ok
Direktori : /proc/self/root/proc/self/root/proc/self/root/proc/thread-self/root/usr/share/ |
Current File : //proc/self/root/proc/self/root/proc/self/root/proc/thread-self/root/usr/share/magic |
#------------------------------------------------------------------------------ # $File: acorn,v 1.5 2009/09/19 16:28:07 christos Exp $ # acorn: file(1) magic for files found on Acorn systems # # RISC OS Chunk File Format # From RISC OS Programmer's Reference Manual, Appendix D # We guess the file type from the type of the first chunk. 0 lelong 0xc3cbc6c5 RISC OS Chunk data >12 string OBJ_ \b, AOF object >12 string LIB_ \b, ALF library # RISC OS AIF, contains "SWI OS_Exit" at offset 16. 16 lelong 0xef000011 RISC OS AIF executable # RISC OS Draw files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Draw RISC OS Draw file data # RISC OS new format font files # From RISC OS Programmer's Reference Manual, Appendix E 0 string FONT\0 RISC OS outline font data, >5 byte x version %d 0 string FONT\1 RISC OS 1bpp font data, >5 byte x version %d 0 string FONT\4 RISC OS 4bpp font data >5 byte x version %d # RISC OS Music files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Maestro\r RISC OS music file >8 byte x version %d >8 byte x type %d # Digital Symphony data files # From: Bernard Jungen (bern8817@euphonynet.be) 0 string \x02\x01\x13\x13\x13\x01\x0d\x10 Digital Symphony sound sample (RISC OS), >8 byte x version %d, >9 pstring x named "%s", >(9.b+19) byte =0 8-bit logarithmic >(9.b+19) byte =1 LZW-compressed linear >(9.b+19) byte =2 8-bit linear signed >(9.b+19) byte =3 16-bit linear signed >(9.b+19) byte =4 SigmaDelta-compressed linear >(9.b+19) byte =5 SigmaDelta-compressed logarithmic >(9.b+19) byte >5 unknown format 0 string \x02\x01\x13\x13\x14\x12\x01\x0b Digital Symphony song (RISC OS), >8 byte x version %d, >9 byte =1 1 voice, >9 byte !1 %d voices, >10 leshort =1 1 track, >10 leshort !1 %d tracks, >12 leshort =1 1 pattern >12 leshort !1 %d patterns 0 string \x02\x01\x13\x13\x10\x14\x12\x0e >9 byte =0 Digital Symphony sequence (RISC OS), >>8 byte x version %d, >>10 byte =1 1 line, >>10 byte !1 %d lines, >>11 leshort =1 1 position >>11 leshort !1 %d positions >9 byte =1 Digital Symphony pattern data (RISC OS), >>8 byte x version %d, >>10 leshort =1 1 pattern >>10 leshort !1 %d patterns #------------------------------------------------------------------------------ # $File: adi,v 1.4 2009/09/19 16:28:07 christos Exp $ # adi: file(1) magic for ADi's objects # From Gregory McGarry <g.mcgarry@ieee.org> # 0 leshort 0x521c COFF DSP21k >18 lelong &02 executable, >18 lelong ^02 >>18 lelong &01 static object, >>18 lelong ^01 relocatable object, >18 lelong &010 stripped >18 lelong ^010 not stripped #------------------------------------------------------------------------------ # $File: adventure,v 1.13 2010/12/31 16:32:54 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin <earendil@faeryland.tamu-commerce.edu> # Edited by Dave Chapeskie <dchapes@ddm.on.ca> Jun 28, 1998 # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. 0 beshort 0x0206 ALAN game data >2 byte <10 version 2.6%d # Infocom (see z-machine) #------------------------------------------------------------------------------ # Z-machine: file(1) magic for Z-machine binaries. # Updated by Adam Buchbinder <adam.buchbinder@gmail.com> # #http://www.gnelson.demon.co.uk/zspec/sect11.html #http://www.jczorkmid.net/~jpenney/ZSpec11-latest.txt #http://en.wikipedia.org/wiki/Z-machine # The first byte is the Z-machine revision; it is always between 1 and 8. We # had false matches (for instance, inbig5.ocp from the Omega TeX extension as # well as an occasional MP3 file), so we sanity-check the version number. # # It might be possible to sanity-check the release number as well, as it seems # (at least in classic Infocom games) to always be a relatively small number, # always under 150 or so, but as this isn't rigorous, we'll wait on that until # it becomes clear that it's needed. # 0 ubyte >0 >0 ubyte <9 >>16 belong&0xfe00f0f0 0x3030 Infocom game data >>>0 ubyte x (Z-machine %d, >>>>2 ubeshort x Release %d / >>>>18 string >\0 Serial %.6s) #------------------------------------------------------------------------------ # Glulx: file(1) magic for Glulx binaries. # # I haven't checked for false matches yet. # 0 string Glul Glulx game data >4 beshort x (Version %d >>6 byte x \b.%d >>8 byte x \b.%d) >36 string Info Compiled by Inform # For Quetzal and blorb magic see iff # TADS (Text Adventure Development System) version 2 # All files are machine-independent (games compile to byte-code) and are tagged # with a version string of the form "V2.<digit>.<digit>\0". # Game files start with "TADS2 bin\n\r\032\0" then the compiler version. 0 string TADS2\ bin TADS >9 belong !0x0A0D1A00 game data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s game data # Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version. 0 string TADS2\ rsc TADS >9 belong !0x0A0D1A00 resource data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s resource data # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), # "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 >>(16.s+32) string >\0 %s saved game data # Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter # version. 0 string TADS2\ save TADS >10 belong !0x0A0D1A00 saved game data, CORRUPTED >10 belong 0x0A0D1A00 >>14 string >\0 %s saved game data # TADS (Text Adventure Development System) version 3 # Game files start with "T3-image\015\012\032" 0 string T3-image\015\012\032 >11 leshort x TADS 3 game data (format version %d) # Saved game files start with "T3-state-v####\015\012\032" # where #### is a format version number 0 string T3-state-v >14 string \015\012\032 TADS 3 saved game data (format version >>10 byte x %c >>11 byte x \b%c >>12 byte x \b%c >>13 byte x \b%c) # Danny Milosavljevic <danny.milo@gmx.net> # this are adrift (adventure game standard) game files, extension .taf # depending on version magic continues with 0x93453E6139FA (V 4.0) # 0x9445376139FA (V 3.90) # 0x9445366139FA (V 3.80) # this is from source (http://www.adrift.org.uk/) and I have some taf # files, and checked them. #0 belong 0x3C423FC9 #>4 belong 0x6A87C2CF Adrift game file #!:mime application/x-adrift #------------------------------------------------------------------------------ # $File: allegro,v 1.4 2009/09/19 16:28:07 christos Exp $ # allegro: file(1) magic for Allegro datafiles # Toby Deshane <hac@shoelace.digivill.net> # 0 belong 0x736C6821 Allegro datafile (packed) 0 belong 0x736C682E Allegro datafile (not packed/autodetect) 0 belong 0x736C682B Allegro datafile (appended exe data) #------------------------------------------------------------------------------ # $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived # instruction set, the "short" should probably become "beshort" and the # "long" should probably become "belong". # If it's the i860-based one, they should probably become either the # big-endian or little-endian versions, depending on the mode they ran # the 860 in.... # 0 short 0420 0420 Alliant virtual executable >2 short &0x0020 common library >16 long >0 not stripped 0 short 0421 0421 Alliant compact executable >2 short &0x0020 common library >16 long >0 not stripped #------------------------------------------------------------------------------ # $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $ # amanda: file(1) magic for amanda file format # 0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s >>23 string >\ DATE %s >8 string FILE\ dump file, >>13 string >\ DATE %s #------------------------------------------------------------------------------ # $File: amigaos,v 1.14 2009/09/19 16:28:07 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # # From ignatios@cs.uni-bonn.de (Ignatios Souvatzis) # 0 belong 0x000003fa AmigaOS shared library 0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary 0 belong 0x000003e7 AmigaOS object/library data # 0 beshort 0xe310 Amiga Workbench >2 beshort 1 >>48 byte 1 disk icon >>48 byte 2 drawer icon >>48 byte 3 tool icon >>48 byte 4 project icon >>48 byte 5 garbage icon >>48 byte 6 device icon >>48 byte 7 kickstart icon >>48 byte 8 workbench application icon >2 beshort >1 icon, vers. %d # # various sound formats from the Amiga # G=F6tz Waschk <waschk@informatik.uni-rostock.de> # 0 string FC14 Future Composer 1.4 Module sound file 0 string SMOD Future Composer 1.3 Module sound file 0 string AON4artofnoise Art Of Noise Module sound file 1 string MUGICIAN/SOFTEYES Mugician Module sound file 58 string SIDMON\ II\ -\ THE Sidmon 2.0 Module sound file 0 string Synth4.0 Synthesis Module sound file 0 string ARP. The Holy Noise Module sound file 0 string BeEp\0 JamCracker Module sound file 0 string COSO\0 Hippel-COSO Module sound file # Too simple (short, pure ASCII, deep), MPi #26 string V.3 Brian Postma's Soundmon Module sound file v3 #26 string BPSM Brian Postma's Soundmon Module sound file v3 #26 string V.2 Brian Postma's Soundmon Module sound file v2 # The following are from: "Stefan A. Haubenthal" <polluks@web.de> 0 beshort 0x0f00 AmigaOS bitmap font 0 beshort 0x0f03 AmigaOS outline font 0 belong 0x80001001 AmigaOS outline tag 0 string ##\ version catalog translation 0 string EMOD\0 Amiga E module 8 string ECXM\0 ECX module 0 string/c @database AmigaGuide file # Amiga disk types # 0 string RDSK Rigid Disk Block >160 string x on %.24s 0 string DOS\0 Amiga DOS disk 0 string DOS\1 Amiga FFS disk 0 string DOS\2 Amiga Inter DOS disk 0 string DOS\3 Amiga Inter FFS disk 0 string DOS\4 Amiga Fastdir DOS disk 0 string DOS\5 Amiga Fastdir FFS disk 0 string KICK Kickstart disk # From: Alex Beregszaszi <alex@fsn.hu> 0 string LZX LZX compressed archive (Amiga) #------------------------------------------------------------------------------ # $File: animation,v 1.45 2011/09/06 11:00:06 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats # MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) # FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) # SGI and Apple formats 0 string MOVI Silicon Graphics movie file !:mime video/x-sgi-movie 4 string moov Apple QuickTime !:mime video/quicktime >12 string mvhd \b movie (fast start) >12 string mdra \b URL >12 string cmov \b movie (fast start, compressed header) >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime #4 string wide Apple QuickTime movie (unoptimized) #!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) #!:mime video/quicktime 4 string idsc Apple QuickTime image (fast start) !:mime image/x-quicktime #4 string idat Apple QuickTime image (unoptimized) #!:mime image/x-quicktime 4 string pckg Apple QuickTime compressed archive !:mime application/x-quicktime-player 4 string/W jP JPEG 2000 image !:mime image/jp2 4 string ftyp ISO Media >8 string isom \b, MPEG v4 system, version 1 !:mime video/mp4 >8 string iso2 \b, MPEG v4 system, part 12 revision >8 string mp41 \b, MPEG v4 system, version 1 !:mime video/mp4 >8 string mp42 \b, MPEG v4 system, version 2 !:mime video/mp4 >8 string mp7t \b, MPEG v4 system, MPEG v7 XML >8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML >8 string/W jp2 \b, JPEG 2000 !:mime image/jp2 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp >8 string 3gg \b, MPEG v4 system, 3GPP !:mime video/3gpp >8 string 3gp \b, MPEG v4 system, 3GPP !:mime video/3gpp >8 string 3gs \b, MPEG v4 system, 3GPP !:mime video/3gpp >8 string 3g2 \b, MPEG v4 system, 3GPP2 !:mime video/3gpp2 >>11 byte 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) >8 string mmp4 \b, MPEG v4 system, 3GPP Mobile !:mime video/mp4 >8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC !:mime video/3gpp >8 string/W M4A \b, MPEG v4 system, iTunes AAC-LC !:mime audio/mp4 >8 string/W M4V \b, MPEG v4 system, iTunes AVC-LC !:mime video/mp4 >8 string/W M4P \b, MPEG v4 system, iTunes AES encrypted >8 string/W M4B \b, MPEG v4 system, iTunes bookmarked >8 string/W qt \b, Apple QuickTime movie !:mime video/quicktime # MPEG sequences # Scans for all common MPEG header start codes 0 belong 0x00000001 >4 byte&0x1F 0x07 JVT NAL sequence, H.264 video >>5 byte 66 \b, baseline >>5 byte 77 \b, main >>5 byte 88 \b, extended >>7 byte x \b @ L %u 0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence !:mime video/mpeg >>4 byte &0x40 \b, v2, program multiplex >>4 byte ^0x40 \b, v1, system multiplex >3 byte 0xBB MPEG sequence, v1/2, multiplex (missing pack header) >3 byte&0x1F 0x07 MPEG sequence, H.264 video >>4 byte 66 \b, baseline >>4 byte 77 \b, main >>4 byte 88 \b, extended >>6 byte x \b @ L %u >3 byte 0xB0 MPEG sequence, v4 !:mime video/mpeg4-generic >>5 belong 0x000001B5 >>>9 byte &0x80 >>>>10 byte&0xF0 16 \b, video >>>>10 byte&0xF0 32 \b, still texture >>>>10 byte&0xF0 48 \b, mesh >>>>10 byte&0xF0 64 \b, face >>>9 byte&0xF8 8 \b, video >>>9 byte&0xF8 16 \b, still texture >>>9 byte&0xF8 24 \b, mesh >>>9 byte&0xF8 32 \b, face >>4 byte 1 \b, simple @ L1 >>4 byte 2 \b, simple @ L2 >>4 byte 3 \b, simple @ L3 >>4 byte 4 \b, simple @ L0 >>4 byte 17 \b, simple scalable @ L1 >>4 byte 18 \b, simple scalable @ L2 >>4 byte 33 \b, core @ L1 >>4 byte 34 \b, core @ L2 >>4 byte 50 \b, main @ L2 >>4 byte 51 \b, main @ L3 >>4 byte 53 \b, main @ L4 >>4 byte 66 \b, n-bit @ L2 >>4 byte 81 \b, scalable texture @ L1 >>4 byte 97 \b, simple face animation @ L1 >>4 byte 98 \b, simple face animation @ L2 >>4 byte 99 \b, simple face basic animation @ L1 >>4 byte 100 \b, simple face basic animation @ L2 >>4 byte 113 \b, basic animation text @ L1 >>4 byte 114 \b, basic animation text @ L2 >>4 byte 129 \b, hybrid @ L1 >>4 byte 130 \b, hybrid @ L2 >>4 byte 145 \b, advanced RT simple @ L! >>4 byte 146 \b, advanced RT simple @ L2 >>4 byte 147 \b, advanced RT simple @ L3 >>4 byte 148 \b, advanced RT simple @ L4 >>4 byte 161 \b, core scalable @ L1 >>4 byte 162 \b, core scalable @ L2 >>4 byte 163 \b, core scalable @ L3 >>4 byte 177 \b, advanced coding efficiency @ L1 >>4 byte 178 \b, advanced coding efficiency @ L2 >>4 byte 179 \b, advanced coding efficiency @ L3 >>4 byte 180 \b, advanced coding efficiency @ L4 >>4 byte 193 \b, advanced core @ L1 >>4 byte 194 \b, advanced core @ L2 >>4 byte 209 \b, advanced scalable texture @ L1 >>4 byte 210 \b, advanced scalable texture @ L2 >>4 byte 211 \b, advanced scalable texture @ L3 >>4 byte 225 \b, simple studio @ L1 >>4 byte 226 \b, simple studio @ L2 >>4 byte 227 \b, simple studio @ L3 >>4 byte 228 \b, simple studio @ L4 >>4 byte 229 \b, core studio @ L1 >>4 byte 230 \b, core studio @ L2 >>4 byte 231 \b, core studio @ L3 >>4 byte 232 \b, core studio @ L4 >>4 byte 240 \b, advanced simple @ L0 >>4 byte 241 \b, advanced simple @ L1 >>4 byte 242 \b, advanced simple @ L2 >>4 byte 243 \b, advanced simple @ L3 >>4 byte 244 \b, advanced simple @ L4 >>4 byte 245 \b, advanced simple @ L5 >>4 byte 247 \b, advanced simple @ L3b >>4 byte 248 \b, FGS @ L0 >>4 byte 249 \b, FGS @ L1 >>4 byte 250 \b, FGS @ L2 >>4 byte 251 \b, FGS @ L3 >>4 byte 252 \b, FGS @ L4 >>4 byte 253 \b, FGS @ L5 >3 byte 0xB5 MPEG sequence, v4 !:mime video/mpeg4-generic >>4 byte &0x80 >>>5 byte&0xF0 16 \b, video (missing profile header) >>>5 byte&0xF0 32 \b, still texture (missing profile header) >>>5 byte&0xF0 48 \b, mesh (missing profile header) >>>5 byte&0xF0 64 \b, face (missing profile header) >>4 byte&0xF8 8 \b, video (missing profile header) >>4 byte&0xF8 16 \b, still texture (missing profile header) >>4 byte&0xF8 24 \b, mesh (missing profile header) >>4 byte&0xF8 32 \b, face (missing profile header) >3 byte 0xB3 MPEG sequence !:mime video/mpeg >>12 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong 0x000001B5 \b, v2, >>>16 byte&0x0F 1 \b HP >>>16 byte&0x0F 2 \b Spt >>>16 byte&0x0F 3 \b SNR >>>16 byte&0x0F 4 \b MP >>>16 byte&0x0F 5 \b SP >>>17 byte&0xF0 64 \b@HL >>>17 byte&0xF0 96 \b@H-14 >>>17 byte&0xF0 128 \b@ML >>>17 byte&0xF0 160 \b@LL >>>17 byte &0x08 \b progressive >>>17 byte ^0x08 \b interlaced >>>17 byte&0x06 2 \b Y'CbCr 4:2:0 video >>>17 byte&0x06 4 \b Y'CbCr 4:2:2 video >>>17 byte&0x06 6 \b Y'CbCr 4:4:4 video >>11 byte &0x02 >>>75 byte &0x01 >>>>140 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>>>140 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>>>140 belong 0x000001B5 \b, v2, >>>>>144 byte&0x0F 1 \b HP >>>>>144 byte&0x0F 2 \b Spt >>>>>144 byte&0x0F 3 \b SNR >>>>>144 byte&0x0F 4 \b MP >>>>>144 byte&0x0F 5 \b SP >>>>>145 byte&0xF0 64 \b@HL >>>>>145 byte&0xF0 96 \b@H-14 >>>>>145 byte&0xF0 128 \b@ML >>>>>145 byte&0xF0 160 \b@LL >>>>>145 byte &0x08 \b progressive >>>>>145 byte ^0x08 \b interlaced >>>>>145 byte&0x06 2 \b Y'CbCr 4:2:0 video >>>>>145 byte&0x06 4 \b Y'CbCr 4:2:2 video >>>>>145 byte&0x06 6 \b Y'CbCr 4:4:4 video >>76 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>76 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>76 belong 0x000001B5 \b, v2, >>>80 byte&0x0F 1 \b HP >>>80 byte&0x0F 2 \b Spt >>>80 byte&0x0F 3 \b SNR >>>80 byte&0x0F 4 \b MP >>>80 byte&0x0F 5 \b SP >>>81 byte&0xF0 64 \b@HL >>>81 byte&0xF0 96 \b@H-14 >>>81 byte&0xF0 128 \b@ML >>>81 byte&0xF0 160 \b@LL >>>81 byte &0x08 \b progressive >>>81 byte ^0x08 \b interlaced >>>81 byte&0x06 2 \b Y'CbCr 4:2:0 video >>>81 byte&0x06 4 \b Y'CbCr 4:2:2 video >>>81 byte&0x06 6 \b Y'CbCr 4:4:4 video >>4 belong&0xFFFFFF00 0x78043800 \b, HD-TV 1920P >>>7 byte&0xF0 0x10 \b, 16:9 >>4 belong&0xFFFFFF00 0x50002D00 \b, SD-TV 1280I >>>7 byte&0xF0 0x10 \b, 16:9 >>4 belong&0xFFFFFF00 0x30024000 \b, PAL Capture >>>7 byte&0xF0 0x10 \b, 4:3 >>4 beshort&0xFFF0 0x2C00 \b, 4CIF >>>5 beshort&0x0FFF 0x01E0 \b NTSC >>>5 beshort&0x0FFF 0x0240 \b PAL >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>>7 byte&0xF0 0x80 \b, PAL 4:3 >>>7 byte&0xF0 0xC0 \b, NTSC 4:3 >>4 belong&0xFFFFFF00 0x2801E000 \b, LD-TV 640P >>>7 byte&0xF0 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 0x1400F000 \b, 320x240 >>>7 byte&0xF0 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 0x0F00A000 \b, 240x160 >>>7 byte&0xF0 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 0x0A007800 \b, 160x120 >>>7 byte&0xF0 0x10 \b, 4:3 >>4 beshort&0xFFF0 0x1600 \b, CIF >>>5 beshort&0x0FFF 0x00F0 \b NTSC >>>5 beshort&0x0FFF 0x0120 \b PAL >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>>7 byte&0xF0 0x80 \b, PAL 4:3 >>>7 byte&0xF0 0xC0 \b, NTSC 4:3 >>>5 beshort&0x0FFF 0x0240 \b PAL 625 >>>>7 byte&0xF0 0x20 \b, 4:3 >>>>7 byte&0xF0 0x30 \b, 16:9 >>>>7 byte&0xF0 0x40 \b, 11:5 >>4 beshort&0xFFF0 0x2D00 \b, CCIR/ITU >>>5 beshort&0x0FFF 0x01E0 \b NTSC 525 >>>5 beshort&0x0FFF 0x0240 \b PAL 625 >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>4 beshort&0xFFF0 0x1E00 \b, SVCD >>>5 beshort&0x0FFF 0x01E0 \b NTSC 525 >>>5 beshort&0x0FFF 0x0240 \b PAL 625 >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>7 byte&0x0F 1 \b, 23.976 fps >>7 byte&0x0F 2 \b, 24 fps >>7 byte&0x0F 3 \b, 25 fps >>7 byte&0x0F 4 \b, 29.97 fps >>7 byte&0x0F 5 \b, 30 fps >>7 byte&0x0F 6 \b, 50 fps >>7 byte&0x0F 7 \b, 59.94 fps >>7 byte&0x0F 8 \b, 60 fps >>11 byte &0x04 \b, Constrained # MPEG ADTS Audio (*.mpx/mxa/aac) # from dreesen@math.fu-berlin.de # modified to fully support MPEG ADTS # MP3, M1A # modified by Joerg Jenderek # GRR the original test are too common for many DOS files # so don't accept as MP3 until we've tested the rate 0 beshort&0xFFFE 0xFFFA # rates >2 byte&0xF0 0x10 MPEG ADTS, layer III, v1, 32 kbps !:mime audio/mpeg >2 byte&0xF0 0x20 MPEG ADTS, layer III, v1, 40 kbps !:mime audio/mpeg >2 byte&0xF0 0x30 MPEG ADTS, layer III, v1, 48 kbps !:mime audio/mpeg >2 byte&0xF0 0x40 MPEG ADTS, layer III, v1, 56 kbps !:mime audio/mpeg >2 byte&0xF0 0x50 MPEG ADTS, layer III, v1, 64 kbps !:mime audio/mpeg >2 byte&0xF0 0x60 MPEG ADTS, layer III, v1, 80 kbps !:mime audio/mpeg >2 byte&0xF0 0x70 MPEG ADTS, layer III, v1, 96 kbps !:mime audio/mpeg >2 byte&0xF0 0x80 MPEG ADTS, layer III, v1, 112 kbps !:mime audio/mpeg >2 byte&0xF0 0x90 MPEG ADTS, layer III, v1, 128 kbps !:mime audio/mpeg >2 byte&0xF0 0xA0 MPEG ADTS, layer III, v1, 160 kbps !:mime audio/mpeg >2 byte&0xF0 0xB0 MPEG ADTS, layer III, v1, 192 kbps !:mime audio/mpeg >2 byte&0xF0 0xC0 MPEG ADTS, layer III, v1, 224 kbps !:mime audio/mpeg >2 byte&0xF0 0xD0 MPEG ADTS, layer III, v1, 256 kbps !:mime audio/mpeg >2 byte&0xF0 0xE0 MPEG ADTS, layer III, v1, 320 kbps !:mime audio/mpeg # timing >2 byte&0x0C 0x00 \b, 44.1 kHz >2 byte&0x0C 0x04 \b, 48 kHz >2 byte&0x0C 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M1A 0 beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1 !:mime audio/mpeg # rates >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 48 kbps >2 byte&0xF0 0x30 \b, 56 kbps >2 byte&0xF0 0x40 \b, 64 kbps >2 byte&0xF0 0x50 \b, 80 kbps >2 byte&0xF0 0x60 \b, 96 kbps >2 byte&0xF0 0x70 \b, 112 kbps >2 byte&0xF0 0x80 \b, 128 kbps >2 byte&0xF0 0x90 \b, 160 kbps >2 byte&0xF0 0xA0 \b, 192 kbps >2 byte&0xF0 0xB0 \b, 224 kbps >2 byte&0xF0 0xC0 \b, 256 kbps >2 byte&0xF0 0xD0 \b, 320 kbps >2 byte&0xF0 0xE0 \b, 384 kbps # timing >2 byte&0x0C 0x00 \b, 44.1 kHz >2 byte&0x0C 0x04 \b, 48 kHz >2 byte&0x0C 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M1A # updated by Joerg Jenderek # GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 # GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE) # FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries #0 beshort&0xFFFE 0xFFFE #>2 ubyte&0xF0 >0x0F #>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1 ## rate #>>>2 byte&0xF0 0x10 \b, 32 kbps #>>>2 byte&0xF0 0x20 \b, 64 kbps #>>>2 byte&0xF0 0x30 \b, 96 kbps #>>>2 byte&0xF0 0x40 \b, 128 kbps #>>>2 byte&0xF0 0x50 \b, 160 kbps #>>>2 byte&0xF0 0x60 \b, 192 kbps #>>>2 byte&0xF0 0x70 \b, 224 kbps #>>>2 byte&0xF0 0x80 \b, 256 kbps #>>>2 byte&0xF0 0x90 \b, 288 kbps #>>>2 byte&0xF0 0xA0 \b, 320 kbps #>>>2 byte&0xF0 0xB0 \b, 352 kbps #>>>2 byte&0xF0 0xC0 \b, 384 kbps #>>>2 byte&0xF0 0xD0 \b, 416 kbps #>>>2 byte&0xF0 0xE0 \b, 448 kbps ## timing #>>>2 byte&0x0C 0x00 \b, 44.1 kHz #>>>2 byte&0x0C 0x04 \b, 48 kHz #>>>2 byte&0x0C 0x08 \b, 32 kHz ## channels/options #>>>3 byte&0xC0 0x00 \b, Stereo #>>>3 byte&0xC0 0x40 \b, JntStereo #>>>3 byte&0xC0 0x80 \b, 2x Monaural #>>>3 byte&0xC0 0xC0 \b, Monaural ##>1 byte ^0x01 \b, Data Verify ##>2 byte &0x02 \b, Packet Pad ##>2 byte &0x01 \b, Custom Flag ##>3 byte &0x08 \b, Copyrighted ##>3 byte &0x04 \b, Original Source ##>3 byte&0x03 1 \b, NR: 50/15 ms ##>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M2A 0 beshort&0xFFFE 0xFFF2 MPEG ADTS, layer III, v2 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps >2 byte&0xF0 0x60 \b, 48 kbps >2 byte&0xF0 0x70 \b, 56 kbps >2 byte&0xF0 0x80 \b, 64 kbps >2 byte&0xF0 0x90 \b, 80 kbps >2 byte&0xF0 0xA0 \b, 96 kbps >2 byte&0xF0 0xB0 \b, 112 kbps >2 byte&0xF0 0xC0 \b, 128 kbps >2 byte&0xF0 0xD0 \b, 144 kbps >2 byte&0xF0 0xE0 \b, 160 kbps # timing >2 byte&0x0C 0x00 \b, 22.05 kHz >2 byte&0x0C 0x04 \b, 24 kHz >2 byte&0x0C 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps >2 byte&0xF0 0x60 \b, 48 kbps >2 byte&0xF0 0x70 \b, 56 kbps >2 byte&0xF0 0x80 \b, 64 kbps >2 byte&0xF0 0x90 \b, 80 kbps >2 byte&0xF0 0xA0 \b, 96 kbps >2 byte&0xF0 0xB0 \b, 112 kbps >2 byte&0xF0 0xC0 \b, 128 kbps >2 byte&0xF0 0xD0 \b, 144 kbps >2 byte&0xF0 0xE0 \b, 160 kbps # timing >2 byte&0x0C 0x00 \b, 22.05 kHz >2 byte&0x0C 0x04 \b, 24 kHz >2 byte&0x0C 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M2A 0 beshort&0xFFFE 0xFFF6 MPEG ADTS, layer I, v2 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 48 kbps >2 byte&0xF0 0x30 \b, 56 kbps >2 byte&0xF0 0x40 \b, 64 kbps >2 byte&0xF0 0x50 \b, 80 kbps >2 byte&0xF0 0x60 \b, 96 kbps >2 byte&0xF0 0x70 \b, 112 kbps >2 byte&0xF0 0x80 \b, 128 kbps >2 byte&0xF0 0x90 \b, 144 kbps >2 byte&0xF0 0xA0 \b, 160 kbps >2 byte&0xF0 0xB0 \b, 176 kbps >2 byte&0xF0 0xC0 \b, 192 kbps >2 byte&0xF0 0xD0 \b, 224 kbps >2 byte&0xF0 0xE0 \b, 256 kbps # timing >2 byte&0x0C 0x00 \b, 22.05 kHz >2 byte&0x0C 0x04 \b, 24 kHz >2 byte&0x0C 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M25A 0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps >2 byte&0xF0 0x60 \b, 48 kbps >2 byte&0xF0 0x70 \b, 56 kbps >2 byte&0xF0 0x80 \b, 64 kbps >2 byte&0xF0 0x90 \b, 80 kbps >2 byte&0xF0 0xA0 \b, 96 kbps >2 byte&0xF0 0xB0 \b, 112 kbps >2 byte&0xF0 0xC0 \b, 128 kbps >2 byte&0xF0 0xD0 \b, 144 kbps >2 byte&0xF0 0xE0 \b, 160 kbps # timing >2 byte&0x0C 0x00 \b, 11.025 kHz >2 byte&0x0C 0x04 \b, 12 kHz >2 byte&0x0C 0x08 \b, 8 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # AAC (aka MPEG-2 NBC audio) and MPEG-4 audio # Stored AAC streams (instead of the MP4 format) 0 string ADIF MPEG ADIF, AAC !:mime audio/x-hx-aac-adif >4 byte &0x80 >>13 byte &0x10 \b, VBR >>13 byte ^0x10 \b, CBR >>16 byte&0x1E 0x02 \b, single stream >>16 byte&0x1E 0x04 \b, 2 streams >>16 byte&0x1E 0x06 \b, 3 streams >>16 byte &0x08 \b, 4 or more streams >>16 byte &0x10 \b, 8 or more streams >>4 byte &0x80 \b, Copyrighted >>13 byte &0x40 \b, Original Source >>13 byte &0x20 \b, Home Flag >4 byte ^0x80 >>4 byte &0x10 \b, VBR >>4 byte ^0x10 \b, CBR >>7 byte&0x1E 0x02 \b, single stream >>7 byte&0x1E 0x04 \b, 2 streams >>7 byte&0x1E 0x06 \b, 3 streams >>7 byte &0x08 \b, 4 or more streams >>7 byte &0x10 \b, 8 or more streams >>4 byte &0x40 \b, Original Stream(s) >>4 byte &0x20 \b, Home Source # Live or stored single AAC stream (used with MPEG-2 systems) 0 beshort&0xFFF6 0xFFF0 MPEG ADTS, AAC !:mime audio/x-hx-aac-adts >1 byte &0x08 \b, v2 >1 byte ^0x08 \b, v4 # profile >>2 byte &0xC0 \b LTP >2 byte&0xc0 0x00 \b Main >2 byte&0xc0 0x40 \b LC >2 byte&0xc0 0x80 \b SSR # timing >2 byte&0x3c 0x00 \b, 96 kHz >2 byte&0x3c 0x04 \b, 88.2 kHz >2 byte&0x3c 0x08 \b, 64 kHz >2 byte&0x3c 0x0c \b, 48 kHz >2 byte&0x3c 0x10 \b, 44.1 kHz >2 byte&0x3c 0x14 \b, 32 kHz >2 byte&0x3c 0x18 \b, 24 kHz >2 byte&0x3c 0x1c \b, 22.05 kHz >2 byte&0x3c 0x20 \b, 16 kHz >2 byte&0x3c 0x24 \b, 12 kHz >2 byte&0x3c 0x28 \b, 11.025 kHz >2 byte&0x3c 0x2c \b, 8 kHz # channels >2 beshort&0x01c0 0x0040 \b, monaural >2 beshort&0x01c0 0x0080 \b, stereo >2 beshort&0x01c0 0x00c0 \b, stereo + center >2 beshort&0x01c0 0x0100 \b, stereo+center+LFE >2 beshort&0x01c0 0x0140 \b, surround >2 beshort&0x01c0 0x0180 \b, surround + LFE >2 beshort &0x01C0 \b, surround + side #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Custom Flag #>3 byte &0x20 \b, Original Stream #>3 byte &0x10 \b, Home Source #>3 byte &0x08 \b, Copyrighted # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm #>1 beshort&0x1FFF x \b, %u byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams >>4 byte&0x3C 0x0C \b, 3 streams >>4 byte &0x08 \b, 4 or more streams >>4 byte &0x20 \b, 8 or more streams >3 byte&0xC0 0 >>4 byte&0x78 0x08 \b, single stream >>4 byte&0x78 0x10 \b, 2 streams >>4 byte&0x78 0x18 \b, 3 streams >>4 byte &0x20 \b, 4 or more streams >>4 byte &0x40 \b, 8 or more streams # This magic isn't strong enough (matches plausible ISO-8859-1 text) #0 beshort 0x4DE1 MPEG-4 LO-EP audio stream #!:mime audio/x-mp4a-latm # Summary: FLI animation format # Created by: Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection) 4 leshort 0xAF11 # standard FLI always has 320x200 resolution and 8 bit color >8 leshort 320 >>10 leshort 200 >>>12 leshort 8 FLI animation, 320x200x8 !:mime video/x-fli >>>>6 leshort x \b, %d frames # frame speed is multiple of 1/70s >>>>16 leshort x \b, %d/70s per frame # Summary: FLC animation format # Created by: Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection) 4 leshort 0xAF12 # standard FLC always use 8 bit color >12 leshort 8 FLC animation !:mime video/x-flc >>8 leshort x \b, %d >>10 leshort x \bx%dx8 >>6 uleshort x \b, %d frames >>16 uleshort x \b, %dms per frame # DL animation format # XXX - collision with most `mips' magic # # I couldn't find a real magic number for these, however, this # -appears- to work. Note that it might catch other files, too, so be # careful! # # Note that title and author appear in the two 20-byte chunks # at decimal offsets 2 and 22, respectively, but they are XOR'ed with # 255 (hex FF)! The DL format is really bad. # #0 byte 1 DL version 1, medium format (160x100, 4 images/screen) #!:mime video/x-unknown #>42 byte x - %d screens, #>43 byte x %d commands #0 byte 2 DL version 2 #!:mime video/x-unknown #>1 byte 1 - large format (320x200,1 image/screen), #>1 byte 2 - medium format (160x100,4 images/screen), #>1 byte >2 - unknown format, #>42 byte x %d screens, #>43 byte x %d commands # Based on empirical evidence, DL version 3 have several nulls following the # \003. Most of them start with non-null values at hex offset 0x34 or so. #0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3 # iso 13818 transport stream # # from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 (ISO 13818.1) # (the following is a little bit restrictive and works fine for a stream # that starts with PAT properly. it won't work for stream data, that is # cut from an input device data right in the middle, but this shouldn't # disturb) # syncbyte 8 bit 0x47 # error_ind 1 bit - # payload_start 1 bit 1 # priority 1 bit - # PID 13 bit 0x0000 # scrambling 2 bit - # adaptfld_ctrl 2 bit 1 or 3 # conti_count 4 bit 0 0 belong&0xFF5FFF1F 0x47400010 MPEG transport stream data >188 byte !0x47 CORRUPTED # DIF digital video file format <mpruett@sgi.com> 0 belong&0xffffff00 0x1f070000 DIF >4 byte &0x01 (DVCPRO) movie file >4 byte ^0x01 (DV) movie file >3 byte &0x80 (PAL) >3 byte ^0x80 (NTSC) # Microsoft Advanced Streaming Format (ASF) <mpruett@sgi.com> 0 belong 0x3026b275 Microsoft ASF !:mime video/x-ms-asf # MNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/> 0 string \x8aMNG MNG video data, !:mime video/x-mng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %ld x >>20 belong x %ld # JNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/> 0 string \x8bJNG JNG video data, !:mime video/x-jng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %ld x >>20 belong x %ld # Vivo video (Wolfram Kleff) 3 string \x0D\x0AVersion:Vivo Vivo video data # VRML (Virtual Reality Modelling Language) 0 string/w #VRML\ V1.0\ ascii VRML 1 file !:mime model/vrml 0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file !:mime model/vrml # X3D (Extensible 3D) [http://www.web3d.org/specifications/x3d-3.0.dtd] # From Michel Briand <michelbriand@free.fr> 0 string/t \<?xml\ version=" !:strength +1 >20 search/1000/cw \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text !:mime model/x3d #--------------------------------------------------------------------------- # HVQM4: compressed movie format designed by Hudson for Nintendo GameCube # From Mark Sheppard <msheppard@climax.co.uk>, 2002-10-03 # 0 string HVQM4 %s >6 string >\0 v%s >0 byte x GameCube movie, >0x34 ubeshort x %d x >0x36 ubeshort x %d, >0x26 ubeshort x %dµs, >0x42 ubeshort 0 no audio >0x42 ubeshort >0 %dHz audio # From: "Stefan A. Haubenthal" <polluks@web.de> 0 string DVDVIDEO-VTS Video title set, >0x21 byte x v%x 0 string DVDVIDEO-VMG Video manager, >0x21 byte x v%x # From: Behan Webster <behanw@websterwood.com> # NuppelVideo used by Mythtv (*.nuv) # Note: there are two identical stanzas here differing only in the # initial string matched. It used to be done with a regex, but we're # trying to get rid of those. 0 string NuppelVideo MythTV NuppelVideo >12 string x v%s >20 lelong x (%d >24 lelong x \bx%d), >36 string P \bprogressive, >36 string I \binterlaced, >40 ledouble x \baspect:%.2f, >48 ledouble x \bfps:%.2f 0 string MythTV MythTV NuppelVideo >12 string x v%s >20 lelong x (%d >24 lelong x \bx%d), >36 string P \bprogressive, >36 string I \binterlaced, >40 ledouble x \baspect:%.2f, >48 ledouble x \bfps:%.2f # MPEG file # MPEG sequences # FIXME: This section is from the old magic.mime file and needs integrating with the rest 0 belong 0x000001BA >4 byte &0x40 !:mime video/mp2p >4 byte ^0x40 !:mime video/mpeg 0 belong 0x000001BB !:mime video/mpeg 0 belong 0x000001B0 !:mime video/mp4v-es 0 belong 0x000001B5 !:mime video/mp4v-es 0 belong 0x000001B3 !:mime video/mpv 0 belong&0xFF5FFF1F 0x47400010 !:mime video/mp2t 0 belong 0x00000001 >4 byte&0x1F 0x07 !:mime video/h264 # Type: Bink Video # Extension: .bik # URL: http://wiki.multimedia.cx/index.php?title=Bink_Container # From: <hoehle@users.sourceforge.net> 2008-07-18 0 string BIK Bink Video >3 regex =[a-z] rev.%s #>4 ulelong x size %d >20 ulelong x \b, %d >24 ulelong x \bx%d >8 ulelong x \b, %d frames >32 ulelong x at rate %d/ >28 ulelong >1 \b%d >40 ulelong =0 \b, no audio >40 ulelong !0 \b, %d audio track >>40 ulelong !1 \bs # follow properties of the first audio track only >>48 uleshort x %dHz >>51 byte&0x20 0 mono >>51 byte&0x20 !0 stereo #>>51 byte&0x10 0 FFT #>>51 byte&0x10 !0 DCT # Type: NUT Container # URL: http://wiki.multimedia.cx/index.php?title=NUT # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string nut/multimedia\ container\0 NUT multimedia container # Type: Nullsoft Video (NSV) # URL: http://wiki.multimedia.cx/index.php?title=Nullsoft_Video # From: Mike Melanson <mike@multimedia.cx> 0 string NSVf Nullsoft Video # Type: REDCode Video # URL: http://www.red.com/ ; http://wiki.multimedia.cx/index.php?title=REDCode # From: Mike Melanson <mike@multimedia.cx> 4 string RED1 REDCode Video # Type: MTV Multimedia File # URL: http://wiki.multimedia.cx/index.php?title=MTV # From: Mike Melanson <mike@multimedia.cx> 0 string AMVS MTV Multimedia File # Type: ARMovie # URL: http://wiki.multimedia.cx/index.php?title=ARMovie # From: Mike Melanson <mike@multimedia.cx> 0 string ARMovie\012 ARMovie # Type: Interplay MVE Movie # URL: http://wiki.multimedia.cx/index.php?title=Interplay_MVE # From: Mike Melanson <mike@multimedia.cx> 0 string Interplay\040MVE\040File\032 Interplay MVE Movie # Type: Windows Television DVR File # URL: http://wiki.multimedia.cx/index.php?title=WTV # From: Mike Melanson <mike@mutlimedia.cx> # This takes the form of a Windows-style GUID 0 bequad 0xB7D800203749DA11 >8 bequad 0xA64E0007E95EAD8D Windows Television DVR Media # Type: Sega FILM/CPK Multimedia # URL: http://wiki.multimedia.cx/index.php?title=Sega_FILM # From: Mike Melanson <mike@multimedia.cx> 0 string FILM Sega FILM/CPK Multimedia, >32 belong x %d x >28 belong x %d # Type: Nintendo THP Multimedia # URL: http://wiki.multimedia.cx/index.php?title=THP # From: Mike Melanson <mike@multimedia.cx> 0 string THP\0 Nintendo THP Multimedia # Type: BBC Dirac Video # URL: http://wiki.multimedia.cx/index.php?title=Dirac # From: Mike Melanson <mike@multimedia.cx> 0 string BBCD BBC Dirac Video # Type: RAD Game Tools Smacker Multimedia # URL: http://wiki.multimedia.cx/index.php?title=Smacker # From: Mike Melanson <mike@multimedia.cx> 0 string SMK RAD Game Tools Smacker Multimedia >3 byte x version %c, >4 lelong x %d x >8 lelong x %d, >12 lelong x %d frames #------------------------------------------------------------------------------ # $File: apl,v 1.6 2009/09/19 16:28:07 christos Exp $ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long 0100554 APL workspace (Ken's original?) #------------------------------------------------------------------------------ # $File: apple,v 1.24 2010/11/25 15:00:12 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 0 string \x0aGL Binary II (apple ][) data 0 string \x76\xff Squeezed (apple ][) data 0 string NuFile NuFile archive (apple ][) data 0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file # Type: Apple Emulator 2IMG format # From: Radek Vokal <rvokal@redhat.com> 0 string 2IMG Apple ][ 2IMG Disk Image >4 string XGS! \b, XGS >4 string CTKG \b, Catakig >4 string ShIm \b, Sheppy's ImageMaker >4 string WOOF \b, Sweet 16 >4 string B2TR \b, Bernie ][ the Rescue >4 string !nfc \b, ASIMOV2 >4 string x \b, Unknown Format >0xc byte 00 \b, DOS 3.3 sector order >>0x10 byte 00 \b, Volume 254 >>0x10 byte&0x7f x \b, Volume %u >0xc byte 01 \b, ProDOS sector order >>0x14 short x \b, %u Blocks >0xc byte 02 \b, NIB data # magic for Newton PDA package formats # from Ruda Moura <ruda@helllabs.org> 0 string package0 Newton package, NOS 1.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d 0 string package1 Newton package, NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d 0 string package4 Newton package, >8 byte 8 NOS 1.x, >8 byte 9 NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, # The following entries for the Apple II are for files that have # been transferred as raw binary data from an Apple, without having # been encapsulated by any of the above archivers. # # In general, Apple II formats are hard to identify because Apple DOS # and especially Apple ProDOS have strong typing in the file system and # therefore programmers never felt much need to include type information # in the files themselves. # # Eric Fischer <enf@pobox.com> # AppleWorks word processor: # # This matches the standard tab stops for an AppleWorks file, but if # a file has a tab stop set in the first four columns this will fail. # # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. 4 string O==== AppleWorks word processor data >85 byte&0x01 >0 \b, zoomed >90 byte&0x01 >0 \b, paginated >92 byte&0x01 >0 \b, with mail merge #>91 byte x \b, left margin %d # AppleWorks database: # # This isn't really a magic number, but it's the closest thing to one # that I could find. The 1 and 2 really mean "order in which you defined # categories" and "left to right, top to bottom," respectively; the D and R # mean that the cursor should move either down or right when you press Return. #30 string \x01D AppleWorks database data #30 string \x02D AppleWorks database data #30 string \x01R AppleWorks database data #30 string \x02R AppleWorks database data # AppleWorks spreadsheet: # # Likewise, this isn't really meant as a magic number. The R or C means # row- or column-order recalculation; the A or M means automatic or manual # recalculation. #131 string RA AppleWorks spreadsheet data #131 string RM AppleWorks spreadsheet data #131 string CA AppleWorks spreadsheet data #131 string CM AppleWorks spreadsheet data # Applesoft BASIC: # # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. 0 belong&0xff00ff 0x80000 Applesoft BASIC program data #>2 leshort x \b, first line number %d # ORCA/EZ assembler: # # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data #>5 byte x \b, build number %d # Broderbund Fantavision # # I don't know what these values really mean, but they seem to recur. # Will they cause too many conflicts? # Probably :-) #2 belong&0xFF00FF 0x040008 Fantavision movie data # Some attempts at images. # # These are actually just bit-for-bit dumps of the frame buffer, so # there's really no reasonably way to distinguish them except for their # address (if preserved) -- 8192 or 16384 -- and their length -- 8192 # or, occasionally, 8184. # # Nevertheless this will manage to catch a lot of images that happen # to have a solid-colored line at the bottom of the screen. # GRR: Magic too weak #8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background #8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background #8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background #8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background #8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background # Beagle Bros. Apple Mechanic fonts 0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font # Apple Universal Disk Image Format (UDIF) - dmg files. # From Johan Gade. # These entries are disabled for now until we fix the following issues. # # Note there might be some problems with the "VAX COFF executable" # entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # # The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # # Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson <toby@apple.com> 0 string bplist00 Apple binary property list # Apple binary property list (bplist) # Assumes version bytes are hex. # Provides content hints for version 0 files. Assumes that the root # object is the first object (true for CoreFoundation implementation). # From: David Remahl <dremahl@apple.com> 0 string bplist >6 byte x \bCoreFoundation binary property list data, version 0x%c >>7 byte x \b%c >6 string 00 \b >>8 byte&0xF0 0x00 \b >>>8 byte&0x0F 0x00 \b, root type: null >>>8 byte&0x0F 0x08 \b, root type: false boolean >>>8 byte&0x0F 0x09 \b, root type: true boolean >>8 byte&0xF0 0x10 \b, root type: integer >>8 byte&0xF0 0x20 \b, root type: real >>8 byte&0xF0 0x30 \b, root type: date >>8 byte&0xF0 0x40 \b, root type: data >>8 byte&0xF0 0x50 \b, root type: ascii string >>8 byte&0xF0 0x60 \b, root type: unicode string >>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) >>8 byte&0xF0 0xa0 \b, root type: array >>8 byte&0xF0 0xd0 \b, root type: dictionary # Apple/NeXT typedstream data # Serialization format used by NeXT and Apple for various # purposes in YellowStep/Cocoa, including some nib files. # From: David Remahl <dremahl@apple.com> 2 string typedstream NeXT/Apple typedstream data, big endian >0 byte x \b, version %hhd >0 byte <5 \b >>13 byte 0x81 \b >>>14 ubeshort x \b, system %hd 2 string streamtyped NeXT/Apple typedstream data, little endian >0 byte x \b, version %hhd >0 byte <5 \b >>13 byte 0x81 \b >>>14 uleshort x \b, system %hd #------------------------------------------------------------------------------ # CAF: Apple CoreAudio File Format # # Container format for high-end audio purposes. # From: David Remahl <dremahl@apple.com> # 0 string caff CoreAudio Format audio file >4 beshort <10 version %d >6 beshort x #------------------------------------------------------------------------------ # Keychain database files 0 string kych Mac OS X Keychain File #------------------------------------------------------------------------------ # Code Signing related file types 0 belong 0xfade0c00 Mac OS X Code Requirement >8 belong 1 (opExpr) >4 belong x - %d bytes 0 belong 0xfade0c01 Mac OS X Code Requirement Set >8 belong >1 containing %d items >4 belong x - %d bytes 0 belong 0xfade0c02 Mac OS X Code Directory >8 belong x version %x >12 belong >0 flags 0x%x >4 belong x - %d bytes 0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) >4 belong x - %d bytes 0 belong 0xfade0cc1 Mac OS X Detached Code Signature >8 belong >1 (%d elements) >4 belong x - %d bytes # From: "Nelson A. de Oliveira" <naoliv@gmail.com> # .vdi 4 string innotek\ VirtualBox\ Disk\ Image %s #------------------------------------------------------------------------------ # $File: applix,v 1.5 2009/09/19 16:28:08 christos Exp $ # applix: file(1) magic for Applixware # From: Peter Soos <sp@osb.hu> # 0 string *BEGIN Applixware >7 string WORDS Words Document >7 string GRAPHICS Graphic >7 string RASTER Bitmap >7 string SPREADSHEETS Spreadsheet >7 string MACRO Macro >7 string BUILDER Builder Object #------------------------------------------------------------------------------ # $File: archive,v 1.70 2011/10/26 15:44:47 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. # pre-POSIX "tar" archives are handled in the C code. # POSIX tar archives 257 string ustar\0 POSIX tar archive !:mime application/x-tar # encoding: posix 257 string ustar\040\040\0 GNU tar archive !:mime application/x-tar # encoding: gnu # Incremental snapshot gnu-tar format from: # http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html 0 string GNU\ tar- GNU tar incremental snapshot data >&0 regex [0-9]\.[0-9]+-[0-9]+ version %s # cpio archives # # Yes, the top two "cpio archive" formats *are* supposed to just be "short". # The idea is to indicate archives produced on machines with the same # byte order as the machine running "file" with "cpio archive", and # to indicate archives produced on machines with the opposite byte order # from the machine running "file" with "byte-swapped cpio archive". # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. 0 short 070707 cpio archive !:mime application/x-cpio 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) 0 string 070701 ASCII cpio archive (SVR4 with no CRC) 0 string 070702 ASCII cpio archive (SVR4 with CRC) # Debian package (needs to go before regular portable archives) # 0 string =!<arch>\ndebian !:mime application/x-debian-package >8 string debian-split part of multipart Debian package >8 string debian-binary Debian binary package >8 string !debian >68 string >\0 (format %s) # These next two lines do not work, because a bzip2 Debian archive # still uses gzip for the control.tar (first in the archive). Only # data.tar varies, and the location of its filename varies too. # file/libmagic does not current have support for ascii-string based # (offsets) as of 2005-09-15. #>81 string bz2 \b, uses bzip2 compression #>84 string gz \b, uses gzip compression #>136 ledate x created: %s # other archives 0 long 0177555 very old archive 0 short 0177555 very old PDP-11 archive 0 long 0177545 old archive 0 short 0177545 old PDP-11 archive 0 long 0100554 apl workspace 0 string =<ar> archive !:mime application/x-archive # MIPS archive (needs to go before regular portable archives) # 0 string =!<arch>\n__________E MIPS archive >20 string U with MIPS Ucode members >21 string L with MIPSEL members >21 string B with MIPSEB members >19 string L and an EL hash table >19 string B and an EB hash table >22 string X -- out of date 0 search/1 -h- Software Tools format archive text # # XXX - why are there multiple <ar> thingies? Note that 0x213c6172 is # "!<ar", so, for new-style (4.xBSD/SVR2andup) archives, we have: # # 0 string =!<arch> current ar archive # 0 long 0x213c6172 archive file # # and for SVR1 archives, we have: # # 0 string \<ar> System V Release 1 ar archive # 0 string =<ar> archive # # XXX - did Aegis really store shared libraries, breakpointed modules, # and absolute code program modules in the same format as new-style # "ar" archives? # 0 string =!<arch> current ar archive !:mime application/x-archive >8 string __.SYMDEF random library >0 belong =65538 - pre SR9.5 >0 belong =65539 - post SR9.5 >0 beshort 2 - object archive >0 beshort 3 - shared library module >0 beshort 4 - debug break-pointed module >0 beshort 5 - absolute code program module 0 string \<ar> System V Release 1 ar archive 0 string =<ar> archive # # XXX - from "vax", which appears to collect a bunch of byte-swapped # thingies, to help you recognize VAX files on big-endian machines; # with "leshort", "lelong", and "string", that's no longer necessary.... # 0 belong 0x65ff0000 VAX 3.0 archive 0 belong 0x3c61723e VAX 5.0 archive # 0 long 0x213c6172 archive file 0 lelong 0177555 very old VAX archive 0 leshort 0177555 very old PDP-11 archive # # XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus # be a random library (it said 0xff65 rather than 0177545). # 0 lelong 0177545 old VAX archive >8 string __.SYMDEF random library 0 leshort 0177545 old PDP-11 archive >8 string __.SYMDEF random library # # From "pdp" (but why a 4-byte quantity?) # 0 lelong 0x39bed PDP-11 old archive 0 lelong 0x39bee PDP-11 4.0 archive # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) # # The first byte is the magic (0x1a), byte 2 is the compression type for # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS # filename of the first file (null terminated). Since some types collide # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW !:mime application/x-arc 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched !:mime application/x-arc # [JW] stuff taken from idarc, obviously ARC successors: 0 lelong&0x8080ffff 0x00000a1a PAK archive data !:mime application/x-arc 0 lelong&0x8080ffff 0x0000141a ARC+ archive data !:mime application/x-arc 0 lelong&0x8080ffff 0x0000481a HYP archive data !:mime application/x-arc # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) # I can't create either SPARK or ArcFS archives so I have not tested this stuff # [GRR: the original entries collide with ARC, above; replaced with combined # version (not tested)] #0 byte 0x1a RISC OS archive (spark format) 0 string \032archive RISC OS archive (ArcFS format) 0 string Archive\000 RISC OS archive (ArcFS format) # All these were taken from idarc, many could not be verified. Unfortunately, # there were many low-quality sigs, i.e. easy to trigger false positives. # Please notify me of any real-world fishy/ambiguous signatures and I'll try # to get my hands on the actual archiver and see if I find something better. [JW] # probably many can be enhanced by finding some 0-byte or control char near the start # idarc calls this Crush/Uncompressed... *shrug* 0 string CRUSH Crush archive data # Squeeze It (.sqz) 0 string HLSQZ Squeeze It archive data # SQWEZ 0 string SQWEZ SQWEZ archive data # HPack (.hpk) 0 string HPAK HPack archive data # HAP 0 string \x91\x33HF HAP archive data # MD/MDCD 0 string MDmd MDCD archive data # LIM 0 string LIM\x1a LIM archive data # SAR 3 string LH5 SAR archive data # BSArc/BS2 0 string \212\3SB \0 BSArc/BS2 archive data # MAR 2 string =-ah MAR archive data # ACB #0 belong&0x00f800ff 0x00800000 ACB archive data # CPZ # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data # JRC 0 string JRchive JRC archive data # Quantum 0 string DS\0 Quantum archive data # ReSOF 0 string PK\3\6 ReSOF archive data # QuArk 0 string 7\4 QuArk archive data # YAC 14 string YC YAC archive data # X1 0 string X1 X1 archive data 0 string XhDr X1 archive data # CDC Codec (.dqt) 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data # AMGC 0 string \xad6" AMGC archive data # NuLIB 0 string NõFélå NuLIB archive data # PakLeo 0 string LEOLZW PAKLeo archive data # ChArc 0 string SChF ChArc archive data # PSA 0 string PSA PSA archive data # CrossePAC 0 string DSIGDCC CrossePAC archive data # Freeze 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data # KBoom 0 string ¨MP¨ KBoom archive data # NSQ, must go after CDC Codec 0 string \x76\xff NSQ archive data # DPA 0 string Dirk\ Paehl DPA archive data # BA # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp 0 string \0\6 TTComp archive data # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 0 string ESP ESP archive data # ZPack 0 string \1ZPK\1 ZPack archive data # Sky 0 string \xbc\x40 Sky archive data # UFA 0 string UFA UFA archive data # Dry 0 string =-H2O DRY archive data # FoxSQZ 0 string FOXSQZ FoxSQZ archive data # AR7 0 string ,AR7 AR7 archive data # PPMZ 0 string PPMZ PPMZ archive data # MS Compress 4 string \x88\xf0\x27 MS Compress archive data # updated by Joerg Jenderek >9 string \0 >>0 string KWAJ >>>7 string \321\003 MS Compress archive data >>>>14 ulong >0 \b, original size: %ld bytes >>>>18 ubyte >0x65 >>>>>18 string x \b, was %.8s >>>>>(10.b-4) string x \b.%.3s # MP3 (archiver, not lossy audio compression) 0 string MP3\x1a MP3-Archiver archive data # ZET 0 string OZÝ ZET archive data # TSComp 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data # ARQ 0 string gW\4\1 ARQ archive data # Squash 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data # PUCrunch 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp 0 string \2AB ABComp archive data 0 string \3AB2 ABComp archive data # CMP 0 string CO\0 CMP archive data # Splint 0 string \x93\xb9\x06 Splint archive data # InstallShield 0 string \x13\x5d\x65\x8c InstallShield Z archive Data # Gather 1 string GTH Gather archive data # BOA 0 string BOA BOA archive data # RAX 0 string ULEB\xa RAX archive data # Xtreme 0 string ULEB\0 Xtreme archive data # Pack Magic 0 string @â\1\0 Pack Magic archive data # BTS 0 belong&0xfeffffff 0x1a034465 BTS archive data # ELI 5750 0 string Ora\ ELI 5750 archive data # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data # PRO-PACK 0 string RNC PRO-PACK archive data # 777 0 string 777 777 archive data # LZS221 0 string sTaC LZS221 archive data # HPA 0 string HPA HPA archive data # Arhangel 0 string LG Arhangel archive data # EXP1, uses bzip2 0 string 0123456789012345BZh EXP1 archive data # IMP 0 string IMP\xa IMP archive data # NRV 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data # Squish 0 string \x73\xb2\x90\xf4 Squish archive data # Par 0 string PHILIPP Par archive data 0 string PAR Par archive data # HIT 0 string UB HIT archive data # SBX 0 belong&0xfffff000 0x53423000 SBX archive data # NaShrink 0 string NSK NaShrink archive data # SAPCAR 0 string #\ CAR\ archive\ header SAPCAR archive data 0 string CAR\ 2.00RG SAPCAR archive data # Disintegrator 0 string DST Disintegrator archive data # ASD 0 string ASD ASD archive data # InstallShield CAB 0 string ISc( InstallShield CAB # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable # so TODO: get real 4dos batcomp file and find sig # BlakHole 0 string BH\5\7 BlakHole archive data # BIX 0 string BIX0 BIX archive data # ChiefLZA 0 string ChfLZ ChiefLZA archive data # Blink 0 string Blink Blink archive data # Logitech Compress 0 string \xda\xfa Logitech Compress archive data # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) 1 string (C)\ STEPANYUK ARS-Sfx archive data # AKT/AKT32 0 string AKT32 AKT32 archive data 0 string AKT AKT archive data # NPack 0 string MSTSM NPack archive data # PFT 0 string \0\x50\0\x14 PFT archive data # SemOne 0 string SEM SemOne archive data # PPMD 0 string \x8f\xaf\xac\x84 PPMD archive data # FIZ 0 string FIZ FIZ archive data # MSXiE 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data # DeepFreezer 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data # DC 0 string =<DC- DC archive data # TPac 0 string \4TPAC\3 TPac archive data # Ai 0 string Ai\1\1\0 Ai archive data 0 string Ai\1\0\0 Ai archive data # Ai32 0 string Ai\2\0 Ai32 archive data 0 string Ai\2\1 Ai32 archive data # SBC 0 string SBC SBC archive data # Ybs 0 string YBS Ybs archive data # DitPack 0 string \x9e\0\0 DitPack archive data # DMS 0 string DMS! DMS archive data # EPC 0 string \x8f\xaf\xac\x8c EPC archive data # VSARC 0 string VS\x1a VSARC archive data # PDZ 0 string PDZ PDZ archive data # ReDuq 0 string rdqx ReDuq archive data # GCA 0 string GCAX GCA archive data # PPMN 0 string pN PPMN archive data # WinImage 3 string WINIMAGE WinImage archive data # Compressia 0 string CMP0CMP Compressia archive data # UHBC 0 string UHB UHBC archive data # WinHKI 0 string \x61\x5C\x04\x05 WinHKI archive data # WWPack data file 0 string WWP WWPack archive data # BSN (BSA, PTS-DOS) 0 string \xffBSG BSN archive data 1 string \xffBSG BSN archive data 3 string \xffBSG BSN archive data 1 string \0\xae\2 BSN archive data 1 string \0\xae\3 BSN archive data 1 string \0\xae\7 BSN archive data # AIN 0 string \x33\x18 AIN archive data 0 string \x33\x17 AIN archive data # XPA32 0 string xpa\0\1 XPA32 archive data # SZip (TODO: doesn't catch all versions) 0 string SZ\x0a\4 SZip archive data # XPack DiskImage 0 string jm XPack DiskImage archive data # XPack Data 0 string xpa XPack archive data # XPack Single Data 0 string Í\ jm XPack single archive data # TODO: missing due to unknown magic/magic at end of file: #DWC #ARG #ZAR #PC/3270 #InstallIt #RKive #RK #XPack Diskimage # These were inspired by idarc, but actually verified # Dzip archiver (.dz) 0 string DZ Dzip archive data >2 byte x \b, version %i >3 byte x \b.%i # ZZip archiver (.zz) 0 string ZZ\ \0\0 ZZip archive data 0 string ZZ0 ZZip archive data # PAQ archiver (.paq) 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data 0 string PAQ PAQ archive data >3 byte&0xf0 0x30 >>3 byte x (v%c) # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data 0 string JARCS JAR (ARJ Software, Inc.) archive data # ARJ archiver (jason@jarthur.Claremont.EDU) 0 leshort 0xea60 ARJ archive data !:mime application/x-arj >5 byte x \b, v%d, >8 byte &0x04 multi-volume, >8 byte &0x10 slash-switched, >8 byte &0x20 backup, >34 string x original name: %s, >7 byte 0 os: MS-DOS >7 byte 1 os: PRIMOS >7 byte 2 os: Unix >7 byte 3 os: Amiga >7 byte 4 os: Macintosh >7 byte 5 os: OS/2 >7 byte 6 os: Apple ][ GS >7 byte 7 os: Atari ST >7 byte 8 os: NeXT >7 byte 9 os: VAX/VMS >3 byte >0 %d] # [JW] idarc says this is also possible 2 leshort 0xea60 ARJ archive data # HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, #>2 leshort >1 %u files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC #>4 byte&0x0f =0x0e first is type DIR #>4 byte&0x0f =0x0f first is type SPECIAL # suggestion: at least identify small archives (<1024 files) 0 belong&0xffff00fc 0x48410000 HA archive data >2 leshort =1 1 file, >2 leshort >1 %u files, >4 byte&0x0f =0 first is type CPY >4 byte&0x0f =1 first is type ASC >4 byte&0x0f =2 first is type HSC >4 byte&0x0f =0x0e first is type DIR >4 byte&0x0f =0x0f first is type SPECIAL # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 0 string HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string \351,\001JAM\ JAM archive, >7 string >\0 version %.4s >0x26 byte =0x27 - >>0x2b string >\0 label %.11s, >>0x27 lelong x serial %08x, >>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 2 string -lh0- LHarc 1.x/ARX archive data [lh0] !:mime application/x-lharc 2 string -lh1- LHarc 1.x/ARX archive data [lh1] !:mime application/x-lharc 2 string -lz4- LHarc 1.x archive data [lz4] !:mime application/x-lharc 2 string -lz5- LHarc 1.x archive data [lz5] !:mime application/x-lharc # [never seen any but the last; -lh4- reported in comp.compression:] 2 string -lzs- LHa/LZS archive data [lzs] !:mime application/x-lha 2 string -lh\40- LHa 2.x? archive data [lh ] !:mime application/x-lha 2 string -lhd- LHa 2.x? archive data [lhd] !:mime application/x-lha 2 string -lh2- LHa 2.x? archive data [lh2] !:mime application/x-lha 2 string -lh3- LHa 2.x? archive data [lh3] !:mime application/x-lha 2 string -lh4- LHa (2.x) archive data [lh4] !:mime application/x-lha 2 string -lh5- LHa (2.x) archive data [lh5] !:mime application/x-lha 2 string -lh6- LHa (2.x) archive data [lh6] !:mime application/x-lha 2 string -lh7- LHa (2.x)/LHark archive data [lh7] !:mime application/x-lha >20 byte x - header level %d # taken from idarc [JW] 2 string -lZ PUT archive data 2 string -lz LZS archive data 2 string -sw1- Swag archive data # RAR archiver (Greg Roelofs, newt@uchicago.edu) 0 string Rar! RAR archive data, !:mime application/x-rar >44 byte x v%0x, >10 byte >0 flags: >>10 byte &0x01 Archive volume, >>10 byte &0x02 Commented, >>10 byte &0x04 Locked, >>10 byte &0x08 Solid, >>10 byte &0x20 Authenticated, >35 byte 0 os: MS-DOS >35 byte 1 os: OS/2 >35 byte 2 os: Win32 >35 byte 3 os: Unix # some old version? idarc says: 0 string RE\x7e\x5e RAR archive data # SQUISH archiver (Greg Roelofs, newt@uchicago.edu) 0 string SQSH squished archive data (Acorn RISCOS) # UC2 archiver (Greg Roelofs, newt@uchicago.edu) # [JW] see exe section for self-extracting version 0 string UC2\x1a UC2 archive data # PKZIP multi-volume archive 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract !:mime application/zip # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\003\004 # Specialised zip formats which start with a member named 'mimetype' # (stored uncompressed, with no 'extra field') containing the file's MIME type. # Check for have 8-byte name, 0-byte extra field, name "mimetype", and # contents starting with "application/": >26 string \x8\0\0\0mimetypeapplication/ # KOffice / OpenOffice & StarOffice / OpenDocument formats # From: Abel Cheung <abel@oaka.org> # KOffice (1.2 or above) formats # (mimetype contains "application/vnd.kde.<SUBTYPE>") >>50 string vnd.kde. KOffice (>=1.2) >>>58 string karbon Karbon document >>>58 string kchart KChart document >>>58 string kformula KFormula document >>>58 string kivio Kivio document >>>58 string kontour Kontour document >>>58 string kpresenter KPresenter document >>>58 string kspread KSpread document >>>58 string kword KWord document # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>") >>50 string vnd.sun.xml. OpenOffice.org 1.x >>>62 string writer Writer >>>>68 byte !0x2e document >>>>68 string .template template >>>>68 string .global global document >>>62 string calc Calc >>>>66 byte !0x2e spreadsheet >>>>66 string .template template >>>62 string draw Draw >>>>66 byte !0x2e document >>>>66 string .template template >>>62 string impress Impress >>>>69 byte !0x2e presentation >>>>69 string .template template >>>62 string math Math document >>>62 string base Database file # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) # http://lists.oasis-open.org/archives/office/200505/msg00006.html # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>") >>50 string vnd.oasis.opendocument. OpenDocument >>>73 string text >>>>77 byte !0x2d Text !:mime application/vnd.oasis.opendocument.text >>>>77 string -template Text Template !:mime application/vnd.oasis.opendocument.text-template >>>>77 string -web HTML Document Template !:mime application/vnd.oasis.opendocument.text-web >>>>77 string -master Master Document !:mime application/vnd.oasis.opendocument.text-master >>>73 string graphics >>>>81 byte !0x2d Drawing !:mime application/vnd.oasis.opendocument.graphics >>>>81 string -template Template !:mime application/vnd.oasis.opendocument.graphics-template >>>73 string presentation >>>>85 byte !0x2d Presentation !:mime application/vnd.oasis.opendocument.presentation >>>>85 string -template Template !:mime application/vnd.oasis.opendocument.presentation-template >>>73 string spreadsheet >>>>84 byte !0x2d Spreadsheet !:mime application/vnd.oasis.opendocument.spreadsheet >>>>84 string -template Template !:mime application/vnd.oasis.opendocument.spreadsheet-template >>>73 string chart >>>>78 byte !0x2d Chart !:mime application/vnd.oasis.opendocument.chart >>>>78 string -template Template !:mime application/vnd.oasis.opendocument.chart-template >>>73 string formula >>>>80 byte !0x2d Formula !:mime application/vnd.oasis.opendocument.formula >>>>80 string -template Template !:mime application/vnd.oasis.opendocument.formula-template >>>73 string database Database !:mime application/vnd.oasis.opendocument.database >>>73 string image >>>>78 byte !0x2d Image !:mime application/vnd.oasis.opendocument.image >>>>78 string -template Template !:mime application/vnd.oasis.opendocument.image-template # EPUB (OEBPS) books using OCF (OEBPS Container Format) # From: Adam Buchbinder <adam.buchbinder@gmail.com> # http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4. # (mimetype contains "application/epub+zip") >>50 string epub+zip EPUB ebook data !:mime application/epub+zip # Catch other ZIP-with-mimetype formats # In a ZIP file, the bytes immediately after a member's contents are # always "PK". The 2 regex rules here print the "mimetype" member's # contents up to the first 'P'. Luckily, most MIME types don't contain # any capital 'P's. This is a kludge. # (mimetype contains "application/<OTHER>") >>50 string !epub+zip >>>50 string !vnd.oasis.opendocument. >>>>50 string !vnd.sun.xml. >>>>>50 string !vnd.kde. >>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip # (mimetype contents other than "application/*") >26 string \x8\0\0\0mimetype >>38 string !application/ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) # Next line excludes specialized formats: >26 string !\x8\0\0\0mimetype Zip archive data !:mime application/zip >>4 byte 0x09 \b, at least v0.9 to extract >>4 byte 0x0a \b, at least v1.0 to extract >>4 byte 0x0b \b, at least v1.1 to extract >>4 byte 0x14 \b, at least v2.0 to extract >>4 byte 0x2d \b, at least v3.0 to extract >>0x161 string WINZIP \b, WinZIP self-extracting # StarView Metafile # From Pierre Ducroquet <pinaraf@pinaraf.info> 0 string VCLMTF StarView MetaFile >6 beshort x \b, version %d >8 belong x \b, size %d # Zoo archiver 20 lelong 0xfdc4a7dc Zoo archive data !:mime application/x-zoo >4 byte >48 \b, v%c. >>6 byte >47 \b%c >>>7 byte >47 \b%c >32 byte >0 \b, modify: v%d >>33 byte x \b.%d+ >42 lelong 0xfdc4a7dc \b, >>70 byte >0 extract: v%d >>>71 byte x \b.%d+ # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text !:mime application/octet-stream # # LBR. NB: May conflict with the questionable # "binary Computer Graphics Metafile" format. # 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) # 2 string -pm0- PMarc archive data [pm0] 2 string -pm1- PMarc archive data [pm1] 2 string -pm2- PMarc archive data [pm2] 2 string -pms- PMarc SFX archive (CP/M, DOS) 5 string -pc1- PopCom compressed executable (CP/M) # From Rafael Laboissiere <rafael@laboissiere.net> # The Project Revision Control System (see # http://prcs.sourceforge.net) generates a packaged project # file which is recognized by the following entry: 0 leshort 0xeb81 PRCS packaged project # Microsoft cabinets # by David Necas (Yeti) <yeti@physics.muni.cz> #0 string MSCF\0\0\0\0 Microsoft cabinet file data, #>25 byte x v%d #>24 byte x \b.%d # MPi: All CABs have version 1.3, so this is pointless. # Better magic in debian-additions. # GTKtalog catalogs # by David Necas (Yeti) <yeti@physics.muni.cz> 4 string gtktalog\ GTKtalog catalog data, >13 string 3 version 3 >>14 beshort 0x677a (gzipped) >>14 beshort !0x677a (not gzipped) >13 string >3 version %s ############################################################################ # Parity archive reconstruction file, the 'par' file format now used on Usenet. 0 string PAR\0 PARity archive data >48 leshort =0 - Index file >48 leshort >0 - file number %d # Felix von Leitner <felix-file@fefe.de> 0 string d8:announce BitTorrent file !:mime application/x-bittorrent # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> 0 beshort 0x0e0f Atari MSA archive data >2 beshort x \b, %d sectors per track >4 beshort 0 \b, 1 sided >4 beshort 1 \b, 2 sided >6 beshort x \b, starting track: %d >8 beshort x \b, ending track: %d # Alternate ZIP string (amc@arwen.cs.berkeley.edu) 0 string PK00PK\003\004 Zip archive data # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl <sec@42.org> 7 string **ACE** ACE archive data >15 byte >0 version %d >16 byte =0x00 \b, from MS-DOS >16 byte =0x01 \b, from OS/2 >16 byte =0x02 \b, from Win/32 >16 byte =0x03 \b, from Unix >16 byte =0x04 \b, from MacOS >16 byte =0x05 \b, from WinNT >16 byte =0x06 \b, from Primos >16 byte =0x07 \b, from AppleGS >16 byte =0x08 \b, from Atari >16 byte =0x09 \b, from Vax/VMS >16 byte =0x0A \b, from Amiga >16 byte =0x0B \b, from Next >14 byte x \b, version %d to extract >5 leshort &0x0080 \b, multiple volumes, >>17 byte x \b (part %d), >5 leshort &0x0002 \b, contains comment >5 leshort &0x0200 \b, sfx >5 leshort &0x0400 \b, small dictionary >5 leshort &0x0800 \b, multi-volume >5 leshort &0x1000 \b, contains AV-String >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered) >5 leshort &0x2000 \b, with recovery record >5 leshort &0x4000 \b, locked >5 leshort &0x8000 \b, solid # Date in MS-DOS format (whatever that is) #>18 lelong x Created on # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann # <doj@cubic.org> 0x1A string sfArk sfArk compressed Soundfont >0x15 string 2 >>0x1 string >\0 Version %s >>0x2A string >\0 : %s # DR-DOS 7.03 Packed File *.??_ 0 string Packed\ File\ Personal NetWare Packed File >12 string x \b, was "%.12s" # EET archive # From: Tilman Sauerbeck <tilman@code-monkey.de> 0 belong 0x1ee7ff00 EET archive !:mime application/x-eet # rzip archives 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) # From: "Robert Dale" <robdale@gmail.com> 0 belong 123 dar archive, >4 belong x label "%.8x >>8 belong x %.8x >>>12 beshort x %.4x" >14 byte 0x54 end slice >14 beshort 0x4e4e multi-part >14 beshort 0x4e53 multi-part, with -S # Symbian installation files # http://www.thouky.co.uk/software/psifs/sis.html # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf 8 lelong 0x10000419 Symbian installation file !:mime application/vnd.symbian.install >4 lelong 0x1000006D (EPOC release 3/4/5) >4 lelong 0x10003A12 (EPOC release 6) 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x) !:mime x-epoc/x-sisx-app # From "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string MPQ\032 MoPaQ (MPQ) archive # From: Dirk Jagdmann <doj@cubic.org> # xar archive format: http://code.google.com/p/xar/ 0 string xar! xar archive >6 beshort x - version %ld # From: "Nelson A. de Oliveira" <naoliv@gmail.com> # .kgb 0 string KGB_arch KGB Archiver file >10 string x with compression level %.1s # xar (eXtensible ARchiver) archive # From: "David Remahl" <dremahl@apple.com> 0 string xar! xar archive #>4 beshort x header size %d >6 beshort x version %d, #>8 quad x compressed TOC: %d, #>16 quad x uncompressed TOC: %d, >24 belong 0 no checksum >24 belong 1 SHA-1 checksum >24 belong 2 MD5 checksum # Type: Parity Archive # From: Daniel van Eeden <daniel_e@dds.nl> 0 string PAR2 Parity Archive Volume Set # Bacula volume format. (Volumes always start with a block header.) # URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html # From: Adam Buchbinder <adam.buchbinder@gmail.com> 12 string BB02 Bacula volume >20 bedate x \b, started %s # ePub is XHTML + XML inside a ZIP archive. The first member of the # archive must be an uncompressed file called 'mimetype' with contents # 'application/epub+zip' # start by checking that this is a ZIP archive, then check for the # proper mimetype file # From: Ralf Brown <ralf.brown@gmail.com> 0 string PK\003\004 >0x1E string mimetypeapplication/epub+zip EPUB document !:mime application/epub+zip # From: "Michał Górny" <mgorny@gentoo.org> # ZPAQ: http://mattmahoney.net/dc/zpaq.html 0 string zPQ ZPAQ stream >3 byte x \b, level %d # BBeB ebook, unencrypted (LRF format) # URL: http://www.sven.de/librie/Librie/LrfFormat # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted >8 beshort x \b, version %d >36 byte 1 \b, front-to-back >36 byte 16 \b, back-to-front >42 beshort x \b, (%dx, >44 beshort x %d) #------------------------------------------------------------------------------ # $File: assembler,v 1.1 2011/12/08 12:12:46 rrt Exp $ # make: file(1) magic for assembler source # 0 regex \^\.asciiz\? assembler source text !:mime text/x-asm 0 regex \^\.byte assembler source text !:mime text/x-asm 0 regex \^\.even assembler source text !:mime text/x-asm 0 regex \^\.globl assembler source text !:mime text/x-asm 0 regex \^\.text assembler source text !:mime text/x-asm #------------------------------------------------------------------------------ # $File: asterix,v 1.5 2009/09/19 16:28:08 christos Exp $ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character # strings as "long" - we assume they're just strings: # From: guy@netapp.com (Guy Harris) # 0 string *STA Aster*x >7 string WORD Words Document >7 string GRAP Graphic >7 string SPRE Spreadsheet >7 string MACR Macro 0 string 2278 Aster*x Version 2 >29 byte 0x36 Words Document >29 byte 0x35 Graphic >29 byte 0x32 Spreadsheet >29 byte 0x38 Macro #------------------------------------------------------------------------------ # $File: att3b,v 1.8 2009/09/19 16:28:08 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # # 3B20 # # The 3B20 conflicts with SCCS. #0 beshort 0550 3b20 COFF executable #>12 belong >0 not stripped #>22 beshort >0 - version %ld #0 beshort 0551 3b20 COFF executable (TV) #>12 belong >0 not stripped #>22 beshort >0 - version %ld # # WE32K # 0 beshort 0560 WE32000 COFF >18 beshort ^00000020 object >18 beshort &00000020 executable >12 belong >0 not stripped >18 beshort ^00010000 N/A on 3b2/300 w/paging >18 beshort &00020000 32100 required >18 beshort &00040000 and MAU hardware required >20 beshort 0407 (impure) >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0443 (target shared library) >22 beshort >0 - version %ld 0 beshort 0561 WE32000 COFF executable (TV) >12 belong >0 not stripped #>18 beshort &00020000 - 32100 required #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %ld # # core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' #------------------------------------------------------------------------------ # $File: audio,v 1.64 2012/02/20 16:37:34 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), # and others # # Sun/NeXT audio data 0 string .snd Sun/NeXT audio data: >12 belong 1 8-bit ISDN mu-law, !:mime audio/basic >12 belong 2 8-bit linear PCM [REF-PCM], !:mime audio/basic >12 belong 3 16-bit linear PCM, !:mime audio/basic >12 belong 4 24-bit linear PCM, !:mime audio/basic >12 belong 5 32-bit linear PCM, !:mime audio/basic >12 belong 6 32-bit IEEE floating point, !:mime audio/basic >12 belong 7 64-bit IEEE floating point, !:mime audio/basic >12 belong 8 Fragmented sample data, >12 belong 10 DSP program, >12 belong 11 8-bit fixed point, >12 belong 12 16-bit fixed point, >12 belong 13 24-bit fixed point, >12 belong 14 32-bit fixed point, >12 belong 18 16-bit linear with emphasis, >12 belong 19 16-bit linear compressed, >12 belong 20 16-bit linear with emphasis and compression, >12 belong 21 Music kit DSP commands, >12 belong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), !:mime audio/x-adpcm >12 belong 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong 27 8-bit A-law (CCITT G.711), >20 belong 1 mono, >20 belong 2 stereo, >20 belong 4 quad, >16 belong >0 %d Hz # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format # that uses little-endian encoding and has a different magic number 0 lelong 0x0064732E DEC audio data: >12 lelong 1 8-bit ISDN mu-law, !:mime audio/x-dec-basic >12 lelong 2 8-bit linear PCM [REF-PCM], !:mime audio/x-dec-basic >12 lelong 3 16-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 4 24-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 5 32-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 6 32-bit IEEE floating point, !:mime audio/x-dec-basic >12 lelong 7 64-bit IEEE floating point, !:mime audio/x-dec-basic >12 belong 8 Fragmented sample data, >12 belong 10 DSP program, >12 belong 11 8-bit fixed point, >12 belong 12 16-bit fixed point, >12 belong 13 24-bit fixed point, >12 belong 14 32-bit fixed point, >12 belong 18 16-bit linear with emphasis, >12 belong 19 16-bit linear compressed, >12 belong 20 16-bit linear with emphasis and compression, >12 belong 21 Music kit DSP commands, >12 lelong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), !:mime audio/x-dec-basic >12 belong 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong 27 8-bit A-law (CCITT G.711), >20 lelong 1 mono, >20 lelong 2 stereo, >20 lelong 4 quad, >16 lelong >0 %d Hz # Creative Labs AUDIO stuff 0 string MThd Standard MIDI data !:mime audio/midi >8 beshort x (format %d) >10 beshort x using %d track >10 beshort >1 \bs >12 beshort&0x7fff x at 1/%d >12 beshort&0x8000 >0 SMPTE 0 string CTMF Creative Music (CMF) data !:mime audio/x-unknown 0 string SBI SoundBlaster instrument data !:mime audio/x-unknown 0 string Creative\ Voice\ File Creative Labs voice data !:mime audio/x-unknown # is this next line right? it came this way... >19 byte 0x1A >23 byte >0 - version %d >22 byte >0 \b.%d # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data >4 belong x - version %ld # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] 0 string EMOD Extended MOD sound data, >4 byte&0xf0 x version %d >4 byte&0x0f x \b.%d, >45 byte x %d instruments >83 byte 0 (module) >83 byte 1 (song) # Real Audio (Magic .ra\0375) 0 belong 0x2e7261fd RealAudio sound file !:mime audio/x-pn-realaudio 0 string .RMF\0\0\0 RealMedia file !:mime application/vnd.rn-realmedia #video/x-pn-realvideo #video/vnd.rn-realvideo #application/vnd.rn-realmedia # sigh, there are many mimes for that but the above are the most common. # MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] # Oct 31, 1995 # fixed by <doj@cubic.org> 2003-06-24 # Too short... #0 string MTM MultiTracker Module sound file #0 string if Composer 669 Module sound data #0 string JN Composer 669 Module sound data (extended format) 0 string MAS_U ULT(imate) Module sound data #0 string FAR Module sound data #>4 string >\15 Title: "%s" 0x2c string SCRM ScreamTracker III Module sound data >0 string >\0 Title: "%s" # Gravis UltraSound patches # From <ache@nagual.ru> 0 string GF1PATCH110\0ID#000002\0 GUS patch 0 string GF1PATCH100\0ID#000002\0 Old GUS patch # mime types according to http://www.geocities.com/nevilo/mod.htm: # audio/it .it # audio/x-zipped-it .itz # audio/xm fasttracker modules # audio/x-s3m screamtracker modules # audio/s3m screamtracker modules # audio/x-zipped-mod mdz # audio/mod mod # audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) # # Taken from loader code from mikmod version 2.14 # by Steve McIntyre (stevem@chiark.greenend.org.uk) # <doj@cubic.org> added title printing on 2003-06-24 0 string MAS_UTrack_V00 >14 string >/0 ultratracker V1.%.1s module sound data !:mime audio/x-mod #audio/x-tracker-module 0 string UN05 MikMod UNI format module sound data 0 string Extended\ Module: Fasttracker II module sound data !:mime audio/x-mod #audio/x-tracker-module >17 string >\0 Title: "%s" 21 string/c =!SCREAM! Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module 21 string BMOD2STM Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module 1080 string M.K. 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" 1080 string M!K! 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" 1080 string FLT4 4-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" 1080 string FLT8 8-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" 1080 string 4CHN 4-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" 1080 string 6CHN 6-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" 1080 string 8CHN 8-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" 1080 string CD81 8-channel Octalyser module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" 1080 string OKTA 8-channel Octalyzer module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 1080 string 16CN 16-channel Taketracker module sound data !:mime audio/x-mod #audio/x-taketracker-module >0 string >\0 Title: "%s" 1080 string 32CN 32-channel Taketracker module sound data !:mime audio/x-mod #audio/x-taketracker-module >0 string >\0 Title: "%s" # TOC sound files -Trevor Johnson <trevor@jpj.net> # 0 string TOC TOC sound file # sidfiles <pooka@iki.fi> # added name,author,(c) and new RSID type by <doj@cubic.org> 2003-06-24 0 string SIDPLAY\ INFOFILE Sidplay info file 0 string PSID PlaySID v2.2+ (AMIGA) sidtune >4 beshort >0 w/ header v%d, >14 beshort =1 single song, >14 beshort >1 %d songs, >16 beshort >0 default song: %d >0x16 string >\0 name: "%s" >0x36 string >\0 author: "%s" >0x56 string >\0 copyright: "%s" 0 string RSID RSID sidtune PlaySID compatible >4 beshort >0 w/ header v%d, >14 beshort =1 single song, >14 beshort >1 %d songs, >16 beshort >0 default song: %d >0x16 string >\0 name: "%s" >0x36 string >\0 author: "%s" >0x56 string >\0 copyright: "%s" # IRCAM sound files - Michael Pruett <michael@68k.org> # http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html 0 belong 0x64a30100 IRCAM file (VAX little-endian) 0 belong 0x0001a364 IRCAM file (VAX big-endian) 0 belong 0x64a30200 IRCAM file (Sun big-endian) 0 belong 0x0002a364 IRCAM file (Sun little-endian) 0 belong 0x64a30300 IRCAM file (MIPS little-endian) 0 belong 0x0003a364 IRCAM file (MIPS big-endian) 0 belong 0x64a30400 IRCAM file (NeXT big-endian) 0 belong 0x64a30400 IRCAM file (NeXT big-endian) 0 belong 0x0004a364 IRCAM file (NeXT little-endian) # NIST SPHERE <mpruett@sgi.com> 0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file # Sample Vision <mpruett@sgi.com> 0 string SOUND\ SAMPLE\ DATA\ Sample Vision file # Audio Visual Research <tonigonenstein@users.sourceforge.net> 0 string 2BIT Audio Visual Research file, >12 beshort =0 mono, >12 beshort =-1 stereo, >14 beshort x %d bits >16 beshort =0 unsigned, >16 beshort =-1 signed, >22 belong&0x00ffffff x %d Hz, >18 beshort =0 no loop, >18 beshort =-1 loop, >21 ubyte <128 note %d, >22 byte =0 replay 5.485 KHz >22 byte =1 replay 8.084 KHz >22 byte =2 replay 10.971 KHz >22 byte =3 replay 16.168 KHz >22 byte =4 replay 21.942 KHz >22 byte =5 replay 32.336 KHz >22 byte =6 replay 43.885 KHz >22 byte =7 replay 47.261 KHz # SGI SoundTrack <mpruett@sgi.com> 0 string _SGI_SoundTrack SGI SoundTrack project file # ID3 version 2 tags <waschk@informatik.uni-rostock.de> 0 string ID3 Audio file with ID3 version 2 >3 byte x \b.%d >4 byte x \b.%d >>5 byte &0x80 \b, unsynchronized frames >>5 byte &0x40 \b, extended header >>5 byte &0x20 \b, experimental >>5 byte &0x10 \b, footer present >(6.I) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File >14 string >\0 ("%s" by >46 string >\0 %s, copyright >78 string >\0 %s), >5 byte x version %d, >6 byte x %d tracks, >122 byte&0x2 =1 dual PAL/NTSC >122 byte&0x1 =1 PAL >122 byte&0x1 =0 NTSC # Type: SNES SPC700 sound files # From: Josh Triplett <josh@freedesktop.org> 0 string SNES-SPC700\ Sound\ File\ Data\ v SNES SPC700 sound file >&0 string 0.30 \b, version %s >>0x23 byte 0x1B \b, without ID666 tag >>0x23 byte 0x1A \b, with ID666 tag >>>0x2E string >\0 \b, song "%.32s" >>>0x4E string >\0 \b, game "%.32s" # Impulse tracker module (audio/x-it) 0 string IMPM Impulse Tracker module sound data - !:mime audio/x-mod >4 string >\0 "%s" >40 leshort !0 compatible w/ITv%x >42 leshort !0 created w/ITv%x # Imago Orpheus module (audio/x-imf) 60 string IM10 Imago Orpheus module sound data - >0 string >\0 "%s" # From <collver1@attbi.com> # These are the /etc/magic entries to decode modules, instruments, and # samples in Impulse Tracker's native format. 0 string IMPS Impulse Tracker Sample >18 byte &2 16 bit >18 byte ^2 8 bit >18 byte &4 stereo >18 byte ^4 mono 0 string IMPI Impulse Tracker Instrument >28 leshort !0 ITv%x >30 byte !0 %d samples # Yamaha TX Wave: file(1) magic for Yamaha TX Wave audio files # From <collver1@attbi.com> 0 string LM8953 Yamaha TX Wave >22 byte 0x49 looped >22 byte 0xC9 non-looped >23 byte 1 33kHz >23 byte 2 50kHz >23 byte 3 16kHz # scream tracker: file(1) magic for Scream Tracker sample files # # From <collver1@attbi.com> 76 string SCRS Scream Tracker Sample >0 byte 1 sample >0 byte 2 adlib melody >0 byte >2 adlib drum >31 byte &2 stereo >31 byte ^2 mono >31 byte &4 16bit little endian >31 byte ^4 8bit >30 byte 0 unpacked >30 byte 1 packed # audio # From: Cory Dikkers <cdikkers@swbell.net> 0 string MMD0 MED music file, version 0 0 string MMD1 OctaMED Pro music file, version 1 0 string MMD3 OctaMED Soundstudio music file, version 3 0 string OctaMEDCmpr OctaMED Soundstudio compressed file 0 string MED MED_Song 0 string SymM Symphonie SymMOD music file # 0 string THX AHX version >3 byte =0 1 module data >3 byte =1 2 module data # 0 string OKTASONG Oktalyzer module data # 0 string DIGI\ Booster\ module\0 %s >20 byte >0 %c >>21 byte >0 \b%c >>>22 byte >0 \b%c >>>>23 byte >0 \b%c >610 string >\0 \b, "%s" # 0 string DBM0 DIGI Booster Pro Module >4 byte >0 V%X. >>5 byte x \b%02X >16 string >\0 \b, "%s" # 0 string FTMN FaceTheMusic module >16 string >\0d \b, "%s" # From: <doj@cubic.org> 2003-06-24 0 string AMShdr\32 Velvet Studio AMS Module v2.2 0 string Extreme Extreme Tracker AMS Module v1.3 0 string DDMF Xtracker DMF Module >4 byte x v%i >0xD string >\0 Title: "%s" >0x2B string >\0 Composer: "%s" 0 string DSM\32 Dynamic Studio Module DSM 0 string SONG DigiTrekker DTM Module 0 string DMDL DigiTrakker MDL Module 0 string PSM\32 Protracker Studio PSM Module 44 string PTMF Poly Tracker PTM Module >0 string >\32 Title: "%s" 0 string MT20 MadTracker 2.0 Module MT2 0 string RAD\40by\40REALiTY!! RAD Adlib Tracker Module RAD 0 string RTMM RTM Module 0x426 string MaDoKaN96 XMS Adlib Module >0 string >\0 Composer: "%s" 0 string AMF AMF Module >4 string >\0 Title: "%s" 0 string MODINFO1 Open Cubic Player Module Inforation MDZ 0 string Extended\40Instrument: Fast Tracker II Instrument # From: Takeshi Hamasaki <hma@syd.odn.ne.jp> # NOA Nancy Codec file 0 string \210NOA\015\012\032 NOA Nancy Codec Movie file # Yamaha SMAF format 0 string MMMD Yamaha SMAF file # Sharp Jisaku Melody format for PDC 0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody >20 string Ver01.00 Ver. 1.00 >>32 byte x , %d tracks # Free lossless audio codec <http://flac.sourceforge.net> # From: Przemyslaw Augustyniak <silvathraec@rpg.pl> 0 string fLaC FLAC audio bitstream data !:mime audio/x-flac >4 byte&0x7f >0 \b, unknown version >4 byte&0x7f 0 \b # some common bits/sample values >>20 beshort&0x1f0 0x030 \b, 4 bit >>20 beshort&0x1f0 0x050 \b, 6 bit >>20 beshort&0x1f0 0x070 \b, 8 bit >>20 beshort&0x1f0 0x0b0 \b, 12 bit >>20 beshort&0x1f0 0x0f0 \b, 16 bit >>20 beshort&0x1f0 0x170 \b, 24 bit >>20 byte&0xe 0x0 \b, mono >>20 byte&0xe 0x2 \b, stereo >>20 byte&0xe 0x4 \b, 3 channels >>20 byte&0xe 0x6 \b, 4 channels >>20 byte&0xe 0x8 \b, 5 channels >>20 byte&0xe 0xa \b, 6 channels >>20 byte&0xe 0xc \b, 7 channels >>20 byte&0xe 0xe \b, 8 channels # some common sample rates >>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz >>17 belong&0xfffff0 0x0bb800 \b, 48 kHz >>17 belong&0xfffff0 0x07d000 \b, 32 kHz >>17 belong&0xfffff0 0x056220 \b, 22.05 kHz >>17 belong&0xfffff0 0x05dc00 \b, 24 kHz >>17 belong&0xfffff0 0x03e800 \b, 16 kHz >>17 belong&0xfffff0 0x02b110 \b, 11.025 kHz >>17 belong&0xfffff0 0x02ee00 \b, 12 kHz >>17 belong&0xfffff0 0x01f400 \b, 8 kHz >>17 belong&0xfffff0 0x177000 \b, 96 kHz >>17 belong&0xfffff0 0x0fa000 \b, 64 kHz >>21 byte&0xf >0 \b, >4G samples >>21 byte&0xf 0 \b >>>22 belong >0 \b, %u samples >>>22 belong 0 \b, length unknown # (ISDN) VBOX voice message file (Wolfram Kleff) 0 string VBOX VBOX voice message data # ReBorn Song Files (.rbs) # David J. Singer <doc@deadvirgins.org.uk> 8 string RB40 RBS Song file >29 string ReBorn created by ReBorn >37 string Propellerhead created by ReBirth # Synthesizer Generator and Kimwitu share their file format 0 string A#S#C#S#S#L#V#3 Synthesizer Generator or Kimwitu data # Kimwitu++ uses a slightly different magic 0 string A#S#C#S#S#L#HUB Kimwitu++ data # From "Simon Hosie 0 string TFMX-SONG TFMX module sound data # Monkey's Audio compressed audio format (.ape) # From danny.milo@gmx.net (Danny Milosavljevic) # New version from Abel Cheung <abel (@) oaka.org> 0 string MAC\040 Monkey's Audio compressed format !:mime audio/x-ape >4 uleshort >0x0F8B version %d >>(0x08.l) uleshort =1000 with fast compression >>(0x08.l) uleshort =2000 with normal compression >>(0x08.l) uleshort =3000 with high compression >>(0x08.l) uleshort =4000 with extra high compression >>(0x08.l) uleshort =5000 with insane compression >>(0x08.l+18) uleshort =1 \b, mono >>(0x08.l+18) uleshort =2 \b, stereo >>(0x08.l+20) ulelong x \b, sample rate %d >4 uleshort <0x0F8C version %d >>6 uleshort =1000 with fast compression >>6 uleshort =2000 with normal compression >>6 uleshort =3000 with high compression >>6 uleshort =4000 with extra high compression >>6 uleshort =5000 with insane compression >>10 uleshort =1 \b, mono >>10 uleshort =2 \b, stereo >>12 ulelong x \b, sample rate %d # adlib sound files # From Gürkan Sengün <gurkan@linuks.mine.nu>, http://www.linuks.mine.nu 0 string RAWADATA RdosPlay RAW 1068 string RoR AMUSIC Adlib Tracker 0 string JCH EdLib 0 string mpu401tr MPU-401 Trakker 0 string SAdT Surprise! Adlib Tracker >4 byte x Version %d 0 string XAD! eXotic ADlib 0 string ofTAZ! eXtra Simple Music # Spectrum 128 tunes (.ay files). # From: Emanuel Haupt <ehaupt@critical.ch> 0 string ZXAYEMUL Spectrum 128 tune 0 string \0BONK BONK, #>5 byte x version %d >14 byte x %d channel(s), >15 byte =1 lossless, >15 byte =0 lossy, >16 byte x mid-side 384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones) # format VQF (proprietary codec for sound) # some infos on the header file available at : # http://www.twinvq.org/english/technology_format.html 0 string TWIN97012000 VQF data >27 short 0 \b, Mono >27 short 1 \b, Stereo >31 short >0 \b, %d kbit/s >35 short >0 \b, %d kHz # Nelson A. de Oliveira (naoliv@gmail.com) # .eqf 0 string Winamp\ EQ\ library\ file %s # it will match only versions like v<digit>.<digit> # Since I saw only eqf files with version v1.1 I think that it's OK >23 string x \b%.4s # .preset 0 string [Equalizer\ preset] XMMS equalizer preset # .m3u 0 search/1 #EXTM3U M3U playlist text # .pls 0 search/1 [playlist] PLS playlist text # licq.conf 1 string [licq] LICQ configuration file # Atari ST audio files by Dirk Jagdmann <doj@cubic.org> 0 string ICE! SNDH Atari ST music 0 string SC68\ Music-file\ /\ (c)\ (BeN)jami sc68 Atari ST music # musepak support From: "Jiri Pejchal" <jiri.pejchal@gmail.com> 0 string MP+ Musepack audio >3 byte 255 \b, SV pre8 >3 byte&0xF 0x6 \b, SV 6 >3 byte&0xF 0x8 \b, SV 8 >3 byte&0xF 0x7 \b, SV 7 >>3 byte&0xF0 0x0 \b.0 >>3 byte&0xF0 0x10 \b.1 >>3 byte&0xF0 240 \b.15 >>10 byte&0xF0 0x0 \b, no profile >>10 byte&0xF0 0x10 \b, profile 'Unstable/Experimental' >>10 byte&0xF0 0x50 \b, quality 0 >>10 byte&0xF0 0x60 \b, quality 1 >>10 byte&0xF0 0x70 \b, quality 2 (Telephone) >>10 byte&0xF0 0x80 \b, quality 3 (Thumb) >>10 byte&0xF0 0x90 \b, quality 4 (Radio) >>10 byte&0xF0 0xA0 \b, quality 5 (Standard) >>10 byte&0xF0 0xB0 \b, quality 6 (Xtreme) >>10 byte&0xF0 0xC0 \b, quality 7 (Insane) >>10 byte&0xF0 0xD0 \b, quality 8 (BrainDead) >>10 byte&0xF0 0xE0 \b, quality 9 >>10 byte&0xF0 0xF0 \b, quality 10 >>27 byte 0x0 \b, Buschmann 1.7.0-9, Klemm 0.90-1.05 >>27 byte 102 \b, Beta 1.02 >>27 byte 104 \b, Beta 1.04 >>27 byte 105 \b, Alpha 1.05 >>27 byte 106 \b, Beta 1.06 >>27 byte 110 \b, Release 1.1 >>27 byte 111 \b, Alpha 1.11 >>27 byte 112 \b, Beta 1.12 >>27 byte 113 \b, Alpha 1.13 >>27 byte 114 \b, Beta 1.14 >>27 byte 115 \b, Alpha 1.15 # IMY # from http://filext.com/detaillist.php?extdetail=IMY # http://cellphones.about.com/od/cellularfaqs/f/rf_imelody.htm # http://download.ncl.ie/doc/api/ie/ncl/media/music/IMelody.html # http://www.wx800.com/msg/download/irda/iMelody.pdf 0 string BEGIN:IMELODY iMelody Ringtone Format # From: "Mateus Caruccio" <mateus@caruccio.com> # guitar pro v3,4,5 from http://filext.com/file-extension/gp3 0 string \030FICHIER\ GUITAR\ PRO\ v3. Guitar Pro Ver. 3 Tablature # From: "Leslie P. Polzer" <leslie.polzer@gmx.net> 60 string SONG SoundFX Module sound file # Type: Adaptive Multi-Rate Codec # URL: http://filext.com/detaillist.php?extdetail=AMR # From: Russell Coker <russell@coker.com.au> 0 string #!AMR Adaptive Multi-Rate Codec (GSM telephony) # Type: SuperCollider 3 Synth Definition File Format # From: Mario Lang <mlang@debian.org> 0 string SCgf SuperCollider3 Synth Definition file, >4 belong x version %d # Type: True Audio Lossless Audio # URL: http://wiki.multimedia.cx/index.php?title=True_Audio # From: Mike Melanson <mike@multimedia.cx> 0 string TTA1 True Audio Lossless Audio # Type: WavPack Lossless Audio # URL: http://wiki.multimedia.cx/index.php?title=WavPack # From: Mike Melanson <mike@multimedia.cx> 0 string wvpk WavPack Lossless Audio #---------------------------------------------------------------- # $File: basis,v 1.4 2009/09/19 16:28:08 christos Exp $ # basis: file(1) magic for BBx/Pro5-files # Oliver Dammer <dammer@olida.de> 2005/11/07 # http://www.basis.com business-basic-files. # 0 string \074\074bbx\076\076 BBx >7 string \000 indexed file >7 string \001 serial file >7 string \002 keyed file >>13 short 0 (sort) >7 string \004 program >>18 byte x (LEVEL %d) >>>23 string >\000 psaved >7 string \006 mkeyed file >>13 short 0 (sort) >>8 string \000 (mkey) #------------------------------------------------------------------------------ # $File: bflt,v 1.4 2009/09/19 16:28:08 christos Exp $ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter <phdm@macqel.be> # 0 string bFLT BFLT executable >4 belong x - version %ld >4 belong 4 >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # http://ftg.lbl.gov/checkpoint 0 string C\0\0\0R\0\0\0 BLCR >16 lelong 1 x86 >16 lelong 3 alpha >16 lelong 5 x86-64 >16 lelong 7 ARM >8 lelong x context data (little endian, version %d) # Uncomment the following only of your "file" program supports "search" #>0 search/1024 VMA\06 for kernel #>>&1 byte x %d. #>>&2 byte x %d. #>>&3 byte x %d 0 string \0\0\0C\0\0\0R BLCR >16 belong 2 SPARC >16 belong 4 ppc >16 belong 6 ppc64 >16 belong 7 ARMEB >16 belong 8 SPARC64 >8 belong x context data (big endian, version %d) # Uncomment the following only of your "file" program supports "search" #>0 search/1024 VMA\06 for kernel #>>&1 byte x %d. #>>&2 byte x \b%d. #>>&3 byte x \b%d #------------------------------------------------------------------------------ # $File: blender,v 1.5 2009/09/19 16:28:08 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # http://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42 0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 leshort x \b%.4d >>8 string =V big endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 beshort x \b%.4d >7 string =- saved as 64-bits >>8 string =v little endian >>9 byte x with version %c. >>10 byte x \b%c >>11 byte x \b%c >>0x44 string =GLOB \b. >>>0x60 leshort x \b%.4d >>8 string =V big endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d # Scripts that run in the embeded Python interpreter 0 string #!BPY Blender3D BPython script #------------------------------------------------------------------------------ # $File: blit,v 1.8 2009/09/19 16:28:08 christos Exp $ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... # # XXX - should this be redone with "be" and "le", so that it works on # little-endian machines as well? If so, what's the deal with # "VAX-order" and "VAX-order2"? # #0 long 0407 68K Blit (standalone) executable #0 short 0407 VAX-order2 68K Blit (standalone) executable 0 short 03401 VAX-order 68K Blit (standalone) executable 0 long 0406 68k Blit mpx/mux executable 0 short 0406 VAX-order2 68k Blit mpx/mux executable 0 short 03001 VAX-order 68k Blit mpx/mux executable # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable #------------------------------------------------------------------------------ # $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $ # i80960 b.out objects and archives # 0 long 0x10d i960 b.out relocatable object >16 long >0 not stripped # # b.out archive (hp-rt on i960) 0 string =!<bout> b.out archive >8 string __.SYMDEF random library #------------------------------------------------------------------------------ # $File: bsdi,v 1.5 2009/09/19 16:28:08 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # 0 lelong 0314 386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) 0 lelong 0407 386 executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) 0 lelong 0410 386 pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) 0 lelong 0413 386 demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) # same as in SunOS 4.x, except for static shared libraries 0 belong&077777777 0600413 sparc demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) 0 belong&077777777 0600410 sparc pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) 0 belong&077777777 0600407 sparc >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) # Chiasmus is a encryption standard developed by the German Federal # Office for Information Security (Bundesamt fuer Sicherheit in der # Informationstechnik). # Extension: .xia 0 string XIA1 Chiasmus encrypted data # Extension: .xis 0 string XIS Chiasmus key #------------------------------------------------------------------------------ # $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $ # BTSnoop: file(1) magic for BTSnoop files # # From <marcel@holtmann.org> 0 string btsnoop\0 BTSnoop >8 belong x version %d, >12 belong 1001 Unencapsulated HCI >12 belong 1002 HCI UART (H4) >12 belong 1003 HCI BCSP >12 belong 1004 HCI Serial (H5) >>12 belong x type %d #------------------------------------------------------------------------------ # $File: c-lang,v 1.16 2011/12/09 08:02:16 rrt Exp $ # c-lang: file(1) magic for C and related languages programs # # BCPL 0 search/8192 "libhdr" BCPL source text !:mime text/x-bcpl !:strength / 2 0 search/8192 "LIBHDR" BCPL source text !:mime text/x-bcpl !:strength / 2 # C 0 regex \^#include C source text !:mime text/x-c !:strength / 2 0 regex \^char C source text !:mime text/x-c !:strength / 2 0 regex \^double C source text !:mime text/x-c !:strength / 2 0 regex \^extern C source text !:mime text/x-c !:strength / 2 0 regex \^float C source text !:mime text/x-c !:strength / 2 0 regex \^struct C source text !:mime text/x-c !:strength / 2 0 regex \^union C source text !:mime text/x-c !:strength / 2 0 search/8192 main( C source text !:mime text/x-c !:strength / 2 # C++ # The strength of these rules is increased so they beat the C rules above 0 regex \^template C++ source text !:strength + 10 !:mime text/x-c++ 0 regex \^virtual C++ source text !:strength + 10 !:mime text/x-c++ 0 regex \^class C++ source text !:strength + 10 !:mime text/x-c++ 0 regex \^public: C++ source text !:strength + 10 !:mime text/x-c++ 0 regex \^private: C++ source text !:strength + 10 !:mime text/x-c++ # From: Mikhail Teterin <mi@aldan.algebra.com> 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time betwen # versions 11 and 15, so look for -q if version is above 14: >7 string >14 >>10 search/100 \ -q\ with inverted index >10 search/100 \ -c\ text (non-compressed) #------------------------------------------------------------------------------ # $File: c64,v 1.5 2009/09/19 16:28:08 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann <doj@cubic.org> 0x16500 belong 0x12014100 D64 Image 0x16500 belong 0x12014180 D71 Image 0x61800 belong 0x28034400 D81 Image 0 string C64\40CARTRIDGE CCS C64 Emultar Cartridge Image 0 belong 0x43154164 X64 Image 0 string GCR-1541 GCR Image >8 byte x version: %i >9 byte x tracks: %i 9 string PSUR ARC archive (c64) 2 string -LH1- LHA archive (c64) 0 string C64File PC64 Emulator file >8 string >\0 "%s" 0 string C64Image PC64 Freezer Image 0 beshort 0x38CD C64 PCLink Image 0 string CBM\144\0\0 Power 64 C64 Emulator Snapshot 0 belong 0xFF424CFF WRAptor packer (c64) 0 string C64S\x20tape\x20file T64 tape Image >32 leshort x Version:0x%x >36 leshort !0 Entries:%i >40 string x Name:%.24s 0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x Version:0x%x >36 leshort !0 Entries:%i >40 string x Name:%.24s 0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x Version:0x%x >36 leshort !0 Entries:%i >40 string x Name:%.24s #------------------------------------------------------------------------------ # $File: cad,v 1.11 2011/12/08 12:12:46 rrt Exp $ # autocad: file(1) magic for cad files # # AutoCAD DWG versions R13/R14 (www.autodesk.com) # Written December 01, 2003 by Lester Hightower # Based on the DWG File Format Specifications at http://www.opendwg.org/ 0 string \101\103\061\060\061 AutoCAD >5 string \062\000\000\000\000 DWG ver. R13 >5 string \064\000\000\000\000 DWG ver. R14 # Microstation DGN/CIT Files (www.bentley.com) # Last updated July 29, 2005 by Lester Hightower # DGN is the default file extension of Microstation/Intergraph CAD files. # CIT is the proprietary raster format (similar to TIFF) used to attach # raster underlays to Microstation DGN (vector) drawings. # # http://www.wotsit.org/search.asp # http://filext.com/detaillist.php?extdetail=DGN # http://filext.com/detaillist.php?extdetail=CIT # # http://www.bentley.com/products/default.cfm?objectid=97F351F5-9C35-4E5E-89C2 # 3F86C928&method=display&p_objectid=97F351F5-9C35-4E5E-89C280A93F86C928 # http://www.bentley.com/products/default.cfm?objectid=A5C2FD43-3AC9-4C71-B682 # 721C479F&method=display&p_objectid=A5C2FD43-3AC9-4C71-B682C7BE721C479F 0 string \010\011\376 Microstation >3 string \002 >>30 string \026\105 DGNFile >>30 string \034\105 DGNFile >>30 string \073\107 DGNFile >>30 string \073\110 DGNFile >>30 string \106\107 DGNFile >>30 string \110\103 DGNFile >>30 string \120\104 DGNFile >>30 string \172\104 DGNFile >>30 string \172\105 DGNFile >>30 string \172\106 DGNFile >>30 string \234\106 DGNFile >>30 string \273\105 DGNFile >>30 string \306\106 DGNFile >>30 string \310\104 DGNFile >>30 string \341\104 DGNFile >>30 string \372\103 DGNFile >>30 string \372\104 DGNFile >>30 string \372\106 DGNFile >>30 string \376\103 DGNFile >4 string \030\000\000 CITFile >4 string \030\000\003 CITFile # AutoCad, from Nahuel Greco # AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) 0 string AC1012 DWG AutoDesk AutoCad (release 12) 0 string AC1013 DWG AutoDesk AutoCad (release 13) 0 string AC1014 DWG AutoDesk AutoCad (release 14) # A new version of AutoCAD DWG # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321) # From various sources like: # http://autodesk.blogs.com/between_the_lines/autocad-release-history.html 0 string AC1018 DWG AutoDesk AutoCAD 2004/2005/2006 0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009 0 string AC1024 DWG AutoDesk AutoCAD 2010/2011 # KOMPAS 2D drawing from ASCON # This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor # gathered nor specification # ASCON http://ascon.net/main/ in English, # http://ascon.ru/ main site in Russian # Extension is CDW for drawing and FRW for fragment of drawing # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321, http://vkontakte.ru/id16076543) # From: # http://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 # (in russian) and my experiments 0 string KF >2 belong 0x4E00000C Kompas drawing 12.0 SP1 >2 belong 0x4D00000C Kompas drawing 12.0 >2 belong 0x3200000B Kompas drawing 11.0 SP1 >2 belong 0x3100000B Kompas drawing 11.0 >2 belong 0x2310000A Kompas drawing 10.0 SP1 >2 belong 0x2110000A Kompas drawing 10.0 >2 belong 0x08000009 Kompas drawing 9.0 SP1 >2 belong 0x05000009 Kompas drawing 9.0 >2 belong 0x33010008 Kompas drawing 8+ >2 belong 0x1A000008 Kompas drawing 8.0 >2 belong 0x2C010107 Kompas drawing 7+ >2 belong 0x05000007 Kompas drawing 7.0 >2 belong 0x32000006 Kompas drawing 6+ >2 belong 0x09000006 Kompas drawing 6.0 >2 belong 0x5C009005 Kompas drawing 5.11R03 >2 belong 0x54009005 Kompas drawing 5.11R02 >2 belong 0x51009005 Kompas drawing 5.11R01 >2 belong 0x22009005 Kompas drawing 5.10R03 >2 belong 0x22009005 Kompas drawing 5.10R02 mar >2 belong 0x21009005 Kompas drawing 5.10R02 febr >2 belong 0x19009005 Kompas drawing 5.10R01 >2 belong 0xF4008005 Kompas drawing 5.9R01.003 >2 belong 0x1C008005 Kompas drawing 5.9R01.002 >2 belong 0x11008005 Kompas drawing 5.8R01.003 # CAD: file(1) magic for computer aided design files # Phillip Griffith <phillip dot griffith at gmail dot com> # AutoCAD magic taken from the Open Design Alliance's OpenDWG specifications. # 0 belong 0x08051700 Bentley/Intergraph MicroStation DGN cell library 0 belong 0x0809fe02 Bentley/Intergraph MicroStation DGN vector CAD 0 belong 0xc809fe02 Bentley/Intergraph MicroStation DGN vector CAD 0 beshort 0x0809 Bentley/Intergraph MicroStation >0x02 byte 0xfe >>0x04 beshort 0x1800 CIT raster CAD 0 string AC1012 AutoDesk AutoCAD R13 0 string AC1014 AutoDesk AutoCAD R14 0 string AC1015 AutoDesk AutoCAD R2000 # 3DS (3d Studio files) Conflicts with diff output 0x3d '=' #16 beshort 0x3d3d image/x-3ds #------------------------------------------------------------------------------ # $File: cafebabe,v 1.8 2009/09/19 16:28:08 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O fat-files have the same magic number, the test # must be performed in the same "magic" sequence to get both right. The long # at offset 4 in a mach-O fat file tells the number of architectures; the short at # offset 4 in a Java bytecode file is the JVM minor version and the # short at offset 6 is the JVM major version. Since there are only # only 18 labeled Mach-O architectures at current, and the first released # Java class format was version 43.0, we can safely choose any number # between 18 and 39 to test the number of architectures against # (and use as a hack). Let's not use 18, because the Mach-O people # might add another one or two as time goes by... # 0 belong 0xcafebabe !:mime application/x-java-applet >4 belong >30 compiled Java class data, >>6 beshort x version %d. >>4 beshort x \b%d # Which is which? #>>4 belong 0x032d (Java 1.0) #>>4 belong 0x032d (Java 1.1) >>4 belong 0x002e (Java 1.2) >>4 belong 0x002f (Java 1.3) >>4 belong 0x0030 (Java 1.4) >>4 belong 0x0031 (Java 1.5) >>4 belong 0x0032 (Java 1.6) >>4 belong 0x0033 (Java 1.7) >>4 belong 0x0034 (Java 1.8) 0 belong 0xcafebabe >4 belong 1 Mach-O fat file with 1 architecture >4 belong >1 >>4 belong <20 Mach-O fat file with %ld architectures 0 belong 0xcafed00d JAR compressed with pack200, >>5 byte x version %d. >>4 byte x \b%d !:mime application/x-java-pack200 #------------------------------------------------------------------------------ # $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From <steve@gracenote.com> # # This is the /etc/magic entry to decode datafiles as used by # CDDB-enabled CD player applications. # 0 search/1/w #\040xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------ # $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter <phdm@macqel.be> # File format is actually free, but many distributed files begin with `{title' # 0 string {title Chord text file # Type: PowerTab file format # URL: http://www.power-tab.net/ # From: Jelmer Vernooij <jelmer@samba.org> 0 string ptab\003\000 Power-Tab v3 Tablature File 0 string ptab\004\000 Power-Tab v4 Tablature File #------------------------------------------------------------------------------ # $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code # # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. 0 belong&0xffffff00 0x85011400 cisco IOS microcode >7 string >\0 for '%s' 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode >7 string >\0 for '%s' #------------------------------------------------------------------------------ # $File: citrus,v 1.4 2009/09/19 16:28:08 christos Exp $ # citrus locale declaration # 0 string RuneCT Citrus locale declaration for LC_CTYPE #------------------------------------------------------------------------------ # $File: clarion,v 1.4 2009/09/19 16:28:08 christos Exp $ # clarion: file(1) magic for # Clarion Personal/Professional Developer # (v2 and above) # From: Julien Blache <jb@jblache.org> # Database files # signature 0 leshort 0x3343 Clarion Developer (v2 and above) data file # attributes >2 leshort &0x0001 \b, locked >2 leshort &0x0004 \b, encrypted >2 leshort &0x0008 \b, memo file exists >2 leshort &0x0010 \b, compressed >2 leshort &0x0040 \b, read only # number of records >5 lelong x \b, %ld records # Memo files 0 leshort 0x334d Clarion Developer (v2 and above) memo data # Key/Index files # No magic? :( # Help files 0 leshort 0x49e0 Clarion Developer (v2 and above) help data #------------------------------------------------------------------------------ # $File: claris,v 1.5 2009/09/19 16:28:08 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" <aldomel@ix.netcom.com> # Claris Works a word processor, etc. # Version 3.0 # .pct claris works clip art files #0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 #* #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal 514 string \377\377\377\377\000 Claris clip art? >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. 514 string \377\377\377\377\001 Claris clip art? >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. # Claris works files # .cwk 0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document # .plt 0 string \020\341\000\000\010\010 Claris Works pallete files .plt # .msp a dictionary file I am not sure about this I have only one .msp file 0 string \002\271\262\000\040\002\000\164 Claris works dictionary # .usp are user dictionary bits # I am not sure about a magic header: #0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 # soh S p f 8 U D sp ^ S cr nl p o d i #0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 # a t r i s t sp ^ S cr nl d i v sp # # .mth Thesaurus # starts with \0 but no magic header # .chy Hyphenation file # I am not sure: 000 210 034 000 000 # other claris files #./windows/claris/useng.ndx: data #./windows/claris/xtndtran.l32: data #./windows/claris/xtndtran.lst: data #./windows/claris/clworks.lbl: data #./windows/claris/clworks.prf: data #./windows/claris/userd.spl: data #------------------------------------------------------------------------------ # $File: clipper,v 1.6 2009/09/19 16:28:08 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # # >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST # # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # # >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST # # as SVR3.1's "file" doesn't support anything of the "!074000,000000" # sort, nor does SunOS 4.x, so either it's something Intergraph added # in CLIX, or something AT&T added in SVR3.2 or later, or something # somebody else thought was a good idea; it's not documented in the # man page for this version of "magic", nor does it appear to be # implemented (at least not after I blew off the bogus code to turn # old-style "&"s into new-style "&"s, which just didn't work at all). # 0 short 0575 CLIPPER COFF executable (VAX #) >20 short 0407 (impure) >20 short 0410 (5.2 compatible) >20 short 0411 (pure) >20 short 0413 (demand paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %ld 0 short 0577 CLIPPER COFF executable >18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST >20 short 0407 (impure) >20 short 0410 (pure) >20 short 0411 (separate I&D) >20 short 0413 (paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %ld >48 long&01 01 alignment trap enabled >52 byte 1 -Ctnc >52 byte 2 -Ctsw >52 byte 3 -Ctpw >52 byte 4 -Ctcb >53 byte 1 -Cdnc >53 byte 2 -Cdsw >53 byte 3 -Cdpw >53 byte 4 -Cdcb >54 byte 1 -Csnc >54 byte 2 -Cssw >54 byte 3 -Cspw >54 byte 4 -Cscb 4 string pipe CLIPPER instruction trace 4 string prof CLIPPER instruction profile #------------------------------------------------------------------------------ # $File: commands,v 1.42 2011/12/05 23:14:02 rrt Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 0 string/wt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript # korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string/wt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript # # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) 0 string/wt #!\ /bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/ae Neil Brown's ae script text executable !:mime text/x-shellscript 0 string/wt #!\ /bin/nawk new awk script text executable !:mime text/x-nawk 0 string/wt #!\ /usr/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/wt #!\ /usr/local/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/wt #!\ /bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/local/bin/gawk GNU awk script text executable !:mime text/x-gawk # 0 string/wt #!\ /bin/awk awk script text executable !:mime text/x-awk 0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk 0 regex/4096 =^\\s{0,100}BEGIN\\s{0,100}[{] awk script text !:strength - 12 # AT&T Bell Labs' Plan 9 shell 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string/wt #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript # PHP scripts # Ulf Harnhammar <ulfh@update.uu.se> 0 search/1/c =<?php PHP script text !:mime text/x-php 0 search/1 =<?\n PHP script text !:mime text/x-php 0 search/1 =<?\r PHP script text !:mime text/x-php 0 search/1/w #!\ /usr/local/bin/php PHP script text executable !:mime text/x-php 0 search/1/w #!\ /usr/bin/php PHP script text executable !:mime text/x-php # Smarty compiled template, http://www.smarty.net/ # Elan Ruusamäe <glen@delfi.ee> 0 string =<?php\ /*\ Smarty\ version Smarty compiled template >24 regex [0-9.]+ \b, version %s !:mime text/x-php 0 string Zend\x00 PHP script Zend Optimizer data 0 string/t $! DCL command file # Type: Pdmenu # URL: http://packages.debian.org/pdmenu # From: Edward Betts <edward@debian.org> 0 string #!/usr/bin/pdmenu Pdmenu configuration file text #---------------------------------------------------------------------------- # $File: communications,v 1.5 2009/09/19 16:28:08 christos Exp $ # communication # TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3. # It is used for conformance testing of communication protocols. # Added by W. Borgert <debacle@debian.org>. 0 string $Suite TTCN Abstract Test Suite >&1 string $SuiteId >>&1 string >\n %s >&2 string $SuiteId >>&1 string >\n %s >&3 string $SuiteId >>&1 string >\n %s # MSC (message sequence charts) are a formal description technique, # described in ITU-T Z.120, mainly used for communication protocols. # Added by W. Borgert <debacle@debian.org>. 0 string mscdocument Message Sequence Chart (document) 0 string msc Message Sequence Chart (chart) 0 string submsc Message Sequence Chart (subchart) #------------------------------------------------------------------------------ # $File: compress,v 1.49 2011/12/07 22:04:27 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. # # Formats for various forms of compressed data # Formats for "compress" proper have been moved into "compress.c", # because it tries to uncompress it to figure out what's inside. # standard unix compress 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213 gzip compressed data !:mime application/x-gzip !:strength * 2 >2 byte <8 \b, reserved method >2 byte >8 \b, unknown method >3 byte &0x01 \b, ASCII >3 byte &0x02 \b, has CRC >3 byte &0x04 \b, extra field >3 byte&0xC =0x08 >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x04 \b, from VM/CMS >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte =0x07 \b, from MacOS >9 byte =0x08 \b, from Z-System >9 byte =0x09 \b, from CP/M >9 byte =0x0A \b, from TOPS/20 >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS >3 byte &0x10 \b, comment >3 byte &0x20 \b, encrypted >4 ledate >0 \b, last modified: %s >8 byte 2 \b, max compression >8 byte 4 \b, max speed # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # # This magic number is byte-order-independent. 0 short 0x1f1f old packed data !:mime application/octet-stream # XXX - why *two* entries for "compacted data", one of which is # byte-order independent, and one of which is byte-order dependent? # 0 short 0x1fff compacted data !:mime application/octet-stream # This string is valid for SunOS (BE) and a matching "short" is listed # in the Ultrix (LE) magic file. 0 string \377\037 compacted data !:mime application/octet-stream 0 short 0145405 huf output !:mime application/octet-stream # bzip2 0 string BZh bzip2 compressed data !:mime application/x-bzip2 >3 byte >47 \b, block size = %c00k # lzip 0 string LZIP lzip compressed data !:mime application/x-lzip >4 byte x \b, version: %d # squeeze and crunch # Michael Haardt <michael@cantor.informatik.rwth-aachen.de> 0 beshort 0x76FF squeezed data, >4 string x original name %s 0 beshort 0x76FE crunched data, >2 string x original name %s 0 beshort 0x76FD LZH compressed data, >2 string x original name %s # Freeze 0 string \037\237 frozen file 2.1 0 string \037\236 frozen file 1.0 (or gzip 0.5) # SCO compress -H (LZH) 0 string \037\240 SCO compress -H (LZH) data # European GSM 06.10 is a provisional standard for full-rate speech # transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse # excitation/long term prediction) coding at 13 kbit/s. # # There's only a magic nibble (4 bits); that nibble repeats every 33 # bytes. This isn't suited for use, but maybe we can use it someday. # # This will cause very short GSM files to be declared as data and # mismatches to be declared as data too! #0 byte&0xF0 0xd0 data #>33 byte&0xF0 0xd0 #>66 byte&0xF0 0xd0 #>99 byte&0xF0 0xd0 #>132 byte&0xF0 0xd0 GSM 06.10 compressed audio # bzip a block-sorting file compressor # by Julian Seward <sewardj@cs.man.ac.uk> and others # #0 string BZ bzip compressed data #>2 byte x \b, version: %c #>3 string =1 \b, compression block size 100k #>3 string =2 \b, compression block size 200k #>3 string =3 \b, compression block size 300k #>3 string =4 \b, compression block size 400k #>3 string =5 \b, compression block size 500k #>3 string =6 \b, compression block size 600k #>3 string =7 \b, compression block size 700k #>3 string =8 \b, compression block size 800k #>3 string =9 \b, compression block size 900k # lzop from <markus.oberhumer@jk.uni-linz.ac.at> 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, >>13 byte 1 LZO1X-1, >>13 byte 2 LZO1X-1(15), >>13 byte 3 LZO1X-999, ## >>22 bedate >0 last modified: %s, >>14 byte =0x00 os: MS-DOS >>14 byte =0x01 os: Amiga >>14 byte =0x02 os: VMS >>14 byte =0x03 os: Unix >>14 byte =0x05 os: Atari >>14 byte =0x06 os: OS/2 >>14 byte =0x07 os: MacOS >>14 byte =0x0A os: Tops/20 >>14 byte =0x0B os: WinNT >>14 byte =0x0E os: Win32 >9 beshort >0x0939 >>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x10 - version 1. >>9 byte&0xf0 =0x20 - version 2. >>9 beshort&0x0fff x \b%03x, >>15 byte 1 LZO1X-1, >>15 byte 2 LZO1X-1(15), >>15 byte 3 LZO1X-999, ## >>25 bedate >0 last modified: %s, >>17 byte =0x00 os: MS-DOS >>17 byte =0x01 os: Amiga >>17 byte =0x02 os: VMS >>17 byte =0x03 os: Unix >>17 byte =0x05 os: Atari >>17 byte =0x06 os: OS/2 >>17 byte =0x07 os: MacOS >>17 byte =0x0A os: Tops/20 >>17 byte =0x0B os: WinNT >>17 byte =0x0E os: Win32 # 4.3BSD-Quasijarus Strong Compression # http://minnie.tuhs.org/Quasijarus/compress.html 0 string \037\241 Quasijarus strong compressed data # From: Cory Dikkers <cdikkers@swbell.net> 0 string XPKF Amiga xpkf.library compressed data 0 string PP11 Power Packer 1.1 compressed data 0 string PP20 Power Packer 2.0 compressed data, >4 belong 0x09090909 fast compression >4 belong 0x090A0A0A mediocre compression >4 belong 0x090A0B0B good compression >4 belong 0x090A0C0C very good compression >4 belong 0x090A0C0D best compression # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # http://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7-zip archive data, >6 byte x version %d >7 byte x \b.%d !:mime application/x-7z-compressed # Type: LZMA 0 lelong&0xffffff =0x5d >12 leshort =0xff LZMA compressed data, >>5 lequad =0xffffffffffffffff streamed >>5 lequad !0xffffffffffffffff non-streamed, size %lld !:mime application/x-lzma # http://tukaani.org/xz/xz-file-format.txt 0 ustring \xFD7zXZ\x00 XZ compressed data !:mime application/x-xz # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data >4 byte x - version %d >5 byte x \b.%d !:mime application/x-lrzip # AFX compressed files (Wolfram Kleff) 2 string -afx- AFX compressed file data # Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) 0 string ArC\x01 FreeArc archive <http://freearc.org> # Type: DACT compressed files 0 long 0x444354C3 DACT compressed data >4 byte >-1 (version %i. >5 byte >-1 %i. >6 byte >-1 %i) >7 long >0 , original size: %i bytes >15 long >30 , block size: %i bytes #------------------------------------------------------------------------------ # $File: console,v 1.18 2010/09/20 19:19:17 rrt Exp $ # Console game magic # Toby Deshane <hac@shoelace.digivill.net> # ines: file(1) magic for Marat's iNES Nintendo Entertainment System # ROM dump format 0 string NES\032 iNES ROM dump, >4 byte x %dx16k PRG >5 byte x \b, %dx8k CHR >6 byte&0x01 =0x1 \b, [Vert.] >6 byte&0x01 =0x0 \b, [Horiz.] >6 byte&0x02 =0x2 \b, [SRAM] >6 byte&0x04 =0x4 \b, [Trainer] >6 byte&0x04 =0x8 \b, [4-Scr] #------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # 0x104 belong 0xCEED6666 Gameboy ROM: >0x134 string >\0 "%.16s" >0x146 byte 0x03 \b,[SGB] >0x147 byte 0x00 \b, [ROM ONLY] >0x147 byte 0x01 \b, [ROM+MBC1] >0x147 byte 0x02 \b, [ROM+MBC1+RAM] >0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT] >0x147 byte 0x05 \b, [ROM+MBC2] >0x147 byte 0x06 \b, [ROM+MBC2+BATTERY] >0x147 byte 0x08 \b, [ROM+RAM] >0x147 byte 0x09 \b, [ROM+RAM+BATTERY] >0x147 byte 0x0B \b, [ROM+MMM01] >0x147 byte 0x0C \b, [ROM+MMM01+SRAM] >0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT] >0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT] >0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT] >0x147 byte 0x11 \b, [ROM+MBC3] >0x147 byte 0x12 \b, [ROM+MBC3+RAM] >0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT] >0x147 byte 0x19 \b, [ROM+MBC5] >0x147 byte 0x1A \b, [ROM+MBC5+RAM] >0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT] >0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE] >0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM] >0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT] >0x147 byte 0x1F \b, [Pocket Camera] >0x147 byte 0xFD \b, [Bandai TAMA5] >0x147 byte 0xFE \b, [Hudson HuC-3] >0x147 byte 0xFF \b, [Hudson HuC-1] >0x148 byte 0 \b, ROM: 256Kbit >0x148 byte 1 \b, ROM: 512Kbit >0x148 byte 2 \b, ROM: 1Mbit >0x148 byte 3 \b, ROM: 2Mbit >0x148 byte 4 \b, ROM: 4Mbit >0x148 byte 5 \b, ROM: 8Mbit >0x148 byte 6 \b, ROM: 16Mbit >0x148 byte 0x52 \b, ROM: 9Mbit >0x148 byte 0x53 \b, ROM: 10Mbit >0x148 byte 0x54 \b, ROM: 12Mbit >0x149 byte 1 \b, RAM: 16Kbit >0x149 byte 2 \b, RAM: 64Kbit >0x149 byte 3 \b, RAM: 128Kbit >0x149 byte 4 \b, RAM: 1Mbit #>0x14e long x \b, CRC: %x #------------------------------------------------------------------------------ # genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format # 0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump >0x120 string >\0 Name: "%.16s" >0x110 string >\0 %.16s >0x1B0 string RA with SRAM #------------------------------------------------------------------------------ # genesis: file(1) magic for the Super MegaDrive ROM dump format # 0x280 string EAGN Super MagicDrive ROM dump >0 byte x %dx16k blocks >2 byte 0 \b, last in series or standalone >2 byte >0 \b, split ROM >8 byte 0xAA >9 byte 0xBB #------------------------------------------------------------------------------ # genesis: file(1) alternate magic for the Super MegaDrive ROM dump format # 0x280 string EAMG Super MagicDrive ROM dump >0 byte x %dx16k blocks >2 byte x \b, last in series or standalone >8 byte 0xAA >9 byte 0xBB #------------------------------------------------------------------------------ # smsgg: file(1) magic for Sega Master System and Game Gear ROM dumps # # Does not detect all images. Very preliminary guesswork. Need more data # on format. # # FIXME: need a little more info...;P # #0 byte 0xF3 #>1 byte 0xED Sega Master System/Game Gear ROM dump #>1 byte 0x31 Sega Master System/Game Gear ROM dump #>1 byte 0xDB Sega Master System/Game Gear ROM dump #>1 byte 0xAF Sega Master System/Game Gear ROM dump #>1 byte 0xC3 Sega Master System/Game Gear ROM dump #------------------------------------------------------------------------------ # dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format # 0 belong 0x21068028 Sega Dreamcast VMU game image 0 string LCDi Dream Animator file #------------------------------------------------------------------------------ # v64: file(1) uncertain magic for the V64 format N64 ROM dumps # 0 belong 0x37804012 V64 Nintendo 64 ROM dump # From: "Nelson A. de Oliveira" <naoliv@gmail.com> # Nintendo .nds 192 string \044\377\256Qi\232 Nintendo DS Game ROM Image # Nintendo .gba 0 string \056\000\000\352$\377\256Qi Nintendo Game Boy Advance ROM Image #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi #0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : 0 string PS-X\ EXE Sony Playstation executable # Area: >113 string x (%s) #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytiä <ehyytia@cc.hut.fi>) 0 string XBEH XBE, Microsoft Xbox executable # probabilistic checks whether signed or not >0x0004 ulelong =0x0 >>&2 ulelong =0x0 >>>&2 ulelong =0x0 \b, not signed >0x0004 ulelong >0 >>&2 ulelong >0 >>>&2 ulelong >0 \b, signed # expect base address of 0x10000 >0x0104 ulelong =0x10000 >>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions >>(0x0118-0x0FF60) ulelong&0x80000007 !0x80000007 >>>(0x0118-0x0FF60) ulelong >0 (regions: >>>>(0x0118-0x0FF60) ulelong &0x00000001 NA >>>>(0x0118-0x0FF60) ulelong &0x00000002 Japan >>>>(0x0118-0x0FF60) ulelong &0x00000004 Rest_of_World >>>>(0x0118-0x0FF60) ulelong &0x80000000 Manufacturer >>>(0x0118-0x0FF60) ulelong >0 \b) # -------------------------------- # Microsoft Xbox data file formats 0 string XIP0 XIP, Microsoft Xbox data 0 string XTF0 XTF, Microsoft Xbox data # Atari Lynx cartridge dump (EXE/BLL header) # From: "Stefan A. Haubenthal" <polluks@web.de> # Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. 0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge >>2 beshort x \b, RAM start $%04x >6 string LYNX Lynx cartridge >>2 beshort x \b, RAM start $%04x # Opera file system that is used on the 3DO console # From: Serge van den Boom <svdb@stack.nl> 0 string \x01ZZZZZ\x01 3DO "Opera" file system # From Gürkan Sengün <gurkan@linuks.mine.nu>, www.linuks.mine.nu 0 string GBS Nintendo Gameboy Music/Audio Data 12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module # Playstations Patch Files from: From: Thomas Klausner <tk@giga.or.at> 0 string PPF30 Playstation Patch File version 3.0 >5 byte 0 \b, PPF 1.0 patch >5 byte 1 \b, PPF 2.0 patch >5 byte 2 \b, PPF 3.0 patch >>56 byte 0 \b, Imagetype BIN (any) >>56 byte 1 \b, Imagetype GI (PrimoDVD) >>57 byte 0 \b, Blockcheck disabled >>57 byte 1 \b, Blockcheck enabled >>58 byte 0 \b, Undo data not available >>58 byte 1 \b, Undo data available >6 string x \b, description: %s 0 string PPF20 Playstation Patch File version 2.0 >5 byte 0 \b, PPF 1.0 patch >5 byte 1 \b, PPF 2.0 patch >>56 lelong >0 \b, size of file to patch %d >6 string x \b, description: %s 0 string PPF10 Playstation Patch File version 1.0 >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s # From: Daniel Dawson <ddawson@icehouse.net> # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording >0x4 lelong x \b, version %d # version 4 is latest so far >0x4 lelong <5 >>0x8 ledate x \b, recorded at %s >>0xc lelong >0 \b, rerecorded %d times >>0x10 lelong x \b, %d frames long >>0x14 byte >0 \b, data for controller(s): >>>0x14 byte &0x1 #1 >>>0x14 byte &0x2 #2 >>>0x14 byte &0x4 #3 >>>0x14 byte &0x8 #4 >>>0x14 byte &0x10 #5 >>0x15 byte ^0x1 \b, begins from snapshot >>0x15 byte &0x1 \b, begins from reset >>0x15 byte ^0x2 \b, NTSC standard >>0x15 byte &0x2 \b, PAL standard >>0x17 byte &0x1 \b, settings: # WIP1Timing not used as of version 4 >>>0x4 lelong <4 >>>>0x17 byte &0x2 WIP1Timing >>>0x17 byte &0x4 Left+Right >>>0x17 byte &0x8 VolumeEnvX >>>0x17 byte &0x10 FakeMute >>>0x17 byte &0x20 SyncSound # New flag as of version 4 >>>0x4 lelong >3 >>>>0x17 byte &0x80 NoCPUShutdown >>0x4 lelong <4 >>>0x18 lelong >0x23 >>>>0x20 leshort !0 >>>>>0x20 lestring16 x \b, metadata: "%s" >>0x4 lelong >3 >>>0x24 byte >0 \b, port 1: >>>>0x24 byte 1 joypad >>>>0x24 byte 2 mouse >>>>0x24 byte 3 SuperScope >>>>0x24 byte 4 Justifier >>>>0x24 byte 5 multitap >>>0x24 byte >0 \b, port 2: >>>>0x25 byte 1 joypad >>>>0x25 byte 2 mouse >>>>0x25 byte 3 SuperScope >>>>0x25 byte 4 Justifier >>>>0x25 byte 5 multitap >>>0x18 lelong >0x43 >>>>0x40 leshort !0 >>>>>0x40 lestring16 x \b, metadata: "%s" >>0x17 byte &0x40 \b, ROM: >>>(0x18.l-26) lelong x CRC32 0x%08x >>>(0x18.l-23) string x "%s" # Type: scummVM savegame files # From: Sven Hartge <debian@ds9.argh.org> 0 string SCVM ScummVM savegame >12 string >\0 "%s" #------------------------------------------------------------------------------ # $File: convex,v 1.7 2009/09/19 16:28:08 christos Exp $ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. # # /*\ # * Below are the magic numbers and tests added for Convex. # * Added at beginning, because they are expected to be used most. # \*/ 0 belong 0507 Convex old-style object >16 belong >0 not stripped 0 belong 0513 Convex old-style demand paged executable >16 belong >0 not stripped 0 belong 0515 Convex old-style pre-paged executable >16 belong >0 not stripped 0 belong 0517 Convex old-style pre-paged, non-swapped executable >16 belong >0 not stripped 0 belong 0x011257 Core file # # The following are a series of dump format magic numbers. Each one # corresponds to a drastically different dump format. The first on is # the original dump format on a 4.1 BSD or earlier file system. The # second marks the change between the 4.1 file system and the 4.2 file # system. The Third marks the changing of the block size from 1K # to 2K to be compatible with an IDC file system. The fourth indicates # a dump that is dependent on Convex Storage Manager, because data in # secondary storage is not physically contained within the dump. # The restore program uses these number to determine how the data is # to be extracted. # 24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) 24 belong =60014 dump format, Convex Storage Manager by-reference dump # # what follows is a bunch of bit-mask checks on the flags field of the opthdr. # If there is no `=' sign, assume just checking for whether the bit is set? # 0 belong 0601 Convex SOFF >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000001 demand paged >88 belong &0x00000002 pre-paged >88 belong &0x00000004 non-swapped >88 belong &0x00000008 POSIX # >84 belong &0x80000000 executable >84 belong &0x40000000 object >84 belong&0x20000000 =0 not stripped >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode # 0 belong 0605 Convex SOFF core # 0 belong 0607 Convex SOFF checkpoint >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000008 POSIX # >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode #------------------------------------------------------------------------------ # $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $ # cracklib: file (1) magic for cracklib v2.7 0 lelong 0x70775631 Cracklib password index, little endian >4 long >0 (%i words) >4 long 0 ("64-bit") >>8 long >-1 (%i words) 0 belong 0x70775631 Cracklib password index, big endian >4 belong >-1 (%i words) # really bellong 0x0000000070775631 0 search/1 \0\0\0\0pwV1 Cracklib password index, big endian ("64-bit") >12 belong >0 (%i words) # ---------------------------------------------------------------------------- # $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $ # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai <mai@migdal.ikp.physik.tu-darmstadt.de> 0 search/1 =!_TAG Exuberant Ctags tag file text #------------------------------------------------------------------------------ # $File: cups,v 1.1 2011/11/10 18:59:54 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli <martellilaurent@gmail.com> # http://www.cups.org/documentation.php/spec-raster.html # # Cups Raster image format, Big Endian 0 string RaS !:mime application/vnd.cups-raster >3 string t Cups Raster version 1, Big Endian >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian >280 belong x \b, %d >284 belong x \bx%d dpi >376 belong x \b, %dx >380 belong x \b%d pixels >388 belong x %d bits/color >392 belong x %d bits/pixel >400 belong 0 ColorOrder=Chunky >400 belong 1 ColorOrder=Banded >400 belong 2 ColorOrder=Planar >404 belong 0 ColorSpace=gray >404 belong 1 ColorSpace=RGB >404 belong 2 ColorSpace=RGBA >404 belong 3 ColorSpace=black >404 belong 4 ColorSpace=CMY >404 belong 5 ColorSpace=YMC >404 belong 6 ColorSpace=CMYK >404 belong 7 ColorSpace=YMCK >404 belong 8 ColorSpace=KCMY >404 belong 9 ColorSpace=KCMYcm >404 belong 10 ColorSpace=GMCK >404 belong 11 ColorSpace=GMCS >404 belong 12 ColorSpace=WHITE >404 belong 13 ColorSpace=GOLD >404 belong 14 ColorSpace=SILVER >404 belong 15 ColorSpace=CIE XYZ >404 belong 16 ColorSpace=CIE Lab >404 belong 17 ColorSpace=RGBW >404 belong 18 ColorSpace=sGray >404 belong 19 ColorSpace=sRGB >404 belong 20 ColorSpace=AdobeRGB # Cups Raster image format, Little Endian 1 string SaR >0 string t Cups Raster version 1, Little Endian >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian !:mime application/vnd.cups-raster >280 lelong x \b, %d >284 lelong x \bx%d dpi >376 lelong x \b, %dx >380 lelong x \b%d pixels >388 lelong x %d bits/color >392 lelong x %d bits/pixel >400 lelong 0 ColorOrder=Chunky >400 lelong 1 ColorOrder=Banded >400 lelong 2 ColorOrder=Planar >404 lelong 0 ColorSpace=gray >404 lelong 1 ColorSpace=RGB >404 lelong 2 ColorSpace=RGBA >404 lelong 3 ColorSpace=black >404 lelong 4 ColorSpace=CMY >404 lelong 5 ColorSpace=YMC >404 lelong 6 ColorSpace=CMYK >404 lelong 7 ColorSpace=YMCK >404 lelong 8 ColorSpace=KCMY >404 lelong 9 ColorSpace=KCMYcm >404 lelong 10 ColorSpace=GMCK >404 lelong 11 ColorSpace=GMCS >404 lelong 12 ColorSpace=WHITE >404 lelong 13 ColorSpace=GOLD >404 lelong 14 ColorSpace=SILVER >404 lelong 15 ColorSpace=CIE XYZ >404 lelong 16 ColorSpace=CIE Lab >404 lelong 17 ColorSpace=RGBW >404 lelong 18 ColorSpace=sGray >404 lelong 19 ColorSpace=sRGB >404 lelong 20 ColorSpace=AdobeRGB #------------------------------------------------------------------------------ # $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $ # dact: file(1) magic for DACT compressed files # 0 long 0x444354C3 DACT compressed data >4 byte >-1 (version %i. >5 byte >-1 $BS%i. >6 byte >-1 $BS%i) >7 long >0 $BS, original size: %i bytes >15 long >30 $BS, block size: %i bytes #------------------------------------------------------------------------------ # $File: database,v 1.28 2011/09/16 19:40:40 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # <downsj@teeny.org> 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian !:mime application/x-gdbm 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian !:mime application/x-gdbm 0 string GDBM GNU dbm 2.x database !:mime application/x-gdbm # # Berkeley DB # # Ian Darwin's file /etc/magic files: big/little-endian version. # # Hash 1.85/1.86 databases store metadata in network byte order. # Btree 1.85/1.86 databases store the metadata in host byte order. # Hash and Btree 2.X and later databases store the metadata in host byte order. 0 long 0x00061561 Berkeley DB !:mime application/x-dbm >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, little-endian) 0 belong 0x00061561 Berkeley DB >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, big-endian) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) 0 long 0x00053162 Berkeley DB 1.85/1.86 >4 long >0 (Btree, version %d, native byte-order) 0 belong 0x00053162 Berkeley DB 1.85/1.86 >4 belong >0 (Btree, version %d, big-endian) 0 lelong 0x00053162 Berkeley DB 1.85/1.86 >4 lelong >0 (Btree, version %d, little-endian) 12 long 0x00061561 Berkeley DB >16 long >0 (Hash, version %d, native byte-order) 12 belong 0x00061561 Berkeley DB >16 belong >0 (Hash, version %d, big-endian) 12 lelong 0x00061561 Berkeley DB >16 lelong >0 (Hash, version %d, little-endian) 12 long 0x00053162 Berkeley DB >16 long >0 (Btree, version %d, native byte-order) 12 belong 0x00053162 Berkeley DB >16 belong >0 (Btree, version %d, big-endian) 12 lelong 0x00053162 Berkeley DB >16 lelong >0 (Btree, version %d, little-endian) 12 long 0x00042253 Berkeley DB >16 long >0 (Queue, version %d, native byte-order) 12 belong 0x00042253 Berkeley DB >16 belong >0 (Queue, version %d, big-endian) 12 lelong 0x00042253 Berkeley DB >16 lelong >0 (Queue, version %d, little-endian) # From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) 12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian) # # # Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch> 0 string/b RRD\0 RRDTool DB >4 string/b x version %s #---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # 0 string root\0 ROOT file >4 belong x Version %d >33 belong x (Compression: %d) # XXX: Weak magic. # Alex Ott <ott@jet.msk.su> ## Paradox file formats #2 leshort 0x0800 Paradox #>0x39 byte 3 v. 3.0 #>0x39 byte 4 v. 3.5 #>0x39 byte 9 v. 4.x #>0x39 byte 10 v. 5.x #>0x39 byte 11 v. 5.x #>0x39 byte 12 v. 7.x #>>0x04 byte 0 indexed .DB data file #>>0x04 byte 1 primary index .PX file #>>0x04 byte 2 non-indexed .DB data file #>>0x04 byte 3 non-incrementing secondary index .Xnn file #>>0x04 byte 4 secondary index .Ynn file #>>0x04 byte 5 incrementing secondary index .Xnn file #>>0x04 byte 6 non-incrementing secondary index .XGn file #>>0x04 byte 7 secondary index .YGn file #>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files #0 byte 0x02 #>8 leshort >0 #>>12 leshort 0 FoxBase #!:mime application/x-dbf #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x03 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 FoxBase+, FoxPro, dBaseIII+, dBaseIV, no memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x04 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 dBASE IV no memo file #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x05 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 dBASE V no memo file #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x30 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 Visual FoxPro #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x43 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 FlagShip with memo var size #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x7b #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 dBASEIV with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x83 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 FoxBase+, dBaseIII+ with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x8b #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 dBaseIV with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x8e #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 dBaseIV with SQL Table #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0xb3 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 FlagShip with .dbt memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0xf5 #!:mime application/x-dbf #>8 leshort >0 #>>12 leshort 0 FoxPro with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 leshort 0x0006 DBase 3 index file # MS Access database 4 string Standard\ Jet\ DB Microsoft Access Database !:mime application/x-msaccess # TDB database from Samba et al - Martin Pool <mbp@samba.org> 0 string TDB\ file TDB database >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes # SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data # X11 Xauthority file (Wolfram Kleff) 10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data # From: Maxime Henrion <mux@FreeBSD.org> # PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org> 0 string PGDMP PostgreSQL custom database dump >5 byte x - v%d >6 byte x \b.%d >5 beshort <0x101 \b-0 >5 beshort >0x100 >>7 byte x \b-%d # Type: Advanced Data Format (ADF) database # URL: http://www.grc.nasa.gov/WWW/cgns/adf/ # From: Nicolas Chauvat <nicolas.chauvat@logilab.fr> 0 string @(#)ADF\ Database CGNS Advanced Data Format # Tokyo Cabinet magic data # http://tokyocabinet.sourceforge.net/index.html 0 string ToKyO\ CaBiNeT\n Tokyo Cabinet >14 string x \b (%s) >32 byte 0 \b, Hash !:mime application/x-tokyocabinet-hash >32 byte 1 \b, B+ tree !:mime application/x-tokyocabinet-btree >32 byte 2 \b, Fixed-length !:mime application/x-tokyocabinet-fixed >32 byte 3 \b, Table !:mime application/x-tokyocabinet-table >33 byte &1 \b, [open] >33 byte &2 \b, [fatal] >34 byte x \b, apow=%d >35 byte x \b, fpow=%d >36 byte &0x01 \b, [large] >36 byte &0x02 \b, [deflate] >36 byte &0x04 \b, [bzip] >36 byte &0x08 \b, [tcbs] >36 byte &0x10 \b, [excodec] >40 lequad x \b, bnum=%lld >48 lequad x \b, rnum=%lld >56 lequad x \b, fsiz=%lld # G-IR database made by gobject-introspect toolset, # http://live.gnome.org/GObjectIntrospection 0 string GOBJ\nMETADATA\r\n\032 G-IR binary database >16 byte x \b, v%d >17 byte x \b.%d >20 leshort x \b, %d entries >22 leshort x \b/%d local # Type: QDBM Quick Database Manager # From: Benoit Sibaud <bsibaud@april.org> 0 string \\[depot\\]\n\f Quick Database Manager, little endian 0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian # Type: TokyoCabinet database # URL: http://tokyocabinet.sourceforge.net/ # From: Benoit Sibaud <bsibaud@april.org> 0 string ToKyO\ CaBiNeT\n TokyoCabinet database >14 string x (version %s) # From: Stéphane Blondon http://www.yaal.fr # Database file for Zope (done by FileStorage) 0 string FS21 Zope Object Database File Storage (data) # Cache file for the database of Zope (done by ClientStorage) 0 string ZEC3 Zope Object Database Client Cache File (data) #------------------------------------------------------------------------------ # $File: diamond,v 1.7 2009/09/19 16:28:08 christos Exp $ # diamond: file(1) magic for Diamond system # # ... diamond is a multi-media mail and electronic conferencing system.... # # XXX - I think it was either renamed Slate, or replaced by Slate.... # # The full deal is too long... #0 string <list>\n<protocol\ bbn-multimedia-format> Diamond Multimedia Document 0 string =<list>\n<protocol\ bbn-m Diamond Multimedia Document #------------------------------------------------------------------------------ # $File: diff,v 1.12 2010/12/07 16:52:52 christos Exp $ # diff: file(1) magic for diff(1) output # 0 search/1 diff\ diff output text !:mime text/x-diff 0 search/1 ***\ diff output text !:mime text/x-diff 0 search/1 Only\ in\ diff output text !:mime text/x-diff 0 search/1 Common\ subdirectories:\ diff output text !:mime text/x-diff 0 search/1 Index: RCS/CVS diff output text !:mime text/x-diff # bsdiff: file(1) magic for bsdiff(1) output 0 string/t BSDIFF40 bsdiff(1) patch file # unified diff 0 search/4096 ---\ >&0 search/1024 \n >>&0 search/1 +++\ >>>&0 search/1024 \n >>>>&0 search/1 @@ unified diff output text !:mime text/x-diff !:strength + 90 #------------------------------------------------------------------------------ # $File: digital,v 1.10 2011/05/03 01:44:17 christos Exp $ # Digital UNIX - Info # 0 string =!<arch>\n________64E Alpha archive >22 string X -- out of date # 0 leshort 0603 >>24 leshort 0410 COFF format alpha pure >>24 leshort 0413 COFF format alpha demand paged >>>22 leshort&030000 !020000 executable >>>22 leshort&020000 !0 dynamically linked >>>16 lelong !0 not stripped >>>16 lelong 0 stripped >>>27 byte x - version %d >>>26 byte x \b.%d >>>28 byte x \b-%d >>24 leshort 0407 COFF format alpha object >>>22 leshort&030000 020000 shared library >>>27 byte x - version %d >>>26 byte x \b.%d >>>28 byte x \b-%d # Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk> # # The actual magic number is just "Core", followed by a 2-byte version # number; however, treating any file that begins with "Core" as a Digital # UNIX core dump file may produce too many false hits, so we include one # byte of the version number as well; DU 5.0 appears only to be up to # version 2. # 0 string Core\001 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' 0 string Core\002 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' # # The next is incomplete, we could tell more about this format, # but its not worth it. 0 leshort 0x188 Alpha compressed COFF 0 leshort 0x18f Alpha u-code object # # # Some other interesting Digital formats, 0 string \377\377\177 ddis/ddif 0 string \377\377\174 ddis/dots archive 0 string \377\377\176 ddis/dtif table data 0 string \033c\033 LN03 output 0 long 04553207 X image # 0 string =!<PDF>!\n profiling data file # # Locale data tables (MIPS and Alpha). # 0 short 0x0501 locale data table >6 short 0x24 for MIPS >6 short 0x40 for Alpha #------------------------------------------------------------------------------ # $File: dolby,v 1.5 2009/09/19 16:28:08 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital <ashitaka@gmx.at> # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! # # syncword 0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, # fscod >4 byte&0xc0 0x00 48 kHz, >4 byte&0xc0 0x40 44.1 kHz, >4 byte&0xc0 0x80 32 kHz, # is this one used for 96 kHz? >4 byte&0xc0 0xc0 reserved frequency, # >5 byte&7 = 0 \b, complete main (CM) >5 byte&7 = 1 \b, music and effects (ME) >5 byte&7 = 2 \b, visually impaired (VI) >5 byte&7 = 3 \b, hearing impaired (HI) >5 byte&7 = 4 \b, dialogue (D) >5 byte&7 = 5 \b, commentary (C) >5 byte&7 = 6 \b, emergency (E) # acmod >6 byte&0xe0 0x00 1+1 front, >6 byte&0xe0 0x20 1 front/0 rear, >6 byte&0xe0 0x40 2 front/0 rear, >6 byte&0xe0 0x60 3 front/0 rear, >6 byte&0xe0 0x80 2 front/1 rear, >6 byte&0xe0 0xa0 3 front/1 rear, >6 byte&0xe0 0xc0 2 front/2 rear, >6 byte&0xe0 0xe0 3 front/2 rear, # lfeon (these may be incorrect) >7 byte&0x40 0x00 LFE off, >7 byte&0x40 0x40 LFE on, # >4 byte&0x3e = 0x00 \b, 32 kbit/s >4 byte&0x3e = 0x02 \b, 40 kbit/s >4 byte&0x3e = 0x04 \b, 48 kbit/s >4 byte&0x3e = 0x06 \b, 56 kbit/s >4 byte&0x3e = 0x08 \b, 64 kbit/s >4 byte&0x3e = 0x0a \b, 80 kbit/s >4 byte&0x3e = 0x0c \b, 96 kbit/s >4 byte&0x3e = 0x0e \b, 112 kbit/s >4 byte&0x3e = 0x10 \b, 128 kbit/s >4 byte&0x3e = 0x12 \b, 160 kbit/s >4 byte&0x3e = 0x14 \b, 192 kbit/s >4 byte&0x3e = 0x16 \b, 224 kbit/s >4 byte&0x3e = 0x18 \b, 256 kbit/s >4 byte&0x3e = 0x1a \b, 320 kbit/s >4 byte&0x3e = 0x1c \b, 384 kbit/s >4 byte&0x3e = 0x1e \b, 448 kbit/s >4 byte&0x3e = 0x20 \b, 512 kbit/s >4 byte&0x3e = 0x22 \b, 576 kbit/s >4 byte&0x3e = 0x24 \b, 640 kbit/s # dsurmod (these may be incorrect) >6 beshort&0x0180 0x0000 Dolby Surround not indicated >6 beshort&0x0180 0x0080 not Dolby Surround encoded >6 beshort&0x0180 0x0100 Dolby Surround encoded >6 beshort&0x0180 0x0180 reserved Dolby Surround mode #------------------------------------------------------------------------------ # $File: dump,v 1.11 2009/09/19 16:28:09 christos Exp $ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. # 24 belong 60012 new-fs dump file (big endian), >4 bedate x Previous dump %s, >8 bedate x This dump %s, >12 belong >0 Volume %ld, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, >0 belong 2 beginning of file record, >0 belong 3 map of inodes on tape, >0 belong 4 continuation of file record, >0 belong 5 end of volume, >0 belong 6 map of inodes deleted, >0 belong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 belong >0 Flags %x 24 belong 60011 old-fs dump file (big endian), #>4 bedate x Previous dump %s, #>8 bedate x This dump %s, >12 belong >0 Volume %ld, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, >0 belong 2 beginning of file record, >0 belong 3 map of inodes on tape, >0 belong 4 continuation of file record, >0 belong 5 end of volume, >0 belong 6 map of inodes deleted, >0 belong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 belong >0 Flags %x 24 lelong 60012 new-fs dump file (little endian), >4 ledate x This dump %s, >8 ledate x Previous dump %s, >12 lelong >0 Volume %ld, >692 lelong 0 Level zero, type: >692 lelong >0 Level %d, type: >0 lelong 1 tape header, >0 lelong 2 beginning of file record, >0 lelong 3 map of inodes on tape, >0 lelong 4 continuation of file record, >0 lelong 5 end of volume, >0 lelong 6 map of inodes deleted, >0 lelong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 lelong >0 Flags %x 24 lelong 60011 old-fs dump file (little endian), #>4 ledate x Previous dump %s, #>8 ledate x This dump %s, >12 lelong >0 Volume %ld, >692 lelong 0 Level zero, type: >692 lelong >0 Level %d, type: >0 lelong 1 tape header, >0 lelong 2 beginning of file record, >0 lelong 3 map of inodes on tape, >0 lelong 4 continuation of file record, >0 lelong 5 end of volume, >0 lelong 6 map of inodes deleted, >0 lelong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 lelong >0 Flags %x 18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), >2 medate x Previous dump %s, >6 medate x This dump %s, >10 leshort >0 Volume %ld, >0 leshort 1 tape header. >0 leshort 2 beginning of file record. >0 leshort 3 map of inodes on tape. >0 leshort 4 continuation of file record. >0 leshort 5 end of volume. >0 leshort 6 map of inodes deleted. >0 leshort 7 end of medium (for floppy). 24 belong 0x19540119 new-fs dump file (ufs2, big endian), >896 beqdate x Previous dump %s, >904 beqdate x This dump %s, >12 belong >0 Volume %ld, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, >0 belong 2 beginning of file record, >0 belong 3 map of inodes on tape, >0 belong 4 continuation of file record, >0 belong 5 end of volume, >0 belong 6 map of inodes deleted, >0 belong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 belong >0 Flags %x 24 lelong 0x19540119 new-fs dump file (ufs2, little endian), >896 leqdate x This dump %s, >904 leqdate x Previous dump %s, >12 lelong >0 Volume %ld, >692 lelong 0 Level zero, type: >692 lelong >0 Level %d, type: >0 lelong 1 tape header, >0 lelong 2 beginning of file record, >0 lelong 3 map of inodes on tape, >0 lelong 4 continuation of file record, >0 lelong 5 end of volume, >0 lelong 6 map of inodes deleted, >0 lelong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 lelong >0 Flags %x #------------------------------------------------------------------------------ # $File: dyadic,v 1.5 2010/09/20 18:55:20 rrt Exp $ # Dyadic: file(1) magic for Dyalog APL. # 0 byte 0xaa >1 byte <4 Dyalog APL >>1 byte 0x00 incomplete workspace >>1 byte 0x01 component file >>1 byte 0x02 external variable >>1 byte 0x03 workspace >>2 byte x version %d >>3 byte x .%d 0 beshort 0xaa03 Dyalog APL >2 byte x workspace type %d >3 byte x subtype %d >7 byte&0x28 0x00 32-bit >7 byte&0x28 0x20 64-bit >7 byte&0x0c 0x00 classic >7 byte&0x0c 0x04 unicode >7 byte&0x88 0x00 big-endian >7 byte&0x88 0x80 little-endian 0 byte 0xaa Dyalog APL >1 byte 0x00 aplcore >1 byte 0x01 component file 32-bit non-journaled non-checksummed >1 byte 0x02 external variable exclusive >1 byte 0x06 external variable shared >1 byte 0x07 session >1 byte 0x08 mapped file 32-bit >1 byte 0x09 component file 64-bit non-journaled non-checksummed >1 byte 0x0a mapped file 64-bit >1 byte 0x0b component file 32-bit level 1 journaled non-checksummed >1 byte 0x0c component file 64-bit level 1 journaled non-checksummed >1 byte 0x0d component file 32-bit level 1 journaled checksummed >1 byte 0x0e component file 64-bit level 1 journaled checksummed >1 byte 0x0f component file 32-bit level 2 journaled checksummed >1 byte 0x10 component file 64-bit level 2 journaled checksummed >1 byte 0x11 component file 32-bit level 3 journaled checksummed >1 byte 0x12 component file 64-bit level 3 journaled checksummed >1 byte 0x13 component file 32-bit non-journaled checksummed >1 byte 0x14 component file 64-bit non-journaled checksummed >1 byte 0x80 DDB 0 short 0x6060 Dyalog APL transfer #------------------------------------------------------------------------------ # $File: ebml,v 1.1 2010/07/02 00:07:03 christos Exp $ # ebml: file(1) magic for various Extensible Binary Meta Language # http://www.matroska.org/technical/specs/index.html#track 0 belong 0x1a45dfa3 EBML file >4 search/b/100 \102\202 >>&1 string x \b, creator %.8s #------------------------------------------------------------------------------ # $File: editors,v 1.8 2009/09/19 16:28:09 christos Exp $ # T602 editor documents # by David Necas <yeti@physics.muni.cz> 0 string @CT\ T602 document data, >4 string 0 Kamenicky >4 string 1 CP 852 >4 string 2 KOI8-CS >4 string >2 unknown encoding # Vi IMproved Encrypted file # by David Necas <yeti@physics.muni.cz> 0 string VimCrypt~ Vim encrypted file data # Vi IMproved Swap file # by Sven Wegener <swegener@gentoo.org> 0 string b0VIM\ Vim swap file >&0 string >\0 \b, version %s #------------------------------------------------------------------------------ # $File: efi,v 1.4 2009/09/19 16:28:09 christos Exp $ # efi: file(1) magic for Universal EFI binaries 0 lelong 0x0ef1fab9 >4 lelong 1 Universal EFI binary with 1 architecture >>&0 lelong 7 \b, i386 >>&0 lelong 0x01000007 \b, x86_64 >4 lelong 2 Universal EFI binary with 2 architectures >>&0 lelong 7 \b, i386 >>&0 lelong 0x01000007 \b, x86_64 >>&20 lelong 7 \b, i386 >>&20 lelong 0x01000007 \b, x86_64 >4 lelong >2 Universal EFI binary with %ld architectures #------------------------------------------------------------------------------ # $File: elf,v 1.54 2011/12/17 17:16:29 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # Created by: unknown # Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) # Modified by (3): Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> (fix of core support) # Modified by (4): <gerardo.cacciari@gmail.com> (VMS Itanium) # Modified by (5): Matthias Urlichs <smurf@debian.org> (Listing of many architectures) 0 string \177ELF ELF >4 byte 0 invalid class >4 byte 1 32-bit >4 byte 2 64-bit >5 byte 0 invalid byte order >5 byte 1 LSB >>16 leshort 0 no file type, !:strength *2 !:mime application/octet-stream >>16 leshort 1 relocatable, !:mime application/x-object >>16 leshort 2 executable, !:mime application/x-executable >>16 leshort 3 shared object, !:mime application/x-sharedlib >>16 leshort 4 core file !:mime application/x-coredump # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort &0xff00 processor-specific, >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, >>18 leshort 3 Intel 80386, >>18 leshort 4 Motorola >>>36 lelong &0x01000000 68000 - invalid byte order, >>>36 lelong &0x00810000 CPU32 - invalid byte order, >>>36 lelong 0 68020 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 6 Intel 80486, >>18 leshort 7 Intel 80860, # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. >>18 leshort 8 MIPS, >>>36 lelong &0x20 N32 >>18 leshort 10 MIPS, >>>36 lelong &0x20 N32 >>18 leshort 8 # only for 32-bit >>>4 byte 1 >>>>36 lelong&0xf0000000 0x00000000 MIPS-I >>>>36 lelong&0xf0000000 0x10000000 MIPS-II >>>>36 lelong&0xf0000000 0x20000000 MIPS-III >>>>36 lelong&0xf0000000 0x30000000 MIPS-IV >>>>36 lelong&0xf0000000 0x40000000 MIPS-V >>>>36 lelong&0xf0000000 0x50000000 MIPS32 >>>>36 lelong&0xf0000000 0x60000000 MIPS64 >>>>36 lelong&0xf0000000 0x70000000 MIPS32 rel2 >>>>36 lelong&0xf0000000 0x80000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 lelong&0xf0000000 0x00000000 MIPS-I >>>>48 lelong&0xf0000000 0x10000000 MIPS-II >>>>48 lelong&0xf0000000 0x20000000 MIPS-III >>>>48 lelong&0xf0000000 0x30000000 MIPS-IV >>>>48 lelong&0xf0000000 0x40000000 MIPS-V >>>>48 lelong&0xf0000000 0x50000000 MIPS32 >>>>48 lelong&0xf0000000 0x60000000 MIPS64 >>>>48 lelong&0xf0000000 0x70000000 MIPS32 rel2 >>>>48 lelong&0xf0000000 0x80000000 MIPS64 rel2 >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS (deprecated), >>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 15 PA-RISC - invalid byte order, >>>50 leshort 0x0214 2.0 >>>48 leshort &0x0008 (LP64), >>18 leshort 16 nCUBE, >>18 leshort 17 Fujitsu VPP500, >>18 leshort 18 SPARC32PLUS, # only for 32-bit >>>4 byte 1 >>>>36 lelong&0xffff00 0x000100 V8+ Required, >>>>36 lelong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, >>>>36 lelong&0xffff00 0x000400 HaL R1 Extensions Required, >>>>36 lelong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, >>18 leshort 19 Intel 80960, >>18 leshort 20 PowerPC or cisco 4500, >>18 leshort 21 64-bit PowerPC or cisco 7500, >>18 leshort 22 IBM S/390, >>18 leshort 23 Cell SPU, >>18 leshort 24 cisco SVIP, >>18 leshort 25 cisco 7200, >>18 leshort 36 NEC V800 or cisco 12000, >>18 leshort 37 Fujitsu FR20, >>18 leshort 38 TRW RH-32, >>18 leshort 39 Motorola RCE, >>18 leshort 40 ARM, >>18 leshort 41 Alpha, >>18 leshort 0xa390 IBM S/390 (obsolete), >>18 leshort 42 Renesas SH, >>18 leshort 43 SPARC V9 - invalid byte order, >>18 leshort 44 Siemens Tricore Embedded Processor, >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort 46 Renesas H8/300, >>18 leshort 47 Renesas H8/300H, >>18 leshort 48 Renesas H8S, >>18 leshort 49 Renesas H8/500, >>18 leshort 50 IA-64, >>18 leshort 51 Stanford MIPS-X, >>18 leshort 52 Motorola Coldfire, >>18 leshort 53 Motorola M68HC12, >>18 leshort 54 Fujitsu MMA, >>18 leshort 55 Siemens PCP, >>18 leshort 56 Sony nCPU, >>18 leshort 57 Denso NDR1, >>18 leshort 58 Start*Core, >>18 leshort 59 Toyota ME16, >>18 leshort 60 ST100, >>18 leshort 61 Tinyj emb., >>18 leshort 62 x86-64, >>18 leshort 63 Sony DSP, >>18 leshort 66 FX66, >>18 leshort 67 ST9+ 8/16 bit, >>18 leshort 68 ST7 8 bit, >>18 leshort 69 MC68HC16, >>18 leshort 70 MC68HC11, >>18 leshort 71 MC68HC08, >>18 leshort 72 MC68HC05, >>18 leshort 73 SGI SVx, >>18 leshort 74 ST19 8 bit, >>18 leshort 75 Digital VAX, >>18 leshort 76 Axis cris, >>18 leshort 77 Infineon 32-bit embedded, >>18 leshort 78 Element 14 64-bit DSP, >>18 leshort 79 LSI Logic 16-bit DSP, >>18 leshort 80 MMIX, >>18 leshort 81 Harvard machine-independent, >>18 leshort 82 SiTera Prism, >>18 leshort 83 Atmel AVR 8-bit, >>18 leshort 84 Fujitsu FR30, >>18 leshort 85 Mitsubishi D10V, >>18 leshort 86 Mitsubishi D30V, >>18 leshort 87 NEC v850, >>18 leshort 88 Renesas M32R, >>18 leshort 89 Matsushita MN10300, >>18 leshort 90 Matsushita MN10200, >>18 leshort 91 picoJava, >>18 leshort 92 OpenRISC, >>18 leshort 93 ARC Cores Tangent-A5, >>18 leshort 94 Tensilica Xtensa, >>18 leshort 97 NatSemi 32k, >>18 leshort 106 Analog Devices Blackfin, >>18 leshort 113 Altera Nios II, >>18 leshort 174 META, >>18 leshort 183 ARM aarch64, >>18 leshort 187 Tilera TILE64, >>18 leshort 188 Tilera TILEPro, >>18 leshort 191 Tilera TILE-Gx, >>18 leshort 0x9026 Alpha (unofficial), >>20 lelong 0 invalid version >>20 lelong 1 version 1 >>36 lelong 1 MathCoPro/FPU/MAU Required >5 byte 2 MSB >>16 beshort 0 no file type, !:mime application/octet-stream >>16 beshort 1 relocatable, !:mime application/x-object >>16 beshort 2 executable, !:mime application/x-executable >>16 beshort 3 shared object, !:mime application/x-sharedlib >>16 beshort 4 core file, !:mime application/x-coredump #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) belong >0 (signal %d), >>16 beshort &0xff00 processor-specific, >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, >>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 4 Motorola >>>36 belong &0x01000000 68000, >>>36 belong &0x00810000 CPU32, >>>36 belong 0 68020, >>18 beshort 5 Motorola 88000, >>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 7 Intel 80860, # only for MIPS - see comment in little-endian section above. >>18 beshort 8 MIPS, >>>36 belong &0x20 N32 >>18 beshort 10 MIPS, >>>36 belong &0x20 N32 >>18 beshort 8 # only for 32-bit >>>4 byte 1 >>>>36 belong&0xf0000000 0x00000000 MIPS-I >>>>36 belong&0xf0000000 0x10000000 MIPS-II >>>>36 belong&0xf0000000 0x20000000 MIPS-III >>>>36 belong&0xf0000000 0x30000000 MIPS-IV >>>>36 belong&0xf0000000 0x40000000 MIPS-V >>>>36 belong&0xf0000000 0x50000000 MIPS32 >>>>36 belong&0xf0000000 0x60000000 MIPS64 >>>>36 belong&0xf0000000 0x70000000 MIPS32 rel2 >>>>36 belong&0xf0000000 0x80000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 belong&0xf0000000 0x00000000 MIPS-I >>>>48 belong&0xf0000000 0x10000000 MIPS-II >>>>48 belong&0xf0000000 0x20000000 MIPS-III >>>>48 belong&0xf0000000 0x30000000 MIPS-IV >>>>48 belong&0xf0000000 0x40000000 MIPS-V >>>>48 belong&0xf0000000 0x50000000 MIPS32 >>>>48 belong&0xf0000000 0x60000000 MIPS64 >>>>48 belong&0xf0000000 0x70000000 MIPS32 rel2 >>>>48 belong&0xf0000000 0x80000000 MIPS64 rel2 >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS (deprecated), >>18 beshort 11 RS6000, >>18 beshort 15 PA-RISC >>>50 beshort 0x0214 2.0 >>>48 beshort &0x0008 (LP64) >>18 beshort 16 nCUBE, >>18 beshort 17 Fujitsu VPP500, >>18 beshort 18 SPARC32PLUS, >>>36 belong&0xffff00 0x000100 V8+ Required, >>>36 belong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, >>>36 belong&0xffff00 0x000400 HaL R1 Extensions Required, >>>36 belong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 64-bit PowerPC or cisco 7500, >>18 beshort 22 IBM S/390, >>18 beshort 23 Cell SPU, >>18 beshort 24 cisco SVIP, >>18 beshort 25 cisco 7200, >>18 beshort 36 NEC V800 or cisco 12000, >>18 beshort 37 Fujitsu FR20, >>18 beshort 38 TRW RH-32, >>18 beshort 39 Motorola RCE, >>18 beshort 40 ARM, >>18 beshort 41 Alpha, >>18 beshort 42 Renesas SH, >>18 beshort 43 SPARC V9, >>>48 belong&0xffff00 0x000200 Sun UltraSPARC1 Extensions Required, >>>48 belong&0xffff00 0x000400 HaL R1 Extensions Required, >>>48 belong&0xffff00 0x000800 Sun UltraSPARC3 Extensions Required, >>>48 belong&0x3 0 total store ordering, >>>48 belong&0x3 1 partial store ordering, >>>48 belong&0x3 2 relaxed memory ordering, >>18 beshort 44 Siemens Tricore Embedded Processor, >>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 beshort 46 Renesas H8/300, >>18 beshort 47 Renesas H8/300H, >>18 beshort 48 Renesas H8S, >>18 beshort 49 Renesas H8/500, >>18 beshort 50 IA-64, >>18 beshort 51 Stanford MIPS-X, >>18 beshort 52 Motorola Coldfire, >>18 beshort 53 Motorola M68HC12, >>18 beshort 73 Cray NV1, >>18 beshort 75 Digital VAX, >>18 beshort 88 Renesas M32R, >>18 leshort 92 OpenRISC, >>18 leshort 0x3426 OpenRISC (obsolete), >>18 leshort 0x8472 OpenRISC (obsolete), >>18 beshort 94 Tensilica Xtensa, >>18 beshort 97 NatSemi 32k, >>18 beshort 187 Tilera TILE64, >>18 beshort 188 Tilera TILEPro, >>18 beshort 191 Tilera TILE-Gx, >>18 beshort 0x18ad AVR32 (unofficial), >>18 beshort 0x9026 Alpha (unofficial), >>18 beshort 0xa390 IBM S/390 (obsolete), >>20 belong 0 invalid version >>20 belong 1 version 1 >>36 belong 1 MathCoPro/FPU/MAU Required # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # like proper ELF, but extracting the string had bad results. >4 byte <0x80 >>8 string >\0 (%s) >8 string \0 >>7 byte 0 (SYSV) >>7 byte 1 (HP-UX) >>7 byte 2 (NetBSD) >>7 byte 3 (GNU/Linux) >>7 byte 4 (GNU/Hurd) >>7 byte 5 (86Open) >>7 byte 6 (Solaris) >>7 byte 7 (Monterey) >>7 byte 8 (IRIX) >>7 byte 9 (FreeBSD) >>7 byte 10 (Tru64) >>7 byte 11 (Novell Modesto) >>7 byte 12 (OpenBSD) >8 string \2 >>7 byte 13 (OpenVMS) >>7 byte 97 (ARM) >>7 byte 255 (embedded) #------------------------------------------------------------------------------ # $File: encore,v 1.6 2009/09/19 16:28:09 christos Exp $ # encore: file(1) magic for Encore machines # # XXX - needs to have the byte order specified (NS32K was little-endian, # dunno whether they run the 88K in little-endian mode or not). # 0 short 0x154 Encore >20 short 0x107 executable >20 short 0x108 pure executable >20 short 0x10b demand-paged executable >20 short 0x10f unsupported executable >12 long >0 not stripped >22 short >0 - version %ld >22 short 0 - #>4 date x stamp %s 0 short 0x155 Encore unsupported executable >12 long >0 not stripped >22 short >0 - version %ld >22 short 0 - #>4 date x stamp %s #------------------------------------------------------------------------------ # $File: epoc,v 1.7 2009/09/19 16:28:09 christos Exp $ # EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1] # Stefan Praszalowicz <hpicollo@worldnet.fr> and Peter Breitenlohner <peb@mppmu.mpg.de> # Useful information for improving this file can be found at: # http://software.frodo.looijaard.name/psiconv/formats/Index.html #------------------------------------------------------------------------------ 0 lelong 0x10000037 Psion Series 5 >4 lelong 0x10000039 font file >4 lelong 0x1000003A printer driver >4 lelong 0x1000003B clipboard >4 lelong 0x10000042 multi-bitmap image !:mime image/x-epoc-mbm >4 lelong 0x1000006A application information file >4 lelong 0x1000006D >>8 lelong 0x1000007D Sketch image !:mime image/x-epoc-sketch >>8 lelong 0x1000007E voice note >>8 lelong 0x1000007F Word file !:mime application/x-epoc-word >>8 lelong 0x10000085 OPL program (TextEd) !:mime application/x-epoc-opl >>8 lelong 0x10000088 Sheet file !:mime application/x-epoc-sheet >>8 lelong 0x100001C4 EasyFax initialisation file >4 lelong 0x10000073 OPO module !:mime application/x-epoc-opo >4 lelong 0x10000074 OPL application !:mime application/x-epoc-app >4 lelong 0x1000008A exported multi-bitmap image 0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image 0 lelong 0x10000050 Psion Series 5 >4 lelong 0x1000006D database >4 lelong 0x100000E4 ini file 0 lelong 0x10000079 Psion Series 5 binary: >4 lelong 0x00000000 DLL >4 lelong 0x10000049 comms hardware library >4 lelong 0x1000004A comms protocol library >4 lelong 0x1000005D OPX >4 lelong 0x1000006C application >4 lelong 0x1000008D DLL >4 lelong 0x100000AC logical device driver >4 lelong 0x100000AD physical device driver >4 lelong 0x100000E5 file transfer protocol >4 lelong 0x100000E5 file transfer protocol >4 lelong 0x10000140 printer definition >4 lelong 0x10000141 printer definition 0 lelong 0x1000007A Psion Series 5 executable #------------------------------------------------------------------------------ # $File: erlang,v 1.6 2010/09/20 19:19:17 rrt Exp $ # erlang: file(1) magic for Erlang JAM and BEAM files # URL: http://www.erlang.org/faq/x779.html#AEN812 # OTP R3-R4 0 string \0177BEAM! Old Erlang BEAM file >6 short >0 - version %d # OTP R5 and onwards 0 string FOR1 >8 string BEAM Erlang BEAM file # 4.2 version may have a copyright notice! 4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 79 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2 4 string 1.0\ Fri\ Feb\ 3\ 09:55:56\ MET\ 1995 Erlang JAM file - version 4.3 0 bequad 0x0000000000ABCDEF Erlang DETS file #------------------------------------------------------------------------------ # $File: esri,v 1.4 2009/09/19 16:28:09 christos Exp $ # ESRI Shapefile format (.shp .shx .dbf=DBaseIII) # Based on info from # <URL:http://www.esri.com/library/whitepapers/pdfs/shapefile.pdf> 0 belong 9994 ESRI Shapefile >4 belong =0 >8 belong =0 >12 belong =0 >16 belong =0 >20 belong =0 >28 lelong x version %d >24 belong x length %d >32 lelong =0 type Null Shape >32 lelong =1 type Point >32 lelong =3 type PolyLine >32 lelong =5 type Polygon >32 lelong =8 type MultiPoint >32 lelong =11 type PointZ >32 lelong =13 type PolyLineZ >32 lelong =15 type PolygonZ >32 lelong =18 type MultiPointZ >32 lelong =21 type PointM >32 lelong =23 type PolyLineM >32 lelong =25 type PolygonM >32 lelong =28 type MultiPointM >32 lelong =31 type MultiPatch #------------------------------------------------------------------------------ # $File: fcs,v 1.4 2009/09/19 16:28:09 christos Exp $ # fcs: file(1) magic for FCS (Flow Cytometry Standard) data files # From Roger Leigh <roger@whinlatter.uklinux.net> 0 string FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0 0 string FCS2.0 Flow Cytometry Standard (FCS) data, version 2.0 0 string FCS3.0 Flow Cytometry Standard (FCS) data, version 3.0 #------------------------------------------------------------------------------ # $File: filesystems,v 1.61 2011/01/10 14:01:10 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: 0774 beshort 0xdabe # modified by Joerg Jenderek, because original test # succeeds for Cabinet archive dao360.dl_ with negative blocks >0770 long >0 Sun disk label >>0 string x '%s >>>31 string >\0 \b%s >>>>63 string >\0 \b%s >>>>>95 string >\0 \b%s >>0 string x \b' >>0734 short >0 %d rpm, >>0736 short >0 %d phys cys, >>0740 short >0 %d alts/cyl, >>0746 short >0 %d interleave, >>0750 short >0 %d data cyls, >>0752 short >0 %d alt cyls, >>0754 short >0 %d heads/partition, >>0756 short >0 %d sectors/track, >>0764 long >0 start cyl %ld, >>0770 long x %ld blocks # Is there a boot block written 1 sector in? >512 belong&077777777 0600407 \b, boot block present # Joerg Jenderek: Smart Boot Manager backup file is 41 byte header + first sectors of disc # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file >9 string x \b, version %-5.5s >>14 string =_ >>>15 string x %-.1s >>>>16 string =_ \b. >>>>>17 string x \b%-.1s >>>>>>18 string =_ \b. >>>>>>>19 string x \b%-.1s >>>22 ubyte 0 >>>>21 ubyte x \b, from drive 0x%x >>>22 ubyte >0 >>>>21 string x \b, from drive %s # Joerg Jenderek # DOS Emulator image is 128 byte, null right padded header + harddisc image 0 string DOSEMU\0 >0x27E leshort 0xAA55 #offset is 128 >>19 ubyte 128 >>>(19.b-1) ubyte 0x0 DOS Emulator image >>>>7 ulelong >0 \b, %u heads >>>>11 ulelong >0 \b, %d sectors/track >>>>15 ulelong >0 \b, %d cylinders # updated by Joerg Jenderek at Sep 2007 # only for sector sizes with 512 or more Bytes 0x1FE leshort 0xAA55 x86 boot sector # to do also for sectors < than 512 Bytes and some other files, GRR #30 search/481 \x55\xAA x86 boot sector # not for BeOS floppy 1440k, MBRs #(11.s-2) uleshort 0xAA55 x86 boot sector >2 string OSBS \b, OS/BS MBR # J\xf6rg Jenderek <joerg dot jenderek at web dot de> >0x8C string Invalid\ partition\ table \b, MS-DOS MBR # dr-dos with some upper-, lowercase variants >0x9D string Invalid\ partition\ table$ >>181 string No\ Operating\ System$ >>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 >0x9D string Invalid\ partition\ table$ >>181 string No\ operating\ system$ >>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 >342 string Invalid\ partition\ table$ >>366 string No\ operating\ system$ >>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 >295 string NEWLDR\0 >>302 string Bad\ PT\ $ >>>310 string No\ OS\ $ >>>>317 string OS\ load\ err$ >>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r >>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ >>>>>>>387 string Copyright\ (c)\ 1984,1998 >>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) >0x10F string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 4.10.1998, 4.10.2222 >>0x1B8 ubelong >0 \b, Serial 0x%-.4x >0x8B string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 5.00 to 4.00.950 >271 string Invalid\ partition\ table\0 >>295 string Error\ loading\ operating\ system\0 >>>326 string Missing\ operating\ system\0 \b, mbr # >139 string Invalid\ partition\ table\0 >>163 string Error\ loading\ operating\ system\0 >>>194 string Missing\ operating\ system\0 \b, Microsoft Windows XP mbr # http://www.heise.de/ct/05/09/006/ page 184 #HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\DosDevices\?:=Serial4Bytes+8Bytes >>>>0x1B8 ulelong >0 \b,Serial 0x%-.4x >300 string Invalid\ partition\ table\0 >>324 string Error\ loading\ operating\ system\0 >>>355 string Missing\ operating\ system\0 \b, Microsoft Windows XP MBR #??>>>389 string Invalid\ system\ disk >>>>0x1B8 ulelong >0 \b, Serial 0x%-.4x >300 string Ung\201ltige\ Partitionstabelle #split string to avoid error: String too long >>328 string Fehler\ beim\ Laden\ >>>346 string des\ Betriebssystems >>>>366 string Betriebssystem\ nicht\ vorhanden \b, Microsoft Windows XP MBR (german) >>>>>0x1B8 ulelong >0 \b, Serial 0x%-.4x #>0x145 string Default:\ F \b, FREE-DOS MBR #>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR >0x145 search/7 Default:\ F \b, FREE-DOS MBR #>>313 string F0\ .\ .\ . #>>>322 string disk\ 1 #>>>>382 string FAT3 >64 string no\ active\ partition\ found >>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR # Ranish Partition Manager http://www.ranish.com/part/ >387 search/4 \0\ Error!\r >>378 search/7 Virus! >>>397 search/4 Booting\ >>>>408 search/4 HD1/\0 \b, Ranish MBR ( >>>>>416 string Writing\ changes... \b2.37 >>>>>>438 ubyte x \b,0x%x dots >>>>>>440 ubyte >0 \b,virus check >>>>>>441 ubyte >0 \b,partition %c #2.38,2.42,2.44 >>>>>416 string !Writing\ changes... \b >>>>>>418 ubyte 1 \bvirus check, >>>>>>419 ubyte x \b0x%x seconds >>>>>>420 ubyte&0x0F >0 \b,partition >>>>>>>420 ubyte&0x0F <5 \b %x >>>>>>>420 ubyte&0x0F 0Xf \b ask >>>>>420 ubyte x \b) # >271 string Operating\ system\ loading >>296 string error\r \b, SYSLINUX MBR (2.10) # http://www.acronis.de/ >362 string MBR\ Error\ \0\r >>376 string ress\ any\ key\ to\ >>>392 string boot\ from\ floppy...\0 \b, Acronis MBR # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ >309 string No\ bootable\ partition\ found\r >>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR >349 string No\ bootable\ partition\ found\r >>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR # bootloader, bootmanager >0x40 string SBML # label with 11 characters of FAT 12 bit filesystem >>43 string SMART\ BTMGR >>>430 string SBMK\ Bad!\r \b, Smart Boot Manager # OEM-ID not always "SBM" #>>>>3 strings SBM >>>>6 string >\0 \b, version %s >382 string XOSLLOADXCF \b, eXtended Operating System Loader >6 string LILO \b, LInux i386 boot LOader >>120 string LILO \b, version 22.3.4 SuSe >>172 string LILO \b, version 22.5.8 Debian # updated by Joerg Jenderek at Oct 2008 # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders >342 search/60 \0Geom\0 #>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 >>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader # 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 >>>>0x3E ubyte x \b, stage1 version 0x%x #If it is 0xFF, use a drive passed by BIOS >>>>0x40 ubyte <0xFF \b, boot drive 0x%x # in most case 0,1,0x2e for GRUB 0.5.95 >>>>0x41 ubyte >0 \b, LBA flag 0x%x >>>>0x42 uleshort <0x8000 \b, stage2 address 0x%x #>>>>0x42 uleshort =0x8000 \b, stage2 address 0x%x (usual) >>>>0x42 uleshort >0x8000 \b, stage2 address 0x%x #>>>>0x44 ulelong =1 \b, 1st sector stage2 0x%x (default) >>>>0x44 ulelong >1 \b, 1st sector stage2 0x%x >>>>0x48 uleshort <0x800 \b, stage2 segment 0x%x #>>>>0x48 uleshort =0x800 \b, stage2 segment 0x%x (usual) >>>>0x48 uleshort >0x800 \b, stage2 segment 0x%x >>>>402 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>394 string stage1 \b, GRUB version 0.5.95 >>>>382 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>376 string GRUB\ \0 \b, GRUB version 0.93 or 1.94 >>>>383 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>377 string GRUB\ \0 \b, GRUB version 0.94 >>>>385 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>379 string GRUB\ \0 \b, GRUB version 0.95 or 0.96 >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 #unkown version >>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>374 string GRUB\ \0 \b, GRUB version n.m # http://syslinux.zytor.com/ >478 string Boot\ failed\r >>495 string LDLINUX\ SYS \b, SYSLINUX bootloader (1.62) >480 string Boot\ failed\r >>495 string LDLINUX\ SYS \b, SYSLINUX bootloader (2.06 or 2.11) >484 string Boot\ error\r \b, SYSLINUX bootloader (3.11) >395 string chksum\0\ ERROR!\0 \b, Gujin bootloader # http://www.bcdwb.de/bcdw/index_e.htm >3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) # mbr partition table entries # OEM-ID does not contain MicroSoft,NEWLDR,DOS,SYSLINUX,or MTOOLs >3 string !MS >>3 string !SYSLINUX >>>3 string !MTOOL >>>>3 string !NEWLDR >>>>>5 string !DOS # not FAT (32 bit) >>>>>>82 string !FAT32 #not Linux kernel >>>>>>>514 string !HdrS #not BeOS >>>>>>>>422 string !Be\ Boot\ Loader # active flag 0 or 0x80 and type > 0 >>>>>>>>>446 ubyte <0x81 >>>>>>>>>>446 ubyte&0x7F 0 >>>>>>>>>>>450 ubyte >0 \b; partition 1: ID=0x%x >>>>>>>>>>>>446 ubyte 0x80 \b, active >>>>>>>>>>>>447 ubyte x \b, starthead %u #>>>>>>>>>>>>448 ubyte x \b, start C_S: 0x%x #>>>>>>>>>>>>448 ubeshort&1023 x \b, startcylinder? %d >>>>>>>>>>>>454 ulelong x \b, startsector %u >>>>>>>>>>>>458 ulelong x \b, %u sectors # >>>>>>>>>462 ubyte <0x81 >>>>>>>>>>462 ubyte&0x7F 0 >>>>>>>>>>>466 ubyte >0 \b; partition 2: ID=0x%x >>>>>>>>>>>>462 ubyte 0x80 \b, active >>>>>>>>>>>>463 ubyte x \b, starthead %u #>>>>>>>>>>>>464 ubyte x \b, start C_S: 0x%x #>>>>>>>>>>>>464 ubeshort&1023 x \b, startcylinder? %d >>>>>>>>>>>>470 ulelong x \b, startsector %u >>>>>>>>>>>>474 ulelong x \b, %u sectors # >>>>>>>>>478 ubyte <0x81 >>>>>>>>>>478 ubyte&0x7F 0 >>>>>>>>>>>482 ubyte >0 \b; partition 3: ID=0x%x >>>>>>>>>>>>478 ubyte 0x80 \b, active >>>>>>>>>>>>479 ubyte x \b, starthead %u #>>>>>>>>>>>>480 ubyte x \b, start C_S: 0x%x #>>>>>>>>>>>>481 ubyte x \b, start C2S: 0x%x #>>>>>>>>>>>>480 ubeshort&1023 x \b, startcylinder? %d >>>>>>>>>>>>486 ulelong x \b, startsector %u >>>>>>>>>>>>490 ulelong x \b, %u sectors # >>>>>>>>>494 ubyte <0x81 >>>>>>>>>>494 ubyte&0x7F 0 >>>>>>>>>>>498 ubyte >0 \b; partition 4: ID=0x%x >>>>>>>>>>>>494 ubyte 0x80 \b, active >>>>>>>>>>>>495 ubyte x \b, starthead %u #>>>>>>>>>>>>496 ubyte x \b, start C_S: 0x%x #>>>>>>>>>>>>496 ubeshort&1023 x \b, startcylinder? %d >>>>>>>>>>>>502 ulelong x \b, startsector %u >>>>>>>>>>>>506 ulelong x \b, %u sectors # mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 >442 string Non-system\ disk,\ >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader # DOS names like F11.SYS are 8 right space padded bytes+3 bytes >>>477 ubyte&0xDF >0 >>>>477 string x \b %-.3s >>>>>480 ubyte&0xDF >0 >>>>>>480 string x \b%-.5s >>>>485 ubyte&0xDF >0 >>>>>485 string x \b.%-.3s # >185 string FDBOOT\ Version\ >>204 string \rNo\ Systemdisk.\ >>>220 string Booting\ from\ harddisk.\n\r >>>245 string Cannot\ load\ from\ harddisk.\n\r >>>>273 string Insert\ Systemdisk\ >>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string >\0 \b, version %-3s >242 string Bootsector\ from\ C.H.\ Hochst\204 >>278 string No\ Systemdisk.\ >>>293 string Booting\ from\ harddisk.\n\r >>>441 string Cannot\ load\ from\ harddisk.\n\r >>>>469 string Insert\ Systemdisk\ >>>>>487 string and\ press\ any\ key.\n\r \b, WinImage harddisk Bootloader >>>>>>209 string >\0 \b, version %-4.4s >(1.b+2) ubyte 0xe >>(1.b+3) ubyte 0x1f >>>(1.b+4) ubyte 0xbe >>>>(1.b+5) ubyte 0x77 >>>>(1.b+6) ubyte 0x7c >>>>>(1.b+7) ubyte 0xac >>>>>>(1.b+8) ubyte 0x22 >>>>>>>(1.b+9) ubyte 0xc0 >>>>>>>>(1.b+10) ubyte 0x74 >>>>>>>>>(1.b+11) ubyte 0xb >>>>>>>>>>(1.b+12) ubyte 0x56 >>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display >214 string Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display #>>244 string from\ dosemu-freedos-*-bin.tgz\r #>>>170 string Sorry,\ could\ not\ load\ an\ #>>>>195 string operating\ system.\r\n # >103 string This\ is\ not\ a\ bootable\ disk.\ >>132 string Please\ insert\ a\ bootable\ >>>157 string floppy\ and\r\n >>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display # >66 string Solaris\ Boot\ Sector >>99 string Incomplete\ MDBoot\ load. >>>89 string Version \b, Sun Solaris Bootloader >>>>97 byte x version %c # >408 string OS/2\ !!\ SYS01475\r\0 >>429 string OS/2\ !!\ SYS02025\r\0 >>>450 string OS/2\ !!\ SYS02027\r\0 >>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader # >409 string OS/2\ !!\ SYS01475\r\0 >>430 string OS/2\ !!\ SYS02025\r\0 >>>451 string OS/2\ !!\ SYS02027\r\0 >>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader >112 string This\ disk\ is\ not\ bootable\r >>142 string If\ you\ wish\ to\ make\ it\ bootable >>>176 string run\ the\ DOS\ program\ SYS\ >>>200 string after\ the\r >>>>216 string system\ has\ been\ loaded\r\n >>>>>242 string Please\ insert\ a\ DOS\ diskette\ >>>>>271 string into\r\n\ the\ drive\ and\ >>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display # XP >430 string NTLDR\ is\ missing\xFF\r\n >>449 string Disk\ error\xFF\r\n >>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader # DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # >>>>371 ubyte >0x20 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # >430 string NTLDR\ nicht\ gefunden\xFF\r\n >>453 string Datentr\204gerfehler\xFF\r\n >>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # offset variant >>>>379 string \0 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s # >430 string NTLDR\ fehlt\xFF\r\n >>444 string Datentr\204gerfehler\xFF\r\n >>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # variant >>>>371 ubyte >0x20 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # >430 string NTLDR\ fehlt\xFF\r\n >>444 string Medienfehler\xFF\r\n >>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) >>>>371 ubyte >0x20 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # >430 string Datentr\204ger\ entfernen\xFF\r\n >>454 string Medienfehler\xFF\r\n >>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) >>>>379 string \0 >>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s >>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s >>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant >>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s >>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s >>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # #>3 string NTFS\ \ \ \ >389 string Fehler\ beim\ Lesen\ >>407 string des\ Datentr\204gers >>>426 string NTLDR\ fehlt >>>>440 string NTLDR\ ist\ komprimiert >>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) #>3 string NTFS\ \ \ \ >313 string A\ disk\ read\ error\ occurred.\r >>345 string A\ kernel\ file\ is\ missing\ >>>370 string from\ the\ disk.\r >>>>484 string NTLDR\ is\ compressed >>>>>429 string Insert\ a\ system\ diskette\ >>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS # DOS loader variants different languages,offsets >472 ubyte&0xDF >0 >>389 string Invalid\ system\ disk\xFF\r\n >>>411 string Disk\ I/O\ error >>>>428 string Replace\ the\ disk,\ and\ >>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader #IO.SYS >>>>>>472 ubyte&0xDF >0 >>>>>>>472 string x \b %-.2s >>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s >>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s >>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s >>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s >>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # >>390 string Invalid\ system\ disk\xFF\r\n >>>412 string Disk\ I/O\ error\xFF\r\n >>>>429 string Replace\ the\ disk,\ and\ >>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader >>388 string Ungueltiges\ System\ \xFF\r\n >>>410 string E/A-Fehler\ \ \ \ \xFF\r\n >>>>427 string Datentraeger\ wechseln\ und\ >>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) #WINBOOT.SYS only not spaces (0xDF) >>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.5s >>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>502 string x \b%-.1s >>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>503 string x \b%-.1s >>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>504 string x \b%-.1s >>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s >>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s >>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s >>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s >>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s >>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # >>390 string Ungueltiges\ System\ \xFF\r\n >>>412 string E/A-Fehler\ \ \ \ \xFF\r\n >>>>429 string Datentraeger\ wechseln\ und\ >>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) #WINBOOT.SYS only not spaces (0xDF) >>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.7s >>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>504 string x \b%-.1s >>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s >>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.6s >>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s >>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s >>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # >>389 string Ungueltiges\ System\ \xFF\r\n >>>411 string E/A-Fehler\ \ \ \ \xFF\r\n >>>>428 string Datentraeger\ wechseln\ und\ >>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) # DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes >>>>>>472 string x %-.2s >>>>>>>474 ubyte&0xDF >0 >>>>>>>>474 string x \b%-.5s >>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>479 string x \b%-.1s >>>>>>480 ubyte&0xDF >0 >>>>>>>480 string x \b.%-.3s >>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>483 string x \b%-.5s >>>>>>>488 ubyte&0xDF >0 >>>>>>>>488 string x \b%-.2s >>>>>>>>490 ubyte&0xDF >0 >>>>>>>>>490 string x \b%-.1s >>>>>>>491 ubyte&0xDF >0 >>>>>>>>491 string x \b.%-.3s >479 ubyte&0xDF >0 >>416 string Kein\ System\ oder\ >>>433 string Laufwerksfehler >>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) #IO.SYS >>>>>479 string x \b %-.2s >>>>>>481 ubyte&0xDF >0 >>>>>>>481 string x \b%-.6s >>>>>487 ubyte&0xDF >0 >>>>>>487 string x \b.%-.3s #MSDOS.SYS >>>>>>490 ubyte&0xDF >0 \b+ >>>>>>>490 string x \b%-.5s >>>>>>>>495 ubyte&0xDF >0 >>>>>>>>>495 string x \b%-.3s >>>>>>>498 ubyte&0xDF >0 >>>>>>>>498 string x \b.%-.3s # >376 search/41 Non-System\ disk\ or\ >>395 search/41 disk\ error\r >>>407 search/41 Replace\ and\ >>>>419 search/41 press\ \b, >>>>419 search/41 strike\ \b, old >>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader #449 Disk\ Boot\ failure\r MS 3.21 #466 Boot\ Failure\r MS 3.30 >>>>>468 search/18 \0 #IO.SYS,IBMBIO.COM >>>>>>&0 string x \b %-.2s >>>>>>>&-20 ubyte&0xDF >0 >>>>>>>>&-1 string x \b%-.4s >>>>>>>>>&-16 ubyte&0xDF >0 >>>>>>>>>>&-1 string x \b%-.2s >>>>>>&8 ubyte&0xDF >0 \b. >>>>>>>&-1 string x \b%-.3s #MSDOS.SYS,IBMDOS.COM >>>>>>&11 ubyte&0xDF >0 \b+ >>>>>>>&-1 string x \b%-.5s >>>>>>>>&-6 ubyte&0xDF >0 >>>>>>>>>&-1 string x \b%-.1s >>>>>>>>>>&-5 ubyte&0xDF >0 >>>>>>>>>>>&-1 string x \b%-.2s >>>>>>>&7 ubyte&0xDF >0 \b. >>>>>>>>&-1 string x \b%-.3s >441 string Cannot\ load\ from\ harddisk.\n\r >>469 string Insert\ Systemdisk\ >>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader #>43 string \224R-LOADER\ \ SYS =label >54 string SYS >>324 string VASKK >>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) # >98 string Press\ a\ key\ to\ retry\0\r >>120 string Cannot\ find\ file\ \0\r >>>139 string Disk\ read\ error\0\r >>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader #DRBIOS.SYS >>>>>44 ubyte&0xDF >0 >>>>>>44 string x \b %-.6s >>>>>>>50 ubyte&0xDF >0 >>>>>>>>50 string x \b%-.2s >>>>>>52 ubyte&0xDF >0 >>>>>>>52 string x \b.%-.3s # >70 string IBMBIO\ \ COM >>472 string Cannot\ load\ DOS!\ >>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader >>471 string Cannot\ load\ DOS\ >>487 string press\ key\ to\ retry \b, Open-DOS Bootloader #?? >444 string KERNEL\ \ SYS >>314 string BOOT\ error! \b, FREE-DOS Bootloader >499 string KERNEL\ \ SYS >>305 string BOOT\ err!\0 \b, Free-DOS Bootloader >449 string KERNEL\ \ SYS >>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader # >449 string Loading\ FreeDOS >>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # >331 string Error!.0 \b, FREE-DOS 1.0 bootloader # >125 string Loading\ FreeDOS...\r >>311 string BOOT\ error!\r \b, FREE-DOS bootloader >>>441 ubyte&0xDF >0 >>>>441 string x \b %-.6s >>>>>447 ubyte&0xDF >0 >>>>>>447 string x \b%-.1s >>>>>>>448 ubyte&0xDF >0 >>>>>>>>448 string x \b%-.1s >>>>449 ubyte&0xDF >0 >>>>>449 string x \b.%-.3s >124 string FreeDOS\0 >>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader # DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >336 string Error!\ >>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader >>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s >>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s >>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s >>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ # OEM-ID=Visopsys >478 ulelong 0 >>(1.b+326) string I/O\ Error\ reading\ >>>(1.b+344) string Visopsys\ loader\r >>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader # http://alexfru.chat.ru/epm.html#bootprog >494 ubyte >0x4D >>495 string >E >>>495 string <S #OEM-ID is not reliable >>>>3 string BootProg # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes >>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader >>>>>499 string x \b %-.1s >>>>>>500 ubyte&0xDF >0 >>>>>>>500 string x \b%-.1s >>>>>>>>501 ubyte&0xDF >0 >>>>>>>>>501 string x \b%-.1s >>>>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>>>502 string x \b%-.1s >>>>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>>>503 string x \b%-.1s >>>>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>>>504 string x \b%-.1s >>>>>>>>>>>>>>>>505 ubyte&0xDF >0 >>>>>>>>>>>>>>>>>505 string x \b%-.1s >>>>>>>>>>>>>>>>>>506 ubyte&0xDF >0 >>>>>>>>>>>>>>>>>>>506 string x \b%-.1s #name extension >>>>>507 ubyte&0xDF >0 \b. >>>>>>507 string x \b%-.1s >>>>>>>508 ubyte&0xDF >0 >>>>>>>>508 string x \b%-.1s >>>>>>>>>509 ubyte&0xDF >0 >>>>>>>>>>509 string x \b%-.1s #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. #If the boot sector fails to find needed program in the root directory, #it also hangs with another message ("NF"). >>>>>492 string RENF \b, FAT (12 bit) >>>>>495 string RENF \b, FAT (16 bit) # http://alexfru.chat.ru/epm.html#bootprog >494 ubyte >0x4D >>495 string >E >>>495 string <S #OEM-ID is not reliable >>>>3 string BootProg # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes >>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader >>>>>499 string x \b %-.1s >>>>>>500 ubyte&0xDF >0 >>>>>>>500 string x \b%-.1s >>>>>>>>501 ubyte&0xDF >0 >>>>>>>>>501 string x \b%-.1s >>>>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>>>502 string x \b%-.1s >>>>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>>>503 string x \b%-.1s >>>>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>>>504 string x \b%-.1s >>>>>>>>>>>>>>>>505 ubyte&0xDF >0 >>>>>>>>>>>>>>>>>505 string x \b%-.1s >>>>>>>>>>>>>>>>>>506 ubyte&0xDF >0 >>>>>>>>>>>>>>>>>>>506 string x \b%-.1s #name extension >>>>>507 ubyte&0xDF >0 \b. >>>>>>507 string x \b%-.1s >>>>>>>508 ubyte&0xDF >0 >>>>>>>>508 string x \b%-.1s >>>>>>>>>509 ubyte&0xDF >0 >>>>>>>>>>509 string x \b%-.1s #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. #If the boot sector fails to find needed program in the root directory, #it also hangs with another message ("NF"). >>>>>492 string RENF \b, FAT (12 bit) >>>>>495 string RENF \b, FAT (16 bit) # x86 bootloader end # updated by Joerg Jenderek at Sep 2007 >3 ubyte 0 #no active flag >>446 ubyte 0 # partition 1 not empty >>>450 ubyte >0 # partitions 3,4 empty >>>>482 ubyte 0 >>>>>498 ubyte 0 # partition 2 ID=0,5,15 >>>>>>466 ubyte <0x10 >>>>>>>466 ubyte 0x05 \b, extended partition table >>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) >>>>>>>466 ubyte 0x0 \b, extended partition table (last) # JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 # http://mirror.href.com/thestarman/asm/2bytejumps.htmm#FWD # older drives may use Near JuMP instruction E9 xx xx >0 lelong&0x009000EB 0x009000EB >0 lelong&0x000000E9 0x000000E9 # minimal short forward jump found 03cx?? # maximal short forward jump is 07fx >1 ubyte <0xff \b, code offset 0x%x # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 >>11 uleshort&0x000f x >>>11 uleshort <32769 >>>>11 uleshort >31 >>>>>21 ubyte&0xf0 0xF0 >>>>>>3 string >\0 \b, OEM-ID "%8.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC >>>>>>>8 string IHC \b cached by Windows 9M >>>>>>11 uleshort >512 \b, Bytes/sector %u #>>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual) >>>>>>11 uleshort <512 \b, Bytes/sector %u >>>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) >>>>>>14 uleshort >32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) #>>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) >>>>>>14 uleshort <1 \b, reserved sectors %u >>>>>>16 ubyte >2 \b, FATs %u #>>>>>>16 ubyte =2 \b, FATs %u (usual) >>>>>>16 ubyte =1 \b, FAT %u >>>>>>16 ubyte >0 >>>>>>17 uleshort >0 \b, root entries %u #>>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) >>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) >>>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) >>>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x >>>>>>22 uleshort >0 \b, sectors/FAT %u #>>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) >>>>>>26 ubyte >2 \b, heads %u #>>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>>26 ubyte =1 \b, heads %u #skip for Digital Research DOS (version 3.41) 1440 kB Bootdisk >>>>>>38 ubyte !0x70 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) >>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 specific >>>>>>82 string !FAT32 #>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>>36 ubyte !0x80 >>>>>>>>36 ubyte !0 \b, physical drive 0x%x >>>>>>>37 ubyte >0 \b, reserved 0x%x #>>>>>>>37 ubyte =0 \b, reserved 0x%x >>>>>>>38 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>>38 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>>38 ubyte =0x29 >>>>>>>>39 ulelong x \b, serial number 0x%x >>>>>>>>43 string <NO\ NAME \b, label: "%11.11s" >>>>>>>>43 string >NO\ NAME \b, label: "%11.11s" >>>>>>>>43 string =NO\ NAME \b, unlabeled >>>>>>>54 string FAT \b, FAT >>>>>>>>54 string FAT12 \b (12 bit) >>>>>>>>54 string FAT16 \b (16 bit) # FAT32 specific >>>>>>82 string FAT32 \b, FAT (32 bit) >>>>>>>36 ulelong x \b, sectors/FAT %u >>>>>>>40 uleshort >0 \b, extension flags %u #>>>>>>>40 uleshort =0 \b, extension flags %u >>>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>>42 uleshort =0 \b, fsVersion %u (usual) >>>>>>>44 ulelong >2 \b, rootdir cluster %u #>>>>>>>44 ulelong =2 \b, rootdir cluster %u #>>>>>>>44 ulelong =1 \b, rootdir cluster %u >>>>>>>48 uleshort >1 \b, infoSector %u #>>>>>>>48 uleshort =1 \b, infoSector %u (usual) >>>>>>>48 uleshort <1 \b, infoSector %u >>>>>>>50 uleshort >6 \b, Backup boot sector %u #>>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) >>>>>>>50 uleshort <6 \b, Backup boot sector %u >>>>>>>54 ulelong >0 \b, reserved1 0x%x >>>>>>>58 ulelong >0 \b, reserved2 0x%x >>>>>>>62 ulelong >0 \b, reserved3 0x%x # same structure as FAT1X >>>>>>>64 ubyte >0x80 \b, physical drive 0x%x #>>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) >>>>>>>64 ubyte&0x7F >0 \b, physical drive 0x%x #>>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>>65 ubyte >0 \b, reserved 0x%x >>>>>>>66 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>>66 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>>66 ubyte =0x29 >>>>>>>>67 ulelong x \b, serial number 0x%x >>>>>>>>71 string <NO\ NAME \b, label: "%11.11s" >>>>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>>71 string =NO\ NAME \b, unlabeled ### FATs end >0x200 lelong 0x82564557 \b, BSD disklabel # FATX 0 string FATX FATX filesystem data # Minix filesystems - Juan Cespedes <cespedes@debian.org> 0x410 leshort 0x137f !:strength / 2 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V1, %d zones >0x1e string minix \b, bootable 0x410 beshort 0x137f !:strength / 2 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V1 (big endian), %d zones >0x1e string minix \b, bootable 0x410 leshort 0x138f !:strength / 2 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V1, 30 char names, %d zones >0x1e string minix \b, bootable 0x410 beshort 0x138f !:strength / 2 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V1, 30 char names (big endian), %d zones >0x1e string minix \b, bootable 0x410 leshort 0x2468 >0x402 beshort < 100 >>0x402 beshort > -1 Minix filesystem, V2, %d zones >0x1e string minix \b, bootable 0x410 beshort 0x2468 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V2 (big endian), %d zones >0x1e string minix \b, bootable 0x410 leshort 0x2478 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V2, 30 char names, %d zones >0x1e string minix \b, bootable 0x410 leshort 0x2478 >0x402 beshort < 100 >0x402 beshort > -1 Minix filesystem, V2, 30 char names, %d zones >0x1e string minix \b, bootable 0x410 beshort 0x2478 >0x402 beshort !0 Minix filesystem, V2, 30 char names (big endian), %d zones >0x1e string minix \b, bootable 0x410 leshort 0x4d5a >0x402 beshort !0 Minix filesystem, V3, %d zones >0x1e string minix \b, bootable # romfs filesystems - Juan Cespedes <cespedes@debian.org> 0 string -rom1fs- romfs filesystem, version 1 >8 belong x %d bytes, >16 string x named %s. # netboot image - Juan Cespedes <cespedes@debian.org> 0 lelong 0x1b031336L Netboot image, >4 lelong&0xFFFFFF00 0 >>4 lelong&0x100 0x000 mode 2 >>4 lelong&0x100 0x100 mode 3 >4 lelong&0xFFFFFF00 !0 unknown mode 0x18b string OS/2 OS/2 Boot Manager # updated by Joerg Jenderek at Oct 2008!! # http://syslinux.zytor.com/iso.php 0 ulelong 0x7c40eafa isolinux Loader # http://syslinux.zytor.com/pxe.php 0 ulelong 0x007c05ea pxelinux Loader 0 ulelong 0x60669c66 pxelinux Loader # added by Joerg Jenderek # In the second sector (+0x200) are variables according to grub-0.97/stage2/asm.S or # grub-1.94/kern/i386/pc/startup.S # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders 0x200 uleshort 0x70EA # found only version 3.{1,2} >0x206 ubeshort >0x0300 # GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00" >>0x212 ubyte >0x29 >>>0x213 ubyte >0x29 # not iso9660_stage1_5 #>>>0 ulelong&0x00BE5652 0x00BE5652 >>>>0x213 ubyte >0x29 GRand Unified Bootloader # config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2" >>>>0x217 ubyte 0xFF stage1_5 >>>>0x217 ubyte <0xFF stage2 >>>>0x206 ubyte x \b version %u >>>>0x207 ubyte x \b.%u # module_size for 1.94 >>>>0x208 ulelong <0xffffff \b, installed partition %u #>>>>0x208 ulelong =0xffffff \b, %u (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial >>>>0x20C ulelong&0x2E300000 0x2E300000 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs >>>>>0x20C ubyte x \b, identifier 0x%x #>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default) >>>>>0x20D ubyte >0 \b, LBA flag 0x%x # GRUB version as string >>>>>0x20E string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default >>>>>>0x215 ulong 0xffffffff >>>>>>>0x219 string >\0 \b, configuration file %-s >>>>>>0x215 ulong !0xffffffff >>>>>>>0x215 string >\0 \b, configuration file %-s # newer GRUB versions >>>>0x20C ulelong&0x2E300000 !0x2E300000 ##>>>>>0x20C ulelong =0 \b, saved entry %d (usual) >>>>>0x20C ulelong >0 \b, saved entry %d # for 1.94 contains kernel image size # for 0.93,0.94,0.96,0.97 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 >>>>>0x210 ubyte x \b, identifier 0x%x # The flag for LBA forcing is in most cases 0 #>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default) >>>>>0x211 ubyte >0 \b, LBA flag 0x%x # GRUB version as string >>>>>0x212 string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default >>>>>0x217 ulong 0xffffffff >>>>>>0x21b string >\0 \b, configuration file %-s >>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, >8401 byte x clean flag %d, >8228 lelong x number of blocks %d, >8232 lelong x number of data blocks %d, >8236 lelong x number of cylinder groups %d, >8240 lelong x block size %d, >8244 lelong x fragment size %d, >8252 lelong x minimum percentage of free blocks %d, >8256 lelong x rotational delay %dms, >8260 lelong x disk rotational speed %drps, >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization 42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 leqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 lequad x number of blocks %lld, >&-288 lequad x number of data blocks %lld, >&-1332 lelong x number of cylinder groups %d, >&-1328 lelong x block size %d, >&-1324 lelong x fragment size %d, >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, >&-264 lelong x pending inodes to free %ld, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization >&-1248 lelong 1 SPACE optimization 66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 leqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 lequad x number of blocks %lld, >&-288 lequad x number of data blocks %lld, >&-1332 lelong x number of cylinder groups %d, >&-1328 lelong x block size %d, >&-1324 lelong x fragment size %d, >&-180 lelong x average file size %d, >&-176 lelong x average number of files in dir %d, >&-272 lequad x pending blocks to free %lld, >&-264 lelong x pending inodes to free %ld, >&-664 lequad x system-wide uuid %0llx, >&-1316 lelong x minimum percentage of free blocks %d, >&-1248 lelong 0 TIME optimization >&-1248 lelong 1 SPACE optimization 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), >7168 belong 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, >8404 string x last mounted on %s, #>9504 bedate x last checked at %s, >8224 bedate x last written at %s, >8401 byte x clean flag %d, >8228 belong x number of blocks %d, >8232 belong x number of data blocks %d, >8236 belong x number of cylinder groups %d, >8240 belong x block size %d, >8244 belong x fragment size %d, >8252 belong x minimum percentage of free blocks %d, >8256 belong x rotational delay %dms, >8260 belong x disk rotational speed %drps, >8320 belong 0 TIME optimization >8320 belong 1 SPACE optimization 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 beqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 bequad x number of blocks %lld, >&-288 bequad x number of data blocks %lld, >&-1332 belong x number of cylinder groups %d, >&-1328 belong x block size %d, >&-1324 belong x fragment size %d, >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, >&-264 belong x pending inodes to free %ld, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization >&-1248 belong 1 SPACE optimization 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) >&-1164 string x last mounted on %s, >&-696 string >\0 volume name %s, >&-304 beqldate x last written at %s, >&-1167 byte x clean flag %d, >&-1168 byte x readonly flag %d, >&-296 bequad x number of blocks %lld, >&-288 bequad x number of data blocks %lld, >&-1332 belong x number of cylinder groups %d, >&-1328 belong x block size %d, >&-1324 belong x fragment size %d, >&-180 belong x average file size %d, >&-176 belong x average number of files in dir %d, >&-272 bequad x pending blocks to free %lld, >&-264 belong x pending inodes to free %ld, >&-664 bequad x system-wide uuid %0llx, >&-1316 belong x minimum percentage of free blocks %d, >&-1248 belong 0 TIME optimization >&-1248 belong 1 SPACE optimization # ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca> # ext4 filesystem - Eric Sandeen <sandeen@sandeen.net> # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 0x438 leshort 0xEF53 Linux >0x44c lelong x rev %d >0x43e leshort x \b.%d # No journal? ext2 >0x45c lelong ^0x0000004 ext2 filesystem data >>0x43a leshort ^0x0000001 (mounted or unclean) # Has a journal? ext3 or ext4 >0x45c lelong &0x0000004 # and small INCOMPAT? >>0x460 lelong <0x0000040 # and small RO_COMPAT? >>>0x464 lelong <0x0000008 ext3 filesystem data # else large RO_COMPAT? >>>0x464 lelong >0x0000007 ext4 filesystem data # else large INCOMPAT? >>0x460 lelong >0x000003f ext4 filesystem data >0x468 belong x \b, UUID=%08x >0x46c beshort x \b-%04x >0x46e beshort x \b-%04x >0x470 beshort x \b-%04x >0x472 belong x \b-%08x >0x476 beshort x \b%04x >0x478 string >0 \b, volume name "%s" # General flags for any ext* fs >0x460 lelong &0x0000004 (needs journal recovery) >0x43a leshort &0x0000002 (errors) # INCOMPAT flags >0x460 lelong &0x0000001 (compressed) #>0x460 lelong &0x0000002 (filetype) #>0x460 lelong &0x0000010 (meta bg) >0x460 lelong &0x0000040 (extents) >0x460 lelong &0x0000080 (64bit) #>0x460 lelong &0x0000100 (mmp) #>0x460 lelong &0x0000200 (flex bg) # RO_INCOMPAT flags #>0x464 lelong &0x0000001 (sparse super) >0x464 lelong &0x0000002 (large files) >0x464 lelong &0x0000008 (huge files) #>0x464 lelong &0x0000010 (gdt checksum) #>0x464 lelong &0x0000020 (many subdirs) #>0x463 lelong &0x0000040 (extra isize) # SGI disk labels - Nathan Scott <nathans@debian.org> 0 belong 0x0BE5A941 SGI disk label (volume header) # SGI XFS filesystem - Nathan Scott <nathans@debian.org> 0 belong 0x58465342 SGI XFS filesystem data >0x4 belong x (blksz %d, >0x68 beshort x inosz %d, >0x64 beshort ^0x2004 v1 dirs) >0x64 beshort &0x2004 v2 dirs) ############################################################################ # Minix-ST kernel floppy 0x800 belong 0x46fc2700 Atari-ST Minix kernel image >19 string \240\5\371\5\0\011\0\2\0 \b, 720k floppy >19 string \320\2\370\5\0\011\0\1\0 \b, 360k floppy ############################################################################ # Hmmm, is this a better way of detecting _standard_ floppy images ? 19 string \320\2\360\3\0\011\0\1\0 DOS floppy 360k >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \240\5\371\3\0\011\0\2\0 DOS floppy 720k >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \240\5\371\5\0\011\0\2\0 DOS floppy 720k, IBM >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \100\013\371\5\0\011\0\2\0 DOS floppy 1440k, mkdosfs >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \320\2\370\5\0\011\0\1\0 Atari-ST floppy 360k 19 string \240\5\371\5\0\011\0\2\0 Atari-ST floppy 720k # Valid media descriptor bytes for MS-DOS: # # Byte Capacity Media Size and Type # ------------------------------------------------- # # F0 2.88 MB 3.5-inch, 2-sided, 36-sector # F0 1.44 MB 3.5-inch, 2-sided, 18-sector # F9 720K 3.5-inch, 2-sided, 9-sector # F9 1.2 MB 5.25-inch, 2-sided, 15-sector # FD 360K 5.25-inch, 2-sided, 9-sector # FF 320K 5.25-inch, 2-sided, 8-sector # FC 180K 5.25-inch, 1-sided, 9-sector # FE 160K 5.25-inch, 1-sided, 8-sector # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density # F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # # Originally a bitmap: # xxxxxxx0 Not two sided # xxxxxxx1 Double sided # xxxxxx0x Not 8 SPT # xxxxxx1x 8 SPT # xxxxx0xx Not Removable drive # xxxxx1xx Removable drive # 11111xxx Must be one. # # But now it's rather random: # 111111xx Low density disk # 00 SS, Not 8 SPT # 01 DS, Not 8 SPT # 10 SS, 8 SPT # 11 DS, 8 SPT # # 11111001 Double density 3� floppy disk, high density 5� # 11110000 High density 3� floppy disk # 11111000 Hard disk any format # # CDROM Filesystems # Modified for UDF by gerardo.cacciari@gmail.com 32769 string CD001 # !:mime application/x-iso9660-image >38913 string !NSR0 ISO 9660 CD-ROM filesystem data >38913 string NSR0 UDF filesystem data >>38917 string 1 (version 1.0) >>38917 string 2 (version 1.5) >>38917 string 3 (version 2.0) >>38917 byte >0x33 (unknown version, ID 0x%X) >>38917 byte <0x31 (unknown version, ID 0x%X) # "application id" which appears to be used as a volume label >32808 string/T >\0 '%s' >34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) !:mime application/x-iso9660-image 32776 string CDROM High Sierra CD-ROM filesystem data # .cso files 0 string CISO Compressed ISO CD image # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian >4 lelong x size %lu >8 lelong &1 version #2 >8 lelong &2 sorted_dirs >8 lelong &4 hole_support >32 lelong x CRC 0x%x, >36 lelong x edition %lu, >40 lelong x %lu blocks, >44 lelong x %lu files 0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian >4 belong x size %lu >8 belong &1 version #2 >8 belong &2 sorted_dirs >8 belong &4 hole_support >32 belong x CRC 0x%x, >36 belong x edition %lu, >40 belong x %lu blocks, >44 belong x %lu files # reiserfs - russell@coker.com.au 0x10034 string ReIsErFs ReiserFS V3.5 0x10034 string ReIsEr2Fs ReiserFS V3.6 0x10034 string ReIsEr3Fs ReiserFS V3.6.19 >0x1002c leshort x block size %d >0x10032 leshort &2 (mounted or unclean) >0x10000 lelong x num blocks %d >0x10040 lelong 1 tea hash >0x10040 lelong 2 yura hash >0x10040 lelong 3 r5 hash # EST flat binary format (which isn't, but anyway) # From: Mark Brown <broonie@sirena.org.uk> 0 string ESTFBINR EST flat binary # Aculab VoIP firmware # From: Mark Brown <broonie@sirena.org.uk> 0 string VoIP\ Startup\ and Aculab VoIP firmware >35 string x format %s # From: Mark Brown <broonie@sirena.org.uk> [old] # From: Behan Webster <behanw@websterwood.com> 0 belong 0x27051956 u-boot legacy uImage, >32 string x %s, >28 byte 0 Invalid os/ >28 byte 1 OpenBSD/ >28 byte 2 NetBSD/ >28 byte 3 FreeBSD/ >28 byte 4 4.4BSD/ >28 byte 5 Linux/ >28 byte 6 SVR4/ >28 byte 7 Esix/ >28 byte 8 Solaris/ >28 byte 9 Irix/ >28 byte 10 SCO/ >28 byte 11 Dell/ >28 byte 12 NCR/ >28 byte 13 LynxOS/ >28 byte 14 VxWorks/ >28 byte 15 pSOS/ >28 byte 16 QNX/ >28 byte 17 Firmware/ >28 byte 18 RTEMS/ >28 byte 19 ARTOS/ >28 byte 20 Unity OS/ >28 byte 21 INTEGRITY/ >29 byte 0 \bInvalid CPU, >29 byte 1 \bAlpha, >29 byte 2 \bARM, >29 byte 3 \bIntel x86, >29 byte 4 \bIA64, >29 byte 5 \bMIPS, >29 byte 6 \bMIPS 64-bit, >29 byte 7 \bPowerPC, >29 byte 8 \bIBM S390, >29 byte 9 \bSuperH, >29 byte 10 \bSparc, >29 byte 11 \bSparc 64-bit, >29 byte 12 \bM68K, >29 byte 13 \bNios-32, >29 byte 14 \bMicroBlaze, >29 byte 15 \bNios-II, >29 byte 16 \bBlackfin, >29 byte 17 \bAVR32, >29 byte 18 \bSTMicroelectronics ST200, >30 byte 0 Invalid Image >30 byte 1 Standalone Program >30 byte 2 OS Kernel Image >30 byte 3 RAMDisk Image >30 byte 4 Multi-File Image >30 byte 5 Firmware Image >30 byte 6 Script File >30 byte 7 Filesystem Image (any type) >30 byte 8 Binary Flat Device Tree BLOB >31 byte 0 (Not compressed), >31 byte 1 (gzip), >31 byte 2 (bzip2), >31 byte 3 (lzma), >12 belong x %d bytes, >8 bedate x %s, >16 belong x Load Address: 0x%08X, >20 belong x Entry Point: 0x%08X, >4 belong x Header CRC: 0x%08X, >24 belong x Data CRC: 0x%08X # JFFS2 file system 0 leshort 0x1984 Linux old jffs2 filesystem data little endian 0 beshort 0x1984 Linux old jffs2 filesystem data big endian 0 leshort 0x1985 Linux jffs2 filesystem data little endian 0 beshort 0x1985 Linux jffs2 filesystem data big endian # Squashfs 0 string sqsh Squashfs filesystem, big endian, >28 beshort x version %d. >30 beshort x \b%d, >28 beshort <3 >>8 belong x %d bytes, >28 beshort >2 >>28 beshort <4 >>>63 bequad x %lld bytes, >>28 beshort >3 >>>40 bequad x %lld bytes, #>>67 belong x %d bytes, >4 belong x %d inodes, >28 beshort <2 >>32 beshort x blocksize: %d bytes, >28 beshort >1 >>28 beshort <4 >>>51 belong x blocksize: %d bytes, >>28 beshort >3 >>>12 belong x blocksize: %d bytes, >28 beshort <4 >>39 bedate x created: %s >28 beshort >3 >>8 bedate x created: %s 0 string hsqs Squashfs filesystem, little endian, >28 leshort x version %d. >30 leshort x \b%d, >28 leshort <3 >>8 lelong x %d bytes, >28 leshort >2 >>28 leshort <4 >>>63 lequad x %lld bytes, >>28 leshort >3 >>>40 lequad x %lld bytes, #>>63 lelong x %d bytes, >4 lelong x %d inodes, >28 leshort <2 >>32 leshort x blocksize: %d bytes, >28 leshort >1 >>28 leshort <4 >>>51 lelong x blocksize: %d bytes, >>28 leshort >3 >>>12 lelong x blocksize: %d bytes, >28 leshort <4 >>39 ledate x created: %s >28 leshort >3 >>8 ledate x created: %s 0 string td\000 floppy image data (TeleDisk) # AFS Dump Magic # From: Ty Sarna <tsarna@sarna.org> 0 string \x01\xb3\xa1\x13\x22 AFS Dump >&0 belong x (v%d) >>&0 byte 0x76 >>>&0 belong x Vol %d, >>>>&0 byte 0x6e >>>>>&0 string x %s >>>>>>&1 byte 0x74 >>>>>>>&0 beshort 2 >>>>>>>>&4 bedate x on: %s >>>>>>>>&0 bedate =0 full dump >>>>>>>>&0 bedate !0 incremental since: %s #---------------------------------------------------------- #delta ISO Daniel Novotny (dnovotny@redhat.com) 0 string DISO Delta ISO data >4 belong x version %d # VMS backup savesets - gerardo.cacciari@gmail.com # 4 string \x01\x00\x01\x00\x01\x00 >(0.s+16) string \x01\x01 >>&(&0.b+8) byte 0x42 OpenVMS backup saveset data >>>40 lelong x (block size %d, >>>49 string >\0 original name '%s', >>>2 short 1024 VAX generated) >>>2 short 2048 AXP generated) >>>2 short 4096 I64 generated) # Summary: Oracle Clustered Filesystem # Created by: Aaron Botsis <redhat@digitalmafia.org> 8 string OracleCFS Oracle Clustered Filesystem, >4 long x rev %d >0 long x \b.%d, >560 string x label: %.64s, >136 string x mountpoint: %.128s # Summary: Oracle ASM tagged volume # Created by: Aaron Botsis <redhat@digitalmafia.org> 32 string ORCLDISK Oracle ASM Volume, >40 string x Disk Name: %0.12s 32 string ORCLCLRD Oracle ASM Volume (cleared), >40 string x Disk Name: %0.12s # Oracle Clustered Filesystem - Aaron Botsis <redhat@digitalmafia.org> 8 string OracleCFS Oracle Clustered Filesystem, >4 long x rev %d >0 long x \b.%d, >560 string x label: %.64s, >136 string x mountpoint: %.128s # Oracle ASM tagged volume - Aaron Botsis <redhat@digitalmafia.org> 32 string ORCLDISK Oracle ASM Volume, >40 string x Disk Name: %0.12s 32 string ORCLCLRD Oracle ASM Volume (cleared), >40 string x Disk Name: %0.12s # Compaq/HP RILOE floppy image # From: Dirk Jagdmann <doj@cubic.org> 0 string CPQRFBLO Compaq/HP RILOE floppy image #------------------------------------------------------------------------------ # Files-11 On-Disk Structure (File system for various RSX-11 and VMS flavours). # These bits come from LBN 1 (home block) of ODS-1, ODS-2 and ODS-5 volumes, # which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com # 1008 string DECFILE11 Files-11 On-Disk Structure >525 byte x Level %d >525 byte x (ODS-%d); >1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system; >1017 string B >>525 byte 2 VAX/VMS or OpenVMS file system; >>525 byte 5 OpenVMS Alpha or Itanium file system; >984 string x volume label is '%-12.12s' # From: Thomas Klausner <wiz@NetBSD.org> # http://filext.com/file-extension/DAA # describes the daa file format. The magic would be: 0 string DAA\x0\x0\x0\x0\x0 PowerISO Direct-Access-Archive # From Albert Cahalan <acahalan@gmail.com> # really le32 operation,destination,payloadsize (but quite predictable) # 01 00 00 00 00 00 00 c0 00 02 00 00 0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware # From Eric Sandeen # GFS2 0x10000 belong 0x01161970 >0x10018 belong 0x0000051d GFS1 Filesystem >>0x10024 belong x (blocksize %d, >>0x10060 string >\0 lockproto %s) >0x10018 belong 0x00000709 GFS2 Filesystem >>0x10024 belong x (blocksize %d, >>0x10060 string >\0 lockproto %s) # BTRFS 0x10040 string _BHRfS_M BTRFS Filesystem >0x1012b string >\0 (label "%s", >0x10090 lelong x sectorsize %d, >0x10094 lelong x nodesize %d, >0x10098 lelong x leafsize %d) # dvdisaster's .ecc # From: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string *dvdisaster* dvdisaster error correction file # xfs metadump image # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM >0x200 string XFSB XFS filesystem metadump image # Type: CROM filesystem # From: Werner Fink <werner@suse.de> 0 string CROMFS CROMFS >6 string >\0 \b version %2.2s, >8 ulequad >0 \b block data at %lld, >16 ulequad >0 \b fblock table at %lld, >24 ulequad >0 \b inode table at %lld, >32 ulequad >0 \b root at %lld, >40 ulelong >0 \b fblock size = %ld, >44 ulelong >0 \b block size = %ld, >48 ulequad >0 \b bytes = %lld # Type: xfs metadump image # From: Daniel Novotny <dnovotny@redhat.com> # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM >0x200 string XFSB XFS filesystem metadump image # Type: delta ISO # From: Daniel Novotny <dnovotny@redhat.com> 0 string DISO Delta ISO data, >4 belong x version %d # JFS2 (Journaling File System) image. (Old JFS1 has superblock at 0x1000.) # See linux/fs/jfs/jfs_superblock.h for layout; see jfs_filsys.h for flags. # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0x8000 string JFS1 # Because it's text-only magic, check a binary value (version) to be sure. # Should always be 2, but mkfs.jfs writes it as 1. Needs to be 2 or 1 to be # mountable. >&0 lelong <3 JFS2 filesystem image # Label is followed by a UUID; we have to limit string length to avoid # appending the UUID in the case of a 16-byte label. >>&144 regex [\x20-\x7E]{1,16} (label "%s") >>&0 lequad x \b, %lld blocks >>&8 lelong x \b, blocksize %d >>&32 lelong&0x00000006 >0 (dirty) >>&36 lelong >0 (compressed) #------------------------------------------------------------------------------ # $File: flash,v 1.9 2009/11/08 01:30:01 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See # # http://www.macromedia.com/software/flash/open/ # 0 string FWS Macromedia Flash data, >3 byte x version %d !:mime application/x-shockwave-flash 0 string CWS Macromedia Flash data (compressed), !:mime application/x-shockwave-flash >3 byte x version %d # From: Cal Peake <cp@absolutedigital.net> 0 string FLV Macromedia Flash Video !:mime video/x-flv # # Yosu Gomez 0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document 0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document # From Dave Wilson 0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document #------------------------------------------------------------------------------ # $File: fonts,v 1.23 2010/09/20 18:55:20 rrt Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text 0 short 0436 Berkeley vfont data 0 short 017001 byte-swapped Berkeley vfont data # PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com 0 string %!PS-AdobeFont-1. PostScript Type 1 font text >20 string >\0 (%s) 6 string %!PS-AdobeFont-1. PostScript Type 1 font program data 0 string %!FontType1 PostScript Type 1 font program data 6 string %!FontType1 PostScript Type 1 font program data 0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text # X11 font files in SNF (Server Natural Format) format 0 belong 00000004 X11 SNF font data, MSB first 0 lelong 00000004 X11 SNF font data, LSB first # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 STARTFONT\ X11 BDF font text # X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) # PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) 0 string \001fcp X11 Portable Compiled Font data >12 byte 0x02 \b, LSB first >12 byte 0x0a \b, MSB first 0 string D1.0\015 X11 Speedo font data #------------------------------------------------------------------------------ # FIGlet fonts and controlfiles # From figmagic supplied with Figlet version 2.2 # "David E. O'Brien" <obrien@FreeBSD.ORG> 0 string flf FIGlet font >3 string >2a version %-2.2s 0 string flc FIGlet controlfile >3 string >2a version %-2.2s # libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu) # Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++ 0 belong 0x14025919 libGrx font data, >8 leshort x %dx >10 leshort x \b%d >40 string x %s # Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) 0 belong 0xff464f4e DOS code page font data collection 7 belong 0x00454741 DOS code page font data 7 belong 0x00564944 DOS code page font data (from Linux?) 4098 string DOSFONT DOSFONT2 encrypted font data # downloadable fonts for browser (prints type) anthon@mnt.org 0 string PFR1 PFR1 font >102 string >0 \b: %s # True Type fonts 0 string \000\001\000\000\000 TrueType font data !:mime application/x-font-ttf 0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font 0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font # TrueType/OpenType font collections (.ttc) # http://www.microsoft.com/typography/otspec/otff.htm 0 string ttcf TrueType font collection data >4 belong 0x00010000 \b, 1.0 >>8 belong >0 \b, %d fonts >4 belong 0x00020000 \b, 2.0 >>8 belong >0 \b, %d fonts # 0x44454947 = 'DSIG' >>>16 belong 0x44534947 \b, digitally signed # Opentype font data from Avi Bercovich 0 string OTTO OpenType font data !:mime application/vnd.ms-opentype # Gürkan Sengün <gurkan@linuks.mine.nu>, www.linuks.mine.nu 0 string SplineFontDB: Spline Font Database !:mime application/vnd.font-fontforge-sfd >14 string x version %s # EOT 34 string LP Embedded OpenType (EOT) !:mime application/vnd.ms-fontobject #------------------------------------------------------------------------------ # $File: fortran,v 1.6 2009/09/19 16:28:09 christos Exp $ # FORTRAN source 0 regex/100 \^[Cc][\ \t] FORTRAN program !:mime text/x-fortran #------------------------------------------------------------------------------ # $File: frame,v 1.12 2009/09/19 16:28:09 christos Exp $ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is # copyright, but this file is "published" as witness the following: # # Note that this is the Framemaker Maker Interchange Format, not the # Normal format which would be application/vnd.framemaker. # 0 string \<MakerFile FrameMaker document !:mime application/x-mif >11 string 5.5 (5.5 >11 string 5.0 (5.0 >11 string 4.0 (4.0 >11 string 3.0 (3.0 >11 string 2.0 (2.0 >11 string 1.0 (1.0 >14 byte x %c) 0 string \<MIFFile FrameMaker MIF (ASCII) file !:mime application/x-mif >9 string 4.0 (4.0) >9 string 3.0 (3.0) >9 string 2.0 (2.0) >9 string 1.0 (1.x) 0 search/1 \<MakerDictionary FrameMaker Dictionary text !:mime application/x-mif >17 string 3.0 (3.0) >17 string 2.0 (2.0) >17 string 1.0 (1.x) 0 string \<MakerScreenFont FrameMaker Font file !:mime application/x-mif >17 string 1.01 (%s) 0 string \<MML FrameMaker MML file !:mime application/x-mif 0 string \<BookFile FrameMaker Book file !:mime application/x-mif >10 string 3.0 (3.0 >10 string 2.0 (2.0 >10 string 1.0 (1.0 >13 byte x %c) # XXX - this book entry should be verified, if you find one, uncomment this #0 string \<Book\ FrameMaker Book (ASCII) file #!:mime application/x-mif #>6 string 3.0 (3.0) #>6 string 2.0 (2.0) #>6 string 1.0 (1.0) 0 string \<Maker Intermediate Print File FrameMaker IPL file !:mime application/x-mif #------------------------------------------------------------------------------ # $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $ # freebsd: file(1) magic for FreeBSD objects # # All new-style FreeBSD magic numbers are in host byte order (i.e., # little-endian on x86). # # XXX - this comes from the file "freebsd" in a recent FreeBSD version of # "file"; it, and the NetBSD stuff in "netbsd", appear to use different # schemes for distinguishing between executable images, shared libraries, # and object files. # # FreeBSD says: # # Regardless of whether it's pure, demand-paged, or none of the # above: # # if the entry point is < 4096, then it's a shared library if # the "has run-time loader information" bit is set, and is # position-independent if the "is position-independent" bit # is set; # # if the entry point is >= 4096 (or >4095, same thing), then it's # an executable, and is dynamically-linked if the "has run-time # loader information" bit is set. # # On x86, NetBSD says: # # If it's neither pure nor demand-paged: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable; # # if it doesn't have that bit set, then: # # if it has the "is position-independent" bit set, it's # position-independent; # # if the entry point is non-zero, it's an executable, otherwise # it's an object file. # # If it's pure: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable, otherwise it's just an # executable. # # If it's demand-paged: # # if it has the "has run-time loader information" bit set, # then: # # if the entry point is < 4096, it's a shared library; # # if the entry point is = 4096 or > 4096 (i.e., >= 4096), # it's a dynamically-linked executable); # # if it doesn't have the "has run-time loader information" bit # set, then it's just an executable. # # (On non-x86, NetBSD does much the same thing, except that it uses # 8192 on 68K - except for "68k4k", which is presumably "68K with 4K # pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's # had 8K pages; dunno about MIPS.) # # I suspect the two will differ only in perverse and uninteresting cases # ("shared" libraries that aren't demand-paged and whose pages probably # won't actually be shared, executables with entry points <4096). # # I leave it to those more familiar with FreeBSD and NetBSD to figure out # what the right answer is (although using ">4095", FreeBSD-style, is # probably better than separately checking for "=4096" and ">4096", # NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged # executables using the NetBSD technique.) # 0 lelong&0377777777 041400407 FreeBSD/i386 >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped 0 lelong&0377777777 041400410 FreeBSD/i386 pure >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped 0 lelong&0377777777 041400413 FreeBSD/i386 demand paged >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped 0 lelong&0377777777 041400314 FreeBSD/i386 compact demand paged >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped # XXX gross hack to identify core files # cores start with a struct tss; we take advantage of the following: # byte 7: highest byte of the kernel stack pointer, always 0xfe # 8/9: kernel (ring 0) ss value, always 0x0010 # 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0 # 28: low order byte of the current PTD entry, always 0 since the # PTD is page-aligned # 7 string \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/i386 a.out core file >1039 string >\0 from '%s' # /var/run/ld.so.hints # What are you laughing about? 0 lelong 011421044151 ld.so hints file (Little Endian >4 lelong >0 \b, version %d) >4 belong <1 \b) 0 belong 011421044151 ld.so hints file (Big Endian >4 belong >0 \b, version %d) >4 belong <1 \b) # # Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities # 0 string SCRSHOT_ scrshot(1) screenshot, >8 byte x version %d, >9 byte 2 %d bytes in header, >>10 byte x %d chars wide by >>11 byte x %d chars high #------------------------------------------------------------------------------ # $File: fsav,v 1.11 2009/09/19 16:28:09 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} 0 beshort 0x1575 fsav macro virus signatures >8 leshort >0 (%d- >11 byte >0 \b%02d- >10 byte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign.zip #10 ubyte <12 #>9 ubyte <32 #>>8 ubyte 0x0a #>>>12 ubyte 0x07 #>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d- #>>>>10 byte 0 \b01- #>>>>10 byte 1 \b02- #>>>>10 byte 2 \b03- #>>>>10 byte 3 \b04- #>>>>10 byte 4 \b05- #>>>>10 byte 5 \b06- #>>>>10 byte 6 \b07- #>>>>10 byte 7 \b08- #>>>>10 byte 8 \b09- #>>>>10 byte 9 \b10- #>>>>10 byte 10 \b11- #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip #0 ubyte 0x62 #>1 ubyte 0xF5 #>>2 ubyte 0x1 #>>>3 ubyte 0x1 #>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x #>>>>>>13 ubyte x \b%02x bytes # Joerg Jenderek: joerg dot jenderek at web dot de # http://www.clamav.net/doc/latest/html/node45.html # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files 0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s >>34 string : >>>35 string !: \b, version >>>>35 string x \b%-.1s >>>>>36 string !: >>>>>>36 string x \b%-.1s >>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s >>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred # Type: Grisoft AVG AntiVirus # From: David Newgas <david@newgas.net> 0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data #------------------------------------------------------------------------------ # $File: fusecompress,v 1.2 2011/08/08 09:05:55 christos Exp $ # fusecompress: file(1) magic for fusecompress 0 string \037\135\211 FuseCompress(ed) data >3 byte 0x00 (none format) >3 byte 0x01 (bz2 format) >3 byte 0x02 (gz format) >3 byte 0x03 (lzo format) >3 byte 0x04 (xor format) >3 byte >0x04 (unknown format) >4 long x uncompressed size: %d #------------------------------------------------------------------------------ # $File: games,v 1.13 2012/02/13 22:50:50 christos Exp $ # games: file(1) for games # Fabio Bonelli <fabiobonelli@libero.it> # Quake II - III data files 0 string IDP2 Quake II 3D Model file, >20 long x %lu skin(s), >8 long x (%lu x >12 long x %lu), >40 long x %lu frame(s), >16 long x Frame size %lu bytes, >24 long x %lu vertices/frame, >28 long x %lu texture coordinates, >32 long x %lu triangles/frame 0 string IBSP Quake >4 long 0x26 II Map file (BSP) >4 long 0x2E III Map file (BSP) 0 string IDS2 Quake II SP2 sprite file #--------------------------------------------------------------------------- # Doom and Quake # submitted by Nicolas Patrois 0 string \xcb\x1dBoom\xe6\xff\x03\x01 Boom or linuxdoom demo # some doom lmp files don't match, I've got one beginning with \x6d\x02\x01\x01 24 string LxD\ 203 Linuxdoom save >0 string x , name=%s >44 string x , world=%s # Quake 0 string PACK Quake I or II world or extension >8 lelong >0 \b, %d entries #0 string -1\x0a Quake I demo #>30 string x version %.4s #>61 string x level %s #0 string 5\x0a Quake I save # The levels # Quake 1 0 string 5\x0aIntroduction Quake I save: start Introduction 0 string 5\x0athe_Slipgate_Complex Quake I save: e1m1 The slipgate complex 0 string 5\x0aCastle_of_the_Damned Quake I save: e1m2 Castle of the damned 0 string 5\x0athe_Necropolis Quake I save: e1m3 The necropolis 0 string 5\x0athe_Grisly_Grotto Quake I save: e1m4 The grisly grotto 0 string 5\x0aZiggurat_Vertigo Quake I save: e1m8 Ziggurat vertigo (secret) 0 string 5\x0aGloom_Keep Quake I save: e1m5 Gloom keep 0 string 5\x0aThe_Door_To_Chthon Quake I save: e1m6 The door to Chthon 0 string 5\x0aThe_House_of_Chthon Quake I save: e1m7 The house of Chthon 0 string 5\x0athe_Installation Quake I save: e2m1 The installation 0 string 5\x0athe_Ogre_Citadel Quake I save: e2m2 The ogre citadel 0 string 5\x0athe_Crypt_of_Decay Quake I save: e2m3 The crypt of decay (dopefish lives!) 0 string 5\x0aUnderearth Quake I save: e2m7 Underearth (secret) 0 string 5\x0athe_Ebon_Fortress Quake I save: e2m4 The ebon fortress 0 string 5\x0athe_Wizard's_Manse Quake I save: e2m5 The wizard's manse 0 string 5\x0athe_Dismal_Oubliette Quake I save: e2m6 The dismal oubliette 0 string 5\x0aTermination_Central Quake I save: e3m1 Termination central 0 string 5\x0aVaults_of_Zin Quake I save: e3m2 Vaults of Zin 0 string 5\x0athe_Tomb_of_Terror Quake I save: e3m3 The tomb of terror 0 string 5\x0aSatan's_Dark_Delight Quake I save: e3m4 Satan's dark delight 0 string 5\x0athe_Haunted_Halls Quake I save: e3m7 The haunted halls (secret) 0 string 5\x0aWind_Tunnels Quake I save: e3m5 Wind tunnels 0 string 5\x0aChambers_of_Torment Quake I save: e3m6 Chambers of torment 0 string 5\x0athe_Sewage_System Quake I save: e4m1 The sewage system 0 string 5\x0aThe_Tower_of_Despair Quake I save: e4m2 The tower of despair 0 string 5\x0aThe_Elder_God_Shrine Quake I save: e4m3 The elder god shrine 0 string 5\x0athe_Palace_of_Hate Quake I save: e4m4 The palace of hate 0 string 5\x0aHell's_Atrium Quake I save: e4m5 Hell's atrium 0 string 5\x0athe_Nameless_City Quake I save: e4m8 The nameless city (secret) 0 string 5\x0aThe_Pain_Maze Quake I save: e4m6 The pain maze 0 string 5\x0aAzure_Agony Quake I save: e4m7 Azure agony 0 string 5\x0aShub-Niggurath's_Pit Quake I save: end Shub-Niggurath's pit # Quake DeathMatch levels 0 string 5\x0aPlace_of_Two_Deaths Quake I save: dm1 Place of two deaths 0 string 5\x0aClaustrophobopolis Quake I save: dm2 Claustrophobopolis 0 string 5\x0aThe_Abandoned_Base Quake I save: dm3 The abandoned base 0 string 5\x0aThe_Bad_Place Quake I save: dm4 The bad place 0 string 5\x0aThe_Cistern Quake I save: dm5 The cistern 0 string 5\x0aThe_Dark_Zone Quake I save: dm6 The dark zone # Scourge of Armagon 0 string 5\x0aCommand_HQ Quake I save: start Command HQ 0 string 5\x0aThe_Pumping_Station Quake I save: hip1m1 The pumping station 0 string 5\x0aStorage_Facility Quake I save: hip1m2 Storage facility 0 string 5\x0aMilitary_Complex Quake I save: hip1m5 Military complex (secret) 0 string 5\x0athe_Lost_Mine Quake I save: hip1m3 The lost mine 0 string 5\x0aResearch_Facility Quake I save: hip1m4 Research facility 0 string 5\x0aAncient_Realms Quake I save: hip2m1 Ancient realms 0 string 5\x0aThe_Gremlin's_Domain Quake I save: hip2m6 The gremlin's domain (secret) 0 string 5\x0aThe_Black_Cathedral Quake I save: hip2m2 The black cathedral 0 string 5\x0aThe_Catacombs Quake I save: hip2m3 The catacombs 0 string 5\x0athe_Crypt__ Quake I save: hip2m4 The crypt 0 string 5\x0aMortum's_Keep Quake I save: hip2m5 Mortum's keep 0 string 5\x0aTur_Torment Quake I save: hip3m1 Tur torment 0 string 5\x0aPandemonium Quake I save: hip3m2 Pandemonium 0 string 5\x0aLimbo Quake I save: hip3m3 Limbo 0 string 5\x0athe_Edge_of_Oblivion Quake I save: hipdm1 The edge of oblivion (secret) 0 string 5\x0aThe_Gauntlet Quake I save: hip3m4 The gauntlet 0 string 5\x0aArmagon's_Lair Quake I save: hipend Armagon's lair # Malice 0 string 5\x0aThe_Academy Quake I save: start The academy 0 string 5\x0aThe_Lab Quake I save: d1 The lab 0 string 5\x0aArea_33 Quake I save: d1b Area 33 0 string 5\x0aSECRET_MISSIONS Quake I save: d3b Secret missions 0 string 5\x0aThe_Hospital Quake I save: d10 The hospital (secret) 0 string 5\x0aThe_Genetics_Lab Quake I save: d11 The genetics lab (secret) 0 string 5\x0aBACK_2_MALICE Quake I save: d4b Back to Malice 0 string 5\x0aArea44 Quake I save: d1c Area 44 0 string 5\x0aTakahiro_Towers Quake I save: d2 Takahiro towers 0 string 5\x0aA_Rat's_Life Quake I save: d3 A rat's life 0 string 5\x0aInto_The_Flood Quake I save: d4 Into the flood 0 string 5\x0aThe_Flood Quake I save: d5 The flood 0 string 5\x0aNuclear_Plant Quake I save: d6 Nuclear plant 0 string 5\x0aThe_Incinerator_Plant Quake I save: d7 The incinerator plant 0 string 5\x0aThe_Foundry Quake I save: d7b The foundry 0 string 5\x0aThe_Underwater_Base Quake I save: d8 The underwater base 0 string 5\x0aTakahiro_Base Quake I save: d9 Takahiro base 0 string 5\x0aTakahiro_Laboratories Quake I save: d12 Takahiro laboratories 0 string 5\x0aStayin'_Alive Quake I save: d13 Stayin' alive 0 string 5\x0aB.O.S.S._HQ Quake I save: d14 B.O.S.S. HQ 0 string 5\x0aSHOWDOWN! Quake I save: d15 Showdown! # Malice DeathMatch levels 0 string 5\x0aThe_Seventh_Precinct Quake I save: ddm1 The seventh precinct 0 string 5\x0aSub_Station Quake I save: ddm2 Sub station 0 string 5\x0aCrazy_Eights! Quake I save: ddm3 Crazy eights! 0 string 5\x0aEast_Side_Invertationa Quake I save: ddm4 East side invertationa 0 string 5\x0aSlaughterhouse Quake I save: ddm5 Slaughterhouse 0 string 5\x0aDOMINO Quake I save: ddm6 Domino 0 string 5\x0aSANDRA'S_LADDER Quake I save: ddm7 Sandra's ladder 0 string MComprHD MAME CHD compressed hard disk image, >12 belong x version %lu # doom - submitted by Jon Dowland 0 string =IWAD doom main IWAD data >4 lelong x containing %d lumps 0 string =PWAD doom patch PWAD data >4 lelong x containing %d lumps # Build engine group files (Duke Nukem, Shadow Warrior, ...) # Extension: .grp # Created by: "Ganael Laplanche" <ganael.laplanche@martymac.org> 0 string KenSilverman Build engine group file >12 lelong x containing %d files # Summary: Warcraft 3 save # Extension: .w3g # Created by: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string Warcraft\ III\ recorded\ game %s # Summary: Warcraft 3 map # Extension: .w3m # Created by: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string HM3W Warcraft III map file # Summary: SGF Smart Game Format # Extension: .sgf # Reference: http://www.red-bean.com/sgf/ # Created by: Eduardo Sabbatella <eduardo_sabbatella@yahoo.com.ar> # Modified by (1): Abel Cheung (regex, more game format) # FIXME: Some games don't have GM (game type) 0 regex \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format >2 search/0x200/b GM[ >>&0 string 1] (Go) >>&0 string 2] (Othello) >>&0 string 3] (chess) >>&0 string 4] (Gomoku+Renju) >>&0 string 5] (Nine Men's Morris) >>&0 string 6] (Backgammon) >>&0 string 7] (Chinese chess) >>&0 string 8] (Shogi) >>&0 string 9] (Lines of Action) >>&0 string 10] (Ataxx) >>&0 string 11] (Hex) >>&0 string 12] (Jungle) >>&0 string 13] (Neutron) >>&0 string 14] (Philosopher's Football) >>&0 string 15] (Quadrature) >>&0 string 16] (Trax) >>&0 string 17] (Tantrix) >>&0 string 18] (Amazons) >>&0 string 19] (Octi) >>&0 string 20] (Gess) >>&0 string 21] (Twixt) >>&0 string 22] (Zertz) >>&0 string 23] (Plateau) >>&0 string 24] (Yinsh) >>&0 string 25] (Punct) >>&0 string 26] (Gobblet) >>&0 string 27] (hive) >>&0 string 28] (Exxit) >>&0 string 29] (Hnefatal) >>&0 string 30] (Kuba) >>&0 string 31] (Tripples) >>&0 string 32] (Chase) >>&0 string 33] (Tumbling Down) >>&0 string 34] (Sahara) >>&0 string 35] (Byte) >>&0 string 36] (Focus) >>&0 string 37] (Dvonn) >>&0 string 38] (Tamsk) >>&0 string 39] (Gipf) >>&0 string 40] (Kropki) ############################################## # NetImmerse/Gamebryo game engine entries # Summary: Gamebryo game engine file # Extension: .nif, .kf # Created by: Abel Cheung <abelcheung@gmail.com> 0 string Gamebryo\ File\ Format,\ Version\ Gamebryo game engine file >&0 regex [0-9a-z.]+ \b, version %s # Summary: Gamebryo game engine file # Extension: .kfm # Created by: Abel Cheung <abelcheung@gmail.com> 0 string ;Gamebryo\ KFM\ File\ Version\ Gamebryo game engine animation File >&0 regex [0-9a-z.]+ \b, version %s # Summary: NetImmerse game engine file # Extension .nif # Created by: Abel Cheung <abelcheung@gmail.com> 0 string NetImmerse\ File\ Format,\ Versio >&0 string n\ NetImmerse game engine file >>&0 regex [0-9a-z.]+ \b, version %s # Type: SGF Smart Game Format # URL: http://www.red-bean.com/sgf/ # From: Eduardo Sabbatella <eduardo_sabbatella@yahoo.com.ar> 2 regex/c \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format >2 regex/c GM\\[1\\] - Go Game >2 regex/c GM\\[6\\] - BackGammon Game >2 regex/c GM\\[11\\] - Hex Game >2 regex/c GM\\[18\\] - Amazons Game >2 regex/c GM\\[19\\] - Octi Game >2 regex/c GM\\[20\\] - Gess Game >2 regex/c GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package # 0 lelong 0x9E2A83C1 Unreal Engine Package, >4 leshort x version: %i >12 lelong !0 \b, names: %i >28 lelong !0 \b, imports: %i >20 lelong !0 \b, exports: %i #------------------------------------------------------------------------------ # $File: gcc,v 1.4 2009/09/19 16:28:09 christos Exp $ # gcc: file(1) magic for GCC special files # 0 string gpch GCC precompiled header # The version field is annoying. It's 3 characters, not zero-terminated. >5 byte x (version %c >6 byte x \b%c >7 byte x \b%c) # 67 = 'C', 111 = 'o', 43 = '+', 79 = 'O' >4 byte 67 for C >4 byte 111 for Objective C >4 byte 43 for C++ >4 byte 79 for Objective C++ #------------------------------------------------------------------------------ # $File: geo,v 1.1 2010/02/23 23:40:07 christos Exp $ # Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> ###################################################################### # # Acoustic Doppler Current Profilers (ADCP) # ###################################################################### 0 beshort 0x7f7f RDI Acoustic Doppler Current Profiler (ADCP) ###################################################################### # # Metadata # ###################################################################### 0 string Identification_Information FGDC ASCII metadata ###################################################################### # # Seimsic / Subbottom # ###################################################################### # Knudsen subbottom chirp profiler - Binary File Format: B9 # KEB D409-03167 V1.75 Huffman 0 string KEB\ Knudsen seismic KEL binary (KEB) - >4 regex [-A-Z0-9]* Software: %s >>&1 regex V[0-9]*\.[0-9]* version %s ###################################################################### # # LIDAR - Laser altimetry or bathy # ###################################################################### # Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data 0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar >4 regex [0-9]*\.[0-9]* version %s 0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data >3 byte x version %d . >4 byte x %d ###################################################################### # # MULTIBEAM SONARS http://www.ldeo.columbia.edu/res/pi/MB-System/formatdoc/ # ###################################################################### # GeoAcoustics - GeoSwath Plus 4 beshort 0x2002 GeoSwath RDF 0 string Start:- GeoSwatch auf text file # Seabeam 2100 # mbsystem code mb41 0 string SB2100 SeaBeam 2100 multibeam sonar 0 string SB2100DR SeaBeam 2100 DR multibeam sonar 0 string SB2100PR SeaBeam 2100 PR multibeam sonar # This corresponds to MB-System format 94, L-3/ELAC/SeaBeam XSE vendor # format. It is the format of our upgraded SeaBeam 2112 on R/V KNORR. 0 string $HSF XSE multibeam # mb121 http://www.saic.com/maritime/gsf/ 8 string GSF-v SAIC generic sensor format (GSF) sonar data, >&0 regex [0-9]*\.[0-9]* version %s # MGD77 - http://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm # mb161 9 string MGD77 MGD77 Header, Marine Geophysical Data Exchange Format # MBSystem processing caches the mbinfo output 1 string Swath\ Data\ File: mbsystem info cache # Caris John Hughes Clark format 0 string HDCS Caris multibeam sonar related data 1 string Start/Stop\ parameter\ header: Caris ASCII project summary ###################################################################### # # Visualization and 3D modeling # ###################################################################### # IVS - IVS3d.com Tagged Data Represetation 0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file # http://www.ecma-international.org/publications/standards/Ecma-363.htm # 3D in PDFs 0 string U3D ECMA-363, Universal 3D ###################################################################### # # Support files # ###################################################################### # https://midas.psi.ch/elog/ 0 string $@MID@$ elog journal entry #------------------------------------------------------------------------------ # $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $ # GEOS files (Vidar Madsen, vidar@gimp.org) # semi-commonly used in embedded and handheld systems. 0 belong 0xc745c153 GEOS >40 byte 1 executable >40 byte 2 VMFile >40 byte 3 binary >40 byte 4 directory label >40 byte <1 unknown >40 byte >4 unknown >4 string >\0 \b, name "%s" #>44 short x \b, version %d #>46 short x \b.%d #>48 short x \b, rev %d #>50 short x \b.%d #>52 short x \b, proto %d #>54 short x \br%d #>168 string >\0 \b, copyright "%s" #------------------------------------------------------------------------------ # $File: gimp,v 1.7 2010/09/20 18:55:20 rrt Exp $ # GIMP Gradient: file(1) magic for the GIMP's gradient data files # by Federico Mena <federico@nuclecu.unam.mx> 0 string GIMP\ Gradient GIMP gradient data #------------------------------------------------------------------------------ # XCF: file(1) magic for the XCF image format used in the GIMP developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 0 string gimp\ xcf GIMP XCF image data, !:mime image/x-xcf >9 string file version 0, >9 string v version >>10 string >\0 %s, >14 belong x %lu x >18 belong x %lu, >22 belong 0 RGB Color >22 belong 1 Greyscale >22 belong 2 Indexed Color >22 belong >2 Unknown Image Type. #------------------------------------------------------------------------------ # XCF: file(1) magic for the patterns used in the GIMP, developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 20 string GPAT GIMP pattern data, >24 string x %s #------------------------------------------------------------------------------ # XCF: file(1) magic for the brushes used in the GIMP, developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 20 string GIMP GIMP brush data # GIMP Curves File # From: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string #\040GIMP\040Curves\040File GIMP curve file #------------------------------------------------------------------------------ # $File: gnome-keyring,v 1.2 2009/09/19 16:28:09 christos Exp $ # GNOME keyring # Contributed by Josh Triplett # FIXME: Could be simplified if pstring supported two-byte counts 0 string GnomeKeyring\n\r\0\n GNOME keyring >&0 ubyte 0 \b, major version 0 >>&0 ubyte 0 \b, minor version 0 >>>&0 ubyte 0 \b, crypto type 0 (AEL) >>>&0 ubyte >0 \b, crypto type %hhu (unknown) >>>&1 ubyte 0 \b, hash type 0 (MD5) >>>&1 ubyte >0 \b, hash type %hhu (unknown) >>>&2 ubelong 0xFFFFFFFF \b, name NULL >>>&2 ubelong !0xFFFFFFFF >>>>&-4 ubelong >255 \b, name too long for file's pstring type >>>>&-4 ubelong <256 >>>>>&-1 pstring x \b, name "%s" >>>>>>&0 ubeqdate x \b, last modified %s >>>>>>&8 ubeqdate x \b, created %s >>>>>>&16 ubelong &1 >>>>>>>&0 ubelong x \b, locked if idle for %u seconds >>>>>>&16 ubelong ^1 \b, not locked if idle >>>>>>&24 ubelong x \b, hash iterations %u >>>>>>&28 ubequad x \b, salt %llu >>>>>>&52 ubelong x \b, %u item(s) #------------------------------------------------------------------------------ # $File: gnu,v 1.13 2012/01/03 17:16:54 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format # # GNU message catalog (.mo and .gmo files) 0 string \336\22\4\225 GNU message catalog (little endian), >6 leshort x revision %d. >4 leshort >0 \b%d, >>8 lelong x %d messages, >>36 lelong x %d sysdep messages >4 leshort =0 \b%d, >>8 lelong x %d messages 0 string \225\4\22\336 GNU message catalog (big endian), >4 beshort x revision %d. >6 beshort >0 \b%d, >>8 belong x %d messages, >>36 belong x %d sysdep messages >6 beshort =0 \b%d, >>8 belong x %d messages # GnuPG # The format is very similar to pgp 0 string \001gpg GPG key trust database >4 byte x version %d # Note: magic.mime had 0x8501 for the next line instead of 0x8502 0 beshort 0x8502 GPG encrypted data !:mime text/PGP # encoding: data # This magic is not particularly good, as the keyrings don't have true # magic. Nevertheless, it covers many keyrings. 0 beshort 0x9901 GPG key public ring !:mime application/x-gnupg-keyring # Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps 39 string =<gmr:Workbook Gnumeric spreadsheet # From: James Youngman <jay@gnu.org> # gnu find magic 0 string \0LOCATE GNU findutils locate database data >7 string >\0 \b, format %s >7 string 02 \b (frcode) # Files produced by GNU gettext 0 long 0xDE120495 GNU-format message catalog data 0 long 0x950412DE GNU-format message catalog data # gettext message catalogue 0 regex \^msgid\ GNU gettext message catalogue text !:mime text/x-po #------------------------------------------------------------------------------ # $File: gnumeric,v 1.4 2009/09/19 16:28:09 christos Exp $ # gnumeric: file(1) magic for Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps 39 string =<gmr:Workbook Gnumeric spreadsheet !:mime application/x-gnumeric #------------------------------------------------------------------------------ # $File: grace,v 1.4 2009/09/19 16:28:09 christos Exp $ # ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE # # ACE/gr binary 0 string \000\000\0001\000\000\0000\000\000\0000\000\000\0002\000\000\0000\000\000\0000\000\000\0003 old ACE/gr binary file >39 byte >0 - version %c # ACE/gr ascii 0 string #\ xvgr\ parameter\ file ACE/gr ascii file 0 string #\ xmgr\ parameter\ file ACE/gr ascii file 0 string #\ ACE/gr\ parameter\ file ACE/gr ascii file # Grace projects 0 string #\ Grace\ project\ file Grace project file >23 string @version\ (version >>32 byte >0 %c >>33 string >\0 \b.%.2s >>35 string >\0 \b.%.2s) # ACE/gr fit description files 0 string #\ ACE/gr\ fit\ description\ ACE/gr fit description file # end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE #------------------------------------------------------------------------------ # $File: graphviz,v 1.7 2009/09/19 16:28:09 christos Exp $ # graphviz: file(1) magic for http://www.graphviz.org/ # FIXME: These patterns match too generally. For example, the first # line matches a LaTeX file containing the word "graph" (with a { # following later) and the second line matches this file. #0 regex/100 [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text #!:mime text/vnd.graphviz #0 regex/100 [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text #!:mime text/vnd.graphviz #------------------------------------------------------------------------------ # $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo <mano@pluto.linux.it> #GRG3????Y 0 string GRG Gringotts data file #file format 1 >3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 #file format 2 >3 string 2 v.2, MCRYPT S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, >>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, >>8 byte&0x70 0x60 3DES crypt, >>8 byte&0x70 0x70 RIJNDAEL-256 crypt, >>8 byte&0x08 0x00 SHA1 hash, >>8 byte&0x08 0x08 RIPEMD-160 hash, >>8 byte&0x04 0x00 ZLib >>8 byte&0x04 0x04 BZip2 >>8 byte&0x03 0x00 lvl.0 >>8 byte&0x03 0x01 lvl.3 >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format 3 >3 string 3 v.3, OpenPGP S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, >>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, >>8 byte&0x70 0x60 3DES crypt, >>8 byte&0x70 0x70 RIJNDAEL-256 crypt, >>8 byte&0x08 0x00 SHA1 hash, >>8 byte&0x08 0x08 RIPEMD-160 hash, >>8 byte&0x04 0x00 ZLib >>8 byte&0x04 0x04 BZip2 >>8 byte&0x03 0x00 lvl.0 >>8 byte&0x03 0x01 lvl.3 >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format >3 >3 string >3 v.%.1s (unknown details) #------------------------------------------------------------------------------ # $File: guile,v 1.1 2011/12/16 17:44:33 christos Exp $ # Guile file magic from <dalepsmith@gmail.com> # http://www.gnu.org/s/guile/ # http://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 0 string GOOF---- Guile Object >8 string LE \b, little endian >8 string BE \b, big endian >11 string 4 \b, 32bit >11 string 8 \b, 64bit >13 regex .\.. \b, bytecode v%s #------------------------------------------------------------------------------ # $File: hitachi-sh,v 1.5 2009/09/19 16:28:09 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF # 0 beshort 0x0500 Hitachi SH big-endian COFF >18 beshort&0x0002 =0x0000 object >18 beshort&0x0002 =0x0002 executable >18 beshort&0x0008 =0x0008 \b, stripped >18 beshort&0x0008 =0x0000 \b, not stripped # 0 leshort 0x0550 Hitachi SH little-endian COFF >18 leshort&0x0002 =0x0000 object >18 leshort&0x0002 =0x0002 executable >18 leshort&0x0008 =0x0008 \b, stripped >18 leshort&0x0008 =0x0000 \b, not stripped #------------------------------------------------------------------------------ # $File: hp,v 1.23 2009/09/19 16:28:09 christos Exp $ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be # applied to the "TML" stuff; I'm assuming the Apollo stuff is # big-endian as it was mostly 68K-based. # # I think the 500 series was the old stack-based machines, running a # UNIX environment atop the "SUN kernel"; dunno whether it was # big-endian or little-endian. # # Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based; # hp300 are 68020+68881 based; hp400 are also 68k. The following basic # HP magic is useful for reference, but using "long" magic is a better # practice in order to avoid collisions. # # Guy Harris (guy@netapp.com): some additions to this list came from # HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1, # 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0 # "/etc/magic", though, except for the "archive file relocatable library" # stuff, and the 68030 and 68040 stuff isn't there at all - are they not # used in executables, or have they just not yet updated "/etc/magic" # completely? # # 0 beshort 200 hp200 (68010) BSD binary # 0 beshort 300 hp300 (68020+68881) BSD binary # 0 beshort 0x20c hp200/300 HP-UX binary # 0 beshort 0x20d hp400 (68030) HP-UX binary # 0 beshort 0x20e hp400 (68040?) HP-UX binary # 0 beshort 0x20b PA-RISC1.0 HP-UX binary # 0 beshort 0x210 PA-RISC1.1 HP-UX binary # 0 beshort 0x211 PA-RISC1.2 HP-UX binary # 0 beshort 0x214 PA-RISC2.0 HP-UX binary # # The "misc" stuff needs a byte order; the archives look suspiciously # like the old 177545 archives (0xff65 = 0177545). # #### Old Apollo stuff 0 beshort 0627 Apollo m68k COFF executable >18 beshort ^040000 not stripped >22 beshort >0 - version %ld 0 beshort 0624 apollo a88k COFF executable >18 beshort ^040000 not stripped >22 beshort >0 - version %ld 0 long 01203604016 TML 0123 byte-order format 0 long 01702407010 TML 1032 byte-order format 0 long 01003405017 TML 2301 byte-order format 0 long 01602007412 TML 3210 byte-order format #### PA-RISC 1.1 0 belong 0x02100106 PA-RISC1.1 relocatable object 0 belong 0x02100107 PA-RISC1.1 executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x02100108 PA-RISC1.1 shared executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0210010b PA-RISC1.1 demand-load executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0210010e PA-RISC1.1 shared library >96 belong >0 - not stripped 0 belong 0x0210010d PA-RISC1.1 dynamic load library >96 belong >0 - not stripped #### PA-RISC 2.0 0 belong 0x02140106 PA-RISC2.0 relocatable object 0 belong 0x02140107 PA-RISC2.0 executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x02140108 PA-RISC2.0 shared executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0214010b PA-RISC2.0 demand-load executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0214010e PA-RISC2.0 shared library >96 belong >0 - not stripped 0 belong 0x0214010d PA-RISC2.0 dynamic load library >96 belong >0 - not stripped #### 800 0 belong 0x020b0106 PA-RISC1.0 relocatable object 0 belong 0x020b0107 PA-RISC1.0 executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x020b0108 PA-RISC1.0 shared executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x020b010b PA-RISC1.0 demand-load executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x020b010e PA-RISC1.0 shared library >96 belong >0 - not stripped 0 belong 0x020b010d PA-RISC1.0 dynamic load library >96 belong >0 - not stripped 0 belong 0x213c6172 archive file >68 belong 0x020b0619 - PA-RISC1.0 relocatable library >68 belong 0x02100619 - PA-RISC1.1 relocatable library >68 belong 0x02110619 - PA-RISC1.2 relocatable library >68 belong 0x02140619 - PA-RISC2.0 relocatable library #### 500 0 long 0x02080106 HP s500 relocatable executable >16 long >0 - version %ld 0 long 0x02080107 HP s500 executable >16 long >0 - version %ld 0 long 0x02080108 HP s500 pure executable >16 long >0 - version %ld #### 200 0 belong 0x020c0108 HP s200 pure executable >4 beshort >0 - version %ld >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0107 HP s200 executable >4 beshort >0 - version %ld >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c010b HP s200 demand-load executable >4 beshort >0 - version %ld >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0106 HP s200 relocatable executable >4 beshort >0 - version %ld >6 beshort >0 - highwater %d >8 belong &0x80000000 save fp regs >8 belong &0x20000000 debuggable >8 belong &0x10000000 PIC 0 belong 0x020a0108 HP s200 (2.x release) pure executable >4 beshort >0 - version %ld >36 belong >0 not stripped 0 belong 0x020a0107 HP s200 (2.x release) executable >4 beshort >0 - version %ld >36 belong >0 not stripped 0 belong 0x020c010e HP s200 shared library >4 beshort >0 - version %ld >6 beshort >0 - highwater %d >36 belong >0 not stripped 0 belong 0x020c010d HP s200 dynamic load library >4 beshort >0 - version %ld >6 beshort >0 - highwater %d >36 belong >0 not stripped #### MISC 0 long 0x0000ff65 HP old archive 0 long 0x020aff65 HP s200 old archive 0 long 0x020cff65 HP s200 old archive 0 long 0x0208ff65 HP s500 old archive 0 long 0x015821a6 HP core file 0 long 0x4da7eee8 HP-WINDOWS font >8 byte >0 - version %ld 0 string Bitmapfile HP Bitmapfile 0 string IMGfile CIS compimg HP Bitmapfile # XXX - see "lif" #0 short 0x8000 lif file 0 long 0x020c010c compiled Lisp 0 string msgcat01 HP NLS message catalog, >8 long >0 %d messages # Summary: HP-48/49 calculator # Created by: phk@data.fls.dk # Modified by (1): AMAKAWA Shuhei <sa264@cam.ac.uk> # Modified by (2): Samuel Thibault <samuel.thibault@ens-lyon.org> (HP49 support) 0 string HPHP HP >4 string 48 48 binary >4 string 49 49 binary >7 byte >64 - Rev %c >8 leshort 0x2911 (ADR) >8 leshort 0x2933 (REAL) >8 leshort 0x2955 (LREAL) >8 leshort 0x2977 (COMPLX) >8 leshort 0x299d (LCOMPLX) >8 leshort 0x29bf (CHAR) >8 leshort 0x29e8 (ARRAY) >8 leshort 0x2a0a (LNKARRAY) >8 leshort 0x2a2c (STRING) >8 leshort 0x2a4e (HXS) >8 leshort 0x2a74 (LIST) >8 leshort 0x2a96 (DIR) >8 leshort 0x2ab8 (ALG) >8 leshort 0x2ada (UNIT) >8 leshort 0x2afc (TAGGED) >8 leshort 0x2b1e (GROB) >8 leshort 0x2b40 (LIB) >8 leshort 0x2b62 (BACKUP) >8 leshort 0x2b88 (LIBDATA) >8 leshort 0x2d9d (PROG) >8 leshort 0x2dcc (CODE) >8 leshort 0x2e48 (GNAME) >8 leshort 0x2e6d (LNAME) >8 leshort 0x2e92 (XLIB) 0 string %%HP: HP text >6 string T(0) - T(0) >6 string T(1) - T(1) >6 string T(2) - T(2) >6 string T(3) - T(3) >10 string A(D) A(D) >10 string A(R) A(R) >10 string A(G) A(G) >14 string F(.) F(.); >14 string F(,) F(,); # Summary: HP-38/39 calculator # Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> 0 string HP3 >3 string 8 HP 38 >3 string 9 HP 39 >4 string Bin binary >4 string Asc ASCII >7 string A (Directory List) >7 string B (Zaplet) >7 string C (Note) >7 string D (Program) >7 string E (Variable) >7 string F (List) >7 string G (Matrix) >7 string H (Library) >7 string I (Target List) >7 string J (ASCII Vector specification) >7 string K (wildcard) # Summary: HP-38/39 calculator # Created by: Samuel Thibault <samuel.thibault@ens-lyon.org> 0 string HP3 >3 string 8 HP 38 >3 string 9 HP 39 >4 string Bin binary >4 string Asc ASCII >7 string A (Directory List) >7 string B (Zaplet) >7 string C (Note) >7 string D (Program) >7 string E (Variable) >7 string F (List) >7 string G (Matrix) >7 string H (Library) >7 string I (Target List) >7 string J (ASCII Vector specification) >7 string K (wildcard) # hpBSD magic numbers 0 beshort 200 hp200 (68010) BSD >2 beshort 0407 impure binary >2 beshort 0410 read-only binary >2 beshort 0413 demand paged binary 0 beshort 300 hp300 (68020+68881) BSD >2 beshort 0407 impure binary >2 beshort 0410 read-only binary >2 beshort 0413 demand paged binary # # From David Gero <dgero@nortelnetworks.com> # HP-UX 10.20 core file format from /usr/include/sys/core.h # Unfortunately, HP-UX uses corehead blocks without specifying the order # There are four we care about: # CORE_KERNEL, which starts with the string "HP-UX" # CORE_EXEC, which contains the name of the command # CORE_PROC, which contains the signal number that caused the core dump # CORE_FORMAT, which contains the version of the core file format (== 1) # The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC # but we include all 6 variations of the order of the first 3, and # assume that PROC will always be last # Order 1: KERNEL, EXEC, FORMAT, PROC 0x10 string HP-UX >0 belong 2 >>0xC belong 0x3C >>>0x4C belong 0x100 >>>>0x58 belong 0x44 >>>>>0xA0 belong 1 >>>>>>0xAC belong 4 >>>>>>>0xB0 belong 1 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x90 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 2: KERNEL, FORMAT, EXEC, PROC >>>0x4C belong 1 >>>>0x58 belong 4 >>>>>0x5C belong 1 >>>>>>0x60 belong 0x100 >>>>>>>0x6C belong 0x44 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0xA4 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 3: FORMAT, KERNEL, EXEC, PROC 0x24 string HP-UX >0 belong 1 >>0xC belong 4 >>>0x10 belong 1 >>>>0x14 belong 2 >>>>>0x20 belong 0x3C >>>>>>0x60 belong 0x100 >>>>>>>0x6C belong 0x44 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0xA4 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 4: EXEC, KERNEL, FORMAT, PROC 0x64 string HP-UX >0 belong 0x100 >>0xC belong 0x44 >>>0x54 belong 2 >>>>0x60 belong 0x3C >>>>>0xA0 belong 1 >>>>>>0xAC belong 4 >>>>>>>0xB0 belong 1 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x44 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 5: FORMAT, EXEC, KERNEL, PROC 0x78 string HP-UX >0 belong 1 >>0xC belong 4 >>>0x10 belong 1 >>>>0x14 belong 0x100 >>>>>0x20 belong 0x44 >>>>>>0x68 belong 2 >>>>>>>0x74 belong 0x3C >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x58 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 6: EXEC, FORMAT, KERNEL, PROC >0 belong 0x100 >>0xC belong 0x44 >>>0x54 belong 1 >>>>0x60 belong 4 >>>>>0x64 belong 1 >>>>>>0x68 belong 2 >>>>>>>0x74 belong 0x2C >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x44 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ #------------------------------------------------------------------------------ # $File: human68k,v 1.5 2009/09/19 16:28:09 christos Exp $ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats # Magic too short! #0 string HU Human68k #>68 string LZX LZX compressed #>>72 string >\0 (version %s) #>(8.L+74) string LZX LZX compressed #>>(8.L+78) string >\0 (version %s) #>60 belong >0 binded #>(8.L+66) string #HUPAIR hupair #>0 string HU X executable #>(8.L+74) string #LIBCV1 - linked PD LIBC ver 1 #>4 belong >0 - base address 0x%x #>28 belong >0 not stripped #>32 belong >0 with debug information #0 beshort 0x601a Human68k Z executable #0 beshort 0x6000 Human68k object file #0 belong 0xd1000000 Human68k ar binary archive #0 belong 0xd1010000 Human68k ar ascii archive #0 beshort 0x0068 Human68k lib archive #4 string LZX Human68k LZX compressed #>8 string >\0 (version %s) #>4 string LZX R executable #2 string #HUPAIR Human68k hupair R executable #------------------------------------------------------------------------------ # $File: ibm370,v 1.8 2009/09/19 16:28:09 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # # 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # 0 beshort 0537 370 XA sysV executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format 0 beshort 0532 370 XA sysV pure executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format 0 beshort 054001 370 sysV pure executable >12 belong >0 not stripped 0 beshort 055001 370 XA sysV pure executable >12 belong >0 not stripped 0 beshort 056401 370 sysV executable >12 belong >0 not stripped 0 beshort 057401 370 XA sysV executable >12 belong >0 not stripped 0 beshort 0531 SVR2 executable (Amdahl-UTS) >12 belong >0 not stripped >24 belong >0 - version %ld 0 beshort 0534 SVR2 pure executable (Amdahl-UTS) >12 belong >0 not stripped >24 belong >0 - version %ld 0 beshort 0530 SVR2 pure executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %ld 0 beshort 0535 SVR2 executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %ld #------------------------------------------------------------------------------ # $File: ibm6000,v 1.9 2009/09/19 16:28:09 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module >12 belong >0 not stripped # Breaks sun4 statically linked execs. #0 beshort 0x0103 executable (RT Version 2) or obj module #>2 byte 0x50 pure #>28 belong >0 not stripped #>6 beshort >0 - version %ld 0 beshort 0x0104 shared library 0 beshort 0x0105 ctab data 0 beshort 0xfe04 structured file 0 string 0xabcdef AIX message catalog 0 belong 0x000001f9 AIX compiled message catalog 0 string \<aiaff> archive 0 string \<bigaf> archive (big format) #------------------------------------------------------------------------------ # $File: iff,v 1.13 2011/09/06 11:00:06 christos Exp $ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic # Arts for file interchange. It has also been used by Apple, SGI, and # especially Commodore-Amiga. # # IFF files begin with an 8 byte FORM header, followed by a 4 character # FORM type, which is followed by the first chunk in the FORM. 0 string FORM IFF data #>4 belong x \b, FORM is %d bytes long # audio formats >8 string AIFF \b, AIFF audio !:mime audio/x-aiff >8 string AIFC \b, AIFF-C compressed audio !:mime audio/x-aiff >8 string 8SVX \b, 8SVX 8-bit sampled sound voice !:mime audio/x-aiff >8 string 16SV \b, 16SV 16-bit sampled sound voice >8 string SAMP \b, SAMP sampled audio >8 string MAUD \b, MAUD MacroSystem audio >8 string SMUS \b, SMUS simple music >8 string CMUS \b, CMUS complex music # image formats >8 string ILBMBMHD \b, ILBM interleaved image >>20 beshort x \b, %d x >>22 beshort x %d >8 string RGBN \b, RGBN 12-bit RGB image >8 string RGB8 \b, RGB8 24-bit RGB image >8 string DEEP \b, DEEP TVPaint/XiPaint image >8 string DR2D \b, DR2D 2-D object >8 string TDDD \b, TDDD 3-D rendering >8 string LWOB \b, LWOB 3-D object >8 string LWO2 \b, LWO2 3-D object, v2 >8 string LWLO \b, LWLO 3-D layered object >8 string REAL \b, REAL Real3D rendering >8 string MC4D \b, MC4D MaxonCinema4D rendering >8 string ANIM \b, ANIM animation >8 string YAFA \b, YAFA animation >8 string SSA\ \b, SSA super smooth animation >8 string ACBM \b, ACBM continuous image >8 string FAXX \b, FAXX fax image # other formats >8 string FTXT \b, FTXT formatted text >8 string CTLG \b, CTLG message catalog >8 string PREF \b, PREF preferences >8 string DTYP \b, DTYP datatype description >8 string PTCH \b, PTCH binary patch >8 string AMFF \b, AMFF AmigaMetaFile format >8 string WZRD \b, WZRD StormWIZARD resource >8 string DOC\ \b, DOC desktop publishing document >8 string WVQA \b, Westwood Studios VQA Multimedia, >>24 leshort x %d video frames, >>26 leshort x %d x >>28 leshort x %d >8 string MOVE \b, Wing Commander III Video >>12 string _PC_ \b, PC version >>12 string 3DO_ \b, 3DO version # These go at the end of the iff rules # # I don't see why these might collide with anything else. # # Interactive Fiction related formats # >8 string IFRS \b, Blorb Interactive Fiction >>24 string Exec with executable chunk >8 string IFZS \b, Z-machine or Glulx saved game file (Quetzal) #------------------------------------------------------------------------------ # $File: images,v 1.72 2011/12/08 12:12:46 rrt Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # # originally from jef@helios.ee.lbl.gov (Jef Poskanzer), # additions by janl@ifi.uio.no as well as others. Jan also suggested # merging several one- and two-line files into here. # # little magic: PCX (first byte is 0x0a) # Targa - matches `povray', `ppmtotga' and `xv' outputs # by Philippe De Muyter <phdm@macqel.be> # at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 # at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise # at 3, leshort Index is 0 for povray, ppmtotga and xv outputs # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) # `tgatoppm' recognizes a superset (Index may be anything) 1 belong&0xfff7ffff 0x01010000 Targa image data - Map >2 byte&8 8 - RLE >12 leshort >0 %hd x >14 leshort >0 %hd 1 belong&0xfff7ffff 0x00020000 Targa image data - RGB >2 byte&8 8 - RLE >12 leshort >0 %hd x >14 leshort >0 %hd 1 belong&0xfff7ffff 0x00030000 Targa image data - Mono >2 byte&8 8 - RLE >12 leshort >0 %hd x >14 leshort >0 %hd # PBMPLUS images # The next byte following the magic is always whitespace. # strength is changed to try these patterns before "x86 boot sector" 0 search/1 P1 >3 regex =[0-9]*\ [0-9]* Netpbm PBM image text >3 regex =[0-9]+\ \b, size = %sx >>3 regex =\ [0-9]+ \b%s !:strength + 45 !:mime image/x-portable-bitmap 0 search/1 P2 >3 regex =[0-9]*\ [0-9]* Netpbm PGM image text >3 regex =[0-9]+\ \b, size = %sx >>3 regex =\ [0-9]+ \b%s !:strength + 45 !:mime image/x-portable-greymap 0 search/1 P3 Netpbm PPM image text >3 regex =[0-9]*\ [0-9]* Netpbm PPM image text >3 regex =[0-9]+\ \b, size = %sx >>3 regex =\ [0-9]+ \b%s !:strength + 45 !:mime image/x-portable-pixmap 0 string P4 >3 regex =[0-9]*\ [0-9]* Netpbm PBM "rawbits" image data >3 regex =[0-9]+\ \b, size = %sx >>3 regex =\ [0-9]+ \b%s !:strength + 45 !:mime image/x-portable-bitmap 0 string P5 >3 regex =[0-9]*\ [0-9]* Netpbm PGM "rawbits" image data >3 regex =[0-9]+\ \b, size = %sx >>3 regex =\ [0-9]+ \b%s !:strength + 45 !:mime image/x-portable-greymap 0 string P6 >3 regex =[0-9]*\ [0-9]* Netpbm PPM "rawbits" image data >3 regex =[0-9]+\ \b, size = %sx >>3 regex =\ [0-9]+ \b%s !:strength + 45 !:mime image/x-portable-pixmap 0 string P7 Netpbm PAM image file !:mime image/x-portable-pixmap # From: bryanh@giraffe-data.com (Bryan Henderson) 0 string \117\072 Solitaire Image Recorder format >4 string \013 MGI Type 11 >4 string \021 MGI Type 17 0 string .MDA MicroDesign data >21 byte 48 version 2 >21 byte 51 version 3 0 string .MDP MicroDesign page data >21 byte 48 version 2 >21 byte 51 version 3 # NIFF (Navy Interchange File Format, a modification of TIFF) images # [GRR: this *must* go before TIFF] 0 string IIN1 NIFF image data !:mime image/x-niff # Canon RAW version 1 (CRW) files are a type of Canon Image File Format # (CIFF) file. These are apparently all little-endian. # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://www.sno.phy.queensu.ca/~phil/exiftool/canon_raw.html 0 string II\x1a\0\0\0HEAPCCDR Canon CIFF raw image data !:mime image/x-canon-crw >16 leshort x \b, version %d. >14 leshort x \b%d # Canon RAW version 2 (CR2) files are a kind of TIFF with an extra magic # number. Put this above the TIFF test to make sure we detect them. # These are apparently all little-endian. # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://libopenraw.freedesktop.org/wiki/Canon_CR2 0 string II\x2a\0\x10\0\0\0CR Canon CR2 raw image data !:mime image/x-canon-cr2 >10 byte x \b, version %d. >11 byte x \b%d # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian !:mime image/tiff 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff 0 string MM\x00\x2b Big TIFF image data, big-endian !:mime image/tiff 0 string II\x2b\x00 Big TIFF image data, little-endian !:mime image/tiff # PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data !:mime image/png >16 belong x \b, %ld x >20 belong x %ld, >24 byte x %d-bit >25 byte 0 grayscale, >25 byte 2 \b/color RGB, >25 byte 3 colormap, >25 byte 4 gray+alpha, >25 byte 6 \b/color RGBA, #>26 byte 0 deflate/32K, >28 byte 0 non-interlaced >28 byte 1 interlaced # possible GIF replacements; none yet released! # (Greg Roelofs, newt@uchicago.edu) # # GRR 950115: this was mine ("Zip GIF"): 0 string GIF94z ZIF image (GIF+deflate alpha) !:mime image/x-unknown # # GRR 950115: this is Jeremy Wohl's Free Graphics Format (better): # 0 string FGF95a FGF image (GIF+deflate beta) !:mime image/x-unknown # # GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal # (best; not yet implemented): # 0 string PBF PBF image (deflate compression) !:mime image/x-unknown # GIF 0 string GIF8 GIF image data !:mime image/gif !:apple 8BIMGIFf >4 string 7a \b, version 8%s, >4 string 9a \b, version 8%s, >6 leshort >0 %hd x >8 leshort >0 %hd #>10 byte &0x80 color mapped, #>10 byte&0x07 =0x00 2 colors #>10 byte&0x07 =0x01 4 colors #>10 byte&0x07 =0x02 8 colors #>10 byte&0x07 =0x03 16 colors #>10 byte&0x07 =0x04 32 colors #>10 byte&0x07 =0x05 64 colors #>10 byte&0x07 =0x06 128 colors #>10 byte&0x07 =0x07 256 colors # ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, # 1 plane, no encoding. 0 string \361\0\100\273 CMU window manager raster image data >4 lelong >0 %d x >8 lelong >0 %d, >12 lelong >0 %d-bit # Magick Image File Format 0 string id=ImageMagick MIFF image data # Artisan 0 long 1123028772 Artisan image data >4 long 1 \b, rectangular 24-bit >4 long 2 \b, rectangular 8-bit with colormap >4 long 3 \b, rectangular 32-bit (24-bit with matte) # FIG (Facility for Interactive Generation of figures), an object-based format 0 search/1 #FIG FIG image text >5 string x \b, version %.3s # PHIGS 0 string ARF_BEGARF PHIGS clear text archive 0 string @(#)SunPHIGS SunPHIGS # version number follows, in the form m.n >40 string SunBin binary >32 string archive archive # GKS (Graphics Kernel System) 0 string GKSM GKS Metafile >24 string SunGKS \b, SunGKS # CGM image files 0 string BEGMF clear text Computer Graphics Metafile # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string yz MGR bitmap, modern format, 8-bit aligned 0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned 0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned 0 string yx MGR bitmap, modern format, squeezed # Fuzzy Bitmap (FBM) images 0 string %bitmap\0 FBM image data >30 long 0x31 \b, mono >30 long 0x33 \b, color # facsimile data 1 string PC\ Research,\ Inc group 3 fax data >29 byte 0 \b, normal resolution (204x98 DPI) >29 byte 1 \b, fine resolution (204x196 DPI) # From: Herbert Rosmanith <herp@wildsau.idv.uni.linz.at> 0 string Sfff structured fax file # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) 0 string BM >14 leshort 12 PC bitmap, OS/2 1.x format !:mime image/x-ms-bmp >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 64 PC bitmap, OS/2 2.x format !:mime image/x-ms-bmp >>18 leshort x \b, %d x >>20 leshort x %d >14 leshort 40 PC bitmap, Windows 3.x format !:mime image/x-ms-bmp >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d >14 leshort 128 PC bitmap, Windows NT/2000 format !:mime image/x-ms-bmp >>18 lelong x \b, %d x >>22 lelong x %d x >>28 leshort x %d # Too simple - MPi #0 string IC PC icon data #0 string PI PC pointer image data #0 string CI PC color icon data #0 string CP PC color pointer image data # Conflicts with other entries [BABYL] #0 string BA PC bitmap array data # XPM icons (Greg Roelofs, newt@uchicago.edu) 0 search/1 /*\ XPM\ */ X pixmap image text !:mime image/x-xpmi # Utah Raster Toolkit RLE images (janl@ifi.uio.no) 0 leshort 0xcc52 RLE image data, >6 leshort x %d x >8 leshort x %d >2 leshort >0 \b, lower left corner: %d >4 leshort >0 \b, lower right corner: %d >10 byte&0x1 =0x1 \b, clear first >10 byte&0x2 =0x2 \b, no background >10 byte&0x4 =0x4 \b, alpha channel >10 byte&0x8 =0x8 \b, comment >11 byte >0 \b, %d color channels >12 byte >0 \b, %d bits per pixel >13 byte >0 \b, %d color map channels # image file format (Robert Potter, potter@cs.rochester.edu) 0 string Imagefile\ version- iff image data # this adds the whole header (inc. version number), informative but longish >10 string >\0 %s # Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com) 0 belong 0x59a66a95 Sun raster image data >4 belong >0 \b, %d x >8 belong >0 %d, >12 belong >0 %d-bit, #>16 belong >0 %d bytes long, >20 belong 0 old format, #>20 belong 1 standard, >20 belong 2 compressed, >20 belong 3 RGB, >20 belong 4 TIFF, >20 belong 5 IFF, >20 belong 0xffff reserved for testing, >24 belong 0 no colormap >24 belong 1 RGB colormap >24 belong 2 raw colormap #>28 belong >0 colormap is %d bytes long # SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) # # See # http://reality.sgi.com/grafica/sgiimage.html # 0 beshort 474 SGI image data #>2 byte 0 \b, verbatim >2 byte 1 \b, RLE #>3 byte 1 \b, normal precision >3 byte 2 \b, high precision >4 beshort x \b, %d-D >6 beshort x \b, %d x >8 beshort x %d >10 beshort x \b, %d channel >10 beshort !1 \bs >80 string >0 \b, "%s" 0 string IT01 FIT image data >4 belong x \b, %d x >8 belong x %d x >12 belong x %d # 0 string IT02 FIT image data >4 belong x \b, %d x >8 belong x %d x >12 belong x %d # 2048 string PCD_IPI Kodak Photo CD image pack file >0xe02 byte&0x03 0x00 , landscape mode >0xe02 byte&0x03 0x01 , portrait mode >0xe02 byte&0x03 0x02 , landscape mode >0xe02 byte&0x03 0x03 , portrait mode 0 string PCD_OPA Kodak Photo CD overview pack file # FITS format. Jeff Uphoff <juphoff@tarsier.cv.nrao.edu> # FITS is the Flexible Image Transport System, the de facto standard for # data and image transfer, storage, etc., for the astronomical community. # (FITS floating point formats are big-endian.) 0 string SIMPLE\ \ = FITS image data >109 string 8 \b, 8-bit, character or unsigned binary integer >108 string 16 \b, 16-bit, two's complement binary integer >107 string \ 32 \b, 32-bit, two's complement binary integer >107 string -32 \b, 32-bit, floating point, single precision >107 string -64 \b, 64-bit, floating point, double precision # other images 0 string This\ is\ a\ BitMap\ file Lisp Machine bit-array-file # From SunOS 5.5.1 "/etc/magic" - appeared right before Sun raster image # stuff. # 0 beshort 0x1010 PEX Binary Archive # DICOM medical imaging data 128 string DICM DICOM medical imaging data !:mime application/dicom # XWD - X Window Dump file. # As described in /usr/X11R6/include/X11/XWDFile.h # used by the xwd program. # Bradford Castalia, idaeim, 1/01 # updated by Adam Buchbinder, 2/09 # The following assumes version 7 of the format; the first long is the length # of the header, which is at least 25 4-byte longs, and the one at offset 8 # is a constant which is always either 1 or 2. Offset 12 is the pixmap depth, # which is a maximum of 32. 0 belong >100 >8 belong <3 >>12 belong <33 >>>4 belong 7 XWD X Window Dump image data !:mime image/x-xwindowdump >>>>100 string >\0 \b, "%s" >>>>16 belong x \b, %dx >>>>20 belong x \b%dx >>>>12 belong x \b%d # PDS - Planetary Data System # These files use Parameter Value Language in the header section. # Unfortunately, there is no certain magic, but the following # strings have been found to be most likely. 0 string NJPL1I00 PDS (JPL) image data 2 string NJPL1I PDS (JPL) image data 0 string CCSD3ZF PDS (CCSD) image data 2 string CCSD3Z PDS (CCSD) image data 0 string PDS_ PDS image data 0 string LBLSIZE= PDS (VICAR) image data # pM8x: ATARI STAD compressed bitmap format # # from Oskar Schirmer <schirmer@scara.com> Feb 2, 2001 # p M 8 5/6 xx yy zz data... # Atari ST STAD bitmap is always 640x400, bytewise runlength compressed. # bytes either run horizontally (pM85) or vertically (pM86). yy is the # most frequent byte, xx and zz are runlength escape codes, where xx is # used for runs of yy. # 0 string pM85 Atari ST STAD bitmap image data (hor) >5 byte 0x00 (white background) >5 byte 0xFF (black background) 0 string pM86 Atari ST STAD bitmap image data (vert) >5 byte 0x00 (white background) >5 byte 0xFF (black background) # Gürkan Sengün <gurkan@linuks.mine.nu>, www.linuks.mine.nu # http://www.atarimax.com/jindroush.atari.org/afmtatr.html 0 leshort 0x0296 Atari ATR image # XXX: # This is bad magic 0x5249 == 'RI' conflicts with RIFF and other # magic. # SGI RICE image file <mpruett@sgi.com> #0 beshort 0x5249 RICE image #>2 beshort x v%d #>4 beshort x (%d x #>6 beshort x %d) #>8 beshort 0 8 bit #>8 beshort 1 10 bit #>8 beshort 2 12 bit #>8 beshort 3 13 bit #>10 beshort 0 4:2:2 #>10 beshort 1 4:2:2:4 #>10 beshort 2 4:4:4 #>10 beshort 3 4:4:4:4 #>12 beshort 1 RGB #>12 beshort 2 CCIR601 #>12 beshort 3 RP175 #>12 beshort 4 YUV #------------------------------------------------------------------------------ # # Marco Schmidt (marcoschmidt@users.sourceforge.net) -- an image file format # for the EPOC operating system, which is used with PDAs like those from Psion # # see http://huizen.dds.nl/~frodol/psiconv/html/Index.html for a description # of various EPOC file formats 0 string \x37\x00\x00\x10\x42\x00\x00\x10\x00\x00\x00\x00\x39\x64\x39\x47 EPOC MBM image file # PCX image files # From: Dan Fandrich <dan@coneharvesters.com> 0 beshort 0x0a00 PCX ver. 2.5 image data 0 beshort 0x0a02 PCX ver. 2.8 image data, with palette 0 beshort 0x0a03 PCX ver. 2.8 image data, without palette 0 beshort 0x0a04 PCX for Windows image data 0 beshort 0x0a05 PCX ver. 3.0 image data >4 leshort x bounding box [%hd, >6 leshort x %hd] - >8 leshort x [%hd, >10 leshort x %hd], >65 byte >1 %d planes each of >3 byte x %hhd-bit >68 byte 0 image, >68 byte 1 colour, >68 byte 2 grayscale, >68 byte >2 image, >68 byte <0 image, >12 leshort >0 %hd x >>14 leshort x %hd dpi, >2 byte 0 uncompressed >2 byte 1 RLE compressed # Adobe Photoshop # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> 0 string 8BPS Adobe Photoshop Image !:mime image/vnd.adobe.photoshop >4 beshort 2 (PSB) >18 belong x \b, %d x >14 belong x %d, >24 beshort 0 bitmap >24 beshort 1 grayscale >>12 beshort 2 with alpha >24 beshort 2 indexed >24 beshort 3 RGB >>12 beshort 4 \bA >24 beshort 4 CMYK >>12 beshort 5 \bA >24 beshort 7 multichannel >24 beshort 8 duotone >24 beshort 9 lab >12 beshort > 1 >>12 beshort x \b, %dx >12 beshort 1 \b, >22 beshort x %d-bit channel >12 beshort > 1 \bs # XV thumbnail indicator (ThMO) 0 string P7\ 332 XV thumbnail image data # NITF is defined by United States MIL-STD-2500A 0 string NITF National Imagery Transmission Format >25 string >\0 dated %.14s # GEM Image: Version 1, Headerlen 8 (Wolfram Kleff) 0 belong 0x00010008 GEM Image data >12 beshort x %d x >14 beshort x %d, >4 beshort x %d planes, >8 beshort x %d x >10 beshort x %d pixelsize # GEM Metafile (Wolfram Kleff) 0 lelong 0x0018FFFF GEM Metafile data >4 leshort x version %d # # SMJPEG. A custom Motion JPEG format used by Loki Entertainment # Software Torbjorn Andersson <d91tan@Update.UU.SE>. # 0 string \0\nSMJPEG SMJPEG >8 belong x %d.x data # According to the specification you could find any number of _TXT # headers here, but I can't think of any way of handling that. None of # the SMJPEG files I tried it on used this feature. Even if such a # file is encountered the output should still be reasonable. >16 string _SND \b, >>24 beshort >0 %d Hz >>26 byte 8 8-bit >>26 byte 16 16-bit >>28 string NONE uncompressed # >>28 string APCM ADPCM compressed >>27 byte 1 mono >>28 byte 2 stereo # Help! Isn't there any way to avoid writing this part twice? >>32 string _VID \b, # >>>48 string JFIF JPEG >>>40 belong >0 %d frames >>>44 beshort >0 (%d x >>>46 beshort >0 %d) >16 string _VID \b, # >>32 string JFIF JPEG >>24 belong >0 %d frames >>28 beshort >0 (%d x >>30 beshort >0 %d) 0 string Paint\ Shop\ Pro\ Image\ File Paint Shop Pro Image File # "thumbnail file" (icon) # descended from "xv", but in use by other applications as well (Wolfram Kleff) 0 string P7\ 332 XV "thumbnail file" (icon) data # taken from fkiss: (<yav@mte.biglobe.ne.jp> ?) 0 string KiSS KISS/GS >4 byte 16 color >>5 byte x %d bit >>8 leshort x %d colors >>10 leshort x %d groups >4 byte 32 cell >>5 byte x %d bit >>8 leshort x %d x >>10 leshort x %d >>12 leshort x +%d >>14 leshort x +%d # Webshots (www.webshots.com), by John Harrison 0 string C\253\221g\230\0\0\0 Webshots Desktop .wbz file # Hercules DASD image files # From Jan Jaeger <jj@septa.nl> 0 string CKD_P370 Hercules CKD DASD image file >8 long x \b, %d heads per cylinder >12 long x \b, track size %d bytes >16 byte x \b, device type 33%2.2X 0 string CKD_C370 Hercules compressed CKD DASD image file >8 long x \b, %d heads per cylinder >12 long x \b, track size %d bytes >16 byte x \b, device type 33%2.2X 0 string CKD_S370 Hercules CKD DASD shadow file >8 long x \b, %d heads per cylinder >12 long x \b, track size %d bytes >16 byte x \b, device type 33%2.2X # Squeak images and programs - etoffi@softhome.net 0 string \146\031\0\0 Squeak image data 0 search/1 'From\040Squeak Squeak program text # partimage: file(1) magic for PartImage files (experimental, incomplete) # Author: Hans-Joachim Baader <hjb@pro-linux.de> 0 string PaRtImAgE-VoLuMe PartImage >0x0020 string 0.6.1 file version %s >>0x0060 lelong >-1 volume %ld #>>0x0064 8 byte identifier #>>0x007c reserved >>0x0200 string >\0 type %s >>0x1400 string >\0 device %s, >>0x1600 string >\0 original filename %s, # Some fields omitted >>0x2744 lelong 0 not compressed >>0x2744 lelong 1 gzip compressed >>0x2744 lelong 2 bzip2 compressed >>0x2744 lelong >2 compressed with unknown algorithm >0x0020 string >0.6.1 file version %s >0x0020 string <0.6.1 file version %s # DCX is multi-page PCX, using a simple header of up to 1024 # offsets for the respective PCX components. # From: Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de> 0 lelong 987654321 DCX multi-page PCX image data # Simon Walton <simonw@matteworld.com> # Kodak Cineon format for scanned negatives # http://www.kodak.com/US/en/motion/support/dlad/ 0 lelong 0xd75f2a80 Cineon image data >200 belong >0 \b, %ld x >204 belong >0 %ld # Bio-Rad .PIC is an image format used by microscope control systems # and related image processing software used by biologists. # From: Vebjorn Ljosa <vebjorn@ljosa.com> # BOOL values are two-byte integers; use them to rule out false positives. # http://web.archive.org/web/20050317223257/www.cs.ubc.ca/spider/ladic/text/biorad.txt # Samples: http://www.loci.wisc.edu/software/sample-data 14 leshort <2 >62 leshort <2 >>54 leshort 12345 Bio-Rad .PIC Image File >>>0 leshort >0 %hd x >>>2 leshort >0 %hd, >>>4 leshort =1 1 image in file >>>4 leshort >1 %hd images in file # From Jan "Yenya" Kasprzak <kas@fi.muni.cz> # The description of *.mrw format can be found at # http://www.dalibor.cz/minolta/raw_file_format.htm 0 string \000MRM Minolta Dimage camera raw image data # Summary: DjVu image / document # Extension: .djvu # Reference: http://djvu.org/docs/DjVu3Spec.djvu # Submitted by: Stephane Loeuillet <stephane.loeuillet@tiscali.fr> # Modified by (1): Abel Cheung <abelcheung@gmail.com> 0 string AT&TFORM >12 string DJVM DjVu multiple page document !:mime image/vnd.djvu >12 string DJVU DjVu image or single page document !:mime image/vnd.djvu >12 string DJVI DjVu shared document !:mime image/vnd.djvu >12 string THUM DjVu page thumbnails !:mime image/vnd.djvu # From Marc Espie 0 lelong 20000630 OpenEXR image data # From: Tom Hilinski <tom.hilinski@comcast.net> # http://www.unidata.ucar.edu/packages/netcdf/ 0 string CDF\001 NetCDF Data Format data #----------------------------------------------------------------------- # Hierarchical Data Format, used to facilitate scientific data exchange # specifications at http://hdf.ncsa.uiuc.edu/ 0 belong 0x0e031301 Hierarchical Data Format (version 4) data !:mime application/x-hdf 0 string \211HDF\r\n\032\n Hierarchical Data Format (version 5) data !:mime application/x-hdf # From: Tobias Burnus <burnus@net-b.de> # Xara (for a while: Corel Xara) is a graphic package, see # http://www.xara.com/ for Windows and as GPL application for Linux 0 string XARA\243\243 Xara graphics file # http://www.cartesianinc.com/Tech/ 0 string CPC\262 Cartesian Perceptual Compression image !:mime image/x-cpi # From Albert Cahalan <acahalan@gmail.com> # puredigital used it for the CVS disposable camcorder #8 lelong 4 ZBM bitmap image data #>4 leshort x %u x #>6 leshort x %u # From Albert Cahalan <acahalan@gmail.com> # uncompressed 5:6:5 HighColor image for OLPC XO firmware icons 0 string C565 OLPC firmware icon image data >4 leshort x %u x >6 leshort x %u # Applied Images - Image files from Cytovision # Gustavo Junior Alves <gjalves@gjalves.com.br> 0 string \xce\xda\xde\xfa Cytovision Metaphases file 0 string \xed\xad\xef\xac Cytovision Karyotype file 0 string \x0b\x00\x03\x00 Cytovision FISH Probe file 0 string \xed\xfe\xda\xbe Cytovision FLEX file 0 string \xed\xab\xed\xfe Cytovision FLEX file 0 string \xad\xfd\xea\xad Cytovision RATS file # Wavelet Scalar Quantization format used in gray-scale fingerprint images # From Tano M Fotang <mfotang@quanteq.com> 0 string \xff\xa0\xff\xa8\x00 Wavelet Scalar Quantization image data # JPEG 2000 Code Stream Bitmap # From Petr Splichal <psplicha@redhat.com> 0 string \xFF\x4F\xFF\x51\x00 JPEG-2000 Code Stream Bitmap data # From: Rick Richardson <rick.richardson@comcast.net> 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file # Type: Ulead Photo Explorer5 (.pe5) # URL: http://www.jisyo.com/cgibin/view.cgi?EXT=pe5 (Japanese) # From: Simon Horman <horms@debian.org> 0 string IIO2H Ulead Photo Explorer5 # Type: X11 cursor # URL: http://webcvs.freedesktop.org/mime/shared-mime-info/freedesktop.org.xml.in?view=markup # From: Mathias Brodala <info@noctus.net> 0 string Xcur X11 cursor # Type: Olympus ORF raw images. # URL: http://libopenraw.freedesktop.org/wiki/Olympus_ORF # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string MMOR Olympus ORF raw image data, big-endian !:mime image/x-olympus-orf 0 string IIRO Olympus ORF raw image data, little-endian !:mime image/x-olympus-orf 0 string IIRS Olympus ORF raw image data, little-endian !:mime image/x-olympus-orf # Type: files used in modern AVCHD camcoders to store clip information # Extension: .cpi # From: Alexander Danilov <alexander.a.danilov@gmail.com> 0 string HDMV0100 AVCHD Clip Information # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ # Radiance HDR; usually has .pic or .hdr extension. 0 string #?RADIANCE\n Radiance HDR image data #!mime image/vnd.radiance # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf # Used by the pfstools packages. The regex matches for the image size could # probably use some work. The MIME type is made up; if there's one in # actual common use, it should replace the one below. 0 string PFS1\x0a PFS HDR image data #!mime image/x-pfs >1 regex [0-9]*\ \b, %s >>1 regex \ [0-9]{4} \bx%s # Type: Foveon X3F # URL: http://www.photofo.com/downloads/x3f-raw-format.pdf # From: Adam Buchbinder <adam.buchbinder@gmail.com> # Note that the MIME type isn't defined anywhere that I can find; if # there's a canonical type for this format, it should replace this one. 0 string FOVb Foveon X3F raw image data !:mime image/x-x3f >6 leshort x \b, version %d. >4 leshort x \b%d >28 lelong x \b, %dx >32 lelong x \b%d # Paint.NET file # From Adam Buchbinder <adam.buchbinder@gmail.com> 0 string PDN3 Paint.NET image data !:mime image/x-paintnet # Not really an image. # From: "Tano M. Fotang" <mfotang@quanteq.com> 0 string \x46\x4d\x52\x00 ISO/IEC 19794-2 Format Minutiae Record (FMR) #------------------------------------------------------------------------------ # $File: inform,v 1.5 2009/09/19 16:28:09 christos Exp $ # inform: file(1) magic for Inform interactive fiction language # URL: http://www.inform-fiction.org/ # From: Reuben Thomas <rrt@sc3d.org> 0 search/100/cW constant\ story Inform source text #------------------------------------------------------------------------------ # $File: intel,v 1.10 2011/03/30 19:51:00 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which # is in "microsoft"). DOS is in "msdos"; the ambitious soul can do # Windows as well. # # Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and # whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere # as well, if, as, and when IBM makes it portable. # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # 0 leshort 0502 basic-16 executable >12 lelong >0 not stripped #>22 leshort >0 - version %ld 0 leshort 0503 basic-16 executable (TV) >12 lelong >0 not stripped #>22 leshort >0 - version %ld 0 leshort 0510 x86 executable >12 lelong >0 not stripped 0 leshort 0511 x86 executable (TV) >12 lelong >0 not stripped 0 leshort =0512 iAPX 286 executable small model (COFF) >12 lelong >0 not stripped #>22 leshort >0 - version %ld 0 leshort =0522 iAPX 286 executable large model (COFF) >12 lelong >0 not stripped #>22 leshort >0 - version %ld # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 0 leshort =0514 80386 COFF executable >12 lelong >0 not stripped >22 leshort >0 - version %ld # rom: file(1) magic for BIOS ROM Extensions found in intel machines # mapped into memory between 0xC0000 and 0xFFFFF # From Gürkan Sengün <gurkan@linuks.mine.nu>, www.linuks.mine.nu 0 beshort 0x55AA BIOS (ia32) ROM Ext. >5 string USB USB >7 string LDR UNDI image >30 string IBM IBM comp. Video >26 string Adaptec Adaptec >28 string Adaptec Adaptec >42 string PROMISE Promise >2 byte x (%d*512) # Flash descriptors for Intel SPI flash roms. # From Dr. Jesus <j@hug.gs> 0 lelong 0x0ff0a55a Intel serial flash for ICH/PCH ROM <= 5 or 3400 series A-step 16 lelong 0x0ff0a55a Intel serial flash for PCH ROM #------------------------------------------------------------------------------ # $File: interleaf,v 1.10 2009/09/19 16:28:10 christos Exp $ # interleaf: file(1) magic for InterLeaf TPS: # 0 string =\210OPS Interleaf saved data 0 string =<!OPS Interleaf document text >5 string ,\ Version\ = \b, version >>17 string >\0 %.3s #------------------------------------------------------------------------------ # $File: island,v 1.5 2009/09/19 16:28:10 christos Exp $ # island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1 # "/etc/magic": # From: guy@netapp.com (Guy Harris) # 4 string pgscriptver IslandWrite document 13 string DrawFile IslandDraw document #------------------------------------------------------------------------------ # $File: ispell,v 1.8 2009/09/19 16:28:10 christos Exp $ # ispell: file(1) magic for ispell # # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic # will match 0x9600 through 0x9603 in *both* little endian and big endian. # (No other current magic entries collide.) # # Updated by Daniel Quinlan (quinlan@yggdrasil.com) # 0 leshort&0xFFFC 0x9600 little endian ispell >0 byte 0 hash file (?), >0 byte 1 3.0 hash file, >0 byte 2 3.1 hash file, >0 byte 3 hash file (?), >2 leshort 0x00 8-bit, no capitalization, 26 flags >2 leshort 0x01 7-bit, no capitalization, 26 flags >2 leshort 0x02 8-bit, capitalization, 26 flags >2 leshort 0x03 7-bit, capitalization, 26 flags >2 leshort 0x04 8-bit, no capitalization, 52 flags >2 leshort 0x05 7-bit, no capitalization, 52 flags >2 leshort 0x06 8-bit, capitalization, 52 flags >2 leshort 0x07 7-bit, capitalization, 52 flags >2 leshort 0x08 8-bit, no capitalization, 128 flags >2 leshort 0x09 7-bit, no capitalization, 128 flags >2 leshort 0x0A 8-bit, capitalization, 128 flags >2 leshort 0x0B 7-bit, capitalization, 128 flags >2 leshort 0x0C 8-bit, no capitalization, 256 flags >2 leshort 0x0D 7-bit, no capitalization, 256 flags >2 leshort 0x0E 8-bit, capitalization, 256 flags >2 leshort 0x0F 7-bit, capitalization, 256 flags >4 leshort >0 and %d string characters 0 beshort&0xFFFC 0x9600 big endian ispell >1 byte 0 hash file (?), >1 byte 1 3.0 hash file, >1 byte 2 3.1 hash file, >1 byte 3 hash file (?), >2 beshort 0x00 8-bit, no capitalization, 26 flags >2 beshort 0x01 7-bit, no capitalization, 26 flags >2 beshort 0x02 8-bit, capitalization, 26 flags >2 beshort 0x03 7-bit, capitalization, 26 flags >2 beshort 0x04 8-bit, no capitalization, 52 flags >2 beshort 0x05 7-bit, no capitalization, 52 flags >2 beshort 0x06 8-bit, capitalization, 52 flags >2 beshort 0x07 7-bit, capitalization, 52 flags >2 beshort 0x08 8-bit, no capitalization, 128 flags >2 beshort 0x09 7-bit, no capitalization, 128 flags >2 beshort 0x0A 8-bit, capitalization, 128 flags >2 beshort 0x0B 7-bit, capitalization, 128 flags >2 beshort 0x0C 8-bit, no capitalization, 256 flags >2 beshort 0x0D 7-bit, no capitalization, 256 flags >2 beshort 0x0E 8-bit, capitalization, 256 flags >2 beshort 0x0F 7-bit, capitalization, 256 flags >4 beshort >0 and %d string characters # ispell 4.0 hash files kromJx <kromJx@crosswinds.net> # Ispell 4.0 0 string ISPL ispell >4 long x hash file version %d, >8 long x lexletters %d, >12 long x lexsize %d, >16 long x hashsize %d, >20 long x stblsize %d #------------------------------------------------------------------------------ # $File: isz,v 1.1 2010/03/27 16:17:09 christos Exp $ # ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file >4 byte x \b, header size %u >5 byte x \b, version %u >8 lelong x \b, serial %u #12 leshort x \b, sector size %u #>16 lelong x \b, total sectors %u >17 byte >0 \b, password protected #>24 lequad x \b, segment size %llu #>32 lelong x \b, blocks %u #>36 lelong x \b, block size %u #------------------------------------------------------------ # $File: java,v 1.13 2011/12/08 12:12:46 rrt Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". #------------------------------------------------------------ # Java serialization # From Martin Pool (m.pool@pharos.com.au) 0 beshort 0xaced Java serialization data >2 beshort >0x0004 \b, version %d 0 belong 0xfeedfeed Java KeyStore !:mime application/x-java-keystore 0 belong 0xcececece Java JCE KeyStore !:mime application/x-java-jce-keystore # Dalvik .dex format. http://retrodev.com/android/dexformat.html # From <mkf@google.com> "Mike Fleming" 0 string dex\n >0 regex dex\n[0-9][0-9][0-9]\0 Dalvik dex file >4 string >000 version %s 0 string dey\n >0 regex dey\n[0-9][0-9][0-9]\0 Dalvik dex file (optimized for host) >4 string >000 version %s # Java source 0 regex ^import.*;$ Java source !:mime text/x-java #------------------------------------------------------------------------------ # $File: jpeg,v 1.16 2011/01/04 19:29:32 rrt Exp $ # JPEG images # SunOS 5.5.1 had # # 0 string \377\330\377\340 JPEG file # 0 string \377\330\377\356 JPG file # # both of which turn into "JPEG image data" here. # 0 beshort 0xffd8 JPEG image data !:mime image/jpeg !:apple 8BIMJPEG !:strength +1 >6 string JFIF \b, JFIF standard # The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these # tests are not fool-proof since some perfectly valid JPEGs are currently # impossible to specify in magic(4) format. # First, a little JFIF version info: >>11 byte x \b %d. >>12 byte x \b%02d # Next, the resolution or aspect ratio of the image: #>>13 byte 0 \b, aspect ratio #>>13 byte 1 \b, resolution (DPI) #>>13 byte 2 \b, resolution (DPCM) #>>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte !0 \b, thumbnail %dx >>>19 byte x \b%d # EXIF moved down here to avoid reporting a bogus version number, # and EXIF version number printing added. # - Patrik R=E5dman <patrik+file-magic@iki.fi> >6 string Exif \b, EXIF standard # Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. # All possible combinations of entries have to be enumerated, since no looping # is possible. And both endians are possible... # The combinations included below are from real-world JPEGs. # Little-endian >>12 string II # IFD 0 Entry #5: >>>70 leshort 0x8769 # EXIF IFD Entry #1: >>>>(78.l+14) leshort 0x9000 >>>>>(78.l+23) byte x %c >>>>>(78.l+24) byte x \b.%c >>>>>(78.l+25) byte !0x30 \b%c # IFD 0 Entry #9: >>>118 leshort 0x8769 # EXIF IFD Entry #3: >>>>(126.l+38) leshort 0x9000 >>>>>(126.l+47) byte x %c >>>>>(126.l+48) byte x \b.%c >>>>>(126.l+49) byte !0x30 \b%c # IFD 0 Entry #10 >>>130 leshort 0x8769 # EXIF IFD Entry #3: >>>>(138.l+38) leshort 0x9000 >>>>>(138.l+47) byte x %c >>>>>(138.l+48) byte x \b.%c >>>>>(138.l+49) byte !0x30 \b%c # EXIF IFD Entry #4: >>>>(138.l+50) leshort 0x9000 >>>>>(138.l+59) byte x %c >>>>>(138.l+60) byte x \b.%c >>>>>(138.l+61) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(138.l+62) leshort 0x9000 >>>>>(138.l+71) byte x %c >>>>>(138.l+72) byte x \b.%c >>>>>(138.l+73) byte !0x30 \b%c # IFD 0 Entry #11 >>>142 leshort 0x8769 # EXIF IFD Entry #3: >>>>(150.l+38) leshort 0x9000 >>>>>(150.l+47) byte x %c >>>>>(150.l+48) byte x \b.%c >>>>>(150.l+49) byte !0x30 \b%c # EXIF IFD Entry #4: >>>>(150.l+50) leshort 0x9000 >>>>>(150.l+59) byte x %c >>>>>(150.l+60) byte x \b.%c >>>>>(150.l+61) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(150.l+62) leshort 0x9000 >>>>>(150.l+71) byte x %c >>>>>(150.l+72) byte x \b.%c >>>>>(150.l+73) byte !0x30 \b%c # Big-endian >>12 string MM # IFD 0 Entry #9: >>>118 beshort 0x8769 # EXIF IFD Entry #1: >>>>(126.L+14) beshort 0x9000 >>>>>(126.L+23) byte x %c >>>>>(126.L+24) byte x \b.%c >>>>>(126.L+25) byte !0x30 \b%c # EXIF IFD Entry #3: >>>>(126.L+38) beshort 0x9000 >>>>>(126.L+47) byte x %c >>>>>(126.L+48) byte x \b.%c >>>>>(126.L+49) byte !0x30 \b%c # IFD 0 Entry #10 >>>130 beshort 0x8769 # EXIF IFD Entry #3: >>>>(138.L+38) beshort 0x9000 >>>>>(138.L+47) byte x %c >>>>>(138.L+48) byte x \b.%c >>>>>(138.L+49) byte !0x30 \b%c # EXIF IFD Entry #5: >>>>(138.L+62) beshort 0x9000 >>>>>(138.L+71) byte x %c >>>>>(138.L+72) byte x \b.%c >>>>>(138.L+73) byte !0x30 \b%c # IFD 0 Entry #11 >>>142 beshort 0x8769 # EXIF IFD Entry #4: >>>>(150.L+50) beshort 0x9000 >>>>>(150.L+59) byte x %c >>>>>(150.L+60) byte x \b.%c >>>>>(150.L+61) byte !0x30 \b%c # Here things get sticky. We can do ONE MORE marker segment with # indirect addressing, and that's all. It would be great if we could # do pointer arithemetic like in an assembler language. Christos? # And if there was some sort of looping construct to do searches, plus a few # named accumulators, it would be even more effective... # At least we can show a comment if no other segments got inserted before: >(4.S+5) byte 0xFE \b, comment: >>(4.S+6) pstring/HJ x "%s" # Or, we can show the encoding type (I've included only the three most common) # and image dimensions if we are lucky and the SOFn (image segment) is here: >(4.S+5) byte 0xC0 \b, baseline >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d >(4.S+5) byte 0xC1 \b, extended sequential >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d >(4.S+5) byte 0xC2 \b, progressive >>(4.S+6) byte x \b, precision %d >>(4.S+7) beshort x \b, %dx >>(4.S+9) beshort x \b%d # I've commented-out quantisation table reporting. I doubt anyone cares yet. #>(4.S+5) byte 0xDB \b, quantisation table #>>(4.S+6) beshort x \b length=%d #>14 beshort x \b, %d x #>16 beshort x \b %d # HSI is Handmade Software's proprietary JPEG encoding scheme 0 string hsi1 JPEG image data, HSI proprietary # From: David Santinoli <david@santinoli.com> 0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 image data # Type: JPEG 2000 codesream # From: Mathieu Malaterre <mathieu.malaterre@gmail.com> 0 belong 0xff4fff51 JPEG 2000 codestream 45 beshort 0xff52 #------------------------------------------------------------------------------ # $File: karma,v 1.6 2009/09/19 16:28:10 christos Exp $ # karma: file(1) magic for Karma data files # # From <rgooch@atnf.csiro.au> 0 string KarmaRHD Version Karma Data Structure Version >16 belong x %lu #------------------------------------------------------------------------------ # $File: kde,v 1.5 2010/11/25 15:00:12 christos Exp $ # kde: file(1) magic for KDE 0 string/t [KDE\ Desktop\ Entry] KDE desktop entry !:mime application/x-kdelnk 0 string/t #\ KDE\ Config\ File KDE config file !:mime application/x-kdelnk 0 string/t #\ xmcd xmcd database file for kscd !:mime text/x-xmcd #------------------------------------------------------------------------------ # $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ # Type: Google KML, formerly Keyhole Markup Language # Future development of this format has been handed # over to the Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> 0 string/t \<?xml >20 search/400 \ xmlns= >>&0 regex ['"]http://earth.google.com/kml Google KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string 2.0' \b, version 2.0 >>>&1 string 2.1' \b, version 2.1 >>>&1 string 2.2' \b, version 2.2 #------------------------------------------------------------------------------ # Type: OpenGIS KML, formerly Keyhole Markup Language # This standard is maintained by the # Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> >>&0 regex ['"]http://www.opengis.net/kml OpenGIS KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string/t 2.2 \b, version 2.2 #------------------------------------------------------------------------------ # Type: Google KML Archive (ZIP based) # http://code.google.com/apis/kml/documentation/kml_tut.html # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> 0 string PK\003\004 >4 byte 0x14 >>30 string doc.kml Compressed Google KML Document, including resources. !:mime application/vnd.google-earth.kmz #------------------------------------------------------------------------------ # $File: lecter,v 1.4 2009/09/19 16:28:10 christos Exp $ # DEC SRC Virtual Paper: Lectern files # Karl M. Hegbloom <karlheg@inetarena.com> 0 string lect DEC SRC Virtual Paper Lectern file #------------------------------------------------------------------------------ # $File: lex,v 1.6 2009/09/19 16:28:10 christos Exp $ # lex: file(1) magic for lex # # derived empirically, your offsets may vary! 0 search/100 yyprevious C program text (from lex) >3 search/1 >\0 for %s # C program text from GNU flex, from Daniel Quinlan <quinlan@yggdrasil.com> 0 search/100 generated\ by\ flex C program text (from flex) # lex description file, from Daniel Quinlan <quinlan@yggdrasil.com> 0 search/1 %{ lex description text #------------------------------------------------------------------------------ # $File: lif,v 1.8 2009/09/19 16:28:10 christos Exp $ # lif: file(1) magic for lif # # (Daniel Quinlan <quinlan@yggdrasil.com>) # 0 beshort 0x8000 lif file #------------------------------------------------------------------------------ # $File: linux,v 1.42 2012/02/07 21:35:03 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> # The following basic Linux magic is useful for reference, but using # "long" magic is a better practice in order to avoid collisions. # # 2 leshort 100 Linux/i386 # >0 leshort 0407 impure executable (OMAGIC) # >0 leshort 0410 pure executable (NMAGIC) # >0 leshort 0413 demand-paged executable (ZMAGIC) # >0 leshort 0314 demand-paged executable (QMAGIC) # 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) >16 lelong 0 \b, stripped 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC) >16 lelong 0 \b, stripped # 0 string \007\001\000 Linux/i386 object file >20 lelong >0x1020 \b, DLL library # Linux-8086 stuff: 0 string \01\03\020\04 Linux-8086 impure executable >28 long !0 not stripped 0 string \01\03\040\04 Linux-8086 executable >28 long !0 not stripped # 0 string \243\206\001\0 Linux-8086 object file # 0 string \01\03\020\20 Minix-386 impure executable >28 long !0 not stripped 0 string \01\03\040\20 Minix-386 executable >28 long !0 not stripped # core dump file, from Bill Reynolds <bill@goshawk.lanl.gov> 216 lelong 0421 Linux/i386 core file >220 string >\0 of '%s' >200 lelong >0 (signal %d) # # LILO boot/chain loaders, from Daniel Quinlan <quinlan@yggdrasil.com> # this can be overridden by the DOS executable (COM) entry 2 string LILO Linux/i386 LILO boot/chain loader # # Linux make config build file, from Ole Aamot <oka@oka.no> 28 string make\ config Linux make config build file # # PSF fonts, from H. Peter Anvin <hpa@yggdrasil.com> # Updated by Adam Buchbinder <adam.buchbinder@gmail.com> # See: http://www.win.tue.nl/~aeb/linux/kbd/font-formats-1.html 0 leshort 0x0436 Linux/i386 PC Screen Font v1 data, >2 byte&0x01 0 256 characters, >2 byte&0x01 !0 512 characters, >2 byte&0x02 0 no directory, >2 byte&0x02 !0 Unicode directory, >3 byte >0 8x%d 0 string \x72\xb5\x4a\x86\x00\x00 Linux/i386 PC Screen Font v2 data, >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, >24 lelong x %d >28 lelong x \bx%d # Linux swap file, from Daniel Quinlan <quinlan@yggdrasil.com> 4086 string SWAP-SPACE Linux/i386 swap file # From: Jeff Bailey <jbailey@ubuntu.com> # Linux swap file with swsusp1 image, from Jeff Bailey <jbailey@ubuntu.com> 4076 string SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image # From: James Hunt <james.hunt@ubuntu.com> 4076 string SWAPSPACE2LINHIB0001 Linux/i386 swap file (new style) (compressed hibernate) # according to man page of mkswap (8) March 1999 # volume label and UUID Russell Coker # http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/ 4086 string SWAPSPACE2 Linux/i386 swap file (new style), >0x400 long x version %d (4K pages), >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x # From Daniel Novotny <dnovotny@redhat.com> # swap file for PowerPC 65526 string SWAPSPACE2 Linux swap file >0x400 long x version %d, >0x404 long x size %d pages, >1052 string \0 no label, >1052 string >\0 LABEL=%s, >0x40c belong x UUID=%08x >0x410 beshort x \b-%04x >0x412 beshort x \b-%04x >0x414 beshort x \b-%04x >0x416 belong x \b-%08x >0x41a beshort x \b%04x 16374 string SWAPSPACE2 Linux/ia64 swap file # # Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu> # and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de> # and Nicol�s Lichtmaier <nick@debian.org> # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) 514 string HdrS Linux kernel >510 leshort 0xAA55 x86 boot executable >>518 leshort >0x1ff >>>529 byte 0 zImage, >>>529 byte 1 bzImage, >>>(526.s+0x200) string >\0 version %s, >>498 leshort 1 RO-rootFS, >>498 leshort 0 RW-rootFS, >>508 leshort >0 root_dev 0x%X, >>502 leshort >0 swap_dev 0x%X, >>504 leshort >0 RAMdisksize %u KB, >>506 leshort 0xFFFF Normal VGA >>506 leshort 0xFFFE Extended VGA >>506 leshort 0xFFFD Prompt for Videomode >>506 leshort >0 Video mode %d # This also matches new kernels, which were caught above by "HdrS". 0 belong 0xb8c0078e Linux kernel >0x1e3 string Loading version 1.3.79 or older >0x1e9 string Loading from prehistoric times # System.map files - Nicol�s Lichtmaier <nick@debian.org> 8 search/1 \ A\ _text Linux kernel symbol map text # LSM entries - Nicol�s Lichtmaier <nick@debian.org> 0 search/1 Begin3 Linux Software Map entry text 0 search/1 Begin4 Linux Software Map entry text (new format) # From Matt Zimmerman, enhanced for v3 by Matthew Palmer 0 belong 0x4f4f4f4d User-mode Linux COW file >4 belong <3 \b, version %d >>8 string >\0 \b, backing file %s >4 belong >2 \b, version %d >>32 string >\0 \b, backing file %s ############################################################################ # Linux kernel versions 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux >497 leshort 0 x86 boot sector >>514 belong 0x8e of a kernel from the dawn of time! >>514 belong 0x908ed8b4 version 0.99-1.1.42 >>514 belong 0x908ed8b8 for memtest86 >497 leshort !0 x86 kernel >>504 leshort >0 RAMdisksize=%u KB >>502 leshort >0 swap=0x%X >>508 leshort >0 root=0x%X >>>498 leshort 1 \b-ro >>>498 leshort 0 \b-rw >>506 leshort 0xFFFF vga=normal >>506 leshort 0xFFFE vga=extended >>506 leshort 0xFFFD vga=ask >>506 leshort >0 vga=%d >>514 belong 0x908ed881 version 1.1.43-1.1.45 >>514 belong 0x15b281cd >>>0xa8e belong 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 >>>0xa99 belong 0x55AA5a5a version 1.3.1,2 >>>0xaa3 belong 0x55AA5a5a version 1.3.3-1.3.30 >>>0xaa6 belong 0x55AA5a5a version 1.3.31-1.3.41 >>>0xb2b belong 0x55AA5a5a version 1.3.42-1.3.45 >>>0xaf7 belong 0x55AA5a5a version 1.3.46-1.3.72 >>514 string HdrS >>>518 leshort >0x1FF >>>>529 byte 0 \b, zImage >>>>529 byte 1 \b, bzImage >>>>(526.s+0x200) string >\0 \b, version %s # Linux boot sector thefts. 0 belong 0xb8c0078e Linux >0x1e6 belong 0x454c4b53 ELKS Kernel >0x1e6 belong !0x454c4b53 style boot sector ############################################################################ # Linux S390 kernel image # Created by: Jan Kaluza <jkaluza@redhat.com> 8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390 >0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc # 64bit >>&0 string \xc1\x00\xef\xe3\xf0\x68\x00\x00 Z10 64bit kernel >>&0 string \xc1\x00\xef\xc3\x00\x00\x00\x00 Z9-109 64bit kernel >>&0 string \xc0\x00\x20\x00\x00\x00\x00\x00 Z990 64bit kernel >>&0 string \x00\x00\x00\x00\x00\x00\x00\x00 Z900 64bit kernel # 32bit >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z10 32bit kernel >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel >>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel >>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel # Linux ARM compressed kernel image # From: Kevin Cernekee <cernekee@gmail.com> 36 lelong 0x016f2818 Linux kernel ARM boot executable zImage (little-endian) 36 belong 0x016f2818 Linux kernel ARM boot executable zImage (big-endian) ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless >5 string . >>4 string >\0 \b, libc version %s 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable >2 byte&0x01 !0 \b, unmapped zero page >2 byte&0x20 0 \b, impure >2 byte&0x20 !0 >>2 byte&0x10 !0 \b, A_EXEC >2 byte&0x02 !0 \b, A_PAL >2 byte&0x04 !0 \b, A_NSYM >2 byte&0x08 !0 \b, A_STAND >2 byte&0x40 !0 \b, A_PURE >2 byte&0x80 !0 \b, A_TOVLY >28 long !0 \b, not stripped >37 string . >>36 string >\0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable # 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable # 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable # SYSLINUX boot logo files (from 'ppmtolss16' sources) # http://syslinux.zytor.com/ # 0 lelong =0x1413f33d SYSLINUX' LSS16 image data >4 leshort x \b, width %d >6 leshort x \b, height %d 0 string OOOM User-Mode-Linux's Copy-On-Write disk image >4 belong x version %d # SE Linux policy database # From: Mike Frysinger <vapier@gentoo.org> 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net> # # System ID, UUID and volume group name are 128 bytes long # but they should never be full and initialized with zeros... # # LVM1 # 0x0 string HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string >\0 , System ID: %s 0x0 string HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string >\0 , System ID: %s # LVM2 # # It seems that the label header can be in one the four first sector # of the disk... (from _find_labeller in lib/label/label.c of LVM2) # # 0x200 seems to be the common case 0x218 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) # read the offset to add to the start of the header, and the header # start in 0x200 >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld 0x018 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld 0x418 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld 0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) >&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s >>&0xa string >\x2f \b-%.4s >>&0xe string >\x2f \b-%.4s >>&0x12 string >\x2f \b-%.4s >>&0x16 string >\x2f \b-%.4s >>&0x1a string >\x2f \b-%.6s >>&0x20 lequad x \b, size: %lld # LVM snapshot # from Jason Farrel 0 string SnAp LVM Snapshot (CopyOnWrite store) >4 lelong !0 - valid, >4 lelong 0 - invalid, >8 lelong x version %d, >12 lelong x chunk_size %d # SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec # Anthon van der Neut (anthon@mnt.org) 0 string LUKS\xba\xbe LUKS encrypted file, >6 beshort x ver %d >8 string x [%s, >40 string x %s, >72 string x %s] >168 string x UUID: %s # Summary: Xen saved domain file # Created by: Radek Vokal <rvokal@redhat.com> 0 string LinuxGuestRecord Xen saved domain >20 search/256 (name >>&1 string x (name %s) # Type: Xen, the virtual machine monitor # From: Radek Vokal <rvokal@redhat.com> 0 string LinuxGuestRecord Xen saved domain #>2 regex \(name\ [^)]*\) %s >20 search/256 (name (name >>&1 string x %s...) #------------------------------------------------------------------------------ # $File: lisp,v 1.23 2009/09/19 16:28:10 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) # updated by Joerg Jenderek # GRR: This lot is too weak #0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end #>2 search/4096 !\r Lisp/Scheme program text #>2 search/4096 \r Windows INF file 0 search/4096 (setq\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (defvar\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (defparam\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (defun\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (autoload\ Lisp/Scheme program text !:mime text/x-lisp 0 search/4096 (custom-set-variables\ Lisp/Scheme program text !:mime text/x-lisp # Emacs 18 - this is always correct, but not very magical. 0 string \012( Emacs v18 byte-compiled Lisp data !:mime application/x-elc # Emacs 19+ - ver. recognition added by Ian Springer # Also applies to XEmacs 19+ .elc files; could tell them apart with regexs # - Chris Chittleborough <cchittleborough@yahoo.com.au> 0 string ;ELC >4 byte >18 >4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data !:mime application/x-elc # Files produced by CLISP Common Lisp From: Bruno Haible <haible@ilog.fr> 0 string (SYSTEM::VERSION\040' CLISP byte-compiled Lisp program (pre 2004-03-27) 0 string (|SYSTEM|::|VERSION|\040' CLISP byte-compiled Lisp program text 0 long 0x70768BD2 CLISP memory image data 0 long 0xD28B7670 CLISP memory image data, other endian #.com and .bin for MIT scheme 0 string \372\372\372\372 MIT scheme (library?) # From: David Allouche <david@allouche.net> 0 search/1 \<TeXmacs| TeXmacs document text !:mime text/texmacs #------------------------------------------------------------------------------ # $File: llvm,v 1.5 2010/09/20 18:55:20 rrt Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: http://llvm.org/docs/BitCodeFormat.html # From: Al Stone <ahs3@fc.hp.com> 0 string llvm LLVM byte-codes, uncompressed 0 string llvc0 LLVM byte-codes, null compression 0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc2 LLVM byte-codes, bzip2 compression 0 string \xde\xc0\x17\x0b LLVM bitcode, wrapper 0 string BC\xc0\xde LLVM bitcode #------------------------------------------------------------------------------ # $File: lua,v 1.5 2009/09/19 16:28:10 christos Exp $ # lua: file(1) magic for Lua scripting language # URL: http://www.lua.org/ # From: Reuben Thomas <rrt@sc3d.org>, Seo Sanghyeon <tinuviel@sparcs.kaist.ac.kr> # Lua scripts 0 search/1/w #!\ /usr/bin/lua Lua script text executable !:mime text/x-lua 0 search/1/w #!\ /usr/local/bin/lua Lua script text executable !:mime text/x-lua 0 search/1 #!/usr/bin/env\ lua Lua script text executable !:mime text/x-lua 0 search/1 #!\ /usr/bin/env\ lua Lua script text executable !:mime text/x-lua # Lua bytecode 0 string \033Lua Lua bytecode, >4 byte 0x50 version 5.0 >4 byte 0x51 version 5.1 #------------------------------------------------------------------------------ # $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ # luks: file(1) magic for Linux Unified Key Setup # URL: http://luks.endorphin.org/spec # From: Anthon van der Neut <anthon@mnt.org> 0 string LUKS\xba\xbe LUKS encrypted file, >6 beshort x ver %d >8 string x [%s, >40 string x %s, >72 string x %s] >168 string x UUID: %s #------------------------------------------------------------------------------ # $File: m4,v 1.1 2011/12/08 12:12:46 rrt Exp $ # make: file(1) magic for M4 scripts # 0 regex \^dnl\ M4 macro processor script text !:mime text/x-m4 #------------------------------------------------------------ # $File: mach,v 1.9 2009/09/19 16:28:10 christos Exp $ # Mach has two magic numbers, 0xcafebabe and 0xfeedface. # Unfortunately the first, cafebabe, is shared with # Java ByteCode, so they are both handled in the file "cafebabe". # The "feedface" ones are handled herein. #------------------------------------------------------------ 0 lelong&0xfffffffe 0xfeedface Mach-O >0 byte 0xcf 64-bit >12 lelong 1 object >12 lelong 2 executable >12 lelong 3 fixed virtual memory shared library >12 lelong 4 core >12 lelong 5 preload executable >12 lelong 6 dynamically linked shared library >12 lelong 7 dynamic linker >12 lelong 8 bundle >12 lelong 9 dynamically linked shared library stub >12 lelong >9 >>12 lelong x filetype=%ld >4 lelong <0 >>4 lelong x architecture=%ld >4 lelong 1 vax >4 lelong 2 romp >4 lelong 3 architecture=3 >4 lelong 4 ns32032 >4 lelong 5 ns32332 >4 lelong 6 m68k >4 lelong 7 i386 >4 lelong 8 mips >4 lelong 9 ns32532 >4 lelong 10 architecture=10 >4 lelong 11 hppa >4 lelong 12 acorn >4 lelong 13 m88k >4 lelong 14 sparc >4 lelong 15 i860-big >4 lelong 16 i860 >4 lelong 17 rs6000 >4 lelong 18 ppc >4 lelong 16777234 ppc64 >4 lelong >16777234 >>4 lelong x architecture=%ld # 0 belong&0xfffffffe 0xfeedface Mach-O >3 byte 0xcf 64-bit >12 belong 1 object >12 belong 2 executable >12 belong 3 fixed virtual memory shared library >12 belong 4 core >12 belong 5 preload executable >12 belong 6 dynamically linked shared library >12 belong 7 dynamic linker >12 belong 8 bundle >12 belong 9 dynamically linked shared library stub >12 belong >9 >>12 belong x filetype=%ld >4 belong <0 >>4 belong x architecture=%ld >4 belong 1 vax >4 belong 2 romp >4 belong 3 architecture=3 >4 belong 4 ns32032 >4 belong 5 ns32332 >4 belong 6 for m68k architecture # from NeXTstep 3.0 <mach/machine.h> # i.e. mc680x0_all, ignore # >>8 belong 1 (mc68030) >>8 belong 2 (mc68040) >>8 belong 3 (mc68030 only) >4 belong 7 i386 >4 belong 8 mips >4 belong 9 ns32532 >4 belong 10 architecture=10 >4 belong 11 hppa >4 belong 12 acorn >4 belong 13 m88k >4 belong 14 sparc >4 belong 15 i860-big >4 belong 16 i860 >4 belong 17 rs6000 >4 belong 18 ppc >4 belong 16777234 ppc64 >4 belong >16777234 >>4 belong x architecture=%ld #------------------------------------------------------------------------------ # $File: macintosh,v 1.22 2011/05/17 17:40:31 rrt Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 string must\ be\ converted\ with\ BinHex BinHex binary text !:mime application/mac-binhex40 >41 string x \b, version %.3s # Stuffit archives are the de facto standard of compression for Macintosh # files obtained from most archives. (franklsm@tuns.ca) 0 string SIT! StuffIt Archive (data) !:mime application/x-stuffit !:apple SIT!SIT! >2 string x : %s 0 string SITD StuffIt Deluxe (data) >2 string x : %s 0 string Seg StuffIt Deluxe Segment (data) >2 string x : %s # Newer StuffIt archives (grant@netbsd.org) 0 string StuffIt StuffIt Archive !:mime application/x-stuffit !:apple SIT!SIT! #>162 string >0 : %s # Macintosh Applications and Installation binaries (franklsm@tuns.ca) # GRR: Too weak #0 string APPL Macintosh Application (data) #>2 string x \b: %s # Macintosh System files (franklsm@tuns.ca) # GRR: Too weak #0 string zsys Macintosh System File (data) #0 string FNDR Macintosh Finder (data) #0 string libr Macintosh Library (data) #>2 string x : %s #0 string shlb Macintosh Shared Library (data) #>2 string x : %s #0 string cdev Macintosh Control Panel (data) #>2 string x : %s #0 string INIT Macintosh Extension (data) #>2 string x : %s #0 string FFIL Macintosh Truetype Font (data) #>2 string x : %s #0 string LWFN Macintosh Postscript Font (data) #>2 string x : %s # Additional Macintosh Files (franklsm@tuns.ca) # GRR: Too weak #0 string PACT Macintosh Compact Pro Archive (data) #>2 string x : %s #0 string ttro Macintosh TeachText File (data) #>2 string x : %s #0 string TEXT Macintosh TeachText File (data) #>2 string x : %s #0 string PDF Macintosh PDF File (data) #>2 string x : %s # MacBinary format (Eric Fischer, enf@pobox.com) # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. The checksum is really the way to # do it, but the magic file format isn't up to the challenge. # # 0 byte 0 # 1 byte # filename length # 2 string # filename # 65 string # file type # 69 string # file creator # 73 byte # Finder flags # 74 byte 0 # 75 beshort # vertical posn in window # 77 beshort # horiz posn in window # 79 beshort # window or folder ID # 81 byte # protected? # 82 byte 0 # 83 belong # length of data segment # 87 belong # length of resource segment # 91 belong # file creation date # 95 belong # file modification date # 99 beshort # length of comment after resource # 101 byte # new Finder flags # 102 string mBIN # (only in MacBinary III) # 106 byte # char. code of file name # 107 byte # still more Finder flags # 116 belong # total file length # 120 beshort # length of add'l header # 122 byte 129 # for MacBinary II # 122 byte 130 # for MacBinary III # 123 byte 129 # minimum version that can read fmt # 124 beshort # checksum # # This attempts to use the version numbers as a magic number, requiring # that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second # be 0x81. This works for the files I have, but maybe not for everyone's. # Unfortunately, this magic is quite weak - MPi #122 beshort&0xFCFF 0x8081 Macintosh MacBinary data # MacBinary I doesn't have the version number field at all, but MacBinary II # has been in use since 1987 so I hope there aren't many really old files # floating around that this will miss. The original spec calls for using # the nulls in 0, 74, and 82 as the magic number. # # Another possibility, that would also work for MacBinary I, is to use # the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will # have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, # and that 74 will be 0. So something like # # 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data # # >73 byte&0x01 0x01 \b, inited # >73 byte&0x02 0x02 \b, changed # >73 byte&0x04 0x04 \b, busy # >73 byte&0x08 0x08 \b, bozo # >73 byte&0x10 0x10 \b, system # >73 byte&0x10 0x20 \b, bundle # >73 byte&0x10 0x40 \b, invisible # >73 byte&0x10 0x80 \b, locked #>65 string x \b, type "%4.4s" #>65 string 8BIM (PhotoShop) #>65 string ALB3 (PageMaker 3) #>65 string ALB4 (PageMaker 4) #>65 string ALT3 (PageMaker 3) #>65 string APPL (application) #>65 string AWWP (AppleWorks word processor) #>65 string CIRC (simulated circuit) #>65 string DRWG (MacDraw) #>65 string EPSF (Encapsulated PostScript) #>65 string FFIL (font suitcase) #>65 string FKEY (function key) #>65 string FNDR (Macintosh Finder) #>65 string GIFf (GIF image) #>65 string Gzip (GNU gzip) #>65 string INIT (system extension) #>65 string LIB\ (library) #>65 string LWFN (PostScript font) #>65 string MSBC (Microsoft BASIC) #>65 string PACT (Compact Pro archive) #>65 string PDF\ (Portable Document Format) #>65 string PICT (picture) #>65 string PNTG (MacPaint picture) #>65 string PREF (preferences) #>65 string PROJ (Think C project) #>65 string QPRJ (Think Pascal project) #>65 string SCFL (Defender scores) #>65 string SCRN (startup screen) #>65 string SITD (StuffIt Deluxe) #>65 string SPn3 (SuperPaint) #>65 string STAK (HyperCard stack) #>65 string Seg\ (StuffIt segment) #>65 string TARF (Unix tar archive) #>65 string TEXT (ASCII) #>65 string TIFF (TIFF image) #>65 string TOVF (Eudora table of contents) #>65 string WDBN (Microsoft Word word processor) #>65 string WORD (MacWrite word processor) #>65 string XLS\ (Microsoft Excel) #>65 string ZIVM (compress (.Z)) #>65 string ZSYS (Pre-System 7 system file) #>65 string acf3 (Aldus FreeHand) #>65 string cdev (control panel) #>65 string dfil (Desk Acessory suitcase) #>65 string libr (library) #>65 string nX^d (WriteNow word processor) #>65 string nX^w (WriteNow dictionary) #>65 string rsrc (resource) #>65 string scbk (Scrapbook) #>65 string shlb (shared library) #>65 string ttro (SimpleText read-only) #>65 string zsys (system file) #>69 string x \b, creator "%4.4s" # Somewhere, Apple has a repository of registered Creator IDs. These are # just the ones that I happened to have files from and was able to identify. #>69 string 8BIM (Adobe Photoshop) #>69 string ALD3 (PageMaker 3) #>69 string ALD4 (PageMaker 4) #>69 string ALFA (Alpha editor) #>69 string APLS (Apple Scanner) #>69 string APSC (Apple Scanner) #>69 string BRKL (Brickles) #>69 string BTFT (BitFont) #>69 string CCL2 (Common Lisp 2) #>69 string CCL\ (Common Lisp) #>69 string CDmo (The Talking Moose) #>69 string CPCT (Compact Pro) #>69 string CSOm (Eudora) #>69 string DMOV (Font/DA Mover) #>69 string DSIM (DigSim) #>69 string EDIT (Macintosh Edit) #>69 string ERIK (Macintosh Finder) #>69 string EXTR (self-extracting archive) #>69 string Gzip (GNU gzip) #>69 string KAHL (Think C) #>69 string LWFU (LaserWriter Utility) #>69 string LZIV (compress) #>69 string MACA (MacWrite) #>69 string MACS (Macintosh operating system) #>69 string MAcK (MacKnowledge terminal emulator) #>69 string MLND (Defender) #>69 string MPNT (MacPaint) #>69 string MSBB (Microsoft BASIC (binary)) #>69 string MSWD (Microsoft Word) #>69 string NCSA (NCSA Telnet) #>69 string PJMM (Think Pascal) #>69 string PSAL (Hunt the Wumpus) #>69 string PSI2 (Apple File Exchange) #>69 string R*ch (BBEdit) #>69 string RMKR (Resource Maker) #>69 string RSED (Resource Editor) #>69 string Rich (BBEdit) #>69 string SIT! (StuffIt) #>69 string SPNT (SuperPaint) #>69 string Unix (NeXT Mac filesystem) #>69 string VIM! (Vim editor) #>69 string WILD (HyperCard) #>69 string XCEL (Microsoft Excel) #>69 string aCa2 (Fontographer) #>69 string aca3 (Aldus FreeHand) #>69 string dosa (Macintosh MS-DOS file system) #>69 string movr (Font/DA Mover) #>69 string nX^n (WriteNow) #>69 string pdos (Apple ProDOS file system) #>69 string scbk (Scrapbook) #>69 string ttxt (SimpleText) #>69 string ufox (Foreign File Access) # Just in case... 102 string mBIN MacBinary III data with surprising version number # sas magic from Bruce Foster (bef@nwu.edu) # #0 string SAS SAS #>8 string x %s 0 string SAS SAS >24 string DATA data file >24 string CATALOG catalog >24 string INDEX data file index >24 string VIEW data view # sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com) # 0x54 string SAS SAS 7+ >0x9C string DATA data file >0x9C string CATALOG catalog >0x9C string INDEX data file index >0x9C string VIEW data view # spss magic for SPSS system and portable files, # from Bruce Foster (bef@nwu.edu). 0 long 0xc1e2c3c9 SPSS Portable File >40 string x %s 0 string $FL2 SPSS System File >24 string x %s # Macintosh filesystem data # From "Tom N Harris" <telliamed@mac.com> # Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net> # The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these # entries depend on the data arithmetic added after v.35 # There's also some Pascal strings in here, ditto... # The boot block signature, according to IM:Files, is # "for HFS volumes, this field always contains the value 0x4C4B." # But if this is true for MFS or HFS+ volumes, I don't know. # Alternatively, the boot block is supposed to be zeroed if it's # unused, so a simply >0 should suffice. 0x400 beshort 0xD2D7 Macintosh MFS data >0 beshort 0x4C4B (bootable) >0x40a beshort &0x8000 (locked) >0x402 beldate-0x7C25B080 x created: %s, >0x406 beldate-0x7C25B080 >0 last backup: %s, >0x414 belong x block size: %d, >0x412 beshort x number of blocks: %d, >0x424 pstring x volume name: %s # "BD" gives many false positives #0x400 beshort 0x4244 Macintosh HFS data #>0 beshort 0x4C4B (bootable) #>0x40a beshort &0x8000 (locked) #>0x40a beshort ^0x0100 (mounted) #>0x40a beshort &0x0200 (spared blocks) #>0x40a beshort &0x0800 (unclean) #>0x47C beshort 0x482B (Embedded HFS+ Volume) #>0x402 beldate-0x7C25B080 x created: %s, #>0x406 beldate-0x7C25B080 x last modified: %s, #>0x440 beldate-0x7C25B080 >0 last backup: %s, #>0x414 belong x block size: %d, #>0x412 beshort x number of blocks: %d, #>0x424 pstring x volume name: %s 0x400 beshort 0x482B Macintosh HFS Extended >&0 beshort x version %d data >0 beshort 0x4C4B (bootable) >0x404 belong ^0x00000100 (mounted) >&2 belong &0x00000200 (spared blocks) >&2 belong &0x00000800 (unclean) >&2 belong &0x00008000 (locked) >&6 string x last mounted by: '%.4s', # really, that should be treated as a belong and we print a string # based on the value. TN1150 only mentions '8.10' for "MacOS 8.1" >&14 beldate-0x7C25B080 x created: %s, # only the creation date is local time, all other timestamps in HFS+ are UTC. >&18 bedate-0x7C25B080 x last modified: %s, >&22 bedate-0x7C25B080 >0 last backup: %s, >&26 bedate-0x7C25B080 >0 last checked: %s, >&38 belong x block size: %d, >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d # I don't think this is really necessary since it doesn't do much and # anything with a valid driver descriptor will also have a valid # partition map #0 beshort 0x4552 Apple Device Driver data #>&24 beshort =1 \b, MacOS # Is that the partition type a cstring or a pstring? Well, IM says "strings # shorter than 32 bytes must be terminated with NULL" so I'll treat it as a # cstring. Of course, partitions can contain more than four entries, but # what're you gonna do? # GRR: This magic is too weak, it is just "PM" #0x200 beshort 0x504D Apple Partition data #>0x2 beshort x (block size: %d): #>0x230 string x first type: %s, #>0x210 string x name: %s, #>0x254 belong x number of blocks: %d, #>0x400 beshort 0x504D #>>0x430 string x second type: %s, #>>0x410 string x name: %s, #>>0x454 belong x number of blocks: %d, #>>0x600 beshort 0x504D #>>>0x630 string x third type: %s, #>>>0x610 string x name: %s, #>>>0x654 belong x number of blocks: %d, #>>0x800 beshort 0x504D #>>>0x830 string x fourth type: %s, #>>>0x810 string x name: %s, #>>>0x854 belong x number of blocks: %d, #>>>0xa00 beshort 0x504D #>>>>0xa30 string x fifth type: %s, #>>>>0xa10 string x name: %s, #>>>>0xa54 belong x number of blocks: %d #>>>0xc00 beshort 0x504D #>>>>0xc30 string x sixth type: %s, #>>>>0xc10 string x name: %s, #>>>>0xc54 belong x number of blocks: %d ## AFAIK, only the signature is different #0x200 beshort 0x5453 Apple Old Partition data #>0x2 beshort x block size: %d, #>0x230 string x first type: %s, #>0x210 string x name: %s, #>0x254 belong x number of blocks: %d, #>0x400 beshort 0x504D #>>0x430 string x second type: %s, #>>0x410 string x name: %s, #>>0x454 belong x number of blocks: %d, #>>0x800 beshort 0x504D #>>>0x830 string x third type: %s, #>>>0x810 string x name: %s, #>>>0x854 belong x number of blocks: %d, #>>>0xa00 beshort 0x504D #>>>>0xa30 string x fourth type: %s, #>>>>0xa10 string x name: %s, #>>>>0xa54 belong x number of blocks: %d # From: Remi Mommsen <mommsen@slac.stanford.edu> 0 string BOMStore Mac OS X bill of materials (BOM) file # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: http://en.wikipedia.org/wiki/Datafork_TrueType # Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is # TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I # don't know what they mean. 0 belong 0x100 >(0x4.L+24) beshort x >>&4 belong 0x73666e74 Mac OSX datafork font, TrueType >>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' >>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' >>&4 belong 0x504f5354 Mac OSX datafork font, PostScript #------------------------------------------------------------------------------ # $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ # magic: file(1) magic for magic files # 0 string/t #\ Magic magic text file for file(1) cmd 0 lelong 0xF11E041C magic binary file for file(1) cmd >4 lelong x (version %d) (little endian) 0 belong 0xF11E041C magic binary file for file(1) cmd >4 belong x (version %d) (big endian) #------------------------------------------------------------------------------ # $File: mail.news,v 1.20 2011/12/08 12:12:46 rrt Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. #0 string From mail text 0 string/t Relay-Version: old news text !:mime message/rfc822 0 string/t #!\ rnews batched news text !:mime message/rfc822 0 string/t N#!\ rnews mailed, batched news text !:mime message/rfc822 0 string/t Forward\ to mail forwarding text !:mime message/rfc822 0 string/t Pipe\ to mail piping text !:mime message/rfc822 0 string/t Delivered-To: SMTP mail text !:mime message/rfc822 0 string/t Return-Path: SMTP mail text !:mime message/rfc822 0 string/t Path: news text !:mime message/news 0 string/t Xref: news text !:mime message/news 0 string/t From: news or mail text !:mime message/rfc822 0 string/t Article saved news text !:mime message/news 0 string/t BABYL Emacs RMAIL text 0 string/t Received: RFC 822 mail text !:mime message/rfc822 0 string/t MIME-Version: MIME entity text #0 string/t Content- MIME entity text # TNEF files... 0 lelong 0x223E9F78 Transport Neutral Encapsulation Format !:mime application/vnd.ms-tnef # From: Kevin Sullivan <ksulliva@psc.edu> 0 string *mbx* MBX mail folder # From: Simon Matter <simon.matter@invoca.ch> 0 string \241\002\213\015skiplist\ file\0\0\0 Cyrus skiplist DB # JAM(mbp) Fidonet message area databases # JHR file 0 string JAM\0 JAM message area header file >12 leshort >0 (%d messages) # Squish Fidonet message area databases # SQD file (requires at least one message in the area) # XXX: Weak magic #256 leshort 0xAFAE4453 Squish message area data file #>4 leshort >0 (%d messages) #0 string \<!--\ MHonArc text/html; x-type=mhonarc # Cyrus: file(1) magic for compiled Cyrus sieve scripts # URL: http://www.cyrusimap.org/docs/cyrus-imapd/2.4.6/internal/bytecode.php # URL: http://git.cyrusimap.org/cyrus-imapd/tree/sieve/bytecode.h?h=master # From: Philipp Hahn <hahn@univention.de> # Compiled Cyrus sieve script 0 string CyrSBytecode Cyrus sieve bytecode data, >12 belong =1 version 1, big-endian >12 lelong =1 version 1, little-endian >12 belong x version %d, network-endian #------------------------------------------------------------------------------ # $File: make,v 1.1 2011/12/08 12:12:46 rrt Exp $ # make: file(1) magic for makefiles # 0 regex \^CFLAGS makefile script text !:mime text/x-makefile 0 regex \^LDFLAGS makefile script text !:mime text/x-makefile 0 regex \^all: makefile script text !:mime text/x-makefile 0 regex \^.PRECIOUS makefile script text !:mime text/x-makefile 0 regex \^SUBDIRS automake makefile script text !:mime text/x-makefile #------------------------------------------------------------------------------ # $File: maple,v 1.6 2009/09/19 16:28:10 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" <aldomel@ix.netcom.com> # Maple V release 4, a multi-purpose math program # # maple library .lib 0 string \000MVR4\nI MapleVr4 library # .ind # no magic for these :-( # they are compiled indexes for maple files # .hdb 0 string \000\004\000\000 Maple help database # .mhp # this has the form <PACKAGE=name> 0 string \<PACKAGE= Maple help file 0 string \<HELP\ NAME= Maple help file 0 string \n\<HELP\ NAME= Maple help file with extra carriage return at start (yuck) #0 string #\ Newton Maple help file, old style 0 string #\ daub Maple help file, old style #0 string #=========== Maple help file, old style # .mws 0 string \000\000\001\044\000\221 Maple worksheet #this is anomalous 0 string WriteNow\000\002\000\001\000\000\000\000\100\000\000\000\000\000 Maple worksheet, but weird # this has the form {VERSION 2 3 "IBM INTEL NT" "2.3" }\n # that is {VERSION major_version miunor_version computer_type version_string} 0 string {VERSION\ Maple worksheet >9 string >\0 version %.1s. >>>11 string >\0 %.1s # .mps 0 string \0\0\001$ Maple something # from byte 4 it is either 'nul E' or 'soh R' # I think 'nul E' means a file that was saved as a different name # a sort of revision marking # 'soh R' means new >4 string \000\105 An old revision >4 string \001\122 The latest save # .mpl # some of these are the same as .mps above #0000000 000 000 001 044 000 105 same as .mps #0000000 000 000 001 044 001 122 same as .mps 0 string #\n##\ <SHAREFILE= Maple something 0 string \n#\n##\ <SHAREFILE= Maple something 0 string ##\ <SHAREFILE= Maple something 0 string #\r##\ <SHAREFILE= Maple something 0 string \r#\r##\ <SHAREFILE= Maple something 0 string #\ \r##\ <DESCRIBE> Maple something anomalous. #-------------------------------------------- # marc21: file(1) magic for MARC 21 Format # # Kevin Ford (kefo@loc.gov) # # MARC21 formats are for the representation and communication # of bibliographic and related information in machine-readable # form. For more info, see http://www.loc.gov/marc/ # leader position 20-21 must be 45 20 string 45 # leader starts with 5 digits, followed by codes specific to MARC format >0 regex/1 (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic !:mime application/marc >0 regex/1 (^[0-9]{5})[acdnosx][z] MARC21 Authority !:mime application/marc >0 regex/1 (^[0-9]{5})[cdn][uvxy] MARC21 Holdings !:mime application/marc 0 regex/1 (^[0-9]{5})[acdn][w] MARC21 Classification !:mime application/marc >0 regex/1 (^[0-9]{5})[cdn][q] MARC21 Community !:mime application/marc # leader position 22-23, should be "00" but is it? >0 regex/1 (^.{21})([^0]{2}) (non-conforming) !:mime application/marc #------------------------------------------------------------------------------ # $File: mathcad,v 1.5 2009/09/19 16:28:10 christos Exp $ # mathcad: file(1) magic for Mathcad documents # URL: http://www.mathsoft.com/ # From: Josh Triplett <josh@freedesktop.org> 0 string .MCAD\t Mathcad document #------------------------------------------------------------------------------ # $File: mathematica,v 1.7 2009/09/19 16:28:10 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" <aldomel@ix.netcom.com> # Mathematica a multi-purpose math program # versions 2.2 and 3.0 #mathematica .mb 0 string \064\024\012\000\035\000\000\000 Mathematica version 2 notebook 0 string \064\024\011\000\035\000\000\000 Mathematica version 2 notebook # .ma # multiple possibilites: 0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook #>41 string >\0 %s #0 string (*^\n\n::[\011palette Mathematica notebook version 2.x #0 string (*^\n\n::[\011Information Mathematica notebook version 2.x #>675 string >\0 %s #doesn't work well # there may be 'cr' instread of 'nl' in some does this matter? # generic: 0 string (*^\r\r::[\011 Mathematica notebook version 2.x 0 string (*^\r\n\r\n::[\011 Mathematica notebook version 2.x 0 string (*^\015 Mathematica notebook version 2.x 0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x 0 string (*^\r::[\011 Mathematica notebook version 2.x 0 string (*^\r\n::[\011 Mathematica notebook version 2.x 0 string (*^\n\n::[\011 Mathematica notebook version 2.x 0 string (*^\n::[\011 Mathematica notebook version 2.x # Mathematica .mx files #0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file 0 string (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file #>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 # >71... is optional >88 string >\0 from %s # Mathematica files PBF: # 115 115 101 120 102 106 000 001 000 000 000 203 000 001 000 0 string MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think) # .ml files These are menu resources I think # these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ # how to put that into a magic rule? 4 string \ A~ MAthematica .ml file # .nb files #too long 0 string (***********************************************************************\n\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ Mathematica-Compatible Notebook Mathematica 3.0 notebook 0 string (*********************** Mathematica 3.0 notebook # other (* matches it is a comment start in these langs # GRR: Too weak; also matches other languages e.g. ML #0 string (* Mathematica, or Pascal, Modula-2 or 3 code text ######################### # MatLab v5 0 string MATLAB Matlab v5 mat-file >126 short 0x494d (big endian) >>124 beshort x version 0x%04x >126 short 0x4d49 (little endian) >>124 leshort x version 0x%04x #------------------------------------------------------------------------------ # $File: matroska,v 1.6 2010/09/20 21:11:35 rrt Exp $ # matroska: file(1) magic for Matroska files # # See http://www.matroska.org/ # # EBML id: 0 belong 0x1a45dfa3 # DocType id: >5 beshort 0x4282 # DocType contents: >>8 string matroska Matroska data !:mime video/x-matroska # EBML id: 0 belong 0x1a45dfa3 # DocType id: >0 search/4096 \x42\x82 # DocType contents: >>&1 string webm WebM !:mime video/webm #------------------------------------------------------------------------------ # $File: mcrypt,v 1.5 2009/09/19 16:28:10 christos Exp $ # Mavroyanopoulos Nikos <nmav@hellug.gr> # mcrypt: file(1) magic for mcrypt 2.2.x; 0 string \0m\3 mcrypt 2.5 encrypted data, >4 string >\0 algorithm: %s, >>&1 leshort >0 keysize: %d bytes, >>>&0 string >\0 mode: %s, 0 string \0m\2 mcrypt 2.2 encrypted data, >3 byte 0 algorithm: blowfish-448, >3 byte 1 algorithm: DES, >3 byte 2 algorithm: 3DES, >3 byte 3 algorithm: 3-WAY, >3 byte 4 algorithm: GOST, >3 byte 6 algorithm: SAFER-SK64, >3 byte 7 algorithm: SAFER-SK128, >3 byte 8 algorithm: CAST-128, >3 byte 9 algorithm: xTEA, >3 byte 10 algorithm: TWOFISH-128, >3 byte 11 algorithm: RC2, >3 byte 12 algorithm: TWOFISH-192, >3 byte 13 algorithm: TWOFISH-256, >3 byte 14 algorithm: blowfish-128, >3 byte 15 algorithm: blowfish-192, >3 byte 16 algorithm: blowfish-256, >3 byte 100 algorithm: RC6, >3 byte 101 algorithm: IDEA, >4 byte 0 mode: CBC, >4 byte 1 mode: ECB, >4 byte 2 mode: CFB, >4 byte 3 mode: OFB, >4 byte 4 mode: nOFB, >5 byte 0 keymode: 8bit >5 byte 1 keymode: 4bit >5 byte 2 keymode: SHA-1 hash >5 byte 3 keymode: MD5 hash #------------------------------------------------------------------------------ # $File: mercurial,v 1.4 2009/09/19 16:28:10 christos Exp $ # mercurial: file(1) magic for Mercurial changeset bundles # http://www.selenic.com/mercurial/wiki/ # # Jesse Glick (jesse.glick@sun.com) # 0 string HG10 Mercurial changeset bundle >4 string UN (uncompressed) >4 string GZ (gzip compressed) >4 string BZ (bzip2 compressed) #------------------------------------------------------------------------------ # $File: metastore,v 1.1 2011/04/06 12:37:44 christos Exp $ # metastore: file(1) magic for metastore files # From: Thomas Wissen # see http://david.hardeman.nu/software.php#metastore 0 string MeTaSt00r3 Metastore data file, >10 bequad x version %0llx #------------------------------------------------------------------------------ # $File: mime,v 1.6 2010/11/25 15:00:12 christos Exp $ # mime: file(1) magic for MIME encoded files # 0 string/t Content-Type:\ >14 string >\0 %s 0 string/t Content-Type: >13 string >\0 %s #------------------------------------------------------------------------------ # $File: mips,v 1.7 2011/05/03 01:44:17 christos Exp $ # mips: file(1) magic for Silicon Graphics (MIPS, IRIS, IRIX, etc.) # Dec Ultrix (MIPS) # all of SGI's *current* machines and OSes run in big-endian mode on the # MIPS machines, as far as I know. # # XXX - what is the blank "-" line? # # kbd file definitions 0 string kbd!map kbd map file >8 byte >0 Ver %d: >10 short >0 with %d table(s) 0 belong 0407 old SGI 68020 executable 0 belong 0410 old SGI 68020 pure executable 0 beshort 0x8765 disk quotas file 0 beshort 0x0506 IRIS Showcase file >2 byte 0x49 - >3 byte x - version %ld 0 beshort 0x0226 IRIS Showcase template >2 byte 0x63 - >3 byte x - version %ld 0 belong 0x5343464d IRIS Showcase file >4 byte x - version %ld 0 belong 0x5443464d IRIS Showcase template >4 byte x - version %ld 0 belong 0xdeadbabe IRIX Parallel Arena >8 belong >0 - version %ld # 0 beshort 0x0160 MIPSEB ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0162 MIPSEL-BE ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d >22 byte x \b.%ld # 0 beshort 0x6001 MIPSEB-LE ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %d >22 byte x \b.%ld # 0 beshort 0x6201 MIPSEL ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # # MIPS 2 additions # 0 beshort 0x0163 MIPSEB MIPS-II ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # # MIPS 3 additions # 0 beshort 0x0140 MIPSEB MIPS-III ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable >20 beshort 0407 (impure) >20 beshort 0410 (swapped) >20 beshort 0413 (paged) >8 belong >0 not stripped >8 belong 0 stripped >22 byte x - version %ld >23 byte x \b.%ld # 0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable >20 beshort 03401 (impure) >20 beshort 04001 (swapped) >20 beshort 05401 (paged) >8 belong >0 not stripped >8 belong 0 stripped >23 byte x - version %ld >22 byte x \b.%ld # 0 beshort 0x180 MIPSEB Ucode 0 beshort 0x182 MIPSEL-BE Ucode # 32bit core file 0 belong 0xdeadadb0 IRIX core dump >4 belong 1 of >16 string >\0 '%s' # 64bit core file 0 belong 0xdeadad40 IRIX 64-bit core dump >4 belong 1 of >16 string >\0 '%s' # N32bit core file 0 belong 0xbabec0bb IRIX N32 core dump >4 belong 1 of >16 string >\0 '%s' # New style crash dump file 0 string \x43\x72\x73\x68\x44\x75\x6d\x70 IRIX vmcore dump of >36 string >\0 '%s' # Trusted IRIX info 0 string SGIAUDIT SGI Audit file >8 byte x - version %d >9 byte x \b.%ld # 0 string WNGZWZSC Wingz compiled script 0 string WNGZWZSS Wingz spreadsheet 0 string WNGZWZHP Wingz help file # 0 string #Inventor V IRIS Inventor 1.0 file 0 string #Inventor V2 Open Inventor 2.0 file # GLF is OpenGL stream encoding 0 string glfHeadMagic(); GLF_TEXT 4 belong 0x7d000000 GLF_BINARY_LSB_FIRST !:strength -30 4 belong 0x0000007d GLF_BINARY_MSB_FIRST !:strength -30 # GLS is OpenGL stream encoding; GLS is the successor of GLF 0 string glsBeginGLS( GLS_TEXT 4 belong 0x10000000 GLS_BINARY_LSB_FIRST !:strength -30 4 belong 0x00000010 GLS_BINARY_MSB_FIRST !:strength -30 #------------------------------------------------------------------------------ # $File: mirage,v 1.7 2009/09/19 16:28:10 christos Exp $ # mirage: file(1) magic for Mirage executables # # XXX - byte order? # 0 long 31415 Mirage Assembler m.out executable #----------------------------------------------------------------------------- # $File: misctools,v 1.12 2010/09/29 18:36:49 rrt Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text 0 string/c BEGIN:VCALENDAR vCalendar calendar file !:mime text/calendar 0 string/c BEGIN:VCARD vCard visiting card !:mime text/x-vcard # From: Alex Beregszaszi <alex@fsn.hu> 4 string gtktalog GNOME Catalogue (gtktalog) >13 string >\0 version %s # Summary: GStreamer binary registry # Extension: .bin # Submitted by: Josh Triplett <josh@joshtriplett.org> 0 belong 0xc0def00d GStreamer binary registry >4 string x \b, version %s # Summary: Libtool library file # Extension: .la # Submitted by: Tomasz Trojanowski <tomek@uninet.com.pl> 0 search/80 .la\ -\ a\ libtool\ library\ file libtool library file # Summary: Libtool object file # Extension: .lo # Submitted by: Abel Cheung <abelcheung@gmail.com> 0 search/80 .lo\ -\ a\ libtool\ object\ file libtool object file # From: Daniel Novotny <dnovotny@redhat.com> 0 string MDMP\x93\xA7 MDMP crash report data #------------------------------------------------------------------------------ # $File: mkid,v 1.6 2009/09/19 16:28:10 christos Exp $ # mkid: file(1) magic for mkid(1) databases # # ID is the binary tags database produced by mkid(1). # # XXX - byte order? # 0 string \311\304 ID tags data >2 short >0 version %d #------------------------------------------------------------------------------ # $File: mlssa,v 1.4 2009/09/19 16:28:10 christos Exp $ # mlssa: file(1) magic for MLSSA datafiles # 0 lelong 0xffffabcd MLSSA datafile, >4 leshort x algorithm %d, >10 lelong x %d samples #------------------------------------------------------------------------------ # $File: mmdf,v 1.6 2009/09/19 16:28:10 christos Exp $ # mmdf: file(1) magic for MMDF mail files # 0 string \001\001\001\001 MMDF mailbox #------------------------------------------------------------------------------ # $File: modem,v 1.5 2010/09/20 18:55:20 rrt Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche <florian@knorke.saar.de> 1 string PC\ Research,\ Inc Digifax-G3-File >29 byte 1 \b, fine resolution >29 byte 0 \b, normal resolution 0 short 0x0100 raw G3 data, byte-padded 0 short 0x1400 raw G3 data # # Magic data for vgetty voice formats # (Martin Seine & Marc Eberhard) # # raw modem data version 1 # 0 string RMD1 raw modem data >4 string >\0 (%s / >20 short >0 compression type 0x%04x) # # portable voice format 1 # 0 string PVF1\n portable voice format >5 string >\0 (binary %s) # # portable voice format 2 # 0 string PVF2\n portable voice format >5 string >\0 (ascii %s) #------------------------------------------------------------------------------ # $File: motorola,v 1.10 2009/09/19 16:28:11 christos Exp $ # motorola: file(1) magic for Motorola 68K and 88K binaries # # 68K # 0 beshort 0520 mc68k COFF >18 beshort ^00000020 object >18 beshort &00000020 executable >12 belong >0 not stripped >168 string .lowmem Apple toolbox >20 beshort 0407 (impure) >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0421 (standalone) 0 beshort 0521 mc68k executable (shared) >12 belong >0 not stripped 0 beshort 0522 mc68k executable (shared demand paged) >12 belong >0 not stripped # # Motorola/UniSoft 68K Binary Compatibility Standard (BCS) # 0 beshort 0554 68K BCS executable # # 88K # # Motorola/88Open BCS # 0 beshort 0555 88K BCS executable # # Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de> 0 string S0 Motorola S-Record; binary data in text format # ATARI ST relocatable PRG # # from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 # (according to Roland Waldi, Oct 21, 1987) # besides the magic 0x601a, the text segment size is checked to be # not larger than 1 MB (which is a lot on ST). # The additional 0x601b distinction I took from Doug Lee's magic. 0 belong&0xFFFFFFF0 0x601A0000 Atari ST M68K contiguous executable >2 belong x (txt=%ld, >6 belong x dat=%ld, >10 belong x bss=%ld, >14 belong x sym=%ld) 0 belong&0xFFFFFFF0 0x601B0000 Atari ST M68K non-contig executable >2 belong x (txt=%ld, >6 belong x dat=%ld, >10 belong x bss=%ld, >14 belong x sym=%ld) # Atari ST/TT... program format (sent by Wolfram Kleff <kleff@cs.uni-bonn.de>) 0 beshort 0x601A Atari 68xxx executable, >2 belong x text len %lu, >6 belong x data len %lu, >10 belong x BSS len %lu, >14 belong x symboltab len %lu, >18 belong 0 >22 belong &0x01 fastload flag, >22 belong &0x02 may be loaded to alternate RAM, >22 belong &0x04 malloc may be from alternate RAM, >22 belong x flags: 0x%lX, >26 beshort 0 no relocation tab >26 beshort !0 + relocation tab >30 string SFX [Self-Extracting LZH SFX archive] >38 string SFX [Self-Extracting LZH SFX archive] >44 string ZIP! [Self-Extracting ZIP SFX archive] 0 beshort 0x0064 Atari 68xxx CPX file >8 beshort x (version %04lx) #------------------------------------------------------------------------------ # $File: mozilla,v 1.4 2009/09/19 16:28:11 christos Exp $ # mozilla: file(1) magic for Mozilla XUL fastload files # (XUL.mfasl and XPC.mfasl) # URL: http://www.mozilla.org/ # From: Josh Triplett <josh@freedesktop.org> 0 string XPCOM\nMozFASL\r\n\x1A Mozilla XUL fastload data #------------------------------------------------------------------------------ # $File: msdos,v 1.77 2011/12/07 22:05:05 christos Exp $ # msdos: file(1) magic for MS-DOS files # # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) # updated by Joerg Jenderek at Oct 2008,Apr 2011 0 string/t @ >1 string/cW \ echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW rem DOS batch file text !:mime text/x-msdos-batch >1 string/cW set\ DOS batch file text !:mime text/x-msdos-batch # OS/2 batch files are REXX. the second regex is a bit generic, oh well # the matched commands seem to be common in REXX and uncommon elsewhere 100 search/0xffff rxfuncadd >100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text 100 search/0xffff say >100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text 0 leshort 0x14c MS Windows COFF Intel 80386 object file #>4 ledate x stamp %s 0 leshort 0x166 MS Windows COFF MIPS R4000 object file #>4 ledate x stamp %s 0 leshort 0x184 MS Windows COFF Alpha object file #>4 ledate x stamp %s 0 leshort 0x268 MS Windows COFF Motorola 68000 object file #>4 ledate x stamp %s 0 leshort 0x1f0 MS Windows COFF PowerPC object file #>4 ledate x stamp %s 0 leshort 0x290 MS Windows COFF PA-RISC object file #>4 ledate x stamp %s # Tests for various EXE types. # # Many of the compressed formats were extraced from IDARC 1.23 source code. # 0 string/b MZ !:mime application/x-dosexec # All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. >0x18 leshort <0x40 MS-DOS executable # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1e (MS compiler) # If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. >0x18 leshort >0x3f # Maybe it's a PE? >>(0x3c.l) string PE\0\0 PE >>>(0x3c.l+24) leshort 0x010b \b32 executable >>>(0x3c.l+24) leshort 0x020b \b32+ executable >>>(0x3c.l+24) leshort 0x0107 ROM image >>>(0x3c.l+24) default x Unknown PE signature >>>>&0 leshort x 0x%x >>>(0x3c.l+22) leshort&0x2000 >0 (DLL) >>>(0x3c.l+92) leshort 1 (native) >>>(0x3c.l+92) leshort 2 (GUI) >>>(0x3c.l+92) leshort 3 (console) >>>(0x3c.l+92) leshort 7 (POSIX) >>>(0x3c.l+92) leshort 9 (Windows CE) >>>(0x3c.l+92) leshort 10 (EFI application) >>>(0x3c.l+92) leshort 11 (EFI boot service driver) >>>(0x3c.l+92) leshort 12 (EFI runtime driver) >>>(0x3c.l+92) leshort 13 (EFI ROM) >>>(0x3c.l+92) leshort 14 (XBOX) >>>(0x3c.l+92) leshort 15 (Windows boot application) >>>(0x3c.l+92) default x (Unknown subsystem >>>>&0 leshort x 0x%x) >>>(0x3c.l+4) leshort 0x14c Intel 80386 >>>(0x3c.l+4) leshort 0x166 MIPS R4000 >>>(0x3c.l+4) leshort 0x168 MIPS R10000 >>>(0x3c.l+4) leshort 0x184 Alpha >>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3 >>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4 >>>(0x3c.l+4) leshort 0x1c0 ARM >>>(0x3c.l+4) leshort 0x1c2 ARM Thumb >>>(0x3c.l+4) leshort 0x1f0 PowerPC >>>(0x3c.l+4) leshort 0x200 Intel Itanium >>>(0x3c.l+4) leshort 0x266 MIPS16 >>>(0x3c.l+4) leshort 0x268 Motorola 68000 >>>(0x3c.l+4) leshort 0x290 PA-RISC >>>(0x3c.l+4) leshort 0x366 MIPSIV >>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU >>>(0x3c.l+4) leshort 0xebc EFI byte code >>>(0x3c.l+4) leshort 0x8664 x86-64 >>>(0x3c.l+4) leshort 0xc0ee MSIL >>>(0x3c.l+4) default x Unknown processor type >>>>&0 leshort x 0x%x >>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) >>>(0x3c.l+22) leshort&0x1000 >0 system file >>>(0x3c.l+24) leshort 0x010b >>>>(0x3c.l+232) lelong >0 Mono/.Net assembly >>>(0x3c.l+24) leshort 0x020b >>>>(0x3c.l+248) lelong >0 Mono/.Net assembly # hooray, there's a DOS extender using the PE format, with a valid PE # executable inside (which just prints a message and exits if run in win) >>>(8.s*16) string 32STUB \b, 32rtm DOS extender >>>(8.s*16) string !32STUB \b, for MS Windows >>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed >>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed >>>(0x3c.l+0xf8) search/0x140 UPX2 >>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>(0x3c.l+0xf8) search/0x140 .idata >>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) >>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive >>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .rsrc >>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive >>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive >>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive >>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .data >>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed >>>>(0x3c.l+0xf7) byte x >>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive >>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive >>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>>0x30 string Inno \b, InnoSetup self-extracting archive # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable >>(0x3c.l) string NE \b, NE >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services >>>(0x3c.l+0x36) default x >>>>(0x3c.l+0x36) byte x (unknown OS %x) >>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender >>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) >>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) >>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive >>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) >>(0x3c.l) string LX\0\0 \b, LX >>>(0x3c.l+0x0a) leshort <1 (unknown OS) >>>(0x3c.l+0x0a) leshort 1 for OS/2 >>>(0x3c.l+0x0a) leshort 2 for MS Windows >>>(0x3c.l+0x0a) leshort 3 for DOS >>>(0x3c.l+0x0a) leshort >3 (unknown OS) >>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) >>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) >>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) >>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) >>>(0x3c.l+0x08) leshort 1 i80286 >>>(0x3c.l+0x08) leshort 2 i80386 >>>(0x3c.l+0x08) leshort 3 i80486 >>>(8.s*16) string emx \b, emx >>>>&1 string x %s >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive # MS Windows system file, supposedly a collection of LE executables >>(0x3c.l) string W3 \b, W3 for MS Windows >>(0x3c.l) string LE\0\0 \b, LE executable >>>(0x3c.l+0x0a) leshort 1 # some DOS extenders use LE files with OS/2 header >>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender >>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender >>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender >>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender >>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) >>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) >>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) # this is a wild guess; hopefully it is a specific signature >>>>&0x24 lelong <0x50 >>>>>(&0x4c.l) string \xfc\xb8WATCOM >>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed # another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP #>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 # fails with DOS-Extenders. >>>(0x3c.l+0x0a) leshort 2 for MS Windows >>>(0x3c.l+0x0a) leshort 3 for DOS >>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) >>>(&0x7c.l+0x26) string UPX \b, UPX compressed >>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive # looks like ASCII, probably some embedded copyright message. # and definitely not NE/LE/LX/PE >>0x3c lelong >0x20000000 >>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS # header data too small for extended executable >2 long !0 >>0x18 leshort <0x40 >>>(4.s*512) leshort !0x014c >>>>&(2.s-514) string !LE >>>>>&-2 string !BW \b, MZ for MS-DOS >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender # educated guess since indirection is still not capable enough for complex offset # calculations (next embedded executable would be at &(&2*512+&0-2) # I suspect there are only LE executables in these multi-exe files >>>>&(2.s-514) string BW >>>>>0x240 search/0x100 DOS/4G ,\b LE for MS-DOS, DOS4GW DOS extender (embedded) >>>>>0x240 search/0x100 !DOS/4G ,\b BW collection for MS-DOS # This sequence skips to the first COFF segment, usually .text >(4.s*512) leshort 0x014c \b, COFF >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s >>&(&0x42.l-3) byte x >>>&0x26 string UPX \b, UPX compressed # and yet another guess: small .text, and after large .data is unusal, could be 32lite >>&0x2c search/0xa0 .text >>>&0x0b lelong <0x2000 >>>>&0 lelong >0x6000 \b, 32lite compressed >(8.s*16) string $WdX \b, WDos/X DOS extender # By now an executable type should have been printed out. The executable # may be a self-uncompressing archive, so look for evidence of that and # print it out. # # Some signatures below from Greg Roelofs, newt@uchicago.edu. # >0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed >0xe7 string LH/2\ Self-Extract \b, %s >0x1c string UC2X \b, UCEXE compressed >0x1c string WWP\ \b, WWPACK compressed >0x1c string RJSX \b, ARJ self-extracting archive >0x1c string diet \b, diet compressed >0x1c string LZ09 \b, LZEXE v0.90 compressed >0x1c string LZ91 \b, LZEXE v0.91 compressed >0x1c string tz \b, TinyProg compressed >0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive !:mime application/zip # Yes, this really is "Copr", not "Corp." >0x1e string PKLITE\ Copr. Self-extracting PKZIP archive !:mime application/zip # winarj stores a message in the stub instead of the sig in the MZ header >0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive >0x20 string AIN >>0x23 string 2 \b, AIN 2.x compressed >>0x23 string <2 \b, AIN 1.x compressed >>0x23 string >2 \b, AIN 1.x compressed >0x24 string LHa's\ SFX \b, LHa self-extracting archive !:mime application/x-lha >0x24 string LHA's\ SFX \b, LHa self-extracting archive !:mime application/x-lha >0x24 string \ $ARX \b, ARX self-extracting archive >0x24 string \ $LHarc \b, LHarc self-extracting archive >0x20 string SFX\ by\ LARC \b, LARC self-extracting archive >0x40 string aPKG \b, aPackage self-extracting archive >0x64 string W\ Collis\0\0 \b, Compack compressed >0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive >>&0xf4 search/0x140 \x0\x40\x1\x0 >>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive >1638 string -lh5- \b, LHa self-extracting archive v2.13S >0x17888 string Rar! \b, RAR self-extracting archive # Skip to the end of the EXE. This will usually work fine in the PE case # because the MZ image is hardcoded into the toolchain and almost certainly # won't match any of these signatures. >(4.s*512) long x >>&(2.s-517) byte x >>>&0 string PK\3\4 \b, ZIP self-extracting archive >>>&0 string Rar! \b, RAR self-extracting archive >>>&0 string =!\x11 \b, AIN 2.x self-extracting archive >>>&0 string =!\x12 \b, AIN 2.x self-extracting archive >>>&0 string =!\x17 \b, AIN 1.x self-extracting archive >>>&0 string =!\x18 \b, AIN 1.x self-extracting archive >>>&7 search/400 **ACE** \b, ACE self-extracting archive >>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive # a few unknown ZIP sfxes, no idea if they are needed or if they are # already captured by the generic patterns above >(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) # TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive # # TELVOX Teleinformatica CODEC self-extractor for OS/2: >49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 >>49824 leshort =1 \b, 1 file >>49824 leshort >1 \b, %u files # added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc # and http://www.freedos.org/software/?prog=kpdos # for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 0 string/b KCF FreeDOS KEYBoard Layout collection # only version=0x100 found >3 uleshort x \b, version 0x%x # length of string containing author,info and special characters >6 ubyte >0 #>>6 pstring x \b, name=%s >>7 string >\0 \b, author=%-.14s >>7 search/254 \xff \b, info= #>>>&0 string x \b%-s >>>&0 string x \b%-.15s # for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found >3 uleshort x \b, version 0x%x # stringlength >5 ubyte >0 >>8 string x \b, name=%-.2s 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\360 MS-DOS KEYBoard Layout file # .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) # Uncommenting only the first two lines will cover about 2/3 of COM files, # but it isn't feasible to match all COM files since there must be at least # two dozen different one-byte "magics". # test too generic ? #0 byte 0xe9 DOS executable (COM) #>0x1FE leshort 0xAA55 \b, boot code #>6 string SFX\ of\ LHarc (%s) # DOS device driver updated by Joerg Jenderek at May 2011 # http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 0 ulequad&0x07a0ffffffff 0xffffffff DOS executable ( >40 search/7 UPX! \bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b >>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h >>4 uleshort&0x0010 0x0010 \bfast # standard input/output device >>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ >>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver >0 ubyte x # upx compressed device driver has garbage instead of real in name field of header >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped >>>12 ubyte >0x27 \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c >>>>11 ubyte >0x20 >>>>>11 ubyte !0x2E \b%c >>>>12 ubyte >0x20 >>>>>12 ubyte !0x39 >>>>>>12 ubyte !0x2E \b%c >>>13 ubyte >0x20 >>>>13 ubyte !0x2E \b%c >>>>14 ubyte >0x20 >>>>>14 ubyte !0x2E \b%c >>>>15 ubyte >0x20 >>>>>15 ubyte !0x2E \b%c >>>>16 ubyte >0x20 >>>>>16 ubyte !0x2E >>>>>>16 ubyte <0xCB \b%c >>>>17 ubyte >0x20 >>>>>17 ubyte !0x2E >>>>>>17 ubyte <0x90 \b%c # some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field >>>4 uleshort&0x8000 0x8000 >>>>12 ubyte <0x2F # they have their real name at offset 22 >>>>>22 string >\0 \b%-.5s >4 uleshort&0x8000 0x0000 # 32 bit sector adressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h >4 uleshort&0x0040 0x0040 \b,IOCTL- # open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh >4 uleshort&0x0800 0x0800 \b,close media- # output until busy support by int 10h for character device driver >4 uleshort&0x8000 0x8000 >>4 uleshort&0x2000 0x2000 \b,until busy- # direct read/write support by driver functions 03h,0Ch >4 uleshort&0x4000 0x4000 \b,control strings- >4 uleshort&0x8000 0x8000 >>4 uleshort&0x6840 >0 \bsupport >4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) # DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header # Too weak, matches files that only contain 0's #0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable ( #>4 uleshort&0x8000 0x8000 \bcharacter device driver #>>10 string x %-.8s #>4 uleshort&0x4000 0x4000 \b,control strings-support) # test too generic ? #0 byte 0x8c DOS executable (COM) # updated by Joerg Jenderek at Oct 2008 0 ulelong 0xffff10eb DR-DOS executable (COM) # byte 0xeb conflicts with "sequent" magic leshort 0xn2eb #0 ubeshort&0xeb8d >0xeb00 # DR-DOS STACKER.COM SCREATE.SYS missed #>0 byte 0xeb #>>0x1FE leshort 0xAA55 DOS executable (COM), boot code #>>85 string UPX DOS executable (COM), UPX compressed #>>4 string \ $ARX DOS executable (COM), ARX self-extracting archive #>>4 string \ $LHarc DOS executable (COM), LHarc self-extracting archive #>>0x20e string SFX\ by\ LARC DOS executable (COM), LARC self-extracting archive # updated by Joerg Jenderek at Oct 2008 #0 byte 0xb8 COM executable #0 uleshort&0x80ff 0x00b8 # modified by Joerg Jenderek #>1 lelong !0x21cd4cff COM executable for DOS # http://syslinux.zytor.com/comboot.php # (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode # start with assembler instructions mov eax,21cd4cffh #0 uleshort&0xc0ff 0xc0b8 #>1 lelong 0x21cd4cff COM executable (32-bit COMBOOT) # syslinux:doc/comboot.txt # A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov # eax,21cd4cfeh) as a magic number. 0 string/b \xb8\xfe\x4c\xcd\x21 COM executable (COM32R) # start with assembler instructions mov eax,21cd4cfeh 0 uleshort&0xc0ff 0xc0b8 >1 lelong 0x21cd4cfe COM executable (32-bit COMBOOT, relocatable) 0 string/b \x81\xfc >4 string \x77\x02\xcd\x20\xb9 >>36 string UPX! FREE-DOS executable (COM), UPX compressed 252 string Must\ have\ DOS\ version DR-DOS executable (COM) # added by Joerg Jenderek at Oct 2008 # GRR search is not working #34 search/2 UPX! FREE-DOS executable (COM), UPX compressed 34 string UPX! FREE-DOS executable (COM), UPX compressed 35 string UPX! FREE-DOS executable (COM), UPX compressed # GRR search is not working #2 search/28 \xcd\x21 COM executable for MS-DOS #WHICHFAT.cOM #2 string \xcd\x21 COM executable for DOS #DELTREE.cOM DELTREE2.cOM #4 string \xcd\x21 COM executable for DOS #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM #5 string \xcd\x21 COM executable for DOS #DELTMP.COm HASFAT32.cOM #7 string \xcd\x21 #>0 byte !0xb8 COM executable for DOS #COMP.cOM MORE.COm #10 string \xcd\x21 #>5 string !\xcd\x21 COM executable for DOS #comecho.com #13 string \xcd\x21 COM executable for DOS #HELP.COm EDIT.coM #18 string \xcd\x21 COM executable for MS-DOS #NWRPLTRM.COm #23 string \xcd\x21 COM executable for MS-DOS #LOADFIX.cOm LOADFIX.cOm #30 string \xcd\x21 COM executable for MS-DOS #syslinux.com 3.11 #70 string \xcd\x21 COM executable for DOS # many compressed/converted COMs start with a copy loop instead of a jump 0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS >0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed 0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed # FIXME: missing diet .com compression # miscellaneous formats 0 string/b LZ MS-DOS executable (built-in) #0 byte 0xf0 MS-DOS program library data # # AAF files: # <stuartc@rd.bbc.co.uk> Stuart Cunningham 0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage >30 byte 9 (512B sectors) >30 byte 12 (4kB sectors) 0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage >30 byte 9 (512B sectors) >30 byte 12 (4kB sectors) # Popular applications 2080 string Microsoft\ Word\ 6.0\ Document %s !:mime application/msword 2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data !:mime application/msword # Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 2112 string MSWordDoc Microsoft Word document data !:mime application/msword # 0 belong 0x31be0000 Microsoft Word Document !:mime application/msword # 0 string/b PO^Q` Microsoft Word 6.0 Document !:mime application/msword # 0 string/b \376\067\0\043 Microsoft Office Document !:mime application/msword 0 string/b \333\245-\0\0\0 Microsoft Office Document !:mime application/msword 512 string/b \354\245\301 Microsoft Word Document !:mime application/msword # 2080 string Microsoft\ Excel\ 5.0\ Worksheet %s !:mime application/vnd.ms-excel 2080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s !:mime application/vnd.ms-excel # # Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 2114 string Biff5 Microsoft Excel 5.0 Worksheet !:mime application/vnd.ms-excel # Italian MS-Excel 2121 string Biff5 Microsoft Excel 5.0 Worksheet !:mime application/vnd.ms-excel 0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet !:mime application/vnd.ms-excel # 0 belong 0x00001a00 Lotus 1-2-3 !:mime application/x-123 >4 belong 0x00100400 wk3 document data >4 belong 0x02100400 wk4 document data >4 belong 0x07800100 fm3 or fmb document data >4 belong 0x07800000 fm3 or fmb document data # 0 belong 0x00000200 Lotus 1-2-3 !:mime application/x-123 >4 belong 0x06040600 wk1 document data >4 belong 0x06800200 fmt document data 0 string/b WordPro\0 Lotus WordPro !:mime application/vnd.lotus-wordpro 0 string/b WordPro\r\373 Lotus WordPro !:mime application/vnd.lotus-wordpro # Summary: Script used by InstallScield to uninstall applications # Extension: .isu # Submitted by: unknown # Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) 0 string \x71\xa8\x00\x00\x01\x02 >12 string Stirling\ Technologies, InstallShield Uninstall Script # Winamp .avs #0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafont .WMF 0 string/b \327\315\306\232 ms-windows metafont .wmf 0 string/b \002\000\011\000 ms-windows metafont .wmf 0 string/b \001\000\011\000 ms-windows metafont .wmf #tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file 0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file # PGP sig files .sig #0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig # windows zips files .dmf 0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file #ico files 0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows # Windows icons (Ian Springer <ips@fpk.hp.com>) 0 string/b \000\000\001\000 MS Windows icon resource !:mime image/x-icon >4 byte 1 - 1 icon >4 byte >1 - %d icons >>6 byte >0 \b, %dx >>>7 byte >0 \b%d >>8 byte 0 \b, 256-colors >>8 byte >0 \b, %d-colors # .chr files 0 string/b PK\010\010BGI Borland font >4 string >\0 %s # then there is a copyright notice # .bgi files 0 string/b pk\010\010BGI Borland device >4 string >\0 %s # then there is a copyright notice # Windows Recycle Bin record file (named INFO2) # By Abel Cheung (abelcheung AT gmail dot com) # Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes # Since Vista uses another structure, INFO2 structure probably won't change # anymore. Detailed analysis in: # http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 0 lelong 0x00000004 >12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 0 lelong 0x00000005 >12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) ##### put in Either Magic/font or Magic/news # Acroread or something files wrongly identified as G3 .pfm # these have the form \000 \001 any? \002 \000 \000 # or \000 \001 any? \022 \000 \000 0 belong&0xffff00ff 0x00010012 PFM data >4 string \000\000 >6 string >\060 - %s 0 belong&0xffff00ff 0x00010002 PFM data >4 string \000\000 >6 string >\060 - %s #0 string \000\001 pfm? #>3 string \022\000\000Copyright\ yes #>3 string \002\000\000Copyright\ yes #>3 string >\0 oops, not a font file. Cancel that. #it clashes with ttf files so put it lower down. # From Doug Lee via a FreeBSD pr 9 string GERBILDOC First Choice document 9 string GERBILDB First Choice database 9 string GERBILCLIP First Choice database 0 string GERBIL First Choice device file 9 string RABBITGRAPH RabbitGraph file 0 string DCU1 Borland Delphi .DCU file 0 string =!<spell> MKS Spell hash list (old format) 0 string =!<spell2> MKS Spell hash list # Too simple - MPi #0 string AH Halo(TM) bitmapped font file 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file # WARNING: below line conflicts with Infocom game data Z-machine 3 0 byte 0x03 >0x02 byte <0x13 DBase 3 data file >>0x04 lelong 0 (no records) >>0x04 lelong >0 (%ld records) 0 byte 0x83 >0x02 byte <0x13 DBase 3 data file with memo(s) >>0x04 lelong 0 (no records) >>0x04 lelong >0 (%ld records) 0 leshort 0x0006 DBase 3 index file 0 string PMCC Windows 3.x .GRP file 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file 0 lelong 0x4C >4 lelong 0x00021401 Windows shortcut file # .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File !:mime application/x-dosexec #>2 string >\0 \b, Title:%.30s >0x24 string >\0 \b for %.63s >0x65 string >\0 \b, directory=%.64s >0xA5 string >\0 \b, parameters=%.64s #>0x181 leshort x \b, offset %x #>0x183 leshort x \b, offsetdata %x #>0x185 leshort x \b, section length %x >0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 >>&0x5e ubyte >0 >>>&-1 string <PIFMGR.DLL \b, icon=%s #>>>&-1 string PIFMGR.DLL \b, icon=%s >>>&-1 string >PIFMGR.DLL \b, icon=%s >>&0xF0 ubyte >0 >>>&-1 string <Terminal \b, font=%.32s #>>>&-1 string =Terminal \b, font=%.32s >>>&-1 string >Terminal \b, font=%.32s >>&0x110 ubyte >0 >>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s #>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s >>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s #>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style #>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style >0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style #>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style >0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS #>>&06 string x \b:%s >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s # DOS EPS Binary File Header # From: Ed Sznyter <ews@Black.Market.NET> 0 belong 0xC5D0D3C6 DOS EPS Binary File >4 long >0 Postscript starts at byte %d >>8 long >0 length %d >>>12 long >0 Metafile starts at byte %d >>>>16 long >0 length %d >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d # TNEF magic From "Joomy" <joomy@se-ed.net> # Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 0 leshort 0x223e9f78 TNEF !:mime application/vnd.ms-tnef # HtmlHelp files (.chm) 0 string/b ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data # GFA-BASIC (Wolfram Kleff) 2 string/b GFA-BASIC3 GFA-BASIC 3 data #------------------------------------------------------------------------------ # From Stuart Caie <kyzer@4u.net> (developer of cabextract) # Microsoft Cabinet files 0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data !:mime application/vnd.ms-cab-compressed >8 lelong x \b, %u bytes >28 leshort 1 \b, 1 file >28 leshort >1 \b, %u files # InstallShield Cabinet files 0 string/b ISc( InstallShield Cabinet archive data >5 byte&0xf0 =0x60 version 6, >5 byte&0xf0 !0x60 version 4/5, >(12.l+40) lelong x %u files # Windows CE package files 0 string/b MSCE\0\0\0\0 Microsoft WinCE install header >20 lelong 0 \b, architecture-independent >20 lelong 103 \b, Hitachi SH3 >20 lelong 104 \b, Hitachi SH4 >20 lelong 0xA11 \b, StrongARM >20 lelong 4000 \b, MIPS R4000 >20 lelong 10003 \b, Hitachi SH3 >20 lelong 10004 \b, Hitachi SH3E >20 lelong 10005 \b, Hitachi SH4 >20 lelong 70001 \b, ARM 7TDMI >52 leshort 1 \b, 1 file >52 leshort >1 \b, %u files >56 leshort 1 \b, 1 registry entry >56 leshort >1 \b, %u registry entries # Windows Enhanced Metafile (EMF) # See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data >>44 ulelong x version 0x%x # From: Alex Beregszaszi <alex@fsn.hu> 0 string/b COWD VMWare3 >4 byte 3 disk image >>32 lelong x (%d/ >>36 lelong x \b%d/ >>40 lelong x \b%d) >4 byte 2 undoable disk image >>32 string >\0 (%s) 0 string/b VMDK VMware4 disk image 0 string/b KDMV VMware4 disk image #-------------------------------------------------------------------- # Qemu Emulator Images # Lines written by Friedrich Schwittay (f.schwittay@yousable.de) # Updated by Adam Buchbinder (adam.buchbinder@gmail.com) # Made by reading sources, reading documentation, and doing trial and error # on existing QCOW files 0 string/b QFI\xFB QEMU QCOW Image # Uncomment the following line to display Magic (only used for debugging # this magic number) #>0 string/b x , Magic: %s # There are currently 2 Versions: "1" and "2". # http://www.gnome.org/~markmc/qcow-image-format-version-1.html >4 belong 1 (v1) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>12 belong >0 \b, has backing file ( # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. >>>(12.L) string >\0 \bpath %s # Modification time of the Backing File # Really useful if you want to know if your backing # file is still usable together with this image >>>>20 bedate >0 \b, mtime %s) >>>>20 default x \b) # Size is stored in bytes in a big-endian u64. >>24 bequad x \b, %lld bytes # 1 for AES encryption, 0 for none. >>36 belong 1 \b, AES-encrypted # http://www.gnome.org/~markmc/qcow-image-format.html >4 belong 2 (v2) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>8 bequad >0 \b, has backing file # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. Also, since there's no # .Q modifier, we just use the bottom four bytes as an offset. Note that if # the file is over 4G, and the backing file path is stored after the first 4G, # the wrong filename will be printed. (This should be (8.Q), when that syntax # is introduced.) >>>(12.L) string >\0 (path %s) >>24 bequad x \b, %lld bytes >>32 belong 1 \b, AES-encrypted >4 belong 3 (v3) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>8 bequad >0 \b, has backing file # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. Also, since there's no # .Q modifier, we just use the bottom four bytes as an offset. Note that if # the file is over 4G, and the backing file path is stored after the first 4G, # the wrong filename will be printed. (This should be (8.Q), when that syntax # is introduced.) >>>(12.L) string >\0 (path %s) >>24 bequad x \b, %lld bytes >>32 belong 1 \b, AES-encrypted >4 default x (unknown version) 0 string/b QEVM QEMU suspend to disk image # QEMU QED Image # http://wiki.qemu.org/Features/QED/Specification 0 string/b QED\0 QEMU QED Image # VDI Image 64 string/b \x7f\x10\xda\xbe VDI Image >68 string/b \x01\x00\x01\x00 version 1.1 >0 string >\0 (%s) >368 lequad x \b, %lld bytes 0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, >32 string x type %s, >48 string x subtype %s 0 lelong 0x02468ace Bochs Sparse disk image # from http://filext.com by Derek M Jones <derek@knosof.co.uk> # False positive with PPT (also currently this string is too long) #0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer 0 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document #>48 byte 0x1B Excel Document #!:mime application/vnd.ms-excel >546 string bjbj Microsoft Word Document !:mime application/msword >546 string jbjb Microsoft Word Document !:mime application/msword 0 string/b \224\246\056 Microsoft Word Document !:mime application/msword 512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document !:mime application/msword # From: "Nelson A. de Oliveira" <naoliv@gmail.com> # Magic type for Dell's BIOS .hdr files # Dell's .hdr 0 string/b $RBU >23 string Dell %s system BIOS >5 byte 2 >>48 byte x version %d. >>49 byte x \b%d. >>50 byte x \b%d >5 byte <2 >>48 string x version %.3s # Type: Microsoft DirectDraw Surface # URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp # From: Morten Hustveit <morten@debian.org> 0 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), >16 lelong >0 %hd x >12 lelong >0 %hd, >84 string x %.4s # Type: Microsoft Document Imaging Format (.mdi) # URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format # From: Daniele Sempione <scrows@oziosi.org> 0 short 0x5045 Microsoft Document Imaging Format # MS eBook format (.lit) 0 string/b ITOLITLS Microsoft Reader eBook Data >8 lelong x \b, version %u !:mime application/x-ms-reader # Windows CE Binary Image Data Format # From: Dr. Jesus <j@hug.gs> 0 string/b B000FF\n Windows Embedded CE binary image # Windows Imaging (WIM) Image 0 string/b MSWIM\000\000\000 Windows imaging (WIM) image #------------------------------------------------------------------------------ # $File: msooxml,v 1.1 2011/01/25 18:36:19 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown <ralf.brown@gmail.com> # .docx, .pptx, and .xlsx are XML plus other files inside a ZIP # archive. The first member file is normally "[Content_Types].xml". # Since MSOOXML doesn't have anything like the uncompressed "mimetype" # file of ePub or OpenDocument, we'll have to scan for a filename # which can distinguish between the three types # start by checking for ZIP local file header signature 0 string PK\003\004 # make sure the first file is correct >0x1E string [Content_Types].xml # skip to the second local file header # since some documents include a 520-byte extra field following the file # header, we need to scan for the next header >>(18.l+49) search/2000 PK\003\004 # now skip to the *third* local file header; again, we need to scan due to a # 520-byte extra field following the file header >>>&26 search/1000 PK\003\004 # and check the subdirectory name to determine which type of OOXML # file we have >>>>&26 string word/ Microsoft Word 2007+ !:mime application/msword >>>>&26 string ppt/ Microsoft PowerPoint 2007+ !:mime application/vnd.ms-powerpoint >>>>&26 string xl/ Microsoft Excel 2007+ !:mime application/vnd.ms-excel >>>>&26 default x Microsoft OOXML !:strength +10 #------------------------------------------------------------------------------ # $File: msvc,v 1.5 2009/09/19 16:28:11 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" <aldomel@ix.netcom.com> # Microsoft visual C # # I have version 1.0 # .aps 0 string HWB\000\377\001\000\000\000 Microsoft Visual C .APS file # .ide #too long 0 string \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157\152\145\143\164\040\106\151\154\145\012\000\032\000\002\000\262\000\272\276\372\316 MSVC .ide 0 string \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157 MSVC .ide # .res 0 string \000\000\000\000\040\000\000\000\377 MSVC .res 0 string \377\003\000\377\001\000\020\020\350 MSVC .res 0 string \377\003\000\377\001\000\060\020\350 MSVC .res #.lib 0 string \360\015\000\000 Microsoft Visual C library 0 string \360\075\000\000 Microsoft Visual C library 0 string \360\175\000\000 Microsoft Visual C library #.pch 0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch # .pdb # too long 0 string Microsoft\ C/C++\ program\ database\ 0 string Microsoft\ C/C++\ MSVC program database >18 string program\ database\ >33 string >\0 ver %s #.sbr 0 string \000\002\000\007\000 MSVC .sbr >5 string >\0 %s #.bsc 0 string \002\000\002\001 MSVC .bsc #.wsp 0 string 1.00\ .0000.0000\000\003 MSVC .wsp version 1.0000.0000 # these seem to start with the version and contain menus # ------------------------------------------------------------------------ # $File: mup,v 1.4 2009/09/19 16:28:11 christos Exp $ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung <abel (@) oaka.org> # # NOTE: This header is mainly proposed in the Arkkra mailing list, # and is not a mandatory header because of old mup input file # compatibility. Noteedit also use mup format, but is not forcing # user to use any header as well. # 0 search/1 //!Mup Mup music publication program input text >6 string -Arkkra (Arkkra) >>13 string - >>>16 string . >>>>14 string x \b, need V%.4s >>>15 string . >>>>14 string x \b, need V%.3s >6 string - >>9 string . >>>7 string x \b, need V%.4s >>8 string . >>>7 string x \b, need V%.3s #------------------------------------------------------------------------------ # $File: music,v 1.1 2011/11/25 03:28:17 christos Exp $ # music: file (1) magic for music formats # BWW format used by Bagpipe Music Writer Gold by Robert MacNeil Musicworks # and Bagpipe Writer by Doug Wickstrom # 0 string Bagpipe Bagpipe >8 string Reader Reader >>15 string >\0 (version %.3s) >8 string Music\ Writer Music Writer >>20 string : >>>21 string >\0 (version %.3s) >>21 string Gold Gold >>>25 string : >>>>26 string >\0 (version %.3s) #----------------------------------------------------------------------------- # $File: natinst,v 1.4 2009/09/19 16:28:11 christos Exp $ # natinst: file(1) magic for National Instruments Code Files # # From <egamez@fcfm.buap.mx> Enrique G�mez-Flores # version 1 # Many formats still missing, we use, for the moment LabVIEW # We guess VXI format file. VISA, LabWindowsCVI, BridgeVIEW, etc, are missing # 0 string RSRC National Instruments, # Check if it's a LabVIEW File >8 string LV LabVIEW File, # Check wich kind of file is >>10 string SB Code Resource File, data >>10 string IN Virtual Instrument Program, data >>10 string AR VI Library, data # This is for Menu Libraries >8 string LMNULBVW Portable File Names, data # This is for General Resources >8 string rsc Resources File, data # This is for VXI Package 0 string VMAP National Instruments, VXI File, data #------------------------------------------------------------------------------ # $File: ncr,v 1.7 2009/09/19 16:28:11 christos Exp $ # ncr: file(1) magic for NCR Tower objects # # contributed by # Michael R. Wayne *** TMC & Associates *** INTERNET: wayne@ford-vax.arpa # uucp: {philabs | pyramid} !fmsrl7!wayne OR wayne@fmsrl7.UUCP # 0 beshort 000610 Tower/XP rel 2 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %ld 0 beshort 000615 Tower/XP rel 2 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %ld 0 beshort 000620 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %ld 0 beshort 000625 Tower/XP rel 3 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %ld 0 beshort 000630 Tower32/600/400 68020 object >12 belong >0 not stripped >20 beshort 0407 executable >20 beshort 0410 pure executable >22 beshort >0 - version %ld 0 beshort 000640 Tower32/800 68020 >18 beshort &020000 w/68881 object >18 beshort &040000 compatible object >18 beshort &060000 object >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped >22 beshort >0 - version %ld 0 beshort 000645 Tower32/800 68010 >18 beshort &040000 compatible object >18 beshort &060000 object >20 beshort 0407 executable >20 beshort 0413 pure executable >12 belong >0 not stripped >22 beshort >0 - version %ld #------------------------------------------------------------------------------ # $File: netbsd,v 1.19 2011/10/31 17:23:34 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. # 0 lelong 000000407 a.out NetBSD little-endian object file >16 lelong >0 not stripped 0 belong 000000407 a.out NetBSD big-endian object file >16 belong >0 not stripped 0 belong&0377777777 041400413 a.out NetBSD/i386 demand paged >0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 041400410 a.out NetBSD/i386 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 041400407 a.out NetBSD/i386 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 lelong !0 executable >>20 lelong =0 object file >16 lelong >0 not stripped 0 belong&0377777777 041400507 a.out NetBSD/i386 core >12 string >\0 from '%s' >32 lelong !0 (signal %d) 0 belong&0377777777 041600413 a.out NetBSD/m68k demand paged >0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 041600410 a.out NetBSD/m68k pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 041600407 a.out NetBSD/m68k >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 belong !0 executable >>20 belong =0 object file >16 belong >0 not stripped 0 belong&0377777777 041600507 a.out NetBSD/m68k core >12 string >\0 from '%s' >32 belong !0 (signal %d) 0 belong&0377777777 042000413 a.out NetBSD/m68k4k demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 042000410 a.out NetBSD/m68k4k pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 042000407 a.out NetBSD/m68k4k >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 belong !0 executable >>20 belong =0 object file >16 belong >0 not stripped 0 belong&0377777777 042000507 a.out NetBSD/m68k4k core >12 string >\0 from '%s' >32 belong !0 (signal %d) 0 belong&0377777777 042200413 a.out NetBSD/ns32532 demand paged >0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 042200410 a.out NetBSD/ns32532 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 042200407 a.out NetBSD/ns32532 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 lelong !0 executable >>20 lelong =0 object file >16 lelong >0 not stripped 0 belong&0377777777 042200507 a.out NetBSD/ns32532 core >12 string >\0 from '%s' >32 lelong !0 (signal %d) 0 belong&0377777777 045200507 a.out NetBSD/powerpc core >12 string >\0 from '%s' 0 belong&0377777777 042400413 a.out NetBSD/sparc demand paged >0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 042400410 a.out NetBSD/sparc pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 042400407 a.out NetBSD/sparc >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 belong !0 executable >>20 belong =0 object file >16 belong >0 not stripped 0 belong&0377777777 042400507 a.out NetBSD/sparc core >12 string >\0 from '%s' >32 belong !0 (signal %d) 0 belong&0377777777 042600413 a.out NetBSD/pmax demand paged >0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 042600410 a.out NetBSD/pmax pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 042600407 a.out NetBSD/pmax >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 lelong !0 executable >>20 lelong =0 object file >16 lelong >0 not stripped 0 belong&0377777777 042600507 a.out NetBSD/pmax core >12 string >\0 from '%s' >32 lelong !0 (signal %d) 0 belong&0377777777 043000413 a.out NetBSD/vax 1k demand paged >0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 043000410 a.out NetBSD/vax 1k pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 043000407 a.out NetBSD/vax 1k >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 lelong !0 executable >>20 lelong =0 object file >16 lelong >0 not stripped 0 belong&0377777777 043000507 a.out NetBSD/vax 1k core >12 string >\0 from '%s' >32 lelong !0 (signal %d) 0 belong&0377777777 045400413 a.out NetBSD/vax 4k demand paged >0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 045400410 a.out NetBSD/vax 4k pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 045400407 a.out NetBSD/vax 4k >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 lelong !0 executable >>20 lelong =0 object file >16 lelong >0 not stripped 0 belong&0377777777 045400507 a.out NetBSD/vax 4k core >12 string >\0 from '%s' >32 lelong !0 (signal %d) # NetBSD/alpha does not support (and has never supported) a.out objects, # so no rules are provided for them. NetBSD/alpha ELF objects are # dealt with in "elf". 0 lelong 0x00070185 ECOFF NetBSD/alpha binary >10 leshort 0x0001 not stripped >10 leshort 0x0000 stripped 0 belong&0377777777 043200507 a.out NetBSD/alpha core >12 string >\0 from '%s' >32 lelong !0 (signal %d) 0 belong&0377777777 043400413 a.out NetBSD/mips demand paged >0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 043400410 a.out NetBSD/mips pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&0377777777 043400407 a.out NetBSD/mips >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 belong !0 executable >>20 belong =0 object file >16 belong >0 not stripped 0 belong&0377777777 043400507 a.out NetBSD/mips core >12 string >\0 from '%s' >32 belong !0 (signal %d) 0 belong&0377777777 043600413 a.out NetBSD/arm32 demand paged >0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 043600410 a.out NetBSD/arm32 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 lelong >0 not stripped 0 belong&0377777777 043600407 a.out NetBSD/arm32 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 >>0 byte &0x40 position independent >>20 lelong !0 executable >>20 lelong =0 object file >16 lelong >0 not stripped # NetBSD/arm26 has always used ELF objects, but it shares a core file # format with NetBSD/arm32. 0 belong&0377777777 043600507 a.out NetBSD/arm core >12 string >\0 from '%s' >32 lelong !0 (signal %d) # Kernel core dump format 0 belong&0x0000ffff 0x00008fca NetBSD kernel core file >0 belong&0x03ff0000 0x00000000 \b, Unknown >0 belong&0x03ff0000 0x00001000 \b, sun 68010/68020 >0 belong&0x03ff0000 0x00020000 \b, sun 68020 >0 belong&0x03ff0000 0x00640000 \b, 386 PC >0 belong&0x03ff0000 0x00860000 \b, i386 BSD >0 belong&0x03ff0000 0x00870000 \b, m68k BSD (8K pages) >0 belong&0x03ff0000 0x00880000 \b, m68k BSD (4K pages) >0 belong&0x03ff0000 0x00890000 \b, ns32532 BSD >0 belong&0x03ff0000 0x008a0000 \b, sparc/32 BSD >0 belong&0x03ff0000 0x008b0000 \b, pmax BSD >0 belong&0x03ff0000 0x008c0000 \b, vax BSD (1K pages) >0 belong&0x03ff0000 0x008d0000 \b, alpha BSD >0 belong&0x03ff0000 0x008e0000 \b, mips BSD (Big Endian) >0 belong&0x03ff0000 0x008f0000 \b, arm6 BSD >0 belong&0x03ff0000 0x00900000 \b, m68k BSD (2K pages) >0 belong&0x03ff0000 0x00910000 \b, sh3 BSD >0 belong&0x03ff0000 0x00920000 \b, ppc BSD (Big Endian) >0 belong&0x03ff0000 0x00930000 \b, vax BSD (4K pages) >0 belong&0x03ff0000 0x00940000 \b, mips1 BSD >0 belong&0x03ff0000 0x00950000 \b, mips2 BSD >0 belong&0x03ff0000 0x00960000 \b, parisc BSD >0 belong&0x03ff0000 0x00970000 \b, sh5/64 BSD >0 belong&0x03ff0000 0x00980000 \b, sparc/64 BSD >0 belong&0x03ff0000 0x00990000 \b, amd64 BSD >0 belong&0x03ff0000 0x009a0000 \b, hp200 (68010) BSD >0 belong&0x03ff0000 0x009b0000 \b, hp300 (68020+68881) BSD >0 belong&0x03ff0000 0x009b0000 \b, hp300 (68020+68881) BSD >0 belong&0x03ff0000 0x00c80000 \b, hp200 >0 belong&0x03ff0000 0x020b0000 \b, hp300 (68020+68881) HP-UX >0 belong&0x03ff0000 0x020c0000 \b, hp300 (68020+68881) HP-UX >0 belong&0xfc000000 0x04000000 \b, CPU >0 belong&0xfc000000 0x08000000 \b, DATA >0 belong&0xfc000000 0x10000000 \b, STACK >4 leshort x \b, (headersize = %d >6 leshort x \b, segmentsize = %d >6 lelong x \b, segments = %d) #------------------------------------------------------------------------------ # $File: netscape,v 1.6 2009/09/19 16:28:11 christos Exp $ # netscape: file(1) magic for Netscape files # "H. Nanosecond" <aldomel@ix.netcom.com> # version 3 and 4 I think # # Netscape Address book .nab 0 string \000\017\102\104\000\000\000\000\000\000\001\000\000\000\000\002\000\000\000\002\000\000\004\000 Netscape Address book # Netscape Communicator address book 0 string \000\017\102\111 Netscape Communicator address book # .snm Caches 0 string #\ Netscape\ folder\ cache Netscape folder cache 0 string \000\036\204\220\000 Netscape folder cache # .n2p # Net 2 Phone #0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060 0 string SX961999 Net2phone # #This is files ending in .art, FIXME add more rules 0 string JG\004\016\0\0\0\0 ART #------------------------------------------------------------------------------ # $File: netware,v 1.4 2009/09/19 16:28:11 christos Exp $ # netware: file(1) magic for NetWare Loadable Modules (NLMs) # From: Mads Martin Joergensen <mmj@suse.de> 0 string NetWare\ Loadable\ Module NetWare Loadable Module #------------------------------------------------------------------------------ # $File: news,v 1.6 2009/09/19 16:28:11 christos Exp $ # news: file(1) magic for SunOS NeWS fonts (not "news" as in "netnews") # 0 string StartFontMetrics ASCII font metrics 0 string StartFont ASCII font bits 0 belong 0x137A2944 NeWS bitmap font 0 belong 0x137A2947 NeWS font family 0 belong 0x137A2950 scalable OpenFont binary 0 belong 0x137A2951 encrypted scalable OpenFont binary 8 belong 0x137A2B45 X11/NeWS bitmap font 8 belong 0x137A2B48 X11/NeWS font family #------------------------------------------------------------------------------ # $File: nitpicker,v 1.4 2009/09/19 16:28:11 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann <C.Jachmann@gmx.net> http://www.nitpicker.de 0 string NPFF NItpicker Flow File >4 byte x V%d. >5 byte x %d >6 bedate x started: %s >10 bedate x stopped: %s >14 belong x Bytes: %u >18 belong x Bytes1: %u >22 belong x Flows: %u >26 belong x Pkts: %u #------------------------------------------------------------------------------ # $File: oasis,v 1.1 2011/03/15 02:09:38 christos Exp $ # OASIS # Summary: OASIS stream file # Long descripton: Open Artwork System Interchange Standard # File extension: .oas # Full name: Ben Cowley (bcowley@broadcom.com) # Philip Dixon (pdixon@broadcom.com) # Reference: http://www.wrcad.com/oasis/oasis-3626-042303-draft.pdf # (see page 3) 0 string %SEMI-OASIS\r\n OASIS Stream file #------------------------------------------------------------------------------ # $File: ocaml,v 1.5 2010/09/20 18:55:20 rrt Exp $ # ocaml: file(1) magic for Objective Caml files. 0 string Caml1999 OCaml >8 string X exec file >8 string I interface file (.cmi) >8 string O object file (.cmo) >8 string A library file (.cma) >8 string Y native object file (.cmx) >8 string Z native library file (.cmxa) >8 string M abstract syntax tree implementation file >8 string N abstract syntax tree interface file >9 string >\0 (Version %3.3s) #------------------------------------------------------------------------------ # $File: octave,v 1.4 2009/09/19 16:28:11 christos Exp $ # octave binary data file(1) magic, from Dirk Eddelbuettel <edd@debian.org> 0 string Octave-1-L Octave binary data (little endian) 0 string Octave-1-B Octave binary data (big endian) #------------------------------------------------------------------------------ # $File: ole2compounddocs,v 1.4 2009/09/19 16:28:11 christos Exp $ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (http://en.wikipedia.org/wiki/Structured_Storage) # Additional tests for OLE 2 Compound Documents should be under this recipe. 0 string \320\317\021\340\241\261\032\341 OLE 2 Compound Document # - Microstation V8 DGN files (www.bentley.com) # Last update on 10/23/2006 by Lester Hightower > 0x480 string D\000g\000n\000~\000H : Microstation V8 DGN # - Visio documents # Last update on 10/23/2006 by Lester Hightower > 0x480 string V\000i\000s\000i\000o\000D\000o\000c : Visio Document #------------------------------------------------------------------------------ # $File: olf,v 1.4 2009/09/19 16:28:11 christos Exp $ # olf: file(1) magic for OLF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # MIPS R3000 may also be for MIPS R2000. # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # Created by Erik Theisen <etheisen@openbsd.org> # Based on elf from Daniel Quinlan <quinlan@yggdrasil.com> 0 string \177OLF OLF >4 byte 0 invalid class >4 byte 1 32-bit >4 byte 2 64-bit >7 byte 0 invalid os >7 byte 1 OpenBSD >7 byte 2 NetBSD >7 byte 3 FreeBSD >7 byte 4 4.4BSD >7 byte 5 Linux >7 byte 6 SVR4 >7 byte 7 esix >7 byte 8 Solaris >7 byte 9 Irix >7 byte 10 SCO >7 byte 11 Dell >7 byte 12 NCR >5 byte 0 invalid byte order >5 byte 1 LSB >>16 leshort 0 no file type, >>16 leshort 1 relocatable, >>16 leshort 2 executable, >>16 leshort 3 shared object, # Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de> # corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> >>16 leshort 4 core file >>>(0x38+0xcc) string >\0 of '%s' >>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort &0xff00 processor-specific, >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, >>18 leshort 3 Intel 80386, >>18 leshort 4 Motorola 68000 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 6 Intel 80486, >>18 leshort 7 Intel 80860, >>18 leshort 8 MIPS R3000_BE - invalid byte order, >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS R3000_LE, >>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 15 PA-RISC - invalid byte order, >>18 leshort 16 nCUBE, >>18 leshort 17 VPP500, >>18 leshort 18 SPARC32PLUS, >>18 leshort 20 PowerPC, >>18 leshort 0x9026 Alpha, >>20 lelong 0 invalid version >>20 lelong 1 version 1 >>36 lelong 1 MathCoPro/FPU/MAU Required >8 string >\0 (%s) >5 byte 2 MSB >>16 beshort 0 no file type, >>16 beshort 1 relocatable, >>16 beshort 2 executable, >>16 beshort 3 shared object, >>16 beshort 4 core file, >>>(0x38+0xcc) string >\0 of '%s' >>>(0x38+0x10) belong >0 (signal %d), >>16 beshort &0xff00 processor-specific, >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, >>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 4 Motorola 68000, >>18 beshort 5 Motorola 88000, >>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 7 Intel 80860, >>18 beshort 8 MIPS R3000_BE, >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS R3000_LE - invalid byte order, >>18 beshort 11 RS6000, >>18 beshort 15 PA-RISC, >>18 beshort 16 nCUBE, >>18 beshort 17 VPP500, >>18 beshort 18 SPARC32PLUS, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 cisco 7500, >>18 beshort 24 cisco SVIP, >>18 beshort 25 cisco 7200, >>18 beshort 36 cisco 12000, >>18 beshort 0x9026 Alpha, >>20 belong 0 invalid version >>20 belong 1 version 1 >>36 belong 1 MathCoPro/FPU/MAU Required #------------------------------------------------------------------------------ # $File: os2,v 1.7 2009/09/19 16:28:11 christos Exp $ # os2: file(1) magic for OS/2 files # # Provided 1998/08/22 by # David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> 1 search/1 InternetShortcut MS Windows 95 Internet shortcut text >24 search/1 >\ (URL=<%s>) # OS/2 URL objects # Provided 1998/08/22 by # David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> #0 string http: OS/2 URL object text #>5 string >\ (WWW) <http:%s> #0 string mailto: OS/2 URL object text #>7 string >\ (email) <%s> #0 string news: OS/2 URL object text #>5 string >\ (Usenet) <%s> #0 string ftp: OS/2 URL object text #>4 string >\ (FTP) <ftp:%s> #0 string file: OS/2 URL object text #>5 string >\ (Local file) <%s> # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) # Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: # # int16 ID; // ID magic word (5348h = "HS") # int8 unknown1; // unknown purpose, could be third letter of ID # int8 flags; // probably a flag word... # // bit 0: set if INF style file # // bit 4: set if HLP style file # // patching this byte allows reading HLP files # // using the VIEW command, while help files # // seem to work with INF settings here as well. # int16 hdrsize; // total size of header # int16 unknown2; // unknown purpose # 0 string HSP\x01\x9b\x00 OS/2 INF >107 string >0 (%s) 0 string HSP\x10\x9b\x00 OS/2 HLP >107 string >0 (%s) # OS/2 INI (this is a guess) 0 string \xff\xff\xff\xff\x14\0\0\0 OS/2 INI #------------------------------------------------------------------------------ # $File: os400,v 1.5 2009/09/19 16:28:11 christos Exp $ # os400: file(1) magic for IBM OS/400 files # # IBM OS/400 (i5/OS) Save file (SAVF) - gerardo.cacciari@gmail.com # In spite of its quite variable format (due to internal memory page # length differences between CISC and RISC versions of the OS) the # SAVF structure hasn't suitable offsets to identify the catalog # header in the first descriptor where there are some useful infos, # so we must search in a somewhat large area for a particular string # that represents the EBCDIC encoding of 'QSRDSSPC' (save/restore # descriptor space) preceded by a two byte constant. # 1090 search/7393 \x19\xDB\xD8\xE2\xD9\xC4\xE2\xE2\xD7\xC3 IBM OS/400 save file data >&212 byte 0x01 \b, created with SAVOBJ >&212 byte 0x02 \b, created with SAVLIB >&212 byte 0x07 \b, created with SAVCFG >&212 byte 0x08 \b, created with SAVSECDTA >&212 byte 0x0A \b, created with SAVSECDTA >&212 byte 0x0B \b, created with SAVDLO >&212 byte 0x0D \b, created with SAVLICPGM >&212 byte 0x11 \b, created with SAVCHGOBJ >&213 byte 0x44 \b, at least V5R4 to open >&213 byte 0x43 \b, at least V5R3 to open >&213 byte 0x42 \b, at least V5R2 to open >&213 byte 0x41 \b, at least V5R1 to open >&213 byte 0x40 \b, at least V4R5 to open >&213 byte 0x3F \b, at least V4R4 to open >&213 byte 0x3E \b, at least V4R3 to open >&213 byte 0x3C \b, at least V4R2 to open >&213 byte 0x3D \b, at least V4R1M4 to open >&213 byte 0x3B \b, at least V4R1 to open >&213 byte 0x3A \b, at least V3R7 to open >&213 byte 0x35 \b, at least V3R6 to open >&213 byte 0x36 \b, at least V3R2 to open >&213 byte 0x34 \b, at least V3R1 to open >&213 byte 0x31 \b, at least V3R0M5 to open >&213 byte 0x30 \b, at least V2R3 to open #------------------------------------------------------------------------------ # $File: os9,v 1.7 2011/05/13 22:15:54 christos Exp $ # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # # OS9/6809 module descriptions: # 0 beshort 0x87CD OS9/6809 module: # >6 byte&0x0f 0x00 non-executable >6 byte&0x0f 0x01 machine language >6 byte&0x0f 0x02 BASIC I-code >6 byte&0x0f 0x03 Pascal P-code >6 byte&0x0f 0x04 C I-code >6 byte&0x0f 0x05 COBOL I-code >6 byte&0x0f 0x06 Fortran I-code # >6 byte&0xf0 0x10 program executable >6 byte&0xf0 0x20 subroutine >6 byte&0xf0 0x30 multi-module >6 byte&0xf0 0x40 data module # >6 byte&0xf0 0xC0 system module >6 byte&0xf0 0xD0 file manager >6 byte&0xf0 0xE0 device driver >6 byte&0xf0 0xF0 device descriptor # # OS9/m68k stuff (to be continued) # 0 beshort 0x4AFC OS9/68K module: # # attr >0x14 byte&0x80 0x80 re-entrant >0x14 byte&0x40 0x40 ghost >0x14 byte&0x20 0x20 system-state # # lang: # >0x13 byte 1 machine language >0x13 byte 2 BASIC I-code >0x13 byte 3 Pascal P-code >0x13 byte 4 C I-code >0x13 byte 5 COBOL I-code >0x13 byte 6 Fortran I-code # # # type: # >0x12 byte 1 program executable >0x12 byte 2 subroutine >0x12 byte 3 multi-module >0x12 byte 4 data module >0x12 byte 11 trap library >0x12 byte 12 system module >0x12 byte 13 file manager >0x12 byte 14 device driver >0x12 byte 15 device descriptor #------------------------------------------------------------------------------ # $File: osf1,v 1.7 2009/09/19 16:28:11 christos Exp $ # # Mach magic number info # 0 long 0xefbe OSF/Rose object # I386 magic number info # 0 short 0565 i386 COFF object #------------------------------------------------------------------------------ # $File: palm,v 1.9 2012/01/16 15:16:43 christos Exp $ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor <blalor@hcirisc.cs.binghamton.edu> # These are weak, byte 59 is not guaranteed to be 0 and there are # 8 character identifiers at byte 60, one I found for appl is BIGb. # What are the possibilities and where is this documented? # appl #59 byte \0 #>60 string appl PalmOS application #>0 string >\0 "%s" # TEXt #59 byte \0 #>60 belong TEXt AportisDoc file #>0 string >\0 "%s" # HACK #59 byte \0 #>60 string HACK HackMaster hack #>0 string >\0 "%s" # Variety of PalmOS document types # Michael-John Turner <mj@debian.org> # Thanks to Hasan Umit Ezerce <humit@tr-net.net.tr> for his DocType 60 string BVokBDIC BDicty PalmOS document >0 string >\0 "%s" 60 string DB99DBOS DB PalmOS document >0 string >\0 "%s" 60 string vIMGView FireViewer/ImageViewer PalmOS document >0 string >\0 "%s" 60 string PmDBPmDB HanDBase PalmOS document >0 string >\0 "%s" 60 string InfoINDB InfoView PalmOS document >0 string >\0 "%s" 60 string ToGoToGo iSilo PalmOS document >0 string >\0 "%s" 60 string JfDbJBas JFile PalmOS document >0 string >\0 "%s" 60 string JfDbJFil JFile Pro PalmOS document >0 string >\0 "%s" 60 string DATALSdb List PalmOS document >0 string >\0 "%s" 60 string Mdb1Mdb1 MobileDB PalmOS document >0 string >\0 "%s" 60 string PNRdPPrs PeanutPress PalmOS document >0 string >\0 "%s" 60 string DataPlkr Plucker PalmOS document >0 string >\0 "%s" 60 string DataSprd QuickSheet PalmOS document >0 string >\0 "%s" 60 string SM01SMem SuperMemo PalmOS document >0 string >\0 "%s" 60 string TEXtTlDc TealDoc PalmOS document >0 string >\0 "%s" 60 string InfoTlIf TealInfo PalmOS document >0 string >\0 "%s" 60 string DataTlMl TealMeal PalmOS document >0 string >\0 "%s" 60 string DataTlPt TealPaint PalmOS document >0 string >\0 "%s" 60 string dataTDBP ThinkDB PalmOS document >0 string >\0 "%s" 60 string TdatTide Tides PalmOS document >0 string >\0 "%s" 60 string ToRaTRPW TomeRaider PalmOS document >0 string >\0 "%s" # A GutenPalm zTXT etext for use on Palm Pilots (http://gutenpalm.sf.net) # For version 1.xx zTXTs, outputs version and numbers of bookmarks and # annotations. # For other versions, just outputs version. # 60 string zTXT A GutenPalm zTXT e-book >0 string >\0 "%s" >(0x4E.L) byte 0 >>(0x4E.L+1) byte x (v0.%02d) >(0x4E.L) byte 1 >>(0x4E.L+1) byte x (v1.%02d) >>>(0x4E.L+10) beshort >0 >>>>(0x4E.L+10) beshort <2 - 1 bookmark >>>>(0x4E.L+10) beshort >1 - %d bookmarks >>>(0x4E.L+14) beshort >0 >>>>(0x4E.L+14) beshort <2 - 1 annotation >>>>(0x4E.L+14) beshort >1 - %d annotations >(0x4E.L) byte >1 (v%d. >>(0x4E.L+1) byte x %02d) # Palm OS .prc file types 60 string libr Palm OS dynamic library data >0 string >\0 "%s" 60 string ptch Palm OS operating system patch data >0 string >\0 "%s" # Mobipocket (www.mobipocket.com), donated by Carl Witty 60 string BOOKMOBI Mobipocket E-book >0 string >\0 "%s" #------------------------------------------------------------------------------ # $File: parix,v 1.4 2009/09/19 16:28:11 christos Exp $ # # Parix COFF executables # From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de> # 0 beshort&0xfff 0xACE PARIX >0 byte&0xf0 0x80 T800 >0 byte&0xf0 0x90 T9000 >19 byte&0x02 0x02 executable >19 byte&0x02 0x00 object >19 byte&0x0c 0x00 not stripped #------------------------------------------------------------------------------ # $File: parrot,v 1.1 2010/07/08 20:18:40 christos Exp $ # parrot: file(1) magic for Parrot Virtual Machine # URL: http://www.lua.org/ # From: Lubomir Rintel <lkundrak@v3.sk> # Compiled Parrot byte code 0 string \376PBC\r\n\032\n Parrot bytecode >64 byte x %d. >72 byte x \b%d, >8 byte >0 %d byte words, >16 byte 0 little-endian, >16 byte 1 big-endian, >32 byte 0 IEEE-754 8 byte double floats, >32 byte 1 x86 12 byte long double floats, >32 byte 2 IEEE-754 16 byte long double floats, >32 byte 3 MIPS 16 byte long double floats, >32 byte 4 AIX 16 byte long double floats, >32 byte 5 4-byte floats, >40 byte x Parrot %d. >48 byte x \b%d. >56 byte x \b%d #------------------------------------------------------------------------------ # $File: pascal,v 1.1 2011/12/08 12:12:46 rrt Exp $ # pascal: file(1) magic for Pascal source # 0 search/8192 (input, Pascal source text !:mime text/x-pascal #0 regex \^program Pascal source text #!:mime text/x-pascal #0 regex \^record Pascal source text #!:mime text/x-pascal #------------------------------------------------------------------------------ # $File: pbm,v 1.6 2009/09/19 16:28:11 christos Exp $ # pbm: file(1) magic for Portable Bitmap files # # XXX - byte order? # 0 short 0x2a17 "compact bitmap" format (Poskanzer) #------------------------------------------------------------------------------ # $File: pdf,v 1.6 2009/09/19 16:28:11 christos Exp $ # pdf: file(1) magic for Portable Document Format # 0 string %PDF- PDF document !:mime application/pdf >5 byte x \b, version %c >7 byte x \b.%c # From: Nick Schmalenberger <nick@schmalenberger.us> # Forms Data Format 0 string %FDF- FDF document >5 byte x \b, version %c >7 byte x \b.%c #------------------------------------------------------------------------------ # $File: pdp,v 1.8 2009/09/19 16:28:11 christos Exp $ # pdp: file(1) magic for PDP-11 executable/object and APL workspace # 0 lelong 0101555 PDP-11 single precision APL workspace 0 lelong 0101554 PDP-11 double precision APL workspace # # PDP-11 a.out # 0 leshort 0407 PDP-11 executable >8 leshort >0 not stripped >15 byte >0 - version %ld 0 leshort 0401 PDP-11 UNIX/RT ldp 0 leshort 0405 PDP-11 old overlay 0 leshort 0410 PDP-11 pure executable >8 leshort >0 not stripped >15 byte >0 - version %ld 0 leshort 0411 PDP-11 separate I&D executable >8 leshort >0 not stripped >15 byte >0 - version %ld 0 leshort 0437 PDP-11 kernel overlay # These last three are derived from 2.11BSD file(1) 0 leshort 0413 PDP-11 demand-paged pure executable >8 leshort >0 not stripped 0 leshort 0430 PDP-11 overlaid pure executable >8 leshort >0 not stripped 0 leshort 0431 PDP-11 overlaid separate executable >8 leshort >0 not stripped #------------------------------------------------------------------------------ # $File: perl,v 1.17 2011/12/16 16:24:40 rrt Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. # Keith Waclena <keith@cerberus.uchicago.edu> # Send additions to <perl5-porters@perl.org> 0 search/1 eval\ "exec\ /bin/perl Perl script text !:mime text/x-perl 0 search/1 eval\ "exec\ /usr/bin/perl Perl script text !:mime text/x-perl 0 search/1 eval\ "exec\ /usr/local/bin/perl Perl script text !:mime text/x-perl 0 search/1 eval\ '(exit\ $?0)'\ &&\ eval\ 'exec Perl script text !:mime text/x-perl 0 search/1 #! >0 regex \^#!.*/bin/perl.*$ Perl script text executable !:mime text/x-perl >0 regex \^#!.*/bin/env\ perl.*$ Perl script text executable !:mime text/x-perl # to be tried before awk script !:strength + 40 # by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/1 package >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text # to be tried before C source !:strength + 5 # not 'p', check other lines 0 search/1 !p >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; >>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text # to be tried before C source !:strength + 40 # Perl POD documents # From: Tom Hukins <tom@eborcom.com> 0 search/1/W \=pod\n Perl POD document text 0 search/1/W \n\=pod\n Perl POD document text 0 search/1/W \=head1\ Perl POD document text 0 search/1/W \n\=head1\ Perl POD document text 0 search/1/W \=head2\ Perl POD document text 0 search/1/W \n\=head2\ Perl POD document text # Perl Storable data files. 0 string perl-store perl Storable (v0.6) data >4 byte >0 (net-order %d) >>4 byte &01 (network-ordered) >>4 byte =3 (major 1) >>4 byte =2 (major 1) 0 string pst0 perl Storable (v0.7) data >4 byte >0 >>4 byte &01 (network-ordered) >>4 byte =5 (major 2) >>4 byte =4 (major 2) >>5 byte >0 (minor %d) #------------------------------------------------------------------------------ # $File: pgp,v 1.9 2009/09/19 16:28:11 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # 0 beshort 0x9900 PGP key public ring !:mime application/x-pgp-keyring 0 beshort 0x9501 PGP key security ring !:mime application/x-pgp-keyring 0 beshort 0x9500 PGP key security ring !:mime application/x-pgp-keyring 0 beshort 0xa600 PGP encrypted data #!:mime application/pgp-encrypted #0 string -----BEGIN\040PGP text/PGP armored data !:mime text/PGP # encoding: armored data #>15 string PUBLIC\040KEY\040BLOCK- public key block #>15 string MESSAGE- message #>15 string SIGNED\040MESSAGE- signed message #>15 string PGP\040SIGNATURE- signature 2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- PGP public key block !:mime application/pgp-keys 0 string -----BEGIN\040PGP\40MESSAGE- PGP message !:mime application/pgp 0 string -----BEGIN\040PGP\40SIGNATURE- PGP signature !:mime application/pgp-signature #------------------------------------------------------------------------------ # $File: pkgadd,v 1.6 2009/09/19 16:28:11 christos Exp $ # pkgadd: file(1) magic for SysV R4 PKG Datastreams # 0 string #\ PaCkAgE\ DaTaStReAm pkg Datastream (SVR4) !:mime application/x-svr4-package #------------------------------------------------------------------------------ # $File: plan9,v 1.5 2009/09/19 16:28:11 christos Exp $ # plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables # From: "Stefan A. Haubenthal" <polluks@web.de> # 0 belong 0x00000107 Plan 9 executable, Motorola 68k 0 belong 0x000001EB Plan 9 executable, Intel 386 0 belong 0x00000247 Plan 9 executable, Intel 960 0 belong 0x000002AB Plan 9 executable, SPARC 0 belong 0x00000407 Plan 9 executable, MIPS R3000 0 belong 0x0000048B Plan 9 executable, AT&T DSP 3210 0 belong 0x00000517 Plan 9 executable, MIPS R4000 BE 0 belong 0x000005AB Plan 9 executable, AMD 29000 0 belong 0x00000647 Plan 9 executable, ARM 7-something 0 belong 0x000006EB Plan 9 executable, PowerPC 0 belong 0x00000797 Plan 9 executable, MIPS R4000 LE 0 belong 0x0000084B Plan 9 executable, DEC Alpha #------------------------------------------------------------------------------ # $File: plus5,v 1.6 2009/09/19 16:28:11 christos Exp $ # plus5: file(1) magic for Plus Five's UNIX MUMPS # # XXX - byte order? Paging Hokey.... # 0 short 0x259 mumps avl global >2 byte >0 (V%d) >6 byte >0 with %d byte name >7 byte >0 and %d byte data cells 0 short 0x25a mumps blt global >2 byte >0 (V%d) >8 short >0 - %d byte blocks >15 byte 0x00 - P/D format >15 byte 0x01 - P/K/D format >15 byte 0x02 - K/D format >15 byte >0x02 - Bad Flags #------------------------------------------------------------------------------ # $File: printer,v 1.25 2011/05/20 23:31:46 christos Exp $ # printer: file(1) magic for printer-formatted files # # PostScript, updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string %! PostScript document text !:mime application/postscript !:apple ASPSTEXT >2 string PS-Adobe- conforming >>11 string >\0 DSC level %.3s >>>15 string EPS \b, type %s >>>15 string Query \b, type %s >>>15 string ExitServer \b, type %s >>>15 search/1000 %%LanguageLevel:\ >>>>&0 string >\0 \b, Level %s # Some PCs have the annoying habit of adding a ^D as a document separator 0 string \004%! PostScript document text !:mime application/postscript !:apple ASPSTEXT >3 string PS-Adobe- conforming >>12 string >\0 DSC level %.3s >>>16 string EPS \b, type %s >>>16 string Query \b, type %s >>>16 string ExitServer \b, type %s >>>16 search/1000 %%LanguageLevel:\ >>>>&0 string >\0 \b, Level %s 0 string \033%-12345X%!PS PostScript document # DOS EPS Binary File Header # From: Ed Sznyter <ews@Black.Market.NET> 0 belong 0xC5D0D3C6 DOS EPS Binary File >4 long >0 Postscript starts at byte %d >>8 long >0 length %d >>>12 long >0 Metafile starts at byte %d >>>>16 long >0 length %d >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d # Summary: Adobe's PostScript Printer Description File # Extension: .ppd # Reference: http://partners.adobe.com/public/developer/en/ps/5003.PPD_Spec_v4.3.pdf, Section 3.8 # Submitted by: Yves Arrouye <arrouye@marin.fdn.fr> # 0 string *PPD-Adobe:\x20 PPD file >&0 string x \b, version %s # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data # HP Printer Job Language # The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de> # 0 string \033%-12345X@PJL HP Printer Job Language data >&0 string >\0 %s >>&0 string >\0 %s >>>&0 string >\0 %s >>>>&0 string >\0 %s #>15 string \ ENTER\ LANGUAGE\ = #>31 string PostScript PostScript # From: Stefan Thurner <thurners@nicsys.de> 0 string \033%-12345X@PJL >&0 search/10000 %! PJL encapsulated PostScript document text # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data >3 string \&l0A - default page size >3 string \&l1A - US executive page size >3 string \&l2A - US letter page size >3 string \&l3A - US legal page size >3 string \&l26A - A4 page size >3 string \&l80A - Monarch envelope size >3 string \&l81A - No. 10 envelope size >3 string \&l90A - Intl. DL envelope size >3 string \&l91A - Intl. C5 envelope size >3 string \&l100A - Intl. B5 envelope size >3 string \&l-81A - No. 10 envelope size (landscape) >3 string \&l-90A - Intl. DL envelope size (landscape) # IMAGEN printer-ready files: 0 string @document( Imagen printer # this only works if "language xxx" is first item in Imagen header. >10 string language\ impress (imPRESS data) >10 string language\ daisy (daisywheel text) >10 string language\ diablo (daisywheel text) >10 string language\ printer (line printer emulation) >10 string language\ tektronix (Tektronix 4014 emulation) # Add any other languages that your Imagen uses - remember # to keep the word `text' if the file is human-readable. # [GRR 950115: missing "postscript" or "ultrascript" (whatever it was called)] # # Now magic for IMAGEN font files... 0 string Rast RST-format raster font data >45 string >0 face %s # From Jukka Ukkonen 0 string \033[K\002\0\0\017\033(a\001\0\001\033(g Canon Bubble Jet BJC formatted data # From <mike@flyn.org> # These are the /etc/magic entries to decode data sent to an Epson printer. 0 string \x1B\x40\x1B\x28\x52\x08\x00\x00REMOTE1P Epson Stylus Color 460 data #------------------------------------------------------------------------------ # zenographics: file(1) magic for Zenographics ZjStream printer data # Rick Richardson rickr@mn.rr.com 0 string JZJZ >0x12 string ZZ Zenographics ZjStream printer data (big-endian) 0 string ZJZJ >0x12 string ZZ Zenographics ZjStream printer data (little-endian) #------------------------------------------------------------------------------ # Oak Technologies printer stream # Rick Richardson <rickr@mn.rr.com> 0 string OAK >0x07 byte 0 >0x0b byte 0 Oak Technologies printer stream # This would otherwise be recognized as PostScript - nick@debian.org 0 string %!VMF SunClock's Vector Map Format data #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file 0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From: Paolo <oopla@users.sf.net> # Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data #------------------------------------------------------------------------------ # $File: project,v 1.4 2009/09/19 16:28:11 christos Exp $ # project: file(1) magic for Project management # # Magic strings for ftnchek project files. Alexander Mai 0 string FTNCHEK_\ P project file for ftnchek >10 string 1 version 2.7 >10 string 2 version 2.8 to 2.10 >10 string 3 version 2.11 or later #------------------------------------------------------------------------------ # $File: psdbms,v 1.6 2009/09/19 16:28:11 christos Exp $ # psdbms: file(1) magic for psdatabase # 0 belong&0xff00ffff 0x56000000 ps database >1 string >\0 version %s >4 string >\0 from kernel %s #------------------------------------------------------------------------------ # $File: pulsar,v 1.5 2009/09/19 16:28:12 christos Exp $ # pulsar: file(1) magic for Pulsar POP3 daemon binary files # # http://pulsar.sourceforge.net # mailto:rok.papez@lugos.si # 0 belong 0x1ee7f11e Pulsar POP3 daemon mailbox cache file. >4 ubelong x Version: %d. >8 ubelong x \b%d #------------------------------------------------------------------------------ # $File: pyramid,v 1.7 2009/09/19 16:28:12 christos Exp $ # pyramid: file(1) magic for Pyramids # # XXX - byte order? # 0 long 0x50900107 Pyramid 90x family executable 0 long 0x50900108 Pyramid 90x family pure executable >16 long >0 not stripped 0 long 0x5090010b Pyramid 90x family demand paged pure executable >16 long >0 not stripped #------------------------------------------------------------------------------ # $File: python,v 1.20 2011/12/13 13:53:14 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages # From: David Necas <yeti@physics.muni.cz> # often the module starts with a multiline string 0 string/t """ Python script text executable # MAGIC as specified in Python/import.c (1.5 to 2.7a0 and 3.1a0, assuming # that Py_UnicodeFlag is off for Python 2) # 20121 ( YEAR - 1995 ) + MONTH + DAY (little endian followed by "\r\n" 0 belong 0x994e0d0a python 1.5/1.6 byte-compiled 0 belong 0x87c60d0a python 2.0 byte-compiled 0 belong 0x2aeb0d0a python 2.1 byte-compiled 0 belong 0x2ded0d0a python 2.2 byte-compiled 0 belong 0x3bf20d0a python 2.3 byte-compiled 0 belong 0x6df20d0a python 2.4 byte-compiled 0 belong 0xb3f20d0a python 2.5 byte-compiled 0 belong 0xd1f20d0a python 2.6 byte-compiled 0 belong 0x03f30d0a python 2.7 byte-compiled 0 belong 0x3b0c0d0a python 3.0 byte-compiled 0 belong 0x4f0c0d0a python 3.1 byte-compiled 0 belong 0x6c0c0d0a python 3.2 byte-compiled 0 belong 0x9e0c0d0a python 3.3 byte-compiled 0 belong 0xee0c0d0a python 3.4 byte-compiled 0 belong 0x160d0d0a python 3.5 byte-compiled 0 search/1/w #!\ /usr/bin/python Python script text executable !:mime text/x-python 0 search/1/w #!\ /usr/local/bin/python Python script text executable !:mime text/x-python 0 search/1 #!/usr/bin/env\ python Python script text executable !:mime text/x-python 0 search/1 #!\ /usr/bin/env\ python Python script text executable !:mime text/x-python # from module.submodule import func1, func2 0 regex \^from\\s+(\\w|\\.)+\\s+import.*$ Python script text executable !:mime text/x-python # def __init__ (self, ...): 0 search/4096 def\ __init__ >&0 search/64 self Python script text executable !:mime text/x-python # comments #0 search/4096 ''' #>&0 regex .*'''$ Python script text executable #!:mime text/x-python #0 search/4096 """ #>&0 regex .*"""$ Python script text executable #!:mime text/x-python # try: # except: or finally: # block 0 search/4096 try: >&0 regex \^\\s*except.*: Python script text executable !:mime text/x-python >&0 search/4096 finally: Python script text executable !:mime text/x-python # def name(args, args): 0 regex \^(\ |\\t)*def\ +[a-zA-Z]+ >&0 regex \ *\\(([a-zA-Z]|,|\ )*\\):$ Python script text executable !:mime text/x-python #------------------------------------------------------------------------------ # $File: revision,v 1.8 2010/11/25 15:00:12 christos Exp $ # file(1) magic for revision control files # From Hendrik Scholz <hendrik@scholz.net> 0 string/t /1\ :pserver: cvs password text file # Conary changesets # From: Jonathan Smith <smithj@rpath.com> 0 belong 0xea3f81bb Conary changeset data # Type: Git bundles (git-bundle) # From: Josh Triplett <josh@freedesktop.org> 0 string #\ v2\ git\ bundle\n Git bundle # Type: Git pack # From: Adam Buchbinder <adam.buchbinder@gmail.com> # The actual magic is 'PACK', but that clashes with Doom/Quake packs. However, # those have a little-endian offset immediately following the magic 'PACK', # the first byte of which is never 0, while the first byte of the Git pack # version, since it's a tiny number stored in big-endian format, is always 0. 0 string PACK\0 Git pack >4 belong >0 \b, version %d >>8 belong >0 \b, %d objects # Type: Git pack index # From: Adam Buchbinder <adam.buchbinder@gmail.com> 0 string \377tOc Git pack index >4 belong =2 \b, version 2 # Type: Git index file # From: Frédéric Brière <fbriere@fbriere.net> 0 string DIRC Git index >4 belong >0 \b, version %d >>8 belong >0 \b, %d entries # Type: Mercurial bundles # From: Seo Sanghyeon <tinuviel@sparcs.kaist.ac.kr> 0 string HG10 Mercurial bundle, >4 string UN uncompressed >4 string BZ bzip2 compressed # Type: Subversion (SVN) dumps # From: Uwe Zeisberger <zeisberg@informatik.uni-freiburg.de> 0 string SVN-fs-dump-format-version: Subversion dumpfile >28 string >\0 (version: %s) # Type: Bazaar revision bundles and merge requests # URL: http://www.bazaar-vcs.org/ # From: Jelmer Vernooij <jelmer@samba.org> 0 string #\ Bazaar\ revision\ bundle\ v Bazaar Bundle 0 string #\ Bazaar\ merge\ directive\ format Bazaar merge directive #------------------------------------------------------------------------------ # $File: riff,v 1.22 2011/09/06 11:00:06 christos Exp $ # riff: file(1) magic for RIFF format # See # # http://www.seanet.com/users/matts/riffmci/riffmci.htm # # AVI section extended by Patrik R�dman <patrik+file-magic@iki.fi> # 0 string RIFF RIFF (little-endian) data # RIFF Palette format >8 string PAL \b, palette >>16 leshort x \b, version %d >>18 leshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap >>16 string BM >>>30 leshort 12 \b, OS/2 1.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d >>>30 leshort 64 \b, OS/2 2.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d >>>30 leshort 40 \b, Windows 3.x format >>>>34 lelong x \b, %d x >>>>38 lelong x %d x >>>>44 leshort x %d # RIFF MIDI format >8 string RMID \b, MIDI # RIFF Multimedia Movie File format >8 string RMMP \b, multimedia movie # RIFF wrapper for MP3 >8 string RMP3 \b, MPEG Layer 3 audio # Microsoft WAVE format (*.wav) >8 string WAVE \b, WAVE audio !:mime audio/x-wav >>20 leshort 1 \b, Microsoft PCM >>>34 leshort >0 \b, %d bit >>20 leshort 2 \b, Microsoft ADPCM >>20 leshort 6 \b, ITU G.711 A-law >>20 leshort 7 \b, ITU G.711 mu-law >>20 leshort 8 \b, Microsoft DTS >>20 leshort 17 \b, IMA ADPCM >>20 leshort 20 \b, ITU G.723 ADPCM (Yamaha) >>20 leshort 49 \b, GSM 6.10 >>20 leshort 64 \b, ITU G.721 ADPCM >>20 leshort 80 \b, MPEG >>20 leshort 85 \b, MPEG Layer 3 >>20 leshort 0x2001 \b, DTS >>22 leshort =1 \b, mono >>22 leshort =2 \b, stereo >>22 leshort >2 \b, %d channels >>24 lelong >0 %d Hz # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture !:mime image/x-coreldraw # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI !:mime video/x-msvideo >>12 string LIST >>>20 string hdrlavih >>>>&36 lelong x \b, %lu x >>>>&40 lelong x %lu, >>>>&4 lelong >1000000 <1 fps, >>>>&4 lelong 1000000 1.00 fps, >>>>&4 lelong 500000 2.00 fps, >>>>&4 lelong 333333 3.00 fps, >>>>&4 lelong 250000 4.00 fps, >>>>&4 lelong 200000 5.00 fps, >>>>&4 lelong 166667 6.00 fps, >>>>&4 lelong 142857 7.00 fps, >>>>&4 lelong 125000 8.00 fps, >>>>&4 lelong 111111 9.00 fps, >>>>&4 lelong 100000 10.00 fps, # ]9.9,10.1[ >>>>&4 lelong <101010 >>>>>&-4 lelong >99010 >>>>>>&-4 lelong !100000 ~10 fps, >>>>&4 lelong 83333 12.00 fps, # ]11.9,12.1[ >>>>&4 lelong <84034 >>>>>&-4 lelong >82645 >>>>>>&-4 lelong !83333 ~12 fps, >>>>&4 lelong 66667 15.00 fps, # ]14.9,15.1[ >>>>&4 lelong <67114 >>>>>&-4 lelong >66225 >>>>>>&-4 lelong !66667 ~15 fps, >>>>&4 lelong 50000 20.00 fps, >>>>&4 lelong 41708 23.98 fps, >>>>&4 lelong 41667 24.00 fps, # ]23.9,24.1[ >>>>&4 lelong <41841 >>>>>&-4 lelong >41494 >>>>>>&-4 lelong !41708 >>>>>>>&-4 lelong !41667 ~24 fps, >>>>&4 lelong 40000 25.00 fps, # ]24.9,25.1[ >>>>&4 lelong <40161 >>>>>&-4 lelong >39841 >>>>>>&-4 lelong !40000 ~25 fps, >>>>&4 lelong 33367 29.97 fps, >>>>&4 lelong 33333 30.00 fps, # ]29.9,30.1[ >>>>&4 lelong <33445 >>>>>&-4 lelong >33223 >>>>>>&-4 lelong !33367 >>>>>>>&-4 lelong !33333 ~30 fps, >>>>&4 lelong <32224 >30 fps, ##>>>>&4 lelong x (%lu) ##>>>>&20 lelong x %lu frames, # Note: The tests below assume that the AVI has 1 or 2 streams, # "vids" optionally followed by "auds". # (Should cover 99.9% of all AVIs.) # assuming avih length = 56 >>>88 string LIST >>>>96 string strlstrh >>>>>108 string vids video: >>>>>>&0 lelong 0 uncompressed # skip past vids strh >>>>>>(104.l+108) string strf >>>>>>>(104.l+132) lelong 1 RLE 8bpp >>>>>>>(104.l+132) string/c cvid Cinepak >>>>>>>(104.l+132) string/c i263 Intel I.263 >>>>>>>(104.l+132) string/c iv32 Indeo 3.2 >>>>>>>(104.l+132) string/c iv41 Indeo 4.1 >>>>>>>(104.l+132) string/c iv50 Indeo 5.0 >>>>>>>(104.l+132) string/c mp42 Microsoft MPEG-4 v2 >>>>>>>(104.l+132) string/c mp43 Microsoft MPEG-4 v3 >>>>>>>(104.l+132) string/c fmp4 FFMpeg MPEG-4 >>>>>>>(104.l+132) string/c mjpg Motion JPEG >>>>>>>(104.l+132) string/c div3 DivX 3 >>>>>>>>112 string/c div3 Low-Motion >>>>>>>>112 string/c div4 Fast-Motion >>>>>>>(104.l+132) string/c divx DivX 4 >>>>>>>(104.l+132) string/c dx50 DivX 5 >>>>>>>(104.l+132) string/c xvid XviD >>>>>>>(104.l+132) string/c h264 H.264 >>>>>>>(104.l+132) string/c wmv3 Windows Media Video 9 >>>>>>>(104.l+132) string/c h264 X.264 or H.264 >>>>>>>(104.l+132) lelong 0 ##>>>>>>>(104.l+132) string x (%.4s) # skip past first (video) LIST >>>>(92.l+96) string LIST >>>>>(92.l+104) string strlstrh >>>>>>(92.l+116) string auds \b, audio: # auds strh length = 56: >>>>>>>(92.l+172) string strf >>>>>>>>(92.l+180) leshort 0x0001 uncompressed PCM >>>>>>>>(92.l+180) leshort 0x0002 ADPCM >>>>>>>>(92.l+180) leshort 0x0006 aLaw >>>>>>>>(92.l+180) leshort 0x0007 uLaw >>>>>>>>(92.l+180) leshort 0x0050 MPEG-1 Layer 1 or 2 >>>>>>>>(92.l+180) leshort 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+180) leshort 0x2000 Dolby AC3 >>>>>>>>(92.l+180) leshort 0x0161 DivX ##>>>>>>>>(92.l+180) leshort x (0x%.4x) >>>>>>>>(92.l+182) leshort 1 (mono, >>>>>>>>(92.l+182) leshort 2 (stereo, >>>>>>>>(92.l+182) leshort >2 (%d channels, >>>>>>>>(92.l+184) lelong x %d Hz) # auds strh length = 64: >>>>>>>(92.l+180) string strf >>>>>>>>(92.l+188) leshort 0x0001 uncompressed PCM >>>>>>>>(92.l+188) leshort 0x0002 ADPCM >>>>>>>>(92.l+188) leshort 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+188) leshort 0x2000 Dolby AC3 >>>>>>>>(92.l+188) leshort 0x0161 DivX ##>>>>>>>>(92.l+188) leshort x (0x%.4x) >>>>>>>>(92.l+190) leshort 1 (mono, >>>>>>>>(92.l+190) leshort 2 (stereo, >>>>>>>>(92.l+190) leshort >2 (%d channels, >>>>>>>>(92.l+192) lelong x %d Hz) # Animated Cursor format >8 string ACON \b, animated cursor # SoundFont 2 <mpruett@sgi.com> >8 string sfbk SoundFont/Bank # MPEG-1 wrapped in a RIFF, apparently >8 string CDXA \b, wrapped MPEG-1 (CDXA) >8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV >8 string AMV\040 \b, AMV # # XXX - some of the below may only appear in little-endian form. # # Also "MV93" appears to be for one form of Macromedia Director # files, and "GDMF" appears to be another multimedia format. # 0 string RIFX RIFF (big-endian) data # RIFF Palette format >8 string PAL \b, palette >>16 beshort x \b, version %d >>18 beshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap >>16 string BM >>>30 beshort 12 \b, OS/2 1.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d >>>30 beshort 64 \b, OS/2 2.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d >>>30 beshort 40 \b, Windows 3.x format >>>>34 belong x \b, %d x >>>>38 belong x %d x >>>>44 beshort x %d # RIFF MIDI format >8 string RMID \b, MIDI # RIFF Multimedia Movie File format >8 string RMMP \b, multimedia movie # Microsoft WAVE format (*.wav) >8 string WAVE \b, WAVE audio >>20 leshort 1 \b, Microsoft PCM >>>34 leshort >0 \b, %d bit >>22 beshort =1 \b, mono >>22 beshort =2 \b, stereo >>22 beshort >2 \b, %d channels >>24 belong >0 %d Hz # Corel Draw Picture >8 string CDRA \b, Corel Draw Picture # AVI == Audio Video Interleave >8 string AVI\040 \b, AVI # Animated Cursor format >8 string ACON \b, animated cursor # Notation Interchange File Format (big-endian only) >8 string NIFF \b, Notation Interchange File Format # SoundFont 2 <mpruett@sgi.com> >8 string sfbk SoundFont/Bank #------------------------------------------------------------------------------ # Sony Wave64 # see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf # 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian 0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data # 128 bit + total file size (64 bits) so 24 bytes # then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A } >24 string wave\xF3\xAC\xD3\x11\x8C\xD1\x00\xC0\x4F\x8E\xDB\x8A \b, WAVE 64 audio !:mime audio/x-w64 # FMT-GUID { 20746D66-ACF3-11D3-8CD1-00C04F8EDB8A } >>40 search/256 fmt\x20\xF3\xAC\xD3\x11\x8C\xD1\x00\xC0\x4F\x8E\xDB\x8A \b >>>&10 leshort =1 \b, mono >>>&10 leshort =2 \b, stereo >>>&10 leshort >2 \b, %d channels >>>&12 lelong >0 %d Hz #------------------------------------------------------------------------------ # MBWF/RF64 # see EBU � TECH 3306 http://tech.ebu.ch/docs/tech/tech3306-2009.pdf 0 string RF64\xff\xff\xff\xffWAVEds64 MBWF/RF64 audio !:mime audio/x-wav >40 search/256 fmt\x20 \b >>&6 leshort =1 \b, mono >>&6 leshort =2 \b, stereo >>&6 leshort >2 \b, %d channels >>&8 lelong >0 %d Hz #------------------------------------------------------------------------------ # $File: rinex,v 1.4 2011/05/03 01:44:17 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf # data for testing: ftp://cddis.gsfc.nasa.gov/pub/gps/data 60 string RINEX >80 search/256 XXRINEXB RINEX Data, GEO SBAS Broadcast >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/broadcast >80 search/256 XXRINEXD RINEX Data, Observation (Hatanaka comp) >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/observation >80 search/256 XXRINEXC RINEX Data, Clock >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/clock >80 search/256 XXRINEXH RINEX Data, GEO SBAS Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation >80 search/256 XXRINEXG RINEX Data, GLONASS Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation >80 search/256 XXRINEXL RINEX Data, Galileo Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation >80 search/256 XXRINEXM RINEX Data, Meteorological >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/meteorological >80 search/256 XXRINEXN RINEX Data, Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation >80 search/256 XXRINEXO RINEX Data, Observation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/observation #------------------------------------------------------------------------------ # $File: rpm,v 1.11 2011/06/14 12:47:41 christos Exp $ # # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) # 0 belong 0xedabeedb RPM !:mime application/x-rpm >4 byte x v%d >5 byte x \b.%d >6 beshort 1 src >6 beshort 0 bin >>8 beshort 1 i386/x86_64 >>8 beshort 2 Alpha/Sparc64 >>8 beshort 3 Sparc >>8 beshort 4 MIPS >>8 beshort 5 PowerPC >>8 beshort 6 68000 >>8 beshort 7 SGI >>8 beshort 8 RS6000 >>8 beshort 9 IA64 >>8 beshort 10 Sparc64 >>8 beshort 11 MIPSel >>8 beshort 12 ARM >>8 beshort 13 MiNT >>8 beshort 14 S/390 >>8 beshort 15 S/390x >>8 beshort 16 PowerPC64 >>8 beshort 17 SuperH >>8 beshort 18 Xtensa >>8 beshort 255 noarch >>10 string x %s #delta RPM Daniel Novotny (dnovotny@redhat.com) 0 string drpm Delta RPM !:mime application/x-rpm >12 string x %s >>>8 beshort 11 MIPSel >>>8 beshort 12 ARM >>>8 beshort 13 MiNT >>>8 beshort 14 S/390 >>>8 beshort 15 S/390x >>>8 beshort 16 PowerPC64 >>>8 beshort 17 SuperH >>>8 beshort 18 Xtensa >>10 string x %s # Type: Delta RPM # From: Daniel Novotny (dnovotny@redhat.com) 0 string drpm Delta RPM !:mime application/x-rpm >12 string x %s #------------------------------------------------------------------------------ # $File: rtf,v 1.7 2009/09/19 16:28:12 christos Exp $ # rtf: file(1) magic for Rich Text Format (RTF) # # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk # 0 string {\\rtf Rich Text Format data, !:mime text/rtf >5 string 1 version 1, >>6 string \\ansi ANSI >>6 string \\mac Apple Macintosh >>6 string \\pc IBM PC, code page 437 >>6 string \\pca IBM PS/2, code page 850 >>6 default x unknown character set >5 default x unknown version #------------------------------------------------------------------------------ # $File: ruby,v 1.5 2010/07/21 16:47:17 christos Exp $ # ruby: file(1) magic for Ruby scripting language # URL: http://www.ruby-lang.org/ # From: Reuben Thomas <rrt@sc3d.org> # Ruby scripts 0 search/1/w #!\ /usr/bin/ruby Ruby script text executable !:mime text/x-ruby 0 search/1/w #!\ /usr/local/bin/ruby Ruby script text executable !:mime text/x-ruby 0 search/1 #!/usr/bin/env\ ruby Ruby script text executable !:mime text/x-ruby 0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable !:mime text/x-ruby # What looks like ruby, but does not have a shebang # (modules and such) # From: Lubomir Rintel <lkundrak@v3.sk> 0 regex \^[\ \t]*require[\ \t]'[A-Za-z_/]+' >0 regex include\ [A-Z]|def\ [a-z]|\ do$ >>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby script text !:mime text/x-ruby 0 regex \^[\ \t]*(class|module)[\ \t][A-Z] >0 regex (modul|includ)e\ [A-Z]|def\ [a-z] >>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby module source text !:mime text/x-ruby #------------------------------------------------------------------------------ # $File: sc,v 1.6 2009/09/19 16:28:12 christos Exp $ # sc: file(1) magic for "sc" spreadsheet # 38 string Spreadsheet sc spreadsheet file !:mime application/x-sc #------------------------------------------------------------------------------ # $File: sccs,v 1.6 2009/09/19 16:28:12 christos Exp $ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: # \001h01207 # \001s 00276/00000/00000 # \001d D 1.1 87/09/23 08:09:20 ian 1 0 # \001c date and time created 87/09/23 08:09:20 by ian # \001e # \001u # \001U # ... etc. # Now '\001h' happens to be the same as the 3B20's a.out magic number (0550). # *Sigh*. And these both came from various parts of the USG. # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, # and we don't have regular expression matching yet. # Hence the following official kludge: 8 string \001s\ SCCS archive data #------------------------------------------------------------------------------ # $File: scientific,v 1.7 2010/09/20 19:19:17 rrt Exp $ # scientific: file(1) magic for scientific formats # # From: Joe Krahn <krahn@niehs.nih.gov> ######################################################## # CCP4 data and plot files: 0 string MTZ\040 MTZ reflection file 92 string PLOT%%84 Plot84 plotting file >52 byte 1 , Little-endian >55 byte 1 , Big-endian ######################################################## # Electron density MAP/MASK formats 0 string EZD_MAP NEWEZD Electron Density Map 109 string MAP\040( Old EZD Electron Density Map 0 string/c :-)\040Origin BRIX Electron Density Map >170 string >0 , Sigma:%.12s #>4 string >0 %.178s #>4 addr x %.178s 7 string 18\040!NTITLE XPLOR ASCII Electron Density Map 9 string \040!NTITLE\012\040REMARK CNS ASCII electron density map 208 string MAP\040 CCP4 Electron Density Map # Assumes same stamp for float and double (normal case) >212 byte 17 \b, Big-endian >212 byte 34 \b, VAX format >212 byte 68 \b, Little-endian >212 byte 85 \b, Convex native ############################################################ # X-Ray Area Detector images 0 string R-AXIS4\ \ \ R-Axis Area Detector Image: >796 lelong <20 Little-endian, IP #%d, >>768 lelong >0 Size=%dx >>772 lelong >0 \b%d >796 belong <20 Big-endian, IP #%d, >>768 belong >0 Size=%dx >>772 belong >0 \b%d 0 string RAXIS\ \ \ \ \ R-Axis Area Detector Image, Win32: >796 lelong <20 Little-endian, IP #%d, >>768 lelong >0 Size=%dx >>772 lelong >0 \b%d >796 belong <20 Big-endian, IP #%d, >>768 belong >0 Size=%dx >>772 belong >0 \b%d 1028 string MMX\000\000\000\000\000\000\000\000\000\000\000\000\000 MAR Area Detector Image, >1072 ulong >1 Compressed(%d), >1100 ulong >1 %d headers, >1104 ulong >0 %d x >1108 ulong >0 %d, >1120 ulong >0 %d bits/pixel # Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta 0 search/1/c 0\ HEAD GEDCOM genealogy text >&0 search 1\ GEDC >>&0 search 2\ VERS version >>>&1 search/1 >\0 %s # From: Phil Endecott <phil05@chezphil.org> 0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data 0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data 0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data 0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data # PDB: Protein Data Bank files # Adam Buchbinder <adam.buchbinder@gmail.com> # # http://www.wwpdb.org/documentation/format32/sect2.html # http://www.ch.ic.ac.uk/chemime/ # # The PDB file format is fixed-field, 80 columns. From the spec: # # COLS DATA # 1 - 6 "HEADER" # 11 - 50 String(40) # 51 - 59 Date # 63 - 66 IDcode # # Thus, positions 7-10, 60-62 and 67-80 are spaces. The Date must be in the # format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. 0 string HEADER\ \ \ \ >&0 regex/1 \^.{40} >>&0 regex/1 [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} >>>&0 regex/1s [A-Z0-9]{4}.{14}$ >>>>&0 regex/1 [A-Z0-9]{4} Protein Data Bank data, ID Code %s !:mime chemical/x-pdb >>>>0 regex/1 [0-9]{2}-[A-Z]{3}-[0-9]{2} \b, %s # Type: GDSII Stream file 0 belong 0x00060002 GDSII Stream file >4 byte 0x00 >>5 byte x version %d.0 >4 byte >0x00 version %d >>5 byte x \b.%d #------------------------------------------------------------------------------ # $File: securitycerts,v 1.4 2009/09/19 16:28:12 christos Exp $ 0 search/1 -----BEGIN\ CERTIFICATE------ RFC1421 Security Certificate text 0 search/1 -----BEGIN\ NEW\ CERTIFICATE RFC1421 Security Certificate Signing Request text 0 belong 0xedfeedfe Sun 'jks' Java Keystore File data 0 string \0volume_key volume_key escrow packet # Type: SE Linux policy modules *.pp reference policy # for Fedora 5 to 9, RHEL5, and Debian Etch and Lenny. # URL: http://doc.coker.com.au/computers/selinux-magic # From: Russell Coker <russell@coker.com.au> 0 lelong 0xf97cff8f SE Linux modular policy >4 lelong x version %d, >8 lelong x %d sections, >>(12.l) lelong 0xf97cff8d >>>(12.l+27) lelong x mod version %d, >>>(12.l+31) lelong 0 Not MLS, >>>(12.l+31) lelong 1 MLS, >>>(12.l+23) lelong 2 >>>>(12.l+47) string >\0 module name %s >>>(12.l+23) lelong 1 base 1 string policy_module( SE Linux policy module source 2 string policy_module( SE Linux policy module source 0 string ##\ <summary> SE Linux policy interface source #0 search gen_context( SE Linux policy file contexts #0 search gen_sens( SE Linux policy MLS constraints source #------------------------------------------------------------------------------ # $File: sendmail,v 1.7 2009/09/19 16:28:12 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? # 0 byte 046 Sendmail frozen configuration >16 string >\0 - version %s 0 short 0x271c Sendmail frozen configuration >16 string >\0 - version %s #------------------------------------------------------------------------------ # sendmail: file(1) magic for sendmail m4(1) files # # From Hendrik Scholz <hendrik@scholz.net> # i.e. files in /usr/share/sendmail/cf/ # 0 string divert(-1)\n sendmail m4 text file #------------------------------------------------------------------------------ # $File: sequent,v 1.8 2009/09/19 16:28:12 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins <atsun!dwiggins>. # For Sequent's multiprocessor systems (incomplete). 0 lelong 0x00ea BALANCE NS32000 .o >16 lelong >0 not stripped >124 lelong >0 version %ld 0 lelong 0x10ea BALANCE NS32000 executable (0 @ 0) >16 lelong >0 not stripped >124 lelong >0 version %ld 0 lelong 0x20ea BALANCE NS32000 executable (invalid @ 0) >16 lelong >0 not stripped >124 lelong >0 version %ld 0 lelong 0x30ea BALANCE NS32000 standalone executable >16 lelong >0 not stripped >124 lelong >0 version %ld # # Symmetry information added by Jason Merrill <jason@jarthur.claremont.edu>. # Symmetry magic nums will not be reached if DOS COM comes before them; # byte 0xeb is matched before these get a chance. 0 leshort 0x12eb SYMMETRY i386 .o >16 lelong >0 not stripped >124 lelong >0 version %ld 0 leshort 0x22eb SYMMETRY i386 executable (0 @ 0) >16 lelong >0 not stripped >124 lelong >0 version %ld 0 leshort 0x32eb SYMMETRY i386 executable (invalid @ 0) >16 lelong >0 not stripped >124 lelong >0 version %ld 0 leshort 0x42eb SYMMETRY i386 standalone executable >16 lelong >0 not stripped >124 lelong >0 version %ld #------------------------------------------------------------------------------ # $File: sgi,v 1.18 2010/11/25 15:00:12 christos Exp $ # sgi: file(1) magic for Silicon Graphics applications # # # Performance Co-Pilot file types 0 string PmNs PCP compiled namespace (V.0) 0 string PmN PCP compiled namespace >3 string >\0 (V.%1.1s) #3 lelong 0x84500526 PCP archive 3 belong 0x84500526 PCP archive >7 byte x (V.%d) #>20 lelong -2 temporal index #>20 lelong -1 metadata #>20 lelong 0 log volume #0 #>20 lelong >0 log volume #%ld >20 belong -2 temporal index >20 belong -1 metadata >20 belong 0 log volume #0 >20 belong >0 log volume #%ld >24 string >\0 host: %s 0 string PCPFolio PCP >9 string Version: Archive Folio >18 string >\0 (V.%s) 0 string #pmchart PCP pmchart view >9 string Version >17 string >\0 (V%-3.3s) 0 string #kmchart PCP kmchart view >9 string Version >17 string >\0 (V.%s) 0 string pmview PCP pmview config >7 string Version >15 string >\0 (V%-3.3s) 0 string #pmlogger PCP pmlogger config >10 string Version >18 string >\0 (V%1.1s) 0 string #pmdahotproc PCP pmdahotproc config >13 string Version >21 string >\0 (V%-3.3s) 0 string PcPh PCP Help >4 string 1 Index >4 string 2 Text >5 string >\0 (V.%1.1s) 0 string #pmieconf-rules PCP pmieconf rules >16 string >\0 (V.%1.1s) 3 string pmieconf-pmie PCP pmie config >17 string >\0 (V.%1.1s) # SpeedShop data files 0 lelong 0x13130303 SpeedShop data file # mdbm files 0 lelong 0x01023962 mdbm file, version 0 (obsolete) 0 string mdbm mdbm file, >5 byte x version %d, >6 byte x 2^%d pages, >7 byte x pagesize 2^%d, >17 byte x hash %d, >11 byte x dataformat %d # Alias Maya files 0 string/t //Maya ASCII Alias Maya Ascii File, >13 string >\0 version %s 8 string MAYAFOR4 Alias Maya Binary File, >32 string >\0 version %s scene 8 string MayaFOR4 Alias Maya Binary File, >32 string >\0 version %s scene 8 string CIMG Alias Maya Image File 8 string DEEP Alias Maya Image File #------------------------------------------------------------------------------ # $File: sgml,v 1.27 2011/12/07 12:01:24 rrt Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres <tecnico@ejerciciosresueltos.com> 0 string \<?xml\ version=" >15 string >\0 >>19 search/4096 \<svg SVG Scalable Vector Graphics image !:mime image/svg+xml >>19 search/4096 \<gnc-v2 GnuCash file !:mime application/x-gnucash # Sitemap file 0 string/t \<?xml\ version=" >15 string >\0 >>19 search/4096 \<urlset XML Sitemap document text !:mime application/xml-sitemap # xhtml 0 string/t \<?xml\ version=" >19 search/4096/cWbt \<!doctype\ html XHTML document text >>15 string >\0 (version %.3s) !:mime text/html 0 string/t \<?xml\ version=' >19 search/4096/cWbt \<!doctype\ html XHTML document text >>15 string >\0 (version %.3s) !:mime text/html 0 string/t \<?xml\ version=" >19 search/4096/cWbt \<html broken XHTML document text >>15 string >\0 (version %.3s) !:mime text/html #------------------------------------------------------------------------------ # sgml: file(1) magic for Standard Generalized Markup Language # HyperText Markup Language (HTML) is an SGML document type, # from Daniel Quinlan (quinlan@yggdrasil.com) # adapted to string extenstions by Anthon van der Neut <anthon@mnt.org) 0 search/4096/cWt \<!doctype\ html HTML document text !:mime text/html 0 search/4096/cwt \<head HTML document text !:mime text/html 0 search/4096/cwt \<title HTML document text !:mime text/html 0 search/4096/cwt \<html HTML document text !:mime text/html 0 search/4096/cwt \<script HTML document text !:mime text/html 0 search/4096/cwt \<style HTML document text !:mime text/html 0 search/4096/cwt \<table HTML document text !:mime text/html 0 search/4096/cwt \<a\ href= HTML document text !:mime text/html # Extensible markup language (XML), a subset of SGML # from Marc Prud'hommeaux (marc@apocalypse.org) 0 search/1/cwt \<?xml XML document text !:mime application/xml 0 string/t \<?xml\ version\ " XML !:mime application/xml 0 string/t \<?xml\ version=" XML !:mime application/xml >15 string/t >\0 %.3s document text >>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet) 0 string \<?xml\ version=' XML !:mime application/xml >15 string/t >\0 %.3s document text >>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet) 0 search/1/wt \<?XML broken XML document text !:mime application/xml !:strength - 10 # SGML, mostly from rph@sq 0 search/4096/cwt \<!doctype exported SGML document text 0 search/4096/cwt \<!subdoc exported SGML subdocument text 0 search/4096/cwt \<!-- exported SGML document text !:strength - 10 # Web browser cookie files # (Mozilla, Galeon, Netscape 4, Konqueror..) # Ulf Harnhammar <ulfh@update.uu.se> 0 search/1 #\ HTTP\ Cookie\ File Web browser cookie text 0 search/1 #\ Netscape\ HTTP\ Cookie\ File Netscape cookie text 0 search/1 #\ KDE\ Cookie\ File Konqueror cookie text #------------------------------------------------------------------------ # $File: sharc,v 1.6 2009/09/19 16:28:12 christos Exp $ # file(1) magic for sharc files # # SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by # FutureGroove Music (dsp@futuregroove.de) #------------------------------------------------------------------------ #0 string Draw RiscOS Drawfile #0 string PACK RiscOS PackdDir archive #------------------------------------------------------------------------ # SHARC DSP stuff (based on the FGM SHARC DSP SDK) #0 string =! Assembler source #0 string Analog ADi asm listing file 0 string .SYSTEM SHARC architecture file 0 string .system SHARC architecture file 0 leshort 0x521C SHARC COFF binary >2 leshort >1 , %hd sections >>12 lelong >0 , not stripped #------------------------------------------------------------------------------ # $File: sinclair,v 1.5 2009/09/19 16:28:12 christos Exp $ # sinclair: file(1) sinclair QL # additions to /etc/magic by Thomas M. Ott (ThMO) # Sinclair QL floppy disk formats (ThMO) 0 string =QL5 QL disk dump data, >3 string =A 720 KB, >3 string =B 1.44 MB, >3 string =C 3.2 MB, >4 string >\0 label:%.10s # Sinclair QL OS dump (ThMO) # (NOTE: if `file' would be able to use indirect references in a endian format # differing from the natural host format, this could be written more # reliably and faster...) # # we *can't* lookup QL OS code dumps, because `file' is UNABLE to read more # than the first 8K of a file... #-( # #0 belong =0x30000 #>49124 belong <47104 #>>49128 belong <47104 #>>>49132 belong <47104 #>>>>49136 belong <47104 QL OS dump data, #>>>>>49148 string >\0 type %.3s, #>>>>>49142 string >\0 version %.4s # Sinclair QL firmware executables (ThMO) 0 string NqNqNq`\004 QL firmware executable (BCPL) # Sinclair QL libraries (was ThMO) 0 beshort 0xFB01 QDOS object >2 pstring x '%s' # Sinclair QL executables (was ThMO) 4 belong 0x4AFB QDOS executable >9 pstring x '%s' # Sinclair QL ROM (ThMO) 0 belong =0x4AFB0001 QL plugin-ROM data, >9 pstring =\0 un-named >9 pstring >\0 named: %s # Type: SiSU Markup Language # URL: http://www.sisudoc.org/ # From: Ralph Amissah <ralph.amissah@gmail.com> 0 regex \^%?[\ \t]*SiSU[\ \t]+insert SiSU text insert >5 regex [0-9.]+ %s 0 regex \^%[\ \t]+SiSU[\ \t]+master SiSU text master >5 regex [0-9.]+ %s 0 regex \^%?[\ \t]*SiSU[\ \t]+text SiSU text >5 regex [0-9.]+ %s 0 regex \^%?[\ \t]*SiSU[\ \t][0-9.]+ SiSU text >5 regex [0-9.]+ %s 0 regex \^%*[\ \t]*sisu-[0-9.]+ SiSU text >5 regex [0-9.]+ %s #------------------------------------------------------------------------------ # $File: sketch,v 1.4 2009/09/19 16:28:12 christos Exp $ # Sketch Drawings: http://sketch.sourceforge.net/ # From: Edwin Mons <e@ik.nu> 0 search/1 ##Sketch Sketch document text #----------------------------------------------- # $File: smalltalk,v 1.5 2009/09/19 16:28:12 christos Exp $ # GNU Smalltalk image, starting at version 1.6.2 # From: catull_us@yahoo.com # 0 string GSTIm\0\0 GNU SmallTalk # little-endian >7 byte&1 =0 LE image version >>10 byte x %d. >>9 byte x \b%d. >>8 byte x \b%d #>>12 lelong x , data: %ld #>>16 lelong x , table: %ld #>>20 lelong x , memory: %ld # big-endian >7 byte&1 =1 BE image version >>8 byte x %d. >>9 byte x \b%d. >>10 byte x \b%d #>>12 belong x , data: %ld #>>16 belong x , table: %ld #>>20 belong x , memory: %ld #------------------------------------------------------------------------------ # $File: smile,v 1.1 2011/08/17 17:37:18 christos Exp $ # smile: file(1) magic for Smile serialization # # The Smile serialization format uses a 4-byte header: # # Constant byte #0: 0x3A (ASCII ':') # Constant byte #1: 0x29 (ASCII ')') # Constant byte #2: 0x0A (ASCII linefeed, '\n') # Variable byte #3, consisting of bits: # Bits 4-7 (4 MSB): 4-bit version number # Bits 3: Reserved # Bit 2 (mask 0x04): Whether raw binary (unescaped 8-bit) values may be present in content # Bit 1 (mask 0x02): Whether shared String value checking was enabled during encoding, default false # Bit 0 (mask 0x01): Whether shared property name checking was enabled during encoding, default true # # Reference: http://wiki.fasterxml.com/SmileFormatSpec # Created by: Pierre-Alexandre Meyer <pierre@mouraf.org> # Detection 0 string :)\n Smile binary data # Versioning >3 byte&0xF0 x version %d: # Properties >3 byte&0x04 0x04 binary raw, >3 byte&0x04 0x00 binary encoded, >3 byte&0x02 0x02 shared String values enabled, >3 byte&0x02 0x00 shared String values disabled, >3 byte&0x01 0x01 shared field names enabled >3 byte&0x01 0x00 shared field names disabled #------------------------------------------------------------------------------ # $File: sniffer,v 1.18 2011/08/08 08:49:27 christos Exp $ # sniffer: file(1) magic for packet capture files # # From: guy@alum.mit.edu (Guy Harris) # # # Microsoft Network Monitor 1.x capture files. # 0 string RTSS NetMon capture file >5 byte x - version %d >4 byte x \b.%d >6 leshort 0 (Unknown) >6 leshort 1 (Ethernet) >6 leshort 2 (Token Ring) >6 leshort 3 (FDDI) >6 leshort 4 (ATM) # # Microsoft Network Monitor 2.x capture files. # 0 string GMBU NetMon capture file >5 byte x - version %d >4 byte x \b.%d >6 leshort 0 (Unknown) >6 leshort 1 (Ethernet) >6 leshort 2 (Token Ring) >6 leshort 3 (FDDI) >6 leshort 4 (ATM) # # Network General Sniffer capture files. # Sorry, make that "Network Associates Sniffer capture files." # Sorry, make that "Network General old DOS Sniffer capture files." # 0 string TRSNIFF\ data\ \ \ \ \032 Sniffer capture file >33 byte 2 (compressed) >23 leshort x - version %d >25 leshort x \b.%d >32 byte 0 (Token Ring) >32 byte 1 (Ethernet) >32 byte 2 (ARCNET) >32 byte 3 (StarLAN) >32 byte 4 (PC Network broadband) >32 byte 5 (LocalTalk) >32 byte 6 (Znet) >32 byte 7 (Internetwork Analyzer) >32 byte 9 (FDDI) >32 byte 10 (ATM) # # Cinco Networks NetXRay capture files. # Sorry, make that "Network General Sniffer Basic capture files." # Sorry, make that "Network Associates Sniffer Basic capture files." # Sorry, make that "Network Associates Sniffer Basic, and Windows # Sniffer Pro", capture files." # Sorry, make that "Network General Sniffer capture files." # 0 string XCP\0 NetXRay capture file >4 string >\0 - version %s >44 leshort 0 (Ethernet) >44 leshort 1 (Token Ring) >44 leshort 2 (FDDI) >44 leshort 3 (WAN) >44 leshort 8 (ATM) >44 leshort 9 (802.11) # # "libpcap" capture files. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is # the main program that uses that format, but there are other programs # that use "libpcap", or that use the same capture file format.) # 0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian) !:mime application/vnd.tcpdump.pcap >4 beshort x - version %d >6 beshort x \b.%d >20 belong 0 (No link-layer encapsulation >20 belong 1 (Ethernet >20 belong 2 (3Mb Ethernet >20 belong 3 (AX.25 >20 belong 4 (ProNET >20 belong 5 (CHAOS >20 belong 6 (Token Ring >20 belong 7 (BSD ARCNET >20 belong 8 (SLIP >20 belong 9 (PPP >20 belong 10 (FDDI >20 belong 11 (RFC 1483 ATM >20 belong 12 (raw IP >20 belong 13 (BSD/OS SLIP >20 belong 14 (BSD/OS PPP >20 belong 19 (Linux ATM Classical IP >20 belong 50 (PPP or Cisco HDLC >20 belong 51 (PPP-over-Ethernet >20 belong 99 (Symantec Enterprise Firewall >20 belong 100 (RFC 1483 ATM >20 belong 101 (raw IP >20 belong 102 (BSD/OS SLIP >20 belong 103 (BSD/OS PPP >20 belong 104 (BSD/OS Cisco HDLC >20 belong 105 (802.11 >20 belong 106 (Linux Classical IP over ATM >20 belong 107 (Frame Relay >20 belong 108 (OpenBSD loopback >20 belong 109 (OpenBSD IPsec encrypted >20 belong 112 (Cisco HDLC >20 belong 113 (Linux "cooked" >20 belong 114 (LocalTalk >20 belong 117 (OpenBSD PFLOG >20 belong 119 (802.11 with Prism header >20 belong 122 (RFC 2625 IP over Fibre Channel >20 belong 123 (SunATM >20 belong 127 (802.11 with radiotap header >20 belong 129 (Linux ARCNET >20 belong 138 (Apple IP over IEEE 1394 >20 belong 140 (MTP2 >20 belong 141 (MTP3 >20 belong 143 (DOCSIS >20 belong 144 (IrDA >20 belong 147 (Private use 0 >20 belong 148 (Private use 1 >20 belong 149 (Private use 2 >20 belong 150 (Private use 3 >20 belong 151 (Private use 4 >20 belong 152 (Private use 5 >20 belong 153 (Private use 6 >20 belong 154 (Private use 7 >20 belong 155 (Private use 8 >20 belong 156 (Private use 9 >20 belong 157 (Private use 10 >20 belong 158 (Private use 11 >20 belong 159 (Private use 12 >20 belong 160 (Private use 13 >20 belong 161 (Private use 14 >20 belong 162 (Private use 15 >20 belong 163 (802.11 with AVS header >16 belong x \b, capture length %d) 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian) !:mime application/vnd.tcpdump.pcap >4 leshort x - version %d >6 leshort x \b.%d >20 lelong 0 (No link-layer encapsulation >20 lelong 1 (Ethernet >20 lelong 2 (3Mb Ethernet >20 lelong 3 (AX.25 >20 lelong 4 (ProNET >20 lelong 5 (CHAOS >20 lelong 6 (Token Ring >20 lelong 7 (ARCNET >20 lelong 8 (SLIP >20 lelong 9 (PPP >20 lelong 10 (FDDI >20 lelong 11 (RFC 1483 ATM >20 lelong 12 (raw IP >20 lelong 13 (BSD/OS SLIP >20 lelong 14 (BSD/OS PPP >20 lelong 19 (Linux ATM Classical IP >20 lelong 50 (PPP or Cisco HDLC >20 lelong 51 (PPP-over-Ethernet >20 lelong 99 (Symantec Enterprise Firewall >20 lelong 100 (RFC 1483 ATM >20 lelong 101 (raw IP >20 lelong 102 (BSD/OS SLIP >20 lelong 103 (BSD/OS PPP >20 lelong 104 (BSD/OS Cisco HDLC >20 lelong 105 (802.11 >20 lelong 106 (Linux Classical IP over ATM >20 lelong 107 (Frame Relay >20 lelong 108 (OpenBSD loopback >20 lelong 109 (OpenBSD IPsec encrypted >20 lelong 112 (Cisco HDLC >20 lelong 113 (Linux "cooked" >20 lelong 114 (LocalTalk >20 lelong 117 (OpenBSD PFLOG >20 lelong 119 (802.11 with Prism header >20 lelong 122 (RFC 2625 IP over Fibre Channel >20 lelong 123 (SunATM >20 lelong 127 (802.11 with radiotap header >20 lelong 129 (Linux ARCNET >20 lelong 138 (Apple IP over IEEE 1394 >20 lelong 140 (MTP2 >20 lelong 141 (MTP3 >20 lelong 143 (DOCSIS >20 lelong 144 (IrDA >20 lelong 147 (Private use 0 >20 lelong 148 (Private use 1 >20 lelong 149 (Private use 2 >20 lelong 150 (Private use 3 >20 lelong 151 (Private use 4 >20 lelong 152 (Private use 5 >20 lelong 153 (Private use 6 >20 lelong 154 (Private use 7 >20 lelong 155 (Private use 8 >20 lelong 156 (Private use 9 >20 lelong 157 (Private use 10 >20 lelong 158 (Private use 11 >20 lelong 159 (Private use 12 >20 lelong 160 (Private use 13 >20 lelong 161 (Private use 14 >20 lelong 162 (Private use 15 >20 lelong 163 (802.11 with AVS header >16 lelong x \b, capture length %d) # # "libpcap"-with-Alexey-Kuznetsov's-patches capture files. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is # the main program that uses that format, but there are other programs # that use "libpcap", or that use the same capture file format.) # 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian) >4 beshort x - version %d >6 beshort x \b.%d >20 belong 0 (No link-layer encapsulation >20 belong 1 (Ethernet >20 belong 2 (3Mb Ethernet >20 belong 3 (AX.25 >20 belong 4 (ProNET >20 belong 5 (CHAOS >20 belong 6 (Token Ring >20 belong 7 (ARCNET >20 belong 8 (SLIP >20 belong 9 (PPP >20 belong 10 (FDDI >20 belong 11 (RFC 1483 ATM >20 belong 12 (raw IP >20 belong 13 (BSD/OS SLIP >20 belong 14 (BSD/OS PPP >16 belong x \b, capture length %d) 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian) >4 leshort x - version %d >6 leshort x \b.%d >20 lelong 0 (No link-layer encapsulation >20 lelong 1 (Ethernet >20 lelong 2 (3Mb Ethernet >20 lelong 3 (AX.25 >20 lelong 4 (ProNET >20 lelong 5 (CHAOS >20 lelong 6 (Token Ring >20 lelong 7 (ARCNET >20 lelong 8 (SLIP >20 lelong 9 (PPP >20 lelong 10 (FDDI >20 lelong 11 (RFC 1483 ATM >20 lelong 12 (raw IP >20 lelong 13 (BSD/OS SLIP >20 lelong 14 (BSD/OS PPP >16 lelong x \b, capture length %d) # # "pcap-ng" capture files. # http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html # Pcap-ng files can contain multiple sections. Printing the endianness, # snaplen, or other information from the first SHB may be misleading. # 0 ubelong 0x0a0d0d0a >8 ubelong 0x1a2b3c4d pcap-ng capture file >>12 beshort x - version %d >>14 beshort x \b.%d 0 ulelong 0x0a0d0d0a >8 ulelong 0x1a2b3c4d pcap-ng capture file >>12 leshort x - version %d >>14 leshort x \b.%d # # AIX "iptrace" capture files. # 0 string iptrace\ 1.0 "iptrace" capture file 0 string iptrace\ 2.0 "iptrace" capture file # # Novell LANalyzer capture files. # 0 leshort 0x1001 LANalyzer capture file 0 leshort 0x1007 LANalyzer capture file # # HP-UX "nettl" capture files. # 0 string \x54\x52\x00\x64\x00 "nettl" capture file # # RADCOM WAN/LAN Analyzer capture files. # 0 string \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file # # NetStumbler log files. Not really packets, per se, but about as # close as you can get. These are log files from NetStumbler, a # Windows program, that scans for 802.11b networks. # 0 string NetS NetStumbler log file >8 lelong x \b, %d stations found # # EtherPeek/AiroPeek "version 9" capture files. # 0 string \177ver EtherPeek/AiroPeek capture file # # Visual Networks traffic capture files. # 0 string \x05VNF Visual Networks traffic capture file # # Network Instruments Observer capture files. # 0 string ObserverPktBuffe Network Instruments Observer capture file # # Files from Accellent Group's 5View products. # 0 string \xaa\xaa\xaa\xaa 5View capture file #------------------------------------------------------------------------------ # $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ # softquad: file(1) magic for SoftQuad Publishing Software # # Author/Editor and RulesBuilder # # XXX - byte order? # 0 string \<!SQ\ DTD> Compiled SGML rules file >9 string >\0 Type %s 0 string \<!SQ\ A/E> A/E SGML Document binary >9 string >\0 Type %s 0 string \<!SQ\ STS> A/E SGML binary styles file >9 string >\0 Type %s 0 short 0xc0de Compiled PSI (v1) data 0 short 0xc0da Compiled PSI (v2) data >3 string >\0 (%s) # Binary sqtroff font/desc files... 0 short 0125252 SoftQuad DESC or font file binary >2 short >0 - version %d # Bitmaps... 0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text #0 string SQ\ BITMAP2 SoftQuad Raster Format data # sqtroff intermediate language (replacement for ditroff int. lang.) 0 string X\ SoftQuad troff Context intermediate >2 string 495 for AT&T 495 laser printer >2 string hp for Hewlett-Packard LaserJet >2 string impr for IMAGEN imPRESS >2 string ps for PostScript # From: Michael Piefel <piefel@debian.org> # sqtroff intermediate language (replacement for ditroff int. lang.) 0 string X\ 495 SoftQuad troff Context intermediate for AT&T 495 laser printer 0 string X\ hp SoftQuad troff Context intermediate for HP LaserJet 0 string X\ impr SoftQuad troff Context intermediate for IMAGEN imPRESS 0 string X\ ps SoftQuad troff Context intermediate for PostScript #------------------------------------------------------------------------------ # $File: spec,v 1.4 2009/09/19 16:28:12 christos Exp $ # spec: file(1) magic for SPEC raw results (*.raw, *.rsf) # # Cloyce D. Spradling <cloyce@headgear.org> 0 string spec SPEC >4 string .cpu CPU >>8 string <: \b%.4s >>12 string . raw result text 17 string version=SPECjbb SPECjbb >32 string <: \b%.4s >>37 string <: v%.4s raw result text 0 string BEGIN\040SPECWEB SPECweb >13 string <: \b%.2s >>15 string _SSL \b_SSL >>>20 string <: v%.4s raw result text >>16 string <: v%.4s raw result text #------------------------------------------------------------------------------ # $File: spectrum,v 1.7 2010/09/20 18:55:20 rrt Exp $ # spectrum: file(1) magic for Spectrum emulator files. # # John Elliott <jce@seasip.demon.co.uk> # # Spectrum +3DOS header # 0 string PLUS3DOS\032 Spectrum +3 data >15 byte 0 - BASIC program >15 byte 1 - number array >15 byte 2 - character array >15 byte 3 - memory block >>16 belong 0x001B0040 (screen) >15 byte 4 - Tasword document >15 string TAPEFILE - ZXT tapefile # # Tape file. This assumes the .TAP starts with a Spectrum-format header, # which nearly all will. # # Update: Sanity-check string contents to be printable. # -Adam Buchbinder <adam.buchbinder@gmail.com> # 0 string \023\000\000 >4 string >\0 >>4 string <\177 Spectrum .TAP data "%-10.10s" >>>3 byte 0 - BASIC program >>>3 byte 1 - number array >>>3 byte 2 - character array >>>3 byte 3 - memory block >>>>14 belong 0x001B0040 (screen) # The following three blocks are from pak21-spectrum@srcf.ucam.org # TZX tape images 0 string ZXTape!\x1a Spectrum .TZX data >8 byte x version %d >9 byte x \b.%d # RZX input recording files 0 string RZX! Spectrum .RZX data >4 byte x version %d >5 byte x \b.%d # Floppy disk images 0 string MV\ -\ CPCEMU\ Disk-Fil Amstrad/Spectrum .DSK data 0 string MV\ -\ CPC\ format\ Dis Amstrad/Spectrum DU54 .DSK data 0 string EXTENDED\ CPC\ DSK\ Fil Amstrad/Spectrum Extended .DSK data 0 string SINCLAIR Spectrum .SCL Betadisk image # Hard disk images 0 string RS-IDE\x1a Spectrum .HDF hard disk image >7 byte x \b, version 0x%02x #------------------------------------------------------------------------------ # $File: sql,v 1.6 2009/09/19 16:28:12 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" <mleisner@eng.mc.xerox.com> # Recognize some MySQL files. # 0 beshort 0xfe01 MySQL table definition file >2 byte x Version %d 0 belong&0xffffff00 0xfefe0300 MySQL MISAM index file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0700 MySQL MISAM compressed data file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0500 MySQL ISAM index file >3 byte x Version %d 0 belong&0xffffff00 0xfefe0600 MySQL ISAM compressed data file >3 byte x Version %d 0 string \376bin MySQL replication log #------------------------------------------------------------------------------ # iRiver H Series database file # From Ken Guest <ken@linux.ie> # As observed from iRivNavi.iDB and unencoded firmware # 0 string iRivDB iRiver Database file >11 string >\0 Version %s >39 string iHP-100 [H Series] #------------------------------------------------------------------------------ # SQLite database files # Ken Guest <ken@linux.ie>, Ty Sarna, Zack Weinberg # # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # # Version 2 used this format: 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database # Version 3 of SQLite allows applications to embed their own "user version" # number in the database. Detect this and distinguish those files. 0 string SQLite\ format\ 3 >60 string _MTN Monotone source repository >60 belong !0 SQLite 3.x database, user version %u >60 belong 0 SQLite 3.x database # Type: OpenSSH key files # From: Nicolas Collignon <tsointsoin@gmail.com> 0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, >28 string >\0 version %s 0 string ssh-dss\ OpenSSH DSA public key 0 string ssh-rsa\ OpenSSH RSA public key # Type: OpenSSL certificates/key files # From: Nicolas Collignon <tsointsoin@gmail.com> 0 string -----BEGIN\ CERTIFICATE----- PEM certificate 0 string -----BEGIN\ CERTIFICATE\ REQ PEM certificate request 0 string -----BEGIN\ RSA\ PRIVATE PEM RSA private key 0 string -----BEGIN\ DSA\ PRIVATE PEM DSA private key #------------------------------------------------------------------------------ # $File: sun,v 1.22 2011/02/10 01:52:51 christos Exp $ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x # releases. (5.x uses ELF.) # 0 belong&077777777 0600413 sparc demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0600410 sparc pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0600407 sparc >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0400413 mc68020 demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0400410 mc68020 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0400407 mc68020 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0200413 mc68010 demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0200410 mc68010 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0200407 mc68010 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped # reworked these to avoid anything beginning with zero becoming "old sun-2" 0 belong 0407 old sun-2 executable >16 belong >0 not stripped 0 belong 0410 old sun-2 pure executable >16 belong >0 not stripped 0 belong 0413 old sun-2 demand paged executable >16 belong >0 not stripped # # Core files. "SPARC 4.x BCP" means "core file from a SunOS 4.x SPARC # binary executed in compatibility mode under SunOS 5.x". # 0 belong 0x080456 SunOS core file >4 belong 432 (SPARC) >>132 string >\0 from '%s' >>116 belong =3 (quit) >>116 belong =4 (illegal instruction) >>116 belong =5 (trace trap) >>116 belong =6 (abort) >>116 belong =7 (emulator trap) >>116 belong =8 (arithmetic exception) >>116 belong =9 (kill) >>116 belong =10 (bus error) >>116 belong =11 (segmentation violation) >>116 belong =12 (bad argument to system call) >>116 belong =29 (resource lost) >>120 belong x (T=%dK, >>124 belong x D=%dK, >>128 belong x S=%dK) >4 belong 826 (68K) >>128 string >\0 from '%s' >4 belong 456 (SPARC 4.x BCP) >>152 string >\0 from '%s' # Sun SunPC 0 long 0xfa33c08e SunPC 4.0 Hard Disk 0 string #SUNPC_CONFIG SunPC 4.0 Properties Values # Sun snoop (see RFC 1761, which describes the capture file format). # 0 string snoop Snoop capture file >8 belong >0 - version %ld >12 belong 0 (IEEE 802.3) >12 belong 1 (IEEE 802.4) >12 belong 2 (IEEE 802.5) >12 belong 3 (IEEE 802.6) >12 belong 4 (Ethernet) >12 belong 5 (HDLC) >12 belong 6 (Character synchronous) >12 belong 7 (IBM channel-to-channel adapter) >12 belong 8 (FDDI) >12 belong 9 (Unknown) # Microsoft ICM color profile 36 string acspMSFT Microsoft ICM Color Profile !:mime application/vnd.iccprofile # Sun KCMS 36 string acsp Kodak Color Management System, ICC Profile !:mime application/vnd.iccprofile #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie <duncan@sun.com> (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion. # Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged COBALT boot rom >38 string x V%.4s # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string CRfs COBALT boot rom data (Flat boot rom or file system) #------------------------------------------------------------------------ # $File: sysex,v 1.6 2009/09/19 16:28:12 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # 0 byte 0xF0 SysEx File - # North American Group >1 byte 0x01 Sequential >1 byte 0x02 IDP >1 byte 0x03 OctavePlateau >1 byte 0x04 Moog >1 byte 0x05 Passport >1 byte 0x06 Lexicon >1 byte 0x07 Kurzweil/Future Retro >>3 byte 0x77 777 >>4 byte 0x00 Bank >>4 byte 0x01 Song >>5 byte 0x0f 16 >>5 byte 0x0e 15 >>5 byte 0x0d 14 >>5 byte 0x0c 13 >>5 byte 0x0b 12 >>5 byte 0x0a 11 >>5 byte 0x09 10 >>5 byte 0x08 9 >>5 byte 0x07 8 >>5 byte 0x06 7 >>5 byte 0x05 6 >>5 byte 0x04 5 >>5 byte 0x03 4 >>5 byte 0x02 3 >>5 byte 0x01 2 >>5 byte 0x00 1 >>5 byte 0x10 (ALL) >>2 byte x \b, Channel %d >1 byte 0x08 Fender >1 byte 0x09 Gulbransen >1 byte 0x0a AKG >1 byte 0x0b Voyce >1 byte 0x0c Waveframe >1 byte 0x0d ADA >1 byte 0x0e Garfield >1 byte 0x0f Ensoniq >1 byte 0x10 Oberheim >>2 byte 0x06 Matrix 6 series >>3 byte 0x0A Dump (All) >>3 byte 0x01 Dump (Bank) >>4 belong 0x0002040E Matrix 1000 >>>11 byte <2 User bank %d >>>11 byte >1 Preset bank %d >1 byte 0x11 Apple >1 byte 0x12 GreyMatter >1 byte 0x14 PalmTree >1 byte 0x15 JLCooper >1 byte 0x16 Lowrey >1 byte 0x17 AdamsSmith >1 byte 0x18 E-mu >1 byte 0x19 Harmony >1 byte 0x1a ART >1 byte 0x1b Baldwin >1 byte 0x1c Eventide >1 byte 0x1d Inventronics >1 byte 0x1f Clarity # European Group >1 byte 0x21 SIEL >1 byte 0x22 Synthaxe >1 byte 0x24 Hohner >1 byte 0x25 Twister >1 byte 0x26 Solton >1 byte 0x27 Jellinghaus >1 byte 0x28 Southworth >1 byte 0x29 PPG >1 byte 0x2a JEN >1 byte 0x2b SSL >1 byte 0x2c AudioVertrieb >1 byte 0x2f ELKA >>3 byte 0x09 EK-44 >1 byte 0x30 Dynacord >1 byte 0x31 Jomox >1 byte 0x33 Clavia >1 byte 0x39 Soundcraft # Some Waldorf info from http://Stromeko.Synth.net/Downloads#WaldorfDocs >1 byte 0x3e Waldorf >>2 byte 0x00 microWave >>2 byte 0x0E microwave2 / XT >>2 byte 0x0F Q / Q+ >>3 byte =0 (default id) >>3 byte >0 ( >>>3 byte <0x7F \bdevice %d) >>>3 byte =0x7F \bbroadcast id) >>3 byte 0x7f Microwave I >>>4 byte 0x00 SNDR (Sound Request) >>>4 byte 0x10 SNDD (Sound Dump) >>>4 byte 0x20 SNDP (Sound Parameter Change) >>>4 byte 0x30 SNDQ (Sound Parameter Inquiry) >>>4 byte 0x70 BOOT (Sound Reserved) >>>4 byte 0x01 MULR (Multi Request) >>>4 byte 0x11 MULD (Multi Dump) >>>4 byte 0x21 MULP (Multi Parameter Change) >>>4 byte 0x31 MULQ (Multi Parameter Inquiry) >>>4 byte 0x71 OS (Multi Reserved) >>>4 byte 0x02 DRMR (Drum Map Request) >>>4 byte 0x12 DRMD (Drum Map Dump) >>>4 byte 0x22 DRMP (Drum Map Parameter Change) >>>4 byte 0x32 DRMQ (Drum Map Parameter Inquiry) >>>4 byte 0x72 BIN (Drum Map Reserved) >>>4 byte 0x03 PATR (Sequencer Pattern Request) >>>4 byte 0x13 PATD (Sequencer Pattern Dump) >>>4 byte 0x23 PATP (Sequencer Pattern Parameter Change) >>>4 byte 0x33 PATQ (Sequencer Pattern Parameter Inquiry) >>>4 byte 0x73 AFM (Sequencer Pattern Reserved) >>>4 byte 0x04 GLBR (Global Parameter Request) >>>4 byte 0x14 GLBD (Global Parameter Dump) >>>4 byte 0x24 GLBP (Global Parameter Parameter Change) >>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) >>>4 byte 0x07 MODR (Mode Parameter Request) >>>4 byte 0x17 MODD (Mode Parameter Dump) >>>4 byte 0x27 MODP (Mode Parameter Parameter Change) >>>4 byte 0x37 MODQ (Mode Parameter Parameter Inquiry) >>2 byte 0x10 microQ >>>4 byte 0x00 SNDR (Sound Request) >>>4 byte 0x10 SNDD (Sound Dump) >>>4 byte 0x20 SNDP (Sound Parameter Change) >>>4 byte 0x30 SNDQ (Sound Parameter Inquiry) >>>4 byte 0x70 (Sound Reserved) >>>4 byte 0x01 MULR (Multi Request) >>>4 byte 0x11 MULD (Multi Dump) >>>4 byte 0x21 MULP (Multi Parameter Change) >>>4 byte 0x31 MULQ (Multi Parameter Inquiry) >>>4 byte 0x71 OS (Multi Reserved) >>>4 byte 0x02 DRMR (Drum Map Request) >>>4 byte 0x12 DRMD (Drum Map Dump) >>>4 byte 0x22 DRMP (Drum Map Parameter Change) >>>4 byte 0x32 DRMQ (Drum Map Parameter Inquiry) >>>4 byte 0x72 BIN (Drum Map Reserved) >>>4 byte 0x04 GLBR (Global Parameter Request) >>>4 byte 0x14 GLBD (Global Parameter Dump) >>>4 byte 0x24 GLBP (Global Parameter Parameter Change) >>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) >>2 byte 0x11 rackAttack >>>4 byte 0x00 SNDR (Sound Parameter Request) >>>4 byte 0x10 SNDD (Sound Parameter Dump) >>>4 byte 0x20 SNDP (Sound Parameter Parameter Change) >>>4 byte 0x30 SNDQ (Sound Parameter Parameter Inquiry) >>>4 byte 0x01 PRGR (Program Parameter Request) >>>4 byte 0x11 PRGD (Program Parameter Dump) >>>4 byte 0x21 PRGP (Program Parameter Parameter Change) >>>4 byte 0x31 PRGQ (Program Parameter Parameter Inquiry) >>>4 byte 0x71 OS (Program Parameter Reserved) >>>4 byte 0x03 PATR (Pattern Parameter Request) >>>4 byte 0x13 PATD (Pattern Parameter Dump) >>>4 byte 0x23 PATP (Pattern Parameter Parameter Change) >>>4 byte 0x33 PATQ (Pattern Parameter Parameter Inquiry) >>>4 byte 0x04 GLBR (Global Parameter Request) >>>4 byte 0x14 GLBD (Global Parameter Dump) >>>4 byte 0x24 GLBP (Global Parameter Parameter Change) >>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) >>>4 byte 0x05 EFXR (FX Parameter Request) >>>4 byte 0x15 EFXD (FX Parameter Dump) >>>4 byte 0x25 EFXP (FX Parameter Parameter Change) >>>4 byte 0x35 EFXQ (FX Parameter Parameter Inquiry) >>>4 byte 0x07 MODR (Mode Command Request) >>>4 byte 0x17 MODD (Mode Command Dump) >>>4 byte 0x27 MODP (Mode Command Parameter Change) >>>4 byte 0x37 MODQ (Mode Command Parameter Inquiry) >>2 byte 0x03 Wave >>>4 byte 0x00 SBPR (Soundprogram) >>>4 byte 0x01 SAPR (Performance) >>>4 byte 0x02 SWAVE (Wave) >>>4 byte 0x03 SWTBL (Wave control table) >>>4 byte 0x04 SVT (Velocity Curve) >>>4 byte 0x05 STT (Tuning Table) >>>4 byte 0x06 SGLB (Global Parameters) >>>4 byte 0x07 SARRMAP (Performance Program Change Map) >>>4 byte 0x08 SBPRMAP (Sound Program Change Map) >>>4 byte 0x09 SBPRPAR (Sound Parameter) >>>4 byte 0x0A SARRPAR (Performance Parameter) >>>4 byte 0x0B SINSPAR (Instrument/External Parameter) >>>4 byte 0x0F SBULK (Bulk Switch on/off) # Japanese Group >1 byte 0x40 Kawai >>3 byte 0x20 K1 >>3 byte 0x22 K4 >1 byte 0x41 Roland >>3 byte 0x14 D-50 >>3 byte 0x2b U-220 >>3 byte 0x02 TR-707 >1 byte 0x42 Korg >>3 byte 0x19 M1 >1 byte 0x43 Yamaha >1 byte 0x44 Casio >1 byte 0x46 Kamiya >1 byte 0x47 Akai >1 byte 0x48 Victor >1 byte 0x49 Mesosha >1 byte 0x4b Fujitsu >1 byte 0x4c Sony >1 byte 0x4e Teac >1 byte 0x50 Matsushita >1 byte 0x51 Fostex >1 byte 0x52 Zoom >1 byte 0x54 Matsushita >1 byte 0x57 Acoustic tech. lab. >1 belong&0xffffff00 0x00007400 Ta Horng >1 belong&0xffffff00 0x00007500 e-Tek >1 belong&0xffffff00 0x00007600 E-Voice >1 belong&0xffffff00 0x00007700 Midisoft >1 belong&0xffffff00 0x00007800 Q-Sound >1 belong&0xffffff00 0x00007900 Westrex >1 belong&0xffffff00 0x00007a00 Nvidia* >1 belong&0xffffff00 0x00007b00 ESS >1 belong&0xffffff00 0x00007c00 Mediatrix >1 belong&0xffffff00 0x00007d00 Brooktree >1 belong&0xffffff00 0x00007e00 Otari >1 belong&0xffffff00 0x00007f00 Key Electronics >1 belong&0xffffff00 0x00010000 Shure >1 belong&0xffffff00 0x00010100 AuraSound >1 belong&0xffffff00 0x00010200 Crystal >1 belong&0xffffff00 0x00010300 Rockwell >1 belong&0xffffff00 0x00010400 Silicon Graphics >1 belong&0xffffff00 0x00010500 Midiman >1 belong&0xffffff00 0x00010600 PreSonus >1 belong&0xffffff00 0x00010800 Topaz >1 belong&0xffffff00 0x00010900 Cast Lightning >1 belong&0xffffff00 0x00010a00 Microsoft >1 belong&0xffffff00 0x00010b00 Sonic Foundry >1 belong&0xffffff00 0x00010c00 Line 6 >1 belong&0xffffff00 0x00010d00 Beatnik Inc. >1 belong&0xffffff00 0x00010e00 Van Koerving >1 belong&0xffffff00 0x00010f00 Altech Systems >1 belong&0xffffff00 0x00011000 S & S Research >1 belong&0xffffff00 0x00011100 VLSI Technology >1 belong&0xffffff00 0x00011200 Chromatic >1 belong&0xffffff00 0x00011300 Sapphire >1 belong&0xffffff00 0x00011400 IDRC >1 belong&0xffffff00 0x00011500 Justonic Tuning >1 belong&0xffffff00 0x00011600 TorComp >1 belong&0xffffff00 0x00011700 Newtek Inc. >1 belong&0xffffff00 0x00011800 Sound Sculpture >1 belong&0xffffff00 0x00011900 Walker Technical >1 belong&0xffffff00 0x00011a00 Digital Harmony >1 belong&0xffffff00 0x00011b00 InVision >1 belong&0xffffff00 0x00011c00 T-Square >1 belong&0xffffff00 0x00011d00 Nemesys >1 belong&0xffffff00 0x00011e00 DBX >1 belong&0xffffff00 0x00011f00 Syndyne >1 belong&0xffffff00 0x00012000 Bitheadz >1 belong&0xffffff00 0x00012100 Cakewalk >1 belong&0xffffff00 0x00012200 Staccato >1 belong&0xffffff00 0x00012300 National Semicon. >1 belong&0xffffff00 0x00012400 Boom Theory >1 belong&0xffffff00 0x00012500 Virtual DSP Corp >1 belong&0xffffff00 0x00012600 Antares >1 belong&0xffffff00 0x00012700 Angel Software >1 belong&0xffffff00 0x00012800 St Louis Music >1 belong&0xffffff00 0x00012900 Lyrrus dba G-VOX >1 belong&0xffffff00 0x00012a00 Ashley Audio >1 belong&0xffffff00 0x00012b00 Vari-Lite >1 belong&0xffffff00 0x00012c00 Summit Audio >1 belong&0xffffff00 0x00012d00 Aureal Semicon. >1 belong&0xffffff00 0x00012e00 SeaSound >1 belong&0xffffff00 0x00012f00 U.S. Robotics >1 belong&0xffffff00 0x00013000 Aurisis >1 belong&0xffffff00 0x00013100 Nearfield Multimedia >1 belong&0xffffff00 0x00013200 FM7 Inc. >1 belong&0xffffff00 0x00013300 Swivel Systems >1 belong&0xffffff00 0x00013400 Hyperactive >1 belong&0xffffff00 0x00013500 MidiLite >1 belong&0xffffff00 0x00013600 Radical >1 belong&0xffffff00 0x00013700 Roger Linn >1 belong&0xffffff00 0x00013800 Helicon >1 belong&0xffffff00 0x00013900 Event >1 belong&0xffffff00 0x00013a00 Sonic Network >1 belong&0xffffff00 0x00013b00 Realtime Music >1 belong&0xffffff00 0x00013c00 Apogee Digital >1 belong&0xffffff00 0x00202b00 Medeli Electronics >1 belong&0xffffff00 0x00202c00 Charlie Lab >1 belong&0xffffff00 0x00202d00 Blue Chip Music >1 belong&0xffffff00 0x00202e00 BEE OH Corp >1 belong&0xffffff00 0x00202f00 LG Semicon America >1 belong&0xffffff00 0x00203000 TESI >1 belong&0xffffff00 0x00203100 EMAGIC >1 belong&0xffffff00 0x00203200 Behringer >1 belong&0xffffff00 0x00203300 Access Music >1 belong&0xffffff00 0x00203400 Synoptic >1 belong&0xffffff00 0x00203500 Hanmesoft Corp >1 belong&0xffffff00 0x00203600 Terratec >1 belong&0xffffff00 0x00203700 Proel SpA >1 belong&0xffffff00 0x00203800 IBK MIDI >1 belong&0xffffff00 0x00203900 IRCAM >1 belong&0xffffff00 0x00203a00 Propellerhead Software >1 belong&0xffffff00 0x00203b00 Red Sound Systems >1 belong&0xffffff00 0x00203c00 Electron ESI AB >1 belong&0xffffff00 0x00203d00 Sintefex Audio >1 belong&0xffffff00 0x00203e00 Music and More >1 belong&0xffffff00 0x00203f00 Amsaro >1 belong&0xffffff00 0x00204000 CDS Advanced Technology >1 belong&0xffffff00 0x00204100 Touched by Sound >1 belong&0xffffff00 0x00204200 DSP Arts >1 belong&0xffffff00 0x00204300 Phil Rees Music >1 belong&0xffffff00 0x00204400 Stamer Musikanlagen GmbH >1 belong&0xffffff00 0x00204500 Soundart >1 belong&0xffffff00 0x00204600 C-Mexx Software >1 belong&0xffffff00 0x00204700 Klavis Tech. >1 belong&0xffffff00 0x00204800 Noteheads AB 0 string T707 Roland TR-707 Data #------------------------------------------------------------------------------ # file: file(1) magic for Tcl scripting language # URL: http://www.tcl.tk/ # From: gustaf neumann # Tcl scripts 0 search/1/w #!\ /usr/bin/tcl Tcl script text executable !:mime text/x-lua 0 search/1/w #!\ /usr/local/bin/tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!\ /usr/bin/env\ tcl Tcl script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/bin/wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/local/bin/wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1 #!\ /usr/bin/env\ wish Tcl/Tk script text executable !:mime text/x-tcl # check the first line 0 search/1 package\ req >0 regex \^package[\ \t]+req Tcl script # not 'p', check other lines 0 search/1 !p >0 regex \^package[\ \t]+req Tcl script #------------------------------------------------------------------------------ # $File: teapot,v 1.4 2009/09/19 16:28:12 christos Exp $ # teapot: file(1) magic for "teapot" spreadsheet # 0 string #!teapot\012xdr teapot work sheet (XDR format) #------------------------------------------------------------------------------ # $File: terminfo,v 1.6 2009/09/19 16:28:12 christos Exp $ # terminfo: file(1) magic for terminfo # # XXX - byte order for screen images? # 0 string \032\001 Compiled terminfo entry 0 short 0433 Curses screen image 0 short 0434 Curses screen image #------------------------------------------------------------------------------ # $File: tex,v 1.18 2011/02/08 13:45:15 christos Exp $ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) # # From <conklin@talisman.kaleida.com> # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] 0 string \367\002 TeX DVI file !:mime application/x-dvi >16 string >\0 (%s) 0 string \367\203 TeX generic font data 0 string \367\131 TeX packed font data >3 string >\0 (%s) 0 string \367\312 TeX virtual font data 0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text # There is no way to detect TeX Font Metric (*.tfm) files without # breaking them apart and reading the data. The following patterns # match most *.tfm files generated by METAFONT or afm2tfm. 2 string \000\021 TeX font metric data !:mime application/x-tex-tfm >33 string >\0 (%s) 2 string \000\022 TeX font metric data !:mime application/x-tex-tfm >33 string >\0 (%s) # Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 \\input\ texinfo Texinfo source text !:mime text/x-texinfo 0 search/1 This\ is\ Info\ file GNU Info text !:mime text/x-info # TeX documents, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/4096 \\input TeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\section LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\setlength LaTeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\documentstyle LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\chapter LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\documentclass LaTeX 2e document text !:mime text/x-tex !:strength + 15 0 search/4096 \\relax LaTeX auxiliary file !:mime text/x-tex !:strength + 15 0 search/4096 \\contentsline LaTeX table of contents !:mime text/x-tex !:strength + 15 0 search/4096 %\ -*-latex-*- LaTeX document text !:mime text/x-tex # Tex document, from Hendrik Scholz <hendrik@scholz.net> 0 search/1 \\ifx TeX document text # Index and glossary files 0 search/4096 \\indexentry LaTeX raw index file 0 search/4096 \\begin{theindex} LaTeX sorted index 0 search/4096 \\glossaryentry LaTeX raw glossary 0 search/4096 \\begin{theglossary} LaTeX sorted glossary 0 search/4096 This\ is\ makeindex Makeindex log file # End of TeX #------------------------------------------------------------------------------ # file(1) magic for BibTex text files # From Hendrik Scholz <hendrik@scholz.net> 0 search/1/c @article{ BibTeX text file 0 search/1/c @book{ BibTeX text file 0 search/1/c @inbook{ BibTeX text file 0 search/1/c @incollection{ BibTeX text file 0 search/1/c @inproceedings{ BibTeX text file 0 search/1/c @manual{ BibTeX text file 0 search/1/c @misc{ BibTeX text file 0 search/1/c @preamble{ BibTeX text file 0 search/1/c @phdthesis{ BibTeX text file 0 search/1/c @techreport{ BibTeX text file 0 search/1/c @unpublished{ BibTeX text file 73 search/1 %%%\ \ BibTeX-file{ BibTex text file (with full header) 73 search/1 %%%\ \ @BibTeX-style-file{ BibTeX style text file (with full header) 0 search/1 %\ BibTeX\ standard\ bibliography\ BibTeX standard bibliography style text file 0 search/1 %\ BibTeX\ ` BibTeX custom bibliography style text file 0 search/1 @c\ @mapfile{ TeX font aliases text file 0 string #LyX LyX document text #------------------------------------------------------------------------------ # $File: tgif,v 1.7 2010/09/20 19:03:46 rrt Exp $ # file(1) magic for tgif(1) files # From Hendrik Scholz <hendrik@scholz.net> 0 string %TGIF\ Tgif file version >6 string x %s #------------------------------------------------------------------------------ # $File: ti-8x,v 1.6 2009/09/19 16:28:12 christos Exp $ # ti-8x: file(1) magic for the TI-8x and TI-9x Graphing Calculators. # # From: Ryan McGuire (rmcguire@freenet.columbus.oh.us). # # Update: Romain Lievin (roms@lpg.ticalc.org). # # NOTE: This list is not complete. # Files for the TI-80 and TI-81 are pretty rare. I'm not going to put the # program/group magic numbers in here because I cannot find any. 0 string **TI80** TI-80 Graphing Calculator File. 0 string **TI81** TI-81 Graphing Calculator File. # # Magic Numbers for the TI-73 # 0 string **TI73** TI-73 Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (equation) >0x00003B byte 0x04 (string) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (assembly program) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0C (complex number) >0x00003B byte 0x0F (window settings) >0x00003B byte 0x10 (zoom) >0x00003B byte 0x11 (table setup) >0x00003B byte 0x13 (backup) # Magic Numbers for the TI-82 # 0 string **TI82** TI-82 Graphing Calculator >0x00003B byte 0x00 (real) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (Y-variable) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (protected prgm) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0B (window settings) >0x00003B byte 0x0C (window settings) >0x00003B byte 0x0D (table setup) >0x00003B byte 0x0E (screenshot) >0x00003B byte 0x0F (backup) # # Magic Numbers for the TI-83 # 0 string **TI83** TI-83 Graphing Calculator >0x00003B byte 0x00 (real) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (Y-variable) >0x00003B byte 0x04 (string) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (protected prgm) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0B (window settings) >0x00003B byte 0x0C (window settings) >0x00003B byte 0x0D (table setup) >0x00003B byte 0x0E (screenshot) >0x00003B byte 0x13 (backup) # # Magic Numbers for the TI-83+ # 0 string **TI83F* TI-83+ Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (equation) >0x00003B byte 0x04 (string) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (assembly program) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0C (complex number) >0x00003B byte 0x0F (window settings) >0x00003B byte 0x10 (zoom) >0x00003B byte 0x11 (table setup) >0x00003B byte 0x13 (backup) >0x00003B byte 0x15 (application variable) >0x00003B byte 0x17 (group of variable) # # Magic Numbers for the TI-85 # 0 string **TI85** TI-85 Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (complex number) >0x00003B byte 0x02 (real vector) >0x00003B byte 0x03 (complex vector) >0x00003B byte 0x04 (real list) >0x00003B byte 0x05 (complex list) >0x00003B byte 0x06 (real matrix) >0x00003B byte 0x07 (complex matrix) >0x00003B byte 0x08 (real constant) >0x00003B byte 0x09 (complex constant) >0x00003B byte 0x0A (equation) >0x00003B byte 0x0C (string) >0x00003B byte 0x0D (function GDB) >0x00003B byte 0x0E (polar GDB) >0x00003B byte 0x0F (parametric GDB) >0x00003B byte 0x10 (diffeq GDB) >0x00003B byte 0x11 (picture) >0x00003B byte 0x12 (program) >0x00003B byte 0x13 (range) >0x00003B byte 0x17 (window settings) >0x00003B byte 0x18 (window settings) >0x00003B byte 0x19 (window settings) >0x00003B byte 0x1A (window settings) >0x00003B byte 0x1B (zoom) >0x00003B byte 0x1D (backup) >0x00003B byte 0x1E (unknown) >0x00003B byte 0x2A (equation) >0x000032 string ZS4 - ZShell Version 4 File. >0x000032 string ZS3 - ZShell Version 3 File. # # Magic Numbers for the TI-86 # 0 string **TI86** TI-86 Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (complex number) >0x00003B byte 0x02 (real vector) >0x00003B byte 0x03 (complex vector) >0x00003B byte 0x04 (real list) >0x00003B byte 0x05 (complex list) >0x00003B byte 0x06 (real matrix) >0x00003B byte 0x07 (complex matrix) >0x00003B byte 0x08 (real constant) >0x00003B byte 0x09 (complex constant) >0x00003B byte 0x0A (equation) >0x00003B byte 0x0C (string) >0x00003B byte 0x0D (function GDB) >0x00003B byte 0x0E (polar GDB) >0x00003B byte 0x0F (parametric GDB) >0x00003B byte 0x10 (diffeq GDB) >0x00003B byte 0x11 (picture) >0x00003B byte 0x12 (program) >0x00003B byte 0x13 (range) >0x00003B byte 0x17 (window settings) >0x00003B byte 0x18 (window settings) >0x00003B byte 0x19 (window settings) >0x00003B byte 0x1A (window settings) >0x00003B byte 0x1B (zoom) >0x00003B byte 0x1D (backup) >0x00003B byte 0x1E (unknown) >0x00003B byte 0x2A (equation) # # Magic Numbers for the TI-89 # 0 string **TI89** TI-89 Graphing Calculator >0x000048 byte 0x00 (expression) >0x000048 byte 0x04 (list) >0x000048 byte 0x06 (matrix) >0x000048 byte 0x0A (data) >0x000048 byte 0x0B (text) >0x000048 byte 0x0C (string) >0x000048 byte 0x0D (graphic data base) >0x000048 byte 0x0E (figure) >0x000048 byte 0x10 (picture) >0x000048 byte 0x12 (program) >0x000048 byte 0x13 (function) >0x000048 byte 0x14 (macro) >0x000048 byte 0x1C (zipped) >0x000048 byte 0x21 (assembler) # # Magic Numbers for the TI-92 # 0 string **TI92** TI-92 Graphing Calculator >0x000048 byte 0x00 (expression) >0x000048 byte 0x04 (list) >0x000048 byte 0x06 (matrix) >0x000048 byte 0x0A (data) >0x000048 byte 0x0B (text) >0x000048 byte 0x0C (string) >0x000048 byte 0x0D (graphic data base) >0x000048 byte 0x0E (figure) >0x000048 byte 0x10 (picture) >0x000048 byte 0x12 (program) >0x000048 byte 0x13 (function) >0x000048 byte 0x14 (macro) >0x000048 byte 0x1D (backup) # # Magic Numbers for the TI-92+/V200 # 0 string **TI92P* TI-92+/V200 Graphing Calculator >0x000048 byte 0x00 (expression) >0x000048 byte 0x04 (list) >0x000048 byte 0x06 (matrix) >0x000048 byte 0x0A (data) >0x000048 byte 0x0B (text) >0x000048 byte 0x0C (string) >0x000048 byte 0x0D (graphic data base) >0x000048 byte 0x0E (figure) >0x000048 byte 0x10 (picture) >0x000048 byte 0x12 (program) >0x000048 byte 0x13 (function) >0x000048 byte 0x14 (macro) >0x000048 byte 0x1C (zipped) >0x000048 byte 0x21 (assembler) # # Magic Numbers for the TI-73/83+/89/92+/V200 FLASH upgrades # 0x0000016 string Advanced TI-XX Graphing Calculator (FLASH) 0 string **TIFL** TI-XX Graphing Calculator (FLASH) >8 byte >0 - Revision %d >>9 byte x \b.%d, >12 byte >0 Revision date %02x >>13 byte x \b/%02x >>14 beshort x \b/%04x, >17 string >/0 name: '%s', >48 byte 0x74 device: TI-73, >48 byte 0x73 device: TI-83+, >48 byte 0x98 device: TI-89, >48 byte 0x88 device: TI-92+, >49 byte 0x23 type: OS upgrade, >49 byte 0x24 type: application, >49 byte 0x25 type: certificate, >49 byte 0x3e type: license, >74 lelong >0 size: %ld bytes # VTi & TiEmu skins (TI Graphing Calculators). # From: Romain Lievin (roms@lpg.ticalc.org). # Magic Numbers for the VTi skins 0 string VTI Virtual TI skin >3 string v - Version >>4 byte >0 \b %c >>6 byte x \b.%c # Magic Numbers for the TiEmu skins 0 string TiEmu TiEmu skin >6 string v - Version >>7 byte >0 \b %c >>9 byte x \b.%c >>10 byte x \b%c #------------------------------------------------------------------------------ # $File: timezone,v 1.11 2009/09/19 16:28:12 christos Exp $ # timezone: file(1) magic for timezone data # # from Daniel Quinlan (quinlan@yggdrasil.com) # this should work on Linux, SunOS, and maybe others # Added new official magic number for recent versions of the Olson code 0 string TZif timezone data >4 byte 0 \b, old version >4 byte >0 \b, version %c >20 belong 0 \b, no gmt time flags >20 belong 1 \b, 1 gmt time flag >20 belong >1 \b, %d gmt time flags >24 belong 0 \b, no std time flags >20 belong 1 \b, 1 std time flag >24 belong >1 \b, %d std time flags >28 belong 0 \b, no leap seconds >28 belong 1 \b, 1 leap second >28 belong >1 \b, %d leap seconds >32 belong 0 \b, no transition times >32 belong 1 \b, 1 transition time >32 belong >1 \b, %d transition times >36 belong 0 \b, no abbreviation chars >36 belong 1 \b, 1 abbreviation char >36 belong >1 \b, %d abbreviation chars 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 old timezone data #------------------------------------------------------------------------------ # $File: troff,v 1.10 2009/09/19 16:28:12 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) # troff input 0 search/1 .\\" troff or preprocessor input text !:mime text/troff 0 search/1 '\\" troff or preprocessor input text !:mime text/troff 0 search/1 '.\\" troff or preprocessor input text !:mime text/troff 0 search/1 \\" troff or preprocessor input text !:mime text/troff 0 search/1 ''' troff or preprocessor input text !:mime text/troff 0 regex/20 \^\\.[A-Za-z0-9][A-Za-z0-9][\ \t] troff or preprocessor input text !:mime text/troff 0 regex/20 \^\\.[A-Za-z0-9][A-Za-z0-9]$ troff or preprocessor input text !:mime text/troff # ditroff intermediate output text 0 search/1 x\ T ditroff output text >4 search/1 cat for the C/A/T phototypesetter >4 search/1 ps for PostScript >4 search/1 dvi for DVI >4 search/1 ascii for ASCII >4 search/1 lj4 for LaserJet 4 >4 search/1 latin1 for ISO 8859-1 (Latin 1) >4 search/1 X75 for xditview at 75dpi >>7 search/1 -12 (12pt) >4 search/1 X100 for xditview at 100dpi >>8 search/1 -12 (12pt) # output data formats 0 string \100\357 very old (C/A/T) troff output data #------------------------------------------------------------------------------ # $File: tuxedo,v 1.4 2009/09/19 16:28:13 christos Exp $ # tuxedo: file(1) magic for BEA TUXEDO data files # # from Ian Springer <ispringer@hotmail.com> # 0 string \0\0\1\236\0\0\0\0\0\0\0\0\0\0\0\0 BEA TUXEDO DES mask data #------------------------------------------------------------------------------ # $File: typeset,v 1.8 2009/09/19 16:28:13 christos Exp $ # typeset: file(1) magic for other typesetting # 0 string Interpress/Xerox Xerox InterPress data >16 string / (version >>17 string >\0 %s) #------------------------------------------------------------------------------ # $File: unicode,v 1.6 2010/09/20 18:55:20 rrt Exp $ # Unicode: BOM prefixed text files - Adrian Havill <havill@turbolinux.co.jp> # GRR: These types should be recognised in file_ascmagic so these # encodings can be treated by text patterns. # Missing types are already dealt with internally. # 0 string +/v8 Unicode text, UTF-7 0 string +/v9 Unicode text, UTF-7 0 string +/v+ Unicode text, UTF-7 0 string +/v/ Unicode text, UTF-7 0 string \335\163\146\163 Unicode text, UTF-8-EBCDIC 0 string \000\000\376\377 Unicode text, UTF-32, big-endian 0 string \377\376\000\000 Unicode text, UTF-32, little-endian 0 string \016\376\377 Unicode text, SCSU (Standard Compression Scheme for Unicode) #------------------------------------------------------------------------------ # $File: unknown,v 1.7 2009/09/19 16:28:13 christos Exp $ # unknown: file(1) magic for unknown machines # # XXX - this probably should be pruned, as it'll match PDP-11 and # VAX image formats. # # 0x107 is 0407; 0x108 is 0410; both are PDP-11 (executable and pure, # respectively). # # 0x109 is 0411; that's PDP-11 split I&D, but the PDP-11 version doesn't # have the "version %ld", which may be a bogus COFFism (I don't think # there ever was COFF for the PDP-11). # # 0x10B is 0413; that's VAX demand-paged, but this is a short, not a # long, as it would be on a VAX. # # 0x10C is 0414 and 0x10E is 416; those *are* unknown. # 0 short 0x107 unknown machine executable >8 short >0 not stripped >15 byte >0 - version %ld 0 short 0x108 unknown pure executable >8 short >0 not stripped >15 byte >0 - version %ld 0 short 0x109 PDP-11 separate I&D >8 short >0 not stripped >15 byte >0 - version %ld 0 short 0x10b unknown pure executable >8 short >0 not stripped >15 byte >0 - version %ld 0 long 0x10c unknown demand paged pure executable >16 long >0 not stripped 0 long 0x10e unknown readable demand paged pure executable #------------------------------------------------------------------------------ # $File: uuencode,v 1.7 2009/09/19 16:28:13 christos Exp $ # uuencode: file(1) magic for ASCII-encoded files # # GRR: the first line of xxencoded files is identical to that in uuencoded # files, but the first character in most subsequent lines is 'h' instead of # 'M'. (xxencoding uses lowercase letters in place of most of uuencode's # punctuation and survives BITNET gateways better.) If regular expressions # were supported, this entry could possibly be split into two with # "begin\040\.\*\012M" or "begin\040\.\*\012h" (where \. and \* are REs). 0 search/1 begin\ uuencoded or xxencoded text # btoa(1) is an alternative to uuencode that requires less space. 0 search/1 xbtoa\ Begin btoa'd text # ship(1) is another, much cooler alternative to uuencode. # Greg Roelofs, newt@uchicago.edu 0 search/1 $\012ship ship'd binary text # bencode(8) is used to encode compressed news batches (Bnews/Cnews only?) # Greg Roelofs, newt@uchicago.edu 0 search/1 Decode\ the\ following\ with\ bdeco bencoded News text # BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 search/1 must\ be\ converted\ with\ BinHex BinHex binary text >41 search/1 x \b, version %.3s # GRR: handle BASE64 #------------------------------------------------------------------------------ # $File: varied.out,v 1.22 2010/07/02 00:06:27 christos Exp $ # varied.out: file(1) magic for various USG systems # # Herewith many of the object file formats used by USG systems. # Most have been moved to files for a particular processor, # and deleted if they duplicate other entries. # 0 short 0610 Perkin-Elmer executable # AMD 29K 0 beshort 0572 amd 29k coff noprebar executable 0 beshort 01572 amd 29k coff prebar executable 0 beshort 0160007 amd 29k coff archive # Cray 6 beshort 0407 unicos (cray) executable # Ultrix 4.3 596 string \130\337\377\377 Ultrix core file >600 string >\0 from '%s' # BeOS and MAcOS PEF executables # From: hplus@zilker.net (Jon Watte) 0 string Joy!peffpwpc header for PowerPC PEF executable # # ava assembler/linker Uros Platise <uros.platise@ijs.si> 0 string avaobj AVR assembler object code >7 string >\0 version '%s' # gnu gmon magic From: Eugen Dedu <dedu@ese-metz.fr> 0 string gmon GNU prof performance data >4 long x - version %ld # From: Dave Pearson <davep@davep.org> # Harbour <URL:http://harbour-project.org/> HRB files. 0 string \xc0HRB Harbour HRB file >4 leshort x version %d # Harbour HBV files 0 string \xc0HBV Harbour variable dump file >4 leshort x version %d # From: Alex Beregszaszi <alex@fsn.hu> # 0 string exec BugOS executable # 0 string pack BugOS archive # From: Jason Spence <jspence@lightconsulting.com> # Generated by the "examples" in STM's ST40 devkit, and derived code. 0 lelong 0x13a9f17e ST40 component image format >4 string >\0 \b, name '%s' #------------------------------------------------------------------------------ # $File: varied.script,v 1.9 2011/12/16 16:32:48 rrt Exp $ # varied.script: file(1) magic for various interpreter scripts 0 string/t #!\ / a >3 string >\0 %s script text executable !:strength / 2 0 string/t #!\t/ a >3 string >\0 %s script text executable !:strength / 2 0 string/t #!/ a >2 string >\0 %s script text executable !:strength / 2 0 string/t #!\ script text executable >3 string >\0 for %s !:strength / 3 # using env 0 string/t #!/usr/bin/env a >15 string/t >\0 %s script text executable !:strength / 10 0 string/t #!\ /usr/bin/env a >16 string/t >\0 %s script text executable !:strength / 10 # From: arno <arenevier@fdn.fr> # mozilla xpconnect typelib # see http://www.mozilla.org/scriptable/typelib_file.html 0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib >0x10 byte x version %d >>0x11 byte x \b.%d #------------------------------------------------------------------------------ # $File: vax,v 1.7 2009/09/19 16:28:13 christos Exp $ # vax: file(1) magic for VAX executable/object and APL workspace # 0 lelong 0101557 VAX single precision APL workspace 0 lelong 0101556 VAX double precision APL workspace # # VAX a.out (32V, BSD) # 0 lelong 0407 VAX executable >16 lelong >0 not stripped 0 lelong 0410 VAX pure executable >16 lelong >0 not stripped 0 lelong 0413 VAX demand paged pure executable >16 lelong >0 not stripped 0 lelong 0420 VAX demand paged (first page unmapped) pure executable >16 lelong >0 not stripped # # VAX COFF # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # 0 leshort 0570 VAX COFF executable >12 lelong >0 not stripped >22 leshort >0 - version %ld 0 leshort 0575 VAX COFF pure executable >12 lelong >0 not stripped >22 leshort >0 - version %ld #------------------------------------------------------------------------------ # $File: vicar,v 1.4 2009/09/19 16:28:13 christos Exp $ # vicar: file(1) magic for VICAR files. # # From: Ossama Othman <othman@astrosun.tn.cornell.edu # VICAR is JPL's in-house spacecraft image processing program # VICAR image 0 string LBLSIZE= VICAR image data >32 string BYTE \b, 8 bits = VAX byte >32 string HALF \b, 16 bits = VAX word = Fortran INTEGER*2 >32 string FULL \b, 32 bits = VAX longword = Fortran INTEGER*4 >32 string REAL \b, 32 bits = VAX longword = Fortran REAL*4 >32 string DOUB \b, 64 bits = VAX quadword = Fortran REAL*8 >32 string COMPLEX \b, 64 bits = VAX quadword = Fortran COMPLEX*8 # VICAR label file 43 string SFDU_LABEL VICAR label file #------------------------------------------------------------------------------ # $File: virtual,v 1.2 2011/11/22 13:30:05 christos Exp $ # From: James Nobis <quel@quelrod.net> # Microsoft hard disk images for: # Virtual Server # Virtual PC # http://technet.microsoft.com/en-us/virtualserver/bb676673.aspx # .vhd 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC # Sun xVM VirtualBox Disk Image # From: Richard W.M. Jones <rich@annexia.org> # VirtualBox Disk Image 0x40 ulelong 0xbeda107f VirtualBox Disk Image >0x44 uleshort >0 \b, major %u >0x46 uleshort >0 \b, minor %u #------------------------------------------------------------------------------ # $File: virtutech,v 1.4 2009/09/19 16:28:13 christos Exp $ # Virtutech Compressed Random Access File Format # # From <gustav@virtutech.com> 0 string \211\277\036\203 Virtutech CRAFF >4 belong x v%d >20 belong 0 uncompressed >20 belong 1 bzipp2ed >20 belong 2 gzipped >24 belong 0 not clean #------------------------------------------------------------------------------ # $File: visx,v 1.5 2009/09/19 16:28:13 christos Exp $ # visx: file(1) magic for Visx format files # 0 short 0x5555 VISX image file >2 byte 0 (zero) >2 byte 1 (unsigned char) >2 byte 2 (short integer) >2 byte 3 (float 32) >2 byte 4 (float 64) >2 byte 5 (signed char) >2 byte 6 (bit-plane) >2 byte 7 (classes) >2 byte 8 (statistics) >2 byte 10 (ascii text) >2 byte 15 (image segments) >2 byte 100 (image set) >2 byte 101 (unsigned char vector) >2 byte 102 (short integer vector) >2 byte 103 (float 32 vector) >2 byte 104 (float 64 vector) >2 byte 105 (signed char vector) >2 byte 106 (bit plane vector) >2 byte 121 (feature vector) >2 byte 122 (feature vector library) >2 byte 124 (chain code) >2 byte 126 (bit vector) >2 byte 130 (graph) >2 byte 131 (adjacency graph) >2 byte 132 (adjacency graph library) >2 string .VISIX (ascii text) #------------------------------------------------------------------------------ # $File: vms,v 1.6 2009/09/19 16:28:13 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) # GRR 950122: I'm just guessing on these, based on inspection of the headers # of three executables each for Alpha and VAX architectures. The VAX files # all had headers similar to this: # # 00000 b0 00 30 00 44 00 60 00 00 00 00 00 30 32 30 35 ..0.D.`.....0205 # 00010 01 01 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ # 0 string \xb0\0\x30\0 VMS VAX executable >44032 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # # The AXP files all looked like this, except that the byte at offset 0x22 # was 06 in some of them and 07 in others: # # 00000 03 00 00 00 00 00 00 00 ec 02 00 00 10 01 00 00 ................ # 00010 68 00 00 00 98 00 00 00 b8 00 00 00 00 00 00 00 h............... # 00020 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ # 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # 0 belong 0x03000000 VMS Alpha executable >75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption #------------------------------------------------------------------------------ # $File: vmware,v 1.7 2009/09/19 16:28:13 christos Exp $ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) 0 belong 0x4d52564e VMware nvram #------------------------------------------------------------------------------ # $File: vorbis,v 1.16 2009/09/19 16:28:13 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner <leitner@fefe.de> # Extended by Beni Cherniavsky <cben@crosswinds.net> # Further extended by Greg Wooledge <greg@wooledge.org> # # Most (everything but the number of channels and bitrate) is commented # out with `##' as it's not interesting to the average user. The most # probable things advanced users would want to uncomment are probably # the number of comments and the encoder version. # # FIXME: The first match has been made a search, so that it can skip # over prepended ID3 tags. This will work for MIME type detection, but # won't work for detecting other properties of the file (they all need # to be made relative to the search). In any case, if the file has ID3 # tags, the ID3 information will be printed, not the Ogg information, # so until that's fixed, this doesn't matter. # FIXME[2]: Disable the above for now, since search assumes text mode. # # --- Ogg Framing --- #0 search/1000 OggS Ogg data 0 string OggS Ogg data !:mime application/ogg >4 byte !0 UNKNOWN REVISION %u ##>4 byte 0 revision 0 >4 byte 0 ##>>14 lelong x (Serial %lX) # non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) >>28 string \x7fFLAC \b, FLAC audio # non-Vorbis content: Theora >>28 string \x80theora \b, Theora video # non-Vorbis content: Kate >>28 string \x80kate\0\0\0\0 \b, Kate >>>37 ubyte x v%u >>>38 ubyte x \b.%u, >>>40 byte 0 utf8 encoding, >>>40 byte !0 unknown character encoding, >>>60 string >\0 language %s, >>>60 string \0 no language set, >>>76 string >\0 category %s >>>76 string \0 no category set # non-Vorbis content: Skeleton >>28 string fishead\0 \b, Skeleton >>>36 short x v%u >>>40 short x \b.%u # non-Vorbis content: Speex >>28 string Speex\ \ \ \b, Speex audio # non-Vorbis content: OGM >>28 string \x01video\0\0\0 \b, OGM video >>>37 string/c div3 (DivX 3) >>>37 string/c divx (DivX 4) >>>37 string/c dx50 (DivX 5) >>>37 string/c xvid (XviD) # --- First vorbis packet - general header --- >>28 string \x01vorbis \b, Vorbis audio, >>>35 lelong !0 UNKNOWN VERSION %lu, ##>>>35 lelong 0 version 0, >>>35 lelong 0 >>>>39 ubyte 1 mono, >>>>39 ubyte 2 stereo, >>>>39 ubyte >2 %u channels, >>>>40 lelong x %lu Hz # Minimal, nominal and maximal bitrates specified when encoding >>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, # The above tests if at least one of these is specified: >>>>>52 lelong !-1 # Vorbis RC2 has a bug which puts -1000 in the min/max bitrate fields # instead of -1. # Vorbis 1.0 uses 0 instead of -1. >>>>>>52 lelong !0 >>>>>>>52 lelong !-1000 >>>>>>>>52 lelong x <%lu >>>>>48 lelong !-1 >>>>>>48 lelong x ~%lu >>>>>44 lelong !-1 >>>>>>44 lelong !-1000 >>>>>>>44 lelong !0 >>>>>>>>44 lelong x >%lu >>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps # -- Second vorbis header packet - the comments # A kludge to read the vendor string. It's a counted string, not a # zero-terminated one, so file(1) can't read it in a generic way. # libVorbis is the only one existing currently, so I detect specifically # it. The interesting value is the cvs date (8 digits decimal). # Post-RC1 Ogg files have the second header packet (and thus the version) # in a different place, so we must use an indirect offset. >>>(84.b+85) string \x03vorbis >>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I >>>>>(84.b+120) string >00000000 # Map to beta version numbers: >>>>>>(84.b+120) string <20000508 (<beta1, prepublic) >>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) >>>>>>(84.b+120) string >20000508 >>>>>>>(84.b+120) string <20001031 (beta2-3) >>>>>>(84.b+120) string 20001031 (1.0 beta 3) >>>>>>(84.b+120) string >20001031 >>>>>>>(84.b+120) string <20010225 (beta3-4) >>>>>>(84.b+120) string 20010225 (1.0 beta 4) >>>>>>(84.b+120) string >20010225 >>>>>>>(84.b+120) string <20010615 (beta4-RC1) >>>>>>(84.b+120) string 20010615 (1.0 RC1) >>>>>>(84.b+120) string 20010813 (1.0 RC2) >>>>>>(84.b+120) string 20010816 (RC2 - Garf tuned v1) >>>>>>(84.b+120) string 20011014 (RC2 - Garf tuned v2) >>>>>>(84.b+120) string 20011217 (1.0 RC3) >>>>>>(84.b+120) string 20011231 (1.0 RC3) # Some pre-1.0 CVS snapshots still had "Xiphphorus"... >>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org >>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I >>>>>(84.b+117) string >00000000 >>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string 20020717 (1.0) >>>>>>(84.b+117) string 20030909 (1.0.1) >>>>>>(84.b+117) string 20040629 (1.1.0 RC1) #------------------------------------------------------------------------------ # $File: vxl,v 1.4 2009/09/19 16:28:13 christos Exp $ # VXL: file(1) magic for VXL binary IO data files # # from Ian Scott <scottim@sf.net> # # VXL is a collection of C++ libraries for Computer Vision. # See the vsl chapter in the VXL Book for more info # http://www.isbe.man.ac.uk/public_vxl_doc/books/vxl/book.html # http:/vxl.sf.net 2 lelong 0x472b2c4e VXL data file, >0 leshort >0 schema version no %d #------------------------------------------------------------------------------ # $File: warc,v 1.3 2010/11/25 15:05:43 christos Exp $ # warc: file(1) magic for WARC files 0 string WARC/ WARC Archive >5 string x version %.4s !:mime application/warc #------------------------------------------------------------------------------ # Arc File Format from Internet Archive # see http://www.archive.org/web/researcher/ArcFileFormat.php 0 string filedesc:// Internet Archive File !:mime application/x-ia-arc >11 search/256 \x0A \b >>&0 ubyte >0 \b version %c #------------------------------------------------------------------------------ # weak: file(1) magic for very weak magic entries, disabled by default # # These entries are so weak that they might interfere identification of # other formats. Example include: # - Only identify for 1 or 2 bytes # - Match against very wide range of values # - Match against generic word in some spoken languages (e.g. English) # Summary: Computer Graphics Metafile # Extension: .cgm #0 beshort&0xffe0 0x0020 binary Computer Graphics Metafile #0 beshort 0x3020 character Computer Graphics Metafile #0 string =!! Bennet Yee's "face" format #------------------------------------------------------------------------------ # $File: windows,v 1.4 2009/09/19 16:28:13 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs # using them are run almost always on MS Windows 3.x or # above, or files only used exclusively in Windows OS, # where there is no better category to allocate for. # For example, even though WinZIP almost run on Windows # only, it is better to treat them as "archive" instead. # For format usable in DOS, such as generic executable # format, please specify under "msdos" file. # # Summary: Outlook Express DBX file # Extension: .dbx # Created by: Christophe Monniez 0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file >4 byte =0xC5 \b, message database >4 byte =0xC6 \b, folder database >4 byte =0xC7 \b, account information >4 byte =0x30 \b, offline database # Summary: Windows crash dump # Extension: .dmp # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) 0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump >>0x068 lelong x \b, %ld pages >4 string DU64 MS Windows 64bit crash dump >>0xf98 lelong 1 \b, full dump >>0xf98 lelong 2 \b, kernel dump >>0xf98 lelong 3 \b, small dump >>0x090 lequad x \b, %lld pages # Summary: Vista Event Log # Extension: .evtx # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html 0 string ElfFile\0 MS Windows Vista Event Log >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d >0x18 lelong =1 \b, empty >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL # Summary: Windows 3.1 group files # Extension: .grp # Created by: unknown 0 string \120\115\103\103 MS Windows 3.1 group files # Summary: Old format help files # Extension: .hlp # Created by: Dirk Jagdmann <doj@cubic.org> 0 lelong 0x00035f3f MS Windows 3.x help file # Summary: Hyper terminal # Extension: .ht # Created by: unknown 0 string HyperTerminal\ >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile # Summary: Windows shortcut # Extension: .lnk # Created by: unknown 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut # Summary: Outlook Personal Folders # Created by: unknown 0 lelong 0x4E444221 Microsoft Outlook email folder >10 leshort 0x0e (<=2002) >10 leshort 0x17 (>=2003) # Summary: Windows help cache # Created by: unknown 0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache # Summary: IE cache file # Created by: Christophe Monniez 0 string Client\ UrlCache\ MMF Internet Explorer cache file >20 string >\0 version %s # Summary: Registry files # Created by: unknown # Modified by (1): Joerg Jenderek 0 string regf MS Windows registry file, NT/2000 or above 0 string CREG MS Windows 95/98/ME registry file 0 string SHCC3 MS Windows 3.1 registry file # Summary: Windows Registry text # Extension: .reg # Submitted by: Abel Cheung <abelcheung@gmail.com> 0 string REGEDIT4\r\n\r\n Windows Registry text (Win95 or above) 0 string Windows\ Registry\ Editor\ >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) # From: Pal Tamas <folti@balabit.hu> # Autorun File 0 string/c [autorun]\r\n Microsoft Windows Autorun file. !:mime application/x-setupscript. #------------------------------------------------------------------------------ # $File: wireless,v 1.2 2009/09/19 16:28:13 christos Exp $ # wireless-regdb: file(1) magic for CRDA wireless-regdb file format # 0 string RGDB CRDA wireless regulatory database file >4 belong 19 (Version 1) #------------------------------------------------------------------------------ # $File: wordprocessors,v 1.15 2010/09/20 19:19:17 rrt Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: 2 string \040\040\040\040\040\040\040\040\040\040\040ML4D\040'92 Smith Corona PWP >24 byte 2 \b, single spaced >24 byte 3 \b, 1.5 spaced >24 byte 4 \b, double spaced >25 byte 0x42 \b, letter >25 byte 0x54 \b, legal >26 byte 0x46 \b, A4 #WordPerfect type files Version 1.6 - PLEASE DO NOT REMOVE THIS LINE 0 string \377WPC\020\000\000\000\022\012\001\001\000\000\000\000 (WP) loadable file >15 byte 0 Optimized for Intel >15 byte 1 Optimized for Non-Intel 1 string WPC (Corel/WP) >8 short 257 WordPerfect macro >8 short 258 WordPerfect help file >8 short 259 WordPerfect keyboard file >8 short 266 WordPerfect document >8 short 267 WordPerfect dictionary >8 short 268 WordPerfect thesaurus >8 short 269 WordPerfect block >8 short 270 WordPerfect rectangular block >8 short 271 WordPerfect column block >8 short 272 WordPerfect printer data >8 short 275 WordPerfect printer data >8 short 276 WordPerfect driver resource data >8 short 279 WordPerfect hyphenation code >8 short 280 WordPerfect hyphenation data >8 short 281 WordPerfect macro resource data >8 short 283 WordPerfect hyphenation lex >8 short 285 WordPerfect wordlist >8 short 286 WordPerfect equation resource data >8 short 289 WordPerfect spell rules >8 short 290 WordPerfect dictionary rules >8 short 295 WordPerfect spell rules (Microlytics) >8 short 299 WordPerfect settings file >8 short 301 WordPerfect 4.2 document >8 short 325 WordPerfect dialog file >8 short 332 WordPerfect button bar >8 short 513 Shell macro >8 short 522 Shell definition >8 short 769 Notebook macro >8 short 770 Notebook help file >8 short 771 Notebook keyboard file >8 short 778 Notebook definition >8 short 1026 Calculator help file >8 short 1538 Calendar help file >8 short 1546 Calendar data file >8 short 1793 Editor macro >8 short 1794 Editor help file >8 short 1795 Editor keyboard file >8 short 1817 Editor macro resource file >8 short 2049 Macro editor macro >8 short 2050 Macro editor help file >8 short 2051 Macro editor keyboard file >8 short 2305 PlanPerfect macro >8 short 2306 PlanPerfect help file >8 short 2307 PlanPerfect keyboard file >8 short 2314 PlanPerfect worksheet >8 short 2319 PlanPerfect printer definition >8 short 2322 PlanPerfect graphic definition >8 short 2323 PlanPerfect data >8 short 2324 PlanPerfect temporary printer >8 short 2329 PlanPerfect macro resource data >8 byte 11 Mail >8 short 2818 help file >8 short 2821 distribution list >8 short 2826 out box >8 short 2827 in box >8 short 2836 users archived mailbox >8 short 2837 archived message database >8 short 2838 archived attachments >8 short 3083 Printer temporary file >8 short 3330 Scheduler help file >8 short 3338 Scheduler in file >8 short 3339 Scheduler out file >8 short 3594 GroupWise settings file >8 short 3601 GroupWise directory services >8 short 3627 GroupWise settings file >8 short 4362 Terminal resource data >8 short 4363 Terminal resource data >8 short 4395 Terminal resource data >8 short 4619 GUI loadable text >8 short 4620 graphics resource data >8 short 4621 printer settings file >8 short 4622 port definition file >8 short 4623 print queue parameters >8 short 4624 compressed file >8 short 5130 Network service msg file >8 short 5131 Network service msg file >8 short 5132 Async gateway login msg >8 short 5134 GroupWise message file >8 short 7956 GroupWise admin domain database >8 short 7957 GroupWise admin host database >8 short 7959 GroupWise admin remote host database >8 short 7960 GroupWise admin ADS deferment data file >8 short 8458 IntelliTAG (SGML) compiled DTD >8 long 18219264 WordPerfect graphic image (1.0) >8 long 18219520 WordPerfect graphic image (2.0) #end of WordPerfect type files Version 1.6 - PLEASE DO NOT REMOVE THIS LINE # Hangul (Korean) Word Processor File 0 string HWP\ Document\ File Hangul (Korean) Word Processor File 3.0 # From: Won-Kyu Park <wkpark@kldp.org> 512 string R\0o\0o\0t\0 Hangul (Korean) Word Processor File 2000 !:mime application/x-hwp # CosmicBook, from Beno�t Rouits 0 string CSBK Ted Neslson's CosmicBook hypertext file 2 string EYWR AmigaWriter file # chi: file(1) magic for ChiWriter files 0 string \\1cw\ ChiWriter file >5 string >\0 version %s 0 string \\1cw ChiWriter file # Quark Express from http://www.garykessler.net/library/file_sigs.html 2 string IIXPR3 Intel Quark Express Document (English) 2 string IIXPRa Intel Quark Express Document (Korean) 2 string MMXPR3 Motorola Quark Express Document (English) !:mime application/x-quark-xpress-3 2 string MMXPRa Motorola Quark Express Document (Korean) # adobe indesign (document, whatever...) from querkan 0 belong 0x0606edf5 Adobe InDesign >16 string DOCUMENT Document #------------------------------------------------------------------------------ # ichitaro456: file(1) magic for Just System Word Processor Ichitaro # # Contributor kenzo-: # Reversed-engineered JS Ichitaro magic numbers # 0 string DOC >43 byte 0x14 Just System Word Processor Ichitaro v4 !:mime application/x-ichitaro4 >144 string JDASH application/x-ichitaro4 0 string DOC >43 byte 0x15 Just System Word Processor Ichitaro v5 !:mime application/x-ichitaro5 0 string DOC >43 byte 0x16 Just System Word Processor Ichitaro v6 !:mime application/x-ichitaro6 # Type: Freemind mindmap documents # From: Jamie Thompson <debian-bugs@jamie-thompson.co.uk> 0 string/w \<map\ version Freemind document !:mime application/x-freemind # Type: Scribus # From: Werner Fink <werner@suse.de> 0 string \<SCRIBUSUTF8\ Version Scribus Document 0 string \<SCRIBUSUTF8NEW\ Version Scribus Document !:mime application/x-scribus #------------------------------------------------------------------------------ # $File: wsdl,v 1.1 2011/01/19 19:34:50 christos Exp $ # wsdl: PHP WSDL Cache, http://www.php.net/manual/en/book.soap.php # Cache format extracted from source: # http://svn.php.net/viewvc/php/php-src/trunk/ext/soap/php_sdl.c?revision=HEAD&view=markup # Requires file >= 5.05, see http://mx.gw.com/pipermail/file/2010/000683.html # By Elan Ruusamäe <glen@delfi.ee>, Patryk Zawadzki <patrys@pld-linux.org>, 2010-2011 0 string wsdl PHP WSDL cache, >4 byte x version 0x%02x >6 ledate x \b, created %s # uri >10 lelong <0x7fffffff >>10 pstring/l x \b, uri: "%s" # source >>>&0 lelong <0x7fffffff >>>>&-4 pstring/l x \b, source: "%s" # target_ns >>>>>&0 lelong <0x7fffffff >>>>>>&-4 pstring/l x \b, target_ns: "%s" #------------------------------------------------------------------------------ # $File: xdelta,v 1.5 2011/08/08 09:01:05 christos Exp $ # file(1) magic(5) data for xdelta Josh MacDonald <jmacd@CS.Berkeley.EDU> # 0 string %XDELTA% XDelta binary patch file 0.14 0 string %XDZ000% XDelta binary patch file 0.18 0 string %XDZ001% XDelta binary patch file 0.20 0 string %XDZ002% XDelta binary patch file 1.0 0 string %XDZ003% XDelta binary patch file 1.0.4 0 string %XDZ004% XDelta binary patch file 1.1 0 string \xD6\xC3\xC4\x00 VCDIFF binary diff #------------------------------------------------------------------------------ # $File: xenix,v 1.9 2009/09/19 16:28:13 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small # model" lifted from "magic.xenix", with comment "derived empirically; # treat as folklore until proven" # # "small model", "large model", "huge model" stuff lifted from XXX # # XXX - "x.out" collides with PDP-11 archives # 0 string core core file (Xenix) 0 byte 0x80 8086 relocatable (Microsoft) 0 leshort 0xff65 x.out >2 string __.SYMDEF randomized >0 byte x archive 0 leshort 0x206 Microsoft a.out >8 leshort 1 Middle model >0x1e leshort &0x10 overlay >0x1e leshort &0x2 separate >0x1e leshort &0x4 pure >0x1e leshort &0x800 segmented >0x1e leshort &0x400 standalone >0x1e leshort &0x8 fixed-stack >0x1c byte &0x80 byte-swapped >0x1c byte &0x40 word-swapped >0x10 lelong >0 not-stripped >0x1e leshort ^0xc000 pre-SysV >0x1e leshort &0x4000 V2.3 >0x1e leshort &0x8000 V3.0 >0x1c byte &0x4 86 >0x1c byte &0xb 186 >0x1c byte &0x9 286 >0x1c byte &0xa 386 >0x1f byte <0x040 small model >0x1f byte =0x048 large model >0x1f byte =0x049 huge model >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x40 Large Text >0x1e leshort &0x20 Large Data >0x1e leshort &0x120 Huge Objects Enabled >0x10 lelong >0 not stripped 0 leshort 0x140 old Microsoft 8086 x.out >0x3 byte &0x4 separate >0x3 byte &0x2 pure >0 byte &0x1 executable >0 byte ^0x1 relocatable >0x14 lelong >0 not stripped 0 lelong 0x206 b.out >0x1e leshort &0x10 overlay >0x1e leshort &0x2 separate >0x1e leshort &0x4 pure >0x1e leshort &0x800 segmented >0x1e leshort &0x400 standalone >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x4000 V2.3 >0x1e leshort &0x8000 V3.0 >0x1c byte &0x4 86 >0x1c byte &0xb 186 >0x1c byte &0x9 286 >0x1c byte &0x29 286 >0x1c byte &0xa 386 >0x1e leshort &0x4 Large Text >0x1e leshort &0x2 Large Data >0x1e leshort &0x102 Huge Objects Enabled 0 leshort 0x580 XENIX 8086 relocatable or 80286 small model #------------------------------------------------------------------------------ # $File: xilinx,v 1.4 2009/09/19 16:28:13 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 # # First there is the sync header and its length 0 beshort 0x0009 >2 belong =0x0ff00ff0 >>&0 belong =0x0ff00ff0 >>>&0 beshort =0x0000 >>>>&0 pstring a Xilinx BIT data # Next is a Pascal-style string with the NCD name. We want to capture that. >>>>0x0F pstring x - from %s # It is followed by a NUL >>>>>&1 byte 0x00 # And then 'b' >>>>>&2 string b # With the part number: #>>>>>&5 string 4v (Virtex4) #>>>>>&5 string 2v (Virtex II #>>>>>>&0 string !p \b) #>>>>>>&0 string p Pro) >>>>>&4 pstring x - for %s # And then NUL / 'c' / Build Data / NUL / 'd' / Date / NUL / 'e' / Data Length >>>>>>&1 byte 0x00 >>>>>>&2 string c >>>>>>&4 pstring x - built %s >>>>>>>&1 byte 0x00 >>>>>>>&2 string d >>>>>>>&4 pstring x \b(%s) >>>>>>>>&1 byte 0x00 >>>>>>>>&2 string e >>>>>>>>&4 belong x - data length 0x%lx #------------------------------------------------------------------------------ # $File: xo65,v 1.4 2009/09/19 16:28:13 christos Exp $ # xo65 object files # From: "Ullrich von Bassewitz" <uz@cc65.org> # 0 string \x55\x7A\x6E\x61 xo65 object, >4 leshort x version %d, >6 leshort&0x0001 =0x0001 with debug info >6 leshort&0x0001 =0x0000 no debug info # xo65 library files 0 string \x6E\x61\x55\x7A xo65 library, >4 leshort x version %d # o65 object files 0 string \x01\x00\x6F\x36\x35 o65 >6 leshort&0x1000 =0x0000 executable, >6 leshort&0x1000 =0x1000 object, >5 byte x version %d, >6 leshort&0x8000 =0x8000 65816, >6 leshort&0x8000 =0x0000 6502, >6 leshort&0x2000 =0x2000 32 bit, >6 leshort&0x2000 =0x0000 16 bit, >6 leshort&0x4000 =0x4000 page reloc, >6 leshort&0x4000 =0x0000 byte reloc, >6 leshort&0x0003 =0x0000 alignment 1 >6 leshort&0x0003 =0x0001 alignment 2 >6 leshort&0x0003 =0x0002 alignment 4 >6 leshort&0x0003 =0x0003 alignment 256 #------------------------------------------------------------------------------ # $File: xwindows,v 1.7 2011/05/03 01:44:17 christos Exp $ # xwindows: file(1) magic for various X/Window system file formats. # Compiled X Keymap # XKM (compiled X keymap) files (including version and byte ordering) 1 string mkx Compiled XKB Keymap: lsb, >0 byte >0 version %d >0 byte =0 obsolete 0 string xkm Compiled XKB Keymap: msb, >3 byte >0 version %d >0 byte =0 obsolete # xfsdump archive 0 string xFSdump0 xfsdump archive >8 belong x (version %d) # Jaleo XFS files 0 long 395726 Jaleo XFS file >4 long x - version %ld >8 long x - [%ld - >20 long x \b%ldx >24 long x \b%ldx >28 long 1008 \bYUV422] >28 long 1000 \bRGB24] # Xcursor data # X11 mouse cursor format defined in libXcursor, see # http://www.x.org/archive/X11R6.8.1/doc/Xcursor.3.html # http://cgit.freedesktop.org/xorg/lib/libXcursor/tree/include/X11/Xcursor/Xcursor.h 0 string Xcur Xcursor data !:mime image/x-xcursor >10 leshort x version %hd >>8 leshort x \b.%hd #------------------------------------------------------------------------------ # zfs: file(1) magic for ZFS dumps # # From <rea-fbsd@codelabs.ru> # ZFS dump header has the following structure (as per zfs_ioctl.h # in FreeBSD with drr_type is set to DRR_BEGIN) # # enum { # DRR_BEGIN, DRR_OBJECT, DRR_FREEOBJECTS, # DRR_WRITE, DRR_FREE, DRR_END, # } drr_type; # uint32_t drr_pad; # uint64_t drr_magic; # uint64_t drr_version; # uint64_t drr_creation_time; # dmu_objset_type_t drr_type; # uint32_t drr_pad; # uint64_t drr_toguid; # uint64_t drr_fromguid; # char drr_toname[MAXNAMELEN]; # # Backup magic is 0x00000002f5bacbac (quad word) # The drr_type is defined as # typedef enum dmu_objset_type { # DMU_OST_NONE, # DMU_OST_META, # DMU_OST_ZFS, # DMU_OST_ZVOL, # DMU_OST_OTHER, /* For testing only! */ # DMU_OST_ANY, /* Be careful! */ # DMU_OST_NUMTYPES # } dmu_objset_type_t; # # Almost all uint64_t fields are printed as the 32-bit ones (with high # 32 bits zeroed), because there is no simple way to print them as the # full 64-bit values. # Big-endian values 8 string \000\000\000\002\365\272\313\254 ZFS shapshot (big-endian machine), >20 belong x version %lu, >32 belong 0 type: NONE, >32 belong 1 type: META, >32 belong 2 type: ZFS, >32 belong 3 type: ZVOL, >32 belong 4 type: OTHER, >32 belong 5 type: ANY, >32 belong >5 type: UNKNOWN (%lu), >40 byte x destination GUID: %02X >41 byte x %02X >42 byte x %02X >43 byte x %02X >44 byte x %02X >45 byte x %02X >46 byte x %02X >47 byte x %02X, >48 ulong >0 >>52 ulong >0 >>>48 byte x source GUID: %02X >>>49 byte x %02X >>>50 byte x %02X >>>51 byte x %02X >>>52 byte x %02X >>>53 byte x %02X >>>54 byte x %02X >>>55 byte x %02X, >56 string >\0 name: '%s' # Little-endian values 8 string \254\313\272\365\002\000\000\000 ZFS shapshot (little-endian machine), >16 lelong x version %lu, >32 lelong 0 type: NONE, >32 lelong 1 type: META, >32 lelong 2 type: ZFS, >32 lelong 3 type: ZVOL, >32 lelong 4 type: OTHER, >32 lelong 5 type: ANY, >32 lelong >5 type: UNKNOWN (%lu), >47 byte x destination GUID: %02X >46 byte x %02X >45 byte x %02X >44 byte x %02X >43 byte x %02X >42 byte x %02X >41 byte x %02X >40 byte x %02X, >48 ulong >0 >>52 ulong >0 >>>55 byte x source GUID: %02X >>>54 byte x %02X >>>53 byte x %02X >>>52 byte x %02X >>>51 byte x %02X >>>50 byte x %02X >>>49 byte x %02X >>>48 byte x %02X, >56 string >\0 name: '%s' #------------------------------------------------------------------------------ # $File: zilog,v 1.7 2009/09/19 16:28:13 christos Exp $ # zilog: file(1) magic for Zilog Z8000. # # Was it big-endian or little-endian? My Product Specification doesn't # say. # 0 long 0xe807 object file (z8000 a.out) 0 long 0xe808 pure object file (z8000 a.out) 0 long 0xe809 separate object file (z8000 a.out) 0 long 0xe805 overlay object file (z8000 a.out) #------------------------------------------------------------------------------ # $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $ # zyxel: file(1) magic for ZyXEL modems # # From <rob@pe1chl.ampr.org> # These are the /etc/magic entries to decode datafiles as used for the # ZyXEL U-1496E DATA/FAX/VOICE modems. (This header conforms to a # ZyXEL-defined standard) 0 string ZyXEL\002 ZyXEL voice data >10 byte 0 - CELP encoding >10 byte&0x0B 1 - ADPCM2 encoding >10 byte&0x0B 2 - ADPCM3 encoding >10 byte&0x0B 3 - ADPCM4 encoding >10 byte&0x0B 8 - New ADPCM3 encoding >10 byte&0x04 4 with resync