Diffstat (limited to 'contrib/file/magic/Magdir')
109 files changed, 2312 insertions, 1383 deletions
diff --git a/contrib/file/magic/Magdir/adventure b/contrib/file/magic/Magdir/adventure index 94835e1..6fae85a 100644 --- a/contrib/file/magic/Magdir/adventure +++ b/contrib/file/magic/Magdir/adventure @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: adventure,v 1.15 2015/09/07 10:03:21 christos Exp $ +# $File: adventure,v 1.17 2017/07/03 16:03:40 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin <earendil@faeryland.tamu-commerce.edu> @@ -36,11 +36,12 @@ >0 ubyte <9 >>16 belong&0xfe00f0f0 0x3030 >>>0 ubyte < 10 ->>>>2 ubeshort < 10 +>>>>2 ubeshort x >>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9] ->>>>>>0 ubyte < 10 Infocom (Z-machine %d, ->>>>>>>2 ubeshort < 10 Release %d / ->>>>>>>>18 string >\0 Serial %.6s) +>>>>>>0 ubyte < 10 Infocom (Z-machine %d +>>>>>>>2 ubeshort x \b, Release %d +>>>>>>>>18 string >\0 \b, Serial %.6s +>>>>>>>>18 string x \b) !:strength + 40 !:mime application/x-zmachine @@ -78,7 +79,7 @@ !:mime application/x-tads # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), -# "TADS2 save\n\r\032\0" and the interpreter version. +# "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 @@ -109,7 +110,7 @@ # edited by David Griffith <dave@661.org> # Danny Milosavljevic <danny.milo@gmx.net> # These are ADRIFT (adventure game standard) game files, extension .taf -# Checked from source at (http://www.adrift.co/) and various taf files +# Checked from source at (http://www.adrift.co/) and various taf files # found at the Interactive Fiction Archive (http://ifarchive.org/) 0 belong 0x3C423FC9 >4 belong 0x6A87C2CF Adrift game file version diff --git a/contrib/file/magic/Magdir/amanda b/contrib/file/magic/Magdir/amanda index 395ef54..e7fa539 100644 
--- a/contrib/file/magic/Magdir/amanda +++ b/contrib/file/magic/Magdir/amanda @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $ +# $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $ # amanda: file(1) magic for amanda file format # -0 string AMANDA:\ AMANDA +0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s diff --git a/contrib/file/magic/Magdir/amigaos b/contrib/file/magic/Magdir/amigaos index 8fdf376..d9330bd 100644 --- a/contrib/file/magic/Magdir/amigaos +++ b/contrib/file/magic/Magdir/amigaos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: amigaos,v 1.15 2012/06/21 01:13:59 christos Exp $ +# $File: amigaos,v 1.16 2017/03/17 21:35:28 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -11,7 +11,7 @@ 0 belong 0x000003e7 AmigaOS object/library data # 0 beshort 0xe310 Amiga Workbench ->2 beshort 1 +>2 beshort 1 >>48 byte 1 disk icon >>48 byte 2 drawer icon >>48 byte 3 tool icon @@ -49,7 +49,7 @@ 0 string/c @database AmigaGuide file # Amiga disk types -# +# 0 string RDSK Rigid Disk Block >160 string x on %.24s 0 string DOS\0 Amiga DOS disk diff --git a/contrib/file/magic/Magdir/android b/contrib/file/magic/Magdir/android index f1340d5..dca5c33 100644 --- a/contrib/file/magic/Magdir/android +++ b/contrib/file/magic/Magdir/android @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.9 2016/01/11 21:19:18 christos Exp $ +# $File: android,v 1.10 2017/03/17 21:35:28 christos Exp $ # Various android related magic entries #------------------------------------------------------------ 
@@ -61,9 +61,9 @@ # http://forum.xda-developers.com/showthread.php?t=816449 # Partition Information Table for Samsung's smartphone with Android # used by flash software Odin -0 ulelong 0x12349876 +0 ulelong 0x12349876 # 1st pit entry marker ->0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # minimal 13 and maximal 18 PIT entries found >>4 ulelong <128 Partition Information Table for Samsung smartphone >>>4 ulelong x \b, %d entries @@ -109,9 +109,9 @@ 0 name PIT-entry # garbage value implies end of pit entries ->0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # skip empty partition name ->>0x24 ubyte !0 +>>0x24 ubyte !0 # partition name >>>0x24 string >\0 %-.32s # flags @@ -122,7 +122,7 @@ >>>0x08 ulelong x (0x%x) # filename >>>0x44 string >\0 "%-.64s" -#>>>0x18 ulelong >0 +#>>>0x18 ulelong >0 # blocksize in 512 byte units ? #>>>>0x18 ulelong x \b, %db # partition size in blocks ? diff --git a/contrib/file/magic/Magdir/animation b/contrib/file/magic/Magdir/animation index faa839e..a6e50ff 100644 --- a/contrib/file/magic/Magdir/animation +++ b/contrib/file/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.58 2016/07/03 14:13:11 christos Exp $ +# $File: animation,v 1.63 2017/05/26 14:33:07 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats 
@@ -34,14 +34,23 @@ !:mime image/jp2 # http://www.ftyps.com/ with local additions 4 string ftyp ISO Media +# http://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ +>8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +>>96 string x \b, Audio "%.4s" +>>118 beshort x at %dHz +>>140 string x \b, Video "%.4s" +>>168 beshort x %d +>>170 beshort x \bx%d >8 string 3g2 \b, MPEG v4 system, 3GPP2 !:mime video/3gpp2 >>11 byte 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) ->>11 byte a \b C.S0050-0 V1.0 ->>11 byte b \b C.S0050-0-A V1.0.0 ->>11 byte c \b C.S0050-0-B V1.0 +# http://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf +# Section 8.1.1, corresponds to a, b, c +>>11 byte 0x61 \b C.S0050-0 V1.0 +>>11 byte 0x62 \b C.S0050-0-A V1.0.0 +>>11 byte 0x63 \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release 6 MBMS Extended Presentations @@ -186,13 +195,13 @@ # MPEG sequences # Scans for all common MPEG header start codes -0 belong 0x00000001 +0 belong 0x00000001 >4 byte&0x1F 0x07 JVT NAL sequence, H.264 video >>5 byte 66 \b, baseline >>5 byte 77 \b, main >>5 byte 88 \b, extended >>7 byte x \b @ L %u -0 belong&0xFFFFFF00 0x00000100 +0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence !:mime video/mpeg >>4 byte &0x40 \b, v2, program multiplex @@ -493,8 +502,8 @@ # GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 # GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE) # FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries -#0 beshort&0xFFFE 0xFFFE -#>2 ubyte&0xF0 >0x0F +#0 beshort&0xFFFE 0xFFFE +#>2 ubyte&0xF0 >0x0F #>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1 ## rate #>>>2 byte&0xF0 0x10 \b, 32 kbps 
@@ -566,9 +575,9 @@ # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 !:mime audio/mpeg -# rate +# rate >2 byte&0xF0 0x10 \b, 8 kbps ->2 byte&0xF0 0x20 \b, 16 kbps +>2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps @@ -636,7 +645,7 @@ # MP3, M25A 0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 !:mime audio/mpeg -# rate +# rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps @@ -855,10 +864,12 @@ # X3D (Extensible 3D) [http://www.web3d.org/specifications/x3d-3.0.dtd] # From Michel Briand <michelbriand@free.fr> -0 string/t \<?xml\ version=" -!:strength +1 ->20 search/1000/cw \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text -!:mime model/x3d +# mimetype from https://www.iana.org/assignments/media-types/model/x3d+xml +# Example http://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d +0 string/w \<?xml\ version= +!:strength + 5 +>20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text +!:mime model/x3d+xml #--------------------------------------------------------------------------- # HVQM4: compressed movie format designed by Hudson for Nintendo GameCube diff --git a/contrib/file/magic/Magdir/apache b/contrib/file/magic/Magdir/apache new file mode 100644 index 0000000..d896b50 --- /dev/null +++ b/contrib/file/magic/Magdir/apache 
@@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $ +# apache: file(1) magic for Apache Big Data formats + +# Avro files +0 string Obj Apache Avro +>3 byte x version %d + +# ORC files +# Important information is in file footer, which we can't index to :( +0 string ORC Apache ORC + +# Parquet files +0 string PAR1 Apache Parquet + +# Hive RC files +0 string RCF Apache Hive RC file +>3 byte x version %d + +# Sequence files (and the careless first version of RC file) + +0 string SEQ +>3 byte <6 Apache Hadoop Sequence file version %d +>3 byte >6 Apache Hadoop Sequence file version %d +>3 byte =6 +>>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0 +>>3 default x Apache Hadoop Sequence file version 6 diff --git a/contrib/file/magic/Magdir/apple b/contrib/file/magic/Magdir/apple index ce03298..391205f 100644 --- a/contrib/file/magic/Magdir/apple +++ b/contrib/file/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.35 2016/08/17 09:45:13 christos Exp $ +# $File: apple,v 1.36 2017/03/17 21:35:28 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 
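Review bot: The new Avro, Hive RC and Sequence-file entries match on three printable ASCII letters at offset 0 (`Obj`, `RCF`, `SEQ`) and then accept almost any fourth byte: `>3 byte x version %d` is unconditional, and `>3 byte >6` matches every printable character. Ordinary text that starts with those letters will therefore be reported as an Apache container, which matters wherever file(1) output feeds upload filtering or triage. The Avro container magic is `Obj` followed by the byte 0x01, so that line could be `0 string Obj\001 Apache Avro`. The RC and SEQ version tests could be bounded to a small non-printable range, for example `>3 byte <0x20` (the exact bound should be checked against the formats). The same shape appears in the `SBx` entry added to Magdir/archive and the `MTM` entry added to Magdir/audio later in this diff.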
@@ -67,15 +67,15 @@ # AppleWorks word processor: # URL: https://en.wikipedia.org/wiki/AppleWorks # Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx -# Update: Joerg Jenderek +# Update: Joerg Jenderek # NOTE: # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. # and/or look for unused bits of booleans bytes like zoom, paginated, mail merge # the newer AppleWorks is from claris with extension CWK -4 string O +4 string O # test for unused bits of zoom- , paginated-boolean bytes ->84 ubequad ^0x00Fe00000000Fe00 +>84 ubequad ^0x00Fe00000000Fe00 # look for tabstop definitions "=" no tab, "|" no tab # "<" left tab,"^" center tab,">" right tab, "." decimal tab, # unofficial "!" other , "\x8a" other @@ -92,9 +92,9 @@ !:ext awp # minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) >>>183 ubyte 30 3.0 ->>>183 ubyte !30 +>>>183 ubyte !30 >>>>183 ubyte !0 0x%x -# usual tabstop start sequence "=====<" +# usual tabstop start sequence "=====<" >>>5 string x \b, tabstop ruler "%6.6s" # tabstop ruler #>>>5 string >\0 \b, tabstops "%-79s" @@ -105,7 +105,7 @@ # contains any mail-merge commands >>>92 byte&0x01 >0 \b, with mail merge # left margin in 1/10 inches ( normally 0 or 10 ) ->>>91 ubyte >0 +>>>91 ubyte >0 >>>>91 ubyte x \b, %d/10 inch left margin # AppleWorks database: @@ -140,13 +140,13 @@ # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) #0 belong&0xff00ff 0x80000 Applesoft BASIC program data -0 belong&0x00ff00ff 0x00080000 +0 belong&0x00ff00ff 0x00080000 # assuming that line number must be positive >2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d # ORCA/EZ assembler: -# +# # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF 
@@ -186,18 +186,18 @@ # From Johan Gade. # These entries are disabled for now until we fix the following issues. # -# Note there might be some problems with the "VAX COFF executable" -# entry. Note this entry should be placed before the mac filesystem section, +# Note there might be some problems with the "VAX COFF executable" +# entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # -# The intended meaning of these tests is, that the file is only of the +# The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # -# Note that this entry is recognized correctly by the "Apple Partition +# Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 @@ -288,7 +288,7 @@ # Apple disk partition stuff # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h -# Update: Joerg Jenderek +# Update: Joerg Jenderek # "ER" is APPLE_DRVR_MAP_MAGIC signature 0 beshort 0x4552 # display Apple Driver Map (strength=50) after Syslinux bootloader (71) @@ -315,7 +315,7 @@ # device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>10 ubeshort x \b, devid %u # driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) ->>12 ubelong >0 +>>12 ubelong >0 >>>12 ubelong x \b, driver data %u # number of driver descriptors sbDrvrCount <= 61 # (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) 
@@ -327,26 +327,26 @@ # >>500 use apple-driver-map # number of partitions is always same in every partition (map block count) #>>0x0204 ubelong x \b, %u partitions ->>0x0204 ubelong >0 \b, contains[@0x200]: +>>0x0204 ubelong >0 \b, contains[@0x200]: >>>0x0200 use apple-apm ->>0x0204 ubelong >1 \b, contains[@0x400]: +>>0x0204 ubelong >1 \b, contains[@0x400]: >>>0x0400 use apple-apm ->>0x0204 ubelong >2 \b, contains[@0x600]: +>>0x0204 ubelong >2 \b, contains[@0x600]: >>>0x0600 use apple-apm ->>0x0204 ubelong >3 \b, contains[@0x800]: +>>0x0204 ubelong >3 \b, contains[@0x800]: >>>0x0800 use apple-apm ->>0x0204 ubelong >4 \b, contains[@0xA00]: +>>0x0204 ubelong >4 \b, contains[@0xA00]: >>>0x0A00 use apple-apm ->>0x0204 ubelong >5 \b, contains[@0xC00]: +>>0x0204 ubelong >5 \b, contains[@0xC00]: >>>0x0C00 use apple-apm ->>0x0204 ubelong >6 \b, contains[@0xE00]: +>>0x0204 ubelong >6 \b, contains[@0xE00]: >>>0x0E00 use apple-apm ->>0x0204 ubelong >7 \b, contains[@0x1000]: +>>0x0204 ubelong >7 \b, contains[@0x1000]: >>>0x1000 use apple-apm # display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) 0 name apple-driver-map ->0 ubequad !0 -# descBlock first block of driver +>0 ubequad !0 +# descBlock first block of driver >>0 ubelong x \b, driver start block %u # descSize driver size in blocks >>4 ubeshort x \b, size %u @@ -355,11 +355,11 @@ # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the # magic stronger. # for apple partition map stored as a single file -0 belong 0x504d0000 +0 belong 0x504d0000 # to display Apple Partition Map (strength=70) after Syslinux bootloader (71) #!:strength +0 >0 use apple-apm 
@@ -417,7 +417,7 @@ 0 name appleworks >0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document >0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document ->0 default x +>0 default x >>0 belong x AppleWorks/ClarisWorks CWK Document >0 byte x \b, version %d >30 beshort x \b, %d diff --git a/contrib/file/magic/Magdir/archive b/contrib/file/magic/Magdir/archive index e737550..abecf71 100644 --- a/contrib/file/magic/Magdir/archive +++ b/contrib/file/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.103 2016/05/05 17:07:40 christos Exp $ +# $File: archive,v 1.108 2017/08/30 13:45:10 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -249,9 +249,9 @@ # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive # Update: Joerg Jenderek # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others -0 string \0\6 +0 string \0\6 # look for first keyword of Panorama database *.pan ->12 search/261 DESIGN +>12 search/261 DESIGN # skip keyword with low entropy >12 default x TTComp archive, binary, 4K dictionary # (version 5.25) labeled the above entry as "TTComp archive data" @@ -447,9 +447,9 @@ 0 string SZ\x0a\4 SZip archive data # XPack DiskImage # *.XDI updated by Joerg Jenderek Sep 2015 -# ftp://ftp.sac.sk/pub/sac/pack/0index.txt +# ftp://ftp.sac.sk/pub/sac/pack/0index.txt # GRR: this test is still too general as it catches also text files starting with jm -0 string jm +0 string jm # only found examples with this additional characteristic 2 bytes >2 string \x2\x4 Xpack DiskImage archive data #!:ext xdi 
@@ -462,7 +462,7 @@ # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip # created by XPA32.EXE version 1.0.2 for Windows >0 string xpa\0\1 \b32 archive data -# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 +# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 >3 ubeshort !0x0001 \bck archive data # XPack Single Data # changed by Joerg Jenderek Sep 2015 back to like in version 5.12 @@ -552,7 +552,7 @@ >>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) -# Update: Joerg Jenderek +# Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html # @@ -561,14 +561,14 @@ # check 1st character of method id like -lz4- -lh5- or -pm2- >2 string - # check 5th character of method id ->>6 string - +>>6 string - # check header level 0 1 2 3 ->>>20 ubyte <4 +>>>20 ubyte <4 # check 2nd, 3th and 4th character of method id >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b !:mime application/x-lzh-compressed # creator type "LHA " -!:apple ????LHA +!:apple ????LHA # display archive type name like "LHa/LZS archive data" or "LArc archive" >>>>>2 string -lz \b !:ext lzs @@ -578,7 +578,7 @@ # missing -lz?- with wikipedia names >>>>>>3 regex \^lz[2378] LArc archive # display archive type name like "LHa (2.x) archive data" ->>>>>2 string -lh \b +>>>>>2 string -lh \b # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" 
@@ -614,28 +614,28 @@ # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 ->0 ubyte x +>0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d -# attribute: 0x2~?? 0x10~symlink|target 0x20~normal +# attribute: 0x2~?? 0x10~symlink|target 0x20~normal #>19 ubyte x \b, 19_0x%x # level identifier 0 1 2 3 #>20 ubyte x \b, level %d # time stamp #>15 ubelong x DATE 0x%8.8x # OS ID for level 1 ->20 ubyte 1 +>20 ubyte 1 # 0x20 types find for *.rom files >>(21.b+24) ubyte <0x21 \b, 0x%x OS # ascii type like M for MSDOS >>(21.b+24) ubyte >0x20 \b, '%c' OS # OS ID for level 2 ->20 ubyte 2 +>20 ubyte 2 #>>23 ubyte x \b, OS ID 0x%x >>23 ubyte <0x21 \b, 0x%x OS >>23 ubyte >0x20 \b, '%c' OS # filename only for level 0 and 1 ->20 ubyte <2 +>20 ubyte <2 # length of filename >>21 ubyte >0 \b, with # filename 
@@ -643,73 +643,73 @@ # #2 string -lh0- LHarc 1.x/ARX archive data [lh0] #!:mime application/x-lharc -2 string -lh0- +2 string -lh0- >0 use lharc-file #2 string -lh1- LHarc 1.x/ARX archive data [lh1] #!:mime application/x-lharc -2 string -lh1- +2 string -lh1- >0 use lharc-file # NEW -lz2- ... -lz8- -2 string -lz2- +2 string -lz2- >0 use lharc-file -2 string -lz3- +2 string -lz3- >0 use lharc-file -2 string -lz4- +2 string -lz4- >0 use lharc-file -2 string -lz5- +2 string -lz5- >0 use lharc-file -2 string -lz7- +2 string -lz7- >0 use lharc-file -2 string -lz8- +2 string -lz8- >0 use lharc-file # [never seen any but the last; -lh4- reported in comp.compression:] #2 string -lzs- LHa/LZS archive data [lzs] -2 string -lzs- +2 string -lzs- >0 use lharc-file # According to wikipedia and others such a version does not exist #2 string -lh\40- LHa 2.x? archive data [lh ] #2 string -lhd- LHa 2.x? archive data [lhd] -2 string -lhd- +2 string -lhd- >0 use lharc-file #2 string -lh2- LHa 2.x? archive data [lh2] -2 string -lh2- +2 string -lh2- >0 use lharc-file #2 string -lh3- LHa 2.x? archive data [lh3] -2 string -lh3- +2 string -lh3- >0 use lharc-file #2 string -lh4- LHa (2.x) archive data [lh4] -2 string -lh4- +2 string -lh4- >0 use lharc-file #2 string -lh5- LHa (2.x) archive data [lh5] -2 string -lh5- +2 string -lh5- >0 use lharc-file #2 string -lh6- LHa (2.x) archive data [lh6] -2 string -lh6- +2 string -lh6- >0 use lharc-file #2 string -lh7- LHa (2.x)/LHark archive data [lh7] -2 string -lh7- +2 string -lh7- # !:mime application/x-lha # >20 byte x - header level %d >0 use lharc-file # NEW -lh8- ... 
-lhe- , -lhx- -2 string -lh8- +2 string -lh8- >0 use lharc-file -2 string -lh9- +2 string -lh9- >0 use lharc-file -2 string -lha- +2 string -lha- >0 use lharc-file -2 string -lhb- +2 string -lhb- >0 use lharc-file -2 string -lhc- +2 string -lhc- >0 use lharc-file -2 string -lhe- +2 string -lhe- >0 use lharc-file -2 string -lhx- +2 string -lhx- >0 use lharc-file # taken from idarc [JW] 2 string -lZ PUT archive data # already done by LHarc magics -# this should never happen if all sub types of LZS archive are identified +# this should never happen if all sub types of LZS archive are identified #2 string -lz LZS archive data 2 string -sw1- Swag archive data @@ -908,7 +908,17 @@ >>>4 byte 0x0a \b, at least v1.0 to extract >>>4 byte 0x0b \b, at least v1.1 to extract >>>4 byte 0x14 \b, at least v2.0 to extract +>>>4 byte 0x15 \b, at least v2.1 to extract +>>>4 byte 0x19 \b, at least v2.5 to extract +>>>4 byte 0x1b \b, at least v2.7 to extract >>>4 byte 0x2d \b, at least v4.5 to extract +>>>4 byte 0x2e \b, at least v4.6 to extract +>>>4 byte 0x32 \b, at least v5.0 to extract +>>>4 byte 0x33 \b, at least v5.1 to extract +>>>4 byte 0x34 \b, at least v5.2 to extract +>>>4 byte 0x3d \b, at least v6.1 to extract +>>>4 byte 0x3e \b, at least v6.2 to extract +>>>4 byte 0x3f \b, at least v6.3 to extract >>>0x161 string WINZIP \b, WinZIP self-extracting # StarView Metafile @@ -940,17 +950,17 @@ 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) -# Update: Joerg Jenderek +# Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # #2 string -pm0- PMarc archive data [pm0] -2 string -pm0- +2 string -pm0- >0 use lharc-file #2 string -pm1- PMarc archive data [pm1] -2 string -pm1- +2 string -pm1- >0 use lharc-file #2 string -pm2- PMarc archive data [pm2] -2 string -pm2- +2 string -pm2- >0 use lharc-file 2 string -pms- PMarc SFX archive (CP/M, DOS) #!:mime application/x-foobar-exec 
@@ -1145,12 +1155,12 @@ >3 ubyte 0 \b, no compression >3 ubyte 2 \b, fast compression (Z1) >3 ubyte 3 \b, medium compression (Z2) ->3 ubyte >3 +>3 ubyte >3 >>3 ubyte <11 \b, compression (Z%d-1) ->2 ubyte&0x08 0x00 +>2 ubyte&0x08 0x00 # ~ 30 byte password field only for *.gho >>12 ubequad !0 \b, password protected ->>44 ubyte !1 +>>44 ubyte !1 # 1~Image All, sector-by-sector only for *.gho >>>10 ubyte 1 \b, sector copy # 1~Image Boot track only for *.gho @@ -1160,8 +1170,8 @@ # optional image description only *.gho >>0xff string >\0 "%-.254s" # look for DOS sector end sequence ->0xE08 search/7776 \x55\xAA ->>&-512 indirect x \b; contains +>0xE08 search/7776 \x55\xAA +>>&-512 indirect x \b; contains # Google Chrome extensions # https://developer.chrome.com/extensions/crx @@ -1169,3 +1179,10 @@ 0 string Cr24 Google Chrome extension !:mime application/x-chrome-extension >4 ulong x \b, version %u + +# SeqBox - Sequenced container +# ext: sbx, seqbox +# Marco Pontello marcopon@gmail.com +# reference: https://github.com/MarcoPon/SeqBox +0 string SBx SeqBox, +>3 byte x version %d diff --git a/contrib/file/magic/Magdir/att3b b/contrib/file/magic/Magdir/att3b index a3ed9c0..b83ae2e 100644 --- a/contrib/file/magic/Magdir/att3b +++ b/contrib/file/magic/Magdir/att3b @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: att3b,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. @@ -36,6 +36,6 @@ #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %d # -# core file for 3b2 +# core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' diff --git a/contrib/file/magic/Magdir/audio b/contrib/file/magic/Magdir/audio index 29442a5..0330bbf 100644 --- a/contrib/file/magic/Magdir/audio +++ b/contrib/file/magic/Magdir/audio 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.75 2016/02/08 17:30:11 christos Exp $ +# $File: audio,v 1.80 2017/08/13 00:21:47 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -300,7 +300,7 @@ >>5 byte &0x40 \b, extended header >>5 byte &0x20 \b, experimental >>5 byte &0x10 \b, footer present ->(6.I+10) indirect x \b, contains: +>(6.I+10) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File @@ -314,7 +314,7 @@ >122 byte&0x1 =0 NTSC # NSFE (Extended NES sound file) magic -# http://slickproductions.org/docs/NSF/nsfespec.txt +# http://slickproductions.org/docs/NSF/nsfespec.txt # From: David Pflug <david@pflug.email> 0 string NSFE Extended NES Sound File >48 search/0x1000 auth @@ -469,6 +469,8 @@ >>20 byte&0xe 0xc \b, 7 channels >>20 byte&0xe 0xe \b, 8 channels # some common sample rates +>>17 belong&0xfffff0 0x2ee000 \b, 192 kHz +>>17 belong&0xfffff0 0x158880 \b, 88.2 kHz >>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz >>17 belong&0xfffff0 0x0bb800 \b, 48 kHz >>17 belong&0xfffff0 0x07d000 \b, 32 kHz @@ -658,7 +660,7 @@ # From Fabio R. Schmidlin <frs@pop.com.br> # VGM music file -0 string Vgm\ +0 string Vgm\040 >9 ubyte >0 VGM Video Game Music dump v >>9 ubyte/16 >0 \b%d >>9 ubyte&0x0F x \b%d @@ -723,7 +725,7 @@ # URL: http://www.garmin.com/ # Reference: http://turboccc.wikispaces.com/share/view/28622555 # NOTE: there exist 2 other Garmin VPM formats -0 string AUDIMG +0 string AUDIMG # skip text files starting with string "AUDIMG" >13 ubyte <13 Garmin Voice Processing Module !:mime audio/x-vpm-wav-garmin 
@@ -743,16 +745,68 @@ # second of release (0-59) >>9 ubyte x \b:%.2d # if you select a language like german on your garmin device -# you can only select voice modules with correponding language byte ID like 1 +# you can only select voice modules with corresponding language byte ID like 1 >>18 ubyte x \b, language ID %d # pointer to 1st audio WAV sample ->>16 uleshort >0 +>>16 uleshort >0 >>>(16.s) ulelong >0 \b, at offset 0x%x # WAV length >>>>(16.s+4) ulelong >0 %d Bytes # look for magic ->>>>>(&-8.l) string RIFF +>>>>>(&-8.l) string RIFF # determine type by ./riff ->>>>>>&-4 indirect x \b +>>>>>>&-4 indirect x \b # 2 - ~ 131 WAV samples following same way +# From Martin Mueller Skarbiniks Pedersen +0 string GDM +>0x3 byte 0xFE General Digital Music. +>0x4 string >\0 title: "%s" +>0x24 string >\0 musician: "%s" +>>0x44 beshort 0x0D0A +>>>0x46 byte 0x1A +>>>>0x47 string GMFS Version +>>>>0x4B byte x %d. +>>>>0x4C byte x \b%02d +>>>>0x4D beshort 0x000 (2GDM v +>>>>0x4F byte x \b%d. +>>>>>0x50 byte x \b%d) + +0 string MTM Multitracker +>0x3 byte/16 x Version %d. +>0x3 byte&0x0F x \b%02d +>>0x4 string >\0 title: "%s" + +0 string HVL +>3 byte <2 Hively Tracker Song +>3 byte 0 1 module data +>3 byte 1 2 module data + +0 string MO3 +>3 ubyte <6 MOdule with MP3 +>>3 byte 0 Version 0 (With MP3 and lossless) +>>3 byte 1 Version 1 (With ogg and lossless) +>>3 byte 3 Version 2.2 +>>3 byte 4 (With no LAME header) +>>3 byte 5 Version 2.4 + +0 string ADRVPACK AProSys module + +# ftp://ftp.modland.com/pub/documents/format_documentation/\ +# Art%20Of%20Noise%20(.aon).txt +0 string AON +>4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" +>0x2e string NAME Art of Noise Tracker Song +>3 string <9 +>3 string 4 (4 voices) +>3 string 8 (8 voices) +>>0x36 string >\0 Title: "%s" + +0 string FAR +>0x2c byte 0x0d +>0x2d byte 0x0a +>0x2e byte 0x1a +>>0x3 byte 0xFE Farandole Tracker Song +>>>0x31 byte/16 x Version %d. +>>>0x31 byte&0x0F x \b%02d +>>>>0x4 string >\0 \b, title: "%s" 
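Review bot: In the new `AON` entry the test value `"ArtOfNoise by Bastian Spiegel(twice/lego)"` is shown with unescaped spaces and literal quotes. The magic parser ends a string value at the first unescaped whitespace, so as written the test would compare only `"ArtOfNoise` and treat the remainder as the printed description. Other entries in this diff escape their spaces (`TADS2\ save/g`), so I would expect something like `>4 string ArtOfNoise\ by\ Bastian\ Spiegel(twice/lego)` without the quotes; this page collapses whitespace, so please confirm against the raw file. That line is also a sibling rather than a parent of `>0x2e string NAME`, so it does not gate the "Art of Noise Tracker Song" result whichever way it is parsed.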
diff --git a/contrib/file/magic/Magdir/bhl b/contrib/file/magic/Magdir/bhl new file mode 100644 index 0000000..6f57f03 --- /dev/null +++ b/contrib/file/magic/Magdir/bhl @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: bhl,v 1.1 2017/06/11 22:20:02 christos Exp $ +# BlockHashLoc +# ext: bhl +# Marco Pontello marcopon@gmail.com +# reference: https://github.com/MarcoPon/BlockHashLoc +0 string BlockHashLoc\x1a BlockHashLoc recovery info, +>13 byte x version %d +!:ext bhl diff --git a/contrib/file/magic/Magdir/blackberry b/contrib/file/magic/Magdir/blackberry index 4a61d4e..2e38a54 100644 --- a/contrib/file/magic/Magdir/blackberry +++ b/contrib/file/magic/Magdir/blackberry @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: blackberry,v 1.1 2014/01/31 01:51:32 christos Exp $ +# $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $ # blackberry: file(1) magic for BlackBerry file formats # -5 belong 0 +5 belong 0 >8 belong 010010010 BlackBerry RIM ETP file >>22 string x \b for %s diff --git a/contrib/file/magic/Magdir/blender b/contrib/file/magic/Magdir/blender index 5b9c855..0948570 100644 --- a/contrib/file/magic/Magdir/blender +++ b/contrib/file/magic/Magdir/blender @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.6 2014/08/30 08:34:17 christos Exp $ +# $File: blender,v 1.7 2017/03/17 21:35:28 christos Exp $ # blender: file(1) magic for Blender 3D related files # -# Native format rule v1.2. For questions use the developers list +# Native format rule v1.2. For questions use the developers list # http://lists.blender.org/mailman/listinfo/bf-committers -# GLOB chunk was moved near start and provides subversion info since 2.42 +# GLOB chunk was moved near start and provides subversion info since 2.42 0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits 
diff --git a/contrib/file/magic/Magdir/c-lang b/contrib/file/magic/Magdir/c-lang index bb594b0..7b3f703 100644 --- a/contrib/file/magic/Magdir/c-lang +++ b/contrib/file/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.24 2016/07/01 23:31:13 christos Exp $ +# $File: c-lang,v 1.26 2017/08/14 07:40:38 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML 
@@ -11,49 +11,72 @@ !:mime text/x-bcpl # C -0 regex \^#include C source text -!:strength +25 +# Check for class if include is found, otherwise class is beaten by include becouse of lowered strength +0 regex \^#include C +>0 regex \^class[[:space:]]+ +>>&0 regex \\{[\.\*]\\}(;)?$ \b++ +>&0 clear x source text +!:strength + 13 +!:mime text/x-c +0 regex \^#[[:space:]]*pragma C source text +!:mime text/x-c +0 regex \^#[[:space:]]*(if\|ifn)def +>&0 regex \^#[[:space:]]*endif$ C source text !:mime text/x-c -0 regex \^char[\ \t\n]+ C source text +0 regex \^#[[:space:]]*(if\|ifn)def +>&0 regex \^#[[:space:]]*define C source text !:mime text/x-c -0 regex \^double[\ \t\n]+ C source text +0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c -0 regex \^extern[\ \t\n]+ C source text +0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c -0 regex \^float[\ \t\n]+ C source text +0 regex \^[[:space:]]*extern[[:space:]]+ C source text !:mime text/x-c -0 regex \^struct[\ \t\n]+ C source text +0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c -0 regex \^union[\ \t\n]+ C source text +0 regex \^struct[[:space:]]+ C source text !:mime text/x-c -0 search/8192 main( C source text +0 regex \^union[[:space:]]+ C source text +!:mime text/x-c +0 search/8192 main( +>&0 regex \\)[[:space:]]*\\{ C source text !:mime text/x-c # C++ # The strength of these rules is increased so they beat the C rules above -0 regex \^template[\ \t]+<.*>[\ \t\n]+ C++ source text +0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text +!:strength + 30 +!:mime text/x-c++ +# using namespace [namespace] or using std::[lib] +0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text +!:strength + 30 +!:mime text/x-c++ +0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text !:strength + 30 !:mime text/x-c++ -0 regex 
\^virtual[\ \t\n]+ C++ source text +0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text !:strength + 30 !:mime text/x-c++ -0 regex \^class[\ \t\n]+ C++ source text -# But class is reduced to avoid beating php (Jens Schleusener) +# But class alone is reduced to avoid beating php (Jens Schleusener) +0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text !:strength + 13 !:mime text/x-c++ -0 regex \^public: C++ source text +0 regex \^[[:space:]]*public: C++ source text +!:strength + 30 +!:mime text/x-c++ +0 regex \^[[:space:]]*private: C++ source text !:strength + 30 !:mime text/x-c++ -0 regex \^private: C++ source text +0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C -0 regex \^#import Objective-C source text -!:strength +25 +0 regex \^#import Objective-C source text +!:strength + 25 !:mime text/x-objective-c -# From: Mikhail Teterin <mi@aldan.algebra.com> +# From: Mikhail Teterin <mi@aldan.algebra.com> 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will diff --git a/contrib/file/magic/Magdir/cad b/contrib/file/magic/Magdir/cad index 9b09fd7..daafba9 100644 --- a/contrib/file/magic/Magdir/cad +++ b/contrib/file/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.13 2014/03/23 18:05:38 christos Exp $ +# $File: cad,v 1.15 2017/06/24 15:24:56 christos Exp $ # autocad: file(1) magic for cad files # @@ -9,7 +9,7 @@ # DGN is the default file extension of Microstation/Intergraph CAD files. # CIT is the proprietary raster format (similar to TIFF) used to attach # raster underlays to Microstation DGN (vector) drawings. -# +# # http://www.wotsit.org/search.asp # http://filext.com/detaillist.php?extdetail=DGN # http://filext.com/detaillist.php?extdetail=CIT 
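Review bot: The new class rule ends in `\\{(.*[\n]*)*\\}(;)?$`, a starred group whose two starred members can both match empty; on a backtracking regex engine that shape can take very long on a file that contains `class X {` but no closing brace at a line end, and file(1) is commonly run on untrusted input. Consider bounding the scan the way the awk rule in Magdir/commands does (`regex/4096`) and checking for the closing brace in a child test instead of the nested group. In the `#include` block, `\\{[\.\*]\\}` is a bracket expression that matches a single character, so as far as I can tell it accepts only bodies such as `{.}` or `{*}` and the `\b++` suffix will rarely print; `\\{.*\\}` looks like what was meant. The added comment also spells "because" as "becouse".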
@@ -42,7 +42,7 @@ >4 string \030\000\000 CITFile >4 string \030\000\003 CITFile -# AutoCAD +# AutoCAD # Merge of the different contributions and updates from http://en.wikipedia.org/wiki/Dwg # and http://www.iana.org/assignments/media-types/image/vnd.dwg 0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0 @@ -99,42 +99,42 @@ 0 string AC1027 DWG AutoDesk AutoCAD 2013/2014 !:mime image/vnd.dwg -# KOMPAS 2D drawing from ASCON +# KOMPAS 2D drawing from ASCON # This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor # gathered nor specification # ASCON http://ascon.net/main/ in English, # http://ascon.ru/ main site in Russian -# Extension is CDW for drawing and FRW for fragment of drawing +# Extension is CDW for drawing and FRW for fragment of drawing # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321, http://vkontakte.ru/id16076543) # 
From: # http://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 # (in russian) and my experiments 0 string KF ->2 belong 0x4E00000C Kompas drawing 12.0 SP1 ->2 belong 0x4D00000C Kompas drawing 12.0 ->2 belong 0x3200000B Kompas drawing 11.0 SP1 ->2 belong 0x3100000B Kompas drawing 11.0 ->2 belong 0x2310000A Kompas drawing 10.0 SP1 ->2 belong 0x2110000A Kompas drawing 10.0 ->2 belong 0x08000009 Kompas drawing 9.0 SP1 ->2 belong 0x05000009 Kompas drawing 9.0 ->2 belong 0x33010008 Kompas drawing 8+ ->2 belong 0x1A000008 Kompas drawing 8.0 ->2 belong 0x2C010107 Kompas drawing 7+ ->2 belong 0x05000007 Kompas drawing 7.0 ->2 belong 0x32000006 Kompas drawing 6+ ->2 belong 0x09000006 Kompas drawing 6.0 ->2 belong 0x5C009005 Kompas drawing 5.11R03 ->2 belong 0x54009005 Kompas drawing 5.11R02 ->2 belong 0x51009005 Kompas drawing 5.11R01 ->2 belong 0x22009005 Kompas drawing 5.10R03 ->2 belong 0x22009005 Kompas drawing 5.10R02 mar ->2 belong 0x21009005 Kompas drawing 5.10R02 febr ->2 belong 0x19009005 Kompas drawing 5.10R01 ->2 belong 0xF4008005 Kompas drawing 5.9R01.003 ->2 belong 0x1C008005 Kompas drawing 5.9R01.002 ->2 belong 0x11008005 Kompas drawing 5.8R01.003 +>2 belong 0x4E00000C Kompas drawing 12.0 SP1 +>2 belong 0x4D00000C Kompas drawing 12.0 +>2 belong 0x3200000B Kompas drawing 11.0 SP1 +>2 belong 0x3100000B Kompas drawing 11.0 +>2 belong 0x2310000A Kompas drawing 10.0 SP1 +>2 belong 0x2110000A Kompas drawing 10.0 +>2 belong 0x08000009 Kompas drawing 9.0 SP1 +>2 belong 0x05000009 Kompas drawing 9.0 +>2 belong 0x33010008 Kompas drawing 8+ +>2 belong 0x1A000008 Kompas drawing 8.0 +>2 belong 0x2C010107 Kompas drawing 7+ +>2 belong 0x05000007 Kompas drawing 7.0 +>2 belong 0x32000006 Kompas drawing 6+ +>2 belong 0x09000006 Kompas drawing 6.0 +>2 belong 0x5C009005 Kompas drawing 5.11R03 +>2 belong 0x54009005 Kompas drawing 5.11R02 +>2 belong 0x51009005 Kompas drawing 5.11R01 +>2 belong 0x22009005 Kompas drawing 5.10R03 +>2 belong 0x22009005 Kompas 
drawing 5.10R02 mar +>2 belong 0x21009005 Kompas drawing 5.10R02 febr +>2 belong 0x19009005 Kompas drawing 5.10R01 +>2 belong 0xF4008005 Kompas drawing 5.9R01.003 +>2 belong 0x1C008005 Kompas drawing 5.9R01.002 +>2 belong 0x11008005 Kompas drawing 5.8R01.003 # CAD: file(1) magic for computer aided design files # Phillip Griffith <phillip dot griffith at gmail dot com> @@ -147,8 +147,13 @@ >0x02 byte 0xfe >>0x04 beshort 0x1800 CIT raster CAD -# 3DS (3d Studio files) Conflicts with diff output 0x3d '=' -#16 beshort 0x3d3d image/x-3ds +# 3DS (3d Studio files) +0 leshort 0x4d4d +>6 leshort 0x2 +>>8 lelong 0xa +>>>16 leshort 0x3d3d 3D Studio model +!:mime image/x-3ds +!:extension 3ds # MegaCAD 2D/3D drawing (.prt) # http://megacad.de/ diff --git a/contrib/file/magic/Magdir/cafebabe b/contrib/file/magic/Magdir/cafebabe index 6d97ceb..6482858 100644 --- a/contrib/file/magic/Magdir/cafebabe +++ b/contrib/file/magic/Magdir/cafebabe 
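Review bot: The re-enabled 3D Studio rule tags its extension with `!:extension 3ds`, while the new Magdir/bhl file in this same commit uses `!:ext bhl`. If the parser only recognises the `!:ext` keyword, the longer spelling is either rejected or parsed into a wrong extension string, so I would write `!:ext 3ds` here to match.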
@@ -1,14 +1,14 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.21 2015/10/15 20:56:51 christos Exp $ +# $File: cafebabe,v 1.23 2017/05/25 20:07:23 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, # the test must be performed in the same "magic" sequence to get both right. # The long at offset 4 in a Mach-O universal binary tells the number of # architectures; the short at offset 4 in a Java bytecode file is the JVM minor -# version and the short at offset 6 is the JVM major version. Since there are only -# only 18 labeled Mach-O architectures at current, and the first released +# version and the short at offset 6 is the JVM major version. Since there are only +# only 18 labeled Mach-O architectures at current, and the first released # Java class format was version 43.0, we can safely choose any number # between 18 and 39 to test the number of architectures against # (and use as a hack). Let's not use 18, because the Mach-O people @@ -47,7 +47,7 @@ 0 name mach-o \b [ >0 use mach-o-cpu \b ->(8.L) indirect \b: +>(8.L) indirect x \b: >0 belong x \b] 0 belong 0xcafebabe diff --git a/contrib/file/magic/Magdir/clipper b/contrib/file/magic/Magdir/clipper index 98278eb..2768b3a 100644 --- a/contrib/file/magic/Magdir/clipper +++ b/contrib/file/magic/Magdir/clipper @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: clipper,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # -# >18 short !074000,000000 C1 R1 +# >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST 
@@ -15,7 +15,7 @@ # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # -# >18 short&074000 000000 C1 R1 +# >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST @@ -37,7 +37,7 @@ >12 long >0 not stripped >22 short >0 - version %d 0 short 0577 CLIPPER COFF executable ->18 short&074000 000000 C1 R1 +>18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST diff --git a/contrib/file/magic/Magdir/coff b/contrib/file/magic/Magdir/coff index 02cbf9c..b4addec 100644 --- a/contrib/file/magic/Magdir/coff +++ b/contrib/file/magic/Magdir/coff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.1 2015/09/30 20:32:35 christos Exp $ +# $File: coff,v 1.2 2017/03/17 21:35:28 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF @@ -15,7 +15,7 @@ # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 uleshort&0x8E80 0 +>18 uleshort&0x8E80 0 >>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) @@ -25,7 +25,7 @@ # Hitachi SH little-endian COFF (./hitachi-sh) >>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>0 uleshort 0x01DF +#>>0 uleshort 0x01DF # TODO for other COFFs #>>0 uleshort 0xABCD COFF_TEMPLATE >>0 default x 
@@ -45,12 +45,12 @@ >>18 leshort &0x0008 \b, stripped >>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions -#0x0010 F_FDPR_PROF +#0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit #>>>18 leshort &0x0100 \b, 32 bit little endian -#0x1000 F_DYNLOAD +#0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY # f_nscns - number of sections @@ -62,7 +62,7 @@ >>8 ulelong >0 \b, symbol offset=0x%x # f_nsyms - number of symbols, only for not stripped >>12 ulelong >0 \b, %d symbols -# f_opthdr - optional header size +# f_opthdr - optional header size >>16 uleshort >0 \b, optional header size %d # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. diff --git a/contrib/file/magic/Magdir/commands b/contrib/file/magic/Magdir/commands index 48d7063..f6ad1c8 100644 --- a/contrib/file/magic/Magdir/commands +++ b/contrib/file/magic/Magdir/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.56 2016/07/14 19:01:12 christos Exp $ +# $File: commands,v 1.59 2017/08/14 07:40:38 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text @@ -56,7 +56,7 @@ !:mime text/x-awk 0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk -0 regex/4096 =^\\s{0,100}BEGIN\\s{0,100}[{] awk or perl script text +0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable @@ -84,7 +84,7 @@ # PHP scripts # Ulf Harnhammar <ulfh@update.uu.se> 0 search/1/c =<?php PHP script text -!:strength + 10 +!:strength + 30 !:mime text/x-php 0 search/1 =<?\n PHP script text !:mime text/x-php diff --git a/contrib/file/magic/Magdir/compress b/contrib/file/magic/Magdir/compress index 3297d5d..6fa8f32 100644 
--- a/contrib/file/magic/Magdir/compress +++ b/contrib/file/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.66 2016/09/16 12:12:05 christos Exp $ +# $File: compress,v 1.68 2017/05/25 20:07:23 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -223,7 +223,7 @@ # Zstandard/LZ4 skippable frames # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong&0xFFFFFFF0 0x184D2A50 ->(4.l+8) indirect +>(4.l+8) indirect x # Zstandard Dictionary ID subroutine 0 name zstd-dictionary-id @@ -310,7 +310,7 @@ # Zlib https://www.ietf.org/rfc/rfc6713.txt 0 string/b x ->0 beshort%31 =0 +>0 beshort%31 =0 >>0 byte&0xf =8 >>>0 byte&0x80 =0 zlib compressed data !:mime application/zlib diff --git a/contrib/file/magic/Magdir/console b/contrib/file/magic/Magdir/console index 2a1c9af..66f5dbd 100644 --- a/contrib/file/magic/Magdir/console +++ b/contrib/file/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.26 2016/06/12 15:20:37 christos Exp $ +# $File: console,v 1.32 2017/08/13 00:21:47 christos Exp $ # Console game magic # Toby Deshane <hac@shoelace.digivill.net> @@ -9,17 +9,19 @@ # References: # - http://wiki.nesdev.com/w/index.php/INES # - http://wiki.nesdev.com/w/index.php/NES_2.0 -0 string NES\x1A iNES ROM image + +# Common header for iNES, NES 2.0, and Wii U iNES. +0 name nes-rom-image-ines >7 byte&0x0C =0x8 (NES 2.0) >4 byte x \b: %ux16k PRG ->5 byte x \b, %ux16k CHR +>5 byte x \b, %ux8k CHR >6 byte&0x08 =0x8 [4-Scr] >6 byte&0x09 =0x0 [H-mirror] >6 byte&0x09 =0x1 [V-mirror] >6 byte&0x02 =0x2 [SRAM] >6 byte&0x04 =0x4 [Trainer] >7 byte&0x03 =0x2 [PC10] ->7 byte&0x03 =0x1 [VS +>7 byte&0x03 =0x1 [VS] >>7 byte&0x0C =0x8 # NES 2.0: VS PPU >>>13 byte&0x0F =0x0 \b, RP2C03B 
@@ -43,17 +45,24 @@ >>12 byte&0x03 =0x1 [PAL] >>12 byte&0x02 =0x2 [NTSC+PAL] +# Standard iNES ROM header. +0 string NES\x1A NES ROM image (iNES) +>0 use nes-rom-image-ines + +# Wii U Virtual Console iNES ROM header. +0 belong 0x4E455300 NES ROM image (Wii U Virtual Console) +>0 use nes-rom-image-ines + #------------------------------------------------------------------------------ # unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images # Reference: http://wiki.nesdev.com/w/index.php/UNIF # From: David Korth <gerbilsoft@gerbilsoft.com> -# TODO commit on 2016/03/21 # # NOTE: The UNIF format uses chunks instead of a fixed header, # so most of the data isn't easily parseable. # 0 string UNIF ->4 lelong <16 UNIF v%d format NES ROM image +>4 lelong <16 NES ROM image (UNIF v%d format) #------------------------------------------------------------------------------ # fds: file(1) magic for Famciom Disk System disk images @@ -63,25 +72,40 @@ # Disk info block. (block 1) 0 name nintendo-fds-disk-info-block ->1 string *NINTENDO-HVC* Famicom Disk System disk image: >23 byte !1 FMC- >23 byte 1 FSC- >16 string x \b%.3s ->15 byte x \b, mfr 0x%02X +>15 byte x \b, mfr %02X >20 byte x (Rev.%02u) # Headered version. 0 string FDS\x1A ->0x11 string *NINTENDO-HVC* +>0x11 string *NINTENDO-HVC* Famicom Disk System disk image: >>0x10 use nintendo-fds-disk-info-block >4 byte 1 (%u side) >4 byte !1 (%u sides) # Unheadered version. -1 string *NINTENDO-HVC* +1 string *NINTENDO-HVC* Famicom Disk System disk image: >0 use nintendo-fds-disk-info-block #------------------------------------------------------------------------------ +# tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images +# Used by Nintendo 3DS NES Virtual Console games. +# 
From: David Korth <gerbilsoft@gerbilsoft.com> +# +0 string TNES NES ROM image (Nintendo 3DS Virtual Console) +>4 byte 100 \b: FDS, +>>0x2010 use nintendo-fds-disk-info-block +>4 byte !100 \b: TNES mapper %u +>>5 byte x \b, %ux8k PRG +>>6 byte x \b, %ux8k CHR +>>7 byte&0x08 =1 [WRAM] +>>8 byte&0x09 =1 [H-mirror] +>>8 byte&0x09 =2 [V-mirror] +>>8 byte&0x02 =3 [VRAM] + +#------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header # @@ -389,6 +413,15 @@ >0x1E byte x \b, Rev.%02u) >0x12 byte 2 (DSi enhanced) >0x12 byte 3 (DSi only) +# Secure Area check. +>0x20 lelong <0x4000 (homebrew) +>0x20 lelong >0x3FFF +>>0x4000 lequad 0x0000000000000000 (multiboot) +>>0x4000 lequad !0x0000000000000000 +>>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted) +>>>0x4000 lequad !0xE7FFDEFFE7FFDEFF +>>>>0x1000 lequad 0x0000000000000000 (encrypted) +>>>>0x1000 lequad !0x0000000000000000 (mask ROM) #------------------------------------------------------------------------------ # nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot. @@ -412,7 +445,7 @@ #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi -#0 beshort 0x4142 MSX game cartridge dump +#0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) : @@ -467,7 +500,7 @@ # Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. -0 beshort 0x8008 +0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge >>2 beshort x \b, RAM start $%04x >6 string LYNX Lynx cartridge 
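Review bot: Three of the four TNES flag tests added here can never match, because the compared value is not reachable under the mask: `byte&0x08 =1` yields only 0 or 8, `byte&0x09 =2` only 0, 1, 8 or 9, and `byte&0x02 =3` only 0 or 2. As written, `[WRAM]`, `[V-mirror]` and `[VRAM]` are never printed, and `[H-mirror]` fires on bit 0 with bit 3 clear. The masks look carried over from the iNES subroutine (`>6 byte&0x09 =0x1 [V-mirror]`); if the TNES fields are plain enumerations, which the page does not show, drop the masks (for example `>>8 byte 2 [V-mirror]`), otherwise compare against a value the mask can produce.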
@@ -482,7 +515,7 @@ # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic # ftp://ftp.modland.com/pub/documents/format_documentation/\ -# Gameboy%20Sound%20System%20(.gbs).txt +# Gameboy%20Sound%20System%20(.gbs).txt 0 string GBS Nintendo Gameboy Music/Audio Data #12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module >16 string >\0 ("%s" by @@ -491,6 +524,10 @@ >3 byte x version %d, >4 byte x %d tracks +# IPS Patch Files from: From: Thomas Klausner <tk@giga.or.at> +# see http://zerosoft.zophar.net/ips.php +0 string PATCH IPS patch file + # Playstations Patch Files from: From: Thomas Klausner <tk@giga.or.at> 0 string PPF30 Playstation Patch File version 3.0 >5 byte 0 \b, PPF 1.0 patch @@ -518,7 +555,7 @@ # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording >0x4 lelong x \b, version %d -# version 4 is latest so far +# version 4 is latest so far >0x4 lelong <5 >>0x8 ledate x \b, recorded at %s >>0xc lelong >0 \b, rerecorded %d times 
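Review bot: The new IPS rule `0 string PATCH IPS patch file` keys on five printable ASCII letters with no further test, so any file that happens to start with the word PATCH is reported as an IPS patch. Tools that route or trust files by file(1) output would then mislabel plain text. I would add a child test on the bytes that follow before printing the description, or lower the rule's weight with a `!:strength` line as other rules in this commit do.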
@@ -617,6 +654,52 @@ >0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format): >>0x200 use nintendo-gcn-disc-common +# Type: Nintendo GameCube/Wii disc image (CISO format) +# NOTE: This is NOT the same as Compact ISO or PSP CISO, +# though it has the same magic number. +0 string CISO +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong 0x200000 +>>8 byte 1 +>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): +>>>>0x8000 use nintendo-gcn-disc-common +>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): +>>>>0x8000 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (GCZ format) +# Due to zlib compression, we can't get the actual disc information. +0 lelong 0xB10BC001 +>4 lelong 0 Nintendo GameCube disc image (GCZ format) +>4 lelong 1 Nintendo Wii disc image (GCZ format) +>4 lelong >1 Nintendo GameCube/Wii disc image (GCZ format) + +# Type: Nintendo GameCube/Wii disc image (WDF format) +0 string WII\001DISC +>8 belong 1 +# WDFv1 +>>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format): +>>>0x38 use nintendo-gcn-disc-common +>>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format): +>>>0x38 use nintendo-gcn-disc-common +>8 belong 2 +# WDFv2 +>>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format): +>>>(12.L) use nintendo-gcn-disc-common +>>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format): +>>>(12.L) use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (WIA format) +0 string WIA\001 Nintendo +>0x48 belong 0 GameCube/Wii +>0x48 belong 1 GameCube +>0x48 belong 2 Wii +>0x48 belong >2 GameCube/Wii +>0x48 belong x disc image (WIA format): +>>0x58 use nintendo-gcn-disc-common + #------------------------------------------------------------------------------ # Nintendo 
3DS file formats. # @@ -722,7 +805,7 @@ # Type: Nintendo 3DS Homebrew Application. # From: David Korth <gerbilsoft@gerbilsoft.com> -# Refernece: https://3dbrew.org/wiki/3DSX_Format +# Reference: https://3dbrew.org/wiki/3DSX_Format 0 string 3DSX Nintendo 3DS Homebrew Application (3DSX) #------------------------------------------------------------------------------ @@ -750,3 +833,17 @@ # 0 string g\ GCE Vectrex ROM image >0x11 string >\0 \b: "%.16s" + +#------------------------------------------------------------------------------ +# amiibo: file(1) magic for Nintendo amiibo NFC dumps. +# From: David Korth <gerbilsoft@gerbilsoft.com> +# Reference: https://www.3dbrew.org/wiki/Amiibo +0x00 byte 0x04 +>0x0A beshort 0x0FE0 +>>0x0C belong 0xF110FFEE +>>>0x208 beshort 0x0100 +>>>>0x020A byte 0x0F +>>>>>0x020C bequad 0x000000045F000000 +>>>>>>0x5B byte 0x02 +>>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X- +>>>>>>>0x58 belong x \b%08X diff --git a/contrib/file/magic/Magdir/cups b/contrib/file/magic/Magdir/cups index 4d0056b..a065de3 100644 --- a/contrib/file/magic/Magdir/cups +++ b/contrib/file/magic/Magdir/cups @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cups,v 1.4 2016/10/17 18:51:02 christos Exp $ +# $File: cups,v 1.5 2017/03/17 21:35:28 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli <martellilaurent@gmail.com> # http://www.cups.org/documentation.php/spec-raster.html @@ -39,7 +39,7 @@ >404 lelong 20 ColorSpace=AdobeRGB # Cups Raster image format, Big Endian -0 string RaS +0 string RaS >3 string t Cups Raster version 1, Big Endian >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian 
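Review bot: The WDFv1 Wii test reads the magic at `0x58`, which does not line up with the other containers on this page: each of them checks the Wii magic at base+0x18 (WBFS `0x218` with base `0x200`, CISO `0x8018` with base `0x8000`, WDFv2 `(12.L+0x18)` with base `(12.L)`), and the GameCube magic at base+0x1C. With the WDFv1 base at `0x38` the Wii magic would be expected at `0x50`, so `>>0x58 belong 0x5D1C9EA3` probably never matches a Wii image. I would change it to `>>0x50 belong 0x5D1C9EA3` unless the WDFv1 header is known to lay this out differently.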
@@ -48,7 +48,7 @@ # Cups Raster image format, Little Endian -1 string SaR +1 string SaR >0 string t Cups Raster version 1, Little Endian >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian diff --git a/contrib/file/magic/Magdir/database b/contrib/file/magic/Magdir/database index 15f94b1..a0300ae 100644 --- a/contrib/file/magic/Magdir/database +++ b/contrib/file/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.49 2016/06/11 17:01:51 christos Exp $ +# $File: database,v 1.52 2017/08/13 00:21:47 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -84,7 +84,7 @@ # From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) -12 belong 0x00040988 Berkeley DB +12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian) @@ -103,7 +103,7 @@ >>>12 long !0 32bit aligned >>>>12 bedouble 8.642135e+130 big-endian >>>>>20 long 0 64bit long ->>>>>20 long !0 32bit long +>>>>>20 long !0 32bit long >>>>12 ledouble 8.642135e+130 little-endian >>>>>24 long 0 64bit long >>>>>24 long !0 32bit long (i386) 
@@ -128,22 +128,22 @@ # XXX: Weak magic. # Alex Ott <ott@jet.msk.su> ## Paradox file formats -#2 leshort 0x0800 Paradox -#>0x39 byte 3 v. 3.0 -#>0x39 byte 4 v. 3.5 -#>0x39 byte 9 v. 4.x -#>0x39 byte 10 v. 5.x -#>0x39 byte 11 v. 5.x -#>0x39 byte 12 v. 7.x -#>>0x04 byte 0 indexed .DB data file -#>>0x04 byte 1 primary index .PX file -#>>0x04 byte 2 non-indexed .DB data file -#>>0x04 byte 3 non-incrementing secondary index .Xnn file -#>>0x04 byte 4 secondary index .Ynn file -#>>0x04 byte 5 incrementing secondary index .Xnn file -#>>0x04 byte 6 non-incrementing secondary index .XGn file -#>>0x04 byte 7 secondary index .YGn file -#>>>0x04 byte 8 incrementing secondary index .XGn file +#2 leshort 0x0800 Paradox +#>0x39 byte 3 v. 3.0 +#>0x39 byte 4 v. 3.5 +#>0x39 byte 9 v. 4.x +#>0x39 byte 10 v. 5.x +#>0x39 byte 11 v. 5.x +#>0x39 byte 12 v. 7.x +#>>0x04 byte 0 indexed .DB data file +#>>0x04 byte 1 primary index .PX file +#>>0x04 byte 2 non-indexed .DB data file +#>>0x04 byte 3 non-incrementing secondary index .Xnn file +#>>0x04 byte 4 secondary index .Ynn file +#>>0x04 byte 5 incrementing secondary index .Xnn file +#>>0x04 byte 6 non-incrementing secondary index .XGn file +#>>0x04 byte 7 secondary index .YGn file +#>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files # updated by Joerg Jenderek at Feb 2013 
@@ -151,33 +151,33 @@ # http://www.clicketyclick.dk/databases/xbase/format/dbf.html # http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 -0 ubelong&0x0000FFFF <0x00000C20 +0 ubelong&0x0000FFFF <0x00000C20 # skip Infocom game Z-machine ->2 ubyte >0 +>2 ubyte >0 # skip Androids *.xml ->>3 ubyte >0 ->>>3 ubyte <32 +>>3 ubyte >0 +>>>3 ubyte <32 # 1 < version VV ->>>>0 ubyte >1 +>>>>0 ubyte >1 # skip HELP.CA3 by test for reserved byte ( NULL ) ->>>>>27 ubyte 0 +>>>>>27 ubyte 0 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) #>>>>>30 ubeshort x 30NULL?%x -# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) ->>>>>>24 ubelong&0xffFFFFff >0x01302000 +# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>24 ubelong&0xffFFFFff >0x01302000 # .DBF or .MDX ->>>>>>24 ubelong&0xffFFFFff <0x01302001 +>>>>>>24 ubelong&0xffFFFFff <0x01302001 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user ->>>>>>>24 ubelong&0xffFFFFff =0 +>>>>>>>24 ubelong&0xffFFFFff =0 # test for 2 reserved NULL bytes,transaction and encryption byte flag ->>>>>>>>12 ubelong&0xFFFFfEfE 0 +>>>>>>>>12 ubelong&0xFFFFfEfE 0 # test for MDX flag ->>>>>>>>>28 ubyte x ->>>>>>>>>28 ubyte&0xf8 0 +>>>>>>>>>28 ubyte x +>>>>>>>>>28 ubyte&0xf8 0 # header size >= 32 ->>>>>>>>>>8 uleshort >31 +>>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name ->>>>>>>>>>>32 ubyte >0 +>>>>>>>>>>>32 ubyte >0 #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type 
@@ -202,22 +202,22 @@ >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT >>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size ->>>>>>>>>>>>8 uleshort >0 ->>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>8 uleshort >0 +>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d ->>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>>&-1 string >\0 1st record "%s" -# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) ->>>>>>>24 ubelong&0x0133f7ff >0 +# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte ->>>>>>>>47 ubyte 0 +>>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) ->>>>>>>>>559 ubyte&0xeF 0 +>>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 ->>>>>>>>>>45 ubeshort <0x0C20 ->>>>>>>>>>>45 ubyte >0 ->>>>>>>>>>>>46 ubyte <32 ->>>>>>>>>>>>>46 ubyte >0 +>>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx >>>>>>>>>>>>>>0 use xbase-type >>>>>>>>>>>>>>0 ubyte x \b MDX @@ -236,11 +236,11 @@ # 2nd tag name #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # -# Print the xBase names of different version variants +# Print the xBase names of different version variants 0 name xbase-type ->0 ubyte <2 +>0 ubyte <2 # 1 < version ->0 ubyte >1 +>0 ubyte >1 >>0 ubyte 0x02 FoxBase # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III @@ -293,7 +293,7 @@ # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf -# HiPer-Six format;Clipper SIX, with SMT memo file +# HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx 
@@ -318,12 +318,12 @@ # test and print the date of xBase .DBF .MDX 0 name xbase-date # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 ->0 ubelong x ->1 ubyte <13 ->>1 ubyte >0 ->>>2 ubyte >0 ->>>>2 ubyte <32 ->>>>>0 ubyte x +>0 ubelong x +>1 ubyte <13 +>>1 ubyte >0 +>>>2 ubyte >0 +>>>>2 ubyte <32 +>>>>>0 ubyte x # YY is interpreted as 20YY or 19YY >>>>>>0 ubyte <100 \b %.2d # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY 
@@ -333,56 +333,56 @@ # dBase memo files .DBT or .FPT # http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx -16 ubyte <4 ->16 ubyte !2 ->>16 ubyte !1 +16 ubyte <4 +>16 ubyte !2 +>>16 ubyte !1 # next free block index is positive ->>>0 ulelong >0 +>>>0 ulelong >0 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size ->>>>17 ubelong&0xFFfdFE00 0x00000000 +>>>>17 ubelong&0xFFfdFE00 0x00000000 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h ->>>>>20 ubelong&0xFF01209B 0x00000000 +>>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III ->>>>>>16 ubyte 3 +>>>>>>16 ubyte 3 # dBASE III DBT >>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage ->>>>>>16 ubyte 0 +>>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF ->>>>>>>20 uleshort 0 +>>>>>>>20 uleshort 0 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage ->>>>>>>>8 ulong =0 ->>>>>>>>>6 ubeshort >0 +>>>>>>>>8 ulong =0 +>>>>>>>>>6 ubeshort >0 # skip emacs.PIF ->>>>>>>>>>4 ushort 0 +>>>>>>>>>>4 ushort 0 >>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage ->>>>>>>>>6 ubeshort 0 +>>>>>>>>>6 ubeshort 0 # skip MM*DD*.bin by test for for reserved NULL byte ->>>>>>>>>>510 ubeshort 0 +>>>>>>>>>>510 ubeshort 0 # skip TK-DOS11.img image by looking for memo text ->>>>>>>>>>>512 ubelong <0xfeffff03 +>>>>>>>>>>>512 ubelong <0xfeffff03 # skip EFI executables by looking for memo text ->>>>>>>>>>>>512 ubelong >0x1F202020 ->>>>>>>>>>>>>513 ubyte >0 +>>>>>>>>>>>>512 ubelong >0x1F202020 +>>>>>>>>>>>>>513 ubyte >0 # unusual dBASE III DBT like adressen.dbt >>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF ->>>>>>>>8 ubelong !0 +>>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes ->>>>>>>>>510 ubeshort 0 +>>>>>>>>>510 ubeshort 0 # skip 
some DBF by test of invalid version ->>>>>>>>>>0 ubyte >5 ->>>>>>>>>>>0 ubyte <48 +>>>>>>>>>>0 ubyte >5 +>>>>>>>>>>>0 ubyte <48 >>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size ->>>>>>>20 uleshort >0 -# dBASE IV DBT with valid block length like 512, 1024 +>>>>>>>20 uleshort >0 +# dBASE IV DBT with valid block length like 512, 1024 # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero ->>>>>>>>20 uleshort&0x800f 0 +>>>>>>>>20 uleshort&0x800f 0 >>>>>>>>>0 use dbase4-memo-print -# Print the information of dBase III DBT memo file +# Print the information of dBase III DBT memo file 0 name dbase3-memo-print >0 ubyte x dBase III DBT # instead 3 as version number 0 for unusual examples like biblio.dbt 
@@ -395,45 +395,45 @@ >20 uleshort !0 \b, block length %u # dBase III memo field terminated by \032\032 >512 string >\0 \b, 1st item "%s" -# Print the information of dBase IV DBT memo file +# Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt # 8 character shorted main name of coresponding dBASE IV DBF file ->8 ubelong >0x20000000 +>8 ubelong >0x20000000 # skip unusual like for angest.dbt ->>20 uleshort >0 +>>20 uleshort >0 >>>8 string >\0 \b of %-.8s.DBF # value 0 implies 512 as size #>4 ulelong =0 \b, blocks size %u # size of blocks not reliable like 0x2020204C in angest.dbt ->4 ulelong !0 +>4 ulelong !0 >>4 ulelong&0x0000003f 0 \b, blocks size %u # dBase IV DBT with positive block length (found 512 , 1024) >20 uleshort >0 \b, block length %u # next available block #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u ->20 uleshort >0 ->>(20.s) ubelong x +>20 uleshort >0 +>>(20.s) ubelong x >>>&-4 use dbase4-memofield-print # unusual dBase IV DBT without block length (implies 512 as length) ->20 uleshort =0 ->>512 ubelong x +>20 uleshort =0 +>>512 ubelong x >>>&-4 use dbase4-memofield-print -# Print the information of dBase IV memo field +# Print the information of dBase IV memo field 0 name dbase4-memofield-print # free dBase IV memo field ->0 ubelong !0xFFFF0800 +>0 ubelong !0xFFFF0800 >>0 lelong x \b, next free block %u >>4 lelong x \b, next used block %u # used dBase IV memo field ->0 ubelong =0xFFFF0800 +>0 ubelong =0xFFFF0800 # length of memo field >>4 lelong x \b, field length %d >>>8 string >\0 \b, 1st used item "%s" -# Print the information of FoxPro FPT memo file +# Print the information of FoxPro FPT memo file 0 name foxpro-memo-print >0 belong x FoxPro FPT # Size of blocks for FoxPro ( 64,256 ) 
@@ -441,14 +441,14 @@ # next available block #>0 belong =0 \b, next free block index %u >0 belong !0 \b, next free block index %u -# field type ( 0~picture, 1~memo, 2~object ) +# field type ( 0~picture, 1~memo, 2~object ) >512 ubelong <3 \b, field type %u # length of memo field ->512 ubelong 1 +>512 ubelong 1 >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s" -# TODO: +# TODO: # DBASE index file *.NDX # DBASE Compound Index file *.CDX # dBASE IV Printer Driver *.PRF @@ -465,9 +465,9 @@ # Reference: https://github.com/libyal/libesedb/archive/master.zip # libesedb-master/documentation/ # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc -# Note: also known as "JET Blue". Used by numerous Windows components such as +# Note: also known as "JET Blue". Used by numerous Windows components such as # Windows Search, Mail, Exchange and Active Directory. -4 ubelong 0xefcdab89 +4 ubelong 0xefcdab89 # unknown1 >132 ubelong 0 Extensible storage engine !:mime application/x-ms-ese @@ -497,8 +497,8 @@ # From: Joerg Jenderek # URL: http://forensicswiki.org/wiki/Windows_Application_Compatibility # Note: files contain application compatibility fixes, application compatibility modes and application help messages. -8 string sdbf ->7 ubyte 0 +8 string sdbf +>7 ubyte 0 # TAG_TYPE_LIST+TAG_INDEXES >>12 uleshort 0x7802 Windows application compatibility Shim DataBase # version? 2 3 @@ -600,10 +600,10 @@ # Reference: http://www.provue.com/Panorama/ # From: Joerg Jenderek # NOTE: test only versions 4 and 6.0 with Windows -# length of Panorama database name -5 ubyte >0 +# length of Panorama database name +5 ubyte >0 # look after database name for "some" null bits ->(5.B+7) ubelong&0xF3ffF000 0 +>(5.B+7) ubelong&0xF3ffF000 0 # look for first keyword >>&1 search/2 DESIGN Panorama database #!:mime application/x-panorama-database 
@@ -622,3 +622,13 @@ # MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de> 0 string MBSTV\040 MUIbase DB >6 string x version %s + +# +# CDB database +0 string NBCDB\012 NetBSD Constant Database +>7 byte x \b, version %d +>8 string x \b, for '%s' +>24 lelong x \b, datasize %d +>28 lelong x \b, entries %d +>32 lelong x \b, index %d +>36 lelong x \b, seed %#x diff --git a/contrib/file/magic/Magdir/der b/contrib/file/magic/Magdir/der index abfbf9b..9c25f00 100644 --- a/contrib/file/magic/Magdir/der +++ b/contrib/file/magic/Magdir/der @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.1 2016/01/19 15:07:45 christos Exp $ +# $File: der,v 1.2 2017/03/17 21:35:28 christos Exp $ # der: file(1) magic for DER encoded files # @@ -32,37 +32,37 @@ # Key Pairs 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int65=x >&0 der int3=010001 DER Encoded Key Pair, 512 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int129=x >&0 der int3=010001 DER Encoded Key Pair, 1024 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int257=x >&0 der int3=010001 DER Encoded Key Pair, 2048 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int513=x >&0 der int3=010001 DER Encoded Key Pair, 4096 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int1025=x >&0 der int3=010001 DER Encoded Key Pair, 8192 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int2049=x >&0 der int3=010001 DER Encoded Key Pair, 16k bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int4097=x >&0 der int3=010001 DER Encoded Key Pair, 32k bits diff --git a/contrib/file/magic/Magdir/diff b/contrib/file/magic/Magdir/diff index 5924380..cd530d3 100644 --- a/contrib/file/magic/Magdir/diff +++ b/contrib/file/magic/Magdir/diff 
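Review bot: In the new NetBSD CDB entry, `>8 string x \b, for '%s'` prints the description with an unbounded `%s`, although the next field is read at offset 24, which suggests the description sits in a fixed 16-byte slot. If a file fills that slot without a terminating NUL, the printed text would run on into the datasize bytes. I would bound it as `>8 string x \b, for '%.16s'`, in line with the `%-.8s` already used for the dBASE IV name earlier in this file. The top-level test `0 string NBCDB\012` also matches only offsets 0-5 while the version is read at offset 7; if offset 6 is a fixed byte in the format (not shown here), adding it to the match would make the signature stricter.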
@@ -1,15 +1,15 @@ #------------------------------------------------------------------------------ -# $File: diff,v 1.14 2012/09/16 23:08:54 christos Exp $ +# $File: diff,v 1.16 2017/03/17 22:20:22 christos Exp $ # diff: file(1) magic for diff(1) output # -0 search/1 diff\ diff output text +0 search/1 diff\040 diff output text !:mime text/x-diff -0 search/1 ***\ diff output text +0 search/1 ***\040 diff output text !:mime text/x-diff -0 search/1 Only\ in\ diff output text +0 search/1 Only\040in\040 diff output text !:mime text/x-diff -0 search/1 Common\ subdirectories:\ diff output text +0 search/1 Common\040subdirectories:\040 diff output text !:mime text/x-diff 0 search/1 Index: RCS/CVS diff output text @@ -20,9 +20,9 @@ # unified diff -0 search/4096 ---\ +0 search/4096 ---\040 >&0 search/1024 \n ->>&0 search/1 +++\ +>>&0 search/1 +++\040 >>>&0 search/1024 \n >>>>&0 search/1 @@ unified diff output text !:mime text/x-diff diff --git a/contrib/file/magic/Magdir/dolby b/contrib/file/magic/Magdir/dolby index 573398f..8034edd 100644 --- a/contrib/file/magic/Magdir/dolby +++ b/contrib/file/magic/Magdir/dolby @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dolby,v 1.7 2014/01/08 22:37:23 christos Exp $ +# $File: dolby,v 1.8 2017/03/17 21:35:28 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital <ashitaka@gmx.at> # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! @@ -23,7 +23,7 @@ >5 byte&0x07 = 0x04 \b, dialogue (D) >5 byte&0x07 = 0x05 \b, commentary (C) >5 byte&0x07 = 0x06 \b, emergency (E) ->5 beshort&0x07e0 0x0720 \b, voiceover (VO) +>5 beshort&0x07e0 0x0720 \b, voiceover (VO) >5 beshort&0x07e0 >0x0720 \b, karaoke # acmod >6 byte&0xe0 = 0x00 1+1 front, diff --git a/contrib/file/magic/Magdir/dump b/contrib/file/magic/Magdir/dump index 1a20ace..73de3dc 100644 --- a/contrib/file/magic/Magdir/dump +++ b/contrib/file/magic/Magdir/dump 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dump,v 1.13 2014/04/30 21:41:02 christos Exp $ +# $File: dump,v 1.16 2017/07/22 19:21:02 christos Exp $ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. @@ -62,23 +62,25 @@ >824 string >\0 Host %s, >888 belong >0 Flags %x -24 belong 60012 new-fs dump file (big endian), +24 belong 60012 new-fs dump file (big endian), >0 use new-dump-be -24 belong 60011 old-fs dump file (big endian), +24 belong 60011 old-fs dump file (big endian), >0 use old-dump-be -24 lelong 60012 new-fs dump file (little endian), +24 lelong 60012 new-fs dump file (little endian), +# to correctly recognize '*.mo' GNU message catalog (little endian) +!:strength - 15 >0 use \^new-dump-be -24 lelong 60011 old-fs dump file (little endian), +24 lelong 60011 old-fs dump file (little endian), >0 use \^old-dump-be -24 belong 0x19540119 new-fs dump file (ufs2, big endian), +24 belong 0x19540119 new-fs dump file (ufs2, big endian), >0 use ufs2-dump-be -24 lelong 0x19540119 new-fs dump file (ufs2, little endian), +24 lelong 0x19540119 new-fs dump file (ufs2, little endian), >0 use \^ufs2-dump-be 18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), diff --git a/contrib/file/magic/Magdir/dyadic b/contrib/file/magic/Magdir/dyadic index ab73465..185970e 100644 --- a/contrib/file/magic/Magdir/dyadic +++ b/contrib/file/magic/Magdir/dyadic @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dyadic,v 1.7 2015/05/27 18:02:48 christos Exp $ +# $File: dyadic,v 1.8 2017/03/17 21:35:28 christos Exp $ # Dyadic: file(1) magic for Dyalog APL. # # updated by Joerg Jenderek at Oct 2013 
@@ -10,9 +10,9 @@ # .DIN Dyalog APL Input Table # .DOT Dyalog APL Output Table # .DFT Dyalog APL Format File -0 ubeshort&0xFF60 0xaa00 +0 ubeshort&0xFF60 0xaa00 # skip biblio.dbt ->1 byte !4 +>1 byte !4 # real Dyalog APL have non zero version numbers like 7.3 or 13.4 >>2 ubeshort >0x0000 Dyalog APL >>>1 byte 0x00 aplcore diff --git a/contrib/file/magic/Magdir/editors b/contrib/file/magic/Magdir/editors index fa6cbc6..78f3a84 100644 --- a/contrib/file/magic/Magdir/editors +++ b/contrib/file/magic/Magdir/editors @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: editors,v 1.10 2016/07/18 17:44:49 christos Exp $ -# T602 editor documents +# $File: editors,v 1.11 2017/03/17 21:35:28 christos Exp $ +# T602 editor documents # by David Necas <yeti@physics.muni.cz> 0 string @CT\ T602 document data, >4 string 0 Kamenicky @@ -9,7 +9,7 @@ >4 string 2 KOI8-CS >4 string >2 unknown encoding -# Vi IMproved Encrypted file +# Vi IMproved Encrypted file # by David Necas <yeti@physics.muni.cz> 0 string VimCrypt~ Vim encrypted file data diff --git a/contrib/file/magic/Magdir/filesystems b/contrib/file/magic/Magdir/filesystems index b7c6e5b..48b74e0 100644 --- a/contrib/file/magic/Magdir/filesystems +++ b/contrib/file/magic/Magdir/filesystems @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.114 2016/09/05 08:34:25 christos Exp $ +# $File: filesystems,v 1.122 2017/07/21 10:34:41 christos Exp $ # filesystems: file(1) magic for different filesystems # -0 name partid +0 name partid >0 ubyte 0x00 Unused >0 ubyte 0x01 12-bit FAT >0 ubyte 0x02 XENIX / 
@@ -187,7 +187,7 @@ 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: -0774 beshort 0xdabe +0774 beshort 0xdabe # modified by Joerg Jenderek, because original test # succeeds for Cabinet archive dao360.dl_ with negative blocks >0770 long >0 Sun disk label 
@@ -213,50 +213,50 @@ # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file >9 string x \b, version %-5.5s ->>14 string =_ +>>14 string =_ >>>15 string x %-.1s >>>>16 string =_ \b. >>>>>17 string x \b%-.1s >>>>>>18 string =_ \b. >>>>>>>19 string x \b%-.1s ->>>22 ubyte 0 +>>>22 ubyte 0 >>>>21 ubyte x \b, from drive 0x%x ->>>22 ubyte >0 +>>>22 ubyte >0 >>>>21 string x \b, from drive %s ->>>535 search/17 \x55\xAA ->>>>&-512 indirect x \b; contains +>>>535 search/17 \x55\xAA +>>>>&-512 indirect x \b; contains # updated by Joerg Jenderek at Nov 2012 # DOS Emulator image is 128 byte, null right padded header + harddisc image -0 string DOSEMU\0 ->0x27E leshort 0xAA55 +0 string DOSEMU\0 +>0x27E leshort 0xAA55 #offset is 128 ->>19 ubyte 128 +>>19 ubyte 128 >>>(19.b-1) ubyte 0x0 DOS Emulator image >>>>7 ulelong >0 \b, %u heads >>>>11 ulelong >0 \b, %d sectors/track >>>>15 ulelong >0 \b, %d cylinders ->>>>128 indirect x \b; contains +>>>>128 indirect x \b; contains # added by Joerg Jenderek at Nov 2012 # http://www.thenakedpc.com/articles/v04/08/0408-05.html # Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data 0 string PNCIHISK\0 Norton Utilities disc image data # real x86 boot sector with jump instruction ->509 search/1026 \x55\xAA\xeb ->>&-1 indirect x \b; contains +>509 search/1026 \x55\xAA\xeb +>>&-1 indirect x \b; contains # http://file-extension.net/seeker/file_extension_dat 0 string PNCIUNDO Norton Disk Doctor UnDo file # # DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 # for any allowed sector sizes -30 search/481 \x55\xAA +30 search/481 \x55\xAA # to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) # DOS BPB information (70) and after DOS floppy (120) like in previous file version !:strength +65 # for sector sizes < 512 Bytes 
->11 uleshort <512 +>11 uleshort <512 >>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector # for sector sizes with 512 or more Bytes >0x1FE leshort 0xAA55 DOS/MBR boot sector @@ -270,18 +270,18 @@ >2 string OSBS OS/BS MBR # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ # and http://en.wikipedia.org/wiki/Master_Boot_Record -# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by +# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by # characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00 >0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR # Microsoft Windows 95A and early ( http://thestarman.pcministry.com/asm/mbr/STDMBR.htm ) # assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld ->>8 ubequad 0x8bf45007501ffbfc +>>8 ubequad 0x8bf45007501ffbfc # http://thestarman.pcministry.com/asm/mbr/200MBR.htm >>>0x16 ubyte 0xF3 \b,DOS 2 >>>>219 regex Author\ -\ Author: # found "David Litton" , "A Pehrsson " >>>>>&0 string x "%s" ->>>0x16 ubyte 0xF2 +>>>0x16 ubyte 0xF2 # NEC MS-DOS 3.30 Rev. 3 . See http://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm # assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz >>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3 @@ -316,7 +316,7 @@ >>>>>>(0x79.b) string >\0 "%s" # Microsoft Windows 95B to XP (http://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) # assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b ->>8 ubequad 0x5007501ffcbe1b7c +>>8 ubequad 0x5007501ffcbe1b7c # assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbebe07b104 9M # "Invalid partition table" nn=0x10F for english version 
@@ -361,7 +361,7 @@ >>>>(0x1b7.b+0x100) string >\0 "%s" # Microsoft Windows Vista or 7 # assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00 ->>8 ubequad 0xc08ed8be007cbf00 +>>8 ubequad 0xc08ed8be007cbf00 # Microsoft Windows Vista (http://thestarman.pcministry.com/asm/mbr/VistaMBR.htm) # assembler instructions: jnz 0729;cmp ebx,"TCPA" >>>0xEC ubequad 0x753b6681fb544350 Vista 
@@ -402,38 +402,38 @@ # http://en.wikipedia.org/wiki/MBR_disk_signature#ID >>0x1b8 ulelong >0 \b, disk signature 0x%-.4x # driveID/timestamp for Win 95B,98,98SE and ME. See http://thestarman.pcministry.com/asm/mbr/mystery.htm ->>0xDA uleshort 0 +>>0xDA uleshort 0 >>>0xDC ulelong >0 \b, created # physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive >>>>0xDC ubyte x with driveID 0x%x -# hours, minutes and seconds +# hours, minutes and seconds >>>>0xDf ubyte x at %x >>>>0xDe ubyte x \b:%x >>>>0xDd ubyte x \b:%x # special case for Microsoft MS-DOS 3.21 spanish -# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov ->0 ubequad 0xfab830008ed0bc00 -# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov +# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov +>0 ubequad 0xfab830008ed0bc00 +# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov >>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish # Microsoft MBR IPL end # dr-dos with some upper-, lowercase variants ->0x9D string Invalid\ partition\ table$ ->>181 string No\ Operating\ System$ +>0x9D string Invalid\ partition\ table$ +>>181 string No\ Operating\ System$ >>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 ->0x9D string Invalid\ partition\ table$ ->>181 string No\ operating\ system$ +>0x9D string Invalid\ partition\ table$ +>>181 string No\ operating\ system$ >>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 ->342 string Invalid\ partition\ table$ ->>366 string No\ operating\ system$ +>342 string Invalid\ partition\ table$ +>>366 string No\ operating\ system$ >>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 ->295 string NEWLDR\0 ->>302 string Bad\ PT\ $ ->>>310 string No\ OS\ $ ->>>>317 string OS\ load\ err$ ->>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r ->>>>>>358 string Press\ any\ key\ to\ 
continue.\n\r$ ->>>>>>>387 string Copyright\ (c)\ 1984,1998 +>295 string NEWLDR\0 +>>302 string Bad\ PT\ $ +>>>310 string No\ OS\ $ +>>>>317 string OS\ load\ err$ +>>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r +>>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ +>>>>>>>387 string Copyright\ (c)\ 1984,1998 >>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) # # tests for different MS-DOS Master Boot Records (MBR) moved and merged @@ -441,15 +441,15 @@ #>0x145 string Default:\ F \b, FREE-DOS MBR #>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR >0x145 search/7 Default:\ F \b, FREE-DOS MBR -#>>313 string F0\ .\ .\ . -#>>>322 string disk\ 1 -#>>>>382 string FAT3 ->64 string no\ active\ partition\ found +#>>313 string F0\ .\ .\ . +#>>>322 string disk\ 1 +#>>>>382 string FAT3 +>64 string no\ active\ partition\ found >>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR # Ranish Partition Manager http://www.ranish.com/part/ ->387 search/4 \0\ Error!\r ->>378 search/7 Virus! ->>>397 search/4 Booting\ +>387 search/4 \0\ Error!\r +>>378 search/7 Virus! +>>>397 search/4 Booting\040 >>>>408 search/4 HD1/\0 \b, Ranish MBR ( >>>>>416 string Writing\ changes... \b2.37 >>>>>>438 ubyte x \b,0x%x dots 
@@ -466,23 +466,23 @@ # # SYSLINUX MBR moved # http://www.acronis.de/ ->362 string MBR\ Error\ \0\r ->>376 string ress\ any\ key\ to\ +>362 string MBR\ Error\ \0\r +>>376 string ress\ any\ key\ to\040 >>>392 string boot\ from\ floppy...\0 \b, Acronis MBR # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ ->309 string No\ bootable\ partition\ found\r +>309 string No\ bootable\ partition\ found\r >>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR ->349 string No\ bootable\ partition\ found\r +>349 string No\ bootable\ partition\ found\r >>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR # bootloader, bootmanager ->0x40 string SBML +>0x40 string SBML # label with 11 characters of FAT 12 bit filesystem ->>43 string SMART\ BTMGR +>>43 string SMART\ BTMGR >>>430 string SBMK\ Bad!\r \b, Smart Boot Manager # OEM-ID not always "SBM" -#>>>>3 strings SBM +#>>>>3 strings SBM >>>>6 string >\0 \b, version %s >382 string XOSLLOADXCF \b, eXtended Operating System Loader >6 string LILO \b, LInux i386 boot LOader @@ -492,11 +492,11 @@ # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders ->342 search/60 \0Geom\0 +>342 search/60 \0Geom\0 #>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 ->>0x41 ubyte <2 +>>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader -# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 +# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 >>>>0x3E ubyte x \b, stage1 version 0x%x #If it is 0xFF, use a drive passed by BIOS >>>>0x40 ubyte <0xFF \b, boot drive 0x%x 
@@ -521,497 +521,497 @@ >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 # unknown version ->>>343 string Geom\0Read\0\ Error\0 +>>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>374 string GRUB\ \0 \b, GRUB version n.m # SYSLINUX bootloader moved >395 string chksum\0\ ERROR!\0 \b, Gujin bootloader # http://www.bcdwb.de/bcdw/index_e.htm ->3 string BCDL +>3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) # mbr partition table entries updated by Joerg Jenderek at Sep 2013 # skip Norton Utilities disc image data ->3 string !IHISK +>3 string !IHISK # skip Linux style boot sector starting with assember instructions mov 0x7c0,ax; ->>0 belong !0xb8c0078e -# not Linux kernel ->>>514 string !HdrS +>>0 belong !0xb8c0078e +# not Linux kernel +>>>514 string !HdrS # not BeOS ->>>>422 string !Be\ Boot\ Loader -# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr ->>>>>0 ubelong&0xFD000000 =0xE9000000 +>>>>422 string !Be\ Boot\ Loader +# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr +>>>>>0 ubelong&0xFD000000 =0xE9000000 # AdvanceMAME mbr ->>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e +>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e >>>>>>>446 use partition-table # mbr, Norton Utilities disc image data, or 2nd,etc. 
sector of x86 bootloader ->>>>>0 ubelong&0xFD000000 !0xE9000000 +>>>>>0 ubelong&0xFD000000 !0xE9000000 # skip FSInfosector ->>>>>>0 string !RRaA +>>>>>>0 string !RRaA # skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, # http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm ->>>>>>>0 ubequad !0xfa660fb64610668b +>>>>>>>0 ubequad !0xfa660fb64610668b # skip 13rd sector of MS x86 bootloader ->>>>>>>>0 ubequad !0x660fb64610668b4e +>>>>>>>>0 ubequad !0x660fb64610668b4e # skip sector starting with DOS new line ->>>>>>>>>0 string !\r\n +>>>>>>>>>0 string !\r\n # allowed active flag 0,80h-FFh ->>>>>>>>>>446 ubyte 0 +>>>>>>>>>>446 ubyte 0 >>>>>>>>>>>446 use partition-table ->>>>>>>>>>446 ubyte >0x7F +>>>>>>>>>>446 ubyte >0x7F >>>>>>>>>>>446 use partition-table # TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries # mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 ->442 string Non-system\ disk,\ +>442 string Non-system\ disk,\040 >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader # updated by Joerg Jenderek at Nov 2012, Sep 2013 # DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes # display 1 space ->>>447 ubyte x \b +>>>447 ubyte x \b >>>477 use DOS-filename # ->185 string FDBOOT\ Version\ ->>204 string \rNo\ Systemdisk.\ ->>>220 string Booting\ from\ harddisk.\n\r ->>>245 string Cannot\ load\ from\ harddisk.\n\r ->>>>273 string Insert\ Systemdisk\ +>185 string FDBOOT\ Version\040 +>>204 string \rNo\ Systemdisk.\040 +>>>220 string Booting\ from\ harddisk.\n\r +>>>245 string Cannot\ load\ from\ harddisk.\n\r +>>>>273 string Insert\ Systemdisk\040 >>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string >\0 \b, version %-3s ->242 string Bootsector\ from\ C.H.\ Hochst\204 +>242 string Bootsector\ from\ C.H.\ Hochst\204 # http://freecode.com/projects/dosfstools 
dosfstools-n.m/src/mkdosfs.c # updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string # skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut ->242 search/127 Bootsector\ from\ C.H.\ Hochst ->>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk +>242 search/127 Bootsector\ from\ C.H.\ Hochst +>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk # followed by variants with point,CR-NL or NL-CR ->>>208 search/261 Cannot\ load\ from\ harddisk. +>>>208 search/261 Cannot\ load\ from\ harddisk. # followed by variants CR-NL or NL-CR ->>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. +>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. # followed by variants with point,CR-NL or NL-CR >>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader # followed by string like "6.50 (c) 1993-2004 Gilles Vollant" >>>>>>&0 string x \b, version %-4.4s ->(1.b+2) ubyte 0xe ->>(1.b+3) ubyte 0x1f ->>>(1.b+4) ubyte 0xbe +>(1.b+2) ubyte 0xe +>>(1.b+3) ubyte 0x1f +>>>(1.b+4) ubyte 0xbe # message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others ->>>>(1.b+5) ubyte&0xd3 0x53 ->>>>>(1.b+6) ubyte 0x7c +>>>>(1.b+5) ubyte&0xd3 0x53 +>>>>>(1.b+6) ubyte 0x7c # assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah, ->>>>>>(1.b+7) ubyte 0xac ->>>>>>>(1.b+8) ubyte 0x22 ->>>>>>>>(1.b+9) ubyte 0xc0 ->>>>>>>>>(1.b+10) ubyte 0x74 ->>>>>>>>>>(1.b+11) ubyte 0x0b ->>>>>>>>>>>(1.b+12) ubyte 0x56 +>>>>>>(1.b+7) ubyte 0xac +>>>>>>>(1.b+8) ubyte 0x22 +>>>>>>>>(1.b+9) ubyte 0xc0 +>>>>>>>>>(1.b+10) ubyte 0x74 +>>>>>>>>>>(1.b+11) ubyte 0x0b +>>>>>>>>>>>(1.b+12) ubyte 0x56 >>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display # FAT1X version ->>>>>>>>>>>>>(1.b+5) ubyte 0x5b +>>>>>>>>>>>>>(1.b+5) ubyte 0x5b >>>>>>>>>>>>>>0x5b string >\0 "%-s" # FAT32 version ->>>>>>>>>>>>>(1.b+5) ubyte 0x77 +>>>>>>>>>>>>>(1.b+5) ubyte 0x77 >>>>>>>>>>>>>>0x77 string >\0 "%-s" >214 string 
Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display -#>>244 string from\ dosemu-freedos-*-bin.tgz\r -#>>>170 string Sorry,\ could\ not\ load\ an\ -#>>>>195 string operating\ system.\r\n +#>>244 string from\ dosemu-freedos-*-bin.tgz\r +#>>>170 string Sorry,\ could\ not\ load\ an\040 +#>>>>195 string operating\ system.\r\n # ->103 string This\ is\ not\ a\ bootable\ disk.\ ->>132 string Please\ insert\ a\ bootable\ ->>>157 string floppy\ and\r\n +>103 string This\ is\ not\ a\ bootable\ disk.\040 +>>132 string Please\ insert\ a\ bootable\040 +>>>157 string floppy\ and\r\n >>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display # ->66 string Solaris\ Boot\ Sector ->>99 string Incomplete\ MDBoot\ load. +>66 string Solaris\ Boot\ Sector +>>99 string Incomplete\ MDBoot\ load. >>>89 string Version \b, Sun Solaris Bootloader >>>>97 byte x version %c # ->408 string OS/2\ !!\ SYS01475\r\0 ->>429 string OS/2\ !!\ SYS02025\r\0 ->>>450 string OS/2\ !!\ SYS02027\r\0 +>408 string OS/2\ !!\ SYS01475\r\0 +>>429 string OS/2\ !!\ SYS02025\r\0 +>>>450 string OS/2\ !!\ SYS02027\r\0 >>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader # ->409 string OS/2\ !!\ SYS01475\r\0 ->>430 string OS/2\ !!\ SYS02025\r\0 ->>>451 string OS/2\ !!\ SYS02027\r\0 +>409 string OS/2\ !!\ SYS01475\r\0 +>>430 string OS/2\ !!\ SYS02025\r\0 +>>>451 string OS/2\ !!\ SYS02027\r\0 >>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader ->112 string This\ disk\ is\ not\ bootable\r ->>142 string If\ you\ wish\ to\ make\ it\ bootable ->>>176 string run\ the\ DOS\ program\ SYS\ ->>>200 string after\ the\r ->>>>216 string system\ has\ been\ loaded\r\n ->>>>>242 string Please\ insert\ a\ DOS\ diskette\ ->>>>>271 string into\r\n\ the\ drive\ and\ +>112 string This\ disk\ is\ not\ bootable\r +>>142 string If\ you\ wish\ to\ make\ it\ bootable +>>>176 string run\ the\ DOS\ program\ SYS\040 +>>>200 string after\ the\r +>>>>216 string system\ has\ been\ loaded\r\n +>>>>>242 
string Please\ insert\ a\ DOS\ diskette\040 +>>>>>271 string into\r\n\ the\ drive\ and\040 >>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display # XP ->430 string NTLDR\ is\ missing\xFF\r\n ->>449 string Disk\ error\xFF\r\n +>430 string NTLDR\ is\ missing\xFF\r\n +>>449 string Disk\ error\xFF\r\n >>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader # DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # ->430 string NTLDR\ nicht\ gefunden\xFF\r\n ->>453 string Datentr\204gerfehler\xFF\r\n +>430 string NTLDR\ nicht\ gefunden\xFF\r\n +>>453 string Datentr\204gerfehler\xFF\r\n >>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # offset variant ->>>>379 string \0 ->>>>>368 ubyte&0xDF >0 +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s # ->430 string NTLDR\ fehlt\xFF\r\n ->>444 string Datentr\204gerfehler\xFF\r\n +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Datentr\204gerfehler\xFF\r\n >>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s 
->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # variant ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # ->430 string NTLDR\ fehlt\xFF\r\n ->>444 string Medienfehler\xFF\r\n +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Medienfehler\xFF\r\n >>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # ->430 string Datentr\204ger\ entfernen\xFF\r\n ->>454 string Medienfehler\xFF\r\n +>430 string Datentr\204ger\ entfernen\xFF\r\n +>>454 string Medienfehler\xFF\r\n >>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) ->>>>379 string \0 ->>>>>368 ubyte&0xDF >0 +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # -#>3 string NTFS\ \ \ \ ->389 string Fehler\ beim\ 
Lesen\ +#>3 string NTFS\ \ \ \040 +>389 string Fehler\ beim\ Lesen\040 >>407 string des\ Datentr\204gers ->>>426 string NTLDR\ fehlt +>>>426 string NTLDR\ fehlt >>>>440 string NTLDR\ ist\ komprimiert >>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) -#>3 string NTFS\ \ \ \ +#>3 string NTFS\ \ \ \040 >313 string A\ disk\ read\ error\ occurred.\r ->>345 string A\ kernel\ file\ is\ missing\ ->>>370 string from\ the\ disk.\r ->>>>484 string NTLDR\ is\ compressed ->>>>>429 string Insert\ a\ system\ diskette\ +>>345 string A\ kernel\ file\ is\ missing\040 +>>>370 string from\ the\ disk.\r +>>>>484 string NTLDR\ is\ compressed +>>>>>429 string Insert\ a\ system\ diskette\040 >>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS # DOS loader variants different languages,offsets >472 ubyte&0xDF >0 ->>389 string Invalid\ system\ disk\xFF\r\n ->>>411 string Disk\ I/O\ error ->>>>428 string Replace\ the\ disk,\ and\ +>>389 string Invalid\ system\ disk\xFF\r\n +>>>411 string Disk\ I/O\ error +>>>>428 string Replace\ the\ disk,\ and\040 >>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader #IO.SYS ->>>>>>472 ubyte&0xDF >0 +>>>>>>472 ubyte&0xDF >0 >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s ->>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>390 string Invalid\ system\ disk\xFF\r\n ->>>412 string Disk\ I/O\ error\xFF\r\n ->>>>429 string Replace\ the\ disk,\ and\ +>>390 string Invalid\ system\ disk\xFF\r\n +>>>412 string Disk\ I/O\ error\xFF\r\n +>>>>429 
string Replace\ the\ disk,\ and\040 >>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader ->>388 string Ungueltiges\ System\ \xFF\r\n ->>>410 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>427 string Datentraeger\ wechseln\ und\ +>>388 string Ungueltiges\ System\ \xFF\r\n +>>>410 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>427 string Datentraeger\ wechseln\ und\040 >>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) #WINBOOT.SYS only not spaces (0xDF) ->>>>>>497 ubyte&0xDF >0 +>>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.5s ->>>>>>>>502 ubyte&0xDF >0 +>>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>503 ubyte&0xDF >0 +>>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>505 ubyte&0xDF >0 +>>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s ->>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>390 string Ungueltiges\ System\ \xFF\r\n ->>>412 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>429 string Datentraeger\ wechseln\ und\ +>>390 string Ungueltiges\ System\ \xFF\r\n +>>>412 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>429 string Datentraeger\ wechseln\ und\040 >>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) #WINBOOT.SYS only not spaces (0xDF) ->>>>>>497 ubyte&0xDF >0 +>>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.7s ->>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 ubyte&0xDF 
>0 >>>>>>>>>504 string x \b%-.1s ->>>>>>505 ubyte&0xDF >0 +>>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.6s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>389 string Ungueltiges\ System\ \xFF\r\n ->>>411 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>428 string Datentraeger\ wechseln\ und\ +>>389 string Ungueltiges\ System\ \xFF\r\n +>>>411 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>428 string Datentraeger\ wechseln\ und\040 >>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) # DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes >>>>>>472 string x %-.2s ->>>>>>>474 ubyte&0xDF >0 +>>>>>>>474 ubyte&0xDF >0 >>>>>>>>474 string x \b%-.5s ->>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>479 string x \b%-.1s ->>>>>>480 ubyte&0xDF >0 +>>>>>>480 ubyte&0xDF >0 >>>>>>>480 string x \b.%-.3s >>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>483 string x \b%-.5s ->>>>>>>488 ubyte&0xDF >0 +>>>>>>>488 ubyte&0xDF >0 >>>>>>>>488 string x \b%-.2s ->>>>>>>>490 ubyte&0xDF >0 +>>>>>>>>490 ubyte&0xDF >0 >>>>>>>>>490 string x \b%-.1s ->>>>>>>491 ubyte&0xDF >0 +>>>>>>>491 ubyte&0xDF >0 >>>>>>>>491 string x \b.%-.3s >479 ubyte&0xDF >0 ->>416 string Kein\ System\ oder\ ->>>433 string Laufwerksfehler +>>416 string Kein\ System\ oder\040 +>>>433 string Laufwerksfehler >>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) #IO.SYS >>>>>479 string x \b %-.2s ->>>>>>481 ubyte&0xDF >0 +>>>>>>481 ubyte&0xDF >0 >>>>>>>481 string x \b%-.6s ->>>>>487 ubyte&0xDF >0 +>>>>>487 ubyte&0xDF 
>0 >>>>>>487 string x \b.%-.3s #MSDOS.SYS >>>>>>490 ubyte&0xDF >0 \b+ >>>>>>>490 string x \b%-.5s ->>>>>>>>495 ubyte&0xDF >0 +>>>>>>>>495 ubyte&0xDF >0 >>>>>>>>>495 string x \b%-.3s ->>>>>>>498 ubyte&0xDF >0 +>>>>>>>498 ubyte&0xDF >0 >>>>>>>>498 string x \b.%-.3s # ->376 search/41 Non-System\ disk\ or\ ->>395 search/41 disk\ error\r ->>>407 search/41 Replace\ and\ +>376 search/41 Non-System\ disk\ or\040 +>>395 search/41 disk\ error\r +>>>407 search/41 Replace\ and\040 >>>>419 search/41 press\ \b, >>>>419 search/41 strike\ \b, old >>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader #449 Disk\ Boot\ failure\r MS 3.21 #466 Boot\ Failure\r MS 3.30 ->>>>>468 search/18 \0 +>>>>>468 search/18 \0 #IO.SYS,IBMBIO.COM >>>>>>&0 string x \b %-.2s ->>>>>>>&-20 ubyte&0xDF >0 +>>>>>>>&-20 ubyte&0xDF >0 >>>>>>>>&-1 string x \b%-.4s ->>>>>>>>>&-16 ubyte&0xDF >0 +>>>>>>>>>&-16 ubyte&0xDF >0 >>>>>>>>>>&-1 string x \b%-.2s >>>>>>&8 ubyte&0xDF >0 \b. >>>>>>>&-1 string x \b%-.3s #MSDOS.SYS,IBMDOS.COM >>>>>>&11 ubyte&0xDF >0 \b+ >>>>>>>&-1 string x \b%-.5s ->>>>>>>>&-6 ubyte&0xDF >0 +>>>>>>>>&-6 ubyte&0xDF >0 >>>>>>>>>&-1 string x \b%-.1s ->>>>>>>>>>&-5 ubyte&0xDF >0 +>>>>>>>>>>&-5 ubyte&0xDF >0 >>>>>>>>>>>&-1 string x \b%-.2s >>>>>>>&7 ubyte&0xDF >0 \b. 
>>>>>>>>&-1 string x \b%-.3s >441 string Cannot\ load\ from\ harddisk.\n\r ->>469 string Insert\ Systemdisk\ +>>469 string Insert\ Systemdisk\040 >>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader -#>43 string \224R-LOADER\ \ SYS =label +#>43 string \224R-LOADER\ \ SYS =label >54 string SYS >>324 string VASKK >>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) # ->98 string Press\ a\ key\ to\ retry\0\r ->>120 string Cannot\ find\ file\ \0\r ->>>139 string Disk\ read\ error\0\r +>98 string Press\ a\ key\ to\ retry\0\r +>>120 string Cannot\ find\ file\ \0\r +>>>139 string Disk\ read\ error\0\r >>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader #DRBIOS.SYS ->>>>>44 ubyte&0xDF >0 +>>>>>44 ubyte&0xDF >0 >>>>>>44 string x \b %-.6s ->>>>>>>50 ubyte&0xDF >0 +>>>>>>>50 ubyte&0xDF >0 >>>>>>>>50 string x \b%-.2s ->>>>>>52 ubyte&0xDF >0 +>>>>>>52 ubyte&0xDF >0 >>>>>>>52 string x \b.%-.3s # ->70 string IBMBIO\ \ COM ->>472 string Cannot\ load\ DOS!\ +>70 string IBMBIO\ \ COM +>>472 string Cannot\ load\ DOS!\040 >>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader ->>471 string Cannot\ load\ DOS\ +>>471 string Cannot\ load\ DOS\040 >>487 string press\ key\ to\ retry \b, Open-DOS Bootloader #?? ->444 string KERNEL\ \ SYS +>444 string KERNEL\ \ SYS >>314 string BOOT\ error! \b, FREE-DOS Bootloader ->499 string KERNEL\ \ SYS +>499 string KERNEL\ \ SYS >>305 string BOOT\ err!\0 \b, Free-DOS Bootloader ->449 string KERNEL\ \ SYS +>449 string KERNEL\ \ SYS >>319 string BOOT\ error! 
\b, FREE-DOS 0.5 Bootloader # ->449 string Loading\ FreeDOS +>449 string Loading\ FreeDOS >>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # >331 string Error!.0 \b, FREE-DOS 1.0 bootloader # ->125 string Loading\ FreeDOS...\r +>125 string Loading\ FreeDOS...\r >>311 string BOOT\ error!\r \b, FREE-DOS bootloader ->>>441 ubyte&0xDF >0 +>>>441 ubyte&0xDF >0 >>>>441 string x \b %-.6s ->>>>>447 ubyte&0xDF >0 +>>>>>447 ubyte&0xDF >0 >>>>>>447 string x \b%-.1s ->>>>>>>448 ubyte&0xDF >0 +>>>>>>>448 ubyte&0xDF >0 >>>>>>>>448 string x \b%-.1s ->>>>449 ubyte&0xDF >0 +>>>>449 ubyte&0xDF >0 >>>>>449 string x \b.%-.3s ->124 string FreeDOS\0 +>124 string FreeDOS\0 >>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader # DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 
+>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s ->336 string Error!\ +>336 string Error!\040 >>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ # OEM-ID=Visopsys ->478 ulelong 0 ->>(1.b+326) string I/O\ Error\ reading\ ->>>(1.b+344) string Visopsys\ loader\r +>478 ulelong 0 +>>(1.b+326) string I/O\ Error\ reading\040 +>>>(1.b+344) string Visopsys\ loader\r >>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader # http://alexfru.chat.ru/epm.html#bootprog ->494 ubyte >0x4D ->>495 string >E ->>>495 string <S +>494 ubyte >0x4D +>>495 string >E +>>>495 string <S #OEM-ID is not reliable ->>>>3 string BootProg +>>>>3 string BootProg # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader +>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader >>>>>499 use DOS-filename #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. 
@@ -1025,23 +1025,23 @@ # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO # and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector ->0 string RRaA +>0 string RRaA >>0x1E4 string rrAa \b, FSInfosector #>>0x1FC uleshort =0 SHOULD BE ZERO >>>0x1E8 ulelong <0xffffffff \b, %u free clusters >>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u # updated by Joerg Jenderek at Sep 2007 ->3 ubyte 0 +>3 ubyte 0 #no active flag ->>446 ubyte 0 +>>446 ubyte 0 # partition 1 not empty ->>>450 ubyte >0 +>>>450 ubyte >0 # partitions 3,4 empty ->>>>482 ubyte 0 ->>>>>498 ubyte 0 +>>>>482 ubyte 0 +>>>>>498 ubyte 0 # partition 2 ID=0,5,15 ->>>>>>466 ubyte <0x10 +>>>>>>466 ubyte <0x10 >>>>>>>466 ubyte 0x05 \b, extended partition table >>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) >>>>>>>466 ubyte 0x0 \b, extended partition table (last) 
@@ -1054,35 +1054,35 @@ # Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension # like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS 0 name DOS-filename -# space=0x20 (00100000b) means empty ->0 ubyte&0xDF >0 +# space=0x20 (00100000b) means empty +>0 ubyte&0xDF >0 >>0 ubyte x \b%c ->>>1 ubyte&0xDF >0 +>>>1 ubyte&0xDF >0 >>>>1 ubyte x \b%c ->>>>>2 ubyte&0xDF >0 +>>>>>2 ubyte&0xDF >0 >>>>>>2 ubyte x \b%c ->>>>>>>3 ubyte&0xDF >0 +>>>>>>>3 ubyte&0xDF >0 >>>>>>>>3 ubyte x \b%c ->>>>>>>>>4 ubyte&0xDF >0 +>>>>>>>>>4 ubyte&0xDF >0 >>>>>>>>>>4 ubyte x \b%c ->>>>>>>>>>>5 ubyte&0xDF >0 +>>>>>>>>>>>5 ubyte&0xDF >0 >>>>>>>>>>>>5 ubyte x \b%c ->>>>>>>>>>>>>6 ubyte&0xDF >0 +>>>>>>>>>>>>>6 ubyte&0xDF >0 >>>>>>>>>>>>>>6 ubyte x \b%c ->>>>>>>>>>>>>>>7 ubyte&0xDF >0 +>>>>>>>>>>>>>>>7 ubyte&0xDF >0 >>>>>>>>>>>>>>>>7 ubyte x \b%c # DOS filename extension >>8 ubyte&0xDF >0 \b. >>>8 ubyte x \b%c ->>>>9 ubyte&0xDF >0 +>>>>9 ubyte&0xDF >0 >>>>>9 ubyte x \b%c ->>>>>>10 ubyte&0xDF >0 +>>>>>>10 ubyte&0xDF >0 >>>>>>>10 ubyte x \b%c # Print 2 following DOS filenames from directory entry form # like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com 0 name 2xDOS-filename # display 1 space ->0 ubyte x \b +>0 ubyte x \b >0 use DOS-filename >11 ubyte x \b+ >11 use DOS-filename @@ -1101,10 +1101,10 @@ # partition type ID > 0 >4 ubyte >0 # active flag 0 ->>0 ubyte 0 +>>0 ubyte 0 >>>0 use partition-entry -# active flag 0x80, 0x81, ... ->>0 ubyte >0x7F +# active flag 0x80, 0x81, ... +>>0 ubyte >0x7F >>>0 use partition-entry # Print entry of partition table 0 name partition-entry @@ -1136,7 +1136,7 @@ # sector >1 ubyte&0x3F x \b,%u -# FATX +# FATX 0 string FATX FATX filesystem data # romfs filesystems - Juan Cespedes <cespedes@debian.org> 
@@ -1157,7 +1157,7 @@ # http://syslinux.zytor.com/iso.php # tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05 # assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop -0 ulequad&0x909000007cc0eafa 0x909000007c40eafa +0 ulequad&0x909000007cc0eafa 0x909000007c40eafa >631 search/689 ISOLINUX\ isolinux Loader >>&0 string x (version %-4.4s) # http://syslinux.zytor.com/pxe.php 
@@ -1174,88 +1174,88 @@ >11 string x (version %-4.4s) # syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" -0 ulelong&0x80909bEB 0x009018EB +0 ulelong&0x80909bEB 0x009018EB # OEM-ID not always "SYSLINUX" ->434 search/47 Boot\ failed -# followed by \r\n\0 or :\ +>434 search/47 Boot\ failed +# followed by \r\n\0 or :\ >>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older) >>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) ->459 search/30 Boot\ error\r\n\0 +>459 search/30 Boot\ error\r\n\0 >>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) # SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: mov di,0600h;mov cx,0100h -16 search/4 \xbf\x00\x06\xb9\x00\x01 +16 search/4 \xbf\x00\x06\xb9\x00\x01 # to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21) !:strength +36 ->94 search/249 Missing\ operating\ system +>94 search/249 Missing\ operating\ system # followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other # skip Ranish MBR ->>408 search/4 HD1/\0 ->>408 default x +>>408 search/4 HD1/\0 +>>408 default x >>>250 search/118 \0Operating\ system\ load SYSLINUX MBR # followed by "ing " or space ->>>>292 search/98 error +>>>>292 search/98 error >>>>>&0 string \r (version 3.35 or older) >>>>>&0 string .\r (version 3.52 or newer) >>>>>&0 default x (version 3.36-3.51 ) >368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR ->>156 search/10 \0Boot\ partition\ not\ found\r\n +>>156 search/10 \0Boot\ partition\ not\ found\r\n >>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older) ->>174 search/10 \0Missing\ OS\r\n +>>174 search/10 \0Missing\ OS\r\n >>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer) # SYSLINUX END # NetBSD mbr variants (master-boot-code version 1.22) added 
by Joerg Jenderek at Nov 2012 # assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax, -0 ubequad 0x31c08ed0bc007c8e +0 ubequad 0x31c08ed0bc007c8e # mbr_bootsel magic before partition table not reliable with small ipl fragments -#>444 uleshort 0xb5e1 ->0004 uleshort x +#>444 uleshort 0xb5e1 +>0004 uleshort x # ERRorTeXT >>181 search/166 Error\ \0\r\n NetBSD mbr # NT Drive Serial Number http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS >>>0x1B8 ubelong >0 \b,Serial 0x%-.8x # BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx >>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector -# BOOT_EXTENDED definitions contains assembler instructions: +# BOOT_EXTENDED definitions contains assembler instructions: # xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13 >>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended # COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al >>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO # not TERSE_ERROR ->>>196 search/106 No\ active\ partition\0 ->>>>&0 string Disk\ read\ error\0 +>>>196 search/106 No\ active\ partition\0 +>>>>&0 string Disk\ read\ error\0 >>>>>&0 string No\ operating\ system\0 \b,verbose # not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13 >>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS # not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13 >>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check # assembler instructions: movw nametab,bx ->>>0x26 search/21 \xBB\x94\x07 +>>>0x26 search/21 \xBB\x94\x07 # not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf ->>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 ->>>>>181 search/166 Error\ \0 +>>>>&-9 ubequad&0xBE00f0E800febb94 
0xBE0000E80000bb94 +>>>>>181 search/166 Error\ \0 # "a: disk" , "Fn: diskn" or "NetBSD MBR boot" >>>>>>&3 string x \b,"%s" >>>446 use partition-table # Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html # added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 # assembler instructions: jmp short 0x58;nop;ASCII -0 ubequad&0xeb58908000000000 0xeb58900000000000 +0 ubequad&0xeb58908000000000 0xeb58900000000000 # assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss, ->(1.b+2) ubequad 0xfa31c08ed88ec08e +>(1.b+2) ubequad 0xfa31c08ed88ec08e # Error messages at end of code ->>376 string No\ operating\ system\r\n\0 ->>>398 string Disk\ error\r\n\0FDD\0HDD\0 +>>376 string No\ operating\ system\r\n\0 +>>>398 string Disk\ error\r\n\0FDD\0HDD\0 >>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr -# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ +# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ # added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11 # for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI, # or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS, -0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC +0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC # pointer to the data starting with Neil Turton signature string ->(0x1BC.s) string NDTmbr +>(0x1BC.s) string NDTmbr >>&-14 string 1234F\0 Turton mbr ( # parameters also viewed by install-mbr --list >>>(0x1BC.s+7) ubyte x \b%u<= 
@@ -1269,23 +1269,23 @@ #0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot #>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x # for older versions ->>>(0x1BC.s+9) ubyte <2 +>>>(0x1BC.s+9) ubyte <2 #>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x ->>>>(0x1BC.s+13) ubyte >1 +>>>>(0x1BC.s+13) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x # not 1st hard disc >>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x # for version >= 2 maximal timeout can be 65534 ->>>(0x1BC.s+9) ubyte >1 +>>>(0x1BC.s+9) ubyte >1 #>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds >>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x ->>>>(0x1BC.s+14) ubyte >1 +>>>>(0x1BC.s+14) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x # not 1st hard disc @@ -1297,14 +1297,14 @@ # grub-1.94/kern/i386/pc/startup.S # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders -0x200 uleshort 0x70EA +0x200 uleshort 0x70EA # found only version 3.{1,2} ->0x206 ubeshort >0x0300 +>0x206 ubeshort >0x0300 # GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00" ->>0x212 ubyte >0x29 ->>>0x213 ubyte >0x29 +>>0x212 ubyte >0x29 +>>>0x213 ubyte >0x29 # not iso9660_stage1_5 -#>>>0 ulelong&0x00BE5652 0x00BE5652 +#>>>0 ulelong&0x00BE5652 0x00BE5652 >>>>0x213 ubyte >0x29 GRand Unified Bootloader # config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2" >>>>0x217 ubyte 0xFF stage1_5 @@ -1316,7 +1316,7 @@ #>>>>0x208 ulelong =0xffffff \b, %lu (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial ->>>>0x20C ulelong&0x2E300000 0x2E300000 +>>>>0x20C ulelong&0x2E300000 0x2E300000 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs >>>>>0x20C ubyte x \b, identifier 0x%x #>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default) 
@@ -1324,17 +1324,17 @@ # GRUB version as string >>>>>0x20E string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default ->>>>>>0x215 ulong 0xffffffff +>>>>>>0x215 ulong 0xffffffff >>>>>>>0x219 string >\0 \b, configuration file %-s ->>>>>>0x215 ulong !0xffffffff +>>>>>>0x215 ulong !0xffffffff >>>>>>>0x215 string >\0 \b, configuration file %-s # newer GRUB versions ->>>>0x20C ulelong&0x2E300000 !0x2E300000 +>>>>0x20C ulelong&0x2E300000 !0x2E300000 ##>>>>>0x20C ulelong =0 \b, saved entry %d (usual) >>>>>0x20C ulelong >0 \b, saved entry %d # for 1.94 contains kernel image size # for 0.93,0.94,0.96,0.97 -# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 +# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 >>>>>0x210 ubyte x \b, identifier 0x%x # The flag for LBA forcing is in most cases 0 #>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default) @@ -1342,9 +1342,9 @@ # GRUB version as string >>>>>0x212 string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default ->>>>>0x217 ulong 0xffffffff +>>>>>0x217 ulong 0xffffffff >>>>>>0x21b string >\0 \b, configuration file %-s ->>>>>0x217 ulong !0xffffffff +>>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s # DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 
@@ -1360,13 +1360,13 @@ # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 ->11 uleshort&0x001f 0 ->>11 uleshort <32769 ->>>11 uleshort >31 ->>>>21 ubyte&0xf0 0xF0 +>11 uleshort&0x001f 0 +>>11 uleshort <32769 +>>>11 uleshort >31 +>>>>21 ubyte&0xf0 0xF0 >>>>>0 ubyte 0xEB DOS/MBR boot sector >>>>>>1 ubyte x \b, code offset 0x%x+2 ->>>>>0 ubyte 0xE9 +>>>>>0 ubyte 0xE9 >>>>>>1 uleshort x \b, code offset 0x%x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC @@ -1377,10 +1377,10 @@ >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) # for lazy FAT32 implementation like Transcend digital photo frame PF830 ->>>>>82 string/c fat32 +>>>>>82 string/c fat32 >>>>>>14 uleshort !32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) ->>>>>82 string/c !fat32 +>>>>>82 string/c !fat32 >>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) #>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) @@ -1390,7 +1390,7 @@ >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u #>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) ->>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) +>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) 
@@ -1402,20 +1402,20 @@ #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u # valid only for sector sizes with more then 32 Bytes ->>>>>11 uleshort >32 +>>>>>11 uleshort >32 # http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block # skip for values 2,2Ah,70h,73h,DFh # and continue for extended boot signature values 0,28h,29h,80h ->>>>>>38 ubyte&0x56 =0 +>>>>>>38 ubyte&0x56 =0 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) ->>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) +>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) -# FAT<32 bit specific ->>>>>>>82 string/c !fat32 +# FAT<32 bit specific +>>>>>>>82 string/c !fat32 #>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>>>36 ubyte !0x80 +>>>>>>>>36 ubyte !0x80 >>>>>>>>>36 ubyte !0 \b, physical drive 0x%x # VGA-copy CRC or # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too 
@@ -1435,27 +1435,27 @@ # if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, # otherwise FAT is 16 bit. # http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html ->>>>>82 string/c !fat32 +>>>>>82 string/c !fat32 >>>>>>54 string FAT12 \b, FAT (12 bit) >>>>>>54 string FAT16 \b, FAT (16 bit) ->>>>>>54 default x +>>>>>>54 default x # determinate FAT bit size by media descriptor # small floppies implies FAT12 >>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) # with media descriptor F0h floppy or maybe superfloppy with FAT16 ->>>>>>>21 ubyte =0xF0 +>>>>>>>21 ubyte =0xF0 # superfloppy (many sectors) implies FAT16 >>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) # no superfloppy with media descriptor F0h implies FAT12 >>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) # with media descriptor F8h floppy or hard disc with FAT12 or FAT16 ->>>>>>>21 ubyte =0xF8 +>>>>>>>21 ubyte =0xF8 # 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) # hard disc with FAT12 or FAT16 >>>>>>>>19 default x \b, FAT (1Y bit by descriptor) # with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc ->>>>>>>21 ubyte =0xFA +>>>>>>>21 ubyte =0xFA # 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) # RAM disc with FAT12 or FAT16 or Tandy hard disc 
@@ -1479,17 +1479,17 @@ # 0 or 0xFFFF instead of usual 6 means no backup sector >>>>>>50 uleshort =0xFFFF \b, no Backup boot sector >>>>>>50 uleshort =0 \b, no Backup boot sector -#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) ->>>>>>50 default x +#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) +>>>>>>50 default x >>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO >>>>>>52 ulelong >0 \b, reserved1 0x%x >>>>>>56 ulelong >0 \b, reserved2 0x%x >>>>>>60 ulelong >0 \b, reserved3 0x%x -# same structure as FAT1X +# same structure as FAT1X #>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) #>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>64 ubyte !0x80 +>>>>>>64 ubyte !0x80 >>>>>>>64 ubyte >0 \b, physical drive 0x%x # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>65 ubyte >0 \b, reserved 0x%x @@ -1500,10 +1500,10 @@ >>>>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>>71 string =NO\ NAME \b, unlabeled # additional tests for floppy image added by Joerg Jenderek -# no fixed disk ->>>>>21 ubyte !0xF8 +# no fixed disk +>>>>>21 ubyte !0xF8 # floppy media with 12 bit FAT ->>>>>>54 string !FAT16 +>>>>>>54 string !FAT16 # test for FAT after bootsector >>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT # floppy image @@ -1511,11 +1511,11 @@ # NTFS specific added by Joerg Jenderek at Mar 2011 according to http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm # and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html # 0 FATs ->>>>>16 ubyte =0 +>>>>>16 ubyte =0 # 0 root entries ->>>>>>17 uleshort =0 +>>>>>>17 uleshort =0 # 0 DOS sectors ->>>>>>>19 uleshort =0 +>>>>>>>19 uleshort =0 # 0 sectors/FAT # dos < 4.0 BootSector value found is 0x80 #38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x) 
@@ -1526,33 +1526,43 @@ >>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld >>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld # Values 0 to 127 represent MFT record sizes of 0 to 127 clusters. -# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. ->>>>>>>>>64 lelong <256 +# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. +>>>>>>>>>64 lelong <256 >>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d >>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) # Values 0 to 127 represent index block sizes of 0 to 127 clusters. # Values 128 to 255 represent index block sizes of 2^(256-N) byte ->>>>>>>>>68 ulelong <256 +>>>>>>>>>68 ulelong <256 >>>>>>>>>>68 ulelong <128 \b, clusters/index block %d #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) >>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx >>>>>>>>>80 ulelong >0 \b, checksum 0x%x #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) ->>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 ->>>>>>>>>>&-92 indirect x \b; contains +>>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 +>>>>>>>>>>&-92 indirect x \b; contains # For 2nd NTFS sector added by Joerg Jenderek at Jan 2013 # http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm # unused assembler instructions JMP y2;NOP;NOP -0x056 ulelong&0xFFFF0FFF 0x909002EB +0x056 ulelong&0xFFFF0FFF 0x909002EB # unicode loadername terminated by CTRL-D ->(0.s*2) ulelong&0xFFFFFF00 0x00040000 +>(0.s*2) ulelong&0xFFFFFF00 0x00040000 # loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR >>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s ->>0x12 string $ +>>0x12 string $ >>>0x0c lestring16 x \b%-2.2s ### DOS,NTFS boot sectors end +# ntfsclone-image is a special save format for NTFS volumes, +# created and restored by the ntfsclone program +0 string \0ntfsclone-image ntfsclone image, +>0x10 byte x version %d. 
+>0x11 byte x \b%d, +>0x12 lelong x cluster size %d, +>0x16 lequad x device size %lld, +>0x1e lequad x %lld total clusters, +>0x26 lequad x %lld clusters in use + 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, @@ -1669,6 +1679,13 @@ >&-1248 belong 0 TIME optimization >&-1248 belong 1 SPACE optimization +0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), +>0x90 lelong+1 x volume %d +>0x94 lelong x (of %d), +>0x50 string x name %s, +>0x98 ulelong x version %u, +>0xa0 ulelong x flags 0x%x + # ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca> # ext4 filesystem - Eric Sandeen <sandeen@sandeen.net> # volume label and UUID Russell Coker @@ -1818,7 +1835,7 @@ # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density -# F8 ----- Fixed disk +# F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # @@ -1846,7 +1863,7 @@ # all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 # http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions # Too Weak. -#512 ubelong&0xE0ffff00 0xE0ffff00 +#512 ubelong&0xE0ffff00 0xE0ffff00 # without valid Media descriptor in place of BPB, cases with are done at other places #>21 ubyte <0xE5 floppy with old FAT filesystem # but valid Media descriptor at begin of FAT 
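Review bot: The ntfsclone fields at 0x12, 0x16, 0x1e and 0x26 are sizes and counts, but they are read as signed `lelong`/`lequad` and printed with `%d`/`%lld`, so a header value with the top bit set is reported as a negative number. Unsigned types keep the report sane for damaged or untrusted images, e.g. `>0x12 ulelong x cluster size %u,` and `>0x16 ulequad x device size %llu,`, with the two cluster counts changed the same way. The version bytes at 0x10 and 0x11 have the same issue on a smaller scale and could be `ubyte`.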
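Review bot: `>0x50 string x name %s,` in the HAMMER entry prints the volume name with no length limit, although the next field tested starts at 0x90, which suggests the name occupies at most 64 bytes. If the name is not NUL-terminated, the output runs on into the binary volume number that follows. A bounded format such as `>0x50 string x name %.64s,` avoids that. The 64-byte width is inferred from the offsets in this hunk and should be confirmed against the HAMMER on-disk header.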
@@ -1858,61 +1875,61 @@ #>>512 ubyte =0xfb 640k #>>512 ubyte =0xfc 180k # look like an an old DOS directory entry -#>>>0xA0E ubequad 0 -#>>>>0xA00 ubequad !0 +#>>>0xA0E ubequad 0 +#>>>>0xA00 ubequad !0 #!:mime application/x-ima -#>>512 ubyte =0xfd +#>>512 ubyte =0xfd # look for 2nd FAT at different location to distinguish between 360k and 500k #>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k #>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k -#>>>0xA0E ubequad 0 +#>>>0xA0E ubequad 0 #!:mime application/x-ima -#>>512 ubyte =0xfe +#>>512 ubyte =0xfe #>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k -#>>>>0x60E ubequad 0 -#>>>>>0x600 ubequad !0 +#>>>>0x60E ubequad 0 +#>>>>>0x600 ubequad !0 #!:mime application/x-ima #>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k #>>512 ubyte =0xff 320k -#>>>0x60E ubequad 0 -#>>>>0x600 ubequad !0 +#>>>0x60E ubequad 0 +#>>>>0x600 ubequad !0 #!:mime application/x-ima #>>512 ubyte x \b, Media descriptor 0x%x # without x86 jump instruction -#>>0 ulelong&0x804000E9 !0x000000E9 -# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV +#>>0 ulelong&0x804000E9 !0x000000E9 +# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV #>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader # IOSYS.COM+MSDOS.COM #>>>>0xc4 use 2xDOS-filename -#>>0 ulelong&0x804000E9 =0x000000E9 +#>>0 ulelong&0x804000E9 =0x000000E9 # only x86 short jump instruction found #>>>0 ubyte =0xEB #>>>>1 ubyte x \b, code offset 0x%x+2 # http://thestarman.pcministry.com/DOS/ibm100/Boot.htm -# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 -#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 +#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader # ibmbio.com+ibmdos.com #>>>>>0x176 use DOS-filename #>>>>>0x181 ubyte x \b+ #>>>>>0x182 use DOS-filename # http://thestarman.pcministry.com/DOS/ibm110/Boot.htm -# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV -#>>>>(1.b+2) ubequad 
0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV +#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader # ibmbio.com+ibmdos.com #>>>>>0x18b use DOS-filename #>>>>>0x196 ubyte x \b+ #>>>>>0x197 use DOS-filename # http://en.wikipedia.org/wiki/Zenith_Data_Systems -# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 +# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 #>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x20 use 2xDOS-filename # http://en.wikipedia.org/wiki/Corona_Data_Systems -# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; +# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; #>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x69 use 2xDOS-filename -# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; +# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; #>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader # defect IO.SYS+MSDOS.SYS ? #>>>>>0x162 use 2xDOS-filename 
@@ -1942,14 +1959,25 @@ 32769 string CD001 # mime line at that position does not work # to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51) -!:strength -11 +#!:strength -11 # to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51) -# does not work -#!:strength +33 ->0 use cdrom +!:strength +34 +>0 use cdrom # .cso files -0 string CISO Compressed ISO CD image +# Reference: http://pismotec.com/ciso/ciso.h +# NOTE: There are two other formats with the same magic but +# completely incompatible specifications: +# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h +# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h +0 string CISO +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong !0 +>>4 lelong !0x200000 +>>>0x10 lelong !0x800 Compressed ISO CD image # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian @@ -2041,6 +2069,13 @@ >29 byte 16 \bBlackfin, >29 byte 17 \bAVR32, >29 byte 18 \bSTMicroelectronics ST200, +>29 byte 19 \bSandbox architecture, +>29 byte 20 \bANDES Technology NDS32, +>29 byte 21 \bOpenRISC 1000, +>29 byte 22 \bARM 64-bit, +>29 byte 23 \bDesignWare ARC, +>29 byte 24 \bx86_64, +>29 byte 25 \bXtensa, >30 byte 0 Invalid Image >30 byte 1 Standalone Program >30 byte 2 OS Kernel Image @@ -2114,7 +2149,7 @@ >>8 ledate x created: %s # AFS Dump Magic -# From: Ty Sarna <tsarna@sarna.org> +# From: Ty Sarna <tsarna@sarna.org> 0 string \x01\xb3\xa1\x13\x22 AFS Dump >&0 belong x (v%d) >>&0 byte 0x76 @@ -2229,7 +2264,7 @@ # 
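Review bot: The comment directly above the new `!:strength +34` still explains the value as `(114=81+33)`, which was the arithmetic for the commented-out `+33` line that this hunk deletes. The comment should state the sum that +34 produces, presumably `(115=81+34)`, and say why 114 was not enough to sort the CD001 entry before the MBR entry at 113. Without that, the next person tuning these strengths has two numbers that disagree.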
From: "Nelson A. de Oliveira" <naoliv@gmail.com> 0 string *dvdisaster* dvdisaster error correction file -# xfs metadump image +# xfs metadump image # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM @@ -2301,8 +2336,8 @@ 0 string td\000 floppy image data (TeleDisk, compressed) 0 string TD\000 floppy image data (TeleDisk) -0 string CQ\024 floppy image data (CopyQM, ->16 leshort x %d sectors, +0 string CQ\024 floppy image data (CopyQM, +>16 leshort x %d sectors, >18 leshort x %d heads.) 0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) @@ -2352,3 +2387,13 @@ >>>>>>>>0x1B ubyte 0x30 \b, media=1D >>>>>>>>0x1B ubyte 0x40 \b, media=1DD >>>>>>>>0x1A ubyte 0x10 \b, write-protected + +# HDD Raw Copy Tool disk image, file extension: .imgc +# From Benjamin Vanheuverzwijn <bvanheu@gmail.com> +0 pstring HDD\ Raw\ Copy\ Tool %s +>0x100 pstring x %s +>0x200 pstring x - HD model: %s +#>0x300 pstring x unknown %s +>0x400 pstring x serial: %s +#>0x500 pstring x unknown: %s +!:ext imgc diff --git a/contrib/file/magic/Magdir/flash b/contrib/file/magic/Magdir/flash index b06f879..b48abe9 100644 --- a/contrib/file/magic/Magdir/flash +++ b/contrib/file/magic/Magdir/flash @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: flash,v 1.11 2014/05/02 00:26:49 christos Exp $ +# $File: flash,v 1.14 2017/05/25 20:09:55 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See 
@@ -10,23 +10,45 @@ # en/devnet/swf/pdf/swf-file-format-spec.pdf page 27 # -0 name swf-details ->0 string F Macromedia Flash data +0 name swf-details + +>0 string F +>>8 byte&0xfd 0x08 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte&0xfe 0x10 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte 0x18 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 beshort&0xff87 0x2000 Macromedia Flash data !:mime application/x-shockwave-flash ->0 string C Macromedia Flash data (compressed) +>>>3 byte x \b, version %d +>>8 beshort&0xffe0 0x3000 Macromedia Flash data !:mime application/x-shockwave-flash ->0 string Z Macromedia Flash data (lzma compressed) +>>>3 byte x \b, version %d +>>8 byte&0x7 0 +>>>8 ubyte >0x2f +>>>>9 ubyte <0x20 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>>>3 byte x \b, version %d + +>0 string C +>>8 byte 0x78 Macromedia Flash data (compressed) +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d + +>0 string Z +>>8 byte 0x5d Macromedia Flash data (lzma compressed) !:mime application/x-shockwave-flash ->3 byte x \b, version %d +>>>3 byte x \b, version %d -1 string WS ->4 lelong !0 ->>3 byte 255 Suspicious ->>>0 use swf-details ->>3 ubyte <32 ->>>3 ubyte !0 ->>>>0 use swf-details +1 string WS +>4 ulelong >14 +>>3 ubyte !0 +>>>0 use swf-details # From: Cal Peake <cp@absolutedigital.net> 0 string FLV\x01 Macromedia Flash Video @@ -34,7 +56,7 @@ # # Yosu Gomez -0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document -0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document +0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document +0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document # From Dave Wilson -0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document +0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document 
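Review bot: The compressed branch `>>8 byte 0x78` in swf-details accepts only one value of the zlib header byte, so a `C` file whose stream was written with a smaller window (same low nibble, different high nibble) gets no description and no `application/x-shockwave-flash` type. Anything that uses file(1) output to decide whether content is Flash should treat a non-match as unknown rather than as not-Flash. If the narrow test was chosen only to reduce false positives, `>>8 byte&0x8f 0x08` would still require a deflate zlib header while covering the other window sizes. The hunk also drops the old `Suspicious` output for version byte 255 with no replacement, and a comment saying that this is intentional would help.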
diff --git a/contrib/file/magic/Magdir/fonts b/contrib/file/magic/Magdir/fonts index be489cb..7e9b0da 100644 --- a/contrib/file/magic/Magdir/fonts +++ b/contrib/file/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.33 2016/09/14 01:26:26 christos Exp $ +# $File: fonts,v 1.37 2017/06/24 00:39:00 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -19,17 +19,17 @@ # URL: https://en.wikipedia.org/wiki/PostScript_fonts # Reference: http://partners.adobe.com/public/developer/en/font/5178.PFM.pdf # Modified by: Joerg Jenderek -# Note: moved from ./msdos magic -# dfVersion 256=0100h -0 uleshort 0x0100 +# Note: moved from ./msdos magic +# dfVersion 256=0100h +0 uleshort 0x0100 # GRR: line above is too general as it catches also TrueType font, # raw G3 data FAX, WhatsApp encrypted and Panorama database # dfType 129=0081h ->66 uleshort 0x0081 +>66 uleshort 0x0081 # dfVertRes 300=012Ch not needed as additional test -#>>70 uleshort 0x012c +#>>70 uleshort 0x012c # dfHorizRes 300=012Ch -#>>>72 uleshort 0x012c +#>>>72 uleshort 0x012c # dfDriverInfo points to postscript information section >>(101.l) string/c Postscript Printer Font Metrics # above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID @@ -40,13 +40,13 @@ # dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking #>>>6 string >\060 - %-.60s # dfDriverInfo ->>>139 ulelong >0 +>>>139 ulelong >0 # often abbreviated and same as filename >>>>(139.l) string x %s # dfSize >>>2 ulelong x \b, %d bytes # dfFace 210=D2h 9Eh ->>>105 ulelong >0 +>>>105 ulelong >0 # Windows font name >>>>(105.l) string x \b, %s # dfItalic 
@@ -72,7 +72,7 @@ #>104 belong 00000004 X11 SNF font data, MSB first !:mime application/x-font-sfn # GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX -0 lelong 00000004 +0 lelong 00000004 >104 lelong 00000004 X11 SNF font data, LSB first !:mime application/x-font-sfn @@ -82,27 +82,29 @@ # From: Joerg Jenderek # URL: http://grub.gibibit.com/New_font_format # Reference: util/grub-mkfont.c -# include/grub/fontformat.h +# include/grub/fontformat.h # FONT_FORMAT_SECTION_NAMES_FILE -0 string FILE +0 string FILE # FONT_FORMAT_PFF2_MAGIC ->8 string PFF2 +>8 string PFF2 # leng 4 only at the moment ->>4 ubelong 4 +>>4 ubelong 4 # FONT_FORMAT_SECTION_NAMES_FONT_NAME >>>12 string NAME GRUB2 font !:mime application/x-font-pf2 !:ext pf2 # length of font_name ->>>>16 ubelong >0 +>>>>16 ubelong >0 # font_name >>>>>20 string >\0 "%-s" # X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) # PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) -0 string \001fcp X11 Portable Compiled Font data ->12 byte 0x02 \b, LSB first ->12 byte 0x0a \b, MSB first +0 string \001fcp X11 Portable Compiled Font data, +>12 lelong ^0x08 bit: LSB, +>12 lelong &0x08 bit: MSB, +>12 lelong ^0x04 byte: LSB first +>12 lelong &0x04 byte: MSB first 0 string D1.0\015 X11 Speedo font data #------------------------------------------------------------------------------ 
@@ -134,28 +136,166 @@ >4 beshort >0 version %d # True Type fonts -0 string \000\001\000\000\000 TrueType font data -!:mime application/x-font-ttf +# Modified by: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/TrueType +# Reference: https://developer.apple.com/fonts/TrueType-Reference-Manual/ +# +# sfnt version "typ1" used by some Apple, but no example found +0 string typ1 +>0 use sfnt-font +>0 use sfnt-names +# sfnt version "true" used by some Apple +0 string true +>0 use sfnt-font +>0 use sfnt-names +# GRR: below test is too general +# sfnt version often 0x00010000 +0 string \000\001\000\000 +>0 use sfnt-font +>0 use sfnt-names +# validate and display sfnt font data like number of tables +0 name sfnt-font +# file 5.30 version assumes 00FFh as maximal number of tables +#>4 ubeshort <0x0100 +# maximal 27 tables found like in Skia.ttf +# 46 different table names mentioned on Apple specification +# skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number +>4 ubeshort <47 +# skip bad examples with garbage table names like in a5.show HYPERC MAC +# tag names consist of up to four characters padded with spaces at end like +# BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... 
+>>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ] +#>>>0 ubelong x \b, sfnt version 0x%x +>>>0 ubelong !0x4f54544f TrueType +!:mime application/font-sfnt +#!:mime font/ttf +!:apple ????tfil +# .ttf for TrueType font +# EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe +!:ext ttf/tte +# sfnt version 4F54544Fh~OTTO +>>>0 ubelong =0x4f54544f OpenType +!:mime application/font-sfnt +#!:mime font/otf +!:apple ????OTTO +!:ext otf +>>>0 ubelong x Font data +# DSIG=44454947h table name implies a digitally signed font +# search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432 +>>>12 search/432 DSIG \b, digitally signed +>>>4 ubeshort x \b, %d tables +# minimal 9 tables found like in NISC18030.ttf +#>>>4 ubeshort <10 TMIN +#>>>4 ubeshort >24 TBIG +# table directory entries +>>>12 string x \b, 1st "%4.4s" + +# search and display 1st name in sfnt font which is often copyright text +# does not work inside font collections +0 name sfnt-names +# search for naming table +>12 search/432/s name +# biggest offset 0x0100bd28 like Windows10 Fonts\simsunb.ttf +#>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET +>>&8 ubelong >0x00100000 +# offset of name table +>>>&-4 ubelong x \b, name offset 0x%x +# GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h +>>&8 ubelong <0x00100000 +>>>&-16 ubelong x +# name table +>>>>(&8.L) ubequad x +# invalid format selector +#>>>>>&-8 ubeshort !0 \b, invalid selector %x +# minimal 3 name records found like in c:\Program Files (x86)\Tesseract-OCR\tessdata\pdf.ttf +# maximal 1227 name records found like in Apple Chancery.ttf +#>>>>>&-6 ubeshort <0x4 mincount +#>>>>>&-6 ubeshort >130 maxcount +>>>>>&-6 ubeshort x \b, %d names +# offset to start of string storage from start of table +#>>>>>&-4 ubeshort x \b, record offset %d +# 1st name record +# string offset from start of storage area +#>>>>>&8 ubeshort x \b, string offset %d +# string length +#>>>>>&6 ubeshort 
x \b, string length %d +# minimal name string 7 like in c:\Program Files (x86)\Kodi\addons\webinterface.default\lib\video-js\font\VideoJS.ttf +# also found 0 like in SWZCONLN.TTF +#>>>>>&6 ubeshort <8 MIN STRING +# maximal name string 806 like in c:\Windows\Fonts\palabi.ttf +#>>>>>&6 ubeshort >805 MAX STRING +# platform identifier: 0~Apple Unicode, 1~Macintosh, 3~Microsoft +#>>>>>&-2 ubeshort >3 BAD PLATFORM +>>>>>&-2 ubeshort 0 \b, Unicode +>>>>>&-2 ubeshort 1 \b, Macintosh +>>>>>&-2 ubeshort 3 \b, Microsoft +# languageID (0~english Macintosh, 0409h~english Microsoft, ...) +>>>>>&2 ubeshort >0 \b, language 0x%x +# name identifiers +# often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ... +>>>>>&4 ubeshort >0 \b, type %d string +# platform specific encoding: +# 0~undefined character set, 1~UGL set with Unicode, 3~Unicode 2.0 BMP only, 4~Unicode 2.0 +#>>>>>&0 ubeshort x \b, %d encoding +>>>>>&0 ubeshort 0 +# handle only name string offset 0 because do not know how to add 2 relative offsets +>>>>>>&6 ubeshort 0 +>>>>>>>&(&-14.S-18) ubyte !0 +# GRR: instead 806 only first MAXstring = 96 characters are displayed as defined in src\file.h +# often copyright string that starts like \251 2006 The Monotype Corporation +>>>>>>>>&-1 string x \b, %-11.96s +# test for unicode string +>>>>>>>&(&-14.S-18) ubyte 0 +>>>>>>>>&0 lestring16 x \b, %-11.96s +# unicode encoding +>>>>>&0 ubeshort >0 +>>>>>>&6 ubeshort 0 +>>>>>>>&(&-14.S-17) lestring16 x \b, %-11.96s 0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font 0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font # TrueType/OpenType font collections (.ttc) +# URL: https://en.wikipedia.org/wiki/OpenType # http://www.microsoft.com/typography/otspec/otff.htm -0 string ttcf TrueType font collection data ->4 belong 0x00010000 \b, 1.0 ->>8 belong >0 \b, %d fonts ->4 belong 0x00020000 \b, 2.0 ->>8 belong >0 \b, %d fonts +# Modified by: Joerg Jenderek +# Note: container for 
TrueType, OpenType font +0 string ttcf +# skip ASCII text +>4 ubyte 0 +# sfnt version often 0x00010000 of 1st table is TrueType +>>(12.L) ubelong !0x4f54544f TrueType +#!:mime font/ttf +!:apple ????tfil +!:ext ttc +# sfnt version 4F54544Fh~OTTO of 1st table is OpenType font +>>(12.L) ubelong =0x4f54544f OpenType +#!:mime font/otf +!:apple ????OTTO +# no example found for otc +!:ext ttc/otc +>>4 ubyte x font collection data +!:mime application/font-sfnt +#!:mime font/collection +# TCC version +>>4 belong 0x00010000 \b, 1.0 +>>4 belong 0x00020000 \b, 2.0 +>>8 ubelong >0 \b, %d fonts +# array offset size = fonts * offsetsize = fonts * 4 +>>(8.L*4) ubequad x # 0x44454947 = 'DSIG' ->>>16 belong 0x44534947 \b, digitally signed +>>>&4 belong 0x44534947 \b, digitally signed +# offset to 1st font +>>12 ubelong x \b, at 0x%x +# point to 1st font that starts with sfnt version +>>(12.L) use sfnt-font # Opentype font data from Avi Bercovich 0 string OTTO OpenType font data !:mime application/vnd.ms-opentype -# Gurkan Sengun <gurkan@linuks.mine.nu>, www.linuks.mine.nu -0 string SplineFontDB: Spline Font Database +# Gurkan Sengun <gurkan@linuks.mine.nu>, www.linuks.mine.nu +0 string SplineFontDB: Spline Font Database !:mime application/vnd.font-fontforge-sfd >14 string x version %s diff --git a/contrib/file/magic/Magdir/fsav b/contrib/file/magic/Magdir/fsav index ecdc4f6..5714798 100644 --- a/contrib/file/magic/Magdir/fsav +++ b/contrib/file/magic/Magdir/fsav @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ +# $File: fsav,v 1.14 2017/03/17 21:35:28 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) 
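Review bot: Both DSIG comments in the fonts hunk give the tag as 0x44454947 (the added `# DSIG=44454947h ...` line and the context line `# 0x44454947 = 'DSIG'`), but the bytes 'D','S','I','G' are 0x44534947, which is the value the `belong` test itself uses. The added `>>>12 search/432 DSIG` also prints `digitally signed` for any occurrence of those four bytes in the window, not only at a 16-byte table-directory tag position, and nothing here checks the signature. I would correct the hex and say so in the comment, e.g. `# DSIG=44534947h table tag present; the signature itself is not verified`, so the output is not read as a trust statement.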
@@ -29,11 +29,11 @@ #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip -#0 ubyte 0x62 -#>1 ubyte 0xF5 -#>>2 ubyte 0x1 -#>>>3 ubyte 0x1 -#>>>>4 ubyte 0x0e +#0 ubyte 0x62 +#>1 ubyte 0xF5 +#>>2 ubyte 0x1 +#>>>3 ubyte 0x1 +#>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x @@ -44,16 +44,16 @@ # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files -0 string ClamAV-VDB: +0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s ->>34 string : ->>>35 string !: \b, version +>>34 string : +>>>35 string !: \b, version >>>>35 string x \b%-.1s ->>>>>36 string !: +>>>>>36 string !: >>>>>>36 string x \b%-.1s ->>>>>>>37 string !: +>>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s ->>>>>>>>>38 string !: +>>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred diff --git a/contrib/file/magic/Magdir/games b/contrib/file/magic/Magdir/games index 779bc6c..9f72661 100644 --- a/contrib/file/magic/Magdir/games +++ b/contrib/file/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.14 2014/04/30 21:41:02 christos Exp $ +# $File: games,v 1.15 2017/03/17 21:35:28 christos Exp $ # games: file(1) for games # Fabio Bonelli <fabiobonelli@libero.it> @@ -39,7 +39,7 @@ #0 string -1\x0a Quake I demo #>30 string x version %.4s -#>61 string x level %s +#>61 string x level %s #0 string 5\x0a Quake I save @@ -240,7 +240,7 @@ # Summary: NetImmerse game engine file # Extension .nif # Created by: Abel Cheung <abelcheung@gmail.com> -0 string NetImmerse\ File\ Format,\ Versio +0 string NetImmerse\ File\ Format,\ Versio >&0 string n\ NetImmerse game engine file >>&0 regex [0-9a-z.]+ \b, version %s 
diff --git a/contrib/file/magic/Magdir/gconv b/contrib/file/magic/Magdir/gconv new file mode 100644 index 0000000..eec5ddc --- /dev/null +++ b/contrib/file/magic/Magdir/gconv @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: gconv +# gconv: file(1) magic for iconv/gconv module configuration cache +# +# Magic number defined in glibc/iconv/iconvconfig.h as GCONVCACHE_MAGIC +# +# From: Marek Cermak <macermak@redhat.com> +# +0 lelong 0x20010324 gconv module configuration cache data diff --git a/contrib/file/magic/Magdir/geo b/contrib/file/magic/Magdir/geo index 9a765fe..f93abd8 100644 --- a/contrib/file/magic/Magdir/geo +++ b/contrib/file/magic/Magdir/geo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.3 2013/01/04 00:47:02 christos Exp $ +# $File: geo,v 1.4 2017/03/17 21:35:28 christos Exp $ # Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> ###################################################################### @@ -57,7 +57,7 @@ 4 beshort 0x2002 GeoSwath RDF 0 string Start:- GeoSwatch auf text file -# Seabeam 2100 +# Seabeam 2100 # mbsystem code mb41 0 string SB2100 SeaBeam 2100 multibeam sonar 0 string SB2100DR SeaBeam 2100 DR multibeam sonar diff --git a/contrib/file/magic/Magdir/gnu b/contrib/file/magic/Magdir/gnu index 24609c1..8d5c972 100644 --- a/contrib/file/magic/Magdir/gnu +++ b/contrib/file/magic/Magdir/gnu @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnu,v 1.17 2016/07/16 22:17:04 christos Exp $ +# $File: gnu,v 1.18 2017/03/17 21:35:28 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format @@ -71,7 +71,7 @@ # they will ordinarily reported as "compressed", but at least -z helps 39 string =<gmr:Workbook Gnumeric spreadsheet -# From: James Youngman <jay@gnu.org> +# 
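Review bot: The new gconv entry matches a single 32-bit value in little-endian order only (`0 lelong 0x20010324`). If glibc writes the cache header in host byte order, which the reference to iconvconfig.h suggests but this hunk does not show, caches from big-endian systems will not be recognised; the gpu entries added in this same commit test both `belong` and `lelong`. A second line `0 belong 0x20010324 gconv module configuration cache data` would cover that case. The `$File: gconv` header also lacks the version and date fields the other Magdir files carry.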
From: James Youngman <jay@gnu.org> # gnu find magic 0 string \0LOCATE GNU findutils locate database data >7 string >\0 \b, format %s diff --git a/contrib/file/magic/Magdir/gpt b/contrib/file/magic/Magdir/gpt index c48a58f..76a223c 100644 --- a/contrib/file/magic/Magdir/gpt +++ b/contrib/file/magic/Magdir/gpt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gpt,v 1.3 2014/04/30 21:41:02 christos Exp $ +# $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) @@ -36,7 +36,7 @@ >>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(454.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -66,7 +66,7 @@ >>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(470.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -96,7 +96,7 @@ >>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(486.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type 
@@ -126,7 +126,7 @@ >>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(502.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -166,7 +166,7 @@ ##>(8.l*8192) string EFI\ PART ##>>(8.l*8192) use gpt-mbr-type ##>>&-8 use gpt-table -##>>0 ubyte x of 8192 bytes +##>>0 ubyte x of 8192 bytes ##>(8.l*8192) string !EFI\ PART ##>>(8.l*4096) string EFI\ PART GPT partition table ##>>>0 use gpt-mbr-type @@ -212,7 +212,7 @@ >>486 ulelong !1 \b (nonstandard: not at LBA 1) # GPT with protective MBR entry in partition 4 >498 ubyte 0xee ->>502 ulelong 1 +>>502 ulelong 1 >>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>502 ulelong !1 \b (nonstandard: not at LBA 1) diff --git a/contrib/file/magic/Magdir/gpu b/contrib/file/magic/Magdir/gpu new file mode 100644 index 0000000..62e30d0 --- /dev/null +++ b/contrib/file/magic/Magdir/gpu 
@@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: gpu,v 1.2 2017/03/23 22:11:53 christos Exp $ +# gpu: file(1) magic for GPU input files + +# Standard Portable Intermediate Representation (SPIR) +# Documentation: https://www.khronos.org/spir +# Typical file extension: .spv + +0 belong 0x07230203 Khronos SPIR-V binary, big-endian +>4 belong x \b, version 0x%08x +>8 belong x \b, generator 0x%08x + +0 lelong 0x07230203 Khronos SPIR-V binary, little-endian +>4 lelong x \b, version 0x%08x +>8 lelong x \b, generator 0x%08x + +# Vulkan Trace file +# Documentation: +# https://github.com/LunarG/VulkanTools/blob/master/vktrace/vktrace_common/\ +# vktrace_trace_packet_identifiers.h +# Typical file extension: .vktrace + +8 lequad 0xABADD068ADEAFD0C Vulkan trace file, little-endian +>0 leshort x \b, version %d + +8 bequad 0xABADD068ADEAFD0C Vulkan trace file, big-endian +>0 beshort x \b, version %d diff --git a/contrib/file/magic/Magdir/gringotts b/contrib/file/magic/Magdir/gringotts index 2bfef1b..b674754 100644 --- a/contrib/file/magic/Magdir/gringotts +++ b/contrib/file/magic/Magdir/gringotts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File: gringotts,v 1.6 2017/03/17 21:35:28 christos Exp $ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo <mano@pluto.linux.it> @@ -9,10 +9,10 @@ #file format 1 >3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 #file format 2 ->3 string 2 v.2, MCRYPT S2K, +>3 string 2 v.2, MCRYPT S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, ->>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, 
@@ -27,10 +27,10 @@ >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format 3 ->3 string 3 v.3, OpenPGP S2K, +>3 string 3 v.3, OpenPGP S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, ->>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, diff --git a/contrib/file/magic/Magdir/hitachi-sh b/contrib/file/magic/Magdir/hitachi-sh index 1b615ae..0238ed7 100644 --- a/contrib/file/magic/Magdir/hitachi-sh +++ b/contrib/file/magic/Magdir/hitachi-sh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hitachi-sh,v 1.7 2015/09/30 20:32:35 christos Exp $ +# $File: hitachi-sh,v 1.8 2017/03/17 21:35:28 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF 
@@ -9,20 +9,20 @@ # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html -# below test line conflicts with 2nd NTFS filesystem sector +# below test line conflicts with 2nd NTFS filesystem sector # 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR # and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/) -0 beshort 0x0500 +0 beshort 0x0500 # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 ubeshort&0x8E80 0 +>18 ubeshort&0x8E80 0 # use big endian variant of subroutine to display name+variables+flags -# for common object formated files +# for common object formated files >>0 use \^display-coff -0 leshort 0x0550 +0 leshort 0x0550 # test for unused flag bits in f_flags ->18 uleshort&0x8E80 0 -# use little endian variant of subroutine to -# display name+variables+flags for common object formated files +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formated files >>0 use display-coff diff --git a/contrib/file/magic/Magdir/ibm370 b/contrib/file/magic/Magdir/ibm370 index 7887dc3..a49b28f 100644 --- a/contrib/file/magic/Magdir/ibm370 +++ b/contrib/file/magic/Magdir/ibm370 
@@ -1,28 +1,28 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # -# 0 short 0535 370 sysV executable +# 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format -# 0 short 0530 370 sysV pure executable +# 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # -0 beshort 0537 370 XA sysV executable +0 beshort 0537 370 XA sysV executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format -0 beshort 0532 370 XA sysV pure executable +0 beshort 0532 370 XA sysV pure executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format diff --git a/contrib/file/magic/Magdir/ibm6000 b/contrib/file/magic/Magdir/ibm6000 index 7f45072..8b48f37 100644 --- a/contrib/file/magic/Magdir/ibm6000 +++ b/contrib/file/magic/Magdir/ibm6000 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.12 2013/09/16 15:12:42 christos Exp $ +# $File: ibm6000,v 1.13 2017/03/17 21:35:28 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -21,7 +21,7 @@ 0 beshort 0x01f7 64-bit XCOFF executable or object module >20 belong 0 not stripped # GRR: this test is still too general as it catches also many FATs of DOS filesystems -4 belong &0x0feeddb0 +4 belong &0x0feeddb0 # real core dump could not be 32-bit and 64-bit together >7 byte&0x03 !3 AIX core file >>1 byte &0x01 fulldump 
diff --git a/contrib/file/magic/Magdir/icc b/contrib/file/magic/Magdir/icc index 37fa30e..55583b7 100644 --- a/contrib/file/magic/Magdir/icc +++ b/contrib/file/magic/Magdir/icc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: icc,v 1.1 2013/01/08 01:43:18 christos Exp $ +# $File: icc,v 1.5 2017/08/13 00:21:47 christos Exp $ # icc: file(1) magic for International Color Consortium file formats # 
@@ -11,41 +11,204 @@ # http://www.color.org/specification/ICC1v43_2010-12.pdf # # for Specification ICC.1:2010 (Profile version 4.3.0.0). +# URL: http://fileformats.archiveteam.org/wiki/ICC_profile +# Reference: http://www.color.org/iccmax/ICC.2-2016-7.pdf +# Update: Joerg Jenderek # # Bytes 36 to 39 contain a generic profile file signature of "acsp"; # bytes 40 to 43 "may be used to identify the primary platform/operating # system framework for which the profile was created". # -# There are other fields that might be worth dumping as well. -# +# check and display ICC/ICM color profile +0 name color-profile +>36 string acsp +# skip ASCII like Cognacspirit.txt by month <= 12 +>>26 ubeshort <13 +# platform/operating system. Only 5 mentioned +# # This appears to be what's used for Apple ColorSync profiles. # Instead of adding that, Apple just changed the generic "acsp" entry # to be for "ColorSync ICC Color Profile" rather than "Kodak Color # Management System, ICC Profile". # Yes, it's "APPL", not "AAPL"; see the spec. -36 string acspAPPL ColorSync ICC Profile -!:mime application/vnd.iccprofile +>>>40 string APPL ColorSync # Microsoft ICM color profile -36 string acspMSFT Microsoft ICM Color Profile -!:mime application/vnd.iccprofile +>>>40 string MSFT Microsoft # Yes, that's a blank after "SGI". -36 string acspSGI\ SGI ICC Profile -!:mime application/vnd.iccprofile +>>>40 string SGI\ SGI # XXX - is this what's used for the Sun KCMS or not? The standard file # uses just "acsp" for that, but Apple's file uses it for "ColorSync", # and there *is* an identified "primary platform" value of SUNW. 
-36 string acspSUNW Sun KCMS ICC Profile +>>>40 string SUNW Sun KCMS + +# 5th platform +>>>40 string TGNT Taligent + +# remaining "l" "e" of "color profile" printed later to avoid error +>>>40 string x color profi +#>>>40 string x (%.4s) !:mime application/vnd.iccprofile +# for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found +>>>8 ubyte =2 +# do not use empty message text to a avoid error like +# icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file.exe: could not find any valid magic files! +>>>>9 ubyte !0 \ble +!:ext icc/icm +# minor version +>>>>9 ubyte =0 \bl +# Kodak colour management system +>>>>>4 string =KCMS \be +!:ext icc/icm/cc +>>>>>4 string !KCMS \be +!:ext icc/icm +>>>8 ubyte !2 \ble +!:ext icc +# Profile version major.4bit-minor.sub1.sub2 like 4.3.0.0 (04300000h) +>>>8 ubyte x %u +>>>9 ubyte/16 x \b.%u +# reserved and shall be null but 205.205 in umx1220u.icm +>>>10 ubyte >0 \b.%u +>>>>11 ubyte >0 \b.%u +# preferred colour management module like appl CCMS KCMS Lino UCCM "Win " "FF " +# skip space like in brmsl08f.icm and null like in brmsl09f.icm, brmsl07f.icm +>>>4 string >\ \b, type %.2s +>>>>6 string >\ \b%.1s +>>>>>7 string >\ \b%.1s +# colour space "XYZ " "Lab " "RGB " CMYK GRAY ... 
+>>>16 string x \b, %.3s +>>>19 string >\ \b%.1s +# Profile Connection Space (PCS) field usually "XYZ " or "Lab " but sometimes +# null or CMYK like in ISOcoated_v2_to_PSOcoated_v3_DeviceLink.icc +>>>20 string >\0 \b/%.3s +>>>>23 string >\ \b%.1s +# eleven device classes +>>>12 string x \b-%.4s device +# skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm +>>>52 string >\040 +# skip "none" model like in "Trinitron Compatible 9300K G2.2.icm" +>>>>52 ubelong !0x6e6f6e65 +# device manufacturer field like "HP " "IBM " EPSO +>>>>>48 string x \b, %.2s +>>>>>50 string >\ \b%.1s +>>>>>51 string >\ \b%.1s +# model like "ADI " "A265" and skip 20000404h in IS330.icm for RICOH RUSSIAN-SC +>>>>>52 string >\ \ \b/%.3s +>>>>>>55 string >\ \b%.1s +>>>>>52 string x model +# creator (often same as manufacture) like HP SONY XROX or null like in A925A.icm +>>>80 string >\0 by %.2s +>>>>82 string >\ \b%.1s +>>>>>83 string >\ \b%.1s +# profile size +>>>0 ubelong x \b, %u bytes +# skip invalid date 0 like in linearSRGB.icc +>>>24 ubequad !0 +# datetime dd-mm-yyyy hh:mm:ss +>>>>28 ubeshort x \b, %u +# month <= 12 +>>>>26 ubeshort x \b-%u +# year +>>>>24 ubeshort x \b-%u +# do not display midnight time like in CNHP8308.ICC +>>>>30 ubequad&0xFFffFFffFFff0000 !0 +# hour <= 24 +>>>>>30 ubeshort x %u +# minutes <= 59 +>>>>>32 ubeshort x \b:%.2u +# seconds <= 59 +>>>>>34 ubeshort x \b:%.2u +# vendor specific flags like 2 in HPCLJ5.ICM +>>>44 ubeshort >0 \b, 0x%x vendor flags +# profile flags bits 0-2 of least 16 used by ICC +#>>>44 ubelong >0 \b, 0x%x flags +# icEmbeddedProfileTrue +>>>44 ubelong &1 \b, embedded +# icEmbeddedProfileFalse +#>>>44 ubelong ^1 \b, not embedded +# icUseWithEmbeddedDataOnly +>>>44 ubelong &2 \b, dependently +# icUseAnywhere +#>>>44 ubelong ^2 \b, independently +>>>44 ubelong &4 \b, MCS +#>>>44 ubelong ^4 \b, no MCS +# vendor specific device attributes 1~srgb.icc +# E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM +>>>56 
ubelong >0 \b, 0x%x vendor attribute +# ICC device attributes bits 0-7 used +#>>>60 ubelong x \b, 0x%x attribute +# http://www.color.org/icc34.h +>>>60 ubelong &0x01 \b, transparent +#>>>60 ubelong ^0x01 \b, reflective +>>>60 ubelong &0x02 \b, matte +#>>>60 ubelong ^0x02 \b, glossy +>>>60 ubelong &0x04 \b, negative +#>>>60 ubelong ^0x04 \b, positive +>>>60 ubelong &0x08 \b, black&white +#>>>60 ubelong ^0x08 \b, colour +>>>60 ubelong &0x10 \b, non-paper +#>>>60 ubelong ^0x10 \b, paper +>>>60 ubelong &0x20 \b, non-textured +#>>>60 ubelong ^0x20 \b, textured +>>>60 ubelong &0x40 \b, non-isotropic +#>>>60 ubelong ^0x40 \b, isotropic +>>>60 ubelong &0x80 \b, self-luminous +#>>>60 ubelong ^0x80 \b, non-self-luminous +# rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM +>>>64 ubelong >3 \b, 0x%x rendering intent +#>>>64 ubelong =0 \b, perceptual +>>>64 ubelong =1 \b, relative colorimetric +>>>64 ubelong =2 \b, saturation +>>>64 ubelong =3 \b, absolute colorimetric +# PCS illuminant (3*s15Fixed16Numbers) often 0000f6d6 00010000 0000d32d +>>>71 ubequad !0xd6000100000000d3 \b, PCS +# usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found +# often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm +>>>>68 ubelong !0x0000f6d5 X=0x%x +# usually Y=1.0~00010000h but Y=0 in brmsl07f.icm +>>>>72 ubelong !0x00010000 Y=0x%x +# usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found +# D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm +>>>>76 ubelong !0x0000d32d Z=0x%x +# Profile ID. MD5 fingerprinting method as defined in Internet RFC 1321. 
+>>>84 ubequad >0 \b, 0x%llx MD5 +# reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD +#>>100 ubequad x \b 0x%llx reserved +# tag table +# 6 <= tags count <= 43 +#>>>128 ubelong >43 \b, %u tags +>>>128 ubelong x +# shall contain the profileDescriptionTag "desc" , copyrightTag "cprt" +# search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508 +>>>>132 search/508 cprt +# but no copyright tag in linearSRGB.icc +# beneath /System/Library/Frameworks/WebKit.framework/ +# Versions/A/Frameworks/WebCore.framework/Versions/A/Resources +>>>>132 default x \b, no copyright tag +# 1st tag +#>>>132 string x \b, 1st tag %.4s +#>>>136 ubelong x 0x%x offset +#>>>140 ubelong x 0x%x len +# 2nd tag,... +# look also for profileDescriptionTag "desc" +>>>132 search/508 desc +# look further for TextDescriptionType "desc" signature +>>>>(&0.L) string =desc +>>>>>&4 pstring/l x "%s" +# look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc +>>>>(&0.L) string =mluc +>>>>>&(&8.L) ubequad x +>>>>>>&4 bestring16 x '%s' # Any other profile. # XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles, # and use "acsp" for everything else and dump the "primary platform" # string in those cases? -36 string acsp ICC Profile -!:mime application/vnd.iccprofile +36 string acsp +>0 use color-profile diff --git a/contrib/file/magic/Magdir/images b/contrib/file/magic/Magdir/images index 3e9cd81..f0d087b 100644 --- a/contrib/file/magic/Magdir/images +++ b/contrib/file/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.117 2016/07/05 19:12:21 christos Exp $ +# $File: images,v 1.126 2017/06/11 22:25:44 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # 
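Review bot: In the new `color-profile` subroutine the profile description is read with `>>>>>&4 pstring/l x "%s"`, and per magic(5) the `l` modifier is a 4-byte little-endian length, while every other field in this subroutine is read big-endian (`ubelong`, `(&0.L)`). If that reading is right, the count of a `desc` tag is misinterpreted and the printed text only stops at the first NUL or the buffer limit; `>>>>>&4 pstring/L x "%s"` would match the byte order used elsewhere. The tag offsets used in `(&0.L)` and `&(&8.L)` are taken straight from the file, so the entry should be run over truncated and malformed profiles as well as the sample files named in the comments.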
@@ -26,23 +26,28 @@ # test of Color Map Type 0~no 1~color map # and Image Type 1 2 3 9 10 11 32 33 # and Color Map Entry Size 0 15 16 24 32 -0 ubequad&0x00FeC400000000C0 0 +0 ubequad&0x00FeC400000000C0 0 # skip more garbage by looking for positive image type ->2 ubyte >0 +>2 ubyte >0 # skip some compiled terminfo by looking for image type less equal 33 ->>2 ubyte <34 +>>2 ubyte <34 # skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel sizes 15 16 24 32 ->>>16 ubyte <33 +>>>16 ubyte <33 # skip more by looking for pixel size 0Fh 10h 18h 20h ->>>>16 ubyte&0xC0 0x00 -# skip 260-16.ico by looking for no color map ->>>>>1 ubyte 0 -# implies no first map entry ->>>>>>3 uleshort 0 ->>>>>>>0 use tga-image +>>>>16 ubyte&0xC0 0x00 # Color Map ->>>>>1 ubyte >0 +>>>>>1 belong&0xfff7ffff 0x01010000 +>>>>>>0 use tga-image +>>>>>1 belong&0xfff7ffff 0x00020000 +>>>>>>0 use tga-image +>>>>>1 belong&0xfff7ffff 0x00030000 >>>>>>0 use tga-image +>>>>>1 default x +# skip 260-16.ico by looking for no color map +>>>>>>1 ubyte 0 +# implies no first map entry +>>>>>>>3 uleshort 0 +>>>>>>>>0 use tga-image # display tga bitmap image information 0 name tga-image >2 ubyte <34 Targa image data @@ -78,7 +83,7 @@ >14 uleshort =0 65536 # Image Pixel Size 15 16 24 32 >16 ubyte x x %d -# X origin of image. 0 normal +# X origin of image. 0 normal >8 uleshort >0 +%d # Y origin of image. 0 normal; positive for top >10 uleshort >0 +%d 
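Review bot: The three new `>>>>>1 belong&0xfff7ffff` tests in the Targa detection carry only the comment `# Color Map`, so the mask and the constants 0x01010000, 0x00020000 and 0x00030000 are unexplained. From the offsets, the four bytes appear to be color map type, image type and the 16-bit first map entry, with the mask dropping the bit that separates image types 1/2/3 from 9/10/11. A comment such as `# bytes 1-4: color map type, image type (bit 3 masked: 1/9, 2/10, 3/11), first map entry 0` above them would make that checkable. The old `# skip 260-16.ico` path now sits under `>>>>>1 default x` and deserves a line saying it is only tried when none of the three patterns match.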
@@ -90,27 +95,27 @@ >17 ubyte &0x10 - right #>17 ubyte ^0x10 - left # some info say other bits 6-7 should be zero -# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm +# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm # 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved #>17 ubyte&0xC0 0x00 - no interleave >17 ubyte&0xC0 0x40 - interleave >17 ubyte&0xC0 0x80 - four way interleave >17 ubyte&0xC0 0xC0 - reserved -# positive length implies identification field ->0 ubyte >0 +# positive length implies identification field +>0 ubyte >0 >>18 string x "%s" # last 18 bytes of newer tga file footer signature ->18 search/4261301/s TRUEVISION-XFILE.\0 +>18 search/4261301/s TRUEVISION-XFILE.\0 # extension area offset if not 0 ->>&-8 ulelong >0 +>>&-8 ulelong >0 # length of the extension area. normal 495 for version 2.0 ->>>(&-4.l) uleshort 0x01EF +>>>(&-4.l) uleshort 0x01EF # AuthorName[41] >>>>&0 string >\0 - author "%-.40s" # Comment[324]=4 * 80 null terminated >>>>&41 string >\0 - comment "%-.80s" # date ->>>>&365 ubequad&0xffffFFFFffff0000 !0 +>>>>&365 ubequad&0xffffFFFFffff0000 !0 # Day >>>>>&-6 uleshort x %d # Month @@ -118,7 +123,7 @@ # Year >>>>>&-4 uleshort x \b-%d # time ->>>>&371 ubequad&0xffffFFFFffff0000 !0 +>>>>&371 ubequad&0xffffFFFFffff0000 !0 # hour >>>>>&-8 uleshort x %d # minutes @@ -128,14 +133,14 @@ # JobName[41] >>>>&377 string >\0 - job "%-.40s" # JobHour Jobminute Jobsecond ->>>>&418 ubequad&0xffffFFFFffff0000 !0 +>>>>&418 ubequad&0xffffFFFFffff0000 !0 >>>>>&-8 uleshort x %d >>>>>&-6 uleshort x \b:%.2d >>>>>&-4 uleshort x \b:%.2d # SoftwareId[41] >>>>&424 string >\0 - %-.40s # SoftwareVersionNumber ->>>>&424 ubyte >0 +>>>>&424 ubyte >0 >>>>>&40 uleshort/100 x %d >>>>>&40 uleshort%100 x \b.%d # VersionLetter 
@@ -143,16 +148,16 @@ # KeyColor >>>>&468 ulelong >0 - keycolor 0x%8.8x # Denominator of Pixel ratio. 0~no pixel aspect ->>>>&474 uleshort >0 +>>>>&474 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - aspect %d >>>>>&-2 uleshort x \b/%d # Denominator of Gamma ratio. 0~no Gamma value ->>>>&478 uleshort >0 +>>>>&478 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - gamma %d >>>>>&-2 uleshort x \b/%d -# ColorOffset +# ColorOffset #>>>>&480 ulelong x - col offset 0x%8.8x # StampOffset #>>>>&484 ulelong x - stamp offset 0x%8.8x @@ -170,43 +175,43 @@ >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s -0 search/1 P1 ->0 regex/4 P1\\s +0 search/1 P1 +>0 regex/4 P1[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, bitmap !:strength + 45 !:mime image/x-portable-bitmap -0 search/1 P2 ->0 regex/4 P2\\s +0 search/1 P2 +>0 regex/4 P2[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, greymap !:strength + 45 !:mime image/x-portable-greymap 0 search/1 P3 ->0 regex/4 P3\\s +>0 regex/4 P3[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, pixmap !:strength + 45 !:mime image/x-portable-pixmap -0 string P4 ->0 regex/4 P4\\s +0 string P4 +>0 regex/4 P4[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, bitmap !:strength + 45 !:mime image/x-portable-bitmap -0 string P5 ->0 regex/4 P5\\s +0 string P5 +>0 regex/4 P5[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, greymap !:strength + 45 !:mime image/x-portable-greymap -0 string P6 ->0 regex/4 P6\\s +0 string P6 +>0 regex/4 P6[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, pixmap !:strength + 45 @@ -303,7 +308,7 @@ >>>8 leshort 0x8765 \bJBIG >>>8 leshort 0x8798 \bJPEG2000 >>>8 leshort 0x8799 \bNikon NEF Compressed ->>>8 default x +>>>8 default x >>>>8 leshort x \b(unknown 0x%x) >>>12 use tiff_entry >0 leshort 0x106 \b, PhotometricIntepretation= 
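Review bot: The `regex/4` lines for `P1` through `P6` replace `\\s` with the explicit class `[\040\t\f\r\n]` without saying why, and the class is not quite what `\s` usually matches (vertical tab is left out). Presumably the motive is that `\s` is not supported by every regcomp() implementation. A comment before the `P1` entry such as `# explicit whitespace class: \s is not portable across regcomp() implementations` would keep a later cleanup from reverting it.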
@@ -414,21 +419,35 @@ # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # -# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... +# 137 P N G \r \n ^Z \n [4-byte length] I H D R [HEAD data] [HEAD crc] ... # -0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data + +# IHDR parser +0 name png-ihdr +>0 belong x \b, %d x +>4 belong x %d, +>8 byte x %d-bit +>9 byte 0 grayscale, +>9 byte 2 \b/color RGB, +>9 byte 3 colormap, +>9 byte 4 gray+alpha, +>9 byte 6 \b/color RGBA, +#>10 byte 0 deflate/32K, +>12 byte 0 non-interlaced +>12 byte 1 interlaced + +# Standard PNG image. +0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data !:mime image/png ->16 belong x \b, %d x ->20 belong x %d, ->24 byte x %d-bit ->25 byte 0 grayscale, ->25 byte 2 \b/color RGB, ->25 byte 3 colormap, ->25 byte 4 gray+alpha, ->25 byte 6 \b/color RGBA, -#>26 byte 0 deflate/32K, ->28 byte 0 non-interlaced ->28 byte 1 interlaced +!:strength +10 +>16 use png-ihdr + +# Apple CgBI PNG image. +0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x04CgBI +>24 string \x00\x00\x00\x0DIHDR PNG image data (CgBI) +!:mime image/png +!:strength +10 +>>32 use png-ihdr # possible GIF replacements; none yet released! # (Greg Roelofs, newt@uchicago.edu) @@ -438,13 +457,13 @@ !:mime image/x-unknown # # GRR 950115: this is Jeremy Wohl's Free Graphics Format (better): -# +# 0 string FGF95a FGF image (GIF+deflate beta) !:mime image/x-unknown # # GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal # (best; not yet implemented): -# +# 0 string PBF PBF image (deflate compression) !:mime image/x-unknown 
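Review bot: Both new top-level PNG strings extend past the 8-byte signature, so a file that carries the signature but does not begin with a 13-byte `IHDR` chunk (or `CgBI` followed by it) no longer gets any PNG description or `image/png` type from this hunk. Where file(1) output is used to triage uploads or attachments, truncated or malformed PNGs will now fall through to whatever other entry matches. If that is not intended, a plain fallback on the bare signature would keep them visible, for example `0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data, first chunk not IHDR`, which should rank below the two longer strings. The layout comment was corrected to `I H D R` but still reads `[HEAD data] [HEAD crc]`; it should read `[IHDR data] [IHDR crc]`.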
@@ -528,19 +547,19 @@ # http://www.blackfiveservices.co.uk/awbmtools.shtml # http://biosgfx.narod.ru/v3/ # http://biosgfx.narod.ru/abr-2/ -0 string AWBM +0 string AWBM >4 leshort <1981 Award BIOS bitmap !:mime image/x-award-bmp # image width is a multiple of 4 ->>4 leshort&0x0003 0 +>>4 leshort&0x0003 0 >>>4 leshort x \b, %d >>>6 leshort x x %d >>4 leshort&0x0003 >0 \b, ->>>4 leshort&0x0003 =1 +>>>4 leshort&0x0003 =1 >>>>4 leshort x %d+3 ->>>4 leshort&0x0003 =2 +>>>4 leshort&0x0003 =2 >>>>4 leshort x %d+2 ->>>4 leshort&0x0003 =3 +>>>4 leshort&0x0003 =3 >>>>4 leshort x %d+1 >>>6 leshort x x %d # at offset 8 starts imagedata followed by "RGB " marker @@ -764,11 +783,11 @@ # http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt # GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 # test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT -0 ubelong&0xffF8fe00 0x0a000000 -# for PCX bit depth > 0 ->3 ubyte >0 +0 ubelong&0xffF8fe00 0x0a000000 +# for PCX bit depth > 0 +>3 ubyte >0 # test for valid versions ->>1 ubyte <6 +>>1 ubyte <6 >>>1 ubyte !1 PCX !:mime image/x-pcx #!:mime image/pcx 
@@ -828,29 +847,29 @@ # Update: Joerg Jenderek # See http://fileformats.archiveteam.org/wiki/GEM_Raster # For variations, also see: -# http://www.seasip.info/Gem/ff_img.html (Ventura) +# http://www.seasip.info/Gem/ff_img.html (Ventura) # http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) # http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) # http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) 0 beshort 0x0001 # header_size ->2 beshort 0x0008 +>2 beshort 0x0008 >>0 use gem_info ->2 beshort 0x0009 +>2 beshort 0x0009 >>0 use gem_info # no example for NOSIG ->2 beshort 24 +>2 beshort 24 >>0 use gem_info # no example for HYPERPAINT ->2 beshort 25 +>2 beshort 25 >>0 use gem_info -16 string XIMG\0 +16 string XIMG\0 >0 use gem_info # no example -16 string STTT\0\x10 +16 string STTT\0\x10 >0 use gem_info # no example or description -16 string TIMG\0 +16 string TIMG\0 >0 use gem_info 0 name gem_info @@ -859,15 +878,15 @@ # http://www.snowstone.org.uk/riscos/mimeman/mimemap.txt !:mime image/x-gem # header_size 24 25 27 59 779 words for colored bitmaps ->>2 beshort >9 +>>2 beshort >9 >>>16 string STTT\0\x10 STTT >>>16 string TIMG\0 TIMG # HYPERPAINT or NOSIG variant ->>>16 string \0\x80 +>>>16 string \0\x80 >>>>2 beshort =24 NOSIG >>>>2 beshort !24 HYPERPAINT # NOSIG or XIMG variant ->>>16 default x +>>>16 default x >>>>16 string !XIMG\0 NOSIG >>16 string =XIMG\0 XIMG Image data !:ext img/ximg @@ -1177,7 +1196,7 @@ # updated by: Joerg Jenderek # URL: http://techmods.net/nuvi/ 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file -# extension is also used for +# extension is also used for # Sony SRF raw image (image/x-sony-srf) # SRF map # Terragen Surface Map (http://www.planetside.co.uk/terragen) @@ -1318,7 +1337,7 @@ !:mime image/x-icns !:apple ????icns !:ext icns ->4 ubelong >0 +>4 ubelong >0 # file size >>4 ubelong x \b, %d bytes # icon type 
@@ -1451,3 +1470,12 @@ >0x10 string GVRT Sega GVR image: >>0x10 use sega-gvr-image-header >>0x08 belong x \b, global index = %u + +# Light Field Picture +# Documentation: http://optics.miloush.net/lytro/TheFileFormat.aspx +# Typical file extensions: .lfp .lfr .lfx + +0 belong 0x894C4650 +>4 belong 0x0D0A1A0A +>12 belong 0x00000000 Lytro Light Field Picture +>8 belong x \b, version %d diff --git a/contrib/file/magic/Magdir/intel b/contrib/file/magic/Magdir/intel index 3f96b75..c4f0254 100644 --- a/contrib/file/magic/Magdir/intel +++ b/contrib/file/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.14 2015/11/10 00:13:27 christos Exp $ +# $File: intel,v 1.15 2017/03/17 21:35:28 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -36,8 +36,8 @@ # ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file" # ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan -0 leshort =0514 -# use subroutine to display name+flags+variables for common object formated files +0 leshort =0514 +# use subroutine to display name+flags+variables for common object formated files >0 use display-coff #>12 lelong >0 not stripped # no hint found, that at offset 22 is version diff --git a/contrib/file/magic/Magdir/isz b/contrib/file/magic/Magdir/isz index 3388a82..af68db2 100644 --- a/contrib/file/magic/Magdir/isz +++ b/contrib/file/magic/Magdir/isz @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: isz,v 1.3 2014/04/30 21:41:02 christos Exp $ -# ISO Zipped file format +# $File: isz,v 1.4 2017/03/17 21:35:28 christos Exp $ +# ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file >4 byte x \b, header size %u 
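Review bot: In the new Lytro entry the `>8 belong x \b, version %d` line sits at the same level as `>4` and `>12`, so it prints for any file that starts with 0x894C4650, even when the `0x0D0A1A0A` or zero checks fail; such a file would be reported as a bare ", version N". Nesting the tests ties the description and the version to the full signature: `>4 belong 0x0D0A1A0A`, then `>>12 belong 0x00000000 Lytro Light Field Picture`, then `>>>8 belong x \b, version %d`. The entry also sets no `!:mime` or `!:ext`, although the comment lists .lfp, .lfr and .lfx; `!:ext lfp/lfr/lfx` under the description line would match how other entries in this file are annotated.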
diff --git a/contrib/file/magic/Magdir/jpeg b/contrib/file/magic/Magdir/jpeg index 2b49c21..57adb1e 100644 --- a/contrib/file/magic/Magdir/jpeg +++ b/contrib/file/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.30 2016/07/04 15:18:23 christos Exp $ +# $File: jpeg,v 1.31 2017/03/17 21:35:28 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -53,14 +53,14 @@ >>5 beshort x \b%d >>9 byte x \b, frames %d ->0 beshort 0xFFC1 +>0 beshort 0xFFC1 >>(2.S+2) use jpeg_segment >>4 byte x \b, extended sequential, precision %d >>7 beshort x \b, %dx >>5 beshort x \b%d >>9 byte x \b, frames %d ->0 beshort 0xFFC2 +>0 beshort 0xFFC2 >>(2.S+2) use jpeg_segment >>4 byte x \b, progressive, precision %d >>7 beshort x \b, %dx @@ -71,11 +71,11 @@ >0 beshort 0xFFC4 >>(2.S+2) use jpeg_segment ->0 beshort 0xFFE1 +>0 beshort 0xFFE1 # Recursion handled by FFE0 #>>(2.S+2) use jpeg_segment >>4 string Exif \b, Exif Standard: [ ->>>10 indirect/r x +>>>10 indirect/r x >>>10 string x \b] # Application specific markers diff --git a/contrib/file/magic/Magdir/kerberos b/contrib/file/magic/Magdir/kerberos index cb07fed..93b8f79 100644 --- a/contrib/file/magic/Magdir/kerberos +++ b/contrib/file/magic/Magdir/kerberos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: kerberos,v 1.1 2014/12/10 18:45:43 christos Exp $ +# $File: kerberos,v 1.2 2017/03/17 21:35:28 christos Exp $ # kerberos: MIT kerberos file binary formats # @@ -38,7 +38,7 @@ >>>>>&0 bedate x \b, date=%s >>>>>>&0 byte x \b, kvno=%u #>>>>>>>&0 pstring/H x -#>>>>>>>>&0 belong x +#>>>>>>>>&0 belong x #>>>>>>>>>>&0 use keytab_entry 0 belong 0x05020000 Kerberos Keytab file diff --git a/contrib/file/magic/Magdir/kml b/contrib/file/magic/Magdir/kml index ed0f42e..d603ea8 100644 --- a/contrib/file/magic/Magdir/kml +++ b/contrib/file/magic/Magdir/kml 
@@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ +# $File: kml,v 1.4 2017/03/17 21:35:28 christos Exp $ # Type: Google KML, formerly Keyhole Markup Language # Future development of this format has been handed # over to the Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> 0 string/t \<?xml ->20 search/400 \ xmlns= +>20 search/400 \ xmlns= >>&0 regex ['"]http://earth.google.com/kml Google KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string 2.0' \b, version 2.0 @@ -25,7 +25,7 @@ >>>&1 string/t 2.2 \b, version 2.2 #------------------------------------------------------------------------------ -# Type: Google KML Archive (ZIP based) +# Type: Google KML Archive (ZIP based) # http://code.google.com/apis/kml/documentation/kml_tut.html # From: Asbjoern Sloth Toennesen <asbjorn@lila.io> 0 string PK\003\004 diff --git a/contrib/file/magic/Magdir/linux b/contrib/file/magic/Magdir/linux index c8cc0df..0630a8a 100644 --- a/contrib/file/magic/Magdir/linux +++ b/contrib/file/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $ +# $File: linux,v 1.64 2017/03/17 21:35:28 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> @@ -199,7 +199,7 @@ ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless ->5 string . +>5 string . >>4 string >\0 \b, libc version %s 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable 
@@ -213,7 +213,7 @@ >2 byte&0x40 !0 \b, A_PURE >2 byte&0x80 !0 \b, A_TOVLY >28 long !0 \b, not stripped ->37 string . +>37 string . >>36 string >\0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable @@ -241,7 +241,7 @@ >24 lelong x %d symbols >28 lelong x %d ocons -# Linux Logical Volume Manager (LVM) +# Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net> # # System ID, UUID and volume group name are 128 bytes long @@ -301,7 +301,7 @@ >>&0x20 lequad x \b, size: %lld 0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) ->&(&-12.l-0x21) byte x +>&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s @@ -340,7 +340,7 @@ # Summary: Xen saved domain file # Created by: Radek Vokal <rvokal@redhat.com> 0 string LinuxGuestRecord Xen saved domain ->20 search/256 (name +>20 search/256 (name >>&1 string x (name %s) # Type: Xen, the virtual machine monitor @@ -397,7 +397,7 @@ >>0x1046 ubeshort x \b%04x # Linux device tree: -# File format description can be found in the Linux kernel sources at +# File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed diff --git a/contrib/file/magic/Magdir/lisp b/contrib/file/magic/Magdir/lisp index db0592e..43d102e 100644 --- a/contrib/file/magic/Magdir/lisp +++ b/contrib/file/magic/Magdir/lisp 
@@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: lisp,v 1.24 2015/11/30 20:54:26 christos Exp $ +# $File: lisp,v 1.25 2017/03/17 21:35:28 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) # updated by Joerg Jenderek # GRR: This lot is too weak -#0 string ;; +#0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end #>2 search/4096 !\r Lisp/Scheme program text @@ -28,9 +28,9 @@ # URL: https://en.wikipedia.org/wiki/Emacs_Lisp # Reference: http://ftp.gnu.org/old-gnu/emacs/elisp-manual-18-1.03.tar.gz -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Emacs 18 - this is always correct, but not very magical. -0 string \012( +0 string \012( # look for emacs lisp keywords # GRR: split regex because it is too long or get error like # lisp, 36: Warning: cannot get string from `^(defun|defvar|defconst|defmacro|setq|fset|put|provide|require|' @@ -50,13 +50,13 @@ # Emacs 19+ - ver. recognition added by Ian Springer # Also applies to XEmacs 19+ .elc files; could tell them apart with regexs # - Chris Chittleborough <cchittleborough@yahoo.com.au> -# Update: Joerg Jenderek -0 string ;ELC +# Update: Joerg Jenderek +0 string ;ELC # version\0\0\0 >4 byte >18 Emacs/XEmacs v%d byte-compiled Lisp data # why less than 32 ? does not make sense to me. GNU Emacs version is 24.5 at April 2015 #>4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data -!:mime application/x-elc +!:mime application/x-elc !:apple EMAxTEXT !:ext elc @@ -67,7 +67,7 @@ 0 long 0x70768BD2 CLISP memory image data 0 long 0xD28B7670 CLISP memory image data, other endian -#.com and .bin for MIT scheme +#.com and .bin for MIT scheme 0 string \372\372\372\372 MIT scheme (library?) # From: David Allouche <david@allouche.net> 
diff --git a/contrib/file/magic/Magdir/m4 b/contrib/file/magic/Magdir/m4 index f6b5e52..3a1c6d1 100644 --- a/contrib/file/magic/Magdir/m4 +++ b/contrib/file/magic/Magdir/m4 @@ -1,6 +1,9 @@ #------------------------------------------------------------------------------ -# $File: m4,v 1.1 2011/12/08 12:12:46 rrt Exp $ +# $File: m4,v 1.2 2017/08/14 07:40:38 christos Exp $ # make: file(1) magic for M4 scripts # 0 regex \^dnl\ M4 macro processor script text !:mime text/x-m4 +0 regex \^AC_DEFUN\\(\\[ M4 macro processor script text +!:strength + 15 +!:mime text/x-m4 diff --git a/contrib/file/magic/Magdir/macintosh b/contrib/file/magic/Magdir/macintosh index d7f20f2..e7c0e5e 100644 --- a/contrib/file/magic/Magdir/macintosh +++ b/contrib/file/magic/Magdir/macintosh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.26 2015/11/25 00:36:02 christos Exp $ +# $File: macintosh,v 1.27 2017/03/17 21:35:28 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -109,9 +109,9 @@ # the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will # have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, # and that 74 will be 0. So something like -# +# # 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data -# +# # >73 byte&0x01 0x01 \b, inited # >73 byte&0x02 0x02 \b, changed # >73 byte&0x04 0x04 \b, busy @@ -254,7 +254,7 @@ >0x9C string INDEX data file index >0x9C string VIEW data view -# spss magic for SPSS system and portable files, +# spss magic for SPSS system and portable files, # from Bruce Foster (bef@nwu.edu). 0 long 0xc1e2c3c9 SPSS Portable File 
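Review bot: The added `0 regex \^AC_DEFUN\\(\\[` entry has no line or byte limit and is raised with `!:strength + 15`, so a text file with that token at the start of any line inside the default regex range is labelled M4 ahead of other text detections. The makefile entries in Magdir/make bound their search with `regex/100l`. Doing the same here, `0 regex/100l \^AC_DEFUN\\(\\[ M4 macro processor script text`, would keep both the matching cost and the false-positive window predictable. A one-line comment naming the files that motivated the +15 would also help the next person who tunes strengths.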
@@ -273,7 +273,7 @@ # entries depend on the data arithmetic added after v.35 # There's also some Pascal strings in here, ditto... -# The boot block signature, according to IM:Files, is +# The boot block signature, according to IM:Files, is # "for HFS volumes, this field always contains the value 0x4C4B." # But if this is true for MFS or HFS+ volumes, I don't know. # Alternatively, the boot block is supposed to be zeroed if it's @@ -291,10 +291,10 @@ # *.hfs updated by Joerg Jenderek # http://en.wikipedia.org/wiki/Hierarchical_File_System # "BD" gives many false positives -0x400 beshort 0x4244 +0x400 beshort 0x4244 # ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h # first block of volume bit map (always 3) ->0x40e ubeshort 0x0003 +>0x40e ubeshort 0x0003 # maximal length of volume name is 27 >>0x424 ubyte <28 Macintosh HFS data !:mime application/x-apple-diskimage @@ -351,15 +351,15 @@ #>0x230 string x first type: %s, #>0x210 string x name: %s, #>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D +#>0x400 beshort 0x504D #>>0x430 string x second type: %s, #>>0x410 string x name: %s, #>>0x454 belong x number of blocks: %d, -#>>0x800 beshort 0x504D +#>>0x800 beshort 0x504D #>>>0x830 string x third type: %s, #>>>0x810 string x name: %s, #>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D +#>>>0xa00 beshort 0x504D #>>>>0xa30 string x fourth type: %s, #>>>>0xa10 string x name: %s, #>>>>0xa54 belong x number of blocks: %d diff --git a/contrib/file/magic/Magdir/make b/contrib/file/magic/Magdir/make index f8509d6..2895325 100644 --- a/contrib/file/magic/Magdir/make +++ b/contrib/file/magic/Magdir/make 
@@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: make,v 1.2 2015/08/25 07:34:06 christos Exp $ +# $File: make,v 1.3 2016/12/10 14:21:29 christos Exp $ # make: file(1) magic for makefiles # +# URL: https://en.wikipedia.org/wiki/Make_(software) 0 regex/100l \^CFLAGS makefile script text !:mime text/x-makefile 0 regex/100l \^VPATH makefile script text @@ -10,12 +11,19 @@ !:mime text/x-makefile 0 regex/100l \^all: makefile script text !:mime text/x-makefile -0 regex/100l \^\.PRECIOUS makefile script text +0 regex/100l \^\\.PRECIOUS makefile script text !:mime text/x-makefile -0 regex/100l \^\.BEGIN BSD makefile script text +# Update: Joerg Jenderek +# Reference: https://www.freebsd.org/cgi/man.cgi?make(1) +# exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST" +# by additional escaping point character +0 regex/100l \^\\.BEGIN BSD makefile script text with "%s" !:mime text/x-makefile -0 regex/100l \^\.include BSD makefile script text +!:ext /mk +# exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT" +# and NSIS script with "!include" by additional escaping point character +0 regex/100l \^\\.include BSD makefile script text with "%s" !:mime text/x-makefile - +!:ext /mk 0 regex/100l \^SUBDIRS automake makefile script text !:mime text/x-makefile diff --git a/contrib/file/magic/Magdir/maple b/contrib/file/magic/Magdir/maple index 05a8eaf..44ab284 100644 --- a/contrib/file/magic/Magdir/maple +++ b/contrib/file/magic/Magdir/maple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: maple,v 1.7 2013/01/11 16:45:23 christos Exp $ +# $File: maple,v 1.8 2017/03/17 21:35:28 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" <aldomel@ix.netcom.com> # Maple V release 4, a multi-purpose math program 
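Review bot: The two `!:ext /mk` lines added for the `.BEGIN` and `.include` rules in the second make hunk do not explain the leading slash, and the neighbouring makefile rules (`.PRECIOUS`, `SUBDIRS`) get no `!:ext` at all. If the empty first entry is meant to cover extensionless names such as `Makefile`, say so above the first use, for example `# ext: empty entry = no suffix (Makefile), otherwise .mk`. The new `with "%s"` suffix also looks like it only echoes the matched keyword back, so it is worth confirming that this is wanted in the final description rather than left over from testing.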
@@ -13,7 +13,7 @@ # no magic for these :-( # they are compiled indexes for maple files -# .hdb +# .hdb 0 string \000\004\000\000 Maple help database # .mhp @@ -40,7 +40,7 @@ # from byte 4 it is either 'nul E' or 'soh R' # I think 'nul E' means a file that was saved as a different name # a sort of revision marking -# 'soh R' means new +# 'soh R' means new >4 string \000\105 An old revision >4 string \001\122 The latest save diff --git a/contrib/file/magic/Magdir/marc21 b/contrib/file/magic/Magdir/marc21 index 7e859a3..fd509ec 100644 --- a/contrib/file/magic/Magdir/marc21 +++ b/contrib/file/magic/Magdir/marc21 @@ -2,27 +2,29 @@ # marc21: file(1) magic for MARC 21 Format # # Kevin Ford (kefo@loc.gov) -# +# # MARC21 formats are for the representation and communication # of bibliographic and related information in machine-readable # form. For more info, see http://www.loc.gov/marc/ # leader position 20-21 must be 45 -20 string 45 +# and 22-23 also 00 so far, but we check that later. +20 string 45 +>0 search/2048 \x1e # leader starts with 5 digits, followed by codes specific to MARC format ->0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic +>>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic !:mime application/marc ->0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority +>>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority !:mime application/marc ->0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings +>>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings !:mime application/marc -0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification +>>0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification !:mime application/marc ->0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community +>>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community !:mime application/marc # leader position 22-23, should be "00" but is it? ->0 regex/1l (^.{21})([^0]{2}) (non-conforming) +>>0 regex/1l (^.{21})([^0]{2}) (non-conforming) !:mime application/marc 
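Review bot: In the marc21 hunk the re-indented `(non-conforming)` test still does not check the bytes its comment names. The parent test `20 string 45` puts "45" at offsets 20-21, but `(^.{21})([^0]{2})` consumes offsets 0-20 and then tests offsets 21-22, so the first class always matches the "5" and offset 23 is never examined. A leader ending in "01" would therefore pass as conforming. Skipping 22 characters and flagging either byte fixes that: `>>0 regex/1l (^.{22})([^0].|.[^0]) (non-conforming)`.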
diff --git a/contrib/file/magic/Magdir/mathematica b/contrib/file/magic/Magdir/mathematica index a93899e..e76957e 100644 --- a/contrib/file/magic/Magdir/mathematica +++ b/contrib/file/magic/Magdir/mathematica @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.8 2015/04/09 20:01:40 christos Exp $ +# $File: mathematica,v 1.9 2017/03/17 21:35:28 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" <aldomel@ix.netcom.com> # Mathematica a multi-purpose math program @@ -49,7 +49,7 @@ #0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file 0 string (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file -#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 +#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 # >71... is optional >88 string >\0 from %s @@ -59,7 +59,7 @@ 0 string MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think) # .ml files These are menu resources I think -# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ +# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ # how to put that into a magic rule? 4 string \ A~ MAthematica .ml file diff --git a/contrib/file/magic/Magdir/metastore b/contrib/file/magic/Magdir/metastore index 285c3cf..53f5b37 100644 --- a/contrib/file/magic/Magdir/metastore +++ b/contrib/file/magic/Magdir/metastore @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: metastore,v 1.1 2011/04/06 12:37:44 christos Exp $ +# $File: metastore,v 1.2 2017/03/17 21:35:28 christos Exp $ # metastore: file(1) magic for metastore files # From: Thomas Wissen # see http://david.hardeman.nu/software.php#metastore -0 string MeTaSt00r3 Metastore data file, +0 string MeTaSt00r3 Metastore data file, >10 bequad x version %0llx 
diff --git a/contrib/file/magic/Magdir/meteorological b/contrib/file/magic/Magdir/meteorological index 541bbbf..9e7a3f1 100644 --- a/contrib/file/magic/Magdir/meteorological +++ b/contrib/file/magic/Magdir/meteorological @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: meteorological,v 1.1 2014/08/04 06:26:16 christos Exp $ +# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf @@ -34,7 +34,7 @@ >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/meteorological ->80 search/256 XXRINEXN RINEX Data, Navigation +>80 search/256 XXRINEXN RINEX Data, Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation diff --git a/contrib/file/magic/Magdir/microfocus b/contrib/file/magic/Magdir/microfocus index b2d204b..e5b247c 100644 --- a/contrib/file/magic/Magdir/microfocus +++ b/contrib/file/magic/Magdir/microfocus @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: microfocus,v 1.1 2016/02/09 01:22:49 christos Exp $ -# Micro Focus COBOL data files. +# $File: microfocus,v 1.2 2017/03/17 21:35:28 christos Exp $ +# Micro Focus COBOL data files. # http://documentation.microfocus.com/help/index.jsp?topic=\ # %2FGUID-0E0191D8-C39A-44D1-BA4C-D67107BAF784%2FHRFLRHFILE05.html diff --git a/contrib/file/magic/Magdir/mime b/contrib/file/magic/Magdir/mime index 42ca52d..57b2dd5 100644 --- a/contrib/file/magic/Magdir/mime +++ b/contrib/file/magic/Magdir/mime 
@@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: mime,v 1.6 2010/11/25 15:00:12 christos Exp $ +# $File: mime,v 1.8 2017/03/17 22:20:22 christos Exp $ # mime: file(1) magic for MIME encoded files # -0 string/t Content-Type:\ +0 string/t Content-Type:\040 >14 string >\0 %s 0 string/t Content-Type: >13 string >\0 %s diff --git a/contrib/file/magic/Magdir/misctools b/contrib/file/magic/Magdir/misctools index eeb518d..3ce91b5 100644 --- a/contrib/file/magic/Magdir/misctools +++ b/contrib/file/magic/Magdir/misctools @@ -1,6 +1,6 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.16 2016/02/14 15:46:52 christos Exp $ +# $File: misctools,v 1.17 2017/03/17 21:35:28 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text @@ -14,7 +14,7 @@ #!:mime text/x-vcard !:mime text/vcard # VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere ->12 search/14000/c VERSION: +>12 search/14000/c VERSION: # VERSION 2.1 , 3.0 or 4.0 >>&0 string x \b, version %-.3s @@ -48,7 +48,7 @@ >12 ulelong !0x20 \b, 0x%8.8x RVA # CheckSum 0 >16 ulelong !0 \b, CheckSum 0x%8.8x -# Reserved or TimeDateStamp +# Reserved or TimeDateStamp >20 ledate x \b, %s # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx # Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 diff --git a/contrib/file/magic/Magdir/modem b/contrib/file/magic/Magdir/modem index e4decfd..d988e90 100644 --- a/contrib/file/magic/Magdir/modem +++ b/contrib/file/magic/Magdir/modem @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.7 2016/01/08 00:56:42 christos Exp $ +# $File: modem,v 1.8 2017/03/17 21:35:28 christos Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche <florian@knorke.saar.de> 
@@ -13,24 +13,24 @@ # URL: https://de.wikipedia.org/wiki/Fax # Reference: http://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others -0 short 0x0100 +0 short 0x0100 # 16 0-bits near beginning like True Type fonts *.ttf, Postscript PrinterFontMetric *.pfm, FTYPE.HYPERCARD, XFER ->2 search/9 \0\0 +>2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x +>2 default x # skip IRCAM file (VAX big-endian) ./audio ->>0 belong !0x0001a364 +>>0 belong !0x0001a364 # skip GEM Image data ./images ->>>2 beshort !0x0008 +>>>2 beshort !0x0008 # look for first keyword of Panorama database *.pan ->>>>11 search/262 \x06DESIGN +>>>>11 search/262 \x06DESIGN # skip Panorama database ->>>>11 default x +>>>>11 default x # old Apple DreamWorld DreamGrafix *.3200 with keyword at end of g3 looking files ->>>>>27118 search/1864 DreamWorld ->>>>>27118 default x +>>>>>27118 search/1864 DreamWorld +>>>>>27118 default x # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom ->>>>>>8 ubequad !0x2e01010454010203 +>>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom >>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" @@ -39,9 +39,9 @@ !:ext g3 # unusual image starting with black pixel #0 short 0x1300 raw G3 (Group 3) FAX -0 short 0x1400 +0 short 0x1400 # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom ->2 search/9 \0\0 +>2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 >2 default x raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" diff --git a/contrib/file/magic/Magdir/mozilla b/contrib/file/magic/Magdir/mozilla index 173018c..2328801 100644 
--- a/contrib/file/magic/Magdir/mozilla +++ b/contrib/file/magic/Magdir/mozilla @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: mozilla,v 1.6 2015/01/25 16:20:46 christos Exp $ -# mozilla: file(1) magic for Mozilla XUL fastload files +# $File: mozilla,v 1.7 2017/03/17 21:35:28 christos Exp $ +# mozilla: file(1) magic for Mozilla XUL fastload files # (XUL.mfasl and XPC.mfasl) # URL: http://www.mozilla.org/ # From: Josh Triplett <josh@freedesktop.org> diff --git a/contrib/file/magic/Magdir/msdos b/contrib/file/magic/Magdir/msdos index 55ea3e8..6eb12c2 100644 --- a/contrib/file/magic/Magdir/msdos +++ b/contrib/file/magic/Magdir/msdos @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.111 2016/09/14 01:26:26 christos Exp $ +# $File: msdos,v 1.120 2017/08/13 00:21:47 christos Exp $ # msdos: file(1) magic for MS-DOS files # # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) # updated by Joerg Jenderek at Oct 2008,Apr 2011 -0 string/t @ +0 string/t @ >1 string/cW \ echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW echo\ off DOS batch file text @@ -230,7 +230,7 @@ >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s ->>&(&0x42.l-3) byte x +>>&(&0x42.l-3) byte x >>>&0x26 string UPX \b, UPX compressed # and yet another guess: small .text, and after large .data is unusal, could be 32lite >>&0x2c search/0xa0 .text @@ -240,8 +240,8 @@ >(8.s*16) string $WdX \b, WDos/X DOS extender # By now an executable type should have been printed out. The executable -# may be a self-uncompressing archive, so look for evidence of that and -# print it out. +# may be a self-uncompressing archive, so look for evidence of that and +# print it out. # # Some signatures below from Greg Roelofs, newt@uchicago.edu. # 
@@ -283,8 +283,8 @@ # Skip to the end of the EXE. This will usually work fine in the PE case # because the MZ image is hardcoded into the toolchain and almost certainly # won't match any of these signatures. ->(4.s*512) long x ->>&(2.s-517) byte x +>(4.s*512) long x +>>&(2.s-517) byte x >>>&0 string PK\3\4 \b, ZIP self-extracting archive >>>&0 string Rar! \b, RAR self-extracting archive >>>&0 string =!\x11 \b, AIN 2.x self-extracting archive 
@@ -312,71 +312,77 @@ # only version=0x100 found >3 uleshort x \b, version 0x%x # length of string containing author,info and special characters ->6 ubyte >0 +>6 ubyte >0 #>>6 pstring x \b, name=%s >>7 string >\0 \b, author=%-.14s >>7 search/254 \xff \b, info= #>>>&0 string x \b%-s >>>&0 string x \b%-.15s -# for FreeDOS *.KL files +# for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found >3 uleshort x \b, version 0x%x # stringlength ->5 ubyte >0 +>5 ubyte >0 >>8 string x \b, name=%-.2s -0 string \xffKEYB\ \ \ \0\0\0\0 +0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011 -# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 -0 ulequad&0x07a0ffffffff 0xffffffff DOS executable ( ->40 search/7 UPX! \bUPX compressed +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 +# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +0 ulequad&0x07a0ffffffff 0xffffffff +>0 use msdos-driver +0 name msdos-driver DOS executable ( +#!:mime application/octet-stream +!:mime application/x-dosdriver +# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN +!:ext sys/dev/bin +>40 search/7 UPX! 
\bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b ->>4 uleshort&0x0008 0x0008 \bclock +>>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h ->>4 uleshort&0x0010 0x0010 \bfast +>>4 uleshort&0x0010 0x0010 \bfast # standard input/output device ->>4 uleshort&0x0003 >0 \bstandard +>>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ ->>>4 uleshort&0x0002 0x0002 \boutput +>>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver ->0 ubyte x +>0 ubyte x # upx compressed device driver has garbage instead of real in name field of header ->>40 search/7 UPX! ->>40 default x +>>40 search/7 UPX! +>>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped ->>>12 ubyte >0x27 \b ->>>>10 ubyte >0x20 ->>>>>10 ubyte !0x2E +>>>12 ubyte >0x2E \b +>>>>10 ubyte >0x20 +>>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c ->>>>11 ubyte >0x20 +>>>>11 ubyte >0x20 >>>>>11 ubyte !0x2E \b%c ->>>>12 ubyte >0x20 ->>>>>12 ubyte !0x39 +>>>>12 ubyte >0x20 +>>>>>12 ubyte !0x39 >>>>>>12 ubyte !0x2E \b%c ->>>13 ubyte >0x20 +>>>13 ubyte >0x20 >>>>13 ubyte !0x2E \b%c ->>>>14 ubyte >0x20 +>>>>14 ubyte >0x20 >>>>>14 ubyte !0x2E \b%c ->>>>15 ubyte >0x20 +>>>>15 ubyte >0x20 >>>>>15 ubyte !0x2E \b%c ->>>>16 ubyte >0x20 ->>>>>16 ubyte !0x2E +>>>>16 ubyte >0x20 +>>>>>16 ubyte !0x2E >>>>>>16 ubyte <0xCB \b%c ->>>>17 ubyte >0x20 ->>>>>17 ubyte !0x2E +>>>>17 ubyte >0x20 +>>>>>17 ubyte !0x2E >>>>>>17 ubyte <0x90 \b%c # some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field ->>>4 uleshort&0x8000 0x8000 ->>>>12 ubyte <0x2F +>>>12 ubyte <0x2F # they have their real name at offset 22 ->>>>>22 string >\0 \b%-.5s ->4 uleshort&0x8000 0x0000 +# also block device drivers like DUMBDRV.SYS +>>>>22 string >\056 %-.6s +>4 
uleshort&0x8000 0x0000 # 32 bit sector addressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h 
@@ -384,33 +390,42 @@ # open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh >4 uleshort&0x0800 0x0800 \b,close media- # output until busy support by int 10h for character device driver ->4 uleshort&0x8000 0x8000 +>4 uleshort&0x8000 0x8000 >>4 uleshort&0x2000 0x2000 \b,until busy- # direct read/write support by driver functions 03h,0Ch >4 uleshort&0x4000 0x4000 \b,control strings- ->4 uleshort&0x8000 0x8000 +>4 uleshort&0x8000 0x8000 >>4 uleshort&0x6840 >0 \bsupport ->4 uleshort&0x8000 0x0000 +>4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) -# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header -# Too weak, matches files that only contain 0's -#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable ( -#>4 uleshort&0x8000 0x8000 \bcharacter device driver -#>>10 string x %-.8s -#>4 uleshort&0x4000 0x4000 \b,control strings-support) +# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header +0 ulequad 0x0513c00000000012 +>0 use msdos-driver +# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field +0 ulequad 0x32f28000ffff0016 +>0 use msdos-driver +0 ulequad 0x007f00000000ffff +>0 use msdos-driver +0 ulequad 0x001600000000ffff +>0 use msdos-driver +# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field +0 ulequad 0x0bf708c2ffffffff +>0 use msdos-driver +0 ulequad 0x07bd08c2ffffffff +>0 use msdos-driver # updated by Joerg Jenderek -# GRR: line below too general as it catches also +# GRR: line below too general as it catches also # rt.lib DYADISKS.PIC and many more # start with assembler instruction MOV -0 ubyte 0x8c +0 ubyte 0x8c # skip "AppleWorks word processor data" like ARTICLE.1 ./apple ->4 string !O==== +>4 string !O==== # skip some unknown basic binaries like RocketRnger.SHR ->>5 string !MAIN +>>5 string !MAIN # skip "GPG symmetrically encrypted data" ./gnu -# skip "PGP symmetric 
key encrypted data" ./pgp +# skip "PGP symmetric key encrypted data" ./pgp # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type >>>4 ubyte >13 DOS executable (COM, 0x8C-variant) # the remaining files should be DOS *.COM executables @@ -428,7 +443,7 @@ # updated by Joerg Jenderek at Oct 2008 0 ulelong 0xffff10eb DR-DOS executable (COM) # byte 0xeb conflicts with "sequent" magic leshort 0xn2eb -0 ubeshort&0xeb8d >0xeb00 +0 ubeshort&0xeb8d >0xeb00 # DR-DOS STACKER.COM SCREATE.SYS missed 0 name msdos-com @@ -463,9 +478,9 @@ # updated by Joerg Jenderek at Oct 2008,2015 # following line is too general -0 ubyte 0xb8 +0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux ->0 string !\xb8\xc0\x07\x8e +>0 string !\xb8\xc0\x07\x8e # modified by Joerg Jenderek # syslinux COM32 or COM32R executable >>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT @@ -496,8 +511,8 @@ #!:mime application/x-msdos-program !:ext com -0 string/b \x81\xfc ->4 string \x77\x02\xcd\x20\xb9 +0 string/b \x81\xfc +>4 string \x77\x02\xcd\x20\xb9 >>36 string UPX! FREE-DOS executable (COM), UPX compressed 252 string Must\ have\ DOS\ version DR-DOS executable (COM) # added by Joerg Jenderek at Oct 2008 @@ -514,10 +529,10 @@ #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 5 string \xcd\x21 COM executable for DOS #DELTMP.COm HASFAT32.cOM -7 string \xcd\x21 +7 string \xcd\x21 >0 byte !0xb8 COM executable for DOS #COMP.cOM MORE.COm -10 string \xcd\x21 +10 string \xcd\x21 >5 string !\xcd\x21 COM executable for DOS #comecho.com 13 string \xcd\x21 COM executable for DOS 
@@ -565,10 +580,23 @@ 0 string/b PO^Q` Microsoft Word 6.0 Document !:mime application/msword # -0 string/b \376\067\0\043 Microsoft Office Document +4 long 0 +>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0 !:mime application/msword -0 string/b \333\245-\0\0\0 Microsoft Office Document +!:ext mcw +>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0 !:mime application/msword +!:ext mcw +>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0 +!:mime application/msword +!:ext mcw +>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0 +!:mime application/msword +!:ext mcw + +0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document +!:mime application/msword +!:ext doc 512 string/b \354\245\301 Microsoft Word Document !:mime application/msword @@ -599,11 +627,11 @@ # Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf # Note: newer Lotus versions >2 use longer BOF record # record type (BeginningOfFile=0000h) + length (001Ah) -0 belong 0x00001a00 +0 belong 0x00001a00 # reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 -#>18 uleshort&0x73E0 0 +#>18 uleshort&0x73E0 0 # Lotus Multi Byte Character Set (LMBCS=1-31) ->20 ubyte >0 +>20 ubyte >0 >>20 ubyte <32 Lotus 1-2-3 #!:mime application/x-123 !:mime application/vnd.lotus-1-2-3 @@ -640,10 +668,10 @@ !:ext fXX # main revision number >>>>4 uleshort x \b, revision 0x%x ->>>6 uleshort =0x0004 \b, cell range +>>>6 uleshort =0x0004 \b, cell range # active cellcoord range (start row, page,column ; end row, page, column) # start values normally 0~1st sheet A1 ->>>>8 ulelong !0 +>>>>8 ulelong !0 >>>>>10 ubyte >0 \b%d* >>>>>8 uleshort x \b%d, >>>>>11 ubyte x \b%d- 
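Review bot: The Word for Macintosh block added in the first hunk on this line opens with `4 long 0` as its top-level test, which any file with four zero bytes at offset 4 satisfies, while the discriminating `belong 0xfe32...`/`0xfe37...` signatures at offset 0 are only continuations. The entry is presumably ranked by that weak first test and is entered for many unrelated files. Leading with the signature and demoting the zero check reads better and fails fast, e.g. `0 belong 0xfe370023` followed by `>4 long 0 Microsoft Word for Macintosh 5.0`, repeated per version. If the shared prefix is kept for brevity, a comment explaining the ordering would help.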
@@ -656,9 +684,9 @@ >>>>20 ubyte >1 \b, character set 0x%x # flags >>>>21 ubyte x \b, flags 0x%x ->>>6 uleshort !0x0004 +>>>6 uleshort !0x0004 # record type (FONTNAME=00AEh) ->>>>30 search/29 \0\xAE +>>>>30 search/29 \0\xAE # variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) >>>>>&4 string >\0 \b, 1st font "%s" # @@ -667,12 +695,12 @@ # Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT # Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x # record type (BeginningOfFile=0000h) + length (0002h) -0 belong 0x00000200 +0 belong 0x00000200 # GRR: line above is too general as it catches also MS Windows CURsor # to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) !:strength -1 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h ->7 ubyte 0 +>7 ubyte 0 # skip Windows cursors with image width 256 and keep Lotus with positiv opcode >>6 ubyte >0 Lotus # !:mime application/x-123 @@ -737,9 +765,9 @@ # check and then display Lotus worksheet cells range 0 name lotus-cells # look for type (RANGE=0006h) + length (0008h) at record begin ->0 ubelong 0x06000800 \b, cell range +>0 ubelong 0x06000800 \b, cell range # cell range (start column, row, end column, row) start values normally 0,0~A1 cell ->>4 ulong !0 +>>4 ulong !0 >>>4 uleshort x \b%d, >>>6 uleshort x \b%d- # end of cell range 
@@ -792,19 +820,19 @@ # Windows icons # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CUR_(file_format) -# Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG +# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG 0 belong 0x00000100 >9 byte 0 ->>0 byte x +>>0 byte x >>0 use cur-ico-dir >9 ubyte 0xff ->>0 byte x +>>0 byte x >>0 use cur-ico-dir # displays number of icons and information for icon or cursor 0 name cur-ico-dir # skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with # 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h ->18 ulelong &0x00000006 +>18 ulelong &0x00000006 # skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) >>(18.l) ulelong x MS Windows >>>0 ubelong 0x00000100 icon resource @@ -817,7 +845,7 @@ # 1st icon >>>>0x06 use ico-entry # 2nd icon ->>>>4 uleshort >1 +>>>>4 uleshort >1 >>>>>0x16 use ico-entry >>>0 ubelong 0x00000200 cursor resource #!:mime image/x-cur @@ -854,16 +882,16 @@ # offset of PNG or DIB image #>12 ulelong x \b, offset 0x%x # PNG header (\x89PNG) ->(12.l) ubelong =0x89504e47 ->>&-4 indirect x \b with +>(12.l) ubelong =0x89504e47 +>>&-4 indirect x \b with # DIB image ->(12.l) ubelong !0x89504e47 +>(12.l) ubelong !0x89504e47 #>>&-4 use dib-image # Windows non-animated cursors # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CUR_(file_format) -# Note: similiar to Windows ICOn. container for BMP ( only DIB part) +# Note: similar to Windows ICOn. container for BMP ( only DIB part) # GRR: line below is too general as it catches also Lotus 1-2-3 files 0 belong 0x00000200 >9 byte 0 
@@ -872,13 +900,13 @@ >>0 use cur-ico-dir # .chr files -0 string/b PK\010\010BGI Borland font +0 string/b PK\010\010BGI Borland font >4 string >\0 %s # then there is a copyright notice # .bgi files -0 string/b pk\010\010BGI Borland device +0 string/b pk\010\010BGI Borland device >4 string >\0 %s # then there is a copyright notice @@ -909,7 +937,7 @@ 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file -# Debian#712046: The magic below identifies "Delphi compiled form data". +# Debian#712046: The magic below identifies "Delphi compiled form data". # An additional source of information is available at: # http://www.woodmann.com/fravia/dafix_t1.htm 0 string TPF0 @@ -918,7 +946,7 @@ # tests for DBase files moved, updated and merged to database 0 string PMCC Windows 3.x .GRP file -1 string RDC-meg MegaDots +1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file 0 lelong 0x4C @@ -935,16 +963,16 @@ #>0x181 leshort x \b, offset %x #>0x183 leshort x \b, offsetdata %x #>0x185 leshort x \b, section length %x ->0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 ->>&0x5e ubyte >0 +>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 +>>&0x5e ubyte >0 >>>&-1 string <PIFMGR.DLL \b, icon=%s #>>>&-1 string PIFMGR.DLL \b, icon=%s >>>&-1 string >PIFMGR.DLL \b, icon=%s ->>&0xF0 ubyte >0 +>>&0xF0 ubyte >0 >>>&-1 string <Terminal \b, font=%.32s #>>>&-1 string =Terminal \b, font=%.32s >>>&-1 string >Terminal \b, font=%.32s ->>&0x110 ubyte >0 +>>&0x110 ubyte >0 >>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s #>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s >>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s @@ -960,6 +988,7 @@ # DOS EPS Binary File Header # From: Ed Sznyter <ews@Black.Market.NET> 0 belong 0xC5D0D3C6 DOS EPS Binary File +!:mime image/x-eps >4 long >0 Postscript starts at byte %d >>8 long >0 length %d >>>12 long >0 Metafile starts at byte %d 
@@ -967,15 +996,15 @@ >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d -# TNEF magic From "Joomy" <joomy@se-ed.net> +# TNEF magic From "Joomy" <joomy@se-ed.net> # Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) -0 leshort 0x223e9f78 TNEF +0 lelong 0x223e9f78 TNEF !:mime application/vnd.ms-tnef # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # http://en.wikipedia.org/wiki/Norton_Guides -0 string NG\0\001 +0 string NG\0\001 # only value 0x100 found at offset 2 >2 ulelong 0x00000100 Norton Guide # Title[40] @@ -985,7 +1014,7 @@ >>48 string >\0 \b, %-.66s >>114 string >\0 %-.66s -# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS +# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of http://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm 0 ulelong 0x48443408 4DOS help file @@ -1033,7 +1062,7 @@ # Windows Enhanced Metafile (EMF) -# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp +# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data @@ -1095,7 +1124,7 @@ 0 string/b MSWIM\000\000\000 Windows imaging (WIM) image 0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format -# The second byte of these signatures is a file version; I don't know what, +# The second byte of these signatures is a file version; I don't know what, # if anything, produced files with version numbers 0-2. # From: John Elliott <johne@seasip.demon.co.uk> 0 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 
@@ -1106,3 +1135,66 @@ 0 string MIOPEN Mallard BASIC Jetsam data 0 string Jetsam0 Mallard BASIC Jetsam index data +# DOS backup 2.0 to 3.2 + +# backupid.@@@ + +# plausibility check for date +0x3 ushort >1979 +>0x5 ubyte-1 <31 +>>0x6 ubyte-1 <12 +# actually 121 nul bytes +>>>0x7 string \0\0\0\0\0\0\0\0 +>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d +!:ext @@@ +>>>>0x0 ubyte 0xff \b, last disk + +# backed up file + +# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd +# by looking for trailing nul of maximal file name string +0x52 ubyte 0 +# test for flag byte: FFh~complete file, 00h~split file +# FFh -127 = -1 -127 = -128 +# 00h -127 = 0 -127 = -127 +>0 byte-127 <-126 +# plausibility check for file name length +>>0x53 ubyte-1 <78 +# looking for terminating nul of file name string +>>>(0x53.b+4) ubyte 0 +# looking if last char of string is valid DOS file name +>>>>(0x53.b+3) ubyte >0x1F +# actually 44 nul bytes +# but sometimes garbage according to Ralf Quint. So can not be used as test +#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator +# only DOS variant found. 
UNIX variant according to V32SLASH.TXT in archive PD0315.EXE +>>>>>5 ubyte&0x8C 0x0C +# ./msdos (version 5.30) labeled the entry as +# "DOS 2.0 backed up file %s, split file, sequence %d" or +# "DOS 2.0 backed up file %s, complete file" +>>>>>>0 ubyte x DOS 2.0-3.2 backed up +#>>>>>>0 ubyte 0xff complete +>>>>>>0 ubyte 0 +>>>>>>>1 uleshort x sequence %d of +# full file name with path but without drive letter and colon stored from 0x05 til 0x52 +>>>>>>0x5 string x file %s +# backup name is original filename +#!:ext * +# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' +# file: line 1169: Bad magic entry ' *' +# after header original file content +>>>>>>128 indirect x \b; + + +# DOS backup 3.3 to 5.x + +# CONTROL.nnn files +0 string \x8bBACKUP\x20 +# actually 128 nul bytes +>0xa string \0\0\0\0\0\0\0\0 +>>0x9 ubyte x DOS 3.3 backup control file, sequence %d +>>0x8a ubyte 0xff \b, last disk + +# NB: The BACKUP.nnn files consist of the files backed up, +# concatenated. diff --git a/contrib/file/magic/Magdir/msvc b/contrib/file/magic/Magdir/msvc index bf4ab0c..13f847f 100644 --- a/contrib/file/magic/Magdir/msvc +++ b/contrib/file/magic/Magdir/msvc @@ -1,10 +1,10 @@ #------------------------------------------------------------------------------ -# $File: msvc,v 1.6 2016/01/26 00:03:19 christos Exp $ +# $File: msvc,v 1.9 2017/08/02 08:15:20 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" <aldomel@ix.netcom.com> # Microsoft visual C -# +# # I have version 1.0 # .aps 
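Review bot: The date plausibility check that opens the new DOS 2.0 backup-id rule (the hunk starting `@@ -1106,3 +1135,66 @@`) reads the year with native-endian `ushort`, although the data is written by DOS and the sequence field further down in the same hunk is read with `uleshort`. On a big-endian host the bytes are swapped before the `>1979` comparison, so the check no longer constrains anything; `0x3 uleshort >1979` makes it host-independent. The comparison also has no upper bound, which leaves this top-level test fairly permissive for a rule that later hands the embedded content at offset 128 to `indirect`. A second continuation such as `>0x3 uleshort <2100` would tighten it.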
@@ -30,10 +30,10 @@ # Summary: Symbol Table / Debug info used by Microsoft compilers # URL: https://en.wikipedia.org/wiki/Program_database # Reference: https://code.google.com/p/pdbparser/wiki/MSF_Format -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Note: test only for Windows XP+SP3 x86 , 8.1 x64 arm and 10.1 x86 # info does only applies partly for older files like msvbvm50.pdb about year 2001 -0 string Microsoft\ C/C++\ +0 string Microsoft\ C/C++\040 # "Microsoft Program DataBase" by TrID >24 search/14 \r\n\x1A MSVC program database !:mime application/x-ms-pdb @@ -42,18 +42,21 @@ >>16 regex \([0-9.]+\) ver %s #>>>0x38 search/128123456 /LinkInfo \b with linkinfo # "MSF 7.00" variant ->>0x1e leshort 0 +>>0x1e leshort 0 # PageSize 400h 1000h >>>0x20 lelong x \b, %d # Page Count >>>0x28 lelong x \b*%d bytes # "program database 2.00" variant ->>0x1e leshort !0 +>>0x1e leshort !0 # PageSize 400h >>>0x2c lelong x \b, %d # Page Count for msoo-dll.pdb 4379h >>>0x32 leshort x \b*%d bytes +# Reference: https://github.com/Microsoft/vstest/pull/856/commits/fdc7a9f074ca5a8dfeec83b1be9162bf0cf4000d +0 string/c bsjb\001\000\001\000\000\000\000\000\f\000\000\000pdb\ v1.0 Microsoft Rosyln C# debugging symbols version 1.0 + #.sbr 0 string \000\002\000\007\000 MSVC .sbr >5 string >\0 %s diff --git a/contrib/file/magic/Magdir/msx b/contrib/file/magic/Magdir/msx index ef2a7bb..69df641 100644 --- a/contrib/file/magic/Magdir/msx +++ b/contrib/file/magic/Magdir/msx @@ -7,7 +7,7 @@ ############## MSX Music file formats ############## # Gigamix MGSDRV music file -0 string/b MGS MSX Gigamix MGSDRV3 music file, +0 string/b MGS MSX Gigamix MGSDRV3 music file, >6 ubeshort 0x0D0A >>3 byte x \bv%c >>4 byte x \b.%c 
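Review bot: The description string of the new portable-PDB rule in the `@@ -42,18 +42,21 @@` hunk misspells the compiler name as "Rosyln", and that text is what `file` prints and what downstream scripts may match on. It should read `Microsoft Roslyn C# debugging symbols version 1.0`. Because the rule is declared `string/c`, the lower-case `bsjb` and `pdb` parts match either case; a short comment saying that this is deliberate would avoid a later "fix" to upper case.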
@@ -35,7 +35,7 @@ >>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) >>0xF byte&0x02 0x02 \b, soundchips: SN76489 >>>0xF byte&0x04 0x04 stereo ->>0xF byte&0x01 0x01 \b, +>>0xF byte&0x01 0x01 \b, >>>0xF byte&0x18 0x00 \bYM2413 >>>0xF byte&0x18 0x08 \bYM2413, Y8950 >>>0xF byte&0x18 0x18 \bYM2413+Y8950 pseudostereo @@ -245,18 +245,18 @@ 0x4000 string/b AB >0x4002 uleshort >0x400F >>0x400A string \0\0\0\0\0\0 MSX ROM with nonstandard page order ->>0x4002 uleshort x \b, init=0x%04x ->>0x4004 uleshort >0 \b, stahdl=0x%04x ->>0x4006 uleshort >0 \b, devhdl=0x%04x ->>0x4008 uleshort >0 \b, bas=0x%04x +>>>0x4002 uleshort x \b, init=0x%04x +>>>0x4004 uleshort >0 \b, stahdl=0x%04x +>>>0x4006 uleshort >0 \b, devhdl=0x%04x +>>>0x4008 uleshort >0 \b, bas=0x%04x 0x8000 string/b AB >0x8002 uleshort >0x400F >>0x800A string \0\0\0\0\0\0 MSX ROM with nonstandard page order ->>0x8002 uleshort x \b, init=0x%04x ->>0x8004 uleshort >0 \b, stahdl=0x%04x ->>0x8006 uleshort >0 \b, devhdl=0x%04x ->>0x8008 uleshort >0 \b, bas=0x%04x +>>>0x8002 uleshort x \b, init=0x%04x +>>>0x8004 uleshort >0 \b, stahdl=0x%04x +>>>0x8006 uleshort >0 \b, devhdl=0x%04x +>>>0x8008 uleshort >0 \b, bas=0x%04x 0x3C000 string/b AB @@ -296,7 +296,7 @@ 4 uleshort 0x0900 >0xF byte 1 >>0x14 byte 0 ->>>0x1E string \ \ \ +>>>0x1E string \040\040\040 >>>>0x23 byte 1 >>>>>0x25 byte 0 >>>>>>0x15 string >\x30 diff --git a/contrib/file/magic/Magdir/mup b/contrib/file/magic/Magdir/mup index 5060c01..05b9471 100644 --- a/contrib/file/magic/Magdir/mup +++ b/contrib/file/magic/Magdir/mup @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# $File: mup,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: mup,v 1.5 2017/03/17 21:35:28 christos Exp $ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung <abel (@) oaka.org> 
@@ -12,13 +12,13 @@ # 0 search/1 //!Mup Mup music publication program input text >6 string -Arkkra (Arkkra) ->>13 string - ->>>16 string . +>>13 string - +>>>16 string . >>>>14 string x \b, need V%.4s ->>>15 string . +>>>15 string . >>>>14 string x \b, need V%.3s ->6 string - ->>9 string . +>6 string - +>>9 string . >>>7 string x \b, need V%.4s ->>8 string . +>>8 string . >>>7 string x \b, need V%.3s diff --git a/contrib/file/magic/Magdir/nasa b/contrib/file/magic/Magdir/nasa index 49673b3..de3545f 100644 --- a/contrib/file/magic/Magdir/nasa +++ b/contrib/file/magic/Magdir/nasa @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# nasa: file(1) magic +# nasa: file(1) magic # From: Barry Carter <carter.barry@gmail.com> 0 string DAF/SPK NASA SPICE file (binary format) diff --git a/contrib/file/magic/Magdir/netbsd b/contrib/file/magic/Magdir/netbsd index eb0847b..5ee2d71 100644 --- a/contrib/file/magic/Magdir/netbsd +++ b/contrib/file/magic/Magdir/netbsd @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netbsd,v 1.23 2015/11/29 01:55:14 christos Exp $ +# $File: netbsd,v 1.24 2017/03/17 21:35:28 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. @@ -10,7 +10,7 @@ # 0 belong&0377777777 041400413 a.out NetBSD/i386 demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -32,7 +32,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 041600413 a.out NetBSD/m68k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable 
@@ -54,7 +54,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042000413 a.out NetBSD/m68k4k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable @@ -76,7 +76,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042200413 a.out NetBSD/ns32532 demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -101,7 +101,7 @@ >12 string >\0 from '%s' 0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable @@ -123,7 +123,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042600413 a.out NetBSD/pmax demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -145,7 +145,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 043000413 a.out NetBSD/vax 1k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -167,7 +167,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 045400413 a.out NetBSD/vax 4k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -189,7 +189,7 @@ >32 lelong !0 (signal %d) # NetBSD/alpha does not support (and has never supported) a.out objects, -# so no rules are provided for them. NetBSD/alpha ELF objects are +# so no rules are provided for them. NetBSD/alpha ELF objects are # dealt with in "elf". 0 lelong 0x00070185 ECOFF NetBSD/alpha binary >10 leshort 0x0001 not stripped 
@@ -199,7 +199,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 043400413 a.out NetBSD/mips demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable diff --git a/contrib/file/magic/Magdir/netscape b/contrib/file/magic/Magdir/netscape index a9b43cd..0e1ca61 100644 --- a/contrib/file/magic/Magdir/netscape +++ b/contrib/file/magic/Magdir/netscape @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netscape,v 1.7 2015/08/24 05:20:52 christos Exp $ +# $File: netscape,v 1.8 2017/03/17 21:35:28 christos Exp $ # netscape: file(1) magic for Netscape files # "H. Nanosecond" <aldomel@ix.netcom.com> # version 3 and 4 I think @@ -15,8 +15,8 @@ # .snm Caches 0 string #\ Netscape\ folder\ cache Netscape folder cache 0 string \000\036\204\220\000 Netscape folder cache -# .n2p -# Net 2 Phone +# .n2p +# Net 2 Phone #0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060 0 string SX961999 Net2phone diff --git a/contrib/file/magic/Magdir/nitpicker b/contrib/file/magic/Magdir/nitpicker index 2486dee..48c3d63 100644 --- a/contrib/file/magic/Magdir/nitpicker +++ b/contrib/file/magic/Magdir/nitpicker @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: nitpicker,v 1.6 2014/04/30 21:41:02 christos Exp $ +# $File: nitpicker,v 1.7 2017/03/17 21:35:28 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann <C.Jachmann@gmx.net> http://www.nitpicker.de -0 string NPFF NItpicker Flow File +0 string NPFF NItpicker Flow File >4 byte x V%d. >5 byte x %d >6 bedate x started: %s diff --git a/contrib/file/magic/Magdir/os2 b/contrib/file/magic/Magdir/os2 index 21c1c00..ace69cb 100644 --- a/contrib/file/magic/Magdir/os2 +++ b/contrib/file/magic/Magdir/os2 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os2,v 1.9 2016/05/11 15:51:57 christos Exp $ +# $File: os2,v 1.10 2017/03/17 21:35:28 christos Exp $ # os2: file(1) magic for OS/2 files # @@ -25,7 +25,7 @@ #>5 string >\ (Local file) <%s> # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) -# Carl Hauser (chauser.parc@xerox.com) and +# Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: # @@ -35,11 +35,11 @@ # // bit 0: set if INF style file # // bit 4: set if HLP style file # // patching this byte allows reading HLP files -# // using the VIEW command, while help files +# // using the VIEW command, while help files # // seem to work with INF settings here as well. # int16 hdrsize; // total size of header # int16 unknown2; // unknown purpose -# +# 0 string HSP\x01\x9b\x00 OS/2 INF >107 string >0 (%s) 0 string HSP\x10\x9b\x00 OS/2 HLP diff --git a/contrib/file/magic/Magdir/os9 b/contrib/file/magic/Magdir/os9 index 52b04be..74b47f3 100644 --- a/contrib/file/magic/Magdir/os9 +++ b/contrib/file/magic/Magdir/os9 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os9,v 1.7 2011/05/13 22:15:54 christos Exp $ +# $File: os9,v 1.8 2017/03/17 21:35:28 christos Exp $ # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # 
@@ -15,7 +15,7 @@ # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; diff --git a/contrib/file/magic/Magdir/pbf b/contrib/file/magic/Magdir/pbf index d133d12..8de6db0 100644 --- a/contrib/file/magic/Magdir/pbf +++ b/contrib/file/magic/Magdir/pbf @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: pbf,v 1.1 2013/12/21 14:27:24 christos Exp $ +# $File: pbf,v 1.2 2017/01/18 16:16:21 christos Exp $ # file(1) magic(5) data for OpenStreetMap # OpenStreetMap Protocolbuffer Binary Format (.osm.pbf) # http://wiki.openstreetmap.org/wiki/PBF_Format # From: Markus Heidelberg <markus.heidelberg@web.de> -0 belong 0x0000000D ->4 beshort 0x0A09 ->>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format +0 belong&0xfffffff0 0 +>4 beshort 0x0A09 +>>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format diff --git a/contrib/file/magic/Magdir/pc88 b/contrib/file/magic/Magdir/pc88 index e604a3b..03822f5 100644 --- a/contrib/file/magic/Magdir/pc88 +++ b/contrib/file/magic/Magdir/pc88 @@ -9,7 +9,7 @@ >>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 >>>0x1A ubyte&0xEF 0 >>>>0x1B ubyte&0x8F 0 ->>>>>0x1B ubyte&70 <0x40 +>>>>>0x1B ubyte&70 <0x40 >>>>>>0x1C ulelong >0x21 >>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s >>>>>>>>0x1B ubyte 0 \b, media=2D diff --git a/contrib/file/magic/Magdir/pc98 b/contrib/file/magic/Magdir/pc98 index 30f1ea3..3b995ed 100644 --- a/contrib/file/magic/Magdir/pc98 +++ b/contrib/file/magic/Magdir/pc98 
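Review bot: The new first test in the pbf hunk, `0 belong&0xfffffff0 0`, has no comment saying what the masked field is, and it now accepts any big-endian value from 0 to 15 where the old rule required exactly 0x0000000D. A line above it such as `# first 4 bytes: presumably the header length; accept 0-15 instead of only 13` would record the intent. The following `0x0A09` and `OSMHeader` tests are unchanged, so the match stays specific.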
@@ -8,7 +8,7 @@ # http://www.jisyo.com/viewer/faq/maki_tech.htm 0 string/b MAKI01 Maki-chan v1. >6 ubyte|0x20 x \b%c image ->8 ubelong >0x40404040 \b, system ID: +>8 ubelong >0x40404040 \b, system ID: >>8 byte x %c >>9 byte x \b%c >>10 byte x \b%c diff --git a/contrib/file/magic/Magdir/pdf b/contrib/file/magic/Magdir/pdf index b43a675..04b564d 100644 --- a/contrib/file/magic/Magdir/pdf +++ b/contrib/file/magic/Magdir/pdf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.8 2015/01/11 18:19:18 christos Exp $ +# $File: pdf,v 1.9 2017/05/24 17:35:20 christos Exp $ # pdf: file(1) magic for Portable Document Format # @@ -20,3 +20,8 @@ !:mime application/vnd.fdf >5 byte x \b, version %c >7 byte x \b.%c + +0 search/256 %PDF- PDF document +!:mime application/pdf +>&0 byte x \b, version %c +>&2 byte x \b.%c diff --git a/contrib/file/magic/Magdir/pdp b/contrib/file/magic/Magdir/pdp index 0afee0c9..2d18b62 100644 --- a/contrib/file/magic/Magdir/pdp +++ b/contrib/file/magic/Magdir/pdp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdp,v 1.10 2014/04/30 21:41:02 christos Exp $ +# $File: pdp,v 1.11 2017/03/17 21:35:28 christos Exp $ # pdp: file(1) magic for PDP-11 executable/object and APL workspace # 0 lelong 0101555 PDP-11 single precision APL workspace @@ -14,8 +14,8 @@ # updated by Joerg Jenderek at Mar 2013 # GRR: line below too general as it catches also Windows precompiled setup information *.PNF -0 leshort 0401 -# skip *.PNF with WinDirPathOffset 58h +0 leshort 0401 +# skip *.PNF with WinDirPathOffset 58h >68 ulelong !0x00000058 PDP-11 UNIX/RT ldp # skip *.PNF with high byte of InfVersionDatumCount zero #>>15 byte !0 PDP-11 UNIX/RT ldp diff --git a/contrib/file/magic/Magdir/perl b/contrib/file/magic/Magdir/perl index 099a22d..c391d4a 100644 --- a/contrib/file/magic/Magdir/perl +++ b/contrib/file/magic/Magdir/perl 
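Review bot: The entry added at the end of the pdf hunk (`0 search/256 %PDF- PDF document`) reports the same description and `application/pdf` MIME type as a header at offset 0. A consumer that allow-lists files by libmagic MIME type therefore cannot tell a clean PDF from one with up to 255 bytes of other content in front of the header. Assuming the existing offset-0 rule earlier in the file matches first, give this one a distinguishable description, e.g. `PDF document (header not at offset 0)`, and add a comment above it such as `# %PDF- marker found within the first 256 bytes, not at the start`. The two `byte x` version lines also print whatever bytes follow the marker without checking that they are digits.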
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.25 2016/06/07 23:28:37 rrt Exp $ +# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. @@ -33,14 +33,14 @@ # by Dmitry V. Levin and Alexey Tourbin # check the first line -0 search/1024 package +0 search/8192 package >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text -!:strength + 10 +!:strength + 40 # not 'p', check other lines -0 search/1024 !p +0 search/8192 !p >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; >>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text -!:strength + 10 +!:strength + 75 # Perl POD documents # From: Tom Hukins <tom@eborcom.com> diff --git a/contrib/file/magic/Magdir/pgf b/contrib/file/magic/Magdir/pgf index 825f5f6..b5a251e 100644 --- a/contrib/file/magic/Magdir/pgf +++ b/contrib/file/magic/Magdir/pgf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgf,v 1.1 2013/04/22 15:19:49 christos Exp $ +# $File: pgf,v 1.2 2017/03/17 21:35:28 christos Exp $ # pgf: file(1) magic for Progressive Graphics File (PGF) # # <http://www.libpgf.org/uploads/media/PGF_Details_01.pdf> @@ -42,7 +42,7 @@ >>20 byte 19 RGB color 12, >>20 byte 20 RGB color 16, >>20 byte 255 unknown format, ->>20 default x format +>>20 default x format >>>20 byte x \b %d, >>21 byte x %d bpc # PGFPostHeader diff --git a/contrib/file/magic/Magdir/pgp b/contrib/file/magic/Magdir/pgp index 6e685fc..585475d 100644 --- a/contrib/file/magic/Magdir/pgp +++ b/contrib/file/magic/Magdir/pgp 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.12 2016/10/07 20:22:12 christos Exp $ +# $File: pgp,v 1.14 2017/03/17 21:35:28 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # @@ -19,15 +19,15 @@ #>15 string SIGNED\040MESSAGE- signed message #>15 string PGP\040SIGNATURE- signature -2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- PGP public key block +2 string ---BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK- PGP public key block !:mime application/pgp-keys >10 search/100 \n\n >>&0 use pgp -0 string -----BEGIN\040PGP\40MESSAGE- PGP message +0 string -----BEGIN\040PGP\040MESSAGE- PGP message !:mime application/pgp >10 search/100 \n\n >>&0 use pgp -0 string -----BEGIN\040PGP\40SIGNATURE- PGP signature +0 string -----BEGIN\040PGP\040SIGNATURE- PGP signature !:mime application/pgp-signature >10 search/100 \n\n >>&0 use pgp @@ -77,7 +77,7 @@ >0 byte 0x30 >>1 byte&0xc0 0x00 Unused [0%x] >>1 byte&0xc0 0x40 User Attribute ->>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data +>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data >>1 byte&0xc0 0xc0 Modification Detection Code # magic signatures to detect PGP crypto material (from stef) @@ -206,7 +206,7 @@ >0 byte 19 ECDSA >0 byte 20 ElGamal (Encrypt or Sign) >0 byte 21 Diffie-Hellman ->0 default x +>0 default x >>0 ubyte <22 unknown (pub %d) # this should never happen >>0 ubyte >21 invalid (%d) 
@@ -482,16 +482,16 @@ >1 use pgpkey 0 byte 0x97 PGP Secret Sub-key - >1 use pgpkey -0 byte 0x9d +0 byte 0x9d # Update: Joerg Jenderek # secret subkey packet (tag 7) with same structure as secret key packet (tag 5) # skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len ->1 ubeshort >0 +>1 ubeshort >0 #>1 ubeshort x \b, body length 0x%x # next packet type often 88h,89h~(tag 2)~Signature Packet #>>(1.S+3) ubyte x \b, next packet type 0x%x # skip Dragon.SHR DEMO.INIT by looking for positive version ->>3 ubyte >0 +>>3 ubyte >0 # skip BUISSON.13 GUITAR1 by looking for low version number >>>3 ubyte <5 PGP Secret Sub-key # sub-key are normally part of secret key. So it does not occur as standalone file @@ -500,7 +500,7 @@ >>>>3 ubyte x (v%d) >>>>3 ubyte x - # old versions 2 or 3 but no real example found ->>>>3 ubyte <4 +>>>>3 ubyte <4 # 2 byte for key bits in version 5.28 look >>>>>11 ubeshort x %db >>>>>4 beldate x created on %s - @@ -508,15 +508,15 @@ #>>>>>8 ubeshort x 0x%x # display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman >>>>>10 use key_algo ->>>>>(11.S/8) ubequad x +>>>>>(11.S/8) ubequad x # look after first key >>>>>>&5 use keyend # new version ->>>>3 ubyte >3 +>>>>3 ubyte >3 >>>>>9 ubeshort x %db >>>>>4 beldate x created on %s - # display key algorithm >>>>>8 use key_algo ->>>>>(9.S/8) ubequad x +>>>>>(9.S/8) ubequad x # look after first key for something like s2k >>>>>>&3 use keyend diff --git a/contrib/file/magic/Magdir/printer b/contrib/file/magic/Magdir/printer index 1016826..98fc1df 100644 --- a/contrib/file/magic/Magdir/printer +++ b/contrib/file/magic/Magdir/printer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.26 2014/04/12 14:51:52 christos Exp $ +# $File: printer,v 1.28 2017/03/17 22:20:22 christos Exp $ # printer: file(1) magic for printer-formatted files # 
@@ -13,7 +13,7 @@ >>>15 string EPS \b, type %s >>>15 string Query \b, type %s >>>15 string ExitServer \b, type %s ->>>15 search/1000 %%LanguageLevel:\ +>>>15 search/1000 %%LanguageLevel:\040 >>>>&0 string >\0 \b, Level %s # Some PCs have the annoying habit of adding a ^D as a document separator 0 string \004%! PostScript document text @@ -24,7 +24,7 @@ >>>16 string EPS \b, type %s >>>16 string Query \b, type %s >>>16 string ExitServer \b, type %s ->>>16 search/1000 %%LanguageLevel:\ +>>>16 search/1000 %%LanguageLevel:\040 >>>>&0 string >\0 \b, Level %s 0 string \033%-12345X%!PS PostScript document @@ -49,18 +49,18 @@ # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data # HP Printer Job Language -# The header found on Win95 HP plot files is the "Silliest Thing possible" +# The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de> -# +# 0 string \033%-12345X@PJL HP Printer Job Language data ->&0 string >\0 %s ->>&0 string >\0 %s ->>>&0 string >\0 %s ->>>>&0 string >\0 %s +>&0 string >\0 %s +>>&0 string >\0 %s +>>>&0 string >\0 %s +>>>>&0 string >\0 %s #>15 string \ ENTER\ LANGUAGE\ = #>31 string PostScript PostScript @@ -143,8 +143,8 @@ #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file -0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware +0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From: Paolo <oopla@users.sf.net> -# Epson ESC/Page, ESC/PageColor +# Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data diff --git a/contrib/file/magic/Magdir/project b/contrib/file/magic/Magdir/project index efa5d40..9180b57 100644 
--- a/contrib/file/magic/Magdir/project +++ b/contrib/file/magic/Magdir/project @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: project,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: project,v 1.5 2017/03/17 21:35:28 christos Exp $ # project: file(1) magic for Project management -# +# # Magic strings for ftnchek project files. Alexander Mai 0 string FTNCHEK_\ P project file for ftnchek >10 string 1 version 2.7 diff --git a/contrib/file/magic/Magdir/psdbms b/contrib/file/magic/Magdir/psdbms index 1d218c0..3eec965 100644 --- a/contrib/file/magic/Magdir/psdbms +++ b/contrib/file/magic/Magdir/psdbms @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: psdbms,v 1.7 2016/01/08 00:41:02 christos Exp $ +# $File: psdbms,v 1.8 2017/03/17 21:35:28 christos Exp $ # psdbms: file(1) magic for psdatabase # # Update: Joerg Jenderek # GRR: line below too general as it catches also some Panorama database *.pan , # AppleWorks word processor -0 belong&0xff00ffff 0x56000000 +0 belong&0xff00ffff 0x56000000 # assume version starts with digit >1 regex/s =^[0-9] ps database >>1 string >\0 version %s diff --git a/contrib/file/magic/Magdir/python b/contrib/file/magic/Magdir/python index 29dcc15..f21ff65 100644 --- a/contrib/file/magic/Magdir/python +++ b/contrib/file/magic/Magdir/python @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: python,v 1.29 2016/07/27 09:42:16 rrt Exp $ +# $File: python,v 1.34 2017/08/14 07:40:38 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages 
@@ -24,7 +24,11 @@ 0 belong 0x6c0c0d0a python 3.2 byte-compiled 0 belong 0x9e0c0d0a python 3.3 byte-compiled 0 belong 0xee0c0d0a python 3.4 byte-compiled -0 belong 0x160d0d0a python 3.5 byte-compiled +0 belong 0x160d0d0a python 3.5.1- byte-compiled +0 belong 0x170d0d0a python 3.5.2+ byte-compiled +0 belong 0x330d0d0a python 3.6 byte-compiled +0 belong 0x3e0d0d0a python 3.7 byte-compiled + 0 search/1/w #!\ /usr/bin/python Python script text executable !:strength + 15 @@ -41,12 +45,25 @@ # from module.submodule import func1, func2 -0 regex \^from\\s+(\\w|\\.)+\\s+import.*$ Python script text executable +0 regex \^from[\040\t\f\r\n]+([A-Za-z0-9_]|\\.)+[\040\t\f\r\n]+import.*$ Python script text executable +!:strength + 15 !:mime text/x-python # def __init__ (self, ...): 0 search/4096 def\ __init__ >&0 search/64 self Python script text executable +!:strength + 15 +!:mime text/x-python + +# if __name__ == "__main__": +0 search/4096 if\ __name__ +>&0 search/64 '__main__' Python script text executable +>&0 search/64 "__main__" Python script text executable +!:strength + 15 +!:mime text/x-python + +# import module [as abrev] +0 regex \^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$ Python script text executable !:mime text/x-python # comments 
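Review bot: In the python hunk `@@ -41,12 +45,25 @@`, the added `if __name__` entry puts `!:mime text/x-python` only after the `"__main__"` continuation, so the `'__main__'` line directly above it carries no MIME annotation. A script that uses single quotes would then get no `text/x-python` from this rule; repeat `!:mime text/x-python` right after the first continuation line. The added import rule `\^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$` requires `as`, although its comment marks that part optional, and it allows only a one-letter alias; the alias class should at least be `[_[:alpha:]]+`. The comment's "abrev" is presumably "abbrev".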
@@ -62,12 +79,19 @@ # except: or finally: # block 0 search/4096 try: ->&0 regex \^\\s*except.*: Python script text executable +>&0 regex \^[[:space:]]*except.*:$ Python script text executable +!:strength + 15 !:mime text/x-python >&0 search/4096 finally: Python script text executable !:mime text/x-python -# def name(args, args): -0 regex \^(\ |\\t){0,50}def\ {1,50}[a-zA-Z]{1,100} ->&0 regex \ {0,50}\\(([a-zA-Z]|,|\ ){1,255}\\):$ Python script text executable +# class name[(base classes,)]: [pass] +0 regex \^class\ [_[:alpha:]]+(\\(.*\\))?(\ )*:([\ \t]+pass)?$ Python script text executable +!:strength + 15 +!:mime text/x-python + +# def name(*args, **kwargs): +0 regex \^[[:space:]]{0,50}def\ {1,50}[_a-zA-Z]{1,100} +>&0 regex \\(([[:alpha:]*_,\ ]){0,255}\\):$ Python script text executable +!:strength + 15 !:mime text/x-python diff --git a/contrib/file/magic/Magdir/riff b/contrib/file/magic/Magdir/riff index 55cfb20..adf0fc9 100644 --- a/contrib/file/magic/Magdir/riff +++ b/contrib/file/magic/Magdir/riff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.31 2015/02/14 17:30:03 christos Exp $ +# $File: riff,v 1.32 2017/03/17 21:35:28 christos Exp $ # riff: file(1) magic for RIFF format # See # @@ -75,7 +75,7 @@ >>18 leshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap ->>16 string BM +>>16 string BM >>>30 leshort 12 \b, OS/2 1.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d @@ -226,9 +226,9 @@ >8 string sfbk SoundFont/Bank # MPEG-1 wrapped in a RIFF, apparently >8 string CDXA \b, wrapped MPEG-1 (CDXA) ->8 string 4XMV \b, 4X Movie file +>8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV ->8 string AMV\040 \b, AMV +>8 string AMV\040 \b, AMV >8 string WEBP \b, Web/P image !:mime image/webp >>12 use riff-walk 
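Review bot: The rewritten `def` continuation regex `\\(([[:alpha:]*_,\ ]){0,255}\\):$` in this python hunk has no digits, `=`, quotes or `.` in its bracket expression. Signatures such as `def f(x2):` or `def f(a=1):` therefore do not match, even though the new comment advertises `*args, **kwargs`. If the narrowness is intended to limit false positives, say so above the rule, e.g. `# argument list: only letters, _, * and , are accepted`; otherwise widen the class.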
@@ -246,7 +246,7 @@ >>18 beshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap ->>16 string BM +>>16 string BM >>>30 beshort 12 \b, OS/2 1.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d @@ -284,7 +284,7 @@ #------------------------------------------------------------------------------ # Sony Wave64 # see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf -# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian +# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian 0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data # 128 bit + total file size (64 bits) so 24 bytes # then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A } diff --git a/contrib/file/magic/Magdir/ruby b/contrib/file/magic/Magdir/ruby index cc3abd0..45a253c 100644 --- a/contrib/file/magic/Magdir/ruby +++ b/contrib/file/magic/Magdir/ruby @@ -1,32 +1,51 @@ #------------------------------------------------------------------------------ -# $File: ruby,v 1.6 2016/07/27 09:46:29 rrt Exp $ +# $File: ruby,v 1.7 2017/08/14 13:39:18 christos Exp $ # ruby: file(1) magic for Ruby scripting language # URL: http://www.ruby-lang.org/ # From: Reuben Thomas <rrt@sc3d.org> # Ruby scripts -0 search/1/w #!\ /usr/bin/ruby Ruby script text executable +0 search/1/w #!\ /usr/bin/ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby 0 search/1/w #!\ /usr/local/bin/ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby -0 search/1 #!/usr/bin/env\ ruby Ruby script text executable +0 search/1 #!/usr/bin/env\ ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby -0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable +0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby # What looks like ruby, but does not have a shebang # (modules and such) # 
From: Lubomir Rintel <lkundrak@v3.sk> -0 regex \^[\ \t]*require[\ \t]'[A-Za-z_/]+' ->0 regex include\ [A-Z]|def\ [a-z]|\ do$ ->>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby script text +0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/]+' +>0 regex def\ [a-z]|\ do$ +>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 30 !:mime text/x-ruby -0 regex \^[\ \t]*(class|module)[\ \t][A-Z] +0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z] >0 regex (modul|includ)e\ [A-Z]|def\ [a-z] ->>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby module source text +>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 30 +!:mime text/x-ruby +# Classes with no modules or defs, beats simple ASCII +0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z] +>&0 regex \^[[:space:]]*end([[:space:]]+[;#if].*)?$ Ruby script text +!:strength + 10 +!:mime text/x-ruby +# Looks for function definition to balance python magic +# def name (args) +# end +0 regex \^[[:space:]]*def\ [a-z]|def\ [[:alpha:]]+::[a-z] +>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 10 +!:mime text/x-ruby + +0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/]+' Ruby script text +!:mime text/x-ruby +0 regex \^[[:space:]]*include\ ([A-Z]+[a-z]*(::))+ Ruby script text !:mime text/x-ruby diff --git a/contrib/file/magic/Magdir/sccs b/contrib/file/magic/Magdir/sccs index 95b3a5db..4717948 100644 --- a/contrib/file/magic/Magdir/sccs +++ b/contrib/file/magic/Magdir/sccs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sccs,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File: sccs,v 1.7 2017/03/17 21:35:28 christos Exp $ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: 
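Review bot: In the added "Classes with no modules or defs" rule of the ruby hunk, the `end` test uses the bracket expression `[;#if]`, which matches a single character out of `;`, `#`, `i` or `f`, not the word `if`. If a trailing `if` modifier was meant, write it as an alternation: `\^[[:space:]]*end([[:space:]]+([;#]|if).*)?$`. All the rewritten `end` tests also change `[\ \t]*` to `[[:space:]]+`, so `end;` and `end#...` without a space no longer match. The last-but-one added rule labels any text containing a `require '...'` line as Ruby with no confirming test, which other scripting languages with the same syntax would presumably also satisfy.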
@@ -17,6 +17,6 @@ # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, -# and we don't have regular expression matching yet. +# and we don't have regular expression matching yet. # Hence the following official kludge: 8 string \001s\ SCCS archive data diff --git a/contrib/file/magic/Magdir/scientific b/contrib/file/magic/Magdir/scientific index e39720c..2e0cf49 100644 --- a/contrib/file/magic/Magdir/scientific +++ b/contrib/file/magic/Magdir/scientific @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.10 2015/08/24 05:18:55 christos Exp $ -# scientific: file(1) magic for scientific formats +# $File: scientific,v 1.12 2017/03/17 22:20:22 christos Exp $ +# scientific: file(1) magic for scientific formats # # From: Joe Krahn <krahn@niehs.nih.gov> @@ -90,7 +90,7 @@ # format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. -0 string HEADER\ \ \ \ +0 string HEADER\ \ \ \040 >&0 regex/1l \^.{40} >>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} >>>&0 regex/1ls [A-Z0-9]{4}.{14}$ diff --git a/contrib/file/magic/Magdir/sendmail b/contrib/file/magic/Magdir/sendmail index 2900410..840859c 100644 --- a/contrib/file/magic/Magdir/sendmail +++ b/contrib/file/magic/Magdir/sendmail 
@@ -1,27 +1,27 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.8 2015/11/11 15:27:03 christos Exp $ +# $File: sendmail,v 1.10 2017/08/13 00:21:47 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? # -# Update: Joerg Jenderek +# Update: Joerg Jenderek # GRR: this test is too general as it catches also # READ.ME.FIRST.AWP Sendmail frozen configuration # - version ====|====|====|====|====|====|====|====|====|====|====|====|=== # Email_23_f217153422.ts Sendmail frozen configuration # - version \330jK\354 -0 byte 046 +0 byte 046 # http://www.sendmail.com/sm/open_source/docs/older_release_notes/ # freezed configuration file (dbm format?) created from sendmal.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed -# valid version numbers look like "7.14.4" and should be simliar to output of commands -# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" +# valid version numbers look like "7.14.4" and should be similar to output of commands +# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration # normally only /etc/sendmail.fc or /var/adm/sendmail/sendmail.fc !:ext fc >>16 string >\0 - version %s -0 short 0x271c +0 short 0x271c # look for valid version number >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration !:ext fc diff --git a/contrib/file/magic/Magdir/sequent b/contrib/file/magic/Magdir/sequent index 5137c0e..780d77e 100644 --- a/contrib/file/magic/Magdir/sequent +++ b/contrib/file/magic/Magdir/sequent 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sequent,v 1.12 2014/08/16 16:07:12 christos Exp $ +# $File: sequent,v 1.13 2017/03/17 21:35:28 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins <atsun!dwiggins>. @@ -33,9 +33,9 @@ # http://en.wikipedia.org/wiki/Sequent_Computer_Systems # below test line conflicts with MS-DOS 2.11 floppies and Acronis loader #0 leshort 0x42eb SYMMETRY i386 standalone executable -0 leshort 0x42eb +0 leshort 0x42eb # skip unlike negative version ->124 lelong >-1 +>124 lelong >-1 # assuming version 28867614 is very low probable >>124 lelong !28867614 SYMMETRY i386 standalone executable >>>16 lelong >0 not stripped diff --git a/contrib/file/magic/Magdir/sgml b/contrib/file/magic/Magdir/sgml index e3dcc26..34edd3c 100644 --- a/contrib/file/magic/Magdir/sgml +++ b/contrib/file/magic/Magdir/sgml @@ -1,8 +1,10 @@ -#------------------------------------------------------------------------------ # $File: sgml,v 1.34 2016/09/11 13:56:42 christos Exp $ + +#------------------------------------------------------------------------------ +# $File: sgml,v 1.37 2017/07/23 08:23:33 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres <tecnico@ejerciciosresueltos.com> -0 string \<?xml\ version=" ->15 string >\0 +0 string \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \<svg SVG Scalable Vector Graphics image !:mime image/svg+xml >>19 search/4096 \<gnc-v2 GnuCash file @@ -11,16 +13,16 @@ !:mime image/svg # Sitemap file -0 string/t \<?xml\ version=" ->15 string >\0 +0 string/t \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \<urlset XML Sitemap document text !:mime application/xml-sitemap # OpenStreetMap XML (.osm) # http://wiki.openstreetmap.org/wiki/OSM_XML # 
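Review bot: The new version test `>14 regex ['"\ \t]*[0-9.]+['"\ \t]*` in the SVG entry is unanchored and its quote and blank parts are all optional, so it succeeds as soon as any digit or dot appears anywhere in the range the regex scans, not only directly after `version=`. It therefore adds little as a gate for the `\<svg` search below it. The same line is repeated in the Sitemap and OpenStreetMap entries of the following hunk, where it gates `\<urlset` and `\<osm`. Anchoring it and limiting it to the first line, for example `>14 regex/1l \^['"\ \t]*[0-9.]+['"\ \t]*`, would tie the match to the text that follows `version=`; this should be checked against sample files, since it depends on how file(1) applies `^` at a non-zero offset.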
From: Markus Heidelberg <markus.heidelberg@web.de> -0 string \<?xml\ version=" ->15 string >\0 +0 string \<?xml\ version= +>14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \<osm OpenStreetMap XML data # xhtml @@ -46,6 +48,12 @@ !:mime text/html !:strength + 5 +# SVG document +# https://www.w3.org/TR/SVG/single-page.html +0 search/4096/cWbt \<!doctype\ svg SVG XML document +!:mime image/svg+xml +!:strength + 5 + 0 search/4096/cwt \<head\> HTML document text !:mime text/html !:strength + 5 diff --git a/contrib/file/magic/Magdir/sharc b/contrib/file/magic/Magdir/sharc index b40e652..e54088b 100644 --- a/contrib/file/magic/Magdir/sharc +++ b/contrib/file/magic/Magdir/sharc @@ -1,9 +1,9 @@ #------------------------------------------------------------------------ -# $File: sharc,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: sharc,v 1.8 2017/03/17 21:35:28 christos Exp $ # file(1) magic for sharc files # -# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by +# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by # FutureGroove Music (dsp@futuregroove.de) #------------------------------------------------------------------------ diff --git a/contrib/file/magic/Magdir/sketch b/contrib/file/magic/Magdir/sketch index 82dacb8..ee731dd 100644 --- a/contrib/file/magic/Magdir/sketch +++ b/contrib/file/magic/Magdir/sketch @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sketch,v 1.4 2009/09/19 16:28:12 christos Exp $ -# Sketch Drawings: http://sketch.sourceforge.net/ +# $File: sketch,v 1.5 2017/03/17 21:35:28 christos Exp $ +# Sketch Drawings: http://sketch.sourceforge.net/ # From: Edwin Mons <e@ik.nu> 0 search/1 ##Sketch Sketch document text diff --git a/contrib/file/magic/Magdir/sql b/contrib/file/magic/Magdir/sql index b07350a..acc4529 100644 --- a/contrib/file/magic/Magdir/sql +++ b/contrib/file/magic/Magdir/sql 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sql,v 1.20 2016/07/05 19:49:59 christos Exp $ +# $File: sql,v 1.21 2017/03/17 21:35:28 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" <mleisner@eng.mc.xerox.com> @@ -73,7 +73,7 @@ >>3 byte x Version %d #------------------------------------------------------------------------------ -# iRiver H Series database file +# iRiver H Series database file # From Ken Guest <ken@linux.ie> # As observed from iRivNavi.iDB and unencoded firmware # @@ -133,9 +133,9 @@ 0 string PSDB\0 Panasonic channel list DataBase !:ext db/bin #!:mime application/x-db-svl-panasonic ->126 string SQLite\ format\ 3 +>126 string SQLite\ format\ 3 #!:mime application/x-panasonic-sqlite3 ->>&-15 indirect x \b; contains +>>&-15 indirect x \b; contains # H2 Database from http://www.h2database.com/ 0 string --\ H2\ 0.5/B\ --\ \n H2 Database file diff --git a/contrib/file/magic/Magdir/ssl b/contrib/file/magic/Magdir/ssl index 5d5daee..2094ef5 100644 --- a/contrib/file/magic/Magdir/ssl +++ b/contrib/file/magic/Magdir/ssl @@ -1,8 +1,20 @@ + +#------------------------------------------------------------------------------ +# $File: ssl,v 1.4 2017/01/22 21:14:25 christos Exp $ +# ssl: file(1) magic for SSL file formats + # Type: OpenSSL certificates/key files # 
From: Nicolas Collignon <tsointsoin@gmail.com> -0 string -----BEGIN\ CERTIFICATE----- PEM certificate -0 string -----BEGIN\ CERTIFICATE\ REQ PEM certificate request -0 string -----BEGIN\ RSA\ PRIVATE PEM RSA private key -0 string -----BEGIN\ DSA\ PRIVATE PEM DSA private key -0 string -----BEGIN\ EC\ PRIVATE PEM EC private key +0 string -----BEGIN\040CERTIFICATE----- PEM certificate +0 string -----BEGIN\040CERTIFICATE\040REQ PEM certificate request +0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key +0 string -----BEGIN\040DSA\040PRIVATE PEM DSA private key +0 string -----BEGIN\040EC\040PRIVATE PEM EC private key +0 string -----BEGIN\040ECDSA\040PRIVATE PEM ECDSA private key + +# From Luc Gommans +# OpenSSL enc file (recognized by a magic string preceding the password's salt) +0 string Salted__ openssl enc'd data with salted password +# Using the -a or -base64 option, OpenSSL will base64-encode the data. +0 string U2FsdGVkX19 openssl enc'd data with salted password, base64 encoded diff --git a/contrib/file/magic/Magdir/sysex b/contrib/file/magic/Magdir/sysex index 97472e2..fc9cbf4 100644 --- a/contrib/file/magic/Magdir/sysex +++ b/contrib/file/magic/Magdir/sysex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.8 2014/06/03 19:17:27 christos Exp $ +# $File: sysex,v 1.9 2017/03/17 21:35:28 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems @@ -256,7 +256,7 @@ >1 belong&0xffffff00 0x00011d00 Nemesys >1 belong&0xffffff00 0x00011e00 DBX >1 belong&0xffffff00 0x00011f00 Syndyne ->1 belong&0xffffff00 0x00012000 Bitheadz +>1 belong&0xffffff00 0x00012000 Bitheadz >1 belong&0xffffff00 0x00012100 Cakewalk >1 belong&0xffffff00 0x00012200 Staccato >1 belong&0xffffff00 0x00012300 National Semicon. 
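Review bot: The base64 rule `0 string U2FsdGVkX19` covers only part of what `openssl enc -a` can emit. Encoding `Salted__` fixes the first ten characters (`U2FsdGVkX1`), but the eleventh also carries the top two bits of the first salt byte and can be `8`, `9`, `+` or `/`. With a random salt, roughly three quarters of salted base64 output is therefore not identified; matching the ten-character prefix, `0 string U2FsdGVkX1 openssl enc'd data with salted password, base64 encoded`, covers all four cases. Separately, the PEM key rules list the RSA, DSA, EC and ECDSA labels but not the PKCS#8 headers `-----BEGIN PRIVATE KEY-----` and `-----BEGIN ENCRYPTED PRIVATE KEY-----`, so anyone relying on file(1) output to spot key material would miss those.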
diff --git a/contrib/file/magic/Magdir/terminfo b/contrib/file/magic/Magdir/terminfo
index b201bca..43e9d43 100644
--- a/contrib/file/magic/Magdir/terminfo
+++ b/contrib/file/magic/Magdir/terminfo
@@ -1,24 +1,51 @@ #------------------------------------------------------------------------------ -# $File: terminfo,v 1.7 2016/03/17 21:02:29 christos Exp $ +# $File: terminfo,v 1.9 2017/04/28 16:28:58 christos Exp $ # terminfo: file(1) magic for terminfo # -# XXX - byte order for screen images? +# URL: http://invisible-island.net/ncurses/man/term.5.html +# URL: http://invisible-island.net/ncurses/man/scr_dump.5.html # -# URL: https://en.wikipedia.org/wiki/Terminfo -# Reference: ncurses-5.9/ncurses/tinfo/write_entry.c -# Update: Joerg Jenderek -# -# GRR: line below too general as it catches also +# Workaround for Targa image type by Joerg Jenderek +# GRR: line below too general as it catches also # Targa image type 1 with 26 long identification field # and HELP.DSK -0 string \032\001 +0 string \032\001 # 5th character of terminal name list, but not Targa image pixel size (15 16 24 32) ->16 ubyte >32 +>16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s" !:mime application/x-terminfo # no extension -#!:ext -0 short 0433 Curses screen image -0 short 0434 Curses screen image +#!:ext +# +# While the compiled terminfo uses little-endian format irregardless of +# platform, SystemV screen dumps do not. They came later, and that detail was +# overlooked. 
+# +# AIX and HPUX use the SVr4 big-endian format +# Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) +0 beshort 0433 SVr2 curses screen image, big-endian +0 beshort 0434 SVr3 curses screen image, big-endian +0 beshort 0435 SVr4 curses screen image, big-endian +# +0 leshort 0433 SVr2 curses screen image, little-endian +0 leshort 0434 SVr3 curses screen image, little-endian +0 leshort 0435 SVr4 curses screen image, little-endian +# +# Rather than SVr4, Solaris "xcurses" writes this header: +0 regex \^MAX=[0-9]+,[0-9]+$ +>1 regex \^BEG=[0-9]+,[0-9]+$ +>2 regex \^SCROLL=[0-9]+,[0-9]+$ +>3 regex \^VMIN=[0-9]+$ +>4 regex \^VTIME=[0-9]+$ +>5 regex \^FLAGS=0x[[:xdigit:]]+$ +>6 regex \^FG=[0-9],[0-9]+$ +>7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image +# +# ncurses5 (and before) did not use a magic number, making screen dumps "data". +# ncurses6 (2015) uses this format, ignoring byte-order +0 string \210\210\210\210ncurses ncurses6 screen image +# +# PDCurses added this in 2005 +0 string PDC\001 PDCurses screen image diff --git a/contrib/file/magic/Magdir/vms b/contrib/file/magic/Magdir/vms index 4939303..56d57ae 100644 --- a/contrib/file/magic/Magdir/vms +++ b/contrib/file/magic/Magdir/vms @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vms,v 1.9 2014/08/17 13:47:59 christos Exp $ +# $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) @@ -25,6 +25,6 @@ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # # GRR this test is still too general as it catches example adressen.dbt -0 belong 0x03000000 +0 belong 0x03000000 >8 ubelong 0xec020000 VMS Alpha executable >>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption diff --git a/contrib/file/magic/Magdir/vmware b/contrib/file/magic/Magdir/vmware index b6b6a61..cd1a9d9 100644 
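Review bot: In the Solaris xcurses entry every continuation from `>1 regex \^BEG=` to `>7 regex \^BG=` sits at the same level, so they are evaluated as independent siblings of the `MAX=` test rather than as a chain. The description is printed once `MAX=` and the `BG=` line match, whatever the tests in between return. If the full header is meant to be required, each line needs one more `>` than the one before it (`>>2 regex \^SCROLL=…`, `>>>3 regex \^VMIN=…`, and so on). The `FG=` pattern also uses `[0-9]` where the `BG=` pattern uses `[0-9]+`, which looks unintended. The two-byte `beshort`/`leshort` tests for 0433 to 0435 now fire in both byte orders, so a negative `!:strength` on them may be worth adding to keep them from outranking more specific matches.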
--- a/contrib/file/magic/Magdir/vmware +++ b/contrib/file/magic/Magdir/vmware @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vmware,v 1.7 2009/09/19 16:28:13 christos Exp $ +# $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) -0 belong 0x4d52564e VMware nvram +0 belong 0x4d52564e VMware nvram diff --git a/contrib/file/magic/Magdir/vorbis b/contrib/file/magic/Magdir/vorbis index 3b5e51f..5335ca8 100644 --- a/contrib/file/magic/Magdir/vorbis +++ b/contrib/file/magic/Magdir/vorbis @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vorbis,v 1.22 2015/03/28 15:14:55 christos Exp $ +# $File: vorbis,v 1.23 2017/03/17 21:35:28 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner <leitner@fefe.de> @@ -95,7 +95,7 @@ # in a different place, so we must use an indirect offset. >>>(84.b+85) string \x03vorbis >>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I ->>>>>(84.b+120) string >00000000 +>>>>>(84.b+120) string >00000000 # Map to beta version numbers: >>>>>>(84.b+120) string <20000508 (<beta1, prepublic) >>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) @@ -117,7 +117,7 @@ >>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org >>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I ->>>>>(84.b+117) string >00000000 +>>>>>(84.b+117) string >00000000 >>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string 20020717 (1.0) >>>>>>(84.b+117) string 20030909 (1.0.1) 
@@ -128,13 +128,13 @@ !:mime audio/ogg >>>36 ubyte >0x0F UNKNOWN VERSION %u, >>>36 ubyte &0x0F version 0.%d ->>>>46 ubyte >1 +>>>>46 ubyte >1 >>>>>46 ubyte !255 unknown channel mapping family %u, >>>>>37 ubyte x %u channels >>>>46 ubyte 0 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo ->>>>46 ubyte 1 +>>>>46 ubyte 1 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo >>>>>37 ubyte 3 linear surround diff --git a/contrib/file/magic/Magdir/webassembly b/contrib/file/magic/Magdir/webassembly new file mode 100644 index 0000000..8a4ce1b --- /dev/null +++ b/contrib/file/magic/Magdir/webassembly @@ -0,0 +1,15 @@ +#------------------------------------------------------------------------------ +# $File: webassembly,v 1.2 2017/05/02 14:05:29 christos Exp $ +# webassembly: file(1) magic for WebAssembly modules +# +# WebAssembly is a virtual architecture developed by a W3C Community +# Group at http://webassembly.org/. The file extension is .wasm, and +# the MIME type is application/wasm. +# +# http://webassembly.org/docs/binary-encoding/ is the main +# document describing the binary format. +# From: Pip Cet <pipcet@gmail.com> and Joel Martin + +0 string \0asm WebAssembly (wasm) binary module +>4 lelong =1 version %#x (MVP) +>4 lelong >1 version %#x diff --git a/contrib/file/magic/Magdir/windows b/contrib/file/magic/Magdir/windows index faaa7e2..169d4f8 100644 --- a/contrib/file/magic/Magdir/windows +++ b/contrib/file/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $ +# $File: windows,v 1.16 2017/03/17 22:20:22 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs 
@@ -29,7 +29,7 @@ # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) -0 string PAGE +0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE @@ -66,13 +66,13 @@ # Summary: Old format help files # URL: https://en.wikipedia.org/wiki/WinHelp # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Created by: Dirk Jagdmann <doj@cubic.org> # # check and then display version and date inside MS Windows HeLP file fragment 0 name help-ver-date # look for Magic of SYSTEMHEADER ->0 leshort 0x036C +>0 leshort 0x036C # version Major 1 for right file fragment >>4 leshort 1 Windows # print non empty string above to avoid error message @@ -93,7 +93,7 @@ >>>6 ldate x \b, %s # # Magic for HeLP files -0 lelong 0x00035f3f +0 lelong 0x00035f3f # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" # file header magic 0x293B at DirectoryStart+9 >(4.l+9) uleshort 0x293B MS 
@@ -101,37 +101,37 @@ >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation !:mime application/x-winhelp !:ext ann ->>0xD4 string !\x62\x6D\x66\x01\x00 +>>0xD4 string !\x62\x6D\x66\x01\x00 # "GID Help index" by TrID >>>(4.l+0x65) string =|Pete Windows help Global Index !:mime application/x-winhelp !:ext gid # HeLP Bookmark or # "Windows HELP File" by TrID ->>>(4.l+0x65) string !|Pete +>>>(4.l+0x65) string !|Pete # maybe there exist a cleaner way to detect HeLP fragments # brute search for Magic 0x036C with matching Major maximal 7 iterations # discapp.hlp ->>>>16 search/0x49AF/s \x6c\x03 +>>>>16 search/0x49AF/s \x6c\x03 >>>>>&0 use help-ver-date ->>>>>&4 leshort !1 +>>>>>&4 leshort !1 # putty.hlp ->>>>>>&0 search/0x69AF/s \x6c\x03 +>>>>>>&0 search/0x69AF/s \x6c\x03 >>>>>>>&0 use help-ver-date ->>>>>>>&4 leshort !1 ->>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>&4 leshort !1 +>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>&0 use help-ver-date ->>>>>>>>>&4 leshort !1 ->>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>&4 leshort !1 +>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 # GCC.HLP is detected after 7 iterations >>>>>>>>>>>>>>>>>&0 use help-ver-date # this only happens if bigger hlp file is detected after used search iterations 
@@ -139,7 +139,7 @@ !:mime application/winhelp !:ext hlp # repeat search again or following default line does not work ->>>>16 search/0x49AF/s \x6c\x03 +>>>>16 search/0x49AF/s \x6c\x03 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) >>>>16 default x Windows help Bookmark !:mime application/x-winhelp @@ -180,21 +180,21 @@ #>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx # start with colon or semicolon for comment line like Back2Life.cnt -0 regex \^(:|;) +0 regex \^(:|;) # look for first keyword Base ->0 search/45 :Base +>0 search/45 :Base >>&0 use cnt-name # only solution to search again from beginning , because relative offsets changes when use is called ->0 search/45 :Base ->0 default x +>0 search/45 :Base +>0 default x # look for other keyword Title like in putty.cnt ->>0 search/45 :Title +>>0 search/45 :Title >>>&0 use cnt-name # # display mime type and name of Windows help Content source 0 name cnt-name # skip space at beginning ->0 string \ +>0 string \040 # name without extension and greater character or name with hlp extension >>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" !:mime text/plain @@ -210,10 +210,10 @@ # Summary: Hyper terminal # Extension: .ht # Created by: unknown -0 string HyperTerminal\ +0 string HyperTerminal\040 >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile -# http://ithreats.files.wordpress.com/2009/05/\ +# http://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut # Extension: .lnk @@ -293,7 +293,7 @@ # Extension: .reg # Submitted by: Abel Cheung <abelcheung@gmail.com> 0 string REGEDIT4\r\n\r\n Windows Registry text (Win95 or above) -0 string Windows\ Registry\ Editor\ +0 string Windows\ Registry\ Editor\040 >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013 
@@ -301,10 +301,10 @@ # PR/383: remove unicode BOM because it is not portable across regex impls 0 regex/s \\`(\\r\\n|;|[[]) # left bracket in section line ->&0 search/8192 [ +>&0 search/8192 [ # http://en.wikipedia.org/wiki/Autorun.inf # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx ->>&0 regex/c \^(autorun)]\r\n +>>&0 regex/c \^(autorun)]\r\n >>>&0 ubyte =0x5b INItialization configuration !:mime application/x-wine-extension-ini # From: Pal Tamas <folti@balabit.hu> 
@@ -343,31 +343,31 @@ # http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information >>&0 regex/c \^(boot\x20loader)] Windows boot.ini !:mime application/x-wine-extension-ini ->>>&0 ubyte x +>>>&0 ubyte x # http://en.wikipedia.org/wiki/CONFIG.SYS >>&0 regex/c \^(menu)]\r\n MS-DOS CONFIG.SYS # http://support.microsoft.com/kb/118579/ >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS # VERS string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # STRI string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 # NGS] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation !:mime application/x-setupscript # unknown keyword after opening bracket ->>&0 default x ->>>&0 search/8192 [ +>>&0 default x +>>>&0 search/8192 [ # version Strings FileIdentification ->>>>&0 string/c version Windows setup INFormation +>>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript # VERS string unicoded case-independent ->>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other #>>>>&0 default x Generic INItialization configuration 
@@ -376,21 +376,21 @@ # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp -0 leshort&0xFeFe 0x0000 +0 leshort&0xFeFe 0x0000 !:strength -5 # test for unused null bits in PNF_FLAGs ->4 ulelong&0xFCffFe00 0x00000000 +>4 ulelong&0xFCffFe00 0x00000000 # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure ->>68 ulelong >0x57 +>>68 ulelong >0x57 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF !:mime application/x-pnf # currently only found Major Version=1 and Minor Version=1 -#>>>>0 uleshort =0x0101 +#>>>>0 uleshort =0x0101 #>>>>>1 ubyte x \b, version %u #>>>>>0 ubyte x \b.%u ->>>>0 uleshort !0x0101 +>>>>0 uleshort !0x0101 >>>>>1 ubyte x \b, version %u >>>>>0 ubyte x \b.%u # 1 ,2 (windows 98 SE) @@ -416,10 +416,10 @@ #>>>>16 ulelong x \b, InfVersionDataSize 0x%x # only found positive values lower 0x00ffFFff for InfVersionDataOffset >>>>20 ulelong x \b, at 0x%x ->>>>4 ulelong&0x00000001 =0x00000001 -# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature +>>>>4 ulelong&0x00000001 =0x00000001 +# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>>>>(20.l) lestring16 x "%s" ->>>>4 ulelong&0x00000001 !0x00000001 +>>>>4 ulelong&0x00000001 !0x00000001 >>>>>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx 
@@ -435,23 +435,23 @@ #>>>>64 ulelong x \b, InfValueBlockSize 0x%x # WinDirPathOffset #>>>>68 ulelong x \b, at 0x%x ->>>>68 ulelong >0x57 ->>>>>4 ulelong&0x00000001 =0x00000001 ->>>>>>(68.l) ubequad =0x43003a005c005700 +>>>>68 ulelong >0x57 +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(68.l) ubequad =0x43003a005c005700 # normally unicoded C:\Windows #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>>(68.l) ubequad !0x43003a005c005700 +>>>>>>(68.l) ubequad !0x43003a005c005700 >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # normally ASCII C:\WINDOWS #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s" -# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF +# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF #>>>>72 ulelong >0 \b, at 0x%x >>>>72 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(72.l) lestring16 x OsLoaderPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # seldom C:\ instead empty >>>>>>(72.l) string x OsLoaderPath "%s" # 1fdh 
@@ -462,16 +462,16 @@ # InfSourcePathOffset often 0 #>>>>80 ulelong >0 \b, at 0x%x >>>>80 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(80.l) lestring16 x SourcePath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 #>>>>84 ulelong >0 \b, at 0x%x >>>>84 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(84.l) lestring16 x InfName "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(84.l) string >\0 InfName "%s" # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 @@ -480,13 +480,13 @@ # URL: http://en.wikipedia.org/wiki/NTBackup # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF # Descriptor BloCK name of Microsoft Tape Format -0 string TAPE +0 string TAPE # Format Logical Address is zero ->20 ulequad 0 +>20 ulequad 0 # Reserved for MBC is zero ->>28 uleshort 0 +>>28 uleshort 0 # Control Block ID is zero ->>>36 ulelong 0 +>>>36 ulelong 0 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive #!:mime application/x-ntbackup @@ -508,7 +508,7 @@ >>>>>4 ulelong&0x00000004 !0 \b, compressed # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit ->>>>>4 ulelong&0x00020000 0 +>>>>>4 ulelong&0x00020000 0 # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape >>>>>>4 ulelong&0x00010000 !0 \b, with catalog # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present 
@@ -531,37 +531,37 @@ # Media Based Catalog Type (1,2) #>>>>>66 uleshort x \b, catalog type %4.4x # size of Media Name (66,68,6Eh) ->>>>>68 uleshort >0 +>>>>>68 uleshort >0 # offset of Media Name (5Eh) ->>>>>>70 uleshort >0 +>>>>>>70 uleshort >0 # 0~, 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 +>>>>>>>48 ubyte 1 # size terminated ansi coded string normally followed by "MTF Media Label" >>>>>>>>(70.s) string >\0 \b, name: %s ->>>>>>>48 ubyte 2 +>>>>>>>48 ubyte 2 # Not null, but size terminated unicoded string >>>>>>>>(70.s) lestring16 x \b, name: %s # size of Media Label (104h) ->>>>>72 uleshort >0 +>>>>>72 uleshort >0 # offset of Media Label (C4h,C6h,CCh) ->>>>>74 uleshort >0 ->>>>>>48 ubyte 1 +>>>>>74 uleshort >0 +>>>>>>48 ubyte 1 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields >>>>>>>(74.s) string >\0 \b, label: %s ->>>>>>48 ubyte 2 +>>>>>>48 ubyte 2 >>>>>>>(74.s) lestring16 x \b, label: %s # size of password name (0,1Ch) #>>>>>76 uleshort >0 \b, password size %4.4x # Software Vendor ID (CBEh) >>>>>86 uleshort x \b, software (0x%x) # size of Software Name (6Eh) ->>>>>80 uleshort >0 +>>>>>80 uleshort >0 # offset of Software Name (1C8h,1CAh,1D0h) ->>>>>>82 uleshort >0 +>>>>>>82 uleshort >0 # 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 +>>>>>>>48 ubyte 1 >>>>>>>>(82.s) string >\0 \b: %s ->>>>>>>48 ubyte 2 +>>>>>>>48 ubyte 2 # size terminated unicoded coded string normally followed by "SPAD" >>>>>>>>(82.s) lestring16 x \b: %s # Format Logical Block Size (512,1024) diff --git a/contrib/file/magic/Magdir/xenix b/contrib/file/magic/Magdir/xenix index 89de603..fb83faa 100644 --- a/contrib/file/magic/Magdir/xenix +++ b/contrib/file/magic/Magdir/xenix 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xenix,v 1.10 2016/04/19 18:14:19 christos Exp $ +# $File: xenix,v 1.11 2017/03/17 21:35:28 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small @@ -16,14 +16,14 @@ # Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf # Update: Joerg Jenderek # recordtype~TranslatorHEADerRecord -0 byte 0x80 +0 byte 0x80 # GRR: line above is too general as it catches also Extensible storage engine DataBase # skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3 ->1 uleshort <1022 +>1 uleshort <1022 # skip examples like GAME.PICTURE Strange.Pic by looking for positiv record length ->>1 uleshort >0 +>>1 uleshort >0 # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positiv string length ->>>3 ubyte >0 +>>>3 ubyte >0 # skip examples like OMBRE.6 with "UUUUUU" by looking for filename like "hello.c" >>>>4 regex [a-zA-Z_/]{1,8}[.] 8086 relocatable (Microsoft) #!:mime application/octet-stream @@ -54,8 +54,8 @@ >0x1c byte &0x9 286 >0x1c byte &0xa 386 >0x1f byte <0x040 small model ->0x1f byte =0x048 large model ->0x1f byte =0x049 huge model +>0x1f byte =0x048 large model +>0x1f byte =0x049 huge model >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x40 Large Text diff --git a/contrib/file/magic/Magdir/xilinx b/contrib/file/magic/Magdir/xilinx index 91e84d9..a521977 100644 --- a/contrib/file/magic/Magdir/xilinx +++ b/contrib/file/magic/Magdir/xilinx 
@@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: xilinx,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: xilinx,v 1.8 2017/03/17 21:35:28 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 # -# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, -# fixes at least reading of bitfiles from Spartan 2, 3, 6. +# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, +# fixes at least reading of bitfiles from Spartan 2, 3, 6. # http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm # # First there is the sync header and its length @@ -20,7 +20,7 @@ >>>>&0 pstring/H x - from %s # And then 'b' >>>>>&1 string b -# Then the model / part number: +# Then the model / part number: >>>>>>&0 pstring/H x - for %s # Then 'c' >>>>>>>&1 string c @@ -36,5 +36,5 @@ >>>>>>>>>>>>&0 belong x - data length 0x%x # Raw bitstream files -0 long 0xffffffff +0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) diff --git a/contrib/file/magic/Magdir/xwindows b/contrib/file/magic/Magdir/xwindows index eb20892..85f64c8 100644 --- a/contrib/file/magic/Magdir/xwindows +++ b/contrib/file/magic/Magdir/xwindows @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: xwindows,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: xwindows,v 1.10 2017/03/17 21:35:28 christos Exp $ # xwindows: file(1) magic for various X/Window system file formats. -# Compiled X Keymap +# Compiled X Keymap # XKM (compiled X keymap) files (including version and byte ordering) 1 string mkx Compiled XKB Keymap: lsb, >0 byte >0 version %d diff --git a/contrib/file/magic/Magdir/yara b/contrib/file/magic/Magdir/yara new file mode 100644 index 0000000..523a2d0 --- /dev/null +++ b/contrib/file/magic/Magdir/yara 
@@ -0,0 +1,17 @@ + + +#------------------------------------------------------------------------------ +# $File: yara,v 1.2 2017/05/25 20:07:23 christos Exp $ +# yara: file(1) magic for http://virustotal.github.io/yara/ +# + +0 string YARA +>4 lelong >2047 +>8 byte <20 YARA 3.x compiled rule set +# version +>>8 clear x +>>8 byte 6 created with version 3.3.0 +>>8 byte 8 created with version 3.4.0 +>>8 byte 11 created with version 3.5.0 +>>8 default x +>>>8 byte x development version 0x%02x |
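Review bot: The size test `>4 lelong >2047` does not gate anything, because the next line `>8 byte <20` is at the same continuation level and so is evaluated independently of it. Any file that starts with `YARA` and has a small byte at offset 8 is reported as a compiled rule set. If the size check is meant to be a precondition, the version test and everything under it should move one level deeper, starting with `>>8 ubyte <20 YARA 3.x compiled rule set`. Using `ubyte` there also matters, since plain `byte` is signed and `<20` currently accepts 0x80–0xFF as well.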