AkkomaGang/file_ex
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
file_ex/magic/Magdir/archive
FloatingGhost fea2f90423 file 5.45
2023-08-08 12:16:24 +01:00

2607 lines
93 KiB
Text
Raw Permalink Blame History

#------------------------------------------------------------------------------
# $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $
# archive: file(1) magic for archive formats (see also "msdos" for self-
# extracting compressed archives)
#
# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
# pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c.
# POSIX tar archives
# URL: https://en.wikipedia.org/wiki/Tar_(computing)
# Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
# header mainly padded with nul bytes
500 quad 0
!:strength /2
# filename or extended attribute printable strings in range space null til umlaut ue
>0 ubeshort >0x1F00
>>0 ubeshort <0xFCFD
# last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
# at https://sourceforge.net/projects/s-tar/files/testscripts/
>>>508 ubelong&0x8B9E8DFF 0
# nul, space or ascii digit 0-7 at start of mode
>>>>100 ubyte&0xC8 =0
>>>>>101 ubyte&0xC8 =0
# nul, space at end of check sum
>>>>>>155 ubyte&0xDF =0
# space or ascii digit 0 at start of check sum
>>>>>>>148 ubyte&0xEF =0x20
# FOR DEBUGGING:
#>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s"
# check for 1st image main name with digits used for sorting
# and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP
>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp)
>>>>>>>>>0 use tar-cbt
# check for 1st member name with ovf suffix
>>>>>>>>0 regex \^.{1,96}[.](ovf)
>>>>>>>>>0 use tar-ova
# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive
>>>>>>>>0 default x
>>>>>>>>>0 use tar-file
# minimal check and then display tar archive information which can also be
# embedded inside others like Android Backup, Clam AntiVirus database
0 name tar-file
>257 string !ustar
# header padded with nuls
>>257 ulong =0
# GNU tar version 1.29 with non pax format option without refusing
# creates misleading V7 header for Long path, Multi-volume, Volume type
>>>156 ubyte 0x4c GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 ubyte 0x4d GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 ubyte 0x56 GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 default x tar archive (V7)
!:mime application/x-tar
!:ext tar
# other stuff in padding
# some implementations add new fields to the blank area at the end of the header record
# created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
>>257 ulong !0 tar archive (old)
!:mime application/x-tar
!:ext tar
# magic in newer, GNU, posix variants
>257 string =ustar
# 2 last char of magic and UStar version because string expression does not work
# 2 space characters followed by a null for GNU variant
>>261 ubelong =0x72202000 POSIX tar archive (GNU)
!:mime application/x-gtar
!:ext tar/gtar
# UStar version with ASCII "00"
>>261 ubelong 0x72003030 POSIX
# gLOBAL and ExTENSION type only found in POSIX.1-2001 format
>>>156 ubyte 0x67 \b.1-2001
>>>156 ubyte 0x78 \b.1-2001
>>>156 ubyte x tar archive
!:mime application/x-ustar
!:ext tar/ustar
# version with 2 binary nuls embedded in Android Backup like com.android.settings.ab
>>261 ubelong 0x72000000 tar archive (ustar)
!:mime application/x-ustar
!:ext tar/ustar
# not seen ustar variant with garbish version
>>261 default x tar archive (unknown ustar)
!:mime application/x-ustar
!:ext tar/ustar
# type flag of 1st tar archive member
#>156 ubyte x \b, %c-type
>156 ubyte x
>>156 ubyte 0 \b, file
>>156 ubyte 0x30 \b, file
>>156 ubyte 0x31 \b, hard link
>>156 ubyte 0x32 \b, symlink
>>156 ubyte 0x33 \b, char device
>>156 ubyte 0x34 \b, block device
>>156 ubyte 0x35 \b, directory
>>156 ubyte 0x36 \b, fifo
>>156 ubyte 0x37 \b, reserved
>>156 ubyte 0x4c \b, long path
>>156 ubyte 0x4d \b, multi volume
>>156 ubyte 0x56 \b, volume
>>156 ubyte 0x67 \b, global
>>156 ubyte 0x78 \b, extension
>>156 default x \b, type
>>>156 ubyte x '%c'
# name[100]
>0 string >\0 %-.60s
# mode mainly stored as an octal number in ASCII null or space terminated
>100 string >\0 \b, mode %-.7s
# user id mainly as octal numbers in ASCII null or space terminated
>108 string >\0 \b, uid %-.7s
# group id mainly as octal numbers in ASCII null or space terminated
>116 string >\0 \b, gid %-.7s
# size mainly as octal number in ASCII
>124 ubyte <0x38
>>124 string >\0 \b, size %-.12s
# coding indicated by setting the high-order bit of the leftmost byte
>124 ubyte >0xEF \b, size 0x
>>124 ubyte !0xff \b%2.2x
>>125 ubyte !0xff \b%2.2x
>>126 ubyte !0xff \b%2.2x
>>127 ubyte !0xff \b%2.2x
>>128 ubyte !0xff \b%2.2x
>>129 ubyte !0xff \b%2.2x
>>130 ubyte !0xff \b%2.2x
>>131 ubyte !0xff \b%2.2x
>>132 ubyte !0xff \b%2.2x
>>133 ubyte !0xff \b%2.2x
>>134 ubyte !0xff \b%2.2x
>>135 ubyte !0xff \b%2.2x
# seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated
>136 string >\0 \b, seconds %-.11s
# header checksum stored as an octal number in ASCII null or space terminated
#>148 string x \b, cksum %.7s
# linkname[100]
>157 string >\0 \b, linkname %-.40s
# additional fields for ustar
>257 string =ustar
# owner user name null terminated
>>265 string >\0 \b, user %-.32s
# group name null terminated
>>297 string >\0 \b, group %-.32s
# device major minor if not zero
>>329 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>329 string x \b, devmaj %-.7s
>>337 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>337 string x \b, devmin %-.7s
# prefix[155]
>>345 string >\0 \b, prefix %-.155s
# old non ustar/POSIX tar
>257 string !ustar
>>508 string =tar\0
# padding[255] in old star
>>>257 string >\0 \b, padding: %-.40s
>>508 default x
# padding[255] in old tar sometimes comment field
>>>257 string >\0 \b, comment: %-.40s
# Summary: Comic Book Archive *.CBT with TAR format
# URL: https://en.wikipedia.org/wiki/Comic_book_archive
# http://fileformats.archiveteam.org/wiki/Comic_Book_Archive
# Note: there exist also RAR, ZIP, ACE and 7Z packed variants
0 name tar-cbt
>0 string x Comic Book archive, tar archive
#!:mime application/x-tar
!:mime application/vnd.comicbook
#!:mime application/vnd.comicbook+tar
!:ext cbt
# name[100] probably like: 19.jpg 0001.png 0002.png
# or maybe like ComicInfo.xml
>0 string >\0 \b, 1st image %-.60s
# Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format
# http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format)
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml
# Note: called "Open Virtualization Format package" by TrID
# assuming *.ovf comes first
0 name tar-ova
>0 string x Open Virtualization Format Archive
#!:mime application/x-ustar
# http://extension.nirsoft.net/ova
!:mime application/x-virtualbox-ova
!:ext ova
# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf
>0 string >\0 \b, with %-.60s
# Incremental snapshot gnu-tar format from:
# https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\ tar- GNU tar incremental snapshot data
>&0 regex [0-9]\\.[0-9]+-[0-9]+ version %s
# cpio archives
#
# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
# The idea is to indicate archives produced on machines with the same
# byte order as the machine running "file" with "cpio archive", and
# to indicate archives produced on machines with the opposite byte order
# from the machine running "file" with "byte-swapped cpio archive".
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
# URL: http://fileformats.archiveteam.org/wiki/Cpio
# https://en.wikipedia.org/wiki/Cpio
# Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt
# Update: Joerg Jenderek
#
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml
# Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635
0 short 070707
# skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry
>26 string >\0 cpio archive
!:mime application/x-cpio
# https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso
# boot/x86_64/loader/bootlogo
# message.cpi
!:ext /cpio/cpi
>>0 use cpio-bin
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml
# Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip
0 short 0143561 byte-swapped cpio archive
!:mime application/x-cpio # encoding: swapped
# https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio
!:ext cpio
>0 use cpio-bin-be
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml
# Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio
0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
!:mime application/x-cpio
# https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012
!:ext cpio/cpi/008/012
# Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio
0 string 070701 ASCII cpio archive (SVR4 with no CRC)
!:mime application/x-cpio
# https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio
!:ext cpio
# Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio
0 string 070702 ASCII cpio archive (SVR4 with CRC)
!:mime application/x-cpio
# http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz
# https://telparia.com/fileFormatSamples/archive/cpio/pcmcia
!:ext /cpio
# display information of old binary cpio archive
# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and
# `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio`
0 name cpio-bin
# c_dev; device number; WHAT IS THAT?
>2 uleshort x \b; device %u
# c_ino; truncated inode number; use `ls --inode`
>4 uleshort x \b, inode %u
# c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l`
>6 uleshort x \b, mode %o
# c_uid; numeric user id; use `ls --numeric-uid-gid`
>8 uleshort x \b, uid %u
# c_gid; numeric group id
>10 uleshort x \b, gid %u
# c_nlink; links to this file; directories at least 2
>12 uleshort >1 \b, %u links
# c_rdev; device number for block and character entries; zero for all other entries by writers
# like 0x0440 for /dev/ttyS0
>14 uleshort >0 \b, device %#4.4x
# c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first
>16 medate x \b, modified %s
# c_filesize[2]; size of pathname; most-significant 16 bits first like: 544
>22 melong x \b, %u bytes
# c_namesize; bytes in the pathname that follows the header like: 9
#>20 uleshort x \b, namesize %u
# pathname of entry like: "clam.exe"
>26 string x "%s"
# display information of old binary byte swapped cpio archive
# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and
# `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio`
0 name cpio-bin-be
>2 ubeshort x \b; device %u
>4 ubeshort x \b, inode %u
>6 ubeshort x \b, mode %o
>8 ubeshort x \b, uid %u
>10 ubeshort x \b, gid %u
>12 ubeshort >1 \b, %u links
>14 ubeshort >0 \b, device %#4.4x
>16 bedate x \b, modified %s
>22 ubelong x \b, %u bytes
#>20 ubeshort x \b, namesize %u
>26 string x "%s"
#
# Various archive formats used by various versions of the "ar"
# command.
#
#
# Original UNIX archive formats.
# They were written with binary values in host byte order, and
# the magic number was a host "int", which might have been 16 bits
# or 32 bits. We don't say "PDP-11" or "VAX", as there might have
# been ports to little-endian 16-bit-int or 32-bit-int platforms
# (x86?) using some of those formats; if none existed, feel free
# to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
# 32-bit. There might have been big-endian ports of that sort as
# well.
#
0 leshort 0177555 very old 16-bit-int little-endian archive
0 beshort 0177555 very old 16-bit-int big-endian archive
0 lelong 0177555 very old 32-bit-int little-endian archive
0 belong 0177555 very old 32-bit-int big-endian archive
0 leshort 0177545 old 16-bit-int little-endian archive
>2 string __.SYMDEF random library
0 beshort 0177545 old 16-bit-int big-endian archive
>2 string __.SYMDEF random library
0 lelong 0177545 old 32-bit-int little-endian archive
>4 string __.SYMDEF random library
0 belong 0177545 old 32-bit-int big-endian archive
>4 string __.SYMDEF random library
#
# From "pdp" (but why a 4-byte quantity?)
#
0 lelong 0x39bed PDP-11 old archive
0 lelong 0x39bee PDP-11 4.0 archive
#
# XXX - what flavor of APL used this, and was it a variant of
# some ar archive format? It's similar to, but not the same
# as, the APL workspace magic numbers in pdp.
#
0 long 0100554 apl workspace
#
# System V Release 1 portable(?) archive format.
#
0 string =<ar> System V Release 1 ar archive
!:mime application/x-archive
#
# Debian package; it's in the portable archive format, and needs to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "debian".
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Deb_(file_format)
0 string =!<arch>\ndebian
# https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
>14 string -split part of multipart Debian package
!:mime application/vnd.debian.binary-package
# udeb is used for stripped down deb file
!:ext deb/udeb
>14 string -binary Debian binary package
!:mime application/vnd.debian.binary-package
# For ipk packager see also https://en.wikipedia.org/wiki/Opkg
!:ext deb/udeb/ipk
# This should not happen
>14 default x Unknown Debian package
# NL terminated version; for most Debian cases this is 2.0 or 2.1 for split
>68 string >\0 (format %s)
#>68 string !2.0\n
#>>68 string x (format %.3s)
>68 string =2.0\n
# 2nd archive name=control archive name like control.tar.gz or control.tar.xz
# or control.tar.zst
>>72 string >\0 \b, with %.15s
# look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
>>0 search/0x93e4f data.tar. \b, data compression
# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
# for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
>>>&0 string x %.2s
# skip space (0x20 BSD) and slash (0x2f System V) character marking end of name
>>>&2 ubyte !0x20
>>>>&-1 ubyte !0x2f
# display 3rd character of file name extension like 2 of bz2 or m of lzma
>>>>>&-1 ubyte x \b%c
>>>>>>&0 ubyte !0x20
>>>>>>>&-1 ubyte !0x2f
# display 4th character of file name extension like a of lzma
>>>>>>>>&-1 ubyte x \b%c
# split debian package case
>68 string =2.1\n
# dpkg-1.18.25/dpkg-split/info.c
# NL terminated ASCII package name like ckermit
>>&0 string x \b, %s
# NL terminated package version like 302-5.3
>>>&1 string x %s
# NL terminated MD5 checksum
>>>>&1 string x \b, MD5 %s
# NL terminated original package length
>>>>>&1 string x \b, unsplitted size %s
# NL terminated part length
>>>>>>&1 string x \b, part length %s
# NL terminated package part like n/m
>>>>>>>&1 string x \b, part %s
# NL terminated package architecture like armhf since dpkg 1.16.1 or later
>>>>>>>>&1 string x \b, %s
#
# MIPS archive; they're in the portable archive format, and need to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "__________E".
#
0 string =!<arch>\n__________E MIPS archive
!:mime application/x-archive
>20 string U with MIPS Ucode members
>21 string L with MIPSEL members
>21 string B with MIPSEB members
>19 string L and an EL hash table
>19 string B and an EB hash table
>22 string X -- out of date
#
# BSD/SVR2-and-later portable archive formats.
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/AR
# Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
# Note: Mach-O universal binary in ./cafebabe is dependent
# TODO: unify current ar archive, MIPS archive, Debian package
# distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
# *.ar packages from *.a libraries. handle empty archive
0 string =!<arch>\n current ar archive
# print first and possibly second ar_name[16] for debugging purpose
#>8 string x \b, 1st "%.16s"
#>68 string x \b, 2nd "%.16s"
!:mime application/x-archive
# a in most case for libraries; lib for Microsoft libraries; ar else cases
!:ext a/lib/ar
>8 string __.SYMDEF random library
# first member with long marked name __.SYMDEF SORTED implies BSD library
>68 string __.SYMDEF\ SORTED random library
# Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
# "archive file" entry moved from ./hp
# LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
# LST header a_magic 0619h~relocatable library
>68 belong 0x020b0619 - PA-RISC1.0 relocatable library
>68 belong 0x02100619 - PA-RISC1.1 relocatable library
>68 belong 0x02110619 - PA-RISC1.2 relocatable library
>68 belong 0x02140619 - PA-RISC2.0 relocatable library
#EOF for common ar archives
#
# "Thin" archive, as can be produced by GNU ar.
#
0 string =!<thin>\n thin archive with
>68 belong 0 no symbol entries
>68 belong 1 %d symbol entry
>68 belong >1 %d symbol entries
0 search/1 -h- Software Tools format archive text
# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
#
# The first byte is the magic (0x1a), byte 2 is the compression type for
# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
# filename of the first file (null terminated). Since some types collide
# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
!:mime application/x-arc
# [JW] stuff taken from idarc, obviously ARC successors:
0 lelong&0x8080ffff 0x00000a1a PAK archive data
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000141a ARC+ archive data
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000481a HYP archive data
!:mime application/x-arc
# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
# I can't create either SPARK or ArcFS archives so I have not tested this stuff
# [GRR: the original entries collide with ARC, above; replaced with combined
# version (not tested)]
#0 byte 0x1a RISC OS archive (spark format)
0 string \032archive RISC OS archive (ArcFS format)
0 string Archive\000 RISC OS archive (ArcFS format)
# All these were taken from idarc, many could not be verified. Unfortunately,
# there were many low-quality sigs, i.e. easy to trigger false positives.
# Please notify me of any real-world fishy/ambiguous signatures and I'll try
# to get my hands on the actual archiver and see if I find something better. [JW]
# probably many can be enhanced by finding some 0-byte or control char near the start
# idarc calls this Crush/Uncompressed... *shrug*
0 string CRUSH Crush archive data
# Squeeze It (.sqz)
0 string HLSQZ Squeeze It archive data
# SQWEZ
0 string SQWEZ SQWEZ archive data
# HPack (.hpk)
0 string HPAK HPack archive data
# HAP
0 string \x91\x33HF HAP archive data
# MD/MDCD
0 string MDmd MDCD archive data
# LIM
0 string LIM\x1a LIM archive data
# SAR
3 string LH5 SAR archive data
# BSArc/BS2
0 string \212\3SB\020\0 BSArc/BS2 archive data
# Bethesda Softworks Archive (Oblivion)
0 string BSA\0 BSArc archive data
>4 lelong x version %d
# MAR
2 string =-ah MAR archive data
# ACB
#0 belong&0x00f800ff 0x00800000 ACB archive data
# CPZ
# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
# JRC
0 string JRchive JRC archive data
# Quantum
0 string DS\0 Quantum archive data
# ReSOF
0 string PK\3\6 ReSOF archive data
# QuArk
0 string 7\4 QuArk archive data
# YAC
14 string YC YAC archive data
# X1
0 string X1 X1 archive data
0 string XhDr X1 archive data
# CDC Codec (.dqt)
0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
# AMGC
0 string \xad6" AMGC archive data
# NuLIB
0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
# PakLeo
0 string LEOLZW PAKLeo archive data
# ChArc
0 string SChF ChArc archive data
# PSA
0 string PSA PSA archive data
# CrossePAC
0 string DSIGDCC CrossePAC archive data
# Freeze
0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
# KBoom
0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
# NSQ, must go after CDC Codec
0 string \x76\xff NSQ archive data
# DPA
0 string Dirk\ Paehl DPA archive data
# BA
# TODO: idarc says "bytes 0-2 == bytes 3-5"
# TTComp
# URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
# Update: Joerg Jenderek
# GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
0 string \0\6
# look for first keyword of Panorama database *.pan
>12 search/261 DESIGN
# skip keyword with low entropy
>12 default x
# skip DOS 2.0 backup id file, sequence 6 with many nils like BACKUPID_xx6.@@@ handled by ./msdos
>>8 quad !0
>>>0 use ttcomp
# variant ASCII, 4K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
0 string \1\6
# TODO:
# skip VAX-order 68k Blit mpx/mux executable (strength=50) handled by ./blit
!:strength -2
>0 use ttcomp
0 string \0\5
# skip some DOS 2.0 backup id file, sequence 5 with many nils like BACKUPID_075.@@@ handled by ./msdos
>8 quad !0
>>0 use ttcomp
0 string \1\5
# TODO:
# variant ASCII, 2K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
# skip ctab data (strength=50) handled by ./ibm6000
# skip locale data table (strength=50) handled by ./digital
!:strength -2
>0 use ttcomp
0 string \0\4
# skip many Maple help database *.hdb with version tag handled by ./maple
>1028 string !version
# skip veclib maple.hdb by looking for Mable keyword
>>4 search/1091 Maple\040
#>4 search/34090 Maple\040
>>4 default x
# skip DOS 2.0-3.2 backed up sequence 4 with many nils like LOTUS5.RAR handled by ./msdos
# skip xBASE Compound Index file *.CDX with many nils
>>>0x54 quad !0
>>>>0 use ttcomp
0 string \1\4
# TODO:
# skip shared library (strength=50) handled by ./ibm6000
!:strength -2
# skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset)
#>-4 ubelong x LAST_BYTES=%8.8x
>-4 ubelong&0x00FFffFF !0
>>0 use ttcomp
# display information of TTComp archive
0 name ttcomp
# (version 5.25) labeled the entry as "TTComp archive data"
>0 ubyte x TTComp archive data
!:mime application/x-compress-ttcomp
# PBACKSCR.PI1
!:ext $xe/$ts/pi1/__d
# compression type: 0~binary compression 1~ASCII compression
>0 ubyte 0 \b, binary
>0 ubyte 1 \b, ASCII
# size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes
>1 ubyte 4 \b, 1K
>1 ubyte 5 \b, 2K
>1 ubyte 6 \b, 4K
>1 ubyte x dictionary
# https://mark0.net/forum/index.php?topic=848
# last 3 bytes probably have only 8 possible bit sequences
# xxxxxxxx 0000000x 11111111 ____FFh
# xxxxxxxx 10000000 01111111 __807Fh
# 0xxxxxxx 11000000 00111111 __C03Fh
# 00xxxxxx 11100000 00011111 __E01Fh
# 000xxxxx 11110000 00001111 __F00Fh
# 0000xxxx 11111000 00000111 __F807h
# 00000xxx 11111100 00000011 __FC03h
# 000000xx 11111110 00000001 __FE01h
# but for quickgif.__d 0A7DD4h
#>-3 ubyte x \b, last 3 bytes 0x%2.2x
#>-2 ubeshort x \b%4.4x
# From: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Disk_Copy
# reference: http://nulib.com/library/FTN.e00005.htm
0x52 ubeshort 0x0100
# test for disk image size equal or above 400k
>0x40 ubelong >409599
# test also for disk image size equal or below 1440k to skip
# windows7en.mbr UNICODE.DAT
#>>0x40 ubelong <1474561
# test now for "low" disk image size equal or below 64 MiB to skip
# windows7en.mbr (B441BBAAh) UNICODE.DAT (0400AF05h)
>>0x40 ubelong <0x04000001
# To skip Flags$StringJoiner.class with size 00106A61h test also for valid disk image sizes
# 00064000 for 400k GCR disks dc42-400k-gcr.trid.xml
# 000c8000 for 800k GCR disks dc42-800k-gcr.trid.xml
# 000b4000 for 720k MFM disks dc42-720k-mfm.trid.xml
# 00168000 for 1440k MFM disks dc42-1440k-mfm.trid.xml
# https://lisaem.sunder.net/LisaProjectDocs.txt
# 00500000 05M available
# 00A00000 10M available
# 01800000 24M possible
# 02000000 32M uncertain
# 04000000 64M uncertain
>>>0x40 ubelong&0xf8003fFF 0
# skip samples with invalid disk name length like:
# 181 (biosmd80.rom) 202 (Flags$StringJoiner.class) 90 (UNICODE.DAT)
>>>>0x0 ubyte <64
>>>>>0 use dc42-floppy
# display information of Apple DiskCopy 4.2 floppy image
0 name dc42-floppy
# disk name length; maximal 63
#>0 ubyte x DISK NAME LENGTH %u
# ASCII image pascal (maximal 63 bytes) name padded with NULs like:
# "Microsoft Mail" "Disquette 2" "IIe Installer Disk"
# "-lisaem.sunder.net hd-" (dc42-lisaem.trid.xml) "-not a Macintosh disk" (dc42-nonmac.trid.xml)
>00 pstring/B x Apple DiskCopy 4.2 image %s
#!:mime application/octet-stream
!:mime application/x-dc42-floppy-image
!:apple dCpydImg
# probably also img like: "Utilitaires 2.img" "Installation 7.img"
!:ext image/dc42/img
# data size in bytes like: 409600 737280 819200 1474560
>0x40 ubelong x \b, %u bytes
# for debugging purpose size in hexadecimal
#>0x40 ubelong x (%#8.8x)
# tag size in bytes like: 0 (often) 2580h (PUID fmt/625) 4B00h (Microsoft Mail.image)
>0x44 ubelong >0 \b, %#x tag size
# data checksum
#>0x48 ubelong x \b, %#x checksum
# tag checksum
#>0x4c ubelong x \b, %#x tag checksum
# disk encoding like: 0 1 2 3 (PUID: fmt/625)
>0x50 ubyte 0 \b, GCR CLV ssdd (400k)
>0x50 ubyte 1 \b, GCR CLV dsdd (800k)
>0x50 ubyte 2 \b, MFM CAV dsdd (720k)
>0x50 ubyte 3 \b, MFM CAV dshd (1440k)
>0x50 ubyte >3 \b, %#x encoding
# format byte like: 12h (Lisa 400K) 24h (400K Macintosh) 96h (800K Apple II disk)
# 2 (Mac 400k "Disquette Installation 13.image")
# 22h (double-sided MFM or Mac 800k "Disco 12.image" "IIe Installer Disk.image")
>0x51 ubyte x \b, %#x format
#>0x54 ubequad x \b, data %#16.16llx
# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
0 string ESP ESP archive data
# ZPack
0 string \1ZPK\1 ZPack archive data
# Sky
0 string \xbc\x40 Sky archive data
# UFA
0 string UFA UFA archive data
# Dry
0 string =-H2O DRY archive data
# FoxSQZ
0 string FOXSQZ FoxSQZ archive data
# AR7
0 string ,AR7 AR7 archive data
# PPMZ
0 string PPMZ PPMZ archive data
# MS Compress
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
# Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html
# Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z
4 string \x88\xf0\x27
# KWAJ variant
>0 string KWAJ MS Compress archive data, KWAJ variant
!:mime application/x-ms-compress-kwaj
# extension not working in version 5.32
# magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?'
# file: line 284: Bad magic entry ' ??_'
!:ext ??_
# compression method (0-4)
>>8 uleshort x \b, %u method
# offset of compressed data
>>10 uleshort x \b, %#x offset
#>>(10.s) uleshort x
#>>>&-6 string x \b, TEST extension %-.3s
# header flags to mark header extensions
>>12 uleshort >0 \b, %#x flags
# 4 bytes: decompressed length of file
>>12 uleshort &0x01
>>>14 ulelong x \b, original size: %u bytes
# 2 bytes: unknown purpose
# 2 bytes: length of unknown data + mentioned bytes
# 1-9 bytes: null-terminated file name
# 1-4 bytes: null-terminated file extension
>>12 uleshort &0x08
>>>12 uleshort ^0x01
>>>>12 uleshort ^0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>14 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>14 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(14.s) uleshort x
>>>>>>>>&14 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(14.s) uleshort x
>>>>>>>>&14 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
>>>>12 uleshort &0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>16 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>16 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(16.s) uleshort x
>>>>>>>>&16 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(16.s) uleshort x
>>>>>>>&16 string x %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>12 uleshort &0x01
>>>>12 uleshort ^0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>18 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>18 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(18.s) uleshort x
>>>>>>>>&18 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(18.s) uleshort x
>>>>>>>>&18 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
>>>>12 uleshort &0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>20 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>20 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(20.s) uleshort x
>>>>>>>>&20 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(20.s) uleshort x
>>>>>>>>&20 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
# 2 bytes: length of data + mentioned bytes
#
# SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
# Reference: http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html
# http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml
# Note: called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID
# verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ
# `deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura"
>0 string SZDD MS Compress archive data, SZDD variant
# 2nd part of signature
#>>4 ubelong 0x88F02733 \b, SIGNATURE OK
!:mime application/x-ms-compress-szdd
!:ext ??_
# The character missing from the end of the filename (0=unknown)
>>9 string >\0 \b, %-.1s is last character of original name
# https://www.betaarchive.com/forum/viewtopic.php?t=26161
# Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e
>>8 string !A \b, %-.1s method
>>10 ulelong >0 \b, original size: %u bytes
# Summary: InstallShield archive with SZDD compressed
# URL: https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647
# From: Joerg Jenderek
1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive
#!:mime application/octet-stream
!:mime application/x-installshield-compress-szdd
!:ext ibt
# name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_
>0 string x %s
# name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL
>>&1 string x (%s)
# probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618
>>>&1 string x \b, version %s
# SZDD member length like: 168048 169333 181842
>>>>&1 string x \b, %s bytes
# MS Compress archive data
#>&0 string SZDD \b, SIGNATURE FOUND
>&0 indirect x
# QBasic SZDD variant
3 string \x88\xf0\x27
>0 string SZ\x20 MS Compress archive data, QBasic variant
!:mime application/x-ms-compress-sz
!:ext ??$
>>8 ulelong >0 \b, original size: %u bytes
# Summary: lzss compressed/EDI Pack
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file
# Note: called "EDI Install LZS compressed data" by TrID and verified by
# command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1"
0 string EDILZSS
>7 string 1
# look for point character before orginal file name extension
>>8 search/9/b .
# check suffix of possible orginal file anme
#>>>&0 ubelong x SUFFIX=%8.8x
# samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS
>>>&0 ubyte <0x20
>>>>0 use edi-lzs
# samples with valid character after point in original file name field
>>>&0 ubyte >0x1F
# check 2nd charcter of suffix
#>>>>&0 ubyte x 2ND_SUFFIX=%x
# sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$
>>>>&0 ubyte =0
>>>>>0 use edi-pack
>>>>&0 ubyte >0x1F
# check 3rd charcter of suffix
#>>>>>&0 ubyte x 3RD_SUFFIX=%x
# no sample with 2 valid characters after point followed by \0 in original file name field
>>>>>&0 ubyte =0
>>>>>>0 use edi-pack
# samples with valid 3rd character after point in original file name field
>>>>>&0 ubyte >0x1F
# sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$
>>>>>>&0 ubyte =0
>>>>>>>0 use edi-pack
# sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS
>>>>>>&0 ubyte !0
>>>>>>>0 use edi-lzs
# no sample with invalid 3rd character after point in original file name field
>>>>>&0 default x
>>>>>>0 use edi-lzs
# sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS
>>>>&0 default x
>>>>>0 use edi-lzs
# sample without point character in original file name field like GUNSHOT.LZS
>>8 default x
>>>0 use edi-lzs
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml
# Note: called "EDI Install Pro LZSS2 compressed data" by TrID and verified by
# command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2"
>7 string 2 EDI LZSS2 packed
#!:mime application/octet-stream
!:mime application/x-edi-pack-lzss
# the name of a compressed file often ends in character '$' or '_'
!:ext ??$/??_
# original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx
>>8 string x "%-0.13s"
# original file size, as a 4-byte integer.
>>21 ulelong x \b, %u bytes
# compressed data like: ff5249464606ec00 ff4d5aa601010000
>>>25 ubequad x \b, data %#16.16llx...
0 name edi-pack
# Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1"
# original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe
# but not like \377Aloe.lzs\273 (HERBTEXT.LZS)
>8 string x EDI LZSS packed "%-.13s"
#!:mime application/octet-stream
!:mime application/x-edi-pack-lzss
# the name of a compressed file often ends in character '$' or '_'
!:ext ??$/?$
# compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c
>21 ubequad x \b, data %#16.16llx...
# URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib
# Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib"
0 name edi-lzs
# Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib"
# no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273
>8 string x EDI LZSSLib packed
#!:mime application/octet-stream
!:mime application/x-edi-pack-lzss
# The name of a compressed file ends with LZS suffix
!:ext lzs
# compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a
>8 ubequad x \b, data %#16.16llx...
# Summary: CAZIP compressed file
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/CAZIP
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/caz.trid.xml
# Note: Format is distinct from CAZIPXP compressed
0 string \x0D\x0A\x1ACAZIP CAZIP compressed file
#!:mime application/octet-stream
!:mime application/x-compress-cazip
# like: BLINKER.WR_ CLIPDEFS._ CAOSETUP.EX_ CLIPPER.EX_ FILEIO.C_
!:ext ??_/?_/_
# Summary: FTCOMP compressed archive
# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/FTCOMP
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ftcomp.trid.xml
# Note: called by TrID "FTCOMP compressed archive"
# extracted by `unpack seahelp.hl_`
24 string/b FTCOMP FTCOMP compressed archive
#!:mime application/octet-stream
!:mime application/x-compress-ftcomp
!:ext ??_/??@/dll/drv/pk2/
# probably A596FDFF magic at the beginning
>0 ubelong !0xA596FDFF \b, at beginning %#x
# probably original file name with directory like: \OS2\unpack.exe \SYSTEM\8514.DRV MAHJONGG.EXE
>41 string x "%s"
# MP3 (archiver, not lossy audio compression)
0 string MP3\x1a MP3-Archiver archive data
# ZET
0 string OZ\xc3\x9d ZET archive data
# TSComp
0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
# ARQ
0 string gW\4\1 ARQ archive data
# Squash
3 string OctSqu Squash archive data
# Terse
0 string \5\1\1\0 Terse archive data
# UHarc
0 string UHA UHarc archive data
# ABComp
0 string \2AB ABComp archive data
0 string \3AB2 ABComp archive data
# CMP
0 string CO\0 CMP archive data
# Splint
0 string \x93\xb9\x06 Splint archive data
# InstallShield
0 string \x13\x5d\x65\x8c InstallShield Z archive Data
# Gather
1 string GTH Gather archive data
# BOA
0 string BOA BOA archive data
# RAX
0 string ULEB\xa RAX archive data
# Xtreme
0 string ULEB\0 Xtreme archive data
# Pack Magic
0 string @\xc3\xa2\1\0 Pack Magic archive data
# BTS
0 belong&0xfeffffff 0x1a034465 BTS archive data
# ELI 5750
0 string Ora\ ELI 5750 archive data
# QFC
0 string \x1aFC\x1a QFC archive data
0 string \x1aQF\x1a QFC archive data
# PRO-PACK https://www.segaretro.org/Rob_Northen_compression
0 string RNC
>3 byte 1 PRO-PACK archive data (compression 1)
>3 byte 2 PRO-PACK archive data (compression 2)
# 777
0 string 777 777 archive data
# LZS221
0 string sTaC LZS221 archive data
# HPA
0 string HPA HPA archive data
# Arhangel
0 string LG Arhangel archive data
# EXP1, uses bzip2
0 string 0123456789012345BZh EXP1 archive data
# IMP
0 string IMP\xa IMP archive data
# NRV
0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
# Squish
0 string \x73\xb2\x90\xf4 Squish archive data
# Par
0 string PHILIPP Par archive data
0 string PAR Par archive data
# HIT
0 string UB HIT archive data
# SBX
0 belong&0xfffff000 0x53423000 SBX archive data
# NaShrink
0 string NSK NaShrink archive data
# SAPCAR
0 string #\ CAR\ archive\ header SAPCAR archive data
0 string CAR\ 2.00 SAPCAR archive data
0 string CAR\ 2.01 SAPCAR archive data
#!:mime application/octet-stream
!:mime application/vnd.sar
!:ext sar
# Disintegrator
0 string DST Disintegrator archive data
# ASD
0 string ASD ASD archive data
# InstallShield CAB
# Update: Joerg Jenderek at Nov 2021
# URL: https://en.wikipedia.org/wiki/InstallShield
# Reference: https://github.com/twogood/unshield/blob/master/lib/cabfile.h
# Note: Not compatible with Microsoft CAB files
# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield.trid.xml
# CAB_SIGNATURE 0x28635349
0 string ISc( InstallShield
#!:mime application/octet-stream
!:mime application/x-installshield
# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield-hdr.trid.xml
>16 ulelong !0 setup header
# like: _SYS1.HDR _USER1.HDR data1.hdr
!:ext hdr
>16 ulelong =0 CAB
# like: _SYS1.CAB _USER1.CAB DATA1.CAB data2.cab
!:ext cab
# https://github.com/twogood/unshield/blob/master/lib/helper.c
# version like: 0x1005201 0x100600c 0x1007000 0x1009500
# 0x2000578 0x20005dc 0x2000640 0x40007d0 0x4000834
>4 ulelong x \b, version %#x
# volume_info like: 0
>8 ulelong !0 \b, volume_info %#x
# cab_descriptor_offset like: 0x200
>12 ulelong !0x200 \b, offset %#x
#>0x200 ubequad x \b, at 0x200 %#16.16llx
# cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2
>16 ulelong !0 \b, descriptor size %#x
# TOP4
0 string T4\x1a TOP4 archive data
# BatComp left out: sig looks like COM executable
# so TODO: get real 4dos batcomp file and find sig
# BlakHole
0 string BH\5\7 BlakHole archive data
# BIX
0 string BIX0 BIX archive data
# ChiefLZA
0 string ChfLZ ChiefLZA archive data
# Blink
0 string Blink Blink archive data
# Logitech Compress
0 string \xda\xfa Logitech Compress archive data
# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
1 string (C)\ STEPANYUK ARS-Sfx archive data
# AKT/AKT32
0 string AKT32 AKT32 archive data
0 string AKT AKT archive data
# NPack
0 string MSTSM NPack archive data
# PFT
0 string \0\x50\0\x14 PFT archive data
# SemOne
0 string SEM SemOne archive data
# PPMD
0 string \x8f\xaf\xac\x84 PPMD archive data
# FIZ
0 string FIZ FIZ archive data
# MSXiE
0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
# DeepFreezer
0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
# DC
0 string =<DC- DC archive data
# TPac
0 string \4TPAC\3 TPac archive data
# Ai
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver
0 string Ai\1\1\0 Ai archive data
#!:mime application/octet-stream
!:mime application/x-compress-ai
!:ext ai
0 string Ai\1\0\0 Ai archive data
#!:mime application/octet-stream
!:mime application/x-compress-ai
!:ext ai
# Ai32
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml
# Note: called "Ai Archivator compressed archive" by TrID
0 string Ai\2\0 Ai32 archive data
#!:mime application/octet-stream
!:mime application/x-compress-ai
!:ext ai
# original file name
>8 pstring/h x "%s"
# according to TrID the next 3 bytes are nil
>5 ubyte !0 \b, at 5 %#x
>6 ubyte !0 \b, at 6 %#x
>7 ubyte !0 \b, at 7 %#x
# the fourth byte with value 0 is probably a flag for "non solid" mode
#>3 ubyte =0x00 \b, unsolid mode
0 string Ai\2\1 Ai32 archive data
#!:mime application/octet-stream
!:mime application/x-compress-ai
!:ext ai
# original file name
>8 pstring/h x "%s"
# the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default
>3 ubyte =0x01 \b, solid mode
# SBC
0 string SBC SBC archive data
# Ybs
0 string YBS Ybs archive data
# DitPack
0 string \x9e\0\0 DitPack archive data
# DMS
0 string DMS! DMS archive data
# EPC
0 string \x8f\xaf\xac\x8c EPC archive data
# VSARC
0 string VS\x1a VSARC archive data
# PDZ
0 string PDZ PDZ archive data
# ReDuq
0 string rdqx ReDuq archive data
# GCA
0 string GCAX GCA archive data
# PPMN
0 string pN PPMN archive data
# WinImage
3 string WINIMAGE WinImage archive data
# Compressia
0 string CMP0CMP Compressia archive data
# UHBC
0 string UHB UHBC archive data
# WinHKI
0 string \x61\x5C\x04\x05 WinHKI archive data
# WWPack data file
0 string WWP WWPack archive data
# BSN (BSA, PTS-DOS)
0 string \xffBSG BSN archive data
1 string \xffBSG BSN archive data
3 string \xffBSG BSN archive data
1 string \0\xae\2 BSN archive data
1 string \0\xae\3 BSN archive data
1 string \0\xae\7 BSN archive data
# AIN
0 string \x33\x18 AIN archive data
0 string \x33\x17 AIN archive data
# XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
# SZip (TODO: doesn't catch all versions)
0 string SZ\x0a\4 SZip archive data
# XPack DiskImage
# *.XDI updated by Joerg Jenderek Sep 2015
# ftp://ftp.sac.sk/pub/sac/pack/0index.txt
# GRR: this test is still too general as it catches also text files starting with jm
0 string jm
# only found examples with this additional characteristic 2 bytes
>2 string \x2\x4 Xpack DiskImage archive data
#!:ext xdi
# XPack Data
# *.xpa updated by Joerg Jenderek Sep 2015
# ftp://ftp.elf.stuba.sk/pub/pc/pack/
0 string xpa XPA
!:ext xpa
# XPA32
# ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
# created by XPA32.EXE version 1.0.2 for Windows
>0 string xpa\0\1 \b32 archive data
# created by XPACK.COM version 1.67m or 1.67r with short 0x1800
>3 ubeshort !0x0001 \bck archive data
# XPack Single Data
# changed by Joerg Jenderek Sep 2015 back to like in version 5.12
# letter 'I'+ acute accent is equivalent to \xcd
0 string \xcd\ jm Xpack single archive data
#!:mime application/x-xpa-compressed
!:ext xpa
# TODO: missing due to unknown magic/magic at end of file:
#DWC
#ARG
#ZAR
#PC/3270
#InstallIt
#RKive
#RK
#XPack Diskimage
# These were inspired by idarc, but actually verified
# Dzip archiver (.dz)
# Update: Joerg Jenderek
# URL: http://speeddemosarchive.com/dzip/
# reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c
# GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt
0 string DZ
# latest version is 2.9 dated 7 may 2003
>2 byte <4 Dzip archive data
!:mime application/x-dzip
!:ext dz
>>2 byte x \b, version %i
>>3 byte x \b.%i
>>4 ulelong x \b, offset %#x
>>8 ulelong x \b, %u files
# ZZip archiver (.zz)
0 string ZZ\ \0\0 ZZip archive data
0 string ZZ0 ZZip archive data
# PAQ archiver (.paq)
0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
0 string PAQ PAQ archive data
>3 byte&0xf0 0x30
>>3 byte x (v%c)
# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/JAR_(ARJ_Software)
# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jar.trid.xml
# https://www.sac.sk/download/pack/jar102x.exe/TECHNOTE.DOC
# Note: called "JAR compressed archive" by TrID
0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
#!:mime application/octet-stream
!:mime application/x-compress-j
>0 ulelong x \b, CRC32 %#x
# standard suffix is ".j"; for multi volumes following order j01 j02 ... j99 100 ... 990
!:ext j/j01/j02
# URL: http://fileformats.archiveteam.org/wiki/JARCS
# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jarcs.trid.xml
# Note: called "JARCS compressed archive" by TrID
0 string JARCS JAR (ARJ Software, Inc.) archive data
#!:mime application/octet-stream
!:mime application/x-compress-jar
!:ext jar
# ARJ archiver (jason@jarthur.Claremont.EDU)
# URL: http://fileformats.archiveteam.org/wiki/ARJ
# reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-arj.trid.xml
# https://github.com/FarGroup/FarManager/
# blob/master/plugins/multiarc/arc.doc/arj.txt
# Note: called "ARJ compressed archive" by TrID and
# "ARJ File Format" by DROID via PUID fmt/610
# verified by `7z l -tarj PHRACK1.ARJ` and
# `arj.exe l TEST-hk9.ARJ`
0 leshort 0xea60
# skip DROID fmt-610-signature-id-946.arj by check for valid file type of main header
>0xA ubyte 2
>>0 use arj-archive
0 name arj-archive
>0 leshort x ARJ archive
!:mime application/x-arj
# look for terminating 0-character of filename
>0x26 search/1024 \0
# file name extension is normally .arj but not for parts of multi volume
#>>&-5 string x extension %.4s
>>&-5 string/c .arj data
!:ext arj
>>&-5 default x
# for multi volume first name is archive.arj then following parts archive.a01 archive.a02 ...
>>>8 byte &0x04 data
!:ext a01/a02
# for SFX first name is archive.exe then following parts archive.e01 archive.e02 ...
>>>8 byte ^0x04 data, SFX multi-volume
!:ext e01/e02
# basic header size like: 0x002b 0x002c 0x04e0 0x04e3 0x04e7
#>2 uleshort x basic header size %#4.4x
# next fragment content like: 0x0a200a003a8fc713 0x524a000010bb3471 0x524a0000c73c70f9
#>(2.s) ubequad x NEXT FRAGMENT CONTENT %#16.16llx
# first_hdr_size; seems to be same as basic header size
#>2 uleshort x 1st header size %#x
# archiver version number like: 3 4 6 11 102
>5 byte x \b, v%d
# minimum archiver version to extract like: 1
>6 ubyte !1 \b, minimum %u to extract
# FOR DEBUGGING
#>8 byte x \b, FLAGS %#x
# GARBLED_FLAG1; garble with password; g switch
>8 byte &0x01 \b, password-protected
# encryption version: 0~old 1~old 2~new 3~reserved 4~40 bit key GOST
>>0x20 ubyte x (v%u)
#>8 byte &0x02 \b, secured
# ANSIPAGE_FLAG; indicates ANSI codepage used by ARJ32; hy switch
>8 byte &0x02 \b, ANSI codepage
# VOLUME_FLAG indicates presence of succeeding volume; but apparently not for SFX
>8 byte &0x04 \b, multi-volume
#>8 byte &0x08 \b, file-offset
# ARJPROT_FLAG; build with data protection record; hk switch
>8 byte &0x08 \b, recoverable
# arj protection factor; maximal 10; switch hky -> factor=y+1
>>0x22 byte x (factor %u)
>8 byte &0x10 \b, slash-switched
# BACKUP_FLAG; obsolete
>8 byte &0x20 \b, backup
# SECURED_FLAG;
>8 byte &0x40 \b, secured,
# ALTNAME_FLAG; indicates dual-name archive
>8 byte &0x80 \b, dual-name
# security version; 0~old 2~current
>9 ubyte !0
>>9 ubyte !2 \b, security version %u
# file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel
>0xA ubyte !2 \b, file type %u
# date+time when original archive was created in MS-DOS format via ./msdos
>0xC ulelong x \b, created
>0xC use dos-date
# or date and time by new internal function
#>0xE lemsdosdate x %s
#>0xC lemsdostime x %s
# FOR DEBUGGING
#>0x12 uleshort x RAW DATE %#4.4x
#>0x10 uleshort x RAW TIME %#4.4x
# date+time when archive was last modified; sometimes nil or
# maybe wrong like in HP4DRVR.ARJ
#>0x10 ulelong >0 \b, modified
#>>0x10 use dos-date
# or date and time by new internal function
#>>0x12 lemsdosdate x %s
#>>0x10 lemsdostime x %s
# archive size (currently used only for secured archives); MAYBE?
#>0x14 ulelong !0 \b, file size %u
# security envelope file position; MAYBE?
#>0x18 ulelong !0 \b, at %#x security envelope
# filespec position in filename; WHAT IS THAT?
#>0x1C uleshort >0 \b, filespec position %#x
# length in bytes of security envelope data like: 2CAh 301h 364h 471h
>0x1E uleshort !0 \b, security envelope length %#x
# last chapter like: 0 1
>0x21 ubyte !0 \b, last chapter %u
# filename (null-terminated string); sometimes at 0x26 when 4 bytes for extra data
>34 byte x \b, original name:
# with extras data
>34 byte <0x0B
>>38 string x %s
# without extras data
>34 byte >0x0A
>>34 string x %s
# host OS: 0~MSDOS ... 11~WIN32
>7 byte 0 \b, os: MS-DOS
>7 byte 1 \b, os: PRIMOS
>7 byte 2 \b, os: Unix
>7 byte 3 \b, os: Amiga
>7 byte 4 \b, os: Macintosh
>7 byte 5 \b, os: OS/2
>7 byte 6 \b, os: Apple ][ GS
>7 byte 7 \b, os: Atari ST
>7 byte 8 \b, os: NeXT
>7 byte 9 \b, os: VAX/VMS
>7 byte 10 \b, os: WIN95
>7 byte 11 \b, os: WIN32
# [JW] idarc says this is also possible
2 leshort 0xea60 ARJ archive data
#2 leshort 0xea60
#>2 use arj-archive
# HA archiver (Greg Roelofs, newt@uchicago.edu)
# This is a really bad format. A file containing HAWAII will match this...
#0 string HA HA archive data,
#>2 leshort =1 1 file,
#>2 leshort >1 %hu files,
#>4 byte&0x0f =0 first is type CPY
#>4 byte&0x0f =1 first is type ASC
#>4 byte&0x0f =2 first is type HSC
#>4 byte&0x0f =0x0e first is type DIR
#>4 byte&0x0f =0x0f first is type SPECIAL
# suggestion: at least identify small archives (<1024 files)
0 belong&0xffff00fc 0x48410000 HA archive data
>2 leshort =1 1 file,
>2 leshort >1 %u files,
>4 byte&0x0f =0 first is type CPY
>4 byte&0x0f =1 first is type ASC
>4 byte&0x0f =2 first is type HSC
>4 byte&0x0f =0x0e first is type DIR
>4 byte&0x0f =0x0f first is type SPECIAL
# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0 string \351,\001JAM\ JAM archive,
>7 string >\0 version %.4s
>0x26 byte =0x27 -
>>0x2b string >\0 label %.11s,
>>0x27 lelong x serial %08x,
>>0x36 string >\0 fstype %.8s
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
# Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
#
# check and display information of lharc (LHa,PMarc) file
0 name lharc-file
# check 1st character of method id like -lz4- -lh5- or -pm2-
>2 string -
# check 5th character of method id
>>6 string -
# check header level 0 1 2 3
>>>20 ubyte <4
# check 2nd, 3th and 4th character of method id
>>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
!:mime application/x-lzh-compressed
# creator type "LHA "
!:apple ????LHA
# display archive type name like "LHa/LZS archive data" or "LArc archive"
>>>>>2 string -lz \b
!:ext lzs
# already known -lzs- -lz4- -lz5- with old names
>>>>>>2 string -lzs LHa/LZS archive data
>>>>>>3 regex \^lz[45] LHarc 1.x archive data
# missing -lz?- with wikipedia names
>>>>>>3 regex \^lz[2378] LArc archive
# display archive type name like "LHa (2.x) archive data"
>>>>>2 string -lh \b
# already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
>>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
# LHice archiver use ".ICE" as name extension instead usual one ".lzh"
# FOOBAR archiver use ".foo" as name extension instead usual one
# "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment
>>>>>>>2 string -lh1 \b
!:ext lha/lzh/ice
>>>>>>3 regex \^lh[23d] LHa 2.x? archive data
>>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
>>>>>>3 regex \^lh[456] LHa (2.x) archive data
>>>>>>>2 string -lh5 \b
# https://en.wikipedia.org/wiki/BIOS
# Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like
# bios.rom , kd7_v14.bin, 1010.004, ...
!:ext lha/lzh/rom/bin
# missing -lh?- variants (Joe Jared)
>>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
# UNLHA32 2.67a
>>>>>>2 string -lhx LHa (UNLHA32) archive
# lha archives with standard file name extensions ".lha" ".lzh"
>>>>>>3 regex !\^(lh1|lh5) \b
!:ext lha/lzh
# this should not happen if all -lh variants are described
>>>>>>2 default x LHa (unknown) archive
#!:ext lha
# PMarc
>>>>>3 regex \^pm[012] PMarc archive data
!:ext pma
# append method id without leading and trailing minus character
>>>>>3 string x [%3.3s]
>>>>>>0 use lharc-header
#
# check and display information of lharc header
0 name lharc-header
# header size 0x4 , 0x1b-0x61
>0 ubyte x
# compressed data size != compressed file size
#>7 ulelong x \b, data size %d
# attribute: 0x2~?? 0x10~symlink|target 0x20~normal
#>19 ubyte x \b, 19_%#x
# level identifier 0 1 2 3
#>20 ubyte x \b, level %d
# time stamp
#>15 ubelong x DATE %#8.8x
# OS ID for level 1
>20 ubyte 1
# 0x20 types find for *.rom files
>>(21.b+24) ubyte <0x21 \b, %#x OS
# ascii type like M for MSDOS
>>(21.b+24) ubyte >0x20 \b, '%c' OS
# OS ID for level 2
>20 ubyte 2
#>>23 ubyte x \b, OS ID %#x
>>23 ubyte <0x21 \b, %#x OS
>>23 ubyte >0x20 \b, '%c' OS
# filename only for level 0 and 1
>20 ubyte <2
# length of filename
>>21 ubyte >0 \b, with
# filename
>>>21 pstring x "%s"
#
#2 string -lh0- LHarc 1.x/ARX archive data [lh0]
#!:mime application/x-lharc
2 string -lh0-
>0 use lharc-file
#2 string -lh1- LHarc 1.x/ARX archive data [lh1]
#!:mime application/x-lharc
2 string -lh1-
>0 use lharc-file
# NEW -lz2- ... -lz8-
2 string -lz2-
>0 use lharc-file
2 string -lz3-
>0 use lharc-file
2 string -lz4-
>0 use lharc-file
2 string -lz5-
>0 use lharc-file
2 string -lz7-
>0 use lharc-file
2 string -lz8-
>0 use lharc-file
# [never seen any but the last; -lh4- reported in comp.compression:]
#2 string -lzs- LHa/LZS archive data [lzs]
2 string -lzs-
>0 use lharc-file
# According to wikipedia and others such a version does not exist
#2 string -lh\40- LHa 2.x? archive data [lh ]
#2 string -lhd- LHa 2.x? archive data [lhd]
2 string -lhd-
>0 use lharc-file
#2 string -lh2- LHa 2.x? archive data [lh2]
2 string -lh2-
>0 use lharc-file
#2 string -lh3- LHa 2.x? archive data [lh3]
2 string -lh3-
>0 use lharc-file
#2 string -lh4- LHa (2.x) archive data [lh4]
2 string -lh4-
>0 use lharc-file
#2 string -lh5- LHa (2.x) archive data [lh5]
2 string -lh5-
>0 use lharc-file
#2 string -lh6- LHa (2.x) archive data [lh6]
2 string -lh6-
>0 use lharc-file
#2 string -lh7- LHa (2.x)/LHark archive data [lh7]
2 string -lh7-
# !:mime application/x-lha
# >20 byte x - header level %d
>0 use lharc-file
# NEW -lh8- ... -lhe- , -lhx-
2 string -lh8-
>0 use lharc-file
2 string -lh9-
>0 use lharc-file
2 string -lha-
>0 use lharc-file
2 string -lhb-
>0 use lharc-file
2 string -lhc-
>0 use lharc-file
2 string -lhe-
>0 use lharc-file
2 string -lhx-
>0 use lharc-file
# taken from idarc [JW]
2 string -lZ PUT archive data
# already done by LHarc magics
# this should never happen if all sub types of LZS archive are identified
#2 string -lz LZS archive data
2 string -sw1- Swag archive data
0 name rar-file-header
>24 byte 15 \b, v1.5
>24 byte 20 \b, v2.0
>24 byte 29 \b, v4
>15 byte 0 \b, os: MS-DOS
>15 byte 1 \b, os: OS/2
>15 byte 2 \b, os: Win32
>15 byte 3 \b, os: Unix
>15 byte 4 \b, os: Mac OS
>15 byte 5 \b, os: BeOS
0 name rar-archive-header
>3 leshort&0x1ff >0 \b, flags:
>>3 leshort &0x01 ArchiveVolume
>>3 leshort &0x02 Commented
>>3 leshort &0x04 Locked
>>3 leshort &0x10 NewVolumeNaming
>>3 leshort &0x08 Solid
>>3 leshort &0x20 Authenticated
>>3 leshort &0x40 RecoveryRecordPresent
>>3 leshort &0x80 EncryptedBlockHeader
>>3 leshort &0x100 FirstVolume
# RAR (Roshal Archive) archive
0 string Rar!\x1a\7\0 RAR archive data
!:mime application/x-rar
!:ext rar/cbr
# file header
>(0xc.l+9) byte 0x74
>>(0xc.l+7) use rar-file-header
# subblock seems to share information with file header
>(0xc.l+9) byte 0x7a
>>(0xc.l+7) use rar-file-header
>9 byte 0x73
>>7 use rar-archive-header
0 string Rar!\x1a\7\1\0 RAR archive data, v5
!:mime application/x-rar
!:ext rar
# Very old RAR archive
# https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
0 string RE\x7e\x5e RAR archive data (<v1.5)
!:mime application/x-rar
!:ext rar/cbr
# SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
0 string SQSH squished archive data (Acorn RISCOS)
# UC2 archiver (Greg Roelofs, newt@uchicago.edu)
# [JW] see exe section for self-extracting version
0 string UC2\x1a UC2 archive data
# PKZIP multi-volume archive
0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
!:mime application/zip
!:ext zip/cbz
# Android APK file (Zip archive)
0 string PK\003\004
!:strength +1
# Starts with AndroidManifest.xml (file name length = 19)
>26 uleshort 19
>>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml
!:mime application/vnd.android.package-archive
!:ext apk
>>>-22 string PK\005\006
>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
# Starts with META-INF/com/android/build/gradle/app-metadata.properties
>26 uleshort 57
>>30 string META-INF/com/android/build/gradle/
>>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties
!:mime application/vnd.android.package-archive
!:ext apk
>>>>-22 string PK\005\006
>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
# Starts with classes.dex (file name length = 11)
>26 uleshort 11
>>30 string classes.dex Android package (APK), with classes.dex
!:mime application/vnd.android.package-archive
!:ext apk
>>>-22 string PK\005\006
>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
# Starts with META-INF/MANIFEST.MF (file name length = 20)
# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files
>26 uleshort 20
>>30 string META-INF/MANIFEST.MF
# Contains resources.arsc (near the end, in the central directory)
>>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc
!:mime application/vnd.android.package-archive
!:ext apk
>>>>-22 string PK\005\006
>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
>>>-512 default x
# Contains classes.dex (near the end, in the central directory)
>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex
!:mime application/vnd.android.package-archive
!:ext apk
>>>>>-22 string PK\005\006
>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
>>>>-512 default x
# Contains lib/armeabi (near the end, in the central directory)
>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib
!:mime application/vnd.android.package-archive
!:ext apk
>>>>>>-22 string PK\005\006
>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
>>>>>-512 default x
# Contains drawables (near the end, in the central directory)
>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables
!:mime application/vnd.android.package-archive
!:ext apk
>>>>>>>-22 string PK\005\006
>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
# It may or may not be an APK file, but it's definitely a Java JAR file
>>>>>>-512 default x Java archive data (JAR)
!:mime application/java-archive
!:ext jar
# Starts with zipflinger virtual entry (28 + 104 = 132 bytes)
# See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230
>4 string \x00\x00\x00\x00\x00\x00
>>&0 string \x21\x08\x21\x02
>>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
>>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry
!:mime application/vnd.android.package-archive
!:ext apk
>>>>>-22 string PK\005\006
>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
# APK Signing Block
>0 default x
>>-22 string PK\005\006
>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block
!:mime application/vnd.android.package-archive
!:ext apk
# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0 string PK\005\006 Zip archive data (empty)
!:mime application/zip
!:ext zip/cbz
!:strength +1
0 string PK\003\004
!:strength +1
# Specialised zip formats which start with a member named 'mimetype'
# (stored uncompressed, with no 'extra field') containing the file's MIME type.
# Check for have 8-byte name, 0-byte extra field, name "mimetype", and
# contents starting with "application/":
>26 string \x8\0\0\0mimetypeapplication/
# KOffice / OpenOffice & StarOffice / OpenDocument formats
# From: Abel Cheung <abel@oaka.org>
# KOffice (1.2 or above) formats
# (mimetype contains "application/vnd.kde.<SUBTYPE>")
>>50 string vnd.kde. KOffice (>=1.2)
>>>58 string karbon Karbon document
>>>58 string kchart KChart document
>>>58 string kformula KFormula document
>>>58 string kivio Kivio document
>>>58 string kontour Kontour document
>>>58 string kpresenter KPresenter document
>>>58 string kspread KSpread document
>>>58 string kword KWord document
# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
# (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
# URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML
# reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML
>>50 string vnd.sun.xml. OpenOffice.org 1.x
>>>62 string writer Writer
>>>>68 byte !0x2e document
!:mime application/vnd.sun.xml.writer
!:ext sxw
>>>>68 string .template template
!:mime application/vnd.sun.xml.writer.template
!:ext stw
>>>>68 string .web Web template
!:mime application/vnd.sun.xml.writer.web
!:ext stw
>>>>68 string .global global document
!:mime application/vnd.sun.xml.writer.global
!:ext sxg
>>>62 string calc Calc
>>>>66 byte !0x2e spreadsheet
!:mime application/vnd.sun.xml.calc
!:ext sxc
>>>>66 string .template template
!:mime application/vnd.sun.xml.calc.template
!:ext stc
>>>62 string draw Draw
>>>>66 byte !0x2e document
!:mime application/vnd.sun.xml.draw
!:ext sxd
>>>>66 string .template template
!:mime application/vnd.sun.xml.draw.template
!:ext std
>>>62 string impress Impress
>>>>69 byte !0x2e presentation
!:mime application/vnd.sun.xml.impress
!:ext sxi
>>>>69 string .template template
!:mime application/vnd.sun.xml.impress.template
!:ext sti
>>>62 string math Math document
!:mime application/vnd.sun.xml.math
!:ext sxm
>>>62 string base Database file
!:mime application/vnd.sun.xml.base
!:ext sdb
# URL: https://wiki.openoffice.org/wiki/Documentation/DevGuide/Extensions/File_Format
# From: Joerg Jenderek
# Note: only few OXT samples are detected here by mimetype member
# is used by OpenOffice and LibreOffice and probably also NeoOffice
# verified by `unzip -Zv *.oxt` or `7z l -slt *.oxt`
>>50 string vnd.openofficeorg. OpenOffice
>>>68 string extension \b/LibreOffice Extension
# http://extension.nirsoft.net/oxt
!:mime application/vnd.openofficeorg.extension
# like: Gallery-Puzzle.2.1.0.1.oxt
!:ext oxt
# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
# URL: http://fileformats.archiveteam.org/wiki/OpenDocument
# https://lists.oasis-open.org/archives/office/200505/msg00006.html
# (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
>>50 string vnd.oasis.opendocument. OpenDocument
>>>73 string text
>>>>77 byte !0x2d Text
!:mime application/vnd.oasis.opendocument.text
!:ext odt
>>>>77 string -template Text Template
!:mime application/vnd.oasis.opendocument.text-template
!:ext ott
>>>>77 string -web HTML Document Template
!:mime application/vnd.oasis.opendocument.text-web
!:ext oth
>>>>77 string -master
>>>>>84 byte !0x2d Master Document
!:mime application/vnd.oasis.opendocument.text-master
!:ext odm
>>>>>84 string -template Master Template
!:mime application/vnd.oasis.opendocument.text-master-template
!:ext otm
>>>73 string graphics
>>>>81 byte !0x2d Drawing
!:mime application/vnd.oasis.opendocument.graphics
!:ext odg
>>>>81 string -template Drawing Template
!:mime application/vnd.oasis.opendocument.graphics-template
!:ext otg
>>>73 string presentation
>>>>85 byte !0x2d Presentation
!:mime application/vnd.oasis.opendocument.presentation
!:ext odp
>>>>85 string -template Presentation Template
!:mime application/vnd.oasis.opendocument.presentation-template
!:ext otp
>>>73 string spreadsheet
>>>>84 byte !0x2d Spreadsheet
!:mime application/vnd.oasis.opendocument.spreadsheet
!:ext ods
>>>>84 string -template Spreadsheet Template
!:mime application/vnd.oasis.opendocument.spreadsheet-template
!:ext ots
>>>73 string chart
>>>>78 byte !0x2d Chart
!:mime application/vnd.oasis.opendocument.chart
!:ext odc
>>>>78 string -template Chart Template
!:mime application/vnd.oasis.opendocument.chart-template
!:ext otc
>>>73 string formula
>>>>80 byte !0x2d Formula
!:mime application/vnd.oasis.opendocument.formula
!:ext odf
>>>>80 string -template Formula Template
!:mime application/vnd.oasis.opendocument.formula-template
!:ext otf
# https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml
>>>73 string database Database
!:mime application/vnd.oasis.opendocument.database
!:ext odb
# Valid for LibreOffice Base 6.0.1.1 at least
>>>73 string base Database
# https://bugs.documentfoundation.org/show_bug.cgi?id=45854
!:mime application/vnd.oasis.opendocument.base
!:ext odb
>>>73 string image
>>>>78 byte !0x2d Image
!:mime application/vnd.oasis.opendocument.image
!:ext odi
>>>>78 string -template Image Template
!:mime application/vnd.oasis.opendocument.image-template
!:ext oti
# EPUB (OEBPS) books using OCF (OEBPS Container Format)
# https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
# From: Ralf Brown <ralf.brown@gmail.com>
>>50 string epub+zip EPUB document
!:mime application/epub+zip
# From: Hajin Jang <jb6804@naver.com>
# hwpx (OWPML) document format follows OCF specification.
# Hangul Word Processor 2010+ supports HWPX format.
# URL: https://www.hancom.com/etc/hwpDownload.do
# https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101
# https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331
>>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX
!:mime application/x-hwp+zip
!:ext hwpx
# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/CorelDRAW
# NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based
>>50 string x-vnd.corel. Corel
>>>62 string draw.document+zip Draw drawing, version 14-16
!:mime application/x-vnd.corel.draw.document+zip
!:ext cdr
>>>62 string draw.template+zip Draw template, version 14-16
!:mime application/x-vnd.corel.draw.template+zip
!:ext cdrt
>>>62 string zcf.draw.document+zip Draw drawing, version 17-22
!:mime application/x-vnd.corel.zcf.draw.document+zip
!:ext cdr
>>>62 string zcf.draw.template+zip Draw template, version 17-22
!:mime application/x-vnd.corel.zcf.draw.template+zip
!:ext cdt/cdrt
# URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html
>>>62 string zcf.pattern+zip Draw pattern, version 22
!:mime application/x-vnd.corel.zcf.pattern+zip
!:ext pat
# URL: https://en.wikipedia.org/wiki/Corel_Designer
# Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer
# Note: called by TrID "Corel DESIGN graphics"
>>>62 string designer.document+zip DESIGNER graphics, version 14-16
!:mime application/x-vnd.corel.designer.document+zip
!:ext des
>>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21
!:mime application/x-vnd.corel.zcf.designer.document+zip
!:ext des
# URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/
# CorelDRAW-Corel-Symbol-Library-CSL.html
>>>62 string symbol.library+zip Symbol Library, version 6-16.3
!:mime application/x-vnd.corel.symbol.library+zip
!:ext csl
>>>62 string zcf.symbol.library+zip Symbol Library, version 17-22
!:mime application/x-vnd.corel.zcf.symbol.library+zip
!:ext csl
# Catch other ZIP-with-mimetype formats
# In a ZIP file, the bytes immediately after a member's contents are
# always "PK". The 2 regex rules here print the "mimetype" member's
# contents up to the first 'P'. Luckily, most MIME types don't contain
# any capital 'P's. This is a kludge.
# (mimetype contains "application/<OTHER>")
>>50 default x Zip data
>>>38 regex [!-OQ-~]+ (MIME type "%s"?)
!:mime application/zip
# (mimetype contents other than "application/*")
>26 string \x8\0\0\0mimetype
>>38 string !application/
>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
!:mime application/zip
# Java Jar files (see also APK files above)
>(26.s+30) leshort 0xcafe Java archive data (JAR)
!:mime application/java-archive
!:ext jar
# iOS App
>(26.s+30) leshort !0xcafe
>>26 string !\x8\0\0\0mimetype
>>>30 string Payload/
>>>>38 search/64 .app/ iOS App
!:mime application/x-ios-app
# Dup, see above.
#>30 search/100/b application/epub+zip EPUB document
#!:mime application/epub+zip
# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
# Next line excludes specialized formats:
>(26.s+30) leshort !0xcafe
>>30 search/100/b !application/epub+zip
>>>26 string !\x8\0\0\0mimetype Zip archive data
!:mime application/zip
>>>>4 beshort x \b, at least
>>>>4 use zipversion
>>>>4 beshort x to extract
>>>>8 beshort x \b, compression method=
>>>>8 use zipcompression
>>>>0x161 string WINZIP \b, WinZIP self-extracting
# StarView Metafile
# From Pierre Ducroquet <pinaraf@pinaraf.info>
0 string VCLMTF StarView MetaFile
>6 beshort x \b, version %d
>8 belong x \b, size %d
# Zoo archiver
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Zoo_(file_format)
# http://fileformats.archiveteam.org/wiki/Zoo
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml
# http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h
# Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269
# verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO`
20 lelong 0xfdc4a7dc
# skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive
>32 byte >0 Zoo archive data
!:mime application/x-zoo
# bak is extension of backup-ed zoo
!:ext zoo/bak
# version in text form like: 1.50 2.00 2.10
>>4 byte >48 \b, v%c.
>>>6 byte >47 \b%c
>>>>7 byte >47 \b%c
# ZOO files typically start with "ZOO ?.?? Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything
>>8 string !\040Archive.\032 \b, at 8
>>>8 string x text "%0.10s"
# major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0
>>32 byte >0 \b, modify: v%d
>>>33 byte x \b.%d+
# major_ver.minor_ver; minimum version needed to extract after modify like in old versions
>>(24.l+28) ubyte x \b, extract: v%u
>>(24.l+29) ubyte x \b.%u+
# with zoo 2.00 additional fields have been added in the archive header
>>32 byte >1
# type; type of archive header like: 1 2
>>>34 ubyte !1 \b, header type %u
# acmt_pos; position of archive comment like: 6258 30599 61369 149501
>>>35 lelong >0 \b, at %d
# acmt_len; length of archive comment like: 258
>>>>39 uleshort x %u bytes comment
#>>>>(35.l) ubequad x COMMENT=%16.16llx
# 1st character of comment maybe is CarriageReturn (0x0d)
>>>>(35.l) ubyte <040
# 2nd character of comment maybe is LineFeed (0x0a)
>>>>>(35.l+1) ubyte <040
# comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by"
>>>>>>(35.l+2) string x %s
# next character of remaining comment maybe is CarriageReturn (0x0d)
>>>>>>>&0 ubyte <040
>>>>>>>>&0 ubyte <040
# 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload
>>>>>>>>>&0 string >037 %s
# vdata; archive-level versioning byte like: 1 3
>>>41 ubyte !1 \b, vdata %#x
# zoo_start; pointer to 1st entry header
>>24 lelong x \b; at %u
# zoo_minus; zoo_start -1 for consistency checking
#>>28 lelong x \b, zoo_minus %#x
# zoo_tag; tag for check
#>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x
# type; type of directory entry like: 1 2
>>(24.l+4) ubyte !2 type=%u
# packing_method; 0~no packing 1~normal LZW 2~lzh
>>(24.l+5) ubyte x method=
>>>(24.l+5) ubyte 0 \bnot-compressed
>>>(24.l+5) ubyte 1 \blzd
>>>(24.l+5) ubyte 2 \blzh
# next; position of next directory entry
>>(24.l+6) ulelong x \b, next entry at %u
# offset; position of file data for this entry
#>>(24.l+10) ulelong x \b, data at %u
# file_crc; CRC-16 of file data
>>(24.l+18) uleshort x \b, CRC %#4.4x
# comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO)
>>(24.l+32) lelong >0 \b, at %#x
# cmt_size; if not 0 for none then length of entry comment like: 46
>>>(24.l+36) uleshort >0 %u bytes comment
# entry comment itself like: "CGA .GL file showing menu input from keyboard"
>>>>(&-6.l) string x "%s"
# org_size; original size of file
>>(24.l+20) ulelong x \b, size %u
# size_now; compressed size of file
>>(24.l+24) ulelong x (%u compressed)
# major_ver.minor_ver; minimum version needed to extract already done
# deleted; will be 1 if deleted, 0 if not
>>(24.l+30) ubyte =1 \b, deleted
# struc; file structure if any; WHAT IS THAT?
>>(24.l+31) ubyte !0 \b, structured
# fname[13]; short/DOS file name like 12345678.012
>>(24.l+38) string x \b, %0.13s
# for directory entry type 2 with variable part
>>(24.l+4) ubyte =2
# var_dir_len; length of variable part of dir entry
>>>(24.l+51) uleshort >0
#>>>(24.l+51) uleshort >0 \b, variable part length %u
# namlen; length of long filename
#>>>>(24.l+56) ubyte x \b, namlen %u
# dirlen; length of directory name
#>>>>(24.l+57) ubyte x \b, dirlen %u
# if file length positive then show long file name
>>>>(24.l+56) ubyte >0
# lfname[256]; long file name \0-terminated
>>>>>(24.l+58) string x "%s"
# if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name
>>>>(24.l+57) ubyte >0
>>>>>(24.l+55) ubyte x
# dirname[256]; directory name \0-terminated
>>>>>>&(&0.b+2) string x in "%s"
# dir_crc; CRC of directory entry
#>>>(24.l+54) uleshort x \b, entry CRC %#4.4x
# tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC -107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC
>>>(24.l+53) byte !0x7f \b, time zone %d/4
# date; last mod file date in DOS format
>>>(24.l+14) lemsdosdate x \b, modified %s
# time; last mod file time in DOS format
>>>(24.l+16) lemsdostime x %s
# Shell archives
10 string #\ This\ is\ a\ shell\ archive shell archive text
!:mime application/octet-stream
#
# LBR. NB: May conflict with the questionable
# "binary Computer Graphics Metafile" format.
#
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
#
# PMA (CP/M derivative of LHA)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
#
#2 string -pm0- PMarc archive data [pm0]
2 string -pm0-
>0 use lharc-file
#2 string -pm1- PMarc archive data [pm1]
2 string -pm1-
>0 use lharc-file
#2 string -pm2- PMarc archive data [pm2]
2 string -pm2-
>0 use lharc-file
2 string -pms- PMarc SFX archive (CP/M, DOS)
#!:mime application/x-foobar-exec
!:ext com
5 string -pc1- PopCom compressed executable (CP/M)
#!:mime application/x-
#!:ext com
# From Rafael Laboissiere <rafael@laboissiere.net>
# The Project Revision Control System (see
# http://prcs.sourceforge.net) generates a packaged project
# file which is recognized by the following entry:
0 leshort 0xeb81 PRCS packaged project
# Microsoft cabinets
# by David Necas (Yeti) <yeti@physics.muni.cz>
#0 string MSCF\0\0\0\0 Microsoft cabinet file data,
#>25 byte x v%d
#>24 byte x \b.%d
# MPi: All CABs have version 1.3, so this is pointless.
# Better magic in debian-additions.
# GTKtalog catalogs
# by David Necas (Yeti) <yeti@physics.muni.cz>
4 string gtktalog\ GTKtalog catalog data,
>13 string 3 version 3
>>14 beshort 0x677a (gzipped)
>>14 beshort !0x677a (not gzipped)
>13 string >3 version %s
############################################################################
# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0 string PAR\0 PARity archive data
>48 leshort =0 - Index file
>48 leshort >0 - file number %d
# Felix von Leitner <felix-file@fefe.de>
0 string d8:announce BitTorrent file
!:mime application/x-bittorrent
!:ext torrent
# Durval Menezes, <jmgthbfile at durval dot com>
0 string d13:announce-list BitTorrent file
!:mime application/x-bittorrent
!:ext torrent
0 string d7:comment BitTorrent file
!:mime application/x-bittorrent
!:ext torrent
0 string d4:info BitTorrent file
!:mime application/x-bittorrent
!:ext torrent
# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
# URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver)
# Reference: http://info-coach.fr/atari/documents/_mydoc/FD_Image_File_Format.pdf
# http://mark0.net/download/triddefs_xml.7z/defs/m/msa.trid.xml
# Update: Joerg Jenderek
# Note: called by TrID "Atari MSA Disk Image" and verified by
# command like `deark -l -m msa -d2 PDATS578.msa` as " Atari ST floppy disk image"
# GRR: line below is too general as it matches setup.skin
0 beshort 0x0e0f
# skip foo setup.skin with unrealistic high number 52255 of sides by check for valid "low" value
>4 ubeshort <2 Atari MSA archive data
#!:mime application/octet-stream
!:mime application/x-atari-msa
!:ext msa
# sectors per track like: 9 10
>>2 beshort x \b, %d sectors per track
# sides (0 or 1; add 1 to this to get correct number of sides)
>>4 beshort 0 \b, 1 sided
>>4 beshort 1 \b, 2 sided
# starting track like: 0
>>6 beshort x \b, starting track: %d
# ending track like: 39 79 80 81
>>8 beshort x \b, ending track: %d
# tracks content
#>>10 ubequad x \b, track content %#16.16llx
# Alternate ZIP string (amc@arwen.cs.berkeley.edu)
0 string PK00PK\003\004 Zip archive data
!:mime application/zip
!:ext zip/cbz
# Recognize ZIP archives with prepended data by end-of-central-directory record
# https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD)
# by Michal Gorny <mgorny@gentoo.org>
-2 uleshort 0
>&-22 string PK\005\006
# without #!
>>0 string !#! Zip archive, with extra data prepended
!:mime application/zip
!:ext zip/cbz
# with #!
>>0 string/w #!\ a
>>>&-1 string/T x %s script executable (Zip archive)
# ACE archive (from http://www.wotsit.org/download.asp?f=ace)
# by Stefan `Sec` Zehl <sec@42.org>
7 string **ACE** ACE archive data
!:mime application/x-ace-compressed
!:ext ace
>15 byte >0 version %d
>16 byte =0x00 \b, from MS-DOS
>16 byte =0x01 \b, from OS/2
>16 byte =0x02 \b, from Win/32
>16 byte =0x03 \b, from Unix
>16 byte =0x04 \b, from MacOS
>16 byte =0x05 \b, from WinNT
>16 byte =0x06 \b, from Primos
>16 byte =0x07 \b, from AppleGS
>16 byte =0x08 \b, from Atari
>16 byte =0x09 \b, from Vax/VMS
>16 byte =0x0A \b, from Amiga
>16 byte =0x0B \b, from Next
>14 byte x \b, version %d to extract
>5 leshort &0x0080 \b, multiple volumes,
>>17 byte x \b (part %d),
>5 leshort &0x0002 \b, contains comment
>5 leshort &0x0200 \b, sfx
>5 leshort &0x0400 \b, small dictionary
>5 leshort &0x0800 \b, multi-volume
>5 leshort &0x1000 \b, contains AV-String
>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
>5 leshort &0x2000 \b, with recovery record
>5 leshort &0x4000 \b, locked
>5 leshort &0x8000 \b, solid
# Date in MS-DOS format (whatever that is)
#>18 lelong x Created on
# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
# <doj@cubic.org>
0x1A string sfArk sfArk compressed Soundfont
>0x15 string 2
>>0x1 string >\0 Version %s
>>0x2A string >\0 : %s
# DR-DOS 7.03 Packed File *.??_
# Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
# Note: unpacked by PNUNPACK.EXE
0 string Packed\ File\
# by looking for Control-Z skip ASCII text starting with Packed File
>0x18 ubyte 0x1a Personal NetWare Packed File
!:mime application/x-novell-compress
!:ext ??_
>>12 string x \b, was "%.12s"
# 1 or 2
#>>0x19 ubyte x \b, at 0x19 %u
>>0x1b ulelong x with %u bytes
# EET archive
# From: Tilman Sauerbeck <tilman@code-monkey.de>
0 belong 0x1ee7ff00 EET archive
!:mime application/x-eet
# rzip archives
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# From: Joerg Jenderek
# URL: https://help.foxitsoftware.com/kb/install-fzip-file.php
# reference: http://mark0.net/download/triddefs_xml.7z/
# defs/f/fzip.trid.xml
# Note: unknown compression; No "PK" zip magic; normally in directory like
# "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"
0 ubequad 0x2506781901010000 Foxit add-on/update
!:mime application/x-fzip
!:ext fzip
# From: "Robert Dale" <robdale@gmail.com>
0 belong 123 dar archive,
>4 belong x label "%.8x
>>8 belong x %.8x
>>>12 beshort x %.4x"
>14 byte 0x54 end slice
>14 beshort 0x4e4e multi-part
>14 beshort 0x4e53 multi-part, with -S
# Symbian installation files
# https://www.thouky.co.uk/software/psifs/sis.html
# http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
8 lelong 0x10000419 Symbian installation file
!:mime application/vnd.symbian.install
>4 lelong 0x1000006D (EPOC release 3/4/5)
>4 lelong 0x10003A12 (EPOC release 6)
0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
!:mime x-epoc/x-sisx-app
# From "Nelson A. de Oliveira" <naoliv@gmail.com>
0 string MPQ\032 MoPaQ (MPQ) archive
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# .kgb
0 string KGB_arch KGB Archiver file
>10 string x with compression level %.1s
# xar (eXtensible ARchiver) archive
# URL: https://en.wikipedia.org/wiki/Xar_(archiver)
# xar archive format: https://code.google.com/p/xar/
# From: "David Remahl" <dremahl@apple.com>
# Update: Joerg Jenderek
# TODO: lzma compression; X509Data for pkg and xip
# Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or
# 7z t -txar Xcode_10.2_beta_4.xip`
0 string xar! xar archive
!:mime application/x-xar
# pkg for Mac OSX installer package like FullBundleUpdate.pkg
# xip for signed Apple software like Xcode_10.2_beta_4.xip
!:ext xar/pkg/xip
# always 28 in older archives
>4 ubeshort >28 \b, header size %u
# currently there exit only version 1 since about 2014
>6 ubeshort >1 version %u,
>8 ubequad x compressed TOC: %llu,
#>16 ubequad x uncompressed TOC: %llu,
# cksum_alg 0-2 in older and also 3-4 in newer
>24 belong 0 no checksum
>24 belong 1 SHA-1 checksum
>24 belong 2 MD5 checksum
>24 belong 3 SHA-256 checksum
>24 belong 4 SHA-512 checksum
>24 belong >4 unknown %#x checksum
#>24 belong >4 checksum
# For no compression jump 0 bytes
>24 belong 0
>>0 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
#>>>>&(8.Q) ubequad x \b, heap data %#llx
>>>>&(8.Q) ubyte x
# look for data by ./compress after message with 1 space at end
>>>>>&-3 indirect x \b, contains
# For SHA-1 jump 20 minus 2 bytes
>24 belong 1
>>18 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
>>>>&(8.Q) ubyte x
# data compressed by gzip, bzip, lzma or none
>>>>>&-1 indirect x \b, contains
# For SHA-256 jump 32 minus 2 bytes
>24 belong 3
>>30 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
>>>>&(8.Q) ubyte x
>>>>>&-1 indirect x \b, contains
# For SHA-512 jump 64 minus 2 bytes
>24 belong 4
>>62 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
>>>>&(8.Q) ubyte x
>>>>>&-1 indirect x \b, contains
# Type: Parity Archive
# From: Daniel van Eeden <daniel_e@dds.nl>
0 string PAR2 Parity Archive Volume Set
# Bacula volume format. (Volumes always start with a block header.)
# URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
12 string BB02 Bacula volume
>20 bedate x \b, started %s
# ePub is XHTML + XML inside a ZIP archive. The first member of the
# archive must be an uncompressed file called 'mimetype' with contents
# 'application/epub+zip'
# From: "Michael Gorny" <mgorny@gentoo.org>
# ZPAQ: http://mattmahoney.net/dc/zpaq.html
0 string zPQ ZPAQ stream
>3 byte x \b, level %d
# From: Barry Carter <carter.barry@gmail.com>
# https://encode.ru/threads/456-zpaq-updates/page32
0 string 7kSt ZPAQ file
# BBeB ebook, unencrypted (LRF format)
# URL: https://www.sven.de/librie/Librie/LrfFormat
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
>8 beshort x \b, version %d
>36 byte 1 \b, front-to-back
>36 byte 16 \b, back-to-front
>42 beshort x \b, (%dx,
>44 beshort x %d)
# Symantec GHOST image by Joerg Jenderek at May 2014
# https://us.norton.com/ghost/
# https://www.garykessler.net/library/file_sigs.html
0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
# *.GHO
>2 ubyte&0x08 0x00 \b, first file
# *.GHS or *.[0-9] with cns program option
>2 ubyte&0x08 0x08 \b, split file
# part of split index interesting for *.ghs
>>4 ubyte x id=%#x
# compression tag minus one equals numeric compression command line switch z[1-9]
>3 ubyte 0 \b, no compression
>3 ubyte 2 \b, fast compression (Z1)
>3 ubyte 3 \b, medium compression (Z2)
>3 ubyte >3
>>3 ubyte <11 \b, compression (Z%d-1)
>2 ubyte&0x08 0x00
# ~ 30 byte password field only for *.gho
>>12 ubequad !0 \b, password protected
>>44 ubyte !1
# 1~Image All, sector-by-sector only for *.gho
>>>10 ubyte 1 \b, sector copy
# 1~Image Boot track only for *.gho
>>>43 ubyte 1 \b, boot track
# 1~Image Disc only for *.gho implies Image Boot track and sector copy
>>44 ubyte 1 \b, disc sector copy
# optional image description only *.gho
>>0xff string >\0 "%-.254s"
# look for DOS sector end sequence
>0xE08 search/7776 \x55\xAA
>>&-512 indirect x \b; contains
# Google Chrome extensions
# https://developer.chrome.com/extensions/crx
# https://developer.chrome.com/extensions/hosting
0 string Cr24 Google Chrome extension
!:mime application/x-chrome-extension
>4 ulong x \b, version %u
# SeqBox - Sequenced container
# ext: sbx, seqbox
# Marco Pontello marcopon@gmail.com
# reference: https://github.com/MarcoPon/SeqBox
0 string SBx SeqBox,
>3 byte x version %d
# LyNX archive
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive
# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT
# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml
# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64
# TODO: merge and unify with Commodore C64 BASIC program
56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive
# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64
#!:strength +0
#!:mime application/octet-stream
!:mime application/x-commodore-lnx
!:ext lnx
# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn
>86 search/10 \x8910\0\0\0\r \b,
# for DEBUGGING
#>>&0 string x STRING="%s"
# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5
>>&0 regex [0-9]{1,5} %s directory blocks
# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*"
>>>&2 regex [^\r]{1,24} \b, signature "%s"
# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?)
>>>>&1 regex [0-9]{1,3} \b, %s files
# From: Joerg Jenderek
# URL: https://www.acronis.com/
# Reference: https://en.wikipedia.org/wiki/TIB_(file_format)
# Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110
0 ubequad 0xce24b9a220000000 Acronis True Image backup
!:mime application/x-acronis-tib
!:ext tib
# 01000000
#>20 ubelong x \b, at 20 %#x
# 20000000
#>28 ubelong x \b, at 28 %#x
# strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"
# ???
# strings like "\Device\0000011e" "\Device\0000015a"
#>0 search/0x6852300/cs \\Device\\
#>>&-1 pstring x \b, %s
# "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"
#>>>&1 search/180/cs \\Device\\
#>>>>&-1 pstring x \b, %s
#>>>>>&0 search/29/cs \0\0\xc8\0
# disk label
#>>>>>>&10 lestring16 x \b, disk label %11.11s
#>>>>>>&9 plestring16 x \b, disk label "%11.11s"
#>>>>>>&10 ubequad x %16.16llx
# Gentoo XPAK binary package
# by Michal Gorny <mgorny@gentoo.org>
# https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5
-4 string STOP
>-16 string XPAKSTOP Gentoo binary package (XPAK)
!:mime application/vnd.gentoo.xpak
# From: Joerg Jenderek
# URL: https://kodi.wiki/view/TexturePacker
# Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz
# /xbmc-Krypton/xbmc/guilib/XBTF.h
# /xbmc-Krypton/xbmc/guilib/XBTF.cpp
0 string XBTF
# skip ASCII text by looking for terminating \0 of path
>264 ubyte 0 XBMC texture package
!:mime application/x-xbmc-xbt
!:ext xbt
# XBTF_VERSION 2
>>4 string !2 \b, version %-.1s
# nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
>>5 ulelong x \b, %u file
# plural s
>>5 ulelong >1 \bs
# path[CXBTFFile[MaximumPathLength=256]
>>9 string x \b, 1st %s
# ALZIP archive
# by Hyungjun Park <hyungjun.park@worksmobile.com>, Hajin Jang <hajin_jang@worksmobile.com>
# http://kippler.com/win/unalz/
# https://salsa.debian.org/l10n-korean-team/unalz
0 string ALZ\001 ALZ archive data
!:ext alz
# https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip
0 string EGGA EGG archive data,
!:ext egg
>5 byte x version %u
>4 byte x \b.%u
>>0x0E ulelong =0x08E28222
>>0x0E ulelong =0x24F5A262 \b, split
>>0x0E ulelong =0x24E5A060 \b, solid
>>0x0E default x \b, unknown
# PAQ9A archive
# URL: http://mattmahoney.net/dc/#paq9a
# Note: Line 1186 of paq9a.cpp gives the magic bytes
0 string pQ9\001 PAQ9A archive
# From wof (wof@stachelkaktus.net)
0 string Unison\ archive\ format Unison archive format
# https://ankiweb.net
30 string collection.anki2 Anki APKG file
#!:ext .apkg
# Synology archive (DiskStation Manager 7.0+)
# From: Alexandre Iooss <erdnaxe@crans.org>
# Note: These archives are signed and encrypted.
0 ulelong&0xFFFFFF00 0xEFBEAD00
# MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes)
>8 ulelong&0x00FFFFFF 0x20C495 Synology archive
!:ext spk
# Extract some properties from MessagePack third item
>>43 search/0x10000 package=
>>>&0 string x \b, package %s
>>43 search/0x10000 arch=
>>>&0 string x %s
>>43 search/0x10000 version=
>>>&0 string x %s
>>43 search/0x10000 create_time=
>>>&0 string x \b, created on %s
# MonoGame/XNA processed assets archive
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs
0 string XNB
# XNB must be version 4 or 5
>4 byte <6
>>4 byte >3
# Size must be positive
>>>6 lelong >0 MonoGame/XNA processed assets
!:ext xnb
>>>>3 string =w \b, for Windows
>>>>3 string =x \b, for Xbox360
>>>>3 string =i \b, for iOS
>>>>3 string =a \b, for Android
>>>>3 string =d \b, for DesktopGL
>>>>3 string =X \b, for MacOSX
>>>>3 string =W \b, for WindowsStoreApp
>>>>3 string =n \b, for NativeClient
>>>>3 string =M \b, for WindowsPhone8
>>>>3 string =r \b, for RaspberryPi
>>>>3 string =P \b, for PlayStation4
>>>>3 string =5 \b, for PlayStation5
>>>>3 string =O \b, for XboxOne
>>>>3 string =S \b, for Nintendo Switch
>>>>3 string =G \b, for Google Stadia
>>>>3 string =b \b, for WebAssembly and Bridge.NET
>>>>3 string =m \b, for WindowsPhone7.0 (XNA)
>>>>3 string =p \b, for PlayStationMobile
>>>>3 string =v \b, for PSVita
>>>>3 string =g \b, for Windows (OpenGL)
>>>>3 string =l \b, for Linux
>>>>4 byte x \b, version %d
>>>>5 byte &0x80 \b, LZX compressed
>>>>>10 lelong x \b, decompressed size: %d bytes
>>>>5 byte &0x40 \b, LZ4 compressed
>>>>>10 lelong x \b, decompressed size: %d bytes
# Electron ASAR archive
# From: Alexandre Iooss <erdnaxe@crans.org>
# URL: https://github.com/electron/asar
0 ulelong 4
# Match JSON header start and end
>16 string {"files":{"
>>(12.l+12) string }}}} Electron ASAR archive
!:ext asar
>>>12 ulelong x \b, header length: %d bytes
Reference in a new issue View git blame Copy permalink