file 5.45

This commit is contained in:
FloatingGhost 2023-08-08 12:16:24 +01:00
parent cc7067c7d4
commit fea2f90423
96 changed files with 9440 additions and 2061 deletions

2
file

@ -1 +1 @@
Subproject commit 504206e53a89fd6eed71aeaf878aa3512418eab1 Subproject commit 4cbd5c8f0851201d203755b76cb66ba991ffd8be

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: algol68,v 1.4 2021/08/15 06:00:55 christos Exp $ # $File: algol68,v 1.6 2022/11/06 18:36:55 christos Exp $
# algol68: file(1) magic for Algol 68 source # algol68: file(1) magic for Algol 68 source
# #
# URL: https://en.wikipedia.org/wiki/ALGOL_68 # URL: https://en.wikipedia.org/wiki/ALGOL_68
@ -9,14 +9,8 @@
0 search/8192 (input, 0 search/8192 (input,
>0 use algol_68 >0 use algol_68
# graph_2d.a68 # graph_2d.a68
0 regex/4006 \^PROC 0 regex/4006 \^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]=
#>&-4 string x \b, dBase or Algol "%s" >0 use algol_68
# most xBase scripts *.prg with PROCEDURE like: Areacode BarCount Def_mens Vendors
#>&-4 string =PROCEDURE \b, dBase PROCEDURE
# skip xBase program scripts *.prg with PROCEDURE keyword
# keyword proc probably followed by white space used to specify algol procedures
>&-4 string !PROCEDURE
>>0 use algol_68
0 regex/1024 \bMODE[\t\ ] 0 regex/1024 \bMODE[\t\ ]
>0 use algol_68 >0 use algol_68
0 regex/1024 \bMODE[\t\ ] 0 regex/1024 \bMODE[\t\ ]

30
magic/Magdir/alpha Normal file
View file

@ -0,0 +1,30 @@
#------------------------------------------------------------------------------
# alpha architecture description
#
0 leshort 0603 COFF format alpha
>22 leshort&030000 !020000 executable
>24 leshort 0410 pure
>24 leshort 0413 paged
>22 leshort&020000 !0 dynamically linked
>16 lelong !0 not stripped
>16 lelong 0 stripped
>22 leshort&030000 020000 shared library
>24 leshort 0407 object
>27 byte x - version %d
>26 byte x .%d
>28 byte x -%d
# Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk>
#
# The actual magic number is just "Core", followed by a 2-byte version
# number; however, treating any file that begins with "Core" as a Digital
# UNIX core dump file may produce too many false hits, so we include one
# byte of the version number as well; DU 5.0 appears only to be up to
# version 2.
#
0 string Core\001 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'
0 string Core\002 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------ #------------------------------------------------------------
# $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $ # $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $
# Various android related magic entries # Various android related magic entries
#------------------------------------------------------------ #------------------------------------------------------------
@ -180,7 +180,9 @@
# In include/androidfw/ResourceTypes.h: # In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
# The strength is increased to avoid misidentifying as Targa image data
0 lelong 0x00080003 Android binary XML 0 lelong 0x00080003 Android binary XML
!:strength +1
# Android cryptfs footer # Android cryptfs footer
# From https://android.googlesource.com/\ # From https://android.googlesource.com/\
@ -207,3 +209,51 @@
>8 string >000 dex section version: %s, >8 string >000 dex section version: %s,
>12 lelong >0 number of dex files: %d, >12 lelong >0 number of dex files: %d,
>16 lelong >0 verifier deps size: %d >16 lelong >0 verifier deps size: %d
# Disassembled DEX files
0 string/t .class\x20
>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali)
!:ext smali
# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm
# Reference: https://android.googlesource.com/platform/frameworks/support/\
# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
# src/main/java/androidx/profileinstaller/ProfileTranscoder.java
# Reference: https://android.googlesource.com/platform/frameworks/support/\
# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\
# src/main/java/androidx/profileinstaller/ProfileVersion.java
0 string pro\x00
>0 regex pro\x000[0-9][0-9]\x00 Android ART profile
!:ext prof
>>4 string 001\x00 \b, version 001 N
>>4 string 005\x00 \b, version 005 O
>>4 string 009\x00 \b, version 009 O MR1
>>4 string 010\x00 \b, version 010 P
>>4 string 015\x00 \b, version 015 S
0 string prm\x00
>0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata
!:ext profm
>>4 string 001\x00 \b, version 001 N
>>4 string 002\x00 \b, version 002
# Android package resource table (ARSC): resources.arsc
# Reference: https://android.googlesource.com/platform/tools/base/\
# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\
# src/main/java/com/google/devrel/gmscore/tools/apk/arsc
# 00: resource table type = 0x0002 (2) + header size = 12 (2)
# 04: chunk size (4, skipped)
# 08: #packages (4)
0 ulelong 0x000c0002 Android package resource table (ARSC)
!:ext arsc
>8 ulelong !1 \b, %d packages
# 12: string pool type = 0x0001 (2) + header size = 28 (2)
# 16: chunk size (4, skipped)
# 20: #strings (4), #styles (4), flags (4)
>12 ulelong 0x001c0001
>>20 ulelong !0 \b, %d string(s)
>>24 ulelong !0 \b, %d style(s)
>>28 ulelong &1 \b, sorted
>>28 ulelong &256 \b, utf8
# extracted APK Signing Block
-16 string APK\x20Sig\x20Block\x2042 APK Signing Block

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: animation,v 1.87 2021/08/24 09:25:11 christos Exp $ # $File: animation,v 1.94 2023/06/16 20:06:50 christos Exp $
# animation: file(1) magic for animation/movie formats # animation: file(1) magic for animation/movie formats
# #
# animation formats # animation formats
@ -18,8 +18,8 @@
>12 string rmra \b multiple URLs >12 string rmra \b multiple URLs
4 string mdat Apple QuickTime movie (unoptimized) 4 string mdat Apple QuickTime movie (unoptimized)
!:mime video/quicktime !:mime video/quicktime
#4 string wide Apple QuickTime movie (unoptimized) 4 string wide Apple QuickTime movie (unoptimized)
#!:mime video/quicktime !:mime video/quicktime
#4 string skip Apple QuickTime movie (modified) #4 string skip Apple QuickTime movie (modified)
#!:mime video/quicktime #!:mime video/quicktime
#4 string free Apple QuickTime movie (modified) #4 string free Apple QuickTime movie (modified)
@ -30,8 +30,6 @@
#!:mime image/x-quicktime #!:mime image/x-quicktime
4 string pckg Apple QuickTime compressed archive 4 string pckg Apple QuickTime compressed archive
!:mime application/x-quicktime-player !:mime application/x-quicktime-player
4 string/W jP JPEG 2000 image
!:mime image/jp2
#### MP4 #### #### MP4 ####
# https://www.ftyps.com/ with local additions # https://www.ftyps.com/ with local additions
@ -39,6 +37,7 @@
4 string ftyp ISO Media 4 string ftyp ISO Media
# https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ # https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/
>8 string XAVC \b, MPEG v4 system, Sony XAVC Codec >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec
!:mime video/mp4
>>96 string x \b, Audio "%.4s" >>96 string x \b, Audio "%.4s"
>>118 beshort x at %dHz >>118 beshort x at %dHz
>>140 string x \b, Video "%.4s" >>140 string x \b, Video "%.4s"
@ -168,6 +167,7 @@
# ?/enc-isoff-generic # ?/enc-isoff-generic
>8 string iso \b, MP4 Base Media >8 string iso \b, MP4 Base Media
!:mime video/mp4 !:mime video/mp4
!:ext mp4
>>11 string m v1 [ISO 14496-12:2003] >>11 string m v1 [ISO 14496-12:2003]
>>11 string 2 v2 [ISO 14496-12:2005] >>11 string 2 v2 [ISO 14496-12:2005]
>>11 string 4 v4 >>11 string 4 v4
@ -937,9 +937,20 @@
0 belong&0xFF5FFF10 0x47400010 0 belong&0xFF5FFF10 0x47400010
>188 byte 0x47 MPEG transport stream data >188 byte 0x47 MPEG transport stream data
!:mime video/MP2T !:mime video/MP2T
!:ext ts
# Blu-ray disc Audio-Video MPEG-2 transport stream
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://en.wikipedia.org/wiki/MPEG_transport_stream
# Note: similar to ISO 13818.1 but with 4 extra bytes per packets
4 belong&0xFF5FFF10 =0x47400010
>196 byte =0x47 BDAV MPEG-2 Transport Stream (M2TS)
!:mime video/MP2T
!:ext m2ts/mts
# DIF digital video file format <mpruett@sgi.com> # DIF digital video file format <mpruett@sgi.com>
0 belong&0xffffff00 0x1f070000 DIF 0 belong&0xffffff00 0x1f070000 DIF
!:mime video/x-dv
>4 byte &0x01 (DVCPRO) movie file >4 byte &0x01 (DVCPRO) movie file
>4 byte ^0x01 (DV) movie file >4 byte ^0x01 (DV) movie file
>3 byte &0x80 (PAL) >3 byte &0x80 (PAL)
@ -1184,3 +1195,12 @@
>30 lelong x \b, height: %d >30 lelong x \b, height: %d
>34 lelong x \b, %d bit >34 lelong x \b, %d bit
>38 lelong x \b, frames: %d >38 lelong x \b, frames: %d
# https://wiki.multimedia.cx/index.php/Duck_IVF
0 string DKIF Duck IVF video file
!:mime video/x-ivf
>4 leshort >0 \b, version %d
>8 string x \b, codec %s
>12 leshort x \b, %d
>14 leshort x \bx%d
>24 lelong >0 \b, %d frames

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: apple,v 1.45 2021/04/26 15:56:00 christos Exp $ # $File: apple,v 1.48 2023/05/01 14:20:21 christos Exp $
# apple: file(1) magic for Apple file formats # apple: file(1) magic for Apple file formats
# #
0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text
@ -11,26 +11,48 @@
0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051600 AppleSingle encoded Macintosh file
0 belong 0x00051607 AppleDouble encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file
# Type: Apple Emulator A2R format
# From: Greg Wildman <greg@apple2.org.za>
# Ref: https://applesaucefdc.com/a2r2-reference/
# Ref: https://applesaucefdc.com/a2r/
0 string A2R
>3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image
>3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image
>3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image
>8 string INFO
>>49 byte 01 \b, 5.25″ SS 40trk
>>49 byte 02 \b, 3.5″ DS 80trk
>>49 byte 03 \b, 5.25″ DS 80trk
>>49 byte 04 \b, 5.25″ DS 40trk
>>49 byte 05 \b, 3.5″ DS 80trk
>>49 byte 06 \b, 8″ DS
>>50 byte 01 \b, write protected
>>51 byte 01 \b, cross track synchronized
>>17 string/T x \b, %.32s
# Type: Apple Emulator WOZ format # Type: Apple Emulator WOZ format
# From: Greg Wildman <greg@apple2.org.za> # From: Greg Wildman <greg@apple2.org.za>
# Ref: https://applesaucefdc.com/woz/reference/ # Ref: https://applesaucefdc.com/woz/reference/
# Ref: https://applesaucefdc.com/woz/reference2/ # Ref: https://applesaucefdc.com/woz/reference2/
# 0 string WOZ
# Note: The following test are mostly identical. I would rather not >3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image
# use a regex to identify the WOZ format number. >3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image
0 string WOZ1
>4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image
>12 string INFO >12 string INFO
>>21 byte 01 \b, 5.25 inch >>21 byte 01 \b, 5.25 inch
>>21 byte 02 \b, 3.5 inch >>21 byte 02 \b, 3.5 inch
>>22 byte 01 \b, write protected >>22 byte 01 \b, write protected
>>23 byte 01 \b, cross track synchronized >>23 byte 01 \b, cross track synchronized
>>25 string/T x \b, %.32s >>25 string/T x \b, %.32s
0 string WOZ2
>4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image # Type: Apple Macintosh Emulator MOOF format
# From: Greg Wildman <greg@apple2.org.za>
# Ref: https://applesaucefdc.com/moof-reference/
0 string MOOF
>4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image
>12 string INFO >12 string INFO
>>21 byte 01 \b, 5.25 inch >>21 byte 01 \b, SSDD GCR (400K)
>>21 byte 02 \b, 3.5 inch >>21 byte 02 \b, DSDD GCR (800K)
>>21 byte 03 \b, DSHD MFM (1.44M)
>>22 byte 01 \b, write protected >>22 byte 01 \b, write protected
>>23 byte 01 \b, cross track synchronized >>23 byte 01 \b, cross track synchronized
>>25 string/T x \b, %.32s >>25 string/T x \b, %.32s
@ -43,29 +65,79 @@
>0x400 string \x00\x00\x03\x00 >0x400 string \x00\x00\x03\x00
>>0x404 byte &0xF0 >>0x404 byte &0xF0
>>>0x405 string x \b, Volume /%s >>>0x405 string x \b, Volume /%s
>>>0x429 leshort x \b, %u Blocks >>>0x429 uleshort x \b, %u Blocks
# ProDOS ordered ? # ProDOS ordered ?
>0xb00 string \x00\x00\x03\x00 >0xb00 string \x00\x00\x03\x00
>>0xb04 byte &0xF0 >>0xb04 byte &0xF0
>>>0xb05 string x \b, Volume /%s >>>0xb05 string x \b, Volume /%s
>>>0xb29 leshort x \b, %u Blocks >>>0xb29 uleshort x \b, %u Blocks
# #
# DOS3.3 boot loader? # Proboot HD
0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B 0 string \x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C Apple ProDOS ProBoot Image
>0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image >0x400 string \x00\x00\x03\x00
>>0x11006 byte x \b, Volume %u >>0x404 byte &0xF0
>>0x11034 byte x \b, %u Tracks >>>0x405 string x \b, Volume /%s
>>0x11035 byte x \b, %u Sectors >>>0x429 uleshort x \b, %u Blocks
>>0x11036 leshort x \b, %u bytes per sector >0xb00 string \x00\x00\x03\x00
# DOS3.2 ? >>0xb04 byte &0xF0
>0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image >>>0xb05 string x \b, Volume /%s
>>0x11006 byte x \b, Volume %u >>>0xb29 uleshort x \b, %u Blocks
>>0x11034 byte x \b, %u Tracks 0 string \x01\xA8\x8A\x20\x7B\xF8\x29\x07\x09\xC0\x99\x30 Apple ProDOS ProBoot Image
>>0x11035 byte x \b, %u Sectors >0x400 string \x00\x00\x03\x00
>>0x11036 leshort x \b, %u bytes per sector >>0x404 byte &0xF0
# DOS3.1 ? >>>0x405 string x \b, Volume /%s
>0x11001 string \x11\x0C\x01 >>>0x429 uleshort x \b, %u Blocks
>>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image >0xb00 string \x00\x00\x03\x00
>>0xb04 byte &0xF0
>>>0xb05 string x \b, Volume /%s
>>>0xb29 uleshort x \b, %u Blocks
0 string \x01\x4A\xD0\x34\xE6\x3D\x8A\x20\x7B\xF8\x09\xC0 Apple ProDOS ProBoot Image
>0x400 string \x00\x00\x03\x00
>>0x404 byte &0xF0
>>>0x405 string x \b, Volume /%s
>>>0x429 uleshort x \b, %u Blocks
>0xb00 string \x00\x00\x03\x00
>>0xb04 byte &0xF0
>>>0xb05 string x \b, Volume /%s
>>>0xb29 uleshort x \b, %u Blocks
#
# ProDOS formatted
0 string \x01\xBD\x88\xC0\x20\x2F\xFB\x20\x58\xFC\x20\x40 Apple ProDOS Unbootable Image
>0x400 string \x00\x00\x03\x00
>>0x404 byte &0xF0
>>>0x405 string x \b, Volume /%s
>>>0x429 uleshort x \b, %u Blocks
>0xb00 string \x00\x00\x03\x00
>>0xb04 byte &0xF0
>>>0xb05 string x \b, Volume /%s
>>>0xb29 uleshort x \b, %u Blocks
0 string \x01\x38\xB0\x03\x4C\x1C\x09\x78\x86\x43\xC9\x03 Apple ProDOS Unbootable Image
>0x400 string \x00\x00\x03\x00
>>0x404 byte &0xF0
>>>0x405 string x \b, Volume /%s
>>>0x429 uleshort x \b, %u Blocks
>0xb00 string \x00\x00\x03\x00
>>0xb04 byte &0xF0
>>>0xb05 string x \b, Volume /%s
>>>0xb29 uleshort x \b, %u Blocks
#
# DOS3 boot loader
0 string \x01\xA5\x27\xC9\x09\xD0
>0x11001 byte 0x11
>>0x11003 ubyte x Apple DOS 3.%u Image
>>0x11006 ubyte x \b, Volume #%03u
>>0x11034 ubyte x \b, %u Tracks
>>0x11035 ubyte x \b, %u Sectors
>>0x11036 uleshort x \b, %u bytes per sector
#
# DOS3 uninitialized disk
0 string \x01\xA6\x2B\xBD\x88\xC0\x8A\x4A\x4A
>0x11001 byte 0x11
>>0x11003 ubyte x Apple DOS 3.%u Unbootable Image
>>>0x11006 ubyte x \b, Volume #%03u
>>>0x11034 ubyte x \b, %u Tracks
>>>0x11035 ubyte x \b, %u Sectors
>>>0x11036 uleshort x \b, %u bytes per sector
# #
# Pascal boot loader? # Pascal boot loader?
0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD 0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD
@ -112,9 +184,70 @@
>>0x440 string \x00\x00\x03\x00 >>0x440 string \x00\x00\x03\x00
>>>0x444 byte &0xF0 >>>0x444 byte &0xF0
>>>>0x445 string x \b, Volume /%s >>>>0x445 string x \b, Volume /%s
>>>>0x469 leshort x \b, %u Blocks >>>>0x469 uleshort x \b, %u Blocks
>0xc byte 02 \b, NIB data >0xc byte 02 \b, NIB data
# Type: Peter Ferrie QBoot
# From: Greg Wildman <greg@apple2.org.za>
# Ref: https://github.com/peterferrie/qboot
0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9
>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image
# Type: Peter Ferrie 0Boot
# From: Greg Wildman <greg@apple2.org.za>
# Ref: https://github.com/peterferrie/0boot
0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9
>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image
# Different proprietary boot sectors
0 string \x01\x0F\x21\x74\x00\x01\x6B\x00\x02\x30\x81\x5D Apple ][ Disk Image
0 string \x01\x20\x58\xFC\xA2\x00\x8E\x78\x04\x8E\xF4\x03 Apple ][ Disk Image
0 string \x01\x20\x58\xFC\xAD\x51\xC0\xAD\x54\xC0\xA6\x2B Apple ][ Disk Image
0 string \x01\x20\x89\xFE\x20\x93\xFE\xA6\x2B\xBD\x88\xC0 Apple ][ Disk Image
0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x25\x08\x68\x85 Apple ][ Disk Image
0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x2D\x08\x68\x85 Apple ][ Disk Image
0 string \x01\x38\x90\x2A\xC9\x01\xF0\x33\xA8\xC8\xC0\x10 Apple ][ Disk Image
0 string \x01\x38\xB0\x03\x4C\x32\xA1\x87\x43\xC9\x03\x08 Apple ][ Disk Image
0 string \x01\x4C\x04\x08\xA9\x2A\x8D\x02\x08\x86\x2B\xEE Apple ][ Disk Image
0 string \x01\x4C\x60\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image
0 string \x01\x4C\x92\x08\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image
0 string \x01\x4C\xB3\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image
0 string \x01\x8D\xFB\x03\x8E\xFC\x03\x8C\xFD\x03\x8A\x29 Apple ][ Disk Image
0 string \x01\xA2\xFF\x9A\xD8\x20\x20\x08\x20\x34\x08\xAD Apple ][ Disk Image
0 string \x01\xA5\x27\xBD\x88\xC0\x2C\x10\xC0\xA2\x00\xA9 Apple ][ Disk Image
0 string \x01\xA5\x2B\xAE\x51\xC0\xEA\xAA\xBD\x88\xC0\x20 Apple ][ Disk Image
0 string \x01\xA6\x27\xBD\x0B\x08\x48\xBD\x0A\x08\x48\x85 Apple ][ Disk Image
0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x01\x85 Apple ][ Disk Image
0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x25\x85 Apple ][ Disk Image
0 string \x01\xA8\xC0\x0F\x90\x16\xF0\x12\xA0\xFF\x18\xAD Apple ][ Disk Image
0 string \x01\xA9\x00\x85\xF0\xA9\x04\x85\xF1\xA0\x00\xA9 Apple ][ Disk Image
0 string \x01\xA9\x5C\x8D\xF2\x03\xA9\xC6\x8D\xF3\x03\x49 Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\x20\x2F\xFB\x20\x58\xFC Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\x20\x49\x08\xA9\x0A\x85 Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\x2C\x82\xC0\xBD\x88\xC0 Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\x86\x43\x8A\x4A\x4A\x4A Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\x86\xFF\xB5\x00 Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\xA9\xB2\x8D\xF2\x03\xA9 Apple ][ Disk Image
0 string \x01\xA9\x60\x8D\x01\x08\xA9\xFF\x8D\xF3\x03\x8D Apple ][ Disk Image
0 string \x01\xAC\x00\x08\xF0\x19\xB9\x30\x08\x85\x3D\xCE Apple ][ Disk Image
0 string \x01\xAC\x23\x08\x30\x2E\xB9\x24\x08\x85\x3D\xCE Apple ][ Disk Image
0 string \x01\xAD\x00\x08\xC9\x09\xB0\x20\x69\x02\x8D\x00 Apple ][ Disk Image
0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\x86\x2B\x8A\x4A Apple ][ Disk Image
0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\xA9\xF5\x8D\xF2 Apple ][ Disk Image
0 string \x01\xB0\x00\xA9\x3F\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image
0 string \x01\xB0\x00\xA9\x48\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image
0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x09\xC0\x8D Apple ][ Disk Image
0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x8D\x2F\x08 Apple ][ Disk Image
0 string \x01\xD8\x2C\x81\xC0\xA9\x60\x4D\x58\xFF\xD0\xFE Apple ][ Disk Image
0 string \x01\xD8\x78\xBD\x88\xC0\xA9\xFD\x85\x37\x85\x39 Apple ][ Disk Image
0 string \x01\xE0\x60\xF0\x03\x4C\x16\x09\xAD\x00\x08\xC9 Apple ][ Disk Image
0 string \x01\xE0\x60\xF0\x03\x4C\xCB\x08\xAD\x00\x08\xC9 Apple ][ Disk Image
0 string \x01\xE0\x60\xF0\x03\x4C\xEE\x08\xAD\x00\x08\xC9 Apple ][ Disk Image
0 string \x01\xE0\x60\xF0\x03\x4C\xEF\x08\xAD\x00\x08\xC9 Apple ][ Disk Image
0 string \x01\xE0\x70\xB0\x04\xE0\x40\xB0\x39\xBD\x88\xC0 Apple ][ Disk Image
0 string \x01\xEA\x8D\xF4\x03\xA9\x60\x9D\x88\xC0\x8D\x51 Apple ][ Disk Image
# magic for Newton PDA package formats # magic for Newton PDA package formats
# from Ruda Moura <ruda@helllabs.org> # from Ruda Moura <ruda@helllabs.org>
0 string package0 Newton package, NOS 1.x, 0 string package0 Newton package, NOS 1.x,
@ -291,7 +424,13 @@
#>0x410 string disk\ image UDIF read/write image (UDRW) #>0x410 string disk\ image UDIF read/write image (UDRW)
# From: Toby Peterson <toby@apple.com> # From: Toby Peterson <toby@apple.com>
# From https://www.nationalarchives.gov.uk/pronom/fmt/866
0 string bplist00
>8 search/500 WebMainResource Apple Safari Webarchive
!:mime application/x-webarchive
!:strength +50
0 string bplist00 Apple binary property list 0 string bplist00 Apple binary property list
!:mime application/x-bplist
# Apple binary property list (bplist) # Apple binary property list (bplist)
# Assumes version bytes are hex. # Assumes version bytes are hex.
@ -491,9 +630,107 @@
# Usually not in separate files, but have either filename rsrc with # Usually not in separate files, but have either filename rsrc with
# no extension, or a filename corresponding to another file, with # no extension, or a filename corresponding to another file, with
# extensions rsr/rsrc # extensions rsr/rsrc
# URL: http://fileformats.archiveteam.org/wiki/Macintosh_resource_file
# https://en.wikipedia.org/wiki/Resource_fork
# Reference: https://github.com/kreativekorp/ksfl/wiki/Macintosh-Resource-File-Format
# http://developer.apple.com/legacy/mac/library/documentation/mac/pdf/MoreMacintoshToolbox.pdf
# https://formats.kaitai.io/resource_fork/
# Update: Joerg Jenderek
# Note: verified often by command like `deark -m macrsrc Icon_.rsrc`
# offset of resource data; usually starts at offset 0x0100
0 string \000\000\001\000 0 string \000\000\001\000
>4 leshort 0 # skip NPETraceSession.etl with invalid "low" map offset 0
>>16 lelong 0 Apple HFS/HFS+ resource fork >4 ubelong >0xFF
# skip few Atari DEGAS Elite bitmap (eil2.pi1 nastro.pi1) with ivalid "high" 0x6550766 0x7510763 map length
>>12 ubelong <0x8001
# most examples with zeroed system reserved field
>>>16 lelong =0
>>>>0 use apple-rsr
# few samples with not zeroed system reserved field like: Empty.rsrc.rsr OpenSans-CondBold.dfont
>>>16 lelong !0
# resource fork variant with not zeroed system reserved field and copy of header
>>>>(4.L) ubelong 0x100
# GRR: the line above only works if in ../../src/file.h FILE_BYTES_MAX is raised from 1 MiB above 0x6ab0f4 (HelveticaNeue.dfont)
>>>>>0 use apple-rsr
# data fork variant with not zeroed system reserved field and no copy of header
>>>>(4.L) ubelong 0
>>>>>0 use apple-rsr
# Note: moved and merged from ./macintosh
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
# URL: https://en.wikipedia.org/wiki/Datafork_TrueType
# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is
# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I
# don't know what they mean.
# display information about Mac OSX datafork font DFONT
0 name apple-dfont
>(4.L+30) ubelong x Mac OSX datafork font,
# https://en.wikipedia.org/wiki/Datafork_TrueType
!:mime application/x-dfont
!:ext dfont
# https://exiftool.org/TagNames/RSRC.html
>(4.L+30) ubelong 0x73666e74 TrueType
>(4.L+30) ubelong 0x464f4e54 'FONT'
>(4.L+30) ubelong 0x4e464e54 'NFNT'
>(4.L+30) ubelong 0x504f5354 PostScript
>(4.L+30) ubelong 0x464f4e44 'FOND'
>(4.L+30) ubelong 0x76657273 'vers'
# display information about Macintosh resource
0 name apple-rsr
>(4.L+30) ubelong 0x73666e74
>>0 use apple-dfont
>(4.L+30) ubelong 0x464f4e54
>>0 use apple-dfont
>(4.L+30) ubelong 0x4e464e54
>>0 use apple-dfont
>(4.L+30) ubelong 0x504f5354
>>0 use apple-dfont
>(4.L+30) ubelong 0x464f4e44
>>0 use apple-dfont
>(4.L+30) ubelong 0x76657273
>>0 use apple-dfont
>(4.L+30) default x Apple HFS/HFS+ resource fork
#!:mime application/octet-stream
!:mime application/x-apple-rsr
!:ext rsrc/rsr
# offset to resource data; usually starts at offset 0x0100
>0 ubelong !0x100 \b, data offset %#x
# offset to resource map; positive but not nil like in NPETraceSession.etl
>4 ubelong x \b, map offset %#x
# length of resource map; positive with 32K limitation but not
# nil like in NPETraceSession.etl or high like 0x7510763 in nastro.pi1
>12 ubelong x \b, map length %#x
# length of resource data; positive but not nil like in NPETraceSession.etl
>8 ubelong x \b, data length %#x
# reserved 112 bytes for system use; apparently often nil, but 8fd20000h in Empty.rsrc.rsr and 0x00768c2b in OpenSans-CondBold.dfont
>16 ubelong !0 \b, at 16 %#8.8x
# https://fontforge.org/docs/techref/macformats.html
# jump to resource map
# a copy of resource header or 16 bytes of zeros for data fork
#>(4.L) ubelong x \b, DATA offset %#x
#>(4.L+4) ubelong x \b, MAP offset %#x
#>(4.L+8) ubelong x \b, DATA length %#x
#>(4.L+12) ubelong x \b, MAP length %#x
# nextResourceMap; handle to next resource map; used by the Resource Manager for internal bookkeeping; should be zero
>(4.L+16) ubelong !0 \b, nextResourceMap %#x
# fileRef; file reference number; used by the Resource Manager for internal bookkeeping; should be zero
>(4.L+20) ubeshort !0 \b, fileRef %#x
# attributes; Resource fork attributes (80h~read-only 40h~compression needed 20h~changed); other bits are reserved and should be zero
>(4.L+22) ubeshort !0 \b, attributes %#x
# typeListOffset; offset from resource map to start of type list like: 1Ch
>(4.L+24) ubeshort x \b, list offset %#x
# nameListOffset; offset from esource map to start of name list like: 32h 46h 56h (XLISP.RSR XLISPTIN.RSR) 13Eh (HelveticaNeue.dfont)
>(4.L+26) ubeshort x \b, name offset %#x
# typeCount; number of types in the map minus 1; If there are no resources, this is 0xFFFF
>(4.L+28) beshort+1 >0 \b, %u type
# plural s
>>(4.L+28) beshort+1 >1 \bs
# resource type list array; 1st resource type like: ALRT CODE FOND MPSR icns scsz
>>(4.L+30) ubelong x \b, %#x
>>(4.L+30) string x '%-.4s'
# resourceCount; number of this type resources minus one. If there is one resource of this type, this is 0x0000
>>(4.L+34) beshort+1 x * %d
# resourceListOffset; offset from type list to resource list like: Ah 12h DAh
>(4.L+36) ubeshort x resource offset %#x
#https://en.wikipedia.org/wiki/AppleScript #https://en.wikipedia.org/wiki/AppleScript
0 string FasdUAS AppleScript compiled 0 string FasdUAS AppleScript compiled

File diff suppressed because it is too large Load diff

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: arm,v 1.2 2021/07/14 17:40:31 christos Exp $ # $File: arm,v 1.3 2022/10/31 14:35:39 christos Exp $
# arm: file(1) magic for ARM COFF # arm: file(1) magic for ARM COFF
# #
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format # https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
@ -39,3 +39,12 @@
# display name+variables+flags for common object formatted files # display name+variables+flags for common object formatted files
>>0 use display-coff >>0 use display-coff
!:strength -10 !:strength -10
# ARM64EC
0 leshort 0xa641
# test for unused flag bits in f_flags
>18 uleshort&0x8E80 0
# use little endian variant of subroutine to
# display name+variables+flags for common object formatted files
>>0 use display-coff
!:strength -10

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: asf,v 1.2 2021/04/26 15:56:00 christos Exp $ # $File: asf,v 1.4 2022/10/31 13:22:26 christos Exp $
# asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files
# http://www.staroceans.org/e-book/ASF_Specification.pdf # http://www.staroceans.org/e-book/ASF_Specification.pdf
@ -21,7 +21,7 @@
# ASF_Stream_Properties_Object # ASF_Stream_Properties_Object
>0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365
#>>56 lequad x Time Offset %lld #>>56 lequad x Time Offset %lld
#>>64 lelong x Type-Specicic Data Length %d #>>64 lelong x Type-Specific Data Length %d
#>>68 lelong x Error Correction Data Length %d #>>68 lelong x Error Correction Data Length %d
#>>72 leshort x Flags %#x #>>72 leshort x Flags %#x
#>>74 lelong x Reserved %x #>>74 lelong x Reserved %x
@ -88,7 +88,7 @@
>0 guid 26F18B5D-4584-47EC-9F5F-0E651F0452C9 ASF_Compatibility_Object >0 guid 26F18B5D-4584-47EC-9F5F-0E651F0452C9 ASF_Compatibility_Object
>0 guid 43058533-6981-49E6-9B74-AD12CB86D58C ASF_Advanced_Content_Encryption_Object >0 guid 43058533-6981-49E6-9B74-AD12CB86D58C ASF_Advanced_Content_Encryption_Object
>0 guid 59DACFC0-59E6-11D0-A3AC-00A0C90348F6 ASF_Command_Media >0 guid 59DACFC0-59E6-11D0-A3AC-00A0C90348F6 ASF_Command_Media
>0 guid B61BE100-5B4E-11CF-A8FD-00805F5C44 ASF_JFIF_Media >0 guid B61BE100-5B4E-11CF-A8FD-00805F5C442B ASF_JFIF_Media
>0 guid 35907DE0-E415-11CF-A917-00805F5C442B ASF_Degradable_JPEG_Media >0 guid 35907DE0-E415-11CF-A917-00805F5C442B ASF_Degradable_JPEG_Media
>0 guid 91BD222C-F21C-497A-8B6D-5AA86BFC0185 ASF_File_Transfer_Media >0 guid 91BD222C-F21C-497A-8B6D-5AA86BFC0185 ASF_File_Transfer_Media
>0 guid 3AFB65E2-47EF-40F2-AC2C-70A90D71D343 ASF_Binary_Media >0 guid 3AFB65E2-47EF-40F2-AC2C-70A90D71D343 ASF_Binary_Media

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: audio,v 1.121 2021/04/26 15:56:00 christos Exp $ # $File: audio,v 1.127 2023/03/05 20:15:49 christos Exp $
# audio: file(1) magic for sound formats (see also "iff") # audio: file(1) magic for sound formats (see also "iff")
# #
# Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com),
@ -183,42 +183,57 @@
21 string BMOD2STM Screamtracker 2 module sound data 21 string BMOD2STM Screamtracker 2 module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-screamtracker-module #audio/x-screamtracker-module
1080 string \!PM! 4-channel Protracker module sound data
!:mime audio/x-mod
#audio/x-protracker-module
>0 string >\0 Title: "%s"
1080 string M.K. 4-channel Protracker module sound data 1080 string M.K. 4-channel Protracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-protracker-module #audio/x-protracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string M!K! 4-channel Protracker module sound data 1080 string M!K! 4-channel Protracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-protracker-module #audio/x-protracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string FLT4 4-channel Startracker module sound data 1080 string FLT4 4-channel Startracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-startracker-module #audio/x-startracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string FLT8 8-channel Startracker module sound data 1080 string FLT8 8-channel Startracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-startracker-module #audio/x-startracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string 4CHN 4-channel Fasttracker module sound data 1080 string 4CHN 4-channel Fasttracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-fasttracker-module #audio/x-fasttracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string 6CHN 6-channel Fasttracker module sound data 1080 string 6CHN 6-channel Fasttracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-fasttracker-module #audio/x-fasttracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string 8CHN 8-channel Fasttracker module sound data 1080 string 8CHN 8-channel Fasttracker module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-fasttracker-module #audio/x-fasttracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string CD81 8-channel Octalyser module sound data 1080 string CD81 8-channel Octalyser module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-octalysertracker-module #audio/x-octalysertracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
1080 string OKTA 8-channel Octalyzer module sound data 1080 string OKTA 8-channel Octalyzer module sound data
!:mime audio/x-mod !:mime audio/x-mod
#audio/x-octalysertracker-module #audio/x-octalysertracker-module
>0 string >\0 Title: "%s" >0 string >\0 Title: "%s"
# Not good enough. # Not good enough.
#1082 string CH #1082 string CH
#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data
@ -403,10 +418,26 @@
0 string THX AHX version 0 string THX AHX version
>3 byte =0 1 module data >3 byte =0 1 module data
>3 byte =1 2 module data >3 byte =1 2 module data
>10 byte x TRL: %u >11 ubyte x TRK: %u
>11 byte x TRK: %u >10 ubyte x TRL: %u
>12 byte x SMP: %u >12 ubyte x SMP: %u
>13 byte x SS: %u >13 ubyte x SS: %u
>(4.H) string x Title: "%.128s"
# header is mostly AHX format
0 string HVL
>3 byte <2 Hively Tracker Song
>3 byte =0 v1 module data
>3 byte =1 v2 module data
>11 ubyte x TRK: %u
>10 ubyte x TRL: %u
>12 ubyte x SMP: %u
>13 ubyte x SS: %u
>8 ubyte/4 =0 CHN: 4
>8 ubyte/4 >0 CHN: 4+%u
#>-0 offset <0xffff
>(4.H) string x Title: "%.128s"
# #
0 string OKTASONG Oktalyzer module data 0 string OKTASONG Oktalyzer module data
# #
@ -548,15 +579,13 @@
# From: Alex Myczko <alex@aiei.ch> # From: Alex Myczko <alex@aiei.ch>
# https://github.com/rerrahkr/BambooTracker # https://github.com/rerrahkr/BambooTracker
0 string BambooTrackerMod BambooTracker module 0 string BambooTracker BambooTracker
>22 byte x \b, version %u >13 string Mod Module
>21 byte x \b.%u >13 string Ist Instrument
>20 byte x \b.%u >13 string Bnk Bank
>22 byte x \b, version %u
0 string BambooTrackerIst BambooTracker instrument >21 byte x \b.%u
>22 byte x \b, version %u >20 byte x \b.%u
>21 byte x \b.%u
>20 byte x \b.%u
0 string CC2x CheeseCutter 2 song 0 string CC2x CheeseCutter 2 song
@ -894,11 +923,6 @@
>0x3 byte&0x0F x \b%02d >0x3 byte&0x0F x \b%02d
>>0x4 string >\0 title: "%s" >>0x4 string >\0 title: "%s"
0 string HVL
>3 byte <2 Hively Tracker Song
>3 byte 0 1 module data
>3 byte 1 2 module data
0 string MO3 0 string MO3
>3 ubyte <6 MOdule with MP3 >3 ubyte <6 MOdule with MP3
>>3 byte 0 Version 0 (With MP3 and lossless) >>3 byte 0 Version 0 (With MP3 and lossless)
@ -1136,3 +1160,132 @@
>>0 use nintendo-3ds-bcwav-fields >>0 use nintendo-3ds-bcwav-fields
>4 beshort 0xFEFF >4 beshort 0xFEFF
>>0 use \^nintendo-3ds-bcwav-fields >>0 use \^nintendo-3ds-bcwav-fields
# Philips DSDIFF audio format (Direct Stream Digital Interchange File Format)
# Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations
# https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf
# From: Toni Ruottu <toni.ruottu@iki.fi>
0 string FRM8
12 string DSD\x20 DSDIFF audio bitstream data
!:mime audio/x-dff
!:ext dff
# format version chunk
>&0 string FVER
# version 1
>>&8 byte 1
# v1 / sampling resolution ( 1 bit PDM only )
>>>&0 string x \b, 1 bit
# v1 / sound property chunk
>>>&0 search/0xff PROP
>>>>&8 string SND
# v1 / sound property chunk / channel configuration chunk
>>>>>&0 search/0xff CHNL
>>>>>>&8 ubeshort 1 \b, mono
>>>>>>&8 ubeshort 2
>>>>>>>&0 string SLFTSRGT \b, stereo
>>>>>>>&0 default x \b, 2 channels
>>>>>>&8 ubeshort 3
>>>>>>>&0 string SLFTSRGTLFE\x20 \b, 2.1 stereo
>>>>>>>&0 string SLFTSRGTC\x20\x20\x20 \b, 3.0 stereo
>>>>>>>&0 default x \b, 3 channels
>>>>>>&8 ubeshort 4
>>>>>>>&0 string MLFTMRGTLS\x20\x20RS\x20\x20 \b, 4.0 surround
>>>>>>>&0 string SLFTSRGTC\x20\x20\x20LFE\x20 \b, 3.1 stereo
>>>>>>>&0 default x \b, 4 channels
>>>>>>&8 ubeshort 5
>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LS\x20\x20RS\x20\x20 \b, 5.0 surround
>>>>>>>&0 string MLFTMRGTLFE\x20LS\x20\x20RS\x20\x20 \b, 4.1 surround
>>>>>>>&0 default x \b, 5 channels
>>>>>>&8 ubeshort 6
>>>>>>>&0 string MLFTMRGTC\x20\x20\x20LFE\x20LS\x20\x20RS\x20\x20 \b, 5.1 surround
>>>>>>>&0 default x \b, 6 channels
>>>>>>&8 ubeshort >6 \b, %u channels
# v1 / sound property chunk / sample rate chunk
>>>>>&0 search/0xff FS\x20\x20
>>>>>>&0 string x \b,
>>>>>>&8 ubelong%44100 0
>>>>>>>&-4 ubelong/44100 x "DSD %u"
>>>>>>>&-4 ubelong x %u Hz
# v1 / sound property chunk / compression type chunk
>>>>>&0 search/0xff CMPR
>>>>>>&8 string DSD\x20 \b, no compression
>>>>>>&8 string DST\x20 \b, DST compression
>>>>>>&8 default x \b, unknown compression
# v1 / quest for metadata
>>>&0 string x
# v1 / quest for metadata / edited master information chunk
>>>>&0 search DIIN
>>>>>&0 ubequad >0 \b, "edited master" metadata
# v1 / quest for metadata / ID3 chunk ( defacto standard )
>>>>&0 search ID3\x20
>>>>>&8 string ID3 \b, ID3 version 2
>>>>>&0 byte x \b.%u
>>>>>&1 byte x \b.%u
# v1 / quest for metadata / failure ( possibly due to -P bytes=... being too low )
>>>>&0 default x \b, ID3 missing (or unreachable)
# version > 1 or 0
>>&0 default x \b, unknown version
# Sony DSF audio format (Direct Stream Digital Stream File)
# Used for lossless digital storage of songs produced as DSD audio
# Portable analog of a track stored on a Super Audio CD (SACD)
# https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf
# From: Toni Ruottu <toni.ruottu@iki.fi>
0 string DSD\x20 DSF audio bitstream data
!:mime audio/x-dsf
!:ext dsf
# format chunk
>28 string fmt\x20
# version 1
>>&8 ulelong 1
# v1 / sampling resolution ( 1 bit PDM only )
# NOTE: the spec incorrectly uses "bits per sample" instead of "bits per byte"
>>>&0 string x \b, 1 bit
# v1 / channel configuration
>>>>&4 ulelong 1 \b, mono
>>>>&4 ulelong 2 \b, stereo
>>>>&4 ulelong 3 \b, 3.0 stereo
>>>>&4 ulelong 4 \b, 4.0 surround
>>>>&4 ulelong 5 \b, 3.1 stereo
>>>>&4 ulelong 6 \b, 5.0 surround
>>>>&4 ulelong 7 \b, 5.1 surround
>>>>&0 default x
>>>>>&4 ulelong x \b, %u channels
# v1 / sample rate chunk
>>>>&0 string x \b,
>>>>&12 ulelong%44100 0
>>>>>&-4 ulelong/44100 x "DSD %u"
>>>>&12 ulelong x %u Hz
# v1 / compression
>>>>&0 string x
>>>>>&0 ulelong 0 \b, no compression
>>>>>&0 default x \b, unknown compression
# v1 / embedded ID3v2 metadata
>>>0 string x \b, ID3
>>>>20 ulequad !0
>>>>>(20.q) string ID3 version 2
>>>>>>&0 byte x \b.%u
>>>>>>&1 byte x \b.%u
# unable to verify ID3 ( possibly due to -P bytes=... being too low )
>>>>>&0 default x unreachable
>>>>&0 default x missing
# version > 1 or 0
>>&0 default x \b, unknown version

View file

@ -1,13 +1,24 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $ # $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $
# blender: file(1) magic for Blender 3D related files # blender: file(1) magic for Blender 3D related files
# #
# Native format rule v1.2. For questions use the developers list # Native format rule v1.2. For questions use the developers list
# https://lists.blender.org/mailman/listinfo/bf-committers # https://lists.blender.org/mailman/listinfo/bf-committers
# GLOB chunk was moved near start and provides subversion info since 2.42 # GLOB chunk was moved near start and provides subversion info since 2.42
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/BLEND
# http://www.blender.org/
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/blend.trid.xml
# http://formats.kaitai.io/blender_blend/index.html
# Note: called "Blender 3D data" by TrID
# and gzip compressed variant handled by ./compress
0 string =BLENDER Blender3D, 0 string =BLENDER Blender3D,
#!:mime application/octet-stream
!:mime application/x-blender
!:ext blend
# no sample found with extension blender
#!:ext blend/blender
>7 string =_ saved as 32-bits >7 string =_ saved as 32-bits
>>8 string =v little endian >>8 string =v little endian
>>>9 byte x with version %c. >>>9 byte x with version %c.

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------ #------------------------------------------------------------
# $File: bytecode,v 1.2 2021/06/30 11:57:32 christos Exp $ # $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $
# magic for various bytecodes # magic for various bytecodes
# From: Mikhail Gusarov <dottedmag@dottedmag.net> # From: Mikhail Gusarov <dottedmag@dottedmag.net>
@ -27,4 +27,15 @@
>8 string BE \b, big endian >8 string BE \b, big endian
>11 string 4 \b, 32bit >11 string 4 \b, 32bit
>11 string 8 \b, 64bit >11 string 8 \b, 64bit
>13 regex .\.. \b, bytecode v%s >13 regex .\\.. \b, bytecode v%s
# Racket file magic
# From: Haelwenn (lanodan) Monnier <contact+libmagic@hacktivis.me>
# https://racket-lang.org/
# https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt
0 string #~
>&0 pstring x
>>&0 pstring racket
>>>0 string #~ Racket bytecode
>>>>&0 pstring x (version %s)

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: c-lang,v 1.30 2021/08/16 10:17:05 christos Exp $ # $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $
# c-lang: file(1) magic for C and related languages programs # c-lang: file(1) magic for C and related languages programs
# #
# The strength is to beat standard HTML # The strength is to beat standard HTML
@ -17,7 +17,7 @@
>>0 regex \^class[[:space:]]+ >>0 regex \^class[[:space:]]+
>>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++
>>&0 clear x source text >>&0 clear x source text
!:strength + 13 !:strength + 15
!:mime text/x-c !:mime text/x-c
0 search/8192 pragma 0 search/8192 pragma
>0 regex \^#[[:space:]]*pragma C source text >0 regex \^#[[:space:]]*pragma C source text
@ -88,13 +88,13 @@
!:strength + 30 !:strength + 30
!:mime text/x-c++ !:mime text/x-c++
0 search/8192 protected 0 search/8192 protected
>0 regex \^[[:space:]]*protected: C++ source text >0 regex \^[[:space:]]*protected: C++ source text
!:strength + 30 !:strength + 30
!:mime text/x-c++ !:mime text/x-c++
# Objective-C # Objective-C
0 search/8192 #import 0 search/8192 #import
>0 regex \^#import Objective-C source text >0 regex \^#import[[:space:]]+["<] Objective-C source text
!:strength + 25 !:strength + 25
!:mime text/x-objective-c !:mime text/x-objective-c

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: c64,v 1.9 2021/04/26 15:56:00 christos Exp $ # $File: c64,v 1.14 2023/06/16 19:24:06 christos Exp $
# c64: file(1) magic for various commodore 64 related files # c64: file(1) magic for various commodore 64 related files
# #
# From: Dirk Jagdmann <doj@cubic.org> # From: Dirk Jagdmann <doj@cubic.org>
@ -8,9 +8,146 @@
0x16500 belong 0x12014100 D64 Image 0x16500 belong 0x12014100 D64 Image
0x16500 belong 0x12014180 D71 Image 0x16500 belong 0x12014180 D71 Image
0x61800 belong 0x28034400 D81 Image 0x61800 belong 0x28034400 D81 Image
0 string C64\40CARTRIDGE CCS C64 Emultar Cartridge Image
0 belong 0x43154164 X64 Image 0 belong 0x43154164 X64 Image
# C64 (and other CBM) cartridges
# Extended by David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://vice-emu.sourceforge.io/vice_17.html#SEC391
0 string C64\40CARTRIDGE Commodore 64 cartridge
>0x20 ubyte 0 \b,
>0x20 ubyte !0
>>0x20 string/T x \b: "%.32s",
>0x16 beshort 0
>>0x18 beshort 0x0000 16 KB game
>>0x18 beshort 0x0001 8 KB game
>>0x18 beshort 0x0100 UltiMax mode
>>0x18 beshort 0x0101 RAM/disabled
>0x16 beshort 1 Action Replay
>0x16 beshort 2 KCS Power Cartridge
>0x16 beshort 3 Final Cartridge III
>0x16 beshort 4 Simons' BASIC
>0x16 beshort 5 Ocean type 1
>0x16 beshort 6 Expert Cartridge
>0x16 beshort 7 Fun Play, Power Play
>0x16 beshort 8 Super Games
>0x16 beshort 9 Atomic Power
>0x16 beshort 10 Epyx Fastload
>0x16 beshort 11 Westermann Learning
>0x16 beshort 12 Rex Utility
>0x16 beshort 13 Final Cartridge I
>0x16 beshort 14 Magic Formel
>0x16 beshort 15 C64 Game System, System 3
>0x16 beshort 16 Warp Speed
>0x16 beshort 17 Dinamic
>0x16 beshort 18 Zaxxon / Super Zaxxon (Sega)
>0x16 beshort 19 Magic Desk, Domark, HES Australia
>0x16 beshort 20 Super Snapshot V5
>0x16 beshort 21 Comal-80
>0x16 beshort 22 Structured BASIC
>0x16 beshort 23 Ross
>0x16 beshort 24 Dela EP64
>0x16 beshort 25 Dela EP7x8
>0x16 beshort 26 Dela EP256
>0x16 beshort 27 Rex EP256
>0x16 beshort 28 Mikro Assembler
>0x16 beshort 29 Final Cartridge Plus
>0x16 beshort 30 Action Replay 4
>0x16 beshort 31 Stardos
>0x16 beshort 32 EasyFlash
>0x16 beshort 33 EasyFlash Xbank
>0x16 beshort 34 Capture
>0x16 beshort 35 Action Replay 3
>0x16 beshort 36
>>0x1A ubyte 1 Nordic Replay
>>0x1A ubyte !1 Retro Replay
>0x16 beshort 37 MMC64
>0x16 beshort 38 MMC Replay
>0x16 beshort 39 IDE64
>0x16 beshort 40 Super Snapshot V4
>0x16 beshort 41 IEEE-488
>0x16 beshort 42 Game Killer
>0x16 beshort 43 Prophet64
>0x16 beshort 44 EXOS
>0x16 beshort 45 Freeze Frame
>0x16 beshort 46 Freeze Machine
>0x16 beshort 47 Snapshot64
>0x16 beshort 48 Super Explode V5.0
>0x16 beshort 49 Magic Voice
>0x16 beshort 50 Action Replay 2
>0x16 beshort 51 MACH 5
>0x16 beshort 52 Diashow-Maker
>0x16 beshort 53 Pagefox
>0x16 beshort 54 Kingsoft
>0x16 beshort 55 Silverrock 128K Cartridge
>0x16 beshort 56 Formel 64
>0x16 beshort 57
>>0x1A ubyte 1 Hucky
>>0x1A ubyte !1 RGCD
>0x16 beshort 58 RR-Net MK3
>0x16 beshort 59 EasyCalc
>0x16 beshort 60 GMod2
>0x16 beshort 61 MAX Basic
>0x16 beshort 62 GMod3
>0x16 beshort 63 ZIPP-CODE 48
>0x16 beshort 64 Blackbox V8
>0x16 beshort 65 Blackbox V3
>0x16 beshort 66 Blackbox V4
>0x16 beshort 67 REX RAM-Floppy
>0x16 beshort 68 BIS-Plus
>0x16 beshort 69 SD-BOX
>0x16 beshort 70 MultiMAX
>0x16 beshort 71 Blackbox V9
>0x16 beshort 72 Lt. Kernal Host Adaptor
>0x16 beshort 73 RAMLink
>0x16 beshort 74 H.E.R.O.
>0x16 beshort 75 IEEE Flash! 64
>0x16 beshort 76 Turtle Graphics II
>0x16 beshort 77 Freeze Frame MK2
0 string C128\40CARTRIDGE Commodore 128 cartridge
>0x20 ubyte 0 \b,
>0x20 ubyte !0
>>0x20 string/T x \b: "%.32s",
>0x16 beshort 0 generic cartridge
>0x16 beshort 1 Warpspeed128
>>0x1A ubyte 1 \b, REU support
>>0x1A ubyte 2 \b, REU support, with I/O and ROM banking
0 string CBM2\40CARTRIDGE Commodore CBM-II cartridge
>0x20 ubyte !0
>>0x20 string/T x \b: "%.32s"
0 string VIC20\40CARTRIDGE Commodore VIC-20 cartridge
>0x20 ubyte 0 \b,
>0x20 ubyte !0
>>0x20 string/T x \b: "%.32s",
>0x16 beshort 0 generic cartridge
>0x16 beshort 1 Mega-Cart
>0x16 beshort 2 Behr Bonz
>0x16 beshort 3 Vic Flash Plugin
>0x16 beshort 4 UltiMem
>0x16 beshort 5 Final Expansion
0 string PLUS4\40CARTRIDGE Commodore 16/Plus4 cartridge
>0x20 ubyte !0
>>0x20 string/T x \b: "%.32s"
# DreamLoad archives see:
# https://www.lemon64.com/forum/viewtopic.php?t=37415\
# &sid=494dc2ca91289e05dadf80a7f8a968fe (at the bottom).
# https://www.c64-wiki.com/wiki/DreamLoad.
# Example HVSC Commodore 64 music collection:
# https://kohina.duckdns.org/HVSC/C64Music/10_Years_HVSC.dfi
0 byte 0
>1 string DREAMLOAD\40FILE\40ARCHIVE
>>0x17 byte 0 DFI Image
>>>0x1a leshort x version: %d.
>>>0x18 leshort x \b%d
>>>0x1c lelong x tracks: %d
0 string GCR-1541 GCR Image 0 string GCR-1541 GCR Image
>8 byte x version: %i >8 byte x version: %i
>9 byte x tracks: %i >9 byte x tracks: %i
@ -57,7 +194,356 @@
>100 byte >0 \b, %u subsong(s) >100 byte >0 \b, %u subsong(s)
# CBM BASIC (cc65 compiled) # CBM BASIC (cc65 compiled)
# Summary: binary executable or Basic program for Commodore C64 computers
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Commodore_BASIC_tokenized_file
# Reference: https://www.c64-wiki.com/wiki/BASIC_token
# https://github.com/thezerobit/bastext/blob/master/bastext.doc
# http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c64.trid.xml
# TODO: unify Commodore BASIC/program sub routines
# Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe
0 leshort 0x0801 0 leshort 0x0801
>2 leshort 0x080b # display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive
>6 string \x9e CBM BASIC #!:strength +0
>7 string >\0 \b, SYS %s # if first token is not SYS this implies BASIC program in most cases
>6 ubyte !0x9e
# but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35)
>>23 search/30 \323ELF-E\330TRACTING-\332IP
>>>0 use c64-exe
>>23 default x
>>>0 use c64-prg
# if first token is SYS this implies binary executable
>6 ubyte =0x9e
>>0 use c64-exe
# display information about C64 binary executable (memory address, line number, token)
0 name c64-exe
>0 uleshort x Commodore C64
# http://a1bert.kapsi.fi/Dev/pucrunch/
# start address 0801h; next offset 080bh; BASIC line number is 239=00EFh; BASIC instruction is SYS 2061
# the above combination appartly also occur for other Commodore programs like: gunzip111.c64.prg
# and there exist PUCrunch archive for other machines like C16 with other magics
>0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program, probably PUCrunch archive data
!:mime application/x-compress-pucrunch
!:ext prg/pck
>0 string !\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program
!:mime application/x-commodore-exec
!:ext prg/
# start address like: 801h
>0 uleshort !0x0801 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x800) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# valid 2nd BASIC fragment found only in sELF-ExTRACTING-zIP executable unzp6420.prg
>>23 search/30 \323ELF-E\330TRACTING-\332IP
# jump again from beginning
>>>(2.s-0x800) ubyte x
>>>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# display information about tokenized C64 BASIC program (memory address, line number, token)
0 name c64-prg
>0 uleshort x Commodore C64 BASIC program
!:mime application/x-commodore-basic
# Tokenized BASIC programs were stored by Commodore as file type program "PRG" in separate field in directory structures.
# So file name can have no suffix like in saveroms; When transferring to other platforms, they are often saved with .prg extensions.
# BAS suffix is typically used for the BASIC source but also found in program pods.bas
!:ext prg/bas/
# start address like: 801h
>0 uleshort !0x0801 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x0800) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# 2nd BASIC fragment
>>&0 use basic-line
# zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# Summary: binary executable or Basic program for Commodore C128 computers
# URL: https://en.wikipedia.org/wiki/Commodore_128
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c128.trid.xml
# From: Joerg Jenderek
# Note: Commodore 128 BASIC 7.0 variant; there exist varaints with different start addresses
0 leshort 0x1C01
!:strength +1
# GRR: line above with strength 51 (50+1) is too generic because it matches SVr3 curses screen image, big-endian with strength (50) handled by ./terminfo
# probably skip SVr3 curses images with "invalid high" second line offset
>2 uleshort <0x1D02
# skip foo with "invalid low" second line offset
>>2 uleshort >0x1C06
# if first token is not SYS this implies BASIC program
>>>6 ubyte !0x9e
>>>>0 use c128-prg
# if first token is SYS this implies binary executable
>>>6 ubyte =0x9e
>>>>0 use c128-exe
# Summary: binary executable or Basic program for Commodore C128 computers
# Note: Commodore 128 BASIC 7.1 extension by Rick Simon
# start adress 132Dh
#0 leshort 0x132D THIS_IS_C128_7.1
#>0 use c128-prg
# Summary: binary executable or Basic program for Commodore C128 computers
# Note: Commodore 128 BASIC 7.0 saved with graphics mode enabled
# start adress 4001h
#0 leshort 0x4001 THIS_IS_C128_GRAPHIC
#>0 use c128-prg
# display information about tokenized C128 BASIC program (memory address, line number, token)
0 name c128-prg
>0 uleshort x Commodore C128 BASIC program
!:mime application/x-commodore-basic
!:ext prg
# start address like: 1C01h
>0 uleshort !0x1C01 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x1C00) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# 2nd BASIC fragment
>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# display information about C128 program (memory address, line number, token)
0 name c128-exe
>0 uleshort x Commodore C128 program
!:mime application/x-commodore-exec
!:ext prg/
# start address like: 1C01h
>0 uleshort !0x1C01 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x1C00) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# no valid 2nd BASIC fragment in Commodore executables
#>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# Summary: binary executable or Basic program for Commodore C16/VIC-20/Plus4 computers
# URL: https://en.wikipedia.org/wiki/Commodore_Plus/4
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20.trid.xml
# defs/p/prg-plus4.trid.xml
# From: Joerg Jenderek
# Note: there exist VIC-20 variants with different start address
# GRR: line below is too generic because it matches Novell LANalyzer capture
# with regular trace header record handled by ./sniffer
0 leshort 0x1001
# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" token value 54h
>6 ubyte >0x7F
# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" second line offset 4Ch
#>>2 uleshort >0x1006 OFFSET_NOT_TOO_LOW
# skip foo with "invalid high" second line offset but not for 0x123b (Minefield.prg)
#>>>2 uleshort <0x1102 OFFSET_NOT_TOO_HIGH
# if first token is not SYS this implies BASIC program
>>6 ubyte !0x9e
# valid second end of line separator implies BASIC program
>>>(2.s-0x1000) ubyte =0
>>>>0 use c16-prg
# invalid second end of line separator !=0 implies binary executable like: Minefield.prg
>>>(2.s-0x1000) ubyte !0
>>>>0 use c16-exe
# if first token is SYS this implies binary executable
>>6 ubyte =0x9e
>>>0 use c16-exe
# display information about C16 program (memory address, line number, token)
0 name c16-exe
>0 uleshort x Commodore C16/VIC-20/Plus4 program
!:mime application/x-commodore-exec
!:ext prg/
# start address like: 1001h
>0 uleshort !0x1001 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x1000) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# no valid 2nd BASIC fragment in excutables
#>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# display information about tokenized C16 BASIC program (memory address, line number, token)
0 name c16-prg
>0 uleshort x Commodore C16/VIC-20/Plus4 BASIC program
!:mime application/x-commodore-basic
!:ext prg
# start address like: 1001h
>0 uleshort !0x1001 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x1000) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# 2nd BASIC fragment
>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# Summary: binary executable or Basic program for Commodore VIC-20 computer with 8K RAM expansion
# URL: https://en.wikipedia.org/wiki/VIC-20
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20-8k.trid.xml
# From: Joerg Jenderek
# Note: Basic v2.0 with Basic v4.0 extension (VIC20); there exist VIC-20 variants with different start addresses
# start adress 1201h
0 leshort 0x1201
# if first token is not SYS this implies BASIC program
>6 ubyte !0x9e
>>0 use vic-prg
# if first token is SYS this implies binary executable
>6 ubyte =0x9e
>>0 use vic-exe
# display information about Commodore VIC-20 BASIC+8K program (memory address, line number, token)
0 name vic-prg
>0 uleshort x Commodore VIC-20 +8K BASIC program
!:mime application/x-commodore-basic
!:ext prg
# start address like: 1201h
>0 uleshort !0x1201 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x1200) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# 2nd BASIC fragment
>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# display information about Commodore VIC-20 +8K program (memory address, line number, token)
0 name vic-exe
>0 uleshort x Commodore VIC-20 +8K program
!:mime application/x-commodore-exec
!:ext prg/
# start address like: 1201h
>0 uleshort !0x1201 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x0400) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# no valid 2nd BASIC fragment in excutables
#>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# Summary: binary executable or Basic program for Commodore PET computers
# URL: https://en.wikipedia.org/wiki/Commodore_PET
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-pet.trid.xml
# From: Joerg Jenderek
# start adress 0401h
0 leshort 0x0401
!:strength +1
# GRR: line above with strength 51 (50+1) is too generic because it matches TTComp archive data, ASCII, 1K dictionary
# (strength=48=50-2) handled by ./archive and shared library (strength=50) handled by ./ibm6000
# skip TTComp archive data, ASCII, 1K dictionary ttcomp-ascii-1k.bin with "invalid high" second line offset 4162h
>2 uleshort <0x0502
# skip foo with "invalid low" second line offset
#>>2 uleshort >0x0406 OFFSET_NOT_TOO_LOW
# skip bar with "invalid end of line"
#>>>(2.s-0x0400) ubyte =0 END_OF_LINE_OK
# if first token is not SYS this implies BASIC program
>>6 ubyte !0x9e
>>>0 use pet-prg
# if first token is SYS this implies binary executable
>>6 ubyte =0x9e
>>>0 use pet-exe
# display information about Commodore PET BASIC program (memory address, line number, token)
0 name pet-prg
>0 uleshort x Commodore PET BASIC program
!:mime application/x-commodore-basic
!:ext prg
# start address like: 0401h
>0 uleshort !0x0401 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x0400) ubyte x
# 2nd BASIC fragment
>>&0 use basic-line
# zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# display information about Commodore PET program (memory address, line number, token)
0 name pet-exe
>0 uleshort x Commodore PET program
!:mime application/x-commodore-exec
!:ext prg/
# start address like: 0401h
>0 uleshort !0x0401 \b, start address %#4.4x
# 1st BASIC fragment
>2 use basic-line
# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line
>(2.s-0x0400) ubyte x
>>&-1 ubyte !0 \b, no EOL=%#x
# no valid 2nd BASIC fragment in excutables
#>>&0 use basic-line
# Zero-byte marking the end of the BASIC line
>-3 ubyte !0 \b, 3 last bytes %#2.2x
# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program
>>-2 ubeshort x \b%4.4x
# display information about tokenized BASIC line (memory address, line number, Token)
0 name basic-line
# pointer to memory address of beginning of "next" BASIC line
# greater then previous offset but maximal 100h difference
>0 uleshort x \b, offset %#4.4x
# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data
>0 uleshort 0
# not line number but first 2 data bytes
>>2 ubeshort x \b, data %#4.4x
# not token but next 2 data bytes
>>4 ubeshort x \b%4.4x
# not token arguments but next data bytes
>>6 ubequad x \b%16.16llx
>>14 ubequad x \b%16.16llx...
# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive
#>>3 string x "%-0.30s"
>0 uleshort >0
# BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100)
>>2 uleshort x \b, line %u
# https://www.c64-wiki.com/wiki/BASIC_token
# The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators
>>4 ubyte x \b, token (%#x)
# https://www.c64-wiki.com/wiki/REM
>>4 string \x8f REM
# remark string like: ** SYNTHESIZER BY RICOCHET **
>>>5 string >\0 %s
#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x
# https://www.c64-wiki.com/wiki/PRINT
>>4 string \x99 PRINT
# string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141
>>>5 string x %s
#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx
# https://www.c64-wiki.com/wiki/POKE
>>4 string \x97 POKE
# <Memory address>,<number>
>>>5 regex \^[0-9,\040]+ %s
# BASIC command delimiter colon (:=3Ah)
>>>>&-2 ubyte =0x3A
# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands
>>>>>&0 string x "%s"
# https://www.c64-wiki.com/wiki/SYS 0x9e=\236
>>4 string \x9e SYS
# SYS <Address> parameter is a 16-bit unsigned integer; in the range 0 - 65535
>>>5 regex \^[0-9]{1,5} %s
# maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg
# (\302(43)\252256\254\302(44)\25236) /T.L.R/
#>>>5 string x SYS_STRING="%s"
# https://www.c64-wiki.com/wiki/GOSUB
>>4 string \x8d GOSUB
# <line>
>>>5 string >\0 %s

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: cad,v 1.28 2021/04/26 15:56:00 christos Exp $ # $File: cad,v 1.31 2022/12/09 15:36:23 christos Exp $
# autocad: file(1) magic for cad files # autocad: file(1) magic for cad files
# #
@ -287,6 +287,8 @@
>6 leshort 0x2 >6 leshort 0x2
>>8 lelong 0xa >>8 lelong 0xa
>>>16 leshort 0x3d3d 3D Studio model >>>16 leshort 0x3d3d 3D Studio model
# Beat sgi MMV
!:strength +20
!:mime image/x-3ds !:mime image/x-3ds
!:ext 3ds !:ext 3ds
@ -299,18 +301,50 @@
# https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ # https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\
# HSF_architecture.html # HSF_architecture.html
# Stephane Charette <stephane.charette@gmail.com> # Stephane Charette <stephane.charette@gmail.com>
0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format) 0 string ;;\040HSF\040V OpenHSF (Hoops Stream Format)
>7 regex/9 V[.0-9]{4,5}\020 %s >7 regex/9 V[.0-9]{4,5}\040 %s
!:ext hsf !:ext hsf
# AutoCAD Drawing Exchange Format # AutoCAD Drawing Exchange Format
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DXF
# https://en.wikipedia.org/wiki/AutoCAD_DXF
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/
# dxf-var0.trid.xml dxf-var0u.trid.xml dxf-var2.trid.xml dxf-var2u.trid.xml
# Note: called "AutoCAD Drawing eXchange Format" by TrID and
# "Drawing Interchange File Format (ASCII)" by DROID
# GRR: some samples does not match 1st test like: abydos.dxf
0 regex \^[\ \t]*0\r?\000$ 0 regex \^[\ \t]*0\r?\000$
>1 regex \^[\ \t]*SECTION\r?$ >1 regex \^[\ \t]*SECTION\r?$
>>2 regex \^[\ \t]*2\r?$ >>2 regex \^[\ \t]*2\r?$
# GRR: some samples without HEADER section like: airplan2.dxf
>>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format >>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format
!:mime application/x-dxf #!:mime application/x-dxf
!:mime image/vnd.dxf
!:ext dxf !:ext dxf
# DROID PUID fmt/64 fmt-64-signature-id-99.dxf
>>>>&1 search/8192 MC0.0 \b, 1.0
# DROID PUID fmt/65 fmt-65-signature-id-100.dxf
>>>>&1 search/8192 AC1.2 \b, 1.2
# DROID PUID fmt/66 fmt-66-signature-id-101.dxf
>>>>&1 search/8192 AC1.3 \b, 1.3
# DROID PUID fmt/67 fmt-67-signature-id-102.dxf
>>>>&1 search/8192 AC1.40 \b, 1.4
# DROID PUID fmt/68 fmt-68-signature-id-103.dxf
>>>>&1 search/8192 AC1.50 \b, 2.0
# DROID PUID fmt/69 fmt-69-signature-id-104.dxf
>>>>&1 search/8192 AC2.10 \b, 2.1
# DROID PUID fmt/70 fmt-70-signature-id-105.dxf
>>>>&1 search/8192 AC2.21 \b, 2.2
# DROID PUID fmt/71 fmt-71-signature-id-106.dxf
>>>>&1 search/8192 AC1002 \b, 2.5
# DROID PUID fmt/72 fmt-72-signature-id-107.dxf
>>>>&1 search/8192 AC1003 \b, 2.6
# DROID PUID fmt/73 fmt-73-signature-id-108.dxf
>>>>&1 search/8192 AC1004 \b, R9
>>>>&1 search/8192 AC1006 \b, R10 >>>>&1 search/8192 AC1006 \b, R10
# http://cd.textfiles.com/amigaenv/DXF/OBJEKTE/LASTMINUTE/apple.dxf
#>>>>&1 search/8192 AC1008 \b, Rfoo
>>>>&1 search/8192 AC1009 \b, R11/R12 >>>>&1 search/8192 AC1009 \b, R11/R12
>>>>&1 search/8192 AC1012 \b, R13 >>>>&1 search/8192 AC1012 \b, R13
>>>>&1 search/8192 AC1013 \b, R13c3 >>>>&1 search/8192 AC1013 \b, R13c3

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: cafebabe,v 1.27 2021/04/26 15:56:00 christos Exp $ # $File: cafebabe,v 1.28 2022/07/01 23:24:47 christos Exp $
# Cafe Babes unite! # Cafe Babes unite!
# #
# Since Java bytecode and Mach-O universal binaries have the same magic number, # Since Java bytecode and Mach-O universal binaries have the same magic number,
@ -44,6 +44,12 @@
>>4 belong 0x0038 (Java SE 12) >>4 belong 0x0038 (Java SE 12)
>>4 belong 0x0039 (Java SE 13) >>4 belong 0x0039 (Java SE 13)
>>4 belong 0x003A (Java SE 14) >>4 belong 0x003A (Java SE 14)
>>4 belong 0x003B (Java SE 15)
>>4 belong 0x003C (Java SE 16)
>>4 belong 0x003D (Java SE 17)
>>4 belong 0x003E (Java SE 18)
>>4 belong 0x003F (Java SE 19)
>>4 belong 0x0040 (Java SE 20)
# pool count unequal zero # pool count unequal zero
#>>8 beshort x \b, pool count %#x #>>8 beshort x \b, pool count %#x
# pool table # pool table

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $ # $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $
# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures
# #
# COFF # COFF
@ -37,6 +37,7 @@
# ARM COFF (./arm) # ARM COFF (./arm)
>>>>0 uleshort 0xaa64 Aarch64 >>>>0 uleshort 0xaa64 Aarch64
>>>>0 uleshort 0x01c0 ARM >>>>0 uleshort 0x01c0 ARM
>>>>0 uleshort 0xa641 ARM64EC
>>>>0 uleshort 0x01c2 ARM Thumb >>>>0 uleshort 0x01c2 ARM Thumb
>>>>0 uleshort 0x01c4 ARMv7 Thumb >>>>0 uleshort 0x01c4 ARMv7 Thumb
# TODO for other COFFs # TODO for other COFFs

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: commands,v 1.66 2021/07/03 13:50:29 christos Exp $ # $File: commands,v 1.73 2022/11/06 18:39:23 christos Exp $
# commands: file(1) magic for various shells and interpreters # commands: file(1) magic for various shells and interpreters
# #
#0 string/w : shell archive or script for antique kernel text #0 string/w : shell archive or script for antique kernel text
@ -8,6 +8,8 @@
!:mime text/x-shellscript !:mime text/x-shellscript
0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) 0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data)
!:mime text/x-shellscript !:mime text/x-shellscript
>10 string #\040This\040script\040was\040generated\040using\040Makeself \b, self-executable archive
>>53 string x \b, Makeself %s
0 string/fwt #!\ /bin/csh C shell script text executable 0 string/fwt #!\ /bin/csh C shell script text executable
!:mime text/x-shellscript !:mime text/x-shellscript
@ -35,7 +37,7 @@
!:mime text/x-shellscript !:mime text/x-shellscript
0 string/fwt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable 0 string/fwt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable
!:mime text/x-shellscript !:mime text/x-shellscript
0 search/1 #!/usr/bin/env\ zsh Paul Falstad's zsh script text executable 0 string/fwt #!\ /usr/bin/env\ zsh Paul Falstad's zsh script text executable
!:mime text/x-shellscript !:mime text/x-shellscript
0 string/fwt #!\ /bin/ash Neil Brown's ash script text executable 0 string/fwt #!\ /bin/ash Neil Brown's ash script text executable
@ -97,9 +99,6 @@
0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable 0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable
!:mime text/x-shellscript !:mime text/x-shellscript
0 string/wt #!\ a
>&-1 string x %s script text executable
0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable 0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable
!:mime text/x-tcl !:mime text/x-tcl
@ -153,6 +152,32 @@
0 string Zend\x00 PHP script Zend Optimizer data 0 string Zend\x00 PHP script Zend Optimizer data
# From: Anatol Belski <ab@php.net>
0 string OPCACHE
>7 ubyte 0 PHP opcache filecache data
0 search/64 --TEST--
>16 search/64 --FILE--
>24 search/8192 --EXPECT PHP core test
!:ext phpt
# https://www.php.net/manual/en/phar.fileformat.signature.php
-4 string GBMB PHP phar archive
>-8 ubyte 0x1 with MD5 signature
!:ext phar
>-8 ubyte 0x2 with SHA1 signature
!:ext phar
>-8 ubyte 0x3 with SHA256 signature
!:ext phar
>-8 ubyte 0x4 with SHA512 signature
!:ext phar
>-8 ubyte 0x10 with OpenSSL signature
!:ext phar
>-8 ubyte 0x11 with OpenSSL SHA256 signature
!:ext phar
>-8 ubyte 0x12 with OpenSSL SHA512 signature
!:ext phar
0 string/t $! DCL command file 0 string/t $! DCL command file
# Type: Pdmenu # Type: Pdmenu
@ -163,3 +188,14 @@
# From Danny Weldon # From Danny Weldon
0 string \x0b\x13\x08\x00 0 string \x0b\x13\x08\x00
>0x04 uleshort <4 ksh byte-code version %d >0x04 uleshort <4 ksh byte-code version %d
# From: arno <arenevier@fdn.fr>
# mozilla xpconnect typelib
# see https://www.mozilla.org/scriptable/typelib_file.html
0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib
>0x10 byte x version %d
>>0x11 byte x \b.%d
0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable
0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable
0 string/fwt #!\ /usr/bin/env\ julia Julia script executable

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: compress,v 1.82 2021/06/30 08:11:29 christos Exp $ # $File: compress,v 1.91 2023/06/16 19:37:47 christos Exp $
# compress: file(1) magic for pure-compression formats (no archives) # compress: file(1) magic for pure-compression formats (no archives)
# #
# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc.
@ -12,13 +12,14 @@
0 string \037\235 compress'd data 0 string \037\235 compress'd data
!:mime application/x-compress !:mime application/x-compress
!:apple LZIVZIVU !:apple LZIVZIVU
!:ext Z
>2 byte&0x80 >0 block compressed >2 byte&0x80 >0 block compressed
>2 byte&0x1f x %d bits >2 byte&0x1f x %d bits
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# URL: https://en.wikipedia.org/wiki/Gzip # URL: https://en.wikipedia.org/wiki/Gzip
# Reference: https://tools.ietf.org/html/rfc1952 # Reference: https://tools.ietf.org/html/rfc1952
# Update: Joerg Jenderek, Apr 2019 # Update: Joerg Jenderek, Apr 2019, Dec 2022
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent # * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods # * Produce shorter output - notably, only report compression methods
@ -61,20 +62,24 @@
!:mime application/gzip !:mime application/gzip
>>>0 use gzip-info >>>0 use gzip-info
# size of the original (uncompressed) input data modulo 2^32 # size of the original (uncompressed) input data modulo 2^32
>>-0 offset >48 # TODO: check for GXD MCD cad the reported size
>>>-4 ulelong x \b, original size modulo 2^32 %u >>>-4 ulelong x \b, original size modulo 2^32 %u
>>-0 offset <48 \b, truncated
# gzipped TAR or VirtualBox extension package # gzipped TAR or VirtualBox extension package
#!:mime application/x-compressed-tar #!:mime application/x-compressed-tar
#!:mime application/x-virtualbox-vbox-extpack #!:mime application/x-virtualbox-vbox-extpack
# https://www.w3.org/TR/SVG/mimereg.html # https://www.w3.org/TR/SVG/mimereg.html
#!:mime image/image/svg+xml-compressed #!:mime image/svg+xml-compressed
# zlib.3.gz # zlib.3.gz
# microcode-20180312.tgz # microcode-20180312.tgz
# tpz same as tgz # tpz same as tgz
# lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg # lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg
# Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack # Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack
!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz # trees.blend http://fileformats.archiveteam.org/wiki/BLEND
# 2020-07-19-Note-16-24.xoj https://xournal.sourceforge.net/manual.html
# MYgnucash-gz.gnucash https://wiki.gnucash.org/wiki/GnuCash_XML_format
# text-rotate.dia https://en.wikipedia.org/wiki/Dia_(software)
# MYrdata.RData https://en.wikipedia.org/wiki/R_(programming_language)
!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz/blend/dia/gnucash/rdata/xoj
# FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text # FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text
>3 byte&0x18 >0 gzip compressed data >3 byte&0x18 >0 gzip compressed data
!:mime application/gzip !:mime application/gzip
@ -83,12 +88,13 @@
#!:mime application/x-abiword-compressed #!:mime application/x-abiword-compressed
#!:mime image/image/svg+xml-compressed #!:mime image/image/svg+xml-compressed
# kleopatra_splashscreen.svgz gzipped .svg # kleopatra_splashscreen.svgz gzipped .svg
!:ext gz/tgz/tpz/zabw/svgz # RSI-Mega-Demo_Disk1.adz gzipped .adf http://fileformats.archiveteam.org/wiki/ADF_(Amiga)
# PostbankTest.kmy gzipped XML https://docs.kde.org/stable5/en/kmymoney/kmymoney/details.formats.compressed.html
# Logo.xcfgz gzipped .xcf http://fileformats.archiveteam.org/wiki/XCF
!:ext gz/tgz/tpz/zabw/svgz/adz/kmy/xcfgz
>>0 use gzip-info >>0 use gzip-info
# size of the original (uncompressed) input data modulo 2^32 # size of the original (uncompressed) input data modulo 2^32
>>-0 offset >48 >>-4 ulelong x \b, original size modulo 2^32 %u
>>>-4 ulelong x \b, original size modulo 2^32 %u
>>-0 offset <48 \b, truncated
# display information of gzip compressed files # display information of gzip compressed files
0 name gzip-info 0 name gzip-info
#>2 byte x THIS iS GZIP #>2 byte x THIS iS GZIP
@ -125,6 +131,7 @@
# packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis
0 string \037\036 packed data 0 string \037\036 packed data
!:mime application/octet-stream !:mime application/octet-stream
!:ext z
>2 belong >1 \b, %d characters originally >2 belong >1 \b, %d characters originally
>2 belong =1 \b, %d character originally >2 belong =1 \b, %d character originally
# #
@ -147,6 +154,7 @@
# bzip2 # bzip2
0 string BZh bzip2 compressed data 0 string BZh bzip2 compressed data
!:mime application/x-bzip2 !:mime application/x-bzip2
!:ext bz2
>3 byte >47 \b, block size = %c00k >3 byte >47 \b, block size = %c00k
# bzip a block-sorting file compressor # bzip a block-sorting file compressor
@ -158,6 +166,7 @@
# lzip # lzip
0 string LZIP lzip compressed data 0 string LZIP lzip compressed data
!:mime application/x-lzip !:mime application/x-lzip
!:ext lz
>4 byte x \b, version: %d >4 byte x \b, version: %d
# squeeze and crunch # squeeze and crunch
@ -193,6 +202,7 @@
# lzop from <markus.oberhumer@jk.uni-linz.ac.at> # lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
!:ext lzo
>9 beshort <0x0940 >9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x, >>9 beshort&0x0fff x \b%03x,
@ -253,20 +263,24 @@
!:mime application/x-7z-compressed !:mime application/x-7z-compressed
!:ext 7z/cb7 !:ext 7z/cb7
0 name lzma LZMA compressed data,
!:mime application/x-lzma
!:ext lzma
>5 lequad =0xffffffffffffffff streamed
>5 lequad !0xffffffffffffffff non-streamed, size %lld
# Type: LZMA # Type: LZMA
0 lelong&0xffffff =0x5d 0 lelong&0xffffff =0x5d
>12 leshort 0xff LZMA compressed data, >12 leshort 0xff
!:mime application/x-lzma >>0 use lzma
>>5 lequad =0xffffffffffffffff streamed >12 leshort 0
>>5 lequad !0xffffffffffffffff non-streamed, size %lld >>0 use lzma
>12 leshort 0 LZMA compressed data,
>>5 lequad =0xffffffffffffffff streamed
>>5 lequad !0xffffffffffffffff non-streamed, size %lld
# http://tukaani.org/xz/xz-file-format.txt # http://tukaani.org/xz/xz-file-format.txt
0 ustring \xFD7zXZ\x00 XZ compressed data, checksum 0 ustring \xFD7zXZ\x00 XZ compressed data, checksum
!:strength * 2 !:strength * 2
!:mime application/x-xz !:mime application/x-xz
!:ext xz
>7 byte&0xf 0x0 NONE >7 byte&0xf 0x0 NONE
>7 byte&0xf 0x1 CRC32 >7 byte&0xf 0x1 CRC32
>7 byte&0xf 0x4 CRC64 >7 byte&0xf 0x4 CRC64
@ -274,14 +288,15 @@
# https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt
0 string LRZI LRZIP compressed data 0 string LRZI LRZIP compressed data
!:mime application/x-lrzip
>4 byte x - version %d >4 byte x - version %d
>5 byte x \b.%d >5 byte x \b.%d
>22 byte 1 \b, encrypted >22 byte 1 \b, encrypted
!:mime application/x-lrzip
# https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html
0 lelong 0x184d2204 LZ4 compressed data (v1.4+) 0 lelong 0x184d2204 LZ4 compressed data (v1.4+)
!:mime application/x-lz4 !:mime application/x-lz4
!:ext lz4
# Added by osm0sis@xda-developers.com # Added by osm0sis@xda-developers.com
0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3)
!:mime application/x-lz4 !:mime application/x-lz4
@ -318,19 +333,26 @@
# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md
0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) 0 lelong 0xFD2FB522 Zstandard compressed data (v0.2)
!:mime application/zstd !:mime application/zstd
!:ext zst
0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) 0 lelong 0xFD2FB523 Zstandard compressed data (v0.3)
!:mime application/zstd !:mime application/zstd
!:ext zst
0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) 0 lelong 0xFD2FB524 Zstandard compressed data (v0.4)
!:mime application/zstd !:mime application/zstd
!:ext zst
0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) 0 lelong 0xFD2FB525 Zstandard compressed data (v0.5)
!:mime application/zstd !:mime application/zstd
!:ext zst
0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) 0 lelong 0xFD2FB526 Zstandard compressed data (v0.6)
!:mime application/zstd !:mime application/zstd
!:ext zst
0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) 0 lelong 0xFD2FB527 Zstandard compressed data (v0.7)
!:mime application/zstd !:mime application/zstd
!:ext zst
>4 use zstd-dictionary-id >4 use zstd-dictionary-id
0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) 0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+)
!:mime application/zstd !:mime application/zstd
!:ext zst
>4 use zstd-dictionary-id >4 use zstd-dictionary-id
# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md
@ -406,3 +428,34 @@
# http://www.shikadi.net/moddingwiki/PCX_Library # http://www.shikadi.net/moddingwiki/PCX_Library
0 string/b pcxLib 0 string/b pcxLib
>0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed >0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed
# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm
0 uleshort 0x7c49
>2 lelong 0x80 ORA FASTQ compressed file
>>6 ulelong x \b, DNA size %u
>>10 ulelong x \b, read names size %u
>>14 ulelong x \b, quality buffer 1 size %u
>>18 ulelong x \b, quality buffer 2 size %u
>>22 ulelong x \b, sequence buffer size %u
>>26 ulelong x \b, N-position buffer size %u
>>30 ulelong x \b, crypto buffer size %u
>>34 ulelong x \b, misc buffer 1 size %u
>>38 ulelong x \b, misc buffer 2 size %u
>>42 ulelong x \b, flags %#x
>>46 lelong x \b, read size %d
>>50 lelong x \b, number of reads %d
>>54 leshort x \b, version %d
# https://github.com/kspalaiologos/bzip3/blob/master/doc/file_format.md
0 string/b BZ3v1 bzip3 compressed data
>5 ulelong x \b, blocksize %u
# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/\
# SW/ORA/ORAFormatSpecification.htm
# From Guillaume Rizk
0 short =0x7C49 DRAGEN ORA file,
>-261 short =0x7C49 with metadata:
>-125 u8 x NB reads: %llu,
>-109 u8 x NB bases: %llu.
>-219 u4&0x02 2 File contains interleaved paired reads

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: console,v 1.63 2021/04/26 15:56:00 christos Exp $ # $File: console,v 1.72 2023/06/16 19:24:06 christos Exp $
# Console game magic # Console game magic
# Toby Deshane <hac@shoelace.digivill.net> # Toby Deshane <hac@shoelace.digivill.net>
@ -68,7 +68,7 @@
!:mime application/x-nes-rom !:mime application/x-nes-rom
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# fds: file(1) magic for Famciom Disk System disk images # fds: file(1) magic for Famicom Disk System disk images
# Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format
# From: David Korth <gerbilsoft@gerbilsoft.com> # From: David Korth <gerbilsoft@gerbilsoft.com>
# TODO: Check "Disk info block" and get info from that in addition to the optional header. # TODO: Check "Disk info block" and get info from that in addition to the optional header.
@ -78,8 +78,8 @@
>23 byte !1 FMC- >23 byte !1 FMC-
>23 byte 1 FSC- >23 byte 1 FSC-
>16 string x \b%.3s >16 string x \b%.3s
>15 byte x \b, mfr %02X >15 ubyte x \b, mfr %02X
>20 byte x (Rev.%02u) >20 ubyte x (Rev.%02u)
# Headered version. # Headered version.
0 string FDS\x1A 0 string FDS\x1A
@ -228,21 +228,56 @@
>0x10 use sega-mega-drive-header >0x10 use sega-mega-drive-header
>0 byte x \b, 2352-byte sectors >0 byte x \b, 2352-byte sectors
# Sega Mega Drive, 32X, Pico, and Mega CD Boot ROM images. # Sega Mega Drive: Identify the system ID.
0x100 string SEGA 0x100 string SEGA
>0x3C0 bequad 0x4D41525320434845 Sega 32X ROM image >0x3C0 string MARS\ CHECK\ MODE Sega 32X ROM image
!:mime application/x-genesis-32x-rom !:mime application/x-genesis-32x-rom
>>0 use sega-mega-drive-header >>0 use sega-mega-drive-header
>0x3C0 bequad !0x4D41525320434845 >0x104 string \ PICO Sega Pico ROM image
>>0x105 belong 0x5049434F Sega Pico ROM image
!:mime application/x-sega-pico-rom !:mime application/x-sega-pico-rom
>>>0 use sega-mega-drive-header >>0 use sega-mega-drive-header
>>0x105 belong !0x5049434F >0x104 string TOYS\ PICO Sega Pico ROM image
>>>0x180 beshort 0x4252 Sega Mega CD Boot ROM image !:mime application/x-sega-pico-rom
>>0 use sega-mega-drive-header
>0x104 string \ TOYS\ PICO Sega Pico ROM image
!:mime application/x-sega-pico-rom
>>0 use sega-mega-drive-header
>0x104 string \ IAC Sega Pico ROM image
!:mime application/x-sega-pico-rom
>>0 use sega-mega-drive-header
>0x104 string \ TERA68K Sega Teradrive (68K) ROM image
!:mime application/x-sega-teradrive-rom
>>0 use sega-mega-drive-header
>0x104 string \ TERA286 Sega Teradrive (286) ROM image
!:mime application/x-sega-teradrive-rom
>>0 use sega-mega-drive-header
>0x180 string BR Sega Mega CD Boot ROM image
!:mime application/x-genesis-rom !:mime application/x-genesis-rom
>>>0x180 beshort !0x4252 Sega Mega Drive / Genesis ROM image >>0 use sega-mega-drive-header
>0x104 default x Sega Mega Drive / Genesis ROM image
!:mime application/x-genesis-rom !:mime application/x-genesis-rom
>>>0 use sega-mega-drive-header >>0 use sega-mega-drive-header
# Sega Mega Drive: Some ROMs have "SEGA" at 0x101, not 0x100.
0x100 string \ SEGA Sega Mega Drive / Genesis ROM image
>0 use sega-mega-drive-header
# Sega Pico ROMs that don't start with "SEGA".
0x100 string SAMSUNG\ PICO Samsung Pico ROM image
!:mime application/x-sega-pico-rom
>0 use sega-mega-drive-header
0x100 string IMA\ IKUNOUJYUKU Samsung Pico ROM image
!:mime application/x-sega-pico-rom
>0 use sega-mega-drive-header
0x100 string IMA IKUNOJYUKU Samsung Pico ROM image
!:mime application/x-sega-pico-rom
>0 use sega-mega-drive-header
# Sega Picture Magic (modified 32X)
0x100 string Picture\ Magic
>0x3C0 string PICTURE MAGIC-01 Sega 32X ROM image
!:mime application/x-genesis-32x-rom
>>0 use sega-mega-drive-header
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# genesis: file(1) magic for the Super MegaDrive ROM dump format # genesis: file(1) magic for the Super MegaDrive ROM dump format
@ -474,12 +509,13 @@
# - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp # - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp
# - https://www.devrs.com/ngp/files/ngpctech.txt # - https://www.devrs.com/ngp/files/ngpctech.txt
# #
0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket 0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket
!:mime application/x-neo-geo-pocket-rom !:mime application/x-neo-geo-pocket-rom
>0x23 byte 0x10 Color >0x23 byte 0x10 Color
>0 byte x ROM image >0 byte x ROM image
>0x24 string >\0 \b: "%.12s" >0x24 string >\0 \b: "%.12s"
>0x1F byte 0xFF (debug mode enabled) >0x21 uleshort x \b, NEOP%04X
>0x1F ubyte 0xFF (debug mode enabled)
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# msx: file(1) magic for MSX game cartridge dumps # msx: file(1) magic for MSX game cartridge dumps
@ -508,6 +544,19 @@
0 string CPE CPE executable 0 string CPE CPE executable
>3 byte x (version %d) >3 byte x (version %d)
# Sony PlayStation archive (PSARC)
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://www.psdevwiki.com/ps3/PlayStation_archive_(PSARC)
0 string PSAR Sony PlayStation Archive
!:ext psarc
>4 ubeshort x \b, version %d.
>6 ubeshort x \b%d
>8 string zlib \b, zlib compression
>8 string lzma \b, LZMA compression
>28 ubeshort&2 0 \b, relative paths
>28 ubeshort&2 2 \b, absolute paths
>28 ubeshort&1 1 \b, ignore case
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>) # Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>)
0 string XBEH Microsoft Xbox executable 0 string XBEH Microsoft Xbox executable
@ -639,17 +688,34 @@
>>0 use xbox-360-package >>0 use xbox-360-package
# Atari Lynx cartridge dump (EXE/BLL header) # Atari Lynx cartridge dump (EXE/BLL header)
# From: "Stefan A. Haubenthal" <polluks@web.de> # From: "Stefan A. Haubenthal" <polluks@sdf.lonestar.org>
# Reference:
# https://raw.githubusercontent.com/cc65/cc65/master/libsrc/lynx/exehdr.s
# Double-check that the image type matches too, 0x8008 conflicts with # Double-check that the image type matches too, 0x8008 conflicts with
# 8 character OMF-86 object file headers. # 8 character OMF-86 object file headers.
0 beshort 0x8008 0 beshort 0x8008
>6 string BS93 Lynx homebrew cartridge >6 string BS93 Lynx homebrew cartridge
!:mime application/x-atari-lynx-rom !:mime application/x-atari-lynx-rom
>>2 beshort x \b, RAM start $%04x >>2 beshort x \b, RAM start $%04x
>6 string LYNX Lynx cartridge # Update: Joerg Jenderek
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml
# Note: called "Atari Lynx ROM" by TrID
0 string LYNX Lynx cartridge
!:mime application/x-atari-lynx-rom !:mime application/x-atari-lynx-rom
>>2 beshort x \b, RAM start $%04x !:ext lnx
# bank 0 page size like: 128 256 512
>4 leshort/4 >0 \b, bank 0 %dk
>6 leshort/4 >0 \b, bank 1 %dk
# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX"
>10 string >\0 \b, "%.32s"
# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin"
>42 string >\0 \b, "%.16s"
# version number
#>8 leshort !1 \b, version number %u
# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx
>58 ubyte >0 \b, rotation %u
# spare
#>59 lelong !0 \b, spare %#x
# Opera file system that is used on the 3DO console # Opera file system that is used on the 3DO console
# From: Serge van den Boom <svdb@stack.nl> # From: Serge van den Boom <svdb@stack.nl>
@ -720,6 +786,28 @@
>5 byte 0 \b, Simple Encoding >5 byte 0 \b, Simple Encoding
>6 string x \b, description: %s >6 string x \b, description: %s
# Compressed ISO disc image (used mostly by PSP, PS2 and MegaDrive)
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://en.wikipedia.org/wiki/.CSO
# NOTE: This is NOT the same as Compact ISO or GameCube/Wii disc image,
# though it has the same magic number.
0 string CISO
# Match CISO version 1 with ISO-9660 sector size
>20 ubyte <2
>>16 ulelong =2048 CSO v1 disk image
!:mime application/x-compressed-iso
!:ext ciso/cso
>>>8 ulequad x \b, original size %llu bytes
>>>16 ulelong x \b, datablock size %u bytes
# Match CISO version 2
>20 ubyte =2
>>22 uleshort =0
>>>4 ulelong =24 CSO v2 disk image
!:mime application/x-compressed-iso
!:ext ciso/cso
>>>>8 ulequad x \b, original size %llu bytes
>>>>16 ulelong x \b, datablock size %u bytes
# From: Daniel Dawson <ddawson@icehouse.net> # From: Daniel Dawson <ddawson@icehouse.net>
# SNES9x .smv "movie" file format. # SNES9x .smv "movie" file format.
0 string SMV\x1A SNES9x input recording 0 string SMV\x1A SNES9x input recording
@ -898,6 +986,16 @@
!:mime application/x-gamecube-rom !:mime application/x-gamecube-rom
>>>>0x8000 use nintendo-gcn-disc-common >>>>0x8000 use nintendo-gcn-disc-common
# Type: Nintendo GameCube/Wii disc image (RVZ format)
0 string RVZ\001 Nintendo
>0x48 belong 1 GameCube
!:mime application/x-gamecube-rom
>0x48 belong 2 Wii
!:mime application/x-wii-rom
>0x48 default x GameCube/Wii
>0x48 belong x disc image (RVZ format):
>>0x58 use nintendo-gcn-disc-common
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Nintendo 3DS file formats. # Nintendo 3DS file formats.
# #
@ -1126,14 +1224,3 @@
>>0x34 ubyte 1 [FastROM] >>0x34 ubyte 1 [FastROM]
>>0x35 ubyte 1 [SRAM] >>0x35 ubyte 1 [SRAM]
>>0x35 ubyte 3 [Special] >>0x35 ubyte 3 [Special]
# Type: Nintendo GameCube/Wii disc image (RVZ format)
0 string RVZ\001 Nintendo
>0x48 belong 1 GameCube
!:mime application/x-gamecube-rom
>0x48 belong 2 Wii
!:mime application/x-wii-rom
>0x48 default x GameCube/Wii
>0x48 belong x disc image (RVZ format):
>>0x58 use nintendo-gcn-disc-common

View file

@ -1,5 +1,49 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: crypto,v 1.2 2021/03/27 20:15:53 christos Exp $ # $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $
# crypto: file(1) magic for crypto formats # crypto: file(1) magic for crypto formats
# #
# Bitcoin block files
0 lelong 0xD9B4BEF9 Bitcoin
>(4.l+40) lelong 0xD9B4BEF9 reverse block
>>4 lelong x \b, size %u
# normal block below
>0 default x block
>>4 lelong x \b, size %u
>>8 lelong&0xE0000000 0x20000000
>>>8 lelong x \b, BIP9 0x%x
>>8 lelong&0xE0000000 !0x20000000
>>>8 lelong x \b, version 0x%x
>>76 ledate x \b, %s UTC
# VarInt counter
>>88 ubyte <0xfd \b, txcount %u
>>88 ubyte 0xfd
>>>89 leshort x \b, txcount %u
>>88 ubyte 0xfe
>>>89 lelong x \b, txcount %u
>>88 ubyte 0xff
>>>89 lequad x \b, txcount %llu
!:ext dat
# option to find more blocks in the file
#>>(4.l+8) indirect x ;
# LevelDB
-8 lequad 0xdb4775248b80fb57 LevelDB table data
# http://www.tarsnap.com/scrypt.html
# see scryptenc_setup() in lib/scryptenc/scryptenc.c
0 string scrypt\0 scrypt encrypted file
>7 byte x \b, N=2**%d
>8 belong x \b, r=%d
>12 belong x \b, p=%d
# https://age-encryption.org/
# Only the first recipient is printed in detail to prevent repetitive output
# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ...").
0 string age-encryption.org/v1\n age encrypted file
>25 regex/128 \^[^\040]+ \b, %s recipient
>>25 string scrypt
>>>&0 regex/64 [0-9]+\$ (N=2**%s)
>>&0 search/256 \n->\040 \b, among others
0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored

View file

@ -20,4 +20,4 @@
# CTF metadata (plain text) # CTF metadata (plain text)
0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata 0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata
!:strength + 5 # this is to make sure we beat C !:strength + 5 # this is to make sure we beat C
>&0 regex [0-9]+\.[0-9]+ \b, v%s >&0 regex [0-9]+\\.[0-9]+ \b, v%s

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: database,v 1.63 2021/10/04 00:44:30 christos Exp $ # $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $
# database: file(1) magic for various databases # database: file(1) magic for various databases
# #
# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
@ -151,6 +151,7 @@
# https://www.clicketyclick.dk/databases/xbase/format/dbf.html # https://www.clicketyclick.dk/databases/xbase/format/dbf.html
# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
0 ubelong&0x0000FFFF <0x00000C20 0 ubelong&0x0000FFFF <0x00000C20
!:strength +10
# skip Infocom game Z-machine # skip Infocom game Z-machine
>2 ubyte >0 >2 ubyte >0
# skip Androids *.xml # skip Androids *.xml
@ -386,8 +387,22 @@
>>>>>20 ubelong&0xFF01209B 0x00000000 >>>>>20 ubelong&0xFF01209B 0x00000000
# dBASE III # dBASE III
>>>>>>16 ubyte 3 >>>>>>16 ubyte 3
# dBASE III DBT # skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod
>>>>>>>0 use dbase3-memo-print >>>>>>>512 ubyte >040
# skip with valid 1st item "rintf" keylayouts.mod
# by looking for valid terminating character Ctrl-Z like in test.dbt
>>>>>>>>513 search/3308 \032
# skip GRUB plan9.mod with invalid second terminating character 007
# by checking second terminating character Ctrl-Z like in test.dbt
>>>>>>>>>&0 ubyte 032
# dBASE III DBT with two Ctr-Z terminating characters
>>>>>>>>>>0 use dbase3-memo-print
# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod
>>>>>>>>>&0 ubyte 0
# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0
>>>>>>>>>>0x1ad string !grub_mod_init
# like dbase-memo.dbt
>>>>>>>>>>>0 use dbase3-memo-print
# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
>>>>>>16 ubyte 0 >>>>>>16 ubyte 0
# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF
@ -399,14 +414,35 @@
>>>>>>>>>>4 ushort 0 >>>>>>>>>>4 ushort 0
# check for valid FoxPro field type # check for valid FoxPro field type
>>>>>>>>>>>512 ubelong <3 >>>>>>>>>>>512 ubelong <3
>>>>>>>>>>>>0 use foxpro-memo-print # skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh
>>>>>>>>>>>>6 ubeshort&0x002f 0
>>>>>>>>>>>>>0 use foxpro-memo-print
# dBASE III DBT , garbage # dBASE III DBT , garbage
# skip WORD1XW.DOC with improbably high free block index # skip WORD1XW.DOC with improbably high free block index
>>>>>>>>>0 ulelong <0x400000 >>>>>>>>>0 ulelong <0x400000
# skip WinStore.App.exe by looking for printable 2nd character of 1st memo item # skip WinStore.App.exe by looking for printable 2nd character of 1st memo item
>>>>>>>>>>513 ubyte >037 >>>>>>>>>>513 ubyte >037
# unusual dBASE III DBT like adressen.dbt # skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item
>>>>>>>>>>>0 use dbase3-memo-print >>>>>>>>>>>512 ubyte >037
# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377
>>>>>>>>>>>>512 ubyte <0377
# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2)
# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb.
# by looking for valid terminating character Ctrl-Z
>>>>>>>>>>>>>513 search/523 \032
# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character
#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o
# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt
>>>>>>>>>>>>>>&0 ubyte 032
>>>>>>>>>>>>>>>0 use dbase3-memo-print
# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt
>>>>>>>>>>>>>>&0 ubyte 0
# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space"
>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show
# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt
>>>>>>>>>>>>>>>514 default x
# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt
>>>>>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE III DBT like angest.dbt, or garbage PCX DBF # dBASE III DBT like angest.dbt, or garbage PCX DBF
>>>>>>>>8 ubelong !0 >>>>>>>>8 ubelong !0
# skip PCX and some DBF by test for for reserved NULL bytes # skip PCX and some DBF by test for for reserved NULL bytes
@ -415,9 +451,23 @@
>>>>>>>>>>0 ulelong <0x400000 >>>>>>>>>>0 ulelong <0x400000
# skip AI070GEP.EPS by printable 1st character of 1st memo item # skip AI070GEP.EPS by printable 1st character of 1st memo item
>>>>>>>>>>>512 ubyte >037 >>>>>>>>>>>512 ubyte >037
# skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB
>>>>>>>>>>>>512 ubyte <0200
# skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character
>>>>>>>>>>>>513 ubyte >037 >>>>>>>>>>>>>513 ubyte >037
>>>>>>>>>>>>>0 use dbase3-memo-print # skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like
# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727"
# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735"
# "10586.494.amd64fre.th2_release_sec.160630-1736"
# by looking for valid terminating character Ctrl-Z
>>>>>>>>>>>>>>513 search/0x11E \032
# followed by second character Ctrl-Z implies typical DBT
>>>>>>>>>>>>>>>&0 ubyte 032
# examples like: angest.dbt
>>>>>>>>>>>>>>>>0 use dbase3-memo-print
>>>>>>>>>>>>>>>&0 ubyte 0
# no example found here with terminating sequence CTRL-Z + \0
>>>>>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE IV DBT with positive block size # dBASE IV DBT with positive block size
>>>>>>>20 uleshort >0 >>>>>>>20 uleshort >0
# dBASE IV DBT with valid block length like 512, 1024 # dBASE IV DBT with valid block length like 512, 1024
@ -439,8 +489,16 @@
# no positive block length # no positive block length
#>20 uleshort =0 \b, block length %u #>20 uleshort =0 \b, block length %u
>20 uleshort !0 \b, block length %u >20 uleshort !0 \b, block length %u
# dBase III memo field terminated by \032\032 # dBase III memo field terminated often by \032\032
# like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT
>512 string >\0 \b, 1st item "%s" >512 string >\0 \b, 1st item "%s"
# For DEBUGGING
#>512 ubelong x \b, 1ST item %#8.8x
#>513 search/0x225 \032 FOUND_TERMINATOR
#>>&0 ubyte 032 2xCTRL_Z
# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte
#>>&0 ubyte 0 1xCTRL_Z
# https://www.clicketyclick.dk/databases/xbase/format/dbt.html # https://www.clicketyclick.dk/databases/xbase/format/dbt.html
# Print the information of dBase IV DBT memo file # Print the information of dBase IV DBT memo file
0 name dbase4-memo-print 0 name dbase4-memo-print
@ -486,7 +544,7 @@
>0 belong x FoxPro FPT >0 belong x FoxPro FPT
!:mime application/x-fpt !:mime application/x-fpt
!:ext fpt !:ext fpt
# Size of blocks for FoxPro ( 64,256 ) # Size of blocks for FoxPro ( 64,256 ); probably a multiple of two
>6 ubeshort x \b, blocks size %u >6 ubeshort x \b, blocks size %u
# next available block # next available block
#>0 belong =0 \b, next free block index %u #>0 belong =0 \b, next free block index %u

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: dataone,v 1.2 2019/04/19 00:42:27 christos Exp $ # $File: dataone,v 1.3 2022/04/18 21:38:10 christos Exp $
# #
# DataONE- files from Dave Vieglais <dave.vieglais@gmail.com> & # DataONE- files from Dave Vieglais <dave.vieglais@gmail.com> &
# Pratik Shrivastava <pratikshrivastava23@gmail.com> # Pratik Shrivastava <pratikshrivastava23@gmail.com>
@ -9,39 +9,39 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# EML (Ecological Metadata Language Format) # EML (Ecological Metadata Language Format)
0 string <?xml 0 string \<?xml\ version=
>&0 regex (eml)-[0-9].[0-9].[0-9]+ eml://ecoinformatics.org/%s >&0 regex/1024 eml-[0-9]\\.[0-9]\\.[0-9]+ eml://ecoinformatics.org/%s
# onedcx (DataONE Dublin Core Extended v1.0) # onedcx (DataONE Dublin Core Extended v1.0)
>&0 regex (onedcx/v)[0-9].[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0 >&0 regex/1024 onedcx/v[0-9]\\.[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0
# FGDC-STD-001-1998 (Content Standard for Digital Geospatial Metadata, # FGDC-STD-001-1998 (Content Standard for Digital Geospatial Metadata,
# version 001-1998) # version 001-1998)
>&0 regex fgdc FGDC-STD-001-1998 >&0 search/1024 fgdc FGDC-STD-001-1998
# Mercury (Oak Ridge National Lab Mercury Metadata version 1.0) # Mercury (Oak Ridge National Lab Mercury Metadata version 1.0)
>&0 regex (mercury/terms/v)[0-9].[0-9] https://purl.org/ornl/schema/mercury/terms/v1.0 >&0 regex/1024 mercury/terms/v[0-9]\\.[0-9] https://purl.org/ornl/schema/mercury/terms/v1.0
# ISOTC211 (Geographic MetaData (GMD) Extensible Markup Language) # ISOTC211 (Geographic MetaData (GMD) Extensible Markup Language)
>&0 regex isotc211 >&0 search/1024 isotc211
>>&0 regex eng;USA https://www.isotc211.org/2005/gmd >>&0 search/1024 eng;USA https://www.isotc211.org/2005/gmd
# ISOTC211 (NOAA Variant Geographic MetaData (GMD) Extensible Markup Language) # ISOTC211 (NOAA Variant Geographic MetaData (GMD) Extensible Markup Language)
>>&0 regex gov.noaa.nodc:[0-9]+ https://www.isotc211.org/2005/gmd-noaa >>&0 regex/1024 gov\\.noaa\\.nodc:[0-9]+ https://www.isotc211.org/2005/gmd-noaa
# ISOTC211 PANGAEA Variant Geographic MetaData (GMD) Extensible Markup Language # ISOTC211 PANGAEA Variant Geographic MetaData (GMD) Extensible Markup Language
>>&0 regex pangaea.dataset[0-9][0-9][0-9][0-9][0-9][0-9]+ https://www.isotc211.org/2005/gmd-pangaea >>&0 regex/1024 pangaea\\.dataset[0-9][0-9][0-9][0-9][0-9][0-9]+ https://www.isotc211.org/2005/gmd-pangaea
!:mime text/xml !:mime text/xml
# Object Reuse and Exchange Vocabulary # Object Reuse and Exchange Vocabulary
0 string <?xml 0 string \<?xml\ version=
>&0 regex rdf >&0 search/1024 rdf
>>&0 regex openarchives https://www.openarchives.org/ore/terms >>&0 search/1024 openarchives https://www.openarchives.org/ore/terms
!:mime application/rdf+xml !:mime application/rdf+xml
# Dryad Metadata Application Profile Version 3.1 # Dryad Metadata Application Profile Version 3.1
0 string <DryadData 0 string <DryadData
>&0 regex (dryad-bibo/v)[0-9].[0-9] https://datadryad.org/profile/v3.1 >&0 regex/1024 dryad-bibo/v[0-9]\\.[0-9] https://datadryad.org/profile/v3.1
!:mime text/xml !:mime text/xml

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: der,v 1.4 2021/03/14 17:12:04 christos Exp $ # $File: der,v 1.6 2023/01/11 23:59:49 christos Exp $
# der: file(1) magic for DER encoded files # der: file(1) magic for DER encoded files
# #
@ -110,9 +110,9 @@
>>>>&0 der seq >>>>&0 der seq
>>>>>&0 der obj_id9=2a864886f70d010901 >>>>>&0 der obj_id9=2a864886f70d010901
>>>>>&0 der ia5_str=x \b, emailAddress=%s >>>>>&0 der ia5_str=x \b, emailAddress=%s
>>&0 der seq #>>&0 der seq
>>>&0 der utc_time=x \b, utcTime=%s #>>>&0 der utc_time=x \b, utcTime=%s
>>>&0 der utc_time=x \b, utcTime=%s #>>>&0 der utc_time=x \b, utcTime=%s
>>&0 use certinfo >>&0 use certinfo
0 der seq 0 der seq
@ -129,11 +129,18 @@
>>>>&0 der seq >>>>&0 der seq
>>>>>&0 der obj_id3=550403 >>>>>&0 der obj_id3=550403
>>>>>&0 der utf8_str=x \b, Issuer=%s >>>>>&0 der utf8_str=x \b, Issuer=%s
>>&0 der seq #>>&0 der seq
>>>&0 der utc_time=x \b, not-valid-before=%s #>>>&0 der utc_time=x \b, not-valid-before=%s
>>>&0 der utc_time=x \b, not-valid-after=%s #>>>&0 der utc_time=x \b, not-valid-after=%s
>>&0 der seq >>&0 der seq
>>>&0 der set >>>&0 der set
>>>>&0 der seq >>>>&0 der seq
>>>>>&0 der obj_id3=550403 >>>>>&0 der obj_id3=550403
>>>>>&0 der utf8_str=x \b, Subject=%s >>>>>&0 der utf8_str=x \b, Subject=%s
# PKCS#7 Signed Data (e.g. JAR Signature Block File)
# OID 1.2.840.113549.1.7.2 (2a864886f70d010702)
# Reference: https://www.rfc-editor.org/rfc/rfc2315
0 der seq
>&0 der obj_id9=2a864886f70d010702 DER Encoded PKCS#7 Signed Data
!:ext RSA/DSA/EC

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: elf,v 1.87 2021/05/25 15:19:51 christos Exp $ # $File: elf,v 1.88 2023/01/08 17:09:18 christos Exp $
# elf: file(1) magic for ELF executables # elf: file(1) magic for ELF executables
# #
# We have to check the byte order flag to see what byte order all the # We have to check the byte order flag to see what byte order all the
@ -8,6 +8,8 @@
# #
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
# #
# https://www.sco.com/developers/gabi/latest/ch4.eheader.html
#
# Created by: unknown # Created by: unknown
# Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com>
# Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) # Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support)
@ -282,6 +284,12 @@
>18 leshort 216 Cognitive Smart Memory, >18 leshort 216 Cognitive Smart Memory,
>18 leshort 217 iCelero CoolEngine, >18 leshort 217 iCelero CoolEngine,
>18 leshort 218 Nanoradio Optimized RISC, >18 leshort 218 Nanoradio Optimized RISC,
>18 leshort 219 CSR Kalimba architecture family
>18 leshort 220 Zilog Z80
>18 leshort 221 Controls and Data Services VISIUMcore processor
>18 leshort 222 FTDI Chip FT32 high performance 32-bit RISC architecture
>18 leshort 223 Moxie processor family
>18 leshort 224 AMD GPU architecture
>18 leshort 243 UCB RISC-V, >18 leshort 243 UCB RISC-V,
# only for 32-bit # only for 32-bit
>>4 byte 1 >>4 byte 1

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: filesystems,v 1.145 2021/09/07 18:57:50 christos Exp $ # $File: filesystems,v 1.158 2023/05/21 17:19:08 christos Exp $
# filesystems: file(1) magic for different filesystems # filesystems: file(1) magic for different filesystems
# #
0 name partid 0 name partid
@ -1596,7 +1596,8 @@
>0x1e lequad x %lld total clusters, >0x1e lequad x %lld total clusters,
>0x26 lequad x %lld clusters in use >0x26 lequad x %lld clusters in use
9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian),
0 name ffsv1
>8404 string x last mounted on %s, >8404 string x last mounted on %s,
#>9504 ledate x last checked at %s, #>9504 ledate x last checked at %s,
>8224 ledate x last written at %s, >8224 ledate x last written at %s,
@ -1612,105 +1613,59 @@
>8320 lelong 0 TIME optimization >8320 lelong 0 TIME optimization
>8320 lelong 1 SPACE optimization >8320 lelong 1 SPACE optimization
42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian),
>&-1164 string x last mounted on %s, >0 use ffsv1
>&-696 string >\0 volume name %s,
>&-304 leqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 lequad x number of blocks %lld,
>&-288 lequad x number of data blocks %lld,
>&-1332 lelong x number of cylinder groups %d,
>&-1328 lelong x block size %d,
>&-1324 lelong x fragment size %d,
>&-180 lelong x average file size %d,
>&-176 lelong x average number of files in dir %d,
>&-272 lequad x pending blocks to free %lld,
>&-264 lelong x pending inodes to free %d,
>&-664 lequad x system-wide uuid %0llx,
>&-1316 lelong x minimum percentage of free blocks %d,
>&-1248 lelong 0 TIME optimization
>&-1248 lelong 1 SPACE optimization
66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian)
>&-1164 string x last mounted on %s,
>&-696 string >\0 volume name %s,
>&-304 leqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 lequad x number of blocks %lld,
>&-288 lequad x number of data blocks %lld,
>&-1332 lelong x number of cylinder groups %d,
>&-1328 lelong x block size %d,
>&-1324 lelong x fragment size %d,
>&-180 lelong x average file size %d,
>&-176 lelong x average number of files in dir %d,
>&-272 lequad x pending blocks to free %lld,
>&-264 lelong x pending inodes to free %d,
>&-664 lequad x system-wide uuid %0llx,
>&-1316 lelong x minimum percentage of free blocks %d,
>&-1248 lelong 0 TIME optimization
>&-1248 lelong 1 SPACE optimization
9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian),
>7168 belong 0x4c41424c Apple UFS Volume >7168 belong 0x4c41424c Apple UFS Volume
>>7186 string x named %s, >>7186 string x named %s,
>>7176 belong x volume label version %d, >>7176 belong x volume label version %d,
>>7180 bedate x created on %s, >>7180 bedate x created on %s,
>8404 string x last mounted on %s, >0 use \^ffsv1
#>9504 bedate x last checked at %s,
>8224 bedate x last written at %s, 0 name ffsv2
>8401 byte x clean flag %d, >212 string x last mounted on %s,
>8228 belong x number of blocks %d, >680 string >\0 volume name %s,
>8232 belong x number of data blocks %d, >1072 leqldate x last written at %s,
>8236 belong x number of cylinder groups %d, >209 byte x clean flag %d,
>8240 belong x block size %d, >210 byte x readonly flag %d,
>8244 belong x fragment size %d, >1080 lequad x number of blocks %lld,
>8252 belong x minimum percentage of free blocks %d, >1088 lequad x number of data blocks %lld,
>8256 belong x rotational delay %dms, >44 lelong x number of cylinder groups %d,
>8260 belong x disk rotational speed %drps, >48 lelong x block size %d,
>8320 belong 0 TIME optimization >52 lelong x fragment size %d,
>8320 belong 1 SPACE optimization >1196 lelong x average file size %d,
>1200 lelong x average number of files in dir %d,
>1104 lequad x pending blocks to free %lld,
>1112 lelong x pending inodes to free %d,
>712 lequad x system-wide uuid %0llx,
>60 lelong x minimum percentage of free blocks %d,
>128 lelong 0 TIME optimization
>128 lelong 1 SPACE optimization
42332 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian)
>40960 use ffsv2
42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian)
>40960 use ffsv2
42332 belong 0x19012038 Unix Fast File system [v2ea] (little-endian)
>40960 use \^ffsv2
42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian)
>&-1164 string x last mounted on %s, >40960 use \^ffsv2
>&-696 string >\0 volume name %s,
>&-304 beqldate x last written at %s, 66908 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian)
>&-1167 byte x clean flag %d, >65536 use ffsv2
>&-1168 byte x readonly flag %d,
>&-296 bequad x number of blocks %lld, 66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian)
>&-288 bequad x number of data blocks %lld, >65536 use ffsv2
>&-1332 belong x number of cylinder groups %d,
>&-1328 belong x block size %d, 66908 belong 0x19012038 Unix Fast File system [v2ea] (little-endian)
>&-1324 belong x fragment size %d, >65536 use \^ffsv2
>&-180 belong x average file size %d,
>&-176 belong x average number of files in dir %d,
>&-272 bequad x pending blocks to free %lld,
>&-264 belong x pending inodes to free %d,
>&-664 bequad x system-wide uuid %0llx,
>&-1316 belong x minimum percentage of free blocks %d,
>&-1248 belong 0 TIME optimization
>&-1248 belong 1 SPACE optimization
66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian)
>&-1164 string x last mounted on %s, >65536 use \^ffsv2
>&-696 string >\0 volume name %s,
>&-304 beqldate x last written at %s,
>&-1167 byte x clean flag %d,
>&-1168 byte x readonly flag %d,
>&-296 bequad x number of blocks %lld,
>&-288 bequad x number of data blocks %lld,
>&-1332 belong x number of cylinder groups %d,
>&-1328 belong x block size %d,
>&-1324 belong x fragment size %d,
>&-180 belong x average file size %d,
>&-176 belong x average number of files in dir %d,
>&-272 bequad x pending blocks to free %lld,
>&-264 belong x pending inodes to free %d,
>&-664 bequad x system-wide uuid %0llx,
>&-1316 belong x minimum percentage of free blocks %d,
>&-1248 belong 0 TIME optimization
>&-1248 belong 1 SPACE optimization
0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), 0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian),
>0x90 lelong+1 x volume %d >0x90 lelong+1 x volume %d
@ -2317,6 +2272,8 @@
>0x10070 lequad x \b%lld bytes used, >0x10070 lequad x \b%lld bytes used,
>0x10088 lequad x %lld devices >0x10088 lequad x %lld devices
0 string btrfs-stream BTRFS stream file
# dvdisaster's .ecc # dvdisaster's .ecc
# From: "Nelson A. de Oliveira" <naoliv@gmail.com> # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
0 string *dvdisaster* dvdisaster error correction file 0 string *dvdisaster* dvdisaster error correction file
@ -2399,12 +2356,167 @@
0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) 0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk)
0 beshort 0xAA58 floppy image data (IBM SaveDskF, old) # URL: http://fileformats.archiveteam.org/wiki/LoadDskF/SaveDskF
0 beshort 0xAA59 floppy image data (IBM SaveDskF) # Update: Joerg Jenderek
0 beshort 0xAA5A floppy image data (IBM SaveDskF, compressed) # Note: called "IBM SKF disk image" by TrID
# verfied by 7-Zip `7z l -tFAT -slt *.dsk` and
# `deark -l -m loaddskf 06200D19.DSK`
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf-old.trid.xml
0 beshort 0xAA58
>0 use SaveDskF
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf.trid.xml
0 beshort 0xAA59
>0 use SaveDskF
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dsk-skf-comp.trid.xml
0 beshort 0xAA5A
# skip foo by additional check for unused upper byte of media type in SaveDskF header
#>3 ubyte =0
# skip bar by additional check for valid "low" number of heads in SaveDskF header
#>>26 uleshort <3
# skip foo by additional check for unused double word field in SaveDskF header
#>>>30 long =0
#>>>>0 use SaveDskF
>0 use SaveDskF
# display information about IBM SaveDskF floppy disk images
0 name SaveDskF
# SaveDskF magic
>0 beshort x floppy image data (IBM SaveDskF
#!:mime application/octet-stream
!:mime application/x-ibm-dsk
!:ext dsk
# also suffix with digit (1dk .2dk ...); NO example FOUND!
#!:ext dsk/1dk/2dk
>1 ubyte =0x58 \b, old)
>1 ubyte =0x59 \b)
>1 ubyte =0x5A \b, compressed)
# media type; the first byte of the FAT like: 0xF0 (usual floppy) 0xF9 0xFE
# https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system
>2 ubyte !0xF0 \b, Media descriptor %#x
# upper byte of media type is not used; so this seems to be nil
>3 ubyte !0 \b, upper byte of media type %#x
# sector size in bytes as in the BIOS parameter block like: 512 ; SAVEDSKF.EXE with other sizes produce garbage images
>4 uleshort !512 \b, Bytes/sector %u
# cluster mask; number of sectors per cluster, minus 1
>6 uleshort+1 >1 \b, sectors/cluster %u
#>6 uleshort+1 x \b, sectors/cluster %u
# cluster shift; log2(cluster size / sector size) like: 0~1=ClusterSize/SectorSize
>7 ubyte >0 \b, cluster shift %u
#>7 ubyte x \b, cluster shift %u
# reserved sectors; as in the BIOS parameter block like: 1 256 (2M256R-K.DSK)
>8 uleshort >1 \b, reserved sectors %u
#>8 uleshort x \b, reserved sectors %u
# FAT copies; as in the BIOS parameter block like: 2 (usual) 1 (2-NK.DSK)
>10 ubyte !2 \b, FAT
# plural s
>>10 ubyte >1 \bs
>>10 ubyte x %u
# root directory entries; as in the BIOS parameter block like: 224 (usual) 64 (H1-NK.DSK) 4096 (2-NK.DSK)
>11 uleshort !224 \b, root entries %u
# sector number of first cluster (count sectors used by boot sector, FATs and root directory) like: 7 10 29 33 288
>13 uleshort !33 \b, 1st cluster at sector %u
# number of clusters in image; empty clusters at the end are not saved and counted like: 2372 2848
>15 uleshort x \b, %u clusters
# sectors/FAT; as in the BIOS parameter block like: 1 (H1-NK.DSK) 7 9
>17 ubyte !9 \b, sectors/FAT %u
# sector number of root directory (ie, count of sectors used by boot sector and FATs) like: 3 (H1-NK.DSK) 9 10 15 19 274 (2M256R-K.DSK)
>18 uleshort !19 \b, root directory at sector %u
# checksum; sum of all bytes in the file
>20 ulelong x \b, checksum %#8.8x
# cylinders; number of cylinders like: 40 80
>24 uleshort !80 \b, %u cylinders
#>24 uleshort x \b, %u cylinders
# heads; number of heads as in the BIOS parameter block like: 1 (H1-NK.DSK) 2
>26 uleshort !2 \b, heads %u
#>26 uleshort x \b, heads %u
# sectors/track; number of sectors per track as in the BIOS parameter block like: 8 15 18 36
>28 uleshort !18 \b, sectors/track %u
#>28 uleshort x \b, sectors/track %u
# unused double word field seems to be always like: 0
>30 ulelong !0 \b, at 0x1E %#x
# number of sectors in images like: 1017 2786 2880
>34 uleshort x \b, sectors %u
# if string is "printable" it can be a real comment
>(36.s) ubyte !0x00
# if 1st sector is far enough away (> 0x29) then there is space for comment part
>>38 uleshort >41
# offset to comment string like: 28h=40
>>>36 uleshort x \b, at %#x
# comment string terminated with \r\n\0
>>>(36.s) string x "%s"
# offset to the first sector like: 0 (If this is 0, assume it is 0x200) 29h=41 (DISPLAY3.DSK) 31h 43h 45h 46h 48h 50h 200h=512
>38 uleshort !0 \b, 1st sector at %#x
# FOR DEBUGGING!
#>(38.s) ubelong x SECTOR CONTENT %x
# not compressed floppy image implies readable DOS boot sector inside image
>>1 ubyte !0x5A
# when not compressed it is readable as DOS boot sector via ./filesystems
#>>>(38.s) indirect x \b; contains
>38 uleshort =0 \b, 1st sector at 0x200 (0)
# maybe standard DOS boot sector; NO example FOUND HERE!
#>>0x200 indirect x \b; contains
0 string \074CPM_Disk\076 disk image data (YAZE) 0 string \074CPM_Disk\076 disk image data (YAZE)
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Central_Point_Software#cite_note-6
# Reference: https://www.robcraig.com/download/transcopy-5-x-file-format
# https://www.robcraig.com/download/transcopy-file-format-by-gene-thompson
# http://mark0.net/download/triddefs_xml.7z/defs/t/tc-transcopy.trid.xml
# TransCopy signature
0 beshort 0x5AA5
# skip Intel serial flash ROM with invalid 0 disk sides handled by ./intel
>0x103 ubyte !0
# skip Intel serial flash ROM with unlikely "high" start cylinder 100 handled by ./intel
#>>0x101 ubyte <100 VALID_START_CYLINDER
# skip Intel serial flash ROM with unlikely description handled by ./intel
#>>>2 beshort !0xF00f VALID_DESCRIPTION
# skip Intel serial flash ROM with invalid disk types 89h 88h handled by ./intel
#>>>>0x100 byte !0x89 VALID_DISK_TYPE
>>0 use tc-floppy
# display information of Central Point Software (CPS) Option Board TransCopy floppy image
0 name tc-floppy
>0 beshort x TransCopy disk image
#!:mime application/octet-stream
!:mime application/x-floppy-image-tc
# like: disk04.tc VOCALC2.TC WIZ5_A.tc WIZ2_720.IMG
!:ext tc/img
# 1st description (optional 0-terminated maximal 32) like:
# "Project Workbench 2.20" "Visi On Calc" "Wizardry V Disk 1 of 3"
>2 string >\0 %.32s
# 2nd desc. (optional 0-terminated maximal 32) like:
# "(1988)." "Advanced - Utility" 'Program Disk 2"
>0x22 string >\0 "%.32s"
# Looks like ascii (like MESSAGES) formatted with attribute bytes (190)?
# not needed for disk copy
#>>0x42 string x '%.190s'
#>>0x88 lestring16 x "%.8s"
# disktype: 2~MFM High Density 3~MFM Double Density 4~Apple II GCR 5~FM Single Density
# 6~Commodore GCR 7~MFM Double Density 8~Commodore Amiga Ch~Atari FM FFh~Unknown
>0x100 ubyte !0xFF \b, disk type %u
# StartingCylinder like: 0
>0x101 ubyte x \b, cylinder
>0x101 ubyte !0 start=%u
# EndingCylinder like: 40 (often) 41 79
>0x102 ubyte x end=%u
# NumberOfSides like: 2
>0x103 ubyte !2 \b, %u sides
# TrackIncrement like: 1
>0x104 ubyte !1 \b, track increment %u
# TrackPosTbl Track skew
#>0x105 ubequad x \b, Track skew %#16.16llx
# TrackOffsTbl
#>0x305 ubequad x \b, TrackOffsTbl %#16.16llx
# TrackLngthTbl
#>0x505 ubequad x \b, TrackLngthTbl %#16.16llx
# TrackTypeTable
#>0x705 ubequad x \b, TrackTypeTable %#16.16llx
# Address mark timing
#>0x905 ubequad x \b, Address mark timing %#16.16llx
# Track fragment
#>0x2905 ubequad !0 \b, Track fragment %#16.16llx
# Track data
#>0x4000 ubequad !0 \b, Track data %#16.16llx
# ReFS # ReFS
# Richard W.M. Jones <rjones@redhat.com> # Richard W.M. Jones <rjones@redhat.com>
0 string \0\0\0ReFS\0 ReFS filesystem image 0 string \0\0\0ReFS\0 ReFS filesystem image
@ -2491,16 +2603,92 @@
>10 ubelong x \b-%08x >10 ubelong x \b-%08x
>14 ubeshort x \b%04x >14 ubeshort x \b%04x
0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 bcachefs 0 name bcachefs bcachefs
>0x1068 lequad 8 \b, UUID= >0x68 lequad 8 \b, UUID=
>>0x1038 use bcachefs-uuid >>0x38 use bcachefs-uuid
>>0x1048 string >0 \b, label "%.32s" >>0x48 string >0 \b, label "%.32s"
>>0x1010 uleshort x \b, version %u >>0x10 uleshort x \b, version %u
>>0x1012 uleshort x \b, min version %u >>0x12 uleshort x \b, min version %u
>>0x107a byte x \b, device %d >>0x7a byte x \b, device %d
# assumes the first field is the members field # assumes the first field is the members field
>>0x12f4 ulelong 0x01 \b/UUID= >>0x2f4 ulelong 0x01 \b/UUID=
>>>0x12f0 default x >>>0x2f0 default x
>>>&(0x107a.b*56) use bcachefs-uuid >>>&(0x07a.b*56) use bcachefs-uuid
>>0x107b byte x \b, %d devices >>0x07b byte x \b, %d devices
>>0x1090 byte ^0x02 \b (unclean) >>0x090 byte ^0x02 \b (unclean)
0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81
>0x1000 use bcachefs
0x1018 string \xc6\x85\x73\xf6\x66\xce\x90\xa9\xd9\x6a\x60\xcf\x80\x3d\xf7\xef
>0x1000 use bcachefs
# EROFS
# https://kernel.googlesource.com/pub/scm/linux/kernel/git/xiang/erofs-utils/\
# +/refs/heads/experimental/include/erofs_fs.h#12
1024 lelong 0xE0F5E1E2 EROFS filesystem
#>1028 lelong x \b, checksum=%#x
>1032 lelong >0 \b, compat:
>>1032 lelong &1 SB_CHKSUM
>>1032 lelong &2 MTIME
>1036 byte x \b, blocksize=%u
>1037 byte x \b, exslots=%u
#>1038 leshort x \b, root_nid=%d
#>1040 lequad x \b, inodes=%ld
#>1048 leldate x \b, build_time=%s
#>1056 lelong x \b.%d
#>1060 lelong x \b, blocks=%d
#>1064 lelong x \b, metadata@%#x
#>1068 lelong x \b, xattr@%#x
>1072 guid x \b, uuid=%s
>1088 string >0 \b, name=%s
>1104 lelong >0 \b, incompat:
>>1104 lelong &1 LZ4_0PADDING
>>1104 lelong &2 BIG_PCLUSTER
>>1104 lelong &4 CHUNKED_FILE
>>1104 lelong &8 DEVICE_TABLE
>>1104 lelong &16 ZTAILPACKING
# YAFFS
# The layout itself is undocumented, determined by the memory layout of the
# reference implementation. This signature is derived from the
# reference implementation code and generated test cases
# We recognize the start of an object header defined by yaffs_obj_hdr:
# (Note the values being encoded depending on platform endianess)
# u32 type /* enum yaffs_obj_type, valid 1-5 */
# u32 parent_obj_id; /* 1 for root objects we recognize */
# u16 sum_no_longer_used; /* checksum of name. Not used by YAFFS and memset to 0xFF */
# YCHAR name[YAFFS_MAX_NAME_LENGTH + 1];
# mkyaffsimage always writes a root directory with empty name, then processing the target directory contents
# mkyaffs2image directly proceeds to writing entries with the appropriate u32 YAFFS_OBJECT_TYPE (1-5 valid), each with parent id 1
0 name yaffs
>0 ulelong 1 \b, type file
>0 ulelong 2 \b, type symlink
>0 ulelong 3 \b, type root or directory
>0 ulelong 4 \b, type hardlink
>0 ulelong 5 \b, type special
>0xA byte 0 \b, v1 root directory
>0xA byte !0 \b, object entry
>>0xA string x (name: "%s")
# Little Endian: XX 00 00 00 01 00 00 00 FF FF YY
# XX: 01 - 05 (object type)
# YY: 00 for version 1 root directory, > 00 for version 2 (name data)
0x1 string \x00\x00\x00\x01\x00\x00\x00\xFF\xFF
>0 ulelong 0
>0 ulelong >5
>0 default x YAFFS filesystem root entry (little endian)
>>0 use yaffs
# Big Endian: 00 00 00 XX 00 00 00 01 FF FF YY
# XX: 01 - 05 (object type)
# YY: 00 for version 1 root directory, > 00 for version 2 (name data)
0x4 string \x00\x00\x00\x01\xFF\xFF
>0 string \x00\x00\x00
>>0 ubelong 0
>>0 ubelong >5
>>0 default x YAFFS filesystem root entry (big endian)
>>>0 use \^yaffs

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: fonts,v 1.46 2021/04/26 15:56:00 christos Exp $ # $File: fonts,v 1.51 2022/08/16 11:16:39 christos Exp $
# fonts: file(1) magic for font data # fonts: file(1) magic for font data
# #
0 search/1 FONT ASCII vfont text 0 search/1 FONT ASCII vfont text
@ -8,13 +8,56 @@
0 short 017001 byte-swapped Berkeley vfont data 0 short 017001 byte-swapped Berkeley vfont data
# PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com # PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com
# Modified by: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/PostScript_fonts
# http://fileformats.archiveteam.org/wiki/Adobe_Type_1
# Reference: http://mark0.net/download/triddefs_xml.7z
# defs/p/pfb.trid.xml
# Note: PFB stands for Printer Font Binary
0 string %!PS-AdobeFont-1. PostScript Type 1 font text 0 string %!PS-AdobeFont-1. PostScript Type 1 font text
#!:mime font/x-postscript-pfb
#!:ext pfb
>20 string >\0 (%s) >20 string >\0 (%s)
6 string %!PS-AdobeFont-1. PostScript Type 1 font program data # http://www.nationalarchives.gov.uk/pronom/fmt/525
>26 string >\0 (%s) 6 string %!PS-AdobeFont-1.
# skip DROID fmt-525-signature-id-816.pfb by checking for content after header
>24 ubyte x PostScript Type 1 font program data
#!:mime application/octet-stream
!:mime font/x-postscript-pfb
!:ext pfb
# often followed by colon (3Ah) and space (20h) and font name like: DarkGardenMK LetterGothic
>>24 ubyte =0x3A
>>>26 string >\0 (%s)
# some times instead of colon %%CreationDate: and "font name" later
>>24 ubyte !0x3A
# font name directive followed by def like: c0633bt_.pfb
>>>25 search/1247 /FontName\040/
# show font name in parentheses like: Frankfurt Lithos CharterBT-BoldItalic Courier10PitchBT-Bold
>>>>&0 regex [A-Za-z0-9-]+ (%s)
# http://cd.textfiles.com/maxfonts/ATM/M/MIRROR__.PFB
6 string %PS-AdobeFont-1. PostScript Type 1 font program data
!:mime font/x-postscript-pfb
!:ext pfb
# font name like: Times-Mirror
>25 string >\0 (%s)
0 string %!FontType1 PostScript Type 1 font program data 0 string %!FontType1 PostScript Type 1 font program data
#!:mime font/x-postscript-pfb
#!:ext pfb
6 string %!FontType1 PostScript Type 1 font program data 6 string %!FontType1 PostScript Type 1 font program data
#!:mime application/octet-stream
!:mime font/x-postscript-pfb
!:ext pfb
# font name like: CaslonOpenFace FetteFraktur Kaufmann Linotext MesozoicGothic Old-Town
>23 string >\0 (%s)
# http://cd.textfiles.com/maxfonts/ATM/P/PLAYBI.PFB
230 string %!FontType1 PostScript Type 1 font program data
!:mime font/x-postscript-pfb
!:ext pfb
# font name like: Playbill
>247 string >\0 (%s)
0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text 0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text
#!:mime font/x-postscript-pfb
#!:ext pfb
# Summary: PostScript Type 1 Printer Font Metrics # Summary: PostScript Type 1 Printer Font Metrics
# URL: https://en.wikipedia.org/wiki/PostScript_fonts # URL: https://en.wikipedia.org/wiki/PostScript_fonts
@ -67,15 +110,23 @@
>>>90 ubyte 65 script proportional >>>90 ubyte 65 script proportional
# X11 font files in SNF (Server Natural Format) format # X11 font files in SNF (Server Natural Format) format
# updated by Joerg Jenderek at Feb 2013 # updated by Joerg Jenderek at Feb 2013 and Nov 2021
# http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm # http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm
0 belong 00000004 X11 SNF font data, MSB first # URL: http://fileformats.archiveteam.org/wiki/SNF
#>104 belong 00000004 X11 SNF font data, MSB first # Reference: https://cgit.freedesktop.org/xorg/lib/libXfont/tree/src/bitmap/snfstr.h
0 belong 00000004
# version2 same as version1 in struct _snfFontInfo
>104 belong 00000004 X11 SNF font data, MSB first
# GRR: line above is too general as it catches also DEGAS low-res bitmap like:
# http://cd.textfiles.com/geminiatari/FILES/GRAPHICS/ANIMAT/SPID_PAT/BIGSPID.PI1
!:mime application/x-font-sfn !:mime application/x-font-sfn
# GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX !:ext snf
# GRR: line below is too general as it catches also Xbase index file t3-CHAR.NDX
0 lelong 00000004 0 lelong 00000004
>104 lelong 00000004 X11 SNF font data, LSB first >104 lelong 00000004 X11 SNF font data, LSB first
!:mime application/x-font-sfn !:mime application/x-font-sfn
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/snf-x11-lsb.trid.xml
!:ext snf
# X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com)
0 search/1 STARTFONT\ X11 BDF font text 0 search/1 STARTFONT\ X11 BDF font text
@ -384,11 +435,14 @@
# https://www.w3.org/TR/WOFF/ # https://www.w3.org/TR/WOFF/
0 string wOFF Web Open Font Format 0 string wOFF Web Open Font Format
!:mime font/woff
>0 use woff >0 use woff
>20 beshort x \b, version %d >20 beshort x \b, version %d
>22 beshort x \b.%d >22 beshort x \b.%d
# https://www.w3.org/TR/WOFF2/ # https://www.w3.org/TR/WOFF2/
0 string wOF2 Web Open Font Format (Version 2) 0 string wOF2 Web Open Font Format (Version 2)
!:mime font/woff2
!:ext woff2
>0 use woff >0 use woff
#>20 belong x \b, totalCompressedSize %d #>20 belong x \b, totalCompressedSize %d
>24 beshort x \b, version %d >24 beshort x \b, version %d

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $ # $File: freebsd,v 1.9 2022/01/19 12:44:13 christos Exp $
# freebsd: file(1) magic for FreeBSD objects # freebsd: file(1) magic for FreeBSD objects
# #
# All new-style FreeBSD magic numbers are in host byte order (i.e., # All new-style FreeBSD magic numbers are in host byte order (i.e.,
@ -142,3 +142,23 @@
>9 byte 2 %d bytes in header, >9 byte 2 %d bytes in header,
>>10 byte x %d chars wide by >>10 byte x %d chars wide by
>>11 byte x %d chars high >>11 byte x %d chars high
#
# FreeBSD kernel minidumps
#
0 string minidump\040FreeBSD/ FreeBSD kernel minidump
# powerpc uses 32-byte magic, followed by 32-byte mmu kind, then version
>17 string powerpc
>>17 string >\0 for %s,
>>>32 string >\0 %s,
>>>>64 byte 0 big endian,
>>>>>64 belong x version %d
>>>>64 default x little endian,
>>>>>64 lelong x version %d
# all other architectures use 24-byte magic, followed by version
>17 default x
>>17 string >\0 for %s,
>>>24 byte 0 big endian,
>>>>24 belong x version %d
>>>24 default x little endian,
>>>>24 lelong x version %d

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: games,v 1.24 2021/04/26 15:56:00 christos Exp $ # $File: games,v 1.31 2023/03/29 22:57:27 christos Exp $
# games: file(1) for games # games: file(1) for games
# Fabio Bonelli <fabiobonelli@libero.it> # Fabio Bonelli <fabiobonelli@libero.it>
@ -184,6 +184,15 @@
0 string MComprHD MAME CHD compressed hard disk image, 0 string MComprHD MAME CHD compressed hard disk image,
>12 belong x version %u >12 belong x version %u
# MAME input recordings
0 string MAMEINP\0 MAME input recording
>8 leqdate x at %s,
>16 leshort x format version %d.
>18 leshort x \b%d,
>20 string x %s driver,
>32 string x %s
# doom - submitted by Jon Dowland # doom - submitted by Jon Dowland
0 string =IWAD doom main IWAD data 0 string =IWAD doom main IWAD data
@ -293,12 +302,92 @@
>2 regex/c GM\\[21\\] - twix Game >2 regex/c GM\\[21\\] - twix Game
# Epic Games/Unreal Engine Package # Epic Games/Unreal Engine Package
# # URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html
0 lelong 0x9E2A83C1 Unreal Engine Package, # https://eliotvu.com/page/unreal-package-file-format
>4 leshort x version: %i # Little-endian version (such as x86 PC)
>12 lelong !0 \b, names: %i 0 lelong 0x9E2A83C1 Unreal Engine package (little-endian)
>28 lelong !0 \b, imports: %i !:ext xxx/tfc/upk/me1/u
>20 lelong !0 \b, exports: %i >4 uleshort !0 \b, version %u
>>6 uleshort !0 \b/%03u
>>0 use upk_header
# Big-endian version (such as PS3)
0 belong 0x9E2A83C1 Unreal Engine package (big-endian)
!:ext xxx/tfc
>6 ubeshort !0 \b, version %u
>>4 ubeshort !0 \b/%03u
>>0 use \^upk_header
0 name upk_header
# Identify game from version and licensee
>4 ulelong 0x000002b2 (Alice Madness Returns)
>4 ulelong 0x002f0313 (Aliens: Colonial Marines)
>4 ulelong 0x005b021b (Alpha Protocol)
>4 ulelong 0x0000032c (AntiChamber)
>4 ulelong 0x00200223 (APB: All Points Bulletin)
>4 ulelong 0x004b02d7 (Bioshock Infinite)
>4 ulelong 0x00380340 (Borderlands 2)
>4 ulelong 0x001d02e6 (Bulletstorm)
>4 ulelong 0x00050240 (CrimeCraft)
>4 ulelong 0x00000356 (Deadlight)
>4 ulelong 0x001e0321 (Dishonored)
>4 ulelong 0x000202a6 (Dungeon Defenders)
>4 ulelong 0x000901ea (Gears of War)
>4 ulelong 0x0000023f (Gears of War 2)
>4 ulelong 0x0000033c (Gears of War 3)
>4 ulelong 0x0000034e (Gears of War: Judgement)
>4 ulelong 0x0004035c (Hawken)
>4 ulelong 0x0001034a (Infinity Blade 2)
>4 ulelong 0x00000350 (InMomentum)
>4 ulelong 0x0015037D (Life Is Strange)
>4 ulelong 0x000b01a5 (Medal of Honor: Airborne)
>4 ulelong 0x002b0218 (Mirrors Edge)
>4 ulelong 0x0000027e (Monday Night Combat)
>4 ulelong 0x0000024b (MoonBase Alpha)
>4 ulelong 0x002e01d8 (Mortal Kombat Komplete Edition 2605)
>4 ulelong 0x0000035c (Painkiller HD)
>4 ulelong 0x0000034d (Q.U.B.E)
>4 ulelong 0x80660340 (Quantum Conundrum)
>4 ulelong 0x0000035b (Ravaged)
>4 ulelong 0x00150340 (Remember Me)
>4 ulelong 0x00060171 (Roboblitz)
>4 ulelong 0x00000325 (Rock of Ages)
>4 ulelong 0x0000032a (Sanctum)
>4 ulelong 0x00030248 (Saw)
>4 ulelong 0x007e0248 (Singularity)
>4 ulelong 0x00090388 (Soldier Front 2)
>4 ulelong 0x000701e6 (Stargate Worlds)
>4 ulelong 0x00000334 (Super Monday Night Combat)
>4 ulelong 0x000002c2 (The Ball)
>4 ulelong 0x000e0262 (The Exiled Realm of Arborea or TERA)
>4 ulelong 0x0000035b (The Five Cores)
>4 ulelong 0x00000349 (The Haunted: Hells Reach)
>4 ulelong 0x00000354 (Unmechanical)
>4 ulelong 0x035c0298 (Unreal Development Kit)
>4 ulelong 0x00000200 (Unreal Tournament 3)
>4 ulelong 0x0000032d (Waves)
>4 ulelong 0x003b034d (XCOM: Enemy Unknown)
# Newer versions insert more headers
>4 ulelong&0xFFFF <249
>>12 lelong !0 \b, names: %d
>>28 lelong !0 \b, imports: %d
>>20 lelong !0 \b, exports: %d
>4 ulelong&0xFFFF >248
>>12 belong&0xFF !0
>>>12 string x \b, folder "%s"
>>>>&5 lelong !0 \b, names: %d
>>>>&21 lelong !0 \b, imports: %d
>>>>&13 lelong !0 \b, exports: %d
>>12 belong&0xFF 0
>>>16 belong&0xFF !0
>>>>16 string x \b, folder "%s"
>>>>>&5 lelong !0 \b, names: %d
>>>>>&21 lelong !0 \b, imports: %d
>>>>>&13 lelong !0 \b, exports: %d
>>>16 belong&0xFF 0
>>>>20 string x \b, folder "%s"
>>>>>&5 lelong !0 \b, names: %d
>>>>>&21 lelong !0 \b, imports: %d
>>>>>&13 lelong !0 \b, exports: %d
0 string ESVG 0 string ESVG
>4 lelong 0x00160000 >4 lelong 0x00160000
@ -496,25 +585,112 @@
>4 ulelong x version %d, used in GTA IV, >4 ulelong x version %d, used in GTA IV,
>>8 ulelong x %d items >>8 ulelong x %d items
0 uleshort 0x5250 RAGE Package Format (RPF), # RPF[0-8]
>2 uleshort 0x4630 version 0, used in Rockstar Table Tennis, 0 ulelong&0xfffffff0 =0x52504630
>>4 ulelong x %d bytes, >0 ulelong&0xf <9 RAGE Package Format (RPF), version %d, used in
>>>8 ulelong x %d entries >>0 ulelong&0xf =0 Rockstar Table Tennis,
>2 uleshort 0x4632 version 2, used in GTA IV, >>0 ulelong&0xf =1 *unknown*
>>4 ulelong x %d bytes, >>0 ulelong&0xf =2 GTA IV,
>>>8 ulelong x %d entries >>0 ulelong&0xf =3 GTA IV Audio & Midnight Club: LA,
>2 uleshort 0x4633 version 3, used in GTA IV Audio & Midnight Club: LA, >>0 ulelong&0xf =4 Max Payne 3,
>>4 ulelong x %d bytes, >>0 ulelong&0xf =5 *unknown*
>>>8 ulelong x %d entries >>0 ulelong&0xf =6 RDR,
>2 uleshort 0x4634 version 4, used in Max Payne 3, >>0 ulelong&0xf =7 GTA V,
>>4 ulelong x %d bytes, >>0 ulelong&0xf =8 RDR 2,
>>>8 ulelong x %d entries
>2 uleshort 0x4636 version 6, used in RDR,
>>4 ulelong x %d bytes,
>>>8 ulelong x %d entries
>2 uleshort 0x4637 version 7, used in GTA V,
>>4 ulelong x %d bytes,
>>>8 ulelong x %d entries
>2 uleshort 0x4638 version 8, used in RDR 2,
>>4 ulelong x %d bytes, >>4 ulelong x %d bytes,
>>>8 ulelong x %d entries >>>8 ulelong x %d entries
# Blitz3D Model File Format
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/minetest/B3DExport/blob/master/B3DExport.py
0 string BB3D
>4 lelong >0
>>8 lelong >0 Blitz3D Model
!:ext b3d
>>>8 lelong x \b, version %d
# Minetest Schematic File Format
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/minetest/minetest/blob/5.6.1/src/mapgen/mg_schematic.h
0 string MTSM Minetest Schematic
!:ext mts
>4 ubeshort x \b, version %d
>6 ubeshort x \b, size [%d
>8 ubeshort x \b, %d
>10 ubeshort x \b, %d]
# MagicaVoxel File Format
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/ephtracy/voxel-model/blob/ee2216c28a78ebb68691dc6cfa9c4ba429117ea2/MagicaVoxel-file-format-vox.txt
# Note: This format is used in Veloren voxel RPG.
0 string VOX\x20
>4 lelong >0 MagicaVoxel model
!:ext vox
>>4 lelong x \b, version %d
# Wwise SoundBank
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://wiki.xentax.com/index.php/Wwise_SoundBank_(*.bnk)
0 string BKHD
# Little-endian version (such as x86 PC)
>4 ulelong <0x100 Wwise SoundBank (little-endian)
!:ext bnk
>>0 use wwise_bkhd
# Big-endian version (such as PS3)
>4 ubelong <0x100 Wwise SoundBank (big-endian)
!:ext bnk
>>0 use \^wwise_bkhd
0 name wwise_bkhd
>8 ulelong x \b, version %d
>12 ulelong x \b, id %08X
>16 ulelong =0x00 \b, SFX
>16 ulelong =0x01 \b, arabic
>16 ulelong =0x02 \b, bulgarian
>16 ulelong =0x03 \b, chinese (HK)
>16 ulelong =0x04 \b, chinese (PRC)
>16 ulelong =0x05 \b, chinese (Taiwan)
>16 ulelong =0x06 \b, czech
>16 ulelong =0x07 \b, danish
>16 ulelong =0x08 \b, dutch
>16 ulelong =0x09 \b, english (Australia)
>16 ulelong =0x0A \b, english (India)
>16 ulelong =0x0B \b, english (UK)
>16 ulelong =0x0C \b, english (US)
>16 ulelong =0x0D \b, finnish
>16 ulelong =0x0E \b, french (Canada)
>16 ulelong =0x0F \b, french (France)
>16 ulelong =0x10 \b, german
>16 ulelong =0x11 \b, greek
>16 ulelong =0x12 \b, hebrew
>16 ulelong =0x13 \b, hungarian
>16 ulelong =0x14 \b, indonesian
>16 ulelong =0x15 \b, italian
>16 ulelong =0x16 \b, japanese
>16 ulelong =0x17 \b, korean
>16 ulelong =0x18 \b, latin
>16 ulelong =0x19 \b, norwegian
>16 ulelong =0x1A \b, polish
>16 ulelong =0x1B \b, portuguese (Brazil)
>16 ulelong =0x1C \b, portuguese (Portugal)
>16 ulelong =0x1D \b, romanian
>16 ulelong =0x1E \b, russian
>16 ulelong =0x1F \b, slovenian
>16 ulelong =0x20 \b, spanish (Mexico)
>16 ulelong =0x21 \b, spanish (Spain)
>16 ulelong =0x22 \b, spanish (US)
>16 ulelong =0x23 \b, swedish
>16 ulelong =0x24 \b, turkish
>16 ulelong =0x25 \b, ukrainian
>16 ulelong =0x26 \b, vietnamese
# Wwise Audio Package
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://wiki.xentax.com/index.php/Wwise_Audio_PCK
0 string AKPK
# Little-endian version (such as x86 PC)
>8 ulelong <0x100 Wwise Audio Package (little-endian)
!:ext pck
# Big-endian version (such as PS3)
>8 ubelong <0x100 Wwise Audio Package (big-endian)
!:ext pck

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: geo,v 1.7 2019/04/19 00:42:27 christos Exp $ # $File: geo,v 1.10 2022/10/31 13:22:26 christos Exp $
# Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> # Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu>
###################################################################### ######################################################################
@ -28,8 +28,8 @@
# Knudsen subbottom chirp profiler - Binary File Format: B9 # Knudsen subbottom chirp profiler - Binary File Format: B9
# KEB D409-03167 V1.75 Huffman # KEB D409-03167 V1.75 Huffman
0 string KEB\ Knudsen seismic KEL binary (KEB) - 0 string KEB\ Knudsen seismic KEL binary (KEB) -
>4 regex [-A-Z0-9]* Software: %s >4 regex [-A-Z0-9]+ Software: %s
>>&1 regex V[0-9]*\.[0-9]* version %s >>&1 regex V[0-9]+\\.[0-9]+ version %s
###################################################################### ######################################################################
# #
@ -40,7 +40,7 @@
# Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data # Caris LIDAR format for LADS comes as two parts... ascii location file and binary waveform data
0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar 0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar
>4 regex [0-9]*\.[0-9]* version %s >4 regex [0-9]+\\.[0-9]+ version %s
0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data 0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data
>3 byte x version %d . >3 byte x version %d .
@ -54,7 +54,43 @@
###################################################################### ######################################################################
# GeoAcoustics - GeoSwath Plus # GeoAcoustics - GeoSwath Plus
4 beshort 0x2002 GeoSwath RDF # Update: Joerg Jenderek
# URL: https://www.mbari.org/products/research-software/mb-system/
# Reference: http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/
# GS%2B-6063-BB-GS%2B-Broadcast-Raw-Data-File-Format-Command-Specification.pdf
# Note: All data is written using Intel 80x86 byte ordering (LSB to MSB)
# raw_header_siz; file header size is 544 bytes
4 beshort 0x2002
# GRR: line above is too general as it matches also some Microsoft Event Trace Logs *.ETL
# skip many (63/753) Microsoft Event Trace Logs (AMSITrace.etl lxcore_kernel.etl NotificationUxBroker.052.etl WindowsBackup.4.etl) with invalid "low" ping header size 0
>6 leshort >0 GeoSwath RDF
# skip foo samples with invalid "high" spare bytes
#>>536 ulequad =0 OK_THIS_IS_GeoSwath_RDF
#!:mime application/octet-stream
!:mime application/x-geoswath-rdf
# http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/060116342.rdf
!:ext rdf
# filename; original file name like: "C:\GS+\Projects\Default\Raw Data Files\060116342.rdf"
>>8 string x "%-.512s"
# version[8]; recording software version number like: 3.16c
>>527 string x \b, version %-.8s
# creation; unsigned int file creation time; WHAT time format is this?
>>0 ulelong x \b, creation time %#8.8x
# raw_ping_header_size; size of ping header in bytes like: 64
>>6 leshort !64 \b, ping header size %d
# frequency; system frequency in hertz like: 500000
>>520 lelong x \b, frequency %d
# echo_type; Echosounder type index like: 1
>>524 leshort x \b, echo type %#x
# file_mode; file mode mask (0x00 bathy & sidescan, 0x80 bathy, 0x40 sidescan, 0x20 seismic)
>>526 ubyte !0 \b, file mode %#2.2x
# pps_mode; PPS synch mode like: 2
>>535 byte x \b, pps mode %#x
# char spare[8]; apparently zeroed
>>536 ubequad !0 \b, spare %#16.16llx
# Ping_number; 1st ping number like: 4944
>>544 lelong x \b, 1st ping number %d
0 string Start:- GeoSwatch auf text file 0 string Start:- GeoSwatch auf text file
# Seabeam 2100 # Seabeam 2100
@ -69,7 +105,7 @@
# mb121 https://www.saic.com/maritime/gsf/ # mb121 https://www.saic.com/maritime/gsf/
8 string GSF-v SAIC generic sensor format (GSF) sonar data, 8 string GSF-v SAIC generic sensor format (GSF) sonar data,
>&0 regex [0-9]*\.[0-9]* version %s >&0 regex [0-9]+\\.[0-9]+ version %s
# MGD77 - https://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm # MGD77 - https://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm
# mb161 # mb161
@ -88,7 +124,7 @@
# #
###################################################################### ######################################################################
# IVS - IVS3d.com Tagged Data Represetation # IVS - IVS3d.com Tagged Data Representation
0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file 0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file
# http://www.ecma-international.org/publications/standards/Ecma-363.htm # http://www.ecma-international.org/publications/standards/Ecma-363.htm

View file

@ -0,0 +1,23 @@
# GNOME keyring
# Contributed by Josh Triplett
# FIXME: Could be simplified if pstring supported two-byte counts
0 string GnomeKeyring\n\r\0\n GNOME keyring
>&0 ubyte 0 \b, major version 0
>>&0 ubyte 0 \b, minor version 0
>>>&0 ubyte 0 \b, crypto type 0 (AEL)
>>>&0 ubyte >0 \b, crypto type %hhu (unknown)
>>>&1 ubyte 0 \b, hash type 0 (MD5)
>>>&1 ubyte >0 \b, hash type %hhu (unknown)
>>>&2 ubelong 0xFFFFFFFF \b, name NULL
>>>&2 ubelong !0xFFFFFFFF
>>>>&-4 ubelong >255 \b, name too long for file's pstring type
>>>>&-4 ubelong <256
>>>>>&-1 pstring x \b, name "%s"
>>>>>>&0 ubeqdate x \b, last modified %s
>>>>>>&8 ubeqdate x \b, created %s
>>>>>>&16 ubelong &1
>>>>>>>&0 ubelong x \b, locked if idle for %u seconds
>>>>>>&16 ubelong ^1 \b, not locked if idle
>>>>>>&24 ubelong x \b, hash iterations %u
>>>>>>&28 ubequad x \b, salt %llu
>>>>>>&52 ubelong x \b, %u item(s)

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: iff,v 1.17 2021/02/23 01:07:32 christos Exp $ # $File: iff,v 1.18 2022/03/21 19:57:18 christos Exp $
# iff: file(1) magic for Interchange File Format (see also "audio" & "images") # iff: file(1) magic for Interchange File Format (see also "audio" & "images")
# #
# Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic
@ -45,6 +45,7 @@
>8 string ACBM \b, ACBM continuous image >8 string ACBM \b, ACBM continuous image
>8 string FAXX \b, FAXX fax image >8 string FAXX \b, FAXX fax image
>8 string STFX \b, ST-Fax image >8 string STFX \b, ST-Fax image
>8 string IMAGIHDR \b, CD-i image
# other formats # other formats
>8 string FTXT \b, FTXT formatted text >8 string FTXT \b, FTXT formatted text
>8 string CTLG \b, CTLG message catalog >8 string CTLG \b, CTLG message catalog

File diff suppressed because it is too large Load diff

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: intel,v 1.20 2021/04/26 15:56:00 christos Exp $ # $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $
# intel: file(1) magic for x86 Unix # intel: file(1) magic for x86 Unix
# #
# Various flavors of x86 UNIX executable/object (other than Xenix, which # Various flavors of x86 UNIX executable/object (other than Xenix, which
@ -43,7 +43,16 @@
# no hint found, that at offset 22 is version # no hint found, that at offset 22 is version
#>22 leshort >0 - version %d #>22 leshort >0 - version %d
0 leshort 0x0200 0 leshort 0x0200
>0 use display-coff # no F_EXEC flag bit implies Intel ia64 COFF object file without optional header
>18 leshort ^0x0002
# skip some DEGAS high-res uncompressed bitmap *.pi3 handled by ./images like
# GEMINI03.PI3 MODEM2.PI3 POWERFIX.PI3 sigirl1.pi3 vanna5.pi3
# by test for valid starting character (often point 0x2E) of 1st section name
>>20 ubyte >0x1F
>>>0 use display-coff
# F_EXEC flag bit implies Intel ia64 COFF executable
>18 leshort &0x0002
>>0 use display-coff
0 leshort 0x8664 0 leshort 0x8664
>0 use display-coff >0 use display-coff
@ -52,16 +61,191 @@
# From: Alex Myczko <alex@aiei.ch> # From: Alex Myczko <alex@aiei.ch>
# updated by Joerg Jenderek # updated by Joerg Jenderek
# https://en.wikipedia.org/wiki/Option_ROM # https://en.wikipedia.org/wiki/Option_ROM
0 beshort 0x55AA BIOS (ia32) ROM Ext. # URL: http://fileformats.archiveteam.org/wiki/BIOS
!:mime application/octet-stream # Reference: http://www.lejabeach.com/sisubb/BIOS_Disassembly_Ninjutsu_Uncovered.pdf
0 beshort 0x55AA
# skip misidentified raspberry pi pieeprom-*.bin by check for
# unlikely high ROM size (0xF0*512=240*512) and not observed start instruction 0x0F
>2 ubeshort !0xF00F
# skip 2 byte sized eof.bin with start magic
>>0 use rom-x86
0 name rom-x86
>0 beshort x BIOS (ia32) ROM Ext.
#!:mime application/octet-stream
!:mime application/x-ibm-rom
!:ext rom/bin !:ext rom/bin
>5 string USB USB ################################################################################
>7 string LDR UNDI image # not Plug aNd Play ($PnP) like 00000000 (ide_xtp.bin kvmvapic.bin V7VGA.ROM) 000000fc (MCT-VGA.bin)
# 55aaf00f (pieeprom-*.bin) 55aa40e9 (Trm3x5.bin) 24506f4f (sgabios-bin.rom)
# 55aa4be9 (vgabios-stdvga.rom vgabios-cirrus-bin.rom vgabios-vmware-bin.rom)
>(26.s) ubelong !0x24506e50
#>(26.s) ubelong !0x24506e50 NOT PNP=%8.8x
# also not PCI (PCIR) implies "old" ISA cards or foo like: 8a168404 (MCT-VGA.bin)
# 55aaf00f (pieeprom*.bin)
>>(24.s) ubelong !0x50434952
#>>(24.s) ubelong !0x50434952 ISA CARD=%8.8x
# "old" identification strings used in file version 5.41 and earlier
# probably an USB controller
>>>5 string USB USB
# probably https://en.wikipedia.org/wiki/Preboot_Execution_Environment
>>>7 string LDR UNDI image
# probably another Adaptec SCSI controller
>>>26 string Adaptec Adaptec
# http://minuszerodegrees.net/rom/bin/adaptec_aha1542cp_bios_908501-00.bin
# already done by PNP variant
#>>>28 string Adaptec Adaptec
# probably Promise SCSI controller
>>>42 string PROMISE Promise
# old test for IBM compatible Video cards; INTERNAL FACTS WHY IS THIS WORKING?
>30 string IBM IBM comp. Video >30 string IBM IBM comp. Video
>26 string Adaptec Adaptec # display exact text for IBM compatible Video cards with longer text
>28 string Adaptec Adaptec >>33 ubyte !0
>42 string PROMISE Promise >>>30 string x "%s"
>2 byte x (%d*512) # http://minuszerodegrees.net/rom/bin/unknown/MCT-VGA-16%20-%20TDVGA%203588%20BIOS%20Version%20V1.04A.zip
# "IBM COMPATIBLETDVGA 3588 BIOS Version V1.04A2+" "MCT-VGA-16 - TDVGA 3588 BIOS Version V1.04A.bin"
# "IBM VGA Compatible\001" NVidia44.bin
# "IBM EGA ROM Video Seven BIOS Code, Version 1.04" V7VGA.ROM
# "IBM" vgabios-stdvga.rom
# "IBM" vgabios-vmware-bin.rom:
# "IBM" vgabios-cirrus-bin.rom
# "IBM" vgabios-virtio-bin.rom
################################################################################
# ROM size in 512B blocks must be interpreted as unsigned for ROM of network cards
# like: efi-eepro100.rom efi-rtl8139.rom pxe-e1000.rom
>2 ubyte x (%u*512)
# file name file size calculated size remark
# eof.bin 2 - with start magic nothing is shown here
# orchid.bin 188 0 =0*512 on window 95 CD in Drivers\audio\orchid3d
# multiboot.bin 1024 1024 =2*512 QEMU emulator
# loader1.bin 512 2048 =4*512
# ide_xtp.bin 8192 8192 =16*512
# kvmvapic.bin 9216 9216 =18*512
# V7VGA.ROM 18832 16384 =32*512
# adaptec1542.bin 32768 16384 =32*512
# MCT-VGA.bin 32768 24576 =48*512
# 2975BIOS.BIN 32768 32256 =63*512
# efi-e1000.rom 196608 64000 =125*512
# efi-rtl8139.rom 176640 66048 =129*512
# pieeprom*.bin 524288 122880 =240*512
################################################################################
# initialization vector with executable code; often near JuMP instruction E9 yy zz
>3 ubyte =0xE9 jmp
# jmp offset like: 008fh 0093h 009fh 00afh 0143h 3ad7h 5417h 54ech 594dh 895fh
>>4 uleshort x %#4.4x
# for initialization vector samples without 3 byte jump instruction
>3 ubyte !0xE9 instruction
# eb4b3734h NVidia44.bin
# 00003234h V7VGA.ROM
# 060e0731h kvmvapic.bin
# cb000000h linuxboot-bin.rom
# e80d0fcbh PXE-Intel.rom
# b8004875h orchid.bin
>>3 ubelong x %#8.8x
# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f
#>2 ubeshort x \b, AT 2 %#4.4x
################################################################################
# new sections for BIOS (ia32) ROM Extension
# 4 bytes ASCII Signature "$PnP" for Plug aNd Play expansion header
>(26.s) string =$PnP \b;
#>(26.s) string =$PnP FOUND $PnP
# at 1Ah possible offset to expansion header structure; new for Plug aNd Play
>>26 uleshort x at %#x PNP
# Plug and Play vendor+device ID like: 0 0x000f1000 (2975BIOS.BIN) 0x31121095 (4243.bin) 0x04904215 (adaptec1542.bin)
#>>(26.s+0x0A) ulelong !0 NOT-nullID=%8.8x
>>(26.s+0x0A) uleshort !0
# show PnP Vendor identification in human readable text form instead of numeric
# For adaptec_ava1515_bios_585201-00.bin reverted endian! BUT IS THIS ALWAYS TRUE?
>>>(26.s+0x0C) use \^PCI-vendor
>>>(26.s+0x0A) ubeshort x device=%#4.4x
# 3 byte Device type code; probably the same meaning as in PCI section?
# OK for storage controller SCSI (2975BIOS.BIN adaptec1542.bin)
# and network controller ethernet (efi-e1000.rom efi-rtl8139.rom)
>>(26.s+0x12) use PCI-class
# structure revision like: 01h
>>(26.s+4) ubyte !1 \b, revision %u
# PnP Header structure length in multiple of 16 bytes like: 2
>>(26.s+5) uleshort !2 \b, length %u*16
# offset to next header; 0 if none
>>(26.s+7) uleshort !0 \b, at %#x next header
# reserved byte; seems to be zero
>>(26.s+8) ubyte !0 \b, reserved %#x
# 8-bit checksum for this header; calculated and patched by patch2pnprom
>>(26.s+9) ubyte !0 \b, CRC %#x
# pointer to optional manufacturer string; like: 0 (4243.bin) 59h 5ch 60h c7h 14eh 27ch 296h 324h 3662h
>>(26.s+0x0E) uleshort >0 \b, at %#x
>>>(26.s+0x0C) uleshort x
# manufacturer ASCII-Z string like "http://ipxe.org" "Plop - Elmar Hanlhofer www.plop.at" "QEMU"
>>>>(&0.s) string x "%s"
# pointer to optional product string; like: 0 (2975BIOS.BIN) 6ch 70h 7ch d9h 160h 281h 29bh 329h
>>(26.s+0x10) uleshort >0 \b, at %#x
>>>(26.s+0x0E) uleshort x
# often human readable product ASCII-Z string like "iPXE" "Plop Boot Manager"
# "multiboot loader" "Intel UNDI, PXE-2.0 (build 082)"
>>>>(&0.s) string x "%s"
# PnP Device indicators; contains bits that identify the device as being capable of bootable
#>>(26.s+0x15) ubyte x \b, INDICATORS %#x
# device is a display device
>>(26.s+0x15) ubyte &0x01 \b, display
# device is an input device
>>(26.s+0x15) ubyte &0x02 \b, input
# device is an IPL device
>>(26.s+0x15) ubyte &0x04 \b, IPL
#>>(26.s+0x15) ubyte &0x08 reserved
# ROM is only required if this device is selected as a boot device
>>(26.s+0x15) ubyte &0x10 \b, bootable
# indicates ROM is read cacheable
>>(26.s+0x15) ubyte &0x20 \b, cacheable
# ROM may be shadowed in RAM
>>(26.s+0x15) ubyte &0x40 \b, shadowable
# ROM supports the device driver initialization model
>>(26.s+0x15) ubyte &0x80 \b, InitialModel
# boot connection vector; an offset to a routine that hook into INT 9h, INT 10h, or INT 13h
# 0 means disabled 0x0429 (4650_sr5.bin) 0x0072 (adaptec1542.bin)
>>(26.s+0x16) uleshort !0 \b, boot vector offset %#x
# disconnect vector; offset to routine that do cleanup from an unsuccessful boot attempt
>>(26.s+0x18) uleshort !0 \b, disconnect offset %#x
# bootstrap entry point/vector (BEV); offset to a routine (like RPL) that hook into INT 19h
# 0 means disabled 0x3c (multiboot.bin) 0x358 (efi-rtl8139.rom) 0xae7 (PXE-Intel.rom)
>>(26.s+0x1A) uleshort !0 \b, bootstrap offset %#x
# 2nd reserved area; seems to be zero
>>(26.s+0x1C) uleshort !0 \b, 2nd reserved %#x
# static resource information vector; 0 means disabled
>>(26.s+0x1E) uleshort !0 \b, static offset %#4.4x
################################################################################
# 4 bytes ASCII Signature "PCIR" for PCI Data Structure
#>(24.s) string =PCIR FOUND PCIR
>(24.s) string =PCIR \b;
# pointer to PCI data structure like: 1Ch 38h 104h 8E44h
>>24 uleshort x at %#x PCI
# Vendor identification (ID) https://pci-ids.ucw.cz/v2.2/pci.ids
#>>(24.s+4) uleshort x ID=%4.4x
# show Vendor identification in human readable text form instead of numeric
>>(24.s+4) use PCI-vendor
# device identification (ID)
>>(24.s+6) uleshort x device=%#4.4x
# Base+sub class code https://wiki.osdev.org/PCI
>>(24.s+0x0D) use PCI-class
# pointer to vital product data (VPD); 0 indicates no VPD; WHAT EXACTLY iS VPD?
>>(24.s+8) uleshort !0 \b, at %#x VPD
# PCI data structure length like: 24h 28h
>>(24.s+0xA) uleshort >0x28 \b, length %u
# PCI data structure revision like: 0 3
>>(24.s+0xC) ubyte >0 \b, revision %u
# image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83
# Apparently this gives the same information as given by byte at offset 2 but as 16-bit
#>>(24.s+0x10) uleshort x \b, length %u*512
# revision level of code/data like: 0 1 201h 502h
>>(24.s+0xC) ubyte >1 \b, code revision %#x
# code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved
>>(24.s+0x14) ubyte >0 \b, code type %#x
# last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved
>>(24.s+0x15) ubyte >0
>>>(24.s+0x15) ubyte =0x80 \b, last ROM
# THIS SHOULD NOT HAPPEN!
>>>(24.s+0x15) ubyte !0x80 \b, indicator %x
# 3rd reserved area; seems to be zero in most cases but not for
# efi-e1000.rom efi-rtl8139.rom
>>(24.s+0x16) ubeshort !0 \b, 3rd reserved %#x
# Flash descriptors for Intel SPI flash roms. # Flash descriptors for Intel SPI flash roms.
# From Dr. Jesus <j@hug.gs> # From Dr. Jesus <j@hug.gs>

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------ #------------------------------------------------------------
# $File: java,v 1.21 2019/02/18 17:58:50 christos Exp $ # $File: java,v 1.22 2023/01/11 23:59:49 christos Exp $
# Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the
# same magic number, 0xcafebabe, so they are both handled # same magic number, 0xcafebabe, so they are both handled
# in the entry called "cafebabe". # in the entry called "cafebabe".
@ -43,3 +43,10 @@
>6 leshort >0x00 \b, version %d >6 leshort >0x00 \b, version %d
>4 leshort x \b.%d >4 leshort x \b.%d
!:mime application/x-java-image !:mime application/x-java-image
# JAR Manifest & Signature File
# Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html
0 string/t Manifest-Version:\x201.0 JAR Manifest
!:ext MF
0 string/t Signature-Version:\x201.0 JAR Signature File
!:ext SF

View file

@ -1,22 +1,171 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: javascript,v 1.2 2019/08/05 10:34:26 christos Exp $ # $File: javascript,v 1.5 2023/01/12 00:02:16 christos Exp $
# javascript: magic for javascript and node.js scripts. # javascript: magic for javascript and node.js scripts.
# #
0 search/1/w #!/bin/node Node.js script text executable 0 string/tw #!/bin/node Node.js script executable
!:mime application/javascript !:mime application/javascript
0 search/1/w #!/usr/bin/node Node.js script text executable 0 string/tw #!/usr/bin/node Node.js script executable
!:mime application/javascript !:mime application/javascript
0 search/1/w #!/bin/nodejs Node.js script text executable 0 string/tw #!/bin/nodejs Node.js script executable
!:mime application/javascript !:mime application/javascript
0 search/1/w #!/usr/bin/nodejs Node.js script text executable 0 string/tw #!/usr/bin/nodejs Node.js script executable
!:mime application/javascript !:mime application/javascript
0 search/1 #!/usr/bin/env\ node Node.js script text executable 0 string/t #!/usr/bin/env\ node Node.js script executable
!:mime application/javascript !:mime application/javascript
0 search/1 #!/usr/bin/env\ nodejs Node.js script text executable 0 string/t #!/usr/bin/env\ nodejs Node.js script executable
!:mime application/javascript !:mime application/javascript
# JavaScript
# The strength is increased to beat the C++ & HTML rules
0 search "use\x20strict" JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 search 'use\x20strict' JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex module(\\.|\\[["'])exports.*= JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex \^(const|var|let).*=.*require\\( JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex \^export\x20(function|class|default|const|var|let|async)\x20 JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex \\((async\x20)?function[(\x20] JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex \^(import|export).*\x20from\x20 JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex \^(import|export)\x20["']\\./ JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex \^require\\(["'] JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
0 regex typeof.*[!=]== JavaScript source
!:strength +30
!:mime application/javascript
!:ext js
# React Native minified JavaScript
0 search/128 __BUNDLE_START_TIME__= React Native minified JavaScript
!:strength +30
!:mime application/javascript
!:ext bundle/jsbundle
# Hermes by Facebook https://hermesengine.dev/ # Hermes by Facebook https://hermesengine.dev/
# https://github.com/facebook/hermes/blob/master/include/hermes/\ # https://github.com/facebook/hermes/blob/master/include/hermes/\
# BCGen/HBC/BytecodeFileFormat.h#L24 # BCGen/HBC/BytecodeFileFormat.h#L24
0 lequad 0x1F1903C103BC1FC6 Hermes JavaScript bytecode 0 lequad 0x1F1903C103BC1FC6 Hermes JavaScript bytecode
>8 lelong x \b, version %d >8 lelong x \b, version %d
# v8 JavaScript engine bytecode
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://v8.dev/docs/ignition
# Note: used in bytenode and NW.js protected source code
# V8 bytecode extraction was added in NodeJS v5.7.0 (V8 4.6.85.31).
# Version information is provided for some v8 versions found in NodeJS releases.
2 uleshort =0xC0DE
>0 ulelong^0xC0DE0000 >0
# Reservation table starts at 40
>>40 ulelong&0xFFFFFF00 =0x80000000
# Stub keys present
>>>24 ulelong >0
>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes,
>>>>4 ulelong =0xEE4BF478 version 5.1.281.111,
>>>>4 ulelong =0xC4A0100C version 5.5.372.43,
>>>>8 ulelong x source size: %u bytes,
>>>>12 ulelong x cpu features: %#08X,
>>>>16 ulelong x flag hash: %#08X,
>>>>20 ulelong x %u reservations,
>>>>28 ulelong x payload size: %u bytes,
>>>>32 ulelong x checksum1: %#08X,
>>>>36 ulelong x checksum2: %#08X
# No stub keys
>>>24 ulelong =0
>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes,
>>>>4 ulelong =0x54F0AD81 version 6.2.414.46,
>>>>4 ulelong =0X7D1BF182 version 6.2.414.54,
>>>>4 ulelong =0x35BA122E version 6.2.414.77,
>>>>4 ulelong =0X9319F9C2 version 6.2.414.78,
>>>>4 ulelong =0xB1240060 version 6.6.346.32,
>>>>4 ulelong =0x2B757060 version 6.7.288.46,
>>>>4 ulelong =0x09D147AA version 6.7.288.49,
>>>>4 ulelong =0xF4D4F48A version 6.8.275.32,
>>>>4 ulelong =0xD3961326 version 7.0.276.38,
>>>>8 ulelong x source size: %u bytes,
>>>>12 ulelong x cpu features: %#08X,
>>>>16 ulelong x flag hash: %#08X,
>>>>20 ulelong x %u reservations,
>>>>28 ulelong x payload size: %u bytes,
>>>>32 ulelong x checksum1: %#08X,
>>>>36 ulelong x checksum2: %#08X
# Reservation table starts at 32
>>32 ulelong&0xFFFFFF00 =0x80000000
# Second checksum present
>>>28 ulelong >0
>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes,
>>>>4 ulelong =0x21DDF627 version 7.4.288.21,
>>>>4 ulelong =0x1FC9FE84 version 7.4.288.27,
>>>>4 ulelong =0x60A99E8B version 7.5.288.22,
>>>>4 ulelong =0x4F665E90 version 7.6.303.29,
>>>>4 ulelong =0xC7ACFCDE version 7.7.299.11,
>>>>4 ulelong =0x7F641D8F version 7.7.299.13,
>>>>4 ulelong =0xFD9A4F2E version 7.8.279.17,
>>>>4 ulelong =0x3A845324 version 7.8.279.23,
>>>>4 ulelong =0xFF52FEAF version 7.9.317.25,
>>>>8 ulelong x source size: %u bytes,
>>>>12 ulelong x flag hash: %#08X,
>>>>16 ulelong x %u reservations,
>>>>20 ulelong x payload size: %u bytes,
>>>>24 ulelong x checksum1: %#08X,
>>>>28 ulelong x checksum2: %#08X
# No second checksum
>>>28 ulelong =0
>>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes,
>>>>4 ulelong =0x8725E0F8 version 8.1.307.30,
>>>>4 ulelong =0x09ED1289 version 8.1.307.31,
>>>>4 ulelong =0xA5728C87 version 8.3.110.9,
>>>>4 ulelong =0xB45C5D30 version 8.4.371.23,
>>>>4 ulelong =0xED9C278B version 8.4.371.19,
>>>>4 ulelong =0xD27BFF42 version 8.6.395.16,
>>>>8 ulelong x source size: %u bytes,
>>>>12 ulelong x flag hash: %#08X,
>>>>16 ulelong x %u reservations,
>>>>20 ulelong x payload size: %u bytes,
>>>>24 ulelong x payload checksum: %#08X
# No reservation table and code starts at 24
>>32 ulelong =0
>>>0 ulelong^0xC0DE0000 x v8 bytecode, external reference table size: %u bytes,
>>>4 ulelong =0x9A6F0B0F version 9.0.257.17,
>>>4 ulelong =0x271D5D1E version 9.0.257.24,
>>>4 ulelong =0x4EEA75DF version 9.0.257.25,
>>>4 ulelong =0x80809479 version 9.1.269.36,
>>>4 ulelong =0x55C46F65 version 9.1.269.38,
>>>4 ulelong =0x8A9C758A version 9.2.230.21,
>>>4 ulelong =0x9712F0E1 version 9.3.345.16,
>>>4 ulelong =0x29593715 version 9.4.146.19,
>>>4 ulelong =0xCD991825 version 9.4.146.24,
>>>4 ulelong =0xACDD64EE version 9.4.146.26,
>>>4 ulelong =0xC96B4CD5 version 9.5.172.21,
>>>4 ulelong =0xBCCE4578 version 9.5.172.25,
>>>4 ulelong =0xA2EEA077 version 9.6.180.15,
>>>4 ulelong =0xFD350011 version 10.1.124.8,
>>>4 ulelong =0xBEF4028F version 10.2.154.13,
>>>4 ulelong =0xAF632352 version 10.2.154.4,
>>>8 ulelong x source size: %u bytes,
>>>12 ulelong x flag hash: %#08X,
>>>16 ulelong x payload size: %u bytes,
>>>20 ulelong x payload checksum: %#08X

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: jpeg,v 1.36 2021/08/28 12:30:52 christos Exp $ # $File: jpeg,v 1.38 2022/12/02 17:42:04 christos Exp $
# JPEG images # JPEG images
# SunOS 5.5.1 had # SunOS 5.5.1 had
# #
@ -103,43 +103,150 @@
#>>(2.S+2) use jpeg_segment #>>(2.S+2) use jpeg_segment
# HSI is Handmade Software's proprietary JPEG encoding scheme # HSI is Handmade Software's proprietary JPEG encoding scheme
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/HSI_JPEG
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-hsi1.trid.xml
# Note: called by TrID "HSI JPEG bitmap"
0 string hsi1 JPEG image data, HSI proprietary 0 string hsi1 JPEG image data, HSI proprietary
#!:mime application/octet-stream
!:mime image/x-hsi
!:ext hsi/jpg
# From: David Santinoli <david@santinoli.com> # From: David Santinoli <david@santinoli.com>
0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 0 string \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000
# delete from ./animation (version 1.87) with jP (=6A50h) magic at offset 4
# From: Johan van der Knijff <johan.vanderknijff@kb.nl> # From: Johan van der Knijff <johan.vanderknijff@kb.nl>
# Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes # Added sub-entries for JP2, JPX, JPM and MJ2 formats; added mimetypes
# https://github.com/bitsgalore/jp2kMagic # https://github.com/bitsgalore/jp2kMagic
# #
# Now read value of 'Brand' field, which yields a few possibilities: # Now read value of 'Brand' field, which yields a few possibilities:
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/JP2
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpeg2k.trid.xml
# Note: called by TrID "JPEG 2000 bitmap"
>20 string \x6a\x70\x32\x20 Part 1 (JP2) >20 string \x6a\x70\x32\x20 Part 1 (JP2)
# aliases image/jpeg2000, image/jpeg2000-image, image/x-jpeg2000-image
!:mime image/jp2 !:mime image/jp2
!:ext jp2
# URL: http://fileformats.archiveteam.org/wiki/JPX
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpx.trid.xml
# Note: called by TrID "JPEG 2000 eXtended bitmap"
>20 string \x6a\x70\x78\x20 Part 2 (JPX) >20 string \x6a\x70\x78\x20 Part 2 (JPX)
!:mime image/jpx !:mime image/jpx
!:ext jpf/jpx
# URL: http://fileformats.archiveteam.org/wiki/JPM
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpm.trid.xml
# Note: called by TrID "JPEG 2000 eXtended bitmap"
>20 string \x6a\x70\x6d\x20 Part 6 (JPM) >20 string \x6a\x70\x6d\x20 Part 6 (JPM)
!:mime image/jpm !:mime image/jpm
!:ext jpm
# URL: http://fileformats.archiveteam.org/wiki/MJ2
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/v/video-mj2.trid.xml
# Note: called by TrID "Motion JPEG 2000 video"
>20 string \x6d\x6a\x70\x32 Part 3 (MJ2) >20 string \x6d\x6a\x70\x32 Part 3 (MJ2)
!:mime video/mj2 !:mime video/mj2
!:ext mj2/mjp2
# Type: JPEG 2000 codesream # Type: JPEG 2000 codesream
# From: Mathieu Malaterre <mathieu.malaterre@gmail.com> # From: Mathieu Malaterre <mathieu.malaterre@gmail.com>
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/JPEG_2000_codestream
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jpc.trid.xml
# Note: called by TrID "JPEG-2000 Code Stream bitmap"
0 belong 0xff4fff51 JPEG 2000 codestream 0 belong 0xff4fff51 JPEG 2000 codestream
45 beshort 0xff52 # value like: 0701h FF50h
#>45 ubeshort x \b, at 45 %#4.4x
#!:mime application/octet-stream
# https://reposcope.com/mimetype/image/x-jp2-codestream
!:mime image/x-jp2-codestream
!:ext jpc/j2c/j2k
# MAYBE also JHC like in byte_causal.jhc ?
# WHAT IS THAT? DEAD ENTRY?
#45 beshort 0xff52
# JPEG extended range # JPEG extended range
# URL: http://fileformats.archiveteam.org/wiki/JPEG_XR
# Reference: https://www.itu.int/rec/T-REC-T.832
# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wmp.trid.xml
# Note: called by TrID "JPEG XR bitmap"
0 string \x49\x49\xbc 0 string \x49\x49\xbc
# FILE_VERSION_ID; shall be equal to 1; other values are reserved for future use
>3 byte 1 >3 byte 1
# FIRST_IFD_OFFSET; shall be an integer multiple of 2; so skip DROID fmt-590-signature-id-931.wdp
>>4 lelong%2 0 JPEG-XR >>4 lelong%2 0 JPEG-XR
#!:mime image/vnd.ms-photo
!:mime image/jxr !:mime image/jxr
!:ext jxr # NO example for HDP !
!:ext jxr/wdp/hdp
# MAYBE also WMP ?
#!:ext jxr/wdp/hdp/wmp
# moved from ./images (version 1.205 ), merged and
# partly verified by XnView `nconvert -info abydos.jxr FLOWER.wdp`
# example: https://web.archive.org/web/20160403012904/
# http://shikino.co.jp/solution/upfile/FLOWER.wdp.zip
>90 bequad 0x574D50484F544F00
>>98 byte&0x08 =0x08 \b, hard tiling
>>99 byte&0x80 =0x80 \b, tiling present
>>99 byte&0x40 =0x40 \b, codestream present
>>99 byte&0x38 x \b, spatial xform=
>>99 byte&0x38 0x00 \bTL
>>99 byte&0x38 0x08 \bBL
>>99 byte&0x38 0x10 \bTR
>>99 byte&0x38 0x18 \bBR
>>99 byte&0x38 0x20 \bBT
>>99 byte&0x38 0x28 \bRB
>>99 byte&0x38 0x30 \bLT
>>99 byte&0x38 0x38 \bLB
>>100 byte&0x80 =0x80 \b, short header
>>>102 beshort+1 x \b, %d
>>>104 beshort+1 x \bx%d
>>100 byte&0x80 =0x00 \b, long header
>>>102 belong+1 x \b, %x
>>>106 belong+1 x \bx%x
>>101 beshort&0xf x \b, bitdepth=
>>>101 beshort&0xf 0x0 \b1-WHITE=1
>>>101 beshort&0xf 0x1 \b8
>>>101 beshort&0xf 0x2 \b16
>>>101 beshort&0xf 0x3 \b16-SIGNED
>>>101 beshort&0xf 0x4 \b16-FLOAT
>>>101 beshort&0xf 0x5 \b(reserved 5)
>>>101 beshort&0xf 0x6 \b32-SIGNED
>>>101 beshort&0xf 0x7 \b32-FLOAT
>>>101 beshort&0xf 0x8 \b5
>>>101 beshort&0xf 0x9 \b10
>>>101 beshort&0xf 0xa \b5-6-5
>>>101 beshort&0xf 0xb \b(reserved %d)
>>>101 beshort&0xf 0xc \b(reserved %d)
>>>101 beshort&0xf 0xd \b(reserved %d)
>>>101 beshort&0xf 0xe \b(reserved %d)
>>>101 beshort&0xf 0xf \b1-BLACK=1
>>101 beshort&0xf0 x \b, colorfmt=
>>>101 beshort&0xf0 0x00 \bYONLY
>>>101 beshort&0xf0 0x10 \bYUV240
>>>101 beshort&0xf0 0x20 \bYWV422
>>>101 beshort&0xf0 0x30 \bYWV444
>>>101 beshort&0xf0 0x40 \bCMYK
>>>101 beshort&0xf0 0x50 \bCMYKDIRECT
>>>101 beshort&0xf0 0x60 \bNCOMPONENT
>>>101 beshort&0xf0 0x70 \bRGB
>>>101 beshort&0xf0 0x80 \bRGBE
>>>101 beshort&0xf0 >0x80 \b(reserved %#x)
# JPEG XL # JPEG XL
# From: Ian Tester # From: Ian Tester
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl.trid.xml
# Note: called by TrID "JPEG XL bitmap"
0 string \xff\x0a JPEG XL codestream 0 string \xff\x0a JPEG XL codestream
!:mime image/jxl !:mime image/jxl
!:ext jxl !:ext jxl
# JPEG XL (transcoded JPEG file) # JPEG XL (transcoded JPEG file)
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/JPEG_XL
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl-iso.trid.xml
# Note: called by TrID "JPEG XL bitmap (ISOBMFF)"
0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container 0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container
!:mime image/jxl !:mime image/jxl
!:ext jxl !:ext jxl

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: lif,v 1.10 2021/04/26 15:56:00 christos Exp $ # $File: lif,v 1.11 2022/10/19 20:15:16 christos Exp $
# lif: file(1) magic for lif # lif: file(1) magic for lif
# #
# (Daniel Quinlan <quinlan@yggdrasil.com>) # (Daniel Quinlan <quinlan@yggdrasil.com>)
@ -16,9 +16,9 @@
>14 beshort =0 >14 beshort =0
# skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number # skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number
>>20 ubeshort <0x0100 >>20 ubeshort <0x0100
# skip DEGAS MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for ASCII like volume name # skip DROID fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx by test for ASCII like volume name
#>>>2 ubelong >0x2020201F >>>2 ubelong >0x2020201F
>>>0 use lif-file >>>>0 use lif-file
0 name lif-file 0 name lif-file
# LIF ID # LIF ID
>0 beshort x lif file >0 beshort x lif file
@ -27,6 +27,7 @@
!:ext lif/hpi/dat !:ext lif/hpi/dat
# volume label; A-Z 0-9 _ ; default are 6 spaces # volume label; A-Z 0-9 _ ; default are 6 spaces
>2 string x "%.6s" >2 string x "%.6s"
#>2 ubelong x LABEL=%8.8x
# version number; 0 for systems without extensions or 1 for model 64000 # version number; 0 for systems without extensions or 1 for model 64000
>20 ubeshort x \b, version %u >20 ubeshort x \b, version %u
# LIF identifier; 010000 for system 3000 # LIF identifier; 010000 for system 3000

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: linux,v 1.79 2021/04/26 15:56:00 christos Exp $ # $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $
# linux: file(1) magic for Linux files # linux: file(1) magic for Linux files
# #
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
@ -67,8 +67,8 @@
>16 lelong x %d characters, >16 lelong x %d characters,
>12 lelong&0x01 0 no directory, >12 lelong&0x01 0 no directory,
>12 lelong&0x01 !0 Unicode directory, >12 lelong&0x01 !0 Unicode directory,
>24 lelong x %d >28 lelong x %d
>28 lelong x \bx%d >24 lelong x \bx%d
# Linux swap and hibernate files # Linux swap and hibernate files
# Linux kernel: include/linux/swap.h # Linux kernel: include/linux/swap.h
@ -364,16 +364,6 @@
>24 lelong x %d symbols >24 lelong x %d symbols
>28 lelong x %d ocons >28 lelong x %d ocons
# LUKS: Linux Unified Key Setup, On-Disk Format, http://luks.endorphin.org/spec
# Anthon van der Neut (anthon@mnt.org)
0 string LUKS\xba\xbe LUKS encrypted file,
>6 beshort x ver %d
>8 string x [%s,
>40 string x %s,
>72 string x %s]
>168 string x UUID: %s
# Summary: Xen saved domain file # Summary: Xen saved domain file
# Created by: Radek Vokal <rvokal@redhat.com> # Created by: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain 0 string LinuxGuestRecord Xen saved domain
@ -390,26 +380,96 @@
# Systemd journald files # Systemd journald files
# See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/.
# From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> # From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
# Update: Joerg Jenderek
# check magic # URL: https://systemd.io/JOURNAL_FILE_FORMAT/
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml
# Note: called "systemd journal" by TrID
# verified by `journalctl --file=user-1000.journal`
# check magic signature[8]
0 string LPKSHHRH 0 string LPKSHHRH
# check that state is one of known values # check that state is one of known values
# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2
>16 ubyte&252 0 >16 ubyte&252 0
# check that each half of three unique id128s is non-zero # check that each half of three unique id128s is non-zero
# file_id
>>24 ubequad >0 >>24 ubequad >0
>>>32 ubequad >0 >>>32 ubequad >0
# machine_id
>>>>40 ubequad >0 >>>>40 ubequad >0
>>>>>48 ubequad >0 >>>>>48 ubequad >0
# boot_id; last writer
>>>>>>56 ubequad >0 >>>>>>56 ubequad >0
>>>>>>>64 ubequad >0 Journal file >>>>>>>64 ubequad >0 Journal file
!:mime application/octet-stream #!:mime application/octet-stream
!:mime application/x-linux-journal
# provide more info # provide more info
# head_entry_realtime; contains a POSIX timestamp stored in microseconds
>>>>>>>>184 leqdate/1000000 !0 \b, %s
>>>>>>>>184 leqdate 0 empty >>>>>>>>184 leqdate 0 empty
>>>>>>>>16 ubyte 0 \b, offline # If a file is closed after writing the state field should be set to STATE_OFFLINE
>>>>>>>>16 ubyte 1 \b, online >>>>>>>>16 ubyte 0 \b,
# for offline and empty only journal~ extension found
>>>>>>>>>184 leqdate 0 offline
# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html
# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like:
# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~'
!:ext journal~
# for offline and non empty often *.journal~ but also user-1001.journal
>>>>>>>>>184 leqdate !0 offline
!:ext journal/journal~
# if a file is opened for writing the state field should be set to STATE_ONLINE
>>>>>>>>16 ubyte 1 \b,
# for online and empty only journal~ extension found
>>>>>>>>>184 leqdate 0 online
# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~
!:ext journal~
# for online and non empty only journal extension found
>>>>>>>>>184 leqdate !0 online
# system.journal user-1000.journal
!:ext journal
# after a file has been rotated it should be set to STATE_ARCHIVED
>>>>>>>>16 ubyte 2 \b, archived >>>>>>>>16 ubyte 2 \b, archived
!:ext journal
# no *.journal~ found
#!:ext journal/journal~
# compatible_flags
>>>>>>>>8 ulelong&1 1 \b, sealed >>>>>>>>8 ulelong&1 1 \b, sealed
# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16
#>>>>>>>>12 ulelong x FLAGS=%#x
>>>>>>>>12 ulelong&1 1 \b, compressed >>>>>>>>12 ulelong&1 1 \b, compressed
>>>>>>>>12 ulelong&2 !0 \b, compressed lz4
>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24
>>>>>>>>12 ulelong&8 !0 \b, compressed zstd
>>>>>>>>12 ulelong&16 !0 \b, compact
# uint8_t reserved[7]; apparently nil
#>>17 long !0 \b, reserved %#8.8x
# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6
#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx
#>>>>>>>>80 ubequad x b%16.16llx
# header_size like: 100h
>>>>>>>>88 ulequad !0x100h \b, header size %#llx
# arena_size like: 0 7fff00h ffff00h 17fff00h
#>>>>>>>>96 ulequad >0 \b, arena size %#llx
# data_hash_table_offset like: 0 15f0h 15f0h
#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx
# data_hash_table_size like: 0 38e380h
#>>>>>>>>112 ulequad >0 \b, hash table size %#llx
# field_hash_table_offset like: 0 110h
#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx
# field_hash_table_size like: 0 14d0h
#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx
# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h
#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx
# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh
#>>>>>>>>144 ulequad >0 \b, objects %#llx
# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h
>>>>>>>>152 ulequad >0 \b, entries %#llx
# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh
#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx
# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah
#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx
# entry_array_offset like: 0 390058h 3909d8h 3909e0h
#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx
# BCache backing and cache devices # BCache backing and cache devices
# From: Gabriel de Perthuis <g2p.code@gmail.com> # From: Gabriel de Perthuis <g2p.code@gmail.com>
@ -502,9 +562,12 @@
0 lelong 0x58313116 CRIU inventory 0 lelong 0x58313116 CRIU inventory
# Kdump compressed dump files # Kdump compressed dump files
# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION # https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION
0 string KDUMP Kdump compressed dump 0 string KDUMP\x20\x20\x20 Kdump compressed dump
>0 use kdump-compressed-dump
0 name kdump-compressed-dump
>8 long x v%d >8 long x v%d
>12 string >\0 \b, system %s >12 string >\0 \b, system %s
>77 string >\0 \b, node %s >77 string >\0 \b, node %s
@ -513,6 +576,12 @@
>272 string >\0 \b, machine %s >272 string >\0 \b, machine %s
>337 string >\0 \b, domain %s >337 string >\0 \b, domain %s
# Flattened format
0 string makedumpfile
>16 bequad 1
>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump
>>>0x1010 use kdump-compressed-dump
# Device Tree files # Device Tree files
0 search/1024 /dts-v1/ Device Tree File (v1) 0 search/1024 /dts-v1/ Device Tree File (v1)
# beat c code # beat c code
@ -532,6 +601,27 @@
# ansible vault (does not really belong here) # ansible vault (does not really belong here)
0 string $ANSIBLE_VAULT; Ansible Vault 0 string $ANSIBLE_VAULT; Ansible Vault
>&0 regex [0-9]*\.[0-9]* \b, version %s >&0 regex [0-9]+\\.[0-9]+ \b, version %s
>>&0 string ; >>&0 string ;
>>>&0 regex [A-Z0-9]* \b, encryption %s >>>&0 regex [A-Z0-9]+ \b, encryption %s
# From: Joerg Jenderek
# URL: https://www.gnu.org/software/grub
# Reference: https://ftp.gnu.org/gnu/grub/grub-2.06.tar.gz
# grub-2.06/include/grub/keyboard_layouts.h
# grub-2.06/grub-core/commands/keylayouts.c
# GRUB_KEYBOARD_LAYOUTS_FILEMAGIC
0 string GRUBLAYO GRUB Keyboard
!:mime application/x-grub-keyboard
!:ext gkb
# GRUB_KEYBOARD_LAYOUTS_VERSION like: 10
>8 ulelong !10 \b, version %u
# 4 grub_uint32_t grub_keyboard_layout[160]
# for normal french keyboard this is letter a
>92 ubyte !0x71
>>92 ubyte >0x40 \b, english q is %c
#>732 ubyte x \b, english Q is %c
# for normal german keyboard this is letter z
>124 ubyte !0x79
>>124 ubyte >0x40 \b, english y is %c
#>764 ubyte x \b, english Y is %c

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: llvm,v 1.9 2019/04/19 00:42:27 christos Exp $ # $File: llvm,v 1.10 2023/03/11 17:54:17 christos Exp $
# llvm: file(1) magic for LLVM byte-codes # llvm: file(1) magic for LLVM byte-codes
# URL: https://llvm.org/docs/BitCodeFormat.html # URL: https://llvm.org/docs/BitCodeFormat.html
# From: Al Stone <ahs3@fc.hp.com> # From: Al Stone <ahs3@fc.hp.com>
@ -9,6 +9,7 @@
0 string llvc0 LLVM byte-codes, null compression 0 string llvc0 LLVM byte-codes, null compression
0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc1 LLVM byte-codes, gzip compression
0 string llvc2 LLVM byte-codes, bzip2 compression 0 string llvc2 LLVM byte-codes, bzip2 compression
0 string CPCH LLVM Pre-compiled header file
0 lelong 0x0b17c0de LLVM bitcode, wrapper 0 lelong 0x0b17c0de LLVM bitcode, wrapper
# Are these Mach-O ABI values? They appear to be. # Are these Mach-O ABI values? They appear to be.

View file

@ -1,13 +1,126 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: luks,v 1.4 2009/09/19 16:28:10 christos Exp $ # $File: luks,v 1.5 2022/09/07 11:23:44 christos Exp $
# luks: file(1) magic for Linux Unified Key Setup # luks: file(1) magic for Linux Unified Key Setup
# URL: http://luks.endorphin.org/spec # URL: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup
# http://fileformats.archiveteam.org/wiki/LUKS
# From: Anthon van der Neut <anthon@mnt.org> # From: Anthon van der Neut <anthon@mnt.org>
# Update: Joerg Jenderek
# Note: verfied by command like `cryptsetup luksDump /dev/sda3`
0 string LUKS\xba\xbe LUKS encrypted file, 0 string LUKS\xba\xbe LUKS encrypted file,
# https://reposcope.com/mimetype/application/x-raw-disk-image
!:mime application/x-raw-disk-image
#!:mime application/x-luks-volume
# img is the generic extension; no suffix for partitions; luksVolumeHeaderBackUp via zuluCrypt
!:ext /luks/img/luksVolumeHeaderBackUp
# version like: 1 2
>6 beshort x ver %d >6 beshort x ver %d
# test for version 1 variant
>6 beshort 1
>>0 use luks-v1
# test for version 2 variant
>6 beshort >1
>>0 use luks-v2
# Reference: https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/LUKS_docs/on-disk-format.pdf
# http://mark0.net/download/triddefs_xml.7z/defs/l/luks.trid.xml
# display information about LUKS version 1
0 name luks-v1
# cipher-name like: aes twofish
>8 string x [%s, >8 string x [%s,
# cipher-mode like: xts-plain64 cbc-essiv
>40 string x %s, >40 string x %s,
# hash specification like: sha256 sha1 ripemd160
>72 string x %s] >72 string x %s]
>168 string x UUID: %s >168 string x UUID: %s
# NEW PART!
# payload-offset; start offset of the bulk data
>104 ubelong x \b, at %#x data
# key-bytes; number of key bytes; key-bytes*8=MK-bits
>108 ubelong x \b, %u key bytes
# mk-digest[20]; master key checksum from PBKDF2
>112 ubequad x \b, MK digest %#16.16llx
>>120 ubequad x \b%16.16llx
>>128 ubelong x \b%8.8x
# mk-digest-salt[32]; salt parameter for master key PBKDF2
>132 ubequad x \b, MK salt %#16.16llx
>>140 ubequad x \b%16.16llx
>>148 ubequad x \b%16.16llx
>>156 ubequad x \b%16.16llx
# mk-digest-iter; iterations parameter for master key PBKDF2
>164 ubelong x \b, %u MK iterations
# key slot 1
>208 ubelong =0x00AC71F3 \b; slot #0
>>208 use luks-slot
# key slot 2
>256 ubelong =0x00AC71F3 \b; slot #1
>>256 use luks-slot
# key slot 3
>304 ubelong =0x00AC71F3 \b; slot #2
>>304 use luks-slot
# key slot 4
>352 ubelong =0x00AC71F3 \b; slot #3
>>352 use luks-slot
# key slot 5
>400 ubelong =0x00AC71F3 \b; slot #4
>>400 use luks-slot
# key slot 6
>448 ubelong =0x00AC71F3 \b; slot #5
>>448 use luks-slot
# key slot 7
>496 ubelong =0x00AC71F3 \b; slot #6
>>496 use luks-slot
# key slot 8
>544 ubelong =0x00AC71F3 \b; slot #7
>>544 use luks-slot
# Reference: https://gitlab.com/cryptsetup/LUKS2-docs/-/raw/master/luks2_doc_wip.pdf
# http://mark0.net/download/triddefs_xml.7z/defs/l/luks2.trid.xml
# display information about LUKS version 2
0 name luks-v2
# hdr_size; size including JSON area called Metadata area by cryptsetup with value like: 16384
>8 ubequad x \b, header size %llu
# possible check for MAGIC_2ND after header
#>(8.Q) string SKUL\xba\xbe \b, 2nd_HEADER_OK
# seqid; sequence ID, increased on update; called Epoch by cryptsetup with value like: 3 4 8 10
>16 ubequad x \b, ID %llu
# label[48]; optional ASCII label or empty; called Label by cryptsetup with value like: "LUKS2_EXT4_ROOT"
>24 string >\0 \b, label %s
# csum_alg[32]; checksum algorithm like: sha256 sha1 sha512 wirlpool ripemd160
>72 string x \b, algo %s
# salt[64]; salt , unique for every header
>104 ubequad x \b, salt %#llx...
# uuid[40]; UID of device as string like: 242256c6-396e-4a35-af5f-5b70cb7af9a7
>168 string x \b, UUID: %-.40s
# subsystem[48]; optional owner subsystem label or empty
>208 string >\0 \b, sub label %-.48s
# hdr_offset; offset from device start [ bytes ] like: 0
>256 ubequad !0 \b, offset %llx
# char _padding [184]; must be zeroed
#>264 ubequad x \b, padding %#16.16llx
#>440 ubequad x \b...%16.16llx
# csum[64]; header checksum
>448 ubequad x \b, crc %#llx...
# char _padding4096 [7*512]; Padding , must be zeroed
#>512 ubequad x \b, more padding %#16.16llx
#>4088 ubequad x \b...%16.16llx
# JSON text data terminated by the zero character; unused remainder empty and filled with zeroes like:
# {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offse"
>0x1000 string x \b, at 0x1000 %s
#>0x1000 indirect x
# display information (like active) about LUKS1 slot
0 name luks-slot
# state of keyslot; 0x00AC71F3~active 0x0000DEAD~inactive
#>0 ubelong x \b, status %#8.8x
>0 ubelong =0x00AC71F3 active
>0 ubelong =0x0000DEAD inactive
# iteration parameter for PBKDF2
#>4 ubelong x \b, %u iterations
# salt parameter for PBKDF2
#>8 ubequad x \b, salt %#16.16llx
#>>16 ubequad x \b%16.16llx
#>>24 ubequad x \b%16.16llx
#>>32 ubequad x \b%16.16llx
# start sector of key material like: 8 0x200 0x3f8 0x5f0 0xdd0
>40 ubelong x \b, %#x material offset
# number of anti-forensic stripes like: 4000
>44 ubelong !4000 \b, %u stripes

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: macintosh,v 1.32 2021/04/26 15:56:00 christos Exp $ # $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $
# macintosh description # macintosh description
# #
# BinHex is the Macintosh ASCII-encoded file format (see also "apple") # BinHex is the Macintosh ASCII-encoded file format (see also "apple")
@ -95,7 +95,10 @@
# MacBinary format (Eric Fischer, enf@pobox.com) # MacBinary format (Eric Fischer, enf@pobox.com)
# Update: Joerg Jenderek # Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/MacBinary # URL: https://en.wikipedia.org/wiki/MacBinary
# http://fileformats.archiveteam.org/wiki/MacBinary
# Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt # Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt
# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and
# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin`
# #
# Unfortunately MacBinary doesn't really have a magic number prior # Unfortunately MacBinary doesn't really have a magic number prior
# to the MacBinary III format. # to the MacBinary III format.
@ -114,19 +117,19 @@
>>>>74 byte 0 >>>>74 byte 0
# zero fill, must be zero for compatibility # zero fill, must be zero for compatibility
>>>>>82 byte 0 >>>>>82 byte 0
# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00
>>>>>>2 ubelong <0xffff0000
# MacBinary I test for valid version numbers # MacBinary I test for valid version numbers
>>>>>>122 ubeshort 0 >>>>>>>122 ubeshort 0
# additional check for creation date after 1 Jan 1970 ~ 7C25B080h
#>>>>>>>91 ubelong >0x7c25b07F
# additional check for undefined header fields in MacBinary I # additional check for undefined header fields in MacBinary I
#>>>>>>>101 ulong 0 #>>>>>>>>101 ulong 0
>>>>>>>0 use mac-bin >>>>>>>>0 use mac-bin
# MacBinary II the newer versions begins at 129 # MacBinary II the newer versions begins at 129
>>>>>>122 ubeshort 0x8181 >>>>>>>122 ubeshort 0x8181
>>>>>>>0 use mac-bin >>>>>>>>0 use mac-bin
# MacBinary III with MacBinary II to read # MacBinary III with MacBinary II to read
>>>>>122 ubeshort 0x8281 >>>>>>122 ubeshort 0x8281
>>>>>>0 use mac-bin >>>>>>>0 use mac-bin
# display information of MacBinary file # display information of MacBinary file
0 name mac-bin 0 name mac-bin
@ -139,7 +142,7 @@
!:mime application/x-macbinary !:mime application/x-macbinary
!:apple PSPTBINA !:apple PSPTBINA
!:ext bin/macbin !:ext bin/macbin
# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified as MacBinary # THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary
#>1 ubyte >63 \b, name length %u too BIG! #>1 ubyte >63 \b, name length %u too BIG!
#>122 ubeshort x \b, version %#x #>122 ubeshort x \b, version %#x
# Finder flags if not 0 # Finder flags if not 0
@ -180,12 +183,16 @@
# 124 beshort # checksum # 124 beshort # checksum
#>124 ubeshort !0 \b, CRC %#x #>124 ubeshort !0 \b, CRC %#x
# creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 # creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080
>91 beldate-0x7C25B080 x \b, %s # few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields
# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified or time overflow >91 long !0
>>91 beldate-0x7C25B080 x \b, %s
# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow
>91 ubelong <0x7c25b080 INVALID date >91 ubelong <0x7c25b080 INVALID date
#>91 belong-0x7C25B080 x \b, DEBUG DATE %d # reported date seconds by deark
#>91 ubelong x deark-DATE=%u
# last modified date # last modified date
>95 beldate-0x7C25B080 x \b, modified %s >95 long !0
>>95 beldate-0x7C25B080 x \b, modified %s
# Apple creator+typ if not null # Apple creator+typ if not null
# file creator (normally expressed as four characters) # file creator (normally expressed as four characters)
>69 ulong !0 \b, creator >69 ulong !0 \b, creator
@ -197,6 +204,7 @@
# length of data segment # length of data segment
>83 ubelong !0 \b, %u bytes >83 ubelong !0 \b, %u bytes
# filename (in the range 1-63) # filename (in the range 1-63)
# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)"
>1 pstring x "%s" >1 pstring x "%s"
# print 1 space and then at offset 128 inspect data fork content if it has one # print 1 space and then at offset 128 inspect data fork content if it has one
>83 ubelong !0 \b >83 ubelong !0 \b
@ -447,7 +455,7 @@
>>>0x412 beshort x number of blocks: %d, >>>0x412 beshort x number of blocks: %d,
>>>0x424 pstring x volume name: %s >>>0x424 pstring x volume name: %s
0x400 beshort 0x482B Macintosh HFS Extended 0 name hfsplus
>&0 beshort x version %d data >&0 beshort x version %d data
>0 beshort 0x4C4B (bootable) >0 beshort 0x4C4B (bootable)
>0x404 belong ^0x00000100 (mounted) >0x404 belong ^0x00000100 (mounted)
@ -466,6 +474,11 @@
>&42 belong x number of blocks: %d, >&42 belong x number of blocks: %d,
>&46 belong x free blocks: %d >&46 belong x free blocks: %d
0x400 beshort 0x482B Apple HFS Plus
>&0 use hfsplus
0x400 beshort 0x4858 Apple HFS Plus Extended
>&0 use hfsplus
## AFAIK, only the signature is different ## AFAIK, only the signature is different
# same as Apple Partition Map # same as Apple Partition Map
# GRR: This magic is too weak, it is just "TS" # GRR: This magic is too weak, it is just "TS"
@ -490,14 +503,3 @@
# From: Remi Mommsen <mommsen@slac.stanford.edu> # From: Remi Mommsen <mommsen@slac.stanford.edu>
0 string BOMStore Mac OS X bill of materials (BOM) file 0 string BOMStore Mac OS X bill of materials (BOM) file
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
# URL: https://en.wikipedia.org/wiki/Datafork_TrueType
# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is
# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I
# don't know what they mean.
0 belong 0x100
>(0x4.L+24) beshort x
>>&4 belong 0x73666e74 Mac OSX datafork font, TrueType
>>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT'
>>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT'
>>&4 belong 0x504f5354 Mac OSX datafork font, PostScript

View file

@ -1,10 +1,71 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ # $File: magic,v 1.11 2023/06/27 13:42:49 christos Exp $
# magic: file(1) magic for magic files # magic: file(1) magic for magic files
# #
0 string/t #\ Magic magic text file for file(1) cmd # Update: Joerg Jenderek
# skip Magicsee_R1.cfg found on retropie starting with # Magicsee R1 one-handed controller
0 string/t #\ Magic\ magic text file for file(1) cmd
#!:mime text/plain
!:mime text/x-file
# no suffix in ../Header
!:ext /
#
# some samples start with a comment line
0 ubyte =0x23
# many samples start with separator line
>4 string --------
>>0 use magic-fragment
# few samples with 1st comment line and without seperator comment line
>4 default x
# few sample with 1st comment line and without seperator comment line and regular expression like: sisu
>>1 search/112 regex\x09
>>>0 use magic-fragment
>>1 default x
# few samples with 1st comment line and without seperator comment line and string value like:
# blcr bsi selinux ssh (file 3.34) digital gnu wordperfect
>>>1 search/471 string\x09
>>>>0 use magic-fragment
>>>1 default x
# few samples with 1st comment line and without seperator comment line and short value like:
# (file 3.34) os9 osf1
>>>>1 search/1716 short\x09
>>>>>0 use magic-fragment
# but many samples start with an empty first line
0 ubyte =0x0A
# many samples sttart with separator comment line
>4 string --------
>>0 use magic-fragment
# few samples with 1st empty line and without seperator comment line like: biosig espressif
>4 default x
>>1 search/581 \041:mime
>>>0 use magic-fragment
# display information (lines) about magic text fragment
0 name magic-fragment
>0 string x magic text fragment for file(1) cmd
!:mime text/x-file
# most without suffix but mail.news varied.out varied.script
!:ext /news/out/script
# next lines are mainly for control reasons
# some (34/339) samples start comment line
>0 ubyte !0x0A
>>0 string x \b, 1st line "%s"
>>>&1 string x \b, 2nd line "%s"
# but most (305/339) samples start with an empty first line
>0 ubyte =0x0A
>>1 string x \b, 2nd line "%s"
>>>&1 string x \b, 3rd line "%s"
#
# URL: http://en.wikipedia.org/wiki/File_(command)
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mgc.trid.xml
# Note: called "magic compiled data (LE)" by TrID
0 lelong 0xF11E041C magic binary file for file(1) cmd 0 lelong 0xF11E041C magic binary file for file(1) cmd
#!:mime application/octet-stream
!:mime application/x-file
!:ext mgc
>4 lelong x (version %d) (little endian) >4 lelong x (version %d) (little endian)
0 belong 0xF11E041C magic binary file for file(1) cmd 0 belong 0xF11E041C magic binary file for file(1) cmd
#!:mime application/octet-stream
!:mime application/x-file
!:ext mgc
>4 belong x (version %d) (big endian) >4 belong x (version %d) (big endian)

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: mail.news,v 1.28 2021/09/11 19:20:15 christos Exp $ # $File: mail.news,v 1.30 2022/10/31 13:22:26 christos Exp $
# mail.news: file(1) magic for mail and news # mail.news: file(1) magic for mail and news
# #
# Unfortunately, saved netnews also has From line added in some news software. # Unfortunately, saved netnews also has From line added in some news software.
@ -44,8 +44,54 @@
#0 string/t Content- MIME entity text #0 string/t Content- MIME entity text
# TNEF files... # TNEF files...
0 lelong 0x223E9F78 Transport Neutral Encapsulation Format # URL: http://fileformats.archiveteam.org/wiki/Transport_Neutral_Encapsulation_Format
# https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tnef.trid.xml
# https://interoperability.blob.core.windows.net/files/MS-OXTNEF/%5bMS-OXTNEF%5d-210817.pdf
# Update: Joerg Jenderek
# Note: moved and merged from ./msdos (version 1.154) there just called "TNEF"
# partly verified by `tnef --list -v -f voice.tnef` and `ytnef -v triples.tnef`
# TNEF magic From "Joomy" <joomy@se-ed.net>
# TNEF_SIGNATURE
0 lelong 0x223E9F78 Transport Neutral Encapsulation Format (TNEF)
!:mime application/vnd.ms-tnef !:mime application/vnd.ms-tnef
# winmail.dat or win.dat by Microsoft Outlook
!:ext tnef/dat
# https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-oxtnef/7fdb64ee-7f63-4d95-9af1-c672e7475c3a
# LegacyKey
#>4 uleshort x \b, key %#4.4x
# attrLevelMessage; Level where attribute applies like: 1~attrLevelMessage 2~attrLevelAttachment
>6 ubyte !1 \b, 1st level %#2.2x
# other ID (like 02900000h) or TnefVersion ID (idTnefVersion=06900800h)
>7 ubelong !0x06900800 \b, 1st id %#8.8x
>7 ubelong =0x06900800
# TnefVersion length like: 4
>>11 ulelong !4 \b, TnefVersion length %x
# TNEFVersionData; TnefVersion data like: 00010000h
>>15 ulelong !0x00010000h \b, version %#8.8x
# Checksum like: 1
>>19 uleshort !1 \b, checksum %#4.4x
# attrLevelMessage; level of attOemCodepage like: 1
>>21 ubyte !1 \b, level %#2.2x
# idOEMCodePage; OEMCodePage ID like: 07900600h
>>22 ubelong =0x07900600 \b, OEM codepage
# OEMCodePage length like: 8
>>>26 ulelong =8
# OEMCodePageData; PrimaryCodePage like: 1251 1252
>>>>30 ulelong x %u
# OEMCodePageData; SecondaryCodePage; unused and SHOULD contain zero
>>>>34 ulelong !0 and %u
# OEMCodePageData Checksum like: E7h E8h
>>>>38 uleshort x (checksum %#x)
# attrLevelMessage of attMessageClass like: 1
>>40 ubyte !1 \b, level %u
# idMessageClass; ID of attMessageClass like: 08800700h
>>41 ubelong =0x08800700 \b, MessageAttribute
# attMessageClass length like: 16 24 25
#>>>45 ulelong x (length %u)
# attMessageClass data like: "IPM.Microsoft Mail.Note" "IPM.Note.Portada Newseum"
# "IPM.Appointment" "IPM.Note.Microsoft.Voicemail.UM.CA"
>>>45 pstring/l x "%s"
# From: Kevin Sullivan <ksulliva@psc.edu> # From: Kevin Sullivan <ksulliva@psc.edu>
0 string *mbx* MBX mail folder 0 string *mbx* MBX mail folder

View file

@ -1,36 +1,21 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: make,v 1.4 2018/05/29 17:26:02 christos Exp $ # $File: make,v 1.5 2022/03/12 15:09:47 christos Exp $
# make: file(1) magic for makefiles # make: file(1) magic for makefiles
# #
# URL: https://en.wikipedia.org/wiki/Make_(software) # URL: https://en.wikipedia.org/wiki/Make_(software)
0 regex/100l \^CFLAGS makefile script text 0 regex/100l \^(CFLAGS|VPATH|LDFLAGS|all:|\\.PRECIOUS) makefile script text
!:mime text/x-makefile
0 regex/100l \^VPATH makefile script text
!:mime text/x-makefile
0 regex/100l \^LDFLAGS makefile script text
!:mime text/x-makefile
0 regex/100l \^all: makefile script text
!:mime text/x-makefile
0 regex/100l \^\\.PRECIOUS makefile script text
!:mime text/x-makefile !:mime text/x-makefile
!:strength -15
# Update: Joerg Jenderek # Update: Joerg Jenderek
# Reference: https://www.freebsd.org/cgi/man.cgi?make(1) # Reference: https://www.freebsd.org/cgi/man.cgi?make(1)
# exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST" # exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST"
# by additional escaping point character # by additional escaping point character
0 regex/100l \^\\.BEGIN BSD makefile script text
!:mime text/x-makefile
!:ext /mk
!:strength +10
# exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT" # exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT"
# and NSIS script with "!include" by additional escaping point character # and NSIS script with "!include" by additional escaping point character
0 regex/100l \^\\.include BSD makefile script text 0 regex/100l \^\\.(BEGIN|endif|include) BSD makefile script text
!:mime text/x-makefile !:mime text/x-makefile
!:ext /mk !:ext /mk
!:strength +10 !:strength -10
0 regex/100l \^\\.endif BSD makefile script text 0 regex/100l \^SUBDIRS[[:space:]]+= automake makefile script text
!:mime text/x-makefile !:mime text/x-makefile
!:ext /mk !:strength -15
!:strength +10
0 regex/100l \^SUBDIRS automake makefile script text
!:mime text/x-makefile
!:strength +10

View file

@ -1,7 +1,7 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: map,v 1.9 2021/04/26 15:56:00 christos Exp $ # $File: map,v 1.10 2023/02/03 20:41:57 christos Exp $
# map: file(1) magic for Map data # map: file(1) magic for Map data
# #
@ -406,3 +406,8 @@
>>>>5 byte x \b%d, >>>>5 byte x \b%d,
>>>>6 leshort x product ID %04d) >>>>6 leshort x product ID %04d)
# Garmin firmware:
# https://www.memotech.franken.de/FileFormats/Garmin_GCD_Format.pdf
# https://www.gpsrchive.com/GPSMAP/GPSMAP%2066sr/Firmware.html
0 string GARMIN
>6 uleshort 100 GARMIN firmware (version 1.0)

View file

@ -1,48 +1,59 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: mathematica,v 1.13 2021/07/14 09:06:24 christos Exp $ # $File: mathematica,v 1.17 2023/06/16 19:33:58 christos Exp $
# mathematica: file(1) magic for mathematica files # mathematica: file(1) magic for mathematica files
# "H. Nanosecond" <aldomel@ix.netcom.com> # "H. Nanosecond" <aldomel@ix.netcom.com>
# Mathematica a multi-purpose math program # Mathematica a multi-purpose math program
# versions 2.2 and 3.0 # versions 2.2 and 3.0
0 name wolfram
>0 string x Mathematica notebook version 2.x
!:ext mb
!:mime application/vnd.wolfram.mathematica
#mathematica .mb #mathematica .mb
0 string \064\024\012\000\035\000\000\000 Mathematica version 2 notebook 0 string \064\024\012\000\035\000\000\000
!:ext mb >0 use wolfram
0 string \064\024\011\000\035\000\000\000 Mathematica version 2 notebook 0 string \064\024\011\000\035\000\000\000
!:ext mb >0 use wolfram
#
0 search/1000 Content-type:\040application/mathematica Mathematica notebook version 2.x
!:ext nb
!:mime application/mathematica
# .ma # .ma
# multiple possibilities: # multiple possibilities:
0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook 0 string (*^\n\n::[\011frontEndVersion\ =
#>41 string >\0 %s #>41 string >\0 %s
!:ext mb >0 use wolfram
#0 string (*^\n\n::[\011palette Mathematica notebook version 2.x #0 string (*^\n\n::[\011palette
#0 string (*^\n\n::[\011Information Mathematica notebook version 2.x #0 string (*^\n\n::[\011Information
#>675 string >\0 %s #doesn't work well #>675 string >\0 %s #doesn't work well
# there may be 'cr' instead of 'nl' in some does this matter? # there may be 'cr' instead of 'nl' in some does this matter?
# generic: # generic:
0 string (*^\r\r::[\011 Mathematica notebook version 2.x 0 string (*^\r\r::[\011
!:ext mb >0 use wolfram
0 string (*^\r\n\r\n::[\011 Mathematica notebook version 2.x 0 string (*^\r\n\r\n::[\011
!:ext mb >0 use wolfram
0 string (*^\015 Mathematica notebook version 2.x 0 string (*^\015
!:ext mb >0 use wolfram
0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x 0 string (*^\n\r\n\r::[\011
!:ext mb >0 use wolfram
0 string (*^\r::[\011 Mathematica notebook version 2.x 0 string (*^\r::[\011
!:ext mb >0 use wolfram
0 string (*^\r\n::[\011 Mathematica notebook version 2.x 0 string (*^\r\n::[\011
!:ext mb >0 use wolfram
0 string (*^\n\n::[\011 Mathematica notebook version 2.x 0 string (*^\n\n::[\011
!:ext mb >0 use wolfram
0 string (*^\n::[\011 Mathematica notebook version 2.x 0 string (*^\n::[\011
!:ext mb >0 use wolfram
# Mathematica .mx files # Mathematica .mx files
@ -117,16 +128,33 @@
13 ushort 0 13 ushort 0
# check for valid ASCII matrix name # check for valid ASCII matrix name
>20 ubyte >0x1F >20 ubyte >0x1F
# skip PreviousEntries.dat with "invalid high" name \304P\344@\001
>>20 ubyte <0304
# skip some Netwfw*.dat and $I3KREPH.dat by checking for non zero number of rows
>>>4 ulong !0
# skip some CD-ROM filesystem like test-hfs.iso by looking for valid big endian type flag # skip some CD-ROM filesystem like test-hfs.iso by looking for valid big endian type flag
>>0 ubelong&0xFFffFF00 0x00000300 >>>>0 ubelong&0xFFffFF00 0x00000300
>>>0 use matlab4 >>>>>0 use matlab4
# no example for 8-bit and 16-bit integers matrix # no example for 8-bit and 16-bit integers matrix
>>0 ubelong&0xFFffFF00 0x00000400 >>>>0 ubelong&0xFFffFF00 0x00000400
>>>0 use matlab4 >>>>>0 use matlab4
>>0 ulelong x # branch for Little-Endian variant of Matlab MATrix version 4
# skip big endian variant by looking for valid low lttle endian type flag # skip big endian variant by looking for valid low lttle endian type flag
>>0 ulelong <53 >>>>0 ulelong <53
>>>0 use \^matlab4 # skip tokens.dat and some Netwfw*.dat by check for valid imaginary flag value of MAT version 4
>>>>>12 ulelong <2
# no misidentified little endian MATrix example with "short" matrix name
>>>>>>16 ulelong <3
# skip radeon firmware BONAIRE_sdma.bin HAWAII_sdma.bin KABINI_sdma.bin KAVERI_sdma.bin MULLINS_sdma.bin
# by check for non zero matrix name length
>>>>>>>16 ubelong >0
>>>>>>>>0 use \^matlab4
# little endian MATrix with "long" matrix name or some misidentified samples
>>>>>>16 ulelong >2
# skip TileCacheLogo-*.dat with invalid 2nd character \001 of matrix name with length 96
>>>>>>>21 ubyte >0x1F
>>>>>>>>0 use \^matlab4
# Note: called "MATLAB Mat File" with version "Level 4" by DROID via PUID fmt/1550
# display information of Matlab v4 mat-file # display information of Matlab v4 mat-file
0 name matlab4 Matlab v4 mat-file 0 name matlab4 Matlab v4 mat-file
#!:mime application/octet-stream #!:mime application/octet-stream
@ -145,8 +173,10 @@
>0 ubelong/1000 4 (Cray) >0 ubelong/1000 4 (Cray)
# namlen; the length of the matrix name # namlen; the length of the matrix name
#>16 ubelong x \b, name length %u #>16 ubelong x \b, name length %u
#>(16.L+19) ubyte x \b, TERMINATING NAME CHARACTER=%#x
# nul terminated matrix name like: fit_params testmatrix testsparsecomplex teststringarray # nul terminated matrix name like: fit_params testmatrix testsparsecomplex teststringarray
#>20 string x \b, MATRIX NAME="%s" #>20 string x \b, MATRIX NAME="%s"
#>21 ubyte x \b, MAYBE 2ND CHAR=%c
>16 pstring/L x %s >16 pstring/L x %s
# T indicates the matrix type: 0~numeric 1~text 2~sparse # T indicates the matrix type: 0~numeric 1~text 2~sparse
#>0 ubelong%10 x \b, T=%u #>0 ubelong%10 x \b, T=%u
@ -158,5 +188,5 @@
# ncols; number of columns in the matrix like: 1 3 4 5 9 43 # ncols; number of columns in the matrix like: 1 3 4 5 9 43
>8 ubelong x \b, columns %u >8 ubelong x \b, columns %u
# imagf; imaginary flag; 1~matrix has an imaginary part 0~only real data # imagf; imaginary flag; 1~matrix has an imaginary part 0~only real data
>12 ubelong !0 \b, imaginary >12 ubelong !0 \b, imaginary (%u)
# real; Real part of the matrix consists of mrows * ncols numbers # real; Real part of the matrix consists of mrows * ncols numbers

View file

@ -1,14 +1,28 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: mcrypt,v 1.5 2009/09/19 16:28:10 christos Exp $ # $File: mcrypt,v 1.6 2022/02/08 18:51:45 christos Exp $
# Mavroyanopoulos Nikos <nmav@hellug.gr> # Mavroyanopoulos Nikos <nmav@hellug.gr>
# mcrypt: file(1) magic for mcrypt 2.2.x; # mcrypt: file(1) magic for mcrypt 2.2.x;
# URL: https://en.wikipedia.org/wiki/Mcrypt
# http://fileformats.archiveteam.org/wiki/MCrypt
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nc-mcrypt.trid.xml
# Update: Joerg Jenderek
# Note: called by TrID "mcrypt encrypted (v2.5)"
0 string \0m\3 mcrypt 2.5 encrypted data, 0 string \0m\3 mcrypt 2.5 encrypted data,
#!:mime application/octet-stream
!:mime application/x-crypt-nc
!:ext nc
>4 string >\0 algorithm: %s, >4 string >\0 algorithm: %s,
>>&1 leshort >0 keysize: %d bytes, >>&1 leshort >0 keysize: %d bytes,
>>>&0 string >\0 mode: %s, >>>&0 string >\0 mode: %s,
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nc-mcrypt-22.trid.xml
# Note: called by TrID "mcrypt encrypted (v2.2)"
0 string \0m\2 mcrypt 2.2 encrypted data, 0 string \0m\2 mcrypt 2.2 encrypted data,
#!:mime application/octet-stream
!:mime application/x-crypt-nc
# no example
!:ext nc
>3 byte 0 algorithm: blowfish-448, >3 byte 0 algorithm: blowfish-448,
>3 byte 1 algorithm: DES, >3 byte 1 algorithm: DES,
>3 byte 2 algorithm: 3DES, >3 byte 2 algorithm: 3DES,

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ # $File: meteorological,v 1.4 2022/12/09 18:02:09 christos Exp $
# rinex: file(1) magic for RINEX files # rinex: file(1) magic for RINEX files
# http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt
# ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf
@ -45,5 +45,9 @@
# https://en.wikipedia.org/wiki/GRIB # https://en.wikipedia.org/wiki/GRIB
0 string GRIB 0 string GRIB
>7 byte =1 Gridded binary (GRIB) version 1 >7 byte =1 Gridded binary (GRIB) version 1
!:mime application/x-grib
!:ext grb/grib
>7 byte =2 Gridded binary (GRIB) version 2 >7 byte =2 Gridded binary (GRIB) version 2
!:mime application/x-grib2
!:ext grb2/grib2

View file

@ -1,11 +1,71 @@
#----------------------------------------------------------------------------- #-----------------------------------------------------------------------------
# $File: misctools,v 1.20 2021/05/25 15:13:55 christos Exp $ # $File: misctools,v 1.21 2023/02/03 20:43:48 christos Exp $
# misctools: file(1) magic for miscellaneous UNIX tools. # misctools: file(1) magic for miscellaneous UNIX tools.
# #
0 search/1 %%!! X-Post-It-Note text 0 search/1 %%!! X-Post-It-Note text
0 string/c BEGIN:VCALENDAR vCalendar calendar file # URL: http://fileformats.archiveteam.org/wiki/ICalendar
!:mime text/calendar # https://en.wikipedia.org/wiki/ICalendar
# Update: Joerg Jenderek
# Reference: https://www.rfc-editor.org/rfc/rfc5545
# http://mark0.net/download/triddefs_xml.7z/defs/v/vcs.trid.xml
# Note: called "iCalendar - vCalendar" by TrID
0 string/c BEGIN:vcalendar
# skip DROID fmt-387-signature-id-572.vcs fmt-388-signature-id-573.ics
# with invalid separator 0x0 or 0xAB instead of CarriageReturn (0x0D) or LineFeed (0x0A)
>15 ubyte&0xF8 =0x08
# look for VERSION keyword often on second line but sometimes later as in holidays_NRW_2014.ics
>>0 search/188 VERSION
# after VERSION keword :1.0 or often :2.0 but sometimes also ;VALUE=TEXT:2.0 like in Jewish religious Juish.ics
# http://www.webcal.guru/de-DE/kalender_herunterladen?calendar_instance_id=217
# \n\040:2.0 like in import-real-world-2004-11-19.ics found at
# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz
# emacs-28.1/test/lisp/calendar/icalendar-resources/import-real-world-2004-11-19.ics
#>>>&0 string x AFTER_VERSION=%.15s
# Note: called "Internet Calendar and Scheduling format" by DROID via PUID fmt/388
# skip optional verparam=;other-param like ;VALUE=TEXT and look for version 2.0 that implies iCalendar variant
>>>&0 search/81 :2.0 iCalendar calendar
# look for Free/Busy component
>>>>15 search/278 :VFREEBUSY file, with Free/Busy component
!:mime text/calendar
!:apple ????iFBf
# no real examples found but only example on Wikipedia page
!:ext ifb
# iCalendar calendar without Free/Busy component
>>>>15 default x
# look for ALARM component
>>>>>15 search/154 :VALARM file, with ALARM component
!:mime text/calendar
!:apple ????iCal
# found on macOS beneath /Users/$USER/Library/Calendars/ as EventAllDayAlarms.icsalarm or EventTimedAlarms.icsalarm
# no isc examples found
!:ext icsalarm/ics
# iCalendar calendar without Free/Busy component and ALARM component
>>>>>15 default x file
!:mime text/calendar
!:apple ????iCal
# no examples found with .ical .icalender suffix
!:ext ics
# if no VERSION 2.0 is found then assume it is VERSION 1.0, that is older vCalendar
# URL: http://fileformats.archiveteam.org/wiki/VCalendar
# Note: called "VCalendar format" by DROID via fmt/387
>>>&0 default x vCalendar calendar file
# deprecated
!:mime text/x-vcalendar
!:ext vcs
# GRR: without VERSION keyword violates specification but accepted by Thunderbird like
# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz
# emacs-28.1/test/lisp/calendar/icalendar-resources/import-with-timezone.ics
>>0 default x vCalendar calendar file, without VERSION
!:mime text/x-vcalendar
#!:mime text/calendar
# no vcs example found
!:ext ics/vcs
# GRR: According to newest specification CarriageReturn (0xD) and LineFeed (0xA) should be used as separator but others accepted by Thunderbird
# like CRLF,LF in Sport Today.vcs created by calendar plugin of TV-Browser https://enwiki.tvbrowser.org/index.php/Calendar_Export
# or LF like https://www.schulferien.org/media/ical/deutschland/ferien_nordrhein-westfalen_2023.ics?k=foo
>>15 ubeshort !0x0D0A \b, without CRLF
# updated by Joerg Jenderek at Apr 2015, May 2021 # updated by Joerg Jenderek at Apr 2015, May 2021
# https://en.wikipedia.org/wiki/VCard # https://en.wikipedia.org/wiki/VCard
# URL: http://fileformats.archiveteam.org/wiki/VCard # URL: http://fileformats.archiveteam.org/wiki/VCard

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: modem,v 1.10 2021/04/26 15:56:00 christos Exp $ # $File: modem,v 1.11 2022/10/19 20:15:16 christos Exp $
# modem: file(1) magic for modem programs # modem: file(1) magic for modem programs
# #
# From: Florian La Roche <florian@knorke.saar.de> # From: Florian La Roche <florian@knorke.saar.de>
@ -11,6 +11,7 @@
# Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). # Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header).
# Modified by: Joerg Jenderek # Modified by: Joerg Jenderek
# URL: https://de.wikipedia.org/wiki/Fax # URL: https://de.wikipedia.org/wiki/Fax
# http://fileformats.archiveteam.org/wiki/CCITT_Group_3
# Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm
# GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others
0 short 0x0100 0 short 0x0100
@ -32,7 +33,10 @@
# skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom
>>>>>>8 ubequad !0x2e01010454010203 >>>>>>8 ubequad !0x2e01010454010203
# skip PICTUREH.SML found on Golden Orchard Apple II CD Rom # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom
>>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded >>>>>>>8 ubequad !0x5dee74ad1aa56394
# skip few (5/41) DEGAS mid-res bitmap (GEMINI01.PI2 GEMINI02.PI2 GEMINI03.PI2 CODE_RAM.PI2 TBX_DEMO.PI2)
# with file size 32034
>>>>>>>>-0 offset !32034 raw G3 (Group 3) FAX, byte-padded
# version 5.25 labeled the entry above "raw G3 data, byte-padded" # version 5.25 labeled the entry above "raw G3 data, byte-padded"
!:mime image/g3fax !:mime image/g3fax
#!:apple ????TIFF #!:apple ????TIFF
@ -43,7 +47,9 @@
# 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom
>2 search/9 \0\0 >2 search/9 \0\0
# maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3
>2 default x raw G3 (Group 3) FAX >2 default x
# skip some (84/1246) MacBinary II/III (Cyberdog2.068k.smi.bin FileMakerPro4.img.bin Hypercard1.25.image.bin UsbStorage1.3.5.smi.bin) with "non random" numbers by versions values 81h/82h + 81h
>>122 ubeshort&0xFcFf !0x8081 raw G3 (Group 3) FAX
# version 5.25 labeled the above entry as "raw G3 data" # version 5.25 labeled the above entry as "raw G3 data"
!:mime image/g3fax !:mime image/g3fax
!:ext g3 !:ext g3

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: msdos,v 1.152 2021/10/12 18:26:10 christos Exp $ # $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $
# msdos: file(1) magic for MS-DOS files # msdos: file(1) magic for MS-DOS files
# #
@ -49,29 +49,127 @@
# #
# Many of the compressed formats were extracted from IDARC 1.23 source code. # Many of the compressed formats were extracted from IDARC 1.23 source code.
# #
# e_magic
0 string/b MZ 0 string/b MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. # TODO
>0x18 leshort <0x40 MS-DOS executable # FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition
# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker
# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker
# FOD: WIFE Font Driver
# GAU: MS Flight Simulator Gauge
# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2
# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB
# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB
# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya
# PFL: PhotoFilter plugin http://photofiltre.free.fr
# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html
# PLG: Aston Shell plugin http://www.astonshell.com/
# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC
# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm
# TBK: Asymetrix ToolBook application http://www.toolbook.com
# TBP: The Bat! plugin http://www.ritlabs.com
# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com
# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com
# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/
# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com
#
# NEXT LINES FOR DEBUGGING!
# e_cblp; bytes on last page of file
# e_cp; pages in file
#>4 uleshort x \b, e_cp 0x%x
# e_lfanew; file address of new exe header
#>0x3c ulelong x \b, e_lfanew 0x%x
# e_lfarlc; address of relocation table
#>0x18 uleshort x \b, e_lfarlc=0x%x
# e_ovno; overlay number. If zero, this is the main executable foo
#>0x1a uleshort !0 \b, e_ovno 0x%x
#>0x1C ubequad !0 \b, e_res 0x%16.16llx
# e_oemid; often 0
#>0x24 uleshort !0 \b, e_oemid 0x%x
# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV)
# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV)
#>0x26 uleshort !0 \b, e_oeminfo 0x%x
# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe
# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE
#>0x28 ubequad !0 \b, e_res2 0x%16.16llx
# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593
# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs
# new exe header magic like: PE NE LE LX W3 W4
# no examples found for ZM DL MP P2 P3
#>(0x3c.l) string x \b, at [0x3c] %.2s
#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x
#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x
#
# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file.
# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead
# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c
# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0
# Icon library WORD60.ICL e_lfarlc=0
# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0
>0x18 uleshort <0x40
# check magic of new second header
# NE executable with low e_lfarlc like: WORD60.ICL
# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library
>>(0x3c.l) string NE Windows Icons Library 16-bit
!:mime image/x-ms-icl
!:ext icl
# handle LX executable with low e_lfarlc like: PCISCAN.EXE
>>(0x3c.l) string LX
>>>(0x3c.l) use lx-executable
# skip Portable Executable (PE) with low e_lfarlc here, because handled later
# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS
>>(0x3c.l) string PE
# not New Executable (NE) and not PE with low e_lfarlc like:
# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe
>>(0x3c.l) default x MS-DOS executable, MZ for MS-DOS
!:mime application/x-dosexec !:mime application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM # Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake. # extension, mostly for compatibility's sake.
# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM
# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM # URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml # Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
!:ext exe/com/vlm # also like: BGISRV.DRV
!:ext exe/com/vlm/drv
# These traditional tests usually work but not always. When test quality support is # These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on. # implemented these can be turned on.
#>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler) #>>0x18 leshort 0x1e (MS compiler)
# Maybe it's a PE? # Maybe it's a PE?
# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable
# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format
>(0x3c.l) string PE\0\0 PE >(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec !:mime application/vnd.microsoft.portable-executable
# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics
# DLL Characteristics
#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x,
# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file
# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program.
# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL)
>>(0x3c.l+24) leshort 0x010b \b32 executable >>(0x3c.l+24) leshort 0x010b \b32 executable
# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem
#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u
>>(0x3c.l+24) leshort 0x020b \b32+ executable >>(0x3c.l+24) leshort 0x020b \b32+ executable
#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u
>>(0x3c.l+24) leshort 0x0107 ROM image >>(0x3c.l+24) leshort 0x0107 ROM image
>>(0x3c.l+24) default x Unknown PE signature >>(0x3c.l+24) default x Unknown PE signature
>>>&0 leshort x %#x >>>&0 leshort x %#x
>>(0x3c.l+22) leshort&0x2000 >0 (DLL) >>(0x3c.l+22) leshort&0x2000 >0 (DLL)
# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem
>>(0x3c.l+92) leshort 0 (
# Summary: Microsoft compiled help *.HXS format 2.0
# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2
# Reference: http://www.russotto.net/chm/itolitlsformat.html
# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml
# Note: 2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS
# verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS`
>>>(0x3c.l+6) uleshort =2 \bMicrosoft compiled help format 2.0)
!:ext hxs
# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like:
# CPL: Control Panel item for WINE 1.7.28 https://www.winehq.org/
>>>(0x3c.l+6) uleshort !2 \bControl Panel Item)
!:ext cpl
# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes
>>(0x3c.l+92) leshort 1 >>(0x3c.l+92) leshort 1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the # Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys. # drivers in Windows/System32/drivers/*.sys.
@ -79,6 +177,7 @@
!:ext dll/sys !:ext dll/sys
>>>(0x3c.l+22) leshort&0x2000 0 (native) >>>(0x3c.l+22) leshort&0x2000 0 (native)
!:ext exe/sys !:ext exe/sys
# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem
>>(0x3c.l+92) leshort 2 >>(0x3c.l+92) leshort 2
>>>(0x3c.l+22) leshort&0x2000 >0 (GUI) >>>(0x3c.l+22) leshort&0x2000 >0 (GUI)
# These could probably be at least partially distinguished from one another by # These could probably be at least partially distinguished from one another by
@ -94,21 +193,72 @@
# Screen savers typically include code from the scrnsave.lib static library, but # Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed. # that's not guaranteed.
!:ext exe/scr !:ext exe/scr
# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem
>>(0x3c.l+92) leshort 3 >>(0x3c.l+92) leshort 3
>>>(0x3c.l+22) leshort&0x2000 >0 (console) >>>(0x3c.l+22) leshort&0x2000 >0 (console)
!:ext dll/cpl/tlb/ocx/acm/ax/ime !:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (console) >>>(0x3c.l+22) leshort&0x2000 0 (console)
!:ext exe/com !:ext exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format # NO Windows Subsystem number 4!
>>(0x3c.l+92) leshort 7 (POSIX) >>(0x3c.l+92) leshort 4 (Unknown subsystem 4)
>>(0x3c.l+92) leshort 9 (Windows CE) # 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem
>>(0x3c.l+92) leshort 5 (OS/2)
# GRR: No examples found by Joerg Jenderek
#!:ext foo-exe-os2
# NO Windows Subsystem number 6!
>>(0x3c.l+92) leshort 6 (Unknown subsystem 6)
# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem
>>(0x3c.l+92) leshort 7 (POSIX
>>>(0x3c.l+22) leshort&0x2000 >0 \b)
# like: PSXDLL.DLL
!:ext dll
>>>(0x3c.l+22) leshort&0x2000 0 \b)
# like: PAX.EXE
!:ext exe
# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver
>>(0x3c.l+92) leshort 8 (Win9x)
# GRR: No examples found by Joerg Jenderek
#!:ext foo-exe-win98
# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE
>>(0x3c.l+92) leshort 9 (Windows CE
>>>(0x3c.l+22) leshort&0x2000 >0 \b)
# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL
!:ext dll
>>>(0x3c.l+22) leshort&0x2000 0 \b)
# like: NNGStart.exe navigator.exe
!:ext exe
# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application
>>(0x3c.l+92) leshort 10 (EFI application) >>(0x3c.l+92) leshort 10 (EFI application)
# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi
!:ext efi
# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services
>>(0x3c.l+92) leshort 11 (EFI boot service driver) >>(0x3c.l+92) leshort 11 (EFI boot service driver)
# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi
!:ext efi
>>(0x3c.l+92) leshort 12 (EFI runtime driver) >>(0x3c.l+92) leshort 12 (EFI runtime driver)
# no sample found
!:ext efi
# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image
>>(0x3c.l+92) leshort 13 (EFI ROM) >>(0x3c.l+92) leshort 13 (EFI ROM)
# no sample found
!:ext efi
# 14~IMAGE_SUBSYSTEM_XBOX XBOX
>>(0x3c.l+92) leshort 14 (XBOX) >>(0x3c.l+92) leshort 14 (XBOX)
>>(0x3c.l+92) leshort 15 (Windows boot application) #!:ext foo-xbox
>>(0x3c.l+92) default x (Unknown subsystem # NO Windows Subsystem number 15!
>>(0x3c.l+92) leshort 15 (Unknown subsystem 15)
# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application
>>(0x3c.l+92) leshort 16 (Windows boot application
>>>(0x3c.l+22) leshort&0x2000 >0 \b)
# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll
!:ext dll
>>>(0x3c.l+22) leshort&0x2000 0 \b)
# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll
!:ext efi/exe
# GRR: the next 2 lines are not executed!
#>>(0x3c.l+92) default x (Unknown subsystem
#>>>&0 leshort x %#x)
>>(0x3c.l+92) leshort >16 (Unknown subsystem
>>>&0 leshort x %#x) >>>&0 leshort x %#x)
>>(0x3c.l+4) leshort 0x14c Intel 80386 >>(0x3c.l+4) leshort 0x14c Intel 80386
>>(0x3c.l+4) leshort 0x166 MIPS R4000 >>(0x3c.l+4) leshort 0x166 MIPS R4000
@ -136,10 +286,13 @@
>>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit >>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit
>>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit >>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit
>>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit >>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit
>>(0x3c.l+4) leshort 0x6232 LoongArch 32-bit
>>(0x3c.l+4) leshort 0x6264 LoongArch 64-bit
>>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R >>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R
>>(0x3c.l+4) leshort 0x8664 x86-64 >>(0x3c.l+4) leshort 0x8664 x86-64
>>(0x3c.l+4) leshort 0xaa64 Aarch64 >>(0x3c.l+4) leshort 0xaa64 Aarch64
>>(0x3c.l+4) leshort 0xc0ee MSIL >>(0x3c.l+4) leshort 0xc0ee MSIL
# GRR: the next 2 lines are not executed!
>>(0x3c.l+4) default x Unknown processor type >>(0x3c.l+4) default x Unknown processor type
>>>&0 leshort x %#x >>>&0 leshort x %#x
>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) >>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
@ -176,33 +329,134 @@
>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
>>0x30 string Inno \b, InnoSetup self-extracting archive >>0x30 string Inno \b, InnoSetup self-extracting archive
# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc.
# PE used as container have less sections
>>(0x3c.l+6) leshort >1 \b, %u sections
# do not display for 1 section to get output like in version 5.43 and to keep output columns low
#>>(0x3c.l+6) leshort =1 \b, %u section
# If the relocation table is 0x40 or more bytes into the file, it's definitely # If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE. # not a DOS EXE.
>0x18 leshort >0x3f >0x18 uleshort >0x3f
# Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats. # must be one of the unusual subformats.
>>(0x3c.l) string !PE\0\0 MS-DOS executable >>(0x3c.l) string !PE\0\0 MS-DOS executable
!:mime application/x-dosexec #!:mime application/x-dosexec
>>(0x3c.l) string NE \b, NE >>(0x3c.l) string NE \b, NE
!:mime application/x-dosexec #!:mime application/x-dosexec
!:mime application/x-ms-ne-executable
# FOR DEBUGGING!
# Reference: https://wiki.osdev.org/NE
# ProgFlags; Program flags, bitmapped
#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x
# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, none
# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared
# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple
# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null)
# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Global initialization
# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only
# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions
# >>>(0x3c.l+0x0c) ubyte &0x20 \b, 80286 instructions
# >>>(0x3c.l+0x0c) ubyte &0x40 \b, 80386 instructions
# >>>(0x3c.l+0x0c) ubyte &0x80 \b, 80x87 instructions
# ApplFlags; Application flags, bitmapped
# https://www.fileformat.info/format/exe/corion-ne.htm
#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x
# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API)
# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API
#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Full screen
#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API
#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. API
# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle
#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver
# AutoDataSegIndex; automatic data segment index like: 0 2 3 22
# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared
#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u
# InitHeapSize; intial local heap size like; 0 400h 1400h
# zero if there is no local allocation
#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x
# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h
# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h
# 6D60h 8000h 40000h
# zero if the SS register value does not equal the DS register value
#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x
# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h
#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x
# InitStack; specifies the segment offset value of stack pointer SS:SP
# like: 0 20000h 160000h
#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x
# SegCount; number of segments in segment table like: 0 1 2 3 16h
#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x
# ModRefs; number of module references (DLLs) like; 0 1 3
#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u
# NoResNamesTabSiz; size in bytes of non-resident names table
# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh
#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x
# SegTableOffset; offset of Segment table like: 40h
#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x
# ResTableOffset; offset of resources table like: 40h 50h 58h F0h
# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON
#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 0x%x
# ResidNamTable; offset of resident names table
# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h
#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x
# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h)
# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh
#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x
# OffStartNonResTab; offset from start of file to non-resident names table
# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h
#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x
# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446
#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u
# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default)
#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u
# nResTabEntries; number of resource table entries like: 0 2
#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u
# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2
# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE
# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE
#>>>(0x3c.l+0x36) byte x TARGOS %x
>>>(0x3c.l+0x36) byte 0 for OS/2 1.0 or MS Windows 1-2
>>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 1 for OS/2 1.x
>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
>>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 3 for MS-DOS
>>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 4 for Windows 386
>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip
# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE
# GRR: WHAT OS is this?
#>>>(0x3c.l+0x36) byte 6 for TARGET SIX
# https://en.wikipedia.org/wiki/Phar_Lap_(company)
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender, OS/2
# like: CVP7.EXE
>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap DOS extender, Windows
>>>(0x3c.l+0x36) default x >>>(0x3c.l+0x36) default x
>>>>(0x3c.l+0x36) byte x (unknown OS %x) >>>>(0x3c.l+0x36) ubyte x (unknown OS %#x)
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender # expctwinver; expected Windows version (minor first) like:
# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR
>>>(0x3c.l+0x3F) ubyte x (%u
>>>(0x3c.l+0x3E) ubyte x \b.%u)
# OS2EXEFlags; other EXE flags
# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area
#>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x
# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h
#>>>(0x3c.l+0x38) uleshort !0 \b, retThunkOffset 0x%x
# segrefthunksoff; offset to segment reference thunks or size of gangload area
# like: 0 33Eh 39Ah AEEh
#>>>(0x3c.l+0x3A) uleshort !0 \b, segrefthunksoff 0x%x
# mincodeswap; minimum code swap area size like 0 620Ch
#>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x
>>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) >>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font)
# DRV: Driver # DRV: Driver
# 3GR: Grabber device driver # 3GR: Grabber device driver
# CPL: Control Panel Item # CPL: Control Panel Item
# VBX: Visual Basic Extension # VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic
# FON: Bitmap font # FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON
# FOT: Font resource file # FOT: Font resource file
# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE
# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data
!:ext dll/drv/3gr/cpl/vbx/fon/fot !:ext dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) >>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE)
!:ext exe/scr !:ext exe/scr
@ -228,8 +482,17 @@
>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive
# MS Windows system file, supposedly a collection of LE executables # MS Windows system file, supposedly a collection of LE executables
# like vmm32.vxd WIN386.EXE
>>(0x3c.l) string W3 \b, W3 for MS Windows >>(0x3c.l) string W3 \b, W3 for MS Windows
!:mime application/x-dosexec #!:mime application/x-dosexec
!:mime application/x-ms-w3-executable
!:ext vxd/exe
# W4 executable
>>(0x3c.l) string W4 \b, W4 for MS Windows
#!:mime application/x-dosexec
!:mime application/x-ms-w4-executable
# windows 98 VMM32.VXD
!:ext vxd
>>(0x3c.l) string LE\0\0 \b, LE executable >>(0x3c.l) string LE\0\0 \b, LE executable
!:mime application/x-dosexec !:mime application/x-dosexec
@ -268,11 +531,19 @@
!:ext exe/com !:ext exe/com
# header data too small for extended executable # header data too small for extended executable
>2 long !0 >2 long !0
>>0x18 leshort <0x40 >>0x18 uleshort <0x40
>>>(4.s*512) leshort !0x014c >>>(4.s*512) leshort !0x014c
>>>>&(2.s-514) string !LE >>>>&(2.s-514) string !LE
>>>>>&-2 string !BW \b, MZ for MS-DOS >>>>>&-2 string !BW
#>>>>>>(0x3c.l) string x \b, 2ND MAGIC %.2s
# but some LX executable appear here also like: PCISCAN.EXE
>>>>>>(0x3c.l) string !LX
# because Portable Executable (PE) already done skip many here like:
# xcopy32.exe stinger64.exe WimUtil.exe
# NO such DOS examples found and
# DOS examples seems to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM
>>>>>>>(0x3c.l) string !PE \b, MZ for MS-DOS
!:mime application/x-dosexec !:mime application/x-dosexec
>>>>&(2.s-514) string LE \b, LE >>>>&(2.s-514) string LE \b, LE
>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
@ -386,6 +657,7 @@
>0x00 uleshort x executable >0x00 uleshort x executable
#!:mime application/x-msdownload #!:mime application/x-msdownload
!:mime application/x-lx-executable !:mime application/x-lx-executable
!:ext exe
# byte order: 00h~little-endian non-zero=1~big-endian # byte order: 00h~little-endian non-zero=1~big-endian
#>0x02 ubyte =0 (little-endian) #>0x02 ubyte =0 (little-endian)
>0x02 ubyte !0 (big-endian) >0x02 ubyte !0 (big-endian)
@ -420,7 +692,7 @@
>0x0a leshort 3 for DOS >0x0a leshort 3 for DOS
# http://www.ctyme.com/intr/rb-2939.htm#Table1610 # http://www.ctyme.com/intr/rb-2939.htm#Table1610
# library by module type mask 00038000h (bits 15-17); # library by module type mask 00038000h (bits 15-17);
# 0h ~exectable Program module # 0h ~executable Program module
>0x10 ulelong&0x00038000 =0x00000000 (program) >0x10 ulelong&0x00038000 =0x00000000 (program)
#!:ext exe #!:ext exe
# OSF_IS_DLL=8000h ~Library module (DLL) # OSF_IS_DLL=8000h ~Library module (DLL)
@ -468,14 +740,18 @@
0 string \xffKEYB\ \ \ \0\0\0\0 0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020 # DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023
# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver # URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver
# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html # Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 # http://www.o3one.org/hwdocs/bios_doc/dosref22.html
0 ulequad&0x07a0ffffffff 0xffffffff 0 ulequad&0x07a0ffffffff 0xffffffff
# skip OS/2 INI ./os2 # skip OS/2 INI ./os2
>4 ubelong !0x14000000 >4 ubelong !0x14000000
>>0 use msdos-driver #>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx
# https://bugs.astron.com/view.php?id=434
# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like"
>>10 ubequad !0
>>>0 use msdos-driver
0 name msdos-driver DOS executable ( 0 name msdos-driver DOS executable (
#!:mime application/octet-stream #!:mime application/octet-stream
!:mime application/x-dosdriver !:mime application/x-dosdriver
@ -507,8 +783,8 @@
>>40 search/7 UPX! >>40 search/7 UPX!
>>40 default x >>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
# 1 space char before device driver name to get phrase like "device driver PROTMAN$" # 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE"
>>>12 ubyte >0x2E \b >>>12 ubyte >0x23 \b
>>>>10 ubyte >0x20 >>>>10 ubyte >0x20
>>>>>10 ubyte !0x2E >>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c >>>>>>10 ubyte !0x2A \b%c
@ -587,7 +863,8 @@
# skip "GPG symmetrically encrypted data" ./gnu # skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp # skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13 DOS executable (COM, 0x8C-variant) >>>4 ubyte >13
>>>>0 use msdos-com
# the remaining files should be DOS *.COM executables # the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd # dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4 # hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
@ -597,48 +874,164 @@
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b # SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e # validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e # devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime application/x-dosexec
!:ext com
# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
0 name msdos-com 0 name msdos-com
>0 byte x DOS executable (COM) # URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com)
!:mime application/x-dosexec >0 byte x DOS executable (
!:ext com # DOS executable with JuMP 16-bit instruction
>0 byte =0xE9
# check for probably nil padding til offset 64 of Lotus driver name
>>56 quad =0
# check for "long" alphabetic Lotus driver name like:
# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus"
>>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s
!:mime application/x-dosexec
# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2)
!:ext drv
# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1)
>>>24 default x \bCOM)
!:mime application/x-dosexec
!:ext com
# DOS executable with JuMP 16-bit and without nil padding
>>56 quad !0
# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot
# TODO: HOWTO distinguish COMboot from pure DOS executables?
# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program
>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit)
!:mime application/x-dosexec
# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2)
!:ext com/cbt
>>>1 default x \bCOM)
!:mime application/x-dosexec
!:ext com
# DOS executable without JuMP 16-bit instruction
>0 byte !0xE9
# SCREATE.SYS https://en.wikipedia.org/wiki/Stac_Electronics
>>10 string =?STACVOL \bSCREATE.SYS)
!:mime application/x-dosexec
!:ext sys
# COM executable without JuMP 16-bit instruction and not SCREATE.SYS
>>10 string !?STACVOL \bCOM)
!:mime application/x-dosexec
!:ext com
>6 string SFX\ of\ LHarc \b, %s >6 string SFX\ of\ LHarc \b, %s
>0x1FE leshort 0xAA55 \b, boot code >0x1FE leshort 0xAA55 \b, boot code
>85 string UPX \b, UPX compressed >85 string UPX \b, UPX compressed
>4 string \ $ARX \b, ARX self-extracting archive >4 string \ $ARX \b, ARX self-extracting archive
>4 string \ $LHarc \b, LHarc self-extracting archive >4 string \ $LHarc \b, LHarc self-extracting archive
>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive >0x20e string SFX\ by\ LARC \b, LARC self-extracting archive
# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2)
>1 search/0xc088 \xcd\x22 \b, maybe with interrupt 22h
>0 ubelong x \b, start instruction %#8.8x
# show more instructions but not in samples like: rem.com (DJGPP)
>4 ubelong x %8.8x
# JMP 8bit # JMP 8bit
0 byte 0xeb 0 byte 0xeb
# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent
# allow forward jumps only # allow forward jumps only
>1 byte >-1 >1 byte >-1
# that offset must be accessible # that offset must be accessible
# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc
>>(1.b+2) byte x >>(1.b+2) byte x
>>>0 use msdos-com # if look like COM executable with x86 boot signature then this
# implies FAT volume with x86 real mode code already handled by ./filesystems
#
# No x86 boot signature implies often DOS executable
# check for unrealistic high number of FATs. Then it is an unusual disk image or often a DOS executable
# like: FIXBIOS.COM (50 bytes)
>>>16 ubyte >3
# https://www.drivedroid.io/
# skip MBR disk image drivedroid.img version 12 July 2013 by start message
>>>>2 string !DriveDroid
# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/
# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM)
# by check for characteristic message text near the beginning
>>>>>15 string !Non\040System\040disk
# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar"
# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux
# by check for characteristic message text near the beginning
>>>>>>6 string !read\040error\015
# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip
# skip ventoy 1.0.78 boot_hybrid.img
>>>>>>>24 string !\220\220\353I$\022\017
# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar"
# skip unusual floppy image PCDOS100.IMG of DOS 1.0
# by check for characteristic message text near the beginning
>>>>>>>>9 string !7-May-81
# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar"
# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems
# by check for characteristic message near the beginning
>>>>>>>>>3 string !\370sdfS\270
# like: FIXBIOS.COM (50 bytes)
>>>>>>>>>>0 use msdos-com
# check for unrealistic low number of FATs. Then it is an unusual FAT disk image or often a DOS executable
# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15)
>>>16 ubyte =0
# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux)
>>>>0x1FE leshort =0xAA55
>>>>0x1FE default x
# https://thestarman.pcministry.com/tool/hxd/dimtut.htm
# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10
# by check for characteristic bootloader names near end of boot sector
>>>>>395 string !ibmbio\040\040com
>>>>>>0 use msdos-com
# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems
# like: balder.img
>>>16 default x
# skip disk images with boot signature at end of 1st sector
# like: TDSK-64b.img
>>>>(11.s-2) uleshort !0xAA55
# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18)
# by check for characteristic file system type text for FAT (12 bit or 16 bit)
>>>>>54 string !FAT
# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar"
# skip unusual floppy image Disk4.img without boot signature and file system type text
# by check for characteristic OEM-ID text
>>>>>>3 string !COMPAQ\040\040
# no such DOS COM executables found
>>>>>>>0 use msdos-com
# JMP 16bit # JMP 16bit
0 byte 0xe9 0 byte 0xe9
# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM
#>1 leshort x \b, OFFSET %d
# forward jumps # forward jumps
>1 short >-1 >1 leshort >-1
# that offset must be accessible # that offset must be accessible
# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc
>>(1.s+3) byte x >>(1.s+3) byte x
>>>0 use msdos-com # check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable
# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes)
>>>16 ubyte >3
>>>>0 use msdos-com
# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable
# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV
>>>16 ubyte =0
>>>>0 use msdos-com
# maybe disc image with valid number of FATs or DOS executable
# like: IPXODI.COM PERUSE.COM TASKID.COM
>>>16 default x
# invalid low media descriptor. Then it is not a disk image and it is a DOS executable
>>>>21 ubyte <0xE5
>>>>>0 use msdos-com
# valid media descriptor. Then it is maybe disk image or DOS executable
>>>>21 ubyte >0xE4
# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable
# like: LEARN.COM (Word 1.15)
>>>>>11 uleshort&0x001f !0
>>>>>>0 use msdos-com
# negative offset, must not lead into PSP # negative offset, must not lead into PSP
>1 short <-259 # like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4)
# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS)
>1 leshort <-259
# that offset must be accessible # that offset must be accessible
# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset
>>(1,s+65539) byte x >>(1,s+65539) byte x
# after jump next instruction for DEBUGGING!
#>>>&-1 ubelong x \b, NEXT instruction %#8.8x
>>>0 use msdos-com >>>0 use msdos-com
# updated by Joerg Jenderek at Oct 2008,2015 # updated by Joerg Jenderek at Oct 2008,2015,2022
# following line is too general # following line is too general
0 ubyte 0xb8 0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
@ -661,19 +1054,49 @@
# syslinux version (4.x) # syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID # "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1 lelong 0x21CD4CFe \b, relocatable) >>>1 lelong 0x21CD4CFe \b, relocatable)
# Hajin Jang <hajin_jang@worksmobile.com>: >>1 default x
# Disable simplest COM signature to prevent false positive on some EUC-KR text files. # look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x)
## remaining are DOS COM executables starting with assembler instruction MOV >>>3 search/118 \xCD
## like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM # FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux)
## MS-DOS SYS.COM RESTART.COM # 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS)
## SYSLINUX.COM (version 1.40 - 2.13) #>>>>&0 ubyte x \b, INTERUPT %#x
## GFXBOOT.COM (version 3.75) # few examples with interrupt 0x13 instruction
## COPYBS.COM POWEROFF.COM INT18.COM >>>>&0 ubyte =0x13
>>1 default x COM executable for DOS # FOR DEBUGGING!
!:mime application/x-dosexec #>>>>>3 ubequad x \b, 2nd INSTRUCTION %#16.16llx
##!:mime application/x-ms-dos-executable # skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems
##!:mime application/x-msdos-program # by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax
!:ext com >>>>>3 ubequad !0x8ec0b8c0078ed88d
# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com
# http://bootcd.narod.ru/bcdw150z_en.zip
>>>>>>0 use msdos-com
# few examples with interrupt 0x16 instruction like flashimg.img
>>>>&0 ubyte =0x16
# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems
# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz
>>>>>8 ubelong !0x3DE4E475
# no DOS executable with interrupt 0x16 found
>>>>>>0 use msdos-com
# most examples with interrupt instruction unequal 0x13 and 0x16
>>>>&0 default x
#>>>>>&-1 ubyte x \b, INTERUPT %#x
# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com
>>>>>0 use msdos-com
# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM
# or some EUC-KR text files or one Ulead Imaginfo thumbnail
>>>3 default x
# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM)
# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt)
#>>>>3 ubyte x \b, 2nd INSTRUCTION %#x
# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow)
# inside SAMPLES/TEXTURES/SKY_SNOW
# from https://archive.org/download/PI3CANON/PI3CANON.iso
>>>>3 ubyte !0x0
# skip some EUC-KR text files like: euckr_falsepositive.txt
# https://bugs.astron.com/view.php?id=186
>>>>>3 ubyte !0xb1
# like: RESTART.COM (DOS 7.10) REBOOT.COM
>>>>>>0 use msdos-com
# URL: https://en.wikipedia.org/wiki/UPX # URL: https://en.wikipedia.org/wiki/UPX
# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/ # Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
@ -1066,15 +1489,82 @@
0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in
# Windows Metafile .WMF # Windows Metafile .WMF
0 string/b \327\315\306\232 Windows metafile # URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile
!:mime image/wmf # http://en.wikipedia.org/wiki/Windows_Metafile
!:ext wmf # Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf
# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml
# Note: called "Windows Metafile" by TrID and
# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File)
# META_PLACEABLE Record (Aldus Placeable Metafile signature)
0 string/b \327\315\306\232
# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119
# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile"
# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h
# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300
>26 uleshort&0xFDff =0x0100 Windows metafile
# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0
# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf
>>4 uleshort !0 \b, resource handle %#x
# BoundingBox; the rectangle in the playback context measured in logical units for displaying
# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024)
# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589)
#>>6 ubequad x \b, bounding box %#16.16llx
# Left; x-coordinate of the upper-left corner of the rectangle
>>6 leshort x \b, bounding box (%d
# Top; y-coordinate upper-left corner
>>8 leshort x \b,%d
# Right; x-coordinate lower-right corner
>>10 leshort x / %d
# Bottom; y-coordinate lower-right corner
>>12 leshort x \b,%d)
# Inch; number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540
>>14 uleshort x \b, dpi %u
# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf
>>16 ulelong !0 \b, reserved %#x
# Checksum; checksum for the previous 10 words
>>20 uleshort x \b, checksum %#x
# META_HEADER Record after META_PLACEABLE Record
>>22 use wmf-head
# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF
0 string/b \002\000\011\000 Windows metafile 0 string/b \002\000\011\000 Windows metafile
>0 use wmf-head
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml
# Note: called "Windows Metafile (old Win 3.x format)" by TrID and
# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119
# verified by XnView `nconvert -info *.wmf` as Windows metafile
# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9
0 string/b \001\000\011\000
# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011)
>18 ulelong >0 Windows metafile
# GRR: in version 5.44 unequal and not endian variant not working!
#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN
#>18 long !0 THIS_SHOULD_NOT_HAPPEN
>>0 use wmf-head
# display information of Windows metafile header (type, size, objects)
0 name wmf-head
# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk
>0 uleshort !0x0001 \b, type %#x
# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes)
>2 uleshort*2 !18 \b, header size %u
# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported
# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf
>4 uleshort =0x0100 \b, DIBs not supported
>4 uleshort =0x0300
#>4 uleshort =0x0300 \b, DIBs supported
# this should not happen!
>4 default x \b, version
>>4 uleshort x %#x
# Size; the number of WORDs in the entire metafile
>6 ulelong x \b, size %u words
#>6 ulelong*2 x \b, size %u bytes
!:mime image/wmf !:mime image/wmf
!:ext wmf !:ext wmf
0 string/b \001\000\011\000 Windows metafile # NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF
!:mime image/wmf >10 uleshort x \b, %u objects
!:ext wmf # MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h
>12 ulelong x \b, largest record size %#x
# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf
>16 uleshort !0 \b, %u members
#tz3 files whatever that is (MS Works files) #tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
@ -1227,8 +1717,6 @@
1 string RDC-meg MegaDots 1 string RDC-meg MegaDots
>8 byte >0x2F version %c >8 byte >0x2F version %c
>9 byte >0x2F \b.%c file >9 byte >0x2F \b.%c file
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file
# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm # .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0 # only for windows versions equal or greater 3.0
@ -1264,22 +1752,6 @@
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s #>>&06 string x \b:%s
# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d
# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef
# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz # of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides # https://en.wikipedia.org/wiki/Norton_Guides
@ -1367,6 +1839,8 @@
# HtmlHelp files (.chm) # HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data 0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data
!:mime application/vnd.ms-htmlhelp
!:ext chm
# GFA-BASIC (Wolfram Kleff) # GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data 2 string/b GFA-BASIC3 GFA-BASIC 3 data
@ -1431,6 +1905,12 @@
>0x2c default x >0x2c default x
# look for 1st member name # look for 1st member name
>>(16.l+16) ubyte x >>(16.l+16) ubyte x
# From: Joerg Jenderek
# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml
>>>&-1 string PackageInfo.xml \b, Device Metadata Package
!:mime application/vnd.ms-cab-compressed
!:ext devicemetadata-ms
# https://en.wikipedia.org/wiki/SNP_file_format # https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot >>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess !:mime application/msaccess
@ -1454,14 +1934,20 @@
!:ext msu !:ext msu
>>>&-1 default x >>>&-1 default x
# look at point character of 1st archive member name for file name extension # look at point character of 1st archive member name for file name extension
# GRR: search range is maybe too large and match point else where like in EN600x64.cab!
>>>>&-1 search/255 . >>>>&-1 search/255 .
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB # packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go >>>>>&0 string/c ppt\0
>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint !:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint #!:mime application/mspowerpoint
!:ext ppz !:ext ppz
# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386
>>>>>>28 uleshort =1 \b, one packed PowerPoint
!:mime application/vnd.ms-cab-compressed
!:ext pp_
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack # first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack # or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
@ -1475,6 +1961,13 @@
>>>>>>(16.l+16) string !Panoram 7 or 8 >>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack !:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack >>>>>>(16.l+16) ubyte x Theme Pack
# URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format
# http://fileformats.archiveteam.org/wiki/OneNote
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml
# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor Öffnen.onetoc2"
>>>>>&0 string/c one \b, OneNote Package
!:mime application/msonenote
!:ext onepkg
>>>>>&0 default x >>>>>&0 default x
# look for null terminator of 1st member name # look for null terminator of 1st member name
>>>>>>&0 search/255 \0 >>>>>>&0 search/255 \0
@ -1502,6 +1995,16 @@
>>>>>>>>>30 uleshort !0x0000 \b, single >>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed !:mime application/vnd.ms-cab-compressed
!:ext cab !:ext cab
# first archive name without point character
>>>>&-1 default x
>>>>>28 uleshort =1 \b, single
!:mime application/vnd.ms-cab-compressed
# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._
!:ext _
>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab
!:ext cab
# TODO: additional extensions like # TODO: additional extensions like
# .xtp InfoPath Template Part # .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory # .lvf Logitech Video Effects Face Accessory
@ -1599,9 +2102,9 @@
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) # define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder %#x >8 uleshort >0 \b, iFolder %#x
# date stamp for file # date stamp for file
#>10 uleshort x \b, date %#x >10 lemsdosdate x last modified %s
# time stamp for file # time stamp for file
#>12 uleshort x \b, time %#x >12 lemsdostime x %s
# attribs is attribute flags for file # attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only # define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden # define _A_HIDDEN (0x02) file is hidden
@ -1765,3 +2268,37 @@
# NB: The BACKUP.nnn files consist of the files backed up, # NB: The BACKUP.nnn files consist of the files backed up,
# concatenated. # concatenated.
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time
# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime
# Note: DOS date+time format is different from formats such as Unix epoch
# bit encoded; uses year values relative to 1980 and 2 second precision
0 name dos-date
# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2)
#>0 uleshort x RAW TIME [%#4.4x]
# hour part
#>0 uleshort/2048 x hour [%u]
# YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31)
#>2 uleshort x RAW DATE [%#4.4x]
# day part
>2 uleshort&0x001F x %u
#>2 uleshort/16 x MONTH PART [%#x]
# GRR: not working
#>2 uleshort/16 &0x000F MONTH [%u]
#>2 uleshort&0x01E0 x MONTH PART [%#4.4x]
>2 uleshort&0x01E0 =0x0020 jan
>2 uleshort&0x01E0 =0x0040 feb
>2 uleshort&0x01E0 =0x0060 mar
>2 uleshort&0x01E0 =0x0080 apr
>2 uleshort&0x01E0 =0x00A0 may
>2 uleshort&0x01E0 =0x00C0 jun
>2 uleshort&0x01E0 =0x00E0 jul
>2 uleshort&0x01E0 =0x0100 aug
>2 uleshort&0x01E0 =0x0120 sep
>2 uleshort&0x01E0 =0x0140 oct
>2 uleshort&0x01E0 =0x0160 nov
>2 uleshort&0x01E0 =0x0180 dec
# year part
>2 uleshort/512 x 1980+%u
#

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: msooxml,v 1.16 2021/08/16 10:06:55 christos Exp $ # $File: msooxml,v 1.19 2023/03/14 19:46:15 christos Exp $
# msooxml: file(1) magic for Microsoft Office XML # msooxml: file(1) magic for Microsoft Office XML
# From: Ralf Brown <ralf.brown@gmail.com> # From: Ralf Brown <ralf.brown@gmail.com>
@ -15,10 +15,13 @@
0 name msooxml 0 name msooxml
>0 string word/ Microsoft Word 2007+ >0 string word/ Microsoft Word 2007+
!:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document !:mime application/vnd.openxmlformats-officedocument.wordprocessingml.document
!:ext docx
>0 string ppt/ Microsoft PowerPoint 2007+ >0 string ppt/ Microsoft PowerPoint 2007+
!:mime application/vnd.openxmlformats-officedocument.presentationml.presentation !:mime application/vnd.openxmlformats-officedocument.presentationml.presentation
!:ext pptx
>0 string xl/ Microsoft Excel 2007+ >0 string xl/ Microsoft Excel 2007+
!:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet !:mime application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
!:ext xlsx
>0 string visio/ Microsoft Visio 2013+ >0 string visio/ Microsoft Visio 2013+
!:mime application/vnd.ms-visio.drawing.main+xml !:mime application/vnd.ms-visio.drawing.main+xml
>0 string AppManifest.xaml Microsoft Silverlight Application >0 string AppManifest.xaml Microsoft Silverlight Application
@ -30,7 +33,7 @@
# make sure the first file is correct # make sure the first file is correct
>0x1E use msooxml >0x1E use msooxml
>0x1E default x >0x1E default x
>>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps >>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps|customXml
# skip to the second local file header # skip to the second local file header
# since some documents include a 520-byte extra field following the file # since some documents include a 520-byte extra field following the file
# header, we need to scan for the next header # header, we need to scan for the next header
@ -46,5 +49,20 @@
# OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file # OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file
>>>>>>&26 search/6000 PK\003\004 >>>>>>&26 search/6000 PK\003\004
>>>>>>>&26 use msooxml >>>>>>>&26 use msooxml
# Some OOXML generators add an extra customXml directory. Check another file.
>>>>>>>&26 default x
>>>>>>>>&26 search/6000 PK\003\004
>>>>>>>>>&26 use msooxml
>>>>>>>>>&26 default x Microsoft OOXML
>>>>>>>&26 default x Microsoft OOXML >>>>>>>&26 default x Microsoft OOXML
>>>>>&26 default x Microsoft OOXML >>>>>&26 default x Microsoft OOXML
>>0x1E regex \\[trash\\]
>>>&26 search/6000 PK\003\004
>>>>&26 search/6000 PK\003\004
>>>>>&26 use msooxml
>>>>>&26 default x
>>>>>>&26 search/6000 PK\003\004
>>>>>>>&26 use msooxml
>>>>>>>&26 default x Microsoft OOXML
>>>>>>&26 default x Microsoft OOXML
>>>>>&26 default x Microsoft OOXML

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: msvc,v 1.10 2018/10/01 19:14:03 christos Exp $ # $File: msvc,v 1.11 2022/01/17 17:17:30 christos Exp $
# msvc: file(1) magic for msvc # msvc: file(1) magic for msvc
# "H. Nanosecond" <aldomel@ix.netcom.com> # "H. Nanosecond" <aldomel@ix.netcom.com>
# Microsoft visual C # Microsoft visual C
@ -20,9 +20,162 @@
0 string \377\003\000\377\001\000\060\020\350 MSVC .res 0 string \377\003\000\377\001\000\060\020\350 MSVC .res
#.lib #.lib
0 string \360\015\000\000 Microsoft Visual C library # URL: https://en.wikipedia.org/wiki/Microsoft_Visual_C%2B%2B
0 string \360\075\000\000 Microsoft Visual C library # http://fileformats.archiveteam.org/wiki/Microsoft_Library
0 string \360\175\000\000 Microsoft Visual C library # http://fileformats.archiveteam.org/wiki/OMF
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lib-msvc.trid.xml
# https://pierrelib.pagesperso-orange.fr/exec_formats/OMF_v1.1.pdf
# Update: Joerg Jenderek
#0 string \360\015\000\000 Microsoft Visual C library
#0 string \360\075\000\000 Microsoft Visual C library
#0 string \360\175\000\000 Microsoft Visual C library
# test for RecordType~LibraryHeaderRecord=0xF0 + RecordLength=???Dh + dictionary offset is multiple of 0x200
0 ubelong&0xFF0f80ff =0xF00d0000
# Microsoft Visual C library (strength=70) before MIDI SysEx messages (strength=50) handled by ./sysex
#!:strength +0
# test for valid 2nd RecordType~Translator Header Record=THEADR=80h or LHEADR=82h
>(1.s+3) ubyte&0xFD =0x80
>>0 use omf-lib
# display information about Microsoft Visual C/OMF library
0 name omf-lib
# RecordType~LibraryHeaderRecord=0xF0
#>0 byte 0xF0 Microsoft Visual C library
# the above description was used in file version 5.41
>0 byte 0xF0 Microsoft Visual C/OMF library
#>0 byte 0xF0 relocatable Object Module Format (OMF) libray
#!:mime application/octet-stream
!:mime application/x-omf-lib
!:ext lib
# 1st record data length like 13=0Dh 29=1Dh 61=3Dh 125=7Dh 509=01FDh ... 32765=7FFDh
#>1 uleshort x \b, 1st record data length %u
#>1 uleshort x \b, 1st record data length %#x
# 2**4=16 <= RecordLength+3 = PageSize = 2**n {16 32 512 no examples 64 128 256 1024 2048 ...32768} <= 2**15=32768
>1 uleshort+3 x \b, page size %u
# dictionary offset like: 400h 600h a00h c00h 1200h 1800h 2400h 5600h 12800h 19200h 28a00h
>3 ulelong x \b, at %#x dictionary
# dictionary block a 512 bytes; the first 37 bytes correspond to the 37 buckets
#>(3.l) ubequad x (%#16.16llx...)
# dictionary size; length in 512-byte blocks; a prime number? like:
# 1 2 3 4 5 6 7 9 11 13 15 16 18 21 22 23 24 25 31 50 53 89 101 117 277
>7 uleshort x with %u block
# plurals s
>7 uleshort >1 \bs
# If dictionary byte 38 (FFLAG) has the value 255, there is no space left
>(3.l+37) ubyte <0xFF (FFLAG=%#x)
>(3.l+37) ubyte =0xFF (FFLAG=full)
# dictionary entry; length byte of following symbol, the following text bytes of symbol, two bytes specifies the page number
# like: dbfntx1! DBFNTX.LIB zlibCompileFlags_ ZLIB.LIB atoi! mwlibc.lib
>(3.l+38) pstring x 1st entry %s
# like: 1 33 41 47 458 8783
>>&0 uleshort x in page %u
# library flags; 0 or 1, but WHAT IS 0x4d in MOUSE.LIB ?
>9 ubyte >1 \b, flags %#x
>9 ubyte =1 case sensitive
# In the library after header comes first object module with a Library Module Header Record (LHEADR=82h)
# but in examples Translator Header Record (THEADR=80h) which is handled identically
>(1.s+3) ubyte x \b, 2nd record
>(1.s+3) ubyte !0x80 (type %#x)
#>(1.s+4) uleshort x \b, 2nd record data length %u
# Module name often source name like "dos\crt0.asm" in mlibce.lib or "QB4UTIL.ASM" in QB4UTIL.LIB
# or "C:\Documents and Settings\Allan Campbell\My Documents\FDOSBoot\zlib\zutil.c" in ZLIB.LIB
# or title like "87INIT" in FP87.LIB or "ACOSASIN" in MATHC.LIB or "Copyright" in calc-bcc.lib
>(1.s+6) pstring x "%s"
# 2nd record checksum
#>>&0 ubyte x checksum %#x
# 3rd RecordType: 96h~LNAMES 88h~COMENT
>>&1 ubyte x \b, 3rd record
>>&1 ubyte !0x88
>>>&-1 ubyte !0x96
# 3rd unusual record type
>>>>&-1 ubyte x (type %#x)
# 3rd record is a List of Names Record (LNAMES=96h)
>>&1 ubyte =0x96 LNAMES
# LNAMES record length like: 2 15 19
#>>>&0 uleshort x \b, LNAMES record length %u
>>>&0 uleshort >2
# 1st LNAME string length; null is valid; maximal 255
#>>>>&0 ubyte x 1st LNAME length %u
>>>>&0 ubyte =0
# 2nd LNAME length like: 4 7 8 17 31
#>>>>>&0 ubyte x 2nd LNAME length %u
# name used for segment, class, group, overlay, etc like:
# CODE (mwlibc.lib) _TEXT32 (JMPPM32.LIB) _OVLCODE (WOVL.LIB)
>>>>>&0 pstring x %s
# 3rd LNAME length like: 4 5
#>>>>>>&0 ubyte x 3rd LNAME length %u
# like: DATA (mwlibc.lib) CODE (JMPPM32.LIB) _TEXT (EMU87.LIB)
>>>>>>&0 pstring x %s
# maybe 4th LNAME length like: 4 6
>>>>>>>&0 ubyte <44
# like: DATA (DEBUG.LIB) DGROUP (mwlibc.lib MOUSE.LIB)
>>>>>>>>&-1 pstring x %s
# 3rd record is a COMMENT (Including all comment class extensions)
>>&1 ubyte =0x88 COMMENT
# comment record length like: 3 FLIB7M.LIB 1Bh 1Eh 23h 27h 2Bh 30h freetype-bcc.lib
#>>>&0 uleshort x \b, record length %#x
# real comment length = record length - 1 (comment type) - 1 (comment Class) - 1 (checksum) -1 (char count)
# like: 2 LIBFL.LIB 4 "UUID" 5 "dscap" 6 "int386" 7 "qb4util" 8 "AMSGEXIT" 16 REXX.LIB 20 27 35 44 freetype-bcc.lib
#>>>>&-2 uleshort-4 >0 \b, comment length %u
# check that record contain at least comment type (1 byte), comment class (1 byte), checksum (1 byte)
# probably always true
>>>&0 uleshort >2
# comment type: 80h~NP~no purge bit 40h~NL~no list bit
#>>>>&0 ubyte !0 Type %#x
>>>>&0 ubyte &0x80 Preserved
# no example
>>>>&0 ubyte &0x40 NoList
# comment class like: 0~Translator A0~OMF extensions A3~LIBMOD A1~New OMF extensions AA~UNKNOWN
>>>>&1 ubyte x class=%#x
# check that comment record contains at least real content
>>>>&-2 uleshort >3
# Translator comment record (0); it may name the source language or translator
>>>>>&1 ubyte =0 Translator
#>>>>>>&0 ubyte x Translator length %u
# like: "TC86 Borland Turbo C 2.01 " (GEMS.LIB) "TC86 Borland Turbo C++ 3.00" (CATDB.LIB)
>>>>>>&0 pstring x "%s"
# OMF extensions comment record (A0); first byte of commentary string identifies subtype
>>>>>&1 ubyte =0xA0 OMF extensions
# A0 subtype like: 1~IMPDEF
>>>>>>&0 ubyte !1 subtype %#x
# Import Definition Record (Comment Class A0, Subtype 01~IMPDEF)
>>>>>>&0 ubyte 1 IMPDEF
# ordinal flag; determines form of Entry Ident field. If nonzero (seems to be 1) Entry is ordinal
>>>>>>>&0 ubyte !0 ordinal
# like: IMPORT.LIB DOSCALLS.LIB mlibw.lib mwinlibc.lib REXX.LIB
>>>>>>>>&-1 ubyte >1 %u
# Internal Name in count, char string format; module name for the imported symbol
# like: 7 "REXXSAA" 9 11 13 14 15 16 20 21 26 "_Z10_clip_linePdS_S_S_dddd"
#>>>>>>>&1 ubyte x internal name length %u
# internal module name like: _DllGetVersion DllGetVersion BezierTerminationTest Copyright
>>>>>>>&1 pstring x %s
# module name in count, char string format; DLL name that supplies a matching export symbol
# like: jpeg62.dll (jpeg-bcc.lib) unrar3.dll (unrar-bcc.lib) REXX (REXX.LIB)
>>>>>>>>&0 pstring x exported by %s
# Entry Ident; 16-bit if ordinal flag != 0 or imported name in count, char string format if ordinal flag = 0
# like: \0 (calc-bcc.lib) DllGetVersion (libtiff-bcc.lib) UTF8ToHtml (libxml2-bcc.lib) xslAddCall (libxslt-bcc.lib)
#>>>>>>>>>&0 pstring >\0 entry ident %s
# "New OMF" extensions comment (A1); indicate version of symbolic debug information
# like: LIBFL.LIB
>>>>>&1 ubyte =0xA1 New OMF extensions
# symbolic debug information version n
>>>>>>&0 ubyte x n=%u
# symbolic debug information style like: HL~IBM PM Debugger style (LIBFL.LIB) DX~AIX style CV~Microsoft symbol and type style
>>>>>>>&0 string HL IBM style
>>>>>>>&0 string DX AIX style
>>>>>>>&0 string CV Microsoft style
# LIBMOD comment record (A3) used only by the librarian
# Microsoft extension added for LIB version 3.07 in macro assembler (MASM 5.0)
>>>>>&1 ubyte =0xA3 LIBMOD
# The A3 LIBMOD record contains only the ASCII string of the module name in count char format
#>>>>>>&0 ubyte x LIBMOD length %u
# LIBMOD comment record module name without path and extension like:
# qb4util (QB4UTIL.LIB) affaldiv (libh.lib) crt0 (slibc.lib) clipper (DDDRAWS.LIB) dinpdev (DINPUTS.LIB) UUID (UUID.LIB)
>>>>>>&0 pstring x %s
# GRR: WHAT iS THAT? AA foo comment record
#>>>>>&1 ubyte =0xAA AA-comment
# like: OS220
#>>>>>>&0 string x what=%-5.5s
#
#.pch #.pch
0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch 0 string DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: ole2compounddocs,v 1.12 2021/09/04 16:00:38 christos Exp $ # $File: ole2compounddocs,v 1.26 2023/05/15 16:46:12 christos Exp $
# Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured
# storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) # storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format)
# Additional tests for OLE 2 Compound Documents should be under this recipe. # Additional tests for OLE 2 Compound Documents should be under this recipe.
@ -72,6 +72,7 @@
#>67 ubyte x \b, color %x #>67 ubyte x \b, color %x
# the DirIDs of the child nodes. Should both be -1 in the root storage entry # the DirIDs of the child nodes. Should both be -1 in the root storage entry
#>68 bequad !0xffffffffffffffff \b, DirIDs %llx #>68 bequad !0xffffffffffffffff \b, DirIDs %llx
# NEXT lines for DEBUGGING
# second directory entry name like VisioDocument Control000 # second directory entry name like VisioDocument Control000
#>128 lestring16 x \b, 2nd %.20s #>128 lestring16 x \b, 2nd %.20s
# third directory entry like WordDocument # third directory entry like WordDocument
@ -200,6 +201,34 @@
!:mime application/x-ms-info !:mime application/x-ms-info
!:ext nfo !:ext nfo
# #
# From: Joerg Jenderek
# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml
# Note: older versions til 13 about middle 2021 handled by ./windows
# called "Sysinternals Autoruns data (v14)" by TrID
# second, third and fourth directory entry name like Header Items 0
>>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data, version 14
#!:mime application/x-ole-storage
!:mime application/x-ms-arn
# like: MyHOSTNAME.arn
!:ext arn
#
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Microsoft_Access
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml
# http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File
# Note: only version foo tested and called "Microsoft Access Wizard template" by TrID
# Fourth directory entry name TemplateID
>>>>384 lestring16 TemplateID : Microsoft Access wizard template
# Second directory entry name like \005SummaryInformation and 3rd name like \005DocumentSummaryInformation
#!:mime application/x-ole-storage
#!:mime application/vnd.ms-office
#!:mime application/vnd.ms-access
#!:mime application/msaccess
!:mime application/x-ms-mdz
# http://extension.nirsoft.net/mdz
!:ext mdz
#
# URL: http://fileformats.archiveteam.org/wiki/Corel_Print_House # URL: http://fileformats.archiveteam.org/wiki/Corel_Print_House
# Second directory entry name Thumbnail # Second directory entry name Thumbnail
>>>>128 lestring16 Thumbnail : Corel PrintHouse image >>>>128 lestring16 Thumbnail : Corel PrintHouse image
@ -220,10 +249,24 @@
!:mime application/x-corel-gal !:mime application/x-corel-gal
!:ext gal !:ext gal
# #
# From: Joerg Jenderek
# URL: https://archive.org/details/iPhoto-Plus-4
# https://filext.com/file-extension/TPL
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tpl-ulead.trid.xml
# Note: found in Template sub directory in program directory of software iPhoto Plus version 4
# second, third and fourth directory entry name like TplHeader TplMainImage TplPreview
>>>>128 lestring16 TplHeader : Ulead iPhoto Template
#!:mime application/x-ole-storage
!:mime image/x-ulead-tpl
# https://www.file-extensions.org/tpl-file-extension-ulead-photo-express-template
!:ext tpl
#
# URL: https://en.wikipedia.org/wiki/Hangul_(word_processor) # URL: https://en.wikipedia.org/wiki/Hangul_(word_processor)
# https://www.hancom.com/etc/hwpDownload.do
# Note: "HWP Document File" signature found in FileHeader # Note: "HWP Document File" signature found in FileHeader
# Hangul Word Processor WORDIAN, 2002 and later is using HWP 5.0 format.
# Second directory entry name FileHeader hint for Thinkfree Office document # Second directory entry name FileHeader hint for Thinkfree Office document
>>>>128 lestring16 FileHeader : Hangul (Korean) 5.0 Word Processor File >>>>128 lestring16 FileHeader : Hancom HWP (Hangul Word Processor) file, version 5.0
#!:mime application/haansofthwp #!:mime application/haansofthwp
!:mime application/x-hwp !:mime application/x-hwp
# https://example-files.online-convert.com/document/hwp/example.hwp # https://example-files.online-convert.com/document/hwp/example.hwp
@ -258,60 +301,112 @@
!:ext prd/prv !:ext prd/prv
# 2nd directory entry name Pictures # 2nd directory entry name Pictures
>>>>>>128 lestring16 Pictures with pictures >>>>>>128 lestring16 Pictures with pictures
#
# URL: http://fileformats.archiveteam.org/wiki/PageMaker
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p
# pagemaker-generic.trid.xml
# pagemaker-pm6.trid.xml
# pagemaker-pm65.trid.xml
# pmd-pm7.trid.xml
# From: Joerg Jenderek
# Note: since version 6 embedd as stream with PageMaker name the "old" format handled by ./wordprocessors
# verified by Michal Mutl Structured Storage Viewer `SSView.exe brochus.pt6`
# Second directory entry name PageMaker
>>>>128 lestring16 PageMaker :
# look for magic of "old" PageMaker like in 02TEMPLT.T65
>>>>>0 search/0xa900/s \0\0\0\0\0\0\xff\x99
# GRR: jump to PageMaker stream and inspect it by sub routine PageMaker of ./wordprocessors failed with wrong version!
#>>>>>>&0 use PageMaker
# THIS WORKS PARTLY!
>>>>>>&0 indirect x
# remaining null clsid # remaining null clsid
>>>>128 default x : UNKNOWN >>>>128 default x
# second directory entry name like VisioDocument Control000 >>>>>0 use ole2-unknown
>>>>>128 lestring16 x with names %.20s # look for CLSID where "second" part is 0
# third directory entry like WordDocument >>>80 ubequad !0x0
>>>>>256 lestring16 x %.20s #
# forth # Summary: Family Tree Maker
>>>>>384 lestring16 x %.20s # From: Joerg Jenderek
!:mime application/x-ole-storage # URL: http://fileformats.archiveteam.org/wiki/Family_Tree_Maker
# https://en.wikipedia.org/wiki/Family_Tree_Maker
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftw.trid.xml
# Note called "Family Tree Maker Family Tree" by TrID and
# "FamilyTree Maker Database" with version "1-4" by DROID via PUID fmt/1352
# tested only with version 2.0
# verified by Michal Mutl Structured Storage Viewer `SSView.exe my.ftw`
# newer versions are SQLite based and handled by ./sql
# directory names like: IND.DB AUX.DB GENERAL.DB NAME.NDX BIRTH.NDX EXTRA.DB
>>>>80 ubequad 0x5702000000000000 : Family Tree Maker Windows database, version 1-4
# look for "File Format (C) Copyright 1993 Banner Blue Software Inc. - All Rights Reserved" in GENERAL.DB
#>>>>>0 search/0x5460c/s F\0i\0l\0e\0\040\0F\0o\0r\0m\0a\0t\0\040\0(\0C\0)\0 \b, VERSION
# GRR: jump to version value like 2 does not work!
#>>>>>>&-8 ubyte x %u
#!:mime application/x-ole-storage
!:mime application/x-fmt
# FBK is used for backup of FTW
!:ext ftw/fbk
#
>>>>80 default x
>>>>>0 use ole2-unknown
# look for known clsid GUID # look for known clsid GUID
# - Visio documents # - Visio documents
# URL: http://fileformats.archiveteam.org/wiki/Visio # URL: http://fileformats.archiveteam.org/wiki/Visio
# Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek # Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek
>>88 ubequad 0xc000000000000046 : Microsoft >>88 ubequad 0xc000000000000046
>>>80 ubequad 0x131a020000000000 Visio 2000-2002 Document, stencil or template >>>80 ubequad 0x131a020000000000 : Microsoft Visio 2000-2002 Document, stencil or template
!:mime application/vnd.visio !:mime application/vnd.visio
# VSD~Drawing VSS~Stencil VST~Template # VSD~Drawing VSS~Stencil VST~Template
!:ext vsd/vss/vst !:ext vsd/vss/vst
>>>80 ubequad 0x141a020000000000 Visio 2003-2010 Document, stencil or template >>>80 ubequad 0x141a020000000000 : Microsoft Visio 2003-2010 Document, stencil or template
!:mime application/vnd.visio !:mime application/vnd.visio
!:ext vsd/vss/vst !:ext vsd/vss/vst
# #
# URL: http://fileformats.archiveteam.org/wiki/Windows_Installer # URL: http://fileformats.archiveteam.org/wiki/Windows_Installer
>>>80 ubequad 0x84100c0000000000 Windows Installer Package # https://en.wikipedia.org/wiki/Windows_Installer#ICE_validation
# Update: Joerg Jenderek
# Windows Installer Package *.MSI or validation module *.CUB
>>>80 ubequad 0x84100c0000000000 : Microsoft Windows Installer Package or validation module
!:mime application/x-msi !:mime application/x-msi
#!:mime application/x-ms-win-installer #!:mime application/x-ms-win-installer
!:ext msi # https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices
>>>80 ubequad 0x86100c0000000000 Windows Installer Patch # cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub
#!:mime application/x-ms-cub
!:ext msi/cub
# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/Windows_Installer
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml
# called "Windows SDK Setup Transform script" by TrID
>>>80 ubequad 0x82100c0000000000 : Microsoft Windows Installer transform script
#!:mime application/x-ole-storage
!:mime application/x-ms-mst
!:ext mst
>>>80 ubequad 0x86100c0000000000 : Microsoft Windows Installer Patch
# ?? # ??
!:mime application/x-wine-extension-msp !:mime application/x-wine-extension-msp
#!:mime application/x-ms-msp #!:mime application/x-ms-msp
!:ext msp !:ext msp
# #
# URL: http://fileformats.archiveteam.org/wiki/DOC # URL: http://fileformats.archiveteam.org/wiki/DOC
>>>80 ubequad 0x0009020000000000 Word 6-95 document or template >>>80 ubequad 0x0009020000000000 : Microsoft Word 6-95 document or template
!:mime application/msword !:mime application/msword
# for template MSWDW8TN # for template MSWDW8TN
!:apple MSWDWDBN !:apple MSWDWDBN
!:ext doc/dot !:ext doc/dot
>>>80 ubequad 0x0609020000000000 Word 97-2003 document or template >>>80 ubequad 0x0609020000000000 : Microsoft Word 97-2003 document or template
!:mime application/msword !:mime application/msword
!:apple MSWDWDBN !:apple MSWDWDBN
# dot for template; no extension on Macintosh # dot for template; no extension on Macintosh
!:ext doc/dot/ !:ext doc/dot/
# #
# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor
>>>80 ubequad 0x0213020000000000 Works 3-4 document or template >>>80 ubequad 0x0213020000000000 : Microsoft Works 3-4 document or template
!:mime application/vnd.ms-works !:mime application/vnd.ms-works
!:apple ????AWWP !:apple ????AWWP
# ps for template https://filext.com/file-extension/PS bps for backup # ps for template https://filext.com/file-extension/PS bps for backup
!:ext wps/ps/bps !:ext wps/ps/bps
# #
# URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database
>>>80 ubequad 0x0313020000000000 Works 3-4 database or template >>>80 ubequad 0x0313020000000000 : Microsoft Works 3-4 database or template
!:mime application/vnd.ms-works-db !:mime application/vnd.ms-works-db
# https://www.macdisk.com/macsigen.php # https://www.macdisk.com/macsigen.php
!:apple ????AWDB !:apple ????AWDB
@ -319,14 +414,14 @@
!:ext wdb/db/bdb !:ext wdb/db/bdb
# #
# URL: https://en.wikipedia.org/wiki/Microsoft_Excel # URL: https://en.wikipedia.org/wiki/Microsoft_Excel
>>>80 ubequad 0x1008020000000000 Excel 5-95 worksheet, addin or template >>>80 ubequad 0x1008020000000000 : Microsoft Excel 5-95 worksheet, addin or template
!:mime application/vnd.ms-excel !:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php # https://www.macdisk.com/macsigen.php
!:apple ????XLS5 !:apple ????XLS5
# worksheet/addin/template/no extension on Macintosh # worksheet/addin/template/no extension on Macintosh
!:ext xls/xla/xlt/ !:ext xls/xla/xlt/
# #
>>>80 ubequad 0x2008020000000000 Excel 97-2003 >>>80 ubequad 0x2008020000000000 : Microsoft Excel 97-2003
!:mime application/vnd.ms-excel !:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php XLS5 for Excel 5 # https://www.macdisk.com/macsigen.php XLS5 for Excel 5
!:apple ????XLS9 !:apple ????XLS9
@ -342,23 +437,36 @@
#!:ext xls/xlt/ #!:ext xls/xlt/
# #
# URL: http://fileformats.archiveteam.org/wiki/OLE2 # URL: http://fileformats.archiveteam.org/wiki/OLE2
>>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 item >>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 item
#>>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 Message #>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 Message
#!:mime application/vnd.ms-outlook #!:mime application/vnd.ms-outlook
!:mime application/x-ms-msg !:mime application/x-ms-msg
!:ext msg !:ext msg
# URL: https://wiki.fileformat.com/email/oft/ # URL: https://wiki.fileformat.com/email/oft/
>>>80 ubequad 0x46f0060000000000 Outlook 97-2003 item template >>>80 ubequad 0x46f0060000000000 : Microsoft Outlook 97-2003 item template
#!:mime application/vnd.ms-outlook #!:mime application/vnd.ms-outlook
!:mime application/x-ms-oft !:mime application/x-ms-oft
!:ext oft !:ext oft
# #
# URL: http://fileformats.archiveteam.org/wiki/PPT # URL: http://fileformats.archiveteam.org/wiki/PPT
>>>80 ubequad 0x5148040000000000 PowerPoint 4.0 presentation >>>80 ubequad 0x5148040000000000 : Microsoft PowerPoint 4.0 presentation
!:mime application/vnd.ms-powerpoint !:mime application/vnd.ms-powerpoint
# https://www.macdisk.com/macsigen.php # https://www.macdisk.com/macsigen.php
!:apple ????PPT3 !:apple ????PPT3
!:ext ppt !:ext ppt
# Summary: "newer" Greenstreet Art drawing
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/GST_ART
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/art-gst-docfile.trid.xml
# Note: called like "Greenstreet Art drawing" by TrID
# Note: CONTENT stream contains binary part of older versions with phrase GST:ART at offset 16
# verified by Michal Mutl Structured Storage Viewer `SSView.exe BCARD2.ART`
>>>80 ubequad 0x602c020000000000 : Greenstreet Art drawing
#!:mime application/x-ole-storage
!:mime image/x-greenstreet-art
!:ext art
>>>80 default x
>>>>0 use ole2-unknown
#?? #??
# URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/ # URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/
>>88 ubequad 0xa29a00aa004a1a72 : Microsoft >>88 ubequad 0xa29a00aa004a1a72 : Microsoft
@ -417,6 +525,28 @@
!:apple ????PPT3 !:apple ????PPT3
# /autostart/template # /autostart/template
!:ext ppt/pps/pot !:ext ppt/pps/pot
# From: Joerg Jenderek
# URL: https://www.file-extensions.org/ppa-file-extension
# https://en.wikipedia.org/wiki/Microsoft_PowerPoint#cite_note-231
# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File
>>88 ubequad 0x871800aa0060263b : Microsoft
# only version 8 (97) tested; PowerPoint 4.0 to 11.0 (2004) (Wikipedia); 97 to 2003 (file-extensions.org)
>>>80 ubequad 0xf04672810a72cf11 PowerPoint Addin or Wizard
# second, third and fourth directory entry name like VBA PROJECT PROJECTwm
# http://extension.nirsoft.net/pwz
!:mime application/vnd.ms-powerpoint
# like: BSHPPT97.PPA "AutoContent Wizard.pwz"
!:ext ppa/pwz
#
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/AWD_(At_Work_Document)
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/awd-fax.trid.xml
# Note: called "Microsoft At Work Fax document" by TrID
>>88 ubequad 0xb29400dd010f2bf9 : Microsoft
>>>80 ubequad 0x801cb0023de01a10 At Work fax Document
#!:mime application/x-ole-storage
!:mime image/x-ms-awd
!:ext awd
# #
# URL: https://en.wikipedia.org/wiki/Microsoft_Project # URL: https://en.wikipedia.org/wiki/Microsoft_Project
#?? #??
@ -424,6 +554,20 @@
>>>80 ubequad 0x3a8fb774c8c8d111 Project >>>80 ubequad 0x3a8fb774c8c8d111 Project
!:mime application/vnd.ms-project !:mime application/vnd.ms-project
!:ext mpp !:ext mpp
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Microsoft_Office_shared_tools#Binder
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/obd.trid.xml
# http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File
# Note: only version 8 tested and called "Office Binder Document" by TrID and
# "Microsoft Office Binder File for Windows" version 97-2000 by DROID fmt/240
>>88 ubequad 0xb21c00aa004ba90b : Microsoft
>>>80 ubequad 0x0004855964661b10 Office Binder Document, Template or wizard
# second directory entry name like Binder
# https://www.file-extensions.org/obd-file-extension
#!:mime application/vnd.ms-binder
!:mime application/x-msbinder
# obt for template; obz for Microsoft Office Binder wizard
!:ext obd/obt/obz
# #
# URL: http://fileformats.archiveteam.org/wiki/WordPerfect # URL: http://fileformats.archiveteam.org/wiki/WordPerfect
# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File # Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File
@ -462,6 +606,19 @@
!:apple ????WPC9 !:apple ????WPC9
!:ext wpg !:ext wpg
# #
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/CorelCAD
# https://en.wikipedia.org/wiki/CorelCAD
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccd-corelcad.trid.xml
# Note: called "CorelCAD Drawing" by TrID and CorelCAD
# directory entry names like Contents ViewInfo CustomViewDescriptions LayerInfo
>>88 ubequad 0xbe26db67235e2689 : Corel
>>>80 ubequad 0x20f414de1cacce11 \bCAD Drawing or Template
#!:mime application/x-ole-storage
!:mime application/x-corel-cad
# CCT for CorelCAD Template
!:ext ccd/cct
#
# URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats # URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats
>>88 ubequad 0x996104021c007002 : StarOffice >>88 ubequad 0x996104021c007002 : StarOffice
>>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template >>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template
@ -560,9 +717,44 @@
!:mime application/vnd.softmaker.planmaker !:mime application/vnd.softmaker.planmaker
# pmv for template https://www.file-extensions.org/pmv-file-extension # pmv for template https://www.file-extensions.org/pmv-file-extension
!:ext pmd/pmv !:ext pmd/pmv
# URL: http://fileformats.archiveteam.org/wiki/MAX_(3ds_Max)
# https://en.wikipedia.org/wiki/Autodesk_3ds_Max
# Reference: http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File
# Note: called "3D Studio Max Scene" by TrID and "3DS Max" by DROID and
# "3DSMax thumbnail" by XnView and verfied by `nconvert -info A380.max`
# applies only to "newer" versions (about 2008-2020)
>>88 ubequad 0x9fed04143144cc1e : Autodesk
>>>80 ubequad 0x7b8cdd1cc081a045 3ds Max
#!:mime application/x-ole-storage
!:mime model/x-autodesk-max
# like: https://static.free3d.com/models/dropbox/dropbox/sq/A380.7z/A380.max
!:ext max
# also chr for character file according to DROID https://www.nationalarchives.gov.uk/PRONOM/fmt/978
#!:ext max/chr
# remaining non null clsid # remaining non null clsid
>>88 default x : UNKNOWN >>88 default x
>>>0 use ole2-unknown
# display information about directory for not detected CDF files
0 name ole2-unknown
>80 ubequad x : UNKNOWN
# https://reposcope.com/mimetype/application/x-ole-storage
!:mime application/x-ole-storage !:mime application/x-ole-storage
>>>80 ubequad !0 \b, clsid %#16.16llx # according to file version 5.41 with -e soft option
>>>88 ubequad x \b%16.16llx #!:mime application/CDFV2
#!:ext ???
>80 ubequad !0 \b, clsid %#16.16llx
>>88 ubequad x \b%16.16llx
# converted hexadecimal format to standard GUUID notation
>>80 guid x {%s}
# second directory entry name like VisioDocument Control000
>128 lestring16 x with names %.20s
# third directory entry like WordDocument Preview.dib
>256 lestring16 x %.20s
# forth like \005SummaryInformation
>384 lestring16 x %.25s
# 5th
>512 lestring16 x %.10s
# 6th
>640 lestring16 x %.10s
# 7th
>768 lestring16 x %.10s

View file

@ -1,12 +1,14 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: os2,v 1.13 2021/04/26 15:56:00 christos Exp $ # $File: os2,v 1.14 2022/03/21 21:25:50 christos Exp $
# os2: file(1) magic for OS/2 files # os2: file(1) magic for OS/2 files
# #
# Provided 1998/08/22 by # Provided 1998/08/22 by
# David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net> # David Mediavilla <davidme.news@REMOVEIFNOTSPAMusa.net>
1 search/100 InternetShortcut MS Windows 95 Internet shortcut text 1 search/100 InternetShortcut MS Windows 95 Internet shortcut text
!:mime application/x-mswinurl
!:ext url
>17 search/100 URL= (URL=< >17 search/100 URL= (URL=<
>>&0 string x \b%s>) >>&0 string x \b%s>)

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: palm,v 1.14 2019/04/19 00:42:27 christos Exp $ # $File: palm,v 1.15 2021/12/16 21:50:06 christos Exp $
# palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks
# #
# Brian Lalor <blalor@hcirisc.cs.binghamton.edu> # Brian Lalor <blalor@hcirisc.cs.binghamton.edu>
@ -55,6 +55,7 @@
# Mobipocket (www.mobipocket.com), donated by Carl Witty # Mobipocket (www.mobipocket.com), donated by Carl Witty
# expanded by Ralf Brown # expanded by Ralf Brown
60 string BOOKMOBI Mobipocket E-book 60 string BOOKMOBI Mobipocket E-book
!:mime application/x-mobipocket-ebook
# MobiPocket stores a full title, pointed at by the belong at offset # MobiPocket stores a full title, pointed at by the belong at offset
# 0x54 in its header at (78.L), with length given by the belong at # 0x54 in its header at (78.L), with length given by the belong at
# offset 0x58. # offset 0x58.

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: pascal,v 1.3 2020/06/07 18:10:26 christos Exp $ # $File: pascal,v 1.4 2022/07/30 16:53:06 christos Exp $
# pascal: file(1) magic for Pascal source # pascal: file(1) magic for Pascal source
# #
0 search/8192 (input, Pascal source text 0 search/8192 (input, Pascal source text
@ -12,3 +12,28 @@
# Free Pascal # Free Pascal
0 string PPU Pascal unit 0 string PPU Pascal unit
>3 string x \b, version %s >3 string x \b, version %s
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Dan_Bricklin
0 string/b Type
# URL: https://dl.winworldpc.com/Dan%20Bricklins%20Demo%20II%20Version%202%20Manual.7z
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-v2.trid.xml
>4 string D2 Dan Bricklin's Demo 2 demo
#!:mime application/octet-stream
!:ext dbd
# URL: https://muhaz.org/turbo-pascal-download-details.html
# From: Joerg Jenderek
# Note: used by Turbo Pascal 5.5 TOUR.EXE
>4 string T2 Turbo Pascal TOUR data
#!:mime application/octet-stream
!:mime application/x-borland-cbt
!:ext cbt
# WHAT iS THAT?
#>4 string \040P Dan Bricklin's Demo 2 foo
#!:mime application/octet-stream
# _PPRINT.SG2 _PASCII.SG2
#!:ext sg2
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbd-gen.trid.xml
>4 default x Dan Bricklin's Demo demo (generic)
#!:mime application/octet-stream
!:ext dbd

View file

@ -1,12 +1,12 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: pdf,v 1.16 2021/07/30 11:47:07 christos Exp $ # $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $
# pdf: file(1) magic for Portable Document Format # pdf: file(1) magic for Portable Document Format
# #
0 name pdf 0 name pdf
>8 search /Count >8 search /Count
>>&0 regex [0-9]+ \b, %s pages >>&0 regex [0-9]+ \b, %s page(s)
>8 search/512 /Filter/FlateDecode/ (zip deflate encoded) >8 search/512 /Filter/FlateDecode/ (zip deflate encoded)
0 string %PDF- PDF document 0 string %PDF- PDF document
@ -42,7 +42,7 @@
>5 byte x \b, version %c >5 byte x \b, version %c
>7 byte x \b.%c >7 byte x \b.%c
0 search/256 %PDF- PDF document 0 search/1024 %PDF- PDF document
!:mime application/pdf !:mime application/pdf
!:strength +60 !:strength +60
!:ext pdf !:ext pdf

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ # $File: perl,v 1.27 2023/07/17 16:01:36 christos Exp $
# perl: file(1) magic for Larry Wall's perl language. # perl: file(1) magic for Larry Wall's perl language.
# #
# The `eval' lines recognizes an outrageously clever hack. # The `eval' lines recognizes an outrageously clever hack.
@ -34,12 +34,12 @@
# by Dmitry V. Levin and Alexey Tourbin # by Dmitry V. Levin and Alexey Tourbin
# check the first line # check the first line
0 search/8192 package 0 search/8192 package
>0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text >0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; Perl5 module source text
!:strength + 40 !:strength + 40
# not 'p', check other lines # not 'p', check other lines
0 search/8192 !p 0 search/8192 !p
>0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; >0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*;
>>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text >>0 regex \^1[[:space:]]*;|\^(use|sub|my)[[:space:]].*[(;{=] Perl5 module source text
!:strength + 75 !:strength + 75
# Perl POD documents # Perl POD documents

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: printer,v 1.29 2019/04/19 00:42:27 christos Exp $ # $File: printer,v 1.34 2023/06/16 19:27:12 christos Exp $
# printer: file(1) magic for printer-formatted files # printer: file(1) magic for printer-formatted files
# #
@ -30,13 +30,42 @@
# DOS EPS Binary File Header # DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET> # From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File # Update: Joerg Jenderek
>4 long >0 Postscript starts at byte %d # URL: http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript
>>8 long >0 length %d # Reference: http://mark0.net/download/triddefs_xml.7z/defs/eps-adobe.trid.xml
>>>12 long >0 Metafile starts at byte %d # Note: called "Encapsulated PostScript binary" by TrID and
# verified partly by ImageMagick `identify -verbose *` as EPT (Encapsulated PostScript with TIFF preview)
0 belong 0xC5D0D3C6
# skip DROID fmt-122-signature-id-174.eps fmt-123-signature-id-178.eps fmt-124-signature-id-180.eps
# by looking for content after header
# GRR: in version 5.44 unequal and not endian variant not working!
>32 ulelong >0 DOS EPS Binary File
!:mime image/x-eps
# TODO: check that "long" is false on big endian machines
# Postscript often (850/857) comes after header; so values like: 30 32 or 2788 10644 43350 71828
>>4 long >0 at byte %d
# 1 space char after length value to get phrase like "length 263893 PostScript document text"
>>>8 long >0 length %d
# PostScript document text handled by ./printer
>>>>(4.l) indirect x
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-wmf.trid.xml
# Note: called "Encapsulated PostScript binary (with WMF preview)" by TrID
# verified partly by XnView `nconvert -info *.EP?` as TIFF epsp
>>>>12 long >0 at byte %d
!:ext eps
# GRR: in file version 5.44 calling indirect of ./msdos produce phrase like "length 452\012- Windows metafile"
>>>>16 long >0 length %d >>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d # Windows metafile data handled by ./msdos
>>>>24 long >0 length %d >>>>>(12.l) indirect x
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-tiff.trid.xml
# Note: called "Encapsulated PostScript binary (with TIFF preview)" by TrID
>>>>20 long >0 at byte %d
# For the variant with the TIFF preview image sometimes the file extension ept is used
!:ext eps/ept
# GRR: in file version 5.44 calling indirect of ./images produce phrase like "length 43320\012- TIFF image data,"
>>>>>24 long >0 length %d
# TIFF image data handled by ./images
>>>>>>(20.l) indirect x
# Summary: Adobe's PostScript Printer Description File # Summary: Adobe's PostScript Printer Description File
# Extension: .ppd # Extension: .ppd
@ -45,6 +74,8 @@
# #
0 string *PPD-Adobe:\x20 PPD file 0 string *PPD-Adobe:\x20 PPD file
>&0 string x \b, version %s >&0 string x \b, version %s
!:ext ppd
!:mime application/vnd.cups-ppd
# HP Printer Job Language # HP Printer Job Language
0 string \033%-12345X@PJL HP Printer Job Language data 0 string \033%-12345X@PJL HP Printer Job Language data
@ -82,7 +113,16 @@
>0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL
>0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL
>0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS >0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS
# Summary: Hewlett-Packard printer firmware update
# From: Joerg Jenderek
# URL: https://support.hp.com/us-en/drivers/selfservice/hp-envy-6000e-all-in-one-printer-series/2100187505/model/2100187513
# Note: firmware update tested with ENVY 6000 All-in-One Printer
0 string @PJL\ ENTER\ LANGUAGE=FWUPDATE2 HP Printer firmware update
#!:mime application/octet-stream
#!:mime application/x-hp-firmware
# https://ftp.hp.com/pub/softlib/software13/printers/en6000/2214/EN6000_2214B.exe
# vasari_base_dist_pp1_001.2214B_nonassert_appsigned_lbi_rootfs_secure_signed.ful2
!:ext ful2
# HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com)
0 string \033E\033 HP PCL printer data 0 string \033E\033 HP PCL printer data
@ -148,3 +188,91 @@
# From: Paolo <oopla@users.sf.net> # From: Paolo <oopla@users.sf.net>
# Epson ESC/Page, ESC/PageColor # Epson ESC/Page, ESC/PageColor
0 string \x1b\x01@EJL Epson ESC/Page language printer data 0 string \x1b\x01@EJL Epson ESC/Page language printer data
# Summary: Hewlett-Packard Graphics Language
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/HP-GL
# https://en.wikipedia.org/wiki/HPGL
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpg.trid.xml
# Note: called "Hewlett-Packard Graphics Language" by TrID and
# "Hewlett Packard Graphics Language" by DROID via PUID x-fmt/293 and
# HPGL by XnView command `nconvert -info *`
# initialize, start a plotting job
0 string IN;
>0 use hpgl
# fill.plt
0 string INPS
>0 use hpgl
# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test1.hpgl
0 string DF;
>0 use hpgl
# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test3.hpgl
# Select Pen n; If no pen number or 0, the controller performs an end of file command; n in range between -32767 and 32768 like: 6
0 string SP
# skip text Linux-syscall-note inside qemu sources starting with SPDX-Exception-Identifier: Linux-syscall-note
# by checking for valid Pen number
>2 regex \^([0-9]{1,5})
#>2 regex \^([0-9]{1,5}) PEN_NUMBER=%s
>>0 use hpgl
# charsize.hp pages.hp set the scaling points (P1 and P2) to their default positions
0 string IP0
>0 use hpgl
# ci.hp
0 string CO\040
>0 use hpgl
# iw.hp 286x192.5_lh.hpg 286x192.5_lq.hpg
0 string PS\040
>0 use hpgl
# thick.hp
0 string PS9
>0 use hpgl
# ul.hp
0 string PS4
>0 use hpgl
# la.hp
0 string BP
>0 use hpgl
# miter.hp
# Plot Absolute x,y{,x,y{...}}; x and y in range between -32767 and 32768 like: PA4000,3000;
0 string PA
# skip shell scripts test_msa_run_32r5eb.sh test_msa_run_32r5eb.sh with variable PATH_TO_QEMU
# by checking for valid x coordinate
>2 regex \^([-]{0,1}[0-9]{1,5})
#>2 regex \^([-]{0,1}[0-9]{1,5}) COORDINATE=%s
>>0 use hpgl
# pw.hpg number of pens x
0 string NP
>0 use hpgl
# win_1.hp
#0 string \003INCA WHAT_IS_THAT
#>0 use hpgl
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpgl2.trid.xml
# Note: called "Hewlett-Packard Graphics Language 2" by TrID
0 string \033%-1B Hewlett-Packard Graphics Language 2
!:mime application/vnd.hp-HPGL
# like: dt.plt
!:ext plt
#!:ext plt/gl2/hpg2/spl
# remaining part after escsape sequnce
>5 string x with "%-.10s"
# display Hewlett-Packard Graphics Language vector graphic information
0 name hpgl
>0 string x Hewlett-Packard Graphics Language
#!:mime vector/x-hpgl
# https://www.iana.org/assignments/media-types/application/vnd.hp-HPGL
!:mime application/vnd.hp-HPGL
# no example with HPL suffix found
!:ext hpgl/hpg/hp/plt
# like: "IN;" "DF;IN;LT;PU1000,1000;PD2000,10" "SP6;DI0,1;SR0.70,1.90;SC0,800,"
# "CO Concentric circles drawn with different linewidths;"
>0 string x \b, starting with "%-.54s"
# continue but not for 1 long line without CR or LF
>>&0 ubyte <0x0E
#>>&0 ubyte <0x0E TERMINATOR=%x
# second line after 1 terminator character
>>>&0 string >\r with "%-.10s"
# next character again CR or LF
>>>&0 ubyte <0x0E
#>>>&0 ubyte <0x0E 2ND_CHARACTER=%x
# second line after 2 terminator characters
>>>>&0 string >\r with "%-.10s"

43
magic/Magdir/psion Normal file
View file

@ -0,0 +1,43 @@
#------------------------------------------------------------------------------
# psion: file(1) magic for Psion handhelds data
# from: Peter Breitenlohner <peb@mppmu.mpg.de>
#
0 lelong 0x10000037 Psion Series 5
>4 lelong 0x10000039 font file
>4 lelong 0x1000003A printer driver
>4 lelong 0x1000003B clipboard
>4 lelong 0x10000042 multi-bitmap image
>4 lelong 0x1000006A application information file
>4 lelong 0x1000006D
>>8 lelong 0x1000007D sketch image
!:mime image/x-psion-sketch
>>8 lelong 0x1000007E voice note
>>8 lelong 0x1000007F word file
>>8 lelong 0x10000085 OPL program
>>8 lelong 0x10000088 sheet file
>>8 lelong 0x100001C4 EasyFax initialisation file
>4 lelong 0x10000073 OPO module
>4 lelong 0x10000074 OPL application
>4 lelong 0x1000008A exported multi-bitmap image
0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image
0 lelong 0x10000050 Psion Series 5
>4 lelong 0x1000006D database
>4 lelong 0x100000E4 ini file
0 lelong 0x10000079 Psion Series 5 binary:
>4 lelong 0x00000000 DLL
>4 lelong 0x10000049 comms hardware library
>4 lelong 0x1000004A comms protocol library
>4 lelong 0x1000005D OPX
>4 lelong 0x1000006C application
>4 lelong 0x1000008D DLL
>4 lelong 0x100000AC logical device driver
>4 lelong 0x100000AD physical device driver
>4 lelong 0x100000E5 file transfer protocol
>4 lelong 0x100000E5 file transfer protocol
>4 lelong 0x10000140 printer definition
>4 lelong 0x10000141 printer definition
0 lelong 0x1000007A Psion Series 5 executable

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: python,v 1.43 2021/05/25 15:12:03 christos Exp $ # $File: python,v 1.45 2022/07/24 23:59:37 christos Exp $
# python: file(1) magic for python # python: file(1) magic for python
# #
# Outlook puts """ too for urgent messages # Outlook puts """ too for urgent messages
@ -8,6 +8,7 @@
# often the module starts with a multiline string # often the module starts with a multiline string
0 string/t """ Python script text executable 0 string/t """ Python script text executable
# MAGIC as specified in Python/import.c (1.0 to 3.7) # MAGIC as specified in Python/import.c (1.0 to 3.7)
# and in Lib/importlib/_bootstrap_external.py (3.5+)
# two bytes of magic followed by "\r\n" in little endian order # two bytes of magic followed by "\r\n" in little endian order
0 belong 0x02099900 python 1.0 byte-compiled 0 belong 0x02099900 python 1.0 byte-compiled
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
@ -85,6 +86,8 @@
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x04f30d0a python 2.7 byte-compiled 0 belong 0x04f30d0a python 2.7 byte-compiled
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x0af30d0a PyPy2.7 byte-compiled
!:mime application/x-bytecode.python
0 belong 0xb80b0d0a python 3.0 byte-compiled 0 belong 0xb80b0d0a python 3.0 byte-compiled
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0xc20b0d0a python 3.0 byte-compiled 0 belong 0xc20b0d0a python 3.0 byte-compiled
@ -185,36 +188,46 @@
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x3f0d0d0a python 3.7 byte-compiled 0 belong 0x3f0d0d0a python 3.7 byte-compiled
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x400d0d0a python 3.7 byte-compiled
# magic 3392+ implements PEP 552: Deterministic pycs
0 name pyc-pep552
# the flag field determines how .pyc validity is checked
>4 ulelong&1 0 timestamp-based,
>>8 uledate x .py timestamp: %s UTC,
>>12 ulelong x .py size: %d bytes
>4 ulelong&1 !0 hash-based, check-source flag
>>4 ulelong&2 0 unset,
>>4 ulelong&2 !0 set,
>>8 ulequad x hash: 0x%llx
# uleshort magic followed by \x0d\0xa
2 string \x0d\x0a
# extra check: only two bits of flag field are currently used
>4 ulelong <0x4
# \x0d as part of magic should suffice till Python 3.14 (magic 3600)
>>1 ubyte 0x0d Byte-compiled Python module for
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x410d0d0a python 3.7 byte-compiled # now look at the magic number to determine the version
>>>0 uleshort <3400 CPython 3.7,
>>>0 default x
>>>>0 uleshort <3420 CPython 3.8,
>>>>0 default x
>>>>>0 uleshort <3430 CPython 3.9,
>>>>>0 default x
>>>>>>0 uleshort <3450 CPython 3.10,
>>>>>>0 default x
>>>>>>>0 uleshort <3500 CPython 3.11,
>>>>>>>0 default x CPython 3.12 or newer,
>>>0 use pyc-pep552
>>0 uleshort 240 Byte-compiled Python module for PyPy3.7,
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x420d0d0a python 3.7 byte-compiled >>>0 use pyc-pep552
>>0 uleshort 256 Byte-compiled Python module for PyPy3.8,
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
0 belong 0x480d0d0a python 3.8 byte-compiled >>>0 use pyc-pep552
!:mime application/x-bytecode.python >>0 uleshort 336 Byte-compiled Python module for PyPy3.9,
0 belong 0x490d0d0a python 3.8 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x520d0d0a python 3.8 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x530d0d0a python 3.8 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x540d0d0a python 3.8 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x550d0d0a python 3.8 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x5c0d0d0a python 3.9 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x5d0d0d0a python 3.9 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x5e0d0d0a python 3.9 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x5f0d0d0a python 3.9 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x600d0d0a python 3.9 byte-compiled
!:mime application/x-bytecode.python
0 belong 0x610d0d0a python 3.9 byte-compiled
!:mime application/x-bytecode.python !:mime application/x-bytecode.python
>>>0 use pyc-pep552
0 search/1/w #!\040/usr/bin/python Python script text executable 0 search/1/w #!\040/usr/bin/python Python script text executable
!:strength + 15 !:strength + 15

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: qt,v 1.3 2019/04/19 00:42:27 christos Exp $ # $File: qt,v 1.4 2022/11/11 14:50:23 christos Exp $
# qt: file(1) magic for Qt # qt: file(1) magic for Qt
# https://doc.qt.io/qt-5/resources.html # https://doc.qt.io/qt-5/resources.html
@ -17,3 +17,14 @@
# src/corelib/kernel/qtranslator.cpp#L62 # src/corelib/kernel/qtranslator.cpp#L62
0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95
>8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file >8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file
# Qt V4 Javascript engine compiled unit
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/qt/qtdeclarative/blob/v6.4.0/src/qml/common/qv4compileddata_p.h
0 string qv4cdata QV4 compiled unit
!:ext qmlc
>8 ulelong x \b, version %d
>12 byte x \b, Qt %d
>13 byte x \b.%d
>14 byte x \b.%d

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: riff,v 1.43 2021/04/26 15:56:00 christos Exp $ # $File: riff,v 1.45 2022/07/24 23:47:49 christos Exp $
# riff: file(1) magic for RIFF format # riff: file(1) magic for RIFF format
# See # See
# #
@ -161,6 +161,64 @@
#>0 string x we got %s #>0 string x we got %s
#>>&(4.l+4) use riff-walk #>>&(4.l+4) use riff-walk
# RecorderGear TR500 call recorder digits (BCD)
0 name tr500-call-recorder-digits
>0 byte&0xF0 0x00 \b0
>0 byte&0xF0 0x10 \b1
>0 byte&0xF0 0x20 \b2
>0 byte&0xF0 0x30 \b3
>0 byte&0xF0 0x40 \b4
>0 byte&0xF0 0x50 \b5
>0 byte&0xF0 0x60 \b6
>0 byte&0xF0 0x70 \b7
>0 byte&0xF0 0x80 \b8
>0 byte&0xF0 0x90 \b9
>0 byte&0xF0 0xb0 \b*
>0 byte&0xF0 0xc0 \b#
>0 byte&0x0F 0 \b0
>0 byte&0x0F 1 \b1
>0 byte&0x0F 2 \b2
>0 byte&0x0F 3 \b3
>0 byte&0x0F 4 \b4
>0 byte&0x0F 5 \b5
>0 byte&0x0F 6 \b6
>0 byte&0x0F 7 \b7
>0 byte&0x0F 8 \b8
>0 byte&0x0F 9 \b9
>0 byte&0x0F 0xb \b*
>0 byte&0x0F 0xc \b#
# TR500 call recorder extended header
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Contains dialed/incoming phone number and timestamp.
# TODO: Verify byte 15.
0 name tr500-call-recorder-header
>15 byte 2 (outgoing call:
>15 byte 4 (incoming call:
>1 byte 0xFF \bno number
>1 byte !0xFF
>>1 use tr500-call-recorder-digits
>>2 byte !0xFF
>>>2 use tr500-call-recorder-digits
>>3 byte !0xFF
>>>3 use tr500-call-recorder-digits
>>4 byte !0xFF
>>>4 use tr500-call-recorder-digits
>>5 byte !0xFF
>>>5 use tr500-call-recorder-digits
>>6 byte !0xFF
>>>6 use tr500-call-recorder-digits
>>7 byte !0xFF
>>>7 use tr500-call-recorder-digits
>>8 byte !0xFF
>>>8 use tr500-call-recorder-digits
>9 byte x \b, 20%02x
>10 byte x \b/%02x
>11 byte x \b/%02x
>12 byte x %02x
>13 byte x \b:%02x
>14 byte x \b:%02x)
# AVI section extended by Patrik Radman <patrik+file-magic@iki.fi> # AVI section extended by Patrik Radman <patrik+file-magic@iki.fi>
# #
0 string RIFF RIFF (little-endian) data 0 string RIFF RIFF (little-endian) data
@ -231,6 +289,11 @@
!:ext wav/wave !:ext wav/wave
>>12 string >\0 >>12 string >\0
>>>12 use riff-walk >>>12 use riff-walk
# TR500 call recorder extended header
>>16 ulelong 0x1E4
>>>20 leshort 0x11
>>>>256 byte 4
>>>>>256 use tr500-call-recorder-header
# Update: Joerg Jenderek # Update: Joerg Jenderek
# lower case for Corel Draw version 8 Bidi # lower case for Corel Draw version 8 Bidi
>8 string/c cdr >8 string/c cdr
@ -270,6 +333,27 @@
#>>>0 use corel-des #>>>0 use corel-des
#>>>0 use corel-draw #>>>0 use corel-draw
>8 string NUNDROOT \b, Steinberg CuBase >8 string NUNDROOT \b, Steinberg CuBase
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MIDI_Instrument_Definition_File
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/idf.trid.xml
# ftp://curscott.servebeer.com/Download/Apps/_Microsoft/
# Visual%20Studio%206.0%20Professional%20MSDN/
# SAMPLES/VC98/SDK/GRAPHICS/AUDIO/IDFEDIT/GLOBALS.H
# Note: called "MIDI Instrument Definition File" by TrID
>8 string IDF\ LIST \b, MIDI Instrument Definition File
!:mime audio/x-idf
!:ext idf
# 3rd chunk size like: 254 284 286 670
#>>0x10 ulelong x \b, 3th SIZE %u
# for debugging purpose display next chunk like: MMAPhdr
#>>0x14 string x \b, 4th "%-8.8s"
#>>0x1C ulelong x \b, 4th SIZE 0x%x
# probably MIDI instrument name like: "Universal-MIDI-Instrument" "instrument name" "General MIDI"
>>0x30 string x "%s"
# look for inst TAG
>>0x31 search/256 inst by
# probably manufacture name like: "Unspecified Company" "NVidia Corporation"
>>>&0x24 string x "%s"
# AVI == Audio Video Interleave # AVI == Audio Video Interleave
# Reference: http://fileformats.archiveteam.org/wiki/AVI # Reference: http://fileformats.archiveteam.org/wiki/AVI
>8 string AVI\040 \b, AVI >8 string AVI\040 \b, AVI
@ -676,6 +760,7 @@
# for debugging purpose display 5th chunk like: LIST osfp # for debugging purpose display 5th chunk like: LIST osfp
#>>(26.l+30) string x \b, 5th "%-4.4s" #>>(26.l+30) string x \b, 5th "%-4.4s"
>4 ulelong+8 x \b, %u bytes >4 ulelong+8 x \b, %u bytes
# #
# XXX - some of the below may only appear in little-endian form. # XXX - some of the below may only appear in little-endian form.
# #

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: rpi,v 1.2 2019/10/02 02:07:30 christos Exp $ # $File: rpi,v 1.3 2022/04/02 14:39:34 christos Exp $
# rpi: file(1) magic for Raspberry Pi images # rpi: file(1) magic for Raspberry Pi images
-44 lelong 0 -44 lelong 0
>4 lelong 0 >4 lelong 0
@ -27,3 +27,26 @@
>>>>>>>>>40 string DDTK8 >>>>>>>>>40 string DDTK8
>>>>>>>>>>48 lelong 4 >>>>>>>>>>48 lelong 4
>>>>>>>>>>>52 string RPTL Raspberry PI kernel image >>>>>>>>>>>52 string RPTL Raspberry PI kernel image
# From: Joerg Jenderek
# URL: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html
# #raspberry-pi-4-boot-eeprom
# Reference: https://github.com/raspberrypi/rpi-eeprom/blob/master/rpi-eeprom-config
# Note: start with same magic as for BIOS (ia32) ROM Extension handled by ./intel
# masked with MAGIC_MASK and then compared with MAGIC
0 belong&0xFFffF00F 0x55aaF00F Raspberry PI EEPROM
#!:mime application/octet-stream
!:mime application/x-raspberry-eeprom
# like: pieeprom-2020-09-03.bin
!:ext bin
# a 32 bit offset to the next section like: 000184d4 000184c8 00018534 ... 0000bb84 0000bbd4 0000bbd4
>4 ubelong x \b, offset %8.8x
#>(4.L) ubelong x NEXT=%8.8x
# self.length
>8 ubelong !0 \b, length %x
# self.filename
>12 string >0 \b, "%s"
# length is zero
>8 ubelong =0
# if length is zero then 2nd section magic here can be zero; this means sections parsing done
>>8 ubelong !0 \b, 2nd MAGIC=%8.8x

View file

@ -1,11 +1,13 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: rst,v 1.3 2020/04/27 01:50:36 christos Exp $ # $File: rst,v 1.4 2023/07/27 18:26:32 christos Exp $
# rst: ReStructuredText http://docutils.sourceforge.net/rst.html # rst: ReStructuredText http://docutils.sourceforge.net/rst.html
0 search/256 \=\= 0 search/256 \=\=
!:strength + 30 !:strength + 30
>&0 regex/256 \^[\=]+$ >&0 regex/256 \^[\=]+$
>>&0 search/512 :Author: ReStructuredText file >>&0 search/512 :Author: ReStructuredText file
>>&0 search/512 \012Authors: ReStructuredText file
>>&0 search/512 \012Author: ReStructuredText file
>>&0 default x >>&0 default x
>>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file >>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file
!:ext rst !:ext rst

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: scientific,v 1.13 2019/04/19 00:42:27 christos Exp $ # $File: scientific,v 1.14 2023/04/29 17:28:09 christos Exp $
# scientific: file(1) magic for scientific formats # scientific: file(1) magic for scientific formats
# #
# From: Joe Krahn <krahn@niehs.nih.gov> # From: Joe Krahn <krahn@niehs.nih.gov>
@ -62,15 +62,48 @@
# Type: GEDCOM genealogical (family history) data # Type: GEDCOM genealogical (family history) data
# From: Giuseppe Bilotta # From: Giuseppe Bilotta
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/GEDCOM
# https://en.wikipedia.org/wiki/GEDCOM
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/
# ged.trid.xml ged-utf8.trid.xml ged-utf16.trid.xml
# Note: called "GEDCOM Family History" by TrID and "Genealogical Data Communication (GEDCOM) Format" by DROID via PUID fmt/851
0 search/1/c 0\ HEAD GEDCOM genealogy text 0 search/1/c 0\ HEAD GEDCOM genealogy text
#!:mime text/plain
#!:mime application/x-gedcom
# https://www.iana.org/assignments/media-types/text/vnd.familysearch.gedcom
!:mime text/vnd.familysearch.gedcom
!:ext ged
# no gedcom sample found and ged suffix also used for other formats
#!:ext ged/gedcom
>&0 search 1\ GEDC >&0 search 1\ GEDC
>>&0 search 2\ VERS version >>&0 search 2\ VERS version
# 4 5.0 5.3 5.4 5.5 5.5.1 5.5.5 5.6 7.0 or no version
>>>&1 string >\0 %s >>>&1 string >\0 %s
# From: Phil Endecott <phil05@chezphil.org> # From: Phil Endecott <phil05@chezphil.org>
0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data # 0\040HEAD as UTF-16 big endian without BOM
0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data 0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM genealogy text
0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data !:mime text/vnd.familysearch.gedcom
0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data !:ext ged
# look for VERS tag encoded as UTF-16 big endian
>12 search/0x65 V\0E\0R\0S version
# version like: 5.5.1
>>&2 bestring16 x %s
>>0 string x \b, UTF-16 (without BOM) big-endian text
# 0\040HEAD as UTF-16 little endian without BOM
0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM genealogy text
!:mime text/vnd.familysearch.gedcom
!:ext ged
# look for VERS tag encoded as UTF-16 lttle endian
>12 search/0x65 V\0E\0R\0S version
# version like: 5.5.1
>>&3 lestring16 x %s
>>2 string x \b, UTF-16 (without BOM) little-endian text
# Note: UTF-16 with BOM variants already described above by first test as "GEDCOM genealogy text"
# 0\040HEAD as UTF-16 big endian with BOM
#0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data
# 0\040HEAD as UTF-16 little endian with BOM
#0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data
# PDB: Protein Data Bank files # PDB: Protein Data Bank files
# Adam Buchbinder <adam.buchbinder@gmail.com> # Adam Buchbinder <adam.buchbinder@gmail.com>

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: sendmail,v 1.11 2019/04/19 00:42:27 christos Exp $ # $File: sendmail,v 1.12 2022/10/31 13:22:26 christos Exp $
# sendmail: file(1) magic for sendmail config files # sendmail: file(1) magic for sendmail config files
# #
# XXX - byte order? # XXX - byte order?
@ -13,7 +13,7 @@
# - version \330jK\354 # - version \330jK\354
0 byte 046 0 byte 046
# https://www.sendmail.com/sm/open_source/docs/older_release_notes/ # https://www.sendmail.com/sm/open_source/docs/older_release_notes/
# freezed configuration file (dbm format?) created from sendmal.cf with -bz # freezed configuration file (dbm format?) created from sendmail.cf with -bz
# by older sendmail. til version 8.6 support for frozen configuration files is removed # by older sendmail. til version 8.6 support for frozen configuration files is removed
# valid version numbers look like "7.14.4" and should be similar to output of commands # valid version numbers look like "7.14.4" and should be similar to output of commands
# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" # "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf"

View file

@ -1,16 +1,18 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: sgml,v 1.42 2020/12/12 20:01:47 christos Exp $ # $File: sgml,v 1.48 2023/01/18 16:10:21 christos Exp $
# Type: SVG Vectorial Graphics # Type: SVG Vectorial Graphics
# From: Noel Torres <tecnico@ejerciciosresueltos.com> # From: Noel Torres <tecnico@ejerciciosresueltos.com>
0 string \<?xml\ version= 0 string \<?xml\ version=
>14 regex ['"\ \t]*[0-9.]+['"\ \t]* >14 regex ['"\ \t]*[0-9.]+['"\ \t]*
>>19 search/4096 \<svg SVG Scalable Vector Graphics image >>19 search/4096 \<svg SVG Scalable Vector Graphics image
!:mime image/svg+xml !:mime image/svg+xml
!:ext svg
>>19 search/4096 \<gnc-v2 GnuCash file >>19 search/4096 \<gnc-v2 GnuCash file
!:mime application/x-gnucash !:mime application/x-gnucash
0 string \<svg SVG Scalable Vector Graphics image 0 string \<svg SVG Scalable Vector Graphics image
!:mime image/svg+xml !:mime image/svg+xml
!:ext svg
# Sitemap file # Sitemap file
0 string/t \<?xml\ version= 0 string/t \<?xml\ version=
@ -48,70 +50,81 @@
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 5
# avoid misdetection as JavaScript
0 string/cWt \<!doctype\ html HTML document text
!:mime text/html
0 string/ct \<html> HTML document text
!:mime text/html
0 string/ct \<!--
>&0 search/4096/cWt \<!doctype\ html HTML document text
!:mime text/html
>&0 search/4096/ct \<html> HTML document text
!:mime text/html
# SVG document # SVG document
# https://www.w3.org/TR/SVG/single-page.html # https://www.w3.org/TR/SVG/single-page.html
0 search/4096/cWbt \<!doctype\ svg SVG XML document 0 search/4096/cWbt \<!doctype\ svg SVG XML document
!:mime image/svg+xml !:mime image/svg+xml
!:strength + 5 !:strength + 15
0 search/4096/cwt \<head\> HTML document text 0 search/4096/cwt \<head\> HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cWt \<head\ HTML document text 0 search/4096/cWt \<head\ HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cwt \<title\> HTML document text 0 search/4096/cwt \<title\> HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cWt \<title\ HTML document text 0 search/4096/cWt \<title\ HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cwt \<html\> HTML document text 0 search/4096/cwt \<html\> HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cWt \<html\ HTML document text 0 search/4096/cWt \<html\ HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cwt \<script\> HTML document text 0 search/4096/cwt \<script\> HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cWt \<script\ HTML document text 0 search/4096/cWt \<script\ HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cwt \<style\> HTML document text 0 search/4096/cwt \<style\> HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cWt \<style\ HTML document text 0 search/4096/cWt \<style\ HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cwt \<table\> HTML document text 0 search/4096/cwt \<table\> HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cWt \<table\ HTML document text 0 search/4096/cWt \<table\ HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
0 search/4096/cwt \<a\ href= HTML document text 0 search/4096/cwt \<a\ href= HTML document text
!:mime text/html !:mime text/html
!:strength + 5 !:strength + 15
# Extensible markup language (XML), a subset of SGML # Extensible markup language (XML), a subset of SGML
# from Marc Prud'hommeaux (marc@apocalypse.org) # from Marc Prud'hommeaux (marc@apocalypse.org)
0 search/1/cwt \<?xml XML document text 0 search/1/cwt \<?xml XML document text
!:mime text/xml !:mime text/xml
!:strength + 5 !:strength + 15
0 string/t \<?xml\ version\ " XML 0 string/t \<?xml\ version\ " XML
!:mime text/xml !:mime text/xml
!:strength + 5 !:strength + 15
0 string/t \<?xml\ version=" XML 0 string/t \<?xml\ version=" XML
!:mime text/xml !:mime text/xml
!:strength + 5 !:strength + 15
>15 string/t >\0 %.3s document text >15 string/t >\0 %.3s document text
>>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>23 search/1 \<xsl:stylesheet (XSL stylesheet)
>>24 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet)
0 string/t \<?xml\ version=' XML 0 string/t \<?xml\ version=' XML
!:mime text/xml !:mime text/xml
!:strength + 5 !:strength + 15
>15 string/t >\0 %.3s document text >15 string/t >\0 %.3s document text
>>23 search/1 \<xsl:stylesheet (XSL stylesheet) >>23 search/1 \<xsl:stylesheet (XSL stylesheet)
>>24 search/1 \<xsl:stylesheet (XSL stylesheet) >>24 search/1 \<xsl:stylesheet (XSL stylesheet)
@ -139,7 +152,10 @@
# http://files.pef-format.org/specifications/pef-2008-1/pef-specification.html # http://files.pef-format.org/specifications/pef-2008-1/pef-specification.html
# #
# Simon Aittamaa <simon.aittamaa@gmail.com> # Simon Aittamaa <simon.aittamaa@gmail.com>
0 string \<?xml\ version= 0 string \<?xml\ version=
>14 regex ['"\ \t]*[0-9.]+['"\ \t]* >14 regex ['"\ \t]*[0-9.]+['"\ \t]*
>>19 search/4096 \<pef Portable Embosser Format >>19 search/4096 \<pef Portable Embosser Format
!:mime application/x-pef+xml !:mime application/x-pef+xml
# https://www.qgis.org/en/site/
0 string \<!DOCTYPE\040qgis QGIS XML document

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: sniffer,v 1.30 2021/07/03 13:51:56 christos Exp $ # $File: sniffer,v 1.34 2022/12/14 18:27:36 christos Exp $
# sniffer: file(1) magic for packet capture files # sniffer: file(1) magic for packet capture files
# #
# From: guy@alum.mit.edu (Guy Harris) # From: guy@alum.mit.edu (Guy Harris)
@ -270,6 +270,11 @@
>20 belong&0x03FFFFFF 288 (USB 2.0 >20 belong&0x03FFFFFF 288 (USB 2.0
>20 belong&0x03FFFFFF 289 (ATSC ALP >20 belong&0x03FFFFFF 289 (ATSC ALP
>20 belong&0x03FFFFFF 290 (Event Tracing for Windows >20 belong&0x03FFFFFF 290 (Event Tracing for Windows
>20 belong&0x03FFFFFF 291 (Hilscher netANALYZER NG pseudo-footer
>20 belong&0x03FFFFFF 292 (ZBOSS NCP protocol with pseudo-header
>20 belong&0x03FFFFFF 293 (Low-Speed USB 2.0/1.1/1.0
>20 belong&0x03FFFFFF 294 (Full-Speed USB 2.0/1.1/1.0
>20 belong&0x03FFFFFF 295 (High-Speed USB 2.0
# print default match # print default match
>20 default x >20 default x
>>20 belong x (linktype#%u >>20 belong x (linktype#%u
@ -322,14 +327,79 @@
# #
# Novell LANalyzer capture files. # Novell LANalyzer capture files.
# URL: http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt
# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c
# Update: Joerg Jenderek
# #
0 leshort 0x1001 Novell LANalyzer capture file # regular trace header record (RT_HeaderRegular)
0 leshort 0x1007 Novell LANalyzer capture file 0 leshort 0x1001
# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5
# and VIC-20 BASIC V2 program
# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg)
# with invalid second record type 0 instead of "Trace receive channel name record"
>(2.s+4) leshort =0x1006h
>>0 use novell-lanalyzer
# cyclic trace header record (RT_HeaderCyclic)
0 leshort 0x1007
>0 use novell-lanalyzer
0 name novell-lanalyzer
>0 leshort x Novell LANalyzer capture file
# https://reposcope.com/mimetype/application/x-lanalyzer
!:mime application/x-lanalyzer
# maybe also TR2 .. TR9 TRA .. TRZ
!:ext tr1
# version like: 1.5
>4 ubyte x \b, version %u
# minor version; one byte identifying the trace file minor version number
>5 ubyte x \b.%u
# Trace header record type like: 1001~regular or 1007~cyclic
>0 leshort !0x1001 \b, record type %4.4x
# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch
>2 leshort x \b, record length %#x
# second record type like: 1006h~Trace receive channel name record
>(2.s+4) leshort !0x1006h \b, 2nd record type %#4.4x
>(2.s+6) leshort x \b, 2nd record length %#x
# each channel name is a null-terminated, eight-byte ASCII string like: Channel1
>(2.s+8) string x \b, names %.9s
# 2nd channel name like: Channel2
>(2.s+17) string x %.9s ...
# #
# HP-UX "nettl" capture files. # HP-UX "nettl" capture files.
# # URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html
# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c
# Update: Joerg Jenderek
# Note: Wireshark fills "meta information header fields" with "dummy" values
# nettl_magic_hpux9[12]; for HP-UX 9.x not tested
0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file
!:mime application/x-nettl
!:ext trc0/trc1
# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x
0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file 0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file
# https://reposcope.com/mimetype/application/x-nettl
!:mime application/x-nettl
# maybe also TRC000 TRC001 TRC002 ...
!:ext trc0/trc1
# file_name[56]; maybe also like /tmp/raw.tr.TRC000
>12 string !/tmp/wireshark.TRC000
>>12 string x "%-.56s"
# tz[20]; like UTC
>68 string !UTC \b, tz
>>68 string x %-.20s
# host_name[9];
>88 string >\0 \b, host %-.9s
# os_vers[9]; like B.11.11
>97 string !B.11.11 \b, os
>>97 string x %-.9s
# os_v; like 55h
>>106 ubyte x (%#x)
# xxa[8]; like 0
>107 ubequad !0 \b, xxa=%#16.16llx
# model[11] like: 9000/800
>115 string !9000/800 \b, model
>>115 string x %-.11s
# unknown; probably just padding to 128 bytes like: 0406h
>126 ubeshort !0x0406h \b, at 126 %#4.4x
# #
# RADCOM WAN/LAN Analyzer capture files. # RADCOM WAN/LAN Analyzer capture files.
@ -362,4 +432,51 @@
# #
# Files from Accellent Group's 5View products. # Files from Accellent Group's 5View products.
# #
0 string \xaa\xaa\xaa\xaa 5View capture file # URL: http://www.infovista.com
# Reference: http://mark0.net/download/triddefs_xml.7z
# defs/0/5vw.trid.xml
# https://2.na.dl.wireshark.org/src/wireshark-3.6.2.tar.xz
# wireshark-3.6.2/wiretap/5views.c
# Update: Joerg Jenderek
# Note: called "5View capture" by TrID and
# "Wireshark capture file" on Windows or
# "Packet Capture (Accellent/InfoVista 5view)" by shared MIME-info database
# verified/falsified by `wireshark *.5vw`
0 string \xaa\xaa\xaa\xaa
# skip misidentified boot/x86_64/loader/kroete.dat on Suse LEAP DVD
# by check for valid record version
>8 ulelong =0x00010000
>>0 use 5view-le
0 name 5view-le
# t_5VW_Info_Header.Signature = CST_5VW_INFO_HEADER_KEY = 0xAAAAAAAAU
>0 ulelong x 5View capture file
# https://reposcope.com/mimetype/application/x-5view
!:mime application/x-5view
!:ext 5vw
# size of header in bytes (included signature and reserved fields); probably always 20h
>4 ulelong !0x00000020 \b, header size %#x
# version of header record; apparently always CST_5VW_INFO_RECORD_VERSION=0x00010000U
>8 ulelong !0x00010000 \b, record version %#x
# DataSize; total size of data without header like: 18h
>12 ulelong x \b, record size %#x
# filetype; type of the capture file like: 18001000h
>16 ulelong x \b, file type %#8.8x
# Reserved[3]; reserved for future use; apparently zero
>20 quad !0 \b, Reserved %#llx
# look for record header key CST_5VW_RECORDS_HEADER_KEY of structure t_5VW_TimeStamped_Header
>0x20 search/0xB8/b \xEE\xEE\x33\x33 \b; record
# HeaderSize; actual size of this header in bytes like: 32 24h
>>&0 uleshort x size %#x
# HeaderType; exact type of this header; probably always 0x4000
>>&2 uleshort !0x4000 \b, header type %#x
# RecType; type of record like: 80000000h
>>&4 ulelong x \b, record type %#x
# RecSubType; subtype of record like: 0
>>&8 ulelong !0 \b, subtype %#x
# RecSize; Size of one record like: 5Ch
>>&12 ulelong x \b, RecSize %#x
# RecNb; Number of records like: 1
>>&16 ulelong >1 \b, %#x records
# Timestamp Utc
#>>&20 ulelong x \b, RAW TIME %#8.8x
>>&20 date x \b, Time-stamp %s

View file

@ -1,7 +1,8 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ # $File: softquad,v 1.14 2022/10/28 17:19:54 christos Exp $
# softquad: file(1) magic for SoftQuad Publishing Software # softquad: file(1) magic for SoftQuad Publishing Software
# URL: https://en.wikipedia.org/wiki/SoftQuad_Software
# #
# Author/Editor and RulesBuilder # Author/Editor and RulesBuilder
# #
@ -17,8 +18,10 @@
0 short 0xc0da Compiled PSI (v2) data 0 short 0xc0da Compiled PSI (v2) data
>3 string >\0 (%s) >3 string >\0 (%s)
# Binary sqtroff font/desc files... # Binary sqtroff font/desc files...
0 short 0125252 SoftQuad DESC or font file binary # GRR: the line below is also true for 5View capture file handled by ./sniffer
>2 short >0 - version %d 0 short 0125252
# skip 5View capture file with "invalid" version AAAAh
>2 short >0 SoftQuad DESC or font file binary - version %d
# Bitmaps... # Bitmaps...
0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text 0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text
#0 string SQ\ BITMAP2 SoftQuad Raster Format data #0 string SQ\ BITMAP2 SoftQuad Raster Format data

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: spectrum,v 1.9 2021/04/26 15:56:00 christos Exp $ # $File: spectrum,v 1.10 2023/05/08 01:33:36 christos Exp $
# spectrum: file(1) magic for Spectrum emulator files. # spectrum: file(1) magic for Spectrum emulator files.
# #
# John Elliott <jce@seasip.demon.co.uk> # John Elliott <jce@seasip.demon.co.uk>
@ -22,21 +22,125 @@
# #
# Update: Sanity-check string contents to be printable. # Update: Sanity-check string contents to be printable.
# -Adam Buchbinder <adam.buchbinder@gmail.com> # -Adam Buchbinder <adam.buchbinder@gmail.com>
# Update: Joerg Jenderek 2023 May
# URL: http://fileformats.archiveteam.org/wiki/TAP_(ZX_Spectrum)
# Reference: http://web.archive.org/web/20110711141601/http://www.zxmodules.de/fileformats/tapformat.html
# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-zx.trid.xml
# Note: called "ZX Spectrum Tape image" by TrID and "TAP (ZX Spectrum)" by DROID via PUID fmt/801
# verified by fuse-emulator-utils `tzxlist EXAMPLES.TAP`
# #
# headers length 19=023 and flag byte 0 indicating a standard ROM loading header
0 string \023\000\000 0 string \023\000\000
>4 string >\0 >4 string >\0
>>4 string <\177 Spectrum .TAP data "%-10.10s" # skip {85CEE8D6-0F90-4492-B484-98E38862B28D}.2.ver0x0000000000000004.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
>>>3 byte 0 - BASIC program # inside c:\ProgramData\Microsoft\Windows\Caches according to TrID and DROID
>>>3 byte 1 - number array >>23 ubyte =0xFF
>>>3 byte 2 - character array # skip DROID fmt-801-signature-id-1166.tap with invalid name \253\253\253\253\253\253\253\253\253\253
>>>3 byte 3 - memory block # which looks like: "TF COPY II" "screen " "\023\001TF" " 1943 "
>>>>14 belong 0x001B0040 (screen) >>>4 string <\177 Spectrum .TAP data "%-10.10s"
#!:mime application/octet-stream
!:mime application/x-spectrum-tap
!:ext tap
>>>>3 byte 0 - BASIC program
# autostart line; 0..9999 are valid; 32768 means "no auto-loading"
>>>>>16 uleshort x \b, autostart line %u
# program length; length of BASIC program
>>>>>18 uleshort x \b, program length %u
>>>>3 byte 1 - number array
>>>>3 byte 2 - character array
>>>>3 byte 3 - memory block
# length of the following data 1B00h=6912 and start address 4000h=16384 in case of a SCREEN$ header
>>>>>14 belong 0x001B0040 (screen)
# unused 32768=8000h
>>>>>18 uleshort !32768 \b, unused %u
# zxlength; length of the following data after the header
>>>>14 uleshort x \b, data length %u
#>>14 uleshort x \b, data length %#x
# checksum byte; simply all bytes (including flag byte) XORed
#>>>>20 ubyte x \b, checksum %#x
# The following three blocks are from pak21-spectrum@srcf.ucam.org # The following three blocks are from pak21-spectrum@srcf.ucam.org
# TZX tape images # TZX tape images
# Update: Joerg Jenderek 2023 May
# URL: http://fileformats.archiveteam.org/wiki/TZX
# Reference: https://worldofspectrum.net/TZXformat.html
# http://mark0.net/download/triddefs_xml.7z/defs/t/tzx.trid.xml
# Note: called "ZX Spectrum Tape image" by TrID and "TZX Format" by DROID via PUID fmt/1000
0 string ZXTape!\x1a Spectrum .TZX data 0 string ZXTape!\x1a Spectrum .TZX data
#!:mime application/octet-stream
!:mime application/x-spectrum-tzx
# CDT is used for Amstrad tapes
!:ext tzx/cdt
>8 byte x version %d >8 byte x version %d
>9 byte x \b.%d >9 byte x \b.%d
# ID of first block
>10 ubyte x \b; ID %#x
# turbo speed data block
>10 ubyte =0x11 (turbo)
# length of PILOT tone (number of pulses)
>>21 uleshort x \b, %u pilot pulses
# length of PILOT pulse
>>11 uleshort x with %u tstates
# length of SYNC first pulse
>>13 uleshort x \b, %u and
# length of SYNC second pulse
>>15 uleshort x %u sync tstates
# length of ZERO bit pulse
>>17 uleshort x \b, %u zero tstates
# length of ONE bit pulse
>>19 uleshort x \b, %u one tstates
# used bits in the last byte
>>23 ubyte x \b, use %u bit
# plural s
>>23 ubyte >1 \bs
# pause after this block in milliseconds
>>24 uleshort x \b, %u ms pause
# BYTE[3]; length of data that follow
>>26 ulelong&0x00FFffFF x \b, %u data bytes
>10 ubyte =0x20 (pause)
# pause duration in milliseconds
>>11 uleshort x %u ms
# text description
>10 ubyte =0x30 (text)
# length of the text description
#>>11 ubyte x L=%u
>>11 pstring x "%s"
# archive text description in ASCII format
>10 ubyte =0x32 (archive info)
# length of archive text
>>11 uleshort x \b, %#x bytes
# number of text strings
>>13 ubyte x with %u (type) text parts
# text type identification byte: 0~title 1~publisher 2~author 3~year 4~language 5~type 6~price 7~protection 8~origin ff~comment
>>14 byte <9 (%d)
>>>14 byte >-2
# length of text string
#>>>>15 ubyte x L=%u
>>>>15 pstring x %s
# 2nd possible text description
>>>>>&0 byte <9 (%d)
>>>>>>&-1 byte >-2
>>>>>>>&0 pstring x %s
# 3rd possible text description
>>>>>>>>&0 byte <9 (%d)
>>>>>>>>>&-1 byte >-2
>>>>>>>>>>&0 pstring x %s
# 4th possible text description
>>>>>>>>>>>&0 byte <9 (%d)
>>>>>>>>>>>>&-1 byte >-2
>>>>>>>>>>>>>&0 pstring x %s
# 5th possible text description
>>>>>>>>>>>>>>&0 byte <9 (%d)
>>>>>>>>>>>>>>>&-1 byte >-2
>>>>>>>>>>>>>>>>&0 pstring x %s
# 6th possible text description
>>>>>>>>>>>>>>>>>&0 byte <9 (%d)
>>>>>>>>>>>>>>>>>>&-1 byte >-2
>>>>>>>>>>>>>>>>>>>&0 pstring x %s
# 7th possible text description
>>>>>>>>>>>>>>>>>>>>&0 byte <9 (%d)
>>>>>>>>>>>>>>>>>>>>>&-1 byte >-2
>>>>>>>>>>>>>>>>>>>>>>&0 pstring x %s
# RZX input recording files # RZX input recording files
0 string RZX! Spectrum .RZX data 0 string RZX! Spectrum .RZX data

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: sql,v 1.23 2021/07/30 14:53:38 christos Exp $ # $File: sql,v 1.26 2023/04/29 17:26:58 christos Exp $
# sql: file(1) magic for SQL files # sql: file(1) magic for SQL files
# #
# From: "Marty Leisner" <mleisner@eng.mc.xerox.com> # From: "Marty Leisner" <mleisner@eng.mc.xerox.com>
@ -88,8 +88,14 @@
# Version 1 used GDBM internally; its files cannot be distinguished # Version 1 used GDBM internally; its files cannot be distinguished
# from other GDBM files. # from other GDBM files.
# #
# Update: Joerg Jenderek
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/sqlite-2x.trid.xml
# Note: called "SQLite 2.x database" by TrID and "SQLite Database File Format" version 2 by DROID via PUID fmt/1135
# Version 2 used this format: # Version 2 used this format:
0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database
!:mime application/x-sqlite2
# FileAttributesStore.db test.sqlite2
!:ext sqlite/sqlite2/db
# URL: https://en.wikipedia.org/wiki/SQLite # URL: https://en.wikipedia.org/wiki/SQLite
# Reference: https://www.sqlite.org/fileformat.html # Reference: https://www.sqlite.org/fileformat.html
@ -201,6 +207,63 @@
0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, 0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log,
!:ext sqlite-wal/db-wal !:ext sqlite-wal/db-wal
>4 belong x version %d >4 belong x version %d
# Summary: SQLite Write-Ahead-Log index (shared memory)
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/SQLite
# Reference: http://www.sqlite.org/draft/walformat.html#walidxfmt
# iVersion; WAL-index format version number; always 3007000=2DE218h
0 ulelong 0x002DE218
>0 use shm-le
# big endian variant not tested
0 ubelong 0x002DE218
>0 use \^shm-le
# show information about SQLite Write-Ahead-Log shared memory
0 name shm-le
>0 ulelong x SQLite Write-Ahead Log shared memory
#!:mime application/octet-stream
!:mime application/vnd.sqlite3
# db3-shm Acronis BackupAndRecovery F4CEEE47-042C-4828-95A0-DE44EC267A28.db3-shm
# dbx-shm probably Dropbox filecache.dbx-shm
# aup3-shm Audacity project tada.aup3-shm
# srd-shm Microsoft Windows StateRepository service StateRepository-Deployment.srd-shm StateRepository-Machine.srd-shm:
!:ext sqlite-shm/db-shm/db3-shm/dbx-shm/aup3-shm/srd-shm
# unused padding space; must be zero
>4 ulelong !0 \b, unused %x
# iChange; unsigned integer counter, incremented with each transaction
>8 ulelong x \b, counter %u
# isInit; the "isInit" flag; 1 when the shm file has been initialized
>12 ubyte !1 \b, not initialized %u
# bigEndCksum; true if the WAL file uses big-ending checksums; 0 if the WAL uses little-endian checksums
>13 ubyte !0 \b, checksum type %u
# szPage; database page size in bytes, or 1 if the page size is 65536
>14 uleshort !1 \b, page size %u
>14 uleshort =1 \b, page size 65536
# mxFrame; number of valid and committed frames in the WAL file
>16 ulelong x \b, %u frames
# nPage; size of the database file in pages
>20 ulelong x \b, %u pages
# aFrameCksum; checksum of the last frame in the WAL file
>24 ulelong x \b, frame checksum %#x
# aSalt; two salt value copied from the WAL file header in the byte-order of the WAL file; might be different from machine byte-order
>32 ulequad x \b, salt %#llx
# aCksum; checksum over bytes 0 through 39 of this header
>40 ulelong x \b, header checksum %#x
# a copy of bytes 0 through 47 of header
>48 ulelong !3007000 \b, iversion %u
# nBackfill; number of WAL frames that have already been backfilled into the database by prior checkpoints
>96 ulelong !0 \b, %u backfilled
# nBackfillAttempted; number of WAL frames that have attempted to be backfilled
>>128 ulelong x (%u attempts)
# read-mark[0..4]; five "read marks"; each read mark is a 32-bit unsigned integer
>100 ulelong !0 \b, read-mark[0] %#x
>104 ulelong x \b, read-mark[1] %#x
>108 ulelong !0xffffffff \b, read-mark[2] %#x
>112 ulelong !0xffffffff \b, read-mark[3] %#x
>116 ulelong !0xffffffff \b, read-mark[4] %#x
# unused space set aside for 8 file locks
>120 ulequad !0 \b, space %#llx
# unused space reserved for further expansion
>132 ulelong !0 \b, reserved %#x
# SQLite Rollback Journal # SQLite Rollback Journal
# https://www.sqlite.org/fileformat.html#rollbackjournal # https://www.sqlite.org/fileformat.html#rollbackjournal
@ -217,3 +280,9 @@
# H2 Database from https://www.h2database.com/ # H2 Database from https://www.h2database.com/
0 string --\ H2\ 0.5/B\ --\ \n H2 Database file 0 string --\ H2\ 0.5/B\ --\ \n H2 Database file
# DuckDB database file from https://duckdb.org
8 string DUCK DuckDB database file
>12 lequad x \b, version %lld
#>20 lequad x \b, flags %#llx
#>28 lequad x \b, flags %#llx

View file

@ -1,12 +1,15 @@
# Type: OpenSSH key files # Type: OpenSSH key files
# From: Nicolas Collignon <tsointsoin@gmail.com> # From: Nicolas Collignon <tsointsoin@gmail.com>
0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, 0 string SSH\040PRIVATE\040KEY OpenSSH RSA1 private key,
>28 string >\0 version %s >28 string >\0 version %s
0 string -----BEGIN\ OPENSSH\ PRIVATE\ KEY----- OpenSSH private key 0 string -----BEGIN\040OPENSSH\040PRIVATE\040KEY----- OpenSSH private key
# https://www.rfc-editor.org/rfc/rfc5958
0 string -----BEGIN\040PRIVATE\040KEY----- OpenSSH private key (no password)
0 string -----BEGIN\040ENCRYPTED\040PRIVATE\040KEY----- OpenSSH private key (with password)
0 string ssh-dss\ OpenSSH DSA public key 0 string ssh-dss\040 OpenSSH DSA public key
0 string ssh-rsa\ OpenSSH RSA public key 0 string ssh-rsa\040 OpenSSH RSA public key
0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key
0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key
0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: statistics,v 1.2 2020/10/08 17:51:53 christos Exp $ # $File: statistics,v 1.3 2022/03/24 15:48:58 christos Exp $
# statistics: file(1) magic for statistics related software # statistics: file(1) magic for statistics related software
# #
@ -42,4 +42,4 @@
# Example of those files can be found on Zenodo: # Example of those files can be found on Zenodo:
# https://zenodo.org/search?page=1&size=20&q=&file_type=dta # https://zenodo.org/search?page=1&size=20&q=&file_type=dta
0 string \<stata_dta\>\<header\>\<release\> Stata Data File 0 string \<stata_dta\>\<header\>\<release\> Stata Data File
>&0 regex [0-9]* (Release %s) >&0 regex [0-9]+ (Release %s)

View file

@ -1,20 +1,42 @@
#------------------------------------------------------------------------ #------------------------------------------------------------------------
# $File: sysex,v 1.10 2019/04/19 00:42:27 christos Exp $ # $File: sysex,v 1.12 2022/10/31 13:22:26 christos Exp $
# sysex: file(1) magic for MIDI sysex files # sysex: file(1) magic for MIDI sysex files
# #
# GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems
# where real SYStem EXclusive messages at offset 1 are limited to seven bits # where real SYStem EXclusive messages at offset 1 are limited to seven bits
# https://en.wikipedia.org/wiki/MIDI # https://en.wikipedia.org/wiki/MIDI
0 ubeshort&0xFF80 0xF000 SysEx File - # test for StartSysEx byte and upper unsed bit of vendor ID
0 ubeshort&0xFF80 0xF000
# MIDI System Exclusive (SysEx) messages (strength=50) after Microsoft Visual C library (strength=70)
#!:strength +0
# skip Microsoft Visual C library with page size 16 misidentified as ADA and
# page size 32 misidentified as Inventronics by looking for terminating End Of eXclusive byte (EOX)
>2 search/12 \xF7
>>0 use midi-sysex
# display information about MIDI System Exclusive (SysEx) messages
0 name midi-sysex
# https://fileinfo.com/extension/syx
>1 ubyte x MIDI audio System Exclusive (SysEx) message -
# Note: file (version 5.41) labeled the above entry as "SysEx File"
#!:mime application/octet-stream
!:mime audio/x-syx
# https://onsongapp.com/docs/features/formats/sysex
!:ext syx/sysex
# https://www.midi.org/specifications-old/item/manufacturer-id-numbers
# https://raw.githubusercontent.com/insolace/MIDI-Sysex-MFG-IDs/master/Sysex%20ID%20Tables/MIDI%20Sysex%20MFG%20IDs.csv
# SysEx manufacturer ID; originally one byte, but now 0 is used as an escapement to reach the next two
# North American Group # North American Group
>1 byte 0x01 Sequential #>1 byte 0x01 Sequential
>1 byte 0x01 Sequential Circuits
>1 byte 0x02 IDP >1 byte 0x02 IDP
>1 byte 0x03 OctavePlateau #>1 byte 0x03 OctavePlateau
>1 byte 0x03 Voyetra Turtle Beach
>1 byte 0x04 Moog >1 byte 0x04 Moog
>1 byte 0x05 Passport #>1 byte 0x05 Passport
>1 byte 0x06 Lexicon >1 byte 0x05 Passport Designs
#>1 byte 0x06 Lexicon
>1 byte 0x06 Lexicon Inc.
>1 byte 0x07 Kurzweil/Future Retro >1 byte 0x07 Kurzweil/Future Retro
>>3 byte 0x77 777 >>3 byte 0x77 777
>>4 byte 0x00 Bank >>4 byte 0x00 Bank
@ -38,12 +60,17 @@
>>5 byte 0x10 (ALL) >>5 byte 0x10 (ALL)
>>2 byte x \b, Channel %d >>2 byte x \b, Channel %d
>1 byte 0x08 Fender >1 byte 0x08 Fender
>1 byte 0x09 Gulbransen #>1 byte 0x09 Gulbransen
>1 byte 0x0a AKG >1 byte 0x09 MIDI9
#>1 byte 0x0a AKG
>1 byte 0x0a AKG Acoustics
>1 byte 0x0b Voyce >1 byte 0x0b Voyce
>1 byte 0x0c Waveframe >1 byte 0x0c Waveframe
>1 byte 0x0d ADA # not ADA programming language
>1 byte 0x0e Garfield #>1 byte 0x0d ADA
>1 byte 0x0d ADA Signal Processors Inc.
#>1 byte 0x0e Garfield
>1 byte 0x0e Garfield Electronics
>1 byte 0x0f Ensoniq >1 byte 0x0f Ensoniq
>1 byte 0x10 Oberheim >1 byte 0x10 Oberheim
>>2 byte 0x06 Matrix 6 series >>2 byte 0x06 Matrix 6 series
@ -59,7 +86,8 @@
>1 byte 0x16 Lowrey >1 byte 0x16 Lowrey
>1 byte 0x17 AdamsSmith >1 byte 0x17 AdamsSmith
>1 byte 0x18 E-mu >1 byte 0x18 E-mu
>1 byte 0x19 Harmony #>1 byte 0x19 Harmony
>1 byte 0x19 Harmony Systems
>1 byte 0x1a ART >1 byte 0x1a ART
>1 byte 0x1b Baldwin >1 byte 0x1b Baldwin
>1 byte 0x1c Eventide >1 byte 0x1c Eventide
@ -67,23 +95,28 @@
>1 byte 0x1f Clarity >1 byte 0x1f Clarity
# European Group # European Group
>1 byte 0x21 SIEL #>1 byte 0x21 SIEL
>1 byte 0x21 Proel Labs (SIEL)
>1 byte 0x22 Synthaxe >1 byte 0x22 Synthaxe
>1 byte 0x24 Hohner >1 byte 0x24 Hohner
>1 byte 0x25 Twister >1 byte 0x25 Twister
>1 byte 0x26 Solton #>1 byte 0x26 Solton
>1 byte 0x26 Ketron s.r.l.
>1 byte 0x27 Jellinghaus >1 byte 0x27 Jellinghaus
>1 byte 0x28 Southworth >1 byte 0x28 Southworth
>1 byte 0x29 PPG >1 byte 0x29 PPG
>1 byte 0x2a JEN >1 byte 0x2a JEN
>1 byte 0x2b SSL #>1 byte 0x2b SSL
>1 byte 0x2c AudioVertrieb >1 byte 0x2b Solid State Logic Organ Systems
#>1 byte 0x2c AudioVertrieb
>1 byte 0x2c Audio Veritrieb-P. Struven
>1 byte 0x2f ELKA >1 byte 0x2f ELKA
>>3 byte 0x09 EK-44 >>3 byte 0x09 EK-44
>1 byte 0x30 Dynacord >1 byte 0x30 Dynacord
>1 byte 0x31 Jomox #>1 byte 0x31 Jomox
>1 byte 0x31 Viscount International Spa
>1 byte 0x33 Clavia >1 byte 0x33 Clavia
>1 byte 0x39 Soundcraft >1 byte 0x39 Soundcraft
# Some Waldorf info from http://Stromeko.Synth.net/Downloads#WaldorfDocs # Some Waldorf info from http://Stromeko.Synth.net/Downloads#WaldorfDocs
@ -202,14 +235,16 @@
>1 byte 0x44 Casio >1 byte 0x44 Casio
>1 byte 0x46 Kamiya >1 byte 0x46 Kamiya
>1 byte 0x47 Akai >1 byte 0x47 Akai
>1 byte 0x48 Victor #>1 byte 0x48 Victor
>1 byte 0x48 Victor Company of Japan. Ltd.
>1 byte 0x49 Mesosha >1 byte 0x49 Mesosha
>1 byte 0x4b Fujitsu >1 byte 0x4b Fujitsu
>1 byte 0x4c Sony >1 byte 0x4c Sony
>1 byte 0x4e Teac >1 byte 0x4e Teac
>1 byte 0x50 Matsushita >1 byte 0x50 Matsushita
>1 byte 0x51 Fostex >1 byte 0x51 Fostex
>1 byte 0x52 Zoom #>1 byte 0x52 Zoom
>1 byte 0x52 Zoom Corporation
>1 byte 0x54 Matsushita >1 byte 0x54 Matsushita
>1 byte 0x57 Acoustic tech. lab. >1 byte 0x57 Acoustic tech. lab.
# https://www.midi.org/techspecs/manid.php # https://www.midi.org/techspecs/manid.php
@ -317,4 +352,78 @@
>1 belong&0xffffff00 0x00204700 Klavis Tech. >1 belong&0xffffff00 0x00204700 Klavis Tech.
>1 belong&0xffffff00 0x00204800 Noteheads AB >1 belong&0xffffff00 0x00204800 Noteheads AB
# Update: Joerg Jenderek; January 2022
>1 byte 0x00 ID EXTENSIONS
>1 byte 0x13 Digidesign Inc.
>1 byte 0x1e Key Concepts
>1 byte 0x20 Passac
>1 byte 0x23 Stepp
>1 byte 0x2d Neve
>1 byte 0x2e Soundtracs Ltd.
>1 byte 0x32 Drawmer
>1 byte 0x34 Audio Architecture
>1 byte 0x35 Generalmusic Corp SpA
>1 byte 0x36 Cheetah Marketing
>1 byte 0x37 C.T.M.
>1 byte 0x38 Simmons UK
>1 byte 0x3a Steinberg
>1 byte 0x3b Wersi GmbH
>1 byte 0x3c AVAB Niethammer AB
>1 byte 0x3d Digigram
>1 byte 0x3f Quasimidi
#
>1 byte 0x40 Kawai Musical Instruments MFG. CO. Ltd
#>1 byte 0x45 foo
#>1 byte 0x4a foo
#>1 byte 0x4d foo
#>1 byte 0x4f foo
#>1 byte 0x53 foo
>1 byte 0x55 Suzuki Musical Instruments MFG. Co. Ltd.
>1 byte 0x56 Fuji Sound Corporation Ltd.
#>1 byte 0x58 foo
>1 byte 0x59 Faith. Inc.
>1 byte 0x5a Internet Corporation
#>1 byte 0x5b foo
>1 byte 0x5c Seekers Co. Ltd.
#>1 byte 0x5d foo
#>1 byte 0x5e foo
>1 byte 0x5f SD Card Association
# Reserved for other uses for 60H to 7FH
# URL: https://www.philscomputerlab.com/roland-midi-emulator-project-20.html
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/syx--midiemu.trid.xml
# Note: called by TrID "MIDI Emulator Project SysEx preset command"
>1 byte 0x66 MIDI Emulator
# https://electronicmusic.fandom.com/wiki/List_of_MIDI_Manufacturer_IDs
# Educational, prototyping, test, private use and experimentation
>1 byte 0x7D PROTOTYPING
# universal non-real-time (sample dump, tuning table, etc.)
>1 byte 0x7E UNIVERSAL
# universal real time (MIDI time code, MIDI Machine control, etc.)
>1 byte 0x7F universal real time
# display information about End Of eXclusive byte (EOX=F7)
#>2 ubyte 0xF7 \b, at 2 EOX
#>3 ubyte 0xF7 \b, at 3 EOX
# https://tttapa.github.io/Control-Surface-doc/new-input/Doxygen/d2/d93/SysEx-Send-Receive_8ino-example.html
>4 ubyte 0xF7 \b, at 4 EOX
# http://www.1manband.nl/tutorials2/sysex.htm
>5 ubyte 0xF7 \b, at 5 EOX
# http://www.somascape.org/midi/tech/mfile.html#sysex
>6 ubyte 0xF7 \b, at 6 EOX
#
>7 ubyte 0xF7 \b, at 7 EOX
# https://webmidijs.org/forum/discussion/34/how-to-send-or-receive-system-exclusive-messages
>8 ubyte 0xF7 \b, at 8 EOX
#
>9 ubyte 0xF7 \b, at 9 EOX
# https://www.chd-el.cz/wp-content/uploads/845010_syxcom.pdf
>10 ubyte 0xF7 \b, at 10 EOX
# https://stackoverflow.com/questions/52906076/handling-midi-the-input-of-multiple-system-exclusive-messages-in-vb
>11 ubyte 0xF7 \b, at 11 EOX
# https://www.2writers.com/eddie/TutSysEx.htm
>12 ubyte 0xF7 \b, at 12 EOX
>13 ubyte 0xF7 \b, at 13 EOX
# http://www.chromakinetics.com/handsonic/rolSysEx.htm
>14 ubyte 0xF7 \b, at 14 EOX
#>15 ubyte 0xF7 \b, at 15 EOX
0 string T707 Roland TR-707 Data 0 string T707 Roland TR-707 Data

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: terminfo,v 1.12 2021/02/23 00:51:10 christos Exp $ # $File: terminfo,v 1.13 2022/11/21 22:25:37 christos Exp $
# terminfo: file(1) magic for terminfo # terminfo: file(1) magic for terminfo
# #
# URL: https://invisible-island.net/ncurses/man/term.5.html # URL: https://invisible-island.net/ncurses/man/term.5.html
@ -37,6 +37,7 @@
# AIX and HPUX use the SVr4 big-endian format # AIX and HPUX use the SVr4 big-endian format
# Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) # Solaris uses the SVr3 formats (sparc and x86 differ endian-ness)
0 beshort 0433 SVr2 curses screen image, big-endian 0 beshort 0433 SVr2 curses screen image, big-endian
# GRR: line below too general as it catches Commodore C128 program (crc32.prg XLINK.PRG) with start address 1C01h handled by ./c64
0 beshort 0434 SVr3 curses screen image, big-endian 0 beshort 0434 SVr3 curses screen image, big-endian
0 beshort 0435 SVr4 curses screen image, big-endian 0 beshort 0435 SVr4 curses screen image, big-endian
# #

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: tex,v 1.21 2019/04/19 00:42:27 christos Exp $ # $File: tex,v 1.22 2022/12/21 16:50:04 christos Exp $
# tex: file(1) magic for TeX files # tex: file(1) magic for TeX files
# #
# XXX - needs byte-endian stuff (big-endian and little-endian DVI?) # XXX - needs byte-endian stuff (big-endian and little-endian DVI?)
@ -10,13 +10,15 @@
# Although we may know the offset of certain text fields in TeX DVI # Although we may know the offset of certain text fields in TeX DVI
# and font files, we can't use them reliably because they are not # and font files, we can't use them reliably because they are not
# zero terminated. [but we do anyway, christos] # zero terminated. [but we do anyway, christos]
0 string \367\002 TeX DVI file 0 string \367\002
>(14.b+15) string \213
>>14 pstring >\0 TeX DVI file (%s)
!:mime application/x-dvi !:mime application/x-dvi
>16 string >\0 (%s)
0 string \367\203 TeX generic font data 0 string \367\203 TeX generic font data
0 string \367\131 TeX packed font data 0 string \367\131 TeX packed font data
>3 string >\0 (%s) >3 string >\0 (%s)
0 string \367\312 TeX virtual font data 0 string \367\312
>(2.b+11) string \363 TeX virtual font data
0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ TeX, TeX transcript text
0 search/1 This\ is\ METAFONT, METAFONT transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text

View file

@ -1,25 +1,32 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: tplink,v 1.7 2021/04/26 15:56:00 christos Exp $ # $File: tplink,v 1.8 2023/05/15 16:41:02 christos Exp $
# tplink: File magic for openwrt firmware files # tplink: File magic for openwrt firmware files
# URL: https://wiki.openwrt.org/doc/techref/header # URL: https://wiki.openwrt.org/doc/techref/header
# Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c
# http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml
# Note: called "TP-Link router firmware (v1)" by TrID
# From: Joerg Jenderek # From: Joerg Jenderek
# check for valid header version 1 or 2 # check for valid header version 1 or 2
0 ulelong <3 0 ulelong <3
>0 ulelong !0 >0 ulelong !0
# test for header padding with nulls # test for header padding with nulls
>>0x100 long 0 >>0x100 long 0
# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor # skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor name
>>>4 ubelong >0x1F000000 >>>4 ubelong >0x1F000000
# skip user.dbt by looking for positive hardware id # skip user.dbt by looking for positive hardware id
>>>>0x40 ubeshort >0 >>>>0x40 ubeshort >0
>>>>>0 use firmware-tplink # skip cversions.1.db cversions.2.db cversions.3.db inside
# c:\ProgramData\Microsoft\Windows\Caches
# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0
>>>>>5 short !0
>>>>>>0 use firmware-tplink
0 name firmware-tplink 0 name firmware-tplink
>0 ubyte x firmware >0 ubyte x firmware
!:mime application/x-tplink-bin !:mime application/x-tplink-bin
# like: TL-WR1043ND-V1-FW0.0.3-stripped.bin gluon-ffrefugee-0.9.2-tp-link-archer-c5-v1-sysupgrade.bin
!:ext bin !:ext bin
# hardware id like 10430001 07410001 09410004 09410006 # hardware id like 10430001 07410001 09410004 09410006
>0x40 ubeshort x %x >0x40 ubeshort x %x

View file

@ -1,24 +1,30 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: troff,v 1.13 2020/05/30 23:12:34 christos Exp $ # $File: troff,v 1.14 2023/06/01 16:00:46 christos Exp $
# troff: file(1) magic for *roff # troff: file(1) magic for *roff
# #
# updated by Daniel Quinlan (quinlan@yggdrasil.com) # updated by Daniel Quinlan (quinlan@yggdrasil.com)
# troff input # troff input
0 search/1 .\\" troff or preprocessor input text 0 search/1 .\\" troff or preprocessor input text
!:strength +12
!:mime text/troff !:mime text/troff
0 search/1 '\\" troff or preprocessor input text 0 search/1 '\\" troff or preprocessor input text
!:strength +12
!:mime text/troff !:mime text/troff
0 search/1 '.\\" troff or preprocessor input text 0 search/1 '.\\" troff or preprocessor input text
!:strength +12
!:mime text/troff !:mime text/troff
0 search/1 \\" troff or preprocessor input text 0 search/1 \\" troff or preprocessor input text
!:strength +12
!:mime text/troff !:mime text/troff
#0 search/1 ''' troff or preprocessor input text #0 search/1 ''' troff or preprocessor input text
#!:mime text/troff #!:mime text/troff
0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text
!:strength +12
!:mime text/troff !:mime text/troff
0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text
!:strength +12
!:mime text/troff !:mime text/troff
# ditroff intermediate output text # ditroff intermediate output text

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ # $File: uterus,v 1.4 2022/10/31 13:22:26 christos Exp $
# file(1) magic for uterus files # file(1) magic for uterus files
# http://freecode.com/projects/uterus # http://freecode.com/projects/uterus
# #
@ -11,6 +11,6 @@
>7 byte x \b%c >7 byte x \b%c
>8 string \<\> \b, big-endian >8 string \<\> \b, big-endian
>>16 belong >0 \b, slut size %u >>16 belong >0 \b, slut size %u
>8 string \>\< \b, litte-endian >8 string \>\< \b, little-endian
>>16 lelong >0 \b, slut size %u >>16 lelong >0 \b, slut size %u
>10 byte &8 \b, compressed >10 byte &8 \b, compressed

View file

@ -1,16 +1,18 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: uuencode,v 1.8 2019/12/14 20:40:26 christos Exp $ # $File: uuencode,v 1.9 2021/11/13 17:48:10 christos Exp $
# uuencode: file(1) magic for ASCII-encoded files # uuencode: file(1) magic for ASCII-encoded files
# #
# GRR: the first line of xxencoded files is identical to that in uuencoded # The first line of xxencoded files is identical to that in uuencoded files,
# files, but the first character in most subsequent lines is 'h' instead of # but the first character in most subsequent lines is 'h' instead of 'M'.
# 'M'. (xxencoding uses lowercase letters in place of most of uuencode's # (xxencoding uses lowercase letters in place of most of uuencode's
# punctuation and survives BITNET gateways better.) If regular expressions # punctuation and survives BITNET gateways better.)
# were supported, this entry could possibly be split into two with 0 regex/1024 \^begin\040[0-7]{3}\040
# "begin\040\.\*\012M" or "begin\040\.\*\012h" (where \. and \* are REs). >&0 regex/256 [\012\015]+M[\040-\140]{60}[\012\015]+ uuencoded text
0 search/1 begin\ uuencoded or xxencoded text >&0 regex/256 [\012\015]+h[0-9A-Za-z\053\055]{60}[\012\015]+ xxencoded text
>&0 default x uuencoded or xxencoded text
>&0 string >\0 \b, file name "%s"
# btoa(1) is an alternative to uuencode that requires less space. # btoa(1) is an alternative to uuencode that requires less space.
0 search/1 xbtoa\ Begin btoa'd text 0 search/1 xbtoa\ Begin btoa'd text

View file

@ -1,59 +1,21 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: varied.script,v 1.13 2019/10/11 14:35:29 christos Exp $ # $File: varied.script,v 1.15 2022/10/18 13:01:30 christos Exp $
# varied.script: file(1) magic for various interpreter scripts # varied.script: file(1) magic for various interpreter scripts
0 string/t #!\ / a 0 string/wt #!\ a
>3 string >\0 %s script text executable >&-1 string/T x %s script text executable
!:strength / 2 !:strength / 3
0 string/b #!\ / a 0 string/wb #!\ a
>3 string >\0 %s script executable (binary data) >&-1 string/T x %s script executable (binary data)
!:strength / 2 !:strength / 3
0 string/t #!\t/ a
>3 string >\0 %s script text executable
!:strength / 2
0 string/b #!\t/ a
>3 string >\0 %s script executable (binary data)
!:strength / 2
0 string/t #!/ a
>2 string >\0 %s script text executable
!:strength / 2
0 string/b #!/ a
>2 string >\0 %s script executable (binary data)
!:strength / 2
0 string/t #!\ script text executable
>3 string >\0 for %s
!:strength / 2
0 string/b #!\ script executable
>3 string >\0 for %s (binary data)
!:strength / 2
# using env # using env
0 string/t #!/usr/bin/env a 0 string/wt #!\ /usr/bin/env a
>15 string/t >\0 %s script text executable >15 string/T >\0 %s script text executable
!:strength / 10 !:strength / 6
0 string/b #!/usr/bin/env a 0 string/wb #!\ /usr/bin/env a
>15 string/b >\0 %s script executable (binary data) >15 string/T >\0 %s script executable (binary data)
!:strength / 10 !:strength / 6
0 string/t #!\ /usr/bin/env a
>16 string/t >\0 %s script text executable
!:strength / 10
0 string/b #!\ /usr/bin/env a
>16 string/b >\0 %s script executable (binary data)
!:strength / 10
# From: arno <arenevier@fdn.fr>
# mozilla xpconnect typelib
# see https://www.mozilla.org/scriptable/typelib_file.html
0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib
>0x10 byte x version %d
>>0x11 byte x \b.%d

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: virtual,v 1.14 2021/04/26 15:56:00 christos Exp $ # $File: virtual,v 1.17 2022/08/23 08:00:54 christos Exp $
# From: James Nobis <quel@quelrod.net> # From: James Nobis <quel@quelrod.net>
# Microsoft hard disk images for: # Microsoft hard disk images for:
# Virtual Server # Virtual Server
@ -9,10 +9,10 @@
# URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk) # URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk)
# Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/ # Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/
# Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc # Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc
0 string connectix Microsoft Disk Image, Virtual Server or Virtual PC 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC
# alternative shorter names # alternative shorter names
#0 string connectix Microsoft Virtual Hard Disk image #0 string conectix Microsoft Virtual Hard Disk image
#0 string connectix Microsoft Virtual HD image #0 string conectix Microsoft Virtual HD image
!:mime application/x-virtualbox-vhd !:mime application/x-virtualbox-vhd
!:ext vhd !:ext vhd
# Features is a bit field used to indicate specific feature support # Features is a bit field used to indicate specific feature support
@ -219,7 +219,8 @@
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) # Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error # Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files # on existing QCOW files
0 string/b QFI\xFB 0 string/b QFI\xFB QEMU QCOW Image
!:mime application/x-qemu-disk
# Uncomment the following line to display Magic (only used for debugging # Uncomment the following line to display Magic (only used for debugging
# this magic number) # this magic number)
@ -227,8 +228,7 @@
# There are currently 2 Versions: "1" and "2". # There are currently 2 Versions: "1" and "2".
# https://www.gnome.org/~markmc/qcow-image-format-version-1.html # https://www.gnome.org/~markmc/qcow-image-format-version-1.html
>4 belong !1 QEMU QCOW2 Image >4 belong x (v%d)
>4 belong 1 QEMU QCOW Image (v1)
# Using the existence of the Backing File Offset to determine whether # Using the existence of the Backing File Offset to determine whether
# to read Backing File Information # to read Backing File Information

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: web,v 1.1 2020/05/17 19:14:28 christos Exp $ # $File: web,v 1.2 2022/10/29 16:02:37 christos Exp $
# http://www.rdfhdt.org/ # http://www.rdfhdt.org/
# From Christoph Biedl # From Christoph Biedl
@ -10,3 +10,9 @@
0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1 0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1
!:mime application/vnd.hdt !:mime application/vnd.hdt
!:ext hdt !:ext hdt
0 string [Adblock\040Plus Adblock Plus
>&1 regex [0-9.]+ %s
>1 string x rules file
>10 search/100 Version:
>>&1 regex [0-9]+ \b, version %s

View file

@ -1,5 +1,5 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: webassembly,v 1.3 2019/04/19 00:42:27 christos Exp $ # $File: webassembly,v 1.4 2022/08/16 11:16:39 christos Exp $
# webassembly: file(1) magic for WebAssembly modules # webassembly: file(1) magic for WebAssembly modules
# #
# WebAssembly is a virtual architecture developed by a W3C Community # WebAssembly is a virtual architecture developed by a W3C Community
@ -12,4 +12,6 @@
0 string \0asm WebAssembly (wasm) binary module 0 string \0asm WebAssembly (wasm) binary module
>4 lelong =1 version %#x (MVP) >4 lelong =1 version %#x (MVP)
!:mime application/wasm
!:ext wasm
>4 lelong >1 version %#x >4 lelong >1 version %#x

File diff suppressed because it is too large Load diff

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: wordprocessors,v 1.26 2021/08/21 12:45:34 christos Exp $ # $File: wordprocessors,v 1.34 2023/01/24 20:13:40 christos Exp $
# wordprocessors: file(1) magic fo word processors. # wordprocessors: file(1) magic fo word processors.
# #
####### PWP file format used on Smith Corona Personal Word Processors: ####### PWP file format used on Smith Corona Personal Word Processors:
@ -28,35 +28,170 @@
!:ext wps !:ext wps
# Corel/WordPerfect # Corel/WordPerfect
# URL: https://en.wikipedia.org/wiki/WordPerfect
# Reference: https://github.com/OneWingedShark/WordPerfect/blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm
# http://mark0.net/download/triddefs_xml.7z/defs/w/wp-generic.trid.xml
0 string \xffWPC 0 string \xffWPC
# WordPerfect # WordPerfect
>8 byte 1 >8 byte 1
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpm-macro.trid.xml
# Note: there exist other macro variants
>>9 byte 1 WordPerfect macro >>9 byte 1 WordPerfect macro
#!:mime application/octet-stream
!:mime application/x-wordperfect-wpm
# like: ALTD.WPM ENDFOOT.WPM FOOTEND.WPM LABELS.WPM REVEALTX.WPM
!:ext wpm
# Note: used in WordPerfect 5.1; there exist other FIL variants
>>9 byte 2 WordPerfect help file >>9 byte 2 WordPerfect help file
#!:mime application/octet-stream
!:mime application/x-wordperfect-help
# like: WPHELP.FIL
!:ext fil
# pointer to document area like: 10h
>>>4 ulelong !0x10 \b, at %#x document area
>>9 byte 3 WordPerfect keyboard file >>9 byte 3 WordPerfect keyboard file
#!:mime application/octet-stream
!:mime application/x-wordperfect-keyboard
!:ext wpk
# no document area, so point to end of file; so this is file size like: 23381 2978 32835 3355 3775 919
>>>4 ulelong x \b, %u bytes
>>9 byte 4 WordPerfect VAX keyboard definition
#!:mime application/octet-stream
!:mime application/x-wordperfect-keyboard
#!:ext foo
# URL: http://fileformats.archiveteam.org/wiki/WordPerfect
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpd-doc-gen.trid.xml
>>9 byte 10 WordPerfect document >>9 byte 10 WordPerfect document
# https://www.iana.org/assignments/media-types/application/vnd.wordperfect
!:mime application/vnd.wordperfect
#!:apple ????WPC2
# TODO: distinguish different suffix
!:ext wpd/wpt/wkb/icr/tut/sty/tst/crs
>>9 byte 11 WordPerfect dictionary >>9 byte 11 WordPerfect dictionary
>>9 byte 12 WordPerfect thesaurus >>9 byte 12 WordPerfect thesaurus
>>9 byte 13 WordPerfect block >>9 byte 13 WordPerfect block
>>9 byte 14 WordPerfect rectangular block >>9 byte 14 WordPerfect rectangular block
>>9 byte 15 WordPerfect column block >>9 byte 15 WordPerfect column block
>>9 byte 16 WordPerfect printer data >>9 byte 16 WordPerfect printer data
#!:mime application/octet-stream
!:mime application/x-wordperfect-prs
# like: STANDARD.PRS WORKBOOK.PRS
!:ext prs
# like: "Standard Printer" "Workbook Printer"
>>>0x64 pstring/B >A "%s"
#>>9 byte 18 WordPerfect Prefix information file
# printer resource .ALL
>>9 byte 19 WordPerfect printer data >>9 byte 19 WordPerfect printer data
#!:mime application/octet-stream
!:mime application/x-wordperfect-all
!:ext all
# display Resource
>>9 byte 20 WordPerfect driver resource data >>9 byte 20 WordPerfect driver resource data
#!:mime application/octet-stream
!:mime application/x-wordperfect-drs
# like: WPSMALL.DRS
!:ext drs
# pointer to index area with string "smalldrs" like: 46h
>>>4 uleshort !0x46 \b, at %#x index area
>>9 byte 21 WordPerfect Overlay file
#!:mime application/octet-stream
!:mime application/x-wordperfect-fil
# like: WP.FIL
!:ext fil
# URL: http://fileformats.archiveteam.org/wiki/WordPerfect_Graphics
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wpg.trid.xml
# Note: called "WordPerfect Graphics bitmap" by TrID and
# "WordPerfect Graphics Metafile" by DROID via x-fmt/395 fmt/1042
# "WPG (Word Perfect Graphics)" by ImageMagick `identify -verbose BUTTRFLY.WPG`
>>9 byte 22 WordPerfect graphic image >>9 byte 22 WordPerfect graphic image
# TODO: skip DROID x-fmt-395-signature-id-132.wpg by check for existing document area
#>>>4 ulelong >15 WordPerfect_graphic_OK
#!:mime application/octet-stream
# http://extension.nirsoft.net/wpg
!:mime image/x-wordperfect-graphics
# https://reposcope.com/mimetype/application/x-wpg
#!:mime application/x-wpg
# like: BUTTRFLY.WPG STAR-5.WPG input.wpg WORDPFCT.WPG
!:ext wpg
# pointer to document area like: 10h 1Ah
>>>4 ulelong !0x1A \b, at %#x document area
>>9 byte 23 WordPerfect hyphenation code >>9 byte 23 WordPerfect hyphenation code
>>9 byte 24 WordPerfect hyphenation data >>9 byte 24 WordPerfect hyphenation data
>>9 byte 25 WordPerfect macro resource data >>9 byte 25 WordPerfect macro resource data
#!:mime application/octet-stream
!:mime application/x-wordperfect-mrs
# like: WP.MRS
!:ext mrs
>>9 byte 27 WordPerfect hyphenation lex >>9 byte 27 WordPerfect hyphenation lex
>>9 byte 29 WordPerfect wordlist >>9 byte 29 WordPerfect wordlist
>>9 byte 30 WordPerfect equation resource data >>9 byte 30 WordPerfect equation resource data
#!:mime application/octet-stream
!:mime application/x-wordperfect-qrs
# like: WQ.QRS wpDE.qrs wpen.qrs
!:ext qrs
# jump to document area with some marker and equation
>>>(4.l) ubyte x
# equation like: "Fraction: x OVER y"
>>>>&1 string >A (...%-.19s...)
# pointer to document area like: 17C4h
>>>4 ulelong x \b, at %#x document area
#>>9 byte 31 reserved
#>>9 byte 32 WordPerfect VAX .SET
>>9 byte 33 WordPerfect spell rules >>9 byte 33 WordPerfect spell rules
>>9 byte 34 WordPerfect dictionary rules >>9 byte 34 WordPerfect dictionary rules
#>>9 byte 35 reserved
# video resource device driver
# Note: filetype 26 for VRS and filetype 36 for WPD apparently is wrong
>>9 byte 36 WordPerfect Video Resource
#!:mime application/octet-stream
!:mime application/x-wordperfect-vrs
# like: STANDARD.VRS
!:ext vrs
# like: "IBM CGA (& compatibles)"
>>>0x20 string >A "%.23s"
>>9 byte 39 WordPerfect spell rules (Microlytics) >>9 byte 39 WordPerfect spell rules (Microlytics)
#>>9 byte 40 reserved
>>9 byte 41 WordPerfect Install options
#!:mime application/octet-stream
!:mime application/x-wordperfect-ins
# like: WP51.INS
!:ext ins
# probably default directory name like: "C:\WP51\"
>>>0x12 string >A "%.8s"
# maybe mouse driver for WP5.1
>>9 byte 42 WordPerfect Resource
#!:mime application/octet-stream
!:mime application/x-wordperfect-irs
# like: STANDARD.IRS
!:ext irs
# like: "Mouse Driver (MOUSE.COM)"
>>>0x28 string >A "%.24s"
>>9 byte 43 WordPerfect settings file >>9 byte 43 WordPerfect settings file
# maybe Macintosh WP2.0 document
>>9 byte 44 WordPerfect 3.5 document >>9 byte 44 WordPerfect 3.5 document
!:mime application/vnd.wordperfect
!:apple ????WPD3
# like: WP3.wpd
!:ext wpd
>>9 byte 45 WordPerfect 4.2 document >>9 byte 45 WordPerfect 4.2 document
# External spell code module (WP5.1)
#>>9 byte 46 WordPerfect external spell
# external spell dictionary .LEX
#>>9 byte 47 WordPerfect external spell dictionary
# Macintosh SOFT graphics file (SOFT (Sequential Object Format)
#>>9 byte 48 WordPerfect SOFT graphics
#>>9 byte 49 reserved
#>>9 byte 50 reserved
# WPWin 5.1 Application Resource Library added for WPWin 5.1
#>>9 byte 51 WordPerfect application resource library
>>9 byte 69 WordPerfect dialog file >>9 byte 69 WordPerfect dialog file
# From: Joerg Jenderek
# Note: found in sub directory WritingTools inside WordPerfect 2021 program directory
>>9 byte 70 WordPerfect Writing Tools
#!:mime application/octet-stream
!:mime application/x-wordperfect-cbt
# like: Wt13cbede.cbt Wt13cbeit.cbt Wt13cbefr.cbt WT21cbede.cbt Wt13cbeEN.CBD WT21cbeEN.CBD
!:ext cbd/cbt
>>9 byte 76 WordPerfect button bar >>9 byte 76 WordPerfect button bar
>>9 default x >>9 default x
>>>9 byte x Corel WordPerfect: Unknown filetype %d >>>9 byte x Corel WordPerfect: Unknown filetype %d
@ -153,7 +288,65 @@
>>9 default x >>9 default x
>>>9 byte x Corel WordPerfect Office: Unknown filetype %d >>>9 byte x Corel WordPerfect Office: Unknown filetype %d
# Corel DrawPerfect # Corel DrawPerfect
# URL: http://fileformats.archiveteam.org/wiki/Corel_Presentations
# Update: Joerg Jenderek
>8 byte 15 >8 byte 15
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-2.trid.xml
# Note: called "WordPerfect Presentations (v2)" by TrID and
# "Corel Presentation" with version "7-8-9" by DROID via PUID fmt/877
>>9 byte 10 WordPerfect Presentation
#!:mime application/octet-stream
#!:mime application/vnd.wordperfect
!:mime application/x-drawperfect-shw
# like: BENEFITS.SHW chartbar.shw chartbul.shw chartgal.shw chartorg.shw fig-demo.shw figurgal.shw mastrgal.shw scuba.shw tutorial.shw
!:ext shw
# pointer to document area like: 10h
>>>4 ulelong !0x10 \b, at %#x document area
# according to TrID this is nil
>>>12 ulelong !0 \b, at 0xC %#x
# search for embedded WP file like in tutorial.shw
#>>>16 search/638/sb \xffWPC WPC_MAGIC_FOUND
# GRR: indirect call leads to recursion! WHY?
#>>>>&0 indirect x \b; contains
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-3.trid.xml
# Note: called "WordPerfect/Corel Presentations (v3)" by TrID and
# "Corel Presentation" with version "3" by DROID via PUID fmt/878
>>9 byte 15 Corel Presentation
#!:mime application/octet-stream
#!:mime application/vnd.wordperfect
!:mime application/x-drawperfect-shw
# like: FIG_ANIM.SHW presenta.shw
!:ext shw
# pointer to document area like: 1ah
>>>4 ulelong !0x1a \b, at %#x document area
# according to TrID this is nil
>>>12 ulelong !0 \b, at 0xC %#x
# reserved like: 3
>>>16 ulelong !0x3 \b, at 0x10 %#x
# file size, not including pad characters at EOF
>>>0x14 ulelong x \b, %u bytes
# search for embedded WP file like in foo
#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND
# GRR: indirect call leads to recursion! WHY?
#>>>>&0 indirect x \b; contains
# embedded inside Compound Document variant handled by ./ole2compounddocs
>>9 byte 16 Corel Presentation (embeded)
#!:mime application/octet-stream
#!:mime application/vnd.wordperfect
!:mime application/x-corelpresentations
# like: PerfectOffice_MAIN
!:ext /
# pointer to document area like: 1ah
>>>4 ulelong !0x1a \b, at %#x document area
>>>12 ulelong !0 \b, at 0xC %#x
# reserved like: 3
>>>16 ulelong !0x3 \b, at 0x10 %#x
# file size, not including pad characters at EOF
>>>0x14 ulelong x \b, %u bytes
# search for embedded WP file
#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND
# GRR: indirect call leads to recursion! WHY?
#>>>>&0 indirect x \b; contains
>>9 default x >>9 default x
>>>9 byte x Corel DrawPerfect: Unknown filetype %d >>>9 byte x Corel DrawPerfect: Unknown filetype %d
# Corel LetterPerfect # Corel LetterPerfect
@ -196,21 +389,64 @@
>>9 byte 24 GroupWise admin ADS deferment data file >>9 byte 24 GroupWise admin ADS deferment data file
>>9 default x >>9 default x
>>>9 byte x GroupWise: Unknown filetype %d >>>9 byte x GroupWise: Unknown filetype %d
# Corel Writing Tools WT*.*
# From: Joerg Jenderek
# URL: https://support.corel.com/hc/en-us/articles/215876258-Writing-Tools-Spell-Check-Dictionary-does-not-work-in-WordPerfect-X5
# http://wordperfect.helpmax.net/en/editing-and-formatting-documents/using-the-writing-tools/working-with-user-word-lists/
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/u/uwl-wp.trid.xml
>8 byte 32
>>9 byte 10 Corel Writing Tools User Word List
#!:mime application/octet-stream
!:mime application/x-wordperfect-wordlist
# personal user word list UWL under user directory like: WTDE.UWL WTUS.UWL WT21DE.UWL WT21US.UWL WT13DE.UWL ...
# and "template" SAV/HWL variant under program directory like: wt13en.hwl Wt13de.sav Wt13it.sav wt13ru.sav WT21us.sav Wtcz.sav ...
!:ext uwl/hwl/sav
# jump to document area with some marker and word list
>>>(4.l) ubyte x
# look for beginning of word list starting mostly with letter a as UTF-16 like: Wt13es.sav
# but not found in russian wt13ru.sav
>>>>&0 search/91/sb a\0
# word list starting like: "acsesory\022accessory.\001\026acomodate\026accommodate4\001"
>>>>>&0 lestring16 x (...%-.33s...)
# pointer to document area like: 200h
>>>4 ulelong !0x200 \b, at %#x document area
# file size, not including pad characters at EOF
>>>0x14 uleshort x \b, %u bytes
# IntelliTAG # IntelliTAG
>8 byte 33 >8 byte 33
>>9 byte 10 IntelliTAG (SGML) compiled DTD >>9 byte 10 IntelliTAG (SGML) compiled DTD
>>9 default x >>9 default x
>>>9 byte x IntelliTAG: Unknown filetype %d >>>9 byte x IntelliTAG: Unknown filetype %d
# Summary: Corel WordPerfect WritingTools advise part
# From: Joerg Jenderek
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adv-wp.trid.xml
>8 byte 34
>>9 byte 11 Corel WordPerfect dictionary advise
#!:mime application/octet-stream
!:mime application/x-wordperfect-adv
#!:mime application/vnd.wordperfect.adv
# like: WT21de.adv Wt13de.adv Wt13es.adv Wt13fr.adv wt13us.adv
!:ext adv
# advise text part often start with tag like: 580A
#>>>(16.s) ubequad x ADVISE PART %#llx
# part of advise text like: "This is too informal for most writing."
>>>(16.s+16) string x (...%-.33s...)
# everything else # everything else
>8 default x >8 default x
>>8 byte x Unknown Corel/Wordperfect product %d, >>8 byte x Unknown Corel/Wordperfect product %d,
>>>9 byte x file type %d >>>9 byte x file type %d
>10 byte 0 \b, v5. >10 byte 0 \b, v5.
# version of WP file; 2.1~WP 8.0
# major version of WP file like: 1 2
>10 byte !0 \b, v%d. >10 byte !0 \b, v%d.
# minor version of WP file like: 0 1
>11 byte x \b%d >11 byte x \b%d
# Hangul (Korean) Word Processor File # Hancom HWP (Hangul Word Processor)
0 string HWP\ Document\ File Hangul (Korean) Word Processor File 3.0 # Hangul Word Processor 3.0 through 97 used HWP 3.0 format.
# URL: https://www.hancom.com/etc/hwpDownload.do
0 string HWP\ Document\ File Hancom HWP (Hangul Word Processor) file, version 3.0
!:ext hwp
# CosmicBook, from Benoit Rouits # CosmicBook, from Benoit Rouits
0 string CSBK Ted Neslson's CosmicBook hypertext file 0 string CSBK Ted Neslson's CosmicBook hypertext file
@ -229,6 +465,68 @@
!:mime application/x-quark-xpress-3 !:mime application/x-quark-xpress-3
2 string MMXPRa Motorola Quark Express Document (Korean) 2 string MMXPRa Motorola Quark Express Document (Korean)
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/PageMaker
# https://en.wikipedia.org/wiki/Adobe_PageMaker
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p
# pm4-pagemaker.trid.xml
# pm5-pagemaker.trid.xml
# Note: since version 6 in 1995 called Adobe PageMaker and
# embedded in Compound Document handled by ./ole2compounddocs
# mainly tested little endian variant
4 ubelong =0x0000FF99
>0 use PageMaker
# big endian variant
4 ubelong =0x000099FF
>0 use \^PageMaker
# display information of Aldus/Adobe PageMaker document/publication
0 name PageMaker
>110 uleshort <0x0600 Aldus
>110 uleshort >0x05FF Adobe
>110 uleshort x PageMaker
# "MP" marker for newer version 4 and above according to TrID
#>108 string x \b, MARKER "%.2s"
# http://www.nationalarchives.gov.uk/pronom/fmt/876
!:mime application/vnd.pagemaker
#!:mime application/x-pagemaker
# different file name extensions are used depending on version
# older version like 3
>110 uleshort/256 =0 document
# https://www.macdisk.com/macsigen.php
!:apple ALB3ALD3
# PT3 for template and no example for PageMaker document/publication with PM3 extension
!:ext pm3/pt3
>110 uleshort/256 =4 document
!:apple ALD4ALB4
# no example for PT4 template
!:ext pm4/pt4
>110 uleshort/256 =5 document
!:apple ALD5ALB5
# no example for PT5 template
!:ext pm5/pt5
>110 uleshort =0x0600 document
!:apple ALD6ALB6
# PT6 for template
!:ext pm6/pt6
# HOWTO to distinguish version 7 from 6.5 ?
>110 uleshort =0x0632 document
!:apple AD65AB65
# no example for T65 template
!:ext p65/t65/pmd/pmt
# version 7 with PMT extension for template
#!:ext pmd/pmt
#!:apple ????PUBF
# endian marker FF 99 for little endian
>6 ubyte =0xFF \b, little-endian
>6 ubyte =0x99 \b, big-endian
# newer numeric version like: 4 5 6 6.50
#>110 uleshort x \b, VERSION=%#x
>110 uleshort >0x03FF
>>110 uleshort/256 x \b, version %u
>>110 uleshort%256 >0 \b.%u
# older version like 3
>110 uleshort <0x0400 \b, maybe version 3
# adobe indesign (document, whatever...) from querkan # adobe indesign (document, whatever...) from querkan
0 belong 0x0606edf5 Adobe InDesign 0 belong 0x0606edf5 Adobe InDesign
>16 string DOCUMENT Document >16 string DOCUMENT Document

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: xenix,v 1.14 2021/04/26 15:56:00 christos Exp $ # $File: xenix,v 1.15 2022/10/19 20:15:16 christos Exp $
# xenix: file(1) magic for Microsoft Xenix # xenix: file(1) magic for Microsoft Xenix
# #
# "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small
@ -28,20 +28,23 @@
# skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length
>>>3 ubyte >0 >>>3 ubyte >0
# skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type # skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type
>>>>(1.s+3) ubyte >0x6D 8086 relocatable (Microsoft) >>>>(1.s+3) ubyte >0x6D
# skip few Atari DEGAS bitmap TPDEMO.PC2 RECIPE.PC2 with invalid "high" second record type FEh FFh
>>>>>(1.s+3) ubyte <0xF2 8086 relocatable (Microsoft)
#!:mime application/octet-stream #!:mime application/octet-stream
!:mime application/x-object !:mime application/x-object
!:ext obj/o/a !:ext obj/o/a
# T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or # T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or
# "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ # "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ
>>>>>3 pstring x \b, "%s" >>>>>>3 pstring x \b, "%s"
# data length probably lower 256 according to TrID obj_omf.trid.xml # data length probably lower 256 according to TrID obj_omf.trid.xml
>>>>>1 uleshort x \b, 1st record data length %u >>>>>>1 uleshort x \b, 1st record data length %u
# checksum # checksum
#>>>>>(3.b+4) ubyte x \b, checksum %#2.2x #>>>>>>(3.b+4) ubyte x \b, checksum %#2.2x
# second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF # second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF
>>>>>(1.s+3) ubyte x \b, 2nd record type %#x # highest F1h~Library End Record
>>>>>(1.s+4) uleshort x \b, 2nd record data length %u >>>>>>(1.s+3) ubyte x \b, 2nd record type %#x
>>>>>>(1.s+4) uleshort x \b, 2nd record data length %u
0 leshort 0xff65 x.out 0 leshort 0xff65 x.out
>2 string __.SYMDEF randomized >2 string __.SYMDEF randomized
>0 byte x archive >0 byte x archive
@ -100,3 +103,4 @@
>0x1e leshort &0x102 Huge Objects Enabled >0x1e leshort &0x102 Huge Objects Enabled
0 leshort 0x580 XENIX 8086 relocatable or 80286 small model 0 leshort 0x580 XENIX 8086 relocatable or 80286 small model
# GRR: line above is too general as it catches also all 8086 relocatable (Microsoft) with 1st record data length 5 C0M.OBJ C0T.OBJ C0S.OBJ

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: xilinx,v 1.9 2021/04/26 15:56:00 christos Exp $ # $File: xilinx,v 1.10 2022/12/18 14:59:32 christos Exp $
# This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # This is Aaron's attempt at a MAGIC file for Xilinx .bit files.
# Xilinx-Magic@RevRagnarok.com # Xilinx-Magic@RevRagnarok.com
# Got the info from FPGA-FAQ 0026 # Got the info from FPGA-FAQ 0026
@ -38,3 +38,21 @@
# Raw bitstream files # Raw bitstream files
0 long 0xffffffff 0 long 0xffffffff
>&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN)
# AXLF (xclbin) files used by AMD/Xilinx accelerators.
# The file format is defined by XRT source tree:
# https://github.com/Xilinx/XRT/blob/master/src/runtime_src/core/include/xclbin.h
# Display file size, creation date, accelerator shell name, xclbin uuid and
# number of sections.
0 string xclbin2 AMD/Xilinx accelerator AXLF (xclbin) file
>0x130 lequad x \b, %lld bytes
>0x138 leqdate x \b, created %s
>0x160 string >0 \b, shell "%.64s"
>0x1a0 ubelong x \b, uuid %08x
>0x1a4 ubeshort x \b-%04x
>0x1a6 ubeshort x \b-%04x
>0x1a8 ubeshort x \b-%04x
>0x1aa ubelong x \b-%08x
>0x1ae ubeshort x \b%04x
>0x1c0 lelong x \b, %d sections

View file

@ -1,6 +1,7 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: xo65,v 1.4 2009/09/19 16:28:13 christos Exp $ # $File: xo65,v 1.5 2022/07/17 15:36:20 christos Exp $
# https://cc65.github.io/doc/sim65.html
# xo65 object files # xo65 object files
# From: "Ullrich von Bassewitz" <uz@cc65.org> # From: "Ullrich von Bassewitz" <uz@cc65.org>
# #
@ -28,3 +29,9 @@
>6 leshort&0x0003 =0x0001 alignment 2 >6 leshort&0x0003 =0x0001 alignment 2
>6 leshort&0x0003 =0x0002 alignment 4 >6 leshort&0x0003 =0x0002 alignment 4
>6 leshort&0x0003 =0x0003 alignment 256 >6 leshort&0x0003 =0x0003 alignment 256
# sim65 executable files
0 string \x73\x69\x6d\x36\x35 sim65 executable,
>5 byte x version %d,
>6 leshort&0x0000 =0x0000 6502
>6 leshort&0x0001 =0x0001 65C02

View file

@ -1,6 +1,6 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: xwindows,v 1.12 2021/08/24 08:31:10 christos Exp $ # $File: xwindows,v 1.13 2022/03/24 15:48:58 christos Exp $
# xwindows: file(1) magic for various X/Window system file formats. # xwindows: file(1) magic for various X/Window system file formats.
# Compiled X Keymap # Compiled X Keymap
@ -37,7 +37,7 @@
# X bitmap https://en.wikipedia.org/wiki/X_BitMap # X bitmap https://en.wikipedia.org/wiki/X_BitMap
0 search/2048 #define\040 0 search/2048 #define\040
>&0 regex [a-zA-Z0-9]+_width\040 xbm image >&0 regex [a-zA-Z0-9]+_width\040 xbm image
>>&0 regex [0-9]* (%sx >>&0 regex [0-9]+ (%sx
>>>&0 string \n#define\040 >>>&0 string \n#define\040
>>>>&0 regex [a-zA-Z0-9]+_height\040 >>>>&0 regex [a-zA-Z0-9]+_height\040
>>>>>&0 regex [0-9]* \b%s) >>>>>&0 regex [0-9]+ \b%s)

View file

@ -1,20 +1,28 @@
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# $File: zip,v 1.7 2021/04/26 15:56:00 christos Exp $ # $File: zip,v 1.8 2021/10/24 15:53:56 christos Exp $
# zip: file(1) magic for zip files; this is not use # zip: file(1) magic for zip files; this is not use
# Note the version of magic in archive is currently stronger, this is # Note the version of magic in archive is currently stronger, this is
# just an example until negative offsets are supported better # just an example until negative offsets are supported better
# Note: All fields unless otherwise noted are unsigned!
# Zip Central Directory record # Zip Central Directory record
0 name zipcd 0 name zipcd
>0 string PK\001\002 Zip archive data >0 string PK\001\002 Zip archive data
!:mime application/zip !:mime application/zip
# no "made by" in local file header with PK\3\4 magic
>>4 leshort x \b, made by >>4 leshort x \b, made by
>>4 use zipversion >>4 use zipversion
>>4 use ziphost >>4 use ziphost
# inside ./archive 1.151 called "at least" zipversion "to extract"
>>6 leshort x \b, extract using at least >>6 leshort x \b, extract using at least
>>6 use zipversion >>6 use zipversion
>>12 ledate x \b, last modified %s # This is DOS date like: ledate 21:00:48 19 Dec 2001 != DOS 00:00 1 Jan 2010 ~ 0000213C
>>24 lelong >0 \b, uncompressed size %d >>12 ulelong x \b, last modified
>>14 lemsdosdate x \b, last modified %s
>>12 lemsdostime x %s
# uncompressed size of 1st entry; FFffFFff means real value stored in ZIP64 record
>>24 ulelong !0xFFffFFff \b, uncompressed size %u
# inside ./archive 1.151 called "compression method="zipcompression
>>10 leshort x \b, method= >>10 leshort x \b, method=
>>10 use zipcompression >>10 use zipcompression
@ -102,11 +110,17 @@
#>1 ubyte >19 unused %#x #>1 ubyte >19 unused %#x
# Zip End Of Central Directory record # Zip End Of Central Directory record
# GRR: wrong for ZIP with comment archive
-22 string PK\005\006 -22 string PK\005\006
#>4 leshort >1 \b, %d disks #>4 uleshort !0xFFff \b, %u disks
#>6 leshort >1 \b, central directory disk %d #>6 uleshort !0xFFff \b, central directory disk %u
#>8 leshort >1 \b, %d central directories on this disk #>8 uleshort !0xFFff \b, %u central directories on this disk
#>10 leshort >1 \b, %d central directories #>10 uleshort !0xFFff \b, %u central directories
#>12 lelong x \b, %d central directory bytes #>12 ulelong !0xFFffFFff \b, %u central directory bytes
# offset of central directory
#>16 ulelong x \b, central directory offset %#x
>(16.l) use zipcd >(16.l) use zipcd
# archive comment length n
#>>20 uleshort >0 \b, comment length %u
# archive comment
>>20 pstring/l >0 \b, %s >>20 pstring/l >0 \b, %s

View file

@ -1,5 +1,5 @@
# #
# $File: Makefile.am,v 1.172 2021/10/07 15:41:22 christos Exp $ # $File: Makefile.am,v 1.188 2023/05/21 17:19:08 christos Exp $
# #
MAGIC_FRAGMENT_BASE = Magdir MAGIC_FRAGMENT_BASE = Magdir
MAGIC_DIR = $(top_srcdir)/magic MAGIC_DIR = $(top_srcdir)/magic
@ -29,6 +29,7 @@ $(MAGIC_FRAGMENT_DIR)/application \
$(MAGIC_FRAGMENT_DIR)/applix \ $(MAGIC_FRAGMENT_DIR)/applix \
$(MAGIC_FRAGMENT_DIR)/apt \ $(MAGIC_FRAGMENT_DIR)/apt \
$(MAGIC_FRAGMENT_DIR)/archive \ $(MAGIC_FRAGMENT_DIR)/archive \
$(MAGIC_FRAGMENT_DIR)/aria \
$(MAGIC_FRAGMENT_DIR)/arm \ $(MAGIC_FRAGMENT_DIR)/arm \
$(MAGIC_FRAGMENT_DIR)/asf \ $(MAGIC_FRAGMENT_DIR)/asf \
$(MAGIC_FRAGMENT_DIR)/assembler \ $(MAGIC_FRAGMENT_DIR)/assembler \
@ -52,12 +53,14 @@ $(MAGIC_FRAGMENT_DIR)/bout \
$(MAGIC_FRAGMENT_DIR)/bsdi \ $(MAGIC_FRAGMENT_DIR)/bsdi \
$(MAGIC_FRAGMENT_DIR)/bsi \ $(MAGIC_FRAGMENT_DIR)/bsi \
$(MAGIC_FRAGMENT_DIR)/btsnoop \ $(MAGIC_FRAGMENT_DIR)/btsnoop \
$(MAGIC_FRAGMENT_DIR)/burp \
$(MAGIC_FRAGMENT_DIR)/bytecode \ $(MAGIC_FRAGMENT_DIR)/bytecode \
$(MAGIC_FRAGMENT_DIR)/c-lang \ $(MAGIC_FRAGMENT_DIR)/c-lang \
$(MAGIC_FRAGMENT_DIR)/c64 \ $(MAGIC_FRAGMENT_DIR)/c64 \
$(MAGIC_FRAGMENT_DIR)/cad \ $(MAGIC_FRAGMENT_DIR)/cad \
$(MAGIC_FRAGMENT_DIR)/cafebabe \ $(MAGIC_FRAGMENT_DIR)/cafebabe \
$(MAGIC_FRAGMENT_DIR)/cbor \ $(MAGIC_FRAGMENT_DIR)/cbor \
$(MAGIC_FRAGMENT_DIR)/ccf \
$(MAGIC_FRAGMENT_DIR)/cddb \ $(MAGIC_FRAGMENT_DIR)/cddb \
$(MAGIC_FRAGMENT_DIR)/chord \ $(MAGIC_FRAGMENT_DIR)/chord \
$(MAGIC_FRAGMENT_DIR)/cisco \ $(MAGIC_FRAGMENT_DIR)/cisco \
@ -90,6 +93,7 @@ $(MAGIC_FRAGMENT_DIR)/diff \
$(MAGIC_FRAGMENT_DIR)/digital \ $(MAGIC_FRAGMENT_DIR)/digital \
$(MAGIC_FRAGMENT_DIR)/dolby \ $(MAGIC_FRAGMENT_DIR)/dolby \
$(MAGIC_FRAGMENT_DIR)/dump \ $(MAGIC_FRAGMENT_DIR)/dump \
$(MAGIC_FRAGMENT_DIR)/dwarfs \
$(MAGIC_FRAGMENT_DIR)/dyadic \ $(MAGIC_FRAGMENT_DIR)/dyadic \
$(MAGIC_FRAGMENT_DIR)/ebml \ $(MAGIC_FRAGMENT_DIR)/ebml \
$(MAGIC_FRAGMENT_DIR)/edid \ $(MAGIC_FRAGMENT_DIR)/edid \
@ -104,6 +108,7 @@ $(MAGIC_FRAGMENT_DIR)/esri \
$(MAGIC_FRAGMENT_DIR)/fcs \ $(MAGIC_FRAGMENT_DIR)/fcs \
$(MAGIC_FRAGMENT_DIR)/filesystems \ $(MAGIC_FRAGMENT_DIR)/filesystems \
$(MAGIC_FRAGMENT_DIR)/finger \ $(MAGIC_FRAGMENT_DIR)/finger \
$(MAGIC_FRAGMENT_DIR)/firmware \
$(MAGIC_FRAGMENT_DIR)/flash \ $(MAGIC_FRAGMENT_DIR)/flash \
$(MAGIC_FRAGMENT_DIR)/flif \ $(MAGIC_FRAGMENT_DIR)/flif \
$(MAGIC_FRAGMENT_DIR)/fonts \ $(MAGIC_FRAGMENT_DIR)/fonts \
@ -116,6 +121,7 @@ $(MAGIC_FRAGMENT_DIR)/fusecompress \
$(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/games \
$(MAGIC_FRAGMENT_DIR)/gcc \ $(MAGIC_FRAGMENT_DIR)/gcc \
$(MAGIC_FRAGMENT_DIR)/gconv \ $(MAGIC_FRAGMENT_DIR)/gconv \
$(MAGIC_FRAGMENT_DIR)/gentoo \
$(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geo \
$(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/geos \
$(MAGIC_FRAGMENT_DIR)/gimp \ $(MAGIC_FRAGMENT_DIR)/gimp \
@ -206,6 +212,7 @@ $(MAGIC_FRAGMENT_DIR)/netbsd \
$(MAGIC_FRAGMENT_DIR)/netscape \ $(MAGIC_FRAGMENT_DIR)/netscape \
$(MAGIC_FRAGMENT_DIR)/netware \ $(MAGIC_FRAGMENT_DIR)/netware \
$(MAGIC_FRAGMENT_DIR)/news \ $(MAGIC_FRAGMENT_DIR)/news \
$(MAGIC_FRAGMENT_DIR)/nifty \
$(MAGIC_FRAGMENT_DIR)/nim-lang \ $(MAGIC_FRAGMENT_DIR)/nim-lang \
$(MAGIC_FRAGMENT_DIR)/nitpicker \ $(MAGIC_FRAGMENT_DIR)/nitpicker \
$(MAGIC_FRAGMENT_DIR)/numpy \ $(MAGIC_FRAGMENT_DIR)/numpy \
@ -216,6 +223,7 @@ $(MAGIC_FRAGMENT_DIR)/ole2compounddocs \
$(MAGIC_FRAGMENT_DIR)/olf \ $(MAGIC_FRAGMENT_DIR)/olf \
$(MAGIC_FRAGMENT_DIR)/openfst \ $(MAGIC_FRAGMENT_DIR)/openfst \
$(MAGIC_FRAGMENT_DIR)/opentimestamps \ $(MAGIC_FRAGMENT_DIR)/opentimestamps \
$(MAGIC_FRAGMENT_DIR)/oric \
$(MAGIC_FRAGMENT_DIR)/os2 \ $(MAGIC_FRAGMENT_DIR)/os2 \
$(MAGIC_FRAGMENT_DIR)/os400 \ $(MAGIC_FRAGMENT_DIR)/os400 \
$(MAGIC_FRAGMENT_DIR)/os9 \ $(MAGIC_FRAGMENT_DIR)/os9 \
@ -228,6 +236,7 @@ $(MAGIC_FRAGMENT_DIR)/pbf \
$(MAGIC_FRAGMENT_DIR)/pbm \ $(MAGIC_FRAGMENT_DIR)/pbm \
$(MAGIC_FRAGMENT_DIR)/pc88 \ $(MAGIC_FRAGMENT_DIR)/pc88 \
$(MAGIC_FRAGMENT_DIR)/pc98 \ $(MAGIC_FRAGMENT_DIR)/pc98 \
$(MAGIC_FRAGMENT_DIR)/pci_ids \
$(MAGIC_FRAGMENT_DIR)/pcjr \ $(MAGIC_FRAGMENT_DIR)/pcjr \
$(MAGIC_FRAGMENT_DIR)/pdf \ $(MAGIC_FRAGMENT_DIR)/pdf \
$(MAGIC_FRAGMENT_DIR)/pdp \ $(MAGIC_FRAGMENT_DIR)/pdp \
@ -237,6 +246,7 @@ $(MAGIC_FRAGMENT_DIR)/pgp \
$(MAGIC_FRAGMENT_DIR)/pgp-binary-keys \ $(MAGIC_FRAGMENT_DIR)/pgp-binary-keys \
$(MAGIC_FRAGMENT_DIR)/pkgadd \ $(MAGIC_FRAGMENT_DIR)/pkgadd \
$(MAGIC_FRAGMENT_DIR)/plan9 \ $(MAGIC_FRAGMENT_DIR)/plan9 \
$(MAGIC_FRAGMENT_DIR)/playdate \
$(MAGIC_FRAGMENT_DIR)/plus5 \ $(MAGIC_FRAGMENT_DIR)/plus5 \
$(MAGIC_FRAGMENT_DIR)/pmem \ $(MAGIC_FRAGMENT_DIR)/pmem \
$(MAGIC_FRAGMENT_DIR)/polyml \ $(MAGIC_FRAGMENT_DIR)/polyml \
@ -251,6 +261,7 @@ $(MAGIC_FRAGMENT_DIR)/pyramid \
$(MAGIC_FRAGMENT_DIR)/python \ $(MAGIC_FRAGMENT_DIR)/python \
$(MAGIC_FRAGMENT_DIR)/qt \ $(MAGIC_FRAGMENT_DIR)/qt \
$(MAGIC_FRAGMENT_DIR)/revision \ $(MAGIC_FRAGMENT_DIR)/revision \
$(MAGIC_FRAGMENT_DIR)/ringdove \
$(MAGIC_FRAGMENT_DIR)/riff \ $(MAGIC_FRAGMENT_DIR)/riff \
$(MAGIC_FRAGMENT_DIR)/rpi \ $(MAGIC_FRAGMENT_DIR)/rpi \
$(MAGIC_FRAGMENT_DIR)/rpm \ $(MAGIC_FRAGMENT_DIR)/rpm \
@ -258,6 +269,7 @@ $(MAGIC_FRAGMENT_DIR)/rpmsg \
$(MAGIC_FRAGMENT_DIR)/rtf \ $(MAGIC_FRAGMENT_DIR)/rtf \
$(MAGIC_FRAGMENT_DIR)/rst \ $(MAGIC_FRAGMENT_DIR)/rst \
$(MAGIC_FRAGMENT_DIR)/ruby \ $(MAGIC_FRAGMENT_DIR)/ruby \
$(MAGIC_FRAGMENT_DIR)/rust \
$(MAGIC_FRAGMENT_DIR)/sc \ $(MAGIC_FRAGMENT_DIR)/sc \
$(MAGIC_FRAGMENT_DIR)/sccs \ $(MAGIC_FRAGMENT_DIR)/sccs \
$(MAGIC_FRAGMENT_DIR)/scientific \ $(MAGIC_FRAGMENT_DIR)/scientific \
@ -283,7 +295,9 @@ $(MAGIC_FRAGMENT_DIR)/sql \
$(MAGIC_FRAGMENT_DIR)/ssh \ $(MAGIC_FRAGMENT_DIR)/ssh \
$(MAGIC_FRAGMENT_DIR)/ssl \ $(MAGIC_FRAGMENT_DIR)/ssl \
$(MAGIC_FRAGMENT_DIR)/statistics \ $(MAGIC_FRAGMENT_DIR)/statistics \
$(MAGIC_FRAGMENT_DIR)/subtitle \
$(MAGIC_FRAGMENT_DIR)/sun \ $(MAGIC_FRAGMENT_DIR)/sun \
$(MAGIC_FRAGMENT_DIR)/svf \
$(MAGIC_FRAGMENT_DIR)/sylk \ $(MAGIC_FRAGMENT_DIR)/sylk \
$(MAGIC_FRAGMENT_DIR)/symbos \ $(MAGIC_FRAGMENT_DIR)/symbos \
$(MAGIC_FRAGMENT_DIR)/sysex \ $(MAGIC_FRAGMENT_DIR)/sysex \