#------------------------------------------------------------------------------
# $File: acorn,v 1.7 2019/04/19 00:42:27 christos Exp $
# acorn: file(1) magic for files found on Acorn systems
#

# RISC OS Chunk File Format
# From RISC OS Programmer's Reference Manual, Appendix D
# We guess the file type from the type of the first chunk.
0 lelong 0xc3cbc6c5 RISC OS Chunk data
>12 string OBJ_ \b, AOF object
>12 string LIB_ \b, ALF library

# RISC OS AIF, contains "SWI OS_Exit" at offset 16.
16 lelong 0xef000011 RISC OS AIF executable

# RISC OS Draw files
# From RISC OS Programmer's Reference Manual, Appendix E
0 string Draw RISC OS Draw file data

# RISC OS new format font files
# From RISC OS Programmer's Reference Manual, Appendix E
0 string FONT\0 RISC OS outline font data,
>5 byte x version %d
0 string FONT\1 RISC OS 1bpp font data,
>5 byte x version %d
0 string FONT\4 RISC OS 4bpp font data
>5 byte x version %d

# RISC OS Music files
# From RISC OS Programmer's Reference Manual, Appendix E
0 string Maestro\r RISC OS music file
>8 byte x version %d

>8 byte x type %d

# Digital Symphony data files
# From: Bernard Jungen (bern8817@euphonynet.be)
0 string \x02\x01\x13\x13\x13\x01\x0d\x10 Digital Symphony sound sample (RISC OS),
>8 byte x version %d,
>9 pstring x named "%s",
>(9.b+19) byte =0 8-bit logarithmic
>(9.b+19) byte =1 LZW-compressed linear
>(9.b+19) byte =2 8-bit linear signed
>(9.b+19) byte =3 16-bit linear signed
>(9.b+19) byte =4 SigmaDelta-compressed linear
>(9.b+19) byte =5 SigmaDelta-compressed logarithmic
>(9.b+19) byte >5 unknown format

0 string \x02\x01\x13\x13\x14\x12\x01\x0b Digital Symphony song (RISC OS),
>8 byte x version %d,
>9 byte =1 1 voice,
>9 byte !1 %d voices,
>10 leshort =1 1 track,
>10 leshort !1 %d tracks,
>12 leshort =1 1 pattern
>12 leshort !1 %d patterns

0 string \x02\x01\x13\x13\x10\x14\x12\x0e
>9 byte =0 Digital Symphony sequence (RISC OS),
>>8 byte x version %d,
>>10 byte =1 1 line,
>>10 byte !1 %d lines,
>>11 leshort =1 1 position
>>11 leshort !1 %d positions
>9 byte =1 Digital Symphony pattern data (RISC OS),
>>8 byte x version %d,
>>10 leshort =1 1 pattern
>>10 leshort !1 %d patterns

# From: Joerg Jenderek
# URL: https://www.kyzer.me.uk/pack/xad/#PackDir
# reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c
# GRR: line below is too general as it matches also "Git pack" in ./revision
0 string PACK\0
# check for valid compression method 0-4
>5 ulelong <5
# https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems
# To skip "Git pack" version 0 test for root directory object like
# ADFS::RPC.$.websitezip.FONTFIX
>>9 string >ADFS\ PackDir archive (RISC OS)
# TrID labels above as "Acorn PackDir compressed Archive"
# compression mode y (0 - 4) for GIF LZW with a maximum n bits
# (y~n,0~12,1~13,2~14,3~15,4~16)
>>>5 ulelong+12 x \b, LZW %u-bits compression
# https://www.filebase.org.uk/filetypes
# !Packdir compressed archive has three hexadecimal digits code 68E
!:mime application/x-acorn-68E
!:ext pkd/bin
# null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo
>>>9 string x \b, root "%s"
# load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time
>>>>&1 ulelong x \b, load address 0x%x
# execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC
>>>>&5 ulelong x \b, exec address 0x%x
# attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write)
>>>>&9 ulelong x \b, attributes 0x%x
# number of entries in this directory. for root dir 0
#>>>&13 ulelong x \b, entries 0x%x
# the entries start here with object name
>>>>&17 string x \b, 1st object "%s"

#------------------------------------------------------------------------------
# $File: adi,v 1.4 2009/09/19 16:28:07 christos Exp $
# adi: file(1) magic for ADi's objects
# From Gregory McGarry <g.mcgarry@ieee.org>
#
0 leshort 0x521c COFF DSP21k
>18 lelong &02 executable,
>18 lelong ^02
>>18 lelong &01 static object,
>>18 lelong ^01 relocatable object,
>18 lelong &010 stripped
>18 lelong ^010 not stripped

#------------------------------------------------------------------------------
# $File: adventure,v 1.18 2019/04/19 00:42:27 christos Exp $
# adventure: file(1) magic for Adventure game files
#
# from Allen Garvin <earendil@faeryland.tamu-commerce.edu>
# Edited by Dave Chapeskie <dchapes@ddm.on.ca> Jun 28, 1998
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
#
# ALAN
# I assume there are other, lower versions, but these are the only ones I
# saw in the archive.
0 beshort 0x0206 ALAN game data
>2 byte <10 version 2.6%d

# Infocom (see z-machine)
#------------------------------------------------------------------------------
# Z-machine: file(1) magic for Z-machine binaries.
# Sanity checks by David Griffith <dave@661.org>
# Updated by Adam Buchbinder <adam.buchbinder@gmail.com>
#
#http://www.gnelson.demon.co.uk/zspec/sect11.html
#https://www.jczorkmid.net/~jpenney/ZSpec11-latest.txt
#https://en.wikipedia.org/wiki/Z-machine
# The first byte is the Z-machine revision; it is always between 1 and 8. We
# had false matches (for instance, inbig5.ocp from the Omega TeX extension as
# well as an occasional MP3 file), so we sanity-check the version number.
#
# It might be possible to sanity-check the release number as well, as it seems
# (at least in classic Infocom games) to always be a relatively small number,
# always under 150 or so, but as this isn't rigorous, we'll wait on that until
# it becomes clear that it's needed.
#
0 ubyte >0
>0 ubyte <9
>>16 belong&0xfe00f0f0 0x3030
>>>0 ubyte < 10
>>>>2 ubeshort x
>>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9]
>>>>>>0 ubyte < 10 Infocom (Z-machine %d
>>>>>>>2 ubeshort x \b, Release %d
>>>>>>>>18 string >\0 \b, Serial %.6s
>>>>>>>>18 string x \b)
!:strength + 40
!:mime application/x-zmachine

#------------------------------------------------------------------------------
# Glulx: file(1) magic for Glulx binaries.
#
# David Griffith <dave@661.org>
# I haven't checked for false matches yet.
#
0 string Glul Glulx game data
>4 beshort x (Version %d
>>6 byte x \b.%d
>>8 byte x \b.%d)
>36 string Info Compiled by Inform
!:mime application/x-glulx

# For Quetzal and blorb magic see iff

# TADS (Text Adventure Development System) version 2
# All files are machine-independent (games compile to byte-code) and are tagged
# with a version string of the form "V2.<digit>.<digit>\0".
# Game files start with "TADS2 bin\n\r\032\0" then the compiler version.
0 string TADS2\ bin TADS
>9 belong !0x0A0D1A00 game data, CORRUPTED
>9 belong 0x0A0D1A00
>>13 string >\0 %s game data
!:mime application/x-tads
# Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version.
0 string TADS2\ rsc TADS
>9 belong !0x0A0D1A00 resource data, CORRUPTED
>9 belong 0x0A0D1A00
>>13 string >\0 %s resource data
!:mime application/x-tads
# Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian
# 2-byte length N, the N-char name of the game file *without* a NUL (darn!),
# "TADS2 save\n\r\032\0" and the interpreter version.
0 string TADS2\ save/g TADS
>12 belong !0x0A0D1A00 saved game data, CORRUPTED
>12 belong 0x0A0D1A00
>>(16.s+32) string >\0 %s saved game data
!:mime application/x-tads
# Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter
# version.
0 string TADS2\ save TADS
>10 belong !0x0A0D1A00 saved game data, CORRUPTED
>10 belong 0x0A0D1A00
>>14 string >\0 %s saved game data
!:mime application/x-tads

# TADS (Text Adventure Development System) version 3
# Game files start with "T3-image\015\012\032"
0 string T3-image\015\012\032
>11 leshort x TADS 3 game data (format version %d)
# Saved game files start with "T3-state-v####\015\012\032"
# where #### is a format version number
0 string T3-state-v
>14 string \015\012\032 TADS 3 saved game data (format version
>>10 byte x %c
>>11 byte x \b%c
>>12 byte x \b%c
>>13 byte x \b%c)
!:mime application/x-t3vm-image

# edited by David Griffith <dave@661.org>
# Danny Milosavljevic <danny.milo@gmx.net>
# These are ADRIFT (adventure game standard) game files, extension .taf
# Checked from source at (http://www.adrift.co/) and various taf files
# found at the Interactive Fiction Archive (https://ifarchive.org/)
0 belong 0x3C423FC9
>4 belong 0x6A87C2CF Adrift game file version
>>8 belong 0x94453661 3.80
>>8 belong 0x94453761 3.90
>>8 belong 0x93453E61 4.0
>>8 belong 0x92453E61 5.0
>>8 default x unknown
!:mime application/x-adrift

#------------------------------------------------------------------------------
# $File: algol68,v 1.3 2018/10/19 01:04:21 christos Exp $
# algol68: file(1) magic for Algol 68 source
#
0 search/8192 (input, Algol 68 source text
!:mime text/x-Algol68
0 regex/1024 \^PROC Algol 68 source text
!:mime text/x-Algol68
0 regex/1024 \bMODE[\t\ ] Algol 68 source text
!:mime text/x-Algol68
0 regex/1024 \bREF[\t\ ] Algol 68 source text
!:mime text/x-Algol68
0 regex/1024 \bFLEX[\t\ ]\*\\[ Algol 68 source text
!:mime text/x-Algol68
#0 regex [\t\ ]OD Algol 68 source text
#!:mime text/x-Algol68
#0 regex [\t\ ]FI Algol 68 source text
#!:mime text/x-Algol68

#------------------------------------------------------------------------------
# $File: allegro,v 1.4 2009/09/19 16:28:07 christos Exp $
# allegro: file(1) magic for Allegro datafiles
# Toby Deshane <hac@shoelace.digivill.net>
#
0 belong 0x736C6821 Allegro datafile (packed)
0 belong 0x736C682E Allegro datafile (not packed/autodetect)
0 belong 0x736C682B Allegro datafile (appended exe data)

#------------------------------------------------------------------------------
# $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $
# alliant: file(1) magic for Alliant FX series a.out files
#
# If the FX series is the one that had a processor with a 68K-derived
# instruction set, the "short" should probably become "beshort" and the
# "long" should probably become "belong".
# If it's the i860-based one, they should probably become either the
# big-endian or little-endian versions, depending on the mode they ran
# the 860 in....
#
0 short 0420 0420 Alliant virtual executable
>2 short &0x0020 common library
>16 long >0 not stripped
0 short 0421 0421 Alliant compact executable
>2 short &0x0020 common library
>16 long >0 not stripped

#------------------------------------------------------------------------------
# $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $
# amanda: file(1) magic for amanda file format
#
0 string AMANDA:\ AMANDA
>8 string TAPESTART\ DATE tape header file,
>>23 string X
>>>25 string >\ Unused %s
>>23 string >\ DATE %s
>8 string FILE\ dump file,
>>13 string >\ DATE %s

#------------------------------------------------------------------------------
# $File: amigaos,v 1.17 2018/10/16 18:57:19 christos Exp $
# amigaos: file(1) magic for AmigaOS binary formats:

#
# From ignatios@cs.uni-bonn.de (Ignatios Souvatzis)
#
0 belong 0x000003fa AmigaOS shared library
0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary
0 belong 0x000003e7 AmigaOS object/library data
#
0 beshort 0xe310 Amiga Workbench
>2 beshort 1
>>48 byte 1 disk icon
>>48 byte 2 drawer icon
>>48 byte 3 tool icon
>>48 byte 4 project icon
>>48 byte 5 garbage icon
>>48 byte 6 device icon
>>48 byte 7 kickstart icon
>>48 byte 8 workbench application icon
>2 beshort >1 icon, vers. %d
#
# various sound formats from the Amiga
# Götz Waschk <waschk@informatik.uni-rostock.de>
#
0 string FC14 Future Composer 1.4 Module sound file
0 string SMOD Future Composer 1.3 Module sound file
0 string AON4artofnoise Art Of Noise Module sound file
1 string MUGICIAN/SOFTEYES Mugician Module sound file
58 string SIDMON\ II\ -\ THE Sidmon 2.0 Module sound file
0 string Synth4.0 Synthesis Module sound file
0 string ARP. The Holy Noise Module sound file
0 string BeEp\0 JamCracker Module sound file
0 string COSO\0 Hippel-COSO Module sound file
# Too simple (short, pure ASCII, deep), MPi
#26 string V.3 Brian Postma's Soundmon Module sound file v3
#26 string BPSM Brian Postma's Soundmon Module sound file v3
#26 string V.2 Brian Postma's Soundmon Module sound file v2

# The following are from: "Stefan A. Haubenthal" <polluks@web.de>
0 beshort 0x0f00 AmigaOS bitmap font
0 beshort 0x0f03 AmigaOS outline font
0 belong 0x80001001 AmigaOS outline tag
0 string ##\ version catalog translation
0 string EMOD\0 Amiga E module
8 string ECXM\0 ECX module
0 string/c @database AmigaGuide file

# Amiga disk types
#
0 string RDSK Rigid Disk Block
>160 string x on %.24s
0 string DOS\0 Amiga DOS disk
0 string DOS\1 Amiga FFS disk
0 string DOS\2 Amiga Inter DOS disk
0 string DOS\3 Amiga Inter FFS disk
0 string DOS\4 Amiga Fastdir DOS disk
0 string DOS\5 Amiga Fastdir FFS disk
0 string KICK Kickstart disk

# From: Alex Beregszaszi <alex@fsn.hu>
0 string LZX LZX compressed archive (Amiga)

# From: Przemek Kramarczyk <pkramarczyk@gmail.com>
0 string .KEY AmigaDOS script
0 string .key AmigaDOS script

# AMOS Basic file formats
# https://www.exotica.org.uk/wiki/AMOS_file_formats
0 string AMOS\040Basic\040 AMOS Basic source code
>11 byte =0x56 \b, tested
>11 byte =0x76 \b, untested
0 string AMOS\040Pro AMOS Basic source code
>11 byte =0x56 \b, tested
>11 byte =0x76 \b, untested
0 string AmSp AMOS Basic sprite bank
>4 beshort x \b, %d sprites
0 string AmIc AMOS Basic icon bank
>4 beshort x \b, %d icons
0 string AmBk AMOS Basic memory bank
>4 beshort x \b, bank number %d
>8 belong&0xFFFFFFF x \b, length %d
>12 regex .{8} \b, type %s
0 string AmBs AMOS Basic memory banks
>4 beshort x \b, %d banks

#------------------------------------------------------------
# $File: android,v 1.16 2019/11/15 21:03:14 christos Exp $
# Various android related magic entries
#------------------------------------------------------------

# Dalvik .dex format. http://retrodev.com/android/dexformat.html
# From <mkf@google.com> "Mike Fleming"
# Fixed to avoid regexec 17 errors on some dex files
# From <diff@lookout.com> "Tim Strazzere"
0 string dex\n
>0 regex dex\n[0-9]{2}\0 Dalvik dex file
>4 string >000 version %s
0 string dey\n
>0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host)
>4 string >000 version %s

# Android bootimg format
# From https://android.googlesource.com/\
# platform/system/core/+/master/mkbootimg/bootimg.h
# https://github.com/djrbliss/loki/blob/master/loki.h#L43
0 string ANDROID! Android bootimg
>1024 string LOKI \b, LOKI'd
>>1028 lelong 0 \b (boot)
>>1028 lelong 1 \b (recovery)
>8 lelong >0 \b, kernel
>>12 lelong >0 \b (0x%x)
>16 lelong >0 \b, ramdisk
>>20 lelong >0 \b (0x%x)
>24 lelong >0 \b, second stage
>>28 lelong >0 \b (0x%x)
>36 lelong >0 \b, page size: %d
>38 string >0 \b, name: %s
>64 string >0 \b, cmdline (%s)

# Android Backup archive
# From: Ariel Shkedi
# Update: Joerg Jenderek
# URL: https://github.com/android/platform_frameworks_base/blob/\
# 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\
# android/server/BackupManagerService.java#L2367
# Reference: https://sourceforge.net/projects/adbextractor/
# android-backup-extractor/perl/backupencrypt.pl
# Note: only unix line feeds "\n" found
# After the header comes a tar file
# If compressed, the entire tar file is compressed with JAVA deflate
#
# Include the version number hardcoded with the magic string to avoid
# false positives
0 string/b ANDROID\ BACKUP\n Android Backup
# maybe look for some more characteristics like linefeed '\n' or version
#>16 string \n
# No mime-type defined officially
!:mime application/x-google-ab
!:ext ab
# on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2)
>15 string >\0 \b, version %s
# "1" on 3rd line means compressed
>17 string 0\n \b, Not-Compressed
>17 string 1\n \b, Compressed
# The 4th line is encryption "none" or "AES-256"
# any string as long as it's not the word none (which is matched below)
>19 string none\n \b, Not-Encrypted
# look for backup content after line with encryption info
#>>19 search/7 \n
# data part after header for not encrypted Android Backup
#>>>&0 ubequad x \b, content 0x%16.16llx...
# look for zlib compressed by ./compress after message with 1 space at end
#>>>&0 indirect x \b; contains
# look for tar archive block by ./archive for package name manifest
>>288 string ustar \b; contains
>>>31 use tar-file
# look for zip/jar archive by ./archive ./zip after message with 1 space at end
#>>2079 search/1025/s PK\003\004 \b; contains
#>>>&0 indirect x
>19 string !none
>>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s)
# Commented out because they don't seem useful to print
# (but they are part of the header - the tar file comes after them):
# The 5th line is User Password Salt (128 Hex)
# string length too high with standard src configuration
#>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s"
#>>>&1 regex/1l .* \b, Password salt: %s
# The 6th line is Master Key Checksum Salt (128 Hex)
#>>>>&1 regex/1l .* \b, Master salt: %s
# The 7th line is Number of PBDKF2 Rounds (10000)
#>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s
# The 8th line is User key Initialization Vector (IV) (32 Hex)
#>>>>>>&1 regex/1l .* \b, IV: %s
#>>>>>>&1 regex/1l .* \b, IV: %s
# The 9th line is Master IV+Key+Checksum (192 Hex)
#>>>>>>>&1 regex/1l .* \b, Key: %s
# look for new line separator char after line number 9
#>>>0x204 ubyte 0x0a NL found
#>>>>&1 ubequad x \b, Content magic %16.16llx

# *.pit files by Joerg Jenderek
# https://forum.xda-developers.com/showthread.php?p=9122369
# https://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung's smartphone with Android
# used by flash software Odin
0 ulelong 0x12349876
# 1st pit entry marker
>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4 ulelong <128 Partition Information Table for Samsung smartphone
>>>4 ulelong x \b, %d entries
# 1. pit entry
>>>4 ulelong >0 \b; #1
>>>0x01C use PIT-entry
>>>4 ulelong >1 \b; #2
>>>0x0A0 use PIT-entry
>>>4 ulelong >2 \b; #3
>>>0x124 use PIT-entry
>>>4 ulelong >3 \b; #4
>>>0x1A8 use PIT-entry
>>>4 ulelong >4 \b; #5
>>>0x22C use PIT-entry
>>>4 ulelong >5 \b; #6
>>>0x2B0 use PIT-entry
>>>4 ulelong >6 \b; #7
>>>0x334 use PIT-entry
>>>4 ulelong >7 \b; #8
>>>0x3B8 use PIT-entry
>>>4 ulelong >8 \b; #9
>>>0x43C use PIT-entry
>>>4 ulelong >9 \b; #10
>>>0x4C0 use PIT-entry
>>>4 ulelong >10 \b; #11
>>>0x544 use PIT-entry
>>>4 ulelong >11 \b; #12
>>>0x5C8 use PIT-entry
>>>4 ulelong >12 \b; #13
>>>>0x64C use PIT-entry
# 14. pit entry
>>>4 ulelong >13 \b; #14
>>>>0x6D0 use PIT-entry
>>>4 ulelong >14 \b; #15
>>>0x754 use PIT-entry
>>>4 ulelong >15 \b; #16
>>>0x7D8 use PIT-entry
>>>4 ulelong >16 \b; #17
>>>0x85C use PIT-entry
# 18. pit entry
>>>4 ulelong >17 \b; #18
>>>0x8E0 use PIT-entry

0 name PIT-entry
# garbage value implies end of pit entries
>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
# skip empty partition name
>>0x24 ubyte !0
# partition name
>>>0x24 string >\0 %-.32s
# flags
>>>0x0C ulelong&0x00000002 2 \b+RW
# partition ID:
# 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~KENREl,RECOVER,misc;7~RECOVER
# ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW
>>>0x08 ulelong x (0x%x)
# filename
>>>0x44 string >\0 "%-.64s"
#>>>0x18 ulelong >0
# blocksize in 512 byte units ?
#>>>>0x18 ulelong x \b, %db
# partition size in blocks ?
#>>>>0x22 ulelong x \b*%d

# Android sparse img format
# From https://android.googlesource.com/\
# platform/system/core/+/master/libsparse/sparse_format.h
0 lelong 0xed26ff3a Android sparse image
>4 leshort x \b, version: %d
>6 leshort x \b.%d
>16 lelong x \b, Total of %d
>12 lelong x \b %d-byte output blocks in
>20 lelong x \b %d input chunks.

# Android binary XML magic
# In include/androidfw/ResourceTypes.h:
# RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header),
# which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size).
0 lelong 0x00080003 Android binary XML

# Android cryptfs footer
# From https://android.googlesource.com/\
# platform/system/vold/+/refs/heads/master/cryptfs.h
0 lelong 0xd0b5b1c4 Android cryptfs footer
>4 leshort x \b, version: %d
>6 leshort x \b.%d

#------------------------------------------------------------------------------
# $File: animation,v 1.77 2020/04/26 15:23:43 christos Exp $
# animation: file(1) magic for animation/movie formats
#
# animation formats
# MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8)
# FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com)

# SGI and Apple formats
0 string MOVI Silicon Graphics movie file
!:mime video/x-sgi-movie
4 string moov Apple QuickTime
!:mime video/quicktime
>12 string mvhd \b movie (fast start)
>12 string mdra \b URL
>12 string cmov \b movie (fast start, compressed header)
>12 string rmra \b multiple URLs
4 string mdat Apple QuickTime movie (unoptimized)
!:mime video/quicktime
#4 string wide Apple QuickTime movie (unoptimized)
#!:mime video/quicktime
#4 string skip Apple QuickTime movie (modified)
#!:mime video/quicktime
#4 string free Apple QuickTime movie (modified)
#!:mime video/quicktime
4 string idsc Apple QuickTime image (fast start)
!:mime image/x-quicktime
#4 string idat Apple QuickTime image (unoptimized)
#!:mime image/x-quicktime
4 string pckg Apple QuickTime compressed archive
!:mime application/x-quicktime-player
4 string/W jP JPEG 2000 image
!:mime image/jp2
# https://www.ftyps.com/ with local additions
4 string ftyp ISO Media
# https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/
>8 string XAVC \b, MPEG v4 system, Sony XAVC Codec
>>96 string x \b, Audio "%.4s"
>>118 beshort x at %dHz
>>140 string x \b, Video "%.4s"
>>168 beshort x %d
>>170 beshort x \bx%d
>8 string 3g2 \b, MPEG v4 system, 3GPP2
!:mime video/3gpp2
>>11 byte 4 \b v4 (H.263/AMR GSM 6.10)
>>11 byte 5 \b v5 (H.263/AMR GSM 6.10)
>>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10)
# https://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf
# Section 8.1.1, corresponds to a, b, c
>>11 byte 0x61 \b C.S0050-0 V1.0
>>11 byte 0x62 \b C.S0050-0-A V1.0.0
>>11 byte 0x63 \b C.S0050-0-B V1.0
>8 string 3ge \b, MPEG v4 system, 3GPP
!:mime video/3gpp
>>11 byte 6 \b, Release 6 MBMS Extended Presentations
>>11 byte 7 \b, Release 7 MBMS Extended Presentations
>8 string 3gg \b, MPEG v4 system, 3GPP
!:mime video/3gpp
>>11 byte 6 \b, Release 6 General Profile
>8 string 3gp \b, MPEG v4 system, 3GPP
!:mime video/3gpp
>>11 byte 1 \b, Release %d (non existent)
>>11 byte 2 \b, Release %d (non existent)
>>11 byte 3 \b, Release %d (non existent)
>>11 byte 4 \b, Release %d
>>11 byte 5 \b, Release %d
>>11 byte 6 \b, Release %d
>>11 byte 7 \b, Release %d Streaming Servers
>8 string 3gs \b, MPEG v4 system, 3GPP
!:mime video/3gpp
>>11 byte 7 \b, Release %d Streaming Servers
>8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005]
!:mime video/mp4
>8 string/W qt \b, Apple QuickTime movie
!:mime video/quicktime
>8 string CAEP \b, Canon Digital Camera
>8 string caqv \b, Casio Digital Camera
>8 string CDes \b, Convergent Design
>8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG
>8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP
>8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images
>8 string da1b \b, DMB MAF, ext da1a, with 3GPP timed text, DID, TVA, REL, IPMP
>8 string da2a \b, DMB MAF aud w/ HE-AAC v2 aud, MOT slides, DLS, JPG/PNG/MNG
>8 string da2b \b, DMB MAF, ext da2a, with 3GPP timed text, DID, TVA, REL, IPMP
>8 string da3a \b, DMB MAF aud with HE-AAC aud, JPG/PNG/MNG images
>8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP
>8 string dash \b, MPEG v4 system, Dynamic Adaptive Streaming over HTTP
!:mime video/mp4
>8 string dmb1 \b, DMB MAF supporting all the components defined in the spec
>8 string dmpf \b, Digital Media Project
>8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4)
>8 string dv1a \b, DMB MAF vid w/ AVC vid, ER-BSAC aud, BIFS, JPG/PNG/MNG, TS
>8 string dv1b \b, DMB MAF, ext dv1a, with 3GPP timed text, DID, TVA, REL, IPMP
>8 string dv2a \b, DMB MAF vid w/ AVC vid, HE-AAC v2 aud, BIFS, JPG/PNG/MNG, TS
>8 string dv2b \b, DMB MAF, ext dv2a, with 3GPP timed text, DID, TVA, REL, IPMP
>8 string dv3a \b, DMB MAF vid w/ AVC vid, HE-AAC aud, BIFS, JPG/PNG/MNG, TS
>8 string dv3b \b, DMB MAF, ext dv3a, with 3GPP timed text, DID, TVA, REL, IPMP
>8 string dvr1 \b, DVB (.DVB) over RTP
!:mime video/vnd.dvb.file
>8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream
!:mime video/vnd.dvb.file
>8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V)
!:mime video/mp4
>8 string F4P \b, Protected Video for Adobe Flash Player 9+ (.F4P)
!:mime video/mp4
>8 string F4A \b, Audio for Adobe Flash Player 9+ (.F4A)
!:mime audio/mp4
>8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B)
!:mime audio/mp4
>8 string isc2 \b, ISMACryp 2.0 Encrypted File
# ?/enc-isoff-generic
>8 string iso2 \b, MP4 Base Media v2 [ISO 14496-12:2005]
!:mime video/mp4
>8 string isom \b, MP4 Base Media v1 [IS0 14496-12:2003]
!:mime video/mp4
>8 string/W jp2 \b, JPEG 2000
!:mime image/jp2
>8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?]
!:mime image/jp2
>8 string JP20 \b, Unknown, from GPAC samples (prob non-existent)
>8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6]
!:mime image/jpm
>8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2]
!:mime image/jpx
>8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones
!:mime video/3gpp2
>8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio
!:mime audio/x-m4a
>8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book
!:mime audio/mp4
>8 string M4P \b, Apple iTunes ALAC/AAC-LC (.M4P) AES Protected Audio
!:mime video/mp4
>8 string M4V \b, Apple iTunes Video (.M4V) Video
!:mime video/x-m4v
>8 string M4VH \b, Apple TV (.M4V)
!:mime video/x-m4v
>8 string M4VP \b, Apple iPhone (.M4V)
!:mime video/x-m4v
>8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile
!:mime video/mj2
>8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile
!:mime video/mj2
>8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT)
!:mime video/mp4
>8 string mobi \b, MPEG-4, MOBI format
!:mime video/mp4
>8 string mp21 \b, MPEG-21 [ISO/IEC 21000-9]
>8 string mp41 \b, MP4 v1 [ISO 14496-1:ch13]
!:mime video/mp4
>8 string mp42 \b, MP4 v2 [ISO 14496-14]
!:mime video/mp4
>8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12]
>8 string mp7t \b, MPEG v4 system, MPEG v7 XML
>8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML
>8 string mmp4 \b, MPEG v4 system, 3GPP Mobile
!:mime video/mp4
>8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3]
>8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830
!:mime video/quicktime
>8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP
!:mime video/mp4
>8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio
!:mime audio/mp4
>8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile
!:mime video/mp4
>8 string NDSH \b, MPEG-4 (.MP4) Nero HDTV Profile
!:mime video/mp4
>8 string NDSM \b, MPEG-4 (.MP4) Nero Mobile Profile
!:mime video/mp4
>8 string NDSP \b, MPEG-4 (.MP4) Nero Portable Profile
!:mime video/mp4
>8 string NDSS \b, MPEG-4 (.MP4) Nero Standard Profile
!:mime video/mp4
>8 string NDXC \b, H.264/MPEG-4 AVC (.MP4) Nero Cinema Profile
!:mime video/mp4
>8 string NDXH \b, H.264/MPEG-4 AVC (.MP4) Nero HDTV Profile
!:mime video/mp4
>8 string NDXM \b, H.264/MPEG-4 AVC (.MP4) Nero Mobile Profile
!:mime video/mp4
>8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile
!:mime video/mp4
>8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile
!:mime video/mp4
>8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A)
>8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C)
>8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C)
>8 string pana \b, Panasonic Digital Camera
>8 string qt \b, Apple QuickTime (.MOV/QT)
!:mime video/quicktime
# HEIF image format
# see https://nokiatech.github.io/heif/technical.html
>8 string mif1 \b, HEIF Image
!:mime image/heif
>8 string msf1 \b, HEIF Image Sequence
!:mime image/heif-sequence
>8 string heic \b, HEIF Image HEVC Main or Main Still Picture Profile
!:mime image/heic
>8 string heix \b, HEIF Image HEVC Main 10 Profile
!:mime image/heic
>8 string hevc \b, HEIF Image Sequenz HEVC Main or Main Still Picture Profile
!:mime image/heic-sequence
>8 string hevx \b, HEIF Image Sequence HEVC Main 10 Profile
!:mime image/heic-sequence
# following HEIF brands are not mentioned in the heif technical info currently (Oct 2017)
# but used in the reference implementation:
# https://github.com/nokiatech/heif/blob/d5e9a21c8ba8df712bdf643021dd9f6518134776/Srcs/reader/hevcimagefilereader.cpp
>8 string heim \b, HEIF Image L-HEVC
!:mime image/heif
>8 string heis \b, HEIF Image L-HEVC
!:mime image/heif
>8 string avic \b, HEIF Image AVC
!:mime image/heif
>8 string hevm \b, HEIF Image Sequence L-HEVC
!:mime image/heif-sequence
>8 string hevs \b, HEIF Image Sequence L-HEVC
!:mime image/heif-sequence
>8 string avcs \b, HEIF Image Sequence AVC
!:mime image/heif-sequence
>8 string ROSS \b, Ross Video
>8 string sdv \b, SD Memory Card Video
>8 string ssc1 \b, Samsung stereo, single stream (patent pending)
>8 string ssc2 \b, Samsung stereo, dual stream (patent pending)

# MPEG sequences
# Scans for all common MPEG header start codes
0 belong 0x00000001
>4 byte&0x1F 0x07 JVT NAL sequence, H.264 video
>>5 byte 66 \b, baseline
>>5 byte 77 \b, main
>>5 byte 88 \b, extended
>>7 byte x \b @ L %u
0 belong&0xFFFFFF00 0x00000100
>3 byte 0xBA MPEG sequence
!:mime video/mpeg
>>4 byte &0x40 \b, v2, program multiplex
>>4 byte ^0x40 \b, v1, system multiplex
>3 byte 0xBB MPEG sequence, v1/2, multiplex (missing pack header)
>3 byte&0x1F 0x07 MPEG sequence, H.264 video
>>4 byte 66 \b, baseline
>>4 byte 77 \b, main
>>4 byte 88 \b, extended
>>6 byte x \b @ L %u
# GRR too general as it catches also FoxPro Memo example NG.FPT
>3 byte 0xB0 MPEG sequence, v4
# TODO: maybe this extra line exclude FoxPro Memo example NG.FPT starting with 000001b0 00000100 00000000
#>>4 byte !0 MPEG sequence, v4
!:mime video/mpeg4-generic
>>5 belong 0x000001B5
>>>9 byte &0x80
>>>>10 byte&0xF0 16 \b, video
>>>>10 byte&0xF0 32 \b, still texture
>>>>10 byte&0xF0 48 \b, mesh
>>>>10 byte&0xF0 64 \b, face
>>>9 byte&0xF8 8 \b, video
>>>9 byte&0xF8 16 \b, still texture
>>>9 byte&0xF8 24 \b, mesh
>>>9 byte&0xF8 32 \b, face
>>4 byte 1 \b, simple @ L1
>>4 byte 2 \b, simple @ L2
>>4 byte 3 \b, simple @ L3
>>4 byte 4 \b, simple @ L0
>>4 byte 17 \b, simple scalable @ L1
>>4 byte 18 \b, simple scalable @ L2
>>4 byte 33 \b, core @ L1
>>4 byte 34 \b, core @ L2
>>4 byte 50 \b, main @ L2
>>4 byte 51 \b, main @ L3
>>4 byte 53 \b, main @ L4
>>4 byte 66 \b, n-bit @ L2
>>4 byte 81 \b, scalable texture @ L1
>>4 byte 97 \b, simple face animation @ L1
>>4 byte 98 \b, simple face animation @ L2
>>4 byte 99 \b, simple face basic animation @ L1
>>4 byte 100 \b, simple face basic animation @ L2
>>4 byte 113 \b, basic animation text @ L1
>>4 byte 114 \b, basic animation text @ L2
>>4 byte 129 \b, hybrid @ L1
>>4 byte 130 \b, hybrid @ L2
>>4 byte 145 \b, advanced RT simple @ L!
>>4 byte 146 \b, advanced RT simple @ L2
>>4 byte 147 \b, advanced RT simple @ L3
>>4 byte 148 \b, advanced RT simple @ L4
>>4 byte 161 \b, core scalable @ L1
>>4 byte 162 \b, core scalable @ L2
>>4 byte 163 \b, core scalable @ L3
>>4 byte 177 \b, advanced coding efficiency @ L1
>>4 byte 178 \b, advanced coding efficiency @ L2
>>4 byte 179 \b, advanced coding efficiency @ L3
>>4 byte 180 \b, advanced coding efficiency @ L4
>>4 byte 193 \b, advanced core @ L1
>>4 byte 194 \b, advanced core @ L2
>>4 byte 209 \b, advanced scalable texture @ L1
>>4 byte 210 \b, advanced scalable texture @ L2
>>4 byte 211 \b, advanced scalable texture @ L3
>>4 byte 225 \b, simple studio @ L1
>>4 byte 226 \b, simple studio @ L2
>>4 byte 227 \b, simple studio @ L3
>>4 byte 228 \b, simple studio @ L4
>>4 byte 229 \b, core studio @ L1
>>4 byte 230 \b, core studio @ L2
>>4 byte 231 \b, core studio @ L3
>>4 byte 232 \b, core studio @ L4
>>4 byte 240 \b, advanced simple @ L0
>>4 byte 241 \b, advanced simple @ L1
>>4 byte 242 \b, advanced simple @ L2
>>4 byte 243 \b, advanced simple @ L3
>>4 byte 244 \b, advanced simple @ L4
>>4 byte 245 \b, advanced simple @ L5
>>4 byte 247 \b, advanced simple @ L3b
>>4 byte 248 \b, FGS @ L0
>>4 byte 249 \b, FGS @ L1
>>4 byte 250 \b, FGS @ L2
>>4 byte 251 \b, FGS @ L3
>>4 byte 252 \b, FGS @ L4
>>4 byte 253 \b, FGS @ L5
>3 byte 0xB5 MPEG sequence, v4
!:mime video/mpeg4-generic
>>4 byte &0x80
>>>5 byte&0xF0 16 \b, video (missing profile header)
>>>5 byte&0xF0 32 \b, still texture (missing profile header)
>>>5 byte&0xF0 48 \b, mesh (missing profile header)
>>>5 byte&0xF0 64 \b, face (missing profile header)
>>4 byte&0xF8 8 \b, video (missing profile header)
>>4 byte&0xF8 16 \b, still texture (missing profile header)
>>4 byte&0xF8 24 \b, mesh (missing profile header)
>>4 byte&0xF8 32 \b, face (missing profile header)
>3 byte 0xB3 MPEG sequence
!:mime video/mpeg
>>12 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video
>>12 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video
>>12 belong 0x000001B5 \b, v2,
>>>16 byte&0x0F 1 \b HP
>>>16 byte&0x0F 2 \b Spt
>>>16 byte&0x0F 3 \b SNR
>>>16 byte&0x0F 4 \b MP
>>>16 byte&0x0F 5 \b SP
>>>17 byte&0xF0 64 \b@HL
>>>17 byte&0xF0 96 \b@H-14
>>>17 byte&0xF0 128 \b@ML
>>>17 byte&0xF0 160 \b@LL
>>>17 byte &0x08 \b progressive
>>>17 byte ^0x08 \b interlaced
>>>17 byte&0x06 2 \b Y'CbCr 4:2:0 video
>>>17 byte&0x06 4 \b Y'CbCr 4:2:2 video
>>>17 byte&0x06 6 \b Y'CbCr 4:4:4 video
>>11 byte &0x02
>>>75 byte &0x01
>>>>140 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video
>>>>140 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video
>>>>140 belong 0x000001B5 \b, v2,
>>>>>144 byte&0x0F 1 \b HP
>>>>>144 byte&0x0F 2 \b Spt
>>>>>144 byte&0x0F 3 \b SNR
>>>>>144 byte&0x0F 4 \b MP
>>>>>144 byte&0x0F 5 \b SP
>>>>>145 byte&0xF0 64 \b@HL
>>>>>145 byte&0xF0 96 \b@H-14
>>>>>145 byte&0xF0 128 \b@ML
>>>>>145 byte&0xF0 160 \b@LL
>>>>>145 byte &0x08 \b progressive
>>>>>145 byte ^0x08 \b interlaced
>>>>>145 byte&0x06 2 \b Y'CbCr 4:2:0 video
>>>>>145 byte&0x06 4 \b Y'CbCr 4:2:2 video
>>>>>145 byte&0x06 6 \b Y'CbCr 4:4:4 video
>>76 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video
>>76 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video
>>76 belong 0x000001B5 \b, v2,
>>>80 byte&0x0F 1 \b HP
>>>80 byte&0x0F 2 \b Spt
>>>80 byte&0x0F 3 \b SNR
>>>80 byte&0x0F 4 \b MP
>>>80 byte&0x0F 5 \b SP
>>>81 byte&0xF0 64 \b@HL
>>>81 byte&0xF0 96 \b@H-14
>>>81 byte&0xF0 128 \b@ML
>>>81 byte&0xF0 160 \b@LL
>>>81 byte &0x08 \b progressive
>>>81 byte ^0x08 \b interlaced
>>>81 byte&0x06 2 \b Y'CbCr 4:2:0 video
>>>81 byte&0x06 4 \b Y'CbCr 4:2:2 video
>>>81 byte&0x06 6 \b Y'CbCr 4:4:4 video
>>4 belong&0xFFFFFF00 0x78043800 \b, HD-TV 1920P
>>>7 byte&0xF0 0x10 \b, 16:9
>>4 belong&0xFFFFFF00 0x50002D00 \b, SD-TV 1280I
>>>7 byte&0xF0 0x10 \b, 16:9
>>4 belong&0xFFFFFF00 0x30024000 \b, PAL Capture
>>>7 byte&0xF0 0x10 \b, 4:3
>>4 beshort&0xFFF0 0x2C00 \b, 4CIF
>>>5 beshort&0x0FFF 0x01E0 \b NTSC
>>>5 beshort&0x0FFF 0x0240 \b PAL
>>>7 byte&0xF0 0x20 \b, 4:3
>>>7 byte&0xF0 0x30 \b, 16:9
>>>7 byte&0xF0 0x40 \b, 11:5
>>>7 byte&0xF0 0x80 \b, PAL 4:3
>>>7 byte&0xF0 0xC0 \b, NTSC 4:3
>>4 belong&0xFFFFFF00 0x2801E000 \b, LD-TV 640P
>>>7 byte&0xF0 0x10 \b, 4:3
>>4 belong&0xFFFFFF00 0x1400F000 \b, 320x240
>>>7 byte&0xF0 0x10 \b, 4:3
>>4 belong&0xFFFFFF00 0x0F00A000 \b, 240x160
>>>7 byte&0xF0 0x10 \b, 4:3
>>4 belong&0xFFFFFF00 0x0A007800 \b, 160x120
>>>7 byte&0xF0 0x10 \b, 4:3
>>4 beshort&0xFFF0 0x1600 \b, CIF
>>>5 beshort&0x0FFF 0x00F0 \b NTSC
>>>5 beshort&0x0FFF 0x0120 \b PAL
>>>7 byte&0xF0 0x20 \b, 4:3
>>>7 byte&0xF0 0x30 \b, 16:9
>>>7 byte&0xF0 0x40 \b, 11:5
>>>7 byte&0xF0 0x80 \b, PAL 4:3
>>>7 byte&0xF0 0xC0 \b, NTSC 4:3
>>>5 beshort&0x0FFF 0x0240 \b PAL 625
>>>>7 byte&0xF0 0x20 \b, 4:3
>>>>7 byte&0xF0 0x30 \b, 16:9
>>>>7 byte&0xF0 0x40 \b, 11:5
>>4 beshort&0xFFF0 0x2D00 \b, CCIR/ITU
>>>5 beshort&0x0FFF 0x01E0 \b NTSC 525
>>>5 beshort&0x0FFF 0x0240 \b PAL 625
>>>7 byte&0xF0 0x20 \b, 4:3
>>>7 byte&0xF0 0x30 \b, 16:9
>>>7 byte&0xF0 0x40 \b, 11:5
>>4 beshort&0xFFF0 0x1E00 \b, SVCD
>>>5 beshort&0x0FFF 0x01E0 \b NTSC 525
>>>5 beshort&0x0FFF 0x0240 \b PAL 625
>>>7 byte&0xF0 0x20 \b, 4:3
>>>7 byte&0xF0 0x30 \b, 16:9
>>>7 byte&0xF0 0x40 \b, 11:5
>>7 byte&0x0F 1 \b, 23.976 fps
>>7 byte&0x0F 2 \b, 24 fps
>>7 byte&0x0F 3 \b, 25 fps
>>7 byte&0x0F 4 \b, 29.97 fps
>>7 byte&0x0F 5 \b, 30 fps
>>7 byte&0x0F 6 \b, 50 fps
>>7 byte&0x0F 7 \b, 59.94 fps
>>7 byte&0x0F 8 \b, 60 fps
>>11 byte &0x04 \b, Constrained

# MPEG ADTS Audio (*.mpx/mxa/aac)
# from dreesen@math.fu-berlin.de
# modified to fully support MPEG ADTS

# MP3, M1A
# modified by Joerg Jenderek
# GRR the original test are too common for many DOS files
# so don't accept as MP3 until we've tested the rate
# But also beat GEMDOS fonts
0 beshort&0xFFFE 0xFFFA
# rates
>2 byte&0xF0 !0
>>2 byte&0xF0 !0xF0 MPEG ADTS, layer III, v1
!:strength +20
!:mime audio/mpeg
>2 byte&0xF0 0x10 \b, 32 kbps
>2 byte&0xF0 0x20 \b, 40 kbps
>2 byte&0xF0 0x30 \b, 48 kbps
>2 byte&0xF0 0x40 \b, 56 kbps
>2 byte&0xF0 0x50 \b, 64 kbps
>2 byte&0xF0 0x60 \b, 80 kbps
>2 byte&0xF0 0x70 \b, 96 kbps
>2 byte&0xF0 0x80 \b, 112 kbps
>2 byte&0xF0 0x90 \b, 128 kbps
>2 byte&0xF0 0xA0 \b, 160 kbps
>2 byte&0xF0 0xB0 \b, 192 kbps
>2 byte&0xF0 0xC0 \b, 224 kbps
>2 byte&0xF0 0xD0 \b, 256 kbps
>2 byte&0xF0 0xE0 \b, 320 kbps
# timing
>2 byte&0x0C 0x00 \b, 44.1 kHz
>2 byte&0x0C 0x04 \b, 48 kHz
>2 byte&0x0C 0x08 \b, 32 kHz
# channels/options
>3 byte&0xC0 0x00 \b, Stereo
>3 byte&0xC0 0x40 \b, JntStereo
>3 byte&0xC0 0x80 \b, 2x Monaural
>3 byte&0xC0 0xC0 \b, Monaural
#>1 byte ^0x01 \b, Data Verify
#>2 byte &0x02 \b, Packet Pad
#>2 byte &0x01 \b, Custom Flag
#>3 byte &0x08 \b, Copyrighted
#>3 byte &0x04 \b, Original Source
#>3 byte&0x03 1 \b, NR: 50/15 ms
#>3 byte&0x03 3 \b, NR: CCIT J.17

# MP2, M1A
0 beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1
!:mime audio/mpeg
# rates
>2
byte&0xF0 0x10 \b, 32 kbps>2 byte&0xF0 0x20 \b, 48 kbps>2 byte&0xF0 0x30 \b, 56 kbps>2 byte&0xF0 0x40 \b, 64 kbps>2 byte&0xF0 0x50 \b, 80 kbps>2 byte&0xF0 0x60 \b, 96 kbps>2 byte&0xF0 0x70 \b, 112 kbps>2 byte&0xF0 0x80 \b, 128 kbps>2 byte&0xF0 0x90 \b, 160 kbps>2 byte&0xF0 0xA0 \b, 192 kbps>2 byte&0xF0 0xB0 \b, 224 kbps>2 byte&0xF0 0xC0 \b, 256 kbps>2 byte&0xF0 0xD0 \b, 320 kbps>2 byte&0xF0 0xE0 \b, 384 kbps# timing>2 byte&0x0C 0x00 \b, 44.1 kHz>2 byte&0x0C 0x04 \b, 48 kHz>2 byte&0x0C 0x08 \b, 32 kHz# channels/options>3 byte&0xC0 0x00 \b, Stereo>3 byte&0xC0 0x40 \b, JntStereo>3 byte&0xC0 0x80 \b, 2x Monaural>3 byte&0xC0 0xC0 \b, Monaural#>1 byte ^0x01 \b, Data Verify#>2 byte &0x02 \b, Packet Pad#>2 byte &0x01 \b, Custom Flag#>3 byte &0x08 \b, Copyrighted#>3 byte &0x04 \b, Original Source#>3 byte&0x03 1 \b, NR: 50/15 ms#>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M1A# updated by Joerg Jenderek# GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448# GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE)# FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries#0 beshort&0xFFFE 0xFFFE#>2 ubyte&0xF0 >0x0F#>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1## rate#>>>2 byte&0xF0 0x10 \b, 32 kbps#>>>2 byte&0xF0 0x20 \b, 64 kbps#>>>2 byte&0xF0 0x30 \b, 96 kbps#>>>2 byte&0xF0 0x40 \b, 128 kbps#>>>2 byte&0xF0 0x50 \b, 160 kbps#>>>2 byte&0xF0 0x60 \b, 192 kbps#>>>2 byte&0xF0 0x70 \b, 224 kbps#>>>2 byte&0xF0 0x80 \b, 256 kbps#>>>2 byte&0xF0 0x90 \b, 288 kbps#>>>2 byte&0xF0 0xA0 \b, 320 kbps#>>>2 byte&0xF0 0xB0 \b, 352 kbps#>>>2 byte&0xF0 0xC0 \b, 384 kbps#>>>2 byte&0xF0 0xD0 \b, 416 kbps#>>>2 byte&0xF0 0xE0 \b, 448 kbps## timing#>>>2 byte&0x0C 0x00 \b, 44.1 kHz#>>>2 byte&0x0C 0x04 \b, 48 kHz#>>>2 byte&0x0C 0x08 \b, 32 kHz## channels/options#>>>3 byte&0xC0 0x00 \b, Stereo#>>>3 byte&0xC0 0x40 \b, JntStereo#>>>3 byte&0xC0 0x80 \b, 2x Monaural#>>>3 byte&0xC0 0xC0 \b, Monaural##>1 byte ^0x01 \b, Data Verify##>2 
byte &0x02 \b, Packet Pad##>2 byte &0x01 \b, Custom Flag##>3 byte &0x08 \b, Copyrighted##>3 byte &0x04 \b, Original Source##>3 byte&0x03 1 \b, NR: 50/15 ms##>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M2A0 beshort&0xFFFE 0xFFF2 MPEG ADTS, layer III, v2!:mime audio/mpeg# rate>2 byte&0xF0 0x10 \b, 8 kbps>2 byte&0xF0 0x20 \b, 16 kbps>2 byte&0xF0 0x30 \b, 24 kbps>2 byte&0xF0 0x40 \b, 32 kbps>2 byte&0xF0 0x50 \b, 40 kbps>2 byte&0xF0 0x60 \b, 48 kbps>2 byte&0xF0 0x70 \b, 56 kbps>2 byte&0xF0 0x80 \b, 64 kbps>2 byte&0xF0 0x90 \b, 80 kbps>2 byte&0xF0 0xA0 \b, 96 kbps>2 byte&0xF0 0xB0 \b, 112 kbps>2 byte&0xF0 0xC0 \b, 128 kbps>2 byte&0xF0 0xD0 \b, 144 kbps>2 byte&0xF0 0xE0 \b, 160 kbps# timing>2 byte&0x0C 0x00 \b, 22.05 kHz>2 byte&0x0C 0x04 \b, 24 kHz>2 byte&0x0C 0x08 \b, 16 kHz# channels/options>3 byte&0xC0 0x00 \b, Stereo>3 byte&0xC0 0x40 \b, JntStereo>3 byte&0xC0 0x80 \b, 2x Monaural>3 byte&0xC0 0xC0 \b, Monaural#>1 byte ^0x01 \b, Data Verify#>2 byte &0x02 \b, Packet Pad#>2 byte &0x01 \b, Custom Flag#>3 byte &0x08 \b, Copyrighted#>3 byte &0x04 \b, Original Source#>3 byte&0x03 1 \b, NR: 50/15 ms#>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M2A0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2!:mime audio/mpeg# rate>2 byte&0xF0 0x10 \b, 8 kbps>2 byte&0xF0 0x20 \b, 16 kbps>2 byte&0xF0 0x30 \b, 24 kbps>2 byte&0xF0 0x40 \b, 32 kbps>2 byte&0xF0 0x50 \b, 40 kbps>2 byte&0xF0 0x60 \b, 48 kbps>2 byte&0xF0 0x70 \b, 56 kbps>2 byte&0xF0 0x80 \b, 64 kbps>2 byte&0xF0 0x90 \b, 80 kbps>2 byte&0xF0 0xA0 \b, 96 kbps>2 byte&0xF0 0xB0 \b, 112 kbps>2 byte&0xF0 0xC0 \b, 128 kbps>2 byte&0xF0 0xD0 \b, 144 kbps>2 byte&0xF0 0xE0 \b, 160 kbps# timing>2 byte&0x0C 0x00 \b, 22.05 kHz>2 byte&0x0C 0x04 \b, 24 kHz>2 byte&0x0C 0x08 \b, 16 kHz# channels/options>3 byte&0xC0 0x00 \b, Stereo>3 byte&0xC0 0x40 \b, JntStereo>3 byte&0xC0 0x80 \b, 2x Monaural>3 byte&0xC0 0xC0 \b, Monaural#>1 byte ^0x01 \b, Data Verify#>2 byte &0x02 \b, Packet Pad#>2 byte &0x01 \b, Custom Flag#>3 byte &0x08 \b, Copyrighted#>3 byte &0x04 \b, 
Original Source#>3 byte&0x03 1 \b, NR: 50/15 ms#>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M2A0 beshort&0xFFFE 0xFFF6 MPEG ADTS, layer I, v2!:mime audio/mpeg# rate>2 byte&0xF0 0x10 \b, 32 kbps>2 byte&0xF0 0x20 \b, 48 kbps>2 byte&0xF0 0x30 \b, 56 kbps>2 byte&0xF0 0x40 \b, 64 kbps>2 byte&0xF0 0x50 \b, 80 kbps>2 byte&0xF0 0x60 \b, 96 kbps>2 byte&0xF0 0x70 \b, 112 kbps>2 byte&0xF0 0x80 \b, 128 kbps>2 byte&0xF0 0x90 \b, 144 kbps>2 byte&0xF0 0xA0 \b, 160 kbps>2 byte&0xF0 0xB0 \b, 176 kbps>2 byte&0xF0 0xC0 \b, 192 kbps>2 byte&0xF0 0xD0 \b, 224 kbps>2 byte&0xF0 0xE0 \b, 256 kbps# timing>2 byte&0x0C 0x00 \b, 22.05 kHz>2 byte&0x0C 0x04 \b, 24 kHz>2 byte&0x0C 0x08 \b, 16 kHz# channels/options>3 byte&0xC0 0x00 \b, Stereo>3 byte&0xC0 0x40 \b, JntStereo>3 byte&0xC0 0x80 \b, 2x Monaural>3 byte&0xC0 0xC0 \b, Monaural#>1 byte ^0x01 \b, Data Verify#>2 byte &0x02 \b, Packet Pad#>2 byte &0x01 \b, Custom Flag#>3 byte &0x08 \b, Copyrighted#>3 byte &0x04 \b, Original Source#>3 byte&0x03 1 \b, NR: 50/15 ms#>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M25A0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5!:mime audio/mpeg# rate>2 byte&0xF0 0x10 \b, 8 kbps>2 byte&0xF0 0x20 \b, 16 kbps>2 byte&0xF0 0x30 \b, 24 kbps>2 byte&0xF0 0x40 \b, 32 kbps>2 byte&0xF0 0x50 \b, 40 kbps>2 byte&0xF0 0x60 \b, 48 kbps>2 byte&0xF0 0x70 \b, 56 kbps>2 byte&0xF0 0x80 \b, 64 kbps>2 byte&0xF0 0x90 \b, 80 kbps>2 byte&0xF0 0xA0 \b, 96 kbps>2 byte&0xF0 0xB0 \b, 112 kbps>2 byte&0xF0 0xC0 \b, 128 kbps>2 byte&0xF0 0xD0 \b, 144 kbps>2 byte&0xF0 0xE0 \b, 160 kbps# timing>2 byte&0x0C 0x00 \b, 11.025 kHz>2 byte&0x0C 0x04 \b, 12 kHz>2 byte&0x0C 0x08 \b, 8 kHz# channels/options>3 byte&0xC0 0x00 \b, Stereo>3 byte&0xC0 0x40 \b, JntStereo>3 byte&0xC0 0x80 \b, 2x Monaural>3 byte&0xC0 0xC0 \b, Monaural#>1 byte ^0x01 \b, Data Verify#>2 byte &0x02 \b, Packet Pad#>2 byte &0x01 \b, Custom Flag#>3 byte &0x08 \b, Copyrighted#>3 byte &0x04 \b, Original Source#>3 byte&0x03 1 \b, NR: 50/15 ms#>3 byte&0x03 3 \b, NR: CCIT J.17 # AAC (aka MPEG-2 NBC 
audio) and MPEG-4 audio # Stored AAC streams (instead of the MP4 format)0 string ADIF MPEG ADIF, AAC!:mime audio/x-hx-aac-adif>4 byte &0x80>>13 byte &0x10 \b, VBR>>13 byte ^0x10 \b, CBR>>16 byte&0x1E 0x02 \b, single stream>>16 byte&0x1E 0x04 \b, 2 streams>>16 byte&0x1E 0x06 \b, 3 streams>>16 byte &0x08 \b, 4 or more streams>>16 byte &0x10 \b, 8 or more streams>>4 byte &0x80 \b, Copyrighted>>13 byte &0x40 \b, Original Source>>13 byte &0x20 \b, Home Flag>4 byte ^0x80>>4 byte &0x10 \b, VBR>>4 byte ^0x10 \b, CBR>>7 byte&0x1E 0x02 \b, single stream>>7 byte&0x1E 0x04 \b, 2 streams>>7 byte&0x1E 0x06 \b, 3 streams>>7 byte &0x08 \b, 4 or more streams>>7 byte &0x10 \b, 8 or more streams>>4 byte &0x40 \b, Original Stream(s)>>4 byte &0x20 \b, Home Source # Live or stored single AAC stream (used with MPEG-2 systems)0 beshort&0xFFF6 0xFFF0 MPEG ADTS, AAC!:mime audio/x-hx-aac-adts>1 byte &0x08 \b, v2>1 byte ^0x08 \b, v4# profile>>2 byte &0xC0 \b LTP>2 byte&0xc0 0x00 \b Main>2 byte&0xc0 0x40 \b LC>2 byte&0xc0 0x80 \b SSR# timing>2 byte&0x3c 0x00 \b, 96 kHz>2 byte&0x3c 0x04 \b, 88.2 kHz>2 byte&0x3c 0x08 \b, 64 kHz>2 byte&0x3c 0x0c \b, 48 kHz>2 byte&0x3c 0x10 \b, 44.1 kHz>2 byte&0x3c 0x14 \b, 32 kHz>2 byte&0x3c 0x18 \b, 24 kHz>2 byte&0x3c 0x1c \b, 22.05 kHz>2 byte&0x3c 0x20 \b, 16 kHz>2 byte&0x3c 0x24 \b, 12 kHz>2 byte&0x3c 0x28 \b, 11.025 kHz>2 byte&0x3c 0x2c \b, 8 kHz# channels>2 beshort&0x01c0 0x0040 \b, monaural>2 beshort&0x01c0 0x0080 \b, stereo>2 beshort&0x01c0 0x00c0 \b, stereo + center>2 beshort&0x01c0 0x0100 \b, stereo+center+LFE>2 beshort&0x01c0 0x0140 \b, surround>2 beshort&0x01c0 0x0180 \b, surround + LFE>2 beshort &0x01C0 \b, surround + side#>1 byte ^0x01 \b, Data Verify#>2 byte &0x02 \b, Custom Flag#>3 byte &0x20 \b, Original Stream#>3 byte &0x10 \b, Home Source#>3 byte &0x08 \b, Copyrighted # Live MPEG-4 audio streams (instead of RTP FlexMux)0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS!:mime audio/x-mp4a-latm#>1 beshort&0x1FFF x \b, %hu byte packet>3 byte&0xE0 0x40>>4 
byte&0x3C 0x04 \b, single stream>>4 byte&0x3C 0x08 \b, 2 streams>>4 byte&0x3C 0x0C \b, 3 streams>>4 byte &0x08 \b, 4 or more streams>>4 byte &0x20 \b, 8 or more streams>3 byte&0xC0 0>>4 byte&0x78 0x08 \b, single stream>>4 byte&0x78 0x10 \b, 2 streams>>4 byte&0x78 0x18 \b, 3 streams>>4 byte &0x20 \b, 4 or more streams>>4 byte &0x40 \b, 8 or more streams# This magic isn't strong enough (matches plausible ISO-8859-1 text)#0 beshort 0x4DE1 MPEG-4 LO-EP audio stream#!:mime audio/x-mp4a-latm # Summary: FLI animation format# Created by: Daniel Quinlan <quinlan@yggdrasil.com># Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection)4 leshort 0xAF11# standard FLI always has 320x200 resolution and 8 bit color>8 leshort 320>>10 leshort 200>>>12 leshort 8 FLI animation, 320x200x8!:mime video/x-fli>>>>6 leshort x \b, %d frames# frame speed is multiple of 1/70s>>>>16 leshort x \b, %d/70s per frame # Summary: FLC animation format# Created by: Daniel Quinlan <quinlan@yggdrasil.com># Modified by (1): Abel Cheung <abelcheung@gmail.com> (avoid over-generic detection)4 leshort 0xAF12# standard FLC always use 8 bit color>12 leshort 8 FLC animation!:mime video/x-flc>>8 leshort x \b, %d>>10 leshort x \bx%dx8>>6 uleshort x \b, %d frames>>16 uleshort x \b, %dms per frame # DL animation format# XXX - collision with most `mips' magic## I couldn't find a real magic number for these, however, this# -appears- to work. Note that it might catch other files, too, so be# careful!## Note that title and author appear in the two 20-byte chunks# at decimal offsets 2 and 22, respectively, but they are XOR'ed with# 255 (hex FF)! 
The DL format is really bad.##0 byte 1 DL version 1, medium format (160x100, 4 images/screen)#!:mime video/x-unknown#>42 byte x - %d screens,#>43 byte x %d commands#0 byte 2 DL version 2#!:mime video/x-unknown#>1 byte 1 - large format (320x200,1 image/screen),#>1 byte 2 - medium format (160x100,4 images/screen),#>1 byte >2 - unknown format,#>42 byte x %d screens,#>43 byte x %d commands# Based on empirical evidence, DL version 3 have several nulls following the# \003. Most of them start with non-null values at hex offset 0x34 or so.#0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3 # iso 13818 transport stream## from Oskar Schirmer <schirmer@scara.com> Feb 3, 2001 (ISO 13818.1)# syncbyte 8 bit 0x47# error_ind 1 bit -# payload_start 1 bit 1# priority 1 bit -# PID 13 bit 0x0000# scrambling 2 bit -# adaptfld_ctrl 2 bit 1 or 3# conti_count 4 bit -0 belong&0xFF5FFF10 0x47400010>188 byte 0x47 MPEG transport stream data!:mime video/MP2T # DIF digital video file format <mpruett@sgi.com>0 belong&0xffffff00 0x1f070000 DIF>4 byte &0x01 (DVCPRO) movie file>4 byte ^0x01 (DV) movie file>3 byte &0x80 (PAL)>3 byte ^0x80 (NTSC) # MNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/>0 string \x8aMNG MNG video data,!:mime video/x-mng>4 belong !0x0d0a1a0a CORRUPTED,>4 belong 0x0d0a1a0a>>16 belong x %d x>>20 belong x %d # JNG Video Format, <URL:http://www.libpng.org/pub/mng/spec/>0 string \x8bJNG JNG video data,!:mime video/x-jng>4 belong !0x0d0a1a0a CORRUPTED,>4 belong 0x0d0a1a0a>>16 belong x %d x>>20 belong x %d # Vivo video (Wolfram Kleff)3 string \x0D\x0AVersion:Vivo Vivo video data # ABC (alembic.io 3d models)0 string 0gawa ABC 3d model # VRML (Virtual Reality Modelling Language)0 string/w #VRML\ V1.0\ ascii VRML 1 file!:mime model/vrml0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file!:mime model/vrml # X3D (Extensible 3D) [https://www.web3d.org/specifications/x3d-3.0.dtd]# From Michel Briand <michelbriand@free.fr># mimetype from 
https://www.iana.org/assignments/media-types/model/x3d+xml# Example https://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d0 string/w \<?xml\ version=!:strength + 5>20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text!:mime model/x3d+xml #---------------------------------------------------------------------------# HVQM4: compressed movie format designed by Hudson for Nintendo GameCube# From Mark Sheppard <msheppard@climax.co.uk>, 2002-10-03#0 string HVQM4 %s>6 string >\0 v%s>0 byte x GameCube movie,>0x34 ubeshort x %d x>0x36 ubeshort x %d,>0x26 ubeshort x %dus,>0x42 ubeshort 0 no audio>0x42 ubeshort >0 %dHz audio # From: "Stefan A. Haubenthal" <polluks@web.de>0 string DVDVIDEO-VTS Video title set,>0x21 byte x v%x0 string DVDVIDEO-VMG Video manager,>0x21 byte x v%x # From: Behan Webster <behanw@websterwood.com># NuppelVideo used by Mythtv (*.nuv)# Note: there are two identical stanzas here differing only in the# initial string matched. It used to be done with a regex, but we're# trying to get rid of those.0 string NuppelVideo MythTV NuppelVideo>12 string x v%s>20 lelong x (%d>24 lelong x \bx%d),>36 string P \bprogressive,>36 string I \binterlaced,>40 ledouble x \baspect:%.2f,>48 ledouble x \bfps:%.2f0 string MythTV MythTV NuppelVideo>12 string x v%s>20 lelong x (%d>24 lelong x \bx%d),>36 string P \bprogressive,>36 string I \binterlaced,>40 ledouble x \baspect:%.2f,>48 ledouble x \bfps:%.2f # MPEG file# MPEG sequences# FIXME: This section is from the old magic.mime file and needs# integrating with the rest#0 belong 0x000001BA#>4 byte &0x40#!:mime video/mp2p#>4 byte ^0x40#!:mime video/mpeg#0 belong 0x000001BB#!:mime video/mpeg#0 belong 0x000001B0#!:mime video/mp4v-es#0 belong 0x000001B5#!:mime video/mp4v-es#0 belong 0x000001B3#!:mime video/mpv#0 belong&0xFF5FFF10 0x47400010#!:mime video/mp2t#0 belong 0x00000001#>4 byte&0x1F 0x07#!:mime video/h264 # Type: Bink Video# Extension: .bik# URL: 
https://wiki.multimedia.cx/index.php?title=Bink_Container# From: <hoehle@users.sourceforge.net> 2008-07-180 name bik#>4 ulelong x size %d>20 ulelong x \b, %d>24 ulelong x \bx%d>8 ulelong x \b, %d frames>32 ulelong x at rate %d/>28 ulelong >1 \b%d>40 ulelong =0 \b, no audio>40 ulelong !0 \b, %d audio track>>40 ulelong !1 \bs# follow properties of the first audio track only>>48 uleshort x %dHz>>51 byte&0x20 0 mono>>51 byte&0x20 !0 stereo#>>51 byte&0x10 0 FFT#>>51 byte&0x10 !0 DCT 0 string BIK>3 regex =[bdfghi] Bink Video rev.%s>>0 use bik 0 string KB2>3 regex =[adfghi] Bink Video 2 rev.%s>>0 use bik # Type: NUT Container# URL: https://wiki.multimedia.cx/index.php?title=NUT# From: Adam Buchbinder <adam.buchbinder@gmail.com>0 string nut/multimedia\ container\0 NUT multimedia container # Type: Nullsoft Video (NSV)# URL: https://wiki.multimedia.cx/index.php?title=Nullsoft_Video# From: Mike Melanson <mike@multimedia.cx>0 string NSVf Nullsoft Video # Type: REDCode Video# URL: https://www.red.com/ ; https://wiki.multimedia.cx/index.php?title=REDCode# From: Mike Melanson <mike@multimedia.cx>4 string RED1 REDCode Video # Type: MTV Multimedia File# URL: https://wiki.multimedia.cx/index.php?title=MTV# From: Mike Melanson <mike@multimedia.cx>0 string AMVS MTV Multimedia File # Type: ARMovie# URL: https://wiki.multimedia.cx/index.php?title=ARMovie# From: Mike Melanson <mike@multimedia.cx>0 string ARMovie\012 ARMovie # Type: Interplay MVE Movie# URL: https://wiki.multimedia.cx/index.php?title=Interplay_MVE# From: Mike Melanson <mike@multimedia.cx>0 string Interplay\040MVE\040File\032 Interplay MVE Movie # Type: Windows Television DVR File# URL: https://wiki.multimedia.cx/index.php?title=WTV# From: Mike Melanson <mike@mutlimedia.cx># This takes the form of a Windows-style GUID0 bequad 0xB7D800203749DA11>8 bequad 0xA64E0007E95EAD8D Windows Television DVR Media # Type: Sega FILM/CPK Multimedia# URL: https://wiki.multimedia.cx/index.php?title=Sega_FILM# From: Mike Melanson 
<mike@multimedia.cx>0 string FILM Sega FILM/CPK Multimedia,>32 belong x %d x>28 belong x %d # Type: Nintendo THP Multimedia# URL: https://wiki.multimedia.cx/index.php?title=THP# From: Mike Melanson <mike@multimedia.cx>0 string THP\0 Nintendo THP Multimedia # Type: BBC Dirac Video# URL: https://wiki.multimedia.cx/index.php?title=Dirac# From: Mike Melanson <mike@multimedia.cx>0 string BBCD BBC Dirac Video # Type: RAD Game Tools Smacker Multimedia# URL: https://wiki.multimedia.cx/index.php?title=Smacker# From: Mike Melanson <mike@multimedia.cx>0 string SMK RAD Game Tools Smacker Multimedia>3 byte x version %c,>4 lelong x %d x>8 lelong x %d,>12 lelong x %d frames # Material Exchange Format# More information:# https://en.wikipedia.org/wiki/Material_Exchange_Format# http://www.freemxf.org/0 string \x06\x0e\x2b\x34\x02\x05\x01\x01\x0d\x01\x02\x01\x01\x02 Material exchange container format!:ext mxf!:mime application/mxf # Recognize LucasArts Smush video files (cf.# https://wiki.multimedia.cx/index.php/Smush)0 string ANIM>8 string AHDR LucasArts Smush Animation Format (SAN) video0 string SANM>8 string SHDR LucasArts Smush v2 (SANM) video # Type: Scaleform video# Extension: .usm# URL: https://wiki.multimedia.cx/index.php/USM# From: David Korth <gerbilsoft@gerbilsoft.com>0 string CRID>32 string @UTF Scaleform video #------------------------------------------------------------------------------# $File: aout,v 1.1 2013/01/09 22:37:23 christos Exp $# aout: file(1) magic for a.out executable/object/etc entries that# handle executables on multiple platforms.# ## Little-endian 32-bit-int a.out, merged from bsdi (for BSD/OS, from# BSDI), netbsd, and vax (for UNIX/32V and BSD)## XXX - is there anything we can look at to distinguish BSD/OS 386 from# NetBSD 386 from various VAX binaries? The BSD/OS shared library flag# works only for binaries using shared libraries. 
Grabbing the entry# point from the a.out header, using it to find the first code executed# in the program, and looking at that might help.#0 lelong 0407 a.out little-endian 32-bit executable>16 lelong >0 not stripped>32 byte 0x6a (uses BSD/OS shared libs) 0 lelong 0410 a.out little-endian 32-bit pure executable>16 lelong >0 not stripped>32 byte 0x6a (uses BSD/OS shared libs) 0 lelong 0413 a.out little-endian 32-bit demand paged pure executable>16 lelong >0 not stripped>32 byte 0x6a (uses BSD/OS shared libs) ## Big-endian 32-bit-int a.out, merged from sun (for old 68010 SunOS a.out),# mips (for old 68020(!) SGI a.out), and netbsd (for old big-endian a.out).## XXX - is there anything we can look at to distinguish old SunOS 68010# from old 68020 IRIX from old NetBSD? Again, I guess we could look at# the first instruction or instructions in the program.#0 belong 0407 a.out big-endian 32-bit executable>16 belong >0 not stripped 0 belong 0410 a.out big-endian 32-bit pure executable>16 belong >0 not stripped 0 belong 0413 a.out big-endian 32-bit demand paged executable>16 belong >0 not stripped #------------------------------------------------------------------------------# $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $# apache: file(1) magic for Apache Big Data formats # Avro files0 string Obj Apache Avro>3 byte x version %d # ORC files# Important information is in file footer, which we can't index to :(0 string ORC Apache ORC # Parquet files0 string PAR1 Apache Parquet # Hive RC files0 string RCF Apache Hive RC file>3 byte x version %d # Sequence files (and the careless first version of RC file) 0 string SEQ>3 byte <6 Apache Hadoop Sequence file version %d>3 byte >6 Apache Hadoop Sequence file version %d>3 byte =6>>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0>>3 default x Apache Hadoop Sequence file version 6 #------------------------------------------------------------------------------# $File: apl,v 1.6 2009/09/19 
16:28:07 christos Exp $# apl: file(1) magic for APL (see also "pdp" and "vax" for other APL# workspaces)#0 long 0100554 APL workspace (Ken's original?) #------------------------------------------------------------------------------# $File: apple,v 1.44 2019/10/18 15:21:02 christos Exp $# apple: file(1) magic for Apple file formats#0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text0 string \x0aGL Binary II (apple ][) data0 string \x76\xff Squeezed (apple ][) data0 string NuFile NuFile archive (apple ][) data0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data0 belong 0x00051600 AppleSingle encoded Macintosh file0 belong 0x00051607 AppleDouble encoded Macintosh file # Type: Apple Emulator WOZ format# From: Greg Wildman <greg@apple2.org.za># Ref: https://applesaucefdc.com/woz/reference/# Ref: https://applesaucefdc.com/woz/reference2/## Note: The following test are mostly identical. I would rather not# use a regex to identify the WOZ format number.0 string WOZ1>4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image>12 string INFO>>21 byte 01 \b, 5.25 inch>>21 byte 02 \b, 3.5 inch>>22 byte 01 \b, write protected>>23 byte 01 \b, cross track synchronized>>25 string/T x \b, %.32s0 string WOZ2>4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image>12 string INFO>>21 byte 01 \b, 5.25 inch>>21 byte 02 \b, 3.5 inch>>22 byte 01 \b, write protected>>23 byte 01 \b, cross track synchronized>>25 string/T x \b, %.32s # Type: Apple Emulator disk images# From: Greg Wildman <greg@apple2.org.za># ProDOS boot loader?0 string \x01\x38\xB0\x03\x4C Apple ProDOS Image# Detect Volume Directory block ($02)>0x400 string \x00\x00\x03\x00>>0x404 byte &0xF0>>>0x405 string x \b, Volume /%s>>>0x429 leshort x \b, %u Blocks# ProDOS ordered ?>0xb00 string \x00\x00\x03\x00>>0xb04 byte &0xF0>>>0xb05 string x \b, Volume /%s>>>0xb29 leshort x \b, %u Blocks## DOS3.3 boot loader?0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B>0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image>>0x11006 byte x \b, Volume 
%u>>0x11034 byte x \b, %u Tracks>>0x11035 byte x \b, %u Sectors>>0x11036 leshort x \b, %u bytes per sector# DOS3.2 ?>0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image>>0x11006 byte x \b, Volume %u>>0x11034 byte x \b, %u Tracks>>0x11035 byte x \b, %u Sectors>>0x11036 leshort x \b, %u bytes per sector# DOS3.1 ?>0x11001 string \x11\x0C\x01>>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image## Pascal boot loader?0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD>0xd6 pstring SYSTEM.APPLE>>0xb00 leshort 0x0000>>>0xb04 leshort 0x0000 Apple Pascal Image>>>>0xb06 pstring x \b, Volume %s:>>>>0xb0e leshort x \b, %u Blocks>>>>0xb10 leshort x \b, %u Files## Diversi Dos boot loader?0 string \x01\xA8\xAD\x81\xC0\xEE\x09\x08\xAD>0x11001 string \x11\x0F\x03 Apple Diversi Dos Image>>0x11006 byte x \b, Volume %u>>0x11034 byte x \b, %u Tracks>>0x11035 byte x \b, %u Sectors>>0x11036 leshort x \b, %u bytes per sector # Type: Apple Emulator 2IMG format# From: Radek Vokal <rvokal@redhat.com># Update: Greg Wildman <greg@apple2.org.za>0 string 2IMG Apple ][ 2IMG Disk Image>4 clear x>4 string XGS! 
\b, XGS>4 string CTKG \b, Catakig>4 string ShIm \b, Sheppy's ImageMaker>4 string SHEP \b, Sheppy's ImageMaker>4 string WOOF \b, Sweet 16>4 string B2TR \b, Bernie ][ the Rescue>4 string \!nfc \b, ASIMOV2>4 string \>BD\< \b, Brutal Deluxe's Cadius>4 string CdrP \b, CiderPress>4 string Vi][ \b, Virtual ][>4 string PRFS \b, ProFUSE>4 string FISH \b, FishWings>4 string RVLW \b, Revival for Windows>4 default x>>4 string x \b, Creator tag "%-4.4s">0xc byte 00 \b, DOS 3.3 sector order>>0x10 byte 00 \b, Volume 254>>0x10 byte&0x7f x \b, Volume %u>0xc byte 01 \b, ProDOS sector order# Detect Volume Directory block ($02) + 2mg header offset>>0x440 string \x00\x00\x03\x00>>>0x444 byte &0xF0>>>>0x445 string x \b, Volume /%s>>>>0x469 leshort x \b, %u Blocks>0xc byte 02 \b, NIB data # magic for Newton PDA package formats# from Ruda Moura <ruda@helllabs.org>0 string package0 Newton package, NOS 1.x,>12 belong &0x80000000 AutoRemove,>12 belong &0x40000000 CopyProtect,>12 belong &0x10000000 NoCompression,>12 belong &0x04000000 Relocation,>12 belong &0x02000000 UseFasterCompression,>16 belong x version %d 0 string package1 Newton package, NOS 2.x,>12 belong &0x80000000 AutoRemove,>12 belong &0x40000000 CopyProtect,>12 belong &0x10000000 NoCompression,>12 belong &0x04000000 Relocation,>12 belong &0x02000000 UseFasterCompression,>16 belong x version %d 0 string package4 Newton package,>8 byte 8 NOS 1.x,>8 byte 9 NOS 2.x,>12 belong &0x80000000 AutoRemove,>12 belong &0x40000000 CopyProtect,>12 belong &0x10000000 NoCompression, # The following entries for the Apple II are for files that have# been transferred as raw binary data from an Apple, without having# been encapsulated by any of the above archivers.## In general, Apple II formats are hard to identify because Apple DOS# and especially Apple ProDOS have strong typing in the file system and# therefore programmers never felt much need to include type information# in the files themselves.## Eric Fischer <enf@pobox.com> # AppleWorks word 
processor:# URL: https://en.wikipedia.org/wiki/AppleWorks# Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx# Update: Joerg Jenderek# NOTE:# The "O" is really the magic number, but that's so common that it's# necessary to check the tab stops that follow it to avoid false positives.# and/or look for unused bits of booleans bytes like zoom, paginated, mail merge# the newer AppleWorks is from claris with extension CWK4 string O# test for unused bits of zoom- , paginated-boolean bytes>84 ubequad ^0x00Fe00000000Fe00# look for tabstop definitions "=" no tab, "|" no tab# "<" left tab,"^" center tab,">" right tab, "." decimal tab,# unofficial "!" other , "\x8a" other# official only if SFMinVers is nonzero>>5 regex/s [=.<>|!^\x8a]{79} AppleWorks Word Processor# AppleWorks Word Processor File (Apple II)# ./apple (version 5.25) labeled the entry as "AppleWorks word processor data"# application/x-appleworks is mime type for claris version with cwk extension!:mime application/x-appleworks3# http://home.earthlink.net/~hughhood/appleiiworksenvoy/# ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type')# $70 $1A $F8 $FF is this the apple type ?#:apple pdosp^Z\xf8\xff!:ext awp# minimum version needed to read this files. SFMinVers (0 , 30~3.0 )>>>183 ubyte 30 3.0>>>183 ubyte !30>>>>183 ubyte !0 0x%x# usual tabstop start sequence "=====<">>>5 string x \b, tabstop ruler "%6.6s"# tabstop ruler#>>>5 string >\0 \b, tabstops "%-79s"# zoom switch>>>85 byte&0x01 >0 \b, zoomed# whether paginated>>>90 byte&0x01 >0 \b, paginated# contains any mail-merge commands>>>92 byte&0x01 >0 \b, with mail merge# left margin in 1/10 inches ( normally 0 or 10 )>>>91 ubyte >0>>>>91 ubyte x \b, %d/10 inch left margin # AppleWorks database:## This isn't really a magic number, but it's the closest thing to one# that I could find. 
The 1 and 2 really mean "order in which you defined# categories" and "left to right, top to bottom," respectively; the D and R# mean that the cursor should move either down or right when you press Return. #30 string \x01D AppleWorks database data#30 string \x02D AppleWorks database data#30 string \x01R AppleWorks database data#30 string \x02R AppleWorks database data # AppleWorks spreadsheet:## Likewise, this isn't really meant as a magic number. The R or C means# row- or column-order recalculation; the A or M means automatic or manual# recalculation. #131 string RA AppleWorks spreadsheet data#131 string RM AppleWorks spreadsheet data#131 string CA AppleWorks spreadsheet data#131 string CM AppleWorks spreadsheet data # Applesoft BASIC:## This is incredibly sloppy, but will be true if the program was# written at its usual memory location of 2048 and its first line# number is less than 256. Yuck.# update by Joerg Jenderek at Feb 2013 # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000)#0 belong&0xff00ff 0x80000 Applesoft BASIC program data0 belong&0x00ff00ff 0x00080000# assuming that line number must be positive>2 leshort >0 Applesoft BASIC program data, first line number %d#>2 leshort x \b, first line number %d # ORCA/EZ assembler:## This will not identify ORCA/M source files, since those have# some sort of date code instead of the two zero bytes at 6 and 7# XXX Conflicts with ELF#4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data#>5 byte x \b, build number %d # Broderbund Fantavision## I don't know what these values really mean, but they seem to recur.# Will they cause too many conflicts? 
# Probably :-)
#2 belong&0xFF00FF 0x040008 Fantavision movie data

# Some attempts at images.
#
# These are actually just bit-for-bit dumps of the frame buffer, so
# there's really no reasonably way to distinguish them except for their
# address (if preserved) -- 8192 or 16384 -- and their length -- 8192
# or, occasionally, 8184.
#
# Nevertheless this will manage to catch a lot of images that happen
# to have a solid-colored line at the bottom of the screen.

# GRR: Magic too weak
#8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background
#8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background
#8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background
#8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background
#8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background

# Beagle Bros. Apple Mechanic fonts

0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font

# Apple Universal Disk Image Format (UDIF) - dmg files.
# From Johan Gade.
# These entries are disabled for now until we fix the following issues.
#
# Note there might be some problems with the "VAX COFF executable"
# entry. Note this entry should be placed before the mac filesystem section,
# particularly the "Apple Partition data" entry.
#
# The intended meaning of these tests is, that the file is only of the
# specified type if both of the lines are correct - i.e. if the first
# line matches and the second doesn't then it is not of that type.
#
#0 long 0x7801730d
#>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO)
#
# Note that this entry is recognized correctly by the "Apple Partition
# data" entry - however since this entry is more specific - this
# information seems to be more useful.
#0 long 0x45520200
#>0x410 string disk\ image UDIF read/write image (UDRW)

# From: Toby Peterson <toby@apple.com>
0 string bplist00 Apple binary property list

# Apple binary property list (bplist)
# Assumes version bytes are hex.
# Provides content hints for version 0 files. Assumes that the root
# object is the first object (true for CoreFoundation implementation).
# From: David Remahl <dremahl@apple.com>
0 string bplist
>6 byte x \bCoreFoundation binary property list data, version 0x%c
>>7 byte x \b%c
>6 string 00 \b
>>8 byte&0xF0 0x00 \b
>>>8 byte&0x0F 0x00 \b, root type: null
>>>8 byte&0x0F 0x08 \b, root type: false boolean
>>>8 byte&0x0F 0x09 \b, root type: true boolean
>>8 byte&0xF0 0x10 \b, root type: integer
>>8 byte&0xF0 0x20 \b, root type: real
>>8 byte&0xF0 0x30 \b, root type: date
>>8 byte&0xF0 0x40 \b, root type: data
>>8 byte&0xF0 0x50 \b, root type: ascii string
>>8 byte&0xF0 0x60 \b, root type: unicode string
>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT)
>>8 byte&0xF0 0xa0 \b, root type: array
>>8 byte&0xF0 0xd0 \b, root type: dictionary

# Apple/NeXT typedstream data
# Serialization format used by NeXT and Apple for various
# purposes in YellowStep/Cocoa, including some nib files.
# From: David Remahl <dremahl@apple.com>
2 string typedstream NeXT/Apple typedstream data, big endian
>0 byte x \b, version %d
>0 byte <5 \b
>>13 byte 0x81 \b
>>>14 ubeshort x \b, system %d
2 string streamtyped NeXT/Apple typedstream data, little endian
>0 byte x \b, version %d
>0 byte <5 \b
>>13 byte 0x81 \b
>>>14 uleshort x \b, system %d

#------------------------------------------------------------------------------
# CAF: Apple CoreAudio File Format
#
# Container format for high-end audio purposes.
# From: David Remahl <dremahl@apple.com>
#
0 string caff CoreAudio Format audio file
>4 beshort <10 version %d
>6 beshort x

#------------------------------------------------------------------------------
# Keychain database files
0 string kych Mac OS X Keychain File

#------------------------------------------------------------------------------
# Code Signing related file types
0 belong 0xfade0c00 Mac OS X Code Requirement
>8 belong 1 (opExpr)
>4 belong x - %d bytes

0 belong 0xfade0c01 Mac OS X Code Requirement Set
>8 belong >1 containing %d items
>4 belong x - %d bytes

0 belong 0xfade0c02 Mac OS X Code Directory
>8 belong x version %x
>12 belong >0 flags 0x%x
>4 belong x - %d bytes

0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable)
>4 belong x - %d bytes

0 belong 0xfade0cc1 Mac OS X Detached Code Signature
>8 belong >1 (%d elements)
>4 belong x - %d bytes

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# .vdi
4 string innotek\ VirtualBox\ Disk\ Image %s

# Apple disk partition stuff
# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
# Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h
# Update: Joerg Jenderek
# "ER" is APPLE_DRVR_MAP_MAGIC signature
0 beshort 0x4552
# display Apple Driver Map (strength=50) after Syslinux bootloader (71)
#!:strength +0
# strengthen the magic by looking for used blocksizes 512 2048
>2 ubeshort&0xf1FF 0 Apple Driver Map
# last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid
#>>504 ubequad&0x0000FFffFFff0000 0
!:mime application/x-apple-diskimage
!:apple ????devr
# https://en.wikipedia.org/wiki/Apple_Disk_Image
!:ext dmg/iso
# sbBlkSize for driver descriptor map 512 2048
>>2 beshort x \b, blocksize %d
# sbBlkCount sometimes garbish like
# 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg
# 0xf2720100 for bunziped Firefox 48.0-2.dmg
# 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso
# 0x00009090 by syslinux-6.03/utils/isohybrid.c
>>4 ubelong x \b,
blockcount %u# following device/driver information not very useful# device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)>>8 ubeshort x \b, devtype %u# device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)>>10 ubeshort x \b, devid %u# driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso)>>12 ubelong >0>>>12 ubelong x \b, driver data %u# number of driver descriptors sbDrvrCount <= 61# (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)>>16 ubeshort x \b, driver count %u# 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map# >>18 use apple-driver-map# >>26 use apple-driver-map# # ...# >>500 use apple-driver-map# number of partitions is always same in every partition (map block count)#>>0x0204 ubelong x \b, %u partitions>>0x0204 ubelong >0 \b, contains[@0x200]:>>>0x0200 use apple-apm>>0x0204 ubelong >1 \b, contains[@0x400]:>>>0x0400 use apple-apm>>0x0204 ubelong >2 \b, contains[@0x600]:>>>0x0600 use apple-apm>>0x0204 ubelong >3 \b, contains[@0x800]:>>>0x0800 use apple-apm>>0x0204 ubelong >4 \b, contains[@0xA00]:>>>0x0A00 use apple-apm>>0x0204 ubelong >5 \b, contains[@0xC00]:>>>0x0C00 use apple-apm>>0x0204 ubelong >6 \b, contains[@0xE00]:>>>0x0E00 use apple-apm>>0x0204 ubelong >7 \b, contains[@0x1000]:>>>0x1000 use apple-apm# display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type)0 name apple-driver-map>0 ubequad !0# descBlock first block of driver>>0 ubelong x \b, driver start block %u# descSize driver size in blocks>>4 ubeshort x \b, size %u# descType driver system type 1 701h F8FFh FFFFh>>6 ubeshort x \b, type 0x%x # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map# Reference: https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h# Update: Joerg Jenderek# Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the# magic stronger.# for apple partition map stored as a single file0 
belong 0x504d0000# to display Apple Partition Map (strength=70) after Syslinux bootloader (71)#!:strength +0>0 use apple-apm# magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type# file: could not find any valid magic files!#!:ext bin# display apple partition map. Normally called after Apple driver map0 name apple-apm>0 belong 0x504d0000 Apple Partition Map# number of partitions>>4 ubelong x \b, map block count %u# logical block (512 bytes) start of partition>>8 ubelong x \b, start block %u>>12 ubelong x \b, block count %u>>16 string >0 \b, name %s>>48 string >0 \b, type %s# processor type dpme_process_id[16] e.g. "68000" "68020">>120 string >0 \b, processor %s# A/UX boot arguments BootArgs[128]>>136 string >0 \b, boot arguments %s# status of partition dpme_flags>>88 belong & 1 \b, valid>>88 belong & 2 \b, allocated>>88 belong & 4 \b, in use>>88 belong & 8 \b, has boot info>>88 belong & 16 \b, readable>>88 belong & 32 \b, writable>>88 belong & 64 \b, pic boot code>>88 belong & 128 \b, chain compatible driver>>88 belong & 256 \b, real driver>>88 belong & 512 \b, chain driver# mount automatically at startup APPLE_PS_AUTO_MOUNT>>88 ubelong &0x40000000 \b, mount at startup# is the startup partition APPLE_PS_STARTUP>>88 ubelong &0x80000000 \b, is the startup partition #https://wiki.mozilla.org/DS_Store_File_Format#https://en.wikipedia.org/wiki/.DS_Store0 string \0\0\0\1Bud1\0 Apple Desktop Services Store # HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015)# Usually not in separate files, but have either filename rsrc with# no extension, or a filename corresponding to another file, with# extensions rsr/rsrc0 string \000\000\001\000>4 leshort 0>>16 lelong 0 Apple HFS/HFS+ resource fork #https://en.wikipedia.org/wiki/AppleScript0 string FasdUAS AppleScript compiled # AppleWorks/ClarisWorks# https://github.com/joshenders/appleworks_format# http://fileformats.archiveteam.org/wiki/AppleWorks0 name 
appleworks>0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document>0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document>0 default x>>0 belong x AppleWorks/ClarisWorks CWK Document>0 byte x \b, version %d>30 beshort x \b, %d>32 beshort x \bx%d!:ext cwk 4 string BOBO>0 byte >4>>12 belong 0>>>26 belong 0>>>>0 use appleworks>0 belong 0x0481ad00>>0 use appleworks # magic for Apple File System (APFS)# from Alex Myczko <alex@aiei.ch>32 string NXSB Apple File System (APFS)>36 ulelong x \b, blocksize %u # iTunes cover art (versions 1 and 2)4 string itch>24 string artw>>0x1e8 string data iTunes cover art>>>0x1ed string PNG (PNG)>>>0x1ec beshort 0xffd8 (JPEG) # MacPaint image65 string PNTGMPNT MacPaint image data#0 belong 2 MacPaint image data #------------------------------------------------------------------------------# $File: application,v 1.1 2016/10/17 12:13:01 christos Exp $# application: file(1) magic for applications on small devices## Pebble Application0 string PBLAPP\000\000 Pebble application #------------------------------------------------------------------------------# $File: applix,v 1.5 2009/09/19 16:28:08 christos Exp $# applix: file(1) magic for Applixware# From: Peter Soos <sp@osb.hu>#0 string *BEGIN Applixware>7 string WORDS Words Document>7 string GRAPHICS Graphic>7 string RASTER Bitmap>7 string SPREADSHEETS Spreadsheet>7 string MACRO Macro>7 string BUILDER Builder Object #------------------------------------------------------------------------------# $File: apt,v 1.1 2016/10/17 19:51:57 christos Exp $# apt: file(1) magic for APT Cache files# <http://www.fifi.org/doc/libapt-pkg-doc/cache.html/ch2.html># <https://anonscm.debian.org/cgit/apt/apt.git/tree/apt-pkg/pkgcache.h#n292> # before version 10 ("old format"), data was in arch-specific long/short # old format 64 bit0 name apt-cache-64bit-be>12 beshort 1 \b, dirty>40 bequad x \b, %llu packages>48 bequad x \b, %llu versions # old format 32 bit0 name apt-cache-32bit-be>8 beshort 1 \b, dirty>40 belong x \b, 
%u packages>44 belong x \b, %u versions # new format0 name apt-cache-be>6 byte 1 \b, dirty>24 belong x \b, %u packages>28 belong x \b, %u versions 0 bequad 0x98FE76DC>8 ubeshort <10 APT cache data, version %u>>10 beshort x \b.%u, 64 bit big-endian>>0 use apt-cache-64bit-be 0 lequad 0x98FE76DC>8 uleshort <10 APT cache data, version %u>>10 leshort x \b.%u, 64 bit little-endian>>0 use \^apt-cache-64bit-be 0 belong 0x98FE76DC>4 ubeshort <10 APT cache data, version %u>>6 ubeshort x \b.%u, 32 bit big-endian>>0 use apt-cache-32bit-be>4 ubyte >9 APT cache data, version %u>>5 ubyte x \b.%u, big-endian>>0 use apt-cache-be 0 lelong 0x98FE76DC>4 uleshort <10 APT cache data, version %u>>6 uleshort x \b.%u, 32 bit little-endian>>0 use \^apt-cache-32bit-be>4 ubyte >9 APT cache data, version %u>>5 ubyte x \b.%u, little-endian>>0 use \^apt-cache-be#------------------------------------------------------------------------------# $File: archive,v 1.138 2020/06/07 23:29:26 christos Exp $# archive: file(1) magic for archive formats (see also "msdos" for self-# extracting compressed archives)## cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.# pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c. 
# POSIX tar archives
# URL: https://en.wikipedia.org/wiki/Tar_(computing)
# Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
# header mainly padded with nul bytes
500 quad 0
!:strength /2
# filename or extended attribute printable strings in range space null til umlaut ue
>0 ubeshort >0x1F00
>>0 ubeshort <0xFCFD
# last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
# at https://sourceforge.net/projects/s-tar/files/testscripts/
>>>508 ubelong&0x8B9E8DFF 0
# nul, space or ascii digit 0-7 at start of mode
>>>>100 ubyte&0xC8 =0
>>>>>101 ubyte&0xC8 =0
# nul, space at end of check sum
>>>>>>155 ubyte&0xDF =0
# space or ascii digit 0 at start of check sum
>>>>>>>148 ubyte&0xEF =0x20
>>>>>>>>0 use tar-file
# minimal check and then display tar archive information which can also be
# embedded inside others like Android Backup, Clam AntiVirus database
0 name tar-file
>257 string !ustar
# header padded with nuls
>>257 ulong =0
# GNU tar version 1.29 with non pax format option without refusing
# creates misleading V7 header for Long path, Multi-volume, Volume type
>>>156 ubyte 0x4c GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 ubyte 0x4d GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 ubyte 0x56 GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 default x tar archive (V7)
!:mime application/x-tar
!:ext tar
# other stuff in padding
# some implementations add new fields to the blank area at the end of the header record
# created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
>>257 ulong !0 tar archive (old)
!:mime application/x-tar
!:ext tar
# magic in newer, GNU, posix variants
>257 string =ustar
# 2 last char of magic and UStar version because string expression does not work
# 2 space characters followed by a null for GNU variant
>>261 ubelong =0x72202000 POSIX tar archive (GNU)
!:mime application/x-gtar
!:ext tar/gtar
# UStar version with ASCII "00"
>>261 ubelong 0x72003030 POSIX
# gLOBAL and ExTENSION type only found in POSIX.1-2001 format
>>>156 ubyte 0x67 \b.1-2001
>>>156 ubyte 0x78 \b.1-2001
>>>156 ubyte x tar archive
!:mime application/x-ustar
!:ext tar/ustar
# version with 2 binary nuls embedded in Android Backup like com.android.settings.ab
>>261 ubelong 0x72000000 tar archive (ustar)
!:mime application/x-ustar
!:ext tar/ustar
# not seen ustar variant with garbish version
>>261 default x tar archive (unknown ustar)
!:mime application/x-ustar
!:ext tar/ustar
# type flag of 1st tar archive member
#>156 ubyte x \b, %c-type
>156 ubyte x
>>156 ubyte 0 \b, file
>>156 ubyte 0x30 \b, file
>>156 ubyte 0x31 \b, hard link
>>156 ubyte 0x32 \b, symlink
>>156 ubyte 0x33 \b, char device
>>156 ubyte 0x34 \b, block device
>>156 ubyte 0x35 \b, directory
>>156 ubyte 0x36 \b, fifo
>>156 ubyte 0x37 \b, reserved
>>156 ubyte 0x4c \b, long path
>>156 ubyte 0x4d \b, multi volume
>>156 ubyte 0x56 \b, volume
>>156 ubyte 0x67 \b, global
>>156 ubyte 0x78 \b, extension
>>156 default x \b, type
>>>156 ubyte x '%c'
# name[100]
>0 string >\0 %-.60s
# mode mainly stored as an octal number in ASCII null or space terminated
>100 string >\0 \b, mode %-.7s
# user id mainly as octal numbers in ASCII null or space terminated
>108 string >\0 \b, uid %-.7s
# group id mainly as octal numbers in ASCII null or space terminated
>116 string >\0 \b, gid %-.7s
# size mainly as octal number in ASCII
>124 ubyte <0x38
>>124 string >\0 \b, size %-.12s
# coding indicated by setting the high-order bit of the leftmost byte
>124 ubyte >0xEF \b, size 0x
>>124 ubyte !0xff \b%2.2x
>>125 ubyte !0xff \b%2.2x
>>126 ubyte !0xff \b%2.2x
>>127 ubyte !0xff \b%2.2x
>>128 ubyte !0xff \b%2.2x
>>129 ubyte !0xff \b%2.2x
>>130 ubyte !0xff \b%2.2x
>>131 ubyte !0xff \b%2.2x
>>132 ubyte !0xff \b%2.2x
>>133 ubyte !0xff \b%2.2x
>>134 ubyte !0xff \b%2.2x
>>135 ubyte !0xff \b%2.2x
# seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated
>136 string >\0 \b, seconds %-.11s
# header checksum stored as an octal number in ASCII null or space terminated
#>148 string x \b, cksum %.7s
# linkname[100]
>157 string >\0 \b, linkname %-.40s
# additional fields for ustar
>257 string =ustar
# owner user name null terminated
>>265 string >\0 \b, user %-.32s
# group name null terminated
>>297 string >\0 \b, group %-.32s
# device major minor if not zero
>>329 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>329 string x \b, devmaj %-.7s
>>337 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>337 string x \b, devmin %-.7s
# prefix[155]
>>345 string >\0 \b, prefix %-.155s
# old non ustar/POSIX tar
>257 string !ustar
>>508 string =tar\0
# padding[255] in old star
>>>257 string >\0 \b, padding: %-.40s
>>508 default x
# padding[255] in old tar sometimes comment field
>>>257 string >\0 \b, comment: %-.40s

# Incremental snapshot gnu-tar format from:
# https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\ tar- GNU tar incremental snapshot data
>&0 regex [0-9]\.[0-9]+-[0-9]+ version %s

# cpio archives
#
# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
# The idea is to indicate archives produced on machines with the same
# byte order as the machine running "file" with "cpio archive", and
# to indicate archives produced on machines with the opposite byte order
# from the machine running "file" with "byte-swapped cpio archive".
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
0 short 070707 cpio archive
!:mime application/x-cpio
0 short 0143561 byte-swapped cpio archive
!:mime application/x-cpio # encoding: swapped
0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
0 string 070701 ASCII cpio archive (SVR4 with no CRC)
0 string 070702 ASCII cpio archive (SVR4 with CRC)

#
# Various archive formats used by various versions of the "ar"
# command.
#

#
# Original UNIX archive formats.
# They were written with binary values in host byte order, and
# the magic number was a host "int", which might have been 16 bits
# or 32 bits. We don't say "PDP-11" or "VAX", as there might have
# been ports to little-endian 16-bit-int or 32-bit-int platforms
# (x86?) using some of those formats; if none existed, feel free
# to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
# 32-bit. There might have been big-endian ports of that sort as
# well.
#
0 leshort 0177555 very old 16-bit-int little-endian archive
0 beshort 0177555 very old 16-bit-int big-endian archive
0 lelong 0177555 very old 32-bit-int little-endian archive
0 belong 0177555 very old 32-bit-int big-endian archive

0 leshort 0177545 old 16-bit-int little-endian archive
>2 string __.SYMDEF random library
0 beshort 0177545 old 16-bit-int big-endian archive
>2 string __.SYMDEF random library
0 lelong 0177545 old 32-bit-int little-endian archive
>4 string __.SYMDEF random library
0 belong 0177545 old 32-bit-int big-endian archive
>4 string __.SYMDEF random library

#
# From "pdp" (but why a 4-byte quantity?)
#
0 lelong 0x39bed PDP-11 old archive
0 lelong 0x39bee PDP-11 4.0 archive

#
# XXX - what flavor of APL used this, and was it a variant of
# some ar archive format? It's similar to, but not the same
# as, the APL workspace magic numbers in pdp.
#
0 long 0100554 apl workspace

#
# System V Release 1 portable(?) archive format.
#
0 string =<ar> System V Release 1 ar archive
!:mime application/x-archive

#
# Debian package; it's in the portable archive format, and needs to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "debian".
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Deb_(file_format)
0 string =!<arch>\ndebian
# https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
>14 string -split part of multipart Debian package
!:mime application/vnd.debian.binary-package
# udeb is used for stripped down deb file
!:ext deb/udeb
>14 string -binary Debian binary package
!:mime application/vnd.debian.binary-package
# For ipk packager see also https://en.wikipedia.org/wiki/Opkg
!:ext deb/udeb/ipk
# This should not happen
>14 default x Unknown Debian package
# NL terminated version; for most Debian cases this is 2.0 or 2.1 for splitted
>68 string >\0 (format %s)
#>68 string !2.0\n
#>>68 string x (format %.3s)
>68 string =2.0\n
# 2nd archive name=control archive name like control.tar.gz or control.tar.xz
>>72 string >\0 \b, with %.14s
# look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
>>0 search/0x93e4f data.tar. \b, data compression
# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
# for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
>>>&0 string x %.2s
# skip space (0x20 BSD) and slash (0x2f System V) character marking end of name
>>>&2 ubyte !0x20
>>>>&-1 ubyte !0x2f
# display 3rd character of file name extension like 2 of bz2 or m of lzma
>>>>>&-1 ubyte x \b%c
>>>>>>&0 ubyte !0x20
>>>>>>>&-1 ubyte !0x2f
# display 4th character of file name extension like a of lzma
>>>>>>>>&-1 ubyte x \b%c
# splitted debian package case
>68 string =2.1\n
# dpkg-1.18.25/dpkg-split/info.c
# NL terminated ASCII package name like ckermit
>>&0 string x \b, %s
# NL terminated package version like 302-5.3
>>>&1 string x %s
# NL terminated MD5 checksum
>>>>&1 string x \b, MD5 %s
# NL terminated original package length
>>>>>&1 string x \b, unsplitted size %s
# NL terminated part length
>>>>>>&1 string x \b, part length %s
# NL terminated package part like n/m
>>>>>>>&1 string x \b, part %s
# NL terminated package architecture like armhf since dpkg 1.16.1 or later
>>>>>>>>&1 string x \b, %s

#
# MIPS archive; they're in the portable archive format, and need to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "__________E".
#
0 string =!<arch>\n__________E MIPS archive
!:mime application/x-archive
>20 string U with MIPS Ucode members
>21 string L with MIPSEL members
>21 string B with MIPSEB members
>19 string L and an EL hash table
>19 string B and an EB hash table
>22 string X -- out of date

#
# BSD/SVR2-and-later portable archive formats.
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/AR
# Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
# Note: Mach-O universal binary in ./cafebabe is dependent
# TODO: unify current ar archive, MIPS archive, Debian package
# distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
# *.ar packages from *.a libraries. handle empty archive
0 string =!<arch>\n current ar archive
# print first and possibly second ar_name[16] for debugging purpose
#>8 string x \b, 1st "%.16s"
#>68 string x \b, 2nd "%.16s"
!:mime application/x-archive
# a in most case for libraries; lib for Microsoft libraries; ar else cases
!:ext a/lib/ar
>8 string __.SYMDEF random library
# first member with long marked name __.SYMDEF SORTED implies BSD library
>68 string __.SYMDEF\ SORTED random library
# Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
# "archive file" entry moved from ./hp
# LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
# LST header a_magic 0619h~relocatable library
>68 belong 0x020b0619 - PA-RISC1.0 relocatable library
>68 belong 0x02100619 - PA-RISC1.1 relocatable library
>68 belong 0x02110619 - PA-RISC1.2 relocatable library
>68 belong 0x02140619 - PA-RISC2.0 relocatable library
#EOF for common ar archives

#
# "Thin" archive, as can be produced by GNU ar.
#
0 string =!<thin>\n thin archive with
>68 belong 0 no symbol entries
>68 belong 1 %d symbol entry
>68 belong >1 %d symbol entries

0 search/1 -h- Software Tools format archive text

# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
#
# The first byte is the magic (0x1a), byte 2 is the compression type for
# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
# filename of the first file (null terminated). Since some types collide
# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
!:mime application/x-arc
# [JW] stuff taken from idarc, obviously ARC successors:
0 lelong&0x8080ffff 0x00000a1a PAK archive data
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000141a ARC+ archive data
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000481a HYP archive data
!:mime application/x-arc

# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
# I can't create either SPARK or ArcFS archives so I have not tested this stuff
# [GRR: the original entries collide with ARC, above; replaced with combined
# version (not tested)]
#0 byte 0x1a RISC OS archive (spark format)
0 string \032archive RISC OS archive (ArcFS format)
0 string Archive\000 RISC OS archive (ArcFS format)

# All these were taken from idarc, many could not be verified. Unfortunately,
# there were many low-quality sigs, i.e. easy to trigger false positives.
# Please notify me of any real-world fishy/ambiguous signatures and I'll try
# to get my hands on the actual archiver and see if I find something better. [JW]
# probably many can be enhanced by finding some 0-byte or control char near the start

# idarc calls this Crush/Uncompressed... *shrug*
0 string CRUSH Crush archive data
# Squeeze It (.sqz)
0 string HLSQZ Squeeze It archive data
# SQWEZ
0 string SQWEZ SQWEZ archive data
# HPack (.hpk)
0 string HPAK HPack archive data
# HAP
0 string \x91\x33HF HAP archive data
# MD/MDCD
0 string MDmd MDCD archive data
# LIM
0 string LIM\x1a LIM archive data
# SAR
3 string LH5 SAR archive data
# BSArc/BS2
0 string \212\3SB\020\0 BSArc/BS2 archive data
# Bethesda Softworks Archive (Oblivion)
0 string BSA\0 BSArc archive data
>4 lelong x version %d
# MAR
2 string =-ah MAR archive data
# ACB
#0 belong&0x00f800ff 0x00800000 ACB archive data
# CPZ
# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
# JRC
0 string JRchive JRC archive data
# Quantum
0 string DS\0 Quantum archive data
# ReSOF
0 string PK\3\6 ReSOF archive data
# QuArk
0 string 7\4 QuArk archive data
# YAC
14 string YC YAC archive data
# X1
0 string X1 X1 archive data
0 string XhDr X1 archive data
# CDC Codec (.dqt)
0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
# AMGC
0 string \xad6" AMGC archive data
# NuLIB
0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
# PakLeo
0 string LEOLZW PAKLeo archive data
# ChArc
0 string SChF ChArc archive data
# PSA
0 string PSA PSA archive data
# CrossePAC
0 string DSIGDCC CrossePAC archive data
# Freeze
0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
# KBoom
0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
# NSQ, must go after CDC Codec
0 string \x76\xff NSQ archive data
# DPA
0 string Dirk\ Paehl DPA archive data
# BA
# TODO: idarc says "bytes 0-2 == bytes 3-5"
# TTComp
# URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
# Update: Joerg Jenderek
# GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
0 string \0\6
# look for first keyword of Panorama database *.pan
>12 search/261 DESIGN
# skip keyword with low entropy
>12 default x TTComp archive, binary, 4K dictionary
# (version 5.25) labeled the above entry as "TTComp archive data"
# From: Joerg Jenderek
# URL: https://wiki.68kmla.org/DiskCopy_4.2_format_specification
# reference: http://nulib.com/library/FTN.e00005.htm
0x52 ubeshort 0x0100
# test for disk size equal or above 400k
>0x40 ubelong >409599 Apple DiskCopy 4.2 image
#!:mime application/octet-stream
!:apple dCpydImg
!:ext image/dc42
# image pascal name padded with NULs like Microsoft Mail
>>00 pstring/B x %s
# data size in bytes like 409600
>>0x40 ubelong x \b, %u bytes
# tag size in bytes
>>0x44 ubelong >0 \b, 0x%x tag size
# data checksum
#>>0x48 ubelong x \b, 0x%x checksum
# tag checksum
#>>0x4c ubelong x \b, 0x%x tag checksum
# disk encoding
>>0x50 ubyte 0 \b, GCR CLV ssdd (400k)
>>0x50 ubyte 1 \b, GCR CLV dsdd (800k)
>>0x50 ubyte 2 \b, MFM CAV dsdd (720k)
>>0x50 ubyte 3 \b, MFM CAV dshd (1440k)
>>0x50 ubyte >3 \b, 0x%x encoding
# format byte
>>0x51 ubyte x \b, 0x%x format
#>>0x54 ubequad x \b, data 0x%16.16llx
# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
0 string ESP ESP archive data
# ZPack
0 string \1ZPK\1 ZPack archive data
# Sky
0 string \xbc\x40 Sky archive data
# UFA
0 string UFA UFA archive data
# Dry
0 string =-H2O DRY archive data
# FoxSQZ
0 string FOXSQZ FoxSQZ archive data
# AR7
0 string ,AR7 AR7 archive data
# PPMZ
0 string PPMZ PPMZ archive data
# MS Compress
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
# Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html
# Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z
4 string \x88\xf0\x27
# KWAJ variant
>0 string KWAJ MS Compress archive data, KWAJ variant
!:mime application/x-ms-compress-kwaj
# extension not working in version 5.32
# magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?'
# file: line 284: Bad magic entry ' ??_'
!:ext ??_
# compression method (0-4)
>>8 uleshort x \b, %u method
# offset of compressed data
>>10 uleshort x \b, 0x%x offset
#>>(10.s) uleshort x
#>>>&-6 string x \b, TEST extension %-.3s
# header flags to mark header extensions
>>12 uleshort >0 \b, 0x%x flags
# 4 bytes: decompressed length of file
>>12 uleshort &0x01
>>>14 ulelong x \b, original size: %u bytes
# 2 bytes: unknown purpose
# 2 bytes: length of unknown data + mentioned bytes
# 1-9 bytes: null-terminated file name
# 1-4 bytes: null-terminated file extension
>>12 uleshort &0x08
>>>12 uleshort ^0x01
>>>>12 uleshort ^0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>14 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>14 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(14.s) uleshort x
>>>>>>>>&14 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(14.s) uleshort x
>>>>>>>>&14 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
>>>>12 uleshort &0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>16 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>16 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(16.s) uleshort x
>>>>>>>>&16 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(16.s) uleshort x
>>>>>>>&16 string x %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>12 uleshort &0x01
>>>>12 uleshort ^0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>18 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>18 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(18.s) uleshort x
>>>>>>>>&18 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(18.s) uleshort x
>>>>>>>>&18 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
>>>>12 uleshort &0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>20 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>20 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(20.s) uleshort x
>>>>>>>>&20 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(20.s) uleshort x
>>>>>>>>&20 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
# 2 bytes: length of data + mentioned bytes
#
# SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
>0 string SZDD MS Compress archive data, SZDD variant
!:mime application/x-ms-compress-szdd
!:ext ??_
# The character missing from the end of the filename (0=unknown)
>>9 string >\0 \b, %-.1s is last character of original name
# https://www.betaarchive.com/forum/viewtopic.php?t=26161
# Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e
>>8 string !A \b, %-.1s method
>>10 ulelong >0 \b, original size: %u bytes
# QBasic SZDD variant
3 string \x88\xf0\x27
>0 string SZ\x20 MS Compress archive data, QBasic variant
!:mime application/x-ms-compress-sz
!:ext ??$
>>8 ulelong >0 \b, original size: %u bytes

# MP3 (archiver, not lossy audio compression)
0 string MP3\x1a MP3-Archiver archive data
# ZET
0 string OZ\xc3\x9d ZET archive data
# TSComp
0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
# ARQ
0 string gW\4\1 ARQ archive data
# Squash
3 string OctSqu Squash archive data
# Terse
0 string \5\1\1\0 Terse archive data
# PUCrunch
0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
# UHarc
0 string UHA UHarc archive data
# ABComp
0 string \2AB ABComp archive data
0 string \3AB2 ABComp archive data
# CMP
0 string CO\0 CMP archive data
# Splint
0 string \x93\xb9\x06 Splint archive data
# InstallShield
0 string \x13\x5d\x65\x8c InstallShield Z archive Data
# Gather
1 string GTH Gather archive data
# BOA
0 string BOA BOA archive data
# RAX
0 string ULEB\xa RAX archive data
# Xtreme
0 string ULEB\0 Xtreme archive data
# Pack Magic
0 string @\xc3\xa2\1\0 Pack Magic archive data
# BTS
0 belong&0xfeffffff 0x1a034465 BTS archive data
# ELI 5750
0 string Ora\ ELI 5750 archive data
# QFC
0 string \x1aFC\x1a QFC archive data
0 string \x1aQF\x1a QFC archive data
# PRO-PACK
0 string RNC PRO-PACK archive data
# 777
0 string 777 777 archive data
# LZS221
0 string sTaC LZS221 archive data
# HPA
0 string HPA HPA archive data
# Arhangel
0 string LG Arhangel archive data
# EXP1, uses bzip2
0 string 0123456789012345BZh EXP1 archive data
# IMP
0 string IMP\xa IMP archive data
# NRV
0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
# Squish
0 string \x73\xb2\x90\xf4 Squish archive data
# Par
0 string PHILIPP Par archive data
0 string PAR Par archive data
# HIT
0 string UB HIT archive data
# SBX
0 belong&0xfffff000 0x53423000 SBX archive data
# NaShrink
0 string NSK NaShrink archive data
# SAPCAR
0 string #\ CAR\ archive\ header SAPCAR archive data
0 string CAR\ 2.00RG SAPCAR archive data
# Disintegrator
0 string DST Disintegrator archive data
# ASD
0 string ASD ASD archive data
# InstallShield CAB
0 string ISc( InstallShield CAB
# TOP4
0 string T4\x1a TOP4 archive data
# BatComp left out: sig looks like COM executable
# so TODO: get real 4dos batcomp file and find sig
# BlakHole
0 string BH\5\7 BlakHole archive data
# BIX
0 string BIX0 BIX archive data
# ChiefLZA
0 string ChfLZ ChiefLZA archive data
# Blink
0 string Blink Blink archive data
# Logitech Compress
0 string \xda\xfa Logitech Compress archive data
# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
1 string (C)\ STEPANYUK ARS-Sfx archive data
# AKT/AKT32
0 string AKT32 AKT32 archive data
0 string AKT AKT archive data
# NPack
0 string MSTSM NPack archive data
# PFT
0 string \0\x50\0\x14 PFT archive data
# SemOne
0 string SEM SemOne archive data
# PPMD
0 string \x8f\xaf\xac\x84 PPMD archive data
# FIZ
0 string FIZ FIZ archive data
# MSXiE
0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
# DeepFreezer
0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
# DC
0 string =<DC- DC archive data
# TPac
0 string \4TPAC\3 TPac archive data
# Ai
0 string Ai\1\1\0 Ai archive data
0 string Ai\1\0\0 Ai archive data
# Ai32
0 string Ai\2\0 Ai32 archive data
0 string Ai\2\1 Ai32 archive data
# SBC
0 string SBC SBC archive data
# Ybs
0 string YBS Ybs archive data
# DitPack
0 string \x9e\0\0 DitPack archive data
# DMS
0 string DMS! DMS archive data
# EPC
0 string \x8f\xaf\xac\x8c EPC archive data
# VSARC
0 string VS\x1a VSARC archive data
# PDZ
0 string PDZ PDZ archive data
# ReDuq
0 string rdqx ReDuq archive data
# GCA
0 string GCAX GCA archive data
# PPMN
0 string pN PPMN archive data
# WinImage
3 string WINIMAGE WinImage archive data
# Compressia
0 string CMP0CMP Compressia archive data
# UHBC
0 string UHB UHBC archive data
# WinHKI
0 string \x61\x5C\x04\x05 WinHKI archive data
# WWPack data file
0 string WWP WWPack archive data
# BSN (BSA, PTS-DOS)
0 string \xffBSG BSN archive data
1 string \xffBSG BSN archive data
3 string \xffBSG BSN archive data
1 string \0\xae\2 BSN archive data
1 string \0\xae\3 BSN archive data
1 string \0\xae\7 BSN archive data
# AIN
0 string \x33\x18 AIN archive data
0 string \x33\x17 AIN archive data
# XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
# SZip (TODO: doesn't catch all versions)
0 string SZ\x0a\4 SZip archive data
# XPack DiskImage
# *.XDI updated by Joerg Jenderek Sep 2015
# ftp://ftp.sac.sk/pub/sac/pack/0index.txt
# GRR: this test is still too general as it catches also text files starting with jm
0 string jm
# only found examples with this additional characteristic 2 bytes
>2 string \x2\x4 Xpack DiskImage archive data
#!:ext xdi
# XPack Data
# *.xpa updated by Joerg Jenderek Sep 2015
# ftp://ftp.elf.stuba.sk/pub/pc/pack/
0 string xpa XPA
!:ext xpa
# XPA32
# ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
# created by XPA32.EXE version 1.0.2 for Windows
>0 string xpa\0\1 \b32 archive data
# created by XPACK.COM version 1.67m or 1.67r with short 0x1800
>3 ubeshort !0x0001 \bck archive data
# XPack Single Data
# changed by Joerg Jenderek Sep 2015 back to like in version 5.12
# letter 'I'+ acute accent is equivalent to \xcd
0 string \xcd\ jm Xpack single archive data
#!:mime application/x-xpa-compressed
!:ext xpa

# TODO: missing due to unknown magic/magic at end of file:
#DWC
#ARG
#ZAR
#PC/3270
#InstallIt
#RKive
#RK
#XPack Diskimage

# These were inspired by idarc, but actually verified
# Dzip archiver
(.dz)# Update: Joerg Jenderek# URL: http://speeddemosarchive.com/dzip/# reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c # GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt0 string DZ # latest version is 2.9 dated 7 may 2003>2 byte <4 Dzip archive data!:mime application/x-dzip!:ext dz>>2 byte x \b, version %i>>3 byte x \b.%i>>4 ulelong x \b, offset 0x%x>>8 ulelong x \b, %u files# ZZip archiver (.zz)0 string ZZ\ \0\0 ZZip archive data0 string ZZ0 ZZip archive data# PAQ archiver (.paq)0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data0 string PAQ PAQ archive data>3 byte&0xf0 0x30>>3 byte x (v%c)# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data0 string JARCS JAR (ARJ Software, Inc.) archive data # ARJ archiver (jason@jarthur.Claremont.EDU)0 leshort 0xea60 ARJ archive data!:mime application/x-arj>5 byte x \b, v%d,>8 byte &0x04 multi-volume,>8 byte &0x10 slash-switched,>8 byte &0x20 backup,>34 string x original name: %s,>7 byte 0 os: MS-DOS>7 byte 1 os: PRIMOS>7 byte 2 os: Unix>7 byte 3 os: Amiga>7 byte 4 os: Macintosh>7 byte 5 os: OS/2>7 byte 6 os: Apple ][ GS>7 byte 7 os: Atari ST>7 byte 8 os: NeXT>7 byte 9 os: VAX/VMS>3 byte >0 %d]# [JW] idarc says this is also possible2 leshort 0xea60 ARJ archive data # HA archiver (Greg Roelofs, newt@uchicago.edu)# This is a really bad format. 
A file containing HAWAII will match this...#0 string HA HA archive data,#>2 leshort =1 1 file,#>2 leshort >1 %hu files,#>4 byte&0x0f =0 first is type CPY#>4 byte&0x0f =1 first is type ASC#>4 byte&0x0f =2 first is type HSC#>4 byte&0x0f =0x0e first is type DIR#>4 byte&0x0f =0x0f first is type SPECIAL# suggestion: at least identify small archives (<1024 files)0 belong&0xffff00fc 0x48410000 HA archive data>2 leshort =1 1 file,>2 leshort >1 %u files,>4 byte&0x0f =0 first is type CPY>4 byte&0x0f =1 first is type ASC>4 byte&0x0f =2 first is type HSC>4 byte&0x0f =0x0e first is type DIR>4 byte&0x0f =0x0f first is type SPECIAL # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)0 string HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net0 string \351,\001JAM\ JAM archive,>7 string >\0 version %.4s>0x26 byte =0x27 ->>0x2b string >\0 label %.11s,>>0x27 lelong x serial %08x,>>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)# Update: Joerg Jenderek# URL: https://en.wikipedia.org/wiki/LHA_(file_format)# Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html## check and display information of lharc (LHa,PMarc) file0 name lharc-file# check 1st character of method id like -lz4- -lh5- or -pm2->2 string -# check 5th character of method id>>6 string -# check header level 0 1 2 3>>>20 ubyte <4# check 2nd, 3th and 4th character of method id>>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b !:mime application/x-lzh-compressed# creator type "LHA "!:apple ????LHA# display archive type name like "LHa/LZS archive data" or "LArc archive">>>>>2 string -lz \b !:ext lzs# already known -lzs- -lz4- -lz5- with old names>>>>>>2 string -lzs LHa/LZS archive data>>>>>>3 regex \^lz[45] LHarc 1.x archive data# missing -lz?- with wikipedia names>>>>>>3 regex \^lz[2378] LArc archive# display archive type name like "LHa (2.x) archive data">>>>>2 string -lh \b# already known -lh0- -lh1- -lh2- 
-lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names>>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data# LHice archiver use ".ICE" as name extension instead usual one ".lzh"# FOOBAR archiver use ".foo" as name extension instead usual one# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment>>>>>>>2 string -lh1 \b !:ext lha/lzh/ice>>>>>>3 regex \^lh[23d] LHa 2.x? archive data>>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data>>>>>>3 regex \^lh[456] LHa (2.x) archive data>>>>>>>2 string -lh5 \b # https://en.wikipedia.org/wiki/BIOS# Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like# bios.rom , kd7_v14.bin, 1010.004, ...!:ext lha/lzh/rom/bin# missing -lh?- variants (Joe Jared)>>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive# UNLHA32 2.67a>>>>>>2 string -lhx LHa (UNLHA32) archive# lha archives with standard file name extensions ".lha" ".lzh">>>>>>3 regex !\^(lh1|lh5) \b !:ext lha/lzh# this should not happen if all -lh variants are described>>>>>>2 default x LHa (unknown) archive#!:ext lha# PMarc>>>>>3 regex \^pm[012] PMarc archive data!:ext pma# append method id without leading and trailing minus character>>>>>3 string x [%3.3s]>>>>>>0 use lharc-header## check and display information of lharc header0 name lharc-header# header size 0x4 , 0x1b-0x61>0 ubyte x# compressed data size != compressed file size#>7 ulelong x \b, data size %d# attribute: 0x2~?? 
0x10~symlink|target 0x20~normal#>19 ubyte x \b, 19_0x%x# level identifier 0 1 2 3#>20 ubyte x \b, level %d# time stamp#>15 ubelong x DATE 0x%8.8x# OS ID for level 1>20 ubyte 1# 0x20 types find for *.rom files>>(21.b+24) ubyte <0x21 \b, 0x%x OS# ascii type like M for MSDOS>>(21.b+24) ubyte >0x20 \b, '%c' OS# OS ID for level 2>20 ubyte 2#>>23 ubyte x \b, OS ID 0x%x>>23 ubyte <0x21 \b, 0x%x OS>>23 ubyte >0x20 \b, '%c' OS# filename only for level 0 and 1>20 ubyte <2# length of filename>>21 ubyte >0 \b, with# filename>>>21 pstring x "%s"##2 string -lh0- LHarc 1.x/ARX archive data [lh0]#!:mime application/x-lharc2 string -lh0->0 use lharc-file#2 string -lh1- LHarc 1.x/ARX archive data [lh1]#!:mime application/x-lharc2 string -lh1->0 use lharc-file# NEW -lz2- ... -lz8-2 string -lz2->0 use lharc-file2 string -lz3->0 use lharc-file2 string -lz4->0 use lharc-file2 string -lz5->0 use lharc-file2 string -lz7->0 use lharc-file2 string -lz8->0 use lharc-file# [never seen any but the last; -lh4- reported in comp.compression:]#2 string -lzs- LHa/LZS archive data [lzs]2 string -lzs->0 use lharc-file# According to wikipedia and others such a version does not exist#2 string -lh\40- LHa 2.x? archive data [lh ]#2 string -lhd- LHa 2.x? archive data [lhd]2 string -lhd->0 use lharc-file#2 string -lh2- LHa 2.x? archive data [lh2]2 string -lh2->0 use lharc-file#2 string -lh3- LHa 2.x? archive data [lh3]2 string -lh3->0 use lharc-file#2 string -lh4- LHa (2.x) archive data [lh4]2 string -lh4->0 use lharc-file#2 string -lh5- LHa (2.x) archive data [lh5]2 string -lh5->0 use lharc-file#2 string -lh6- LHa (2.x) archive data [lh6]2 string -lh6->0 use lharc-file#2 string -lh7- LHa (2.x)/LHark archive data [lh7]2 string -lh7-# !:mime application/x-lha# >20 byte x - header level %d>0 use lharc-file# NEW -lh8- ... 
-lhe- , -lhx-2 string -lh8->0 use lharc-file2 string -lh9->0 use lharc-file2 string -lha->0 use lharc-file2 string -lhb->0 use lharc-file2 string -lhc->0 use lharc-file2 string -lhe->0 use lharc-file2 string -lhx->0 use lharc-file# taken from idarc [JW]2 string -lZ PUT archive data# already done by LHarc magics# this should never happen if all sub types of LZS archive are identified#2 string -lz LZS archive data2 string -sw1- Swag archive data 0 name rar-file-header>24 byte 15 \b, v1.5>24 byte 20 \b, v2.0>24 byte 29 \b, v4>15 byte 0 \b, os: MS-DOS>15 byte 1 \b, os: OS/2>15 byte 2 \b, os: Win32>15 byte 3 \b, os: Unix>15 byte 4 \b, os: Mac OS>15 byte 5 \b, os: BeOS 0 name rar-archive-header>3 leshort&0x1ff >0 \b, flags:>>3 leshort &0x01 ArchiveVolume>>3 leshort &0x02 Commented>>3 leshort &0x04 Locked>>3 leshort &0x10 NewVolumeNaming>>3 leshort &0x08 Solid>>3 leshort &0x20 Authenticated>>3 leshort &0x40 RecoveryRecordPresent>>3 leshort &0x80 EncryptedBlockHeader>>3 leshort &0x100 FirstVolume # RAR (Roshal Archive) archive0 string Rar!\x1a\7\0 RAR archive data!:mime application/x-rar!:ext rar/cbr# file header>(0xc.l+9) byte 0x74>>(0xc.l+7) use rar-file-header# subblock seems to share information with file header>(0xc.l+9) byte 0x7a>>(0xc.l+7) use rar-file-header>9 byte 0x73>>7 use rar-archive-header 0 string Rar!\x1a\7\1\0 RAR archive data, v5!:mime application/x-rar!:ext rar # Very old RAR archive# https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf0 string RE\x7e\x5e RAR archive data (<v1.5)!:mime application/x-rar!:ext rar/cbr # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)0 string SQSH squished archive data (Acorn RISCOS) # UC2 archiver (Greg Roelofs, newt@uchicago.edu)# [JW] see exe section for self-extracting version0 string UC2\x1a UC2 archive data # PKZIP multi-volume archive0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract!:mime application/zip!:ext zip/cbz # Zip archives (Greg Roelofs, c/o 
zip-bugs@wkuvx1.wku.edu)0 string PK\005\006 Zip archive data (empty)!:mime application/zip!:ext zip/cbz!:strength +10 string PK\003\004!:strength +1 # Specialised zip formats which start with a member named 'mimetype'# (stored uncompressed, with no 'extra field') containing the file's MIME type.# Check for have 8-byte name, 0-byte extra field, name "mimetype", and# contents starting with "application/":>26 string \x8\0\0\0mimetypeapplication/ # KOffice / OpenOffice & StarOffice / OpenDocument formats# From: Abel Cheung <abel@oaka.org> # KOffice (1.2 or above) formats# (mimetype contains "application/vnd.kde.<SUBTYPE>")>>50 string vnd.kde. KOffice (>=1.2)>>>58 string karbon Karbon document>>>58 string kchart KChart document>>>58 string kformula KFormula document>>>58 string kivio Kivio document>>>58 string kontour Kontour document>>>58 string kpresenter KPresenter document>>>58 string kspread KSpread document>>>58 string kword KWord document # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)# (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")# URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML# reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML>>50 string vnd.sun.xml. 
OpenOffice.org 1.x>>>62 string writer Writer>>>>68 byte !0x2e document!:mime application/vnd.sun.xml.writer!:ext sxw>>>>68 string .template template!:mime application/vnd.sun.xml.writer.template!:ext stw>>>>68 string .web Web template!:mime application/vnd.sun.xml.writer.web!:ext stw>>>>68 string .global global document!:mime application/vnd.sun.xml.writer.global!:ext sxg>>>62 string calc Calc>>>>66 byte !0x2e spreadsheet!:mime application/vnd.sun.xml.calc!:ext sxc>>>>66 string .template template!:mime application/vnd.sun.xml.calc.template!:ext stc>>>62 string draw Draw>>>>66 byte !0x2e document!:mime application/vnd.sun.xml.draw!:ext sxd>>>>66 string .template template!:mime application/vnd.sun.xml.draw.template!:ext std>>>62 string impress Impress>>>>69 byte !0x2e presentation!:mime application/vnd.sun.xml.impress!:ext sxi>>>>69 string .template template!:mime application/vnd.sun.xml.impress.template!:ext sti>>>62 string math Math document!:mime application/vnd.sun.xml.math!:ext sxm>>>62 string base Database file!:mime application/vnd.sun.xml.base!:ext sdb # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)# URL: http://fileformats.archiveteam.org/wiki/OpenDocument# https://lists.oasis-open.org/archives/office/200505/msg00006.html# (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")>>50 string vnd.oasis.opendocument. 
OpenDocument>>>73 string text>>>>77 byte !0x2d Text!:mime application/vnd.oasis.opendocument.text!:ext odt>>>>77 string -template Text Template!:mime application/vnd.oasis.opendocument.text-template!:ext ott>>>>77 string -web HTML Document Template!:mime application/vnd.oasis.opendocument.text-web!:ext oth>>>>77 string -master Master Document!:mime application/vnd.oasis.opendocument.text-master!:ext odm>>>73 string graphics>>>>81 byte !0x2d Drawing!:mime application/vnd.oasis.opendocument.graphics!:ext odg>>>>81 string -template Drawing Template!:mime application/vnd.oasis.opendocument.graphics-template!:ext otg>>>73 string presentation>>>>85 byte !0x2d Presentation!:mime application/vnd.oasis.opendocument.presentation!:ext odp>>>>85 string -template Presentation Template!:mime application/vnd.oasis.opendocument.presentation-template!:ext otp>>>73 string spreadsheet>>>>84 byte !0x2d Spreadsheet!:mime application/vnd.oasis.opendocument.spreadsheet!:ext ods>>>>84 string -template Spreadsheet Template!:mime application/vnd.oasis.opendocument.spreadsheet-template!:ext ots>>>73 string chart>>>>78 byte !0x2d Chart!:mime application/vnd.oasis.opendocument.chart!:ext odc>>>>78 string -template Chart Template!:mime application/vnd.oasis.opendocument.chart-template!:ext otc>>>73 string formula>>>>80 byte !0x2d Formula!:mime application/vnd.oasis.opendocument.formula!:ext odf>>>>80 string -template Formula Template!:mime application/vnd.oasis.opendocument.formula-template!:ext otf# https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml>>>73 string database Database!:mime application/vnd.oasis.opendocument.database!:ext odb# Valid for LibreOffice Base 6.0.1.1 at least>>>73 string base Database# https://bugs.documentfoundation.org/show_bug.cgi?id=45854!:mime application/vnd.oasis.opendocument.database#!:mime application/vnd.oasis.opendocument.base!:ext odb>>>73 string image>>>>78 byte !0x2d Image!:mime application/vnd.oasis.opendocument.image!:ext odi>>>>78 string 
-template Image Template!:mime application/vnd.oasis.opendocument.image-template!:ext oti # EPUB (OEBPS) books using OCF (OEBPS Container Format)# https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.# From: Ralf Brown <ralf.brown@gmail.com>>>50 string epub+zip EPUB document!:mime application/epub+zip # From: Joerg Jenderek# URL: http://en.wikipedia.org/wiki/CorelDRAW# NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based>>50 string x-vnd.corel. Corel>>>62 string draw.document+zip Draw drawing, version 14-16!:mime application/x-vnd.corel.draw.document+zip!:ext cdr>>>62 string draw.template+zip Draw template, version 14-16!:mime application/x-vnd.corel.draw.template+zip!:ext cdrt>>>62 string zcf.draw.document+zip Draw drawing, version 17-22!:mime application/x-vnd.corel.zcf.draw.document+zip!:ext cdr>>>62 string zcf.draw.template+zip Draw template, version 17-22!:mime application/x-vnd.corel.zcf.draw.template+zip!:ext cdt/cdrt# URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html>>>62 string zcf.pattern+zip Draw pattern, version 22!:mime application/x-vnd.corel.zcf.pattern+zip!:ext pat# URL: https://en.wikipedia.org/wiki/Corel_Designer# Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer# Note: called by TrID "Corel DESIGN graphics">>>62 string designer.document+zip DESIGNER graphics, version 14-16!:mime application/x-vnd.corel.designer.document+zip!:ext des>>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21!:mime application/x-vnd.corel.zcf.designer.document+zip!:ext des# URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/# CorelDRAW-Corel-Symbol-Library-CSL.html>>>62 string symbol.library+zip Symbol Library, version 6-16.3!:mime application/x-vnd.corel.symbol.library+zip!:ext csl>>>62 string zcf.symbol.library+zip Symbol Library, version 17-22!:mime application/x-vnd.corel.zcf.symbol.library+zip!:ext csl # Catch other 
ZIP-with-mimetype formats# In a ZIP file, the bytes immediately after a member's contents are# always "PK". The 2 regex rules here print the "mimetype" member's# contents up to the first 'P'. Luckily, most MIME types don't contain# any capital 'P's. This is a kludge.# (mimetype contains "application/<OTHER>")>>50 default x Zip data>>>38 regex [!-OQ-~]+ (MIME type "%s"?)!:mime application/zip# (mimetype contents other than "application/*")>26 string \x8\0\0\0mimetype>>38 string !application/>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)!:mime application/zip # Java Jar files>(26.s+30) leshort 0xcafe Java archive data (JAR)!:mime application/java-archive # iOS App>(26.s+30) leshort !0xcafe>>26 string !\x8\0\0\0mimetype>>>30 string Payload/>>>>38 search/64 .app/ iOS App!:mime application/x-ios-app >30 search/100/b application/epub+zip EPUB document!:mime application/epub+zip # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)# Next line excludes specialized formats:>(26.s+30) leshort !0xcafe>>30 search/100/b !application/epub+zip>>>26 string !\x8\0\0\0mimetype Zip archive data!:mime application/zip>>>>4 beshort x \b, at least>>>>4 use zipversion>>>>4 beshort x to extract>>>>0x161 string WINZIP \b, WinZIP self-extracting # StarView Metafile# From Pierre Ducroquet <pinaraf@pinaraf.info>0 string VCLMTF StarView MetaFile>6 beshort x \b, version %d>8 belong x \b, size %d # Zoo archiver20 lelong 0xfdc4a7dc Zoo archive data!:mime application/x-zoo>4 byte >48 \b, v%c.>>6 byte >47 \b%c>>>7 byte >47 \b%c>32 byte >0 \b, modify: v%d>>33 byte x \b.%d+>42 lelong 0xfdc4a7dc \b,>>70 byte >0 extract: v%d>>>71 byte x \b.%d+ # Shell archives10 string #\ This\ is\ a\ shell\ archive shell archive text!:mime application/octet-stream ## LBR. 
NB: May conflict with the questionable# "binary Computer Graphics Metafile" format.#0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data## PMA (CP/M derivative of LHA)# Update: Joerg Jenderek# URL: https://en.wikipedia.org/wiki/LHA_(file_format)##2 string -pm0- PMarc archive data [pm0]2 string -pm0->0 use lharc-file#2 string -pm1- PMarc archive data [pm1]2 string -pm1->0 use lharc-file#2 string -pm2- PMarc archive data [pm2]2 string -pm2->0 use lharc-file2 string -pms- PMarc SFX archive (CP/M, DOS)#!:mime application/x-foobar-exec!:ext com5 string -pc1- PopCom compressed executable (CP/M)#!:mime application/x-#!:ext com # From Rafael Laboissiere <rafael@laboissiere.net># The Project Revision Control System (see# http://prcs.sourceforge.net) generates a packaged project# file which is recognized by the following entry:0 leshort 0xeb81 PRCS packaged project # Microsoft cabinets# by David Necas (Yeti) <yeti@physics.muni.cz>#0 string MSCF\0\0\0\0 Microsoft cabinet file data,#>25 byte x v%d#>24 byte x \b.%d# MPi: All CABs have version 1.3, so this is pointless.# Better magic in debian-additions. 
# GTKtalog catalogs# by David Necas (Yeti) <yeti@physics.muni.cz>4 string gtktalog\ GTKtalog catalog data,>13 string 3 version 3>>14 beshort 0x677a (gzipped)>>14 beshort !0x677a (not gzipped)>13 string >3 version %s ############################################################################# Parity archive reconstruction file, the 'par' file format now used on Usenet.0 string PAR\0 PARity archive data>48 leshort =0 - Index file>48 leshort >0 - file number %d # Felix von Leitner <felix-file@fefe.de>0 string d8:announce BitTorrent file!:mime application/x-bittorrent# Durval Menezes, <jmgthbfile at durval dot com>0 string d13:announce-list BitTorrent file!:mime application/x-bittorrent0 string d7:comment BitTorrent file!:mime application/x-bittorrent0 string d4:info BitTorrent file!:mime application/x-bittorrent # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>0 beshort 0x0e0f Atari MSA archive data>2 beshort x \b, %d sectors per track>4 beshort 0 \b, 1 sided>4 beshort 1 \b, 2 sided>6 beshort x \b, starting track: %d>8 beshort x \b, ending track: %d # Alternate ZIP string (amc@arwen.cs.berkeley.edu)0 string PK00PK\003\004 Zip archive data!:mime application/zip!:ext zip/cbz # ACE archive (from http://www.wotsit.org/download.asp?f=ace)# by Stefan `Sec` Zehl <sec@42.org>7 string **ACE** ACE archive data>15 byte >0 version %d>16 byte =0x00 \b, from MS-DOS>16 byte =0x01 \b, from OS/2>16 byte =0x02 \b, from Win/32>16 byte =0x03 \b, from Unix>16 byte =0x04 \b, from MacOS>16 byte =0x05 \b, from WinNT>16 byte =0x06 \b, from Primos>16 byte =0x07 \b, from AppleGS>16 byte =0x08 \b, from Atari>16 byte =0x09 \b, from Vax/VMS>16 byte =0x0A \b, from Amiga>16 byte =0x0B \b, from Next>14 byte x \b, version %d to extract>5 leshort &0x0080 \b, multiple volumes,>>17 byte x \b (part %d),>5 leshort &0x0002 \b, contains comment>5 leshort &0x0200 \b, sfx>5 leshort &0x0400 \b, small dictionary>5 leshort &0x0800 \b, multi-volume>5 leshort &0x1000 \b, contains AV-String>>30 string 
\x16*UNREGISTERED\x20VERSION* (unregistered)>5 leshort &0x2000 \b, with recovery record>5 leshort &0x4000 \b, locked>5 leshort &0x8000 \b, solid# Date in MS-DOS format (whatever that is)#>18 lelong x Created on # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann# <doj@cubic.org>0x1A string sfArk sfArk compressed Soundfont>0x15 string 2>>0x1 string >\0 Version %s>>0x2A string >\0 : %s # DR-DOS 7.03 Packed File *.??_0 string Packed\ File\ Personal NetWare Packed File>12 string x \b, was "%.12s" # EET archive# From: Tilman Sauerbeck <tilman@code-monkey.de>0 belong 0x1ee7ff00 EET archive!:mime application/x-eet # rzip archives0 string RZIP rzip compressed data>4 byte x - version %d>5 byte x \b.%d>6 belong x (%d bytes) # From: Joerg Jenderek# URL: https://help.foxitsoftware.com/kb/install-fzip-file.php# reference: http://mark0.net/download/triddefs_xml.7z/# defs/f/fzip.trid.xml# Note: unknown compression; No "PK" zip magic; normally in directory like# "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"0 ubequad 0x2506781901010000 Foxit add-on/update!:mime application/x-fzip!:ext fzip # From: "Robert Dale" <robdale@gmail.com>0 belong 123 dar archive,>4 belong x label "%.8x>>8 belong x %.8x>>>12 beshort x %.4x">14 byte 0x54 end slice>14 beshort 0x4e4e multi-part>14 beshort 0x4e53 multi-part, with -S # Symbian installation files# https://www.thouky.co.uk/software/psifs/sis.html# http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf8 lelong 0x10000419 Symbian installation file!:mime application/vnd.symbian.install>4 lelong 0x1000006D (EPOC release 3/4/5)>4 lelong 0x10003A12 (EPOC release 6)0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)!:mime x-epoc/x-sisx-app # From "Nelson A. de Oliveira" <naoliv@gmail.com>0 string MPQ\032 MoPaQ (MPQ) archive # From: "Nelson A. 
de Oliveira" <naoliv@gmail.com># .kgb0 string KGB_arch KGB Archiver file>10 string x with compression level %.1s # xar (eXtensible ARchiver) archive# URL: https://en.wikipedia.org/wiki/Xar_(archiver)# xar archive format: https://code.google.com/p/xar/# From: "David Remahl" <dremahl@apple.com># Update: Joerg Jenderek# TODO: lzma compression; X509Data for pkg and xip# Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or# 7z t -txar Xcode_10.2_beta_4.xip`0 string xar! xar archive!:mime application/x-xar# pkg for Mac OSX installer package like FullBundleUpdate.pkg# xip for signed Apple software like Xcode_10.2_beta_4.xip!:ext xar/pkg/xip# always 28 in older archives>4 ubeshort >28 \b, header size %u# currently there exit only version 1 since about 2014>6 ubeshort >1 version %u,>8 ubequad x compressed TOC: %llu,#>16 ubequad x uncompressed TOC: %llu,# cksum_alg 0-2 in older and also 3-4 in newer>24 belong 0 no checksum>24 belong 1 SHA-1 checksum>24 belong 2 MD5 checksum>24 belong 3 SHA-256 checksum>24 belong 4 SHA-512 checksum>24 belong >4 unknown 0x%x checksum#>24 belong >4 checksum# For no compression jump 0 bytes>24 belong 0>>0 ubyte x# jump more bytes forward by header size>>>&(4.S) ubyte x# jump more bytes forward by compressed table of contents size#>>>>&(8.Q) ubequad x \b, heap data 0x%llx>>>>&(8.Q) ubyte x# look for data by ./compress after message with 1 space at end>>>>>&-3 indirect x \b, contains # For SHA-1 jump 20 minus 2 bytes>24 belong 1>>18 ubyte x# jump more bytes forward by header size>>>&(4.S) ubyte x# jump more bytes forward by compressed table of contents size>>>>&(8.Q) ubyte x# data compressed by gzip, bzip, lzma or none>>>>>&-1 indirect x \b, contains # For SHA-256 jump 32 minus 2 bytes>24 belong 3>>30 ubyte x# jump more bytes forward by header size>>>&(4.S) ubyte x# jump more bytes forward by compressed table of contents size>>>>&(8.Q) ubyte x>>>>>&-1 indirect x \b, contains # For SHA-512 jump 64 minus 2 bytes>24 belong 4>>62 ubyte x# 
jump more bytes forward by header size>>>&(4.S) ubyte x# jump more bytes forward by compressed table of contents size>>>>&(8.Q) ubyte x>>>>>&-1 indirect x \b, contains # Type: Parity Archive# From: Daniel van Eeden <daniel_e@dds.nl>0 string PAR2 Parity Archive Volume Set # Bacula volume format. (Volumes always start with a block header.)# URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html# From: Adam Buchbinder <adam.buchbinder@gmail.com>12 string BB02 Bacula volume>20 bedate x \b, started %s # ePub is XHTML + XML inside a ZIP archive. The first member of the# archive must be an uncompressed file called 'mimetype' with contents# 'application/epub+zip' # From: "Michael Gorny" <mgorny@gentoo.org># ZPAQ: http://mattmahoney.net/dc/zpaq.html0 string zPQ ZPAQ stream>3 byte x \b, level %d# From: Barry Carter <carter.barry@gmail.com># https://encode.ru/threads/456-zpaq-updates/page320 string 7kSt ZPAQ file # BBeB ebook, unencrypted (LRF format)# URL: https://www.sven.de/librie/Librie/LrfFormat# From: Adam Buchbinder <adam.buchbinder@gmail.com>0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted>8 beshort x \b, version %d>36 byte 1 \b, front-to-back>36 byte 16 \b, back-to-front>42 beshort x \b, (%dx,>44 beshort x %d) # Symantec GHOST image by Joerg Jenderek at May 2014# https://us.norton.com/ghost/# https://www.garykessler.net/library/file_sigs.html0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image# *.GHO>2 ubyte&0x08 0x00 \b, first file# *.GHS or *.[0-9] with cns program option>2 ubyte&0x08 0x08 \b, split file# part of split index interesting for *.ghs>>4 ubyte x id=0x%x# compression tag minus one equals numeric compression command line switch z[1-9]>3 ubyte 0 \b, no compression>3 ubyte 2 \b, fast compression (Z1)>3 ubyte 3 \b, medium compression (Z2)>3 ubyte >3>>3 ubyte <11 \b, compression (Z%d-1)>2 ubyte&0x08 0x00# ~ 30 byte password field only for *.gho>>12 ubequad !0 \b, password protected>>44 ubyte !1# 1~Image All, sector-by-sector only 
for *.gho>>>10 ubyte 1 \b, sector copy# 1~Image Boot track only for *.gho>>>43 ubyte 1 \b, boot track# 1~Image Disc only for *.gho implies Image Boot track and sector copy>>44 ubyte 1 \b, disc sector copy# optional image description only *.gho>>0xff string >\0 "%-.254s"# look for DOS sector end sequence>0xE08 search/7776 \x55\xAA>>&-512 indirect x \b; contains # Google Chrome extensions# https://developer.chrome.com/extensions/crx# https://developer.chrome.com/extensions/hosting0 string Cr24 Google Chrome extension!:mime application/x-chrome-extension>4 ulong x \b, version %u # SeqBox - Sequenced container# ext: sbx, seqbox# Marco Pontello marcopon@gmail.com# reference: https://github.com/MarcoPon/SeqBox0 string SBx SeqBox,>3 byte x version %d # LyNX archive56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive # From: Joerg Jenderek# URL: https://www.acronis.com/# Reference: https://en.wikipedia.org/wiki/TIB_(file_format)# Note: only tested with True Image 2013 Build 5962 and 2019 Build 141100 ubequad 0xce24b9a220000000 Acronis True Image backup!:mime application/x-acronis-tib!:ext tib# 01000000#>20 ubelong x \b, at 20 0x%x# 20000000#>28 ubelong x \b, at 28 0x%x# strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"# ???# strings like "\Device\0000011e" "\Device\0000015a"#>0 search/0x6852300/cs \\Device\\#>>&-1 pstring x \b, %s# "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"#>>>&1 search/180/cs \\Device\\#>>>>&-1 pstring x \b, %s#>>>>>&0 search/29/cs \0\0\xc8\0# disk label#>>>>>>&10 lestring16 x \b, disk label %11.11s#>>>>>>&9 plestring16 x \b, disk label "%11.11s"#>>>>>>&10 ubequad x %16.16llx # Gentoo XPAK binary package# by Michal Gorny <mgorny@gentoo.org># https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5-4 string STOP>-16 string XPAKSTOP Gentoo binary package (XPAK) # From: Joerg Jenderek# URL: https://kodi.wiki/view/TexturePacker# Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz# 
/xbmc-Krypton/xbmc/guilib/XBTF.h
# /xbmc-Krypton/xbmc/guilib/XBTF.cpp
0 string XBTF
# skip ASCII text by looking for terminating \0 of path
>264 ubyte 0 XBMC texture package
!:mime application/x-xbmc-xbt
!:ext xbt
# XBTF_VERSION 2
>>4 string !2 \b, version %-.1s
# nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
>>5 ulelong x \b, %u file
# plural s
>>5 ulelong >1 \bs
# path[CXBTFFile[MaximumPathLength=256]
>>9 string x \b, 1st %s

#------------------------------------------------------------------------------
# $File: asf,v 1.1 2019/12/26 02:07:53 christos Exp $
# asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files
# http://www.staroceans.org/e-book/ASF_Specification.pdf

0 name asf-name
# ASF_Data_Object
#>0 guid 75B22636-668E-11CF-A6D9-00AA0062CE6C
#>16 lequad >0
#>>(16.q) use asf-object
# ASF_Simple_Index_Object
>0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB
>0 guid D6E229D3-35DA-11D1-9034-00A0C90349BE ASF_Index_Object
>0 guid FEB103F8-12AD-4C64-840F-2A1D2F7AD48C ASF_Media_Object_Index_Object
>0 guid 3CB73FD0-0C4A-4803-953D-EDF7B6228F0C ASF_Timecode_Index_Object

# ASF_File_Properties_Object
>0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365

# ASF_Stream_Properties_Object
>0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365
#>>56 lequad x Time Offset %lld
#>>64 lelong x Type-Specicic Data Length %d
#>>68 lelong x Error Correction Data Length %d
#>>72 leshort x Flags 0x%x
#>>74 lelong x Reserved %x
# ASF_Audio_Media
>>24 guid F8699E40-5B4D-11CF-A8FD-00805F5C442B \b, Audio Media (
>>>78 leshort x \bCodec Id %d
>>>80 leshort x \b, Number of channels %d
>>>82 lelong x \b, Samples Per Second %d
>>>86 lelong x \b, Average Number of Bytes Per Second %d
>>>90 lelong x \b, Block Alignment %d
>>>94 leshort x \b, Bits Per Sample %d
# ASF_Video_Media
>>24 guid BC19EFC0-5B4D-11CF-A8FD-00805F5C442B \b, Video Media (
>>>78 lelong x \bEncoded Image Width %d
>>>82 lelong x \b, Encoded Image Height %d
#>>>85 leshort x \b, Format Data Size %x
>>>93 lelong x \b, Image Width %d
>>>97 lelong x \b, Image Height %d
#>>>101 leshort x \b, Reserved 0x%x
>>>103 leshort x \b, Bits Per Pixel Count %d
#>>>105 lelong x \b, Compression ID %d
#>>>109 lelong x \b, Image Size %d
#>>>113 lelong x \b, Horizontal Pixels Per Meter %d
#>>>117 lelong x \b, Vertical Pixels Per Meter %d
#>>>121 lelong x \b, Colors Used Count %d
#>>>125 lelong x \b, Important Colors Count %d
>>0 lelong x \b, Error correction type
>>40 use asf-name
>>0 lelong x \b)
#ASF_Header_Extension_Object
>0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365
# ASF_Codec_List_Object
>0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6
>0 guid 1EFB1A30-0B62-11D0-A39B-00A0C90348F6 ASF_Script_Command_Object
>0 guid F487CD01-A951-11CF-8EE6-00C00C205365 ASF_Marker_Object
>0 guid D6E229DC-35DA-11D1-9034-00A0C90349BE ASF_Bitrate_Mutual_Exclusion_Object
>0 guid 75B22635-668E-11CF-A6D9-00AA0062CE6C ASF_Error_Correction_Object
# ASF_Content_Description_Object
>0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C
#>>24 leshort title length %d
#>>26 leshort author length %d
#>>28 leshort copyright length %d
#>>30 leshort descriptor length %d
#>>32 leshort rating length %d
>0 guid D2D0A440-E307-11D2-97F0-00A0C95EA850 ASF_Extended_Content_Description_Object
>0 guid 2211B3FA-BD23-11D2-B4B7-00A0C955FC6E ASF_Content_Branding_Object
>0 guid 7BF875CE-468D-11D1-8D82-006097C9A2B2 ASF_Stream_Bitrate_Properties_Object
>0 guid 2211B3FB-BD23-11D2-B4B7-00A0C955FC6E ASF_Content_Encryption_Object
>0 guid 298AE614-2622-4C17-B935-DAE07EE9289C ASF_Extended_Content_Encryption_Object
>0 guid 2211B3FC-BD23-11D2-B4B7-00A0C955FC6E ASF_Digital_Signature_Object
# ASF_Padding_Object
>0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8
>0 guid 14E6A5CB-C672-4332-8399-A96952065B5A ASF_Extended_Stream_Properties_Object
>0 guid A08649CF-4775-4670-8A16-6E35357566CD ASF_Advanced_Mutual_Exclusion_Object
>0 guid D1465A40-5A79-4338-B71B-E36B8FD6C249 ASF_Group_Mutual_Exclusion_Object
>0 guid D4FED15B-88D3-454F-81F0-ED5C45999E24 ASF_Stream_Prioritization_Object
>0 guid A69609E6-517B-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Object
>0 guid 7C4346A9-EFE0-4BFC-B229-393EDE415C85 ASF_Language_List_Object
>0 guid C5F8CBEA-5BAF-4877-8467-AA8C44FA4CCA ASF_Metadata_Object
>0 guid 44231C94-9498-49D1-A141-1D134E457054 ASF_Metadata_Library_Object
>0 guid D6E229DF-35DA-11D1-9034-00A0C90349BE ASF_Index_Parameters_Object
>0 guid 6B203BAD-3F11-48E4-ACA8-D7613DE2CFA7 ASF_Media_Object_Index_Parameters_Object
>0 guid F55E496D-9797-4B5D-8C8B-604DFE9BFB24 ASF_Timecode_Index_Parameters_Object
>0 guid 26F18B5D-4584-47EC-9F5F-0E651F0452C9 ASF_Compatibility_Object
>0 guid 43058533-6981-49E6-9B74-AD12CB86D58C ASF_Advanced_Content_Encryption_Object
>0 guid 59DACFC0-59E6-11D0-A3AC-00A0C90348F6 ASF_Command_Media
>0 guid B61BE100-5B4E-11CF-A8FD-00805F5C44 ASF_JFIF_Media
>0 guid 35907DE0-E415-11CF-A917-00805F5C442B ASF_Degradable_JPEG_Media
>0 guid 91BD222C-F21C-497A-8B6D-5AA86BFC0185 ASF_File_Transfer_Media
>0 guid 3AFB65E2-47EF-40F2-AC2C-70A90D71D343 ASF_Binary_Media
>0 guid 776257D4-C627-41CB-8F81-7AC7FF1C40CC ASF_Web_Stream_Media_Subtype
>0 guid DA1E6B13-8359-4050-B398-388E965BF00C ASF_Web_Stream_Format
>0 guid 20FB5700-5B55-11CF-A8FD-00805F5C442B ASF_No_Error_Correction
>0 guid BFC3CD50-618F-11CF-8BB2-00AA00B4E220 ASF_Audio_Spread
>0 guid ABD3D211-A9BA-11cf-8EE6-00C00C205365 ASF_Reserved_1
>0 guid 7A079BB6-DAA4-4e12-A5CA-91D38DC11A8D ASF_Content_Encryption_System_Windows_Media_DRM
# _Network_Devices
>0 guid 86D15241-311D-11D0-A3A4-00A0C90348F6 ASF_Reserved_2
>0 guid 4B1ACBE3-100B-11D0-A39B-00A0C90348F6 ASF_Reserved_3
>0 guid 4CFEDB20-75F6-11CF-9C0F-00A0C90349CB ASF_Reserved_4
>0 guid D6E22A00-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Language
>0 guid D6E22A01-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Bitrate
>0 guid D6E22A02-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Unknown
>0 guid AF6060AA-5197-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Exclusive
>0 guid AF6060AB-5197-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Partial
>0 guid 399595EC-8667-4E2D-8FDB-98814CE76C1E ASF_Payload_Extension_System_Timecode
>0 guid E165EC0E-19ED-45D7-B4A7-25CBD1E28E9B ASF_Payload_Extension_System_File_Name
>0 guid D590DC20-07BC-436C-9CF7-F3BBFBF1A4DC ASF_Payload_Extension_System_Content_Type
>0 guid 1B1EE554-F9EA-4BC8-821A-376B74E4C4B8 ASF_Payload_Extension_System_Pixel_Aspect_Ratio
>0 guid C6BD9450-867F-4907-83A3-C77921B733AD ASF_Payload_Extension_System_Sample_Duration
>0 guid 6698B84E-0AFA-4330-AEB2-1C0A98D7A44D ASF_Payload_Extension_System_Encryption_Sample_ID
>0 guid 00E1AF06-7BEC-11D1-A582-00C04FC29CFB ASF_Payload_Extension_System_Degradable_JPEG

0 name asf-object
>0 use asf-name
#>>16 lequad >0 (size %lld) [
>>16 lequad >0
>>>(16.q) use asf-object
#>>16 lequad 0 ]

# Microsoft Advanced Streaming Format (ASF) <mpruett@sgi.com>
0 guid 75B22630-668E-11CF-A6D9-00AA0062CE6C Microsoft ASF
!:mime video/x-ms-asf
#>16 lequad >0 (size %lld
#>>24 lelong x \b, %d header objects)
>16 lequad >0
>>30 use asf-object
>>(16.q) use asf-object
#------------------------------------------------------------------------------
# $File: assembler,v 1.6 2013/12/11 14:14:20 christos Exp $
# make: file(1) magic for assembler source
#
0 regex \^[\040\t]{0,50}\\.asciiz assembler source text
!:mime text/x-asm
0 regex \^[\040\t]{0,50}\\.byte assembler source text
!:mime text/x-asm
0 regex \^[\040\t]{0,50}\\.even assembler source text
!:mime text/x-asm
0 regex \^[\040\t]{0,50}\\.globl assembler source text
!:mime text/x-asm
0 regex \^[\040\t]{0,50}\\.text assembler source text
!:mime text/x-asm
0 regex \^[\040\t]{0,50}\\.file assembler source text
!:mime text/x-asm
0 regex \^[\040\t]{0,50}\\.type assembler source text
!:mime text/x-asm

#------------------------------------------------------------------------------
# $File: asterix,v 1.5 2009/09/19 16:28:08 christos Exp $
# asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character
# strings as "long" - we assume they're just strings:
# From: guy@netapp.com (Guy Harris)
#
0 string *STA Aster*x
>7 string WORD Words Document
>7 string GRAP Graphic
>7 string SPRE Spreadsheet
>7 string MACR Macro
0 string 2278 Aster*x Version 2
>29 byte 0x36 Words Document
>29 byte 0x35 Graphic
>29 byte 0x32 Spreadsheet
>29 byte 0x38 Macro

#------------------------------------------------------------------------------
# $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $
# att3b: file(1) magic for AT&T 3B machines
#
# The `versions' should be un-commented if they work for you.
# (Was the problem just one of endianness?)
#
# 3B20
#
# The 3B20 conflicts with SCCS.
#0 beshort 0550 3b20 COFF executable
#>12 belong >0 not stripped
#>22 beshort >0 - version %d
#0 beshort 0551 3b20 COFF executable (TV)
#>12 belong >0 not stripped
#>22 beshort >0 - version %d
#
# WE32K
#
0 beshort 0560 WE32000 COFF
>18 beshort ^00000020 object
>18 beshort &00000020 executable
>12 belong >0 not stripped
>18 beshort ^00010000 N/A on 3b2/300 w/paging
>18 beshort &00020000 32100 required
>18 beshort &00040000 and MAU hardware required
>20 beshort 0407 (impure)
>20 beshort 0410 (pure)
>20 beshort 0413 (demand paged)
>20 beshort 0443 (target shared library)
>22 beshort >0 - version %d
0 beshort 0561 WE32000 COFF executable (TV)
>12 belong >0 not stripped
#>18 beshort &00020000 - 32100 required
#>18 beshort &00040000 and MAU hardware required
#>22 beshort >0 - version %d
#
# core file for 3b2
0 string \000\004\036\212\200 3b2 core file
>364 string >\0 of '%s'

#------------------------------------------------------------------------------
# $File: audio,v 1.118 2019/11/19 05:30:07 christos Exp $
# audio: file(1) magic for sound formats (see also "iff")
#
# Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com),
# and others
#

# Sun/NeXT audio data
0 string .snd Sun/NeXT audio data:
>12 belong 1 8-bit ISDN mu-law,
!:mime audio/basic
>12 belong 2 8-bit linear PCM [REF-PCM],
!:mime audio/basic
>12 belong 3 16-bit linear PCM,
!:mime audio/basic
>12 belong 4 24-bit linear PCM,
!:mime audio/basic
>12 belong 5 32-bit linear PCM,
!:mime audio/basic
>12 belong 6 32-bit IEEE floating point,
!:mime audio/basic
>12 belong 7 64-bit IEEE floating point,
!:mime audio/basic
>12 belong 8 Fragmented sample data,
>12 belong 10 DSP program,
>12 belong 11 8-bit fixed point,
>12 belong 12 16-bit fixed point,
>12 belong 13 24-bit fixed point,
>12 belong 14 32-bit fixed point,
>12 belong 18 16-bit linear with emphasis,
>12 belong 19 16-bit linear compressed,
>12 belong 20 16-bit linear with emphasis and compression,
>12 belong 21 Music kit DSP commands,
>12 belong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.),
!:mime audio/x-adpcm
>12 belong 24 compressed (8-bit CCITT G.722 ADPCM)
>12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM),
>12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM),
>12 belong 27 8-bit A-law (CCITT G.711),
>20 belong 1 mono,
>20 belong 2 stereo,
>20 belong 4 quad,
>16 belong >0 %d Hz

# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
# that uses little-endian encoding and has a different magic number
0 lelong 0x0064732E DEC audio data:
>12 lelong 1 8-bit ISDN mu-law,
!:mime audio/x-dec-basic
>12 lelong 2 8-bit linear PCM [REF-PCM],
!:mime audio/x-dec-basic
>12 lelong 3 16-bit linear PCM,
!:mime audio/x-dec-basic
>12 lelong 4 24-bit linear PCM,
!:mime audio/x-dec-basic
>12 lelong 5 32-bit linear PCM,
!:mime audio/x-dec-basic
>12 lelong 6 32-bit IEEE floating point,
!:mime audio/x-dec-basic
>12 lelong 7 64-bit IEEE floating point,
!:mime audio/x-dec-basic
>12 belong 8 Fragmented sample data,
>12 belong 10 DSP program,
>12 belong 11 8-bit fixed point,
>12 belong 12 16-bit fixed point,
>12 belong 13 24-bit fixed point,
>12 belong 14 32-bit fixed point,
>12 belong 18 16-bit linear with emphasis,
>12 belong 19 16-bit linear compressed,
>12 belong 20 16-bit linear with emphasis and compression,
>12 belong 21 Music kit DSP commands,
>12 lelong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.),
!:mime audio/x-dec-basic
>12 belong 24 compressed (8-bit CCITT G.722 ADPCM)
>12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM),
>12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM),
>12 belong 27 8-bit A-law (CCITT G.711),
>20 lelong 1 mono,
>20 lelong 2 stereo,
>20 lelong 4 quad,
>16 lelong >0 %d Hz

# Creative Labs AUDIO stuff
0 string MThd Standard MIDI data
!:mime audio/midi
>8 beshort x (format %d)
>10 beshort x using %d track
>10 beshort >1 \bs
>12 beshort&0x7fff x at 1/%d
>12 beshort&0x8000 >0 SMPTE

0 string CTMF Creative Music (CMF) data
!:mime audio/x-unknown
0 string SBI SoundBlaster instrument data
!:mime audio/x-unknown
0 string Creative\ Voice\ File Creative Labs voice data
!:mime audio/x-unknown
# is this next line right? it came this way...
>19 byte 0x1A
>23 byte >0 - version %d
>22 byte >0 \b.%d

# first entry is also the string "NTRK"
0 belong 0x4e54524b MultiTrack sound data
>4 belong x - version %d

# Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED
# [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi]
0 string EMOD Extended MOD sound data,
>4 byte&0xf0 x version %d
>4 byte&0x0f x \b.%d,
>45 byte x %d instruments
>83 byte 0 (module)
>83 byte 1 (song)

# Real Audio (Magic .ra\0375)
0 belong 0x2e7261fd RealAudio sound file
!:mime audio/x-pn-realaudio
0 string .RMF\0\0\0 RealMedia file
!:mime application/vnd.rn-realmedia
#video/x-pn-realvideo
#video/vnd.rn-realvideo
#application/vnd.rn-realmedia
# sigh, there are many mimes for that but the above are the most common.

# MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net]
# Oct 31, 1995
# fixed by <doj@cubic.org> 2003-06-24
# Too short...
#0 string MTM MultiTracker Module sound file
#0 string if Composer 669 Module sound data
#0 string JN Composer 669 Module sound data (extended format)
0 string MAS_U ULT(imate) Module sound data

#0 string FAR Module sound data
#>4 string >\15 Title: "%s"

0x2c string SCRM ScreamTracker III Module sound data
>0 string >\0 Title: "%s"
!:mime audio/x-s3m

# .stm before it got above .s3m extension
0x16 string \!Scream\! ScreamTracker Module sound data
>0 string >\0 Title: "%s"

# Gravis UltraSound patches
# From <ache@nagual.ru>

0 string GF1PATCH110\0ID#000002\0 GUS patch
0 string GF1PATCH100\0ID#000002\0 Old GUS patch

# mime types according to http://www.geocities.com/nevilo/mod.htm:
# audio/it .it
# audio/x-zipped-it .itz
# audio/xm fasttracker modules
# audio/x-s3m screamtracker modules
# audio/s3m screamtracker modules
# audio/x-zipped-mod mdz
# audio/mod mod
# audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z)

#
# Taken from loader code from mikmod version 2.14
# by Steve McIntyre (stevem@chiark.greenend.org.uk)
# <doj@cubic.org> added title printing on 2003-06-24
0 string MAS_UTrack_V00
>14 string >/0 ultratracker V1.%.1s module sound data
!:mime audio/x-mod
#audio/x-tracker-module

0 string UN05 MikMod UNI format module sound data

0 string Extended\ Module: Fasttracker II module sound data
!:mime audio/x-mod
#audio/x-tracker-module
>17 string >\0 Title: "%s"

21 string/c =!SCREAM! Screamtracker 2 module sound data
!:mime audio/x-mod
#audio/x-screamtracker-module
21 string BMOD2STM Screamtracker 2 module sound data
!:mime audio/x-mod
#audio/x-screamtracker-module
1080 string M.K. 4-channel Protracker module sound data
!:mime audio/x-mod
#audio/x-protracker-module
>0 string >\0 Title: "%s"
1080 string M!K! 4-channel Protracker module sound data
!:mime audio/x-mod
#audio/x-protracker-module
>0 string >\0 Title: "%s"
1080 string FLT4 4-channel Startracker module sound data
!:mime audio/x-mod
#audio/x-startracker-module
>0 string >\0 Title: "%s"
1080 string FLT8 8-channel Startracker module sound data
!:mime audio/x-mod
#audio/x-startracker-module
>0 string >\0 Title: "%s"
1080 string 4CHN 4-channel Fasttracker module sound data
!:mime audio/x-mod
#audio/x-fasttracker-module
>0 string >\0 Title: "%s"
1080 string 6CHN 6-channel Fasttracker module sound data
!:mime audio/x-mod
#audio/x-fasttracker-module
>0 string >\0 Title: "%s"
1080 string 8CHN 8-channel Fasttracker module sound data
!:mime audio/x-mod
#audio/x-fasttracker-module
>0 string >\0 Title: "%s"
1080 string CD81 8-channel Octalyser module sound data
!:mime audio/x-mod
#audio/x-octalysertracker-module
>0 string >\0 Title: "%s"
1080 string OKTA 8-channel Octalyzer module sound data
!:mime audio/x-mod
#audio/x-octalysertracker-module
>0 string >\0 Title: "%s"
# Not good enough.
#1082 string CH
#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data
1080 string 16CN 16-channel Taketracker module sound data
!:mime audio/x-mod
#audio/x-taketracker-module
>0 string >\0 Title: "%s"
1080 string 32CN 32-channel Taketracker module sound data
!:mime audio/x-mod
#audio/x-taketracker-module
>0 string >\0 Title: "%s"

# TOC sound files -Trevor Johnson <trevor@jpj.net>
#
0 string TOC TOC sound file

# sidfiles <pooka@iki.fi>
# added name,author,(c) and new RSID type by <doj@cubic.org> 2003-06-24
0 string SIDPLAY\ INFOFILE Sidplay info file

0 string PSID PlaySID v2.2+ (AMIGA) sidtune
>4 beshort >0 w/ header v%d,
>14 beshort =1 single song,
>14 beshort >1 %d songs,
>16 beshort >0 default song: %d
>0x16 string >\0 name: "%s"
>0x36 string >\0 author: "%s"
>0x56 string >\0 copyright: "%s"

0 string RSID RSID sidtune PlaySID compatible
>4 beshort >0 w/ header v%d,
>14 beshort =1 single song,
>14 beshort >1 %d songs,
>16 beshort >0 default song: %d
>0x16 string >\0 name: "%s"
>0x36 string >\0 author: "%s"
>0x56 string >\0 copyright: "%s"

# IRCAM sound files - Michael Pruett <michael@68k.org>
# http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html
0 belong 0x64a30100 IRCAM file (VAX little-endian)
0 belong 0x0001a364 IRCAM file (VAX big-endian)
0 belong 0x64a30200 IRCAM file (Sun big-endian)
0 belong 0x0002a364 IRCAM file (Sun little-endian)
0 belong 0x64a30300 IRCAM file (MIPS little-endian)
0 belong 0x0003a364 IRCAM file (MIPS big-endian)
0 belong 0x64a30400 IRCAM file (NeXT big-endian)
0 belong 0x64a30400 IRCAM file (NeXT big-endian)
0 belong 0x0004a364 IRCAM file (NeXT little-endian)

# NIST SPHERE <mpruett@sgi.com>
0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file

# Sample Vision <mpruett@sgi.com>
0 string SOUND\ SAMPLE\ DATA\ Sample Vision file

# Audio Visual Research <tonigonenstein@users.sourceforge.net>
0 string 2BIT Audio Visual Research file,
>12 beshort =0 mono,
>12 beshort =-1 stereo,
>14 beshort x %d bits
>16 beshort =0 unsigned,
>16 beshort =-1 signed,
>22 belong&0x00ffffff x %d Hz,
>18 beshort =0 no loop,
>18 beshort =-1 loop,
>21 ubyte <128 note %d,
>22 byte =0 replay 5.485 KHz
>22 byte =1 replay 8.084 KHz
>22 byte =2 replay 10.971 KHz
>22 byte =3 replay 16.168 KHz
>22 byte =4 replay 21.942 KHz
>22 byte =5 replay 32.336 KHz
>22 byte =6 replay 43.885 KHz
>22 byte =7 replay 47.261 KHz

# SGI SoundTrack <mpruett@sgi.com>
0 string _SGI_SoundTrack SGI SoundTrack project file
# ID3 version 2 tags <waschk@informatik.uni-rostock.de>
0 string ID3 Audio file with ID3 version 2
>3 byte x \b.%d
>4 byte x \b.%d
>>5 byte &0x80 \b, unsynchronized frames
>>5 byte &0x40 \b, extended header
>>5 byte &0x20 \b, experimental
>>5 byte &0x10 \b, footer present
>(6.I+10) indirect x \b, contains:

# NSF (NES sound file) magic
0 string NESM\x1a NES Sound File
>14 string >\0 ("%s" by
>46 string >\0 %s, copyright
>78 string >\0 %s),
>5 byte x version %d,
>6 byte x %d tracks,
>122 byte&0x2 =1 dual PAL/NTSC
>122 byte&0x1 =1 PAL
>122 byte&0x1 =0 NTSC

# NSFE (Extended NES sound file) magic
# http://slickproductions.org/docs/NSF/nsfespec.txt
# From: David Pflug <david@pflug.email>
0 string NSFE Extended NES Sound File
>48 search/0x1000 auth
>>&0 string >\0 ("%s"
>>>&1 string >\0 by %s
>>>>&1 string >\0 \b, copyright %s
>>>>>&1 string >\0 \b, ripped by %s
>20 byte x \b), %d tracks,
>18 byte&0x2 =1 dual PAL/NTSC
>18 byte&0x2 =0
>>18 byte&0x1 =1 PAL
>>18 byte&0x1 =0 NTSC

# Type: SNES SPC700 sound files
# From: Josh Triplett <josh@freedesktop.org>
0 string SNES-SPC700\ Sound\ File\ Data\ v SNES SPC700 sound file
>&0 string 0.30 \b, version %s
>>0x23 byte 0x1B \b, without ID666 tag
>>0x23 byte 0x1A \b, with ID666 tag
>>>0x2E string >\0 \b, song "%.32s"
>>>0x4E string >\0 \b, game "%.32s"

# Impulse tracker module (audio/x-it)
0 string IMPM Impulse Tracker module sound data -
!:mime audio/x-mod
>4 string >\0 "%s"
>40 leshort !0 compatible w/ITv%x
>42 leshort !0 created w/ITv%x

# Imago Orpheus module (audio/x-imf)
60 string IM10 Imago Orpheus module sound data -
>0 string >\0 "%s"

# From <collver1@attbi.com>
# These are the /etc/magic entries to decode modules, instruments, and
# samples in Impulse Tracker's native format.
0 string IMPS Impulse Tracker Sample
>18 byte &2 16 bit
>18 byte ^2 8 bit
>18 byte &4 stereo
>18 byte ^4 mono
0 string IMPI Impulse Tracker Instrument
>28 leshort !0 ITv%x
>30 byte !0 %d samples

# Yamaha TX Wave: file(1) magic for Yamaha TX Wave audio files
# From <collver1@attbi.com>
0 string LM8953 Yamaha TX Wave
>22 byte 0x49 looped
>22 byte 0xC9 non-looped
>23 byte 1 33kHz
>23 byte 2 50kHz
>23 byte 3 16kHz

# scream tracker: file(1) magic for Scream Tracker sample files
#
# From <collver1@attbi.com>
76 string SCRS Scream Tracker Sample
>0 byte 1 sample
>0 byte 2 adlib melody
>0 byte >2 adlib drum
>31 byte &2 stereo
>31 byte ^2 mono
>31 byte &4 16bit little endian
>31 byte ^4 8bit
>30 byte 0 unpacked
>30 byte 1 packed

# audio
# From: Cory Dikkers <cdikkers@swbell.net>
0 string MMD0 MED music file, version 0
0 string MMD1 OctaMED Pro music file, version 1
0 string MMD3 OctaMED Soundstudio music file, version 3
0 string OctaMEDCmpr OctaMED Soundstudio compressed file
0 string MED MED_Song
0 string SymM Symphonie SymMOD music file
#
# Track Length (TRL), Tracks (TRK), Samples (SMP), Subsongs (SS)
# http://lclevy.free.fr/exotica/ahx/ahxformat.txt
0 string THX AHX version
>3 byte =0 1 module data
>3 byte =1 2 module data
>10 byte x TRL: %u
>11 byte x TRK: %u
>12 byte x SMP: %u
>13 byte x SS: %u
#
0 string OKTASONG Oktalyzer module data
#
0 string DIGI\ Booster\ module\0 %s
>20 byte >0 %c
>>21 byte >0 \b%c
>>>22 byte >0 \b%c
>>>>23 byte >0 \b%c
>610 string >\0 \b, "%s"
#
0 string DBM0 DIGI Booster Pro Module
>4 byte >0 V%X.
>>5 byte x \b%02X
>16 string >\0 \b, "%s"
#
0 string FTMN FaceTheMusic module
>16 string >\0d \b, "%s"

# From: <doj@cubic.org> 2003-06-24
0 string AMShdr\32 Velvet Studio AMS Module v2.2
0 string Extreme Extreme Tracker AMS Module v1.3
0 string DDMF Xtracker DMF Module
>4 byte x v%i
>0xD string >\0 Title: "%s"
>0x2B string >\0 Composer: "%s"
0 string DSM\32 Dynamic Studio Module DSM
0 string SONG DigiTrekker DTM Module
0 string DMDL DigiTrakker MDL Module
0 string PSM\32 Protracker Studio PSM Module
44 string PTMF Poly Tracker PTM Module
>0 string >\32 Title: "%s"
0 string MT20 MadTracker 2.0 Module MT2
0 string RAD\40by\40REALiTY!! RAD Adlib Tracker Module RAD
0 string RTMM RTM Module
0x426 string MaDoKaN96 XMS Adlib Module
>0 string >\0 Composer: "%s"
0 string AMF AMF Module
>4 string >\0 Title: "%s"
0 string MODINFO1 Open Cubic Player Module Inforation MDZ
0 string Extended\40Instrument: Fast Tracker II Instrument

# From: Takeshi Hamasaki <hma@syd.odn.ne.jp>
# NOA Nancy Codec file
0 string \210NOA\015\012\032 NOA Nancy Codec Movie file
# Yamaha SMAF format
0 string MMMD Yamaha SMAF file
# Sharp Jisaku Melody format for PDC
0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody
>20 string Ver01.00 Ver. 1.00
>>32 byte x , %d tracks

# Free lossless audio codec <http://flac.sourceforge.net>
# From: Przemyslaw Augustyniak <silvathraec@rpg.pl>
0 string fLaC FLAC audio bitstream data
!:mime audio/flac
>4 byte&0x7f >0 \b, unknown version
>4 byte&0x7f 0 \b
# some common bits/sample values
>>20 beshort&0x1f0 0x030 \b, 4 bit
>>20 beshort&0x1f0 0x050 \b, 6 bit
>>20 beshort&0x1f0 0x070 \b, 8 bit
>>20 beshort&0x1f0 0x0b0 \b, 12 bit
>>20 beshort&0x1f0 0x0f0 \b, 16 bit
>>20 beshort&0x1f0 0x170 \b, 24 bit
>>20 byte&0xe 0x0 \b, mono
>>20 byte&0xe 0x2 \b, stereo
>>20 byte&0xe 0x4 \b, 3 channels
>>20 byte&0xe 0x6 \b, 4 channels
>>20 byte&0xe 0x8 \b, 5 channels
>>20 byte&0xe 0xa \b, 6 channels
>>20 byte&0xe 0xc \b, 7 channels
>>20 byte&0xe 0xe \b, 8 channels
# sample rates derived from known oscillator frequencies;
# 24.576 MHz (video/fs=48kHz), 22.5792 (audio/fs=44.1kHz) and
# 16.384 (other/fs=32kHz).
>>17 belong&0xfffff0 0x02b110 \b, 11.025 kHz
>>17 belong&0xfffff0 0x03e800 \b, 16 kHz
>>17 belong&0xfffff0 0x056220 \b, 22.05 kHz
>>17 belong&0xfffff0 0x05dc00 \b, 24 kHz
>>17 belong&0xfffff0 0x07d000 \b, 32 kHz
>>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz
>>17 belong&0xfffff0 0x0bb800 \b, 48 kHz
>>17 belong&0xfffff0 0x0fa000 \b, 64 kHz
>>17 belong&0xfffff0 0x158880 \b, 88.2 kHz
>>17 belong&0xfffff0 0x177000 \b, 96 kHz
>>17 belong&0xfffff0 0x1f4000 \b, 128 kHz
>>17 belong&0xfffff0 0x2b1100 \b, 176.4 kHz
>>17 belong&0xfffff0 0x2ee000 \b, 192 kHz
>>17 belong&0xfffff0 0x3e8000 \b, 256 kHz
>>17 belong&0xfffff0 0x562200 \b, 352.8 kHz
>>17 belong&0xfffff0 0x5dc000 \b, 384 kHz
>>21 byte&0xf >0 \b, >4G samples
>>21 byte&0xf 0 \b
>>>22 belong >0 \b, %u samples
>>>22 belong 0 \b, length unknown

# (ISDN) VBOX voice message file (Wolfram Kleff)
0 string VBOX VBOX voice message data

# ReBorn Song Files (.rbs)
# David J. Singer <doc@deadvirgins.org.uk>
8 string RB40 RBS Song file
>29 string ReBorn created by ReBorn
>37 string Propellerhead created by ReBirth

# Synthesizer Generator and Kimwitu share their file format
0 string A#S#C#S#S#L#V#3 Synthesizer Generator or Kimwitu data
# Kimwitu++ uses a slightly different magic
0 string A#S#C#S#S#L#HUB Kimwitu++ data

# From "Simon Hosie
0 string TFMX-SONG TFMX module sound data

# Monkey's Audio compressed audio format (.ape)
# From danny.milo@gmx.net (Danny Milosavljevic)
# New version from Abel Cheung <abel (@) oaka.org>
0 string MAC\040 Monkey's Audio compressed format
!:mime audio/x-ape
>4 uleshort >0x0F8B version %d
>>(0x08.l) uleshort =1000 with fast compression
>>(0x08.l) uleshort =2000 with normal compression
>>(0x08.l) uleshort =3000 with high compression
>>(0x08.l) uleshort =4000 with extra high compression
>>(0x08.l) uleshort =5000 with insane compression
>>(0x08.l+18) uleshort =1 \b, mono
>>(0x08.l+18) uleshort =2 \b, stereo
>>(0x08.l+20) ulelong x \b, sample rate %d
>4 uleshort <0x0F8C version %d
>>6 uleshort =1000 with fast compression
>>6 uleshort =2000 with normal compression
>>6 uleshort =3000 with high compression
>>6 uleshort =4000 with extra high compression
>>6 uleshort =5000 with insane compression
>>10 uleshort =1 \b, mono
>>10 uleshort =2 \b, stereo
>>12 ulelong x \b, sample rate %d

# adlib sound files
# From: Alex Myczko <alex@aiei.ch>

# https://github.com/rerrahkr/BambooTracker
0 string BambooTrackerMod BambooTracker module
>22 byte x \b, version %u
>21 byte x \b.%u
>20 byte x \b.%u

0 string BambooTrackerIst BambooTracker instrument
>22 byte x \b, version %u
>21 byte x \b.%u
>20 byte x \b.%u

0 string CC2x CheeseCutter 2 song

0 string RAWADATA RdosPlay RAW

1068 string RoR AMUSIC Adlib Tracker

0 string JCH EdLib

0 string mpu401tr MPU-401 Trakker

0 string SAdT Surprise! Adlib Tracker
>4 byte x Version %d

0 string XAD! eXotic ADlib

0 string ofTAZ! eXtra Simple Music

0 string FMK! FM Kingtracker Song

0 string DFM DFM Song

0 string \<CUD-FM-File\> CFF Song

0 string _A2module A2M Song

# Spectrum 128 tunes (.ay files).
# From: Emanuel Haupt <ehaupt@critical.ch>
0 string ZXAYEMUL Spectrum 128 tune

0 string \0BONK BONK,
#>5 byte x version %d
>14 byte x %d channel(s),
>15 byte =1 lossless,
>15 byte =0 lossy,
>16 byte x mid-side

384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones)

# format VQF (proprietary codec for sound)
# some infos on the header file available at :
# http://www.twinvq.org/english/technology_format.html
0 string TWIN97012000 VQF data
>27 short 0 \b, Mono
>27 short 1 \b, Stereo
>31 short >0 \b, %d kbit/s
>35 short >0 \b, %d kHz

# Nelson A. de Oliveira (naoliv@gmail.com)
# .eqf
0 string Winamp\ EQ\ library\ file %s
# it will match only versions like v<digit>.<digit>
# Since I saw only eqf files with version v1.1 I think that it's OK
>23 string x \b%.4s
# .preset
0 string [Equalizer\ preset] XMMS equalizer preset
# .m3u
0 search/1 #EXTM3U M3U playlist text
# .pls
0 search/1 [playlist] PLS playlist text
# licq.conf
1 string [licq] LICQ configuration file

# Atari ST audio files by Dirk Jagdmann <doj@cubic.org>
# NOTE: Most SNDH music is packed using ICE, which has
# magic numbers "ICE!" and "Ice!". Some SNDH music is
# not packed, so we check for both packed and unpacked.
12 string SNDH SNDH Atari ST music
0 belong&0xFFDFDFFF 0x49434521
>14 search/40 NDH SNDH Atari ST music
>14 search/40 TITL SNDH Atari ST music
0 string SC68\ Music-file\ /\ (c)\ (BeN)jami sc68 Atari ST music

# musepak support From: "Jiri Pejchal" <jiri.pejchal@gmail.com>
0 string MP+ Musepack audio (MP+)
!:mime audio/x-musepack
>3 byte 255 \b, SV pre8
>3 byte&0xF 0x6 \b, SV 6
>3 byte&0xF 0x8 \b, SV 8
>3 byte&0xF 0x7 \b, SV 7
>>3 byte&0xF0 0x0 \b.0
>>3 byte&0xF0 0x10 \b.1
>>3 byte&0xF0 240 \b.15
>>10 byte&0xF0 0x0 \b, no profile
>>10 byte&0xF0 0x10 \b, profile 'Unstable/Experimental'
>>10 byte&0xF0 0x50 \b, quality 0
>>10 byte&0xF0 0x60 \b, quality 1
>>10 byte&0xF0 0x70 \b, quality 2 (Telephone)
>>10 byte&0xF0 0x80 \b, quality 3 (Thumb)
>>10 byte&0xF0 0x90 \b, quality 4 (Radio)
>>10 byte&0xF0 0xA0 \b, quality 5 (Standard)
>>10 byte&0xF0 0xB0 \b, quality 6 (Xtreme)
>>10 byte&0xF0 0xC0 \b, quality 7 (Insane)
>>10 byte&0xF0 0xD0 \b, quality 8 (BrainDead)
>>10 byte&0xF0 0xE0 \b, quality 9
>>10 byte&0xF0 0xF0 \b, quality 10
>>27 byte 0x0 \b, Buschmann 1.7.0-9, Klemm 0.90-1.05
>>27 byte 102 \b, Beta 1.02
>>27 byte 104 \b, Beta 1.04
>>27 byte 105 \b, Alpha 1.05
>>27 byte 106 \b, Beta 1.06
>>27 byte 110 \b, Release 1.1
>>27 byte 111 \b, Alpha 1.11
>>27 byte 112 \b, Beta 1.12
>>27 byte 113 \b, Alpha 1.13
>>27 byte 114 \b, Beta 1.14
>>27 byte 115 \b, Alpha 1.15

0 string MPCK Musepack audio (MPCK)
!:mime audio/x-musepack

# IMY
# from http://filext.com/detaillist.php?extdetail=IMY
# https://cellphones.about.com/od/cellularfaqs/f/rf_imelody.htm
# http://download.ncl.ie/doc/api/ie/ncl/media/music/IMelody.html
# http://www.wx800.com/msg/download/irda/iMelody.pdf
0 string BEGIN:IMELODY iMelody Ringtone Format

# From: "Mateus Caruccio" <mateus@caruccio.com>
# guitar pro v3,4,5 from http://filext.com/file-extension/gp3
0 string \030FICHIER\ GUITAR\ PRO\ v3. Guitar Pro Ver. 3 Tablature

# From: "Leslie P. Polzer" <leslie.polzer@gmx.net>
60 string SONG SoundFX Module sound file

# Type: Adaptive Multi-Rate Codec
# URL: http://filext.com/detaillist.php?extdetail=AMR
# From: Russell Coker <russell@coker.com.au>
0 string #!AMR Adaptive Multi-Rate Codec (GSM telephony)
!:mime audio/amr
!:ext amr

# Type: SuperCollider 3 Synth Definition File Format
# From: Mario Lang <mlang@debian.org>
0 string SCgf SuperCollider3 Synth Definition file,
>4 belong x version %d

# Type: True Audio Lossless Audio
# URL: https://wiki.multimedia.cx/index.php?title=True_Audio
# From: Mike Melanson <mike@multimedia.cx>
0 string TTA1 True Audio Lossless Audio

# Type: WavPack Lossless Audio
# URL: https://wiki.multimedia.cx/index.php?title=WavPack
# From: Mike Melanson <mike@multimedia.cx>
0 string wvpk WavPack Lossless Audio

# From Fabio R. Schmidlin <frs@pop.com.br>
# VGM music file
0 string Vgm\040
>9 ubyte >0 VGM Video Game Music dump v
!:mime audio/x-vgm
!:ext vgm
>>9 ubyte/16 >0 \b%d
>>9 ubyte&0x0F x \b%d
>>8 ubyte/16 x \b.%d
>>8 ubyte&0x0F >0 \b%d
#Get soundchips
>>8 ubyte x \b, soundchip(s)=
>>0x0C ulelong >0 SN76489,
>>0x10 ulelong >0 YM2413,
>>0x2C ulelong >0 YM2612,
>>0x30 ulelong >0 YM2151,
>>0x38 ulelong >0 Sega PCM,
>>0x34 ulelong >0xC
>>>0x40 ulelong >0 RF5C68,
>>0x34 ulelong >0x10
>>>0x44 ulelong >0 YM2203,
>>0x34 ulelong >0x14
>>>0x48 ulelong >0 YM2608,
>>0x34 ulelong >0x18
>>>0x4C lelong >0 YM2610,
>>>0x4C lelong <0 YM2610B,
>>0x34 ulelong >0x1C
>>>0x50 ulelong >0 YM3812,
>>0x34 ulelong >0x20
>>>0x54 ulelong >0 YM3526,
>>0x34 ulelong >0x24
>>>0x58 ulelong >0 Y8950,
>>0x34 ulelong >0x28
>>>0x5C ulelong >0 YMF262,
>>0x34 ulelong >0x2C
>>>0x60 ulelong >0 YMF278B,
>>0x34 ulelong >0x30
>>>0x64 ulelong >0 YMF271,
>>0x34 ulelong >0x34
>>>0x68 ulelong >0 YMZ280B,
>>0x34 ulelong >0x38
>>>0x6C ulelong >0 RF5C164,
>>0x34 ulelong >0x3C
>>>0x70 ulelong >0 PWM,
>>0x34 ulelong >0x40
>>>0x74 ulelong >0
>>>>0x78 ubyte 0x00 AY-3-8910,
>>>>0x78 ubyte 0x01 AY-3-8912,
>>>>0x78 ubyte 0x02 AY-3-8913,
>>>>0x78 ubyte 0x03 AY-3-8930,
>>>>0x78 ubyte 0x10 YM2149,
>>>>0x78 ubyte 0x11 YM3439,
>>>>0x78 ubyte 0x12 YMZ284,
>>>>0x78 ubyte 0x13 YMZ294,
# VGM 1.61
>>0x34 ulelong >0x4C
>>>0x80 ulelong >0 DMG,
>>0x34 ulelong >0x50
>>>0x84 lelong >0 NES APU,
>>>0x84 lelong <0 NES APU with FDS,
>>0x34 ulelong >0x54
>>>0x88 ulelong >0 MultiPCM,
>>0x34 ulelong >0x58
>>>0x8C ulelong >0 uPD7759,
>>0x34 ulelong >0x5C
>>>0x90 ulelong >0 OKIM6258,
>>0x34 ulelong >0x64
>>>0x98 ulelong >0 OKIM6295,
>>0x34 ulelong >0x68
>>>0x9C ulelong >0 K051649,
>>0x34 ulelong >0x6C
>>>0xA0 ulelong >0 K054539,
>>0x34 ulelong >0x70
>>>0xA4 ulelong >0 HuC6280,
>>0x34 ulelong >0x74
>>>0xA8 ulelong >0 C140,
>>0x34 ulelong >0x78
>>>0xAC ulelong >0 K053260,
>>0x34 ulelong >0x7C
>>>0xB0 ulelong >0 Pokey,
>>0x34 ulelong >0x80
>>>0xB4 ulelong >0 QSound,
# VGM 1.71
>>0x34 ulelong >0x84
>>>0xB8 ulelong >0 SCSP,
>>0x34 ulelong >0x8C
>>>0xC0 ulelong >0 WonderSwan,
>>0x34 ulelong >0x90
>>>0xC4 ulelong >0 VSU,
>>0x34 ulelong >0x94
>>>0xC8 ulelong >0 SAA1099,
>>0x34 ulelong >0x98
>>>0xCC ulelong >0 ES5503,
>>0x34 ulelong >0x9C
>>>0xD0 lelong >0 ES5505,
>>>0xD0 lelong <0 ES5506,
>>0x34 ulelong >0xA4
>>>0xD8 ulelong >0 X1-010,
>>0x34 ulelong >0xA8
>>>0xDC ulelong >0 C352,
>>0x34 ulelong >0xAC
>>>0xE0 ulelong >0 GA20,

# GVOX Encore file format
# Since this is a proprietary file format and there is no publicly available
# format specification, this is just based on induction
#
0 string SCOW
>4 byte 0xc4 GVOX Encore music, version 5.0 or above
>4 byte 0xc2 GVOX Encore music, version < 5.0

0 string ZBOT
>4 byte 0xc5 GVOX Encore music, version < 5.0

# Summary: Garmin Voice Processing Module (WAVE audios)
# From: Joerg Jenderek
# URL: https://www.garmin.com/
# Reference: http://www.poi-factory.com/node/19580
# NOTE: there exist 2 other Garmin VPM formats
0 string AUDIMG
# skip text files starting with string "AUDIMG"
>13 ubyte <13 Garmin Voice Processing Module
!:mime audio/x-vpm-wav-garmin
!:ext vpm
# 3 bytes indicating the voice version (200,220)
>>6 string x \b, version %3.3s
# day of release (01-31)
>>12 ubyte x \b, %.2d
# month of release (01-12)
>>13 ubyte x \b.%.2d
# year of release (like 2006, 2007, 2008)
>>14 uleshort x \b.%.4d
# hour of release (0-23)
>>11 ubyte x %.2d
# minute of release (0-59)
>>10 ubyte x \b:%.2d
# second of release (0-59)
>>9 ubyte x \b:%.2d
# if you select a language like german on your garmin device
# you can only select voice modules with corresponding language byte ID like 1
>>18 ubyte x \b, language ID %d
# structure for phrases/sentences?
# number of voice sample in the 1st phrase?
#>>19 uleshort x \b, 0x%x samples
#>>>21 uleshort >0 \b, at 0x%4.4x
#>>>(21.s) ubequad x 0x%llx
# 2nd phrase?
#>>23 uleshort x \b, 0x%x samples
#>>>25 uleshort >0 \b, at 0x%4.4x
#>>>(25.s) ubequad x 0x%llx
# pointer to 1st audio WAV sample
>>16 uleshort >0
>>>(16.s) ulelong >0 \b, at 0x%x
# WAV length
# 1 space char after "bytes" to get phrase "bytes RIFF"
>>>>(16.s+4) ulelong >0 %u bytes 
# look for magic
>>>>>(&-8.l) string RIFF
# determine type by ./riff
>>>>>>&-4 indirect x
# 2 - ~ 131 WAV samples following same way
#
# Summary: encrypted Garmin Voice Processing Module
# From: Joerg Jenderek
# URL: https://www.garmin.com/us/products/ontheroad/voicestudio
# NOTE: Encrypted variant used in voices like DrNightmare, Elfred, Yeti.
# There exist 2 other Garmin VPM formats
0 ubequad 0xa141190fecc8ced6 Garmin Voice Processing Module (encrypted)
!:mime audio/x-vpm-garmin
!:ext vpm

# From Martin Mueller Skarbiniks Pedersen
0 string GDM
>0x3 byte 0xFE General Digital Music.
>0x4 string >\0 title: "%s"
>0x24 string >\0 musician: "%s"
>>0x44 beshort 0x0D0A
>>>0x46 byte 0x1A
>>>>0x47 string GMFS Version
>>>>0x4B byte x %d.
>>>>0x4C byte x \b%02d
>>>>0x4D beshort 0x000 (2GDM v
>>>>0x4F byte x \b%d.
>>>>>0x50 byte x \b%d)

0 string MTM Multitracker
>0x3 byte/16 x Version %d.
>0x3 byte&0x0F x \b%02d
>>0x4 string >\0 title: "%s"

0 string HVL
>3 byte <2 Hively Tracker Song
>3 byte 0 1 module data
>3 byte 1 2 module data

0 string MO3
>3 ubyte <6 MOdule with MP3
>>3 byte 0 Version 0 (With MP3 and lossless)
>>3 byte 1 Version 1 (With ogg and lossless)
>>3 byte 3 Version 2.2
>>3 byte 4 (With no LAME header)
>>3 byte 5 Version 2.4

0 string ADRVPACK AProSys module

# ftp://ftp.modland.com/pub/documents/format_documentation/\
# Art%20Of%20Noise%20(.aon).txt
0 string AON
>4 string "ArtOfNoise by Bastian Spiegel(twice/lego)"
>0x2e string NAME Art of Noise Tracker Song
>3 string <9
>3 string 4 (4 voices)
>3 string 8 (8 voices)
>>0x36 string >\0 Title: "%s"

0 string FAR
>0x2c byte 0x0d
>0x2d byte 0x0a
>0x2e byte 0x1a
>>0x3 byte 0xFE Farandole Tracker Song
>>>0x31 byte/16 x Version %d.
>>>0x31 byte&0x0F x \b%02d
>>>>0x4 string >\0 \b, title: "%s"

# magic for Klystrack, https://kometbomb.github.io/klystrack/
# from Alex Myczko <alex@aiei.ch>
0 string cyd!song Klystrack song
>8 byte >0 \b, version %u
>8 byte >26
#>>9 byte x \b, channels %u
#>>10 leshort x \b, time signature %u
#>>12 leshort x \b, sequence step %u
#>>14 byte x \b, instruments %u
#>>15 leshort x \b, patterns %u
#>>17 leshort x \b, sequences %u
#>>19 leshort x \b, length %u
#>>21 leshort x \b, loop point %u
#>>23 byte x \b, master volume %u
#>>24 byte x \b, song speed %u
#>>25 byte x \b, song speed2 %u
#>>26 byte x \b, song rate %u
#>>27 belong x \b, flags %#x
#>>31 byte x \b, multiplex period %u
#>>32 byte x \b, pitch inaccuracy %u
>>149 pstring x \b, title %s

0 string cyd!inst Klystrack instrument

# magic for WOPL instrument files, https://github.com/Wohlstand/OPL3BankEditor
# see Specifications/WOPL-and-OPLI-Specification.txt

0 string WOPL3-INST\0 WOPL instrument
>11 leshort x \b, version %u
0 string WOPL3-BANK\0 WOPL instrument bank
>11 leshort x \b, version %u

# AdLib/OPL instrument files. Format specifications on
# http://www.shikadi.net/moddingwiki
0 string Junglevision\ Patch\ File Junglevision instrument data
0 string #OPL_II# DMX OP2 instrument data
0 string IBK\x1a IBK instrument data
0 string 2OP\x1a IBK instrument data, 2 operators
0 string 4OP\x1a IBK instrument data, 4 operators
2 string ADLIB- AdLib instrument data
>0 byte x \b, version %u
>1 byte x \b.%u

# CRI ADX ADPCM audio
# Used by various Sega games.
# https://en.wikipedia.org/wiki/ADX_(file_format)
# https://wiki.multimedia.cx/index.php/CRI_ADX_file
# Added by David Korth <gerbilsoft@gerbilsoft.com>
0x00 beshort 0x8000
>(2.S-2) string (c)CRI CRI ADX ADPCM audio
!:ext adx
!:mime audio/x-adx
!:strength +50
>>0x12 byte x v%u
>>0x04 byte 0x02 \b, pre-set prediction coefficients
>>0x04 byte 0x03 \b, standard ADX
>>0x04 byte 0x04 \b, exponential scale
>>0x04 byte 0x10 \b, AHX (Dreamcast)
>>0x04 byte 0x11 \b, AHX
>>0x08 belong x \b, %u Hz
>>0x12 byte 0x03
>>>0x02 beshort >0x2B
>>>>0x18 belong !0 \b, looping
>>0x12 byte 0x04
>>>0x02 beshort >0x37
>>>>0x24 belong !0 \b, looping
>>0x13 byte&0x08 0x08 \b, encrypted

# Lossless audio (.la) (http://www.lossless-audio.com/)
0 string LA
>2 string 03 Lossless audio version 0.3
>2 string 04 Lossless audio version 0.4

# Sony PlayStation Audio (.xa)
0 leshort 0x4158 Sony PlayStation Audio

# Portable Sound Format
# Used for audio rips for various consoles.
# http://fileformats.archiveteam.org/wiki/Portable_Sound_Format
# Added by David Korth <gerbilsoft@gerbilsoft.com>
0 string PSF
>3 byte 0x01
>3 byte 0x02
>3 byte 0x11
>3 byte 0x12
>3 byte 0x13
>3 byte 0x21
>3 byte 0x22
>3 byte 0x23
>3 byte 0x41
>>0 string PSF Portable Sound Format
!:mime audio/x-psf
>>>3 byte 0x01 (Sony PlayStation)
>>>3 byte 0x02 (Sony PlayStation 2)
>>>3 byte 0x11 (Sega Saturn)
>>>3 byte 0x12 (Sega Dreamcast)
>>>3 byte 0x13 (Sega Mega Drive)
>>>3 byte 0x21 (Nintendo 64)
>>>3 byte 0x22 (Game Boy Advance)
>>>3 byte 0x23 (Super NES)
>>>3 byte 0x41 (Capcom QSound)

# Atari 8-bit SAP audio format
# http://asap.sourceforge.net/sap-format.html
# Added
by David Korth <gerbilsoft@gerbilsoft.com>0 string SAP\r\n Atari 8-bit SAP audio file!:mime audio/x-sap!:ext sap>5 search/1024 NAME>>&1 string x \b: %s>>5 search/1024 AUTHOR>>>&1 string x by %s # Nintendo Wii BRSTM audio format (fields)# NOTE: Assuming HEAD starts at 0x40.# FIXME: Replace 0x48 with HEAD offset plus 8.0 name nintendo-wii-brstm-fields>(0x10.L) string HEAD \b:>>(0x10.L+0x0C) belong x>>>(&-4.L+0x48) belong x>>>>&-4 byte 0 PCM, signed 8-bit,>>>>&-4 byte 1 PCM, signed 16-bit,>>>>&-4 byte 2 THP ADPCM,>>>>&-3 byte !0 looping,>>>>&-2 byte 1 mono>>>>&-2 byte 2 stereo>>>>&-2 byte 3 3 channels>>>>&-2 byte 4 quad>>>>&-2 byte >4 %u channels>>>>&0 beshort !0 %u Hz # Nintendo Wii BRSTM audio format# https://wiibrew.org/wiki/BRSTM_file# Added by David Korth <gerbilsoft@gerbilsoft.com>0 string RSTM Nintendo Wii BRSTM audio file!:mime audio/x-brstm!:ext brstm# Wii is big-endian, so default to BE.>4 beshort 0xFEFF>>0 use nintendo-wii-brstm-fields>4 leshort 0xFEFF>>0 use \^nintendo-wii-brstm-fields # Nintendo 3DS BCSTM audio format (fields)0 name nintendo-3ds-bcstm-fields>(0x18.l) string INFO \b:# INFO block: Stream information starts at 0x20 (minus 4 for the 'INFO' magic)>>&0x1C byte 0 PCM, signed 8-bit,>>&0x1C byte 1 PCM, signed 16-bit,>>&0x1C byte 2 DSP ADPCM,>>&0x1C byte 3 IMA ADPCM,>>&0x1D byte !0 looping,>>&0x1E byte 1 mono>>&0x1E byte 2 stereo>>&0x1E byte 3 3 channels>>&0x1E byte 4 quad>>&0x1E byte >4 %u channels>>&0x20 lelong !0 %u Hz # Nintendo 3DS BCSTM audio format# https://www.3dbrew.org/wiki/BCSTM# Added by David Korth <gerbilsoft@gerbilsoft.com>0 string CSTM Nintendo 3DS BCSTM audio file!:mime audio/x-bcstm!:ext bcstm# 3DS is little-endian, so default to LE.>4 leshort 0xFEFF>>0 use nintendo-3ds-bcstm-fields>4 beshort 0xFEFF>>0 use \^nintendo-3ds-bcstm-fields # Nintendo Wii U BFSTM audio format# http://mk8.tockdom.com/wiki/BFSTM_(File_Format)# NOTE: This format is very similar to BCSTM.# Added by David Korth <gerbilsoft@gerbilsoft.com>0 string FSTM 
Nintendo Wii U BFSTM audio file
!:mime audio/x-bfstm
!:ext bfstm
# BFSTM is used on both Wii U (BE) and Switch (LE),
# so default to LE.
>4 leshort 0xFEFF
>>0 use nintendo-3ds-bcstm-fields
>4 beshort 0xFEFF
>>0 use \^nintendo-3ds-bcstm-fields

# Nintendo 3DS BCSTM audio format (fields)
0 name nintendo-3ds-bcwav-fields
>(0x18.l) string INFO \b:
# INFO block (minus 4 for INFO magic)
>>&0x4 byte 0 PCM, signed 8-bit,
>>&0x4 byte 1 PCM, signed 16-bit,
>>&0x4 byte 2 DSP ADPCM,
>>&0x4 byte 3 IMA ADPCM,
>>&0x5 byte !0 looping,
>>&0x8 lelong x stereo
>>&0x8 lelong !0 %u Hz

# Nintendo 3DS BCWAV audio format
# https://www.3dbrew.org/wiki/BCWAV
# Added by David Korth <gerbilsoft@gerbilsoft.com>
0 string CWAV Nintendo 3DS BCWAV audio file
!:mime audio/x-bcwav
!:ext bcwav
# 3DS is little-endian, so default to LE.
>4 leshort 0xFEFF
>>0 use nintendo-3ds-bcwav-fields
>4 beshort 0xFEFF
>>0 use \^nintendo-3ds-bcwav-fields

#----------------------------------------------------------------
# $File: basis,v 1.5 2019/04/19 00:42:27 christos Exp $
# basis: file(1) magic for BBx/Pro5-files
# Oliver Dammer <dammer@olida.de> 2005/11/07
# https://www.basis.com business-basic-files.
#
0 string \074\074bbx\076\076 BBx
>7 string \000 indexed file
>7 string \001 serial file
>7 string \002 keyed file
>>13 short 0 (sort)
>7 string \004 program
>>18 byte x (LEVEL %d)
>>>23 string >\000 psaved
>7 string \006 mkeyed file
>>13 short 0 (sort)
>>8 string \000 (mkey)
#------------------------------------------------------------------------------
# $File: beetle,v 1.2 2018/02/05 23:42:17 rrt Exp $
# beetle: file(1) magic for Beetle VM object files
# https://github.com/rrthomas/beetle/

# Beetle object module
0 string BEETLE\000 Beetle VM object file

#------------------------------------------------------------------------------
# $File: ber,v 1.2 2019/04/19 00:42:27 christos Exp $
# ber: file(1) magic for several BER formats used in the mobile
# telecommunications industry (Georg Sauthoff)

# The file formats are standardized by the GSMA (GSM association).
# They are specified via ASN.1 schemas and some prose. Basic encoding
# rules (BER) is the used encoding. The formats are used for exchanging
# call data records (CDRs) between mobile operators and associated
# parties for roaming clearing purposes and fraud detection.

# The magic file covers:

# - TAP files (TD.57) - CDR batches and notifications
# - RAP files (TD.32) - return batches and acknowledgements
# - NRT files (TD.35) - CDR batches for 'near real time' processing

#
# TAP 3 Files
# TAP -> Transferred Account Procedure
# cf. https://www.gsma.com/newsroom/wp-content/uploads/TD.57-v32.31.pdf
# TransferBatch short tag
0 byte 0x61
# BatchControlInfo short tag
>&1 search/b5 \x64
# Sender long tag #TAP 3.x (BER encoded)
>>&1 search/b8 \x5f\x81\x44
# <SpecificationVersionNumber>3</><ReleaseVersionNumber> block
>>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01
>>>>&0 byte x TAP 3.%d Batch (TD.57, Transferred Account)

# Notification short tag
0 byte 0x62
# Sender long tag
>2 search/b8 \x5f\x81\x44
# <SpecificationVersionNumber>3</><ReleaseVersionNumber> block
>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01
>>>&0 byte x TAP 3.%d Notification (TD.57, Transferred Account)

# NRT Files
# NRT a.k.a. NRTRDE
0 byte 0x61
# <SpecificationVersionNumber>2</><ReleaseVersionNumber> block
>&1 search/b8 \x5f\x29\x01\x02\x5f\x25\x01
>>&0 byte x NRT 2.%d (TD.35, Near Real Time Roaming Data Exchange)

# RAP Files
# cf. https://www.gsma.com/newsroom/wp-content/uploads/TD.32-v6.11.pdf
# Long ReturnBatch tag
0 string \x7f\x84\x16
# Long RapBatchControlInfo tag
>&1 search/b8 \x7f\x84\x19
# <SpecificationVersionNumber>3</><ReleaseVersionNumber> block
>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01
# <RapSpecificationVersionNumber>1</><RapReleaseVersionNumber> block
>>>&1 string/b \x5f\x84\x20\x01\x01\x5f\x84\x1f\x01
>>>>&0 byte x RAP 1.%d Batch (TD.32, Returned Account Procedure),
>>>&0 byte x TAP 3.%d

# Long Acknowledgement tag
0 string \x7f\x84\x17
# Long Sender tag
>&1 search/b5 \x5f\x81\x44 RAP Acknowledgement (TD.32, Returned Account Procedure)

#------------------------------------------------------------------------------
# $File: bflt,v 1.5 2014/04/30 21:41:02 christos Exp $
# bFLT: file(1) magic for BFLT uclinux binary files
#
# From Philippe De Muyter <phdm@macqel.be>
#
0 string bFLT BFLT executable
>4 belong x - version %d
>4 belong 4
>>36 belong&0x1 0x1 ram
>>36 belong&0x2 0x2 gotpic
>>36 belong&0x4 0x4 gzip
>>36 belong&0x8 0x8 gzdata

#------------------------------------------------------------------------------
# $File: bhl,v 1.1 2017/06/11 22:20:02 christos Exp $
# BlockHashLoc
# ext: bhl
# Marco Pontello marcopon@gmail.com
# reference: https://github.com/MarcoPon/BlockHashLoc
0 string BlockHashLoc\x1a BlockHashLoc recovery info,
>13 byte x version %d
!:ext bhl

#------------------------------------------------------------------------------
# $File: bioinformatics,v 1.5 2019/04/19 00:42:27 christos Exp $
# bioinformatics: file(1) magic for Bioinformatics file formats

###############################################################################
# BGZF (Blocked GNU Zip Format) - gzip compatible, but also indexable
# used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml)
###############################################################################
0 string \037\213
>3 byte &0x04
>>12 string BC
>>>14 leshort &0x02 Blocked GNU Zip Format (BGZF; gzip compatible)
>>>>16 leshort x \b, block length %d
!:mime application/x-gzip

###############################################################################
# Tabix index file
# used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml)
###############################################################################
0 string TBI\1 SAMtools TBI (Tabix index format)
>0x04 lelong =1 \b, with %d reference sequence
>0x04 lelong >1 \b, with %d reference sequences
>0x08 lelong &0x10000 \b, using half-closed-half-open coordinates (BED style)
>0x08 lelong ^0x10000
>>0x08 lelong =0 \b, using closed and one based coordinates (GFF style)
>>0x08 lelong =1 \b, using SAM format
>>0x08 lelong =2 \b, using VCF format
>0x0c lelong x \b, sequence name column: %d
>0x10 lelong x \b, region start column: %d
>0x08 lelong =0
>>0x14 lelong x \b, region end column: %d
>0x18 byte x \b, comment character: %c
>0x1c lelong x \b, skip line count: %d

###############################################################################
# BAM (Binary Sequence Alignment/Map format)
# used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf)
# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it
###############################################################################
0 string BAM\1 SAMtools BAM (Binary Sequence Alignment/Map)
>0x04 lelong >0
>>&0x00 regex =^[@]HD\t.*VN: \b, with SAM header
>>>&0 regex =[0-9.]+ \b version %s
>>&(0x04) lelong >0 \b, with %d reference sequences

###############################################################################
# BAI (BAM indexing format)
# used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf)
###############################################################################
0 string BAI\1 SAMtools BAI (BAM indexing format)
>0x04 lelong >0 \b, with %d reference sequences

###############################################################################
# CRAM (Binary Sequence Alignment/Map format)
###############################################################################
0 string CRAM CRAM
>0x04 byte >-1 version %d.
>0x05 byte >-1 \b%d
>0x06 string >\0 (identified as %s)

###############################################################################
# BCF (Binary Call Format), version 1
# used by SAMtools & VCFtools (http://vcftools.sourceforge.net/bcf.pdf)
# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it
###############################################################################
0 string BCF\4
# length of seqnm data in bytes is positive
>&0x00 lelong >0
# length of smpl data in bytes is positive
>>&(&-0x04) lelong >0 SAMtools BCF (Binary Call Format)
# length of meta in bytes
>>>&(&-0x04) lelong >0
# have meta text string
>>>>&0x00 search ##samtoolsVersion=
>>>>>&0x00 string x \b, generated by SAMtools version %s

###############################################################################
# BCF (Binary Call Format), version 2.1
# used by SAMtools (https://samtools.github.io/hts-specs/BCFv2_qref.pdf)
# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it
###############################################################################
0 string BCF\2\1 Binary Call Format (BCF) version 2.1
# length of header text
>&0x00 lelong >0
# have header string
>>&0x00 search ##samtoolsVersion=
>>>&0x00 string x \b, generated by SAMtools version %s

###############################################################################
# BCF (Binary Call Format), version 2.2
# used by SAMtools (https://samtools.github.io/hts-specs/BCFv2_qref.pdf)
# data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it
###############################################################################
0 string BCF\2\2 Binary Call Format (BCF) version 2.2
# length of header text
>&0x00 lelong >0
# have header string
>>&0x00 search ##samtoolsVersion=
>>>&0x00 string x \b, generated by
SAMtools version %s

###############################################################################
# VCF (Variant Call Format)
# used by VCFtools (http://vcftools.sourceforge.net/)
###############################################################################
0 search ##fileformat=VCFv Variant Call Format (VCF)
>&0 string x \b version %s

###############################################################################
# FASTQ
# used by MAQ (http://maq.sourceforge.net/fastq.shtml)
###############################################################################
# XXX Broken?
# @<seqname>
#0 regex =^@[A-Za-z0-9_.:-]+\?\n
# <seq>
#>&1 regex =^[A-Za-z\n.~]++
# +[<seqname>]
#>>&1 regex =^[A-Za-z0-9_.:-]*\?\n
# <qual>
#>>>&1 regex =^[!-~\n]+\n FASTQ

###############################################################################
# FASTA
# used by FASTA (https://fasta.bioch.virginia.edu/fasta_www2/fasta_guide.pdf)
###############################################################################
#0 byte 0x3e
# q
>0 regex =^[>][!-~\t\ ]+$
# Amino Acid codes: [A-IK-Z*-]+
#>>1 regex !=[!-'Jj;:=?@^`|~\\] FASTA
# IUPAC codes/gaps: [ACGTURYKMSWBDHVNX-]+
# not in IUPAC codes/gaps: [EFIJLOPQZ]
#>>>1 regex !=[EFIJLOPQZefijlopqz] \b, with IUPAC nucleotide codes
#>>>1 regex =^[EFIJLOPQZefijlopqz]+$ \b, with Amino Acid codes

###############################################################################
# SAM (Sequence Alignment/Map format)
# used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf)
###############################################################################
# Short-cut version to recognise SAM files with (optional) header at beginning
###############################################################################
0 string @HD\t
>4 search VN: Sequence Alignment/Map (SAM), with header
>>&0 regex [0-9.]+ \b version %s
###############################################################################
# Longer version to recognise SAM alignment lines using (many) regexes
###############################################################################
# SAM Alignment QNAME
0 regex =^[!-?A-~]{1,255}(\t[^\t]+){11}
# SAM Alignment FLAG
>0 regex =^([^\t]+\t){1}[0-9]{1,5}\t
# SAM Alignment RNAME
>>0 regex =^([^\t]+\t){2}\\*|[^*=]*\t
# SAM Alignment POS
>>>0 regex =^([^\t]+\t){3}[0-9]{1,9}\t
# SAM Alignment MAPQ
>>>>0 regex =^([^\t]+\t){4}[0-9]{1,3}\t
# SAM Alignment CIGAR
>>>>>0 regex =\t(\\*|([0-9]+[MIDNSHPX=])+)\t
# SAM Alignment RNEXT
>>>>>>0 regex =\t(\\*|=|[!-()+->?-~][!-~]*)\t
# SAM Alignment PNEXT
>>>>>>>0 regex =^([^\t]+\t){7}[0-9]{1,9}\t
# SAM Alignment TLEN
>>>>>>>>0 regex =\t[+-]{0,1}[0-9]{1,9}\t.*\t
# SAM Alignment SEQ
>>>>>>>>>0 regex =^([^\t]+\t){9}(\\*|[A-Za-z=.]+)\t
# SAM Alignment QUAL
>>>>>>>>>>0 regex =^([^\t]+\t){10}[!-~]+ Sequence Alignment/Map (SAM)
>>>>>>>>>>>0 regex =^[@]HD\t.*VN: \b, with header
>>>>>>>>>>>>&0 regex =[0-9.]+ \b version %s

###############################################################################
# Magic ids for biomedical signal file formats
# Copyright (C) 2018 Alois Schloegl <alois.schloegl@gmail.com>
#
# The list has been derived from biosig projects
# http://biosig.sourceforge.net
# https://pub.ist.ac.at/~schloegl/matlab/eeg/
# https://pub.ist.ac.at/~schloegl/biosig/TESTED
###############################################################################
#
0 string ABF\x20 Biosig/Axon Binary format
!:mime biosig/abf2
0 string ABF2\0\0 Biosig/Axon Binary format
!:mime biosig/abf2
#
0 string ATES\x20MEDICA\x20SOFT.\x20EEG\x20for\x20Windows Biosig/ATES MEDICA SOFT. EEG for Windows
!:mime biosig/ates
#
0 string ATF\x09 Biosig/Axon Text fomrat
!:mime biosig/atf
#
0 string ADU1 Biosig/Axona file format
!:mime biosig/axona
0 string ADU2 Biosig/Axona file format
!:mime biosig/axona
#
0 string ALPHA-TRACE-MEDICAL Biosig/alpha trace
!:mime biosig/alpha
#
0 string AxGr Biosig/AXG
0 string axgx Biosig/AXG
!:mime biosig/axg
#
0 string HeaderLen= Biosig/BCI2000
0 string BCI2000V Biosig/BCI2000
!:mime biosig/bci2000
#
### Specification: https://www.biosemi.com/faq/file_format.htm
0 string \xffBIOSEMI Biosig/Biosemi data format
!:mime biosig/bdf
#
0 string Brain\x20Vision\x20Data\x20Exchange\x20Header\x20File Biosig/Brainvision data file
0 string Brain\x20Vision\x20V-Amp\x20Data\x20Header\x20File\x20Version Biosig/Brainvision V-Amp file
0 string Brain\x20Vision\x20Data\x20Exchange\x20Marker\x20File,\x20Version Biosig/Brainvision Marker file
!:mime biosig/brainvision
#
0 string CEDFILE Biosig/CFS: Cambridge Electronic devices File format
!:mime biosig/ced
#
### Specification: https://www.edfplus.info/specs/index.html
0 string 0\x20\x20\x20\x20\x20\x20\x20 Biosig/EDF: European Data format
!:mime biosig/edf
#
### Specifications: https://arxiv.org/abs/cs/0608052
0 string GDF Biosig/GDF: General data format for biosignals
!:mime biosig/gdf
#
0 string DATA\0\0\0\0 Biosig/Heka Patchmaster
0 string DAT1\0\0\0\0 Biosig/Heka Patchmaster
0 string DAT2\0\0\0\0 Biosig/Heka Patchmaster
!:mime biosig/heka
#
0 string (C)\x20CED\x2087 Biosig/CED SMR
!:mime biosig/ced-smr
#
0 string CFWB\1\0\0\0 Biosig/CFWB
!:mime biosig/cfwb
#
0 string DEMG Biosig/DEMG
!:mime biosig/demg
#
0 string EBS\x94\x0a\x13\x1a\x0d Biosig/EBS
!:mime biosig/ebs
#
0 string Embla\x20data\x20file Biosig/Embla
!:mime biosig/embla
#
0 string Header\r\nFile Version Biosig/ETG4000
!:mime biosig/etg4000
#
0 string GALILEO\x20EEG\x20TRACE\x20FILE Biosig/Galileo
!:mime biosig/galileo
#
0 string IGOR Biosig/IgorPro ITX file
!:mime biosig/igorpro
#
# Specification: http://www.ampsmedical.com/uploads/2017-12-7/The_ISHNE_Format.pdf
0 string ISHNE1.0 Biosig/ISHNE
!:mime biosig/ishne
#
# CEN/ISO 11073/22077 series, http://www.mfer.org/en/document.htm
0 string @\x20\x20MFER\x20 Biosig/MFER
0 string @\x20MFR\x20 Biosig/MFER
!:mime biosig/mfer
#
0 string NEURALEV Biosig/NEV
0 string N.EV.\0 Biosig/NEV
!:mime biosig/nev
#
0 string NEX1 Biosig/NEX
!:mime biosig/nex1
#
0 string PLEX Biosig/Plexon v1.0
10 string PLEXON Biosig/Plexon v2.0
!:mime biosig/plexon
#
0 string \x02\x27\x91\xC6 Biosig/RHD2000: Intan RHD2000 format
#
# Specification: CEN 1064:2005/ISO 11073:91064
16 string SCPECG\0\0 Biosig/SCP-ECG format CEN 1064:2005/ISO 11073:91064
!:mime biosig/scpecg
#
0 string IAvSFo Biosig/SIGIF
!:mime biosig/sigif
#
0 string POLY\x20SAMPLE\x20FILEversion\x20 Biosig/TMS32
!:mime biosig/tms32
#
0 string FileId=TMSi\x20PortiLab\x20sample\x20log\x20file\x0a\x0dVersion= Biosig/TMSiLOG
!:mime biosig/tmsilog
#
4 string Synergy\0\48\49\50\46\48\48\51\46\48\48\48\46\48\48\48\0\28\0\0\0\2\0\0\0
>63 string CRawDataElement
>>85 string CRawDataBuffer Biosig/SYNERGY
!:mime biosig/synergy
#
4 string \40\0\4\1\44\1\102\2\146\3\44\0\190\3 Biosig/UNIPRO
!:mime biosig/unipro
#
0 string VER=9\r\nCTIME= Biosig/WCP
!:mime biosig/wcp
#
0 string \xAF\xFE\xDA\xDA Biosig/Walter Graphtek
0 string \xDA\xDA\xFE\xAF Biosig/Walter Graphtek
0 string \x55\x55\xFE\xAF Biosig/Walter Graphtek
!:mime biosig/walter-graphtek
#
0 string V3.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
>32 string [PatInfo] Biosig/Sigma
!:mime biosig/sigma
#
0 string \067\069\078\013\010\0x1a\04\0x84 Biosig/File exchange format (FEF)
!:mime biosig/fef
0 string \67\69\78\0x13\0x10\0x1a\4\0x84 Biosig/File exchange format (FEF)
!:mime biosig/fef
#
0 string \0\0\0\x64\0\0\0\x1f\0\0\0\x14\0\0\0\0\0\1
>36 string \0\0\0\x65\0\0\0\3\0\0\0\4\0\0
>>56 string \0\0\0\x6a\0\0\0\3\0\0\0\4\0\0\0\0\xff\xff\xff\xff\0\0 Biosig/FIFF
!:mime biosig/fiff
#

#------------------------------------------------------------------------------
# $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $
# blackberry: file(1) magic for BlackBerry file formats
#
5 belong
0
>8 belong 010010010 BlackBerry RIM ETP file
>>22 string x \b for %s
# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# https://ftg.lbl.gov/checkpoint
0 string C\0\0\0R\0\0\0 BLCR
>16 lelong 1 x86
>16 lelong 3 alpha
>16 lelong 5 x86-64
>16 lelong 7 ARM
>8 lelong x context data (little endian, version %d)
# Uncomment the following only if your "file" program supports "search"
#>0 search/1024 VMA\06 for kernel
#>>&1 byte x %d.
#>>&2 byte x %d.
#>>&3 byte x %d
0 string \0\0\0C\0\0\0R BLCR
>16 belong 2 SPARC
>16 belong 4 ppc
>16 belong 6 ppc64
>16 belong 7 ARMEB
>16 belong 8 SPARC64
>8 belong x context data (big endian, version %d)
# Uncomment the following only if your "file" program supports "search"
#>0 search/1024 VMA\06 for kernel
#>>&1 byte x %d.
#>>&2 byte x \b%d.
#>>&3 byte x \b%d

#------------------------------------------------------------------------------
# $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $
# blender: file(1) magic for Blender 3D related files
#
# Native format rule v1.2. For questions use the developers list
# https://lists.blender.org/mailman/listinfo/bf-committers
# GLOB chunk was moved near start and provides subversion info since 2.42

0 string =BLENDER Blender3D,
>7 string =_ saved as 32-bits
>>8 string =v little endian
>>>9 byte x with version %c.
>>>10 byte x \b%c
>>>11 byte x \b%c
>>>0x40 string =GLOB \b.
>>>>0x58 leshort x \b%.4d
>>8 string =V big endian
>>>9 byte x with version %c.
>>>10 byte x \b%c
>>>11 byte x \b%c
>>>0x40 string =GLOB \b.
>>>>0x58 beshort x \b%.4d
>7 string =- saved as 64-bits
>>8 string =v little endian
>>9 byte x with version %c.
>>10 byte x \b%c
>>11 byte x \b%c
>>0x44 string =GLOB \b.
>>>0x60 leshort x \b%.4d
>>8 string =V big endian
>>>9 byte x with version %c.
>>>10 byte x \b%c
>>>11 byte x \b%c
>>>0x44 string =GLOB \b.
>>>>0x60 beshort x \b%.4d

# Scripts that run in the embedded Python interpreter
0 string #!BPY Blender3D BPython script

#------------------------------------------------------------------------------
# $File: blit,v 1.8 2009/09/19 16:28:08 christos Exp $
# blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine
#
# Note that this 0407 conflicts with several other a.out formats...
#
# XXX - should this be redone with "be" and "le", so that it works on
# little-endian machines as well? If so, what's the deal with
# "VAX-order" and "VAX-order2"?
#
#0 long 0407 68K Blit (standalone) executable
#0 short 0407 VAX-order2 68K Blit (standalone) executable
0 short 03401 VAX-order 68K Blit (standalone) executable
0 long 0406 68k Blit mpx/mux executable
0 short 0406 VAX-order2 68k Blit mpx/mux executable
0 short 03001 VAX-order 68k Blit mpx/mux executable
# Need more values for WE32 DMD executables.
# Note that 0520 is the same as COFF
#0 short 0520 tty630 layers executable

#------------------------------------------------------------------------------
# $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $
# i80960 b.out objects and archives
#
0 long 0x10d i960 b.out relocatable object
>16 long >0 not stripped
#
# b.out archive (hp-rt on i960)
0 string =!<bout> b.out archive
>8 string __.SYMDEF random library

#------------------------------------------------------------------------------
# $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $
# bsdi: file(1) magic for BSD/OS (from BSDI) objects
# Some object/executable formats use the same magic numbers as are used
# in other OSes; those are handled by entries in aout.
#

0 lelong 0314 386 compact demand paged pure executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses shared libs)

# same as in SunOS 4.x, except for static shared libraries
0 belong&077777777 0600413 SPARC demand paged
>0 byte &0x80
>>20 belong <4096 shared library
>>20 belong =4096 dynamically linked executable
>>20 belong >4096 dynamically linked executable
>0 byte ^0x80 executable
>16 belong >0 not stripped
>36 belong 0xb4100001 (uses shared libs)

0 belong&077777777 0600410 SPARC pure
>0 byte &0x80 dynamically linked executable
>0 byte ^0x80 executable
>16 belong >0 not stripped
>36 belong 0xb4100001 (uses shared libs)

0 belong&077777777 0600407 SPARC
>0 byte &0x80 dynamically linked executable
>0 byte ^0x80 executable
>16 belong >0 not stripped
>36 belong 0xb4100001 (uses shared libs)
# Chiasmus is an encryption standard developed by the German Federal
# Office for Information Security (Bundesamt fuer Sicherheit in der
# Informationstechnik).

# Extension: .xia
0 string XIA1 Chiasmus encrypted data

# Extension: .xis
0 string XIS Chiasmus key

#------------------------------------------------------------------------------
# $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $
# BTSnoop: file(1) magic for BTSnoop files
#
# From <marcel@holtmann.org>
0 string btsnoop\0 BTSnoop
>8 belong x version %d,
>12 belong 1001 Unencapsulated HCI
>12 belong 1002 HCI UART (H4)
>12 belong 1003 HCI BCSP
>12 belong 1004 HCI Serial (H5)
>>12 belong x type %d
#------------------------------------------------------------------------------
# $File: c-lang,v 1.28 2019/11/15 21:03:14 christos Exp $
# c-lang: file(1) magic for C and related languages programs
#
# The strength is to beat standard HTML

# BCPL
0 search/8192 "libhdr" BCPL source text
!:mime text/x-bcpl
0 search/8192 "LIBHDR" BCPL source text
!:mime text/x-bcpl

# C
# Check for class if include is found, otherwise class is beaten by include because of lowered strength
0 search/8192 #include
>0 regex \^#include C
>>0 regex \^class[[:space:]]+
>>>&0 regex \\{[\.\*]\\}(;)?$ \b++
>>&0 clear x source text
!:strength + 13
!:mime text/x-c
0 search/8192 pragma
>0 regex \^#[[:space:]]*pragma C source text
!:mime text/x-c
0 search/8192 endif
>0 regex \^#[[:space:]]*(if\|ifn)def
>>&0 regex \^#[[:space:]]*endif$ C source text
!:mime text/x-c
0 search/8192 define
>0 regex \^#[[:space:]]*(if\|ifn)def
>>&0 regex \^#[[:space:]]*define C source text
!:mime text/x-c
0 search/8192 char
>0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text
!:mime text/x-c
0 search/8192 double
>0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text
!:mime text/x-c
0 search/8192 extern
>0 regex \^[[:space:]]*extern[[:space:]]+ C source text
!:mime text/x-c
0 search/8192 float
>0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text
!:mime text/x-c
0 search/8192 struct
>0 regex \^struct[[:space:]]+ C source text
!:mime text/x-c
0
search/8192 union
>0 regex \^union[[:space:]]+ C source text
!:mime text/x-c
0 search/8192 main(
>&0 regex \\)[[:space:]]*\\{ C source text
!:mime text/x-c

# C++
# The strength of these rules is increased so they beat the C rules above
0 search/8192 namespace
>0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text
!:strength + 30
!:mime text/x-c++
# using namespace [namespace] or using std::[lib]
0 search/8192 using
>0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text
!:strength + 30
!:mime text/x-c++
0 search/8192 template
>0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text
!:strength + 30
!:mime text/x-c++
0 search/8192 virtual
>0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text
!:strength + 30
!:mime text/x-c++
# But class alone is reduced to avoid beating php (Jens Schleusener)
0 search/8192 class
>0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text
!:strength + 13
!:mime text/x-c++
0 search/8192 public
>0 regex \^[[:space:]]*public: C++ source text
!:strength + 30
!:mime text/x-c++
0 search/8192 private
>0 regex \^[[:space:]]*private: C++ source text
!:strength + 30
!:mime text/x-c++
0 search/8192 protected
>0 regex \^[[:space:]]*protected: C++ source text
!:strength + 30
!:mime text/x-c++

# Objective-C
0 search/8192 #import
>0 regex \^#import Objective-C source text
!:strength + 25
!:mime text/x-objective-c

# From: Mikhail Teterin <mi@aldan.algebra.com>
0 string cscope cscope reference data
>7 string x version %.2s
# We skip the path here, because it is often long (so file will
# truncate it) and mostly redundant.
# The inverted index functionality was added some time between
# versions 11 and 15, so look for -q if version is above 14:
>7 string >14
>>10 search/100 \ -q\ with inverted index
>10 search/100 \ -c\ text (non-compressed)

#------------------------------------------------------------------------------
# $File: c64,v 1.7 2017/11/15 12:19:06 christos Exp $
# c64: file(1) magic for various commodore 64 related files
#
# From: Dirk Jagdmann <doj@cubic.org>

0x16500 belong 0x12014100 D64 Image
0x16500 belong 0x12014180 D71 Image
0x61800 belong 0x28034400 D81 Image
0 string C64\40CARTRIDGE CCS C64 Emultar Cartridge Image
0 belong 0x43154164 X64 Image

0 string GCR-1541 GCR Image
>8 byte x version: %i
>9 byte x tracks: %i

9 string PSUR ARC archive (c64)
2 string -LH1- LHA archive (c64)

0 string C64File PC64 Emulator file
>8 string >\0 "%s"
0 string C64Image PC64 Freezer Image

0 beshort 0x38CD C64 PCLink Image
0 string CBM\144\0\0 Power 64 C64 Emulator Snapshot

0 belong 0xFF424CFF WRAptor packer (c64)

0 string C64S\x20tape\x20file T64 tape Image
>32 leshort x Version:0x%x
>36 leshort !0 Entries:%i
>40 string x Name:%.24s

0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image
>32 leshort x Version:0x%x
>36 leshort !0 Entries:%i
>40 string x Name:%.24s

0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image
>32 leshort x Version:0x%x
>36 leshort !0 Entries:%i
>40 string x Name:%.24s

# Raw tape file format (.tap files)
# Esa Hyyti <esa@netlab.tkk.fi>
0 string C64-TAPE-RAW C64 Raw Tape File (.tap),
>0x0c byte x Version:%u,
>0x10 lelong x Length:%u cycles

# magic for Goattracker2, http://covertbitops.c64.org/
# from Alex Myczko <alex@aiei.ch>
0 string GTS5 GoatTracker 2 song
>4 string >\0 \b, "%s"
>36 string >\0 \b by %s
>68 string >\0 \b (C) %s
>100 byte >0 \b, %u subsong(s)

#------------------------------------------------------------------------------
# $File: cad,v 1.23 2020/05/30 23:58:07 christos Exp $
# autocad: file(1) magic for cad files
#

# Microstation DGN/CIT Files (www.bentley.com)
# Last updated July 29, 2005 by Lester Hightower
# DGN is the default file extension of Microstation/Intergraph CAD files.
# CIT is the proprietary raster format (similar to TIFF) used to attach
# raster underlays to Microstation DGN (vector) drawings.
#
# http://www.wotsit.org/search.asp
# https://filext.com/detaillist.php?extdetail=DGN
# https://filext.com/detaillist.php?extdetail=CIT
#
# https://www.bentley.com/products/default.cfm?objectid=97F351F5-9C35-4E5E-89C2
# 3F86C928&method=display&p_objectid=97F351F5-9C35-4E5E-89C280A93F86C928
# https://www.bentley.com/products/default.cfm?objectid=A5C2FD43-3AC9-4C71-B682
# 721C479F&method=display&p_objectid=A5C2FD43-3AC9-4C71-B682C7BE721C479F
#

# URL: https://en.wikipedia.org/wiki/MicroStation
# reference: http://dgnlib.maptools.org/dgn.html
# http://dgnlib.maptools.org/dl/ref18.pdf
# Update: Joerg Jenderek
# Note: verified by command like `dgndump seed2d_b.dgn`
# test for level 8 and type 5 or 9
0 beshort&0x3F73 0x0801
# level of element like 8
#>0 ubyte&0x3F x \b, level %u
#>0 ubyte &0x80 \b, complex
#>0 ubyte &0x40 \b, reserved
# type of element 9~TCB 8~Digitizer setup 5~Group Data Elements
#>1 ubyte&0x7F x \b, type %u
# words to follow in element: 17H~CEL library 2FEh~DGN 9FEh,DFEh~CIT
#>2 uleshort x \b, words 0x%4.4x to follow
# test for 3 reserved 0 bytes in CIT or "conversion" in ViewInfo structure (DGN CEL)
#>508 ubelong x \b, RESERVED %8.8x
>508 ubelong&0xFFffFF00 =0
# test for level 8 and type 9 for INGR raster image
>>0 beshort 0x0809
# test for length of 1st element is multiple of blocks a 512 bytes
>>>2 ubyte 0xfe
>>>>0 use ingr-image
# test for DGN or CEL by jump words (uleshort) forward to next element
>(2.s*2) ulong x
# 2nd element type: 8~Digitizer~DesiGNfile 1~library cell header other~CIT
#>>&1 ubyte&0x7F x \b, 2nd type %u
# DGN
>>&1 ubyte&0x7F 8
>>>2 uleshort =0x02FE Bentley/Intergraph Microstation CAD drawing
!:mime application/x-bentley-dgn
!:ext dgn
# The 0x40 bit of this byte is 1 if the file is 3D, otherwise 0
>>>>1214 ubyte &0x40 3D
>>>>1214 ubyte ^0x40 2D
# 2 chars for name of subunits like ft FT in IN mu m mm '\0 '\040
>>>>1120 string x \b, units %-.2s
# 2 chars for name of master unit like IN in ML SU tn th TH HU mm "\0 "\040 \0\0
>>>>1122 string >\0 %-.2s
#>>>>1120 ubelong x \b, units 0x%8.8x
# element range low,high x y z like xlow=0 08010000h 01080000h
#>>>>4 ubelong !0 \b, xlow %8.8x
#>>>>8 ubelong !0 \b, ylow %8.8x
#>>>>12 ubelong !0 \b, zlow %8.8x
#>>>>16 ubelong !0 \b, xhigh %8.8x
#>>>>20 ubelong !0 \b, yhigh %8.8x
#>>>>24 ubelong !0 \b, zhigh %8.8x
# graphic group number; all other elements in that group have same non-0 number
#>>>>28 leshort x \b, grphgrp 0x%4.4x
# words to optional attribute linkage
#>>>>30 ubyte x \b, attindx \%o
#>>>>31 ubyte x \b\%o
# >>30 string \026\105 DGNFile
# >>30 string \034\105 DGNFile
# >>30 string \073\107 DGNFile
# >>30 string \073\110 DGNFile
# >>30 string \106\107 DGNFile
# >>30 string \110\103 DGNFile
# >>30 string \120\104 DGNFile
# >>30 string \172\104 DGNFile
# >>30 string \172\105 DGNFile
# >>30 string \172\106 DGNFile
# >>30 string \234\106 DGNFile
# >>30 string \273\105 DGNFile
# >>30 string \306\106 DGNFile
# >>30 string \310\104 DGNFile
# >>30 string \341\104 DGNFile
# >>30 string \372\103 DGNFile
# >>30 string \372\104 DGNFile
# >>30 string \372\106 DGNFile
# >>30 string \376\103 DGNFile
# elements properties indicator
#>>>>32 uleshort !0 \b, properties 0x%4.4x
# class 0~Primary
#>>>>>32 uleshort&0x000F !0 \b, class 0x%4.4x
# Symbology
#>>>>>34 uleshort x \b, Symbology 0x%4.4x
# test for 2nd element type 1~library cell header
>>&1 ubyte&0x7F 1
# test for 1st element with level 8 and type 5 for cell library
>>>0 beshort 0x0805 Bentley/Intergraph Microstation CAD cell library
!:mime application/x-bentley-cel
!:ext cel
#
# URL: http://fileformats.archiveteam.org/wiki/Intergraph_Raster
# reference: https://web.archive.org/web/20140903185431/
# http://oreilly.com/www/centers/gff/formats/ingr/index.htm
# note: verified by command like `nconvert -fullinfo LONGLAT.CIT`
# display information for intergraph raster bitmap
0 name ingr-image
# in 5.37 "Microstation CITFile" "Bentley/Intergraph MicroStation CIT raster CAD"
# DataTypeCode indicates format, depth of the pixel data and used compression
>4 uleshort x Intergraph raster image
>>4 uleshort 0x0009 \b, 
Run-Length Encoded 1-bit!:mime image/x-intergraph-rle!:ext rel>>4 uleshort 0x0018 \b, CCITT Group 4 1-bit!:mime image/x-intergraph-cit!:ext cit>>4 uleshort 27 \b, Adaptive RLE RGB!:mime image/x-intergraph-rgb!:ext rgb>>4 default x>>>4 uleshort x \b, Type %u!:mime image/x-intergraph# TODO:#>4 uleshort 0 \b, no data# ...#>4 uleshort 0x0045 \b, Continuous Tone CMKY (Uncompressed)# ApplicationType: 0~generic raster image 3~drawing, scanning# 8~I/IMAGE and MicroStation Imager 9~ModelView>6 uleshort !0 \b, ApplicationType %u#>6 uleshort x \b, ApplicationType %u# XViewOrigin; Raster grid data X origin#>8 ulequad !0 \b, XViewOrigin %llx# PixelsPerLine is the number of pixels in a scan line of bitmapp>184 ulelong x \b, %u x# NumberOfLines is height of the raster data in scanlines>188 ulelong x %u# DeviceResolution; resolution of scanning device# positive indicates number of micros between lines; negative indicates DPI#>192 leshort x \b, DeviceResolution %d# ScanlineOrient indicates the origin and the orientation of the scan lines#>194 ubyte x \b, ScanlineOrient %x>194 ubyte x \b, orientation>194 ubyte &0x01 right>194 ubyte ^0x01 left>194 ubyte &0x02 down>194 ubyte ^0x02 top>194 ubyte &0x04 horizontal>194 ubyte ^0x04 vertical# ScannableFlag; Scanline indexing method used#>195 ubyte !0 \b, ScannableFlag 0x%x# RotationAngle; Rotation angle of raster data#>196 ubequad !0 \b, RotationAngle 0x%llx# SkewAngle; Skew angle of raster data#>204 ubequad !0 \b, SkewAngle %llx# DataTypeModifier; Additional raster data format info#>212 uleshort !0 \b, DataTypeModifier 0x%4.4x# DesignFile[66]; Name of the design file>214 string >\0 \b, DesignFile %-.66s# DatabaseFile[66]; Name of the database file>280 string >\0 \b, DatabaseFile %-.66s# ParentGridFile[66]; Name of parent grid file>346 string >\0 \b, ParentGridFile %-.66s# FileDescription[80]; Text description of file and contents>412 string >\0 \b, FileDescription %-.80s# MinValue#>492 ubequad !0 \b, MinValue 0x%llx# MaxValue#>500 ubequad 
!0 \b, MaxValue 0x%llx# Reserved[3]; Unused (always 0)#>508 ubelong&0xFFffFF00 x \b, RESERVED %8.8x# GridFileVersion; Grid File Version like 2 3#>511 ubyte x \b, GridFileVersion %x # AutoCAD# Merge of the different contributions and updates from https://en.wikipedia.org/wiki/Dwg# and https://www.iana.org/assignments/media-types/image/vnd.dwg0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0!:mime image/vnd.dwg0 string AC1.2 DWG AutoDesk AutoCAD Release 1.2!:mime image/vnd.dwg0 string AC1.3 DWG AutoDesk AutoCAD Release 1.3!:mime image/vnd.dwg0 string AC1.40 DWG AutoDesk AutoCAD Release 1.40!:mime image/vnd.dwg0 string AC1.50 DWG AutoDesk AutoCAD Release 2.05!:mime image/vnd.dwg0 string AC2.10 DWG AutoDesk AutoCAD Release 2.10!:mime image/vnd.dwg0 string AC2.21 DWG AutoDesk AutoCAD Release 2.21!:mime image/vnd.dwg0 string AC2.22 DWG AutoDesk AutoCAD Release 2.22!:mime image/vnd.dwg0 string AC1001 DWG AutoDesk AutoCAD Release 2.22!:mime image/vnd.dwg0 string AC1002 DWG AutoDesk AutoCAD Release 2.50!:mime image/vnd.dwg0 string AC1003 DWG AutoDesk AutoCAD Release 2.60!:mime image/vnd.dwg0 string AC1004 DWG AutoDesk AutoCAD Release 9!:mime image/vnd.dwg0 string AC1006 DWG AutoDesk AutoCAD Release 10!:mime image/vnd.dwg0 string AC1009 DWG AutoDesk AutoCAD Release 11/12!:mime image/vnd.dwg# AutoCAD DWG versions R13/R14 (www.autodesk.com)# Written December 01, 2003 by Lester Hightower# Based on the DWG File Format Specifications at http://www.opendwg.org/# AutoCad, from Nahuel Greco# AutoCAD DWG versions R12/R13/R14 (www.autodesk.com)0 string AC1012 DWG AutoDesk AutoCAD Release 13!:mime image/vnd.dwg0 string AC1014 DWG AutoDesk AutoCAD Release 14!:mime image/vnd.dwg0 string AC1015 DWG AutoDesk AutoCAD 2000/2002!:mime image/vnd.dwg # A new version of AutoCAD DWG# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru,# ICQ 358572321)# From various sources like:# https://autodesk.blogs.com/between_the_lines/autocad-release-history.html0 string AC1018 DWG AutoDesk 
AutoCAD 2004/2005/2006!:mime image/vnd.dwg0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009!:mime image/vnd.dwg0 string AC1024 DWG AutoDesk AutoCAD 2010/2011/2012!:mime image/vnd.dwg0 string AC1027 DWG AutoDesk AutoCAD 2013-2017!:mime image/vnd.dwg # From GNU LibreDWG0 string AC1032 DWG AutoDesk AutoCAD 2018/2019!:mime image/vnd.dwg # KOMPAS 2D drawing from ASCON# This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor# gathered nor specification# ASCON https://ascon.net/main/ in English,# https://ascon.ru/ main site in Russian# Extension is CDW for drawing and FRW for fragment of drawing# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru,# ICQ 358572321, https://vkontakte.ru/id16076543)# From:# https://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292# (in russian) and my experiments0 string KF>2 belong 0x4E00000C Kompas drawing 12.0 SP1>2 belong 0x4D00000C Kompas drawing 12.0>2 belong 0x3200000B Kompas drawing 11.0 SP1>2 belong 0x3100000B Kompas drawing 11.0>2 belong 0x2310000A Kompas drawing 10.0 SP1>2 belong 0x2110000A Kompas drawing 10.0>2 belong 0x08000009 Kompas drawing 9.0 SP1>2 belong 0x05000009 Kompas drawing 9.0>2 belong 0x33010008 Kompas drawing 8+>2 belong 0x1A000008 Kompas drawing 8.0>2 belong 0x2C010107 Kompas drawing 7+>2 belong 0x05000007 Kompas drawing 7.0>2 belong 0x32000006 Kompas drawing 6+>2 belong 0x09000006 Kompas drawing 6.0>2 belong 0x5C009005 Kompas drawing 5.11R03>2 belong 0x54009005 Kompas drawing 5.11R02>2 belong 0x51009005 Kompas drawing 5.11R01>2 belong 0x22009005 Kompas drawing 5.10R03>2 belong 0x22009005 Kompas drawing 5.10R02 mar>2 belong 0x21009005 Kompas drawing 5.10R02 febr>2 belong 0x19009005 Kompas drawing 5.10R01>2 belong 0xF4008005 Kompas drawing 5.9R01.003>2 belong 0x1C008005 Kompas drawing 5.9R01.002>2 belong 0x11008005 Kompas drawing 5.8R01.003 # CAD: file(1) magic for computer aided design files# Phillip Griffith <phillip dot griffith at gmail dot com># AutoCAD 
magic taken from the Open Design Alliance's OpenDWG specifications.# # 3DS (3d Studio files)0 leshort 0x4d4d>6 leshort 0x2>>8 lelong 0xa>>>16 leshort 0x3d3d 3D Studio model!:mime image/x-3ds!:ext 3ds # MegaCAD 2D/3D drawing (.prt)# https://megacad.de/# From: Markus Heidelberg <markus.heidelberg@web.de>0 string MegaCad23\0 MegaCAD 2D/3D drawing # Hoops CAD files# https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\# HSF_architecture.html# Stephane Charette <stephane.charette@gmail.com>0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format)>7 regex/9 V[.0-9]{4,5}\020 %s!:ext hsf # AutoCAD Drawing Exchange Format0 regex \^[\ \t]*0\r?\000$>1 regex \^[\ \t]*SECTION\r?$>>2 regex \^[\ \t]*2\r?$>>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format!:mime application/x-dxf!:ext dxf>>>>&1 search/8192 AC1006 \b, R10>>>>&1 search/8192 AC1009 \b, R11/R12>>>>&1 search/8192 AC1012 \b, R13>>>>&1 search/8192 AC1014 \b, R14>>>>&1 search/8192 AC1015 \b, version 2000>>>>&1 search/8192 AC1018 \b, version 2004>>>>&1 search/8192 AC1021 \b, version 2007>>>>&1 search/8192 AC1024 \b, version 2010 # The Sketchup 3D model format https://www.sketchup.com/0 string \xff\xfe\xff\x0e\x53\x00\x6b\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4d\x00\x6f\x00\x64\x00\x65\x00\x6c\x00 SketchUp Model!:mime application/vnd.sketchup.skp!:ext skp 4 regex/b P[0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9] NAXOS CAD System file from version %s!:strength +40 #------------------------------------------------------------------------------# $File: cafebabe,v 1.24 2018/10/01 23:33:15 christos Exp $# Cafe Babes unite!## Since Java bytecode and Mach-O universal binaries have the same magic number,# the test must be performed in the same "magic" sequence to get both right.# The long at offset 4 in a Mach-O universal binary tells the number of# architectures; the short at offset 4 in a Java bytecode file is the JVM minor# version and the short at offset 6 is the 
JVM major version. Since there are only# only 18 labeled Mach-O architectures at current, and the first released# Java class format was version 43.0, we can safely choose any number# between 18 and 39 to test the number of architectures against# (and use as a hack). Let's not use 18, because the Mach-O people# might add another one or two as time goes by...#### JAVA START ###0 belong 0xcafebabe>4 belong >30 compiled Java class data,!:mime application/x-java-applet>>6 beshort x version %d.>>4 beshort x \b%d# Which is which?#>>4 belong 0x032d (Java 1.0)#>>4 belong 0x032d (Java 1.1)>>4 belong 0x002e (Java 1.2)>>4 belong 0x002f (Java 1.3)>>4 belong 0x0030 (Java 1.4)>>4 belong 0x0031 (Java 1.5)>>4 belong 0x0032 (Java 1.6)>>4 belong 0x0033 (Java 1.7)>>4 belong 0x0034 (Java 1.8) 0 belong 0xcafed00d JAR compressed with pack200,>5 byte x version %d.>4 byte x \b%d!:mime application/x-java-pack200 0 belong 0xcafed00d JAR compressed with pack200,>5 byte x version %d.>4 byte x \b%d!:mime application/x-java-pack200 ### JAVA END ###### MACH-O START ### 0 name mach-o \b [>0 use mach-o-cpu \b>(8.L) indirect x \b:>0 belong x \b] 0 belong 0xcafebabe>4 belong 1 Mach-O universal binary with 1 architecture:!:mime application/x-mach-binary>>8 use mach-o \b>4 belong >1>>4 belong <20 Mach-O universal binary with %d architectures:!:mime application/x-mach-binary>>>8 use mach-o \b>>4 belong >1>>>28 use mach-o \b>>4 belong >2>>>48 use mach-o \b>>4 belong >3>>>68 use mach-o \b>>4 belong >4>>>88 use mach-o \b>>4 belong >5>>>108 use mach-o \b ### MACH-O END ### #------------------------------------------------------------------------------# $File: cbor,v 1.1 2015/01/28 01:05:21 christos Exp $# cbor: file(1) magic for CBOR files as defined in RFC 7049 0 string \xd9\xd9\xf7 Concise Binary Object Representation (CBOR) container!:mime application/cbor>3 ubyte <0x20 (positive integer)>3 ubyte <0x40>>3 ubyte >0x1f (negative integer)>3 ubyte <0x60>>3 ubyte >0x3f (byte string)>3 ubyte <0x80>>3 ubyte 
>0x5f (text string)>3 ubyte <0xa0>3 ubyte >0x7f (array)>3 ubyte <0xc0>>3 ubyte >0x9f (map)>3 ubyte <0xe0>>3 ubyte >0xbf (tagged)>3 ubyte >0xdf (other) #------------------------------------------------------------------------------# $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $# CDDB: file(1) magic for CDDB(tm) format CD text data files## From <steve@gracenote.com>## This is the /etc/magic entry to decode datafiles as used by# CDDB-enabled CD player applications.# 0 search/1/w #\040xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------# $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $# chord: file(1) magic for Chord music sheet typesetting utility input files## From Philippe De Muyter <phdm@macqel.be># File format is actually free, but many distributed files begin with `{title'#0 string {title Chord text file # Type: PowerTab file format# URL: http://www.power-tab.net/# From: Jelmer Vernooij <jelmer@samba.org>0 string ptab\003\000 Power-Tab v3 Tablature File0 string ptab\004\000 Power-Tab v4 Tablature File #------------------------------------------------------------------------------# $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $# cisco: file(1) magic for cisco Systems routers## Most cisco file-formats are covered by the generic elf code## Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha.0 belong&0xffffff00 0x85011400 cisco IOS microcode>7 string >\0 for '%s'0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode>7 string >\0 for '%s' #------------------------------------------------------------------------------# $File: citrus,v 1.4 2009/09/19 16:28:08 christos Exp $# citrus locale declaration# 0 string RuneCT Citrus locale declaration for LC_CTYPE #------------------------------------------------------------------------------# $File: clarion,v 1.5 2014/04/30 21:41:02 christos Exp $# clarion: file(1) magic for # Clarion Personal/Professional Developer# (v2 and above)# 
From: Julien Blache <jb@jblache.org> # Database files# signature0 leshort 0x3343 Clarion Developer (v2 and above) data file# attributes>2 leshort &0x0001 \b, locked>2 leshort &0x0004 \b, encrypted>2 leshort &0x0008 \b, memo file exists>2 leshort &0x0010 \b, compressed>2 leshort &0x0040 \b, read only# number of records>5 lelong x \b, %d records # Memo files0 leshort 0x334d Clarion Developer (v2 and above) memo data # Key/Index files# No magic? :( # Help files0 leshort 0x49e0 Clarion Developer (v2 and above) help data #------------------------------------------------------------------------------# $File: claris,v 1.8 2016/07/18 19:23:38 christos Exp $# claris: file(1) magic for claris# "H. Nanosecond" <aldomel@ix.netcom.com># Claris Works a word processor, etc.# Version 3.0 # .pct claris works clip art files#0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000#*#0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000#null to byte 1000 octal514 string \377\377\377\377\000>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art514 string \377\377\377\377\001>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art # Claris works files# .cwk# Moved to Apple AppleWorks document#0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document# .plt0 string \020\341\000\000\010\010 Claris Works palette files .plt # .msp a dictionary file I am not sure about this I have only one .msp file0 string \002\271\262\000\040\002\000\164 Claris works dictionary # .usp are user dictionary bits# I am not sure about a magic header:#0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151# soh S p f 8 U D sp ^ S cr nl p o d i#0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043# a t r i s t sp ^ S cr nl d i v sp # # .mth Thesaurus# starts with \0 but no magic header # .chy Hyphenation file# I am not sure: 000 210 034 000 000 # other claris files#./windows/claris/useng.ndx: data#./windows/claris/xtndtran.l32: 
data#./windows/claris/xtndtran.lst: data#./windows/claris/clworks.lbl: data#./windows/claris/clworks.prf: data#./windows/claris/userd.spl: data #------------------------------------------------------------------------------# $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $# clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper.## XXX - what byte order does the Clipper use?## XXX - what's the "!" stuff:## >18 short !074000,000000 C1 R1# >18 short !074000,004000 C2 R1# >18 short !074000,010000 C3 R1# >18 short !074000,074000 TEST## I shall assume it's ANDing the field with the first value and# comparing it with the second, and rewrite it as:## >18 short&074000 000000 C1 R1# >18 short&074000 004000 C2 R1# >18 short&074000 010000 C3 R1# >18 short&074000 074000 TEST## as SVR3.1's "file" doesn't support anything of the "!074000,000000"# sort, nor does SunOS 4.x, so either it's something Intergraph added# in CLIX, or something AT&T added in SVR3.2 or later, or something# somebody else thought was a good idea; it's not documented in the# man page for this version of "magic", nor does it appear to be# implemented (at least not after I blew off the bogus code to turn# old-style "&"s into new-style "&"s, which just didn't work at all).#0 short 0575 CLIPPER COFF executable (VAX #)>20 short 0407 (impure)>20 short 0410 (5.2 compatible)>20 short 0411 (pure)>20 short 0413 (demand paged)>20 short 0443 (target shared library)>12 long >0 not stripped>22 short >0 - version %d0 short 0577 CLIPPER COFF executable>18 short&074000 000000 C1 R1>18 short&074000 004000 C2 R1>18 short&074000 010000 C3 R1>18 short&074000 074000 TEST>20 short 0407 (impure)>20 short 0410 (pure)>20 short 0411 (separate I&D)>20 short 0413 (paged)>20 short 0443 (target shared library)>12 long >0 not stripped>22 short >0 - version %d>48 long&01 01 alignment trap enabled>52 byte 1 -Ctnc>52 byte 2 -Ctsw>52 byte 3 -Ctpw>52 byte 4 -Ctcb>53 byte 1 -Cdnc>53 byte 2 -Cdsw>53 byte 3 -Cdpw>53 byte 4 
-Cdcb>54 byte 1 -Csnc>54 byte 2 -Cssw>54 byte 3 -Cspw>54 byte 4 -Cscb4 string pipe CLIPPER instruction trace4 string prof CLIPPER instruction profile#------------------------------------------------------------------------------# file: file(1) magic for Clojure# URL: https://clojure.org/# From: Jason Felice <jason.m.felice@gmail.com> 0 string/w #!\ /usr/bin/clj Clojure script text executable!:mime text/x-clojure0 string/w #!\ /usr/local/bin/clj Clojure script text executable!:mime text/x-clojure0 string/w #!\ /usr/bin/clojure Clojure script text executable!:mime text/x-clojure0 string/w #!\ /usr/local/bin/clojure Clojure script text executable!:mime text/x-clojure0 string/W #!/usr/bin/env\ clj Clojure script text executable!:mime text/x-clojure0 string/W #!/usr/bin/env\ clojure Clojure script text executable!:mime text/x-clojure0 string/W #!\ /usr/bin/env\ clj Clojure script text executable!:mime text/x-clojure0 string/W #!\ /usr/bin/env\ clojure Clojure script text executable!:mime text/x-clojure 0 regex \^\\\(ns[[:space:]]+[a-z] Clojure module source text!:mime text/x-clojure 0 regex \^\\\(ns[[:space:]]+\\\^\\{: Clojure module source text!:mime text/x-clojure 0 regex \^\\\(defn-?[[:space:]] Clojure module source text!:mime text/x-clojure #------------------------------------------------------------------------------# $File: coff,v 1.3 2018/08/01 10:34:03 christos Exp $# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures## COFF## by Joerg Jenderek at Oct 2015# https://en.wikipedia.org/wiki/COFF# https://de.wikipedia.org/wiki/Common_Object_File_Format# http://www.delorie.com/djgpp/doc/coff/filhdr.html # display name+variables+flags of Common Object Files Format (32bit)# Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel,# mips,motorola,msdos,osf1,sharc,varied.out,vax0 name display-coff# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags>18 uleshort&0x8E80 0>>0 clear x# f_magic - magic 
number# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel)>>0 uleshort 0x014C Intel 80386# Hitachi SH big-endian COFF (./hitachi-sh)>>0 uleshort 0x0500 Hitachi SH big-endian# Hitachi SH little-endian COFF (./hitachi-sh)>>0 uleshort 0x0550 Hitachi SH little-endian# executable (RISC System/6000 V3.1) or obj module (./ibm6000)#>>0 uleshort 0x01DF# MS Windows COFF Intel Itanium, AMD64# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx>>0 uleshort 0x0200 Intel ia64>>0 uleshort 0x8664 Intel amd64# TODO for other COFFs#>>0 uleshort 0xABCD COFF_TEMPLATE>>0 default x>>>0 uleshort x type 0x%04x>>0 uleshort x COFF# F_EXEC flag bit>>18 leshort ^0x0002 object file#!:mime application/x-coff#!:ext cof/o/obj/lib>>18 leshort &0x0002 executable#!:mime application/x-coffexec# F_RELFLG flag bit,static object>>18 leshort &0x0001 \b, no relocation info# F_LNNO flag bit>>18 leshort &0x0004 \b, no line number info# F_LSYMS flag bit>>18 leshort &0x0008 \b, stripped>>18 leshort ^0x0008 \b, not stripped# flags in other COFF versions#0x0010 F_FDPR_PROF#0x0020 F_FDPR_OPTI#0x0040 F_DSA# F_AR32WR flag bit#>>>18 leshort &0x0100 \b, 32 bit little endian#0x1000 F_DYNLOAD#0x2000 F_SHROBJ#0x4000 F_LOADONLY# f_nscns - number of sections>>2 uleshort <2 \b, %d section>>2 uleshort >1 \b, %d sections# f_timdat - file time & date stamp only for little endian#>>4 date x \b, %s# f_symptr - symbol table pointer, only for not stripped>>8 ulelong >0 \b, symbol offset=0x%x# f_nsyms - number of symbols, only for not stripped>>12 ulelong >0 \b, %d symbols# f_opthdr - optional header size>>16 uleshort >0 \b, optional header size %d# at offset 20 can be optional header, extra bytes FILHSZ-20 because# do not rely on sizeof(FILHDR) to give the correct size for header.# or first section header# additional variables for other COFF files# >20 beshort 0407 (impure)# >20 beshort 0410 (pure)# >20 beshort 0413 (demand paged)# >20 beshort 0421 (standalone)# >22 
leshort >0 - version %d# >168 string .lowmem Apple toolbox #------------------------------------------------------------------------------# $File: commands,v 1.63 2020/06/06 15:36:30 christos Exp $# commands: file(1) magic for various shells and interpreters##0 string/w : shell archive or script for antique kernel text0 string/wt #!\ /bin/sh POSIX shell script text executable!:mime text/x-shellscript0 string/wb #!\ /bin/sh POSIX shell script executable (binary data)!:mime text/x-shellscript 0 string/wt #!\ /bin/csh C shell script text executable!:mime text/x-shellscript # korn shell magic, sent by George Wu, gwu@clyde.att.com0 string/wt #!\ /bin/ksh Korn shell script text executable!:mime text/x-shellscript0 string/wb #!\ /bin/ksh Korn shell script executable (binary data)!:mime text/x-shellscript 0 string/wt #!\ /bin/tcsh Tenex C shell script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/bin/tcsh Tenex C shell script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/local/tcsh Tenex C shell script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/local/bin/tcsh Tenex C shell script text executable!:mime text/x-shellscript ## zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson)0 string/wt #!\ /bin/zsh Paul Falstad's zsh script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable!:mime text/x-shellscript0 search/1 #!/usr/bin/env\ zsh Paul Falstad's zsh script text executable!:mime text/x-shellscript 0 string/wt #!\ /usr/local/bin/ash Neil Brown's ash script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/local/bin/ae Neil Brown's ae script text executable!:mime text/x-shellscript0 string/wt #!\ /bin/nawk new awk script text executable!:mime text/x-nawk0 string/wt #!\ /usr/bin/nawk new awk script text executable!:mime text/x-nawk0 string/wt 
#!\ /usr/local/bin/nawk new awk script text executable!:mime text/x-nawk0 string/wt #!\ /bin/gawk GNU awk script text executable!:mime text/x-gawk0 string/wt #!\ /usr/bin/gawk GNU awk script text executable!:mime text/x-gawk0 string/wt #!\ /usr/local/bin/gawk GNU awk script text executable!:mime text/x-gawk#0 string/wt #!\ /bin/awk awk script text executable!:mime text/x-awk0 string/wt #!\ /usr/bin/awk awk script text executable!:mime text/x-awk0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de)0 string/wt #!\ /bin/bash Bourne-Again shell script text executable!:mime text/x-shellscript0 string/wb #!\ /bin/bash Bourne-Again shell script executable (binary data)!:mime text/x-shellscript0 string/wt #!\ /usr/bin/bash Bourne-Again shell script text executable!:mime text/x-shellscript0 string/wb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data)!:mime text/x-shellscript0 string/wt #!\ /usr/local/bash Bourne-Again shell script text executable!:mime text/x-shellscript0 string/wb #!\ /usr/local/bash Bourne-Again shell script executable (binary data)!:mime text/x-shellscript0 string/wt #!\ /usr/local/bin/bash Bourne-Again shell script text executable!:mime text/x-shellscript0 string/wb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data)!:mime text/x-shellscript0 string/wt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable!:mime text/x-shellscript # Fish shell magic# From: Benjamin Lowry <ben@ben.gmbh>0 string/wt #!\ /usr/local/bin/fish fish shell script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/bin/fish fish shell script text executable!:mime text/x-shellscript0 string/wt #!\ /usr/bin/env\ fish fish shell script text executable!:mime text/x-shellscript 0 search/1/wt #!\ /usr/bin/tclsh Tcl/Tk script 
text executable!:mime text/x-tcl 0 search/1/wt #!\ /usr/bin/texlua LuaTex script text executable!:mime text/x-luatex 0 search/1/wt #!\ /usr/bin/luatex LuaTex script text executable!:mime text/x-luatex 0 search/1/wt #!\ /usr/bin/stap Systemtap script text executable!:mime text/x-systemtap # PHP scripts# Ulf Harnhammar <ulfh@update.uu.se>0 search/1/c =<?php PHP script text!:strength + 30!:mime text/x-php0 search/1 =<?\n PHP script text!:mime text/x-php0 search/1 =<?\r PHP script text!:mime text/x-php0 search/1/w #!\ /usr/local/bin/php PHP script text executable!:strength + 10!:mime text/x-php0 search/1/w #!\ /usr/bin/php PHP script text executable!:strength + 10!:mime text/x-php# Smarty compiled template, https://www.smarty.net/# Elan Ruusamae <glen@delfi.ee>0 string =<?php>5 regex [\ \n]>>6 string /*\ Smarty\ version Smarty compiled template>>>24 regex [0-9.]+ \b, version %s!:mime text/x-php 0 string Zend\x00 PHP script Zend Optimizer data 0 string/t $! DCL command file # Type: Pdmenu# URL: https://packages.debian.org/pdmenu# From: Edward Betts <edward@debian.org>0 string #!/usr/bin/pdmenu Pdmenu configuration file text # From Danny Weldon0 string \x0b\x13\x08\x00>0x04 uleshort <4 ksh byte-code version %d #----------------------------------------------------------------------------# $File: communications,v 1.5 2009/09/19 16:28:08 christos Exp $# communication # TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3.# It is used for conformance testing of communication protocols.# Added by W. Borgert <debacle@debian.org>.0 string $Suite TTCN Abstract Test Suite>&1 string $SuiteId>>&1 string >\n %s>&2 string $SuiteId>>&1 string >\n %s>&3 string $SuiteId>>&1 string >\n %s # MSC (message sequence charts) are a formal description technique,# described in ITU-T Z.120, mainly used for communication protocols.# Added by W. 
Borgert <debacle@debian.org>.0 string mscdocument Message Sequence Chart (document)0 string msc Message Sequence Chart (chart)0 string submsc Message Sequence Chart (subchart)#------------------------------------------------------------------------------# $File: compress,v 1.79 2020/05/30 23:53:04 christos Exp $# compress: file(1) magic for pure-compression formats (no archives)## compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc.## Formats for various forms of compressed data# Formats for "compress" proper have been moved into "compress.c",# because it tries to uncompress it to figure out what's inside. # standard unix compress0 string \037\235 compress'd data!:mime application/x-compress!:apple LZIVZIVU>2 byte&0x80 >0 block compressed>2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)# URL: https://en.wikipedia.org/wiki/Gzip# Reference: https://tools.ietf.org/html/rfc1952# Update: Joerg Jenderek, Apr 2019# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002# * Original filename is only at offset 10 if "extra field" absent# * Produce shorter output - notably, only report compression methods# other than 8 ("deflate", the only method defined in RFC 1952).# Note: find defs -iname '*.trid.xml' -exec grep -q '<Bytes>1F8B08' {} \; -ls# TODO:# FBR Blueberry FlashBack screen Record https://www.flashbackrecorder.com/# KPR KOffice/Calligra KPresenter application/x-kpresenter# KPT KOffice/Calligra KPresenter template? application/x-kpresenter# SAV Diggles Saved Game File http://www.innonics.com# SAV FarCry (demo) saved game http://www.farcry-thegame.com# DAT ZOAGZIP game data format http://en.wikipedia.org/wiki/SD_Gundam_Capsule_Fighter0 string \037\213# to display gzip compressed (strength=100=2*50) before other (strength=50)?#!:strength * 2# no FNAME and FCOMMENT bit implies no file name/comment. 
That means only binary
>3 byte&0x18 =0
# For binary gzipped no ASCII text should occur
# mcd-monu-cad.trid.xml
>>10 string MCD Monu-Cad Drawing, Component or Font
#>>36 string Created\ with\ MONU-CAD
#!:mime application/octet-stream
# http://fileformats.archiveteam.org/wiki/Monu-CAD
# http://www.monucad.com/downloads/FullDemo-2005.EXE
# /HANDS96.MCC Component
# /DEMO_DD01.MCD Drawing
# /MCALF020.FNT Font
!:ext mcc/mcd/fnt
# http://www.generalcadd.com
>>10 string GXD General CADD, Drawing or Component
#!:mime application/octet-stream
# /gxc/BUILDINGEDGE.gxc Component
# /gxd/HOCKETT-STPAUL-WRHSE.gxd Drawing
# /gxd/POWERLAND-MILL-ADD-11.gxd Drawing v9.1.06
!:ext gxc/gxd
#>>>13 ubyte 0 \b, version 0
>>>13 string 09 \b, version 9
# other gzipped binary like gzipped tar, VirtualBox extension package,...
>>10 default x gzip compressed data
!:mime application/gzip
>>>0 use gzip-info
# size of the original (uncompressed) input data modulo 2^32
>>-0 offset >48
>>>-4 ulelong x \b, original size modulo 2^32 %u
>>-0 offset <48 \b, truncated
# gzipped TAR or VirtualBox extension package
#!:mime application/x-compressed-tar
#!:mime application/x-virtualbox-vbox-extpack
# https://www.w3.org/TR/SVG/mimereg.html
#!:mime image/image/svg+xml-compressed
# zlib.3.gz
# microcode-20180312.tgz
# tpz same as tgz
# lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg
# Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack
!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz
# FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text
>3 byte&0x18 >0 gzip compressed data
!:mime application/gzip
# gzipped tar, gzipped Abiword document
#!:mime application/x-compressed-tar
#!:mime application/x-abiword-compressed
#!:mime image/image/svg+xml-compressed
# kleopatra_splashscreen.svgz gzipped .svg
!:ext gz/tgz/tpz/zabw/svgz
>>0 use gzip-info
# size of the original (uncompressed) input data modulo 2^32
>>-0 offset >48
>>>-4 ulelong x \b, original size modulo 2^32 %u
>>-0 offset <48 \b, truncated
# display information of gzip compressed files
0 name gzip-info
#>2 byte x THIS iS GZIP
>2 byte <8 \b, reserved method
>2 byte >8 \b, unknown method
>3 byte &0x01 \b, ASCII
>3 byte &0x02 \b, has CRC
>3 byte &0x04 \b, extra field
>3 byte&0xC =0x08
>>10 string x \b, was "%s"
>3 byte &0x10 \b, has comment
>3 byte &0x20 \b, encrypted
>4 ledate >0 \b, last modified: %s
>8 byte 2 \b, max compression
>8 byte 4 \b, max speed
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
# size of the original (uncompressed) input data modulo 2^32
#>-4 ulelong x \b, original size modulo 2^32 %u
#ERROR: line 114: non zero offset 1048572 at level 1

# packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis
0 string \037\036 packed data
!:mime application/octet-stream
>2 belong >1 \b, %d characters originally
>2 belong =1 \b, %d character originally
#
# This magic number is byte-order-independent.
0 short 0x1f1f old packed data
!:mime application/octet-stream

# XXX - why *two* entries for "compacted data", one of which is
# byte-order independent, and one of which is byte-order dependent?
#
0 short 0x1fff compacted data
!:mime application/octet-stream
# This string is valid for SunOS (BE) and a matching "short" is listed
# in the Ultrix (LE) magic file.
0 string \377\037 compacted data
!:mime application/octet-stream
0 short 0145405 huf output
!:mime application/octet-stream

# bzip2
0 string BZh bzip2 compressed data
!:mime application/x-bzip2
>3 byte >47 \b, block size = %c00k

# bzip a block-sorting file compressor
# by Julian Seward <sewardj@cs.man.ac.uk> and others
0 string BZ0 bzip compressed data
!:mime application/x-bzip
>3 byte >47 \b, block size = %c00k

# lzip
0 string LZIP lzip compressed data
!:mime application/x-lzip
>4 byte x \b, version: %d

# squeeze and crunch
# Michael Haardt <michael@cantor.informatik.rwth-aachen.de>
0 beshort 0x76FF squeezed data,
>4 string x original name %s
0 beshort 0x76FE crunched data,
>2 string x original name %s
0 beshort 0x76FD LZH compressed data,
>2 string x original name %s

# Freeze
0 string \037\237 frozen file 2.1
0 string \037\236 frozen file 1.0 (or gzip 0.5)

# SCO compress -H (LZH)
0 string \037\240 SCO compress -H (LZH) data

# European GSM 06.10 is a provisional standard for full-rate speech
# transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse
# excitation/long term prediction) coding at 13 kbit/s.
#
# There's only a magic nibble (4 bits); that nibble repeats every 33
# bytes. This isn't suited for use, but maybe we can use it someday.
#
# This will cause very short GSM files to be declared as data and
# mismatches to be declared as data too!
#0 byte&0xF0 0xd0 data
#>33 byte&0xF0 0xd0
#>66 byte&0xF0 0xd0
#>99 byte&0xF0 0xd0
#>132 byte&0xF0 0xd0 GSM 06.10 compressed audio

# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32

# 4.3BSD-Quasijarus Strong Compression
# https://minnie.tuhs.org/Quasijarus/compress.html
0 string \037\241 Quasijarus strong compressed data

# From: Cory Dikkers <cdikkers@swbell.net>
0 string XPKF Amiga xpkf.library compressed data
0 string PP11 Power Packer 1.1 compressed data
0 string PP20 Power Packer 2.0 compressed data,
>4 belong 0x09090909 fast compression
>4 belong 0x090A0A0A mediocre compression
>4 belong 0x090A0B0B good compression
>4 belong 0x090A0C0C very good compression
>4 belong 0x090A0C0D best compression

# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# https://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte x version %d
>7 byte x \b.%d
!:mime application/x-7z-compressed
!:ext 7z/cb7

# Type: LZMA
0 lelong&0xffffff =0x5d
>12 leshort 0xff LZMA compressed data,
!:mime application/x-lzma
>>5 lequad =0xffffffffffffffff streamed
>>5 lequad !0xffffffffffffffff non-streamed, size %lld
>12 leshort 0 LZMA compressed data,
>>5 lequad =0xffffffffffffffff streamed
>>5 lequad !0xffffffffffffffff non-streamed, size %lld

# http://tukaani.org/xz/xz-file-format.txt
0 ustring \xFD7zXZ\x00 XZ compressed data
!:strength * 2
!:mime application/x-xz

# https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt
0 string LRZI LRZIP compressed data
>4 byte x - version %d
>5 byte x \b.%d
!:mime application/x-lrzip

# https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html
0 lelong 0x184d2204 LZ4 compressed data (v1.4+)
!:mime application/x-lz4
# Added by osm0sis@xda-developers.com
0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3)
!:mime application/x-lz4
0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9)
!:mime application/x-lz4

# Zstandard/LZ4 skippable frames
# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md
0 lelong&0xFFFFFFF0 0x184D2A50
>(4.l+8) indirect x

# Zstandard Dictionary ID subroutine
0 name zstd-dictionary-id
# Single Segment = True
>0 byte &0x20 \b, Dictionary ID:
>>0 byte&0x03 0 None
>>0 byte&0x03 1
>>>1 byte x %u
>>0 byte&0x03 2
>>>1 leshort x %u
>>0 byte&0x03 3
>>>1 lelong x %u
# Single Segment = False
>0 byte ^0x20 \b, Dictionary ID:
>>0 byte&0x03 0 None
>>0 byte&0x03 1
>>>2 byte x %u
>>0 byte&0x03 2
>>>2 leshort x %u
>>0 byte&0x03 3
>>>2 lelong x %u

# Zstandard compressed data
# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md
0 lelong 0xFD2FB522 Zstandard compressed data (v0.2)
!:mime application/zstd
0 lelong 0xFD2FB523 Zstandard compressed data (v0.3)
!:mime application/zstd
0 lelong 0xFD2FB524 Zstandard compressed data (v0.4)
!:mime application/zstd
0 lelong 0xFD2FB525 Zstandard compressed data (v0.5)
!:mime application/zstd
0 lelong 0xFD2FB526 Zstandard compressed data (v0.6)
!:mime application/zstd
0 lelong 0xFD2FB527 Zstandard compressed data (v0.7)
!:mime application/zstd
>4 use zstd-dictionary-id
0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+)
!:mime application/zstd
>4 use zstd-dictionary-id

# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md
0 lelong 0xEC30A437 Zstandard dictionary
!:mime application/x-std-dictionary
>4 lelong x (ID %u)

# AFX compressed files (Wolfram Kleff)
2 string -afx- AFX compressed file data

# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)

0 string ArC\x01 FreeArc archive <http://freearc.org>

# Type: DACT compressed files
0 long 0x444354C3 DACT compressed data
>4 byte >-1 (version %i.
>5 byte >-1 %i.
>6 byte >-1 %i)
>7 long >0 , original size: %i bytes
>15 long >30 , block size: %i bytes

# Valve Pack (VPK) files
0 lelong 0x55aa1234 Valve Pak file
>0x4 lelong x \b, version %u
>0x8 lelong x \b, %u entries

# Snappy framing format
# https://code.google.com/p/snappy/source/browse/trunk/framing_format.txt
0 string \377\006\0\0sNaPpY snappy framed data
!:mime application/x-snappy-framed

# qpress, https://www.quicklz.com/
0 string qpress10 qpress compressed data
!:mime application/x-qpress

# Zlib https://www.ietf.org/rfc/rfc6713.txt
0 string/b x
>0 beshort%31 =0
>>0 byte&0xf =8
>>>0 byte&0x80 =0 zlib compressed data
!:mime application/zlib

# BWC compression
0 string BWC
>3 byte 0 BWC compressed data

# UCL compression
0 bequad 0x00e955434cff011a UCL compressed data

# Softlib archive
0 string SLIB Softlib archive
>4 leshort x \b, version %d
>6 leshort x (contains %d files)

# URL: https://github.com/lzfse/lzfse/blob/master/src/lzfse_internal.h#L276
# From: Eric Hall <eric.hall@darkart.com>
0 string bvx- lzfse encoded, no compression
0 string bvx1 lzfse compressed, uncompressed tables
0 string bvx2 lzfse compressed, compressed tables
0 string bvxn lzfse encoded, lzvn compressed

# pcxLib.exe compression program
# http://www.shikadi.net/moddingwiki/PCX_Library
0 string/b pcxLib
>0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed

#------------------------------------------------------------------------------
# $File: console,v 1.55 2020/04/19 17:30:55 christos Exp $
# Console game magic
# Toby Deshane <hac@shoelace.digivill.net>

# ines: file(1) magic for Marat's iNES Nintendo Entertainment System ROM dump format
# Updated by David Korth <gerbilsoft@gerbilsoft.com>
# References:
# - https://wiki.nesdev.com/w/index.php/INES
# - https://wiki.nesdev.com/w/index.php/NES_2.0

# Common header for iNES, NES 2.0, and Wii U iNES.
0 name nes-rom-image-ines
>7 byte&0x0C =0x8 (NES 2.0)
>4 byte x \b: %ux16k PRG
>5 byte x \b, %ux8k CHR
>6 byte&0x08 =0x8 [4-Scr]
>6 byte&0x09 =0x0 [H-mirror]
>6 byte&0x09 =0x1 [V-mirror]
>6 byte&0x02 =0x2 [SRAM]
>6 byte&0x04 =0x4 [Trainer]
>7 byte&0x03 =0x2 [PC10]
>7 byte&0x03 =0x1 [VS]
>>7 byte&0x0C =0x8
# NES 2.0: VS PPU
>>>13 byte&0x0F =0x0 \b, RP2C03B
>>>13 byte&0x0F =0x1 \b, RP2C03G
>>>13 byte&0x0F =0x2 \b, RP2C04-0001
>>>13 byte&0x0F =0x3 \b, RP2C04-0002
>>>13 byte&0x0F =0x4 \b, RP2C04-0003
>>>13 byte&0x0F =0x5 \b, RP2C04-0004
>>>13 byte&0x0F =0x6 \b, RP2C03B
>>>13 byte&0x0F =0x7 \b, RP2C03C
>>>13 byte&0x0F =0x8 \b, RP2C05-01
>>>13 byte&0x0F =0x9 \b, RP2C05-02
>>>13 byte&0x0F =0xA \b, RP2C05-03
>>>13 byte&0x0F =0xB \b, RP2C05-04
>>>13 byte&0x0F =0xC \b, RP2C05-05
# TODO: VS protection hardware?
>>7 byte x \b]
# NES 2.0-specific flags.
>7 byte&0x0C =0x8
>>12 byte&0x03 =0x0 [NTSC]
>>12 byte&0x03 =0x1 [PAL]
>>12 byte&0x02 =0x2 [NTSC+PAL]

# Standard iNES ROM header.
0 string NES\x1A NES ROM image (iNES)
!:mime application/x-nes-rom
>0 use nes-rom-image-ines

# Wii U Virtual Console iNES ROM header.
0 belong 0x4E455300 NES ROM image (Wii U Virtual Console)
!:mime application/x-nes-rom
>0 use nes-rom-image-ines

#------------------------------------------------------------------------------
# unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images
# Reference: https://wiki.nesdev.com/w/index.php/UNIF
# From: David Korth <gerbilsoft@gerbilsoft.com>
#
# NOTE: The UNIF format uses chunks instead of a fixed header,
# so most of the data isn't easily parseable.
#
0 string UNIF
>4 lelong <16 NES ROM image (UNIF v%d format)
!:mime application/x-nes-rom

#------------------------------------------------------------------------------
# fds: file(1) magic for Famicom Disk System disk images
# Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format
# From: David Korth <gerbilsoft@gerbilsoft.com>
# TODO: Check "Disk info block" and get info from that in addition to the optional header.

# Disk info block. (block 1)
0 name nintendo-fds-disk-info-block
>23 byte !1 FMC-
>23 byte 1 FSC-
>16 string x \b%.3s
>15 byte x \b, mfr %02X
>20 byte x (Rev.%02u)

# Headered version.
0 string FDS\x1A
>0x11 string *NINTENDO-HVC* Famicom Disk System disk image:
!:mime application/x-fds-disk
>>0x10 use nintendo-fds-disk-info-block
>4 byte 1 (%u side)
>4 byte !1 (%u sides)

# Unheadered version.
1 string *NINTENDO-HVC* Famicom Disk System disk image:
!:mime application/x-fds-disk
>0 use nintendo-fds-disk-info-block

#------------------------------------------------------------------------------
# tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images
# Used by Nintendo 3DS NES Virtual Console games.
# From: David Korth <gerbilsoft@gerbilsoft.com>
#
0 string TNES NES ROM image (Nintendo 3DS Virtual Console)
!:mime application/x-nes-rom
>4 byte 100 \b: FDS,
>>0x2010 use nintendo-fds-disk-info-block
>4 byte !100 \b: TNES mapper %u
>>5 byte x \b, %ux8k PRG
>>6 byte x \b, %ux8k CHR
>>7 byte&0x08 =1 [WRAM]
>>8 byte&0x09 =1 [H-mirror]
>>8 byte&0x09 =2 [V-mirror]
>>8 byte&0x02 =3 [VRAM]

#------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
# Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header
#
0x104 bequad 0xCEED6666CC0D000B Game Boy ROM image
# TODO: application/x-gameboy-color-rom for GBC.
!:mime application/x-gameboy-rom
>0x143 byte&0x80 0x80
>>0x134 string >\0 \b: "%.15s"
>0x143 byte&0x80 !0x80
>>0x134 string >\0 \b: "%.16s"
>0x14c byte x (Rev.%02u)

# Machine type. (SGB, CGB, SGB+CGB)
>0x14b byte 0x33
>>0x146 byte 0x03
>>>0x143 byte&0x80 0x80 [SGB+CGB]
>>>0x143 byte&0x80 !0x80 [SGB]
>>0x146 byte !0x03
>>>0x143 byte&0xC0 0x80 [CGB]
>>>0x143 byte&0xC0 0xC0 [CGB ONLY]
>0x14b byte !0x33

# Mapper.
>0x147 byte 0x00 [ROM ONLY]
>0x147 byte 0x01 [MBC1]
>0x147 byte 0x02 [MBC1+RAM]
>0x147 byte 0x03 [MBC1+RAM+BATT]
>0x147 byte 0x05 [MBC2]
>0x147 byte 0x06 [MBC2+BATTERY]
>0x147 byte 0x08 [ROM+RAM]
>0x147 byte 0x09 [ROM+RAM+BATTERY]
>0x147 byte 0x0B [MMM01]
>0x147 byte 0x0C [MMM01+SRAM]
>0x147 byte 0x0D [MMM01+SRAM+BATT]
>0x147 byte 0x0F [MBC3+TIMER+BATT]
>0x147 byte 0x10 [MBC3+TIMER+RAM+BATT]
>0x147 byte 0x11 [MBC3]
>0x147 byte 0x12 [MBC3+RAM]
>0x147 byte 0x13 [MBC3+RAM+BATT]
>0x147 byte 0x19 [MBC5]
>0x147 byte 0x1A [MBC5+RAM]
>0x147 byte 0x1B [MBC5+RAM+BATT]
>0x147 byte 0x1C [MBC5+RUMBLE]
>0x147 byte 0x1D [MBC5+RUMBLE+SRAM]
>0x147 byte 0x1E [MBC5+RUMBLE+SRAM+BATT]
>0x147 byte 0xFC [Pocket Camera]
>0x147 byte 0xFD [Bandai TAMA5]
>0x147 byte 0xFE [Hudson HuC-3]
>0x147 byte 0xFF [Hudson HuC-1]

# ROM size.
>0x148 byte 0 \b, ROM: 256Kbit
>0x148 byte 1 \b, ROM: 512Kbit
>0x148 byte 2 \b, ROM: 1Mbit
>0x148 byte 3 \b, ROM: 2Mbit
>0x148 byte 4 \b, ROM: 4Mbit
>0x148 byte 5 \b, ROM: 8Mbit
>0x148 byte 6 \b, ROM: 16Mbit
>0x148 byte 7 \b, ROM: 32Mbit
>0x148 byte 0x52 \b, ROM: 9Mbit
>0x148 byte 0x53 \b, ROM: 10Mbit
>0x148 byte 0x54 \b, ROM: 12Mbit

# RAM size.
>0x149 byte 1 \b, RAM: 16Kbit
>0x149 byte 2 \b, RAM: 64Kbit
>0x149 byte 3 \b, RAM: 128Kbit
>0x149 byte 4 \b, RAM: 1Mbit
>0x149 byte 5 \b, RAM: 512Kbit

#------------------------------------------------------------------------------
# genesis: file(1) magic for various Sega Mega Drive / Genesis ROM image and disc formats
# Updated by David Korth <gerbilsoft@gerbilsoft.com>
# References:
# - https://www.retrodev.com/segacd.html
# - http://devster.monkeeh.com/sega/32xguide1.txt
#

# Common Sega Mega Drive header format.
# FIXME: Name fields are 48 bytes, but have spaces for padding instead of 00s.
0 name sega-mega-drive-header
# ROM title. (Use domestic if present; if not, use international.)
>0x120 byte >0x20
>>0x120 string >\0 \b: "%.16s"
>0x120 byte <0x21
>>0x150 string >\0 \b: "%.16s"
# Other information.
>0x180 string >\0 (%.14s
>>0x110 string >\0 \b, %.16s
>0x180 byte 0
>>0x110 string >\0 (%.16s
>0 byte x \b)

# TODO: Check for 32X CD?
# Sega Mega CD disc images: 2048-byte sectors.
0 string SEGADISCSYSTEM\ \ Sega Mega CD disc image
!:mime application/x-sega-cd-rom
>0 use sega-mega-drive-header
>0 byte x \b, 2048-byte sectors
0 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image
!:mime application/x-sega-cd-rom
>0 use sega-mega-drive-header
>0 byte x \b, 2048-byte sectors
# Sega Mega CD disc images: 2352-byte sectors.
0x10 string SEGADISCSYSTEM\ \ Sega Mega CD disc image
!:mime application/x-sega-cd-rom
>0x10 use sega-mega-drive-header
>0 byte x \b, 2352-byte sectors
0x10 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image
!:mime application/x-sega-cd-rom
>0x10 use sega-mega-drive-header
>0 byte x \b, 2352-byte sectors

# Sega Mega Drive, 32X, Pico, and Mega CD Boot ROM images.
0x100 string SEGA
>0x3C0 bequad 0x4D41525320434845 Sega 32X ROM image
!:mime application/x-genesis-32x-rom
>>0 use sega-mega-drive-header
>0x3C0 bequad !0x4D41525320434845
>>0x105 belong 0x5049434F Sega Pico ROM image
!:mime application/x-sega-pico-rom
>>>0 use sega-mega-drive-header
>>0x105 belong !0x5049434F
>>>0x180 beshort 0x4252 Sega Mega CD Boot ROM image
!:mime application/x-genesis-rom
>>>0x180 beshort !0x4252 Sega Mega Drive / Genesis ROM image
!:mime application/x-genesis-rom
>>>0 use sega-mega-drive-header

#------------------------------------------------------------------------------
# genesis: file(1) magic for the Super MegaDrive ROM dump format
#

# NOTE: Due to interleaving, we can't display anything
# other than the copier header information.
0 name sega-genesis-smd-header
>0 byte x %dx16k blocks
>2 byte 0 \b, last in series or standalone
>2 byte >0 \b, split ROM

# "Sega Genesis" header.
0x280 string EAGN
>8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format):
!:mime application/x-genesis-rom
>>0 use sega-genesis-smd-header

# "Sega Mega Drive" header.
0x280 string EAMG
>8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format):
!:mime application/x-genesis-rom
>>0 use sega-genesis-smd-header

#------------------------------------------------------------------------------
# smsgg: file(1) magic for Sega Master System and Game Gear ROM images
# Detects all Game Gear and export Sega Master System ROM images,
# and some Japanese Sega Master System ROM images.
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://www.smspower.org/Development/ROMHeader
#

# General SMS header rule.
# The SMS boot ROM checks the header at three locations.
0 name sega-master-system-rom-header
# Machine type.
>0x0F byte&0xF0 0x30 Sega Master System
!:mime application/x-sms-rom
>0x0F byte&0xF0 0x40 Sega Master System
!:mime application/x-sms-rom
>0x0F byte&0xF0 0x50 Sega Game Gear
!:mime application/x-gamegear-rom
>0x0F byte&0xF0 0x60 Sega Game Gear
!:mime application/x-gamegear-rom
>0x0F byte&0xF0 0x70 Sega Game Gear
!:mime application/x-gamegear-rom
>0x0F default x Sega Master System / Game Gear
!:mime application/x-sms-rom
>0 byte x ROM image:
# Product code.
>0x0E byte&0xF0 0x10 1
>0x0E byte&0xF0 0x20 2
>0x0E byte&0xF0 0x30 3
>0x0E byte&0xF0 0x40 4
>0x0E byte&0xF0 0x50 5
>0x0E byte&0xF0 0x60 6
>0x0E byte&0xF0 0x70 7
>0x0E byte&0xF0 0x80 8
>0x0E byte&0xF0 0x90 9
>0x0E byte&0xF0 0xA0 10
>0x0E byte&0xF0 0xB0 11
>0x0E byte&0xF0 0xC0 12
>0x0E byte&0xF0 0xD0 13
>0x0E byte&0xF0 0xE0 14
>0x0E byte&0xF0 0xF0 15
# If the product code is 5 digits, we'll need to backspace here.
>0x0E byte&0xF0 !0
>>0x0C leshort x \b%04x
>0x0E byte&0xF0 0
>>0x0C leshort x %04x
# Revision.
>0x0E byte&0x0F x (Rev.%02d)
# ROM size. (Used for the boot ROM checksum routine.)
>0x0F byte&0x0F 0x0A (8 KB)
>0x0F byte&0x0F 0x0B (16 KB)
>0x0F byte&0x0F 0x0C (32 KB)
>0x0F byte&0x0F 0x0D (48 KB)
>0x0F byte&0x0F 0x0E (64 KB)
>0x0F byte&0x0F 0x0F (128 KB)
>0x0F byte&0x0F 0x00 (256 KB)
>0x0F byte&0x0F 0x01 (512 KB)
>0x0F byte&0x0F 0x02 (1 MB)

# SMS/GG header locations.
0x7FF0 string TMR\ SEGA
>0x7FF0 use sega-master-system-rom-header
0x3FF0 string TMR\ SEGA
>0x3FF0 use sega-master-system-rom-header
0x1FF0 string TMR\ SEGA
>0x1FF0 use sega-master-system-rom-header

#------------------------------------------------------------------------------
# saturn: file(1) magic for the Sega Saturn disc image format.
# From: David Korth <gerbilsoft@gerbilsoft.com>
#

# Common Sega Saturn disc header format.
# NOTE: Title is 112 bytes, but we're only showing 32 due to space padding.
# TODO: Release date, device information, region code, others?
0 name sega-saturn-disc-header
>0x60 string >\0 \b: "%.32s"
>0x20 string >\0 (%.10s
>>0x2A string >\0 \b, %.6s)
>>0x2A byte 0 \b)

# 2048-byte sector version.
0 string SEGA\ SEGASATURN\ Sega Saturn disc image
!:mime application/x-saturn-rom
>0 use sega-saturn-disc-header
>0 byte x (2048-byte sectors)
# 2352-byte sector version.
0x10 string SEGA\ SEGASATURN\ Sega Saturn disc image
!:mime application/x-saturn-rom
>0x10 use sega-saturn-disc-header
>0 byte x (2352-byte sectors)

#------------------------------------------------------------------------------
# dreamcast: file(1) magic for the Sega Dreamcast disc image format.
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://mc.pp.se/dc/ip0000.bin.html
#

# Common Sega Dreamcast disc header format.
# NOTE: Title is 128 bytes, but we're only showing 32 due to space padding.
# TODO: Release date, device information, region code, others?
0 name sega-dreamcast-disc-header
>0x80 string >\0 \b: "%.32s"
>0x40 string >\0 (%.10s
>>0x4A string >\0 \b, %.6s)
>>0x4A byte 0 \b)

# 2048-byte sector version.
0 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image
!:mime application/x-dc-rom
>0 use sega-dreamcast-disc-header
>0 byte x (2048-byte sectors)
# 2352-byte sector version.
0x10 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image
!:mime application/x-dc-rom
>0x10 use sega-dreamcast-disc-header
>0 byte x (2352-byte sectors)

#------------------------------------------------------------------------------
# dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format
#
0 belong 0x21068028 Sega Dreamcast VMU game image
0 string LCDi Dream Animator file

#------------------------------------------------------------------------------
# z64: file(1) magic for the Z64 format N64 ROM dumps
# Reference: http://forum.pj64-emu.com/showthread.php?t=2239
# From: David Korth <gerbilsoft@gerbilsoft.com>
#
0 bequad 0x803712400000000F Nintendo 64 ROM image
!:mime application/x-n64-rom
>0x20 string >\0 \b: "%.20s"
>0x3B string x (%.4s
>0x3F byte x \b, Rev.%02u)

#------------------------------------------------------------------------------
# v64: file(1) magic for the V64 format N64 ROM dumps
# Same as z64 format, but with 16-bit byteswapping.
#
0 bequad 0x3780401200000F00 Nintendo 64 ROM image (V64)
!:mime application/x-n64-rom

#------------------------------------------------------------------------------
# n64-swap2: file(1) magic for the swap2 format N64 ROM dumps
# Same as z64 format, but with swapped 16-bit words.
#
0 bequad 0x12408037000F0000 Nintendo 64 ROM image (wordswapped)
!:mime application/x-n64-rom

#------------------------------------------------------------------------------
# n64-le32: file(1) magic for the 32-bit byteswapped format N64 ROM dumps
# Same as z64 format, but with 32-bit byteswapping.
#
0 bequad 0x401237800F000000 Nintendo 64 ROM image (32-bit byteswapped)
!:mime application/x-n64-rom

#------------------------------------------------------------------------------
# gba: file(1) magic for the Nintendo Game Boy Advance raw ROM format
# Reference: https://problemkaputt.de/gbatek.htm#gbacartridgeheader
#
# Original version from: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Updated version from: David Korth <gerbilsoft@gerbilsoft.com>
#
4 bequad 0x24FFAE51699AA221 Game Boy Advance ROM image
!:mime application/x-gba-rom
>0xA0 string >\0 \b: "%.12s"
>0xAC string x (%.6s
>0xBC byte x \b, Rev.%02u)

#------------------------------------------------------------------------------
# nds: file(1) magic for the Nintendo DS(i) raw ROM format
# Reference: https://problemkaputt.de/gbatek.htm#dscartridgeheader
#
# Original version from: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Updated version from: David Korth <gerbilsoft@gerbilsoft.com>
#
0xC0 bequad 0x24FFAE51699AA221 Nintendo DS ROM image
!:mime application/x-nintendo-ds-rom
>0x00 string >\0 \b: "%.12s"
>0x0C string x (%.6s
>0x1E byte x \b, Rev.%02u)
>0x12 byte 2 (DSi enhanced)
>0x12 byte 3 (DSi only)
# Secure Area check.
>0x20 lelong <0x4000 (homebrew)
>0x20 lelong >0x3FFF
>>0x4000 lequad 0x0000000000000000 (multiboot)
>>0x4000 lequad !0x0000000000000000
>>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted)
>>>0x4000 lequad !0xE7FFDEFFE7FFDEFF
>>>>0x1000 lequad 0x0000000000000000 (encrypted)
>>>>0x1000 lequad !0x0000000000000000 (mask ROM)

#------------------------------------------------------------------------------
# nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot.
# This is also used for loading .nds files using the MSET exploit on 3DS.
# Reference: https://github.com/devkitPro/ndstool/blob/master/source/ndscreate.cpp
0xC0 bequad 0xC8604FE201708FE2 Nintendo DS Slot-2 ROM image (PassMe)
!:mime application/x-nintendo-ds-rom

#------------------------------------------------------------------------------
# ngp: file(1) magic for the Neo Geo Pocket (Color) raw ROM format.
# From: David Korth <gerbilsoft@gerbilsoft.com>
# References:
# - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp
# - https://www.devrs.com/ngp/files/ngpctech.txt
#
0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket
!:mime application/x-neo-geo-pocket-rom
>0x23 byte 0x10 Color
>0 byte x ROM image
>0x24 string >\0 \b: "%.12s"
>0x1F byte 0xFF (debug mode enabled)

#------------------------------------------------------------------------------
# msx: file(1) magic for MSX game cartridge dumps
# Too simple - MPi
#0 beshort 0x4142 MSX game cartridge dump

#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0 string PS-X\ EXE Sony Playstation executable
>16 lelong x PC=0x%08x,
>20 lelong !0 GP=0x%08x,
>24 lelong !0 .text=[0x%08x,
>>28 lelong x \b0x%x],
>32 lelong !0 .data=[0x%08x,
>>36 lelong x \b0x%x],
>40 lelong !0 .bss=[0x%08x,
>>44 lelong x \b0x%x],
>48 lelong !0 Stack=0x%08x,
>48 lelong =0 No Stack!,
>52 lelong !0 StackSize=0x%x,
#>76 string >\0 (%s)
# Area:
>113 string x (%s)

# CPE executables
0 string CPE CPE executable
>3 byte x (version %d)

#------------------------------------------------------------------------------
# Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>)
0 string XBEH Microsoft Xbox executable
!:mime audio/x-xbox-executable
!:ext xbe
# expect base address of 0x10000
>0x0104 ulelong =0x10000
>>(0x0118.l-0x0FFF4) lestring16 x \b: "%.40s"
>>(0x0118.l-0x0FFF5) byte x (%c
>>(0x0118.l-0x0FFF6) byte x \b%c-
>>(0x0118.l-0x0FFF8) uleshort x \b%03u)
>>(0x0118.l-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
>>(0x0118.l-0x0FF60) ulelong&0x80000007 !0x80000007
>>>(0x0118.l-0x0FF60) ulelong >0 (regions:
>>>>(0x0118.l-0x0FF60) ulelong &0x00000001 NA
>>>>(0x0118.l-0x0FF60) ulelong &0x00000002 Japan
>>>>(0x0118.l-0x0FF60) ulelong &0x00000004 Rest_of_World
>>>>(0x0118.l-0x0FF60) ulelong &0x80000000 Manufacturer
>>>(0x0118.l-0x0FF60) ulelong >0 \b)
# probabilistic checks whether signed or not
>0x0004 ulelong =0x0
>>&2 ulelong =0x0
>>>&2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
>>&2 ulelong >0
>>>&2 ulelong >0 \b, signed

# --------------------------------
# Microsoft Xbox data file formats
0 string XIP0 XIP, Microsoft Xbox data
0 string XTF0 XTF, Microsoft Xbox data
#------------------------------------------------------------------------------
# Microsoft Xbox 360 executables (.xex)
# From: David Korth <gerbilsoft@gerbilsoft.com>
# References:
# - https://free60project.github.io/wiki/XEX.html
# - https://github.com/xenia-project/xenia/blob/HEAD/src/xenia/kernel/util/xex2_info.h

# Title ID (part of Execution ID section)
0 name xbox-360-xex-execution-id
>(0.L+0xC) byte x (%c
>(0.L+0xD) byte x \b%c
>(0.L+0xE) beshort x \b-%04u, media ID:
>(0.L) belong x %08X)

# Region code (part of Security Info)
0 name xbox-360-xex-region-code
>0 ubelong 0xFFFFFFFF \b, all regions
>0 ubelong !0xFFFFFFFF
>>0 ubelong >0 (regions:
>>0 ubelong&0x000000FF 0x000000FF USA
>>0 ubelong&0x00000100 0x00000100 Japan
>>0 ubelong&0x00000200 0x00000200 China
>>0 ubelong&0x0000FC00 0x0000FC00 Asia
>>0 ubelong&0x00FF0000 0x00FF0000 PAL
>>0 ubelong&0x00FF0000 0x00FE0000 PAL [except AU/NZ]
>>0 ubelong&0x00FF0000 0x00010000 AU/NZ
>>0 ubelong&0xFF000000 0xFF000000 Other
>>0 ubelong >0 \b)

0 string XEX2 Microsoft Xbox 360 executable
!:mime audio/x-xbox360-executable
!:ext xex
>0x18 search/0x100 \x00\x04\x00\x06
>>&0 use xbox-360-xex-execution-id
>(0x010.L+0x178) use xbox-360-xex-region-code

0 string XEX1 Microsoft Xbox 360 executable (XEX1)
!:mime audio/x-xbox360-executable
!:ext xex
>0x18 search/0x100 \x00\x04\x00\x06
>>&0 use xbox-360-xex-execution-id
>(0x010.L+0x154) use xbox-360-xex-region-code

#------------------------------------------------------------------------------
# Microsoft Xbox 360 packages
# From: David Korth <gerbilsoft@gerbilsoft.com>
# References:
# - https://free60project.github.io/wiki/STFS.html
# - https://github.com/xenia-project/xenia/blob/HEAD/src/xenia/kernel/util/xex2_info.h

# TODO: More information for console-signed packages.
0 name xbox-360-package
>0x360 byte x (%c
>0x361 byte x \b%c
>0x362 beshort x \b-%04u, media ID:
>0x354 belong x %08X)
>0x344 belong x \b, content type:
>>0x344 belong 0x1 Saved Game
>>0x344 belong 0x2 Marketplace Content
>>0x344 belong 0x3 Publisher
>>0x344 belong 0x1000 Xbox 360 Title
>>0x344 belong 0x2000 IPTV Pause Buffer
>>0x344 belong 0x4000 Installed Game
>>0x344 belong 0x5000 Original Xbox Game
>>0x344 belong 0x9000 Avatar Item
>>0x344 belong 0x10000 Profile
>>0x344 belong 0x20000 Gamer Picture
>>0x344 belong 0x30000 Theme
>>0x344 belong 0x40000 Cache File
>>0x344 belong 0x50000 Storage Download
>>0x344 belong 0x60000 Xbox Saved Game
>>0x344 belong 0x70000 Xbox Download
>>0x344 belong 0x80000 Game Demo
>>0x344 belong 0x90000 Video
>>0x344 belong 0xA0000 Game
>>0x344 belong 0xB0000 Installer
>>0x344 belong 0xC0000 Game Trailer
>>0x344 belong 0xD0000 Arcade Title
>>0x344 belong 0xE0000 XNA
>>0x344 belong 0xF0000 License Store
>>0x344 belong 0x100000 Movie
>>0x344 belong 0x200000 TV
>>0x344 belong 0x300000 Music Video
>>0x344 belong 0x400000 Game Video
>>0x344 belong 0x500000 Podcast Video
>>0x344 belong 0x600000 Viral Video
>>0x344 belong 0x2000000 Community Game

0 string CON\x20 Microsoft Xbox 360 package (console-signed)
>0 use xbox-360-package
0 string PIRS
>0 belong 0 Microsoft Xbox 360 package (non-Xbox Live)
>>0 use xbox-360-package
0 string LIVE
>0x104 belong 0 Microsoft Xbox 360 package (Xbox Live)
>>0 use xbox-360-package

# Atari Lynx cartridge dump (EXE/BLL header)
# From: "Stefan A. Haubenthal" <polluks@web.de>

# Double-check that the image type matches too, 0x8008 conflicts with
# 8 character OMF-86 object file headers.
0 beshort 0x8008
>6 string BS93 Lynx homebrew cartridge
!:mime application/x-atari-lynx-rom
>>2 beshort x \b, RAM start $%04x
>6 string LYNX Lynx cartridge
!:mime application/x-atari-lynx-rom
>>2 beshort x \b, RAM start $%04x

# Opera file system that is used on the 3DO console
# From: Serge van den Boom <svdb@stack.nl>
0 string \x01ZZZZZ\x01 3DO "Opera" file system

# From: Alex Myczko <alex@aiei.ch>
# From: David Pflug <david@pflug.email>
# is the offset 12 or the offset 16 correct?
# GBS (Game Boy Sound) magic
# ftp://ftp.modland.com/pub/documents/format_documentation/\
# Gameboy%20Sound%20System%20(.gbs).txt
0 string GBS Nintendo Gameboy Music/Audio Data
#12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module
>16 string >\0 ("%.32s" by
>48 string >\0 %.32s, copyright
>80 string >\0 %.32s),
>3 byte x version %u,
>4 byte x %u tracks

# IPS Patch Files from: From: Thomas Klausner <tk@giga.or.at>
# see https://zerosoft.zophar.net/ips.php
0 string PATCH IPS patch file
!:ext ips

# BPS Patch Files - from: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://www.romhacking.net/documents/746/
0 string BPS1 BPS patch file
!:ext bps

# APS Patch Files - from: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://github.com/btimofeev/UniPatcher/wiki/APS-(N64)
0 string APS10 APS patch file
!:ext aps
>5 byte 0 \b, simple patch
>5 byte 1 \b, N64-specific patch for
>>58 byte x N%c
>>59 byte x \b%c
>>60 byte x \b%c
>7 byte !0x20
# FIXME: /T specifier isn't working with a fixed-length string.
>>7 string x \b: "%.50s"

# UPS Patch Files - from: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: http://fileformats.archiveteam.org/wiki/UPS_(binary_patch_format)
0 string UPS1 UPS patch file
!:ext ups

# Playstations Patch Files from: From: Thomas Klausner <tk@giga.or.at>
0 string PPF30 Playstation Patch File version 3.0
>5 byte 0 \b, PPF 1.0 patch
>5 byte 1 \b, PPF 2.0 patch
>5 byte 2 \b, PPF 3.0 patch
>>56 byte 0 \b, Imagetype BIN (any)
>>56 byte 1 \b, Imagetype GI (PrimoDVD)
>>57 byte 0 \b, Blockcheck disabled
>>57 byte 1 \b, Blockcheck enabled
>>58 byte 0 \b, Undo data not available
>>58 byte 1 \b, Undo data available
>6 string x \b, description: %s

0 string PPF20 Playstation Patch File version 2.0
>5 byte 0 \b, PPF 1.0 patch
>5 byte 1 \b, PPF 2.0 patch
>>56 lelong >0 \b, size of file to patch %d
>6 string x \b, description: %s

0 string PPF10 Playstation Patch File version 1.0
>5 byte 0 \b, Simple Encoding
>6 string x \b, description: %s

# From: Daniel Dawson <ddawson@icehouse.net>
# SNES9x .smv "movie" file format.
0 string SMV\x1A SNES9x input recording
>0x4 lelong x \b, version %d
# version 4 is latest so far
>0x4 lelong <5
>>0x8 ledate x \b, recorded at %s
>>0xc lelong >0 \b, rerecorded %d times
>>0x10 lelong x \b, %d frames long
>>0x14 byte >0 \b, data for controller(s):
>>>0x14 byte &0x1 #1
>>>0x14 byte &0x2 #2
>>>0x14 byte &0x4 #3
>>>0x14 byte &0x8 #4
>>>0x14 byte &0x10 #5
>>0x15 byte ^0x1 \b, begins from snapshot
>>0x15 byte &0x1 \b, begins from reset
>>0x15 byte ^0x2 \b, NTSC standard
>>0x15 byte &0x2 \b, PAL standard
>>0x17 byte &0x1 \b, settings:
# WIP1Timing not used as of version 4
>>>0x4 lelong <4
>>>>0x17 byte &0x2 WIP1Timing
>>>0x17 byte &0x4 Left+Right
>>>0x17 byte &0x8 VolumeEnvX
>>>0x17 byte &0x10 FakeMute
>>>0x17 byte &0x20 SyncSound
# New flag as of version 4
>>>0x4 lelong >3
>>>>0x17 byte &0x80 NoCPUShutdown
>>0x4 lelong <4
>>>0x18 lelong >0x23
>>>>0x20 leshort !0
>>>>>0x20 lestring16 x \b, metadata: "%s"
>>0x4 lelong >3
>>>0x24 byte >0 \b, port 1:
>>>>0x24 byte 1 joypad
>>>>0x24 byte 2 mouse
>>>>0x24 byte 3 SuperScope
>>>>0x24 byte 4 Justifier
>>>>0x24 byte 5 multitap
>>>0x24 byte >0 \b, port 2:
>>>>0x25 byte 1 joypad
>>>>0x25 byte 2 mouse
>>>>0x25 byte 3 SuperScope
>>>>0x25 byte 4 Justifier
>>>>0x25 byte 5 multitap
>>>0x18 lelong >0x43
>>>>0x40 leshort !0
>>>>>0x40 lestring16 x \b, metadata: "%s"
>>0x17 byte &0x40 \b, ROM:
>>>(0x18.l-26) lelong x CRC32 0x%08x
>>>(0x18.l-23) string x "%s"

# Type: scummVM savegame files
# From: Sven Hartge <debian@ds9.argh.org>
0 string SCVM ScummVM savegame
>12 string >\0 "%s"

#------------------------------------------------------------------------------
# Nintendo GameCube / Wii file formats.
#

# Type: Nintendo GameCube/Wii common disc header data.
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://wiibrew.org/wiki/Wii_Disc
0 name nintendo-gcn-disc-common
>0x20 string x "%.64s"
>0x00 string x (%.6s
>0x06 byte >0
>>0x06 byte 1 \b, Disc 2
>>0x06 byte 2 \b, Disc 3
>>0x06 byte 3 \b, Disc 4
>0x07 byte x \b, Rev.%02u)
>0x18 belong 0x5D1C9EA3
>>0x60 beshort 0x0101 \b (Unencrypted)
>0x200 string NKIT \b (NKit compressed)

# Type: Nintendo GameCube disc image
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://wiibrew.org/wiki/Wii_Disc
0x1C belong 0xC2339F3D Nintendo GameCube disc image:
!:mime application/x-gamecube-rom
>0 use nintendo-gcn-disc-common

# Type: Nintendo GameCube embedded disc image
# Commonly found on demo discs.
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: http://hitmen.c02.at/files/yagcd/yagcd/index.html#idx14.8
0 belong 0xAE0F38A2
>0x0C belong 0x00100000
>>(8.L+0x1C) belong 0xC2339F3D Nintendo GameCube embedded disc image:
!:mime application/x-gamecube-rom
>>>(8.L) use nintendo-gcn-disc-common

# Type: Nintendo Wii disc image
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://wiibrew.org/wiki/Wii_Disc
0x18 belong 0x5D1C9EA3 Nintendo Wii disc image:
>0 use nintendo-gcn-disc-common

# Type: Nintendo Wii disc image (WBFS format)
# From: David Korth <gerbilsoft@gerbilsoft.com>
# Reference: https://wiibrew.org/wiki/Wii_Disc
0 string WBFS
>0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format):
!:mime application/x-wii-rom
>>0x200 use nintendo-gcn-disc-common

# Type: Nintendo GameCube/Wii disc image (CISO format)
# NOTE: This is NOT the same as Compact ISO or PSP CISO,
# though it has the same magic number.
0 string CISO
# Other fields are used to
determine what type of CISO this is:# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size)# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size)# - None of the above: Compact ISO.>4 lelong 0x200000>>8 byte 1>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format):!:mime application/x-wii-rom>>>>0x8000 use nintendo-gcn-disc-common>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format):!:mime application/x-wii-rom>>>>0x8000 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (GCZ format)# Due to zlib compression, we can't get the actual disc information.0 lelong 0xB10BC001>4 lelong 0 Nintendo GameCube disc image (GCZ format)!:mime application/x-gamecube-rom>4 lelong 1 Nintendo Wii disc image (GCZ format)!:mime application/x-wii-rom>4 default x Nintendo GameCube/Wii disc image (GCZ format) # Type: Nintendo GameCube/Wii disc image (WDF format)0 string WII\001DISC>8 belong 1# WDFv1>>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format):!:mime application/x-gamecube-rom>>>0x38 use nintendo-gcn-disc-common>>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format):!:mime application/x-wii-rom>>>0x38 use nintendo-gcn-disc-common>8 belong 2# WDFv2>>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format):!:mime application/x-gamecube-rom>>>(12.L) use nintendo-gcn-disc-common>>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format):!:mime application/x-wii-rom>>>(12.L) use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (WIA format)0 string WIA\001 Nintendo>0x48 belong 1 GameCube!:mime application/x-gamecube-rom>0x48 belong 2 Wii!:mime application/x-wii-rom>0x48 default x GameCube/Wii>0x48 belong x disc image (WIA format):>>0x58 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (with SDK header)# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: https://wiibrew.org/wiki/Wii_Disc0 belong 0xFFFF0000>0x18 belong 0x00000000>>0x1C belong 
0x00000000>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii SDK disc image:!:mime application/x-wii-rom>>>>0x8000 use nintendo-gcn-disc-common>>>0x801C belong 0xC2339F3D Nintendo GameCube SDK disc image:!:mime application/x-gamecube-rom>>>>0x8000 use nintendo-gcn-disc-common #------------------------------------------------------------------------------# Nintendo 3DS file formats.# # Type: Nintendo 3DS "NCSD" image. (game cards and eMMC)# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: https://www.3dbrew.org/wiki/NCSD0x100 string NCSD>0x118 lequad 0 Nintendo 3DS Game Card image# NCCH header for partition 0. (game data)>>0x1150 string >\0 \b: "%.16s">>0x312 byte x (Rev.%02u)>>0x118C byte 2 (New3DS only)>>0x18D byte 0 (inner device)>>0x18D byte 1 (Card1)>>0x18D byte 2 (Card2)>>0x18D byte 3 (extended device)>0x118 bequad 0x0102020202000000 Nintendo 3DS eMMC dump (Old3DS)>0x118 bequad 0x0102020203000000 Nintendo 3DS eMMC dump (New3DS) # Nintendo 3DS version code.# Reference: https://www.3dbrew.org/wiki/Titles# Format: leshort containing three fields:# - 6-bit: Major# - 6-bit: Minor# - 4-bit: Revision# NOTE: Only supporting major/minor versions from 0-15 right now.# NOTE: Should be prefixed with "v".0 name nintendo-3ds-version-code# Raw version.>0 leshort x \b%u,# Major version.>0 leshort&0xFC00 0x0000 0>0 leshort&0xFC00 0x0400 1>0 leshort&0xFC00 0x0800 2>0 leshort&0xFC00 0x0C00 3>0 leshort&0xFC00 0x1000 4>0 leshort&0xFC00 0x1400 5>0 leshort&0xFC00 0x1800 6>0 leshort&0xFC00 0x1C00 7>0 leshort&0xFC00 0x2000 8>0 leshort&0xFC00 0x2400 9>0 leshort&0xFC00 0x2800 10>0 leshort&0xFC00 0x2C00 11>0 leshort&0xFC00 0x3000 12>0 leshort&0xFC00 0x3400 13>0 leshort&0xFC00 0x3800 14>0 leshort&0xFC00 0x3C00 15# Minor version.>0 leshort&0x03F0 0x0000 \b.0>0 leshort&0x03F0 0x0010 \b.1>0 leshort&0x03F0 0x0020 \b.2>0 leshort&0x03F0 0x0030 \b.3>0 leshort&0x03F0 0x0040 \b.4>0 leshort&0x03F0 0x0050 \b.5>0 leshort&0x03F0 0x0060 \b.6>0 leshort&0x03F0 0x0070 \b.7>0 leshort&0x03F0 0x0080 \b.8>0 
leshort&0x03F0 0x0090 \b.9>0 leshort&0x03F0 0x00A0 \b.10>0 leshort&0x03F0 0x00B0 \b.11>0 leshort&0x03F0 0x00C0 \b.12>0 leshort&0x03F0 0x00D0 \b.13>0 leshort&0x03F0 0x00E0 \b.14>0 leshort&0x03F0 0x00F0 \b.15# Revision.>0 leshort&0x000F x \b.%u # Type: Nintendo 3DS "NCCH" container.# https://www.3dbrew.org/wiki/NCCH0x100 string NCCH Nintendo 3DS>0x18D byte&2 0 File Archive (CFA)>0x18D byte&2 2 Executable Image (CXI)>0x150 string >\0 \b: "%.16s">0x18D byte 0x05>>0x10E leshort x (Old3DS System Update v>>0x10E use nintendo-3ds-version-code>>0x10E leshort x \b)>0x18D byte 0x15>>0x10E leshort x (New3DS System Update v>>0x10E use nintendo-3ds-version-code>>0x10E leshort x \b)>0x18D byte !0x05>>0x18D byte !0x15>>>0x112 byte x (v>>>0x112 use nintendo-3ds-version-code>>>0x112 byte x \b)>0x18C byte 2 (New3DS only) # Type: Nintendo 3DS "SMDH" file. (application description)# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: https://3dbrew.org/wiki/SMDH0 string SMDH Nintendo 3DS SMDH file>0x208 leshort !0>>0x208 lestring16 x \b: "%.128s">>0x388 leshort !0>>>0x388 lestring16 x by %.128s>0x208 leshort 0>>0x008 leshort !0>>>0x008 lestring16 x \b: "%.128s">>>0x188 leshort !0>>>>0x188 lestring16 x by %.128s # Type: Nintendo 3DS Homebrew Application.# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: https://3dbrew.org/wiki/3DSX_Format0 string 3DSX Nintendo 3DS Homebrew Application (3DSX) #------------------------------------------------------------------------------# a7800: file(1) magic for the Atari 7800 raw ROM format.# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: https://sites.google.com/site/atari7800wiki/a78-header 0 byte >0>0 byte <3>>1 string ATARI7800 Atari 7800 ROM image!:mime application/x-atari-7800-rom>>>0x11 string >\0 \b: "%.32s"# Display type.>>>0x39 byte 0 (NTSC)>>>0x39 byte 1 (PAL)>>>0x36 byte&1 1 (POKEY) #------------------------------------------------------------------------------# vectrex: file(1) magic for the GCE Vectrex raw ROM 
format.# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: http://www.playvectrex.com/designit/chrissalo/hello1.htm## NOTE: Title is terminated with 0x80, not 0.# The header is terminated with a 0, so that will# terminate the title as well.#0 string g\ GCE Vectrex ROM image>0x11 string >\0 \b: "%.16s" #------------------------------------------------------------------------------# amiibo: file(1) magic for Nintendo amiibo NFC dumps.# From: David Korth <gerbilsoft@gerbilsoft.com># Reference: https://www.3dbrew.org/wiki/Amiibo0x00 byte 0x04>0x0A beshort 0x0FE0>>0x0C belong 0xF110FFEE>>>0x208 beshort 0x0100>>>>0x020A byte 0x0F>>>>>0x020C bequad 0x000000045F000000>>>>>>0x5B byte 0x02>>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X->>>>>>>0x58 belong x \b%08X #------------------------------------------------------------------------------# Type: Nintendo Switch XCI (Game Cartridge Image)# From: Benjamin Lowry <ben@ben.gmbh># Reference: https://switchbrew.org/wiki/Gamecard_Format0x100 string HEAD>0x10D byte 0xFA Nintendo Switch cartridge image (XCI), 1GB>0x10D byte 0xF8 Nintendo Switch cartridge image (XCI), 2GB>0x10D byte 0xF0 Nintendo Switch cartridge image (XCI), 4GB>0x10D byte 0xE0 Nintendo Switch cartridge image (XCI), 8GB>0x10D byte 0xE1 Nintendo Switch cartridge image (XCI), 16GB>0x10D byte 0xE2 Nintendo Switch cartridge image (XCI), 32GB #------------------------------------------------------------------------------# Type: Nintendo Switch Executable# From: Benjamin Lowry <ben@ben.gmbh># Reference: https://switchbrew.org/wiki/NSO0x00 string NSO0 Nintendo Switch executable (NSO) #------------------------------------------------------------------------------# Type: Nintendo Switch PFS0# From: Benjamin Lowry <ben@ben.gmbh># Reference: https://switchbrew.org/wiki/NCA_Format#PFS00x00 string PFS0 Nintendo Switch partition filesystem (PFS0)>0x04 ulelong x \b, %d files #------------------------------------------------------------------------------# 
amiibo: file(1) magic for Nintendo Badge Arcade files.# From: David Korth <gerbilsoft@gerbilsoft.com># References:# - https://github.com/GerbilSoft/rom-properties/issues/92# - https://github.com/CaitSith2/BadgeArcadeTool# - https://github.com/TheMachinumps/Advanced-badge-editor # PRBS: Individual badge and/or mega badge.0 string PRBS>0x44 byte >0x20 Nintendo Badge Arcade>>0xB8 ulelong <2>>>0xBC ulelong <2 badge:>>>0xBC ulelong >1 Mega Badge>>>>0xB8 ulelong x (%ux>>>>0xBC ulelong x \b%u):>>0xB8 ulelong >1 Mega Badge>>>0xB8 ulelong x (%ux>>>0xBC ulelong x \b%u):>0x44 string x "%s">0x3C ulelong x \b, badge ID: %u>0x74 byte >0x20>>0x74 string x \b, set: "%s">0xA8 ulelong !0xFFFFFFFF>>0xA8 ulelong x \b, launch title ID: %08X>>0xA4 ulelong x \b-%08X # CABS: Badge set.0 string CABS>0x2C byte >0x20 Nintendo Badge Arcade badge set:>>0x2C string x "%.48s">>0x24 ulelong x \b, set ID: %u #------------------------------------------------------------------------------# $File: convex,v 1.8 2012/10/03 23:44:43 christos Exp $# convex: file(1) magic for Convex boxes## Convexes are big-endian.## /*\# * Below are the magic numbers and tests added for Convex.# * Added at beginning, because they are expected to be used most.# \*/0 belong 0507 Convex old-style object>16 belong >0 not stripped0 belong 0513 Convex old-style demand paged executable>16 belong >0 not stripped0 belong 0515 Convex old-style pre-paged executable>16 belong >0 not stripped0 belong 0517 Convex old-style pre-paged, non-swapped executable>16 belong >0 not stripped0 belong 0x011257 Core file## The following are a series of dump format magic numbers. Each one# corresponds to a drastically different dump format. The first on is# the original dump format on a 4.1 BSD or earlier file system. The# second marks the change between the 4.1 file system and the 4.2 file# system. The Third marks the changing of the block size from 1K# to 2K to be compatible with an IDC file system. 
The fourth indicates# a dump that is dependent on Convex Storage Manager, because data in# secondary storage is not physically contained within the dump.# The restore program uses these number to determine how the data is# to be extracted.#24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible)24 belong =60014 dump format, Convex Storage Manager by-reference dump## what follows is a bunch of bit-mask checks on the flags field of the opthdr.# If there is no `=' sign, assume just checking for whether the bit is set?#0 belong 0601 Convex SOFF>88 belong&0x000f0000 =0x00000000 c1>88 belong &0x00010000 c2>88 belong &0x00020000 c2mp>88 belong &0x00040000 parallel>88 belong &0x00080000 intrinsic>88 belong &0x00000001 demand paged>88 belong &0x00000002 pre-paged>88 belong &0x00000004 non-swapped>88 belong &0x00000008 POSIX#>84 belong &0x80000000 executable>84 belong &0x40000000 object>84 belong&0x20000000 =0 not stripped>84 belong&0x18000000 =0x00000000 native fpmode>84 belong&0x18000000 =0x10000000 ieee fpmode>84 belong&0x18000000 =0x18000000 undefined fpmode#0 belong 0605 Convex SOFF core#0 belong 0607 Convex SOFF checkpoint>88 belong&0x000f0000 =0x00000000 c1>88 belong &0x00010000 c2>88 belong &0x00020000 c2mp>88 belong &0x00040000 parallel>88 belong &0x00080000 intrinsic>88 belong &0x00000008 POSIX#>84 belong&0x18000000 =0x00000000 native fpmode>84 belong&0x18000000 =0x10000000 ieee fpmode>84 belong&0x18000000 =0x18000000 undefined fpmode #------------------------------------------------------------------------------# $File: coverage,v 1.2 2019/04/19 00:42:27 christos Exp $# xoverage: file(1) magic for test coverage data # File formats used to store test coverage data# 2016-05-21, Georg Sauthoff <mail@georg.so> # - GCC gcno - written by GCC at compile time when compiling with# gcc -ftest-coverage# - GCC gcda - written by a program that was compiled with# gcc -fprofile-arcs# - LLVM raw profiles - generated by a program compiled with# clang -fprofile-instr-generate 
-fcoverage-mapping ...# - LLVM indexed profiles - generated by# llvm-profdata# - GCOV reports, i.e. the annotated source code# - LCOV trace files, i.e. aggregated GCC profiles## GCC coverage tracefiles# .gcno file are created during compile time,# while data collected during runtime is stored in .gcda files# cf. gcov-io.h# https://gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc/Gcov-Data-Files.html# Examples:# Fedora 23/x86-64/gcc-5.3.1: 6f 6e 63 67 52 33 30 35# Debian 8 PPC64/gcc-4.9.2 : 67 63 6e 6f 34 30 39 2a0 lelong 0x67636e6f GCC gcno coverage (-ftest-coverage),>&3 byte x version %c.>&1 byte x \b%c # big endian0 belong 0x67636e6f GCC gcno coverage (-ftest-coverage),>&0 byte x version %c.>&2 byte x \b%c (big-endian) # Examples:# Fedora 23/x86-64/gcc-5.3.1: 61 64 63 67 52 33 30 35# Debian 8 PPC64/gcc-4.9.2 : 67 63 64 61 34 30 39 2a0 lelong 0x67636461 GCC gcda coverage (-fprofile-arcs),>&3 byte x version %c.>&1 byte x \b%c # big endian0 belong 0x67636461 GCC gcda coverage (-fprofile-arcs),>&0 byte x version %c.>&2 byte x \b%c (big-endian) # LCOV tracefiles# cf. http://ltp.sourceforge.net/coverage/lcov/geninfo.1.php0 string TN:>&0 search/64 \nSF:/ LCOV coverage tracefile # Coverage reports generated by gcov# i.e. source code annoted with coverage information0 string \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source:>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph:>>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data: GCOV coverage report # LLVM coverage files # raw data after running a program compiled with:# `clang -fprofile-instr-generate -fcoverage-mapping ...`# default name: default.profraw# magic is: \xFF lprofr \x81# cf. 
https://llvm.org/docs/doxygen/html/InstrProfData_8inc_source.html0 lequad 0xff6c70726f667281 LLVM raw profile data,>&0 byte x version %d # big endian0 bequad 0xff6c70726f667281 LLVM raw profile data,>&7 byte x version %d (big-endian) # LLVM indexed instruction profile (as generated by llvm-profdata)# magic is: reverse(\xFF lprofi \x81)# cf. https://llvm.org/docs/CoverageMappingFormat.html# https://llvm.org/docs/doxygen/html/namespacellvm_1_1IndexedInstrProf.html# https://llvm.org/docs/CommandGuide/llvm-cov.html# https://llvm.org/docs/CommandGuide/llvm-profdata.html0 lequad 0x8169666f72706cff LLVM indexed profile data,>&0 byte x version %d # big endian0 bequad 0x8169666f72706cff LLVM indexed profile data,>&7 byte x version %d (big-endian) #------------------------------------------------------------------------------# $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $# cracklib: file (1) magic for cracklib v2.7 0 lelong 0x70775631 Cracklib password index, little endian>4 long >0 (%i words)>4 long 0 ("64-bit")>>8 long >-1 (%i words)0 belong 0x70775631 Cracklib password index, big endian>4 belong >-1 (%i words)# really bellong 0x00000000707756310 search/1 \0\0\0\0pwV1 Cracklib password index, big endian ("64-bit")>12 belong >0 (%i words) # ----------------------------------------------------------------------------# $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $# ctags: file (1) magic for Exuberant Ctags files# From: Alexander Mai <mai@migdal.ikp.physik.tu-darmstadt.de>0 search/1 =!_TAG Exuberant Ctags tag file text #--------------------------------------------------------------# ctf: file(1) magic for CTF (Common Trace Format) trace files## Specs. 
available here: <https://www.efficios.com/ctf>#-------------------------------------------------------------- # CTF trace data0 lelong 0xc1fc1fc1 Common Trace Format (CTF) trace data (LE)0 belong 0xc1fc1fc1 Common Trace Format (CTF) trace data (BE) # CTF metadata (packetized)0 lelong 0x75d11d57 Common Trace Format (CTF) packetized metadata (LE)>35 byte x \b, v%d>36 byte x \b.%d0 belong 0x75d11d57 Common Trace Format (CTF) packetized metadata (BE)>35 byte x \b, v%d>36 byte x \b.%d # CTF metadata (plain text)0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata!:strength + 5 # this is to make sure we beat C>&0 regex [0-9]+\.[0-9]+ \b, v%s #------------------------------------------------------------------------------# $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $# file(1) magic(5) data for cubemaps Martin Erik Werner <martinerikwerner@gmail.com>#0 string ACMP Map file for the AssaultCube FPS game0 string CUBE Map file for cube and cube2 engine games0 string MAPZ) Map file for the Blood Frontier/Red Eclipse FPS games #------------------------------------------------------------------------------# $File: cups,v 1.6 2019/04/19 00:42:27 christos Exp $# Cups: file(1) magic for the cups raster file format# From: Laurent Martelli <martellilaurent@gmail.com># https://www.cups.org/documentation.php/spec-raster.html# 0 name cups-le>280 lelong x \b, %d>284 lelong x \bx%d dpi>376 lelong x \b, %dx>380 lelong x \b%d pixels>388 lelong x %d bits/color>392 lelong x %d bits/pixel>400 lelong 0 ColorOrder=Chunky>400 lelong 1 ColorOrder=Banded>400 lelong 2 ColorOrder=Planar>404 lelong 0 ColorSpace=gray>404 lelong 1 ColorSpace=RGB>404 lelong 2 ColorSpace=RGBA>404 lelong 3 ColorSpace=black>404 lelong 4 ColorSpace=CMY>404 lelong 5 ColorSpace=YMC>404 lelong 6 ColorSpace=CMYK>404 lelong 7 ColorSpace=YMCK>404 lelong 8 ColorSpace=KCMY>404 lelong 9 ColorSpace=KCMYcm>404 lelong 10 ColorSpace=GMCK>404 lelong 11 ColorSpace=GMCS>404 lelong 12 ColorSpace=WHITE>404 lelong 13 
ColorSpace=GOLD>404 lelong 14 ColorSpace=SILVER>404 lelong 15 ColorSpace=CIE XYZ>404 lelong 16 ColorSpace=CIE Lab>404 lelong 17 ColorSpace=RGBW>404 lelong 18 ColorSpace=sGray>404 lelong 19 ColorSpace=sRGB>404 lelong 20 ColorSpace=AdobeRGB # Cups Raster image format, Big Endian0 string RaS>3 string t Cups Raster version 1, Big Endian>3 string 2 Cups Raster version 2, Big Endian>3 string 3 Cups Raster version 3, Big Endian!:mime application/vnd.cups-raster>0 use \^cups-le # Cups Raster image format, Little Endian1 string SaR>0 string t Cups Raster version 1, Little Endian>0 string 2 Cups Raster version 2, Little Endian>0 string 3 Cups Raster version 3, Little Endian!:mime application/vnd.cups-raster>0 use cups-le #------------------------------------------------------------------------------# $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $# dact: file(1) magic for DACT compressed files#0 long 0x444354C3 DACT compressed data>4 byte >-1 (version %i.>5 byte >-1 $BS%i.>6 byte >-1 $BS%i)>7 long >0 $BS, original size: %i bytes>15 long >30 $BS, block size: %i bytes #------------------------------------------------------------------------------# $File: database,v 1.59 2020/03/25 01:49:58 christos Exp $# database: file(1) magic for various databases## extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)### GDBM magic numbers# Will be maintained as part of the GDBM distribution in the future.# <downsj@teeny.org>0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit!:mime application/x-gdbm0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old!:mime application/x-gdbm0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit!:mime application/x-gdbm0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit!:mime application/x-gdbm0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old!:mime application/x-gdbm0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit!:mime 
application/x-gdbm0 string GDBM GNU dbm 2.x database!:mime application/x-gdbm## Berkeley DB## Ian Darwin's file /etc/magic files: big/little-endian version.## Hash 1.85/1.86 databases store metadata in network byte order.# Btree 1.85/1.86 databases store the metadata in host byte order.# Hash and Btree 2.X and later databases store the metadata in host byte order. 0 long 0x00061561 Berkeley DB!:mime application/x-dbm>8 belong 4321>>4 belong >2 1.86>>4 belong <3 1.85>>4 belong >0 (Hash, version %d, native byte-order)>8 belong 1234>>4 belong >2 1.86>>4 belong <3 1.85>>4 belong >0 (Hash, version %d, little-endian) 0 belong 0x00061561 Berkeley DB>8 belong 4321>>4 belong >2 1.86>>4 belong <3 1.85>>4 belong >0 (Hash, version %d, big-endian)>8 belong 1234>>4 belong >2 1.86>>4 belong <3 1.85>>4 belong >0 (Hash, version %d, native byte-order) 0 long 0x00053162 Berkeley DB 1.85/1.86>4 long >0 (Btree, version %d, native byte-order)0 belong 0x00053162 Berkeley DB 1.85/1.86>4 belong >0 (Btree, version %d, big-endian)0 lelong 0x00053162 Berkeley DB 1.85/1.86>4 lelong >0 (Btree, version %d, little-endian) 12 long 0x00061561 Berkeley DB>16 long >0 (Hash, version %d, native byte-order)12 belong 0x00061561 Berkeley DB>16 belong >0 (Hash, version %d, big-endian)12 lelong 0x00061561 Berkeley DB>16 lelong >0 (Hash, version %d, little-endian) 12 long 0x00053162 Berkeley DB>16 long >0 (Btree, version %d, native byte-order)12 belong 0x00053162 Berkeley DB>16 belong >0 (Btree, version %d, big-endian)12 lelong 0x00053162 Berkeley DB>16 lelong >0 (Btree, version %d, little-endian) 12 long 0x00042253 Berkeley DB>16 long >0 (Queue, version %d, native byte-order)12 belong 0x00042253 Berkeley DB>16 belong >0 (Queue, version %d, big-endian)12 lelong 0x00042253 Berkeley DB>16 lelong >0 (Queue, version %d, little-endian) # From Max Bowsher.12 long 0x00040988 Berkeley DB>16 long >0 (Log, version %d, native byte-order)12 belong 0x00040988 Berkeley DB>16 belong >0 (Log, version %d, big-endian)12 
lelong 0x00040988 Berkeley DB>16 lelong >0 (Log, version %d, little-endian) ### Round Robin Database Tool by Tobias Oetiker <oetiker@ee.ethz.ch>0 string/b RRD\0 RRDTool DB>4 string/b x version %s >>10 short !0 16bit aligned>>>10 bedouble 8.642135e+130 big-endian>>>>18 short x 32bit long (m68k) >>10 short 0>>>12 long !0 32bit aligned>>>>12 bedouble 8.642135e+130 big-endian>>>>>20 long 0 64bit long>>>>>20 long !0 32bit long>>>>12 ledouble 8.642135e+130 little-endian>>>>>24 long 0 64bit long>>>>>24 long !0 32bit long (i386)>>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian>>>>>24 short !0 32bit long (arm) >>8 quad 0 64bit aligned>>>16 bedouble 8.642135e+130 big-endian>>>>24 long 0 64bit long (s390x)>>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC)>>>16 ledouble 8.642135e+130 little-endian>>>>28 long 0 64bit long (alpha/amd64/ia64)>>>>28 long !0 32bit long (armel/mipsel) #----------------------------------------------------------------------# ROOT: file(1) magic for ROOT databases#0 string root\0 ROOT file>4 belong x Version %d>33 belong x (Compression: %d) # XXX: Weak magic.# Alex Ott <ott@jet.msk.su>## Paradox file formats#2 leshort 0x0800 Paradox#>0x39 byte 3 v. 3.0#>0x39 byte 4 v. 3.5#>0x39 byte 9 v. 4.x#>0x39 byte 10 v. 5.x#>0x39 byte 11 v. 5.x#>0x39 byte 12 v. 
7.x#>>0x04 byte 0 indexed .DB data file#>>0x04 byte 1 primary index .PX file#>>0x04 byte 2 non-indexed .DB data file#>>0x04 byte 3 non-incrementing secondary index .Xnn file#>>0x04 byte 4 secondary index .Ynn file#>>0x04 byte 5 incrementing secondary index .Xnn file#>>0x04 byte 6 non-incrementing secondary index .XGn file#>>0x04 byte 7 secondary index .YGn file#>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files# updated by Joerg Jenderek at Feb 2013# https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm# https://www.clicketyclick.dk/databases/xbase/format/dbf.html# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 310 ubelong&0x0000FFFF <0x00000C20# skip Infocom game Z-machine>2 ubyte >0# skip Androids *.xml>>3 ubyte >0>>>3 ubyte <32# 1 < version VV>>>>0 ubyte >1# skip HELP.CA3 by test for reserved byte ( NULL )>>>>>27 ubyte 0# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)#>>>>>30 ubeshort x 30NULL?%x# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)>>>>>>24 ubelong&0xffFFFFff >0x01302000# .DBF or .MDX>>>>>>24 ubelong&0xffFFFFff <0x01302001# for Xbase Database file (*.DBF) reserved (NULL) for multi-user>>>>>>>24 ubelong&0xffFFFFff =0# test for 2 reserved NULL bytes,transaction and encryption byte flag>>>>>>>>12 ubelong&0xFFFFfEfE 0# test for MDX flag>>>>>>>>>28 ubyte x>>>>>>>>>28 ubyte&0xf8 0# header size >= 32>>>>>>>>>>8 uleshort >31# skip PIC15736.PCX by test for language driver name or field name>>>>>>>>>>>32 ubyte >0#!:mime application/x-dbf; charset=unknown-8bit ??#!:mime application/x-dbase>>>>>>>>>>>>0 use xbase-type# database file>>>>>>>>>>>>0 ubyte x \b DBF>>>>>>>>>>>>4 lelong 0 \b, no records>>>>>>>>>>>>4 lelong >0 \b, %d record# plural s appended>>>>>>>>>>>>>4 lelong >1 \bs# https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF# 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000)>>>>>>>>>>>>10 uleshort x * %d# file size = 
records * record size + header size>>>>>>>>>>>>1 ubyte x \b, update-date>>>>>>>>>>>>1 use xbase-date# https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx#>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=0x%x# 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ?>>>>>>>>>>>>29 ubyte >0 \b, codepage ID=0x%x#>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file>>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer# 1st record offset + 1 = header size>>>>>>>>>>>>8 uleshort >0>>>>>>>>>>>>(8.s+1) ubyte >0>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d>>>>>>>>>>>>>(8.s+1) ubyte >0>>>>>>>>>>>>>>&-1 string >\0 1st record "%s"# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)>>>>>>>24 ubelong&0x0133f7ff >0# test for reserved NULL byte>>>>>>>>47 ubyte 0# test for valid TAG key format (0x10 or 0)>>>>>>>>>559 ubyte&0xeF 0# test MM <= 12>>>>>>>>>>45 ubeshort <0x0C20>>>>>>>>>>>45 ubyte >0>>>>>>>>>>>>46 ubyte <32>>>>>>>>>>>>>46 ubyte >0#!:mime application/x-mdx>>>>>>>>>>>>>>0 use xbase-type>>>>>>>>>>>>>>0 ubyte x \b MDX>>>>>>>>>>>>>>1 ubyte x \b, creation-date>>>>>>>>>>>>>>1 use xbase-date>>>>>>>>>>>>>>44 ubyte x \b, update-date>>>>>>>>>>>>>>44 use xbase-date# No.of tags in use (1,2,5,12)>>>>>>>>>>>>>>28 uleshort x \b, %d# No. 
of entries in tag (0x30)
>>>>>>>>>>>>>>25 ubyte x \b/%d tags
# Length of tag
>>>>>>>>>>>>>>26 ubyte x * %d
# 1st tag name_
>>>>>>>>>>>>>548 string x \b, 1st tag "%.11s"
# 2nd tag name
#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s"
#
# Print the xBase names of different version variants
0 name xbase-type
>0 ubyte <2
# 1 < version
>0 ubyte >1
>>0 ubyte 0x02 FoxBase
# FoxBase+/dBaseIII+, no memo
>>0 ubyte 0x03 FoxBase+/dBase III
!:mime application/x-dbf
# dBASE IV no memo file
>>0 ubyte 0x04 dBase IV
!:mime application/x-dbf
# dBASE V no memo file
>>0 ubyte 0x05 dBase V
!:mime application/x-dbf
>>0 ubyte 0x30 Visual FoxPro
!:mime application/x-dbf
>>0 ubyte 0x31 Visual FoxPro, autoincrement
!:mime application/x-dbf
# Visual FoxPro, with field type Varchar or Varbinary
>>0 ubyte 0x32 Visual FoxPro, with field type Varchar
!:mime application/x-dbf
# dBASE IV SQL, no memo;dbv memo var size (Flagship)
>>0 ubyte 0x43 dBase IV, with SQL table
!:mime application/x-dbf
# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
#>>0 ubyte 0x62 dBase IV, with SQL table
#!:mime application/x-dbf
# dBASE IV, with memo!!
>>0 ubyte 0x7b dBase IV, with memo
!:mime application/x-dbf
# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
#>>0 ubyte 0x82 dBase IV, with SQL system
#!:mime application/x-dbf
# FoxBase+/dBaseIII+ with memo .DBT!
>>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT
!:mime application/x-dbf
# VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file
>>0 ubyte 0x87 VISUAL OBJECTS, with memo file
!:mime application/x-dbf
# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
#>>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT
#!:mime application/x-dbf
# dBASE IV with memo!
>>0 ubyte 0x8B dBase IV, with memo .DBT
!:mime application/x-dbf
# dBase IV with SQL Table,no memo?
>>0 ubyte 0x8E dBase IV, with SQL table
!:mime application/x-dbf
# .dbv and .dbt memo (Flagship)?
>>0 ubyte 0xB3 Flagship
# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
#>>0 ubyte 0xCA dBase IV with memo .DBT
#!:mime application/x-dbf
# dBASE IV with SQL table, with memo .DBT
>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT
!:mime application/x-dbf
# HiPer-Six format;Clipper SIX, with SMT memo file
>>0 ubyte 0xE5 Clipper SIX with memo
!:mime application/x-dbf
# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
#>>0 ubyte 0xF4 dBase IV, with SQL table, with memo
#!:mime application/x-dbf
>>0 ubyte 0xF5 FoxPro with memo
!:mime application/x-dbf
# https://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
#>>0 ubyte 0xFA FoxPro 2.x, with memo
#!:mime application/x-dbf
# unknown version (should not happen)
>>0 default x xBase
!:mime application/x-dbf
>>>0 ubyte x (0x%x)
# flags in version byte
# DBT flag (with dBASE III memo .DBT)!!
# >>0 ubyte&0x80 >0 DBT_FLAG=%x
# memo flag ??
# >>0 ubyte&0x08 >0 MEMO_FLAG=%x
# SQL flag ??
# >>0 ubyte&0x70 >0 SQL_FLAG=%x
# test and print the date of xBase .DBF .MDX
0 name xbase-date
# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
>0 ubelong x
>1 ubyte <13
>>1 ubyte >0
>>>2 ubyte >0
>>>>2 ubyte <32
>>>>>0 ubyte x
# YY is interpreted as 20YY or 19YY
>>>>>>0 ubyte <100 \b %.2d
# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
>>>>>>0 ubyte >99 \b %d
>>>>>1 ubyte x \b-%d
>>>>>2 ubyte x \b-%d

# dBase memo files .DBT or .FPT
# https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
16 ubyte <4
>16 ubyte !2
>>16 ubyte !1
# next free block index is positive
>>>0 ulelong >0
# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
>>>>17 ubelong&0xFFfdFEff 0x00000000
# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
>>>>>20 ubelong&0xFF01209B 0x00000000
# dBASE III
>>>>>>16 ubyte 3
# dBASE III DBT
>>>>>>>0 use dbase3-memo-print
# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
>>>>>>16 ubyte 0
# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF
>>>>>>>20 uleshort 0
# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
>>>>>>>>8 ulong =0
>>>>>>>>>6 ubeshort >0
# skip emacs.PIF
>>>>>>>>>>4 ushort 0
# check for valid FoxPro field type
>>>>>>>>>>>512 ubelong <3
>>>>>>>>>>>>0 use foxpro-memo-print
# dBASE III DBT , garbage
# skip WORD1XW.DOC with improbably high free block index
>>>>>>>>>0 ulelong <0x400000
# skip WinStore.App.exe by looking for printable 2nd character of 1st memo item
>>>>>>>>>>513 ubyte >037
# unusual dBASE III DBT like adressen.dbt
>>>>>>>>>>>0 use dbase3-memo-print
# dBASE III DBT like angest.dbt, or garbage PCX DBF
>>>>>>>>8 ubelong !0
# skip PCX and some DBF by test for for reserved NULL bytes
>>>>>>>>>510 ubeshort 0
# skip bad symples with improbably high free block index above 2 GiB file limit
>>>>>>>>>>0 ulelong <0x400000
# skip AI070GEP.EPS by printable 1st character of 1st memo item
>>>>>>>>>>>512 ubyte >037
# skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character
>>>>>>>>>>>>513 ubyte >037
>>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE IV DBT with positive block size
>>>>>>>20 uleshort >0
# dBASE IV DBT with valid block length like 512, 1024
# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
# skip also 3600h 3E00h size
>>>>>>>>20 uleshort&0xE00f 0
>>>>>>>>>0 use dbase4-memo-print

# Print the information of dBase III DBT memo file
0 name dbase3-memo-print
>0 ubyte x dBase III DBT
!:mime application/x-dbt
!:ext dbt
# instead 3 as version number 0 for unusual examples like biblio.dbt
>16 ubyte !3 \b, version number %u
# Number of next available block for appending data
#>0 lelong =0 \b, next free block index %u
>0 lelong !0 \b, next free block index %u
# no positiv block length
#>20 uleshort =0 \b, block length %u
>20 uleshort !0 \b, block length %u
# dBase III memo field terminated by \032\032
>512 string >\0 \b, 1st item "%s"
# https://www.clicketyclick.dk/databases/xbase/format/dbt.html
# Print the information of dBase IV DBT memo file
0 name dbase4-memo-print
>0 lelong x dBase IV DBT
!:mime application/x-dbt
!:ext dbt
# 8 character shorted main name of coresponding dBASE IV DBF file
>8 ubelong >0x20000000
# skip unusual like for angest.dbt
>>20 uleshort >0
>>>8 string >\0 \b of %-.8s.DBF
# value 0 implies 512 as size
#>4 ulelong =0 \b, blocks size %u
# size of blocks not reliable like 0x2020204C in angest.dbt
>4 ulelong !0
>>4 ulelong&0x0000003f 0 \b, blocks size %u
# dBase IV DBT with positive block length (found 512 , 1024)
>20 uleshort >0 \b, block length %u
# next available block
#>0 lelong =0 \b, next free block index %u
>0 lelong !0 \b, next free block index %u
>20 uleshort >0
>>(20.s) ubelong x
>>>&-4 use dbase4-memofield-print
# unusual dBase IV DBT without block length (implies 512 as length)
>20 uleshort =0
>>512 ubelong x
>>>&-4 use dbase4-memofield-print
# Print the information of dBase IV memo field
0 name dbase4-memofield-print
# free dBase IV memo field
>0 ubelong !0xFFFF0800
>>0 lelong x \b, next free block %u
>>4 lelong x \b, next used block %u
# used dBase IV memo field
>0 ubelong =0xFFFF0800
# length of memo field
>>4 lelong x \b, field length %d
>>>8 string >\0 \b, 1st used item "%s"
# http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm
# Print the information of FoxPro FPT memo file
0 name foxpro-memo-print
>0 belong x FoxPro FPT
!:mime application/x-fpt
!:ext fpt
# Size of blocks for FoxPro ( 64,256 )
>6 ubeshort x \b, blocks size %u
# next available block
#>0 belong =0 \b, next free block index %u
>0 belong !0 \b, next free block index %u
# field type ( 0~picture, 1~memo, 2~object )
>512 ubelong <3 \b, field type %u
# length of memo field
>512 ubelong 1
>>516 belong >0 \b, field length %d
>>>520 string >\0 \b, 1st item "%s"

# TODO:
# DBASE index file *.NDX
# DBASE Compound Index file *.CDX
# dBASE IV Printer Driver *.PRF
## End of XBase database stuff

# MS Access database
4 string Standard\ Jet\ DB Microsoft Access Database
!:mime application/x-msaccess
4 string Standard\ ACE\ DB Microsoft Access Database
!:mime application/x-msaccess

# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine
# Reference: https://github.com/libyal/libesedb/archive/master.zip
# libesedb-master/documentation/
# Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
# Note: also known as "JET Blue". Used by numerous Windows components such as
# Windows Search, Mail, Exchange and Active Directory.
4 ubelong 0xefcdab89
# unknown1
>132 ubelong 0 Extensible storage engine
!:mime application/x-ms-ese
# file_type 0~database 1~stream
>>12 ulelong 0 DataBase
# Security DataBase (sdb)
!:ext edb/sdb
>>12 ulelong 1 STreaMing
!:ext stm
# format_version 620h
>>8 uleshort x \b, version 0x%x
>>10 uleshort >0 revision 0x%4.4x
>>0 ubelong x \b, checksum 0x%8.8x
# Page size 4096 8192 32768
>>236 ulequad x \b, page size %lld
# database_state
>>52 ulelong 1 \b, JustCreated
>>52 ulelong 2 \b, DirtyShutdown
#>>52 ulelong 3 \b, CleanShutdown
>>52 ulelong 4 \b, BeingConverted
>>52 ulelong 5 \b, ForceDetach
# Windows NT major version when the databases indexes were updated.
>>216 ulelong x \b, Windows version %d
# Windows NT minor version
>>220 ulelong x \b.%d

# From: Joerg Jenderek
# URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility
# Note: files contain application compatibility fixes, application compatibility modes and application help messages.
8 string sdbf
>7 ubyte 0
# TAG_TYPE_LIST+TAG_INDEXES
>>12 uleshort 0x7802 Windows application compatibility Shim DataBase
# version? 2 3
#>>>0 ulelong x \b, version %d
!:mime application/x-ms-sdb
!:ext sdb

# TDB database from Samba et al - Martin Pool <mbp@samba.org>
0 string TDB\ file TDB database
>32 lelong 0x2601196D version 6, little-endian
>>36 lelong x hash size %d bytes

# SE Linux policy database
0 lelong 0xf97cff8c SE Linux policy
>16 lelong x v%d
>20 lelong 1 MLS
>24 lelong x %d symbols
>28 lelong x %d ocons

# ICE authority file data (Wolfram Kleff)
2 string ICE ICE authority data

# X11 Xauthority file (Wolfram Kleff)
10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data

# From: Maxime Henrion <mux@FreeBSD.org>
# PostgreSQL's custom dump format, Maxime Henrion <mux@FreeBSD.org>
0 string PGDMP PostgreSQL custom database dump
>5 byte x - v%d
>6 byte x \b.%d
>5 beshort <0x101 \b-0
>5 beshort >0x100
>>7 byte x \b-%d

# Type: Advanced Data Format (ADF) database
# URL: https://www.grc.nasa.gov/WWW/cgns/adf/
# From: Nicolas Chauvat <nicolas.chauvat@logilab.fr>
0 string @(#)ADF\ Database CGNS Advanced Data Format

# Tokyo Cabinet magic data
# http://tokyocabinet.sourceforge.net/index.html
0 string ToKyO\ CaBiNeT\n Tokyo Cabinet
>14 string x \b (%s)
>32 byte 0 \b, Hash
!:mime application/x-tokyocabinet-hash
>32 byte 1 \b, B+ tree
!:mime application/x-tokyocabinet-btree
>32 byte 2 \b, Fixed-length
!:mime application/x-tokyocabinet-fixed
>32 byte 3 \b, Table
!:mime application/x-tokyocabinet-table
>33 byte &1 \b, [open]
>33 byte &2 \b, [fatal]
>34 byte x \b, apow=%d
>35 byte x \b, fpow=%d
>36 byte &0x01 \b, [large]
>36 byte &0x02 \b, [deflate]
>36 byte &0x04 \b, [bzip]
>36 byte &0x08 \b, [tcbs]
>36 byte &0x10 \b, [excodec]
>40 lequad x \b, bnum=%lld
>48 lequad x \b, rnum=%lld
>56 lequad x \b, fsiz=%lld

# Type: QDBM Quick Database Manager
# From: Benoit Sibaud <bsibaud@april.org>
0 string \\[depot\\]\n\f Quick Database Manager, little endian
0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian

# Type: TokyoCabinet database
# URL: http://tokyocabinet.sourceforge.net/
# From: Benoit Sibaud <bsibaud@april.org>
0 string ToKyO\ CaBiNeT\n TokyoCabinet database
>14 string x (version %s)

# From: Stephane Blondon https://www.yaal.fr
# Database file for Zope (done by FileStorage)
0 string FS21 Zope Object Database File Storage v3 (data)
0 string FS30 Zope Object Database File Storage v4 (data)

# Cache file for the database of Zope (done by ClientStorage)
0 string ZEC3 Zope Object Database Client Cache File (data)

# IDA (Interactive Disassembler) database
0 string IDA1 IDA (Interactive Disassembler) database

# Hopper (reverse engineering tool) https://www.hopperapp.com/
0 string hopperdb Hopper database

# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine)
# Reference: http://www.provue.com/Panorama/
# From: Joerg Jenderek
# NOTE: test only versions 4 and 6.0 with Windows
# length of Panorama database name
5 ubyte >0
# look after database name for "some" null bits
>(5.B+7) ubelong&0xF3ffF000 0
# look for first keyword
>>&1 search/2 DESIGN Panorama database
#!:mime application/x-panorama-database
!:apple KASXZEPD
!:ext pan
# database name
>>>5 pstring x \b, "%s"

### askSam Database by Stefan A. Haubenthal <polluks@web.de>
0 string askw40\0 askSam DB

### MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
0 string MBSTV\040 MUIbase DB
>6 string x version %s

## CDB database
0 string NBCDB\012 NetBSD Constant Database
>7 byte x \b, version %d
>8 string x \b, for '%s'
>24 lelong x \b, datasize %d
>28 lelong x \b, entries %d
>32 lelong x \b, index %d
>36 lelong x \b, seed %#x

## Redis RDB - https://redis.io/topics/persistence
0 string REDIS Redis RDB file,
>5 regex [0-9][0-9][0-9][0-9] version %s

# Mork database.
# Used by older versions of Mozilla Suite and Firefox,
# and current versions of Thunderbird.
# From: David Korth <gerbilsoft@gerbilsoft.com>
0 string //\ <!--\ <mdb:mork:z\ v=" Mozilla Mork database
>23 string x \b, version %.3s

# URL: https://en.wikipedia.org/wiki/Management_Information_Format
# Reference: https://www.dmtf.org/sites/default/files/standards/documents/DSP0005.pdf
# From: Joerg Jenderek
# Note: only tested with monitor asset reports of Dell Display Manager
# skip start like Language=fr|CA|iso8859-1
0 search/27/C Start\040Component DMI Management Information Format
#!:mime text/plain
!:mime text/x-dmtf-mif
!:ext mif

#------------------------------------------------------------------------------
# $File: dataone,v 1.2 2019/04/19 00:42:27 christos Exp $
#
# DataONE- files from Dave Vieglais <dave.vieglais@gmail.com> &
# Pratik Shrivastava <pratikshrivastava23@gmail.com>
#
# file formats: https://cn.dataone.org/cn/v2/formats
#------------------------------------------------------------------------------

# EML (Ecological Metadata Language Format)
0 string <?xml
>&0 regex (eml)-[0-9].[0-9].[0-9]+ eml://ecoinformatics.org/%s

# onedcx (DataONE Dublin Core Extended v1.0)
>&0 regex (onedcx/v)[0-9].[0-9]+ https://ns.dataone.org/metadata/schema/onedcx/v1.0

# FGDC-STD-001-1998 (Content Standard for Digital Geospatial Metadata,
# version 001-1998)
>&0 regex fgdc FGDC-STD-001-1998

# Mercury (Oak Ridge National Lab Mercury Metadata version 1.0)
>&0 regex (mercury/terms/v)[0-9].[0-9] https://purl.org/ornl/schema/mercury/terms/v1.0

# ISOTC211 (Geographic MetaData (GMD) Extensible Markup Language)
>&0 regex isotc211
>>&0 regex eng;USA https://www.isotc211.org/2005/gmd

# ISOTC211 (NOAA Variant Geographic MetaData (GMD) Extensible Markup Language)
>>&0 regex gov.noaa.nodc:[0-9]+ https://www.isotc211.org/2005/gmd-noaa

# ISOTC211 PANGAEA Variant Geographic MetaData (GMD) Extensible Markup Language
>>&0 regex pangaea.dataset[0-9][0-9][0-9][0-9][0-9][0-9]+ https://www.isotc211.org/2005/gmd-pangaea
!:mime text/xml

# Object Reuse and Exchange Vocabulary
0 string <?xml
>&0 regex rdf
>>&0 regex openarchives https://www.openarchives.org/ore/terms
!:mime application/rdf+xml

# Dryad Metadata Application Profile Version 3.1
0 string <DryadData
>&0 regex (dryad-bibo/v)[0-9].[0-9] https://datadryad.org/profile/v3.1
!:mime text/xml

#------------------------------------------------------------------------------
# $File: dbpf,v 1.3 2019/04/19 00:42:27 christos Exp $
# dppf: Maxis Database Packed Files, the stored data file format used by all
# Maxis games after the Sims: http://wiki.niotso.org/DBPF
# https://www.wiki.sc4devotion.com/index.php?title=DBPF
# 13 Oct 2017, Kip Warner <kip at thevertigo dot com>
0 string DBPF Maxis Database Packed File
>4 ulelong x \b, version: %u.
>>8 ulelong x \b%u
>>>36 ulelong x \b, files: %u
>>24 ledate !0 \b, created: %s
>>28 ledate !0 \b, modified: %s
!:ext dbpf/package/dat/sc4
!:mime application/x-maxis-dbpf
#------------------------------------------------------------------------------
# $File: der,v 1.3 2020/02/16 20:45:21 christos Exp $
# der: file(1) magic for DER encoded files
#

# Certificate information piece
0 name certinfo
>0 der seq
>>&0 der set
>>>&0 der seq
>>>>&0 der obj_id3=550406
>>>>&0 der prt_str=x \b, countryName=%s
>>&0 der set
>>>&0 der seq
>>>>&0 der obj_id3=550408
>>>>&0 der utf8_str=x \b, stateOrProvinceName=%s
>>&0 der set
>>>&0 der seq
>>>>&0 der obj_id3=55040a
>>>>&0 der utf8_str=x \b, organizationName=%s
>>&0 der set
>>>&0 der seq
>>>>&0 der obj_id3=550403
>>>>&0 der utf8_str=x \b, commonName=%s
>>&0 der seq

# Certificate requests
0 der seq
>&0 der seq
>>&0 der int1=00 DER Encoded Certificate request
>>&0 use certinfo

# Key Pairs
0 der seq
>&0 der int1=00
>&0 der int65=x
>&0 der int3=010001 DER Encoded Key Pair, 512 bits

0 der seq
>&0 der int1=00
>&0 der int129=x
>&0 der int3=010001 DER Encoded Key Pair, 1024 bits

0 der seq
>&0 der int1=00
>&0 der int257=x
>&0 der int3=010001 DER Encoded Key Pair, 2048 bits

0 der seq
>&0 der int1=00
>&0 der int513=x
>&0 der int3=010001 DER Encoded Key Pair, 4096 bits

0 der seq
>&0 der int1=00
>&0 der int1025=x
>&0 der int3=010001 DER Encoded Key Pair, 8192 bits

0 der seq
>&0 der int1=00
>&0 der int2049=x
>&0 der int3=010001 DER Encoded Key Pair, 16k bits

0 der seq
>&0 der int1=00
>&0 der int4097=x
>&0 der int3=010001 DER Encoded Key Pair, 32k bits

# Certificates
0 der seq
>&0 der seq
>>&0 der int2=0dfa DER Encoded Certificate, 512 bits
>>&0 der int2=0dfb DER Encoded Certificate, 1024 bits
>>&0 der int2=0dfc DER Encoded Certificate, 2048 bits
>>&0 der int2=0dfd DER Encoded Certificate, 4096 bits
>>&0 der int2=0dfe DER Encoded Certificate, 8192 bits
>>&0 der int2=0dff DER Encoded Certificate, 16k bits
>>&0 der int2=0e04 DER Encoded Certificate, 32k bits
>>&0 der int2=x DER Encoded Certificate, ? bits (%s)
>>&0 der seq
>>>&0 der obj_id9=2a864886f70d010105 \b, sha1WithRSAEncryption
>>>&0 der obj_id9=x \b, ? Encryption (%s)
>>>&0 der null
>>&0 der seq
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=550406
>>>>>&0 der prt_str=x \b, countryName=%s
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=550408
>>>>>&0 der prt_str=x \b, stateOrProvinceName=%s
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=550407
>>>>>&0 der prt_str=x \b, localityName=%s
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=55040a
>>>>>&0 der prt_str=x \b, organizationName=%s
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=55040b
>>>>>&0 der prt_str=x \b, organizationUnitName=%s
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=550403
>>>>>&0 der prt_str=x \b, commonName=%s
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id9=2a864886f70d010901
>>>>>&0 der ia5_str=x \b, emailAddress=%s
>>&0 der seq
>>>&0 der utc_time=x \b, utcTime=%s
>>>&0 der utc_time=x \b, utcTime=%s
>>&0 use certinfo

0 der seq
>&0 der seq
>>&0 der eoc Certificate
>>>&0 der int1=02 \b, Version=3
>>&0 der int9=x \b, Serial=%s
>>&0 der seq
>>>&0 der obj_id9=2a864886f70d01010b
>>>&0 der null
>>&0 der seq
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=550403
>>>>>&0 der utf8_str=x \b, Issuer=%s
>>&0 der seq
>>>&0 der utc_time=x \b, not-valid-before=%s
>>>&0 der utc_time=x \b, not-valid-after=%s
>>&0 der seq
>>>&0 der set
>>>>&0 der seq
>>>>>&0 der obj_id3=550403
>>>>>&0 der utf8_str=x \b, Subject=%s

#------------------------------------------------------------------------------
# $File: diamond,v 1.7 2009/09/19 16:28:08 christos Exp $
# diamond: file(1) magic for Diamond system
#
# ... diamond is a multi-media mail and electronic conferencing system....
#
# XXX - I think it was either renamed Slate, or replaced by Slate....
#
# The full deal is too long...
#0 string <list>\n<protocol\ bbn-multimedia-format> Diamond Multimedia Document
0 string =<list>\n<protocol\ bbn-m Diamond Multimedia Document

#------------------------------------------------------------------------------
# $File: dif,v 1.1 2020/04/09 19:14:01 christos Exp $
# dif: file(1) magic for DIF text files

#------------------------------------------------------------------------------
# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/Data_Interchange_Format
# http://fileformats.archiveteam.org/wiki/Data_Interchange_Format
# Note: called by TrID "Data Interchange Format",
# by DROID x-fmt/368 "VisiCalc Database"
0 string TABLE
# skip text starting with TABLE by looking for numeric version on 2nd line
>6 search/2 0,
# skip DROID x-fmt-41-signature-id-380.dif by looking for key word TUPLES at the beginning
>>27 search/128 TUPLES Data Interchange Format
# https://www.pcmatic.com/company/libraries/fileextension/detail.asp?ext=dif.html
#!:mime application/x-dif-spreadsheet Gnumeric
# https://github.com/LibreOffice/online/blob/master/discovery.xml
#!:mime application/x-dif-document LibreOffice
# https://www.wikidata.org/wiki/Wikidata:WikiProject_Informatics/File_formats/Lists/File_formats
!:mime application/x-dif
# https://extension.nirsoft.net/dif
#!:mime application/vnd.ms-excel
#!:mime text/plain
!:ext dif
# look for double quote 0x22 on 3rd line
>>>10 search/3 "
# skip if next character also double quote
>>>>&0 ubyte !0x22 \b, generator or table name
# comment like EXCEL, pwm enclosed in double quotes
>>>>>&-2 string x %s

#------------------------------------------------------------------------------
# $File: diff,v 1.16 2017/03/17 22:20:22 christos Exp $
# diff: file(1) magic for diff(1) output
#
0 search/1 diff\040 diff output text
!:mime text/x-diff
0 search/1 ***\040 diff output text
!:mime text/x-diff
0 search/1 Only\040in\040 diff output text
!:mime text/x-diff
0 search/1 Common\040subdirectories:\040 diff output text
!:mime text/x-diff

0 search/1 Index: RCS/CVS diff output text
!:mime text/x-diff

# bsdiff: file(1) magic for bsdiff(1) output
0 string/b BSDIFF40 bsdiff(1) patch file

# unified diff
0 search/4096 ---\040
>&0 search/1024 \n
>>&0 search/1 +++\040
>>>&0 search/1024 \n
>>>>&0 search/1 @@ unified diff output text
!:mime text/x-diff
!:strength + 90

# librsync -- the library for network deltas
#
# Copyright (C) 2001 by Martin Pool. You may do whatever you want with
# this file.
#
0 belong 0x72730236 rdiff network-delta data

0 belong 0x72730136 rdiff network-delta signature data
>4 belong x (block length=%d,
>8 belong x signature strength=%d)

#------------------------------------------------------------------------------
# $File: digital,v 1.11 2013/01/11 16:45:23 christos Exp $
# Digital UNIX - Info
#
0 string =!<arch>\n________64E Alpha archive
>22 string X -- out of date
#

0 leshort 0603
>24 leshort 0410 COFF format alpha pure
>24 leshort 0413 COFF format alpha demand paged
>>22 leshort&030000 !020000 executable
>>22 leshort&020000 !0 dynamically linked
>>16 lelong !0 not stripped
>>16 lelong 0 stripped
>>27 byte x - version %d
>>26 byte x \b.%d
>>28 byte x \b-%d
>24 leshort 0407 COFF format alpha object
>>22 leshort&030000 020000 shared library
>>27 byte x - version %d
>>26 byte x \b.%d
>>28 byte x \b-%d

# Basic recognition of Digital UNIX core dumps - Mike Bremford <mike@opac.bl.uk>
#
# The actual magic number is just "Core", followed by a 2-byte version
# number; however, treating any file that begins with "Core" as a Digital
# UNIX core dump file may produce too many false hits, so we include one
# byte of the version number as well; DU 5.0 appears only to be up to
# version 2.
#
0 string Core\001 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'
0 string Core\002 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'
#
# The next is incomplete, we could tell more about this format,
# but its not worth it.
0 leshort 0x188 Alpha compressed COFF
0 leshort 0x18f Alpha u-code object
#
#
# Some other interesting Digital formats,
0 string \377\377\177 ddis/ddif
0 string \377\377\174 ddis/dots archive
0 string \377\377\176 ddis/dtif table data
0 string \033c\033 LN03 output
0 long 04553207 X image
#
0 string =!<PDF>!\n profiling data file
#
# Locale data tables (MIPS and Alpha).
#
0 short 0x0501 locale data table
>6 short 0x24 for MIPS
>6 short 0x40 for Alpha

#------------------------------------------------------------------------------
# $File: dolby,v 1.9 2019/04/19 00:42:27 christos Exp $
# ATSC A/53 aka AC-3 aka Dolby Digital <ashitaka@gmx.at>
# from https://www.atsc.org/standards/a_52a.pdf
# corrections, additions, etc. are always welcome!
#
# syncword
0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream,
# Proposed audio/ac3 RFC/4184
!:mime audio/vnd.dolby.dd-raw
# fscod
>4 byte&0xc0 = 0x00 48 kHz,
>4 byte&0xc0 = 0x40 44.1 kHz,
>4 byte&0xc0 = 0x80 32 kHz,
# is this one used for 96 kHz?
>4 byte&0xc0 = 0xc0 reserved frequency,
#
>5 byte&0x07 = 0x00 \b, complete main (CM)
>5 byte&0x07 = 0x01 \b, music and effects (ME)
>5 byte&0x07 = 0x02 \b, visually impaired (VI)
>5 byte&0x07 = 0x03 \b, hearing impaired (HI)
>5 byte&0x07 = 0x04 \b, dialogue (D)
>5 byte&0x07 = 0x05 \b, commentary (C)
>5 byte&0x07 = 0x06 \b, emergency (E)
>5 beshort&0x07e0 0x0720 \b, voiceover (VO)
>5 beshort&0x07e0 >0x0720 \b, karaoke
# acmod
>6 byte&0xe0 = 0x00 1+1 front,
>>6 byte&0x10 = 0x10 LFE on,
>6 byte&0xe0 = 0x20 1 front/0 rear,
>>6 byte&0x10 = 0x10 LFE on,
>6 byte&0xe0 = 0x40 2 front/0 rear,
# dsurmod (for stereo only)
>>6 byte&0x18 = 0x00 Dolby Surround not indicated
>>6 byte&0x18 = 0x08 not Dolby Surround encoded
>>6 byte&0x18 = 0x10 Dolby Surround encoded
>>6 byte&0x18 = 0x18 reserved Dolby Surround mode
>>6 byte&0x04 = 0x04 LFE on,
>6 byte&0xe0 = 0x60 3 front/0 rear,
>>6 byte&0x04 = 0x04 LFE on,
>6 byte&0xe0 = 0x80 2 front/1 rear,
>>6 byte&0x04 = 0x04 LFE on,
>6 byte&0xe0 = 0xa0 3 front/1 rear,
>>6 byte&0x01 = 0x01 LFE on,
>6 byte&0xe0 = 0xc0 2 front/2 rear,
>>6 byte&0x04 = 0x04 LFE on,
>6 byte&0xe0 = 0xe0 3 front/2 rear,
>>6 byte&0x01 = 0x01 LFE on,
#
>4 byte&0x3e = 0x00 \b, 32 kbit/s
>4 byte&0x3e = 0x02 \b, 40 kbit/s
>4 byte&0x3e = 0x04 \b, 48 kbit/s
>4 byte&0x3e = 0x06 \b, 56 kbit/s
>4 byte&0x3e = 0x08 \b, 64 kbit/s
>4 byte&0x3e = 0x0a \b, 80 kbit/s
>4 byte&0x3e = 0x0c \b, 96 kbit/s
>4 byte&0x3e = 0x0e \b, 112 kbit/s
>4 byte&0x3e = 0x10 \b, 128 kbit/s
>4 byte&0x3e = 0x12 \b, 160 kbit/s
>4 byte&0x3e = 0x14 \b, 192 kbit/s
>4 byte&0x3e = 0x16 \b, 224 kbit/s
>4 byte&0x3e = 0x18 \b, 256 kbit/s
>4 byte&0x3e = 0x1a \b, 320 kbit/s
>4 byte&0x3e = 0x1c \b, 384 kbit/s
>4 byte&0x3e = 0x1e \b, 448 kbit/s
>4 byte&0x3e = 0x20 \b, 512 kbit/s
>4 byte&0x3e = 0x22 \b, 576 kbit/s
>4 byte&0x3e = 0x24 \b, 640 kbit/s

#------------------------------------------------------------------------------
# $File: dump,v 1.17 2018/06/26 01:07:17 christos Exp $
# dump: file(1) magic for dump file format--for new and old dump filesystems
#
# We specify both byte orders in order to recognize byte-swapped dumps.
#
0 name new-dump-be
>4 bedate x This dump %s,
>8 bedate x Previous dump %s,
>12 belong >0 Volume %d,
>692 belong 0 Level zero, type:
>692 belong >0 Level %d, type:
>0 belong 1 tape header,
>0 belong 2 beginning of file record,
>0 belong 3 map of inodes on tape,
>0 belong 4 continuation of file record,
>0 belong 5 end of volume,
>0 belong 6 map of inodes deleted,
>0 belong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 belong >0 Flags %x

0 name old-dump-be
#>4 bedate x This dump %s,
#>8 bedate x Previous dump %s,
>12 belong >0 Volume %d,
>692 belong 0 Level zero, type:
>692 belong >0 Level %d, type:
>0 belong 1 tape header,
>0 belong 2 beginning of file record,
>0 belong 3 map of inodes on tape,
>0 belong 4 continuation of file record,
>0 belong 5 end of volume,
>0 belong 6 map of inodes deleted,
>0 belong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 belong >0 Flags %x

0 name ufs2-dump-be
>896 beqdate x This dump %s,
>904 beqdate x Previous dump %s,
>12 belong >0 Volume %d,
>692 belong 0 Level zero, type:
>692 belong >0 Level %d, type:
>0 belong 1 tape header,
>0 belong 2 beginning of file record,
>0 belong 3 map of inodes on tape,
>0 belong 4 continuation of file record,
>0 belong 5 end of volume,
>0 belong 6 map of inodes deleted,
>0 belong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 belong >0 Flags %x

24 belong 60012 new-fs dump file (big endian),
>0 use new-dump-be

24 belong 60011 old-fs dump file (big endian),
>0 use old-dump-be

24 lelong 60012 new-fs dump file (little endian),
# to correctly recognize '*.mo' GNU message catalog (little endian)
!:strength - 15
>0 use \^new-dump-be

24 lelong 60011 old-fs dump file (little endian),
>0 use \^old-dump-be

24 belong 0x19540119 new-fs dump file (ufs2, big endian),
>0 use ufs2-dump-be

24 lelong 0x19540119 new-fs dump file (ufs2, little endian),
>0 use \^ufs2-dump-be

18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness),
>2 medate x Previous dump %s,
>6 medate x This dump %s,
>10 leshort >0 Volume %d,
>0 leshort 1 tape header.
>0 leshort 2 beginning of file record.
>0 leshort 3 map of inodes on tape.
>0 leshort 4 continuation of file record.
>0 leshort 5 end of volume.
>0 leshort 6 map of inodes deleted.
>0 leshort 7 end of medium (for floppy).

#------------------------------------------------------------------------------# $File: dyadic,v 1.9 2019/04/19 00:42:27 christos Exp $# Dyadic: file(1) magic for Dyalog APL.## updated by Joerg Jenderek at Oct 2013# https://en.wikipedia.org/wiki/Dyalog_APL# https://www.dyalog.com/# .DXV Dyalog APL External Variable# .DIN Dyalog APL Input Table# .DOT Dyalog APL Output Table# .DFT Dyalog APL Format File0 ubeshort&0xFF60 0xaa00# skip biblio.dbt>1 byte !4# real Dyalog APL have non zero version numbers like 7.3 or 13.4>>2 ubeshort >0x0000 Dyalog APL>>>1 byte 0x00 aplcore#>>>1 byte 0x00 incomplete workspace# *.DCF Dyalog APL Component File>>>1 byte 0x01 component file 32-bit non-journaled non-checksummed#>>>1 byte 0x01 component file>>>1 byte 0x02 external variable exclusive#>>>1 byte 0x02 external variable# *.DWS Dyalog APL Workspace>>>1 byte 0x03 workspace>>>>7 byte&0x28 0x00 32-bit>>>>7 byte&0x28 0x20 64-bit>>>>7 byte&0x0c 0x00 classic>>>>7 byte&0x0c 0x04 unicode>>>>7 byte&0x88 0x00 big-endian>>>>7 byte&0x88 0x80 little-endian>>>1 byte 0x06 external variable shared# *.DSE Dyalog APL Session , *.DLF Dyalog APL Session Log File>>>1 byte 0x07 session>>>1 byte 0x08 mapped file 32-bit>>>1 byte 0x09 component file 64-bit non-journaled non-checksummed>>>1 byte 0x0a mapped file 64-bit>>>1 byte 0x0b component file 32-bit level 1 journaled non-checksummed>>>1 byte 0x0c component file 64-bit level 1 journaled non-checksummed>>>1 byte 0x0d component file 32-bit level 1 journaled checksummed>>>1 byte 0x0e component file 64-bit level 1 journaled checksummed>>>1 byte 0x0f component file 32-bit level 2 journaled checksummed>>>1 byte 0x10 component file 64-bit level 2 journaled checksummed>>>1 byte 0x11 component file 32-bit level 3 journaled checksummed>>>1 byte 0x12 component file 64-bit level 3 journaled checksummed>>>1 byte 0x13 component file 32-bit non-journaled checksummed>>>1 byte 0x14 component file 64-bit non-journaled checksummed>>>1 byte 0x15 component file under 
construction>>>1 byte 0x16 DFS component file 64-bit level 1 journaled checksummed>>>1 byte 0x17 DFS component file 64-bit level 2 journaled checksummed>>>1 byte 0x18 DFS component file 64-bit level 3 journaled checksummed>>>1 byte 0x19 external workspace>>>1 byte 0x80 DDB>>>2 byte x version %d>>>3 byte x \b.%d#>>>2 byte x type %d#>>>3 byte x subtype %d # *.DXF Dyalog APL Transfer File0 short 0x6060 Dyalog APL transfer #------------------------------------------------------------------------------# $File: ebml,v 1.2 2019/04/19 00:42:27 christos Exp $# ebml: file(1) magic for various Extensible Binary Meta Language# https://www.matroska.org/technical/specs/index.html#track0 belong 0x1a45dfa3 EBML file>4 search/b/100 \102\202>>&1 string x \b, creator %.8s #------------------------------------------------------------------------------# $File: edid,v 1.1 2019/03/28 12:36:01 christos Exp $# edid: file(1) magic for EDID dump files 0 quad 0x00ffffffffffff00 Extended display identification data dump!:mime application/x-edid-dump>18 byte 0x01 Version 1>>19 byte <0x04 \b.%d>18 byte 0x02 Version 2>>19 byte 0x00 \b.0 #------------------------------------------------------------------------------# $File: editors,v 1.11 2017/03/17 21:35:28 christos Exp $# T602 editor documents# by David Necas <yeti@physics.muni.cz>0 string @CT\ T602 document data,>4 string 0 Kamenicky>4 string 1 CP 852>4 string 2 KOI8-CS>4 string >2 unknown encoding # Vi IMproved Encrypted file# by David Necas <yeti@physics.muni.cz>0 string VimCrypt~ Vim encrypted file data 0 name vimnanoswap>67 byte 0>>107 byte 0#>>>2 string x %s swap file>>>24 ulelong x \b, pid %d>>>28 string >\0 \b, user %s>>>68 string >\0 \b, host %s>>>108 string >\0 \b, file %s>>>1007 byte 0x55 \b, modified # Vi IMproved Swap file# by Sven Wegener <swegener@gentoo.org>0 string b0VIM\ Vim swap file>&0 string >\0 \b, version %s>0 use vimnanoswap # Lock/swap file for several editors, at least# Vi IMproved and nano0 string b0nano Nano swap 
file>0 use vimnanoswap # kate (K Advanced Text Editor)0 string \x00\x00\x00\x12Kate\ Swap\ File\ 2.0\x00 Kate swap file #------------------------------------------------------------------------------# $File: efi,v 1.5 2014/04/30 21:41:02 christos Exp $# efi: file(1) magic for Universal EFI binaries 0 lelong 0x0ef1fab9>4 lelong 1 Universal EFI binary with 1 architecture>>&0 lelong 7 \b, i386>>&0 lelong 0x01000007 \b, x86_64>4 lelong 2 Universal EFI binary with 2 architectures>>&0 lelong 7 \b, i386>>&0 lelong 0x01000007 \b, x86_64>>&20 lelong 7 \b, i386>>&20 lelong 0x01000007 \b, x86_64>4 lelong >2 Universal EFI binary with %d architectures #------------------------------------------------------------------------------# $File: elf,v 1.80 2020/02/12 22:17:33 christos Exp $# elf: file(1) magic for ELF executables## We have to check the byte order flag to see what byte order all the# other stuff in the header is in.## What're the correct byte orders for the nCUBE and the Fujitsu VPP500?## Created by: unknown# Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com># Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support)# Modified by (3): Christian 'Dr. 
Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de> (fix of core support)# Modified by (4): <gerardo.cacciari@gmail.com> (VMS Itanium)# Modified by (5): Matthias Urlichs <smurf@debian.org> (Listing of many architectures) 0 name elf-mips>0 lelong&0xf0000000 0x00000000 MIPS-I>0 lelong&0xf0000000 0x10000000 MIPS-II>0 lelong&0xf0000000 0x20000000 MIPS-III>0 lelong&0xf0000000 0x30000000 MIPS-IV>0 lelong&0xf0000000 0x40000000 MIPS-V>0 lelong&0xf0000000 0x50000000 MIPS32>0 lelong&0xf0000000 0x60000000 MIPS64>0 lelong&0xf0000000 0x70000000 MIPS32 rel2>0 lelong&0xf0000000 0x80000000 MIPS64 rel2>0 lelong&0xf0000000 0x90000000 MIPS32 rel6>0 lelong&0xf0000000 0xa0000000 MIPS64 rel6 0 name elf-sparc>0 lelong&0x00ffff00 0x00000100 V8+ Required,>0 lelong&0x00ffff00 0x00000200 Sun UltraSPARC1 Extensions Required,>0 lelong&0x00ffff00 0x00000400 HaL R1 Extensions Required,>0 lelong&0x00ffff00 0x00000800 Sun UltraSPARC3 Extensions Required,>0 lelong&0x3 0 total store ordering,>0 lelong&0x3 1 partial store ordering,>0 lelong&0x3 2 relaxed memory ordering, 0 name elf-pa-risc>2 leshort 0x020b 1.0>2 leshort 0x0210 1.1>2 leshort 0x0214 2.0>0 leshort &0x0008 (LP64) 0 name elf-le>16 leshort 0 no file type,!:mime application/octet-stream>16 leshort 1 relocatable,!:mime application/x-object>16 leshort 2 executable,!:mime application/x-executable>16 leshort 3 ${x?pie executable:shared object}, !:mime application/x-${x?pie-executable:sharedlib}>16 leshort 4 core file,!:mime application/x-coredump# OS-specific>7 byte 202>>16 leshort 0xFE01 executable,!:mime application/x-executable# Core file detection is not reliable.#>>>(0x38+0xcc) string >\0 of '%s'#>>>(0x38+0x10) lelong >0 (signal %d),>16 leshort &0xff00 processor-specific,>18 clear x>18 leshort 0 no machine,>18 leshort 1 AT&T WE32100,>18 leshort 2 SPARC,>18 leshort 3 Intel 80386,>18 leshort 4 Motorola m68k,>>4 byte 1>>>36 lelong &0x01000000 68000,>>>36 lelong &0x00810000 CPU32,>>>36 lelong 0 68020,>18 leshort 5 Motorola m88k,>18 leshort 6 Intel 
80486,
>18 leshort 7 Intel 80860,
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8.
>18 leshort 8 MIPS,
>>4 byte 1
>>>36 lelong &0x20 N32
>18 leshort 10 MIPS,
>>4 byte 1
>>>36 lelong &0x20 N32
>18 leshort 8
# only for 32-bit
>>4 byte 1
>>>36 use elf-mips
# only for 64-bit
>>4 byte 2
>>>48 use elf-mips
>18 leshort 9 Amdahl,
>18 leshort 10 MIPS (deprecated),
>18 leshort 11 RS6000,
>18 leshort 15 PA-RISC,
# only for 32-bit
>>4 byte 1
>>>36 use elf-pa-risc
# only for 64-bit
>>4 byte 2
>>>48 use elf-pa-risc
>18 leshort 16 nCUBE,
>18 leshort 17 Fujitsu VPP500,
>18 leshort 18 SPARC32PLUS,
# only for 32-bit
>>4 byte 1
>>>36 use elf-sparc
>18 leshort 19 Intel 80960,
>18 leshort 20 PowerPC or cisco 4500,
>18 leshort 21 64-bit PowerPC or cisco 7500,
>18 leshort 22 IBM S/390,
>18 leshort 23 Cell SPU,
>18 leshort 24 cisco SVIP,
>18 leshort 25 cisco 7200,
>18 leshort 36 NEC V800 or cisco 12000,
>18 leshort 37 Fujitsu FR20,
>18 leshort 38 TRW RH-32,
>18 leshort 39 Motorola RCE,
>18 leshort 40 ARM,
>>4 byte 1
>>>36 lelong&0xff000000 0x04000000 EABI4
>>>36 lelong&0xff000000 0x05000000 EABI5
>>>36 lelong &0x00800000 BE8
>>>36 lelong &0x00400000 LE8
>18 leshort 41 Alpha,
>18 leshort 42 Renesas SH,
>18 leshort 43 SPARC V9,
>>4 byte 2
>>>48 use elf-sparc
>18 leshort 44 Siemens Tricore Embedded Processor,
>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>18 leshort 46 Renesas H8/300,
>18 leshort 47 Renesas H8/300H,
>18 leshort 48 Renesas H8S,
>18 leshort 49 Renesas H8/500,
>18 leshort 50 IA-64,
>18 leshort 51 Stanford MIPS-X,
>18 leshort 52 Motorola Coldfire,
>18 leshort 53 Motorola M68HC12,
>18 leshort 54 Fujitsu MMA,
>18 leshort 55 Siemens PCP,
>18 leshort 56 Sony nCPU,
>18 leshort 57 Denso NDR1,
>18 leshort 58 Start*Core,
>18 leshort 59 Toyota ME16,
>18 leshort 60 ST100,
>18 leshort 61 Tinyj emb.,
>18 leshort 62 x86-64,
>18 leshort 63 Sony DSP,
>18 leshort 64 DEC PDP-10,
>18
leshort 65 DEC PDP-11,
>18 leshort 66 FX66,
>18 leshort 67 ST9+ 8/16 bit,
>18 leshort 68 ST7 8 bit,
>18 leshort 69 MC68HC16,
>18 leshort 70 MC68HC11,
>18 leshort 71 MC68HC08,
>18 leshort 72 MC68HC05,
>18 leshort 73 SGI SVx or Cray NV1,
>18 leshort 74 ST19 8 bit,
>18 leshort 75 Digital VAX,
>18 leshort 76 Axis cris,
>18 leshort 77 Infineon 32-bit embedded,
>18 leshort 78 Element 14 64-bit DSP,
>18 leshort 79 LSI Logic 16-bit DSP,
>18 leshort 80 MMIX,
>18 leshort 81 Harvard machine-independent,
>18 leshort 82 SiTera Prism,
>18 leshort 83 Atmel AVR 8-bit,
>18 leshort 84 Fujitsu FR30,
>18 leshort 85 Mitsubishi D10V,
>18 leshort 86 Mitsubishi D30V,
>18 leshort 87 NEC v850,
>18 leshort 88 Renesas M32R,
>18 leshort 89 Matsushita MN10300,
>18 leshort 90 Matsushita MN10200,
>18 leshort 91 picoJava,
>18 leshort 92 OpenRISC,
>18 leshort 93 ARC Cores Tangent-A5,
>18 leshort 94 Tensilica Xtensa,
>18 leshort 95 Alphamosaic VideoCore,
>18 leshort 96 Thompson Multimedia,
>18 leshort 97 NatSemi 32k,
>18 leshort 98 Tenor Network TPC,
>18 leshort 99 Trebia SNP 1000,
>18 leshort 100 STMicroelectronics ST200,
>18 leshort 101 Ubicom IP2022,
>18 leshort 102 MAX Processor,
>18 leshort 103 NatSemi CompactRISC,
>18 leshort 104 Fujitsu F2MC16,
>18 leshort 105 TI msp430,
>18 leshort 106 Analog Devices Blackfin,
>18 leshort 107 S1C33 Family of Seiko Epson,
>18 leshort 108 Sharp embedded,
>18 leshort 109 Arca RISC,
>18 leshort 110 PKU-Unity Ltd.,
>18 leshort 111 eXcess: 16/32/64-bit,
>18 leshort 112 Icera Deep Execution Processor,
>18 leshort 113 Altera Nios II,
>18 leshort 114 NatSemi CRX,
>18 leshort 115 Motorola XGATE,
>18 leshort 116 Infineon C16x/XC16x,
>18 leshort 117 Renesas M16C series,
>18 leshort 118 Microchip dsPIC30F,
>18 leshort 119 Freescale RISC core,
>18 leshort 120 Renesas M32C series,
>18 leshort 131 Altium TSK3000 core,
>18 leshort 132 Freescale RS08,
>18 leshort 134 Cyan Technology eCOG2,
>18 leshort 135 Sunplus S+core7 RISC,
>18 leshort 136 New Japan Radio (NJR) 24-bit DSP,
>18 leshort 137 Broadcom VideoCore III,
>18 leshort 138
LatticeMico32,
>18 leshort 139 Seiko Epson C17 family,
>18 leshort 140 TI TMS320C6000 DSP family,
>18 leshort 141 TI TMS320C2000 DSP family,
>18 leshort 142 TI TMS320C55x DSP family,
>18 leshort 160 STMicroelectronics 64bit VLIW DSP,
>18 leshort 161 Cypress M8C,
>18 leshort 162 Renesas R32C series,
>18 leshort 163 NXP TriMedia family,
>18 leshort 164 QUALCOMM DSP6,
>18 leshort 165 Intel 8051 and variants,
>18 leshort 166 STMicroelectronics STxP7x family,
>18 leshort 167 Andes embedded RISC,
>18 leshort 168 Cyan eCOG1X family,
>18 leshort 169 Dallas MAXQ30,
>18 leshort 170 New Japan Radio (NJR) 16-bit DSP,
>18 leshort 171 M2000 Reconfigurable RISC,
>18 leshort 172 Cray NV2 vector architecture,
>18 leshort 173 Renesas RX family,
>18 leshort 174 META,
>18 leshort 175 MCST Elbrus,
>18 leshort 176 Cyan Technology eCOG16 family,
>18 leshort 177 NatSemi CompactRISC,
>18 leshort 178 Freescale Extended Time Processing Unit,
>18 leshort 179 Infineon SLE9X,
>18 leshort 180 Intel L1OM,
>18 leshort 181 Intel K1OM,
>18 leshort 183 ARM aarch64,
>18 leshort 185 Atmel 32-bit family,
>18 leshort 186 STMicroeletronics STM8 8-bit,
>18 leshort 187 Tilera TILE64,
>18 leshort 188 Tilera TILEPro,
>18 leshort 189 Xilinx MicroBlaze 32-bit RISC,
>18 leshort 190 NVIDIA CUDA architecture,
>18 leshort 191 Tilera TILE-Gx,
>18 leshort 197 Renesas RL78 family,
>18 leshort 199 Renesas 78K0R,
>18 leshort 200 Freescale 56800EX,
>18 leshort 201 Beyond BA1,
>18 leshort 202 Beyond BA2,
>18 leshort 203 XMOS xCORE,
>18 leshort 204 Microchip 8-bit PIC(r),
>18 leshort 210 KM211 KM32,
>18 leshort 211 KM211 KMX32,
>18 leshort 212 KM211 KMX16,
>18 leshort 213 KM211 KMX8,
>18 leshort 214 KM211 KVARC,
>18 leshort 215 Paneve CDP,
>18 leshort 216 Cognitive Smart Memory,
>18 leshort 217 iCelero CoolEngine,
>18 leshort 218 Nanoradio Optimized RISC,
>18 leshort 243 UCB RISC-V,
>18 leshort 247 eBPF,
>18 leshort 251 NEC VE,
>18 leshort 0x1057 AVR (unofficial),
>18 leshort 0x1059 MSP430 (unofficial),
>18 leshort 0x1223 Adapteva Epiphany (unofficial),
>18 leshort 0x2530 Morpho
MT (unofficial),
>18 leshort 0x3330 FR30 (unofficial),
>18 leshort 0x3426 OpenRISC (obsolete),
>18 leshort 0x4688 Infineon C166 (unofficial),
>18 leshort 0x5441 Cygnus FRV (unofficial),
>18 leshort 0x5aa5 DLX (unofficial),
>18 leshort 0x7650 Cygnus D10V (unofficial),
>18 leshort 0x7676 Cygnus D30V (unofficial),
>18 leshort 0x8217 Ubicom IP2xxx (unofficial),
>18 leshort 0x8472 OpenRISC (obsolete),
>18 leshort 0x9025 Cygnus PowerPC (unofficial),
>18 leshort 0x9026 Alpha (unofficial),
>18 leshort 0x9041 Cygnus M32R (unofficial),
>18 leshort 0x9080 Cygnus V850 (unofficial),
>18 leshort 0xa390 IBM S/390 (obsolete),
>18 leshort 0xabc7 Old Xtensa (unofficial),
>18 leshort 0xad45 xstormy16 (unofficial),
>18 leshort 0xbaab Old MicroBlaze (unofficial),,
>18 leshort 0xbeef Cygnus MN10300 (unofficial),
>18 leshort 0xdead Cygnus MN10200 (unofficial),
>18 leshort 0xf00d Toshiba MeP (unofficial),
>18 leshort 0xfeb0 Renesas M32C (unofficial),
>18 leshort 0xfeba Vitesse IQ2000 (unofficial),
>18 leshort 0xfebb NIOS (unofficial),
>18 leshort 0xfeed Moxie (unofficial),
>18 default x
>>18 leshort x *unknown arch 0x%x*
>20 lelong 0 invalid version
>20 lelong 1 version 1

0 string \177ELF ELF
!:strength *2
>4 byte 0 invalid class
>4 byte 1 32-bit
>4 byte 2 64-bit
>5 byte 0 invalid byte order
>5 byte 1 LSB
>>0 use elf-le
>5 byte 2 MSB
>>0 use \^elf-le
>7 byte 0 (SYSV)
>7 byte 1 (HP-UX)
>7 byte 2 (NetBSD)
>7 byte 3 (GNU/Linux)
>7 byte 4 (GNU/Hurd)
>7 byte 5 (86Open)
>7 byte 6 (Solaris)
>7 byte 7 (Monterey)
>7 byte 8 (IRIX)
>7 byte 9 (FreeBSD)
>7 byte 10 (Tru64)
>7 byte 11 (Novell Modesto)
>7 byte 12 (OpenBSD)
>7 byte 13 (OpenVMS)
>7 byte 14 (HP NonStop Kernel)
>7 byte 15 (AROS Research Operating System)
>7 byte 16 (FenixOS)
>7 byte 17 (Nuxi CloudABI)
>7 byte 97 (ARM)
>7 byte 202 (Cafe OS)
>7 byte 255 (embedded)

#------------------------------------------------------------------------------
# $File: encore,v 1.7 2014/04/30 21:41:02 christos Exp $
# encore: file(1) magic for Encore machines
#
# XXX - needs to have the byte order specified (NS32K was
little-endian,
# dunno whether they run the 88K in little-endian mode or not).
#
0 short 0x154 Encore
>20 short 0x107 executable
>20 short 0x108 pure executable
>20 short 0x10b demand-paged executable
>20 short 0x10f unsupported executable
>12 long >0 not stripped
>22 short >0 - version %d
>22 short 0 -
#>4 date x stamp %s
0 short 0x155 Encore unsupported executable
>12 long >0 not stripped
>22 short >0 - version %d
>22 short 0 -
#>4 date x stamp %s

#------------------------------------------------------------------------------
# $File: epoc,v 1.9 2013/12/21 14:28:15 christos Exp $
# EPOC : file(1) magic for EPOC documents [Psion Series 5/Osaris/Geofox 1]
# Stefan Praszalowicz <hpicollo@worldnet.fr> and Peter Breitenlohner <peb@mppmu.mpg.de>
# Useful information for improving this file can be found at:
# http://software.frodo.looijaard.name/psiconv/formats/Index.html
#------------------------------------------------------------------------------
0 lelong 0x10000037 Psion Series 5
>4 lelong 0x10000039 font file
>4 lelong 0x1000003A printer driver
>4 lelong 0x1000003B clipboard
>4 lelong 0x10000042 multi-bitmap image
!:mime image/x-epoc-mbm
>4 lelong 0x1000006A application information file
>4 lelong 0x1000006D
>>8 lelong 0x1000007D Sketch image
!:mime image/x-epoc-sketch
>>8 lelong 0x1000007E voice note
>>8 lelong 0x1000007F Word file
!:mime application/x-epoc-word
>>8 lelong 0x10000085 OPL program (TextEd)
!:mime application/x-epoc-opl
>>8 lelong 0x10000087 Comms settings
>>8 lelong 0x10000088 Sheet file
!:mime application/x-epoc-sheet
>>8 lelong 0x100001C4 EasyFax initialisation file
>4 lelong 0x10000073 OPO module
!:mime application/x-epoc-opo
>4 lelong 0x10000074 OPL application
!:mime application/x-epoc-app
>4 lelong 0x1000008A exported multi-bitmap image
>4 lelong 0x1000016D
>>8 lelong 0x10000087 Comms names

0 lelong 0x10000041 Psion Series 5 ROM multi-bitmap image

0 lelong 0x10000050 Psion Series 5
>4 lelong 0x1000006D database
>>8 lelong 0x10000084 Agenda file
!:mime application/x-epoc-agenda
>>8 lelong
0x10000086 Data file
!:mime application/x-epoc-data
>>8 lelong 0x10000CEA Jotter file
!:mime application/x-epoc-jotter
>4 lelong 0x100000E4 ini file

0 lelong 0x10000079 Psion Series 5 binary:
>4 lelong 0x00000000 DLL
>4 lelong 0x10000049 comms hardware library
>4 lelong 0x1000004A comms protocol library
>4 lelong 0x1000005D OPX
>4 lelong 0x1000006C application
>4 lelong 0x1000008D DLL
>4 lelong 0x100000AC logical device driver
>4 lelong 0x100000AD physical device driver
>4 lelong 0x100000E5 file transfer protocol
>4 lelong 0x100000E5 file transfer protocol
>4 lelong 0x10000140 printer definition
>4 lelong 0x10000141 printer definition

0 lelong 0x1000007A Psion Series 5 executable

#------------------------------------------------------------------------------
# $File: erlang,v 1.7 2019/04/19 00:42:27 christos Exp $
# erlang: file(1) magic for Erlang JAM and BEAM files
# URL: https://www.erlang.org/faq/x779.html#AEN812

# OTP R3-R4
0 string \0177BEAM! Old Erlang BEAM file
>6 short >0 - version %d

# OTP R5 and onwards
0 string FOR1
>8 string BEAM Erlang BEAM file

# 4.2 version may have a copyright notice!
4 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2
79 string Tue\ Jan\ 22\ 14:32:44\ MET\ 1991 Erlang JAM file - version 4.2

4 string 1.0\ Fri\ Feb\ 3\ 09:55:56\ MET\ 1995 Erlang JAM file - version 4.3

0 bequad 0x0000000000ABCDEF Erlang DETS file

# $File: espressif,v 1.2 2019/11/15 21:03:14 christos Exp $
# configuration dump of Tasmota firmware for ESP8266 based devices by Espressif
# URL: https://github.com/arendst/Sonoff-Tasmota/
# Reference: https://codeload.github.com/arendst/Sonoff-Tasmota/zip/release-6.2/
# Sonoff-Tasmota-release-6.2.zip/Sonoff-Tasmota-release-6.2/sonoff/settings.h
# From: Joerg Jenderek
#
# cfg_holder=4617=0x1209
0 uleshort 4617
# remaining settings normally 0x5A+offset XORed; free_1D5[20] empty since 5.12.0e
>0x1D5 ubequad 0x2f30313233343536 configuration of Tasmota firmware (ESP8266)
!:mime application/x-tasmota-dmp
!:ext dmp
# version like 6.2.1.0 ~
0x06020100 XORed to 0x63666262
>>11 ubyte^0x65 x \b, version %u
>>10 ubyte^0x64 x \b.%u
>>9 ubyte^0x63 x \b.%u
>>8 ubyte^0x62 x \b.%u
#>8 ubelong x (0x%x)
# hostname[33] XORed
>>0x165 ubyte^0x1BF x \b, hostname %c
>>0x166 ubyte^0x1C0 >037 \b%c
>>0x167 ubyte^0x1C1 >037 \b%c
>>0x168 ubyte^0x1C2 >037 \b%c
>>0x169 ubyte^0x1C3 >037 \b%c
>>0x16A ubyte^0x1C4 >037 \b%c
>>0x16B ubyte^0x1C5 >037 \b%c
>>0x16C ubyte^0x1C6 >037 \b%c
>>0x16D ubyte^0x1C7 >037 \b%c
>>0x16E ubyte^0x1C8 >037 \b%c
>>0x16F ubyte^0x1C9 >037 \b%c
>>0x170 ubyte^0x1CA >037 \b%c
>>0x171 ubyte^0x1CB >037 \b%c
>>0x172 ubyte^0x1CC >037 \b%c
>>0x173 ubyte^0x1CD >037 \b%c
>>0x174 ubyte^0x1CE >037 \b%c
>>0x175 ubyte^0x1CF >037 \b%c
>>0x176 ubyte^0x1D0 >037 \b%c
>>0x177 ubyte^0x1D1 >037 \b%c
>>0x178 ubyte^0x1D2 >037 \b%c
>>0x179 ubyte^0x1D3 >037 \b%c
>>0x17A ubyte^0x1D4 >037 \b%c
>>0x17B ubyte^0x1D5 >037 \b%c
>>0x17C ubyte^0x1D6 >037 \b%c
>>0x17D ubyte^0x1D7 >037 \b%c
>>0x17E ubyte^0x1D8 >037 \b%c
>>0x17F ubyte^0x1D9 >037 \b%c
>>0x180 ubyte^0x1DA >037 \b%c
>>0x181 ubyte^0x1DB >037 \b%c
>>0x182 ubyte^0x1DC >037 \b%c
>>0x183 ubyte^0x1DD >037 \b%c
>>0x184 ubyte^0x1DE >037 \b%c
>>0x185 ubyte^0x1DF >037 \b%c
#>>0x165 string x (%.33s)

#------------------------------------------------------------------------------
# $File: esri,v 1.5 2019/04/19 00:42:27 christos Exp $
# ESRI Shapefile format (.shp .shx .dbf=DBaseIII)
# Based on info from
# <URL:https://www.esri.com/library/whitepapers/pdfs/shapefile.pdf>
0 belong 9994 ESRI Shapefile
>4 belong =0
>8 belong =0
>12 belong =0
>16 belong =0
>20 belong =0
>28 lelong x version %d
>24 belong x length %d
>32 lelong =0 type Null Shape
>32 lelong =1 type Point
>32 lelong =3 type PolyLine
>32 lelong =5 type Polygon
>32 lelong =8 type MultiPoint
>32 lelong =11 type PointZ
>32 lelong =13 type PolyLineZ
>32 lelong =15 type PolygonZ
>32 lelong =18 type MultiPointZ
>32 lelong =21 type PointM
>32 lelong =23 type PolyLineM
>32 lelong =25 type PolygonM
>32 lelong =28 type MultiPointM
>32 lelong =31 type MultiPatch
#------------------------------------------------------------------------------
# $File: fcs,v 1.4 2009/09/19 16:28:09 christos Exp $
# fcs: file(1) magic for FCS (Flow Cytometry Standard) data files
# From Roger Leigh <roger@whinlatter.uklinux.net>
0 string FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0
0 string FCS2.0 Flow Cytometry Standard (FCS) data, version 2.0
0 string FCS3.0 Flow Cytometry Standard (FCS) data, version 3.0

#------------------------------------------------------------------------------
# $File: filesystems,v 1.133 2020/05/17 19:32:00 christos Exp $
# filesystems: file(1) magic for different filesystems
#
0 name partid
>0 ubyte 0x00 Unused
>0 ubyte 0x01 12-bit FAT
>0 ubyte 0x02 XENIX /
>0 ubyte 0x03 XENIX /usr
>0 ubyte 0x04 16-bit FAT, less than 32M
>0 ubyte 0x05 extended partition
>0 ubyte 0x06 16-bit FAT, more than 32M
>0 ubyte 0x07 OS/2 HPFS, NTFS, QNX2, Adv. UNIX
>0 ubyte 0x08 AIX or os, or etc.
>0 ubyte 0x09 AIX boot partition or Coherent
>0 ubyte 0x0a O/2 boot manager or Coherent swap
>0 ubyte 0x0b 32-bit FAT
>0 ubyte 0x0c 32-bit FAT, LBA-mapped
>0 ubyte 0x0d 7XXX, LBA-mapped
>0 ubyte 0x0e 16-bit FAT, LBA-mapped
>0 ubyte 0x0f extended partition, LBA-mapped
>0 ubyte 0x10 OPUS
>0 ubyte 0x11 OS/2 DOS 12-bit FAT
>0 ubyte 0x12 Compaq diagnostics
>0 ubyte 0x14 OS/2 DOS 16-bit FAT <32M
>0 ubyte 0x16 OS/2 DOS 16-bit FAT >=32M
>0 ubyte 0x17 OS/2 hidden IFS
>0 ubyte 0x18 AST Windows swapfile
>0 ubyte 0x19 Willowtech Photon coS
>0 ubyte 0x1b hidden win95 fat 32
>0 ubyte 0x1c hidden win95 fat 32 lba
>0 ubyte 0x1d hidden win95 fat 16 lba
>0 ubyte 0x20 Willowsoft OFS1
>0 ubyte 0x21 reserved
>0 ubyte 0x23 reserved
>0 ubyte 0x24 NEC DOS
>0 ubyte 0x26 reserved
>0 ubyte 0x31 reserved
>0 ubyte 0x32 Alien Internet Services NOS
>0 ubyte 0x33 reserved
>0 ubyte 0x34 reserved
>0 ubyte 0x35 JFS on OS2
>0 ubyte 0x36 reserved
>0 ubyte 0x38 Theos
>0 ubyte 0x39 Plan 9, or Theos spanned
>0 ubyte 0x3a Theos ver 4 4gb partition
>0 ubyte 0x3b Theos ve 4 extended partition
>0 ubyte 0x3c PartitionMagic recovery
>0
ubyte 0x3d Hidden Netware
>0 ubyte 0x40 VENIX 286 or LynxOS
>0 ubyte 0x41 PReP
>0 ubyte 0x42 linux swap sharing DRDOS disk
>0 ubyte 0x43 linux sharing DRDOS disk
>0 ubyte 0x44 GoBack change utility
>0 ubyte 0x45 Boot US Boot manager
>0 ubyte 0x46 EUMEL/Elan or Ergos 3
>0 ubyte 0x47 EUMEL/Elan or Ergos 3
>0 ubyte 0x48 EUMEL/Elan or Ergos 3
>0 ubyte 0x4a ALFX/THIN filesystem for DOS
>0 ubyte 0x4c Oberon partition
>0 ubyte 0x4d QNX4.x
>0 ubyte 0x4e QNX4.x 2nd part
>0 ubyte 0x4f QNX4.x 3rd part
>0 ubyte 0x50 DM (disk manager)
>0 ubyte 0x51 DM6 Aux1 (or Novell)
>0 ubyte 0x52 CP/M or Microport SysV/AT
>0 ubyte 0x53 DM6 Aux3
>0 ubyte 0x54 DM6 DDO
>0 ubyte 0x55 EZ-Drive (disk manager)
>0 ubyte 0x56 Golden Bow (disk manager)
>0 ubyte 0x57 Drive PRO
>0 ubyte 0x5c Priam Edisk (disk manager)
>0 ubyte 0x61 SpeedStor
>0 ubyte 0x63 GNU HURD or Mach or Sys V/386
>0 ubyte 0x64 Novell Netware 2.xx or Speedstore
>0 ubyte 0x65 Novell Netware 3.xx
>0 ubyte 0x66 Novell 386 Netware
>0 ubyte 0x67 Novell
>0 ubyte 0x68 Novell
>0 ubyte 0x69 Novell
>0 ubyte 0x70 DiskSecure Multi-Boot
>0 ubyte 0x71 reserved
>0 ubyte 0x73 reserved
>0 ubyte 0x74 reserved
>0 ubyte 0x75 PC/IX
>0 ubyte 0x76 reserved
>0 ubyte 0x77 M2FS/M2CS partition
>0 ubyte 0x78 XOSL boot loader filesystem
>0 ubyte 0x80 MINIX until 1.4a
>0 ubyte 0x81 MINIX since 1.4b
>0 ubyte 0x82 Linux swap or Solaris
>0 ubyte 0x83 Linux native
>0 ubyte 0x84 OS/2 hidden C: drive
>0 ubyte 0x85 Linux extended partition
>0 ubyte 0x86 NT FAT volume set
>0 ubyte 0x87 NTFS volume set or HPFS mirrored
>0 ubyte 0x8a Linux Kernel AiR-BOOT partition
>0 ubyte 0x8b Legacy Fault tolerant FAT32
>0 ubyte 0x8c Legacy Fault tolerant FAT32 ext
>0 ubyte 0x8d Hidden free FDISK FAT12
>0 ubyte 0x8e Linux Logical Volume Manager
>0 ubyte 0x90 Hidden free FDISK FAT16
>0 ubyte 0x91 Hidden free FDISK DOS EXT
>0 ubyte 0x92 Hidden free FDISK FAT16 Big
>0 ubyte 0x93 Amoeba filesystem
>0 ubyte 0x94 Amoeba bad block table
>0 ubyte 0x95 MIT EXOPC native partitions
>0 ubyte 0x97 Hidden free FDISK FAT32
>0 ubyte 0x98 Datalight ROM-DOS
Super-Boot
>0 ubyte 0x99 Mylex EISA SCSI
>0 ubyte 0x9a Hidden free FDISK FAT16 LBA
>0 ubyte 0x9b Hidden free FDISK EXT LBA
>0 ubyte 0x9f BSDI?
>0 ubyte 0xa0 IBM Thinkpad hibernation
>0 ubyte 0xa1 HP Volume expansion (SpeedStor)
>0 ubyte 0xa3 HP Volume expansion (SpeedStor)
>0 ubyte 0xa4 HP Volume expansion (SpeedStor)
>0 ubyte 0xa5 386BSD partition type
>0 ubyte 0xa6 OpenBSD partition type
>0 ubyte 0xa7 NeXTSTEP 486
>0 ubyte 0xa8 Apple UFS
>0 ubyte 0xa9 NetBSD partition type
>0 ubyte 0xaa Olivetty Fat12 1.44MB Service part
>0 ubyte 0xab Apple Boot
>0 ubyte 0xae SHAG OS filesystem
>0 ubyte 0xaf Apple HFS
>0 ubyte 0xb0 BootStar Dummy
>0 ubyte 0xb1 reserved
>0 ubyte 0xb3 reserved
>0 ubyte 0xb4 reserved
>0 ubyte 0xb6 reserved
>0 ubyte 0xb7 BSDI BSD/386 filesystem
>0 ubyte 0xb8 BSDI BSD/386 swap
>0 ubyte 0xbb Boot Wizard Hidden
>0 ubyte 0xbe Solaris 8 partition type
>0 ubyte 0xbf Solaris partition type
>0 ubyte 0xc0 CTOS
>0 ubyte 0xc1 DRDOS/sec (FAT-12)
>0 ubyte 0xc2 Hidden Linux
>0 ubyte 0xc3 Hidden Linux swap
>0 ubyte 0xc4 DRDOS/sec (FAT-16, < 32M)
>0 ubyte 0xc5 DRDOS/sec (EXT)
>0 ubyte 0xc6 DRDOS/sec (FAT-16, >= 32M)
>0 ubyte 0xc7 Syrinx (Cyrnix?)
or HPFS disabled
>0 ubyte 0xc8 Reserved for DR-DOS 8.0+
>0 ubyte 0xc9 Reserved for DR-DOS 8.0+
>0 ubyte 0xca Reserved for DR-DOS 8.0+
>0 ubyte 0xcb DR-DOS 7.04+ Secured FAT32 CHS
>0 ubyte 0xcc DR-DOS 7.04+ Secured FAT32 LBA
>0 ubyte 0xcd CTOS Memdump
>0 ubyte 0xce DR-DOS 7.04+ FAT16X LBA
>0 ubyte 0xcf DR-DOS 7.04+ EXT LBA
>0 ubyte 0xd0 REAL/32 secure big partition
>0 ubyte 0xd1 Old Multiuser DOS FAT12
>0 ubyte 0xd4 Old Multiuser DOS FAT16 Small
>0 ubyte 0xd5 Old Multiuser DOS Extended
>0 ubyte 0xd6 Old Multiuser DOS FAT16 Big
>0 ubyte 0xd8 CP/M 86
>0 ubyte 0xdb CP/M or Concurrent CP/M
>0 ubyte 0xdd Hidden CTOS Memdump
>0 ubyte 0xde Dell PowerEdge Server utilities
>0 ubyte 0xdf DG/UX virtual disk manager
>0 ubyte 0xe0 STMicroelectronics ST AVFS
>0 ubyte 0xe1 DOS access or SpeedStor 12-bit
>0 ubyte 0xe3 DOS R/O or Storage Dimensions
>0 ubyte 0xe4 SpeedStor 16-bit FAT < 1024 cyl.
>0 ubyte 0xe5 reserved
>0 ubyte 0xe6 reserved
>0 ubyte 0xeb BeOS
>0 ubyte 0xee GPT Protective MBR
>0 ubyte 0xef EFI system partition
>0 ubyte 0xf0 Linux PA-RISC boot loader
>0 ubyte 0xf1 SpeedStor or Storage Dimensions
>0 ubyte 0xf2 DOS 3.3+ Secondary
>0 ubyte 0xf3 reserved
>0 ubyte 0xf4 SpeedStor large partition
>0 ubyte 0xf5 Prologue multi-volumen partition
>0 ubyte 0xf6 reserved
>0 ubyte 0xf9 pCache: ext2/ext3 persistent cache
>0 ubyte 0xfa Bochs x86 emulator
>0 ubyte 0xfb VMware File System
>0 ubyte 0xfc VMware Swap
>0 ubyte 0xfd Linux RAID partition persistent sb
>0 ubyte 0xfe LANstep or IBM PS/2 IML
>0 ubyte 0xff Xenix Bad Block Table

0 string \366\366\366\366 PC formatted floppy with no filesystem
# Sun disk labels
# From /usr/include/sun/dklabel.h:
0774 beshort 0xdabe
# modified by Joerg Jenderek, because original test
# succeeds for Cabinet archive dao360.dl_ with negative blocks
>0770 long >0 Sun disk label
>>0 string x '%s
>>>31 string >\0 \b%s
>>>>63 string >\0 \b%s
>>>>>95 string >\0 \b%s
>>0 string x \b'
>>0734 short >0 %d rpm,
>>0736 short >0 %d phys cys,
>>0740 short >0 %d alts/cyl,
>>0746 short >0 %d interleave,
>>0750 short >0 %d
data cyls,
>>0752 short >0 %d alt cyls,
>>0754 short >0 %d heads/partition,
>>0756 short >0 %d sectors/track,
>>0764 long >0 start cyl %d,
>>0770 long x %d blocks
# Is there a boot block written 1 sector in?
>512 belong&077777777 0600407 \b, boot block present

# Joerg Jenderek: Smart Boot Manager backup file is 25 (MSDOS) or 41 (LINUX) byte header + first sectors of disk
# (http://btmgr.sourceforge.net/docs/user-guide-3.html)
0 string SBMBAKUP_ Smart Boot Manager backup file
>9 string x \b, version %-5.5s
>>14 string =_
>>>15 string x %-.1s
>>>>16 string =_ \b.
>>>>>17 string x \b%-.1s
>>>>>>18 string =_ \b.
>>>>>>>19 string x \b%-.1s
>>>22 ubyte 0
>>>>21 ubyte x \b, from drive 0x%x
>>>22 ubyte >0
>>>>21 string x \b, from drive %s
>>>535 search/17 \x55\xAA
>>>>&-512 indirect x \b; contains

# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0 string DOSEMU\0
>0x27E leshort 0xAA55
#offset is 128
>>19 ubyte 128
>>>(19.b-1) ubyte 0x0 DOS Emulator image
>>>>7 ulelong >0 \b, %u heads
>>>>11 ulelong >0 \b, %d sectors/track
>>>>15 ulelong >0 \b, %d cylinders
>>>>128 indirect x \b; contains

# added by Joerg Jenderek at Nov 2012
# http://www.thenakedpc.com/articles/v04/08/0408-05.html
# Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data
0 string PNCIHISK\0 Norton Utilities disc image data
# real x86 boot sector with jump instruction
>509 search/1026 \x55\xAA\xeb
>>&-1 indirect x \b; contains
# http://file-extension.net/seeker/file_extension_dat
0 string PNCIUNDO Norton Disk Doctor UnDo file
#

# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013
# for any allowed sector sizes
30 search/481 \x55\xAA
# to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111)
# DOS BPB information (70) and after DOS floppy (120) like in previous file version
!:strength +65
# for sector sizes < 512
Bytes
>11 uleshort <512
>>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector
# for sector sizes with 512 or more Bytes
>0x1FE leshort 0xAA55 DOS/MBR boot sector

# keep old DOS/MBR boot sector as dummy for mbr and bootloader displaying
# only for sector sizes with 512 or more Bytes
0x1FE leshort 0xAA55 DOS/MBR boot sector
#
# to display information (50) before DOS BPB (strength=70) and after DOS floppy (120) like in old file version
!:strength +65
>2 string OSBS OS/BS MBR
# added by Joerg Jenderek at Feb 2013 according to https://thestarman.pcministry.com/asm/mbr/
# and https://en.wikipedia.org/wiki/Master_Boot_Record
# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by
# characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00
>0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR
# Microsoft Windows 95A and early ( https://thestarman.pcministry.com/asm/mbr/STDMBR.htm )
# assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld
>>8 ubequad 0x8bf45007501ffbfc
# https://thestarman.pcministry.com/asm/mbr/200MBR.htm
>>>0x16 ubyte 0xF3 \b,DOS 2
>>>>219 regex Author\ -\ Author:
# found "David Litton" , "A Pehrsson "
>>>>>&0 string x "%s"
>>>0x16 ubyte 0xF2
# NEC MS-DOS 3.30 Rev. 3 .
See https://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm
# assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz
>>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3
# version MS-DOS 3.30 til MS-Windows 95A (WinVer=4.00.1111)
>>>>0x22 default x \b,D0S version 3.3-7.0
# error messages are printed by assembler instructions: mov si,06nn;...;int 10 (0xBEnn06;...)
# where nn is string offset varying for different languages
# "Invalid partition table" nn=0x8b for english version
>>>>>(0x49.b) string Invalid\ partition\ table english
>>>>>(0x49.b) string Ung\201ltige\ Partitionstabelle german
>>>>>(0x49.b) string Table\ de\ partition\ invalide french
>>>>>(0x49.b) string Tabela\ de\ parti\207ao\ inv\240lida portuguese
>>>>>(0x49.b) string Tabla\ de\ partici\242n\ no\ v\240lida spanish
>>>>>(0x49.b) string Tavola\ delle\ partizioni\ non\ valida italian
>>>>>0x49 ubyte >0 at offset 0x%x
>>>>>>(0x49.b) string >\0 "%s"
# "Error loading operating system" nn=0xa3 for english version
# "Fehler beim Laden des Betriebssystems" nn=0xa7 for german version
# "Erreur en chargeant syst\212me d'exploitation" nn=0xa7 for french version
# "Erro na inicializa\207ao do sistema operacional" nn=0xa7 for portuguese Brazilian version
# "Error al cargar sistema operativo" nn=0xa8 for spanish version
# "Errore durante il caricamento del sistema operativo" nn=0xae for italian version
>>>>>0x74 ubyte >0 at offset 0x%x
>>>>>>(0x74.b) string >\0 "%s"
# "Missing operating system" nn=0xc2 for english version
# "Betriebssystem fehlt" nn=0xcd for german version
# "Syst\212me d'exploitation absent" nn=0xd2 for french version
# "Sistema operacional nao encontrado" nn=0xd4 for portuguese Brazilian version
# "Falta sistema operativo" nn=0xca for spanish version
# "Sistema operativo mancante" nn=0xe2 for italian version
>>>>>0x79 ubyte >0 at offset 0x%x
>>>>>>(0x79.b) string >\0 "%s"
# Microsoft Windows 95B to XP (https://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm)
# assembler instructions: push ax;pop es;push ax;pop ds;cld;mov
si,7c1b
>>8 ubequad 0x5007501ffcbe1b7c
# assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04
>>>24 ubequad 0xf3a4cbbebe07b104 9M
# "Invalid partition table" nn=0x10F for english version
# "Ung\201ltige Partitionstabelle" nn=0x10F for german version
# "Table de partition erron\202e" nn=0x10F for french version
# "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x10F for russian version
>>>>(0x3C.b+0x0FF) string Invalid\ partition\ table english
>>>>(0x3C.b+0x0FF) string Ung\201ltige\ Partitionstabelle german
>>>>(0x3C.b+0x0FF) string Table\ de\ partition\ erron\202e french
>>>>(0x3C.b+0x0FF) string \215\245\257\340\240\242\250\253\354\255\240\357\ \342\240\241\253\250\346\240 russian
>>>>0x3C ubyte x at offset 0x%x+0xFF
>>>>(0x3C.b+0x0FF) string >\0 "%s"
# "Error loading operating system" nn=0x127 for english version
# "Fehler beim Laden des Betriebssystems" nn=0x12b for german version
# "Erreur lors du chargement du syst\212me d'exploitation" nn=0x12a for french version
# "\216\350\250\241\252\240 \257\340\250 \247\240\243\340\343\247\252\245 \256\257\245\340\240\346\250\256\255\255\256\251 \341\250\341\342\245\254\353" nn=0x12d for russian version
>>>>0xBD ubyte x at offset 0x1%x
>>>>(0xBD.b+0x100) string >\0 "%s"
# "Missing operating system" nn=0x146 for english version
# "Betriebssystem fehlt" nn=0x151 for german version
# "Syst\212me d'exploitation manquant" nn=0x15e for french version
# "\216\257\245\340\240\346\250\256\255\255\240\357 \341\250\341\342\245\254\240 \255\245 \255\240\251\244\245\255\240" nn=0x156 for russian version
>>>>0xA9 ubyte x at offset 0x1%x
>>>>(0xA9.b+0x100) string >\0 "%s"
# https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm
# assembler instructions: rep;movsb;retf;mov BP,07be;mov cl,04
>>>24 ubequad 0xf3a4cbbdbe07b104 XP
# where xxyyzz are lower bits from offsets of error messages varying for different languages
>>>>0x1B4 ubelong&0x00FFFFFF 0x002c4463 english
>>>>0x1B4
ubelong&0x00FFFFFF 0x002c486e german
# "Invalid partition table" xx=0x12C for english version
# "Ung\201ltige Partitionstabelle" xx=0x12C for german version
>>>>0x1b5 ubyte >0 at offset 0x1%x
>>>>(0x1b5.b+0x100) string >\0 "%s"
# "Error loading operating system" yy=0x144 for english version
# "Fehler beim Laden des Betriebssystems" yy=0x148 for german version
>>>>0x1b6 ubyte >0 at offset 0x1%x
>>>>(0x1b6.b+0x100) string >\0 "%s"
# "Missing operating system" zz=0x163 for english version
# "Betriebssystem nicht vorhanden" zz=0x16e for german version
>>>>0x1b7 ubyte >0 at offset 0x1%x
>>>>(0x1b7.b+0x100) string >\0 "%s"
# Microsoft Windows Vista or 7
# assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00
>>8 ubequad 0xc08ed8be007cbf00
# Microsoft Windows Vista (https://thestarman.pcministry.com/asm/mbr/VistaMBR.htm)
# assembler instructions: jnz 0729;cmp ebx,"TCPA"
>>>0xEC ubequad 0x753b6681fb544350 Vista
# where xxyyzz are lower bits from offsets of error messages varying for different languages
>>>>0x1B4 ubelong&0x00FFFFFF 0x00627a99 english
#>>>>0x1B4 ubelong&0x00FFFFFF ? german
# "Invalid partition table" xx=0x162 for english version
# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version
>>>>0x1b5 ubyte >0 at offset 0x1%x
>>>>(0x1b5.b+0x100) string >\0 "%s"
# "Error loading operating system" yy=0x17a for english version
# "Fehler beim Laden des Betriebssystems" yy= 0x1?? for german version
>>>>0x1b6 ubyte >0 at offset 0x1%x
>>>>(0x1b6.b+0x100) string >\0 "%s"
# "Missing operating system" zz=0x199 for english version
# "Betriebssystem nicht vorhanden" zz=0x1?? for german version
>>>>0x1b7 ubyte >0 at offset 0x1%x
>>>>(0x1b7.b+0x100) string >\0 "%s"
# Microsoft Windows 7 (https://thestarman.pcministry.com/asm/mbr/W7MBR.htm)
# assembler instructions: cmp ebx,"TCPA";cmp
>>>0xEC ubequad 0x6681fb5443504175 Windows 7
# where xxyyzz are lower bits from offsets of error messages varying for different languages
>>>>0x1B4 ubelong&0x00FFFFFF 0x00637b9a english
#>>>>0x1B4 ubelong&0x00FFFFFF ?
german
# "Invalid partition table" xx=0x163 for english version
# "Ung\201ltige Partitionstabelle" xx=0x1?? for german version
>>>>0x1b5 ubyte >0 at offset 0x1%x
>>>>(0x1b5.b+0x100) string >\0 "%s"
# "Error loading operating system" yy=0x17b for english version
# "Fehler beim Laden des Betriebssystems" yy=0x1?? for german version
>>>>0x1b6 ubyte >0 at offset 0x1%x
>>>>(0x1b6.b+0x100) string >\0 "%s"
# "Missing operating system" zz=0x19a for english version
# "Betriebssystem nicht vorhanden" zz=0x1?? for german version
>>>>0x1b7 ubyte >0 at offset 0x1%x
>>>>(0x1b7.b+0x100) string >\0 "%s"
# https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DiskSigs
# https://en.wikipedia.org/wiki/MBR_disk_signature#ID
>>0x1b8 ulelong >0 \b, disk signature 0x%-.4x
# driveID/timestamp for Win 95B,98,98SE and ME. See https://thestarman.pcministry.com/asm/mbr/mystery.htm
>>0xDA uleshort 0
>>>0xDC ulelong >0 \b, created
# physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive
>>>>0xDC ubyte x with driveID 0x%x
# hours, minutes and seconds
>>>>0xDf ubyte x at %x
>>>>0xDe ubyte x \b:%x
>>>>0xDd ubyte x \b:%x
# special case for Microsoft MS-DOS 3.21 spanish
# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov
>0 ubequad 0xfab830008ed0bc00
# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov
>>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish
# Microsoft MBR IPL end

# dr-dos with some upper-, lowercase variants
>0x9D string Invalid\ partition\ table$
>>181 string No\ Operating\ System$
>>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03
>0x9D string Invalid\ partition\ table$
>>181 string No\ operating\ system$
>>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03
>342 string Invalid\ partition\ table$
>>366 string No\ operating\ system$
>>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03
>295 string NEWLDR\0
>>302 string Bad\ PT\ $
>>>310 string No\ OS\ 
$>>>>317 string OS\ load\ err$>>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r>>>>>>358 string Press\ any\ key\ to\ continue.\n\r$>>>>>>>387 string Copyright\ (c)\ 1984,1998>>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR)## tests for different MS-DOS Master Boot Records (MBR) moved and merged##>0x145 string Default:\ F \b, FREE-DOS MBR#>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR>0x145 search/7 Default:\ F \b, FREE-DOS MBR#>>313 string F0\ .\ .\ .#>>>322 string disk\ 1#>>>>382 string FAT3>64 string no\ active\ partition\ found>>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR# Ranish Partition Manager http://www.ranish.com/part/>387 search/4 \0\ Error!\r>>378 search/7 Virus!>>>397 search/4 Booting\040>>>>408 search/4 HD1/\0 \b, Ranish MBR (>>>>>416 string Writing\ changes... \b2.37>>>>>>438 ubyte x \b,0x%x dots>>>>>>440 ubyte >0 \b,virus check>>>>>>441 ubyte >0 \b,partition %c#2.38,2.42,2.44>>>>>416 string !Writing\ changes... \b>>>>>>418 ubyte 1 \bvirus check,>>>>>>419 ubyte x \b0x%x seconds>>>>>>420 ubyte&0x0F >0 \b,partition>>>>>>>420 ubyte&0x0F <5 \b %x>>>>>>>420 ubyte&0x0F 0Xf \b ask>>>>>420 ubyte x \b)## SYSLINUX MBR moved# https://www.acronis.de/>362 string MBR\ Error\ \0\r>>376 string ress\ any\ key\ to\040>>>392 string boot\ from\ floppy...\0 \b, Acronis MBR# added by Joerg Jenderek# https://www.visopsys.org/# https://partitionlogic.org.uk/>309 string No\ bootable\ partition\ found\r>>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR>349 string No\ bootable\ partition\ found\r>>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR# bootloader, bootmanager>0x40 string SBML# label with 11 characters of FAT 12 bit filesystem>>43 string SMART\ BTMGR>>>430 string SBMK\ Bad!\r \b, Smart Boot Manager# OEM-ID not always "SBM"#>>>>3 strings SBM>>>>6 string >\0 \b, version %s>382 string XOSLLOADXCF \b, eXtended Operating System Loader>6 string LILO \b, LInux i386 boot LOader>>120 string LILO \b, 
version 22.3.4 SuSe>>172 string LILO \b, version 22.5.8 Debian# updated by Joerg Jenderek at Oct 2008# variables according to grub-0.97/stage1/stage1.S or# https://www.gnu.org/software/grub/manual/grub.html#Embedded-data# usual values are marked with comments to get only informations of strange GRUB loaders>342 search/60 \0Geom\0#>0 ulelong x %x=0x009048EB , 0x2a9048EB 0>>0x41 ubyte <2>>>0x3E ubyte >2 \b; GRand Unified Bootloader# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90>>>>0x3E ubyte x \b, stage1 version 0x%x#If it is 0xFF, use a drive passed by BIOS>>>>0x40 ubyte <0xFF \b, boot drive 0x%x# in most case 0,1,0x2e for GRUB 0.5.95>>>>0x41 ubyte >0 \b, LBA flag 0x%x>>>>0x42 uleshort <0x8000 \b, stage2 address 0x%x#>>>>0x42 uleshort =0x8000 \b, stage2 address 0x%x (usual)>>>>0x42 uleshort >0x8000 \b, stage2 address 0x%x#>>>>0x44 ulelong =1 \b, 1st sector stage2 0x%x (default)>>>>0x44 ulelong >1 \b, 1st sector stage2 0x%x>>>>0x48 uleshort <0x800 \b, stage2 segment 0x%x#>>>>0x48 uleshort =0x800 \b, stage2 segment 0x%x (usual)>>>>0x48 uleshort >0x800 \b, stage2 segment 0x%x>>>>402 string Geom\0Hard\ Disk\0Read\0\ Error\0>>>>>394 string stage1 \b, GRUB version 0.5.95>>>>382 string Geom\0Hard\ Disk\0Read\0\ Error\0>>>>>376 string GRUB\ \0 \b, GRUB version 0.93 or 1.94>>>>383 string Geom\0Hard\ Disk\0Read\0\ Error\0>>>>>377 string GRUB\ \0 \b, GRUB version 0.94>>>>385 string Geom\0Hard\ Disk\0Read\0\ Error\0>>>>>379 string GRUB\ \0 \b, GRUB version 0.95 or 0.96>>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0>>>>>385 string GRUB\ \0 \b, GRUB version 0.97# unknown version>>>343 string Geom\0Read\0\ Error\0>>>>321 string Loading\ stage1.5 \b, GRUB version x.y>>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0>>>>374 string GRUB\ \0 \b, GRUB version n.m# SYSLINUX bootloader moved>395 string chksum\0\ ERROR!\0 \b, Gujin bootloader# http://www.bcdwb.de/bcdw/index_e.htm>3 string BCDL>>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z)# mbr partition table entries updated by 
Joerg Jenderek at Sep 2013# skip Norton Utilities disc image data>3 string !IHISK# skip Linux style boot sector starting with assember instructions mov 0x7c0,ax;>>0 belong !0xb8c0078e# not Linux kernel>>>514 string !HdrS# not BeOS>>>>422 string !Be\ Boot\ Loader# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr>>>>>0 ubelong&0xFD000000 =0xE9000000# AdvanceMAME mbr>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e>>>>>>>446 use partition-table# mbr, Norton Utilities disc image data, or 2nd,etc. sector of x86 bootloader>>>>>0 ubelong&0xFD000000 !0xE9000000# skip FSInfosector>>>>>>0 string !RRaA# skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX,# https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm>>>>>>>0 ubequad !0xfa660fb64610668b# skip 13rd sector of MS x86 bootloader>>>>>>>>0 ubequad !0x660fb64610668b4e# skip sector starting with DOS new line>>>>>>>>>0 string !\r\n# allowed active flag 0,80h-FFh>>>>>>>>>>446 ubyte 0>>>>>>>>>>>446 use partition-table>>>>>>>>>>446 ubyte >0x7F>>>>>>>>>>>446 use partition-table# TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries# mbr partition table entries end# https://www.acronis.de/#FAT label=ACRONIS\ SZ#OEM-ID=BOOTWIZ0>442 string Non-system\ disk,\040>>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader# updated by Joerg Jenderek at Nov 2012, Sep 2013# DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes# display 1 space>>>447 ubyte x \b>>>477 use DOS-filename#>185 string FDBOOT\ Version\040>>204 string \rNo\ Systemdisk.\040>>>220 string Booting\ from\ harddisk.\n\r>>>245 string Cannot\ load\ from\ harddisk.\n\r>>>>273 string Insert\ Systemdisk\040>>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader>>>>>>200 string >\0 \b, version %-3s>242 string Bootsector\ from\ C.H.\ Hochst\204# http://freecode.com/projects/dosfstools dosfstools-n.m/src/mkdosfs.c# updated by 
# Joerg Jenderek at Nov 2012. Use search directive with offset instead of string
# skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut
>242 search/127 Bootsector\ from\ C.H.\ Hochst
>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk
# followed by variants with point,CR-NL or NL-CR
>>>208 search/261 Cannot\ load\ from\ harddisk.
# followed by variants CR-NL or NL-CR
>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key.
# followed by variants with point,CR-NL or NL-CR
>>>>>180 search/96 Disk\ formatted\ with\ WinImage\  \b, WinImage harddisk Bootloader
# followed by string like "6.50 (c) 1993-2004 Gilles Vollant"
>>>>>>&0 string x \b, version %-4.4s
>(1.b+2) ubyte 0xe
>>(1.b+3) ubyte 0x1f
>>>(1.b+4) ubyte 0xbe
# message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others
>>>>(1.b+5) ubyte&0xd3 0x53
>>>>>(1.b+6) ubyte 0x7c
# assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah,
>>>>>>(1.b+7) ubyte 0xac
>>>>>>>(1.b+8) ubyte 0x22
>>>>>>>>(1.b+9) ubyte 0xc0
>>>>>>>>>(1.b+10) ubyte 0x74
>>>>>>>>>>(1.b+11) ubyte 0x0b
>>>>>>>>>>>(1.b+12) ubyte 0x56
>>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display
# FAT1X version
>>>>>>>>>>>>>(1.b+5) ubyte 0x5b
>>>>>>>>>>>>>>0x5b string >\0 "%-s"
# FAT32 version
>>>>>>>>>>>>>(1.b+5) ubyte 0x77
>>>>>>>>>>>>>>0x77 string >\0 "%-s"
>214 string Please\ try\ to\ install\ FreeDOS\  \b, DOS Emulator boot message display
#>>244 string from\ dosemu-freedos-*-bin.tgz\r
#>>>170 string Sorry,\ could\ not\ load\ an\040
#>>>>195 string operating\ system.\r\n
#
>103 string This\ is\ not\ a\ bootable\ disk.\040
>>132 string Please\ insert\ a\ bootable\040
>>>157 string floppy\ and\r\n
>>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display
#
>66 string Solaris\ Boot\ Sector
>>99 string Incomplete\ MDBoot\ load.
>>>89 string Version \b, Sun Solaris Bootloader
>>>>97 byte x version %c
#
>408 string OS/2\ !!\ SYS01475\r\0
>>429 string OS/2\ !!\ SYS02025\r\0
>>>450 string OS/2\ !!\ SYS02027\r\0
>>>469 string OS2BOOT\ \ \ \  \b, IBM OS/2 Warp bootloader
#
>409 string OS/2\ !!\ SYS01475\r\0
>>430 string OS/2\ !!\ SYS02025\r\0
>>>451 string OS/2\ !!\ SYS02027\r\0
>>>470 string OS2BOOT\ \ \ \  \b, IBM OS/2 Warp Bootloader
>112 string This\ disk\ is\ not\ bootable\r
>>142 string If\ you\ wish\ to\ make\ it\ bootable
>>>176 string run\ the\ DOS\ program\ SYS\040
>>>200 string after\ the\r
>>>>216 string system\ has\ been\ loaded\r\n
>>>>>242 string Please\ insert\ a\ DOS\ diskette\040
>>>>>271 string into\r\n\ the\ drive\ and\040
>>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display
# XP
>430 string NTLDR\ is\ missing\xFF\r\n
>>449 string Disk\ error\xFF\r\n
>>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader
# DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes
>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\  \b.%-.3s
#
>>>>371 ubyte >0x20
>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
#
>430 string NTLDR\ nicht\ gefunden\xFF\r\n
>>453 string Datentr\204gerfehler\xFF\r\n
>>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german)
>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\  \b.%-.3s
# offset variant
>>>>379 string \0
>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
#
>430 string NTLDR\ fehlt\xFF\r\n
>>444 string Datentr\204gerfehler\xFF\r\n
>>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german)
>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\  \b.%-.3s
# variant
>>>>371 ubyte >0x20
>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
#
>430 string NTLDR\ fehlt\xFF\r\n
>>444 string Medienfehler\xFF\r\n
>>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german)
>>>>371 ubyte >0x20
>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
# variant
>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\  \b.%-.3s
#
>430 string Datentr\204ger\ entfernen\xFF\r\n
>>454 string Medienfehler\xFF\r\n
>>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german)
>>>>379 string \0
>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
# variant
>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\  \b.%-.3s
#
#>3 string NTFS\ \ \ \040
>389 string Fehler\ beim\ Lesen\040
>>407 string des\ Datentr\204gers
>>>426 string NTLDR\ fehlt
>>>>440 string NTLDR\ ist\ komprimiert
>>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german)
#>3 string NTFS\ \ \ \040
>313 string A\ disk\ read\ error\ occurred.\r
>>345 string A\ kernel\ file\ is\ missing\040
>>>370 string from\ the\ disk.\r
>>>>484 string NTLDR\ is\ compressed
>>>>>429 string Insert\ a\ system\ diskette\040
>>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS
# DOS loader variants different languages,offsets
>472 ubyte&0xDF >0
>>389 string Invalid\ system\ disk\xFF\r\n
>>>411 string Disk\ I/O\ error
>>>>428 string Replace\ the\ disk,\ and\040
>>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader
#IO.SYS
>>>>>>472 ubyte&0xDF >0
>>>>>>>472 string x \b %-.2s
>>>>>>>>474 ubyte&0xDF >0
>>>>>>>>>474 string x \b%-.5s
>>>>>>>>>>479 ubyte&0xDF >0
>>>>>>>>>>>479 string x \b%-.1s
>>>>>>>480 ubyte&0xDF >0
>>>>>>>>480 string x \b.%-.3s
#MSDOS.SYS
>>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>>483 string x \b%-.5s
>>>>>>>>>488 ubyte&0xDF >0
>>>>>>>>>>488 string x \b%-.3s
>>>>>>>>491 ubyte&0xDF >0
>>>>>>>>>491 string x \b.%-.3s
#
>>390 string Invalid\ system\ disk\xFF\r\n
>>>412 string Disk\ I/O\ error\xFF\r\n
>>>>429 string Replace\ the\ disk,\ and\040
>>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader
>>388 string Ungueltiges\ System\ \xFF\r\n
>>>410 string E/A-Fehler\ \ \ \ \xFF\r\n
>>>>427 string Datentraeger\ wechseln\ und\040
>>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german)
#WINBOOT.SYS only not spaces (0xDF)
>>>>>>497 ubyte&0xDF >0
>>>>>>>497 string x %-.5s
>>>>>>>>502 ubyte&0xDF >0
>>>>>>>>>502 string x \b%-.1s
>>>>>>>>>>503 ubyte&0xDF >0
>>>>>>>>>>>503 string x \b%-.1s
>>>>>>>>>>>>504 ubyte&0xDF >0
>>>>>>>>>>>>>504 string x \b%-.1s
>>>>>>505 ubyte&0xDF >0
>>>>>>>505 string x \b.%-.3s
#IO.SYS
>>>>>>472 ubyte&0xDF >0 or
>>>>>>>472 string x \b %-.2s
>>>>>>>>474 ubyte&0xDF >0
>>>>>>>>>474 string x \b%-.5s
>>>>>>>>>>479 ubyte&0xDF >0
>>>>>>>>>>>479 string x \b%-.1s
>>>>>>>480 ubyte&0xDF >0
>>>>>>>>480 string x \b.%-.3s
#MSDOS.SYS
>>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>>483 string x \b%-.5s
>>>>>>>>>488 ubyte&0xDF >0
>>>>>>>>>>488 string x \b%-.3s
>>>>>>>>491 ubyte&0xDF >0
>>>>>>>>>491 string x \b.%-.3s
#
>>390 string Ungueltiges\ System\ \xFF\r\n
>>>412 string E/A-Fehler\ \ \ \ \xFF\r\n
>>>>429 string Datentraeger\ wechseln\ und\040
>>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German)
#WINBOOT.SYS only not spaces (0xDF)
>>>>>>497 ubyte&0xDF >0
>>>>>>>497 string x %-.7s
>>>>>>>>504 ubyte&0xDF >0
>>>>>>>>>504 string x \b%-.1s
>>>>>>505 ubyte&0xDF >0
>>>>>>>505 string x \b.%-.3s
#IO.SYS
>>>>>>472 ubyte&0xDF >0 or
>>>>>>>472 string x \b %-.2s
>>>>>>>>474 ubyte&0xDF >0
>>>>>>>>>474 string x \b%-.6s
>>>>>>>480 ubyte&0xDF >0
>>>>>>>>480 string x \b.%-.3s
#MSDOS.SYS
>>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>>483 string x \b%-.5s
>>>>>>>>>488 ubyte&0xDF >0
>>>>>>>>>>488 string x \b%-.3s
>>>>>>>>491 ubyte&0xDF >0
>>>>>>>>>491 string x \b.%-.3s
#
>>389 string Ungueltiges\ System\ \xFF\r\n
>>>411 string E/A-Fehler\ \ \ \ \xFF\r\n
>>>>428 string Datentraeger\ wechseln\ und\040
>>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN)
# DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes
>>>>>>472 string x %-.2s
>>>>>>>474 ubyte&0xDF >0
>>>>>>>>474 string x \b%-.5s
>>>>>>>>479 ubyte&0xDF >0
>>>>>>>>>479 string x \b%-.1s
>>>>>>480 ubyte&0xDF >0
>>>>>>>480 string x \b.%-.3s
>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>483 string x \b%-.5s
>>>>>>>488 ubyte&0xDF >0
>>>>>>>>488 string x \b%-.2s
>>>>>>>>490 ubyte&0xDF >0
>>>>>>>>>490 string x \b%-.1s
>>>>>>>491 ubyte&0xDF >0
>>>>>>>>491 string x \b.%-.3s
>479 ubyte&0xDF >0
>>416 string Kein\ System\ oder\040
>>>433 string Laufwerksfehler
>>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german)
#IO.SYS
>>>>>479 string x \b %-.2s
>>>>>>481 ubyte&0xDF >0
>>>>>>>481 string x \b%-.6s
>>>>>487 ubyte&0xDF >0
>>>>>>487 string x \b.%-.3s
#MSDOS.SYS
>>>>>>490 ubyte&0xDF >0 \b+
>>>>>>>490 string x \b%-.5s
>>>>>>>>495 ubyte&0xDF >0
>>>>>>>>>495 string x \b%-.3s
>>>>>>>498 ubyte&0xDF >0
>>>>>>>>498 string x \b.%-.3s
#
>376 search/41 Non-System\ disk\ or\040
>>395 search/41 disk\ error\r
>>>407 search/41 Replace\ and\040
>>>>419 search/41 press\  \b,
>>>>419 search/41 strike\  \b, old
>>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader
#449 Disk\ Boot\ failure\r MS 3.21
#466 Boot\ Failure\r MS 3.30
>>>>>468 search/18 \0
#IO.SYS,IBMBIO.COM
>>>>>>&0 string x \b %-.2s
>>>>>>>&-20 ubyte&0xDF >0
>>>>>>>>&-1 string x \b%-.4s
>>>>>>>>>&-16 ubyte&0xDF >0
>>>>>>>>>>&-1 string x \b%-.2s
>>>>>>&8 ubyte&0xDF >0 \b.
>>>>>>>&-1 string x \b%-.3s
#MSDOS.SYS,IBMDOS.COM
>>>>>>&11 ubyte&0xDF >0 \b+
>>>>>>>&-1 string x \b%-.5s
>>>>>>>>&-6 ubyte&0xDF >0
>>>>>>>>>&-1 string x \b%-.1s
>>>>>>>>>>&-5 ubyte&0xDF >0
>>>>>>>>>>>&-1 string x \b%-.2s
>>>>>>>&7 ubyte&0xDF >0 \b.
>>>>>>>>&-1 string x \b%-.3s
>441 string Cannot\ load\ from\ harddisk.\n\r
>>469 string Insert\ Systemdisk\040
>>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader
#>43 string \224R-LOADER\ \ SYS =label
>54 string SYS
>>324 string VASKK
>>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS)
#
>98 string Press\ a\ key\ to\ retry\0\r
>>120 string Cannot\ find\ file\ \0\r
>>>139 string Disk\ read\ error\0\r
>>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader
#DRBIOS.SYS
>>>>>44 ubyte&0xDF >0
>>>>>>44 string x \b %-.6s
>>>>>>>50 ubyte&0xDF >0
>>>>>>>>50 string x \b%-.2s
>>>>>>52 ubyte&0xDF >0
>>>>>>>52 string x \b.%-.3s
#
>70 string IBMBIO\ \ COM
>>472 string Cannot\ load\ DOS!\040
>>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader
>>471 string Cannot\ load\ DOS\040
>>487 string press\ key\ to\ retry \b, Open-DOS Bootloader
#??
>444 string KERNEL\ \ SYS
>>314 string BOOT\ error! \b, FREE-DOS Bootloader
>499 string KERNEL\ \ SYS
>>305 string BOOT\ err!\0 \b, Free-DOS Bootloader
>449 string KERNEL\ \ SYS
>>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader
#
>449 string Loading\ FreeDOS
>>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader
>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
#
>331 string Error!.0 \b, FREE-DOS 1.0 bootloader
#
>125 string Loading\ FreeDOS...\r
>>311 string BOOT\ error!\r \b, FREE-DOS bootloader
>>>441 ubyte&0xDF >0
>>>>441 string x \b %-.6s
>>>>>447 ubyte&0xDF >0
>>>>>>447 string x \b%-.1s
>>>>>>>448 ubyte&0xDF >0
>>>>>>>>448 string x \b%-.1s
>>>>449 ubyte&0xDF >0
>>>>>449 string x \b.%-.3s
>124 string FreeDOS\0
>>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader
# DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes
>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
>>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader
>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
>>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader
>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
>336 string Error!\040
>>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader
>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
# added by Joerg Jenderek
# https://www.visopsys.org/
# https://partitionlogic.org.uk/
# OEM-ID=Visopsys
>478 ulelong 0
>>(1.b+326) string I/O\ Error\ reading\040
>>>(1.b+344) string Visopsys\ loader\r
>>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader
# http://alexfru.chat.ru/epm.html#bootprog
>494 ubyte >0x4D
>>495 string >E
>>>495 string <S
#OEM-ID is not reliable
>>>>3 string BootProg
# It just looks for a program file name at the root directory
# and loads corresponding file with following execution.
# DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes
>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader
>>>>>499 use DOS-filename
#If the boot sector fails to read any other sector,
#it prints a very short message ("RE") to the screen and hangs the computer.
#If the boot sector fails to find needed program in the root directory,
#it also hangs with another message ("NF").
>>>>>492 string RENF \b, FAT (12 bit)
>>>>>495 string RENF \b, FAT (16 bit)
#If the boot sector fails to read any other sector,
#it prints a very short message ("RE") to the screen and hangs the computer.
# x86 bootloader end

# added by Joerg Jenderek at Feb 2013 according to https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO
# and https://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector
>0 string RRaA
>>0x1E4 string rrAa \b, FSInfosector
#>>0x1FC uleshort =0 SHOULD BE ZERO
>>>0x1E8 ulelong <0xffffffff \b, %u free clusters
>>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u

# updated by Joerg Jenderek at Sep 2007
>3 ubyte 0
#no active flag
>>446 ubyte 0
# partition 1 not empty
>>>450 ubyte >0
# partitions 3,4 empty
>>>>482 ubyte 0
>>>>>498 ubyte 0
# partition 2 ID=0,5,15
>>>>>>466 ubyte <0x10
>>>>>>>466 ubyte 0x05 \b, extended partition table
>>>>>>>466 ubyte 0x0F \b, extended partition table (LBA)
>>>>>>>466 ubyte 0x0 \b, extended partition table (last)

# DOS x86 sector separated and moved from "DOS/MBR boot sector" by Joerg Jenderek at May 2011

>0x200 lelong 0x82564557 \b, BSD disklabel

# by Joerg Jenderek at Apr 2013
# Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension
# like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS
0 name DOS-filename
# space=0x20 (00100000b) means empty
>0 ubyte&0xDF >0
>>0 ubyte x \b%c
>>>1 ubyte&0xDF >0
>>>>1 ubyte x \b%c
>>>>>2 ubyte&0xDF >0
>>>>>>2 ubyte x \b%c
>>>>>>>3 ubyte&0xDF >0
>>>>>>>>3 ubyte x \b%c
>>>>>>>>>4 ubyte&0xDF >0
>>>>>>>>>>4 ubyte x \b%c
>>>>>>>>>>>5 ubyte&0xDF >0
>>>>>>>>>>>>5 ubyte x \b%c
>>>>>>>>>>>>>6 ubyte&0xDF >0
>>>>>>>>>>>>>>6 ubyte x \b%c
>>>>>>>>>>>>>>>7 ubyte&0xDF >0
>>>>>>>>>>>>>>>>7 ubyte x \b%c
# DOS filename extension
>>8 ubyte&0xDF >0 \b.
>>>8 ubyte x \b%c
>>>>9 ubyte&0xDF >0
>>>>>9 ubyte x \b%c
>>>>>>10 ubyte&0xDF >0
>>>>>>>10 ubyte x \b%c
# Print 2 following DOS filenames from directory entry form
# like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com
0 name 2xDOS-filename
# display 1 space
>0 ubyte x \b
>0 use DOS-filename
>11 ubyte x \b+
>11 use DOS-filename

# https://en.wikipedia.org/wiki/Master_boot_record#PTE
# display standard partition table
0 name partition-table
#>0 ubyte x PARTITION-TABLE
# test and display 1st til 4th partition table entry
>0 use partition-entry-test
>16 use partition-entry-test
>32 use partition-entry-test
>48 use partition-entry-test
# test for entry of partition table
0 name partition-entry-test
# partition type ID > 0
>4 ubyte >0
# active flag 0
>>0 ubyte 0
>>>0 use partition-entry
# active flag 0x80, 0x81, ...
>>0 ubyte >0x7F
>>>0 use partition-entry
# Print entry of partition table
0 name partition-entry
# partition type ID > 0
>4 ubyte >0 \b; partition
>>64 leshort 0xAA55 1
>>48 leshort 0xAA55 2
>>32 leshort 0xAA55 3
>>16 leshort 0xAA55 4
>>4 ubyte x : ID=0x%x
>>0 ubyte&0x80 0x80 \b, active
>>0 ubyte >0x80 0x%x
>>1 ubyte x \b, start-CHS (
>>1 use partition-chs
>>5 ubyte x \b), end-CHS (
>>5 use partition-chs
>>8 ulelong x \b), startsector %u
>>12 ulelong x \b, %u sectors
# Print cylinder,head,sector (CHS) of partition entry
0 name partition-chs
# cylinder
>1 ubyte x \b0x
>1 ubyte&0xC0 0x40 \b1
>1 ubyte&0xC0 0x80 \b2
>1 ubyte&0xC0 0xC0 \b3
>2 ubyte x \b%x
# head
>0 ubyte x \b,%u
# sector
>1 ubyte&0x3F x \b,%u

# FATX
0 string FATX FATX filesystem data

# romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs- romfs filesystem, version 1
>8 belong x %d bytes,
>16 string x named %s.

# netboot image - Juan Cespedes <cespedes@debian.org>
0 lelong 0x1b031336L Netboot image,
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode

0x18b string OS/2 OS/2 Boot Manager

# updated by Joerg Jenderek at Oct 2008 and Sep 2012
# https://syslinux.zytor.com/iso.php
# tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05
# assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop
0 ulequad&0x909000007cc0eafa 0x909000007c40eafa
>631 search/689 ISOLINUX\  isolinux Loader
>>&0 string x (version %-4.4s)
# https://syslinux.zytor.com/pxe.php
# assembler instructions: jmp 7C05
0 ulelong 0x007c05ea pxelinux loader (version 2.13 or older)
# assembler instructions: pushfd;pushad
0 ulelong 0x60669c66 pxelinux loader
# assembler instructions: jmp 05
0 ulelong 0xc00005ea pxelinux loader (version 3.70 or newer)
# https://syslinux.zytor.com/wiki/index.php/SYSLINUX
0 string LDLINUX\ SYS\  SYSLINUX loader
>12 string x (older version %-4.4s)
0 string \r\nSYSLINUX\  SYSLINUX loader
>11 string x (version %-4.4s)
# syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012
# assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX"
0 ulelong&0x80909bEB 0x009018EB
# OEM-ID not always "SYSLINUX"
>434 search/47 Boot\ failed
# followed by \r\n\0 or
# :\
>>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older)
>>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9)
>459 search/30 Boot\ error\r\n\0
>>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer)
# SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012
# assembler instructions: mov di,0600h;mov cx,0100h
16 search/4 \xbf\x00\x06\xb9\x00\x01
# to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21)
!:strength +36
>94 search/249 Missing\ operating\ system
# followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other
# skip Ranish MBR
>>408 search/4 HD1/\0
>>408 default x
>>>250 search/118 \0Operating\ system\ load SYSLINUX MBR
# followed by "ing " or space
>>>>292 search/98 error
>>>>>&0 string \r (version 3.35 or older)
>>>>>&0 string .\r (version 3.52 or newer)
>>>>>&0 default x (version 3.36-3.51 )
>368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR
>>156 search/10 \0Boot\ partition\ not\ found\r\n
>>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older)
>>174 search/10 \0Missing\ OS\r\n
>>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer)
# SYSLINUX END

# NetBSD mbr variants (master-boot-code version 1.22) added by Joerg Jenderek at Nov 2012
# assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax,
0 ubequad 0x31c08ed0bc007c8e
# mbr_bootsel magic before partition table not reliable with small ipl fragments
#>444 uleshort 0xb5e1
>0004 uleshort x
# ERRorTeXT
>>181 search/166 Error\ \0\r\n NetBSD mbr
# NT Drive Serial Number https://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS
>>>0x1B8 ubelong >0 \b,Serial 0x%-.8x
# BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx
>>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector
# BOOT_EXTENDED definitions contains assembler instructions:
# xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13
>>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended
# COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al
>>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO
# not TERSE_ERROR
>>>196 search/106 No\ active\ partition\0
>>>>&0 string Disk\ read\ error\0
>>>>>&0 string No\ operating\ system\0 \b,verbose
# not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13
>>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS
# not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13
>>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check
# assembler instructions: movw nametab,bx
>>>0x26 search/21 \xBB\x94\x07
# not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf
>>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94
>>>>>181 search/166 Error\ \0
# "a: disk" , "Fn: diskn" or "NetBSD MBR boot"
>>>>>>&3 string x \b,"%s"
>>>446 use partition-table
# Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html
# added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4
# assembler instructions: jmp short 0x58;nop;ASCII
0 ubequad&0xeb58908000000000 0xeb58900000000000
# assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss,
>(1.b+2) ubequad 0xfa31c08ed88ec08e
# Error messages at end of code
>>376 string No\ operating\ system\r\n\0
>>>398 string Disk\ error\r\n\0FDD\0HDD\0
>>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr

# Neil Turton mbr loader variant of https://www.chiark.greenend.org.uk/~neilt/mbr/
# added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11
# for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI,
# or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS,
0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC
# pointer to the data starting with Neil Turton signature string
>(0x1BC.s) string NDTmbr
>>&-14 string 1234F\0 Turton mbr (
# parameters also viewed by install-mbr --list
>>>(0x1BC.s+7) ubyte x \b%u<=
>>>(0x1BC.s+9) ubyte x \bVersion<=%u
#>>>(0x1BC.s+8) ubyte x asm_flag_%x
>>>(0x1BC.s+8) ubyte&1 1 \b,Y2K-Fix
# variant used by testdisk of https://www.cgsecurity.org/wiki/Menu_MBRCode
>>>(0x1BC.s+8) ubyte&2 2 \b,TestDisk
#0x1~1,..,0x8~4,0x10~F,0x80~A enabled
#>>>(0x1BC.s+10) ubyte x \b,flags 0x%x
#0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot
#>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x
# for older versions
>>>(0x1BC.s+9) ubyte <2
#>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds
>>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds
# floppy A: or B:
>>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x
>>>>(0x1BC.s+13) ubyte >1
# 1st hard disc
#>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x
# not 1st hard disc
>>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x
# for version >= 2 maximal timeout can be 65534
>>>(0x1BC.s+9) ubyte >1
#>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds
>>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds
# floppy A: or B:
>>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x
>>>>(0x1BC.s+14) ubyte >1
# 1st hard disc
#>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x
# not 1st hard disc
>>>>>(0x1BC.s+14) ubyte !0x80 \b,drive 0x%x
>>>0 ubyte x \b)

# added by Joerg Jenderek
# In the second sector (+0x200) are variables according to grub-0.97/stage2/asm.S or
# grub-1.94/kern/i386/pc/startup.S
# https://www.gnu.org/software/grub/manual/grub.html#Embedded-data
# usual values are marked with comments to get only informations of strange GRUB loaders
0x200 uleshort 0x70EA
# found only version 3.{1,2}
>0x206 ubeshort >0x0300
# GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00"
>>0x212 ubyte >0x29
>>>0x213 ubyte >0x29
# not iso9660_stage1_5
#>>>0 ulelong&0x00BE5652 0x00BE5652
>>>>0x213 ubyte >0x29 GRand Unified Bootloader
# config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2"
>>>>0x217 ubyte 0xFF stage1_5
>>>>0x217 ubyte <0xFF stage2
>>>>0x206 ubyte x \b version %u
>>>>0x207 ubyte x \b.%u
# module_size for 1.94
>>>>0x208 ulelong <0xffffff \b, installed partition %u
#>>>>0x208 ulelong =0xffffff \b, %lu (default)
>>>>0x208 ulelong >0xffffff \b, installed partition %u
# GRUB 0.5.95 unofficial
>>>>0x20C ulelong&0x2E300000 0x2E300000
# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs
>>>>>0x20C ubyte x \b, identifier 0x%x
#>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default)
>>>>>0x20D ubyte >0 \b, LBA flag 0x%x
# GRUB version as string
>>>>>0x20E string >\0 \b, GRUB version %-s
# for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default
>>>>>>0x215 ulong 0xffffffff
>>>>>>>0x219 string >\0 \b, configuration file %-s
>>>>>>0x215 ulong !0xffffffff
>>>>>>>0x215 string >\0 \b, configuration file %-s
# newer GRUB versions
>>>>0x20C ulelong&0x2E300000 !0x2E300000
#
#>>>>>0x20C ulelong =0 \b, saved entry %d (usual)
>>>>>0x20C ulelong >0 \b, saved entry %d
# for 1.94 contains kernel image size
# for 0.93,0.94,0.96,0.97
# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2
>>>>>0x210 ubyte x \b, identifier 0x%x
# The flag for LBA forcing is in most cases 0
#>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default)
>>>>>0x211 ubyte >0 \b, LBA flag 0x%x
# GRUB version as string
>>>>>0x212 string >\0 \b, GRUB version %-s
# for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default
>>>>>0x217 ulong 0xffffffff
>>>>>>0x21b string >\0 \b, configuration file %-s
>>>>>0x217 ulong !0xffffffff
>>>>>>0x217 string >\0 \b, configuration file %-s

# DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011
# JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90
# over BIOS parameter block (BPB)
# https://thestarman.pcministry.com/asm/2bytejumps.htm#FWD
# older drives may use Near JuMP instruction E9 xx xx
# minimal short forward jump found 0x29 for bootloaders or 0x0
# maximal short forward jump is 0x7f
# OEM-ID is empty or contain readable bytes
0 ulelong&0x804000E9 0x000000E9
!:strength +60
# mtools-3.9.8/msdos.h
# usual values are marked with comments to get only informations of strange
FAT systems# valid sectorsize must be a power of 2 from 32 to 32768>11 uleshort&0x001f 0>>11 uleshort <32769>>>11 uleshort >31>>>>21 ubyte&0xf0 0xF0>>>>>0 ubyte 0xEB DOS/MBR boot sector>>>>>>1 ubyte x \b, code offset 0x%x+2>>>>>0 ubyte 0xE9>>>>>>1 uleshort x \b, code offset 0x%x+3>>>>>3 string >\0 \b, OEM-ID "%-.8s"#http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC>>>>>>8 string IHC \b cached by Windows 9M>>>>>11 uleshort >512 \b, Bytes/sector %u#>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual)>>>>>11 uleshort <512 \b, Bytes/sector %u>>>>>13 ubyte >1 \b, sectors/cluster %u#>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies)# for lazy FAT32 implementation like Transcend digital photo frame PF830>>>>>82 string/c fat32>>>>>>14 uleshort !32 \b, reserved sectors %u#>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32)>>>>>82 string/c !fat32>>>>>>14 uleshort >1 \b, reserved sectors %u#>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16)#>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS)>>>>>16 ubyte >2 \b, FATs %u#>>>>>16 ubyte =2 \b, FATs %u (usual)>>>>>16 ubyte =1 \b, FAT %u>>>>>16 ubyte >0>>>>>17 uleshort >0 \b, root entries %u#>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32)>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB)#>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32)>>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x#>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy)>>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x>>>>>22 uleshort >0 \b, sectors/FAT %u#>>>>>22 uleshort =0 \b, sectors/FAT %hu=0 (usual Fat32)>>>>>24 uleshort x \b, sectors/track %u>>>>>26 ubyte >2 \b, heads %u#>>>>>26 ubyte =2 \b, heads %u (usual floppy)>>>>>26 ubyte =1 \b, heads %u# valid only for sector sizes with more then 32 Bytes>>>>>11 uleshort >32# https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block# skip for values 2,2Ah,70h,73h,DFh# and continue for extended boot signature values 
0,28h,29h,80h>>>>>>38 ubyte&0x56 =0>>>>>>>28 ulelong >0 \b, hidden sectors %u#>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy)>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB)#>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB)# FAT<32 bit specific>>>>>>>82 string/c !fat32#>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk)#>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy)>>>>>>>>36 ubyte !0x80>>>>>>>>>36 ubyte !0 \b, physical drive 0x%x# VGA-copy CRC or# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too>>>>>>>>37 ubyte >0 \b, reserved 0x%x#>>>>>>>>37 ubyte =0 \b, reserved 0x%x# extended boot signatur value is 0x80 for NTFS, 0x28 or 0x29 for others>>>>>>>>38 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x)>>>>>>>>38 ubyte&0xFE =0x28>>>>>>>>>39 ulelong x \b, serial number 0x%x>>>>>>>>38 ubyte =0x29>>>>>>>>>43 string <NO\ NAME \b, label: "%11.11s">>>>>>>>>43 string >NO\ NAME \b, label: "%11.11s">>>>>>>>>43 string =NO\ NAME \b, unlabeled# there exist some old floppies without word FAT at offset 54# a word like "FATnm " is only a hint for a FAT size on nm-bits# Normally the number of clusters is calculated by the values of BPP.# if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit,# otherwise FAT is 16 bit.# http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html>>>>>82 string/c !fat32>>>>>>54 string FAT12 \b, FAT (12 bit)>>>>>>54 string FAT16 \b, FAT (16 bit)>>>>>>54 default x# determinate FAT bit size by media descriptor# small floppies implies FAT12>>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor)# with media descriptor F0h floppy or maybe superfloppy with FAT16>>>>>>>21 ubyte =0xF0# superfloppy (many sectors) implies FAT16>>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors)# no superfloppy with media descriptor F0h implies FAT12>>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors)# with media descriptor F8h 
floppy or hard disc with FAT12 or FAT16>>>>>>>21 ubyte =0xF8# 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12>>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry)# hard disc with FAT12 or FAT16>>>>>>>>19 default x \b, FAT (1Y bit by descriptor)# with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc>>>>>>>21 ubyte =0xFA# 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12>>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry)# RAM disc with FAT12 or FAT16 or Tandy hard disc>>>>>>>>19 default x \b, FAT (1Y bit by descriptor)# others are floppy>>>>>>>21 default x \b, FAT (12 bit by descriptor)# FAT32 bit specific>>>>>82 string/c fat32 \b, FAT (32 bit)>>>>>>36 ulelong x \b, sectors/FAT %u# https://technet.microsoft.com/en-us/library/cc977221.aspx>>>>>>40 uleshort >0 \b, extension flags 0x%x#>>>>>>40 uleshort =0 \b, extension flags %hu>>>>>>42 uleshort >0 \b, fsVersion %u#>>>>>>42 uleshort =0 \b, fsVersion %u (usual)>>>>>>44 ulelong >2 \b, rootdir cluster %u#>>>>>>44 ulelong =2 \b, rootdir cluster %u#>>>>>>44 ulelong =1 \b, rootdir cluster %u>>>>>>48 uleshort >1 \b, infoSector %u#>>>>>>48 uleshort =1 \b, infoSector %u (usual)>>>>>>48 uleshort <1 \b, infoSector %u# 0 or 0xFFFF instead of usual 6 means no backup sector>>>>>>50 uleshort =0xFFFF \b, no Backup boot sector>>>>>>50 uleshort =0 \b, no Backup boot sector#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual)>>>>>>50 default x>>>>>>>50 uleshort x \b, Backup boot sector %u# corrected by Joerg Jenderek at Feb 2011 according to https://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO>>>>>>52 ulelong >0 \b, reserved1 0x%x>>>>>>56 ulelong >0 \b, reserved2 0x%x>>>>>>60 ulelong >0 \b, reserved3 0x%x# same structure as FAT1X#>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk)#>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy)>>>>>>64 ubyte 
!0x80>>>>>>>64 ubyte >0 \b, physical drive 0x%x# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too>>>>>>65 ubyte >0 \b, reserved 0x%x>>>>>>66 ubyte !0x29 \b, dos < 4.0 BootSector (0x%x)>>>>>>66 ubyte =0x29>>>>>>>67 ulelong x \b, serial number 0x%x>>>>>>>71 string <NO\ NAME \b, label: "%11.11s">>>>>>>71 string >NO\ NAME \b, label: "%11.11s">>>>>>>71 string =NO\ NAME \b, unlabeled# additional tests for floppy image added by Joerg Jenderek# no fixed disk>>>>>21 ubyte !0xF8# floppy media with 12 bit FAT>>>>>>54 string !FAT16# test for FAT after bootsector>>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT# floppy image!:mime application/x-ima# NTFS specific added by Joerg Jenderek at Mar 2011 according to https://thestarman.pcministry.com/asm/mbr/NTFSBR.htm# and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html# 0 FATs>>>>>16 ubyte =0# 0 root entries>>>>>>17 uleshort =0# 0 DOS sectors>>>>>>>19 uleshort =0# 0 sectors/FAT# dos < 4.0 BootSector value found is 0x80#38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x)>>>>>>>>22 uleshort =0 \b; NTFS>>>>>>>>>24 uleshort >0 \b, sectors/track %u>>>>>>>>>36 ulelong !0x800080 \b, physical drive 0x%x>>>>>>>>>40 ulequad >0 \b, sectors %lld>>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld>>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld# Values 0 to 127 represent MFT record sizes of 0 to 127 clusters.# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes.>>>>>>>>>64 lelong <256>>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d>>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i)# Values 0 to 127 represent index block sizes of 0 to 127 clusters.# Values 128 to 255 represent index block sizes of 2^(256-N) byte>>>>>>>>>68 ulelong <256>>>>>>>>>>68 ulelong <128 \b, clusters/index block %d#>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d)>>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i)>>>>>>>>>72 ulequad x 
\b, serial number 0%llx>>>>>>>>>80 ulelong >0 \b, checksum 0x%x#>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual)# unicode loadername size jump>>>>>>>>>(0x200.s*2) ubyte x# in next sector loadername terminated by unicode CTRL-D and $>>>>>>>>>>&0x1FF ulequad&0x0000FFffFFffFF00 0x0000002400040000 \b; contains# if 2nd NTFS sectors is found then assume whole filesystem#!:mime application/x-raw-disk-image!:ext img/bin/ntfs>>>>>>>>>>>0x200 use ntfs-sector2 # For 2nd NTFS sector added by Joerg Jenderek at Jan 2013, Mar 2019# https://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm# unused assembler instructions short JMP y2;NOP;NOP0x056 ulelong&0xFFFF0FFF 0x909002EB NTFS#!:mime application/octet-stream!:ext bin>0 use ntfs-sector2# https://memory.dataram.com/products-and-services/software/ramdisk# assembler instructions JMP C000;NOP0x056 ulelong 0x9000c0e9 NTFS#!:mime application/octet-stream!:ext bin>0 use ntfs-sector2# check for characteristics of second NTFS sector and then display loader name0 name ntfs-sector2# number of utf16 characters of loadername>0 uleshort <8# unused assembler instructions JMP y2;NOP;NOP or JMP C000;NOP>>0x056 ulelong&0xFF0000FD 0x900000E9# loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR>>>0x002 lestring16 x bootstrap %-5.5s# check for 7 character length of loader name like BOOTMGR>>>0 uleshort 7>>>>0x0c lestring16 x \b%-2.2s### DOS,NTFS boot sectors end # ntfsclone-image is a special save format for NTFS volumes,# created and restored by the ntfsclone program0 string \0ntfsclone-image ntfsclone image,>0x10 byte x version %d.>0x11 byte x \b%d,>0x12 lelong x cluster size %d,>0x16 lequad x device size %lld,>0x1e lequad x %lld total clusters,>0x26 lequad x %lld clusters in use 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian),>8404 string x last mounted on %s,#>9504 ledate x last checked at %s,>8224 ledate x last written at %s,>8401 byte x clean flag %d,>8228 lelong x number of blocks %d,>8232 lelong x number of data blocks 
%d,>8236 lelong x number of cylinder groups %d,>8240 lelong x block size %d,>8244 lelong x fragment size %d,>8252 lelong x minimum percentage of free blocks %d,>8256 lelong x rotational delay %dms,>8260 lelong x disk rotational speed %drps,>8320 lelong 0 TIME optimization>8320 lelong 1 SPACE optimization 42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian)>&-1164 string x last mounted on %s,>&-696 string >\0 volume name %s,>&-304 leqldate x last written at %s,>&-1167 byte x clean flag %d,>&-1168 byte x readonly flag %d,>&-296 lequad x number of blocks %lld,>&-288 lequad x number of data blocks %lld,>&-1332 lelong x number of cylinder groups %d,>&-1328 lelong x block size %d,>&-1324 lelong x fragment size %d,>&-180 lelong x average file size %d,>&-176 lelong x average number of files in dir %d,>&-272 lequad x pending blocks to free %lld,>&-264 lelong x pending inodes to free %d,>&-664 lequad x system-wide uuid %0llx,>&-1316 lelong x minimum percentage of free blocks %d,>&-1248 lelong 0 TIME optimization>&-1248 lelong 1 SPACE optimization 66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian)>&-1164 string x last mounted on %s,>&-696 string >\0 volume name %s,>&-304 leqldate x last written at %s,>&-1167 byte x clean flag %d,>&-1168 byte x readonly flag %d,>&-296 lequad x number of blocks %lld,>&-288 lequad x number of data blocks %lld,>&-1332 lelong x number of cylinder groups %d,>&-1328 lelong x block size %d,>&-1324 lelong x fragment size %d,>&-180 lelong x average file size %d,>&-176 lelong x average number of files in dir %d,>&-272 lequad x pending blocks to free %lld,>&-264 lelong x pending inodes to free %d,>&-664 lequad x system-wide uuid %0llx,>&-1316 lelong x minimum percentage of free blocks %d,>&-1248 lelong 0 TIME optimization>&-1248 lelong 1 SPACE optimization 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian),>7168 belong 0x4c41424c Apple UFS Volume>>7186 string x named %s,>>7176 belong x volume label version 
%d,>>7180 bedate x created on %s,>8404 string x last mounted on %s,#>9504 bedate x last checked at %s,>8224 bedate x last written at %s,>8401 byte x clean flag %d,>8228 belong x number of blocks %d,>8232 belong x number of data blocks %d,>8236 belong x number of cylinder groups %d,>8240 belong x block size %d,>8244 belong x fragment size %d,>8252 belong x minimum percentage of free blocks %d,>8256 belong x rotational delay %dms,>8260 belong x disk rotational speed %drps,>8320 belong 0 TIME optimization>8320 belong 1 SPACE optimization 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian)>&-1164 string x last mounted on %s,>&-696 string >\0 volume name %s,>&-304 beqldate x last written at %s,>&-1167 byte x clean flag %d,>&-1168 byte x readonly flag %d,>&-296 bequad x number of blocks %lld,>&-288 bequad x number of data blocks %lld,>&-1332 belong x number of cylinder groups %d,>&-1328 belong x block size %d,>&-1324 belong x fragment size %d,>&-180 belong x average file size %d,>&-176 belong x average number of files in dir %d,>&-272 bequad x pending blocks to free %lld,>&-264 belong x pending inodes to free %d,>&-664 bequad x system-wide uuid %0llx,>&-1316 belong x minimum percentage of free blocks %d,>&-1248 belong 0 TIME optimization>&-1248 belong 1 SPACE optimization 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian)>&-1164 string x last mounted on %s,>&-696 string >\0 volume name %s,>&-304 beqldate x last written at %s,>&-1167 byte x clean flag %d,>&-1168 byte x readonly flag %d,>&-296 bequad x number of blocks %lld,>&-288 bequad x number of data blocks %lld,>&-1332 belong x number of cylinder groups %d,>&-1328 belong x block size %d,>&-1324 belong x fragment size %d,>&-180 belong x average file size %d,>&-176 belong x average number of files in dir %d,>&-272 bequad x pending blocks to free %lld,>&-264 belong x pending inodes to free %d,>&-664 bequad x system-wide uuid %0llx,>&-1316 belong x minimum percentage of free blocks %d,>&-1248 
belong 0 TIME optimization
>&-1248 belong 1 SPACE optimization

0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian),
>0x90 lelong+1 x volume %d
>0x94 lelong x (of %d),
>0x50 string x name %s,
>0x98 ulelong x version %u,
>0xa0 ulelong x flags 0x%x

# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# https://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0x438 leshort 0xEF53 Linux
>0x44c lelong x rev %d
>0x43e leshort x \b.%d
# No journal? ext2
>0x45c lelong ^0x0000004 ext2 filesystem data
>>0x43a leshort ^0x0000001 (mounted or unclean)
# Has a journal? ext3 or ext4
>0x45c lelong &0x0000004
# and small INCOMPAT?
>>0x460 lelong <0x0000040
# and small RO_COMPAT?
>>>0x464 lelong <0x0000008 ext3 filesystem data
# else large RO_COMPAT?
>>>0x464 lelong >0x0000007 ext4 filesystem data
# else large INCOMPAT?
>>0x460 lelong >0x000003f ext4 filesystem data
>0x468 belong x \b, UUID=%08x
>0x46c beshort x \b-%04x
>0x46e beshort x \b-%04x
>0x470 beshort x \b-%04x
>0x472 belong x \b-%08x
>0x476 beshort x \b%04x
>0x478 string >0 \b, volume name "%s"
# General flags for any ext* fs
>0x460 lelong &0x0000004 (needs journal recovery)
>0x43a leshort &0x0000002 (errors)
# INCOMPAT flags
>0x460 lelong &0x0000001 (compressed)
#>0x460 lelong &0x0000002 (filetype)
#>0x460 lelong &0x0000010 (meta bg)
>0x460 lelong &0x0000040 (extents)
>0x460 lelong &0x0000080 (64bit)
#>0x460 lelong &0x0000100 (mmp)
#>0x460 lelong &0x0000200 (flex bg)
# RO_INCOMPAT flags
#>0x464 lelong &0x0000001 (sparse super)
>0x464 lelong &0x0000002 (large files)
>0x464 lelong &0x0000008 (huge files)
#>0x464 lelong &0x0000010 (gdt checksum)
#>0x464 lelong &0x0000020 (many subdirs)
#>0x463 lelong &0x0000040 (extra isize)

# f2fs filesystem - Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
0x400 lelong 0xF2F52010 F2FS filesystem
>0x46c belong x \b, UUID=%08x
>0x470 beshort x \b-%04x
>0x472 beshort x \b-%04x
>0x474 beshort x \b-%04x
>0x476 belong x \b-%08x
>0x47a beshort x \b%04x
>0x147c lestring16 x \b, volume name "%s"

# Minix filesystems - Juan Cespedes <cespedes@debian.org>
0x410 leshort 0x137f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1, 14 char names, %d zones
>0x1e string minix \b, bootable
0x410 beshort 0x137f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1 (big endian), %d zones
>0x1e string minix \b, bootable
0x410 leshort 0x138f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1, 30 char names, %d zones
>0x1e string minix \b, bootable
0x410 beshort 0x138f
!:strength / 2
>0x402 beshort < 100
>0x402 beshort > -1 Minix filesystem, V1, 30 char names (big endian), %d zones
>0x1e string minix \b, bootable
# Weak Magic: this is $x
#0x410 leshort 0x2468
#>0x402 beshort < 100
#>>0x402 beshort > -1 Minix filesystem, V2, 14 char names
#>0x1e string minix \b, bootable
#0x410 beshort 0x2468
#>0x402 beshort < 100
#>0x402 beshort > -1 Minix filesystem, V2 (big endian)
#>0x1e string minix \b, bootable
#0x410 leshort 0x2478
#>0x402 beshort < 100
#>0x402 beshort > -1 Minix filesystem, V2, 30 char names
#>0x1e string minix \b, bootable
#0x410 leshort 0x2478
#>0x402 beshort < 100
#>0x402 beshort > -1 Minix filesystem, V2, 30 char names
#>0x1e string minix \b, bootable
#0x410 beshort 0x2478
#>0x402 beshort !0 Minix filesystem, V2, 30 char names (big endian)
#>0x1e string minix \b, bootable
# Weak Magic! this is MD
#0x418 leshort 0x4d5a
#>0x402 beshort <100
#>>0x402 beshort > -1 Minix filesystem, V3, 60 char names

# SGI disk labels - Nathan Scott <nathans@debian.org>
0 belong 0x0BE5A941 SGI disk label (volume header)

# SGI XFS filesystem - Nathan Scott <nathans@debian.org>
0 belong 0x58465342 SGI XFS filesystem data
>0x4 belong x (blksz %d,
>0x68 beshort x inosz %d,
>0x64 beshort ^0x2004 v1 dirs)
>0x64 beshort &0x2004 v2 dirs)

############################################################################
# Minix-ST kernel floppy
0x800 belong 0x46fc2700 Atari-ST Minix kernel image
# https://en.wikipedia.org/wiki/BIOS_parameter_block
# floppies with valid BPB and any instruction at beginning
>19 string \240\005\371\005\0\011\0\2\0 \b, 720k floppy
>19 string \320\002\370\005\0\011\0\1\0 \b, 360k floppy

############################################################################
# Hmmm, is this a better way of detecting _standard_ floppy images ?
19 string \320\002\360\003\0\011\0\1\0 DOS floppy 360k
>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector
19 string \240\005\371\003\0\011\0\2\0 DOS floppy 720k
>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector
19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k
>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector

19 string \240\005\371\005\0\011\0\2\0 DOS floppy 720k, IBM
>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector
19 string \100\013\371\005\0\011\0\2\0 DOS floppy 1440k, mkdosfs
>0x1FE leshort 0xAA55 \b, DOS/MBR hard disk boot sector

19 string \320\002\370\005\0\011\0\1\0 Atari-ST floppy 360k
19 string \240\005\371\005\0\011\0\2\0 Atari-ST floppy 720k
#         |       |   |     |     |
#         |       |   |     |     heads
#         |       |   |     sectors/track
#         |       |   sectors/FAT
#         |       media descriptor
#    BPB: sectors

# Valid media descriptor bytes for MS-DOS:
#
#     Byte   Capacity   Media Size and Type
#     -------------------------------------------------
#
#     F0     2.88 MB    3.5-inch, 2-sided, 36-sector
#     F0     1.44 MB    3.5-inch, 2-sided, 18-sector
#     F9     720K       3.5-inch, 2-sided, 9-sector
#     F9     1.2 MB     5.25-inch, 2-sided, 
15-sector# FD 360K 5.25-inch, 2-sided, 9-sector# FF 320K 5.25-inch, 2-sided, 8-sector# FC 180K 5.25-inch, 1-sided, 9-sector# FE 160K 5.25-inch, 1-sided, 8-sector# FE 250K 8-inch, 1-sided, single-density# FD 500K 8-inch, 2-sided, single-density# FE 1.2 MB 8-inch, 2-sided, double-density# F8 ----- Fixed disk## FC xxxK Apricot 70x1x9 boot disk.## Originally a bitmap:# xxxxxxx0 Not two sided# xxxxxxx1 Double sided# xxxxxx0x Not 8 SPT# xxxxxx1x 8 SPT# xxxxx0xx Not Removable drive# xxxxx1xx Removable drive# 11111xxx Must be one.## But now it's rather random:# 111111xx Low density disk# 00 SS, Not 8 SPT# 01 DS, Not 8 SPT# 10 SS, 8 SPT# 11 DS, 8 SPT## 11111001 Double density 3 1/2 floppy disk, high density 5 1/4# 11110000 High density 3 1/2 floppy disk# 11111000 Hard disk any format# # all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013# https://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions# Too Weak.#512 ubelong&0xE0ffff00 0xE0ffff00# without valid Media descriptor in place of BPB, cases with are done at other places#>21 ubyte <0xE5 floppy with old FAT filesystem# but valid Media descriptor at begin of FAT#>>512 ubyte =0xed 720k#>>512 ubyte =0xf0 1440k#>>512 ubyte =0xf8 720k#>>512 ubyte =0xf9 1220k#>>512 ubyte =0xfa 320k#>>512 ubyte =0xfb 640k#>>512 ubyte =0xfc 180k# look like an old DOS directory entry#>>>0xA0E ubequad 0#>>>>0xA00 ubequad !0#!:mime application/x-ima#>>512 ubyte =0xfd# look for 2nd FAT at different location to distinguish between 360k and 500k#>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k#>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k#>>>0xA0E ubequad 0#!:mime application/x-ima#>>512 ubyte =0xfe#>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k#>>>>0x60E ubequad 0#>>>>>0x600 ubequad !0#!:mime application/x-ima#>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k#>>512 ubyte =0xff 320k#>>>0x60E ubequad 0#>>>>0x600 ubequad !0#!:mime application/x-ima#>>512 ubyte x \b, Media descriptor 0x%x# without x86 jump instruction#>>0 
ulelong&0x804000E9 !0x000000E9# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV#>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader# IOSYS.COM+MSDOS.COM#>>>>0xc4 use 2xDOS-filename#>>0 ulelong&0x804000E9 =0x000000E9# only x86 short jump instruction found#>>>0 ubyte =0xEB#>>>>1 ubyte x \b, code offset 0x%x+2# https://thestarman.pcministry.com/DOS/ibm100/Boot.htm# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader# ibmbio.com+ibmdos.com#>>>>>0x176 use DOS-filename#>>>>>0x181 ubyte x \b+#>>>>>0x182 use DOS-filename# https://thestarman.pcministry.com/DOS/ibm110/Boot.htm# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader# ibmbio.com+ibmdos.com#>>>>>0x18b use DOS-filename#>>>>>0x196 ubyte x \b+#>>>>>0x197 use DOS-filename# https://en.wikipedia.org/wiki/Zenith_Data_Systems# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6#>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader# IO.SYS+MSDOS.SYS#>>>>>0x20 use 2xDOS-filename# https://en.wikipedia.org/wiki/Corona_Data_Systems# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX;#>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader# IO.SYS+MSDOS.SYS#>>>>>0x69 use 2xDOS-filename# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00;#>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader# defect IO.SYS+MSDOS.SYS ?#>>>>>0x162 use 2xDOS-filename 0 name cdrom>38913 string !NSR0 ISO 9660 CD-ROM filesystem data!:mime application/x-iso9660-image!:ext iso/iso9660>38913 string NSR0 UDF filesystem data!:mime application/x-iso9660-image!:ext iso/udf>>38917 string 1 (version 1.0)>>38917 string 2 (version 1.5)>>38917 string 3 (version 2.0)>>38917 byte >0x33 (unknown version, ID 0x%X)>>38917 byte <0x31 (unknown version, ID 0x%X)# The next line is not necessary because the MBR staff is done looking for boot 
signature
>0x1FE leshort 0xAA55 (DOS/MBR boot sector)
# "application id" which appears to be used as a volume label
>32808 string/T >\0 '%s'
>34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable)
37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)
!:mime application/x-iso9660-image
32777 string CDROM High Sierra CD-ROM filesystem data

# CDROM Filesystems
# https://en.wikipedia.org/wiki/ISO_9660
# Modified for UDF by gerardo.cacciari@gmail.com
32769 string CD001
# mime line at that position does not work
# to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51)
#!:strength -11
# to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51)
!:strength +35
>0 use cdrom

# URL: https://en.wikipedia.org/wiki/NRG_(file_format)
# Reference: https://dl.opendesktop.org/api/files/download/id/1460731811/
# 11577-mount-iso-0.9.5.tar.bz2/mount-iso-0.9.5/install.sh
# From: Joerg Jenderek
# Note: Only for nero disc with once (DAO) type after 300 KB header
339969 string CD001 Nero CD image at 0x4B000
!:mime application/x-nrg
!:ext nrg
>307200 use cdrom

# .cso files
# Reference: https://pismotec.com/ciso/ciso.h
# NOTE: There are two other formats with the same magic but
# completely incompatible specifications:
# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h
# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h
0 string CISO
# Other fields are used to determine what type of CISO this is:
# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size)
# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size)
# - 0x10 == 0x00004000: For >2GB files using maxcso...
# https://github.com/unknownbrackets/maxcso/issues/26
# - None of the above: Compact ISO.
>4 lelong !0
>>4 lelong !0x200000
>>>16 lelong !0x800
>>>>16 lelong !0x4000 Compressed ISO CD image

# cramfs filesystem - russell@coker.com.au
0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian
>4 lelong x size %u
>8 lelong &1 version #2
>8 lelong &2 sorted_dirs
>8 lelong &4 hole_support
>32 lelong x CRC 0x%x,
>36 lelong x edition %u,
>40 lelong x %u blocks,
>44 lelong x %u files

0 belong 0x28cd3d45 Linux Compressed ROM File System data, big endian
>4 belong x size %u
>8 belong &1 version #2
>8 belong &2 sorted_dirs
>8 belong &4 hole_support
>32 belong x CRC 0x%x,
>36 belong x edition %u,
>40 belong x %u blocks,
>44 belong x %u files

# reiserfs - russell@coker.com.au
0x10034 string ReIsErFs ReiserFS V3.5
0x10034 string ReIsEr2Fs ReiserFS V3.6
0x10034 string ReIsEr3Fs ReiserFS V3.6.19
>0x1002c leshort x block size %d
>0x10032 leshort &2 (mounted or unclean)
>0x10000 lelong x num blocks %d
>0x10040 lelong 1 tea hash
>0x10040 lelong 2 yura hash
>0x10040 lelong 3 r5 hash

# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
0 string ESTFBINR EST flat binary

# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0 string VoIP\ Startup\ and Aculab VoIP firmware
>35 string x format %s

# From: Mark Brown <broonie@sirena.org.uk> [old]
# From: Behan Webster <behanw@websterwood.com>
0 belong 0x27051956 u-boot legacy uImage,
>32 string x %s,
>28 byte 0 Invalid os/
>28 byte 1 OpenBSD/
>28 byte 2 NetBSD/
>28 byte 3 FreeBSD/
>28 byte 4 4.4BSD/
>28 byte 5 Linux/
>28 byte 6 SVR4/
>28 byte 7 Esix/
>28 byte 8 Solaris/
>28 byte 9 Irix/
>28 byte 10 SCO/
>28 byte 11 Dell/
>28 byte 12 NCR/
>28 byte 13 LynxOS/
>28 byte 14 VxWorks/
>28 byte 15 pSOS/
>28 byte 16 QNX/
>28 byte 17 Firmware/
>28 byte 18 RTEMS/
>28 byte 19 ARTOS/
>28 byte 20 Unity OS/
>28 byte 21 INTEGRITY/
>29 byte 0 \bInvalid CPU,
>29 byte 1 \bAlpha,
>29 byte 2 \bARM,
>29 byte 3 \bIntel x86,
>29 byte 4 \bIA64,
>29 byte 5 \bMIPS,
>29 byte 6 \bMIPS 64-bit,
>29 byte 7 \bPowerPC,
>29 byte 8 \bIBM S390,
>29 byte 9 \bSuperH,
>29 byte 10 \bSparc,
>29 byte 11 \bSparc 64-bit,
>29 byte 12 \bM68K,
>29 byte 13 \bNios-32,
>29 byte 14 \bMicroBlaze,
>29 byte 15 \bNios-II,
>29 byte 16 \bBlackfin,
>29 byte 17 \bAVR32,
>29 byte 18 \bSTMicroelectronics ST200,
>29 byte 19 \bSandbox architecture,
>29 byte 20 \bANDES Technology NDS32,
>29 byte 21 \bOpenRISC 1000,
>29 byte 22 \bARM 64-bit,
>29 byte 23 \bDesignWare ARC,
>29 byte 24 \bx86_64,
>29 byte 25 \bXtensa,
>29 byte 26 \bRISC-V,
>30 byte 0 Invalid Image
>30 byte 1 Standalone Program
>30 byte 2 OS Kernel Image
>30 byte 3 RAMDisk Image
>30 byte 4 Multi-File Image
>30 byte 5 Firmware Image
>30 byte 6 Script File
>30 byte 7 Filesystem Image (any type)
>30 byte 8 Binary Flat Device Tree BLOB
>31 byte 0 (Not compressed),
>31 byte 1 (gzip),
>31 byte 2 (bzip2),
>31 byte 3 (lzma),
>12 belong x %d bytes,
>8 bedate x %s,
>16 belong x Load Address: 0x%08X,
>20 belong x Entry Point: 0x%08X,
>4 belong x Header CRC: 0x%08X,
>24 belong x Data CRC: 0x%08X

# JFFS2 file system
0 leshort 0x1984 Linux old jffs2 filesystem data little endian
0 beshort 0x1984 Linux old jffs2 filesystem data big endian
0 leshort 0x1985 Linux jffs2 filesystem data little endian
0 beshort 0x1985 Linux jffs2 filesystem data big endian

# Squashfs
0 name squashfs
>28 beshort x version %d.
>30 beshort x \b%d,
>20 beshort 0 uncompressed,
>20 beshort 1 zlib
>20 beshort 2 lzma
>20 beshort 3 lzo
>20 beshort 4 xz
>20 beshort 5 lz4
>20 beshort 6 zstd
>20 beshort >0 compressed,
>28 beshort <3
>>8 belong x %d bytes,
>28 beshort >2
>>28 beshort <4
>>>63 bequad x %lld bytes,
>>28 beshort >3
>>>40 bequad x %lld bytes,
#>>67 belong x %d bytes,
>4 belong x %d inodes,
>28 beshort <2
>>32 beshort x blocksize: %d bytes,
>28 beshort >1
>>28 beshort <4
>>>51 belong x blocksize: %d bytes,
>>28 beshort >3
>>>12 belong x blocksize: %d bytes,
>28 beshort <4
>>39 bedate x created: %s
>28 beshort >3
>>8 bedate x created: %s

0 string sqsh Squashfs filesystem, big endian,
>0 use squashfs

0 string hsqs Squashfs filesystem, little endian,
>0 use \^squashfs

# AFS Dump Magic
# From: Ty Sarna <tsarna@sarna.org>
0 string \x01\xb3\xa1\x13\x22 AFS Dump
>&0 belong x (v%d)
>>&0 byte 0x76
>>>&0 belong x Vol %d,
>>>>&0 byte 0x6e
>>>>>&0 string x %s
>>>>>>&1 byte 0x74
>>>>>>>&0 beshort 2
>>>>>>>>&4 bedate x on: %s
>>>>>>>>&0 bedate =0 full dump
>>>>>>>>&0 bedate !0 incremental since: %s

#----------------------------------------------------------
#delta ISO Daniel Novotny (dnovotny@redhat.com)
0 string DISO Delta ISO data
!:strength +50
>4 belong x version %d

# VMS backup savesets - gerardo.cacciari@gmail.com
#
4 string \x01\x00\x01\x00\x01\x00
>(0.s+16) string \x01\x01
>>&(&0.b+8) byte 0x42 OpenVMS backup saveset data
>>>40 lelong x (block size %d,
>>>49 string >\0 original name '%s',
>>>2 short 1024 VAX generated)
>>>2 short 2048 AXP generated)
>>>2 short 4096 I64 generated)

# Summary: Oracle Clustered Filesystem
# Created by: Aaron Botsis <redhat@digitalmafia.org>
8 string OracleCFS Oracle Clustered Filesystem,
>4 long x rev %d
>0 long x \b.%d,
>560 string x label: %.64s,
>136 string x mountpoint: %.128s

# Summary: Oracle ASM tagged volume
# Created by: Aaron Botsis <redhat@digitalmafia.org>
32 string ORCLDISK Oracle ASM Volume,
>40 string x Disk Name: %0.12s
32 string ORCLCLRD Oracle ASM Volume (cleared),
>40 string x Disk Name: %0.12s

# Oracle Clustered Filesystem - Aaron Botsis <redhat@digitalmafia.org>
8 string OracleCFS Oracle Clustered Filesystem,
>4 long x rev %d
>0 long x \b.%d,
>560 string x label: %.64s,
>136 string x mountpoint: %.128s

# Oracle ASM tagged volume - Aaron Botsis <redhat@digitalmafia.org>
32 string ORCLDISK Oracle ASM Volume,
>40 string x Disk Name: %0.12s
32 string ORCLCLRD Oracle ASM Volume (cleared),
>40 string x Disk Name: %0.12s

# Compaq/HP RILOE floppy image
# From: Dirk Jagdmann <doj@cubic.org>
0 string CPQRFBLO Compaq/HP RILOE floppy image

#------------------------------------------------------------------------------
# Files-11 On-Disk Structure (File system for various RSX-11 and VMS flavours).
# These bits come from LBN 1 (home block) of ODS-1, ODS-2 and ODS-5 volumes,
# which is mapped to VBN 2 of [000000]INDEXF.SYS;1 - gerardo.cacciari@gmail.com
#
1008 string DECFILE11 Files-11 On-Disk Structure
>525 byte x (ODS-%d);
>1017 string A RSX-11, VAX/VMS or OpenVMS VAX file system;
>1017 string B
>>525 byte 2 VAX/VMS or OpenVMS file system;
>>525 byte 5 OpenVMS Alpha or Itanium file system;
>984 string x volume label is '%-12.12s'

# From: Thomas Klausner <wiz@NetBSD.org>
# https://filext.com/file-extension/DAA
# describes the daa file format. The magic would be:
0 string DAA\x0\x0\x0\x0\x0 PowerISO Direct-Access-Archive

# From Albert Cahalan <acahalan@gmail.com>
# really le32 operation,destination,payloadsize (but quite predictable)
# 01 00 00 00 00 00 00 c0 00 02 00 00
0 string \1\0\0\0\0\0\0\300\0\2\0\0 Marvell Libertas firmware

# From Eric Sandeen
# GFS2
0x10000 belong 0x01161970
>0x10018 belong 0x0000051d GFS1 Filesystem
>>0x10024 belong x (blocksize %d,
>>0x10060 string >\0 lockproto %s)
>0x10018 belong 0x00000709 GFS2 Filesystem
>>0x10024 belong x (blocksize %d,
>>0x10060 string >\0 lockproto %s)

# Russell Coker <russell@coker.com.au>
0x10040 string _BHRfS_M BTRFS Filesystem
>0x1012b string >\0 label "%s",
>0x10090 lelong x sectorsize %d,
>0x10094 lelong x nodesize %d,
>0x10098 lelong x leafsize %d,
>0x10020 belong x UUID=%08x-
>0x10024 beshort x \b%04x-
>0x10026 beshort x \b%04x-
>0x10028 beshort x \b%04x-
>0x1002a beshort x \b%04x
>0x1002c belong x \b%08x,
>0x10078 lequad x %lld/
>0x10070 lequad x \b%lld bytes used,
>0x10088 lequad x %lld devices

# dvdisaster's .ecc
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
0 string *dvdisaster* dvdisaster error correction file

# xfs metadump image
# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog
# but can we do the << ? For now it's always 512 (0x200) anyway.
0 string XFSM
>0x200 string XFSB XFS filesystem metadump image

# Type: CROM filesystem
# From: Werner Fink <werner@suse.de>
0 string CROMFS CROMFS
>6 string >\0 \b version %2.2s,
>8 ulequad >0 \b block data at %lld,
>16 ulequad >0 \b fblock table at %lld,
>24 ulequad >0 \b inode table at %lld,
>32 ulequad >0 \b root at %lld,
>40 ulelong >0 \b fblock size = %d,
>44 ulelong >0 \b block size = %d,
>48 ulequad >0 \b bytes = %lld

# Type: xfs metadump image
# From: Daniel Novotny <dnovotny@redhat.com>
# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog
# but can we do the << ? For now it's always 512 (0x200) anyway.
0 string XFSM
>0x200 string XFSB XFS filesystem metadump image

# Type: delta ISO
# From: Daniel Novotny <dnovotny@redhat.com>
0 string DISO Delta ISO data,
>4 belong x version %d

# JFS2 (Journaling File System) image. (Old JFS1 has superblock at 0x1000.)
# See linux/fs/jfs/jfs_superblock.h for layout; see jfs_filsys.h for flags.
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
0x8000 string JFS1
# Because it's text-only magic, check a binary value (version) to be sure.
# Should always be 2, but mkfs.jfs writes it as 1. Needs to be 2 or 1 to be
# mountable.
>&0 lelong <3 JFS2 filesystem image
# Label is followed by a UUID; we have to limit string length to avoid
# appending the UUID in the case of a 16-byte label.
>>&144 regex [\x20-\x7E]{1,16} (label "%s")
>>&0 lequad x \b, %lld blocks
>>&8 lelong x \b, blocksize %d
>>&32 lelong&0x00000006 >0 (dirty)
>>&36 lelong >0 (compressed)

# LFS
0 lelong 0x070162 LFS filesystem image
>4 lelong 1 version 1,
>>8 lelong x \b blocks %u,
>>12 lelong x \b blocks per segment %u,
>4 lelong 2 version 2,
>>8 lelong x \b fragments %u,
>>12 lelong x \b bytes per segment %u,
>16 lelong x \b disk blocks %u,
>20 lelong x \b block size %u,
>24 lelong x \b fragment size %u,
>28 lelong x \b fragments per block %u,
>32 lelong x \b start for free list %u,
>36 lelong x \b number of free blocks %d,
>40 lelong x \b number of files %u,
>44 lelong x \b blocks available for writing %d,
>48 lelong x \b inodes in cache %d,
>52 lelong x \b inode file disk address 0x%x,
>56 lelong x \b inode file inode number %u,
>60 lelong x \b address of last segment written 0x%x,
>64 lelong x \b address of next segment to write 0x%x,
>68 lelong x \b address of current segment written 0x%x

0 string td\000 floppy image data (TeleDisk, compressed)
0 string TD\000 floppy image data (TeleDisk)

0 string CQ\024 floppy image data (CopyQM,
>16 leshort x %d sectors,
>18 leshort x %d heads.)

0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk)

0 beshort 0xAA58 floppy image data (IBM SaveDskF, old)
0 beshort 0xAA59 floppy image data (IBM SaveDskF)
0 beshort 0xAA5A floppy image data (IBM SaveDskF, compressed)

0 string \074CPM_Disk\076 disk image data (YAZE)

# ReFS
# Richard W.M. 
Jones <rjones@redhat.com>0 string \0\0\0ReFS\0 ReFS filesystem image # EFW encase image file format:# Gregoire Passault# http://www.forensicswiki.org/wiki/Encase_image_file_format0 string EVF\x09\x0d\x0a\xff\x00 EWF/Expert Witness/EnCase image file format # UBIfs# Linux kernel sources: fs/ubifs/ubifs-media.h0 lelong 0x06101831>0x16 leshort 0 UBIfs image>0x08 lequad x \b, sequence number %llu>0x10 leshort x \b, length %u>0x04 lelong x \b, CRC 0x%08x 0 lelong 0x23494255>0x04 leshort <2>0x05 string \0\0\0>0x1c string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>0x04 leshort x UBI image, version %u # NEC PC-88 2D disk image# From Fabio R. Schmidlin <sd-snatcher@users.sourceforge.net>0x20 ulelong&0xFFFFFEFF 0x2A0>0x10 string \0\0\0\0\0\0\0\0\0\0>>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0>>>0x1A ubyte&0xEF 0>>>>0x1B ubyte&0x8F 0>>>>>0x1B ubyte&70 <0x40>>>>>>0x1C ulelong >0x21>>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s>>>>>>>>0x1B ubyte 0 \b, media=2D>>>>>>>>0x1B ubyte 0x10 \b, media=2DD>>>>>>>>0x1B ubyte 0x20 \b, media=2HD>>>>>>>>0x1B ubyte 0x30 \b, media=1D>>>>>>>>0x1B ubyte 0x40 \b, media=1DD>>>>>>>>0x1A ubyte 0x10 \b, write-protected # HDD Raw Copy Tool disk image, file extension: .imgc# From Benjamin Vanheuverzwijn <bvanheu@gmail.com>0 pstring HDD\ Raw\ Copy\ Tool %s>0x100 pstring x %s>0x200 pstring x - HD model: %s#>0x300 pstring x unknown %s>0x400 pstring x serial: %s#>0x500 pstring x unknown: %s!:ext imgc #------------------------------------------------------------------------------# $File: finger,v 1.3 2019/04/19 00:42:27 christos Exp $# fingerprint: file(1) magic for fingerprint data# XPM bitmaps)# # https://cgit.freedesktop.org/libfprint/libfprint/tree/libfprint/data.c 0 string FP1 libfprint fingerprint data V1>3 beshort x \b, driver_id %x>5 belong x \b, devtype %x 0 string FP2 libfprint fingerprint data V2>3 beshort x \b, driver_id %x>5 belong x \b, devtype %x 
#------------------------------------------------------------------------------
# $File: flash,v 1.15 2019/04/19 00:42:27 christos Exp $
# flash: file(1) magic for Macromedia Flash file format
#
# See
#
# https://www.macromedia.com/software/flash/open/
# https://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/\
# en/devnet/swf/pdf/swf-file-format-spec.pdf page 27
#

0 name swf-details

>0 string F
>>8 byte&0xfd 0x08 Macromedia Flash data
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d
>>8 byte&0xfe 0x10 Macromedia Flash data
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d
>>8 byte 0x18 Macromedia Flash data
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d
>>8 beshort&0xff87 0x2000 Macromedia Flash data
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d
>>8 beshort&0xffe0 0x3000 Macromedia Flash data
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d
>>8 byte&0x7 0
>>>8 ubyte >0x2f
>>>>9 ubyte <0x20 Macromedia Flash data
!:mime application/x-shockwave-flash
>>>>>3 byte x \b, version %d

>0 string C
>>8 byte 0x78 Macromedia Flash data (compressed)
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d

>0 string Z
>>8 byte 0x5d Macromedia Flash data (lzma compressed)
!:mime application/x-shockwave-flash
>>>3 byte x \b, version %d

1 string WS
>4 ulelong >14
>>3 ubyte !0
>>>0 use swf-details

# From: Cal Peake <cp@absolutedigital.net>
0 string FLV\x01 Macromedia Flash Video
!:mime video/x-flv

#
# Yosu Gomez
0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document
0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document
# From Dave Wilson
0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document

#------------------------------------------------------------------------------
# $File: flif,v 1.1 2015/11/23 22:04:36 christos Exp $
# flif: Magic data for file(1) command.
# FLIF (Free Lossless Image Format)

0 string FLIF FLIF
>4 string <H image data
>>6 beshort x \b, %u
>>8 beshort x \bx%u
>>5 string 1 \b, 8-bit/color,
>>5 string 2 \b, 16-bit/color,
>>4 string 1 \b, grayscale, non-interlaced
>>4 string 3 \b, RGB, non-interlaced
>>4 string 4 \b, RGBA, non-interlaced
>>4 string A \b, grayscale
>>4 string C \b, RGB, interlaced
>>4 string D \b, RGBA, interlaced
>4 string >H \b, animation data
>>5 ubyte <255 \b, %i frames
>>>7 beshort x \b, %u
>>>9 beshort x \bx%u
>>>6 string =1 \b, 8-bit/color
>>>6 string =2 \b, 16-bit/color
>>5 ubyte 0xFF
>>>6 beshort x \b, %i frames,
>>>9 beshort x \b, %u
>>>11 beshort x \bx%u
>>>8 string =1 \b, 8-bit/color
>>>8 string =2 \b, 16-bit/color
>>4 string =Q \b, grayscale, non-interlaced
>>4 string =S \b, RGB, non-interlaced
>>4 string =T \b, RGBA, non-interlaced
>>4 string =a \b, grayscale
>>4 string =c \b, RGB, interlaced
>>4 string =d \b, RGBA, interlaced

#------------------------------------------------------------------------------
# $File: fonts,v 1.43 2019/07/16 11:11:31 christos Exp $
# fonts: file(1) magic for font data
#
0 search/1 FONT ASCII vfont text
0 short 0436 Berkeley vfont data
0 short 017001 byte-swapped Berkeley vfont data

# PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com
0 string %!PS-AdobeFont-1. PostScript Type 1 font text
>20 string >\0 (%s)
6 string %!PS-AdobeFont-1. PostScript Type 1 font program data
0 string %!FontType1 PostScript Type 1 font program data
6 string %!FontType1 PostScript Type 1 font program data
0 string %!PS-Adobe-3.0\ Resource-Font PostScript Type 1 font text

# Summary: PostScript Type 1 Printer Font Metrics
# URL: https://en.wikipedia.org/wiki/PostScript_fonts
# Reference: https://partners.adobe.com/public/developer/en/font/5178.PFM.pdf
# Modified by: Joerg Jenderek
# Note: moved from ./msdos magic
# dfVersion 256=0100h
0 uleshort 0x0100
# GRR: line above is too general as it catches also TrueType font,
# raw G3 data FAX, WhatsApp encrypted and Panorama database
# dfType 129=0081h
>66 uleshort 0x0081
# dfVertRes 300=012Ch not needed as additional test
#>>70 uleshort 0x012c
# dfHorizRes 300=012Ch
#>>>72 uleshort 0x012c
# dfDriverInfo points to postscript information section
>>(101.l) string/c Postscript Printer Font Metrics
# above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID
!:mime application/x-font-pfm
# AppleShare Print Server
#!:apple ASPS????
!:ext pfm
# dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking
#>>>6 string >\060 - %-.60s
# dfDriverInfo
>>>139 ulelong >0
# often abbreviated and same as filename
>>>>(139.l) string x %s
# dfSize
>>>2 ulelong x \b, %d bytes
# dfFace 210=D2h 9Eh
>>>105 ulelong >0
# Windows font name
>>>>(105.l) string x \b, %s
# dfItalic
>>>80 ubyte 1 italic
# dfUnderline
>>>81 ubyte 1 underline
# dfStrikeOut
>>>82 ubyte 1 strikeout
# dfWeight 400=0x0190 300=0x012c 500=0x01f4 600=0x0258 700=0x02bc
>>>83 uleshort >699 bold
# dfPitchAndFamily 16 17 48 49 64 65
>>>90 ubyte 16 serif
>>>90 ubyte 17 serif proportional
#>>>90 ubyte 48 other
>>>90 ubyte 49 proportional
>>>90 ubyte 64 script
>>>90 ubyte 65 script proportional

# X11 font files in SNF (Server Natural Format) format
# updated by Joerg Jenderek at Feb 2013
# http://computer-programming-forum.com/51-perl/8f22fb96d2e34bab.htm
0 belong 00000004 X11 SNF font data, MSB first
#>104 belong 00000004 X11 SNF font data, MSB first
!:mime application/x-font-sfn
# GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX
0 lelong 00000004
>104 lelong 00000004 X11 SNF font data, LSB first
!:mime application/x-font-sfn

# X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com)
0 search/1 STARTFONT\ X11 BDF font text

# From: Joerg Jenderek
# URL: https://grub.gibibit.com/New_font_format
# Reference: util/grub-mkfont.c
# include/grub/fontformat.h
# FONT_FORMAT_SECTION_NAMES_FILE
0 string FILE
# FONT_FORMAT_PFF2_MAGIC
>8 string PFF2
# leng 4 only at the moment
>>4 ubelong 4
# FONT_FORMAT_SECTION_NAMES_FONT_NAME
>>>12 string NAME GRUB2 font
!:mime application/x-font-pf2
!:ext pf2
# length of font_name
>>>>16 ubelong >0
# font_name
>>>>>20 string >\0 "%-s"

# X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com)
# PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides)
0 string \001fcp X11 Portable Compiled Font data,
>12 lelong ^0x08 bit: LSB,
>12 lelong &0x08 bit: MSB,
>12 lelong ^0x04 byte: LSB first
>12 lelong &0x04 byte: MSB first
0 string D1.0\015 X11 Speedo font data

#------------------------------------------------------------------------------
# FIGlet fonts and controlfiles
# From figmagic supplied with Figlet version 2.2
# "David E. O'Brien" <obrien@FreeBSD.ORG>
0 string flf FIGlet font
>3 string >2a version %-2.2s
0 string flc FIGlet controlfile
>3 string >2a version %-2.2s

# libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu)
# Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++
0 belong 0x14025919 libGrx font data,
>8 leshort x %dx
>10 leshort x \b%d
>40 string x %s
# Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu)
0 belong 0xff464f4e DOS code page font data collection
7 belong 0x00454741 DOS code page font data
7 belong 0x00564944 DOS code page font data (from Linux?)
4098 string DOSFONT DOSFONT2 encrypted font data

# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/GEM_bitmap_font
# Reference: http://cd.textfiles.com/ataricompendium/BOOK/HTML/APPENDC.HTM#cnt
#
# usual case with lightening mask and skewing mask 5555h~UU
#62 ulelong 0x55555555
# skip cl8m8ocofedso.testfile by looking for face size lower/equal 72
#>2 uleshort <73
#>>0 use gdos-font
# BOX18.GFT COWBOY30.GFT ROYALK30.GFT
#62 ulelong 0
# skip ISO 9660 CD-ROM ./filesystem by looking for low positive face size
#>2 uleshort >2
# skip DOS 2.0 backup id file ./msdos by looking for face size lower/equal 72
#>>2 uleshort <73
# skip MS oem.hlp, some Windows ICO ./msdos by looking for valid long name like WYE
#>>>4 ulelong >0x001F1f1F
# skip Microsoft WinWord 2.0 ./msdos by looking for positive offset to font data
#>>>>76 ulelong >83
#>>>>>0 use gdos-font
0 name gdos-font
>0 uleshort x GEM GDOS font
!:mime application/x-font-gdos
# also .eps found like AA070GEP.EPS AI360GEP.EPS
!:ext fnt/gtf
# font name like Big&Tall, Celtic #s, Courier, University Bold, WYE
>4 string x %.32s
# face size in points 3-72 SLSS03CG.FNT H1CELT72.FNT
>2 uleshort x %u
# face ID (must be unique)
>0 uleshort x \b, ID 0x%4.4x
# lowest character index in face (4 but usually 32 for disk-loaded fonts)
#>36 uleshort !32 \b, unusual character index %u
# width of the widest character like 0 8 10 12 16 24 32
#>50 uleshort x \b, %u char width
# width of the widest character cell like 8 11 12 14 15 16 33 67
#>52 uleshort x \b, %u cell width
# thickening size in pixel like 0 1 2 3 4 5 6 7 8
#>58 uleshort x \b, %u thick
# lightening mask to eliminate pixels, usually 5555h
>62 uleshort !0x5555 \b, lightening mask 0x%x
# skewing mask to determine when to perform additional rotation when skewing, usually 5555h
>64 uleshort !0x5555 \b, skewing mask 0x%x
# offset to optional horizontal offset table 0 58h~88 5eh 252h
#>68 ulelong x \b, 0x%x horizontal table offset
# offset of character offset table 54h for many *.GFT 55h 58h 5Eh 120h 1D4h 202h 220h
#>72 ulelong x \b, 0x%x coffset
# offset to font data like 116h 118h 158 20Ah 20Eh
>76 ulelong x \b, 0x%x foffset
# form width in bytes like 58 67 156 190 227 317 345
#>80 uleshort x \b, %u fwidth
# form height in bytes like 4 8 11 17 26 56 70 90 120 146 150
#>82 uleshort x \b, %u fheight
# pointer to the next font like 0 10000h 20000h 30000h 40000h 60000h 80000h E0000h D0000h
#>84 ulelong x \b, 0x%x noffset

# downloadable fonts for browser (prints type) anthon@mnt.org
# https://tools.ietf.org/html/rfc3073
0 string PFR1 Portable Font Resource font data (new)
>102 string >0 \b: %s
0 string PFR0 Portable Font Resource font data (old)
>4 beshort >0 version %d

# True Type fonts
# Modified by: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/TrueType
# Reference: https://developer.apple.com/fonts/TrueType-Reference-Manual/
#
# sfnt version "typ1" used by some Apple, but no example found
0 string typ1
>0 use sfnt-font
>0 use sfnt-names
# sfnt version "true" used by some Apple
0 string true
>0 use sfnt-font
>0 use sfnt-names
# GRR: below test is too general
# sfnt version often 0x00010000
0 string \000\001\000\000
>0 use sfnt-font
>0 use sfnt-names
# validate and display sfnt font data like number of tables
0 name sfnt-font
# file 5.30 version assumes 00FFh as maximal number of tables
#>4 ubeshort <0x0100
# maximal 27 tables found like in Skia.ttf
# 46 different table names mentioned on Apple specification
# skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number
>4 ubeshort <47
# skip bad examples with garbage table names like in a5.show HYPERC MAC
# tag names consist of up to four characters padded with spaces at end like
# BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ...
>>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ]
#>>>0 ubelong x \b, sfnt version 0x%x
>>>0 ubelong !0x4f54544f TrueType
!:mime font/sfnt
!:apple ????tfil
# .ttf for TrueType font
# EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe
!:ext ttf/tte
# sfnt version 4F54544Fh~OTTO
>>>0 ubelong =0x4f54544f OpenType
!:mime font/otf
!:apple ????OTTO
!:ext otf
>>>0 ubelong x Font data
# DSIG=44454947h table name implies a digitally signed font
# search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432
>>>12 search/432 DSIG \b, digitally signed
>>>4 ubeshort x \b, %d tables
# minimal 9 tables found like in NISC18030.ttf
#>>>4 ubeshort <10 TMIN
#>>>4 ubeshort >24 TBIG
# table directory entries
>>>12 string x \b, 1st "%4.4s"

# search and display 1st name in sfnt font which is often copyright text
# does not work inside font collections
0 name sfnt-names
# search for naming table
>12 search/432/s name
# biggest offset 0x0100bd28 like Windows10 Fonts\simsunb.ttf
#>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET
>>&8 ubelong >0x00100000
# offset of name table
>>>&-4 ubelong x \b, name offset 0x%x
# GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h
>>&8 ubelong <0x00100000
>>>&-16 ubelong x
# name table
>>>>(&8.L) ubequad x
# invalid format selector
#>>>>>&-8 ubeshort !0 \b, invalid selector %x
# minimal 3 name records found like in c:\Program Files (x86)\Tesseract-OCR\tessdata\pdf.ttf
# maximal 1227 name records found like in Apple Chancery.ttf
#>>>>>&-6 ubeshort <0x4 mincount
#>>>>>&-6 ubeshort >130 maxcount
>>>>>&-6 ubeshort x \b, %d names
# offset to start of string storage from start of table
#>>>>>&-4 ubeshort x \b, record offset %d
# 1st name record
# string offset from start of storage area
#>>>>>&8 ubeshort x \b, string offset %d
# string length
#>>>>>&6 ubeshort x \b, string length %d
# minimal name string 7 like in c:\Program Files (x86)\Kodi\addons\webinterface.default\lib\video-js\font\VideoJS.ttf
# also found 0 like in SWZCONLN.TTF
#>>>>>&6 ubeshort <8 MIN STRING
# maximal name string 806 like in c:\Windows\Fonts\palabi.ttf
#>>>>>&6 ubeshort >805 MAX STRING
# platform identifier: 0~Apple Unicode, 1~Macintosh, 3~Microsoft
#>>>>>&-2 ubeshort >3 BAD PLATFORM
>>>>>&-2 ubeshort 0 \b, Unicode
>>>>>&-2 ubeshort 1 \b, Macintosh
>>>>>&-2 ubeshort 3 \b, Microsoft
# languageID (0~english Macintosh, 0409h~english Microsoft, ...)
>>>>>&2 ubeshort >0 \b, language 0x%x
# name identifiers
# often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ...
>>>>>&4 ubeshort >0 \b, type %d string
# platform specific encoding:
# 0~undefined character set, 1~UGL set with Unicode, 3~Unicode 2.0 BMP only, 4~Unicode 2.0
#>>>>>&0 ubeshort x \b, %d encoding
>>>>>&0 ubeshort 0
# handle only name string offset 0 because do not know how to add 2 relative offsets
>>>>>>&6 ubeshort 0
>>>>>>>&(&-14.S-18) ubyte !0
# GRR: instead 806 only first MAXstring = 96 characters are displayed as defined in src\file.h
# often copyright string that starts like \251 2006 The Monotype Corporation
>>>>>>>>&-1 string x \b, %-11.96s
# test for unicode string
>>>>>>>&(&-14.S-18) ubyte 0
>>>>>>>>&0 lestring16 x \b, %-11.96s
# unicode encoding
>>>>>&0 ubeshort >0
>>>>>>&6 ubeshort 0
>>>>>>>&(&-14.S-17) lestring16 x \b, %-11.96s

0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font
0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font

# TrueType/OpenType font collections (.ttc)
# URL: https://en.wikipedia.org/wiki/OpenType
# https://www.microsoft.com/typography/otspec/otff.htm
# Modified by: Joerg Jenderek
# Note: container for TrueType, OpenType font
0 string ttcf
# skip ASCII text
>4 ubyte 0
# sfnt version often 0x00010000 of 1st table is TrueType
>>(12.L) ubelong !0x4f54544f TrueType
!:mime font/ttf
!:apple ????tfil
!:ext ttc
# sfnt version 4F54544Fh~OTTO of 1st table is OpenType font
>>(12.L) ubelong =0x4f54544f OpenType
!:mime font/otf
!:apple ????OTTO
# no example found for otc
!:ext ttc/otc
>>4 ubyte x font collection data
#!:mime font/collection
# TCC version
>>4 belong 0x00010000 \b, 1.0
>>4 belong 0x00020000 \b, 2.0
>>8 ubelong >0 \b, %d fonts
# array offset size = fonts * offsetsize = fonts * 4
>>(8.L*4) ubequad x
# 0x44454947 = 'DSIG'
>>>&4 belong 0x44534947 \b, digitally signed
# offset to 1st font
>>12 ubelong x \b, at 0x%x
# point to 1st font that starts with sfnt version
>>(12.L) use sfnt-font

# Opentype font data from Avi Bercovich
0 string OTTO OpenType font data
!:mime application/vnd.ms-opentype

# From: Alex Myczko <alex@aiei.ch>
0 string SplineFontDB: Spline Font Database
!:mime application/vnd.font-fontforge-sfd
>14 string x version %s

# EOT
0x40 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>0x22 string LP Embedded OpenType (EOT)
# workaround until there's lepstring16
# >>0x52 lepstring16/h >\0 \b, %s family
>>0x52 short !0
>>>0x54 lestring16 x \b, %s family
!:mime application/vnd.ms-fontobject

# Web Open Font Format (.woff)
0 name woff
>4 belong 0x00010000 \b, TrueType
>4 belong 0x4F54544F \b, CFF
>4 belong 0x74727565 \b, TrueType
>4 default x
>>4 belong x \b, flavor %d
>8 belong x \b, length %d
#>12 beshort x \b, numTables %d
#>14 beshort x \b, reserved %d
#>16 belong x \b, totalSfntSize %d

# https://www.w3.org/TR/WOFF/
0 string wOFF Web Open Font Format
>0 use woff
>20 beshort x \b, version %d
>22 beshort x \b.%d
# https://www.w3.org/TR/WOFF2/
0 string wOF2 Web Open Font Format (Version 2)
>0 use woff
#>20 belong x \b, totalCompressedSize %d
>24 beshort x \b, version %d
>26 beshort x \b.%d

#------------------------------------------------------------------------------
# $File: forth,v 1.1 2019/06/06 19:14:20 christos Exp $
# forth: file(1) magic for various Forth environments
# From: Lubomir Rintel <lkundrak@v3.sk>
#

# Has a FORTH stack diagram and something that looks very much like a FORTH
# multi-line word definition. Probably a FORTH source.
0 regex \[[:space:]]\\(([[:space:]].*)?\ --\ (.*[[:space:]])?\\)
>0 regex \^:\[[:space:]]
>>0 regex \^;$ FORTH program
!:mime text/x-forth

# Inline word definition complete with a stack diagram
0 regex \^:[[:space:]].*[[:space:]]\\(([[:space:]].*)?\ --\ (.*[[:space:]])?\\)[[:space:]].*[[:space:]];$ FORTH program
!:mime text/x-forth

# Various dictionary images used by OpenFirware FORTH environent

0 lelong 0xe1a00000
>8 lelong 0xe1a00000 ARM OpenFirmware FORTH Dictionary,
>>24 lelong x Text length: %d bytes,
>>28 lelong x Data length: %d bytes,
>>32 lelong x Text Relocation Table length: %d bytes,
>>36 lelong x Data Relocation Table length: %d bytes,
>>40 lelong x Entry Point: 0x%08X,
>>44 lelong x BSS length: %d bytes

0 string MP
>28 lelong 1 x86 OpenFirmware FORTH Dictionary,
>>4 leshort x %d blocks
>>2 leshort x + %d bytes,
>>6 leshort x %d relocations,
>>8 leshort x Header length: %d paragraphs,
>>10 leshort x Data Size: %d
>>12 leshort x - %d 4K pages,
>>14 lelong x Initial Stack Pointer: 0x%08X,
>>20 lelong x Entry Point: 0x%08X,
>>24 lelong x First Relocation Item: %d,
>>26 lelong x Overlay Number: %d,
>>18 leshort x Checksum: 0x%08X

0 belong 0x48000020 PowerPC OpenFirmware FORTH Dictionary,
>4 belong x Text length: %d bytes,
>8 belong x Data length: %d bytes,
>12 belong x BSS length: %d bytes,
>16 belong x Symbol Table length: %d bytes,
>20 belong x Entry Point: 0x%08X,
>24 belong x Text Relocation Table length: %d bytes,
>28 belong x Data Relocation Table length: %d bytes

0 lelong 0x10000007 MIPS OpenFirmware FORTH Dictionary,
>4 lelong x Text length: %d bytes,
>8 lelong x Data length: %d bytes,
>12 lelong x BSS length: %d bytes,
>16 lelong x Symbol Table length: %d bytes,
>20 lelong x Entry Point: 0x%08X,
>24 lelong x Text Relocation Table length: %d bytes,
>28 lelong x Data Relocation Table length: %d bytes

# Dictionary images used by minimal C FORTH environments, any platform,
# using native byte order.

# Weak.
#0 short 0x5820 cForth 16-bit Dictionary,
#>2 short x Serial: 0x%08X,
#>4 short x Dictionary Start: 0x%08X,
#>6 short x Dictionary Size: %d bytes,
#>8 short x User Area Start: 0x%08X,
#>10 short x User Area Size: %d bytes,
#>12 short x Entry Point: 0x%08X

0 long 0x581120 cForth 32-bit Dictionary,
>4 long x Serial: 0x%08X,
>8 long x Dictionary Start: 0x%08X,
>12 long x Dictionary Size: %d bytes,
>16 long x User Area Start: 0x%08X,
>20 long x User Area Size: %d bytes,
>24 long x Entry Point: 0x%08X

#------------------------------------------------------------------------------
# $File: fortran,v 1.10 2015/11/05 18:47:16 christos Exp $
# FORTRAN source
# Check that the first 100 lines start with C or whitespace first.
0 regex/100l !\^[^Cc\ \t].*$
>0 regex/100l \^[Cc][\ \t] FORTRAN program text
!:mime text/x-fortran
!:strength - 5

#------------------------------------------------------------------------------
# $File: frame,v 1.14 2019/11/25 00:31:30 christos Exp $
# frame: file(1) magic for FrameMaker files
#
# This stuff came on a FrameMaker demo tape, most of which is
# copyright, but this file is "published" as witness the following:
#
# Note that this is the Framemaker Maker Interchange Format, not the
# Normal format which would be application/vnd.framemaker.
#
0 string \<MakerFile FrameMaker document
!:mime application/x-mif
>11 string 5.5 (5.5
>11 string 5.0 (5.0
>11 string 4.0 (4.0
>11 string 3.0 (3.0
>11 string 2.0 (2.0
>11 string 1.0 (1.0
>14 byte x %c)
# URL: http://fileformats.archiveteam.org/wiki/Maker_Interchange_Format
# Reference: https://help.adobe.com/en_US/framemaker/mifreference/mifref.pdf
# Update: Joerg Jenderek 2019 Nov
0 string \<MIFFile FrameMaker MIF (ASCII) file
# https://www.iana.org/assignments/media-types/application/vnd.mif
!:mime application/vnd.mif
# mif most but also find bookTOC.framemif
!:ext mif/framemif
# followed by space~20h
#>8 ubyte 0x20 \b, space before version
# 3 characters of version number of the MIF language like 1.0, 2.0 ... 2015 ...
>9 string x (%.3s
# if not greater sign then display 4th character of version
>12 ubyte =0x3e \b)
>12 ubyte !0x3e \b%c)
# comment starting with # shows the name+version number of generating program
>13 search/3 #
>>&0 string x "%s"
0 search/1 \<MakerDictionary FrameMaker Dictionary text
!:mime application/x-mif
>17 string 3.0 (3.0)
>17 string 2.0 (2.0)
>17 string 1.0 (1.x)
0 string \<MakerScreenFont FrameMaker Font file
!:mime application/x-mif
>17 string 1.01 (%s)
0 string \<MML FrameMaker MML file
!:mime application/x-mif
0 string \<BookFile FrameMaker Book file
!:mime application/x-mif
>10 string 3.0 (3.0
>10 string 2.0 (2.0
>10 string 1.0 (1.0
>13 byte x %c)
# XXX - this book entry should be verified, if you find one, uncomment this
#0 string \<Book\040 FrameMaker Book (ASCII) file
#!:mime application/x-mif
#>6 string 3.0 (3.0)
#>6 string 2.0 (2.0)
#>6 string 1.0 (1.0)
0 string \<Maker\040Intermediate\040Print\040File FrameMaker IPL file
!:mime application/x-mif

#------------------------------------------------------------------------------
# $File: freebsd,v 1.7 2009/09/19 16:28:09 christos Exp $
# freebsd: file(1) magic for FreeBSD objects
#
# All new-style FreeBSD magic numbers are in host byte order (i.e.,
# little-endian on x86).
#
# XXX - this comes from the file "freebsd" in a recent FreeBSD version of
# "file"; it, and the NetBSD stuff in "netbsd", appear to use different
# schemes for distinguishing between executable images, shared libraries,
# and object files.
#
# FreeBSD says:
#
# Regardless of whether it's pure, demand-paged, or none of the
# above:
#
# if the entry point is < 4096, then it's a shared library if
# the "has run-time loader information" bit is set, and is
# position-independent if the "is position-independent" bit
# is set;
#
# if the entry point is >= 4096 (or >4095, same thing), then it's
# an executable, and is dynamically-linked if the "has run-time
# loader information" bit is set.
#
# On x86, NetBSD says:
#
# If it's neither pure nor demand-paged:
#
# if it has the "has run-time loader information" bit set, it's
# a dynamically-linked executable;
#
# if it doesn't have that bit set, then:
#
# if it has the "is position-independent" bit set, it's
# position-independent;
#
# if the entry point is non-zero, it's an executable, otherwise
# it's an object file.
#
# If it's pure:
#
# if it has the "has run-time loader information" bit set, it's
# a dynamically-linked executable, otherwise it's just an
# executable.
#
# If it's demand-paged:
#
# if it has the "has run-time loader information" bit set,
# then:
#
# if the entry point is < 4096, it's a shared library;
#
# if the entry point is = 4096 or > 4096 (i.e., >= 4096),
# it's a dynamically-linked executable);
#
# if it doesn't have the "has run-time loader information" bit
# set, then it's just an executable.
#
# (On non-x86, NetBSD does much the same thing, except that it uses
# 8192 on 68K - except for "68k4k", which is presumably "68K with 4K
# pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's
# had 8K pages; dunno about MIPS.)
#
# I suspect the two will differ only in perverse and uninteresting cases
# ("shared" libraries that aren't demand-paged and whose pages probably
# won't actually be shared, executables with entry points <4096).
#
# I leave it to those more familiar with FreeBSD and NetBSD to figure out
# what the right answer is (although using ">4095", FreeBSD-style, is
# probably better than separately checking for "=4096" and ">4096",
# NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged
# executables using the NetBSD technique.)
#
0 lelong&0377777777 041400407 FreeBSD/i386
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped

0 lelong&0377777777 041400410 FreeBSD/i386 pure
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped

0 lelong&0377777777 041400413 FreeBSD/i386 demand paged
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped

0 lelong&0377777777 041400314 FreeBSD/i386 compact demand paged
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped

# XXX gross hack to identify core files
# cores start with a struct tss; we take advantage of the following:
# byte 7: highest byte of the kernel stack pointer, always 0xfe
# 8/9: kernel (ring 0) ss value, always 0x0010
# 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0
# 28: low order byte of the current PTD entry, always 0 since the
# PTD is page-aligned
#
7 string \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/i386 a.out core file
>1039 string >\0 from '%s'

# /var/run/ld.so.hints
# What are you laughing about?
0 lelong 011421044151 ld.so hints file (Little Endian
>4 lelong >0 \b, version %d)
>4 belong <1 \b)
0 belong 011421044151 ld.so hints file (Big Endian
>4 belong >0 \b, version %d)
>4 belong <1 \b)

#
# Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities
#
0 string SCRSHOT_ scrshot(1) screenshot,
>8 byte x version %d,
>9 byte 2 %d bytes in header,
>>10 byte x %d chars wide by
>>11 byte x %d chars high

#------------------------------------------------------------------------------
# $File: fsav,v 1.19 2019/04/19 00:42:27 christos Exp $
# fsav: file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)

# ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def}
0 beshort 0x1575 fsav macro virus signatures
>8 leshort >0 (%d-
>11 byte >0 \b%02d-
>10 byte >0 \b%02d)
# ftp://ftp.f-prot.com/pub/sign.zip
#10 ubyte <12
#>9 ubyte <32
#>>8 ubyte 0x0a
#>>>12 ubyte 0x07
#>>>>11 uleshort >0 fsav DOS/Windows virus signatures (%d-
#>>>>10 byte 0 \b01-
#>>>>10 byte 1 \b02-
#>>>>10 byte 2 \b03-
#>>>>10 byte 3 \b04-
#>>>>10 byte 4 \b05-
#>>>>10 byte 5 \b06-
#>>>>10 byte 6 \b07-
#>>>>10 byte 7 \b08-
#>>>>10 byte 8 \b09-
#>>>>10 byte 9 \b10-
#>>>>10 byte 10 \b11-
#>>>>10 byte 11 \b12-
#>>>>9 ubyte >0 \b%02d)
# ftp://ftp.f-prot.com/pub/sign2.zip
#0 ubyte 0x62
#>1 ubyte 0xF5
#>>2 ubyte 0x1
#>>>3 ubyte 0x1
#>>>>4 ubyte 0x0e
#>>>>>13 ubyte >0 fsav virus signatures
#>>>>>>11 ubyte x size 0x%02x
#>>>>>>12 ubyte x \b%02x
#>>>>>>13 ubyte x \b%02x bytes

# Joerg Jenderek: joerg dot jenderek at web dot de
# clamav-0.100.2\docs\html\node60.html
# https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
# ClamAV virus database files start with a 512 bytes colon separated header
# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
# + gzipped (optional) tarball files
# output can often be verified by `sigtool --info=FILE`
0 string ClamAV-VDB: Clam AntiVirus
# padding spaces implies database
>511 ubyte =0x20 database
!:mime application/x-clamav-database
# empty build time
>>10 string =:: (unsigned)
# sigtool(1) man page
!:ext cud
# display some text to avoid error like:
# Magdir/fsav, 78: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files! (No error)
>>10 default x (with buildtime)
#>>10 default x
# clamtmp is used for temporily database like update process
# for pure tar database only cld extension found
!:ext cld/cvd/clamtmp/cud
>511 default x file
!:mime application/x-clamav
!:ext info
>11 string >\0
# buildDate empty or like "22 Mar 2017 12-57 -0400"; verified by `sigtool -i FILE`
>>11 regex \^[^:]{0,23} \b, %s
# version like 25170
>>>&1 regex \^[^:]{1,6} \b, version %s
# signaturesNumbers like 4566249
>>>>&1 regex \^[^:]{1,10} \b, %s signatures
# functionalityLevelRequired like 60
>>>>>&1 regex \^[^:]{1,4} \b, level %s
# X for nothing or MD5
#>>>>>>&1 regex \^[^:]{1,32} \b, MD5 "%s"
>>>>>>&1 regex \^[^:]{1,32}
# X for nothing or digital signature starting like AIzk/LYbX
#>>>>>>>&1 regex \^[^:]{1,255} \b, signature "%s"
>>>>>>>&1 regex \^[^:]{1,255}
# builder like neo
>>>>>>>>&1 regex \^[^:]{1,32} \b, builder %s
# buildTime like 1506611558
#>>>>>>>>>&1 regex \^[^:]{1,10} \b, %s
>>>>>>>>>&1 regex \^[^:]{1,10}
# padding with spaces
#>>>>>>>>>>&1 ubequad x \b, padding 0x%16.16llx
>510 ubyte =0x20
# inspect real database content
#>>512 ubeshort x \b, database MAGIC 0x%x
# ./archive handle pure tar archives
>>1012 quad =0 \b, with
>>>512 use tar-file
# not pure tar
>>1012 quad !0
# one space at the end of text and then handles gziped archives by ./compress
>>>512 string \037\213 \b, with 
>>>>512 indirect x

# Type: Grisoft AVG AntiVirus
# From: David Newgas <david@newgas.net>
0 string AVG7_ANTIVIRUS_VAULT_FILE AVG 7 Antivirus vault file data

0 string X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR
>33 string -STANDARD-ANTIVIRUS-TEST-FILE!$H+H* EICAR virus test files

# From: Joerg Jenderek
# URL: https://www.avira.com/
# Note: found in directory %ProgramData%\Avira\Antivirus\INFECTED (Windows)
# tested with version 15.0.43.23 at November 2019
0 string AntiVir\ Qua Avira AntiVir quarantined
!:mime application/x-avira-qua
#!:mime application/octet-stream
!:ext qua
>156 string SUSPICIOUS_FILE
# file path of suspicious file
>>220 lestring16 x %s
>156 string !SUSPICIOUS_FILE
# file path of virus file
>>228 lestring16 x %s
# quarantined date
>60 ldate x at %s
# virus/danger name
>156 string !SUSPICIOUS_FILE
>>156 string x \b, category "%s"

#------------------------------------------------------------------------------
# $File: fusecompress,v 1.2 2011/08/08 09:05:55 christos Exp $
# fusecompress: file(1) magic for fusecompress
0 string \037\135\211 FuseCompress(ed) data
>3 byte 0x00 (none format)
>3 byte 0x01 (bz2 format)
>3 byte 0x02 (gz format)
>3 byte 0x03 (lzo format)
>3 byte 0x04 (xor format)
>3 byte >0x04 (unknown format)
>4 long x uncompressed size: %d

#------------------------------------------------------------------------------
# $File: games,v 1.20 2020/02/01 16:32:33 christos Exp $
# games: file(1) for games

# Fabio Bonelli <fabiobonelli@libero.it>
# Quake II - III data files
0 string IDP2 Quake II 3D Model file,
>20 long x %u skin(s),
>8 long x (%u x
>12 long x %u),
>40 long x %u frame(s),
>16 long x Frame size %u bytes,
>24 long x %u vertices/frame,
>28 long x %u texture coordinates,
>32 long x %u triangles/frame

0 string IBSP Quake
>4 long 0x26 II Map file (BSP)
>4 long 0x2E III Map file (BSP)

0 string IDS2 Quake II SP2 sprite file

#---------------------------------------------------------------------------
# Doom and Quake
# submitted by Nicolas Patrois

0 string \xcb\x1dBoom\xe6\xff\x03\x01 Boom or linuxdoom demo
# some doom lmp files don't match, I've got one beginning with \x6d\x02\x01\x01

24 string LxD\ 203 Linuxdoom save
>0 string x , name=%s
>44 string x , world=%s

# Quake

# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/PAK
# reference: https://quakewiki.org/wiki/.pak
# GRR: line below is too general as it matches also Acorn PackDir compressed Archive
# and Git pack ./revision
0 string PACK
# real Quake examples like pak0.pak have only some hundreds like 150 files
# So test for few files
>8 ulelong <0x01000000
# in file version 5.32 test for null terminator is only true for
# offset ~< FILE_BYTES_MAX = 1 MB defined in 
../../src/file.h # look for null terminator of 1st entry name>>(4.l+55) ubyte 0 Quake I or II world or extension!:mime application/x-dzip!:ext pak#>>>8 ulelong x \b, table size %u# dividing this by entry size (64) gives number of files>>>8 ulelong/64 x \b, %u files# offset to the beginning of the file table>>>4 ulelong x \b, offset 0x%x# 1st file entry>>>(4.l) use pak-entry# 2nd file entry#>>>4 ulelong+64 x \b, offset 0x%x#>>>(4.l+64) use pak-entry## display file table entry of Quake PAK archive0 name pak-entry# normally entry start after header which implies offset 12 or higher>56 ulelong >11 # the offset from the beginning of pak to beginning of this entry file contents>>56 ulelong x at 0x%x# the size of file for this entry >>60 ulelong x %u bytes# 56 byte null-terminated entry name string includes path like maps/e1m1.bsp>>0 string x '%-.56s'# inspect entry content by jumping to entry offset>>(56) indirect x \b: #0 string -1\x0a Quake I demo#>30 string x version %.4s#>61 string x level %s #0 string 5\x0a Quake I save # The levels # Quake 1 0 string 5\x0aIntroduction Quake I save: start Introduction0 string 5\x0athe_Slipgate_Complex Quake I save: e1m1 The slipgate complex0 string 5\x0aCastle_of_the_Damned Quake I save: e1m2 Castle of the damned0 string 5\x0athe_Necropolis Quake I save: e1m3 The necropolis0 string 5\x0athe_Grisly_Grotto Quake I save: e1m4 The grisly grotto0 string 5\x0aZiggurat_Vertigo Quake I save: e1m8 Ziggurat vertigo (secret)0 string 5\x0aGloom_Keep Quake I save: e1m5 Gloom keep0 string 5\x0aThe_Door_To_Chthon Quake I save: e1m6 The door to Chthon0 string 5\x0aThe_House_of_Chthon Quake I save: e1m7 The house of Chthon0 string 5\x0athe_Installation Quake I save: e2m1 The installation0 string 5\x0athe_Ogre_Citadel Quake I save: e2m2 The ogre citadel0 string 5\x0athe_Crypt_of_Decay Quake I save: e2m3 The crypt of decay (dopefish lives!)0 string 5\x0aUnderearth Quake I save: e2m7 Underearth (secret)0 string 5\x0athe_Ebon_Fortress Quake I save: e2m4 
The ebon fortress0 string 5\x0athe_Wizard's_Manse Quake I save: e2m5 The wizard's manse0 string 5\x0athe_Dismal_Oubliette Quake I save: e2m6 The dismal oubliette0 string 5\x0aTermination_Central Quake I save: e3m1 Termination central0 string 5\x0aVaults_of_Zin Quake I save: e3m2 Vaults of Zin0 string 5\x0athe_Tomb_of_Terror Quake I save: e3m3 The tomb of terror0 string 5\x0aSatan's_Dark_Delight Quake I save: e3m4 Satan's dark delight0 string 5\x0athe_Haunted_Halls Quake I save: e3m7 The haunted halls (secret)0 string 5\x0aWind_Tunnels Quake I save: e3m5 Wind tunnels0 string 5\x0aChambers_of_Torment Quake I save: e3m6 Chambers of torment0 string 5\x0athe_Sewage_System Quake I save: e4m1 The sewage system0 string 5\x0aThe_Tower_of_Despair Quake I save: e4m2 The tower of despair0 string 5\x0aThe_Elder_God_Shrine Quake I save: e4m3 The elder god shrine0 string 5\x0athe_Palace_of_Hate Quake I save: e4m4 The palace of hate0 string 5\x0aHell's_Atrium Quake I save: e4m5 Hell's atrium0 string 5\x0athe_Nameless_City Quake I save: e4m8 The nameless city (secret)0 string 5\x0aThe_Pain_Maze Quake I save: e4m6 The pain maze0 string 5\x0aAzure_Agony Quake I save: e4m7 Azure agony0 string 5\x0aShub-Niggurath's_Pit Quake I save: end Shub-Niggurath's pit # Quake DeathMatch levels 0 string 5\x0aPlace_of_Two_Deaths Quake I save: dm1 Place of two deaths0 string 5\x0aClaustrophobopolis Quake I save: dm2 Claustrophobopolis0 string 5\x0aThe_Abandoned_Base Quake I save: dm3 The abandoned base0 string 5\x0aThe_Bad_Place Quake I save: dm4 The bad place0 string 5\x0aThe_Cistern Quake I save: dm5 The cistern0 string 5\x0aThe_Dark_Zone Quake I save: dm6 The dark zone # Scourge of Armagon 0 string 5\x0aCommand_HQ Quake I save: start Command HQ0 string 5\x0aThe_Pumping_Station Quake I save: hip1m1 The pumping station0 string 5\x0aStorage_Facility Quake I save: hip1m2 Storage facility0 string 5\x0aMilitary_Complex Quake I save: hip1m5 Military complex (secret)0 string 5\x0athe_Lost_Mine Quake I 
save: hip1m3 The lost mine0 string 5\x0aResearch_Facility Quake I save: hip1m4 Research facility0 string 5\x0aAncient_Realms Quake I save: hip2m1 Ancient realms0 string 5\x0aThe_Gremlin's_Domain Quake I save: hip2m6 The gremlin's domain (secret)0 string 5\x0aThe_Black_Cathedral Quake I save: hip2m2 The black cathedral0 string 5\x0aThe_Catacombs Quake I save: hip2m3 The catacombs0 string 5\x0athe_Crypt__ Quake I save: hip2m4 The crypt0 string 5\x0aMortum's_Keep Quake I save: hip2m5 Mortum's keep0 string 5\x0aTur_Torment Quake I save: hip3m1 Tur torment0 string 5\x0aPandemonium Quake I save: hip3m2 Pandemonium0 string 5\x0aLimbo Quake I save: hip3m3 Limbo0 string 5\x0athe_Edge_of_Oblivion Quake I save: hipdm1 The edge of oblivion (secret)0 string 5\x0aThe_Gauntlet Quake I save: hip3m4 The gauntlet0 string 5\x0aArmagon's_Lair Quake I save: hipend Armagon's lair # Malice 0 string 5\x0aThe_Academy Quake I save: start The academy0 string 5\x0aThe_Lab Quake I save: d1 The lab0 string 5\x0aArea_33 Quake I save: d1b Area 330 string 5\x0aSECRET_MISSIONS Quake I save: d3b Secret missions0 string 5\x0aThe_Hospital Quake I save: d10 The hospital (secret)0 string 5\x0aThe_Genetics_Lab Quake I save: d11 The genetics lab (secret)0 string 5\x0aBACK_2_MALICE Quake I save: d4b Back to Malice0 string 5\x0aArea44 Quake I save: d1c Area 440 string 5\x0aTakahiro_Towers Quake I save: d2 Takahiro towers0 string 5\x0aA_Rat's_Life Quake I save: d3 A rat's life0 string 5\x0aInto_The_Flood Quake I save: d4 Into the flood0 string 5\x0aThe_Flood Quake I save: d5 The flood0 string 5\x0aNuclear_Plant Quake I save: d6 Nuclear plant0 string 5\x0aThe_Incinerator_Plant Quake I save: d7 The incinerator plant0 string 5\x0aThe_Foundry Quake I save: d7b The foundry0 string 5\x0aThe_Underwater_Base Quake I save: d8 The underwater base0 string 5\x0aTakahiro_Base Quake I save: d9 Takahiro base0 string 5\x0aTakahiro_Laboratories Quake I save: d12 Takahiro laboratories0 string 5\x0aStayin'_Alive Quake I save: 
d13 Stayin' alive0 string 5\x0aB.O.S.S._HQ Quake I save: d14 B.O.S.S. HQ0 string 5\x0aSHOWDOWN! Quake I save: d15 Showdown! # Malice DeathMatch levels 0 string 5\x0aThe_Seventh_Precinct Quake I save: ddm1 The seventh precinct0 string 5\x0aSub_Station Quake I save: ddm2 Sub station0 string 5\x0aCrazy_Eights! Quake I save: ddm3 Crazy eights!0 string 5\x0aEast_Side_Invertationa Quake I save: ddm4 East side invertationa0 string 5\x0aSlaughterhouse Quake I save: ddm5 Slaughterhouse0 string 5\x0aDOMINO Quake I save: ddm6 Domino0 string 5\x0aSANDRA'S_LADDER Quake I save: ddm7 Sandra's ladder 0 string MComprHD MAME CHD compressed hard disk image,>12 belong x version %u # doom - submitted by Jon Dowland 0 string =IWAD doom main IWAD data>4 lelong x containing %d lumps0 string =PWAD doom patch PWAD data>4 lelong x containing %d lumps # Build engine group files (Duke Nukem, Shadow Warrior, ...)# Extension: .grp# Created by: "Ganael Laplanche" <ganael.laplanche@martymac.org>0 string KenSilverman Build engine group file>12 lelong x containing %d files # Summary: Warcraft 3 save# Extension: .w3g# Created by: "Nelson A. de Oliveira" <naoliv@gmail.com>0 string Warcraft\ III\ recorded\ game %s # Summary: Warcraft 3 map# Extension: .w3m# Created by: "Nelson A. 
de Oliveira" <naoliv@gmail.com>0 string HM3W Warcraft III map file # Summary: SGF Smart Game Format# Extension: .sgf# Reference: https://www.red-bean.com/sgf/# Created by: Eduardo Sabbatella <eduardo_sabbatella@yahoo.com.ar># Modified by (1): Abel Cheung (regex, more game format)# FIXME: Some games don't have GM (game type)0 regex \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format>2 search/0x200/b GM[>>&0 string 1] (Go)>>&0 string 2] (Othello)>>&0 string 3] (chess)>>&0 string 4] (Gomoku+Renju)>>&0 string 5] (Nine Men's Morris)>>&0 string 6] (Backgammon)>>&0 string 7] (Chinese chess)>>&0 string 8] (Shogi)>>&0 string 9] (Lines of Action)>>&0 string 10] (Ataxx)>>&0 string 11] (Hex)>>&0 string 12] (Jungle)>>&0 string 13] (Neutron)>>&0 string 14] (Philosopher's Football)>>&0 string 15] (Quadrature)>>&0 string 16] (Trax)>>&0 string 17] (Tantrix)>>&0 string 18] (Amazons)>>&0 string 19] (Octi)>>&0 string 20] (Gess)>>&0 string 21] (Twixt)>>&0 string 22] (Zertz)>>&0 string 23] (Plateau)>>&0 string 24] (Yinsh)>>&0 string 25] (Punct)>>&0 string 26] (Gobblet)>>&0 string 27] (hive)>>&0 string 28] (Exxit)>>&0 string 29] (Hnefatal)>>&0 string 30] (Kuba)>>&0 string 31] (Tripples)>>&0 string 32] (Chase)>>&0 string 33] (Tumbling Down)>>&0 string 34] (Sahara)>>&0 string 35] (Byte)>>&0 string 36] (Focus)>>&0 string 37] (Dvonn)>>&0 string 38] (Tamsk)>>&0 string 39] (Gipf)>>&0 string 40] (Kropki) ############################################### NetImmerse/Gamebryo game engine entries # Summary: Gamebryo game engine file# Extension: .nif, .kf# Created by: Abel Cheung <abelcheung@gmail.com>0 string Gamebryo\ File\ Format,\ Version\ Gamebryo game engine file>&0 regex [0-9a-z.]+ \b, version %s # Summary: Gamebryo game engine file# Extension: .kfm# Created by: Abel Cheung <abelcheung@gmail.com>0 string ;Gamebryo\ KFM\ File\ Version\ Gamebryo game engine animation File>&0 regex [0-9a-z.]+ \b, version %s # Summary: NetImmerse game engine file# Extension .nif# Created by: Abel Cheung 
<abelcheung@gmail.com>0 string NetImmerse\ File\ Format,\ Versio>&0 string n\ NetImmerse game engine file>>&0 regex [0-9a-z.]+ \b, version %s # Type: SGF Smart Game Format# URL: https://www.red-bean.com/sgf/# From: Eduardo Sabbatella <eduardo_sabbatella@yahoo.com.ar>2 regex/c \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format>2 regex/c GM\\[1\\] - Go Game>2 regex/c GM\\[6\\] - BackGammon Game>2 regex/c GM\\[11\\] - Hex Game>2 regex/c GM\\[18\\] - Amazons Game>2 regex/c GM\\[19\\] - Octi Game>2 regex/c GM\\[20\\] - Gess Game>2 regex/c GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package#0 lelong 0x9E2A83C1 Unreal Engine Package,>4 leshort x version: %i>12 lelong !0 \b, names: %i>28 lelong !0 \b, imports: %i>20 lelong !0 \b, exports: %i 0 string ESVG>4 lelong 0x00160000>10 string TOC\020 Empire Deluxe for DOS saved game # Sid Meier's Civilization V/VI# From: Benjamin Lowry <ben@ben.gmbh>0 string CIV5>4 byte 0x08 Sid Meier's Civilization V saved game,>>12 regex [0-9a-z.]+ saved by game version %s>4 byte 0x01 Sid Meier's Civilization V replay data,>>12 regex [0-9a-z.]+ saved by game version %s 0 string CIV6 Sid Meier's Civilization VI saved game #------------------------------------------------------------------------------# $File: gcc,v 1.5 2016/07/01 23:31:13 christos Exp $# gcc: file(1) magic for GCC special files#0 string gpch GCC precompiled header # The version field is annoying. 
It's 3 characters, not zero-terminated.>5 byte x (version %c>6 byte x \b%c>7 byte x \b%c) # 67 = 'C', 111 = 'o', 43 = '+', 79 = 'O'>4 byte 67 for C>4 byte 111 for Objective-C>4 byte 43 for C++>4 byte 79 for Objective-C++ #------------------------------------------------------------------------------# $File: gconv# gconv: file(1) magic for iconv/gconv module configuration cache## Magic number defined in glibc/iconv/iconvconfig.h as GCONVCACHE_MAGIC## From: Marek Cermak <macermak@redhat.com>#0 lelong 0x20010324 gconv module configuration cache data #------------------------------------------------------------------------------# $File: geo,v 1.7 2019/04/19 00:42:27 christos Exp $# Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> ######################################################################## Acoustic Doppler Current Profilers (ADCP)####################################################################### 0 beshort 0x7f7f RDI Acoustic Doppler Current Profiler (ADCP) ######################################################################## Metadata####################################################################### 0 string Identification_Information FGDC ASCII metadata ######################################################################## Seimsic / Subbottom####################################################################### # Knudsen subbottom chirp profiler - Binary File Format: B9# KEB D409-03167 V1.75 Huffman0 string KEB\ Knudsen seismic KEL binary (KEB) ->4 regex [-A-Z0-9]* Software: %s>>&1 regex V[0-9]*\.[0-9]* version %s ######################################################################## LIDAR - Laser altimetry or bathy####################################################################### # Caris LIDAR format for LADS comes as two parts... 
ascii location file and binary waveform data0 string HCA LADS Caris Ascii Format (CAF) bathymetric lidar>4 regex [0-9]*\.[0-9]* version %s 0 string HCB LADS Caris Binary Format (CBF) bathymetric lidar waveform data>3 byte x version %d .>4 byte x %d ######################################################################## MULTIBEAM SONARS https://www.ldeo.columbia.edu/res/pi/MB-System/formatdoc/####################################################################### # GeoAcoustics - GeoSwath Plus4 beshort 0x2002 GeoSwath RDF0 string Start:- GeoSwatch auf text file # Seabeam 2100# mbsystem code mb410 string SB2100 SeaBeam 2100 multibeam sonar0 string SB2100DR SeaBeam 2100 DR multibeam sonar0 string SB2100PR SeaBeam 2100 PR multibeam sonar # This corresponds to MB-System format 94, L-3/ELAC/SeaBeam XSE vendor# format. It is the format of our upgraded SeaBeam 2112 on R/V KNORR.0 string $HSF XSE multibeam # mb121 https://www.saic.com/maritime/gsf/8 string GSF-v SAIC generic sensor format (GSF) sonar data,>&0 regex [0-9]*\.[0-9]* version %s # MGD77 - https://www.ngdc.noaa.gov/mgg/dat/geodas/docs/mgd77.htm# mb1619 string MGD77 MGD77 Header, Marine Geophysical Data Exchange Format # MBSystem processing caches the mbinfo output1 string Swath\ Data\ File: mbsystem info cache # Caris John Hughes Clark format0 string HDCS Caris multibeam sonar related data1 string Start/Stop\ parameter\ header: Caris ASCII project summary ######################################################################## Visualization and 3D modeling####################################################################### # IVS - IVS3d.com Tagged Data Represetation0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file # http://www.ecma-international.org/publications/standards/Ecma-363.htm# 3D in PDFs0 string U3D ECMA-363, Universal 3D ######################################################################## Support files####################################################################### # 
https://midas.psi.ch/elog/0 string $@MID@$ elog journal entry # Geospatial Designs https://www.geospatialdesigns.com/surfer6_format.htm0 string DSBB Surfer 6 binary grid file>4 leshort x \b, %d>6 leshort x \bx%d>8 ledouble x \b, minx=%g>16 ledouble x \b, maxx=%g>24 ledouble x \b, miny=%g>32 ledouble x \b, maxy=%g>40 ledouble x \b, minz=%g>48 ledouble x \b, maxz=%g # magic for LAS format files# alex myczko <alex@aiei.ch># https://www.asprs.org/wp-content/uploads/2010/12/LAS_1_3_r11.pdf0 string LASF LIDAR point data records>24 byte >0 \b, version %u>25 byte >0 \b.%u>26 string >\0 \b, SYSID %s>58 string >\0 \b, Generating Software %s # magic for PCD format files# alex myczko <alex@aiei.ch># http://pointclouds.org/documentation/tutorials/pcd_file_format.php0 string #\ .PCD Point Cloud Data #------------------------------------------------------------------------------# $File: geos,v 1.4 2009/09/19 16:28:09 christos Exp $# GEOS files (Vidar Madsen, vidar@gimp.org)# semi-commonly used in embedded and handheld systems.0 belong 0xc745c153 GEOS>40 byte 1 executable>40 byte 2 VMFile>40 byte 3 binary>40 byte 4 directory label>40 byte <1 unknown>40 byte >4 unknown>4 string >\0 \b, name "%s"#>44 short x \b, version %d#>46 short x \b.%d#>48 short x \b, rev %d#>50 short x \b.%d#>52 short x \b, proto %d#>54 short x \br%d#>168 string >\0 \b, copyright "%s" #------------------------------------------------------------------------------# $File: gimp,v 1.10 2019/10/15 18:19:40 christos Exp $# GIMP Gradient: file(1) magic for the GIMP's gradient data files (.ggr)# by Federico Mena <federico@nuclecu.unam.mx> 0 string/t GIMP\ Gradient GIMP gradient data#!:mime text/plain!:mime text/x-gimp-ggr!:ext ggr # GIMP palette (.gpl)# From: Markus Heidelberg <markus.heidelberg@web.de>0 string/t GIMP\ Palette GIMP palette data# URL: https://docs.gimp.org/en/gimp-concepts-palettes.html# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Palette#!:mime text/plain!:mime text/x-gimp-gpl!:ext gpl 
#------------------------------------------------------------------------------# XCF: file(1) magic for the XCF image format used in the GIMP (.xcf) developed# by Spencer Kimball and Peter Mattis# ('Bucky' LaDieu, nega@vt.edu) # URL: https://en.wikipedia.org/wiki/XCF_(file_format)# Reference: https://gitlab.gnome.org/GNOME/gimp/blob/master/devel-docs/xcf.txt0 string gimp\ xcf GIMP XCF image data,!:mime image/x-xcf!:ext xcf>9 string file version 0,>9 string v version>>10 string >\0 %s,>14 belong x %u x>18 belong x %u,>22 belong 0 RGB Color>22 belong 1 Greyscale>22 belong 2 Indexed Color>22 belong >2 Unknown Image Type. #------------------------------------------------------------------------------# XCF: file(1) magic for the patterns used in the GIMP (.pat), developed# by Spencer Kimball and Peter Mattis# ('Bucky' LaDieu, nega@vt.edu) # Reference: http://fileformats.archiveteam.org/wiki/GIMP_Pattern20 string GPAT GIMP pattern data,>24 string x %s!:mime image/x-gimp-pat!:ext pat #------------------------------------------------------------------------------# XCF: file(1) magic for the brushes used in the GIMP (.gbr), developed# by Spencer Kimball and Peter Mattis# ('Bucky' LaDieu, nega@vt.edu) 20 string GIMP GIMP brush data# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Brush!:mime image/x-gimp-gbr# some sources also list gpb!:ext gbr # From: Joerg Jenderek# URL: https://docs.gimp.org/en/gimp-using-animated-brushes.html# Reference: http://fileformats.archiveteam.org/wiki/GIMP_Animated_Brush# share\gimp\2.0\brushes\Legacy\confetti.gih0 search/21/b \040ncells: GIMP animated brush data!:mime image/x-gimp-gih!:ext gih # GIMP Curves File# From: "Nelson A. 
de Oliveira" <naoliv@gmail.com>0 string #\040GIMP\040Curves\040File GIMP curve file#!:mime text/plain!:mime text/x-gimp-curve!:ext /txt #------------------------------------------------------------------------------# $File: git,v 1.1 2019/10/04 18:46:29 christos Exp $# git: file(1) magic for Git objects 0 string blob\040>5 regex [0-9]+ Git blob %s 0 string tree\040>5 regex [0-9]+ Git tree %s 0 string commit\040>7 regex [0-9]+ Git commit %s #------------------------------------------------------------------------------# $File: glibc,v 1.1 2018/10/11 15:35:43 christos Exp $# glibc locale files## https://sourceware.org/git/?p=glibc.git;f=locale/localeinfo.h;h=68822a63#l32 0 belong 0x20070920 glibc locale file LC_CTYPE0 belong 0x14110320 glibc locale file LC_NUMERIC0 belong 0x17110320 glibc locale file LC_TIME0 belong 0x17100520 glibc locale file LC_COLLATE0 belong 0x11110320 glibc locale file LC_MONETARY0 belong 0x10110320 glibc locale file LC_MESSAGES0 belong 0x13110320 glibc locale file LC_ALL0 belong 0x12110320 glibc locale file LC_PAPER0 belong 0x1d110320 glibc locale file LC_NAME0 belong 0x1c110320 glibc locale file LC_ADDRESS0 belong 0x1f110320 glibc locale file LC_TELEPHONE0 belong 0x1e110320 glibc locale file LC_MEASUREMENT0 belong 0x19110320 glibc locale file LC_IDENTIFICATION #------------------------------------------------------------------------------# $File: gnome,v 1.6 2019/04/19 00:42:27 christos Exp $# GNOME related files # Contributed by Josh Triplett# FIXME: Could be simplified if pstring supported two-byte counts0 string GnomeKeyring\n\r\0\n GNOME keyring>&0 ubyte 0 \b, major version 0>>&0 ubyte 0 \b, minor version 0>>>&0 ubyte 0 \b, crypto type 0 (AES)>>>&0 ubyte >0 \b, crypto type %u (unknown)>>>&1 ubyte 0 \b, hash type 0 (MD5)>>>&1 ubyte >0 \b, hash type %u (unknown)>>>&2 ubelong 0xFFFFFFFF \b, name NULL>>>&2 ubelong !0xFFFFFFFF>>>>&-4 ubelong >255 \b, name too long for file's pstring type>>>>&-4 ubelong <256>>>>>&-1 pstring x \b, name 
"%s">>>>>>&0 ubeqdate x \b, last modified %s>>>>>>&8 ubeqdate x \b, created %s>>>>>>&16 ubelong &1>>>>>>>&0 ubelong x \b, locked if idle for %u seconds>>>>>>&16 ubelong ^1 \b, not locked if idle>>>>>>&24 ubelong x \b, hash iterations %u>>>>>>&28 ubequad x \b, salt %llu>>>>>>&52 ubelong x \b, %u item(s) # From: Alex Beregszaszi <alex@fsn.hu>4 string gtktalog GNOME Catalogue (gtktalog)>13 string >\0 version %s # Summary: GStreamer binary registry# Extension: .bin# Submitted by: Josh Triplett <josh@joshtriplett.org>0 belong 0xc0def00d GStreamer binary registry>4 string x \b, version %s # GVariant Database file# By Elan Ruusamae <glen@delfi.ee># https://github.com/GNOME/gvdb/blob/master/gvdb-format.h# It's always "GVariant", it's byte swapped on incompatible archs# See https://github.com/GNOME/gvdb/blob/master/gvdb-builder.c# file_builder_serialise()# https://developer.gnome.org/glib/2.34/glib-GVariant.html#GVariant0 string GVariant GVariant Database file,# version is never filled. probably future extension>8 lelong x version %d# not sure are these usable, so commented out#>>16 lelong x start %d,#>>>20 lelong x end %d # G-IR database made by gobject-introspect toolset,# https://live.gnome.org/GObjectIntrospection0 string GOBJ\nMETADATA\r\n\032 G-IR binary database>16 byte x \b, v%d>17 byte x \b.%d>20 leshort x \b, %d entries>22 leshort x \b/%d local #------------------------------------------------------------------------------# $File: gnu,v 1.22 2020/04/09 19:11:58 christos Exp $# gnu: file(1) magic for various GNU tools## GNU nlsutils message catalog file format## GNU message catalog (.mo and .gmo files) # Update: Joerg Jenderek# URL: https://www.gnu.org/software/gettext/manual/html_node/MO-Files.html# Reference: ftp://ftp.gnu.org/pub/gnu/gettext/gettext-0.19.8.tar.gz/# gettext-0.19.8.1/gettext-runtime/intl/gmo.h# Note: maybe call it like "GNU translation gettext machine object"0 string \336\22\4\225 GNU message catalog (little endian),#0 ulelong 0x950412DE 
GNU-format message catalog data# TODO: write lines in such a way that code can also be called for big endian variant#>0 use gettext-object#0 name gettext-object>4 ulelong x revision!:mime application/x-gettext-translation# mo extension is also used for Easeus Partition Master PE32 executable module# like ConvertFatToNTFS.mo!:ext gmo/mo# only found three revision combinations 0.0 0.1 1.1 as unsigned 32-bit# major revision>4 ulelong/0xFFff x %u.# minor revision>4 ulelong&0x0000FFff x \b%u>>8 ulelong x \b, %u message# plural s>>8 ulelong >1 \bs# size of hashing table#>20 ulelong x \b, %u hash#>20 ulelong >1 \bes#>24 ulelong x at 0x%x# for revsion x.0 offset of table with originals is 1Ch if directly after header>4 ulelong&0x0000FFff =0>>12 ulelong !0x1C \b, at 0x%x string table# but for x.1 table offset i found is 30h. That means directly after bigger header>4 ulelong&0x0000FFff >0>>12 ulelong !0x30 \b, at 0x%x string table# The following variables are only used in .mo files with minor revision >= 1# number of system dependent segments#>>28 ulelong x \b, %u segment#>>28 ulelong >1 \bs# offset of table describing system dependent segments#>>32 ulelong x at 0x%x# number of system dependent strings pairs>>36 ulelong x \b, %u sysdep message>>36 ulelong >1 \bs# offset of table with start offsets of original sysdep strings#>>40 ulelong x \b, at 0x%x sysdep strings# offset of table with start offsets of translated sysdep strings#>>44 ulelong x \b, at 0x%x sysdep translations# >>(44.l) ulelong x 0x%x chars# >>>&0 ulelong x at 0x%x# >>>>(&-4) string x "%s"# string table after big header#>>48 ubequad x \b, string table 0x%llx## 0th string length seems to be always 0#>(12.l) ulelong x \b, %u chars#>>&0 ulelong x at 0x%x# if 1st string length positiv inspect offset and string#>(12.l+8) ulelong >0 \b, %u chars#>>&0 ulelong x at 0x%x# if 2nd string length positiv inspect offset and string# >(12.l+16) ulelong >0 \b, %u chars# >>&0 ulelong x at 0x%x# skip newline byte#>>>(&-4) ubyte 
=0x0A#>>>>&0 string x "%s"#>>>(&-4) ubyte !0x0A#>>>>&-1 string x '%s'# offset of table with translation strings#>16 ulelong x \b, at 0x%x translation table# check translation 0 length and offset>(16.l) ulelong >0>>&0 ulelong x# translation 0 seems to be often Project-Id with name and version>>>(&-4) string x \b, %s# trans. 1 with bytes >= 1 unlike icoutils-0.31.0\po\en@boldquot.gmo with 1 NL>(16.l+8) ulelong >1>>&0 ulelong x>>>(&-4) ubyte !0x0A>>>>&-1 string x '%s'# 1 New Line like in tar-1.29\po\de.gmo>>>(&-4) ubyte =0x0A>>>>&0 ubyte !0x0A>>>>>&-1 string x '%s'# 2nd New Line like in parted-3.1\po\de.gmo>>>>&0 ubyte =0x0A>>>>>&0 string x '%s' 0 string \225\4\22\336 GNU message catalog (big endian),#0 ubelong 0x950412DE GNU-format message catalog data!:mime application/x-gettext-translation!:ext gmo/mo# TODO: for big endian use same code as for little endian#>0 use \^gettext-object# DEBUG code#>16 ubelong x \b, at 0x%x translation table#>(16.L) ubelong x 0x%x chars#>>&0 ubelong x at 0x%x# unexpected value HERE!#>>>(&-4) ubequad x 0x%llx#>4 beshort x revision %d.>6 beshort >0 \b%d,>>8 belong x %d messages,>>36 belong x %d sysdep messages>6 beshort =0 \b%d,>>8 belong x %d messages # GnuPG# The format is very similar to pgp0 string \001gpg GPG key trust database>4 byte x version %d# Note: magic.mime had 0x8501 for the next line instead of 0x85020 beshort 0x8502 GPG encrypted data!:mime text/PGP # encoding: data # Update: Joerg Jenderek# Note: PGP and GPG use same data structure.# So recognition is now done by ./pgp with start test for byte 0x99# This magic is not particularly good, as the keyrings don't have true# magic. 
Nevertheless, it covers many keyrings.# 0 ubeshort-0x9901 <2# >3 byte 4# >>4 bedate x GPG key public ring, created %s# !:mime application/x-gnupg-keyring # Symmetric encryption0 leshort 0x0d8c>4 leshort 0x0203>>2 leshort 0x0204 GPG symmetrically encrypted data (3DES cipher)>>2 leshort 0x0304 GPG symmetrically encrypted data (CAST5 cipher)>>2 leshort 0x0404 GPG symmetrically encrypted data (BLOWFISH cipher)>>2 leshort 0x0704 GPG symmetrically encrypted data (AES cipher)>>2 leshort 0x0804 GPG symmetrically encrypted data (AES192 cipher)>>2 leshort 0x0904 GPG symmetrically encrypted data (AES256 cipher)>>2 leshort 0x0a04 GPG symmetrically encrypted data (TWOFISH cipher)>>2 leshort 0x0b04 GPG symmetrically encrypted data (CAMELLIA128 cipher)>>2 leshort 0x0c04 GPG symmetrically encrypted data (CAMELLIA192 cipher)>>2 leshort 0x0d04 GPG symmetrically encrypted data (CAMELLIA256 cipher) # GnuPG Keybox file# <https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=kbx/keybox-blob.c;hb=HEAD># From: Philipp Hahn <hahn@univention.de>0 belong 32>4 byte 1>>8 string KBXf GPG keybox database>>>5 byte 1 version %d>>>16 bedate x \b, created-at %s>>>20 bedate x \b, last-maintained %s # From: James Youngman <jay@gnu.org># gnu find magic0 string \0LOCATE GNU findutils locate database data>7 string >\0 \b, format %s>7 string 02 \b (frcode) # Files produced by GNU gettext # gettext message catalogue0 search/1024 \nmsgid>&0 search/1024 \nmsgstr GNU gettext message catalogue text!:strength +100!:mime text/x-po #------------------------------------------------------------------------------# $File: gnumeric,v 1.4 2009/09/19 16:28:09 christos Exp $# gnumeric: file(1) magic for Gnumeric spreadsheet# This entry is only semi-helpful, as Gnumeric compresses its files, so# they will ordinarily reported as "compressed", but at least -z helps39 string =<gmr:Workbook Gnumeric spreadsheet!:mime application/x-gnumeric 
#------------------------------------------------------------------------------
# $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $
#
# GPT Partition table patterns.
# Author: Rogier Goossens (goossens.rogier@gmail.com)
# Note that a GPT-formatted disk must contain an MBR as well.
#

# The initial segment (up to >>>>>>>>422) was copied from the X86
# partition table code (aka MBR).
# This is kept separate, so that MBR partitions are not reported as well.
# (use -k if you do want them as well)

# First, detect the MBR partition table
# If more than one GPT protective MBR partition exists, don't print anything
# (the other MBR detection code will then just print the MBR partition table)
0x1FE leshort 0xAA55
>3 string !MS
>>3 string !SYSLINUX
>>>3 string !MTOOL
>>>>3 string !NEWLDR
>>>>>5 string !DOS
# not FAT (32 bit)
>>>>>>82 string !FAT32
#not Linux kernel
>>>>>>>514 string !HdrS
#not BeOS
>>>>>>>>422 string !Be\ Boot\ Loader
# GPT with protective MBR entry in partition 1 (only)
>>>>>>>>>450 ubyte 0xee
>>>>>>>>>>466 ubyte !0xee
>>>>>>>>>>>482 ubyte !0xee
>>>>>>>>>>>>498 ubyte !0xee
#>>>>>>>>>>>>>446 use gpt-mbr-partition
>>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(454.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes
>>>>>>>>>>>>>>(454.l*4096) string !EFI\ PART
>>>>>>>>>>>>>>>(454.l*2048) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes
>>>>>>>>>>>>>>>(454.l*2048) string !EFI\ PART
>>>>>>>>>>>>>>>>(454.l*1024) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes
>>>>>>>>>>>>>>>>(454.l*1024) string !EFI\ PART
>>>>>>>>>>>>>>>>>(454.l*512) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes
# GPT with protective MBR entry in partition 2 (only)
>>>>>>>>>450 ubyte !0xee
>>>>>>>>>>466 ubyte 0xee
>>>>>>>>>>>482 ubyte !0xee
>>>>>>>>>>>>498 ubyte !0xee
#>>>>>>>>>>>>>462 use gpt-mbr-partition
>>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(470.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes
>>>>>>>>>>>>>>(470.l*4096) string !EFI\ PART
>>>>>>>>>>>>>>>(470.l*2048) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes
>>>>>>>>>>>>>>>(470.l*2048) string !EFI\ PART
>>>>>>>>>>>>>>>>(470.l*1024) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes
>>>>>>>>>>>>>>>>(470.l*1024) string !EFI\ PART
>>>>>>>>>>>>>>>>>(470.l*512) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes
# GPT with protective MBR entry in partition 3 (only)
>>>>>>>>>450 ubyte !0xee
>>>>>>>>>>466 ubyte !0xee
>>>>>>>>>>>482 ubyte 0xee
>>>>>>>>>>>>498 ubyte !0xee
#>>>>>>>>>>>>>478 use gpt-mbr-partition
>>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(486.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes
>>>>>>>>>>>>>>(486.l*4096) string !EFI\ PART
>>>>>>>>>>>>>>>(486.l*2048) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes
>>>>>>>>>>>>>>>(486.l*2048) string !EFI\ PART
>>>>>>>>>>>>>>>>(486.l*1024) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes
>>>>>>>>>>>>>>>>(486.l*1024) string !EFI\ PART
>>>>>>>>>>>>>>>>>(486.l*512) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes
# GPT with protective MBR entry in partition 4 (only)
>>>>>>>>>450 ubyte !0xee
>>>>>>>>>>466 ubyte !0xee
>>>>>>>>>>>482 ubyte !0xee
>>>>>>>>>>>>498 ubyte 0xee
#>>>>>>>>>>>>>494 use gpt-mbr-partition
>>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(502.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>0 ubyte x of 4096 bytes
>>>>>>>>>>>>>>(502.l*4096) string !EFI\ PART
>>>>>>>>>>>>>>>(502.l*2048) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>0 ubyte x of 2048 bytes
>>>>>>>>>>>>>>>(502.l*2048) string !EFI\ PART
>>>>>>>>>>>>>>>>(502.l*1024) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>0 ubyte x of 1024 bytes
>>>>>>>>>>>>>>>>(502.l*1024) string !EFI\ PART
>>>>>>>>>>>>>>>>>(502.l*512) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>>>>>&-8 use gpt-table
>>>>>>>>>>>>>>>>>>0 ubyte x of 512 bytes

# The following code does GPT detection and processing, including
# sector size detection.
# It has to be duplicated above because the top-level pattern
# (i.e.
# not called using 'use') must print *something* for file
# to count it as a match. Text only printed in named patterns is
# not counted, and causes file to continue, and try and match
# other patterns.
#
# Unfortunately, when assuming sector sizes >=16k, if the sector size
# happens to be 512 instead, we may find confusing data after the GPT
# table... If the GPT table has less than 128 entries, this may even
# happen for assumed sector sizes as small as 4k
# This could be solved by checking for the presence of the backup GPT
# header as well, but that makes the logic extremely complex
##0 name gpt-mbr-partition
##>(8.l*8192) string EFI\ PART
##>>(8.l*8192) use gpt-mbr-type
##>>&-8 use gpt-table
##>>0 ubyte x of 8192 bytes
##>(8.l*8192) string !EFI\ PART
##>>(8.l*4096) string EFI\ PART GPT partition table
##>>>0 use gpt-mbr-type
##>>>&-8 use gpt-table
##>>>0 ubyte x of 4096 bytes
##>>(8.l*4096) string !EFI\ PART
##>>>(8.l*2048) string EFI\ PART GPT partition table
##>>>>0 use gpt-mbr-type
##>>>>&-8 use gpt-table
##>>>>0 ubyte x of 2048 bytes
##>>>(8.l*2048) string !EFI\ PART
##>>>>(8.l*1024) string EFI\ PART GPT partition table
##>>>>>0 use gpt-mbr-type
##>>>>>&-8 use gpt-table
##>>>>>0 ubyte x of 1024 bytes
##>>>>(8.l*1024) string !EFI\ PART
##>>>>>(8.l*512) string EFI\ PART GPT partition table
##>>>>>>0 use gpt-mbr-type
##>>>>>>&-8 use gpt-table
##>>>>>>0 ubyte x of 512 bytes

# Print details of MBR type for a GPT-disk
# Calling code ensures that there is only one 0xee partition.
0 name gpt-mbr-type
# GPT with protective MBR entry in partition 1
>450 ubyte 0xee
>>454 ulelong 1
>>>462 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>454 ulelong !1 \b (nonstandard: not at LBA 1)
# GPT with protective MBR entry in partition 2
>466 ubyte 0xee
>>470 ulelong 1
>>>478 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>>478 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>470 ulelong !1 \b (nonstandard: not at LBA 1)
# GPT with protective MBR entry in partition 3
>482 ubyte 0xee
>>486 ulelong 1
>>>494 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>>494 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>486 ulelong !1 \b (nonstandard: not at LBA 1)
# GPT with protective MBR entry in partition 4
>498 ubyte 0xee
>>502 ulelong 1
>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>502 ulelong !1 \b (nonstandard: not at LBA 1)

# Print the information from a GPT partition table structure
0 name gpt-table
>10 uleshort x \b, version %u
>8 uleshort x \b.%u
>56 ulelong x \b, GUID: %08x
>60 uleshort x \b-%04x
>62 uleshort x \b-%04x
>64 ubeshort x \b-%04x
>66 ubeshort x \b-%04x
>68 ubelong x \b%08x
#>80 uleshort x \b, %d partition entries
>32 ulequad+1 x \b, disk size: %lld sectors

# In case a GPT data-structure is at LBA 0, report it as well
# This covers systems which are not GPT-aware, and which show
# and allow access to the protective partition.
# This code will
# detect the contents of such a partition.
0 string EFI\ PART GPT data structure (nonstandard: at LBA 0)
>0 use gpt-table
>0 ubyte x (sector size unknown)

#------------------------------------------------------------------------------
# $File: gpu,v 1.2 2017/03/23 22:11:53 christos Exp $
# gpu: file(1) magic for GPU input files

# Standard Portable Intermediate Representation (SPIR)
# Documentation: https://www.khronos.org/spir
# Typical file extension: .spv

0 belong 0x07230203 Khronos SPIR-V binary, big-endian
>4 belong x \b, version 0x%08x
>8 belong x \b, generator 0x%08x

0 lelong 0x07230203 Khronos SPIR-V binary, little-endian
>4 lelong x \b, version 0x%08x
>8 lelong x \b, generator 0x%08x

# Vulkan Trace file
# Documentation:
# https://github.com/LunarG/VulkanTools/blob/master/vktrace/vktrace_common/\
# vktrace_trace_packet_identifiers.h
# Typical file extension: .vktrace

8 lequad 0xABADD068ADEAFD0C Vulkan trace file, little-endian
>0 leshort x \b, version %d

8 bequad 0xABADD068ADEAFD0C Vulkan trace file, big-endian
>0 beshort x \b, version %d

#------------------------------------------------------------------------------
# $File: grace,v 1.4 2009/09/19 16:28:09 christos Exp $
# ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE
#
# ACE/gr binary
0 string \000\000\0001\000\000\0000\000\000\0000\000\000\0002\000\000\0000\000\000\0000\000\000\0003 old ACE/gr binary file
>39 byte >0 - version %c
# ACE/gr ascii
0 string #\ xvgr\ parameter\ file ACE/gr ascii file
0 string #\ xmgr\ parameter\ file ACE/gr ascii file
0 string #\ ACE/gr\ parameter\ file ACE/gr ascii file
# Grace projects
0 string #\ Grace\ project\ file Grace project file
>23 string @version\ (version
>>32 byte >0 %c
>>33 string >\0 \b.%.2s
>>35 string >\0 \b.%.2s)
# ACE/gr fit description files
0 string #\ ACE/gr\ fit\ description\ ACE/gr fit description file
# end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE

#------------------------------------------------------------------------------
# $File: graphviz,v 1.9 2019/04/30 04:01:40 christos Exp $
# graphviz: file(1) magic for https://www.graphviz.org/

# FIXME: These patterns match too generally. For example, the first
# line matches a LaTeX file containing the word "graph" (with a {
# following later) and the second line matches this file.
#0 regex/100l [\r\n\t\ ]*graph[\r\n\t\ ]+.*\\{ graphviz graph text
#!:mime text/vnd.graphviz
#0 regex/100l [\r\n\t\ ]*digraph[\r\n\t\ ]+.*\\{ graphviz digraph text
#!:mime text/vnd.graphviz

#------------------------------------------------------------------------------
# $File: gringotts,v 1.6 2017/03/17 21:35:28 christos Exp $
# gringotts: file(1) magic for Gringotts
# http://devel.pluto.linux.it/projects/Gringotts/
# author: Germano Rizzo <mano@pluto.linux.it>
#GRG3????Y
0 string GRG Gringotts data file
#file format 1
>3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9
#file format 2
>3 string 2 v.2, MCRYPT S2K,
>>8 byte&0x70 0x00 RIJNDAEL-128 crypt,
>>8 byte&0x70 0x10 SERPENT crypt,
>>8 byte&0x70 0x20 TWOFISH crypt,
>>8 byte&0x70 0x30 CAST-256 crypt,
>>8 byte&0x70 0x40 SAFER+ crypt,
>>8 byte&0x70 0x50 LOKI97 crypt,
>>8 byte&0x70 0x60 3DES crypt,
>>8 byte&0x70 0x70 RIJNDAEL-256 crypt,
>>8 byte&0x08 0x00 SHA1 hash,
>>8 byte&0x08 0x08 RIPEMD-160 hash,
>>8 byte&0x04 0x00 ZLib
>>8 byte&0x04 0x04 BZip2
>>8 byte&0x03 0x00 lvl.0
>>8 byte&0x03 0x01 lvl.3
>>8 byte&0x03 0x02 lvl.6
>>8 byte&0x03 0x03 lvl.9
#file format 3
>3 string 3 v.3, OpenPGP S2K,
>>8 byte&0x70 0x00 RIJNDAEL-128 crypt,
>>8 byte&0x70 0x10 SERPENT crypt,
>>8 byte&0x70 0x20 TWOFISH crypt,
>>8 byte&0x70 0x30 CAST-256 crypt,
>>8 byte&0x70 0x40 SAFER+ crypt,
>>8 byte&0x70 0x50 LOKI97 crypt,
>>8 byte&0x70 0x60 3DES crypt,
>>8 byte&0x70 0x70 RIJNDAEL-256 crypt,
>>8 byte&0x08 0x00 SHA1 hash,
>>8 byte&0x08 0x08 RIPEMD-160 hash,
>>8 byte&0x04 0x00 ZLib
>>8 byte&0x04 0x04 BZip2
>>8 byte&0x03 0x00 lvl.0
>>8 byte&0x03 0x01 lvl.3
>>8 byte&0x03 0x02 lvl.6
>>8 byte&0x03 0x03 lvl.9
#file format >3
>3 string >3 v.%.1s (unknown details)

#------------------------------------------------------------------------------
# $File: guile,v 1.2 2019/04/19 00:42:27 christos Exp $
# Guile file magic from <dalepsmith@gmail.com>
# https://www.gnu.org/s/guile/
# https://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250

0 string GOOF---- Guile Object
>8 string LE \b, little endian
>8 string BE \b, big endian
>11 string 4 \b, 32bit
>11 string 8 \b, 64bit
>13 regex .\.. \b, bytecode v%s

#------------------------------------------------------------------------------
# $File: hardware,v 1.1 2018/08/02 06:32:52 christos Exp $
# hardware magic

# EDID
# https://en.wikipedia.org/wiki/Extended_Display_Identification_Data
0 string \x00\xFF\xFF\xFF\xFF\xFF\xFF\x00
>19 byte x
>>18 byte x EDID data, version %u.
>>19 byte x \b%u
#>>17 ubyte+1990 <255 \b, manufactured %u

#------------------------------------------------------------------------------
# $File: hitachi-sh,v 1.9 2018/08/21 12:48:41 christos Exp $
# hitachi-sh: file(1) magic for Hitachi Super-H
#
# Super-H COFF
#
# updated by Joerg Jenderek at Oct 2015
# https://en.wikipedia.org/wiki/COFF
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# below test line conflicts with 2nd NTFS filesystem sector
# 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR
# and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/)
0 beshort 0x0500
# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,0x0080) in f_flags
>18 ubeshort&0x8E80 0
# use big endian variant of subroutine to display name+variables+flags
# for common object formatted files
>>0 use \^display-coff
!:strength -10

0 leshort 0x0550
# test for unused flag bits in f_flags
>18 uleshort&0x8E80 0
# use little endian variant of subroutine to
# display name+variables+flags for common object formatted files
>>0 use display-coff
!:strength -10

#------------------------------------------------------------------------------
# $File: hp,v 1.25 2019/01/13 00:32:38 christos Exp $
# hp: file(1) magic for Hewlett Packard machines (see also "printer")
#
# XXX - somebody should figure out whether any byte order needs to be
# applied to the "TML" stuff; I'm assuming the Apollo stuff is
# big-endian as it was mostly 68K-based.
#
# I think the 500 series was the old stack-based machines, running a
# UNIX environment atop the "SUN kernel"; dunno whether it was
# big-endian or little-endian.
#
# Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based;
# hp300 are 68020+68881 based; hp400 are also 68k. The following basic
# HP magic is useful for reference, but using "long" magic is a better
# practice in order to avoid collisions.
#
# Guy Harris (guy@netapp.com): some additions to this list came from
# HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1,
# 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0
# "/etc/magic", though, except for the "archive file relocatable library"
# stuff, and the 68030 and 68040 stuff isn't there at all - are they not
# used in executables, or have they just not yet updated "/etc/magic"
# completely?
#
# 0 beshort 200 hp200 (68010) BSD binary
# 0 beshort 300 hp300 (68020+68881) BSD binary
# 0 beshort 0x20c hp200/300 HP-UX binary
# 0 beshort 0x20d hp400 (68030) HP-UX binary
# 0 beshort 0x20e hp400 (68040?) HP-UX binary
# 0 beshort 0x20b PA-RISC1.0 HP-UX binary
# 0 beshort 0x210 PA-RISC1.1 HP-UX binary
# 0 beshort 0x211 PA-RISC1.2 HP-UX binary
# 0 beshort 0x214 PA-RISC2.0 HP-UX binary

#
# The "misc" stuff needs a byte order; the archives look suspiciously
# like the old 177545 archives (0xff65 = 0177545).
#
#### Old Apollo stuff
0 beshort 0627 Apollo m68k COFF executable
>18 beshort ^040000 not stripped
>22 beshort >0 - version %d
0 beshort 0624 apollo a88k COFF executable
>18 beshort ^040000 not stripped
>22 beshort >0 - version %d
0 long 01203604016 TML 0123 byte-order format
0 long 01702407010 TML 1032 byte-order format
0 long 01003405017 TML 2301 byte-order format
0 long 01602007412 TML 3210 byte-order format
#### PA-RISC 1.1
0 belong 0x02100106 PA-RISC1.1 relocatable object
0 belong 0x02100107 PA-RISC1.1 executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x02100108 PA-RISC1.1 shared executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x0210010b PA-RISC1.1 demand-load executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x0210010e PA-RISC1.1 shared library
>96 belong >0 - not stripped

0 belong 0x0210010d PA-RISC1.1 dynamic load library
>96 belong >0 - not stripped

#### PA-RISC 2.0
0 belong 0x02140106 PA-RISC2.0 relocatable object

0 belong 0x02140107 PA-RISC2.0 executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x02140108 PA-RISC2.0 shared executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x0214010b PA-RISC2.0 demand-load executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x0214010e PA-RISC2.0 shared library
>96 belong >0 - not stripped

0 belong 0x0214010d PA-RISC2.0 dynamic load library
>96 belong >0 - not stripped

#### 800
0 belong 0x020b0106 PA-RISC1.0 relocatable object

0 belong 0x020b0107 PA-RISC1.0 executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x020b0108 PA-RISC1.0 shared executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x020b010b PA-RISC1.0 demand-load executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped

0 belong 0x020b010e PA-RISC1.0 shared library
>96 belong >0 - not stripped

0 belong 0x020b010d PA-RISC1.0 dynamic load library
>96 belong >0 - not stripped

#### 500
0 long 0x02080106 HP s500 relocatable executable
>16 long >0 - version %d

0 long 0x02080107 HP s500 executable
>16 long >0 - version %d

0 long 0x02080108 HP s500 pure executable
>16 long >0 - version %d

#### 200
0 belong 0x020c0108 HP s200 pure executable
>4 beshort >0 - version %d
>8 belong &0x80000000 save fp regs
>8 belong &0x40000000 dynamically linked
>8 belong &0x20000000 debuggable
>36 belong >0 not stripped

0 belong 0x020c0107 HP s200 executable
>4 beshort >0 - version %d
>8 belong &0x80000000 save fp regs
>8 belong &0x40000000 dynamically linked
>8 belong &0x20000000 debuggable
>36 belong >0 not stripped

0 belong 0x020c010b HP s200 demand-load executable
>4 beshort >0 - version %d
>8 belong &0x80000000 save fp regs
>8 belong &0x40000000 dynamically linked
>8 belong &0x20000000 debuggable
>36 belong >0 not stripped

0 belong 0x020c0106 HP s200 relocatable executable
>4 beshort >0 - version %d
>6 beshort >0 - highwater %d
>8 belong &0x80000000 save fp regs
>8 belong &0x20000000 debuggable
>8 belong &0x10000000 PIC

0 belong 0x020a0108 HP s200 (2.x release) pure executable
>4 beshort >0 - version %d
>36 belong >0 not stripped

0 belong 0x020a0107 HP s200 (2.x release) executable
>4 beshort >0 - version %d
>36 belong >0 not stripped

0 belong 0x020c010e HP s200 shared library
>4 beshort >0 - version %d
>6 beshort >0 - highwater %d
>36 belong >0 not stripped

0 belong 0x020c010d HP s200 dynamic load library
>4 beshort >0 - version %d
>6 beshort >0 - highwater %d
>36 belong >0 not stripped

#### MISC
0 long 0x0000ff65 HP old archive
0 long 0x020aff65 HP s200 old archive
0 long 0x020cff65 HP s200 old archive
0 long 0x0208ff65 HP s500 old archive

0 long 0x015821a6 HP core file

0 long 0x4da7eee8 HP-WINDOWS font
>8 byte >0 - version %d
0 string Bitmapfile HP Bitmapfile

0 string IMGfile CIS compimg HP Bitmapfile
# XXX - see "lif"
#0 short 0x8000 lif file
0 long 0x020c010c compiled Lisp

0 string msgcat01 HP NLS message catalog,
>8 long >0 %d messages

# Summary: HP-48/49 calculator
# Created by: phk@data.fls.dk
# Modified by (1): AMAKAWA Shuhei <sa264@cam.ac.uk>
# Modified by (2): Samuel Thibault <samuel.thibault@ens-lyon.org> (HP49 support)
0 string HPHP HP
>4 string 48 48 binary
>4 string 49 49 binary
>7 byte >64 - Rev %c
>8 leshort 0x2911 (ADR)
>8 leshort 0x2933 (REAL)
>8 leshort 0x2955 (LREAL)
>8 leshort 0x2977 (COMPLX)
>8 leshort 0x299d (LCOMPLX)
>8 leshort 0x29bf (CHAR)
>8 leshort 0x29e8 (ARRAY)
>8 leshort 0x2a0a (LNKARRAY)
>8 leshort 0x2a2c (STRING)
>8 leshort 0x2a4e (HXS)
>8 leshort 0x2a74 (LIST)
>8 leshort 0x2a96 (DIR)
>8 leshort 0x2ab8 (ALG)
>8 leshort 0x2ada (UNIT)
>8 leshort 0x2afc (TAGGED)
>8 leshort 0x2b1e (GROB)
>8 leshort 0x2b40 (LIB)
>8 leshort 0x2b62 (BACKUP)
>8 leshort 0x2b88 (LIBDATA)
>8 leshort 0x2d9d (PROG)
>8 leshort 0x2dcc (CODE)
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)

0 string %%HP: HP text
>6 string T(0) - T(0)
>6 string T(1) - T(1)
>6 string T(2) - T(2)
>6 string T(3) - T(3)
>10 string A(D) A(D)
>10 string A(R) A(R)
>10 string A(G) A(G)
>14 string F(.) F(.);
>14 string F(,) F(,);

# Summary: HP-38/39 calculator
# Created by: Samuel Thibault <samuel.thibault@ens-lyon.org>
0 string HP3
>3 string 8 HP 38
>3 string 9 HP 39
>4 string Bin binary
>4 string Asc ASCII
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
>7 string D (Program)
>7 string E (Variable)
>7 string F (List)
>7 string G (Matrix)
>7 string H (Library)
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)

# Summary: HP-38/39 calculator
# Created by: Samuel Thibault <samuel.thibault@ens-lyon.org>
0 string HP3
>3 string 8 HP 38
>3 string 9 HP 39
>4 string Bin binary
>4 string Asc ASCII
>7 string A (Directory List)
>7 string B (Zaplet)
>7 string C (Note)
>7 string D (Program)
>7 string E (Variable)
>7 string F (List)
>7 string G (Matrix)
>7 string H (Library)
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)

# hpBSD magic numbers
0 beshort 200 hp200 (68010) BSD
>2 beshort 0407 impure binary
>2 beshort 0410 read-only binary
>2 beshort 0413 demand paged binary
0 beshort 300 hp300 (68020+68881) BSD
>2 beshort 0407 impure binary
>2 beshort 0410 read-only binary
>2 beshort 0413 demand paged binary
#
# From David Gero <dgero@nortelnetworks.com>
# HP-UX 10.20 core file format from /usr/include/sys/core.h
# Unfortunately, HP-UX uses corehead blocks without specifying the order
# There are four we care about:
# CORE_KERNEL, which starts with the string "HP-UX"
# CORE_EXEC, which contains the name of the command
# CORE_PROC, which contains the signal number that caused the core dump
# CORE_FORMAT, which contains the version of the core file format (== 1)
# The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC
# but we include all 6 variations of the order of the first 3, and
# assume that PROC will always be last
# Order 1: KERNEL, EXEC, FORMAT, PROC
0x10 string HP-UX
>0 belong 2
>>0xC belong 0x3C
>>>0x4C belong 0x100
>>>>0x58 belong 0x44
>>>>>0xA0 belong 1
>>>>>>0xAC belong 4
>>>>>>>0xB0 belong 1
>>>>>>>>0xB4 belong 4 core file
>>>>>>>>>0x90 string >\0 from '%s'
>>>>>>>>>0xC4 belong 3 - received SIGQUIT
>>>>>>>>>0xC4 belong 4 - received SIGILL
>>>>>>>>>0xC4 belong 5 - received SIGTRAP
>>>>>>>>>0xC4 belong 6 - received SIGABRT
>>>>>>>>>0xC4 belong 7 - received SIGEMT
>>>>>>>>>0xC4 belong 8 - received SIGFPE
>>>>>>>>>0xC4 belong 10 - received SIGBUS
>>>>>>>>>0xC4 belong 11 - received SIGSEGV
>>>>>>>>>0xC4 belong 12 - received SIGSYS
>>>>>>>>>0xC4 belong 33 - received SIGXCPU
>>>>>>>>>0xC4 belong 34 - received SIGXFSZ
# Order 2: KERNEL, FORMAT, EXEC, PROC
>>>0x4C belong 1
>>>>0x58 belong 4
>>>>>0x5C belong 1
>>>>>>0x60 belong 0x100
>>>>>>>0x6C belong 0x44
>>>>>>>>0xB4 belong 4 core file
>>>>>>>>>0xA4 string >\0 from '%s'
>>>>>>>>>0xC4 belong 3 - received SIGQUIT
>>>>>>>>>0xC4 belong 4 - received SIGILL
>>>>>>>>>0xC4 belong 5 - received SIGTRAP
>>>>>>>>>0xC4 belong 6 - received SIGABRT
>>>>>>>>>0xC4 belong 7 - received SIGEMT
>>>>>>>>>0xC4 belong 8 - received SIGFPE
>>>>>>>>>0xC4 belong 10 - received SIGBUS
>>>>>>>>>0xC4 belong 11 - received SIGSEGV
>>>>>>>>>0xC4 belong 12 - received SIGSYS
>>>>>>>>>0xC4 belong 33 - received SIGXCPU
>>>>>>>>>0xC4 belong 34 - received SIGXFSZ
# Order 3: FORMAT, KERNEL, EXEC, PROC
0x24 string HP-UX
>0 belong 1
>>0xC belong 4
>>>0x10 belong 1
>>>>0x14 belong 2
>>>>>0x20 belong 0x3C
>>>>>>0x60 belong 0x100
>>>>>>>0x6C belong 0x44
>>>>>>>>0xB4 belong 4 core file
>>>>>>>>>0xA4 string >\0 from '%s'
>>>>>>>>>0xC4 belong 3 - received SIGQUIT
>>>>>>>>>0xC4 belong 4 - received SIGILL
>>>>>>>>>0xC4 belong 5 - received SIGTRAP
>>>>>>>>>0xC4 belong 6 - received SIGABRT
>>>>>>>>>0xC4 belong 7 - received SIGEMT
>>>>>>>>>0xC4 belong 8 - received SIGFPE
>>>>>>>>>0xC4 belong 10 - received SIGBUS
>>>>>>>>>0xC4 belong 11 - received SIGSEGV
>>>>>>>>>0xC4 belong 12 - received SIGSYS
>>>>>>>>>0xC4 belong 33 - received SIGXCPU
>>>>>>>>>0xC4 belong 34 - received SIGXFSZ
# Order 4: EXEC, KERNEL, FORMAT, PROC
0x64 string HP-UX
>0 belong 0x100
>>0xC belong 0x44
>>>0x54 belong 2
>>>>0x60 belong 0x3C
>>>>>0xA0 belong 1
>>>>>>0xAC belong 4
>>>>>>>0xB0 belong 1
>>>>>>>>0xB4 belong 4 core file
>>>>>>>>>0x44 string >\0 from '%s'
>>>>>>>>>0xC4 belong 3 - received SIGQUIT
>>>>>>>>>0xC4 belong 4 - received SIGILL
>>>>>>>>>0xC4 belong 5 - received SIGTRAP
>>>>>>>>>0xC4 belong 6 - received SIGABRT
>>>>>>>>>0xC4 belong 7 - received SIGEMT
>>>>>>>>>0xC4 belong 8 - received SIGFPE
>>>>>>>>>0xC4 belong 10 - received SIGBUS
>>>>>>>>>0xC4 belong 11 - received SIGSEGV
>>>>>>>>>0xC4 belong 12 - received SIGSYS
>>>>>>>>>0xC4 belong 33 - received SIGXCPU
>>>>>>>>>0xC4 belong 34 - received SIGXFSZ
# Order 5: FORMAT, EXEC, KERNEL, PROC
0x78 string HP-UX
>0 belong 1
>>0xC belong 4
>>>0x10 belong 1
>>>>0x14 belong 0x100
>>>>>0x20 belong 0x44
>>>>>>0x68 belong 2
>>>>>>>0x74 belong 0x3C
>>>>>>>>0xB4 belong 4 core file
>>>>>>>>>0x58 string >\0 from '%s'
>>>>>>>>>0xC4 belong 3 - received SIGQUIT
>>>>>>>>>0xC4 belong 4 - received SIGILL
>>>>>>>>>0xC4 belong 5 - received SIGTRAP
>>>>>>>>>0xC4 belong 6 - received SIGABRT
>>>>>>>>>0xC4 belong 7 - received SIGEMT
>>>>>>>>>0xC4 belong 8 - received SIGFPE
>>>>>>>>>0xC4 belong 10 - received SIGBUS
>>>>>>>>>0xC4 belong 11 - received SIGSEGV
>>>>>>>>>0xC4 belong 12 - received SIGSYS
>>>>>>>>>0xC4 belong 33 - received SIGXCPU
>>>>>>>>>0xC4 belong 34 - received SIGXFSZ
# Order 6: EXEC, FORMAT, KERNEL, PROC
>0 belong 0x100
>>0xC belong 0x44
>>>0x54 belong 1
>>>>0x60 belong 4
>>>>>0x64 belong 1
>>>>>>0x68 belong 2
>>>>>>>0x74 belong 0x2C
>>>>>>>>0xB4 belong 4 core file
>>>>>>>>>0x44 string >\0 from '%s'
>>>>>>>>>0xC4 belong 3 - received SIGQUIT
>>>>>>>>>0xC4 belong 4 - received SIGILL
>>>>>>>>>0xC4 belong 5 - received SIGTRAP
>>>>>>>>>0xC4 belong 6 - received SIGABRT
>>>>>>>>>0xC4 belong 7 - received SIGEMT
>>>>>>>>>0xC4 belong 8 - received SIGFPE
>>>>>>>>>0xC4 belong 10 - received SIGBUS
>>>>>>>>>0xC4 belong 11 - received SIGSEGV
>>>>>>>>>0xC4 belong 12 - received SIGSYS
>>>>>>>>>0xC4 belong 33 - received SIGXCPU
>>>>>>>>>0xC4 belong 34 - received SIGXFSZ

#------------------------------------------------------------------------------
# $File: human68k,v 1.5 2009/09/19 16:28:09 christos Exp $
# human68k: file(1) magic for Human68k (X680x0 DOS) binary formats
# Magic too short!
#0 string HU Human68k
#>68 string LZX LZX compressed
#>>72 string >\0 (version %s)
#>(8.L+74) string LZX LZX compressed
#>>(8.L+78) string >\0 (version %s)
#>60 belong >0 binded
#>(8.L+66) string #HUPAIR hupair
#>0 string HU X executable
#>(8.L+74) string #LIBCV1 - linked PD LIBC ver 1
#>4 belong >0 - base address 0x%x
#>28 belong >0 not stripped
#>32 belong >0 with debug information
#0 beshort 0x601a Human68k Z executable
#0 beshort 0x6000 Human68k object file
#0 belong 0xd1000000 Human68k ar binary archive
#0 belong 0xd1010000 Human68k ar ascii archive
#0 beshort 0x0068 Human68k lib archive
#4 string LZX Human68k LZX compressed
#>8 string >\0 (version %s)
#>4 string LZX R executable
#2 string #HUPAIR Human68k hupair R executable

#------------------------------------------------------------------------------
# $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $
# ibm370: file(1) magic for IBM 370 and compatibles.
#
# "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable".
# What the heck *is* "USS/370"?
# AIX 4.1's "/etc/magic" has
#
# 0 short 0535 370 sysV executable
# >12 long >0 not stripped
# >22 short >0 - version %d
# >30 long >0 - 5.2 format
# 0 short 0530 370 sysV pure executable
# >12 long >0 not stripped
# >22 short >0 - version %d
# >30 long >0 - 5.2 format
#
# instead of the "USS/370" versions of the same magic numbers.
#
0 beshort 0537 370 XA sysV executable
>12 belong >0 not stripped
>22 beshort >0 - version %d
>30 belong >0 - 5.2 format
0 beshort 0532 370 XA sysV pure executable
>12 belong >0 not stripped
>22 beshort >0 - version %d
>30 belong >0 - 5.2 format
0 beshort 054001 370 sysV pure executable
>12 belong >0 not stripped
0 beshort 055001 370 XA sysV pure executable
>12 belong >0 not stripped
0 beshort 056401 370 sysV executable
>12 belong >0 not stripped
0 beshort 057401 370 XA sysV executable
>12 belong >0 not stripped
0 beshort 0531 SVR2 executable (Amdahl-UTS)
>12 belong >0 not stripped
>24 belong >0 - version %d
0 beshort 0534 SVR2 pure executable (Amdahl-UTS)
>12 belong >0 not stripped
>24 belong >0 - version %d
0 beshort 0530 SVR2 pure executable (USS/370)
>12 belong >0 not stripped
>24 belong >0 - version %d
0 beshort 0535 SVR2 executable (USS/370)
>12 belong >0 not stripped
>24 belong >0 - version %d

#------------------------------------------------------------------------------
# $File: ibm6000,v 1.14 2019/03/07 17:21:54 christos Exp $
# ibm6000: file(1) magic for RS/6000 and the RT PC.
#
0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module
>12 belong >0 not stripped
# Breaks sun4 statically linked execs.
#0 beshort 0x0103 executable (RT Version 2) or obj module
#>2 byte 0x50 pure
#>28 belong >0 not stripped
#>6 beshort >0 - version %ld
0 beshort 0x0104 shared library
0 beshort 0x0105 ctab data
0 beshort 0xfe04 structured file
0 string 0xabcdef AIX message catalog
0 belong 0x000001f9 AIX compiled message catalog
0 string \<aiaff> archive
0 string \<bigaf> archive (big format)
0 belong 0x09006bea AIX backup/restore format file
0 belong 0x09006fea AIX backup/restore format file

0 beshort 0x01f7 64-bit XCOFF executable or object module
>20 belong 0 not stripped
# GRR: this test is still too general as it catches also many FATs of DOS filesystems
4 belong &0x0feeddb0
# real core dump could not be 32-bit and 64-bit together
>7 byte&0x03 !3 AIX core file
>>1 byte &0x01 fulldump
>>7 byte &0x01 32-bit
>>>0x6e0 string >\0 \b, %s
>>7 byte &0x02 64-bit
>>>0x524 string >\0 \b, %s

#------------------------------------------------------------------------------
# $File: icc,v 1.6 2019/11/15 21:03:14 christos Exp $
# icc: file(1) magic for International Color Consortium file formats

#
# Color profiles as per the ICC's "Image technology colour management -
# Architecture, profile format, and data structure" specification.
# See
#
# http://www.color.org/specification/ICC1v43_2010-12.pdf
#
# for Specification ICC.1:2010 (Profile version 4.3.0.0).
# URL:
# http://fileformats.archiveteam.org/wiki/ICC_profile
# Reference: http://www.color.org/iccmax/ICC.2-2016-7.pdf
# Update: Joerg Jenderek
#
# Bytes 36 to 39 contain a generic profile file signature of "acsp";
# bytes 40 to 43 "may be used to identify the primary platform/operating
# system framework for which the profile was created".
#
# check and display ICC/ICM color profile
0 name color-profile
>36 string acsp
# skip ASCII like Cognacspirit.txt by month <= 12
>>26 ubeshort <13
# platform/operating system. Only 5 mentioned

#
# This appears to be what's used for Apple ColorSync profiles.
# Instead of adding that, Apple just changed the generic "acsp" entry
# to be for "ColorSync ICC Color Profile" rather than "Kodak Color
# Management System, ICC Profile".
# Yes, it's "APPL", not "AAPL"; see the spec.
>>>40 string APPL ColorSync

# Microsoft ICM color profile
>>>40 string MSFT Microsoft

# Yes, that's a blank after "SGI".
>>>40 string SGI\ SGI

# XXX - is this what's used for the Sun KCMS or not? The standard file
# uses just "acsp" for that, but Apple's file uses it for "ColorSync",
# and there *is* an identified "primary platform" value of SUNW.
>>>40 string SUNW Sun KCMS

# 5th platform
>>>40 string TGNT Taligent

# remaining "l" "e" of "color profile" printed later to avoid error
>>>40 string x color profi
#>>>40 string x (%.4s)
!:mime application/vnd.iccprofile
# for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found
>>>8 ubyte =2
# do not use empty message text to avoid error like
# icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file.exe: could not find any valid magic files!
>>>>9 ubyte !0 \ble
!:ext icc/icm
# minor version
>>>>9 ubyte =0 \bl
# Kodak colour management system
>>>>>4 string =KCMS \be
!:ext icc/icm/cc
>>>>>4 string !KCMS \be
!:ext icc/icm
>>>8 ubyte !2 \ble
!:ext icc
# Profile version major.4bit-minor.sub1.sub2 like 4.3.0.0 (04300000h)
>>>8 ubyte x %u
>>>9 ubyte/16 x \b.%u
# reserved and shall be null but 205.205 in umx1220u.icm
>>>10 ubyte >0 \b.%u
>>>>11 ubyte >0 \b.%u
# preferred colour management module like appl CCMS KCMS Lino UCCM "Win " "FF "
# skip space like in brmsl08f.icm and null like in brmsl09f.icm, brmsl07f.icm
>>>4 string >\ \b, type %.2s
>>>>6 string >\ \b%.1s
>>>>>7 string >\ \b%.1s
# colour space "XYZ " "Lab " "RGB " CMYK GRAY ...
>>>16 string x \b, %.3s
>>>19 string >\ \b%.1s
# Profile Connection Space (PCS) field usually "XYZ " or "Lab " but sometimes
# null or CMYK like in ISOcoated_v2_to_PSOcoated_v3_DeviceLink.icc
>>>20 string >\0 \b/%.3s
>>>>23 string >\ \b%.1s
# eleven device classes
>>>12 string x \b-%.4s device
# skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm
>>>52 string >\040
# skip "none" model like in "Trinitron Compatible 9300K G2.2.icm"
>>>>52 ubelong !0x6e6f6e65
# device manufacturer field like "HP " "IBM " EPSO
>>>>>48 string x \b, %.2s
>>>>>50 string >\ \b%.1s
>>>>>51 string >\ \b%.1s
# model like "ADI " "A265" and skip 20000404h in IS330.icm for RICOH RUSSIAN-SC
>>>>>52 string >\ \ \b/%.3s
>>>>>>55 string >\ \b%.1s
>>>>>52 string x model
# creator (often same as manufacturer) like HP SONY XROX or null like in A925A.icm
>>>80 string >\0 by %.2s
>>>>82 string >\ \b%.1s
>>>>>83 string >\ \b%.1s
# profile size
>>>0 ubelong x \b, %u bytes
# skip invalid date 0 like in linearSRGB.icc
>>>24 ubequad !0
# datetime dd-mm-yyyy hh:mm:ss
>>>>28 ubeshort x \b, %u
# month <= 12
>>>>26 ubeshort x \b-%u
# year
>>>>24 ubeshort x \b-%u
# do not display midnight time like in CNHP8308.ICC
>>>>30 ubequad&0xFFffFFffFFff0000 !0
# hour <= 24
>>>>>30 ubeshort x %u
# minutes <= 59
>>>>>32 ubeshort x \b:%.2u
# seconds <= 59
>>>>>34 ubeshort x \b:%.2u
# vendor specific flags like 2 in HPCLJ5.ICM
>>>44 ubeshort >0 \b, 0x%x vendor flags
# profile flags bits 0-2 of least 16 used by ICC
#>>>44 ubelong >0 \b, 0x%x flags
# icEmbeddedProfileTrue
>>>44 ubelong &1 \b, embedded
# icEmbeddedProfileFalse
#>>>44 ubelong ^1 \b, not embedded
# icUseWithEmbeddedDataOnly
>>>44 ubelong &2 \b, dependently
# icUseAnywhere
#>>>44 ubelong
^2 \b, independently>>>44 ubelong &4 \b, MCS#>>>44 ubelong ^4 \b, no MCS# vendor specific device attributes 1~srgb.icc# E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM>>>56 ubelong >0 \b, 0x%x vendor attribute# ICC device attributes bits 0-7 used#>>>60 ubelong x \b, 0x%x attribute# http://www.color.org/icc34.h>>>60 ubelong &0x01 \b, transparent#>>>60 ubelong ^0x01 \b, reflective>>>60 ubelong &0x02 \b, matte#>>>60 ubelong ^0x02 \b, glossy>>>60 ubelong &0x04 \b, negative#>>>60 ubelong ^0x04 \b, positive>>>60 ubelong &0x08 \b, black&white#>>>60 ubelong ^0x08 \b, colour>>>60 ubelong &0x10 \b, non-paper#>>>60 ubelong ^0x10 \b, paper>>>60 ubelong &0x20 \b, non-textured#>>>60 ubelong ^0x20 \b, textured>>>60 ubelong &0x40 \b, non-isotropic#>>>60 ubelong ^0x40 \b, isotropic>>>60 ubelong &0x80 \b, self-luminous#>>>60 ubelong ^0x80 \b, non-self-luminous# rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM>>>64 ubelong >3 \b, 0x%x rendering intent#>>>64 ubelong =0 \b, perceptual>>>64 ubelong =1 \b, relative colorimetric>>>64 ubelong =2 \b, saturation>>>64 ubelong =3 \b, absolute colorimetric# PCS illuminant (3*s15Fixed16Numbers) often 0000f6d6 00010000 0000d32d>>>71 ubequad !0xd6000100000000d3 \b, PCS# usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found# often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm>>>>68 ubelong !0x0000f6d5 X=0x%x# usually Y=1.0~00010000h but Y=0 in brmsl07f.icm>>>>72 ubelong !0x00010000 Y=0x%x# usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found# D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm>>>>76 ubelong !0x0000d32d Z=0x%x# Profile ID. 
MD5 fingerprinting method as defined in Internet RFC 1321.>>>84 ubequad >0 \b, 0x%llx MD5# reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD#>>100 ubequad x \b 0x%llx reserved# tag table# 6 <= tags count <= 43#>>>128 ubelong >43 \b, %u tags>>>128 ubelong x# shall contain the profileDescriptionTag "desc" , copyrightTag "cprt"# search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508>>>>132 search/508 cprt# but no copyright tag in linearSRGB.icc# beneath /System/Library/Frameworks/WebKit.framework/# Versions/A/Frameworks/WebCore.framework/Versions/A/Resources>>>>132 default x \b, no copyright tag# 1st tag#>>>132 string x \b, 1st tag %.4s#>>>136 ubelong x 0x%x offset#>>>140 ubelong x 0x%x len# 2nd tag,...# look also for profileDescriptionTag "desc">>>132 search/508 desc# look further for TextDescriptionType "desc" signature>>>>(&0.L) string =desc>>>>>&4 pstring/l x "%s"# look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc>>>>(&0.L) string =mluc>>>>>&(&8.L) ubequad x>>>>>>&4 bestring16 x '%s' # Any other profile.# XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles,# and use "acsp" for everything else and dump the "primary platform"# string in those cases?36 string acsp>0 use color-profile #------------------------------------------------------------------------------# $File: iff,v 1.14 2015/09/07 10:03:21 christos Exp $# iff: file(1) magic for Interchange File Format (see also "audio" & "images")## Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic# Arts for file interchange. It has also been used by Apple, SGI, and# especially Commodore-Amiga.## IFF files begin with an 8 byte FORM header, followed by a 4 character# FORM type, which is followed by the first chunk in the FORM. 
0 string FORM IFF data#>4 belong x \b, FORM is %d bytes long# audio formats>8 string AIFF \b, AIFF audio!:mime audio/x-aiff>8 string AIFC \b, AIFF-C compressed audio!:mime audio/x-aiff>8 string 8SVX \b, 8SVX 8-bit sampled sound voice!:mime audio/x-aiff>8 string 16SV \b, 16SV 16-bit sampled sound voice>8 string SAMP \b, SAMP sampled audio>8 string MAUD \b, MAUD MacroSystem audio>8 string SMUS \b, SMUS simple music>8 string CMUS \b, CMUS complex music# image formats>8 string ILBMBMHD \b, ILBM interleaved image>>20 beshort x \b, %d x>>22 beshort x %d>8 string RGBN \b, RGBN 12-bit RGB image>8 string RGB8 \b, RGB8 24-bit RGB image>8 string DEEP \b, DEEP TVPaint/XiPaint image>8 string DR2D \b, DR2D 2-D object>8 string TDDD \b, TDDD 3-D rendering>8 string LWOB \b, LWOB 3-D object>8 string LWO2 \b, LWO2 3-D object, v2>8 string LWLO \b, LWLO 3-D layered object>8 string REAL \b, REAL Real3D rendering>8 string MC4D \b, MC4D MaxonCinema4D rendering>8 string ANIM \b, ANIM animation>8 string YAFA \b, YAFA animation>8 string SSA\ \b, SSA super smooth animation>8 string ACBM \b, ACBM continuous image>8 string FAXX \b, FAXX fax image# other formats>8 string FTXT \b, FTXT formatted text>8 string CTLG \b, CTLG message catalog>8 string PREF \b, PREF preferences>8 string DTYP \b, DTYP datatype description>8 string PTCH \b, PTCH binary patch>8 string AMFF \b, AMFF AmigaMetaFile format>8 string WZRD \b, WZRD StormWIZARD resource>8 string DOC\ \b, DOC desktop publishing document>8 string WVQA \b, Westwood Studios VQA Multimedia,>>24 leshort x %d video frames,>>26 leshort x %d x>>28 leshort x %d>8 string MOVE \b, Wing Commander III Video>>12 string _PC_ \b, PC version>>12 string 3DO_ \b, 3DO version # These go at the end of the iff rules## David Griffith <dave@661.org># I don't see why these might collide with anything else.## Interactive Fiction related formats#>8 string IFRS \b, Blorb Interactive Fiction>>24 string Exec with executable chunk>8 string IFZS \b, Z-machine or Glulx saved 
game file (Quetzal)!:mime application/x-blorb #------------------------------------------------------------------------------# $File: images,v 1.181 2020/05/30 23:49:03 christos Exp $# images: file(1) magic for image formats (see also "iff", and "c-lang" for# XPM bitmaps)## originally from jef@helios.ee.lbl.gov (Jef Poskanzer),# additions by janl@ifi.uio.no as well as others. Jan also suggested# merging several one- and two-line files into here.## little magic: PCX (first byte is 0x0a) # Targa - matches `povray', `ppmtotga' and `xv' outputs# by Philippe De Muyter <phdm@macqel.be># URL: http://justsolve.archiveteam.org/wiki/TGA# Reference: http://www.dca.fee.unicamp.br/~martino/disciplinas/ea978/tgaffs.pdf# Update: Joerg Jenderek# at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11# ,32 or 33 (both not observed)# at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise# or theoretically 2-128 reserved for use by Truevision or 128-255 may be used for developer applications# at 3, leshort Index is 0 for povray, ppmtotga and xv outputs# `xv' recognizes only a subset of the following (RGB with pixelsize = 24)# `tgatoppm' recognizes a superset (Index may be anything)## test of Color Map Type 0~no 1~color map# and Image Type 1 2 3 9 10 11 32 33# and Color Map Entry Size 0 15 16 24 320 ubequad&0x00FeC400000000C0 0# Conflict with MPEG sequences.!:strength -40# Prevent conflicts with CRI ADX.>(2.S-2) belong !0x28632943# skip more garbage like *.iso by looking for positive image type>>2 ubyte >0# skip some compiled terminfo like xterm+tmux by looking for image type less equal 33>>>2 ubyte <34# skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel depth 1 8 15 16 24 32>>>>16 ubyte 1>>>>>0 use tga-image>>>>16 ubyte 8>>>>>0 use tga-image>>>>16 ubyte 15>>>>>0 use tga-image>>>>16 ubyte 16>>>>>0 use tga-image>>>>16 ubyte 24>>>>>0 use tga-image>>>>16 ubyte 32>>>>>0 use tga-image# display tga bitmap image information0 name tga-image>2 ubyte <34 Targa image data!:mime 
image/x-tga!:apple ????TPIC# normal extension .tga but some Truevision products used others:# tpic (Apple),icb (Image Capture Board),vda (Video Display Adapter),vst (NuVista),win (UNSURE about that)!:ext tga/tpic/icb/vda/vst# image type 1 2 3 9 10 11 32 33>2 ubyte&0xF7 1 - Map>2 ubyte&0xF7 2 - RGB# alpha channel>>17 ubyte&0x0F >0 \bA>2 ubyte&0xF7 3 - Mono# type not found, but by http://www.fileformat.info/format/tga/corion.htm# Compressed color-mapped data, using Huffman, Delta, and runlength encoding>2 ubyte 32 - Color# Compressed color-mapped data, using Huffman, Delta, and RLE. 4-pass quadtree- type process>2 ubyte 33 - Color# Color Map Type 0~no 1~color map>1 ubyte 1 (# first color map entry, 0 normal>>3 uleshort >0 \b%d-# color map length 0 2 1dh 3bh d9h 100h>>5 uleshort x \b%d)# 8~run length encoding bit>2 ubyte&0x08 8 - RLE# gimp can create big pictures!>12 uleshort >0 %d x>12 uleshort =0 65536 x# image height. 0 interpreted as 65536>14 uleshort >0 %d>14 uleshort =0 65536# Image Pixel depth 1 8 15 16 24 32>16 ubyte x x %d# X origin of image. 0 normal>8 uleshort >0 +%d# Y origin of image. 0 normal; positive for top>10 uleshort >0 +%d# Image descriptor: bits 3-0 give the alpha channel depth, bits 5-4 give direction>17 ubyte&0x0F >0 - %d-bit alpha# bits 5-4 give direction. 
normal bottom left>17 ubyte &0x20 - top#>17 ubyte ^0x20 - bottom>17 ubyte &0x10 - right#>17 ubyte ^0x10 - left# some info say other bits 6-7 should be zero# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm# 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved#>17 ubyte&0xC0 0x00 - no interleave>17 ubyte&0xC0 0x40 - interleave>17 ubyte&0xC0 0x80 - four way interleave>17 ubyte&0xC0 0xC0 - reserved# positive length implies identification field>0 ubyte >0>>18 string x "%s"# last 18 bytes of newer tga file footer signature>18 search/4261301/s TRUEVISION-XFILE.\0# extension area offset if not 0>>&-8 ulelong >0# length of the extension area. normal 495 for version 2.0>>>(&-4.l) uleshort 0x01EF# AuthorName[41]>>>>&0 string >\0 - author "%-.40s"# Comment[324]=4 * 80 null terminated>>>>&41 string >\0 - comment "%-.80s"# date>>>>&365 ubequad&0xffffFFFFffff0000 !0# Day>>>>>&-6 uleshort x %d# Month>>>>>&-8 uleshort x \b-%d# Year>>>>>&-4 uleshort x \b-%d# time>>>>&371 ubequad&0xffffFFFFffff0000 !0# hour>>>>>&-8 uleshort x %d# minutes>>>>>&-6 uleshort x \b:%.2d# second>>>>>&-4 uleshort x \b:%.2d# JobName[41]>>>>&377 string >\0 - job "%-.40s"# JobHour Jobminute Jobsecond>>>>&418 ubequad&0xffffFFFFffff0000 !0>>>>>&-8 uleshort x %d>>>>>&-6 uleshort x \b:%.2d>>>>>&-4 uleshort x \b:%.2d# SoftwareId[41]>>>>&424 string >\0 - %-.40s# SoftwareVersionNumber>>>>&424 ubyte >0>>>>>&40 uleshort/100 x %d>>>>>&40 uleshort%100 x \b.%d# VersionLetter>>>>>&42 ubyte >0x20 \b%c# KeyColor>>>>&468 ulelong >0 - keycolor 0x%8.8x# Denominator of Pixel ratio. 0~no pixel aspect>>>>&474 uleshort >0# Numerator>>>>>&-4 uleshort >0 - aspect %d>>>>>&-2 uleshort x \b/%d# Denominator of Gamma ratio. 
0~no Gamma value>>>>&478 uleshort >0# Numerator>>>>>&-4 uleshort >0 - gamma %d>>>>>&-2 uleshort x \b/%d# ColorOffset#>>>>&480 ulelong x - col offset 0x%8.8x# StampOffset#>>>>&484 ulelong x - stamp offset 0x%8.8x# ScanOffset#>>>>&488 ulelong x - scan offset 0x%8.8x# AttributesType#>>>>&492 ubyte x - Attributes 0x%x## EndOfTGA # PBMPLUS images# The next byte following the magic is always whitespace.# strength is changed to try these patterns before "x86 boot sector"0 name netpbm>3 regex/s =[0-9]{1,50}\ [0-9]{1,50} Netpbm image data>>&0 regex =[0-9]{1,50} \b, size = %s x>>>&0 regex =[0-9]{1,50} \b %s 0 search/1 P1>0 regex/4 P1[\040\t\f\r\n]>>0 use netpbm>>0 string x \b, bitmap!:strength + 65!:mime image/x-portable-bitmap 0 search/1 P2>0 regex/4 P2[\040\t\f\r\n]>>0 use netpbm>>0 string x \b, greymap!:strength + 65!:mime image/x-portable-greymap 0 search/1 P3>0 regex/4 P3[\040\t\f\r\n]>>0 use netpbm>>0 string x \b, pixmap!:strength + 65!:mime image/x-portable-pixmap 0 string P4>0 regex/4 P4[\040\t\f\r\n]>>0 use netpbm>>0 string x \b, rawbits, bitmap!:strength + 65!:mime image/x-portable-bitmap 0 string P5>0 regex/4 P5[\040\t\f\r\n]>>0 use netpbm>>0 string x \b, rawbits, greymap!:strength + 65!:mime image/x-portable-greymap 0 string P6>0 regex/4 P6[\040\t\f\r\n]>>0 use netpbm>>0 string x \b, rawbits, pixmap!:strength + 65!:mime image/x-portable-pixmap 0 string P7 Netpbm PAM image file!:mime image/x-portable-pixmap # From: bryanh@giraffe-data.com (Bryan Henderson)0 string \117\072 Solitaire Image Recorder format>4 string \013 MGI Type 11>4 string \021 MGI Type 170 string .MDA MicroDesign data>21 byte 48 version 2>21 byte 51 version 30 string .MDP MicroDesign page data>21 byte 48 version 2>21 byte 51 version 3 # NIFF (Navy Interchange File Format, a modification of TIFF) images# [GRR: this *must* go before TIFF]0 string IIN1 NIFF image data!:mime image/x-niff # Canon RAW version 1 (CRW) files are a type of Canon Image File Format# (CIFF) file. 
These are apparently all little-endian.# From: Adam Buchbinder <adam.buchbinder@gmail.com># URL: https://www.sno.phy.queensu.ca/~phil/exiftool/canon_raw.html0 string II\x1a\0\0\0HEAPCCDR Canon CIFF raw image data!:mime image/x-canon-crw>16 leshort x \b, version %d.>14 leshort x \b%d # Canon RAW version 2 (CR2) files are a kind of TIFF with an extra magic# number. Put this above the TIFF test to make sure we detect them.# These are apparently all little-endian.# From: Adam Buchbinder <adam.buchbinder@gmail.com># URL: https://libopenraw.freedesktop.org/wiki/Canon_CR20 string II\x2a\0\x10\0\0\0CR Canon CR2 raw image data!:mime image/x-canon-cr2!:strength +80>10 byte x \b, version %d.>11 byte x \b%d # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com)# The second word of TIFF files is the TIFF version number, 42, which has# never changed. The TIFF specification recommends testing for it.0 string MM\x00\x2a TIFF image data, big-endian!:strength +70!:mime image/tiff>(4.L) use \^tiff_ifd0 string II\x2a\x00 TIFF image data, little-endian!:mime image/tiff!:strength +70>(4.l) use tiff_ifd 0 name tiff_ifd>0 leshort x \b, direntries=%d>2 use tiff_entry 0 name tiff_entry# NewSubFileType>0 leshort 0xfe>>12 use tiff_entry>0 leshort 0x100>>4 lelong 1>>>12 use tiff_entry>>>8 leshort x \b, width=%d>0 leshort 0x101>>4 lelong 1>>>8 leshort x \b, height=%d>>>12 use tiff_entry>0 leshort 0x102>>8 leshort x \b, bps=%d>>12 use tiff_entry>0 leshort 0x103>>4 lelong 1 \b, compression=>>>8 leshort 1 \bnone>>>8 leshort 2 \bhuffman>>>8 leshort 3 \bbi-level group 3>>>8 leshort 4 \bbi-level group 4>>>8 leshort 5 \bLZW>>>8 leshort 6 \bJPEG (old)>>>8 leshort 7 \bJPEG>>>8 leshort 8 \bdeflate>>>8 leshort 9 \bJBIG, ITU-T T.85>>>8 leshort 0xa \bJBIG, ITU-T T.43>>>8 leshort 0x7ffe \bNeXT RLE 2-bit>>>8 leshort 0x8005 \bPackBits (Macintosh RLE)>>>8 leshort 0x8029 \bThunderscan RLE>>>8 leshort 0x807f \bRasterPadding (CT or MP)>>>8 leshort 0x8080 \bRLE (Line Work)>>>8 leshort 0x8081 \bRLE 
(High-Res Cont-Tone)>>>8 leshort 0x8082 \bRLE (Binary Line Work)>>>8 leshort 0x80b2 \bDeflate (PKZIP)>>>8 leshort 0x80b3 \bKodak DCS>>>8 leshort 0x8765 \bJBIG>>>8 leshort 0x8798 \bJPEG2000>>>8 leshort 0x8799 \bNikon NEF Compressed>>>8 default x>>>>8 leshort x \b(unknown 0x%x)>>>12 use tiff_entry>0 leshort 0x106 \b, PhotometricIntepretation=>>8 clear x>>8 leshort 0 \bWhiteIsZero>>8 leshort 1 \bBlackIsZero>>8 leshort 2 \bRGB>>8 leshort 3 \bRGB Palette>>8 leshort 4 \bTransparency Mask>>8 leshort 5 \bCMYK>>8 leshort 6 \bYCbCr>>8 leshort 8 \bCIELab>>8 default x>>>8 leshort x \b(unknown=0x%x)>>12 use tiff_entry# FillOrder>0 leshort 0x10a>>4 lelong 1>>>12 use tiff_entry# DocumentName>0 leshort 0x10d>>(8.l) string x \b, name=%s>>>12 use tiff_entry# ImageDescription>0 leshort 0x10e>>(8.l) string x \b, description=%s>>>12 use tiff_entry# Make>0 leshort 0x10f>>(8.l) string x \b, manufacturer=%s>>>12 use tiff_entry# Model>0 leshort 0x110>>(8.l) string x \b, model=%s>>>12 use tiff_entry# StripOffsets>0 leshort 0x111>>12 use tiff_entry# Orientation>0 leshort 0x112 \b, orientation=>>8 leshort 1 \bupper-left>>8 leshort 3 \blower-right>>8 leshort 6 \bupper-right>>8 leshort 8 \blower-left>>8 leshort 9 \bundefined>>8 default x>>>8 leshort x \b[*%d*]>>12 use tiff_entry# XResolution>0 leshort 0x11a>>8 lelong x \b, xresolution=%d>>12 use tiff_entry# YResolution>0 leshort 0x11b>>8 lelong x \b, yresolution=%d>>12 use tiff_entry# ResolutionUnit>0 leshort 0x128>>8 leshort x \b, resolutionunit=%d>>12 use tiff_entry# Software>0 leshort 0x131>>(8.l) string x \b, software=%s>>12 use tiff_entry# Datetime>0 leshort 0x132>>(8.l) string x \b, datetime=%s>>12 use tiff_entry# HostComputer>0 leshort 0x13c>>(8.l) string x \b, hostcomputer=%s>>12 use tiff_entry# WhitePoint>0 leshort 0x13e>>12 use tiff_entry# PrimaryChromaticities>0 leshort 0x13f>>12 use tiff_entry# YCbCrCoefficients>0 leshort 0x211>>12 use tiff_entry# YCbCrPositioning>0 leshort 0x213>>12 use tiff_entry# ReferenceBlackWhite>0 leshort 
0x214>>12 use tiff_entry# Copyright>0 leshort 0x8298>>(8.l) string x \b, copyright=%s>>12 use tiff_entry# ExifOffset>0 leshort 0x8769>>12 use tiff_entry# GPS IFD>0 leshort 0x8825 \b, GPS-Data>>12 use tiff_entry #>0 leshort x \b, unknown=0x%x#>>12 use tiff_entry 0 string MM\x00\x2b Big TIFF image data, big-endian!:mime image/tiff0 string II\x2b\x00 Big TIFF image data, little-endian!:mime image/tiff # PNG [Portable Network Graphics, or "PNG's Not GIF"] images# (Greg Roelofs, newt@uchicago.edu)# (Albert Cahalan, acahalan@cs.uml.edu)## 137 P N G \r \n ^Z \n [4-byte length] I H D R [HEAD data] [HEAD crc] ...# # IHDR parser0 name png-ihdr>0 belong x \b, %d x>4 belong x %d,>8 byte x %d-bit>9 byte 0 grayscale,>9 byte 2 \b/color RGB,>9 byte 3 colormap,>9 byte 4 gray+alpha,>9 byte 6 \b/color RGBA,#>10 byte 0 deflate/32K,>12 byte 0 non-interlaced>12 byte 1 interlaced # Standard PNG image.0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data!:mime image/png!:ext png!:strength +10>16 use png-ihdr # Apple CgBI PNG image.0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x04CgBI>24 string \x00\x00\x00\x0DIHDR PNG image data (CgBI)!:mime image/png!:ext png!:strength +10>>32 use png-ihdr # possible GIF replacements; none yet released!# (Greg Roelofs, newt@uchicago.edu)## GRR 950115: this was mine ("Zip GIF"):0 string GIF94z ZIF image (GIF+deflate alpha)!:mime image/x-unknown## GRR 950115: this is Jeremy Wohl's Free Graphics Format (better):#0 string FGF95a FGF image (GIF+deflate beta)!:mime image/x-unknown## GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal# (best; not yet implemented):#0 string PBF PBF image (deflate compression)!:mime image/x-unknown # GIF# Strength set up to beat 0x55AA DOS/MBR signature word lookups (+65)0 string GIF8 GIF image data!:strength +80!:mime image/gif!:apple 8BIMGIFf>4 string 7a \b, version 8%s,>4 string 9a \b, version 8%s,>6 leshort >0 %d x>8 leshort >0 %d#>10 byte &0x80 color mapped,#>10 byte&0x07 =0x00 2 colors#>10 
byte&0x07 =0x01 4 colors#>10 byte&0x07 =0x02 8 colors#>10 byte&0x07 =0x03 16 colors#>10 byte&0x07 =0x04 32 colors#>10 byte&0x07 =0x05 64 colors#>10 byte&0x07 =0x06 128 colors#>10 byte&0x07 =0x07 256 colors # ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster,# 1 plane, no encoding.0 string \361\0\100\273 CMU window manager raster image data>4 lelong >0 %d x>8 lelong >0 %d,>12 lelong >0 %d-bit # Magick Image File Format# URL: https://imagemagick.org/script/miff.php# Reference: http://fileformats.archiveteam.org/wiki/MIFF# Update: Joerg Jenderek# http://www.nationalarchives.gov.uk/pronom/fmt/9300 search/256/bc id=imagemagick# skip bad ASCII text by following new line~0x0A or space~0x20 character#>&0 ubyte x \b, next character 0x%x# called by TriD ImageMagick Machine independent File Format bitmap>&0 ubyte&0xD5 0 MIFF image data# https://reposcope.com/mimetype/image/miff#!:mime image/miff!:mime image/x-miff!:ext miff/mif# examples with standard file(1) magic#>>0 string =id=ImageMagick with standard magic# examples with unusual file(1) magic like >>0 string !id=ImageMagick starting with# start with comment (brace) like http://samples.fileformat.info/.../AQUARIUM.MIF>>>0 ubyte =0x7b comment# skip second character which is often a newline and show comment>>>>2 string x "%s"# does not start with comment, probably letters with other case like Id=ImageMagick# ImageMagick-7.0.9-2/Magick++/demo/smile_anim.miff>>>0 ubyte !0x7b>>>>0 string >\0 '%-.14s'# URL: https://imagemagick.org/# Reference: https://imagemagick.org/script/magick-vector-graphics.php# From: Joerg Jenderek# Note: all white-spaces between commands are ignored0 string push# skip some white spaces>5 search/3 graphic-context ImageMagick Vector Graphic# TODO: look for dangerous commands like CVE-2016-3715#!:mime text/plain!:mime image/x-mvg!:ext mvg # Artisan0 long 1123028772 Artisan image data>4 long 1 \b, rectangular 24-bit>4 long 2 \b, rectangular 8-bit with colormap>4 long 3 \b, rectangular 
32-bit (24-bit with matte) # FIG (Facility for Interactive Generation of figures), an object-based format0 search/1 #FIG FIG image text>5 string x \b, version %.3s # PHIGS0 string ARF_BEGARF PHIGS clear text archive0 string @(#)SunPHIGS SunPHIGS# version number follows, in the form m.n>40 string SunBin binary>32 string archive archive # GKS (Graphics Kernel System)0 string GKSM GKS Metafile>24 string SunGKS \b, SunGKS # CGM image files0 string BEGMF clear text Computer Graphics Metafile # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de)0 string yz MGR bitmap, modern format, 8-bit aligned0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned0 string yx MGR bitmap, modern format, squeezed # Fuzzy Bitmap (FBM) images0 string %bitmap\0 FBM image data>30 long 0x31 \b, mono>30 long 0x33 \b, color # facsimile data1 string PC\ Research,\ Inc group 3 fax data>29 byte 0 \b, normal resolution (204x98 DPI)>29 byte 1 \b, fine resolution (204x196 DPI)# From: Herbert Rosmanith <herp@wildsau.idv.uni.linz.at>0 string Sfff structured fax file # From: Joerg Jenderek <joerg.jen.der.ek@gmx.net># most files with the extension .EPA and some with .BMP0 string \x11\x06 Award BIOS Logo, 136 x 84!:mime image/x-award-bioslogo0 string \x11\x09 Award BIOS Logo, 136 x 126!:mime image/x-award-bioslogo#0 string \x07\x1f BIOS Logo corrupted?# http://www.blackfiveservices.co.uk/awbmtools.shtml# http://biosgfx.narod.ru/v3/# http://biosgfx.narod.ru/abr-2/0 string AWBM>4 leshort <1981 Award BIOS bitmap!:mime image/x-award-bmp# image width is a multiple of 4>>4 leshort&0x0003 0>>>4 leshort x \b, %d>>>6 leshort x x %d>>4 leshort&0x0003 >0 \b,>>>4 leshort&0x0003 =1>>>>4 leshort x %d+3>>>4 leshort&0x0003 =2>>>>4 leshort x %d+2>>>4 leshort&0x0003 =3>>>>4 leshort x %d+1>>>6 leshort x x %d# at offset 8 starts imagedata followed by "RGB " marker # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)# 
https://en.wikipedia.org/wiki/BMP_file_format#DIB_header_.\# 28bitmap_information_header.29# Note: variant starting direct with DIB header see# http://fileformats.archiveteam.org/wiki/BMP# verified by ImageMagick version 6.8.9-8 command `identify *.dib`0 leshort 40# skip bad samples like GAME by looking for valid number of color planes>12 uleshort 1 Device independent bitmap graphic!:mime image/bmp!:apple ????BMPp!:ext dib>>4 lelong x \b, %d x>>8 lelong x %d x>>14 leshort x %d# number of color planes (must be 1) #>>12 uleshort >1 \b, %u color planes# compression method: 0~no 1~RLE 8-bit/pixel 3~Huffman 1D#>>16 ulelong 3 \b, Huffman 1D compression>>16 ulelong >0 \b, %u compression# image size is the size of raw bitmap; a dummy 0 can be given for BI_RGB bitmaps>>20 ulelong x \b, image size %u# horizontal and vertical resolution of the image (pixel per metre, signed integer) >>24 lelong >0 \b, resolution %d x>>>28 lelong x %d px/m# number of colors in palette, or 0 to default to 2**n#>>32 ulelong >0 \b, %u colors# number of important colors used, or 0 when every color is important>>36 ulelong >0 \b, %u important colors0 string BM>14 leshort 12 PC bitmap, OS/2 1.x format!:mime image/x-ms-bmp>>18 leshort x \b, %d x>>20 leshort x %d>14 leshort 64 PC bitmap, OS/2 2.x format!:mime image/bmp!:apple ????BMPp!:ext bmp# image width and height fields are unsigned integers for OS/2>>18 ulelong x \b, %u x>>22 ulelong x %u# number of bits per pixel (color depth); found 1 4 8>>28 uleshort >1 x %u# x, y coordinates of the hotspot>>6 uleshort >0 \b, hotspot %ux>>>8 uleshort x \b%u>>26 uleshort >1 \b, %u color planes# cbSize; size of file or headers>>2 ulelong x \b, cbSize %u#>>2 ulelong x \b, cbSize 0x%x# offBits; offset to bitmap data like 56h 5Eh 8Eh 43Eh>>10 ulelong x \b, bits offset %u#>>10 ulelong x \b, bits offset 0x%x#>>(10.l) ubequad !0 \b, bits 0x%16.16llx# BITMAPV2INFOHEADER adds RGB bit masks>14 leshort 52 PC bitmap, Adobe Photoshop!:mime image/bmp!:apple ????BMPp!:ext 
bmp>>18 lelong x \b, %d x>>22 lelong x %d x>>28 leshort x %d# BITMAPV3INFOHEADER adds alpha channel bit mask>14 leshort 56 PC bitmap, Adobe Photoshop with alpha channel mask!:mime image/bmp!:apple ????BMPp!:ext bmp>>18 lelong x \b, %d x>>22 lelong x %d x>>28 leshort x %d>14 leshort 40# jump 4 bytes before end of file/header to skip fmt-116-signature-id-118.dib>>(2.l-4) ulong x PC bitmap, Windows 3.x format!:mime image/bmp!:apple ????BMPp>>>18 lelong x \b, %d x>>>22 lelong x %d# 320 x 400 https://en.wikipedia.org/wiki/LOGO.SYS>>>18 ulequad =0x0000019000000140 x!:ext bmp/sys>>>18 ulequad !0x0000019000000140# compression method 2~RLE 4-bit/pixel implies also extension rle>>>>30 ulelong 2 x!:ext bmp/rle>>>>30 default x x!:ext bmp# number of bits per pixel (color depth); found 1 2 4 8 16 24 32>>>28 leshort x %d# x, y coordinates of the hotspot; there is no hotspot in bitmaps, so values 0#>>>6 uleshort >0 \b, hotspot %ux