x2A D24S8 ->0 byte 0x2B F24S8 ->0 byte 0x2C D16 ->0 byte 0x2D F16 ->0 byte 0x2E Linear D24S8 ->0 byte 0x2F Linear F24S8 ->0 byte 0x30 Linear D16 ->0 byte 0x31 Linear F16 ->0 byte 0x32 L16 ->0 byte 0x33 V16U16 ->0 byte 0x35 Linear L16 ->0 byte 0x36 Linear V16U16 ->0 byte 0x37 Linear L6V5U5 ->0 byte 0x38 RGBA5551 ->0 byte 0x39 RGBA4444 ->0 byte 0x3A QWVU8888 ->0 byte 0x3B BGRA8888 ->0 byte 0x3C RGBA8888 ->0 byte 0x3D Linear RGBA5551 ->0 byte 0x3E Linear RGBA4444 ->0 byte 0x3F Linear ABGR8888 ->0 byte 0x40 Linear BGRA8888 ->0 byte 0x41 Linear RGBA8888 ->0 byte 0x64 Vertex Data +>0 ubyte 0x00 L8 +>0 ubyte 0x01 AL8 +>0 ubyte 0x02 ARGB1555 +>0 ubyte 0x03 RGB555 +>0 ubyte 0x04 ARGB4444 +>0 ubyte 0x05 RGB565 +>0 ubyte 0x06 ARGB8888 +>0 ubyte 0x07 xRGB8888 +>0 ubyte 0x0B P8 +>0 ubyte 0x0C DXT1 +>0 ubyte 0x0E DXT2 +>0 ubyte 0x0F DXT4 +>0 ubyte 0x10 Linear ARGB1555 +>0 ubyte 0x11 Linear RGB565 +>0 ubyte 0x12 Linear ARGB8888 +>0 ubyte 0x13 Linear L8 +>0 ubyte 0x16 Linear R8B8 +>0 ubyte 0x17 Linear G8B8 +>0 ubyte 0x19 A8 +>0 ubyte 0x1A A8L8 +>0 ubyte 0x1B Linear AL8 +>0 ubyte 0x1C Linear RGB555 +>0 ubyte 0x1D Linear ARGB4444 +>0 ubyte 0x1E Linear xRGB8888 +>0 ubyte 0x1F Linear A8 +>0 ubyte 0x20 Linear A8L8 +>0 ubyte 0x24 YUY2 +>0 ubyte 0x25 UYVY +>0 ubyte 0x27 L6V5U5 +>0 ubyte 0x28 V8U8 +>0 ubyte 0x29 R8B8 +>0 ubyte 0x2A D24S8 +>0 ubyte 0x2B F24S8 +>0 ubyte 0x2C D16 +>0 ubyte 0x2D F16 +>0 ubyte 0x2E Linear D24S8 +>0 ubyte 0x2F Linear F24S8 +>0 ubyte 0x30 Linear D16 +>0 ubyte 0x31 Linear F16 +>0 ubyte 0x32 L16 +>0 ubyte 0x33 V16U16 +>0 ubyte 0x35 Linear L16 +>0 ubyte 0x36 Linear V16U16 +>0 ubyte 0x37 Linear L6V5U5 +>0 ubyte 0x38 RGBA5551 +>0 ubyte 0x39 RGBA4444 +>0 ubyte 0x3A QWVU8888 +>0 ubyte 0x3B BGRA8888 +>0 ubyte 0x3C RGBA8888 +>0 ubyte 0x3D Linear RGBA5551 +>0 ubyte 0x3E Linear RGBA4444 +>0 ubyte 0x3F Linear ABGR8888 +>0 ubyte 0x40 Linear BGRA8888 +>0 ubyte 0x41 Linear RGBA8888 +>0 ubyte 0x64 Vertex Data 0 string XPR0 Microsoft Xbox XPR0 texture ->0x19 byte x \b, format: +>0x19 ubyte x \b, format: >>0x19 use xbox-xpr-pixel-format # ILDA Image Data Transfer Format @@ -2531,39 +3807,413 @@ # # Updated by Chuck Hein (laser@geekdude.com) # -0 string ILDA ILDA Image Data Transfer Format ->7 byte 0x00 3D Coordinates with Indexed Color ->7 byte 0x01 2D Coordinates with Indexed Color ->7 byte 0x02 Color Palette ->7 byte 0x04 3D Coordinates with True Color ->7 byte 0x05 2D Coordinates with True Color ->8 string >0 \b, palette %s ->16 string >0 \b, company %s ->24 beshort >0 \b, number of records %d ->>26 beshort x \b, palette number %d ->>28 beshort >0 \b, number of frames %d ->>30 byte >0 \b, projector number %d +0 string ILDA ILDA Image Data Transfer Format +>7 ubyte 0x00 3D Coordinates with Indexed Color +>7 ubyte 0x01 2D Coordinates with Indexed Color +>7 ubyte 0x02 Color Palette +>7 ubyte 0x04 3D Coordinates with True Color +>7 ubyte 0x05 2D Coordinates with True Color +>8 string >0 \b, palette %s +>16 string >0 \b, company %s +>24 ubeshort >0 \b, number of records %d +>>26 ubeshort x \b, palette number %d +>>28 ubeshort >0 \b, number of frames %d +>>30 ubyte >0 \b, projector number %d # Dropbox "lepton" compressed jpeg format # https://github.com/dropbox/lepton -0 belong&0xfffff0ff 0xcf84005a Lepton image file ->2 byte x (version %d) +0 ubelong&0xfffff0ff 0xcf84005a Lepton image file +>2 ubyte x (version %d) # Apple QuickTake camera raw images # https://en.wikipedia.org/wiki/Apple_QuickTake # dcraw can decode them 0 name quicktake ->4 belong 8 ->>544 beshort x \b, %dx ->>546 beshort x \b%d ->4 belong 4 ->>546 beshort x \b, %dx ->>544 beshort x \b%d +>4 ubelong 8 +>>544 ubeshort x \b, %dx +>>546 ubeshort x \b%d +>4 ubelong 4 +>>546 ubeshort x \b, %dx +>>544 ubeshort x \b%d 0 string qktk Apple QuickTake 100 Raw Image >0 use quicktake 0 string qktn ->4 byte 0 Apple QuickTake 150 Raw Image ->4 byte >0 Apple QuickTake 200 Raw Image +>4 ubyte 0 Apple QuickTake 150 Raw Image +>4 ubyte >0 Apple QuickTake 200 Raw Image >0 use quicktake + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Corel_Photo-Paint_image +# Reference: http://blog.argasinski.eu/wp-content/uploads/2011/08/cpt-specification-0.01.pdf +0 string CPT +>4 string FILE Corel Photo-Paint image, version +# version like 7, 9 or 8 +>>3 ubyte x %c, +!:mime image/x-corel-cpt +!:ext cpt +# if blocks_array_offset available jump blockNumber*8 bytes +>>0x34 ulelong >0 +>>>(0x28.l*8) ubyte x +# jump additional stored blocks_array_offset bytes forward to object block +>>>>&(0x34.l-1) ulelong x %u +# object height in pixels +>>>>>&0 ulelong x x %u +# if no blocks_array_offset available jump blockNumber*8 bytes +>>0x34 ulelong =0 +>>>(0x28.l*8) ubyte x +# jump additional 0x13C bytes forward to object block +>>>>&0x13B ulelong x %u +>>>>>&0 ulelong x x %u +# image color model used +>>0x8 ulelong x +>>>0x8 ulelong 0x1 RGB 24 bits +>>>0x8 ulelong 0x3 CMYK 24 bits +>>>0x8 ulelong 0x5 greyscale 8 bits +>>>0x8 ulelong 0x6 black and white 1 bit +>>>0x8 ulelong 0xA RGB 8 bits +# palette_length number of colors * 3 in case of 8-bit RGB paletted image +# 0 otherwise. Allowed values: 0 or [1..256] * 3 +#>>0xC ulelong >0 \b, palette length %u +>>>>0xC ulelong/3 <256 \b, %u colors +>>>0x8 ulelong 0xB LAB +>>>0x8 ulelong 0xC RGB 48 bits +>>>0x8 ulelong 0xE greyscale 16 bits +# this should not happen +>>>0x8 default x color model +>>>>0x8 ulelong x %#x +# bit 1 in CPT file flags: UCS-2 file comment present +>>0x31 ubyte &0x02 +# look for comment marker +>>>0x100 search/0xc9d \4\2\0\0 +# UCS-2 file comment +>>>>&0 lestring16 x "%s" +# if no UCS-2 is present show ANSI file comment[112] if available +>>0x31 ubyte&0x02 =0 +>>>0x3C string >\0 "%-.112s" +# reserved seems to be always 0 +#>>0x10 ulelong >0 \b, reserved1 %u +# horizontal real dpi = dpi_h * 25.4 / 10**6 +>>0x18 ulelong x \b, %u micro dots/mm +# image vertical DPI in CPT DPI unit +#>>0x1C ulelong x \b, %u micro dots/mm +# reserved seems to be always 0 +#>>0x20 ulelong >0 \b, reserved2 %u +#>>0x24 ulelong >0 \b, reserved3 %u +# blocks_count; number of CPT_Block blocks. Allowed values: > 0 +>>0x28 ulelong x \b, %u block +# plural s +>>0x28 ulelong !1 \bs +# CPT file flags +# lower byte of CPT file flags: 0x94~CPT9FILE 0x01~often CPT7FILE 0x8C~CPT8FILE +#>>0x30 ubyte x \b, lower flags %#x +# upper byte of CPT file flags: +#>>0x31 ubyte >0 \b, upper flags %#x +# bit 2 in CPT file flags: unknown +#>>0x31 ubyte &0x04 \b, with UNKNOWN +# bits 3-7 in CPT file flags: unknown, seem to be often 0 +# show unusual flag combinations +>>0x31 ubyte&0xFC >0 +>>>0x30 uleshort x \b, flags %#4.4x +# reserved seems to be always 0 +#>>0x32 uleshort >0 \b, reserved4 %#x +# blocks_array_offset is always 0 for CPT7 and CPT8 files created by PP7-PP8 +# typical values like: 13Ch 154h 43Ch 4F0h DA8h +>>0x34 ulelong x \b, array offset %#x +# reserved seems to be often 0 +>>0x38 ulelong >0 \b, reserved5 %#x +# possible next master block +#>>0x100 ubequad !0 \b, next block=%#llx... +# bit 0: ICC profile block present +>>0x31 ubyte &0x01 \b, with ICC profile +# check for characteristic string acsp of color profile for DEBUGGING +#>>>0x178 string x icc=%.4s +# display ICC/ICM color profile by ./icc +#>>>0x154 use color-profile + +# URL: http://fileformats.archiveteam.org/wiki/CorelDRAW +# https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-gen.trid.xml +# Note: called "CorelDRAW drawing (generic)" by TrID +# version til 2 WL-based; from version 3 til 13 handled by ./riff and from 14 zip based handled by ./archive +0 ubelong&0xFFffF7ff 0x574C6500 Corel Draw Picture +#!:mime image/x-coreldraw +!:mime application/vnd.corel-draw +!:ext cdr +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-10.trid.xml +# Note: called "CorelDRAW drawing (v1.0)" by TrID and +# "CorelDraw Drawing" with version "1.0" by DROID via PUID fmt/467 +# only DROID fmt-467-signature-id-726.cdr example +>2 ubyte 0x65 \b, version 1.0 +#>>4 ubelong !0x45000000 \b, at 4 %#8.8x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-20.trid.xml +# Note: called "CorelDRAW drawing (v2.0)" by TrID and +# "CorelDraw Drawing" with version "2.0" by DROID via PUID fmt/466 +>2 ubyte 0x6D \b, version 2.0 +# According to DROID 0xed080000 or 0x25050000 +#>>4 ubelong !0xed080000 +#>>>4 ubelong !0x25050000 \b, at 4 %#8.8x + +# Type: Crunch compressed texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/BinomialLLC/crunch/blob/44c8402e24441c7524ca364941fd224ab3b971e9/inc/crn_decomp.h#L267 +0 ubelong 0x4878004A Crunch compressed texture: +>0x0C ubeshort x %u x +>0x0E ubeshort x %u +>0x12 ubyte 0 \b, DXT1 +>0x12 ubyte 1 \b, DXT3 +>0x12 ubyte 2 \b, DXT5 +>0x12 ubyte 3 \b, DXT5 CCxY +>0x12 ubyte 4 \b, DXT5 xGxR +>0x12 ubyte 5 \b, DXT5 xGBR +>0x12 ubyte 6 \b, DXT5 AGBR +>0x12 ubyte 7 \b, DXn XY +>0x12 ubyte 8 \b, DXn YX +>0x12 ubyte 9 \b, DXT5 Alpha +>0x12 ubyte 10 \b, ETC1 +>0x10 ubyte >1 \b, %u images +>0x11 ubyte >1 \b, %u faces +# TODO: Flags at 0x13? (ubeshort) + +# Type: BasisLZ compressed texture. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/BinomialLLC/basis_universal/blob/master/spec/basis_spec.txt +0 uleshort 0x4273 +>0x04 uleshort 0x4D BasisLZ +>>0x02 uleshort x v%x compressed texture: +>>0x14 ubyte 0 ETC1S +>>0x14 ubyte 1 UASTC 4x4 +>>0x0E ulelong&0xFFFFFF >1 \b, %u slices +>>0x11 ulelong&0xFFFFFF >1 \b, %u images +>>0x15 uleshort&0x02 2 \b, Y-flipped + +# MIME registration: https://www.iana.org/assignments/media-types/model/e57 +# Sample files: http://www.libe57.org/data.html +# Reference implementation: http://www.libe57.org/ +# https://www.ri.cmu.edu/pub_files/2011/1/2011-huber-e57-v3.pdf +0 string ASTM-E57 ASTM E57 three-dimensional model +!:mime model/e57 +!:ext e57 + +# QOI [Quite OK Image Format] images +# (Horia Mihai David, mihaidavid@posteo.net) +# +# QOI format by Dominic Szablewski <http://phoboslab.org/> +# <https://qoiformat.org/> +# +# Based on spec v1.0 (2022.01.05) <https://qoiformat.org/qoi-specification.pdf> + +0 string qoif QOI image data +!:ext qoi +!:mime image/x-qoi +# See <https://github.com/phoboslab/qoi/issues/167> +>4 ubelong x %ux +>8 ubelong x \b%u, +>>13 ubyte 0 s +>>>12 ubyte 3 \bRGB +>>>12 ubyte 4 \bRGBA +>>>12 default x +>>>>12 ubyte x \b*bad channels %u* +>>>13 ubyte 0 (linear alpha) +>>13 ubyte 1 +>>>12 ubyte 3 RGB +>>>12 ubyte 4 RGBA +>>>13 ubyte 1 (all channels linear) +>>13 default x +>>>13 ubyte x *bad colorspace %u* + + +# Type: Godot 3, 4 texture (pixel format) +# From: David Korth <gerbilsoft@gerbilsoft.com> +0 name godot-pixel-format +>0 ulelong&0xFFFFF 0 L8 +>0 ulelong&0xFFFFF 1 LA8 +>0 ulelong&0xFFFFF 2 R8 +>0 ulelong&0xFFFFF 3 RG8 +>0 ulelong&0xFFFFF 4 RGB8 +>0 ulelong&0xFFFFF 5 RGBA8 +>0 ulelong&0xFFFFF 6 RGBA4444 +>0 ulelong&0xFFFFF 7 RGB565 +>0 ulelong&0xFFFFF 8 RF +>0 ulelong&0xFFFFF 9 RGF +>0 ulelong&0xFFFFF 10 RGBF +>0 ulelong&0xFFFFF 11 RGBAF +>0 ulelong&0xFFFFF 12 RH +>0 ulelong&0xFFFFF 13 RGH +>0 ulelong&0xFFFFF 14 RGBH +>0 ulelong&0xFFFFF 15 RGBAH +>0 ulelong&0xFFFFF 16 RGBE9995 +>0 ulelong&0xFFFFF 17 DXT1 +>0 ulelong&0xFFFFF 18 DXT3 +>0 ulelong&0xFFFFF 19 DXT5 +>0 ulelong&0xFFFFF 20 RGTC_R +>0 ulelong&0xFFFFF 21 RGTC_RG +>0 ulelong&0xFFFFF 22 BPTC_RGBA +>0 ulelong&0xFFFFF 23 BPTC_RGBF +>0 ulelong&0xFFFFF 24 BPTC_RGBFU +>0 ulelong&0xFFFFF 25 PVRTC1_2 +>0 ulelong&0xFFFFF 26 PVRTC1_2A +>0 ulelong&0xFFFFF 27 PVRTC1_4 +>0 ulelong&0xFFFFF 28 PVRTC1_4A +>0 ulelong&0xFFFFF 29 ETC +>0 ulelong&0xFFFFF 30 ETC2_R11 +>0 ulelong&0xFFFFF 31 ETC2_R11S +>0 ulelong&0xFFFFF 32 ETC2_RG11 +>0 ulelong&0xFFFFF 33 ETC2_RG11S +>0 ulelong&0xFFFFF 34 ETC2_RGB8 +>0 ulelong&0xFFFFF 35 ETC2_RGBA8 +>0 ulelong&0xFFFFF 36 ETC2_RGB8A1 +>0 ulelong&0xFFFFF 37 ASTC_8x8 + +# Type: Godot 3, 4 texture (rescale display, width) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Shows rescale value if it's not a power of 2. +0 name godot-rescale-display-w +>0 uleshort 0 +>0 uleshort 1 +>0 uleshort 2 +>0 uleshort 4 +>0 uleshort 8 +>0 uleshort 16 +>0 uleshort 32 +>0 uleshort 64 +>0 uleshort 128 +>0 uleshort 256 +>0 uleshort 512 +>0 uleshort 1024 +>0 uleshort 2048 +>0 uleshort 4096 +>0 uleshort 8192 +>0 uleshort 16384 +>0 uleshort 32768 +>0 default x +>>0 uleshort x (rescale to %u x + +# Type: Godot 3, 4 texture (rescale display, height) +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Shows rescale value if it's not a power of 2. +0 name godot-rescale-display-h +>0 clear x +>0 uleshort 0 +>0 uleshort 1 +>0 uleshort 2 +>0 uleshort 4 +>0 uleshort 8 +>0 uleshort 16 +>0 uleshort 32 +>0 uleshort 64 +>0 uleshort 128 +>0 uleshort 256 +>0 uleshort 512 +>0 uleshort 1024 +>0 uleshort 2048 +>0 uleshort 4096 +>0 uleshort 8192 +>0 uleshort 16384 +>0 uleshort 32768 +>0 default x +>>0 uleshort x %u) + +# Type: Godot 3 texture +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/godotengine/godot/blob/3.3/core/image.h +# - https://github.com/godotengine/godot/blob/3.3/scene/resources/texture.cpp +# - https://github.com/godotengine/godot/blob/3.3/scene/resources/texture.h +# TODO: Don't show "rescale to" if it matches the image size. +0 string GDST Godot 3 texture: +!:ext stex +!:mime image/x-godot-stex +>4 uleshort x %u x +>8 uleshort x %u +>6 uleshort 0 \b, +>6 uleshort !0 +>>6 use godot-rescale-display-w +>>10 use godot-rescale-display-h +>>10 uleshort x \b, +>16 ulelong&0x800000 !0 has mipmaps, +>16 ulelong&0x100000 0x100000 lossless encoding +>16 ulelong&0x200000 0x200000 lossy encoding +>16 ulelong&0x300000 0 +>>16 use godot-pixel-format + +# Type: Godot 4 texture +# From: David Korth <gerbilsoft@gerbilsoft.com> +# References: +# - https://github.com/godotengine/godot/blob/master/core/io/image.h +# - https://github.com/godotengine/godot/blob/master/scene/resources/texture.cpp +# - https://github.com/godotengine/godot/blob/master/scene/resources/texture.h +# TODO: Don't show "rescale to" if it matches the image size. +0 string GST2 Godot 4 texture +!:ext stex +!:mime image/x-godot-stex +>4 ulelong x v%u: +>0x28 uleshort x %u x +>0x2A uleshort x %u +>8 use godot-rescale-display-w +>12 use godot-rescale-display-h +>12 uleshort x \b, +>0x2C ulelong >1 %u mipmaps, +>0x30 use godot-pixel-format +>0x24 ulelong 1 \b, embedded PNG image +>0x24 ulelong 2 \b, embedded WebP image +>0x24 ulelong 3 \b, Basis Universal + +# Summary: iCEDraw graphic *.IDF +# URL: http://fileformats.archiveteam.org/wiki/ICEDraw +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf-icedraw.trid.xml +# From: Joerg Jenderek +# Note: called "iCEDraw graphic" by TrID, "iCEDraw text" by FFmpeg and "iCE Draw" by Ansilove +# verified by FFmpeg command `ffprobe ICE-9605.IDF` and `ansilove -s SQ-FORCE.IDF` +0 string \0041.4\0\0\0\0O\0 iCEDraw graphic +#!:mime application/octet-stream +!:mime image/x-idf +!:ext idf + +# Type: ColoRIX VGA Paint Image File (.rix/.sci/.scX) +# From: Eddy Jansson <github.com/eloj> +# Reference: https://www.fileformat.info/format/rix/spec/ +# +0 name rix-header +>0 uleshort x \b, %u x +>2 uleshort x %u +# palette type: +# .. if direct color, low bits encode bpp +>4 ubyte&128 0 +>>4 ubyte&127 x \b %u bpp (direct color) +# .. else palette +>4 ubyte&128 128 +>>4 ubyte&7 0 \b x 2 +>>4 ubyte&7 1 \b x 4 +>>4 ubyte&7 2 \b x 8 +>>4 ubyte&7 3 \b x 16 +>>4 ubyte&7 4 \b x 32 +>>4 ubyte&7 5 \b x 64 +>>4 ubyte&7 6 \b x 128 +>>4 ubyte&7 7 \b x 256 +# storage type +#>5 ubyte&15 0 \b, Linear +>5 ubyte&15 1 \b, Planar (0213) +>5 ubyte&15 2 \b, Planar +>5 ubyte&15 3 \b, Text +>5 ubyte&15 4 \b, Planar lines +>5 ubyte&128 128 \b (compressed) +>5 ubyte&64 64 \b (extension) +>5 ubyte&32 32 \b (encrypted) + +0 string RIX3 ColoRIX Image +>4 use rix-header + +0 string RIX7 ColoRIX Slideshow + +# http://fileformats.archiveteam.org/wiki/PaperPort_(MAX) +0 string ViG Visioneer PaperPort +>3 string Ae 2 +>3 string Be 2 +>3 string Cj 3-4 +>3 string Em 5-7 +>3 string Fk 8-12 +>3 default x MAX diff --git a/contrib/file/magic/Magdir/intel b/contrib/file/magic/Magdir/intel index ba25d983411a..5177fea45785 100644 --- a/contrib/file/magic/Magdir/intel +++ b/contrib/file/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.18 2020/04/18 16:19:03 christos Exp $ +# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -37,13 +37,22 @@ # ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 0 leshort =0514 -# use subroutine to display name+flags+variables for common object formated files +# use subroutine to display name+flags+variables for common object formatted files >0 use display-coff #>12 lelong >0 not stripped # no hint found, that at offset 22 is version #>22 leshort >0 - version %d 0 leshort 0x0200 ->0 use display-coff +# no F_EXEC flag bit implies Intel ia64 COFF object file without optional header +>18 leshort ^0x0002 +# skip some DEGAS high-res uncompressed bitmap *.pi3 handled by ./images like +# GEMINI03.PI3 MODEM2.PI3 POWERFIX.PI3 sigirl1.pi3 vanna5.pi3 +# by test for valid starting character (often point 0x2E) of 1st section name +>>20 ubyte >0x1F +>>>0 use display-coff +# F_EXEC flag bit implies Intel ia64 COFF executable +>18 leshort &0x0002 +>>0 use display-coff 0 leshort 0x8664 >0 use display-coff @@ -52,16 +61,191 @@ # From: Alex Myczko <alex@aiei.ch> # updated by Joerg Jenderek # https://en.wikipedia.org/wiki/Option_ROM -0 beshort 0x55AA BIOS (ia32) ROM Ext. -!:mime application/octet-stream +# URL: http://fileformats.archiveteam.org/wiki/BIOS +# Reference: http://www.lejabeach.com/sisubb/BIOS_Disassembly_Ninjutsu_Uncovered.pdf +0 beshort 0x55AA +# skip misidentified raspberry pi pieeprom-*.bin by check for +# unlikely high ROM size (0xF0*512=240*512) and not observed start instruction 0x0F +>2 ubeshort !0xF00F +# skip 2 byte sized eof.bin with start magic +>>0 use rom-x86 +0 name rom-x86 +>0 beshort x BIOS (ia32) ROM Ext. +#!:mime application/octet-stream +!:mime application/x-ibm-rom !:ext rom/bin ->5 string USB USB ->7 string LDR UNDI image +################################################################################ +# not Plug aNd Play ($PnP) like 00000000 (ide_xtp.bin kvmvapic.bin V7VGA.ROM) 000000fc (MCT-VGA.bin) +# 55aaf00f (pieeprom-*.bin) 55aa40e9 (Trm3x5.bin) 24506f4f (sgabios-bin.rom) +# 55aa4be9 (vgabios-stdvga.rom vgabios-cirrus-bin.rom vgabios-vmware-bin.rom) +>(26.s) ubelong !0x24506e50 +#>(26.s) ubelong !0x24506e50 NOT PNP=%8.8x +# also not PCI (PCIR) implies "old" ISA cards or foo like: 8a168404 (MCT-VGA.bin) +# 55aaf00f (pieeprom*.bin) +>>(24.s) ubelong !0x50434952 +#>>(24.s) ubelong !0x50434952 ISA CARD=%8.8x +# "old" identification strings used in file version 5.41 and earlier +# probably an USB controller +>>>5 string USB USB +# probably https://en.wikipedia.org/wiki/Preboot_Execution_Environment +>>>7 string LDR UNDI image +# probably another Adaptec SCSI controller +>>>26 string Adaptec Adaptec +# http://minuszerodegrees.net/rom/bin/adaptec_aha1542cp_bios_908501-00.bin +# already done by PNP variant +#>>>28 string Adaptec Adaptec +# probably Promise SCSI controller +>>>42 string PROMISE Promise +# old test for IBM compatible Video cards; INTERNAL FACTS WHY IS THIS WORKING? >30 string IBM IBM comp. Video ->26 string Adaptec Adaptec ->28 string Adaptec Adaptec ->42 string PROMISE Promise ->2 byte x (%d*512) +# display exact text for IBM compatible Video cards with longer text +>>33 ubyte !0 +>>>30 string x "%s" +# http://minuszerodegrees.net/rom/bin/unknown/MCT-VGA-16%20-%20TDVGA%203588%20BIOS%20Version%20V1.04A.zip +# "IBM COMPATIBLETDVGA 3588 BIOS Version V1.04A2+" "MCT-VGA-16 - TDVGA 3588 BIOS Version V1.04A.bin" +# "IBM VGA Compatible\001" NVidia44.bin +# "IBM EGA ROM Video Seven BIOS Code, Version 1.04" V7VGA.ROM +# "IBM" vgabios-stdvga.rom +# "IBM" vgabios-vmware-bin.rom: +# "IBM" vgabios-cirrus-bin.rom +# "IBM" vgabios-virtio-bin.rom +################################################################################ +# ROM size in 512B blocks must be interpreted as unsigned for ROM of network cards +# like: efi-eepro100.rom efi-rtl8139.rom pxe-e1000.rom +>2 ubyte x (%u*512) +# file name file size calculated size remark +# eof.bin 2 - with start magic nothing is shown here +# orchid.bin 188 0 =0*512 on window 95 CD in Drivers\audio\orchid3d +# multiboot.bin 1024 1024 =2*512 QEMU emulator +# loader1.bin 512 2048 =4*512 +# ide_xtp.bin 8192 8192 =16*512 +# kvmvapic.bin 9216 9216 =18*512 +# V7VGA.ROM 18832 16384 =32*512 +# adaptec1542.bin 32768 16384 =32*512 +# MCT-VGA.bin 32768 24576 =48*512 +# 2975BIOS.BIN 32768 32256 =63*512 +# efi-e1000.rom 196608 64000 =125*512 +# efi-rtl8139.rom 176640 66048 =129*512 +# pieeprom*.bin 524288 122880 =240*512 +################################################################################ +# initialization vector with executable code; often near JuMP instruction E9 yy zz +>3 ubyte =0xE9 jmp +# jmp offset like: 008fh 0093h 009fh 00afh 0143h 3ad7h 5417h 54ech 594dh 895fh +>>4 uleshort x %#4.4x +# for initialization vector samples without 3 byte jump instruction +>3 ubyte !0xE9 instruction +# eb4b3734h NVidia44.bin +# 00003234h V7VGA.ROM +# 060e0731h kvmvapic.bin +# cb000000h linuxboot-bin.rom +# e80d0fcbh PXE-Intel.rom +# b8004875h orchid.bin +>>3 ubelong x %#8.8x +# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f +#>2 ubeshort x \b, AT 2 %#4.4x +################################################################################ +# new sections for BIOS (ia32) ROM Extension +# 4 bytes ASCII Signature "$PnP" for Plug aNd Play expansion header +>(26.s) string =$PnP \b; +#>(26.s) string =$PnP FOUND $PnP +# at 1Ah possible offset to expansion header structure; new for Plug aNd Play +>>26 uleshort x at %#x PNP +# Plug and Play vendor+device ID like: 0 0x000f1000 (2975BIOS.BIN) 0x31121095 (4243.bin) 0x04904215 (adaptec1542.bin) +#>>(26.s+0x0A) ulelong !0 NOT-nullID=%8.8x +>>(26.s+0x0A) uleshort !0 +# show PnP Vendor identification in human readable text form instead of numeric +# For adaptec_ava1515_bios_585201-00.bin reverted endian! BUT IS THIS ALWAYS TRUE? +>>>(26.s+0x0C) use \^PCI-vendor +>>>(26.s+0x0A) ubeshort x device=%#4.4x +# 3 byte Device type code; probably the same meaning as in PCI section? +# OK for storage controller SCSI (2975BIOS.BIN adaptec1542.bin) +# and network controller ethernet (efi-e1000.rom efi-rtl8139.rom) +>>(26.s+0x12) use PCI-class +# structure revision like: 01h +>>(26.s+4) ubyte !1 \b, revision %u +# PnP Header structure length in multiple of 16 bytes like: 2 +>>(26.s+5) uleshort !2 \b, length %u*16 +# offset to next header; 0 if none +>>(26.s+7) uleshort !0 \b, at %#x next header +# reserved byte; seems to be zero +>>(26.s+8) ubyte !0 \b, reserved %#x +# 8-bit checksum for this header; calculated and patched by patch2pnprom +>>(26.s+9) ubyte !0 \b, CRC %#x +# pointer to optional manufacturer string; like: 0 (4243.bin) 59h 5ch 60h c7h 14eh 27ch 296h 324h 3662h +>>(26.s+0x0E) uleshort >0 \b, at %#x +>>>(26.s+0x0C) uleshort x +# manufacturer ASCII-Z string like "http://ipxe.org" "Plop - Elmar Hanlhofer www.plop.at" "QEMU" +>>>>(&0.s) string x "%s" +# pointer to optional product string; like: 0 (2975BIOS.BIN) 6ch 70h 7ch d9h 160h 281h 29bh 329h +>>(26.s+0x10) uleshort >0 \b, at %#x +>>>(26.s+0x0E) uleshort x +# often human readable product ASCII-Z string like "iPXE" "Plop Boot Manager" +# "multiboot loader" "Intel UNDI, PXE-2.0 (build 082)" +>>>>(&0.s) string x "%s" +# PnP Device indicators; contains bits that identify the device as being capable of bootable +#>>(26.s+0x15) ubyte x \b, INDICATORS %#x +# device is a display device +>>(26.s+0x15) ubyte &0x01 \b, display +# device is an input device +>>(26.s+0x15) ubyte &0x02 \b, input +# device is an IPL device +>>(26.s+0x15) ubyte &0x04 \b, IPL +#>>(26.s+0x15) ubyte &0x08 reserved +# ROM is only required if this device is selected as a boot device +>>(26.s+0x15) ubyte &0x10 \b, bootable +# indicates ROM is read cacheable +>>(26.s+0x15) ubyte &0x20 \b, cacheable +# ROM may be shadowed in RAM +>>(26.s+0x15) ubyte &0x40 \b, shadowable +# ROM supports the device driver initialization model +>>(26.s+0x15) ubyte &0x80 \b, InitialModel +# boot connection vector; an offset to a routine that hook into INT 9h, INT 10h, or INT 13h +# 0 means disabled 0x0429 (4650_sr5.bin) 0x0072 (adaptec1542.bin) +>>(26.s+0x16) uleshort !0 \b, boot vector offset %#x +# disconnect vector; offset to routine that do cleanup from an unsuccessful boot attempt +>>(26.s+0x18) uleshort !0 \b, disconnect offset %#x +# bootstrap entry point/vector (BEV); offset to a routine (like RPL) that hook into INT 19h +# 0 means disabled 0x3c (multiboot.bin) 0x358 (efi-rtl8139.rom) 0xae7 (PXE-Intel.rom) +>>(26.s+0x1A) uleshort !0 \b, bootstrap offset %#x +# 2nd reserved area; seems to be zero +>>(26.s+0x1C) uleshort !0 \b, 2nd reserved %#x +# static resource information vector; 0 means disabled +>>(26.s+0x1E) uleshort !0 \b, static offset %#4.4x +################################################################################ +# 4 bytes ASCII Signature "PCIR" for PCI Data Structure +#>(24.s) string =PCIR FOUND PCIR +>(24.s) string =PCIR \b; +# pointer to PCI data structure like: 1Ch 38h 104h 8E44h +>>24 uleshort x at %#x PCI +# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids +#>>(24.s+4) uleshort x ID=%4.4x +# show Vendor identification in human readable text form instead of numeric +>>(24.s+4) use PCI-vendor +# device identification (ID) +>>(24.s+6) uleshort x device=%#4.4x +# Base+sub class code https://wiki.osdev.org/PCI +>>(24.s+0x0D) use PCI-class +# pointer to vital product data (VPD); 0 indicates no VPD; WHAT EXACTLY iS VPD? +>>(24.s+8) uleshort !0 \b, at %#x VPD +# PCI data structure length like: 24h 28h +>>(24.s+0xA) uleshort >0x28 \b, length %u +# PCI data structure revision like: 0 3 +>>(24.s+0xC) ubyte >0 \b, revision %u +# image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83 +# Apparently this gives the same information as given by byte at offset 2 but as 16-bit +#>>(24.s+0x10) uleshort x \b, length %u*512 +# revision level of code/data like: 0 1 201h 502h +>>(24.s+0xC) ubyte >1 \b, code revision %#x +# code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved +>>(24.s+0x14) ubyte >0 \b, code type %#x +# last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved +>>(24.s+0x15) ubyte >0 +>>>(24.s+0x15) ubyte =0x80 \b, last ROM +# THIS SHOULD NOT HAPPEN! +>>>(24.s+0x15) ubyte !0x80 \b, indicator %x +# 3rd reserved area; seems to be zero in most cases but not for +# efi-e1000.rom efi-rtl8139.rom +>>(24.s+0x16) ubeshort !0 \b, 3rd reserved %#x # Flash descriptors for Intel SPI flash roms. # From Dr. Jesus <j@hug.gs> @@ -118,7 +302,7 @@ # length, in bytes, of the entire DSDT (including the header) >>4 ulelong x \b, %u bytes # entire table must sum to zero -#>>9 ubyte x \b, checksum 0x%x +#>>9 ubyte x \b, checksum %#x # vendor ID for the ASL Compiler like: INTL MSFT ... >>28 string >\0 \b, created by %.4s # revision number of the ASL Compiler like: 20051117 20140724 20190703 20200110 ... diff --git a/contrib/file/magic/Magdir/java b/contrib/file/magic/Magdir/java index b9854e54c159..d36127553513 100644 --- a/contrib/file/magic/Magdir/java +++ b/contrib/file/magic/Magdir/java @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: java,v 1.21 2019/02/18 17:58:50 christos Exp $ +# $File: java,v 1.22 2023/01/11 23:59:49 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". @@ -43,3 +43,10 @@ >6 leshort >0x00 \b, version %d >4 leshort x \b.%d !:mime application/x-java-image + +# JAR Manifest & Signature File +# Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html +0 string/t Manifest-Version:\x201.0 JAR Manifest +!:ext MF +0 string/t Signature-Version:\x201.0 JAR Signature File +!:ext SF diff --git a/contrib/file/magic/Magdir/javascript b/contrib/file/magic/Magdir/javascript index 7fa9d9d404ca..90a09cce46a2 100644 --- a/contrib/file/magic/Magdir/javascript +++ b/contrib/file/magic/Magdir/javascript @@ -1,22 +1,171 @@ #------------------------------------------------------------------------------ -# $File: javascript,v 1.2 2019/08/05 10:34:26 christos Exp $ +# $File: javascript,v 1.5 2023/01/12 00:02:16 christos Exp $ # javascript: magic for javascript and node.js scripts. # -0 search/1/w #!/bin/node Node.js script text executable +0 string/tw #!/bin/node Node.js script executable !:mime application/javascript -0 search/1/w #!/usr/bin/node Node.js script text executable +0 string/tw #!/usr/bin/node Node.js script executable !:mime application/javascript -0 search/1/w #!/bin/nodejs Node.js script text executable +0 string/tw #!/bin/nodejs Node.js script executable !:mime application/javascript -0 search/1/w #!/usr/bin/nodejs Node.js script text executable +0 string/tw #!/usr/bin/nodejs Node.js script executable !:mime application/javascript -0 search/1 #!/usr/bin/env\ node Node.js script text executable +0 string/t #!/usr/bin/env\ node Node.js script executable !:mime application/javascript -0 search/1 #!/usr/bin/env\ nodejs Node.js script text executable +0 string/t #!/usr/bin/env\ nodejs Node.js script executable !:mime application/javascript + +# JavaScript +# The strength is increased to beat the C++ & HTML rules +0 search "use\x20strict" JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 search 'use\x20strict' JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex module(\\.|\\[["'])exports.*= JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(const|var|let).*=.*require\\( JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^export\x20(function|class|default|const|var|let|async)\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \\((async\x20)?function[(\x20] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export).*\x20from\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export)\x20["']\\./ JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^require\\(["'] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex typeof.*[!=]== JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js + +# React Native minified JavaScript +0 search/128 __BUNDLE_START_TIME__= React Native minified JavaScript +!:strength +30 +!:mime application/javascript +!:ext bundle/jsbundle + # Hermes by Facebook https://hermesengine.dev/ # https://github.com/facebook/hermes/blob/master/include/hermes/\ # BCGen/HBC/BytecodeFileFormat.h#L24 0 lequad 0x1F1903C103BC1FC6 Hermes JavaScript bytecode >8 lelong x \b, version %d + +# v8 JavaScript engine bytecode +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://v8.dev/docs/ignition +# Note: used in bytenode and NW.js protected source code +# V8 bytecode extraction was added in NodeJS v5.7.0 (V8 4.6.85.31). +# Version information is provided for some v8 versions found in NodeJS releases. +2 uleshort =0xC0DE +>0 ulelong^0xC0DE0000 >0 +# Reservation table starts at 40 +>>40 ulelong&0xFFFFFF00 =0x80000000 +# Stub keys present +>>>24 ulelong >0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0xEE4BF478 version 5.1.281.111, +>>>>4 ulelong =0xC4A0100C version 5.5.372.43, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x cpu features: %#08X, +>>>>16 ulelong x flag hash: %#08X, +>>>>20 ulelong x %u reservations, +>>>>28 ulelong x payload size: %u bytes, +>>>>32 ulelong x checksum1: %#08X, +>>>>36 ulelong x checksum2: %#08X +# No stub keys +>>>24 ulelong =0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x54F0AD81 version 6.2.414.46, +>>>>4 ulelong =0X7D1BF182 version 6.2.414.54, +>>>>4 ulelong =0x35BA122E version 6.2.414.77, +>>>>4 ulelong =0X9319F9C2 version 6.2.414.78, +>>>>4 ulelong =0xB1240060 version 6.6.346.32, +>>>>4 ulelong =0x2B757060 version 6.7.288.46, +>>>>4 ulelong =0x09D147AA version 6.7.288.49, +>>>>4 ulelong =0xF4D4F48A version 6.8.275.32, +>>>>4 ulelong =0xD3961326 version 7.0.276.38, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x cpu features: %#08X, +>>>>16 ulelong x flag hash: %#08X, +>>>>20 ulelong x %u reservations, +>>>>28 ulelong x payload size: %u bytes, +>>>>32 ulelong x checksum1: %#08X, +>>>>36 ulelong x checksum2: %#08X +# Reservation table starts at 32 +>>32 ulelong&0xFFFFFF00 =0x80000000 +# Second checksum present +>>>28 ulelong >0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x21DDF627 version 7.4.288.21, +>>>>4 ulelong =0x1FC9FE84 version 7.4.288.27, +>>>>4 ulelong =0x60A99E8B version 7.5.288.22, +>>>>4 ulelong =0x4F665E90 version 7.6.303.29, +>>>>4 ulelong =0xC7ACFCDE version 7.7.299.11, +>>>>4 ulelong =0x7F641D8F version 7.7.299.13, +>>>>4 ulelong =0xFD9A4F2E version 7.8.279.17, +>>>>4 ulelong =0x3A845324 version 7.8.279.23, +>>>>4 ulelong =0xFF52FEAF version 7.9.317.25, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x flag hash: %#08X, +>>>>16 ulelong x %u reservations, +>>>>20 ulelong x payload size: %u bytes, +>>>>24 ulelong x checksum1: %#08X, +>>>>28 ulelong x checksum2: %#08X +# No second checksum +>>>28 ulelong =0 +>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>>4 ulelong =0x8725E0F8 version 8.1.307.30, +>>>>4 ulelong =0x09ED1289 version 8.1.307.31, +>>>>4 ulelong =0xA5728C87 version 8.3.110.9, +>>>>4 ulelong =0xB45C5D30 version 8.4.371.23, +>>>>4 ulelong =0xED9C278B version 8.4.371.19, +>>>>4 ulelong =0xD27BFF42 version 8.6.395.16, +>>>>8 ulelong x source size: %u bytes, +>>>>12 ulelong x flag hash: %#08X, +>>>>16 ulelong x %u reservations, +>>>>20 ulelong x payload size: %u bytes, +>>>>24 ulelong x payload checksum: %#08X +# No reservation table and code starts at 24 +>>32 ulelong =0 +>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes, +>>>4 ulelong =0x9A6F0B0F version 9.0.257.17, +>>>4 ulelong =0x271D5D1E version 9.0.257.24, +>>>4 ulelong =0x4EEA75DF version 9.0.257.25, +>>>4 ulelong =0x80809479 version 9.1.269.36, +>>>4 ulelong =0x55C46F65 version 9.1.269.38, +>>>4 ulelong =0x8A9C758A version 9.2.230.21, +>>>4 ulelong =0x9712F0E1 version 9.3.345.16, +>>>4 ulelong =0x29593715 version 9.4.146.19, +>>>4 ulelong =0xCD991825 version 9.4.146.24, +>>>4 ulelong =0xACDD64EE version 9.4.146.26, +>>>4 ulelong =0xC96B4CD5 version 9.5.172.21, +>>>4 ulelong =0xBCCE4578 version 9.5.172.25, +>>>4 ulelong =0xA2EEA077 version 9.6.180.15, +>>>4 ulelong =0xFD350011 version 10.1.124.8, +>>>4 ulelong =0xBEF4028F version 10.2.154.13, +>>>4 ulelong =0xAF632352 version 10.2.154.4, +>>>8 ulelong x source size: %u bytes, +>>>12 ulelong x flag hash: %#08X, +>>>16 ulelong x payload size: %u bytes, +>>>20 ulelong x payload checksum: %#08X diff --git a/contrib/file/magic/Magdir/jpeg b/contrib/file/magic/Magdir/jpeg index 52c9ad36203e..9cebadad70d5 100644 --- a/contrib/file/magic/Magdir/jpeg +++ b/contrib/file/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.32 2018/10/01 18:58:29 christos Exp $ +# $File: jpeg,v 1.38 2022/12/02 17:42:04 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -9,11 +9,19 @@ # # both of which turn into "JPEG image data" here. # -0 beshort 0xffd8 JPEG image data +0 belong 0xffd8fff7 JPEG-LS image data +!:mime image/jls +!:ext jls +>0 use jpeg + +0 belong&0xffffff00 0xffd8ff00 JPEG image data !:mime image/jpeg !:apple 8BIMJPEG !:strength *3 !:ext jpeg/jpg/jpe/jfif +>0 use jpeg + +0 name jpeg >6 string JFIF \b, JFIF standard # The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these @@ -91,36 +99,154 @@ >>0 beshort&0xFFE0 !0xFFE0 >>>(2.S+2) use jpeg_segment -#>0 beshort x unknown 0x%x +#>0 beshort x unknown %#x #>>(2.S+2) use jpeg_segment # HSI is Handmade Software's proprietary JPEG encoding scheme +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HSI_JPEG +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-hsi1.trid.xml +# Note: called by TrID "HSI JPEG bitmap" 0 string hsi1 JPEG image data, HSI proprietary +#!:mime application/octet-stream +!:mime image/x-hsi +!:ext hsi/jpg # From: David Santinoli <david@santinoli.com> 0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 +# delete from ./animation (version 1.87) with jP (=6A50h) magic at offset 4 # From: Johan van der Knijff <johan.vanderknijff@kb.nl> # Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes # https://github.com/bitsgalore/jp2kMagic # # Now read value of 'Brand' field, which yields a few possibilities: +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JP2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpeg2k.trid.xml +# Note: called by TrID "JPEG 2000 bitmap" >20 string \x6a\x70\x32\x20 Part 1 (JP2) +# aliases image/jpeg2000, image/jpeg2000-image, image/x-jpeg2000-image !:mime image/jp2 +!:ext jp2 +# URL: http://fileformats.archiveteam.org/wiki/JPX +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpx.trid.xml +# Note: called by TrID "JPEG 2000 eXtended bitmap" >20 string \x6a\x70\x78\x20 Part 2 (JPX) !:mime image/jpx +!:ext jpf/jpx +# URL: http://fileformats.archiveteam.org/wiki/JPM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpm.trid.xml +# Note: called by TrID "JPEG 2000 eXtended bitmap" >20 string \x6a\x70\x6d\x20 Part 6 (JPM) !:mime image/jpm +!:ext jpm +# URL: http://fileformats.archiveteam.org/wiki/MJ2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/v/video-mj2.trid.xml +# Note: called by TrID "Motion JPEG 2000 video" >20 string \x6d\x6a\x70\x32 Part 3 (MJ2) !:mime video/mj2 +!:ext mj2/mjp2 # Type: JPEG 2000 codesream # From: Mathieu Malaterre <mathieu.malaterre@gmail.com> +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_2000_codestream +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpc.trid.xml +# Note: called by TrID "JPEG-2000 Code Stream bitmap" 0 belong 0xff4fff51 JPEG 2000 codestream -45 beshort 0xff52 +# value like: 0701h FF50h +#>45 ubeshort x \b, at 45 %#4.4x +#!:mime application/octet-stream +# https://reposcope.com/mimetype/image/x-jp2-codestream +!:mime image/x-jp2-codestream +!:ext jpc/j2c/j2k +# MAYBE also JHC like in byte_causal.jhc ? +# WHAT IS THAT? DEAD ENTRY? +#45 beshort 0xff52 # JPEG extended range +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XR +# Reference: https://www.itu.int/rec/T-REC-T.832 +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wmp.trid.xml +# Note: called by TrID "JPEG XR bitmap" 0 string \x49\x49\xbc +# FILE_VERSION_ID; shall be equal to 1; other values are reserved for future use >3 byte 1 +# FIRST_IFD_OFFSET; shall be an integer multiple of 2; so skip DROID fmt-590-signature-id-931.wdp >>4 lelong%2 0 JPEG-XR +#!:mime image/vnd.ms-photo !:mime image/jxr -!:ext jxr +# NO example for HDP ! +!:ext jxr/wdp/hdp +# MAYBE also WMP ? +#!:ext jxr/wdp/hdp/wmp +# moved from ./images (version 1.205 ), merged and +# partly verified by XnView `nconvert -info abydos.jxr FLOWER.wdp` +# example: https://web.archive.org/web/20160403012904/ +# http://shikino.co.jp/solution/upfile/FLOWER.wdp.zip +>90 bequad 0x574D50484F544F00 +>>98 byte&0x08 =0x08 \b, hard tiling +>>99 byte&0x80 =0x80 \b, tiling present +>>99 byte&0x40 =0x40 \b, codestream present +>>99 byte&0x38 x \b, spatial xform= +>>99 byte&0x38 0x00 \bTL +>>99 byte&0x38 0x08 \bBL +>>99 byte&0x38 0x10 \bTR +>>99 byte&0x38 0x18 \bBR +>>99 byte&0x38 0x20 \bBT +>>99 byte&0x38 0x28 \bRB +>>99 byte&0x38 0x30 \bLT +>>99 byte&0x38 0x38 \bLB +>>100 byte&0x80 =0x80 \b, short header +>>>102 beshort+1 x \b, %d +>>>104 beshort+1 x \bx%d +>>100 byte&0x80 =0x00 \b, long header +>>>102 belong+1 x \b, %x +>>>106 belong+1 x \bx%x +>>101 beshort&0xf x \b, bitdepth= +>>>101 beshort&0xf 0x0 \b1-WHITE=1 +>>>101 beshort&0xf 0x1 \b8 +>>>101 beshort&0xf 0x2 \b16 +>>>101 beshort&0xf 0x3 \b16-SIGNED +>>>101 beshort&0xf 0x4 \b16-FLOAT +>>>101 beshort&0xf 0x5 \b(reserved 5) +>>>101 beshort&0xf 0x6 \b32-SIGNED +>>>101 beshort&0xf 0x7 \b32-FLOAT +>>>101 beshort&0xf 0x8 \b5 +>>>101 beshort&0xf 0x9 \b10 +>>>101 beshort&0xf 0xa \b5-6-5 +>>>101 beshort&0xf 0xb \b(reserved %d) +>>>101 beshort&0xf 0xc \b(reserved %d) +>>>101 beshort&0xf 0xd \b(reserved %d) +>>>101 beshort&0xf 0xe \b(reserved %d) +>>>101 beshort&0xf 0xf \b1-BLACK=1 +>>101 beshort&0xf0 x \b, colorfmt= +>>>101 beshort&0xf0 0x00 \bYONLY +>>>101 beshort&0xf0 0x10 \bYUV240 +>>>101 beshort&0xf0 0x20 \bYWV422 +>>>101 beshort&0xf0 0x30 \bYWV444 +>>>101 beshort&0xf0 0x40 \bCMYK +>>>101 beshort&0xf0 0x50 \bCMYKDIRECT +>>>101 beshort&0xf0 0x60 \bNCOMPONENT +>>>101 beshort&0xf0 0x70 \bRGB +>>>101 beshort&0xf0 0x80 \bRGBE +>>>101 beshort&0xf0 >0x80 \b(reserved %#x) + +# JPEG XL +# From: Ian Tester +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl.trid.xml +# Note: called by TrID "JPEG XL bitmap" +0 string \xff\x0a JPEG XL codestream +!:mime image/jxl +!:ext jxl + +# JPEG XL (transcoded JPEG file) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl-iso.trid.xml +# Note: called by TrID "JPEG XL bitmap (ISOBMFF)" +0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container +!:mime image/jxl +!:ext jxl diff --git a/contrib/file/magic/Magdir/lammps b/contrib/file/magic/Magdir/lammps new file mode 100644 index 000000000000..5424383db80f --- /dev/null +++ b/contrib/file/magic/Magdir/lammps @@ -0,0 +1,64 @@ +#------------------------------------------------------------------------------ +# $File: lammps,v 1.1 2021/03/14 16:24:18 christos Exp $ +# + +# Magic file patterns for use with file(1) for the +# LAMMPS molecular dynamics simulation software. +# https://lammps.sandia.gov +# +# Updated: 2021-03-14 by akohlmey@gmail.com + +# Binary restart file for the LAMMPS MD code +0 string LammpS\ RestartT LAMMPS binary restart file +>0x14 long x (rev %d), +>>0x20 string x Version %s, +>>>0x10 lelong 0x0001 Little Endian +>>>0x10 lelong 0x1000 Big Endian + +# Atom style binary dump file for the LAMMPS MD code +# written on a little endian machine +0 lequad -8 +>0x08 string DUMPATOM LAMMPS atom style binary dump +>>0x14 long x (rev %d), +>>>0x10 lelong 0x0001 Little Endian, +>>>>0x18 lequad x First time step: %lld + +# written on a big endian machine +0 bequad -8 +>0x08 string DUMPATOM LAMMPS atom style binary dump +>>0x14 belong x (rev %d), +>>>0x10 lelong 0x1000 Big Endian, +>>>>0x18 bequad x First time step: %lld + +# Atom style binary dump file for the LAMMPS MD code +# written on a little endian machine +0 lequad -10 +>0x08 string DUMPCUSTOM LAMMPS custom style binary dump +>>0x16 lelong x (rev %d), +>>>0x12 lelong 0x0001 Little Endian, +>>>>0x1a lequad x First time step: %lld + +# written on a big endian machine +0 bequad -10 +>0x08 string DUMPCUSTOM LAMMPS custom style binary dump +>>0x16 belong x (rev %d), +>>>0x12 lelong 0x1000 Big Endian, +>>>>0x1a bequad x First time step: %lld + +# LAMMPS log file +0 string LAMMPS\ ( LAMMPS log file +>8 regex/16 [0-9]+\ [A-Za-z]+\ [0-9]+ written by version %s + +# Data file written either by LAMMPS, msi2lmp or VMD/TopoTools +0 string LAMMPS\ data\ file LAMMPS data file +>0x12 string CGCMM\ style written by TopoTools +>0x12 string msi2lmp written by msi2lmp +>0x11 string via\ write_data written by LAMMPS + +# LAMMPS data file written by OVITO +0 string #\ LAMMPS\ data\ file LAMMPS data file +>0x13 string written\ by\ OVITO written by OVITO + +# LAMMPS text mode dump file +0 string ITEM:\ TIMESTEP LAMMPS text mode dump, +>15 regex/16 [0-9]+ First time step: %s diff --git a/contrib/file/magic/Magdir/lif b/contrib/file/magic/Magdir/lif index a7a0a8abe776..3474a48d231e 100644 --- a/contrib/file/magic/Magdir/lif +++ b/contrib/file/magic/Magdir/lif @@ -1,8 +1,50 @@ #------------------------------------------------------------------------------ -# $File: lif,v 1.8 2009/09/19 16:28:10 christos Exp $ +# $File: lif,v 1.11 2022/10/19 20:15:16 christos Exp $ # lif: file(1) magic for lif # # (Daniel Quinlan <quinlan@yggdrasil.com>) # -0 beshort 0x8000 lif file +# Modified by: Joerg Jenderek +# URL: https://www.hp9845.net/9845/projects/hpdir/ +# https://github.com/bug400/lifutils +# Reference: https://www.hp9845.net/9845/downloads/manuals/LIF_excerpt_64941-90906_flpRef_Jan84.pdf +# Note: called by TrID "HP Logical Interchange Format disk image" +0 beshort 0x8000 +# GRR: line above is too general as it catches also compressed DEGAS low-res bitmap *.pc1 +# skip many compressed DEGAS low-res bitmap *.pc1 by test for unused bytes +>14 beshort =0 +# skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number +>>20 ubeshort <0x0100 +# skip DROID fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx by test for ASCII like volume name +>>>2 ubelong >0x2020201F +>>>>0 use lif-file +0 name lif-file +# LIF ID +>0 beshort x lif file +!:mime application/x-lif-disk +# lif used by Tony Duell LIF utilities; enhanced version by Joachim Siebold use also dat; hpi used by hpdir +!:ext lif/hpi/dat +# volume label; A-Z 0-9 _ ; default are 6 spaces +>2 string x "%.6s" +#>2 ubelong x LABEL=%8.8x +# version number; 0 for systems without extensions or 1 for model 64000 +>20 ubeshort x \b, version %u +# LIF identifier; 010000 for system 3000 +>12 beshort !0x1000 \b, LIF identifier %#x +# directory start address in units like: 2 +>8 ubelong x \b, directory +>8 ubelong !2 start address %u +# length of directory like: 2 4 7 10 12 14 (for model 64000) 16 18 20 24 30 50 57 77 80 +>16 ubelong x length %u +# level 1 extensions +>20 beshort =0 +>>24 ubequad !0 \b, for extensions %#llx... +>20 beshort >0 +>>24 ubequad !0 \b, extensions %#llx... +# word 21-126 reserved for extensions and future use; set to nil +>42 ubequad !0 \b, RESERVED %#llx +# lif first file name for standard directory; 0xffff... means uninitialized +>8 ubelong 2 +>>512 string <\xff\xff \b, 1st file %-.10s + diff --git a/contrib/file/magic/Magdir/linux b/contrib/file/magic/Magdir/linux index e7d0a15607e2..ae181148dfb9 100644 --- a/contrib/file/magic/Magdir/linux +++ b/contrib/file/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.72 2020/06/07 21:56:13 christos Exp $ +# $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> @@ -67,8 +67,8 @@ >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, ->24 lelong x %d ->28 lelong x \bx%d +>28 lelong x %d +>24 lelong x \bx%d # Linux swap and hibernate files # Linux kernel: include/linux/swap.h @@ -83,20 +83,20 @@ # format v1, supported since 1998 0 name linux-swap ->0x400 lelong 1 little endian, version %u, ->>0x404 lelong x size %u pages, ->>0x408 lelong x %u bad pages, ->0x400 belong 1 big endian, version %u, ->>0x404 belong x size %u pages, ->>0x408 belong x %u bad pages, ->0x41c string \0 no label, ->0x41c string >\0 LABEL=%s, ->0x40c belong x UUID=%08x ->0x410 beshort x \b-%04x ->0x412 beshort x \b-%04x ->0x414 beshort x \b-%04x ->0x416 belong x \b-%08x ->0x41a beshort x \b%04x +>0x400 lelong 1 little endian, version %u, +>>0x404 lelong x size %u pages, +>>0x408 lelong x %u bad pages, +>0x400 belong 1 big endian, version %u, +>>0x404 belong x size %u pages, +>>0x408 belong x %u bad pages, +>0x41c string \0 no label, +>0x41c string >\0 LABEL=%s, +>0x40c ubelong x UUID=%08x +>0x410 ubeshort x \b-%04x +>0x412 ubeshort x \b-%04x +>0x414 ubeshort x \b-%04x +>0x416 ubelong x \b-%08x +>0x41a ubeshort x \b%04x 0xff6 string SWAPSPACE2 Linux swap file, 4k page size, >0 use linux-swap @@ -154,8 +154,8 @@ >>>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, ->>508 leshort >0 root_dev 0x%X, ->>502 leshort >0 swap_dev 0x%X, +>>508 leshort >0 root_dev %#X, +>>502 leshort >0 swap_dev %#X, >>504 leshort >0 RAMdisksize %u KB, >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA @@ -191,8 +191,8 @@ >497 leshort !0 x86 kernel >>504 leshort >0 RAMdisksize=%u KB ->>502 leshort >0 swap=0x%X ->>508 leshort >0 root=0x%X +>>502 leshort >0 swap=%#X +>>508 leshort >0 root=%#X >>>498 leshort 1 \b-ro >>>498 leshort 0 \b-rw >>506 leshort 0xFFFF vga=normal @@ -239,14 +239,14 @@ # From: Kevin Cernekee <cernekee@gmail.com> # Update: Joerg Jenderek 0x24 lelong 0x016f2818 Linux kernel ARM boot executable zImage -# There are three posible situations: LE, BE with LE bootloader and pure BE. +# There are three possible situations: LE, BE with LE bootloader and pure BE. # In order to aid telling these apart a new endian flag was added. In order # to support kernels before the flag and BE with LE bootloader was added we'll # do a negative check against the BE variant of the flag when we see a LE magic. >0x30 belong !0x04030201 (little-endian) ->0x30 belong 0x04030201 (big-endian) # raspian "kernel7.img", Vu+ Ultimo4K "kernel_auto.bin" !:ext img/bin +>0x30 belong 0x04030201 (big-endian) 0x24 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) ############################################################################ @@ -364,16 +364,6 @@ >24 lelong x %d symbols >28 lelong x %d ocons -# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec -# Anthon van der Neut (anthon@mnt.org) -0 string LUKS\xba\xbe LUKS encrypted file, ->6 beshort x ver %d ->8 string x [%s, ->40 string x %s, ->72 string x %s] ->168 string x UUID: %s - - # Summary: Xen saved domain file # Created by: Radek Vokal <rvokal@redhat.com> 0 string LinuxGuestRecord Xen saved domain @@ -390,26 +380,96 @@ # Systemd journald files # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> - -# check magic +# Update: Joerg Jenderek +# URL: https://systemd.io/JOURNAL_FILE_FORMAT/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml +# Note: called "systemd journal" by TrID +# verified by `journalctl --file=user-1000.journal` +# check magic signature[8] 0 string LPKSHHRH # check that state is one of known values +# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 >16 ubyte&252 0 # check that each half of three unique id128s is non-zero +# file_id >>24 ubequad >0 >>>32 ubequad >0 +# machine_id >>>>40 ubequad >0 >>>>>48 ubequad >0 +# boot_id; last writer >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file -!:mime application/octet-stream +#!:mime application/octet-stream +!:mime application/x-linux-journal # provide more info +# head_entry_realtime; contains a POSIX timestamp stored in microseconds +>>>>>>>>184 leqdate/1000000 !0 \b, %s >>>>>>>>184 leqdate 0 empty ->>>>>>>>16 ubyte 0 \b, offline ->>>>>>>>16 ubyte 1 \b, online +# If a file is closed after writing the state field should be set to STATE_OFFLINE +>>>>>>>>16 ubyte 0 \b, +# for offline and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 offline +# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html +# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: +# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' +!:ext journal~ +# for offline and non empty often *.journal~ but also user-1001.journal +>>>>>>>>>184 leqdate !0 offline +!:ext journal/journal~ +# if a file is opened for writing the state field should be set to STATE_ONLINE +>>>>>>>>16 ubyte 1 \b, +# for online and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 online +# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~ +!:ext journal~ +# for online and non empty only journal extension found +>>>>>>>>>184 leqdate !0 online +# system.journal user-1000.journal +!:ext journal +# after a file has been rotated it should be set to STATE_ARCHIVED >>>>>>>>16 ubyte 2 \b, archived +!:ext journal +# no *.journal~ found +#!:ext journal/journal~ +# compatible_flags >>>>>>>>8 ulelong&1 1 \b, sealed +# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 +#>>>>>>>>12 ulelong x FLAGS=%#x >>>>>>>>12 ulelong&1 1 \b, compressed +>>>>>>>>12 ulelong&2 !0 \b, compressed lz4 +>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 +>>>>>>>>12 ulelong&8 !0 \b, compressed zstd +>>>>>>>>12 ulelong&16 !0 \b, compact +# uint8_t reserved[7]; apparently nil +#>>17 long !0 \b, reserved %#8.8x +# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 +#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx +#>>>>>>>>80 ubequad x b%16.16llx +# header_size like: 100h +>>>>>>>>88 ulequad !0x100h \b, header size %#llx +# arena_size like: 0 7fff00h ffff00h 17fff00h +#>>>>>>>>96 ulequad >0 \b, arena size %#llx +# data_hash_table_offset like: 0 15f0h 15f0h +#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx +# data_hash_table_size like: 0 38e380h +#>>>>>>>>112 ulequad >0 \b, hash table size %#llx +# field_hash_table_offset like: 0 110h +#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx +# field_hash_table_size like: 0 14d0h +#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx +# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h +#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx +# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh +#>>>>>>>>144 ulequad >0 \b, objects %#llx +# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h +>>>>>>>>152 ulequad >0 \b, entries %#llx +# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh +#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx +# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah +#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx +# entry_array_offset like: 0 390058h 3909d8h 3909e0h +#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx # BCache backing and cache devices # From: Gabriel de Perthuis <g2p.code@gmail.com> @@ -438,17 +498,16 @@ # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed -# structure and strings must be within blob +# structure must be within blob, strings are omitted to handle devicetrees > 1M >&(8.L) byte x ->>&(12.L) byte x ->>>20 belong >1 Device Tree Blob version %d ->>>>4 belong x \b, size=%d ->>>>20 belong >1 ->>>>>28 belong x \b, boot CPU=%d ->>>>20 belong >2 ->>>>>32 belong x \b, string block size=%d ->>>>20 belong >16 ->>>>>36 belong x \b, DT structure block size=%d +>>20 belong >1 Device Tree Blob version %d +>>>4 belong x \b, size=%d +>>>20 belong >1 +>>>>28 belong x \b, boot CPU=%d +>>>20 belong >2 +>>>>32 belong x \b, string block size=%d +>>>20 belong >16 +>>>>36 belong x \b, DT structure block size=%d # glibc locale archive as defined in glibc locale/locarchive.h 0 lelong 0xde020109 locale archive @@ -503,9 +562,12 @@ 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files -# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION +# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION -0 string KDUMP Kdump compressed dump +0 string KDUMP\x20\x20\x20 Kdump compressed dump +>0 use kdump-compressed-dump + +0 name kdump-compressed-dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s @@ -514,7 +576,52 @@ >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s +# Flattened format +0 string makedumpfile +>16 bequad 1 +>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump +>>>0x1010 use kdump-compressed-dump + # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code !:strength +14 + + +# e2fsck undo file +# David Gilman <davidgilman1@gmail.com> +0 string E2UNDO02 e2fsck undo file, version 2 +>44 lelong x \b, undo file is +>>44 lelong&1 0 not finished +>>44 lelong&1 1 finished +>48 lelong x \b, undo file features: +>>48 lelong&1 0 lacks filesystem offset +>>48 lelong&1 1 has filesystem offset +>>>64 lequad x at %#llx + +# ansible vault (does not really belong here) +0 string $ANSIBLE_VAULT; Ansible Vault +>&0 regex [0-9]+\\.[0-9]+ \b, version %s +>>&0 string ; +>>>&0 regex [A-Z0-9]+ \b, encryption %s + +# From: Joerg Jenderek +# URL: https://www.gnu.org/software/grub +# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz +# grub-2.06/include/grub/keyboard_layouts.h +# grub-2.06/grub-core/commands/keylayouts.c +# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC +0 string GRUBLAYO GRUB Keyboard +!:mime application/x-grub-keyboard +!:ext gkb +# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10 +>8 ulelong !10 \b, version %u +# 4 grub_uint32_t grub_keyboard_layout[160] +# for normal french keyboard this is letter a +>92 ubyte !0x71 +>>92 ubyte >0x40 \b, english q is %c +#>732 ubyte x \b, english Q is %c +# for normal german keyboard this is letter z +>124 ubyte !0x79 +>>124 ubyte >0x40 \b, english y is %c +#>764 ubyte x \b, english Y is %c diff --git a/contrib/file/magic/Magdir/lisp b/contrib/file/magic/Magdir/lisp index d32cc101a90a..c854fb7c74be 100644 --- a/contrib/file/magic/Magdir/lisp +++ b/contrib/file/magic/Magdir/lisp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lisp,v 1.26 2019/04/19 00:42:27 christos Exp $ +# $File: lisp,v 1.27 2020/08/14 19:23:39 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) @@ -60,6 +60,9 @@ !:apple EMAxTEXT !:ext elc +# Files produced by GNU/Emacs pdumper +0 string DUMPEDGNUEMACS GNU/Emacs pdumper image + # Files produced by CLISP Common Lisp From: Bruno Haible <haible@ilog.fr> 0 string (SYSTEM::VERSION\040' CLISP byte-compiled Lisp program (pre 2004-03-27) 0 string (|SYSTEM|::|VERSION|\040' CLISP byte-compiled Lisp program text diff --git a/contrib/file/magic/Magdir/llvm b/contrib/file/magic/Magdir/llvm index 2691ef1ac92f..6befe7a8bf0f 100644 --- a/contrib/file/magic/Magdir/llvm +++ b/contrib/file/magic/Magdir/llvm @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: llvm,v 1.9 2019/04/19 00:42:27 christos Exp $ +# $File: llvm,v 1.10 2023/03/11 17:54:17 christos Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: https://llvm.org/docs/BitCodeFormat.html # From: Al Stone <ahs3@fc.hp.com> @@ -9,6 +9,7 @@ 0 string llvc0 LLVM byte-codes, null compression 0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc2 LLVM byte-codes, bzip2 compression +0 string CPCH LLVM Pre-compiled header file 0 lelong 0x0b17c0de LLVM bitcode, wrapper # Are these Mach-O ABI values? They appear to be. diff --git a/contrib/file/magic/Magdir/locoscript b/contrib/file/magic/Magdir/locoscript new file mode 100644 index 000000000000..87771ccdf9e6 --- /dev/null +++ b/contrib/file/magic/Magdir/locoscript @@ -0,0 +1,12 @@ + +#------------------------------------------------------------------------------ +# $File: locoscript,v 1.1 2021/01/03 20:56:25 christos Exp $ +# locoscript: file(1) magic for LocoScript documents and related files +# +# See http://fileformats.archiveteam.org/wiki/LocoScript +0 string JOY\x01\x01 LocoScript 1 document +0 string JOY\x01\x02 LocoScript 2 document +0 string JOY\x01\x04 LocoScript 3 document +0 string JOY\x01\x06 LocoScript 4 document +0 string DOC\x01\x01 LocoScript PC document +0 string DOC\x01\x03 LocoScript Professional document diff --git a/contrib/file/magic/Magdir/lua b/contrib/file/magic/Magdir/lua index 0e47c2f9122a..ab17374534de 100644 --- a/contrib/file/magic/Magdir/lua +++ b/contrib/file/magic/Magdir/lua @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lua,v 1.7 2019/04/19 00:42:27 christos Exp $ +# $File: lua,v 1.8 2020/10/08 23:23:56 christos Exp $ # lua: file(1) magic for Lua scripting language # URL: https://www.lua.org/ # From: Reuben Thomas <rrt@sc3d.org>, Seo Sanghyeon <tinuviel@sparcs.kaist.ac.kr> @@ -17,6 +17,15 @@ # Lua bytecode 0 string \033Lua Lua bytecode, +# 2.4 uses 0x23 as its version byte because it shares the format +# with 2.3 (which was never released publicly). +>4 byte 0x23 version 2.4 +>4 byte 0x25 version 2.5/3.0 +>4 byte 0x31 version 3.1 +>4 byte 0x32 version 3.2 +>4 byte 0x40 version 4.0 >4 byte 0x50 version 5.0 >4 byte 0x51 version 5.1 >4 byte 0x52 version 5.2 +>4 byte 0x53 version 5.3 +>4 byte 0x54 version 5.4 diff --git a/contrib/file/magic/Magdir/luks b/contrib/file/magic/Magdir/luks index 6ecc40aff19a..16042517a332 100644 --- a/contrib/file/magic/Magdir/luks +++ b/contrib/file/magic/Magdir/luks @@ -1,13 +1,126 @@ #------------------------------------------------------------------------------ -# $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ +# $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $ # luks: file(1) magic for Linux Unified Key Setup -# URL: http://luks.endorphin.org/spec +# URL: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup +# http://fileformats.archiveteam.org/wiki/LUKS # From: Anthon van der Neut <anthon@mnt.org> +# Update: Joerg Jenderek +# Note: verfied by command like `cryptsetup luksDump /dev/sda3` 0 string LUKS\xba\xbe LUKS encrypted file, +# https://reposcope.com/mimetype/application/x-raw-disk-image +!:mime application/x-raw-disk-image +#!:mime application/x-luks-volume +# img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt +!:ext /luks/img/luksVolumeHeaderBackUp +# version like: 1 2 >6 beshort x ver %d +# test for version 1 variant +>6 beshort 1 +>>0 use luks-v1 +# test for version 2 variant +>6 beshort >1 +>>0 use luks-v2 +# Reference: https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml +# display information about LUKS version 1 +0 name luks-v1 +# cipher-name like: aes twofish >8 string x [%s, +# cipher-mode like: xts-plain64 cbc-essiv >40 string x %s, +# hash specification like: sha256 sha1 ripemd160 >72 string x %s] >168 string x UUID: %s +# NEW PART! +# payload-offset; start offset of the bulk data +>104 ubelong x \b, at %#x data +# key-bytes; number of key bytes; key-bytes*8=MK-bits +>108 ubelong x \b, %u key bytes +# mk-digest[20]; master key checksum from PBKDF2 +>112 ubequad x \b, MK digest %#16.16llx +>>120 ubequad x \b%16.16llx +>>128 ubelong x \b%8.8x +# mk-digest-salt[32]; salt parameter for master key PBKDF2 +>132 ubequad x \b, MK salt %#16.16llx +>>140 ubequad x \b%16.16llx +>>148 ubequad x \b%16.16llx +>>156 ubequad x \b%16.16llx +# mk-digest-iter; iterations parameter for master key PBKDF2 +>164 ubelong x \b, %u MK iterations +# key slot 1 +>208 ubelong =0x00AC71F3 \b; slot #0 +>>208 use luks-slot +# key slot 2 +>256 ubelong =0x00AC71F3 \b; slot #1 +>>256 use luks-slot +# key slot 3 +>304 ubelong =0x00AC71F3 \b; slot #2 +>>304 use luks-slot +# key slot 4 +>352 ubelong =0x00AC71F3 \b; slot #3 +>>352 use luks-slot +# key slot 5 +>400 ubelong =0x00AC71F3 \b; slot #4 +>>400 use luks-slot +# key slot 6 +>448 ubelong =0x00AC71F3 \b; slot #5 +>>448 use luks-slot +# key slot 7 +>496 ubelong =0x00AC71F3 \b; slot #6 +>>496 use luks-slot +# key slot 8 +>544 ubelong =0x00AC71F3 \b; slot #7 +>>544 use luks-slot +# Reference: https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml +# display information about LUKS version 2 +0 name luks-v2 +# hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384 +>8 ubequad x \b, header size %llu +# possible check for MAGIC_2ND after header +#>(8.Q) string SKUL\xba\xbe \b, 2nd_HEADER_OK +# seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10 +>16 ubequad x \b, ID %llu +# label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT" +>24 string >\0 \b, label %s +# csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 wirlpool ripemd160 +>72 string x \b, algo %s +# salt[64]; salt , unique for every header +>104 ubequad x \b, salt %#llx... +# uuid[40]; UID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7 +>168 string x \b, UUID: %-.40s +# subsystem[48]; optional owner subsystem label or empty +>208 string >\0 \b, sub label %-.48s +# hdr_offset; offset from device start [ bytes ] like: 0 +>256 ubequad !0 \b, offset %llx +# char _padding [184]; must be zeroed +#>264 ubequad x \b, padding %#16.16llx +#>440 ubequad x \b...%16.16llx +# csum[64]; header checksum +>448 ubequad x \b, crc %#llx... +# char _padding4096 [7*512]; Padding , must be zeroed +#>512 ubequad x \b, more padding %#16.16llx +#>4088 ubequad x \b...%16.16llx +# JSON text data terminated by the zero character; unused remainder empty and filled with zeroes like: +# {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse" +>0x1000 string x \b, at 0x1000 %s +#>0x1000 indirect x +# display information (like active) about LUKS1 slot +0 name luks-slot +# state of keyslot; 0x00AC71F3~active 0x0000DEAD~inactive +#>0 ubelong x \b, status %#8.8x +>0 ubelong =0x00AC71F3 active +>0 ubelong =0x0000DEAD inactive +# iteration parameter for PBKDF2 +#>4 ubelong x \b, %u iterations +# salt parameter for PBKDF2 +#>8 ubequad x \b, salt %#16.16llx +#>>16 ubequad x \b%16.16llx +#>>24 ubequad x \b%16.16llx +#>>32 ubequad x \b%16.16llx +# start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0 +>40 ubelong x \b, %#x material offset +# number of anti-forensic stripes like: 4000 +>44 ubelong !4000 \b, %u stripes diff --git a/contrib/file/magic/Magdir/mach b/contrib/file/magic/Magdir/mach index c1bec073480f..7eb98ff34e39 100644 --- a/contrib/file/magic/Magdir/mach +++ b/contrib/file/magic/Magdir/mach @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: mach,v 1.23 2015/10/15 21:51:22 christos Exp $ +# $File: mach,v 1.29 2021/04/26 15:56:00 christos Exp $ # Mach has two magic numbers, 0xcafebabe and 0xfeedface. # Unfortunately the first, cafebabe, is shared with # Java ByteCode, so they are both handled in the file "cafebabe". @@ -11,8 +11,11 @@ # it's also separate from the "64-bit libraries" bit in the # upper 8 bits of the CPU subtype +# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ +# include/mach-o/loader.h +# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... 0 name mach-o-cpu ->0 belong&0x01000000 0 +>0 belong&0xff000000 0 # # 32-bit ABIs. # @@ -51,37 +54,37 @@ >>>>4 belong&0x00fffff0 0x30 pentium_2_m3 >>>>4 belong&0x00fffff0 0x40 pentium_2_m0x40 >>>>4 belong&0x00fffff0 0x50 pentium_2_m5 ->>>>4 belong&0x00fffff0 >0x50 pentium_2_m0x%x +>>>>4 belong&0x00fffff0 >0x50 pentium_2_m%#x >>>4 belong&0x0000000f 7 celeron ->>>>4 belong&0x00fffff0 0x00 \b_m0x%x ->>>>4 belong&0x00fffff0 0x10 \b_m0x%x ->>>>4 belong&0x00fffff0 0x20 \b_m0x%x ->>>>4 belong&0x00fffff0 0x30 \b_m0x%x ->>>>4 belong&0x00fffff0 0x40 \b_m0x%x ->>>>4 belong&0x00fffff0 0x50 \b_m0x%x +>>>>4 belong&0x00fffff0 0x00 \b_m%#x +>>>>4 belong&0x00fffff0 0x10 \b_m%#x +>>>>4 belong&0x00fffff0 0x20 \b_m%#x +>>>>4 belong&0x00fffff0 0x30 \b_m%#x +>>>>4 belong&0x00fffff0 0x40 \b_m%#x +>>>>4 belong&0x00fffff0 0x50 \b_m%#x >>>>4 belong&0x00fffff0 0x60 >>>>4 belong&0x00fffff0 0x70 \b_mobile ->>>>4 belong&0x00fffff0 >0x70 \b_m0x%x +>>>>4 belong&0x00fffff0 >0x70 \b_m%#x >>>4 belong&0x0000000f 8 pentium_3 >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_m >>>>4 belong&0x00fffff0 0x20 \b_xeon ->>>>4 belong&0x00fffff0 >0x20 \b_m0x%x +>>>>4 belong&0x00fffff0 >0x20 \b_m%#x >>>4 belong&0x0000000f 9 pentiumM >>>>4 belong&0x00fffff0 0x00 ->>>>4 belong&0x00fffff0 >0x00 \b_m0x%x +>>>>4 belong&0x00fffff0 >0x00 \b_m%#x >>>4 belong&0x0000000f 10 pentium_4 >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_m ->>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>>4 belong&0x00fffff0 >0x10 \b_m%#x >>>4 belong&0x0000000f 11 itanium >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_2 ->>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>>4 belong&0x00fffff0 >0x10 \b_m%#x >>>4 belong&0x0000000f 12 xeon >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 0x10 \b_mp ->>>>4 belong&0x00fffff0 >0x10 \b_m0x%x +>>>>4 belong&0x00fffff0 >0x10 \b_m%#x >>>4 belong&0x0000000f >12 ia32 family=%d >>>>4 belong&0x00fffff0 0x00 >>>>4 belong&0x00fffff0 >0x00 model=%x @@ -139,13 +142,13 @@ >>>4 belong&0x00ffffff 6 \b_604 >>>4 belong&0x00ffffff 7 \b_604e >>>4 belong&0x00ffffff 8 \b_620 ->>>4 belong&0x00ffffff 9 \b_650 +>>>4 belong&0x00ffffff 9 \b_750 >>>4 belong&0x00ffffff 10 \b_7400 >>>4 belong&0x00ffffff 11 \b_7450 >>>4 belong&0x00ffffff 100 \b_970 >>>4 belong&0x00ffffff >100 subarchitecture=%d >>0 belong&0x00ffffff >18 architecture=%d ->0 belong&0x01000000 0x01000000 +>0 belong&0xff000000 0x01000000 # # 64-bit ABIs. # @@ -171,6 +174,15 @@ >>0 belong&0x00ffffff 12 arm64 >>>4 belong&0x00ffffff 0 >>>4 belong&0x00ffffff 1 \bv8 +>>>4 belong&0x00ffffff 2 \be +>>>>7 ubyte&0xff >0 (caps: +>>>>7 ubyte&0xff <0x80 %#02x +>>>>7 ubyte&0xc0 0x80 PAC +>>>>>7 ubyte&0x3f x \b%02d +>>>>7 ubyte&0xc0 0xc0 PAK +>>>>>7 ubyte&0x3f x \b%02d +>>>>7 ubyte&0xff x \b) +>>>4 belong&0x00ffffff >2 subarchitecture=%d >>0 belong&0x00ffffff 13 64-bit architecture=%d >>0 belong&0x00ffffff 14 64-bit architecture=%d >>0 belong&0x00ffffff 15 64-bit architecture=%d @@ -192,51 +204,91 @@ >>>4 belong&0x00ffffff 100 \b_970 >>>4 belong&0x00ffffff >100 subarchitecture=%d >>0 belong&0x00ffffff >18 64-bit architecture=%d - +>0 belong&0xff000000 0x02000000 +# +# 64_32-bit ABIs. +# +>>0 belong&0x00ffffff 0 64_32-bit architecture=%d +>>0 belong&0x00ffffff 1 64_32-bit architecture=%d +>>0 belong&0x00ffffff 2 64_32-bit architecture=%d +>>0 belong&0x00ffffff 3 64_32-bit architecture=%d +>>0 belong&0x00ffffff 4 64_32-bit architecture=%d +>>0 belong&0x00ffffff 5 64_32-bit architecture=%d +>>0 belong&0x00ffffff 6 64_32-bit architecture=%d +>>0 belong&0x00ffffff 7 64_32-bit architecture=%d +>>0 belong&0x00ffffff 8 64_32-bit architecture=%d +>>0 belong&0x00ffffff 9 64_32-bit architecture=%d +>>0 belong&0x00ffffff 10 64_32-bit architecture=%d +>>0 belong&0x00ffffff 11 64_32-bit architecture=%d +>>0 belong&0x00ffffff 12 64_32-bit arm +>>>4 belong&0x00ffffff 0 +>>>4 belong&0x00ffffff 1 \bv8 +>>>4 belong&0x00ffffff >1 subarchitecture=%d +>>0 belong&0x00ffffff 13 64_32-bit architecture=%d +>>0 belong&0x00ffffff 14 64_32-bit architecture=%d +>>0 belong&0x00ffffff 15 64_32-bit architecture=%d +>>0 belong&0x00ffffff 16 64_32-bit architecture=%d +>>0 belong&0x00ffffff 17 64_32-bit architecture=%d +>>0 belong&0x00ffffff 18 64_32-bit architecture=%d +>>0 belong&0x00ffffff >18 64_32-bit architecture=%d 0 name mach-o-be >0 byte 0xcf 64-bit >4 use mach-o-cpu >12 belong 1 object +# GRR: Does not work for Mach-O with 2 architectures; instead display oo +#!:ext o +!:ext o/ >12 belong 2 executable +# the executables normally have no file extension like perl, +# but exceptions like perl5.18 perl5.16 +!:ext 16/18/ >12 belong 3 fixed virtual memory shared library >12 belong 4 core >12 belong 5 preload executable >12 belong 6 dynamically linked shared library +# GRR: Does not work for Mach-O with 2 architectures; instead display dylibdylib +#!:ext dylib +!:ext dylib/ >12 belong 7 dynamic linker >12 belong 8 bundle +# normally name extension bundle; but exceptions like: AMDil_r700.dylib +!:ext bundle/dylib/ >12 belong 9 dynamically linked shared library stub >12 belong 10 dSYM companion file >12 belong 11 kext bundle >12 belong >11 >>12 belong x filetype=%d >24 belong >0 \b, flags:< ->>24 belong &0x0000001 \bNOUNDEFS ->>24 belong &0x0000002 \b|INCRLINK ->>24 belong &0x0000004 \b|DYLDLINK ->>24 belong &0x0000008 \b|BINDATLOAD ->>24 belong &0x0000010 \b|PREBOUND ->>24 belong &0x0000020 \b|SPLIT_SEGS ->>24 belong &0x0000040 \b|LAZY_INIT ->>24 belong &0x0000080 \b|TWOLEVEL ->>24 belong &0x0000100 \b|FORCE_FLAT ->>24 belong &0x0000200 \b|NOMULTIDEFS ->>24 belong &0x0000400 \b|NOFIXPREBINDING ->>24 belong &0x0000800 \b|PREBINDABLE ->>24 belong &0x0001000 \b|ALLMODSBOUND ->>24 belong &0x0002000 \b|SUBSECTIONS_VIA_SYMBOLS ->>24 belong &0x0004000 \b|CANONICAL ->>24 belong &0x0008000 \b|WEAK_DEFINES ->>24 belong &0x0010000 \b|BINDS_TO_WEAK ->>24 belong &0x0020000 \b|ALLOW_STACK_EXECUTION ->>24 belong &0x0040000 \b|ROOT_SAFE ->>24 belong &0x0080000 \b|SETUID_SAFE ->>24 belong &0x0100000 \b|NO_REEXPORTED_DYLIBS ->>24 belong &0x0200000 \b|PIE ->>24 belong &0x0400000 \b|DEAD_STRIPPABLE_DYLIB ->>24 belong &0x0800000 \b|HAS_TLV_DESCRIPTORS ->>24 belong &0x1000000 \b|NO_HEAP_EXECUTION ->>24 belong &0x2000000 \b|APP_EXTENSION_SAFE +>>24 belong &0x00000001 \bNOUNDEFS +>>24 belong &0x00000002 \b|INCRLINK +>>24 belong &0x00000004 \b|DYLDLINK +>>24 belong &0x00000008 \b|BINDATLOAD +>>24 belong &0x00000010 \b|PREBOUND +>>24 belong &0x00000020 \b|SPLIT_SEGS +>>24 belong &0x00000040 \b|LAZY_INIT +>>24 belong &0x00000080 \b|TWOLEVEL +>>24 belong &0x00000100 \b|FORCE_FLAT +>>24 belong &0x00000200 \b|NOMULTIDEFS +>>24 belong &0x00000400 \b|NOFIXPREBINDING +>>24 belong &0x00000800 \b|PREBINDABLE +>>24 belong &0x00001000 \b|ALLMODSBOUND +>>24 belong &0x00002000 \b|SUBSECTIONS_VIA_SYMBOLS +>>24 belong &0x00004000 \b|CANONICAL +>>24 belong &0x00008000 \b|WEAK_DEFINES +>>24 belong &0x00010000 \b|BINDS_TO_WEAK +>>24 belong &0x00020000 \b|ALLOW_STACK_EXECUTION +>>24 belong &0x00040000 \b|ROOT_SAFE +>>24 belong &0x00080000 \b|SETUID_SAFE +>>24 belong &0x00100000 \b|NO_REEXPORTED_DYLIBS +>>24 belong &0x00200000 \b|PIE +>>24 belong &0x00400000 \b|DEAD_STRIPPABLE_DYLIB +>>24 belong &0x00800000 \b|HAS_TLV_DESCRIPTORS +>>24 belong &0x01000000 \b|NO_HEAP_EXECUTION +>>24 belong &0x02000000 \b|APP_EXTENSION_SAFE +>>24 belong &0x04000000 \b|NLIST_OUTOFSYNC_WITH_DYLDINFO +>>24 belong &0x08000000 \b|SIM_SUPPORT +>>24 belong &0x80000000 \b|DYLIB_IN_CACHE >>24 belong x \b> # diff --git a/contrib/file/magic/Magdir/macintosh b/contrib/file/magic/Magdir/macintosh index 218a844dbefd..a74aac487caa 100644 --- a/contrib/file/magic/Magdir/macintosh +++ b/contrib/file/magic/Magdir/macintosh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.30 2019/12/14 20:40:26 christos Exp $ +# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -17,7 +17,7 @@ 0 search/2652/b (This\ file\ >&0 use binhex 0 name binhex -# keep splitted search string format similar like in version 5.37 +# keep split search string format similar like in version 5.37 >0 string must\ be\ converted\ with\ BinHex\ BinHex binary text, version # http://www.macdisk.com/binhexen.php3 !:apple BNHQTEXT @@ -95,7 +95,10 @@ # MacBinary format (Eric Fischer, enf@pobox.com) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/MacBinary +# http://fileformats.archiveteam.org/wiki/MacBinary # Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt +# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and +# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin` # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. @@ -114,19 +117,19 @@ >>>>74 byte 0 # zero fill, must be zero for compatibility >>>>>82 byte 0 +# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00 +>>>>>>2 ubelong <0xffff0000 # MacBinary I test for valid version numbers ->>>>>>122 ubeshort 0 -# additional check for creation date after 1 Jan 1970 ~ 7C25B080h -#>>>>>>>91 ubelong >0x7c25b07F +>>>>>>>122 ubeshort 0 # additional check for undefined header fields in MacBinary I -#>>>>>>>101 ulong 0 ->>>>>>>0 use mac-bin +#>>>>>>>>101 ulong 0 +>>>>>>>>0 use mac-bin # MacBinary II the newer versions begins at 129 ->>>>>>122 ubeshort 0x8181 ->>>>>>>0 use mac-bin +>>>>>>>122 ubeshort 0x8181 +>>>>>>>>0 use mac-bin # MacBinary III with MacBinary II to read ->>>>>122 ubeshort 0x8281 ->>>>>>0 use mac-bin +>>>>>>122 ubeshort 0x8281 +>>>>>>>0 use mac-bin # display information of MacBinary file 0 name mac-bin @@ -139,9 +142,9 @@ !:mime application/x-macbinary !:apple PSPTBINA !:ext bin/macbin -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified as MacBinary +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary #>1 ubyte >63 \b, name length %u too BIG! -#>122 ubeshort x \b, version 0x%x +#>122 ubeshort x \b, version %#x # Finder flags if not 0 # >73 byte !0 \b, flags 0x # >73 byte =0 @@ -164,28 +167,32 @@ # 77 beshort # horiz posn in window #>77 beshort !0 \b, h.pos %u # 79 beshort # window or folder ID ->79 ubeshort !0 \b, ID 0x%x +>79 ubeshort !0 \b, ID %#x # protected flag ->81 byte !0 \b, protected 0x%x +>81 byte !0 \b, protected %#x # length of comment after resource >99 ubeshort !0 \b, comment length %u # char. code of file name ->106 ubyte !0 \b, char. code 0x%x +>106 ubyte !0 \b, char. code %#x # still more Finder flags ->107 ubyte !0 \b, more flags 0x%x +>107 ubyte !0 \b, more flags %#x # length of total files when unpacked only used when pack and unpack on the fly >116 ubelong !0 \b, total length %u # 120 beshort # length of add'l header >120 ubeshort !0 \b, 2nd header length %u # 124 beshort # checksum -#>124 ubeshort !0 \b, CRC 0x%x +#>124 ubeshort !0 \b, CRC %#x # creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 ->91 beldate-0x7C25B080 x \b, %s -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified or time overflow +# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields +>91 long !0 +>>91 beldate-0x7C25B080 x \b, %s +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow >91 ubelong <0x7c25b080 INVALID date -#>91 belong-0x7C25B080 x \b, DEBUG DATE %d +# reported date seconds by deark +#>91 ubelong x deark-DATE=%u # last modified date ->95 beldate-0x7C25B080 x \b, modified %s +>95 long !0 +>>95 beldate-0x7C25B080 x \b, modified %s # Apple creator+typ if not null # file creator (normally expressed as four characters) >69 ulong !0 \b, creator @@ -197,6 +204,7 @@ # length of data segment >83 ubelong !0 \b, %u bytes # filename (in the range 1-63) +# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)" >1 pstring x "%s" # print 1 space and then at offset 128 inspect data fork content if it has one >83 ubelong !0 \b @@ -204,7 +212,7 @@ # Afterwards resource fork if length of resource segment not zero >87 ubelong !0 # calculate resource fork offset ->>83 ubelong+128 x \b, at 0x%x +>>83 ubelong+128 x \b, at %#x # length of resource segment >>87 ubelong !0 %u bytes >>(83.S+128) ubequad x resource @@ -447,7 +455,7 @@ >>>0x412 beshort x number of blocks: %d, >>>0x424 pstring x volume name: %s -0x400 beshort 0x482B Macintosh HFS Extended +0 name hfsplus >&0 beshort x version %d data >0 beshort 0x4C4B (bootable) >0x404 belong ^0x00000100 (mounted) @@ -466,6 +474,11 @@ >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d +0x400 beshort 0x482B Apple HFS Plus +>&0 use hfsplus +0x400 beshort 0x4858 Apple HFS Plus Extended +>&0 use hfsplus + ## AFAIK, only the signature is different # same as Apple Partition Map # GRR: This magic is too weak, it is just "TS" @@ -490,14 +503,3 @@ # From: Remi Mommsen <mommsen@slac.stanford.edu> 0 string BOMStore Mac OS X bill of materials (BOM) file -# From: Adam Buchbinder <adam.buchbinder@gmail.com> -# URL: https://en.wikipedia.org/wiki/Datafork_TrueType -# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is -# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I -# don't know what they mean. -0 belong 0x100 ->(0x4.L+24) beshort x ->>&4 belong 0x73666e74 Mac OSX datafork font, TrueType ->>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' ->>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' ->>&4 belong 0x504f5354 Mac OSX datafork font, PostScript diff --git a/contrib/file/magic/Magdir/magic b/contrib/file/magic/Magdir/magic index 0de332aa3bfb..c8aa054b722b 100644 --- a/contrib/file/magic/Magdir/magic +++ b/contrib/file/magic/Magdir/magic @@ -1,10 +1,71 @@ #------------------------------------------------------------------------------ -# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ +# $File: magic,v 1.11 2023/06/27 13:42:49 christos Exp $ # magic: file(1) magic for magic files # -0 string/t #\ Magic magic text file for file(1) cmd +# Update: Joerg Jenderek +# skip Magicsee_R1.cfg found on retropie starting with # Magicsee R1 one-handed controller +0 string/t #\ Magic\ magic text file for file(1) cmd +#!:mime text/plain +!:mime text/x-file +# no suffix in ../Header +!:ext / +# +# some samples start with a comment line +0 ubyte =0x23 +# many samples start with separator line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st comment line and without seperator comment line +>4 default x +# few sample with 1st comment line and without seperator comment line and regular expression like: sisu +>>1 search/112 regex\x09 +>>>0 use magic-fragment +>>1 default x +# few samples with 1st comment line and without seperator comment line and string value like: +# blcr bsi selinux ssh (file 3.34) digital gnu wordperfect +>>>1 search/471 string\x09 +>>>>0 use magic-fragment +>>>1 default x +# few samples with 1st comment line and without seperator comment line and short value like: +# (file 3.34) os9 osf1 +>>>>1 search/1716 short\x09 +>>>>>0 use magic-fragment +# but many samples start with an empty first line +0 ubyte =0x0A +# many samples sttart with separator comment line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st empty line and without seperator comment line like: biosig espressif +>4 default x +>>1 search/581 \041:mime +>>>0 use magic-fragment +# display information (lines) about magic text fragment +0 name magic-fragment +>0 string x magic text fragment for file(1) cmd +!:mime text/x-file +# most without suffix but mail.news varied.out varied.script +!:ext /news/out/script +# next lines are mainly for control reasons +# some (34/339) samples start comment line +>0 ubyte !0x0A +>>0 string x \b, 1st line "%s" +>>>&1 string x \b, 2nd line "%s" +# but most (305/339) samples start with an empty first line +>0 ubyte =0x0A +>>1 string x \b, 2nd line "%s" +>>>&1 string x \b, 3rd line "%s" +# +# URL: http://en.wikipedia.org/wiki/File_(command) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mgc.trid.xml +# Note: called "magic compiled data (LE)" by TrID 0 lelong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 lelong x (version %d) (little endian) 0 belong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 belong x (version %d) (big endian) diff --git a/contrib/file/magic/Magdir/mail.news b/contrib/file/magic/Magdir/mail.news index 006fe923a860..3ca3b405f613 100644 --- a/contrib/file/magic/Magdir/mail.news +++ b/contrib/file/magic/Magdir/mail.news @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: mail.news,v 1.25 2019/06/21 20:06:05 christos Exp $ +# $File: mail.news,v 1.30 2022/10/31 13:22:26 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. @@ -24,6 +24,8 @@ !:mime message/news 0 string/t From: news or mail text !:mime message/rfc822 +0 string/t Date: news or mail text +!:mime message/rfc822 0 string/t Article saved news text !:mime message/news # Reference: http://quimby.gnus.org/notes/BABYL @@ -42,8 +44,54 @@ #0 string/t Content- MIME entity text # TNEF files... -0 lelong 0x223E9F78 Transport Neutral Encapsulation Format +# URL: http://fileformats.archiveteam.org/wiki/Transport_Neutral_Encapsulation_Format +# https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tnef.trid.xml +# https://interoperability.blob.core.windows.net/files/MS-OXTNEF/%5bMS-OXTNEF%5d-210817.pdf +# Update: Joerg Jenderek +# Note: moved and merged from ./msdos (version 1.154) there just called "TNEF" +# partly verified by `tnef --list -v -f voice.tnef` and `ytnef -v triples.tnef` +# TNEF magic From "Joomy" <joomy@se-ed.net> +# TNEF_SIGNATURE +0 lelong 0x223E9F78 Transport Neutral Encapsulation Format (TNEF) !:mime application/vnd.ms-tnef +# winmail.dat or win.dat by Microsoft Outlook +!:ext tnef/dat +# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxtnef/7fdb64ee-7f63-4d95-9af1-c672e7475c3a +# LegacyKey +#>4 uleshort x \b, key %#4.4x +# attrLevelMessage; Level where attribute applies like: 1~attrLevelMessage 2~attrLevelAttachment +>6 ubyte !1 \b, 1st level %#2.2x +# other ID (like 02900000h) or TnefVersion ID (idTnefVersion=06900800h) +>7 ubelong !0x06900800 \b, 1st id %#8.8x +>7 ubelong =0x06900800 +# TnefVersion length like: 4 +>>11 ulelong !4 \b, TnefVersion length %x +# TNEFVersionData; TnefVersion data like: 00010000h +>>15 ulelong !0x00010000h \b, version %#8.8x +# Checksum like: 1 +>>19 uleshort !1 \b, checksum %#4.4x +# attrLevelMessage; level of attOemCodepage like: 1 +>>21 ubyte !1 \b, level %#2.2x +# idOEMCodePage; OEMCodePage ID like: 07900600h +>>22 ubelong =0x07900600 \b, OEM codepage +# OEMCodePage length like: 8 +>>>26 ulelong =8 +# OEMCodePageData; PrimaryCodePage like: 1251 1252 +>>>>30 ulelong x %u +# OEMCodePageData; SecondaryCodePage; unused and SHOULD contain zero +>>>>34 ulelong !0 and %u +# OEMCodePageData Checksum like: E7h E8h +>>>>38 uleshort x (checksum %#x) +# attrLevelMessage of attMessageClass like: 1 +>>40 ubyte !1 \b, level %u +# idMessageClass; ID of attMessageClass like: 08800700h +>>41 ubelong =0x08800700 \b, MessageAttribute +# attMessageClass length like: 16 24 25 +#>>>45 ulelong x (length %u) +# attMessageClass data like: "IPM.Microsoft Mail.Note" "IPM.Note.Portada Newseum" +# "IPM.Appointment" "IPM.Note.Microsoft.Voicemail.UM.CA" +>>>45 pstring/l x "%s" # From: Kevin Sullivan <ksulliva@psc.edu> 0 string *mbx* MBX mail folder @@ -75,3 +123,10 @@ >12 belong =1 version 1, big-endian >12 lelong =1 version 1, little-endian >12 belong x version %d, network-endian + +# Dovecot mail server, version 2.2 and later. +# Dovecot mailing list: dovecot@dovecot.org +# File format spec: https://wiki.dovecot.org/Design/Dcrypt/#File_format +# From: Stephen Gildea +0 string CRYPTED\003\007 Dovecot encrypted message +>9 byte x \b, dcrypt version %d diff --git a/contrib/file/magic/Magdir/make b/contrib/file/magic/Magdir/make index f522b4f18b11..1abdf7a3ee2e 100644 --- a/contrib/file/magic/Magdir/make +++ b/contrib/file/magic/Magdir/make @@ -1,36 +1,21 @@ #------------------------------------------------------------------------------ -# $File: make,v 1.4 2018/05/29 17:26:02 christos Exp $ +# $File: make,v 1.5 2022/03/12 15:09:47 christos Exp $ # make: file(1) magic for makefiles # # URL: https://en.wikipedia.org/wiki/Make_(software) -0 regex/100l \^CFLAGS makefile script text -!:mime text/x-makefile -0 regex/100l \^VPATH makefile script text -!:mime text/x-makefile -0 regex/100l \^LDFLAGS makefile script text -!:mime text/x-makefile -0 regex/100l \^all: makefile script text -!:mime text/x-makefile -0 regex/100l \^\\.PRECIOUS makefile script text +0 regex/100l \^(CFLAGS|VPATH|LDFLAGS|all:|\\.PRECIOUS) makefile script text !:mime text/x-makefile +!:strength -15 # Update: Joerg Jenderek # Reference: https://www.freebsd.org/cgi/man.cgi?make(1) # exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST" # by additional escaping point character -0 regex/100l \^\\.BEGIN BSD makefile script text -!:mime text/x-makefile -!:ext /mk -!:strength +10 # exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT" # and NSIS script with "!include" by additional escaping point character -0 regex/100l \^\\.include BSD makefile script text -!:mime text/x-makefile -!:ext /mk -!:strength +10 -0 regex/100l \^\\.endif BSD makefile script text +0 regex/100l \^\\.(BEGIN|endif|include) BSD makefile script text !:mime text/x-makefile !:ext /mk -!:strength +10 -0 regex/100l \^SUBDIRS automake makefile script text +!:strength -10 +0 regex/100l \^SUBDIRS[[:space:]]+= automake makefile script text !:mime text/x-makefile -!:strength +10 +!:strength -15 diff --git a/contrib/file/magic/Magdir/map b/contrib/file/magic/Magdir/map index 460746bab227..2d56df015631 100644 --- a/contrib/file/magic/Magdir/map +++ b/contrib/file/magic/Magdir/map @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: map,v 1.8 2019/12/01 22:46:23 christos Exp $ +# $File: map,v 1.10 2023/02/03 20:41:57 christos Exp $ # map: file(1) magic for Map data # @@ -40,7 +40,7 @@ >0 ubyte x Garmin !:mime application/x-garmin-map # If non-zero, every byte of the entire .img file is to be XORed with this value ->0 ubyte !0 \b, 0x%x XORed +>0 ubyte !0 \b, %#x XORed # goto block before FAT >(0x40.b*512) ubyte x # 1st fat name "DLLINFO TXT" only found for vpm @@ -54,7 +54,7 @@ >>&512 string !DLLINFO\ TXT map !:ext img # 9 zeros ->1 ubelong !0 \b, zeroes 0x%x +>1 ubelong !0 \b, zeroes %#x # Map's version major >8 ubyte x v%u # Map's version minor @@ -72,12 +72,12 @@ # Update month (0-11) >0xA ubyte x \b-%.2u # All zeroes ->0xc uleshort !0 \b, zeroes 0x%x +>0xc uleshort !0 \b, zeroes %#x # Mapsource flag, 1 - file created by Mapsource, 0 - Garmin map visible in Basecamp and Homeport -#>0xE ubyte !0 \b, Mapsource flag 0x%x +#>0xE ubyte !0 \b, Mapsource flag %#x >0xE ubyte 1 \b, Mapsource # Checksum, sum of all bytes modulo 256 should be 0 -#>0xF ubyte x \b, Checksum 0x%x +#>0xF ubyte x \b, Checksum %#x # Signature: DSKIMG 0x00 or DSDIMG 0x00 for demo map >0x10 string !DSKIMG \b, signature "%.7s" >0x39 use garmin-date @@ -99,20 +99,20 @@ # MBR signature >0x1FE leshort !0xAA55 \b, invalid MBR # 512 zeros ->0x200 uquad !0 \b, zeroes 0x%llx +>0x200 uquad !0 \b, zeroes %#llx # First sub-file offset (absolute); sometimes NO/UNKNOWN sub file! ->0x40C ulelong >0 \b, at 0x%x +>0x40C ulelong >0 \b, at %#x # sub-file Header length -#>>(0x40C.l) uleshort x \b, header len 0x%x +#>>(0x40C.l) uleshort x \b, header len %#x >>(0x40C.l) uleshort x %u bytes # sub-file Type[10] like "GARMIN RGN" "GARMIN TRE", "GARMIN TYP", etc. >>(0x40C.l+2) ubyte >0x1F >>>(0x40C.l+2) ubyte <0xFF >>>>(0x40C.l+2) string x "%.10s" # 0x00 for most maps, 0x80 for locked maps (City Nav, City Select, etc.) ->>>>(0x40C.l+13) ubyte >0 \b, locked 0x%x +>>>>(0x40C.l+13) ubyte >0 \b, locked %#x # Block sequence numbers like 0000 0100 0200 ... FFFF -# >0x420 ubequad >0 \b, seq. 0x%16.16llx +# >0x420 ubequad >0 \b, seq. %#16.16llx # >>0x428 ubequad >0 \b%16.16llx # >>>0x430 ubequad >0 \b%16.16llx # >>>>0x438 ubequad >0 \b%16.16llx @@ -147,12 +147,12 @@ # ... xth FAT block # # 314 zeros but not in vpm and also gmaptz.img ->0x84 uquad !0 \b, at 0x84 0x%llx +>0x84 uquad !0 \b, at 0x84 %#llx # display FileAllocationTable block entry in garmin map 0 name garmin-fat >0 ubyte x \b; # sub file part; 0x0003 seems to be garbage ->0x10 uleshort !0 next 0x%4.4x +>0x10 uleshort !0 next %#4.4x >0x10 uleshort =0 # fat flag 0~dummy block 1~true sub file >>0 ubyte !1 flag %u @@ -164,7 +164,7 @@ # size of sub file >>>0xC ulelong x \b, %u bytes # 32-bit block sequence numbers -#>>>0x20 ubequad x \b, seq. 0x%16.16llx +#>>>0x20 ubequad x \b, seq. %#16.16llx # display date stored inside Garmin maps like yyyy-mm-dd h:mm:ss 0 name garmin-date @@ -207,38 +207,38 @@ !:mime application/x-garmin-nod !:ext nod >>>0x0E use garmin-date -#>>>0x15 ulelong x \b, at 0x%x -#>>>0x19 ulelong x 0x%x bytes NOD1 -#>>>0x25 ulelong x \b, at 0x%x -#>>>0x29 ulelong x 0x%x bytes NOD2 -#>>>0x31 ulelong x \b, at 0x%x -#>>>0x35 ulelong x 0x%x bytes NOD3 +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes NOD1 +#>>>0x25 ulelong x \b, at %#x +#>>>0x29 ulelong x %#x bytes NOD2 +#>>>0x31 ulelong x \b, at %#x +#>>>0x35 ulelong x %#x bytes NOD3 # URL: http://www.pinns.co.uk/osm/net.html # routable highways (length, direction, allowed speed,house address information) >>9 string NET highways !:mime application/x-garmin-net !:ext net -#>>>0x15 ulelong x \b, at 0x%x -#>>>0x19 ulelong x 0x%x bytes NET1 +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes NET1 #>>>0x22 ulelong >0 -#>>>>0x1E ulelong x \b, at 0x%x -#>>>>0x22 ulelong x 0x%x bytes NET2 +#>>>>0x1E ulelong x \b, at %#x +#>>>>0x22 ulelong x %#x bytes NET2 #>>>0x2B ulelong >0 -#>>>>0x27 ulelong x \b, at 0x%x -#>>>>0x2B ulelong x 0x%x bytes NET3 +#>>>>0x27 ulelong x \b, at %#x +#>>>>0x2B ulelong x %#x bytes NET3 # URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/LBL_Subfile_Format >>9 string LBL labels !:mime application/x-garmin-lbl !:ext lbl >>>(0.s) string x %s # Label coding type 6h 9h and ah ->>>0x1E ubyte x \b, coding type 0x%x -#>>>0x15 ulelong x \b, at 0x%x -#>>>0x19 ulelong x 0x%x bytes LBL1 -#>>>0x1F ulelong x \b, at 0x%x -#>>>0x23 ulelong x 0x%x bytes LBL2 -#>>>0x2D ulelong x \b, at 0x%x -#>>>0x31 ulelong x 0x%x bytes LBL3 +>>>0x1E ubyte x \b, coding type %#x +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes LBL1 +#>>>0x1F ulelong x \b, at %#x +#>>>0x23 ulelong x %#x bytes LBL2 +#>>>0x2D ulelong x \b, at %#x +#>>>0x31 ulelong x %#x bytes LBL3 # URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/SRT_Subfile_Format # A lookup table of the chars in the map's codepage, and their collating sequence >>9 string SRT sort table @@ -256,16 +256,16 @@ # or http://www.openstreetmap.org/ >>>>&1 string x %s >>>0x0E use garmin-date -#>>>0x21 ulelong x \b, at 0x%x -#>>>0x25 ulelong x 0x%x bytes TRE1 -#>>>0x29 ulelong x \b, at 0x%x -#>>>0x2D ulelong x 0x%x bytes TRE2 -#>>>0x31 ulelong x \b, at 0x%x -#>>>0x35 ulelong x 0x%x bytes TRE3 +#>>>0x21 ulelong x \b, at %#x +#>>>0x25 ulelong x %#x bytes TRE1 +#>>>0x29 ulelong x \b, at %#x +#>>>0x2D ulelong x %#x bytes TRE2 +#>>>0x31 ulelong x \b, at %#x +#>>>0x35 ulelong x %#x bytes TRE3 # Copyright record size #>>>0x39 uleshort x \b, copyright record size %u # Map ID ->>>0x74 ulelong x \b, ID 0x%x +>>>0x74 ulelong x \b, ID %#x # URL: https://www.gpspower.net/garmin-tutorials/353310-basecamp-installing-free-desktop-map.html # For road traffic information service (RDS/TMS/TMC). Commonly seen in City Navigator maps >>9 string TRF traffic, @@ -285,11 +285,11 @@ # character set 1252 65001~UTF8 >>>0x15 uleshort x \b, code page %u # POIs -#>>>0x17 ulelong x \b, at 0x%x -#>>>0x1B ulelong x 0x%x bytes TYP1 +#>>>0x17 ulelong x \b, at %#x +#>>>0x1B ulelong x %#x bytes TYP1 # extra pois -#>>>0x5B ulelong x \b, at 0x%x -#>>>0x5F ulelong x 0x%x bytes TYP8 +#>>>0x5B ulelong x \b, at %#x +#>>>0x5F ulelong x %#x bytes TYP8 # URL: https://wiki.openstreetmap.org/wiki/OSM_Map_On_Garmin/RGN_Subfile_Format # http://www.pinns.co.uk/osm/RGN.html # region data used by the Garmin software @@ -297,24 +297,24 @@ !:mime application/x-garmin-rgn !:ext rgn # POIs,Indexed POIs,Polylines or Polygons or first map level -#>>>0x15 ulelong x \b, at 0x%x -#>>>0x19 ulelong x 0x%x bytes RGN1 +#>>>0x15 ulelong x \b, at %#x +#>>>0x19 ulelong x %#x bytes RGN1 # polygons with extended types #>>>0x21 ulelong >0 -#>>>>0x1D ulelong x \b, at 0x%x -#>>>>0x21 ulelong x 0x%x bytes RGN2 +#>>>>0x1D ulelong x \b, at %#x +#>>>>0x21 ulelong x %#x bytes RGN2 # polylines with extended types #>>>0x3D ulelong >0 -#>>>>0x39 ulelong x \b, at 0x%x -#>>>>0x3D ulelong x 0x%x bytes RGN3 +#>>>>0x39 ulelong x \b, at %#x +#>>>>0x3D ulelong x %#x bytes RGN3 # extended POIs #>>>0x59 ulelong >0 -#>>>>0x55 ulelong x \b, at 0x%x -#>>>>0x59 ulelong x 0x%x bytes RGN3 +#>>>>0x55 ulelong x \b, at %#x +#>>>>0x59 ulelong x %#x bytes RGN3 #>>9 default x unknown map type # Header length; GMP:31h 35h 3Dh,MDR:11Eh 238h 2C4h 310h,NOD:3Fh 7Fh,NET:64h, # LBL:2A9h,SRT:1Dh 25h 27h,TRE:CFh 135h,TRF:5Ah,TYP:5Bh 6Eh 7Ch AEh,RGN:7Dh ->>0 uleshort x \b, header length 0x%x +>>0 uleshort x \b, header length %#x # URL: https://www.memotech.franken.de/FileFormats/ # Reference: https://www.memotech.franken.de/FileFormats/Garmin_RGN_Format.pdf @@ -357,7 +357,7 @@ # display information of Garmin RGN record 0 name garmin-entry # record length: 2 for Data, for Application often 1Bh sometimes 1Dh, "big" for Region -#>0 ulelong x \b, length 0x%x +#>0 ulelong x \b, length %#x # data record (ID='D') with version content like 0064h~1.0 >4 ubyte =0x44 >>5 uleshort !0x0064 \b; Data @@ -382,11 +382,11 @@ # delay in ms: like 0, 500 >>7 ulelong !0 \b, %u ms # region size (is record length - 10) -#>>11 ulelong x \b, length 0x%x +#>>11 ulelong x \b, length %#x # region content like: # "KpGr"~recursiv embedded,"GARMIN BITMAP"~Garmin Bitmap *.srf, "PK"~ZIP archive #>>15 string x \b, content "%s" ->>15 ubequad x \b, content 0x%llx... +>>15 ubequad x \b, content %#llx... # This does NOT WORK! #>>15 indirect x \b; contains >4 default x \b; other @@ -406,3 +406,8 @@ >>>>5 byte x \b%d, >>>>6 leshort x product ID %04d) +# Garmin firmware: +# https://www.memotech.franken.de/FileFormats/Garmin_GCD_Format.pdf +# https://www.gpsrchive.com/GPSMAP/GPSMAP%2066sr/Firmware.html +0 string GARMIN +>6 uleshort 100 GARMIN firmware (version 1.0) diff --git a/contrib/file/magic/Magdir/maple b/contrib/file/magic/Magdir/maple index 44ab2842b604..80cf9f29a114 100644 --- a/contrib/file/magic/Magdir/maple +++ b/contrib/file/magic/Magdir/maple @@ -1,20 +1,72 @@ #------------------------------------------------------------------------------ -# $File: maple,v 1.8 2017/03/17 21:35:28 christos Exp $ +# $File: maple,v 1.10 2021/08/30 13:31:25 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" <aldomel@ix.netcom.com> # Maple V release 4, a multi-purpose math program # # maple library .lib -0 string \000MVR4\nI MapleVr4 library +# URL: https://en.wikipedia.org/wiki/Maple_(software) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-maple-v-r4.trid.xml +# Update: Joerg Jenderek +0 string \000MVR4\nI Maple Vr4 library +#!:mime application/octet-stream +!:mime application/x-maple-lib +!:ext lib + +# URL: https://en.wikipedia.org/wiki/Maple_(software) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-maple-v-r5.trid.xml +# From: Joerg Jenderek +0 string \000MVR5\n Maple Vr5 library +#!:mime application/octet-stream +!:mime application/x-maple-lib +!:ext lib + +# From: Joerg Jenderek +0x400 string M7R0\nI Maple Vr7 library +#!:mime application/octet-stream +!:mime application/x-maple-lib +!:ext lib +# null terminated library name like: C:\Maple12/Cliffordlib\maple.lib ../Maplets/Tutors.lib +>5 string x %s +# probably library name padding with nil or points (0x2E) +#>0xF8 uquad x \b, PADDING 0x%16.16llx +# null terminated strings like: Exterior Clifford FunctionArithmetics +# like: 1 20 40 +>0x115 ulelong x \b, %u string +# plural s +>0x115 ulelong >1 \bs +>0x119 string x 1st '%s' +# probably second name section padding with nil or points (0x2E) +#>0x3F0 uquad x \b, 2nd PADDING 0x%16.16llx +# line feed separated ASCII string with maximal 79 length +#>0x407 string x \b, section "%s" +>0x454 ubyte !0x0a \b, at 0x454 0x%x # .ind # no magic for these :-( # they are compiled indexes for maple files # .hdb -0 string \000\004\000\000 Maple help database +# Update: Joerg Jenderek +# URL: https://www.maplesoft.com/support/help/maple/view.aspx?path=Formats/HDB +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hdb-maple.trid.xml +# Note: This format was replaced in Maple 18 by the Maple Help format (*.help) +0 string \000\004\000\000 +# skip xBASE Compound Index file *.CDX by looking for version +>1028 string version Maple help database +# length of string version +#>>1024 ulelong !7 \b, at 0x400 unexpected %u +#!:mime application/octet-stream +!:mime application/x-maple-hdb +!:ext hdb +>1028 default x +# skip more xBASE Compound Index file *.CDX by looking for keyword Maple +# like hsum.hdb +>>4 search/0xCC41 Maple Maple help database +!:mime application/x-maple-hdb +!:ext hdb # .mhp # this has the form <PACKAGE=name> diff --git a/contrib/file/magic/Magdir/mathematica b/contrib/file/magic/Magdir/mathematica index e76957eea43a..dda71e884edb 100644 --- a/contrib/file/magic/Magdir/mathematica +++ b/contrib/file/magic/Magdir/mathematica @@ -1,48 +1,59 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.9 2017/03/17 21:35:28 christos Exp $ +# $File: mathematica,v 1.17 2023/06/16 19:33:58 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" <aldomel@ix.netcom.com> # Mathematica a multi-purpose math program # versions 2.2 and 3.0 -#mathematica .mb -0 string \064\024\012\000\035\000\000\000 Mathematica version 2 notebook -!:ext mb -0 string \064\024\011\000\035\000\000\000 Mathematica version 2 notebook +0 name wolfram +>0 string x Mathematica notebook version 2.x !:ext mb +!:mime application/vnd.wolfram.mathematica + +#mathematica .mb +0 string \064\024\012\000\035\000\000\000 +>0 use wolfram +0 string \064\024\011\000\035\000\000\000 +>0 use wolfram + +# +0 search/1000 Content-type:\040application/mathematica Mathematica notebook version 2.x +!:ext nb +!:mime application/mathematica + # .ma -# multiple possibilites: +# multiple possibilities: -0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook +0 string (*^\n\n::[\011frontEndVersion\ = #>41 string >\0 %s -!:ext mb +>0 use wolfram -#0 string (*^\n\n::[\011palette Mathematica notebook version 2.x +#0 string (*^\n\n::[\011palette -#0 string (*^\n\n::[\011Information Mathematica notebook version 2.x +#0 string (*^\n\n::[\011Information #>675 string >\0 %s #doesn't work well -# there may be 'cr' instread of 'nl' in some does this matter? +# there may be 'cr' instead of 'nl' in some does this matter? # generic: -0 string (*^\r\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\015 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n::[\011 Mathematica notebook version 2.x -!:ext mb +0 string (*^\r\r::[\011 +>0 use wolfram +0 string (*^\r\n\r\n::[\011 +>0 use wolfram +0 string (*^\015 +>0 use wolfram +0 string (*^\n\r\n\r::[\011 +>0 use wolfram +0 string (*^\r::[\011 +>0 use wolfram +0 string (*^\r\n::[\011 +>0 use wolfram +0 string (*^\n\n::[\011 +>0 use wolfram +0 string (*^\n::[\011 +>0 use wolfram # Mathematica .mx files @@ -73,9 +84,109 @@ ######################### # MatLab v5 -0 string MATLAB Matlab v5 mat-file +# URL: http://fileformats.archiveteam.org/wiki/MAT +# Reference: https://www.mathworks.com/help/pdf_doc/matlab/matfile_format.pdf +# first 116 bytes of header contain text in human-readable form +0 string MATLAB Matlab v +#>11 string/T x \b, at 11 "%.105s" +#!:mime application/octet-stream +!:mime application/x-matlab-data +!:ext mat +# https://de.mathworks.com/help/matlab/import_export/mat-file-versions.html +# level of the MAT-file like: 5.0 7.0 or maybe 7.3 +#>7 string x LEVEL "%.3s" +>7 ubyte =0x35 \b5 mat-file +>7 ubyte !0x35 +>>7 string x \b%.3s mat-file >126 short 0x494d (big endian) ->>124 beshort x version 0x%04x +>>124 beshort x version %#04x >126 short 0x4d49 (little endian) ->>124 leshort x version 0x%04x - +# 0x0100 for level 5.0 and 0x0200 for level 7.0 +>>124 leshort x version %#04x +# test again so that default clause works +>126 short x +# created by MATLAB include Platform sometimes without leading comma (0x2C) or missing +# like: GLNX86 PCWIN PCWIN64 SOL2 Windows\0407 nt posix +>>20 search/2 Platform:\040 \b, platform +>>>&0 string x %-0.2s +>>>&2 ubyte !0x2C \b%c +>>>>&0 ubyte !0x2C \b%c +>>>>>&0 ubyte !0x2C \b%c +>>>>>>&0 ubyte !0x2C \b%c +>>>>>>>&0 ubyte !0x2C \b%c +>>>>>>>>&0 ubyte !0x2C \b%c +>>>>>>>>>&0 ubyte !0x2C \b%c +# examples without Platform tag like one_by_zero_char.mat +>>20 default x +>>>11 string x "%s" +# created by MATLAB include time like: Fri Feb 20 15:26:59 2009 +>34 search/9/c created\040on:\040 \b, created +>>&0 string x %-.24s +# MatLab v4 +# From: Joerg Jenderek +# check for valid imaginary flag of Matlab matrix version 4 +13 ushort 0 +# check for valid ASCII matrix name +>20 ubyte >0x1F +# skip PreviousEntries.dat with "invalid high" name \304P\344@\001 +>>20 ubyte <0304 +# skip some Netwfw*.dat and $I3KREPH.dat by checking for non zero number of rows +>>>4 ulong !0 +# skip some CD-ROM filesystem like test-hfs.iso by looking for valid big endian type flag +>>>>0 ubelong&0xFFffFF00 0x00000300 +>>>>>0 use matlab4 +# no example for 8-bit and 16-bit integers matrix +>>>>0 ubelong&0xFFffFF00 0x00000400 +>>>>>0 use matlab4 +# branch for Little-Endian variant of Matlab MATrix version 4 +# skip big endian variant by looking for valid low lttle endian type flag +>>>>0 ulelong <53 +# skip tokens.dat and some Netwfw*.dat by check for valid imaginary flag value of MAT version 4 +>>>>>12 ulelong <2 +# no misidentified little endian MATrix example with "short" matrix name +>>>>>>16 ulelong <3 +# skip radeon firmware BONAIRE_sdma.bin HAWAII_sdma.bin KABINI_sdma.bin KAVERI_sdma.bin MULLINS_sdma.bin +# by check for non zero matrix name length +>>>>>>>16 ubelong >0 +>>>>>>>>0 use \^matlab4 +# little endian MATrix with "long" matrix name or some misidentified samples +>>>>>>16 ulelong >2 +# skip TileCacheLogo-*.dat with invalid 2nd character \001 of matrix name with length 96 +>>>>>>>21 ubyte >0x1F +>>>>>>>>0 use \^matlab4 +# Note: called "MATLAB Mat File" with version "Level 4" by DROID via PUID fmt/1550 +# display information of Matlab v4 mat-file +0 name matlab4 Matlab v4 mat-file +#!:mime application/octet-stream +!:mime application/x-matlab-data +!:ext mat +# 20-byte header with 5 long integers that contains information describing certain attributes of the Matrix +# type flag decimal MOPT; maximal 4052=FD4h; maximal 52=34h for little endian +#>0 ubelong x \b, type flag %u +#>0 ubelong x (%#x) +# M: 0~little endian 1~Big Endian 2~VAX D-float 3~VAX G-float 4~Cray +#>0 ubelong/1000 x \b, M=%u +>0 ubelong/1000 0 (little endian) +>0 ubelong/1000 1 (big endian) +>0 ubelong/1000 2 (VAX D-float) +>0 ubelong/1000 3 (VAX G-float) +>0 ubelong/1000 4 (Cray) +# namlen; the length of the matrix name +#>16 ubelong x \b, name length %u +#>(16.L+19) ubyte x \b, TERMINATING NAME CHARACTER=%#x +# nul terminated matrix name like: fit_params testmatrix testsparsecomplex teststringarray +#>20 string x \b, MATRIX NAME="%s" +#>21 ubyte x \b, MAYBE 2ND CHAR=%c +>16 pstring/L x %s +# T indicates the matrix type: 0~numeric 1~text 2~sparse +#>0 ubelong%10 x \b, T=%u +>0 ubelong%10 0 \b, numeric +>0 ubelong%10 1 \b, text +>0 ubelong%10 2 \b, sparse +# mrows; number of rows in the matrix like: 1 3 8 +>4 ubelong x \b, rows %u +# ncols; number of columns in the matrix like: 1 3 4 5 9 43 +>8 ubelong x \b, columns %u +# imagf; imaginary flag; 1~matrix has an imaginary part 0~only real data +>12 ubelong !0 \b, imaginary (%u) +# real; Real part of the matrix consists of mrows * ncols numbers diff --git a/contrib/file/magic/Magdir/mcrypt b/contrib/file/magic/Magdir/mcrypt index 9c66af48b2a2..f2edd08912dd 100644 --- a/contrib/file/magic/Magdir/mcrypt +++ b/contrib/file/magic/Magdir/mcrypt @@ -1,14 +1,28 @@ #------------------------------------------------------------------------------ -# $File: mcrypt,v 1.5 2009/09/19 16:28:10 christos Exp $ +# $File: mcrypt,v 1.6 2022/02/08 18:51:45 christos Exp $ # Mavroyanopoulos Nikos <nmav@hellug.gr> # mcrypt: file(1) magic for mcrypt 2.2.x; +# URL: https://en.wikipedia.org/wiki/Mcrypt +# http://fileformats.archiveteam.org/wiki/MCrypt +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nc-mcrypt.trid.xml +# Update: Joerg Jenderek +# Note: called by TrID "mcrypt encrypted (v2.5)" 0 string \0m\3 mcrypt 2.5 encrypted data, +#!:mime application/octet-stream +!:mime application/x-crypt-nc +!:ext nc >4 string >\0 algorithm: %s, >>&1 leshort >0 keysize: %d bytes, >>>&0 string >\0 mode: %s, +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nc-mcrypt-22.trid.xml +# Note: called by TrID "mcrypt encrypted (v2.2)" 0 string \0m\2 mcrypt 2.2 encrypted data, +#!:mime application/octet-stream +!:mime application/x-crypt-nc +# no example +!:ext nc >3 byte 0 algorithm: blowfish-448, >3 byte 1 algorithm: DES, >3 byte 2 algorithm: 3DES, diff --git a/contrib/file/magic/Magdir/measure b/contrib/file/magic/Magdir/measure index c99cac841125..42e7186484c8 100644 --- a/contrib/file/magic/Magdir/measure +++ b/contrib/file/magic/Magdir/measure @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: measure,v 1.2 2018/06/23 16:13:15 christos Exp $ +# $File: measure,v 1.3 2021/03/25 17:30:10 christos Exp $ # measure: file(1) magic for measurement data # DIY-Thermocam raw data @@ -37,3 +37,8 @@ >>9600 default x (Lepton 2.x), >>>9600 use diy-thermocam-parser +# Becker & Hickl Photon Counting (PMS) data file +# format documentation: https://www.becker-hickl.com/wp-content/uploads/2018/11/opm-pms400-v01.pdf (page 57) +(0x02.l) string *IDENTIFICATION Becker & Hickl PMS Data File +>0x12 short x (%d data blocks) +!:ext sdt diff --git a/contrib/file/magic/Magdir/meteorological b/contrib/file/magic/Magdir/meteorological index 9e7a3f1bcca6..725982f8d907 100644 --- a/contrib/file/magic/Magdir/meteorological +++ b/contrib/file/magic/Magdir/meteorological @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ +# $File: meteorological,v 1.4 2022/12/09 18:02:09 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf @@ -45,5 +45,9 @@ # https://en.wikipedia.org/wiki/GRIB 0 string GRIB ->7 byte =1 Gridded binary (GRIB) version 1 +>7 byte =1 Gridded binary (GRIB) version 1 +!:mime application/x-grib +!:ext grb/grib >7 byte =2 Gridded binary (GRIB) version 2 +!:mime application/x-grib2 +!:ext grb2/grib2 diff --git a/contrib/file/magic/Magdir/misctools b/contrib/file/magic/Magdir/misctools index cef1da5f4e5f..dc1542adacd7 100644 --- a/contrib/file/magic/Magdir/misctools +++ b/contrib/file/magic/Magdir/misctools @@ -1,22 +1,97 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.18 2019/04/19 00:42:27 christos Exp $ +# $File: misctools,v 1.21 2023/02/03 20:43:48 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text -0 string/c BEGIN:VCALENDAR vCalendar calendar file -!:mime text/calendar -# updated by Joerg Jenderek at Apr 2015 -# Extension: .vcf +# URL: http://fileformats.archiveteam.org/wiki/ICalendar +# https://en.wikipedia.org/wiki/ICalendar +# Update: Joerg Jenderek +# Reference: https://www.rfc-editor.org/rfc/rfc5545 +# http://mark0.net/download/triddefs_xml.7z/defs/v/vcs.trid.xml +# Note: called "iCalendar - vCalendar" by TrID +0 string/c BEGIN:vcalendar +# skip DROID fmt-387-signature-id-572.vcs fmt-388-signature-id-573.ics +# with invalid separator 0x0 or 0xAB instead of CarriageReturn (0x0D) or LineFeed (0x0A) +>15 ubyte&0xF8 =0x08 +# look for VERSION keyword often on second line but sometimes later as in holidays_NRW_2014.ics +>>0 search/188 VERSION +# after VERSION keword :1.0 or often :2.0 but sometimes also ;VALUE=TEXT:2.0 like in Jewish religious Juish.ics +# http://www.webcal.guru/de-DE/kalender_herunterladen?calendar_instance_id=217 +# \n\040:2.0 like in import-real-world-2004-11-19.ics found at +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-real-world-2004-11-19.ics +#>>>&0 string x AFTER_VERSION=%.15s +# Note: called "Internet Calendar and Scheduling format" by DROID via PUID fmt/388 +# skip optional verparam=;other-param like ;VALUE=TEXT and look for version 2.0 that implies iCalendar variant +>>>&0 search/81 :2.0 iCalendar calendar +# look for Free/Busy component +>>>>15 search/278 :VFREEBUSY file, with Free/Busy component +!:mime text/calendar +!:apple ????iFBf +# no real examples found but only example on Wikipedia page +!:ext ifb +# iCalendar calendar without Free/Busy component +>>>>15 default x +# look for ALARM component +>>>>>15 search/154 :VALARM file, with ALARM component +!:mime text/calendar +!:apple ????iCal +# found on macOS beneath /Users/$USER/Library/Calendars/ as EventAllDayAlarms.icsalarm or EventTimedAlarms.icsalarm +# no isc examples found +!:ext icsalarm/ics +# iCalendar calendar without Free/Busy component and ALARM component +>>>>>15 default x file +!:mime text/calendar +!:apple ????iCal +# no examples found with .ical .icalender suffix +!:ext ics +# if no VERSION 2.0 is found then assume it is VERSION 1.0, that is older vCalendar +# URL: http://fileformats.archiveteam.org/wiki/VCalendar +# Note: called "VCalendar format" by DROID via fmt/387 +>>>&0 default x vCalendar calendar file +# deprecated +!:mime text/x-vcalendar +!:ext vcs +# GRR: without VERSION keyword violates specification but accepted by Thunderbird like +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-with-timezone.ics +>>0 default x vCalendar calendar file, without VERSION +!:mime text/x-vcalendar +#!:mime text/calendar +# no vcs example found +!:ext ics/vcs +# GRR: According to newest specification CarriageReturn (0xD) and LineFeed (0xA) should be used as separator but others accepted by Thunderbird +# like CRLF,LF in Sport Today.vcs created by calendar plugin of TV-Browser https://enwiki.tvbrowser.org/index.php/Calendar_Export +# or LF like https://www.schulferien.org/media/ical/deutschland/ferien_nordrhein-westfalen_2023.ics?k=foo +>>15 ubeshort !0x0D0A \b, without CRLF + +# updated by Joerg Jenderek at Apr 2015, May 2021 # https://en.wikipedia.org/wiki/VCard -0 string/c BEGIN:VCARD vCard visiting card +# URL: http://fileformats.archiveteam.org/wiki/VCard +# https://datatracker.ietf.org/doc/html/rfc6350 +# the value is case-insensitive +0 string/c begin:vcard +# skip DROID fmt-395-signature-id-634.vcf +>13 string !VERSION:END vCard visiting card # deprecated #!:mime text/x-vcard !:mime text/vcard +!:apple ????vCrd +!:ext vcf/vcard # VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere ->12 search/14000/c VERSION: +# Joerg_Jenderek_67.vcf +>>12 search/0x113b4/c version: # VERSION 2.1 , 3.0 or 4.0 ->>&0 string x \b, version %-.3s +>>>&0 string x \b, version %-.3s +>>>&0 string !2.1 +>>>>13 string !VERSION: \b, 2nd line does not start with VERSION: +# downcase violates RFC 6350, but some "bad" software produce such vcards +>>0 string !BEGIN \b, not up case +# http://ftp.mozilla.org/pub/thunderbird/candidates/ +# 78.10.1-candidates/build1/source/thunderbird-78.10.1.source.tar.xz +# thunderbird-78.10.1/comm/mailnews/import/test/unit/resources/basic_vcard_addressbook.vcf +>>11 beshort !0x0D0A \b, lines not separated by CRLF # Summary: Libtool library file # Extension: .la @@ -41,18 +116,18 @@ !:ext dmp/mdmp # The high-order word is an internal value that is implementation specific. # The low-order word is MINIDUMP_VERSION 0xA793 ->4 ulelong&0x0000FFFF !0xA793 \b, version 0x%4.4x +>4 ulelong&0x0000FFFF !0xA793 \b, version %#4.4x # NumberOfStreams 8,9,10,13 >8 ulelong x \b, %d streams # StreamDirectoryRva 0x20 ->12 ulelong !0x20 \b, 0x%8.8x RVA +>12 ulelong !0x20 \b, %#8.8x RVA # CheckSum 0 ->16 ulelong !0 \b, CheckSum 0x%8.8x +>16 ulelong !0 \b, CheckSum %#8.8x # Reserved or TimeDateStamp >20 ledate x \b, %s # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx # Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 ->24 ulelong x \b, 0x%x type +>24 ulelong x \b, %#x type # >24 ulelong >0 \b; include # >>24 ulelong &0x00000001 \b data sections, # >>24 ulelong &0x00000020 \b list of unloaded modules, diff --git a/contrib/file/magic/Magdir/modem b/contrib/file/magic/Magdir/modem index c7a53ee436fe..5d59401f6cb2 100644 --- a/contrib/file/magic/Magdir/modem +++ b/contrib/file/magic/Magdir/modem @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.9 2019/04/19 00:42:27 christos Exp $ +# $File: modem,v 1.11 2022/10/19 20:15:16 christos Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche <florian@knorke.saar.de> @@ -11,6 +11,7 @@ # Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). # Modified by: Joerg Jenderek # URL: https://de.wikipedia.org/wiki/Fax +# http://fileformats.archiveteam.org/wiki/CCITT_Group_3 # Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others 0 short 0x0100 @@ -32,7 +33,10 @@ # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom >>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom ->>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded +>>>>>>>8 ubequad !0x5dee74ad1aa56394 +# skip few (5/41) DEGAS mid-res bitmap (GEMINI01.PI2 GEMINI02.PI2 GEMINI03.PI2 CODE_RAM.PI2 TBX_DEMO.PI2) +# with file size 32034 +>>>>>>>>-0 offset !32034 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" !:mime image/g3fax #!:apple ????TIFF @@ -43,7 +47,9 @@ # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom >2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x raw G3 (Group 3) FAX +>2 default x +# skip some (84/1246) MacBinary II/III (Cyberdog2.068k.smi.bin FileMakerPro4.img.bin Hypercard1.25.image.bin UsbStorage1.3.5.smi.bin) with "non random" numbers by versions values 81h/82h + 81h +>>122 ubeshort&0xFcFf !0x8081 raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" !:mime image/g3fax !:ext g3 @@ -59,7 +65,7 @@ # 0 string RMD1 raw modem data >4 string >\0 (%s / ->20 short >0 compression type 0x%04x) +>20 short >0 compression type %#04x) # # portable voice format 1 diff --git a/contrib/file/magic/Magdir/motorola b/contrib/file/magic/Magdir/motorola index e19a9075621f..af93720f2968 100644 --- a/contrib/file/magic/Magdir/motorola +++ b/contrib/file/magic/Magdir/motorola @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: motorola,v 1.11 2014/04/30 21:41:02 christos Exp $ +# $File: motorola,v 1.12 2021/04/26 15:56:00 christos Exp $ # motorola: file(1) magic for Motorola 68K and 88K binaries # # 68K @@ -60,7 +60,7 @@ >22 belong &0x01 fastload flag, >22 belong &0x02 may be loaded to alternate RAM, >22 belong &0x04 malloc may be from alternate RAM, ->22 belong x flags: 0x%X, +>22 belong x flags: %#X, >26 beshort 0 no relocation tab >26 beshort !0 + relocation tab >30 string SFX [Self-Extracting LZH SFX archive] diff --git a/contrib/file/magic/Magdir/mozilla b/contrib/file/magic/Magdir/mozilla index bc6b6a66b91e..32f3bb7e9c46 100644 --- a/contrib/file/magic/Magdir/mozilla +++ b/contrib/file/magic/Magdir/mozilla @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: mozilla,v 1.10 2019/04/19 00:42:27 christos Exp $ +# $File: mozilla,v 1.12 2021/04/26 15:56:00 christos Exp $ # mozilla: file(1) magic for Mozilla XUL fastload files # (XUL.mfasl and XPC.mfasl) # URL: https://www.mozilla.org/ @@ -14,7 +14,7 @@ # Reference: https://github.com/avih/dejsonlz4/archive/master.zip/ # dejsonlz4-master\src\dejsonlz4.c # Note: mostly JSON compressed with a non-standard LZ4 header -# can be unpacked by dejsonlz4 but not lz4 programm. +# can be unpacked by dejsonlz4 but not lz4 program. 0 string mozLz40\0 Mozilla lz4 compressed data !:mime application/x-lz4+json # mozlz4 extension seems to be used for search/store, while jsonlz4 for bookmarks @@ -22,7 +22,7 @@ # decomp_size >8 ulelong x \b, originally %u bytes # lz4 data -#>12 ubequad x \b, lz4 data 0x%16.16llx +#>12 ubequad x \b, lz4 data %#16.16llx # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Firefox_4 diff --git a/contrib/file/magic/Magdir/msdos b/contrib/file/magic/Magdir/msdos index 7ddbb30fbbe0..aacf85946b09 100644 --- a/contrib/file/magic/Magdir/msdos +++ b/contrib/file/magic/Magdir/msdos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.137 2020/03/20 17:20:19 christos Exp $ +# $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $ # msdos: file(1) magic for MS-DOS files # @@ -47,29 +47,129 @@ # Tests for various EXE types. # -# Many of the compressed formats were extraced from IDARC 1.23 source code. +# Many of the compressed formats were extracted from IDARC 1.23 source code. # +# e_magic 0 string/b MZ -# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. ->0x18 leshort <0x40 MS-DOS executable +# TODO +# FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition +# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FOD: WIFE Font Driver +# GAU: MS Flight Simulator Gauge +# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2 +# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya +# PFL: PhotoFilter plugin http://photofiltre.free.fr +# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html +# PLG: Aston Shell plugin http://www.astonshell.com/ +# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC +# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm +# TBK: Asymetrix ToolBook application http://www.toolbook.com +# TBP: The Bat! plugin http://www.ritlabs.com +# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com +# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com +# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/ +# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com +# +# NEXT LINES FOR DEBUGGING! +# e_cblp; bytes on last page of file +# e_cp; pages in file +#>4 uleshort x \b, e_cp 0x%x +# e_lfanew; file address of new exe header +#>0x3c ulelong x \b, e_lfanew 0x%x +# e_lfarlc; address of relocation table +#>0x18 uleshort x \b, e_lfarlc=0x%x +# e_ovno; overlay number. If zero, this is the main executable foo +#>0x1a uleshort !0 \b, e_ovno 0x%x +#>0x1C ubequad !0 \b, e_res 0x%16.16llx +# e_oemid; often 0 +#>0x24 uleshort !0 \b, e_oemid 0x%x +# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV) +# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV) +#>0x26 uleshort !0 \b, e_oeminfo 0x%x +# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe +# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE +#>0x28 ubequad !0 \b, e_res2 0x%16.16llx +# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593 +# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs +# new exe header magic like: PE NE LE LX W3 W4 +# no examples found for ZM DL MP P2 P3 +#>(0x3c.l) string x \b, at [0x3c] %.2s +#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x +#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x +# +# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file. +# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead +# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c +# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0 +# Icon library WORD60.ICL e_lfarlc=0 +# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0 +>0x18 uleshort <0x40 +# check magic of new second header +# NE executable with low e_lfarlc like: WORD60.ICL +# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library +>>(0x3c.l) string NE Windows Icons Library 16-bit +!:mime image/x-ms-icl +!:ext icl +# handle LX executable with low e_lfarlc like: PCISCAN.EXE +>>(0x3c.l) string LX +>>>(0x3c.l) use lx-executable +# skip Portable Executable (PE) with low e_lfarlc here, because handled later +# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS +>>(0x3c.l) string PE +# not New Executable (NE) and not PE with low e_lfarlc like: +# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe +>>(0x3c.l) default x MS-DOS executable, MZ for MS-DOS !:mime application/x-dosexec # Windows and later versions of DOS will allow .EXEs to be named with a .COM # extension, mostly for compatibility's sake. -!:ext exe/com +# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM +# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml +# also like: BGISRV.DRV +!:ext exe/com/vlm/drv # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1e (MS compiler) # Maybe it's a PE? +# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable +# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format >(0x3c.l) string PE\0\0 PE -!:mime application/x-dosexec +!:mime application/vnd.microsoft.portable-executable +# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics +# DLL Characteristics +#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x, +# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file +# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. +# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL) >>(0x3c.l+24) leshort 0x010b \b32 executable +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x020b \b32+ executable +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x0107 ROM image >>(0x3c.l+24) default x Unknown PE signature ->>>&0 leshort x 0x%x +>>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem +>>(0x3c.l+92) leshort 0 ( +# Summary: Microsoft compiled help *.HXS format 2.0 +# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2 +# Reference: http://www.russotto.net/chm/itolitlsformat.html +# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml +# Note: 2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS +# verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS` +>>>(0x3c.l+6) uleshort =2 \bMicrosoft compiled help format 2.0) +!:ext hxs +# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like: +# CPL: Control Panel item for WINE 1.7.28 https://www.winehq.org/ +>>>(0x3c.l+6) uleshort !2 \bControl Panel Item) +!:ext cpl +# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes >>(0x3c.l+92) leshort 1 # Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the # drivers in Windows/System32/drivers/*.sys. @@ -77,6 +177,7 @@ !:ext dll/sys >>>(0x3c.l+22) leshort&0x2000 0 (native) !:ext exe/sys +# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem >>(0x3c.l+92) leshort 2 >>>(0x3c.l+22) leshort&0x2000 >0 (GUI) # These could probably be at least partially distinguished from one another by @@ -92,22 +193,73 @@ # Screen savers typically include code from the scrnsave.lib static library, but # that's not guaranteed. !:ext exe/scr +# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem >>(0x3c.l+92) leshort 3 >>>(0x3c.l+22) leshort&0x2000 >0 (console) !:ext dll/cpl/tlb/ocx/acm/ax/ime >>>(0x3c.l+22) leshort&0x2000 0 (console) !:ext exe/com -# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format ->>(0x3c.l+92) leshort 7 (POSIX) ->>(0x3c.l+92) leshort 9 (Windows CE) +# NO Windows Subsystem number 4! +>>(0x3c.l+92) leshort 4 (Unknown subsystem 4) +# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem +>>(0x3c.l+92) leshort 5 (OS/2) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-os2 +# NO Windows Subsystem number 6! +>>(0x3c.l+92) leshort 6 (Unknown subsystem 6) +# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem +>>(0x3c.l+92) leshort 7 (POSIX +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: PSXDLL.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: PAX.EXE +!:ext exe +# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver +>>(0x3c.l+92) leshort 8 (Win9x) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-win98 +# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE +>>(0x3c.l+92) leshort 9 (Windows CE +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: NNGStart.exe navigator.exe +!:ext exe +# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application >>(0x3c.l+92) leshort 10 (EFI application) +# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi +!:ext efi +# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services >>(0x3c.l+92) leshort 11 (EFI boot service driver) +# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi +!:ext efi >>(0x3c.l+92) leshort 12 (EFI runtime driver) +# no sample found +!:ext efi +# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image >>(0x3c.l+92) leshort 13 (EFI ROM) +# no sample found +!:ext efi +# 14~IMAGE_SUBSYSTEM_XBOX XBOX >>(0x3c.l+92) leshort 14 (XBOX) ->>(0x3c.l+92) leshort 15 (Windows boot application) ->>(0x3c.l+92) default x (Unknown subsystem ->>>&0 leshort x 0x%x) +#!:ext foo-xbox +# NO Windows Subsystem number 15! +>>(0x3c.l+92) leshort 15 (Unknown subsystem 15) +# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application +>>(0x3c.l+92) leshort 16 (Windows boot application +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll +!:ext efi/exe +# GRR: the next 2 lines are not executed! +#>>(0x3c.l+92) default x (Unknown subsystem +#>>>&0 leshort x %#x) +>>(0x3c.l+92) leshort >16 (Unknown subsystem +>>>&0 leshort x %#x) >>(0x3c.l+4) leshort 0x14c Intel 80386 >>(0x3c.l+4) leshort 0x166 MIPS R4000 >>(0x3c.l+4) leshort 0x168 MIPS R10000 @@ -134,12 +286,15 @@ >>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit >>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit >>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit +>>(0x3c.l+4) leshort 0x6232 LoongArch 32-bit +>>(0x3c.l+4) leshort 0x6264 LoongArch 64-bit >>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R >>(0x3c.l+4) leshort 0x8664 x86-64 >>(0x3c.l+4) leshort 0xaa64 Aarch64 >>(0x3c.l+4) leshort 0xc0ee MSIL +# GRR: the next 2 lines are not executed! >>(0x3c.l+4) default x Unknown processor type ->>>&0 leshort x 0x%x +>>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) >>(0x3c.l+22) leshort&0x1000 >0 system file >>(0x3c.l+24) leshort 0x010b @@ -174,33 +329,134 @@ >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>0x30 string Inno \b, InnoSetup self-extracting archive +# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc. +# PE used as container have less sections +>>(0x3c.l+6) leshort >1 \b, %u sections +# do not display for 1 section to get output like in version 5.43 and to keep output columns low +#>>(0x3c.l+6) leshort =1 \b, %u section # If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. ->0x18 leshort >0x3f +>0x18 uleshort >0x3f # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable -!:mime application/x-dosexec +#!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-ne-executable +# FOR DEBUGGING! +# Reference: https://wiki.osdev.org/NE +# ProgFlags; Program flags, bitmapped +#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x +# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, none +# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared +# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple +# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null) +# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Global initialization +# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only +# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions +# >>>(0x3c.l+0x0c) ubyte &0x20 \b, 80286 instructions +# >>>(0x3c.l+0x0c) ubyte &0x40 \b, 80386 instructions +# >>>(0x3c.l+0x0c) ubyte &0x80 \b, 80x87 instructions +# ApplFlags; Application flags, bitmapped +# https://www.fileformat.info/format/exe/corion-ne.htm +#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x +# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API) +# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Full screen +#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. API +# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle +#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver +# AutoDataSegIndex; automatic data segment index like: 0 2 3 22 +# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared +#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u +# InitHeapSize; intial local heap size like; 0 400h 1400h +# zero if there is no local allocation +#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x +# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h +# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h +# 6D60h 8000h 40000h +# zero if the SS register value does not equal the DS register value +#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x +# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h +#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x +# InitStack; specifies the segment offset value of stack pointer SS:SP +# like: 0 20000h 160000h +#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x +# SegCount; number of segments in segment table like: 0 1 2 3 16h +#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x +# ModRefs; number of module references (DLLs) like; 0 1 3 +#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u +# NoResNamesTabSiz; size in bytes of non-resident names table +# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh +#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x +# SegTableOffset; offset of Segment table like: 40h +#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x +# ResTableOffset; offset of resources table like: 40h 50h 58h F0h +# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON +#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 0x%x +# ResidNamTable; offset of resident names table +# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h +#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x +# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h) +# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh +#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x +# OffStartNonResTab; offset from start of file to non-resident names table +# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h +#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x +# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446 +#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u +# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default) +#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u +# nResTabEntries; number of resource table entries like: 0 2 +#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u +# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2 +# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE +# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE +#>>>(0x3c.l+0x36) byte x TARGOS %x +>>>(0x3c.l+0x36) byte 0 for OS/2 1.0 or MS Windows 1-2 >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services +# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip +# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE +# GRR: WHAT OS is this? +#>>>(0x3c.l+0x36) byte 6 for TARGET SIX +# https://en.wikipedia.org/wiki/Phar_Lap_(company) +>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender, OS/2 +# like: CVP7.EXE +>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap DOS extender, Windows >>>(0x3c.l+0x36) default x ->>>>(0x3c.l+0x36) byte x (unknown OS %x) ->>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender +>>>>(0x3c.l+0x36) ubyte x (unknown OS %#x) +# expctwinver; expected Windows version (minor first) like: +# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR +>>>(0x3c.l+0x3F) ubyte x (%u +>>>(0x3c.l+0x3E) ubyte x \b.%u) +# OS2EXEFlags; other EXE flags +# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area +#>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x +# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h +#>>>(0x3c.l+0x38) uleshort !0 \b, retThunkOffset 0x%x +# segrefthunksoff; offset to segment reference thunks or size of gangload area +# like: 0 33Eh 39Ah AEEh +#>>>(0x3c.l+0x3A) uleshort !0 \b, segrefthunksoff 0x%x +# mincodeswap; minimum code swap area size like 0 620Ch +#>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x >>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) # DRV: Driver # 3GR: Grabber device driver # CPL: Control Panel Item -# VBX: Visual Basic Extension -# FON: Bitmap font +# VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic +# FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON # FOT: Font resource file +# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE +# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data !:ext dll/drv/3gr/cpl/vbx/fon/fot >>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) !:ext exe/scr @@ -226,8 +482,17 @@ >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive # MS Windows system file, supposedly a collection of LE executables +# like vmm32.vxd WIN386.EXE >>(0x3c.l) string W3 \b, W3 for MS Windows -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-w3-executable +!:ext vxd/exe +# W4 executable +>>(0x3c.l) string W4 \b, W4 for MS Windows +#!:mime application/x-dosexec +!:mime application/x-ms-w4-executable +# windows 98 VMM32.VXD +!:ext vxd >>(0x3c.l) string LE\0\0 \b, LE executable !:mime application/x-dosexec @@ -266,11 +531,19 @@ !:ext exe/com # header data too small for extended executable >2 long !0 ->>0x18 leshort <0x40 +>>0x18 uleshort <0x40 >>>(4.s*512) leshort !0x014c >>>>&(2.s-514) string !LE ->>>>>&-2 string !BW \b, MZ for MS-DOS +>>>>>&-2 string !BW +#>>>>>>(0x3c.l) string x \b, 2ND MAGIC %.2s +# but some LX executable appear here also like: PCISCAN.EXE +>>>>>>(0x3c.l) string !LX +# because Portable Executable (PE) already done skip many here like: +# xcopy32.exe stinger64.exe WimUtil.exe +# NO such DOS examples found and +# DOS examples seems to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM +>>>>>>>(0x3c.l) string !PE \b, MZ for MS-DOS !:mime application/x-dosexec >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender @@ -289,7 +562,7 @@ >>>&1 string x for DOS, Win or OS/2, emx %s >>&(&0x42.l-3) byte x >>>&0x26 string UPX \b, UPX compressed -# and yet another guess: small .text, and after large .data is unusal, could be 32lite +# and yet another guess: small .text, and after large .data is unusual, could be 32lite >>&0x2c search/0xa0 .text >>>&0x0b lelong <0x2000 >>>>&0 lelong >0x6000 \b, 32lite compressed @@ -362,12 +635,94 @@ >>49824 leshort =1 \b, 1 file >>49824 leshort >1 \b, %u files +# Summary: OS/2 LX Library and device driver (no DOS stub) +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/EXE +# Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt +# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h +# Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)" +# TODO: unify with DOS stub variant (MZ magic) +0 string/b LX +>2 ushort =0 +>>0 use lx-executable +# no examples found for big endian variant +>2 ushort =0x0101 +>>0 use \^lx-executable +0 name lx-executable +# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX" +#>0x00 uleshort x executable, +# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE +>0x00 uleshort =0x584c LX +>0x00 uleshort =0x454C LE +>0x00 uleshort x executable +#!:mime application/x-msdownload +!:mime application/x-lx-executable +!:ext exe +# byte order: 00h~little-endian non-zero=1~big-endian +#>0x02 ubyte =0 (little-endian) +>0x02 ubyte !0 (big-endian) +# FOR DEBUGGING! +# word order: 00h~little-endian non-zero=1~big-endian +#>0x03 ubyte =0 \b, little-endian word order +#>0x03 ubyte !0 \b, big-endian word order +# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000 +#>0x08 uleshort x \b, CPU %u +# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386 +#>0x0A leshort x \b, OS %u +# flags; module type flags +#>0x10 ulelong x \b, FLAGS %#8.8x +# 00000002h ~Reserved for system use +#>0x10 ulelong &0x00000002 \b, 2h reserved +# OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid +#>0x10 ulelong &0x00000004 \b, per-process library Initialization +# OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied +#>0x10 ulelong &0x00000010 \b, int. fixup +# OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied +#>0x10 ulelong &0x00000020 \b, ext. fixup +# OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing +#>0x10 ulelong&0x00000100 =0x00000100 \b, incompatible with PM windowing +# OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing +#>0x10 ulelong&0x00000200 =0x00000200 \b, compatible with PM windowing +# bit 17; device driver +#>0x10 ulelong&0x00020000 >0 \b, device driver +# Per-process Library Termination; setting this bit for EXE file is invalid +#>0x10 ulelong&0x40000000 =0x40000000 \b, per-process library termination +>0x0a leshort 1 for OS/2 +# no example found +>0x0a leshort 3 for DOS +# http://www.ctyme.com/intr/rb-2939.htm#Table1610 +# library by module type mask 00038000h (bits 15-17); +# 0h ~executable Program module +>0x10 ulelong&0x00038000 =0x00000000 (program) +#!:ext exe +# OSF_IS_DLL=8000h ~Library module (DLL) +>0x10 ulelong&0x00038000 >0x00000000 +# OSF_PHYS_DEVICE=00020000h ~device driver +>>0x10 ulelong&0x00020000 >0 (device driver) +!:ext sys +# if not device driver it is library (DLL) +>>0x10 ulelong&0x00020000 =0 (library) +!:ext dll +# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console +>0x10 ulelong&0x00000300 =0x00000300 (GUI) +>0x10 ulelong&0x00000300 !0x00000300 (console) +# CPU type +>0x08 uleshort 1 i80286 +# all inspected examples +>0x08 uleshort 2 i80386 +>0x08 uleshort 3 i80486 +>0x08 uleshort 4 i80586 +# 21h Intel "N11" or compatible +# 40h MIPS Mark I ( R2000, R3000) or compatible +# 41h MIPS Mark II ( R6000 ) or compatible +# 42h MIPS Mark III ( R4000 ) or compatible + # added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc # and https://www.freedos.org/software/?prog=kpdos # for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 0 string/b KCF FreeDOS KEYBoard Layout collection # only version=0x100 found ->3 uleshort x \b, version 0x%x +>3 uleshort x \b, version %#x # length of string containing author,info and special characters >6 ubyte >0 #>>6 pstring x \b, name=%s @@ -378,42 +733,58 @@ # for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found ->3 uleshort x \b, version 0x%x +>3 uleshort x \b, version %#x # stringlength >5 ubyte >0 >>8 string x \b, name=%-.2s 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 -# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023 +# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver +# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html +# http://www.o3one.org/hwdocs/bios_doc/dosref22.html 0 ulequad&0x07a0ffffffff 0xffffffff ->0 use msdos-driver +# skip OS/2 INI ./os2 +>4 ubelong !0x14000000 +#>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx +# https://bugs.astron.com/view.php?id=434 +# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like" +>>10 ubequad !0 +>>>0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver # also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN -!:ext sys/dev/bin ->40 search/7 UPX! \bUPX compressed +# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used? +# PROTMAN.DOS ELNKPL.DOS +!:ext sys/dev/bin/dos +# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device" +>40 search/7 UPX! \bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b ->>4 uleshort&0x0008 0x0008 \bclock +# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$" +>>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h ->>4 uleshort&0x0010 0x0010 \bfast +# 1 space char after "fast" to get phrase like "fast standard input/output character device driver" +>>4 uleshort&0x0010 0x0010 \bfast # standard input/output device ->>4 uleshort&0x0003 >0 \bstandard +# 1 space char after "standard" to get phrase like "standard input/output character device driver" +>>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ ->>>4 uleshort&0x0002 0x0002 \boutput +# 1 space char after "output" to get phrase like "input/output character device driver" +>>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver >0 ubyte x # upx compressed device driver has garbage instead of real in name field of header >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped ->>>12 ubyte >0x2E \b +# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE" +>>>12 ubyte >0x23 \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c @@ -456,6 +827,7 @@ >4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) +>0 ulelong !0xffffffff with pointer %#x # DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 0 ulequad 0x0513c00000000012 >0 use msdos-driver @@ -464,6 +836,7 @@ >0 use msdos-driver 0 ulequad 0x007f00000000ffff >0 use msdos-driver +# https://www.uwe-sieber.de/files/cfg_echo.zip 0 ulequad 0x001600000000ffff >0 use msdos-driver # DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field @@ -471,6 +844,12 @@ >0 use msdos-driver 0 ulequad 0x07bd08c2ffffffff >0 use msdos-driver +# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS +0 ulequad 0x027ac0c0ffffffff +>0 use msdos-driver +# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS +0 ulequad 0x00228880ffffffff +>0 use msdos-driver # updated by Joerg Jenderek # GRR: line below too general as it catches also @@ -484,7 +863,8 @@ # skip "GPG symmetrically encrypted data" ./gnu # skip "PGP symmetric key encrypted data" ./pgp # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type ->>>4 ubyte >13 DOS executable (COM, 0x8C-variant) +>>>4 ubyte >13 +>>>>0 use msdos-com # the remaining files should be DOS *.COM executables # dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd # hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4 @@ -494,48 +874,164 @@ # SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b # validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e # devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e -!:mime application/x-dosexec -!:ext com - -# updated by Joerg Jenderek at Oct 2008 -0 ulelong 0xffff10eb DR-DOS executable (COM) -# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb -0 ubeshort&0xeb8d >0xeb00 -# DR-DOS STACKER.COM SCREATE.SYS missed 0 name msdos-com ->0 byte x DOS executable (COM) -!:mime application/x-dosexec -!:ext com +# URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com) +>0 byte x DOS executable ( +# DOS executable with JuMP 16-bit instruction +>0 byte =0xE9 +# check for probably nil padding til offset 64 of Lotus driver name +>>56 quad =0 +# check for "long" alphabetic Lotus driver name like: +# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus" +>>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s +!:mime application/x-dosexec +# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2) +!:ext drv +# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1) +>>>24 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable with JuMP 16-bit and without nil padding +>>56 quad !0 +# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot +# TODO: HOWTO distinguish COMboot from pure DOS executables? +# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program +>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit) +!:mime application/x-dosexec +# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2) +!:ext com/cbt +>>>1 default x \bCOM) +!:mime application/x-dosexec +!:ext com +# DOS executable without JuMP 16-bit instruction +>0 byte !0xE9 +# SCREATE.SYS https://en.wikipedia.org/wiki/Stac_Electronics +>>10 string =?STACVOL \bSCREATE.SYS) +!:mime application/x-dosexec +!:ext sys +# COM executable without JuMP 16-bit instruction and not SCREATE.SYS +>>10 string !?STACVOL \bCOM) +!:mime application/x-dosexec +!:ext com >6 string SFX\ of\ LHarc \b, %s >0x1FE leshort 0xAA55 \b, boot code >85 string UPX \b, UPX compressed >4 string \ $ARX \b, ARX self-extracting archive >4 string \ $LHarc \b, LHarc self-extracting archive >0x20e string SFX\ by\ LARC \b, LARC self-extracting archive +# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2) +>1 search/0xc088 \xcd\x22 \b, maybe with interrupt 22h +>0 ubelong x \b, start instruction %#8.8x +# show more instructions but not in samples like: rem.com (DJGPP) +>4 ubelong x %8.8x # JMP 8bit 0 byte 0xeb +# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent # allow forward jumps only >1 byte >-1 # that offset must be accessible +# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc >>(1.b+2) byte x ->>>0 use msdos-com - +# if look like COM executable with x86 boot signature then this +# implies FAT volume with x86 real mode code already handled by ./filesystems +# +# No x86 boot signature implies often DOS executable +# check for unrealistic high number of FATs. Then it is an unusual disk image or often a DOS executable +# like: FIXBIOS.COM (50 bytes) +>>>16 ubyte >3 +# https://www.drivedroid.io/ +# skip MBR disk image drivedroid.img version 12 July 2013 by start message +>>>>2 string !DriveDroid +# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/ +# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM) +# by check for characteristic message text near the beginning +>>>>>15 string !Non\040System\040disk +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar" +# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux +# by check for characteristic message text near the beginning +>>>>>>6 string !read\040error\015 +# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip +# skip ventoy 1.0.78 boot_hybrid.img +>>>>>>>24 string !\220\220\353I$\022\017 +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar" +# skip unusual floppy image PCDOS100.IMG of DOS 1.0 +# by check for characteristic message text near the beginning +>>>>>>>>9 string !7-May-81 +# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar" +# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems +# by check for characteristic message near the beginning +>>>>>>>>>3 string !\370sdfS\270 +# like: FIXBIOS.COM (50 bytes) +>>>>>>>>>>0 use msdos-com +# check for unrealistic low number of FATs. Then it is an unusual FAT disk image or often a DOS executable +# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15) +>>>16 ubyte =0 +# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux) +>>>>0x1FE leshort =0xAA55 +>>>>0x1FE default x +# https://thestarman.pcministry.com/tool/hxd/dimtut.htm +# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10 +# by check for characteristic bootloader names near end of boot sector +>>>>>395 string !ibmbio\040\040com +>>>>>>0 use msdos-com +# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems +# like: balder.img +>>>16 default x +# skip disk images with boot signature at end of 1st sector +# like: TDSK-64b.img +>>>>(11.s-2) uleshort !0xAA55 +# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18) +# by check for characteristic file system type text for FAT (12 bit or 16 bit) +>>>>>54 string !FAT +# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar" +# skip unusual floppy image Disk4.img without boot signature and file system type text +# by check for characteristic OEM-ID text +>>>>>>3 string !COMPAQ\040\040 +# no such DOS COM executables found +>>>>>>>0 use msdos-com # JMP 16bit 0 byte 0xe9 +# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM +#>1 leshort x \b, OFFSET %d # forward jumps ->1 short >-1 +>1 leshort >-1 # that offset must be accessible +# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc >>(1.s+3) byte x ->>>0 use msdos-com +# check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable +# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes) +>>>16 ubyte >3 +>>>>0 use msdos-com +# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable +# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV +>>>16 ubyte =0 +>>>>0 use msdos-com +# maybe disc image with valid number of FATs or DOS executable +# like: IPXODI.COM PERUSE.COM TASKID.COM +>>>16 default x +# invalid low media descriptor. Then it is not a disk image and it is a DOS executable +>>>>21 ubyte <0xE5 +>>>>>0 use msdos-com +# valid media descriptor. Then it is maybe disk image or DOS executable +>>>>21 ubyte >0xE4 +# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable +# like: LEARN.COM (Word 1.15) +>>>>>11 uleshort&0x001f !0 +>>>>>>0 use msdos-com # negative offset, must not lead into PSP ->1 short <-259 +# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4) +# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS) +>1 leshort <-259 # that offset must be accessible +# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset >>(1,s+65539) byte x +# after jump next instruction for DEBUGGING! +#>>>&-1 ubelong x \b, NEXT instruction %#8.8x >>>0 use msdos-com -# updated by Joerg Jenderek at Oct 2008,2015 +# updated by Joerg Jenderek at Oct 2008,2015,2022 # following line is too general 0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux @@ -558,35 +1054,78 @@ # syslinux version (4.x) # "COM executable (COM32R)" or "Syslinux COM32 module" by TrID >>>1 lelong 0x21CD4CFe \b, relocatable) -# remaining are DOS COM executables starting with assembler instruction MOV -# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM -# MS-DOS SYS.COM RESTART.COM -# SYSLINUX.COM (version 1.40 - 2.13) -# GFXBOOT.COM (version 3.75) -# COPYBS.COM POWEROFF.COM INT18.COM ->>1 default x COM executable for DOS -!:mime application/x-dosexec -#!:mime application/x-ms-dos-executable -#!:mime application/x-msdos-program -!:ext com - +>>1 default x +# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x) +>>>3 search/118 \xCD +# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) +# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS) +#>>>>&0 ubyte x \b, INTERUPT %#x +# few examples with interrupt 0x13 instruction +>>>>&0 ubyte =0x13 +# FOR DEBUGGING! +#>>>>>3 ubequad x \b, 2nd INSTRUCTION %#16.16llx +# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax +>>>>>3 ubequad !0x8ec0b8c0078ed88d +# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com +# http://bootcd.narod.ru/bcdw150z_en.zip +>>>>>>0 use msdos-com +# few examples with interrupt 0x16 instruction like flashimg.img +>>>>&0 ubyte =0x16 +# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems +# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz +>>>>>8 ubelong !0x3DE4E475 +# no DOS executable with interrupt 0x16 found +>>>>>>0 use msdos-com +# most examples with interrupt instruction unequal 0x13 and 0x16 +>>>>&0 default x +#>>>>>&-1 ubyte x \b, INTERUPT %#x +# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com +>>>>>0 use msdos-com +# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM +# or some EUC-KR text files or one Ulead Imaginfo thumbnail +>>>3 default x +# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM) +# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt) +#>>>>3 ubyte x \b, 2nd INSTRUCTION %#x +# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow) +# inside SAMPLES/TEXTURES/SKY_SNOW +# from https://archive.org/download/PI3CANON/PI3CANON.iso +>>>>3 ubyte !0x0 +# skip some EUC-KR text files like: euckr_falsepositive.txt +# https://bugs.astron.com/view.php?id=186 +>>>>>3 ubyte !0xb1 +# like: RESTART.COM (DOS 7.10) REBOOT.COM +>>>>>>0 use msdos-com + +# URL: https://en.wikipedia.org/wiki/UPX +# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/ +# src/stub/src/i086-dos16.com.S +# Update: Joerg Jenderek +# assembler instructions: cmp sp, offset sp_limit 0 string/b \x81\xfc +#>2 uleshort x \b, sp_limit=%#x +# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy >4 string \x77\x02\xcd\x20\xb9 ->>36 string UPX! FREE-DOS executable (COM), UPX compressed +#>9 uleshort x \b, [bytes_to_copy]=%#x +# at different offsets assembler instructions: push di; jump decomp_start_n2b +>0x1e search/3 \x57\xe9 +#>>&0 uleshort x \b, decomp_start_n2b=%#x +# src/stub/src/include/header.S; UPX_MAGIC_LE32 +>>&2 string UPX! FREE-DOS executable (COM), UPX !:mime application/x-dosexec +# UPX compressed *.CPI; See ./fonts +>>>&21 string =FONT compressed DOS code page font +!:ext cpx +>>>&21 string !FONT compressed !:ext com +# compressed size? +#>>>&14 uleshort+152 x \b, %u bytes +# uncompressed len +>>>&12 uleshort x \b, uncompressed %u bytes 252 string Must\ have\ DOS\ version DR-DOS executable (COM) !:mime application/x-dosexec !:ext com -# added by Joerg Jenderek at Oct 2008 -# GRR search is not working -#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed -34 string UPX! FREE-DOS executable (COM), UPX compressed -!:mime application/x-dosexec -!:ext com -35 string UPX! FREE-DOS executable (COM), UPX compressed -!:mime application/x-dosexec -!:ext com # GRR search is not working #2 search/28 \xcd\x21 COM executable for MS-DOS #WHICHFAT.cOM @@ -616,7 +1155,11 @@ !:mime application/x-dosexec !:ext com #HELP.COm EDIT.coM -18 string \xcd\x21 COM executable for MS-DOS +18 string \xcd\x21 +# not printable before it? +>17 byte >32 +>>17 byte <126 +>>17 default x COM executable for MS-DOS !:mime application/x-dosexec !:ext com #NWRPLTRM.COm @@ -687,7 +1230,7 @@ # reserved; must be zero #>>6 ulelong !0 \b, reserved %u # block pointer to the block containing optional file manager information -#>>0x1C uleshort x \b, at 0x%x info block +#>>0x1C uleshort x \b, at %#x info block # jump to File manager information block >>(0x1C.s*128) uleshort x # test for valid information start; maybe also 0012h @@ -717,7 +1260,7 @@ # number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0 >>0x6A uleshort >0 \b, %u blocks # bit field for corrected text areas -#>>0x6C uleshort x \b, 0x%x bit field +#>>0x6C uleshort x \b, %#x bit field # text of document; some times start with 4 non printable characters like CR LF >>128 ubyte x \b, >>>128 ubyte >0x1F @@ -821,7 +1364,7 @@ >>>>6 uleshort !0x0004 formatting data !:ext fXX # main revision number ->>>>4 uleshort x \b, revision 0x%x +>>>>4 uleshort x \b, revision %#x >>>6 uleshort =0x0004 \b, cell range # active cellcoord range (start row, page,column ; end row, page, column) # start values normally 0~1st sheet A1 @@ -835,9 +1378,9 @@ >>>>12 uleshort x \b%d, >>>>15 ubyte x \b%d # Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??) ->>>>20 ubyte >1 \b, character set 0x%x +>>>>20 ubyte >1 \b, character set %#x # flags ->>>>21 ubyte x \b, flags 0x%x +>>>>21 ubyte x \b, flags %#x >>>6 uleshort !0x0004 # record type (FONTNAME=00AEh) >>>>30 search/29 \0\xAE @@ -855,7 +1398,7 @@ !:strength -1 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h >7 ubyte 0 -# skip Windows cursors with image width 256 and keep Lotus with positiv opcode +# skip Windows cursors with image width 256 and keep Lotus with positive opcode >>6 ubyte >0 Lotus # !:mime application/x-123 !:mime application/vnd.lotus-1-2-3 @@ -911,10 +1454,10 @@ # (version 5.26) labeled the entry as "Lotus 1-2-3" >>>4 default x unknown worksheet or configuration !:ext cnf ->>>>4 uleshort x \b, revision 0x%x +>>>>4 uleshort x \b, revision %#x # 2nd record for most worksheets describes cells range >>>6 use lotus-cells -# 3nd record for most japan worksheets describes cells range +# 3rd record for most japan worksheets describes cells range >>>(8.s+10) use lotus-cells # check and then display Lotus worksheet cells range 0 name lotus-cells @@ -946,15 +1489,82 @@ 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafile .WMF -0 string/b \327\315\306\232 Windows metafile -!:mime image/wmf -!:ext wmf +# URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile +# http://en.wikipedia.org/wiki/Windows_Metafile +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml +# Note: called "Windows Metafile" by TrID and +# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File) +# META_PLACEABLE Record (Aldus Placeable Metafile signature) +0 string/b \327\315\306\232 +# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119 +# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile" +# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h +# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300 +>26 uleshort&0xFDff =0x0100 Windows metafile +# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0 +# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf +>>4 uleshort !0 \b, resource handle %#x +# BoundingBox; the rectangle in the playback context measured in logical units for displaying +# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024) +# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589) +#>>6 ubequad x \b, bounding box %#16.16llx +# Left; x-coordinate of the upper-left corner of the rectangle +>>6 leshort x \b, bounding box (%d +# Top; y-coordinate upper-left corner +>>8 leshort x \b,%d +# Right; x-coordinate lower-right corner +>>10 leshort x / %d +# Bottom; y-coordinate lower-right corner +>>12 leshort x \b,%d) +# Inch; number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540 +>>14 uleshort x \b, dpi %u +# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf +>>16 ulelong !0 \b, reserved %#x +# Checksum; checksum for the previous 10 words +>>20 uleshort x \b, checksum %#x +# META_HEADER Record after META_PLACEABLE Record +>>22 use wmf-head +# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF 0 string/b \002\000\011\000 Windows metafile +>0 use wmf-head +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml +# Note: called "Windows Metafile (old Win 3.x format)" by TrID and +# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119 +# verified by XnView `nconvert -info *.wmf` as Windows metafile +# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9 +0 string/b \001\000\011\000 +# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011) +>18 ulelong >0 Windows metafile +# GRR: in version 5.44 unequal and not endian variant not working! +#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN +#>18 long !0 THIS_SHOULD_NOT_HAPPEN +>>0 use wmf-head +# display information of Windows metafile header (type, size, objects) +0 name wmf-head +# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk +>0 uleshort !0x0001 \b, type %#x +# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes) +>2 uleshort*2 !18 \b, header size %u +# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported +# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf +>4 uleshort =0x0100 \b, DIBs not supported +>4 uleshort =0x0300 +#>4 uleshort =0x0300 \b, DIBs supported +# this should not happen! +>4 default x \b, version +>>4 uleshort x %#x +# Size; the number of WORDs in the entire metafile +>6 ulelong x \b, size %u words +#>6 ulelong*2 x \b, size %u bytes !:mime image/wmf !:ext wmf -0 string/b \001\000\011\000 Windows metafile -!:mime image/wmf -!:ext wmf +# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF +>10 uleshort x \b, %u objects +# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h +>12 ulelong x \b, largest record size %#x +# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf +>16 uleshort !0 \b, %u members #tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file @@ -1037,7 +1647,7 @@ #>3 ubyte x \b, reserved %x #>8 ulelong x \b, image size %d # offset of PNG or DIB image -#>12 ulelong x \b, offset 0x%x +#>12 ulelong x \b, offset %#x # PNG header (\x89PNG) >(12.l) ubelong =0x89504e47 # 1 space char after "with" to get phrase "with PNG image" by magic in ./images @@ -1107,8 +1717,6 @@ 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file -0 lelong 0x4C ->4 lelong 0x00021401 Windows shortcut file # .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 @@ -1144,28 +1752,15 @@ >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s -# DOS EPS Binary File Header -# From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File -!:mime image/x-eps ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d ->>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d - -# TNEF magic From "Joomy" <joomy@se-ed.net> -# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) -0 lelong 0x223e9f78 TNEF -!:mime application/vnd.ms-tnef - # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # https://en.wikipedia.org/wiki/Norton_Guides 0 string NG\0\001 # only value 0x100 found at offset 2 >2 ulelong 0x00000100 Norton Guide +!:mime application/x-norton-guide +# often like NORTON.NG but some times like NC.HLP +!:ext ng/hlp # Title[40] >>8 string >\0 "%-.40s" #>>6 uleshort x \b, MenuCount=%u @@ -1173,6 +1768,66 @@ >>48 string >\0 \b, %-.66s >>114 string >\0 %-.66s +# URL: https://en.wikipedia.org/wiki/Norton_Commander +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml +# From: Joerg Jenderek +# Note: Message file is used by executable with same main name. +# Only tested with version 5.50 (english) and 2.01 (Windows) +0 string Abort +# \0 or i +#>5 ubyte x %x +# skip ASCII Abort text by looking for error message like in NCVIEW.MSG +>6 search/7089 Non-DOS\ disk Norton Commander module message +!:mime application/x-norton-msg +!:ext msg + +# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml +# From: Joerg Jenderek +0 string DOS\ Client\ Message\ File: Novell DOS client message +#!:mime application/octet-stream +#!:mime application/x-novell-msg +!:ext msg +# look for second letter instead space character +>26 ubyte >0x20 +# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr +>>25 ubyte !0x20 %c +>>>26 ubyte !0x20 \b%c +>>>>27 ubyte !0x20 \b%c +>>>>>28 ubyte !0x20 \b%c +>>>>>>29 ubyte !0x20 \b%c +>>>>>>>30 ubyte !0x20 \b%c +>>>>>>>>31 ubyte !0x20 \b%c +>>>>>>>>>32 ubyte !0x20 \b%c +>>>>>>>>>>33 ubyte !0x20 \b%c +>>>>>>>>>>>34 ubyte !0x20 \b%c +>>>>>>>>>>>>35 ubyte !0x20 \b%c +>>>>>>>>>>>>>36 ubyte !0x20 \b%c +# followed by string like: 0 v.10 V1.20 +# +# followed by ,\040Tran +>28 search/14 ,\040Tran +# probably translated version string like: 0 v1.00 +>>&0 string x \b, tran version %s +# followed by Ctrl-J Ctrl-Z +>>>&0 ubyte !0xa \b, terminated by %#2.2x +>>>>&0 ubyte x \b%2.2x +# Ctrl-Z +>0x65 ubyte !0x1A \b, at 0x65 %#x +# one +>0x66 ubyte !0x01 \b, at 0x66 %#x +# URL: https://en.wikipedia.org/wiki/NetWare +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml +# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html +# From: Joerg Jenderek +0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data +#>35 string Version\ 1.00 +#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc. +#>83 string \ \ All\ Rights\ Reserved +#!:mime application/octet-stream +#!:mime application/x-novell-msg +!:ext msg +#!:ext msg/dat # 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of https://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm @@ -1184,6 +1839,8 @@ # HtmlHelp files (.chm) 0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data +!:mime application/vnd.ms-htmlhelp +!:ext chm # GFA-BASIC (Wolfram Kleff) 2 string/b GFA-BASIC3 GFA-BASIC 3 data @@ -1234,7 +1891,7 @@ # member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims >>0x2c search/211/c .swf\0 skin !:ext ims -# member anim.im3 implies IncrediMail animation like in letter_fold.ima +# member anim.im3 implies IncrediMail animation like in letter_fold.ima >>0x2c search/92/c anim.im3\0 animation !:ext ima # other IncrediMail cab archive @@ -1248,6 +1905,12 @@ >0x2c default x # look for 1st member name >>(16.l+16) ubyte x +# From: Joerg Jenderek +# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml +>>>&-1 string PackageInfo.xml \b, Device Metadata Package +!:mime application/vnd.ms-cab-compressed +!:ext devicemetadata-ms # https://en.wikipedia.org/wiki/SNP_file_format >>>&-1 string/c _accrpt_.snp \b, Access report snapshot !:mime application/msaccess @@ -1270,15 +1933,21 @@ !:mime application/vnd.ms-cab-compressed !:ext msu >>>&-1 default x -# look at point charcter of 1st archive member name for file name extension +# look at point character of 1st archive member name for file name extension +# GRR: search range is maybe too large and match point else where like in EN600x64.cab! >>>>&-1 search/255 . # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 # packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB ->>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go +>>>>>&0 string/c ppt\0 +>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go !:mime application/vnd.ms-powerpoint #!:mime application/mspowerpoint !:ext ppz +# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386 +>>>>>>28 uleshort =1 \b, one packed PowerPoint +!:mime application/vnd.ms-cab-compressed +!:ext pp_ # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx # first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack # or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack @@ -1292,6 +1961,13 @@ >>>>>>(16.l+16) string !Panoram 7 or 8 !:ext themepack/deskthemepack >>>>>>(16.l+16) ubyte x Theme Pack +# URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format +# http://fileformats.archiveteam.org/wiki/OneNote +# Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml +# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor Öffnen.onetoc2" +>>>>>&0 string/c one \b, OneNote Package +!:mime application/msonenote +!:ext onepkg >>>>>&0 default x # look for null terminator of 1st member name >>>>>>&0 search/255 \0 @@ -1319,6 +1995,16 @@ >>>>>>>>>30 uleshort !0x0000 \b, single !:mime application/vnd.ms-cab-compressed !:ext cab +# first archive name without point character +>>>>&-1 default x +>>>>>28 uleshort =1 \b, single +!:mime application/vnd.ms-cab-compressed +# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._ +!:ext _ +>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab +!:ext cab # TODO: additional extensions like # .xtp InfoPath Template Part # .lvf Logitech Video Effects Face Accessory @@ -1329,7 +2015,7 @@ #>4 belong !0 \b, reserved1 %x #>12 belong !0 \b, reserved2 %x # offset of the first CFFILE entry coffFiles: minimal 2Ch ->16 ulelong x \b, at 0x%x +>16 ulelong x \b, at %#x >(16.l) use cab-file # at least also 2nd member >28 uleshort >1 @@ -1339,12 +2025,12 @@ >>>>&0 use cab-file #>20 belong !0 \b, reserved %x # Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3 ->24 ubeshort !0x0301 \b version 0x%x +>24 ubeshort !0x0301 \b version %#x # number of CFFOLDER entries >26 uleshort >1 \b, %u cffolders # cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields # only found for flags 0 1 2 3 4 not 7 ->30 uleshort >0 \b, flags 0x%x +>30 uleshort >0 \b, flags %#x # Cabinet files have a 16-bit cabinet setID field that is designed for application use. # default is zero, however, the -i option of cabarc can be used to set this field >32 uleshort >0 \b, ID %u @@ -1395,30 +2081,30 @@ # display folder structure CFFOLDER information like compression of cabinet 0 name cab-folder # offset of the CFDATA block in this folder -#>0 ulelong x \b, coffCabStart 0x%x +#>0 ulelong x \b, coffCabStart %#x # number of CFDATA blocks in folder >4 uleshort x \b, %u datablock # plural s >4 uleshort >1 \bs # compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15 ->6 uleshort x \b, 0x%x compression +>6 uleshort x \b, %#x compression # optional per-folder reserved area -#>8 ubequad x \b, abReserve 0x%llx +#>8 ubequad x \b, abReserve %#llx # display member structure CFFILE information like member name of cabinet 0 name cab-file -# cbFile is uncompressed size of file in bytes +# cbFile is uncompressed size of file in bytes #>0 ulelong x \b, cbFile %u # uoffFolderStart is uncompressed offset of file in folder -#>4 ulelong >0 \b, uoffFolderStart 0x%x +#>4 ulelong >0 \b, uoffFolderStart %#x # iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet # define ifoldCONTINUED_FROM_PREV (0xFFFD) # define ifoldCONTINUED_TO_NEXT (0xFFFE) # define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) ->8 uleshort >0 \b, iFolder 0x%x +>8 uleshort >0 \b, iFolder %#x # date stamp for file -#>10 uleshort x \b, date 0x%x +>10 lemsdosdate x last modified %s # time stamp for file -#>12 uleshort x \b, time 0x%x +>12 lemsdostime x %s # attribs is attribute flags for file # define _A_RDONLY (0x01) file is read-only # define _A_HIDDEN (0x02) file is hidden @@ -1428,7 +2114,7 @@ # define _A_EXEC (0x40) run after extraction # define _A_NAME_IS_UTF (0x80) szName[] contains UTF # define UNKNOWN (0x0100) undocumented or accident -#>14 uleshort x \b, attribs 0x%x +#>14 uleshort x \b, attribs %#x >14 uleshort >0 + >>14 uleshort &0x0001 \bR >>14 uleshort &0x0002 \bH @@ -1471,7 +2157,7 @@ # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data ->>44 ulelong x version 0x%x +>>44 ulelong x version %#x 0 string/b \224\246\056 Microsoft Word Document @@ -1516,7 +2202,8 @@ 0 string Jetsam0 Mallard BASIC Jetsam index data # DOS backup 2.0 to 3.2 - +# URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS) +# Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm # backupid.@@@ # plausibility check for date @@ -1526,6 +2213,7 @@ # actually 121 nul bytes >>>0x7 string \0\0\0\0\0\0\0\0 >>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d +#!:mime application/octet-stream !:ext @@@ >>>>0x0 ubyte 0xff \b, last disk @@ -1548,7 +2236,7 @@ # but sometimes garbage according to Ralf Quint. So can not be used as test #>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 # first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator -# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE +# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE >>>>>5 ubyte&0x8C 0x0C # ./msdos (version 5.30) labeled the entry as # "DOS 2.0 backed up file %s, split file, sequence %d" or @@ -1559,7 +2247,9 @@ >>>>>>>1 uleshort x sequence %d of # full file name with path but without drive letter and colon stored from 0x05 til 0x52 >>>>>>0x5 string x file %s +#!:mime application/octet-stream # backup name is original filename +#!:ext doc/exe/rar/zip #!:ext * # magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' # file: line 1169: Bad magic entry ' *' @@ -1578,3 +2268,37 @@ # NB: The BACKUP.nnn files consist of the files backed up, # concatenated. + +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time +# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime +# Note: DOS date+time format is different from formats such as Unix epoch +# bit encoded; uses year values relative to 1980 and 2 second precision +0 name dos-date +# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2) +#>0 uleshort x RAW TIME [%#4.4x] +# hour part +#>0 uleshort/2048 x hour [%u] +# YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31) +#>2 uleshort x RAW DATE [%#4.4x] +# day part +>2 uleshort&0x001F x %u +#>2 uleshort/16 x MONTH PART [%#x] +# GRR: not working +#>2 uleshort/16 &0x000F MONTH [%u] +#>2 uleshort&0x01E0 x MONTH PART [%#4.4x] +>2 uleshort&0x01E0 =0x0020 jan +>2 uleshort&0x01E0 =0x0040 feb +>2 uleshort&0x01E0 =0x0060 mar +>2 uleshort&0x01E0 =0x0080 apr +>2 uleshort&0x01E0 =0x00A0 may +>2 uleshort&0x01E0 =0x00C0 jun +>2 uleshort&0x01E0 =0x00E0 jul +>2 uleshort&0x01E0 =0x0100 aug +>2 uleshort&0x01E0 =0x0120 sep +>2 uleshort&0x01E0 =0x0140 oct +>2 uleshort&0x01E0 =0x0160 nov +>2 uleshort&0x01E0 =0x0180 dec +# year part +>2 uleshort/512 x 1980+%u +# diff --git a/contrib/file/magic/Magdir/msooxml b/contrib/file/magic/Magdir/msooxml index 620d5e132f04..905017eb9123 100644 --- a/contrib/file/magic/Magdir/msooxml +++ b/contrib/file/magic/Magdir/msooxml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msooxml,v 1.13 2019/11/27 13:12:55 christos Exp $ +# $File: msooxml,v 1.19 2023/03/14 19:46:15 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown <ralf.brown@gmail.com> @@ -15,33 +15,54 @@ 0 name msooxml >0 string word/ Microsoft Word 2007+ !:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document +!:ext docx >0 string ppt/ Microsoft PowerPoint 2007+ !:mime application/vnd.openxmlformats-officedocument.presentationml.presentation +!:ext pptx >0 string xl/ Microsoft Excel 2007+ !:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet -0 string visio/ Microsoft Visio 2013+ +!:ext xlsx +>0 string visio/ Microsoft Visio 2013+ !:mime application/vnd.ms-visio.drawing.main+xml +>0 string AppManifest.xaml Microsoft Silverlight Application +!:mime application/x-silverlight-app # start by checking for ZIP local file header signature 0 string PK\003\004 !:strength +10 # make sure the first file is correct >0x1E use msooxml ->0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps +>0x1E default x +>>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps|customXml # skip to the second local file header # since some documents include a 520-byte extra field following the file # header, we need to scan for the next header ->>(18.l+49) search/6000 PK\003\004 +>>>(18.l+49) search/6000 PK\003\004 # now skip to the *third* local file header; again, we need to scan due to a # 520-byte extra field following the file header ->>>&26 search/6000 PK\003\004 +>>>>&26 search/6000 PK\003\004 # and check the subdirectory name to determine which type of OOXML # file we have. Correct the mimetype with the registered ones: # https://technet.microsoft.com/en-us/library/cc179224.aspx ->>>>&26 use msooxml ->>>>&26 default x +>>>>>&26 use msooxml +>>>>>&26 default x # OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file ->>>>>&26 search/6000 PK\003\004 ->>>>>>&26 use msooxml +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml +# Some OOXML generators add an extra customXml directory. Check another file. +>>>>>>>&26 default x +>>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>>&26 use msooxml +>>>>>>>>>&26 default x Microsoft OOXML +>>>>>>>&26 default x Microsoft OOXML +>>>>>&26 default x Microsoft OOXML +>>0x1E regex \\[trash\\] +>>>&26 search/6000 PK\003\004 +>>>>&26 search/6000 PK\003\004 +>>>>>&26 use msooxml +>>>>>&26 default x +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml +>>>>>>>&26 default x Microsoft OOXML >>>>>>&26 default x Microsoft OOXML >>>>>&26 default x Microsoft OOXML diff --git a/contrib/file/magic/Magdir/msvc b/contrib/file/magic/Magdir/msvc index 8cf5c166d3f1..fbfa4f266f9b 100644 --- a/contrib/file/magic/Magdir/msvc +++ b/contrib/file/magic/Magdir/msvc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msvc,v 1.10 2018/10/01 19:14:03 christos Exp $ +# $File: msvc,v 1.11 2022/01/17 17:17:30 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" <aldomel@ix.netcom.com> # Microsoft visual C @@ -20,9 +20,162 @@ 0 string \377\003\000\377\001\000\060\020\350 MSVC .res #.lib -0 string \360\015\000\000 Microsoft Visual C library -0 string \360\075\000\000 Microsoft Visual C library -0 string \360\175\000\000 Microsoft Visual C library +# URL: https://en.wikipedia.org/wiki/Microsoft_Visual_C%2B%2B +# http://fileformats.archiveteam.org/wiki/Microsoft_Library +# http://fileformats.archiveteam.org/wiki/OMF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-msvc.trid.xml +# https://pierrelib.pagesperso-orange.fr/exec_formats/OMF_v1.1.pdf +# Update: Joerg Jenderek +#0 string \360\015\000\000 Microsoft Visual C library +#0 string \360\075\000\000 Microsoft Visual C library +#0 string \360\175\000\000 Microsoft Visual C library +# test for RecordType~LibraryHeaderRecord=0xF0 + RecordLength=???Dh + dictionary offset is multiple of 0x200 +0 ubelong&0xFF0f80ff =0xF00d0000 +# Microsoft Visual C library (strength=70) before MIDI SysEx messages (strength=50) handled by ./sysex +#!:strength +0 +# test for valid 2nd RecordType~Translator Header Record=THEADR=80h or LHEADR=82h +>(1.s+3) ubyte&0xFD =0x80 +>>0 use omf-lib +# display information about Microsoft Visual C/OMF library +0 name omf-lib +# RecordType~LibraryHeaderRecord=0xF0 +#>0 byte 0xF0 Microsoft Visual C library +# the above description was used in file version 5.41 +>0 byte 0xF0 Microsoft Visual C/OMF library +#>0 byte 0xF0 relocatable Object Module Format (OMF) libray +#!:mime application/octet-stream +!:mime application/x-omf-lib +!:ext lib +# 1st record data length like 13=0Dh 29=1Dh 61=3Dh 125=7Dh 509=01FDh ... 32765=7FFDh +#>1 uleshort x \b, 1st record data length %u +#>1 uleshort x \b, 1st record data length %#x +# 2**4=16 <= RecordLength+3 = PageSize = 2**n {16 32 512 no examples 64 128 256 1024 2048 ...32768} <= 2**15=32768 +>1 uleshort+3 x \b, page size %u +# dictionary offset like: 400h 600h a00h c00h 1200h 1800h 2400h 5600h 12800h 19200h 28a00h +>3 ulelong x \b, at %#x dictionary +# dictionary block a 512 bytes; the first 37 bytes correspond to the 37 buckets +#>(3.l) ubequad x (%#16.16llx...) +# dictionary size; length in 512-byte blocks; a prime number? like: +# 1 2 3 4 5 6 7 9 11 13 15 16 18 21 22 23 24 25 31 50 53 89 101 117 277 +>7 uleshort x with %u block +# plurals s +>7 uleshort >1 \bs +# If dictionary byte 38 (FFLAG) has the value 255, there is no space left +>(3.l+37) ubyte <0xFF (FFLAG=%#x) +>(3.l+37) ubyte =0xFF (FFLAG=full) +# dictionary entry; length byte of following symbol, the following text bytes of symbol, two bytes specifies the page number +# like: dbfntx1! DBFNTX.LIB zlibCompileFlags_ ZLIB.LIB atoi! mwlibc.lib +>(3.l+38) pstring x 1st entry %s +# like: 1 33 41 47 458 8783 +>>&0 uleshort x in page %u +# library flags; 0 or 1, but WHAT IS 0x4d in MOUSE.LIB ? +>9 ubyte >1 \b, flags %#x +>9 ubyte =1 case sensitive +# In the library after header comes first object module with a Library Module Header Record (LHEADR=82h) +# but in examples Translator Header Record (THEADR=80h) which is handled identically +>(1.s+3) ubyte x \b, 2nd record +>(1.s+3) ubyte !0x80 (type %#x) +#>(1.s+4) uleshort x \b, 2nd record data length %u +# Module name often source name like "dos\crt0.asm" in mlibce.lib or "QB4UTIL.ASM" in QB4UTIL.LIB +# or "C:\Documents and Settings\Allan Campbell\My Documents\FDOSBoot\zlib\zutil.c" in ZLIB.LIB +# or title like "87INIT" in FP87.LIB or "ACOSASIN" in MATHC.LIB or "Copyright" in calc-bcc.lib +>(1.s+6) pstring x "%s" +# 2nd record checksum +#>>&0 ubyte x checksum %#x +# 3rd RecordType: 96h~LNAMES 88h~COMENT +>>&1 ubyte x \b, 3rd record +>>&1 ubyte !0x88 +>>>&-1 ubyte !0x96 +# 3rd unusual record type +>>>>&-1 ubyte x (type %#x) +# 3rd record is a List of Names Record (LNAMES=96h) +>>&1 ubyte =0x96 LNAMES +# LNAMES record length like: 2 15 19 +#>>>&0 uleshort x \b, LNAMES record length %u +>>>&0 uleshort >2 +# 1st LNAME string length; null is valid; maximal 255 +#>>>>&0 ubyte x 1st LNAME length %u +>>>>&0 ubyte =0 +# 2nd LNAME length like: 4 7 8 17 31 +#>>>>>&0 ubyte x 2nd LNAME length %u +# name used for segment, class, group, overlay, etc like: +# CODE (mwlibc.lib) _TEXT32 (JMPPM32.LIB) _OVLCODE (WOVL.LIB) +>>>>>&0 pstring x %s +# 3rd LNAME length like: 4 5 +#>>>>>>&0 ubyte x 3rd LNAME length %u +# like: DATA (mwlibc.lib) CODE (JMPPM32.LIB) _TEXT (EMU87.LIB) +>>>>>>&0 pstring x %s +# maybe 4th LNAME length like: 4 6 +>>>>>>>&0 ubyte <44 +# like: DATA (DEBUG.LIB) DGROUP (mwlibc.lib MOUSE.LIB) +>>>>>>>>&-1 pstring x %s +# 3rd record is a COMMENT (Including all comment class extensions) +>>&1 ubyte =0x88 COMMENT +# comment record length like: 3 FLIB7M.LIB 1Bh 1Eh 23h 27h 2Bh 30h freetype-bcc.lib +#>>>&0 uleshort x \b, record length %#x +# real comment length = record length - 1 (comment type) - 1 (comment Class) - 1 (checksum) -1 (char count) +# like: 2 LIBFL.LIB 4 "UUID" 5 "dscap" 6 "int386" 7 "qb4util" 8 "AMSGEXIT" 16 REXX.LIB 20 27 35 44 freetype-bcc.lib +#>>>>&-2 uleshort-4 >0 \b, comment length %u +# check that record contain at least comment type (1 byte), comment class (1 byte), checksum (1 byte) +# probably always true +>>>&0 uleshort >2 +# comment type: 80h~NP~no purge bit 40h~NL~no list bit +#>>>>&0 ubyte !0 Type %#x +>>>>&0 ubyte &0x80 Preserved +# no example +>>>>&0 ubyte &0x40 NoList +# comment class like: 0~Translator A0~OMF extensions A3~LIBMOD A1~New OMF extensions AA~UNKNOWN +>>>>&1 ubyte x class=%#x +# check that comment record contains at least real content +>>>>&-2 uleshort >3 +# Translator comment record (0); it may name the source language or translator +>>>>>&1 ubyte =0 Translator +#>>>>>>&0 ubyte x Translator length %u +# like: "TC86 Borland Turbo C 2.01 " (GEMS.LIB) "TC86 Borland Turbo C++ 3.00" (CATDB.LIB) +>>>>>>&0 pstring x "%s" +# OMF extensions comment record (A0); first byte of commentary string identifies subtype +>>>>>&1 ubyte =0xA0 OMF extensions +# A0 subtype like: 1~IMPDEF +>>>>>>&0 ubyte !1 subtype %#x +# Import Definition Record (Comment Class A0, Subtype 01~IMPDEF) +>>>>>>&0 ubyte 1 IMPDEF +# ordinal flag; determines form of Entry Ident field. If nonzero (seems to be 1) Entry is ordinal +>>>>>>>&0 ubyte !0 ordinal +# like: IMPORT.LIB DOSCALLS.LIB mlibw.lib mwinlibc.lib REXX.LIB +>>>>>>>>&-1 ubyte >1 %u +# Internal Name in count, char string format; module name for the imported symbol +# like: 7 "REXXSAA" 9 11 13 14 15 16 20 21 26 "_Z10_clip_linePdS_S_S_dddd" +#>>>>>>>&1 ubyte x internal name length %u +# internal module name like: _DllGetVersion DllGetVersion BezierTerminationTest Copyright +>>>>>>>&1 pstring x %s +# module name in count, char string format; DLL name that supplies a matching export symbol +# like: jpeg62.dll (jpeg-bcc.lib) unrar3.dll (unrar-bcc.lib) REXX (REXX.LIB) +>>>>>>>>&0 pstring x exported by %s +# Entry Ident; 16-bit if ordinal flag != 0 or imported name in count, char string format if ordinal flag = 0 +# like: \0 (calc-bcc.lib) DllGetVersion (libtiff-bcc.lib) UTF8ToHtml (libxml2-bcc.lib) xslAddCall (libxslt-bcc.lib) +#>>>>>>>>>&0 pstring >\0 entry ident %s +# "New OMF" extensions comment (A1); indicate version of symbolic debug information +# like: LIBFL.LIB +>>>>>&1 ubyte =0xA1 New OMF extensions +# symbolic debug information version n +>>>>>>&0 ubyte x n=%u +# symbolic debug information style like: HL~IBM PM Debugger style (LIBFL.LIB) DX~AIX style CV~Microsoft symbol and type style +>>>>>>>&0 string HL IBM style +>>>>>>>&0 string DX AIX style +>>>>>>>&0 string CV Microsoft style +# LIBMOD comment record (A3) used only by the librarian +# Microsoft extension added for LIB version 3.07 in macro assembler (MASM 5.0) +>>>>>&1 ubyte =0xA3 LIBMOD +# The A3 LIBMOD record contains only the ASCII string of the module name in count char format +#>>>>>>&0 ubyte x LIBMOD length %u +# LIBMOD comment record module name without path and extension like: +# qb4util (QB4UTIL.LIB) affaldiv (libh.lib) crt0 (slibc.lib) clipper (DDDRAWS.LIB) dinpdev (DINPUTS.LIB) UUID (UUID.LIB) +>>>>>>&0 pstring x %s +# GRR: WHAT iS THAT? AA foo comment record +#>>>>>&1 ubyte =0xAA AA-comment +# like: OS220 +#>>>>>>&0 string x what=%-5.5s +# #.pch 0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch diff --git a/contrib/file/magic/Magdir/msx b/contrib/file/magic/Magdir/msx index 69df6416fe7c..60e16569e24f 100644 --- a/contrib/file/magic/Magdir/msx +++ b/contrib/file/magic/Magdir/msx @@ -138,8 +138,8 @@ >>>>>>>>>>>>>>>0x002D ubyte 2 \b, version=MSX2+ >>>>>>>>>>>>>>>0x002D ubyte 3 \b, version=MSX Turbo-R >>>>>>>>>>>>>>>0x002D ubyte >3 \b, version=Unknown MSX %d version ->>>>>>>>>>>>>>>0x0006 ubyte x \b, VDP.DR=0x%2x ->>>>>>>>>>>>>>>0x0007 ubyte x \b, VDP.DW=0x%2x +>>>>>>>>>>>>>>>0x0006 ubyte x \b, VDP.DR=%#2x +>>>>>>>>>>>>>>>0x0007 ubyte x \b, VDP.DW=%#2x >>>>>>>>>>>>>>>0x002B ubyte&0xF 0 \b, charset=Japanese >>>>>>>>>>>>>>>0x002B ubyte&0xF 1 \b, charset=International >>>>>>>>>>>>>>>0x002B ubyte&0xF 2 \b, charset=Korean @@ -188,32 +188,32 @@ # MSX extension ROMs 0 string/b AB >2 uleshort 0x0010 MSX ROM ->>2 uleshort x \b, init=0x%4x ->>4 uleshort >0 \b, stahdl=0x%4x ->>6 uleshort >0 \b, devhdl=0x%4x ->>8 uleshort >0 \b, bas=0x%4x +>>2 uleshort x \b, init=%#4x +>>4 uleshort >0 \b, stahdl=%#4x +>>6 uleshort >0 \b, devhdl=%#4x +>>8 uleshort >0 \b, bas=%#4x >2 uleshort 0x4010 MSX ROM ->>2 uleshort x \b, init=0x%04x ->>4 uleshort >0 \b, stahdl=0x%04x ->>6 uleshort >0 \b, devhdl=0x%04x ->>8 uleshort >0 \b, bas=0x%04x +>>2 uleshort x \b, init=%#04x +>>4 uleshort >0 \b, stahdl=%#04x +>>6 uleshort >0 \b, devhdl=%#04x +>>8 uleshort >0 \b, bas=%#04x >2 uleshort 0x8010 MSX ROM ->>2 uleshort x \b, init=0x%04x ->>4 uleshort >0 \b, stahdl=0x%04x ->>6 uleshort >0 \b, devhdl=0x%04x ->>8 uleshort >0 \b, bas=0x%04x +>>2 uleshort x \b, init=%#04x +>>4 uleshort >0 \b, stahdl=%#04x +>>6 uleshort >0 \b, devhdl=%#04x +>>8 uleshort >0 \b, bas=%#04x 0 string/b AB\0\0 >6 uleshort 0 >>4 uleshort >0x400F MSX-BASIC extension ROM ->>>4 uleshort >0 \b, stahdl=0x%04x ->>>6 uleshort >0 \b, devhdl=0x%04x +>>>4 uleshort >0 \b, stahdl=%#04x +>>>6 uleshort >0 \b, devhdl=%#04x >>>0x1C string OPLL \b, MSX-Music >>>>0x18 string PAC2 \b (external) >>>>0x18 string APRL \b (internal) 0 string/b AB\0\0\0\0 >6 uleshort >0x400F MSX device BIOS ->>6 uleshort >0 \b, devhdl=0x%04x +>>6 uleshort >0 \b, devhdl=%#04x 0 string/b AB @@ -233,38 +233,38 @@ >>>>>>0x12 ubyte x \b%d >>>>>>0x13 ubyte/16 x \b%d >>>>>>0x13 ubyte&0xF x \b%d ->>>>>2 uleshort x \b, init=0x%04x ->>>>>4 uleshort >0 \b, stahdl=0x%04x ->>>>>6 uleshort >0 \b, devhdl=0x%04x ->>>>>8 uleshort >0 \b, bas=0x%04x +>>>>>2 uleshort x \b, init=%#04x +>>>>>4 uleshort >0 \b, stahdl=%#04x +>>>>>6 uleshort >0 \b, devhdl=%#04x +>>>>>8 uleshort >0 \b, bas=%#04x >>>2 uleshort 0 >>>>4 uleshort 0 >>>>>6 uleshort 0 ->>>>>>8 uleshort >0 MSX BASIC program in ROM, bas=0x%04x +>>>>>>8 uleshort >0 MSX BASIC program in ROM, bas=%#04x 0x4000 string/b AB >0x4002 uleshort >0x400F >>0x400A string \0\0\0\0\0\0 MSX ROM with nonstandard page order ->>>0x4002 uleshort x \b, init=0x%04x ->>>0x4004 uleshort >0 \b, stahdl=0x%04x ->>>0x4006 uleshort >0 \b, devhdl=0x%04x ->>>0x4008 uleshort >0 \b, bas=0x%04x +>>>0x4002 uleshort x \b, init=%#04x +>>>0x4004 uleshort >0 \b, stahdl=%#04x +>>>0x4006 uleshort >0 \b, devhdl=%#04x +>>>0x4008 uleshort >0 \b, bas=%#04x 0x8000 string/b AB >0x8002 uleshort >0x400F >>0x800A string \0\0\0\0\0\0 MSX ROM with nonstandard page order ->>>0x8002 uleshort x \b, init=0x%04x ->>>0x8004 uleshort >0 \b, stahdl=0x%04x ->>>0x8006 uleshort >0 \b, devhdl=0x%04x ->>>0x8008 uleshort >0 \b, bas=0x%04x +>>>0x8002 uleshort x \b, init=%#04x +>>>0x8004 uleshort >0 \b, stahdl=%#04x +>>>0x8006 uleshort >0 \b, devhdl=%#04x +>>>0x8008 uleshort >0 \b, bas=%#04x 0x3C000 string/b AB >0x3C008 string \0\0\0\0\0\0\0\0 MSX MegaROM with nonstandard page order ->>0x3C002 uleshort x \b, init=0x%04x ->>0x3C004 uleshort >0 \b, stahdl=0x%04x ->>0x3C006 uleshort >0 \b, devhdl=0x%04x ->>0x3C008 uleshort >0 \b, bas=0x%04x +>>0x3C002 uleshort x \b, init=%#04x +>>0x3C004 uleshort >0 \b, stahdl=%#04x +>>0x3C006 uleshort >0 \b, devhdl=%#04x +>>0x3C008 uleshort >0 \b, bas=%#04x # MSX BIN file #0 byte 0xFE diff --git a/contrib/file/magic/Magdir/neko b/contrib/file/magic/Magdir/neko deleted file mode 100644 index 6bedc22a5a38..000000000000 --- a/contrib/file/magic/Magdir/neko +++ /dev/null @@ -1,12 +0,0 @@ - -#------------------------------------------------------------ -# $File: neko,v 1.2 2019/04/19 00:42:27 christos Exp $ - -# From: Mikhail Gusarov <dottedmag@dottedmag.net> -# NekoVM (https://nekovm.org/) bytecode -0 string NEKO NekoVM bytecode ->4 lelong x (%d global symbols, ->8 lelong x %d global fields, ->12 lelong x %d bytecode ops) -!:mime application/x-nekovm-bytecode - diff --git a/contrib/file/magic/Magdir/netware b/contrib/file/magic/Magdir/netware index c3f57e83819a..089a243644df 100644 --- a/contrib/file/magic/Magdir/netware +++ b/contrib/file/magic/Magdir/netware @@ -1,7 +1,11 @@ #------------------------------------------------------------------------------ -# $File: netware,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: netware,v 1.5 2020/09/04 16:30:51 christos Exp $ # netware: file(1) magic for NetWare Loadable Modules (NLMs) # From: Mads Martin Joergensen <mmj@suse.de> +# URL: https://en.wikipedia.org/wiki/NetWare_Loadable_Module 0 string NetWare\ Loadable\ Module NetWare Loadable Module +#!:mime application/octet-stream +!:ext nlm + diff --git a/contrib/file/magic/Magdir/nifty b/contrib/file/magic/Magdir/nifty new file mode 100644 index 000000000000..151d869872d4 --- /dev/null +++ b/contrib/file/magic/Magdir/nifty @@ -0,0 +1,202 @@ + +#------------------------------------------------------------------------------ +# $File: nifty,v 1.1 2022/02/14 16:51:15 christos Exp $ +# file(1) magic for the NIfTI file format + +# Type: NIfTI, Neuroimaging file format +# URL: https://nifti.nimh.nih.gov/ +# From: Yann Leprince <yann.leprince@cea.fr>, 2022 + +344 string n+1\0 NIfTI-1 neuroimaging data, +!:mime image/x.nifti +!:ext nii +>0 use nifti1 +344 string ni1\0 NIfTI-1 neuroimaging data header, +!:mime image/x.nifti +!:ext hdr +>0 use nifti1 + +4 string n+2\0\r\n\032\n NIfTI-2 neuroimaging data, +!:mime image/x.nifti +!:ext nii +>0 use nifti2 +4 string ni2\0\r\n\032\n NIfTI-2 neuroimaging data header, +!:mime image/x.nifti +!:ext hdr +>0 use nifti2 + +# Main subroutine for NIfTI-1 +0 name nifti1 +>0 clear x +>0 lelong =348 little endian +>>70 use nifti-datatype-le +>>112 lefloat !0 with scaling +>>0 use nifti1-dim-le +>>252 leshort >0 \b, with qform +>>>252 use xform-code-nifti1-le +>>254 leshort >0 \b, with sform +>>>254 use xform-code-nifti1-le +>>136 string >\0 \b, description: %s +>0 belong =348 big endian +>>70 use \^nifti-datatype-le +>>112 befloat !0 with scaling +>>0 use \^nifti1-dim-le +>>252 beshort >0 \b, with qform +>>>252 use \^xform-code-nifti1-le +>>254 beshort >0 \b, with sform +>>>254 use \^xform-code-nifti1-le +>>136 string >\0 \b, description: %s +>0 default x +>>0 long x invalid sizeof_hdr=%d + +# Main subroutine for NIfTI-2 +0 name nifti2 +>0 clear x +>0 lelong =540 little endian +>>12 use nifti-datatype-le +>>176 lefloat !0 with scaling +>>0 use nifti2-dim-le +>>344 lelong >0 \b, with qform +>>>344 use xform-code-nifti2-le +>>348 lelong >0 \b, with sform +>>>348 use xform-code-nifti2-le +>>240 string >\0 \b, description: %s +>0 belong =540 big endian +>>12 use \^nifti-datatype-le +>>176 befloat !0 with scaling +>>0 use \^nifti2-dim-le +>>344 lelong >0 \b, with qform +>>>344 use \^xform-code-nifti2-le +>>348 lelong >0 \b, with sform +>>>348 use \^xform-code-nifti2-le +>>240 string >\0 \b, description: %s +>0 default x +>>0 long x invalid sizeof_hdr=%d + + +# Other subroutines for details of NIfTI files + +0 name nifti-datatype-le +>0 clear x +>0 leshort =1 \b, binary datatype +>0 leshort =2 \b, uint8 datatype +>0 leshort =4 \b, int16 datatype +>0 leshort =8 \b, int32 datatype +>0 leshort =16 \b, float32 datatype +>0 leshort =32 \b, complex64 datatype +>0 leshort =64 \b, float64 datatype +>0 leshort =128 \b, RGB24 datatype +>0 leshort =256 \b, int8 datatype +>0 leshort =512 \b, uint16 datatype +>0 leshort =768 \b, uint32 datatype +>0 leshort =1024 \b, int64 datatype +>0 leshort =1280 \b, uint64 datatype +>0 leshort =1536 \b, float128 datatype +>0 leshort =1792 \b, complex128 datatype +>0 leshort =2048 \b, complex256 datatype +>0 leshort =2304 \b, RGBA32 datatype +>0 default x +>>0 leshort x \b, unknown datatype 0x%x +>>2 leshort x (%d bits/pixel) + +0 name nifti1-dim-le +>0 clear x +>40 leshort <0 \b, INVALID dim[0]=%d +>40 leshort >7 \b, INVALID dim[0]=%d +>0 default x +>>40 leshort x \b, %d-dimensional (size +>>42 leshort x %d +>>40 leshort >1 +>>>44 leshort x \bx%d +>>40 leshort >2 +>>>46 leshort x \bx%d +>>40 leshort >3 +>>>48 leshort x \bx%d +>>40 leshort >4 +>>>50 leshort x \bx%d +>>40 leshort >5 +>>>52 leshort x \bx%d +>>40 leshort >6 +>>>54 leshort x \bx%d +>>80 lefloat x \b, voxel size %f +>>40 leshort >1 +>>>84 lefloat x x %f +>>40 leshort >2 +>>>88 lefloat x x %f +>>123 use nifti1-xyz-unit +>>40 leshort >3 +>>>92 lefloat x x %f +>>>123 use nifti1-t-unit +>>40 leshort x \b) + +0 name nifti2-dim-le +>0 clear x +>16 lequad <0 \b, INVALID dim[0]=%lld +>16 lequad >7 \b, INVALID dim[0]=%lld +>0 default x +>>16 lequad x \b, %lld-dimensional (size +>>24 lequad x %lld +>>16 lequad >1 +>>>32 lequad x \bx%lld +>>16 lequad >2 +>>>40 lequad x \bx%lld +>>16 lequad >3 +>>>48 lequad x \bx%lld +>>16 lequad >4 +>>>56 lequad x \bx%lld +>>16 lequad >5 +>>>64 lequad x \bx%lld +>>16 lequad >6 +>>>72 lequad x \bx%lld, +>>112 ledouble x \b, voxel size %f +>>16 lequad >1 +>>>120 ledouble x x %f +>>16 lequad >2 +>>>128 ledouble x x %f +>>500 use nifti2-xyz-unit +>>16 lequad >3 +>>>136 ledouble x x %f +>>>500 use nifti2-t-unit +>>16 lequad x \b) + +0 name xform-code-nifti1-le +>0 leshort =1 to scanner-based coordinates +>0 leshort =2 to aligned coordinates +>0 leshort =3 to Talairach coordinates +>0 leshort =4 to MNI152 coordinates +>0 leshort =5 to template coordinates + +0 name xform-code-nifti2-le +>0 lelong =1 to scanner-based coordinates +>0 lelong =2 to aligned coordinates +>0 lelong =3 to Talairach coordinates +>0 lelong =4 to MNI152 coordinates +>0 lelong =5 to template coordinates + +0 name nifti1-xyz-unit +>0 byte &0x01 +>>0 byte ^0x02 m +>>0 byte &0x02 micron +>0 byte ^0x01 +>>0 byte &0x02 mm + +0 name nifti1-t-unit +>0 byte &0x08 +>>0 byte ^0x10 s +>>0 byte &0x10 ms +>0 byte ^0x08 +>>0 byte &0x10 microsecond + +0 name nifti2-xyz-unit +>0 lelong &0x01 +>>0 lelong ^0x02 m +>>0 lelong &0x02 micron +>0 lelong ^0x01 +>>0 lelong &0x02 mm + +0 name nifti2-t-unit +>0 lelong &0x08 +>>0 lelong ^0x10 s +>>0 lelong &0x10 ms +>0 lelong ^0x08 +>>0 lelong &0x10 microsecond diff --git a/contrib/file/magic/Magdir/nim-lang b/contrib/file/magic/Magdir/nim-lang new file mode 100644 index 000000000000..bc2cf987c7d3 --- /dev/null +++ b/contrib/file/magic/Magdir/nim-lang @@ -0,0 +1,29 @@ + +#------------------------------------------------------------------------------ +# $File: nim-lang,v 1.3 2021/07/06 12:34:06 christos Exp $ +# nim-lang: file(1) magic for nim +# URL: https://nim-lang.org/ + +0 search/8192 import +>&0 search/64 os +>>&0 use nim1 +>&0 default x +>>&0 search/64 osproc +>>>&0 use nim1 +>>&0 default x +>>>&0 search/64 strutils +>>>>&0 use nim1 + +0 name nim1 +>&0 search/8192 proc +>>&0 use nim2 +>&0 default x +>>&0 search/8192 template +>>>&0 use nim2 +>>&0 default x +>>>&0 search/8192 let +>>>>&0 use nim2 + +0 name nim2 +>&0 search/8192 when Nim source code +!:ext nim diff --git a/contrib/file/magic/Magdir/ole2compounddocs b/contrib/file/magic/Magdir/ole2compounddocs index 7b16a5fa8aea..2c451a9ab578 100644 --- a/contrib/file/magic/Magdir/ole2compounddocs +++ b/contrib/file/magic/Magdir/ole2compounddocs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ole2compounddocs,v 1.8 2020/03/28 23:10:30 christos Exp $ +# $File: ole2compounddocs,v 1.26 2023/05/15 16:46:12 christos Exp $ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) # Additional tests for OLE 2 Compound Documents should be under this recipe. @@ -10,7 +10,7 @@ # https://digital-preservation.github.io/droid/ # skip droid skeleton like fmt-39-signature-id-128.doc by valid version >0x1A ushort !0xABAB OLE 2 Compound Document -#>0x1C uleshort x \b, endnian 0x%4.4x +#>0x1C uleshort x \b, endnian %#4.4x # big endian not tested >>0x1C ubeshort =0xfffe \b, big-endian >>>546 string jbjb : Microsoft Word Document @@ -26,25 +26,25 @@ # Minor Version 32h=50 3Bh=59 3Eh=62 >>>0x18 uleshort x \b.%u # SecID of first sector of the directory stream is often 1 but high like 3144h ->>>48 ulelong x \b, SecID 0x%x +>>>48 ulelong x \b, SecID %#x # Sector Shift Exponent in short-stream container stream: 6~64 bytes >>>32 uleshort !6 \b, exponent of short stream %u # total number of sectors used for the FAT >>>44 ulelong >1 \b, %u FAT sectors # SecID of first sector of the short-sector allocation table (Mini FAT) # or -2 (End Of ChainSecID) if not extant ->>>60 ulelong !0xffFFffFE \b, Mini FAT start sector 0x%x +>>>60 ulelong !0xffFFffFE \b, Mini FAT start sector %#x # total number of sectors used for the short-sector allocation table >>>64 ulelong !1 \b, %u Mini FAT sector # plural s >>>>64 ulelong >1 \bs # SecID of first sector of the master sector allocation table (DIFAT) # or -2 (End Of Chain SecID) if no additional sectors used ->>>68 ulelong !0xffFFffFE \b, DIFAT start sector 0x%x +>>>68 ulelong !0xffFFffFE \b, DIFAT start sector %#x # total number of sectors used for the master sector allocation table (DIFAT) >>>72 ulelong >0 \b, %u DIFAT sectors # First part of the master sector allocation table (DIFAT) containing 109 SecIDs -#>>>76 ubequad x \b, DIFAT=0x%16.16llx +#>>>76 ubequad x \b, DIFAT=%#16.16llx #>>>84 ubequad x \b%16.16llx... # pointer to root entry only works with standard configuration for SecID ~< 800h # Red-Carpet-presentation-1.0-1.sdd sg10.sdv 2000_GA_Annual_Review_Data.xls @@ -72,6 +72,7 @@ #>67 ubyte x \b, color %x # the DirIDs of the child nodes. Should both be -1 in the root storage entry #>68 bequad !0xffffffffffffffff \b, DirIDs %llx +# NEXT lines for DEBUGGING # second directory entry name like VisioDocument Control000 #>128 lestring16 x \b, 2nd %.20s # third directory entry like WordDocument @@ -87,8 +88,8 @@ # https://wikileaks.org/ciav7p1/cms/page_13762814.html # https://m.blog.naver.com/superman4u/40047693679 # https://misc.daniel-marschall.de/projects/guid_analysis/guid.txt -# http://www.windowstricks.in/online-windows-guid-converter -#>80 ubequad !0 \b, clsid 0x%16.16llx +# https://toolslick.com/conversion/data/guid +#>80 ubequad !0 \b, clsid %#16.16llx #>>88 ubequad x \b%16.16llx # test for "Root Entry" inside directory by type 5 value >66 ubyte 5 @@ -200,6 +201,34 @@ !:mime application/x-ms-info !:ext nfo # +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml +# Note: older versions til 13 about middle 2021 handled by ./windows +# called "Sysinternals Autoruns data (v14)" by TrID +# second, third and fourth directory entry name like Header Items 0 +>>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data, version 14 +#!:mime application/x-ole-storage +!:mime application/x-ms-arn +# like: MyHOSTNAME.arn +!:ext arn +# +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Access +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml +# http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: only version foo tested and called "Microsoft Access Wizard template" by TrID +# Fourth directory entry name TemplateID +>>>>384 lestring16 TemplateID : Microsoft Access wizard template +# Second directory entry name like \005SummaryInformation and 3rd name like \005DocumentSummaryInformation +#!:mime application/x-ole-storage +#!:mime application/vnd.ms-office +#!:mime application/vnd.ms-access +#!:mime application/msaccess +!:mime application/x-ms-mdz +# http://extension.nirsoft.net/mdz +!:ext mdz +# # URL: http://fileformats.archiveteam.org/wiki/Corel_Print_House # Second directory entry name Thumbnail >>>>128 lestring16 Thumbnail : Corel PrintHouse image @@ -210,11 +239,34 @@ >>>>256 lestring16 Thumbnail : Corel PrintHouse image !:mime application/x-corel-cph !:ext cph +# URL: http://fileformats.archiveteam.org/wiki/Corel_Gallery +# Note: format since Gallery 2; sometimes called Corel Multimedia Manager Album +# third directory entry name _INFO_ +>>>>256 lestring16 _INFO_ : Corel Gallery +# second directory entry name _ITEM_ or _DATA_ +# later directory entry names: _ALBUM_ _THUMBNAIL_ +#!:mime application/x-ole-storage +!:mime application/x-corel-gal +!:ext gal +# +# From: Joerg Jenderek +# URL: https://archive.org/details/iPhoto-Plus-4 +# https://filext.com/file-extension/TPL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tpl-ulead.trid.xml +# Note: found in Template sub directory in program directory of software iPhoto Plus version 4 +# second, third and fourth directory entry name like TplHeader TplMainImage TplPreview +>>>>128 lestring16 TplHeader : Ulead iPhoto Template +#!:mime application/x-ole-storage +!:mime image/x-ulead-tpl +# https://www.file-extensions.org/tpl-file-extension-ulead-photo-express-template +!:ext tpl # # URL: https://en.wikipedia.org/wiki/Hangul_(word_processor) +# https://www.hancom.com/etc/hwpDownload.do # Note: "HWP Document File" signature found in FileHeader +# Hangul Word Processor WORDIAN, 2002 and later is using HWP 5.0 format. # Second directory entry name FileHeader hint for Thinkfree Office document ->>>>128 lestring16 FileHeader : Hangul (Korean) 5.0 Word Processor File +>>>>128 lestring16 FileHeader : Hancom HWP (Hangul Word Processor) file, version 5.0 #!:mime application/haansofthwp !:mime application/x-hwp # https://example-files.online-convert.com/document/hwp/example.hwp @@ -231,7 +283,7 @@ >>>>128 lestring16 Current\ User : SoftMaker # third directory entry name SMNativeObjData >>>>>256 lestring16 SMNativeObjData -# 5th directory entry nane PowerPoint +# 5th directory entry name PowerPoint >>>>>>512 lestring16 PowerPoint PowerPoint presentation or template !:mime application/vnd.ms-powerpoint !:ext ppt/pps/pot @@ -249,54 +301,112 @@ !:ext prd/prv # 2nd directory entry name Pictures >>>>>>128 lestring16 Pictures with pictures +# +# URL: http://fileformats.archiveteam.org/wiki/PageMaker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p +# pagemaker-generic.trid.xml +# pagemaker-pm6.trid.xml +# pagemaker-pm65.trid.xml +# pmd-pm7.trid.xml +# From: Joerg Jenderek +# Note: since version 6 embedd as stream with PageMaker name the "old" format handled by ./wordprocessors +# verified by Michal Mutl Structured Storage Viewer `SSView.exe brochus.pt6` +# Second directory entry name PageMaker +>>>>128 lestring16 PageMaker : +# look for magic of "old" PageMaker like in 02TEMPLT.T65 +>>>>>0 search/0xa900/s \0\0\0\0\0\0\xff\x99 +# GRR: jump to PageMaker stream and inspect it by sub routine PageMaker of ./wordprocessors failed with wrong version! +#>>>>>>&0 use PageMaker +# THIS WORKS PARTLY! +>>>>>>&0 indirect x # remaining null clsid ->>>>128 default x : UNKNOWN -!:mime application/x-ole-storage +>>>>128 default x +>>>>>0 use ole2-unknown +# look for CLSID where "second" part is 0 +>>>80 ubequad !0x0 +# +# Summary: Family Tree Maker +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Family_Tree_Maker +# https://en.wikipedia.org/wiki/Family_Tree_Maker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftw.trid.xml +# Note called "Family Tree Maker Family Tree" by TrID and +# "FamilyTree Maker Database" with version "1-4" by DROID via PUID fmt/1352 +# tested only with version 2.0 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe my.ftw` +# newer versions are SQLite based and handled by ./sql +# directory names like: IND.DB AUX.DB GENERAL.DB NAME.NDX BIRTH.NDX EXTRA.DB +>>>>80 ubequad 0x5702000000000000 : Family Tree Maker Windows database, version 1-4 +# look for "File Format (C) Copyright 1993 Banner Blue Software Inc. - All Rights Reserved" in GENERAL.DB +#>>>>>0 search/0x5460c/s F\0i\0l\0e\0\040\0F\0o\0r\0m\0a\0t\0\040\0(\0C\0)\0 \b, VERSION +# GRR: jump to version value like 2 does not work! +#>>>>>>&-8 ubyte x %u +#!:mime application/x-ole-storage +!:mime application/x-fmt +# FBK is used for backup of FTW +!:ext ftw/fbk +# +>>>>80 default x +>>>>>0 use ole2-unknown # look for known clsid GUID # - Visio documents # URL: http://fileformats.archiveteam.org/wiki/Visio # Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek ->>88 ubequad 0xc000000000000046 : Microsoft ->>>80 ubequad 0x131a020000000000 Visio 2000-2002 Document, stencil or template +>>88 ubequad 0xc000000000000046 +>>>80 ubequad 0x131a020000000000 : Microsoft Visio 2000-2002 Document, stencil or template !:mime application/vnd.visio # VSD~Drawing VSS~Stencil VST~Template !:ext vsd/vss/vst ->>>80 ubequad 0x141a020000000000 Visio 2003-2010 Document, stencil or template +>>>80 ubequad 0x141a020000000000 : Microsoft Visio 2003-2010 Document, stencil or template !:mime application/vnd.visio !:ext vsd/vss/vst # # URL: http://fileformats.archiveteam.org/wiki/Windows_Installer ->>>80 ubequad 0x84100c0000000000 Windows Installer Package +# https://en.wikipedia.org/wiki/Windows_Installer#ICE_validation +# Update: Joerg Jenderek +# Windows Installer Package *.MSI or validation module *.CUB +>>>80 ubequad 0x84100c0000000000 : Microsoft Windows Installer Package or validation module !:mime application/x-msi #!:mime application/x-ms-win-installer -!:ext msi ->>>80 ubequad 0x86100c0000000000 Windows Installer Patch +# https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices +# cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub +#!:mime application/x-ms-cub +!:ext msi/cub +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Windows_Installer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml +# called "Windows SDK Setup Transform script" by TrID +>>>80 ubequad 0x82100c0000000000 : Microsoft Windows Installer transform script +#!:mime application/x-ole-storage +!:mime application/x-ms-mst +!:ext mst +>>>80 ubequad 0x86100c0000000000 : Microsoft Windows Installer Patch # ?? !:mime application/x-wine-extension-msp #!:mime application/x-ms-msp !:ext msp # # URL: http://fileformats.archiveteam.org/wiki/DOC ->>>80 ubequad 0x0009020000000000 Word 6-95 document or template +>>>80 ubequad 0x0009020000000000 : Microsoft Word 6-95 document or template !:mime application/msword # for template MSWDW8TN !:apple MSWDWDBN !:ext doc/dot ->>>80 ubequad 0x0609020000000000 Word 97-2003 document or template +>>>80 ubequad 0x0609020000000000 : Microsoft Word 97-2003 document or template !:mime application/msword !:apple MSWDWDBN # dot for template; no extension on Macintosh !:ext doc/dot/ # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor ->>>80 ubequad 0x0213020000000000 Works 3-4 document or template +>>>80 ubequad 0x0213020000000000 : Microsoft Works 3-4 document or template !:mime application/vnd.ms-works !:apple ????AWWP # ps for template https://filext.com/file-extension/PS bps for backup !:ext wps/ps/bps # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database ->>>80 ubequad 0x0313020000000000 Works 3-4 database or template +>>>80 ubequad 0x0313020000000000 : Microsoft Works 3-4 database or template !:mime application/vnd.ms-works-db # https://www.macdisk.com/macsigen.php !:apple ????AWDB @@ -304,18 +414,18 @@ !:ext wdb/db/bdb # # URL: https://en.wikipedia.org/wiki/Microsoft_Excel ->>>80 ubequad 0x1008020000000000 Excel 5-95 worksheet, addin or template +>>>80 ubequad 0x1008020000000000 : Microsoft Excel 5-95 worksheet, addin or template !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php !:apple ????XLS5 # worksheet/addin/template/no extension on Macintosh !:ext xls/xla/xlt/ # ->>>80 ubequad 0x2008020000000000 Excel 97-2003 +>>>80 ubequad 0x2008020000000000 : Microsoft Excel 97-2003 !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php XLS5 for Excel 5 !:apple ????XLS9 -# 3nd directory entry name +# 3rd directory entry name >>>>256 lestring16 _VBA_PROJECT_CUR addin !:ext xla/ # 4th directory entry name @@ -327,23 +437,36 @@ #!:ext xls/xlt/ # # URL: http://fileformats.archiveteam.org/wiki/OLE2 ->>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 item -#>>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 Message +>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 item +#>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 Message #!:mime application/vnd.ms-outlook !:mime application/x-ms-msg !:ext msg # URL: https://wiki.fileformat.com/email/oft/ ->>>80 ubequad 0x46f0060000000000 Outlook 97-2003 item template +>>>80 ubequad 0x46f0060000000000 : Microsoft Outlook 97-2003 item template #!:mime application/vnd.ms-outlook !:mime application/x-ms-oft !:ext oft # # URL: http://fileformats.archiveteam.org/wiki/PPT ->>>80 ubequad 0x5148040000000000 PowerPoint 4.0 presentation +>>>80 ubequad 0x5148040000000000 : Microsoft PowerPoint 4.0 presentation !:mime application/vnd.ms-powerpoint # https://www.macdisk.com/macsigen.php !:apple ????PPT3 !:ext ppt +# Summary: "newer" Greenstreet Art drawing +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GST_ART +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/art-gst-docfile.trid.xml +# Note: called like "Greenstreet Art drawing" by TrID +# Note: CONTENT stream contains binary part of older versions with phrase GST:ART at offset 16 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe BCARD2.ART` +>>>80 ubequad 0x602c020000000000 : Greenstreet Art drawing +#!:mime application/x-ole-storage +!:mime image/x-greenstreet-art +!:ext art +>>>80 default x +>>>>0 use ole2-unknown #?? # URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/ >>88 ubequad 0xa29a00aa004a1a72 : Microsoft @@ -365,6 +488,21 @@ !:mime application/vnd.ms-works !:apple ????AWWP !:ext wps +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Works +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: probably version 6 and 7 +# organize pictures like JPFG images in streams __cf1 with names like +# 001.JPG, 002.JPG ... in streams __fname +>>88 ubequad 0xa1c800c04f612452 : Microsoft +>>>80 ubequad 0xc0c7266eb98cd311 Works portfolio +# 2nd directory entry name PfOrder, 3rd __LastID and 4th __SizeUsed +#!:mime application/x-ole-storage +# https://www.iana.org/assignments/media-types/application/vnd.ms-works +!:mime application/vnd.ms-works +# https://extension.nirsoft.net/wsb +# like: wsbsamp.wsb WORKS2003_CD:\MSWorks\Common\Sammlung.wsb +!:ext wsb #?? # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Publisher >>88 ubequad 0x00c0000000000046 : Microsoft @@ -387,6 +525,28 @@ !:apple ????PPT3 # /autostart/template !:ext ppt/pps/pot +# From: Joerg Jenderek +# URL: https://www.file-extensions.org/ppa-file-extension +# https://en.wikipedia.org/wiki/Microsoft_PowerPoint#cite_note-231 +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +>>88 ubequad 0x871800aa0060263b : Microsoft +# only version 8 (97) tested; PowerPoint 4.0 to 11.0 (2004) (Wikipedia); 97 to 2003 (file-extensions.org) +>>>80 ubequad 0xf04672810a72cf11 PowerPoint Addin or Wizard +# second, third and fourth directory entry name like VBA PROJECT PROJECTwm +# http://extension.nirsoft.net/pwz +!:mime application/vnd.ms-powerpoint +# like: BSHPPT97.PPA "AutoContent Wizard.pwz" +!:ext ppa/pwz +# +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/AWD_(At_Work_Document) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/awd-fax.trid.xml +# Note: called "Microsoft At Work Fax document" by TrID +>>88 ubequad 0xb29400dd010f2bf9 : Microsoft +>>>80 ubequad 0x801cb0023de01a10 At Work fax Document +#!:mime application/x-ole-storage +!:mime image/x-ms-awd +!:ext awd # # URL: https://en.wikipedia.org/wiki/Microsoft_Project #?? @@ -394,6 +554,39 @@ >>>80 ubequad 0x3a8fb774c8c8d111 Project !:mime application/vnd.ms-project !:ext mpp +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Microsoft_Office_shared_tools#Binder +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/obd.trid.xml +# http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: only version 8 tested and called "Office Binder Document" by TrID and +# "Microsoft Office Binder File for Windows" version 97-2000 by DROID fmt/240 +>>88 ubequad 0xb21c00aa004ba90b : Microsoft +>>>80 ubequad 0x0004855964661b10 Office Binder Document, Template or wizard +# second directory entry name like Binder +# https://www.file-extensions.org/obd-file-extension +#!:mime application/vnd.ms-binder +!:mime application/x-msbinder +# obt for template; obz for Microsoft Office Binder wizard +!:ext obd/obt/obz +# +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# https://github.com/OneWingedShark/WordPerfect/ +# blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm +# From: Joerg Jenderek +# Note: internal version x.2 or 2.2 like in embedded ole6-PerfectOffice_MAIN.wpd +# 3rd directory entry name PerfectOffice_OBJECT and 2nd PerfectOffice_MAIN, +# which contains WordPerfect document \xffWPC signature handled by ./wordprocessors +>>88 ubequad 0x19370000929679cd : WordPerfect 7 +>>>80 ubequad 0xff739851ad2d2002 Document +!:mime application/vnd.wordperfect +#!:apple ????WPC? +# https://fossies.org/linux/wp2latex/test/ole6.wpd +!:ext wpd +#>>>>0 search/0xc01/s \xffWPC \b, WPC SIGNATURE +# inspect embedded WordPerfect document by ./wordprocessors with 1 space at end +#>>>>>&0 indirect x \b; contains +# GRR: the above expression does not work correctly # # URL: http://fileformats.archiveteam.org/wiki/SHW_(Corel) #??? @@ -413,6 +606,19 @@ !:apple ????WPC9 !:ext wpg # +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CorelCAD +# https://en.wikipedia.org/wiki/CorelCAD +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccd-corelcad.trid.xml +# Note: called "CorelCAD Drawing" by TrID and CorelCAD +# directory entry names like Contents ViewInfo CustomViewDescriptions LayerInfo +>>88 ubequad 0xbe26db67235e2689 : Corel +>>>80 ubequad 0x20f414de1cacce11 \bCAD Drawing or Template +#!:mime application/x-ole-storage +!:mime application/x-corel-cad +# CCT for CorelCAD Template +!:ext ccd/cct +# # URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats >>88 ubequad 0x996104021c007002 : StarOffice >>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template @@ -511,9 +717,44 @@ !:mime application/vnd.softmaker.planmaker # pmv for template https://www.file-extensions.org/pmv-file-extension !:ext pmd/pmv +# URL: http://fileformats.archiveteam.org/wiki/MAX_(3ds_Max) +# https://en.wikipedia.org/wiki/Autodesk_3ds_Max +# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File +# Note: called "3D Studio Max Scene" by TrID and "3DS Max" by DROID and +# "3DSMax thumbnail" by XnView and verfied by `nconvert -info A380.max` +# applies only to "newer" versions (about 2008-2020) +>>88 ubequad 0x9fed04143144cc1e : Autodesk +>>>80 ubequad 0x7b8cdd1cc081a045 3ds Max +#!:mime application/x-ole-storage +!:mime model/x-autodesk-max +# like: https://static.free3d.com/models/dropbox/dropbox/sq/A380.7z/A380.max +!:ext max +# also chr for character file according to DROID https://www.nationalarchives.gov.uk/PRONOM/fmt/978 +#!:ext max/chr # remaining non null clsid ->>88 default x : UNKNOWN +>>88 default x +>>>0 use ole2-unknown +# display information about directory for not detected CDF files +0 name ole2-unknown +>80 ubequad x : UNKNOWN +# https://reposcope.com/mimetype/application/x-ole-storage !:mime application/x-ole-storage ->>>80 ubequad !0 \b, clsid 0x%16.16llx ->>>88 ubequad x \b%16.16llx - +# according to file version 5.41 with -e soft option +#!:mime application/CDFV2 +#!:ext ??? +>80 ubequad !0 \b, clsid %#16.16llx +>>88 ubequad x \b%16.16llx +# converted hexadecimal format to standard GUUID notation +>>80 guid x {%s} +# second directory entry name like VisioDocument Control000 +>128 lestring16 x with names %.20s +# third directory entry like WordDocument Preview.dib +>256 lestring16 x %.20s +# forth like \005SummaryInformation +>384 lestring16 x %.25s +# 5th +>512 lestring16 x %.10s +# 6th +>640 lestring16 x %.10s +# 7th +>768 lestring16 x %.10s diff --git a/contrib/file/magic/Magdir/oric b/contrib/file/magic/Magdir/oric new file mode 100644 index 000000000000..38c02c5751d3 --- /dev/null +++ b/contrib/file/magic/Magdir/oric @@ -0,0 +1,16 @@ + +#------------------------------------------------------------------------------ +# $File: oric,v 1.2 2022/04/25 17:28:20 christos Exp $ +# Oric tape files +# From: Stefan A. Haubenthal <polluks@sdf.lonestar.org> +# References: +# http://fileformats.archiveteam.org/wiki/TAP_(Oric) +# http://fileformats.archiveteam.org/wiki/DSK_(Oric) +0 string \x16\x16\x16\x24 Oric tape, +>6 byte =0x00 BASIC, +>6 byte =0x80 memory block, +>7 byte >0x00 autorun, +>13 string x "%.15s" + +0 string ORICDISK Oric Image +0 string MFM_DISK Oric Image diff --git a/contrib/file/magic/Magdir/os2 b/contrib/file/magic/Magdir/os2 index ace69cb34b23..cb43e999f6f6 100644 --- a/contrib/file/magic/Magdir/os2 +++ b/contrib/file/magic/Magdir/os2 @@ -1,12 +1,14 @@ #------------------------------------------------------------------------------ -# $File: os2,v 1.10 2017/03/17 21:35:28 christos Exp $ +# $File: os2,v 1.14 2022/03/21 21:25:50 christos Exp $ # os2: file(1) magic for OS/2 files # # Provided 1998/08/22 by # David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> 1 search/100 InternetShortcut MS Windows 95 Internet shortcut text +!:mime application/x-mswinurl +!:ext url >17 search/100 URL= (URL=< >>&0 string x \b%s>) @@ -25,6 +27,8 @@ #>5 string >\ (Local file) <%s> # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) +# URL: http://fileformats.archiveteam.org/wiki/INF/HLP_(OS/2) +# Reference: http://www.edm2.com/0308/inf.html # Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: @@ -41,9 +45,142 @@ # int16 unknown2; // unknown purpose # 0 string HSP\x01\x9b\x00 OS/2 INF +!:mime application/x-os2-inf +!:ext inf >107 string >0 (%s) 0 string HSP\x10\x9b\x00 OS/2 HLP +!:mime application/x-os2-hlp +!:ext hlp >107 string >0 (%s) +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MSG_(OS/2) +# Reference: https://github.com/OS2World/UTIL-SYSTEM-MKMSGF/blob/master/mkmsgf.h +# Note: created by MKMSGF.EXE. Text source can be recreated by E_MSGF +# example like OS001H.MSG +0 string \xffMKMSGF\0 OS/2 help message +!:mime application/x-os2-msg +!:ext msg +# identifier[3] like: DOS NET REX SYS ... +>8 string x '%.3s' +# msgnumber: number of messages +>11 uleshort x \b, %u messages +# firstmsgnumber; number of the first message like: some times 0 often 1 169 1000 3502 +>13 uleshort >1 \b, 1st number %u +# offset16bit; 1~Index table has 16-bit offsets (files<64k) 0~Index table has 32-bit offsets +>15 ubyte =0 \b, 32-bit +#>15 ubyte =1 \b, 16-bit +# version; file version: 2~new 0~old +>16 uleshort !2 \b, version %u +# indextaboffset; offset of index table: 1F~after header 0~no index table for version 0? +>18 uleshort >0 +>>18 uleshort !0x1f \b, at %#x index +# 32-bit offset +>>15 ubyte =0 +# offset with message table +>>>(18.s) ulelong x \b, at %#x +# 1st message +# http://www.os2museum.com/files/docs/os210ptk/os2-1.0-ptk-tools-1988.pdf +# message type: E~Error H~Help I~Information P~Prompt W~Warning ? +>>>>(&-4.l) ubyte x %c-type +>>>>>&0 string x %s +# 16-bit offset +>>15 ubyte =1 +# msgnum; message number +>>>(18.s) uleshort x \b, number %u +# msgindex; offset of message from begin of file +>>>(18.s+2) uleshort x at %#x +# message type E H I P W ? +>>>>(&-2.s) ubyte x %c-type +# skip newline carriage return +>>>>>&0 ubeshort =0x0D0a +>>>>>>&0 string x %s +>>>>>&0 ubeshort !0x0D0a +>>>>>>&-2 string x %s +# for version 0 index table apparently at offset 1F +>16 uleshort 0 +>>15 ubyte 1 +# 1st message 16-bit +>>>0x1F uleshort x \b, at %#x +# message type: E~Error H~Help I~Information P~Prompt W~Warning ? +>>>>(0x1F.s) ubyte x %c-type +>>>>>&0 string x %s +# 2nd message 16-bit +>>>0x21 uleshort x \b, at %#x +>>>>(0x21.s) ubyte x %c-type +>>>>>&0 string x %s +# 3rd message 16-bit +>>>0x23 uleshort x \b, at %#x +>>>>(0x23.s) ubyte x %c-type +>>>>>&0 string x %s +# version 0 32-bit +>>15 ubyte 0 +# 1st message 32-bit +>>>0x1f ulelong x \b, at %#x +>>>>(0x1F.l) ubyte x %c-type +>>>>>&0 string x %s +# 2nd message 32-bit +>>>0x23 ulelong x \b, at %#x +>>>>(0x23.l) ubyte x %c-type +>>>>>&0 string x %s +# 3rd message 32-bit +>>>0x27 ulelong x \b, AT %#x +>>>>(0x27.l) ubyte x %c-type +>>>>>&0 string x %s +# countryinfo; offset of country info block: 0 for version 0 +>20 uleshort !0 \b, at %#x countryinfo +# nextcoutryinfo +>>22 uleshort >0 \b, at %#x next +# reserved[5]; Must be 0 +>>25 ulelong !0 \b, RESERVED %#x +>>(20.s) use os2-msg-info +# display country info block of MKMSGF message file +0 name os2-msg-info +# bytesperchar; bytes per char: 1~SBCS 2~DBCS +>0 ubyte >1 \b, %u bytes/char +# reserved; Not known +>1 uleshort !0 \b, reserved %#x +# langfamilyID; language family ID like: 0~? 1~Arabic ... 7~German ... 9~English ... 34~Slovene +>3 uleshort >0 \b, language %u +# langversionID; like: 7_1~German 7_2~Swiss German 12_1~French 12_3~Canadian French +>>5 uleshort x \b_%u +# langfamilyID too high. This should not happen +>3 uleshort >34 (invalid language) +# codepagesnumber; number of codepages like: 1 2 ... 16 +>7 uleshort x \b, %u code page +# plural s +>7 uleshort >1 \bs +# too many number of codepages. This should not happen +>7 uleshort >16 (Too many) +# codepages[16]; codepages list like 437 850 ... +>7 uleshort <17 +# 1st code page +>>9 uleshort >0 %u +# possible 2nd code page number +>>>7 uleshort >1 +>>>>11 uleshort x %u +# filename[260]; name of file like: dbaseos2.msg dde4c01e.msg os2ldr.mgr xdfh.msg ... +>41 string x \b, %s + # OS/2 INI (this is a guess) 0 string \xff\xff\xff\xff\x14\0\0\0 OS/2 INI +!:mime application/x-os2-ini +!:ext ini + +# From: Joerg Jenderek +# URL: http://warpin.netlabs.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-wpi.trid.xml +# Note: called by TrID "WarpIN Installer" +# probably magic at the beginning +0 ubelong =0x770402BE WarpIN Installer +#>4 ubelong =0x03000000 +#!:mime application/octet-stream +!:mime application/x-os2-wpi +!:ext wpi +# creator program name like: "reserved" or "WIC x.y.z" +>0x106 string x \b, created by %s +# name like: "reserved" or "OS/2 Netlabs" +>0x146 string x \b, '%s' +# name like: "N/A" "http://warpin.netlabs.org" +>0x186 string x \b, URL %s + diff --git a/contrib/file/magic/Magdir/palm b/contrib/file/magic/Magdir/palm index 8cec9df20db1..5d2b913c35fe 100644 --- a/contrib/file/magic/Magdir/palm +++ b/contrib/file/magic/Magdir/palm @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: palm,v 1.14 2019/04/19 00:42:27 christos Exp $ +# $File: palm,v 1.15 2021/12/16 21:50:06 christos Exp $ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor <blalor@hcirisc.cs.binghamton.edu> @@ -55,6 +55,7 @@ # Mobipocket (www.mobipocket.com), donated by Carl Witty # expanded by Ralf Brown 60 string BOOKMOBI Mobipocket E-book +!:mime application/x-mobipocket-ebook # MobiPocket stores a full title, pointed at by the belong at offset # 0x54 in its header at (78.L), with length given by the belong at # offset 0x58. diff --git a/contrib/file/magic/Magdir/pascal b/contrib/file/magic/Magdir/pascal index ddb93b0c54f6..61688024560f 100644 --- a/contrib/file/magic/Magdir/pascal +++ b/contrib/file/magic/Magdir/pascal @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: pascal,v 1.3 2020/06/07 18:10:26 christos Exp $ +# $File: pascal,v 1.4 2022/07/30 16:53:06 christos Exp $ # pascal: file(1) magic for Pascal source # 0 search/8192 (input, Pascal source text @@ -12,3 +12,28 @@ # Free Pascal 0 string PPU Pascal unit >3 string x \b, version %s + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Dan_Bricklin +0 string/b Type +# URL: https://dl.winworldpc.com/Dan%20Bricklins%20Demo%20II%20Version%202%20Manual.7z +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-v2.trid.xml +>4 string D2 Dan Bricklin's Demo 2 demo +#!:mime application/octet-stream +!:ext dbd +# URL: https://muhaz.org/turbo-pascal-download-details.html +# From: Joerg Jenderek +# Note: used by Turbo Pascal 5.5 TOUR.EXE +>4 string T2 Turbo Pascal TOUR data +#!:mime application/octet-stream +!:mime application/x-borland-cbt +!:ext cbt +# WHAT iS THAT? +#>4 string \040P Dan Bricklin's Demo 2 foo +#!:mime application/octet-stream +# _PPRINT.SG2 _PASCII.SG2 +#!:ext sg2 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-gen.trid.xml +>4 default x Dan Bricklin's Demo demo (generic) +#!:mime application/octet-stream +!:ext dbd diff --git a/contrib/file/magic/Magdir/pci_ids b/contrib/file/magic/Magdir/pci_ids new file mode 100644 index 000000000000..34bc2e2f8afc --- /dev/null +++ b/contrib/file/magic/Magdir/pci_ids @@ -0,0 +1,116 @@ + +#------------------------------------------------------------------------------ +# $File: pci_ids,v 1.1 2022/04/02 14:47:42 christos Exp $ +# pci.ids: file(1) magic for PCI specific informations +# + +# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids +# show hexadecimal PCI vendor identification in human readable text form +0 name PCI-vendor +# ID vendor name +#>0 uleshort =0x0f00 fOO +>0 uleshort =0x1000 Broadcom +>0 uleshort =0x1002 AMD/ATI +>0 uleshort =0x1013 Cirrus Logic +>0 uleshort =0x1014 IBM +>0 uleshort =0x1022 AMD +>0 uleshort =0x1050 Winbond +>0 uleshort =0x105a Promise +>0 uleshort =0x1095 Silicon +>0 uleshort =0x10EC Realtek +>0 uleshort =0x10de NVIDIA +>0 uleshort =0x1106 VIA +# Woodward McCoach, Inc. +>0 uleshort =0x1231 Woodward +# +>0 uleshort =0x1234 Bochs +>0 uleshort =0x15ad VMware +>0 uleshort =0x1af4 Virtio +>0 uleshort =0x1b36 QEMU +>0 uleshort =0x1de1 Tekram +# maybe also Promise? +#>0 uleshort =0x4289 Promise +#>0 uleshort =0x66a1 FOO +>0 uleshort =0x8086 Intel +>0 uleshort =0x9004 Adaptec +# also Adaptec; but no example +>0 uleshort =0x9005 Adaptec +# for unknown/missing manufactors +>0 default x UNKNOWN +>>0 uleshort x (%#4.4x) + +# https://blog.ladsai.com/pci-configuration-space-class-code.html +# Base class code https://wiki.osdev.org/PCI +# show hexadecimal PCI class+sub+ProgIF identification in human readable text form +0 name PCI-class +#>0 ubyte x CLASS=%x +>0 ubyte x +# Device was built prior definition of the class code field +>>0 ubyte 0x00 PRIOR +# Any device except for VGA-Compatible devices like: 2975BIOS.BIN Trm3x5.bin +# BUT also NVidia44.bin vgabios-stdvga-bin.rom +#>>>0 ubyte 0x00 NOT VGA +# VGA-Compatible Device; NO EXAMPLE found here!! +#>>>0 ubyte 0x01 VGA +# like 4243.bin +#>>>0 ubyte 0x04 SUB_CLASS_4 +>>0 ubyte 0x01 storage controller +# device sub-type and its definition is dependent upon the base-type code +>>>1 ubyte 0x00 SCSI +>>>1 ubyte 0x01 IDE +>>>1 ubyte 0x02 Floppy +>>>1 ubyte 0x03 IPI +>>>0 ubyte 0x04 RAID +>>>1 ubyte 0x05 ATA +>>>1 ubyte 0x06 SATA +>>>1 ubyte 0x07 SAS +>>>1 ubyte 0x08 NVM +# 4650_sr5.bin "PROMISE" "FT TX4650 Ary X" +>>>1 ubyte 0x80 OTHER +>>0 ubyte 0x02 network controller +>>>1 ubyte 0x00 ethernet +>>>1 ubyte 0x01 token ring +>>>1 ubyte 0x02 FDDI +>>>1 ubyte 0x03 ATM +>>>1 ubyte 0x04 ISDN +>>>1 ubyte 0x05 WorldFip +# PICMG 2.14 Multi Computing +>>>1 ubyte 0x06 PICMG +>>>1 ubyte 0x80 OTHER +>>0 ubyte 0x03 display controller +>>0 ubyte 0x04 multimedia controller +>>0 ubyte 0x05 memory controller +>>0 ubyte 0x06 bridge device +# Simple Communication Controllers +>>0 ubyte 0x07 communication controller +# Base System Peripherals +>>0 ubyte 0x08 base peripheral +# Input Devices +>>0 ubyte 0x09 input device +# Docking Stations +>>0 ubyte 0x0A docking station +>>0 ubyte 0x0B processor +>>0 ubyte 0x0C serial bus controller +>>0 ubyte 0x0D wireless controller +# Intelligent I/O Controllers +>>0 ubyte 0x0E I/O controller +# Satellite Communication Controllers +>>0 ubyte 0x0F satellite controller +# Encryption/Decryption Controllers +>>0 ubyte 0x10 encryption controller +# Data Acquisition and Signal Processing Controllers +>>0 ubyte 0x11 signal controller +# Processing Accelerator +>>0 ubyte 0x12 processing accelerator +# Non-Essential Instrumentation +>>0 ubyte 0x13 non-essential +# reserved or unassigned +>>0 default x +# device does not fit any defined class; Unassigned Class (Vendor specific) +>>>0 ubyte 0xFF UNASSIGNED +# THIS SHOULD NOT HAPPEN! BUT CLASS=8f for Promise 4650_sr5.bin 8660_sr5.bin +>>>0 default x RESERVED +>>>>0 ubyte x (%#x) +# Prog IF of PCI class code? +# defines the specific device programming interface +>2 ubyte >0 \b, ProgIF=%u diff --git a/contrib/file/magic/Magdir/pcjr b/contrib/file/magic/Magdir/pcjr new file mode 100644 index 000000000000..c3ab7a25fdf4 --- /dev/null +++ b/contrib/file/magic/Magdir/pcjr @@ -0,0 +1,8 @@ + +#------------------------------------------------------------------------------ +# $File: pcjr,v 1.1 2021/01/09 15:09:58 christos Exp $ +# pcjr: file(1) magic for PCjr Cartridge image file format +# From: Francis Laniel <laniel_francis@privacyrequired.com> +0 string PCjr +>0x80 beshort 0x55aa PCjr Cartridge image +>0x200 beshort 0x55aa PCjr Cartridge image diff --git a/contrib/file/magic/Magdir/pdf b/contrib/file/magic/Magdir/pdf index e386f454a593..7a99d8d3cf3d 100644 --- a/contrib/file/magic/Magdir/pdf +++ b/contrib/file/magic/Magdir/pdf @@ -1,15 +1,18 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.12 2020/01/30 01:48:44 christos Exp $ +# $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $ # pdf: file(1) magic for Portable Document Format # 0 name pdf ->8 search/512 /Filter/FlateDecode/ (password protected) +>8 search /Count +>>&0 regex [0-9]+ \b, %s page(s) +>8 search/512 /Filter/FlateDecode/ (zip deflate encoded) 0 string %PDF- PDF document !:mime application/pdf !:strength +60 +!:ext pdf >5 byte x \b, version %c >7 byte x \b.%c >0 use pdf @@ -17,6 +20,7 @@ 0 string \012%PDF- PDF document !:mime application/pdf !:strength +60 +!:ext pdf >6 byte x \b, version %c >8 byte x \b.%c >0 use pdf @@ -24,6 +28,7 @@ 0 string \xef\xbb\xbf%PDF- PDF document (UTF-8) !:mime application/pdf !:strength +60 +!:ext pdf >6 byte x \b, version %c >8 byte x \b.%c >0 use pdf @@ -33,12 +38,14 @@ 0 string %FDF- FDF document !:mime application/vnd.fdf !:strength +60 +!:ext pdf >5 byte x \b, version %c >7 byte x \b.%c -0 search/256 %PDF- PDF document +0 search/1024 %PDF- PDF document !:mime application/pdf !:strength +60 +!:ext pdf >&0 byte x \b, version %c >&2 byte x \b.%c >0 use pdf diff --git a/contrib/file/magic/Magdir/perl b/contrib/file/magic/Magdir/perl index c391d4a72036..4a3756a483e1 100644 --- a/contrib/file/magic/Magdir/perl +++ b/contrib/file/magic/Magdir/perl @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ +# $File: perl,v 1.27 2023/07/17 16:01:36 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. @@ -34,12 +34,12 @@ # by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/8192 package ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; Perl5 module source text !:strength + 40 # not 'p', check other lines 0 search/8192 !p ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; ->>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; +>>0 regex \^1[[:space:]]*;|\^(use|sub|my)[[:space:]].*[(;{=] Perl5 module source text !:strength + 75 # Perl POD documents diff --git a/contrib/file/magic/Magdir/pgf b/contrib/file/magic/Magdir/pgf index b5a251efdf38..8318ce133804 100644 --- a/contrib/file/magic/Magdir/pgf +++ b/contrib/file/magic/Magdir/pgf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgf,v 1.2 2017/03/17 21:35:28 christos Exp $ +# $File: pgf,v 1.3 2021/02/23 00:51:10 christos Exp $ # pgf: file(1) magic for Progressive Graphics File (PGF) # # <http://www.libpgf.org/uploads/media/PGF_Details_01.pdf> @@ -25,7 +25,7 @@ >>20 byte 1 gray scale, >>20 byte 2 indexed color, >>20 byte 3 RGB color, ->>20 byte 4 CYMK color, +>>20 byte 4 CMYK color, >>20 byte 5 HSL color, >>20 byte 6 HSB color, >>20 byte 7 multi-channel, @@ -34,7 +34,7 @@ >>20 byte 10 gray scale 16, >>20 byte 11 RGB color 48, >>20 byte 12 LAB color 48, ->>20 byte 13 CYMK color 64, +>>20 byte 13 CMYK color 64, >>20 byte 14 deep multi-channel, >>20 byte 15 duo tone 16, >>20 byte 17 RGBA color, diff --git a/contrib/file/magic/Magdir/pgp b/contrib/file/magic/Magdir/pgp index 069c82eb8bef..d81883868b41 100644 --- a/contrib/file/magic/Magdir/pgp +++ b/contrib/file/magic/Magdir/pgp @@ -1,54 +1,11 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.21 2020/03/20 17:11:05 christos Exp $ +# $File: pgp,v 1.25 2021/04/26 15:56:00 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy + +# Handling of binary PGP keys is in pgp-binary-keys. # see https://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # -# Update: Joerg Jenderek -# Note: verified by `gpg -v --debug 0x02 --list-packets < PUBRING263_10.PGP` -#0 byte 0x99 MAYBE PGP 0x99 -0 byte 0x99 -# 99h~10;0110;01~2=old packet type;tag 6=Public-Key Packet;1=two-octet length -# A two-octet body header encodes packet lengths of 192~00C0h - 8383~20BFh -#>1 ubeshort x \b, body length 0x%.4x -# skip Basic.Image Beauty.320 Pic.Icons by looking for low version number -#>3 ubyte x \b, V=%u -#>3 ubyte <5 VERSION OK ->3 ubyte <5 -# next packet type often b4h~(tag 13)~User ID Packet, b0h~(tag 12)~Trust packet -#>>(1.S+3) ubyte x \b, next packet type 0x%x -# skip 9900-v4.bin 9902-v4.bin by looking for valid second packet type (bit 7=1) -#>>(1.S+3) ubyte >0x7F TYPE OK, ->>(1.S+3) ubyte >0x7F -# old versions 2,3 implies Pretty Good Privacy ->>>3 ubyte <4 PGP key public ring (v%u) -!:mime application/pgp-keys -!:ext pgp/ASD ->>>>4 beldate x created %s -# days that this key is valid. If this number is zero, then it does not expire ->>>>8 ubeshort >0 \b, %u days valid ->>>>8 ubeshort =0 \b, not expire -# display key algorithm 1~RSA (Encrypt or Sign) ->>>>10 use key_algo -# Multiprecision Integers (MPI) size ->>>>11 ubeshort x %u bits -# MPI ->>>>13 ubequad x MPI=0x%16.16llx... -# new version implies Pretty Good Privacy (PGP) >= 5.0 or Gnu Privacy Guard (GPG) ->>>3 ubyte >3 PGP/GPG key public ring (v%u) -!:mime application/pgp-keys -!:ext pgp/gpg/pkr/asd ->>>>4 beldate x created %s -# display key algorithm 17~DSA ->>>>8 use key_algo -# Multiprecision Integers (MPI) size ->>>>9 ubeshort x %u bits ->>>>11 ubequad x MPI=0x%16.16llx... - -0 beshort 0x9501 PGP key security ring -!:mime application/x-pgp-keyring -0 beshort 0x9500 PGP key security ring -!:mime application/x-pgp-keyring 0 beshort 0xa600 PGP encrypted data #!:mime application/pgp-encrypted #0 string -----BEGIN\040PGP text/PGP armored data @@ -404,7 +361,7 @@ # we branch into the proper key size # signatures defined as x{keysize} ->0 name pgpkey +0 name pgpkey >0 string \x01\xd8 1024b >>2 use x1024 >0 string \x01\xeb 1024b @@ -582,8 +539,6 @@ # PGP RSA (e=65537) secret (sub-)key header -0 byte 0x95 PGP Secret Key - ->1 use pgpkey 0 byte 0x97 PGP Secret Sub-key - >1 use pgpkey 0 byte 0x9d @@ -591,9 +546,9 @@ # secret subkey packet (tag 7) with same structure as secret key packet (tag 5) # skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len >1 ubeshort >0 -#>1 ubeshort x \b, body length 0x%x +#>1 ubeshort x \b, body length %#x # next packet type often 88h,89h~(tag 2)~Signature Packet -#>>(1.S+3) ubyte x \b, next packet type 0x%x +#>>(1.S+3) ubyte x \b, next packet type %#x # skip Dragon.SHR DEMO.INIT by looking for positive version >>3 ubyte >0 # skip BUISSON.13 GUITAR1 by looking for low version number @@ -609,7 +564,7 @@ >>>>>11 ubeshort x %db >>>>>4 beldate x created on %s - # old versions use 2 additional bytes after time stamp -#>>>>>8 ubeshort x 0x%x +#>>>>>8 ubeshort x %#x # display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman >>>>>10 use key_algo >>>>>(11.S/8) ubequad x diff --git a/contrib/file/magic/Magdir/pgp-binary-keys b/contrib/file/magic/Magdir/pgp-binary-keys new file mode 100644 index 000000000000..1ce76d907b07 --- /dev/null +++ b/contrib/file/magic/Magdir/pgp-binary-keys @@ -0,0 +1,388 @@ + +#------------------------------------------------------------------------------ +# $File: pgp-binary-keys,v 1.2 2021/04/26 15:56:00 christos Exp $ +# pgp-binary-keys: This file handles pgp binary keys. +# +# An PGP certificate or message doesn't have a fixed header. Instead, +# they are sequences of packets: +# +# https://tools.ietf.org/html/rfc4880#section-4.3 +# +# whose order conforms to a grammar: +# +# https://tools.ietf.org/html/rfc4880#section-11 +# +# Happily most packets have a few fields that are constrained, which +# allow us to fingerprint them with relatively high certainty. +# +# A PGP packet is described by a single byte: the so-called CTB. The +# high-bit is always set. If bit 6 is set, then it is a so-called +# new-style CTB; if bit 6 is clear, then it is a so-called old-style +# CTB. Old-style CTBs have only four bits of type information; bits +# 1-0 are used to describe the length. New-style CTBs have 6 bits of +# type information. +# +# Following the CTB is the packet's length in bytes. If we blindly +# advance the file cursor by this amount past the end of the length +# information we come to the next packet. +# +# Data Structures +# =============== +# +# New Style CTB +# ------------- +# +# https://tools.ietf.org/html/rfc4880#section-4.2.2 +# +# 76543210 +# ||\----/ +# || tag +# |always 1 +# always 1 +# +# Tag bits 7 and 6 set +# 0 0xC0 -- Reserved - a packet tag MUST NOT have this value +# 1 0xC1 -- Public-Key Encrypted Session Key Packet +# 2 0xC2 -- Signature Packet +# 3 0xC3 -- Symmetric-Key Encrypted Session Key Packet +# 4 0xC4 -- One-Pass Signature Packet +# 5 0xC5 -- Secret-Key Packet +# 6 0xC6 -- Public-Key Packet +# 7 0xC7 -- Secret-Subkey Packet +# 8 0xC8 -- Compressed Data Packet +# 9 0xC9 -- Symmetrically Encrypted Data Packet +# 10 0xCA -- Marker Packet +# 11 0xCB -- Literal Data Packet +# 12 0xCC -- Trust Packet +# 13 0xCD -- User ID Packet +# 14 0xCE -- Public-Subkey Packet +# 17 0xD1 -- User Attribute Packet +# 18 0xD2 -- Sym. Encrypted and Integrity Protected Data Packet +# 19 0xD3 -- Modification Detection Code Packet +# 60 to 63 -- Private or Experimental Values +# +# The CTB is followed by the length header, which is densely encoded: +# +# if length[0] is: +# 0..191: one byte length (length[0]) +# 192..223: two byte length ((length[0] - 192) * 256 + length[2] + 192 +# 224..254: four byte length (big endian interpretation of length[1..5]) +# 255: partial body encoding +# +# The partial body encoding is similar to HTTP's chunk encoding. It +# is only allowed for container packets (SEIP, Compressed Data and +# Literal). +# +# Old Style CTB +# ------------- +# +# https://tools.ietf.org/html/rfc4880#section-4.2.1 +# +# CTB: +# +# 76543210 +# ||\--/\/ +# || | length encoding +# || tag +# |always 0 +# always 1 +# +# Tag: +# +# Tag bit 7 set, bits 6, 1, 0 clear +# 0 0x80 -- Reserved - a packet tag MUST NOT have this value +# 1 0x84 -- Public-Key Encrypted Session Key Packet +# 2 0x88 -- Signature Packet +# 3 0x8C -- Symmetric-Key Encrypted Session Key Packet +# 4 0x90 -- One-Pass Signature Packet +# 5 0x94 -- Secret-Key Packet +# 6 0x98 -- Public-Key Packet +# 7 0x9C -- Secret-Subkey Packet +# 8 0xA0 -- Compressed Data Packet +# 9 0xA4 -- Symmetrically Encrypted Data Packet +# 10 0xA8 -- Marker Packet +# 11 0xAC -- Literal Data Packet +# 12 0xB0 -- Trust Packet +# 13 0xB4 -- User ID Packet +# 14 0xB8 -- Public-Subkey Packet +# +# Length encoding: +# +# Value +# 0 1 byte length (following byte is the length) +# 1 2 byte length (following two bytes are the length) +# 2 4 byte length (following four bytes are the length) +# 3 indeterminate length: natural end of packet, e.g., EOF +# +# An indeterminate length is only allowed for container packets +# (SEIP, Compressed Data and Literal). +# +# Certificates +# ------------ +# +# We check the first three packets to determine if a sequence of +# OpenPGP packets is likely to be a certificate. The grammar allows +# the following prefixes: +# +# [Primary Key] [SIG] (EOF or another certificate) +# [Primary Key] [SIG] [User ID] [SIG]... +# [Primary Key] [SIG] [User Attribute] [SIG]... +# [Primary Key] [SIG] [Subkey] [SIG]... +# [Primary Key] [User ID] [SIG]... +# [Primary Key] [User Attribute] [SIG]... +# [Primary Key] [Subkey] [SIG]... +# +# Any number of marker packets are also allowed between each packet, +# but they are not normally used and we don't currently check for +# them. +# +# The keys and subkeys may be public or private. +# + +# Key packets and signature packets are versioned. There are two +# packet versions that we need to worry about in practice: v3 and v4. +# v4 packets were introduced in RFC 2440, which was published in 1998. +# It also deprecated v3 packets. There are no actively used v3 +# certificates (GnuPG removed the code to support them in November +# 2014). But there are v3 keys lying around and it is useful to +# identify them. The next version of OpenPGP will introduce v5 keys. +# The document has not yet been standardized so changes are still +# possible. But, for our purposes, it appears that v5 data structures +# will be identical to v4 data structures modulo the version number. +# +# https://tools.ietf.org/html/rfc2440 +# https://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000358.html +# https://www.ietf.org/id/draft-ietf-openpgp-rfc4880bis-09.html#name-key-material-packet + + + + +# The first packet has to be a public key or a secret key. +# +# New-Style Public Key +0 ubyte =0xC6 OpenPGP Public Key +>&0 use primary_key_length_new +# New-Style Secret Key +0 ubyte =0xC5 OpenPGP Secret Key +>&0 use primary_key_length_new +# Old-Style Public Key +0 ubyte&0xFC =0x98 OpenPGP Public Key +>&-1 use primary_key_length_old +# Old-Style Secret Key +0 ubyte&0xFC =0x94 OpenPGP Secret Key +>&-1 use primary_key_length_old + +# Parse the length, check the packet's body and finally advance to the +# next packet. + +# There are 4 different new-style length encodings, but the partial +# body encoding is only acceptable for the SEIP, Compressed Data, and +# Literal packets, which isn't valid for any packets in a certificate +# so we ignore it. +0 name primary_key_length_new +>&0 ubyte <192 +#>>&0 ubyte x (1 byte length encoding, %d bytes) +>>&0 use pgp_binary_key_pk_check +>>>&(&-1.B) use sig_or_component_1 +>&0 ubyte >191 +>>&-1 ubyte <225 +# offset = ((offset[0] - 192) << 8) + offset[1] + 192 (for the length header) +# raw - (192 * 256 - 192) +# = 48960 +#>>>&0 ubeshort x (2 byte length encoding, %d bytes) +>>>&1 use pgp_binary_key_pk_check +>>>>&(&-2.S-48960) use sig_or_component_1 +>&0 ubyte =255 +#>>&0 belong x (5 byte length encoding, %d bytes) +>>&4 use pgp_binary_key_pk_check +>>>&(&-4.L) use sig_or_component_1 +# Partial body encoding (only valid for container packets). +# >&0 ubyte >224 +# >>&0 ubyte <255 partial body encoding + +# There are 4 different old-style length encodings, but the +# indeterminate length encoding is only acceptable for the SEIP, +# Compressed Data, and Literal packets, which isn't valid for any +# packets in a certificate. +0 name primary_key_length_old +#>&0 ubyte x (ctb: %x) +>&0 ubyte&0x3 =0 +#>>&0 ubyte x (1 byte length encoding, %d bytes) +>>&1 use pgp_binary_key_pk_check +>>>&(&-1.B) use sig_or_component_1 +>&0 ubyte&0x3 =1 +#>>&0 ubeshort x (2 byte length encoding, %d bytes) +>>&2 use pgp_binary_key_pk_check +>>>&(&-2.S) use sig_or_component_1 +>&0 ubyte&0x3 =2 +#>>&0 ubelong x (4 byte length encoding, %d bytes) +>>&4 use pgp_binary_key_pk_check +>>>&(&-4.L) use sig_or_component_1 + +# Check the Key. +# +# https://tools.ietf.org/html/rfc4880#section-5.5.2 +0 name pgp_binary_key_pk_check +# Valid versions are: 2, 3, 4. 5 is proposed in RFC 4880bis. +# Anticipate a v6 / v7 format that like v5 is compatible with v4. +# key format in a decade or so :D. +>&0 ubyte >1 +>>&-1 ubyte <8 +>>>&-1 byte x Version %d +# Check that keys were created after 1990. +# (1990 - 1970) * 365.2524 * 24 * 60 * 60 = 631156147 +>>>&0 bedate >631156147 \b, Created %s +>>>>&-5 ubyte >3 +>>>>>&4 use pgp_binary_key_algo +>>>>&-5 ubyte <4 +>>>>>&6 use pgp_binary_key_algo + +# Print out the key's algorithm and the number of bits, if this is +# relevant (ECC keys are a fixed size). +0 name pgp_binary_key_algo +>0 clear x +>&0 ubyte =1 \b, RSA (Encrypt or Sign, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =2 \b, RSA (Encrypt, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =3 \b, RSA (Sign, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =16 \b, El Gamal (Encrypt, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =17 \b, DSA +>>&0 ubeshort x \b (%d bits) +>&0 ubyte =18 \b, ECDH +>&0 ubyte =19 \b, ECDSA +>&0 ubyte =20 \b, El Gamal (Encrypt or Sign, +>>&0 ubeshort x \b %d bits) +>&0 ubyte =22 \b, EdDSA +>&0 default x +>>&0 ubyte x \b, Unknown Algorithm (%#x) + +# Match all possible second packets. +0 name sig_or_component_1 +#>0 ubyte x (ctb: %x) +>&0 ubyte =0xC2 +>>0 ubyte x \b; Signature +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xCD +>>0 ubyte x \b; User ID +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xCE +>>0 ubyte x \b; Public Subkey +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xC7 +>>0 ubyte x \b; Secret Subkey +>>&0 use sig_or_component_1_length_new +>&0 ubyte =0xD1 +>>0 ubyte x \b; User Attribute +>>&0 use sig_or_component_1_length_new +>&0 ubyte&0xFC =0x88 +>>0 ubyte x \b; Signature +>>&-1 use sig_or_component_1_length_old +>&0 ubyte&0xFC =0xB4 +>>0 ubyte x \b; User ID +>>&-1 use sig_or_component_1_length_old +>&0 ubyte&0xFC =0xB8 +>>0 ubyte x \b; Public Subkey +>>&-1 use sig_or_component_1_length_old +>&0 ubyte&0xFC =0x9C +>>0 ubyte x \b; Secret Subkey +>>&-1 use sig_or_component_1_length_old + +# Copy of 'primary_key_length_new', but calls cert_packet_3. +0 name sig_or_component_1_length_new +>&0 ubyte <192 +#>>&0 ubyte x (1 byte new length encoding, %d bytes) +>>&(&-1.B) use cert_packet_3 +>&0 ubyte >191 +>>&-1 ubyte <225 +# offset = ((offset[0] - 192) << 8) + offset[1] + 192 + 1 (for the length header) +# raw - (192 * 256 - 192 - 1) +# = 48959 +#>>>&-1 ubeshort x (2 byte new length encoding, %d bytes) +>>>&(&-1.S-48959) use cert_packet_3 +>&0 ubyte =255 +#>>&0 belong x (5 byte new length encoding, %d bytes) +>>&(&-4.L) use cert_packet_3 +# Partial body encoding (only valid for container packets). +# >&0 ubyte >224 +# >>&0 ubyte <255 partial body encoding + +0 name sig_or_component_1_length_old +#>&0 ubyte x (ctb: %x) +>&0 ubyte&0x3 =0 +#>>&0 ubyte x (1 byte old length encoding, %d bytes) +>>&(&0.B+1) use cert_packet_3 +>&0 ubyte&0x3 =1 +#>>&0 ubeshort x (2 byte old length encoding, %d bytes) +>>&(&0.S+2) use cert_packet_3 +>&0 ubyte&0x3 =2 +#>>&0 ubelong x (4 byte old length encoding, %d bytes) +>>&(&0.L+4) use cert_packet_3 + +# Copy of above. +0 name cert_packet_3 +#>0 ubyte x (ctb: %x) +>&0 ubyte =0xC2 +>>0 ubyte x \b; Signature +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xCD +>>0 ubyte x \b; User ID +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xCE +>>0 ubyte x \b; Public Subkey +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xC7 +>>0 ubyte x \b; Secret Subkey +>>&0 use cert_packet_3_length_new +>&0 ubyte =0xD1 +>>0 ubyte x \b; User Attribute +>>&0 use cert_packet_3_length_new +>&0 ubyte&0xFC =0x88 +>>0 ubyte x \b; Signature +>>&-1 use cert_packet_3_length_old +>&0 ubyte&0xFC =0xB4 +>>0 ubyte x \b; User ID +>>&-1 use cert_packet_3_length_old +>&0 ubyte&0xFC =0xB8 +>>0 ubyte x \b; Public Subkey +>>&-1 use cert_packet_3_length_old +>&0 ubyte&0xFC =0x9C +>>0 ubyte x \b; Secret Subkey +>>&-1 use cert_packet_3_length_old + +# Copy of above. +0 name cert_packet_3_length_new +>&0 ubyte <192 +#>>&0 ubyte x (1 byte new length encoding, %d bytes) +>>&(&-1.B) use pgp_binary_keys_end +>&0 ubyte >191 +>>&-1 ubyte <225 +# offset = ((offset[0] - 192) << 8) + offset[1] + 192 + 1 (for the length header) +# raw - (192 * 256 - 192 - 1) +# = 48959 +#>>>&-1 ubeshort x (2 byte new length encoding, %d bytes) +>>>&(&-1.S-48959) use pgp_binary_keys_end +>&0 ubyte =255 +#>>&0 belong x (5 byte new length encoding, %d bytes) +>>&(&-4.L) use pgp_binary_keys_end + +0 name cert_packet_3_length_old +#>&0 ubyte x (ctb: %x) +>&0 ubyte&0x3 =0 +#>>&0 ubyte x (1 byte old length encoding, %d bytes) +>>&(&0.B+1) use pgp_binary_keys_end +>&0 ubyte&0x3 =1 +#>>&0 ubeshort x (2 byte old length encoding, %d bytes) +>>&(&0.S+2) use pgp_binary_keys_end +>&0 ubyte&0x3 =2 +#>>&0 ubelong x (4 byte old length encoding, %d bytes) +>>&(&0.L+4) use pgp_binary_keys_end + +# We managed to parse the first three packets of the certificate. Declare +# victory. +0 name pgp_binary_keys_end +>0 byte x \b; OpenPGP Certificate +!:mime application/pgp-keys +!:ext pgp/gpg/pkr/asd diff --git a/contrib/file/magic/Magdir/plan9 b/contrib/file/magic/Magdir/plan9 index da5eb66650ac..db068479c2d7 100644 --- a/contrib/file/magic/Magdir/plan9 +++ b/contrib/file/magic/Magdir/plan9 @@ -1,10 +1,11 @@ #------------------------------------------------------------------------------ -# $File: plan9,v 1.5 2009/09/19 16:28:11 christos Exp $ -# plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables +# $File: plan9,v 1.6 2021/07/30 12:25:13 christos Exp $ +# plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables and object files # From: "Stefan A. Haubenthal" <polluks@web.de> # 0 belong 0x00000107 Plan 9 executable, Motorola 68k +0 belong 0x00000197 Plan 9 executable, AT&T Hobbit 0 belong 0x000001EB Plan 9 executable, Intel 386 0 belong 0x00000247 Plan 9 executable, Intel 960 0 belong 0x000002AB Plan 9 executable, SPARC @@ -16,3 +17,9 @@ 0 belong 0x000006EB Plan 9 executable, PowerPC 0 belong 0x00000797 Plan 9 executable, MIPS R4000 LE 0 belong 0x0000084B Plan 9 executable, DEC Alpha + +0 belong 0x3A11013C Plan 9 object file, MIPS R3000 +0 belong 0x430D013C Plan 9 object file, AT&T Hobbit +0 belong 0x4D013201 Plan 9 object file, Motorola 68k +0 belong 0x7410013C Plan 9 object file, SPARC +0 belong 0x7E004501 Plan 9 object file, Intel 386 diff --git a/contrib/file/magic/Magdir/playdate b/contrib/file/magic/Magdir/playdate new file mode 100644 index 000000000000..77f8c689378d --- /dev/null +++ b/contrib/file/magic/Magdir/playdate @@ -0,0 +1,57 @@ + +#------------------------------------------------------------------------------ +# $File: playdate,v 1.1 2022/11/04 13:34:48 christos Exp $ +# +# Various native file formats for the Playdate portable video game console. +# +# These are unofficially documented at +# https://github.com/jaames/playdate-reverse-engineering +# +# The SDK is a source for many test files, and can be used to +# create others. https://play.date/dev/ + + +# pdi: static image +0 string Playdate\ IMG Playdate image data +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d +>12 belong&0x80 0x00 (uncompressed) +>>16 leshort x %d x +>>18 leshort x %d + +# pdt: multiple static images +0 string Playdate\ IMT Playdate image data set +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d, +>>28 lelong x %d cells +>12 belong&0x80 0x00 (uncompressed) +>>20 lelong x tile grid %d x +>>24 lelong x %d + +# pds: string tables +0 string Playdate\ STR Playdate localization strings +>12 belong&0x80 0x80 (compressed) +>12 belong&0x80 0x00 (uncompressed) + +# pda: audio +0 string Playdate\ AUD Playdate audio file +>12 lelong&0xffffff x %d Hz, +>15 byte 0 unsigned, 8-bit PCM, 1 channel +>15 byte 1 unsigned, 8-bit PCM, 2 channel +>15 byte 2 signed, 16-bit little-endian PCM, 1 channel +>15 byte 3 signed, 16-bit little-endian PCM, 1 channel +>15 byte 4 4-bit ADPCM, 1 channel +>15 byte 5 4-bit ADPCM, 2 channel + +# pda: video +0 string Playdate\ VID Playdate video file +>24 leshort x %d x +>26 leshort x %d, +>16 leshort x %d frames, +>20 lefloat x %.2f FPS + +# pdz: executable package +# Not a lot we can do, as it's a stream of entries with no summary information. +0 string Playdate\ PDZ Playdate executable package diff --git a/contrib/file/magic/Magdir/pmem b/contrib/file/magic/Magdir/pmem index 4c36275ea96f..c0ead7316b2c 100644 --- a/contrib/file/magic/Magdir/pmem +++ b/contrib/file/magic/Magdir/pmem @@ -1,31 +1,31 @@ #------------------------------------------------------------------------------ -# $File: pmem,v 1.3 2019/06/13 11:45:44 christos Exp $ +# $File: pmem,v 1.4 2021/04/26 15:56:00 christos Exp $ # pmem: file(1) magic for Persistent Memory Development Kit pool files # 0 string PMEM >4 string POOLSET Persistent Memory Poolset file >>11 search REPLICA with replica >4 regex LOG|BLK|OBJ Persistent Memory Pool file, type: %s, ->>8 lelong >0 version: 0x%x, ->>12 lelong x compat: 0x%x, ->>16 lelong x incompat: 0x%x, ->>20 lelong x ro_compat: 0x%x, +>>8 lelong >0 version: %#x, +>>12 lelong x compat: %#x, +>>16 lelong x incompat: %#x, +>>20 lelong x ro_compat: %#x, >>120 leqldate x crtime: %s, ->>128 lequad x alignment_desc: 0x%016llx, +>>128 lequad x alignment_desc: %#016llx, >>136 clear x >>136 byte 2 machine_class: 64-bit, >>136 default x machine_class: unknown ->>>136 byte x (0x%d), +>>>136 byte x (%#d), >>137 clear x >>137 byte 1 data: little-endian, >>137 byte 2 data: big-endian, >>137 default x data: unknown ->>>137 byte x (0x%d), +>>>137 byte x (%#d), >>138 byte !0 reserved[0]: %d, >>139 byte !0 reserved[1]: %d, @@ -36,7 +36,7 @@ >>142 leshort 62 machine: x86_64 >>142 leshort 183 machine: aarch64 >>142 default x machine: unknown ->>>142 leshort x (0x%d) +>>>142 leshort x (%#d) >4 string BLK >>4096 lelong x \b, blk.bsize: %d diff --git a/contrib/file/magic/Magdir/printer b/contrib/file/magic/Magdir/printer index e8fccd279717..b45a2025ec8a 100644 --- a/contrib/file/magic/Magdir/printer +++ b/contrib/file/magic/Magdir/printer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.29 2019/04/19 00:42:27 christos Exp $ +# $File: printer,v 1.34 2023/06/16 19:27:12 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -30,13 +30,42 @@ # DOS EPS Binary File Header # From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/eps-adobe.trid.xml +# Note: called "Encapsulated PostScript binary" by TrID and +# verified partly by ImageMagick `identify -verbose *` as EPT (Encapsulated PostScript with TIFF preview) +0 belong 0xC5D0D3C6 +# skip DROID fmt-122-signature-id-174.eps fmt-123-signature-id-178.eps fmt-124-signature-id-180.eps +# by looking for content after header +# GRR: in version 5.44 unequal and not endian variant not working! +>32 ulelong >0 DOS EPS Binary File +!:mime image/x-eps +# TODO: check that "long" is false on big endian machines +# Postscript often (850/857) comes after header; so values like: 30 32 or 2788 10644 43350 71828 +>>4 long >0 at byte %d +# 1 space char after length value to get phrase like "length 263893 PostScript document text" +>>>8 long >0 length %d +# PostScript document text handled by ./printer +>>>>(4.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-wmf.trid.xml +# Note: called "Encapsulated PostScript binary (with WMF preview)" by TrID +# verified partly by XnView `nconvert -info *.EP?` as TIFF epsp +>>>>12 long >0 at byte %d +!:ext eps +# GRR: in file version 5.44 calling indirect of ./msdos produce phrase like "length 452\012- Windows metafile" >>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d +# Windows metafile data handled by ./msdos +>>>>>(12.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-tiff.trid.xml +# Note: called "Encapsulated PostScript binary (with TIFF preview)" by TrID +>>>>20 long >0 at byte %d +# For the variant with the TIFF preview image sometimes the file extension ept is used +!:ext eps/ept +# GRR: in file version 5.44 calling indirect of ./images produce phrase like "length 43320\012- TIFF image data," +>>>>>24 long >0 length %d +# TIFF image data handled by ./images +>>>>>>(20.l) indirect x # Summary: Adobe's PostScript Printer Description File # Extension: .ppd @@ -45,6 +74,8 @@ # 0 string *PPD-Adobe:\x20 PPD file >&0 string x \b, version %s +!:ext ppd +!:mime application/vnd.cups-ppd # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data @@ -82,7 +113,16 @@ >0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS - +# Summary: Hewlett-Packard printer firmware update +# From: Joerg Jenderek +# URL: https://support.hp.com/us-en/drivers/selfservice/hp-envy-6000e-all-in-one-printer-series/2100187505/model/2100187513 +# Note: firmware update tested with ENVY 6000 All-in-One Printer +0 string @PJL\ ENTER\ LANGUAGE=FWUPDATE2 HP Printer firmware update +#!:mime application/octet-stream +#!:mime application/x-hp-firmware +# https://ftp.hp.com/pub/softlib/software13/printers/en6000/2214/EN6000_2214B.exe +# vasari_base_dist_pp1_001.2214B_nonassert_appsigned_lbi_rootfs_secure_signed.ful2 +!:ext ful2 # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data @@ -148,3 +188,91 @@ # From: Paolo <oopla@users.sf.net> # Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data + +# Summary: Hewlett-Packard Graphics Language +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HP-GL +# https://en.wikipedia.org/wiki/HPGL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpg.trid.xml +# Note: called "Hewlett-Packard Graphics Language" by TrID and +# "Hewlett Packard Graphics Language" by DROID via PUID x-fmt/293 and +# HPGL by XnView command `nconvert -info *` +# initialize, start a plotting job +0 string IN; +>0 use hpgl +# fill.plt +0 string INPS +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test1.hpgl +0 string DF; +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test3.hpgl +# Select Pen n; If no pen number or 0, the controller performs an end of file command; n in range between -32767 and 32768 like: 6 +0 string SP +# skip text Linux-syscall-note inside qemu sources starting with SPDX-Exception-Identifier: Linux-syscall-note +# by checking for valid Pen number +>2 regex \^([0-9]{1,5}) +#>2 regex \^([0-9]{1,5}) PEN_NUMBER=%s +>>0 use hpgl +# charsize.hp pages.hp set the scaling points (P1 and P2) to their default positions +0 string IP0 +>0 use hpgl +# ci.hp +0 string CO\040 +>0 use hpgl +# iw.hp 286x192.5_lh.hpg 286x192.5_lq.hpg +0 string PS\040 +>0 use hpgl +# thick.hp +0 string PS9 +>0 use hpgl +# ul.hp +0 string PS4 +>0 use hpgl +# la.hp +0 string BP +>0 use hpgl +# miter.hp +# Plot Absolute x,y{,x,y{...}}; x and y in range between -32767 and 32768 like: PA4000,3000; +0 string PA +# skip shell scripts test_msa_run_32r5eb.sh test_msa_run_32r5eb.sh with variable PATH_TO_QEMU +# by checking for valid x coordinate +>2 regex \^([-]{0,1}[0-9]{1,5}) +#>2 regex \^([-]{0,1}[0-9]{1,5}) COORDINATE=%s +>>0 use hpgl +# pw.hpg number of pens x +0 string NP +>0 use hpgl +# win_1.hp +#0 string \003INCA WHAT_IS_THAT +#>0 use hpgl +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpgl2.trid.xml +# Note: called "Hewlett-Packard Graphics Language 2" by TrID +0 string \033%-1B Hewlett-Packard Graphics Language 2 +!:mime application/vnd.hp-HPGL +# like: dt.plt +!:ext plt +#!:ext plt/gl2/hpg2/spl +# remaining part after escsape sequnce +>5 string x with "%-.10s" +# display Hewlett-Packard Graphics Language vector graphic information +0 name hpgl +>0 string x Hewlett-Packard Graphics Language +#!:mime vector/x-hpgl +# https://www.iana.org/assignments/media-types/application/vnd.hp-HPGL +!:mime application/vnd.hp-HPGL +# no example with HPL suffix found +!:ext hpgl/hpg/hp/plt +# like: "IN;" "DF;IN;LT;PU1000,1000;PD2000,10" "SP6;DI0,1;SR0.70,1.90;SC0,800," +# "CO Concentric circles drawn with different linewidths;" +>0 string x \b, starting with "%-.54s" +# continue but not for 1 long line without CR or LF +>>&0 ubyte <0x0E +#>>&0 ubyte <0x0E TERMINATOR=%x +# second line after 1 terminator character +>>>&0 string >\r with "%-.10s" +# next character again CR or LF +>>>&0 ubyte <0x0E +#>>>&0 ubyte <0x0E 2ND_CHARACTER=%x +# second line after 2 terminator characters +>>>>&0 string >\r with "%-.10s" diff --git a/contrib/file/magic/Magdir/puzzle b/contrib/file/magic/Magdir/puzzle new file mode 100644 index 000000000000..ac983f32b8e6 --- /dev/null +++ b/contrib/file/magic/Magdir/puzzle @@ -0,0 +1,17 @@ + +#------------------------------------------------------------------------------ +# $File: puzzle,v 1.2 2021/10/07 15:40:40 christos Exp $ +# wsdl: Magic for various puzzles + +# PUZ crossword puzzles from Alan De Smet +# Test files can be found at +# https://theworld.com/~wij/puzzles/wij-themed.html or using the +# "Universal" or "WS Journal" links on the right side of +# https://www.cruciverb.com/ . + +2 string ACROSS&DOWN PUZ crossword puzzle +>0x2c byte x %d x +>0x2d byte x %d, +>0x2e leshort x %d clues, +>0x1e leshort 0x0000 plain text solution +>0x1e leshort !0x0000 scrambled solution diff --git a/contrib/file/magic/Magdir/python b/contrib/file/magic/Magdir/python index 9d306c062529..00d90d123882 100644 --- a/contrib/file/magic/Magdir/python +++ b/contrib/file/magic/Magdir/python @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: python,v 1.42 2020/06/04 00:22:50 christos Exp $ +# $File: python,v 1.45 2022/07/24 23:59:37 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages @@ -8,213 +8,226 @@ # often the module starts with a multiline string 0 string/t """ Python script text executable # MAGIC as specified in Python/import.c (1.0 to 3.7) +# and in Lib/importlib/_bootstrap_external.py (3.5+) # two bytes of magic followed by "\r\n" in little endian order 0 belong 0x02099900 python 1.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x03099900 python 1.1/1.2 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x892e0d0a python 1.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x04170d0a python 1.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x994e0d0a python 1.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xfcc40d0a python 1.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xfdc40d0a python 1.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x87c60d0a python 2.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x88c60d0a python 2.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2aeb0d0a python 2.1 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2beb0d0a python 2.1 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2ded0d0a python 2.2 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2eed0d0a python 2.2 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x3bf20d0a python 2.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x3cf20d0a python 2.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x45f20d0a python 2.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x59f20d0a python 2.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x63f20d0a python 2.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x6df20d0a python 2.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x6ef20d0a python 2.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x77f20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x81f20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x8bf20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x8cf20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x95f20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x9ff20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xa9f20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xb3f20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xb4f20d0a python 2.5 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xc7f20d0a python 2.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xd1f20d0a python 2.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xd2f20d0a python 2.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xdbf20d0a python 2.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xe5f20d0a python 2.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xeff20d0a python 2.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xf9f20d0a python 2.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x03f30d0a python 2.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x04f30d0a python 2.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python +0 belong 0x0af30d0a PyPy2.7 byte-compiled +!:mime application/x-bytecode.python 0 belong 0xb80b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xc20b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xcc0b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xd60b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xe00b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xea0b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xf40b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xf50b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xff0b0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x090c0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x130c0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x1d0c0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x1f0c0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x270c0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x3b0c0d0a python 3.0 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x450c0d0a python 3.1 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x4f0c0d0a python 3.1 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x580c0d0a python 3.2 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x620c0d0a python 3.2 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x6c0c0d0a python 3.2 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x760c0d0a python 3.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x800c0d0a python 3.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x8a0c0d0a python 3.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x940c0d0a python 3.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x9e0c0d0a python 3.3 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xb20c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xbc0c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xc60c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xd00c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xda0c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xe40c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xee0c0d0a python 3.4 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0xf80c0d0a python 3.5.1- byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x020d0d0a python 3.5.1- byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x0c0d0d0a python 3.5.1- byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x160d0d0a python 3.5.1- byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x170d0d0a python 3.5.2+ byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x200d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x210d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2a0d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2b0d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2c0d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2d0d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x2f0d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x300d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x310d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x320d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x330d0d0a python 3.6 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x3e0d0d0a python 3.7 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python 0 belong 0x3f0d0d0a python 3.7 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x400d0d0a python 3.7 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x410d0d0a python 3.7 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x420d0d0a python 3.7 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x480d0d0a python 3.8 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x490d0d0a python 3.8 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x520d0d0a python 3.8 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x530d0d0a python 3.8 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x540d0d0a python 3.8 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x550d0d0a python 3.8 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x5c0d0d0a python 3.9 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x5d0d0d0a python 3.9 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x5e0d0d0a python 3.9 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x5f0d0d0a python 3.9 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x600d0d0a python 3.9 byte-compiled -!:mime text/x-bytecode.python -0 belong 0x610d0d0a python 3.9 byte-compiled -!:mime text/x-bytecode.python +!:mime application/x-bytecode.python + +# magic 3392+ implements PEP 552: Deterministic pycs +0 name pyc-pep552 +# the flag field determines how .pyc validity is checked +>4 ulelong&1 0 timestamp-based, +>>8 uledate x .py timestamp: %s UTC, +>>12 ulelong x .py size: %d bytes +>4 ulelong&1 !0 hash-based, check-source flag +>>4 ulelong&2 0 unset, +>>4 ulelong&2 !0 set, +>>8 ulequad x hash: 0x%llx + +# uleshort magic followed by \x0d\0xa +2 string \x0d\x0a +# extra check: only two bits of flag field are currently used +>4 ulelong <0x4 +# \x0d as part of magic should suffice till Python 3.14 (magic 3600) +>>1 ubyte 0x0d Byte-compiled Python module for +!:mime application/x-bytecode.python +# now look at the magic number to determine the version +>>>0 uleshort <3400 CPython 3.7, +>>>0 default x +>>>>0 uleshort <3420 CPython 3.8, +>>>>0 default x +>>>>>0 uleshort <3430 CPython 3.9, +>>>>>0 default x +>>>>>>0 uleshort <3450 CPython 3.10, +>>>>>>0 default x +>>>>>>>0 uleshort <3500 CPython 3.11, +>>>>>>>0 default x CPython 3.12 or newer, +>>>0 use pyc-pep552 +>>0 uleshort 240 Byte-compiled Python module for PyPy3.7, +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 256 Byte-compiled Python module for PyPy3.8, +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 336 Byte-compiled Python module for PyPy3.9, +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 0 search/1/w #!\040/usr/bin/python Python script text executable !:strength + 15 diff --git a/contrib/file/magic/Magdir/qt b/contrib/file/magic/Magdir/qt index 83aa124cfd3d..68085f2892f9 100644 --- a/contrib/file/magic/Magdir/qt +++ b/contrib/file/magic/Magdir/qt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: qt,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: qt,v 1.4 2022/11/11 14:50:23 christos Exp $ # qt: file(1) magic for Qt # https://doc.qt.io/qt-5/resources.html @@ -17,3 +17,14 @@ # src/corelib/kernel/qtranslator.cpp#L62 0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 >8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file + + +# Qt V4 Javascript engine compiled unit +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/qt/qtdeclarative/blob/v6.4.0/src/qml/common/qv4compileddata_p.h +0 string qv4cdata QV4 compiled unit +!:ext qmlc +>8 ulelong x \b, version %d +>12 byte x \b, Qt %d +>13 byte x \b.%d +>14 byte x \b.%d diff --git a/contrib/file/magic/Magdir/riff b/contrib/file/magic/Magdir/riff index 33d31fe75a74..9b913a54f8b8 100644 --- a/contrib/file/magic/Magdir/riff +++ b/contrib/file/magic/Magdir/riff @@ -1,28 +1,122 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.35 2020/06/05 17:15:03 christos Exp $ +# $File: riff,v 1.45 2022/07/24 23:47:49 christos Exp $ # riff: file(1) magic for RIFF format # See # # https://www.seanet.com/users/matts/riffmci/riffmci.htm # http://www-mmsp.ece.mcgill.ca/Documents/AudioFormats/WAVE/Docs/riffmci.pdf +# https://www.iana.org/assignments/wave-avi-codec-registry/wave-avi-codec-registry.xml # # audio format tag. Assume limits: max 1024 bit, 128 channels, 1 MHz 0 name riff-wave ->0 leshort 1 \b, Microsoft PCM +>0 leshort 0x01 \b, Microsoft PCM >>14 leshort >0 >>>14 leshort <1024 \b, %d bit ->0 leshort 2 \b, Microsoft ADPCM ->0 leshort 6 \b, ITU G.711 A-law ->0 leshort 7 \b, ITU G.711 mu-law ->0 leshort 8 \b, Microsoft DTS ->0 leshort 17 \b, IMA ADPCM ->0 leshort 20 \b, ITU G.723 ADPCM (Yamaha) ->0 leshort 49 \b, GSM 6.10 ->0 leshort 64 \b, ITU G.721 ADPCM ->0 leshort 80 \b, MPEG ->0 leshort 85 \b, MPEG Layer 3 +>0 leshort 0x02 \b, Microsoft ADPCM +>0 leshort 0x03 \b, IEEE Float +>0 leshort 0x04 \b, Compaq VSELP +>0 leshort 0x05 \b, IBM CVSD +>0 leshort 0x06 \b, ITU G.711 A-law +>0 leshort 0x07 \b, ITU G.711 mu-law +>0 leshort 0x08 \b, Microsoft DTS +>0 leshort 0x10 \b, OKI ADPCM +>0 leshort 0x11 \b, IMA ADPCM +>0 leshort 0x12 \b, MediaSpace ADPCM +>0 leshort 0x13 \b, Sierra ADPCM +>0 leshort 0x14 \b, ITU G.723 ADPCM (Yamaha) +>0 leshort 0x15 \b, DSP Solutions DIGISTD +>0 leshort 0x16 \b, DSP Solutions DIGIFIX +>0 leshort 0x17 \b, Dialogic OKI ADPCM +>0 leshort 0x18 \b, MediaVision ADPCM +>0 leshort 0x19 \b, HP CU +>0 leshort 0x20 \b, Yamaha ADPCM +>0 leshort 0x21 \b, Speech Compression SONARC +>0 leshort 0x22 \b, DSP Group True Speech +>0 leshort 0x23 \b, Echo Speech EchoSC1 +>0 leshort 0x24 \b, AudioFile AF36 +>0 leshort 0x25 \b, APTX +>0 leshort 0x26 \b, AudioFile AF10 +>0 leshort 0x27 \b, Prosody 1612 +>0 leshort 0x28 \b, LRC +>0 leshort 0x30 \b, Dolby AC2 +>0 leshort 0x31 \b, GSM 6.10 +>0 leshort 0x32 \b, MSN Audio +>0 leshort 0x33 \b, Antex ADPCME +>0 leshort 0x34 \b, Control Res VQLPC +>0 leshort 0x35 \b, Digireal +>0 leshort 0x36 \b, DigiADPCM +>0 leshort 0x37 \b, Control Res CR10 +>0 leshort 0x38 \b, NMS VBXADPCM +>0 leshort 0x39 \b, Roland RDAC +>0 leshort 0x3A \b, Echo Speech EchoSC3 +>0 leshort 0x3B \b, Rockwell ADPCM +>0 leshort 0x3C \b, Rockwell Digitalk +>0 leshort 0x3D \b, Xebec +>0 leshort 0x40 \b, ITU G.721 ADPCM +>0 leshort 0x41 \b, ITU G.728 CELP +>0 leshort 0x42 \b, MSG723 +>0 leshort 0x50 \b, MPEG +>0 leshort 0x52 \b, RT24 +>0 leshort 0x53 \b, PAC +>0 leshort 0x55 \b, MPEG Layer 3 +>0 leshort 0x59 \b, Lucent G.723 +>0 leshort 0x60 \b, Cirrus +>0 leshort 0x61 \b, ESPCM +>0 leshort 0x62 \b, Voxware +>0 leshort 0x63 \b, Canopus Atrac +>0 leshort 0x64 \b, ITU G.726 ADPCM +>0 leshort 0x65 \b, ITU G.722 ADPCM +>0 leshort 0x66 \b, DSAT +>0 leshort 0x67 \b, DSAT Display +>0 leshort 0x69 \b, Voxware Byte Aligned +>0 leshort 0x70 \b, Voxware AC8 +>0 leshort 0x71 \b, Voxware AC10 +>0 leshort 0x72 \b, Voxware AC16 +>0 leshort 0x73 \b, Voxware AC20 +>0 leshort 0x74 \b, Voxware MetaVoice +>0 leshort 0x75 \b, Voxware MetaSound +>0 leshort 0x76 \b, Voxware RT29HW +>0 leshort 0x77 \b, Voxware VR12 +>0 leshort 0x78 \b, Voxware VR18 +>0 leshort 0x79 \b, Voxware TQ40 +>0 leshort 0x80 \b, Softsound +>0 leshort 0x81 \b, Voxware TQ60 +>0 leshort 0x82 \b, MSRT24 +>0 leshort 0x83 \b, ITU G.729A +>0 leshort 0x84 \b, MVI MV12 +>0 leshort 0x85 \b, DF G.726 +>0 leshort 0x86 \b, DF GSM610 +>0 leshort 0x88 \b, ISIAudio +>0 leshort 0x89 \b, Onlive +>0 leshort 0x91 \b, SBC24 +>0 leshort 0x92 \b, Dolby AC3 S/PDIF +>0 leshort 0x97 \b, ZyXEL ADPCM +>0 leshort 0x98 \b, Philips LPCBB +>0 leshort 0x99 \b, Packed +>0 leshort 0x100 \b, Rhetorex ADPCM +>0 leshort 0x101 \b, BeCubed Software IRAT +>0 leshort 0x111 \b, Vivo G.723 +>0 leshort 0x112 \b, Vivo Siren +>0 leshort 0x123 \b, Digital G.723 +>0 leshort 0x200 \b, Creative ADPCM +>0 leshort 0x202 \b, Creative FastSpeech8 +>0 leshort 0x203 \b, Creative FastSpeech10 +>0 leshort 0x220 \b, Quarterdeck +>0 leshort 0x300 \b, FM Towns Snd +>0 leshort 0x400 \b, BTV Digital +>0 leshort 0x680 \b, VME VMPCM +>0 leshort 0x1000 \b, OLIGSM +>0 leshort 0x1001 \b, OLIADPCM +>0 leshort 0x1002 \b, OLICELP +>0 leshort 0x1003 \b, OLISBC +>0 leshort 0x1004 \b, OLIOPR +>0 leshort 0x1100 \b, LH Codec +>0 leshort 0x1400 \b, Norris +>0 leshort 0x1401 \b, ISIAudio +>0 leshort 0x1500 \b, Soundspace Music Compression +>0 leshort 0x2000 \b, AC3 DVM >0 leshort 0x2001 \b, DTS >2 leshort =1 \b, mono >2 leshort =2 \b, stereo @@ -34,7 +128,7 @@ # try to find "fmt " 0 name riff-walk >0 string fmt\x20 ->>4 lelong <0x80 +>>4 lelong >15 >>>8 use riff-wave >0 string LIST >>&(4.l+4) use riff-walk @@ -67,6 +161,64 @@ #>0 string x we got %s #>>&(4.l+4) use riff-walk +# RecorderGear TR500 call recorder digits (BCD) +0 name tr500-call-recorder-digits +>0 byte&0xF0 0x00 \b0 +>0 byte&0xF0 0x10 \b1 +>0 byte&0xF0 0x20 \b2 +>0 byte&0xF0 0x30 \b3 +>0 byte&0xF0 0x40 \b4 +>0 byte&0xF0 0x50 \b5 +>0 byte&0xF0 0x60 \b6 +>0 byte&0xF0 0x70 \b7 +>0 byte&0xF0 0x80 \b8 +>0 byte&0xF0 0x90 \b9 +>0 byte&0xF0 0xb0 \b* +>0 byte&0xF0 0xc0 \b# +>0 byte&0x0F 0 \b0 +>0 byte&0x0F 1 \b1 +>0 byte&0x0F 2 \b2 +>0 byte&0x0F 3 \b3 +>0 byte&0x0F 4 \b4 +>0 byte&0x0F 5 \b5 +>0 byte&0x0F 6 \b6 +>0 byte&0x0F 7 \b7 +>0 byte&0x0F 8 \b8 +>0 byte&0x0F 9 \b9 +>0 byte&0x0F 0xb \b* +>0 byte&0x0F 0xc \b# + +# TR500 call recorder extended header +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Contains dialed/incoming phone number and timestamp. +# TODO: Verify byte 15. +0 name tr500-call-recorder-header +>15 byte 2 (outgoing call: +>15 byte 4 (incoming call: +>1 byte 0xFF \bno number +>1 byte !0xFF +>>1 use tr500-call-recorder-digits +>>2 byte !0xFF +>>>2 use tr500-call-recorder-digits +>>3 byte !0xFF +>>>3 use tr500-call-recorder-digits +>>4 byte !0xFF +>>>4 use tr500-call-recorder-digits +>>5 byte !0xFF +>>>5 use tr500-call-recorder-digits +>>6 byte !0xFF +>>>6 use tr500-call-recorder-digits +>>7 byte !0xFF +>>>7 use tr500-call-recorder-digits +>>8 byte !0xFF +>>>8 use tr500-call-recorder-digits +>9 byte x \b, 20%02x +>10 byte x \b/%02x +>11 byte x \b/%02x +>12 byte x %02x +>13 byte x \b:%02x +>14 byte x \b:%02x) + # AVI section extended by Patrik Radman <patrik+file-magic@iki.fi> # 0 string RIFF RIFF (little-endian) data @@ -74,6 +226,7 @@ # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Resource_Interchange_File_Format # Reference: https://worms2d.info/Palette_file +# WAVE/AVI codec registry: https://www.iana.org/assignments/wave-avi-codec-registry/wave-avi-codec-registry.xml >8 string PAL\ \b, palette !:mime application/x-riff # color palette by Microsoft Corporation @@ -87,7 +240,7 @@ # data chunk size = color entries * 4 + 4 + sometimes extra (4) appended bytes >>>16 ulelong x \b, data size %u # palVersion is always 0x0300 -#>>>20 leshort x \b, version 0x%4.4x +#>>>20 leshort x \b, version %#4.4x # palNumEntries specifies the number of palette color entries >>>22 uleshort x \b, %u entries # after palPalEntry sized (number of color entries * 4 ) vector @@ -95,9 +248,11 @@ # jump relative 22 ( 8 + 16) bytes forward points after end of file or to # appended extra bytes like in http://safecolours.rigdenage.com/set(ms).zip/Protan(MS).pal >>>>&16 ubelong x \b, extra bytes ->>>>>&-4 ubelong >0 0x%8.8x +>>>>>&-4 ubelong >0 %#8.8x # RIFF Device Independent Bitmap format +# URL: http://fileformats.archiveteam.org/wiki/RDIB >8 string RDIB \b, device-independent bitmap +!:ext rdi/dib >>16 string BM >>>30 leshort 12 \b, OS/2 1.x format >>>>34 leshort x \b, %d x @@ -110,16 +265,35 @@ >>>>38 lelong x %d x >>>>44 leshort x %d # RIFF MIDI format +# URL: http://fileformats.archiveteam.org/wiki/RIFF_MIDI >8 string RMID \b, MIDI +# http://extension.nirsoft.net/rmi +!:mime audio/mid +#!:mime audio/x-rmid +!:ext rmi # RIFF Multimedia Movie File format +# URL: http://fileformats.archiveteam.org/wiki/RIFF_Multimedia_Movie >8 string RMMP \b, multimedia movie +!:mime video/x-mmm +!:ext mmm # RIFF wrapper for MP3 >8 string RMP3 \b, MPEG Layer 3 audio +#!:mime audio/x-rmp3 # Microsoft WAVE format (*.wav) +# URL: http://fileformats.archiveteam.org/wiki/WAV >8 string WAVE \b, WAVE audio +#!:mime audio/vnd.wave !:mime audio/x-wav +# https://www.macdisk.com/macsigen.php +#!:apple ????WAVE +!:ext wav/wave >>12 string >\0 >>>12 use riff-walk +# TR500 call recorder extended header +>>16 ulelong 0x1E4 +>>>20 leshort 0x11 +>>>>256 byte 4 +>>>>>256 use tr500-call-recorder-header # Update: Joerg Jenderek # lower case for Corel Draw version 8 Bidi >8 string/c cdr @@ -147,10 +321,47 @@ # pattern created by newer software start with RIFF type PAT >8 string PAT >>0 use corel-draw +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Corel_Designer +# Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer +>8 string DES +>>8 string !DESC +>>>0 use corel-des +# Corel Draw templates with version 12.5 or Corel Designer illustration 12 +>>8 string =DESC +# MORE TESTS NEEDED HERE! +#>>>0 use corel-des +#>>>0 use corel-draw >8 string NUNDROOT \b, Steinberg CuBase +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/MIDI_Instrument_Definition_File +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf.trid.xml +# ftp://curscott.servebeer.com/Download/Apps/_Microsoft/ +# Visual%20Studio%206.0%20Professional%20MSDN/ +# SAMPLES/VC98/SDK/GRAPHICS/AUDIO/IDFEDIT/GLOBALS.H +# Note: called "MIDI Instrument Definition File" by TrID +>8 string IDF\ LIST \b, MIDI Instrument Definition File +!:mime audio/x-idf +!:ext idf +# 3rd chunk size like: 254 284 286 670 +#>>0x10 ulelong x \b, 3th SIZE %u +# for debugging purpose display next chunk like: MMAPhdr +#>>0x14 string x \b, 4th "%-8.8s" +#>>0x1C ulelong x \b, 4th SIZE 0x%x +# probably MIDI instrument name like: "Universal-MIDI-Instrument" "instrument name" "General MIDI" +>>0x30 string x "%s" +# look for inst TAG +>>0x31 search/256 inst by +# probably manufacture name like: "Unspecified Company" "NVidia Corporation" +>>>&0x24 string x "%s" # AVI == Audio Video Interleave +# Reference: http://fileformats.archiveteam.org/wiki/AVI >8 string AVI\040 \b, AVI +# https://reposcope.com/mimetype/video/x-msvideo !:mime video/x-msvideo +# https://www.iana.org/assignments/wave-avi-codec-registry/wave-avi-codec-registry.xml +#!:mime video/vnd.avi +!:ext avi/divx >>12 string LIST >>>20 string hdrlavih >>>>&36 lelong x \b, %u x @@ -214,15 +425,126 @@ # skip past vids strh >>>>>>(104.l+108) string strf >>>>>>>(104.l+132) lelong 1 RLE 8bpp +>>>>>>>(104.l+132) string/c anim Intel RDX +>>>>>>>(104.l+132) string/c aur2 AuraVision Aura 2 +>>>>>>>(104.l+132) string/c aura AuraVision Aura +>>>>>>>(104.l+132) string/c bt20 Brooktree MediaStream +>>>>>>>(104.l+132) string/c btcv Brooktree Composite Video +>>>>>>>(104.l+132) string/c cc12 Intel YUV12 +>>>>>>>(104.l+132) string/c cdvc Canopus DV +>>>>>>>(104.l+132) string/c cham Winnov Caviara Cham +>>>>>>>(104.l+132) string/c cljr Proprietary YUV 4 pixels +>>>>>>>(104.l+132) string/c cmyk Common Data Format in Printing +>>>>>>>(104.l+132) string/c cpla Weitek 4:2:0 YUV Planar >>>>>>>(104.l+132) string/c cvid Cinepak +>>>>>>>(104.l+132) string/c cwlt Microsoft Color WLT DIB +>>>>>>>(104.l+132) string/c cyuv Creative Labs YUV +>>>>>>>(104.l+132) string/c d261 H.261 +>>>>>>>(104.l+132) string/c d263 H.263 +>>>>>>>(104.l+132) string/c duck TrueMotion 1.0 +>>>>>>>(104.l+132) string/c dve2 DVE-2 Videoconferencing +>>>>>>>(104.l+132) string/c fljp Field Encoded Motion JPEG +>>>>>>>(104.l+132) string/c fvf1 Fractal Video Frame +>>>>>>>(104.l+132) string/c gwlt Microsoft Greyscale WLT DIB +>>>>>>>(104.l+132) string/c h260 H.260 +>>>>>>>(104.l+132) string/c h261 H.261 +>>>>>>>(104.l+132) string/c h262 H.262 +>>>>>>>(104.l+132) string/c h263 H.263 +>>>>>>>(104.l+132) string/c h264 H.264 +>>>>>>>(104.l+132) string/c h265 H.265 +>>>>>>>(104.l+132) string/c h266 H.266 +>>>>>>>(104.l+132) string/c h267 H.267 +>>>>>>>(104.l+132) string/c h268 H.268 +>>>>>>>(104.l+132) string/c h269 H.269 >>>>>>>(104.l+132) string/c i263 Intel I.263 ->>>>>>>(104.l+132) string/c iv32 Indeo 3.2 ->>>>>>>(104.l+132) string/c iv41 Indeo 4.1 ->>>>>>>(104.l+132) string/c iv50 Indeo 5.0 +>>>>>>>(104.l+132) string/c i420 Intel Indeo 4 +>>>>>>>(104.l+132) string/c ian Intel RDX +>>>>>>>(104.l+132) string/c iclb CellB Videoconferencing Codec +>>>>>>>(104.l+132) string/c ilvc Intel Layered Video +>>>>>>>(104.l+132) string/c ilvr ITU-T H.263+ +>>>>>>>(104.l+132) string/c iraw Intel YUV Uncompressed +>>>>>>>(104.l+132) string/c iv30 Intel Indeo 3 +>>>>>>>(104.l+132) string/c iv31 Intel Indeo 3.1 +>>>>>>>(104.l+132) string/c iv32 Intel Indeo 3.2 +>>>>>>>(104.l+132) string/c iv33 Intel Indeo 3.3 +>>>>>>>(104.l+132) string/c iv34 Intel Indeo 3.4 +>>>>>>>(104.l+132) string/c iv35 Intel Indeo 3.5 +>>>>>>>(104.l+132) string/c iv36 Intel Indeo 3.6 +>>>>>>>(104.l+132) string/c iv37 Intel Indeo 3.7 +>>>>>>>(104.l+132) string/c iv38 Intel Indeo 3.8 +>>>>>>>(104.l+132) string/c iv39 Intel Indeo 3.9 +>>>>>>>(104.l+132) string/c iv40 Intel Indeo 4.0 +>>>>>>>(104.l+132) string/c iv41 Intel Indeo 4.1 +>>>>>>>(104.l+132) string/c iv42 Intel Indeo 4.2 +>>>>>>>(104.l+132) string/c iv43 Intel Indeo 4.3 +>>>>>>>(104.l+132) string/c iv44 Intel Indeo 4.4 +>>>>>>>(104.l+132) string/c iv45 Intel Indeo 4.5 +>>>>>>>(104.l+132) string/c iv46 Intel Indeo 4.6 +>>>>>>>(104.l+132) string/c iv47 Intel Indeo 4.7 +>>>>>>>(104.l+132) string/c iv48 Intel Indeo 4.8 +>>>>>>>(104.l+132) string/c iv49 Intel Indeo 4.9 +>>>>>>>(104.l+132) string/c iv50 Intel Indeo 5.0 +>>>>>>>(104.l+132) string/c mpeg MPEG 1 Video Frame +>>>>>>>(104.l+132) string/c mjpg Motion JPEG >>>>>>>(104.l+132) string/c mp42 Microsoft MPEG-4 v2 >>>>>>>(104.l+132) string/c mp43 Microsoft MPEG-4 v3 +>>>>>>>(104.l+132) string/c mrca MR Codec +>>>>>>>(104.l+132) string/c mrle Run Length Encoding +>>>>>>>(104.l+132) string/c msvc Microsoft Video 1 +>>>>>>>(104.l+132) string/c phmo Photomotion +>>>>>>>(104.l+132) string/c qpeq QPEG 1.1 Format Video +>>>>>>>(104.l+132) string/c rgbt RGBT +>>>>>>>(104.l+132) string/c rle4 Run Length Encoded 4 +>>>>>>>(104.l+132) string/c rle8 Run Length Encoded 8 +>>>>>>>(104.l+132) string/c rt21 Intel Indeo 2.1 +>>>>>>>(104.l+132) string/c rvx Intel RDX +>>>>>>>(104.l+132) string/c sdcc Sun Digital Camera Codec +>>>>>>>(104.l+132) string/c sfmc Crystal Net SFM Codec +>>>>>>>(104.l+132) string/c smsc SMSC +>>>>>>>(104.l+132) string/c smsd SMSD +>>>>>>>(104.l+132) string/c splc Splash Studios ACM Audio Codec +>>>>>>>(104.l+132) string/c sqz2 Microsoft VXtreme Video Codec +>>>>>>>(104.l+132) string/c sv10 Sorenson Video R1 +>>>>>>>(104.l+132) string/c tlms TeraLogic Motion Intraframe Codec A +>>>>>>>(104.l+132) string/c tlst TeraLogic Motion Intraframe Codec B +>>>>>>>(104.l+132) string/c tm20 TrueMotion 2.0 +>>>>>>>(104.l+132) string/c tmic TeraLogic Motion Intraframe Codec 2 +>>>>>>>(104.l+132) string/c tmot TrueMotion Video Compression +>>>>>>>(104.l+132) string/c tr20 TrueMotion RT 2.0 +>>>>>>>(104.l+132) string/c ulti Ultimotion +>>>>>>>(104.l+132) string/c uyvy UYVY 4:2:2 byte ordering +>>>>>>>(104.l+132) string/c v422 24-bit YUV 4:2:2 format +>>>>>>>(104.l+132) string/c v655 16-bit YUV 4:2:2 format +>>>>>>>(104.l+132) string/c vcr1 ATI VCR 1.0 +>>>>>>>(104.l+132) string/c vcr2 ATI VCR 2.0 +>>>>>>>(104.l+132) string/c vcr3 ATI VCR 3.0 +>>>>>>>(104.l+132) string/c vcr4 ATI VCR 4.0 +>>>>>>>(104.l+132) string/c vcr5 ATI VCR 5.0 +>>>>>>>(104.l+132) string/c vcr6 ATI VCR 6.0 +>>>>>>>(104.l+132) string/c vcr7 ATI VCR 7.0 +>>>>>>>(104.l+132) string/c vcr8 ATI VCR 8.0 +>>>>>>>(104.l+132) string/c vcr9 ATI VCR 9.0 +>>>>>>>(104.l+132) string/c vdct Video Maker Pro DIB +>>>>>>>(104.l+132) string/c vids YUV 4:2:2 CCIR 601 for V422 +>>>>>>>(104.l+132) string/c vivo Vivo H.263 +>>>>>>>(104.l+132) string/c vixl VIXL +>>>>>>>(104.l+132) string/c vlv1 VLCAP.DRV +>>>>>>>(104.l+132) string/c wbvc W9960 +>>>>>>>(104.l+132) string/c x263 mmioFOURCC('X','2','6','3') +>>>>>>>(104.l+132) string/c xlv0 XL Video Decoder +>>>>>>>(104.l+132) string/c y211 YUV 2:1:1 Packed +>>>>>>>(104.l+132) string/c y411 YUV 4:1:1 Packed +>>>>>>>(104.l+132) string/c y41b YUV 4:1:1 Planar +>>>>>>>(104.l+132) string/c y41p PC1 4:1:1 +>>>>>>>(104.l+132) string/c y41t PC1 4:1:1 with transparency +>>>>>>>(104.l+132) string/c y42b YUV 4:2:2 Planar +>>>>>>>(104.l+132) string/c y42t PC1 4:2:2 with transparency +>>>>>>>(104.l+132) string/c yc12 Intel YUV12 Codec +>>>>>>>(104.l+132) string/c yuv8 Winnov Caviar YUV8 +>>>>>>>(104.l+132) string/c yuv9 YUV9 +>>>>>>>(104.l+132) string/c yuy2 YUY2 4:2:2 byte ordering packed +>>>>>>>(104.l+132) string/c yuyv BI_YUYV, Canopus >>>>>>>(104.l+132) string/c fmp4 FFMpeg MPEG-4 ->>>>>>>(104.l+132) string/c mjpg Motion JPEG >>>>>>>(104.l+132) string/c div3 DivX 3 >>>>>>>>112 string/c div3 Low-Motion >>>>>>>>112 string/c div4 Fast-Motion @@ -248,7 +570,7 @@ >>>>>>>>(92.l+180) leshort 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+180) leshort 0x2000 Dolby AC3 >>>>>>>>(92.l+180) leshort 0x0161 DivX -##>>>>>>>>(92.l+180) leshort x (0x%.4x) +##>>>>>>>>(92.l+180) leshort x (%#.4x) >>>>>>>>(92.l+182) leshort 1 (mono, >>>>>>>>(92.l+182) leshort 2 (stereo, >>>>>>>>(92.l+182) leshort >2 (%d channels, @@ -260,24 +582,74 @@ >>>>>>>>(92.l+188) leshort 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+188) leshort 0x2000 Dolby AC3 >>>>>>>>(92.l+188) leshort 0x0161 DivX -##>>>>>>>>(92.l+188) leshort x (0x%.4x) +##>>>>>>>>(92.l+188) leshort x (%#.4x) >>>>>>>>(92.l+190) leshort 1 (mono, >>>>>>>>(92.l+190) leshort 2 (stereo, >>>>>>>>(92.l+190) leshort >2 (%d channels, >>>>>>>>(92.l+192) lelong x %d Hz) +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/VDR_(VirtualDub) +# Reference: http://sourceforge.net/projects/virtualdub/files/virtualdub-win/ +# 1.10.4.35491/VirtualDub-1.10.4-src.7z/src/vdremote/Main.cpp +# VirtualDub link handler +>8 string VDRM \b, VirtualDub link +!:mime video/x-vdr +!:ext vdr +>>12 string PATH \b, PATH +# remote-path to video file +>>16 pstring/l x %s # Animated Cursor format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Animated_Cursor +# Reference: https://www.gdgsoft.com/anituner/help/aniformat.htm >8 string ACON \b, animated cursor +!:mime application/x-navi-animation +# http://extension.nirsoft.net/ani +#!:mime image/ani +!:ext ani +# INAM tag followed by length of title +>>24 string INAM +>>>28 pstring/l x "%s" +# IART tag followed by length of author +>>>(28.l+32) ubelong 0x49415254 +>>>>&0 pstring/l x %s # SoundFont 2 <mpruett@sgi.com> ->8 string sfbk SoundFont/Bank +# URL: http://fileformats.archiveteam.org/wiki/SoundFont_2.0 +>8 string sfbk \b, SoundFont/Bank +!:mime audio/x-sfbk +!:ext sf2 # MPEG-1 wrapped in a RIFF, apparently +# URL: http://file.fyicenter.com/17_Video_.DAT_File_Extension_for_VCD_Files.html >8 string CDXA \b, wrapped MPEG-1 (CDXA) +!:mime video/x-cdxa +!:ext mpg/dat +# URL: http://fileformats.archiveteam.org/wiki/4X_IMA_ADPCM >8 string 4XMV \b, 4X Movie file +!:mime video/x-4xmv +!:ext 4xm/4xa # AMV-type AVI file: https://wiki.multimedia.cx/index.php?title=AMV >8 string AMV\040 \b, AMV +# http://fileformats.archiveteam.org/wiki/MTV_Video_(.AMV) +!:mime video/x-amv +!:ext amv +#!:ext amv/mtv +# URL: http://fileformats.archiveteam.org/wiki/WebP >8 string WEBP \b, Web/P image !:mime image/webp +!:ext webp >>12 use riff-walk # From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/RIFF_MIDS +>8 string MIDS \b, MIDI Stream +!:mime audio/x-mids +!:ext mds +# From: Joerg Jenderek +# URL: http://mark0.net/soft-trid-e.html +# Reference: http://fileformats.archiveteam.org/wiki/Trd_(TRID) +>8 string TRID \b, TrID defs package +!:mime application/x-trid-trd +!:ext trd +# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CorelDRAW # Reference: http://fileformats.archiveteam.org/wiki/CorelDRAW # Note: Since version 3 CorelDraw Pictures are RIFF based @@ -351,13 +723,44 @@ >>20 uleshort%100 >0 \b.%u # for debugging purpose display next chunk like: DISP LIST #>>22 string x \b, 4th "%-4.4s" -#>>26 ulelong x \b, 4th SIZE 0x%x +#>>26 ulelong x \b, 4th SIZE %#x # for debugging purpose display 5th chunk like: LIST DISP ccmm osfp #>>(26.l+30) string x \b, 5th "%-4.4s" # 1st data chunk length 10h implies 16 byte content with version info >16 ulelong 0x10 >>34 ubyte x %u >>>33 ubyte >0 \b.%u +# display information of RIFF based Corel Design formats +0 name corel-des +# display second chunk for debugging +#>8 string x \b, [8]=%.8s +>12 string x \b, Corel DESIGNER +!:mime image/x-corel-des +#!:mime application/x-vnd.corel.designer.document +# used by Corel Designer with newer versions since 16 +>12 string =fver graphics (root.dat) +!:ext dat +# used by Corel Designer templates with older versions with vrsn tag +>12 string !fver +# used by Corel Designer with versions 14-15 +>>11 string >D graphics (riffData.cdr) +!:ext cdr +# used by Corel Designer with versions 10-12 +>>11 string <E graphics +!:ext des +# version indicated by last ASCII char of second chunk tag +>11 string x \b, version '%-.1s' +# but vrsn short content is not always version indicator +# exceptions: 'A'~11.4 'B'~12 'C'~12.5 +>11 string >D +>>0 use corel-version +# for debugging purpose display next chunk like: DISP LIST +#>>22 string x \b, 4th "%-4.4s" +#>>26 ulelong x \b, 4th SIZE %#x +# for debugging purpose display 5th chunk like: LIST osfp +#>>(26.l+30) string x \b, 5th "%-4.4s" +>4 ulelong+8 x \b, %u bytes + # # XXX - some of the below may only appear in little-endian form. # diff --git a/contrib/file/magic/Magdir/ringdove b/contrib/file/magic/Magdir/ringdove new file mode 100644 index 000000000000..38dd4bfe6669 --- /dev/null +++ b/contrib/file/magic/Magdir/ringdove @@ -0,0 +1,45 @@ +#------------------------------------------------------------------------------ +# $File: ringdove,v 1.1 2022/08/16 12:04:30 christos Exp $ +# ringdove: file(1) magic for RingdoveEDA data files + +# librnd and global +0 regex/128l ha:rnd-menu-v[0-9]+[\ \t\r\n]*[{] librnd menu system (lihata) +0 regex/128l ha:rnd-menu-patch-v[0-9]+[\ \t\r\n]*[{] librnd menu patch (lihata) +0 regex/128l ha:coraleda-project-v[0-9]+[\ \t\r\n]*[{] CoralEDA/Ringdove project file (lihata) +0 regex/128l ha:ringdove-project-v[0-9]+[\ \t\r\n]*[{] Ringdove project file (lihata) + +# pcb-rnd +0 regex/128l ha:pcb-rnd-board-v[0-9]+[\ \t\r\n]*[{] pcb-rnd board file (lihata) +0 regex/128l li:pcb-rnd-subcircuit-v[0-9]+[\ \t\r\n]*[{] pcb-rnd subcircuit/footprint file (lihata) +0 regex/128l ha:pcb-rnd-buffer-v[0-9]+[\ \t\r\n]*[{] pcb-rnd paste buffer content (lihata) +0 regex/128l li:pcb-rnd-conf-v[0-9]+[\ \t\r\n]*[{] pcb-rnd configuration (lihata) +0 regex/128l ha:pcb-rnd-drc-query-v[0-9]+[\ \t\r\n]*[{] pcb-rnd drc query string (lihata) +0 regex/128l li:pcb-rnd-font-v[0-9]+[\ \t\r\n]*[{] pcb-rnd vector font (lihata) +0 regex/128l ha:pcb-rnd-log-v[0-9]+[\ \t\r\n]*[{] pcb-rnd message log dump (lihata) +0 regex/128l ha:pcb-rnd-padstack-v[0-9]+[\ \t\r\n]*[{] pcb-rnd padstack (lihata) +0 regex/128l li:pcb-rnd-view-list-v[0-9]+[\ \t\r\n]*[{] pcb-rnd view list (lihata) +0 regex/128l li:view-list-v[0-9]+[\ \t\r\n]*[{] pcb-rnd view list (lihata) +0 search Netlist(Freeze) pcb-rnd or gEDA/PCB netlist forward annotation action script + +# sch-rnd (cschem data model) +0 regex/128l li:cschem-buffer-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem buffer content (lihata) +0 regex/128l li:sch-rnd-conf-v[0-9]+[\ \t\r\n]*[{] sch-rnd configuration (lihata) +0 regex/128l ha:std_devmap.v[0-9]+[\ \t\r\n]*[{] sch-rnd devmap (device mapping; lihata) +0 regex/128l li:cschem-group-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem group or symbol (lihata) +0 regex/128l ha:cschem-sheet-v[0-9]+[\ \t\r\n]*[{] sch-rnd/cschem schematic sheet (lihata) + +# tEDAx (modular format) +0 regex/1l tEDAx[\ \t\r\n]v tEDAx (Trivial EDA eXchange) +>0 regex begin\ symbol\ v with schematic symbol +>0 regex begin\ board\ v with Printed Circuit Board +>0 regex begin\ route_req\ v with PCB routing request +>0 regex begin\ route_res\ v with PCB routing result +>0 regex begin\ camv_layer\ v with camv-rnd exported layer +>0 regex begin\ netlist\ v with netlist +>0 regex begin\ backann\ v with Ringdove EDA back annotation +>0 regex begin\ footprint\ v with PCB footprint +>0 regex begin\ drc\ v with PCB DRC script +>0 regex begin\ drc_query_rule\ v with pcb-rnd drc_query rules +>0 regex begin\ drc_query_def\ v with pcb-rnd drc_query value/config definitions +>0 regex begin\ etest\ v with PCB electric test + diff --git a/contrib/file/magic/Magdir/rpi b/contrib/file/magic/Magdir/rpi index 58e6dfde70a5..0d213b5357e7 100644 --- a/contrib/file/magic/Magdir/rpi +++ b/contrib/file/magic/Magdir/rpi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: rpi,v 1.2 2019/10/02 02:07:30 christos Exp $ +# $File: rpi,v 1.3 2022/04/02 14:39:34 christos Exp $ # rpi: file(1) magic for Raspberry Pi images -44 lelong 0 >4 lelong 0 @@ -27,3 +27,26 @@ >>>>>>>>>40 string DDTK8 >>>>>>>>>>48 lelong 4 >>>>>>>>>>>52 string RPTL Raspberry PI kernel image + +# From: Joerg Jenderek +# URL: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html +# #raspberry-pi-4-boot-eeprom +# Reference: https://github.com/raspberrypi/rpi-eeprom/blob/master/rpi-eeprom-config +# Note: start with same magic as for BIOS (ia32) ROM Extension handled by ./intel +# masked with MAGIC_MASK and then compared with MAGIC +0 belong&0xFFffF00F 0x55aaF00F Raspberry PI EEPROM +#!:mime application/octet-stream +!:mime application/x-raspberry-eeprom +# like: pieeprom-2020-09-03.bin +!:ext bin +# a 32 bit offset to the next section like: 000184d4 000184c8 00018534 ... 0000bb84 0000bbd4 0000bbd4 +>4 ubelong x \b, offset %8.8x +#>(4.L) ubelong x NEXT=%8.8x +# self.length +>8 ubelong !0 \b, length %x +# self.filename +>12 string >0 \b, "%s" +# length is zero +>8 ubelong =0 +# if length is zero then 2nd section magic here can be zero; this means sections parsing done +>>8 ubelong !0 \b, 2nd MAGIC=%8.8x diff --git a/contrib/file/magic/Magdir/rst b/contrib/file/magic/Magdir/rst index aadfad20b01c..0df15b8fa5dd 100644 --- a/contrib/file/magic/Magdir/rst +++ b/contrib/file/magic/Magdir/rst @@ -1,11 +1,13 @@ #------------------------------------------------------------------------------ -# $File: rst,v 1.3 2020/04/27 01:50:36 christos Exp $ +# $File: rst,v 1.4 2023/07/27 18:26:32 christos Exp $ # rst: ReStructuredText http://docutils.sourceforge.net/rst.html 0 search/256 \=\= !:strength + 30 >&0 regex/256 \^[\=]+$ ->>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 \012Authors: ReStructuredText file +>>&0 search/512 \012Author: ReStructuredText file >>&0 default x >>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file !:ext rst diff --git a/contrib/file/magic/Magdir/rtf b/contrib/file/magic/Magdir/rtf index c2e1f273bb02..48a1f28af467 100644 --- a/contrib/file/magic/Magdir/rtf +++ b/contrib/file/magic/Magdir/rtf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: rtf,v 1.8 2020/05/17 19:28:49 christos Exp $ +# $File: rtf,v 1.9 2020/12/12 20:01:47 christos Exp $ # rtf: file(1) magic for Rich Text Format (RTF) # # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk @@ -33,7 +33,7 @@ #>6 search/105 \\ansi \b, ANSI >6 search/502 \\ansi \b, ANSI >6 default x \b, unknown character set -# look for explict codepage keyword +# look for explicit codepage keyword # "Burow, Steffanie - Im Tal des Schneeleoparden.rtf" #>5 search/110 \\ansicpg >5 search/500 \\ansicpg diff --git a/contrib/file/magic/Magdir/rust b/contrib/file/magic/Magdir/rust new file mode 100644 index 000000000000..b1bbd9d9702c --- /dev/null +++ b/contrib/file/magic/Magdir/rust @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: rust,v 1.2 2022/11/18 15:58:15 christos Exp $ +# Magic for Rust and related languages programs +# + +# Rust compiler metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_metadata/src/rmeta/mod.rs +0 string rust\x00\x00\x00 +>12 string \014rustc\x20 Rust compiler metadata +!:ext rmeta +>>7 byte x \b, version %d + +# Rust incremental compilation metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_incremental/src/persist/file_format.rs +0 string RSIC +>4 uleshort =0 Rust incremental compilation metadata +!:ext bin +>>6 pstring x \b, rustc %s diff --git a/contrib/file/magic/Magdir/sccs b/contrib/file/magic/Magdir/sccs index 4717948fdbfc..04e7929921fd 100644 --- a/contrib/file/magic/Magdir/sccs +++ b/contrib/file/magic/Magdir/sccs @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: sccs,v 1.7 2017/03/17 21:35:28 christos Exp $ +# $File: sccs,v 1.8 2020/06/20 21:32:52 christos Exp $ # sccs: file(1) magic for SCCS archives # -# SCCS archive structure: +# SCCS v4 archive structure: # \001h01207 # \001s 00276/00000/00000 # \001d D 1.1 87/09/23 08:09:20 ian 1 0 @@ -17,6 +17,8 @@ # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, -# and we don't have regular expression matching yet. -# Hence the following official kludge: -8 string \001s\ SCCS archive data +# Fortunately we have regular expression matching: +0 string \001h +>2 regex [0-9][0-9][0-9][0-9][0-9]$ +>>8 string \001s\040 SCCS v4 archive data +>2 string V6,sum= SCCS v6 archive data diff --git a/contrib/file/magic/Magdir/scientific b/contrib/file/magic/Magdir/scientific index 0e78712fcab3..d52d6aeb0124 100644 --- a/contrib/file/magic/Magdir/scientific +++ b/contrib/file/magic/Magdir/scientific @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.13 2019/04/19 00:42:27 christos Exp $ +# $File: scientific,v 1.14 2023/04/29 17:28:09 christos Exp $ # scientific: file(1) magic for scientific formats # # From: Joe Krahn <krahn@niehs.nih.gov> @@ -62,15 +62,48 @@ # Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GEDCOM +# https://en.wikipedia.org/wiki/GEDCOM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/ +# ged.trid.xml ged-utf8.trid.xml ged-utf16.trid.xml +# Note: called "GEDCOM Family History" by TrID and "Genealogical Data Communication (GEDCOM) Format" by DROID via PUID fmt/851 0 search/1/c 0\ HEAD GEDCOM genealogy text +#!:mime text/plain +#!:mime application/x-gedcom +# https://www.iana.org/assignments/media-types/text/vnd.familysearch.gedcom +!:mime text/vnd.familysearch.gedcom +!:ext ged +# no gedcom sample found and ged suffix also used for other formats +#!:ext ged/gedcom >&0 search 1\ GEDC >>&0 search 2\ VERS version +# 4 5.0 5.3 5.4 5.5 5.5.1 5.5.5 5.6 7.0 or no version >>>&1 string >\0 %s # From: Phil Endecott <phil05@chezphil.org> -0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data -0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data +# 0\040HEAD as UTF-16 big endian without BOM +0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 big endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&2 bestring16 x %s +>>0 string x \b, UTF-16 (without BOM) big-endian text +# 0\040HEAD as UTF-16 little endian without BOM +0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 lttle endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&3 lestring16 x %s +>>2 string x \b, UTF-16 (without BOM) little-endian text +# Note: UTF-16 with BOM variants already described above by first test as "GEDCOM genealogy text" +# 0\040HEAD as UTF-16 big endian with BOM +#0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data +# 0\040HEAD as UTF-16 little endian with BOM +#0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data # PDB: Protein Data Bank files # Adam Buchbinder <adam.buchbinder@gmail.com> diff --git a/contrib/file/magic/Magdir/sendmail b/contrib/file/magic/Magdir/sendmail index 54028fdfe227..6808dbfd33aa 100644 --- a/contrib/file/magic/Magdir/sendmail +++ b/contrib/file/magic/Magdir/sendmail @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: sendmail,v 1.12 2022/10/31 13:22:26 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? @@ -13,7 +13,7 @@ # - version \330jK\354 0 byte 046 # https://www.sendmail.com/sm/open_source/docs/older_release_notes/ -# freezed configuration file (dbm format?) created from sendmal.cf with -bz +# freezed configuration file (dbm format?) created from sendmail.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed # valid version numbers look like "7.14.4" and should be similar to output of commands # "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" diff --git a/contrib/file/magic/Magdir/sgi b/contrib/file/magic/Magdir/sgi index 951920477392..fe532e00106d 100644 --- a/contrib/file/magic/Magdir/sgi +++ b/contrib/file/magic/Magdir/sgi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sgi,v 1.23 2018/05/29 02:26:56 christos Exp $ +# $File: sgi,v 1.24 2021/09/13 13:23:53 christos Exp $ # sgi: file(1) magic for Silicon Graphics operating systems and applications # # Executable images are handled either in aout (for old-style a.out @@ -74,25 +74,27 @@ 0 string PmNs PCP compiled namespace (V.0) 0 string PmN PCP compiled namespace >3 string >\0 (V.%1.1s) -#3 lelong 0x84500526 PCP archive 3 belong 0x84500526 PCP archive >7 byte x (V.%d) -#>20 lelong -2 temporal index -#>20 lelong -1 metadata -#>20 lelong 0 log volume #0 -#>20 lelong >0 log volume #%d >20 belong -2 temporal index >20 belong -1 metadata >20 belong 0 log volume #0 >20 belong >0 log volume #%d >24 string >\0 host: %s +3 belong 0x28500526 PCP archive +>7 byte x (V.%d) +>24 belong -2 temporal index +>24 belong -1 metadata +>24 belong 0 log volume #0 +>24 belong >0 log volume #%d +>36 string >\0 host: %s 0 string PCPFolio PCP >9 string Version: Archive Folio >18 string >\0 (V.%s) 0 string #pmchart PCP pmchart view >9 string Version >17 string >\0 (V%-3.3s) -0 string #kmchart PCP kmchart view +0 string #kmchart PCP pmchart view >9 string Version >17 string >\0 (V.%s) 0 string pmview PCP pmview config @@ -112,6 +114,10 @@ >16 string >\0 (V.%1.1s) 3 string pmieconf-pmie PCP pmie config >17 string >\0 (V.%1.1s) +0 string #pmlogconf-setup PCP pmlogconf config +>17 string >\0 (V.%1.1s) +1 string pmlogconf PCP pmlogger config +>11 string >\0 (V.%1.1s) 0 string MMV PCP memory mapped values >4 long x (V.%d) diff --git a/contrib/file/magic/Magdir/sgml b/contrib/file/magic/Magdir/sgml index 74ab855b927e..fb698a54a616 100644 --- a/contrib/file/magic/Magdir/sgml +++ b/contrib/file/magic/Magdir/sgml @@ -1,16 +1,18 @@ #------------------------------------------------------------------------------ -# $File: sgml,v 1.41 2020/06/07 18:16:43 christos Exp $ +# $File: sgml,v 1.48 2023/01/18 16:10:21 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres <tecnico@ejerciciosresueltos.com> 0 string \<?xml\ version= >14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \<svg SVG Scalable Vector Graphics image !:mime image/svg+xml +!:ext svg >>19 search/4096 \<gnc-v2 GnuCash file !:mime application/x-gnucash 0 string \<svg SVG Scalable Vector Graphics image !:mime image/svg+xml +!:ext svg # Sitemap file 0 string/t \<?xml\ version= @@ -43,75 +45,86 @@ # sgml: file(1) magic for Standard Generalized Markup Language # HyperText Markup Language (HTML) is an SGML document type, # from Daniel Quinlan (quinlan@yggdrasil.com) -# adapted to string extenstions by Anthon van der Neut <anthon@mnt.org) +# adapted to string extensions by Anthon van der Neut <anthon@mnt.org) 0 search/4096/cWt \<!doctype\ html HTML document text !:mime text/html !:strength + 5 +# avoid misdetection as JavaScript +0 string/cWt \<!doctype\ html HTML document text +!:mime text/html +0 string/ct \<html> HTML document text +!:mime text/html +0 string/ct \<!-- +>&0 search/4096/cWt \<!doctype\ html HTML document text +!:mime text/html +>&0 search/4096/ct \<html> HTML document text +!:mime text/html + # SVG document # https://www.w3.org/TR/SVG/single-page.html 0 search/4096/cWbt \<!doctype\ svg SVG XML document !:mime image/svg+xml -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<head\> HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cWt \<head\ HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<title\> HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cWt \<title\ HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<html\> HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cWt \<html\ HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<script\> HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cWt \<script\ HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<style\> HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cWt \<style\ HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<table\> HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cWt \<table\ HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 0 search/4096/cwt \<a\ href= HTML document text !:mime text/html -!:strength + 5 +!:strength + 15 # Extensible markup language (XML), a subset of SGML # from Marc Prud'hommeaux (marc@apocalypse.org) 0 search/1/cwt \<?xml XML document text !:mime text/xml -!:strength + 5 +!:strength + 15 0 string/t \<?xml\ version\ " XML !:mime text/xml -!:strength + 5 +!:strength + 15 0 string/t \<?xml\ version=" XML !:mime text/xml -!:strength + 5 +!:strength + 15 >15 string/t >\0 %.3s document text >>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet) 0 string/t \<?xml\ version=' XML !:mime text/xml -!:strength + 5 +!:strength + 15 >15 string/t >\0 %.3s document text >>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet) @@ -139,7 +152,10 @@ # http://files.pef-format.org/specifications/pef-2008-1/pef-specification.html # # Simon Aittamaa <simon.aittamaa@gmail.com> -0 string \<?xml\ version= ->14 regex ['"\ \t]*[0-9.]+['"\ \t]* ->>19 search/4096 \<pef Portable Embosser Format +0 string \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* +>>19 search/4096 \<pef Portable Embosser Format !:mime application/x-pef+xml + +# https://www.qgis.org/en/site/ +0 string \<!DOCTYPE\040qgis QGIS XML document diff --git a/contrib/file/magic/Magdir/sinclair b/contrib/file/magic/Magdir/sinclair index 60088924f4a4..608d779d7b55 100644 --- a/contrib/file/magic/Magdir/sinclair +++ b/contrib/file/magic/Magdir/sinclair @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sinclair,v 1.6 2015/11/14 13:38:35 christos Exp $ +# $File: sinclair,v 1.7 2021/04/27 20:35:51 christos Exp $ # sinclair: file(1) sinclair QL # additions to /etc/magic by Thomas M. Ott (ThMO) @@ -31,6 +31,8 @@ # Sinclair QL executables (was ThMO) 4 belong 0x4AFB QDOS executable >9 pstring x '%s' +6 beshort 0x4AFB QDOS executable +>9 pstring x '%s' # Sinclair QL ROM (ThMO) 0 belong =0x4AFB0001 QL plugin-ROM data, diff --git a/contrib/file/magic/Magdir/sniffer b/contrib/file/magic/Magdir/sniffer index 25f5b83e3bbc..751d19737662 100644 --- a/contrib/file/magic/Magdir/sniffer +++ b/contrib/file/magic/Magdir/sniffer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sniffer,v 1.28 2020/03/13 16:47:29 christos Exp $ +# $File: sniffer,v 1.34 2022/12/14 18:27:36 christos Exp $ # sniffer: file(1) magic for packet capture files # # From: guy@alum.mit.edu (Guy Harris) @@ -262,8 +262,19 @@ >20 belong&0x03FFFFFF 279 (Elektrobit High Speed Capture and Replay (EBHSCR) >20 belong&0x03FFFFFF 281 (Broadcom tag >20 belong&0x03FFFFFF 282 (Broadcom tag (prepended) +>20 belong&0x03FFFFFF 283 (802.15.4 with TAP >20 belong&0x03FFFFFF 284 (Marvell DSA >20 belong&0x03FFFFFF 285 (Marvell EDSA +>20 belong&0x03FFFFFF 286 (ELEE lawful intercept +>20 belong&0x03FFFFFF 287 (Z-Wave serial +>20 belong&0x03FFFFFF 288 (USB 2.0 +>20 belong&0x03FFFFFF 289 (ATSC ALP +>20 belong&0x03FFFFFF 290 (Event Tracing for Windows +>20 belong&0x03FFFFFF 291 (Hilscher netANALYZER NG pseudo-footer +>20 belong&0x03FFFFFF 292 (ZBOSS NCP protocol with pseudo-header +>20 belong&0x03FFFFFF 293 (Low-Speed USB 2.0/1.1/1.0 +>20 belong&0x03FFFFFF 294 (Full-Speed USB 2.0/1.1/1.0 +>20 belong&0x03FFFFFF 295 (High-Speed USB 2.0 # print default match >20 default x >>20 belong x (linktype#%u @@ -316,14 +327,79 @@ # # Novell LANalyzer capture files. -# -0 leshort 0x1001 Novell LANalyzer capture file -0 leshort 0x1007 Novell LANalyzer capture file +# URL: http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c +# Update: Joerg Jenderek +# +# regular trace header record (RT_HeaderRegular) +0 leshort 0x1001 +# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5 +# and VIC-20 BASIC V2 program +# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg) +# with invalid second record type 0 instead of "Trace receive channel name record" +>(2.s+4) leshort =0x1006h +>>0 use novell-lanalyzer +# cyclic trace header record (RT_HeaderCyclic) +0 leshort 0x1007 +>0 use novell-lanalyzer +0 name novell-lanalyzer +>0 leshort x Novell LANalyzer capture file +# https://reposcope.com/mimetype/application/x-lanalyzer +!:mime application/x-lanalyzer +# maybe also TR2 .. TR9 TRA .. TRZ +!:ext tr1 +# version like: 1.5 +>4 ubyte x \b, version %u +# minor version; one byte identifying the trace file minor version number +>5 ubyte x \b.%u +# Trace header record type like: 1001~regular or 1007~cyclic +>0 leshort !0x1001 \b, record type %4.4x +# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch +>2 leshort x \b, record length %#x +# second record type like: 1006h~Trace receive channel name record +>(2.s+4) leshort !0x1006h \b, 2nd record type %#4.4x +>(2.s+6) leshort x \b, 2nd record length %#x +# each channel name is a null-terminated, eight-byte ASCII string like: Channel1 +>(2.s+8) string x \b, names %.9s +# 2nd channel name like: Channel2 +>(2.s+17) string x %.9s ... # # HP-UX "nettl" capture files. -# +# URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c +# Update: Joerg Jenderek +# Note: Wireshark fills "meta information header fields" with "dummy" values +# nettl_magic_hpux9[12]; for HP-UX 9.x not tested +0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file +!:mime application/x-nettl +!:ext trc0/trc1 +# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x 0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file +# https://reposcope.com/mimetype/application/x-nettl +!:mime application/x-nettl +# maybe also TRC000 TRC001 TRC002 ... +!:ext trc0/trc1 +# file_name[56]; maybe also like /tmp/raw.tr.TRC000 +>12 string !/tmp/wireshark.TRC000 +>>12 string x "%-.56s" +# tz[20]; like UTC +>68 string !UTC \b, tz +>>68 string x %-.20s +# host_name[9]; +>88 string >\0 \b, host %-.9s +# os_vers[9]; like B.11.11 +>97 string !B.11.11 \b, os +>>97 string x %-.9s +# os_v; like 55h +>>106 ubyte x (%#x) +# xxa[8]; like 0 +>107 ubequad !0 \b, xxa=%#16.16llx +# model[11] like: 9000/800 +>115 string !9000/800 \b, model +>>115 string x %-.11s +# unknown; probably just padding to 128 bytes like: 0406h +>126 ubeshort !0x0406h \b, at 126 %#4.4x # # RADCOM WAN/LAN Analyzer capture files. @@ -356,4 +432,51 @@ # # Files from Accellent Group's 5View products. # -0 string \xaa\xaa\xaa\xaa 5View capture file +# URL: http://www.infovista.com +# Reference: http://mark0.net/download/triddefs_xml.7z +# defs/0/5vw.trid.xml +# https://2.na.dl.wireshark.org/src/wireshark-3.6.2.tar.xz +# wireshark-3.6.2/wiretap/5views.c +# Update: Joerg Jenderek +# Note: called "5View capture" by TrID and +# "Wireshark capture file" on Windows or +# "Packet Capture (Accellent/InfoVista 5view)" by shared MIME-info database +# verified/falsified by `wireshark *.5vw` +0 string \xaa\xaa\xaa\xaa +# skip misidentified boot/x86_64/loader/kroete.dat on Suse LEAP DVD +# by check for valid record version +>8 ulelong =0x00010000 +>>0 use 5view-le +0 name 5view-le +# t_5VW_Info_Header.Signature = CST_5VW_INFO_HEADER_KEY = 0xAAAAAAAAU +>0 ulelong x 5View capture file +# https://reposcope.com/mimetype/application/x-5view +!:mime application/x-5view +!:ext 5vw +# size of header in bytes (included signature and reserved fields); probably always 20h +>4 ulelong !0x00000020 \b, header size %#x +# version of header record; apparently always CST_5VW_INFO_RECORD_VERSION=0x00010000U +>8 ulelong !0x00010000 \b, record version %#x +# DataSize; total size of data without header like: 18h +>12 ulelong x \b, record size %#x +# filetype; type of the capture file like: 18001000h +>16 ulelong x \b, file type %#8.8x +# Reserved[3]; reserved for future use; apparently zero +>20 quad !0 \b, Reserved %#llx +# look for record header key CST_5VW_RECORDS_HEADER_KEY of structure t_5VW_TimeStamped_Header +>0x20 search/0xB8/b \xEE\xEE\x33\x33 \b; record +# HeaderSize; actual size of this header in bytes like: 32 24h +>>&0 uleshort x size %#x +# HeaderType; exact type of this header; probably always 0x4000 +>>&2 uleshort !0x4000 \b, header type %#x +# RecType; type of record like: 80000000h +>>&4 ulelong x \b, record type %#x +# RecSubType; subtype of record like: 0 +>>&8 ulelong !0 \b, subtype %#x +# RecSize; Size of one record like: 5Ch +>>&12 ulelong x \b, RecSize %#x +# RecNb; Number of records like: 1 +>>&16 ulelong >1 \b, %#x records +# Timestamp Utc +#>>&20 ulelong x \b, RAW TIME %#8.8x +>>&20 date x \b, Time-stamp %s diff --git a/contrib/file/magic/Magdir/softquad b/contrib/file/magic/Magdir/softquad index 06c1f018f8cb..28f03b9b78cb 100644 --- a/contrib/file/magic/Magdir/softquad +++ b/contrib/file/magic/Magdir/softquad @@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ +# $File: softquad,v 1.14 2022/10/28 17:19:54 christos Exp $ # softquad: file(1) magic for SoftQuad Publishing Software +# URL: https://en.wikipedia.org/wiki/SoftQuad_Software # # Author/Editor and RulesBuilder # @@ -17,8 +18,10 @@ 0 short 0xc0da Compiled PSI (v2) data >3 string >\0 (%s) # Binary sqtroff font/desc files... -0 short 0125252 SoftQuad DESC or font file binary ->2 short >0 - version %d +# GRR: the line below is also true for 5View capture file handled by ./sniffer +0 short 0125252 +# skip 5View capture file with "invalid" version AAAAh +>2 short >0 SoftQuad DESC or font file binary - version %d # Bitmaps... 0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text #0 string SQ\ BITMAP2 SoftQuad Raster Format data diff --git a/contrib/file/magic/Magdir/sosi b/contrib/file/magic/Magdir/sosi index cfac5a3e2730..88ecc512badb 100644 --- a/contrib/file/magic/Magdir/sosi +++ b/contrib/file/magic/Magdir/sosi @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sosi,v 1.1 2019/05/20 17:25:09 christos Exp $ +# $File: sosi,v 1.2 2021/02/23 00:51:10 christos Exp $ # SOSI # Summary: Systematic Organization of Spatial Information # Long description: Norwegian text based map format @@ -23,7 +23,7 @@ # version and a separator. # # FIXME figure out how to accept any of [space], [tab], [newline] and -# [carrige return] as separators, not only line end. +# [carriage return] as separators, not only line end. # Not searching for full "OMR=C3=85DE" to match also for non-UTF-8 # character sets diff --git a/contrib/file/magic/Magdir/spectrum b/contrib/file/magic/Magdir/spectrum index e8304d7b8cdf..cf14551b4d6b 100644 --- a/contrib/file/magic/Magdir/spectrum +++ b/contrib/file/magic/Magdir/spectrum @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: spectrum,v 1.8 2017/09/11 23:51:12 christos Exp $ +# $File: spectrum,v 1.10 2023/05/08 01:33:36 christos Exp $ # spectrum: file(1) magic for Spectrum emulator files. # # John Elliott <jce@seasip.demon.co.uk> @@ -22,21 +22,125 @@ # # Update: Sanity-check string contents to be printable. # -Adam Buchbinder <adam.buchbinder@gmail.com> +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TAP_(ZX_Spectrum) +# Reference: http://web.archive.org/web/20110711141601/http://www.zxmodules.de/fileformats/tapformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-zx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TAP (ZX Spectrum)" by DROID via PUID fmt/801 +# verified by fuse-emulator-utils `tzxlist EXAMPLES.TAP` # +# headers length 19=023 and flag byte 0 indicating a standard ROM loading header 0 string \023\000\000 >4 string >\0 ->>4 string <\177 Spectrum .TAP data "%-10.10s" ->>>3 byte 0 - BASIC program ->>>3 byte 1 - number array ->>>3 byte 2 - character array ->>>3 byte 3 - memory block ->>>>14 belong 0x001B0040 (screen) +# skip {85CEE8D6-0F90-4492-B484-98E38862B28D}.2.ver0x0000000000000004.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db +# inside c:\ProgramData\Microsoft\Windows\Caches according to TrID and DROID +>>23 ubyte =0xFF +# skip DROID fmt-801-signature-id-1166.tap with invalid name \253\253\253\253\253\253\253\253\253\253 +# which looks like: "TF COPY II" "screen " "\023\001TF" " 1943 " +>>>4 string <\177 Spectrum .TAP data "%-10.10s" +#!:mime application/octet-stream +!:mime application/x-spectrum-tap +!:ext tap +>>>>3 byte 0 - BASIC program +# autostart line; 0..9999 are valid; 32768 means "no auto-loading" +>>>>>16 uleshort x \b, autostart line %u +# program length; length of BASIC program +>>>>>18 uleshort x \b, program length %u +>>>>3 byte 1 - number array +>>>>3 byte 2 - character array +>>>>3 byte 3 - memory block +# length of the following data 1B00h=6912 and start address 4000h=16384 in case of a SCREEN$ header +>>>>>14 belong 0x001B0040 (screen) +# unused 32768=8000h +>>>>>18 uleshort !32768 \b, unused %u +# zxlength; length of the following data after the header +>>>>14 uleshort x \b, data length %u +#>>14 uleshort x \b, data length %#x +# checksum byte; simply all bytes (including flag byte) XORed +#>>>>20 ubyte x \b, checksum %#x # The following three blocks are from pak21-spectrum@srcf.ucam.org # TZX tape images +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TZX +# Reference: https://worldofspectrum.net/TZXformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tzx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TZX Format" by DROID via PUID fmt/1000 0 string ZXTape!\x1a Spectrum .TZX data +#!:mime application/octet-stream +!:mime application/x-spectrum-tzx +# CDT is used for Amstrad tapes +!:ext tzx/cdt >8 byte x version %d >9 byte x \b.%d +# ID of first block +>10 ubyte x \b; ID %#x +# turbo speed data block +>10 ubyte =0x11 (turbo) +# length of PILOT tone (number of pulses) +>>21 uleshort x \b, %u pilot pulses +# length of PILOT pulse +>>11 uleshort x with %u tstates +# length of SYNC first pulse +>>13 uleshort x \b, %u and +# length of SYNC second pulse +>>15 uleshort x %u sync tstates +# length of ZERO bit pulse +>>17 uleshort x \b, %u zero tstates +# length of ONE bit pulse +>>19 uleshort x \b, %u one tstates +# used bits in the last byte +>>23 ubyte x \b, use %u bit +# plural s +>>23 ubyte >1 \bs +# pause after this block in milliseconds +>>24 uleshort x \b, %u ms pause +# BYTE[3]; length of data that follow +>>26 ulelong&0x00FFffFF x \b, %u data bytes +>10 ubyte =0x20 (pause) +# pause duration in milliseconds +>>11 uleshort x %u ms +# text description +>10 ubyte =0x30 (text) +# length of the text description +#>>11 ubyte x L=%u +>>11 pstring x "%s" +# archive text description in ASCII format +>10 ubyte =0x32 (archive info) +# length of archive text +>>11 uleshort x \b, %#x bytes +# number of text strings +>>13 ubyte x with %u (type) text parts +# text type identification byte: 0~title 1~publisher 2~author 3~year 4~language 5~type 6~price 7~protection 8~origin ff~comment +>>14 byte <9 (%d) +>>>14 byte >-2 +# length of text string +#>>>>15 ubyte x L=%u +>>>>15 pstring x %s +# 2nd possible text description +>>>>>&0 byte <9 (%d) +>>>>>>&-1 byte >-2 +>>>>>>>&0 pstring x %s +# 3rd possible text description +>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>&0 pstring x %s +# 4th possible text description +>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>&0 pstring x %s +# 5th possible text description +>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>&0 pstring x %s +# 6th possible text description +>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>&0 pstring x %s +# 7th possible text description +>>>>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>>>>&0 pstring x %s # RZX input recording files 0 string RZX! Spectrum .RZX data @@ -51,7 +155,7 @@ # Hard disk images 0 string RS-IDE\x1a Spectrum .HDF hard disk image ->7 byte x \b, version 0x%02x +>7 byte x \b, version %#02x # SZX snapshots (fuse and spectaculator) # Martin M. S. Pedersen <martin@linux.com> diff --git a/contrib/file/magic/Magdir/sql b/contrib/file/magic/Magdir/sql index 28d89e63bf48..00f36179f8a5 100644 --- a/contrib/file/magic/Magdir/sql +++ b/contrib/file/magic/Magdir/sql @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sql,v 1.22 2019/04/19 00:42:27 christos Exp $ +# $File: sql,v 1.26 2023/04/29 17:26:58 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" <mleisner@eng.mc.xerox.com> @@ -88,41 +88,182 @@ # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/sqlite-2x.trid.xml +# Note: called "SQLite 2.x database" by TrID and "SQLite Database File Format" version 2 by DROID via PUID fmt/1135 # Version 2 used this format: 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database +!:mime application/x-sqlite2 +# FileAttributesStore.db test.sqlite2 +!:ext sqlite/sqlite2/db +# URL: https://en.wikipedia.org/wiki/SQLite +# Reference: https://www.sqlite.org/fileformat.html +# Update: Joerg Jenderek # Version 3 of SQLite allows applications to embed their own "user version" # number in the database at offset 60. Later, SQLite added an "application id" # at offset 68 that is preferred over "user version" for indicating the # associated application. # -0 string SQLite\ format\ 3 SQLite 3.x database -!:mime application/x-sqlite3 +0 string SQLite\ format\ 3 +# skip DROID fmt-729-signature-id-1053.sqlite by checking for valid page size +>16 ubeshort >0 SQLite 3.x +# deprecated +#!:mime application/x-sqlite3 +!:mime application/vnd.sqlite3 # seldom found extension sqlite3 like in SyncData.sqlite3 # db +# db3 like: AddrBook.db3 cgipcrvp.db3 +# https://www.maplesoft.com/support/help/Maple/view.aspx?path=worksheet%2freference%2fhelpdatabase +# help is used for newer Maple help database +# SQLite database weewx.sdb used by weather software weewx +# https://www.weewx.com/docs/usersguide.htm # Avira Antivir use extension "dbe" like in avevtdb.dbe, avguard_tchk.dbe # Unfortunately extension sqlite also used for other databases starting with string # "TTCONTAINER" like in tracks.sqlite contentconsumer.sqlite contentproducerrepository.sqlite # and with string "ZV-zlib" in like extra.sqlite -!:ext sqlite/sqlite3/db/dbe ->60 belong =0x5f4d544e (Monotone source repository) ->68 belong =0x0f055112 (Fossil checkout) ->68 belong =0x0f055113 (Fossil global configuration) ->68 belong =0x0f055111 (Fossil repository) ->68 belong =0x42654462 (Bentley Systems BeSQLite Database) ->68 belong =0x42654c6e (Bentley Systems Localization File) ->68 belong =0x47504b47 (OGC GeoPackage file) ->68 default x ->>68 belong !0 \b, application id %u ->>60 belong !0 \b, user version %d ->96 belong x \b, last written using SQLite version %d - +>>68 belong !0x5CDE09EF database +!:ext sqlite/sqlite3/db/db3/dbe/sdb/help +>>68 belong =0x5CDE09EF database +# maple is used for Maple Workbook +!:ext maple +>>60 belong =0x5f4d544e (Monotone source repository) +# if no known user version then check for Application IDs with default clause +>>60 belong !0x5f4d544e +# The "Application ID" set by PRAGMA application_id +>>>68 belong =0x0f055112 (Fossil checkout) +>>>68 belong =0x0f055113 (Fossil global configuration) +>>>68 belong =0x0f055111 (Fossil repository) +>>>68 belong =0x42654462 (Bentley Systems BeSQLite Database) +>>>68 belong =0x42654c6e (Bentley Systems Localization File) +>>>68 belong =0x47504b47 (OGC GeoPackage file) +# https://www.sqlite.org/src/artifact?ci=trunk&filename=magic.txt +>>>68 belong =0x47503130 (OGC GeoPackage version 1.0 file) +>>>68 belong =0x45737269 (Esri Spatially-Enabled Database) +>>>68 belong =0x4d504258 (MBTiles tileset) +# https://www.maplesoft.com/support/help/errors/view.aspx?path=Formats/Maple +>>>68 belong =0x5CDE09EF (Maple Workbook) +# unknown application ID +>>>68 default x +>>>>68 belong !0 \b, application id %u +# The "user version" as read and set by the user_version pragma like: +# 1 2 4 5 7 9 10 25 36 43 53 400 416 131073 131074 131075 +>>60 belong !0 \b, user version %d +# SQLITE_VERSION_NUMBER like: 0 3008011 3016002 3007014 3017000 3022000 3028000 3031001 +>>96 belong x \b, last written using SQLite version %d +# database page size in bytes; a power of two between 512 and 32768, or 1 for 65536 +# like: 512 1024 often 4096 32768 +>>16 ubeshort !4096 \b, page size %u +# File format write version. 1 for legacy; 2 for WAL; 0 for corruptDB.sqlite +>>18 ubyte !1 \b, writer version %u +# File format read version. 1 for legacy; 2 for WAL; 4 for corruptDB.sqlite +>>19 ubyte !1 \b, read version %u +# Bytes of unused "reserved" space at the end of each page. Usually 0 +>>20 ubyte !0 \b, unused bytes %u +# maximum embedded payload fraction. Must be 64; 1 for corruptDB.sqlite +>>21 ubyte !64 \b, maximum payload %u +# Minimum embedded payload fraction. Must be 32; 1 for corruptDB.sqlite +>>22 ubyte !32 \b, minimum payload %u +# Leaf payload fraction. Must be 32; 0 for corruptDB.sqlite +>>23 ubyte !32 \b, leaf payload %u +# file change counter +>>24 ubelong x \b, file counter %u +# Size of the database file in pages +>>28 ubelong x \b, database pages %u +# page number of the first freelist trunk page like: 0 2 3 4 5 9 +# 10 13 14 15 16 17 18 19 23 36 39 46 50 136 190 217 307 505 516 561 883 1659 +>>32 ubelong !0 \b, 1st free page %u +# total number of freelist pages +>>36 ubelong !0 \b, free pages %u +# The schema cookie like: 2 3 4 6 7 9 A D E F 13 14 1C 25 2A 2F 33 44 4B 53 5A 5F 62 86 87 8F 91 A8 +>>40 ubelong x \b, cookie %#x +# the schema format number. Supported formats are 1 2 3 and often 4 +# 3328 for corruptDB.sqlite and 0 for 512 byte storage.sqlite (TorBrowser Firefox Thunderbird) +>>44 ubelong x \b, schema %u +# Suggested cache size like: 0 2000 +>>48 ubelong !0 \b, cache page size %u +# The page number of the largest root b-tree page when in auto-vacuum or incremental-vacuum modes, or zero otherwise. +>>52 ubelong !0 \b, largest root page %u +# The database text encoding; a value of 1 means UTF-8; 2 means UTF-16le; 3 means UTF-16be +#>>56 ubelong x \b, encoding %u +>>56 ubelong x +>>>56 ubelong =1 \b, UTF-8 +>>>56 ubelong =2 \b, UTF-16 little endian +>>>56 ubelong =3 \b, UTF-16 big endian +# 0 for corruptDB.sqlite and for storage.sqlite with database pages 1 (TorBrowser Firefox Thunderbird) +# https://mozilla.github.io/firefox-browser-architecture/text/0010-firefox-data-stores.html +>>>56 default x +>>>>56 ubelong x \b, unknown %#x encoding +# True (non-zero) for incremental-vacuum mode; false (zero) otherwiseqy +>>64 ubelong !0 \b, vacuum mode %u +# Reserved for expansion. Must be zero +>>72 uquad !0 \b, reserved %#llx +# The version-valid-for number like: +# 1 2 3 4 C F 68h 95h 266h A99h 3DCDh B7CEh +>>92 ubelong x \b, version-valid-for %u # SQLite Write-Ahead Log from SQLite version >= 3.7.0 # https://www.sqlite.org/fileformat.html#walformat 0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, !:ext sqlite-wal/db-wal >4 belong x version %d +# Summary: SQLite Write-Ahead-Log index (shared memory) +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/SQLite +# Reference: http://www.sqlite.org/draft/walformat.html#walidxfmt +# iVersion; WAL-index format version number; always 3007000=2DE218h +0 ulelong 0x002DE218 +>0 use shm-le +# big endian variant not tested +0 ubelong 0x002DE218 +>0 use \^shm-le +# show information about SQLite Write-Ahead-Log shared memory +0 name shm-le +>0 ulelong x SQLite Write-Ahead Log shared memory +#!:mime application/octet-stream +!:mime application/vnd.sqlite3 +# db3-shm Acronis BackupAndRecovery F4CEEE47-042C-4828-95A0-DE44EC267A28.db3-shm +# dbx-shm probably Dropbox filecache.dbx-shm +# aup3-shm Audacity project tada.aup3-shm +# srd-shm Microsoft Windows StateRepository service StateRepository-Deployment.srd-shm StateRepository-Machine.srd-shm: +!:ext sqlite-shm/db-shm/db3-shm/dbx-shm/aup3-shm/srd-shm +# unused padding space; must be zero +>4 ulelong !0 \b, unused %x +# iChange; unsigned integer counter, incremented with each transaction +>8 ulelong x \b, counter %u +# isInit; the "isInit" flag; 1 when the shm file has been initialized +>12 ubyte !1 \b, not initialized %u +# bigEndCksum; true if the WAL file uses big-ending checksums; 0 if the WAL uses little-endian checksums +>13 ubyte !0 \b, checksum type %u +# szPage; database page size in bytes, or 1 if the page size is 65536 +>14 uleshort !1 \b, page size %u +>14 uleshort =1 \b, page size 65536 +# mxFrame; number of valid and committed frames in the WAL file +>16 ulelong x \b, %u frames +# nPage; size of the database file in pages +>20 ulelong x \b, %u pages +# aFrameCksum; checksum of the last frame in the WAL file +>24 ulelong x \b, frame checksum %#x +# aSalt; two salt value copied from the WAL file header in the byte-order of the WAL file; might be different from machine byte-order +>32 ulequad x \b, salt %#llx +# aCksum; checksum over bytes 0 through 39 of this header +>40 ulelong x \b, header checksum %#x +# a copy of bytes 0 through 47 of header +>48 ulelong !3007000 \b, iversion %u +# nBackfill; number of WAL frames that have already been backfilled into the database by prior checkpoints +>96 ulelong !0 \b, %u backfilled +# nBackfillAttempted; number of WAL frames that have attempted to be backfilled +>>128 ulelong x (%u attempts) +# read-mark[0..4]; five "read marks"; each read mark is a 32-bit unsigned integer +>100 ulelong !0 \b, read-mark[0] %#x +>104 ulelong x \b, read-mark[1] %#x +>108 ulelong !0xffffffff \b, read-mark[2] %#x +>112 ulelong !0xffffffff \b, read-mark[3] %#x +>116 ulelong !0xffffffff \b, read-mark[4] %#x +# unused space set aside for 8 file locks +>120 ulequad !0 \b, space %#llx +# unused space reserved for further expansion +>132 ulelong !0 \b, reserved %#x # SQLite Rollback Journal # https://www.sqlite.org/fileformat.html#rollbackjournal @@ -139,3 +280,9 @@ # H2 Database from https://www.h2database.com/ 0 string --\ H2\ 0.5/B\ --\ \n H2 Database file + +# DuckDB database file from https://duckdb.org +8 string DUCK DuckDB database file +>12 lequad x \b, version %lld +#>20 lequad x \b, flags %#llx +#>28 lequad x \b, flags %#llx diff --git a/contrib/file/magic/Magdir/ssh b/contrib/file/magic/Magdir/ssh index 441f3b4a8e55..56b28a8488ea 100644 --- a/contrib/file/magic/Magdir/ssh +++ b/contrib/file/magic/Magdir/ssh @@ -1,12 +1,15 @@ # Type: OpenSSH key files # From: Nicolas Collignon <tsointsoin@gmail.com> -0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, +0 string SSH\040PRIVATE\040KEY OpenSSH RSA1 private key, >28 string >\0 version %s -0 string -----BEGIN\ OPENSSH\ PRIVATE\ KEY----- OpenSSH private key +0 string -----BEGIN\040OPENSSH\040PRIVATE\040KEY----- OpenSSH private key +# https://www.rfc-editor.org/rfc/rfc5958 +0 string -----BEGIN\040PRIVATE\040KEY----- OpenSSH private key (no password) +0 string -----BEGIN\040ENCRYPTED\040PRIVATE\040KEY----- OpenSSH private key (with password) -0 string ssh-dss\ OpenSSH DSA public key -0 string ssh-rsa\ OpenSSH RSA public key +0 string ssh-dss\040 OpenSSH DSA public key +0 string ssh-rsa\040 OpenSSH RSA public key 0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key diff --git a/contrib/file/magic/Magdir/statistics b/contrib/file/magic/Magdir/statistics new file mode 100644 index 000000000000..ca9f8591b68e --- /dev/null +++ b/contrib/file/magic/Magdir/statistics @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: statistics,v 1.3 2022/03/24 15:48:58 christos Exp $ +# statistics: file(1) magic for statistics related software +# + +# From Remy Rampin + +# Stata is a statistical software tool that was created in 1985. While I +# don't personally use it, data files in its native (proprietary) format +# are common (.dta files). +# +# Because they are so common, especially in statistical and social +# sciences, Stata files and SPSS files can be opened by a lot of modern +# software, for example Python's pandas package provides built-in +# support for them (read_stata() and read_spss()). +# +# I noticed that the magic database includes an entry for SPSS files but +# not Stata files. Stata files for Stata 13 and newer (formats 117, 118, +# and 119) always begin with the string "<stata_dta><header>" as per +# https://www.stata.com/help.cgi?dta#definition +# +# The format version number always follows, for example: +# <stata_dta><header><release>117</release> +# <stata_dta><header><release>118</release> +# +# Therefore the following line would do the trick: +# 0 string <stata_dta><header> Stata Data File +# +# (I'm sure the version number could be captured as well but I did not +# manage this without a regex) +# +# Unfortunately the previous formats (created by Stata before 13, which +# was released 2013) are harder to recognize. Format 115 starts with the +# four bytes 0x73010100 or 0x73020100, format 114 with 0x72010100 or +# 0x72020100, format 113 with 0x71010101 or 0x71020101. +# +# For additional reference, the Library of Congress website has an entry +# for the Stata Data File Format 118: +# https://www.loc.gov/preservation/digital/formats/fdd/fdd000471.shtml +# +# Example of those files can be found on Zenodo: +# https://zenodo.org/search?page=1&size=20&q=&file_type=dta +0 string \<stata_dta\>\<header\>\<release\> Stata Data File +>&0 regex [0-9]+ (Release %s) diff --git a/contrib/file/magic/Magdir/subtitle b/contrib/file/magic/Magdir/subtitle new file mode 100644 index 000000000000..cfbe293d59ed --- /dev/null +++ b/contrib/file/magic/Magdir/subtitle @@ -0,0 +1,38 @@ + +#------------------------------------------------------------------------------ +# $File: subtitle,v 1.2 2022/09/07 11:29:09 christos Exp $ +# subtitle: file(1) magic for subtitles files + +# EBU-STL +# https://tech.ebu.ch/docs/tech/tech3264.pdf +3 string STL EBU-STL subtitles +>6 regex =^[0-9][0-9] \b, rate %s +>>8 string .01 \b, v1 +!:mime application/x-ebu-stl +>>>16 regex =^[^\ ]{0,32} \b, title "%s" +>>>>224 regex =^[0-9]{2} \b, created %-.2s +>>>>>&0 regex =^[0-9]{2} \b-%-.2s +>>>>>>&0 regex =^[0-9]{2} \b-%-.2s +!:ext stl + +# SubRip (srt) subtitles +0 regex/20 =^1[\r\n]+0[01]:[0-9]{2}:[0-9]{2},[0-9]{3}\040--> SubRip +!:mime application/x-subrip +!:ext srt + +# WebVTT subtitles +# https://www.w3.org/TR/webvtt1/ +0 string/t WEBVTT +>&0 regex/255 =[0-9]{2}:[0-9]{2}\\.[0-9]{3}\040--> WebVTT subtitles +!:mime text/vtt +!:ext vtt + +# XML TTML subtitles +# https://www.w3.org/TR/ttml2/ +0 string/t \<?xml +>20 search/400 \020xmlns= +>>&0 regex ['"]http://www.w3.org/ns/ttml TTML subtitles +!:mime application/ttml+xml +# Augment strength to beat plain XML +!:strength * 3 +!:ext ttml diff --git a/contrib/file/magic/Magdir/svf b/contrib/file/magic/Magdir/svf new file mode 100644 index 000000000000..b0d5c980f944 --- /dev/null +++ b/contrib/file/magic/Magdir/svf @@ -0,0 +1,5 @@ +# $File: svf,v 1.2 2023/05/23 13:37:32 christos Exp $ +# +# file(1) magic(5) data for SmartVersion files with the .svf extension. + +0 string DFS\ File\x0D\x0Ahttp://www.difstream.com\x0D\x0A SmartVersion binary patch file diff --git a/contrib/file/magic/Magdir/sysex b/contrib/file/magic/Magdir/sysex index 967ac0ce30c1..d02389d9a457 100644 --- a/contrib/file/magic/Magdir/sysex +++ b/contrib/file/magic/Magdir/sysex @@ -1,20 +1,42 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.10 2019/04/19 00:42:27 christos Exp $ +# $File: sysex,v 1.12 2022/10/31 13:22:26 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems # where real SYStem EXclusive messages at offset 1 are limited to seven bits # https://en.wikipedia.org/wiki/MIDI -0 ubeshort&0xFF80 0xF000 SysEx File - - +# test for StartSysEx byte and upper unsed bit of vendor ID +0 ubeshort&0xFF80 0xF000 +# MIDI System Exclusive (SysEx) messages (strength=50) after Microsoft Visual C library (strength=70) +#!:strength +0 +# skip Microsoft Visual C library with page size 16 misidentified as ADA and +# page size 32 misidentified as Inventronics by looking for terminating End Of eXclusive byte (EOX) +>2 search/12 \xF7 +>>0 use midi-sysex +# display information about MIDI System Exclusive (SysEx) messages +0 name midi-sysex +# https://fileinfo.com/extension/syx +>1 ubyte x MIDI audio System Exclusive (SysEx) message - +# Note: file (version 5.41) labeled the above entry as "SysEx File" +#!:mime application/octet-stream +!:mime audio/x-syx +# https://onsongapp.com/docs/features/formats/sysex +!:ext syx/sysex +# https://www.midi.org/specifications-old/item/manufacturer-id-numbers +# https://raw.githubusercontent.com/insolace/MIDI-Sysex-MFG-IDs/master/Sysex%20ID%20Tables/MIDI%20Sysex%20MFG%20IDs.csv +# SysEx manufacturer ID; originally one byte, but now 0 is used as an escapement to reach the next two # North American Group ->1 byte 0x01 Sequential +#>1 byte 0x01 Sequential +>1 byte 0x01 Sequential Circuits >1 byte 0x02 IDP ->1 byte 0x03 OctavePlateau +#>1 byte 0x03 OctavePlateau +>1 byte 0x03 Voyetra Turtle Beach >1 byte 0x04 Moog ->1 byte 0x05 Passport ->1 byte 0x06 Lexicon +#>1 byte 0x05 Passport +>1 byte 0x05 Passport Designs +#>1 byte 0x06 Lexicon +>1 byte 0x06 Lexicon Inc. >1 byte 0x07 Kurzweil/Future Retro >>3 byte 0x77 777 >>4 byte 0x00 Bank @@ -38,12 +60,17 @@ >>5 byte 0x10 (ALL) >>2 byte x \b, Channel %d >1 byte 0x08 Fender ->1 byte 0x09 Gulbransen ->1 byte 0x0a AKG +#>1 byte 0x09 Gulbransen +>1 byte 0x09 MIDI9 +#>1 byte 0x0a AKG +>1 byte 0x0a AKG Acoustics >1 byte 0x0b Voyce >1 byte 0x0c Waveframe ->1 byte 0x0d ADA ->1 byte 0x0e Garfield +# not ADA programming language +#>1 byte 0x0d ADA +>1 byte 0x0d ADA Signal Processors Inc. +#>1 byte 0x0e Garfield +>1 byte 0x0e Garfield Electronics >1 byte 0x0f Ensoniq >1 byte 0x10 Oberheim >>2 byte 0x06 Matrix 6 series @@ -59,7 +86,8 @@ >1 byte 0x16 Lowrey >1 byte 0x17 AdamsSmith >1 byte 0x18 E-mu ->1 byte 0x19 Harmony +#>1 byte 0x19 Harmony +>1 byte 0x19 Harmony Systems >1 byte 0x1a ART >1 byte 0x1b Baldwin >1 byte 0x1c Eventide @@ -67,23 +95,28 @@ >1 byte 0x1f Clarity # European Group ->1 byte 0x21 SIEL +#>1 byte 0x21 SIEL +>1 byte 0x21 Proel Labs (SIEL) >1 byte 0x22 Synthaxe >1 byte 0x24 Hohner >1 byte 0x25 Twister ->1 byte 0x26 Solton +#>1 byte 0x26 Solton +>1 byte 0x26 Ketron s.r.l. >1 byte 0x27 Jellinghaus >1 byte 0x28 Southworth >1 byte 0x29 PPG >1 byte 0x2a JEN ->1 byte 0x2b SSL ->1 byte 0x2c AudioVertrieb +#>1 byte 0x2b SSL +>1 byte 0x2b Solid State Logic Organ Systems +#>1 byte 0x2c AudioVertrieb +>1 byte 0x2c Audio Veritrieb-P. Struven >1 byte 0x2f ELKA >>3 byte 0x09 EK-44 >1 byte 0x30 Dynacord ->1 byte 0x31 Jomox +#>1 byte 0x31 Jomox +>1 byte 0x31 Viscount International Spa >1 byte 0x33 Clavia >1 byte 0x39 Soundcraft # Some Waldorf info from http://Stromeko.Synth.net/Downloads#WaldorfDocs @@ -202,14 +235,16 @@ >1 byte 0x44 Casio >1 byte 0x46 Kamiya >1 byte 0x47 Akai ->1 byte 0x48 Victor +#>1 byte 0x48 Victor +>1 byte 0x48 Victor Company of Japan. Ltd. >1 byte 0x49 Mesosha >1 byte 0x4b Fujitsu >1 byte 0x4c Sony >1 byte 0x4e Teac >1 byte 0x50 Matsushita >1 byte 0x51 Fostex ->1 byte 0x52 Zoom +#>1 byte 0x52 Zoom +>1 byte 0x52 Zoom Corporation >1 byte 0x54 Matsushita >1 byte 0x57 Acoustic tech. lab. # https://www.midi.org/techspecs/manid.php @@ -317,4 +352,78 @@ >1 belong&0xffffff00 0x00204700 Klavis Tech. >1 belong&0xffffff00 0x00204800 Noteheads AB +# Update: Joerg Jenderek; January 2022 +>1 byte 0x00 ID EXTENSIONS +>1 byte 0x13 Digidesign Inc. +>1 byte 0x1e Key Concepts +>1 byte 0x20 Passac +>1 byte 0x23 Stepp +>1 byte 0x2d Neve +>1 byte 0x2e Soundtracs Ltd. +>1 byte 0x32 Drawmer +>1 byte 0x34 Audio Architecture +>1 byte 0x35 Generalmusic Corp SpA +>1 byte 0x36 Cheetah Marketing +>1 byte 0x37 C.T.M. +>1 byte 0x38 Simmons UK +>1 byte 0x3a Steinberg +>1 byte 0x3b Wersi GmbH +>1 byte 0x3c AVAB Niethammer AB +>1 byte 0x3d Digigram +>1 byte 0x3f Quasimidi +# +>1 byte 0x40 Kawai Musical Instruments MFG. CO. Ltd +#>1 byte 0x45 foo +#>1 byte 0x4a foo +#>1 byte 0x4d foo +#>1 byte 0x4f foo +#>1 byte 0x53 foo +>1 byte 0x55 Suzuki Musical Instruments MFG. Co. Ltd. +>1 byte 0x56 Fuji Sound Corporation Ltd. +#>1 byte 0x58 foo +>1 byte 0x59 Faith. Inc. +>1 byte 0x5a Internet Corporation +#>1 byte 0x5b foo +>1 byte 0x5c Seekers Co. Ltd. +#>1 byte 0x5d foo +#>1 byte 0x5e foo +>1 byte 0x5f SD Card Association +# Reserved for other uses for 60H to 7FH +# URL: https://www.philscomputerlab.com/roland-midi-emulator-project-20.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/syx--midiemu.trid.xml +# Note: called by TrID "MIDI Emulator Project SysEx preset command" +>1 byte 0x66 MIDI Emulator +# https://electronicmusic.fandom.com/wiki/List_of_MIDI_Manufacturer_IDs +# Educational, prototyping, test, private use and experimentation +>1 byte 0x7D PROTOTYPING +# universal non-real-time (sample dump, tuning table, etc.) +>1 byte 0x7E UNIVERSAL +# universal real time (MIDI time code, MIDI Machine control, etc.) +>1 byte 0x7F universal real time +# display information about End Of eXclusive byte (EOX=F7) +#>2 ubyte 0xF7 \b, at 2 EOX +#>3 ubyte 0xF7 \b, at 3 EOX +# https://tttapa.github.io/Control-Surface-doc/new-input/Doxygen/d2/d93/SysEx-Send-Receive_8ino-example.html +>4 ubyte 0xF7 \b, at 4 EOX +# http://www.1manband.nl/tutorials2/sysex.htm +>5 ubyte 0xF7 \b, at 5 EOX +# http://www.somascape.org/midi/tech/mfile.html#sysex +>6 ubyte 0xF7 \b, at 6 EOX +# +>7 ubyte 0xF7 \b, at 7 EOX +# https://webmidijs.org/forum/discussion/34/how-to-send-or-receive-system-exclusive-messages +>8 ubyte 0xF7 \b, at 8 EOX +# +>9 ubyte 0xF7 \b, at 9 EOX +# https://www.chd-el.cz/wp-content/uploads/845010_syxcom.pdf +>10 ubyte 0xF7 \b, at 10 EOX +# https://stackoverflow.com/questions/52906076/handling-midi-the-input-of-multiple-system-exclusive-messages-in-vb +>11 ubyte 0xF7 \b, at 11 EOX +# https://www.2writers.com/eddie/TutSysEx.htm +>12 ubyte 0xF7 \b, at 12 EOX +>13 ubyte 0xF7 \b, at 13 EOX +# http://www.chromakinetics.com/handsonic/rolSysEx.htm +>14 ubyte 0xF7 \b, at 14 EOX +#>15 ubyte 0xF7 \b, at 15 EOX + 0 string T707 Roland TR-707 Data diff --git a/contrib/file/magic/Magdir/terminfo b/contrib/file/magic/Magdir/terminfo index fc3bf7458ecd..41704eb55946 100644 --- a/contrib/file/magic/Magdir/terminfo +++ b/contrib/file/magic/Magdir/terminfo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: terminfo,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: terminfo,v 1.13 2022/11/21 22:25:37 christos Exp $ # terminfo: file(1) magic for terminfo # # URL: https://invisible-island.net/ncurses/man/term.5.html @@ -30,13 +30,14 @@ >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled 32-bit terminfo entry "%-s" !:mime application/x-terminfo2 # -# While the compiled terminfo uses little-endian format irregardless of +# While the compiled terminfo uses little-endian format regardless of # platform, SystemV screen dumps do not. They came later, and that detail was # overlooked. # # AIX and HPUX use the SVr4 big-endian format # Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) 0 beshort 0433 SVr2 curses screen image, big-endian +# GRR: line below too general as it catches Commodore C128 program (crc32.prg XLINK.PRG) with start address 1C01h handled by ./c64 0 beshort 0434 SVr3 curses screen image, big-endian 0 beshort 0435 SVr4 curses screen image, big-endian # diff --git a/contrib/file/magic/Magdir/tex b/contrib/file/magic/Magdir/tex index aaeae169f336..e66f8ffdcecb 100644 --- a/contrib/file/magic/Magdir/tex +++ b/contrib/file/magic/Magdir/tex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: tex,v 1.21 2019/04/19 00:42:27 christos Exp $ +# $File: tex,v 1.22 2022/12/21 16:50:04 christos Exp $ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) @@ -10,13 +10,15 @@ # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] -0 string \367\002 TeX DVI file +0 string \367\002 +>(14.b+15) string \213 +>>14 pstring >\0 TeX DVI file (%s) !:mime application/x-dvi ->16 string >\0 (%s) 0 string \367\203 TeX generic font data 0 string \367\131 TeX packed font data >3 string >\0 (%s) -0 string \367\312 TeX virtual font data +0 string \367\312 +>(2.b+11) string \363 TeX virtual font data 0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text diff --git a/contrib/file/magic/Magdir/timezone b/contrib/file/magic/Magdir/timezone index 9381a0cdd3f9..84e908166769 100644 --- a/contrib/file/magic/Magdir/timezone +++ b/contrib/file/magic/Magdir/timezone @@ -1,19 +1,19 @@ #------------------------------------------------------------------------------ -# $File: timezone,v 1.11 2009/09/19 16:28:12 christos Exp $ +# $File: timezone,v 1.13 2021/07/21 17:57:20 christos Exp $ # timezone: file(1) magic for timezone data # # from Daniel Quinlan (quinlan@yggdrasil.com) # this should work on Linux, SunOS, and maybe others # Added new official magic number for recent versions of the Olson code -0 string TZif timezone data +0 name timezone >4 byte 0 \b, old version >4 byte >0 \b, version %c >20 belong 0 \b, no gmt time flags >20 belong 1 \b, 1 gmt time flag >20 belong >1 \b, %d gmt time flags >24 belong 0 \b, no std time flags ->20 belong 1 \b, 1 std time flag +>24 belong 1 \b, 1 std time flag >24 belong >1 \b, %d std time flags >28 belong 0 \b, no leap seconds >28 belong 1 \b, 1 leap second @@ -21,9 +21,19 @@ >32 belong 0 \b, no transition times >32 belong 1 \b, 1 transition time >32 belong >1 \b, %d transition times ->36 belong 0 \b, no abbreviation chars ->36 belong 1 \b, 1 abbreviation char ->36 belong >1 \b, %d abbreviation chars +>36 belong 0 \b, no local time types +>36 belong 1 \b, 1 local time type +>36 belong >1 \b, %d local time types +>40 belong 0 \b, no abbreviation chars +>40 belong 1 \b, 1 abbreviation char +>40 belong >1 \b, %d abbreviation chars + +0 string TZif timezone data +>51 string TZif \b(slim) +>>51 use timezone +>51 default x \b(fat) +>>0 use timezone + 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0 old timezone data diff --git a/contrib/file/magic/Magdir/tplink b/contrib/file/magic/Magdir/tplink index fcd105dede00..1b4ef0f3369f 100644 --- a/contrib/file/magic/Magdir/tplink +++ b/contrib/file/magic/Magdir/tplink @@ -1,25 +1,32 @@ #------------------------------------------------------------------------------ -# $File: tplink,v 1.5 2020/03/28 23:14:26 christos Exp $ +# $File: tplink,v 1.8 2023/05/15 16:41:02 christos Exp $ # tplink: File magic for openwrt firmware files # URL: https://wiki.openwrt.org/doc/techref/header # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml +# Note: called "TP-Link router firmware (v1)" by TrID # From: Joerg Jenderek # check for valid header version 1 or 2 0 ulelong <3 >0 ulelong !0 # test for header padding with nulls >>0x100 long 0 -# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor +# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor name >>>4 ubelong >0x1F000000 # skip user.dbt by looking for positive hardware id >>>>0x40 ubeshort >0 ->>>>>0 use firmware-tplink +# skip cversions.1.db cversions.2.db cversions.3.db inside +# c:\ProgramData\Microsoft\Windows\Caches +# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0 +>>>>>5 short !0 +>>>>>>0 use firmware-tplink 0 name firmware-tplink >0 ubyte x firmware !:mime application/x-tplink-bin +# like: TL-WR1043ND-V1-FW0.0.3-stripped.bin gluon-ffrefugee-0.9.2-tp-link-archer-c5-v1-sysupgrade.bin !:ext bin # hardware id like 10430001 07410001 09410004 09410006 >0x40 ubeshort x %x @@ -45,44 +52,44 @@ # total length of the firmware. not always true >0x7C ubelong x \b, %u bytes or less # unknown 1 ->0x48 ubelong !0 \b, UNKNOWN1 0x%x +>0x48 ubelong !0 \b, UNKNOWN1 %#x # md5sum1[16] #>0x4c ubequad x \b, MD5 %llx #>>0x54 ubequad x \b%llx # unknown 2 ->0x5c ubelong !0 \b, UNKNOWN2 0x%x +>0x5c ubelong !0 \b, UNKNOWN2 %#x # md5sum2[16] #>0x60 ubequad !0 \b, 2nd MD5 %llx #>>0x68 ubequad x \b%llx # unknown 3 ->0x70 ubelong !0 \b, UNKNOWN3 0x%x +>0x70 ubelong !0 \b, UNKNOWN3 %#x # kernel load address -#>0x74 ubelong x \b, 0x%x load +#>0x74 ubelong x \b, %#x load # kernel entry point -#>0x78 ubelong x \b, 0x%x entry +#>0x78 ubelong x \b, %#x entry # kernel data offset. 200h means direct after header ->0x80 ubelong x \b, at 0x%x +>0x80 ubelong x \b, at %#x # kernel data length and 1 space >0x84 ubelong x %u bytes # look for kernel type (gzip compressed vmlinux.bin by ./compress) >(0x80.L) indirect x # root file system data offset # WRONG in 5.35 with above indirect expression ->0x88 ubelong x \b, at 0x%x +>0x88 ubelong x \b, at %#x # rootfs data length and 1 space >0x8C ubelong x %u bytes # in 5.32 only true for offset ~< FILE_BYTES_MAX=9 MB defined in ../../src/file.h >(0x88.L) indirect x # 'qshs' for wr940nv1_en_3_13_7_up(111228).bin #>(0x88.L) string x \b, file system '%.4s' -#>(0x88.L) ubequad x \b, file system 0x%llx +#>(0x88.L) ubequad x \b, file system %#llx # bootloader data offset ->0x90 ubelong !0 \b, at 0x%x -# bootloader data length only resonable if bootloader offset not null +>0x90 ubelong !0 \b, at %#x +# bootloader data length only reasonable if bootloader offset not null >>0x94 ubelong !0 %u bytes # pad[354] should be 354 null bytes. -#>0x9E ubequad !0 \b, padding 0x%llx +#>0x9E ubequad !0 \b, padding %#llx # But at 0x120 18 non null bytes in examples like # wr940nv4_eu_3_16_9_up_boot(160620).bin # wr940nv6_us_3_18_1_up_boot(171030).bin -#>0x120 ubequad !0 \b, other padding 0x%llx +#>0x120 ubequad !0 \b, other padding %#llx diff --git a/contrib/file/magic/Magdir/troff b/contrib/file/magic/Magdir/troff index 5b8af64ce881..301a40bc34da 100644 --- a/contrib/file/magic/Magdir/troff +++ b/contrib/file/magic/Magdir/troff @@ -1,24 +1,30 @@ #------------------------------------------------------------------------------ -# $File: troff,v 1.13 2020/05/30 23:12:34 christos Exp $ +# $File: troff,v 1.14 2023/06/01 16:00:46 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) # troff input 0 search/1 .\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 '\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 '.\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 \\" troff or preprocessor input text +!:strength +12 !:mime text/troff #0 search/1 ''' troff or preprocessor input text #!:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text +!:strength +12 !:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text +!:strength +12 !:mime text/troff # ditroff intermediate output text diff --git a/contrib/file/magic/Magdir/uf2 b/contrib/file/magic/Magdir/uf2 new file mode 100644 index 000000000000..49a86d7640c1 --- /dev/null +++ b/contrib/file/magic/Magdir/uf2 @@ -0,0 +1,72 @@ + +#------------------------------------------------------------------------------ +# $File: uf2,v 1.3 2021/04/28 01:00:31 christos Exp $ +# uf2: file(1) magic for UF2 firmware image files +# +# https://github.com/microsoft/uf2 +# +# Created by Blake Ramsdell <blaker@gmail.com> + +0 string UF2\n UF2 firmware image +!:ext uf2 +# This is for checking the other magic numbers, do we want to do that? +#>4 lelong 0x9E5D5157 howdy +#>>508 lelong 0x0AB16F30 doody +>8 lelong &0x0001 \b, not main flash +>8 lelong &0x1000 \b, file container +>8 lelong &0x2000 \b, family + +# To update the UF2 family data, use this fine command +# +# families=`curl \ +# https://raw.githubusercontent.com/microsoft/uf2/master/utils/uf2families.json \ +# | jq -r '.[] | ">>28\tlelong\t\(.id)\t\(.description)"' | sort -n -k 3` && \ +# perl -0777 -i -pe \ +# "s/(### BEGIN UF2 FAMILIES\\n).*(\\n### END UF2 FAMILIES)/\$1$families\$2/s" \ +# uf2 + +### BEGIN UF2 FAMILIES +>>28 lelong 0x00ff6919 ST STM32L4xx +>>28 lelong 0x04240bdf ST STM32L5xx +>>28 lelong 0x16573617 Microchip (Atmel) ATmega32 +>>28 lelong 0x1851780a Microchip (Atmel) SAML21 +>>28 lelong 0x1b57745f Nordic NRF52 +>>28 lelong 0x1c5f21b0 ESP32 +>>28 lelong 0x1e1f432d ST STM32L1xx +>>28 lelong 0x202e3a91 ST STM32L0xx +>>28 lelong 0x21460ff0 ST STM32WLxx +>>28 lelong 0x2abc77ec NXP LPC55xx +>>28 lelong 0x300f5633 ST STM32G0xx +>>28 lelong 0x31d228c6 GD32F350 +>>28 lelong 0x4c71240a ST STM32G4xx +>>28 lelong 0x4fb2d5bd NXP i.MX RT10XX +>>28 lelong 0x53b80f00 ST STM32F7xx +>>28 lelong 0x55114460 Microchip (Atmel) SAMD51 +>>28 lelong 0x57755a57 ST STM32F401 +>>28 lelong 0x5a18069b Cypress FX2 +>>28 lelong 0x5d1a0a2e ST STM32F2xx +>>28 lelong 0x5ee21072 ST STM32F103 +>>28 lelong 0x647824b6 ST STM32F0xx +>>28 lelong 0x68ed2b88 Microchip (Atmel) SAMD21 +>>28 lelong 0x6b846188 ST STM32F3xx +>>28 lelong 0x6d0922fa ST STM32F407 +>>28 lelong 0x6db66082 ST STM32H7xx +>>28 lelong 0x70d16653 ST STM32WBxx +>>28 lelong 0x7eab61ed ESP8266 +>>28 lelong 0x7f83e793 NXP KL32L2x +>>28 lelong 0x8fb060fe ST STM32F407VG +>>28 lelong 0xada52840 Nordic NRF52840 +>>28 lelong 0xbfdd4eee ESP32-S2 +>>28 lelong 0xc47e5767 ESP32-S3 +>>28 lelong 0xd42ba06c ESP32-C3 +>>28 lelong 0xe48bff56 Raspberry Pi RP2040 +### END UF2 FAMILIES + +>>28 default x +>>>28 lelong x %#08x +>8 lelong&0x2000 0 \b, file size +>>28 lelong x %#08x +>8 lelong &0x4000 \b, MD5 checksum present +>8 lelong &0x8000 \b, extension tags present +>12 lelong x \b, address %#08x +>24 lelong x \b, %u total blocks diff --git a/contrib/file/magic/Magdir/uterus b/contrib/file/magic/Magdir/uterus index a8be8a880d28..4b9e768b6424 100644 --- a/contrib/file/magic/Magdir/uterus +++ b/contrib/file/magic/Magdir/uterus @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ +# $File: uterus,v 1.4 2022/10/31 13:22:26 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # @@ -11,6 +11,6 @@ >7 byte x \b%c >8 string \<\> \b, big-endian >>16 belong >0 \b, slut size %u ->8 string \>\< \b, litte-endian +>8 string \>\< \b, little-endian >>16 lelong >0 \b, slut size %u >10 byte &8 \b, compressed diff --git a/contrib/file/magic/Magdir/uuencode b/contrib/file/magic/Magdir/uuencode index 7844468484c2..df70dc5319a5 100644 --- a/contrib/file/magic/Magdir/uuencode +++ b/contrib/file/magic/Magdir/uuencode @@ -1,16 +1,18 @@ #------------------------------------------------------------------------------ -# $File: uuencode,v 1.8 2019/12/14 20:40:26 christos Exp $ +# $File: uuencode,v 1.9 2021/11/13 17:48:10 christos Exp $ # uuencode: file(1) magic for ASCII-encoded files # -# GRR: the first line of xxencoded files is identical to that in uuencoded -# files, but the first character in most subsequent lines is 'h' instead of -# 'M'. (xxencoding uses lowercase letters in place of most of uuencode's -# punctuation and survives BITNET gateways better.) If regular expressions -# were supported, this entry could possibly be split into two with -# "begin\040\.\*\012M" or "begin\040\.\*\012h" (where \. and \* are REs). -0 search/1 begin\ uuencoded or xxencoded text +# The first line of xxencoded files is identical to that in uuencoded files, +# but the first character in most subsequent lines is 'h' instead of 'M'. +# (xxencoding uses lowercase letters in place of most of uuencode's +# punctuation and survives BITNET gateways better.) +0 regex/1024 \^begin\040[0-7]{3}\040 +>&0 regex/256 [\012\015]+M[\040-\140]{60}[\012\015]+ uuencoded text +>&0 regex/256 [\012\015]+h[0-9A-Za-z\053\055]{60}[\012\015]+ xxencoded text +>&0 default x uuencoded or xxencoded text +>&0 string >\0 \b, file name "%s" # btoa(1) is an alternative to uuencode that requires less space. 0 search/1 xbtoa\ Begin btoa'd text diff --git a/contrib/file/magic/Magdir/varied.script b/contrib/file/magic/Magdir/varied.script index ff893882b01e..74b1b2276c51 100644 --- a/contrib/file/magic/Magdir/varied.script +++ b/contrib/file/magic/Magdir/varied.script @@ -1,59 +1,21 @@ #------------------------------------------------------------------------------ -# $File: varied.script,v 1.13 2019/10/11 14:35:29 christos Exp $ +# $File: varied.script,v 1.15 2022/10/18 13:01:30 christos Exp $ # varied.script: file(1) magic for various interpreter scripts -0 string/t #!\ / a ->3 string >\0 %s script text executable -!:strength / 2 +0 string/wt #!\ a +>&-1 string/T x %s script text executable +!:strength / 3 -0 string/b #!\ / a ->3 string >\0 %s script executable (binary data) -!:strength / 2 +0 string/wb #!\ a +>&-1 string/T x %s script executable (binary data) +!:strength / 3 -0 string/t #!\t/ a ->3 string >\0 %s script text executable -!:strength / 2 - -0 string/b #!\t/ a ->3 string >\0 %s script executable (binary data) -!:strength / 2 - -0 string/t #!/ a ->2 string >\0 %s script text executable -!:strength / 2 - -0 string/b #!/ a ->2 string >\0 %s script executable (binary data) -!:strength / 2 - -0 string/t #!\ script text executable ->3 string >\0 for %s -!:strength / 2 - -0 string/b #!\ script executable ->3 string >\0 for %s (binary data) -!:strength / 2 # using env -0 string/t #!/usr/bin/env a ->15 string/t >\0 %s script text executable -!:strength / 10 - -0 string/b #!/usr/bin/env a ->15 string/b >\0 %s script executable (binary data) -!:strength / 10 - -0 string/t #!\ /usr/bin/env a ->16 string/t >\0 %s script text executable -!:strength / 10 - -0 string/b #!\ /usr/bin/env a ->16 string/b >\0 %s script executable (binary data) -!:strength / 10 +0 string/wt #!\ /usr/bin/env a +>15 string/T >\0 %s script text executable +!:strength / 6 -# From: arno <arenevier@fdn.fr> -# mozilla xpconnect typelib -# see https://www.mozilla.org/scriptable/typelib_file.html -0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib ->0x10 byte x version %d ->>0x11 byte x \b.%d +0 string/wb #!\ /usr/bin/env a +>15 string/T >\0 %s script executable (binary data) +!:strength / 6 diff --git a/contrib/file/magic/Magdir/virtual b/contrib/file/magic/Magdir/virtual index e947ee33d29c..3372020421a7 100644 --- a/contrib/file/magic/Magdir/virtual +++ b/contrib/file/magic/Magdir/virtual @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: virtual,v 1.12 2020/02/15 01:20:15 christos Exp $ +# $File: virtual,v 1.17 2022/08/23 08:00:54 christos Exp $ # From: James Nobis <quel@quelrod.net> # Microsoft hard disk images for: # Virtual Server @@ -16,18 +16,18 @@ !:mime application/x-virtualbox-vhd !:ext vhd # Features is a bit field used to indicate specific feature support -#>8 ubelong !0x00000002 \b, Features 0x%x +#>8 ubelong !0x00000002 \b, Features %#x # Reserved. This bit must always be set to 1. -#>8 ubelong &0x00000002 \b, Reserved 0x%x +#>8 ubelong &0x00000002 \b, Reserved %#x # File Format Version for the current specification 0x00010000 -#>12 ubelong !0x00010000 \b, Version 0x%8.8x +#>12 ubelong !0x00010000 \b, Version %#8.8x # Data Offset only found 0x200 -#>16 ubequad !0x200 \b, Data Offset 0x%llx -#>16 ubequad x \b, at 0x%llx +#>16 ubequad !0x200 \b, Data Offset %#llx +#>16 ubequad x \b, at %#llx # Dynamic Disk Header cookie like cxsparse #>(16.Q) string x "%-.8s" # This field contains a Unicode string (UTF-16) of the parent hard disk filename -#>(16.Q+64) ubequad x \b, parent name 0x%llx +#>(16.Q+64) ubequad x \b, parent name %#llx # Creator Application # vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd >28 string x \b, Creator %-4.4s @@ -35,7 +35,7 @@ # holds the major/minor version of the application that created the image >32 ubeshort x %x >34 ubeshort x \b.%x -#>32 ubelong x \b, Version 0x%8.8x +#>32 ubelong x \b, Version %#8.8x # Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac) >36 ubelong x ( >>36 ubelong 0x5769326B \bW2k @@ -45,30 +45,30 @@ # creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch >24 bedate+946684800 x \b) %s # Original Size -#>40 ubequad x \b, o.-Size 0x%llx +#>40 ubequad x \b, o.-Size %#llx # Current Size is same as original size, but change when disk is expanded -#>48 ubequad x \b, Size 0x%llx +#>48 ubequad x \b, Size %#llx >48 ubequad x \b, %llu bytes # Disk Geometry: cylinder, heads, and sectors/track for hard disk -#>56 ubeshort x \b, Cylinder 0x%x +#>56 ubeshort x \b, Cylinder %#x >56 ubeshort x \b, CHS %u # Heads -#>58 ubyte x \b, Heads 0x%x +#>58 ubyte x \b, Heads %#x >58 ubyte x \b/%u # Sectors per track -#>59 ubyte x \b, Sectors 0x%x +#>59 ubyte x \b, Sectors %#x >59 ubyte x \b/%u # Disk Type: 3~Dynamic hard disk ->60 ubelong !0x3 \b, type 0x%x +>60 ubelong !0x3 \b, type %#x # Checksum -#>64 ubelong x \b, cksum 0x%x +#>64 ubelong x \b, cksum %#x # universally unique identifier (UUID) to associate a parent with its differencing image -#>68 ubequad x \b, id 0x%16.16llx +#>68 ubequad x \b, id %#16.16llx #>76 ubequad x \b-%16.16llx # Saved State: 1~Saved State ->84 ubyte !0 \b, State 0x%x +>84 ubyte !0 \b, State %#x # Reserved 427 bytes with nils -#>85 ubequad !0 \b, Reserved 0x%16.16llx +#>85 ubequad !0 \b, Reserved %#16.16llx # From: Joerg Jenderek # URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx @@ -88,43 +88,43 @@ # Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512" >>8 lestring16 x \b, by %.256s # The Checksum field is a CRC-32C hash over the entire 4 KB structure -#>>0x10004 ulelong x \b, CRC 0x%x +#>>0x10004 ulelong x \b, CRC %#x # SequenceNumber ->>0x10008 ulequad x \b, sequence 0x%llx +>>0x10008 ulequad x \b, sequence %#llx # FileWriteGuid -#>>0x10010 ubequad x \b, file id 0x%llx +#>>0x10010 ubequad x \b, file id %#llx #>>>0x10018 ubequad x \b-%llx # DataWriteGuid -#>>0x10020 ubequad x \b, data id 0x%llx +#>>0x10020 ubequad x \b, data id %#llx #>>>0x10028 ubequad x \b-%llx # LogGuid. If this field is zero, then the log is empty or has no valid entries ->>0x10030 ubequad >0 \b, log id 0x%llx +>>0x10030 ubequad >0 \b, log id %#llx >>>0x10038 ubequad x \b-%llx # LogVersion. If not 0 there is a log to replay ->>0x10040 uleshort >0 \b, LogVersion 0x%x +>>0x10040 uleshort >0 \b, LogVersion %#x # Version. This field must be set to 1 ->>0x10042 uleshort !1 \b, Version 0x%x +>>0x10042 uleshort !1 \b, Version %#x # LogLength must be multiples of 1 MB >>0x10044 ulelong/1048576 >1 \b, LogLength %u MB # LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB ->>0x10048 ulequad !0x100000 \b, LogOffset 0x%llx +>>0x10048 ulequad !0x100000 \b, LogOffset %#llx # Log Entry Signature must be 0x65676F6C~loge >>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature >>(0x10048.q) ulelong =0x65676F6C \b; LOG # Log Entry Checksum -#>>>(0x10048.q+4) ulelong x \b, Log CRC 0x%x +#>>>(0x10048.q+4) ulelong x \b, Log CRC %#x # Log Entry Length must be a multiple of 4 KB >>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB # Log Entry Tail must be a multiple of 4 KB -#>>>(0x10048.q+12) ulelong x \b, Tail 0x%x +#>>>(0x10048.q+12) ulelong x \b, Tail %#x # Log Entry SequenceNumber -#>>>(0x10048.q+16) ulequad x \b, # 0x%llx +#>>>(0x10048.q+16) ulequad x \b, # %#llx # Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8 -#>>>(0x10048.q+24) ulelong x \b, DescriptorCount 0x%llx +#>>>(0x10048.q+24) ulelong x \b, DescriptorCount %#llx # Log Entry Reserved must be set to 0 ->>>(0x10048.q+28) ulelong !0 \b, Reserved 0x%x +>>>(0x10048.q+28) ulelong !0 \b, Reserved %#x # Log Entry LogGuid -#>>>(0x10048.q+32) ubequad x \b, Log id 0x%llx +#>>>(0x10048.q+32) ubequad x \b, Log id %#llx #>>>(0x10048.q+40) ubequad x \b-%llx # Log Entry FlushedFileOffset should VHDX size when entry is written. #>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu @@ -133,28 +133,28 @@ # filling #>>>(0x10048.q+64) ulequad >0 \b, filling %llx # Reserved[4016] -#>>0x10050 ulequad >0 \b, Reserved 0x%llx +#>>0x10050 ulequad >0 \b, Reserved %#llx # VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB >0x30000 ulelong !0x69676572 \b, 1st region INVALID >0x30000 ulelong =0x69676572 \b; region # region Checksum. CRC-32C hash over the entire 64-KB table -#>>0x30004 ulelong x \b, CRC 0x%x +#>>0x30004 ulelong x \b, CRC %#x # The EntryCount specifies number of valid entries; Found 2; This must be =< 2047. >>0x30008 ulelong x \b, %u entries # reserved must be zero -#>>0x3000C ulelong !0 \b, RESERVED 0x%x +#>>0x3000C ulelong !0 \b, RESERVED %#x # Region Table Entry starts with identifier for the object. often BAT id >>0x30010 use vhdx-id # FileOffset ->>0x30020 ulequad x \b, at 0x%llx +>>0x30020 ulequad x \b, at %#llx # Length. Specifies the length of the object within the file -#>>0x30028 ulelong x \b, Length 0x%x +#>>0x30028 ulelong x \b, Length %#x # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX >>0x3002C ulelong x \b, Required %u # 2nd region entry often metadata id >>0x30030 use vhdx-id # 2nd entry FileOffset ->>0x30040 ulequad x \b, at 0x%llx +>>0x30040 ulequad x \b, at %#llx # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX >>0x3004C ulelong x \b, Required %u # 2nd region @@ -189,7 +189,7 @@ >>0 use vhdx-id-hex # in vhdx images show id as hexadecimal 0 name vhdx-id-hex ->0 ubequad x \b, ID 0x%16.16llx +>0 ubequad x \b, ID %#16.16llx >8 ubequad x \b-%16.16llx # # libvirt @@ -219,7 +219,8 @@ # Updated by Adam Buchbinder (adam.buchbinder@gmail.com) # Made by reading sources, reading documentation, and doing trial and error # on existing QCOW files -0 string/b QFI\xFB +0 string/b QFI\xFB QEMU QCOW Image +!:mime application/x-qemu-disk # Uncomment the following line to display Magic (only used for debugging # this magic number) @@ -227,8 +228,7 @@ # There are currently 2 Versions: "1" and "2". # https://www.gnome.org/~markmc/qcow-image-format-version-1.html ->4 belong !1 QEMU QCOW2 Image ->4 belong 1 QEMU QCOW Image (v1) +>4 belong x (v%d) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information diff --git a/contrib/file/magic/Magdir/vorbis b/contrib/file/magic/Magdir/vorbis index b4a8f33abdb4..49e75cb2d2e5 100644 --- a/contrib/file/magic/Magdir/vorbis +++ b/contrib/file/magic/Magdir/vorbis @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vorbis,v 1.24 2018/03/14 04:38:44 christos Exp $ +# $File: vorbis,v 1.26 2020/08/22 18:30:55 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner <leitner@fefe.de> @@ -132,11 +132,11 @@ >>>>>>(84.b+117) string 20140122 (1.3.4) >>>>>>(84.b+117) string 20150105 (1.3.5) -# non-Vorbis content: Opus https://tools.ietf.org/html/draft-ietf-codec-oggopus-06#section-5 +# non-Vorbis content: Opus https://tools.ietf.org/html/rfc7845#section-5 >>28 string OpusHead \b, Opus audio, !:mime audio/ogg >>>36 ubyte >0x0F UNKNOWN VERSION %u, ->>>36 ubyte &0x0F version 0.%d +>>>36 ubyte&0x0F !0 version 0.%u, >>>>46 ubyte >1 >>>>>46 ubyte !255 unknown channel mapping family %u, >>>>>37 ubyte x %u channels @@ -152,4 +152,4 @@ >>>>>37 ubyte 6 5.1 surround >>>>>37 ubyte 7 6.1 surround >>>>>37 ubyte 8 7.1 surround ->>>>40 lelong !0 \b, %u Hz +>>>>40 lelong !0 \b, %u Hz (Input Sample Rate)
\ No newline at end of file diff --git a/contrib/file/magic/Magdir/web b/contrib/file/magic/Magdir/web index ca8d812365e5..a0d26e67fb9c 100644 --- a/contrib/file/magic/Magdir/web +++ b/contrib/file/magic/Magdir/web @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: web,v 1.1 2020/05/17 19:14:28 christos Exp $ +# $File: web,v 1.2 2022/10/29 16:02:37 christos Exp $ # http://www.rdfhdt.org/ # From Christoph Biedl @@ -10,3 +10,9 @@ 0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1 !:mime application/vnd.hdt !:ext hdt + +0 string [Adblock\040Plus Adblock Plus +>&1 regex [0-9.]+ %s +>1 string x rules file +>10 search/100 Version: +>>&1 regex [0-9]+ \b, version %s diff --git a/contrib/file/magic/Magdir/webassembly b/contrib/file/magic/Magdir/webassembly index 3b1d37e667bd..469b45e22b8e 100644 --- a/contrib/file/magic/Magdir/webassembly +++ b/contrib/file/magic/Magdir/webassembly @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: webassembly,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: webassembly,v 1.4 2022/08/16 11:16:39 christos Exp $ # webassembly: file(1) magic for WebAssembly modules # # WebAssembly is a virtual architecture developed by a W3C Community @@ -12,4 +12,6 @@ 0 string \0asm WebAssembly (wasm) binary module >4 lelong =1 version %#x (MVP) +!:mime application/wasm +!:ext wasm >4 lelong >1 version %#x diff --git a/contrib/file/magic/Magdir/windows b/contrib/file/magic/Magdir/windows index 8a7923fc1c73..f58ce3e5a511 100644 --- a/contrib/file/magic/Magdir/windows +++ b/contrib/file/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.31 2020/03/15 16:44:37 christos Exp $ +# $File: windows,v 1.63 2023/07/17 16:56:13 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -15,40 +15,255 @@ # Summary: Outlook Express DBX file -# Extension: .dbx # Created by: Christophe Monniez -0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file ->4 byte =0xC5 \b, message database ->4 byte =0xC6 \b, folder database ->4 byte =0xC7 \b, account information ->4 byte =0x30 \b, offline database +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Outlook_Express_Database +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbx.trid.xml +# https://sourceforge.net/projects/ol2mbox/files/LibDBX/ +# v1.0.4/libdbx_1.0.4.tar.gz/FILE-FORMAT +# Note: called "Outlook Express Database" by TrID and DROID via PUID fmt/838 fmt/839 +# and partly verified by `undbx --verbosity 4 Posteingang.dbx` +0 string \xCF\xAD\x12\xFE +# skip DROID fmt-838-signature-id-1193.dbx fmt-839-signature-id-1194.dbx by check for valid file size +>0x7C ulelong >0 MS Outlook Express DBX file +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-dbx +!:ext dbx +>>4 byte =0xC5 \b, message database +>>4 byte =0xC6 \b, folder database +>>4 byte =0xC7 \b, account information +>>4 byte =0x30 \b, offline database +# version like: 5.2 5.5 (typical) +>>20 ulequad !0x0000000500000005 \b, version +# major version +>>>24 ulelong x %u +# minor version +>>>20 ulelong x \b.%u +# CLSID: 6F74FDC5-E366-11d1-9A4E-00C04FA309D4~Message 6F74FDC6-E366-11D1-9A4E-00C04FA309D4~Folder +# 26FE9D30-1A8F-11D2-AABF-006097D474C4~offline +#>>4 guid x \b, CLSID %s +# file size; total size of file; sometimes real size a little bit higher +>>0x7C ulelong x \b, ~ %u bytes +# highest Email ID; the next email will have a number one higher than this +>>0x5c ulelong x \b, highest ID %#x +# item count; number of items stored in this DBX file +>>0xC4 ulelong x \b, %u item +# plural s +>>0xC4 ulelong !1 \bs +# index pointer; file offset pointing to a page of Data Indexes +>>0xE4 ulelong >0 \b, index pointer %#x +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Nickfile +# https://www.nirsoft.net/utils/outlook_nk2_edit.html +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nk2.trid.xml +# https://github.com/libyal/libnk2/blob/main/documentation +# Nickfile%20(NK2)%20format.asciidoc +# Note: called "Outlook Nickfile" by TrID & TestDisk and +# "Outlook Nickname File" by Microsoft Outlook and +# "Outlook AutoComplete File" by Nirsoft NK2Edit +# partly verfied by NK2Edit Raw Text Edit Mode +0 ubelong 0x0DF0ADBA MS Outlook Nickfile +#!:mime application/octet-stream +#!:mime application/vnd.ms-outlook +!:mime application/x-ms-nickfile +!:ext nk2/dat/bak +# nick is used by "older" Outlook; dat is used by "newer" Outlook (probably 2010 - 2016); bak is used for backup +#!:ext nick/nk2/dat/bak +# Unknown; probably a version indicator like: 0000000Ah 0000000Ch +>4 ulelong x \b, probably version %u +# Unknown2; probably a version indicator like: 1 0 +>8 ulelong x \b.%u +# number of rows (nickname or alias items) in file +>12 ulelong x \b, %u items +# number of item entries/columns/properties value like: 17h +>16 ulelong x \b, %u entries +# value type/property tag: 001Fh~4 bytes for data size of UTF-16 LE string +>20 uleshort x \b, value type %#4.4x +# entry type/property identifier: 6001h~PR_DOTSTUFF_STATE/PR_NICK_NAME_W +>22 uleshort x \b, entry type %#4.4x +# Reserved like: 0013FD90h +#>24 ulelong x \b, reserved %#8.8x +# value data array/Irrelevant Union like: 0000000004E31A80h +#>28 ulequad x \b, data %#16.16llx +# UTF-16 +>20 uleshort =0x001F +# unicode string bytes like: 2Ch +>>36 ulelong x \b, %u bytes +# unicode string value PT_UNICODE like: janesmith@contoso.org +>>40 lestring16 x "%s" # Summary: Windows crash dump -# Extension: .dmp # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html +# https://web.archive.org/web/20101125060849/https://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) +# Modified by (2): Joerg Jenderek (addtional fields, extension, URL) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp.trid.xml +# https://gitlab.com/qemu-project/qemu/-/blob/master/include/qemu/win_dump_defs.h +# Note: called "Windows memory dump" by TrID +# and verified by like Windows Kit `Dumpchk.exe 043022-18703-01.dmp` +# and partly by NirSoft `BlueScreenView.exe 043022-18703-01.dmp` +# char Signature[4] 0 string PAGE +# char ValidDump[4] >4 string DUMP MS Windows 32bit crash dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: Mini111013-01.dmp +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 2600 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 709000 +#>>16 ulelong x \b, DirectoryTableBase %#x +# PfnDatabase like: 805620c8 +#>>20 ulelong x \b, PfnDatabase %#x +# PsLoadedModuleList like: 8055d720 +#>>24 ulelong x \b, PsLoadedModuleList %#x +# PsActiveProcessHead like:805638b8 +#>>28 ulelong x \b, PsActiveProcessHead %#x +# MachineImageType like: 14c (intel x86) +>>32 ulelong !0x14c \b, MachineImageType %#x +# NumberProcessors like: 2 +>>36 ulelong x \b, %u processors +# BugcheckCode like: e2 +#>>40 ulelong x \b, BugcheckCode %#x +# BugcheckParameter1 like: 0 +#>>44 ulelong x \b, BugcheckParameter1 %#x +# BugcheckParameter2 like: 0 +#>>48 ulelong x \b, BugcheckParameter2 %#x +# BugcheckParameter3 like: 0 +#>>52 ulelong x \b, BugcheckParameter3 %#x +# BugcheckParameter4 like: 0 +#>>56 ulelong x \b, BugcheckParameter4 %#x +# VersionUser[32]; like "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>60 string x \b, VersionUser "%.32s" +# uint32_t reserved0 like: 45474101 +#>>92 ulelong x \b, reserved0 %#x >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE +# KdDebuggerDataBlock like: 8054d2e0 +#>>96 ulelong x \b, KdDebuggerDataBlock %#x +# uint8_t PhysicalMemoryBlockBuffer[700] +# WinDumpPhyMemDesc32 NumberOfRuns like: 45474150 +#>>100 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +#>>104 ulelong x \b, NumberOfPages %#x +# WinDumpPhyMemRun32 Run[86]; 688 bytes +#>>108 ulelong x \b, BasePage %#x +#>>112 ulelong x \b, PageCount %#x +# uint8_t reserved1[3200] +#>>800 string x \b, reserved "%s" +#>>4000 ulelong x \b, RequiredDumpSpace %#x +# uint8_t reserved2[92]; +#>>4004 string x \b, reserved2 "%s" >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump +# like: 4 +>>0xf88 lelong >3 \b, dump type (%#x) +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! +#>>104 ulelong x \b, NumberOfPages %#x >>0x068 lelong x \b, %d pages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp-64.trid.xml113o +# Note: called "Windows 64bit Memory Dump" by TrID +# char ValidDump[4] >4 string DU64 MS Windows 64bit crash dump ->>0xf98 lelong 1 \b, full dump ->>0xf98 lelong 2 \b, kernel dump ->>0xf98 lelong 3 \b, small dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: c:\Windows\Minidump\020322-18890-01.dmp c:\Windows\MEMORY.DMP +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 9600 19041 22621 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 001ab000 +#>>16 ulequad x \b, DirectoryTableBase %#llx +# PfnDatabase like: fffffa8000000000 +#>>24 ulequad x \b, PfnDatabase %#llx +# PsLoadedModuleList like: fffff800c553f650 +#>>32 ulequad x \b, PsLoadedModuleList %#llx +# PsActiveProcessHead like: fffff800c5525400 +#>>40 ulequad x \b, PsActiveProcessHead %#llx +# MachineImageType like: 00008664 +>>48 ulelong !0x8664 \b, MachineImageType %#x +# NumberProcessors like: 2 4 +>>52 ulelong x \b, %u processors +# BugcheckCode like: 1000007e +#>>56 ulelong x \b, BugcheckCode %#x +# unused0 +#>>60 ulelong x \b, unused0 %#x +# BugcheckParameter1 like: ffffffffc0000005 +#>>64 ulequad x \b, BugcheckParameter1 %#llx +# BugcheckParameter2 like: fffff801abb2158f +#>>72 ulequad x \b, BugcheckParameter2 %#llx +# BugcheckParameter3 like: ffffd000290d4288 +#>>80 ulequad x \b, BugcheckParameter3 %#llx +# BugcheckParameter4 like: ffffd000290d3aa0 +#>>88 ulequad x \b, BugcheckParameter4 %#llx +# VersionUser[32]; like "" "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>96 string x \b, VersionUser "%.32s" +# KdDebuggerDataBlock like: fffff800c550c530 +#>>128 ulequad x \b, KdDebuggerDataBlock %#llx +# uint8_t PhysicalMemoryBlockBuffer[704] +# WinDumpPhyMemDesc64 NumberOfRuns like: 6 7 0x45474150 +#>>136 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc64 unused like: 0 0x45474150 +#>>140 ulelong x \b, unused %#x +# WinDumpPhyMemRun64 Run[43] BasePage like: 1 +#>>152 ulequad x \b, BasePage %#llx +# WinDumpPhyMemRun64 Run[43] PageCount like: 57h +#>>160 ulequad x \b, PageCount %#llx +# uint8_t ContextBuffer[3000] like: "" "\001" "\0207J\266\001\340\377\377&8\007\312" +#>>840 string x \b, ContextBuffer "%s" +# WinDumpExceptionRecord ExceptionCode +#>>3840 ulelong x \b, ExceptionCode %#x +# WinDumpExceptionRecord ExceptionFlags +#>>3844 ulelong x \b, ExceptionFlags %#x +# WinDumpExceptionRecord ExceptionRecord +#>>3848 ulequad x \b, ExceptionRecord %#llx +# WinDumpExceptionRecord ExceptionAddress +#>>3856 ulequad x \b, ExceptionAddress %#llx +# WinDumpExceptionRecord NumberParameters +#>>3864 ulelong x \b, NumberParameters %#x +# WinDumpExceptionRecord unused +#>>3868 ulelong x \b, unsed %#x +# WinDumpExceptionRecord ExceptionInformation[15] +#>>3872 ulequad x \b, ExceptionInformation[0] %#llx +# https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options +# but DumpType like: 4~small 5~full (MEMORY.DMP) 6~kernel (MEMORY.DMP) +>>0xf98 ulelong x \b, +>>>0xf98 lelong 5 full dump +>>>0xf98 lelong 6 kernel dump +>>>0xf98 lelong 4 small dump +# This probably never occur +>>>0xf98 default x DumpType +>>>>0xf98 ulelong x (%#x) +# WinDumpPhyMemDesc64 uint64_t NumberOfPages like: 3142425 8341923 8366500 1162297680 4992030524978970960 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! >>0x090 lequad x \b, %lld pages - # Summary: Vista Event Log -# Extension: .evtx # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html -0 string ElfFile\0 MS Windows Vista Event Log +# Update: Joerg Jenderek +# URL: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc +# Reference (1): https://web.archive.org/web/20110803085000/ +# https://computer.forensikblog.de/en/2007/05/some_magic.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/evtx.trid.xml +# Note: called "Vista Event Log" by TrID and "Event Log" by Windows +# verified partly by `wevtutil.exe gli /lf:true dumpfile.evtx` +0 string ElfFile\0 MS Windows +#!:mime application/octet-stream +!:mime application/x-ms-evtx +!:ext evtx +# Major+Minor format version: 3.1~Vista and later 3.2~Windows 10 (2004) and later +>0x24 ulelong =0x00030001 Vista-8.1 Event Log +>0x24 ulelong !0x00030001 10-11 Event Log, version +>>0x26 uleshort x %u +>>0x24 uleshort x \b.%u >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d @@ -56,6 +271,32 @@ >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL +# Summary: Windows Event Trace Log +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ETL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/etl.trid.xml +# https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.htm +# Note: called "Window tracing/diagnostic binary log" by TrID +# verified by `tracerpt.EXE Wifi.etl -of EVTX` +# and by etl-parser `etl2xml --input AMSITrace.etl --output AMSITrace.xml` +# Every ETL file begins with a WMI_BUFFER_HEADER, a SYSTEM_TRACE_HEADER and a TRACE_LOGFILE_HEADER +0 ubyte 0 +# look for corresponding encoded as UTF-16 file name extension like in: boot_BASE+CSWITCH_1.etl +>0 search/0x699087/b .\0e\0t\0l\0\0\0 +# GRR: line above only works if in ../../src/file.h FILE_BYTES_MAX is raised above 699086h (6,59 MiB) +>>0 use trace-etl +# display information of Windows Performance Analyzer Trace File (file name) +0 name trace-etl +>0 ubyte x Windows Event Trace Log +#!:mime application/x-ms-etl +# http://extension.nirsoft.net/etl +!:mime application/etl +!:ext etl +# look for DOS drive letter part of log file name like: PhotosAppTracing_startedInBGMode.etl +>0 search/0x2b4/sb :\0\x5c\0 +# like: "c:\Windows\Logs\NetSetup\service.0.etl" "C:\Windows\System32\LogFiles\WMI\Wifi.etl" +>>&-2 lestring16 x "%s" + # Summary: Windows System Deployment Image # Created by: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/System_Deployment_Image @@ -67,53 +308,53 @@ # \Boot\boot.sdi !:ext sdi # MDBtype: 0~Unspecified 1~RAM 2~ROM ->>8 ulequad !0 \b, MDBtype 0x%llx +>>8 ulequad !0 \b, MDBtype %#llx # BootCodeOffset ->>16 ulequad !0 \b, BootCodeOffset 0x%llx +>>16 ulequad !0 \b, BootCodeOffset %#llx # BootCodeSize ->>24 ulequad !0 \b, BootCodeSize 0x%llx +>>24 ulequad !0 \b, BootCodeSize %#llx # VendorID ->>32 ulequad !0 \b, VendorID 0x%llx +>>32 ulequad !0 \b, VendorID %#llx # DeviceID ->>40 ulequad !0 \b, DeviceID 0x%llx +>>40 ulequad !0 \b, DeviceID %#llx # DeviceModel ->>48 ulequad !0 \b, DeviceModel 0x%llx +>>48 ulequad !0 \b, DeviceModel %#llx >>>56 ulequad !0 \b%llx # DeviceRole ->>64 ulequad !0 \b, DeviceRole 0x%llx +>>64 ulequad !0 \b, DeviceRole %#llx # Reserved1; reserved fields and gaps between BLOBs are padded with \0 -#>>72 ulequad !0 \b, Reserved1 0x%llx +#>>72 ulequad !0 \b, Reserved1 %#llx # RuntimeGUID ->>80 ulequad !0 \b, RuntimeGUID 0x%llx +>>80 ulequad !0 \b, RuntimeGUID %#llx >>>88 ulequad !0 \b%llx # RuntimeOEMrev ->>96 ulequad !0 \b, RuntimeOEMrev 0x%llx +>>96 ulequad !0 \b, RuntimeOEMrev %#llx # Reserved2 -#>>104 ulequad !0 \b, Reserved2 0x%llx +#>>104 ulequad !0 \b, Reserved2 %#llx # BLOB alignment value in pages, as specified in sdimgr /pack: 1~4K 2~8k >>112 ulequad !0 \b, PageAlignment %llu # Reserved3[48] -#>>120 ulequad !0 \b, Reserved3 0x%llx +#>>120 ulequad !0 \b, Reserved3 %#llx # SDI checksum 39h ->>0x1f8 ulequad x \b, checksum 0x%llx +>>0x1f8 ulequad x \b, checksum %#llx # BLOBtype[8] \0-padded: PART, WIM , BOOT, LOAD, DISK >>0x400 string >\0 \b, type %-3.8s # 0~non-filesystem 7~NTFS 6~BIGFAT ->>>0x420 ulequad !0 (0x%llx) +>>>0x420 ulequad !0 (%#llx) # ATTRibutes ->>>0x408 ulequad !0 0x%llx attributes +>>>0x408 ulequad !0 %#llx attributes # Offset ->>>0x410 ulequad x at 0x%llx +>>>0x410 ulequad x at %#llx # print 1 space after size and then handles NTFS boot sector by ./filesystems >>>0x418 ulequad >0 %llu bytes >>>>(0x410.l) indirect x # 2nd BLOB: WIM >>0x440 string >\0 \b, type %-3.8s ->>>0x428 ulequad !0 (0x%llx) +>>>0x428 ulequad !0 (%#llx) # ATTRibutes ->>>0x448 ulequad !0 0x%llx attributes +>>>0x448 ulequad !0 %#llx attributes # Offset ->>>0x450 ulequad x at 0x%llx +>>>0x450 ulequad x at %#llx >>>0x458 ulequad >0 %llu bytes >>>>(0x450.l) indirect x # 3rd BLOB @@ -139,13 +380,13 @@ # apparently a version number: 2 for older like Vista, 3, 4 Windows 10 >0 ulelong >2 \b, version %u # apparently the size of the header: often 10h in older Windows, 14h, 18h ->4 ulelong !0x10 \b, header size 0x%x +>4 ulelong !0x10 \b, header size %#x #>4 ulelong !0x10 \b, header size %u # apparently the size of the file: always 0x00010000~64KiB # the file is acceptable to BOOTMGR only if it is exactly 64 KiB ->8 ulelong !0x00010000 \b, file size 0x%x +>8 ulelong !0x00010000 \b, file size %#x # size of valid data, in bytes: C8h 50h 172h 5D5Ch ->0xc ulelong x \b, 0x%x valid bytes +>0xc ulelong x \b, %#x valid bytes # skip header and jump to first bootstat entry and display information >(0x4.l-1) ubyte x >>&0 use bootstat-entry @@ -164,24 +405,24 @@ #>0x00 ubequad x \b, ENTRY %16.16llx # size of entry, in bytes: 40h(init) 78h(launced) 9Ch #>0x18 ulelong x \b; entry size %u ->0x18 ulelong x \b; entry size 0x%x +>0x18 ulelong x \b; entry size %#x # time stamp, in seconds ->0x00 ulelong x \b, 0x%x seconds +>0x00 ulelong x \b, %#x seconds # always zero, significance unknown >0x04 ulelong !0 \b, not null %u # GUID of event source; but empty if event source is BOOTMGR ->0x08 ubequad !0 \b, GUID 0x%16.16llx +>0x08 ubequad !0 \b, GUID %#16.16llx >>0x10 ubequad x \b%16.16llx # severity code: 1~informational 3~errors ->0x1C ulelong !1 \b, severity 0x%x +>0x1C ulelong !1 \b, severity %#x # apparently a version number: 2 >0x20 ulelong !2 \b, version %u # event identifier 1~log file initialised 11h~boot application launched -#>0x24 ulelong x \b, event 0x%x +#>0x24 ulelong x \b, event %#x >0x24 ulelong !1 ->>0x24 ulelong !0x11 \b, event 0x%x +>>0x24 ulelong !0x11 \b, event %#x # entry data; size depends on event identifier -#>0x28 ubequad x \b, data 0x%16.16llx +#>0x28 ubequad x \b, data %#16.16llx >0x24 ulelong =0x1 \b, Init # always 0, significance unknown >>0x34 uleshort !0 \b, not null %u @@ -248,7 +489,7 @@ >>>2 leshort 0x27 x.y >>>2 leshort 0x33 95 >>>2 default x y.z ->>>>2 leshort x 0x%x +>>>>2 leshort x %#x # to complete message string like "MS Windows 3.x help file" >>>2 leshort x help # GenDate often older than file creation date @@ -307,39 +548,39 @@ !:mime application/x-winhelp !:ext bmk ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN -##>>8 lelong x \b, FirstFreeBlock 0x%8.8x +##>>8 lelong x \b, FirstFreeBlock %#8.8x # EntireFileSize >>12 lelong x \b, %d bytes ## ReservedSpace normally 042Fh AFh for *.ANN -#>>(4.l) lelong x \b, ReservedSpace 0x%8.8x +#>>(4.l) lelong x \b, ReservedSpace %#8.8x ## UsedSpace normally 0426h A6h for *.ANN -#>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x +#>>(4.l+4) lelong x \b, UsedSpace %#8.8x ## FileFlags normally 04... -#>>(4.l+5) lelong x \b, FileFlags 0x%8.8x +#>>(4.l+5) lelong x \b, FileFlags %#8.8x ## file header magic 0x293B -#>>(4.l+9) uleshort x \b, file header magic 0x%4.4x +#>>(4.l+9) uleshort x \b, file header magic %#4.4x ## file header Flags 0x0402 -#>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x +#>>(4.l+11) uleshort x \b, file header Flags %#4.4x ## file header PageSize 0400h 80h for *.ANN -#>>(4.l+13) uleshort x \b, PageSize 0x%4.4x +#>>(4.l+13) uleshort x \b, PageSize %#4.4x ## Structure[16] z4 #>>(4.l+15) string >\0 \b, Structure_"%-.16s" ## MustBeZero 0 -#>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x +#>>(4.l+31) uleshort x \b, MustBeZero %#4.4x ## PageSplits -#>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x +#>>(4.l+33) uleshort x \b, PageSplits %#4.4x ## RootPage -#>>(4.l+35) uleshort x \b, RootPage 0x%4.4x +#>>(4.l+35) uleshort x \b, RootPage %#4.4x ## MustBeNegOne 0xffff -#>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x +#>>(4.l+37) uleshort x \b, MustBeNegOne %#4.4x ## TotalPages 1 -#>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x +#>>(4.l+39) uleshort x \b, TotalPages %#4.4x ## NLevels 0x0001 -#>>(4.l+41) uleshort x \b, NLevels 0x%4.4x +#>>(4.l+41) uleshort x \b, NLevels %#4.4x ## TotalBtreeEntries -#>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x +#>>(4.l+43) ulelong x \b, TotalBtreeEntries %#8.8x ## pages of the B+ tree -#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx +#>>(4.l+47) ubequad x \b, PageStart %#16.16llx # start with colon or semicolon for comment line like Back2Life.cnt 0 regex \^(:|;) @@ -358,7 +599,7 @@ # skip space at beginning >0 string \040 # name without extension and greater character or name with hlp extension ->>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" +>>1 regex/c \^([^\xd>]*|.*\\.hlp) MS Windows help file Content, based "%s" !:mime text/plain !:apple ????TEXT !:ext cnt @@ -370,66 +611,340 @@ >16 string >\0 for "%s" # Summary: Hyper terminal -# Extension: .ht # Created by: unknown +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/HyperACCESS +# https://www.hilgraeve.com/hyperterminal/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/ht.trid.xml +# Note: called "HyperTerminal data file" by TrID and "HyperTerminal File" on English Windows 0 string HyperTerminal\040 ->15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +>14 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +#!:mime application/octet-stream +!:mime application/x-ms-ht +!:ext ht # https://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut -# Extension: .lnk # Created by: unknown +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Shortcut +# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnk-shortcut.trid.xml +# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf +# Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/428 and "Windows shortcut file" by ./msdos (v 1.158) +# partly verified by command like `lnkinfo AOL.lnk` # 'L' + GUUID +# HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut +!:mime application/x-ms-shortcut +!:ext lnk +# LinkFlags +# HasLinkTargetIDList; if set a LinkTargetIDList structure MUST follow the ShellLinkHeader; If is not set, structure MUST NOT be present >20 lelong&1 1 \b, Item id list present +# HasLinkInfo; if set a LinkInfo structure MUST follow the ShellLinkHeader or LinkTargetIDList; If is not set, structure MUST NOT be present >20 lelong&2 2 \b, Points to a file or directory >20 lelong&4 4 \b, Has Description string >20 lelong&8 8 \b, Has Relative path >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon +# IconIndex >>56 lelong x \b number=%d +# IsUnicode; If set then StringData section contains Unicode-encoded strings +>20 lelong&128 128 \b, Unicoded +# ForceNoLinkInfo; LinkInfo structure is ignored +>20 lelong&256 256 \b, NoLinkInfo +# HasExpString; with an EnvironmentVariableDataBlock +>20 lelong&512 512 \b, HasEnvironment +# look for BlockSize 314h and EnvironmentVariableDataBlock BlockSignature A0000001h +>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes): optional NULL-terminated path to same environment variable Unicode encoded +# like: "%windir%\system32\calc.exe" +>>>&260 lestring16 x "%s" +# RunInSeparateProcess; run in a separate virtual machine when launching a 16-bit application; no examples found +>20 lelong&1024 1024 \b, RunInSeparateProcess +# Unused1; undefined and MUST be ignored +#>20 lelong&2048 2048 \b, Unused1 +# HasDarwinID; with a DarwinDataBlock +>20 lelong&4096 4096 \b, HasDarwinID +# look for BlockSize 314h and DarwinDataBlock BlockSignature A0000006h +>>76 search/1972 \x14\x03\x00\x00\x06\x00\x00\xa0 +# DarwinDataAnsi (260 bytes); NULL-terminated application identifier encoded with system default code page; SHOULD be ignored +#>>>&0 string x '%s' +# DarwinDataUnicode (520 bytes); NULL-terminated application identifier Unicode encoded +>>>&260 lestring16 x "%s" +# RunAsUser; target application is run as a different user +>20 lelong&8192 8192 \b, RunAsUser +# HasExpIcon; with an IconEnvironmentDataBlock +>20 lelong&16384 16384 \b, HasExpIcon +# look for BlockSize 314h and IconEnvironmentDataBlock BlockSignature A0000007h +>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment icon variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes); optional NULL-terminated path to same icon environment variable Unicode encoded +# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico" +>>>&260 lestring16 x "%s" +# NoPidlAlias; represented in the shell namespace; no examples found +>20 lelong&32768 32768 \b, NoPidlAlias +# Unused2; undefined and MUST be ignored +#>20 lelong&65536 65536 \b, Unused2 +# RunWithShimLayer; with a ShimDataBlock; no examples found +>20 lelong&131072 131072 \b, RunWithShimLayer +# ForceNoLinkTrack; TrackerDataBlock is ignored; no examples found +>20 lelong&262144 262144 \b, ForceNoLinkTrack +>20 lelong&262144 0 +# look for BlockSize 60h, TrackerDataBlock BlockSignature A0000003h, it length 58h and Version 0 +>>76 search/1972 \x60\x00\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\0\0\0\0 +# MachineID (16 bytes); a NULL-terminated NetBIOS name encoded with system default code page of the machine +>>>&0 string x \b, MachineID %0.16s +# Droid (32 bytes) +# +# DroidBirth (32 bytes) +# +# EnableTargetMetadata; collect target properties and store in PropertyStoreDataBlock +>20 lelong&524288 524288 \b, EnableTargetMetadata +# look for BlockSize >= Ch, PropertyStoreDataBlock BlockSignature A0000009h +#>>76 search/1972 \x00\x00\x09\x00\x00\xa0 +# PropertyStore (variable) +# +# DisableLinkPathTracking; EnvironmentVariableDataBlock is ignored; no examples found +>20 lelong&1048576 1048576 \b, DisableLinkPathTracking +# DisableKnownFolderTracking; SpecialFolderDataBlock and KnownFolderDataBlock are ignored and not saved +>20 lelong&2097152 2097152 \b, DisableKnownFolderTracking +>20 lelong&2097152 0 +# look for BlockSize 1Ch and KnownFolderDataBlock BlockSignature A000000Bh +>>76 search/1972 \x1c\x00\x00\x00\x0B\x00\x00\xa0 +# https://learn.microsoft.com/en-us/dotnet/desktop/winforms/controls/known-folder-guids-for-file-dialog-custom-places +# KnownFolderID specifies the folder GUID ID +# ProgramFiles 905E63B6-C1BF-494E-B29C-65B732D3D21A +# ProgramFilesX86 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E +>>>&0 guid x KnownFolderID %s +# DisableKnownFolderAlias; unaliased form of the known folder IDList SHOULD be used; no examples found +>20 lelong&4194304 4194304 \b, DisableKnownFolderAlias +# AllowLinkToLink; link that references another link is enabled; no examples found +>20 lelong&8388608 8388608 \b, AllowLinkToLink +# UnaliasOnSave; unaliased form of that known folder or the target IDList SHOULD be used; no examples found +>20 lelong&16777216 16777216 \b, UnaliasOnSave +# PreferEnvironmentPath; path specified in the EnvironmentVariableDataBlock SHOULD be used +>20 lelong&33554432 33554432 \b, PreferEnvironmentPath +# KeepLocalIDListForUNCTarget; UNC name SHOULD be stored in local path IDList in PropertyStoreDataBlock; no examples found +>20 lelong&67108864 67108864 \b, KeepLocalIDListForUNCTarget +# FileAttributes >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System ->24 lelong&8 8 \b, Volume Label +# Reserved1; MUST be zero +>24 lelong&8 8 \b, Reserved1 >24 lelong&16 16 \b, Directory >24 lelong&32 32 \b, Archive ->24 lelong&64 64 \b, Encrypted +# Reserved2; MUST be zero +>24 lelong&64 64 \b, Reserved2 >24 lelong&128 128 \b, Normal >24 lelong&256 256 \b, Temporary +# no examples found >24 lelong&512 512 \b, Sparse +# no examples found >24 lelong&1024 1024 \b, Reparse point >24 lelong&2048 2048 \b, Compressed >24 lelong&4096 4096 \b, Offline ->28 leqwdate x \b, ctime=%s ->36 leqwdate x \b, mtime=%s ->44 leqwdate x \b, atime=%s +# FILE_ATTRIBUTE_NOT_CONTENT_INDEXED; contents need to be indexed +>24 lelong&8192 8192 \b, NeedIndexed +# FILE_ATTRIBUTE_ENCRYPTED; file or directory is encrypted +>24 lelong&16384 16384 \b, Encrypted +# value zero means there is no time set on the target +>28 leqwdate !0 \b, ctime=%s +# Access time of target in UTC +>36 leqwdate !0 \b, atime=%s +# write time of target in UTC +>44 leqwdate !0 \b, mtime=%s +# FileSize; 32 bit size of target in bytes >52 lelong x \b, length=%u, window= ->60 lelong&1 1 \bhide ->60 lelong&2 2 \bnormal ->60 lelong&4 4 \bshowminimized ->60 lelong&8 8 \bshowmaximized ->60 lelong&16 16 \bshownoactivate ->60 lelong&32 32 \bminimize ->60 lelong&64 64 \bshowminnoactive ->60 lelong&128 128 \bshowna ->60 lelong&256 256 \brestore ->60 lelong&512 512 \bshowdefault -#>20 lelong&1 0 -#>>20 lelong&2 2 -#>>>(72.l-64) pstring/h x \b [%s] -#>20 lelong&1 1 -#>>20 lelong&2 2 -#>>>(72.s) leshort x -#>>>&75 pstring/h x \b [%s] +# ShowCommand; 1~SW_SHOWNORMAL 3~SW_SHOWMAXIMIZED HerzlichMEDION.lnk 7~SW_SHOWMINNOACTIVE YaCy.lnk Privoxy.lnk; All other values like 2 MUST be treated as SW_SHOWNORMAL +#>60 lelong x ShowCommand=%#x +>60 lelong x +>>60 lelong 3 \bshowmaximized +>>60 lelong 7 \bshowminnoactive +>>60 default x \bnormal +# Hotkey +>64 uleshort >0 \b, hot key +# 41h~A 42h~B ... +>>64 ubyte x %c +# modifier keys: 0x01~HOTKEYF_SHIFT 0x02~HOTKEYF_CONTROL 0x04~HOTKEYF_ALT +>>65 ubyte&1 1 \b+SHIFT +>>65 ubyte&2 2 \b+CONTROL +>>65 ubyte&4 4 \b+ALT +# Reserved; MUST be zero +#>66 uleshort !0 \b, reserved %#x +# Reserved2; MUST be zero +#>68 ulelong !0 \b, reserved2 %#x +# Reserved3; MUST be zero +#>72 ulelong !0 \b, reserved3 %#x +# optional LINKTARGET_IDLIST if LinkFlags bit HasLinkTargetIDList is set +>20 lelong&1 1 +# IDListSize; size of IDList +>>76 uleshort x \b, IDListSize %#4.4x +# 1st item +>>78 use lnk-item +# 2nd possible item +>>(78.s+78) uleshort >0 +>>>(78.s+78) use lnk-item +# 3rd possible item +>>>&(&-2.s-2) uleshort >0 +>>>>&-2 use lnk-item +# 4th possible item +>>>>&(&-2.s-2) uleshort >0 +>>>>>&-2 use lnk-item +# Because HasLinkInfo is set, a LinkInfo structure follows +>20 lelong&2 2 +# if no LINKTARGET_IDLIST (no HasLinkTargetIDList) then direct after header; no example found +>>20 lelong&1 =0 +>>>76 use lnk-info +# if LINKTARGET_IDLIST (HasLinkTargetIDList) then after LINKTARGET_IDLIST by addtional IDListSize bytes +>>20 lelong&1 =1 +>>>76 uleshort >0 +#>>>>(76.s+78) use lnk-info +>>>>(76.s+78) ubelong x +# move pointer to beginnig of LinkInfo structure +>>>>>&-8 ubelong x +#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x +>>>>>>&(&16.l) string x \b, LocalBasePath "%s" +# check and then display link item (size,data) +0 name lnk-item +# size value 0x0000 means TerminalID; indicates the end of the item IDs list +>0 uleshort >0 +#>>0 uleshort x \b, ItemIDSize %#4.4x +# item Data +#>>2 ubequad x \b, Item data=%#16.16llx +#>>2 ubyte x \b, Item type=%#x +>>2 ubyte =0x1f \b, Root folder +# like: "26EE0668-A00A-44D7-9371-BEB064C98683" Control Panel +# "20D04FE0-3AEA-1069-A2D8-08002B30309D" My Computer +# "871C5380-42A0-1069-A2EA-08002B30309D" Internet Explorer +>>>4 guid x "%s" +>>2 ubyte =0x2f \b, Volume +# like: "C:\" "D:\" +>>>3 string x "%s" +# Control panel category +#>>2 ubyte foo \b, Control panel category +# display LinkInfo structure (size,flags,offsets) +0 name lnk-info +# LinkInfoSize; size of the LinkInfo structure +>0 ulelong x \b, LinkInfoSize %#x +# LinkInfoHeaderSize; if 1C no optional fields; >=24 optional fields are specified +>4 ulelong x \b, LinkInfoHeaderSize %#x +# LinkInfoFlags; +#>8 ulelong x \b, LinkInfoFlags=%#x +>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath +# VolumeIDOffset; location of the VolumeID field (VolumeIDSize DriveType DriveSerialNumber VolumeLabelOffset ... ) inside LinkInfo structure +>>12 ulelong x \b, VolumeIDOffset %#x +# LocalBasePathOffset; location of LocalBasePath field like "C:\test\a.txt" inside LinkInfo structure +>>16 ulelong x \b, LocalBasePathOffset %#x +# LocalBasePathOffsetUnicode; location of the LocalBasePathUnicode field inside LinkInfo structure +>>4 ulelong >23 +>>>28 ulelong x \b, LocalBasePathOffsetUnicode %#x +>8 ulelong&2 2 \b, CommonNetworkRelativeLinkAndPathSuffix +# CommonNetworkRelativeLinkOffset; location of the CommonNetworkRelativeLink field inside LinkInfo structure +>>20 ulelong x \b, CommonNetworkRelativeLinkOffset %#x +# CommonPathSuffixOffset; location of CommonPathSuffix field +>24 ulelong x \b, CommonPathSuffixOffset %#x +# CommonPathSuffixOffsetUnicode; location of CommonPathSuffixUnicode field inside LinkInfo structure +>4 ulelong >23 +>>32 ulelong x \b, CommonPathSuffixOffsetUnicode %#x # Summary: Outlook Personal Folders # Created by: unknown -0 lelong 0x4E444221 Microsoft Outlook email folder ->10 leshort 0x0e (<=2002) ->10 leshort 0x17 (>=2003) +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Personal_Folder_File +# https://en.wikipedia.org/wiki/Personal_Storage_Table +# Reference: https://interoperability.blob.core.windows.net/files/MS-PST/%5bMS-PST%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# dwMagic !BDN +0 lelong 0x4E444221 +# skip DROID x-fmt-75-signature-id-472.pab x-fmt-248-signature-id-260.pst x-fmt-249-signature-id-261.pst +# by check for existance of bPlatformCreate value +>14 ubyte x Microsoft Outlook +#!:mime application/octet-stream +# NOT official registered ! +!:mime application/vnd.ms-outlook +# dwCRCPartial; 32-bit cyclic redundancy check (CRC) value of followin 471 bytes; zero for 64-bit +#>>4 ulelong !0 \b, CRC %#x +# wMagicClient; AB (4142h) is used for PAB files; SM (534Dh) is used for PST files; SO (534Fh) is used for OST files +#>>8 leshort x \b, wMagicClient=%#x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml +# Note: called "Microsoft Personal Address Book" by TrID and +# "Microsoft Outlook Personal Address Book" by DROID via x-fmt/75 +>>8 leshort 0x4142 Personal Address Book +#!:mime application/x-ms-pab +!:ext pab +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/p/pst-unicode.trid.xml +# Note: called "Microsoft OutLook Personal Folder" by TrID and +# by DROID via x-fmt/248 for ANSI and via x-fmt/249 for Unicode +#>>8 leshort 0x4D53 \b, PST~ +# called "Microsoft Outlook email folder" in ./windows version 1.37 and older +>>8 leshort 0x4D53 Personal Storage +#!:mime application/x-ms-pst +!:ext pst +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ost.trid.xml +# Note: called "Outlook Exchange Offline Storage" by TrID +>>8 leshort 0x4F53 Offline Storage +#!:mime application/x-ms-ost +!:ext ost +# wVer; file format version. 14 or 15 if the file is ANSI; > 21 or 23(=17h) if Unicode; 37 for written by Outlook with WIP +>>10 uleshort x ( +# probably NO intermediate versions exist +>>10 leshort <0x10 \b<=2002, ANSI, +>>10 leshort >0x14 \b>=2003, Unicode, +>>10 uleshort x version %u) +# wVerClient; client file format version like: 19 22 +#>>12 uleshort x \b, wVerClient=%u +# bPlatformCreate; This value MUST be set to 1 but also found 2 +>>14 ubyte >1 \b, bPlatformCreate=%u +# bPlatformAccess; This value MUST be set to 1 but also found 2 +>>15 ubyte >1 \b, bPlatformAccess=%u +# dwReserved1; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>16 ulelong !0 \b, dwReserved1=%#x +# dwReserved2; SHOULD ignore and NOT modify this value; SHOULD initialize to zero +>>20 ulelong !0 \b, dwReserved2=%#x +# ANSI 32-bit variant Outlook 1997-2002 +>>10 uleshort <16 +# bidNextB; next BlockID (ANSI 4 bytes) +#>>>24 ulelong !0 \b, bidNextB=%#x +# bidNextP; Next available back BlockID pointer +#>>>28 ulelong !0 \b, bidNextP=%#x +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>32 ulelong !0 \b, dwUnique=%#x +# rgnid[128]; A fixed array of 32 NodeIDs, each corresponding to one of the 32 possible NID_TYPEs +#>>>36 ubequad x \b, rgnid=%#llx... +# dwReserved; Implementations SHOULD ignore this value and SHOULD NOT modify it; Initialized zero +>>>164 ulelong !0 \b, dwReserved=%#x +# ibFileEof; the size of the PST file, in bytes (ANSI 4 bytes) +>>>168 ulelong x \b, %u bytes +# ibAMapLast; offset to the last AMap page +#>>>172 ulelong x \b, ibAMapLast=%#x +# bSentinel; MUST be set to 0x80 +>>>460 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod: 0~No encryption 1~encryption with permutation 2~encryption with cyclic 16~encryption with Windows Information Protection (WIP) +>>>461 ubyte >0 \b, bCryptMethod=%u +# UNICODE 64-bit variant Outlook 2003-2007 +>>10 uleshort >20 +# bidUnused; Unused 8 bytes padding (Unicode only); sometimes like: 0x0000000100000004 +>>>24 ulequad !0x0000000100000004 \b, bidUnused=%#16.16llx +# dwUnique; value monotonically increased when modifying PST; so CRC is changing +>>>40 ulelong !0 \b, dwUnique=%#x +# rgnid[] (128 bytes): A fixed array of 32 NIDs, each corresponding to one of the 32 possible +#>>>44 ubequad x \b, rgnid=%#llx... +# ibFileEof; the size of the PST file, in bytes (Unicode 8 bytes) +>>>184 ulequad x \b, %llu bytes +# bSentinel; MUST be set to 0x80 +>>>512 ubyte !0x80 \b, bSentinel=%#x +# bCryptMethod; Encryption type like: 0 1 2 16 +>>>513 ubyte >0 \b, bCryptMethod=%u +# dwCRC; 32-bit CRC of the of the previous 516 bytes +>>>524 ulelong x \b, CRC32 %#x # Summary: Windows help cache @@ -495,10 +1010,16 @@ # empty line CRLF 0 ubeshort 0x0D0A >0 use ini-file -# comment line +# comment line starting with semicolon 0 string ; ->0 use ini-file -# section line +# look for phrase of Windows policy ADMinistrative template (with starting remark) +# like: WINDOW_95_CD/TOOLS/RESKIT/netadmin/poledit/conf.adm +>1 search/3548 END\040CATEGORY +# ADM with remark (by adm-rem.trid.xml) already done by generic ASCII variant +# if no Windows policy ADMinistrative template then Windows INItialization +>1 default x +>>0 use ini-file +# section line starting with left bracket 0 string [ >0 use ini-file # check and then display Windows INItialization configuration @@ -510,7 +1031,7 @@ # space after right bracket # or AutoRun.Amd64 for 64 bit systems # or only NL separator ->>&0 regex/c \^(autorun) +>>&0 regex/c \^autorun # but sometimes total commander directory tree file "treeinfo.wc" with lines like # [AUTORUN] # [boot] @@ -535,11 +1056,11 @@ # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent ->>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini +>>&0 regex/1024c \^(\\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini !:mime application/x-wine-extension-ini #!:mime text/plain # https://support.microsoft.com/kb/84709/ ->>&0 regex/c \^(don't\ load)] Windows CONTROL.INI +>>&0 regex/c \^don't\ load] Windows CONTROL.INI !:mime application/x-wine-extension-ini !:ext ini >>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI @@ -555,27 +1076,95 @@ !:mime application/x-wine-extension-ini !:ext ini # http://www.mdgx.com/newtip6.htm ->>&0 regex/c \^(SafeList)] Windows IOS.INI +>>&0 regex/c \^SafeList] Windows IOS.INI !:mime application/x-wine-extension-ini !:ext ini # https://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information ->>&0 regex/c \^(boot\x20loader)] Windows boot.ini +>>&0 regex/c \^boot\x20loader] Windows boot.ini !:mime application/x-wine-extension-ini !:ext ini # https://en.wikipedia.org/wiki/CONFIG.SYS ->>&0 regex/c \^(menu)] MS-DOS CONFIG.SYS +>>&0 regex/c \^menu] MS-DOS CONFIG.SYS # @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE # CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYSTEM\MSCONFIG.EXE # CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYSTEM\MSCONFIG.EXE # dos and w40 used in dual booting scene !:ext sys/dos/w40 # https://support.microsoft.com/kb/118579/ ->>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS +>>&0 regex/c \^Paths]\r\n MS-DOS MSDOS.SYS !:ext sys/dos # http://chmspec.nongnu.org/latest/INI.html#HHP ->>&0 regex/c \^(options)]\r\n Microsoft HTML Help Project +>>&0 regex/c \^options]\r\n Microsoft HTML Help Project !:mime text/plain !:ext hhp +# From: Joerg Jenderek +# URL: https://documentation.basis.com/BASISHelp/WebHelp/b3odbc/ODBC_Driver/obdcdriv_character_translation.htm +# Reference: https://www.garykessler.net/library/file_sigs.html +# http://mark0.net/download/triddefs_xml.7z/defs/c/cpx.trid.xml +# Note: stored in directory %WINDIR%\SysWOW64 or %WINDIR%\system +# second word often Latin but sometimes Cyrillic like in 12510866.CPX +>>&0 regex/c \^Windows\ (Latin|Cyrillic) Windows codepage translator +#!:mime text/plain +!:mime text/x-ms-cpx +# like: 12510866.CPX +!:ext cpx +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/File_Explorer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-exp.trid.xml,scf-exp-old.trid.xml +# Note: called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Windows via SHCmdFile +>>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File +#!:mime text/plain +!:mime text/x-ms-scf +# like: channels.scf desktop.scf explorer.scf "Desktop anzeigen.scf" +!:ext scf +# look for icon file directive maybe pointing to malicious file +>>>1 search/128 IconFile= \b, icon +>>>>&0 string x "%s" +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/VIA_Technologies +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-via.trid.xml +# Note: called "VIA setup configuration file" by TrID +>>&0 regex/c \^SCF]\r\n VIA setup configuration +#!:mime text/plain +!:mime text/x-via-scf +# like: SETUP.SCF +!:ext scf +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/InstallShield +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml +# Note: contain also 3 keywords like: count Default key0 +>>&0 regex/c \^Languages] InstallShield Language Identifier +#!:mime text/plain +!:mime text/x-installshield-lid +# like: SETUP.LID +!:ext lid +# From: Joerg Jenderek +# URL: https://www.file-extensions.org/tag-file-extension +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/taginfo.trid.xml +# Note: contain also keywords like: Application Category Company Misc Version +>>&0 regex/c \^TagInfo] TagInfo +#!:mime text/plain +#!:mime text/prs.lines.tag +!:mime text/x-ms-tag +# like: DATA.TAG +!:ext tag +# URL: https://en.wikipedia.org/wiki/Flatpak +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/flatpakref.trid.xml +# Note: called "Flatpack Reference" by TrID +>>&0 string Flatpak\ Ref] Flatpak repository reference +#!:mime text/plain +# https://reposcope.com/mimetype/application/vnd.flatpak.ref +!:mime application/vnd.flatpak.ref +!:ext flatpakref +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CloneCD +# Reference: https://en.wikipedia.org/wiki/CloneCD_Control_File +# http://mark0.net/download/triddefs_xml.7z/defs/c/cdimage-clonecd-cue.trid.xml +# Note: called "CloneCD CDImage (description)" by TrID and "CloneCD Control File" by DROID via PUID fmt/1760 +>>&0 string CloneCD] CloneCD CD-image Description +#!:mime text/plain +!:mime text/x-ccd +!:ext ccd # unknown keyword after opening bracket >>&0 default x #>>>&0 string/c x UNKNOWN [%s @@ -585,39 +1174,94 @@ >>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript !:ext inf +# From: Joerg Jenderek +# URL: https://cdrtfe.sourceforge.io/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cfp-cdrtfe.trid.xml +>>>>&0 string FileExplorer] cdrtfe Project +!:mime text/x-cfp +!:ext cfp # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other >>>>&0 default x >>>>>&0 ubyte x # characters, digits, underscore and white space followed by right bracket # terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT ->>>>>>&-1 regex \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s +>>>>>>&-1 regex/T \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s # NETDEF.INF multiarc.ini #!:mime application/x-setupscript !:mime application/x-wine-extension-ini #!:mime text/plain !:ext ini/inf +# samples with only 1 and unknown section name +# XXX: matches a file containing '[1] 2' +#>>>&0 default x Generic INItialization configuration +#>>>>0 string x \b, 1st line "%s" +# UTF-16 BOM +0 ubeshort =0xFFFE +# look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml) +# like: wuau.adm +>2 search/0x384A E\0N\0D\0\040\0C\0A\0T\0E\0G\0O\0R\0Y\0 +>>0 use windows-adm +# if no Windows policy ADMinistrative template then Windows INFormation +>2 default x # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00 -0 ubelong&0xFFff89FF =0xFFFE0900 +>>0 ubelong&0xFFff89FF =0xFFFE0900 # look for left bracket in section line ->2 search/8192 [ +>>>2 search/8192 [ # keyword without 1st letter which is maybe up-/down-case ->>&3 lestring16 ersion] Windows setup INFormation +>>>>&3 lestring16 ersion] Windows setup INFormation !:mime application/x-setupscript +# like: hdaudio.inf iscsi.inf spaceport.inf tpm.inf usbhub3.inf UVncVirtualDisplay.inf !:ext inf ->>&3 lestring16 trings] Windows setup INFormation +>>>>&3 lestring16 trings] Windows setup INFormation !:mime application/x-setupscript +# like: arduino_gemma.inf iis.inf MSM8960.inf !:ext inf ->>&3 lestring16 ourceDisksNames] Windows setup INFormation +>>>>&3 lestring16 ourceDisksNames] Windows setup INFormation !:mime application/x-setupscript +# like: atiixpag.inf mdmnokia.inf netefe32.inf rdpbus.inf !:ext inf # netnwcli.inf start with ;---[ NetNWCli.INX ] ->>&3 default x +>>>>&3 default x # look for NL followed by left bracket ->>>&0 search/8192 \x0A\x00\x5b ->>>>&3 lestring16 ersion] Windows setup INFormation +>>>>>&0 search/8192 \x0A\x00\x5b +# like: defltwk.inf netvwifibus.inf WSDPrint.inf +>>>>>>&3 lestring16 ersion] Windows setup INFormation !:mime application/x-setupscript !:ext inf +# Summary: Windows Policy ADMinistrative template +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Administrative_Template +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adm.trid.xml +# Note: typically stored in directory like: %WINDIR%\system32\GroupPolicy\ADM +# worst case ASCII variant starting with remark line like: inetset.adm +0 search/0x4E CLASS\040 +>&0 string MACHINE +>>0 use windows-adm +>&0 string USER +>>0 use windows-adm +# display information about Windows policy ADMinistrative template +0 name windows-adm Windows Policy Administrative Template +!:mime text/x-ms-adm +!:ext adm +# UTF-16 BOM implies UTF-16 encoded ADM (by adm-uni.trid.xml) +>0 ubeshort =0xFFFE +>>2 lestring16 x \b, 1st line "%s" +# look for UTF-16 encoded CarriageReturn LineFeed +>>>2 search/0x3A \r\0\n\0 +>>>>&0 lestring16 x \b, 2nd line "%s" +# no UTF-16 BOM implies "ASCII" encoded ADM (by adm.trid.xml) +>0 ubeshort !0xFFFE +>>0 string x \b, 1st line "%s" +#>>>&0 ubequad x \b, 2ND %16.16llx +# 2nd line empty +>>>&2 beshort =0x0D0A +>>>>&0 beshort !0x0D0A \b, 3th line +>>>>>&-2 string x "%s" +# 2nd line with content +>>>&2 beshort !0x0D0A \b, 2nd line +>>>>&-2 string x "%s" + # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # URL: http://fileformats.archiveteam.org/wiki/INF_(Windows) @@ -632,21 +1276,24 @@ >>>2 uleshort <3 # look for colon in WinDirPath after PNF header #>>>>0x59 search/18 : ->>>>0 use PreCompiledInf +# skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some +# Targa image (money-256.tga XING_B_UCM8.tga x-fmt-367-signature-id-604.tga) with "invalid low section name" \0 +>>>>(20.l) ubelong >0x40004000 +>>>>>0 use PreCompiledInf 0 name PreCompiledInf >0 uleshort x Windows Precompiled iNF !:mime application/x-pnf !:ext pnf # major version 1 for older Windows like XP and 3 since about Windows Vista -# 101h~98-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362 +# 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11 >1 ubyte x \b, version %u >0 ubyte x \b.%u >0 uleshort =0x0101 (Windows ->>4 ulelong&0x00000001 !0x00000001 98) +>>4 ulelong&0x00000001 !0x00000001 95-98) >>4 ulelong&0x00000001 =0x00000001 XP) >0 uleshort =0x0301 (Windows Vista-8.1) >0 uleshort =0x0302 (Windows 10 older) ->0 uleshort =0x0303 (Windows 10) +>0 uleshort =0x0303 (Windows 10-11) # 1 ,2 (windows 98 SE) >2 uleshort !2 \b, InfStyle %u # PNF_FLAG_IS_UNICODE 0x00000001 @@ -660,7 +1307,7 @@ # UNKNOWN1 0x01000000 # UNKNOWN2 0x02000000 >4 ulelong&0x03000180 >0 \b, flags ->>4 ulelong x 0x%x +>>4 ulelong x %#x >4 ulelong&0x00000001 0x00000001 \b, unicoded >4 ulelong&0x00000002 0x00000002 \b, has strings >4 ulelong&0x00000004 0x00000004 \b, src URL @@ -671,16 +1318,16 @@ # >4 ulelong&0x00000100 0x00000100 \b, UNKNOWN # >4 ulelong&0x01000000 0x01000000 \b, UNKNOWN1 # >4 ulelong&0x02000000 0x02000000 \b, UNKNOWN2 -#>8 ulelong x \b, InfSubstValueListOffset 0x%x +#>8 ulelong x \b, InfSubstValueListOffset %#x # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF # , 6 bth.PNF, 9 usbport.PNF, d netnwifi.PNF, 10h nettcpip.PNF -#>12 uleshort x \b, InfSubstValueCount 0x%x +#>12 uleshort x \b, InfSubstValueCount %#x # only < 9 found: 8 hcw85b64.PNF -#>14 uleshort x \b, InfVersionDatumCount 0x%x +#>14 uleshort x \b, InfVersionDatumCount %#x # only found values lower 0x0000ffff ?? -#>16 ulelong x \b, InfVersionDataSize 0x%x +#>16 ulelong x \b, InfVersionDataSize %#x # only found positive values lower 0x00ffFFff for InfVersionDataOffset ->20 ulelong x \b, at 0x%x +>20 ulelong x \b, at %#x >4 ulelong&0x00000001 =0x00000001 # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>(20.l) lestring16 x "%s" @@ -688,23 +1335,23 @@ >>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>24 ulequad x \b, InfVersionLastWriteTime %16.16llx -#>24 foodate-0xbar x \b, InfVersionLastWriteTime %s +>24 qwdate x \b, InfVersionLastWriteTime %s # for Windows 98, XP >0 uleshort <0x0102 # only found values lower 0x00ffFFff # often 70 but also 78h for corelist.PNF -# >>32 ulelong x \b, StringTableBlockOffset 0x%x -# >>36 ulelong x \b, StringTableBlockSize 0x%x -# >>40 ulelong x \b, InfSectionCount 0x%x -# >>44 ulelong x \b, InfSectionBlockOffset 0x%x -# >>48 ulelong x \b, InfSectionBlockSize 0x%x -# >>52 ulelong x \b, InfLineBlockOffset 0x%x -# >>56 ulelong x \b, InfLineBlockSize 0x%x -# >>60 ulelong x \b, InfValueBlockOffset 0x%x -# >>64 ulelong x \b, InfValueBlockSize 0x%x +# >>32 ulelong x \b, StringTableBlockOffset %#x +# >>36 ulelong x \b, StringTableBlockSize %#x +# >>40 ulelong x \b, InfSectionCount %#x +# >>44 ulelong x \b, InfSectionBlockOffset %#x +# >>48 ulelong x \b, InfSectionBlockSize %#x +# >>52 ulelong x \b, InfLineBlockOffset %#x +# >>56 ulelong x \b, InfLineBlockSize %#x +# >>60 ulelong x \b, InfValueBlockOffset %#x +# >>64 ulelong x \b, InfValueBlockSize %#x # WinDirPathOffset # like 58h, which means direct after PNF header -#>>68 ulelong x \b, at 0x%x +#>>68 ulelong x \b, at %#x >>68 ulelong x >>>4 ulelong&0x00000001 =0x00000001 #>>>>(68.l) ubequad =0x43003a005c005700 @@ -725,18 +1372,19 @@ # seldom C:\ instead empty >>>>>(72.l) string x OsLoaderPath "%s" # 1fdh -#>>>76 uleshort x \b, StringTableHashBucketCount 0x%x +#>>>76 uleshort x \b, StringTableHashBucketCount %#x +# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a # only 407h found >>>78 uleshort !0x409 \b, LanguageID %x #>>>78 uleshort =0x409 \b, LanguageID %x # InfSourcePathOffset often 0 ->>>80 ulelong >0 \b, at 0x%x +>>>80 ulelong >0 \b, at %#x >>>>4 ulelong&0x00000001 =0x00000001 >>>>>(80.l) lestring16 x SourcePath "%s" >>>>4 ulelong&0x00000001 !0x00000001 >>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 ->>>84 ulelong >0 \b, at 0x%x +>>>84 ulelong >0 \b, at %#x >>>>4 ulelong&0x00000001 =0x00000001 >>>>>(84.l) lestring16 x InfName "%s" >>>>4 ulelong&0x00000001 !0x00000001 @@ -744,7 +1392,7 @@ # for newer Windows like Vista, 7 , 8.1 , 10 >0 uleshort >0x0101 ->>80 ulelong x \b, at 0x%x WinDirPath +>>80 ulelong x \b, at %#x WinDirPath >>>4 ulelong&0x00000001 0x00000001 # normally unicoded C:\Windows #>>>>(80.l) ubequad =0x43003a005c005700 @@ -754,7 +1402,7 @@ # language id: 0 407h~german 409h~English_US >>90 uleshort !0x409 \b, LanguageID %x #>>90 uleshort =0x409 \b, LanguageID %x ->>92 ulelong >0 \b, at 0x%x +>>92 ulelong >0 \b, at %#x >>>4 ulelong&0x00000001 0x00000001 # language string like: de-DE en-US >>>>(92.l) lestring16 x language %s @@ -809,7 +1457,7 @@ # Media Sequence Number >>>>>60 uleshort >1 \b, sequence %u # Password Encryption Algorithm (3) ->>>>>62 uleshort >0 \b, 0x%x encrypted +>>>>>62 uleshort >0 \b, %#x encrypted # Soft Filemark Block Size * 512 (2) #>>>>>64 uleshort =2 \b, soft size %u*512 >>>>>64 uleshort !2 \b, soft size %u*512 @@ -838,7 +1486,7 @@ # size of password name (0,1Ch) #>>>>>76 uleshort >0 \b, password size %4.4x # Software Vendor ID (CBEh) ->>>>>86 uleshort x \b, software (0x%x) +>>>>>86 uleshort x \b, software (%#x) # size of Software Name (6Eh) >>>>>80 uleshort >0 # offset of Software Name (1C8h,1CAh,1D0h) @@ -890,9 +1538,9 @@ >0x40 ubyte 0x7b >>0x40 string x %-.38s # do not know how this log version correlates to program version ->0x140 ulelong x \b, version 0x%x +>0x140 ulelong x \b, version %#x # NumRecs -#>0x144 ulelong x \b, 0x%4.4x records +#>0x144 ulelong x \b, %#4.4x records # EndOffset means files size >0x148 ulelong x \b, %u bytes # Flags 5 25h 35h @@ -918,9 +1566,39 @@ # directory like C:\Program Files\GIMP 2 >>>>&0 lestring16 x \b, %-.42s +# URL: https://jrsoftware.org/ishelp/index.php?topic=setup_signeduninstaller +# Reference:https://github.com/jrsoftware/issrc/blob/main/Projects/Struct.pas +# From: Joerg Jenderek +0 string Inno\ Setup\ Messages\ ( +# null padded til 0x40 boundary +>0x38 quad 0 InnoSetup messages +!:mime application/x-innosetup-msg +# unins000.msg, unins001.msg, ... +!:ext msg +# version like 5.1.1 5.1.11 5.5.0 5.5.3 6.0.0 +>>0x15 string x \b, version %.5s +# look for 6th char of version string or terminating right parentheses +>>>0x1a ubyte !0x29 \b%c +# NumMessages +>>0x40 ulelong x \b, %u messages +# TotalSize: Cardinal; +#>>0x44 ulelong x \b, TotalSize %u +# NotTotalSize: Cardinal; +#>>0x48 ulelong x \b, NotTotalSize %u +# CRCMessages: Longint; +#>>0x4C ulelong x \b, CRC %#x +>>0x40 ulelong x +# (u) after version means unicoded messages +>>>0x1c search/2 (u) (UTF-16), +>>>>0x50 lestring16 x %s +# ASCII coded message +>>>0x1c default x (ASCII), +>>>>0x50 string x %s + # Windows Imaging (WIM) Image -# Update: Joerg Jenderek at Mar 2019 +# Update: Joerg Jenderek at Mar 2019, 2021 # URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format +# http://fileformats.archiveteam.org/wiki/Windows_Imaging_Format # Reference: https://download.microsoft.com/download/f/e/f/ # fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf # Note: verified by like `7z t boot.wim` `wiminfo install.esd --header` @@ -936,21 +1614,27 @@ # TO avoid in file version 5.36 error like # Magdir/windows, 760: Warning: Current entry does not yet have a description # file: could not find any valid magic files! (No error) -# splitted WIM +# split WIM >16 ulelong &0x00000008 (SWM !:ext swm # usPartNumber; 1, unless the file was split into multiple parts >>40 uleshort x \b %u # usTotalParts; The total number of WIM file parts in a spanned set >>42 uleshort x \b of %u) image -# non splitted WIM +# non split WIM >16 ulelong ^0x00000008 # https://wimlib.net/man1/wimmount.html # solid WIMs; version 3584; usually contain LZMS-compressed and the .esd extension >>12 ulelong 3584 (ESD) image !:ext esd ->>12 ulelong !3584 (WIM) image -!:ext wim +>>12 ulelong !3584 ( +# look for archive member RunTime.xml like in Microsoft.Windows.Cosa.Desktop.Client.ppkg +>>>156 search/68233/s RunTime.xml \bWindows provisioning package) +!:ext ppkg +# if is is not a Windows provisioning package, then it is a WIM +>>>156 default x \bWIM) image +# second disk image part created by Microsoft's RecoveryDrive.exe has name Reconstruct.WIM2 +!:ext wim/wim2 >0 string/b WLPWM\000\000\000 \b, wimlib pipable format # cbSize size of the WIM header in bytes like 208 #>8 ulelong x \b, headersize %u @@ -963,7 +1647,7 @@ # 1-based index of the bootable image of the WIM, or 0 if no image is bootable >0x78 ulelong >0 \b, bootable no. %u # dwFlags -#>16 ulelong x \b, flags 0x%8.8x +#>16 ulelong x \b, flags %#8.8x #define FLAG_HEADER_COMPRESSION 0x00000002 #define FLAG_HEADER_READONLY 0x00000004 #define FLAG_HEADER_SPANNED 0x00000008 @@ -990,21 +1674,21 @@ # dwCompressionSize; Uncompressed chunk size for resources or 0 if uncompressed #>20 ulelong >0 \b, chunk size %u bytes # gWIMGuid -#>24 ubequad x \b, GUID 0x%16.16llx +#>24 ubequad x \b, GUID %#16.16llx #>>32 ubequad x \b%16.16llx # rhOffsetTable; the location of the resource lookup table # wim_reshdr_disk[24]= u8 size_in_wim[7] + u8 flags + le64 offset_in_wim + le64 uncompressed_size -#>48 ubequad x \b, rhOffsetTable 0x%16.16llx +#>48 ubequad x \b, rhOffsetTable %#16.16llx # rhXmlData; the location of the XML data -#>0x50 ulelong x \b, at 0x%8.8x +#>0x50 ulelong x \b, at %#8.8x # NOT WORKING \xff\xfe<\0W\0I\0M\0 #>(0x50.l) ubequad x \b, xml=%16.16llx # rhBootMetadata; the location of the metadata resource -#>0x60 ubequad x \b, rhBootMetadata 0x%16.16llx +#>0x60 ubequad x \b, rhBootMetadata %#16.16llx # rhIntegrity; the location of integrity table used to verify files -#>0x7c ubequad x \b, rhIntegrity 0x%16.16llx +#>0x7c ubequad x \b, rhIntegrity %#16.16llx # Unused[60] -#>148 ubequad !0 \b,unused 0x%16.16llx +#>148 ubequad !0 \b,unused %#16.16llx # # From: Joerg Jenderek @@ -1018,7 +1702,7 @@ !:ext mig >0x18 string =MRTS without password # data offset with 1 space at end ->>0x1c ulelong+0x38 x \b, at 0x%x +>>0x1c ulelong+0x38 x \b, at %#x # look for zlib compressed data by ./compress >>(0x1c.l+0x38) ubyte x >>>&-1 indirect x @@ -1037,3 +1721,102 @@ 0 string ID;P Microsoft SYLK program >4 string >0 \b, created by %s !:ext slk/sylk + +# Summary: Windows Performance Monitor Alert +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Performance_Monitor +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pma.trid.xml +# Note: called "Windows Performance Monitor Alert" by TrID +0 ubelong =0xDC058340 +>4 ubyte =0 Windows Performance Monitor Alert +#!:mime application/octet-stream +# https://www.thoughtco.com/mime-types-by-content-type-3469108 +# https://filext.com/file-extension/PAM +!:mime application/x-perfmon +#!:mime application/x-ms-pma +!:ext pma +# metric type like: "BrowserMetrics" "CrashpadMetrics" "SetupMetrics" +>>80 string x \b, "%s" + +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/InstallShield +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/ins.trid.xml +# Note: contain also keywords like: BATCH_INSTALL ISVERSION LOGHANDLE SRCDIR SRCDISK WINDIR WINSYSDISK +0 ubelong 0xB8C90C00 InstallShield Script +#!:mime application/octet-stream +!:mime application/x-installshield-ins +# like test.ins Setup.ins +!:ext ins +# UNKNOWN like: 160034121de07e00 1600341260befe00 16003412e0783700 +# 5000010021083f00 50000100b0335600 50000100cbfdf800 50000100dfbc4700 +#>4 ubequad x \b, at 4 %#16.16llx +# copyright text like: "Stirling Technologies, Inc. (c) 1990-1994" +# "InstallSHIELD Software Corporation (c) 1990-1997" +>13 pstring/h x "%s" +# look for specific ASCII variable names +>1 search/0x121/s SRCDIR \b, variable names: +# 1st like: SRCDIR +>>&-4 leshort x #%u +>>&-2 pstring/h x %s +# 2nd like: SRCDISK +>>>&0 leshort x #%u +>>>&2 pstring/h x %s +# 3rd like: TARGETDISK +>>>>&0 leshort x #%u +>>>>&2 pstring/h x %s +# 4th like: TARGETDIR +#>>>>>&0 leshort x #%u +#>>>>>&2 pstring/h x %s +# 5th like: WINDIR +#>>>>>>&0 leshort x #%u +#>>>>>>&2 pstring/h x %s +# 6th like: WINDISK +#>>>>>>>&0 leshort x #%u +#>>>>>>>&2 pstring/h x %s +# 7th like: WINSYSDIR +#>>>>>>>>&0 leshort x #%u +#>>>>>>>>&2 pstring/h x %s +# ... LOGHANDLE +>0 ubelong x ... +# + +# Summary: Microsoft Remote Desktop Protocol connection +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/r/rdp.trid.xml +# Note: called "Remote Desktop Connection Settings" by TrID +0 string screen\040mode\040id:i: Remote Desktop Protocol connection +#!:mime text/plain +!:mime text/x-ms-rdp +!:ext rdp +# Screen mode: 1~session appear in a window 2~session appear full screen +>17 string 1 \b, window mode +>17 string 2 \b, full screen mode + +0 guid 7B5C52E4-D88C-4DA7-AEB1-5378D02996D3 Microsoft OneNote +!:ext one +!:mime application/onenote +0 guid 43FF2FA1-EFD9-4C76-9EE2-10EA5722765F Microsoft OneNote Revision Store File + +# Microsoft XAML Binary Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/WalkingCat/XbfDump/blob/8832d2ffcaa738434d803fefa2ba99d3af37ed29/xbf_data.h +0 string XBF\0 +>12 ulelong <0xFF +>>16 ulelong <0xFF Microsoft XAML Binary Format +!:ext xbf +>>>12 ulelong x %d +>>>16 ulelong x \b.%d +>>>4 ulelong x \b, metadata size: %d bytes +>>>8 ulelong x \b, node size: %d bytes + +# Metaswitch MetaView Service Assurance Server exports +0 string MetaView\x20Service\x20Assurance\x20Export\x20File MetaView SAS export +>39 string Version\x20 +>>47 byte x \b, version %c + +# Active Directory Group Policy Registry Policy File Format +# From: Yuuta Liang <yuuta@yuuta.moe> +# URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format +0 string PReg +>4 lelong x Group Policy Registry Policy, Version=%d diff --git a/contrib/file/magic/Magdir/wordprocessors b/contrib/file/magic/Magdir/wordprocessors index 7f3c4e8a429e..3a2e1ceaa8ca 100644 --- a/contrib/file/magic/Magdir/wordprocessors +++ b/contrib/file/magic/Magdir/wordprocessors @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: wordprocessors,v 1.24 2020/05/22 19:28:47 christos Exp $ +# $File: wordprocessors,v 1.34 2023/01/24 20:13:40 christos Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: @@ -28,35 +28,170 @@ !:ext wps # Corel/WordPerfect +# URL: https://en.wikipedia.org/wiki/WordPerfect +# Reference: https://github.com/OneWingedShark/WordPerfect/blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm +# http://mark0.net/download/triddefs_xml.7z/defs/w/wp-generic.trid.xml 0 string \xffWPC # WordPerfect >8 byte 1 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpm-macro.trid.xml +# Note: there exist other macro variants >>9 byte 1 WordPerfect macro +#!:mime application/octet-stream +!:mime application/x-wordperfect-wpm +# like: ALTD.WPM ENDFOOT.WPM FOOTEND.WPM LABELS.WPM REVEALTX.WPM +!:ext wpm +# Note: used in WordPerfect 5.1; there exist other FIL variants >>9 byte 2 WordPerfect help file +#!:mime application/octet-stream +!:mime application/x-wordperfect-help +# like: WPHELP.FIL +!:ext fil +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area >>9 byte 3 WordPerfect keyboard file +#!:mime application/octet-stream +!:mime application/x-wordperfect-keyboard +!:ext wpk +# no document area, so point to end of file; so this is file size like: 23381 2978 32835 3355 3775 919 +>>>4 ulelong x \b, %u bytes +>>9 byte 4 WordPerfect VAX keyboard definition +#!:mime application/octet-stream +!:mime application/x-wordperfect-keyboard +#!:ext foo +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpd-doc-gen.trid.xml >>9 byte 10 WordPerfect document +# https://www.iana.org/assignments/media-types/application/vnd.wordperfect +!:mime application/vnd.wordperfect +#!:apple ????WPC2 +# TODO: distinguish different suffix +!:ext wpd/wpt/wkb/icr/tut/sty/tst/crs >>9 byte 11 WordPerfect dictionary >>9 byte 12 WordPerfect thesaurus >>9 byte 13 WordPerfect block >>9 byte 14 WordPerfect rectangular block >>9 byte 15 WordPerfect column block >>9 byte 16 WordPerfect printer data +#!:mime application/octet-stream +!:mime application/x-wordperfect-prs +# like: STANDARD.PRS WORKBOOK.PRS +!:ext prs +# like: "Standard Printer" "Workbook Printer" +>>>0x64 pstring/B >A "%s" +#>>9 byte 18 WordPerfect Prefix information file +# printer resource .ALL >>9 byte 19 WordPerfect printer data +#!:mime application/octet-stream +!:mime application/x-wordperfect-all +!:ext all +# display Resource >>9 byte 20 WordPerfect driver resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-drs +# like: WPSMALL.DRS +!:ext drs +# pointer to index area with string "smalldrs" like: 46h +>>>4 uleshort !0x46 \b, at %#x index area +>>9 byte 21 WordPerfect Overlay file +#!:mime application/octet-stream +!:mime application/x-wordperfect-fil +# like: WP.FIL +!:ext fil +# URL: http://fileformats.archiveteam.org/wiki/WordPerfect_Graphics +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wpg.trid.xml +# Note: called "WordPerfect Graphics bitmap" by TrID and +# "WordPerfect Graphics Metafile" by DROID via x-fmt/395 fmt/1042 +# "WPG (Word Perfect Graphics)" by ImageMagick `identify -verbose BUTTRFLY.WPG` >>9 byte 22 WordPerfect graphic image +# TODO: skip DROID x-fmt-395-signature-id-132.wpg by check for existing document area +#>>>4 ulelong >15 WordPerfect_graphic_OK +#!:mime application/octet-stream +# http://extension.nirsoft.net/wpg +!:mime image/x-wordperfect-graphics +# https://reposcope.com/mimetype/application/x-wpg +#!:mime application/x-wpg +# like: BUTTRFLY.WPG STAR-5.WPG input.wpg WORDPFCT.WPG +!:ext wpg +# pointer to document area like: 10h 1Ah +>>>4 ulelong !0x1A \b, at %#x document area >>9 byte 23 WordPerfect hyphenation code >>9 byte 24 WordPerfect hyphenation data >>9 byte 25 WordPerfect macro resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-mrs +# like: WP.MRS +!:ext mrs >>9 byte 27 WordPerfect hyphenation lex >>9 byte 29 WordPerfect wordlist >>9 byte 30 WordPerfect equation resource data +#!:mime application/octet-stream +!:mime application/x-wordperfect-qrs +# like: WQ.QRS wpDE.qrs wpen.qrs +!:ext qrs +# jump to document area with some marker and equation +>>>(4.l) ubyte x +# equation like: "Fraction: x OVER y" +>>>>&1 string >A (...%-.19s...) +# pointer to document area like: 17C4h +>>>4 ulelong x \b, at %#x document area +#>>9 byte 31 reserved +#>>9 byte 32 WordPerfect VAX .SET >>9 byte 33 WordPerfect spell rules >>9 byte 34 WordPerfect dictionary rules +#>>9 byte 35 reserved +# video resource device driver +# Note: filetype 26 for VRS and filetype 36 for WPD apparently is wrong +>>9 byte 36 WordPerfect Video Resource +#!:mime application/octet-stream +!:mime application/x-wordperfect-vrs +# like: STANDARD.VRS +!:ext vrs +# like: "IBM CGA (& compatibles)" +>>>0x20 string >A "%.23s" >>9 byte 39 WordPerfect spell rules (Microlytics) +#>>9 byte 40 reserved +>>9 byte 41 WordPerfect Install options +#!:mime application/octet-stream +!:mime application/x-wordperfect-ins +# like: WP51.INS +!:ext ins +# probably default directory name like: "C:\WP51\" +>>>0x12 string >A "%.8s" +# maybe mouse driver for WP5.1 +>>9 byte 42 WordPerfect Resource +#!:mime application/octet-stream +!:mime application/x-wordperfect-irs +# like: STANDARD.IRS +!:ext irs +# like: "Mouse Driver (MOUSE.COM)" +>>>0x28 string >A "%.24s" >>9 byte 43 WordPerfect settings file +# maybe Macintosh WP2.0 document >>9 byte 44 WordPerfect 3.5 document +!:mime application/vnd.wordperfect +!:apple ????WPD3 +# like: WP3.wpd +!:ext wpd >>9 byte 45 WordPerfect 4.2 document +# External spell code module (WP5.1) +#>>9 byte 46 WordPerfect external spell +# external spell dictionary .LEX +#>>9 byte 47 WordPerfect external spell dictionary +# Macintosh SOFT graphics file (SOFT (Sequential Object Format) +#>>9 byte 48 WordPerfect SOFT graphics +#>>9 byte 49 reserved +#>>9 byte 50 reserved +# WPWin 5.1 Application Resource Library added for WPWin 5.1 +#>>9 byte 51 WordPerfect application resource library >>9 byte 69 WordPerfect dialog file +# From: Joerg Jenderek +# Note: found in sub directory WritingTools inside WordPerfect 2021 program directory +>>9 byte 70 WordPerfect Writing Tools +#!:mime application/octet-stream +!:mime application/x-wordperfect-cbt +# like: Wt13cbede.cbt Wt13cbeit.cbt Wt13cbefr.cbt WT21cbede.cbt Wt13cbeEN.CBD WT21cbeEN.CBD +!:ext cbd/cbt >>9 byte 76 WordPerfect button bar >>9 default x >>>9 byte x Corel WordPerfect: Unknown filetype %d @@ -153,7 +288,65 @@ >>9 default x >>>9 byte x Corel WordPerfect Office: Unknown filetype %d # Corel DrawPerfect +# URL: http://fileformats.archiveteam.org/wiki/Corel_Presentations +# Update: Joerg Jenderek >8 byte 15 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-2.trid.xml +# Note: called "WordPerfect Presentations (v2)" by TrID and +# "Corel Presentation" with version "7-8-9" by DROID via PUID fmt/877 +>>9 byte 10 WordPerfect Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: BENEFITS.SHW chartbar.shw chartbul.shw chartgal.shw chartorg.shw fig-demo.shw figurgal.shw mastrgal.shw scuba.shw tutorial.shw +!:ext shw +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# search for embedded WP file like in tutorial.shw +#>>>16 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-3.trid.xml +# Note: called "WordPerfect/Corel Presentations (v3)" by TrID and +# "Corel Presentation" with version "3" by DROID via PUID fmt/878 +>>9 byte 15 Corel Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: FIG_ANIM.SHW presenta.shw +!:ext shw +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file like in foo +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +# embedded inside Compound Document variant handled by ./ole2compounddocs +>>9 byte 16 Corel Presentation (embeded) +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-corelpresentations +# like: PerfectOffice_MAIN +!:ext / +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains >>9 default x >>>9 byte x Corel DrawPerfect: Unknown filetype %d # Corel LetterPerfect @@ -196,21 +389,64 @@ >>9 byte 24 GroupWise admin ADS deferment data file >>9 default x >>>9 byte x GroupWise: Unknown filetype %d +# Corel Writing Tools WT*.* +# From: Joerg Jenderek +# URL: https://support.corel.com/hc/en-us/articles/215876258-Writing-Tools-Spell-Check-Dictionary-does-not-work-in-WordPerfect-X5 +# http://wordperfect.helpmax.net/en/editing-and-formatting-documents/using-the-writing-tools/working-with-user-word-lists/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/u/uwl-wp.trid.xml +>8 byte 32 +>>9 byte 10 Corel Writing Tools User Word List +#!:mime application/octet-stream +!:mime application/x-wordperfect-wordlist +# personal user word list UWL under user directory like: WTDE.UWL WTUS.UWL WT21DE.UWL WT21US.UWL WT13DE.UWL ... +# and "template" SAV/HWL variant under program directory like: wt13en.hwl Wt13de.sav Wt13it.sav wt13ru.sav WT21us.sav Wtcz.sav ... +!:ext uwl/hwl/sav +# jump to document area with some marker and word list +>>>(4.l) ubyte x +# look for beginning of word list starting mostly with letter a as UTF-16 like: Wt13es.sav +# but not found in russian wt13ru.sav +>>>>&0 search/91/sb a\0 +# word list starting like: "acsesory\022accessory.\001\026acomodate\026accommodate4\001" +>>>>>&0 lestring16 x (...%-.33s...) +# pointer to document area like: 200h +>>>4 ulelong !0x200 \b, at %#x document area +# file size, not including pad characters at EOF +>>>0x14 uleshort x \b, %u bytes # IntelliTAG >8 byte 33 >>9 byte 10 IntelliTAG (SGML) compiled DTD >>9 default x >>>9 byte x IntelliTAG: Unknown filetype %d +# Summary: Corel WordPerfect WritingTools advise part +# From: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adv-wp.trid.xml +>8 byte 34 +>>9 byte 11 Corel WordPerfect dictionary advise +#!:mime application/octet-stream +!:mime application/x-wordperfect-adv +#!:mime application/vnd.wordperfect.adv +# like: WT21de.adv Wt13de.adv Wt13es.adv Wt13fr.adv wt13us.adv +!:ext adv +# advise text part often start with tag like: 580A +#>>>(16.s) ubequad x ADVISE PART %#llx +# part of advise text like: "This is too informal for most writing." +>>>(16.s+16) string x (...%-.33s...) # everything else >8 default x >>8 byte x Unknown Corel/Wordperfect product %d, >>>9 byte x file type %d >10 byte 0 \b, v5. +# version of WP file; 2.1~WP 8.0 +# major version of WP file like: 1 2 >10 byte !0 \b, v%d. +# minor version of WP file like: 0 1 >11 byte x \b%d -# Hangul (Korean) Word Processor File -0 string HWP\ Document\ File Hangul (Korean) Word Processor File 3.0 +# Hancom HWP (Hangul Word Processor) +# Hangul Word Processor 3.0 through 97 used HWP 3.0 format. +# URL: https://www.hancom.com/etc/hwpDownload.do +0 string HWP\ Document\ File Hancom HWP (Hangul Word Processor) file, version 3.0 +!:ext hwp # CosmicBook, from Benoit Rouits 0 string CSBK Ted Neslson's CosmicBook hypertext file @@ -229,6 +465,68 @@ !:mime application/x-quark-xpress-3 2 string MMXPRa Motorola Quark Express Document (Korean) +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/PageMaker +# https://en.wikipedia.org/wiki/Adobe_PageMaker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p +# pm4-pagemaker.trid.xml +# pm5-pagemaker.trid.xml +# Note: since version 6 in 1995 called Adobe PageMaker and +# embedded in Compound Document handled by ./ole2compounddocs +# mainly tested little endian variant +4 ubelong =0x0000FF99 +>0 use PageMaker +# big endian variant +4 ubelong =0x000099FF +>0 use \^PageMaker +# display information of Aldus/Adobe PageMaker document/publication +0 name PageMaker +>110 uleshort <0x0600 Aldus +>110 uleshort >0x05FF Adobe +>110 uleshort x PageMaker +# "MP" marker for newer version 4 and above according to TrID +#>108 string x \b, MARKER "%.2s" +# http://www.nationalarchives.gov.uk/pronom/fmt/876 +!:mime application/vnd.pagemaker +#!:mime application/x-pagemaker +# different file name extensions are used depending on version +# older version like 3 +>110 uleshort/256 =0 document +# https://www.macdisk.com/macsigen.php +!:apple ALB3ALD3 +# PT3 for template and no example for PageMaker document/publication with PM3 extension +!:ext pm3/pt3 +>110 uleshort/256 =4 document +!:apple ALD4ALB4 +# no example for PT4 template +!:ext pm4/pt4 +>110 uleshort/256 =5 document +!:apple ALD5ALB5 +# no example for PT5 template +!:ext pm5/pt5 +>110 uleshort =0x0600 document +!:apple ALD6ALB6 +# PT6 for template +!:ext pm6/pt6 +# HOWTO to distinguish version 7 from 6.5 ? +>110 uleshort =0x0632 document +!:apple AD65AB65 +# no example for T65 template +!:ext p65/t65/pmd/pmt +# version 7 with PMT extension for template +#!:ext pmd/pmt +#!:apple ????PUBF +# endian marker FF 99 for little endian +>6 ubyte =0xFF \b, little-endian +>6 ubyte =0x99 \b, big-endian +# newer numeric version like: 4 5 6 6.50 +#>110 uleshort x \b, VERSION=%#x +>110 uleshort >0x03FF +>>110 uleshort/256 x \b, version %u +>>110 uleshort%256 >0 \b.%u +# older version like 3 +>110 uleshort <0x0400 \b, maybe version 3 + # adobe indesign (document, whatever...) from querkan 0 belong 0x0606edf5 Adobe InDesign >16 string DOCUMENT Document @@ -275,10 +573,13 @@ # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/StarOffice +# Reference: http://mark0.net/download/triddefs_xml.7z +# /defs/t/thm-staroffice.trid.xml # Note: used in Star-, Open- and Libre-Office # named as soffice.StarConfigFile.6 or OpenOffice.org configuration by others 0 ubeshort 0x0400 -#>(2.s+8) ubequad x \b, gap 0x%16.16llx +# non nil gap +#>(2.s+8) ubequad x \b, gap %#16.16llx # test for null value in gap after theme name maybe unreliable #>(2.s+9) ubyte 0 \b, 0-byte # look for keyword GALRESRV near the end @@ -288,19 +589,27 @@ #>0 search/19299 GALRESRV \b, GALRESRV FOUND #>2 uleshort x \b, name length %u # skip file2147.chk by check for positive name length like for sg16.thm "3D" ->2 uleshort >0 StarOffice Gallery theme +>2 uleshort >0 +# skip dBase printer form T6.PRF with misidentified gallery +# name :\DBASE\IV\T6.txts by check for 1st object name or RESRV keyword +# https://www.clicketyclick.dk/databases/xbase/xbase/dbase_ex.zip +# template/t6/with_data/T6.PRF +# by first char of object name or RESRV part of keyword GALRESRV +>>(2.s+13) ubyte >0x1F StarOffice Gallery theme !:mime application/x-stargallery-thm +# thm is also used for JPEG thumbnail images !:ext thm -# gallery name ->>2 pstring/h x %s +# gallery name often 1 word like: 3D sounds Diagrams Flussdiagramme Fotos +# or like private://gallery/hidden/imgppt "Cisco - WAN - LAN" +>>>2 pstring/h x %s # number of objects ->>(2.s+4) ulelong x \b, %u object +>>>(2.s+4) ulelong x \b, %u object # plural s ->>(2.s+4) ulelong !1 \bs +>>>(2.s+4) ulelong !1 \bs # if available then display first object name ->>(2.s+4) ulelong >0 +>>>(2.s+4) ulelong >0 # partial file name, URL or internal name like "dd2*" of 1st object or RESRV ->>>(2.s+11) pstring/h x \b, 1st %s +>>>>(2.s+11) pstring/h x \b, 1st %s # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/StarOffice_Gallery @@ -309,7 +618,7 @@ # $HOME/.config/libreoffice/4/user/gallery 0 string SGA3 StarOffice Gallery thumbnails # Unknown like 0x04000?0001000142 -#>4 ubequad x \b, UNKNOWN 0x%16.16llx +#>4 ubequad x \b, UNKNOWN %#16.16llx #!:mime application/x-sdg !:mime application/x-stargallery-sdg !:ext sdg diff --git a/contrib/file/magic/Magdir/wsdl b/contrib/file/magic/Magdir/wsdl index 35edafc2f535..1c9e60aaa29d 100644 --- a/contrib/file/magic/Magdir/wsdl +++ b/contrib/file/magic/Magdir/wsdl @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: wsdl,v 1.5 2019/04/19 00:42:27 christos Exp $ +# $File: wsdl,v 1.6 2021/04/26 15:56:00 christos Exp $ # wsdl: PHP WSDL Cache, https://www.php.net/manual/en/book.soap.php # Cache format extracted from source: # https://svn.php.net/viewvc/php/php-src/trunk/ext/soap/php_sdl.c?revision=HEAD&view=markup # Requires file >= 5.05 # By Elan Ruusamae <glen@delfi.ee>, Patryk Zawadzki <patrys@pld-linux.org>, 2010-2011 0 string wsdl PHP WSDL cache, ->4 byte x version 0x%02x +>4 byte x version %#02x >6 ledate x \b, created %s # uri diff --git a/contrib/file/magic/Magdir/xenix b/contrib/file/magic/Magdir/xenix index fb83faa876ed..fc8027b74687 100644 --- a/contrib/file/magic/Magdir/xenix +++ b/contrib/file/magic/Magdir/xenix @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xenix,v 1.11 2017/03/17 21:35:28 christos Exp $ +# $File: xenix,v 1.15 2022/10/19 20:15:16 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small @@ -13,25 +13,38 @@ # 0 string core core file (Xenix) # URL: http://www.polarhome.com/service/man/?qf=86rel&tf=2&of=Xenix +# http://fileformats.archiveteam.org/wiki/OMF # Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf # Update: Joerg Jenderek # recordtype~TranslatorHEADerRecord 0 byte 0x80 -# GRR: line above is too general as it catches also Extensible storage engine DataBase +# GRR: line above is too general as it catches also Extensible storage engine DataBase, +# all lif files like forth.lif hpcc88.lif lex90b.lif ( See ./lif) +# and all compressed DEGAS low-res bitmaps like: MUNCHIE.PC1 PIDER1.PC1 # skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3 >1 uleshort <1022 -# skip examples like GAME.PICTURE Strange.Pic by looking for positiv record length +# skip examples like GAME.PICTURE Strange.Pic by looking for positive record length >>1 uleshort >0 -# skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positiv string length +# skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length >>>3 ubyte >0 -# skip examples like OMBRE.6 with "UUUUUU" by looking for filename like "hello.c" ->>>>4 regex [a-zA-Z_/]{1,8}[.] 8086 relocatable (Microsoft) +# skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type +>>>>(1.s+3) ubyte >0x6D +# skip few Atari DEGAS bitmap TPDEMO.PC2 RECIPE.PC2 with invalid "high" second record type FEh FFh +>>>>>(1.s+3) ubyte <0xF2 8086 relocatable (Microsoft) #!:mime application/octet-stream !:mime application/x-object -!:ext o/a ->>>>>3 pstring x \b, "%s" +!:ext obj/o/a +# T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or +# "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ +>>>>>>3 pstring x \b, "%s" +# data length probably lower 256 according to TrID obj_omf.trid.xml +>>>>>>1 uleshort x \b, 1st record data length %u # checksum -#>>>>>(3.b+4) ubyte x \b, checksum 0x%2.2x +#>>>>>>(3.b+4) ubyte x \b, checksum %#2.2x +# second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF +# highest F1h~Library End Record +>>>>>>(1.s+3) ubyte x \b, 2nd record type %#x +>>>>>>(1.s+4) uleshort x \b, 2nd record data length %u 0 leshort 0xff65 x.out >2 string __.SYMDEF randomized >0 byte x archive @@ -90,3 +103,4 @@ >0x1e leshort &0x102 Huge Objects Enabled 0 leshort 0x580 XENIX 8086 relocatable or 80286 small model +# GRR: line above is too general as it catches also all 8086 relocatable (Microsoft) with 1st record data length 5 C0M.OBJ C0T.OBJ C0S.OBJ diff --git a/contrib/file/magic/Magdir/xilinx b/contrib/file/magic/Magdir/xilinx index a5219778d390..fd1467813cbc 100644 --- a/contrib/file/magic/Magdir/xilinx +++ b/contrib/file/magic/Magdir/xilinx @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xilinx,v 1.8 2017/03/17 21:35:28 christos Exp $ +# $File: xilinx,v 1.10 2022/12/18 14:59:32 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 @@ -33,8 +33,26 @@ # Then 'e' >>>>>>>>>>>&1 string e # And length of data ->>>>>>>>>>>>&0 belong x - data length 0x%x +>>>>>>>>>>>>&0 belong x - data length %#x # Raw bitstream files 0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) + +# AXLF (xclbin) files used by AMD/Xilinx accelerators. +# The file format is defined by XRT source tree: +# https://github.com/Xilinx/XRT/blob/master/src/runtime_src/core/include/xclbin.h +# Display file size, creation date, accelerator shell name, xclbin uuid and +# number of sections. + +0 string xclbin2 AMD/Xilinx accelerator AXLF (xclbin) file +>0x130 lequad x \b, %lld bytes +>0x138 leqdate x \b, created %s +>0x160 string >0 \b, shell "%.64s" +>0x1a0 ubelong x \b, uuid %08x +>0x1a4 ubeshort x \b-%04x +>0x1a6 ubeshort x \b-%04x +>0x1a8 ubeshort x \b-%04x +>0x1aa ubelong x \b-%08x +>0x1ae ubeshort x \b%04x +>0x1c0 lelong x \b, %d sections
\ No newline at end of file diff --git a/contrib/file/magic/Magdir/xo65 b/contrib/file/magic/Magdir/xo65 index 7b38818e090b..f7b555f59f1d 100644 --- a/contrib/file/magic/Magdir/xo65 +++ b/contrib/file/magic/Magdir/xo65 @@ -1,6 +1,7 @@ #------------------------------------------------------------------------------ -# $File: xo65,v 1.4 2009/09/19 16:28:13 christos Exp $ +# $File: xo65,v 1.5 2022/07/17 15:36:20 christos Exp $ +# https://cc65.github.io/doc/sim65.html # xo65 object files # From: "Ullrich von Bassewitz" <uz@cc65.org> # @@ -28,3 +29,9 @@ >6 leshort&0x0003 =0x0001 alignment 2 >6 leshort&0x0003 =0x0002 alignment 4 >6 leshort&0x0003 =0x0003 alignment 256 + +# sim65 executable files +0 string \x73\x69\x6d\x36\x35 sim65 executable, +>5 byte x version %d, +>6 leshort&0x0000 =0x0000 6502 +>6 leshort&0x0001 =0x0001 65C02 diff --git a/contrib/file/magic/Magdir/xwindows b/contrib/file/magic/Magdir/xwindows index 7118cadd05ef..d8c08c8702e7 100644 --- a/contrib/file/magic/Magdir/xwindows +++ b/contrib/file/magic/Magdir/xwindows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xwindows,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: xwindows,v 1.13 2022/03/24 15:48:58 christos Exp $ # xwindows: file(1) magic for various X/Window system file formats. # Compiled X Keymap @@ -33,3 +33,11 @@ !:mime image/x-xcursor >10 leshort x version %d >>8 leshort x \b.%d + +# X bitmap https://en.wikipedia.org/wiki/X_BitMap +0 search/2048 #define\040 +>&0 regex [a-zA-Z0-9]+_width\040 xbm image +>>&0 regex [0-9]+ (%sx +>>>&0 string \n#define\040 +>>>>&0 regex [a-zA-Z0-9]+_height\040 +>>>>>&0 regex [0-9]+ \b%s) diff --git a/contrib/file/magic/Magdir/yara b/contrib/file/magic/Magdir/yara index e581c433a56a..6156cc63bc3d 100644 --- a/contrib/file/magic/Magdir/yara +++ b/contrib/file/magic/Magdir/yara @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: yara,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: yara,v 1.4 2021/04/26 15:56:00 christos Exp $ # yara: file(1) magic for https://virustotal.github.io/yara/ # @@ -14,4 +14,4 @@ >>8 byte 8 created with version 3.4.0 >>8 byte 11 created with version 3.5.0 >>8 default x ->>>8 byte x development version 0x%02x +>>>8 byte x development version %#02x diff --git a/contrib/file/magic/Magdir/zfs b/contrib/file/magic/Magdir/zfs index 77675ed7196f..5cb0fdd180be 100644 --- a/contrib/file/magic/Magdir/zfs +++ b/contrib/file/magic/Magdir/zfs @@ -36,7 +36,7 @@ # full 64-bit values. # Big-endian values -8 string \000\000\000\002\365\272\313\254 ZFS shapshot (big-endian machine), +8 string \000\000\000\002\365\272\313\254 ZFS snapshot (big-endian machine), >20 belong x version %u, >32 belong 0 type: NONE, >32 belong 1 type: META, @@ -66,7 +66,7 @@ >56 string >\0 name: '%s' # Little-endian values -8 string \254\313\272\365\002\000\000\000 ZFS shapshot (little-endian machine), +8 string \254\313\272\365\002\000\000\000 ZFS snapshot (little-endian machine), >16 lelong x version %u, >32 lelong 0 type: NONE, >32 lelong 1 type: META, diff --git a/contrib/file/magic/Magdir/zip b/contrib/file/magic/Magdir/zip index cea7ceaac074..abf5284776d4 100644 --- a/contrib/file/magic/Magdir/zip +++ b/contrib/file/magic/Magdir/zip @@ -1,24 +1,33 @@ #------------------------------------------------------------------------------ -# $File: zip,v 1.4 2020/03/03 13:46:52 christos Exp $ +# $File: zip,v 1.8 2021/10/24 15:53:56 christos Exp $ # zip: file(1) magic for zip files; this is not use # Note the version of magic in archive is currently stronger, this is # just an example until negative offsets are supported better +# Note: All fields unless otherwise noted are unsigned! # Zip Central Directory record 0 name zipcd >0 string PK\001\002 Zip archive data +!:mime application/zip +# no "made by" in local file header with PK\3\4 magic >>4 leshort x \b, made by >>4 use zipversion >>4 use ziphost +# inside ./archive 1.151 called "at least" zipversion "to extract" >>6 leshort x \b, extract using at least >>6 use zipversion ->>12 ledate x \b, last modified %s ->>24 lelong >0 \b, uncompressed size %d +# This is DOS date like: ledate 21:00:48 19 Dec 2001 != DOS 00:00 1 Jan 2010 ~ 0000213C +>>12 ulelong x \b, last modified +>>14 lemsdosdate x \b, last modified %s +>>12 lemsdostime x %s +# uncompressed size of 1st entry; FFffFFff means real value stored in ZIP64 record +>>24 ulelong !0xFFffFFff \b, uncompressed size %u +# inside ./archive 1.151 called "compression method="zipcompression >>10 leshort x \b, method= >>10 use zipcompression # URL: https://en.wikipedia.org/wiki/Zip_(file_format) -# reference: https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.6.TXT +# reference: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT (Version: 6.3.9) # Zip known compressions 0 name zipcompression >0 leshort 0 \bstore @@ -33,11 +42,12 @@ #>0 leshort 13 \bReserved by PKWARE >0 leshort 14 \blzma #>0 leshort 15 \bReserved by PKWARE ->0 leshort 16 \bCMPSC Compression +>0 leshort 16 \bCMPSC (IBM z/OS) #>0 leshort 17 \bReserved by PKWARE >0 leshort 18 \bIBM TERSE ->0 leshort 19 \bIBM LZ77 -# https://support.winzip.com/hc/en-us/articles/115012122828-Compression-method-used-for-this-file-is-94 +>0 leshort 19 \bIBM LZ77 (z/Architecture) +>0 leshort 20 \bZstd (deprecated) +>0 leshort 93 \bZstd >0 leshort 94 \bMP3 >0 leshort 95 \bxz >0 leshort 96 \bJpeg @@ -97,14 +107,20 @@ >1 ubyte 18 OS/400 >1 ubyte 19 OS X # unused -#>1 ubyte >19 unused 0x%x +#>1 ubyte >19 unused %#x # Zip End Of Central Directory record +# GRR: wrong for ZIP with comment archive -22 string PK\005\006 -#>4 leshort >1 \b, %d disks -#>6 leshort >1 \b, central directory disk %d -#>8 leshort >1 \b, %d central directories on this disk -#>10 leshort >1 \b, %d central directories -#>12 lelong x \b, %d central directory bytes +#>4 uleshort !0xFFff \b, %u disks +#>6 uleshort !0xFFff \b, central directory disk %u +#>8 uleshort !0xFFff \b, %u central directories on this disk +#>10 uleshort !0xFFff \b, %u central directories +#>12 ulelong !0xFFffFFff \b, %u central directory bytes +# offset of central directory +#>16 ulelong x \b, central directory offset %#x >(16.l) use zipcd +# archive comment length n +#>>20 uleshort >0 \b, comment length %u +# archive comment >>20 pstring/l >0 \b, %s diff --git a/contrib/file/magic/Makefile.am b/contrib/file/magic/Makefile.am index 510c7eb3b6de..270c7fc25da6 100644 --- a/contrib/file/magic/Makefile.am +++ b/contrib/file/magic/Makefile.am @@ -1,5 +1,5 @@ # -# $File: Makefile.am,v 1.157 2020/05/21 16:22:47 christos Exp $ +# $File: Makefile.am,v 1.188 2023/05/21 17:19:08 christos Exp $ # MAGIC_FRAGMENT_BASE = Magdir MAGIC_DIR = $(top_srcdir)/magic @@ -7,12 +7,13 @@ MAGIC_FRAGMENT_DIR = $(MAGIC_DIR)/$(MAGIC_FRAGMENT_BASE) pkgdata_DATA = magic.mgc -EXTRA_DIST = \ +MAGIC_FRAGMENTS = \ $(MAGIC_DIR)/Header \ $(MAGIC_DIR)/Localstuff \ $(MAGIC_FRAGMENT_DIR)/acorn \ $(MAGIC_FRAGMENT_DIR)/adi \ $(MAGIC_FRAGMENT_DIR)/adventure \ +$(MAGIC_FRAGMENT_DIR)/aes \ $(MAGIC_FRAGMENT_DIR)/algol68 \ $(MAGIC_FRAGMENT_DIR)/allegro \ $(MAGIC_FRAGMENT_DIR)/alliant \ @@ -28,11 +29,14 @@ $(MAGIC_FRAGMENT_DIR)/application \ $(MAGIC_FRAGMENT_DIR)/applix \ $(MAGIC_FRAGMENT_DIR)/apt \ $(MAGIC_FRAGMENT_DIR)/archive \ +$(MAGIC_FRAGMENT_DIR)/aria \ +$(MAGIC_FRAGMENT_DIR)/arm \ $(MAGIC_FRAGMENT_DIR)/asf \ $(MAGIC_FRAGMENT_DIR)/assembler \ $(MAGIC_FRAGMENT_DIR)/asterix \ $(MAGIC_FRAGMENT_DIR)/att3b \ $(MAGIC_FRAGMENT_DIR)/audio \ +$(MAGIC_FRAGMENT_DIR)/avm \ $(MAGIC_FRAGMENT_DIR)/basis \ $(MAGIC_FRAGMENT_DIR)/beetle \ $(MAGIC_FRAGMENT_DIR)/ber \ @@ -44,15 +48,19 @@ $(MAGIC_FRAGMENT_DIR)/blackberry \ $(MAGIC_FRAGMENT_DIR)/blcr \ $(MAGIC_FRAGMENT_DIR)/blender \ $(MAGIC_FRAGMENT_DIR)/blit \ +$(MAGIC_FRAGMENT_DIR)/bm \ $(MAGIC_FRAGMENT_DIR)/bout \ $(MAGIC_FRAGMENT_DIR)/bsdi \ $(MAGIC_FRAGMENT_DIR)/bsi \ $(MAGIC_FRAGMENT_DIR)/btsnoop \ +$(MAGIC_FRAGMENT_DIR)/burp \ +$(MAGIC_FRAGMENT_DIR)/bytecode \ $(MAGIC_FRAGMENT_DIR)/c-lang \ $(MAGIC_FRAGMENT_DIR)/c64 \ $(MAGIC_FRAGMENT_DIR)/cad \ $(MAGIC_FRAGMENT_DIR)/cafebabe \ $(MAGIC_FRAGMENT_DIR)/cbor \ +$(MAGIC_FRAGMENT_DIR)/ccf \ $(MAGIC_FRAGMENT_DIR)/cddb \ $(MAGIC_FRAGMENT_DIR)/chord \ $(MAGIC_FRAGMENT_DIR)/cisco \ @@ -69,6 +77,7 @@ $(MAGIC_FRAGMENT_DIR)/console \ $(MAGIC_FRAGMENT_DIR)/convex \ $(MAGIC_FRAGMENT_DIR)/coverage \ $(MAGIC_FRAGMENT_DIR)/cracklib \ +$(MAGIC_FRAGMENT_DIR)/crypto \ $(MAGIC_FRAGMENT_DIR)/ctags \ $(MAGIC_FRAGMENT_DIR)/ctf \ $(MAGIC_FRAGMENT_DIR)/cubemap \ @@ -84,6 +93,7 @@ $(MAGIC_FRAGMENT_DIR)/diff \ $(MAGIC_FRAGMENT_DIR)/digital \ $(MAGIC_FRAGMENT_DIR)/dolby \ $(MAGIC_FRAGMENT_DIR)/dump \ +$(MAGIC_FRAGMENT_DIR)/dwarfs \ $(MAGIC_FRAGMENT_DIR)/dyadic \ $(MAGIC_FRAGMENT_DIR)/ebml \ $(MAGIC_FRAGMENT_DIR)/edid \ @@ -98,6 +108,7 @@ $(MAGIC_FRAGMENT_DIR)/esri \ $(MAGIC_FRAGMENT_DIR)/fcs \ $(MAGIC_FRAGMENT_DIR)/filesystems \ $(MAGIC_FRAGMENT_DIR)/finger \ +$(MAGIC_FRAGMENT_DIR)/firmware \ $(MAGIC_FRAGMENT_DIR)/flash \ $(MAGIC_FRAGMENT_DIR)/flif \ $(MAGIC_FRAGMENT_DIR)/fonts \ @@ -110,6 +121,7 @@ $(MAGIC_FRAGMENT_DIR)/fusecompress \ $(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/gcc \ $(MAGIC_FRAGMENT_DIR)/gconv \ +$(MAGIC_FRAGMENT_DIR)/gentoo \ $(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/gimp \ @@ -123,7 +135,6 @@ $(MAGIC_FRAGMENT_DIR)/gpu \ $(MAGIC_FRAGMENT_DIR)/grace \ $(MAGIC_FRAGMENT_DIR)/graphviz \ $(MAGIC_FRAGMENT_DIR)/gringotts \ -$(MAGIC_FRAGMENT_DIR)/guile \ $(MAGIC_FRAGMENT_DIR)/hardware \ $(MAGIC_FRAGMENT_DIR)/hitachi-sh \ $(MAGIC_FRAGMENT_DIR)/hp \ @@ -148,12 +159,14 @@ $(MAGIC_FRAGMENT_DIR)/keepass \ $(MAGIC_FRAGMENT_DIR)/kerberos \ $(MAGIC_FRAGMENT_DIR)/kicad \ $(MAGIC_FRAGMENT_DIR)/kml \ +$(MAGIC_FRAGMENT_DIR)/lammps \ $(MAGIC_FRAGMENT_DIR)/lecter \ $(MAGIC_FRAGMENT_DIR)/lex \ $(MAGIC_FRAGMENT_DIR)/lif \ $(MAGIC_FRAGMENT_DIR)/linux \ $(MAGIC_FRAGMENT_DIR)/lisp \ $(MAGIC_FRAGMENT_DIR)/llvm \ +$(MAGIC_FRAGMENT_DIR)/locoscript \ $(MAGIC_FRAGMENT_DIR)/lua \ $(MAGIC_FRAGMENT_DIR)/luks \ $(MAGIC_FRAGMENT_DIR)/m4 \ @@ -195,11 +208,12 @@ $(MAGIC_FRAGMENT_DIR)/music \ $(MAGIC_FRAGMENT_DIR)/nasa \ $(MAGIC_FRAGMENT_DIR)/natinst \ $(MAGIC_FRAGMENT_DIR)/ncr \ -$(MAGIC_FRAGMENT_DIR)/neko \ $(MAGIC_FRAGMENT_DIR)/netbsd \ $(MAGIC_FRAGMENT_DIR)/netscape \ $(MAGIC_FRAGMENT_DIR)/netware \ $(MAGIC_FRAGMENT_DIR)/news \ +$(MAGIC_FRAGMENT_DIR)/nifty \ +$(MAGIC_FRAGMENT_DIR)/nim-lang \ $(MAGIC_FRAGMENT_DIR)/nitpicker \ $(MAGIC_FRAGMENT_DIR)/numpy \ $(MAGIC_FRAGMENT_DIR)/oasis \ @@ -209,6 +223,7 @@ $(MAGIC_FRAGMENT_DIR)/ole2compounddocs \ $(MAGIC_FRAGMENT_DIR)/olf \ $(MAGIC_FRAGMENT_DIR)/openfst \ $(MAGIC_FRAGMENT_DIR)/opentimestamps \ +$(MAGIC_FRAGMENT_DIR)/oric \ $(MAGIC_FRAGMENT_DIR)/os2 \ $(MAGIC_FRAGMENT_DIR)/os400 \ $(MAGIC_FRAGMENT_DIR)/os9 \ @@ -221,13 +236,17 @@ $(MAGIC_FRAGMENT_DIR)/pbf \ $(MAGIC_FRAGMENT_DIR)/pbm \ $(MAGIC_FRAGMENT_DIR)/pc88 \ $(MAGIC_FRAGMENT_DIR)/pc98 \ +$(MAGIC_FRAGMENT_DIR)/pci_ids \ +$(MAGIC_FRAGMENT_DIR)/pcjr \ $(MAGIC_FRAGMENT_DIR)/pdf \ $(MAGIC_FRAGMENT_DIR)/pdp \ $(MAGIC_FRAGMENT_DIR)/perl \ $(MAGIC_FRAGMENT_DIR)/pgf \ $(MAGIC_FRAGMENT_DIR)/pgp \ +$(MAGIC_FRAGMENT_DIR)/pgp-binary-keys \ $(MAGIC_FRAGMENT_DIR)/pkgadd \ $(MAGIC_FRAGMENT_DIR)/plan9 \ +$(MAGIC_FRAGMENT_DIR)/playdate \ $(MAGIC_FRAGMENT_DIR)/plus5 \ $(MAGIC_FRAGMENT_DIR)/pmem \ $(MAGIC_FRAGMENT_DIR)/polyml \ @@ -236,11 +255,13 @@ $(MAGIC_FRAGMENT_DIR)/project \ $(MAGIC_FRAGMENT_DIR)/psdbms \ $(MAGIC_FRAGMENT_DIR)/psl \ $(MAGIC_FRAGMENT_DIR)/pulsar \ +$(MAGIC_FRAGMENT_DIR)/puzzle \ $(MAGIC_FRAGMENT_DIR)/pwsafe \ $(MAGIC_FRAGMENT_DIR)/pyramid \ $(MAGIC_FRAGMENT_DIR)/python \ $(MAGIC_FRAGMENT_DIR)/qt \ $(MAGIC_FRAGMENT_DIR)/revision \ +$(MAGIC_FRAGMENT_DIR)/ringdove \ $(MAGIC_FRAGMENT_DIR)/riff \ $(MAGIC_FRAGMENT_DIR)/rpi \ $(MAGIC_FRAGMENT_DIR)/rpm \ @@ -248,6 +269,7 @@ $(MAGIC_FRAGMENT_DIR)/rpmsg \ $(MAGIC_FRAGMENT_DIR)/rtf \ $(MAGIC_FRAGMENT_DIR)/rst \ $(MAGIC_FRAGMENT_DIR)/ruby \ +$(MAGIC_FRAGMENT_DIR)/rust \ $(MAGIC_FRAGMENT_DIR)/sc \ $(MAGIC_FRAGMENT_DIR)/sccs \ $(MAGIC_FRAGMENT_DIR)/scientific \ @@ -272,7 +294,10 @@ $(MAGIC_FRAGMENT_DIR)/spectrum \ $(MAGIC_FRAGMENT_DIR)/sql \ $(MAGIC_FRAGMENT_DIR)/ssh \ $(MAGIC_FRAGMENT_DIR)/ssl \ +$(MAGIC_FRAGMENT_DIR)/statistics \ +$(MAGIC_FRAGMENT_DIR)/subtitle \ $(MAGIC_FRAGMENT_DIR)/sun \ +$(MAGIC_FRAGMENT_DIR)/svf \ $(MAGIC_FRAGMENT_DIR)/sylk \ $(MAGIC_FRAGMENT_DIR)/symbos \ $(MAGIC_FRAGMENT_DIR)/sysex \ @@ -287,6 +312,7 @@ $(MAGIC_FRAGMENT_DIR)/tplink \ $(MAGIC_FRAGMENT_DIR)/troff \ $(MAGIC_FRAGMENT_DIR)/tuxedo \ $(MAGIC_FRAGMENT_DIR)/typeset \ +$(MAGIC_FRAGMENT_DIR)/uf2 \ $(MAGIC_FRAGMENT_DIR)/unicode \ $(MAGIC_FRAGMENT_DIR)/unisig \ $(MAGIC_FRAGMENT_DIR)/unknown \ @@ -325,6 +351,11 @@ $(MAGIC_FRAGMENT_DIR)/zilog \ $(MAGIC_FRAGMENT_DIR)/zip \ $(MAGIC_FRAGMENT_DIR)/zyxel +EXTRA_DIST = \ +$(MAGIC_DIR)/scripts/create_filemagic_flac \ +$(MAGIC_FRAGMENTS) + + MAGIC = magic.mgc CLEANFILES = ${MAGIC} $(MAGIC_FRAGMENT_DIR)/Localstuff @@ -338,9 +369,9 @@ FILE_COMPILE = $(top_builddir)/src/file${EXEEXT} FILE_COMPILE_DEP = $(FILE_COMPILE) endif -${MAGIC}: $(EXTRA_DIST) $(FILE_COMPILE_DEP) +${MAGIC}: $(MAGIC_FRAGMENTS) $(FILE_COMPILE_DEP) @rm -fr magic - @mkdir magic && cp -p $(EXTRA_DIST) magic + @mkdir magic && cp -p $(MAGIC_FRAGMENTS) magic @(if expr "${FILE_COMPILE}" : '.*/.*' > /dev/null; then \ echo "Using ${FILE_COMPILE} to generate ${MAGIC}" > /dev/null; \ else \ diff --git a/contrib/file/magic/Makefile.in b/contrib/file/magic/Makefile.in index 26b863df142f..c528269244d8 100644 --- a/contrib/file/magic/Makefile.in +++ b/contrib/file/magic/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.1 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2018 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -92,7 +92,8 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/visibility.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) @@ -164,8 +165,9 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAG_VISIBILITY = @CFLAG_VISIBILITY@ -CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ @@ -176,6 +178,7 @@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ @@ -264,6 +267,7 @@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -274,18 +278,19 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ # -# $File: Makefile.am,v 1.157 2020/05/21 16:22:47 christos Exp $ +# $File: Makefile.am,v 1.188 2023/05/21 17:19:08 christos Exp $ # MAGIC_FRAGMENT_BASE = Magdir MAGIC_DIR = $(top_srcdir)/magic MAGIC_FRAGMENT_DIR = $(MAGIC_DIR)/$(MAGIC_FRAGMENT_BASE) pkgdata_DATA = magic.mgc -EXTRA_DIST = \ +MAGIC_FRAGMENTS = \ $(MAGIC_DIR)/Header \ $(MAGIC_DIR)/Localstuff \ $(MAGIC_FRAGMENT_DIR)/acorn \ $(MAGIC_FRAGMENT_DIR)/adi \ $(MAGIC_FRAGMENT_DIR)/adventure \ +$(MAGIC_FRAGMENT_DIR)/aes \ $(MAGIC_FRAGMENT_DIR)/algol68 \ $(MAGIC_FRAGMENT_DIR)/allegro \ $(MAGIC_FRAGMENT_DIR)/alliant \ @@ -301,11 +306,14 @@ $(MAGIC_FRAGMENT_DIR)/application \ $(MAGIC_FRAGMENT_DIR)/applix \ $(MAGIC_FRAGMENT_DIR)/apt \ $(MAGIC_FRAGMENT_DIR)/archive \ +$(MAGIC_FRAGMENT_DIR)/aria \ +$(MAGIC_FRAGMENT_DIR)/arm \ $(MAGIC_FRAGMENT_DIR)/asf \ $(MAGIC_FRAGMENT_DIR)/assembler \ $(MAGIC_FRAGMENT_DIR)/asterix \ $(MAGIC_FRAGMENT_DIR)/att3b \ $(MAGIC_FRAGMENT_DIR)/audio \ +$(MAGIC_FRAGMENT_DIR)/avm \ $(MAGIC_FRAGMENT_DIR)/basis \ $(MAGIC_FRAGMENT_DIR)/beetle \ $(MAGIC_FRAGMENT_DIR)/ber \ @@ -317,15 +325,19 @@ $(MAGIC_FRAGMENT_DIR)/blackberry \ $(MAGIC_FRAGMENT_DIR)/blcr \ $(MAGIC_FRAGMENT_DIR)/blender \ $(MAGIC_FRAGMENT_DIR)/blit \ +$(MAGIC_FRAGMENT_DIR)/bm \ $(MAGIC_FRAGMENT_DIR)/bout \ $(MAGIC_FRAGMENT_DIR)/bsdi \ $(MAGIC_FRAGMENT_DIR)/bsi \ $(MAGIC_FRAGMENT_DIR)/btsnoop \ +$(MAGIC_FRAGMENT_DIR)/burp \ +$(MAGIC_FRAGMENT_DIR)/bytecode \ $(MAGIC_FRAGMENT_DIR)/c-lang \ $(MAGIC_FRAGMENT_DIR)/c64 \ $(MAGIC_FRAGMENT_DIR)/cad \ $(MAGIC_FRAGMENT_DIR)/cafebabe \ $(MAGIC_FRAGMENT_DIR)/cbor \ +$(MAGIC_FRAGMENT_DIR)/ccf \ $(MAGIC_FRAGMENT_DIR)/cddb \ $(MAGIC_FRAGMENT_DIR)/chord \ $(MAGIC_FRAGMENT_DIR)/cisco \ @@ -342,6 +354,7 @@ $(MAGIC_FRAGMENT_DIR)/console \ $(MAGIC_FRAGMENT_DIR)/convex \ $(MAGIC_FRAGMENT_DIR)/coverage \ $(MAGIC_FRAGMENT_DIR)/cracklib \ +$(MAGIC_FRAGMENT_DIR)/crypto \ $(MAGIC_FRAGMENT_DIR)/ctags \ $(MAGIC_FRAGMENT_DIR)/ctf \ $(MAGIC_FRAGMENT_DIR)/cubemap \ @@ -357,6 +370,7 @@ $(MAGIC_FRAGMENT_DIR)/diff \ $(MAGIC_FRAGMENT_DIR)/digital \ $(MAGIC_FRAGMENT_DIR)/dolby \ $(MAGIC_FRAGMENT_DIR)/dump \ +$(MAGIC_FRAGMENT_DIR)/dwarfs \ $(MAGIC_FRAGMENT_DIR)/dyadic \ $(MAGIC_FRAGMENT_DIR)/ebml \ $(MAGIC_FRAGMENT_DIR)/edid \ @@ -371,6 +385,7 @@ $(MAGIC_FRAGMENT_DIR)/esri \ $(MAGIC_FRAGMENT_DIR)/fcs \ $(MAGIC_FRAGMENT_DIR)/filesystems \ $(MAGIC_FRAGMENT_DIR)/finger \ +$(MAGIC_FRAGMENT_DIR)/firmware \ $(MAGIC_FRAGMENT_DIR)/flash \ $(MAGIC_FRAGMENT_DIR)/flif \ $(MAGIC_FRAGMENT_DIR)/fonts \ @@ -383,6 +398,7 @@ $(MAGIC_FRAGMENT_DIR)/fusecompress \ $(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/gcc \ $(MAGIC_FRAGMENT_DIR)/gconv \ +$(MAGIC_FRAGMENT_DIR)/gentoo \ $(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/gimp \ @@ -396,7 +412,6 @@ $(MAGIC_FRAGMENT_DIR)/gpu \ $(MAGIC_FRAGMENT_DIR)/grace \ $(MAGIC_FRAGMENT_DIR)/graphviz \ $(MAGIC_FRAGMENT_DIR)/gringotts \ -$(MAGIC_FRAGMENT_DIR)/guile \ $(MAGIC_FRAGMENT_DIR)/hardware \ $(MAGIC_FRAGMENT_DIR)/hitachi-sh \ $(MAGIC_FRAGMENT_DIR)/hp \ @@ -421,12 +436,14 @@ $(MAGIC_FRAGMENT_DIR)/keepass \ $(MAGIC_FRAGMENT_DIR)/kerberos \ $(MAGIC_FRAGMENT_DIR)/kicad \ $(MAGIC_FRAGMENT_DIR)/kml \ +$(MAGIC_FRAGMENT_DIR)/lammps \ $(MAGIC_FRAGMENT_DIR)/lecter \ $(MAGIC_FRAGMENT_DIR)/lex \ $(MAGIC_FRAGMENT_DIR)/lif \ $(MAGIC_FRAGMENT_DIR)/linux \ $(MAGIC_FRAGMENT_DIR)/lisp \ $(MAGIC_FRAGMENT_DIR)/llvm \ +$(MAGIC_FRAGMENT_DIR)/locoscript \ $(MAGIC_FRAGMENT_DIR)/lua \ $(MAGIC_FRAGMENT_DIR)/luks \ $(MAGIC_FRAGMENT_DIR)/m4 \ @@ -468,11 +485,12 @@ $(MAGIC_FRAGMENT_DIR)/music \ $(MAGIC_FRAGMENT_DIR)/nasa \ $(MAGIC_FRAGMENT_DIR)/natinst \ $(MAGIC_FRAGMENT_DIR)/ncr \ -$(MAGIC_FRAGMENT_DIR)/neko \ $(MAGIC_FRAGMENT_DIR)/netbsd \ $(MAGIC_FRAGMENT_DIR)/netscape \ $(MAGIC_FRAGMENT_DIR)/netware \ $(MAGIC_FRAGMENT_DIR)/news \ +$(MAGIC_FRAGMENT_DIR)/nifty \ +$(MAGIC_FRAGMENT_DIR)/nim-lang \ $(MAGIC_FRAGMENT_DIR)/nitpicker \ $(MAGIC_FRAGMENT_DIR)/numpy \ $(MAGIC_FRAGMENT_DIR)/oasis \ @@ -482,6 +500,7 @@ $(MAGIC_FRAGMENT_DIR)/ole2compounddocs \ $(MAGIC_FRAGMENT_DIR)/olf \ $(MAGIC_FRAGMENT_DIR)/openfst \ $(MAGIC_FRAGMENT_DIR)/opentimestamps \ +$(MAGIC_FRAGMENT_DIR)/oric \ $(MAGIC_FRAGMENT_DIR)/os2 \ $(MAGIC_FRAGMENT_DIR)/os400 \ $(MAGIC_FRAGMENT_DIR)/os9 \ @@ -494,13 +513,17 @@ $(MAGIC_FRAGMENT_DIR)/pbf \ $(MAGIC_FRAGMENT_DIR)/pbm \ $(MAGIC_FRAGMENT_DIR)/pc88 \ $(MAGIC_FRAGMENT_DIR)/pc98 \ +$(MAGIC_FRAGMENT_DIR)/pci_ids \ +$(MAGIC_FRAGMENT_DIR)/pcjr \ $(MAGIC_FRAGMENT_DIR)/pdf \ $(MAGIC_FRAGMENT_DIR)/pdp \ $(MAGIC_FRAGMENT_DIR)/perl \ $(MAGIC_FRAGMENT_DIR)/pgf \ $(MAGIC_FRAGMENT_DIR)/pgp \ +$(MAGIC_FRAGMENT_DIR)/pgp-binary-keys \ $(MAGIC_FRAGMENT_DIR)/pkgadd \ $(MAGIC_FRAGMENT_DIR)/plan9 \ +$(MAGIC_FRAGMENT_DIR)/playdate \ $(MAGIC_FRAGMENT_DIR)/plus5 \ $(MAGIC_FRAGMENT_DIR)/pmem \ $(MAGIC_FRAGMENT_DIR)/polyml \ @@ -509,11 +532,13 @@ $(MAGIC_FRAGMENT_DIR)/project \ $(MAGIC_FRAGMENT_DIR)/psdbms \ $(MAGIC_FRAGMENT_DIR)/psl \ $(MAGIC_FRAGMENT_DIR)/pulsar \ +$(MAGIC_FRAGMENT_DIR)/puzzle \ $(MAGIC_FRAGMENT_DIR)/pwsafe \ $(MAGIC_FRAGMENT_DIR)/pyramid \ $(MAGIC_FRAGMENT_DIR)/python \ $(MAGIC_FRAGMENT_DIR)/qt \ $(MAGIC_FRAGMENT_DIR)/revision \ +$(MAGIC_FRAGMENT_DIR)/ringdove \ $(MAGIC_FRAGMENT_DIR)/riff \ $(MAGIC_FRAGMENT_DIR)/rpi \ $(MAGIC_FRAGMENT_DIR)/rpm \ @@ -521,6 +546,7 @@ $(MAGIC_FRAGMENT_DIR)/rpmsg \ $(MAGIC_FRAGMENT_DIR)/rtf \ $(MAGIC_FRAGMENT_DIR)/rst \ $(MAGIC_FRAGMENT_DIR)/ruby \ +$(MAGIC_FRAGMENT_DIR)/rust \ $(MAGIC_FRAGMENT_DIR)/sc \ $(MAGIC_FRAGMENT_DIR)/sccs \ $(MAGIC_FRAGMENT_DIR)/scientific \ @@ -545,7 +571,10 @@ $(MAGIC_FRAGMENT_DIR)/spectrum \ $(MAGIC_FRAGMENT_DIR)/sql \ $(MAGIC_FRAGMENT_DIR)/ssh \ $(MAGIC_FRAGMENT_DIR)/ssl \ +$(MAGIC_FRAGMENT_DIR)/statistics \ +$(MAGIC_FRAGMENT_DIR)/subtitle \ $(MAGIC_FRAGMENT_DIR)/sun \ +$(MAGIC_FRAGMENT_DIR)/svf \ $(MAGIC_FRAGMENT_DIR)/sylk \ $(MAGIC_FRAGMENT_DIR)/symbos \ $(MAGIC_FRAGMENT_DIR)/sysex \ @@ -560,6 +589,7 @@ $(MAGIC_FRAGMENT_DIR)/tplink \ $(MAGIC_FRAGMENT_DIR)/troff \ $(MAGIC_FRAGMENT_DIR)/tuxedo \ $(MAGIC_FRAGMENT_DIR)/typeset \ +$(MAGIC_FRAGMENT_DIR)/uf2 \ $(MAGIC_FRAGMENT_DIR)/unicode \ $(MAGIC_FRAGMENT_DIR)/unisig \ $(MAGIC_FRAGMENT_DIR)/unknown \ @@ -598,6 +628,10 @@ $(MAGIC_FRAGMENT_DIR)/zilog \ $(MAGIC_FRAGMENT_DIR)/zip \ $(MAGIC_FRAGMENT_DIR)/zyxel +EXTRA_DIST = \ +$(MAGIC_DIR)/scripts/create_filemagic_flac \ +$(MAGIC_FRAGMENTS) + MAGIC = magic.mgc CLEANFILES = ${MAGIC} $(MAGIC_FRAGMENT_DIR)/Localstuff @IS_CROSS_COMPILE_FALSE@FILE_COMPILE = $(top_builddir)/src/file${EXEEXT} @@ -672,7 +706,6 @@ ctags CTAGS: cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am @@ -827,9 +860,9 @@ uninstall-am: uninstall-pkgdataDATA .PRECIOUS: Makefile -${MAGIC}: $(EXTRA_DIST) $(FILE_COMPILE_DEP) +${MAGIC}: $(MAGIC_FRAGMENTS) $(FILE_COMPILE_DEP) @rm -fr magic - @mkdir magic && cp -p $(EXTRA_DIST) magic + @mkdir magic && cp -p $(MAGIC_FRAGMENTS) magic @(if expr "${FILE_COMPILE}" : '.*/.*' > /dev/null; then \ echo "Using ${FILE_COMPILE} to generate ${MAGIC}" > /dev/null; \ else \ diff --git a/contrib/file/magic/scripts/create_filemagic_flac b/contrib/file/magic/scripts/create_filemagic_flac new file mode 100755 index 000000000000..0ecfb17277b6 --- /dev/null +++ b/contrib/file/magic/scripts/create_filemagic_flac @@ -0,0 +1,71 @@ +#!/usr/bin/env bash + +## bash script to generate file magic support for flac. +## https://github.com/file/file/blob/master/magic/Magdir/audio +## below "#some common sample rates" (line 471), ie: +## >>17 belong&0xfffff0 0x2ee000 \b, 192 kHz + +LANG=C + +target=magic/Magdir/audio + +## construct static list of sample rates based on standard crystal +## oscillator frequencies. +## 16.384 MHz Unknown audio application +## (16384 kHz = 32 kHz * 512 = 32 * 2^9) +## 22.5792 MHz Redbook/CD +## (22579.2 kHz = 44.1kHz * 512 = 44.1 * 2^9) +## also used: 11.2896, 16.9344, 33.8688 and 45.1584 +## 24.576 MHz DAT/Video +## (24576 kHz = 48 kHz * 512 = 48 * 2^9) +## also used: 49.1520 + +## 33.8688 > 16.9344 +## 36.864 > 18.432000 +declare -a a_ground_fs=(16384000 22579200 24576000) + +## multiply ground clock frequencies by 1953 to get usable base +## frequencies, for instance: +## DAT/video: 24.576 MHz * 1000000 / 512 = 48000Hz +## Redbook/CD: 22.5792 MHz * 1000000 / 512 = 44100Hz +## use base rates for calculating derived rates +declare -a samplerates +## min divider: fs/n +def_fs_n=512 +min_fs_n=4 +## start at base_fs/(def_fs*min_fs) +## add each derived sample rate to the array +for base_fs in "${a_ground_fs[@]}"; do + min_fs=$( echo "${base_fs} / ( ${def_fs_n} * ${min_fs_n} )" | bc) + ## max multiplier: fs*n*min_fs + max_fs_n=$(( 8 * min_fs_n )) + n=${max_fs_n} + while [[ ${n} -ge 1 ]]; do + sample_rate=$(( min_fs * n )) + samplerates+=(${sample_rate}) + n=$(( n / 2 )) + done +done + +declare -a stripped_rates +declare -a lines +for samplerate in "${samplerates[@]}"; do + ## use bc with sed to convert and format Hz to kHz + stripped_rate="$(LANG=C bc <<< "scale=5; ${samplerate} / 1000" | \ + sed 's#[0\.]*$##g')" + ## only add uniq sample rates (should be necessary + if [[ ! "${stripped_rates[@]}" =~ ${stripped_rate} ]]; then + printf -v line ">>17\tbelong&%#-15x\t%#08x\t%s, %s kHz\n" \ + "16777200" \ + "$(( samplerate * 16 ))" \ + "\b" \ + "${stripped_rate}" + stripped_rates+=("${stripped_rate}") + lines+=("${line}") + fi + +done +printf "## start cutting >>> \n" +## print out the formatted lines +printf "%s" "${lines[@]}" | sort -k5 -n +printf "## <<< stop cutting\n" |