file_ex/magic/Magdir/gnu

174 lines
6 KiB
Text
Raw Normal View History

2023-08-06 16:12:15 +00:00
#------------------------------------------------------------------------------
# $File: gnu,v 1.24 2021/04/26 15:56:00 christos Exp $
# gnu: file(1) magic for various GNU tools
#
# GNU nlsutils message catalog file format
#
# GNU message catalog (.mo and .gmo files)
# Update: Joerg Jenderek
# URL: https://www.gnu.org/software/gettext/manual/html_node/MO-Files.html
# Reference: ftp://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.8.tar.gz/
# gettext-0.19.8.1/gettext-runtime/intl/gmo.h
# Note: maybe call it like "GNU translation gettext machine object"
0 string \336\22\4\225 GNU message catalog (little endian),
#0 ulelong 0x950412DE GNU-format message catalog data
# TODO: write lines in such a way that code can also be called for big endian variant
#>0 use gettext-object
#0 name gettext-object
>4 ulelong x revision
!:mime application/x-gettext-translation
# mo extension is also used for Easeus Partition Master PE32 executable module
# like ConvertFatToNTFS.mo
!:ext gmo/mo
# only found three revision combinations 0.0 0.1 1.1 as unsigned 32-bit
# major revision
>4 ulelong/0xFFff x %u.
# minor revision
>4 ulelong&0x0000FFff x \b%u
>>8 ulelong x \b, %u message
# plural s
>>8 ulelong >1 \bs
# size of hashing table
#>20 ulelong x \b, %u hash
#>20 ulelong >1 \bes
#>24 ulelong x at %#x
# for revision x.0 offset of table with originals is 1Ch if directly after header
>4 ulelong&0x0000FFff =0
>>12 ulelong !0x1C \b, at %#x string table
# but for x.1 table offset i found is 30h. That means directly after bigger header
>4 ulelong&0x0000FFff >0
>>12 ulelong !0x30 \b, at %#x string table
# The following variables are only used in .mo files with minor revision >= 1
# number of system dependent segments
#>>28 ulelong x \b, %u segment
#>>28 ulelong >1 \bs
# offset of table describing system dependent segments
#>>32 ulelong x at %#x
# number of system dependent strings pairs
>>36 ulelong x \b, %u sysdep message
>>36 ulelong >1 \bs
# offset of table with start offsets of original sysdep strings
#>>40 ulelong x \b, at %#x sysdep strings
# offset of table with start offsets of translated sysdep strings
#>>44 ulelong x \b, at %#x sysdep translations
# >>(44.l) ulelong x %#x chars
# >>>&0 ulelong x at %#x
# >>>>(&-4) string x "%s"
# string table after big header
#>>48 ubequad x \b, string table %#llx
#
# 0th string length seems to be always 0
#>(12.l) ulelong x \b, %u chars
#>>&0 ulelong x at %#x
# if 1st string length positive inspect offset and string
#>(12.l+8) ulelong >0 \b, %u chars
#>>&0 ulelong x at %#x
# if 2nd string length positive inspect offset and string
# >(12.l+16) ulelong >0 \b, %u chars
# >>&0 ulelong x at %#x
# skip newline byte
#>>>(&-4) ubyte =0x0A
#>>>>&0 string x "%s"
#>>>(&-4) ubyte !0x0A
#>>>>&-1 string x '%s'
# offset of table with translation strings
#>16 ulelong x \b, at %#x translation table
# check translation 0 length and offset
>(16.l) ulelong >0
>>&0 ulelong x
# translation 0 seems to be often Project-Id with name and version
>>>(&-4) string x \b, %s
# trans. 1 with bytes >= 1 unlike icoutils-0.31.0\po\en@boldquot.gmo with 1 NL
>(16.l+8) ulelong >1
>>&0 ulelong x
>>>(&-4) ubyte !0x0A
>>>>&-1 string x '%s'
# 1 New Line like in tar-1.29\po\de.gmo
>>>(&-4) ubyte =0x0A
>>>>&0 ubyte !0x0A
>>>>>&-1 string x '%s'
# 2nd New Line like in parted-3.1\po\de.gmo
>>>>&0 ubyte =0x0A
>>>>>&0 string x '%s'
0 string \225\4\22\336 GNU message catalog (big endian),
#0 ubelong 0x950412DE GNU-format message catalog data
!:mime application/x-gettext-translation
!:ext gmo/mo
# TODO: for big endian use same code as for little endian
#>0 use \^gettext-object
# DEBUG code
#>16 ubelong x \b, at %#x translation table
#>(16.L) ubelong x %#x chars
#>>&0 ubelong x at %#x
# unexpected value HERE!
#>>>(&-4) ubequad x %#llx
#
>4 beshort x revision %d.
>6 beshort >0 \b%d,
>>8 belong x %d messages,
>>36 belong x %d sysdep messages
>6 beshort =0 \b%d,
>>8 belong x %d messages
# GnuPG
# The format is very similar to pgp
0 string \001gpg GPG key trust database
>4 byte x version %d
# Note: magic.mime had 0x8501 for the next line instead of 0x8502
0 beshort 0x8502 GPG encrypted data
!:mime text/PGP # encoding: data
# Update: Joerg Jenderek
# Note: PGP and GPG use same data structure.
# So recognition is now done by ./pgp with start test for byte 0x99
# This magic is not particularly good, as the keyrings don't have true
# magic. Nevertheless, it covers many keyrings.
# 0 ubeshort-0x9901 <2
# >3 byte 4
# >>4 bedate x GPG key public ring, created %s
# !:mime application/x-gnupg-keyring
# Symmetric encryption
0 leshort 0x0d8c
>4 leshort 0x0203
>>2 leshort 0x0204 GPG symmetrically encrypted data (3DES cipher)
>>2 leshort 0x0304 GPG symmetrically encrypted data (CAST5 cipher)
>>2 leshort 0x0404 GPG symmetrically encrypted data (BLOWFISH cipher)
>>2 leshort 0x0704 GPG symmetrically encrypted data (AES cipher)
>>2 leshort 0x0804 GPG symmetrically encrypted data (AES192 cipher)
>>2 leshort 0x0904 GPG symmetrically encrypted data (AES256 cipher)
>>2 leshort 0x0a04 GPG symmetrically encrypted data (TWOFISH cipher)
>>2 leshort 0x0b04 GPG symmetrically encrypted data (CAMELLIA128 cipher)
>>2 leshort 0x0c04 GPG symmetrically encrypted data (CAMELLIA192 cipher)
>>2 leshort 0x0d04 GPG symmetrically encrypted data (CAMELLIA256 cipher)
# GnuPG Keybox file
# <https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=kbx/keybox-blob.c;hb=HEAD>
# From: Philipp Hahn <hahn@univention.de>
0 belong 32
>4 byte 1
>>8 string KBXf GPG keybox database
>>>5 byte 1 version %d
>>>16 bedate x \b, created-at %s
>>>20 bedate x \b, last-maintained %s
# From: James Youngman <jay@gnu.org>
# gnu find magic
0 string \0LOCATE GNU findutils locate database data
>7 string >\0 \b, format %s
>7 string 02 \b (frcode)
# Files produced by GNU gettext
# gettext message catalogue
0 search/1024 \nmsgid
>&0 search/1024 \nmsgstr GNU gettext message catalogue text
!:strength +100
!:mime text/x-po