Diffstat (limited to 'magic/Magdir/archive')
| -rw-r--r-- | magic/Magdir/archive | 291 |
1 files changed, 248 insertions, 43 deletions
diff --git a/magic/Magdir/archive b/magic/Magdir/archive
index 6e1f9678e7ac..b920f9930f41 100644
--- a/magic/Magdir/archive
+++ b/magic/Magdir/archive
@@ -1,5 +1,5 @@
 #------------------------------------------------------------------------------
-# $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $
+# $File: archive,v 1.207 2024/11/27 15:37:46 christos Exp $
 # archive: file(1) magic for archive formats (see also "msdos" for self-
 # extracting compressed archives)
 #
@@ -25,6 +25,11 @@
 >>>>>>155 ubyte&0xDF =0
 # space or ascii digit 0 at start of check sum
 >>>>>>>148 ubyte&0xEF =0x20
+# check for specific 1st member name that indicates other mime type and file name suffix
+>>>>>>>>0 string TpmEmuTpms/permall
+# maybe also look for 2nd tar member efi/nvram containing UEFI variables part
+#>>>>>>>>>512 search/0x1800 efi/nvram\0 EFI_PART_FOUND
+>>>>>>>>>0 use tar-nvram
 # FOR DEBUGGING:
 #>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s"
 # check for 1st image main name with digits used for sorting
@@ -34,9 +39,35 @@
 # check for 1st member name with ovf suffix
 >>>>>>>>0 regex \^.{1,96}[.](ovf)
 >>>>>>>>>0 use tar-ova
-# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive
+# look for relative directory ./var/ or ./lte/ as 1st member name that indicates AVM firmware with other file name suffix
+>>>>>>>>0 ubequad&0xFFffE5eaE8ffFFff 0x2e2f6460602f0000
+>>>>>>>>>0 use tar-avm
+# maybe look for AVM specific 2nd name entry
+# >>>>>>>>>517 string /content\0 content~
+# >>>>>>>>>>0 use tar-avm
+# >>>>>>>>>517 string /install\0 install~
+# >>>>>>>>>>0 use tar-avm
+# >>>>>>>>>517 string /chksum\0 chksum~
+# >>>>>>>>>>0 use tar-avm
+# >>>>>>>>>517 string /modfw.nfo\0 modfw~
+# >>>>>>>>>>0 use tar-avm
+# most (419/429) *.WBM (71/71) *.WBT with user name jcameron of Webmin developer Jamie Cameron in first tar archive member
+>>>>>>>>265 string jcameron
+>>>>>>>>>0 use tar-webmin
+# if 1st member name without digits and without used image suffix, without *.ovf,
+# ./var/ , ./lte/ and TpmEmuTpms/ then it is a pure TAR archive or Webmin without jcameron user name
 >>>>>>>>0 default x
->>>>>>>>>0 use tar-file
+# few (10/429) *.WBM without user name jcameron in 1st tar member but with WBM module.info name like:
+# apcupsd-0.81-2.wbm csavupdate.wbm cwmail.wbm dac960.wbm etcupdate.wbm logviewer.wbm memcached.wbm rinetd.wbm shoutcast.wbm vacationadmin-webmin-module-1.1.2.wbm
+# few (10/95) *.WBT without user name jcameron in 1st tar member but with WBT theme.info name like:
+# authentic-theme-21.09.5.wbt Mozilla-Modern.wbt virtual-server-theme-2.7.wbt fkn-webmintheme.0.6.0.wbt
+>>>>>>>>>512 search/210965/s e.info\0
+>>>>>>>>>>0 use tar-webmin
+# pure TAR
+>>>>>>>>>0 default x
+>>>>>>>>>>0 use tar-file
+# Note: called "TAR - Tape ARchive" by TrID, "Tape Archive Format" by DROID via PUID x-fmt/265
+# and "Tar archive" by shared MIME-info database from freedesktop.org
 # minimal check and then display tar archive information which can also be
 # embedded inside others like Android Backup, Clam AntiVirus database
 0 name tar-file
@@ -86,7 +117,11 @@
 >>261 default x tar archive (unknown ustar)
 !:mime application/x-ustar
 !:ext tar/ustar
-# type flag of 1st tar archive member
+# show information for 1st tar archive member
+>0 use tar-entry
+# display information of tar archive member (file type, name, permissions, user, group)
+0 name tar-entry
+# type flag of tar archive member
 #>156 ubyte x \b, %c-type
 >156 ubyte x
 >>156 ubyte 0 \b, file
@@ -142,7 +177,7 @@
 >>265 string >\0 \b, user %-.32s
 # group name null terminated
 >>297 string >\0 \b, group %-.32s
-# device major minor if not zero
+# device major minor if not zero (binary or ASCII)
 >>329 ubequad&0xCFCFCFCFcFcFcFdf !0
 >>>329 string x \b, devmaj %-.7s
 >>337 ubequad&0xCFCFCFCFcFcFcFdf !0
@@ -157,6 +192,25 @@
 >>508 default x
 # padding[255] in old tar sometimes comment field
 >>>257 string >\0 \b, comment: %-.40s
+# Summary: VirtualBox NvramFile with UEFI variables packed inside TAR archive
+# URL: hhttps://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nvram-virtualbox-tar.trid.xml
+# Note: called "VirtualBox saved (U)EFI BIOS settings (TAR) by TrID and
+# verified by 7-Zip `7z l -ttar Mint-21.1.nvram` and
+# VirtualBox `VBoxManage modifynvram "Mint-21.1" listvars`
+0 name tar-nvram
+#
+>0 string x VirtualBox NVRAM file
+#!:mime application/x-gtar
+!:mime application/x-virtualbox-nvram
+!:ext nvram
+# first name[100] like: TpmEmuTpms/permall
+>0 use tar-entry
+# 2nd tar member efi/nvram contains UEFI variables part described by ./virtual
+>512 search/0x1800/s efi/nvram\0
+>>&0 use tar-entry
+# 2nd tar member efi/nvram content could be described by ./virtual
+#>>&512 indirect x
 # Summary: Comic Book Archive *.CBT with TAR format
 # URL: https://en.wikipedia.org/wiki/Comic_book_archive
 # http://fileformats.archiveteam.org/wiki/Comic_Book_Archive
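Review bot: The masked compare `>>>>>>>>0 ubequad&0xFFffE5eaE8ffFFff 0x2e2f6460602f0000` accepts more first-member names than the comment's `./var/` and `./lte/`: under that mask the three letters may be any of d f l n t v, then ` a d e p q t u, then a-g or p-w, so a plain tar whose first entry is, say, `./dat/` or `./net/` is dispatched to tar-avm and reported as AVM firmware with mime application/x-avm-image. Two exact tests, `>>>>>>>>0 string ./var/\0` and `>>>>>>>>0 string ./lte/\0`, each followed by `>>>>>>>>>0 use tar-avm`, would avoid that; failing that, a comment listing the names the mask admits. The fallback `>>>>>>>>>512 search/210965/s e.info\0` likewise matches any member name ending in `e.info`, not only module.info or theme.info, so an ordinary tar carrying such a name is reported as a Webmin module. The detection chain these lines extend begins above the hunk.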
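Review bot: The comment `# URL: hhttps://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram` in tar-nvram has a doubled `h` and should read `# URL: https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram`. The next line, `# Note: called "VirtualBox saved (U)EFI BIOS settings (TAR) by TrID and`, is also missing its closing quote after `(TAR)`.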
@@ -169,7 +223,8 @@ !:ext cbt # name[100] probably like: 19.jpg 0001.png 0002.png # or maybe like ComicInfo.xml ->0 string >\0 \b, 1st image %-.60s +#>0 string >\0 \b, 1st image %-.60s +>0 use tar-entry # Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format @@ -184,7 +239,85 @@ !:mime application/x-virtualbox-ova !:ext ova # assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf ->0 string >\0 \b, with %-.60s +#>0 string >\0 \b, with %-.60s +>0 use tar-entry +# Summary: AVM firmware (FRITZ!OS) for the FRITZ!Box (router) +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Fritz!Box +# https://www.redteam-pentesting.de/de/advisories/rt-sa-2014-010/-avm-fritz-box-firmware-signature-bypass +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/image-avm.trid.xml +# Note: verified by 7-Zip `7z l -ttar FRITZ.Box_4040-07.57.image` +0 name tar-avm +>0 string x AVM FRITZ!Box firmware +#!:mime application/x-gtar +!:mime application/x-avm-image +!:ext image +# tar member ./var/content starts with line like "Product=Fritz_Box_HW227 (FRITZ!Box 4040)" +>>1024 search/512 Product=Fritz_Box_ +>>>&0 string x %s +# version string like: 07.57 07.58 +>>>1044 search Version= \b, version +>>>>&0 string x %s +# product phrase too far behind (dozen MB) in many samples like: FRITZ.Box_4040-07.12.image FRITZ.Box_6820v3_LTE-07.57.image +# so try to look for other characteristic foo +# >>1024 default x OTHER_PATTERN! +# >>>1023 search AVM_PATTERN PATTERNfound +# first name[100] like: ./var/ ./lte/ +>0 use tar-entry +# if 1st entry is directory then show 2nd entry +>156 ubyte 0x35 +# 2nd tar member name like: ./var/content (often ) ./var/install ./var/chksum ./lte/modfw.nfo +>>512 use tar-entry +# Summary: Webmin Module or Theme +# 
From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Webmin +# https://webmin.com/docs/development/creating-modules/ +# https://webmin.com/docs/development/creating-themes/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wbm.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/w/wbt.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/w/wbt-gif.trid.xml +# Note: called "Webmin Module" "Webmin Theme" by TrID +# most verfied by 7-Zip `7z l -ttar *.wbm | grep "\module.info"` and +# `7z l -ttar *.wbt | grep "\theme.info"` +0 name tar-webmin +>0 string x Webmin +# Webmin module or theme +>>512 search/1767941/s /module.info Module +!:mime application/x-webmin-module +!:ext wbm +# According to documentation module.info is mandatory but instead theme.info is found in +# old-blue-theme.wbm old-blue-theme-1.0.wbm old-mscstyle3.wbm virtual-server-mobile.wbm +# GRR: maybe here wrong file name suffix WBM instead of WBT +>>512 default x +>>>512 search/3149333/s /theme.info Theme +!:mime application/x-webmin-theme +!:ext wbt +# next 3 lines should not happen +>>>512 default x Module or Theme +!:mime application/x-webmin +!:ext wbm/wbt +# GNU or POSIX tar +>257 string =ustar ( +# 2 space characters followed by a null for GNU variant for most (428/429) WBM samples +>>261 ubelong =0x72202000 \bGNU tar) +#!:mime application/x-gtar +# UStar version variant with ASCII "00" as in few (1/429) samples like cwmail.wbm +>>261 ubelong 0x72003030 \bPOSIX tar) +#!:mime application/x-ustar +#>>>156 ubyte x tar archive +# Apparently first archive member name[100] is directory like: dynbind/ ssh/ virtualmin-powerdns/ virtual-server-mobile/ vnc/ +>>0 use tar-entry +# look for characteristic WBM module info name starting with "module.info" for language variant like in: ssh2.wbm +>>512 search/1767941/s /module.info +# look for TAR magic of WBM archive module info +>>>&0 search/257/s ustar +# show details for WBM archive member module info +>>>>&-257 use tar-entry +# 
look for characteristic WBT theme info name with "theme.info" like in: authentic-theme-21.09.5.wbt +>>512 search/3149333/s /theme.info\0 +# look for TAR magic of WBT archive theme info +>>>&0 search/257/s ustar +>>>>&-257 use tar-entry # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html @@ -765,7 +898,7 @@ >>>>>>>(16.s) uleshort x >>>>>>>>&16 string x \b, %-.8s >>>>>>12 uleshort &0x10 ->>>>>>>(16.s) uleshort x +#>>>>>>>(16.s) uleshort x >>>>>>>&16 string x %-.8s >>>>>>>>&1 string x \b.%-.3s >>>12 uleshort &0x01 
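Review bot: In tar-avm the product and version values are printed with an unbounded `%s` (`>>>&0 string x %s` and `>>>>&0 string x %s`) even though the text comes straight from the archive, while the surrounding tar entries cap such strings with widths like `%-.32s`; `%-.40s` would keep the output bounded and consistent. `>>>1044 search Version= \b, version` gives no /N range, unlike the neighbouring `>>1024 search/512 Product=Fritz_Box_`, so it relies on whatever default range file applies to `search`; an explicit range states the intent. In tar-webmin the scans `>>512 search/1767941/s /module.info Module` and `>>>512 search/3149333/s /theme.info Theme` cover several MB for every archive dispatched there, and how they interact with file's read-ahead limit is not documented, so a comment on why these exact limits were chosen would help the next maintainer. The comment `# most verfied by 7-Zip` should read `verified`. The tar-webmin definition is split across two physical lines here but ends within this hunk.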
@@ -957,7 +1090,45 @@
 # ZET
 0 string OZ\xc3\x9d ZET archive data
 # TSComp
-0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
+# Update: Joerg Jenderek 2023 Nov
+# URL: http://fileformats.archiveteam.org/wiki/TSComp
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tscomp.trid.xml
+# https://entropymine.com/deark/releases/deark-1.6.5.tar.gz
+# deark-1.6.5/modules/installshld.c
+# Note: called "TSComp compressed data" by TrID
+# verified by command like `deark -m tscomp -l -d2 MAKERRES.DL$`
+# The "13" might be a version number. The "8c" is a mystery
+0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive
+#!:mime application/octet-stream
+!:mime application/x-tscomp-compressed
+# filename style: 0~old version 1~without wildcard 2~with wildcard
+#>0x08 ubyte x \b, filename style %u
+>0x08 ubyte 0 data, filename style 0
+# no example found
+!:ext ??$
+#>0x08 ubyte 1 data, without wildcard
+>0x08 ubyte 1 data
+# for single-file archives, often the last letter of the filename extension is changed to "$"; but also name like: BUILD3.BM!
+!:ext ??$/??!
+>0x08 ubyte 2 data, with wildcard
+# for multi-file archives common extensions seem to be .lib and .cmp, but also names like: SAMPMIF$ OTDATA.$$$ TWOFILES.TSC WIN.PAK
+!:ext /lib/cmp/$$$/tsc/pak
+# fnlen; pascal string length; original 1st file name like: CHFORMAT.MML
+>0x1c pstring x \b, %s
+# md->fi->timestamp
+>0x16 lemsdosdate x \b, modified %s
+>0x18 lemsdostime x %s
+# 1st compressed size: like 180 (SAMPMML$$)
+>0x0E ulelong x \b, compressed size %u
+# de_dbg_indent(c, 1): like: 12h
+#>0x0d ubyte x b, at 0xD %#x
+# like: 0
+#>0x1A ubeshort x \b, at 0x1A %#x
+# 2nd member offset
+#>0x12 ulelong x \b, next offset %#x
+>0x12 ulelong >0
+# original 2nd archive member name like: FORMATS.MML
+>>(0x12.l+15) pstring x \b, %s ...
 # ARQ
 0 string gW\4\1 ARQ archive data
 # Squash
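Review bot: `!:ext ??$` and `!:ext ??$/??!` carry `?` wildcards, which no other `!:ext` line in this diff does (`rar/cbr`, `zip/cbz`, `wbm/wbt`, `/lib/cmp/$$$/tsc/pak`); unless the extension consumer treats `?` as a pattern, `--extension` output will contain literal question marks, so either a comment stating that intent or dropping the wildcard forms would help. The `!:ext /lib/cmp/$$$/tsc/pak` line begins with a stray `/`, which yields an empty first alternative. The commented line `#>0x0d ubyte x b, at 0xD %#x` lacks the backslash before `b` and will misprint if it is ever re-enabled.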
@@ -1376,7 +1547,7 @@ # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, -#>2 leshort >1 %hu files, +#>2 leshort >1 %u files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC @@ -1466,7 +1637,7 @@ # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 ->0 ubyte x +#>0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d # attribute: 0x2~?? 0x10~symlink|target 0x20~normal @@ -1590,7 +1761,7 @@ # RAR (Roshal Archive) archive 0 string Rar!\x1a\7\0 RAR archive data -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar/cbr # file header >(0xc.l+9) byte 0x74 @@ -1602,13 +1773,13 @@ >>7 use rar-archive-header 0 string Rar!\x1a\7\1\0 RAR archive data, v5 -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar # Very old RAR archive # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf 0 string RE\x7e\x5e RAR archive data (<v1.5) -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar/cbr # SQUISH archiver (Greg Roelofs, newt@uchicago.edu) @@ -1623,9 +1794,19 @@ !:mime application/zip !:ext zip/cbz -# Android APK file (Zip archive) + 0 string PK\003\004 !:strength +1 +# IOS/IPadOS IPA file (Zip archive) +# Starts with Payload (file name length = 19) +>26 uleshort 8 +>>30 string Payload IOS/iPadOS IPA file +>>>&26 search/6000 PK\003\004 +>>>>&34 string x containing %s +!:mime application/x-ios-app +!:ext ipa + +# Android APK file (Zip archive) # Starts with AndroidManifest.xml (file name length = 19) >26 uleshort 19 >>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml 
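Review bot: The comment `# Starts with Payload (file name length = 19)` in the new IPA entry was carried over from the APK entry; the test beneath it is `>26 uleshort 8`, so it should read `# Starts with Payload/ (file name length = 8)`. The member name printed by `>>>>&34 string x containing %s` is taken from the archive and is unbounded, whereas comparable lines in this file use a width such as `%-.60s`; bounding it keeps output size predictable. The description `IOS/iPadOS IPA file` also differs in capitalisation from the comment's `IOS/IPadOS`.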
@@ -1693,20 +1874,7 @@ !:ext apk >>>>>-22 string PK\005\006 >>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block -# APK Signing Block ->0 default x ->>-22 string PK\005\006 ->>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block -!:mime application/vnd.android.package-archive -!:ext apk -# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -0 string PK\005\006 Zip archive data (empty) -!:mime application/zip -!:ext zip/cbz -!:strength +1 -0 string PK\003\004 -!:strength +1 # Specialised zip formats which start with a member named 'mimetype' # (stored uncompressed, with no 'extra field') containing the file's MIME type. 
@@ -1946,18 +2114,41 @@ #>30 search/100/b application/epub+zip EPUB document #!:mime application/epub+zip -# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -# Next line excludes specialized formats: +# APK Signing Block >(26.s+30) leshort !0xcafe >>30 search/100/b !application/epub+zip ->>>26 string !\x8\0\0\0mimetype Zip archive data +>>>26 string !\x8\0\0\0mimetype +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + +# Keyman Compiled Package File (keyman.com) +# https://help.keyman.com/developer/current-version/reference/file-types/kmp +# Find start of central directory +>>>>>(-6.l) string PK\001\002 +# Scan central directory for string 'kmp.json', will suffice for a +# package containing about 150 files +>>>>>>(-6.l) search/9000 kmp.json Keyman Compiled Package File +!:mime application/vnd.keyman.kmp+zip +!:ext kmp + +# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +# Next line excludes specialized formats: +>>>>+4 default x +>>>>>4 beshort x Zip archive data, at least !:mime application/zip ->>>>4 beshort x \b, at least ->>>>4 use zipversion ->>>>4 beshort x to extract ->>>>8 beshort x \b, compression method= ->>>>8 use zipcompression ->>>>0x161 string WINZIP \b, WinZIP self-extracting +>>>>>4 use zipversion +>>>>>4 beshort x to extract +>>>>>8 beshort x \b, compression method= +>>>>>8 use zipcompression +>>>>>0x161 string WINZIP \b, WinZIP self-extracting + +# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +0 string PK\005\006 Zip archive data (empty) +!:mime application/zip +!:ext zip/cbz +!:strength +1 # StarView Metafile # From Pierre Ducroquet <pinaraf@pinaraf.info> @@ -2252,12 +2443,6 @@ 0 belong 0x1ee7ff00 EET archive !:mime application/x-eet -# rzip archives -0 string RZIP rzip compressed data ->4 byte x - version %d ->5 byte x \b.%d ->6 belong x (%d bytes) - # 
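Review bot: With the generic branch now written as `>>>>+4 default x` at the same continuation level as `>>>>-22 string PK\005\006`, any zip without an archive comment (EOCD at -22) satisfies that sibling test; if `default` fires only when no earlier test at its level matched, archives that are neither APK nor Keyman would lose the `Zip archive data, at least ...` description and its `!:mime application/zip`. Whether that happens depends on how softmagic tracks per-level matches, so it needs checking against an ordinary comment-less zip; if confirmed, a `clear` entry before the default, or keeping the generic lines at the previous level as the removed lines had them, restores the old output. Separately, `>>>>>(-6.l) string PK\001\002` holds for every non-empty zip because the EOCD offset field points at the central directory, so the `search/9000 kmp.json` scan runs on all of them rather than only on Keyman candidates.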
From: Joerg Jenderek # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php # reference: http://mark0.net/download/triddefs_xml.7z/ @@ -2605,3 +2790,23 @@ >>(12.l+12) string }}}} Electron ASAR archive !:ext asar >>>12 ulelong x \b, header length: %d bytes + +# Wasay ImageIt DataPack +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.neowin.net/forum/topic/615151-anyone-know-what-program-opens-dsi-and-wsi-files/ +# Note: Used in Acer eRecovery and Lenovo OneKey Recovery (OKR) +4 string WSVD +# bytes 3-4 are the checksum or the first 32 bytes of the file +>0 uleshort 0x40 Wasay ImageIt DataPack +>>8 uleshort x v%u +>>10 uleshort x \b.%u +>>16 lestring16/8 x \b, "%s" +>>12 uleshort x (%u) +>>32 byte x \b, created on %02d +>>33 byte x \b%02d +>>34 byte x \b/%02d +>>35 byte x \b/%02d +>>36 byte x %02d +>>37 byte x \b:%02d +>>38 byte x \b:%02d +>>56 ulelong x \b, size: %u bytes |
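Review bot: The date and time components at offsets 32-38 are read as signed `byte` and printed with `%02d`, so if any of these fields can hold a value of 0x80 or above it would print as a negative number; `ubyte` would match the unsigned `uleshort`/`ulelong` used for the other fields of this entry. The comment `# bytes 3-4 are the checksum or the first 32 bytes of the file` appears to mean `of the first 32 bytes`. A one-line comment that the `4 string WSVD` match prints nothing unless `>0 uleshort 0x40` also holds would make the two-part signature easier to follow.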
