# Magic data for file(1) command. # Format is described in magic(files), where: # files is 5 on V7 and BSD, 4 on SV, and ?? on SVID. # Don't edit this file, edit /etc/magic or send your magic improvements # to the maintainers, at file@astron.com #------------------------------------------------------------------------------ # Localstuff: file(1) magic for locally observed files # # $File: Localstuff,v 1.5 2007/01/12 17:38:27 christos Exp $ # Add any locally observed files here. Remember: # text if readable, executable if runnable binary, data if unreadable. #------------------------------------------------------------------------------ # $File: acorn,v 1.8 2021/04/26 15:56:00 christos Exp $ # acorn: file(1) magic for files found on Acorn systems # # RISC OS Chunk File Format # From RISC OS Programmer's Reference Manual, Appendix D # We guess the file type from the type of the first chunk. 0 lelong 0xc3cbc6c5 RISC OS Chunk data >12 string OBJ_ \b, AOF object >12 string LIB_ \b, ALF library # RISC OS AIF, contains "SWI OS_Exit" at offset 16. 16 lelong 0xef000011 RISC OS AIF executable # RISC OS Draw files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Draw RISC OS Draw file data # RISC OS new format font files # From RISC OS Programmer's Reference Manual, Appendix E 0 string FONT\0 RISC OS outline font data, >5 byte x version %d 0 string FONT\1 RISC OS 1bpp font data, >5 byte x version %d 0 string FONT\4 RISC OS 4bpp font data >5 byte x version %d # RISC OS Music files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Maestro\r RISC OS music file >8 byte x version %d >8 byte x type %d # Digital Symphony data files # From: Bernard Jungen (bern8817@euphonynet.be) 0 string \x02\x01\x13\x13\x13\x01\x0d\x10 Digital Symphony sound sample (RISC OS), >8 byte x version %d, >9 pstring x named "%s", >(9.b+19) byte =0 8-bit logarithmic >(9.b+19) byte =1 LZW-compressed linear >(9.b+19) byte =2 8-bit linear signed >(9.b+19) byte =3 16-bit linear signed >(9.b+19) byte =4 SigmaDelta-compressed linear >(9.b+19) byte =5 SigmaDelta-compressed logarithmic >(9.b+19) byte >5 unknown format 0 string \x02\x01\x13\x13\x14\x12\x01\x0b Digital Symphony song (RISC OS), >8 byte x version %d, >9 byte =1 1 voice, >9 byte !1 %d voices, >10 leshort =1 1 track, >10 leshort !1 %d tracks, >12 leshort =1 1 pattern >12 leshort !1 %d patterns 0 string \x02\x01\x13\x13\x10\x14\x12\x0e >9 byte =0 Digital Symphony sequence (RISC OS), >>8 byte x version %d, >>10 byte =1 1 line, >>10 byte !1 %d lines, >>11 leshort =1 1 position >>11 leshort !1 %d positions >9 byte =1 Digital Symphony pattern data (RISC OS), >>8 byte x version %d, >>10 leshort =1 1 pattern >>10 leshort !1 %d patterns # From: Joerg Jenderek # URL: https://www.kyzer.me.uk/pack/xad/#PackDir # reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c # GRR: line below is too general as it matches also "Git pack" in ./revision 0 string PACK\0 # check for valid compression method 0-4 >5 ulelong <5 # https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems # To skip "Git pack" version 0 test for root directory object like # ADFS::RPC.$.websitezip.FONTFIX >>9 string >ADFS\ PackDir archive (RISC OS) # TrID labels above as "Acorn PackDir compressed Archive" # compression mode y (0 - 4) for GIF LZW with a maximum n bits # (y~n,0~12,1~13,2~14,3~15,4~16) >>>5 ulelong+12 x \b, LZW %u-bits compression # https://www.filebase.org.uk/filetypes # !Packdir compressed archive has three hexadecimal digits code 68E !:mime application/x-acorn-68E !:ext pkd/bin # null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo >>>9 string x \b, root "%s" # load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time >>>>&1 ulelong x \b, load address %#x # execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC >>>>&5 ulelong x \b, exec address %#x # attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) >>>>&9 ulelong x \b, attributes %#x # number of entries in this directory. for root dir 0 #>>>&13 ulelong x \b, entries %#x # the entries start here with object name >>>>&17 string x \b, 1st object "%s" #------------------------------------------------------------------------------ # $File: adi,v 1.4 2009/09/19 16:28:07 christos Exp $ # adi: file(1) magic for ADi's objects # From Gregory McGarry # 0 leshort 0x521c COFF DSP21k >18 lelong &02 executable, >18 lelong ^02 >>18 lelong &01 static object, >>18 lelong ^01 relocatable object, >18 lelong &010 stripped >18 lelong ^010 not stripped #------------------------------------------------------------------------------ # $File: adventure,v 1.18 2019/04/19 00:42:27 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin # Edited by Dave Chapeskie Jun 28, 1998 # Edited by Chris Chittleborough , March 2002 # # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. 0 beshort 0x0206 ALAN game data >2 byte <10 version 2.6%d # Infocom (see z-machine) #------------------------------------------------------------------------------ # Z-machine: file(1) magic for Z-machine binaries. # Sanity checks by David Griffith # Updated by Adam Buchbinder # #http://www.gnelson.demon.co.uk/zspec/sect11.html #https://www.jczorkmid.net/~jpenney/ZSpec11-latest.txt #https://en.wikipedia.org/wiki/Z-machine # The first byte is the Z-machine revision; it is always between 1 and 8. We # had false matches (for instance, inbig5.ocp from the Omega TeX extension as # well as an occasional MP3 file), so we sanity-check the version number. # # It might be possible to sanity-check the release number as well, as it seems # (at least in classic Infocom games) to always be a relatively small number, # always under 150 or so, but as this isn't rigorous, we'll wait on that until # it becomes clear that it's needed. # 0 ubyte >0 >0 ubyte <9 >>16 belong&0xfe00f0f0 0x3030 >>>0 ubyte < 10 >>>>2 ubeshort x >>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9] >>>>>>0 ubyte < 10 Infocom (Z-machine %d >>>>>>>2 ubeshort x \b, Release %d >>>>>>>>18 string >\0 \b, Serial %.6s >>>>>>>>18 string x \b) !:strength + 40 !:mime application/x-zmachine #------------------------------------------------------------------------------ # Glulx: file(1) magic for Glulx binaries. # # David Griffith # I haven't checked for false matches yet. # 0 string Glul Glulx game data >4 beshort x (Version %d >>6 byte x \b.%d >>8 byte x \b.%d) >36 string Info Compiled by Inform !:mime application/x-glulx # For Quetzal and blorb magic see iff # TADS (Text Adventure Development System) version 2 # All files are machine-independent (games compile to byte-code) and are tagged # with a version string of the form "V2..\0". # Game files start with "TADS2 bin\n\r\032\0" then the compiler version. 0 string TADS2\ bin TADS >9 belong !0x0A0D1A00 game data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s game data !:mime application/x-tads # Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version. 0 string TADS2\ rsc TADS >9 belong !0x0A0D1A00 resource data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s resource data !:mime application/x-tads # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), # "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 >>(16.s+32) string >\0 %s saved game data !:mime application/x-tads # Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter # version. 0 string TADS2\ save TADS >10 belong !0x0A0D1A00 saved game data, CORRUPTED >10 belong 0x0A0D1A00 >>14 string >\0 %s saved game data !:mime application/x-tads # TADS (Text Adventure Development System) version 3 # Game files start with "T3-image\015\012\032" 0 string T3-image\015\012\032 >11 leshort x TADS 3 game data (format version %d) # Saved game files start with "T3-state-v####\015\012\032" # where #### is a format version number 0 string T3-state-v >14 string \015\012\032 TADS 3 saved game data (format version >>10 byte x %c >>11 byte x \b%c >>12 byte x \b%c >>13 byte x \b%c) !:mime application/x-t3vm-image # edited by David Griffith # Danny Milosavljevic # These are ADRIFT (adventure game standard) game files, extension .taf # Checked from source at (http://www.adrift.co/) and various taf files # found at the Interactive Fiction Archive (https://ifarchive.org/) 0 belong 0x3C423FC9 >4 belong 0x6A87C2CF Adrift game file version >>8 belong 0x94453661 3.80 >>8 belong 0x94453761 3.90 >>8 belong 0x93453E61 4.0 >>8 belong 0x92453E61 5.0 >>8 default x unknown !:mime application/x-adrift #------------------------------------------------------------------------------ # $File: aes,v 1.1 2020/08/18 21:20:22 christos Exp $ # # aes: magic file for AES encrypted files # Summary: AES Crypt Encrypted Data File # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard # Reference: https://www.aescrypt.com/aes_file_format.html 0 string AES >3 ubyte <3 AES encrypted data, version %u #!:mime application/aes !:mime application/x-aes-encrypted !:ext aes # For Version 2 the encrypted file can have text tags >>3 ubyte =2 # length of an extension identifier and contents like: 0 24 33 38 #>>5 ubeshort x \b, tag length %u #>>5 pstring/H x '%s' # standard extension tags like CREATED_BY >>>7 string CREATED_BY \b, created by # software product, manufacturer like "SharpAESCrypt v1.3.3.0" "aescrypt (Windows GUI) 3.10" ... >>>>&1 string x "%s" # TODO: more other tags # tag CREATED_DATE like YYYY-MM-DD # tag CREATED_TIME like HH:MM:SS # #------------------------------------------------------------------------------ # $File: algol68,v 1.4 2021/08/15 06:00:55 christos Exp $ # algol68: file(1) magic for Algol 68 source # # URL: https://en.wikipedia.org/wiki/ALGOL_68 # Reference: http://www.softwarepreservation.org/projects/ALGOL/report/Algol68_revised_report-AB.pdf # Update: Joerg Jenderek 0 search/8192 (input, >0 use algol_68 # graph_2d.a68 0 regex/4006 \^PROC #>&-4 string x \b, dBase or Algol "%s" # most xBase scripts *.prg with PROCEDURE like: Areacode BarCount Def_mens Vendors #>&-4 string =PROCEDURE \b, dBase PROCEDURE # skip xBase program scripts *.prg with PROCEDURE keyword # keyword proc probably followed by white space used to specify algol procedures >&-4 string !PROCEDURE >>0 use algol_68 0 regex/1024 \bMODE[\t\ ] >0 use algol_68 0 regex/1024 \bMODE[\t\ ] >0 use algol_68 0 regex/1024 \bREF[\t\ ] >0 use algol_68 0 regex/1024 \bFLEX[\t\ ]\*\\[ >0 use algol_68 # display information like mime type and file name extension of Algol 68 source text 0 name algol_68 Algol 68 source text !:mime text/x-Algol68 # https://file-extension.net/seeker/file_extension_a68 !:ext a68 #!:ext a68/alg #0 regex [\t\ ]OD Algol 68 source text #>0 use algol_68 #!:mime text/x-Algol68 #0 regex [\t\ ]FI Algol 68 source text #>0 use algol_68 #!:mime text/x-Algol68 #------------------------------------------------------------------------------ # $File: allegro,v 1.4 2009/09/19 16:28:07 christos Exp $ # allegro: file(1) magic for Allegro datafiles # Toby Deshane # 0 belong 0x736C6821 Allegro datafile (packed) 0 belong 0x736C682E Allegro datafile (not packed/autodetect) 0 belong 0x736C682B Allegro datafile (appended exe data) #------------------------------------------------------------------------------ # $File: alliant,v 1.7 2009/09/19 16:28:07 christos Exp $ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived # instruction set, the "short" should probably become "beshort" and the # "long" should probably become "belong". # If it's the i860-based one, they should probably become either the # big-endian or little-endian versions, depending on the mode they ran # the 860 in.... # 0 short 0420 0420 Alliant virtual executable >2 short &0x0020 common library >16 long >0 not stripped 0 short 0421 0421 Alliant compact executable >2 short &0x0020 common library >16 long >0 not stripped #------------------------------------------------------------------------------ # $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $ # amanda: file(1) magic for amanda file format # 0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s >>23 string >\ DATE %s >8 string FILE\ dump file, >>13 string >\ DATE %s #------------------------------------------------------------------------------ # $File: amigaos,v 1.20 2021/09/20 00:42:19 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # # From ignatios@cs.uni-bonn.de (Ignatios Souvatzis) # 0 belong 0x000003fa AmigaOS shared library 0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary 0 belong 0x000003e7 AmigaOS object/library data # 0 beshort 0xe310 Amiga Workbench >2 beshort 1 >>48 byte 1 disk icon >>48 byte 2 drawer icon >>48 byte 3 tool icon >>48 byte 4 project icon >>48 byte 5 garbage icon >>48 byte 6 device icon >>48 byte 7 kickstart icon >>48 byte 8 workbench application icon >2 beshort >1 icon, vers. %d # # various sound formats from the Amiga # G=F6tz Waschk # 0 string FC14 Future Composer 1.4 Module sound file 0 string SMOD Future Composer 1.3 Module sound file 0 string AON4artofnoise Art Of Noise Module sound file 1 string MUGICIAN/SOFTEYES Mugician Module sound file 58 string SIDMON\ II\ -\ THE Sidmon 2.0 Module sound file 0 string Synth4.0 Synthesis Module sound file 0 string ARP. The Holy Noise Module sound file 0 string BeEp\0 JamCracker Module sound file 0 string COSO\0 Hippel-COSO Module sound file # Too simple (short, pure ASCII, deep), MPi #26 string V.3 Brian Postma's Soundmon Module sound file v3 #26 string BPSM Brian Postma's Soundmon Module sound file v3 #26 string V.2 Brian Postma's Soundmon Module sound file v2 # The following are from: "Stefan A. Haubenthal" # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Amiga_bitmap_font # Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/font-amiga.trid.xml # https://wiki.amigaos.net/wiki/Graphics_Library_and_Text # fch_FileID=FCH_ID=0x0f00 0 beshort 0x0f00 # skip some AVM powerline firmware images by check for positive number of font elements # https://download.avm.de/fritzpowerline/fritzpowerline-1000e-t/other/fritz.os/fritz.powerline_1000ET_01_05.image >2 ubeshort >0 AmigaOS bitmap font #!:mime application/octet-stream !:mime font/x-amiga-font !:ext font # struct FontContents fch_FC; 1st fc_FileName [MAXFONTPATH=256]; ~ filename "/" fc_YSize # like: topazb/6 suits/8 Excel/9e emerald/17 Franklin/23 DIAMONDS/60.8C >>4 string x "%.256s" # fc_YSize ~number after slash in fc_FileName; like: 6 7 8 9 11 12 16 17 21 23 45 60 >>260 beshort x \b, fc_YSize %u # fch_NumEntries; number of FontContents elements like: # 1 (often) 2 3 (IconCondensed.font tempfont.font) 4 (Franklin.font) 6 (mcoop.font) >>2 ubeshort >1 \b, %u elements #>>2 beshort x \b, %u element # plural s #>>2 beshort !1 \bs # like: 6 7 8 9 11 12 16 17 21 23 45 60 #>>262 beshort x \b, FLAGS_STYLE >>2 beshort >1 \b, 2nd # 2nd fc_FileName like: Franklin/36 >>>264 string x "%.256s" >>2 beshort >2 \b, 3rd # 3rd fc_FileName like: Franklin/18 >>>524 string x "%.256s" # URL: http://fileformats.archiveteam.org/wiki/Amiga_bitmap_font # Reference: https://wiki.amigaos.net/wiki/Graphics_Library_and_Text # http://mark0.net/download/triddefs_xml.7z/defs/f/font-amiga-var2.trid.xml # Note: called by TrID "Amiga bitmap Font (var.2)" # fch_FileID=TFCH_ID=0x0f02 0 beshort 0x0f02 # skip possible misidentified foo by check for positive number of font elements >2 ubeshort >0 AmigaOS bitmap font (TFCH) #!:mime application/octet-stream !:mime font/x-amiga-font !:ext font # struct TFontContents fch_TFC[]; 1st tfc_FileName [254]; ~ filename "/" fc_YSize # like: Abbey/45 XScript/75 XTriumvirate/45 >>4 string x "%.254s" # tfc_TagCount; including the TAG_END tag like: 4 >>258 ubeshort x \b, tfc_TagCount %u # tfc_YSize ~number after slash in tfc_FileName; like: 45 75 >>260 beshort x \b, tfc_YSize %u # tfc_Style; tfc_Flags like: 8022h 8222h #>>262 ubeshort x \b, FLAGS_STYLE %#x # fch_NumEntries; number of FontContents elements like: 1 (abbey.font) 2 (xscript.font xtriumvirate.font) >>2 ubeshort >1 \b, %u elements >>2 beshort >1 \b, 2nd # 2nd tfc_FileName like: XScript/45 XTriumvirate/30 >>>264 string x "%.254s" 0 beshort 0x0f03 AmigaOS outline font 0 belong 0x80001001 AmigaOS outline tag 0 string ##\ version catalog translation 0 string EMOD\0 Amiga E module 8 string ECXM\0 ECX module 0 string/c @database AmigaGuide file # Amiga disk types # display information like volume name of root block on Amiga (floppy) disk 0 name adf-rootblock # block primary type = T_HEADER (value 2) >0x000 ubelong !2 \b, type %u # header_key; unused in rootblock (value 0) >0x004 ubelong !0 \b, header_key %u # high_seq; unused (value 0) >0x008 ubelong !0 \b, high_seq %u # ht_size; hash table size; 0x48 for flopies >0x00c ubelong !0x48 \b, hash table size %#x # bm_flag; bitmap flag, -1 means VALID >0x138 belong !-1 \b, bitmap flag %#x # bm_ext; first bitmap extension block (Hard disks only) >0x1A0 ubelong !0 \b, bitmap extension block %#x # name_len; volume name length; diskname[30]; volume name >0x1B0 pstring >\0 \b, "%s" # first directory cache block for FFS; otherwise 0 >0x1F8 ubelong !0 \b, directory cache block %#x # block secondary type = ST_ROOT (value 1) >0x1FC ubelong !1 \b, sec_type %#x # 0 string RDSK Rigid Disk Block >160 string x on %.24s # URL: http://fileformats.archiveteam.org/wiki/ADF_(Amiga) # https://en.wikipedia.org/wiki/Amiga_Fast_File_System # Reference: http://lclevy.free.fr/adflib/adf_info.html # Update: Joerg Jenderek # Note: created by ADFOpus.exe # and verified by `unadf -l TURBO_SILVER_SV.ADF` 0 string DOS # skip DOS Client Message Files like IPXODI.MSG DOSRQSTR.MSG >3 ubyte <8 Amiga # https://reposcope.com/mimetype/application/x-amiga-disk-format !:mime application/x-amiga-disk-format !:ext adf >>3 ubyte 0 DOS disk >>3 ubyte 1 FFS disk >>3 ubyte 2 Inter DOS disk >>3 ubyte 3 Inter FFS disk # For Fastdir mode the international mode is also enabled, >>3 ubyte 4 Fastdir DOS disk >>3 ubyte 5 Fastdir FFS dis # called by TrID "Amiga Disk image File (OFS+INTL+DIRC)" >>3 ubyte 6 Inter Fastdir DOS disk # called by TrID "Amiga Disk image File (FFS+INTL+DIRC)" >>3 ubyte 7 Inter Fastdir FFS disk # but according to Wikipedia variants with long name support #>>3 ubyte 6 long name DOS disk #>>3 ubyte 7 long name FFS disk # DOES NOT only work! Partly for file size ~< FILE_BYTES_MAX=1 MiB defined in ../../src/file.h #>>-0 offset x \b, %lld bytes # Correct file size, but next lines are NOT executed #>>-0 offset 901120 (DD 880 KiB floppy) # 880 KiB Double Density floppy disk by characteristic hash table size 0x48 and T_HEADER=2 >>0x6E00C ubelong 0x48 >>>0x6E000 ubelong 2 (DD 880 KiB) # 1760 KiB High Density floppy disk (1802240 bytes) by characteristic hash table size 0x48 >>0xDC00C ubelong 0x48 >>>0xDC000 ubelong 2 (HD 1760 KiB) # Chksum; special block checksum like: 0 0x44ccf4c0 0x51f32cac 0xe33d0e7d ... #>>4 ubelong x \b, CRC %#x # Rootblock: 0 880 (often for DD and HD) 1146049280 (IMAGINE_1_0_DISK_01.ADF TURBO_SILVER_SV.ADF) >>8 ubelong >0 \b, probably root block %d # bootblock code >>12 quad !0 \b, bootable # assembler instructions: lea exp(pc),a1; moveq 25h,d0; jsr -552(a6) >>>12 ubequad =0x43fa003e70254eae AmigaDOS 3.0 >>>12 default x >>>>12 ubequad !0x43fa003e70254eae %#llx.. # 880 KiB Double Density floppy disk (901120 bytes) >>0x6E00C ubelong 0x48 >>>0x6E000 ubelong 2 >>>>0x6E000 use adf-rootblock # 1760 KiB High Density floppy disk (1802240 bytes) >>0xDC00C ubelong 0x48 >>>0xDC000 ubelong 2 >>>>0xDC000 use adf-rootblock # 1 MiB hard disc by test for T_HEADER=2 and header_key=0=high_seq >>0x80000 ubelong 2 >>>0x80004 quad 0 >>>>0x80000 use adf-rootblock # 2 MiB hard disc; only works if in ../../src/file.h FILE_BYTES_MAX is raised to 2 MiB #>>0x100000 ubelong x 2 MiB TEST #>>0x100000 ubelong 2 \b, 2 MiB hard disc rootblock #>>>0x100000 use adf-rootblock 0 string KICK Kickstart disk # From: Alex Beregszaszi 0 string LZX LZX compressed archive (Amiga) # From: Przemek Kramarczyk 0 string .KEY AmigaDOS script 0 string .key AmigaDOS script # AMOS Basic file formats # https://www.exotica.org.uk/wiki/AMOS_file_formats 0 string AMOS\040Basic\040 AMOS Basic source code >11 byte =0x56 \b, tested >11 byte =0x76 \b, untested 0 string AMOS\040Pro AMOS Basic source code >11 byte =0x56 \b, tested >11 byte =0x76 \b, untested 0 string AmSp AMOS Basic sprite bank >4 beshort x \b, %d sprites 0 string AmIc AMOS Basic icon bank >4 beshort x \b, %d icons 0 string AmBk AMOS Basic memory bank >4 beshort x \b, bank number %d >8 belong&0xFFFFFFF x \b, length %d >12 regex .{8} \b, type %s 0 string AmBs AMOS Basic memory banks >4 beshort x \b, %d banks #------------------------------------------------------------ # $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $ # Various android related magic entries #------------------------------------------------------------ # Dalvik .dex format. http://retrodev.com/android/dexformat.html # From "Mike Fleming" # Fixed to avoid regexec 17 errors on some dex files # From "Tim Strazzere" 0 string dex\n >0 regex dex\n[0-9]{2}\0 Dalvik dex file >4 string >000 version %s 0 string dey\n >0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) >4 string >000 version %s # Android bootimg format # From https://android.googlesource.com/\ # platform/system/core/+/master/mkbootimg/bootimg.h # https://github.com/djrbliss/loki/blob/master/loki.h#L43 0 string ANDROID! Android bootimg >1024 string LOKI \b, LOKI'd >>1028 lelong 0 \b (boot) >>1028 lelong 1 \b (recovery) >8 lelong >0 \b, kernel >>12 lelong >0 \b (%#x) >16 lelong >0 \b, ramdisk >>20 lelong >0 \b (%#x) >24 lelong >0 \b, second stage >>28 lelong >0 \b (%#x) >36 lelong >0 \b, page size: %d >38 string >0 \b, name: %s >64 string >0 \b, cmdline (%s) # Android Backup archive # From: Ariel Shkedi # Update: Joerg Jenderek # URL: https://github.com/android/platform_frameworks_base/blob/\ # 0bacfd2ba68d21a68a3df345b830bc2a1e515b5a/services/java/com/\ # android/server/BackupManagerService.java#L2367 # Reference: https://sourceforge.net/projects/adbextractor/ # android-backup-extractor/perl/backupencrypt.pl # Note: only unix line feeds "\n" found # After the header comes a tar file # If compressed, the entire tar file is compressed with JAVA deflate # # Include the version number hardcoded with the magic string to avoid # false positives 0 string/b ANDROID\ BACKUP\n Android Backup # maybe look for some more characteristics like linefeed '\n' or version #>16 string \n # No mime-type defined officially !:mime application/x-google-ab !:ext ab # on 2nd line version (often 1, 2 on kitkat 4.4.3+, 4 on 7.1.2) >15 string >\0 \b, version %s # "1" on 3rd line means compressed >17 string 0\n \b, Not-Compressed >17 string 1\n \b, Compressed # The 4th line is encryption "none" or "AES-256" # any string as long as it's not the word none (which is matched below) >19 string none\n \b, Not-Encrypted # look for backup content after line with encryption info #>>19 search/7 \n # data part after header for not encrypted Android Backup #>>>&0 ubequad x \b, content %#16.16llx... # look for zlib compressed by ./compress after message with 1 space at end #>>>&0 indirect x \b; contains # look for tar archive block by ./archive for package name manifest >>288 string ustar \b; contains >>>31 use tar-file # look for zip/jar archive by ./archive ./zip after message with 1 space at end #>>2079 search/1025/s PK\003\004 \b; contains #>>>&0 indirect x >19 string !none >>19 regex/1l \^([^n\n]|n[^o]|no[^n]|non[^e]|none.+).* \b, Encrypted (%s) # Commented out because they don't seem useful to print # (but they are part of the header - the tar file comes after them): # The 5th line is User Password Salt (128 Hex) # string length too high with standard src configuration #>>>&1 string >\0 \b, PASSWORD salt: "%-128.128s" #>>>&1 regex/1l .* \b, Password salt: %s # The 6th line is Master Key Checksum Salt (128 Hex) #>>>>&1 regex/1l .* \b, Master salt: %s # The 7th line is Number of PBDKF2 Rounds (10000) #>>>>>&1 regex/1l .* \b, PBKDF2 rounds: %s # The 8th line is User key Initialization Vector (IV) (32 Hex) #>>>>>>&1 regex/1l .* \b, IV: %s #>>>>>>&1 regex/1l .* \b, IV: %s # The 9th line is Master IV+Key+Checksum (192 Hex) #>>>>>>>&1 regex/1l .* \b, Key: %s # look for new line separator char after line number 9 #>>>0x204 ubyte 0x0a NL found #>>>>&1 ubequad x \b, Content magic %16.16llx # *.pit files by Joerg Jenderek # https://forum.xda-developers.com/showthread.php?p=9122369 # https://forum.xda-developers.com/showthread.php?t=816449 # Partition Information Table for Samsung's smartphone with Android # used by flash software Odin 0 ulelong 0x12349876 # 1st pit entry marker >0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # minimal 13 and maximal 18 PIT entries found >>4 ulelong <128 Partition Information Table for Samsung smartphone >>>4 ulelong x \b, %d entries # 1. pit entry >>>4 ulelong >0 \b; #1 >>>0x01C use PIT-entry >>>4 ulelong >1 \b; #2 >>>0x0A0 use PIT-entry >>>4 ulelong >2 \b; #3 >>>0x124 use PIT-entry >>>4 ulelong >3 \b; #4 >>>0x1A8 use PIT-entry >>>4 ulelong >4 \b; #5 >>>0x22C use PIT-entry >>>4 ulelong >5 \b; #6 >>>0x2B0 use PIT-entry >>>4 ulelong >6 \b; #7 >>>0x334 use PIT-entry >>>4 ulelong >7 \b; #8 >>>0x3B8 use PIT-entry >>>4 ulelong >8 \b; #9 >>>0x43C use PIT-entry >>>4 ulelong >9 \b; #10 >>>0x4C0 use PIT-entry >>>4 ulelong >10 \b; #11 >>>0x544 use PIT-entry >>>4 ulelong >11 \b; #12 >>>0x5C8 use PIT-entry >>>4 ulelong >12 \b; #13 >>>>0x64C use PIT-entry # 14. pit entry >>>4 ulelong >13 \b; #14 >>>>0x6D0 use PIT-entry >>>4 ulelong >14 \b; #15 >>>0x754 use PIT-entry >>>4 ulelong >15 \b; #16 >>>0x7D8 use PIT-entry >>>4 ulelong >16 \b; #17 >>>0x85C use PIT-entry # 18. pit entry >>>4 ulelong >17 \b; #18 >>>0x8E0 use PIT-entry 0 name PIT-entry # garbage value implies end of pit entries >0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # skip empty partition name >>0x24 ubyte !0 # partition name >>>0x24 string >\0 %-.32s # flags >>>0x0C ulelong&0x00000002 2 \b+RW # partition ID: # 0~IPL,MOVINAND,GANG;1~PIT,GPT;2~HIDDEN;3~SBL,HIDDEN;4~SBL2,HIDDEN;5~BOOT;6~kernel,RECOVER,misc;7~RECOVER # ;11~MODEM;20~efs;21~PARAM;22~FACTORY,SYSTEM;23~DBDATAFS,USERDATA;24~CACHE;80~BOOTLOADER;81~TZSW >>>0x08 ulelong x (%#x) # filename >>>0x44 string >\0 "%-.64s" #>>>0x18 ulelong >0 # blocksize in 512 byte units ? #>>>>0x18 ulelong x \b, %db # partition size in blocks ? #>>>>0x22 ulelong x \b*%d # Android sparse img format # From https://android.googlesource.com/\ # platform/system/core/+/master/libsparse/sparse_format.h 0 lelong 0xed26ff3a Android sparse image >4 leshort x \b, version: %d >6 leshort x \b.%d >16 lelong x \b, Total of %d >12 lelong x \b %d-byte output blocks in >20 lelong x \b %d input chunks. # Android binary XML magic # In include/androidfw/ResourceTypes.h: # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). 0 lelong 0x00080003 Android binary XML # Android cryptfs footer # From https://android.googlesource.com/\ # platform/system/vold/+/refs/heads/master/cryptfs.h 0 lelong 0xd0b5b1c4 Android cryptfs footer >4 leshort x \b, version: %d >6 leshort x \b.%d # Android Vdex format # From https://android.googlesource.com/\ # platform/art/+/master/runtime/vdex_file.h 0 string vdex Android vdex file, >4 string >000 verifier deps version: %s, >8 string >000 dex section version: %s, >12 lelong >0 number of dex files: %d, >16 lelong >0 verifier deps size: %d # Android Vdex format, dexfile is currently being updated # by android system # From https://android.googlesource.com/\ # platform/art/+/master/dex2oat/dex2oat.cc 0 string wdex Android vdex file, being processed by dex2oat, >4 string >000 verifier deps version: %s, >8 string >000 dex section version: %s, >12 lelong >0 number of dex files: %d, >16 lelong >0 verifier deps size: %d #------------------------------------------------------------------------------ # $File: animation,v 1.90 2022/08/16 11:16:39 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats # MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) # FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) # SGI and Apple formats 0 string MOVI Silicon Graphics movie file !:mime video/x-sgi-movie 4 string moov Apple QuickTime !:mime video/quicktime >12 string mvhd \b movie (fast start) >12 string mdra \b URL >12 string cmov \b movie (fast start, compressed header) >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime #4 string wide Apple QuickTime movie (unoptimized) #!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) #!:mime video/quicktime 4 string idsc Apple QuickTime image (fast start) !:mime image/x-quicktime #4 string idat Apple QuickTime image (unoptimized) #!:mime image/x-quicktime 4 string pckg Apple QuickTime compressed archive !:mime application/x-quicktime-player #### MP4 #### # https://www.ftyps.com/ with local additions # https://cconcolato.github.io/mp4ra/filetype.html 4 string ftyp ISO Media # https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec >>96 string x \b, Audio "%.4s" >>118 beshort x at %dHz >>140 string x \b, Video "%.4s" >>168 beshort x %d >>170 beshort x \bx%d >8 string 3g2 \b, MPEG v4 system, 3GPP2 !:mime video/3gpp2 >>11 byte 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) # https://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf # Section 8.1.1, corresponds to a, b, c >>11 byte 0x61 \b C.S0050-0 V1.0 >>11 byte 0x62 \b C.S0050-0-A V1.0.0 >>11 byte 0x63 \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release %d MBMS Extended Presentations >>11 byte 7 \b, Release %d MBMS Extended Presentations >>11 byte 9 \b, Release %d MBMS Extended Presentations >8 string 3gf \b, MPEG v4 system, 3GPP >>11 byte 9 \b, Release %d File-delivery profile >8 string 3gg \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release %d General Profile >>11 byte 9 \b, Release %d General Profile >8 string 3gh \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 9 \b, Release %d Adaptive Streaming Profile >8 string 3gm \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 9 \b, Release %d Media Segment Profile >8 string 3gp \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 1 \b, Release %d (non existent) >>11 byte 2 \b, Release %d (non existent) >>11 byte 3 \b, Release %d (non existent) >>11 byte 4 \b, Release %d >>11 byte 5 \b, Release %d >>11 byte 6 \b, Release %d >>11 byte 7 \b, Release %d Streaming Servers >8 string 3gr \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release %d Progressive Download Profile >>11 byte 9 \b, Release %d Progressive Download Profile >8 string 3gs \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release %d Streaming Servers >>11 byte 7 \b, Release %d Streaming Servers >>11 byte 9 \b, Release %d Streaming Servers >8 string 3gt \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 8 \b, Release %d Media Stream Recording Profile >>11 byte 9 \b, Release %d Media Stream Recording Profile >8 string ARRI \b, MPEG v4 system, ARRI Digital Camera !:mime video/mp4 >8 string avc1 \b, MPEG v4 system, 3GPP JVT AVC [ISO 14496-12:2005] !:mime video/mp4 >8 string bbxm \b, Blinkbox Master File: H.264 video/16-bit LE LPCM audio !:mime video/mp4 >8 string/W qt \b, Apple QuickTime movie !:mime video/quicktime >8 string CAEP \b, Canon Digital Camera >8 string caqv \b, Casio Digital Camera >8 string CDes \b, Convergent Design >8 string caaa \b, CMAF Media Profile - AAC Adaptive Audio >8 string caac \b, CMAF Media Profile - AAC Core >8 string caqv \b, Casio Digital Camera Casio >8 string ccea \b, CMAF Supplemental Data - CEA-608/708 >8 string ccff \b, Common container file format >8 string cfhd \b, CMAF Media Profile - AVC HD >8 string cfsd \b, CMAF Media Profile - AVC SD >8 string chd1 \b, CMAF Media Profile - HEVC HDR10 >8 string chdf \b, CMAF Media Profile - AVC HDHF >8 string chhd \b, CMAF Media Profile - HEVC HHD8 >8 string chh1 \b, CMAF Media Profile - HEVC HHD10 >8 string clg1 \b, CMAF Media Profile - HEVC HLG10 >8 string cmfc \b, CMAF Track Format >8 string cmff \b, CMAF Fragment Format >8 string cmfl \b, CMAF Chunk Format >8 string cmfs \b, CMAF Segment Format >8 string cud1 \b, CMAF Media Profile - HEVC UHD10 >8 string cud8 \b, CMAF Media Profile - HEVC UHD8 >8 string cwvt \b, CMAF Media Profile - WebVTT >8 string da0a \b, DMB MAF w/ MPEG Layer II aud, MOT slides, DLS, JPG/PNG/MNG >8 string da0b \b, DMB MAF, ext DA0A, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da1a \b, DMB MAF audio with ER-BSAC audio, JPG/PNG/MNG images >8 string da1b \b, DMB MAF, ext da1a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da2a \b, DMB MAF aud w/ HE-AAC v2 aud, MOT slides, DLS, JPG/PNG/MNG >8 string da2b \b, DMB MAF, ext da2a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string da3a \b, DMB MAF aud with HE-AAC aud, JPG/PNG/MNG images >8 string da3b \b, DMB MAF, ext da3a w/ BIFS, 3GPP, DID, TVA, REL, IPMP >8 string dash \b, MPEG v4 system, Dynamic Adaptive Streaming over HTTP !:mime video/mp4 >8 string dby1 \b, MP4 files with Dolby content >8 string dsms \b, Media Segment DASH conformant >8 string dts1 \b, MP4 track file with audio codecs dtsc dtsh or dtse >8 string dts2 \b, MP4 track file with audio codec dtsx >8 string dts3 \b, MP4 track file with audio codec dtsy >8 string dxo$20 \b, DxO ONE camera >8 string dmb1 \b, DMB MAF supporting all the components defined in the spec >8 string dmpf \b, Digital Media Project >8 string drc1 \b, Dirac (wavelet compression), encap in ISO base media (MP4) >8 string dv1a \b, DMB MAF vid w/ AVC vid, ER-BSAC aud, BIFS, JPG/PNG/MNG, TS >8 string dv1b \b, DMB MAF, ext dv1a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string dv2a \b, DMB MAF vid w/ AVC vid, HE-AAC v2 aud, BIFS, JPG/PNG/MNG, TS >8 string dv2b \b, DMB MAF, ext dv2a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string dv3a \b, DMB MAF vid w/ AVC vid, HE-AAC aud, BIFS, JPG/PNG/MNG, TS >8 string dv3b \b, DMB MAF, ext dv3a, with 3GPP timed text, DID, TVA, REL, IPMP >8 string dvr1 \b, DVB (.DVB) over RTP !:mime video/vnd.dvb.file >8 string dvt1 \b, DVB (.DVB) over MPEG-2 Transport Stream >8 string emsg \b, Event message box present !:mime video/vnd.dvb.file >8 string F4V \b, Video for Adobe Flash Player 9+ (.F4V) !:mime video/mp4 >8 string F4P \b, Protected Video for Adobe Flash Player 9+ (.F4P) !:mime video/mp4 >8 string F4A \b, Audio for Adobe Flash Player 9+ (.F4A) !:mime audio/mp4 >8 string F4B \b, Audio Book for Adobe Flash Player 9+ (.F4B) !:mime audio/mp4 >8 string ifrm \b, Apple iFrame Specification, Version 8.1 Jan 2013 >8 string im1i \b, CMAF Media Profile - IMSC1 Image >8 string im1t \b, CMAF Media Profile - IMSC1 Text >8 string isc2 \b, ISMACryp 2.0 Encrypted File # ?/enc-isoff-generic >8 string iso \b, MP4 Base Media !:mime video/mp4 !:ext mp4 >>11 string m v1 [ISO 14496-12:2003] >>11 string 2 v2 [ISO 14496-12:2005] >>11 string 4 v4 >>11 string 5 v5 >>11 string 6 v6 >8 string isml \b, MP4 Base Media v2 [ISO 14496-12:2005] !:mime video/mp4 >8 string J2P0 \b, JPEG2000 Profile 0 >8 string J2P1 \b, JPEG2000 Profile 1 >8 string/W jp2 \b, JPEG 2000 !:mime image/jp2 >8 string JP2 \b, JPEG 2000 Image (.JP2) [ISO 15444-1 ?] !:mime image/jp2 >8 string JP20 \b, Unknown, from GPAC samples (prob non-existent) >8 string jpm \b, JPEG 2000 Compound Image (.JPM) [ISO 15444-6] !:mime image/jpm >8 string jpsi \b, The JPSearch data interchange format >8 string jpx \b, JPEG 2000 w/ extensions (.JPX) [ISO 15444-2] !:mime image/jpx >8 string KDDI \b, 3GPP2 EZmovie for KDDI 3G cellphones !:mime video/3gpp2 >8 string LCAG \b, Leica digital camera >8 string lmsg \b, Last Media Segment indicator for ISO base media file format. >8 string M4A \b, Apple iTunes ALAC/AAC-LC (.M4A) Audio !:mime audio/x-m4a >8 string M4B \b, Apple iTunes ALAC/AAC-LC (.M4B) Audio Book !:mime audio/mp4 >8 string M4P \b, Apple iTunes ALAC/AAC-LC (.M4P) AES Protected Audio !:mime video/mp4 >8 string M4V \b, Apple iTunes Video (.M4V) Video !:mime video/x-m4v >8 string M4VH \b, Apple TV (.M4V) !:mime video/x-m4v >8 string M4VP \b, Apple iPhone (.M4V) !:mime video/x-m4v >8 string mj2s \b, Motion JPEG 2000 [ISO 15444-3] Simple Profile !:mime video/mj2 >8 string mjp2 \b, Motion JPEG 2000 [ISO 15444-3] General Profile >8 string MFSM \b, Media File for Samsung video Metadata >8 string MGSV \b, Sony Home and Mobile Multimedia Platform (HMMP) !:mime video/mj2 >8 string mmp4 \b, MPEG-4/3GPP Mobile Profile (.MP4 / .3GP) (for NTT) !:mime video/mp4 >8 string mobi \b, MPEG-4, MOBI format !:mime video/mp4 >8 string mp21 \b, MPEG-21 [ISO/IEC 21000-9] >8 string mp41 \b, MP4 v1 [ISO 14496-1:ch13] !:mime video/mp4 >8 string mp42 \b, MP4 v2 [ISO 14496-14] !:mime video/mp4 >8 string mp71 \b, MP4 w/ MPEG-7 Metadata [per ISO 14496-12] >8 string mp7t \b, MPEG v4 system, MPEG v7 XML >8 string mp7b \b, MPEG v4 system, MPEG v7 binary XML >8 string mpuf \b, Compliance with the MMT Processing Unit format >8 string msdh \b, Media Segment conforming to ISO base media file format. >8 string msix \b, Media Segment conforming to ISO base media file format. >8 string mmp4 \b, MPEG v4 system, 3GPP Mobile !:mime video/mp4 >8 string MPPI \b, Photo Player, MAF [ISO/IEC 23000-3] >8 string mqt \b, Sony / Mobile QuickTime (.MQV) US Pat 7,477,830 !:mime video/quicktime >8 string MSNV \b, MPEG-4 (.MP4) for SonyPSP !:mime audio/mp4 >8 string NDAS \b, MP4 v2 [ISO 14496-14] Nero Digital AAC Audio !:mime audio/mp4 >8 string NDSC \b, MPEG-4 (.MP4) Nero Cinema Profile !:mime video/mp4 >8 string NDSH \b, MPEG-4 (.MP4) Nero HDTV Profile !:mime video/mp4 >8 string NDSM \b, MPEG-4 (.MP4) Nero Mobile Profile !:mime video/mp4 >8 string NDSP \b, MPEG-4 (.MP4) Nero Portable Profile !:mime video/mp4 >8 string NDSS \b, MPEG-4 (.MP4) Nero Standard Profile !:mime video/mp4 >8 string NDXC \b, H.264/MPEG-4 AVC (.MP4) Nero Cinema Profile !:mime video/mp4 >8 string NDXH \b, H.264/MPEG-4 AVC (.MP4) Nero HDTV Profile !:mime video/mp4 >8 string NDXM \b, H.264/MPEG-4 AVC (.MP4) Nero Mobile Profile !:mime video/mp4 >8 string NDXP \b, H.264/MPEG-4 AVC (.MP4) Nero Portable Profile !:mime video/mp4 >8 string NDXS \b, H.264/MPEG-4 AVC (.MP4) Nero Standard Profile >8 string niko \b, Nikon Digital Camera !:mime video/mp4 >8 string odcf \b, OMA DCF DRM Format 2.0 (OMA-TS-DRM-DCF-V2_0-20060303-A) >8 string opf2 \b, OMA PDCF DRM Format 2.1 (OMA-TS-DRM-DCF-V2_1-20070724-C) >8 string opx2 \b, OMA PDCF DRM + XBS ext (OMA-TS-DRM_XBS-V1_0-20070529-C) >8 string pana \b, Panasonic Digital Camera >8 string piff \b, Protected Interoperable File Format >8 string pnvi ]b, Panasonic Video Intercom >8 string qt \b, Apple QuickTime (.MOV/QT) !:mime video/quicktime # HEIF image format # see https://nokiatech.github.io/heif/technical.html >8 string mif1 \b, HEIF Image !:mime image/heif >8 string msf1 \b, HEIF Image Sequence !:mime image/heif-sequence >8 string heic \b, HEIF Image HEVC Main or Main Still Picture Profile !:mime image/heic >8 string heix \b, HEIF Image HEVC Main 10 Profile !:mime image/heic >8 string hevc \b, HEIF Image Sequenz HEVC Main or Main Still Picture Profile !:mime image/heic-sequence >8 string hevx \b, HEIF Image Sequence HEVC Main 10 Profile !:mime image/heic-sequence # following HEIF brands are not mentioned in the heif technical info currently (Oct 2017) # but used in the reference implementation: # https://github.com/nokiatech/heif/blob/d5e9a21c8ba8df712bdf643021dd9f6518134776/Srcs/reader/hevcimagefilereader.cpp >8 string heim \b, HEIF Image L-HEVC !:mime image/heif >8 string heis \b, HEIF Image L-HEVC !:mime image/heif >8 string avic \b, HEIF Image AVC !:mime image/heif >8 string hevm \b, HEIF Image Sequence L-HEVC !:mime image/heif-sequence >8 string hevs \b, HEIF Image Sequence L-HEVC !:mime image/heif-sequence >8 string avcs \b, HEIF Image Sequence AVC !:mime image/heif-sequence # AVIF image format # see https://aomediacodec.github.io/av1-avif/ >8 string avif \b, AVIF Image !:mime image/avif >8 string avis \b, AVIF Image Sequence !:mime image/avif >8 string risx \b, Representation Index Segment for MPEG-2 TS Segments >8 string ROSS \b, Ross Video >8 string sdv \b, SD Memory Card Video >8 string ssc1 \b, Samsung stereo, single stream (patent pending) >8 string ssc2 \b, Samsung stereo, dual stream (patent pending) >8 string SEAU \b, Sony Home and Mobile Multimedia Platform (HMMP) >8 string SEBK \b, Sony Home and Mobile Multimedia Platform (HMMP) >8 string senv \b, Video contents Sony Entertainment Network >8 string sims \b, Media Segment for Sub-Indexed Media Segment format >8 string sisx \b, Single Index Segment forindex MPEG-2 TS >8 string ssss \b, Subsegment Index Segment used to index MPEG-2 Segments >8 string uvvu \b, UltraViolet file brand for DECE Common Format # MPEG sequences # Scans for all common MPEG header start codes 0 belong 0x00000001 >4 byte&0x1F 0x07 JVT NAL sequence, H.264 video >>5 byte 66 \b, baseline >>5 byte 77 \b, main >>5 byte 88 \b, extended >>7 byte x \b @ L %u 0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence !:mime video/mpeg # http://fileformats.archiveteam.org/wiki/Enhanced_VOB # https://reposcope.com/mimetype/video/mpeg !:ext vob/evo/mpg/mpeg >>4 byte &0x40 \b, v2, program multiplex >>4 byte ^0x40 \b, v1, system multiplex >3 byte 0xBB MPEG sequence, v1/2, multiplex (missing pack header) >3 byte&0x1F 0x07 MPEG sequence, H.264 video >>4 byte 66 \b, baseline >>4 byte 77 \b, main >>4 byte 88 \b, extended >>6 byte x \b @ L %u # GRR too general as it catches also FoxPro Memo example NG.FPT >3 byte 0xB0 MPEG sequence, v4 # TODO: maybe this extra line exclude FoxPro Memo example NG.FPT starting with 000001b0 00000100 00000000 #>>4 byte !0 MPEG sequence, v4 !:mime video/mpeg4-generic >>5 belong 0x000001B5 >>>9 byte &0x80 >>>>10 byte&0xF0 16 \b, video >>>>10 byte&0xF0 32 \b, still texture >>>>10 byte&0xF0 48 \b, mesh >>>>10 byte&0xF0 64 \b, face >>>9 byte&0xF8 8 \b, video >>>9 byte&0xF8 16 \b, still texture >>>9 byte&0xF8 24 \b, mesh >>>9 byte&0xF8 32 \b, face >>4 byte 1 \b, simple @ L1 >>4 byte 2 \b, simple @ L2 >>4 byte 3 \b, simple @ L3 >>4 byte 4 \b, simple @ L0 >>4 byte 17 \b, simple scalable @ L1 >>4 byte 18 \b, simple scalable @ L2 >>4 byte 33 \b, core @ L1 >>4 byte 34 \b, core @ L2 >>4 byte 50 \b, main @ L2 >>4 byte 51 \b, main @ L3 >>4 byte 53 \b, main @ L4 >>4 byte 66 \b, n-bit @ L2 >>4 byte 81 \b, scalable texture @ L1 >>4 byte 97 \b, simple face animation @ L1 >>4 byte 98 \b, simple face animation @ L2 >>4 byte 99 \b, simple face basic animation @ L1 >>4 byte 100 \b, simple face basic animation @ L2 >>4 byte 113 \b, basic animation text @ L1 >>4 byte 114 \b, basic animation text @ L2 >>4 byte 129 \b, hybrid @ L1 >>4 byte 130 \b, hybrid @ L2 >>4 byte 145 \b, advanced RT simple @ L! >>4 byte 146 \b, advanced RT simple @ L2 >>4 byte 147 \b, advanced RT simple @ L3 >>4 byte 148 \b, advanced RT simple @ L4 >>4 byte 161 \b, core scalable @ L1 >>4 byte 162 \b, core scalable @ L2 >>4 byte 163 \b, core scalable @ L3 >>4 byte 177 \b, advanced coding efficiency @ L1 >>4 byte 178 \b, advanced coding efficiency @ L2 >>4 byte 179 \b, advanced coding efficiency @ L3 >>4 byte 180 \b, advanced coding efficiency @ L4 >>4 byte 193 \b, advanced core @ L1 >>4 byte 194 \b, advanced core @ L2 >>4 byte 209 \b, advanced scalable texture @ L1 >>4 byte 210 \b, advanced scalable texture @ L2 >>4 byte 211 \b, advanced scalable texture @ L3 >>4 byte 225 \b, simple studio @ L1 >>4 byte 226 \b, simple studio @ L2 >>4 byte 227 \b, simple studio @ L3 >>4 byte 228 \b, simple studio @ L4 >>4 byte 229 \b, core studio @ L1 >>4 byte 230 \b, core studio @ L2 >>4 byte 231 \b, core studio @ L3 >>4 byte 232 \b, core studio @ L4 >>4 byte 240 \b, advanced simple @ L0 >>4 byte 241 \b, advanced simple @ L1 >>4 byte 242 \b, advanced simple @ L2 >>4 byte 243 \b, advanced simple @ L3 >>4 byte 244 \b, advanced simple @ L4 >>4 byte 245 \b, advanced simple @ L5 >>4 byte 247 \b, advanced simple @ L3b >>4 byte 248 \b, FGS @ L0 >>4 byte 249 \b, FGS @ L1 >>4 byte 250 \b, FGS @ L2 >>4 byte 251 \b, FGS @ L3 >>4 byte 252 \b, FGS @ L4 >>4 byte 253 \b, FGS @ L5 >3 byte 0xB5 MPEG sequence, v4 !:mime video/mpeg4-generic >>4 byte &0x80 >>>5 byte&0xF0 16 \b, video (missing profile header) >>>5 byte&0xF0 32 \b, still texture (missing profile header) >>>5 byte&0xF0 48 \b, mesh (missing profile header) >>>5 byte&0xF0 64 \b, face (missing profile header) >>4 byte&0xF8 8 \b, video (missing profile header) >>4 byte&0xF8 16 \b, still texture (missing profile header) >>4 byte&0xF8 24 \b, mesh (missing profile header) >>4 byte&0xF8 32 \b, face (missing profile header) >3 byte 0xB3 MPEG sequence !:mime video/mpeg >>12 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong 0x000001B5 \b, v2, >>>16 byte&0x0F 1 \b HP >>>16 byte&0x0F 2 \b Spt >>>16 byte&0x0F 3 \b SNR >>>16 byte&0x0F 4 \b MP >>>16 byte&0x0F 5 \b SP >>>17 byte&0xF0 64 \b@HL >>>17 byte&0xF0 96 \b@H-14 >>>17 byte&0xF0 128 \b@ML >>>17 byte&0xF0 160 \b@LL >>>17 byte &0x08 \b progressive >>>17 byte ^0x08 \b interlaced >>>17 byte&0x06 2 \b Y'CbCr 4:2:0 video >>>17 byte&0x06 4 \b Y'CbCr 4:2:2 video >>>17 byte&0x06 6 \b Y'CbCr 4:4:4 video >>11 byte &0x02 >>>75 byte &0x01 >>>>140 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>>>140 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>>>140 belong 0x000001B5 \b, v2, >>>>>144 byte&0x0F 1 \b HP >>>>>144 byte&0x0F 2 \b Spt >>>>>144 byte&0x0F 3 \b SNR >>>>>144 byte&0x0F 4 \b MP >>>>>144 byte&0x0F 5 \b SP >>>>>145 byte&0xF0 64 \b@HL >>>>>145 byte&0xF0 96 \b@H-14 >>>>>145 byte&0xF0 128 \b@ML >>>>>145 byte&0xF0 160 \b@LL >>>>>145 byte &0x08 \b progressive >>>>>145 byte ^0x08 \b interlaced >>>>>145 byte&0x06 2 \b Y'CbCr 4:2:0 video >>>>>145 byte&0x06 4 \b Y'CbCr 4:2:2 video >>>>>145 byte&0x06 6 \b Y'CbCr 4:4:4 video >>76 belong 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>76 belong 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>76 belong 0x000001B5 \b, v2, >>>80 byte&0x0F 1 \b HP >>>80 byte&0x0F 2 \b Spt >>>80 byte&0x0F 3 \b SNR >>>80 byte&0x0F 4 \b MP >>>80 byte&0x0F 5 \b SP >>>81 byte&0xF0 64 \b@HL >>>81 byte&0xF0 96 \b@H-14 >>>81 byte&0xF0 128 \b@ML >>>81 byte&0xF0 160 \b@LL >>>81 byte &0x08 \b progressive >>>81 byte ^0x08 \b interlaced >>>81 byte&0x06 2 \b Y'CbCr 4:2:0 video >>>81 byte&0x06 4 \b Y'CbCr 4:2:2 video >>>81 byte&0x06 6 \b Y'CbCr 4:4:4 video >>4 belong&0xFFFFFF00 0x78043800 \b, HD-TV 1920P >>>7 byte&0xF0 0x10 \b, 16:9 >>4 belong&0xFFFFFF00 0x50002D00 \b, SD-TV 1280I >>>7 byte&0xF0 0x10 \b, 16:9 >>4 belong&0xFFFFFF00 0x30024000 \b, PAL Capture >>>7 byte&0xF0 0x10 \b, 4:3 >>4 beshort&0xFFF0 0x2C00 \b, 4CIF >>>5 beshort&0x0FFF 0x01E0 \b NTSC >>>5 beshort&0x0FFF 0x0240 \b PAL >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>>7 byte&0xF0 0x80 \b, PAL 4:3 >>>7 byte&0xF0 0xC0 \b, NTSC 4:3 >>4 belong&0xFFFFFF00 0x2801E000 \b, LD-TV 640P >>>7 byte&0xF0 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 0x1400F000 \b, 320x240 >>>7 byte&0xF0 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 0x0F00A000 \b, 240x160 >>>7 byte&0xF0 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 0x0A007800 \b, 160x120 >>>7 byte&0xF0 0x10 \b, 4:3 >>4 beshort&0xFFF0 0x1600 \b, CIF >>>5 beshort&0x0FFF 0x00F0 \b NTSC >>>5 beshort&0x0FFF 0x0120 \b PAL >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>>7 byte&0xF0 0x80 \b, PAL 4:3 >>>7 byte&0xF0 0xC0 \b, NTSC 4:3 >>>5 beshort&0x0FFF 0x0240 \b PAL 625 >>>>7 byte&0xF0 0x20 \b, 4:3 >>>>7 byte&0xF0 0x30 \b, 16:9 >>>>7 byte&0xF0 0x40 \b, 11:5 >>4 beshort&0xFFF0 0x2D00 \b, CCIR/ITU >>>5 beshort&0x0FFF 0x01E0 \b NTSC 525 >>>5 beshort&0x0FFF 0x0240 \b PAL 625 >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>4 beshort&0xFFF0 0x1E00 \b, SVCD >>>5 beshort&0x0FFF 0x01E0 \b NTSC 525 >>>5 beshort&0x0FFF 0x0240 \b PAL 625 >>>7 byte&0xF0 0x20 \b, 4:3 >>>7 byte&0xF0 0x30 \b, 16:9 >>>7 byte&0xF0 0x40 \b, 11:5 >>7 byte&0x0F 1 \b, 23.976 fps >>7 byte&0x0F 2 \b, 24 fps >>7 byte&0x0F 3 \b, 25 fps >>7 byte&0x0F 4 \b, 29.97 fps >>7 byte&0x0F 5 \b, 30 fps >>7 byte&0x0F 6 \b, 50 fps >>7 byte&0x0F 7 \b, 59.94 fps >>7 byte&0x0F 8 \b, 60 fps >>11 byte &0x04 \b, Constrained # MPEG ADTS Audio (*.mpx/mxa/aac) # from dreesen@math.fu-berlin.de # modified to fully support MPEG ADTS # MP3, M1A # modified by Joerg Jenderek # GRR the original test are too common for many DOS files # so don't accept as MP3 until we've tested the rate # But also beat GEMDOS fonts 0 beshort&0xFFFE 0xFFFA # rates >2 byte&0xF0 !0 >>2 byte&0xF0 !0xF0 MPEG ADTS, layer III, v1 !:strength +20 !:mime audio/mpeg >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 40 kbps >2 byte&0xF0 0x30 \b, 48 kbps >2 byte&0xF0 0x40 \b, 56 kbps >2 byte&0xF0 0x50 \b, 64 kbps >2 byte&0xF0 0x60 \b, 80 kbps >2 byte&0xF0 0x70 \b, 96 kbps >2 byte&0xF0 0x80 \b, 112 kbps >2 byte&0xF0 0x90 \b, 128 kbps >2 byte&0xF0 0xA0 \b, 160 kbps >2 byte&0xF0 0xB0 \b, 192 kbps >2 byte&0xF0 0xC0 \b, 224 kbps >2 byte&0xF0 0xD0 \b, 256 kbps >2 byte&0xF0 0xE0 \b, 320 kbps # timing >2 byte&0x0C 0x00 \b, 44.1 kHz >2 byte&0x0C 0x04 \b, 48 kHz >2 byte&0x0C 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M1A 0 beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1 !:mime audio/mpeg # rates >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 48 kbps >2 byte&0xF0 0x30 \b, 56 kbps >2 byte&0xF0 0x40 \b, 64 kbps >2 byte&0xF0 0x50 \b, 80 kbps >2 byte&0xF0 0x60 \b, 96 kbps >2 byte&0xF0 0x70 \b, 112 kbps >2 byte&0xF0 0x80 \b, 128 kbps >2 byte&0xF0 0x90 \b, 160 kbps >2 byte&0xF0 0xA0 \b, 192 kbps >2 byte&0xF0 0xB0 \b, 224 kbps >2 byte&0xF0 0xC0 \b, 256 kbps >2 byte&0xF0 0xD0 \b, 320 kbps >2 byte&0xF0 0xE0 \b, 384 kbps # timing >2 byte&0x0C 0x00 \b, 44.1 kHz >2 byte&0x0C 0x04 \b, 48 kHz >2 byte&0x0C 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M1A # updated by Joerg Jenderek # GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 # GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE) # FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries #0 beshort&0xFFFE 0xFFFE #>2 ubyte&0xF0 >0x0F #>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1 ## rate #>>>2 byte&0xF0 0x10 \b, 32 kbps #>>>2 byte&0xF0 0x20 \b, 64 kbps #>>>2 byte&0xF0 0x30 \b, 96 kbps #>>>2 byte&0xF0 0x40 \b, 128 kbps #>>>2 byte&0xF0 0x50 \b, 160 kbps #>>>2 byte&0xF0 0x60 \b, 192 kbps #>>>2 byte&0xF0 0x70 \b, 224 kbps #>>>2 byte&0xF0 0x80 \b, 256 kbps #>>>2 byte&0xF0 0x90 \b, 288 kbps #>>>2 byte&0xF0 0xA0 \b, 320 kbps #>>>2 byte&0xF0 0xB0 \b, 352 kbps #>>>2 byte&0xF0 0xC0 \b, 384 kbps #>>>2 byte&0xF0 0xD0 \b, 416 kbps #>>>2 byte&0xF0 0xE0 \b, 448 kbps ## timing #>>>2 byte&0x0C 0x00 \b, 44.1 kHz #>>>2 byte&0x0C 0x04 \b, 48 kHz #>>>2 byte&0x0C 0x08 \b, 32 kHz ## channels/options #>>>3 byte&0xC0 0x00 \b, Stereo #>>>3 byte&0xC0 0x40 \b, JntStereo #>>>3 byte&0xC0 0x80 \b, 2x Monaural #>>>3 byte&0xC0 0xC0 \b, Monaural ##>1 byte ^0x01 \b, Data Verify ##>2 byte &0x02 \b, Packet Pad ##>2 byte &0x01 \b, Custom Flag ##>3 byte &0x08 \b, Copyrighted ##>3 byte &0x04 \b, Original Source ##>3 byte&0x03 1 \b, NR: 50/15 ms ##>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M2A 0 beshort&0xFFFE 0xFFF2 MPEG ADTS, layer III, v2 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps >2 byte&0xF0 0x60 \b, 48 kbps >2 byte&0xF0 0x70 \b, 56 kbps >2 byte&0xF0 0x80 \b, 64 kbps >2 byte&0xF0 0x90 \b, 80 kbps >2 byte&0xF0 0xA0 \b, 96 kbps >2 byte&0xF0 0xB0 \b, 112 kbps >2 byte&0xF0 0xC0 \b, 128 kbps >2 byte&0xF0 0xD0 \b, 144 kbps >2 byte&0xF0 0xE0 \b, 160 kbps # timing >2 byte&0x0C 0x00 \b, 22.05 kHz >2 byte&0x0C 0x04 \b, 24 kHz >2 byte&0x0C 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps >2 byte&0xF0 0x60 \b, 48 kbps >2 byte&0xF0 0x70 \b, 56 kbps >2 byte&0xF0 0x80 \b, 64 kbps >2 byte&0xF0 0x90 \b, 80 kbps >2 byte&0xF0 0xA0 \b, 96 kbps >2 byte&0xF0 0xB0 \b, 112 kbps >2 byte&0xF0 0xC0 \b, 128 kbps >2 byte&0xF0 0xD0 \b, 144 kbps >2 byte&0xF0 0xE0 \b, 160 kbps # timing >2 byte&0x0C 0x00 \b, 22.05 kHz >2 byte&0x0C 0x04 \b, 24 kHz >2 byte&0x0C 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M2A 0 beshort&0xFFFE 0xFFF6 MPEG ADTS, layer I, v2 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 32 kbps >2 byte&0xF0 0x20 \b, 48 kbps >2 byte&0xF0 0x30 \b, 56 kbps >2 byte&0xF0 0x40 \b, 64 kbps >2 byte&0xF0 0x50 \b, 80 kbps >2 byte&0xF0 0x60 \b, 96 kbps >2 byte&0xF0 0x70 \b, 112 kbps >2 byte&0xF0 0x80 \b, 128 kbps >2 byte&0xF0 0x90 \b, 144 kbps >2 byte&0xF0 0xA0 \b, 160 kbps >2 byte&0xF0 0xB0 \b, 176 kbps >2 byte&0xF0 0xC0 \b, 192 kbps >2 byte&0xF0 0xD0 \b, 224 kbps >2 byte&0xF0 0xE0 \b, 256 kbps # timing >2 byte&0x0C 0x00 \b, 22.05 kHz >2 byte&0x0C 0x04 \b, 24 kHz >2 byte&0x0C 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M25A 0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 !:mime audio/mpeg # rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps >2 byte&0xF0 0x60 \b, 48 kbps >2 byte&0xF0 0x70 \b, 56 kbps >2 byte&0xF0 0x80 \b, 64 kbps >2 byte&0xF0 0x90 \b, 80 kbps >2 byte&0xF0 0xA0 \b, 96 kbps >2 byte&0xF0 0xB0 \b, 112 kbps >2 byte&0xF0 0xC0 \b, 128 kbps >2 byte&0xF0 0xD0 \b, 144 kbps >2 byte&0xF0 0xE0 \b, 160 kbps # timing >2 byte&0x0C 0x00 \b, 11.025 kHz >2 byte&0x0C 0x04 \b, 12 kHz >2 byte&0x0C 0x08 \b, 8 kHz # channels/options >3 byte&0xC0 0x00 \b, Stereo >3 byte&0xC0 0x40 \b, JntStereo >3 byte&0xC0 0x80 \b, 2x Monaural >3 byte&0xC0 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # AAC (aka MPEG-2 NBC audio) and MPEG-4 audio # Stored AAC streams (instead of the MP4 format) 0 string ADIF MPEG ADIF, AAC !:mime audio/x-hx-aac-adif >4 byte &0x80 >>13 byte &0x10 \b, VBR >>13 byte ^0x10 \b, CBR >>16 byte&0x1E 0x02 \b, single stream >>16 byte&0x1E 0x04 \b, 2 streams >>16 byte&0x1E 0x06 \b, 3 streams >>16 byte &0x08 \b, 4 or more streams >>16 byte &0x10 \b, 8 or more streams >>4 byte &0x80 \b, Copyrighted >>13 byte &0x40 \b, Original Source >>13 byte &0x20 \b, Home Flag >4 byte ^0x80 >>4 byte &0x10 \b, VBR >>4 byte ^0x10 \b, CBR >>7 byte&0x1E 0x02 \b, single stream >>7 byte&0x1E 0x04 \b, 2 streams >>7 byte&0x1E 0x06 \b, 3 streams >>7 byte &0x08 \b, 4 or more streams >>7 byte &0x10 \b, 8 or more streams >>4 byte &0x40 \b, Original Stream(s) >>4 byte &0x20 \b, Home Source # Live or stored single AAC stream (used with MPEG-2 systems) 0 beshort&0xFFF6 0xFFF0 MPEG ADTS, AAC !:mime audio/x-hx-aac-adts >1 byte &0x08 \b, v2 >1 byte ^0x08 \b, v4 # profile >>2 byte &0xC0 \b LTP >2 byte&0xc0 0x00 \b Main >2 byte&0xc0 0x40 \b LC >2 byte&0xc0 0x80 \b SSR # timing >2 byte&0x3c 0x00 \b, 96 kHz >2 byte&0x3c 0x04 \b, 88.2 kHz >2 byte&0x3c 0x08 \b, 64 kHz >2 byte&0x3c 0x0c \b, 48 kHz >2 byte&0x3c 0x10 \b, 44.1 kHz >2 byte&0x3c 0x14 \b, 32 kHz >2 byte&0x3c 0x18 \b, 24 kHz >2 byte&0x3c 0x1c \b, 22.05 kHz >2 byte&0x3c 0x20 \b, 16 kHz >2 byte&0x3c 0x24 \b, 12 kHz >2 byte&0x3c 0x28 \b, 11.025 kHz >2 byte&0x3c 0x2c \b, 8 kHz # channels >2 beshort&0x01c0 0x0040 \b, monaural >2 beshort&0x01c0 0x0080 \b, stereo >2 beshort&0x01c0 0x00c0 \b, stereo + center >2 beshort&0x01c0 0x0100 \b, stereo+center+LFE >2 beshort&0x01c0 0x0140 \b, surround >2 beshort&0x01c0 0x0180 \b, surround + LFE >2 beshort &0x01C0 \b, surround + side #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Custom Flag #>3 byte &0x20 \b, Original Stream #>3 byte &0x10 \b, Home Source #>3 byte &0x08 \b, Copyrighted # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm #>1 beshort&0x1FFF x \b, %hu byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams >>4 byte&0x3C 0x0C \b, 3 streams >>4 byte &0x08 \b, 4 or more streams >>4 byte &0x20 \b, 8 or more streams >3 byte&0xC0 0 >>4 byte&0x78 0x08 \b, single stream >>4 byte&0x78 0x10 \b, 2 streams >>4 byte&0x78 0x18 \b, 3 streams >>4 byte &0x20 \b, 4 or more streams >>4 byte &0x40 \b, 8 or more streams # This magic isn't strong enough (matches plausible ISO-8859-1 text) #0 beshort 0x4DE1 MPEG-4 LO-EP audio stream #!:mime audio/x-mp4a-latm # Summary: FLI animation format # Created by: Daniel Quinlan # Modified by (1): Abel Cheung (avoid over-generic detection) 4 leshort 0xAF11 # standard FLI always has 320x200 resolution and 8 bit color >8 leshort 320 >>10 leshort 200 >>>12 leshort 8 FLI animation, 320x200x8 !:mime video/x-fli >>>>6 leshort x \b, %d frames # frame speed is multiple of 1/70s >>>>16 leshort x \b, %d/70s per frame # Summary: FLC animation format # Created by: Daniel Quinlan # Modified by (1): Abel Cheung (avoid over-generic detection) 4 leshort 0xAF12 # standard FLC always use 8 bit color >12 leshort 8 FLC animation !:mime video/x-flc >>8 leshort x \b, %d >>10 leshort x \bx%dx8 >>6 uleshort x \b, %d frames >>16 uleshort x \b, %dms per frame # DL animation format # XXX - collision with most `mips' magic # # I couldn't find a real magic number for these, however, this # -appears- to work. Note that it might catch other files, too, so be # careful! # # Note that title and author appear in the two 20-byte chunks # at decimal offsets 2 and 22, respectively, but they are XOR'ed with # 255 (hex FF)! The DL format is really bad. # #0 byte 1 DL version 1, medium format (160x100, 4 images/screen) #!:mime video/x-unknown #>42 byte x - %d screens, #>43 byte x %d commands #0 byte 2 DL version 2 #!:mime video/x-unknown #>1 byte 1 - large format (320x200,1 image/screen), #>1 byte 2 - medium format (160x100,4 images/screen), #>1 byte >2 - unknown format, #>42 byte x %d screens, #>43 byte x %d commands # Based on empirical evidence, DL version 3 have several nulls following the # \003. Most of them start with non-null values at hex offset 0x34 or so. #0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3 # iso 13818 transport stream # # from Oskar Schirmer Feb 3, 2001 (ISO 13818.1) # syncbyte 8 bit 0x47 # error_ind 1 bit - # payload_start 1 bit 1 # priority 1 bit - # PID 13 bit 0x0000 # scrambling 2 bit - # adaptfld_ctrl 2 bit 1 or 3 # conti_count 4 bit - 0 belong&0xFF5FFF10 0x47400010 >188 byte 0x47 MPEG transport stream data !:mime video/MP2T !:ext ts # DIF digital video file format 0 belong&0xffffff00 0x1f070000 DIF !:mime video/x-dv >4 byte &0x01 (DVCPRO) movie file >4 byte ^0x01 (DV) movie file >3 byte &0x80 (PAL) >3 byte ^0x80 (NTSC) # MNG Video Format, 0 string \x8aMNG MNG video data, !:mime video/x-mng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %d x >>20 belong x %d # JNG Video Format, 0 string \x8bJNG JNG video data, !:mime video/x-jng >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %d x >>20 belong x %d # Vivo video (Wolfram Kleff) 3 string \x0D\x0AVersion:Vivo Vivo video data # ABC (alembic.io 3d models) 0 string 0gawa ABC 3d model #--------------------------------------------------------------------------- # HVQM4: compressed movie format designed by Hudson for Nintendo GameCube # From Mark Sheppard , 2002-10-03 # 0 string HVQM4 %s >6 string >\0 v%s >0 byte x GameCube movie, >0x34 ubeshort x %d x >0x36 ubeshort x %d, >0x26 ubeshort x %dus, >0x42 ubeshort 0 no audio >0x42 ubeshort >0 %dHz audio # From: Stefan A. Haubenthal # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/VOB 0 string DVDVIDEO-VTS Video title set, !:mime video/x-ifo !:ext ifo/bup >0x21 byte x v%x 0 string DVDVIDEO-VMG Video manager, !:mime video/x-ifo !:ext ifo/bup >0x21 byte x v%x # From: Stefan A. Haubenthal 0 string xMovieSetter MovieSetter movie 0 string xSceneEditor MovieSetter movie # From: Behan Webster # NuppelVideo used by Mythtv (*.nuv) # Note: there are two identical stanzas here differing only in the # initial string matched. It used to be done with a regex, but we're # trying to get rid of those. 0 string NuppelVideo MythTV NuppelVideo >12 string x v%s >20 lelong x (%d >24 lelong x \bx%d), >36 string P \bprogressive, >36 string I \binterlaced, >40 ledouble x \baspect:%.2f, >48 ledouble x \bfps:%.2f 0 string MythTV MythTV NuppelVideo >12 string x v%s >20 lelong x (%d >24 lelong x \bx%d), >36 string P \bprogressive, >36 string I \binterlaced, >40 ledouble x \baspect:%.2f, >48 ledouble x \bfps:%.2f # MPEG file # MPEG sequences # FIXME: This section is from the old magic.mime file and needs # integrating with the rest #0 belong 0x000001BA #>4 byte &0x40 #!:mime video/mp2p #>4 byte ^0x40 #!:mime video/mpeg #0 belong 0x000001BB #!:mime video/mpeg #0 belong 0x000001B0 #!:mime video/mp4v-es #0 belong 0x000001B5 #!:mime video/mp4v-es #0 belong 0x000001B3 #!:mime video/mpv #0 belong&0xFF5FFF10 0x47400010 #!:mime video/mp2t #0 belong 0x00000001 #>4 byte&0x1F 0x07 #!:mime video/h264 # Type: Bink Video # Extension: .bik # URL: https://wiki.multimedia.cx/index.php?title=Bink_Container # From: 2008-07-18 0 name bik #>4 ulelong x size %d >20 ulelong x \b, %d >24 ulelong x \bx%d >8 ulelong x \b, %d frames >32 ulelong x at rate %d/ >28 ulelong >1 \b%d >40 ulelong =0 \b, no audio >40 ulelong !0 \b, %d audio track >>40 ulelong !1 \bs # follow properties of the first audio track only >>48 uleshort x %dHz >>51 byte&0x20 0 mono >>51 byte&0x20 !0 stereo #>>51 byte&0x10 0 FFT #>>51 byte&0x10 !0 DCT 0 string BIK >3 regex =[bdfghi] Bink Video rev.%s >>0 use bik 0 string KB2 >3 regex =[adfghi] Bink Video 2 rev.%s >>0 use bik # Type: NUT Container # URL: https://wiki.multimedia.cx/index.php?title=NUT # From: Adam Buchbinder 0 string nut/multimedia\ container\0 NUT multimedia container # Type: Nullsoft Video (NSV) # URL: https://wiki.multimedia.cx/index.php?title=Nullsoft_Video # From: Mike Melanson 0 string NSVf Nullsoft Video # Type: REDCode Video # URL: https://www.red.com/ ; https://wiki.multimedia.cx/index.php?title=REDCode # From: Mike Melanson 4 string RED1 REDCode Video # Type: MTV Multimedia File # URL: https://wiki.multimedia.cx/index.php?title=MTV # From: Mike Melanson 0 string AMVS MTV Multimedia File # Type: ARMovie # URL: https://wiki.multimedia.cx/index.php?title=ARMovie # From: Mike Melanson 0 string ARMovie\012 ARMovie # Type: Interplay MVE Movie # URL: https://wiki.multimedia.cx/index.php?title=Interplay_MVE # From: Mike Melanson 0 string Interplay\040MVE\040File\032 Interplay MVE Movie # Type: Windows Television DVR File # URL: https://wiki.multimedia.cx/index.php?title=WTV # From: Mike Melanson # This takes the form of a Windows-style GUID 0 bequad 0xB7D800203749DA11 >8 bequad 0xA64E0007E95EAD8D Windows Television DVR Media # Type: Sega FILM/CPK Multimedia # URL: https://wiki.multimedia.cx/index.php?title=Sega_FILM # From: Mike Melanson 0 string FILM Sega FILM/CPK Multimedia, >32 belong x %d x >28 belong x %d # Type: Nintendo THP Multimedia # URL: https://wiki.multimedia.cx/index.php?title=THP # From: Mike Melanson 0 string THP\0 Nintendo THP Multimedia # Type: BBC Dirac Video # URL: https://wiki.multimedia.cx/index.php?title=Dirac # From: Mike Melanson 0 string BBCD BBC Dirac Video # Type: RAD Game Tools Smacker Multimedia # URL: https://wiki.multimedia.cx/index.php?title=Smacker # From: Mike Melanson 0 string SMK RAD Game Tools Smacker Multimedia >3 byte x version %c, >4 lelong x %d x >8 lelong x %d, >12 lelong x %d frames # Material Exchange Format # More information: # https://en.wikipedia.org/wiki/Material_Exchange_Format # http://www.freemxf.org/ 0 string \x06\x0e\x2b\x34\x02\x05\x01\x01\x0d\x01\x02\x01\x01\x02 Material exchange container format !:ext mxf !:mime application/mxf # Recognize LucasArts Smush video files (cf. # https://wiki.multimedia.cx/index.php/Smush) 0 string ANIM >8 string AHDR LucasArts Smush Animation Format (SAN) video 0 string SANM >8 string SHDR LucasArts Smush v2 (SANM) video # Type: Scaleform video # Extension: .usm # URL: https://wiki.multimedia.cx/index.php/USM # From: David Korth 0 string CRID >32 string @UTF Scaleform video # http://www.jerrysguide.com/tips/demystify-tvs-file-format.html 0 string TVS\015\012 >&0 string Version\040 TeamViewer Session File >>&0 string x \b, version %s # SER file format - simple uncompressed video format for astronomical use # Initially developed by Lucam Recorder, # as of 2021 maintained by Heiko Wilkens, Grischa Hahn # Typical extensions: .SER # http://www.grischa-hahn.homepage.t-online.de/astro/ser/SER%20Doc%20V3b.pdf 0 string LUCAM-RECORDER SER video sequence !:ext ser >18 lelong 0 \b, bayer: mono >18 lelong 8 \b, bayer: RGGB >18 lelong 9 \b, bayer: GRBG >18 lelong 10 \b, bayer: GBRG >18 lelong 11 \b, bayer: BGGR >18 lelong 16 \b, bayer: CYYM >18 lelong 17 \b, bayer: YCMY >18 lelong 18 \b, bayer: YMCY >18 lelong 19 \b, bayer: MYYC >18 lelong 100 \b, bayer: RGB >18 lelong 101 \b, bayer: BGR >22 lelong 0 \b, big-endian >22 lelong 1 \b, little-endian >26 lelong x \b, width: %d >30 lelong x \b, height: %d >34 lelong x \b, %d bit >38 lelong x \b, frames: %d #------------------------------------------------------------------------------ # $File: aout,v 1.1 2013/01/09 22:37:23 christos Exp $ # aout: file(1) magic for a.out executable/object/etc entries that # handle executables on multiple platforms. # # # Little-endian 32-bit-int a.out, merged from bsdi (for BSD/OS, from # BSDI), netbsd, and vax (for UNIX/32V and BSD) # # XXX - is there anything we can look at to distinguish BSD/OS 386 from # NetBSD 386 from various VAX binaries? The BSD/OS shared library flag # works only for binaries using shared libraries. Grabbing the entry # point from the a.out header, using it to find the first code executed # in the program, and looking at that might help. # 0 lelong 0407 a.out little-endian 32-bit executable >16 lelong >0 not stripped >32 byte 0x6a (uses BSD/OS shared libs) 0 lelong 0410 a.out little-endian 32-bit pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses BSD/OS shared libs) 0 lelong 0413 a.out little-endian 32-bit demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses BSD/OS shared libs) # # Big-endian 32-bit-int a.out, merged from sun (for old 68010 SunOS a.out), # mips (for old 68020(!) SGI a.out), and netbsd (for old big-endian a.out). # # XXX - is there anything we can look at to distinguish old SunOS 68010 # from old 68020 IRIX from old NetBSD? Again, I guess we could look at # the first instruction or instructions in the program. # 0 belong 0407 a.out big-endian 32-bit executable >16 belong >0 not stripped 0 belong 0410 a.out big-endian 32-bit pure executable >16 belong >0 not stripped 0 belong 0413 a.out big-endian 32-bit demand paged executable >16 belong >0 not stripped #------------------------------------------------------------------------------ # $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $ # apache: file(1) magic for Apache Big Data formats # Avro files 0 string Obj Apache Avro >3 byte x version %d # ORC files # Important information is in file footer, which we can't index to :( 0 string ORC Apache ORC # Parquet files 0 string PAR1 Apache Parquet # Hive RC files 0 string RCF Apache Hive RC file >3 byte x version %d # Sequence files (and the careless first version of RC file) 0 string SEQ >3 byte <6 Apache Hadoop Sequence file version %d >3 byte >6 Apache Hadoop Sequence file version %d >3 byte =6 >>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0 >>3 default x Apache Hadoop Sequence file version 6 #------------------------------------------------------------------------------ # $File: apl,v 1.6 2009/09/19 16:28:07 christos Exp $ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long 0100554 APL workspace (Ken's original?) #------------------------------------------------------------------------------ # $File: apple,v 1.45 2021/04/26 15:56:00 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 0 string \x0aGL Binary II (apple ][) data 0 string \x76\xff Squeezed (apple ][) data 0 string NuFile NuFile archive (apple ][) data 0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file # Type: Apple Emulator WOZ format # From: Greg Wildman # Ref: https://applesaucefdc.com/woz/reference/ # Ref: https://applesaucefdc.com/woz/reference2/ # # Note: The following test are mostly identical. I would rather not # use a regex to identify the WOZ format number. 0 string WOZ1 >4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s 0 string WOZ2 >4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s # Type: Apple Emulator disk images # From: Greg Wildman # ProDOS boot loader? 0 string \x01\x38\xB0\x03\x4C Apple ProDOS Image # Detect Volume Directory block ($02) >0x400 string \x00\x00\x03\x00 >>0x404 byte &0xF0 >>>0x405 string x \b, Volume /%s >>>0x429 leshort x \b, %u Blocks # ProDOS ordered ? >0xb00 string \x00\x00\x03\x00 >>0xb04 byte &0xF0 >>>0xb05 string x \b, Volume /%s >>>0xb29 leshort x \b, %u Blocks # # DOS3.3 boot loader? 0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B >0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image >>0x11006 byte x \b, Volume %u >>0x11034 byte x \b, %u Tracks >>0x11035 byte x \b, %u Sectors >>0x11036 leshort x \b, %u bytes per sector # DOS3.2 ? >0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image >>0x11006 byte x \b, Volume %u >>0x11034 byte x \b, %u Tracks >>0x11035 byte x \b, %u Sectors >>0x11036 leshort x \b, %u bytes per sector # DOS3.1 ? >0x11001 string \x11\x0C\x01 >>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image # # Pascal boot loader? 0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD >0xd6 pstring SYSTEM.APPLE >>0xb00 leshort 0x0000 >>>0xb04 leshort 0x0000 Apple Pascal Image >>>>0xb06 pstring x \b, Volume %s: >>>>0xb0e leshort x \b, %u Blocks >>>>0xb10 leshort x \b, %u Files # # Diversi Dos boot loader? 0 string \x01\xA8\xAD\x81\xC0\xEE\x09\x08\xAD >0x11001 string \x11\x0F\x03 Apple Diversi Dos Image >>0x11006 byte x \b, Volume %u >>0x11034 byte x \b, %u Tracks >>0x11035 byte x \b, %u Sectors >>0x11036 leshort x \b, %u bytes per sector # Type: Apple Emulator 2IMG format # From: Radek Vokal # Update: Greg Wildman 0 string 2IMG Apple ][ 2IMG Disk Image >4 clear x >4 string XGS! \b, XGS >4 string CTKG \b, Catakig >4 string ShIm \b, Sheppy's ImageMaker >4 string SHEP \b, Sheppy's ImageMaker >4 string WOOF \b, Sweet 16 >4 string B2TR \b, Bernie ][ the Rescue >4 string \!nfc \b, ASIMOV2 >4 string \>BD\< \b, Brutal Deluxe's Cadius >4 string CdrP \b, CiderPress >4 string Vi][ \b, Virtual ][ >4 string PRFS \b, ProFUSE >4 string FISH \b, FishWings >4 string RVLW \b, Revival for Windows >4 default x >>4 string x \b, Creator tag "%-4.4s" >0xc byte 00 \b, DOS 3.3 sector order >>0x10 byte 00 \b, Volume 254 >>0x10 byte&0x7f x \b, Volume %u >0xc byte 01 \b, ProDOS sector order # Detect Volume Directory block ($02) + 2mg header offset >>0x440 string \x00\x00\x03\x00 >>>0x444 byte &0xF0 >>>>0x445 string x \b, Volume /%s >>>>0x469 leshort x \b, %u Blocks >0xc byte 02 \b, NIB data # magic for Newton PDA package formats # from Ruda Moura 0 string package0 Newton package, NOS 1.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d 0 string package1 Newton package, NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d 0 string package4 Newton package, >8 byte 8 NOS 1.x, >8 byte 9 NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, # The following entries for the Apple II are for files that have # been transferred as raw binary data from an Apple, without having # been encapsulated by any of the above archivers. # # In general, Apple II formats are hard to identify because Apple DOS # and especially Apple ProDOS have strong typing in the file system and # therefore programmers never felt much need to include type information # in the files themselves. # # Eric Fischer # AppleWorks word processor: # URL: https://en.wikipedia.org/wiki/AppleWorks # Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx # Update: Joerg Jenderek # NOTE: # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. # and/or look for unused bits of booleans bytes like zoom, paginated, mail merge # the newer AppleWorks is from claris with extension CWK 4 string O # test for unused bits of zoom- , paginated-boolean bytes >84 ubequad ^0x00Fe00000000Fe00 # look for tabstop definitions "=" no tab, "|" no tab # "<" left tab,"^" center tab,">" right tab, "." decimal tab, # unofficial "!" other , "\x8a" other # official only if SFMinVers is nonzero >>5 regex/s [=.<>|!^\x8a]{79} AppleWorks Word Processor # AppleWorks Word Processor File (Apple II) # ./apple (version 5.25) labeled the entry as "AppleWorks word processor data" # application/x-appleworks is mime type for claris version with cwk extension !:mime application/x-appleworks3 # http://home.earthlink.net/~hughhood/appleiiworksenvoy/ # ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type') # $70 $1A $F8 $FF is this the apple type ? #:apple pdosp^Z\xf8\xff !:ext awp # minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) >>>183 ubyte 30 3.0 >>>183 ubyte !30 >>>>183 ubyte !0 %#x # usual tabstop start sequence "=====<" >>>5 string x \b, tabstop ruler "%6.6s" # tabstop ruler #>>>5 string >\0 \b, tabstops "%-79s" # zoom switch >>>85 byte&0x01 >0 \b, zoomed # whether paginated >>>90 byte&0x01 >0 \b, paginated # contains any mail-merge commands >>>92 byte&0x01 >0 \b, with mail merge # left margin in 1/10 inches ( normally 0 or 10 ) >>>91 ubyte >0 >>>>91 ubyte x \b, %d/10 inch left margin # AppleWorks database: # # This isn't really a magic number, but it's the closest thing to one # that I could find. The 1 and 2 really mean "order in which you defined # categories" and "left to right, top to bottom," respectively; the D and R # mean that the cursor should move either down or right when you press Return. #30 string \x01D AppleWorks database data #30 string \x02D AppleWorks database data #30 string \x01R AppleWorks database data #30 string \x02R AppleWorks database data # AppleWorks spreadsheet: # # Likewise, this isn't really meant as a magic number. The R or C means # row- or column-order recalculation; the A or M means automatic or manual # recalculation. #131 string RA AppleWorks spreadsheet data #131 string RM AppleWorks spreadsheet data #131 string CA AppleWorks spreadsheet data #131 string CM AppleWorks spreadsheet data # Applesoft BASIC: # # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. # update by Joerg Jenderek at Feb 2013 # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) #0 belong&0xff00ff 0x80000 Applesoft BASIC program data 0 belong&0x00ff00ff 0x00080000 # assuming that line number must be positive >2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d # ORCA/EZ assembler: # # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data #>5 byte x \b, build number %d # Broderbund Fantavision # # I don't know what these values really mean, but they seem to recur. # Will they cause too many conflicts? # Probably :-) #2 belong&0xFF00FF 0x040008 Fantavision movie data # Some attempts at images. # # These are actually just bit-for-bit dumps of the frame buffer, so # there's really no reasonably way to distinguish them except for their # address (if preserved) -- 8192 or 16384 -- and their length -- 8192 # or, occasionally, 8184. # # Nevertheless this will manage to catch a lot of images that happen # to have a solid-colored line at the bottom of the screen. # GRR: Magic too weak #8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background #8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background #8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background #8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background #8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background # Beagle Bros. Apple Mechanic fonts 0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font # Apple Universal Disk Image Format (UDIF) - dmg files. # From Johan Gade. # These entries are disabled for now until we fix the following issues. # # Note there might be some problems with the "VAX COFF executable" # entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # # The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # # Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson 0 string bplist00 Apple binary property list # Apple binary property list (bplist) # Assumes version bytes are hex. # Provides content hints for version 0 files. Assumes that the root # object is the first object (true for CoreFoundation implementation). # From: David Remahl 0 string bplist >6 byte x \bCoreFoundation binary property list data, version %#c >>7 byte x \b%c >6 string 00 \b >>8 byte&0xF0 0x00 \b >>>8 byte&0x0F 0x00 \b, root type: null >>>8 byte&0x0F 0x08 \b, root type: false boolean >>>8 byte&0x0F 0x09 \b, root type: true boolean >>8 byte&0xF0 0x10 \b, root type: integer >>8 byte&0xF0 0x20 \b, root type: real >>8 byte&0xF0 0x30 \b, root type: date >>8 byte&0xF0 0x40 \b, root type: data >>8 byte&0xF0 0x50 \b, root type: ascii string >>8 byte&0xF0 0x60 \b, root type: unicode string >>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) >>8 byte&0xF0 0xa0 \b, root type: array >>8 byte&0xF0 0xd0 \b, root type: dictionary # Apple/NeXT typedstream data # Serialization format used by NeXT and Apple for various # purposes in YellowStep/Cocoa, including some nib files. # From: David Remahl 2 string typedstream NeXT/Apple typedstream data, big endian >0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b >>>14 ubeshort x \b, system %d 2 string streamtyped NeXT/Apple typedstream data, little endian >0 byte x \b, version %d >0 byte <5 \b >>13 byte 0x81 \b >>>14 uleshort x \b, system %d #------------------------------------------------------------------------------ # CAF: Apple CoreAudio File Format # # Container format for high-end audio purposes. # From: David Remahl # 0 string caff CoreAudio Format audio file >4 beshort <10 version %d >6 beshort x #------------------------------------------------------------------------------ # Keychain database files 0 string kych Mac OS X Keychain File #------------------------------------------------------------------------------ # Code Signing related file types 0 belong 0xfade0c00 Mac OS X Code Requirement >8 belong 1 (opExpr) >4 belong x - %d bytes 0 belong 0xfade0c01 Mac OS X Code Requirement Set >8 belong >1 containing %d items >4 belong x - %d bytes 0 belong 0xfade0c02 Mac OS X Code Directory >8 belong x version %x >12 belong >0 flags %#x >4 belong x - %d bytes 0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) >4 belong x - %d bytes 0 belong 0xfade0cc1 Mac OS X Detached Code Signature >8 belong >1 (%d elements) >4 belong x - %d bytes # From: "Nelson A. de Oliveira" # .vdi 4 string innotek\ VirtualBox\ Disk\ Image %s # Apple disk partition stuff # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h # Update: Joerg Jenderek # "ER" is APPLE_DRVR_MAP_MAGIC signature 0 beshort 0x4552 # display Apple Driver Map (strength=50) after Syslinux bootloader (71) #!:strength +0 # strengthen the magic by looking for used blocksizes 512 2048 >2 ubeshort&0xf1FF 0 Apple Driver Map # last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid #>>504 ubequad&0x0000FFffFFff0000 0 !:mime application/x-apple-diskimage !:apple ????devr # https://en.wikipedia.org/wiki/Apple_Disk_Image !:ext dmg/iso # sbBlkSize for driver descriptor map 512 2048 >>2 beshort x \b, blocksize %d # sbBlkCount sometimes garbish like # 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg # 0xf2720100 for bunziped Firefox 48.0-2.dmg # 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso # 0x00009090 by syslinux-6.03/utils/isohybrid.c >>4 ubelong x \b, blockcount %u # following device/driver information not very useful # device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>8 ubeshort x \b, devtype %u # device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>10 ubeshort x \b, devid %u # driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>12 ubelong >0 >>>12 ubelong x \b, driver data %u # number of driver descriptors sbDrvrCount <= 61 # (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>16 ubeshort x \b, driver count %u # 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map # >>18 use apple-driver-map # >>26 use apple-driver-map # # ... # >>500 use apple-driver-map # number of partitions is always same in every partition (map block count) #>>0x0204 ubelong x \b, %u partitions >>0x0204 ubelong >0 \b, contains[@0x200]: >>>0x0200 use apple-apm >>0x0204 ubelong >1 \b, contains[@0x400]: >>>0x0400 use apple-apm >>0x0204 ubelong >2 \b, contains[@0x600]: >>>0x0600 use apple-apm >>0x0204 ubelong >3 \b, contains[@0x800]: >>>0x0800 use apple-apm >>0x0204 ubelong >4 \b, contains[@0xA00]: >>>0x0A00 use apple-apm >>0x0204 ubelong >5 \b, contains[@0xC00]: >>>0x0C00 use apple-apm >>0x0204 ubelong >6 \b, contains[@0xE00]: >>>0x0E00 use apple-apm >>0x0204 ubelong >7 \b, contains[@0x1000]: >>>0x1000 use apple-apm # display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) 0 name apple-driver-map >0 ubequad !0 # descBlock first block of driver >>0 ubelong x \b, driver start block %u # descSize driver size in blocks >>4 ubeshort x \b, size %u # descType driver system type 1 701h F8FFh FFFFh >>6 ubeshort x \b, type %#x # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h # Update: Joerg Jenderek # Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the # magic stronger. # for apple partition map stored as a single file 0 belong 0x504d0000 # to display Apple Partition Map (strength=70) after Syslinux bootloader (71) #!:strength +0 >0 use apple-apm # magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type # file: could not find any valid magic files! #!:ext bin # display apple partition map. Normally called after Apple driver map 0 name apple-apm >0 belong 0x504d0000 Apple Partition Map # number of partitions >>4 ubelong x \b, map block count %u # logical block (512 bytes) start of partition >>8 ubelong x \b, start block %u >>12 ubelong x \b, block count %u >>16 string >0 \b, name %s >>48 string >0 \b, type %s # processor type dpme_process_id[16] e.g. "68000" "68020" >>120 string >0 \b, processor %s # A/UX boot arguments BootArgs[128] >>136 string >0 \b, boot arguments %s # status of partition dpme_flags >>88 belong & 1 \b, valid >>88 belong & 2 \b, allocated >>88 belong & 4 \b, in use >>88 belong & 8 \b, has boot info >>88 belong & 16 \b, readable >>88 belong & 32 \b, writable >>88 belong & 64 \b, pic boot code >>88 belong & 128 \b, chain compatible driver >>88 belong & 256 \b, real driver >>88 belong & 512 \b, chain driver # mount automatically at startup APPLE_PS_AUTO_MOUNT >>88 ubelong &0x40000000 \b, mount at startup # is the startup partition APPLE_PS_STARTUP >>88 ubelong &0x80000000 \b, is the startup partition #https://wiki.mozilla.org/DS_Store_File_Format #https://en.wikipedia.org/wiki/.DS_Store 0 string \0\0\0\1Bud1\0 Apple Desktop Services Store # HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015) # Usually not in separate files, but have either filename rsrc with # no extension, or a filename corresponding to another file, with # extensions rsr/rsrc 0 string \000\000\001\000 >4 leshort 0 >>16 lelong 0 Apple HFS/HFS+ resource fork #https://en.wikipedia.org/wiki/AppleScript 0 string FasdUAS AppleScript compiled # AppleWorks/ClarisWorks # https://github.com/joshenders/appleworks_format # http://fileformats.archiveteam.org/wiki/AppleWorks 0 name appleworks >0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document >0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document >0 default x >>0 belong x AppleWorks/ClarisWorks CWK Document >0 byte x \b, version %d >30 beshort x \b, %d >32 beshort x \bx%d !:ext cwk 4 string BOBO >0 byte >4 >>12 belong 0 >>>26 belong 0 >>>>0 use appleworks >0 belong 0x0481ad00 >>0 use appleworks # magic for Apple File System (APFS) # from Alex Myczko 32 string NXSB Apple File System (APFS) >36 ulelong x \b, blocksize %u # iTunes cover art (versions 1 and 2) 4 string itch >24 string artw >>0x1e8 string data iTunes cover art >>>0x1ed string PNG (PNG) >>>0x1ec beshort 0xffd8 (JPEG) # MacPaint image 65 string PNTGMPNT MacPaint image data #0 belong 2 MacPaint image data #------------------------------------------------------------------------------ # $File: application,v 1.1 2016/10/17 12:13:01 christos Exp $ # application: file(1) magic for applications on small devices # # Pebble Application 0 string PBLAPP\000\000 Pebble application #------------------------------------------------------------------------------ # $File: applix,v 1.5 2009/09/19 16:28:08 christos Exp $ # applix: file(1) magic for Applixware # From: Peter Soos # 0 string *BEGIN Applixware >7 string WORDS Words Document >7 string GRAPHICS Graphic >7 string RASTER Bitmap >7 string SPREADSHEETS Spreadsheet >7 string MACRO Macro >7 string BUILDER Builder Object #------------------------------------------------------------------------------ # $File: apt,v 1.1 2016/10/17 19:51:57 christos Exp $ # apt: file(1) magic for APT Cache files # # # before version 10 ("old format"), data was in arch-specific long/short # old format 64 bit 0 name apt-cache-64bit-be >12 beshort 1 \b, dirty >40 bequad x \b, %llu packages >48 bequad x \b, %llu versions # old format 32 bit 0 name apt-cache-32bit-be >8 beshort 1 \b, dirty >40 belong x \b, %u packages >44 belong x \b, %u versions # new format 0 name apt-cache-be >6 byte 1 \b, dirty >24 belong x \b, %u packages >28 belong x \b, %u versions 0 bequad 0x98FE76DC >8 ubeshort <10 APT cache data, version %u >>10 beshort x \b.%u, 64 bit big-endian >>0 use apt-cache-64bit-be 0 lequad 0x98FE76DC >8 uleshort <10 APT cache data, version %u >>10 leshort x \b.%u, 64 bit little-endian >>0 use \^apt-cache-64bit-be 0 belong 0x98FE76DC >4 ubeshort <10 APT cache data, version %u >>6 ubeshort x \b.%u, 32 bit big-endian >>0 use apt-cache-32bit-be >4 ubyte >9 APT cache data, version %u >>5 ubyte x \b.%u, big-endian >>0 use apt-cache-be 0 lelong 0x98FE76DC >4 uleshort <10 APT cache data, version %u >>6 uleshort x \b.%u, 32 bit little-endian >>0 use \^apt-cache-32bit-be >4 ubyte >9 APT cache data, version %u >>5 ubyte x \b.%u, little-endian >>0 use \^apt-cache-be #------------------------------------------------------------------------------ # $File: archive,v 1.169 2022/09/12 13:13:28 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. # pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c. # POSIX tar archives # URL: https://en.wikipedia.org/wiki/Tar_(computing) # Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current # header mainly padded with nul bytes 500 quad 0 !:strength /2 # filename or extended attribute printable strings in range space null til umlaut ue >0 ubeshort >0x1F00 >>0 ubeshort <0xFCFD # last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad # at https://sourceforge.net/projects/s-tar/files/testscripts/ >>>508 ubelong&0x8B9E8DFF 0 # nul, space or ascii digit 0-7 at start of mode >>>>100 ubyte&0xC8 =0 >>>>>101 ubyte&0xC8 =0 # nul, space at end of check sum >>>>>>155 ubyte&0xDF =0 # space or ascii digit 0 at start of check sum >>>>>>>148 ubyte&0xEF =0x20 # FOR DEBUGGING: #>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s" # check for 1st image main name with digits used for sorting # and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP >>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) #foo >>>>>>>>>0 use tar-cbt # if 1st member name without digits and without used image suffix then it is a TAR archive >>>>>>>>0 default x >>>>>>>>>0 use tar-file # minimal check and then display tar archive information which can also be # embedded inside others like Android Backup, Clam AntiVirus database 0 name tar-file >257 string !ustar # header padded with nuls >>257 ulong =0 # GNU tar version 1.29 with non pax format option without refusing # creates misleading V7 header for Long path, Multi-volume, Volume type >>>156 ubyte 0x4c GNU tar archive !:mime application/x-gtar !:ext tar/gtar >>>156 ubyte 0x4d GNU tar archive !:mime application/x-gtar !:ext tar/gtar >>>156 ubyte 0x56 GNU tar archive !:mime application/x-gtar !:ext tar/gtar >>>156 default x tar archive (V7) !:mime application/x-tar !:ext tar # other stuff in padding # some implementations add new fields to the blank area at the end of the header record # created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option >>257 ulong !0 tar archive (old) !:mime application/x-tar !:ext tar # magic in newer, GNU, posix variants >257 string =ustar # 2 last char of magic and UStar version because string expression does not work # 2 space characters followed by a null for GNU variant >>261 ubelong =0x72202000 POSIX tar archive (GNU) !:mime application/x-gtar !:ext tar/gtar # UStar version with ASCII "00" >>261 ubelong 0x72003030 POSIX # gLOBAL and ExTENSION type only found in POSIX.1-2001 format >>>156 ubyte 0x67 \b.1-2001 >>>156 ubyte 0x78 \b.1-2001 >>>156 ubyte x tar archive !:mime application/x-ustar !:ext tar/ustar # version with 2 binary nuls embedded in Android Backup like com.android.settings.ab >>261 ubelong 0x72000000 tar archive (ustar) !:mime application/x-ustar !:ext tar/ustar # not seen ustar variant with garbish version >>261 default x tar archive (unknown ustar) !:mime application/x-ustar !:ext tar/ustar # type flag of 1st tar archive member #>156 ubyte x \b, %c-type >156 ubyte x >>156 ubyte 0 \b, file >>156 ubyte 0x30 \b, file >>156 ubyte 0x31 \b, hard link >>156 ubyte 0x32 \b, symlink >>156 ubyte 0x33 \b, char device >>156 ubyte 0x34 \b, block device >>156 ubyte 0x35 \b, directory >>156 ubyte 0x36 \b, fifo >>156 ubyte 0x37 \b, reserved >>156 ubyte 0x4c \b, long path >>156 ubyte 0x4d \b, multi volume >>156 ubyte 0x56 \b, volume >>156 ubyte 0x67 \b, global >>156 ubyte 0x78 \b, extension >>156 default x \b, type >>>156 ubyte x '%c' # name[100] >0 string >\0 %-.60s # mode mainly stored as an octal number in ASCII null or space terminated >100 string >\0 \b, mode %-.7s # user id mainly as octal numbers in ASCII null or space terminated >108 string >\0 \b, uid %-.7s # group id mainly as octal numbers in ASCII null or space terminated >116 string >\0 \b, gid %-.7s # size mainly as octal number in ASCII >124 ubyte <0x38 >>124 string >\0 \b, size %-.12s # coding indicated by setting the high-order bit of the leftmost byte >124 ubyte >0xEF \b, size 0x >>124 ubyte !0xff \b%2.2x >>125 ubyte !0xff \b%2.2x >>126 ubyte !0xff \b%2.2x >>127 ubyte !0xff \b%2.2x >>128 ubyte !0xff \b%2.2x >>129 ubyte !0xff \b%2.2x >>130 ubyte !0xff \b%2.2x >>131 ubyte !0xff \b%2.2x >>132 ubyte !0xff \b%2.2x >>133 ubyte !0xff \b%2.2x >>134 ubyte !0xff \b%2.2x >>135 ubyte !0xff \b%2.2x # seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated >136 string >\0 \b, seconds %-.11s # header checksum stored as an octal number in ASCII null or space terminated #>148 string x \b, cksum %.7s # linkname[100] >157 string >\0 \b, linkname %-.40s # additional fields for ustar >257 string =ustar # owner user name null terminated >>265 string >\0 \b, user %-.32s # group name null terminated >>297 string >\0 \b, group %-.32s # device major minor if not zero >>329 ubequad&0xCFCFCFCFcFcFcFdf !0 >>>329 string x \b, devmaj %-.7s >>337 ubequad&0xCFCFCFCFcFcFcFdf !0 >>>337 string x \b, devmin %-.7s # prefix[155] >>345 string >\0 \b, prefix %-.155s # old non ustar/POSIX tar >257 string !ustar >>508 string =tar\0 # padding[255] in old star >>>257 string >\0 \b, padding: %-.40s >>508 default x # padding[255] in old tar sometimes comment field >>>257 string >\0 \b, comment: %-.40s # Summary: Comic Book Archive *.CBT with TAR format # URL: https://en.wikipedia.org/wiki/Comic_book_archive # http://fileformats.archiveteam.org/wiki/Comic_Book_Archive # Note: there exist also RAR, ZIP, ACE and 7Z packed variants 0 name tar-cbt >0 string x Comic Book archive, tar archive #!:mime application/x-tar !:mime application/vnd.comicbook #!:mime application/vnd.comicbook+tar !:ext cbt # name[100] probably like: 19.jpg 0001.png 0002.png # or maybe like ComicInfo.xml >0 string >\0 \b, 1st image %-.60s # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html 0 string GNU\ tar- GNU tar incremental snapshot data >&0 regex [0-9]\\.[0-9]+-[0-9]+ version %s # cpio archives # # Yes, the top two "cpio archive" formats *are* supposed to just be "short". # The idea is to indicate archives produced on machines with the same # byte order as the machine running "file" with "cpio archive", and # to indicate archives produced on machines with the opposite byte order # from the machine running "file" with "byte-swapped cpio archive". # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. 0 short 070707 cpio archive !:mime application/x-cpio 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) !:mime application/x-cpio 0 string 070701 ASCII cpio archive (SVR4 with no CRC) !:mime application/x-cpio 0 string 070702 ASCII cpio archive (SVR4 with CRC) !:mime application/x-cpio # # Various archive formats used by various versions of the "ar" # command. # # # Original UNIX archive formats. # They were written with binary values in host byte order, and # the magic number was a host "int", which might have been 16 bits # or 32 bits. We don't say "PDP-11" or "VAX", as there might have # been ports to little-endian 16-bit-int or 32-bit-int platforms # (x86?) using some of those formats; if none existed, feel free # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian # 32-bit. There might have been big-endian ports of that sort as # well. # 0 leshort 0177555 very old 16-bit-int little-endian archive 0 beshort 0177555 very old 16-bit-int big-endian archive 0 lelong 0177555 very old 32-bit-int little-endian archive 0 belong 0177555 very old 32-bit-int big-endian archive 0 leshort 0177545 old 16-bit-int little-endian archive >2 string __.SYMDEF random library 0 beshort 0177545 old 16-bit-int big-endian archive >2 string __.SYMDEF random library 0 lelong 0177545 old 32-bit-int little-endian archive >4 string __.SYMDEF random library 0 belong 0177545 old 32-bit-int big-endian archive >4 string __.SYMDEF random library # # From "pdp" (but why a 4-byte quantity?) # 0 lelong 0x39bed PDP-11 old archive 0 lelong 0x39bee PDP-11 4.0 archive # # XXX - what flavor of APL used this, and was it a variant of # some ar archive format? It's similar to, but not the same # as, the APL workspace magic numbers in pdp. # 0 long 0100554 apl workspace # # System V Release 1 portable(?) archive format. # 0 string = System V Release 1 ar archive !:mime application/x-archive # # Debian package; it's in the portable archive format, and needs to go # before the entry for regular portable archives, as it's recognized as # a portable archive whose first member has a name beginning with # "debian". # # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Deb_(file_format) 0 string =!\ndebian # https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html >14 string -split part of multipart Debian package !:mime application/vnd.debian.binary-package # udeb is used for stripped down deb file !:ext deb/udeb >14 string -binary Debian binary package !:mime application/vnd.debian.binary-package # For ipk packager see also https://en.wikipedia.org/wiki/Opkg !:ext deb/udeb/ipk # This should not happen >14 default x Unknown Debian package # NL terminated version; for most Debian cases this is 2.0 or 2.1 for split >68 string >\0 (format %s) #>68 string !2.0\n #>>68 string x (format %.3s) >68 string =2.0\n # 2nd archive name=control archive name like control.tar.gz or control.tar.xz >>72 string >\0 \b, with %.14s # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma} >>0 search/0x93e4f data.tar. \b, data compression # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised # for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb >>>&0 string x %.2s # skip space (0x20 BSD) and slash (0x2f System V) character marking end of name >>>&2 ubyte !0x20 >>>>&-1 ubyte !0x2f # display 3rd character of file name extension like 2 of bz2 or m of lzma >>>>>&-1 ubyte x \b%c >>>>>>&0 ubyte !0x20 >>>>>>>&-1 ubyte !0x2f # display 4th character of file name extension like a of lzma >>>>>>>>&-1 ubyte x \b%c # split debian package case >68 string =2.1\n # dpkg-1.18.25/dpkg-split/info.c # NL terminated ASCII package name like ckermit >>&0 string x \b, %s # NL terminated package version like 302-5.3 >>>&1 string x %s # NL terminated MD5 checksum >>>>&1 string x \b, MD5 %s # NL terminated original package length >>>>>&1 string x \b, unsplitted size %s # NL terminated part length >>>>>>&1 string x \b, part length %s # NL terminated package part like n/m >>>>>>>&1 string x \b, part %s # NL terminated package architecture like armhf since dpkg 1.16.1 or later >>>>>>>>&1 string x \b, %s # # MIPS archive; they're in the portable archive format, and need to go # before the entry for regular portable archives, as it's recognized as # a portable archive whose first member has a name beginning with # "__________E". # 0 string =!\n__________E MIPS archive !:mime application/x-archive >20 string U with MIPS Ucode members >21 string L with MIPSEL members >21 string B with MIPSEB members >19 string L and an EL hash table >19 string B and an EB hash table >22 string X -- out of date # # BSD/SVR2-and-later portable archive formats. # # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/AR # Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/ # Note: Mach-O universal binary in ./cafebabe is dependent # TODO: unify current ar archive, MIPS archive, Debian package # distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR; # *.ar packages from *.a libraries. handle empty archive 0 string =!\n current ar archive # print first and possibly second ar_name[16] for debugging purpose #>8 string x \b, 1st "%.16s" #>68 string x \b, 2nd "%.16s" !:mime application/x-archive # a in most case for libraries; lib for Microsoft libraries; ar else cases !:ext a/lib/ar >8 string __.SYMDEF random library # first member with long marked name __.SYMDEF SORTED implies BSD library >68 string __.SYMDEF\ SORTED random library # Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf # "archive file" entry moved from ./hp # LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture # LST header a_magic 0619h~relocatable library >68 belong 0x020b0619 - PA-RISC1.0 relocatable library >68 belong 0x02100619 - PA-RISC1.1 relocatable library >68 belong 0x02110619 - PA-RISC1.2 relocatable library >68 belong 0x02140619 - PA-RISC2.0 relocatable library #EOF for common ar archives # # "Thin" archive, as can be produced by GNU ar. # 0 string =!\n thin archive with >68 belong 0 no symbol entries >68 belong 1 %d symbol entry >68 belong >1 %d symbol entries 0 search/1 -h- Software Tools format archive text # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) # # The first byte is the magic (0x1a), byte 2 is the compression type for # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS # filename of the first file (null terminated). Since some types collide # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW !:mime application/x-arc 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed !:mime application/x-arc 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched !:mime application/x-arc # [JW] stuff taken from idarc, obviously ARC successors: 0 lelong&0x8080ffff 0x00000a1a PAK archive data !:mime application/x-arc 0 lelong&0x8080ffff 0x0000141a ARC+ archive data !:mime application/x-arc 0 lelong&0x8080ffff 0x0000481a HYP archive data !:mime application/x-arc # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) # I can't create either SPARK or ArcFS archives so I have not tested this stuff # [GRR: the original entries collide with ARC, above; replaced with combined # version (not tested)] #0 byte 0x1a RISC OS archive (spark format) 0 string \032archive RISC OS archive (ArcFS format) 0 string Archive\000 RISC OS archive (ArcFS format) # All these were taken from idarc, many could not be verified. Unfortunately, # there were many low-quality sigs, i.e. easy to trigger false positives. # Please notify me of any real-world fishy/ambiguous signatures and I'll try # to get my hands on the actual archiver and see if I find something better. [JW] # probably many can be enhanced by finding some 0-byte or control char near the start # idarc calls this Crush/Uncompressed... *shrug* 0 string CRUSH Crush archive data # Squeeze It (.sqz) 0 string HLSQZ Squeeze It archive data # SQWEZ 0 string SQWEZ SQWEZ archive data # HPack (.hpk) 0 string HPAK HPack archive data # HAP 0 string \x91\x33HF HAP archive data # MD/MDCD 0 string MDmd MDCD archive data # LIM 0 string LIM\x1a LIM archive data # SAR 3 string LH5 SAR archive data # BSArc/BS2 0 string \212\3SB\020\0 BSArc/BS2 archive data # Bethesda Softworks Archive (Oblivion) 0 string BSA\0 BSArc archive data >4 lelong x version %d # MAR 2 string =-ah MAR archive data # ACB #0 belong&0x00f800ff 0x00800000 ACB archive data # CPZ # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data # JRC 0 string JRchive JRC archive data # Quantum 0 string DS\0 Quantum archive data # ReSOF 0 string PK\3\6 ReSOF archive data # QuArk 0 string 7\4 QuArk archive data # YAC 14 string YC YAC archive data # X1 0 string X1 X1 archive data 0 string XhDr X1 archive data # CDC Codec (.dqt) 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data # AMGC 0 string \xad6" AMGC archive data # NuLIB 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data # PakLeo 0 string LEOLZW PAKLeo archive data # ChArc 0 string SChF ChArc archive data # PSA 0 string PSA PSA archive data # CrossePAC 0 string DSIGDCC CrossePAC archive data # Freeze 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data # KBoom 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data # NSQ, must go after CDC Codec 0 string \x76\xff NSQ archive data # DPA 0 string Dirk\ Paehl DPA archive data # BA # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive # Update: Joerg Jenderek # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others 0 string \0\6 # look for first keyword of Panorama database *.pan >12 search/261 DESIGN # skip keyword with low entropy >12 default x # skip DOS 2.0 backup id file, sequence 6 with many nils like BACKUPID_xx6.@@@ handled by ./msdos >>8 quad !0 >>>0 use ttcomp # variant ASCII, 4K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? 0 string \1\6 # TODO: # skip VAX-order 68k Blit mpx/mux executable (strength=50) handled by ./blit !:strength -2 >0 use ttcomp 0 string \0\5 # skip some DOS 2.0 backup id file, sequence 5 with many nils like BACKUPID_075.@@@ handled by ./msdos >8 quad !0 >>0 use ttcomp 0 string \1\5 # TODO: # variant ASCII, 2K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? # skip ctab data (strength=50) handled by ./ibm6000 # skip locale data table (strength=50) handled by ./digital !:strength -2 >0 use ttcomp 0 string \0\4 # skip many Maple help database *.hdb with version tag handled by ./maple >1028 string !version # skip veclib maple.hdb by looking for Mable keyword >>4 search/1091 Maple\040 #>4 search/34090 Maple\040 >>4 default x # skip DOS 2.0-3.2 backed up sequence 4 with many nils like LOTUS5.RAR handled by ./msdos # skip xBASE Compound Index file *.CDX with many nils >>>0x54 quad !0 >>>>0 use ttcomp 0 string \1\4 # TODO: # skip Commodore PET BASIC 4.0 program *.prg # variant ASCII, 1K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? # skip shared library (strength=50) handled by ./ibm6000 !:strength -2 >0 use ttcomp # display information of TTComp archive 0 name ttcomp # (version 5.25) labeled the entry as "TTComp archive data" >0 ubyte x TTComp archive data !:mime application/x-compress-ttcomp # PBACKSCR.PI1 !:ext $xe/$ts/pi1/__d # compression type: 0~binary compression 1~ASCII compression >0 ubyte 0 \b, binary >0 ubyte 1 \b, ASCII # size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes >1 ubyte 4 \b, 1K >1 ubyte 5 \b, 2K >1 ubyte 6 \b, 4K >1 ubyte x dictionary # https://mark0.net/forum/index.php?topic=848 # last 3 bytes probably have only 8 possible bit sequences # xxxxxxxx 0000000x 11111111 ____FFh # xxxxxxxx 10000000 01111111 __807Fh # 0xxxxxxx 11000000 00111111 __C03Fh # 00xxxxxx 11100000 00011111 __E01Fh # 000xxxxx 11110000 00001111 __F00Fh # 0000xxxx 11111000 00000111 __F807h # 00000xxx 11111100 00000011 __FC03h # 000000xx 11111110 00000001 __FE01h # but for quickgif.__d 0A7DD4h #>-3 ubyte x \b, last 3 bytes 0x%2.2x #>-2 ubeshort x \b%4.4x # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Disk_Copy # reference: http://nulib.com/library/FTN.e00005.htm 0x52 ubeshort 0x0100 # test for disk image size equal or above 400k >0x40 ubelong >409599 # test also for disk image size equal or below 1440k to skip # windows7en.mbr UNICODE.DAT #>>0x40 ubelong <1474561 # test now for "low" disk image size equal or below 64 MiB to skip # windows7en.mbr (B441BBAAh) UNICODE.DAT (0400AF05h) >>0x40 ubelong <0x04000001 # To skip Flags$StringJoiner.class with size 00106A61h test also for valid disk image sizes # 00064000 for 400k GCR disks dc42-400k-gcr.trid.xml # 000c8000 for 800k GCR disks dc42-800k-gcr.trid.xml # 000b4000 for 720k MFM disks dc42-720k-mfm.trid.xml # 00168000 for 1440k MFM disks dc42-1440k-mfm.trid.xml # https://lisaem.sunder.net/LisaProjectDocs.txt # 00500000 05M available # 00A00000 10M available # 01800000 24M possible # 02000000 32M uncertain # 04000000 64M uncertain >>>0x40 ubelong&0xf8003fFF 0 # skip samples with invalid disk name length like: # 181 (biosmd80.rom) 202 (Flags$StringJoiner.class) 90 (UNICODE.DAT) >>>>0x0 ubyte <64 >>>>>0 use dc42-floppy # display information of Apple DiskCopy 4.2 floppy image 0 name dc42-floppy # disk name length; maximal 63 #>0 ubyte x DISK NAME LENGTH %u # ASCII image pascal (maximal 63 bytes) name padded with NULs like: # "Microsoft Mail" "Disquette 2" "IIe Installer Disk" # "-lisaem.sunder.net hd-" (dc42-lisaem.trid.xml) "-not a Macintosh disk" (dc42-nonmac.trid.xml) >00 pstring/B x Apple DiskCopy 4.2 image %s #!:mime application/octet-stream !:mime application/x-dc42-floppy-image !:apple dCpydImg # probably also img like: "Utilitaires 2.img" "Installation 7.img" !:ext image/dc42/img # data size in bytes like: 409600 737280 819200 1474560 >0x40 ubelong x \b, %u bytes # for debugging purpose size in hexadecimal #>0x40 ubelong x (%#8.8x) # tag size in bytes like: 0 (often) 2580h (PUID fmt/625) 4B00h (Microsoft Mail.image) >0x44 ubelong >0 \b, %#x tag size # data checksum #>0x48 ubelong x \b, %#x checksum # tag checksum #>0x4c ubelong x \b, %#x tag checksum # disk encoding like: 0 1 2 3 (PUID: fmt/625) >0x50 ubyte 0 \b, GCR CLV ssdd (400k) >0x50 ubyte 1 \b, GCR CLV dsdd (800k) >0x50 ubyte 2 \b, MFM CAV dsdd (720k) >0x50 ubyte 3 \b, MFM CAV dshd (1440k) >0x50 ubyte >3 \b, %#x encoding # format byte like: 12h (Lisa 400K) 24h (400K Macintosh) 96h (800K Apple II disk) # 2 (Mac 400k "Disquette Installation 13.image") # 22h (double-sided MFM or Mac 800k "Disco 12.image" "IIe Installer Disk.image") >0x51 ubyte x \b, %#x format #>0x54 ubequad x \b, data %#16.16llx # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 0 string ESP ESP archive data # ZPack 0 string \1ZPK\1 ZPack archive data # Sky 0 string \xbc\x40 Sky archive data # UFA 0 string UFA UFA archive data # Dry 0 string =-H2O DRY archive data # FoxSQZ 0 string FOXSQZ FoxSQZ archive data # AR7 0 string ,AR7 AR7 archive data # PPMZ 0 string PPMZ PPMZ archive data # MS Compress # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression # Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html # Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z 4 string \x88\xf0\x27 # KWAJ variant >0 string KWAJ MS Compress archive data, KWAJ variant !:mime application/x-ms-compress-kwaj # extension not working in version 5.32 # magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?' # file: line 284: Bad magic entry ' ??_' !:ext ??_ # compression method (0-4) >>8 uleshort x \b, %u method # offset of compressed data >>10 uleshort x \b, %#x offset #>>(10.s) uleshort x #>>>&-6 string x \b, TEST extension %-.3s # header flags to mark header extensions >>12 uleshort >0 \b, %#x flags # 4 bytes: decompressed length of file >>12 uleshort &0x01 >>>14 ulelong x \b, original size: %u bytes # 2 bytes: unknown purpose # 2 bytes: length of unknown data + mentioned bytes # 1-9 bytes: null-terminated file name # 1-4 bytes: null-terminated file extension >>12 uleshort &0x08 >>>12 uleshort ^0x01 >>>>12 uleshort ^0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>14 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>14 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(14.s) uleshort x >>>>>>>>&14 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(14.s) uleshort x >>>>>>>>&14 string x \b, %-.8s >>>>>>>>>&1 string x \b.%-.3s >>>>12 uleshort &0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>16 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>16 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(16.s) uleshort x >>>>>>>>&16 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(16.s) uleshort x >>>>>>>&16 string x %-.8s >>>>>>>>&1 string x \b.%-.3s >>>12 uleshort &0x01 >>>>12 uleshort ^0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>18 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>18 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(18.s) uleshort x >>>>>>>>&18 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(18.s) uleshort x >>>>>>>>&18 string x \b, %-.8s >>>>>>>>>&1 string x \b.%-.3s >>>>12 uleshort &0x02 >>>>>12 uleshort ^0x04 >>>>>>12 uleshort ^0x10 >>>>>>>20 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>20 string x \b, %-.8s >>>>>>>>&1 string x \b.%-.3s >>>>>12 uleshort &0x04 >>>>>>12 uleshort ^0x10 >>>>>>>(20.s) uleshort x >>>>>>>>&20 string x \b, %-.8s >>>>>>12 uleshort &0x10 >>>>>>>(20.s) uleshort x >>>>>>>>&20 string x \b, %-.8s >>>>>>>>>&1 string x \b.%-.3s # 2 bytes: length of data + mentioned bytes # # SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression # Reference: http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html # http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml # Note: called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID # verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ # `deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura" >0 string SZDD MS Compress archive data, SZDD variant # 2nd part of signature #>>4 ubelong 0x88F02733 \b, SIGNATURE OK !:mime application/x-ms-compress-szdd !:ext ??_ # The character missing from the end of the filename (0=unknown) >>9 string >\0 \b, %-.1s is last character of original name # https://www.betaarchive.com/forum/viewtopic.php?t=26161 # Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e >>8 string !A \b, %-.1s method >>10 ulelong >0 \b, original size: %u bytes # Summary: InstallShield archive with SZDD compressed # URL: https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647 # From: Joerg Jenderek 1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive #!:mime application/octet-stream !:mime application/x-installshield-compress-szdd !:ext ibt # name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_ >0 string x %s # name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL >>&1 string x (%s) # probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618 >>>&1 string x \b, version %s # SZDD member length like: 168048 169333 181842 >>>>&1 string x \b, %s bytes # MS Compress archive data #>&0 string SZDD \b, SIGNATURE FOUND >&0 indirect x # QBasic SZDD variant 3 string \x88\xf0\x27 >0 string SZ\x20 MS Compress archive data, QBasic variant !:mime application/x-ms-compress-sz !:ext ??$ >>8 ulelong >0 \b, original size: %u bytes # Summary: CAZIP compressed file # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/CAZIP # Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/caz.trid.xml # Note: Format is distinct from CAZIPXP compressed 0 string \x0D\x0A\x1ACAZIP CAZIP compressed file #!:mime application/octet-stream !:mime application/x-compress-cazip # like: BLINKER.WR_ CLIPDEFS._ CAOSETUP.EX_ CLIPPER.EX_ FILEIO.C_ !:ext ??_/?_/_ # Summary: FTCOMP compressed archive # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/FTCOMP # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ftcomp.trid.xml # Note: called by TrID "FTCOMP compressed archive" # extracted by `unpack seahelp.hl_` 24 string/b FTCOMP FTCOMP compressed archive #!:mime application/octet-stream !:mime application/x-compress-ftcomp !:ext ??_/??@/dll/drv/pk2/ # probably A596FDFF magic at the beginning >0 ubelong !0xA596FDFF \b, at beginning %#x # probably original file name with directory like: \OS2\unpack.exe \SYSTEM\8514.DRV MAHJONGG.EXE >41 string x "%s" # MP3 (archiver, not lossy audio compression) 0 string MP3\x1a MP3-Archiver archive data # ZET 0 string OZ\xc3\x9d ZET archive data # TSComp 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data # ARQ 0 string gW\4\1 ARQ archive data # Squash 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data # PUCrunch 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp 0 string \2AB ABComp archive data 0 string \3AB2 ABComp archive data # CMP 0 string CO\0 CMP archive data # Splint 0 string \x93\xb9\x06 Splint archive data # InstallShield 0 string \x13\x5d\x65\x8c InstallShield Z archive Data # Gather 1 string GTH Gather archive data # BOA 0 string BOA BOA archive data # RAX 0 string ULEB\xa RAX archive data # Xtreme 0 string ULEB\0 Xtreme archive data # Pack Magic 0 string @\xc3\xa2\1\0 Pack Magic archive data # BTS 0 belong&0xfeffffff 0x1a034465 BTS archive data # ELI 5750 0 string Ora\ ELI 5750 archive data # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data # PRO-PACK 0 string RNC PRO-PACK archive data # 777 0 string 777 777 archive data # LZS221 0 string sTaC LZS221 archive data # HPA 0 string HPA HPA archive data # Arhangel 0 string LG Arhangel archive data # EXP1, uses bzip2 0 string 0123456789012345BZh EXP1 archive data # IMP 0 string IMP\xa IMP archive data # NRV 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data # Squish 0 string \x73\xb2\x90\xf4 Squish archive data # Par 0 string PHILIPP Par archive data 0 string PAR Par archive data # HIT 0 string UB HIT archive data # SBX 0 belong&0xfffff000 0x53423000 SBX archive data # NaShrink 0 string NSK NaShrink archive data # SAPCAR 0 string #\ CAR\ archive\ header SAPCAR archive data 0 string CAR\ 2.00 SAPCAR archive data 0 string CAR\ 2.01 SAPCAR archive data #!:mime application/octet-stream !:mime application/vnd.sar !:ext sar # Disintegrator 0 string DST Disintegrator archive data # ASD 0 string ASD ASD archive data # InstallShield CAB # Update: Joerg Jenderek at Nov 2021 # URL: https://en.wikipedia.org/wiki/InstallShield # Reference: https://github.com/twogood/unshield/blob/master/lib/cabfile.h # Note: Not compatible with Microsoft CAB files # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield.trid.xml # CAB_SIGNATURE 0x28635349 0 string ISc( InstallShield #!:mime application/octet-stream !:mime application/x-installshield # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield-hdr.trid.xml >16 ulelong !0 setup header # like: _SYS1.HDR _USER1.HDR data1.hdr !:ext hdr >16 ulelong =0 CAB # like: _SYS1.CAB _USER1.CAB DATA1.CAB data2.cab !:ext cab # https://github.com/twogood/unshield/blob/master/lib/helper.c # version like: 0x1005201 0x100600c 0x1007000 0x1009500 # 0x2000578 0x20005dc 0x2000640 0x40007d0 0x4000834 >4 ulelong x \b, version %#x # volume_info like: 0 >8 ulelong !0 \b, volume_info %#x # cab_descriptor_offset like: 0x200 >12 ulelong !0x200 \b, offset %#x #>0x200 ubequad x \b, at 0x200 %#16.16llx # cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2 >16 ulelong !0 \b, descriptor size %#x # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable # so TODO: get real 4dos batcomp file and find sig # BlakHole 0 string BH\5\7 BlakHole archive data # BIX 0 string BIX0 BIX archive data # ChiefLZA 0 string ChfLZ ChiefLZA archive data # Blink 0 string Blink Blink archive data # Logitech Compress 0 string \xda\xfa Logitech Compress archive data # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) 1 string (C)\ STEPANYUK ARS-Sfx archive data # AKT/AKT32 0 string AKT32 AKT32 archive data 0 string AKT AKT archive data # NPack 0 string MSTSM NPack archive data # PFT 0 string \0\x50\0\x14 PFT archive data # SemOne 0 string SEM SemOne archive data # PPMD 0 string \x8f\xaf\xac\x84 PPMD archive data # FIZ 0 string FIZ FIZ archive data # MSXiE 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data # DeepFreezer 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data # DC 0 string =2 string \x2\x4 Xpack DiskImage archive data #!:ext xdi # XPack Data # *.xpa updated by Joerg Jenderek Sep 2015 # ftp://ftp.elf.stuba.sk/pub/pc/pack/ 0 string xpa XPA !:ext xpa # XPA32 # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip # created by XPA32.EXE version 1.0.2 for Windows >0 string xpa\0\1 \b32 archive data # created by XPACK.COM version 1.67m or 1.67r with short 0x1800 >3 ubeshort !0x0001 \bck archive data # XPack Single Data # changed by Joerg Jenderek Sep 2015 back to like in version 5.12 # letter 'I'+ acute accent is equivalent to \xcd 0 string \xcd\ jm Xpack single archive data #!:mime application/x-xpa-compressed !:ext xpa # TODO: missing due to unknown magic/magic at end of file: #DWC #ARG #ZAR #PC/3270 #InstallIt #RKive #RK #XPack Diskimage # These were inspired by idarc, but actually verified # Dzip archiver (.dz) # Update: Joerg Jenderek # URL: http://speeddemosarchive.com/dzip/ # reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c # GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt 0 string DZ # latest version is 2.9 dated 7 may 2003 >2 byte <4 Dzip archive data !:mime application/x-dzip !:ext dz >>2 byte x \b, version %i >>3 byte x \b.%i >>4 ulelong x \b, offset %#x >>8 ulelong x \b, %u files # ZZip archiver (.zz) 0 string ZZ\ \0\0 ZZip archive data 0 string ZZ0 ZZip archive data # PAQ archiver (.paq) 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data 0 string PAQ PAQ archive data >3 byte&0xf0 0x30 >>3 byte x (v%c) # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/JAR_(ARJ_Software) # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jar.trid.xml # https://www.sac.sk/download/pack/jar102x.exe/TECHNOTE.DOC # Note: called "JAR compressed archive" by TrID 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data #!:mime application/octet-stream !:mime application/x-compress-j >0 ulelong x \b, CRC32 %#x # standard suffix is ".j"; for multi volumes following order j01 j02 ... j99 100 ... 990 !:ext j/j01/j02 # URL: http://fileformats.archiveteam.org/wiki/JARCS # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jarcs.trid.xml # Note: called "JARCS compressed archive" by TrID 0 string JARCS JAR (ARJ Software, Inc.) archive data #!:mime application/octet-stream !:mime application/x-compress-jar !:ext jar # ARJ archiver (jason@jarthur.Claremont.EDU) # URL: http://fileformats.archiveteam.org/wiki/ARJ # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-arj.trid.xml # https://github.com/FarGroup/FarManager/ # blob/master/plugins/multiarc/arc.doc/arj.txt # Note: called "ARJ compressed archive" by TrID and # "ARJ File Format" by DROID via PUID fmt/610 # verified by `7z l -tarj PHRACK1.ARJ` and # `arj.exe l TEST-hk9.ARJ` 0 leshort 0xea60 # skip DROID fmt-610-signature-id-946.arj by check for valid file type of main header >0xA ubyte 2 >>0 use arj-archive 0 name arj-archive >0 leshort x ARJ archive !:mime application/x-arj # look for terminating 0-character of filename >0x26 search/1024 \0 # file name extension is normally .arj but not for parts of multi volume #>>&-5 string x extension %.4s >>&-5 string/c .arj data !:ext arj >>&-5 default x # for multi volume first name is archive.arj then following parts archive.a01 archive.a02 ... >>>8 byte &0x04 data !:ext a01/a02 # for SFX first name is archive.exe then following parts archive.e01 archive.e02 ... >>>8 byte ^0x04 data, SFX multi-volume !:ext e01/e02 # basic header size like: 0x002b 0x002c 0x04e0 0x04e3 0x04e7 #>2 uleshort x basic header size %#4.4x # next fragment content like: 0x0a200a003a8fc713 0x524a000010bb3471 0x524a0000c73c70f9 #>(2.s) ubequad x NEXT FRAGMENT CONTENT %#16.16llx # first_hdr_size; seems to be same as basic header size #>2 uleshort x 1st header size %#x # archiver version number like: 3 4 6 11 102 >5 byte x \b, v%d # minimum archiver version to extract like: 1 >6 ubyte !1 \b, minimum %u to extract # FOR DEBUGGING #>8 byte x \b, FLAGS %#x # GARBLED_FLAG1; garble with password; g switch >8 byte &0x01 \b, password-protected # encryption version: 0~old 1~old 2~new 3~reserved 4~40 bit key GOST >>0x20 ubyte x (v%u) #>8 byte &0x02 \b, secured # ANSIPAGE_FLAG; indicates ANSI codepage used by ARJ32; hy switch >8 byte &0x02 \b, ANSI codepage # VOLUME_FLAG indicates presence of succeeding volume; but apparently not for SFX >8 byte &0x04 \b, multi-volume #>8 byte &0x08 \b, file-offset # ARJPROT_FLAG; build with data protection record; hk switch >8 byte &0x08 \b, recoverable # arj protection factor; maximal 10; switch hky -> factor=y+1 >>0x22 byte x (factor %u) >8 byte &0x10 \b, slash-switched # BACKUP_FLAG; obsolete >8 byte &0x20 \b, backup # SECURED_FLAG; >8 byte &0x40 \b, secured, # ALTNAME_FLAG; indicates dual-name archive >8 byte &0x80 \b, dual-name # security version; 0~old 2~current >9 ubyte !0 >>9 ubyte !2 \b, security version %u # file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel >0xA ubyte !2 \b, file type %u # date+time when original archive was created in MS-DOS format via ./msdos >0xC ulelong x \b, created >0xC use dos-date # or date and time by new internal function #>0xE lemsdosdate x %s #>0xC lemsdostime x %s # FOR DEBUGGING #>0x12 uleshort x RAW DATE %#4.4x #>0x10 uleshort x RAW TIME %#4.4x # date+time when archive was last modified; sometimes nil or # maybe wrong like in HP4DRVR.ARJ #>0x10 ulelong >0 \b, modified #>>0x10 use dos-date # or date and time by new internal function #>>0x12 lemsdosdate x %s #>>0x10 lemsdostime x %s # archive size (currently used only for secured archives); MAYBE? #>0x14 ulelong !0 \b, file size %u # security envelope file position; MAYBE? #>0x18 ulelong !0 \b, at %#x security envelope # filespec position in filename; WHAT IS THAT? #>0x1C uleshort >0 \b, filespec position %#x # length in bytes of security envelope data like: 2CAh 301h 364h 471h >0x1E uleshort !0 \b, security envelope length %#x # last chapter like: 0 1 >0x21 ubyte !0 \b, last chapter %u # filename (null-terminated string); sometimes at 0x26 when 4 bytes for extra data >34 byte x \b, original name: # with extras data >34 byte <0x0B >>38 string x %s # without extras data >34 byte >0x0A >>34 string x %s # host OS: 0~MSDOS ... 11~WIN32 >7 byte 0 \b, os: MS-DOS >7 byte 1 \b, os: PRIMOS >7 byte 2 \b, os: Unix >7 byte 3 \b, os: Amiga >7 byte 4 \b, os: Macintosh >7 byte 5 \b, os: OS/2 >7 byte 6 \b, os: Apple ][ GS >7 byte 7 \b, os: Atari ST >7 byte 8 \b, os: NeXT >7 byte 9 \b, os: VAX/VMS >7 byte 10 \b, os: WIN95 >7 byte 11 \b, os: WIN32 # [JW] idarc says this is also possible 2 leshort 0xea60 ARJ archive data #2 leshort 0xea60 #>2 use arj-archive # HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, #>2 leshort >1 %hu files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC #>4 byte&0x0f =0x0e first is type DIR #>4 byte&0x0f =0x0f first is type SPECIAL # suggestion: at least identify small archives (<1024 files) 0 belong&0xffff00fc 0x48410000 HA archive data >2 leshort =1 1 file, >2 leshort >1 %u files, >4 byte&0x0f =0 first is type CPY >4 byte&0x0f =1 first is type ASC >4 byte&0x0f =2 first is type HSC >4 byte&0x0f =0x0e first is type DIR >4 byte&0x0f =0x0f first is type SPECIAL # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 0 string HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string \351,\001JAM\ JAM archive, >7 string >\0 version %.4s >0x26 byte =0x27 - >>0x2b string >\0 label %.11s, >>0x27 lelong x serial %08x, >>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html # # check and display information of lharc (LHa,PMarc) file 0 name lharc-file # check 1st character of method id like -lz4- -lh5- or -pm2- >2 string - # check 5th character of method id >>6 string - # check header level 0 1 2 3 >>>20 ubyte <4 # check 2nd, 3th and 4th character of method id >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b !:mime application/x-lzh-compressed # creator type "LHA " !:apple ????LHA # display archive type name like "LHa/LZS archive data" or "LArc archive" >>>>>2 string -lz \b !:ext lzs # already known -lzs- -lz4- -lz5- with old names >>>>>>2 string -lzs LHa/LZS archive data >>>>>>3 regex \^lz[45] LHarc 1.x archive data # missing -lz?- with wikipedia names >>>>>>3 regex \^lz[2378] LArc archive # display archive type name like "LHa (2.x) archive data" >>>>>2 string -lh \b # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment >>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data >>>>>>3 regex \^lh[456] LHa (2.x) archive data >>>>>>>2 string -lh5 \b # https://en.wikipedia.org/wiki/BIOS # Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like # bios.rom , kd7_v14.bin, 1010.004, ... !:ext lha/lzh/rom/bin # missing -lh?- variants (Joe Jared) >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive # UNLHA32 2.67a >>>>>>2 string -lhx LHa (UNLHA32) archive # lha archives with standard file name extensions ".lha" ".lzh" >>>>>>3 regex !\^(lh1|lh5) \b !:ext lha/lzh # this should not happen if all -lh variants are described >>>>>>2 default x LHa (unknown) archive #!:ext lha # PMarc >>>>>3 regex \^pm[012] PMarc archive data !:ext pma # append method id without leading and trailing minus character >>>>>3 string x [%3.3s] >>>>>>0 use lharc-header # # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 >0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d # attribute: 0x2~?? 0x10~symlink|target 0x20~normal #>19 ubyte x \b, 19_%#x # level identifier 0 1 2 3 #>20 ubyte x \b, level %d # time stamp #>15 ubelong x DATE %#8.8x # OS ID for level 1 >20 ubyte 1 # 0x20 types find for *.rom files >>(21.b+24) ubyte <0x21 \b, %#x OS # ascii type like M for MSDOS >>(21.b+24) ubyte >0x20 \b, '%c' OS # OS ID for level 2 >20 ubyte 2 #>>23 ubyte x \b, OS ID %#x >>23 ubyte <0x21 \b, %#x OS >>23 ubyte >0x20 \b, '%c' OS # filename only for level 0 and 1 >20 ubyte <2 # length of filename >>21 ubyte >0 \b, with # filename >>>21 pstring x "%s" # #2 string -lh0- LHarc 1.x/ARX archive data [lh0] #!:mime application/x-lharc 2 string -lh0- >0 use lharc-file #2 string -lh1- LHarc 1.x/ARX archive data [lh1] #!:mime application/x-lharc 2 string -lh1- >0 use lharc-file # NEW -lz2- ... -lz8- 2 string -lz2- >0 use lharc-file 2 string -lz3- >0 use lharc-file 2 string -lz4- >0 use lharc-file 2 string -lz5- >0 use lharc-file 2 string -lz7- >0 use lharc-file 2 string -lz8- >0 use lharc-file # [never seen any but the last; -lh4- reported in comp.compression:] #2 string -lzs- LHa/LZS archive data [lzs] 2 string -lzs- >0 use lharc-file # According to wikipedia and others such a version does not exist #2 string -lh\40- LHa 2.x? archive data [lh ] #2 string -lhd- LHa 2.x? archive data [lhd] 2 string -lhd- >0 use lharc-file #2 string -lh2- LHa 2.x? archive data [lh2] 2 string -lh2- >0 use lharc-file #2 string -lh3- LHa 2.x? archive data [lh3] 2 string -lh3- >0 use lharc-file #2 string -lh4- LHa (2.x) archive data [lh4] 2 string -lh4- >0 use lharc-file #2 string -lh5- LHa (2.x) archive data [lh5] 2 string -lh5- >0 use lharc-file #2 string -lh6- LHa (2.x) archive data [lh6] 2 string -lh6- >0 use lharc-file #2 string -lh7- LHa (2.x)/LHark archive data [lh7] 2 string -lh7- # !:mime application/x-lha # >20 byte x - header level %d >0 use lharc-file # NEW -lh8- ... -lhe- , -lhx- 2 string -lh8- >0 use lharc-file 2 string -lh9- >0 use lharc-file 2 string -lha- >0 use lharc-file 2 string -lhb- >0 use lharc-file 2 string -lhc- >0 use lharc-file 2 string -lhe- >0 use lharc-file 2 string -lhx- >0 use lharc-file # taken from idarc [JW] 2 string -lZ PUT archive data # already done by LHarc magics # this should never happen if all sub types of LZS archive are identified #2 string -lz LZS archive data 2 string -sw1- Swag archive data 0 name rar-file-header >24 byte 15 \b, v1.5 >24 byte 20 \b, v2.0 >24 byte 29 \b, v4 >15 byte 0 \b, os: MS-DOS >15 byte 1 \b, os: OS/2 >15 byte 2 \b, os: Win32 >15 byte 3 \b, os: Unix >15 byte 4 \b, os: Mac OS >15 byte 5 \b, os: BeOS 0 name rar-archive-header >3 leshort&0x1ff >0 \b, flags: >>3 leshort &0x01 ArchiveVolume >>3 leshort &0x02 Commented >>3 leshort &0x04 Locked >>3 leshort &0x10 NewVolumeNaming >>3 leshort &0x08 Solid >>3 leshort &0x20 Authenticated >>3 leshort &0x40 RecoveryRecordPresent >>3 leshort &0x80 EncryptedBlockHeader >>3 leshort &0x100 FirstVolume # RAR (Roshal Archive) archive 0 string Rar!\x1a\7\0 RAR archive data !:mime application/x-rar !:ext rar/cbr # file header >(0xc.l+9) byte 0x74 >>(0xc.l+7) use rar-file-header # subblock seems to share information with file header >(0xc.l+9) byte 0x7a >>(0xc.l+7) use rar-file-header >9 byte 0x73 >>7 use rar-archive-header 0 string Rar!\x1a\7\1\0 RAR archive data, v5 !:mime application/x-rar !:ext rar # Very old RAR archive # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf 0 string RE\x7e\x5e RAR archive data (26 string \x8\0\0\0mimetypeapplication/ # KOffice / OpenOffice & StarOffice / OpenDocument formats # From: Abel Cheung # KOffice (1.2 or above) formats # (mimetype contains "application/vnd.kde.") >>50 string vnd.kde. KOffice (>=1.2) >>>58 string karbon Karbon document >>>58 string kchart KChart document >>>58 string kformula KFormula document >>>58 string kivio Kivio document >>>58 string kontour Kontour document >>>58 string kpresenter KPresenter document >>>58 string kspread KSpread document >>>58 string kword KWord document # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) # (mimetype contains "application/vnd.sun.xml.") # URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML # reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML >>50 string vnd.sun.xml. OpenOffice.org 1.x >>>62 string writer Writer >>>>68 byte !0x2e document !:mime application/vnd.sun.xml.writer !:ext sxw >>>>68 string .template template !:mime application/vnd.sun.xml.writer.template !:ext stw >>>>68 string .web Web template !:mime application/vnd.sun.xml.writer.web !:ext stw >>>>68 string .global global document !:mime application/vnd.sun.xml.writer.global !:ext sxg >>>62 string calc Calc >>>>66 byte !0x2e spreadsheet !:mime application/vnd.sun.xml.calc !:ext sxc >>>>66 string .template template !:mime application/vnd.sun.xml.calc.template !:ext stc >>>62 string draw Draw >>>>66 byte !0x2e document !:mime application/vnd.sun.xml.draw !:ext sxd >>>>66 string .template template !:mime application/vnd.sun.xml.draw.template !:ext std >>>62 string impress Impress >>>>69 byte !0x2e presentation !:mime application/vnd.sun.xml.impress !:ext sxi >>>>69 string .template template !:mime application/vnd.sun.xml.impress.template !:ext sti >>>62 string math Math document !:mime application/vnd.sun.xml.math !:ext sxm >>>62 string base Database file !:mime application/vnd.sun.xml.base !:ext sdb # URL: https://wiki.openoffice.org/wiki/Documentation/DevGuide/Extensions/File_Format # From: Joerg Jenderek # Note: only few OXT samples are detected here by mimetype member # is used by OpenOffice and LibreOffice and probably also NeoOffice # verified by `unzip -Zv *.oxt` or `7z l -slt *.oxt` >>50 string vnd.openofficeorg. OpenOffice >>>68 string extension \b/LibreOffice Extension # http://extension.nirsoft.net/oxt !:mime application/vnd.openofficeorg.extension # like: Gallery-Puzzle.2.1.0.1.oxt !:ext oxt # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) # URL: http://fileformats.archiveteam.org/wiki/OpenDocument # https://lists.oasis-open.org/archives/office/200505/msg00006.html # (mimetype contains "application/vnd.oasis.opendocument.") >>50 string vnd.oasis.opendocument. OpenDocument >>>73 string text >>>>77 byte !0x2d Text !:mime application/vnd.oasis.opendocument.text !:ext odt >>>>77 string -template Text Template !:mime application/vnd.oasis.opendocument.text-template !:ext ott >>>>77 string -web HTML Document Template !:mime application/vnd.oasis.opendocument.text-web !:ext oth >>>>77 string -master Master Document !:mime application/vnd.oasis.opendocument.text-master !:ext odm >>>73 string graphics >>>>81 byte !0x2d Drawing !:mime application/vnd.oasis.opendocument.graphics !:ext odg >>>>81 string -template Drawing Template !:mime application/vnd.oasis.opendocument.graphics-template !:ext otg >>>73 string presentation >>>>85 byte !0x2d Presentation !:mime application/vnd.oasis.opendocument.presentation !:ext odp >>>>85 string -template Presentation Template !:mime application/vnd.oasis.opendocument.presentation-template !:ext otp >>>73 string spreadsheet >>>>84 byte !0x2d Spreadsheet !:mime application/vnd.oasis.opendocument.spreadsheet !:ext ods >>>>84 string -template Spreadsheet Template !:mime application/vnd.oasis.opendocument.spreadsheet-template !:ext ots >>>73 string chart >>>>78 byte !0x2d Chart !:mime application/vnd.oasis.opendocument.chart !:ext odc >>>>78 string -template Chart Template !:mime application/vnd.oasis.opendocument.chart-template !:ext otc >>>73 string formula >>>>80 byte !0x2d Formula !:mime application/vnd.oasis.opendocument.formula !:ext odf >>>>80 string -template Formula Template !:mime application/vnd.oasis.opendocument.formula-template !:ext otf # https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml >>>73 string database Database !:mime application/vnd.oasis.opendocument.database !:ext odb # Valid for LibreOffice Base 6.0.1.1 at least >>>73 string base Database # https://bugs.documentfoundation.org/show_bug.cgi?id=45854 !:mime application/vnd.oasis.opendocument.database #!:mime application/vnd.oasis.opendocument.base !:ext odb >>>73 string image >>>>78 byte !0x2d Image !:mime application/vnd.oasis.opendocument.image !:ext odi >>>>78 string -template Image Template !:mime application/vnd.oasis.opendocument.image-template !:ext oti # EPUB (OEBPS) books using OCF (OEBPS Container Format) # https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4. # From: Ralf Brown >>50 string epub+zip EPUB document !:mime application/epub+zip # From: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/CorelDRAW # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based >>50 string x-vnd.corel. Corel >>>62 string draw.document+zip Draw drawing, version 14-16 !:mime application/x-vnd.corel.draw.document+zip !:ext cdr >>>62 string draw.template+zip Draw template, version 14-16 !:mime application/x-vnd.corel.draw.template+zip !:ext cdrt >>>62 string zcf.draw.document+zip Draw drawing, version 17-22 !:mime application/x-vnd.corel.zcf.draw.document+zip !:ext cdr >>>62 string zcf.draw.template+zip Draw template, version 17-22 !:mime application/x-vnd.corel.zcf.draw.template+zip !:ext cdt/cdrt # URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html >>>62 string zcf.pattern+zip Draw pattern, version 22 !:mime application/x-vnd.corel.zcf.pattern+zip !:ext pat # URL: https://en.wikipedia.org/wiki/Corel_Designer # Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer # Note: called by TrID "Corel DESIGN graphics" >>>62 string designer.document+zip DESIGNER graphics, version 14-16 !:mime application/x-vnd.corel.designer.document+zip !:ext des >>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21 !:mime application/x-vnd.corel.zcf.designer.document+zip !:ext des # URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/ # CorelDRAW-Corel-Symbol-Library-CSL.html >>>62 string symbol.library+zip Symbol Library, version 6-16.3 !:mime application/x-vnd.corel.symbol.library+zip !:ext csl >>>62 string zcf.symbol.library+zip Symbol Library, version 17-22 !:mime application/x-vnd.corel.zcf.symbol.library+zip !:ext csl # Catch other ZIP-with-mimetype formats # In a ZIP file, the bytes immediately after a member's contents are # always "PK". The 2 regex rules here print the "mimetype" member's # contents up to the first 'P'. Luckily, most MIME types don't contain # any capital 'P's. This is a kludge. # (mimetype contains "application/") >>50 default x Zip data >>>38 regex [!-OQ-~]+ (MIME type "%s"?) !:mime application/zip # (mimetype contents other than "application/*") >26 string \x8\0\0\0mimetype >>38 string !application/ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip # Java Jar files >(26.s+30) leshort 0xcafe Java archive data (JAR) !:mime application/java-archive # iOS App >(26.s+30) leshort !0xcafe >>26 string !\x8\0\0\0mimetype >>>30 string Payload/ >>>>38 search/64 .app/ iOS App !:mime application/x-ios-app # Dup, see above. #>30 search/100/b application/epub+zip EPUB document #!:mime application/epub+zip # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) # Next line excludes specialized formats: >(26.s+30) leshort !0xcafe >>30 search/100/b !application/epub+zip >>>26 string !\x8\0\0\0mimetype Zip archive data !:mime application/zip >>>>4 beshort x \b, at least >>>>4 use zipversion >>>>4 beshort x to extract >>>>8 beshort x \b, compression method= >>>>8 use zipcompression >>>>0x161 string WINZIP \b, WinZIP self-extracting # StarView Metafile # From Pierre Ducroquet 0 string VCLMTF StarView MetaFile >6 beshort x \b, version %d >8 belong x \b, size %d # Zoo archiver 20 lelong 0xfdc4a7dc Zoo archive data !:mime application/x-zoo >4 byte >48 \b, v%c. >>6 byte >47 \b%c >>>7 byte >47 \b%c >32 byte >0 \b, modify: v%d >>33 byte x \b.%d+ >42 lelong 0xfdc4a7dc \b, >>70 byte >0 extract: v%d >>>71 byte x \b.%d+ # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text !:mime application/octet-stream # # LBR. NB: May conflict with the questionable # "binary Computer Graphics Metafile" format. # 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # #2 string -pm0- PMarc archive data [pm0] 2 string -pm0- >0 use lharc-file #2 string -pm1- PMarc archive data [pm1] 2 string -pm1- >0 use lharc-file #2 string -pm2- PMarc archive data [pm2] 2 string -pm2- >0 use lharc-file 2 string -pms- PMarc SFX archive (CP/M, DOS) #!:mime application/x-foobar-exec !:ext com 5 string -pc1- PopCom compressed executable (CP/M) #!:mime application/x- #!:ext com # From Rafael Laboissiere # The Project Revision Control System (see # http://prcs.sourceforge.net) generates a packaged project # file which is recognized by the following entry: 0 leshort 0xeb81 PRCS packaged project # Microsoft cabinets # by David Necas (Yeti) #0 string MSCF\0\0\0\0 Microsoft cabinet file data, #>25 byte x v%d #>24 byte x \b.%d # MPi: All CABs have version 1.3, so this is pointless. # Better magic in debian-additions. # GTKtalog catalogs # by David Necas (Yeti) 4 string gtktalog\ GTKtalog catalog data, >13 string 3 version 3 >>14 beshort 0x677a (gzipped) >>14 beshort !0x677a (not gzipped) >13 string >3 version %s ############################################################################ # Parity archive reconstruction file, the 'par' file format now used on Usenet. 0 string PAR\0 PARity archive data >48 leshort =0 - Index file >48 leshort >0 - file number %d # Felix von Leitner 0 string d8:announce BitTorrent file !:mime application/x-bittorrent !:ext torrent # Durval Menezes, 0 string d13:announce-list BitTorrent file !:mime application/x-bittorrent !:ext torrent 0 string d7:comment BitTorrent file !:mime application/x-bittorrent !:ext torrent 0 string d4:info BitTorrent file !:mime application/x-bittorrent !:ext torrent # Atari MSA archive - Teemu Hukkanen # URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver) # Reference: http://info-coach.fr/atari/documents/_mydoc/FD_Image_File_Format.pdf # http://mark0.net/download/triddefs_xml.7z/defs/m/msa.trid.xml # Update: Joerg Jenderek # Note: called by TrID "Atari MSA Disk Image" and verified by # command like `deark -l -m msa -d2 PDATS578.msa` as " Atari ST floppy disk image" # GRR: line below is too general as it matches setup.skin 0 beshort 0x0e0f # skip foo setup.skin with unrealistic high number 52255 of sides by check for valid "low" value >4 ubeshort <2 Atari MSA archive data #!:mime application/octet-stream !:mime application/x-atari-msa !:ext msa # sectors per track like: 9 10 >>2 beshort x \b, %d sectors per track # sides (0 or 1; add 1 to this to get correct number of sides) >>4 beshort 0 \b, 1 sided >>4 beshort 1 \b, 2 sided # starting track like: 0 >>6 beshort x \b, starting track: %d # ending track like: 39 79 80 81 >>8 beshort x \b, ending track: %d # tracks content #>>10 ubequad x \b, track content %#16.16llx # Alternate ZIP string (amc@arwen.cs.berkeley.edu) 0 string PK00PK\003\004 Zip archive data !:mime application/zip !:ext zip/cbz # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl 7 string **ACE** ACE archive data !:mime application/x-ace-compressed !:ext ace >15 byte >0 version %d >16 byte =0x00 \b, from MS-DOS >16 byte =0x01 \b, from OS/2 >16 byte =0x02 \b, from Win/32 >16 byte =0x03 \b, from Unix >16 byte =0x04 \b, from MacOS >16 byte =0x05 \b, from WinNT >16 byte =0x06 \b, from Primos >16 byte =0x07 \b, from AppleGS >16 byte =0x08 \b, from Atari >16 byte =0x09 \b, from Vax/VMS >16 byte =0x0A \b, from Amiga >16 byte =0x0B \b, from Next >14 byte x \b, version %d to extract >5 leshort &0x0080 \b, multiple volumes, >>17 byte x \b (part %d), >5 leshort &0x0002 \b, contains comment >5 leshort &0x0200 \b, sfx >5 leshort &0x0400 \b, small dictionary >5 leshort &0x0800 \b, multi-volume >5 leshort &0x1000 \b, contains AV-String >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered) >5 leshort &0x2000 \b, with recovery record >5 leshort &0x4000 \b, locked >5 leshort &0x8000 \b, solid # Date in MS-DOS format (whatever that is) #>18 lelong x Created on # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann # 0x1A string sfArk sfArk compressed Soundfont >0x15 string 2 >>0x1 string >\0 Version %s >>0x2A string >\0 : %s # DR-DOS 7.03 Packed File *.??_ # Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm # Note: unpacked by PNUNPACK.EXE 0 string Packed\ File\ # by looking for Control-Z skip ASCII text starting with Packed File >0x18 ubyte 0x1a Personal NetWare Packed File !:mime application/x-novell-compress !:ext ??_ >>12 string x \b, was "%.12s" # 1 or 2 #>>0x19 ubyte x \b, at 0x19 %u >>0x1b ulelong x with %u bytes # EET archive # From: Tilman Sauerbeck 0 belong 0x1ee7ff00 EET archive !:mime application/x-eet # rzip archives 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) # From: Joerg Jenderek # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php # reference: http://mark0.net/download/triddefs_xml.7z/ # defs/f/fzip.trid.xml # Note: unknown compression; No "PK" zip magic; normally in directory like # "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install" 0 ubequad 0x2506781901010000 Foxit add-on/update !:mime application/x-fzip !:ext fzip # From: "Robert Dale" 0 belong 123 dar archive, >4 belong x label "%.8x >>8 belong x %.8x >>>12 beshort x %.4x" >14 byte 0x54 end slice >14 beshort 0x4e4e multi-part >14 beshort 0x4e53 multi-part, with -S # Symbian installation files # https://www.thouky.co.uk/software/psifs/sis.html # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf 8 lelong 0x10000419 Symbian installation file !:mime application/vnd.symbian.install >4 lelong 0x1000006D (EPOC release 3/4/5) >4 lelong 0x10003A12 (EPOC release 6) 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x) !:mime x-epoc/x-sisx-app # From "Nelson A. de Oliveira" 0 string MPQ\032 MoPaQ (MPQ) archive # From: "Nelson A. de Oliveira" # .kgb 0 string KGB_arch KGB Archiver file >10 string x with compression level %.1s # xar (eXtensible ARchiver) archive # URL: https://en.wikipedia.org/wiki/Xar_(archiver) # xar archive format: https://code.google.com/p/xar/ # From: "David Remahl" # Update: Joerg Jenderek # TODO: lzma compression; X509Data for pkg and xip # Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or # 7z t -txar Xcode_10.2_beta_4.xip` 0 string xar! xar archive !:mime application/x-xar # pkg for Mac OSX installer package like FullBundleUpdate.pkg # xip for signed Apple software like Xcode_10.2_beta_4.xip !:ext xar/pkg/xip # always 28 in older archives >4 ubeshort >28 \b, header size %u # currently there exit only version 1 since about 2014 >6 ubeshort >1 version %u, >8 ubequad x compressed TOC: %llu, #>16 ubequad x uncompressed TOC: %llu, # cksum_alg 0-2 in older and also 3-4 in newer >24 belong 0 no checksum >24 belong 1 SHA-1 checksum >24 belong 2 MD5 checksum >24 belong 3 SHA-256 checksum >24 belong 4 SHA-512 checksum >24 belong >4 unknown %#x checksum #>24 belong >4 checksum # For no compression jump 0 bytes >24 belong 0 >>0 ubyte x # jump more bytes forward by header size >>>&(4.S) ubyte x # jump more bytes forward by compressed table of contents size #>>>>&(8.Q) ubequad x \b, heap data %#llx >>>>&(8.Q) ubyte x # look for data by ./compress after message with 1 space at end >>>>>&-3 indirect x \b, contains # For SHA-1 jump 20 minus 2 bytes >24 belong 1 >>18 ubyte x # jump more bytes forward by header size >>>&(4.S) ubyte x # jump more bytes forward by compressed table of contents size >>>>&(8.Q) ubyte x # data compressed by gzip, bzip, lzma or none >>>>>&-1 indirect x \b, contains # For SHA-256 jump 32 minus 2 bytes >24 belong 3 >>30 ubyte x # jump more bytes forward by header size >>>&(4.S) ubyte x # jump more bytes forward by compressed table of contents size >>>>&(8.Q) ubyte x >>>>>&-1 indirect x \b, contains # For SHA-512 jump 64 minus 2 bytes >24 belong 4 >>62 ubyte x # jump more bytes forward by header size >>>&(4.S) ubyte x # jump more bytes forward by compressed table of contents size >>>>&(8.Q) ubyte x >>>>>&-1 indirect x \b, contains # Type: Parity Archive # From: Daniel van Eeden 0 string PAR2 Parity Archive Volume Set # Bacula volume format. (Volumes always start with a block header.) # URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html # From: Adam Buchbinder 12 string BB02 Bacula volume >20 bedate x \b, started %s # ePub is XHTML + XML inside a ZIP archive. The first member of the # archive must be an uncompressed file called 'mimetype' with contents # 'application/epub+zip' # From: "Michael Gorny" # ZPAQ: http://mattmahoney.net/dc/zpaq.html 0 string zPQ ZPAQ stream >3 byte x \b, level %d # From: Barry Carter # https://encode.ru/threads/456-zpaq-updates/page32 0 string 7kSt ZPAQ file # BBeB ebook, unencrypted (LRF format) # URL: https://www.sven.de/librie/Librie/LrfFormat # From: Adam Buchbinder 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted >8 beshort x \b, version %d >36 byte 1 \b, front-to-back >36 byte 16 \b, back-to-front >42 beshort x \b, (%dx, >44 beshort x %d) # Symantec GHOST image by Joerg Jenderek at May 2014 # https://us.norton.com/ghost/ # https://www.garykessler.net/library/file_sigs.html 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image # *.GHO >2 ubyte&0x08 0x00 \b, first file # *.GHS or *.[0-9] with cns program option >2 ubyte&0x08 0x08 \b, split file # part of split index interesting for *.ghs >>4 ubyte x id=%#x # compression tag minus one equals numeric compression command line switch z[1-9] >3 ubyte 0 \b, no compression >3 ubyte 2 \b, fast compression (Z1) >3 ubyte 3 \b, medium compression (Z2) >3 ubyte >3 >>3 ubyte <11 \b, compression (Z%d-1) >2 ubyte&0x08 0x00 # ~ 30 byte password field only for *.gho >>12 ubequad !0 \b, password protected >>44 ubyte !1 # 1~Image All, sector-by-sector only for *.gho >>>10 ubyte 1 \b, sector copy # 1~Image Boot track only for *.gho >>>43 ubyte 1 \b, boot track # 1~Image Disc only for *.gho implies Image Boot track and sector copy >>44 ubyte 1 \b, disc sector copy # optional image description only *.gho >>0xff string >\0 "%-.254s" # look for DOS sector end sequence >0xE08 search/7776 \x55\xAA >>&-512 indirect x \b; contains # Google Chrome extensions # https://developer.chrome.com/extensions/crx # https://developer.chrome.com/extensions/hosting 0 string Cr24 Google Chrome extension !:mime application/x-chrome-extension >4 ulong x \b, version %u # SeqBox - Sequenced container # ext: sbx, seqbox # Marco Pontello marcopon@gmail.com # reference: https://github.com/MarcoPon/SeqBox 0 string SBx SeqBox, >3 byte x version %d # LyNX archive 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive # From: Joerg Jenderek # URL: https://www.acronis.com/ # Reference: https://en.wikipedia.org/wiki/TIB_(file_format) # Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110 0 ubequad 0xce24b9a220000000 Acronis True Image backup !:mime application/x-acronis-tib !:ext tib # 01000000 #>20 ubelong x \b, at 20 %#x # 20000000 #>28 ubelong x \b, at 28 %#x # strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0" # ??? # strings like "\Device\0000011e" "\Device\0000015a" #>0 search/0x6852300/cs \\Device\\ #>>&-1 pstring x \b, %s # "\Device\HarddiskVolume30" "\Device\HarddiskVolume39" #>>>&1 search/180/cs \\Device\\ #>>>>&-1 pstring x \b, %s #>>>>>&0 search/29/cs \0\0\xc8\0 # disk label #>>>>>>&10 lestring16 x \b, disk label %11.11s #>>>>>>&9 plestring16 x \b, disk label "%11.11s" #>>>>>>&10 ubequad x %16.16llx # Gentoo XPAK binary package # by Michal Gorny # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5 -4 string STOP >-16 string XPAKSTOP Gentoo binary package (XPAK) # From: Joerg Jenderek # URL: https://kodi.wiki/view/TexturePacker # Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz # /xbmc-Krypton/xbmc/guilib/XBTF.h # /xbmc-Krypton/xbmc/guilib/XBTF.cpp 0 string XBTF # skip ASCII text by looking for terminating \0 of path >264 ubyte 0 XBMC texture package !:mime application/x-xbmc-xbt !:ext xbt # XBTF_VERSION 2 >>4 string !2 \b, version %-.1s # nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp >>5 ulelong x \b, %u file # plural s >>5 ulelong >1 \bs # path[CXBTFFile[MaximumPathLength=256] >>9 string x \b, 1st %s # ALZIP archive # by Hyungjun Park , Hajin Jang # http://kippler.com/win/unalz/ # https://salsa.debian.org/l10n-korean-team/unalz 0 string ALZ\001 ALZ archive data !:ext alz # https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip 0 string EGGA EGG archive data, !:ext egg >5 byte x version %u >4 byte x \b.%u >>0x0E ulelong =0x08E28222 >>0x0E ulelong =0x24F5A262 \b, split >>0x0E ulelong =0x24E5A060 \b, solid >>0x0E default x \b, unknown # PAQ9A archive # URL: http://mattmahoney.net/dc/#paq9a # Note: Line 1186 of paq9a.cpp gives the magic bytes 0 string pQ9\001 PAQ9A archive # From wof (wof@stachelkaktus.net) 0 string Unison\ archive\ format Unison archive format #------------------------------------------------------------------------------ # URL: https://de.wikipedia.org/wiki/Aria_(Software) # Reference: https://github.com/aria2/aria2/blob/master/doc/manual-src/en/technical-notes.rst # From: Joerg Jenderek # Note: only version 1 suited # check for valid version one 0 beshort 0x0001 # skip most uncompressed DEGAS med-res bitmap *.PI2 and GEM bitmap (v1) *.IMG # by test for valid infoHashCheck extension >2 ubelong&0xffFFffFE 0x00000000 # skip DEGAS med-res bitmap DIAGRAM1.PI2 by test for valid length of download >>(6.L+14) ubequad >0 >>>0 use aria 0 name aria # version; (0x0000) or (0x0001); for 0 all multi-byte are in host byte order. For 1 big endian >0 beshort x aria2 control file, version %u #!:mime application/octet-stream !:mime application/x-aria !:ext aria2 # EXTension; if EXT[3]&1 == 1 checks whether saved InfoHash and current downloading the same; infoHashCheck extension >2 ubelong !0 \b, infoHashCheck %#x # info hash length like: 0 14h >6 ubelong !0 \b, %#x bytes info hash # info hash; BitTorrent InfoHash >>10 ubequad x %#16.16llx... # piece length; the length of the piece like: 400h 100000h >(6.L+10) ubelong x \b, piece length 0x%x # total length; the total length of the download >(6.L+14) ubequad x \b, total length %llu #>(6.L+14) ubequad x \b, total length %#llx # upload length; the uploaded length of download like: 0 400h >(6.L+22) ubequad !0 \b, upload length %#llx # bitfield length; the length of bitfield like: 4 6 Ah 10h 13h 167h >(6.L+30) ubelong x \b, %#x bytes bitfield # bitfield; bitfield which represents current download progress >(6.L+34) ubequad !0 %#llx... #------------------------------------------------------------------------------ # $File: arm,v 1.2 2021/07/14 17:40:31 christos Exp $ # arm: file(1) magic for ARM COFF # # https://docs.microsoft.com/en-us/windows/win32/debug/pe-format # Aarch64 0 leshort 0xaa64 # test for unused flag bits in f_flags >18 uleshort&0x8E80 0 # use little endian variant of subroutine to # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 # ARM 0 leshort 0x01c0 # test for unused flag bits in f_flags >18 uleshort&0x8E80 0 # use little endian variant of subroutine to # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 # ARM Thumb 0 leshort 0x01c2 # test for unused flag bits in f_flags >18 uleshort&0x8E80 0 # use little endian variant of subroutine to # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 # ARMv7 Thumb 0 leshort 0x01c4 # test for unused flag bits in f_flags >18 uleshort&0x8E80 0 # use little endian variant of subroutine to # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 #------------------------------------------------------------------------------ # $File: asf,v 1.3 2022/04/25 17:33:13 christos Exp $ # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # http://www.staroceans.org/e-book/ASF_Specification.pdf 0 name asf-name # ASF_Data_Object #>0 guid 75B22636-668E-11CF-A6D9-00AA0062CE6C #>16 lequad >0 #>>(16.q) use asf-object # ASF_Simple_Index_Object >0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB >0 guid D6E229D3-35DA-11D1-9034-00A0C90349BE ASF_Index_Object >0 guid FEB103F8-12AD-4C64-840F-2A1D2F7AD48C ASF_Media_Object_Index_Object >0 guid 3CB73FD0-0C4A-4803-953D-EDF7B6228F0C ASF_Timecode_Index_Object # ASF_File_Properties_Object >0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365 # ASF_Stream_Properties_Object >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 #>>56 lequad x Time Offset %lld #>>64 lelong x Type-Specicic Data Length %d #>>68 lelong x Error Correction Data Length %d #>>72 leshort x Flags %#x #>>74 lelong x Reserved %x # ASF_Audio_Media >>24 guid F8699E40-5B4D-11CF-A8FD-00805F5C442B \b, Audio Media ( >>>78 leshort x \bCodec Id %d >>>80 leshort x \b, Number of channels %d >>>82 lelong x \b, Samples Per Second %d >>>86 lelong x \b, Average Number of Bytes Per Second %d >>>90 lelong x \b, Block Alignment %d >>>94 leshort x \b, Bits Per Sample %d # ASF_Video_Media >>24 guid BC19EFC0-5B4D-11CF-A8FD-00805F5C442B \b, Video Media ( >>>78 lelong x \bEncoded Image Width %d >>>82 lelong x \b, Encoded Image Height %d #>>>85 leshort x \b, Format Data Size %x >>>93 lelong x \b, Image Width %d >>>97 lelong x \b, Image Height %d #>>>101 leshort x \b, Reserved %#x >>>103 leshort x \b, Bits Per Pixel Count %d #>>>105 lelong x \b, Compression ID %d #>>>109 lelong x \b, Image Size %d #>>>113 lelong x \b, Horizontal Pixels Per Meter %d #>>>117 lelong x \b, Vertical Pixels Per Meter %d #>>>121 lelong x \b, Colors Used Count %d #>>>125 lelong x \b, Important Colors Count %d >>0 lelong x \b, Error correction type >>40 use asf-name >>0 lelong x \b) #ASF_Header_Extension_Object >0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365 # ASF_Codec_List_Object >0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6 >0 guid 1EFB1A30-0B62-11D0-A39B-00A0C90348F6 ASF_Script_Command_Object >0 guid F487CD01-A951-11CF-8EE6-00C00C205365 ASF_Marker_Object >0 guid D6E229DC-35DA-11D1-9034-00A0C90349BE ASF_Bitrate_Mutual_Exclusion_Object >0 guid 75B22635-668E-11CF-A6D9-00AA0062CE6C ASF_Error_Correction_Object # ASF_Content_Description_Object >0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C #>>24 leshort title length %d #>>26 leshort author length %d #>>28 leshort copyright length %d #>>30 leshort descriptor length %d #>>32 leshort rating length %d >0 guid D2D0A440-E307-11D2-97F0-00A0C95EA850 ASF_Extended_Content_Description_Object >0 guid 2211B3FA-BD23-11D2-B4B7-00A0C955FC6E ASF_Content_Branding_Object >0 guid 7BF875CE-468D-11D1-8D82-006097C9A2B2 ASF_Stream_Bitrate_Properties_Object >0 guid 2211B3FB-BD23-11D2-B4B7-00A0C955FC6E ASF_Content_Encryption_Object >0 guid 298AE614-2622-4C17-B935-DAE07EE9289C ASF_Extended_Content_Encryption_Object >0 guid 2211B3FC-BD23-11D2-B4B7-00A0C955FC6E ASF_Digital_Signature_Object # ASF_Padding_Object >0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8 >0 guid 14E6A5CB-C672-4332-8399-A96952065B5A ASF_Extended_Stream_Properties_Object >0 guid A08649CF-4775-4670-8A16-6E35357566CD ASF_Advanced_Mutual_Exclusion_Object >0 guid D1465A40-5A79-4338-B71B-E36B8FD6C249 ASF_Group_Mutual_Exclusion_Object >0 guid D4FED15B-88D3-454F-81F0-ED5C45999E24 ASF_Stream_Prioritization_Object >0 guid A69609E6-517B-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Object >0 guid 7C4346A9-EFE0-4BFC-B229-393EDE415C85 ASF_Language_List_Object >0 guid C5F8CBEA-5BAF-4877-8467-AA8C44FA4CCA ASF_Metadata_Object >0 guid 44231C94-9498-49D1-A141-1D134E457054 ASF_Metadata_Library_Object >0 guid D6E229DF-35DA-11D1-9034-00A0C90349BE ASF_Index_Parameters_Object >0 guid 6B203BAD-3F11-48E4-ACA8-D7613DE2CFA7 ASF_Media_Object_Index_Parameters_Object >0 guid F55E496D-9797-4B5D-8C8B-604DFE9BFB24 ASF_Timecode_Index_Parameters_Object >0 guid 26F18B5D-4584-47EC-9F5F-0E651F0452C9 ASF_Compatibility_Object >0 guid 43058533-6981-49E6-9B74-AD12CB86D58C ASF_Advanced_Content_Encryption_Object >0 guid 59DACFC0-59E6-11D0-A3AC-00A0C90348F6 ASF_Command_Media >0 guid B61BE100-5B4E-11CF-A8FD-00805F5C442B ASF_JFIF_Media >0 guid 35907DE0-E415-11CF-A917-00805F5C442B ASF_Degradable_JPEG_Media >0 guid 91BD222C-F21C-497A-8B6D-5AA86BFC0185 ASF_File_Transfer_Media >0 guid 3AFB65E2-47EF-40F2-AC2C-70A90D71D343 ASF_Binary_Media >0 guid 776257D4-C627-41CB-8F81-7AC7FF1C40CC ASF_Web_Stream_Media_Subtype >0 guid DA1E6B13-8359-4050-B398-388E965BF00C ASF_Web_Stream_Format >0 guid 20FB5700-5B55-11CF-A8FD-00805F5C442B ASF_No_Error_Correction >0 guid BFC3CD50-618F-11CF-8BB2-00AA00B4E220 ASF_Audio_Spread >0 guid ABD3D211-A9BA-11cf-8EE6-00C00C205365 ASF_Reserved_1 >0 guid 7A079BB6-DAA4-4e12-A5CA-91D38DC11A8D ASF_Content_Encryption_System_Windows_Media_DRM # _Network_Devices >0 guid 86D15241-311D-11D0-A3A4-00A0C90348F6 ASF_Reserved_2 >0 guid 4B1ACBE3-100B-11D0-A39B-00A0C90348F6 ASF_Reserved_3 >0 guid 4CFEDB20-75F6-11CF-9C0F-00A0C90349CB ASF_Reserved_4 >0 guid D6E22A00-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Language >0 guid D6E22A01-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Bitrate >0 guid D6E22A02-35DA-11D1-9034-00A0C90349BE ASF_Mutex_Unknown >0 guid AF6060AA-5197-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Exclusive >0 guid AF6060AB-5197-11D2-B6AF-00C04FD908E9 ASF_Bandwidth_Sharing_Partial >0 guid 399595EC-8667-4E2D-8FDB-98814CE76C1E ASF_Payload_Extension_System_Timecode >0 guid E165EC0E-19ED-45D7-B4A7-25CBD1E28E9B ASF_Payload_Extension_System_File_Name >0 guid D590DC20-07BC-436C-9CF7-F3BBFBF1A4DC ASF_Payload_Extension_System_Content_Type >0 guid 1B1EE554-F9EA-4BC8-821A-376B74E4C4B8 ASF_Payload_Extension_System_Pixel_Aspect_Ratio >0 guid C6BD9450-867F-4907-83A3-C77921B733AD ASF_Payload_Extension_System_Sample_Duration >0 guid 6698B84E-0AFA-4330-AEB2-1C0A98D7A44D ASF_Payload_Extension_System_Encryption_Sample_ID >0 guid 00E1AF06-7BEC-11D1-A582-00C04FC29CFB ASF_Payload_Extension_System_Degradable_JPEG 0 name asf-object >0 use asf-name #>>16 lequad >0 (size %lld) [ >>16 lequad >0 >>>(16.q) use asf-object #>>16 lequad 0 ] # Microsoft Advanced Streaming Format (ASF) 0 guid 75B22630-668E-11CF-A6D9-00AA0062CE6C Microsoft ASF !:mime video/x-ms-asf #>16 lequad >0 (size %lld #>>24 lelong x \b, %d header objects) >16 lequad >0 >>30 use asf-object >>(16.q) use asf-object #------------------------------------------------------------------------------ # $File: assembler,v 1.6 2013/12/11 14:14:20 christos Exp $ # make: file(1) magic for assembler source # 0 regex \^[\040\t]{0,50}\\.asciiz assembler source text !:mime text/x-asm 0 regex \^[\040\t]{0,50}\\.byte assembler source text !:mime text/x-asm 0 regex \^[\040\t]{0,50}\\.even assembler source text !:mime text/x-asm 0 regex \^[\040\t]{0,50}\\.globl assembler source text !:mime text/x-asm 0 regex \^[\040\t]{0,50}\\.text assembler source text !:mime text/x-asm 0 regex \^[\040\t]{0,50}\\.file assembler source text !:mime text/x-asm 0 regex \^[\040\t]{0,50}\\.type assembler source text !:mime text/x-asm #------------------------------------------------------------------------------ # $File: asterix,v 1.5 2009/09/19 16:28:08 christos Exp $ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character # strings as "long" - we assume they're just strings: # From: guy@netapp.com (Guy Harris) # 0 string *STA Aster*x >7 string WORD Words Document >7 string GRAP Graphic >7 string SPRE Spreadsheet >7 string MACR Macro 0 string 2278 Aster*x Version 2 >29 byte 0x36 Words Document >29 byte 0x35 Graphic >29 byte 0x32 Spreadsheet >29 byte 0x38 Macro #------------------------------------------------------------------------------ # $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # # 3B20 # # The 3B20 conflicts with SCCS. #0 beshort 0550 3b20 COFF executable #>12 belong >0 not stripped #>22 beshort >0 - version %d #0 beshort 0551 3b20 COFF executable (TV) #>12 belong >0 not stripped #>22 beshort >0 - version %d # # WE32K # 0 beshort 0560 WE32000 COFF >18 beshort ^00000020 object >18 beshort &00000020 executable >12 belong >0 not stripped >18 beshort ^00010000 N/A on 3b2/300 w/paging >18 beshort &00020000 32100 required >18 beshort &00040000 and MAU hardware required >20 beshort 0407 (impure) >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0443 (target shared library) >22 beshort >0 - version %d 0 beshort 0561 WE32000 COFF executable (TV) >12 belong >0 not stripped #>18 beshort &00020000 - 32100 required #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %d # # core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' #------------------------------------------------------------------------------ # $File: audio,v 1.124 2022/08/28 08:58:20 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), # and others # # Sun/NeXT audio data 0 string .snd Sun/NeXT audio data: >12 belong 1 8-bit ISDN mu-law, !:mime audio/basic >12 belong 2 8-bit linear PCM [REF-PCM], !:mime audio/basic >12 belong 3 16-bit linear PCM, !:mime audio/basic >12 belong 4 24-bit linear PCM, !:mime audio/basic >12 belong 5 32-bit linear PCM, !:mime audio/basic >12 belong 6 32-bit IEEE floating point, !:mime audio/basic >12 belong 7 64-bit IEEE floating point, !:mime audio/basic >12 belong 8 Fragmented sample data, >12 belong 10 DSP program, >12 belong 11 8-bit fixed point, >12 belong 12 16-bit fixed point, >12 belong 13 24-bit fixed point, >12 belong 14 32-bit fixed point, >12 belong 18 16-bit linear with emphasis, >12 belong 19 16-bit linear compressed, >12 belong 20 16-bit linear with emphasis and compression, >12 belong 21 Music kit DSP commands, >12 belong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), !:mime audio/x-adpcm >12 belong 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong 27 8-bit A-law (CCITT G.711), >20 belong 1 mono, >20 belong 2 stereo, >20 belong 4 quad, >16 belong >0 %d Hz # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format # that uses little-endian encoding and has a different magic number 0 lelong 0x0064732E DEC audio data: >12 lelong 1 8-bit ISDN mu-law, !:mime audio/x-dec-basic >12 lelong 2 8-bit linear PCM [REF-PCM], !:mime audio/x-dec-basic >12 lelong 3 16-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 4 24-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 5 32-bit linear PCM, !:mime audio/x-dec-basic >12 lelong 6 32-bit IEEE floating point, !:mime audio/x-dec-basic >12 lelong 7 64-bit IEEE floating point, !:mime audio/x-dec-basic >12 belong 8 Fragmented sample data, >12 belong 10 DSP program, >12 belong 11 8-bit fixed point, >12 belong 12 16-bit fixed point, >12 belong 13 24-bit fixed point, >12 belong 14 32-bit fixed point, >12 belong 18 16-bit linear with emphasis, >12 belong 19 16-bit linear compressed, >12 belong 20 16-bit linear with emphasis and compression, >12 belong 21 Music kit DSP commands, >12 lelong 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice enc.), !:mime audio/x-dec-basic >12 belong 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong 27 8-bit A-law (CCITT G.711), >20 lelong 1 mono, >20 lelong 2 stereo, >20 lelong 4 quad, >16 lelong >0 %d Hz # Creative Labs AUDIO stuff 0 string MThd Standard MIDI data !:mime audio/midi >8 beshort x (format %d) >10 beshort x using %d track >10 beshort >1 \bs >12 beshort&0x7fff x at 1/%d >12 beshort&0x8000 >0 SMPTE 0 string CTMF Creative Music (CMF) data !:mime audio/x-unknown 0 string SBI SoundBlaster instrument data !:mime audio/x-unknown 0 string Creative\ Voice\ File Creative Labs voice data !:mime audio/x-unknown # is this next line right? it came this way... >19 byte 0x1A >23 byte >0 - version %d >22 byte >0 \b.%d # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data >4 belong x - version %d # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] 0 string EMOD Extended MOD sound data, >4 byte&0xf0 x version %d >4 byte&0x0f x \b.%d, >45 byte x %d instruments >83 byte 0 (module) >83 byte 1 (song) # Real Audio (Magic .ra\0375) 0 belong 0x2e7261fd RealAudio sound file !:mime audio/x-pn-realaudio 0 string .RMF\0\0\0 RealMedia file !:mime application/vnd.rn-realmedia #video/x-pn-realvideo #video/vnd.rn-realvideo #application/vnd.rn-realmedia # sigh, there are many mimes for that but the above are the most common. # MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] # Oct 31, 1995 # fixed by 2003-06-24 # Too short... #0 string MTM MultiTracker Module sound file #0 string if Composer 669 Module sound data #0 string JN Composer 669 Module sound data (extended format) 0 string MAS_U ULT(imate) Module sound data #0 string FAR Module sound data #>4 string >\15 Title: "%s" 0x2c string SCRM ScreamTracker III Module sound data >0 string >\0 Title: "%s" !:mime audio/x-s3m # .stm before it got above .s3m extension 0x16 string \!Scream\! ScreamTracker Module sound data >0 string >\0 Title: "%s" # Gravis UltraSound patches # From 0 string GF1PATCH110\0ID#000002\0 GUS patch 0 string GF1PATCH100\0ID#000002\0 Old GUS patch # mime types according to http://www.geocities.com/nevilo/mod.htm: # audio/it .it # audio/x-zipped-it .itz # audio/xm fasttracker modules # audio/x-s3m screamtracker modules # audio/s3m screamtracker modules # audio/x-zipped-mod mdz # audio/mod mod # audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) # # Taken from loader code from mikmod version 2.14 # by Steve McIntyre (stevem@chiark.greenend.org.uk) # added title printing on 2003-06-24 0 string MAS_UTrack_V00 >14 string >/0 ultratracker V1.%.1s module sound data !:mime audio/x-mod #audio/x-tracker-module 0 string UN05 MikMod UNI format module sound data 0 string Extended\ Module: Fasttracker II module sound data !:mime audio/x-mod #audio/x-tracker-module >17 string >\0 Title: "%s" 21 string/c =!SCREAM! Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module 21 string BMOD2STM Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module 1080 string M.K. 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" 1080 string M!K! 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" 1080 string FLT4 4-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" 1080 string FLT8 8-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" 1080 string 4CHN 4-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" 1080 string 6CHN 6-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" 1080 string 8CHN 8-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" 1080 string CD81 8-channel Octalyser module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" 1080 string OKTA 8-channel Octalyzer module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 1080 string 16CN 16-channel Taketracker module sound data !:mime audio/x-mod #audio/x-taketracker-module >0 string >\0 Title: "%s" 1080 string 32CN 32-channel Taketracker module sound data !:mime audio/x-mod #audio/x-taketracker-module >0 string >\0 Title: "%s" # TOC sound files -Trevor Johnson # 0 string TOC TOC sound file # sidfiles # added name,author,(c) and new RSID type by 2003-06-24 0 string SIDPLAY\ INFOFILE Sidplay info file 0 string PSID PlaySID v2.2+ (AMIGA) sidtune >4 beshort >0 w/ header v%d, >14 beshort =1 single song, >14 beshort >1 %d songs, >16 beshort >0 default song: %d >0x16 string >\0 name: "%s" >0x36 string >\0 author: "%s" >0x56 string >\0 copyright: "%s" 0 string RSID RSID sidtune PlaySID compatible >4 beshort >0 w/ header v%d, >14 beshort =1 single song, >14 beshort >1 %d songs, >16 beshort >0 default song: %d >0x16 string >\0 name: "%s" >0x36 string >\0 author: "%s" >0x56 string >\0 copyright: "%s" # IRCAM sound files - Michael Pruett # http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html 0 belong 0x64a30100 IRCAM file (VAX little-endian) 0 belong 0x0001a364 IRCAM file (VAX big-endian) 0 belong 0x64a30200 IRCAM file (Sun big-endian) 0 belong 0x0002a364 IRCAM file (Sun little-endian) 0 belong 0x64a30300 IRCAM file (MIPS little-endian) 0 belong 0x0003a364 IRCAM file (MIPS big-endian) 0 belong 0x64a30400 IRCAM file (NeXT big-endian) 0 belong 0x64a30400 IRCAM file (NeXT big-endian) 0 belong 0x0004a364 IRCAM file (NeXT little-endian) # NIST SPHERE 0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file # Sample Vision 0 string SOUND\ SAMPLE\ DATA\ Sample Vision file # Audio Visual Research 0 string 2BIT Audio Visual Research file, >12 beshort =0 mono, >12 beshort =-1 stereo, >14 beshort x %d bits >16 beshort =0 unsigned, >16 beshort =-1 signed, >22 belong&0x00ffffff x %d Hz, >18 beshort =0 no loop, >18 beshort =-1 loop, >21 ubyte <128 note %d, >22 byte =0 replay 5.485 KHz >22 byte =1 replay 8.084 KHz >22 byte =2 replay 10.971 KHz >22 byte =3 replay 16.168 KHz >22 byte =4 replay 21.942 KHz >22 byte =5 replay 32.336 KHz >22 byte =6 replay 43.885 KHz >22 byte =7 replay 47.261 KHz # SGI SoundTrack 0 string _SGI_SoundTrack SGI SoundTrack project file # ID3 version 2 tags 0 string ID3 Audio file with ID3 version 2 >3 byte x \b.%d >4 byte x \b.%d >>5 byte &0x80 \b, unsynchronized frames >>5 byte &0x40 \b, extended header >>5 byte &0x20 \b, experimental >>5 byte &0x10 \b, footer present >(6.I+10) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File >14 string >\0 ("%s" by >46 string >\0 %s, copyright >78 string >\0 %s), >5 byte x version %d, >6 byte x %d tracks, >122 byte&0x2 =1 dual PAL/NTSC >122 byte&0x1 =1 PAL >122 byte&0x1 =0 NTSC # NSFE (Extended NES sound file) magic # http://slickproductions.org/docs/NSF/nsfespec.txt # From: David Pflug 0 string NSFE Extended NES Sound File >48 search/0x1000 auth >>&0 string >\0 ("%s" >>>&1 string >\0 by %s >>>>&1 string >\0 \b, copyright %s >>>>>&1 string >\0 \b, ripped by %s >20 byte x \b), %d tracks, >18 byte&0x2 =1 dual PAL/NTSC >18 byte&0x2 =0 >>18 byte&0x1 =1 PAL >>18 byte&0x1 =0 NTSC # Type: SNES SPC700 sound files # From: Josh Triplett 0 string SNES-SPC700\ Sound\ File\ Data\ v SNES SPC700 sound file >&0 string 0.30 \b, version %s >>0x23 byte 0x1B \b, without ID666 tag >>0x23 byte 0x1A \b, with ID666 tag >>>0x2E string >\0 \b, song "%.32s" >>>0x4E string >\0 \b, game "%.32s" # Impulse tracker module (audio/x-it) 0 string IMPM Impulse Tracker module sound data - !:mime audio/x-mod >4 string >\0 "%s" >40 leshort !0 compatible w/ITv%x >42 leshort !0 created w/ITv%x # Imago Orpheus module (audio/x-imf) 60 string IM10 Imago Orpheus module sound data - >0 string >\0 "%s" # From # These are the /etc/magic entries to decode modules, instruments, and # samples in Impulse Tracker's native format. 0 string IMPS Impulse Tracker Sample >18 byte &2 16 bit >18 byte ^2 8 bit >18 byte &4 stereo >18 byte ^4 mono 0 string IMPI Impulse Tracker Instrument >28 leshort !0 ITv%x >30 byte !0 %d samples # Yamaha TX Wave: file(1) magic for Yamaha TX Wave audio files # From 0 string LM8953 Yamaha TX Wave >22 byte 0x49 looped >22 byte 0xC9 non-looped >23 byte 1 33kHz >23 byte 2 50kHz >23 byte 3 16kHz # scream tracker: file(1) magic for Scream Tracker sample files # # From 76 string SCRS Scream Tracker Sample >0 byte 1 sample >0 byte 2 adlib melody >0 byte >2 adlib drum >31 byte &2 stereo >31 byte ^2 mono >31 byte &4 16bit little endian >31 byte ^4 8bit >30 byte 0 unpacked >30 byte 1 packed # audio # From: Cory Dikkers 0 string MMD0 MED music file, version 0 0 string MMD1 OctaMED Pro music file, version 1 0 string MMD3 OctaMED Soundstudio music file, version 3 0 string OctaMEDCmpr OctaMED Soundstudio compressed file 0 string MED MED_Song 0 string SymM Symphonie SymMOD music file # # Track Length (TRL), Tracks (TRK), Samples (SMP), Subsongs (SS) # http://lclevy.free.fr/exotica/ahx/ahxformat.txt 0 string THX AHX version >3 byte =0 1 module data >3 byte =1 2 module data >11 ubyte x TRK: %u >10 ubyte x TRL: %u >12 ubyte x SMP: %u >13 ubyte x SS: %u >(4.H) string x Title: "%.128s" # header is mostly AHX format 0 string HVL >3 byte <2 Hively Tracker Song >3 byte =0 v1 module data >3 byte =1 v2 module data >11 ubyte x TRK: %u >10 ubyte x TRL: %u >12 ubyte x SMP: %u >13 ubyte x SS: %u >8 ubyte/4 =0 CHN: 4 >8 ubyte/4 >0 CHN: 4+%u #>-0 offset <0xffff >(4.H) string x Title: "%.128s" # 0 string OKTASONG Oktalyzer module data # 0 string DIGI\ Booster\ module\0 %s >20 byte >0 %c >>21 byte >0 \b%c >>>22 byte >0 \b%c >>>>23 byte >0 \b%c >610 string >\0 \b, "%s" # 0 string DBM0 DIGI Booster Pro Module >4 byte >0 V%X. >>5 byte x \b%02X >16 string >\0 \b, "%s" # 0 string FTMN FaceTheMusic module >16 string >\0d \b, "%s" # From: 2003-06-24 0 string AMShdr\32 Velvet Studio AMS Module v2.2 0 string Extreme Extreme Tracker AMS Module v1.3 0 string DDMF Xtracker DMF Module >4 byte x v%i >0xD string >\0 Title: "%s" >0x2B string >\0 Composer: "%s" 0 string DSM\32 Dynamic Studio Module DSM 0 string SONG DigiTrekker DTM Module 0 string DMDL DigiTrakker MDL Module 0 string PSM\32 Protracker Studio PSM Module 44 string PTMF Poly Tracker PTM Module >0 string >\32 Title: "%s" 0 string MT20 MadTracker 2.0 Module MT2 0 string RAD\40by\40REALiTY!! RAD Adlib Tracker Module RAD 0 string RTMM RTM Module 0x426 string MaDoKaN96 XMS Adlib Module >0 string >\0 Composer: "%s" 0 string AMF AMF Module >4 string >\0 Title: "%s" 0 string MODINFO1 Open Cubic Player Module Information MDZ 0 string Extended\40Instrument: Fast Tracker II Instrument # From: Takeshi Hamasaki # NOA Nancy Codec file 0 string \210NOA\015\012\032 NOA Nancy Codec Movie file # Yamaha SMAF format 0 string MMMD Yamaha SMAF file # Sharp Jisaku Melody format for PDC 0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody >20 string Ver01.00 Ver. 1.00 >>32 byte x , %d tracks # Free lossless audio codec # From: Przemyslaw Augustyniak 0 string fLaC FLAC audio bitstream data !:mime audio/flac >4 byte&0x7f >0 \b, unknown version >4 byte&0x7f 0 \b # some common bits/sample values >>20 beshort&0x1f0 0x030 \b, 4 bit >>20 beshort&0x1f0 0x050 \b, 6 bit >>20 beshort&0x1f0 0x070 \b, 8 bit >>20 beshort&0x1f0 0x0b0 \b, 12 bit >>20 beshort&0x1f0 0x0f0 \b, 16 bit >>20 beshort&0x1f0 0x170 \b, 24 bit >>20 byte&0xe 0x0 \b, mono >>20 byte&0xe 0x2 \b, stereo >>20 byte&0xe 0x4 \b, 3 channels >>20 byte&0xe 0x6 \b, 4 channels >>20 byte&0xe 0x8 \b, 5 channels >>20 byte&0xe 0xa \b, 6 channels >>20 byte&0xe 0xc \b, 7 channels >>20 byte&0xe 0xe \b, 8 channels # sample rates derived from known oscillator frequencies; # 24.576 MHz (video/fs=48kHz), 22.5792 (audio/fs=44.1kHz) and # 16.384 (other/fs=32kHz). >>17 belong&0xfffff0 0x02b110 \b, 11.025 kHz >>17 belong&0xfffff0 0x03e800 \b, 16 kHz >>17 belong&0xfffff0 0x056220 \b, 22.05 kHz >>17 belong&0xfffff0 0x05dc00 \b, 24 kHz >>17 belong&0xfffff0 0x07d000 \b, 32 kHz >>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz >>17 belong&0xfffff0 0x0bb800 \b, 48 kHz >>17 belong&0xfffff0 0x0fa000 \b, 64 kHz >>17 belong&0xfffff0 0x158880 \b, 88.2 kHz >>17 belong&0xfffff0 0x177000 \b, 96 kHz >>17 belong&0xfffff0 0x1f4000 \b, 128 kHz >>17 belong&0xfffff0 0x2b1100 \b, 176.4 kHz >>17 belong&0xfffff0 0x2ee000 \b, 192 kHz >>17 belong&0xfffff0 0x3e8000 \b, 256 kHz >>17 belong&0xfffff0 0x562200 \b, 352.8 kHz >>17 belong&0xfffff0 0x5dc000 \b, 384 kHz >>21 byte&0xf >0 \b, >4G samples >>21 byte&0xf 0 \b >>>22 belong >0 \b, %u samples >>>22 belong 0 \b, length unknown # (ISDN) VBOX voice message file (Wolfram Kleff) 0 string VBOX VBOX voice message data # ReBorn Song Files (.rbs) # David J. Singer 8 string RB40 RBS Song file >29 string ReBorn created by ReBorn >37 string Propellerhead created by ReBirth # Synthesizer Generator and Kimwitu share their file format 0 string A#S#C#S#S#L#V#3 Synthesizer Generator or Kimwitu data # Kimwitu++ uses a slightly different magic 0 string A#S#C#S#S#L#HUB Kimwitu++ data # From "Simon Hosie 0 string TFMX-SONG TFMX module sound data # Monkey's Audio compressed audio format (.ape) # From danny.milo@gmx.net (Danny Milosavljevic) # New version from Abel Cheung 0 string MAC\040 Monkey's Audio compressed format !:mime audio/x-ape >4 uleshort >0x0F8B version %d >>(0x08.l) uleshort =1000 with fast compression >>(0x08.l) uleshort =2000 with normal compression >>(0x08.l) uleshort =3000 with high compression >>(0x08.l) uleshort =4000 with extra high compression >>(0x08.l) uleshort =5000 with insane compression >>(0x08.l+18) uleshort =1 \b, mono >>(0x08.l+18) uleshort =2 \b, stereo >>(0x08.l+20) ulelong x \b, sample rate %d >4 uleshort <0x0F8C version %d >>6 uleshort =1000 with fast compression >>6 uleshort =2000 with normal compression >>6 uleshort =3000 with high compression >>6 uleshort =4000 with extra high compression >>6 uleshort =5000 with insane compression >>10 uleshort =1 \b, mono >>10 uleshort =2 \b, stereo >>12 ulelong x \b, sample rate %d # adlib sound files # From: Alex Myczko # https://github.com/rerrahkr/BambooTracker 0 string BambooTracker BambooTracker >13 string Mod Module >13 string Ist Instrument >13 string Bnk Bank >22 byte x \b, version %u >21 byte x \b.%u >20 byte x \b.%u 0 string CC2x CheeseCutter 2 song 0 string RAWADATA RdosPlay RAW 1068 string RoR AMUSIC Adlib Tracker 0 string JCH EdLib 0 string mpu401tr MPU-401 Trakker 0 string SAdT Surprise! Adlib Tracker >4 byte x Version %d 0 string XAD! eXotic ADlib 0 string ofTAZ! eXtra Simple Music 0 string FMK! FM Kingtracker Song 0 string DFM DFM Song 0 string \ CFF Song 0 string _A2module A2M Song # Spectrum 128 tunes (.ay files). # From: Emanuel Haupt 0 string ZXAYEMUL Spectrum 128 tune 0 string \0BONK BONK, #>5 byte x version %d >14 byte x %d channel(s), >15 byte =1 lossless, >15 byte =0 lossy, >16 byte x mid-side 384 string LockStream LockStream Embedded file (mostly MP3 on old Nokia phones) # format VQF (proprietary codec for sound) # some infos on the header file available at : # http://www.twinvq.org/english/technology_format.html 0 string TWIN97012000 VQF data >27 short 0 \b, Mono >27 short 1 \b, Stereo >31 short >0 \b, %d kbit/s >35 short >0 \b, %d kHz # Nelson A. de Oliveira (naoliv@gmail.com) # .eqf 0 string Winamp\ EQ\ library\ file %s # it will match only versions like v. # Since I saw only eqf files with version v1.1 I think that it's OK >23 string x \b%.4s # .preset 0 string [Equalizer\ preset] XMMS equalizer preset # .m3u 0 search/1 #EXTM3U M3U playlist text # .pls 0 search/1 [playlist] PLS playlist text # licq.conf 1 string [licq] LICQ configuration file # Atari ST audio files by Dirk Jagdmann # NOTE: Most SNDH music is packed using ICE, which has # magic numbers "ICE!" and "Ice!". Some SNDH music is # not packed, so we check for both packed and unpacked. 12 string SNDH SNDH Atari ST music 0 belong&0xFFDFDFFF 0x49434521 >14 search/40 NDH SNDH Atari ST music >14 search/40 TITL SNDH Atari ST music 0 string SC68\ Music-file\ /\ (c)\ (BeN)jami sc68 Atari ST music # musepak support From: "Jiri Pejchal" 0 string MP+ Musepack audio (MP+) !:mime audio/x-musepack >3 byte 255 \b, SV pre8 >3 byte&0xF 0x6 \b, SV 6 >3 byte&0xF 0x8 \b, SV 8 >3 byte&0xF 0x7 \b, SV 7 >>3 byte&0xF0 0x0 \b.0 >>3 byte&0xF0 0x10 \b.1 >>3 byte&0xF0 240 \b.15 >>10 byte&0xF0 0x0 \b, no profile >>10 byte&0xF0 0x10 \b, profile 'Unstable/Experimental' >>10 byte&0xF0 0x50 \b, quality 0 >>10 byte&0xF0 0x60 \b, quality 1 >>10 byte&0xF0 0x70 \b, quality 2 (Telephone) >>10 byte&0xF0 0x80 \b, quality 3 (Thumb) >>10 byte&0xF0 0x90 \b, quality 4 (Radio) >>10 byte&0xF0 0xA0 \b, quality 5 (Standard) >>10 byte&0xF0 0xB0 \b, quality 6 (Xtreme) >>10 byte&0xF0 0xC0 \b, quality 7 (Insane) >>10 byte&0xF0 0xD0 \b, quality 8 (BrainDead) >>10 byte&0xF0 0xE0 \b, quality 9 >>10 byte&0xF0 0xF0 \b, quality 10 >>27 byte 0x0 \b, Buschmann 1.7.0-9, Klemm 0.90-1.05 >>27 byte 102 \b, Beta 1.02 >>27 byte 104 \b, Beta 1.04 >>27 byte 105 \b, Alpha 1.05 >>27 byte 106 \b, Beta 1.06 >>27 byte 110 \b, Release 1.1 >>27 byte 111 \b, Alpha 1.11 >>27 byte 112 \b, Beta 1.12 >>27 byte 113 \b, Alpha 1.13 >>27 byte 114 \b, Beta 1.14 >>27 byte 115 \b, Alpha 1.15 0 string MPCK Musepack audio (MPCK) !:mime audio/x-musepack # IMY # from http://filext.com/detaillist.php?extdetail=IMY # https://cellphones.about.com/od/cellularfaqs/f/rf_imelody.htm # http://download.ncl.ie/doc/api/ie/ncl/media/music/IMelody.html # http://www.wx800.com/msg/download/irda/iMelody.pdf 0 string BEGIN:IMELODY iMelody Ringtone Format # From: "Mateus Caruccio" # guitar pro v3,4,5 from http://filext.com/file-extension/gp3 0 string \030FICHIER\ GUITAR\ PRO\ v3. Guitar Pro Ver. 3 Tablature # From: "Leslie P. Polzer" 60 string SONG SoundFX Module sound file # Type: Adaptive Multi-Rate Codec # URL: http://filext.com/detaillist.php?extdetail=AMR # From: Russell Coker 0 string #!AMR Adaptive Multi-Rate Codec (GSM telephony) !:mime audio/amr !:ext amr # Type: SuperCollider 3 Synth Definition File Format # From: Mario Lang 0 string SCgf SuperCollider3 Synth Definition file, >4 belong x version %d # Type: True Audio Lossless Audio # URL: https://wiki.multimedia.cx/index.php?title=True_Audio # From: Mike Melanson 0 string TTA1 True Audio Lossless Audio # Type: WavPack Lossless Audio # URL: https://wiki.multimedia.cx/index.php?title=WavPack # From: Mike Melanson 0 string wvpk WavPack Lossless Audio # From Fabio R. Schmidlin # VGM music file 0 string Vgm\040 >9 ubyte >0 VGM Video Game Music dump v !:mime audio/x-vgm !:ext vgm >>9 ubyte/16 >0 \b%d >>9 ubyte&0x0F x \b%d >>8 ubyte/16 x \b.%d >>8 ubyte&0x0F >0 \b%d #Get soundchips >>8 ubyte x \b, soundchip(s)= >>0x0C ulelong >0 SN76489 (PSG), >>0x10 ulelong >0 YM2413 (OPLL), >>0x2C ulelong >0 YM2612 (OPN2), >>0x30 ulelong >0 YM2151 (OPM), >>0x38 ulelong >0 Sega PCM, >>0x34 ulelong >0xC >>>0x40 ulelong >0 RF5C68 (PCM), >>0x34 ulelong >0x10 >>>0x44 ulelong >0 YM2203 (OPN), >>0x34 ulelong >0x14 >>>0x48 ulelong >0 YM2608 (OPNA), >>0x34 ulelong >0x18 >>>0x4C lelong >0 YM2610 (OPNB), >>>0x4C lelong <0 YM2610B (OPNB+2FM), >>0x34 ulelong >0x1C >>>0x50 ulelong >0 YM3812 (OPL2), >>0x34 ulelong >0x20 >>>0x54 ulelong >0 YM3526 (OPL), >>0x34 ulelong >0x24 >>>0x58 ulelong >0 Y8950 (MSX-Audio), >>0x34 ulelong >0x28 >>>0x5C ulelong >0 YMF262 (OPL3), >>0x34 ulelong >0x2C >>>0x60 ulelong >0 YMF278B (OPL4), >>0x34 ulelong >0x30 >>>0x64 ulelong >0 YMF271 (OPX), >>0x34 ulelong >0x34 >>>0x68 ulelong >0 YMZ280B (PCMD8), >>0x34 ulelong >0x38 >>>0x6C ulelong >0 RF5C164 (PCM), >>0x34 ulelong >0x3C >>>0x70 ulelong >0 PWM, >>0x34 ulelong >0x40 >>>0x74 ulelong >0 >>>>0x78 ubyte 0x00 AY-3-8910, >>>>0x78 ubyte 0x01 AY-3-8912, >>>>0x78 ubyte 0x02 AY-3-8913, >>>>0x78 ubyte 0x03 AY-3-8930, >>>>0x78 ubyte 0x10 YM2149, >>>>0x78 ubyte 0x11 YM3439, >>>>0x78 ubyte 0x12 YMZ284, >>>>0x78 ubyte 0x13 YMZ294, # VGM 1.61 >>0x34 ulelong >0x4C >>>0x80 ulelong >0 DMG, >>0x34 ulelong >0x50 >>>0x84 lelong >0 NES APU, >>>0x84 lelong <0 NES APU with FDS, >>0x34 ulelong >0x54 >>>0x88 ulelong >0 MultiPCM, >>0x34 ulelong >0x58 >>>0x8C ulelong >0 uPD7759 (ADPCM Speech), >>0x34 ulelong >0x5C >>>0x90 ulelong >0 OKIM6258 (ADPCM Speech), >>0x34 ulelong >0x64 >>>0x98 ulelong >0 OKIM6295 (ADPCM), >>0x34 ulelong >0x68 >>>0x9C ulelong >0 K051649, >>0x34 ulelong >0x6C >>>0xA0 ulelong >0 K054539, >>0x34 ulelong >0x70 >>>0xA4 ulelong >0 HuC6280, >>0x34 ulelong >0x74 >>>0xA8 ulelong >0 C140, >>0x34 ulelong >0x78 >>>0xAC ulelong >0 K053260, >>0x34 ulelong >0x7C >>>0xB0 ulelong >0 Pokey, >>0x34 ulelong >0x80 >>>0xB4 ulelong >0 QSound, # VGM 1.71 >>0x34 ulelong >0x84 >>>0xB8 ulelong >0 SCSP, >>0x34 ulelong >0x8C >>>0xC0 ulelong >0 WonderSwan, >>0x34 ulelong >0x90 >>>0xC4 ulelong >0 VSU, >>0x34 ulelong >0x94 >>>0xC8 ulelong >0 SAA1099, >>0x34 ulelong >0x98 >>>0xCC ulelong >0 ES5503 (DOC), >>0x34 ulelong >0x9C >>>0xD0 lelong >0 ES5505 (OTIS), >>>0xD0 lelong <0 ES5506 (OTTO), >>0x34 ulelong >0xA4 >>>0xD8 ulelong >0 X1-010, >>0x34 ulelong >0xA8 >>>0xDC ulelong >0 C352, >>0x34 ulelong >0xAC >>>0xE0 ulelong >0 GA20, # GVOX Encore file format # Since this is a proprietary file format and there is no publicly available # format specification, this is just based on induction # 0 string SCOW >4 byte 0xc4 GVOX Encore music, version 5.0 or above >4 byte 0xc2 GVOX Encore music, version < 5.0 0 string ZBOT >4 byte 0xc5 GVOX Encore music, version < 5.0 # Summary: Garmin Voice Processing Module (WAVE audios) # From: Joerg Jenderek # URL: https://www.garmin.com/ # Reference: http://www.poi-factory.com/node/19580 # NOTE: there exist 2 other Garmin VPM formats 0 string AUDIMG # skip text files starting with string "AUDIMG" >13 ubyte <13 Garmin Voice Processing Module !:mime audio/x-vpm-wav-garmin !:ext vpm # 3 bytes indicating the voice version (200,220) >>6 string x \b, version %3.3s # day of release (01-31) >>12 ubyte x \b, %.2d # month of release (01-12) >>13 ubyte x \b.%.2d # year of release (like 2006, 2007, 2008) >>14 uleshort x \b.%.4d # hour of release (0-23) >>11 ubyte x %.2d # minute of release (0-59) >>10 ubyte x \b:%.2d # second of release (0-59) >>9 ubyte x \b:%.2d # if you select a language like german on your garmin device # you can only select voice modules with corresponding language byte ID like 1 >>18 ubyte x \b, language ID %d # structure for phrases/sentences? # number of voice sample in the 1st phrase? #>>19 uleshort x \b, %#x samples #>>>21 uleshort >0 \b, at %#4.4x #>>>(21.s) ubequad x %#llx # 2nd phrase? #>>23 uleshort x \b, %#x samples #>>>25 uleshort >0 \b, at %#4.4x #>>>(25.s) ubequad x %#llx # pointer to 1st audio WAV sample >>16 uleshort >0 >>>(16.s) ulelong >0 \b, at %#x # WAV length # 1 space char after "bytes" to get phrase "bytes RIFF" >>>>(16.s+4) ulelong >0 %u bytes # look for magic >>>>>(&-8.l) string RIFF # determine type by ./riff >>>>>>&-4 indirect x # 2 - ~ 131 WAV samples following same way # # Summary: encrypted Garmin Voice Processing Module # From: Joerg Jenderek # URL: https://www.garmin.com/us/products/ontheroad/voicestudio # NOTE: Encrypted variant used in voices like DrNightmare, Elfred, Yeti. # There exist 2 other Garmin VPM formats 0 ubequad 0xa141190fecc8ced6 Garmin Voice Processing Module (encrypted) !:mime audio/x-vpm-garmin !:ext vpm # From Martin Mueller Skarbiniks Pedersen 0 string GDM >0x3 byte 0xFE General Digital Music. >0x4 string >\0 title: "%s" >0x24 string >\0 musician: "%s" >>0x44 beshort 0x0D0A >>>0x46 byte 0x1A >>>>0x47 string GMFS Version >>>>0x4B byte x %d. >>>>0x4C byte x \b%02d >>>>0x4D beshort 0x000 (2GDM v >>>>0x4F byte x \b%d. >>>>>0x50 byte x \b%d) 0 string MTM Multitracker >0x3 byte/16 x Version %d. >0x3 byte&0x0F x \b%02d >>0x4 string >\0 title: "%s" 0 string MO3 >3 ubyte <6 MOdule with MP3 >>3 byte 0 Version 0 (With MP3 and lossless) >>3 byte 1 Version 1 (With ogg and lossless) >>3 byte 3 Version 2.2 >>3 byte 4 (With no LAME header) >>3 byte 5 Version 2.4 0 string ADRVPACK AProSys module # ftp://ftp.modland.com/pub/documents/format_documentation/\ # Art%20Of%20Noise%20(.aon).txt 0 string AON >4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" >0x2e string NAME Art of Noise Tracker Song >3 string <9 >3 string 4 (4 voices) >3 string 8 (8 voices) >>0x36 string >\0 Title: "%s" 0 string FAR >0x2c byte 0x0d >0x2d byte 0x0a >0x2e byte 0x1a >>0x3 byte 0xFE Farandole Tracker Song >>>0x31 byte/16 x Version %d. >>>0x31 byte&0x0F x \b%02d >>>>0x4 string >\0 \b, title: "%s" # magic for Klystrack, https://kometbomb.github.io/klystrack/ # from Alex Myczko 0 string cyd!song Klystrack song >8 byte >0 \b, version %u >8 byte >26 #>>9 byte x \b, channels %u #>>10 leshort x \b, time signature %u #>>12 leshort x \b, sequence step %u #>>14 byte x \b, instruments %u #>>15 leshort x \b, patterns %u #>>17 leshort x \b, sequences %u #>>19 leshort x \b, length %u #>>21 leshort x \b, loop point %u #>>23 byte x \b, master volume %u #>>24 byte x \b, song speed %u #>>25 byte x \b, song speed2 %u #>>26 byte x \b, song rate %u #>>27 belong x \b, flags %#x #>>31 byte x \b, multiplex period %u #>>32 byte x \b, pitch inaccuracy %u >>149 pstring x \b, title %s 0 string cyd!inst Klystrack instrument # magic for WOPL instrument files, https://github.com/Wohlstand/OPL3BankEditor # see Specifications/WOPL-and-OPLI-Specification.txt 0 string WOPL3-INST\0 WOPL instrument >11 leshort x \b, version %u 0 string WOPL3-BANK\0 WOPL instrument bank >11 leshort x \b, version %u # AdLib/OPL instrument files. Format specifications on # http://www.shikadi.net/moddingwiki 0 string Junglevision\ Patch\ File Junglevision instrument data 0 string #OPL_II# DMX OP2 instrument data 0 string IBK\x1a IBK instrument data 0 string 2OP\x1a IBK instrument data, 2 operators 0 string 4OP\x1a IBK instrument data, 4 operators 2 string ADLIB- AdLib instrument data >0 byte x \b, version %u >1 byte x \b.%u # CRI ADX ADPCM audio # Used by various Sega games. # https://en.wikipedia.org/wiki/ADX_(file_format) # https://wiki.multimedia.cx/index.php/CRI_ADX_file # Added by David Korth 0x00 beshort 0x8000 >(2.S-2) string (c)CRI CRI ADX ADPCM audio !:ext adx !:mime audio/x-adx !:strength +50 >>0x12 byte x v%u >>0x04 byte 0x02 \b, pre-set prediction coefficients >>0x04 byte 0x03 \b, standard ADX >>0x04 byte 0x04 \b, exponential scale >>0x04 byte 0x10 \b, AHX (Dreamcast) >>0x04 byte 0x11 \b, AHX >>0x08 belong x \b, %u Hz >>0x12 byte 0x03 >>>0x02 beshort >0x2B >>>>0x18 belong !0 \b, looping >>0x12 byte 0x04 >>>0x02 beshort >0x37 >>>>0x24 belong !0 \b, looping >>0x13 byte&0x08 0x08 \b, encrypted # Lossless audio (.la) (http://www.lossless-audio.com/) 0 string LA >2 string 03 Lossless audio version 0.3 >2 string 04 Lossless audio version 0.4 # Sony PlayStation Audio (.xa) 0 leshort 0x4158 Sony PlayStation Audio # Portable Sound Format # Used for audio rips for various consoles. # http://fileformats.archiveteam.org/wiki/Portable_Sound_Format # Added by David Korth 0 string PSF >3 byte 0x01 >3 byte 0x02 >3 byte 0x11 >3 byte 0x12 >3 byte 0x13 >3 byte 0x21 >3 byte 0x22 >3 byte 0x23 >3 byte 0x41 >>0 string PSF Portable Sound Format !:mime audio/x-psf >>>3 byte 0x01 (Sony PlayStation) >>>3 byte 0x02 (Sony PlayStation 2) >>>3 byte 0x11 (Sega Saturn) >>>3 byte 0x12 (Sega Dreamcast) >>>3 byte 0x13 (Sega Mega Drive) >>>3 byte 0x21 (Nintendo 64) >>>3 byte 0x22 (Game Boy Advance) >>>3 byte 0x23 (Super NES) >>>3 byte 0x41 (Capcom QSound) # Atari 8-bit SAP audio format # http://asap.sourceforge.net/sap-format.html # Added by David Korth 0 string SAP\r\n Atari 8-bit SAP audio file !:mime audio/x-sap !:ext sap >5 search/1024 NAME >>&1 string x \b: %s >>5 search/1024 AUTHOR >>>&1 string x by %s # Nintendo Wii BRSTM audio format (fields) # NOTE: Assuming HEAD starts at 0x40. # FIXME: Replace 0x48 with HEAD offset plus 8. 0 name nintendo-wii-brstm-fields >(0x10.L) string HEAD \b: >>(0x10.L+0x0C) belong x >>>(&-4.L+0x48) belong x >>>>&-4 byte 0 PCM, signed 8-bit, >>>>&-4 byte 1 PCM, signed 16-bit, >>>>&-4 byte 2 THP ADPCM, >>>>&-3 byte !0 looping, >>>>&-2 byte 1 mono >>>>&-2 byte 2 stereo >>>>&-2 byte 3 3 channels >>>>&-2 byte 4 quad >>>>&-2 byte >4 %u channels >>>>&0 beshort !0 %u Hz # Nintendo Wii BRSTM audio format # https://wiibrew.org/wiki/BRSTM_file # Added by David Korth 0 string RSTM Nintendo Wii BRSTM audio file !:mime audio/x-brstm !:ext brstm # Wii is big-endian, so default to BE. >4 beshort 0xFEFF >>0 use nintendo-wii-brstm-fields >4 leshort 0xFEFF >>0 use \^nintendo-wii-brstm-fields # Nintendo 3DS BCSTM audio format (fields) 0 name nintendo-3ds-bcstm-fields >(0x18.l) string INFO \b: # INFO block: Stream information starts at 0x20 (minus 4 for the 'INFO' magic) >>&0x1C byte 0 PCM, signed 8-bit, >>&0x1C byte 1 PCM, signed 16-bit, >>&0x1C byte 2 DSP ADPCM, >>&0x1C byte 3 IMA ADPCM, >>&0x1D byte !0 looping, >>&0x1E byte 1 mono >>&0x1E byte 2 stereo >>&0x1E byte 3 3 channels >>&0x1E byte 4 quad >>&0x1E byte >4 %u channels >>&0x20 lelong !0 %u Hz # Nintendo 3DS BCSTM audio format # https://www.3dbrew.org/wiki/BCSTM # Added by David Korth 0 string CSTM Nintendo 3DS BCSTM audio file !:mime audio/x-bcstm !:ext bcstm # 3DS is little-endian, so default to LE. >4 leshort 0xFEFF >>0 use nintendo-3ds-bcstm-fields >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcstm-fields # Nintendo Wii U BFSTM audio format # http://mk8.tockdom.com/wiki/BFSTM_(File_Format) # NOTE: This format is very similar to BCSTM. # Added by David Korth 0 string FSTM Nintendo Wii U BFSTM audio file !:mime audio/x-bfstm !:ext bfstm # BFSTM is used on both Wii U (BE) and Switch (LE), # so default to LE. >4 leshort 0xFEFF >>0 use nintendo-3ds-bcstm-fields >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcstm-fields # Nintendo 3DS BCSTM audio format (fields) 0 name nintendo-3ds-bcwav-fields >(0x18.l) string INFO \b: # INFO block (minus 4 for INFO magic) >>&0x4 byte 0 PCM, signed 8-bit, >>&0x4 byte 1 PCM, signed 16-bit, >>&0x4 byte 2 DSP ADPCM, >>&0x4 byte 3 IMA ADPCM, >>&0x5 byte !0 looping, >>&0x8 lelong x stereo >>&0x8 lelong !0 %u Hz # Nintendo 3DS BCWAV audio format # https://www.3dbrew.org/wiki/BCWAV # Added by David Korth 0 string CWAV Nintendo 3DS BCWAV audio file !:mime audio/x-bcwav !:ext bcwav # 3DS is little-endian, so default to LE. >4 leshort 0xFEFF >>0 use nintendo-3ds-bcwav-fields >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcwav-fields # Philips DSDIFF audio format (Direct Stream Digital Interchange File Format) # Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations # https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf # From: Toni Ruottu 0 string FRM8 12 string DSD\x20 DSDIFF audio bitstream data !:mime audio/x-dff !:ext dff # format version chunk >&0 string FVER # version 1 >>&8 byte 1 # v1 / sampling resolution ( 1 bit PDM only ) >>>&0 string x \b, 1 bit # v1 / sound property chunk >>>&0 search/0xff PROP >>>>&8 string SND # v1 / sound property chunk / channel configuration chunk >>>>>&0 search/0xff CHNL >>>>>>&8 ubeshort 1 \b, mono >>>>>>&8 ubeshort 2 >>>>>>>&0 string SLFTSRGT \b, stereo >>>>>>>&0 default x \b, 2 channels >>>>>>&8 ubeshort 3 >>>>>>>&0 string SLFTSRGTLFE\x20 \b, 2.1 stereo >>>>>>>&0 string SLFTSRGTC\x20\x20\x20 \b, 3.0 stereo >>>>>>>&0 default x \b, 3 channels >>>>>>&8 ubeshort 4 >>>>>>>&0 string MLFTMRGTLS\x20\x20RS\x20\x20 \b, 4.0 surround >>>>>>>&0 string SLFTSRGTC\x20\x20\x20LFE\x20 \b, 3.1 stereo >>>>>>>&0 default x \b, 4 channels >>>>>>&8 ubeshort 5 >>>>>>>&0 string MLFTMRGTC\x20\x20\x20LS\x20\x20RS\x20\x20 \b, 5.0 surround >>>>>>>&0 string MLFTMRGTLFE\x20LS\x20\x20RS\x20\x20 \b, 4.1 surround >>>>>>>&0 default x \b, 5 channels >>>>>>&8 ubeshort 6 >>>>>>>&0 string MLFTMRGTC\x20\x20\x20LFE\x20LS\x20\x20RS\x20\x20 \b, 5.1 surround >>>>>>>&0 default x \b, 6 channels >>>>>>&8 ubeshort >6 \b, %u channels # v1 / sound property chunk / sample rate chunk >>>>>&0 search/0xff FS\x20\x20 >>>>>>&0 string x \b, >>>>>>&8 ubelong%44100 0 >>>>>>>&-4 ubelong/44100 x "DSD %u" >>>>>>>&-4 ubelong x %u Hz # v1 / sound property chunk / compression type chunk >>>>>&0 search/0xff CMPR >>>>>>&8 string DSD\x20 \b, no compression >>>>>>&8 string DST\x20 \b, DST compression >>>>>>&8 default x \b, unknown compression # v1 / quest for metadata >>>&0 string x # v1 / quest for metadata / edited master information chunk >>>>&0 search DIIN >>>>>&0 ubequad >0 \b, "edited master" metadata # v1 / quest for metadata / ID3 chunk ( defacto standard ) >>>>&0 search ID3\x20 >>>>>&8 string ID3 \b, ID3 version 2 >>>>>&0 byte x \b.%u >>>>>&1 byte x \b.%u # v1 / quest for metadata / failure ( possibly due to -P bytes=... being too low ) >>>>&0 default x \b, ID3 missing (or unreachable) # version > 1 or 0 >>&0 default x \b, unknown version # Sony DSF audio format (Direct Stream Digital Stream File) # Used for lossless digital storage of songs produced as DSD audio # Portable analog of a track stored on a Super Audio CD (SACD) # https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf # From: Toni Ruottu 0 string DSD\x20 DSF audio bitstream data !:mime audio/x-dsf !:ext dsf # format chunk >28 string fmt\x20 # version 1 >>&8 ulelong 1 # v1 / sampling resolution ( 1 bit PDM only ) # NOTE: the spec incorrectly uses "bits per sample" instead of "bits per byte" >>>&0 string x \b, 1 bit # v1 / channel configuration >>>>&4 ulelong 1 \b, mono >>>>&4 ulelong 2 \b, stereo >>>>&4 ulelong 3 \b, 3.0 stereo >>>>&4 ulelong 4 \b, 4.0 surround >>>>&4 ulelong 5 \b, 3.1 stereo >>>>&4 ulelong 6 \b, 5.0 surround >>>>&4 ulelong 7 \b, 5.1 surround >>>>&0 default x >>>>>&4 ulelong x \b, %u channels # v1 / sample rate chunk >>>>&0 string x \b, >>>>&12 ulelong%44100 0 >>>>>&-4 ulelong/44100 x "DSD %u" >>>>&12 ulelong x %u Hz # v1 / compression >>>>&0 string x >>>>>&0 ulelong 0 \b, no compression >>>>>&0 default x \b, unknown compression # v1 / embedded ID3v2 metadata >>>0 string x \b, ID3 >>>>20 ulequad !0 >>>>>(20.q) string ID3 version 2 >>>>>>&0 byte x \b.%u >>>>>>&1 byte x \b.%u # unable to verify ID3 ( possibly due to -P bytes=... being too low ) >>>>>&0 default x unreachable >>>>&0 default x missing # version > 1 or 0 >>&0 default x \b, unknown version #------------------------------------------------------------------------------ # $File: avm,v 1.1 2020/08/28 20:37:58 christos Exp $ # avm: file(1) magic for avm files; this is not use # Summary: FRITZ!Box router configuration backup # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Fritz!Box # Reference: http://www.mengelke.de/Projekte/FritzBoxTools2 # Note: only tested with models 4040 and 6490 Cable (lgi) 0 string ****\ FRITZ!Box\ FRITZ!Box configuration backup #!:mime text/plain !:mime application/x-avm-export !:ext export # router model name like "4040" , "6490 Cable (lgi)" followed by " CONFIGURATION EXPORT" >15 string x of %-.4s # on 2nd line hashed password #>41 search/54 Password= \b, password # on 3rd line firmware version like: 141.06.24 141.06.50 141.07.10 ... 155.06.83 >41 search/172 FirmwareVersion= \b, firmware version >>&0 string x %s # on 5th line oem like: avme lgi >41 search/285 OEM= \b, oem >>&0 string x %s # on 7th line language like: de en >41 search/305 Language= \b, language >>&0 string x %s # on 10th line cfg file name like: /var/tmp.cfg >41 search/349 tmp.cfg # on 11th line date inside c-comment like: Thu Jun 4 22:25:19 2015 >>&4 string x \b, %s # #---------------------------------------------------------------- # $File: basis,v 1.5 2019/04/19 00:42:27 christos Exp $ # basis: file(1) magic for BBx/Pro5-files # Oliver Dammer 2005/11/07 # https://www.basis.com business-basic-files. # 0 string \074\074bbx\076\076 BBx >7 string \000 indexed file >7 string \001 serial file >7 string \002 keyed file >>13 short 0 (sort) >7 string \004 program >>18 byte x (LEVEL %d) >>>23 string >\000 psaved >7 string \006 mkeyed file >>13 short 0 (sort) >>8 string \000 (mkey) #------------------------------------------------------------------------------ # $File: beetle,v 1.2 2018/02/05 23:42:17 rrt Exp $ # beetle: file(1) magic for Beetle VM object files # https://github.com/rrthomas/beetle/ # Beetle object module 0 string BEETLE\000 Beetle VM object file #------------------------------------------------------------------------------ # $File: ber,v 1.2 2019/04/19 00:42:27 christos Exp $ # ber: file(1) magic for several BER formats used in the mobile # telecommunications industry (Georg Sauthoff) # The file formats are standardized by the GSMA (GSM association). # They are specified via ASN.1 schemas and some prose. Basic encoding # rules (BER) is the used encoding. The formats are used for exchanging # call data records (CDRs) between mobile operators and associated # parties for roaming clearing purposes and fraud detection. # The magic file covers: # - TAP files (TD.57) - CDR batches and notifications # - RAP files (TD.32) - return batches and acknowledgements # - NRT files (TD.35) - CDR batches for 'near real time' processing # # TAP 3 Files # TAP -> Transferred Account Procedure # cf. https://www.gsma.com/newsroom/wp-content/uploads/TD.57-v32.31.pdf # TransferBatch short tag 0 byte 0x61 # BatchControlInfo short tag >&1 search/b5 \x64 # Sender long tag #TAP 3.x (BER encoded) >>&1 search/b8 \x5f\x81\x44 # 3 block >>>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 >>>>&0 byte x TAP 3.%d Batch (TD.57, Transferred Account) # Notification short tag 0 byte 0x62 # Sender long tag >2 search/b8 \x5f\x81\x44 # 3 block >>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 >>>&0 byte x TAP 3.%d Notification (TD.57, Transferred Account) # NRT Files # NRT a.k.a. NRTRDE 0 byte 0x61 # 2 block >&1 search/b8 \x5f\x29\x01\x02\x5f\x25\x01 >>&0 byte x NRT 2.%d (TD.35, Near Real Time Roaming Data Exchange) # RAP Files # cf. https://www.gsma.com/newsroom/wp-content/uploads/TD.32-v6.11.pdf # Long ReturnBatch tag 0 string \x7f\x84\x16 # Long RapBatchControlInfo tag >&1 search/b8 \x7f\x84\x19 # 3 block >>&64 search/b64 \x5f\x81\x49\x01\x03\x5f\x81\x3d\x01 # 1 block >>>&1 string/b \x5f\x84\x20\x01\x01\x5f\x84\x1f\x01 >>>>&0 byte x RAP 1.%d Batch (TD.32, Returned Account Procedure), >>>&0 byte x TAP 3.%d # Long Acknowledgement tag 0 string \x7f\x84\x17 # Long Sender tag >&1 search/b5 \x5f\x81\x44 RAP Acknowledgement (TD.32, Returned Account Procedure) #------------------------------------------------------------------------------ # $File: bflt,v 1.5 2014/04/30 21:41:02 christos Exp $ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter # 0 string bFLT BFLT executable >4 belong x - version %d >4 belong 4 >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata #------------------------------------------------------------------------------ # $File: bhl,v 1.1 2017/06/11 22:20:02 christos Exp $ # BlockHashLoc # ext: bhl # Marco Pontello marcopon@gmail.com # reference: https://github.com/MarcoPon/BlockHashLoc 0 string BlockHashLoc\x1a BlockHashLoc recovery info, >13 byte x version %d !:ext bhl #------------------------------------------------------------------------------ # $File: bioinformatics,v 1.5 2019/04/19 00:42:27 christos Exp $ # bioinfomatics: file(1) magic for Bioinfomatics file formats ############################################################################### # BGZF (Blocked GNU Zip Format) - gzip compatible, but also indexable # used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml) ############################################################################### 0 string \037\213 >3 byte &0x04 >>12 string BC >>>14 leshort &0x02 Blocked GNU Zip Format (BGZF; gzip compatible) >>>>16 leshort x \b, block length %d !:mime application/x-gzip ############################################################################### # Tabix index file # used by SAMtools bgzip/tabix (http://samtools.sourceforge.net/tabix.shtml) ############################################################################### 0 string TBI\1 SAMtools TBI (Tabix index format) >0x04 lelong =1 \b, with %d reference sequence >0x04 lelong >1 \b, with %d reference sequences >0x08 lelong &0x10000 \b, using half-closed-half-open coordinates (BED style) >0x08 lelong ^0x10000 >>0x08 lelong =0 \b, using closed and one based coordinates (GFF style) >>0x08 lelong =1 \b, using SAM format >>0x08 lelong =2 \b, using VCF format >0x0c lelong x \b, sequence name column: %d >0x10 lelong x \b, region start column: %d >0x08 lelong =0 >>0x14 lelong x \b, region end column: %d >0x18 byte x \b, comment character: %c >0x1c lelong x \b, skip line count: %d ############################################################################### # BAM (Binary Sequence Alignment/Map format) # used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BAM\1 SAMtools BAM (Binary Sequence Alignment/Map) >0x04 lelong >0 >>&0x00 regex =^[@]HD\t.*VN: \b, with SAM header >>>&0 regex =[0-9.]+ \b version %s >>&(0x04) lelong >0 \b, with %d reference sequences ############################################################################### # BAI (BAM indexing format) # used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) ############################################################################### 0 string BAI\1 SAMtools BAI (BAM indexing format) >0x04 lelong >0 \b, with %d reference sequences ############################################################################### # CRAM (Binary Sequence Alignment/Map format) ############################################################################### 0 string CRAM CRAM >0x04 byte >-1 version %d. >0x05 byte >-1 \b%d >0x06 string >\0 (identified as %s) ############################################################################### # BCF (Binary Call Format), version 1 # used by SAMtools & VCFtools (http://vcftools.sourceforge.net/bcf.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BCF\4 # length of seqnm data in bytes is positive >&0x00 lelong >0 # length of smpl data in bytes is positive >>&(&-0x04) lelong >0 SAMtools BCF (Binary Call Format) # length of meta in bytes >>>&(&-0x04) lelong >0 # have meta text string >>>>&0x00 search ##samtoolsVersion= >>>>>&0x00 string x \b, generated by SAMtools version %s ############################################################################### # BCF (Binary Call Format), version 2.1 # used by SAMtools (https://samtools.github.io/hts-specs/BCFv2_qref.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BCF\2\1 Binary Call Format (BCF) version 2.1 # length of header text >&0x00 lelong >0 # have header string >>&0x00 search ##samtoolsVersion= >>>&0x00 string x \b, generated by SAMtools version %s ############################################################################### # BCF (Binary Call Format), version 2.2 # used by SAMtools (https://samtools.github.io/hts-specs/BCFv2_qref.pdf) # data is normally present only within compressed BGZF blocks (CDATA), so use file -z to examine it ############################################################################### 0 string BCF\2\2 Binary Call Format (BCF) version 2.2 # length of header text >&0x00 lelong >0 # have header string >>&0x00 search ##samtoolsVersion= >>>&0x00 string x \b, generated by SAMtools version %s ############################################################################### # VCF (Variant Call Format) # used by VCFtools (http://vcftools.sourceforge.net/) ############################################################################### 0 search ##fileformat=VCFv Variant Call Format (VCF) >&0 string x \b version %s ############################################################################### # FASTQ # used by MAQ (http://maq.sourceforge.net/fastq.shtml) ############################################################################### # XXX Broken? # @ #0 regex =^@[A-Za-z0-9_.:-]+\?\n # #>&1 regex =^[A-Za-z\n.~]++ # +[] #>>&1 regex =^[A-Za-z0-9_.:-]*\?\n # #>>>&1 regex =^[!-~\n]+\n FASTQ ############################################################################### # FASTA # used by FASTA (https://fasta.bioch.virginia.edu/fasta_www2/fasta_guide.pdf) ############################################################################### #0 byte 0x3e # q>0 regex =^[>][!-~\t\ ]+$ # Amino Acid codes: [A-IK-Z*-]+ #>>1 regex !=[!-'Jj;:=?@^`|~\\] FASTA # IUPAC codes/gaps: [ACGTURYKMSWBDHVNX-]+ # not in IUPAC codes/gaps: [EFIJLOPQZ] #>>>1 regex !=[EFIJLOPQZefijlopqz] \b, with IUPAC nucleotide codes #>>>1 regex =^[EFIJLOPQZefijlopqz]+$ \b, with Amino Acid codes ############################################################################### # SAM (Sequence Alignment/Map format) # used by SAMtools (http://samtools.sourceforge.net/SAM1.pdf) ############################################################################### # Short-cut version to recognise SAM files with (optional) header at beginning ############################################################################### 0 string @HD\t >4 search VN: Sequence Alignment/Map (SAM), with header >>&0 regex [0-9.]+ \b version %s ############################################################################### # Longer version to recognise SAM alignment lines using (many) regexes ############################################################################### # SAM Alignment QNAME 0 regex =^[!-?A-~]{1,255}(\t[^\t]+){11} # SAM Alignment FLAG >0 regex =^([^\t]+\t){1}[0-9]{1,5}\t # SAM Alignment RNAME >>0 regex =^([^\t]+\t){2}\\*|[^*=]*\t # SAM Alignment POS >>>0 regex =^([^\t]+\t){3}[0-9]{1,9}\t # SAM Alignment MAPQ >>>>0 regex =^([^\t]+\t){4}[0-9]{1,3}\t # SAM Alignment CIGAR >>>>>0 regex =\t(\\*|([0-9]+[MIDNSHPX=])+)\t # SAM Alignment RNEXT >>>>>>0 regex =\t(\\*|=|[!-()+->?-~][!-~]*)\t # SAM Alignment PNEXT >>>>>>>0 regex =^([^\t]+\t){7}[0-9]{1,9}\t # SAM Alignment TLEN >>>>>>>>0 regex =\t[+-]{0,1}[0-9]{1,9}\t.*\t # SAM Alignment SEQ >>>>>>>>>0 regex =^([^\t]+\t){9}(\\*|[A-Za-z=.]+)\t # SAM Alignment QUAL >>>>>>>>>>0 regex =^([^\t]+\t){10}[!-~]+ Sequence Alignment/Map (SAM) >>>>>>>>>>>0 regex =^[@]HD\t.*VN: \b, with header >>>>>>>>>>>>&0 regex =[0-9.]+ \b version %s ############################################################################## # # Magic ids for biomedical signal file formats # Copyright (C) 2018 Alois Schloegl # # The list has been derived from biosig projects # http://biosig.sourceforge.net # https://pub.ist.ac.at/~schloegl/matlab/eeg/ # https://pub.ist.ac.at/~schloegl/biosig/TESTED # ############################################################################## # 0 string ABF\x20 Biosig/Axon Binary format !:mime biosig/abf2 0 string ABF2\0\0 Biosig/Axon Binary format !:mime biosig/abf2 # 0 string ATES\x20MEDICA\x20SOFT.\x20EEG\x20for\x20Windows Biosig/ATES MEDICA SOFT. EEG for Windows !:mime biosig/ates # 0 string ATF\x09 Biosig/Axon Text format !:mime biosig/atf # 0 string ADU1 Biosig/Axona file format !:mime biosig/axona 0 string ADU2 Biosig/Axona file format !:mime biosig/axona # 0 string ALPHA-TRACE-MEDICAL Biosig/alpha trace !:mime biosig/alpha # 0 string AxGr Biosig/AXG 0 string axgx Biosig/AXG !:mime biosig/axg # 0 string HeaderLen= Biosig/BCI2000 0 string BCI2000V Biosig/BCI2000 !:mime biosig/bci2000 # ### Specification: https://www.biosemi.com/faq/file_format.htm 0 string \xffBIOSEMI Biosig/Biosemi data format !:mime biosig/bdf # 0 string Brain\x20Vision\x20Data\x20Exchange\x20Header\x20File Biosig/Brainvision data file 0 string Brain\x20Vision\x20V-Amp\x20Data\x20Header\x20File\x20Version Biosig/Brainvision V-Amp file 0 string Brain\x20Vision\x20Data\x20Exchange\x20Marker\x20File,\x20Version Biosig/Brainvision Marker file !:mime biosig/brainvision # 0 string CEDFILE Biosig/CFS: Cambridge Electronic devices File format !:mime biosig/ced # ### Specification: https://www.edfplus.info/specs/index.html 0 string 0\x20\x20\x20\x20\x20\x20\x20 Biosig/EDF: European Data format !:mime biosig/edf # ### Specifications: https://arxiv.org/abs/cs/0608052 0 string GDF Biosig/GDF: General data format for biosignals !:mime biosig/gdf # 0 string DATA\0\0\0\0 Biosig/Heka Patchmaster 0 string DAT1\0\0\0\0 Biosig/Heka Patchmaster 0 string DAT2\0\0\0\0 Biosig/Heka Patchmaster !:mime biosig/heka # 0 string (C)\x20CED\x2087 Biosig/CED SMR !:mime biosig/ced-smr # 0 string CFWB\1\0\0\0 Biosig/CFWB !:mime biosig/cfwb # 0 string DEMG Biosig/DEMG !:mime biosig/demg # 0 string EBS\x94\x0a\x13\x1a\x0d Biosig/EBS !:mime biosig/ebs # 0 string Embla\x20data\x20file Biosig/Embla !:mime biosig/embla # 0 string Header\r\nFile Version Biosig/ETG4000 !:mime biosig/etg4000 # 0 string GALILEO\x20EEG\x20TRACE\x20FILE Biosig/Galileo !:mime biosig/galileo # 0 string IGOR Biosig/IgorPro ITX file !:mime biosig/igorpro # # Specification: http://www.ampsmedical.com/uploads/2017-12-7/The_ISHNE_Format.pdf 0 string ISHNE1.0 Biosig/ISHNE !:mime biosig/ishne # # CEN/ISO 11073/22077 series, http://www.mfer.org/en/document.htm 0 string @\x20\x20MFER\x20 Biosig/MFER 0 string @\x20MFR\x20 Biosig/MFER !:mime biosig/mfer # 0 string NEURALEV Biosig/NEV 0 string N.EV.\0 Biosig/NEV !:mime biosig/nev # 0 string NEX1 Biosig/NEX !:mime biosig/nex1 # 0 string PLEX Biosig/Plexon v1.0 10 string PLEXON Biosig/Plexon v2.0 !:mime biosig/plexon # 0 string \x02\x27\x91\xC6 Biosig/RHD2000: Intan RHD2000 format # # Specification: CEN 1064:2005/ISO 11073:91064 16 string SCPECG\0\0 Biosig/SCP-ECG format CEN 1064:2005/ISO 11073:91064 !:mime biosig/scpecg # 0 string IAvSFo Biosig/SIGIF !:mime biosig/sigif # 0 string POLY\x20SAMPLE\x20FILEversion\x20 Biosig/TMS32 !:mime biosig/tms32 # 0 string FileId=TMSi\x20PortiLab\x20sample\x20log\x20file\x0a\x0dVersion= Biosig/TMSiLOG !:mime biosig/tmsilog # 4 string Synergy\0\48\49\50\46\48\48\51\46\48\48\48\46\48\48\48\0\28\0\0\0\2\0\0\0 >63 string CRawDataElement >>85 string CRawDataBuffer Biosig/SYNERGY !:mime biosig/synergy # 4 string \40\0\4\1\44\1\102\2\146\3\44\0\190\3 Biosig/UNIPRO !:mime biosig/unipro # 0 string VER=9\r\nCTIME= Biosig/WCP !:mime biosig/wcp # 0 string \xAF\xFE\xDA\xDA Biosig/Walter Graphtek 0 string \xDA\xDA\xFE\xAF Biosig/Walter Graphtek 0 string \x55\x55\xFE\xAF Biosig/Walter Graphtek !:mime biosig/walter-graphtek # 0 string V3.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 >32 string [PatInfo] Biosig/Sigma !:mime biosig/sigma # 0 string \067\069\078\013\010\0x1a\04\0x84 Biosig/File exchange format (FEF) !:mime biosig/fef 0 string \67\69\78\0x13\0x10\0x1a\4\0x84 Biosig/File exchange format (FEF) !:mime biosig/fef # 0 string \0\0\0\x64\0\0\0\x1f\0\0\0\x14\0\0\0\0\0\1 >36 string \0\0\0\x65\0\0\0\3\0\0\0\4\0\0 >>56 string \0\0\0\x6a\0\0\0\3\0\0\0\4\0\0\0\0\xff\xff\xff\xff\0\0 Biosig/FIFF !:mime biosig/fiff # #------------------------------------------------------------------------------ # $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $ # blackberry: file(1) magic for BlackBerry file formats # 5 belong 0 >8 belong 010010010 BlackBerry RIM ETP file >>22 string x \b for %s # Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files # https://ftg.lbl.gov/checkpoint 0 string C\0\0\0R\0\0\0 BLCR >16 lelong 1 x86 >16 lelong 3 alpha >16 lelong 5 x86-64 >16 lelong 7 ARM >8 lelong x context data (little endian, version %d) # Uncomment the following only of your "file" program supports "search" #>0 search/1024 VMA\06 for kernel #>>&1 byte x %d. #>>&2 byte x %d. #>>&3 byte x %d 0 string \0\0\0C\0\0\0R BLCR >16 belong 2 SPARC >16 belong 4 ppc >16 belong 6 ppc64 >16 belong 7 ARMEB >16 belong 8 SPARC64 >8 belong x context data (big endian, version %d) # Uncomment the following only of your "file" program supports "search" #>0 search/1024 VMA\06 for kernel #>>&1 byte x %d. #>>&2 byte x \b%d. #>>&3 byte x \b%d #------------------------------------------------------------------------------ # $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # https://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42 0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 leshort x \b%.4d >>8 string =V big endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 beshort x \b%.4d >7 string =- saved as 64-bits >>8 string =v little endian >>9 byte x with version %c. >>10 byte x \b%c >>11 byte x \b%c >>0x44 string =GLOB \b. >>>0x60 leshort x \b%.4d >>8 string =V big endian >>>9 byte x with version %c. >>>10 byte x \b%c >>>11 byte x \b%c >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d # Scripts that run in the embedded Python interpreter 0 string #!BPY Blender3D BPython script #------------------------------------------------------------------------------ # $File: blit,v 1.9 2021/07/03 14:01:46 christos Exp $ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... # # XXX - should this be redone with "be" and "le", so that it works on # little-endian machines as well? If so, what's the deal with # "VAX-order" and "VAX-order2"? # #0 long 0407 68K Blit (standalone) executable #0 short 0407 VAX-order2 68K Blit (standalone) executable 0 short 03401 VAX-order 68K Blit (standalone) executable 0 long 0406 68k Blit mpx/mux executable 0 short 0406 VAX-order2 68k Blit mpx/mux executable # GRR: line below is too general as it matches also TTComp archive, ASCII, 4K handled by ./archive 0 short 03001 VAX-order 68k Blit mpx/mux executable # TODO: # skip TTComp archive, ASCII, 4K by looking for executable keyword like main #>0 search/5536 main\0 VAX-order 68k Blit mpx/mux executable # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable #------------------------------------------------------------------------------ # $File: bm,v 1.2 2021/03/14 16:56:51 christos Exp $ # bm: file(1) magic for "Birtual Machine", cf. https://github.com/tsoding/bm 0 string bm\001\244 Birtual Machine >4 leshort x \b, version %d >6 lelong x \b, program size %u >14 lelong x \b, memory size %u >22 lelong x \b, memory capacity %u #------------------------------------------------------------------------------ # $File: bout,v 1.5 2009/09/19 16:28:08 christos Exp $ # i80960 b.out objects and archives # 0 long 0x10d i960 b.out relocatable object >16 long >0 not stripped # # b.out archive (hp-rt on i960) 0 string =! b.out archive >8 string __.SYMDEF random library #------------------------------------------------------------------------------ # $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # Some object/executable formats use the same magic numbers as are used # in other OSes; those are handled by entries in aout. # 0 lelong 0314 386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) # same as in SunOS 4.x, except for static shared libraries 0 belong&077777777 0600413 SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) 0 belong&077777777 0600410 SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) 0 belong&077777777 0600407 SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) # Chiasmus is an encryption standard developed by the German Federal # Office for Information Security (Bundesamt fuer Sicherheit in der # Informationstechnik). # https://www.bsi.bund.de/EN/Topics/OtherTopics/Chiasmus/Chiasmus_node.html 0 string XIA1\r Chiasmus Encrypted data !:ext xia 0 string XIS Chiasmus key !:ext xis #------------------------------------------------------------------------------ # $File: btsnoop,v 1.5 2009/09/19 16:28:08 christos Exp $ # BTSnoop: file(1) magic for BTSnoop files # # From 0 string btsnoop\0 BTSnoop >8 belong x version %d, >12 belong 1001 Unencapsulated HCI >12 belong 1002 HCI UART (H4) >12 belong 1003 HCI BCSP >12 belong 1004 HCI Serial (H5) >>12 belong x type %d #------------------------------------------------------------ # $File: burp,v 1.1 2022/07/04 17:15:09 christos Exp $ # Burp file, I don't know the version #------------------------------------------------------------ # From wof (wof@stachelkaktus.net) 0 bequad 0x6685828000000001 Burp project save file #------------------------------------------------------------ # $File: bytecode,v 1.3 2022/03/24 15:48:58 christos Exp $ # magic for various bytecodes # From: Mikhail Gusarov # NekoVM (https://nekovm.org/) bytecode 0 string NEKO NekoVM bytecode >4 lelong x (%d global symbols, >8 lelong x %d global fields, >12 lelong x %d bytecode ops) !:mime application/x-nekovm-bytecode # https://www.iana.org/assignments/media-types/application/vnd.resilient.logic # From: Benedikt Muessig 0 belong 0x07524c4d Resilient Logic bytecode !:mime application/vnd.resilient.logic >4 byte/16 x \b, version %d >4 byte&0x0f x \b.%d # Guile file magic from # https://www.gnu.org/s/guile/ # https://git.savannah.gnu.org/gitweb/?p=guile.git;f=libguile/_scm.h;hb=HEAD#l250 0 string GOOF---- Guile Object >8 string LE \b, little endian >8 string BE \b, big endian >11 string 4 \b, 32bit >11 string 8 \b, 64bit >13 regex .\\.. \b, bytecode v%s #------------------------------------------------------------------------------ # $File: c64,v 1.12 2022/05/14 20:03:39 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann 0x16500 belong 0x12014100 D64 Image 0x16500 belong 0x12014180 D71 Image 0x61800 belong 0x28034400 D81 Image 0 belong 0x43154164 X64 Image # C64 (and other CBM) cartridges # Extended by David Korth # Reference: https://vice-emu.sourceforge.io/vice_17.html#SEC391 0 string C64\40CARTRIDGE Commodore 64 cartridge >0x20 ubyte 0 \b, >0x20 ubyte !0 >>0x20 string/T x \b: "%.32s", >0x16 beshort 0 >>0x18 beshort 0x0000 16 KB game >>0x18 beshort 0x0001 8 KB game >>0x18 beshort 0x0100 UltiMax mode >>0x18 beshort 0x0101 RAM/disabled >0x16 beshort 1 Action Replay >0x16 beshort 2 KCS Power Cartridge >0x16 beshort 3 Final Cartridge III >0x16 beshort 4 Simons' BASIC >0x16 beshort 5 Ocean type 1 >0x16 beshort 6 Expert Cartridge >0x16 beshort 7 Fun Play, Power Play >0x16 beshort 8 Super Games >0x16 beshort 9 Atomic Power >0x16 beshort 10 Epyx Fastload >0x16 beshort 11 Westermann Learning >0x16 beshort 12 Rex Utility >0x16 beshort 13 Final Cartridge I >0x16 beshort 14 Magic Formel >0x16 beshort 15 C64 Game System, System 3 >0x16 beshort 16 Warp Speed >0x16 beshort 17 Dinamic >0x16 beshort 18 Zaxxon / Super Zaxxon (Sega) >0x16 beshort 19 Magic Desk, Domark, HES Australia >0x16 beshort 20 Super Snapshot V5 >0x16 beshort 21 Comal-80 >0x16 beshort 22 Structured BASIC >0x16 beshort 23 Ross >0x16 beshort 24 Dela EP64 >0x16 beshort 25 Dela EP7x8 >0x16 beshort 26 Dela EP256 >0x16 beshort 27 Rex EP256 >0x16 beshort 28 Mikro Assembler >0x16 beshort 29 Final Cartridge Plus >0x16 beshort 30 Action Replay 4 >0x16 beshort 31 Stardos >0x16 beshort 32 EasyFlash >0x16 beshort 33 EasyFlash Xbank >0x16 beshort 34 Capture >0x16 beshort 35 Action Replay 3 >0x16 beshort 36 >>0x1A ubyte 1 Nordic Replay >>0x1A ubyte !1 Retro Replay >0x16 beshort 37 MMC64 >0x16 beshort 38 MMC Replay >0x16 beshort 39 IDE64 >0x16 beshort 40 Super Snapshot V4 >0x16 beshort 41 IEEE-488 >0x16 beshort 42 Game Killer >0x16 beshort 43 Prophet64 >0x16 beshort 44 EXOS >0x16 beshort 45 Freeze Frame >0x16 beshort 46 Freeze Machine >0x16 beshort 47 Snapshot64 >0x16 beshort 48 Super Explode V5.0 >0x16 beshort 49 Magic Voice >0x16 beshort 50 Action Replay 2 >0x16 beshort 51 MACH 5 >0x16 beshort 52 Diashow-Maker >0x16 beshort 53 Pagefox >0x16 beshort 54 Kingsoft >0x16 beshort 55 Silverrock 128K Cartridge >0x16 beshort 56 Formel 64 >0x16 beshort 57 >>0x1A ubyte 1 Hucky >>0x1A ubyte !1 RGCD >0x16 beshort 58 RR-Net MK3 >0x16 beshort 59 EasyCalc >0x16 beshort 60 GMod2 >0x16 beshort 61 MAX Basic >0x16 beshort 62 GMod3 >0x16 beshort 63 ZIPP-CODE 48 >0x16 beshort 64 Blackbox V8 >0x16 beshort 65 Blackbox V3 >0x16 beshort 66 Blackbox V4 >0x16 beshort 67 REX RAM-Floppy >0x16 beshort 68 BIS-Plus >0x16 beshort 69 SD-BOX >0x16 beshort 70 MultiMAX >0x16 beshort 71 Blackbox V9 >0x16 beshort 72 Lt. Kernal Host Adaptor >0x16 beshort 73 RAMLink >0x16 beshort 74 H.E.R.O. >0x16 beshort 75 IEEE Flash! 64 >0x16 beshort 76 Turtle Graphics II >0x16 beshort 77 Freeze Frame MK2 0 string C128\40CARTRIDGE Commodore 128 cartridge >0x20 ubyte 0 \b, >0x20 ubyte !0 >>0x20 string/T x \b: "%.32s", >0x16 beshort 0 generic cartridge >0x16 beshort 1 Warpspeed128 >>0x1A ubyte 1 \b, REU support >>0x1A ubyte 2 \b, REU support, with I/O and ROM banking 0 string CBM2\40CARTRIDGE Commodore CBM-II cartridge >0x20 ubyte !0 >>0x20 string/T x \b: "%.32s" 0 string VIC20\40CARTRIDGE Commodore VIC-20 cartridge >0x20 ubyte 0 \b, >0x20 ubyte !0 >>0x20 string/T x \b: "%.32s", >0x16 beshort 0 generic cartridge >0x16 beshort 1 Mega-Cart >0x16 beshort 2 Behr Bonz >0x16 beshort 3 Vic Flash Plugin >0x16 beshort 4 UltiMem >0x16 beshort 5 Final Expansion 0 string PLUS4\40CARTRIDGE Commodore 16/Plus4 cartridge >0x20 ubyte !0 >>0x20 string/T x \b: "%.32s" # DreamLoad archives see: # https://www.lemon64.com/forum/viewtopic.php?t=37415\ # &sid=494dc2ca91289e05dadf80a7f8a968fe (at the bottom). # https://www.c64-wiki.com/wiki/DreamLoad. # Example HVSC Commodore 64 music collection: # https://kohina.duckdns.org/HVSC/C64Music/10_Years_HVSC.dfi 0 byte 0 >1 string DREAMLOAD\40FILE\40ARCHIVE >>0x17 byte 0 DFI Image >>>0x1a leshort x version: %d. >>>0x18 leshort x \b%d >>>0x1c lelong x tracks: %d 0 string GCR-1541 GCR Image >8 byte x version: %i >9 byte x tracks: %i 9 string PSUR ARC archive (c64) 2 string -LH1- LHA archive (c64) 0 string C64File PC64 Emulator file >8 string >\0 "%s" 0 string C64Image PC64 Freezer Image 0 beshort 0x38CD C64 PCLink Image 0 string CBM\144\0\0 Power 64 C64 Emulator Snapshot 0 belong 0xFF424CFF WRAptor packer (c64) 0 string C64S\x20tape\x20file T64 tape Image >32 leshort x Version:%#x >36 leshort !0 Entries:%i >40 string x Name:%.24s 0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x Version:%#x >36 leshort !0 Entries:%i >40 string x Name:%.24s 0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x Version:%#x >36 leshort !0 Entries:%i >40 string x Name:%.24s # Raw tape file format (.tap files) # Esa Hyyti 0 string C64-TAPE-RAW C64 Raw Tape File (.tap), >0x0c byte x Version:%u, >0x10 lelong x Length:%u cycles # magic for Goattracker2, http://covertbitops.c64.org/ # from Alex Myczko 0 string GTS5 GoatTracker 2 song >4 string >\0 \b, "%s" >36 string >\0 \b by %s >68 string >\0 \b (C) %s >100 byte >0 \b, %u subsong(s) # CBM BASIC (cc65 compiled) 0 leshort 0x0801 >2 leshort 0x080b >6 string \x9e CBM BASIC >7 string >\0 \b, SYS %s #------------------------------------------------------------------------------ # $File: cad,v 1.29 2021/12/06 19:33:27 christos Exp $ # autocad: file(1) magic for cad files # # Microstation DGN/CIT Files (www.bentley.com) # Last updated July 29, 2005 by Lester Hightower # DGN is the default file extension of Microstation/Intergraph CAD files. # CIT is the proprietary raster format (similar to TIFF) used to attach # raster underlays to Microstation DGN (vector) drawings. # # http://www.wotsit.org/search.asp # https://filext.com/detaillist.php?extdetail=DGN # https://filext.com/detaillist.php?extdetail=CIT # # https://www.bentley.com/products/default.cfm?objectid=97F351F5-9C35-4E5E-89C2 # 3F86C928&method=display&p_objectid=97F351F5-9C35-4E5E-89C280A93F86C928 # https://www.bentley.com/products/default.cfm?objectid=A5C2FD43-3AC9-4C71-B682 # 721C479F&method=display&p_objectid=A5C2FD43-3AC9-4C71-B682C7BE721C479F # # URL: https://en.wikipedia.org/wiki/MicroStation # reference: http://dgnlib.maptools.org/dgn.html # http://dgnlib.maptools.org/dl/ref18.pdf # Update: Joerg Jenderek # Note: verfied by command like `dgndump seed2d_b.dgn` # test for level 8 and type 5 or 9 0 beshort&0x3F73 0x0801 # level of element like 8 #>0 ubyte&0x3F x \b, level %u #>0 ubyte &0x80 \b, complex #>0 ubyte &0x40 \b, reserved # type of element 9~TCB 8~Digitizer setup 5~Group Data Elements #>1 ubyte&0x7F x \b, type %u # words to follow in element: 17H~CEL library 2FEh~DGN 9FEh,DFEh~CIT #>2 uleshort x \b, words %#4.4x to follow # test for 3 reserved 0 bytes in CIT or "conversion" in ViewInfo structure (DGN CEL) #>508 ubelong x \b, RESERVED %8.8x >508 ubelong&0xFFffFF00 =0 # test for level 8 and type 9 for INGR raster image >>0 beshort 0x0809 # test for length of 1st element is multiple of blocks a 512 bytes >>>2 ubyte 0xfe >>>>0 use ingr-image # test for DGN or CEL by jump words (uleshort) forward to next element >(2.s*2) ulong x # 2nd element type: 8~Digitizer~DesiGNfile 1~library cell header other~CIT #>>&1 ubyte&0x7F x \b, 2nd type %u # DGN >>&1 ubyte&0x7F 8 >>>2 uleshort =0x02FE Bentley/Intergraph Microstation CAD drawing !:mime application/x-bentley-dgn !:ext dgn # The 0x40 bit of this byte is 1 if the file is 3D, otherwise 0 >>>>1214 ubyte &0x40 3D >>>>1214 ubyte ^0x40 2D # 2 chars for name of subunits like ft FT in IN mu m mm '\0 '\040 >>>>1120 string x \b, units %-.2s # 2 chars for name of master unit like IN in ML SU tn th TH HU mm "\0 "\040 \0\0 >>>>1122 string >\0 %-.2s #>>>>1120 ubelong x \b, units %#8.8x # element range low,high x y z like xlow=0 08010000h 01080000h #>>>>4 ubelong !0 \b, xlow %8.8x #>>>>8 ubelong !0 \b, ylow %8.8x #>>>>12 ubelong !0 \b, zlow %8.8x #>>>>16 ubelong !0 \b, xhigh %8.8x #>>>>20 ubelong !0 \b, yhigh %8.8x #>>>>24 ubelong !0 \b, zhigh %8.8x # graphic group number; all other elements in that group have same non-0 number #>>>>28 leshort x \b, grphgrp %#4.4x # words to optional attribute linkage #>>>>30 ubyte x \b, attindx \%o #>>>>31 ubyte x \b\%o # >>30 string \026\105 DGNFile # >>30 string \034\105 DGNFile # >>30 string \073\107 DGNFile # >>30 string \073\110 DGNFile # >>30 string \106\107 DGNFile # >>30 string \110\103 DGNFile # >>30 string \120\104 DGNFile # >>30 string \172\104 DGNFile # >>30 string \172\105 DGNFile # >>30 string \172\106 DGNFile # >>30 string \234\106 DGNFile # >>30 string \273\105 DGNFile # >>30 string \306\106 DGNFile # >>30 string \310\104 DGNFile # >>30 string \341\104 DGNFile # >>30 string \372\103 DGNFile # >>30 string \372\104 DGNFile # >>30 string \372\106 DGNFile # >>30 string \376\103 DGNFile # elements properties indicator #>>>>32 uleshort !0 \b, properties %#4.4x # class 0~Primary #>>>>>32 uleshort&0x000F !0 \b, class %#4.4x # Symbology #>>>>>34 uleshort x \b, Symbology %#4.4x # test for 2nd element type 1~library cell header >>&1 ubyte&0x7F 1 # test for 1st element with level 8 and type 5 for cell library >>>0 beshort 0x0805 Bentley/Intergraph Microstation CAD cell library !:mime application/x-bentley-cel !:ext cel # # URL: http://fileformats.archiveteam.org/wiki/Intergraph_Raster # reference: https://web.archive.org/web/20140903185431/ # http://oreilly.com/www/centers/gff/formats/ingr/index.htm # note: verfied by command like `nconvert -fullinfo LONGLAT.CIT` # display information for intergraph raster bitmap 0 name ingr-image # in 5.37 "Microstation CITFile" "Bentley/Intergraph MicroStation CIT raster CAD" # DataTypeCode indicates format, depth of the pixel data and used compression >4 uleshort x Intergraph raster image >>4 uleshort 0x0009 \b, Run-Length Encoded 1-bit !:mime image/x-intergraph-rle !:ext rel >>4 uleshort 0x0018 \b, CCITT Group 4 1-bit !:mime image/x-intergraph-cit !:ext cit >>4 uleshort 27 \b, Adaptive RLE RGB !:mime image/x-intergraph-rgb !:ext rgb >>4 default x >>>4 uleshort x \b, Type %u !:mime image/x-intergraph # TODO: #>4 uleshort 0 \b, no data # ... #>4 uleshort 0x0045 \b, Continuous Tone CMKY (Uncompressed) # ApplicationType: 0~generic raster image 3~drawing, scanning # 8~I/IMAGE and MicroStation Imager 9~ModelView >6 uleshort !0 \b, ApplicationType %u #>6 uleshort x \b, ApplicationType %u # XViewOrigin; Raster grid data X origin #>8 ulequad !0 \b, XViewOrigin %llx # PixelsPerLine is the number of pixels in a scan line of bitmapp >184 ulelong x \b, %u x # NumberOfLines is height of the raster data in scanlines >188 ulelong x %u # DeviceResolution; resolution of scanning device # positive indicates number of micros between lines; negative indicates DPI #>192 leshort x \b, DeviceResolution %d # ScanlineOrient indicates the origin and the orientation of the scan lines #>194 ubyte x \b, ScanlineOrient %x >194 ubyte x \b, orientation >194 ubyte &0x01 right >194 ubyte ^0x01 left >194 ubyte &0x02 down >194 ubyte ^0x02 top >194 ubyte &0x04 horizontal >194 ubyte ^0x04 vertical # ScannableFlag; Scanline indexing method used #>195 ubyte !0 \b, ScannableFlag %#x # RotationAngle; Rotation angle of raster data #>196 ubequad !0 \b, RotationAngle %#llx # SkewAngle; Skew angle of raster data #>204 ubequad !0 \b, SkewAngle %llx # DataTypeModifier; Additional raster data format info #>212 uleshort !0 \b, DataTypeModifier %#4.4x # DesignFile[66]; Name of the design file >214 string >\0 \b, DesignFile %-.66s # DatabaseFile[66]; Name of the database file >280 string >\0 \b, DatabaseFile %-.66s # ParentGridFile[66]; Name of parent grid file >346 string >\0 \b, ParentGridFile %-.66s # FileDescription[80]; Text description of file and contents >412 string >\0 \b, FileDescription %-.80s # MinValue #>492 ubequad !0 \b, MinValue %#llx # MaxValue #>500 ubequad !0 \b, MaxValue %#llx # Reserved[3]; Unused (always 0) #>508 ubelong&0xFFffFF00 x \b, RESERVED %8.8x # GridFileVersion; Grid File Version like 2 3 #>511 ubyte x \b, GridFileVersion %x # AutoCAD # Merge of the different contributions and updates from https://en.wikipedia.org/wiki/Dwg # and https://www.iana.org/assignments/media-types/image/vnd.dwg 0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0 !:mime image/vnd.dwg 0 string AC1.2 DWG AutoDesk AutoCAD Release 1.2 !:mime image/vnd.dwg 0 string AC1.3 DWG AutoDesk AutoCAD Release 1.3 !:mime image/vnd.dwg 0 string AC1.40 DWG AutoDesk AutoCAD Release 1.40 !:mime image/vnd.dwg 0 string AC1.50 DWG AutoDesk AutoCAD Release 2.05 !:mime image/vnd.dwg 0 string AC2.10 DWG AutoDesk AutoCAD Release 2.10 !:mime image/vnd.dwg 0 string AC2.21 DWG AutoDesk AutoCAD Release 2.21 !:mime image/vnd.dwg 0 string AC2.22 DWG AutoDesk AutoCAD Release 2.22 !:mime image/vnd.dwg 0 string AC1001 DWG AutoDesk AutoCAD Release 2.22 !:mime image/vnd.dwg 0 string AC1002 DWG AutoDesk AutoCAD Release 2.50 !:mime image/vnd.dwg 0 string AC1003 DWG AutoDesk AutoCAD Release 2.60 !:mime image/vnd.dwg 0 string AC1004 DWG AutoDesk AutoCAD Release 9 !:mime image/vnd.dwg 0 string AC1006 DWG AutoDesk AutoCAD Release 10 !:mime image/vnd.dwg 0 string AC1009 DWG AutoDesk AutoCAD Release 11/12 !:mime image/vnd.dwg # AutoCAD DWG versions R13/R14 (www.autodesk.com) # Written December 01, 2003 by Lester Hightower # Based on the DWG File Format Specifications at http://www.opendwg.org/ # AutoCad, from Nahuel Greco # AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) 0 string AC1012 DWG AutoDesk AutoCAD Release 13 !:mime image/vnd.dwg 0 string AC1013 DWG AutoDesk AutoCAD Release 13c3 !:mime image/vnd.dwg 0 string AC1014 DWG AutoDesk AutoCAD Release 14 !:mime image/vnd.dwg 0 string AC1015 DWG AutoDesk AutoCAD 2000 !:mime image/vnd.dwg # A new version of AutoCAD DWG # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321) # From various sources like: # https://autodesk.blogs.com/between_the_lines/autocad-release-history.html 0 string AC1018 DWG AutoDesk AutoCAD 2004/2005/2006 !:mime image/vnd.dwg 0 string AC1021 DWG AutoDesk AutoCAD 2007/2008/2009 !:mime image/vnd.dwg 0 string AC1024 DWG AutoDesk AutoCAD 2010/2011/2012 !:mime image/vnd.dwg 0 string AC1027 DWG AutoDesk AutoCAD 2013-2017 !:mime image/vnd.dwg # From GNU LibreDWG 0 string AC1032 DWG AutoDesk AutoCAD 2018/2019/2020 !:mime image/vnd.dwg 0 string AC1035 DWG AutoDesk AutoCAD 2021 !:mime image/vnd.dwg # KOMPAS 2D drawing from ASCON # This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor # gathered nor specification # ASCON https://ascon.net/main/ in English, # https://ascon.ru/ main site in Russian # Extension is CDW for drawing and FRW for fragment of drawing # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321, https://vkontakte.ru/id16076543) # From: # https://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 # (in russian) and my experiments 0 string KF >2 belong 0x4E00000C Kompas drawing 12.0 SP1 >2 belong 0x4D00000C Kompas drawing 12.0 >2 belong 0x3200000B Kompas drawing 11.0 SP1 >2 belong 0x3100000B Kompas drawing 11.0 >2 belong 0x2310000A Kompas drawing 10.0 SP1 >2 belong 0x2110000A Kompas drawing 10.0 >2 belong 0x08000009 Kompas drawing 9.0 SP1 >2 belong 0x05000009 Kompas drawing 9.0 >2 belong 0x33010008 Kompas drawing 8+ >2 belong 0x1A000008 Kompas drawing 8.0 >2 belong 0x2C010107 Kompas drawing 7+ >2 belong 0x05000007 Kompas drawing 7.0 >2 belong 0x32000006 Kompas drawing 6+ >2 belong 0x09000006 Kompas drawing 6.0 >2 belong 0x5C009005 Kompas drawing 5.11R03 >2 belong 0x54009005 Kompas drawing 5.11R02 >2 belong 0x51009005 Kompas drawing 5.11R01 >2 belong 0x22009005 Kompas drawing 5.10R03 >2 belong 0x22009005 Kompas drawing 5.10R02 mar >2 belong 0x21009005 Kompas drawing 5.10R02 febr >2 belong 0x19009005 Kompas drawing 5.10R01 >2 belong 0xF4008005 Kompas drawing 5.9R01.003 >2 belong 0x1C008005 Kompas drawing 5.9R01.002 >2 belong 0x11008005 Kompas drawing 5.8R01.003 # CAD: file(1) magic for computer aided design files # Phillip Griffith # AutoCAD magic taken from the Open Design Alliance's OpenDWG specifications. # # 3DS (3d Studio files) 0 leshort 0x4d4d >6 leshort 0x2 >>8 lelong 0xa >>>16 leshort 0x3d3d 3D Studio model # Beat sgi MMV !:strength +20 !:mime image/x-3ds !:ext 3ds # MegaCAD 2D/3D drawing (.prt) # https://megacad.de/ # From: Markus Heidelberg 0 string MegaCad23\0 MegaCAD 2D/3D drawing # Hoops CAD files # https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ # HSF_architecture.html # Stephane Charette 0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format) >7 regex/9 V[.0-9]{4,5}\020 %s !:ext hsf # AutoCAD Drawing Exchange Format 0 regex \^[\ \t]*0\r?\000$ >1 regex \^[\ \t]*SECTION\r?$ >>2 regex \^[\ \t]*2\r?$ >>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format !:mime application/x-dxf !:ext dxf >>>>&1 search/8192 AC1006 \b, R10 >>>>&1 search/8192 AC1009 \b, R11/R12 >>>>&1 search/8192 AC1012 \b, R13 >>>>&1 search/8192 AC1013 \b, R13c3 >>>>&1 search/8192 AC1014 \b, R14 >>>>&1 search/8192 AC1015 \b, version 2000 >>>>&1 search/8192 AC1018 \b, version 2004 >>>>&1 search/8192 AC1021 \b, version 2007 >>>>&1 search/8192 AC1024 \b, version 2010 >>>>&1 search/8192 AC1027 \b, version 2013 >>>>&1 search/8192 AC1032 \b, version 2018 >>>>&1 search/8192 AC1035 \b, version 2021 # The Sketchup 3D model format https://www.sketchup.com/ 0 string \xff\xfe\xff\x0e\x53\x00\x6b\x00\x65\x00\x74\x00\x63\x00\x68\x00\x55\x00\x70\x00\x20\x00\x4d\x00\x6f\x00\x64\x00\x65\x00\x6c\x00 SketchUp Model !:mime application/vnd.sketchup.skp !:ext skp 4 regex/b P[0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9][0-9][0-9][0-9]\\.[0-9] NAXOS CAD System file from version %s !:strength +40 # glTF (GL Transmission Format) - by the Khronos Group # Reference: https://github.com/KhronosGroup/glTF/tree/master/specification/2.0#glb-file-format-specification 0 string glTF glTF binary model >4 ulelong x \b, version %d >8 ulelong x \b, length %d bytes !:mime model/gltf-binary !:ext glb # FBX (FilmBoX) - by Kaydara/Autodesk # Reference: https://code.blender.org/2013/08/fbx-binary-file-format-specification 0 string Kaydara\ FBX\ Binary\ \ \0 Kaydara FBX model, >&2 ulelong x version %d !:ext fbx # PLY (Polygon File Format/Stanford Triangle Format) - by Greg Turk # Reference: https://web.archive.org/web/20161204152348/http://www.dcs.ed.ac.uk/teaching/cs4/www/graphics/Web/ply.html 0 string ply\n PLY model, !:ext ply >4 string format\ ascii\ ASCII, >>&0 regex/6 [0-9.]+ version %s >4 string format\ binary binary, >>&0 string _little_endian\ little endian, >>>&0 regex/6 [0-9.]+ version %s >>&0 string _big_endian\ big endian, >>>&0 regex/6 [0-9.]+ version %s # VRML (Virtual Reality Modeling Language) - by the Web3D Consortium # From: Michel Briand # Reference: https://www.web3d.org/standards 0 string/w #VRML\ V1.0\ ascii VRML 1 file !:mime model/vrml !:ext wrl 0 string/w #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file !:mime model/vrml !:ext wrl # X3D, VRML encoded 0 string #X3D X3D (Extensible 3D) model, VRML format >4 string V >>5 regex/6 [0-9.]+ \b, version %s !:mime model/x3d+vrml !:ext x3dv ## XML-based 3D CAD Formats # From: Michel Briand , Oliver Galvin 0 string/w \20 search/1000/w \20 search/1000/w \20 search/1000/w xmlns="http://schemas.microsoft.com/3dmanufacturing 3MF (3D Manufacturing Format) model, XML document !:mime model/3mf !:ext 3mf # AMF (Additive Manufacturing File) # Reference: https://www.astm.org/Standards/ISOASTM52915.htm >20 search/1000/w \4 ubelong >30 compiled Java class data, !:mime application/x-java-applet #!:mime application/java-byte-code !:ext class >>6 ubeshort x version %d. >>4 ubeshort x \b%d # for debugging purpose version as hexadecimal to compare with Mach-O universal binary #>>4 ubelong x (%#8.8x) # Which is which? # https://docs.oracle.com/javase/specs/jvms/se6/html/ClassFile.doc.html #>>4 belong 0x002b (Java 0.?) #>>4 belong 0x032d (Java 1.0) #>>4 belong 0x032d (Java 1.1) >>4 belong 0x002e (Java 1.2) >>4 belong 0x002f (Java 1.3) >>4 belong 0x0030 (Java 1.4) >>4 belong 0x0031 (Java 1.5) >>4 belong 0x0032 (Java 1.6) >>4 belong 0x0033 (Java 1.7) >>4 belong 0x0034 (Java 1.8) >>4 belong 0x0035 (Java SE 9) >>4 belong 0x0036 (Java SE 10) >>4 belong 0x0037 (Java SE 11) >>4 belong 0x0038 (Java SE 12) >>4 belong 0x0039 (Java SE 13) >>4 belong 0x003A (Java SE 14) >>4 belong 0x003B (Java SE 15) >>4 belong 0x003C (Java SE 16) >>4 belong 0x003D (Java SE 17) >>4 belong 0x003E (Java SE 18) >>4 belong 0x003F (Java SE 19) >>4 belong 0x0040 (Java SE 20) # pool count unequal zero #>>8 beshort x \b, pool count %#x # pool table #>>10 ubequad x \b, pool %#16.16llx... 0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. >4 byte x \b%d !:mime application/x-java-pack200 0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. >4 byte x \b%d !:mime application/x-java-pack200 ### JAVA END ### ### MACH-O START ### # URL: https://en.wikipedia.org/wiki/Mach-O 0 name mach-o \b [ # for debugging purpose CPU type as hexadecimal #>0 ubequad x CPU=%16.16llx # display CPU type as string like: i386 x86_64 ... armv7 armv7k ... >0 use mach-o-cpu \b # for debugging purpose print offset to 1st mach_header like: # 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h #>8 ubelong x at %#x offset >(8.L) indirect x \b: >0 belong x \b] # Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ # include/mach-o/fat.h # include/mach/machine.h 0 belong 0xcafebabe >4 belong 1 Mach-O universal binary with 1 architecture: !:mime application/x-mach-binary >>8 use mach-o \b # nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 >4 ubelong >1 >>4 ubelong <20 Mach-O universal binary with %d architectures: !:mime application/x-mach-binary >>>8 use mach-o \b >>>4 ubelong >1 >>>>28 use mach-o \b >>>4 ubelong >2 >>>>48 use mach-o \b >>>4 ubelong >3 >>>>68 use mach-o \b >>>4 ubelong >4 >>>>88 use mach-o \b >>>4 ubelong >5 >>>>108 use mach-o \b ### MACH-O END ### #------------------------------------------------------------------------------ # $File: cbor,v 1.1 2015/01/28 01:05:21 christos Exp $ # cbor: file(1) magic for CBOR files as defined in RFC 7049 0 string \xd9\xd9\xf7 Concise Binary Object Representation (CBOR) container !:mime application/cbor >3 ubyte <0x20 (positive integer) >3 ubyte <0x40 >>3 ubyte >0x1f (negative integer) >3 ubyte <0x60 >>3 ubyte >0x3f (byte string) >3 ubyte <0x80 >>3 ubyte >0x5f (text string) >3 ubyte <0xa0 >3 ubyte >0x7f (array) >3 ubyte <0xc0 >>3 ubyte >0x9f (map) >3 ubyte <0xe0 >>3 ubyte >0xbf (tagged) >3 ubyte >0xdf (other) #------------------------------------------------------------------------------ # $File: ccf,v 1.1 2022/02/15 12:57:45 christos Exp $ # file(1) magic(5) data for Phillips remote controls # Exchange format for Philips Pronto universal infrared remote controls # A CCF file describes a learned/customized remote control, # i.e. it contains button UI and infrared pulse code definitions # (Georg Sauthoff) # http://files.remotecentral.com/download/45/pan-air-csakr.zip.html # https://github.com/gsauthof/pronto-ccf/blob/ 8 string @\xa5Z@_CCF >32 string CCF\x00 Philips Pronto IR remote control CCF #------------------------------------------------------------------------------ # $File: cddb,v 1.4 2009/09/19 16:28:08 christos Exp $ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From # # This is the /etc/magic entry to decode datafiles as used by # CDDB-enabled CD player applications. # 0 search/1/w #\040xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------ # $File: chord,v 1.5 2010/09/20 19:19:16 rrt Exp $ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter # File format is actually free, but many distributed files begin with `{title' # 0 string {title Chord text file # Type: PowerTab file format # URL: http://www.power-tab.net/ # From: Jelmer Vernooij 0 string ptab\003\000 Power-Tab v3 Tablature File 0 string ptab\004\000 Power-Tab v4 Tablature File #------------------------------------------------------------------------------ # $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code # # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. 0 belong&0xffffff00 0x85011400 cisco IOS microcode >7 string >\0 for '%s' 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode >7 string >\0 for '%s' #------------------------------------------------------------------------------ # $File: citrus,v 1.5 2021/01/04 19:48:31 christos Exp $ # citrus locale declaration # 0 string RuneCT Citrus locale declaration for LC_CTYPE 0 string CtrsME Citrus locale declaration for LC_MESSAGES 0 string CtrsMO Citrus locale declaration for LC_MONETARY 0 string CtrsNU Citrus locale declaration for LC_NUMERIC 0 string CtrsTI Citrus locale declaration for LC_TIME #------------------------------------------------------------------------------ # $File: c-lang,v 1.30 2021/08/16 10:17:05 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML # BCPL 0 search/8192 "libhdr" BCPL source text !:mime text/x-bcpl 0 search/8192 "LIBHDR" BCPL source text !:mime text/x-bcpl # C # Check for class if include is found, otherwise class is beaten by include because of lowered strength 0 search/8192 #include >0 regex \^#include C >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text !:strength + 13 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text !:mime text/x-c 0 search/8192 endif >0 regex \^#[[:space:]]*(if\|ifn)def >>&0 regex \^#[[:space:]]*endif$ C source text !:mime text/x-c 0 search/8192 define >0 regex \^#[[:space:]]*(if\|ifn)def >>&0 regex \^#[[:space:]]*define C source text !:mime text/x-c 0 search/8192 char >0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c 0 search/8192 double >0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c 0 search/8192 extern >0 regex \^[[:space:]]*extern[[:space:]]+ C source text !:mime text/x-c 0 search/8192 float >0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c 0 search/8192 struct >0 regex \^struct[[:space:]]+ C source text !:mime text/x-c 0 search/8192 union >0 regex \^union[[:space:]]+ C source text !:mime text/x-c 0 search/8192 main( >&0 search/64 String Java source text !:mime text/x-java >&0 default x >>&0 regex \\)[[:space:]]*\\{ C source text !:mime text/x-c # C++ # The strength of these rules is increased so they beat the C rules above 0 search/8192 namespace >0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text !:strength + 30 !:mime text/x-c++ # using namespace [namespace] or using std::[lib] 0 search/8192 using >0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text !:strength + 30 !:mime text/x-c++ 0 search/8192 template >0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text !:strength + 30 !:mime text/x-c++ 0 search/8192 virtual >0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text !:strength + 30 !:mime text/x-c++ # But class alone is reduced to avoid beating php (Jens Schleusener) 0 search/8192 class >0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text !:strength + 13 !:mime text/x-c++ 0 search/8192 public >0 regex \^[[:space:]]*public: C++ source text !:strength + 30 !:mime text/x-c++ 0 search/8192 private >0 regex \^[[:space:]]*private: C++ source text !:strength + 30 !:mime text/x-c++ 0 search/8192 protected >0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C 0 search/8192 #import >0 regex \^#import Objective-C source text !:strength + 25 !:mime text/x-objective-c # From: Mikhail Teterin 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time between # versions 11 and 15, so look for -q if version is above 14: >7 string >14 >>10 search/100 \ -q\ with inverted index >10 search/100 \ -c\ text (non-compressed) #------------------------------------------------------------------------------ # $File: clarion,v 1.5 2014/04/30 21:41:02 christos Exp $ # clarion: file(1) magic for # Clarion Personal/Professional Developer # (v2 and above) # From: Julien Blache # Database files # signature 0 leshort 0x3343 Clarion Developer (v2 and above) data file # attributes >2 leshort &0x0001 \b, locked >2 leshort &0x0004 \b, encrypted >2 leshort &0x0008 \b, memo file exists >2 leshort &0x0010 \b, compressed >2 leshort &0x0040 \b, read only # number of records >5 lelong x \b, %d records # Memo files 0 leshort 0x334d Clarion Developer (v2 and above) memo data # Key/Index files # No magic? :( # Help files 0 leshort 0x49e0 Clarion Developer (v2 and above) help data #------------------------------------------------------------------------------ # $File: claris,v 1.8 2016/07/18 19:23:38 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" # Claris Works a word processor, etc. # Version 3.0 # .pct claris works clip art files #0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 #* #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal 514 string \377\377\377\377\000 >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art 514 string \377\377\377\377\001 >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art # Claris works files # .cwk # Moved to Apple AppleWorks document #0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document # .plt 0 string \020\341\000\000\010\010 Claris Works palette files .plt # .msp a dictionary file I am not sure about this I have only one .msp file 0 string \002\271\262\000\040\002\000\164 Claris works dictionary # .usp are user dictionary bits # I am not sure about a magic header: #0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 # soh S p f 8 U D sp ^ S cr nl p o d i #0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 # a t r i s t sp ^ S cr nl d i v sp # # .mth Thesaurus # starts with \0 but no magic header # .chy Hyphenation file # I am not sure: 000 210 034 000 000 # other claris files #./windows/claris/useng.ndx: data #./windows/claris/xtndtran.l32: data #./windows/claris/xtndtran.lst: data #./windows/claris/clworks.lbl: data #./windows/claris/clworks.prf: data #./windows/claris/userd.spl: data #------------------------------------------------------------------------------ # $File: clipper,v 1.9 2020/12/15 23:57:27 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # # >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST # # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # # >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST # # as SVR3.1's "file" doesn't support anything of the "!074000,000000" # sort, nor does SunOS 4.x, so either it's something Intergraph added # in CLIX, or something AT&T added in SVR3.2 or later, or something # somebody else thought was a good idea; it's not documented in the # man page for this version of "magic", nor does it appear to be # implemented (at least not after I blew off the bogus code to turn # old-style "&"s into new-style "&"s, which just didn't work at all). # 0 short 0575 CLIPPER COFF executable (VAX #) >20 short 0407 (impure) >20 short 0410 (5.2 compatible) >20 short 0411 (pure) >20 short 0413 (demand paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %d 0 short 0577 CLIPPER COFF executable >18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST >20 short 0407 (impure) >20 short 0410 (pure) >20 short 0411 (separate I&D) >20 short 0413 (paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %d >48 long&01 01 alignment trap enabled >52 byte 1 -Ctnc >52 byte 2 -Ctsw >52 byte 3 -Ctpw >52 byte 4 -Ctcb >53 byte 1 -Cdnc >53 byte 2 -Cdsw >53 byte 3 -Cdpw >53 byte 4 -Cdcb >54 byte 1 -Csnc >54 byte 2 -Cssw >54 byte 3 -Cspw >54 byte 4 -Cscb #4 string pipe CLIPPER instruction trace #4 string prof CLIPPER instruction profile #------------------------------------------------------------------------------ # file: file(1) magic for Clojure # URL: https://clojure.org/ # From: Jason Felice 0 string/w #!\ /usr/bin/clj Clojure script text executable !:mime text/x-clojure 0 string/w #!\ /usr/local/bin/clj Clojure script text executable !:mime text/x-clojure 0 string/w #!\ /usr/bin/clojure Clojure script text executable !:mime text/x-clojure 0 string/w #!\ /usr/local/bin/clojure Clojure script text executable !:mime text/x-clojure 0 string/W #!/usr/bin/env\ clj Clojure script text executable !:mime text/x-clojure 0 string/W #!/usr/bin/env\ clojure Clojure script text executable !:mime text/x-clojure 0 string/W #!\ /usr/bin/env\ clj Clojure script text executable !:mime text/x-clojure 0 string/W #!\ /usr/bin/env\ clojure Clojure script text executable !:mime text/x-clojure 0 regex \^\\\(ns[[:space:]]+[a-z] Clojure module source text !:mime text/x-clojure 0 regex \^\\\(ns[[:space:]]+\\\^\\{: Clojure module source text !:mime text/x-clojure 0 regex \^\\\(defn-?[[:space:]] Clojure module source text !:mime text/x-clojure #------------------------------------------------------------------------------ # $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # # by Joerg Jenderek at Oct 2015, Feb 2021 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html # display name+variables+flags of Common Object Files Format (32bit) # Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags >18 uleshort&0x8E80 0 # skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections >>2 uleshort >0 # skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections >>>2 uleshort <4207 >>>>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) >>>>0 uleshort 0x014C Intel 80386 # Hitachi SH big-endian COFF (./hitachi-sh) >>>>0 uleshort 0x0500 Hitachi SH big-endian # Hitachi SH little-endian COFF (./hitachi-sh) >>>>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) #>>>>0 uleshort 0x01DF # MS Windows COFF Intel Itanium, AMD64 # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx >>>>0 uleshort 0x0200 Intel ia64 >>>>0 uleshort 0x8664 Intel amd64 # ARM COFF (./arm) >>>>0 uleshort 0xaa64 Aarch64 >>>>0 uleshort 0x01c0 ARM >>>>0 uleshort 0x01c2 ARM Thumb >>>>0 uleshort 0x01c4 ARMv7 Thumb # TODO for other COFFs #>>>>0 uleshort 0xABCD COFF_TEMPLATE >>>>0 default x >>>>>0 uleshort x type %#04x >>>>0 uleshort x COFF # F_EXEC flag bit >>>>18 leshort ^0x0002 object file !:mime application/x-coff !:ext o/obj/lib # no cof sample found #!:ext cof/o/obj/lib >>>>18 leshort &0x0002 executable #!:mime application/x-coffexec # F_RELFLG flag bit,static object >>>>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit >>>>18 leshort &0x0004 \b, no line number info # F_LSYMS flag bit >>>>18 leshort &0x0008 \b, stripped >>>>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions #0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit #>>>>18 leshort &0x0100 \b, 32 bit little endian #0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY # f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124 >>>>2 uleshort <2 \b, %u section >>>>2 uleshort >1 \b, %u sections # f_symptr - symbol table pointer, only for not stripped # like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0 >>>>8 ulelong >0 \b, symbol offset=%#x # f_nsyms - number of symbols, only for not stripped # like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 >>>>12 ulelong >0 \b, %d symbols # f_opthdr - optional header size. An object file should have a value of 0 >>>>16 uleshort >0 \b, optional header size %u # f_timdat - file time & date stamp only for little endian >>>>4 ledate >0 \b, created %s # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files >>>>16 uleshort =0 # first section name s_name[8] like: .text .data .debug$S .drectve .testseg >>>>>20 string x \b, 1st section name "%.8s" # >20 beshort 0407 (impure) # >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) # >20 beshort 0421 (standalone) # >22 leshort >0 - version %d # >168 string .lowmem Apple toolbox #------------------------------------------------------------------------------ # $File: commands,v 1.69 2022/04/20 21:14:23 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 0 string/fwt #!\ /bin/sh POSIX shell script text executable !:mime text/x-shellscript 0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript # korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string/fwt #!\ /bin/ksh Korn shell script text executable !:mime text/x-shellscript 0 string/fwb #!\ /bin/ksh Korn shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript # # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) 0 string/fwt #!\ /bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/env\ zsh Paul Falstad's zsh script text executable !:mime text/x-shellscript 0 string/fwt #!\ /bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/bin/ash Neil Brown's ash script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/bin/ae Neil Brown's ae script text executable !:mime text/x-shellscript 0 string/fwt #!\ /bin/nawk new awk script text executable !:mime text/x-nawk 0 string/fwt #!\ /usr/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/fwt #!\ /usr/local/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/fwt #!\ /bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/fwt #!\ /usr/local/bin/gawk GNU awk script text executable !:mime text/x-gawk # 0 string/fwt #!\ /bin/awk awk script text executable !:mime text/x-awk 0 string/fwt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk 0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell 0 string/fwt #!\ /bin/rc Plan 9 rc shell script text executable # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string/fwt #!\ /bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/fwb #!\ /bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/fwb #!\ /usr/bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/fwb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript 0 string/fwb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable !:mime text/x-shellscript # Fish shell magic # From: Benjamin Lowry 0 string/fwt #!\ /usr/local/bin/fish fish shell script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/fish fish shell script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable !:mime text/x-shellscript 0 string/wt #!\ a >&-1 string/T x %s script text executable 0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable !:mime text/x-tcl 0 search/1/fwt #!\ /usr/bin/texlua LuaTex script text executable !:mime text/x-luatex 0 search/1/fwt #!\ /usr/bin/luatex LuaTex script text executable !:mime text/x-luatex 0 search/1/fwt #!\ /usr/bin/stap Systemtap script text executable !:mime text/x-systemtap # From: Kylie McClain # Type: execline scripts # URL: https://skarnet.org/software/execline/ 0 string/fwt #!\ /command/execlineb execline script text executable !:mime text/x-execline 0 string/fwt #!\ /bin/execlineb execline script text executable !:mime text/x-execline 0 string/fwt #!\ /usr/bin/execlineb execline script text executable !:mime text/x-execline 0 string/fwt #!\ /usr/bin/env\ execlineb execline script text executable !:mime text/x-execline 0 string #! >0 regex \^#!.*/bin/execlineb([[:space:]].*)*$ execline script text executable !:mime text/x-execline # PHP scripts # Ulf Harnhammar 0 search/1/c = 0 string =5 regex [\ \n] >>6 string /*\ Smarty\ version Smarty compiled template >>>24 regex [0-9.]+ \b, version %s !:mime text/x-php 0 string Zend\x00 PHP script Zend Optimizer data # From: Anatol Belski 0 string OPCACHE >7 ubyte 0 PHP opcache filecache data 0 search/64 --TEST-- >16 search/64 --FILE-- >24 search/8192 --EXPECT PHP core test !:ext phpt # https://www.php.net/manual/en/phar.fileformat.signature.php -4 string GBMB PHP phar archive >-8 ubyte 0x1 with MD5 signature !:ext phar >-8 ubyte 0x2 with SHA1 signature !:ext phar >-8 ubyte 0x3 with SHA256 signature !:ext phar >-8 ubyte 0x4 with SHA512 signature !:ext phar >-8 ubyte 0x10 with OpenSSL signature !:ext phar >-8 ubyte 0x11 with OpenSSL SHA256 signature !:ext phar >-8 ubyte 0x12 with OpenSSL SHA512 signature !:ext phar 0 string/t $! DCL command file # Type: Pdmenu # URL: https://packages.debian.org/pdmenu # From: Edward Betts 0 string #!/usr/bin/pdmenu Pdmenu configuration file text # From Danny Weldon 0 string \x0b\x13\x08\x00 >0x04 uleshort <4 ksh byte-code version %d #---------------------------------------------------------------------------- # $File: communications,v 1.5 2009/09/19 16:28:08 christos Exp $ # communication # TTCN is the Tree and Tabular Combined Notation described in ISO 9646-3. # It is used for conformance testing of communication protocols. # Added by W. Borgert . 0 string $Suite TTCN Abstract Test Suite >&1 string $SuiteId >>&1 string >\n %s >&2 string $SuiteId >>&1 string >\n %s >&3 string $SuiteId >>&1 string >\n %s # MSC (message sequence charts) are a formal description technique, # described in ITU-T Z.120, mainly used for communication protocols. # Added by W. Borgert . 0 string mscdocument Message Sequence Chart (document) 0 string msc Message Sequence Chart (chart) 0 string submsc Message Sequence Chart (subchart) #------------------------------------------------------------------------------ # $File: compress,v 1.83 2022/08/16 11:16:39 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. # # Formats for various forms of compressed data # Formats for "compress" proper have been moved into "compress.c", # because it tries to uncompress it to figure out what's inside. # standard unix compress 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # URL: https://en.wikipedia.org/wiki/Gzip # Reference: https://tools.ietf.org/html/rfc1952 # Update: Joerg Jenderek, Apr 2019 # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). # Note: find defs -iname '*.trid.xml' -exec grep -q '1F8B08' {} \; -ls # TODO: # FBR Blueberry FlashBack screen Record https://www.flashbackrecorder.com/ # KPR KOffice/Calligra KPresenter application/x-kpresenter # KPT KOffice/Calligra KPresenter template? application/x-kpresenter # SAV Diggles Saved Game File http://www.innonics.com # SAV FarCry (demo) saved game http://www.farcry-thegame.com # DAT ZOAGZIP game data format http://en.wikipedia.org/wiki/SD_Gundam_Capsule_Fighter 0 string \037\213 # to display gzip compressed (strength=100=2*50) before other (strength=50)? #!:strength * 2 # no FNAME and FCOMMENT bit implies no file name/comment. That means only binary >3 byte&0x18 =0 # For binary gzipped no ASCII text should occur # mcd-monu-cad.trid.xml >>10 string MCD Monu-Cad Drawing, Component or Font #>>36 string Created\ with\ MONU-CAD #!:mime application/octet-stream # http://fileformats.archiveteam.org/wiki/Monu-CAD # http://www.monucad.com/downloads/FullDemo-2005.EXE # /HANDS96.MCC Component # /DEMO_DD01.MCD Drawing # /MCALF020.FNT Font !:ext mcc/mcd/fnt # http://www.generalcadd.com >>10 string GXD General CADD, Drawing or Component #!:mime application/octet-stream # /gxc/BUILDINGEDGE.gxc Component # /gxd/HOCKETT-STPAUL-WRHSE.gxd Drawing # /gxd/POWERLAND-MILL-ADD-11.gxd Drawing v9.1.06 !:ext gxc/gxd #>>>13 ubyte 0 \b, version 0 >>>13 string 09 \b, version 9 # other gzipped binary like gzipped tar, VirtualBox extension package,... >>10 default x gzip compressed data !:mime application/gzip >>>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 >>-0 offset >48 >>>-4 ulelong x \b, original size modulo 2^32 %u >>-0 offset <48 \b, truncated # gzipped TAR or VirtualBox extension package #!:mime application/x-compressed-tar #!:mime application/x-virtualbox-vbox-extpack # https://www.w3.org/TR/SVG/mimereg.html #!:mime image/image/svg+xml-compressed # zlib.3.gz # microcode-20180312.tgz # tpz same as tgz # lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg # Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack !:ext gz/tgz/tpz/ipk/vbox-extpack/svgz # FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text >3 byte&0x18 >0 gzip compressed data !:mime application/gzip # gzipped tar, gzipped Abiword document #!:mime application/x-compressed-tar #!:mime application/x-abiword-compressed #!:mime image/image/svg+xml-compressed # kleopatra_splashscreen.svgz gzipped .svg !:ext gz/tgz/tpz/zabw/svgz >>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 >>-0 offset >48 >>>-4 ulelong x \b, original size modulo 2^32 %u >>-0 offset <48 \b, truncated # display information of gzip compressed files 0 name gzip-info #>2 byte x THIS iS GZIP >2 byte <8 \b, reserved method >2 byte >8 \b, unknown method >3 byte &0x01 \b, ASCII >3 byte &0x02 \b, has CRC >3 byte &0x04 \b, extra field >3 byte&0xC =0x08 >>10 string x \b, was "%s" >3 byte &0x10 \b, has comment >3 byte &0x20 \b, encrypted >4 ledate >0 \b, last modified: %s >8 byte 2 \b, max compression >8 byte 4 \b, max speed >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x04 \b, from VM/CMS >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte =0x07 \b, from MacOS >9 byte =0x08 \b, from Z-System >9 byte =0x09 \b, from CP/M >9 byte =0x0A \b, from TOPS/20 >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS # size of the original (uncompressed) input data modulo 2^32 #>-4 ulelong x \b, original size modulo 2^32 %u #ERROR: line 114: non zero offset 1048572 at level 1 # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # # This magic number is byte-order-independent. 0 short 0x1f1f old packed data !:mime application/octet-stream # XXX - why *two* entries for "compacted data", one of which is # byte-order independent, and one of which is byte-order dependent? # 0 short 0x1fff compacted data !:mime application/octet-stream # This string is valid for SunOS (BE) and a matching "short" is listed # in the Ultrix (LE) magic file. 0 string \377\037 compacted data !:mime application/octet-stream 0 short 0145405 huf output !:mime application/octet-stream # bzip2 0 string BZh bzip2 compressed data !:mime application/x-bzip2 !:ext bz2 >3 byte >47 \b, block size = %c00k # bzip a block-sorting file compressor # by Julian Seward and others 0 string BZ0 bzip compressed data !:mime application/x-bzip >3 byte >47 \b, block size = %c00k # lzip 0 string LZIP lzip compressed data !:mime application/x-lzip >4 byte x \b, version: %d # squeeze and crunch # Michael Haardt 0 beshort 0x76FF squeezed data, >4 string x original name %s 0 beshort 0x76FE crunched data, >2 string x original name %s 0 beshort 0x76FD LZH compressed data, >2 string x original name %s # Freeze 0 string \037\237 frozen file 2.1 0 string \037\236 frozen file 1.0 (or gzip 0.5) # SCO compress -H (LZH) 0 string \037\240 SCO compress -H (LZH) data # European GSM 06.10 is a provisional standard for full-rate speech # transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse # excitation/long term prediction) coding at 13 kbit/s. # # There's only a magic nibble (4 bits); that nibble repeats every 33 # bytes. This isn't suited for use, but maybe we can use it someday. # # This will cause very short GSM files to be declared as data and # mismatches to be declared as data too! #0 byte&0xF0 0xd0 data #>33 byte&0xF0 0xd0 #>66 byte&0xF0 0xd0 #>99 byte&0xF0 0xd0 #>132 byte&0xF0 0xd0 GSM 06.10 compressed audio # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, >>13 byte 1 LZO1X-1, >>13 byte 2 LZO1X-1(15), >>13 byte 3 LZO1X-999, ## >>22 bedate >0 last modified: %s, >>14 byte =0x00 os: MS-DOS >>14 byte =0x01 os: Amiga >>14 byte =0x02 os: VMS >>14 byte =0x03 os: Unix >>14 byte =0x05 os: Atari >>14 byte =0x06 os: OS/2 >>14 byte =0x07 os: MacOS >>14 byte =0x0A os: Tops/20 >>14 byte =0x0B os: WinNT >>14 byte =0x0E os: Win32 >9 beshort >0x0939 >>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x10 - version 1. >>9 byte&0xf0 =0x20 - version 2. >>9 beshort&0x0fff x \b%03x, >>15 byte 1 LZO1X-1, >>15 byte 2 LZO1X-1(15), >>15 byte 3 LZO1X-999, ## >>25 bedate >0 last modified: %s, >>17 byte =0x00 os: MS-DOS >>17 byte =0x01 os: Amiga >>17 byte =0x02 os: VMS >>17 byte =0x03 os: Unix >>17 byte =0x05 os: Atari >>17 byte =0x06 os: OS/2 >>17 byte =0x07 os: MacOS >>17 byte =0x0A os: Tops/20 >>17 byte =0x0B os: WinNT >>17 byte =0x0E os: Win32 # 4.3BSD-Quasijarus Strong Compression # https://minnie.tuhs.org/Quasijarus/compress.html 0 string \037\241 Quasijarus strong compressed data # From: Cory Dikkers 0 string XPKF Amiga xpkf.library compressed data 0 string PP11 Power Packer 1.1 compressed data 0 string PP20 Power Packer 2.0 compressed data, >4 belong 0x09090909 fast compression >4 belong 0x090A0A0A mediocre compression >4 belong 0x090A0B0B good compression >4 belong 0x090A0C0C very good compression >4 belong 0x090A0C0D best compression # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # https://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7-zip archive data, >6 byte x version %d >7 byte x \b.%d !:mime application/x-7z-compressed !:ext 7z/cb7 # Type: LZMA 0 lelong&0xffffff =0x5d >12 leshort 0xff LZMA compressed data, !:mime application/x-lzma >>5 lequad =0xffffffffffffffff streamed >>5 lequad !0xffffffffffffffff non-streamed, size %lld >12 leshort 0 LZMA compressed data, >>5 lequad =0xffffffffffffffff streamed >>5 lequad !0xffffffffffffffff non-streamed, size %lld # http://tukaani.org/xz/xz-file-format.txt 0 ustring \xFD7zXZ\x00 XZ compressed data, checksum !:strength * 2 !:mime application/x-xz >7 byte&0xf 0x0 NONE >7 byte&0xf 0x1 CRC32 >7 byte&0xf 0x4 CRC64 >7 byte&0xf 0xa SHA-256 # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data >4 byte x - version %d >5 byte x \b.%d >22 byte 1 \b, encrypted !:mime application/x-lrzip # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 # Added by osm0sis@xda-developers.com 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) !:mime application/x-lz4 0 lelong 0x184c2102 LZ4 compressed data (v0.1-v0.9) !:mime application/x-lz4 # Zstandard/LZ4 skippable frames # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong&0xFFFFFFF0 0x184D2A50 >(4.l+8) indirect x # Zstandard Dictionary ID subroutine 0 name zstd-dictionary-id # Single Segment = True >0 byte &0x20 \b, Dictionary ID: >>0 byte&0x03 0 None >>0 byte&0x03 1 >>>1 byte x %u >>0 byte&0x03 2 >>>1 leshort x %u >>0 byte&0x03 3 >>>1 lelong x %u # Single Segment = False >0 byte ^0x20 \b, Dictionary ID: >>0 byte&0x03 0 None >>0 byte&0x03 1 >>>2 byte x %u >>0 byte&0x03 2 >>>2 leshort x %u >>0 byte&0x03 3 >>>2 lelong x %u # Zstandard compressed data # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) !:mime application/zstd 0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) !:mime application/zstd 0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) !:mime application/zstd 0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) !:mime application/zstd 0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) !:mime application/zstd 0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) !:mime application/zstd >4 use zstd-dictionary-id 0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) !:mime application/zstd >4 use zstd-dictionary-id # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong 0xEC30A437 Zstandard dictionary !:mime application/x-std-dictionary >4 lelong x (ID %u) # AFX compressed files (Wolfram Kleff) 2 string -afx- AFX compressed file data # Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) 0 string ArC\x01 FreeArc archive # Type: DACT compressed files 0 long 0x444354C3 DACT compressed data >4 byte >-1 (version %i. >5 byte >-1 %i. >6 byte >-1 %i) >7 long >0 , original size: %i bytes >15 long >30 , block size: %i bytes # Valve Pack (VPK) files 0 lelong 0x55aa1234 Valve Pak file >0x4 lelong x \b, version %u >0x8 lelong x \b, %u entries # Snappy framing format # https://code.google.com/p/snappy/source/browse/trunk/framing_format.txt 0 string \377\006\0\0sNaPpY snappy framed data !:mime application/x-snappy-framed # qpress, https://www.quicklz.com/ 0 string qpress10 qpress compressed data !:mime application/x-qpress # Zlib https://www.ietf.org/rfc/rfc6713.txt 0 string/b x >0 beshort%31 =0 >>0 byte&0xf =8 >>>0 byte&0x80 =0 zlib compressed data !:mime application/zlib # BWC compression 0 string BWC >3 byte 0 BWC compressed data # UCL compression 0 bequad 0x00e955434cff011a UCL compressed data # Softlib archive 0 string SLIB Softlib archive >4 leshort x \b, version %d >6 leshort x (contains %d files) # URL: https://github.com/lzfse/lzfse/blob/master/src/lzfse_internal.h#L276 # From: Eric Hall 0 string bvx- lzfse encoded, no compression 0 string bvx1 lzfse compressed, uncompressed tables 0 string bvx2 lzfse compressed, compressed tables 0 string bvxn lzfse encoded, lzvn compressed # pcxLib.exe compression program # http://www.shikadi.net/moddingwiki/PCX_Library 0 string/b pcxLib >0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed #------------------------------------------------------------------------------ # $File: console,v 1.68 2022/05/14 20:04:43 christos Exp $ # Console game magic # Toby Deshane # ines: file(1) magic for Marat's iNES Nintendo Entertainment System ROM dump format # Updated by David Korth # References: # - https://wiki.nesdev.com/w/index.php/INES # - https://wiki.nesdev.com/w/index.php/NES_2.0 # Common header for iNES, NES 2.0, and Wii U iNES. 0 name nes-rom-image-ines >7 byte&0x0C =0x8 (NES 2.0) >4 byte x \b: %ux16k PRG >5 byte x \b, %ux8k CHR >6 byte&0x08 =0x8 [4-Scr] >6 byte&0x09 =0x0 [H-mirror] >6 byte&0x09 =0x1 [V-mirror] >6 byte&0x02 =0x2 [SRAM] >6 byte&0x04 =0x4 [Trainer] >7 byte&0x03 =0x2 [PC10] >7 byte&0x03 =0x1 [VS] >>7 byte&0x0C =0x8 # NES 2.0: VS PPU >>>13 byte&0x0F =0x0 \b, RP2C03B >>>13 byte&0x0F =0x1 \b, RP2C03G >>>13 byte&0x0F =0x2 \b, RP2C04-0001 >>>13 byte&0x0F =0x3 \b, RP2C04-0002 >>>13 byte&0x0F =0x4 \b, RP2C04-0003 >>>13 byte&0x0F =0x5 \b, RP2C04-0004 >>>13 byte&0x0F =0x6 \b, RP2C03B >>>13 byte&0x0F =0x7 \b, RP2C03C >>>13 byte&0x0F =0x8 \b, RP2C05-01 >>>13 byte&0x0F =0x9 \b, RP2C05-02 >>>13 byte&0x0F =0xA \b, RP2C05-03 >>>13 byte&0x0F =0xB \b, RP2C05-04 >>>13 byte&0x0F =0xC \b, RP2C05-05 # TODO: VS protection hardware? >>7 byte x \b] # NES 2.0-specific flags. >7 byte&0x0C =0x8 >>12 byte&0x03 =0x0 [NTSC] >>12 byte&0x03 =0x1 [PAL] >>12 byte&0x02 =0x2 [NTSC+PAL] # Standard iNES ROM header. 0 string NES\x1A NES ROM image (iNES) !:mime application/x-nes-rom >0 use nes-rom-image-ines # Wii U Virtual Console iNES ROM header. 0 belong 0x4E455300 NES ROM image (Wii U Virtual Console) !:mime application/x-nes-rom >0 use nes-rom-image-ines #------------------------------------------------------------------------------ # unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images # Reference: https://wiki.nesdev.com/w/index.php/UNIF # From: David Korth # # NOTE: The UNIF format uses chunks instead of a fixed header, # so most of the data isn't easily parseable. # 0 string UNIF >4 lelong <16 NES ROM image (UNIF v%d format) !:mime application/x-nes-rom #------------------------------------------------------------------------------ # fds: file(1) magic for Famciom Disk System disk images # Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # From: David Korth # TODO: Check "Disk info block" and get info from that in addition to the optional header. # Disk info block. (block 1) 0 name nintendo-fds-disk-info-block >23 byte !1 FMC- >23 byte 1 FSC- >16 string x \b%.3s >15 ubyte x \b, mfr %02X >20 ubyte x (Rev.%02u) # Headered version. 0 string FDS\x1A >0x11 string *NINTENDO-HVC* Famicom Disk System disk image: !:mime application/x-fds-disk >>0x10 use nintendo-fds-disk-info-block >4 byte 1 (%u side) >4 byte !1 (%u sides) # Unheadered version. 1 string *NINTENDO-HVC* Famicom Disk System disk image: !:mime application/x-fds-disk >0 use nintendo-fds-disk-info-block #------------------------------------------------------------------------------ # tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images # Used by Nintendo 3DS NES Virtual Console games. # From: David Korth # 0 string TNES NES ROM image (Nintendo 3DS Virtual Console) !:mime application/x-nes-rom >4 byte 100 \b: FDS, >>0x2010 use nintendo-fds-disk-info-block >4 byte !100 \b: TNES mapper %u >>5 byte x \b, %ux8k PRG >>6 byte x \b, %ux8k CHR >>7 byte&0x08 =1 [WRAM] >>8 byte&0x09 =1 [H-mirror] >>8 byte&0x09 =2 [V-mirror] >>8 byte&0x02 =3 [VRAM] #------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header # 0x104 bequad 0xCEED6666CC0D000B Game Boy ROM image # TODO: application/x-gameboy-color-rom for GBC. !:mime application/x-gameboy-rom >0x143 byte&0x80 0x80 >>0x134 string >\0 \b: "%.15s" >0x143 byte&0x80 !0x80 >>0x134 string >\0 \b: "%.16s" >0x14c byte x (Rev.%02u) # Machine type. (SGB, CGB, SGB+CGB) # Old licensee code 0x33 is required for SGB, but not CGB. >0x14b byte 0x33 >>0x146 byte 0x03 >>>0x143 byte&0x80 0x80 [SGB+CGB] >>>0x143 byte&0x80 !0x80 [SGB] >>0x146 byte !0x03 >>>0x143 byte&0xC0 0x80 [CGB] >>>0x143 byte&0xC0 0xC0 [CGB ONLY] >0x14b byte !0x33 >>0x143 byte&0xC0 0x80 [CGB] >>0x143 byte&0xC0 0xC0 [CGB ONLY] # Mapper. >0x147 byte 0x00 [ROM ONLY] >0x147 byte 0x01 [MBC1] >0x147 byte 0x02 [MBC1+RAM] >0x147 byte 0x03 [MBC1+RAM+BATT] >0x147 byte 0x05 [MBC2] >0x147 byte 0x06 [MBC2+BATTERY] >0x147 byte 0x08 [ROM+RAM] >0x147 byte 0x09 [ROM+RAM+BATTERY] >0x147 byte 0x0B [MMM01] >0x147 byte 0x0C [MMM01+SRAM] >0x147 byte 0x0D [MMM01+SRAM+BATT] >0x147 byte 0x0F [MBC3+TIMER+BATT] >0x147 byte 0x10 [MBC3+TIMER+RAM+BATT] >0x147 byte 0x11 [MBC3] >0x147 byte 0x12 [MBC3+RAM] >0x147 byte 0x13 [MBC3+RAM+BATT] >0x147 byte 0x19 [MBC5] >0x147 byte 0x1A [MBC5+RAM] >0x147 byte 0x1B [MBC5+RAM+BATT] >0x147 byte 0x1C [MBC5+RUMBLE] >0x147 byte 0x1D [MBC5+RUMBLE+SRAM] >0x147 byte 0x1E [MBC5+RUMBLE+SRAM+BATT] >0x147 byte 0xFC [Pocket Camera] >0x147 byte 0xFD [Bandai TAMA5] >0x147 byte 0xFE [Hudson HuC-3] >0x147 byte 0xFF [Hudson HuC-1] # ROM size. >0x148 byte 0 \b, ROM: 256Kbit >0x148 byte 1 \b, ROM: 512Kbit >0x148 byte 2 \b, ROM: 1Mbit >0x148 byte 3 \b, ROM: 2Mbit >0x148 byte 4 \b, ROM: 4Mbit >0x148 byte 5 \b, ROM: 8Mbit >0x148 byte 6 \b, ROM: 16Mbit >0x148 byte 7 \b, ROM: 32Mbit >0x148 byte 0x52 \b, ROM: 9Mbit >0x148 byte 0x53 \b, ROM: 10Mbit >0x148 byte 0x54 \b, ROM: 12Mbit # RAM size. >0x149 byte 1 \b, RAM: 16Kbit >0x149 byte 2 \b, RAM: 64Kbit >0x149 byte 3 \b, RAM: 256Kbit >0x149 byte 4 \b, RAM: 1Mbit >0x149 byte 5 \b, RAM: 512Kbit #------------------------------------------------------------------------------ # genesis: file(1) magic for various Sega Mega Drive / Genesis ROM image and disc formats # Updated by David Korth # References: # - https://www.retrodev.com/segacd.html # - http://devster.monkeeh.com/sega/32xguide1.txt # # Common Sega Mega Drive header format. # FIXME: Name fields are 48 bytes, but have spaces for padding instead of 00s. 0 name sega-mega-drive-header # ROM title. (Use domestic if present; if not, use international.) >0x120 byte >0x20 >>0x120 string >\0 \b: "%.16s" >0x120 byte <0x21 >>0x150 string >\0 \b: "%.16s" # Other information. >0x180 string >\0 (%.14s >>0x110 string >\0 \b, %.16s >0x180 byte 0 >>0x110 string >\0 (%.16s >0 byte x \b) # TODO: Check for 32X CD? # Sega Mega CD disc images: 2048-byte sectors. 0 string SEGADISCSYSTEM\ \ Sega Mega CD disc image !:mime application/x-sega-cd-rom >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors 0 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image !:mime application/x-sega-cd-rom >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors # Sega Mega CD disc images: 2352-byte sectors. 0x10 string SEGADISCSYSTEM\ \ Sega Mega CD disc image !:mime application/x-sega-cd-rom >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors 0x10 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image !:mime application/x-sega-cd-rom >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors # Sega Mega Drive: Identify the system ID. 0x100 string SEGA >0x3C0 string MARS\ CHECK\ MODE Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header >0x104 string \ PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header >0x104 string TOYS\ PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header >0x104 string \ TOYS\ PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header >0x104 string \ IAC Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header >0x104 string \ TERA68K Sega Teradrive (68K) ROM image !:mime application/x-sega-teradrive-rom >>0 use sega-mega-drive-header >0x104 string \ TERA286 Sega Teradrive (286) ROM image !:mime application/x-sega-teradrive-rom >>0 use sega-mega-drive-header >0x180 string BR Sega Mega CD Boot ROM image !:mime application/x-genesis-rom >>0 use sega-mega-drive-header >0x104 default x Sega Mega Drive / Genesis ROM image !:mime application/x-genesis-rom >>0 use sega-mega-drive-header # Sega Mega Drive: Some ROMs have "SEGA" at 0x101, not 0x100. 0x100 string \ SEGA Sega Mega Drive / Genesis ROM image >0 use sega-mega-drive-header # Sega Pico ROMs that don't start with "SEGA". 0x100 string SAMSUNG\ PICO Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header 0x100 string IMA\ IKUNOUJYUKU Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header 0x100 string IMA IKUNOJYUKU Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header # Sega Picture Magic (modified 32X) 0x100 string Picture\ Magic >0x3C0 string PICTURE MAGIC-01 Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header #------------------------------------------------------------------------------ # genesis: file(1) magic for the Super MegaDrive ROM dump format # # NOTE: Due to interleaving, we can't display anything # other than the copier header information. 0 name sega-genesis-smd-header >0 byte x %dx16k blocks >2 byte 0 \b, last in series or standalone >2 byte >0 \b, split ROM # "Sega Genesis" header. 0x280 string EAGN >8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format): !:mime application/x-genesis-rom >>0 use sega-genesis-smd-header # "Sega Mega Drive" header. 0x280 string EAMG >8 beshort 0xAABB Sega Mega Drive / Genesis ROM image (SMD format): !:mime application/x-genesis-rom >>0 use sega-genesis-smd-header #------------------------------------------------------------------------------ # smsgg: file(1) magic for Sega Master System and Game Gear ROM images # Detects all Game Gear and export Sega Master System ROM images, # and some Japanese Sega Master System ROM images. # From: David Korth # Reference: https://www.smspower.org/Development/ROMHeader # # General SMS header rule. # The SMS boot ROM checks the header at three locations. 0 name sega-master-system-rom-header # Machine type. >0x0F byte&0xF0 0x30 Sega Master System !:mime application/x-sms-rom >0x0F byte&0xF0 0x40 Sega Master System !:mime application/x-sms-rom >0x0F byte&0xF0 0x50 Sega Game Gear !:mime application/x-gamegear-rom >0x0F byte&0xF0 0x60 Sega Game Gear !:mime application/x-gamegear-rom >0x0F byte&0xF0 0x70 Sega Game Gear !:mime application/x-gamegear-rom >0x0F default x Sega Master System / Game Gear !:mime application/x-sms-rom >0 byte x ROM image: # Product code. >0x0E byte&0xF0 0x10 1 >0x0E byte&0xF0 0x20 2 >0x0E byte&0xF0 0x30 3 >0x0E byte&0xF0 0x40 4 >0x0E byte&0xF0 0x50 5 >0x0E byte&0xF0 0x60 6 >0x0E byte&0xF0 0x70 7 >0x0E byte&0xF0 0x80 8 >0x0E byte&0xF0 0x90 9 >0x0E byte&0xF0 0xA0 10 >0x0E byte&0xF0 0xB0 11 >0x0E byte&0xF0 0xC0 12 >0x0E byte&0xF0 0xD0 13 >0x0E byte&0xF0 0xE0 14 >0x0E byte&0xF0 0xF0 15 # If the product code is 5 digits, we'll need to backspace here. >0x0E byte&0xF0 !0 >>0x0C leshort x \b%04x >0x0E byte&0xF0 0 >>0x0C leshort x %04x # Revision. >0x0E byte&0x0F x (Rev.%02d) # ROM size. (Used for the boot ROM checksum routine.) >0x0F byte&0x0F 0x0A (8 KB) >0x0F byte&0x0F 0x0B (16 KB) >0x0F byte&0x0F 0x0C (32 KB) >0x0F byte&0x0F 0x0D (48 KB) >0x0F byte&0x0F 0x0E (64 KB) >0x0F byte&0x0F 0x0F (128 KB) >0x0F byte&0x0F 0x00 (256 KB) >0x0F byte&0x0F 0x01 (512 KB) >0x0F byte&0x0F 0x02 (1 MB) # SMS/GG header locations. 0x7FF0 string TMR\ SEGA >0x7FF0 use sega-master-system-rom-header 0x3FF0 string TMR\ SEGA >0x3FF0 use sega-master-system-rom-header 0x1FF0 string TMR\ SEGA >0x1FF0 use sega-master-system-rom-header #------------------------------------------------------------------------------ # saturn: file(1) magic for the Sega Saturn disc image format. # From: David Korth # # Common Sega Saturn disc header format. # NOTE: Title is 112 bytes, but we're only showing 32 due to space padding. # TODO: Release date, device information, region code, others? 0 name sega-saturn-disc-header >0x60 string >\0 \b: "%.32s" >0x20 string >\0 (%.10s >>0x2A string >\0 \b, %.6s) >>0x2A byte 0 \b) # 2048-byte sector version. 0 string SEGA\ SEGASATURN\ Sega Saturn disc image !:mime application/x-saturn-rom >0 use sega-saturn-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. 0x10 string SEGA\ SEGASATURN\ Sega Saturn disc image !:mime application/x-saturn-rom >0x10 use sega-saturn-disc-header >0 byte x (2352-byte sectors) #------------------------------------------------------------------------------ # dreamcast: file(1) magic for the Sega Dreamcast disc image format. # From: David Korth # Reference: https://mc.pp.se/dc/ip0000.bin.html # # Common Sega Dreamcast disc header format. # NOTE: Title is 128 bytes, but we're only showing 32 due to space padding. # TODO: Release date, device information, region code, others? 0 name sega-dreamcast-disc-header >0x80 string >\0 \b: "%.32s" >0x40 string >\0 (%.10s >>0x4A string >\0 \b, %.6s) >>0x4A byte 0 \b) # 2048-byte sector version. 0 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image !:mime application/x-dc-rom >0 use sega-dreamcast-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. 0x10 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image !:mime application/x-dc-rom >0x10 use sega-dreamcast-disc-header >0 byte x (2352-byte sectors) #------------------------------------------------------------------------------ # dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format # 0 belong 0x21068028 Sega Dreamcast VMU game image 0 string LCDi Dream Animator file #------------------------------------------------------------------------------ # z64: file(1) magic for the Z64 format N64 ROM dumps # Reference: http://forum.pj64-emu.com/showthread.php?t=2239 # From: David Korth # 0 bequad 0x803712400000000F Nintendo 64 ROM image !:mime application/x-n64-rom >0x20 string >\0 \b: "%.20s" >0x3B string x (%.4s >0x3F byte x \b, Rev.%02u) #------------------------------------------------------------------------------ # v64: file(1) magic for the V64 format N64 ROM dumps # Same as z64 format, but with 16-bit byteswapping. # 0 bequad 0x3780401200000F00 Nintendo 64 ROM image (V64) !:mime application/x-n64-rom #------------------------------------------------------------------------------ # n64-swap2: file(1) magic for the swap2 format N64 ROM dumps # Same as z64 format, but with swapped 16-bit words. # 0 bequad 0x12408037000F0000 Nintendo 64 ROM image (wordswapped) !:mime application/x-n64-rom #------------------------------------------------------------------------------ # n64-le32: file(1) magic for the 32-bit byteswapped format N64 ROM dumps # Same as z64 format, but with 32-bit byteswapping. # 0 bequad 0x401237800F000000 Nintendo 64 ROM image (32-bit byteswapped) !:mime application/x-n64-rom #------------------------------------------------------------------------------ # gba: file(1) magic for the Nintendo Game Boy Advance raw ROM format # Reference: https://problemkaputt.de/gbatek.htm#gbacartridgeheader # # Original version from: "Nelson A. de Oliveira" # Updated version from: David Korth # 4 bequad 0x24FFAE51699AA221 Game Boy Advance ROM image !:mime application/x-gba-rom >0xA0 string >\0 \b: "%.12s" >0xAC string x (%.6s >0xBC byte x \b, Rev.%02u) #------------------------------------------------------------------------------ # nds: file(1) magic for the Nintendo DS(i) raw ROM format # Reference: https://problemkaputt.de/gbatek.htm#dscartridgeheader # # Original version from: "Nelson A. de Oliveira" # Updated version from: David Korth # 0xC0 bequad 0x24FFAE51699AA221 Nintendo DS ROM image !:mime application/x-nintendo-ds-rom >0x00 string >\0 \b: "%.12s" >0x0C string x (%.6s >0x1E byte x \b, Rev.%02u) >0x12 byte 2 (DSi enhanced) >0x12 byte 3 (DSi only) # Secure Area check. >0x20 lelong <0x4000 (homebrew) >0x20 lelong >0x3FFF >>0x4000 lequad 0x0000000000000000 (multiboot) >>0x4000 lequad !0x0000000000000000 >>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted) >>>0x4000 lequad !0xE7FFDEFFE7FFDEFF >>>>0x1000 lequad 0x0000000000000000 (encrypted) >>>>0x1000 lequad !0x0000000000000000 (mask ROM) #------------------------------------------------------------------------------ # nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot. # This is also used for loading .nds files using the MSET exploit on 3DS. # Reference: https://github.com/devkitPro/ndstool/blob/master/source/ndscreate.cpp 0xC0 bequad 0xC8604FE201708FE2 Nintendo DS Slot-2 ROM image (PassMe) !:mime application/x-nintendo-ds-rom #------------------------------------------------------------------------------ # ngp: file(1) magic for the Neo Geo Pocket (Color) raw ROM format. # From: David Korth # References: # - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp # - https://www.devrs.com/ngp/files/ngpctech.txt # 0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket !:mime application/x-neo-geo-pocket-rom >0x23 byte 0x10 Color >0 byte x ROM image >0x24 string >\0 \b: "%.12s" >0x21 uleshort x \b, NEOP%04X >0x1F ubyte 0xFF (debug mode enabled) #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi #0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : 0 string PS-X\ EXE Sony Playstation executable >16 lelong x PC=%#08x, >20 lelong !0 GP=%#08x, >24 lelong !0 .text=[%#08x, >>28 lelong x \b%#x], >32 lelong !0 .data=[%#08x, >>36 lelong x \b%#x], >40 lelong !0 .bss=[%#08x, >>44 lelong x \b%#x], >48 lelong !0 Stack=%#08x, >48 lelong =0 No Stack!, >52 lelong !0 StackSize=%#x, #>76 string >\0 (%s) # Area: >113 string x (%s) # CPE executables 0 string CPE CPE executable >3 byte x (version %d) #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytia ) 0 string XBEH Microsoft Xbox executable !:mime audio/x-xbox-executable !:ext xbe # expect base address of 0x10000 >0x0104 ulelong =0x10000 >>(0x0118.l-0x0FFF4) lestring16 x \b: "%.40s" >>(0x0118.l-0x0FFF5) byte x (%c >>(0x0118.l-0x0FFF6) byte x \b%c- >>(0x0118.l-0x0FFF8) uleshort x \b%03u) >>(0x0118.l-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions >>(0x0118.l-0x0FF60) ulelong&0x80000007 !0x80000007 >>>(0x0118.l-0x0FF60) ulelong >0 (regions: >>>>(0x0118.l-0x0FF60) ulelong &0x00000001 NA >>>>(0x0118.l-0x0FF60) ulelong &0x00000002 Japan >>>>(0x0118.l-0x0FF60) ulelong &0x00000004 Rest_of_World >>>>(0x0118.l-0x0FF60) ulelong &0x80000000 Manufacturer >>>(0x0118.l-0x0FF60) ulelong >0 \b) # probabilistic checks whether signed or not >0x0004 ulelong =0x0 >>&2 ulelong =0x0 >>>&2 ulelong =0x0 \b, not signed >0x0004 ulelong >0 >>&2 ulelong >0 >>>&2 ulelong >0 \b, signed # -------------------------------- # Microsoft Xbox data file formats 0 string XIP0 XIP, Microsoft Xbox data 0 string XTF0 XTF, Microsoft Xbox data #------------------------------------------------------------------------------ # Microsoft Xbox 360 executables (.xex) # From: David Korth # References: # - https://free60project.github.io/wiki/XEX.html # - https://github.com/xenia-project/xenia/blob/HEAD/src/xenia/kernel/util/xex2_info.h # Title ID (part of Execution ID section) 0 name xbox-360-xex-execution-id >(0.L+0xC) byte x (%c >(0.L+0xD) byte x \b%c >(0.L+0xE) beshort x \b-%04u, media ID: >(0.L) belong x %08X) # Region code (part of Security Info) 0 name xbox-360-xex-region-code >0 ubelong 0xFFFFFFFF \b, all regions >0 ubelong !0xFFFFFFFF >>0 ubelong >0 (regions: >>0 ubelong&0x000000FF 0x000000FF USA >>0 ubelong&0x00000100 0x00000100 Japan >>0 ubelong&0x00000200 0x00000200 China >>0 ubelong&0x0000FC00 0x0000FC00 Asia >>0 ubelong&0x00FF0000 0x00FF0000 PAL >>0 ubelong&0x00FF0000 0x00FE0000 PAL [except AU/NZ] >>0 ubelong&0x00FF0000 0x00010000 AU/NZ >>0 ubelong&0xFF000000 0xFF000000 Other >>0 ubelong >0 \b) 0 string XEX2 Microsoft Xbox 360 executable !:mime audio/x-xbox360-executable !:ext xex >0x18 search/0x100 \x00\x04\x00\x06 >>&0 use xbox-360-xex-execution-id >(0x010.L+0x178) use xbox-360-xex-region-code 0 string XEX1 Microsoft Xbox 360 executable (XEX1) !:mime audio/x-xbox360-executable !:ext xex >0x18 search/0x100 \x00\x04\x00\x06 >>&0 use xbox-360-xex-execution-id >(0x010.L+0x154) use xbox-360-xex-region-code #------------------------------------------------------------------------------ # Microsoft Xbox 360 packages # From: David Korth # References: # - https://free60project.github.io/wiki/STFS.html # - https://github.com/xenia-project/xenia/blob/HEAD/src/xenia/kernel/util/xex2_info.h # TODO: More information for console-signed packages. 0 name xbox-360-package >0x360 byte x (%c >0x361 byte x \b%c >0x362 beshort x \b-%04u, media ID: >0x354 belong x %08X) >0x344 belong x \b, content type: >>0x344 belong 0x1 Saved Game >>0x344 belong 0x2 Marketplace Content >>0x344 belong 0x3 Publisher >>0x344 belong 0x1000 Xbox 360 Title >>0x344 belong 0x2000 IPTV Pause Buffer >>0x344 belong 0x4000 Installed Game >>0x344 belong 0x5000 Original Xbox Game >>0x344 belong 0x9000 Avatar Item >>0x344 belong 0x10000 Profile >>0x344 belong 0x20000 Gamer Picture >>0x344 belong 0x30000 Theme >>0x344 belong 0x40000 Cache File >>0x344 belong 0x50000 Storage Download >>0x344 belong 0x60000 Xbox Saved Game >>0x344 belong 0x70000 Xbox Download >>0x344 belong 0x80000 Game Demo >>0x344 belong 0x90000 Video >>0x344 belong 0xA0000 Game >>0x344 belong 0xB0000 Installer >>0x344 belong 0xC0000 Game Trailer >>0x344 belong 0xD0000 Arcade Title >>0x344 belong 0xE0000 XNA >>0x344 belong 0xF0000 License Store >>0x344 belong 0x100000 Movie >>0x344 belong 0x200000 TV >>0x344 belong 0x300000 Music Video >>0x344 belong 0x400000 Game Video >>0x344 belong 0x500000 Podcast Video >>0x344 belong 0x600000 Viral Video >>0x344 belong 0x2000000 Community Game 0 string CON\x20 Microsoft Xbox 360 package (console-signed) >0 use xbox-360-package 0 string PIRS >0 belong 0 Microsoft Xbox 360 package (non-Xbox Live) >>0 use xbox-360-package 0 string LIVE >0x104 belong 0 Microsoft Xbox 360 package (Xbox Live) >>0 use xbox-360-package # Atari Lynx cartridge dump (EXE/BLL header) # From: "Stefan A. Haubenthal" # Reference: # https://raw.githubusercontent.com/cc65/cc65/master/libsrc/lynx/exehdr.s # Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. 0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge !:mime application/x-atari-lynx-rom >>2 beshort x \b, RAM start $%04x 0 string LYNX Lynx cartridge !:mime application/x-atari-lynx-rom >4 leshort/4 >0 \b, bank 0 %dk >6 leshort/4 >0 \b, bank 1 %dk >10 string >\0 \b, "%.32s" >42 string >\0 \b, "%.16s" # Opera file system that is used on the 3DO console # From: Serge van den Boom 0 string \x01ZZZZZ\x01 3DO "Opera" file system # From: Alex Myczko # From: David Pflug # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic # ftp://ftp.modland.com/pub/documents/format_documentation/\ # Gameboy%20Sound%20System%20(.gbs).txt 0 string GBS Nintendo Gameboy Music/Audio Data #12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module >16 string >\0 ("%.32s" by >48 string >\0 %.32s, copyright >80 string >\0 %.32s), >3 byte x version %u, >4 byte x %u tracks # IPS Patch Files from: From: Thomas Klausner # see https://zerosoft.zophar.net/ips.php 0 string PATCH IPS patch file !:ext ips # BPS Patch Files - from: David Korth # Reference: https://www.romhacking.net/documents/746/ 0 string BPS1 BPS patch file !:ext bps # APS Patch Files - from: David Korth # Reference: https://github.com/btimofeev/UniPatcher/wiki/APS-(N64) 0 string APS10 APS patch file !:ext aps >5 byte 0 \b, simple patch >5 byte 1 \b, N64-specific patch for >>58 byte x N%c >>59 byte x \b%c >>60 byte x \b%c >7 byte !0x20 # FIXME: /T specifier isn't working with a fixed-length string. >>7 string x \b: "%.50s" # UPS Patch Files - from: David Korth # Reference: http://fileformats.archiveteam.org/wiki/UPS_(binary_patch_format) 0 string UPS1 UPS patch file !:ext ups # Playstations Patch Files from: From: Thomas Klausner 0 string PPF30 Playstation Patch File version 3.0 >5 byte 0 \b, PPF 1.0 patch >5 byte 1 \b, PPF 2.0 patch >5 byte 2 \b, PPF 3.0 patch >>56 byte 0 \b, Imagetype BIN (any) >>56 byte 1 \b, Imagetype GI (PrimoDVD) >>57 byte 0 \b, Blockcheck disabled >>57 byte 1 \b, Blockcheck enabled >>58 byte 0 \b, Undo data not available >>58 byte 1 \b, Undo data available >6 string x \b, description: %s 0 string PPF20 Playstation Patch File version 2.0 >5 byte 0 \b, PPF 1.0 patch >5 byte 1 \b, PPF 2.0 patch >>56 lelong >0 \b, size of file to patch %d >6 string x \b, description: %s 0 string PPF10 Playstation Patch File version 1.0 >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s # From: Daniel Dawson # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording >0x4 lelong x \b, version %d # version 4 is latest so far >0x4 lelong <5 >>0x8 ledate x \b, recorded at %s >>0xc lelong >0 \b, rerecorded %d times >>0x10 lelong x \b, %d frames long >>0x14 byte >0 \b, data for controller(s): >>>0x14 byte &0x1 #1 >>>0x14 byte &0x2 #2 >>>0x14 byte &0x4 #3 >>>0x14 byte &0x8 #4 >>>0x14 byte &0x10 #5 >>0x15 byte ^0x1 \b, begins from snapshot >>0x15 byte &0x1 \b, begins from reset >>0x15 byte ^0x2 \b, NTSC standard >>0x15 byte &0x2 \b, PAL standard >>0x17 byte &0x1 \b, settings: # WIP1Timing not used as of version 4 >>>0x4 lelong <4 >>>>0x17 byte &0x2 WIP1Timing >>>0x17 byte &0x4 Left+Right >>>0x17 byte &0x8 VolumeEnvX >>>0x17 byte &0x10 FakeMute >>>0x17 byte &0x20 SyncSound # New flag as of version 4 >>>0x4 lelong >3 >>>>0x17 byte &0x80 NoCPUShutdown >>0x4 lelong <4 >>>0x18 lelong >0x23 >>>>0x20 leshort !0 >>>>>0x20 lestring16 x \b, metadata: "%s" >>0x4 lelong >3 >>>0x24 byte >0 \b, port 1: >>>>0x24 byte 1 joypad >>>>0x24 byte 2 mouse >>>>0x24 byte 3 SuperScope >>>>0x24 byte 4 Justifier >>>>0x24 byte 5 multitap >>>0x24 byte >0 \b, port 2: >>>>0x25 byte 1 joypad >>>>0x25 byte 2 mouse >>>>0x25 byte 3 SuperScope >>>>0x25 byte 4 Justifier >>>>0x25 byte 5 multitap >>>0x18 lelong >0x43 >>>>0x40 leshort !0 >>>>>0x40 lestring16 x \b, metadata: "%s" >>0x17 byte &0x40 \b, ROM: >>>(0x18.l-26) lelong x CRC32 %#08x >>>(0x18.l-23) string x "%s" # Type: scummVM savegame files # From: Sven Hartge 0 string SCVM ScummVM savegame >12 string >\0 "%s" #------------------------------------------------------------------------------ # Nintendo GameCube / Wii file formats. # # Type: Nintendo GameCube/Wii common disc header data. # From: David Korth # Reference: https://wiibrew.org/wiki/Wii_Disc 0 name nintendo-gcn-disc-common >0x20 string x "%.64s" >0x00 string x (%.6s >0x06 byte >0 >>0x06 byte 1 \b, Disc 2 >>0x06 byte 2 \b, Disc 3 >>0x06 byte 3 \b, Disc 4 >0x07 byte x \b, Rev.%02u) >0x18 belong 0x5D1C9EA3 >>0x60 beshort 0x0101 \b (Unencrypted) >0x200 string NKIT \b (NKit compressed) # Type: Nintendo GameCube disc image # From: David Korth # Reference: https://wiibrew.org/wiki/Wii_Disc 0x1C belong 0xC2339F3D Nintendo GameCube disc image: !:mime application/x-gamecube-rom >0 use nintendo-gcn-disc-common # Type: Nintendo GameCube embedded disc image # Commonly found on demo discs. # From: David Korth # Reference: http://hitmen.c02.at/files/yagcd/yagcd/index.html#idx14.8 0 belong 0xAE0F38A2 >0x0C belong 0x00100000 >>(8.L+0x1C) belong 0xC2339F3D Nintendo GameCube embedded disc image: !:mime application/x-gamecube-rom >>>(8.L) use nintendo-gcn-disc-common # Type: Nintendo Wii disc image # From: David Korth # Reference: https://wiibrew.org/wiki/Wii_Disc 0x18 belong 0x5D1C9EA3 Nintendo Wii disc image: >0 use nintendo-gcn-disc-common # Type: Nintendo Wii disc image (WBFS format) # From: David Korth # Reference: https://wiibrew.org/wiki/Wii_Disc 0 string WBFS >0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format): !:mime application/x-wii-rom >>0x200 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (CISO format) # NOTE: This is NOT the same as Compact ISO or PSP CISO, # though it has the same magic number. 0 string CISO # Other fields are used to determine what type of CISO this is: # - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) # - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) # - None of the above: Compact ISO. >4 lelong 0x200000 >>8 byte 1 >>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): !:mime application/x-wii-rom >>>>0x8000 use nintendo-gcn-disc-common >>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): !:mime application/x-wii-rom >>>>0x8000 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (GCZ format) # Due to zlib compression, we can't get the actual disc information. 0 lelong 0xB10BC001 >4 lelong 0 Nintendo GameCube disc image (GCZ format) !:mime application/x-gamecube-rom >4 lelong 1 Nintendo Wii disc image (GCZ format) !:mime application/x-wii-rom >4 default x Nintendo GameCube/Wii disc image (GCZ format) # Type: Nintendo GameCube/Wii disc image (WDF format) 0 string WII\001DISC >8 belong 1 # WDFv1 >>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format): !:mime application/x-gamecube-rom >>>0x38 use nintendo-gcn-disc-common >>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format): !:mime application/x-wii-rom >>>0x38 use nintendo-gcn-disc-common >8 belong 2 # WDFv2 >>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format): !:mime application/x-gamecube-rom >>>(12.L) use nintendo-gcn-disc-common >>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format): !:mime application/x-wii-rom >>>(12.L) use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (WIA format) 0 string WIA\001 Nintendo >0x48 belong 1 GameCube !:mime application/x-gamecube-rom >0x48 belong 2 Wii !:mime application/x-wii-rom >0x48 default x GameCube/Wii >0x48 belong x disc image (WIA format): >>0x58 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (with SDK header) # From: David Korth # Reference: https://wiibrew.org/wiki/Wii_Disc 0 belong 0xFFFF0000 >0x18 belong 0x00000000 >>0x1C belong 0x00000000 >>>0x8018 belong 0x5D1C9EA3 Nintendo Wii SDK disc image: !:mime application/x-wii-rom >>>>0x8000 use nintendo-gcn-disc-common >>>0x801C belong 0xC2339F3D Nintendo GameCube SDK disc image: !:mime application/x-gamecube-rom >>>>0x8000 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (RVZ format) 0 string RVZ\001 Nintendo >0x48 belong 1 GameCube !:mime application/x-gamecube-rom >0x48 belong 2 Wii !:mime application/x-wii-rom >0x48 default x GameCube/Wii >0x48 belong x disc image (RVZ format): >>0x58 use nintendo-gcn-disc-common #------------------------------------------------------------------------------ # Nintendo 3DS file formats. # # Type: Nintendo 3DS "NCSD" image. (game cards and eMMC) # From: David Korth # Reference: https://www.3dbrew.org/wiki/NCSD 0x100 string NCSD >0x118 lequad 0 Nintendo 3DS Game Card image # NCCH header for partition 0. (game data) >>0x1150 string >\0 \b: "%.16s" >>0x312 byte x (Rev.%02u) >>0x118C byte 2 (New3DS only) >>0x18D byte 0 (inner device) >>0x18D byte 1 (Card1) >>0x18D byte 2 (Card2) >>0x18D byte 3 (extended device) >0x118 bequad 0x0102020202000000 Nintendo 3DS eMMC dump (Old3DS) >0x118 bequad 0x0102020203000000 Nintendo 3DS eMMC dump (New3DS) # Nintendo 3DS version code. # Reference: https://www.3dbrew.org/wiki/Titles # Format: leshort containing three fields: # - 6-bit: Major # - 6-bit: Minor # - 4-bit: Revision # NOTE: Only supporting major/minor versions from 0-15 right now. # NOTE: Should be prefixed with "v". 0 name nintendo-3ds-version-code # Raw version. >0 leshort x \b%u, # Major version. >0 leshort&0xFC00 0x0000 0 >0 leshort&0xFC00 0x0400 1 >0 leshort&0xFC00 0x0800 2 >0 leshort&0xFC00 0x0C00 3 >0 leshort&0xFC00 0x1000 4 >0 leshort&0xFC00 0x1400 5 >0 leshort&0xFC00 0x1800 6 >0 leshort&0xFC00 0x1C00 7 >0 leshort&0xFC00 0x2000 8 >0 leshort&0xFC00 0x2400 9 >0 leshort&0xFC00 0x2800 10 >0 leshort&0xFC00 0x2C00 11 >0 leshort&0xFC00 0x3000 12 >0 leshort&0xFC00 0x3400 13 >0 leshort&0xFC00 0x3800 14 >0 leshort&0xFC00 0x3C00 15 # Minor version. >0 leshort&0x03F0 0x0000 \b.0 >0 leshort&0x03F0 0x0010 \b.1 >0 leshort&0x03F0 0x0020 \b.2 >0 leshort&0x03F0 0x0030 \b.3 >0 leshort&0x03F0 0x0040 \b.4 >0 leshort&0x03F0 0x0050 \b.5 >0 leshort&0x03F0 0x0060 \b.6 >0 leshort&0x03F0 0x0070 \b.7 >0 leshort&0x03F0 0x0080 \b.8 >0 leshort&0x03F0 0x0090 \b.9 >0 leshort&0x03F0 0x00A0 \b.10 >0 leshort&0x03F0 0x00B0 \b.11 >0 leshort&0x03F0 0x00C0 \b.12 >0 leshort&0x03F0 0x00D0 \b.13 >0 leshort&0x03F0 0x00E0 \b.14 >0 leshort&0x03F0 0x00F0 \b.15 # Revision. >0 leshort&0x000F x \b.%u # Type: Nintendo 3DS "NCCH" container. # https://www.3dbrew.org/wiki/NCCH 0x100 string NCCH Nintendo 3DS >0x18D byte&2 0 File Archive (CFA) >0x18D byte&2 2 Executable Image (CXI) >0x150 string >\0 \b: "%.16s" >0x18D byte 0x05 >>0x10E leshort x (Old3DS System Update v >>0x10E use nintendo-3ds-version-code >>0x10E leshort x \b) >0x18D byte 0x15 >>0x10E leshort x (New3DS System Update v >>0x10E use nintendo-3ds-version-code >>0x10E leshort x \b) >0x18D byte !0x05 >>0x18D byte !0x15 >>>0x112 byte x (v >>>0x112 use nintendo-3ds-version-code >>>0x112 byte x \b) >0x18C byte 2 (New3DS only) # Type: Nintendo 3DS "SMDH" file. (application description) # From: David Korth # Reference: https://3dbrew.org/wiki/SMDH 0 string SMDH Nintendo 3DS SMDH file >0x208 leshort !0 >>0x208 lestring16 x \b: "%.128s" >>0x388 leshort !0 >>>0x388 lestring16 x by %.128s >0x208 leshort 0 >>0x008 leshort !0 >>>0x008 lestring16 x \b: "%.128s" >>>0x188 leshort !0 >>>>0x188 lestring16 x by %.128s # Type: Nintendo 3DS Homebrew Application. # From: David Korth # Reference: https://3dbrew.org/wiki/3DSX_Format 0 string 3DSX Nintendo 3DS Homebrew Application (3DSX) # Type: Nintendo 3DS Banner Model Data. # From: David Korth # Reference: https://3dbrew.org/wiki/CBMD 0 string CBMD\0\0\0\0 Nintendo 3DS Banner Model Data #------------------------------------------------------------------------------ # a7800: file(1) magic for the Atari 7800 raw ROM format. # From: David Korth # Reference: https://sites.google.com/site/atari7800wiki/a78-header 0 byte >0 >0 byte <3 >>1 string ATARI7800 Atari 7800 ROM image !:mime application/x-atari-7800-rom >>>0x11 string >\0 \b: "%.32s" # Display type. >>>0x39 byte 0 (NTSC) >>>0x39 byte 1 (PAL) >>>0x36 byte&1 1 (POKEY) #------------------------------------------------------------------------------ # vectrex: file(1) magic for the GCE Vectrex raw ROM format. # From: David Korth # Reference: http://www.playvectrex.com/designit/chrissalo/hello1.htm # # NOTE: Title is terminated with 0x80, not 0. # The header is terminated with a 0, so that will # terminate the title as well. # 0 string g\ GCE Vectrex ROM image >0x11 string >\0 \b: "%.16s" #------------------------------------------------------------------------------ # amiibo: file(1) magic for Nintendo amiibo NFC dumps. # From: David Korth # Reference: https://www.3dbrew.org/wiki/Amiibo 0x00 byte 0x04 >0x0A beshort 0x0FE0 >>0x0C belong 0xF110FFEE >>>0x208 beshort 0x0100 >>>>0x020A byte 0x0F >>>>>0x020C bequad 0x000000045F000000 >>>>>>0x5B byte 0x02 >>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X- >>>>>>>0x58 belong x \b%08X #------------------------------------------------------------------------------ # Type: Nintendo Switch XCI (Game Cartridge Image) # From: Benjamin Lowry # Reference: https://switchbrew.org/wiki/Gamecard_Format 0x100 string HEAD >0x10D byte 0xFA Nintendo Switch cartridge image (XCI), 1GB >0x10D byte 0xF8 Nintendo Switch cartridge image (XCI), 2GB >0x10D byte 0xF0 Nintendo Switch cartridge image (XCI), 4GB >0x10D byte 0xE0 Nintendo Switch cartridge image (XCI), 8GB >0x10D byte 0xE1 Nintendo Switch cartridge image (XCI), 16GB >0x10D byte 0xE2 Nintendo Switch cartridge image (XCI), 32GB #------------------------------------------------------------------------------ # Type: Nintendo Switch Executable # From: Benjamin Lowry # Reference: https://switchbrew.org/wiki/NSO 0x00 string NSO0 Nintendo Switch executable (NSO) #------------------------------------------------------------------------------ # Type: Nintendo Switch PFS0 # From: Benjamin Lowry # Reference: https://switchbrew.org/wiki/NCA_Format#PFS0 0x00 string PFS0 Nintendo Switch partition filesystem (PFS0) >0x04 ulelong x \b, %d files #------------------------------------------------------------------------------ # amiibo: file(1) magic for Nintendo Badge Arcade files. # From: David Korth # References: # - https://github.com/GerbilSoft/rom-properties/issues/92 # - https://github.com/CaitSith2/BadgeArcadeTool # - https://github.com/TheMachinumps/Advanced-badge-editor # PRBS: Individual badge and/or mega badge. 0 string PRBS >0x44 byte >0x20 Nintendo Badge Arcade >>0xB8 ulelong <2 >>>0xBC ulelong <2 badge: >>>0xBC ulelong >1 Mega Badge >>>>0xB8 ulelong x (%ux >>>>0xBC ulelong x \b%u): >>0xB8 ulelong >1 Mega Badge >>>0xB8 ulelong x (%ux >>>0xBC ulelong x \b%u): >0x44 string x "%s" >0x3C ulelong x \b, badge ID: %u >0x74 byte >0x20 >>0x74 string x \b, set: "%s" >0xA8 ulelong !0xFFFFFFFF >>0xA8 ulelong x \b, launch title ID: %08X >>0xA4 ulelong x \b-%08X # CABS: Badge set. 0 string CABS >0x2C byte >0x20 Nintendo Badge Arcade badge set: >>0x2C string x "%.48s" >>0x24 ulelong x \b, set ID: %u #------------------------------------------------------------------------------ # sufami: file(1) magic for Sufami Turbo ROM images. # From: David Korth # References: # - https://problemkaputt.de/fullsnes.htm#snescartsufamiturbominicartridgeadaptor 0 string BANDAI\ SFC-ADX >0x10 string !SFC-ADX\ BACKUP Sufami Turbo ROM image: >>0x10 string/T x "%.14s" >>0x30 byte x \b, ID %02X >>0x31 byte x \b%02X >>0x32 byte x \b%02X >>0x33 ubyte >0 \b, series index %u >>0x34 ubyte 0 [SlowROM] >>0x34 ubyte 1 [FastROM] >>0x35 ubyte 1 [SRAM] >>0x35 ubyte 3 [Special] #------------------------------------------------------------------------------ # $File: convex,v 1.8 2012/10/03 23:44:43 christos Exp $ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. # # /*\ # * Below are the magic numbers and tests added for Convex. # * Added at beginning, because they are expected to be used most. # \*/ 0 belong 0507 Convex old-style object >16 belong >0 not stripped 0 belong 0513 Convex old-style demand paged executable >16 belong >0 not stripped 0 belong 0515 Convex old-style pre-paged executable >16 belong >0 not stripped 0 belong 0517 Convex old-style pre-paged, non-swapped executable >16 belong >0 not stripped 0 belong 0x011257 Core file # # The following are a series of dump format magic numbers. Each one # corresponds to a drastically different dump format. The first on is # the original dump format on a 4.1 BSD or earlier file system. The # second marks the change between the 4.1 file system and the 4.2 file # system. The Third marks the changing of the block size from 1K # to 2K to be compatible with an IDC file system. The fourth indicates # a dump that is dependent on Convex Storage Manager, because data in # secondary storage is not physically contained within the dump. # The restore program uses these number to determine how the data is # to be extracted. # 24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) 24 belong =60014 dump format, Convex Storage Manager by-reference dump # # what follows is a bunch of bit-mask checks on the flags field of the opthdr. # If there is no `=' sign, assume just checking for whether the bit is set? # 0 belong 0601 Convex SOFF >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000001 demand paged >88 belong &0x00000002 pre-paged >88 belong &0x00000004 non-swapped >88 belong &0x00000008 POSIX # >84 belong &0x80000000 executable >84 belong &0x40000000 object >84 belong&0x20000000 =0 not stripped >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode # 0 belong 0605 Convex SOFF core # 0 belong 0607 Convex SOFF checkpoint >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000008 POSIX # >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode #------------------------------------------------------------------------------ # $File: coverage,v 1.3 2021/02/23 00:51:10 christos Exp $ # xoverage: file(1) magic for test coverage data # File formats used to store test coverage data # 2016-05-21, Georg Sauthoff # - GCC gcno - written by GCC at compile time when compiling with # gcc -ftest-coverage # - GCC gcda - written by a program that was compiled with # gcc -fprofile-arcs # - LLVM raw profiles - generated by a program compiled with # clang -fprofile-instr-generate -fcoverage-mapping ... # - LLVM indexed profiles - generated by # llvm-profdata # - GCOV reports, i.e. the annotated source code # - LCOV trace files, i.e. aggregated GCC profiles # # GCC coverage tracefiles # .gcno file are created during compile time, # while data collected during runtime is stored in .gcda files # cf. gcov-io.h # https://gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc/Gcov-Data-Files.html # Examples: # Fedora 23/x86-64/gcc-5.3.1: 6f 6e 63 67 52 33 30 35 # Debian 8 PPC64/gcc-4.9.2 : 67 63 6e 6f 34 30 39 2a 0 lelong 0x67636e6f GCC gcno coverage (-ftest-coverage), >&3 byte x version %c. >&1 byte x \b%c # big endian 0 belong 0x67636e6f GCC gcno coverage (-ftest-coverage), >&0 byte x version %c. >&2 byte x \b%c (big-endian) # Examples: # Fedora 23/x86-64/gcc-5.3.1: 61 64 63 67 52 33 30 35 # Debian 8 PPC64/gcc-4.9.2 : 67 63 64 61 34 30 39 2a 0 lelong 0x67636461 GCC gcda coverage (-fprofile-arcs), >&3 byte x version %c. >&1 byte x \b%c # big endian 0 belong 0x67636461 GCC gcda coverage (-fprofile-arcs), >&0 byte x version %c. >&2 byte x \b%c (big-endian) # LCOV tracefiles # cf. http://ltp.sourceforge.net/coverage/lcov/geninfo.1.php 0 string TN: >&0 search/64 \nSF:/ LCOV coverage tracefile # Coverage reports generated by gcov # i.e. source code annotated with coverage information 0 string \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source: >&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph: >>&0 search/128 \x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data: GCOV coverage report # LLVM coverage files # raw data after running a program compiled with: # `clang -fprofile-instr-generate -fcoverage-mapping ...` # default name: default.profraw # magic is: \xFF lprofr \x81 # cf. https://llvm.org/docs/doxygen/html/InstrProfData_8inc_source.html 0 lequad 0xff6c70726f667281 LLVM raw profile data, >&0 byte x version %d # big endian 0 bequad 0xff6c70726f667281 LLVM raw profile data, >&7 byte x version %d (big-endian) # LLVM indexed instruction profile (as generated by llvm-profdata) # magic is: reverse(\xFF lprofi \x81) # cf. https://llvm.org/docs/CoverageMappingFormat.html # https://llvm.org/docs/doxygen/html/namespacellvm_1_1IndexedInstrProf.html # https://llvm.org/docs/CommandGuide/llvm-cov.html # https://llvm.org/docs/CommandGuide/llvm-profdata.html 0 lequad 0x8169666f72706cff LLVM indexed profile data, >&0 byte x version %d # big endian 0 bequad 0x8169666f72706cff LLVM indexed profile data, >&7 byte x version %d (big-endian) #------------------------------------------------------------------------------ # $File: cracklib,v 1.7 2009/09/19 16:28:08 christos Exp $ # cracklib: file (1) magic for cracklib v2.7 0 lelong 0x70775631 Cracklib password index, little endian >4 long >0 (%i words) >4 long 0 ("64-bit") >>8 long >-1 (%i words) 0 belong 0x70775631 Cracklib password index, big endian >4 belong >-1 (%i words) # really bellong 0x0000000070775631 0 search/1 \0\0\0\0pwV1 Cracklib password index, big endian ("64-bit") >12 belong >0 (%i words) #------------------------------------------------------------------------------ # $File: crypto,v 1.2 2021/03/27 20:15:53 christos Exp $ # crypto: file(1) magic for crypto formats # # ---------------------------------------------------------------------------- # $File: ctags,v 1.6 2009/09/19 16:28:08 christos Exp $ # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai 0 search/1 =!_TAG Exuberant Ctags tag file text #-------------------------------------------------------------- # ctf: file(1) magic for CTF (Common Trace Format) trace files # # Specs. available here: #-------------------------------------------------------------- # CTF trace data 0 lelong 0xc1fc1fc1 Common Trace Format (CTF) trace data (LE) 0 belong 0xc1fc1fc1 Common Trace Format (CTF) trace data (BE) # CTF metadata (packetized) 0 lelong 0x75d11d57 Common Trace Format (CTF) packetized metadata (LE) >35 byte x \b, v%d >36 byte x \b.%d 0 belong 0x75d11d57 Common Trace Format (CTF) packetized metadata (BE) >35 byte x \b, v%d >36 byte x \b.%d # CTF metadata (plain text) 0 string /*\x20CTF\x20 Common Trace Format (CTF) plain text metadata !:strength + 5 # this is to make sure we beat C >&0 regex [0-9]+\\.[0-9]+ \b, v%s #------------------------------------------------------------------------------ # $File: cubemap,v 1.1 2012/06/06 13:03:20 christos Exp $ # file(1) magic(5) data for cubemaps Martin Erik Werner # 0 string ACMP Map file for the AssaultCube FPS game 0 string CUBE Map file for cube and cube2 engine games 0 string MAPZ) Map file for the Blood Frontier/Red Eclipse FPS games #------------------------------------------------------------------------------ # $File: cups,v 1.6 2019/04/19 00:42:27 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli # https://www.cups.org/documentation.php/spec-raster.html # 0 name cups-le >280 lelong x \b, %d >284 lelong x \bx%d dpi >376 lelong x \b, %dx >380 lelong x \b%d pixels >388 lelong x %d bits/color >392 lelong x %d bits/pixel >400 lelong 0 ColorOrder=Chunky >400 lelong 1 ColorOrder=Banded >400 lelong 2 ColorOrder=Planar >404 lelong 0 ColorSpace=gray >404 lelong 1 ColorSpace=RGB >404 lelong 2 ColorSpace=RGBA >404 lelong 3 ColorSpace=black >404 lelong 4 ColorSpace=CMY >404 lelong 5 ColorSpace=YMC >404 lelong 6 ColorSpace=CMYK >404 lelong 7 ColorSpace=YMCK >404 lelong 8 ColorSpace=KCMY >404 lelong 9 ColorSpace=KCMYcm >404 lelong 10 ColorSpace=GMCK >404 lelong 11 ColorSpace=GMCS >404 lelong 12 ColorSpace=WHITE >404 lelong 13 ColorSpace=GOLD >404 lelong 14 ColorSpace=SILVER >404 lelong 15 ColorSpace=CIE XYZ >404 lelong 16 ColorSpace=CIE Lab >404 lelong 17 ColorSpace=RGBW >404 lelong 18 ColorSpace=sGray >404 lelong 19 ColorSpace=sRGB >404 lelong 20 ColorSpace=AdobeRGB # Cups Raster image format, Big Endian 0 string RaS >3 string t Cups Raster version 1, Big Endian >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian !:mime application/vnd.cups-raster >0 use \^cups-le # Cups Raster image format, Little Endian 1 string SaR >0 string t Cups Raster version 1, Little Endian >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian !:mime application/vnd.cups-raster >0 use cups-le #------------------------------------------------------------------------------ # $File: dact,v 1.4 2009/09/19 16:28:08 christos Exp $ # dact: file(1) magic for DACT compressed files # 0 long 0x444354C3 DACT compressed data >4 byte >-1 (version %i. >5 byte >-1 $BS%i. >6 byte >-1 $BS%i) >7 long >0 $BS, original size: %i bytes >15 long >30 $BS, block size: %i bytes #------------------------------------------------------------------------------ # $File: database,v 1.67 2022/07/12 18:57:42 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # 0 belong 0x13579acd GNU dbm 1.x or ndbm database, big endian, 32-bit !:mime application/x-gdbm 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian, old !:mime application/x-gdbm 0 belong 0x13579acf GNU dbm 1.x or ndbm database, big endian, 64-bit !:mime application/x-gdbm 0 lelong 0x13579acd GNU dbm 1.x or ndbm database, little endian, 32-bit !:mime application/x-gdbm 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian, old !:mime application/x-gdbm 0 lelong 0x13579acf GNU dbm 1.x or ndbm database, little endian, 64-bit !:mime application/x-gdbm 0 string GDBM GNU dbm 2.x database !:mime application/x-gdbm # # Berkeley DB # # Ian Darwin's file /etc/magic files: big/little-endian version. # # Hash 1.85/1.86 databases store metadata in network byte order. # Btree 1.85/1.86 databases store the metadata in host byte order. # Hash and Btree 2.X and later databases store the metadata in host byte order. 0 long 0x00061561 Berkeley DB !:mime application/x-dbm >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, little-endian) 0 belong 0x00061561 Berkeley DB >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, big-endian) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) 0 long 0x00053162 Berkeley DB 1.85/1.86 >4 long >0 (Btree, version %d, native byte-order) 0 belong 0x00053162 Berkeley DB 1.85/1.86 >4 belong >0 (Btree, version %d, big-endian) 0 lelong 0x00053162 Berkeley DB 1.85/1.86 >4 lelong >0 (Btree, version %d, little-endian) 12 long 0x00061561 Berkeley DB >16 long >0 (Hash, version %d, native byte-order) 12 belong 0x00061561 Berkeley DB >16 belong >0 (Hash, version %d, big-endian) 12 lelong 0x00061561 Berkeley DB >16 lelong >0 (Hash, version %d, little-endian) 12 long 0x00053162 Berkeley DB >16 long >0 (Btree, version %d, native byte-order) 12 belong 0x00053162 Berkeley DB >16 belong >0 (Btree, version %d, big-endian) 12 lelong 0x00053162 Berkeley DB >16 lelong >0 (Btree, version %d, little-endian) 12 long 0x00042253 Berkeley DB >16 long >0 (Queue, version %d, native byte-order) 12 belong 0x00042253 Berkeley DB >16 belong >0 (Queue, version %d, big-endian) 12 lelong 0x00042253 Berkeley DB >16 lelong >0 (Queue, version %d, little-endian) # From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) 12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian) # # # Round Robin Database Tool by Tobias Oetiker 0 string/b RRD\0 RRDTool DB >4 string/b x version %s >>10 short !0 16bit aligned >>>10 bedouble 8.642135e+130 big-endian >>>>18 short x 32bit long (m68k) >>10 short 0 >>>12 long !0 32bit aligned >>>>12 bedouble 8.642135e+130 big-endian >>>>>20 long 0 64bit long >>>>>20 long !0 32bit long >>>>12 ledouble 8.642135e+130 little-endian >>>>>24 long 0 64bit long >>>>>24 long !0 32bit long (i386) >>>>12 string \x43\x2b\x1f\x5b\x2f\x25\xc0\xc7 middle-endian >>>>>24 short !0 32bit long (arm) >>8 quad 0 64bit aligned >>>16 bedouble 8.642135e+130 big-endian >>>>24 long 0 64bit long (s390x) >>>>24 long !0 32bit long (hppa/mips/ppc/s390/SPARC) >>>16 ledouble 8.642135e+130 little-endian >>>>28 long 0 64bit long (alpha/amd64/ia64) >>>>28 long !0 32bit long (armel/mipsel) #---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # 0 string root\0 ROOT file >4 belong x Version %d >33 belong x (Compression: %d) # XXX: Weak magic. # Alex Ott ## Paradox file formats #2 leshort 0x0800 Paradox #>0x39 byte 3 v. 3.0 #>0x39 byte 4 v. 3.5 #>0x39 byte 9 v. 4.x #>0x39 byte 10 v. 5.x #>0x39 byte 11 v. 5.x #>0x39 byte 12 v. 7.x #>>0x04 byte 0 indexed .DB data file #>>0x04 byte 1 primary index .PX file #>>0x04 byte 2 non-indexed .DB data file #>>0x04 byte 3 non-incrementing secondary index .Xnn file #>>0x04 byte 4 secondary index .Ynn file #>>0x04 byte 5 incrementing secondary index .Xnn file #>>0x04 byte 6 non-incrementing secondary index .XGn file #>>0x04 byte 7 secondary index .YGn file #>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files # updated by Joerg Jenderek at Feb 2013 # https://www.dbase.com/Knowledgebase/INT/db7_file_fmt.htm # https://www.clicketyclick.dk/databases/xbase/format/dbf.html # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 0 ubelong&0x0000FFFF <0x00000C20 !:strength +10 # skip Infocom game Z-machine >2 ubyte >0 # skip Androids *.xml >>3 ubyte >0 >>>3 ubyte <32 # 1 < version VV >>>>0 ubyte >1 # skip HELP.CA3 by test for reserved byte ( NULL ) >>>>>27 ubyte 0 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) #>>>>>30 ubeshort x 30NULL?%x # possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) >>>>>>24 ubelong&0xffFFFFff >0x01302000 # .DBF or .MDX >>>>>>24 ubelong&0xffFFFFff <0x01302001 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user >>>>>>>24 ubelong&0xffFFFFff =0 # test for 2 reserved NULL bytes,transaction and encryption byte flag >>>>>>>>12 ubelong&0xFFFFfEfE 0 # test for MDX flag >>>>>>>>>28 ubyte x >>>>>>>>>28 ubyte&0xf8 0 # header size >= 32 >>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name >>>>>>>>>>>32 ubyte >0 #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type # database file >>>>>>>>>>>>28 ubyte&0x04 =0 \b DBF !:ext dbf >>>>>>>>>>>>28 ubyte&0x04 =4 \b DataBaseContainer !:ext dbc >>>>>>>>>>>>4 lelong 0 \b, no records >>>>>>>>>>>>4 lelong >0 \b, %d record # plural s appended >>>>>>>>>>>>>4 lelong >1 \bs # https://www.clicketyclick.dk/databases/xbase/format/dbf_check.html#CHECK_DBF # 1 <= record size <= 4000 (dBase 3,4) or 32 * KB (=0x8000) >>>>>>>>>>>>10 uleshort x * %d # file size = records * record size + header size >>>>>>>>>>>>1 ubyte x \b, update-date >>>>>>>>>>>>1 use xbase-date # https://msdn.microsoft.com/de-de/library/cc483186(v=vs.71).aspx #>>>>>>>>>>>>29 ubyte =0 \b, codepage ID=%#x # 2~cp850 , 3~cp1252 , 0x1b~?? ; what code page is 0x1b ? >>>>>>>>>>>>29 ubyte >0 \b, codepage ID=%#x #>>>>>>>>>>>>28 ubyte&0x01 0 \b, no index file # MDX or CDX index >>>>>>>>>>>>28 ubyte&0x01 1 \b, with index file .MDX >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT #>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size >>>>>>>>>>>>8 uleshort >0 >>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d >>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>>&-1 string >\0 1st record "%s" # for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) >>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte >>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) >>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 >>>>>>>>>>45 ubeshort <0x0C20 >>>>>>>>>>>45 ubyte >0 >>>>>>>>>>>>46 ubyte <32 >>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx >>>>>>>>>>>>>>0 use xbase-type >>>>>>>>>>>>>>0 ubyte x \b MDX >>>>>>>>>>>>>>1 ubyte x \b, creation-date >>>>>>>>>>>>>>1 use xbase-date >>>>>>>>>>>>>>44 ubyte x \b, update-date >>>>>>>>>>>>>>44 use xbase-date # No.of tags in use (1,2,5,12) >>>>>>>>>>>>>>28 uleshort x \b, %d # No. of entries in tag (0x30) >>>>>>>>>>>>>>25 ubyte x \b/%d tags # Length of tag >>>>>>>>>>>>>>26 ubyte x * %d # 1st tag name_ >>>>>>>>>>>>>548 string x \b, 1st tag "%.11s" # 2nd tag name #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # # Print the xBase names of different version variants 0 name xbase-type >0 ubyte <2 # 1 < version >0 ubyte >1 >>0 ubyte 0x02 FoxBase !:mime application/x-dbf # like: ACCESS.DBF USER.DBF dbase3date.dbf mitarbei.dbf produkte.dbf umlaut-test-v2.dbf # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III !:mime application/x-dbf # like: 92DATA.DBF MSCATLOG.DBF SYLLABI2.DBF SYLLABUS.DBF T4.DBF Teleadr.dbf us_city.dbf # dBASE IV no memo file >>0 ubyte 0x04 dBase IV !:mime application/x-dbf # like: Quattro-test11.dbf umlaut-test-v4.dbf # dBASE V no memo file >>0 ubyte 0x05 dBase V !:mime application/x-dbf # like: dbase4double.dbf Quattro-test2.dbf umlaut-test7.dbf !:ext dbf # probably Apollo Database Server 9.7? xBase (0x6) >>0 ubyte 0x06 Apollo !:mime application/x-dbf # like: ALIAS.DBF CRYPT.DBF PROCS.DBF USERS.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x2F FoxBase+/Dbase III plus, no memo !:mime application/x-dbf # no example >>0 ubyte 0x30 Visual FoxPro !:mime application/x-dbf # like: 26FRX.DBF 30DBC.DBF 30DBCPRO.DBF BEHINDSC.DBF USER_LEV.DBF # Microsoft Visual FoxPro Database Container File like: FOXPRO-DB-TEST.DBC TESTDATA.DBC TASTRADE.DBC >>0 ubyte 0x31 Visual FoxPro, autoincrement !:mime application/x-dbf # like: AI_Table.DBF dbase_31.dbf w_cityFoxpro.dbf # Visual FoxPro, with field type Varchar or Varbinary >>0 ubyte 0x32 Visual FoxPro, with field type Varchar !:mime application/x-dbf # like: dbase_32.dbf # dBASE IV SQL, no memo;dbv memo var size (Flagship) >>0 ubyte 0x43 dBase IV, with SQL table !:mime application/x-dbf # like: ASSEMBLY.DBF INVENTRY.DBF STAFF.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x62 dBase IV, with SQL table #!:mime application/x-dbf # no example # dBASE IV, with memo!! >>0 ubyte 0x7b dBase IV, with memo !:mime application/x-dbf # like: test3memo.DBF dbase5.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x82 dBase IV, with SQL system #!:mime application/x-dbf # no example # FoxBase+/dBaseIII+ with memo .DBT! >>0 ubyte 0x83 FoxBase+/dBase III, with memo .DBT !:mime application/x-dbf # like: T2.DBF t3.DBF biblio.dbf dbase_83.dbf dbase3dbt0_4.dbf fsadress.dbf stop.dbf # VISUAL OBJECTS (first 1.0 versions) for the Dbase III files (NTX clipper driver); memo file >>0 ubyte 0x87 VISUAL OBJECTS, with memo file !:mime application/x-dbf # like: ACCESS.DBF dbase3date.dbf dbase3float.dbf holdings.dbf mitarbei.dbf # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0x8A FoxBase+/dBase III, with memo .DBT #!:mime application/x-dbf # no example # dBASE IV with memo! >>0 ubyte 0x8B dBase IV, with memo .DBT !:mime application/x-dbf # like: animals.dbf archive.dbf callin.dbf dbase_8b.dbf phnebook.dbf t6.dbf # dBase IV with SQL Table,no memo? >>0 ubyte 0x8E dBase IV, with SQL table !:mime application/x-dbf # like: dbase5.DBF test3memo.DBF test-memo.DBF # .dbv and .dbt memo (Flagship)? >>0 ubyte 0xB3 Flagship !:mime application/x-dbf # no example # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0xCA dBase IV with memo .DBT #!:mime application/x-dbf # no example # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf # like: dbase5.DBF test3memo.DBF test-memo.DBF # HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf # like: dbase5.DBF test3memo.DBF test-memo.DBF testClipper.dbf DATA.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) >>0 ubyte 0xF4 dBase IV, with SQL table, with memo #!:mime application/x-dbf # no example >>0 ubyte 0xF5 FoxPro with memo !:mime application/x-dbf # like: CUSTOMER.DBF FOXUSER1.DBF Invoice.DBF NG.DBF OBJSAMP.DBF dbase_f5.dbf kunde.dbf # probably Apollo Database Server 9.7 with SQL and memo mask? xBase (0xF6) >>0 ubyte 0xF6 Apollo, with SQL table with memo !:mime application/x-dbf # like: SCRIPTS.DBF # https://docs.microsoft.com/en-us/previous-versions/visualstudio/foxpro/st4a0s68(v=vs.80) #>>0 ubyte 0xFA FoxPro 2.x, with memo #!:mime application/x-dbf # no example # unknown version (should not happen) >>0 default x xBase !:mime application/x-dbf >>>0 ubyte x (%#x) # flags in version byte # DBT flag (with dBASE III memo .DBT)!! # >>0 ubyte&0x80 >0 DBT_FLAG=%x # memo flag ?? # >>0 ubyte&0x08 >0 MEMO_FLAG=%x # SQL flag ?? # >>0 ubyte&0x70 >0 SQL_FLAG=%x # test and print the date of xBase .DBF .MDX 0 name xbase-date # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 >0 ubelong x >1 ubyte <13 >>1 ubyte >0 >>>2 ubyte >0 >>>>2 ubyte <32 >>>>>0 ubyte x # YY is interpreted as 20YY or 19YY >>>>>>0 ubyte <100 \b %.2d # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY >>>>>>0 ubyte >99 \b %d >>>>>1 ubyte x \b-%d >>>>>2 ubyte x \b-%d # dBase memo files .DBT or .FPT # https://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx 16 ubyte <4 >16 ubyte !2 >>16 ubyte !1 # next free block index is positive >>>0 ulelong >0 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size >>>>17 ubelong&0xFFfdFEff 0x00000000 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 # dBASE III DBT >>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF >>>>>>>20 uleshort 0 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage >>>>>>>>8 ulong =0 >>>>>>>>>6 ubeshort >0 # skip emacs.PIF >>>>>>>>>>4 ushort 0 # check for valid FoxPro field type >>>>>>>>>>>512 ubelong <3 # skip LXMDCLN4.OUT LXMDCLN6.OUT LXMDALG6.OUT with invalid blocksize 170=AAh >>>>>>>>>>>>6 ubeshort&0x002f 0 >>>>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage # skip WORD1XW.DOC with improbably high free block index >>>>>>>>>0 ulelong <0x400000 # skip WinStore.App.exe by looking for printable 2nd character of 1st memo item >>>>>>>>>>513 ubyte >037 # skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 # unusual dBASE III DBT like adressen.dbt >>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes >>>>>>>>>510 ubeshort 0 # skip bad symples with improbably high free block index above 2 GiB file limit >>>>>>>>>>0 ulelong <0x400000 # skip AI070GEP.EPS by printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 # skip some Microsoft Visual C, OMF library like: BZ2.LIB WATTCPWL.LIB ZLIB.LIB >>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character >>>>>>>>>>>>>513 ubyte >037 >>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero # skip also 3600h 3E00h size >>>>>>>>20 uleshort&0xE00f 0 >>>>>>>>>0 use dbase4-memo-print # Print the information of dBase III DBT memo file 0 name dbase3-memo-print >0 ubyte x dBase III DBT !:mime application/x-dbt !:ext dbt # instead 3 as version number 0 for unusual examples like biblio.dbt >16 ubyte !3 \b, version number %u # Number of next available block for appending data #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u # no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u # dBase III memo field terminated by \032\032 # like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" # For DEBUGGING #>512 ubelong x \b, 1ST item %#8.8x # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt # 8 character shorted main name of corresponding dBASE IV DBF file >8 ubelong >0x20000000 # skip unusual like for angest.dbt >>20 uleshort >0 >>>8 string >\0 \b of %-.8s.DBF # value 0 implies 512 as size #>4 ulelong =0 \b, blocks size %u # size of blocks not reliable like 0x2020204C in angest.dbt >4 ulelong !0 >>4 ulelong&0x0000003f 0 \b, blocks size %u # dBase IV DBT with positive block length (found 512 , 1024) >20 uleshort >0 \b, block length %u # next available block #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u >20 uleshort >0 >>(20.s) ubelong x >>>&-4 use dbase4-memofield-print # unusual dBase IV DBT without block length (implies 512 as length) >20 uleshort =0 >>512 ubelong x >>>&-4 use dbase4-memofield-print # Print the information of dBase IV memo field 0 name dbase4-memofield-print # free dBase IV memo field >0 ubelong !0xFFFF0800 >>0 lelong x \b, next free block %u >>4 lelong x \b, next used block %u # used dBase IV memo field >0 ubelong =0xFFFF0800 # length of memo field >>4 lelong x \b, field length %d >>>8 string >\0 \b, 1st used item "%s" # http://www.dbfree.org/webdocs/1-documentation/0018-developers_stuff_(advanced)/os_related_stuff/xbase_file_format.htm # Print the information of FoxPro FPT memo file 0 name foxpro-memo-print >0 belong x FoxPro FPT !:mime application/x-fpt !:ext fpt # Size of blocks for FoxPro ( 64,256 ); probably a multiple of two >6 ubeshort x \b, blocks size %u # next available block #>0 belong =0 \b, next free block index %u >0 belong !0 \b, next free block index %u # field type ( 0~picture, 1~memo, 2~object ) >512 ubelong <3 \b, field type %u # length of memo field >512 ubelong 1 >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s" # Summary: DBASE Compound Index file *.CDX and FoxPro index *.IDX # From: Joerg Jenderek # URL: https://www.clicketyclick.dk/databases/xbase/format/cdx.html # https://www.clicketyclick.dk/databases/xbase/format/idx.html # https://www.clicketyclick.dk/databases/xbase/format/idx_comp.html # Reference: https://mark0.net/download/triddefs_xml.7z/defs/s/sybase-ianywhere-cdx.trid.xml # https://mark0.net/download/triddefs_xml.7z/defs/c/cdx-vfp7.trid.xml # like: kunde.cdx 0 ulelong 0x1C00 >0 use xbase-index # like: SYLLABI2.CDX SYLLABUS.CDX 0 ulelong 0x0800 >0 use xbase-index # often in xBase index pointer to root node 400h 0 ulelong 0x0400 # skip most Maple help database *.hdb with version tag handled by ./maple >1028 string !version # skip Maple help database hsum.hdb checking for valid reserved area >>492 quad =0 # skip remaining Maple help database *.hdb by checking key length #>>>12 uleshort !0x000F KEY_LENGTHVALID >>>0 use xbase-index # display information about dBase/FoxPro index 0 name xbase-index >0 ulelong x xBase !:mime application/x-dbase-index >14 ubyte &0x40 compound index # DCX for FoxPro database index like: TESTDATA.DCX !:ext cdx/dcx >14 ubyte ^0x40 index # only 1 example like: TEST.IDX !:ext idx # pointer to root node like: 1C00h 800h often 400h >0 ulelong !0x400 \b, root pointer %#x # Pointer to free node list: often 0 but -1 if not present >4 ulelong !0 \b, free node pointer %#x # MAYBE number of pages in file (Foxbase, FoxPro 1.x) or # http://www.foxpert.com/foxpro/knowlbits/files/knowlbits_200708_1.HTM # Whenever Visual FoxPro updates the index file it increments this reserved field # Reserved for internal use like: 02000000h 03000000h 460c0000h 780f0000h 89000000h 9fdc0100h often 0 >8 ulelong !0 \b, reserved counter %#x # length of key like: mostly 000Ah 0028h (TEST.IDX) >12 uleshort !0x000A \b, key length %#x # index options like: 24h E0h E8h # 1~a unique index 8~index has FOR clause 32~compact index format 64~compound index header # 16~Bit vector (SoftC) 128~Structure index (FoxPro) >14 ubyte x \b, index options (%#x >14 ubyte &0x01 \b, unique >14 ubyte &0x08 \b, has FOR clause >14 ubyte &0x10 \b, bit vector (SoftC) >14 ubyte &0x20 \b, compact format #>14 ubyte &0x40 \b, compound header >14 ubyte &0x80 \b, structure >14 ubyte x \b) # WHAT EXACTLY IS THAT? index signature like: 0 (sybase-ianywhere-cdx.trid.xml) 1 (cdx-vfp7.trid.xml) >15 ubyte !0 \b, index signature %u # reserved area (0-bytes) til about 500, but not for uncompressed Index files *.idx >16 quad !0 \b, at 16 reserved %#llx >492 quad !0 \b, at 492 reserved %#llx # for IDX variant #>14 ubyte ^0x40 IDX # for CDX variant >14 ubyte &0x40 # Ascending or descending: 0~ascending 1~descending >>502 uleshort x \b, sort order %u # Total expression length (FoxPro 2) like: 0 1 >>504 uleshort !0 \b, expression length %u # FOR expression pool length like: 1 >>506 uleshort !1 \b, FOR expression pool length %#x # reserved for internal use like: 0 >>508 uleshort !0 \b, at 0x508 reserved %#x # Key expression pool length like: 1 >>510 uleshort !1 \b, key expression pool length %#x # 512 - 1023 Key & FOR expression pool (uncompiled) >>512 quad !0 \b, key expression pool %#llx #>>520 quad !0 \b, key expression pool %#llx # Summary: dBASE IV Printer Form *.PRF # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/.dbf#Other_file_types_found_in_dBASE # Reference: https://mark0.net/download/triddefs_xml.7z/defs/p/prf-dbase.trid.xml 0 ubeshort 0x0400 # skip some Xbase Index files *.ndx and Infocom (Z-machine 4) *.z4 handled by ./adventure # by looking for valid printer driver name extension >0x58 search/8 .PR2 >>0 use xbase-prf # display information of dbase print form like printer driver *.PR2 0 name xbase-prf dBase Printer Form !:mime application/x-dbase-prf !:ext prf # MAYBE version? like: 4~DBASE IV #>0 ubyte x \b, version %u # MAYBE flag like: 1~with output file name 0~not #>2 ubyte !0 \b, flag %u # optional printer text output file name like E:\DBASE\IV\T6.txt >3 string >\0 \b, output file %s # probably padding with nils til 0x53 #>0x48 uquad !0 \b, at 0x48 padding %#llx # dBASE IV printer driver name like: Generic.PR2 ASCII.PR2 >0x56 string >\0 \b, using printer driver %s # 2 is probably last character of previous dBASE printer driver name #>0x60 ubyte !0x32 \b, at 0x60 %#x # probably padding with nils til 0xa8 #>0x61 uquad !0 \b, at 0x61 padding %#llx # unknown 0x03020300 0x03020100 at 0xa8 >0xa8 ubelong x \b, at 0xa8 unknown %#8.8x # probably padding with nils til 0x2aa #>0x2a0 uquad !0 \b, at 0x2a0 padding %#llx # unknown 0x100ff7f01000001 at 0x2AB >0x2ab ubequad !0x100ff7f01000001 \b, at 0x2ab unknown %#llx # unknown 0x0042 at 0x2b3 >0x2b3 ubeshort !0x0042 \b, at 0x2b3 unknown %#4.4x # unknown last 4 bytes at 0x2b6 like: 0 0x23 >0x2b6 ubelong !0 \b, at 0x2b6 unknown %#8.8x # TODO: # DBASE index file *.NDX # dBASE compiled Format *.FMO # FoxPro Database memo file *.DCT # FoxPro Forms Memo *.SCT # FoxPro Generated Menu Program *.MPR # FoxPro Report *.FRX # FoxPro Report Memo *.FRT # Foxpro Generated Screen Program *.SPR # Foxpro memo *.PJT ## End of XBase database stuff # MS Access database 4 string Standard\ Jet\ DB Microsoft Access Database !:mime application/x-msaccess 4 string Standard\ ACE\ DB Microsoft Access Database !:mime application/x-msaccess # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine # Reference: https://github.com/libyal/libesedb/archive/master.zip # libesedb-master/documentation/ # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc # Note: also known as "JET Blue". Used by numerous Windows components such as # Windows Search, Mail, Exchange and Active Directory. 4 ubelong 0xefcdab89 # unknown1 >132 ubelong 0 Extensible storage engine !:mime application/x-ms-ese # file_type 0~database 1~stream >>12 ulelong 0 DataBase # Security DataBase (sdb) !:ext edb/sdb >>12 ulelong 1 STreaMing !:ext stm # format_version 620h >>8 uleshort x \b, version %#x >>10 uleshort >0 revision %#4.4x >>0 ubelong x \b, checksum %#8.8x # Page size 4096 8192 32768 >>236 ulequad x \b, page size %lld # database_state >>52 ulelong 1 \b, JustCreated >>52 ulelong 2 \b, DirtyShutdown #>>52 ulelong 3 \b, CleanShutdown >>52 ulelong 4 \b, BeingConverted >>52 ulelong 5 \b, ForceDetach # Windows NT major version when the databases indexes were updated. >>216 ulelong x \b, Windows version %d # Windows NT minor version >>220 ulelong x \b.%d # From: Joerg Jenderek # URL: https://forensicswiki.org/wiki/Windows_Application_Compatibility # Note: files contain application compatibility fixes, application compatibility modes and application help messages. 8 string sdbf >7 ubyte 0 # TAG_TYPE_LIST+TAG_INDEXES >>12 uleshort 0x7802 Windows application compatibility Shim DataBase # version? 2 3 #>>>0 ulelong x \b, version %d !:mime application/x-ms-sdb !:ext sdb # TDB database from Samba et al - Martin Pool 0 string TDB\ file TDB database >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes # SE Linux policy database 0 lelong 0xf97cff8c SE Linux policy >16 lelong x v%d >20 lelong 1 MLS >24 lelong x %d symbols >28 lelong x %d ocons # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data # X11 Xauthority file (Wolfram Kleff) 10 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 11 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 12 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 13 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 14 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 15 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data 18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data # From: Maxime Henrion # PostgreSQL's custom dump format, Maxime Henrion 0 string PGDMP PostgreSQL custom database dump >5 byte x - v%d >6 byte x \b.%d >5 beshort <0x101 \b-0 >5 beshort >0x100 >>7 byte x \b-%d # Type: Advanced Data Format (ADF) database # URL: https://www.grc.nasa.gov/WWW/cgns/adf/ # From: Nicolas Chauvat 0 string @(#)ADF\ Database CGNS Advanced Data Format # Tokyo Cabinet magic data # http://tokyocabinet.sourceforge.net/index.html 0 string ToKyO\ CaBiNeT\n Tokyo Cabinet >14 string x \b (%s) >32 byte 0 \b, Hash !:mime application/x-tokyocabinet-hash >32 byte 1 \b, B+ tree !:mime application/x-tokyocabinet-btree >32 byte 2 \b, Fixed-length !:mime application/x-tokyocabinet-fixed >32 byte 3 \b, Table !:mime application/x-tokyocabinet-table >33 byte &1 \b, [open] >33 byte &2 \b, [fatal] >34 byte x \b, apow=%d >35 byte x \b, fpow=%d >36 byte &0x01 \b, [large] >36 byte &0x02 \b, [deflate] >36 byte &0x04 \b, [bzip] >36 byte &0x08 \b, [tcbs] >36 byte &0x10 \b, [excodec] >40 lequad x \b, bnum=%lld >48 lequad x \b, rnum=%lld >56 lequad x \b, fsiz=%lld # Type: QDBM Quick Database Manager # From: Benoit Sibaud 0 string \\[depot\\]\n\f Quick Database Manager, little endian 0 string \\[DEPOT\\]\n\f Quick Database Manager, big endian # Type: TokyoCabinet database # URL: http://tokyocabinet.sourceforge.net/ # From: Benoit Sibaud 0 string ToKyO\ CaBiNeT\n TokyoCabinet database >14 string x (version %s) # From: Stephane Blondon https://www.yaal.fr # Database file for Zope (done by FileStorage) 0 string FS21 Zope Object Database File Storage v3 (data) 0 string FS30 Zope Object Database File Storage v4 (data) # Cache file for the database of Zope (done by ClientStorage) 0 string ZEC3 Zope Object Database Client Cache File (data) # IDA (Interactive Disassembler) database 0 string IDA1 IDA (Interactive Disassembler) database # Hopper (reverse engineering tool) https://www.hopperapp.com/ 0 string hopperdb Hopper database # URL: https://en.wikipedia.org/wiki/Panorama_(database_engine) # Reference: http://www.provue.com/Panorama/ # From: Joerg Jenderek # NOTE: test only versions 4 and 6.0 with Windows # length of Panorama database name 5 ubyte >0 # look after database name for "some" null bits >(5.B+7) ubelong&0xF3ffF000 0 # look for first keyword >>&1 search/2 DESIGN Panorama database #!:mime application/x-panorama-database !:apple KASXZEPD !:ext pan # database name >>>5 pstring x \b, "%s" # # # askSam Database by Stefan A. Haubenthal 0 string askw40\0 askSam DB # # # MUIbase Database Tool by Stefan A. Haubenthal 0 string MBSTV\040 MUIbase DB >6 string x version %s # # CDB database 0 string NBCDB\012 NetBSD Constant Database >7 byte x \b, version %d >8 string x \b, for '%s' >24 lelong x \b, datasize %d >28 lelong x \b, entries %d >32 lelong x \b, index %d >36 lelong x \b, seed %#x # # Redis RDB - https://redis.io/topics/persistence 0 string REDIS Redis RDB file, >5 regex [0-9][0-9][0-9][0-9] version %s # Mork database. # Used by older versions of Mozilla Suite and Firefox, # and current versions of Thunderbird. # From: David Korth 0 string //\ SubRip !:mime application/x-subrip !:ext srt # WebVTT subtitles # https://www.w3.org/TR/webvtt1/ 0 string/t WEBVTT >&0 regex/255 =[0-9]{2}:[0-9]{2}\\.[0-9]{3}\040--> WebVTT subtitles !:mime text/vtt !:ext vtt # XML TTML subtitles # https://www.w3.org/TR/ttml2/ 0 string/t \20 search/400 \020xmlns= >>&0 regex ['"]http://www.w3.org/ns/ttml TTML subtitles !:mime application/ttml+xml # Augment strength to beat plain XML !:strength * 3 !:ext ttml #------------------------------------------------------------------------------ # $File: sun,v 1.28 2019/04/19 00:42:27 christos Exp $ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x # releases. (5.x uses ELF.) Entries for executables without an # architecture type, used before the 68020-based Sun-3's came out, # are in aout, as they're indistinguishable from other big-endian # 32-bit a.out files. # 0 belong&077777777 0600413 a.out SunOS SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0600410 a.out SunOS SPARC pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0600407 a.out SunOS SPARC >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0400413 a.out SunOS mc68020 demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0400410 a.out SunOS mc68020 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0400407 a.out SunOS mc68020 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0200413 a.out SunOS mc68010 demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0200410 a.out SunOS mc68010 pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped 0 belong&077777777 0200407 a.out SunOS mc68010 >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped # # Core files. "SPARC 4.x BCP" means "core file from a SunOS 4.x SPARC # binary executed in compatibility mode under SunOS 5.x". # 0 belong 0x080456 SunOS core file >4 belong 432 (SPARC) >>132 string >\0 from '%s' >>116 belong =3 (quit) >>116 belong =4 (illegal instruction) >>116 belong =5 (trace trap) >>116 belong =6 (abort) >>116 belong =7 (emulator trap) >>116 belong =8 (arithmetic exception) >>116 belong =9 (kill) >>116 belong =10 (bus error) >>116 belong =11 (segmentation violation) >>116 belong =12 (bad argument to system call) >>116 belong =29 (resource lost) >>120 belong x (T=%dK, >>124 belong x D=%dK, >>128 belong x S=%dK) >4 belong 826 (68K) >>128 string >\0 from '%s' >4 belong 456 (SPARC 4.x BCP) >>152 string >\0 from '%s' # Sun SunPC 0 long 0xfa33c08e SunPC 4.0 Hard Disk 0 string #SUNPC_CONFIG SunPC 4.0 Properties Values # Sun snoop (see RFC 1761, which describes the capture file format, # RFC 3827, which describes some additional datalink types, and # https://www.iana.org/assignments/snoop-datalink-types/snoop-datalink-types.xml, # which is the IANA registry of Snoop datalink types) # 0 string snoop Snoop capture file >8 belong >0 - version %d >12 belong 0 (IEEE 802.3) >12 belong 1 (IEEE 802.4) >12 belong 2 (IEEE 802.5) >12 belong 3 (IEEE 802.6) >12 belong 4 (Ethernet) >12 belong 5 (HDLC) >12 belong 6 (Character synchronous) >12 belong 7 (IBM channel-to-channel adapter) >12 belong 8 (FDDI) >12 belong 9 (Other) >12 belong 10 (type %d) >12 belong 11 (type %d) >12 belong 12 (type %d) >12 belong 13 (type %d) >12 belong 14 (type %d) >12 belong 15 (type %d) >12 belong 16 (Fibre Channel) >12 belong 17 (ATM) >12 belong 18 (ATM Classical IP) >12 belong 19 (type %d) >12 belong 20 (type %d) >12 belong 21 (type %d) >12 belong 22 (type %d) >12 belong 23 (type %d) >12 belong 24 (type %d) >12 belong 25 (type %d) >12 belong 26 (IP over Infiniband) >12 belong >26 (type %d) #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion. # Boot ROM images for Sun/Cobalt Linux server appliances 0 string Cobalt\ Networks\ Inc.\nFirmware\ v Paged COBALT boot rom >38 string x V%.4s # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string CRfs COBALT boot rom data (Flat boot rom or file system) #------------------------------------------------------------------------------ # $File: sylk,v 1.1 2020/04/05 22:18:34 christos Exp $ # sylk: file(1) magic for SYLK text files # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/SYmbolic_LinK_%28SYLK%29 # http://fileformats.archiveteam.org/wiki/SYLK # Note: called by TrID "SYLK - SYmbolic LinK data", # by DROID "Microsoft Symbolic Link (SYLK) File" # by FreeDesktop.org "spreadsheet interchange document" 0 string ID;P # skip short DROID x-fmt-106-signature-id-603.slk >7 ubyte >0 spreadsheet interchange document # https://reposcope.com/mimetype/text/spreadsheet #!:mime text/spreadsheet # https://reposcope.com/mimetype/application/x-sylk by Gnumeric !:mime application/x-sylk !:ext slk/sylk >>4 ubyte >037 \b, created by # Gnumeric, pmw~PlanMaker, CALCOOO32~LibreOffice OpenOffice, SCALC3~StarOffice # MP~Multiplan, XL~Excel WXL~Excel Windows >>>4 string Gnumeric Gnumeric >>>4 string pmw PlanMaker >>>4 string CALCOOO32 Libre/OpenOffice Calc >>>4 string SCALC3 StarOffice Calc >>>4 string XL Excel # Excel, version probably running on Windows >>>4 string WXL Excel # not tested >>>4 string MP Multiplan # unknown spreadsheet software >>>4 default x >>>>4 string x %s #------------------------------------------------------------------------------ # msx: file(1) magic for the SymbOS operating system # http://www.symbos.de # Fabio R. Schmidlin # SymbOS EXE file 0x30 string SymExe SymbOS executable >0x36 ubyte x v%c >0x37 ubyte x \b.%c >0xF string x \b, name: %s # SymbOS DOX document 0 string INFOq\0 SymbOS DOX document # Symbos driver 0 string SMD1 SymbOS driver >19 byte x \b, name: %c >20 byte x \b%c >21 byte x \b%c >22 byte x \b%c >23 byte x \b%c >24 byte x \b%c >25 byte x \b%c >26 byte x \b%c >27 byte x \b%c >28 byte x \b%c >29 byte x \b%c >30 byte x \b%c >31 byte x \b%c # Symbos video 0 string SymVid SymbOS video >6 ubyte x v%c >7 ubyte x \b.%c # Soundtrakker 128 ST2 music 0 byte 0 >0xC string \x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x40\x00 Soundtrakker 128 ST2 music, >>1 string x name: %s #------------------------------------------------------------------------ # $File: sysex,v 1.11 2022/01/17 17:16:51 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems # where real SYStem EXclusive messages at offset 1 are limited to seven bits # https://en.wikipedia.org/wiki/MIDI # test for StartSysEx byte and upper unsed bit of vendor ID 0 ubeshort&0xFF80 0xF000 # MIDI System Exclusive (SysEx) messages (strength=50) after Microsoft Visual C library (strength=70) #!:strength +0 # skip Microsoft Visual C library with page size 16 misidentifed as ADA and # page size 32 misidentifed as Inventronics by looking for terminating End Of eXclusive byte (EOX) >2 search/12 \xF7 >>0 use midi-sysex # display information about MIDI System Exclusive (SysEx) messages 0 name midi-sysex # https://fileinfo.com/extension/syx >1 ubyte x MIDI audio System Exclusive (SysEx) message - # Note: file (version 5.41) labeled the above entry as "SysEx File" #!:mime application/octet-stream !:mime audio/x-syx # https://onsongapp.com/docs/features/formats/sysex !:ext syx/sysex # https://www.midi.org/specifications-old/item/manufacturer-id-numbers # https://raw.githubusercontent.com/insolace/MIDI-Sysex-MFG-IDs/master/Sysex%20ID%20Tables/MIDI%20Sysex%20MFG%20IDs.csv # SysEx manufacturer ID; originally one byte, but now 0 is used as an escapement to reach the next two # North American Group #>1 byte 0x01 Sequential >1 byte 0x01 Sequential Circuits >1 byte 0x02 IDP #>1 byte 0x03 OctavePlateau >1 byte 0x03 Voyetra Turtle Beach >1 byte 0x04 Moog #>1 byte 0x05 Passport >1 byte 0x05 Passport Designs #>1 byte 0x06 Lexicon >1 byte 0x06 Lexicon Inc. >1 byte 0x07 Kurzweil/Future Retro >>3 byte 0x77 777 >>4 byte 0x00 Bank >>4 byte 0x01 Song >>5 byte 0x0f 16 >>5 byte 0x0e 15 >>5 byte 0x0d 14 >>5 byte 0x0c 13 >>5 byte 0x0b 12 >>5 byte 0x0a 11 >>5 byte 0x09 10 >>5 byte 0x08 9 >>5 byte 0x07 8 >>5 byte 0x06 7 >>5 byte 0x05 6 >>5 byte 0x04 5 >>5 byte 0x03 4 >>5 byte 0x02 3 >>5 byte 0x01 2 >>5 byte 0x00 1 >>5 byte 0x10 (ALL) >>2 byte x \b, Channel %d >1 byte 0x08 Fender #>1 byte 0x09 Gulbransen >1 byte 0x09 MIDI9 #>1 byte 0x0a AKG >1 byte 0x0a AKG Acoustics >1 byte 0x0b Voyce >1 byte 0x0c Waveframe # not ADA programming language #>1 byte 0x0d ADA >1 byte 0x0d ADA Signal Processors Inc. #>1 byte 0x0e Garfield >1 byte 0x0e Garfield Electronics >1 byte 0x0f Ensoniq >1 byte 0x10 Oberheim >>2 byte 0x06 Matrix 6 series >>3 byte 0x0A Dump (All) >>3 byte 0x01 Dump (Bank) >>4 belong 0x0002040E Matrix 1000 >>>11 byte <2 User bank %d >>>11 byte >1 Preset bank %d >1 byte 0x11 Apple >1 byte 0x12 GreyMatter >1 byte 0x14 PalmTree >1 byte 0x15 JLCooper >1 byte 0x16 Lowrey >1 byte 0x17 AdamsSmith >1 byte 0x18 E-mu #>1 byte 0x19 Harmony >1 byte 0x19 Harmony Systems >1 byte 0x1a ART >1 byte 0x1b Baldwin >1 byte 0x1c Eventide >1 byte 0x1d Inventronics >1 byte 0x1f Clarity # European Group #>1 byte 0x21 SIEL >1 byte 0x21 Proel Labs (SIEL) >1 byte 0x22 Synthaxe >1 byte 0x24 Hohner >1 byte 0x25 Twister #>1 byte 0x26 Solton >1 byte 0x26 Ketron s.r.l. >1 byte 0x27 Jellinghaus >1 byte 0x28 Southworth >1 byte 0x29 PPG >1 byte 0x2a JEN #>1 byte 0x2b SSL >1 byte 0x2b Solid State Logic Organ Systems #>1 byte 0x2c AudioVertrieb >1 byte 0x2c Audio Veritrieb-P. Struven >1 byte 0x2f ELKA >>3 byte 0x09 EK-44 >1 byte 0x30 Dynacord #>1 byte 0x31 Jomox >1 byte 0x31 Viscount International Spa >1 byte 0x33 Clavia >1 byte 0x39 Soundcraft # Some Waldorf info from http://Stromeko.Synth.net/Downloads#WaldorfDocs >1 byte 0x3e Waldorf >>2 byte 0x00 microWave >>2 byte 0x0E microwave2 / XT >>2 byte 0x0F Q / Q+ >>3 byte =0 (default id) >>3 byte >0 ( >>>3 byte <0x7F \bdevice %d) >>>3 byte =0x7F \bbroadcast id) >>3 byte 0x7f Microwave I >>>4 byte 0x00 SNDR (Sound Request) >>>4 byte 0x10 SNDD (Sound Dump) >>>4 byte 0x20 SNDP (Sound Parameter Change) >>>4 byte 0x30 SNDQ (Sound Parameter Inquiry) >>>4 byte 0x70 BOOT (Sound Reserved) >>>4 byte 0x01 MULR (Multi Request) >>>4 byte 0x11 MULD (Multi Dump) >>>4 byte 0x21 MULP (Multi Parameter Change) >>>4 byte 0x31 MULQ (Multi Parameter Inquiry) >>>4 byte 0x71 OS (Multi Reserved) >>>4 byte 0x02 DRMR (Drum Map Request) >>>4 byte 0x12 DRMD (Drum Map Dump) >>>4 byte 0x22 DRMP (Drum Map Parameter Change) >>>4 byte 0x32 DRMQ (Drum Map Parameter Inquiry) >>>4 byte 0x72 BIN (Drum Map Reserved) >>>4 byte 0x03 PATR (Sequencer Pattern Request) >>>4 byte 0x13 PATD (Sequencer Pattern Dump) >>>4 byte 0x23 PATP (Sequencer Pattern Parameter Change) >>>4 byte 0x33 PATQ (Sequencer Pattern Parameter Inquiry) >>>4 byte 0x73 AFM (Sequencer Pattern Reserved) >>>4 byte 0x04 GLBR (Global Parameter Request) >>>4 byte 0x14 GLBD (Global Parameter Dump) >>>4 byte 0x24 GLBP (Global Parameter Parameter Change) >>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) >>>4 byte 0x07 MODR (Mode Parameter Request) >>>4 byte 0x17 MODD (Mode Parameter Dump) >>>4 byte 0x27 MODP (Mode Parameter Parameter Change) >>>4 byte 0x37 MODQ (Mode Parameter Parameter Inquiry) >>2 byte 0x10 microQ >>>4 byte 0x00 SNDR (Sound Request) >>>4 byte 0x10 SNDD (Sound Dump) >>>4 byte 0x20 SNDP (Sound Parameter Change) >>>4 byte 0x30 SNDQ (Sound Parameter Inquiry) >>>4 byte 0x70 (Sound Reserved) >>>4 byte 0x01 MULR (Multi Request) >>>4 byte 0x11 MULD (Multi Dump) >>>4 byte 0x21 MULP (Multi Parameter Change) >>>4 byte 0x31 MULQ (Multi Parameter Inquiry) >>>4 byte 0x71 OS (Multi Reserved) >>>4 byte 0x02 DRMR (Drum Map Request) >>>4 byte 0x12 DRMD (Drum Map Dump) >>>4 byte 0x22 DRMP (Drum Map Parameter Change) >>>4 byte 0x32 DRMQ (Drum Map Parameter Inquiry) >>>4 byte 0x72 BIN (Drum Map Reserved) >>>4 byte 0x04 GLBR (Global Parameter Request) >>>4 byte 0x14 GLBD (Global Parameter Dump) >>>4 byte 0x24 GLBP (Global Parameter Parameter Change) >>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) >>2 byte 0x11 rackAttack >>>4 byte 0x00 SNDR (Sound Parameter Request) >>>4 byte 0x10 SNDD (Sound Parameter Dump) >>>4 byte 0x20 SNDP (Sound Parameter Parameter Change) >>>4 byte 0x30 SNDQ (Sound Parameter Parameter Inquiry) >>>4 byte 0x01 PRGR (Program Parameter Request) >>>4 byte 0x11 PRGD (Program Parameter Dump) >>>4 byte 0x21 PRGP (Program Parameter Parameter Change) >>>4 byte 0x31 PRGQ (Program Parameter Parameter Inquiry) >>>4 byte 0x71 OS (Program Parameter Reserved) >>>4 byte 0x03 PATR (Pattern Parameter Request) >>>4 byte 0x13 PATD (Pattern Parameter Dump) >>>4 byte 0x23 PATP (Pattern Parameter Parameter Change) >>>4 byte 0x33 PATQ (Pattern Parameter Parameter Inquiry) >>>4 byte 0x04 GLBR (Global Parameter Request) >>>4 byte 0x14 GLBD (Global Parameter Dump) >>>4 byte 0x24 GLBP (Global Parameter Parameter Change) >>>4 byte 0x34 GLBQ (Global Parameter Parameter Inquiry) >>>4 byte 0x05 EFXR (FX Parameter Request) >>>4 byte 0x15 EFXD (FX Parameter Dump) >>>4 byte 0x25 EFXP (FX Parameter Parameter Change) >>>4 byte 0x35 EFXQ (FX Parameter Parameter Inquiry) >>>4 byte 0x07 MODR (Mode Command Request) >>>4 byte 0x17 MODD (Mode Command Dump) >>>4 byte 0x27 MODP (Mode Command Parameter Change) >>>4 byte 0x37 MODQ (Mode Command Parameter Inquiry) >>2 byte 0x03 Wave >>>4 byte 0x00 SBPR (Soundprogram) >>>4 byte 0x01 SAPR (Performance) >>>4 byte 0x02 SWAVE (Wave) >>>4 byte 0x03 SWTBL (Wave control table) >>>4 byte 0x04 SVT (Velocity Curve) >>>4 byte 0x05 STT (Tuning Table) >>>4 byte 0x06 SGLB (Global Parameters) >>>4 byte 0x07 SARRMAP (Performance Program Change Map) >>>4 byte 0x08 SBPRMAP (Sound Program Change Map) >>>4 byte 0x09 SBPRPAR (Sound Parameter) >>>4 byte 0x0A SARRPAR (Performance Parameter) >>>4 byte 0x0B SINSPAR (Instrument/External Parameter) >>>4 byte 0x0F SBULK (Bulk Switch on/off) # Japanese Group >1 byte 0x40 Kawai >>3 byte 0x20 K1 >>3 byte 0x22 K4 >1 byte 0x41 Roland >>3 byte 0x14 D-50 >>3 byte 0x2b U-220 >>3 byte 0x02 TR-707 >1 byte 0x42 Korg >>3 byte 0x19 M1 >1 byte 0x43 Yamaha >1 byte 0x44 Casio >1 byte 0x46 Kamiya >1 byte 0x47 Akai #>1 byte 0x48 Victor >1 byte 0x48 Victor Company of Japan. Ltd. >1 byte 0x49 Mesosha >1 byte 0x4b Fujitsu >1 byte 0x4c Sony >1 byte 0x4e Teac >1 byte 0x50 Matsushita >1 byte 0x51 Fostex #>1 byte 0x52 Zoom >1 byte 0x52 Zoom Corporation >1 byte 0x54 Matsushita >1 byte 0x57 Acoustic tech. lab. # https://www.midi.org/techspecs/manid.php >1 belong&0xffffff00 0x00007400 Ta Horng >1 belong&0xffffff00 0x00007500 e-Tek >1 belong&0xffffff00 0x00007600 E-Voice >1 belong&0xffffff00 0x00007700 Midisoft >1 belong&0xffffff00 0x00007800 Q-Sound >1 belong&0xffffff00 0x00007900 Westrex >1 belong&0xffffff00 0x00007a00 Nvidia* >1 belong&0xffffff00 0x00007b00 ESS >1 belong&0xffffff00 0x00007c00 Mediatrix >1 belong&0xffffff00 0x00007d00 Brooktree >1 belong&0xffffff00 0x00007e00 Otari >1 belong&0xffffff00 0x00007f00 Key Electronics >1 belong&0xffffff00 0x00010000 Shure >1 belong&0xffffff00 0x00010100 AuraSound >1 belong&0xffffff00 0x00010200 Crystal >1 belong&0xffffff00 0x00010300 Rockwell >1 belong&0xffffff00 0x00010400 Silicon Graphics >1 belong&0xffffff00 0x00010500 Midiman >1 belong&0xffffff00 0x00010600 PreSonus >1 belong&0xffffff00 0x00010800 Topaz >1 belong&0xffffff00 0x00010900 Cast Lightning >1 belong&0xffffff00 0x00010a00 Microsoft >1 belong&0xffffff00 0x00010b00 Sonic Foundry >1 belong&0xffffff00 0x00010c00 Line 6 >1 belong&0xffffff00 0x00010d00 Beatnik Inc. >1 belong&0xffffff00 0x00010e00 Van Koerving >1 belong&0xffffff00 0x00010f00 Altech Systems >1 belong&0xffffff00 0x00011000 S & S Research >1 belong&0xffffff00 0x00011100 VLSI Technology >1 belong&0xffffff00 0x00011200 Chromatic >1 belong&0xffffff00 0x00011300 Sapphire >1 belong&0xffffff00 0x00011400 IDRC >1 belong&0xffffff00 0x00011500 Justonic Tuning >1 belong&0xffffff00 0x00011600 TorComp >1 belong&0xffffff00 0x00011700 Newtek Inc. >1 belong&0xffffff00 0x00011800 Sound Sculpture >1 belong&0xffffff00 0x00011900 Walker Technical >1 belong&0xffffff00 0x00011a00 Digital Harmony >1 belong&0xffffff00 0x00011b00 InVision >1 belong&0xffffff00 0x00011c00 T-Square >1 belong&0xffffff00 0x00011d00 Nemesys >1 belong&0xffffff00 0x00011e00 DBX >1 belong&0xffffff00 0x00011f00 Syndyne >1 belong&0xffffff00 0x00012000 Bitheadz >1 belong&0xffffff00 0x00012100 Cakewalk >1 belong&0xffffff00 0x00012200 Staccato >1 belong&0xffffff00 0x00012300 National Semicon. >1 belong&0xffffff00 0x00012400 Boom Theory >1 belong&0xffffff00 0x00012500 Virtual DSP Corp >1 belong&0xffffff00 0x00012600 Antares >1 belong&0xffffff00 0x00012700 Angel Software >1 belong&0xffffff00 0x00012800 St Louis Music >1 belong&0xffffff00 0x00012900 Lyrrus dba G-VOX >1 belong&0xffffff00 0x00012a00 Ashley Audio >1 belong&0xffffff00 0x00012b00 Vari-Lite >1 belong&0xffffff00 0x00012c00 Summit Audio >1 belong&0xffffff00 0x00012d00 Aureal Semicon. >1 belong&0xffffff00 0x00012e00 SeaSound >1 belong&0xffffff00 0x00012f00 U.S. Robotics >1 belong&0xffffff00 0x00013000 Aurisis >1 belong&0xffffff00 0x00013100 Nearfield Multimedia >1 belong&0xffffff00 0x00013200 FM7 Inc. >1 belong&0xffffff00 0x00013300 Swivel Systems >1 belong&0xffffff00 0x00013400 Hyperactive >1 belong&0xffffff00 0x00013500 MidiLite >1 belong&0xffffff00 0x00013600 Radical >1 belong&0xffffff00 0x00013700 Roger Linn >1 belong&0xffffff00 0x00013800 Helicon >1 belong&0xffffff00 0x00013900 Event >1 belong&0xffffff00 0x00013a00 Sonic Network >1 belong&0xffffff00 0x00013b00 Realtime Music >1 belong&0xffffff00 0x00013c00 Apogee Digital >1 belong&0xffffff00 0x00202b00 Medeli Electronics >1 belong&0xffffff00 0x00202c00 Charlie Lab >1 belong&0xffffff00 0x00202d00 Blue Chip Music >1 belong&0xffffff00 0x00202e00 BEE OH Corp >1 belong&0xffffff00 0x00202f00 LG Semicon America >1 belong&0xffffff00 0x00203000 TESI >1 belong&0xffffff00 0x00203100 EMAGIC >1 belong&0xffffff00 0x00203200 Behringer >1 belong&0xffffff00 0x00203300 Access Music >1 belong&0xffffff00 0x00203400 Synoptic >1 belong&0xffffff00 0x00203500 Hanmesoft Corp >1 belong&0xffffff00 0x00203600 Terratec >1 belong&0xffffff00 0x00203700 Proel SpA >1 belong&0xffffff00 0x00203800 IBK MIDI >1 belong&0xffffff00 0x00203900 IRCAM >1 belong&0xffffff00 0x00203a00 Propellerhead Software >1 belong&0xffffff00 0x00203b00 Red Sound Systems >1 belong&0xffffff00 0x00203c00 Electron ESI AB >1 belong&0xffffff00 0x00203d00 Sintefex Audio >1 belong&0xffffff00 0x00203e00 Music and More >1 belong&0xffffff00 0x00203f00 Amsaro >1 belong&0xffffff00 0x00204000 CDS Advanced Technology >1 belong&0xffffff00 0x00204100 Touched by Sound >1 belong&0xffffff00 0x00204200 DSP Arts >1 belong&0xffffff00 0x00204300 Phil Rees Music >1 belong&0xffffff00 0x00204400 Stamer Musikanlagen GmbH >1 belong&0xffffff00 0x00204500 Soundart >1 belong&0xffffff00 0x00204600 C-Mexx Software >1 belong&0xffffff00 0x00204700 Klavis Tech. >1 belong&0xffffff00 0x00204800 Noteheads AB # Update: Joerg Jenderek; January 2022 >1 byte 0x00 ID EXTENSIONS >1 byte 0x13 Digidesign Inc. >1 byte 0x1e Key Concepts >1 byte 0x20 Passac >1 byte 0x23 Stepp >1 byte 0x2d Neve >1 byte 0x2e Soundtracs Ltd. >1 byte 0x32 Drawmer >1 byte 0x34 Audio Architecture >1 byte 0x35 Generalmusic Corp SpA >1 byte 0x36 Cheetah Marketing >1 byte 0x37 C.T.M. >1 byte 0x38 Simmons UK >1 byte 0x3a Steinberg >1 byte 0x3b Wersi GmbH >1 byte 0x3c AVAB Niethammer AB >1 byte 0x3d Digigram >1 byte 0x3f Quasimidi # >1 byte 0x40 Kawai Musical Instruments MFG. CO. Ltd #>1 byte 0x45 foo #>1 byte 0x4a foo #>1 byte 0x4d foo #>1 byte 0x4f foo #>1 byte 0x53 foo >1 byte 0x55 Suzuki Musical Instruments MFG. Co. Ltd. >1 byte 0x56 Fuji Sound Corporation Ltd. #>1 byte 0x58 foo >1 byte 0x59 Faith. Inc. >1 byte 0x5a Internet Corporation #>1 byte 0x5b foo >1 byte 0x5c Seekers Co. Ltd. #>1 byte 0x5d foo #>1 byte 0x5e foo >1 byte 0x5f SD Card Association # Reserved for other uses for 60H to 7FH # URL: https://www.philscomputerlab.com/roland-midi-emulator-project-20.html # Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/syx--midiemu.trid.xml # Note: called by TrID "MIDI Emulator Project SysEx preset command" >1 byte 0x66 MIDI Emulator # https://electronicmusic.fandom.com/wiki/List_of_MIDI_Manufacturer_IDs # Educational, prototyping, test, private use and experimentation >1 byte 0x7D PROTOTYPING # universal non-real-time (sample dump, tuning table, etc.) >1 byte 0x7E UNIVERSAL # universal real time (MIDI time code, MIDI Machine control, etc.) >1 byte 0x7F universal real time # display information about End Of eXclusive byte (EOX=F7) #>2 ubyte 0xF7 \b, at 2 EOX #>3 ubyte 0xF7 \b, at 3 EOX # https://tttapa.github.io/Control-Surface-doc/new-input/Doxygen/d2/d93/SysEx-Send-Receive_8ino-example.html >4 ubyte 0xF7 \b, at 4 EOX # http://www.1manband.nl/tutorials2/sysex.htm >5 ubyte 0xF7 \b, at 5 EOX # http://www.somascape.org/midi/tech/mfile.html#sysex >6 ubyte 0xF7 \b, at 6 EOX # >7 ubyte 0xF7 \b, at 7 EOX # https://webmidijs.org/forum/discussion/34/how-to-send-or-receive-system-exclusive-messages >8 ubyte 0xF7 \b, at 8 EOX # >9 ubyte 0xF7 \b, at 9 EOX # https://www.chd-el.cz/wp-content/uploads/845010_syxcom.pdf >10 ubyte 0xF7 \b, at 10 EOX # https://stackoverflow.com/questions/52906076/handling-midi-the-input-of-multiple-system-exclusive-messages-in-vb >11 ubyte 0xF7 \b, at 11 EOX # https://www.2writers.com/eddie/TutSysEx.htm >12 ubyte 0xF7 \b, at 12 EOX >13 ubyte 0xF7 \b, at 13 EOX # http://www.chromakinetics.com/handsonic/rolSysEx.htm >14 ubyte 0xF7 \b, at 14 EOX #>15 ubyte 0xF7 \b, at 15 EOX 0 string T707 Roland TR-707 Data #------------------------------------------------------------------------------ # file: file(1) magic for Tcl scripting language # URL: https://www.tcl.tk/ # From: gustaf neumann # Tcl scripts 0 search/1/w #!\ /usr/bin/tcl Tcl script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/local/bin/tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ tcl Tcl script text executable !:mime text/x-tcl 0 search/1 #!\ /usr/bin/env\ tcl Tcl script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/bin/wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1/w #!\ /usr/local/bin/wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1 #!/usr/bin/env\ wish Tcl/Tk script text executable !:mime text/x-tcl 0 search/1 #!\ /usr/bin/env\ wish Tcl/Tk script text executable !:mime text/x-tcl # check the first line 0 search/1 package\ req >0 regex \^package[\ \t]+req Tcl script # not 'p', check other lines 0 search/1 !p >0 regex \^package[\ \t]+req Tcl script #------------------------------------------------------------------------------ # $File: teapot,v 1.4 2009/09/19 16:28:12 christos Exp $ # teapot: file(1) magic for "teapot" spreadsheet # 0 string #!teapot\012xdr teapot work sheet (XDR format) #------------------------------------------------------------------------------ # $File: terminfo,v 1.12 2021/02/23 00:51:10 christos Exp $ # terminfo: file(1) magic for terminfo # # URL: https://invisible-island.net/ncurses/man/term.5.html # URL: https://invisible-island.net/ncurses/man/scr_dump.5.html # # Workaround for Targa image type by Joerg Jenderek # GRR: line below too general as it catches also # Targa image type 1 with 26 long identification field # and HELP.DSK 0 string \032\001 # 5th character of terminal name list, but not Targa image pixel size (15 16 24 32) >16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s" !:mime application/x-terminfo # no extension #!:ext # #------------------------------------------------------------------------------ # The following was added for ncurses6 development: #------------------------------------------------------------------------------ # 0 string \036\002 # imitate the legacy compiled-format, to get the entry-name printed >16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0. 4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled 32-bit terminfo entry "%-s" !:mime application/x-terminfo2 # # While the compiled terminfo uses little-endian format regardless of # platform, SystemV screen dumps do not. They came later, and that detail was # overlooked. # # AIX and HPUX use the SVr4 big-endian format # Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) 0 beshort 0433 SVr2 curses screen image, big-endian 0 beshort 0434 SVr3 curses screen image, big-endian 0 beshort 0435 SVr4 curses screen image, big-endian # 0 leshort 0433 SVr2 curses screen image, little-endian 0 leshort 0434 SVr3 curses screen image, little-endian 0 leshort 0435 SVr4 curses screen image, little-endian # # Rather than SVr4, Solaris "xcurses" writes this header: 0 regex \^MAX=[0-9]+,[0-9]+$ >1 regex \^BEG=[0-9]+,[0-9]+$ >2 regex \^SCROLL=[0-9]+,[0-9]+$ >3 regex \^VMIN=[0-9]+$ >4 regex \^VTIME=[0-9]+$ >5 regex \^FLAGS=0x[[:xdigit:]]+$ >6 regex \^FG=[0-9],[0-9]+$ >7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image # # ncurses5 (and before) did not use a magic number, making screen dumps "data". # ncurses6 (2015) uses this format, ignoring byte-order 0 string \210\210\210\210ncurses ncurses6 screen image # # PDCurses added this in 2005 0 string PDC\001 PDCurses screen image #------------------------------------------------------------------------------ # $File: tex,v 1.21 2019/04/19 00:42:27 christos Exp $ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) # # From # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] 0 string \367\002 TeX DVI file !:mime application/x-dvi >16 string >\0 (%s) 0 string \367\203 TeX generic font data 0 string \367\131 TeX packed font data >3 string >\0 (%s) 0 string \367\312 TeX virtual font data 0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text # There is no way to detect TeX Font Metric (*.tfm) files without # breaking them apart and reading the data. The following patterns # match most *.tfm files generated by METAFONT or afm2tfm. 2 string \000\021 TeX font metric data !:mime application/x-tex-tfm >33 string >\0 (%s) 2 string \000\022 TeX font metric data !:mime application/x-tex-tfm >33 string >\0 (%s) # Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/1 \\input\ texinfo Texinfo source text !:mime text/x-texinfo 0 search/1 This\ is\ Info\ file GNU Info text !:mime text/x-info # TeX documents, from Daniel Quinlan (quinlan@yggdrasil.com) 0 search/4096 \\input TeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\begin LaTeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\section LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\setlength LaTeX document text !:mime text/x-tex !:strength + 15 0 search/4096 \\documentstyle LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\chapter LaTeX document text !:mime text/x-tex !:strength + 18 0 search/4096 \\documentclass LaTeX 2e document text !:mime text/x-tex !:strength + 15 0 search/4096 \\relax LaTeX auxiliary file !:mime text/x-tex !:strength + 15 0 search/4096 \\contentsline LaTeX table of contents !:mime text/x-tex !:strength + 15 0 search/4096 %\ -*-latex-*- LaTeX document text !:mime text/x-tex # Tex document, from Hendrik Scholz 0 search/1 \\ifx TeX document text # Index and glossary files 0 search/4096 \\indexentry LaTeX raw index file 0 search/4096 \\begin{theindex} LaTeX sorted index 0 search/4096 \\glossaryentry LaTeX raw glossary 0 search/4096 \\begin{theglossary} LaTeX sorted glossary 0 search/4096 This\ is\ makeindex Makeindex log file # End of TeX #------------------------------------------------------------------------------ # file(1) magic for BibTex text files # From Hendrik Scholz 0 search/1/c @article{ BibTeX text file 0 search/1/c @book{ BibTeX text file 0 search/1/c @inbook{ BibTeX text file 0 search/1/c @incollection{ BibTeX text file 0 search/1/c @inproceedings{ BibTeX text file 0 search/1/c @manual{ BibTeX text file 0 search/1/c @misc{ BibTeX text file 0 search/1/c @preamble{ BibTeX text file 0 search/1/c @phdthesis{ BibTeX text file 0 search/1/c @techreport{ BibTeX text file 0 search/1/c @unpublished{ BibTeX text file 73 search/1 %%%\ \ BibTeX-file{ BibTex text file (with full header) 73 search/1 %%%\ \ @BibTeX-style-file{ BibTeX style text file (with full header) 0 search/1 %\ BibTeX\ standard\ bibliography\ BibTeX standard bibliography style text file 0 search/1 %\ BibTeX\ ` BibTeX custom bibliography style text file 0 search/1 @c\ @mapfile{ TeX font aliases text file 0 string #LyX LyX document text # ConTeXt documents # https://wiki.contextgarden.net/ 0 search/4096 \\setupcolors[ ConTeXt document text !:strength + 15 0 search/4096 \\definecolor[ ConTeXt document text !:strength + 15 0 search/4096 \\setupinteraction[ ConTeXt document text !:strength + 15 0 search/4096 \\useURL[ ConTeXt document text !:strength + 15 0 search/4096 \\setuppapersize[ ConTeXt document text !:strength + 15 0 search/4096 \\setuplayout[ ConTeXt document text !:strength + 15 0 search/4096 \\setupfooter[ ConTeXt document text !:strength + 15 0 search/4096 \\setupfootertexts[ ConTeXt document text !:strength + 15 0 search/4096 \\setuppagenumbering[ ConTeXt document text !:strength + 15 0 search/4096 \\setupbodyfont[ ConTeXt document text !:strength + 15 0 search/4096 \\setuphead[ ConTeXt document text !:strength + 15 0 search/4096 \\setupitemize[ ConTeXt document text !:strength + 15 0 search/4096 \\setupwhitespace[ ConTeXt document text !:strength + 15 0 search/4096 \\setupindenting[ ConTeXt document text !:strength + 15 #------------------------------------------------------------------------------ # $File: tgif,v 1.7 2010/09/20 19:03:46 rrt Exp $ # file(1) magic for tgif(1) files # From Hendrik Scholz 0 string %TGIF\ Tgif file version >6 string x %s #------------------------------------------------------------------------------ # $File: ti-8x,v 1.8 2020/02/12 22:13:01 christos Exp $ # ti-8x: file(1) magic for the TI-8x and TI-9x Graphing Calculators. # # From: Ryan McGuire (rmcguire@freenet.columbus.oh.us). # # Update: Romain Lievin (roms@lpg.ticalc.org). # # NOTE: This list is not complete. # Files for the TI-80 and TI-81 are pretty rare. I'm not going to put the # program/group magic numbers in here because I cannot find any. 0 string **TI80** TI-80 Graphing Calculator File. 0 string **TI81** TI-81 Graphing Calculator File. # # Magic Numbers for the TI-73 # 0 string **TI73** TI-73 Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (equation) >0x00003B byte 0x04 (string) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (assembly program) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0C (complex number) >0x00003B byte 0x0F (window settings) >0x00003B byte 0x10 (zoom) >0x00003B byte 0x11 (table setup) >0x00003B byte 0x13 (backup) # Magic Numbers for the TI-82 # 0 string **TI82** TI-82 Graphing Calculator >0x00003B byte 0x00 (real) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (Y-variable) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (protected prgm) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0B (window settings) >0x00003B byte 0x0C (window settings) >0x00003B byte 0x0D (table setup) >0x00003B byte 0x0E (screenshot) >0x00003B byte 0x0F (backup) # # Magic Numbers for the TI-83 # 0 string **TI83** TI-83 Graphing Calculator >0x00003B byte 0x00 (real) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (Y-variable) >0x00003B byte 0x04 (string) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (protected prgm) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0B (window settings) >0x00003B byte 0x0C (window settings) >0x00003B byte 0x0D (table setup) >0x00003B byte 0x0E (screenshot) >0x00003B byte 0x13 (backup) # # Magic Numbers for the TI-83+ # 0 string **TI83F* TI-83+ Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (list) >0x00003B byte 0x02 (matrix) >0x00003B byte 0x03 (equation) >0x00003B byte 0x04 (string) >0x00003B byte 0x05 (program) >0x00003B byte 0x06 (assembly program) >0x00003B byte 0x07 (picture) >0x00003B byte 0x08 (gdb) >0x00003B byte 0x0C (complex number) >0x00003B byte 0x0F (window settings) >0x00003B byte 0x10 (zoom) >0x00003B byte 0x11 (table setup) >0x00003B byte 0x13 (backup) >0x00003B byte 0x15 (application variable) >0x00003B byte 0x17 (group of variable) # # Magic Numbers for the TI-85 # 0 string **TI85** TI-85 Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (complex number) >0x00003B byte 0x02 (real vector) >0x00003B byte 0x03 (complex vector) >0x00003B byte 0x04 (real list) >0x00003B byte 0x05 (complex list) >0x00003B byte 0x06 (real matrix) >0x00003B byte 0x07 (complex matrix) >0x00003B byte 0x08 (real constant) >0x00003B byte 0x09 (complex constant) >0x00003B byte 0x0A (equation) >0x00003B byte 0x0C (string) >0x00003B byte 0x0D (function GDB) >0x00003B byte 0x0E (polar GDB) >0x00003B byte 0x0F (parametric GDB) >0x00003B byte 0x10 (diffeq GDB) >0x00003B byte 0x11 (picture) >0x00003B byte 0x12 (program) >0x00003B byte 0x13 (range) >0x00003B byte 0x17 (window settings) >0x00003B byte 0x18 (window settings) >0x00003B byte 0x19 (window settings) >0x00003B byte 0x1A (window settings) >0x00003B byte 0x1B (zoom) >0x00003B byte 0x1D (backup) >0x00003B byte 0x1E (unknown) >0x00003B byte 0x2A (equation) >0x000032 string ZS4 - ZShell Version 4 File. >0x000032 string ZS3 - ZShell Version 3 File. # # Magic Numbers for the TI-86 # 0 string **TI86** TI-86 Graphing Calculator >0x00003B byte 0x00 (real number) >0x00003B byte 0x01 (complex number) >0x00003B byte 0x02 (real vector) >0x00003B byte 0x03 (complex vector) >0x00003B byte 0x04 (real list) >0x00003B byte 0x05 (complex list) >0x00003B byte 0x06 (real matrix) >0x00003B byte 0x07 (complex matrix) >0x00003B byte 0x08 (real constant) >0x00003B byte 0x09 (complex constant) >0x00003B byte 0x0A (equation) >0x00003B byte 0x0C (string) >0x00003B byte 0x0D (function GDB) >0x00003B byte 0x0E (polar GDB) >0x00003B byte 0x0F (parametric GDB) >0x00003B byte 0x10 (diffeq GDB) >0x00003B byte 0x11 (picture) >0x00003B byte 0x12 (program) >0x00003B byte 0x13 (range) >0x00003B byte 0x17 (window settings) >0x00003B byte 0x18 (window settings) >0x00003B byte 0x19 (window settings) >0x00003B byte 0x1A (window settings) >0x00003B byte 0x1B (zoom) >0x00003B byte 0x1D (backup) >0x00003B byte 0x1E (unknown) >0x00003B byte 0x2A (equation) # # Magic Numbers for the TI-89 # 0 string **TI89** TI-89 Graphing Calculator >0x000048 byte 0x00 (expression) >0x000048 byte 0x04 (list) >0x000048 byte 0x06 (matrix) >0x000048 byte 0x0A (data) >0x000048 byte 0x0B (text) >0x000048 byte 0x0C (string) >0x000048 byte 0x0D (graphic data base) >0x000048 byte 0x0E (figure) >0x000048 byte 0x10 (picture) >0x000048 byte 0x12 (program) >0x000048 byte 0x13 (function) >0x000048 byte 0x14 (macro) >0x000048 byte 0x1C (zipped) >0x000048 byte 0x21 (assembler) # # Magic Numbers for the TI-92 # 0 string **TI92** TI-92 Graphing Calculator >0x000048 byte 0x00 (expression) >0x000048 byte 0x04 (list) >0x000048 byte 0x06 (matrix) >0x000048 byte 0x0A (data) >0x000048 byte 0x0B (text) >0x000048 byte 0x0C (string) >0x000048 byte 0x0D (graphic data base) >0x000048 byte 0x0E (figure) >0x000048 byte 0x10 (picture) >0x000048 byte 0x12 (program) >0x000048 byte 0x13 (function) >0x000048 byte 0x14 (macro) >0x000048 byte 0x1D (backup) # # Magic Numbers for the TI-92+/V200 # 0 string **TI92P* TI-92+/V200 Graphing Calculator >0x000048 byte 0x00 (expression) >0x000048 byte 0x04 (list) >0x000048 byte 0x06 (matrix) >0x000048 byte 0x0A (data) >0x000048 byte 0x0B (text) >0x000048 byte 0x0C (string) >0x000048 byte 0x0D (graphic data base) >0x000048 byte 0x0E (figure) >0x000048 byte 0x10 (picture) >0x000048 byte 0x12 (program) >0x000048 byte 0x13 (function) >0x000048 byte 0x14 (macro) >0x000048 byte 0x1C (zipped) >0x000048 byte 0x21 (assembler) # # Magic Numbers for the TI-73/83+/89/92+/V200 FLASH upgrades # #0x0000016 string Advanced TI-XX Graphing Calculator (FLASH) 0 string **TIFL** TI-XX Graphing Calculator (FLASH) >8 byte >0 - Revision %d >>9 byte x \b.%d, >12 byte >0 Revision date %02x >>13 byte x \b/%02x >>14 beshort x \b/%04x, >17 string >/0 name: '%s', >48 byte 0x74 device: TI-73, >48 byte 0x73 device: TI-83+, >48 byte 0x98 device: TI-89, >48 byte 0x88 device: TI-92+, >49 byte 0x23 type: OS upgrade, >49 byte 0x24 type: application, >49 byte 0x25 type: certificate, >49 byte 0x3e type: license, >74 lelong >0 size: %d bytes # VTi & TiEmu skins (TI Graphing Calculators). # From: Romain Lievin (roms@lpg.ticalc.org). # Magic Numbers for the VTi skins 0 string VTI Virtual TI skin >3 string v - Version >>4 byte >0 \b %c >>6 byte x \b.%c # Magic Numbers for the TiEmu skins 0 string TiEmu TiEmu skin >6 string v - Version >>7 byte >0 \b %c >>9 byte x \b.%c >>10 byte x \b%c #------------------------------------------------------------------------------ # $File: timezone,v 1.13 2021/07/21 17:57:20 christos Exp $ # timezone: file(1) magic for timezone data # # from Daniel Quinlan (quinlan@yggdrasil.com) # this should work on Linux, SunOS, and maybe others # Added new official magic number for recent versions of the Olson code 0 name timezone >4 byte 0 \b, old version >4 byte >0 \b, version %c >20 belong 0 \b, no gmt time flags >20 belong 1 \b, 1 gmt time flag >20 belong >1 \b, %d gmt time flags >24 belong 0 \b, no std time flags >24 belong 1 \b, 1 std time flag >24 belong >1 \b, %d std time flags >28 belong 0 \b, no leap seconds >28 belong 1 \b, 1 leap second >28 belong >1 \b, %d leap seconds >32 belong 0 \b, no transition times >32 belong 1 \b, 1 transition time >32 belong >1 \b, %d transition times >36 belong 0 \b, no local time types >36 belong 1 \b, 1 local time type >36 belong >1 \b, %d local time types >40 belong 0 \b, no abbreviation chars >40 belong 1 \b, 1 abbreviation char >40 belong >1 \b, %d abbreviation chars 0 string TZif timezone data >51 string TZif \b(slim) >>51 use timezone >51 default x \b(fat) >>0 use timezone 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 old timezone data 0 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 old timezone data #------------------------------------------------------------------------------ # $File: tplink,v 1.7 2021/04/26 15:56:00 christos Exp $ # tplink: File magic for openwrt firmware files # URL: https://wiki.openwrt.org/doc/techref/header # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c # From: Joerg Jenderek # check for valid header version 1 or 2 0 ulelong <3 >0 ulelong !0 # test for header padding with nulls >>0x100 long 0 # skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor >>>4 ubelong >0x1F000000 # skip user.dbt by looking for positive hardware id >>>>0x40 ubeshort >0 >>>>>0 use firmware-tplink 0 name firmware-tplink >0 ubyte x firmware !:mime application/x-tplink-bin !:ext bin # hardware id like 10430001 07410001 09410004 09410006 >0x40 ubeshort x %x >0x42 ubeshort x v%x # hardware revision like 1 >0x44 ubelong !1 (revision %u) # vendor_name[24] like OpenWrt or TP-LINK Technologies >4 string x %.24s # fw_version[36] like r49389 or ver. 1.0 >0x1c string x %.36s # header version 1 or 2 >0 ubyte !1 V%X # ver_hi.ver_mid.ver_lo >0x98 long !0 \b, version >>0x98 ubeshort x %u >>0x9A ubeshort x \b.%u >>0x9C ubeshort x \b.%u # region code 0~universal 1~US >0x48 ubelong x #>>0x48 ubelong 0 (universal) >>0x48 ubelong 1 (US) >>0x48 ubelong >1 (region %u) # total length of the firmware. not always true >0x7C ubelong x \b, %u bytes or less # unknown 1 >0x48 ubelong !0 \b, UNKNOWN1 %#x # md5sum1[16] #>0x4c ubequad x \b, MD5 %llx #>>0x54 ubequad x \b%llx # unknown 2 >0x5c ubelong !0 \b, UNKNOWN2 %#x # md5sum2[16] #>0x60 ubequad !0 \b, 2nd MD5 %llx #>>0x68 ubequad x \b%llx # unknown 3 >0x70 ubelong !0 \b, UNKNOWN3 %#x # kernel load address #>0x74 ubelong x \b, %#x load # kernel entry point #>0x78 ubelong x \b, %#x entry # kernel data offset. 200h means direct after header >0x80 ubelong x \b, at %#x # kernel data length and 1 space >0x84 ubelong x %u bytes # look for kernel type (gzip compressed vmlinux.bin by ./compress) >(0x80.L) indirect x # root file system data offset # WRONG in 5.35 with above indirect expression >0x88 ubelong x \b, at %#x # rootfs data length and 1 space >0x8C ubelong x %u bytes # in 5.32 only true for offset ~< FILE_BYTES_MAX=9 MB defined in ../../src/file.h >(0x88.L) indirect x # 'qshs' for wr940nv1_en_3_13_7_up(111228).bin #>(0x88.L) string x \b, file system '%.4s' #>(0x88.L) ubequad x \b, file system %#llx # bootloader data offset >0x90 ubelong !0 \b, at %#x # bootloader data length only reasonable if bootloader offset not null >>0x94 ubelong !0 %u bytes # pad[354] should be 354 null bytes. #>0x9E ubequad !0 \b, padding %#llx # But at 0x120 18 non null bytes in examples like # wr940nv4_eu_3_16_9_up_boot(160620).bin # wr940nv6_us_3_18_1_up_boot(171030).bin #>0x120 ubequad !0 \b, other padding %#llx #------------------------------------------------------------------------------ # $File: troff,v 1.13 2020/05/30 23:12:34 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) # troff input 0 search/1 .\\" troff or preprocessor input text !:mime text/troff 0 search/1 '\\" troff or preprocessor input text !:mime text/troff 0 search/1 '.\\" troff or preprocessor input text !:mime text/troff 0 search/1 \\" troff or preprocessor input text !:mime text/troff #0 search/1 ''' troff or preprocessor input text #!:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text !:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text !:mime text/troff # ditroff intermediate output text 0 search/1 x\ T ditroff output text >4 search/1 cat for the C/A/T phototypesetter >4 search/1 ps for PostScript >4 search/1 dvi for DVI >4 search/1 ascii for ASCII >4 search/1 lj4 for LaserJet 4 >4 search/1 latin1 for ISO 8859-1 (Latin 1) >4 search/1 X75 for xditview at 75dpi >>7 search/1 -12 (12pt) >4 search/1 X100 for xditview at 100dpi >>8 search/1 -12 (12pt) # output data formats 0 string \100\357 very old (C/A/T) troff output data #------------------------------------------------------------------------------ # $File: tuxedo,v 1.4 2009/09/19 16:28:13 christos Exp $ # tuxedo: file(1) magic for BEA TUXEDO data files # # from Ian Springer # 0 string \0\0\1\236\0\0\0\0\0\0\0\0\0\0\0\0 BEA TUXEDO DES mask data #------------------------------------------------------------------------------ # $File: typeset,v 1.8 2009/09/19 16:28:13 christos Exp $ # typeset: file(1) magic for other typesetting # 0 string Interpress/Xerox Xerox InterPress data >16 string / (version >>17 string >\0 %s) #------------------------------------------------------------------------------ # $File: uf2,v 1.3 2021/04/28 01:00:31 christos Exp $ # uf2: file(1) magic for UF2 firmware image files # # https://github.com/microsoft/uf2 # # Created by Blake Ramsdell 0 string UF2\n UF2 firmware image !:ext uf2 # This is for checking the other magic numbers, do we want to do that? #>4 lelong 0x9E5D5157 howdy #>>508 lelong 0x0AB16F30 doody >8 lelong &0x0001 \b, not main flash >8 lelong &0x1000 \b, file container >8 lelong &0x2000 \b, family # To update the UF2 family data, use this fine command # # families=`curl \ # https://raw.githubusercontent.com/microsoft/uf2/master/utils/uf2families.json \ # | jq -r '.[] | ">>28\tlelong\t\(.id)\t\(.description)"' | sort -n -k 3` && \ # perl -0777 -i -pe \ # "s/(### BEGIN UF2 FAMILIES\\n).*(\\n### END UF2 FAMILIES)/\$1$families\$2/s" \ # uf2 ### BEGIN UF2 FAMILIES >>28 lelong 0x00ff6919 ST STM32L4xx >>28 lelong 0x04240bdf ST STM32L5xx >>28 lelong 0x16573617 Microchip (Atmel) ATmega32 >>28 lelong 0x1851780a Microchip (Atmel) SAML21 >>28 lelong 0x1b57745f Nordic NRF52 >>28 lelong 0x1c5f21b0 ESP32 >>28 lelong 0x1e1f432d ST STM32L1xx >>28 lelong 0x202e3a91 ST STM32L0xx >>28 lelong 0x21460ff0 ST STM32WLxx >>28 lelong 0x2abc77ec NXP LPC55xx >>28 lelong 0x300f5633 ST STM32G0xx >>28 lelong 0x31d228c6 GD32F350 >>28 lelong 0x4c71240a ST STM32G4xx >>28 lelong 0x4fb2d5bd NXP i.MX RT10XX >>28 lelong 0x53b80f00 ST STM32F7xx >>28 lelong 0x55114460 Microchip (Atmel) SAMD51 >>28 lelong 0x57755a57 ST STM32F401 >>28 lelong 0x5a18069b Cypress FX2 >>28 lelong 0x5d1a0a2e ST STM32F2xx >>28 lelong 0x5ee21072 ST STM32F103 >>28 lelong 0x647824b6 ST STM32F0xx >>28 lelong 0x68ed2b88 Microchip (Atmel) SAMD21 >>28 lelong 0x6b846188 ST STM32F3xx >>28 lelong 0x6d0922fa ST STM32F407 >>28 lelong 0x6db66082 ST STM32H7xx >>28 lelong 0x70d16653 ST STM32WBxx >>28 lelong 0x7eab61ed ESP8266 >>28 lelong 0x7f83e793 NXP KL32L2x >>28 lelong 0x8fb060fe ST STM32F407VG >>28 lelong 0xada52840 Nordic NRF52840 >>28 lelong 0xbfdd4eee ESP32-S2 >>28 lelong 0xc47e5767 ESP32-S3 >>28 lelong 0xd42ba06c ESP32-C3 >>28 lelong 0xe48bff56 Raspberry Pi RP2040 ### END UF2 FAMILIES >>28 default x >>>28 lelong x %#08x >8 lelong&0x2000 0 \b, file size >>28 lelong x %#08x >8 lelong &0x4000 \b, MD5 checksum present >8 lelong &0x8000 \b, extension tags present >12 lelong x \b, address %#08x >24 lelong x \b, %u total blocks #------------------------------------------------------------------------------ # $File: unicode,v 1.7 2019/02/19 20:34:42 christos Exp $ # Unicode: BOM prefixed text files - Adrian Havill # These types are recognised in file_ascmagic so these encodings can be # treated by text patterns. Missing types are already dealt with internally. # 0 string +/v8 Unicode text, UTF-7 0 string +/v9 Unicode text, UTF-7 0 string +/v+ Unicode text, UTF-7 0 string +/v/ Unicode text, UTF-7 0 string \335\163\146\163 Unicode text, UTF-8-EBCDIC 0 string \000\000\376\377 Unicode text, UTF-32, big-endian 0 string \377\376\000\000 Unicode text, UTF-32, little-endian 0 string \016\376\377 Unicode text, SCSU (Standard Compression Scheme for Unicode) #------------------------------------------------------------------------------ # $File: unisig,v 1.1 2020/04/09 19:05:44 christos Exp $ # unisig: file(1) magic for files carrying a uniform signature (Unisig) # From: Lassi Kortela, John Cowan # URL: https://github.com/unisig # 0 string \xDC\xDC\x0D\x0A\x1A\x0A\x00 Unisig: >7 ubyte =0 UUID >>8 guid x %s >7 ubyte >0 URI >>7 pstring x %s #------------------------------------------------------------------------------ # $File: unknown,v 1.8 2013/01/09 22:37:24 christos Exp $ # unknown: file(1) magic for unknown machines # # 0x107 is 0407, 0x108 is 0410, and 0x109 is 0411; those are all PDP-11 # (executable, pure, and split I&D, respectively), but the PDP-11 version # doesn't have the "version %ld", which may be a bogus COFFism (I don't # think there was ever COFF for the PDP-11). # # 0x10B is 0413; that's VAX demand-paged, but this is a short, not a # long, as it would be on a VAX. In any case, that could collide with # VAX demand-paged files, as the magic number is little-endian on those # binaries, so the first 16 bits of the file would contain 0x10B. # # Therefore, those entries are commented out. # # 0x10C is 0414 and 0x10E is 0416; those *are* unknown. # #0 short 0x107 unknown machine executable #>8 short >0 not stripped #>15 byte >0 - version %ld #0 short 0x108 unknown pure executable #>8 short >0 not stripped #>15 byte >0 - version %ld #0 short 0x109 PDP-11 separate I&D #>8 short >0 not stripped #>15 byte >0 - version %ld #0 short 0x10b unknown pure executable #>8 short >0 not stripped #>15 byte >0 - version %ld 0 long 0x10c unknown demand paged pure executable >16 long >0 not stripped 0 long 0x10e unknown readable demand paged pure executable #------------------------------------------------------------------------------ # $File: usd,v 1.2 2020/05/21 22:17:00 christos Exp $ # # From Christian Schmidbauer # # https://github.com/PixarAnimationStudios/USD # USD crate file # https://github.com/PixarAnimationStudios/USD/blob/ebac0a8b6703f4fa1c27115f1f013bb9819662f4/pxr/usd/usd/crateFile.h#L441-L450 0 string PXR-USDC USD crate >8 byte x \b, version %x. >9 byte x \b%x. >10 byte x \b%x !:ext usd # USD ASCII file 0 string #usda\040 USD ASCII >6 string x \b, version %s !:mime text/plain !:ext usd #------------------------------------------------------------------------------ # $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # 0 string UTE+ uterus file >4 string v \b, version >5 byte x %c >6 string . \b. >7 byte x \b%c >8 string \<\> \b, big-endian >>16 belong >0 \b, slut size %u >8 string \>\< \b, litte-endian >>16 lelong >0 \b, slut size %u >10 byte &8 \b, compressed #------------------------------------------------------------------------------ # $File: uuencode,v 1.9 2021/11/13 17:48:10 christos Exp $ # uuencode: file(1) magic for ASCII-encoded files # # The first line of xxencoded files is identical to that in uuencoded files, # but the first character in most subsequent lines is 'h' instead of 'M'. # (xxencoding uses lowercase letters in place of most of uuencode's # punctuation and survives BITNET gateways better.) 0 regex/1024 \^begin\040[0-7]{3}\040 >&0 regex/256 [\012\015]+M[\040-\140]{60}[\012\015]+ uuencoded text >&0 regex/256 [\012\015]+h[0-9A-Za-z\053\055]{60}[\012\015]+ xxencoded text >&0 default x uuencoded or xxencoded text >&0 string >\0 \b, file name "%s" # btoa(1) is an alternative to uuencode that requires less space. 0 search/1 xbtoa\ Begin btoa'd text # ship(1) is another, much cooler alternative to uuencode. # Greg Roelofs, newt@uchicago.edu 0 search/1 $\012ship ship'd binary text # bencode(8) is used to encode compressed news batches (Bnews/Cnews only?) # Greg Roelofs, newt@uchicago.edu 0 search/1 Decode\ the\ following\ with\ bdeco bencoded News text # GRR: handle BASE64 #------------------------------------------------------------------------------ # $File: vacuum-cleaner,v 1.1 2015/11/14 13:38:35 christos Exp $ # vacuum cleaner magic by Thomas M. Ott (ThMO) # # navigation map for LG robot vacuum cleaner models VR62xx, VR64xx, VR63xx # file: MAPDATAyyyymmddhhmmss_xxxxxx_cc.blk # -> yyyymmdd: year, month, day of cleaning # -> hhmmss: hour, minute, second of cleaning # -> xxxxxx: 6 digits # -> cc: cleaning runs counter # size: 136044 bytes # # struct maphdr { # int32_t map_cnt; /* 0: single map */ # int32_t min_ceil; /* 4: 100 mm == 10 cm == min. ceil */ # int32_t max_ceil; /* 8: 10000 mm == 100 m == max. ceil */ # int32_t max_climb; /* 12: 50 mm = 5 cm == max. height to climb */ # int32_t unknown; /* 16: 50000 ??? */ # int32_t cell_bytes; /* 20: # of bytes for cells per block */ # int32_t block_max; /* 24: 1000 == max. # of blocks */ # int32_t route_max; /* 28: 1000 == max. # of routes */ # int32_t used_blocks; /* 32: 5/45/33/... == # of block entries used! */ # int32_t cell_dim; /* 36: 10 == cell dimension */ # int32_t clock_tick; /* 40: 100 == clock ticks */ # #if 0 # struct { /* 44: 1000 blocks for 10x10 cells */ # int32_t yoffset; # int32_t xoffset; # int32_t posxy; # int32_t timecode; # } blocks[ 1000]; # char cells[ 1000* 100]; /* 16044: 1000 10x10 cells */ # int16_t routes[ 1000* 10]; /* 116044: 1000 10-routes */ # #endif # }; 0 lelong =1 >4 lelong =100 >>8 lelong =10000 >>>12 lelong =50 >>>>16 lelong =50000 >>>>>20 lelong =100 >>>>>>24 lelong =1000 >>>>>>>28 lelong =1000 >>>>>>>>36 lelong =10 >>>>>>>>>40 lelong =100 >>>>>>>>>>32 lelong x LG robot VR6[234]xx %dm^2 navigation >>>>>>>>>>136040 lelong =-1 reuse map data >>>>>>>>>>136040 lelong =0 map data >>>>>>>>>>136040 lelong >0 spurious map data >>>>>>>>>>136040 lelong <-1 spurious map data #------------------------------------------------------------------------------ # $File: varied.out,v 1.23 2014/04/30 21:41:02 christos Exp $ # varied.out: file(1) magic for various USG systems # # Herewith many of the object file formats used by USG systems. # Most have been moved to files for a particular processor, # and deleted if they duplicate other entries. # 0 short 0610 Perkin-Elmer executable # AMD 29K 0 beshort 0572 amd 29k coff noprebar executable 0 beshort 01572 amd 29k coff prebar executable 0 beshort 0160007 amd 29k coff archive # Cray 6 beshort 0407 unicos (cray) executable # Ultrix 4.3 596 string \130\337\377\377 Ultrix core file >600 string >\0 from '%s' # BeOS and MAcOS PEF executables # From: hplus@zilker.net (Jon Watte) 0 string Joy!peffpwpc header for PowerPC PEF executable # # ava assembler/linker Uros Platise 0 string avaobj AVR assembler object code >7 string >\0 version '%s' # gnu gmon magic From: Eugen Dedu 0 string gmon GNU prof performance data >4 long x - version %d # From: Dave Pearson # Harbour HRB files. 0 string \xc0HRB Harbour HRB file >4 leshort x version %d # Harbour HBV files 0 string \xc0HBV Harbour variable dump file >4 leshort x version %d # From: Alex Beregszaszi # 0 string exec BugOS executable # 0 string pack BugOS archive # From: Jason Spence # Generated by the "examples" in STM's ST40 devkit, and derived code. 0 lelong 0x13a9f17e ST40 component image format >4 string >\0 \b, name '%s' #------------------------------------------------------------------------------ # $File: varied.script,v 1.13 2019/10/11 14:35:29 christos Exp $ # varied.script: file(1) magic for various interpreter scripts 0 string/t #!\ / a >3 string >\0 %s script text executable !:strength / 2 0 string/b #!\ / a >3 string >\0 %s script executable (binary data) !:strength / 2 0 string/t #!\t/ a >3 string >\0 %s script text executable !:strength / 2 0 string/b #!\t/ a >3 string >\0 %s script executable (binary data) !:strength / 2 0 string/t #!/ a >2 string >\0 %s script text executable !:strength / 2 0 string/b #!/ a >2 string >\0 %s script executable (binary data) !:strength / 2 0 string/t #!\ script text executable >3 string >\0 for %s !:strength / 2 0 string/b #!\ script executable >3 string >\0 for %s (binary data) !:strength / 2 # using env 0 string/t #!/usr/bin/env a >15 string/t >\0 %s script text executable !:strength / 10 0 string/b #!/usr/bin/env a >15 string/b >\0 %s script executable (binary data) !:strength / 10 0 string/t #!\ /usr/bin/env a >16 string/t >\0 %s script text executable !:strength / 10 0 string/b #!\ /usr/bin/env a >16 string/b >\0 %s script executable (binary data) !:strength / 10 # From: arno # mozilla xpconnect typelib # see https://www.mozilla.org/scriptable/typelib_file.html 0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib >0x10 byte x version %d >>0x11 byte x \b.%d #------------------------------------------------------------------------------ # $File: vax,v 1.10 2019/10/04 18:07:46 christos Exp $ # vax: file(1) magic for VAX executable/object and APL workspace # 0 lelong 0101557 VAX single precision APL workspace 0 lelong 0101556 VAX double precision APL workspace # # VAX a.out (BSD; others collide with 386 and other 32-bit little-endian # executables, and are handled in aout) # 0 lelong 0420 a.out VAX demand paged (first page unmapped) pure executable >16 lelong >0 not stripped # # VAX COFF # # The `versions' were commented out, but have been un-commented out. # (Was the problem just one of endianness?) # 0 leshort 0570 >2 uleshort <100 VAX COFF executable, sections %d >>4 ledate x \b, created %s >>12 lelong >0 \b, not stripped >>22 leshort >0 \b, version %d 0 leshort 0575 >2 uleshort <100 VAX COFF pure executable, sections %d >>4 ledate x \b, created %s >>12 lelong >0 \b, not stripped >>22 leshort >0 \b, version %d #------------------------------------------------------------------------------ # $File: vicar,v 1.4 2009/09/19 16:28:13 christos Exp $ # vicar: file(1) magic for VICAR files. # # From: Ossama Othman 32 string BYTE \b, 8 bits = VAX byte >32 string HALF \b, 16 bits = VAX word = Fortran INTEGER*2 >32 string FULL \b, 32 bits = VAX longword = Fortran INTEGER*4 >32 string REAL \b, 32 bits = VAX longword = Fortran REAL*4 >32 string DOUB \b, 64 bits = VAX quadword = Fortran REAL*8 >32 string COMPLEX \b, 64 bits = VAX quadword = Fortran COMPLEX*8 # VICAR label file 43 string SFDU_LABEL VICAR label file #------------------------------------------------------------------------------ # $File: virtual,v 1.17 2022/08/23 08:00:54 christos Exp $ # From: James Nobis # Microsoft hard disk images for: # Virtual Server # Virtual PC # VirtualBox # URL: http://fileformats.archiveteam.org/wiki/VHD_(Virtual_Hard_Disk) # Reference: https://download.microsoft.com/download/f/f/e/ffef50a5-07dd-4cf8-aaa3-442c0673a029/ # Virtual%20Hard%20Disk%20Format%20Spec_10_18_06.doc 0 string conectix Microsoft Disk Image, Virtual Server or Virtual PC # alternative shorter names #0 string conectix Microsoft Virtual Hard Disk image #0 string conectix Microsoft Virtual HD image !:mime application/x-virtualbox-vhd !:ext vhd # Features is a bit field used to indicate specific feature support #>8 ubelong !0x00000002 \b, Features %#x # Reserved. This bit must always be set to 1. #>8 ubelong &0x00000002 \b, Reserved %#x # File Format Version for the current specification 0x00010000 #>12 ubelong !0x00010000 \b, Version %#8.8x # Data Offset only found 0x200 #>16 ubequad !0x200 \b, Data Offset %#llx #>16 ubequad x \b, at %#llx # Dynamic Disk Header cookie like cxsparse #>(16.Q) string x "%-.8s" # This field contains a Unicode string (UTF-16) of the parent hard disk filename #>(16.Q+64) ubequad x \b, parent name %#llx # Creator Application # vpc~Microsoft Virtual PC, vs~Microsoft Virtual Server, vbox~VirtualBox, d2v~disk2vhd >28 string x \b, Creator %-4.4s # Creator Version: 0x00010000~Virtual Server 2004, 0x00050000~Virtual PC 2004 # holds the major/minor version of the application that created the image >32 ubeshort x %x >34 ubeshort x \b.%x #>32 ubelong x \b, Version %#8.8x # Creator Host OS: 0x5769326B~Windows (Wi2k), 0x4D616320~Macintosh (Mac) >36 ubelong x ( >>36 ubelong 0x5769326B \bW2k >>36 ubelong 0x4D616320 \bMac >>36 default x \b0x >>>36 ubelong x \b%8.8x # creation Time in seconds since 1 Jan 2000 UTC~946684800 sec. since Unix Epoch >24 bedate+946684800 x \b) %s # Original Size #>40 ubequad x \b, o.-Size %#llx # Current Size is same as original size, but change when disk is expanded #>48 ubequad x \b, Size %#llx >48 ubequad x \b, %llu bytes # Disk Geometry: cylinder, heads, and sectors/track for hard disk #>56 ubeshort x \b, Cylinder %#x >56 ubeshort x \b, CHS %u # Heads #>58 ubyte x \b, Heads %#x >58 ubyte x \b/%u # Sectors per track #>59 ubyte x \b, Sectors %#x >59 ubyte x \b/%u # Disk Type: 3~Dynamic hard disk >60 ubelong !0x3 \b, type %#x # Checksum #>64 ubelong x \b, cksum %#x # universally unique identifier (UUID) to associate a parent with its differencing image #>68 ubequad x \b, id %#16.16llx #>76 ubequad x \b-%16.16llx # Saved State: 1~Saved State >84 ubyte !0 \b, State %#x # Reserved 427 bytes with nils #>85 ubequad !0 \b, Reserved %#16.16llx # From: Joerg Jenderek # URL: https://msdn.microsoft.com/en-us/library/mt740058.aspx # Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/ # MS-VHDX/[MS-VHDX].pdf # Note: extends the VHD format with new capabilities, such as a 16TB maximum size # TODO: find and display values like virtual size, disk size, cluster_size, etc # display id in GUID format # # VHDX_FILE_IDENTIFIER signature 0x656C696678646876 0 string vhdxfile # VHDX_HEADER signature. 1 header is stored at offset 64KB and the other at 128KB >0x10000 string head Microsoft Disk Image eXtended #>0x20000 string head \b, 2nd header #!:mime application/x-virtualbox-vhdx !:ext vhdx # Creator[256] like "QEMU v3.0.0", "Microsoft Windows 6.3.9600.18512" >>8 lestring16 x \b, by %.256s # The Checksum field is a CRC-32C hash over the entire 4 KB structure #>>0x10004 ulelong x \b, CRC %#x # SequenceNumber >>0x10008 ulequad x \b, sequence %#llx # FileWriteGuid #>>0x10010 ubequad x \b, file id %#llx #>>>0x10018 ubequad x \b-%llx # DataWriteGuid #>>0x10020 ubequad x \b, data id %#llx #>>>0x10028 ubequad x \b-%llx # LogGuid. If this field is zero, then the log is empty or has no valid entries >>0x10030 ubequad >0 \b, log id %#llx >>>0x10038 ubequad x \b-%llx # LogVersion. If not 0 there is a log to replay >>0x10040 uleshort >0 \b, LogVersion %#x # Version. This field must be set to 1 >>0x10042 uleshort !1 \b, Version %#x # LogLength must be multiples of 1 MB >>0x10044 ulelong/1048576 >1 \b, LogLength %u MB # LogOffset (normally 0x100000 when log direct after header); multiples of 1 MB >>0x10048 ulequad !0x100000 \b, LogOffset %#llx # Log Entry Signature must be 0x65676F6C~loge >>(0x10048.q) ulelong !0x65676F6C \b, NO Log Signature >>(0x10048.q) ulelong =0x65676F6C \b; LOG # Log Entry Checksum #>>>(0x10048.q+4) ulelong x \b, Log CRC %#x # Log Entry Length must be a multiple of 4 KB >>>(0x10048.q+8) ulelong/1024 >4 \b, EntryLength %u KB # Log Entry Tail must be a multiple of 4 KB #>>>(0x10048.q+12) ulelong x \b, Tail %#x # Log Entry SequenceNumber #>>>(0x10048.q+16) ulequad x \b, # %#llx # Log Entry DescriptorCount may be zero. only 4 bytes in other docs instead 8 #>>>(0x10048.q+24) ulelong x \b, DescriptorCount %#llx # Log Entry Reserved must be set to 0 >>>(0x10048.q+28) ulelong !0 \b, Reserved %#x # Log Entry LogGuid #>>>(0x10048.q+32) ubequad x \b, Log id %#llx #>>>(0x10048.q+40) ubequad x \b-%llx # Log Entry FlushedFileOffset should VHDX size when entry is written. #>>>(0x10048.q+48) ulequad x \b, FlushedFileOffset %llu # Log Entry LastFileOffset #>>>(0x10048.q+56) ulequad x \b, LastFileOffset %llu # filling #>>>(0x10048.q+64) ulequad >0 \b, filling %llx # Reserved[4016] #>>0x10050 ulequad >0 \b, Reserved %#llx # VHDX_REGION_TABLE_HEADER Signature 0x69676572~regi at offset 192 KB and 256 KB >0x30000 ulelong !0x69676572 \b, 1st region INVALID >0x30000 ulelong =0x69676572 \b; region # region Checksum. CRC-32C hash over the entire 64-KB table #>>0x30004 ulelong x \b, CRC %#x # The EntryCount specifies number of valid entries; Found 2; This must be =< 2047. >>0x30008 ulelong x \b, %u entries # reserved must be zero #>>0x3000C ulelong !0 \b, RESERVED %#x # Region Table Entry starts with identifier for the object. often BAT id >>0x30010 use vhdx-id # FileOffset >>0x30020 ulequad x \b, at %#llx # Length. Specifies the length of the object within the file #>>0x30028 ulelong x \b, Length %#x # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX >>0x3002C ulelong x \b, Required %u # 2nd region entry often metadata id >>0x30030 use vhdx-id # 2nd entry FileOffset >>0x30040 ulequad x \b, at %#llx # 1 means region entry is required. if region not recognized, then REFUSE to load VHDX >>0x3004C ulelong x \b, Required %u # 2nd region >>0x40000 ulelong !0x69676572 \b, 2nd region INVALID # check in vhdx images for known id and show names instead hexadecimal 0 name vhdx-id # https://www.windowstricks.in/online-windows-guid-converter # 2DC27766-F623-4200-9D64-115E9BFD4A08 BAT GUID # 6677C22D23F600429D64115E9BFD4A08 BAT ID >0 ubequad =0x6677C22D23F60042 >>8 ubequad =0x9D64115E9BFD4A08 \b, id BAT # no BAT id >>8 default x >>>0 use vhdx-id-hex # 8B7CA206-4790-4B9A-B8FE-575F050F886E Metadata region GUID # 06A27C8B90479A4BB8FE575F050F886E Metadata region ID >0 ubequad =0x06A27C8B90479A4B >>8 ubequad =0xB8FE575F050F886E \b, id Metadata # no Metadata id >>8 default x >>>0 use vhdx-id-hex # 2FA54224-CD1B-4876-B211-5DBED83BF4B8 Virtual Disk Size GUID # 2442A52F1BCD7648B2115DBED83BF4B8 Virtual Disk Size ID # value "virtual size" can be verified by command `qemu-img info ` >0 ubequad =0x2442A52F1BCD7648 >>8 ubequad =0xB2115DBED83BF4B8 \b, id vsize # no Virtual Disk Size ID >>8 default x >>>0 use vhdx-id-hex # other ids >0 default x >>0 use vhdx-id-hex # in vhdx images show id as hexadecimal 0 name vhdx-id-hex >0 ubequad x \b, ID %#16.16llx >8 ubequad x \b-%16.16llx # # libvirt # From: Philipp Hahn 0 string LibvirtQemudSave Libvirt QEMU Suspend Image >0x10 lelong x \b, version %u >0x14 lelong x \b, XML length %u >0x18 lelong 1 \b, running >0x1c lelong 1 \b, compressed 0 string LibvirtQemudPart Libvirt QEMU partial Suspend Image # From: Alex Beregszaszi 0 string/b COWD VMWare3 >4 byte 3 disk image >>32 lelong x (%d/ >>36 lelong x \b%d/ >>40 lelong x \b%d) >4 byte 2 undoable disk image >>32 string >\0 (%s) 0 string/b VMDK VMware4 disk image 0 string/b KDMV VMware4 disk image #-------------------------------------------------------------------- # Qemu Emulator Images # Lines written by Friedrich Schwittay (f.schwittay@yousable.de) # Updated by Adam Buchbinder (adam.buchbinder@gmail.com) # Made by reading sources, reading documentation, and doing trial and error # on existing QCOW files 0 string/b QFI\xFB QEMU QCOW Image !:mime application/x-qemu-disk # Uncomment the following line to display Magic (only used for debugging # this magic number) #>0 string/b x , Magic: %s # There are currently 2 Versions: "1" and "2". # https://www.gnome.org/~markmc/qcow-image-format-version-1.html >4 belong x (v%d) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>12 belong >0 \b, has backing file ( # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. >>>(12.L) string >\0 \bpath %s # Modification time of the Backing File # Really useful if you want to know if your backing # file is still usable together with this image >>>>20 bedate >0 \b, mtime %s) >>>>20 default x \b) # Size is stored in bytes in a big-endian u64. >>24 bequad x \b, %lld bytes # 1 for AES encryption, 0 for none. >>36 belong 1 \b, AES-encrypted # https://www.gnome.org/~markmc/qcow-image-format.html >4 belong 2 (v2) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>8 bequad >0 \b, has backing file # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. Also, since there's no # .Q modifier, we just use the bottom four bytes as an offset. Note that if # the file is over 4G, and the backing file path is stored after the first 4G, # the wrong filename will be printed. (This should be (8.Q), when that syntax # is introduced.) >>>(12.L) string >\0 (path %s) >>24 bequad x \b, %lld bytes >>32 belong 1 \b, AES-encrypted >4 belong 3 (v3) # Using the existence of the Backing File Offset to determine whether # to read Backing File Information >>8 bequad >0 \b, has backing file # Note that this isn't a null-terminated string; the length is actually # (16.L). Assuming a null-terminated string happens to work usually, but it # may spew junk until it reaches a \0 in some cases. Also, since there's no # .Q modifier, we just use the bottom four bytes as an offset. Note that if # the file is over 4G, and the backing file path is stored after the first 4G, # the wrong filename will be printed. (This should be (8.Q), when that syntax # is introduced.) >>>(12.L) string >\0 (path %s) >>24 bequad x \b, %lld bytes >>32 belong 1 \b, AES-encrypted >4 default x (unknown version) 0 string/b QEVM QEMU suspend to disk image # QEMU QED Image # https://wiki.qemu.org/Features/QED/Specification 0 string/b QED\0 QEMU QED Image # VDI Image # Sun xVM VirtualBox Disk Image # From: Richard W.M. Jones # VirtualBox Disk Image 0x40 ulelong 0xbeda107f VirtualBox Disk Image >0x44 uleshort >0 \b, major %u >0x46 uleshort >0 \b, minor %u >0 string >\0 (%s) >368 lequad x \b, %lld bytes 0 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, >32 string x type %s, >48 string x subtype %s 0 lelong 0x02468ace Bochs Sparse disk image #------------------------------------------------------------------------------ # $File: virtutech,v 1.4 2009/09/19 16:28:13 christos Exp $ # Virtutech Compressed Random Access File Format # # From 0 string \211\277\036\203 Virtutech CRAFF >4 belong x v%d >20 belong 0 uncompressed >20 belong 1 bzipp2ed >20 belong 2 gzipped >24 belong 0 not clean #------------------------------------------------------------------------------ # $File: visx,v 1.5 2009/09/19 16:28:13 christos Exp $ # visx: file(1) magic for Visx format files # 0 short 0x5555 VISX image file >2 byte 0 (zero) >2 byte 1 (unsigned char) >2 byte 2 (short integer) >2 byte 3 (float 32) >2 byte 4 (float 64) >2 byte 5 (signed char) >2 byte 6 (bit-plane) >2 byte 7 (classes) >2 byte 8 (statistics) >2 byte 10 (ascii text) >2 byte 15 (image segments) >2 byte 100 (image set) >2 byte 101 (unsigned char vector) >2 byte 102 (short integer vector) >2 byte 103 (float 32 vector) >2 byte 104 (float 64 vector) >2 byte 105 (signed char vector) >2 byte 106 (bit plane vector) >2 byte 121 (feature vector) >2 byte 122 (feature vector library) >2 byte 124 (chain code) >2 byte 126 (bit vector) >2 byte 130 (graph) >2 byte 131 (adjacency graph) >2 byte 132 (adjacency graph library) >2 string .VISIX (ascii text) #------------------------------------------------------------------------------ # $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) # GRR 950122: I'm just guessing on these, based on inspection of the headers # of three executables each for Alpha and VAX architectures. The VAX files # all had headers similar to this: # # 00000 b0 00 30 00 44 00 60 00 00 00 00 00 30 32 30 35 ..0.D.`.....0205 # 00010 01 01 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ # 0 string \xb0\0\x30\0 VMS VAX executable >44032 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # # The AXP files all looked like this, except that the byte at offset 0x22 # was 06 in some of them and 07 in others: # # 00000 03 00 00 00 00 00 00 00 ec 02 00 00 10 01 00 00 ................ # 00010 68 00 00 00 98 00 00 00 b8 00 00 00 00 00 00 00 h............... # 00020 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ # 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # # GRR this test is still too general as it catches example adressen.dbt 0 belong 0x03000000 >8 ubelong 0xec020000 VMS Alpha executable >>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption #------------------------------------------------------------------------------ # $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) 0 belong 0x4d52564e VMware nvram #------------------------------------------------------------------------------ # $File: vorbis,v 1.26 2020/08/22 18:30:55 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner # Extended by Beni Cherniavsky # Further extended by Greg Wooledge # # Most (everything but the number of channels and bitrate) is commented # out with `##' as it's not interesting to the average user. The most # probable things advanced users would want to uncomment are probably # the number of comments and the encoder version. # # FIXME: The first match has been made a search, so that it can skip # over prepended ID3 tags. This will work for MIME type detection, but # won't work for detecting other properties of the file (they all need # to be made relative to the search). In any case, if the file has ID3 # tags, the ID3 information will be printed, not the Ogg information, # so until that's fixed, this doesn't matter. # FIXME[2]: Disable the above for now, since search assumes text mode. # # --- Ogg Framing --- #0 search/1000 OggS Ogg data 0 string OggS Ogg data >4 byte !0 UNKNOWN REVISION %u ##>4 byte 0 revision 0 >4 byte 0 ##>>14 lelong x (Serial %lX) # non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) >>28 string \x7fFLAC \b, FLAC audio # non-Vorbis content: Theora !:mime audio/ogg >>28 string \x80theora \b, Theora video !:mime video/ogg # non-Vorbis content: Kate >>28 string \x80kate\0\0\0\0 \b, Kate (Karaoke and Text) !:mime application/ogg >>>37 ubyte x v%u >>>38 ubyte x \b.%u, >>>40 byte 0 utf8 encoding, >>>40 byte !0 unknown character encoding, >>>60 string >\0 language %s, >>>60 string \0 no language set, >>>76 string >\0 category %s >>>76 string \0 no category set # non-Vorbis content: Skeleton >>28 string fishead\0 \b, Skeleton !:mime video/ogg >>>36 leshort x v%u >>>40 leshort x \b.%u # non-Vorbis content: Speex >>28 string Speex\ \ \ \b, Speex audio !:mime audio/ogg # non-Vorbis content: OGM >>28 string \x01video\0\0\0 \b, OGM video !:mime video/ogg >>>37 string/c div3 (DivX 3) >>>37 string/c divx (DivX 4) >>>37 string/c dx50 (DivX 5) >>>37 string/c xvid (XviD) # --- First vorbis packet - general header --- >>28 string \x01vorbis \b, Vorbis audio, !:mime audio/ogg >>>35 lelong !0 UNKNOWN VERSION %u, ##>>>35 lelong 0 version 0, >>>35 lelong 0 >>>>39 ubyte 1 mono, >>>>39 ubyte 2 stereo, >>>>39 ubyte >2 %u channels, >>>>40 lelong x %u Hz # Minimal, nominal and maximal bitrates specified when encoding >>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, # The above tests if at least one of these is specified: >>>>>52 lelong !-1 # Vorbis RC2 has a bug which puts -1000 in the min/max bitrate fields # instead of -1. # Vorbis 1.0 uses 0 instead of -1. >>>>>>52 lelong !0 >>>>>>>52 lelong !-1000 >>>>>>>>52 lelong x <%u >>>>>48 lelong !-1 >>>>>>48 lelong x ~%u >>>>>44 lelong !-1 >>>>>>44 lelong !-1000 >>>>>>>44 lelong !0 >>>>>>>>44 lelong x >%u >>>>>48 string <\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps # -- Second vorbis header packet - the comments # A kludge to read the vendor string. It's a counted string, not a # zero-terminated one, so file(1) can't read it in a generic way. # libVorbis is the only one existing currently, so I detect specifically # it. The interesting value is the cvs date (8 digits decimal). # Post-RC1 Ogg files have the second header packet (and thus the version) # in a different place, so we must use an indirect offset. >>>(84.b+85) string \x03vorbis >>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I >>>>>(84.b+120) string >00000000 # Map to beta version numbers: >>>>>>(84.b+120) string <20000508 (>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) >>>>>>(84.b+120) string >20000508 >>>>>>>(84.b+120) string <20001031 (beta2-3) >>>>>>(84.b+120) string 20001031 (1.0 beta 3) >>>>>>(84.b+120) string >20001031 >>>>>>>(84.b+120) string <20010225 (beta3-4) >>>>>>(84.b+120) string 20010225 (1.0 beta 4) >>>>>>(84.b+120) string >20010225 >>>>>>>(84.b+120) string <20010615 (beta4-RC1) >>>>>>(84.b+120) string 20010615 (1.0 RC1) >>>>>>(84.b+120) string 20010813 (1.0 RC2) >>>>>>(84.b+120) string 20010816 (RC2 - Garf tuned v1) >>>>>>(84.b+120) string 20011014 (RC2 - Garf tuned v2) >>>>>>(84.b+120) string 20011217 (1.0 RC3) >>>>>>(84.b+120) string 20011231 (1.0 RC3) # Some pre-1.0 CVS snapshots still had "Xiphphorus"... >>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org >>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I >>>>>(84.b+117) string >00000000 >>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string 20020717 (1.0) >>>>>>(84.b+117) string 20030909 (1.0.1) >>>>>>(84.b+117) string 20040629 (1.1.0 RC1) >>>>>>(84.b+117) string 20050304 (1.1.2) >>>>>>(84.b+117) string 20070622 (1.2.0) >>>>>>(84.b+117) string 20090624 (1.2.2) >>>>>>(84.b+117) string 20090709 (1.2.3) >>>>>>(84.b+117) string 20100325 (1.3.1) >>>>>>(84.b+117) string 20101101 (1.3.2) >>>>>>(84.b+117) string 20120203 (1.3.3) >>>>>>(84.b+117) string 20140122 (1.3.4) >>>>>>(84.b+117) string 20150105 (1.3.5) # non-Vorbis content: Opus https://tools.ietf.org/html/rfc7845#section-5 >>28 string OpusHead \b, Opus audio, !:mime audio/ogg >>>36 ubyte >0x0F UNKNOWN VERSION %u, >>>36 ubyte&0x0F !0 version 0.%u, >>>>46 ubyte >1 >>>>>46 ubyte !255 unknown channel mapping family %u, >>>>>37 ubyte x %u channels >>>>46 ubyte 0 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo >>>>46 ubyte 1 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo >>>>>37 ubyte 3 linear surround >>>>>37 ubyte 4 quadraphonic >>>>>37 ubyte 5 5.0 surround >>>>>37 ubyte 6 5.1 surround >>>>>37 ubyte 7 6.1 surround >>>>>37 ubyte 8 7.1 surround >>>>40 lelong !0 \b, %u Hz (Input Sample Rate) #------------------------------------------------------------------------------ # $File: vxl,v 1.4 2009/09/19 16:28:13 christos Exp $ # VXL: file(1) magic for VXL binary IO data files # # from Ian Scott # # VXL is a collection of C++ libraries for Computer Vision. # See the vsl chapter in the VXL Book for more info # http://www.isbe.man.ac.uk/public_vxl_doc/books/vxl/book.html # http:/vxl.sf.net 2 lelong 0x472b2c4e VXL data file, >0 leshort >0 schema version no %d #------------------------------------------------------------------------------ # $File: warc,v 1.4 2019/04/19 00:42:27 christos Exp $ # warc: file(1) magic for WARC files 0 string WARC/ WARC Archive >5 string x version %.4s !:mime application/warc #------------------------------------------------------------------------------ # Arc File Format from Internet Archive # see https://www.archive.org/web/researcher/ArcFileFormat.php 0 string filedesc:// Internet Archive File !:mime application/x-ia-arc >11 search/256 \x0A \b >>&0 ubyte >0 \b version %c #------------------------------------------------------------------------------ # weak: file(1) magic for very weak magic entries, disabled by default # # These entries are so weak that they might interfere identification of # other formats. Example include: # - Only identify for 1 or 2 bytes # - Match against very wide range of values # - Match against generic word in some spoken languages (e.g. English) # Summary: Computer Graphics Metafile # Extension: .cgm #0 beshort&0xffe0 0x0020 binary Computer Graphics Metafile #0 beshort 0x3020 character Computer Graphics Metafile #0 string =!! Bennet Yee's "face" format #------------------------------------------------------------------------------ # $File: web,v 1.1 2020/05/17 19:14:28 christos Exp $ # http://www.rdfhdt.org/ # From Christoph Biedl # http://www.rdfhdt.org/hdt-internals/ # https://github.com/rdfhdt/hdt-cpp 0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1 !:mime application/vnd.hdt !:ext hdt #------------------------------------------------------------------------------ # $File: webassembly,v 1.4 2022/08/16 11:16:39 christos Exp $ # webassembly: file(1) magic for WebAssembly modules # # WebAssembly is a virtual architecture developed by a W3C Community # Group at https://webassembly.org/. The file extension is .wasm, and # the MIME type is application/wasm. # # https://webassembly.org/docs/binary-encoding/ is the main # document describing the binary format. # From: Pip Cet and Joel Martin 0 string \0asm WebAssembly (wasm) binary module >4 lelong =1 version %#x (MVP) !:mime application/wasm !:ext wasm >4 lelong >1 version %#x #------------------------------------------------------------------------------ # $File: windows,v 1.46 2022/07/02 17:46:09 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs # using them are run almost always on MS Windows 3.x or # above, or files only used exclusively in Windows OS, # where there is no better category to allocate for. # For example, even though WinZIP almost run on Windows # only, it is better to treat them as "archive" instead. # For format usable in DOS, such as generic executable # format, please specify under "msdos" file. # # Summary: Outlook Express DBX file # Created by: Christophe Monniez # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Outlook_Express_Database # Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dbx.trid.xml # https://sourceforge.net/projects/ol2mbox/files/LibDBX/ # v1.0.4/libdbx_1.0.4.tar.gz/FILE-FORMAT # Note: called "Outlook Express Database" by TrID and DROID via PUID fmt/838 fmt/839 # and partly verified by `undbx --verbosity 4 Posteingang.dbx` 0 string \xCF\xAD\x12\xFE # skip DROID fmt-838-signature-id-1193.dbx fmt-839-signature-id-1194.dbx by check for valid file size >0x7C ulelong >0 MS Outlook Express DBX file #!:mime application/octet-stream #!:mime application/vnd.ms-outlook !:mime application/x-ms-dbx !:ext dbx >>4 byte =0xC5 \b, message database >>4 byte =0xC6 \b, folder database >>4 byte =0xC7 \b, account information >>4 byte =0x30 \b, offline database # version like: 5.2 5.5 (typical) >>20 ulequad !0x0000000500000005 \b, version # major version >>>24 ulelong x %u # minor version >>>20 ulelong x \b.%u # CLSID: 6F74FDC5-E366-11d1-9A4E-00C04FA309D4~Message 6F74FDC6-E366-11D1-9A4E-00C04FA309D4~Folder # 26FE9D30-1A8F-11D2-AABF-006097D474C4~offline #>>4 guid x \b, CLSID %s # file size; total size of file; sometimes real size a little bit higher >>0x7C ulelong x \b, ~ %u bytes # highest Email ID; the next email will have a number one higher than this >>0x5c ulelong x \b, highest ID %#x # item count; number of items stored in this DBX file >>0xC4 ulelong x \b, %u item # plural s >>0xC4 ulelong !1 \bs # index pointer; file offset pointing to a page of Data Indexes >>0xE4 ulelong >0 \b, index pointer %#x # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Nickfile # https://www.nirsoft.net/utils/outlook_nk2_edit.html # Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nk2.trid.xml # https://github.com/libyal/libnk2/blob/main/documentation # Nickfile%20(NK2)%20format.asciidoc # Note: called "Outlook Nickfile" by TrID & TestDisk and # "Outlook Nickname File" by Microsoft Outlook and # "Outlook AutoComplete File" by Nirsoft NK2Edit # partly verfied by NK2Edit Raw Text Edit Mode 0 ubelong 0x0DF0ADBA MS Outlook Nickfile #!:mime application/octet-stream #!:mime application/vnd.ms-outlook !:mime application/x-ms-nickfile !:ext nk2/dat/bak # nick is used by "older" Outlook; dat is used by "newer" Outlook (probably 2010 - 2016); bak is used for backup #!:ext nick/nk2/dat/bak # Unknown; probably a version indicator like: 0000000Ah 0000000Ch >4 ulelong x \b, probably version %u # Unknown2; probably a version indicator like: 1 0 >8 ulelong x \b.%u # number of rows (nickname or alias items) in file >12 ulelong x \b, %u items # number of item entries/columns/properties value like: 17h >16 ulelong x \b, %u entries # value type/property tag: 001Fh~4 bytes for data size of UTF-16 LE string >20 uleshort x \b, value type %#4.4x # entry type/property identifier: 6001h~PR_DOTSTUFF_STATE/PR_NICK_NAME_W >22 uleshort x \b, entry type %#4.4x # Reserved like: 0013FD90h #>24 ulelong x \b, reserved %#8.8x # value data array/Irrelevant Union like: 0000000004E31A80h #>28 ulequad x \b, data %#16.16llx # UTF-16 >20 uleshort =0x001F # unicode string bytes like: 2Ch >>36 ulelong x \b, %u bytes # unicode string value PT_UNICODE like: janesmith@contoso.org >>40 lestring16 x "%s" # Summary: Windows crash dump # Extension: .dmp # Created by: Andreas Schuster (https://computer.forensikblog.de/) # Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) 0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump >>0x068 lelong x \b, %d pages >4 string DU64 MS Windows 64bit crash dump >>0xf98 lelong 1 \b, full dump >>0xf98 lelong 2 \b, kernel dump >>0xf98 lelong 3 \b, small dump >>0x090 lequad x \b, %lld pages # Summary: Vista Event Log # Extension: .evtx # Created by: Andreas Schuster (https://computer.forensikblog.de/) # Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html 0 string ElfFile\0 MS Windows Vista Event Log >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d >0x18 lelong =1 \b, empty >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL # Summary: Windows System Deployment Image # Created by: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/System_Deployment_Image # Reference: http://skolk.livejournal.com/1320.html 0 string $SDI >4 string 0001 System Deployment Image !:mime application/x-ms-sdi #!:mime application/octet-stream # \Boot\boot.sdi !:ext sdi # MDBtype: 0~Unspecified 1~RAM 2~ROM >>8 ulequad !0 \b, MDBtype %#llx # BootCodeOffset >>16 ulequad !0 \b, BootCodeOffset %#llx # BootCodeSize >>24 ulequad !0 \b, BootCodeSize %#llx # VendorID >>32 ulequad !0 \b, VendorID %#llx # DeviceID >>40 ulequad !0 \b, DeviceID %#llx # DeviceModel >>48 ulequad !0 \b, DeviceModel %#llx >>>56 ulequad !0 \b%llx # DeviceRole >>64 ulequad !0 \b, DeviceRole %#llx # Reserved1; reserved fields and gaps between BLOBs are padded with \0 #>>72 ulequad !0 \b, Reserved1 %#llx # RuntimeGUID >>80 ulequad !0 \b, RuntimeGUID %#llx >>>88 ulequad !0 \b%llx # RuntimeOEMrev >>96 ulequad !0 \b, RuntimeOEMrev %#llx # Reserved2 #>>104 ulequad !0 \b, Reserved2 %#llx # BLOB alignment value in pages, as specified in sdimgr /pack: 1~4K 2~8k >>112 ulequad !0 \b, PageAlignment %llu # Reserved3[48] #>>120 ulequad !0 \b, Reserved3 %#llx # SDI checksum 39h >>0x1f8 ulequad x \b, checksum %#llx # BLOBtype[8] \0-padded: PART, WIM , BOOT, LOAD, DISK >>0x400 string >\0 \b, type %-3.8s # 0~non-filesystem 7~NTFS 6~BIGFAT >>>0x420 ulequad !0 (%#llx) # ATTRibutes >>>0x408 ulequad !0 %#llx attributes # Offset >>>0x410 ulequad x at %#llx # print 1 space after size and then handles NTFS boot sector by ./filesystems >>>0x418 ulequad >0 %llu bytes >>>>(0x410.l) indirect x # 2nd BLOB: WIM >>0x440 string >\0 \b, type %-3.8s >>>0x428 ulequad !0 (%#llx) # ATTRibutes >>>0x448 ulequad !0 %#llx attributes # Offset >>>0x450 ulequad x at %#llx >>>0x458 ulequad >0 %llu bytes >>>>(0x450.l) indirect x # 3rd BLOB >>0x480 string >\0 \b, type %-3.8s # Summary: Windows boot status log BOOTSTAT.DAT # From: Joerg Jenderek # Reference: https://www.geoffchappell.com/notes/windows/boot/bsd.htm # Note: mainly refers to older Windows Vista, sometimes # BOOTSTAT.DAT only contains nulls or invalid data # checking for valid version below 5 0 ulelong <5 # skip many ISO images by checking for valid 64 KiB file size >8 ulelong =0x00010000 >>0 use bootstat-dat # display information of BOOTSTAT.DAT 0 name bootstat-dat >0 ulelong x Windows boot log #!:mime application/octet-stream !:mime application/x-ms-dat # BOOTSTAT.DAT in BOOT subdirectory !:ext dat # apparently a version number: 2 for older like Vista, 3, 4 Windows 10 >0 ulelong >2 \b, version %u # apparently the size of the header: often 10h in older Windows, 14h, 18h >4 ulelong !0x10 \b, header size %#x #>4 ulelong !0x10 \b, header size %u # apparently the size of the file: always 0x00010000~64KiB # the file is acceptable to BOOTMGR only if it is exactly 64 KiB >8 ulelong !0x00010000 \b, file size %#x # size of valid data, in bytes: C8h 50h 172h 5D5Ch >0xc ulelong x \b, %#x valid bytes # skip header and jump to first bootstat entry and display information >(0x4.l-1) ubyte x >>&0 use bootstat-entry # jump to first entry again because pointer are bad after "use" >(0x4.l-1) ubyte x # by 1st entry size jump to 2nd entry and display information >>&(&0x18.l-1) ubyte x >>>&0 use bootstat-entry # jump to possible 3rd boot entry and display information # >(0x4.l-1) ubyte x # >>&(&0x18.l-1) ubyte x # >>>&(&0x18.l-1) ubyte x # >>>>&0 use bootstat-entry # display BOOTSTAT.DAT entry 0 name bootstat-entry #>0x00 ubequad x \b, ENTRY %16.16llx # size of entry, in bytes: 40h(init) 78h(launced) 9Ch #>0x18 ulelong x \b; entry size %u >0x18 ulelong x \b; entry size %#x # time stamp, in seconds >0x00 ulelong x \b, %#x seconds # always zero, significance unknown >0x04 ulelong !0 \b, not null %u # GUID of event source; but empty if event source is BOOTMGR >0x08 ubequad !0 \b, GUID %#16.16llx >>0x10 ubequad x \b%16.16llx # severity code: 1~informational 3~errors >0x1C ulelong !1 \b, severity %#x # apparently a version number: 2 >0x20 ulelong !2 \b, version %u # event identifier 1~log file initialised 11h~boot application launched #>0x24 ulelong x \b, event %#x >0x24 ulelong !1 >>0x24 ulelong !0x11 \b, event %#x # entry data; size depends on event identifier #>0x28 ubequad x \b, data %#16.16llx >0x24 ulelong =0x1 \b, Init # always 0, significance unknown >>0x34 uleshort !0 \b, not null %u # always 7, significance unknown >>0x36 uleshort !7 \b, not seven %u # year >>0x28 uleshort x %u # month >>0x2A uleshort x \b-%u # day >>0x2C uleshort x \b-%u # hour >>0x2E uleshort x %u # minute >>0x30 uleshort x \b:%u # second >>0x32 uleshort x \b:%u # boot application launched >0x24 ulelong =0x11 \b, launched # type of start: 0 normally, 1 or 2 maybe in a recovery sequence >>0x38 uleshort !0 \b, type %u # pathname of boot application, as null-terminated Unicode string; typically # \Windows\system32\winload.exe \Windows\system32\winload.efi >>0x3C lestring16 x %s # Summary: Windows Error Report text files # URL: https://en.wikipedia.org/wiki/Windows_Error_Reporting # Reference: https://www.nirsoft.net/utils/app_crash_view.html # Created by: Joerg Jenderek # Note: in directories %ProgramData%\Microsoft\Windows\WER\{ReportArchive,ReportQueue} # %LOCALAPPDATA%\Microsoft\Windows\WER\{ReportArchive,ReportQueue} 0 lestring16 Version= >22 lestring16 EventType Windows Error Report !:mime text/plain # Report.wer !:ext wer # Summary: Windows 3.1 group files # Extension: .grp # Created by: unknown 0 string \120\115\103\103 MS Windows 3.1 group files # Summary: Old format help files # URL: https://en.wikipedia.org/wiki/WinHelp # Reference: https://www.oocities.org/mwinterhoff/helpfile.htm # Update: Joerg Jenderek # Created by: Dirk Jagdmann # # check and then display version and date inside MS Windows HeLP file fragment 0 name help-ver-date # look for Magic of SYSTEMHEADER >0 leshort 0x036C # version Major 1 for right file fragment >>4 leshort 1 Windows # print non empty string above to avoid error message # Warning: Current entry does not yet have a description for adding a MIME type !:mime application/winhelp !:ext hlp # version Minor of help file format is hint for windows version >>>2 leshort 0x0F 3.x >>>2 leshort 0x15 3.0 >>>2 leshort 0x21 3.1 >>>2 leshort 0x27 x.y >>>2 leshort 0x33 95 >>>2 default x y.z >>>>2 leshort x %#x # to complete message string like "MS Windows 3.x help file" >>>2 leshort x help # GenDate often older than file creation date >>>6 ldate x \b, %s # # Magic for HeLP files 0 lelong 0x00035f3f # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" # file header magic 0x293B at DirectoryStart+9 >(4.l+9) uleshort 0x293B MS # look for @VERSION bmf.. like IBMAVW.ANN >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation !:mime application/x-winhelp !:ext ann >>0xD4 string !\x62\x6D\x66\x01\x00 # "GID Help index" by TrID >>>(4.l+0x65) string =|Pete Windows help Global Index !:mime application/x-winhelp !:ext gid # HeLP Bookmark or # "Windows HELP File" by TrID >>>(4.l+0x65) string !|Pete # maybe there exist a cleaner way to detect HeLP fragments # brute search for Magic 0x036C with matching Major maximal 7 iterations # discapp.hlp >>>>16 search/0x49AF/s \x6c\x03 >>>>>&0 use help-ver-date >>>>>&4 leshort !1 # putty.hlp >>>>>>&0 search/0x69AF/s \x6c\x03 >>>>>>>&0 use help-ver-date >>>>>>>&4 leshort !1 >>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>&0 use help-ver-date >>>>>>>>>&4 leshort !1 >>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>&4 leshort !1 >>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>>>&4 leshort !1 >>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>>>&0 use help-ver-date >>>>>>>>>>>>>>>&4 leshort !1 >>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 # GCC.HLP is detected after 7 iterations >>>>>>>>>>>>>>>>>&0 use help-ver-date # this only happens if bigger hlp file is detected after used search iterations >>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help !:mime application/winhelp !:ext hlp # repeat search again or following default line does not work >>>>16 search/0x49AF/s \x6c\x03 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) >>>>16 default x Windows help Bookmark !:mime application/x-winhelp !:ext bmk ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN ##>>8 lelong x \b, FirstFreeBlock %#8.8x # EntireFileSize >>12 lelong x \b, %d bytes ## ReservedSpace normally 042Fh AFh for *.ANN #>>(4.l) lelong x \b, ReservedSpace %#8.8x ## UsedSpace normally 0426h A6h for *.ANN #>>(4.l+4) lelong x \b, UsedSpace %#8.8x ## FileFlags normally 04... #>>(4.l+5) lelong x \b, FileFlags %#8.8x ## file header magic 0x293B #>>(4.l+9) uleshort x \b, file header magic %#4.4x ## file header Flags 0x0402 #>>(4.l+11) uleshort x \b, file header Flags %#4.4x ## file header PageSize 0400h 80h for *.ANN #>>(4.l+13) uleshort x \b, PageSize %#4.4x ## Structure[16] z4 #>>(4.l+15) string >\0 \b, Structure_"%-.16s" ## MustBeZero 0 #>>(4.l+31) uleshort x \b, MustBeZero %#4.4x ## PageSplits #>>(4.l+33) uleshort x \b, PageSplits %#4.4x ## RootPage #>>(4.l+35) uleshort x \b, RootPage %#4.4x ## MustBeNegOne 0xffff #>>(4.l+37) uleshort x \b, MustBeNegOne %#4.4x ## TotalPages 1 #>>(4.l+39) uleshort x \b, TotalPages %#4.4x ## NLevels 0x0001 #>>(4.l+41) uleshort x \b, NLevels %#4.4x ## TotalBtreeEntries #>>(4.l+43) ulelong x \b, TotalBtreeEntries %#8.8x ## pages of the B+ tree #>>(4.l+47) ubequad x \b, PageStart %#16.16llx # start with colon or semicolon for comment line like Back2Life.cnt 0 regex \^(:|;) # look for first keyword Base >0 search/45 :Base >>&0 use cnt-name # only solution to search again from beginning , because relative offsets changes when use is called >0 search/45 :Base >0 default x # look for other keyword Title like in putty.cnt >>0 search/45 :Title >>>&0 use cnt-name # # display mime type and name of Windows help Content source 0 name cnt-name # skip space at beginning >0 string \040 # name without extension and greater character or name with hlp extension >>1 regex/c \^([^\xd>]*|.*\\.hlp) MS Windows help file Content, based "%s" !:mime text/plain !:apple ????TEXT !:ext cnt # # Windows creates a full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing 0 string tfMR MS Windows help Full Text Search index !:mime application/x-winhelp-fts !:ext fts >16 string >\0 for "%s" # Summary: Hyper terminal # Extension: .ht # Created by: unknown 0 string HyperTerminal\040 >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile # https://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut # Extension: .lnk # Created by: unknown # 'L' + GUUID 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut !:mime application/x-ms-shortcut !:ext lnk >20 lelong&1 1 \b, Item id list present >20 lelong&2 2 \b, Points to a file or directory >20 lelong&4 4 \b, Has Description string >20 lelong&8 8 \b, Has Relative path >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon >>56 lelong x \b number=%d >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System >24 lelong&8 8 \b, Volume Label >24 lelong&16 16 \b, Directory >24 lelong&32 32 \b, Archive >24 lelong&64 64 \b, Encrypted >24 lelong&128 128 \b, Normal >24 lelong&256 256 \b, Temporary >24 lelong&512 512 \b, Sparse >24 lelong&1024 1024 \b, Reparse point >24 lelong&2048 2048 \b, Compressed >24 lelong&4096 4096 \b, Offline >28 leqwdate x \b, ctime=%s >36 leqwdate x \b, mtime=%s >44 leqwdate x \b, atime=%s >52 lelong x \b, length=%u, window= >60 lelong&1 1 \bhide >60 lelong&2 2 \bnormal >60 lelong&4 4 \bshowminimized >60 lelong&8 8 \bshowmaximized >60 lelong&16 16 \bshownoactivate >60 lelong&32 32 \bminimize >60 lelong&64 64 \bshowminnoactive >60 lelong&128 128 \bshowna >60 lelong&256 256 \brestore >60 lelong&512 512 \bshowdefault #>20 lelong&1 0 #>>20 lelong&2 2 #>>>(72.l-64) pstring/h x \b [%s] #>20 lelong&1 1 #>>20 lelong&2 2 #>>>(72.s) leshort x #>>>&75 pstring/h x \b [%s] # Summary: Outlook Personal Folders # Created by: unknown # Update: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/Personal_Folder_File # https://en.wikipedia.org/wiki/Personal_Storage_Table # Reference: https://interoperability.blob.core.windows.net/files/MS-PST/%5bMS-PST%5d.pdf # http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml # dwMagic !BDN 0 lelong 0x4E444221 # skip DROID x-fmt-75-signature-id-472.pab x-fmt-248-signature-id-260.pst x-fmt-249-signature-id-261.pst # by check for existance of bPlatformCreate value >14 ubyte x Microsoft Outlook #!:mime application/octet-stream # NOT official registered ! !:mime application/vnd.ms-outlook # dwCRCPartial; 32-bit cyclic redundancy check (CRC) value of followin 471 bytes; zero for 64-bit #>>4 ulelong !0 \b, CRC %#x # wMagicClient; AB (4142h) is used for PAB files; SM (534Dh) is used for PST files; SO (534Fh) is used for OST files #>>8 leshort x \b, wMagicClient=%#x # Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pab.trid.xml # Note: called "Microsoft Personal Address Book" by TrID and # "Microsoft Outlook Personal Address Book" by DROID via x-fmt/75 >>8 leshort 0x4142 Personal Address Book #!:mime application/x-ms-pab !:ext pab # Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pst.trid.xml # http://mark0.net/download/triddefs_xml.7z/defs/p/pst-unicode.trid.xml # Note: called "Microsoft OutLook Personal Folder" by TrID and # by DROID via x-fmt/248 for ANSI and via x-fmt/249 for Unicode #>>8 leshort 0x4D53 \b, PST~ # called "Microsoft Outlook email folder" in ./windows version 1.37 and older >>8 leshort 0x4D53 Personal Storage #!:mime application/x-ms-pst !:ext pst # Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ost.trid.xml # Note: called "Outlook Exchange Offline Storage" by TrID >>8 leshort 0x4F53 Offline Storage #!:mime application/x-ms-ost !:ext ost # wVer; file format version. 14 or 15 if the file is ANSI; > 21 or 23(=17h) if Unicode; 37 for written by Outlook with WIP >>10 uleshort x ( # probably NO intermediate versions exist >>10 leshort <0x10 \b<=2002, ANSI, >>10 leshort >0x14 \b>=2003, Unicode, >>10 uleshort x version %u) # wVerClient; client file format version like: 19 22 #>>12 uleshort x \b, wVerClient=%u # bPlatformCreate; This value MUST be set to 1 but also found 2 >>14 ubyte >1 \b, bPlatformCreate=%u # bPlatformAccess; This value MUST be set to 1 but also found 2 >>15 ubyte >1 \b, bPlatformAccess=%u # dwReserved1; SHOULD ignore and NOT modify this value; SHOULD initialize to zero >>16 ulelong !0 \b, dwReserved1=%#x # dwReserved2; SHOULD ignore and NOT modify this value; SHOULD initialize to zero >>20 ulelong !0 \b, dwReserved2=%#x # ANSI 32-bit variant Outlook 1997-2002 >>10 uleshort <16 # bidNextB; next BlockID (ANSI 4 bytes) #>>>24 ulelong !0 \b, bidNextB=%#x # bidNextP; Next available back BlockID pointer #>>>28 ulelong !0 \b, bidNextP=%#x # dwUnique; value monotonically increased when modifying PST; so CRC is changing >>>32 ulelong !0 \b, dwUnique=%#x # rgnid[128]; A fixed array of 32 NodeIDs, each corresponding to one of the 32 possible NID_TYPEs #>>>36 ubequad x \b, rgnid=%#llx... # dwReserved; Implementations SHOULD ignore this value and SHOULD NOT modify it; Initialized zero >>>164 ulelong !0 \b, dwReserved=%#x # ibFileEof; the size of the PST file, in bytes (ANSI 4 bytes) >>>168 ulelong x \b, %u bytes # ibAMapLast; offset to the last AMap page #>>>172 ulelong x \b, ibAMapLast=%#x # bSentinel; MUST be set to 0x80 >>>460 ubyte !0x80 \b, bSentinel=%#x # bCryptMethod: 0~No encryption 1~encryption with permutation 2~encryption with cyclic 16~encryption with Windows Information Protection (WIP) >>>461 ubyte >0 \b, bCryptMethod=%u # UNICODE 64-bit variant Outlook 2003-2007 >>10 uleshort >20 # bidUnused; Unused 8 bytes padding (Unicode only); sometimes like: 0x0000000100000004 >>>24 ulequad !0x0000000100000004 \b, bidUnused=%#16.16llx # dwUnique; value monotonically increased when modifying PST; so CRC is changing >>>40 ulelong !0 \b, dwUnique=%#x # rgnid[] (128 bytes): A fixed array of 32 NIDs, each corresponding to one of the 32 possible #>>>44 ubequad x \b, rgnid=%#llx... # ibFileEof; the size of the PST file, in bytes (Unicode 8 bytes) >>>184 ulequad x \b, %llu bytes # bSentinel; MUST be set to 0x80 >>>512 ubyte !0x80 \b, bSentinel=%#x # bCryptMethod; Encryption type like: 0 1 2 16 >>>513 ubyte >0 \b, bCryptMethod=%u # dwCRC; 32-bit CRC of the of the previous 516 bytes >>>524 ulelong x \b, CRC32 %#x # Summary: Windows help cache # Created by: unknown 0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache # Summary: IE cache file # Created by: Christophe Monniez 0 string Client\ UrlCache\ MMF Internet Explorer cache file >20 string >\0 version %s # Summary: Registry files # Created by: unknown # Modified by (1): Joerg Jenderek 0 string regf MS Windows registry file, NT/2000 or above 0 string CREG MS Windows 95/98/ME registry file 0 string SHCC3 MS Windows 3.1 registry file # Summary: Windows Registry text # URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files # Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry # Submitted by: Abel Cheung # Update: Joerg Jenderek # Windows 3-9X variant 0 string REGEDIT # skip ASCII text like "REGEDITor.txt" but match # L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL >7 search/3 \n Windows Registry text !:mime text/x-ms-regedit !:ext reg # Windows 9X variant >>0 string REGEDIT4 (Win95 or above) # Windows 2K ANSI variant 0 string Windows\ Registry\ Editor\ >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) !:mime text/x-ms-regedit !:ext reg # Windows 2K UTF-16 variant 2 lestring16 Windows\ Registry\ Editor\ >0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above) # relative offset not working #>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above) !:mime text/x-ms-regedit !:ext reg # WINE variant # URL: https://en.wikipedia.org/wiki/Wine_(software) # Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html # Note: WINE use text based registry (system.reg,user.reg,userdef.reg) # instead binary hiv structure like Windows 0 string WINE\ REGISTRY\ Version\ WINE registry text # version 2 >&0 string x \b, version %s !:mime text/x-wine-extension-reg !:ext reg # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018 # empty ,comment , section # PR/383: remove unicode BOM because it is not portable across regex impls #0 regex/s \\`(\\r\\n|;|[[]) # empty line CRLF 0 ubeshort 0x0D0A >0 use ini-file # comment line starting with semicolon 0 string ; # look for phrase of Windows policy ADMinistrative template (with starting remark) # like: WINDOW_95_CD/TOOLS/RESKIT/netadmin/poledit/conf.adm >1 search/3548 END\040CATEGORY # ADM with remark (by adm-rem.trid.xml) already done by generic ASCII variant # if no Windows policy ADMinistrative template then Windows INItialization >1 default x >>0 use ini-file # section line starting with left bracket 0 string [ >0 use ini-file # check and then display Windows INItialization configuration 0 name ini-file # look for left bracket in section line >0 search/8192 [ # https://en.wikipedia.org/wiki/Autorun.inf # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx # space after right bracket # or AutoRun.Amd64 for 64 bit systems # or only NL separator >>&0 regex/c \^autorun # but sometimes total commander directory tree file "treeinfo.wc" with lines like # [AUTORUN] # [boot] >>>&0 string =]\r\n[ Total commander directory treeinfo.wc !:mime text/plain !:ext wc # From: Pal Tamas # Autorun File >>>&0 string !]\r\n[ Microsoft Windows Autorun file !:mime application/x-setupscript !:ext inf # https://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx # version strings ASCII coded case-independent for Windows setup information script file >>&0 regex/c \^(version|strings)] Windows setup INFormation !:mime application/x-setupscript #!:mime application/x-wine-extension-inf !:ext inf # NETCRC.INF OEMCPL.INF >>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation !:mime application/x-setupscript !:ext inf # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent >>&0 regex/1024c \^(\\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini !:mime application/x-wine-extension-ini #!:mime text/plain # https://support.microsoft.com/kb/84709/ >>&0 regex/c \^don't\ load] Windows CONTROL.INI !:mime application/x-wine-extension-ini !:ext ini >>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI !:mime application/x-wine-extension-ini !:ext ini # https://technet.microsoft.com/en-us/library/cc722567.aspx # http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm >>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI !:mime application/x-wine-extension-ini !:ext ini # https://en.wikipedia.org/wiki/SYSTEM.INI >>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI !:mime application/x-wine-extension-ini !:ext ini # http://www.mdgx.com/newtip6.htm >>&0 regex/c \^SafeList] Windows IOS.INI !:mime application/x-wine-extension-ini !:ext ini # https://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information >>&0 regex/c \^boot\x20loader] Windows boot.ini !:mime application/x-wine-extension-ini !:ext ini # https://en.wikipedia.org/wiki/CONFIG.SYS >>&0 regex/c \^menu] MS-DOS CONFIG.SYS # @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE # CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYSTEM\MSCONFIG.EXE # CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYSTEM\MSCONFIG.EXE # dos and w40 used in dual booting scene !:ext sys/dos/w40 # https://support.microsoft.com/kb/118579/ >>&0 regex/c \^Paths]\r\n MS-DOS MSDOS.SYS !:ext sys/dos # http://chmspec.nongnu.org/latest/INI.html#HHP >>&0 regex/c \^options]\r\n Microsoft HTML Help Project !:mime text/plain !:ext hhp # From: Joerg Jenderek # URL: https://documentation.basis.com/BASISHelp/WebHelp/b3odbc/ODBC_Driver/obdcdriv_character_translation.htm # Reference: https://www.garykessler.net/library/file_sigs.html # http://mark0.net/download/triddefs_xml.7z/defs/c/cpx.trid.xml # Note: stored in directory %WINDIR%\SysWOW64 or %WINDIR%\system # second word often Latin but sometimes Cyrillic like in 12510866.CPX >>&0 regex/c \^Windows\ (Latin|Cyrillic) Windows codepage translator #!:mime text/plain !:mime text/x-ms-cpx # like: 12510866.CPX !:ext cpx # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/InstallShield # Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml # Note: contain also 3 keywords like: count Default key0 >>&0 regex/c \^Languages] InstallShield Language Identifier #!:mime text/plain !:mime text/x-installshield-lid # like: SETUP.LID !:ext lid # From: Joerg Jenderek # URL: https://www.file-extensions.org/tag-file-extension # Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/taginfo.trid.xml # Note: contain also keywords like: Application Category Company Misc Version >>&0 regex/c \^TagInfo] TagInfo #!:mime text/plain #!:mime text/prs.lines.tag !:mime text/x-ms-tag # like: DATA.TAG !:ext tag # unknown keyword after opening bracket >>&0 default x #>>>&0 string/c x UNKNOWN [%s # look for left bracket of second section >>>&0 search/8192 [ # version Strings FileIdentification >>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript !:ext inf # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other >>>>&0 default x >>>>>&0 ubyte x # characters, digits, underscore and white space followed by right bracket # terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT >>>>>>&-1 regex/T \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s # NETDEF.INF multiarc.ini #!:mime application/x-setupscript !:mime application/x-wine-extension-ini #!:mime text/plain !:ext ini/inf # UTF-16 BOM 0 ubeshort =0xFFFE # look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml) # like: wuau.adm >2 search/0x384A E\0N\0D\0\040\0C\0A\0T\0E\0G\0O\0R\0Y\0 >>0 use windows-adm # if no Windows policy ADMinistrative template then Windows INFormation >2 default x # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00 >>0 ubelong&0xFFff89FF =0xFFFE0900 # look for left bracket in section line >>>2 search/8192 [ # keyword without 1st letter which is maybe up-/down-case >>>>&3 lestring16 ersion] Windows setup INFormation !:mime application/x-setupscript # like: hdaudio.inf iscsi.inf spaceport.inf tpm.inf usbhub3.inf UVncVirtualDisplay.inf !:ext inf >>>>&3 lestring16 trings] Windows setup INFormation !:mime application/x-setupscript # like: arduino_gemma.inf iis.inf MSM8960.inf !:ext inf >>>>&3 lestring16 ourceDisksNames] Windows setup INFormation !:mime application/x-setupscript # like: atiixpag.inf mdmnokia.inf netefe32.inf rdpbus.inf !:ext inf # netnwcli.inf start with ;---[ NetNWCli.INX ] >>>>&3 default x # look for NL followed by left bracket >>>>>&0 search/8192 \x0A\x00\x5b # like: defltwk.inf netvwifibus.inf WSDPrint.inf >>>>>>&3 lestring16 ersion] Windows setup INFormation !:mime application/x-setupscript !:ext inf # Summary: Windows Policy ADMinistrative template # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Administrative_Template # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adm.trid.xml # Note: typically stored in directory like: %WINDIR%\system32\GroupPolicy\ADM # worst case ASCII variant starting with remark line like: inetset.adm 0 search/0x4E CLASS\040 >&0 string MACHINE >>0 use windows-adm >&0 string USER >>0 use windows-adm # display information about Windows policy ADMinistrative template 0 name windows-adm Windows Policy Administrative Template !:mime text/x-ms-adm !:ext adm # UTF-16 BOM implies UTF-16 encoded ADM (by adm-uni.trid.xml) >0 ubeshort =0xFFFE >>2 lestring16 x \b, 1st line "%s" # look for UTF-16 encoded CarriageReturn LineFeed >>>2 search/0x3A \r\0\n\0 >>>>&0 lestring16 x \b, 2nd line "%s" # no UTF-16 BOM implies "ASCII" encoded ADM (by adm.trid.xml) >0 ubeshort !0xFFFE >>0 string x \b, 1st line "%s" #>>>&0 ubequad x \b, 2ND %16.16llx # 2nd line empty >>>&2 beshort =0x0D0A >>>>&0 beshort !0x0D0A \b, 3th line >>>>>&-2 string x "%s" # 2nd line with content >>>&2 beshort !0x0D0A \b, 2nd line >>>>&-2 string x "%s" # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # URL: http://fileformats.archiveteam.org/wiki/INF_(Windows) # Reference: http://en.verysource.com/code/10350344_1/inf.h.html # Note: stored in %Windir%\Inf %Windir%\System32\DriverStore\FileRepository # check for valid major and minor versions: 101h - 303h 0 leshort&0xFcFc =0x0000 # GRR: line above (strength 50) is too general as it catches also "PDP-11 UNIX/RT ldp" ./pdp >0 leshort&0x0303 !0x0000 # test for valid InfStyles: 1 2 >>2 uleshort >0 >>>2 uleshort <3 # look for colon in WinDirPath after PNF header #>>>>0x59 search/18 : >>>>0 use PreCompiledInf 0 name PreCompiledInf >0 uleshort x Windows Precompiled iNF !:mime application/x-pnf !:ext pnf # major version 1 for older Windows like XP and 3 since about Windows Vista # 101h~98-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362 >1 ubyte x \b, version %u >0 ubyte x \b.%u >0 uleshort =0x0101 (Windows >>4 ulelong&0x00000001 !0x00000001 98) >>4 ulelong&0x00000001 =0x00000001 XP) >0 uleshort =0x0301 (Windows Vista-8.1) >0 uleshort =0x0302 (Windows 10 older) >0 uleshort =0x0303 (Windows 10) # 1 ,2 (windows 98 SE) >2 uleshort !2 \b, InfStyle %u # PNF_FLAG_IS_UNICODE 0x00000001 # PNF_FLAG_HAS_STRINGS 0x00000002 # PNF_FLAG_SRCPATH_IS_URL 0x00000004 # PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008 # PNF_FLAG_INF_VERIFIED 0x00000010 # PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020 # UNKNOWN8 0x00000080 # UNKNOWN 0x00000100 # UNKNOWN1 0x01000000 # UNKNOWN2 0x02000000 >4 ulelong&0x03000180 >0 \b, flags >>4 ulelong x %#x >4 ulelong&0x00000001 0x00000001 \b, unicoded >4 ulelong&0x00000002 0x00000002 \b, has strings >4 ulelong&0x00000004 0x00000004 \b, src URL >4 ulelong&0x00000008 0x00000008 \b, volatile dir ids >4 ulelong&0x00000010 0x00000010 \b, verified >4 ulelong&0x00000020 0x00000020 \b, digitally signed # >4 ulelong&0x00000080 0x00000080 \b, UNKNOWN8 # >4 ulelong&0x00000100 0x00000100 \b, UNKNOWN # >4 ulelong&0x01000000 0x01000000 \b, UNKNOWN1 # >4 ulelong&0x02000000 0x02000000 \b, UNKNOWN2 #>8 ulelong x \b, InfSubstValueListOffset %#x # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF # , 6 bth.PNF, 9 usbport.PNF, d netnwifi.PNF, 10h nettcpip.PNF #>12 uleshort x \b, InfSubstValueCount %#x # only < 9 found: 8 hcw85b64.PNF #>14 uleshort x \b, InfVersionDatumCount %#x # only found values lower 0x0000ffff ?? #>16 ulelong x \b, InfVersionDataSize %#x # only found positive values lower 0x00ffFFff for InfVersionDataOffset >20 ulelong x \b, at %#x >4 ulelong&0x00000001 =0x00000001 # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>(20.l) lestring16 x "%s" >4 ulelong&0x00000001 !0x00000001 >>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>24 ulequad x \b, InfVersionLastWriteTime %16.16llx #>24 foodate-0xbar x \b, InfVersionLastWriteTime %s # for Windows 98, XP >0 uleshort <0x0102 # only found values lower 0x00ffFFff # often 70 but also 78h for corelist.PNF # >>32 ulelong x \b, StringTableBlockOffset %#x # >>36 ulelong x \b, StringTableBlockSize %#x # >>40 ulelong x \b, InfSectionCount %#x # >>44 ulelong x \b, InfSectionBlockOffset %#x # >>48 ulelong x \b, InfSectionBlockSize %#x # >>52 ulelong x \b, InfLineBlockOffset %#x # >>56 ulelong x \b, InfLineBlockSize %#x # >>60 ulelong x \b, InfValueBlockOffset %#x # >>64 ulelong x \b, InfValueBlockSize %#x # WinDirPathOffset # like 58h, which means direct after PNF header #>>68 ulelong x \b, at %#x >>68 ulelong x >>>4 ulelong&0x00000001 =0x00000001 #>>>>(68.l) ubequad =0x43003a005c005700 # normally unicoded C:\Windows #>>>>>(68.l) lestring16 x \b, WinDirPath "%s" >>>>(68.l) ubequad !0x43003a005c005700 >>>>>(68.l) lestring16 x \b, WinDirPath "%s" >>>4 ulelong&0x00000001 !0x00000001 # normally ASCII C:\WINDOWS #>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" >>>>(68.l) string !C:\\WINDOWS >>>>>(68.l) string x \b, WinDirPath "%s" # found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF >>>72 ulelong >0 \b, >>>>4 ulelong&0x00000001 =0x00000001 >>>>>(72.l) lestring16 x OsLoaderPath "%s" >>>>4 ulelong&0x00000001 !0x00000001 # seldom C:\ instead empty >>>>>(72.l) string x OsLoaderPath "%s" # 1fdh #>>>76 uleshort x \b, StringTableHashBucketCount %#x # only 407h found >>>78 uleshort !0x409 \b, LanguageID %x #>>>78 uleshort =0x409 \b, LanguageID %x # InfSourcePathOffset often 0 >>>80 ulelong >0 \b, at %#x >>>>4 ulelong&0x00000001 =0x00000001 >>>>>(80.l) lestring16 x SourcePath "%s" >>>>4 ulelong&0x00000001 !0x00000001 >>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 >>>84 ulelong >0 \b, at %#x >>>>4 ulelong&0x00000001 =0x00000001 >>>>>(84.l) lestring16 x InfName "%s" >>>>4 ulelong&0x00000001 !0x00000001 >>>>>(84.l) string >\0 InfName "%s" # for newer Windows like Vista, 7 , 8.1 , 10 >0 uleshort >0x0101 >>80 ulelong x \b, at %#x WinDirPath >>>4 ulelong&0x00000001 0x00000001 # normally unicoded C:\Windows #>>>>(80.l) ubequad =0x43003a005c005700 #>>>>>(80.l) lestring16 x "%s" >>>>(80.l) ubequad !0x43003a005c005700 >>>>>(80.l) lestring16 x "%s" # language id: 0 407h~german 409h~English_US >>90 uleshort !0x409 \b, LanguageID %x #>>90 uleshort =0x409 \b, LanguageID %x >>92 ulelong >0 \b, at %#x >>>4 ulelong&0x00000001 0x00000001 # language string like: de-DE en-US >>>>(92.l) lestring16 x language %s # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 # Extension: .bkf # Created by: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/NTBackup # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF # Descriptor BloCK name of Microsoft Tape Format 0 string TAPE # Format Logical Address is zero >20 ulequad 0 # Reserved for MBC is zero >>28 uleshort 0 # Control Block ID is zero >>>36 ulelong 0 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive #!:mime application/x-ntbackup !:ext bkf # OS ID >>>>>10 ubyte 1 \b NetWare >>>>>10 ubyte 13 \b NetWare SMS >>>>>10 ubyte 14 \b NT >>>>>10 ubyte 24 \b 3 >>>>>10 ubyte 25 \b OS/2 >>>>>10 ubyte 26 \b 95 >>>>>10 ubyte 27 \b Macintosh >>>>>10 ubyte 28 \b UNIX # OS Version (2) #>>>>>11 ubyte x OS V=%x # MTF_CONTINUATION Media Sequence Number > 1 #>>>>>4 ulelong&0x00000001 !0 \b, continued # MTF_COMPRESSION >>>>>4 ulelong&0x00000004 !0 \b, compressed # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit >>>>>4 ulelong&0x00020000 0 # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape >>>>>>4 ulelong&0x00010000 !0 \b, with catalog # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present >>>>>4 ulelong&0x00020000 !0 \b, with file catalog # Offset To First Event 238h,240h,28Ch #>>>>>8 uleshort x \b, event offset %4.4x # Displayable Size (20e0230h 20e024ch 20e0224h) #>>>>>8 ulequad x dis. size %16.16llx # Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h) #>>>>>52 ulelong x family ID %8.8x # TAPE Attributes (3) #>>>>>56 ulelong x TAPE %8.8x # Media Sequence Number >>>>>60 uleshort >1 \b, sequence %u # Password Encryption Algorithm (3) >>>>>62 uleshort >0 \b, %#x encrypted # Soft Filemark Block Size * 512 (2) #>>>>>64 uleshort =2 \b, soft size %u*512 >>>>>64 uleshort !2 \b, soft size %u*512 # Media Based Catalog Type (1,2) #>>>>>66 uleshort x \b, catalog type %4.4x # size of Media Name (66,68,6Eh) >>>>>68 uleshort >0 # offset of Media Name (5Eh) >>>>>>70 uleshort >0 # 0~, 1~ANSI, 2~UNICODE >>>>>>>48 ubyte 1 # size terminated ansi coded string normally followed by "MTF Media Label" >>>>>>>>(70.s) string >\0 \b, name: %s >>>>>>>48 ubyte 2 # Not null, but size terminated unicoded string >>>>>>>>(70.s) lestring16 x \b, name: %s # size of Media Label (104h) >>>>>72 uleshort >0 # offset of Media Label (C4h,C6h,CCh) >>>>>74 uleshort >0 >>>>>>48 ubyte 1 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields >>>>>>>(74.s) string >\0 \b, label: %s >>>>>>48 ubyte 2 >>>>>>>(74.s) lestring16 x \b, label: %s # size of password name (0,1Ch) #>>>>>76 uleshort >0 \b, password size %4.4x # Software Vendor ID (CBEh) >>>>>86 uleshort x \b, software (%#x) # size of Software Name (6Eh) >>>>>80 uleshort >0 # offset of Software Name (1C8h,1CAh,1D0h) >>>>>>82 uleshort >0 # 1~ANSI, 2~UNICODE >>>>>>>48 ubyte 1 >>>>>>>>(82.s) string >\0 \b: %s >>>>>>>48 ubyte 2 # size terminated unicoded coded string normally followed by "SPAD" >>>>>>>>(82.s) lestring16 x \b: %s # Format Logical Block Size (512,1024) #>>>>>84 uleshort =1024 \b, block size %u >>>>>84 uleshort !1024 \b, block size %u # Media Date of MTF_DATE_TIME type with 5 bytes #>>>>>>88 ubequad x DATE %16.16llx # MTF Major Version (1) #>>>>>>93 ubyte x \b, MFT version %x # # URL: https://en.wikipedia.org/wiki/PaintShop_Pro # Reference: https://www.cryer.co.uk/file-types/p/pal.htm # Created by: Joerg Jenderek # Note: there exist other color palette formats also with .pal extension 0 string JASC-PAL\r\n PaintShop Pro color palette #!:mime text/plain # PspPalette extension is used by newer (probably 8) PaintShopPro versions !:ext pal/PspPalette # 2nd line contains palette file version. For example "0100" >10 string !0100 \b, version %.4s # third line contains the number of colours: 16 256 ... >16 string x \b, %.3s colors # URL: https://en.wikipedia.org/wiki/Innosetup # Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas # Created by: Joerg Jenderek # Note: created by like "InnoSetup self-extracting archive" inside ./msdos # TrID labeles the entry as "Inno Setup Uninstall Log" # TUninstallLogID 0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log !:mime application/x-innosetup # unins000.dat, unins001.dat, ... !:ext dat # " 64-bit" variant >0x1c string >\0 \b%.7s # AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ... >0xc0 string x %s # AppId[0x80] is similar to AppName or # GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace >0x40 ubyte 0x7b >>0x40 string x %-.38s # do not know how this log version correlates to program version >0x140 ulelong x \b, version %#x # NumRecs #>0x144 ulelong x \b, %#4.4x records # EndOffset means files size >0x148 ulelong x \b, %u bytes # Flags 5 25h 35h #>0x14c ulelong x \b, flags %8.8x # Reserved: array[0..26] of Longint # the non Unicode HighestSupportedVersion may never become greater than or equal to 1000 >0x140 ulelong <1000 # hostname >>0x1d6 pstring x \b, %s # user name >>>&0 pstring x \b\%s # directory like C:\Program Files (x86)\GnuWin32 >>>>&0 pstring x \b, "%s" # version 1000 or higher implies unicode >0x140 ulelong >999 # hostname >>0x1db lestring16 x \b, %-.9s # utf string variant with prepending fe??ffFFff >>0x1db search/43 \xFF\xFF\xFF # user name >>>&0 lestring16 x \b\%-.9s >>>&0 search/43 \xFF\xFF\xFF # directory like C:\Program Files\GIMP 2 >>>>&0 lestring16 x \b, %-.42s # URL: https://jrsoftware.org/ishelp/index.php?topic=setup_signeduninstaller # Reference:https://github.com/jrsoftware/issrc/blob/main/Projects/Struct.pas # From: Joerg Jenderek 0 string Inno\ Setup\ Messages\ ( # null padded til 0x40 boundary >0x38 quad 0 InnoSetup messages !:mime application/x-innosetup-msg # unins000.msg, unins001.msg, ... !:ext msg # version like 5.1.1 5.1.11 5.5.0 5.5.3 6.0.0 >>0x15 string x \b, version %.5s # look for 6th char of version string or terminating right parentheses >>>0x1a ubyte !0x29 \b%c # NumMessages >>0x40 ulelong x \b, %u messages # TotalSize: Cardinal; #>>0x44 ulelong x \b, TotalSize %u # NotTotalSize: Cardinal; #>>0x48 ulelong x \b, NotTotalSize %u # CRCMessages: Longint; #>>0x4C ulelong x \b, CRC %#x >>0x40 ulelong x # (u) after version means unicoded messages >>>0x1c search/2 (u) (UTF-16), >>>>0x50 lestring16 x %s # ASCII coded message >>>0x1c default x (ASCII), >>>>0x50 string x %s # Windows Imaging (WIM) Image # Update: Joerg Jenderek at Mar 2019, 2021 # URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format # http://fileformats.archiveteam.org/wiki/Windows_Imaging_Format # Reference: https://download.microsoft.com/download/f/e/f/ # fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf # Note: verified by like `7z t boot.wim` `wiminfo install.esd --header` 0 string MSWIM\000\000\000 >0 use wim-archive # https://wimlib.net/man1/wimoptimize.html 0 string WLPWM\000\000\000 >0 use wim-archive 0 name wim-archive # _WIMHEADER_V1_PACKED ImageTag[8] >0 string x Windows imaging !:mime application/x-ms-wim # TO avoid in file version 5.36 error like # Magdir/windows, 760: Warning: Current entry does not yet have a description # file: could not find any valid magic files! (No error) # split WIM >16 ulelong &0x00000008 (SWM !:ext swm # usPartNumber; 1, unless the file was split into multiple parts >>40 uleshort x \b %u # usTotalParts; The total number of WIM file parts in a spanned set >>42 uleshort x \b of %u) image # non split WIM >16 ulelong ^0x00000008 # https://wimlib.net/man1/wimmount.html # solid WIMs; version 3584; usually contain LZMS-compressed and the .esd extension >>12 ulelong 3584 (ESD) image !:ext esd >>12 ulelong !3584 ( # look for archive member RunTime.xml like in Microsoft.Windows.Cosa.Desktop.Client.ppkg >>>156 search/68233/s RunTime.xml \bWindows provisioning package) !:ext ppkg # if is is not a Windows provisioning package, then it is a WIM >>>156 default x \bWIM) image # second disk image part created by Microsoft's RecoveryDrive.exe has name Reconstruct.WIM2 !:ext wim/wim2 >0 string/b WLPWM\000\000\000 \b, wimlib pipable format # cbSize size of the WIM header in bytes like 208 #>8 ulelong x \b, headersize %u # dwVersion version of the WIM file 00010d00h~1.13 00000e00h~0.14 >14 uleshort x v%u >13 ubyte x \b.%u # dwImageCount; The number of images contained in the WIM file >44 ulelong >1 \b, %u images # dwBootIndex # 1-based index of the bootable image of the WIM, or 0 if no image is bootable >0x78 ulelong >0 \b, bootable no. %u # dwFlags #>16 ulelong x \b, flags %#8.8x #define FLAG_HEADER_COMPRESSION 0x00000002 #define FLAG_HEADER_READONLY 0x00000004 #define FLAG_HEADER_SPANNED 0x00000008 #define FLAG_HEADER_RESOURCE_ONLY 0x00000010 #define FLAG_HEADER_METADATA_ONLY 0x00000020 #define FLAG_HEADER_WRITE_IN_PROGRESS 0x00000040 #define FLAG_HEADER_RP_FIX 0x00000080 reparse point fixup #define FLAG_HEADER_COMPRESS_RESERVED 0x00010000 #define FLAG_HEADER_COMPRESS_XPRESS 0x00020000 #define FLAG_HEADER_COMPRESS_LZX 0x00040000 #define FLAG_HEADER_COMPRESS_LZMS 0x00080000 #define FLAG_HEADER_COMPRESS_XPRESS2 0x00100000 wimlib-1.13.0\include\wimlib\header.h # XPRESS, with small chunk size >16 ulelong &0x00100000 \b, XPRESS2 >16 ulelong &0x00080000 \b, LZMS >16 ulelong &0x00040000 \b, LZX >16 ulelong &0x00020000 \b, XPRESS >16 ulelong &0x00000002 compressed >16 ulelong &0x00000004 \b, read only >16 ulelong &0x00000010 \b, resource only >16 ulelong &0x00000020 \b, metadata only >16 ulelong &0x00000080 \b, reparse point fixup #>16 ulelong &0x00010000 \b, RESERVED # dwCompressionSize; Uncompressed chunk size for resources or 0 if uncompressed #>20 ulelong >0 \b, chunk size %u bytes # gWIMGuid #>24 ubequad x \b, GUID %#16.16llx #>>32 ubequad x \b%16.16llx # rhOffsetTable; the location of the resource lookup table # wim_reshdr_disk[24]= u8 size_in_wim[7] + u8 flags + le64 offset_in_wim + le64 uncompressed_size #>48 ubequad x \b, rhOffsetTable %#16.16llx # rhXmlData; the location of the XML data #>0x50 ulelong x \b, at %#8.8x # NOT WORKING \xff\xfe<\0W\0I\0M\0 #>(0x50.l) ubequad x \b, xml=%16.16llx # rhBootMetadata; the location of the metadata resource #>0x60 ubequad x \b, rhBootMetadata %#16.16llx # rhIntegrity; the location of integrity table used to verify files #>0x7c ubequad x \b, rhIntegrity %#16.16llx # Unused[60] #>148 ubequad !0 \b,unused %#16.16llx # # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Windows_Easy_Transfer # Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mig.trid.xml # Note: called "Windows Easy Transfer migration data" by TrID, # "Migration Store" or "EasyTransfer file" by Microsoft 0 string 1giM Windows Easy Transfer migration data #!:mime application/octet-stream !:mime application/x-ms-mig !:ext mig >0x18 string =MRTS without password # data offset with 1 space at end >>0x1c ulelong+0x38 x \b, at %#x # look for zlib compressed data by ./compress >>(0x1c.l+0x38) ubyte x >>>&-1 indirect x # in password protected examples MRTS comes some bytes further >0x18 string !MRTS with password # look for first MRTS tag >0x18 search/29/b MRTS # probably first file name length like 178, ... #>>&0 ulelong x \b, 1st length %u # URL like File\C:\Users\nutzer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini >>&20 lestring16 x \b, 1st %-s # Microsoft SYLK # https://en.wikipedia.org/wiki/SYmbolic_LinK_(SYLK) # https://outflank.nl/upload/sylksum.txt 0 string ID;P Microsoft SYLK program >4 string >0 \b, created by %s !:ext slk/sylk # Summary: Windows Performance Monitor Alert # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Performance_Monitor # Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/pma.trid.xml # Note: called "Windows Performance Monitor Alert" by TrID 0 ubelong =0xDC058340 >4 ubyte =0 Windows Performance Monitor Alert #!:mime application/octet-stream # https://www.thoughtco.com/mime-types-by-content-type-3469108 # https://filext.com/file-extension/PAM !:mime application/x-perfmon #!:mime application/x-ms-pma !:ext pma # metric type like: "BrowserMetrics" "CrashpadMetrics" "SetupMetrics" >>80 string x \b, "%s" # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/InstallShield # Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/ins.trid.xml # Note: contain also keywords like: BATCH_INSTALL ISVERSION LOGHANDLE SRCDIR SRCDISK WINDIR WINSYSDISK 0 ubelong 0xB8C90C00 InstallShield Script #!:mime application/octet-stream !:mime application/x-installshield-ins # like test.ins Setup.ins !:ext ins # UNKNOWN like: 160034121de07e00 1600341260befe00 16003412e0783700 # 5000010021083f00 50000100b0335600 50000100cbfdf800 50000100dfbc4700 #>4 ubequad x \b, at 4 %#16.16llx # copyright text like: "Stirling Technologies, Inc. (c) 1990-1994" # "InstallSHIELD Software Coporation (c) 1990-1997" >13 pstring/h x "%s" # look for specific ASCII variable names >1 search/0x121/s SRCDIR \b, variable names: # 1st like: SRCDIR >>&-4 leshort x #%u >>&-2 pstring/h x %s # 2nd like: SRCDISK >>>&0 leshort x #%u >>>&2 pstring/h x %s # 3rd like: TARGETDISK >>>>&0 leshort x #%u >>>>&2 pstring/h x %s # 4th like: TARGETDIR #>>>>>&0 leshort x #%u #>>>>>&2 pstring/h x %s # 5th like: WINDIR #>>>>>>&0 leshort x #%u #>>>>>>&2 pstring/h x %s # 6th like: WINDISK #>>>>>>>&0 leshort x #%u #>>>>>>>&2 pstring/h x %s # 7th like: WINSYSDIR #>>>>>>>>&0 leshort x #%u #>>>>>>>>&2 pstring/h x %s # ... LOGHANDLE >0 ubelong x ... # #------------------------------------------------------------------------------ # $File: wireless,v 1.2 2009/09/19 16:28:13 christos Exp $ # wireless-regdb: file(1) magic for CRDA wireless-regdb file format # 0 string RGDB CRDA wireless regulatory database file >4 belong 19 (Version 1) #------------------------------------------------------------------------------ # $File: wordprocessors,v 1.31 2022/08/31 08:00:53 christos Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: 2 string \040\040\040\040\040\040\040\040\040\040\040ML4D\040'92 Smith Corona PWP >24 byte 2 \b, single spaced >24 byte 3 \b, 1.5 spaced >24 byte 4 \b, double spaced >25 byte 0x42 \b, letter >25 byte 0x54 \b, legal >26 byte 0x46 \b, A4 # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor # reference: http://mark0.net/download/triddefs_xml.7z # /defs/w/wps-works-dos.trid.xml # From: Joerg Jenderek # Note: older non OLE 2 Compound based versions 0 ubeshort =0x01FE >112 ubeshort =0x0100 Microsoft Works 1-3 (DOS) or 2 (Windows) document # title like THE GREAT KHAN GAME >>0x100 string x %s !:mime application/vnd-ms-works #!:mime application/x-msworks # https://www.macdisk.com/macsigen.php !:apple ????AWWP !:ext wps # Corel/WordPerfect # URL: https://en.wikipedia.org/wiki/WordPerfect # Reference: https://github.com/OneWingedShark/WordPerfect/blob/master/doc/SDK_Help/FileFormats/WPFF_DocumentStructure.htm # http://mark0.net/download/triddefs_xml.7z/defs/w/wp-generic.trid.xml 0 string \xffWPC # WordPerfect >8 byte 1 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpm-macro.trid.xml # Note: there exist other macro variants >>9 byte 1 WordPerfect macro #!:mime application/octet-stream !:mime application/x-wordperfect-wpm # like: ALTD.WPM ENDFOOT.WPM FOOTEND.WPM LABELS.WPM REVEALTX.WPM !:ext wpm # Note: used in WordPerfect 5.1; there exist other FIL variants >>9 byte 2 WordPerfect help file #!:mime application/octet-stream !:mime application/x-wordperfect-help # like: WPHELP.FIL !:ext fil # pointer to document area like: 10h >>>4 ulelong !0x10 \b, at %#x document area >>9 byte 3 WordPerfect keyboard file #!:mime application/octet-stream !:mime application/x-wordperfect-keyboard !:ext wpk # no document area, so point to end of file; so this is file size like: 23381 2978 32835 3355 3775 919 >>>4 ulelong x \b, %u bytes >>9 byte 4 WordPerfect VAX keyboard definition #!:mime application/octet-stream !:mime application/x-wordperfect-keyboard #!:ext foo # URL: http://fileformats.archiveteam.org/wiki/WordPerfect # Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wpd-doc-gen.trid.xml >>9 byte 10 WordPerfect document # https://www.iana.org/assignments/media-types/application/vnd.wordperfect !:mime application/vnd.wordperfect #!:apple ????WPC2 # TODO: distinguish different suffix !:ext wpd/wpt/wkb/icr/tut/sty/tst/crs >>9 byte 11 WordPerfect dictionary >>9 byte 12 WordPerfect thesaurus >>9 byte 13 WordPerfect block >>9 byte 14 WordPerfect rectangular block >>9 byte 15 WordPerfect column block >>9 byte 16 WordPerfect printer data #!:mime application/octet-stream !:mime application/x-wordperfect-prs # like: STANDARD.PRS WORKBOOK.PRS !:ext prs # like: "Standard Printer" "Workbook Printer" >>>0x64 pstring/B >A "%s" #>>9 byte 18 WordPerfect Prefix information file # printer resource .ALL >>9 byte 19 WordPerfect printer data #!:mime application/octet-stream !:mime application/x-wordperfect-all !:ext all # display Resource >>9 byte 20 WordPerfect driver resource data #!:mime application/octet-stream !:mime application/x-wordperfect-drs # like: WPSMALL.DRS !:ext drs # pointer to index area with string "smalldrs" like: 46h >>>4 uleshort !0x46 \b, at %#x index area >>9 byte 21 WordPerfect Overlay file #!:mime application/octet-stream !:mime application/x-wordperfect-fil # like: WP.FIL !:ext fil # URL: http://fileformats.archiveteam.org/wiki/WordPerfect_Graphics # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-wpg.trid.xml # Note: called "WordPerfect Graphics bitmap" by TrID and # "WordPerfect Graphics Metafile" by DROID via x-fmt/395 fmt/1042 # "WPG (Word Perfect Graphics)" by ImageMagick `identify -verbose BUTTRFLY.WPG` >>9 byte 22 WordPerfect graphic image # TODO: skip DROID x-fmt-395-signature-id-132.wpg by check for existing document area #>>>4 ulelong >15 WordPerfect_graphic_OK #!:mime application/octet-stream # http://extension.nirsoft.net/wpg !:mime image/x-wordperfect-graphics # https://reposcope.com/mimetype/application/x-wpg #!:mime application/x-wpg # like: BUTTRFLY.WPG STAR-5.WPG input.wpg WORDPFCT.WPG !:ext wpg # pointer to document area like: 10h 1Ah >>>4 ulelong !0x1A \b, at %#x document area >>9 byte 23 WordPerfect hyphenation code >>9 byte 24 WordPerfect hyphenation data >>9 byte 25 WordPerfect macro resource data #!:mime application/octet-stream !:mime application/x-wordperfect-mrs # like: WP.MRS !:ext mrs >>9 byte 27 WordPerfect hyphenation lex >>9 byte 29 WordPerfect wordlist >>9 byte 30 WordPerfect equation resource data #!:mime application/octet-stream !:mime application/x-wordperfect-qrs # like: WQ.QRS wpDE.qrs wpen.qrs !:ext qrs # jump to document area with some marker and equation >>>(4.l) ubyte x # equation like: "Fraction: x OVER y" >>>>&1 string >A (...%-.19s...) # pointer to document area like: 17C4h >>>4 ulelong x \b, at %#x document area #>>9 byte 31 reserved #>>9 byte 32 WordPerfect VAX .SET >>9 byte 33 WordPerfect spell rules >>9 byte 34 WordPerfect dictionary rules #>>9 byte 35 reserved # video resource device driver # Note: filetype 26 for VRS and filetype 36 for WPD apparently is wrong >>9 byte 36 WordPerfect Video Resource #!:mime application/octet-stream !:mime application/x-wordperfect-vrs # like: STANDARD.VRS !:ext vrs # like: "IBM CGA (& compatibles)" >>>0x20 string >A "%.23s" >>9 byte 39 WordPerfect spell rules (Microlytics) #>>9 byte 40 reserved >>9 byte 41 WordPerfect Install options #!:mime application/octet-stream !:mime application/x-wordperfect-ins # like: WP51.INS !:ext ins # probably default directory name like: "C:\WP51\" >>>0x12 string >A "%.8s" # maybe mouse driver for WP5.1 >>9 byte 42 WordPerfect Resource #!:mime application/octet-stream !:mime application/x-wordperfect-irs # like: STANDARD.IRS !:ext irs # like: "Mouse Driver (MOUSE.COM)" >>>0x28 string >A "%.24s" >>9 byte 43 WordPerfect settings file # maybe Macintosh WP2.0 document >>9 byte 44 WordPerfect 3.5 document !:mime application/vnd.wordperfect !:apple ????WPD3 # like: WP3.wpd !:ext wpd >>9 byte 45 WordPerfect 4.2 document # External spell code module (WP5.1) #>>9 byte 46 WordPerfect external spell # external spell dictionary .LEX #>>9 byte 47 WordPerfect external spell dictionary # Macintosh SOFT graphics file (SOFT (Sequential Object Format) #>>9 byte 48 WordPerfect SOFT graphics #>>9 byte 49 reserved #>>9 byte 50 reserved # WPWin 5.1 Application Resource Library added for WPWin 5.1 #>>9 byte 51 WordPerfect application resource library >>9 byte 69 WordPerfect dialog file # From: Joerg Jenderek # Note: found in sub directory WritingTools inside WordPerfect 2021 program directory >>9 byte 70 WordPerfect Writing Tools #!:mime application/octet-stream !:mime application/x-wordperfect-cbt # like: Wt13cbede.cbt Wt13cbeit.cbt Wt13cbefr.cbt WT21cbede.cbt Wt13cbeEN.CBD WT21cbeEN.CBD !:ext cbd/cbt >>9 byte 76 WordPerfect button bar >>9 default x >>>9 byte x Corel WordPerfect: Unknown filetype %d # Corel Shell >8 byte 2 >>9 byte 1 Corel shell macro >>9 byte 10 Corel shell definition >>9 default x >>>9 byte x Corel Shell: Unknown filetype %d # Corel Notebook >8 byte 3 >>9 byte 1 Corel Notebook macro >>9 byte 2 Corel Notebook help file >>9 byte 3 Corel Notebook keyboard file >>9 byte 10 Corel Notebook definition >>9 default x >>>9 byte x Corel Notebook: Unknown filetype %d # Corel Calculator >8 byte 4 >>9 byte 2 Corel Calculator help file >>9 default x >>>9 byte x Corel Calculator: Unknown filetype %d # Corel File Manager >8 byte 5 >>9 default x >>>9 byte x Corel File Manager: Unknown filetype %d # Corel Calendar >8 byte 6 >>9 byte 2 Corel Calendar help file >>9 byte 10 Corel Calendar data file >>9 default x >>>9 byte x Corel Calendar: Unknown filetype %d # Corel Program Editor/Ed Editor >8 byte 7 >>9 byte 1 Corel Editor macro >>9 byte 2 Corel Editor help file >>9 byte 3 Corel Editor keyboard file >>9 byte 25 Corel Editor macro resource file >>9 default x >>>9 byte x Corel Program Editor/Ed Editor: Unknown filetype %d # Corel Macro Editor >8 byte 8 >>9 byte 1 Corel Macro editor macro >>9 byte 2 Corel Macro editor help file >>9 byte 3 Corel Macro editor keyboard file >>9 default x >>>9 byte x Corel Macro Editor: Unknown filetype %d # Corel Plan Perfect >8 byte 9 >>9 default x >>>9 byte x Corel Plan Perfect: Unknown filetype %d # Corel DataPerfect >8 byte 10 # CHECK: Don't these belong into product 9? >>9 byte 1 Corel PlanPerfect macro >>9 byte 2 Corel PlanPerfect help file >>9 byte 3 Corel PlanPerfect keyboard file >>9 byte 10 Corel PlanPerfect worksheet >>9 byte 15 Corel PlanPerfect printer definition >>9 byte 18 Corel PlanPerfect graphic definition >>9 byte 19 Corel PlanPerfect data >>9 byte 20 Corel PlanPerfect temporary printer >>9 byte 25 Corel PlanPerfect macro resource data >>9 default x >>>9 byte x Corel DataPerfect: Unknown filetype %d # Corel Mail >8 byte 11 >>9 byte 2 Corel Mail help file >>9 byte 5 Corel Mail distribution list >>9 byte 10 Corel Mail out box >>9 byte 11 Corel Mail in box >>9 byte 20 Corel Mail users archived mailbox >>9 byte 21 Corel Mail archived message database >>9 byte 22 Corel Mail archived attachments >>9 default x >>>9 byte x Corel Mail: Unknown filetype %d # Corel Printer >8 byte 12 >>9 byte 11 Corel Printer temporary file >>9 default x >>>9 byte x Corel Printer: Unknown filetype %d # Corel Scheduler >8 byte 13 >>9 byte 2 Corel Scheduler help file >>9 byte 10 Corel Scheduler in file >>9 byte 11 Corel Scheduler out file >>9 default x >>>9 byte x Corel Scheduler: Unknown filetype %d # Corel WordPerfect Office >8 byte 14 >>9 byte 10 Corel GroupWise settings file >>9 byte 17 Corel GroupWise directory services >>9 byte 43 Corel GroupWise settings file >>9 default x >>>9 byte x Corel WordPerfect Office: Unknown filetype %d # Corel DrawPerfect >8 byte 15 >>9 default x >>>9 byte x Corel DrawPerfect: Unknown filetype %d # Corel LetterPerfect >8 byte 16 >>9 default x >>>9 byte x Corel LetterPerfect: Unknown filetype %d # Corel Terminal >8 byte 17 >>9 byte 10 Corel Terminal resource data >>9 byte 11 Corel Terminal resource data >>9 byte 43 Corel Terminal resource data >>9 default x >>>9 byte x Corel Terminal: Unknown filetype %d # Corel loadable file >8 byte 18 >>9 byte 10 Corel loadable file >>9 byte 11 Corel GUI loadable text >>9 byte 12 Corel graphics resource data >>9 byte 13 Corel printer settings file >>9 byte 14 Corel port definition file >>9 byte 15 Corel print queue parameters >>9 byte 16 Corel compressed file >>9 default x >>>9 byte x Corel loadable file: Unknown filetype %d >>15 byte 0 \b, optimized for Intel >>15 byte 1 \b, optimized for Non-Intel # Network service >8 byte 20 >>9 byte 10 Corel Network service msg file >>9 byte 11 Corel Network service msg file >>9 byte 12 Corel Async gateway login msg >>9 byte 14 Corel GroupWise message file >>9 default x >>>9 byte x Corel Network service: Unknown filetype %d # GroupWise >8 byte 31 >>9 byte 20 GroupWise admin domain database >>9 byte 21 GroupWise admin host database >>9 byte 23 GroupWise admin remote host database >>9 byte 24 GroupWise admin ADS deferment data file >>9 default x >>>9 byte x GroupWise: Unknown filetype %d # Corel Writing Tools WT*.* # From: Joerg Jenderek # URL: https://support.corel.com/hc/en-us/articles/215876258-Writing-Tools-Spell-Check-Dictionary-does-not-work-in-WordPerfect-X5 # http://wordperfect.helpmax.net/en/editing-and-formatting-documents/using-the-writing-tools/working-with-user-word-lists/ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/u/uwl-wp.trid.xml >8 byte 32 >>9 byte 10 Corel Writing Tools User Word List #!:mime application/octet-stream !:mime application/x-wordperfect-wordlist # personal user word list UWL under user directory like: WTDE.UWL WTUS.UWL WT21DE.UWL WT21US.UWL WT13DE.UWL ... # and "template" SAV/HWL variant under program directory like: wt13en.hwl Wt13de.sav Wt13it.sav wt13ru.sav WT21us.sav Wtcz.sav ... !:ext uwl/hwl/sav # jump to document area with some marker and word list >>>(4.l) ubyte x # look for beginning of word list starting mostly with letter a as UTF-16 like: Wt13es.sav # but not found in russian wt13ru.sav >>>>&0 search/91/sb a\0 # word list starting like: "acsesory\022accessory.\001\026acomodate\026accommodate4\001" >>>>>&0 lestring16 x (...%-.33s...) # pointer to document area like: 200h >>>4 ulelong !0x200 \b, at %#x document area # file size, not including pad characters at EOF >>>0x14 uleshort x \b, %u bytes # IntelliTAG >8 byte 33 >>9 byte 10 IntelliTAG (SGML) compiled DTD >>9 default x >>>9 byte x IntelliTAG: Unknown filetype %d # Summary: Corel WordPerfect WritingTools advise part # From: Joerg Jenderek # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/adv-wp.trid.xml >8 byte 34 >>9 byte 11 Corel WordPerfect dictionary advise #!:mime application/octet-stream !:mime application/x-wordperfect-adv #!:mime application/vnd.wordperfect.adv # like: WT21de.adv Wt13de.adv Wt13es.adv Wt13fr.adv wt13us.adv !:ext adv # advise text part often start with tag like: 580A #>>>(16.s) ubequad x ADVISE PART %#llx # part of advise text like: "This is too informal for most writing." >>>(16.s+16) string x (...%-.33s...) # everything else >8 default x >>8 byte x Unknown Corel/Wordperfect product %d, >>>9 byte x file type %d >10 byte 0 \b, v5. >10 byte !0 \b, v%d. >11 byte x \b%d # Hangul (Korean) Word Processor File 0 string HWP\ Document\ File Hangul (Korean) Word Processor File 3.0 # CosmicBook, from Benoit Rouits 0 string CSBK Ted Neslson's CosmicBook hypertext file 2 string EYWR AmigaWriter file # chi: file(1) magic for ChiWriter files 0 string \\1cw\ ChiWriter file >5 string >\0 version %s 0 string \\1cw ChiWriter file # Quark Express from https://www.garykessler.net/library/file_sigs.html 2 string IIXPR3 Intel Quark Express Document (English) 2 string IIXPRa Intel Quark Express Document (Korean) 2 string MMXPR3 Motorola Quark Express Document (English) !:mime application/x-quark-xpress-3 2 string MMXPRa Motorola Quark Express Document (Korean) # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/PageMaker # https://en.wikipedia.org/wiki/Adobe_PageMaker # Reference: http://mark0.net/download/triddefs_xml.7z/defs/p # pm4-pagemaker.trid.xml # pm5-pagemaker.trid.xml # Note: since version 6 in 1995 called Adobe PageMaker and # embedded in Compound Document handled by ./ole2compounddocs # mainly tested little endian variant 4 ubelong =0x0000FF99 >0 use PageMaker # big endian variant 4 ubelong =0x000099FF >0 use \^PageMaker # display information of Aldus/Adobe PageMaker document/publication 0 name PageMaker >110 uleshort <0x0600 Aldus >110 uleshort >0x05FF Adobe >110 uleshort x PageMaker # "MP" marker for newer version 4 and above according to TrID #>108 string x \b, MARKER "%.2s" # http://www.nationalarchives.gov.uk/pronom/fmt/876 !:mime application/vnd.pagemaker #!:mime application/x-pagemaker # different file name extensions are used depending on version # older version like 3 >110 uleshort/256 =0 document # https://www.macdisk.com/macsigen.php !:apple ALB3ALD3 # PT3 for template and no example for PageMaker document/publiction with PM3 extension !:ext pm3/pt3 >110 uleshort/256 =4 document !:apple ALD4ALB4 # no example for PT4 template !:ext pm4/pt4 >110 uleshort/256 =5 document !:apple ALD5ALB5 # no example for PT5 template !:ext pm5/pt5 >110 uleshort =0x0600 document !:apple ALD6ALB6 # PT6 for template !:ext pm6/pt6 # HOWTO to distinguish version 7 from 6.5 ? >110 uleshort =0x0632 document !:apple AD65AB65 # no example for T65 template !:ext p65/t65/pmd/pmt # version 7 with PMT extension for template #!:ext pmd/pmt #!:apple ????PUBF # endian marker FF 99 for little endian >6 ubyte =0xFF \b, little-endian >6 ubyte =0x99 \b, big-endian # newer numeric version like: 4 5 6 6.50 #>110 uleshort x \b, VERSION=%#x >110 uleshort >0x03FF >>110 uleshort/256 x \b, version %u >>110 uleshort%256 >0 \b.%u # older version like 3 >110 uleshort <0x0400 \b, maybe version 3 # adobe indesign (document, whatever...) from querkan 0 belong 0x0606edf5 Adobe InDesign >16 string DOCUMENT Document #------------------------------------------------------------------------------ # ichitaro456: file(1) magic for Just System Word Processor Ichitaro # # Contributor kenzo-: # Reversed-engineered JS Ichitaro magic numbers # 0 string DOC >43 byte 0x14 Just System Word Processor Ichitaro v4 !:mime application/x-ichitaro4 >144 string JDASH application/x-ichitaro4 0 string DOC >43 byte 0x15 Just System Word Processor Ichitaro v5 !:mime application/x-ichitaro5 0 string DOC >43 byte 0x16 Just System Word Processor Ichitaro v6 !:mime application/x-ichitaro6 # Type: Freemind mindmap documents # From: Jamie Thompson 0 string/w \ 0 string/w \(2.s+8) ubequad x \b, gap %#16.16llx # test for null value in gap after theme name maybe unreliable #>(2.s+9) ubyte 0 \b, 0-byte # look for keyword GALRESRV near the end # "C:\Program Files (x86)\StarOffice6.0\share\gallery\sg27.thm" Navigation, 238 objects #>0 search/8415 GALRESRV \b, GALRESRV found # "neues thema6.thm" MorePictures, 315 objects #>0 search/19299 GALRESRV \b, GALRESRV FOUND #>2 uleshort x \b, name length %u # skip file2147.chk by check for positive name length like for sg16.thm "3D" >2 uleshort >0 # skip dBase printer form T6.PRF with misidentified gallery # name :\DBASE\IV\T6.txts by check for 1st object name or RESRV keyword # https://www.clicketyclick.dk/databases/xbase/xbase/dbase_ex.zip # template/t6/with_data/T6.PRF # by first char of object name or RESRV part of keyword GALRESRV >>(2.s+13) ubyte >0x1F StarOffice Gallery theme !:mime application/x-stargallery-thm # thm is also used for JPEG thumbnail images !:ext thm # gallery name often 1 word like: 3D sounds Diagrams Flussdiagramme Fotos # or like private://gallery/hidden/imgppt "Cisco - WAN - LAN" >>>2 pstring/h x %s # number of objects >>>(2.s+4) ulelong x \b, %u object # plural s >>>(2.s+4) ulelong !1 \bs # if available then display first object name >>>(2.s+4) ulelong >0 # partial file name, URL or internal name like "dd2*" of 1st object or RESRV >>>>(2.s+11) pstring/h x \b, 1st %s # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/StarOffice_Gallery # Note: used in Star-, Open- and Libre-Office and found in directories like # %APPDATA%\Roaming\LibreOffice\4\user\gallery # $HOME/.config/libreoffice/4/user/gallery 0 string SGA3 StarOffice Gallery thumbnails # Unknown like 0x04000?0001000142 #>4 ubequad x \b, UNKNOWN %#16.16llx #!:mime application/x-sdg !:mime application/x-stargallery-sdg !:ext sdg # display image magic for debugging purpose like 'BM' # looking like PC bitmap, Windows 3.x format with unknown compression #>11 string x \b, image magic '%-.2s' # inspect 1st GALLERY thumbnail magic by ./images with 1 space at end #>11 indirect x \b; contains #------------------------------------------------------------------------------ # $File: wsdl,v 1.6 2021/04/26 15:56:00 christos Exp $ # wsdl: PHP WSDL Cache, https://www.php.net/manual/en/book.soap.php # Cache format extracted from source: # https://svn.php.net/viewvc/php/php-src/trunk/ext/soap/php_sdl.c?revision=HEAD&view=markup # Requires file >= 5.05 # By Elan Ruusamae , Patryk Zawadzki , 2010-2011 0 string wsdl PHP WSDL cache, >4 byte x version %#02x >6 ledate x \b, created %s # uri >10 lelong <0x7fffffff >>10 pstring/l x \b, uri: "%s" # source >>>&0 lelong <0x7fffffff >>>>&-4 pstring/l x \b, source: "%s" # target_ns >>>>>&0 lelong <0x7fffffff >>>>>>&-4 pstring/l x \b, target_ns: "%s" #------------------------------------------------------------------------------ # x68000: file(1) magic for the Sharp Home Computer # v1.0 # Fabio R. Schmidlin # Yanagisawa PIC picture 0 string PIC >3 search/0x200 \x1A >>&0 search/0x200 \x0 >>>&0 ubyte 0 Yanagisawa PIC image file, >>>>&0 ubyte&15 0 model: X68000, >>>>&0 ubyte&15 1 model: PC-88VA, >>>>&0 ubyte&15 2 model: FM-TOWNS, >>>>&0 ubyte&15 3 model: MAC, >>>>&0 ubyte&15 15 model: Generic, >>>>&3 ubeshort x %dx >>>>&5 ubeshort x \b%d, >>>>&1 ubeshort 4 colors: 16 >>>>&1 ubeshort 8 colors: 256 >>>>&1 ubeshort 12 colors: 4096 >>>>&1 ubeshort 15 colors: 32768 >>>>&1 ubeshort 16 colors: 65536 >>>>&1 ubeshort >16 colors: %d-bit #------------------------------------------------------------------------------ # $File: xdelta,v 1.5 2011/08/08 09:01:05 christos Exp $ # file(1) magic(5) data for xdelta Josh MacDonald # 0 string %XDELTA% XDelta binary patch file 0.14 0 string %XDZ000% XDelta binary patch file 0.18 0 string %XDZ001% XDelta binary patch file 0.20 0 string %XDZ002% XDelta binary patch file 1.0 0 string %XDZ003% XDelta binary patch file 1.0.4 0 string %XDZ004% XDelta binary patch file 1.1 0 string \xD6\xC3\xC4\x00 VCDIFF binary diff #------------------------------------------------------------------------------ # $File: xenix,v 1.14 2021/04/26 15:56:00 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small # model" lifted from "magic.xenix", with comment "derived empirically; # treat as folklore until proven" # # "small model", "large model", "huge model" stuff lifted from XXX # # XXX - "x.out" collides with PDP-11 archives # 0 string core core file (Xenix) # URL: http://www.polarhome.com/service/man/?qf=86rel&tf=2&of=Xenix # http://fileformats.archiveteam.org/wiki/OMF # Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf # Update: Joerg Jenderek # recordtype~TranslatorHEADerRecord 0 byte 0x80 # GRR: line above is too general as it catches also Extensible storage engine DataBase, # all lif files like forth.lif hpcc88.lif lex90b.lif ( See ./lif) # and all compressed DEGAS low-res bitmaps like: MUNCHIE.PC1 PIDER1.PC1 # skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3 >1 uleshort <1022 # skip examples like GAME.PICTURE Strange.Pic by looking for positive record length >>1 uleshort >0 # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length >>>3 ubyte >0 # skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type >>>>(1.s+3) ubyte >0x6D 8086 relocatable (Microsoft) #!:mime application/octet-stream !:mime application/x-object !:ext obj/o/a # T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or # "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ >>>>>3 pstring x \b, "%s" # data length probably lower 256 according to TrID obj_omf.trid.xml >>>>>1 uleshort x \b, 1st record data length %u # checksum #>>>>>(3.b+4) ubyte x \b, checksum %#2.2x # second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF >>>>>(1.s+3) ubyte x \b, 2nd record type %#x >>>>>(1.s+4) uleshort x \b, 2nd record data length %u 0 leshort 0xff65 x.out >2 string __.SYMDEF randomized >0 byte x archive 0 leshort 0x206 Microsoft a.out >8 leshort 1 Middle model >0x1e leshort &0x10 overlay >0x1e leshort &0x2 separate >0x1e leshort &0x4 pure >0x1e leshort &0x800 segmented >0x1e leshort &0x400 standalone >0x1e leshort &0x8 fixed-stack >0x1c byte &0x80 byte-swapped >0x1c byte &0x40 word-swapped >0x10 lelong >0 not-stripped >0x1e leshort ^0xc000 pre-SysV >0x1e leshort &0x4000 V2.3 >0x1e leshort &0x8000 V3.0 >0x1c byte &0x4 86 >0x1c byte &0xb 186 >0x1c byte &0x9 286 >0x1c byte &0xa 386 >0x1f byte <0x040 small model >0x1f byte =0x048 large model >0x1f byte =0x049 huge model >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x40 Large Text >0x1e leshort &0x20 Large Data >0x1e leshort &0x120 Huge Objects Enabled >0x10 lelong >0 not stripped 0 leshort 0x140 old Microsoft 8086 x.out >0x3 byte &0x4 separate >0x3 byte &0x2 pure >0 byte &0x1 executable >0 byte ^0x1 relocatable >0x14 lelong >0 not stripped 0 lelong 0x206 b.out >0x1e leshort &0x10 overlay >0x1e leshort &0x2 separate >0x1e leshort &0x4 pure >0x1e leshort &0x800 segmented >0x1e leshort &0x400 standalone >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x4000 V2.3 >0x1e leshort &0x8000 V3.0 >0x1c byte &0x4 86 >0x1c byte &0xb 186 >0x1c byte &0x9 286 >0x1c byte &0x29 286 >0x1c byte &0xa 386 >0x1e leshort &0x4 Large Text >0x1e leshort &0x2 Large Data >0x1e leshort &0x102 Huge Objects Enabled 0 leshort 0x580 XENIX 8086 relocatable or 80286 small model #------------------------------------------------------------------------------ # $File: xilinx,v 1.9 2021/04/26 15:56:00 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 # # Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, # fixes at least reading of bitfiles from Spartan 2, 3, 6. # http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm # # First there is the sync header and its length 0 beshort 0x0009 >2 belong =0x0ff00ff0 >>&0 belong =0x0ff00ff0 >>>&0 byte =0x00 >>>&1 beshort =0x0001 >>>&3 string a Xilinx BIT data # Next is a Pascal-style string with the NCD name. We want to capture that. >>>>&0 pstring/H x - from %s # And then 'b' >>>>>&1 string b # Then the model / part number: >>>>>>&0 pstring/H x - for %s # Then 'c' >>>>>>>&1 string c # Then the build-date >>>>>>>>&0 pstring/H x - built %s # Then 'd' >>>>>>>>>&1 string d # Then the build-time >>>>>>>>>>&0 pstring/H x \b(%s) # Then 'e' >>>>>>>>>>>&1 string e # And length of data >>>>>>>>>>>>&0 belong x - data length %#x # Raw bitstream files 0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) #------------------------------------------------------------------------------ # $File: xo65,v 1.5 2022/07/17 15:36:20 christos Exp $ # https://cc65.github.io/doc/sim65.html # xo65 object files # From: "Ullrich von Bassewitz" # 0 string \x55\x7A\x6E\x61 xo65 object, >4 leshort x version %d, >6 leshort&0x0001 =0x0001 with debug info >6 leshort&0x0001 =0x0000 no debug info # xo65 library files 0 string \x6E\x61\x55\x7A xo65 library, >4 leshort x version %d # o65 object files 0 string \x01\x00\x6F\x36\x35 o65 >6 leshort&0x1000 =0x0000 executable, >6 leshort&0x1000 =0x1000 object, >5 byte x version %d, >6 leshort&0x8000 =0x8000 65816, >6 leshort&0x8000 =0x0000 6502, >6 leshort&0x2000 =0x2000 32 bit, >6 leshort&0x2000 =0x0000 16 bit, >6 leshort&0x4000 =0x4000 page reloc, >6 leshort&0x4000 =0x0000 byte reloc, >6 leshort&0x0003 =0x0000 alignment 1 >6 leshort&0x0003 =0x0001 alignment 2 >6 leshort&0x0003 =0x0002 alignment 4 >6 leshort&0x0003 =0x0003 alignment 256 # sim65 executable files 0 string \x73\x69\x6d\x36\x35 sim65 executable, >5 byte x version %d, >6 leshort&0x0000 =0x0000 6502 >6 leshort&0x0001 =0x0001 65C02 #------------------------------------------------------------------------------ # $File: xwindows,v 1.13 2022/03/24 15:48:58 christos Exp $ # xwindows: file(1) magic for various X/Window system file formats. # Compiled X Keymap # XKM (compiled X keymap) files (including version and byte ordering) 1 string mkx Compiled XKB Keymap: lsb, >0 byte >0 version %d >0 byte =0 obsolete 0 string xkm Compiled XKB Keymap: msb, >3 byte >0 version %d >3 byte =0 obsolete # xfsdump archive 0 string xFSdump0 xfsdump archive >8 belong x (version %d) # Jaleo XFS files 0 long 395726 Jaleo XFS file >4 long x - version %d >8 long x - [%d - >20 long x \b%dx >24 long x \b%dx >28 long 1008 \bYUV422] >28 long 1000 \bRGB24] # Xcursor data # X11 mouse cursor format defined in libXcursor, see # https://www.x.org/archive/X11R6.8.1/doc/Xcursor.3.html # https://cgit.freedesktop.org/xorg/lib/libXcursor/tree/include/X11/Xcursor/Xcursor.h 0 string Xcur Xcursor data !:mime image/x-xcursor >10 leshort x version %d >>8 leshort x \b.%d # X bitmap https://en.wikipedia.org/wiki/X_BitMap 0 search/2048 #define\040 >&0 regex [a-zA-Z0-9]+_width\040 xbm image >>&0 regex [0-9]+ (%sx >>>&0 string \n#define\040 >>>>&0 regex [a-zA-Z0-9]+_height\040 >>>>>&0 regex [0-9]+ \b%s) #------------------------------------------------------------------------------ # $File: yara,v 1.4 2021/04/26 15:56:00 christos Exp $ # yara: file(1) magic for https://virustotal.github.io/yara/ # 0 string YARA >4 lelong >2047 >8 byte <20 YARA 3.x compiled rule set # version >>8 clear x >>8 byte 6 created with version 3.3.0 >>8 byte 8 created with version 3.4.0 >>8 byte 11 created with version 3.5.0 >>8 default x >>>8 byte x development version %#02x #------------------------------------------------------------------------------ # zfs: file(1) magic for ZFS dumps # # From # ZFS dump header has the following structure (as per zfs_ioctl.h # in FreeBSD with drr_type is set to DRR_BEGIN) # # enum { # DRR_BEGIN, DRR_OBJECT, DRR_FREEOBJECTS, # DRR_WRITE, DRR_FREE, DRR_END, # } drr_type; # uint32_t drr_pad; # uint64_t drr_magic; # uint64_t drr_version; # uint64_t drr_creation_time; # dmu_objset_type_t drr_type; # uint32_t drr_pad; # uint64_t drr_toguid; # uint64_t drr_fromguid; # char drr_toname[MAXNAMELEN]; # # Backup magic is 0x00000002f5bacbac (quad word) # The drr_type is defined as # typedef enum dmu_objset_type { # DMU_OST_NONE, # DMU_OST_META, # DMU_OST_ZFS, # DMU_OST_ZVOL, # DMU_OST_OTHER, /* For testing only! */ # DMU_OST_ANY, /* Be careful! */ # DMU_OST_NUMTYPES # } dmu_objset_type_t; # # Almost all uint64_t fields are printed as the 32-bit ones (with high # 32 bits zeroed), because there is no simple way to print them as the # full 64-bit values. # Big-endian values 8 string \000\000\000\002\365\272\313\254 ZFS snapshot (big-endian machine), >20 belong x version %u, >32 belong 0 type: NONE, >32 belong 1 type: META, >32 belong 2 type: ZFS, >32 belong 3 type: ZVOL, >32 belong 4 type: OTHER, >32 belong 5 type: ANY, >32 belong >5 type: UNKNOWN (%u), >40 byte x destination GUID: %02X >41 byte x %02X >42 byte x %02X >43 byte x %02X >44 byte x %02X >45 byte x %02X >46 byte x %02X >47 byte x %02X, >48 ulong >0 >>52 ulong >0 >>>48 byte x source GUID: %02X >>>49 byte x %02X >>>50 byte x %02X >>>51 byte x %02X >>>52 byte x %02X >>>53 byte x %02X >>>54 byte x %02X >>>55 byte x %02X, >56 string >\0 name: '%s' # Little-endian values 8 string \254\313\272\365\002\000\000\000 ZFS snapshot (little-endian machine), >16 lelong x version %u, >32 lelong 0 type: NONE, >32 lelong 1 type: META, >32 lelong 2 type: ZFS, >32 lelong 3 type: ZVOL, >32 lelong 4 type: OTHER, >32 lelong 5 type: ANY, >32 lelong >5 type: UNKNOWN (%u), >47 byte x destination GUID: %02X >46 byte x %02X >45 byte x %02X >44 byte x %02X >43 byte x %02X >42 byte x %02X >41 byte x %02X >40 byte x %02X, >48 ulong >0 >>52 ulong >0 >>>55 byte x source GUID: %02X >>>54 byte x %02X >>>53 byte x %02X >>>52 byte x %02X >>>51 byte x %02X >>>50 byte x %02X >>>49 byte x %02X >>>48 byte x %02X, >56 string >\0 name: '%s' #------------------------------------------------------------------------------ # $File: zilog,v 1.7 2009/09/19 16:28:13 christos Exp $ # zilog: file(1) magic for Zilog Z8000. # # Was it big-endian or little-endian? My Product Specification doesn't # say. # 0 long 0xe807 object file (z8000 a.out) 0 long 0xe808 pure object file (z8000 a.out) 0 long 0xe809 separate object file (z8000 a.out) 0 long 0xe805 overlay object file (z8000 a.out) #------------------------------------------------------------------------------ # $File: zip,v 1.8 2021/10/24 15:53:56 christos Exp $ # zip: file(1) magic for zip files; this is not use # Note the version of magic in archive is currently stronger, this is # just an example until negative offsets are supported better # Note: All fields unless otherwise noted are unsigned! # Zip Central Directory record 0 name zipcd >0 string PK\001\002 Zip archive data !:mime application/zip # no "made by" in local file header with PK\3\4 magic >>4 leshort x \b, made by >>4 use zipversion >>4 use ziphost # inside ./archive 1.151 called "at least" zipversion "to extract" >>6 leshort x \b, extract using at least >>6 use zipversion # This is DOS date like: ledate 21:00:48 19 Dec 2001 != DOS 00:00 1 Jan 2010 ~ 0000213C >>12 ulelong x \b, last modified >>14 lemsdosdate x \b, last modified %s >>12 lemsdostime x %s # uncompressed size of 1st entry; FFffFFff means real value stored in ZIP64 record >>24 ulelong !0xFFffFFff \b, uncompressed size %u # inside ./archive 1.151 called "compression method="zipcompression >>10 leshort x \b, method= >>10 use zipcompression # URL: https://en.wikipedia.org/wiki/Zip_(file_format) # reference: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT (Version: 6.3.9) # Zip known compressions 0 name zipcompression >0 leshort 0 \bstore >0 leshort 1 \bShrinking >0 leshort 6 \bImploding >0 leshort 7 \bTokenizing >0 leshort 8 \bdeflate >0 leshort 9 \bdeflate64 >0 leshort 10 \bLibrary imploding #>0 leshort 11 \bReserved by PKWARE >0 leshort 12 \bbzip2 #>0 leshort 13 \bReserved by PKWARE >0 leshort 14 \blzma #>0 leshort 15 \bReserved by PKWARE >0 leshort 16 \bCMPSC (IBM z/OS) #>0 leshort 17 \bReserved by PKWARE >0 leshort 18 \bIBM TERSE >0 leshort 19 \bIBM LZ77 (z/Architecture) >0 leshort 20 \bZstd (deprecated) >0 leshort 93 \bZstd >0 leshort 94 \bMP3 >0 leshort 95 \bxz >0 leshort 96 \bJpeg >0 leshort 97 \bWavPack >0 leshort 98 \bPPMd >0 leshort 99 \bAES Encrypted >0 default x >>0 leshort x \b[%#x] # Zip known versions 0 name zipversion # The lower byte indicates the ZIP version of this file. The value/10 indicates # the major version number, and the value mod 10 is the minor version number. >0 ubyte/10 x v%u >0 ubyte%10 x \b.%u # >0 leshort 0x09 v0.9 # >0 leshort 0x0a v1.0 # >0 leshort 0x0b v1.1 # >0 leshort 0x14 v2.0 # >0 leshort 0x15 v2.1 # >0 leshort 0x19 v2.5 # >0 leshort 0x1b v2.7 # >0 leshort 0x2d v4.5 # >0 leshort 0x2e v4.6 # >0 leshort 0x32 v5.0 # >0 leshort 0x33 v5.1 # >0 leshort 0x34 v5.2 # >0 leshort 0x3d v6.1 # >0 leshort 0x3e v6.2 # >0 leshort 0x3f v6.3 # >0 default x # >>0 leshort x v?[%#x] # display compatible host system name of ZIP archive 0 name ziphost # The upper byte indicates the compatibility of the file attribute information. # If the file is compatible with MS-DOS (v 2.04g) then this value will be zero. #>1 ubyte 0 DOS >1 ubyte 1 Amiga >1 ubyte 2 OpenVMS >1 ubyte 3 UNIX >1 ubyte 4 VM/CMS >1 ubyte 6 OS/2 >1 ubyte 7 Macintosh >1 ubyte 11 MVS >1 ubyte 13 Acorn Risc >1 ubyte 16 BeOS >1 ubyte 17 Tandem # 9 untested >1 ubyte 5 Atari ST >1 ubyte 8 Z-System >1 ubyte 9 CP/M >1 ubyte 10 Windows NTFS >1 ubyte 12 VSE >1 ubyte 14 VFAT >1 ubyte 15 alternate MVS >1 ubyte 18 OS/400 >1 ubyte 19 OS X # unused #>1 ubyte >19 unused %#x # Zip End Of Central Directory record # GRR: wrong for ZIP with comment archive -22 string PK\005\006 #>4 uleshort !0xFFff \b, %u disks #>6 uleshort !0xFFff \b, central directory disk %u #>8 uleshort !0xFFff \b, %u central directories on this disk #>10 uleshort !0xFFff \b, %u central directories #>12 ulelong !0xFFffFFff \b, %u central directory bytes # offset of central directory #>16 ulelong x \b, central directory offset %#x >(16.l) use zipcd # archive comment length n #>>20 uleshort >0 \b, comment length %u # archive comment >>20 pstring/l >0 \b, %s #------------------------------------------------------------------------------ # $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $ # zyxel: file(1) magic for ZyXEL modems # # From # These are the /etc/magic entries to decode datafiles as used for the # ZyXEL U-1496E DATA/FAX/VOICE modems. (This header conforms to a # ZyXEL-defined standard) 0 string ZyXEL\002 ZyXEL voice data >10 byte 0 - CELP encoding >10 byte&0x0B 1 - ADPCM2 encoding >10 byte&0x0B 2 - ADPCM3 encoding >10 byte&0x0B 3 - ADPCM4 encoding >10 byte&0x0B 8 - New ADPCM3 encoding >10 byte&0x04 4 with resync